View Architecture Planning
VMware Horizon 6
Version 6.1

This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent editions of this document, see http://www.vmware.com/support/pubs.

You can find the most up-to-date technical documentation on the VMware Web site at: http://www.vmware.com/support/
The VMware Web site also provides the latest product updates.
If you have comments about this documentation, submit your feedback to: docfeedback@vmware.com

Copyright © 2009–2015 VMware, Inc. All rights reserved. Copyright and trademark information.
VMware, Inc.
3401 Hillview Ave.
Palo Alto, CA 94304
www.vmware.com
Contents

View Architecture Planning 5

1 Introduction to View 7
Advantages of Using View 7
View Features 9
How the Components Fit Together 11
Integrating and Customizing View 15

2 Planning a Rich User Experience 19
Feature Support Matrix for View Agent 19
Choosing a Display Protocol 21
Using Hosted Applications 23
Using View Persona Management to Retain User Data and Settings 24
Using USB Devices with Remote Desktops and Applications 25
Using the Real-Time Audio-Video Feature for Webcams and Microphone

Advantages of Using Multiple vCenter Servers in a Pod 67

5 Planning for Security Features 69
Understanding Client Connections 69
Choosing a User Authentication Method 71
Restricting Remote Desktop Access 74
Using Group Policy Settings to Secure Remote Desktops and Applications 75
Implementing Best Practices to Secure Client Systems 75
Assigning Administrator Roles 75
Preparing to Use a Security Server 76
Understanding View Communications Protocols 81

6 Overview of Steps to Se
View Architecture Planning provides an introduction to VMware Horizon™ 6, including a description of its major features and deployment options and an overview of how the components are typically set up in a production environment.
1 Introduction to View

With View, IT departments can run remote desktops and applications in the datacenter and deliver these desktops and applications to employees as a managed service. End users gain a familiar, personalized environment that they can access from any number of devices anywhere throughout the enterprise or from home. Administrators gain centralized control, efficiency, and security by having desktop data in the datacenter.
- Remote desktops and applications that are hosted in a datacenter experience little or no downtime. Virtual machines can reside on high-availability clusters of VMware servers. Virtual desktops can also connect to back-end physical systems and Microsoft Remote Desktop Services (RDS) hosts.

Convenience
The unified management console is built for scalability so that even the largest View deployments can be efficiently managed from a single management interface.
- Integration with Workspace Portal means that IT managers can use the Web-based Workspace Portal administration interface to monitor user and group entitlements to remote desktops.
- With View Persona Management, physical and virtual desktops can be centrally managed, including user profiles, application entitlement, policies, performance, and other settings. Deploy View Persona Management to physical desktop users prior to converting to virtual desktops.
- Use multiple monitors. With PCoIP multiple-monitor support, you can adjust the display resolution and rotation separately for each monitor.
- Access USB devices and other peripherals that are connected to the local device that displays your virtual desktop. You can specify which types of USB devices end users are allowed to connect to.
- Integrate with Mirage™ and Horizon FLEX™ to manage locally installed virtual machine desktops and to deploy and update applications on dedicated full-clone remote desktops without overwriting user-installed applications.

How the Components Fit Together
End users start Horizon Client to log in to View Connection Server.
Figure 1-2.
View Connection Server
This software service acts as a broker for client connections. View Connection Server authenticates users through Windows Active Directory and directs the request to the appropriate virtual machine, physical PC, or Microsoft RDS host.
- Details about the HTML Access Web client, which allows you to open a remote desktop inside a browser. No Horizon Client application is installed on the client system or device. See the Horizon Client documentation at https://www.vmware.com/support/viewclients/doc/viewclients_pubs.html.
- Various third-party thin clients and zero clients, available only through certified partners.
- View Open Client, which supports the VMware partner certification program.
Although you can install View Composer on its own server host, a View Composer service can operate with only one vCenter Server instance. Similarly, a vCenter Server instance can be associated with only one View Composer service.

vCenter Server
This service acts as a central administrator for VMware ESXi servers that are connected on a network. vCenter Server provides the central point for configuring, provisioning, and managing virtual machines in the datacenter.
Horizon vRealize Orchestrator plug-in

- Provides policies, including expiration, available in VMware Fusion® Professional and VMware Player Plus™, that are comparable to the policies provided with the previous Local Mode feature. Fusion Pro and Player Plus are included with Mirage.
- Eliminates the need for users to check in or check out their desktops to receive updates.
- Enables administrators to utilize the Mirage layering capability, backup features, and file portal.
This architecture requires the installation of a Microsoft Lync 2013 client on the remote desktop and a Microsoft Lync VDI plug-in on the Windows 7 or 8 client endpoint. Customers can use the Microsoft Lync 2013 client for presence, instant messaging, Web conferencing, and Microsoft Office functionality.
- Query the event database.
- Query the state of services.

You can use the cmdlets in conjunction with the vSphere PowerCLI cmdlets, which provide an administrative interface to the VMware vSphere product. For more information, see the View Integration document.

Modifying LDAP Configuration Data in View
When you use View Administrator to modify the configuration of View, the appropriate LDAP data in the repository is updated.
2 Planning a Rich User Experience

View provides the familiar, personalized desktop environment that end users expect. For example, on some client systems, end users can access USB and other devices connected to their local computer, send documents to any printer that their local computer can detect, authenticate with smart cards, and use multiple display monitors. View includes many features that you might want to make available to your end users.
Table 2-1. Operating Systems for Linked-Clone and Full-Clone Remote Desktops (Continued)
Guest Operating System | Version | Edition | Service Pack
Windows 7 | 64-bit and 32-bit | Enterprise and Professional | SP1
Windows Server 2012 R2 | 64-bit | Datacenter | None
Windows Server 2008 R2 | 64-bit | Datacenter | SP1

Table 2-2.
Choosing a Display Protocol
A display protocol provides end users with a graphical interface to a remote desktop or application that resides in the datacenter. Depending on which type of client device you have, you can choose between PCoIP (PC-over-IP), which VMware provides, or Microsoft RDP (Remote Desktop Protocol). You can set policies to control which protocol is used or to allow end users to choose the protocol when they log in to a desktop.
For information about which desktop operating systems support specific PCoIP features, see "Feature Support Matrix for View Agent," on page 19. For information about which client devices support specific PCoIP features, go to https://www.vmware.com/support/viewclients/doc/viewclients_pubs.html.

Recommended Guest Operating System Settings
1GB of RAM or more and a dual CPU are recommended for playing video in high-definition, full screen mode, or in 720p or higher formats.
Microsoft RDP
Remote Desktop Protocol is the same multichannel protocol many people already use to access their work computer from their home computer. Microsoft Remote Desktop Connection (RDC) uses RDP to transmit data. Microsoft RDP is a supported display protocol for remote desktops that use virtual machines, physical machines, or shared session desktops on an RDS host. (Only the PCoIP display protocol is supported for remote applications.)
To use this feature, you install applications on a Microsoft RDS host. In this respect, View hosted applications work similarly to other application remoting solutions. View hosted applications are delivered using the PCoIP display protocol, for an optimized user experience.

Using View Persona Management to Retain User Data and Settings
You can use View Persona Management with remote desktops and with physical computers and virtual machines that are not managed by View.
- Specify which files and folders to download in the background after a user logs in to the desktop. Within a folder, you can also specify files to exclude.
- Specify which files and folders within a user's persona to manage with Windows roaming profiles functionality instead of View Persona Management. Within a folder, you can also specify files to exclude.

As with Windows roaming profiles, you can configure folder redirection.
In most cases, you cannot use a USB device in your client system and in your remote desktop or application at the same time. Only a few types of USB devices can be shared between a remote desktop and the local computer. These devices include smart card readers and human interface devices such as keyboards and pointing devices. Administrators can specify which types of USB devices end users are allowed to connect to.
Virtual Shared Graphics Acceleration (vSGA)
Available with vSphere 5.1 and later, this feature allows multiple virtual machines to share the physical GPUs on ESXi hosts. You can use 3D applications for design, modeling, and multimedia.

Soft 3D
Software-accelerated graphics, available with vSphere 5.0 and later, allows you to run DirectX 9 and OpenGL 2.1 applications without requiring a physical GPU.
Using Single Sign-On for Logging In to a Remote Desktop
The single-sign-on (SSO) feature allows end users to supply login credentials only once. If you do not use the single-sign-on feature, end users must log in twice. They are first prompted to log in to View Connection Server and then are prompted to log in to their remote desktop. If smart cards are also used, end users must sign in three times because users must also log in when the smart card reader prompts them for a PIN.
3 Managing Desktop and Application Pools from a Central Location

You can create pools that include one, hundreds, or thousands of remote desktops. As a desktop source, you can use virtual machines, physical machines, and Windows Remote Desktop Services (RDS) hosts. Create one virtual machine as a base image, and View can generate a pool of remote desktops from that image. You can also create pools of applications that give users remote access to applications.
In addition, using desktop pools provides many conveniences.

Dedicated-assignment pools
Each user is assigned a particular remote desktop and returns to the same desktop at each login. Users can personalize their desktops, install applications, and store data.

Floating-assignment pools
The remote desktop is optionally deleted and re-created after each use, offering a highly controlled environment.
Reducing and Managing Storage Requirements
Deploying desktops on virtual machines that are managed by vCenter Server provides all the storage efficiencies that were previously available only for virtualized servers. Using View Composer increases the storage savings because all virtual machines in a pool share a virtual disk with a base image.
Compatible vSphere 5.5 Update 1 or Later Features
With vSphere 5.5 Update 1 or a later release, you can use Virtual SAN, which virtualizes the local physical solid-state disks and hard disk drives available on ESXi hosts into a single datastore shared by all hosts in a cluster.
Each virtual machine maintains its policy regardless of its physical location in the cluster. If the policy becomes noncompliant because of a host, disk, or network failure, or workload changes, Virtual SAN reconfigures the data of the affected virtual machines and load-balances to meet the policies of each virtual machine.
Using Virtual Volumes for Virtual-Machine-Centric Storage and Policy-Based Management
With Virtual Volumes (VVols), available with vSphere 6.0 or a later release, an individual virtual machine, not the datastore, becomes a unit of storage management. The storage hardware gains control over virtual disk content, layout, and management. With Virtual Volumes, abstract storage containers replace traditional storage volumes based on LUNs or NFS shares.
Reducing Storage Requirements with View Composer
Because View Composer creates desktop images that share virtual disks with a base image, you can reduce the required storage capacity by 50 to 90 percent. View Composer uses a base image, or parent virtual machine, and creates a pool of up to 2,000 linked-clone virtual machines.
Local Datastores for Floating, Stateless Desktops
Linked-clone desktops can be stored on local datastores, which are internal spare disks on ESXi hosts. Local storage offers advantages such as inexpensive hardware, fast virtual-machine provisioning, high-performance power operations, and simple management. However, using local storage limits the vSphere infrastructure configuration options that are available to you.
Deploying Individual Applications Using an RDS Host
You might choose to provide end users with remote applications rather than remote desktops. Individual remote applications might be easier to navigate on a small mobile device. End users can access remote Windows-based applications by using the same Horizon Client that they previously used for accessing remote desktops, and they use the same PCoIP display protocol.
After you create a virtualized application with VMware ThinApp, you can choose to either stream the application from a shared file server or install the application on the virtual desktops.
After a GPO is applied, properties are stored in the local Windows registry of the specified component. You can use GPOs to set all the policies that are available from the View Administrator user interface (UI). You can also use GPOs to set policies that are not available from the UI. For a complete list and description of the settings available through ADM templates, see Setting Up Desktop and Application Pools in View.
4 Architecture Design Elements and Planning Guidelines for Remote Desktop Deployments

A typical View architecture design uses a pod strategy that consists of components that support up to 10,000 remote desktops using a vSphere 5.1 or later infrastructure. Pod definitions can vary, based on hardware configuration, View and vSphere software versions used, and other environment-specific design factors.
Virtual Machine Requirements for Remote Desktops
When you plan the specifications for remote desktops, the choices that you make regarding RAM, CPU, and disk space have a significant effect on your choices for server and storage hardware and expenditures.
Estimating Memory Requirements for Virtual Machine Desktops
RAM costs more for servers than it does for PCs. Because the cost of RAM is a high percentage of overall server hardware costs and total storage capacity needed, determining the correct memory allocation is crucial to planning your desktop deployment.
RAM Sizing for Specific Monitor Configurations When Using PCoIP
If you use PCoIP, the display protocol from VMware, the amount of extra RAM that the ESXi host requires depends in part on the number of monitors configured for end users and on the display resolution. Table 4-1 lists the amount of overhead RAM required for various configurations. The amounts of memory listed in the columns are in addition to the amount of memory required for other PCoIP functionality.

Table 4-1.
A good starting point is to allocate 1GB for 32-bit Windows 7 or later desktops and 2GB for 64-bit Windows 7 or later desktops. If you want to use one of the hardware accelerated graphics features for 3D workloads, VMware recommends 2 virtual CPUs and 4GB of RAM.
- Turn off Windows services such as the indexer service, the defragmenter service, and restore points. For details, see the topics "Optimize Windows Guest Operating System Performance," "Optimize Windows 7 and Windows 8 Guest Operating System Performance," and "Overview of Windows 7 and Windows 8 Services and Tasks That Cause Linked-Clone Growth," in Setting Up Desktop and Application Pools in View.
Note that physical RAM costs are not linear and that in some situations, it can be cost-effective to purchase more, smaller servers that do not use expensive DIMM chips. In other cases, rack density, storage connectivity, manageability and other considerations can make minimizing the number of servers in a deployment a better choice.
- Note that in View 5.
- Pools for Kiosk Users on page 49
  Kiosk users might include customers at airline check-in stations, students in classrooms or libraries, medical personnel at medical data entry workstations, or customers at self-service points. Accounts associated with client devices rather than users are entitled to use these desktop pools because users do not need to log in to use the client device or the remote desktop.
Pools for Knowledge Workers and Power Users
Knowledge workers must be able to create complex documents and have them persist on the desktop. Power users must be able to install their own applications and have them persist. Depending on the nature and amount of personal data that must be retained, the desktop can be stateful or stateless.
To set up kiosk mode, you must use the vdmadmin command-line interface and perform several procedures documented in the topics about kiosk mode in the View Administration document. As part of this setup, you can use the following pool settings.
- Create an automated pool so that desktops can be created when the pool is created or can be generated on demand based on pool usage.
- Use floating assignment so that users can access any available desktop in the pool.
Table 4-2. Desktop Virtual Machine Example for Windows 7 or Windows 8 (Continued)
Item | Example
Virtual SCSI adapter type | LSI Logic SAS (the default)
Virtual network adapter | VMXNET 3

IMPORTANT Horizon 6 version 6.1 and later releases do not support Windows XP and Windows Vista desktops. View Agent 6.0.2 is the last View release that supports these guest operating systems.
- Each CPU core has compute capacity for 8 to 10 virtual desktops.
- The number of IP addresses available for the subnet limits the number of desktops in the pool. For example, if your network is set up so that the subnet for the pool contains only 256 usable IP addresses, the pool size is limited to 256 desktops. You can, however, configure multiple network labels to greatly expand the number of IP addresses assigned to virtual machines in a pool.
Table 4-5.
This example assumes that View Connection Server is running on a 64-bit Windows Server 2008 R2 Enterprise operating system.

Table 4-7.
Under the following conditions, vSphere clusters can contain up to 32 ESXi hosts, or nodes:
- vSphere 5.1 and later, with View Composer linked-clone pools, and store replica disks on NFS datastores or VMFS5 or later datastores
- vSphere 6.0 and later, and store pools on Virtual Volumes datastores

If you have vSphere 5.
Table 4-8. View Infrastructure Cluster Example (Continued)
Item | Example
SSD storage | Virtual machines for vCenter Server, View Composer, SQL database server, and the parent virtual machines
Non-SSD storage | Virtual machines for Active Directory, View Connection Server, and security server
Cluster type | DRS (Distributed Resource Scheduler)/HA

Table 4-9.
Shared Storage Example
For a View 5.2 test environment, View Composer replica virtual machines were placed on high-read-performance solid-state drives (SSD), which support tens of thousands of I/Os per second (IOPS). Linked clones were placed on traditional, lower-performance spinning media-backed datastores, which are less expensive and provide higher storage capacity.
Figure 4-1. Tiered Storage Example for a Large Desktop Pool
Figure labels: Parent 1 through Parent 5; PARENT SSD, shared across all clusters; Replica 1; ESX cluster, consisting of 192 Intel cores and 2.
Storage Bandwidth Considerations
In a View environment, logon storms are the main consideration when determining bandwidth requirements. Although many elements are important to designing a storage system that supports a View environment, from a server configuration perspective, planning for proper storage bandwidth is essential. You must also consider the effects of port consolidation hardware.
For more information, see the information guide called PCoIP Display Protocol: Information and Scenario-Based Network Sizing Guide.

Optimization Controls Available with PCoIP
If you use the PCoIP display protocol from VMware, you can adjust several elements that affect bandwidth usage.
- You can configure the image quality level and frame rate used during periods of network congestion.
Virtual switches: VMotion-dvswitch (1 uplink per host), Infra-dvswitch (2 uplinks per host), Desktop-dvswitch (2 uplinks per host).
This switch was used by the ESXi hosts of infrastructure, parent, and desktop virtual machines.
- Jumbo Frame (9000 MTU)
- 1 Ephemeral Distributed Port Group
- Private VLAN and 192.168.x.x addressing
This switch was used by the ESXi hosts of infrastructure virtual machines.
For 10,000 desktops the logon storm occurred over a 60-minute period, using a normal distribution of logon times. The virtual machines were powered on and were available before the logon storm began. After logon, a workload started, which included the following applications: Adobe Reader, Microsoft Outlook, Internet Explorer, Microsoft Word, and Notepad.
WAN Support and PCoIP
For wide-area networks (WANs), you must consider bandwidth constraints and latency issues. The PCoIP display protocol provided by VMware adapts to varying latency and bandwidth conditions. If you use the RDP display protocol, you must have a WAN optimization product to accelerate applications for users in branch offices or small offices.
- Bandwidth utilization is 80 percent (.8 utilization factor).

Formula for Determining the Number of Users Supported
- In the worst case, users require 150Kbps: (1.5Mbps*.8)/150Kbps = (1500*.8)/150 = 8 users
- In the best case, users require 50Kbps: (1.5Mbps*.8)/50Kbps = (1500*.8)/50 = 24 users

Result
This remote office can support between 8 and 24 concurrent users per T1 line with 1.5Mbps capacity.
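The two sizing rules this chapter states, the pool limits from the per-core capacity and the IP addresses behind the pool's network labels, and the WAN formula above, carried out as one added Python example. This is not VMware's code: the core counts, subnets and link figures are constructed, and it assumes IPv4 network labels with the network and broadcast addresses excluded when counting hosts.

```python
"""Capacity-planning helpers for two sizing rules on this page: a desktop pool
is bounded by CPU (8 to 10 desktops per core) and by the IP addresses available
across its network labels, and a WAN link supports
(capacity * utilization factor) / per-user bandwidth users.  Added example,
not VMware code; every input value below is constructed."""
import ipaddress
from typing import Dict, Iterable, Tuple

DESKTOPS_PER_CORE = (8, 10)  # compute capacity range stated on the page


def usable_addresses(network_labels: Iterable[str]) -> int:
    """Host addresses across the IPv4 subnets behind a pool's network labels.
    Network and broadcast addresses are excluded, so a /24 yields 254 (the
    page's '256 usable IP addresses' example counts the whole /24)."""
    total = 0
    for label in network_labels:
        net = ipaddress.ip_network(label, strict=False)
        total += net.num_addresses - 2 if net.prefixlen <= 30 else net.num_addresses
    return total


def pool_size_limits(cpu_cores: int, network_labels: Iterable[str]) -> Dict[str, object]:
    """Size a pool against both constraints and name the one that binds."""
    cpu_low = cpu_cores * DESKTOPS_PER_CORE[0]
    cpu_high = cpu_cores * DESKTOPS_PER_CORE[1]
    ips = usable_addresses(network_labels)
    return {
        "cpu_conservative": cpu_low,
        "cpu_optimistic": cpu_high,
        "ip_addresses": ips,
        "max_pool_size": min(cpu_high, ips),
        "binding_constraint": "ip_addresses" if ips < cpu_high else "cpu",
    }


def wan_users(link_kbps: float, utilization: float,
              per_user_kbps: Tuple[float, float], links: int = 1) -> Tuple[int, int]:
    """Concurrent users per site as (worst case, best case):
    (link capacity * utilization) / per-user bandwidth, rounded down, times the
    number of links.  The page's T1 example is wan_users(1500, 0.8, (50, 150))."""
    effective = link_kbps * utilization * links
    worst_case_need, best_case_need = max(per_user_kbps), min(per_user_kbps)
    return int(effective // worst_case_need), int(effective // best_case_need)


if __name__ == "__main__":
    # Constructed inputs: 64 cores and two /24 network labels; one T1 line.
    print(pool_size_limits(64, ["10.20.0.0/24", "10.20.1.0/24"]))
    print(wan_users(1500, 0.8, (50, 150)))  # T1 example from the page: (8, 24)
```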
Table 4-11. Example of a LAN-Based View Pod Constructed of 5 Building Blocks (Continued)
Item | Number
View Connection Servers | 7 (5 for connections from inside the corporate network and 2 for connections from outside)
vLANs | See Table 4-10.
10Gb Ethernet module | 1
Modular networking switch | 1

Each vCenter Server can support up to 10,000 virtual machines.
Table 4-12.
Advantages of Using Multiple vCenter Servers in a Pod
When you create a design for a View production environment that accommodates more than 500 desktops, several considerations affect whether to use one vCenter Server instance rather than multiple instances. Starting with View 5.2, VMware supports managing up to 10,000 desktop virtual machines within a single View pod with a single vCenter 5.1 or later server.
In addition to these automated options for vCenter Server failover, you can also choose to rebuild the failed server on a new virtual machine or physical server. Most key information is stored in the vCenter Server database. Risk tolerance is an important factor in determining whether to use one or multiple vCenter Server instances in your pod design.
5 Planning for Security Features

View offers strong network security to protect sensitive corporate data. For added security, you can integrate View with certain third-party user-authentication solutions, use a security server, and implement the restricted entitlements feature.
- Tunneled Client Connections with Microsoft RDP on page 70
  When users connect to a remote desktop with the Microsoft RDP display protocol, Horizon Client can make a second HTTPS connection to the View Connection Server host. This connection is called the tunnel connection because it provides a tunnel for carrying RDP data.
In a standard deployment of View Connection Server instances, the HTTPS secure connection terminates at the View Connection Server. In a DMZ deployment, the HTTPS secure connection terminates at a security server. See "Preparing to Use a Security Server," on page 76 for information on DMZ deployments and security servers.
Active Directory Authentication
Each View Connection Server instance is joined to an Active Directory domain, and users are authenticated against Active Directory for the joined domain. Users are also authenticated against any additional user domains with which a trust agreement exists.
Smart Card Authentication
A smart card is a small plastic card that is embedded with a computer chip. Many government agencies and large enterprises use smart cards to authenticate users who access their computer networks. One type of smart card used by the United States Department of Defense is called a Common Access Card (CAC). Administrators can enable individual View Connection Server instances for smart card authentication.
Restricting Remote Desktop Access
You can use the restricted entitlements feature to restrict remote desktop access based on the View Connection Server instance that a user connects to. With restricted entitlements, you assign one or more tags to a View Connection Server instance. Then, when configuring a desktop pool, you select the tags of the View Connection Server instances that you want to be able to access the desktop pool.
The restricted entitlements feature only enforces tag matching. You must design your network topology to force certain clients to connect through a particular View Connection Server instance.

Using Group Policy Settings to Secure Remote Desktops and Applications
View includes Group Policy administrative (ADM) templates that contain security-related group policy settings that you can use to secure your remote desktops and applications.
Preparing to Use a Security Server
A security server is a special instance of View Connection Server that runs a subset of View Connection Server functions. You can use a security server to provide an additional layer of security between the Internet and your internal network. A security server resides within a DMZ and acts as a proxy host for connections inside your trusted network.
Figure 5-2. Load-Balanced Security Servers in a DMZ
Figure labels: client device; external network; DMZ; load balancing; View Security Servers; View Connection Servers; Microsoft Active Directory; vCenter Management Server; ESX hosts running Virtual Desktop virtual machines.

When users outside the corporate network connect to a security server, they must successfully authenticate before they can access remote desktops and applications.
Figure 5-3. Multiple Security Servers
Figure labels: two client devices on external networks; DMZ; load balancing in front of the View Security Servers; load balancing in front of the View Connection Servers; vCenter Management Server; Microsoft Active Directory; ESXi hosts running Virtual Desktop virtual machines.

You must implement a hardware or software load balancing solution if you install more than one security server. View Connection Server does not provide its own load balancing functionality.
Figure 5-4.
Table 5-1. Front-End Firewall Rules (Continued)
Source | Default Port | Protocol | Destination | Default Port | Notes
Horizon Client | TCP Any; UDP Any | PCoIP | Security server | TCP 4172; UDP 4172 | External client devices connect to a security server within the DMZ on TCP port 4172 and UDP port 4172 to communicate with a remote desktop or application over PCoIP.
Table 5-2. Back-End Firewall Rules (Continued)
Source | Default Port | Protocol | Destination | Default Port | Notes
Security server | TCP Any; UDP 55000 | PCoIP | Remote desktop or application | TCP 4172; UDP 4172 | Security servers connect to remote desktops and applications on TCP port 4172 and UDP port 4172 to exchange PCoIP traffic.
Figure 5-5. View Components and Protocols Without a Security Server
Figure labels: client device (RDP Client, Horizon Client); PCoIP, RDP, and HTTP(S) to View Connection Server (View Secure GW Server & PCoIP Secure GW, View Messaging, View Broker & Admin Server); View Administrator over HTTP(S); SOAP to vCenter Server; View Manager; LDAP; JMS; RDP and PCoIP to View Agent in the View desktop virtual machine.

NOTE This figure shows direct connections for clients using either PCoIP or RDP.
Figure 5‑6.
Table 5‑3. Default Ports (Continued)
Protocol: PCoIP
Port: Any TCP port from Horizon Client to port 4172 of the remote desktop or application. PCoIP also uses UDP port 50002 from Horizon Client (or UDP port 55000 from the PCoIP Secure Gateway) to port 4172 of the remote desktop or application.
Protocol: PCoIP or RDP
Port: For USB redirection, TCP port 32111 is used alongside PCoIP or RDP from the client to the remote desktop.
When end users such as home or mobile workers access desktops from the Internet, security servers provide the required level of security and connectivity so that a VPN connection is not necessary. The PCoIP Secure Gateway component ensures that the only remote traffic that can enter the corporate data center is traffic on behalf of a strongly authenticated user. End users can access only the resources that they are authorized to access.
Table 5‑4. Ports Opened During View Connection Server Installation (Continued)
Protocol: HTTP; Ports: TCP 80; View Connection Server Instance Type: Standard, replica, and security server
Protocol: HTTPS; Ports: TCP 443; View Connection Server Instance Type: Standard, replica, and security server
Protocol: PCoIP; Ports: TCP 4172 in, UDP 4172 both directions; View Connection Server Instance Type: Standard, replica, and security server
Protocol: HTTPS; Ports: TCP 8443; View Connection Server Instance Type: Standard, replica, and security server
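A rule-set audit that encodes the destination ports from Tables 5‑1, 5‑2 and 5‑4 as they appear above, as an added example that is not part of the VMware document; the boundary names ("front-end", "back-end") and the sample rule set are assumptions made for the illustration.

```python
"""Audit a proposed DMZ firewall rule set against the Horizon 6 ports
documented in Tables 5-1, 5-2 and 5-4 on this page.

Added example, not VMware's code. Only the table rows visible on this page
are encoded, so an "undocumented port" finding means "not in these rows",
not "wrong"; the rule set at the bottom is constructed for illustration.
"""
from typing import NamedTuple


class Rule(NamedTuple):
    boundary: str     # "front-end" (external -> DMZ) or "back-end" (DMZ -> internal)
    proto: str        # "tcp" or "udp"
    dst_port: object  # int, or "any" for a wildcard rule


# Table 5-1 (continued): Horizon Client -> security server, PCoIP.
# Table 5-2 (continued): security server -> remote desktop or application, PCoIP.
PCOIP = {("tcp", 4172), ("udp", 4172)}
# Table 5-4: ports opened on every View Connection Server instance type,
# including the security server, so they are reachable across the front-end.
INSTANCE_PORTS = {("tcp", 80), ("tcp", 443), ("tcp", 4172), ("udp", 4172), ("tcp", 8443)}

DOCUMENTED = {
    "front-end": PCOIP | INSTANCE_PORTS,
    "back-end": PCOIP,
}


def audit(rules):
    """Return (finding, rule) pairs for rules that are wider than the tables."""
    findings = []
    for rule in rules:
        if rule.boundary not in DOCUMENTED:
            findings.append(("unknown boundary", rule))
        elif rule.dst_port == "any":
            findings.append(("wildcard destination port", rule))
        elif (rule.proto.lower(), rule.dst_port) not in DOCUMENTED[rule.boundary]:
            findings.append(("undocumented port", rule))
    return findings


# Constructed rule set: one wildcard, one port not in the rows above, the rest as documented.
SAMPLE_RULES = [
    Rule("front-end", "tcp", 443),
    Rule("front-end", "tcp", 4172),
    Rule("front-end", "udp", 4172),
    Rule("back-end", "tcp", 4172),
    Rule("back-end", "udp", 4172),
    Rule("back-end", "tcp", "any"),  # overly broad
    Rule("front-end", "tcp", 3389),  # not among the rows visible on this page
]

if __name__ == "__main__":
    for what, rule in audit(SAMPLE_RULES):
        print(f"{what}: {rule.boundary} {rule.proto}/{rule.dst_port}")
```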
Firewall Rules for Active Directory
If you have a firewall between your View environment and your Active Directory server, you must make sure that all of the necessary ports are opened. For example, View Connection Server must be able to access the Active Directory Global Catalog and Lightweight Directory Access Protocol (LDAP) servers.
6 Overview of Steps to Setting Up a View Environment
Complete these high-level tasks to install View and configure an initial deployment.
Table 6‑1. View Installation and Setup Check List
Step 1: Set up the required administrator users and groups in Active Directory. Instructions: View Installation and vSphere documentation.
Step 2: If you have not yet done so, install and set up ESXi hosts and vCenter Server. Instructions: VMware vSphere documentation.
Table 6‑1. View Installation and Setup Check List (Continued)
Step 12: (Optional) Configure View Persona Management, which gives users access to personalized data and settings whenever they log in to a desktop. Instructions: Setting Up Desktop and Application Pools in View.
Step 13: (Optional) For added security, integrate smart card authentication or a RADIUS two-factor authentication solution. Instructions: View Administration document.
Index
Symbols
front-end firewall
  configuring 78
  rules 79
G
gateway server 84
GPOs, security settings for remote desktops 75
GRID vGPU, NVIDIA 26
H
HA cluster 51, 53, 54
hardware requirements, PCoIP 21
hardware-accelerated graphics 26
Horizon Client 38
Horizon Client for Linux 13
Horizon Workspace 7
hosted applications 23
HTML Access 12
I
I/O storms 59
iSCSI SAN arrays 31
J
Java Message Service 85
Java Message Service protocol 79
JMS protocol 79, 81
K
kiosk mode 49
knowledge workers 42, 43
restricted entitlements 74
roaming profiles 24
RSA key size, changing 85
RSA SecurID authentication, configuring 72
S
SBPM (storage-based policy management) 32, 34
scalability, planning for 41
SCOM 15
SCSI adapter types 50
security 30
security servers
  best practices for deploying 76
  firewall rules for 79
  implementing 76
  load balancing 76
  overview 13
  PCoIP Secure Gateway 84
security features, planning 69
setup, View 89
shared storage 31, 57
single sign-on (SSO) 14, 28, 73
smart card authentication 73
vSphere 7, 9, 31
vSphere cluster 54, 64
W
WAN support 63
webcam 26
Windows page file 45
Windows roaming profiles 24
worker types 42, 43, 45, 47
Wyse MMR 19, 27