Architecture Planning

In a standard deployment of View Connection Server instances, the HTTPS secure connection terminates at
the View Connection Server. In a DMZ deployment, the HTTPS secure connection terminates at a security
server. See “Preparing to Use a Security Server,” on page 76 for information on DMZ deployments and
security servers.

Clients that use the PCoIP display protocol can use the tunnel connection for USB redirection and
multimedia redirection (MMR) acceleration, but for all other data, PCoIP uses the PCoIP Secure Gateway on
a security server. For more information, see “Client Connections Using the PCoIP Secure Gateway,” on
page 70.

Direct Client Connections

Administrators can configure View Connection Server settings so that remote desktop and application
sessions are established directly between the client system and the remote application or desktop virtual
machine, bypassing the View Connection Server host. This type of connection is called a direct client
connection.

With direct client connections, an HTTPS connection is still made between the client and the View
Connection Server host for users to authenticate and select remote desktops and applications, but the second
HTTPS connection (the tunnel connection) is not used.

Direct PCoIP connections include the following built-in security features:

• PCoIP supports Advanced Encryption Standard (AES) encryption, which is turned on by default, and
  PCoIP uses IP Security (IPsec).
• PCoIP works with third-party VPN clients.

For clients that use the Microsoft RDP display protocol, direct client connections to remote desktops are
appropriate only if your deployment is inside a corporate network. With direct client connections, RDP
traffic is sent unencrypted over the connection between the client and the desktop virtual machine.

Choosing a User Authentication Method

View uses your existing Active Directory infrastructure for user authentication and management. For added
security, you can integrate View with two-factor authentication solutions, such as RSA SecurID and
RADIUS, and smart card authentication solutions.

• Active Directory Authentication on page 72
  Each View Connection Server instance is joined to an Active Directory domain, and users are
  authenticated against Active Directory for the joined domain. Users are also authenticated against any
  additional user domains with which a trust agreement exists.
• Using Two-Factor Authentication on page 72
  You can configure a View Connection Server instance so that users are required to use RSA SecurID
  authentication or RADIUS (Remote Authentication Dial-In User Service) authentication.
• Smart Card Authentication on page 73
  A smart card is a small plastic card that is embedded with a computer chip. Many government
  agencies and large enterprises use smart cards to authenticate users who access their computer
  networks. One type of smart card used by the United States Department of Defense is called a
  Common Access Card (CAC).
• Using the Log In as Current User Feature Available with Windows-Based Horizon Client on page 73
  With Horizon Client for Windows, when users select the Log in as current user check box, the
  credentials that they provided when logging in to the client system are used to authenticate to the
  View Connection Server instance and to the remote desktop. No further user authentication is
  required.

Chapter 5 Planning for Security Features
VMware, Inc. 71