Architecture Planning
Table Of Contents
- View Architecture Planning
- Contents
- View Architecture Planning
- Introduction to View
- Planning a Rich User Experience
- Feature Support Matrix for View Agent
- Choosing a Display Protocol
- Using Hosted Applications
- Using View Persona Management to Retain User Data and Settings
- Using USB Devices with Remote Desktops and Applications
- Using the Real-Time Audio-Video Feature for Webcams and Microphones
- Using 3D Graphics Applications
- Streaming Multimedia to a Remote Desktop
- Printing from a Remote Desktop
- Using Single Sign-On for Logging In to a Remote Desktop
- Using Multiple Monitors
- Managing Desktop and Application Pools from a Central Location
- Architecture Design Elements and Planning Guidelines for Remote Desktop Deployments
- Virtual Machine Requirements for Remote Desktops
- View ESXi Node
- Desktop Pools for Specific Types of Workers
- Desktop Virtual Machine Configuration
- RDS Host Virtual Machine Configuration
- vCenter Server and View Composer Virtual Machine Configuration
- View Connection Server Maximums and Virtual Machine Configuration
- vSphere Clusters
- Storage and Bandwidth Requirements
- View Building Blocks
- View Pods
- Advantages of Using Multiple vCenter Servers in a Pod
- Planning for Security Features
- Understanding Client Connections
- Choosing a User Authentication Method
- Restricting Remote Desktop Access
- Using Group Policy Settings to Secure Remote Desktops and Applications
- Implementing Best Practices to Secure Client Systems
- Assigning Administrator Roles
- Preparing to Use a Security Server
- Understanding View Communications Protocols
- Overview of Steps to Setting Up a View Environment
- Index
Smart Card Authentication
A smart card is a small plastic card that is embedded with a computer chip. Many government agencies and
large enterprises use smart cards to authenticate users who access their computer networks. One type of
smart card used by the United States Department of Defense is called a Common Access Card (CAC).
Administrators can enable individual View Connection Server instances for smart card authentication.
Enabling a View Connection Server instance to use smart card authentication typically involves adding your
root certificate to a truststore file and then modifying View Connection Server settings.
All client connections, including client connections that use smart card authentication, are SSL enabled.
To use smart cards, client machines must have smart card middleware and a smart card reader. To install
certificates on smart cards, you must set up a computer to act as an enrollment station. For information
about whether a particular type of Horizon Client supports smart cards, see the Horizon Client
documentation at https://www.vmware.com/support/viewclients/doc/viewclients_pubs.html.
Using the Log In as Current User Feature Available with Windows-Based
Horizon Client
With Horizon Client for Windows, when users select the Log in as current user check box, the credentials
that they provided when logging in to the client system are used to authenticate to the View Connection
Server instance and to the remote desktop. No further user authentication is required.
To support this feature, user credentials are stored on both the View Connection Server instance and on the
client system.
n
On the View Connection Server instance, user credentials are encrypted and stored in the user session
along with the username, domain, and optional UPN. The credentials are added when authentication
occurs and are purged when the session object is destroyed. The session object is destroyed when the
user logs out, the session times out, or authentication fails. The session object resides in volatile memory
and is not stored in View LDAP or in a disk file.
n
On the client system, user credentials are encrypted and stored in a table in the Authentication Package,
which is a component of Horizon Client. The credentials are added to the table when the user logs in
and are removed from the table when the user logs out. The table resides in volatile memory.
Administrators can use Horizon Client group policy settings to control the availability of the Log in as
current user check box and to specify its default value. Administrators can also use group policy to specify
which View Connection Server instances accept the user identity and credential information that is passed
when users select the Log in as current user check box in Horizon Client.
The Log in as current user feature has the following limitations and requirements:
n
When smart card authentication is set to Required on a View Connection Server instance,
authentication fails for users who select the Log in as current user check box when they connect to the
View Connection Server instance. These users must reauthenticate with their smart card and PIN when
they log in to View Connection Server.
n
The time on the system where the client logs in and the time on the View Connection Server host must
be synchronized.
n
If the default Access this computer from the network user-right assignments are modified on the client
system, they must be modified as described in VMware Knowledge Base (KB) article 1025691.
n
The client machine must be able to communicate with the corporate Active Directory server and not use
cached credentials for authentication. For example, if users log in to their client machines from outside
the corporate network, cached credentials are used for authentication. If the user then attempts to
connect to a security server or a View Connection Server instance without first establishing a VPN
connection, the user is prompted for credentials, and the Log in as Current User feature does not work.
Chapter 5 Planning for Security Features
VMware, Inc. 73