View Installation
VMware Horizon 6
Version 6.1

This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent editions of this document, see http://www.vmware.com/support/pubs.
You can find the most up-to-date technical documentation on the VMware Web site at: http://www.vmware.com/support/

The VMware Web site also provides the latest product updates. If you have comments about this documentation, submit your feedback to: docfeedback@vmware.com

Copyright © 2015 VMware, Inc. All rights reserved. Copyright and trademark information.

VMware, Inc. 3401 Hillview Ave. Palo Alto, CA 94304 www.vmware.com
Contents

View Installation
1 System Requirements for Server Components
   View Connection Server Requirements
   View Administrator Requirements
   View Composer Requirements
2 System Requirements for Guest Operating Systems
   Supported Operating Systems for View Agent
   Supported Operating Systems for Standalone View Persona Management
   Remote Display Protocol and Software Support
3 Installing View in an IPv6 Environment
   Setting Up View in an IPv6 Environment
   Supported vSphere , Data
6 Installing View Connection Server
   Installing the View Connection Server Software
   Installation Prerequisites for View Connection Server
   Install View Connection Server with a New Configuration
   Install a Replicated Instance of View Connection Server
   Configure a Security Server Pairing Password
   Install a Security Server
   Firewall Rules for View Connection Server
   Reinstall View Connection Server with a Backup Configuration
   Microsoft Windows Installer Command-Line O
View Installation

View Installation explains how to install the VMware Horizon™ 6 server and client components.

Intended Audience

This information is intended for anyone who wants to install VMware Horizon 6. The information is written for experienced Windows or Linux system administrators who are familiar with virtual machine technology and datacenter operations.
1 System Requirements for Server Components

Hosts that run View server components must meet specific hardware and software requirements.
Hardware Requirements for View Connection Server

You must install all View Connection Server installation types, including standard, replica, and security server installations, on a dedicated physical or virtual machine that meets specific hardware requirements.

Table 1‑1. View Connection Server Hardware Requirements

Hardware Component | Required | Recommended
Processor | Pentium IV 2.
Network Requirements for Replicated View Connection Server Instances

When installing replicated View Connection Server instances, you must usually configure the instances in the same physical location and connect them over a high-performance LAN. Otherwise, latency issues could cause the View LDAP configurations on View Connection Server instances to become inconsistent.
- Hardware Requirements for Standalone View Composer on page 10
  If you install View Composer on a different physical or virtual machine from the one used for vCenter Server, you must use a dedicated machine that meets specific hardware requirements.
- Database Requirements for View Composer on page 11
  View Composer requires an SQL database to store data. The View Composer database must reside on, or be available to, the View Composer server host.
Database Requirements for View Composer

View Composer requires an SQL database to store data. The View Composer database must reside on, or be available to, the View Composer server host. If a database server instance already exists for vCenter Server, View Composer can use that existing instance if it is a version listed in Table 1-5. For example, View Composer can use the Microsoft SQL Server instance provided with vCenter Server.
2 System Requirements for Guest Operating Systems

Systems running View Agent or Standalone View Persona Management must meet certain hardware and software requirements.
You can install the standalone version of View Persona Management on physical computers. See “Supported Operating Systems for Standalone View Persona Management,” on page 14.

The following table lists the Windows operating systems versions that are supported for creating desktop pools and application pools on an RDS host.

Table 2‑2.
PCoIP

PCoIP (PC over IP) provides an optimized desktop experience for the delivery of a remote application or an entire remote desktop environment, including applications, images, audio, and video content for a wide range of users on the LAN or across the WAN. PCoIP can compensate for an increase in latency or a reduction in bandwidth, to ensure that end users can remain productive regardless of network conditions.
Video Quality Requirements

480p-formatted video
   You can play video at 480p or lower at native resolutions when the remote desktop has a single virtual CPU. If you want to play the video in high-definition Flash or in full screen mode, the desktop requires a dual virtual CPU. Even with a dual virtual CPU desktop, as low as 360p-formatted video played in full screen mode can lag behind audio, particularly on Windows clients.
Hardware Requirements for Client Systems

For information about processor and memory requirements, see the "Using VMware Horizon Client" document for the specific type of client system. Go to https://www.vmware.com/support/viewclients/doc/viewclients_pubs.html.

NOTE Mobile client devices use only the PCoIP display protocol.
3 Installing View in an IPv6 Environment

View supports IPv6 as an alternative to IPv4. The environment must be either IPv6 only or IPv4 only. View does not support a mixed IPv6 and IPv4 environment. Not all View features that are supported in an IPv4 environment are supported in an IPv6 environment. View does not support upgrading from an IPv4 environment to an IPv6 environment. Also, View does not support migration between IPv4 and IPv6 environments.
- Setting the PCoIP External URL. See “Set the External URLs for a View Connection Server Instance,” on page 106.
- Modifying the PCoIP External URL. See “Set the External URLs for a View Connection Server Instance,” on page 106.
- Installing View Agent. See the View Agent installation topics in the Setting Up Desktop and Application Pools document.
- Installing Horizon Client for Windows. See the VMware Horizon Client for Windows document in https://www.vmware.
Supported Windows Operating Systems for Desktops and RDS Hosts in an IPv6 Environment

In an IPv6 environment, View supports specific Windows operating systems for desktop machines and RDS hosts. RDS hosts provide session-based desktops and applications to users. The following Windows operating systems are supported for desktop machines.
- HTML Access through Blast Secure Gateway

Supported Authentication Types in an IPv6 Environment

In an IPv6 environment, View supports specific authentication types.
- Scanner redirection
- USB redirection
- Multimedia redirection (MMR)
- Real-time audio-video (RTAV)
- Persona Management
- vRealize Operations Desktop Agent
- Lync
- Syslog
- Log Insight
- Serial redirection
- Flash URL redirection
- Teradici TERA host card
4 Preparing Active Directory

View uses your existing Microsoft Active Directory infrastructure for user authentication and management. You must perform certain tasks to prepare Active Directory for use with View.
Users are authenticated against Active Directory for the View Connection Server host's domain and against any additional user domains with which a trust agreement exists.

NOTE Because security servers do not access any authentication repositories, including Active Directory, they do not need to reside in an Active Directory domain.
Creating Groups for Users

You should create groups for different types of users in Active Directory. For example, you can create a group called View Users for your end users and another group called View Administrators for users that will administer remote desktops and applications.

Creating a User Account for vCenter Server

You must create a user account in Active Directory to use with vCenter Server.
2 Add the Create Computer Objects, Delete Computer Objects, and Write All Properties permissions to the account in the Active Directory container in which the linked-clone computer accounts are created or to which the linked-clone computer accounts are moved.
Procedure

1 On the Active Directory server, navigate to the Group Policy Management plug-in.

   AD Version: Windows 2003
   Navigation Path:
      a Select Start > All Programs > Administrative Tools > Active Directory Users and Computers.
      b Right-click your domain and click Properties.
      c On the Group Policy tab, click Open to open the Group Policy Management plug-in.
      d Right-click Default Domain Policy, and click Edit.

   AD Version: Windows 2008
   Navigation Path:
      a
      b
- Add the Root Certificate to the Enterprise NTAuth Store on page 31
  If you use a CA to issue smart card login or domain controller certificates, you must add the root certificate to the Enterprise NTAuth store in Active Directory. You do not need to perform this procedure if the Windows domain controller acts as the root CA.
3 Right-click Trusted Root Certification Authorities and select Import.
4 Follow the prompts in the wizard to import the root certificate (for example, rootCA.cer) and click OK.
5 Close the Group Policy window.

All of the systems in the domain now have a copy of the root certificate in their trusted root store.
The CA is now trusted to issue certificates of this type.
5 Installing View Composer

To use View Composer, you create a View Composer database, install the View Composer service, and optimize your View infrastructure to support View Composer. You can install the View Composer service on the same host as vCenter Server or on a separate host.

View Composer is an optional feature. Install View Composer if you intend to deploy linked-clone desktop pools. You must have a license to install and use the View Composer feature.
- Create a SQL Server Database for View Composer on page 34
  View Composer can store linked-clone desktop information in a SQL Server database. You create a View Composer database by adding it to SQL Server and configuring an ODBC data source for it.
- Create an Oracle Database for View Composer on page 37
  View Composer can store linked-clone desktop information in an Oracle 12c or 11g database.
4 In the New Database dialog box, type a name in the Database name text box. For example: ViewComposer
5 Click OK.
  SQL Server Management Studio adds your database to the Databases entry in the Object Explorer panel.
6 Exit Microsoft SQL Server Management Studio.
6 In the View Composer database, grant the schema permissions SELECT, INSERT, DELETE, UPDATE, and EXECUTE on the dbo schema to the VCMP_USER_ROLE.
7 Grant the VCMP_USER_ROLE to the user [vcmpuser].
8 Grant the VCMP_ADMIN_ROLE to the user [vcmpuser].
9 In the MSDB database, create the database role VCMP_ADMIN_ROLE.
10 Grant privileges to the VCMP_ADMIN_ROLE in MSDB.
   a On the MSDB tables syscategories, sysjobsteps, and sysjobs grant the SELECT permission to the user [vcmpuser].
6 In the Server text box, type the SQL Server database name. Use the form host_name\server_name, where host_name is the name of the computer and server_name is the SQL Server instance. For example: VCHOST1\VIM_SQLEXP
7 Click Next.
8 Make sure that the Connect to SQL Server to obtain default settings for the additional configuration options check box is selected and select an authentication option.
Add a View Composer Database to Oracle 12c or 11g

You can use the Oracle Database Configuration Assistant to add a new View Composer database to an existing Oracle 12c or 11g instance.

Prerequisites

Verify that a supported version of Oracle 12c or 11g is installed on the local or remote computer. See “Database Requirements for View Composer,” on page 11.

Procedure

1 Start the Database Configuration Assistant on the computer on which you are adding the View Composer database.
Procedure

1 Log in to a SQL*Plus session with the system account.
2 Run the following SQL statement to create the database.

   CREATE SMALLFILE TABLESPACE "VCMP"
   DATAFILE '/u01/app/oracle/oradata/vcdb/vcmp01.dbf' SIZE 512M
   AUTOEXTEND ON NEXT 10M MAXSIZE UNLIMITED
   LOGGING EXTENT MANAGEMENT LOCAL
   SEGMENT SPACE MANAGEMENT AUTO;

   In this example, VCMP is the sample name of the View Composer database and vcmp01.dbf is the name of the database file.
Add an ODBC Data Source to Oracle 12c or 11g

After you add a View Composer database to an Oracle 12c or 11g instance, you must configure an ODBC connection to the new database to make this data source visible to the View Composer service.

When you configure an ODBC DSN for View Composer, secure the underlying database connection to an appropriate level for your environment. For information about securing database connections, see the Oracle database documentation.
For details about configuring SSL certificates and using the SviConfig ReplaceCertificate utility, see Chapter 7, “Configuring SSL Certificates for View Servers,” on page 71.

If you install vCenter Server and View Composer on the same Windows Server computer, they can use the same SSL certificate, but you must configure the certificate separately for each component.

Install the View Composer Service

To use View Composer, you must install the View Composer service.
5 Type the DSN for the View Composer database that you provided in the Microsoft or Oracle ODBC Data Source Administrator wizard. For example: VMware View Composer
  NOTE If you did not configure a DSN for the View Composer database, click ODBC DSN Setup to configure a name now.
6 Type the domain administrator user name and password that you provided in the ODBC Data Source Administrator wizard.
Configuring Your Infrastructure for View Composer

You can take advantage of features in vSphere, vCenter Server, Active Directory, and other components of your infrastructure to optimize the performance, availability, and reliability of View Composer.

Configuring the vSphere Environment for View Composer

To support View Composer, you should follow certain best practices when you install and configure vCenter Server, ESXi, and other vSphere components.
6 Installing View Connection Server

To use View Connection Server, you install the software on supported computers, configure the required components, and, optionally, optimize the components.
- You must join the View Connection Server host to an Active Directory domain. View Connection Server supports the following Active Directory Domain Services (AD DS) domain functional levels:
  - Windows Server 2003
  - Windows Server 2008
  - Windows Server 2008 R2
  - Windows Server 2012
  - Windows Server 2012 R2
  The View Connection Server host must not be a domain controller.
By default, the HTML Access component is installed on the View Connection Server host when you install View Connection Server. This component configures the View user portal page to display an HTML Access icon in addition to the Horizon Client icon. The additional icon allows users to select HTML Access when they connect to their desktops.
6 Select the Internet Protocol (IP) version, IPv4 or IPv6.
  You must install all View components with the same IP version.
7 Make sure that Install HTML Access is selected if you intend to allow users to connect to their desktops by using HTML Access.
  If IPv4 is selected, this setting is selected by default. If IPv6 is selected, this setting is not displayed because HTML Access is not supported in an IPv6 environment.
- VMware Horizon View Blast Secure Gateway
- VMware Horizon View Web Component
- VMware VDMDS, which provides View LDAP directory services

For information about these services, see the View Administration document.

If the Install HTML Access setting was selected during the installation, the HTML Access component is installed on the Windows Server computer.
- If your network topology includes a back-end firewall between a security server and the View Connection Server instance, you must configure the firewall to support IPsec. See “Configuring a Back-End Firewall to Support IPsec,” on page 66.
- Verify that the Windows computer on which you install View Connection Server has version 2.0 or later of the MSI runtime engine. For details, see the Microsoft Web site.
- Familiarize yourself with the MSI installer command-line options.
If the Install HTML Access setting was selected during the installation, the HTML Access component is installed on the Windows Server computer. This component configures the HTML Access icon in the View user portal page and enables the VMware Horizon View Connection Server (Blast-In) rule in the Windows Firewall. This firewall rule allows Web browsers on client devices to connect to the View Connection Server on TCP port 8443.
Install a Replicated Instance of View Connection Server

To provide high availability and load balancing, you can install one or more additional instances of View Connection Server that replicate an existing View Connection Server instance. After a replica installation, the existing and newly installed instances of View Connection Server are identical.

When you install a replicated instance, View copies the View LDAP configuration data from the existing View Connection Server instance.
- If you install a replicated View Connection Server instance that is View 5.1 or later, and the existing View Connection Server instance you are replicating is View 5.0.x or earlier, prepare a data recovery password. See “Install View Connection Server with a New Configuration,” on page 46.
- Familiarize yourself with the network ports that must be opened on the Windows Firewall for View Connection Server instances.
The View services are installed on the Windows Server computer:

- VMware Horizon View Connection Server
- VMware Horizon View Framework Component
- VMware Horizon View Message Bus Component
- VMware Horizon View Script Host
- VMware Horizon View Security Gateway Component
- VMware Horizon View PCoIP Secure Gateway
- VMware Horizon View Blast Secure Gateway
- VMware Horizon View Web Component
- VMware VDMDS, which provides View LDAP directory services

For information abou
- If you use MIT Kerberos authentication to log in to a Windows Server 2008 R2 computer on which you are installing View Connection Server, install the Microsoft hotfix that is described in KB 978116 at http://support.microsoft.com/kb/978116.
- Verify that your installation satisfies the requirements described in “View Connection Server Requirements,” on page 7.
4 Check for new patches on the Windows Server computer and run Windows Update as needed.
  Even if you fully patched the Windows Server computer before you installed View Connection Server, the installation might have enabled operating system features for the first time. Additional patches might now be required.
Silent Installation Properties for a Replicated Instance of View Connection Server

You can include specific properties when you silently install a replicated View Connection Server instance from the command line. You must use a PROPERTY=value format so that Microsoft Windows Installer (MSI) can interpret the properties and values.

Table 6‑2.
Configure a Security Server Pairing Password

Before you can install a security server, you must configure a security server pairing password. When you install a security server with the View Connection Server installation program, the program prompts you for this password during the installation process.

The security server pairing password is a one-time password that permits a security server to be paired with a View Connection Server instance.
- Prepare your environment for the installation. See “Installation Prerequisites for View Connection Server,” on page 45.
- Verify that the View Connection Server instance to be paired with the security server is installed and configured and is running a View Connection Server version that is compatible with the security server version. See "View Component Compatibility Matrix" in the View Upgrades document.
9 In the External URL text box, type the external URL of the security server for client endpoints that use the RDP or PCoIP display protocols.
  The URL must contain the protocol, client-resolvable security server name, and port number. Tunnel clients that run outside of your network use this URL to connect to the security server.
  For example: https://view.example.
The VMware Horizon View Connection Server (Blast-In) rule is enabled in the Windows Firewall on the security server. This firewall rule allows Web browsers on client devices to use HTML Access to connect to the security server on TCP port 8443.

NOTE If the installation is cancelled or aborted, you might have to remove IPsec rules for the security server before you can begin the installation again.
- Verify that Windows Firewall with Advanced Security is set to on in the active profiles. It is recommended that you turn this setting to on for all profiles. By default, IPsec rules govern connections between security server and View Connection Server and require Windows Firewall with Advanced Security to be enabled.
- Familiarize yourself with the network ports that must be opened on the Windows Firewall for a security server.
What to do next

Configure an SSL server certificate for the security server. See Chapter 7, “Configuring SSL Certificates for View Servers,” on page 71.

You might have to configure client connection settings for the security server, and you can tune Windows Server settings to support a large deployment. See “Configuring Horizon Client Connections,” on page 103 and “Sizing Windows Server Settings to Support Your Deployment,” on page 113.
Table 6‑3. MSI Properties for Silently Installing a Security Server (Continued)

MSI Property | Description | Default Value
VDM_SERVER_SS_PCOIP_TCPPORT | The PCoIP Secure Gateway external TCP port number. This property is supported only when the security server is installed on Windows Server 2008 R2 or later. For example: VDM_SERVER_SS_PCOIP_TCPPORT=4172 This property is required if you plan to use the PCoIP Secure Gateway component. | None
You can configure an initial security server pairing without using IPsec rules. Before you install the security server, you can open View Administrator and deselect the global setting Use IPSec for Security Server Connections, which is enabled by default. If IPsec rules are not in effect, you do not have to remove them before you upgrade or reinstall.
Table 6‑4. Ports Opened During View Connection Server Installation (Continued)

Protocol | Ports | View Connection Server Instance Type
AJP13 | TCP 8009 | Standard and replica
HTTP | TCP 80 | Standard, replica, and security server
HTTPS | TCP 443 | Standard, replica, and security server
PCoIP | TCP 4172 in; UDP 4172 both directions | Standard, replica, and security server
HTTPS | TCP 8443 | Standard, replica, and security server.
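A read-only check of the host firewall against the ports in Table 6‑4, added here as an example and not taken from VMware's documentation or tools. It assumes the NetSecurity and NetTCPIP cmdlets (Windows Server 2012 or later) and that the Blast-In rule's display name is the rule name quoted in this guide; the function names are hypothetical and the port map covers only the table rows shown on this page.

```powershell
# Added example, not VMware code. Function and variable names are hypothetical.
# Read-only: nothing on the host is changed.

# Ports per instance type, limited to the Table 6-4 rows visible on this page.
$AllRoles = @('Standard', 'Replica', 'SecurityServer')
$ViewPorts = @(
    @{ Name = 'AJP13'; Proto = 'TCP'; Port = 8009; Roles = @('Standard', 'Replica') }
    @{ Name = 'HTTP';  Proto = 'TCP'; Port = 80;   Roles = $AllRoles }
    @{ Name = 'HTTPS'; Proto = 'TCP'; Port = 443;  Roles = $AllRoles }
    @{ Name = 'PCoIP'; Proto = 'TCP'; Port = 4172; Roles = $AllRoles }
    @{ Name = 'PCoIP'; Proto = 'UDP'; Port = 4172; Roles = $AllRoles }
    @{ Name = 'HTTPS (HTML Access)'; Proto = 'TCP'; Port = 8443; Roles = $AllRoles }
)

function Test-ViewHostPorts {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [ValidateSet('Standard', 'Replica', 'SecurityServer')]
        [string]$Role,
        # Pass port lists to evaluate a captured state instead of the live host.
        [int[]]$ListeningTcp,
        [int[]]$BoundUdp
    )
    if (-not $PSBoundParameters.ContainsKey('ListeningTcp')) {
        $ListeningTcp = @(Get-NetTCPConnection -State Listen |
            ForEach-Object { [int]$_.LocalPort })
    }
    if (-not $PSBoundParameters.ContainsKey('BoundUdp')) {
        $BoundUdp = @(Get-NetUDPEndpoint | ForEach-Object { [int]$_.LocalPort })
    }
    foreach ($row in @($ViewPorts | Where-Object { $_.Roles -contains $Role })) {
        if ($row.Proto -eq 'TCP') { $bound = $ListeningTcp -contains $row.Port }
        else                      { $bound = $BoundUdp -contains $row.Port }
        [pscustomobject]@{
            Check = "$($row.Name) $($row.Proto) $($row.Port) bound"
            Ok    = $bound
        }
    }
}

function Get-ViewFirewallPrereq {
    # Windows Firewall must be on in the active profiles (all profiles recommended),
    # because the IPsec rules between security server and Connection Server need it.
    Get-NetFirewallProfile | ForEach-Object {
        [pscustomobject]@{
            Check = "Firewall profile $($_.Name) enabled"
            Ok    = ([string]$_.Enabled -eq 'True')
        }
    }
    # Rule the installer enables when HTML Access is installed (TCP 8443).
    # Assumption: the display name equals the rule name quoted in the guide.
    $rule = Get-NetFirewallRule -DisplayName 'VMware Horizon View Connection Server (Blast-In)' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Check = 'Blast-In rule present and enabled'
        Ok    = [bool]($rule | Where-Object { [string]$_.Enabled -eq 'True' })
    }
}

# Constructed sample: a standard instance on which the PCoIP ports are not bound.
Test-ViewHostPorts -Role Standard -ListeningTcp 80, 443, 8009, 8443 -BoundUdp 53 |
    Format-Table -AutoSize

# Live host (run elevated on the View server):
# Get-ViewFirewallPrereq | Format-Table -AutoSize
# Test-ViewHostPorts -Role SecurityServer | Format-Table -AutoSize
```

The IPsec rules in the NAT firewall table apply to the firewall between the security server and View Connection Server, so they are not checked by this host-side script.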
The following rules apply to firewalls that use NAT.

Table 6‑6. NAT Firewall Requirements to Support IPsec Rules

Source | Protocol | Port | Destination | Notes
Security server | ISAKMP | UDP 500 | View Connection Server | Security servers use UDP port 500 to initiate IPsec security negotiation.
Security server | NAT-T ISAKMP | UDP 4500 | View Connection Server | Security servers use UDP port 4500 to traverse NATs and negotiate IPsec security.
4 Uninstall the View Connection Server from the computer by using the Windows Add/Remove Programs utility.
  Do not uninstall the View LDAP configuration, called the AD LDS Instance VMwareVDMDS instance. You can use the Add/Remove Programs utility to verify that the AD LDS Instance VMwareVDMDS instance was not removed from the Windows Server computer.
5 Reinstall View Connection Server.
  At the installer prompt, accept the existing View LDAP directory.
Table 6‑8. MSI Command-Line Options and MSI Properties

MSI Option or Property | Description

/qn
   Instructs the MSI installer not to display the installer wizard pages. For example, you might want to install View Agent silently and use only default setup options and features:

      VMware-viewagent-y.y.y-xxxxxx.exe /s /v"/qn"

   Alternatively, you can use the /qb option to display the wizard pages in a noninteractive, automated installation.
Uninstalling View Components Silently by Using MSI Command-Line Options

You can uninstall View components by using Microsoft Windows Installer (MSI) command-line options.

Syntax

   msiexec.exe /qb /x product_code

Options

The /qb option displays the uninstall progress bar. To suppress displaying the uninstall progress bar, replace the /qb option with the /qn option.

The /x option uninstalls the View component.
7 Configuring SSL Certificates for View Servers

VMware strongly recommends that you configure SSL certificates for authentication of View Connection Server instances, security servers, and View Composer service instances.

A default SSL server certificate is generated when you install View Connection Server instances, security servers, or View Composer instances. You can use the default certificate for testing purposes.

IMPORTANT Replace the default certificate as soon as possible.
- If you upgrade to View 5.1 or later from an earlier release, and a valid keystore file is configured on the Windows Server computer. The installation extracts the keys and certificates and imports them into the Windows Certificate Store.

vCenter Server and View Composer

Before you add vCenter Server and View Composer to View in a production environment, make sure that vCenter Server and View Composer use certificates that are signed by a CA.
Similarly, if a SAML 2.0 authenticator is configured for View Connection Server, the View Connection Server computer must have installed the root certificate of the signing CA for the SAML 2.0 server certificate.

Overview of Tasks for Setting Up SSL Certificates

To set up SSL server certificates for View servers, you must perform several high-level tasks.
If a SAML authenticator is configured for use with a View Connection Server instance, View Connection Server also performs certificate revocation checking on the SAML server certificate.

Obtaining a Signed SSL Certificate from a CA

If your organization does not provide you with an SSL server certificate, you must request a new certificate that is signed by a CA. You can use several methods to obtain a new signed certificate.
- Verify that you have the appropriate credentials to request a certificate that can be issued to a computer or service.

Procedure

1 In the MMC window on the Windows Server host, expand the Certificates (local computer) node and select the Personal folder.
2 From the Action menu, go to All Tasks > Request New Certificate to display the Certificate Enrollment wizard.
3 Select a Certificate Enrollment Policy.
2 Import a Signed Server Certificate into a Windows Certificate Store on page 76
  You must import the SSL server certificate into the Windows local computer certificate store on the Windows Server host on which the View Connection Server instance or security server service is installed.
For more information about certificates, consult the Microsoft online help available with the Certificate snap-in to MMC.

NOTE If you off-load SSL connections to an intermediate server, you must import the same SSL server certificate onto both the intermediate server and the off-loaded View server. For details, see "Off-load SSL Connections to Intermediate Servers" in the View Administration document.
3 On the General tab, delete the Friendly name text and type vdm.
4 Click Apply and click OK.
5 Verify that no other server certificates in the Personal > Certificates folder have a Friendly name of vdm.
   a Locate any other server certificate, right-click the certificate, and click Properties.
   b If the certificate has a Friendly name of vdm, delete the name, click Apply, and click OK.
2 Right-click the Trusted Root Certification Authorities > Certificates folder and click All Tasks > Import.
3 In the Certificate Import wizard, click Next and browse to the location where the root CA certificate is stored.
4 Select the root CA certificate file and click Open.
5 Click Next, click Next, and click Finish.
6 Restart the View Composer service to make your changes take effect.
2 On the Active Directory server, navigate to the Group Policy Management plug-in.

   AD Version: Windows 2003
   Navigation Path:
      a Select Start > All Programs > Administrative Tools > Active Directory Users and Computers.
      b Right-click your domain and click Properties.
      c On the Group Policy tab, click Open to open the Group Policy Management plug-in.
      d Right-click Default Domain Policy, and click Edit.

   AD Version: Windows 2008
   Navigation Path:
      a
      b
Configure Horizon Client for iOS to Trust Root and Intermediate Certificates

If a server certificate is signed by a CA that is not trusted by iPads and iPhones that run Horizon Client for iOS, you can configure the device to trust the root and intermediate certificates. You must distribute the root certificate and all intermediate certificates in the trust chain to the devices.

Procedure

1 Send the root certificate and intermediate certificates as email attachments to the iPad.
Value | Description
1 | Do not perform certificate revocation checking.
2 | Check only the server certificate. Do not check any other certificates in the chain.
3 | Check all certificates in the chain.
4 | (Default) Check all certificates except the root certificate.

If this registry value is not set, or if the value set is not valid (that is, if the value is not 1, 2, 3, or 4), all certificates are checked except the root certificate.
2. Configure a PSG Certificate in the Windows Certificate Store on page 84
   To replace the default PSG certificate with a CA-signed certificate, you must configure the certificate and its private key in the Windows local computer certificate store on the View Connection Server or security server computer on which the PSG is running.
Prerequisites
- Verify that the key length is at least 1024 bits.
- Verify that the SSL certificate is valid. The current time on the server computer must be within the certificate start and end dates.
- Verify that the certificate subject name or a subject alternate name matches the SSLCertPsgSni setting in the Windows registry. See “Verify That the Server Name Matches the PSG Certificate Subject Name,” on page 84.
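The Friendly name uniqueness check and the PSG certificate prerequisites described above can be verified from PowerShell instead of by eye in the MMC snap-in. The script below is an added example, not VMware code: its parameters (FriendlyName, MinKeyBits, Psg) and the function name Test-ViewServerCertificate are assumptions made for illustration, while the registry key and the SSLCertPsgSni value are the ones named in this document.

```powershell
# Added example, not VMware code. Run elevated on the View server being checked.
param(
    [string]$FriendlyName = 'vdm',  # name the server looks up; pass the PSG name for a PSG certificate
    [int]$MinKeyBits = 1024,        # minimum from the prerequisites; 2048 or more is the usual baseline today
    [switch]$Psg                    # also compare certificate names with the SSLCertPsgSni registry value
)

function Test-ViewServerCertificate {
    param([string]$FriendlyName, [int]$MinKeyBits, [string]$ExpectedName)

    $findings = New-Object 'System.Collections.Generic.List[string]'
    $candidates = @(Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.FriendlyName -eq $FriendlyName })

    # The certificate is selected by Friendly name, so exactly one may carry it.
    if ($candidates.Count -ne 1) {
        $findings.Add("Expected exactly one certificate named '$FriendlyName', found $($candidates.Count)")
        return $findings
    }
    $cert = $candidates[0]

    $now = Get-Date
    if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
        $findings.Add("Current time is outside the validity period $($cert.NotBefore) to $($cert.NotAfter)")
    }
    if (-not $cert.HasPrivateKey) {
        $findings.Add('No private key is associated with the certificate in this store')
    }

    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
    if ($null -eq $rsa) {
        $findings.Add('Public key is not RSA; key length was not checked')
    } elseif ($rsa.KeySize -lt $MinKeyBits) {
        $findings.Add("RSA key is $($rsa.KeySize) bits, below the minimum of $MinKeyBits")
    }

    if ($ExpectedName) {
        # DnsNameList holds the SAN DNS names (or the subject when there is no SAN); add the CN explicitly.
        $names = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
        $names += $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
        if ($names -notcontains $ExpectedName) {
            $findings.Add("'$ExpectedName' is not among the certificate names: $($names -join ', ')")
        }
    }
    return $findings
}

$expected = ''
if ($Psg) {
    $key = 'HKLM:\SOFTWARE\Teradici\SecurityGateway'
    $expected = (Get-ItemProperty -Path $key -Name SSLCertPsgSni -ErrorAction SilentlyContinue).SSLCertPsgSni
    if (-not $expected) { Write-Warning "SSLCertPsgSni is not set under $key; name check skipped" }
}
$result = @(Test-ViewServerCertificate -FriendlyName $FriendlyName -MinKeyBits $MinKeyBits -ExpectedName $expected)
if ($result.Count -eq 0) { "OK: '$FriendlyName' passed all checks" } else { $result }
```

The name comparison is an exact, case-insensitive match, so a wildcard certificate is reported as not matching and has to be checked by hand.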
Set the PSG Certificate Friendly Name in the Windows Registry

The PSG identifies the SSL certificate to use by means of the server name and certificate Friendly name. You must set the Friendly name value in the Windows registry on the View Connection Server or security server computer on which the PSG is running. The certificate Friendly name vdm is used by all View Connection Server instances and security servers.
Prerequisites
Verify that all client devices that connect to this server, including thin clients, run Horizon Client 5.2 for Windows or Horizon Client 2.0 or later releases. You must upgrade the legacy clients.

Procedure
1. Start the Windows Registry Editor on the View Connection Server or security server computer where the PCoIP Secure Gateway is running.
2. Navigate to the HKEY_LOCAL_MACHINE\SOFTWARE\Teradici\SecurityGateway registry key.
Troubleshooting Certificate Issues on View Connection Server and Security Server

Certificate issues on a View server prevent you from connecting to View Administrator or cause a red health indicator to be displayed for a server.

Problem
You cannot connect to View Administrator on the View Connection Server instance with the problem.
Chapter 8 Configuring View for the First Time

After you install the View server software and configure SSL certificates for the servers, you must take a few additional steps to set up a working View environment. You configure user accounts for vCenter Server and View Composer, install a View license key, add vCenter Server and View Composer to your View environment, configure the PCoIP Secure Gateway and secure tunnel, and, optionally, size Windows Server settings to support your View environment.
Where to Use the vCenter Server User and View Composer Users

After you create and configure these user accounts, you specify the user names in View Administrator.
- You specify a vCenter Server user when you add vCenter Server to View.
- You specify a standalone View Composer Server user when you configure View Composer settings and select Standalone View Composer Server.
- You specify a View Composer user for AD operations when you configure View Composer domains.
2. In vSphere Client, right-click the vCenter Server at the top level of the inventory, click Add Permission, and add the vCenter Server user.
   NOTE You must define the vCenter Server user at the vCenter Server level.
3. From the drop-down menu, select the Administrator role, or the View Composer or View Manager role that you created, and assign it to the vCenter Server user.
Table 8‑1. Privileges Required for the View Manager Role (Continued)

Privilege Group: Host
Privileges to Enable: In Configuration:
- Advanced settings

Privilege Group: Profile Driven Storage (If you are using Virtual SAN datastores or Virtual Volumes)
Privileges to Enable: (all)

View Composer Privileges Required for the vCenter Server User

To support View Composer, the vCenter Server user must have privileges in addition to those required to support View.
View Administrator and View Connection Server

View Administrator provides a management interface for View. Depending on your View deployment, you use one or more View Administrator interfaces.
- Use one View Administrator interface to manage the View components that are associated with a single, standalone View Connection Server instance or a group of replicated View Connection Server instances.
2. Log in as a user with credentials to access the View Administrators account.
   You specify the View Administrators account when you install a standalone View Connection Server instance or the first View Connection Server instance in a replicated group. The View Administrators account can be the local Administrators group (BUILTIN\Administrators) on the View Connection Server computer or a domain user or group account.
In a testing environment, you can use the default certificate that is installed with vCenter Server, but you must accept the certificate thumbprint when you add vCenter Server to View.
- Verify that all View Connection Server instances in the replicated group trust the root CA certificate for the server certificate that is installed on the vCenter Server host.
- If the vCenter Server instance is configured with a default certificate, you must first determine whether to accept the thumbprint of the existing certificate. See “Accept the Thumbprint of a Default SSL Certificate,” on page 102.

If View uses multiple vCenter Server instances, repeat this procedure to add the other vCenter Server instances.
3. If you are using View Composer, select the location of the View Composer machine.

Option: View Composer is installed on the same machine as vCenter Server.
Description:
a. Select View Composer co-installed with the vCenter Server.
b. Make sure that the port number is the same as the port that you specified when you installed the View Composer service on vCenter Server. The default port number is 18443.

Option: View Composer is installed on its own separate machine.
3. Type the domain user name, including the domain name, of the View Composer user. For example: domain.com\admin
4. Type the account password.
5. Click OK.
6. To add domain user accounts with privileges in other Active Directory domains in which you deploy linked-clone pools, repeat the preceding steps.
7. Click Next to display the Storage Settings page.

What to do next
Enable virtual machine disk space reclamation and configure View Storage Accelerator for View.
View Composer Array Integration (VCAI) is not supported in pools that contain virtual machines with space-efficient disks. VCAI is not supported on linked clones that are virtual hardware version 9 or later, because these OS disks are always space-efficient, even when you disable the space reclamation operation. VCAI uses vStorage APIs for Array Integration (VAAI) native NFS snapshot technology to clone virtual machines.
View Storage Accelerator is now qualified to work in configurations that use View replica tiering, in which replicas are stored on a separate datastore from the linked clones. Although the performance benefits of using View Storage Accelerator with View replica tiering are not materially significant, certain capacity-related benefits might be realized by storing the replicas on a separate datastore. Hence, this combination is tested and supported.
Concurrent Operations Limits for vCenter Server and View Composer

When you add vCenter Server to View or edit the vCenter Server settings, you can configure several options that set the maximum number of concurrent operations that are performed by vCenter Server and View Composer. You configure these options in the Advanced Settings panel on the vCenter Server Information page.

Table 8‑3.
For example, the average desktop takes two to three minutes to start. Therefore, the concurrent power operations limit should be 3 times the peak power-on rate. The default setting of 50 is expected to support a peak power-on rate of 16 desktops per minute. The system waits a maximum of five minutes for a desktop to start. If the start time takes longer, other errors are likely to occur. To be conservative, you can set a concurrent power operations limit of 5 times the peak power-on rate.
Procedure
1. When View Administrator displays an Invalid Certificate Detected dialog box, click View Certificate.
2. Examine the certificate thumbprint in the Certificate Information window.
3. Examine the certificate thumbprint that was configured for the vCenter Server or View Composer instance.
   a. On the vCenter Server or View Composer host, start the MMC snap-in and open the Windows Certificate Store.
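The thumbprint comparison in this procedure can also be done on the host with PowerShell, which avoids misreading a long hex string. This is an added example, not VMware code; the parameter DisplayedThumbprint and both function names are assumptions, and the script searches every local computer store because it does not assume which folder holds the certificate.

```powershell
# Added example, not VMware code. Run on the vCenter Server or View Composer host.
param(
    [Parameter(Mandatory = $true)]
    [string]$DisplayedThumbprint   # text copied from the Certificate Information window
)

function ConvertTo-NormalizedThumbprint {
    param([string]$Text)
    # Drop spaces, colons and invisible characters picked up when copying from a dialog.
    return ($Text -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
}

function Find-CertificateByThumbprint {
    param([string]$Thumbprint)
    $wanted = ConvertTo-NormalizedThumbprint -Text $Thumbprint
    # The Thumbprint property in the Windows store is a SHA-1 hash: 40 hex digits.
    if ($wanted.Length -ne 40) {
        throw "Expected 40 hex digits after normalization, got $($wanted.Length)"
    }
    Get-ChildItem -Path Cert:\LocalMachine -Recurse |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] -and
                       $_.Thumbprint -eq $wanted } |
        Select-Object @{ n = 'Store'; e = { ($_.PSParentPath -split '\\')[-1] } },
                      Subject, NotAfter, Thumbprint
}

$found = @(Find-CertificateByThumbprint -Thumbprint $DisplayedThumbprint)
if ($found.Count -eq 0) {
    Write-Warning 'No certificate in the local computer stores has that thumbprint.'
} else {
    $found | Format-Table -AutoSize
}
```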
When the secure tunnel and secure gateways are disabled, desktop and application sessions are established directly between the client device and the remote machine, bypassing the View Connection Server or security server host. This type of connection is called a direct connection. Desktop and application sessions that use direct connections remain connected even if View Connection Server is no longer running.
4. Configure use of the PCoIP Secure Gateway.

Option: Enable the PCoIP Secure Gateway
Description: Select Use PCoIP Secure Gateway for PCoIP connections to machine.

Option: Disable the PCoIP Secure Gateway
Description: Deselect Use PCoIP Secure Gateway for PCoIP connections to machine.

   The PCoIP Secure Gateway is disabled by default.
5. Click OK to save your changes.
To use the Blast Secure Gateway, a user's endpoint device must have access to an FQDN that it can resolve to an IP address that allows the user's Web browser to reach a View Connection Server or security server host.

Using Tunnel Connections from External Locations

By default, a View Connection Server or security server host can be contacted only by tunnel clients that reside within the same network and are therefore able to locate the requested host.
- To set the Blast external URL, verify that the Blast Secure Gateway is enabled on the View Connection Server instance. See “Configure Secure HTML Access,” on page 105.

Procedure
1. In View Administrator, click View Configuration > Servers.
2. Select the Connection Servers tab, select a View Connection Server instance, and click Edit.
3. Type the secure tunnel external URL in the External URL text box.
Procedure
1. In View Administrator, select View Configuration > Servers.
2. Select the Security Servers tab, select the security server, and click Edit.
3. Type the Secure Tunnel external URL in the External URL text box.
   The URL must contain the protocol, client-resolvable security server host name and port number. For example: https://myserver.example.com:443
   NOTE You can use the IP address if you have to access a security server when the host name is not resolvable.
Procedure
1. Start the ADSI Edit utility on your View Connection Server computer.
2. In the console tree, select Connect to.
3. In the Select or type a Distinguished Name or Naming Context text box, type the distinguished name DC=vdi, DC=vmware, DC=int.
4. In the Select or type a domain or server text box, select or type localhost:389 or the fully qualified domain name (FQDN) of the View Connection Server computer followed by port 389.
Prerequisites
Verify that the port that is specified in the External URL for this View Connection Server instance or security server will continue to be valid after you change ports in this procedure.

Procedure
1. Create or edit the locked.properties file in the SSL gateway configuration folder on the View Connection Server or security server computer. For example:
   install_directory\VMware\VMware View\Server\sslgateway\conf\locked.properties
   The properties in the locked.
Prerequisites
Verify that the port that is specified in the PCoIP External URL on the View Connection Server instance or security server will continue to be valid after you change ports in this procedure.

Procedure
1. Start the Windows Registry Editor on the View Connection Server or security server computer where the PCoIP Secure Gateway is running.
2. Navigate to the HKEY_LOCAL_MACHINE\SOFTWARE\Teradici\SecurityGateway registry key.
4. Type the SviConfig ChangeCertificateBindingPort command. For example:
   sviconfig -operation=ChangeCertificateBindingPort -Port=port number
   where -port=port number is the new port to which View Composer binds the certificate. The port=port number parameter is required.
5. Restart the View Composer service to make your changes take effect.

What to do next
If necessary, manually reconfigure the Windows firewall on the View Composer server to open the updated port.
Procedure
1. Create or edit the locked.properties file in the SSL gateway configuration folder on the View Connection Server or security server computer. For example:
   install_directory\VMware\VMware View\Server\sslgateway\conf\locked.properties
   The properties in the locked.properties file are case sensitive.
2. Add the following lines to the locked.properties file:
   frontMappingHttpDisabled.1=5:*:missing
   frontMappingHttpDisabled.
If you increase a computer's memory to 10GB to support a larger deployment, restart View Connection Server to ensure that the JVM heap size is automatically increased to the recommended value. You do not have to reinstall View Connection Server.

IMPORTANT Do not change the JVM heap size on 64-bit Windows Server computers. Changing this value might make View Connection Server behavior unstable.
Chapter 9 Configuring Event Reporting

You can create an event database to record information about View events. In addition, if you use a Syslog server, you can configure View Connection Server to send events to a Syslog server or create a flat file of events written in Syslog format.
2. Add a user for this database that has permission to create tables, views, and, in the case of Oracle, triggers and sequences, as well as permission to read from and write to these objects.
   For a Microsoft SQL Server database, do not use the Integrated Windows Authentication security model method of authentication. Be sure to use the SQL Server Authentication method of authentication.
Configure the Event Database

The event database stores information about View events as records in a database rather than in a log file. You configure an event database after installing a View Connection Server instance. You need to configure only one host in a View Connection Server group. The remaining hosts in the group are configured automatically.
3. (Optional) In the Event Settings window, click Edit, change the length of time to show events and the number of days to classify events as new, and click OK.
   These settings pertain to the length of time the events are listed in the View Administrator interface. After this time, the events are only available in the historical database tables.

The Database Configuration window displays the current configuration of the event database.
2. (Optional) In the Syslog area, to configure View Connection Server to send events to a Syslog server, click Add next to Send to syslog servers, and supply the server name or IP address and the UDP port number.
3. (Optional) To enable View event log messages to be generated and stored in Syslog format, in log files, select the Log to file: Enable check box.
   The log files are retained locally unless you specify a UNC path to a file share.