View Architecture Planning VMware Horizon 6 Version 6.2 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent editions of this document, see http://www.vmware.com/support/pubs.
View Architecture Planning You can find the most up-to-date technical documentation on the VMware Web site at: http://www.vmware.com/support/ The VMware Web site also provides the latest product updates. If you have comments about this documentation, submit your feedback to: docfeedback@vmware.com Copyright © 2009–2015 VMware, Inc. All rights reserved. Copyright and trademark information. VMware, Inc. 3401 Hillview Ave. Palo Alto, CA 94304 www.vmware.com 2 VMware, Inc.
Contents
View Architecture Planning 5
1 Introduction to View 7
  Advantages of Using View 7
  View Features 9
  How the Components Fit Together 11
  Integrating and Customizing View 15
2 Planning a Rich User Experience 19
  Feature Support Matrix for View Agent 19
  Choosing a Display Protocol 21
  Using Hosted Applications 23
  Using View Persona Management to Retain User Data and Settings 24
  Using USB Devices with Remote Desktops and Applications 25
  Using the Real-Time Audio-Video Feature for Webcams and Microphone
  Advantages of Using Multiple vCenter Servers in a Pod 70
5 Planning for Security Features 73
  Understanding Client Connections 73
  Choosing a User Authentication Method 76
  Restricting Remote Desktop Access 78
  Using Group Policy Settings to Secure Remote Desktops and Applications 79
  Implementing Best Practices to Secure Client Systems 80
  Assigning Administrator Roles 80
  Preparing to Use a Security Server 80
  Understanding View Communications Protocols 86
6 Overview of Steps to Se
View Architecture Planning provides an introduction to VMware Horizon™ 6, including a description of its major features and deployment options and an overview of how the components are typically set up in a production environment.
1 Introduction to View

With View, IT departments can run remote desktops and applications in the datacenter and deliver these desktops and applications to employees as a managed service. End users gain a familiar, personalized environment that they can access from any number of devices anywhere throughout the enterprise or from home. Administrators gain centralized control, efficiency, and security by having desktop data in the datacenter.

- Remote desktops and applications that are hosted in a datacenter experience little or no downtime. Virtual machines can reside on high-availability clusters of VMware servers. Virtual desktops can also connect to back-end physical systems and Microsoft Remote Desktop Services (RDS) hosts.

Convenience: The unified management console is built for scalability so that even the largest View deployments can be efficiently managed from a single management interface.

- Integration with Workspace Portal means that IT managers can use the Web-based Workspace Portal administration interface to monitor user and group entitlements to remote desktops.
- With View Persona Management, physical and virtual desktops can be centrally managed, including user profiles, application entitlement, policies, performance, and other settings. Deploy View Persona Management to physical desktop users prior to converting to virtual desktops.
- Use multiple monitors. With PCoIP multiple-monitor support, you can adjust the display resolution and rotation separately for each monitor.
- Access USB devices and other peripherals that are connected to the local device that displays your virtual desktop. You can specify which types of USB devices end users are allowed to connect to.
- Integrate with Mirage™ and Horizon FLEX™ to manage locally installed virtual machine desktops and to deploy and update applications on dedicated full-clone remote desktops without overwriting user-installed applications.

How the Components Fit Together

End users start Horizon Client to log in to View Connection Server.
Figure 1-2.
View Connection Server: This software service acts as a broker for client connections. View Connection Server authenticates users through Windows Active Directory and directs the request to the appropriate virtual machine, physical PC, or Microsoft RDS host.

- Details about the HTML Access Web client, which allows you to open a remote desktop inside a browser. No Horizon Client application is installed on the client system or device. See the Horizon Client documentation at https://www.vmware.com/support/viewclients/doc/viewclients_pubs.html.
- Various third-party thin clients and zero clients, available only through certified partners.
- View Open Client, which supports the VMware partner certification program.

You can also use View Composer to create automated farms of linked-clone Microsoft RDS hosts, which provide hosted applications to end users. Although you can install View Composer on its own server host, a View Composer service can operate with only one vCenter Server instance. Similarly, a vCenter Server instance can be associated with only one View Composer service.

Mirage provides a better offline virtual desktop solution than the Local Mode feature that was previously included with View. Mirage includes the following security and management features for offline desktops:
- Encrypts the locally installed virtual machine and prevents a user from modifying virtual machine settings that affect the integrity of the secure container.

VMware Horizon vRealize Orchestrator plug-in

This feature is available only on some types of clients. To find out whether this feature is supported on a particular type of client, see the feature support matrix included in the "Using VMware Horizon Client" document for the specific type of desktop or mobile client device. Go to https://www.vmware.com/support/viewclients/doc/viewclients_pubs.html.

View PowerCLI provides an easy-to-use PowerShell interface to View. You can use the View PowerCLI cmdlets to perform various administration tasks on View components.
- Create and update desktop pools.
- Configure multiple network labels to greatly expand the number of IP addresses assigned to virtual machines in a pool.
- Add datacenter resources to a full virtual machine or linked-clone pool.
2 Planning a Rich User Experience

View provides the familiar, personalized desktop environment that end users expect. For example, on some client systems, end users can access USB and other devices connected to their local computer, send documents to any printer that their local computer can detect, authenticate with smart cards, and use multiple display monitors. View includes many features that you might want to make available to your end users.
Table 2-1. Operating Systems for Linked-Clone and Full-Clone Remote Desktops (Continued)

Guest Operating System | Version           | Edition                     | Service Pack
Windows 8              | 64-bit and 32-bit | Enterprise and Professional | None
Windows 7              | 64-bit and 32-bit | Enterprise and Professional | SP1
Windows Server 2012 R2 | 64-bit            | Datacenter                  | None
Windows Server 2008 R2 | 64-bit            | Datacenter                  | SP1

Table 2-2.

Table 2-3. Features Supported on Windows Operating Systems Where View Agent Is Installed (Continued)

Feature           | Windows 7 Desktop | Windows 8.x Desktop | Windows 10 Desktop | Windows Server 2008/2012 R2 Desktop | Microsoft RDS-Hosted Desktops and Apps
Single sign-on    | X                 | X                   | X                  | X                                   | X
Multiple monitors | X                 | X                   | X                  | X                                   | X

NOTE For information about which features are supported on the various types of client devices, see the Horizon Client documentation at https://www.vmware.
- Audio redirection with dynamic audio quality adjustment for LAN and WAN.
- Real-Time Audio-Video for using webcams and microphones on some client types.
- Copy and paste of text and, on some clients, images between the client operating system and a remote application or desktop. For other client types, only copy and paste of plain text is supported. You cannot copy and paste system objects such as folders and files between systems.

For more information about 3D features, see "Using 3D Graphics Applications," on page 27.

Hardware Requirements for Client Systems

For information about processor and memory requirements, see the "Using VMware Horizon Client" document for the specific type of desktop or mobile client device. Go to https://www.vmware.com/support/viewclients/doc/viewclients_pubs.html.

For example, when a user must access a database remotely, if large amounts of data must be transmitted over the WAN, performance is usually affected. With hosted applications, all parts of the application can be located in the same data center as the database, so that traffic is isolated and only the screen updates are sent across the WAN.

By setting group policies (GPOs), you have granular control of the files and folders to include in a persona:
- Specify whether to include the local settings folder. This policy affects the AppData\Local folder.
- Specify which files and folders to load at login time. For example: Application Data\Microsoft\Certificates. Within a folder, you can also specify files to exclude.

When you use this feature in desktop pools that are deployed on single-user machines, most USB devices that are attached to the local client system become available in the remote desktop. You can even connect to and manage an iPad from a remote desktop. For example, you can sync your iPad with iTunes installed in your remote desktop. On some client devices, such as Windows and Mac OS X computers, the USB devices are listed in a menu in Horizon Client.
Using 3D Graphics Applications

The software- and hardware-accelerated graphics features available with the PCoIP display protocol enable remote desktop users to run 3D applications ranging from Google Earth to CAD and other graphics-intensive applications.

NVIDIA GRID vGPU (shared GPU hardware acceleration): Available with vSphere 6.0 and later, this feature allows a physical GPU (graphical processing unit) on an ESXi host to be shared among virtual machines.

Printing from a Remote Desktop

The virtual printing feature allows end users on some client systems to use local or network printers from a remote desktop without requiring that additional print drivers be installed in the remote desktop operating system. The location-based printing feature allows you to map remote desktops to the printer that is closest to the endpoint client device.

- If you use more than 2 monitors, the monitors must be in the same mode and have the same screen resolution. That is, if you use 3 monitors, all 3 monitors must be in either portrait mode or landscape mode and must use the same screen resolution.
- Monitors can be placed side by side, stacked 2 by 2, or vertically stacked only if you are using 2 monitors and the total height is less than 4096 pixels.
3 Managing Desktop and Application Pools from a Central Location

You can create pools that include one, hundreds, or thousands of remote desktops. As a desktop source, you can use virtual machines, physical machines, and Windows Remote Desktop Services (RDS) hosts. Create one virtual machine as a base image, and View can generate a pool of remote desktops from that image. You can also create pools of applications that give users remote access to applications.

In addition, using desktop pools provides many conveniences.

Dedicated-assignment pools: Each user is assigned a particular remote desktop and returns to the same desktop at each login. Users can personalize their desktops, install applications, and store data.

Floating-assignment pools: The remote desktop is optionally deleted and re-created after each use, offering a highly controlled environment.

Reducing and Managing Storage Requirements

Deploying desktops on virtual machines that are managed by vCenter Server provides all the storage efficiencies that were previously available only for virtualized servers. Using View Composer increases the storage savings because all virtual machines in a pool share a virtual disk with a base image.

Compatible vSphere 5.5 Update 1 or Later Features

With vSphere 5.5 Update 1 or a later release, you can use Virtual SAN, which virtualizes the local physical solid-state disks and hard disk drives available on ESXi hosts into a single datastore shared by all hosts in a cluster.

Each virtual machine maintains its policy regardless of its physical location in the cluster. If the policy becomes noncompliant because of a host, disk, or network failure, or workload changes, Virtual SAN reconfigures the data of the affected virtual machines and load-balances to meet the policies of each virtual machine.

Using Virtual Volumes for Virtual-Machine-Centric Storage and Policy-Based Management

With Virtual Volumes (VVols), available with vSphere 6.0 or a later release, an individual virtual machine, not the datastore, becomes a unit of storage management. The storage hardware gains control over virtual disk content, layout, and management. With Virtual Volumes, abstract storage containers replace traditional storage volumes based on LUNs or NFS shares.

Reducing Storage Requirements with View Composer

Because View Composer creates desktop images that share virtual disks with a base image, you can reduce the required storage capacity by 50 to 90 percent. View Composer uses a base image, or parent virtual machine, and creates a pool of up to 2,000 linked-clone virtual machines.
Local Datastores for Floating, Stateless Desktops

Linked-clone desktops can be stored on local datastores, which are internal spare disks on ESXi hosts. Local storage offers advantages such as inexpensive hardware, fast virtual-machine provisioning, high-performance power operations, and simple management. However, using local storage limits the vSphere infrastructure configuration options that are available to you.

Deploying Individual Applications Using an RDS Host

You might choose to provide end users with remote applications rather than remote desktops. Individual remote applications might be easier to navigate on a small mobile device. End users can access remote Windows-based applications by using the same Horizon Client that they previously used for accessing remote desktops, and they use the same PCoIP display protocol.

After you create a virtualized application with VMware ThinApp, you can choose to either stream the application from a shared file server or install the application on the virtual desktops.

After a GPO is applied, properties are stored in the local Windows registry of the specified component. You can use GPOs to set all the policies that are available from the View Administrator user interface (UI). You can also use GPOs to set policies that are not available from the UI. For a complete list and description of the settings available through ADM templates, see Setting Up Desktop and Application Pools in View.
4 Architecture Design Elements and Planning Guidelines for Remote Desktop Deployments

A typical View architecture design uses a pod strategy that consists of components that support up to 10,000 remote desktops using a vSphere 5.1 or later infrastructure. Pod definitions can vary, based on hardware configuration, View and vSphere software versions used, and other environment-specific design factors.

Virtual Machine Requirements for Remote Desktops

When you plan the specifications for remote desktops, the choices that you make regarding RAM, CPU, and disk space have a significant effect on your choices for server and storage hardware and expenditures.

Estimating Memory Requirements for Virtual Machine Desktops

RAM costs more for servers than it does for PCs. Because the cost of RAM is a high percentage of overall server hardware costs and total storage capacity needed, determining the correct memory allocation is crucial to planning your desktop deployment.
RAM Sizing for Specific Monitor Configurations When Using PCoIP

In addition to system memory, a virtual machine also requires a small amount of RAM on the ESXi host for video overhead. This VRAM size requirement depends on the display resolution and number of monitors configured for end users. Table 4-1 lists the amount of overhead RAM required for various configurations.

By default, the multiple-monitor configuration matches the host topology. There is extra overhead precalculated for more than 2 monitors to accommodate additional topology schemes.
Choosing the Appropriate System Disk Size

When allocating disk space, provide only enough space for the operating system, applications, and additional content that users might install or generate. Usually this amount is smaller than the size of the disk that is included on a physical PC. Because datacenter disk space usually costs more per gigabyte than desktop or laptop disk space in a traditional PC deployment, optimize the operating system image size.

There is no substitute for measuring performance under actual, real world scenarios, such as in a pilot, to determine an appropriate consolidation ratio for your environment and hardware configuration. Consolidation ratios can vary significantly, based on usage patterns and environmental factors.

You create stateful desktop images by creating dedicated-assignment pools of either linked-clone virtual machines or full virtual machines. If you use linked-clone virtual machines, you can configure View Composer persistent disks and folder redirection. Some storage vendors have cost-effective storage solutions for stateful desktop images. These vendors often have their own best practices and provisioning utilities.

- Use the Persona Management feature so that users always have their preferred desktop appearance and application settings, as with Windows user profiles. If you do not have the desktops set to be refreshed or deleted at logoff, you can configure the persona to be removed at logoff.

Pools for Kiosk Users

Kiosk users might include customers at airline check-in stations, students in classrooms or libraries, medical personnel at medical data entry workstations, or customers at self-service points. Accounts associated with client devices rather than users are entitled to use these desktop pools because users do not need to log in to use the client device or the remote desktop.
Table 4-2.
vCenter Server and View Composer Virtual Machine Configuration

You can install vCenter Server and View Composer on the same virtual machine or on separate servers. These servers require much more memory and processing power than a desktop virtual machine. VMware tested having View Composer create and provision 2,000 desktops per pool using vSphere 5.1 or later. VMware also tested having View Composer perform a recompose operation on 2,000 desktops at a time.
Table 4-5.
View Connection Server Cluster Design Considerations

You can deploy multiple replicated View Connection Server instances in a group to support load balancing and high availability. Groups of replicated instances are designed to support clustering within a LAN-connected single-datacenter environment.

The number of connections per Access Point appliance is similar to those for security servers. For more information about Access Point appliances, see Deploying and Configuring Access Point.

In cases where availability requirements are high, proper configuration of VMware HA is essential. If you use VMware HA and are planning for a fixed number of desktops per server, run each server at a reduced capacity. If a server fails, the capacity of desktops per server is not exceeded when the desktops are restarted on a different host.

Storage and Bandwidth Requirements

Several considerations go into planning for shared storage of virtual machine desktops, planning for storage bandwidth requirements with regard to I/O storms, and planning network bandwidth needs. Details about the storage and networking components used in a test setup at VMware are provided in these related topics.
- Shared Storage Example on page 59: For a View 5.

The following example describes the tiered storage strategy used in a View 5.2 test setup in which one vCenter Server managed 10,000 desktops.

NOTE This example was used in a View 5.2 setup, which was carried out prior to the release of VMware Virtual SAN. For guidance on sizing and designing the key components of View virtual desktop infrastructures for VMware Virtual SAN, see the white paper at http://www.vmware.
Figure 4-1. Tiered Storage Example for a Large Desktop Pool [figure labels: Parent 1 through Parent 5 on a PARENT SSD datastore shared across all clusters; Replica 1; ESX cluster consisting of 192 Intel cores (remaining labels truncated)]
Storage Bandwidth Considerations

In a View environment, logon storms are the main consideration when determining bandwidth requirements. Although many elements are important to designing a storage system that supports a View environment, from a server configuration perspective, planning for proper storage bandwidth is essential. You must also consider the effects of port consolidation hardware.

For more information, see the information guide called PCoIP Display Protocol: Information and Scenario-Based Network Sizing Guide.

Optimization Controls Available with PCoIP

If you use the PCoIP display protocol from VMware, you can adjust several elements that affect bandwidth usage.
- You can configure the image quality level and frame rate used during periods of network congestion.
Virtual switch | Description
VMotion-dvswitch (1 uplink per host) | This switch was used by the ESXi hosts of infrastructure, parent, and desktop virtual machines.
  - Jumbo Frame (9000 MTU)
  - 1 Ephemeral Distributed Port Group
  - Private VLAN and 192.168.x.x addressing
Infra-dvswitch (2 uplinks per host) | This switch was used by the ESXi hosts of infrastructure virtual machines.
Desktop-dvswitch (2 uplinks per host) |
For 10,000 desktops the logon storm occurred over a 60-minute period, using a normal distribution of logon times. The virtual machines were powered on and were available before the logon storm began. After logon, a workload started, which included the following applications: Adobe Reader, Microsoft Outlook, Internet Explorer, Microsoft Word, and Notepad.

WAN Support and PCoIP

For wide-area networks (WANs), you must consider bandwidth constraints and latency issues. The PCoIP display protocol provided by VMware adapts to varying latency and bandwidth conditions. If you use the RDP display protocol, you must have a WAN optimization product to accelerate applications for users in branch offices or small offices. With PCoIP, many WAN optimization techniques are built into the base protocol.

- Bandwidth utilization is 80 percent (.8 utilization factor).

Formula for Determining the Number of Users Supported
- In the worst case, users require 150Kbps: (1.5Mbps * .8) / 150Kbps = (1500 * .8) / 150 = 8 users
- In the best case, users require 50Kbps: (1.5Mbps * .8) / 50Kbps = (1500 * .8) / 50 = 24 users

Result: This remote office can support between 8 and 24 concurrent users per T1 line with 1.5Mbps capacity.
Table 4-11. Example of a LAN-Based View Pod Constructed of 5 Building Blocks

Item                             | Number
Building blocks for a View pod   | 5
vCenter Server and View Composer | 5 (1 virtual machine that hosts both in each building block)
Database server                  | 5 (1 standalone MS SQL Server or Oracle database server in each building block)
View Connection Servers          | 7 (5 for connections from inside the corporate network and 2 for connections from outside)
vLANs                            | See Table 4-10.
Although using one vCenter Server and one View Composer for 10,000 desktops is possible, doing so creates a situation where there is a single point of failure. The loss of that single vCenter Server renders the entire desktop deployment unavailable for power, provisioning, and refit operations. For this reason, choose a deployment architecture that meets your requirements for overall component resiliency.

The Cloud Pod Architecture feature is not supported in an IPv6 environment. For more information, see Administering View Cloud Pod Architecture.

Advantages of Using Multiple vCenter Servers in a Pod

When you create a design for a View production environment that accommodates more than 500 desktops, several considerations affect whether to use one vCenter Server instance rather than multiple instances. Starting with View 5.

- Compatible third-party failover products

IMPORTANT To use one of these failover strategies, the vCenter Server instance must not be installed in a virtual machine that is part of the cluster that the vCenter Server instance manages. In addition to these automated options for vCenter Server failover, you can also choose to rebuild the failed server on a new virtual machine or physical server.

Your design might benefit from a hybrid approach. You can choose to have very large and relatively static pools managed by one vCenter Server instance and have several smaller, more dynamic desktop pools managed by multiple vCenter Server instances. The best strategy for upgrading existing large-scale pods is to first upgrade the VMware software components of your existing pod.
5 Planning for Security Features

View offers strong network security to protect sensitive corporate data. For added security, you can integrate View with certain third-party user-authentication solutions, use a security server, and implement the restricted entitlements feature.

IMPORTANT With Horizon 6 version 6.2 and later releases, View can perform cryptographic operations using FIPS (Federal Information Processing Standard) 140-2 compliant algorithms.

- Client Connections Using the PCoIP Secure Gateway on page 74: When clients connect to a remote desktop or application with the PCoIP display protocol from VMware, Horizon Client can make a second connection to the PCoIP Secure Gateway component on a View Connection Server instance, security server, or Access Point appliance. This connection provides the required level of security and connectivity when accessing remote desktops and applications from the Internet.

Tunneled Client Connections with Microsoft RDP

When users connect to a remote desktop with the Microsoft RDP display protocol, Horizon Client can make a second HTTPS connection to the View Connection Server host. This connection is called the tunnel connection because it provides a tunnel for carrying RDP data. The tunnel connection offers the following advantages:
- RDP data is tunneled through HTTPS and is encrypted using SSL.

Choosing a User Authentication Method

View uses your existing Active Directory infrastructure for user authentication and management. For added security, you can integrate View with two-factor authentication solutions, such as RSA SecurID and RADIUS, and smart card authentication solutions.

Administrators can use the vdmadmin command-line interface to configure domain filtering, which limits the domains that a View Connection Server instance searches and that it displays to users. See the View Administration document for more information. Policies, such as restricting permitted hours to log in and setting the expiration date for passwords, are also handled through existing Active Directory operational procedures.

Using the Log In as Current User Feature Available with Windows-Based Horizon Client

With Horizon Client for Windows, when users select the Log in as current user check box, the credentials that they provided when logging in to the client system are used to authenticate to the View Connection Server instance and to the remote desktop. No further user authentication is required.

- Assign the tag "External" to the View Connection Server instance that is paired with the security server and supports your external users.
- Assign the "Internal" tag to the desktop pools that should be accessible only to internal users.
- Assign the "External" tag to the desktop pools that should be accessible only to external users.
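The three tagging steps above only work as intended if you understand how View matches tags: a pool that carries no tag is presented through every Connection Server, including the one paired with the security server, and a Connection Server with no tag only reaches untagged pools. The model below is an added example, not VMware code, that encodes those matching rules so you can audit a proposed tag layout before you expose the "External" Connection Server. The server names, pool names, user names and entitlements are constructed for the illustration; the restricted-entitlement logic itself is the one View Administrator applies, but the entitlement check (the user must still be entitled to the pool) is modelled here as a simple membership set.

```python
"""Restricted entitlements (tag matching) in View, as an added model.

Matching rules applied by View Administrator:
  - A pool with no tags is reachable through any Connection Server.
  - A pool with tags is reachable only through a Connection Server that
    carries at least one matching tag.
  - A Connection Server with no tags reaches only untagged pools.
Tags decide which pools a Connection Server presents; the user must
additionally be entitled to the pool (modelled here as a name set).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ConnectionServer:
    name: str
    tags: frozenset = frozenset()


@dataclass(frozen=True)
class Pool:
    name: str
    tags: frozenset = frozenset()
    entitled: frozenset = frozenset()   # users or groups entitled to the pool


def pool_visible_from(pool: Pool, server: ConnectionServer) -> bool:
    """True if View would present `pool` to a client that reached `server`."""
    if not pool.tags:
        return True                      # untagged pool: visible everywhere
    return bool(pool.tags & server.tags)  # any tag in common is a match


def pools_for_user(user: str, server: ConnectionServer, pools) -> list:
    """Pools the user can launch through this Connection Server:
    entitled AND passes the tag check."""
    return sorted(p.name for p in pools
                  if user in p.entitled and pool_visible_from(p, server))


def untagged_pools_reachable_from(server: ConnectionServer, pools) -> list:
    """Audit helper: pools reachable through `server` only because they
    carry no tag at all. On the External-facing server, every name listed
    here is a pool that someone forgot to tag "Internal"."""
    return sorted(p.name for p in pools
                  if not p.tags and pool_visible_from(p, server))


# Constructed example (hypothetical names): the Connection Server paired
# with the DMZ security server, an internal-only server, and an untagged one.
EXTERNAL_CS = ConnectionServer("cs-external", frozenset({"External"}))
INTERNAL_CS = ConnectionServer("cs-internal", frozenset({"Internal"}))
UNTAGGED_CS = ConnectionServer("cs-untagged")

POOLS = [
    Pool("finance-desktops", frozenset({"Internal"}), frozenset({"alice", "bob"})),
    Pool("contractor-desktops", frozenset({"External"}), frozenset({"alice"})),
    Pool("kiosk-desktops", frozenset(), frozenset({"alice", "bob"})),  # no tag
]

if __name__ == "__main__":
    for cs in (EXTERNAL_CS, INTERNAL_CS, UNTAGGED_CS):
        print(cs.name, "alice ->", pools_for_user("alice", cs, POOLS))
    print("untagged pools exposed via cs-external:",
          untagged_pools_reachable_from(EXTERNAL_CS, POOLS))
```

Run against the constructed data, the audit helper reports kiosk-desktops as reachable through cs-external: it was left untagged, so the "External" Connection Server presents it to Internet users even though it was never given the "External" tag. That is why the second step above is to tag every internal-only pool explicitly rather than relying on the absence of an "External" tag.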
- Prevent users from providing credential information with Horizon Client command line options.
- Prevent non-Horizon Client systems from using RDP to connect to remote desktops. You can set this policy so that connections must be Horizon Client-managed, which means that users must use View to connect to remote desktops.

See Setting Up Desktop and Application Pools in View for information on using remote desktop and Horizon Client group policy settings.

A DMZ-based security server deployment requires a few ports to be opened on the firewall to allow clients to connect with security servers inside the DMZ. You must also configure ports for communication between security servers and the View Connection Server instances in the internal network. See "Firewall Rules for DMZ-Based Security Servers," on page 84 for information on specific ports.
Figure 5‑2. Load-Balanced Security Servers in a DMZ (figure: client devices on the external network reach load-balanced View Security Servers in the DMZ, which connect to View Connection Servers, Microsoft Active Directory, vCenter Management Server and ESX hosts running virtual desktop virtual machines)
When users outside the corporate network connect to a security server, they must successfully authenticate before they can access remote desktops and applications.
Figure 5‑3. Multiple Security Servers (figure: client devices on the external network reach load-balanced View Security Servers in the DMZ; a second load balancer on the internal network fronts the View Connection Servers, Microsoft Active Directory, vCenter Management Server and ESXi hosts running virtual desktop virtual machines)
You must implement a hardware or software load balancing solution if you install more than one security server.
Figure 5‑4.
Table 5‑1. Front-End Firewall Rules (Continued)
Source: Horizon Client
Source Default Port: TCP Any; UDP Any
Protocol: PCoIP
Destination: Security server
Destination Default Port: TCP 4172; UDP 4172
Notes: External client devices connect to a security server within the DMZ on TCP port 4172 and UDP port 4172 to communicate with a remote desktop or application over PCoIP.
Table 5‑2. Back-End Firewall Rules (Continued)
Source: Security server
Source Default Port: TCP Any; UDP 55000
Protocol: PCoIP
Destination: Remote desktop or application
Destination Default Port: TCP 4172; UDP 4172
Notes: Security servers connect to remote desktops and applications on TCP port 4172 and UDP port 4172 to exchange PCoIP traffic.
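The PCoIP rows of Tables 5‑1 and 5‑2 written as a default-deny rule set with a flow checker, added here as an example and not taken from the VMware document; the zone and role labels are constructed.

```python
"""Added example (not VMware's code): the PCoIP rows of the front-end (Table 5-1)
and back-end (Table 5-2) firewall rules as a rule set plus a flow checker."""
from dataclasses import dataclass
from typing import Optional

ANY = None  # wildcard for the source port


@dataclass(frozen=True)
class Rule:
    firewall: str            # "front-end" (Internet -> DMZ) or "back-end" (DMZ -> internal)
    src: str                 # constructed role label of the sender
    src_port: Optional[int]  # ANY or a fixed source port
    proto: str               # "TCP" or "UDP"
    dst: str                 # constructed role label of the receiver
    dst_port: int
    note: str


# Front-end: external clients reach the security server on TCP 4172 and UDP 4172.
# Back-end: the security server reaches the desktop on TCP 4172 and UDP 4172,
# the UDP leg leaving the security server from source port 55000.
RULES = [
    Rule("front-end", "Horizon Client", ANY, "TCP", "Security server", 4172, "PCoIP"),
    Rule("front-end", "Horizon Client", ANY, "UDP", "Security server", 4172, "PCoIP"),
    Rule("back-end", "Security server", ANY, "TCP", "Remote desktop", 4172, "PCoIP"),
    Rule("back-end", "Security server", 55000, "UDP", "Remote desktop", 4172, "PCoIP"),
]


def permitted(firewall, src, src_port, proto, dst, dst_port):
    """True if a rule on that firewall matches the flow; anything else is denied."""
    for r in RULES:
        if (r.firewall == firewall and r.src == src and r.dst == dst
                and r.proto == proto.upper() and r.dst_port == dst_port
                and (r.src_port is ANY or r.src_port == src_port)):
            return True
    return False


def ports_to_open(firewall):
    """(protocol, destination port) pairs a planner must open on that firewall."""
    return sorted({(r.proto, r.dst_port) for r in RULES if r.firewall == firewall})
```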
Figure 5‑5. View Components and Protocols Without a Security Server (figure: RDP Client and Horizon Client connect over PCoIP, RDP and HTTP(S) to the View Connection Server, whose View Secure GW Server & PCoIP Secure GW, View Broker & Admin Server and View Messaging components talk to View Administrator over HTTP(S), to vCenter Server over SOAP, and to View Manager over LDAP and JMS; RDP and PCoIP reach the View Agent on the View desktop virtual machine)
NOTE This figure shows direct connections for clients using either PCoIP or RDP.
Figure 5‑6. View Components and Protocols with a Security Server (figure: RDP Client and Horizon Client connect over HTTP(S), Blast and PCoIP to the View Security Server's View Secure GW Server & PCoIP Secure GW, which forwards Blast, PCoIP and RDP, Framework, MMR, CDR... traffic and uses AJP13 and JMS toward the View Connection Server; there the View Secure GW Server & PCoIP Secure GW, View Broker & Admin Server and View Messaging components talk to View Administrator over HTTP(S), to vCenter Server over SOAP, and to View Manager over LDAP and JMS)
Table 5‑3. Default Ports (Continued)
Protocol   Port
HTTP       TCP port 80
HTTPS      TCP port 443
MMR/CDR    For multimedia redirection and client drive redirection, TCP port 9427
RDP        TCP port 3389
NOTE If the View Connection Server instance is configured for direct client connections, these protocols connect directly from the client to the remote desktop and are not tunneled through the View Secure GW Server component.
PCoIP Secure Gateway
Security servers and Access Point appliances include a PCoIP Secure Gateway component. When the PCoIP Secure Gateway is enabled, after authentication, clients that use PCoIP can make another secure connection to a security server or Access Point appliance. This connection allows clients to access remote desktops and applications from the Internet.
If you choose to install HTML Access with View Connection Server, the installer configures the VMware Horizon View Connection Server (Blast-In) rule in Windows Firewall to open TCP port 8443, used by HTML Access. The following table lists the default ports that can be opened automatically during installation. Ports are incoming unless otherwise noted.
Table 5‑4.
If you instruct the View Agent installation program to not enable Remote Desktop support, it does not open ports 3389 and 32111, and you must open these ports manually. If you use a virtual machine template as a desktop source, firewall exceptions carry over to deployed desktops only if the template is a member of the desktop domain. You can use Microsoft group policy settings to manage local firewall exceptions.
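An added example (not VMware's code) for auditing the local firewall exceptions described here: it parses netsh-style rule output, constructed as sample data with placeholder rule names, and reports which of the View Agent ports named on this page lack an enabled inbound Allow rule, which is the situation left behind when Remote Desktop support was not enabled at install time.

```python
"""Added example (not VMware's code): audit a desktop's Windows Firewall for the
inbound View Agent ports this page names; the netsh output is constructed."""
import re

# Ports this page names for the View Agent: RDP 3389 and 32111 (opened only
# when Remote Desktop support is enabled), PCoIP 4172 TCP/UDP, MMR/CDR 9427.
REQUIRED_AGENT_PORTS = {("TCP", 3389), ("TCP", 32111), ("TCP", 4172),
                        ("UDP", 4172), ("TCP", 9427)}

# Constructed netsh-style rule output (placeholder names): 3389 open, 9427 rule disabled.
SAMPLE_NETSH = """\
Rule Name:   Example Agent Rule (RDP)
Enabled:     Yes
Direction:   In
Protocol:    TCP
LocalPort:   3389
Action:      Allow

Rule Name:   Example Agent Rule (MMR/CDR)
Enabled:     No
Direction:   In
Protocol:    TCP
LocalPort:   9427
Action:      Allow
"""

def parse_netsh_rules(text):
    """Split netsh 'show rule' style output into one dict per 'Rule Name:' block."""
    rules, current = [], None
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z ]+):\s*(.*)$", line)
        if not m:
            continue
        key, val = m.group(1).strip(), m.group(2).strip()
        if key == "Rule Name":
            current = {key: val}
            rules.append(current)
        elif current is not None:
            current[key] = val
    return rules

def open_inbound_ports(rules):
    """(protocol, port) pairs opened by an enabled inbound Allow rule."""
    return {(r.get("Protocol", "").upper(), int(r["LocalPort"])) for r in rules
            if r.get("Enabled") == "Yes" and r.get("Direction") == "In"
            and r.get("Action") == "Allow" and r.get("LocalPort", "Any").isdigit()}

def missing_agent_ports(text):
    """Required View Agent ports with no enabled inbound Allow rule (open these by hand or via group policy)."""
    return sorted(REQUIRED_AGENT_PORTS - open_inbound_ports(parse_netsh_rules(text)))
```

On a real desktop, feed it the output of netsh advfirewall firewall show rule name=all instead of the constructed sample.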
6 Overview of Steps to Setting Up a View Environment
Complete these high-level tasks to install View and configure an initial deployment.
Table 6‑1. View Installation and Setup Check List
Step 1: Set up the required administrator users and groups in Active Directory. Instructions: View Installation and vSphere documentation.
Step 2: If you have not yet done so, install and set up ESXi hosts and vCenter Server. Instructions: VMware vSphere documentation.
Table 6‑1. View Installation and Setup Check List (Continued)
Step 12: (Optional) Configure View Persona Management, which gives users access to personalized data and settings whenever they log in to a desktop. Instructions: Setting Up Desktop and Application Pools in View.
Step 13: (Optional) For added security, integrate smart card authentication or a RADIUS two-factor authentication solution. Instructions: View Administration document.
Index
Symbols
front-end firewall
  configuring 83
  rules 84
G
gateway server 89
GPOs, security settings for remote desktops 79
GRID vGPU, NVIDIA 27
H
HA cluster 54, 55, 57
hardware requirements, PCoIP 21
hardware-accelerated graphics 27
Horizon Client 40
Horizon Client for Linux 13
Horizon Workspace 7
hosted applications 23
HTML Access 12
I
I/O storms 62
iSCSI SAN arrays 33
J
Java Message Service 90
Java Message Service protocol 84
JMS protocol 84, 86
K
kiosk mode 52
knowledge workers 44, 45
restricted entitlements 78
roaming profiles 24
RSA key size, changing 90
RSA SecurID authentication, configuring 77
S
SBPM (storage-based policy management) 34, 36
scalability, planning for 43
SCOM 15
SCSI adapter types 52
security 32
security features, planning 73
security servers
  best practices for deploying 81
  firewall rules for 84
  implementing 80
  load balancing 81
  overview 13
  PCoIP Secure Gateway 90
setup, View 93
shared storage 33, 59
single sign-on (SSO) 14, 28, 78
smart card authentication 77
vSphere 7, 9, 33
vSphere cluster 57, 67
W
WAN support 66
webcam 26
Windows page file 48
Windows roaming profiles 24
worker types 44, 45, 47, 49
Wyse MMR 19, 27