View Installation Modified on 4 JAN 2018 VMware Horizon 7 7.
You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/
If you have comments about this documentation, submit your feedback to docfeedback@vmware.com
VMware, Inc. 3401 Hillview Ave. Palo Alto, CA 94304 www.vmware.com
Copyright © 2011–2018 VMware, Inc. All rights reserved. Copyright and trademark information.

Contents
View Installation
1 System Requirements for Server Components
  Horizon Connection Server Requirements
  View Administrator Requirements
  View Composer Requirements
2 System Requirements for Guest Operating Systems
  Supported Operating Systems for Horizon Agent
  Supported Operating Systems for Standalone Horizon Persona Management
  Remote Display Protocol and Software Support
3 Installing Horizon 7 in an IPv6 Environment
  Setting Up Horizon 7 in an IPv6 Environment
  Disable Weak Ciphers in SSL/TLS
6 Installing View Composer
  Prepare a View Composer Database
  Configuring an SSL Certificate for View Composer
  Install the View Composer Service
  Enable TLSv1.
10 Configuring Event Reporting
  Add a Database and Database User for Horizon 7 Events
  Prepare an SQL Server Database for Event Reporting
  Configure the Event Database
  Configure Event Logging for Syslog Servers
View Installation explains how to install the VMware Horizon® 7 server and client components.
Intended Audience
This information is intended for anyone who wants to install VMware Horizon 7. The information is written for experienced Windows or Linux system administrators who are familiar with virtual machine technology and datacenter operations.

1 System Requirements for Server Components
Hosts that run Horizon 7 server components must meet specific hardware and software requirements.
Table 1-1. Horizon Connection Server Hardware Requirements
Hardware Component | Required | Recommended
Processor | Pentium IV 2.
For details about which versions of Horizon are compatible with which versions of vCenter Server and ESXi, see the VMware Product Interoperability Matrix at http://www.vmware.com/resources/compatibility/sim/interop_matrix.php.
Network Requirements for Replicated Horizon Connection Server Instances
When installing replicated Horizon Connection Server instances, you must usually configure the instances in the same physical location and connect them over a high-performance LAN.
To display text properly, View Administrator requires Microsoft-specific fonts. If your Web browser runs on a non-Windows operating system such as Linux, UNIX, or Mac, make sure that Microsoft-specific fonts are installed on your computer. Currently, the Microsoft Web site does not distribute Microsoft fonts, but you can download them from independent Web sites.
Hardware Requirements for Standalone View Composer
If you install View Composer on a different physical or virtual machine from the one used for vCenter Server, you must use a dedicated machine that meets specific hardware requirements. A standalone View Composer installation works with vCenter Server installed on a separate Windows Server machine or with the Linux-based vCenter Server appliance.
For the most up-to-date information about supported databases, see the VMware Product Interoperability Matrixes at http://www.vmware.com/resources/compatibility/sim/interop_matrix.php. For Solution/Database Interoperability, after you select the product and version, for the Add Database step, to see a list of all supported databases, select Any and click Add.

2 System Requirements for Guest Operating Systems
Systems running Horizon Agent or Standalone View Persona Management must meet certain hardware and software requirements.
For enhanced security, VMware recommends configuring cipher suites to remove known vulnerabilities. For instructions on how to set up a domain policy on cipher suites for Windows machines that run View Composer or Horizon Agent, see Disable Weak Ciphers in SSL/TLS.
PCoIP
PCoIP (PC over IP) provides an optimized desktop experience for the delivery of a remote application or an entire remote desktop environment, including applications, images, audio, and video content for a wide range of users on the LAN or across the WAN. PCoIP can compensate for an increase in latency or a reduction in bandwidth, to ensure that end users can remain productive regardless of network conditions.
For information about which desktop operating systems support specific PCoIP features, see "Feature Support Matrix for Horizon Agent" in the View Architecture Planning document. For information about which client devices support specific PCoIP features, go to https://www.vmware.com/support/viewclients/doc/viewclients_pubs.html.
Microsoft RDP
Remote Desktop Protocol is the same multichannel protocol many people already use to access their work computer from their home computer. Microsoft Remote Desktop Connection (RDC) uses RDP to transmit data. Microsoft RDP is a supported display protocol for remote desktops that use virtual machines, physical machines, or shared session desktops on an RDS host. (Only the PCoIP display protocol and the VMware Blast display protocol are supported for remote applications.
VMware Blast Extreme Features
Key features of VMware Blast Extreme include the following:
- Users outside the corporate firewall can use this protocol with the corporate virtual private network (VPN), or users can make secure, encrypted connections to a security server or Access Point appliance in the corporate DMZ.
- Advanced Encryption Standard (AES) 128-bit encryption is supported and is turned on by default. You can, however, change the encryption key cipher to AES-256.
- Copy and paste of text and, on some clients, images between the client operating system and a remote application or desktop. For other client types, only copy and paste of plain text is supported. You cannot copy and paste system objects such as folders and files between systems.
- Multiple monitors are supported for some client types.
Video Quality Requirements
480p-formatted video: You can play video at 480p or lower at native resolutions when the remote desktop has a single virtual CPU. If you want to play the video in high-definition Flash or in full screen mode, the desktop requires a dual virtual CPU. Even with a dual virtual CPU desktop, as low as 360p-formatted video played in full screen mode can lag behind audio, particularly on Windows clients.
3 Installing Horizon 7 in an IPv6 Environment
Horizon 7 supports IPv6 as an alternative to IPv4. The environment must be either IPv6 only or IPv4 only. Horizon 7 does not support a mixed IPv6 and IPv4 environment. Not all Horizon 7 features that are supported in an IPv4 environment are supported in an IPv6 environment. Horizon 7 does not support upgrading from an IPv4 environment to an IPv6 environment. Also, Horizon 7 does not support migration between IPv4 and IPv6 environments.
- Configuring the PCoIP External URL. See Configuring External URLs for Secure Gateway and Tunnel Connections.
- Setting the PCoIP External URL. See Set the External URLs for a Horizon Connection Server Instance.
- Modifying the PCoIP External URL. See Set the External URLs for a Horizon Connection Server Instance.
- Installing Horizon Agent. See the Horizon Agent installation topics in the Setting Up Desktop and Application Pools document.
Supported Operating Systems for Horizon 7 Servers in an IPv6 Environment
In an IPv6 environment, you must install Horizon 7 servers on specific Windows Server operating systems. Horizon 7 servers include Connection Server instances, replica servers, security servers, and View Composer instances.
The following types of clients are not supported.
- Clients that run on Mac, Android, Linux, or Windows Store
- iOS 9.1 or earlier
- PCoIP Zero Client
Supported Remoting Protocols in an IPv6 Environment
In an IPv6 environment, Horizon 7 supports specific remoting protocols.
- Automated desktop pools of full virtual machines or View Composer linked clones
Note Automated desktop pools of instant clones are not supported.
- Device Bridge
- File Association
- Flash URL redirection
- HTML access
- Log Insight
- Lync
- Real-time audio-video (RTAV)
- Scanner redirection
- Serial port redirection
- Skype for Business
- Syslog
- Teradici TERA host card
- TSMMR
- URL redirection
- Virtual SAN
- Virtual Volumes
- vRealize Operations Desktop Agent
4 Installing Horizon 7 in FIPS Mode
Horizon 7 can perform cryptographic operations using FIPS (Federal Information Processing Standard) 140-2 compliant algorithms. You can enable the use of these algorithms by installing Horizon 7 in FIPS mode. Not all Horizon 7 features are supported in FIPS mode. Also, Horizon 7 does not support upgrading from a non-FIPS installation to a FIPS installation.
Note To ensure that Horizon 7 runs in FIPS mode, you must enable FIPS when you install all Horizon 7 components.
- When installing a security server, select the FIPS mode option. See Install a Security Server.
- When a Windows system is configured for FIPS operation and Horizon 7 is configured to communicate between a Connection Server and a security server with IPSec, the security server fails to install.
In an IPv4 environment, specify the PCoIP external URL as an IP address with the port number 4172.

5 Preparing Active Directory
Horizon 7 uses your existing Microsoft Active Directory infrastructure for user authentication and management. You must perform certain tasks to prepare Active Directory for use with Horizon 7.
Configuring Domains and Trust Relationships
You must join each Connection Server host to an Active Directory domain. The host must not be a domain controller. Active Directory also manages the Horizon Agent machines, including single-user machines and RDS hosts, and the users and groups in your Horizon 7 deployment. You can entitle users and groups to remote desktops and applications, and you can select users and groups to be administrators in Horizon Administrator.
Trust Relationships and Domain Filtering
To determine which domains it can access, a Connection Server instance traverses trust relationships beginning with its own domain. For a small, well-connected set of domains, Connection Server can quickly determine the full list of domains, but the time that it takes increases as the number of domains increases or as the connectivity between the domains decreases.
Creating Groups for Users
You should create groups for different types of users in Active Directory. For example, you can create a group called Horizon 7 Users for your end users and another group called Horizon 7 Administrators for users that will administer remote desktops and applications.
Creating a User Account for vCenter Server
You must create a user account in Active Directory to use with vCenter Server.
To ensure security, you should create a separate user account to use with View Composer. By creating a separate account, you can guarantee that it does not have additional privileges that are defined for another purpose. You can give the account the minimum privileges that it needs to create and remove computer objects in a specified Active Directory container. For example, the View Composer account does not require domain administrator privileges.
Create a User Account for Instant-Clone Operations
Before you deploy instant clones, you must create a user account that has the permission to perform certain operations in Active Directory. Select this account when you add an instant-clone domain administrator before deploying instant-clone desktop pools. For more information, see "Add an Instant-Clone Domain Administrator" in the Setting Up Virtual Desktops in Horizon 7 document.
Procedure
1 On the Active Directory server, navigate to the Group Policy Management plug-in.
  AD Version | Navigation Path
  Windows 2003 | a Select Start > All Programs > Administrative Tools > Active Directory Users and Computers. b Right-click your domain and click Properties. c On the Group Policy tab, click Open to open the Group Policy Management plug-in. d Right-click Default Domain Policy, and click Edit.
  Windows 2008, Windows 2012R2, Windows 2016 |
- Add UPNs for Smart Card Users
Because smart card logins rely on user principal names (UPNs), the Active Directory accounts of users and administrators that use smart cards to authenticate in Horizon 7 must have a valid UPN.
5 Click OK to save the attribute setting.
Add the Root Certificate to Trusted Root Certification Authorities
If you use a certification authority (CA) to issue smart card login or domain controller certificates, you must add the root certificate to the Trusted Root Certification Authorities group policy in Active Directory. You do not need to perform this procedure if the Windows domain controller acts as the root CA.
Procedure
1 On the Active Directory server, navigate to the Group Policy Management plug-in.
  AD Version | Navigation Path
  Windows 2003 | a Select Start > All Programs > Administrative Tools > Active Directory Users and Computers. b Right-click your domain and click Properties. c On the Group Policy tab, click Open to open the Group Policy Management plug-in. d Right-click Default Domain Policy, and click Edit.
  Windows 2008, Windows 2012R2, Windows 2016 |
Disable Weak Ciphers in SSL/TLS
To achieve greater security, you can configure the domain policy GPO (group policy object) to ensure that View Composer and Windows-based machines running View Agent or Horizon Agent do not use weak ciphers when they communicate using the SSL/TLS protocol.
Procedure
1 On the Active Directory server, edit the GPO by selecting Start > Administrative Tools > Group Policy Management, right-clicking the GPO, and selecting Edit.
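The procedure above sets the cipher suite policy through the domain GPO. The following PowerShell is an added example, not part of the VMware document and not VMware's own tooling: it audits which Schannel cipher suites a View Composer or Horizon Agent host currently offers, flags weak ones, and shows the policy-backed registry value that the "SSL Cipher Suite Order" setting writes, so you can confirm that the GPO actually took effect. It assumes a host where Get-TlsCipherSuite exists (Windows Server 2016 / Windows 10 and later); the weak-pattern list and the allow-list are this example's own choices.

```powershell
# Added example (not from the VMware document): audit Schannel cipher suites on a Windows host
# and show the policy value that the "SSL Cipher Suite Order" GPO setting writes.
# Assumptions: Get-TlsCipherSuite is available (Windows Server 2016 / Windows 10 and later);
# $WeakPatterns and $AllowedSuites are constructed for this example and are not VMware guidance.

# Name fragments that mark a suite as weak for this audit (constructed list).
$WeakPatterns = @('RC4', '3DES', 'DES_CBC', '_NULL_', 'EXPORT', 'MD5', 'ANON')

function Get-WeakTlsCipherSuites {
    # Returns the names of currently enabled suites that match any weak pattern.
    $enabled = Get-TlsCipherSuite | Select-Object -ExpandProperty Name
    $enabled | Where-Object {
        $name = $_
        ($WeakPatterns | Where-Object { $name -match $_ }).Count -gt 0
    }
}

function Get-TlsCipherSuiteOrderPolicy {
    # Reads the comma-separated suite list that the domain GPO pushes; $null means no policy applied.
    $path = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
    if (-not (Test-Path $path)) { return $null }
    (Get-ItemProperty -Path $path -Name 'Functions' -ErrorAction SilentlyContinue).Functions
}

function Set-TlsCipherSuiteOrderPolicy {
    # Writes the same value locally; on domain members prefer the GPO so it cannot drift.
    param([Parameter(Mandatory)][string[]]$Suites)
    $path = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    Set-ItemProperty -Path $path -Name 'Functions' -Value ($Suites -join ',') -Type String
}

# Example allow-list: ECDHE key exchange with AES only (constructed for this example).
$AllowedSuites = @(
    'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
    'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256',
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384',
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256'
)

$weak = @(Get-WeakTlsCipherSuites)
if ($weak.Count -gt 0) {
    Write-Warning ('Weak cipher suites enabled: ' + ($weak -join ', '))
} else {
    Write-Host 'No weak cipher suites enabled.'
}

$policy = Get-TlsCipherSuiteOrderPolicy
if ($policy) { Write-Host "Policy suite order in effect: $policy" }
else         { Write-Warning 'No SSL Cipher Suite Order policy applied on this host.' }

# To apply locally for testing (the GPO path is Computer Configuration > Administrative Templates >
# Network > SSL Configuration Settings > SSL Cipher Suite Order):
# Set-TlsCipherSuiteOrderPolicy -Suites $AllowedSuites
```

Run the audit on a View Composer host and on a sample Horizon Agent desktop after the GPO has refreshed; an empty weak list together with a non-null policy value is the evidence that the domain policy, not a local default, is governing the suites.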
6 Installing View Composer
To use View Composer, you create a View Composer database, install the View Composer service, and optimize your View infrastructure to support View Composer. You can install the View Composer service on the same host as vCenter Server or on a separate host. View Composer is an optional feature. Install View Composer if you intend to deploy linked-clone desktop pools. You must have a license to install and use the View Composer feature.
- Linked-clone desktops that are deployed by View Composer
- Replicas that are created by View Composer
Each instance of the View Composer service must have its own View Composer database. Multiple View Composer services cannot share a View Composer database. For a list of supported database versions, see Database Requirements for View Composer and the Events Database. To add a View Composer database to an installed database instance, choose one of these procedures.
Prerequisites
- Verify that a supported version of SQL Server is installed on the computer on which you will install View Composer or in your network environment. For details, see Database Requirements for View Composer and the Events Database.
- Verify that you use SQL Server Management Studio to create and administer the database. Alternatively, you can use SQL Server Management Studio Express, which you can download and install from the following Web site. http://www.microsoft.
Prerequisites
- Verify that a View Composer database is created. See Add a View Composer Database to SQL Server.
Procedure
1 Log in to a Microsoft SQL Server Management Studio session as the sysadmin (SA) or a user account with sysadmin privileges.
2 Create a user who will be granted the appropriate SQL Server database permissions.
14 In the MSDB database, revoke the VCMP_ADMIN_ROLE from the user [vcmpuser]. After you revoke the role, you can leave the role as inactive or remove the role for increased security.
For instructions for creating an ODBC DSN, see Add an ODBC Data Source to SQL Server. For instructions for installing View Composer, see Install the View Composer Service.
8 Make sure that the Connect to SQL Server to obtain default settings for the additional configuration options check box is selected and select an authentication option.
  Option | Description
  Integrate Windows authentication | Select this option if you are using a local instance of SQL Server. This option is also known as trusted authentication. Integrate Windows authentication is supported only if SQL Server is running on the local computer.
- Add an ODBC Data Source to Oracle 12c or 11g
After you add a View Composer database to an Oracle 12c or 11g instance, you must configure an ODBC connection to the new database to make this data source visible to the View Composer service.
Add a View Composer Database to Oracle 12c or 11g
You can use the Oracle Database Configuration Assistant to add a new View Composer database to an existing Oracle 12c or 11g instance.
Use a SQL Statement to Add a View Composer Database to an Oracle Instance
You can use a SQL statement to create the View Composer database in an Oracle 12c or 11g database instance. When you create the database, you can customize the location of the data and log files. The View Composer database must have certain table spaces and privileges.
Prerequisites
Verify that a supported version of Oracle 12c or 11g is installed on the local or remote computer.
2 Run the following SQL command to create a View Composer database user with the correct permissions.
5 In the Oracle ODBC Driver Configuration dialog box, type a DSN to use with View Composer, a description of the data source, and a user ID to connect to the database. If you configured an Oracle database user ID with specific security permissions, specify this user ID.
Note You use the DSN when you install the View Composer service.
6 Specify a TNS Service Name by selecting the Global Database Name from the drop-down menu.
The View Composer software cannot coexist on the same virtual or physical machine with any other Horizon 7 software component, including a replica server, security server, Connection Server, Horizon Agent, or Horizon Client. For enhanced security, we recommend configuring cipher suites to remove known vulnerabilities. For instructions on how to set up a domain policy on cipher suites for Windows machines that run View Composer or Horizon Agent, see Disable Weak Ciphers in SSL/TLS.
5 Type the DSN for the View Composer database that you provided in the Microsoft or Oracle ODBC Data Source Administrator wizard. For example: VMware View Composer
Note If you did not configure a DSN for the View Composer database, click ODBC DSN Setup to configure a name now.
6 Type the domain administrator user name and password that you provided in the ODBC Data Source Administrator wizard.
Enable TLSv1.0 on vCenter and ESXi Connections from View Composer
Horizon 7 and later components have the TLSv1.0 security protocol disabled by default. If your deployment includes an older version of vCenter Server that supports only TLSv1.0, you might need to enable TLSv1.0 for View Composer connections after installing or upgrading to View Composer 7.0 or a later release. Some earlier maintenance releases of vCenter Server 5.0, 5.1, and 5.5 support only TLSv1.
Configuring Your Infrastructure for View Composer
You can take advantage of features in vSphere, vCenter Server, Active Directory, and other components of your infrastructure to optimize the performance, availability, and reliability of View Composer.
Configuring the vSphere Environment for View Composer
To support View Composer, you should follow certain best practices when you install and configure vCenter Server, ESXi, and other vSphere components.
7 Installing Horizon Connection Server
To use Connection Server, you install the software on supported computers, configure the required components, and, optionally, optimize the components.
Security server installation | Generates a Connection Server instance that adds an additional layer of security between the Internet and your internal network.
Enrollment Server installation | Installs an enrollment server that is required for the True SSO (single sign-on) feature, so that after users log in to VMware Identity Manager, they can connect to a remote desktop or application without having to provide Active Directory credentials.
- To run the Horizon Connection Server installer, you must use a domain user account with Administrator privileges on the system.
- When you install Connection Server, you authorize an Administrators account. You can specify the local Administrators group or a domain user or group account. Horizon 7 assigns full administration rights, including the right to install replicated Connection Server instances, to this account only.
- Prepare your environment for the installation. See Installation Prerequisites for Horizon Connection Server.
- If you intend to authorize a domain user or group as the Administrators account, verify that you created the domain account in Active Directory.
- If you use MIT Kerberos authentication to log in to a Windows Server 2008 R2 computer on which you are installing Connection Server, install the Microsoft hotfix that is described in KB 978116 at http://support.microsoft.
7 Select whether to enable or disable FIPS mode. This option is available only if FIPS mode is enabled in Windows.
8 Make sure that Install HTML Access is selected if you intend to allow users to connect to their desktops by using a Web browser. If IPv4 is selected, this setting is selected by default. If IPv6 is selected, this setting is not displayed because HTML Access is not supported in an IPv6 environment.
9 Type a data recovery password and, optionally, a password reminder.
The Horizon 7 services are installed on the Windows Server computer:
- VMware Horizon Connection Server
- VMware Horizon View Framework Component
- VMware Horizon View Message Bus Component
- VMware Horizon View Script Host
- VMware Horizon View Security Gateway Component
- VMware Horizon View PCoIP Secure Gateway
- VMware Horizon View Blast Secure Gateway
- VMware Horizon View Web Component
- VMware VDMDS, which provides View LDAP directory services
For information abou
Prerequisites
- Verify that you can log in as a domain user with administrator privileges on the Windows Server computer on which you install Connection Server.
- Verify that your installation satisfies the requirements described in Horizon Connection Server Requirements.
- Prepare your environment for the installation. See Installation Prerequisites for Horizon Connection Server.
3 Type the installation command on one line. For example:
  VMware-viewconnectionserver-y.y.y-xxxxxx.exe /s /v"/qn VDM_SERVER_INSTANCE_TYPE=1 VDM_INITIAL_ADMIN_SID=S-1-5-32-544 VDM_SERVER_RECOVERY_PWD=mini VDM_SERVER_RECOVERY_PWD_REMINDER=""First car"""
Important When you perform a silent installation, the full command line, including the data recovery password, is logged in the installer's vminst.log file.
Silent Installation Properties for a View Connection Server Standard Installation
You can include specific View Connection Server properties when you perform a silent installation from the command line. You must use a PROPERTY=value format so that Microsoft Windows Installer (MSI) can interpret the properties and values.
Table 7-1. MSI Properties for Silently Installing View Connection Server in a Standard Installation (Continued)
MSI Property | Description | Default Value
VDM_FIPS_ENABLED | Specifies whether to enable or disable FIPS mode. A value of 1 enables FIPS mode. A value of 0 disables FIPS mode. If this property is set to 1 and Windows is not in FIPS mode, the installer will abort. | 0
HTMLACCESS | Controls the HTML Access add-on installation. |
6 In the Properties dialog box, edit the pae-ClientSSLSecureProtocols attribute to add the following value:
  \LIST:TLSv1.2,TLSv1.1,TLSv1
  Be sure to include the back slash at the beginning of the line.
7 Click OK.
8 If this is a fresh installation, to apply the configuration change, restart the VMware Horizon View Connection Server service on each connection server instance.
- To install the replicated instance, you must log in as a user with the Administrators role. You specify the account or group with the Administrators role when you install the first instance of Connection Server. The role can be assigned to the local Administrators group or a domain user or group. See Install Horizon Connection Server with a New Configuration.
4 Accept or change the destination folder.
5 Select the View Replica Server installation option.
6 Select the Internet Protocol (IP) version, IPv4 or IPv6. You must install all Horizon 7 components with the same IP version.
7 Select whether to enable or disable FIPS mode. This option is available only if FIPS mode is enabled in Windows.
8 Make sure that Install HTML Access is selected if you intend to allow users to connect to their desktops by using HTML Access.
- VMware Horizon View Web Component
- VMware VDMDS, which provides View LDAP directory services
For information about these services, see the View Administration document. If the Install HTML Access setting was selected during the installation, the HTML Access component is installed on the Windows Server computer.
- Verify that your installation satisfies the requirements described in Horizon Connection Server Requirements.
- Verify that the computers on which you install replicated Connection Server instances are connected over a high-performance LAN. See Network Requirements for Replicated Horizon Connection Server Instances.
- Prepare your environment for the installation. See Installation Prerequisites for Horizon Connection Server.
3 Type the installation command on one line. For example:
  VMware-viewconnectionserver-y.y.y-xxxxxx.exe /s /v"/qn VDM_SERVER_INSTANCE_TYPE=2 ADAM_PRIMARY_NAME=cs1.companydomain.com VDM_INITIAL_ADMIN_SID=S-1-5-32-544"
If you install a replicated Connection Server instance that is View 5.1 or later, and the existing Connection Server instance you are replicating is View 5.0.x or earlier, you must specify a data recovery password, and you can add a password reminder.
What to do next
Configure an SSL server certificate for the Connection Server instance. See Chapter 8 Configuring SSL Certificates for Horizon 7 Servers.
You do not have to perform an initial Horizon 7 configuration on a replicated instance of Connection Server. The replicated instance inherits its configuration from the existing Connection Server instance.
Table 7-2. MSI Properties for Silently Installing a Replicated Instance of Horizon Connection Server (Continued)
MSI Property | Description | Default Value
VDM_SERVER_RECOVERY_PWD | The data recovery password. If a data recovery password is not set in View LDAP, this property is mandatory. Note: The data recovery password is not set in View LDAP if the standard Connection Server instance you are replicating is View 5.0 or earlier. | None
What to do next
Install a security server. See Install a Security Server.
Important If you do not provide the security server pairing password to the Connection Server installation program within the password timeout period, the password becomes invalid and you must configure a new password.
Install a Security Server
A security server is an instance of Connection Server that adds an additional layer of security between the Internet and your internal network.
- Familiarize yourself with the network ports that must be opened on the Windows Firewall for a security server. See Firewall Rules for Horizon Connection Server.
- If your network topology includes a back-end firewall between the security server and Connection Server, you must configure the firewall to support IPsec. See Configuring a Back-End Firewall to Support IPsec.
10 In the External URL text box, type the external URL of the security server for client endpoints that use the RDP or PCoIP display protocols. The URL must contain the protocol, client-resolvable security server name, and port number. Tunnel clients that run outside of your network use this URL to connect to the security server. For example: https://view.example.
The VMware Horizon View Connection Server (Blast-In) rule is enabled in the Windows Firewall on the security server. This firewall rule allows Web browsers on client devices to use HTML Access to connect to the security server on TCP port 8443.
Note If the installation is cancelled or aborted, you might have to remove IPsec rules for the security server before you can begin the installation again.
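A post-install check is the practical complement to the service list given for the Connection Server installation and to the Blast-In firewall rule described here. The PowerShell below is an added example, not from the VMware document: it reports the state of each Horizon service by the display names the document lists and confirms that the Blast-In rule exists, is enabled, and is bound to TCP 8443. It assumes the NetSecurity module (Get-NetFirewallRule, Windows Server 2012 or later); services not installed for a given role, for instance on a security server, are reported as Missing rather than as failures.

```powershell
# Added example (not from the VMware document): verify Horizon services and the Blast-In
# firewall rule after a Connection Server or security server installation.
# Assumption: Get-NetFirewallRule / Get-NetFirewallPortFilter are available (Windows Server 2012+).

# Display names as listed in the document's service list for a standard installation.
$ExpectedServices = @(
    'VMware Horizon Connection Server',
    'VMware Horizon View Framework Component',
    'VMware Horizon View Message Bus Component',
    'VMware Horizon View Script Host',
    'VMware Horizon View Security Gateway Component',
    'VMware Horizon View PCoIP Secure Gateway',
    'VMware Horizon View Blast Secure Gateway',
    'VMware Horizon View Web Component',
    'VMware VDMDS'
)

function Test-HorizonServices {
    # One record per expected service: its status, or 'Missing' when the role does not install it.
    foreach ($displayName in $ExpectedServices) {
        $svc = Get-Service -DisplayName $displayName -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Service = $displayName
            Status  = if ($svc) { [string]$svc.Status } else { 'Missing' }
            Running = [bool]($svc -and $svc.Status -eq 'Running')
        }
    }
}

function Test-HorizonBlastInRule {
    # The installer enables this rule; if it is absent or disabled, HTML Access on TCP 8443 fails.
    $ruleName = 'VMware Horizon View Connection Server (Blast-In)'
    $rule = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
    if (-not $rule) {
        return [pscustomobject]@{ Rule = $ruleName; Present = $false; Enabled = $false; LocalPort = $null }
    }
    $port = ($rule | Get-NetFirewallPortFilter).LocalPort
    [pscustomobject]@{
        Rule      = $ruleName
        Present   = $true
        Enabled   = ([string]$rule.Enabled -eq 'True')
        LocalPort = $port
    }
}

Test-HorizonServices | Format-Table -AutoSize
$blast = Test-HorizonBlastInRule
$blast | Format-List
if (-not ($blast.Present -and $blast.Enabled -and ([string]$blast.LocalPort -eq '8443'))) {
    Write-Warning 'Blast-In rule is not present, not enabled, or not on TCP 8443.'
}
```

Run it in an elevated session on the server you just installed; a service shown as Stopped (rather than Missing) on a role that should have it, or a Blast-In rule that exists but is disabled, is the usual sign of an installation that was cancelled part-way and needs the IPsec cleanup the note above describes.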
- Verify that the Connection Server instance to be paired with the security server is accessible to the computer on which you plan to install the security server.
- Configure a security server pairing password. See Configure a Security Server Pairing Password.
- Familiarize yourself with the format of external URLs. See Configuring External URLs for Secure Gateway and Tunnel Connections.
- Verify that Windows Firewall with Advanced Security is set to on in the active profiles.
3 Type the installation command on one line. For example:
  VMware-viewconnectionserver-y.y.y-xxxxxx.exe /s /v"/qn VDM_SERVER_INSTANCE_TYPE=3 VDM_SERVER_NAME=cs1.internaldomain.com VDM_SERVER_SS_EXTURL=https://view.companydomain.com:443 VDM_SERVER_SS_PCOIP_IPADDR=10.20.30.40 VDM_SERVER_SS_PCOIP_TCPPORT=4172 VDM_SERVER_SS_PCOIP_UDPPORT=4172 VDM_SERVER_SS_BSG_EXTURL=https://view.companydomain.
Table 7-3. MSI Properties for Silently Installing a Security Server
MSI Property | Description | Default Value
INSTALLDIR | The path and folder in which the Connection Server software is installed. For example: INSTALLDIR=""D:\abc\my folder"" The sets of two double quotes that enclose the path permit the MSI installer to interpret the space as a valid part of the path. This MSI property is optional. | %ProgramFiles%\VMware\VMware View\Server
Table 7-3. MSI Properties for Silently Installing a Security Server (Continued)
MSI Property | Description | Default Value
VDM_SERVER_SS_PCOIP_UDPPORT | The PCoIP Secure Gateway external UDP port number. This property is supported only when the security server is installed on Windows Server 2008 R2 or later. For example: VDM_SERVER_SS_PCOIP_UDPPORT=4172 This property is required if you plan to use the PCoIP Secure Gateway component. | None
You can configure an initial security server pairing without using IPsec rules. Before you install the security server, you can open Horizon Administrator and deselect the global setting Use IPSec for Security Server Connections, which is enabled by default. If IPsec rules are not in effect, you do not have to remove them before you upgrade or reinstall.
Note You do not have to remove a security server from Horizon Administrator before you upgrade or reinstall the security server.
View Installation Table 7‑4.
View Installation Table 7‑5. Non-NAT Firewall Requirements to Support IPsec Rules Source Protocol Port Destination Notes Security server ISAKMP UDP 500 Horizon Connection Server Security servers use UDP port 500 to negotiate IPsec security. Security server ESP N/A Horizon Connection Server ESP protocol encapsulates IPsec encrypted traffic. You do not have to specify a port for ESP as part of the rule.
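The following is an added example, not part of the VMware documentation. It writes Table 7-5 as Windows Firewall rules in the form they take on the Connection Server host (inbound, from the security server) and then checks whether an IPsec security association with the security server actually exists, which is the quickest way to tell that the pairing channel is protected rather than merely configured to be. The Horizon installer creates its own firewall rules, so the two rules are illustrative; the addresses are placeholders.

```powershell
# Added example (not VMware's code): Table 7-5 as firewall rules, plus an IPsec SA check.
param(
    [string]$SecurityServer   = '10.20.30.40',   # placeholder
    [string]$ConnectionServer = '10.20.30.5'     # placeholder, this host
)

# ISAKMP: UDP 500 from the security server, used to negotiate the IPsec SAs.
New-NetFirewallRule -DisplayName 'Horizon SS->CS ISAKMP' -Direction Inbound `
    -Protocol UDP -LocalPort 500 -RemoteAddress $SecurityServer -Action Allow | Out-Null
# ESP is IP protocol 50. It carries no port, so none is specified.
New-NetFirewallRule -DisplayName 'Horizon SS->CS ESP' -Direction Inbound `
    -Protocol 50 -RemoteAddress $SecurityServer -Action Allow | Out-Null

# Run on the Connection Server after pairing: is the channel to the security server
# really covered by IPsec? Returns $true only if both a main-mode and a quick-mode SA exist.
function Test-HorizonIpsecPairing {
    param([string]$Peer)
    $mainMode  = Get-NetIPsecMainModeSA  | Where-Object { $_.RemoteEndpoint -eq $Peer }
    $quickMode = Get-NetIPsecQuickModeSA | Where-Object { $_.RemoteEndpoint -eq $Peer }
    if ($mainMode -and $quickMode) {
        "IPsec in effect: $(@($quickMode).Count) quick-mode SA(s) with $Peer"
        return $true
    }
    Write-Warning ("No IPsec SA with $Peer. Either pairing has not completed yet, or " +
        "'Use IPSec for Security Server Connections' is off and the channel is unprotected.")
    return $false
}

Test-HorizonIpsecPairing -Peer $SecurityServer
```

If the check reports no SA while the global setting is enabled, look at the firewall between the two hosts first: an intermediate device that drops ESP (protocol 50) or UDP 500 blocks the pairing silently, and Table 7-5 is the list of what that device must pass.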
- Familiarize yourself with restoring a View LDAP configuration from an LDIF backup file by using the vdmimport command. See "Backing Up and Restoring Horizon 7 Configuration Data" in the View Administration document.
- Familiarize yourself with the steps for installing a new Connection Server instance. See Install Horizon Connection Server with a New Configuration.

Procedure
1 Install Connection Server with a new configuration.
2 Decrypt the encrypted LDIF file.

For details about MSI, see the Microsoft Web site. For MSI command-line options, see the Microsoft Developer Network (MSDN) Library Web site and search for MSI command-line options. To see MSI command-line usage, open a command prompt on the Horizon 7 component computer and type msiexec /?. To run a Horizon 7 component installer silently, you begin by silencing the bootstrap program that extracts the installer into a temporary directory and starts an interactive installation.

Table 7-8. MSI Command-Line Options and MSI Properties

MSI Option or Property | Description
/qn | Instructs the MSI installer not to display the installer wizard pages. For example, to install Horizon Agent silently with only the default setup options and features: VMware-viewagent-y.y.y-xxxxxx.exe /s /v"/qn". Alternatively, use the /qb option to display a basic progress dialog box in a noninteractive, automated installation.

Table 7-8. MSI Command-Line Options and MSI Properties (Continued)

MSI Option or Property | Description
REBOOT | Use REBOOT=ReallySuppress to stop the installer from rebooting the system itself, so that the remaining system configuration tasks can complete before you reboot. This MSI property is optional.
/l*v log_file | Writes logging information into the specified log file with verbose output. For example: /l*v ""%TEMP%\vmmsi.

Uninstall a Horizon Agent Example
To uninstall a 32-bit Horizon Agent version 7.0.2, enter the following command:
msiexec.exe /qb /x {B23352D8-AD44-4379-A56E-0E337F9C4036}
To uninstall a 64-bit Horizon Agent version 7.0.2, enter the following command:
msiexec.exe /qb /x {53D6EE37-6B10-4963-81B1-8E2972A1DA4D}
To add a verbose log, append the following to the command:
/l*v "%TEMP%\vmmsi_uninstall.log"
If you do not explicitly pass the /l option, the default verbose log file is %TEMP%\MSInnnn.
Configuring SSL Certificates for Horizon 7 Servers 8
VMware strongly recommends that you configure SSL certificates for authentication of Connection Server instances, security servers, and View Composer service instances. A default SSL server certificate is generated when you install Connection Server instances, security servers, or View Composer instances. You can use the default certificate for testing purposes.

Important Replace the default certificate as soon as possible. The default certificate is self-signed, so it gives clients no way to verify that they are talking to the genuine server rather than to something else that presents its own self-signed certificate.

By default, when you install Connection Server or security server, the installation generates a self-signed certificate for the server. However, the installation uses an existing certificate in the following cases:
- If a valid certificate with a Friendly name of vdm already exists in the Windows Certificate Store
- If you upgrade to View 5.1 or later from an earlier release, and a valid keystore file is configured on the Windows Server computer

Additional Guidelines
For general information about requesting and using SSL certificates that are signed by a CA, see Benefits of Using SSL Certificates Signed by a CA. When client endpoints connect to a Connection Server instance or security server, they are presented with the server's SSL server certificate and any intermediate certificates in the trust chain. To trust the server certificate, the client systems must have the root certificate of the signing CA installed.

5 If your server certificate was signed by an intermediate CA, import the intermediate certificates into the Windows local computer certificate store. To simplify client configuration, import the entire certificate chain into the Windows local computer certificate store. If intermediate certificates are missing from the Horizon 7 server, they must be configured on the clients and on the computers that launch Horizon Administrator.

For testing purposes, you can obtain a free temporary certificate based on an untrusted root from many CAs.

Important You must follow certain rules and guidelines when you obtain signed SSL certificates from a CA.
- When you generate a certificate request on a computer, make sure that a private key is generated also.

Procedure
1 In the MMC window on the Windows Server host, expand the Certificates (Local Computer) node and select the Personal folder.
2 From the Action menu, go to All Tasks > Request New Certificate to display the Certificate Enrollment wizard.
3 Select a Certificate Enrollment Policy.
4 Select the types of certificates that you want to request, select the Make private key exportable option, and click Enroll.
5 Click Finish.
Procedure
1 Add the Certificate Snap-In to MMC
Before you can add certificates to the Windows Certificate Store, you must add the Certificates snap-in to the Microsoft Management Console (MMC) on the Windows Server host on which the Horizon 7 server is installed.

What to do next
Import the SSL server certificate into the Windows Certificate Store.

Import a Signed Server Certificate into a Windows Certificate Store
You must import the SSL server certificate into the Windows local computer certificate store on the Windows Server host on which the Connection Server instance or security server service is installed. You must also perform this task on the Windows Server host where the View Composer service is installed.

9 Verify that the new certificate contains a private key.
a In the Certificates (Local Computer) > Personal > Certificates folder, double-click the new certificate.
b On the General tab of the Certificate Information dialog box, verify that the following statement appears: You have a private key that corresponds to this certificate.

What to do next
Modify the certificate Friendly name to vdm.

Import a Root Certificate and Intermediate Certificates into a Windows Certificate Store
If the Windows Server host on which Connection Server is installed does not trust the root certificate for the signed SSL server certificate, you must import the root certificate into the Windows local computer certificate store.

3 In the Certificate Import wizard, click Next and browse to the location where the root CA certificate is stored.
4 Select the root CA certificate file and click Open.
5 Click Next, click Next, and click Finish.
6 If your server certificate was signed by an intermediate CA, import all intermediate certificates in the certificate chain into the Windows local computer certificate store.

4 Type the SviConfig ReplaceCertificate command. For example:
sviconfig -operation=ReplaceCertificate -delete=false
The -delete parameter is required and operates on the certificate that is being replaced. You must specify either -delete=true to delete the old certificate from the Windows local computer certificate store or -delete=false to keep the old certificate in the Windows certificate store.

- For Horizon Client for Android, see documentation on the Google Web site, such as the Android 3.0 User's Guide
- For Horizon Client for Linux, see the Ubuntu documentation

Prerequisites
Verify that the server certificate was generated with a KeyLength value of 1024 or larger. Client endpoints do not validate a certificate whose key is shorter than 1024 bits, and the clients fail to connect to the server. Treat 1024 bits as the floor the clients enforce, not as a target: public CAs issue RSA certificates of 2048 bits or more, and that is the size you should request.
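The following PowerShell script is an added example, not part of the VMware documentation. It performs, on the Connection Server or security server host, the steps the MMC procedures above describe by hand: import the CA-signed server certificate with its private key, confirm that the private key is present, check the key length against the prerequisite just stated, confirm that the name clients use appears in the subject or a subject alternative name, import the intermediate and root certificates into the right stores, build the chain with revocation checking, and finally give the new certificate the Friendly name vdm while removing that name from any other certificate. The PFX and chain file paths and the host name are placeholders.

```powershell
# Added example (not VMware's code): install and validate a CA-signed server certificate.
param(
    [string]$PfxPath   = 'C:\certs\view.companydomain.com.pfx',   # placeholder
    [string]$ChainPath = 'C:\certs\chain.p7b',                    # intermediates (+ root) from the CA
    [string]$HostName  = 'view.companydomain.com'                  # name clients connect to
)

$pfxPw = Read-Host 'PFX password' -AsSecureString
# -Exportable is the scripted equivalent of "Mark this key as exportable" in the wizard.
$cert = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation Cert:\LocalMachine\My `
            -Password $pfxPw -Exportable

# 1. The certificate must carry a private key (step 9 of the import procedure).
if (-not $cert.HasPrivateKey) { throw 'Imported certificate has no private key' }

# 2. Key length: clients refuse keys under 1024 bits; 2048 is the practical minimum.
$keyBits = $cert.PublicKey.Key.KeySize
if ($keyBits -lt 1024) { throw "Key is only $keyBits bits; clients will not connect" }
if ($keyBits -lt 2048) { Write-Warning "Key is only $keyBits bits; request a 2048-bit certificate" }

# 3. Subject CN or a SAN entry must match the name clients use.
$sanExt = $cert.Extensions | Where-Object { $_.Oid.FriendlyName -eq 'Subject Alternative Name' }
$san = if ($sanExt) { $sanExt.Format($false) } else { '' }
$escaped = [regex]::Escape($HostName)
if ($cert.Subject -notmatch "CN=$escaped(,|$)" -and $san -notmatch $escaped) {
    throw "Neither Subject nor SAN contains $HostName"
}

# 4. Intermediates go to the CA store, a self-signed root to the Root store, so this host
#    and the clients that launch Horizon Administrator are offered the full chain.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$chain.Import($ChainPath)
foreach ($c in $chain) {
    $storeName = if ($c.Subject -eq $c.Issuer) { 'Root' } else { 'CA' }
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($storeName, 'LocalMachine')
    $store.Open('ReadWrite'); $store.Add($c); $store.Close()
}

# 5. Build the chain with online revocation checking, as Connection Server will.
$builder = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$builder.ChainPolicy.RevocationMode = 'Online'
if (-not $builder.Build($cert)) {
    $builder.ChainStatus | ForEach-Object { Write-Warning $_.StatusInformation }
    throw 'Certificate chain does not validate on this host'
}

# 6. Only one certificate may be named vdm: clear it elsewhere, then set it on the new one.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.FriendlyName -eq 'vdm' -and $_.Thumbprint -ne $cert.Thumbprint } |
    ForEach-Object { $_.FriendlyName = '' }
$cert.FriendlyName = 'vdm'
"Installed $($cert.Thumbprint) as vdm; restart the Connection Server or security server service to use it."
```

Step 5 fails on a host that cannot reach the CA's CRL or OCSP endpoints, which is worth knowing before Connection Server reports the same problem as a red health indicator; fix the outbound path (or the revocation-checking registry value described later in this chapter) rather than skipping the check.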
All systems in the domain now have certificate information in their trusted root certificate stores and intermediate certificate stores that allows them to trust the root and intermediate certificates.

Configure Horizon Client for Mac to Trust Root and Intermediate Certificates
If a server certificate is signed by a CA that is not trusted by computers that run Horizon Client for Mac, you can configure these computers to trust the root and intermediate certificates.

Configuring Certificate Revocation Checking on Server Certificates
Each Connection Server instance performs certificate revocation checking on its own certificate and on those of the security servers paired to it. Each instance also checks the certificates of vCenter and View Composer servers whenever it establishes a connection to them. By default, all certificates in the chain are checked except the root certificate. You can, however, change this default. If a SAML 2.

If this registry value is not set, or if the value that is set is not valid (that is, not 1, 2, 3, or 4), all certificates are checked except the root certificate. Set this registry value on each server on which you intend to modify revocation checking. You do not have to restart the system after you set this value.
Procedure
1 Verify That the Server Name Matches the PSG Certificate Subject Name
When a Connection Server instance or security server is installed, the installer creates a registry setting with a value that contains the FQDN of the computer. You must verify that this value matches the server name part of the URL that security scanners use to reach the PSG port.

3 Verify that the value of the SSLCertPsgSni setting matches the server name in the URL that scanners will use to connect to the PSG, and that it matches the subject name or a subject alternative name of the SSL certificate that you intend to install for the PSG. If the value does not match, replace it with the correct value.
4 Restart the VMware Horizon View PCoIP Secure Gateway service to make your changes take effect.

2 Import the SSL certificate that is issued to the PSG by selecting More Actions > All Tasks > Import. Select the following settings in the Certificate Import wizard:
a Mark this key as exportable
b Include all extended properties
Complete the wizard to finish importing the certificate into the Personal folder.
3 Verify that the new certificate contains a private key by taking one of these steps:
- Verify that a yellow key appears on the certificate icon.

Prerequisites
- Verify that the Windows registry contains the correct subject name that is used to reach the PSG port and that matches the PSG certificate subject name or subject alternative name. See Verify That the Server Name Matches the PSG Certificate Subject Name.
- Verify that the certificate Friendly name is configured in the Windows local computer certificate store. See Configure a PSG Certificate in the Windows Certificate Store.

Procedure
1 Start the Windows Registry Editor on the Connection Server or security server computer where the PCoIP Secure Gateway is running.
2 Navigate to the HKEY_LOCAL_MACHINE\SOFTWARE\Teradici\SecurityGateway registry key.
3 Add a new String (REG_SZ) value, SSLCertPresentLegacyCertificate, to this registry key.
4 Set the SSLCertPresentLegacyCertificate value to 0.
5 Restart the VMware Horizon View PCoIP Secure Gateway service to make your changes take effect.
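The following is an added example, not part of the VMware documentation. It ties the two PSG procedures together: read SSLCertPsgSni from the registry key named above, check that the value is one of the names the PSG certificate is valid for (subject CN or a DNS subject alternative name), confirm the certificate has a private key, set SSLCertPresentLegacyCertificate to 0 and restart the gateway service. The certificate thumbprint is a placeholder for the PSG certificate you imported, and the service is restarted by the display name the text uses, which is an assumption about how the service is registered.

```powershell
# Added example (not VMware's code): verify SSLCertPsgSni against the PSG certificate and
# switch off the legacy self-signed certificate.
param([string]$PsgThumbprint = '0123456789ABCDEF0123456789ABCDEF01234567')   # placeholder

$key  = 'HKLM:\SOFTWARE\Teradici\SecurityGateway'
$sni  = (Get-ItemProperty -Path $key -Name SSLCertPsgSni).SSLCertPsgSni
$cert = Get-Item "Cert:\LocalMachine\My\$PsgThumbprint"

# Names the certificate is valid for: the subject CN plus every DNS entry in the SAN.
$names = @()
if ($cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1] }
$sanExt = $cert.Extensions | Where-Object { $_.Oid.FriendlyName -eq 'Subject Alternative Name' }
if ($sanExt) {
    $names += [regex]::Matches($sanExt.Format($false), 'DNS Name=([^,\s]+)') |
        ForEach-Object { $_.Groups[1].Value }
}

# The scanner URL host name, the registry value and the certificate must all agree,
# otherwise the PSG presents a certificate whose name does not match and scanners flag it.
if ($names -notcontains $sni) {
    throw "SSLCertPsgSni is '$sni' but the PSG certificate is valid for: $($names -join ', '). " +
          'Correct the registry value or issue a certificate for the right name.'
}
if (-not $cert.HasPrivateKey) { throw 'PSG certificate has no private key' }

# Stop presenting the legacy self-signed certificate: String value "0" on the same key.
New-ItemProperty -Path $key -Name SSLCertPresentLegacyCertificate -PropertyType String `
    -Value '0' -Force | Out-Null

# Changes take effect only when the gateway service restarts (display name assumed from the text).
Restart-Service -DisplayName 'VMware Horizon View PCoIP Secure Gateway'
"PSG now presents $($cert.Thumbprint) for $sni"
```

After the restart, point the same scanner at the PSG port: the finding about an untrusted or mismatched certificate should disappear, and if it does not, the scanner is reaching the port through a name that is not in $names.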
Troubleshooting Certificate Issues on Horizon Connection Server and Security Server
Certificate issues on a Horizon 7 server prevent you from connecting to Horizon Administrator or cause a red health indicator to be displayed for a server.
Problem
You cannot connect to Horizon Administrator on the Connection Server instance that has the problem.

Configuring Horizon 7 for the First Time 9
After you install the Horizon 7 server software and configure SSL certificates for the servers, you must take a few additional steps to set up a working Horizon 7 environment.

To summarize, when you configure Horizon 7 for the first time, you provide these user accounts in Horizon Administrator:
- The vCenter Server user allows Horizon 7 and View Composer to perform operations in vCenter Server.
- The standalone View Composer Server user allows Horizon 7 to authenticate to the View Composer service on a standalone machine.

Prerequisites
- In Active Directory, create a user in the Connection Server domain or a trusted domain. See Creating a User Account for vCenter Server.
- Familiarize yourself with the vCenter Server privileges that are required for the user account. See Privileges Required for the vCenter Server User.
- If you use View Composer, familiarize yourself with the additional required privileges. See View Composer and Instant Clone Privileges Required for the vCenter Server User.

What to do next
In Horizon Administrator, when you add vCenter Server to Horizon 7, specify the vCenter Server user. See Add vCenter Server Instances to Horizon 7.

Privileges Required for the vCenter Server User
The vCenter Server user must have sufficient vCenter Server privileges to enable Horizon 7 to perform operations in vCenter Server. Create a View Manager role for the vCenter Server user with only the required privileges, rather than assigning a built-in administrator role.
Table 9-1.

Table 9-1. Privileges Required for the View Manager Role (Continued)
Privilege Group | Privileges to Enable
Host | The following Host privilege is required to implement View Storage Accelerator, which enables ESXi host caching. If you do not use View Storage Accelerator, the vCenter Server user does not need this privilege.

Table 9-2.

Horizon Administrator and Horizon Connection Server
Horizon Administrator provides a Web-based management interface for Horizon 7. Horizon Connection Server can have multiple instances that serve as replica servers or security servers. Depending on your Horizon 7 deployment, you get a Horizon Administrator interface with each instance of a Connection Server.

If you open your Web browser on the Connection Server host, use https://127.0.0.1 to connect, not https://localhost. The literal loopback address is not subject to name resolution, so a poisoned hosts file or DNS answer for localhost cannot redirect the connection elsewhere.

Option | Description
You configured a certificate signed by a CA for View Connection Server. | When you first connect, your Web browser displays Horizon Administrator.
The default, self-signed certificate supplied with View Connection Server is configured. |
5 Verify that the Desktop, Application Remoting, and View Composer licenses are enabled or disabled, based on the edition of VMware Horizon 7 that your product license entitles you to use. Not all features and capabilities of VMware Horizon 7 are available in all editions. For a comparison of feature sets in each edition, see http://www.vmware.com/files/pdf/products/horizon-view/VMware-Horizon-View-Pricing-LicensingFAQ.pdf.

- Familiarize yourself with the settings that determine the maximum operations limits for vCenter Server and View Composer. See Concurrent Operations Limits for vCenter Server and View Composer and Setting a Concurrent Power Operations Rate to Support Remote Desktop Logon Storms.

Procedure
1 In Horizon Administrator, select View Configuration > Servers.
2 On the vCenter Servers tab, click Add.

Configure View Composer Settings
To use View Composer, you must configure settings that allow Connection Server to connect to the View Composer service. View Composer can be installed on its own standalone machine or on the same machine as vCenter Server. VMware recommends a one-to-one mapping between each View Composer service and vCenter Server instance.
Prerequisites
- Verify that you configured Connection Server to connect to vCenter Server.

3 If you are using View Composer, select the location of the View Composer machine.
Option | Description
View Composer is installed on the same machine as vCenter Server. | a Select View Composer co-installed with the vCenter Server. b Make sure that the port number is the same as the port that you specified when you installed the View Composer service on vCenter Server. The default port number is 18443.
View Composer is installed on its own separate machine. |

Procedure
1 On the View Composer Domains page, click Add to add the account information for the View Composer user for AD operations.
2 Type the domain name of the Active Directory domain. For example: domain.com
3 Type the domain user name, including the domain name, of the View Composer user. For example: domain.com\admin
4 Type the account password.
5 Click OK.

Disk space reclamation is especially useful for deployments that cannot take advantage of storage-saving strategies such as refresh on logoff. For example, knowledge workers who install user applications on dedicated remote desktops might lose their personal applications if the remote desktops were refreshed or recomposed. With disk space reclamation, Horizon 7 can keep linked clones close to the reduced size they have when they are first provisioned.

2 On the Storage Settings page, make sure that Enable space reclamation is selected. Space reclamation is selected by default if you are performing a fresh installation of View 5.2 or later. You must select Enable space reclamation if you are upgrading to View 5.2 or later from View 5.1 or an earlier release.
What to do next
On the Storage Settings page, configure View Storage Accelerator.

View Storage Accelerator is now qualified to work in configurations that use Horizon 7 replica tiering, in which replicas are stored on a different datastore than linked clones. Although the performance benefits of using View Storage Accelerator with Horizon 7 replica tiering are not materially significant, certain capacity-related benefits might be realized by storing the replicas on a separate datastore. Hence, this combination is tested and supported.

What to do next
To configure the PCoIP Secure Gateway, secure tunnel, and external URLs for client connections, see Configuring Horizon Client Connections. To complete View Storage Accelerator settings in Horizon 7, configure View Storage Accelerator for desktop pools. See "Configure View Storage Accelerator for Desktop Pools" in the Setting Up Virtual Desktops in Horizon 7 document.

Setting a Concurrent Power Operations Rate to Support Remote Desktop Logon Storms
The Max concurrent power operations setting governs the maximum number of concurrent power operations that can occur on remote desktop virtual machines in a vCenter Server instance. This limit is set to 50 by default. You can change this value to support peak power-on rates when many users log on to their desktops at the same time.
If you replace a default certificate with a certificate that is signed by a CA, but Connection Server does not trust the root certificate, you must determine whether to accept the certificate thumbprint. A thumbprint is a cryptographic hash of a certificate. The thumbprint is used to quickly determine whether a presented certificate is the same as another certificate, such as the certificate that was accepted previously. Compare it against a value obtained out of band from the vCenter Server or View Composer administrator; accepting whatever thumbprint is presented defeats the purpose of the check.

4 Verify that the thumbprint in the Certificate Information window matches the thumbprint for the vCenter Server or View Composer instance. Similarly, verify that the thumbprints match for a SAML authenticator.
5 Determine whether to accept the certificate thumbprint.
Option | Description
The thumbprints match. | Click Accept to use the default certificate.
The thumbprints do not match. | Click Reject. Troubleshoot the mismatched certificates.
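The following is an added example, not part of the VMware documentation. It fetches the certificate that a vCenter Server or View Composer host actually presents on its TLS port, computes its thumbprint, and compares it with the value you obtained out of band, so that the Accept or Reject decision in step 5 rests on a known-good value rather than on whatever the dialog shows. The host name, port and expected thumbprint are placeholders.

```powershell
# Added example (not VMware's code): independent thumbprint check before clicking Accept.
function Get-RemoteCertThumbprint {
    param([string]$HostName, [int]$Port = 443)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # The validation callback returns $true on purpose: we only want to read the
        # certificate the server presents, not trust it yet.
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        return $cert.Thumbprint   # SHA-1 over the DER encoding, upper-case hex, no separators
    } finally {
        $client.Close()
    }
}

function Test-Thumbprint {
    param([string]$Presented, [string]$Expected)
    # Thumbprints are shown with spaces, colons or lower case depending on the tool; normalize
    # both sides before comparing so a formatting difference is not mistaken for a mismatch.
    $norm = { param($s) ($s -replace '[^0-9A-Fa-f]', '').ToUpperInvariant() }
    return (& $norm $Presented) -eq (& $norm $Expected)
}

$vc       = 'vcenter.internaldomain.com'                                # placeholder
$expected = '01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23:45:67'  # placeholder, obtained out of band
$presented = Get-RemoteCertThumbprint -HostName $vc
if (Test-Thumbprint -Presented $presented -Expected $expected) {
    "Thumbprint matches; Accept is safe for $vc"
} else {
    Write-Warning "Thumbprint mismatch for ${vc}: presented $presented, expected $expected. Reject and investigate."
}
```

Run it from the Connection Server host itself, since that is the network path Connection Server will use; a different path (for example through a proxy that terminates TLS) can legitimately present a different certificate and would make the comparison meaningless.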
Typically, to provide secure connections for external clients that connect to a security server or Connection Server host over a WAN, you enable the secure tunnel, the PCoIP Secure Gateway, and the Blast Secure Gateway. You can disable the secure tunnel and the secure gateways to allow internal, LAN-connected clients to establish direct connections to remote desktops and applications.

4 Configure use of the PCoIP Secure Gateway.
Option | Description
Enable the PCoIP Secure Gateway | Select Use PCoIP Secure Gateway for PCoIP connections to machine.
Disable the PCoIP Secure Gateway | Deselect Use PCoIP Secure Gateway for PCoIP connections to machine. The PCoIP Secure Gateway is disabled by default.
5 Click OK to save your changes.

When the Blast Secure Gateway is not enabled, client devices and client Web browsers use the VMware Blast Extreme protocol to establish direct connections to remote desktop virtual machines and applications, bypassing the Blast Secure Gateway.
Important A typical network configuration that provides secure connections for external users includes a security server.
Many organizations require that users connect from an external location by using a specific IP address or client-resolvable domain name, and a specific port. This information might or might not resemble the actual address and port number of the Connection Server or security server host. The information is provided to a client system in the form of a URL. For example:
- https://view-example.com:443
- https://view.example.com:443
- https://example.com:1234
- https://10.20.30.

- To set the Blast external URL, verify that the Blast Secure Gateway is enabled on the Connection Server instance. See Configure the Blast Secure Gateway.
Procedure
1 In Horizon Administrator, click View Configuration > Servers.
2 Select the Connection Servers tab, select a Connection Server instance, and click Edit.
3 Type the secure tunnel external URL in the External URL text box. The URL must contain the protocol, the client-resolvable host name, and the port number.

Prerequisites
- Verify that the secure tunnel connections and the PCoIP Secure Gateway are enabled on the Connection Server instance that is paired with this security server. See Configure the PCoIP Secure Gateway and Secure Tunnel Connections.
- To set the Blast external URL, verify that the Blast Secure Gateway is enabled on the Connection Server instance that is paired with this security server. See Configure the Blast Secure Gateway.

Give Preference to DNS Names When Horizon Connection Server Returns Address Information
By default, when sending the addresses of desktop machines and RDS hosts to clients and gateways, Horizon Connection Server gives preference to IP addresses. You can change this default behavior with a View LDAP attribute that tells Horizon Connection Server to give preference to DNS names.

For Connection Server instances and security servers that are directly behind a gateway, perform the procedure described in Allow HTML Access Through a Gateway. You must perform this procedure for each Horizon 7 server that is behind the load balancer or load-balanced gateway.
Procedure
1 Create or edit the locked.properties file in the SSL gateway configuration folder on the Connection Server or security server host. For example: install_directory\VMware\VMware View\Server\sslgateway\co

2 Add the portalHost property and set it to the address of the gateway. For example, if https://view-gateway.example.com is the address that browsers use to access Horizon 7 through the gateway, add portalHost=view-gateway.example.com to the locked.properties file. If the Connection Server instance or security server is behind multiple gateways, you can specify each gateway by adding a number to the portalHost property, for example: portalHost.1=view-gateway-1.example.com portalHost.
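The following is an added example, not part of the VMware documentation. Because locked.properties is edited by hand in several procedures in this chapter and its property names are case sensitive, the helper below adds or replaces exactly one property without touching the others, then uses it to register two numbered gateways as described above. The install path is the default one and is a placeholder; Set-LockedProperty is a name chosen here, not a Horizon command.

```powershell
# Added example (not VMware's code): safe key=value editing of locked.properties.
function Set-LockedProperty {
    param(
        [Parameter(Mandatory)] [string]$Key,
        [Parameter(Mandatory)] [string]$Value,
        [string]$Path = 'C:\Program Files\VMware\VMware View\Server\sslgateway\conf\locked.properties'
    )
    $lines = @()
    if (Test-Path -LiteralPath $Path) { $lines = @(Get-Content -LiteralPath $Path) }
    $found = $false
    $out = @(foreach ($line in $lines) {
        # Property names are case sensitive, so the key is compared with -ceq, not -eq.
        if ($line -match '^\s*([^#=\s]+)\s*=' -and $Matches[1] -ceq $Key) {
            $found = $true
            "$Key=$Value"        # replace the existing entry in place, keep its position
        } else {
            $line                # comments and other properties pass through unchanged
        }
    })
    if (-not $found) { $out += "$Key=$Value" }
    # Java properties files are Latin-1; ASCII is a safe subset for host names and ports.
    Set-Content -LiteralPath $Path -Value $out -Encoding ASCII
}

# Two gateways in front of this server, numbered as the procedure describes.
Set-LockedProperty -Key 'portalHost.1' -Value 'view-gateway-1.example.com'
Set-LockedProperty -Key 'portalHost.2' -Value 'view-gateway-2.example.com'
# A single gateway would use the unnumbered form instead:
# Set-LockedProperty -Key 'portalHost' -Value 'view-gateway.example.com'

Get-Content 'C:\Program Files\VMware\VMware View\Server\sslgateway\conf\locked.properties'
```

Restart the Connection Server or security server service after editing the file; the values are read at service start. The same helper serves the other locked.properties changes in this chapter, such as the port and HTTP redirection settings, as long as you spell the property names exactly as the procedure gives them.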
If you change the SSL port number and you need HTTP redirection to continue working, you must also change the port number for HTTP redirection. See Change the Port Number for HTTP Redirection to Connection Server.
Prerequisites
Verify that the port that is specified in the External URL for this Connection Server instance or security server will continue to be valid after you change ports in this procedure.
Procedure
1 Create or edit the locked.

Replace the Default Ports or NICs for the PCoIP Secure Gateway on Horizon Connection Server Instances and on Security Servers
You can replace the default ports or NICs that are used by a PCoIP Secure Gateway service that runs on a Connection Server instance or security server. Your organization might require you to perform these tasks to comply with organization policies or to avoid port contention.

4 (Optional) If the computer on which the PCoIP Secure Gateway is running has multiple NICs, select one NIC to listen on the configured ports. Under the same registry key, add the following String (REG_SZ) values to specify the IP address that is bound to the designated NIC. For example:
ExternalBindIP "10.20.30.40"
InternalBindIP "172.16.17.18"
If you configure external and internal connections to use the same NIC, the external and internal UDP ports must not be the same.

6 Restart the Connection Server service or security server service to make your changes take effect.

Replace the Default Port for View Composer
The SSL certificate that is used by the View Composer service is bound to a certain port by default. You can replace the default port by using the SviConfig ChangeCertificateBindingPort utility.

Change the Port Number for HTTP Redirection to Connection Server
If you replace the default port 443 on a Horizon 7 server, and you want to allow HTTP redirection for Horizon Clients that attempt to connect to port 80, you must configure the locked.properties file on the Horizon 7 server.
Note This procedure has no effect if you off-load SSL to an intermediate device. With SSL off-loading in place, the HTTP port on the Horizon 7 server provides service to clients.

Procedure
1 Create or edit the locked.properties file in the SSL gateway configuration folder on the Connection Server or security server computer. For example: install_directory\VMware\VMware View\Server\sslgateway\conf\locked.properties
The properties in the locked.properties file are case sensitive.
2 Add the following lines to the locked.properties file:
frontMappingHttpDisabled.1=5:*:missing frontMappingHttpDisabled.

Configure less than 10GB of memory for small, proof-of-concept deployments only. With the required minimum of 4GB of memory, a configuration can support approximately 500 concurrent tunnel sessions, which is more than adequate for small, proof-of-concept deployments. However, because your deployment might grow as more users are added to the environment, VMware recommends that you always configure at least 10GB of memory.
Configuring Event Reporting 10
You can create an event database to record information about Horizon 7 events. In addition, if you use a Syslog server, you can configure Connection Server to send events to a Syslog server or create a flat file of events written in Syslog format.

Procedure
1 Add a new database to the server and give it a descriptive name such as HorizonEvents. For an Oracle 12c or 11g database, also provide an Oracle System Identifier (SID), which you will use when you configure the event database in Horizon Administrator.
2 Add a user for this database that has permission to create tables, views, and, in the case of Oracle, triggers and sequences, as well as permission to read from and write to these objects. Grant no more than that: the account does not need a database-owner or server-level administrative role.

What to do next
Use Horizon Administrator to connect the database to Connection Server. Follow the instructions in Configure the Event Database.

Configure the Event Database
The event database stores information about Horizon 7 events as records in a database rather than in a log file. You configure an event database after installing a Connection Server instance. You need to configure only one host in a Connection Server group.

- A prefix for the tables in the event database, for example, VE_. The prefix enables the database to be shared among Horizon 7 installations.
Note You must enter characters that are valid for the database software you are using. The syntax of the prefix is not checked when you complete the dialog box. If you enter characters that are not valid for the database software you are using, an error occurs when Connection Server attempts to connect to the database server.
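The following is an added example, not part of the VMware documentation. It creates the SQL Server event database and a login with exactly the rights step 2 calls for (DDL on the database plus read and write, and nothing server-wide), validates the table prefix up front because Horizon Administrator does not, and then proves as the new login that a prefixed table can be created, written, read and dropped. It assumes the SqlServer PowerShell module (Invoke-Sqlcmd with -Credential) and SQL Server 2012 or later for ALTER ROLE ... ADD MEMBER; the server, database, login and prefix names are placeholders.

```powershell
# Added example (not VMware's code): least-privilege SQL Server event database setup.
param(
    [string]$SqlServer = 'sql01.internaldomain.com',   # placeholder
    [string]$Database  = 'HorizonEvents',
    [string]$Login     = 'horizon_events',
    [string]$Prefix    = 'VE_'
)

# Horizon Administrator does not check the prefix syntax, so check it here, and apply the
# same rule to every name spliced into a T-SQL identifier below.
foreach ($name in $Database, $Login, $Prefix) {
    if ($name -notmatch '^[A-Za-z_][A-Za-z0-9_]*$') { throw "'$name' is not a safe SQL identifier" }
}

$secure = Read-Host "Password for SQL login $Login" -AsSecureString
$cred   = New-Object System.Management.Automation.PSCredential($Login, $secure)
$plain  = $cred.GetNetworkCredential().Password.Replace("'", "''")   # escape for the T-SQL literal

# Server level: the database and a login bound to the Windows password policy.
Invoke-Sqlcmd -ServerInstance $SqlServer -Query @"
IF DB_ID(N'$Database') IS NULL CREATE DATABASE [$Database];
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$Login')
    CREATE LOGIN [$Login] WITH PASSWORD = N'$plain', CHECK_POLICY = ON;
"@
$plain = $null

# Database level: Connection Server creates its own tables and views on first connect, so the
# user needs DDL rights plus read/write. db_ddladmin + db_datareader + db_datawriter covers
# that; db_owner or sysadmin is not needed and should not be granted.
Invoke-Sqlcmd -ServerInstance $SqlServer -Database $Database -Query @"
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'$Login')
    CREATE USER [$Login] FOR LOGIN [$Login];
ALTER ROLE db_ddladmin   ADD MEMBER [$Login];
ALTER ROLE db_datareader ADD MEMBER [$Login];
ALTER ROLE db_datawriter ADD MEMBER [$Login];
"@

# Verify as the new login, with the prefix Horizon will use: create, insert, read, drop.
$row = Invoke-Sqlcmd -ServerInstance $SqlServer -Database $Database -Credential $cred -Query @"
CREATE TABLE [${Prefix}probe] (id INT NOT NULL);
INSERT INTO [${Prefix}probe] (id) VALUES (1);
SELECT COUNT(*) AS n FROM [${Prefix}probe];
DROP TABLE [${Prefix}probe];
"@
if ($row.n -ne 1) { throw "Event database check failed for login $Login" }
"Event database $Database is ready; enter prefix '$Prefix' and login '$Login' in Horizon Administrator."
```

If the probe fails with a permission error, the login is missing one of the three roles; if it fails on the CREATE TABLE with an invalid object name, the prefix contains characters SQL Server rejects, which is the same failure Connection Server would report later when it first connects.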
You can alternatively use a vdmadmin command to configure file-based logging of events in Syslog format. See the topic about generating Horizon 7 event log messages in Syslog format using the -I option of the vdmadmin command, in the View Administration document.
Important Syslog data is sent across the network without software-based encryption and might contain sensitive data, such as user names. Send it only over a network path you control, or protect that path at the network layer (for example with IPsec), and restrict who can read the files on the Syslog server.