Horizon Mobile Secure Workplace - Design Guide: VMware, Inc.
VMware® Horizon™ Mobile Secure Workplace™
VALIDATED DESIGN GUIDE
Table of Contents
About the Validated Design Guide
Introduction
Audience
Business Case
What Is Mobile Secure Workplace?
  Mobility
  Security
  Management
User Profiles
Mobile Secure Workplace Architecture Overview
Key Components of the Architecture
  Core Components
  Additional Components
Solution Validation
  Lab Equipment List
  Solution Components
  Optional Components
Overview of Architecture
  Datacenter
  Storage
  Networking
  Security
  RADIUS Two-Factor Authentication
  Single Sign-On for “Follow-Me Desktop” Experience
  Management
  Endpoint Management
  Persona Management
  Printing
  Optional: User-Installed Applications
  User Connection Flow Sequence
  Design Optimizations
Summary
Appendix 1
  Test Cases
  Functional Test Cases
  Performance Validation Results
Appendix 2
  How to Set Up Location-Based Printing on a Zero Client
About the Validated Design Guide
VMware® Validated Design Guides provide an overview of the solution architecture and implementation. The validated designs and solutions have been created through architectural design development and lab testing.
The guide is intended to provide guidance for the introduction of proof of concepts, emerging new technology and architectures, as well as enhancement of customer use cases.
The Validated Design Guides:
• Incorporate generally available products into the design
• Employ repeatable processes for the deployment, operation, and management of components within the solution.
Validated Designs are tested for a specific use case or architectural practice on a limited scale and duration. These guides ensure the viability of theoretical designs or concepts in real world practices.
The Validated Design Guides provide an overview of the solution design and implementation guidance that includes:
• Use cases that are catered to the design
• Products that were validated as part of design testing
• Software that was used for each component of the design
• Configurations used to support the design test cases
• A list of design limitations and issues discovered during the testing
Introduction
This Validated Design Guide provides you an overview of the VMware Horizon™ Mobile Secure Workplace™ solution. The architecture uses products from VMware and its ecosystem of partners to build a comprehensive solution that satisfies the specific requirements of various use cases in enterprises such as mobility, bring your own device (BYOD), security, compliance, and printing.
This document will provide an overview of the various use cases, logical solution architecture, and results of the tested configuration. The solution is not exclusive to the products tested within the architecture. Consult your VMware representative for more information about how to modify the architecture with your preferred vendors.
Audience
This document is intended to assist solution architects, sales engineers, field consultants, advanced services specialists, and customers who will configure and deploy a virtual mobile secure workplace solution.
Business Case
Today’s workforce is no longer tethered to traditional stationary desktops. New devices have proliferated at companies of all sizes. Workers are increasingly mobile, and more than 60 percent of enterprise firms and 85 percent of SMB organizations are looking to initiate BYOD programs. Although end users are embracing these trends, IT departments—faced with tight budgets—are struggling with how to best support and manage these new devices while protecting corporate data as it is accessed across networks and locations.
A need to find a secure, streamlined and more cost-effective way to manage end users across devices and locations has become a top priority for many customers today.
Research shows that 97 percent of employees carry more than two devices and 50 percent of employees carry more than three devices. It is estimated that by the end of 2013, there will be more than 272 million tablets. With the popularity of these new devices and with companies increasingly supporting teleworking and remote working, it is becoming important to provide a way to enable secure access to workplaces over a wide variety of devices for end users across locations.
What Is Mobile Secure Workplace?
The VMware Horizon Mobile Secure Workplace solution provides an innovative way for IT to support device diversity and bring your own device initiatives by improving user access and mobility, streamlining application updates, enhancing data security, and delivering the highest-fidelity user experience.
This solution enables you to address the following three key requirements:
Mobility
The Mobile Secure Workplace solution built on VMware Horizon View™ places desktops in the datacenter and provides access to the datacenter through any device. With a multitude of client devices supported, the desktops can be accessed from any workstation, thin client, or mobile device. This enables true BYOD support and, with session persistence, enables session mobility across devices—so you get to use the same desktop from different devices. With Persona Management and optional user-installed applications support, the Mobile Secure Workplace solution provides true session persistence across devices and sessions. In addition to providing session persistence across devices, VMware Horizon View uses PCoIP protocol to deliver the best desktop user experience from any device.
Security
With support for end-user access via two-factor authentication (RSA SecurID, RADIUS authentication, etc.), the Mobile Secure Workplace solution emphasizes data and application security in the organization. In addition to providing the right level of access to the right resources, it also simplifies patch management and update management. Since all the desktops are in the datacenter, the Mobile Secure Workplace solution helps IT administrators update and patch the desktops to the latest version. This ensures that no vulnerabilities exist in the environment due to unpatched or orphaned systems. Also since the data resides in the datacenter, and is protected by VMware vShield™, it provides superior security for the environment.
Management
One of the key challenges facing organizations today is the ability to manage and get an overview of the environment, desktops, access policies, and service levels. The Mobile Secure Workplace solution, with optionally integrated VMware vCenter™ Operations Manager™, provides an integrated dashboard with intelligent response on all desktop-related events, which helps IT administrators to provide the right amount of intervention and guidance when virtual infrastructure performance looks to be exceeding an expected range of behavior. The solution can also include vCenter Configuration Manager (vCM) for importing suggested configurations and to meet regulatory compliance requirements.
User Profiles
In a typical organization, there are multiple user profiles with unique requirements. This solution architecture caters to the following five distinct user profiles.
USER PROFILE | CHARACTERISTICS
Office-Based Information Worker | Workers with a broader skill set that require assimilation and manipulation of information or input from multiple sources. Examples include higher-level back-office functions, such as finance, IT, and mid-level management. These users will require a relatively broad application portfolio. They will also need some level of control over how they access applications and data, but not full administrative control. They are unlikely to be mobile, but might work from more than one fixed location. They will require multi-channel communication and collaboration capabilities for working with peers.
Content/Media Worker/Software Developer | Workers with a high level of expertise in an area of creativity or science that requires detailed manipulation of content. These are the traditional power users. Examples include engineers, graphic designers and some developers. They typically require a narrow, but specialized, portfolio of applications. They are unlikely to be mobile and will normally work from a single, fixed location. They will also need some level of control over how they access applications and data, but not full administrative control, and may be ring-fenced from other corporate functions. They will require high levels of computation capability and graphical display. They may also require specialist peripheral devices.
Home Office Worker | Workers with a broader skill set that require assimilation and manipulation of information or input from multiple sources. These workers also need to roam within a defined area or set of areas such as a campus or office, or traditionally work from home. Examples include remote workers, teachers, doctors, and higher-level managers.
Traveling Worker | Workers who spend at least 50 percent of their time in a non-office or non-campus location. They will typically be oriented to a single function, often customer facing. Examples include sales and service representatives. They typically require access to only a narrow portfolio of applications and only create information content in a highly structured manner. They will not require control over how they access applications or data, but will need access from almost any location within geographic boundaries. They typically tend to use laptops.
VIP | Business executives who will typically require access to only a small number of applications, but they will expect control over how they access these applications and corporate data. They will need to be mobile and typically tend to use tablets and laptops.
Table 1: Business User Profiles Considered in the Mobile Secure Workplace Architecture
These five business user profiles can be transposed to three distinct user workload profiles as listed below:
USER PROFILE | REQUIREMENTS
Knowledge Worker | Application Profile: MS Office, Adobe, IE, Firefox, Chrome, Outlook, SaaS applications (using JRE), Windows applications (Notepad, Calculator), multimedia players (Flash, WMP, etc.), antivirus, WebEx. Network Profile: LAN. Security Profile: Audit capability and GPO settings for UX policy; and antivirus and DLP (data loss protection – RSA and Symantec). Other: Multi-monitor; print to nearest printer.
Power User | Application Profile: MS Office, Adobe, IE, Firefox, Chrome, Outlook, SaaS applications (using JRE), Windows applications (Notepad, Calculator), multimedia players (Flash, WMP, etc.), antivirus, WebEx, media and development environments. Network Profile: LAN and WAN. Security Profile: Two-factor authentication, audit capability and GPO settings for UX policy; data encryption and antivirus. Other: Multi-monitor; print to nearest printer.
Mobile Knowledge Worker | Application Profile: MS Office, Adobe, Outlook, IE, Firefox, Chrome, SaaS applications, Windows applications, multimedia players (Flash, QuickTime, etc.), antivirus, WebEx. Network Profile: LAN and WAN. Security Profile: Two-factor authentication, audit capability and GPO settings for UX policy; data encryption and antivirus; auto disconnect upon connecting to new device. Other: Print to nearest printer.
Table 2: User Workload Profiles
The validated design in this document supports the unique requirements of these user profiles and also helps the IT team manage the environment securely.
Mobile Secure Workplace Architecture Overview
The following diagram shows the logical topology for the Mobile Secure Workplace solution:
[Figure 1 diagram. Labels: External Network; Internal Network; DMZ; Infrastructure; Management; Virtual Desktops; Horizon View client devices (Android tablet, iPad, PDA, zero client, thin client, Windows Horizon View Client, Windows Horizon View Client with Local Mode, Macintosh Horizon View Client); Horizon View Security Servers; Layer 7 Load Balancer for Horizon View Security and Connection Servers; Horizon View Connection Servers; Active Directory; Print Server; Certificate Authority; RADIUS; SSO; vCenter; Antivirus; vCM; vCOps; vShield; Management vSphere Infrastructure; Virtual Desktop vSphere Infrastructure; Local SSD Datastores for Horizon View Composer Linked Clone Storage; Shared Storage Infrastructure for Persona, User Data, ThinApp Applications and VM Master Images.]
Figure 1: Mobile Secure Workplace Reference Architecture
The architecture consists of two virtual machine clusters, the management cluster and virtual desktop cluster for scalability purposes. In addition, the third-party software management or add-on functions including the ecosystem partner products for printing, user-installed applications, security, SIEM, system management, and antivirus, can be segmented into the third resource boundary.
The management cluster includes all the management components required for the VMware Horizon View base architecture along with vCenter Operations Manager and vShield-related VMware products. The virtual desktop cluster is dedicated to host the stateless virtual desktops, accessed by the end users. The environments are segregated to effectively utilize the underlying hardware resources, and support storage layer tiering where required.
The management architecture can host multiple connection servers, load balanced to provide redundancy and availability. Enterprise users can access the closest desktop immediately by accessing the network of load balancers using a single namespace, and remote users can access the environment using View Security Servers deployed in the demilitarized zone (DMZ). Usage of security servers enables the end users to access the desktops via PCoIP and have a better user experience.
The architecture is built based on the standard reference architectures published by VMware and is scalable.
Key Components of the Architecture
Though the architecture is vendor agnostic, below is a list of components that are part of the architecture:
Core Components
vSphere and vCenter – The solution is built on top of vSphere, the industry-leading virtualization platform. There are many benefits to using the vSphere platform and more information on the platform can be found on the VMware Web site.
VMware Horizon View – The central component of the solution architecture is VMware Horizon View, which is the industry-leading virtual desktop infrastructure (VDI) product.
VMware vShield – VMware vShield provides best-in-class security to the virtual desktop environment. vShield Endpoint with the hypervisor-based Antivirus protection (from our leading AV vendors), provides tremendous benefits in terms of management and ease of use for the environment. In addition, vShield App and vShield Edge products add security to the environment. Visit the VMware Web site for more information on the vShield line of products.
ThinPrint – Most of the use cases catered to by this solution have a location-aware printing requirement. ThinPrint software, OEM’d by VMware, provides the functionality of location-aware printing from many devices. More information about ThinPrint can be found on the ThinPrint Web site.
Additional Components
Management – One of the biggest challenges faced by the IT group is on-demand management of the entire environment and an ability to proactively identify and plan the infrastructure. VMware vCenter Operations Manager for Horizon View provides the management infrastructure required for the environment.
Compliance – One of the key requirements of many vertical industries is the ability to manage compliance to various industry regulations. VMware vCenter Configuration Manager helps organizations achieve their compliance requirements.
Persona Management and User-Installed Applications – Many use cases defined in the solution have a requirement to persist user information across sessions. But the biggest cost savings, both in terms of CapEx and OpEx, can be achieved by using stateless desktops. To effectively achieve this, Horizon View has a feature called Persona Management to maintain user data and profile persistence across stateless sessions. In addition to the profile persistence, some use cases require support for user-installed applications. This can be achieved by using some of our partner products.
The next section of the document details the architecture as it was built for testing within the lab environment at VMware.
Solution Validation
The solution implemented in the lab was sized to scale to many thousands of desktops per the sizing guidelines provided in VMware published reference architectures. The architecture was built in pods or building blocks for easy scalability. For the functional testing aspects, the solution was implemented with 250 desktops and was deployed on the following hardware in the validation.
Lab Equipment List
PRODUCT | FUNCTION / DESCRIPTION / VERSION
Servers | 5-1U servers with 2 Intel Xeon E7 8837 2.67GHz processors, 96GB RAM; 1-3U servers with 2 Intel Xeon E7 8837 2.67GHz processors, 128GB RAM
Hard drives | 8–300GB Intel 320 SSD Drives; 8–600GB 7200 RPM HDD
Attached storage | iSCSI storage array, Raw Disk Capacity: 8TB, Raw Flash Cache 160GB, 24GB RAM, 4–1GbE network ports
Networking | Unmanaged layer 2 – 10/100 24 port switch
Table 3: Lab Equipment
Solution Components
PRODUCT | FUNCTION / DESCRIPTION / VERSION
vSphere | 5.0.1
vSphere with vCenter | 5.0
VMware Horizon View | 5.1
VMware Horizon View Composer | 3.0
vShield Edge™, vShield App™, and vShield Endpoint™ | 5.0.1
SSO with RADIUS | SafeNet Authentication Manager v6.1.7
Desktop antivirus | Trend Micro Deep Security
Table 4: Solution Components
Optional Components
PRODUCT | FUNCTION / DESCRIPTION / VERSION
vCenter Operations Manager for Horizon View | 1.0
Load balancer | BigIP GTM LTM APM
Microsoft System Center | System Center 2012
Liquidware Lab | ProfileUnity
Data security | Verdasys
FollowMe desktop session roaming | HID NaviGO
Table 5: Optional Components
Overview of Architecture
In the Mobile Secure Workplace design it is important to separate the management and desktop components into two discrete blocks of infrastructure. In the design we created a management cluster and a Horizon View pod in order to establish a subscription- or consumption-based model. This methodology is important in order to scale the solution easily, as another pod can be plugged into the architecture as required and services can be extended to accommodate the expansion. Third-party services were also grouped together as a separate virtual appliance (vApp) entity in order to provide performance isolation.
vShield networking was configured to provide the security architecture, specifically around virtual desktop communication and application protocol flow in and out of the management, services, and desktop pool security zones.
In order to satisfy the mobility and security specifications in this design, the architecture leveraged several third-party solutions.
Datacenter
This diagram shows how each software component was deployed on each host.
[Figure 2 diagram. Labels: Management Cluster with HA and DRS; VDI Cluster; Connection Server; Security Server; vCenter; SQL DB (100GB); VM Storage (500GB, two volumes); ThinApps, User Data, User Profile Storage (2TB); Antivirus; SSO; vShield; RADIUS; Certificate Authority; Print Server; Active Directory; vCM; vCOps; Load Balancer Appliance; Third-Party Components; Optional Components; iSCSI Storage Array, Raw Disk Capacity 8TB, with Raw Flash Cache 160GB, 24GB RAM; hosts with Intel Xeon E7 8837 2.67GHz processors, five with 96GB RAM and two with 128GB RAM.]
Figure 2: Datacenter Configuration in Three Clusters
The datacenter was configured with three clusters: management, virtual desktop, and View Services (for third-party products).
A snapshot of the environment is provided below:
Figure 3: Datacenter Environment
The infrastructure components required for the environment are configured in the management cluster, and the View Services components are configured in the View Services cluster.
The management cluster includes two Active Directory virtual machines for redundancy, a vCenter server with SQL virtual machine, and a Certificate Authority for RADIUS authentication, using SafeNet Authentication Manager.
The View Services cluster includes the View Connection Server, vCenter Compliance Manager, vShield Security Manager, and View Security Servers. These form the core and optional services required for the environment, to satisfy the requirements of the five user profiles discussed earlier.
Separate resource pools were added for each one of the user profiles. The five user profiles were transposed to three technology profiles: Knowledge Worker, Power User, and Mobile Knowledge Worker. The virtual desktops for each one of the profiles will be created within these resource pools. The vShield Edge product was configured to ensure that these resource pools are segregated and cannot talk to each other.
In addition to the above clusters, for the validation, the environment included a View Planner instance to launch workloads.
Storage
For the Mobile Secure Workplace design, the typical storage configuration can be logically segregated into two clusters: management and VDI. The management cluster is in turn segmented into general, SQL, vShield and third-party. The VDI cluster is segregated into virtual desktops and User/Corporate data segments, following the logical segregation of workloads in these datastores.
The general datastore cluster in the management segment consists of Active Directory, DNS, View Connection Manager, View Security Servers, etc. All general infrastructure components are located in this segment. Storage best practices are followed when the datastores are created (e.g., two instances of AD, VCM, and VSS are located in two separate datastores for failover protection). Follow Storage Best Practices when designing a production environment.
The SQL logical cluster contains the datastores for all SQL databases used for Composer, vCenter, etc., and the vShield cluster contains the datastores for all vShield virtual machines. In addition, a separate datastore cluster hosts all third-party software such as user-installed application support.
The VDI logical cluster contains datastores for virtual desktops and user and corporate data.
Typically, the management logical cluster can be Fibre Channel or iSCSI and the virtual desktop datastores are in SSD for faster performance. The user data and corporate data are located in NFS datastores.
The diagram below shows the storage configuration for the environment.
Figure 4: Storage Configuration
In this lab design, the management logical cluster (general, SQL, vShield and third-party virtual machine datastores) is located in iSCSI datastores. The VDI cluster (virtual desktops) is located in SSD and the user data is located in NFS datastores. For production environments, VMware recommends that IT administrators review Storage Best Practices documentation on the best storage options for various types of virtual machines.
Networking
For this architecture, vSphere network distributed switch technology was leveraged to simplify the configuration for Mobile Secure Workplace.
[Figure 5 diagram. Labels: Management Cluster; VDI Cluster; vDS; Uplink Port 1; Uplink Port 2; ESXi hosts; Management 1 VLAN; Management 2 VLAN; Fault Tolerance Logging VLAN; vMotion VLAN; VM Pool 1 VLAN; VM Pool 2 VLAN; VM Pool 3 VLAN.]
Figure 5: Network Overview of the Environment
Standard VLANs were used to segregate vSphere management, services management, and desktop virtual machine traffic. In this configuration all uplink ports were configured as VTP trunk ports into the vSphere hosts. All networking was then broken out at the virtual distributed switch (vDS) level.
Figure 6: vDS Portgroup Layout
Security
The figure below illustrates how the vShield App Security Zones were set up for communication between the management components and the desktop pools.
vShield Edge allows us to control the application traffic flows between discrete components at a granular level. vShield Edge was used to segregate the management cluster from the desktop cluster. It can also be used to segregate pools of desktops which have stringent security requirements.
vShield App was used as a load balancer for the internal View Connection Managers, used exclusively by users inside the corporate network.
The external connections are load balanced via network load balancers.
[Figure 7 diagram. Labels: VMware vShield App (four instances); Management Cluster; VM Pool 1; VM Pool 2; VM Pool 3.]
Figure 7: vShield App Security Zone Setup
A screenshot of the vShield Edge configuration for the Management and DMZ networks is shown below:
Figure 8: vShield Edge Configuration for Management and DMZ Networks
vShield Edge is also used to segregate the Management and User Profile pools. A screenshot of vShield Edge configuration for the Management and Knowledge Worker profile pool is shown below:
Figure 9: vShield Edge Configuration for Management and Knowledge Worker Profile Pool
vShield Edge is configured around each user profile pool to ensure that data does not cross over between user profile pools, but only between Management and User profile pools. A sample configuration for the Knowledge Worker profile pool is shown below:
Figure 10: Knowledge Worker Profile Pool
Firewall rules were also established to restrict data movement. A snapshot of the firewall rules is shown below:
Figure 11: Firewall Rules
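The isolation requirement stated above (traffic may cross between Management and a user profile pool, never between two pools) can be checked mechanically against an exported rule list. The following is an added example, not VMware tooling and not the lab's configuration: the subnets, zone names and both rule sets are constructed, rules are modelled at the IP layer only, and first-match evaluation with an implicit final deny is assumed.

```python
import ipaddress
from itertools import permutations

# Constructed addressing plan: one subnet per security zone (hypothetical).
ZONES = {name: ipaddress.ip_network(cidr) for name, cidr in {
    "management": "10.0.10.0/24",
    "knowledge_worker": "10.0.101.0/24",
    "power_user": "10.0.102.0/24",
    "mobile_knowledge_worker": "10.0.103.0/24",
}.items()}
POOLS = ("knowledge_worker", "power_user", "mobile_knowledge_worker")

# Constructed rule sets: (action, source CIDR, destination CIDR), first match wins.
SEGMENTED = [
    ("allow", "10.0.10.0/24", "10.0.101.0/24"),
    ("allow", "10.0.101.0/24", "10.0.10.0/24"),
    ("allow", "10.0.10.0/24", "10.0.102.0/24"),
    ("allow", "10.0.102.0/24", "10.0.10.0/24"),
    ("allow", "10.0.10.0/24", "10.0.103.0/24"),
    ("allow", "10.0.103.0/24", "10.0.10.0/24"),
    ("deny", "10.0.0.0/16", "10.0.0.0/16"),
]
LEAKY = [
    ("deny", "10.0.101.0/24", "10.0.102.0/24"),
    ("deny", "10.0.102.0/24", "10.0.101.0/24"),
    ("allow", "10.0.0.0/16", "10.0.0.0/16"),  # broad "internal" allow added later
]


def _overlap(a, b):
    """CIDR blocks are either nested or disjoint, so the overlap is the smaller block."""
    if a.subnet_of(b):
        return a
    if b.subnet_of(a):
        return b
    return None


def first_allow(rules, src_zone, dst_zone):
    """Index of the first allow rule that passes some src_zone -> dst_zone traffic, or None.

    An allow rule counts as shadowed only when ONE earlier deny covers its whole
    overlap with the zone pair. Denies that only jointly cover it are not
    recognised, so the audit errs towards reporting.
    """
    denied = []
    for index, (action, src, dst) in enumerate(rules):
        s = _overlap(ipaddress.ip_network(src), ZONES[src_zone])
        d = _overlap(ipaddress.ip_network(dst), ZONES[dst_zone])
        if s is None or d is None:
            continue  # rule does not touch this zone pair
        if action == "deny":
            denied.append((s, d))
        elif not any(s.subnet_of(ds) and d.subnet_of(dd) for ds, dd in denied):
            return index
    return None


def audit(rules):
    """Return (violations, missing).

    violations: (src_pool, dst_pool, rule_index) where pool-to-pool traffic is allowed.
    missing:    (src, dst) management<->pool paths that the rules do not allow.
    """
    violations = []
    for src, dst in permutations(POOLS, 2):
        hit = first_allow(rules, src, dst)
        if hit is not None:
            violations.append((src, dst, hit))
    missing = []
    for pool in POOLS:
        for src, dst in (("management", pool), (pool, "management")):
            if first_allow(rules, src, dst) is None:
                missing.append((src, dst))
    return violations, missing


if __name__ == "__main__":
    for name, rules in (("SEGMENTED", SEGMENTED), ("LEAKY", LEAKY)):
        violations, missing = audit(rules)
        print(name, "pool-to-pool paths:", violations, "missing management paths:", missing)
```

In the LEAKY set the two explicit denies protect only the Knowledge Worker and Power User pair; the later broad allow opens every path involving the Mobile Knowledge Worker pool, which is the kind of drift this audit is meant to surface.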
RADIUS Two-Factor Authentication
Horizon View supports a variety of two-factor authentication devices including RSA SecurID, RADIUS compliant One-Time Password token, contacted/contactless card, and smart cards. This architecture employed the RADIUS authentication feature in View 5.1 using a SafeNet RADIUS server to authenticate all users.
The RADIUS client was first added to the View Connection Server from the Windows Server Manager folder > Roles > NPS (Local) > RADIUS Clients and Servers > Radius Clients. A snapshot of the configuration is provided below:
Figure 12: Creating New RADIUS Client
Once the RADIUS client was added to the server, it was paired with the View Connection Server using the Horizon View administrator dashboard, by editing the Connection Server settings in the administrator console, and selecting RADIUS authentication from the 2-factor Authentication drop down menu in the Authentication tab.
Figure 13: View Connection Authentication Server Settings
The RADIUS server information was populated using the Create New Authenticator button. This provides enhanced authentication using OTSP.
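What the shared secret entered when a RADIUS client and server are paired actually protects, shown as an added example (not code from the guide, VMware or SafeNet): the RFC 2865 exchange in which the passcode travels in a hidden User-Password attribute and the client accepts a reply only if its Response Authenticator matches. The user name, passcode and secret are constructed values.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3   # RFC 2865 packet codes
USER_NAME, USER_PASSWORD = 1, 2                          # RFC 2865 attribute types


def _keystream_xor(data, secret, request_auth, hiding):
    """XOR 16-byte blocks with MD5(secret + previous ciphertext block) (RFC 2865, 5.2)."""
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        result = bytes(b ^ m for b, m in zip(block, mask))
        prev = result if hiding else block   # always chain on the ciphertext block
        out += result
    return out


def hide_password(passcode, secret, request_auth):
    """Client side: NUL-pad the passcode to a multiple of 16 bytes, then hide it."""
    if len(passcode) > 128:
        raise ValueError("User-Password is limited to 128 bytes")
    padded = passcode.ljust(max(16, -(-len(passcode) // 16) * 16), b"\x00")
    return _keystream_xor(padded, secret, request_auth, hiding=True)


def reveal_password(hidden, secret, request_auth):
    """Server side: reverse the hiding and strip the NUL padding."""
    return _keystream_xor(hidden, secret, request_auth, hiding=False).rstrip(b"\x00")


def _attr(kind, value):
    return struct.pack("!BB", kind, len(value) + 2) + value


def build_access_request(ident, user, passcode, secret):
    """Return (packet, request_authenticator) for an Access-Request."""
    request_auth = os.urandom(16)   # must be unpredictable and unique per request
    attrs = _attr(USER_NAME, user) + _attr(
        USER_PASSWORD, hide_password(passcode, secret, request_auth))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + request_auth + attrs, request_auth


def parse_attributes(packet):
    """Parse the attribute TLVs that follow the 20-byte header."""
    end = struct.unpack("!H", packet[2:4])[0]
    if end > len(packet):
        raise ValueError("length field exceeds packet size")
    attrs, pos = {}, 20
    while pos + 2 <= end:
        kind, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > end:
            raise ValueError("malformed attribute")
        attrs[kind] = packet[pos + 2:pos + length]
        pos += length
    return attrs


def build_response(code, ident, attrs, request_auth, secret):
    """Server side: authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs


def verify_response(packet, ident, request_auth, secret):
    """Client side: accept a reply only if it matches our request and shared secret."""
    if len(packet) < 20:
        return False
    _code, reply_id, length = struct.unpack("!BBH", packet[:4])
    if reply_id != ident or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def demo():
    """Run one exchange with constructed values and report what each side sees."""
    secret = b"constructed-shared-secret"
    request, request_auth = build_access_request(7, b"alice", b"492817", secret)
    hidden = parse_attributes(request)[USER_PASSWORD]
    accept = build_response(ACCESS_ACCEPT, 7, b"", request_auth, secret)
    reject = build_response(ACCESS_REJECT, 7, b"", request_auth, secret)
    altered = bytes([ACCESS_ACCEPT]) + reject[1:]        # code byte changed in transit
    other = build_response(ACCESS_ACCEPT, 7, b"", request_auth, b"different-secret")
    return {
        "passcode_at_server": reveal_password(hidden, secret, request_auth),
        "accept_verifies": verify_response(accept, 7, request_auth, secret),
        "altered_reply_verifies": verify_response(altered, 7, request_auth, secret),
        "wrong_secret_reply_verifies": verify_response(other, 7, request_auth, secret),
    }


if __name__ == "__main__":
    print(demo())
```

Both the passcode hiding and the reply check rest on MD5 keyed with the shared secret, so the secret's length and randomness and the network path between client and server carry the security of this step.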
Single Sign-On for “Follow-Me Desktop” Experience
One of the key features of Mobile Secure Workplace is session persistence. This enables the user to disconnect and reconnect to their desktop session from and between any device. This feature is enabled in Horizon View by default. In addition to the standard feature, this architecture also employs HID NaviGO for easier tap-in access to desktops. This feature enables the user to disconnect a desktop session from one device and reconnect to it from another device. The session state, along with the user profile information, is preserved across sessions, thereby providing true mobility across devices.
Management
The View Connection Manager shows the health of various components deployed within the infrastructure (not including the third-party products). This basic level of information can be sufficient for many organizations.
Figure 14: View Connection Manager System Health
Fororganizationsthatrequireenhancedmonitoringandmanagement,includingcapacityplanning,theMobileSecureWorkplacesolutionintegratestheVMwarevCenterOperationsManagerforHorizonViewproduct.Thisproduct,whenintegrated,providesend-to-endvisibilityoftheHorizonViewenvironment.Thepatentedanalytics and integrated approach to performance, capacity, and configuration management deliver simplified healthandperformancemanagementalongwithabetterend-userexperience,sinceissuescanbeidentifiedand solved proactively.
Figure 15: vCenter Operations Manager Dashboard
In addition to the above analytics, the architecture also supports adding more third-party analytics and monitoring tools to suit any organizational needs.
Endpoint Management
The OS, applications, and settings on the endpoint also need to be managed. When these endpoints run an embedded version of Microsoft Windows, they can be managed in much the same way as a physical desktop. Endpoint management tools can be used to automate and simplify the task of provisioning and monitoring the desktop virtualization endpoints. Network-based services such as Dynamic Host Configuration Protocol (DHCP) and file servers can also be used to provision and update endpoints.
There are many endpoint management solutions available in the market. For this architecture, we used the System Center Configuration Manager (SCCM) to manage the Windows-based endpoints. In addition to the OS updates and patches being delivered by SCCM, the software was also used to deliver ThinApp packages to the endpoints. If the organization’s endpoints consist of a mix of Windows and other endpoints, multiple third-party software products can be used to manage them.
Persona Management
In a traditional physical desktop with local storage, all of the changes a user makes to their profile are stored on the local hard disk in their profile. In the virtual desktop world, desktops come in two flavors: dedicated desktops (also known as persistent desktops) in which users are assigned a specific desktop and use that desktop each time they log in; and floating desktops (also known as non-persistent) which provide the user any available desktop for each session. For dedicated desktops, the user’s profile is stored in the persistent data disk. But dedicated desktops are not storage efficient, increasing the total cost of ownership for the solution.
The Mobile Secure Workplace solution employs floating desktops with Persona Management enabled. This feature seamlessly preserves a user’s profile on a network share for safekeeping between sessions in either floating or dedicated desktops. Persona persists data and settings stored in the profile without specific knowledge of how a particular application works. This enables the architecture to be more storage efficient. The Persona Management feature is also efficient during login times, since it downloads only the files that Windows requires, such as user registry files. Other files are copied to the desktop when the user or an application opens them from the profile folder, thus increasing efficiency.
Printing
The location-based printing feature, enabled by ThinPrint and built into Horizon View, helps map printers that are physically close to the thin clients in an enterprise. In this architecture, location-based printing was enabled by configuring the Active Directory group policy setting AutoConnect Location-based Printing for VMware View, which is located in the Microsoft Group Policy Object Editor in the Software Settings folder under Computer Configuration. Since this policy is device specific and not user specific, the user always gets to print to the printer closest to the device. This also enables the printer to print to locally attached printers (at homes for home office employees). Detailed information on the ThinPrint GPO configuration is provided in the Appendix.
This solution does not include location-aware printing from mobile devices or laptops. There are numerous third-party software products which enable secure printing from mobile devices. More information can be found in the Secure Printing with VMware View paper.
Optional: User-Installed Applications
In any enterprise, there are some user profiles which require support for user-installed applications. This feature is in addition to the profile persistence feature offered by Persona Management. The Mobile Secure Workplace design uses the Liquidware Labs ProfileUnity FlexApp product to enable the user to install their own applications in a floating desktop, and have that application persist across sessions. The FlexApp product enables the applications to be stored separately from the Windows operating system while integrating them at logon. There are other third-party applications which also enable this function.
User Connection Flow Sequence
The diagram below illustrates the virtual desktop connection path after a user initiates the Horizon View client and logs in to the environment.
Figure 16: Virtual Desktop Connection Path
The internal network users reach the appropriate Connection Server via the load balancer, while the WAN users reach the Connection Server via the View Security Servers. After authentication using RADIUS OTSP, the user is presented user-installed applications. User-installed applications are snapped to the Virtual Desktop at the time of assignment, making the environment efficient.
Design Optimizations
Storage
This design uses the View Storage Accelerator feature to optimize the storage array configuration.
Figure 17: View Storage Accelerator Feature Enabled
This feature optimizes the environment for reads and can significantly lower the IOPS required from the array.
Horizon View Composer
In this design, the Composer was deployed as a standalone server for scalability and failover purposes.
Figure 18: View Composer Server Settings as Standalone
Summary
The Mobile Secure Workplace design provides workload optimization for VDI mobility and security in the desktop computing environment. This architecture, built with VMware Horizon View and ecosystem partner products, was tested for the integration of various products to provide a validated end-to-end solution. This design can be used to build a Mobile Secure Workplace solution in your organization. The architecture, while tightly integrated, is also built to be modular, so customers can pick and choose the various components that fit their specific needs. The architecture is also scalable per the guidelines provided in the VMware Horizon View reference architectures.
This design caters to the three key virtual desktop requirements in any organization: Mobility, Security and Management. With BYOD support and session persistence across devices with Persona Management, this design enables true mobility for the end users in an organization.
Integration with VMware vShield Endpoint, App and Edge products allows the infrastructure boundary to be clearly identified. Virtual machines are secure from external virus threats by offloading the detection to the vShield secure virtual machine, and internal data breaches can be avoided by a virtual resource boundary segregation.
Finally, with support from vCenter Operations Manager for Horizon View, the design provides IT professionals the ability to see the infrastructure from a single integrated dashboard, managing the service levels for their organization as well as capacity planning.
The Mobile Secure Workplace design employs various third-party components to support the end-user requirements. These third-party components can be replaced with the customer’s preferred vendors. This design provides the ability to modularly replace various components, while achieving the same results described in this design.
Appendix 1
Test Cases
For this architecture, the test cases cover three key features: Mobility, Security, and Management. In addition to the test cases explained below, the VMware ecosystem of partners conducted their own testing to see how their products integrate with this solution. More information on partner testing will be found in the How-To Guides for this solution.
Below is an overview of the key test cases and their results.
Functional Test Cases
Mobility
| # | TEST CASE | DESCRIPTION | RESULT |
|---|-----------|-------------|--------|
| 1 | BYOD | Connect to a virtual desktop via Horizon View clients in Windows laptop, Mac, thin client, iPhone, iPad, and Android device | Pass |
| 2 | User Experience | Access common office applications (MS Word, MS Excel, MS PowerPoint, Adobe Acrobat Reader and Windows Media Player) from thin client and mobile devices with good to great user experience | Pass |
| 3 | Session Mobility | Connect to a desktop session from Windows system, disconnect, and connect back to the same session using a Mac (with all the profile and user data intact) | Pass |
Table 6: Mobility Test Case Summary
Security
| # | TEST CASE | DESCRIPTION | RESULT |
|---|-----------|-------------|--------|
| 1 | Virus Protection | After AV is updated using vShield Endpoint, use EICAR file to test the AV protection | Pass |
| 2 | Environment Access | Confirm that desktop access is not provided when the following are used: incorrect password; incorrect OTSP passcode; deactivated username | Pass |
| 3 | Desktop Access | Ensure that user gets access to the correct desktop pool by testing access and the inability to access desktops in other pools | Pass |
| 4 | Pool Security | Ensure that desktops in one pool cannot access resources in another pool, except for the management and View Services cluster | Pass |
| 5 | Data Protection | Ensure data protection by: changing GPO and testing that user cannot download any data to USB; changing GPO and testing that user cannot download any data to host computer | Pass |
Table 7: Security Test Case Summary
Management
| # | TEST CASE | DESCRIPTION | RESULT |
|---|-----------|-------------|--------|
| 1 | Alerts on Unauthorized Access | Ensure that alerts are generated for unauthorized access to the environment, desktop pools and GPO policy violation | Pass |
| 2 | Capacity Planning | Generate capacity planning data from vCenter Operations Manager | Pass |
| 3 | Virtual Machine Status | Ensure that virtual machines that missed any updates are reported in vCenter Operations Manager | Pass |
Table 8: Management Test Case Summary
Performance Validation Results
In addition to the manual functional tests, the design was tested using View Planner for workload.
The graphs below detail the results from View Planner for 64 virtual machines with a heavy workload running three iterations with un-tuned images.
Figure 19: CPU Usage Test Results
Figure 20: Memory Usage Test Results
Figure 21: Application Network Bit Rate Test Results
Figure 22: Datastore Byte Rate Test Results
Appendix 2
How to Set Up Location-Based Printing on a Zero Client
Step 1: Reinstall Agent
If you followed the optimization guide when you first set up your Horizon View environment you were told to disable Virtual Printing in a Zero Client environment. This was recommended because ThinPrint was not supported in a Zero Client environment and therefore CPU cycles were wasted by enabling this feature. With VMware View 4.5 and later, location-based printing is supported, so the Virtual Printer component is needed. To enable this, re-run the View Agent installer, select Modify and change the Virtual Printing setting, as seen below.
Figure 23: VMware View Agent Installer
Figure 24: VMware View Agent Virtual Printing Setting
Step 2: Install the Print Driver
The printer driver needs to be installed on the virtual machine; to do this we need to install the print driver into the OS.
Windows XP
To install a print driver on Windows XP open Printers and Faxes, right click anywhere in the white space and go to Server Properties. From there choose the Drivers tab and select Add. Follow the wizard to add the driver you need.
Figure 25: Adding a Print Driver in Windows XP
Windows 7
Server Properties is not available on Windows 7. Instead you have to install the driver by going through the Add Printer wizard. Select Add a local printer, follow the directions in the wizard, and add the printer driver on the driver selection screen.
Figure 26: Adding a Print Driver in Windows 7
As a final step you will need to delete the printer that you just created.
Step 3: Set Up DLL on Domain Controller
In this step we will be registering a DLL, adding an ADM file to Group Policy, and configuring the Group Policy itself. These files enable additional features in Group Policy that allow location-based printing to work.
Register the Location-Based Printing Group Policy DLL File
Please review Setting Up Location-Based Printing in the latest VMware Horizon View Administration Guide for complete details.
Before you can configure the group policy setting for location-based printing, you must register the DLL file TPVMGPoACmap.dll. VMware provides 32-bit and 64-bit versions of the TPVMGPoACmap.dll file on your View Connection Server.
install_directory\VMware\VMware View\Server\Extras\GroupPolicyFiles\ThinPrint
Procedure
1. Copy the appropriate version of TPVMGPoACmap.dll to your Active Directory server or to the domain computer that you use to configure group policies.
2. Use the regsvr32 utility to register the TPVMGPoACmap.dll file.
a. For example: regsvr32 "C:\TPVMGPoACmap.dll"
Step 4: Set Up Group Policy
Enable Loopback Processing for Horizon View Desktops
Please review Add View ADM Templates to a GPO in the latest VMware Horizon View Administration Guide for complete details.
To make User Configuration settings that usually apply to a computer apply to all of the users that log in to that computer, enable loopback processing.
Prerequisites
• Create GPOs for the Horizon View component group policy settings and link them to the OU that contains your Horizon View desktops.
• Verify that the Microsoft MMC and the Group Policy Object Editor snap-in are available on your Active Directory server.
Procedure
1. On your Active Directory server, select Start > All Programs > Administrative Tools > Active Directory Users and Computers.
2. Right-click the OU that contains your Horizon View desktops and select Properties.
3. On the Group Policy tab, click Open to open the Group Policy Management plug-in.
4. In the right pane, right-click the GPO that you created for the group policy settings and select Edit.
a. The Group Policy Object Editor window appears.
5. Expand the Computer Configuration folder and then expand the Administrative Templates, System, and Group Policy folders.
6. In the right pane, right-click User Group Policy loopback processing mode and select Properties.
7. On the Setting tab, select Enabled and then select a loopback processing mode from the Mode drop-down menu.
8. Click OK to save your changes.
Set Up AutoConnect Map Additional Printers
Please review Configure the Location-Based Printing Group Policy in the latest VMware Horizon View Administration Guide for complete details.
VMware, Inc. 3401 Hillview Avenue Palo Alto CA 94304 USA Tel 877-486-9273 Fax 650-427-5001 www.vmware.com
Copyright © 2013 VMware, Inc. All rights reserved. This product is protected by U.S. and international copyright and intellectual property laws. VMware products are covered by one or more patents listed at http://www.vmware.com/go/patents. VMware is a registered trademark or trademark of VMware, Inc. in the United States and/or other jurisdictions. All other marks and names mentioned herein may be trademarks of their respective companies. Item No: VMW-VDG-MOBILESECWKPL-USLET-20130405-WEB
The screenshot illustrates how to set up a printer to connect to All IP Ranges, All Client Names, All Mac Addresses, and All User Groups. The Printer Name will be TEST-NETWORK, it will use the HP LaserJet 4 driver (which was installed in Step 2), and it will connect on the IP address of 192.168.100.5.
Figure 27: Sample Printer Setup
Important: Print Driver is case sensitive (and space sensitive): the driver name must match the driver name from the virtual machine exactly as it appears on the virtual machine. This may mean that if you have one network printer and use it from both XP and Windows 7, you may need to set up multiple mappings to the same printer.
Troubleshooting
Open a command prompt and go to this directory: C:\Program Files\VMWare\VMWare Tools\
From within that directory run these commands:
tpautoconnect.exe -d all
- This will delete all printers created by ThinPrint
tpautoconnect.exe -v -i vmware -a COM1 -F 30
- This command is the same command that is run by the TP process. The only difference is that instead of running the process with the quiet flag (-q) we want to run it in verbose mode (-v). This will help us see if there are any errors.
Common Errors
Can’t get Client Name - This error most likely means that the Group Policy is not taking effect.
No suitable client protocol found. - This error can be ignored. Following this error you should see your printer’s map.
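A pre-check for two conditions the setup above depends on, added here as an example and not taken from the VMware guide: it reports the loopback processing mode recorded on the desktop and tests each mapped driver name for an exact, case- and space-sensitive match against the installed drivers. The UserPolicyMode registry value and the Win32_PrinterDriver WMI class are standard Windows features that the guide does not mention; the $Mappings row is constructed from the sample printer above, and the script assumes PowerShell 2.0 or later in an administrator session.

```powershell
# Added example, not VMware code. Run inside a Horizon View desktop.
# $Mappings is constructed sample data that mirrors the printer row described
# above; replace it with the rows from your own AutoConnect mapping table.
$Mappings = @(
    New-Object PSObject -Property @{
        Printer = 'TEST-NETWORK'; Driver = 'HP LaserJet 4'; Address = '192.168.100.5'
    }
)

function Get-LoopbackMode {
    # Windows records the loopback policy as the DWORD UserPolicyMode:
    # 1 = Merge, 2 = Replace. A missing value means loopback is not applied.
    $key  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
    $item = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $mode = $item.UserPolicyMode
    if ($mode -eq 1) { 'Merge' } elseif ($mode -eq 2) { 'Replace' } else { 'NotConfigured' }
}

function Get-InstalledDriverName {
    # Win32_PrinterDriver.Name is "<driver name>,<version>,<environment>";
    # strip the last two fields to leave the name used in the mapping table.
    Get-WmiObject -Class Win32_PrinterDriver |
        ForEach-Object { $_.Name -replace ',[^,]*,[^,]*$', '' } |
        Select-Object -Unique
}

function Compare-DriverName {
    param([string]$Wanted, [string[]]$Installed)
    # -ccontains is the case-sensitive test, matching the rule quoted above.
    if ($Installed -ccontains $Wanted) { return 'ExactMatch' }
    # Ignore case and whitespace to spot a name that is almost right.
    $key  = ($Wanted -replace '\s', '').ToLowerInvariant()
    $near = @($Installed | Where-Object {
        ($_ -replace '\s', '').ToLowerInvariant() -eq $key
    })
    if ($near.Count -gt 0) { return 'NearMiss, installed as: ' + ($near -join ' | ') }
    'NotInstalled'
}

"Loopback processing mode: $(Get-LoopbackMode)"
$installed = @(Get-InstalledDriverName)
foreach ($m in $Mappings) {
    $result = Compare-DriverName -Wanted $m.Driver -Installed $installed
    "{0} at {1}: driver '{2}' -> {3}" -f $m.Printer, $m.Address, $m.Driver, $result
}
```

A NearMiss result means the mapping needs the installed spelling copied verbatim; on a mixed XP and Windows 7 estate, run it on one desktop of each kind, since the guide notes the names can differ.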