Objective 1.1 – Configure and Manage Horizon View Components

This Post will cover Objective 1.1 of the VCAP-DTM Deployment Exam

Tools and References for Objective 1.1:
View Architecture Planning
View Installation
Scenarios for Setting Up SSL Certificates for View
View Administration
Administering View Cloud Pod Architecture
View Security
VMware End-User-Computing Best Practices Poster
VMware Horizon 6 Network Ports Diagram
Horizon 6 Storage Considerations
Horizon 6 Decision Maker
VMware Horizon 6 Reference Architecture
View Administrator
vdmimport

Skills and Abilities:

Set External URLs for a View Connection Server instance

Note: By default a view connection server or security server host can only be connected by tunnel clients that reside within the same network so you will need to setup External URL settings inside View Administrator.

There are 3 types of External URLs that can be configured: Secure Tunnel External URL, PCoIP External URL, and Blast External URL.

The secure tunnel external URL, PCoIP external URL, and Blast external URL must be the addresses that client systems use to reach this View Connection Server or Security Server instance. Make sure not specify the secure tunnel external URL for this instance and the PCoIP external URL for a paired security server this will not work.

Configure View Connection server External URL's:

1. In View Administrator, click View Configuration > Servers.
2. In the View Connection Servers tab, select a View Connection Server instance and click Edit.
3. Type the secure tunnel external URL in the External URL text box. The URL must contain the protocol, client-resolvable host name and port number. For example: https://view-example.com:443 or https://10.20.30.40:443
4. Type the PCoIP Secure Gateway external URL in the PCoIP External URL text box. Make sure to specify the PCoIP external URL as an IP address with the port number 4172. Make sure to NOT INCLUDE A PROTOCOL NAME. For example: 10.20.30.40:4172 The URL must contain the IP address and port number that a client system can use to reach the View Connection Server host or View Security Server host.
5. Type the Blast Secure Gateway External URL in the Blast External URL text box. This URL must contain the HTTPS protocol, client-resolvable host name, and port number. For example: https://view-example.com:8443 The URL must contain the FQDN and port number that a client system can use to reach this View Connection Server host.

Configure View Security Server External URL's:

Note: when you installed the Security server the URLs where setup during the install but this is how to manual make changes to the Security Server External URL's.

1. In View Administrator, click View Configuration > Servers.
2. In the Security Servers tab, select a Security Server and click Edit.
3. Type the secure tunnel external URL in the External URL text box. The URL must contain the protocol, client-resolvable security server host name and port number. For example: https://view-example.com:443 or https://10.20.30.40:443
4. Type the PCoIP Secure Gateway external URL in the PCoIP External URL text box. Make sure to specify the PCoIP external URL as an IP address with the port number 4172. Make sure to NOT INCLUDE A PROTOCOL NAME. For example: 10.20.30.40:4172 The URL must contain the IP address and port number that a client system can use to reach the View Security Server host.
5. Type the Blast Secure Gateway External URL in the Blast External URL text box. This URL must contain the HTTPS protocol, client-resolvable host name, and port number. For example: https://view-example.com:8443 The URL must contain the FQDN and port number that a client system can use to reach this Security Server host.

Configure restricted entitlements

Steps on how to configure on Connection server:

1. Log into view Admin page
2. In View Admin page go to View Configuration > Servers
3. On the tab Connection Server select Connection Server to which you want to assign tag and press Edit
4. On General tab enter the tags in which you want associate with this Connection server. Separate tags with ; or , for multiple tags
5. Click OK to save setting and close Edit page

Steps on how to configure desktop pools for Tags:

1. Log into view Admin page
2. In View Administrator webpage navigate to Catalog – Desktop Pools
3. Select Pool for which one you want to set restriction and click Edit button
4. At the Edit setting page click Desktop Pool Setting tab
5. Under General – Connection Server restriction click Browse
6. Select Restricted to this tags and select tags which you want to assign
7. Click OK and OK to save and exit the setting page

Manage View Connection Server SSL connections

Configure and manage global settings

• From View Admin Website go to View Configuration / Global Setting
• Here you can modify setting like:
• For General Settings:
• View Administrator session timeout – default 30 minute
• Forcibly disconnect users: 600 minute
• Single Sign-on (SSO): Enable or Disable
• Client-dependent setting:
• For client that support application – If the user stops using keyboard and mouse disconnect their application and discard SSO credentials: Never or After…
• Other clients – Discard SSO credentials: Never or After …

• Auto update: Enable automatic update upper left corner area in View Admin page
• Pre-login message: Message for user when they login to View Desktop
• Display warring before forced log off and specify time after which user will forcibly logoff from their desktop
• Enable Window Server Desktops
• Mirage Server setting – Specify URL for Mirage server
• For Global Security settings:
• Re-authenticate secure tunnel connections after network interruption
• Message Security mode
• Enhanced security status
• Enable IPSec for Security Server pairing
• Change data recovery password: This password protects data backups of your Connection Server. This password will be required to recover a backup.

Configure redundant View Connection/Security Server instances for availability/performance

• Install a replica server or a 2nd security server to provide availability / performance

Configure View Composer settings according to a deployment plan

Steps to setup SQL ODBC for composer:

• On the computer on which View Composer will be installed, select Start > Administrative Tools > Data Source (ODBC).
• Select the System DSN tab.
• Click Add and select SQL Native Client from the list.
• Click Finish.
• In the Create a New Data Source to SQL Server setup wizard, type a name and description of the View Composer database.   For example: ViewComposer
• In the Server text box, type the SQL Server database name.
• Use the form host_name\server_name, where host_name is the name of the computer and server_name is the SQL Server instance.   For example: VCHOST1\VIM_SQLEXP
• Click Next.
• Make sure that the Connect to SQL Server to obtain default settings for the additional configuration options check box is selected and select an authentication option.
• Integrate Windows Authentication
• SQL Server Authentication
• Click Next.
• Select the Change the default database to check box and select the name of the View Composer database from the list.
• For example: ViewComposer
• If the SQL Server connection is configured with SSL enabled, navigate to the Microsoft SQL Server DSN Configuration page and select Use strong encryption for data.
• Finish and close the Microsoft ODBC Data Source Administrator wizard.

SSL Certificate for View Composer:

• If you import a CA-signed certificate before you install View Composer, you can select the signed certificate during the View Composer installation. This approach eliminates the manual task of replacing the default certificate after the installation.
• If you intend to replace an existing certificate or the default, self-signed certificate with a new certificate after you install View Composer, you must import the new certificate and run the SviConfig ReplaceCertificate utility to bind your new certificate to the port used by View Composer.

Install view composer service:

• To start the View Composer installation program, right-click the installer file and select Run as administrator.
• Accept the VMware license terms
• Accept or change the destination folder.
• Type the DSN for the View Composer database that you provided in the Microsoft or Oracle ODBC Data Source Administrator wizard.
• For example: VMware View Composer
• Note If you did not configure a DSN for the View Composer database, click ODBC DSN Setup to configure a name now.
• Type the domain administrator user name and password that you provided in the ODBC Data Source Administrator wizard.
• If you configured an Oracle database user with specific security permissions, specify this user name.
• Type a port number or accept the default value.
• View Connection Server uses this port to communicate with the View Composer service.
• Provide an SSL certificate.
• Create default SSL certificate
• Use an existing SSL certificate
• Click Install and Finish to complete the View Composer service installation.

Create and manage custom roles and permissions

• To create custom roles and permissions go to View Configuration / Administrators in View Admin Page
• Administrators and Groups tab allows to add Users to the existing 9 pre create Roles . There is two sets of Roles one with full access and one with read-only access.
• Roles tab – allows to create custom Roles with necessary privileges. There is 14 different privileges to choose from.
• Access Group tab – allows to create custom access group to  organize the desktop pools in your organization. They can also be used for delegated administration.

Import configuration data into a View Connection Server

• Before you do an import of configuration data into a view connection server make sure to take a backup of the current configuration.
• The tool that is used to do this action is vdmimport. This should be located in the following directory in your view connection server \vmware\vmware view\server\tools\bin
• Stop all instances of View Composer by stopping the Windows service VMware Horizon View Composer on the servers where View Composer runs.
• Stop all security server instances by stopping the Windows service VMware Horizon Security Server on all security servers.
• Uninstall all instances of View Connection Server. Uninstall both VMware Horizon View Connection Server and AD LDS Instance VMwareVDMDS.
• Install one instance of View Connection Server.
• Stop the View Connection Server instance by stopping the Windows service VMware Horizon Connection Server.
• Click Start and Command Prompt.
• Uninstall both VMware Horizon View Connection Server and AD LDS Instance VMwareVDMDS.
• Decrypt the encrypted LDIF file.
• At the command prompt, type the vdmimport command. Specify the -d option, the -p option with the data recovery password, and the -f option with an existing encrypted LDIF file followed by a name for the decrypted LDIF file. For example:

vdmimport -d -p mypassword
-f MyEncryptedexport.LDF > MyDecryptedexport.LDF

• If you do not remember your data recovery password, type the command without the -p option. The utility displays the password reminder and prompts you to enter the password.
• Import the decrypted LDIF file to restore the View LDAP configuration.

Specify the -f option with the decrypted LDIF file. For example:
vdmimport -f MyDecryptedexport.LDF

• Uninstall View Connection Server. Uninstall only the package VMware Horizon View Connection Server.
• Reinstall View Connection Server.
• Log in to View Administrator and validate that the configuration is correct.
• Start the View Composer instances.
• Reinstall the replica server instances.
• Start the security server instances.

Create and install a View SSL certificate

Below is a list of high level tasks on how to configure SSL certificates on view servers

• Determine if you need to obtain a new signed SSL certificate from a CA.
• If your organization already has a valid SSL server certificate, you can use that certificate to replace the
• default SSL server certificate provided with View Connection Server, security server, or View
• Composer. To use an existing certificate, you also need the accompanying private key.
• Your organization provided you with a valid SSL server certificate.
• Go directly to step 2.
• You do not have an SSL server certificate.
• Obtain a signed SSL server certificate from a CA.
• Import the SSL certificate into the Windows local computer certificate store on the View server host.
• For View Connection Server instances and security servers, modify the certificate Friendly name to vdm.
• Assign the Friendly name vdm to only one certificate on each View server host.
• On View Connection Server computers, if the root certificate is not trusted by the Windows Server host, import the root certificate into the Windows local computer certificate store.
• In addition, if the View Connection Server instances do not trust the root certificates of the SSL server certificates configured for security server, View Composer, and vCenter Server hosts, you also must import those root certificates. Take these steps for View Connection Server instances only. You do not have to import the root certificate to View Composer, vCenter Server, or security server hosts.
• If your server certificate was signed by an intermediate CA, import the intermediate certificates into the Windows local computer certificate store.
• To simplify client configuration, import the entire certificate chain into the Windows local computer
• certificate store. If intermediate certificates are missing from the View server, they must be configured
• for clients and computers that launch View Administrator.
• For View Composer instances, take one of these steps:
• If you import the certificate into the Windows local computer certificate store before you install View Composer, you can select your certificate during the View Composer installation.
• If you intend to replace an existing certificate or the default, self-signed certificate with a new certificate after you install View Composer, run the SviConfig ReplaceCertificate utility to bind the new certificate to the port used by View Composer.
• If your CA is not well known, configure clients to trust the root and intermediate certificates.
• Also ensure that the computers on which you launch View Administrator trust the root and intermediate certificates.
• Determine whether to reconfigure certificate revocation checking.
• View Connection Server performs certificate revocation checking on View servers, View Composer, and vCenter Server. Most certificates signed by a CA include certificate revocation information. If your CA does not include this information, you can configure the server not to check certificates for revocation.
• If a SAML authenticator is configured for use with a View Connection Server instance, View Connection Server also performs certificate revocation checking on the SAML server certificate.

Configure SAML authentication with View and entitle users to desktop pools

• In View Administrator, select View Configuration > Servers.
• On the Connection Servers tab, select a View Connection Server instance to associate with the SAML authenticator and click Edit.
• On the Authentication tab, select a setting from the Delegation of authentication to VMware Horizon
• (SAML 2.0 Authenticator) drop-down menu to enable or disable the SAML authenticator.
• Disabled
• SAML authentication is disabled. You can launch remote desktops and applications only from Horizon Client.
• Allowed
• SAML authentication is enabled. You can launch remote desktops and applications from both Horizon Client and Workspace Portal or the third-party device.
• Required
• SAML authentication is enabled. You can launch remote desktops and applications only from Workspace Portal or the third-party device. You cannot launch desktops or applications from Horizon Client manually.
• You can configure each View Connection Server instance in your deployment to have different SAML authentication settings, depending on your requirements.
• Select Create New Authenticator from the SAML Authenticator drop-down menu, or, if a SAML authenticator has already been added, click Manage Authenticators and click Add.
• Configure the SAML authenticator in the Add SAML 2.0 Authenticator dialog box.
• Label
• Unique name that identifies the SAML authenticator.
• Description
• Brief description of the SAML authenticator. This value is optional.
• Metadata URL
• URL for retrieving all of the information required to exchange SAML information between the SAML identity provider and the View Connection Server instance. In the URL https:///SAAS/API/1.0/GET/metadata/idp.xml, click and replace it with the FQDN or IP address of the Workspace Portal server or external-facing load balancer (third-party device).
• Administration URL
• URL for accessing the administration console of the SAML identity provider. For Workspace Portal, this URL should point to the Workspace Portal Connector Web interface. This value is optional.
• Click OK to save the SAML authenticator configuration.
• If you provided valid information, you must either accept the self-signed certificate (not recommended) or use a trusted certificate for View and Workspace Portal.
• The SAML 2.0 Authenticator drop-down menu displays the newly created authenticator, which is now set as the selected authenticator.
• In the System Health section on the View Administrator dashboard, select Other components > SAML 2.0 Authenticators, select the SAML authenticator that you added, and verify the details.
• If the configuration is successful, the authenticator's health is green. An authenticator's health can display red if the certificate is untrusted, if Workspace Portal is unavailable, or if the metadata URL is invalid. If the certificate is untrusted, you might be able to click Verify to validate and accept the certificate.