VMware Horizon View 5.2 Install Part 4: VM and Pool Creation

As a quick recap of this series we are installing VMware Horizon View 5.2 for a small pilot of a Windows 8 VDI desktop. In Part 1 we installed the Connection Server, in Part 2 we configured an SSL certificate, and in Part 3 we performed some basic Connection Server configuration.

In this installment we really get our hands dirty, and get to the fun stuff. First, we will provision a new Windows 8 VM, then properly configure AD, and finally create a pool for our Windows 8 VM.

For this exercise I would suggest using Windows 8 x64, Enterprise edition. I’m only preparing one VM in this demo, but feel free to create a larger pool.

Additional articles in this series:

VMware Horizon View 5.2 Part 1: Basic Installation
VMware Horizon View 5.2 Part 2: SSL Certificate
VMware Horizon View 5.2 Part 3: Initial Config

Prepare Win8 VM for Horizon View 5.2

1. In vCenter provision a new Windows 8 x64 (or x86) VM using hardware version 9. I would do a minimum of 3GB of RAM and a 30GB C drive. Mount the Windows 8 ISO, and do a regular installation.

2. Install VMware tools, then configure the network properties, do Windows update, and join to your domain.

3. By default Windows 8 has aggressive power settings, and the VM will suspend after a while. I recommend using the High Performance power profile. I would also enable remote desktop access as well.

4. As part of your Horizon View 5.2 downloads you should have downloaded the agent installer. Copy the appropriate agent (x86 or x64) to the VM and start the installer.

5. If you are asked to reboot the VM, do so. Re-run the installer and select all defaults and wait for the install to complete.

Configure Active Directory

1. Create a new OU for your VDI computers. We will need to apply a GPO to them, so a new OU makes life easier. I called the OU Windows 8 VDI.

2. Create a domain security group that users will go into that are authorized to get a desktop from the pool that we will define later on. I called my group VDI_Windows 8 Standard. Add a couple of test users to this group.

3. We need to modify the Remote Desktop Users group to allow the group we just created access. You can do this any number of ways, but let’s create a new GPO for this purpose. Link the GPO to the VDI OU you created.

4. Open the GPO and navigate to Computer ConfigurationPoliciesWindows SettingsSecurity SettingsRestricted Groups.

5. Right click on Restricted Groups and add the group Remote Desktop Users. Now add the group you created and added to users to back in step 2. Be sure to add this group under Members of this group in the upper half of the window.

6. Reboot your Win8 and make sure the policy has applied to the computer.

Creating a Desktop Pool

1. Launch the Horizon View Administrator and in the left pane under Inventory select Pools. Click Add Pool.

2. For this mini-pilot effort we will do a Manual Pool using Dedicated with automatic assignment.

3.  Choose vCenter virtual machines.

4. You should now see your vCenter server listed.

5. On the Pool ID screen you need to configure the ID, Display Name, Folder and an optional description. The ID has limitations on what characters you can use (e.g. no spaces) and the box will be outlined in red if you violate the rules.

6. The pool settings are highly dependent on your environment, so feel free to tweak them as needed. I changed a few settings to those shown below.

VMware Horizon View

7. Locate the Windows 8 VM(s) that you have provisioned and add them to the pool.

8. If your infrastructure meets the requirements, the wizard will now allow you to choose to use the storage accelerator. If you aren’t using a third-party storage appliance like Atlantis Computing ILIO then I would enable the feature.

9. On the Ready to Complete screen review all of your choices. At the top of the window mark the Entitle users after this wizard finishes.

10. When the Entitle window pops up add your entitlement group (e.g. VDI_Windows 8 Standard).

11. Reboot your Windows 8 VMs, and wait a few minutes. In the View Administrator click on Desktops and you should see your desktop(s) listed. Wait (a while) for the status to change to Available. It could be very slow to change from the Startup status so be patient.

Stay tuned for upcoming installments in the Horizon View 5.2 series, coming to a blog near you.

VMware Horizon View 5.2 Install Part 3: Initial Config

Welcome to the third part in the series for installing and configuring VMware Horizon View 5.2. In Part 1 and Part 2 we performed a basic install of the VMware Horizon View connection server role and setup a trusted SSL certificate. In this installment we will do some basic configuration of a vCenter role, setup a service account, add a license key, and link the Connection server to vCenter.

Additional articles in this series:

VMware Horizon View 5.2 Part 1: Basic Installation
VMware Horizon View 5.2 Part 2: SSL Certificate
VMware Horizon View 5.2 Part 4: VM and Pool Creation

VMware Horizon View 5.2 Initial Configuration

1. Create a domain service account that the View connection server will use to connect to vCenter. On a domain controller create a new AD service account, and set the password to never expire. In my environment the account is called SVC-View01-001. Name is not important, so use whatever naming convention suits you.

2. Login to the vSphere Web Client and from the Home page click on Administration.

In the Administration page click on Role Manager. Create a new role by clicking on the green plus icon. Call it something like View Administrator.
3. Add all of the privileges to the View Administrator role shown in the VMware table below.
4. In the vSphere Web Client navigate to Home > vCenter > Hosts and Clusters, then click on the vCenter name. Now click on the Manage tab and then the Permission tab. Click on the green plus icon to add a permission.
5.  Add the domain service account in the left pane, and change the role to View Administrator in the right pane.
6. Launch the View administrator and in the left pane expand View Configuration. Click on Product Licensing and Usage. Enter your View 5 product license key.
7. Under View Configuration click on Servers. Click on the vCenter Servers tab and click Add. Enter the vCenter’s FQDN, your service account name and password. Review the advanced settings in the lower half of the pane to see if they make sense for your environment. I left the defaults.
8. Since we haven’t yet installed View Composer (optional component), select Do not use View Composer.
9. If you are using vCenter 5.1 and ESXi 5.1, you will be presented with some new storage settings. I would leave the all the defaults, as those will produce the best results. If you are using a third party VDI storage accelerator such as Atlantis Computing ILIO then I would disable these storage features as they won’t provide much benefit.
10. At this point the vCenter should be successfully added and have green check boxes under all features.
We have now covered the major configuration steps for the View Connection server components. Next up is a little AD work, creating a VM template, and adding a few desktops to the View administrator console. You can check out that installment in Part 4 here.

VMware Horizon View 5.2 Install Part 2: SSL Certificate

This is the second part in a blog series of how to install and configure VMware Horizon View 5.2. In Part 1 we did the basic connection server install, and installed Adobe Flash player. Next up is configuring a trusted SSL certificate for VMware Horizon View.

There are a number of ways to request and mint SSL certificates. You could use a commercial CA, Microsoft internal CA or another flavor of CA if you wish. Unlike some vCenter components the View SSL certificate does not need any unusual properties beyond Server Authentication usage. No unique OU properties, no client authentication, no data encryption, etc. I would advise using a SAN certificate, so you can access the server via shortname and the FQDN without certificate errors.

I am using an Enterprise online Windows Server 2012 Certificate Authority in this example. The CA has been pre-configured to issue a variety of certificate template types, one of which I called “Server Authentication-SAN”. You don’t need a template with this name, but the template needs to support the SAN field, which the basic “computer” template will NOT. For general steps on how to configure a custom certificate template for a Microsoft CA, see my article here.

Additional articles in this series:

VMware Horizon View 5.2 Part 1: Basic Installation
VMware Horizon VIew 5.2 Part 3: Initial Config
VMware Horizon View 5.2 Part 4: VM and Pool Creation

VMware Horizon View SSL Certificate Installation

1. On the View server open a blank MMC. Add the Certificates snap-in and chose Computer account.

2. Open the Personal certificates container and expand Certificates. Depending on the auto-enrollment policy (if any) in your domain, you may find two or more certificates listed. One of the certificates will be the self-signed VMware certificate that we no longer want to use. You can see this by looking at the “Issued By” field.

3. Now we want to request a new certificate from our online CA via a the certificate request wizard. Right click on Certificates, select All Tasks, then Request New certificate.

4. A couple of clicks into the wizard you should see an Active Directory Enrollment Policy listed.

5. Click Next and you should now see one or more templates that your CA administrator has published. If you use the standard “Computer” template the CA will strip any SAN values that you enter. So if you want a SAN certificate you will need to use a CA template that allows for such usage. Since SAN certificate are not uncommon, I already had a certificate template ready. Again, for a link how to create a custom CA template see my article here.

6. Check the box next to your SAN template. Click on the line of text next to the yellow warning. On the Subject tab you now need to configure the “Common name” for the subject name and add two “DNS” alternative names. Use the View server FQDN for the Subject Name and add both the FQDN and short name DNS names for the alternative name, as shown below.

7. Click on the General tab and enter a friendly name of vdm.

8. Click on the Private Key tab and under Key Options allow the private key to be exportable.

9. Click OK then click on Enroll. If all goes well you should get a succeeded message.

10. In the MMC double click on the new certificate and validate all properties, including Subject Alternative Name are properly populated.

11. At this point you can either delete the self-signed VMware certificate, OR you must remove the vdm friendly name from the VMware certificate. View looks for a single certificate with the vdm friendly name. To remove the VDM friendly name from the VMware certificate just right click on the VMware certificate and select Properties, then delete the friendly name.
12. Restart all of the View services on your View server. The critical one is the VMware View Security Gateway Component. If it stops running shortly after you start it, there’s a problem with your certificate. The most common cause is having a certificate that does NOT allow exporting of the private key. You may see something like:

A fatal error occurred when attempting to access the SSL server credential private key. The error code returned from the cryptographic module is 0x8009030d. The internal error state is 10001.

13. Now you can launch the View administrator and change the URL to either the server’s short name or FQDN, and you should NOT see any browser SSL errors.

14. Once you login you can click on the Dashboard icon on the left and view the server details for your connection server. It should show a valid SSL certificate.

Congratulations on configuring your View Connection Server SSL certificate. Very easy, and straight forward (vCenter team are you listening?). Next up is Part 3, where configure basic parameters in the View Connection Server.

VMware Horizon View 5.2 Install Part 1: Basic Installation

In case you missed it, VMware has recently GA’d their Horizon Suite of software. This is a re-branding and expansion of the end user computing portfolio, which includes View, their VDI solution. You can see my blog post for the full announcement here. This series will cover the VMware Horizon View 5.2 install process, which is pretty straight forward.

Last year I started  a View 5.1 install series, but for various reasons I didn’t get all the parts posted that I wanted. So I will endeavor for my View 5.2 series to go end-to-end, time permitting. Thankfully View is much easier to install and configure than vCenter 5.1, so I don’t expect a 15 part series to get through the full process.

Unfortunately the View 5.2 components are NOT supported on Windows Server 2012 (Horizon Mirage IS though), so we will be using Windows Server 2008 R2 for the connection server VM. For the client OS I will use Windows 8 x64 Enterprise, as that is now supported with View 5.2 on vSphere 5.1 (not vSphere 5.0 though).

Additional articles in this series:

VMware Horizon View 5.2 Part 2: SSL Certificate
VMware Horizon VIew 5.2 Part 3: Initial Config
VMware Horizon View 5.2 Part 4: VM and Pool Creation

VMware Horizon View 5.2 Install

1. Provision a Windows Server 2008 R2 SP1 VM, and do your normal configuration such as joining it to your domain. Resist the strong urge to use a Windows Server 2012 VM, as that is not supported. Note to View team: Please get with the program. vCenter 5.0 U2 supports WS2012, why can’t you?

2. Download the Horizon Suite 1.0 components from the VMware site. Copy the Connection Server installer to your newly provisioned VM and start the install process.

3. Once you get to the Destination Folder, you can leave the default value or put it elsewhere like on the D drive. For this example I’ll keep it simple and leave it on the C drive.

4. Next up you need to decide what role this particular server will be used for. For this series we will start off with the View Standard server.

5. The wizard will now prompt you for a data recovery password. Should your View server become inoperable or face other technical issues, you may need the recovery password to well….recover your environment. So make sure you write this down and keep it in a safe place. The password can be from 1 to 128 characters.
6. If in your environment you use the Windows firewall, View can automatically configure the appropriate rules. Since I’m using the Windows firewall, I want View to configure the rules for me. Note that if you want to use the Security server, it requires the use of Windows firewall to establish an IPsec connection to the Connection server. So I would advise using the Windows firewall.
7. Now you need to tell View what administrator group will have access into the View console. I would strongly urge the use of a domain security group vice the local administrator group. Following my favorite RBAC naming convention I’m using APP_View_All_Administrator. You should create your own group.
8. Next up it will ask you if you want to send anonymous data to VMware. I most certainly do NOT, but the choice is yours.
9. Click Install and wait for the installer to complete.
10. Unfortunately the View console relies on the very insecure Adobe Flash player. So download it to the computer(s) that you want to access the View console from.
In Part 2 we will configure the SSL certificate for the View connection server. In this area the View team is light-years ahead of the vCenter team. Installing a trusted SSL certificate is cake, and shockingly uses the Windows OS certificate store (yeah!).

VMware Horizon Suite 1.0 is now GA!

Today VMware released their Horizon Suite 1.0. What is Horizon Suite? Basically its a re-branding of their View product, with additions to the suite via some acquisitions over the last couple of years. Major components in the Horizon Suite include:

  • Horizon Workspace 1.0
  • Horizon Mirage
  • Horizon View 5.2

As seems par for the course, you need to look closely at the licensing model since some bundle/suites are based on concurrent users, while others are named users. If you currently own View licenses with concurrent licenses, watch out if you want the Horizon Suite. You MUST switch to the named user model. Named user licenses allow you to use multiple devices to access your desktop remotely.

Horizon View: Concurrent User

  • Horizon View
  • ThinApp
  • Workstation
  • vSphere
  • vCenter

Horizon Mirage: Named User

  • Horizon Mirage
  • ThinApp
  • Workstation
  • Fusion Pro

Horizon Workspace: Named User

  • Horizon Workspace
  • ThinApp
  • Workstation
  • Horizon Mobile for Android

Horizon Suite: Named User

  • Horizon View Bundle
  • Horizon Mirage Bundle
  • Horizon Workspace Bundle

For a great blog digging into the technical enhancements in this release of the Horizon Suite, check out this great post by Andre Leibovici. A taste of the new features includes:

  • Windows 8 support (requires vSphere 5.1, not 5.0)
  • Hardware accelerated 3D graphics
  • Improved Lync support
  • Multi-touch for Windows 8
  • Faster PCoIP performance
  • Multi-VLAN support
  • Better security

Unfortunately View does NOT support Windows Server 2012 for any components. This seems a bit odd, as vSphere 5.0 U2 fully supports vCenter/VUM on Windows Server 2012, which came out in December 2012. Mirage does support Windows Server 2012, though. I’m a bit baffled by the lack of SQL 2012 support even though that hit the streets nearly one year ago. VMware is very inconsistent on what server-side MS products they support.

As always, reading the release notes is very insightful. You can find the View 5.2 release notes here. For all of the View 5.2 docs, go here.

Highly Critical VMware View Security Bulletin for 4.x and 5.x

VMware has released a high priority View security bulletin that affects View 5.x users prior to 5.1.2 and View 4.x users prior to 4.6.2. This is a directory traversal security vulnerability that allows unauthenticated remote attackers to get access to any file on the affected View Servers. For externally facing View Security servers, this is particularly severe.

You can read the full VMware Security Bulletin here. If you are running a View environment, and in particular View Security Servers, I would urge you to immediately review the bulletin and take action to remediate the issue.

Snippet from the bulletin:

1. Summary

VMware View releases address a critical directory traversal vulnerability in the View Connection Server and View Security Server.

2. Relevant releases

VMware View 5.x prior to version 5.1.2
VMware View 4.x prior to version 4.6.2
     
3. Problem Description

a. VMware View Server directory traversal

VMware View contains a critical directory traversal vulnerability that allows an unauthenticated remote attacker to retrieve arbitrary files from affected View Servers. Exploitation of this issue may expose sensitive information stored on the server.

Workarounds

This vulnerability affects both the View Connection Server and the View Security Server; VMware recommends that customers immediately update both servers to a fixed version of View.
Customers who are unable to immediately update their View Servers should consider the following options:

•Disable Security Server

Disabling the Security Server will prevent exploitation of this vulnerability over untrusted remote networks. To restore functionality for remote users, allow them to connect to the Connection Server via a VPN.

•Block directory traversal attempts

It may be possible to prevent exploitation of this issue by blocking directory traversal attacks with an intrusion protection system or application layer firewall.

New VMware View Clients for multiple Platforms

A few days ago VMware released updated View clients for a variety of platforms, including Windows, Mac, iOS, Linux and Android. According to the release notes the following enhancements were made to the clients. You can download the updated clients here.

What’s New in View Client for Windows 5.2

  • Windows 8 support – View Client for Windows 5.2 and View Client with Local Mode 5.2 run on Windows 8 Pro and Enterprise client systems in Desktop mode.
  • URI (Uniform resource identifier) support – Simplify the process of logging in to a View desktop for end users by creating a Web or email link they can click to launch View Client and connect to a desktop with specific configuration options. For example, you can create a link that prompts an end user for a password only, and then opens a particular desktop in full screen mode using the PCoIP display protocol.

What’s New in View Client for Linux

  • Ubuntu 12.04 improvements
  • New USB redirection configuration – The USB component is available only with the version of View Client for Linux provided by third-party vendors. With View Client 1.6, administrators can use a configuration file on the client system to specify which USB devices can be redirected to a View desktop. Configuration refinements include filtering mechanisms for including and excluding a device by, for example, vendor ID or product ID.
  • URI (Uniform resource identifier) support – Simplify the process of logging in to a View desktop for end users by creating a Web or email link they can click to launch View Client and connect to a desktop with specific configuration options. For example, you can create a link that prompts an end user for a password only, and then opens a particular desktop in full screen mode using the PCoIP display protocol.

VMware View Client for Android 1.6.x includes the following new features:

  • Support for Jelly Bean
  • – View Client for Android now supports the Android 4.1 operating system.

  • Support for Android phones – Android phones from Samsung, and Android 4.0 and later phones are now supported.
  • Support for Android tablets from VMware Ready partners, including Samsung and Fujitsu – Also supported are the Amazon Kindle Fire and Android 3.x/4.x based tablets.

    View Client 1.6.1 includes improved support for the latest Amazon Kindle Fire and Kindle Fire HD.

  • RSA soft token integration – Now there is no need to leave View Client to support RSA authentication. You can import an RSA software token directly into View Client. Then you need enter only your RSA PIN into View Client when RSA authentication is required. No need for an RSA hardware token or RSA software token utility.
  • Multitasking improvements – View Client 1.6 suspends data transmission when you switch to another app. Data transmission resumes when you switch back to View Client.
  • Home screen shortcuts – You can create a View desktop shortcut for your Android Home screen. Use this shortcut to log in directly instead of tapping the View Client icon.
  • URI (Uniform resource identifier) support – Simplify the process of logging in to a View desktop for end users by creating a Web or email link they can click to launch View Client and connect to a desktop with specific configuration options. For example, you can create a link that prompts an end user for a password only, and then opens a particular desktop in full screen mode.
  • Client-side caching – The PCoIP client-side image cache stores image content in memory to avoid retransmission, providing significant reduction of bandwidth usage. Note that View Agent and View Connection Server must be version 5.0 or later.

VMware View 5.1 Installation Part 2 – View Composer

This series includes:
VMware View 5.1 Installation Part 1 – View Connection Server

This is the second installment in the VMware View 5.1 installation and configuration series. The first part covered the installation of View connection server and its SSL certificate. This post covers the optional component, View Composer 3.0. Composer is part of the View Premier bundle, and allows you to deploy link-clones for stateless VDI.

Unlike the Connection server, the View Composer 3.0 requires a SQL database back-end. Unfortunately, View Composer does NOT support Windows authentication if the SQL server is not on the Composer server. This is disappointing, as SQL authentication is not secure and other VMware products fully support Windows authentication to SQL such as vCenter, VUM, and UMDS. I would strongly uge you configure SQL transport encryption so that the weak SQL authentication is wrapped in SSL. For some guidance on configuring SQL SSL, check out this article.

Let’s get started on installing VMware Composer 3.0:

1. If your SQL server is not co-located with your Composer 3.0 server, then make sure your SQL server allows mixed mode authentication. To verify the authentication mode open Microsoft SQL Server Management studio. In the Object Explorer right click on the SQL server name and select Properties. Then click on Security, and change the authentication mode to SQL Server and Windows Authentication mode. Restart the SQL services if you had to change the mode.

2. You need to create the View composer database. You can do this manually, or modify the script below to suit your sizing requirements and file paths. You can cut and paste the script below into the Microsoft SQL Server Management Studio, then click on Execute.

USE master
create database “SD01-vCenter Composer”
on
( name = ‘SD01-vCenter Composer’,
  filename = ‘K:Microsoft SQL ServerMSSQLDataSD01-vCenter_Composer.mdf’,
  size = 250MB,
  filegrowth = 25MB )
  log on
  ( name = ‘SD01-vCenter Composer log’,
    filename = ‘L:Microsoft SQL ServerMSSQLDataLogsSD01-vCenter_Composer.ldf’,
    size = 100MB,
    filegrowth = 10MB )
    COLLATE SQL_Latin1_General_CP1_CI_AS;
GO

3. Since Composer uses SQL authentication, you need to create an account within SQL server. Pay close attention to the password policy, as it may default to require you to change password at next login, which is not what we want for a service account. Change the default database to the Composer database.

4. Next, we need to give the SQL account permissions to the Composer database. To do this we need to add a new user to the SQL database Give the SQL account db_owner permissions for the schema and database.

5. Switch over to what will be the View Composer server (could be your vCenter server, your View Composer server or a another server). Install the Microsoft SQL Native Client, then start the Composer installation and click through the wizard unitl you get to the database configuration. Click on ODBC DSN Setup then click on System DSN.

6. Click Add and on the next screen the SQL Server should be listed. Click Finish.

7. On the next screen fill in the DSN name you want to use, and the FQDN of the SQL server. Copy the name to the clipboard.

8. Select SQL Authentication then enter the SQL account credentials that you created in SQL server.

9. Change the default database to the Composer database that you created earlier.
10. Optionally configure strong SQL encryption, if you have configured your SQL server with a SSL certificate. Otherwise don’t enable encryption or the SQL client won’t be able to connect. Finish out the rest of the ODBC wizard.
11. Back in the Composer installation window, paste the DSN from the clipboard and enter the SQL account credentials.

12. If you are installing Composer on the same server as View Connection server, you should already have a SSL certificate installed if you followed my previous instructions here. If you are installing on the vCenter server or another server, then follow that link and do steps 1-7 to install a SSL certificate. Select the appropriate certificate by looking at the thumbprint.

To lookup the certificate thumbprint open a blank MMC, add the certificate snap-in for the computer account, then open the Details of the right  certificate and look for the Thumbprint value.

13. Wait for the installation to complete and reboot the server if prompted.
VMware View Composer 3.0 is now installed! The next article in this series will configure View Administrator.

VMware View 5.1 client enhancements

Along with the release of the server components of VMware View 5.1, VMware also updated all of their clients. You can download the clients here. Clients include: Mac, iPad, Ubuntu Linux, Windows (32-bit and 64-bit), and Android. On a security related note, the View 4.6.0.4914 client has a security vulnerability, so you should upgrade to 4.6.1 or later such as 5.1.

Also, if you are interested in the Linux View client, the only official one that VMware produces is for Ubuntu, and has a limited feature set (no USB access, no smart card support, or virtual printing). However, many vendors create their own View client with enhanced features and support for different embedded Linux distros. For example, Wyse provides day 1 support for View 5.1 in their thin clients. To date I haven’t seen any support statement from HP for View 5.1 clients, although I’m sure that’s in the works..just lagging Wyse.

What’s new in all of the View clients? Check ’em out:

View Client for Windows 5.1

  • Video playback improvements – Up to 3X better video playback performance.
  • Two-factor authentication improvements – RADIUS two-factor authentication is now supported with VMware View 5.1.
  • View Client with Local Mode improvements – The virtual machines used for local mode View desktops can now use virtual hardware version 8, which is included with vSphere 5. For information about the features enabled with virtual hardware version 8, see the vSphere 5 release notes.
  • Improved mouse responsiveness

View Client for Linux 1.5

  • Video playback improvements – Up to 3X better video playback performance.
  • Two-factor authentication improvements – RADIUS two-factor authentication is now supported with VMware View 5.1.
  • Improved mouse responsiveness
  • Works with Ubuntu 12.04 – The version of View Client for Linux 1.5 that is available from the Ubuntu Software Center works with both 32-bit and 64-bit versions of Ubuntu 12.04.

View Client for Mac 1.5

  • Audio and video improvements – Up to 3X better video playback performance. Greatly improved audio/video synchronization.
  • Two-factor authentication improvements – RADIUS two-factor authentication is now supported with VMware View 5.1.
  • Mouse improvements – Improved mouse responsiveness. Resolved mouse tracking issue when switching to and from View Client.


View Client for Android 1.5
  • Support for Ice Cream Sandwich
  • – View Client for Android now supports the Android 4.0 operating system.

  • Mouse support improvements – View Client now supports hover, right-click, and the scroll wheel mouse events on Ice Cream Sandwich devices.
  • Video playback improvements – Up to 2X better video playback performance.
  • Two-factor authentication improvements – RADIUS two-factor authentication is now supported with VMware View 5.1.
  • Save password option with VMware View 5.1 – When connecting to a View 5.1 server and if the View administrator enables this feature, end users have the option of saving their user name and password to simplify login to their desktop.
  • Internationalization improvements – French, German, and Spanish keyboards are supported when using VMware View 5.1 servers and appropriate international desktop keyboards. Direct Korean language input is supported when using VMware View 5.1 servers and desktops.
  • Touch in text fields to activate the onscreen keyboard – This feature is available when using VMware View 5.1 servers and virtual desktops. Click in a text field and the keyboard will be activated. You also have the ability to turn this feature off.
  • User interface improvements – More refined interface for small screen devices, all new Settings interface, and new, improved graphics.


View Client for iPad 1.5
  • Support for the new iPad
  • Video playback improvements – Up to 50% better video playback performance.
  • Two-factor authentication improvements – RADIUS two-factor authentication is now supported with VMware View 5.1.
  • Save password option with VMware View 5.1 – When connecting to a View 5.1 server and if the View administrator enables this feature, end users have the option of saving their user name and password to simplify login to their desktop.
  • Internationalization improvements – French, German, and Spanish keyboards are supported when using VMware View 5.1 servers and appropriate international desktop keyboards. Direct Korean language input is supported when using VMware View 5.1 servers and desktops.
  • Touch in text fields to activate the onscreen keyboard – This feature is available when using VMware View 5.1 servers and virtual desktops. Click in a text field and the keyboard will be activated. You also have the ability to turn this feature off.
  • Bluetooth keyboard improvements – The extended keyboard bar longer covers the Start menu and task bar when using a Bluetooth keyboard. Also, the touch in text fields option introduced in View 5.1 will activate the Bluetooth keyboard when clicking in a text field.
  • User interface improvements – More refined interface with new, improved graphics.

VMware View 5.1 Installation Part 1 – View Connection Server

Update: Slightly changed the discussing regarding the required certificate template type. The key to creating a certificate that will work with View is enabling the “allow private key export” option on the certificate. A “computer” or “web server” certificate will work, IF this option is enabled when the certificate is created.

This is the first post in a short series on configuring VMware View 5.1, using vSphere 5.0 Update 1, on Windows Server 2008 R2 SP1. The article assumes you already have vCenter 5.0 running in the environment, and are using Microsoft SQL Server 2008 R2, so I won’t cover how to install those products.

Other articles in this series include:
VMware View 5.1 Installation Part 2 – Composer

Having worked a lot with XenDesktop 5.5 in the past, it is interesting to see work flow for a View 5.1 installation. The first component I installed is the View Connection server, which can NOT be installed on the vCenter server. It will complain about port 80 being taken, so start off with a fresh Windows Server 2008 R2 SP1 VM for this component.

After you have provisioned a fresh VM for the View connection manager, we need to get our certificate house in order to ensure properly trusted SSL connections to this server. After the certificate is created and installed, we proceed with the basic View Connection server installation process, and finally verify the SSL certificate is working. The next article will cover the View Composer, which requires a database back-end, unlike View Connection server.

Take note the SSL certificate configuration process for View 5.1 is *completely* different from View 5.0 and previous versions. DO NOT follow VMware KB article 1008705 for View 5.1. You can find all of the View 5.1 documentation here. Should you try the View 5.0 and earlier instructions you can expect errors such as the following to be logged:

Couldn’t create SSL socket factory com.vmware.vdi.ice.server.u.a(SourceFile:529)
java.lang.NullPointerException: invalid null input

[u] Ignoring invalid storetype: pkcs12
[u] Ignoring invalid storetype: jks

To properly configure View 5.1 connection server, follow these steps:

1. On what will be your new View Connection server open a blank MMC, add the Certificates snap-in, and manage certificates for your Computer Account.

2. Open your personal certificates and review any existing certificates you may have. In this case I have Autoenroll configured, so the server automatically got a “computer” certificate installed. However, View Connection server can’t use this certificate if it was issued with all default settings, which prohibit exporting the private key.

If you try to use this certificate, the built-in web server will barf and you won’t get the login screen. The reason for this, is the default computer certificate template does not allow the private key to be exported, which View requires. So you could either alter the computer certificate request to allow private key export, or create a web server template (or request) with the allow private key export enabled.


3. Right click in the right pane and select Request New Certificate. Click Next, and on the following screen if you have a Windows CA that is online and configured to issue computer certificates, you should see something similar to the following picture. Click Next.

4. In my environment I configured my Microsoft Root CA to issue a custom web server template (Web Server v3), so I selected that enrollment policy. I recommend using a custom “web server” template as you can extend the validity period, ensure the allow private key export option is enabled, and customize the cipher strength. If you use the default computer template, you must alter the request properties to allow exporting of the private key or the certificate will not work. 
To create a custom web server certificate template, see my article How to create custom Microsoft CA SSL certificate templates to create a template. Or you can simply import a pkcs#12 certificate from a commercial CA into the computer store, such as GoDaddy or Verisign. As I’ve mentioned before the certificate template MUST have the “Allow private key to be exported” option enabled, otherwise the VMware View Security Gateway component will fail to start. Also, only use the Windows Server 2003 certificate template option, NOT Windows Server 2008, as those will NOT work.
5. Click on More information is required.. and the following window will pop up. For the subject name select common name and enter the FQDN of the View server. Click on Add to move the value to the right side.
6. On the General tab add a Friendly Name of vdm to the certificate. This is key! And only one certificate in your computer’s store can have this friendly name. Note that the friendly name is not baked into the certificate, and you can change it after the certificate is installed. If you import a certificate from a commercial CA, then open the properties of your imported certificate and change the friendly name.

7. Click OK, then click on Enroll. If all goes well, you should now see a new certificate with a friendly name of vdm in your certificate store. Note that the intended purposes is only Server Authentication.

8. Start the VMware View Connection Server installation process, and modify the installation directory as you see fit. I always install software on the D: drive, as shown below.


9. Select View Standard Server.

10. Enter a strong recovery password and optional password reminder.

11. Have the installer automatically configure your firewall.
12. Enter the group name you choose for View administrators.

13. Click through the remainder of the installation and wait for the installer to complete.

14. It is extremely unfortunate that the View console relies on Adobe Flash player, as it is riddled with nearly weekly critical security vulnerabilities. So you must install Flash player on whatever machine you want to access the View administrator console from. VMware really needs to update the interface to HTML5.

15. After you’ve lowered the security posture of your victim computer with Adobe Flash, you can browse to the FQDN and shortname URL (e.g. HTTPS://D0001View/admin) and you should get welcomed by the View Administrator logon screen and no SSL errors. In your browser open the properties of the SSL certificate and verify it is using your trusted certificate.
And now you should see the View Administrator logon!
© 2017 - Sitemap