Home > Blogs > VMware End-User Computing Blog


USB Device Redirection in VMware Horizon View 5.1 and 5.2

By Peter Brown, Senior R&D Manager, VMware, London, UK

With the EUC Solutions Management and Technical Marketing team

What Is USB Device Redirection?

We are all used to USB devices on laptop or desktop machines. If you are working in a VDI environment such as VMware Horizon View*, you may want to use your USB devices in that virtualized desktop too. USB device redirection is functionality in Horizon View that allows the USB device to be connected to the virtualized desktop as if it had been physically plugged into it.

USB Redirection Changes in VMware View 5.1

The USB device is redirected from the physical device to the virtual desktop using network redirection of the USB request block (URB). The USB device driver needs to be installed on the VDI desktop (but it does not need installing on the client machine). Recent enhancements in VMware View 5.1 have greatly improved device compatibility as well as support for USB redirection on Windows, Mac, and Linux hosts.

At a high level, the changes between VMware View 5.0 and 5.1 include:

  • Integration with other VMware components (allowing devices to be used between VMware applications, such as between Horizon View, VMware Workstation, and VMware Fusion).
  • Broader device support, adding devices such as SanDisk Cruzer and IronKey.
  • A new filtering mechanism on the client and agent, which allows specific devices to be blocked from redirection. These filtering rules can be applied locally on a client or via administrative policy using GPOs.
  • A splitting mechanism allowing complex composite USB devices to be partially forwarded.
  • Devices that reset themselves during operation are automatically re-forwarded (notably, Blackberry or iPhone system updates, SanDisk Cruzer, and IronKey).
  • The driver for a device does not need to be installed on the client machine.

… and much, much more!

For details about USB device redirection in Horizon View, read on.

Horizon View Clients to Support New USB Redirection Features

The latest Horizon View clients can be downloaded from here. The Horizon View Windows client v5.1 and later supports the new USB redirection functionality. This support was added to the Linux and Arm clients in v1.5, and more recently we added it to the Mac OSX client in v1.7.

USB Device Support in Virtual Environments

Horizon View does not implement anything to explicitly block USB devices from working. However, some devices are not designed to work in a virtualized environment. For example:

  • Webcams are not officially supported in Horizon View via USB redirection. Some may work, but it is not recommended to use them at any scale. Webcams typically send uncompressed images, which require a huge amount of bandwidth. Therefore, redirected webcams are unsuitable for large-scale use. Testing in our lab shows that some webcams running at 640×480 at 15 fps can consume 62Mbps!
    *** UPDATE 12th July 2013***
    Webcams are now supported via the Real-Time Audio-Video functionality which ships as part of Feature Pack 2. See Real-Time Audio-Video (RTAV) for Horizon View Blog Post for more information. Note that they should not be forwarded via USB redirection as that has the same issues as identified above.
  • Some third-party device drivers contain internal timeouts. If the network latency causes messages to exceed these timeouts, then the device may not work.
  • Some security USB devices explicitly check if they are plugged into a local machine and are not being redirected. These devices will therefore present problems for redirection.

In general, most devices redirect correctly, although, depending on latency, the performance may be slower than if they were connected locally.

USB Device Filtering

USB device filtering allows specific devices, device families (e.g., storage devices), or vendor product models to be restricted from being forwarded to the virtualized desktop. These rules can be applied locally at the client, or at the virtualized desktop. Administrative group policy (GPOs) can be applied, too, allowing company-wide configurations to be applied across all or some desktops.

USB device filtering is often used by companies to disable the use of mass storage devices on virtualized desktops, or perhaps to block a specific device which a user never wants to be forwarded (e.g., USB-to-Ethernet adapter).

Complex filter rules can be constructed – for example, to disallow all products from a specific vendor, except for a specific device model. When used in conjunction with USB device splitting (see below), the configuration options can be very powerful.  A previously posted engineering blog on this topic is Filtering and Splitting for USB Devices in VMware View 5.1.

USB Device Splitting

Some USB devices are composite devices. Many such devices exist; for example, a single physical device may contain a speaker, microphone, keypad, and mouse. In Horizon View 5.1 and later, it is possible to split this device such that some parts of the device (e.g., mouse) are left local to the client machine, and other parts are forwarded to the virtualized desktop. This can result in a much more effective user experience.

Check out the blog post What’s New with USB Redirection in VMware View 5.1? for more information and a practical USB-device splitting example.

Does It matter If I’m Using an RDP or PCoIP Display Protocol?

No – VMware Horizon View USB redirection works independently of the display protocol.

USB1 / USB2 / USB3 Compatibility

USB redirection operates over a network. The throughput (performance) of forwarded devices will depend directly on your network latency. The higher the latency, the lower the throughput. USB1 and USB2 devices are supported in Horizon View, but with high network latency, it is likely that you will have slower performance with lower throughput than if the devices were used locally.

Super-speed USB3 devices are not currently supported in Horizon View. USB3 devices will however often work (in USB2 mode) when plugged into a USB2 port on the client machine. This method should always work when running Windows 8. However, we have found that on other operating systems, depending on the USB chipset on the client motherboard, these USB3 devices may not work properly in USB2 mode when redirected to the virtualized desktop.

USB Redirection Performance in a LAN Compared to a WAN

As mentioned above, the performance of the redirected USB device will vary greatly depending on the network latency and reliability. For example, a single USB storage device read-request requires three roundtrips between the client and virtualized desktop. A read of a complete file may need multiple USB read operations, and the larger the latency, the longer the roundtrips will take. An unreliable network link will cause retries, and the performance can be further reduced.

For this reason, some devices do not work well over a latent network such as a WAN. Examples include USB DVD writers, which require a steady bit-rate of data to allow the burn operation to complete correctly, or USB audio and video devices, which require low latency for the data to be useful.

It is possible to simulate WAN environments in a virtualized environment with tools such as WanEm. This simulation can be useful for testing specific device performance in a virtual desktop over latent or unreliable networks in advance of deploying the virtual desktops to end users.

USB Storage Device Performance 

Due to the way that USB storage devices work, performance can be slow over a WAN. This is because before the USB device can appear in the Windows operating system, the file structure needs to be read from the device. The file structure can be very large (depending on how the device has been formatted) and can take significant time to read, so the device may take a long time to appear for use. There are some tricks that can help improve the performance – for example, formatting a USB device as NTFS rather than FAT helps to decrease the initial connection time. The KB article Redirecting a USB flash drive might take several minutes explains this trick in more detail.

Auto-Connecting USB Devices to a Virtual Desktop

Configuration options allow USB devices to be automatically forwarded to the virtualized desktop after they are connected to the client device. Alternatively, on Windows and Mac clients the menu allows manual selection of which devices are forwarded.

Is USB Data Encrypted?

Yes, from VMware View 5.0 onward. Redirected USB data is encoded in an SSL channel from the client right through to the desktop. USB redirection requires port 32111 to be open on your firewalls.

Is It Possible to Disable USB Redirection?

Some highly security-sensitive applications require that USB redirection be disabled to virtualized desktops. This can be achieved in one of several ways:

  • Horizon View pool policy can be used to disable USB redirection for a specific pool. This can be configured from the VMware Horizon View Administrator UI:

User overrides can also be applied to enable or disable USB redirection on a per user basis in a specific pool.

  • The ExcludeAllDevices configuration option can be applied on the agent or the client side to prevent any devices from being forwarded. (Note: This can be used in conjunction with an “AllowFilter” rule to permit only a specific device to work and to block all others.)
  • During installation of the View Agent on the Horizon View desktop, you can de-select the USB redirection components. Without these components installed, it is absolutely not possible to do USB redirection!

What’s New with USB Redirection in VMware Horizon View 5.2?

Using USB devices to listen to audio from your virtualized desktop has always been possible. However, in VMware View 5.1 and earlier – depending on what you were “doing” in the desktop – redirection of USB audio devices could cause audio quality problems. Depending on the specific USB device and also on the way you plan to use that device, an enhancement in Horizon View 5.2 can improve the audio quality. This enhancement isn’t a fix-all solution, and this functionality is disabled by default. However, if you do experience low-quality audio for your device and application, then it might be worth experimenting with this new option.

For example, this enhancement has improved audio-out performance with the Olympus DR-2000 Speech Mike device.

To enable the new audio-out enhancement, you need to set a registry key in your Horizon View guest desktop.  For best-quality audio, set the following registry key:

Windows XP: HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware VDM\USB\AudioOutDeviceFlags = 0×600

Win Vista/7/8: HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware VDM\USB\AudioOutDeviceFlags = 0×700

Wrap-Up

The enhancements for USB redirection in Horizon View 5.1 and 5.2 enable you to do just about anything you want. Give it a try, and join the conversation on the Horizon View USB Community Forum.

* We changed the name from VMware View to VMware Horizon View with the 5.2 release. We use the legacy name here for the 5.0 and 5.1 releases, but we use the new name when referring to 5.2 alone or when aggregated with prior releases.

 

 

13 thoughts on “USB Device Redirection in VMware Horizon View 5.1 and 5.2

  1. Pingback: USB Device Redirection in VMware Horizon View 5.1 and 5.2 at That's my View

  2. Johan Sjögren

    Are webcam and microphone supported in the new version 5.2? We use Webex but in the 5.1.x version are not webcams supported.

    1. Peter Brown

      Hi Johan,
      Webcams are not officially supported in View yet.

      The problem as outlined above is that when redirected as a USB device the bandwidth needed is often very large and it doesn’t scale in a typical environment. Some cameras can work if you configure their resolutions small enough, however this isn’t a valid solution for all users and you can’t do this with all webcams. Hence it is not officially supported.

      We know there is a lot of interest in this functionality, so it is good to understand your use case of using it with Webex.

      cheers
      Peter Brown

      UPDATE 12th July 2013
      We are delighted to announce the new Real-Time Audio-Video functionality as part of Horizon View Feature Pack 2. This functionality adds support in Horizon View for Webcams and Audio-In. Please see my blog post here: http://blogs.vmware.com/euc/2013/07/3370.html for more details.

  3. Cameron

    Hi there, can you provide more information on the type of encryption for USB? Is it also available when you are not using an external security server but connecting firectly to a desktop referred via a connection server?

    1. Peter Brown

      Hi Cameron
      The channel is encrypted using SSL negotiated between client and agent using the available cipher suites.

      Prior to View 5.0, the encryption was only between the client and the security server.

      In View 5.0 and later, the channel is encrypted from the client to the agent regardless of whether the connection goes via the security server.

      For View 5.0 and View 5.1 RC4 128/128 would be the typical cipher.

      For Horizon View 5.2 it would typically be AES 128 or AES 256.
      These are configurable via standard OS config options.

      Kind Regards

      Peter Brown

  4. Joe Clarke

    Great write up, thanks for the summary! I recently submitted a feature request for improvement that I guess didn’t make it into 5.2. I came into a use case recently where a customer wanted to auto connect only a specific USB device from a device which had several built in components they didn’t want to autoconnect. Unfortunately the USB autoconnect function is all or nothing, so we would have had to blacklist those device PIDs, but the customer needed them to be available, just not auto connected. I imagine plenty of folks would love a “always auto-connect this USB device” GPO client option. Thanks again for the post!

    1. Peter Brown

      Hi Joe
      I presume this is a composite device that you are referring to? Can you not use splitting for this requirement you mention? i.e. ensure that the specific parts that they don’t want to forward are kept locally and the part they do want is forwarded?

      Alternatively, if this is several separate devices (then splitting isn’t applicable) but in this case you could set the ExcludeAllDevices rule, but then set the includeVidPid for the specific device they want, and set auto forward to enabled.

      If this doesn’t solve your issue then post back and let me know in a bit more detail what you are trying to achieve and we can look to include it in the backlog for future development work!

      cheers

      Peter Brown

  5. Bob Vaal

    Is HP’s DOT4 USB Printing port supported in View. Have a HP Printer that works on the parent VM but won’t on the view client via USB redirection.

    1. Peter Brown

      Hi Bob
      Can you provide the model number and I’ll see if its one of the devices we regularly test with.

      If this is causing you problems though then please raise a support request and the right folks can then investigate.
      Kind Regards

      Peter Brown

  6. Bob Vaal

    Figured it out. The HP LJ P1102w does NOT use HP’s DOT4 USB Printing drivers. The HP LJ P1102w has it’s drivers built in. When you hook it up USB it creates a USB CDROM Drive with the drivers so you can install them. When you first attach it via USB Redirection to a Veiw desktop, it succesfully creates the USB CDROM Drive but fails finding a USB port when installing the drivers.

    The printer also allows wireless connectivity to it. I configured the printer for wireless. Connected to it via it’s web based interface. In the configuration there is a setting to turn off “Show HP Smart Install download option” and “Enable USB HP Smart Install” options. This allowed the USB redirection to use the P1102w drivers that I preinstalled in my parent image.

    1. Peter Brown

      Ah – that’s great news Bob. Thanks for posting back.
      We do test with various HP printers, but this wasn’t one of them, so it’s great that you figured it out.
      cheers
      peter brown

Comments are closed.