By Peter Brown, Senior R&D Manager, VMware, London, UK
With the EUC Solutions Management and Technical Marketing team
What Is USB Device Redirection?
We are all used to USB devices on laptop or desktop machines. If you are working in a VDI environment such as VMware Horizon View*, you may want to use your USB devices in that virtualized desktop too. USB device redirection is functionality in Horizon View that allows the USB device to be connected to the virtualized desktop as if it had been physically plugged into it.
USB Redirection Changes in VMware View 5.1
The USB device is redirected from the physical device to the virtual desktop using network redirection of the USB request block (URB). The USB device driver needs to be installed on the VDI desktop (but it does not need installing on the client machine). Recent enhancements in VMware View 5.1 have greatly improved device compatibility as well as support for USB redirection on Windows, Mac, and Linux hosts.
At a high level, the changes between VMware View 5.0 and 5.1 include:
- Integration with other VMware components (allowing devices to be used between VMware applications, such as between Horizon View, VMware Workstation, and VMware Fusion).
- Broader device support, adding devices such as SanDisk Cruzer and IronKey.
- A new filtering mechanism on the client and agent, which allows specific devices to be blocked from redirection. These filtering rules can be applied locally on a client or via administrative policy using GPOs.
- A splitting mechanism allowing complex composite USB devices to be partially forwarded.
- Devices that reset themselves during operation are automatically re-forwarded (notably, Blackberry or iPhone system updates, SanDisk Cruzer, and IronKey).
- The driver for a device does not need to be installed on the client machine.
… and much, much more!
For details about USB device redirection in Horizon View, read on.
Horizon View Clients to Support New USB Redirection Features
The latest Horizon View clients can be downloaded from here. The Horizon View Windows client v5.1 and later supports the new USB redirection functionality. This support was added to the Linux and Arm clients in v1.5, and more recently we added it to the Mac OSX client in v1.7.
USB Device Support in Virtual Environments
Horizon View does not implement anything to explicitly block USB devices from working. However, some devices are not designed to work in a virtualized environment. For example:
- Webcams are not officially supported in Horizon View via USB redirection. Some may work, but it is not recommended to use them at any scale. Webcams typically send uncompressed images, which require a huge amount of bandwidth. Therefore, redirected webcams are unsuitable for large-scale use. Testing in our lab shows that some webcams running at 640×480 at 15 fps can consume 62Mbps!
*** UPDATE 12th July 2013***
Webcams are now supported via the Real-Time Audio-Video functionality which ships as part of Feature Pack 2. See Real-Time Audio-Video (RTAV) for Horizon View Blog Post for more information. Note that they should not be forwarded via USB redirection as that has the same issues as identified above.
- Some third-party device drivers contain internal timeouts. If the network latency causes messages to exceed these timeouts, then the device may not work.
- Some security USB devices explicitly check if they are plugged into a local machine and are not being redirected. These devices will therefore present problems for redirection.
In general, most devices redirect correctly, although, depending on latency, the performance may be slower than if they were connected locally.
USB Device Filtering
USB device filtering allows specific devices, device families (e.g., storage devices), or vendor product models to be restricted from being forwarded to the virtualized desktop. These rules can be applied locally at the client, or at the virtualized desktop. Administrative group policy (GPOs) can be applied, too, allowing company-wide configurations to be applied across all or some desktops.
USB device filtering is often used by companies to disable the use of mass storage devices on virtualized desktops, or perhaps to block a specific device which a user never wants to be forwarded (e.g., USB-to-Ethernet adapter).
Complex filter rules can be constructed – for example, to disallow all products from a specific vendor, except for a specific device model. When used in conjunction with USB device splitting (see below), the configuration options can be very powerful. A previously posted engineering blog on this topic is Filtering and Splitting for USB Devices in VMware View 5.1.
USB Device Splitting
Some USB devices are composite devices. Many such devices exist; for example, a single physical device may contain a speaker, microphone, keypad, and mouse. In Horizon View 5.1 and later, it is possible to split this device such that some parts of the device (e.g., mouse) are left local to the client machine, and other parts are forwarded to the virtualized desktop. This can result in a much more effective user experience.
Check out the blog post What’s New with USB Redirection in VMware View 5.1? for more information and a practical USB-device splitting example.
Does It matter If I’m Using an RDP or PCoIP Display Protocol?
No – VMware Horizon View USB redirection works independently of the display protocol.
USB1 / USB2 / USB3 Compatibility
USB redirection operates over a network. The throughput (performance) of forwarded devices will depend directly on your network latency. The higher the latency, the lower the throughput. USB1 and USB2 devices are supported in Horizon View, but with high network latency, it is likely that you will have slower performance with lower throughput than if the devices were used locally.
Super-speed USB3 devices are not currently supported in Horizon View. USB3 devices will however often work (in USB2 mode) when plugged into a USB2 port on the client machine. This method should always work when running Windows 8. However, we have found that on other operating systems, depending on the USB chipset on the client motherboard, these USB3 devices may not work properly in USB2 mode when redirected to the virtualized desktop.
USB Redirection Performance in a LAN Compared to a WAN
As mentioned above, the performance of the redirected USB device will vary greatly depending on the network latency and reliability. For example, a single USB storage device read-request requires three roundtrips between the client and virtualized desktop. A read of a complete file may need multiple USB read operations, and the larger the latency, the longer the roundtrips will take. An unreliable network link will cause retries, and the performance can be further reduced.
For this reason, some devices do not work well over a latent network such as a WAN. Examples include USB DVD writers, which require a steady bit-rate of data to allow the burn operation to complete correctly, or USB audio and video devices, which require low latency for the data to be useful.
It is possible to simulate WAN environments in a virtualized environment with tools such as WanEm. This simulation can be useful for testing specific device performance in a virtual desktop over latent or unreliable networks in advance of deploying the virtual desktops to end users.
USB Storage Device Performance
Due to the way that USB storage devices work, performance can be slow over a WAN. This is because before the USB device can appear in the Windows operating system, the file structure needs to be read from the device. The file structure can be very large (depending on how the device has been formatted) and can take significant time to read, so the device may take a long time to appear for use. There are some tricks that can help improve the performance – for example, formatting a USB device as NTFS rather than FAT helps to decrease the initial connection time. The KB article Redirecting a USB flash drive might take several minutes explains this trick in more detail.
Auto-Connecting USB Devices to a Virtual Desktop
Configuration options allow USB devices to be automatically forwarded to the virtualized desktop after they are connected to the client device. Alternatively, on Windows and Mac clients the menu allows manual selection of which devices are forwarded.
Is USB Data Encrypted?
Yes, from VMware View 5.0 onward. Redirected USB data is encoded in an SSL channel from the client right through to the desktop. USB redirection requires port 32111 to be open on your firewalls.
Is It Possible to Disable USB Redirection?
Some highly security-sensitive applications require that USB redirection be disabled to virtualized desktops. This can be achieved in one of several ways:
- Horizon View pool policy can be used to disable USB redirection for a specific pool. This can be configured from the VMware Horizon View Administrator UI:
User overrides can also be applied to enable or disable USB redirection on a per user basis in a specific pool.
- The ExcludeAllDevices configuration option can be applied on the agent or the client side to prevent any devices from being forwarded. (Note: This can be used in conjunction with an “AllowFilter” rule to permit only a specific device to work and to block all others.)
- During installation of the View Agent on the Horizon View desktop, you can de-select the USB redirection components. Without these components installed, it is absolutely not possible to do USB redirection!
What’s New with USB Redirection in VMware Horizon View 5.2?
Using USB devices to listen to audio from your virtualized desktop has always been possible. However, in VMware View 5.1 and earlier – depending on what you were “doing” in the desktop – redirection of USB audio devices could cause audio quality problems. Depending on the specific USB device and also on the way you plan to use that device, an enhancement in Horizon View 5.2 can improve the audio quality. This enhancement isn’t a fix-all solution, and this functionality is disabled by default. However, if you do experience low-quality audio for your device and application, then it might be worth experimenting with this new option.
For example, this enhancement has improved audio-out performance with the Olympus DR-2000 Speech Mike device.
To enable the new audio-out enhancement, you need to set a registry key in your Horizon View guest desktop. For best-quality audio, set the following registry key:
Windows XP: HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware VDM\USB\AudioOutDeviceFlags = 0x600
Win Vista/7/8: HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware VDM\USB\AudioOutDeviceFlags = 0x700
The enhancements for USB redirection in Horizon View 5.1 and 5.2 enable you to do just about anything you want. Give it a try, and join the conversation on the Horizon View USB Community Forum.
* We changed the name from VMware View to VMware Horizon View with the 5.2 release. We use the legacy name here for the 5.0 and 5.1 releases, but we use the new name when referring to 5.2 alone or when aggregated with prior releases.