Using VMware Horizon View Agent Direct-Connection in Horizon View 5.3
One of the great new features of VMware Horizon View 5.3 is the ability for any View Client to connect directly to a Horizon View desktop without using View Connection Server. VMware Horizon View Agent Direct-Connection (VADC) Plug-In enables some important new possibilities and flexibility in the way that Horizon View desktops can be used.
What Is the Horizon View Agent Direct-Connection For?
This new feature is intended to allow Horizon View to be deployed to support some specific additional use cases. These use cases include the following:
- DaaS – Multi-tenant Desktop-as-a-Service (DaaS) deployments such as those used with Desktone technology. Newly acquired by VMware, the Desktone platform enables service providers to deliver Windows desktops as a subscription service. This includes the new DaaS offering within VMware vCloud Hybrid Service (vCHS). Many Horizon View service providers are using this new technology today to offer subscription DaaS.
- Branch offices – Branch office and retail store environments where VMware vSphere hosts running Horizon View desktops are deployed in multiple locations, and View Clients connect locally within each location without being constrained by WAN performance and reliability. Several VMware partners have incorporated this feature into their branch office solutions for Horizon View.
- Brokerless Horizon View desktops – Simple 1:1 deployments where full brokering from View Connection Server is not needed.
How Does VADC Work?
To support this direct-connection capability, a new Horizon View 5.3 software component called VMware Horizon View Agent Direct-Connection Plug-In (VADC) can be installed on each Horizon View desktop alongside View Agent. This component is essentially a mini View Connection Server on each Horizon View desktop that supports the full capabilities of each View Client (VMware and third-party). Supported capabilities include PCoIP, RDP, USB redirection, sound, 3D, Real-Time Audio-Video (RTAV), Unity Touch, single sign-on, session management, and more.
This diagram shows a View Client connecting directly to a Horizon View desktop virtual machine.
When a user starts View Client, instead of specifying the name or IP address of a View Connection Server or View Security Server, they can specify the name or IP address of the Horizon View desktop itself.
The user logs in as they normally would, either with a local user account or a domain account (if the desktop is joined to an Active Directory domain). Once connected, the user experiences the full capabilities of Horizon View as if they had connected via a View Connection Server.
How Do I Install and Configure Horizon VADC Plug-In?
Installation and configuration are simple, but the order of the steps and the configuration settings matter. The basic steps are outlined below:
- Set up a virtual machine on the vSphere platform and change the default video RAM setting to a larger value (such as 128MB).
- Install the Microsoft Windows operating system.
- If you want to use VMware Tools, install it now.
- Install View Agent 5.3 or newer and reboot if requested.
- Install the Horizon View Agent Direct-Connection Plug-In 5.3 or newer.
That’s it! You can now start any View Client and specify the name or IP address of this Horizon View desktop. Of course, these installation steps would normally be performed on a master image and provisioned consistently across multiple desktops.
During installation of the Horizon View Agent Direct-Connection Plug-In, you can specify the TCP port on which VADC listens for incoming HTTPS connections from View Clients. Normally you should leave this at the default value of 443. You can also let the installer create an inbound Windows Firewall rule that allows this port. The TCP port number can be changed later if required.
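The following PowerShell script is an added example for checking a desktop after the steps above; it is not part of the VMware page or product. It assumes the plug-in DLL wsnm_xmlapi.dll is installed under the View Agent bin directory shown, that the View Agent Windows service is named wsnm, that the HTTPS port was left at the default 443, and that the desktop runs Windows 8 or later (Get-NetTCPConnection and New-NetFirewallRule are not available on Windows 7). The installer can already open the port; the rule created here is deliberately narrower, restricting inbound HTTPS to an assumed client subnet, since every VADC desktop otherwise exposes an HTTPS listener to any network it can be reached from.

```powershell
# Added example (not VMware code): verify a VADC installation and scope the
# inbound firewall rule. Paths, service name and subnet are assumptions.
param(
    [int]$Port = 443,
    [string]$AgentBin = 'C:\Program Files\VMware\VMware View\Agent\bin',
    [string]$ClientSubnet = '10.0.0.0/8'   # assumed View Client network; adjust
)

# 1. Plug-in binary present? (VADC is a DLL loaded by View Agent, not a service.)
$dll = Join-Path $AgentBin 'wsnm_xmlapi.dll'
if (Test-Path $dll) {
    Write-Host "VADC plug-in present, version $((Get-Item $dll).VersionInfo.FileVersion)"
} else {
    Write-Warning "VADC plug-in not found at $dll"
}

# 2. View Agent service running? VADC only loads when the agent starts.
$svc = Get-Service -Name wsnm -ErrorAction SilentlyContinue
if ($null -eq $svc -or $svc.Status -ne 'Running') {
    Write-Warning 'View Agent service (wsnm) is not running; VADC loads inside it'
}

# 3. HTTP.SYS carries the SSL binding for VADC, so look there rather than in a
#    VMware process. The binding line looks like "IP:port : 0.0.0.0:443".
$bindings = netsh http show sslcert
if ($bindings -match (':{0}\s*$' -f $Port)) {
    Write-Host "HTTP.SYS SSL binding on port $Port present"
} else {
    Write-Warning "No HTTP.SYS SSL binding for port $Port; VADC binds it when View Agent starts"
}

# 4. Is anything actually listening on the chosen port?
if (Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue) {
    Write-Host "TCP $Port is listening"
} else {
    Write-Warning "Nothing is listening on TCP $Port"
}

# 5. Inbound rule limited to the client subnet and to domain/private profiles.
$ruleName = "VMware View Agent Direct-Connection (TCP $Port)"
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP -LocalPort $Port `
        -Action Allow -Profile Domain,Private -RemoteAddress $ClientSubnet | Out-Null
    Write-Host "Created inbound rule '$ruleName' scoped to $ClientSubnet"
}
```

Run it as an administrator on the master image after the plug-in install and again on a provisioned desktop; a missing HTTP.SYS binding on a freshly cloned machine usually just means View Agent has not started yet.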
There are several other advanced configuration settings for VADC. These can either be managed through Active Directory Group Policy Objects or by making registry updates directly in the Horizon View desktop master image. A full list of these settings is described in the VMware Horizon View Agent Direct-Connection Administration guide.
The guide describes how VADC can be configured for use in an environment that uses NAT (network address translation) and port mapping for client connections so that a single IP address from View Clients can be used for all desktops, and a unique TCP port number can be used to select a specific desktop. The guide also has information about how SSL server certificates can be set up and managed.
Is There a Big Overhead on Each Desktop?
No. VADC is tiny—just over 300KB. An important design goal for this feature was to ensure the footprint was small. There is no additional service running and not even an additional process. View Agent supports a plug-in architecture, and so VADC is a small, efficient, native-code DLL. It communicates with View Agent through a high-performance, in-process framework channel, and all HTTP(S) handling is performed through the HTTP.SYS kernel mode driver. When VADC is installed, it is automatically loaded when View Agent starts. It makes use of the existing View Agent functionality for all of the Horizon View features, and uses existing operating-system functionality for the HTTP(S) protocol traffic, SSL server certificate handling, and so on.
The filename for the Horizon View Agent Direct-Connection Plug-In is wsnm_xmlapi.dll. The diagram below shows the main modules of this plug-in together with the main interfaces to Microsoft subsystems and to the View Agent itself.
Can VADC Be Used in Conjunction with View Connection Server?
Yes. Although VADC can be used on its own without View Connection Server, in several situations deployments will use both. View Connection Server can provision and manage the desktops while View Client users still connect directly through VADC. A mixed mode is also possible, in which some users connect through View Connection Server (brokered) and others connect directly.
Often a branch office deployment with vSphere hosts in each branch will involve View Connection Server running in the datacenter to provision and manage the desktops in each branch. View Client users in the branch can connect directly to local desktops with VADC. This configuration enables optimal performance, with the advantage that wide-area network failures will not prevent users from accessing their desktops.
View Connection Server provides powerful features for machine provisioning and management (in addition to brokering). In general, you should always deploy View Connection Server when it is practical to do so, even in cases where View Clients connect directly with VADC.
How Do View Clients Know Which Horizon View Desktop to Connect To?
There are several options here.
If the user knows the name or address of the desktop, they can enter it in the View Client field that normally takes the View Connection Server name.
When each virtual desktop is created, a DNS entry can be added to give the desktop a meaningful, easy-to-remember name, such as the username of the desktop owner, e.g., jdoe.vdi.myco.com. The user simply connects to this DNS name each time to get to their virtual desktop.
View Clients support a URI specification allowing the client to launch automatically. The desktop name or address can be included in this URI specification so that the user clicks the URL to launch the installed View Client and connect automatically. A sample URL is below:
When a user clicks the URL above, a View Client connection is made to the virtual desktop jdoe.vdi.myco.com, and a session on the desktop computer jdoe-w7 is launched using the PCoIP protocol.
Thin clients and View Clients in kiosk mode can be configured to connect automatically to their associated virtual desktop at power-on. For example, Teradici Management Console can be used to configure zero clients automatically, giving each client its own IP address as well as the View Connection Server name and address. In this case, the View Connection Server name and address configured on the client would be those of the associated virtual desktop.
In some use cases, such as many DaaS deployments of Horizon View, brokering is handled by the Desktone tenant appliance, which automatically routes the desktop connection.
Are NAT and Port Mapping Supported?
Yes. This is useful in cases where a NAT and port-mapping device is between the View Client and Horizon View desktop. In this case, a single IP address can be used to access many desktops and a specific TCP port number is used to select individual desktops.
By allocating five ports per desktop (to allow for secondary connections such as PCoIP, USB redirection, and so on), and with 65535 port numbers available per IP address, over 13,000 desktops can be reached through a single IP address. VADC can automatically calculate the necessary external port numbers and supply them to the client as needed, while each desktop continues to use the standard ports internally. This makes NAT and port-mapping setup straightforward across large numbers of desktops.
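The functions below are an added example, not VMware code, working through the port arithmetic in the paragraph above. They assume external ports are handed out as contiguous blocks of five starting at a chosen base port, with the first port of each block mapped to the desktop's standard HTTPS port 443; the real per-desktop external address and port settings are VADC configuration described in the Administration guide and are not reproduced here. The reverse lookup is the piece a practitioner tends to need later, when a firewall or NAT log shows only an external port and the question is which desktop it belonged to.

```powershell
# Added example (not VMware code): block allocation of external ports for
# NAT/port-mapped VADC desktops. Base port, block size and addresses are assumptions.

function Get-DesktopPortBlock {
    # External port range reserved for the desktop with the given 0-based index.
    param(
        [Parameter(Mandatory)][int]$DesktopIndex,
        [int]$BasePort = 1024,          # stay clear of well-known ports
        [int]$PortsPerDesktop = 5       # HTTPS plus secondary connections
    )
    $first = $BasePort + $DesktopIndex * $PortsPerDesktop
    $last  = $first + $PortsPerDesktop - 1
    if ($last -gt 65535) {
        throw "Desktop $DesktopIndex does not fit in the port space of one IP address"
    }
    [pscustomobject]@{ Desktop = $DesktopIndex; FirstPort = $first; LastPort = $last }
}

function Get-DesktopIndexFromPort {
    # Reverse lookup: which desktop does an observed external port belong to?
    param(
        [Parameter(Mandatory)][int]$ExternalPort,
        [int]$BasePort = 1024,
        [int]$PortsPerDesktop = 5
    )
    if ($ExternalPort -lt $BasePort -or $ExternalPort -gt 65535) {
        throw "Port $ExternalPort is outside the allocated range"
    }
    [int][math]::Floor(($ExternalPort - $BasePort) / $PortsPerDesktop)
}

function Get-DesktopCapacity {
    # How many desktops fit behind one external IP address with this scheme.
    param([int]$BasePort = 1024, [int]$PortsPerDesktop = 5)
    [int][math]::Floor((65535 - $BasePort + 1) / $PortsPerDesktop)
}

function New-NatTable {
    # Translation table for the NAT device: external IP:port -> internal desktop:443,
    # with the remaining ports of each block reserved for secondary connections.
    param(
        [Parameter(Mandatory)][string]$ExternalIp,
        [Parameter(Mandatory)][string[]]$InternalIps,
        [int]$BasePort = 1024
    )
    for ($i = 0; $i -lt $InternalIps.Count; $i++) {
        $blk = Get-DesktopPortBlock -DesktopIndex $i -BasePort $BasePort
        [pscustomobject]@{
            Desktop          = $i
            ExternalEndpoint = "${ExternalIp}:$($blk.FirstPort)"
            InternalEndpoint = "$($InternalIps[$i]):443"
            SecondaryPorts   = "$($blk.FirstPort + 1)-$($blk.LastPort)"
        }
    }
}

# Constructed sample: three desktops behind one documentation-range address.
New-NatTable -ExternalIp '203.0.113.10' -InternalIps '10.0.1.11','10.0.1.12','10.0.1.13' | Format-Table

Get-DesktopCapacity                 # 12902 with base port 1024
Get-DesktopCapacity -BasePort 1     # 13107: the "over 13,000" figure above
Get-DesktopIndexFromPort 1037       # 2 -> the third desktop (10.0.1.13)
```

Starting the allocation at 1024 costs about two hundred desktop slots per address but keeps the mapped range away from ports that other services on the NAT device may already claim.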
For more information on setting up NAT and port mapping, see Using Network Address Translation and Port Mapping in the VMware Horizon View Agent Direct-Connection Plug-In Administration guide.
How Are SSL Server Certificates Handled?
View Clients validate the SSL server certificate presented when a connection is established. This assures the user that they are connecting to a trusted environment and reduces the risk of a man-in-the-middle (MITM) attack. The SSL server certificate is usually present on the View Connection Server, View Security Server, or load balancer. In the case of a direct connection to a desktop running VADC, the SSL server certificate is returned by the virtual desktop itself.
When VADC starts for the first time after installation, it automatically generates a self-signed SSL server certificate in the same way that certificates are generated for View Connection Server and View Security Server. This self-signed certificate in Horizon View should always be considered temporary. In a production environment, this self-signed certificate should be replaced by a certificate signed by a trusted Certificate Authority (CA).
With VADC, the SSL server certificate is stored in the standard Windows Certificate Store, so the procedure for installing a CA-signed certificate to replace the self-signed certificate is exactly the same as for View Connection Server, except that the process is performed on each desktop machine.
To deploy a CA-signed SSL server certificate onto many virtual desktops, you can use the same wildcard certificate on all desktops or on a group of desktops. It can be installed manually, as part of the machine image, or through an Active Directory certificate enrollment policy. Bear in mind that a wildcard certificate shared across desktops means a single compromised desktop exposes the private key used by all of them; per-machine certificates issued through autoenrollment avoid that exposure at the cost of more certificates to manage.
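The script below is an added example of replacing the self-signed certificate on one desktop; it is not VMware's procedure and should be checked against the Administration guide. It assumes the CA-signed certificate and key are in a PFX file, that VADC, like View Connection Server, selects the certificate in the Local Computer Personal store whose friendly name is vdm, that the View Agent service is named wsnm, and that HTTPS runs on the default port 443. The key is imported non-exportable, so a later compromise of the desktop does not hand over a key that is trivially reusable elsewhere, which matters most when the certificate is a wildcard shared by many desktops.

```powershell
# Added example (not VMware code): install a CA-signed certificate for VADC and
# verify it before handing it over. Friendly name "vdm", service name "wsnm" and
# the port are assumptions to confirm against the Administration guide.
param(
    [Parameter(Mandatory)][string]$PfxPath,
    [Parameter(Mandatory)][securestring]$PfxPassword,
    [string]$DesktopFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName,
    [int]$Port = 443
)

$store = 'Cert:\LocalMachine\My'

# 1. Import with a non-exportable private key (the default for Import-PfxCertificate).
$imported = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation $store -Password $PfxPassword
$cert = Get-Item (Join-Path $store $imported.Thumbprint)   # store-backed object, so edits persist

# 2. The whole point is to get rid of the temporary self-signed certificate,
#    so refuse one that was issued to itself.
if ($cert.Subject -eq $cert.Issuer) {
    throw 'Imported certificate is self-signed; a CA-signed certificate is required'
}

# 3. Validate it the way a client will: trusted chain, not expired, and the
#    name users type (or a matching wildcard) present in the certificate.
if (-not (Test-Certificate -Cert $cert -Policy SSL -DNSName $DesktopFqdn -ErrorAction SilentlyContinue)) {
    throw "Certificate does not validate for $DesktopFqdn (name mismatch, untrusted chain, or expired)"
}

# 4. Demote any previous "vdm" certificate so only the new one carries the name.
Get-ChildItem $store |
    Where-Object { $_.FriendlyName -eq 'vdm' -and $_.Thumbprint -ne $cert.Thumbprint } |
    ForEach-Object { $_.FriendlyName = 'vdm-old' }
$cert.FriendlyName = 'vdm'

# 5. VADC (re)binds the certificate in HTTP.SYS when View Agent starts. This
#    restart drops any active session on the desktop, so do it from the master
#    image or in a maintenance window.
Restart-Service -Name wsnm
netsh http show sslcert ipport=0.0.0.0:$Port    # expect the new thumbprint here
```

After the restart, connect with View Client using the same FQDN passed to the script; a certificate warning at that point almost always means the name in the client does not match a SAN entry in the certificate rather than a problem with the import.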
For more information, see Replacing the Default Self-Signed SSL Server Certificate in the VMware Horizon View Agent Direct-Connection Plug-In Administration guide.
Where Can I Get More Information?
For further information, refer to the VMware Horizon View Agent Direct-Connection Plug-In Administration guide.
See also the following two new videos:
You can also use the VMware Horizon View Community Forum to post questions about this or any other component or feature of VMware Horizon View.
VMware Horizon View customers can download the software from here – VMware Horizon View Agent Direct-Connection 5.3 download.
By Mark Benson, Senior Staff Engineer and Senior Horizon View Architect, VMware End-User Computing CTO Office