By Gang Si, Senior Member of the Technical Staff, End-User Computing, VMware
As you may know, VMware Horizon with View has supported redirection of USB devices to VDI desktops for a long time. Now, for the first time, View has the capability of redirecting USB storage devices to RDSH desktops and applications. This feature is supported on Windows Server 2012 and later.
For RDSH desktops and apps, multiple users can log in to the same RDSH server at the same time, but each redirected USB storage device is isolated to the session of the individual who plugged the USB device into their endpoint. Nobody but the user who plugged in the redirected device can use it or even see it.
Client UI
The client UI for USB redirection in RDSH desktops is the same as the client UI in VDI desktops.
Figure 1: USB Redirection Drop-Down Menu for Desktops
The client UI for USB redirection in RDSH apps is different from the client UI in VDI desktops. To open the app contextual menu, the end user launches the application. After the application is launched, the user returns to the desktop and application selection screen and right-clicks the application icon. In Figure 2, the application contextual menu for Notepad is seen.
Figure 2: Application Contextual Menu
The user selects Settings from the application contextual menu to open the settings dialog box, as seen in Figure 3. The user can alternatively launch the settings dialog box by right-clicking the Horizon Client icon from the system tray and selecting Settings.
Figure 3: Settings Dialog Box
When the user clicks USB Devices in the left panel of the settings window, the available USB storage devices are shown in the middle panel. The user selects the device they want to redirect to Notepad and then clicks Connect.
They are presented with a list of open applications to which the USB device can be connected.
Figure 4: Application Selection Dialog Box
In this example, the user selects Notepad and clicks OK to redirect the device to Notepad. In Notepad, the user will then be able to click File > Open to browse the files on the redirected USB storage device.
The redirected USB storage device belongs to the user’s Windows session, not to the specific application. If the user launches another application later on, and that application is hosted from the same RDSH server, that application can also have access to the redirected USB storage device. The user can see the open applications in the right panel of the settings dialog box. In Figure 5, both Notepad and WordPad have access to the same Kingston USB device.
Figure 5: USB Redirection in Settings Dialog Box
Depending on the Horizon with View configuration, you might have an application that cannot access an already-redirected USB storage device. This is because the application does not come from the same RDSH server. In order for the new application to access the device, the device must first be disconnected from the applications already using it on the other RDSH server. To disconnect the device, click Disconnect. In Figure 5, clicking Disconnect disconnects the Kingston USB device from Notepad and WordPad.
Device Filtering and Splitting
In some cases, you might want to allow only specific USB storage devices to be redirected. You achieve this by configuring Global Policy Object (GPO) settings for View and applying them to either the RDSH server or one or more client machines.
You can allow USB storage devices with only certain vendor and device IDs to be redirected. For example, to allow only USB storage devices with vendor ID 0123 and device ID abcd to be redirected, you need to remove the IncludeFamily value under HKLM\SOFTWARE\Policies\VMware, Inc.\VMware VDM\Agent\USB from the RDSH server registry and use these GPO settings for the RDSH server:
ExcludeAllDevices Enabled
IncludeVidPid o:vid-0123_pid-abcd
If you want to control the device redirection on a specific client machine, remove the o: value. For example, to allow only USB storage devices with vendor ID 0123 and device ID abcd to be redirected, apply these GPO settings to the desired client machine:
ExcludeAllDevices Enabled
IncludeVidPid vid-0123_pid-abcd
You can also block certain devices but allow all other devices to be redirected. For detailed information on device filtering, refer to the white paper USB Device Redirection, Configuration, and Usage in VMware Horizon with View.
If you have a composite device that has a storage interface and a HID interface, you need to use the device-splitting rule. The device-splitting rule can be configured through GPO settings for View. To determine the necessary GPO settings, look at the client log.
For example, in the log you might see:
[vmware-view-usbd] DevFltr: Device id: Vid-0123_Pid-abcd
[vmware-view-usbd] DevFltr: Interface count: 2
[vmware-view-usbd] DevFltr: Interface [0] – Family(s): Storage
[vmware-view-usbd] DevFltr: Interface [1] – Family(s): hid
In this example, use the following GPO setting on a specific client machine:
IncludeVidPid vid-0123_pid-abcd
SplitVidPid vid-0123_pid-abcd(exintf:01)
For more detail on device splitting, as well as the location of the client log, refer to the white paper USB Device Redirection, Configuration, and Usage in VMware Horizon with View.
What You Need
In order to make use of USB redirection and splitting, you must do all of the following:
- Install or upgrade to View Agent 6.1 or later, and select the USB redirection feature, which is not selected by default.
- Install or upgrade to Horizon Client 3.3 or later, and select the USB redirection feature, which is selected by default.
- Set the USB access policy in View Global Policies to Allow.
Note: USB CD-ROM drives are not supported. Secure disks that require unlocking before accessing are not supported.
Conclusion
With this new feature, a user can redirect a USB storage device plugged into their endpoint to their own RDSH desktop or RDSH application session. In parallel, other users can plug in their own USB storage devices to their endpoints and redirect them to their own RDSH desktop or application sessions. This redirection feature ensures that each USB storage device is isolated to its own user session and guarantees exclusive and secure access for that user.
Useful Links
There are several additional blog articles that you might find useful.