VMware Horizon By Product Technical Guides

USB Redirection of Storage Devices in Horizon with View for RDSH Desktops and Apps

By Gang Si, Senior Member of the Technical Staff, End-User Computing, VMware

As you may know, VMware Horizon with View has supported redirection of USB devices to VDI desktops for a long time. Now, for the first time, View has the capability of redirecting USB storage devices to RDSH desktops and applications. This feature is supported on Windows Server 2012 and later.

For RDSH desktops and apps, multiple users can log in to the same RDSH server at the same time, but each redirected USB storage device is isolated to the session of the individual who plugged the USB device into their endpoint. Nobody but the user who plugged in the redirected device can use it or even see it.

Client UI

The client UI for USB redirection in RDSH desktops is the same as the client UI in VDI desktops.

VMware_RDSH_USB_redirection_UI
Figure 1: USB Redirection Drop-Down Menu for Desktops

The client UI for USB redirection in RDSH apps is different from the client UI in VDI desktops. To open the app contextual menu, the end user launches the application. After the application is launched, the user returns to the desktop and application selection screen and right-clicks the application icon. In Figure 2, the application contextual menu for Notepad is seen.

VMware_RDSH_App_contextual_menu
Figure 2: Application Contextual Menu

The user selects Settings from the application contextual menu to open the settings dialog box, as seen in Figure 3. The user can alternatively launch the settings dialog box by right-clicking the Horizon Client icon from the system tray and selecting Settings.

VMware_Horizon_Client_Menu
Figure 3: Settings Dialog Box

When the user clicks USB Devices in the left panel of the settings window, the available USB storage devices are shown in the middle panel. The user selects the device they want to redirect to Notepad and then clicks Connect.

They are presented with a list of open applications to which the USB device can be connected.

VMware_Horizon_Client_App_Dialogue
Figure 4: Application Selection Dialog Box

In this example, the user selects Notepad and clicks OK to redirect the device to Notepad. In Notepad, the user will then be able to click File > Open to browse the files on the redirected USB storage device.

The redirected USB storage device belongs to the user’s Windows session, not to the specific application. If the user launches another application later on, and that application is hosted from the same RDSH server, that application can also have access to the redirected USB storage device. The user can see the open applications in the right panel of the settings dialog box. In Figure 5, both Notepad and WordPad have access to the same Kingston USB device.

VMware_USB_redirection_settings_dialog
Figure 5: USB Redirection in Settings Dialog Box

Depending on the Horizon with View configuration, you might have an application that cannot access an already-redirected USB storage device. This is because the application does not come from the same RDSH server. In order for the new application to access the device, the device must first be disconnected from the applications already using it on the other RDSH server. To disconnect the device, click Disconnect. In Figure 5, clicking Disconnect disconnects the Kingston USB device from Notepad and WordPad.

Device Filtering and Splitting

In some cases, you might want to allow only specific USB storage devices to be redirected. You achieve this by configuring Global Policy Object (GPO) settings for View and applying them to either the RDSH server or one or more client machines.

You can allow USB storage devices with only certain vendor and device IDs to be redirected. For example, to allow only USB storage devices with vendor ID 0123 and device ID abcd to be redirected, you need to remove the IncludeFamily value under HKLM\SOFTWARE\Policies\VMware, Inc.\VMware VDM\Agent\USB from the RDSH server registry and use these GPO settings for the RDSH server:

ExcludeAllDevices   Enabled
IncludeVidPid       o:vid-0123_pid-abcd

If you want to control the device redirection on a specific client machine, remove the o: value.  For example, to allow only USB storage devices with vendor ID 0123 and device ID abcd to be redirected, apply these GPO settings to the desired client machine:

ExcludeAllDevices   Enabled
IncludeVidPid       vid-0123_pid-abcd

You can also block certain devices but allow all other devices to be redirected. For detailed information on device filtering, refer to the white paper USB Device Redirection, Configuration, and Usage in VMware Horizon with View.

If you have a composite device that has a storage interface and a HID interface, you need to use the device-splitting rule. The device-splitting rule can be configured through GPO settings for View. To determine the necessary GPO settings, look at the client log.

For example, in the log you might see:

[vmware-view-usbd] DevFltr: Device id: Vid-0123_Pid-abcd
[vmware-view-usbd] DevFltr: Interface count: 2
[vmware-view-usbd] DevFltr: Interface [0] – Family(s): Storage
[vmware-view-usbd] DevFltr: Interface [1] – Family(s): hid

In this example, use the following GPO setting on a specific client machine:

IncludeVidPid vid-0123_pid-abcd
SplitVidPid vid-0123_pid-abcd(exintf:01)

For more detail on device splitting, as well as the location of the client log, refer to the white paper USB Device Redirection, Configuration, and Usage in VMware Horizon with View.

What You Need

In order to make use of USB redirection and splitting, you must do all of the following:

  • Install or upgrade to View Agent 6.1 or later, and select the USB redirection feature, which is not selected by default.
  • Install or upgrade to Horizon Client 3.3 or later, and select the USB redirection feature, which is selected by default.
  • Set the USB access policy in View Global Policies to Allow.

Note: USB CD-ROM drives are not supported. Secure disks that require unlocking before accessing are not supported.

Conclusion

With this new feature, a user can redirect a USB storage device plugged into their endpoint to their own RDSH desktop or RDSH application session. In parallel, other users can plug in their own USB storage devices to their endpoints and redirect them to their own RDSH desktop or application sessions. This redirection feature ensures that each USB storage device is isolated to its own user session and guarantees exclusive and secure access for that user.

Useful Links

There are several additional blog articles that you might find useful.