VMware Horizon View and HTML access (Blast protocol)

With the release of the VMware Horizon View Feature Pack 1 for VMware Horizon View 5.2 it is possible to connect to your View desktop with HTML5, without installing additional software. The new HTML5 protocol is called Blast. Connecting with the Blast HTML protocol can be handy when you are on a device that does not have the VMware View client installed.

The VMware Horizon View Feature Pack 1 contains the following two main components:

  • Remote Experience Agent installer
  • HTML Access installer

Remote Experience Agent installer contains:

  • HTML Access Agent: The HTML Access Agent allows users to connect to Horizon View desktops by using HTML Access
  • Unity Touch: With Unity Touch, tablet and smartphone users can easily browse, search, and open Windows applications and files, choose favorite applications and files, and switch between running applications, all without using the Start menu or Taskbar. Unity Touch requires a VMware View Client.

This component is installed on the View desktop (XP SP3, Windows Vista (32-bit), Windows 7 or 8).

HTML Access installer: This installer configures View Connection Server instances to allow users to select HTML Access to connect to desktops. After you run the HTML Access installer, the View Portal displays an HTML Access icon in addition to the View Client icon.

This component is installed on the Blast Secure Gateway, known as the View Connection Server (not the Security Server).

Here is an overview of the components and the firewall ports that need to be opened:

VMware Blast

A single security server can support up to 100 simultaneous connections to Web clients using the Blast protocol. For a complete list and drawing of the firewall ports that need to be opened in a VMware View Security Server environment, see my earlier post here.

In View Administrator, connections that use the Blast protocol can be monitored.

Unity Touch is supported on the following Horizon View Client versions:

  • Horizon View Client for iOS 2.0 or later
  • Horizon View Client for Android 2.0 or later

Unity Touch is supported on the following mobile device operating systems:

  • iOS 5.0 and later
  • Android 3 (Honeycomb)

The following Web browsers are supported:

  • Chrome 22 or later
  • Internet Explorer 9 or later
  • Safari 5.1.7 or later
  • Firefox 16 or later
  • Mobile Safari on iOS devices running iOS 6 or later

Don’t expect the Blast protocol to offer:

  • The same performance as PCoIP!
  • USB and multimedia redirection
  • ThinPrint support

But the Blast HTML protocol can be handy when you are on a device that does not have the VMware View client installed.

Screenshots: View Portal (choose between the View Client or HTML Access); HTML Access logon screen; Unity Touch from an iPhone.

Tips for implementing a VMware Horizon View Security Server

A security server is a special instance of View Connection Server that runs a subset of View Connection Server functions. You can use a security server to provide an additional layer of security between the internet and your internal network. A security server resides within a DMZ and acts as a proxy host for connections inside your trusted network. 

Setting up a VMware Horizon View Security Server can be a challenging task because you have to deal with firewalls and a number of ports that need to be opened between the servers. Here are some tips for implementing a VMware Horizon View Security Server:

  • A Security server resides within a DMZ
  • The security server is not a member of the Active Directory
  • Create or obtain a signed certificate for the Security Server from a trusted Certificate Authority. More information about the certificate options can be found here.
  • To allow tunneling of the PCoIP protocol from the Security Server to a Connection Server, configure the PCoIP Secure Gateway. More info can be found here.
  • Verify that Windows Firewall with Advanced Security is set to on in the active profiles. It is recommended that you turn this setting to on for all profiles. By default, IPsec rules govern connections between security server and View Connection Server and require Windows Firewall with Advanced Security to be enabled.
  • Back-end firewalls must be set up to support IPsec. If you have a back-end firewall between security servers and View Connection Server instances, you must configure firewall rules to allow the connections to work. More information: see “Configuring a Back-End Firewall to Support IPsec” in the View Installation guide.
  • Windows Firewall with Advanced Security must be enabled on Security Server and View Connection Server hosts. By default, IPsec rules govern connections between the View security server and View Connection Server and require Windows Firewall with Advanced Security to be enabled. Best choice: set Windows Firewall with Advanced Security to on before you install the View servers. Make sure it’s on for any active profiles; better still, set it to on for all profiles. Alternative: before you install security servers, open View Administrator and disable the Global Setting, Use IPsec for Security Server Connections, by setting it to no. (This is not recommended.)


  • The firewall rules that need to be used can be found here. I made a drawing (based on VMware Horizon View Security Server version 5.2) of a single View Security Server that lists the ports and rules that need to be opened between the servers:

VMware View firewall ports

 

(*1) HTML Access uses TCP port 8443 for client connections to the Blast Secure Gateway

(*2) Enable this port for firewalls that use NAT. For non-NAT firewalls use the ESP protocol.

(*3) Enable this port if you use VMware Horizon View HTML Access. Security servers connect to View desktops on HTTPS port 22443 to communicate with the Blast agent.
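An added example (not from the original post or from VMware) that checks two of the tips above on a Security Server or View Connection Server host: the Windows Firewall state of every profile, and reachability of the Blast agent port 22443 from note (*3). The desktop host name is a placeholder, and the `netsh` parsing assumes English-language output.

```powershell
# Added example: pre-install checks for a View security server host.
# Assumptions: English netsh output; $desktop is a placeholder host name.

function Get-FirewallProfileState {
    # Returns a hashtable: profile name -> $true when its State is ON.
    param([string[]]$NetshOutput = (netsh advfirewall show allprofiles state))
    $state = @{}
    $current = $null
    foreach ($line in $NetshOutput) {
        if ($line -match '^(\w+) Profile Settings') {
            $current = $Matches[1]
        } elseif ($current -and $line -match '^State\s+(\S+)') {
            $state[$current] = ($Matches[1] -eq 'ON')
            $current = $null
        }
    }
    return $state
}

function Test-TcpPort {
    # Plain TCP connect with a timeout; works on hosts without Test-NetConnection.
    param([string]$HostName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async)   # throws if the connection was refused
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# Tip: Windows Firewall must be on (ideally for all profiles) for the default IPsec rules.
$fwState = Get-FirewallProfileState
foreach ($name in 'Domain', 'Private', 'Public') {
    if (-not $fwState[$name]) {
        Write-Warning "Windows Firewall is not ON for the $name profile."
    }
}

# (*3) Security server -> View desktop, Blast agent over HTTPS on TCP 22443.
$desktop = 'view-desktop.example.internal'   # placeholder
if (-not (Test-TcpPort -HostName $desktop -Port 22443)) {
    Write-Warning "TCP 22443 to $desktop is not reachable from this host."
}
```

The same `Test-TcpPort` call with port 8443, run from a client network against the Blast Secure Gateway, covers note (*1).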

Display the protocol used on the VMware View desktop background

Sysinternals has a tool called “BgInfo”. With this tool it is possible to display content on a Windows desktop background. For example, environment variable information such as “computer name” and “IP address” can be displayed. This can be very handy when testing, or for people who support the Windows environment.

VMware View 5.1 has the following environment variables available in a desktop session:

  • ViewClient_Broker_DNS_Name
  • ViewClient_Broker_DomainName
  • ViewClient_Broker_Remote_IP_Address
  • ViewClient_Broker_Tunneled
  • ViewClient_Broker_Tunnel_URL
  • ViewClient_Broker_URL
  • ViewClient_Broker_UserName
  • ViewClient_IP_Address
  • ViewClient_LoggedOn_Domainname
  • ViewClient_LoggedOn_Username
  • ViewClient_Machine_Name
  • ViewClient_MAC_Address
  • ViewClient_Protocol
  • ViewClient_Type
  • ViewClient_Windows_Timezone

The View environment variables can be added to BgInfo using the custom field option.


After running BgInfo, the View environment variables are displayed on the desktop background. In this example we added information to the desktop about which protocol (RDP or PCoIP) is used to connect to the View desktop.