One of the great new features of VMware Horizon View 5.3 is the ability for any View Client to connect directly to a Horizon View desktop without using View Connection Server. VMware Horizon View Agent Direct-Connection (VADC) Plug-In enables some important new possibilities and flexibility in the way that Horizon View desktops can be used.
This new feature is intended to allow Horizon View to be deployed to support some specific additional use cases. These use cases include the following:
To support this direct-connection capability, a new Horizon View 5.3 software component called VMware Horizon View Agent Direct-Connection Plug-In (VADC) can be installed on each Horizon View desktop alongside View Agent. This component is essentially a mini View Connection Server on each Horizon View desktop that supports the full capabilities of each View Client (VMware and third-party). Supported capabilities include PCoIP, RDP, USB redirection, sound, 3D, Real-Time Audio-Video (RTAV), Unity Touch, single sign-on, session management, and more.
This diagram shows a View Client connecting directly to a Horizon View desktop virtual machine.
When a user starts View Client, instead of specifying the name or IP address of a View Connection Server or View Security Server, they can specify the name or IP address of the Horizon View desktop itself.
The user logs in as they normally would, either with a local user account or a domain account (if the desktop is joined to an Active Directory domain). Once connected, the user experiences the full capabilities of Horizon View as if they had connected via a View Connection Server.
Installation and configuration are very simple, but the order of the steps and the configuration settings are important. The basic steps are outlined below:
That’s it! You can now start any View Client and specify the name or IP address of this Horizon View desktop. Of course, these installation steps would normally be performed on a master image and provisioned consistently across multiple desktops.
During installation of the Horizon View Agent Direct-Connection Plug-In, you can specify the TCP port on which the HTTPS listener accepts incoming connections from View Clients. Normally you should leave this at the default value of 443. You can also let the installer configure Windows Firewall with an inbound rule that allows this port. The TCP port number can be changed later, if required; if you do change it, remember that the firewall rule must be changed to match, and that View Clients must then specify the port along with the desktop name or address.
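Because the listener, the certificate binding and the firewall rule are set up by separate mechanisms, it is worth confirming all three on the master image before provisioning. The PowerShell script below is an added example, not part of the original post or of VMware's software. It assumes, as the post describes, that VADC's HTTPS listener is registered with HTTP.SYS, so the port and its certificate appear in `netsh http show sslcert`; `$Port` is whatever was chosen in the installer.

```powershell
# Added example (not part of the original post or of VMware's software):
# post-install check, run on the Horizon View desktop itself.
# Assumption: the HTTPS listener is an HTTP.SYS listener, so its port and
# certificate are visible through 'netsh http show sslcert'.
param([int]$Port = 443)   # the HTTPS port chosen in the VADC installer

# 1. Is something accepting TCP connections on the port on this host?
$tcp = New-Object System.Net.Sockets.TcpClient
try {
    $tcp.Connect([System.Net.Dns]::GetHostName(), $Port)
    Write-Host "TCP $($Port): listener present"
} catch {
    Write-Warning "TCP $($Port): nothing is listening (is the View Agent service running?)"
} finally {
    $tcp.Close()
}

# 2. Which certificate has HTTP.SYS bound to that port, and is it usable?
$lines = @(netsh http show sslcert)
$thumbprint = $null
for ($i = 0; $i -lt $lines.Count - 1; $i++) {
    # netsh prints "IP:port : a.b.c.d:443" followed by "Certificate Hash : <40 hex digits>"
    if ($lines[$i] -match "IP:port\s*:\s*\S+:$Port\s*$" -and
        $lines[$i + 1] -match 'Certificate Hash\s*:\s*([0-9A-Fa-f]{40})') {
        $thumbprint = $Matches[1].ToUpper()
    }
}
if (-not $thumbprint) {
    Write-Warning "HTTPS $($Port): no HTTP.SYS SSL binding found; clients will get no TLS handshake"
} else {
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $thumbprint }
    if (-not $cert) {
        Write-Warning "HTTPS $($Port): bound to thumbprint $thumbprint, which is not in LocalMachine\My"
    } elseif (-not $cert.HasPrivateKey) {
        Write-Warning "HTTPS $($Port): certificate $thumbprint has no private key; handshakes will fail"
    } else {
        Write-Host "HTTPS $($Port): bound to '$($cert.Subject)' issued by '$($cert.Issuer)', expires $($cert.NotAfter)"
    }
}

# 3. Is there an enabled inbound allow rule covering the port?
# 'netsh advfirewall' prints one rule per blank-line-separated block.
$blocks = (@(netsh advfirewall firewall show rule name=all dir=in) -join "`n") -split "`n\s*`n"
$allow = $blocks | Where-Object {
    $_ -match 'Enabled:\s*Yes' -and $_ -match 'Action:\s*Allow' -and
    ($_ -match 'Protocol:\s*Any' -or
     ($_ -match 'Protocol:\s*TCP' -and $_ -match "LocalPort:\s*(Any|.*\b$Port\b)"))
}
if ($allow) {
    $allow | ForEach-Object {
        if ($_ -match 'Rule Name:\s*(.+)') { Write-Host "Firewall: inbound allow rule '$($Matches[1].Trim())'" }
    }
} else {
    Write-Warning "Firewall: no enabled inbound allow rule covers TCP $Port; remote View Clients will be blocked"
}
```

Run it in an elevated PowerShell session (the `netsh` queries and the LocalMachine certificate store need administrator rights). A binding whose thumbprint is missing from the store, or a certificate without its private key, is the usual cause of a listener that accepts TCP connections but never completes a TLS handshake.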
There are several other advanced configuration settings for VADC. These can either be managed through Active Directory Group Policy Objects or by making registry updates directly in the Horizon View desktop master image. A full list of these settings is described in the VMware Horizon View Agent Direct-Connection Administration guide.
The guide describes how VADC can be configured for use in an environment that uses NAT (network address translation) and port mapping for client connections so that a single IP address from View Clients can be used for all desktops, and a unique TCP port number can be used to select a specific desktop. The guide also has information about how SSL server certificates can be set up and managed.
No, VADC adds very little overhead: it is tiny, just over 300KB. An important design goal for this feature was to keep the footprint small. There is no additional service and not even an additional process. View Agent supports a plug-in architecture, so VADC is a small, efficient, native-code DLL. It communicates with View Agent through a high-performance, in-process framework channel, and all HTTP(S) handling is performed by the HTTP.SYS kernel-mode driver. Once installed, VADC is loaded automatically when View Agent starts. It relies on existing View Agent functionality for all Horizon View features, and on existing operating-system functionality for HTTP(S) protocol traffic, SSL server certificate handling, and so on.
The filename for the Horizon View Agent Direct-Connection Plug-In is wsnm_xmlapi.dll. The diagram below shows the main modules of this plug-in together with its main interfaces to Microsoft subsystems and to View Agent itself.
Yes, VADC and View Connection Server can be deployed together. Although VADC can be used on its own without View Connection Server, there are several situations where deployments will use both. View Connection Server can provision and manage the desktops while users still connect directly through VADC. A mixed mode is also possible, in which some users get brokered connections via View Connection Server and others connect directly.
Often a branch office deployment with vSphere hosts in each branch will involve View Connection Server running in the datacenter to provision and manage the desktops in each branch. View Client users in the branch can connect directly to local desktops with VADC. This configuration enables optimal performance, with the advantage that wide-area network failures will not prevent users from accessing their desktops.
View Connection Server provides powerful features for machine provisioning and management (in addition to brokering). In general, you should always deploy View Connection Server when it is practical to do so, even in cases where View Clients connect directly with VADC.
There are several ways to tell View Client which desktop to connect to.
If the user knows the name or address of the desktop, they can enter it into the View Client prompt for View Connection Server.
When each virtual desktop is created, a DNS entry can be added to give the desktop a meaningful, easy-to-remember name, such as the username of the desktop owner, e.g., jdoe.vdi.myco.com. The user simply connects to this DNS name each time to get to their virtual desktop.
View Clients support a URI specification allowing the client to launch automatically. The desktop name or address can be included in this URI specification so that the user clicks the URL to launch the installed View Client and connect automatically. A sample URL is below:
When a user clicks the URL above, a View Client connection is made to the virtual desktop jdoe.vdi.myco.com, and a session on the desktop computer jdoe-w7 is launched using the PCoIP protocol.
Thin clients and View Clients in kiosk mode can be configured to connect automatically to their associated virtual desktop at power-on. For example, Teradici Management Console can be used to configure zero clients automatically, giving each client its own IP address as well as the View Connection Server name and address. In this case, the View Connection Server name and address would be those of the associated virtual desktop.
In some use cases, such as many DaaS deployments of Horizon View, brokering is handled by the Desktone tenant appliance, which automatically routes the desktop connection.
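For the DNS-naming option above, the records have to be created when desktops are provisioned and kept correct when a desktop is rebuilt with a new address; a stale record would send the user to whichever machine now holds the old address. The PowerShell below is an added example, not part of the original post. It assumes the DnsServer module (Windows Server 2012 or later, or RSAT) is available, and the zone name, DNS server and owner/IP list are constructed placeholders.

```powershell
# Added example (not part of the original post): one A record per desktop
# owner, created or updated idempotently. Zone, server and data are placeholders.
Import-Module DnsServer

$ZoneName  = 'vdi.myco.com'      # gives names such as jdoe.vdi.myco.com
$DnsServer = 'dns01.myco.com'
$Desktops  = @(                  # constructed sample data: owner -> desktop IP
    @{ Owner = 'jdoe';   IPv4 = '10.20.30.41' },
    @{ Owner = 'asmith'; IPv4 = '10.20.30.42' }
)

foreach ($d in $Desktops) {
    $existing = Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $ZoneName `
                    -Name $d.Owner -RRType A -ErrorAction SilentlyContinue |
                Select-Object -First 1
    if (-not $existing) {
        # New desktop: create the A record, plus a PTR so reverse lookups work
        Add-DnsServerResourceRecordA -ComputerName $DnsServer -ZoneName $ZoneName `
            -Name $d.Owner -IPv4Address $d.IPv4 -CreatePtr
        Write-Host "created   $($d.Owner).$ZoneName -> $($d.IPv4)"
    } elseif ($existing.RecordData.IPv4Address.IPAddressToString -ne $d.IPv4) {
        # Reprovisioned desktop: change the address in place instead of leaving
        # the user pointed at an address that may now belong to another machine
        $updated = $existing.Clone()
        $updated.RecordData.IPv4Address = [System.Net.IPAddress]::Parse($d.IPv4)
        Set-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $ZoneName `
            -OldInputObject $existing -NewInputObject $updated
        Write-Host "updated   $($d.Owner).$ZoneName -> $($d.IPv4)"
    } else {
        Write-Host "unchanged $($d.Owner).$ZoneName -> $($d.IPv4)"
    }
}
```

The name is what the SSL server certificate on the desktop is checked against, so whatever naming scheme is chosen here should match the names or wildcard that the desktop certificates cover.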
Yes. VADC supports NAT and port mapping, which is useful when a NAT and port-mapping device sits between the View Client and the Horizon View desktop. In this case, a single external IP address can front many desktops, with the TCP port number selecting the individual desktop.
Allocating five ports per desktop (to allow for secondary connections such as PCoIP and USB redirection) out of the 65,535 TCP port numbers available on one IP address means that more than 13,000 desktops can be reached through a single external IP address. VADC automatically calculates the external port numbers and supplies them to the client as needed, while each desktop continues to use its standard ports internally. This makes NAT and port-mapping setup straightforward across large numbers of desktops.
For more information on setting up NAT and port mapping, see Using Network Address Translation and Port Mapping in the VMware Horizon View Agent Direct-Connection Plug-In Administration guide.
View Clients validate the SSL server certificate returned when establishing a connection. This gives the user assurance that they are connecting to the intended environment and reduces the possibility of a man-in-the-middle (MITM) attack. In a brokered deployment the SSL server certificate is presented by the View Connection Server, View Security Server, or load balancer. With a direct connection to a desktop running VADC, the certificate is presented by the virtual desktop itself.
When VADC starts for the first time after installation, it automatically generates a self-signed SSL server certificate, in the same way that certificates are generated for View Connection Server and View Security Server. This self-signed certificate should always be considered temporary: a View Client cannot verify it against a trusted CA, so until it is replaced the client has no way to tell the real desktop from an impostor presenting its own self-signed certificate. In a production environment, the self-signed certificate should be replaced by a certificate signed by a trusted Certificate Authority (CA).
With VADC, the SSL server certificate is stored in the standard Windows Certificate Store, so the procedure for installing a CA-signed certificate to replace the self-signed one is exactly the same as for View Connection Server, except that it is done on each desktop machine.
To deploy a CA-signed SSL server certificate onto many virtual desktops, you can use the same wildcard certificate on all desktops or on groups of desktops. It can be installed manually, as part of the machine image, or through an Active Directory certificate enrollment policy. Bear in mind that a wildcard certificate shared across desktops puts the same private key on every one of them, so compromising a single desktop exposes the key that protects all of them; per-machine certificates issued through enrollment policy avoid this at the cost of more certificates to manage.
For more information, see Replacing the Default Self-Signed SSL Server Certificate in the VMware Horizon View Agent Direct-Connection Plug-In Administration guide.
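Whichever certificate is deployed, the outcome that matters is what the client sees when it connects. The PowerShell function below is an added example, not part of the original post or of View Client. Run from a client machine, it fetches the SSL server certificate a VADC desktop presents and reports the two checks that decide trust: whether the certificate chains to a trusted CA (a self-signed certificate fails here) and whether it covers the name the user typed (a wildcard or per-desktop certificate that does not include the desktop name fails here). It reproduces only the standard Windows chain and host-name checks, not View Client's own policy settings; `$DesktopName` and `$Port` are placeholders.

```powershell
# Added example (not part of the original post or of View Client): inspect the
# SSL server certificate a VADC desktop presents, from the client's side.
function Test-VadcServerCertificate {
    param(
        [Parameter(Mandatory = $true)][string]$DesktopName,   # e.g. jdoe.vdi.myco.com
        [int]$Port = 443
    )

    # The callback receives the certificate and the policy errors Windows computed.
    # It accepts unconditionally so the handshake completes and we can inspect;
    # the verdict is formed below, not by the callback.
    $seen = @{ Cert = $null; Errors = $null }
    $handler = {
        param($sender, $certificate, $chain, $sslPolicyErrors)
        $seen.Cert   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $certificate
        $seen.Errors = $sslPolicyErrors
        return $true
    }.GetNewClosure()
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]$handler

    $tcp = New-Object System.Net.Sockets.TcpClient -ArgumentList $DesktopName, $Port
    try {
        $stream = $tcp.GetStream()
        $ssl = New-Object System.Net.Security.SslStream -ArgumentList $stream, $false, $callback
        # The name passed here is what the certificate's subject/SAN is matched against,
        # i.e. what the user typed into View Client.
        $ssl.AuthenticateAsClient($DesktopName)
        $ssl.Dispose()
    } finally {
        $tcp.Close()
    }

    if (-not $seen.Cert) { throw "$DesktopName did not present a server certificate" }
    $cert   = $seen.Cert
    $errors = $seen.Errors

    # RemoteCertificateChainErrors  : no trusted CA in the chain (e.g. VADC's self-signed default)
    # RemoteCertificateNameMismatch : certificate does not cover $DesktopName
    New-Object PSObject -Property @{
        Desktop         = $DesktopName
        Subject         = $cert.Subject
        Issuer          = $cert.Issuer
        NotAfter        = $cert.NotAfter
        Thumbprint      = $cert.Thumbprint
        SelfSigned      = ($cert.Subject -eq $cert.Issuer)
        PolicyErrors    = $errors
        TrustedByClient = ($errors -eq [System.Net.Security.SslPolicyErrors]::None)
    }
}

# Usage (placeholder desktop name):
Test-VadcServerCertificate -DesktopName 'jdoe.vdi.myco.com' | Format-List
```

Two results are worth watching for. Against a freshly installed desktop, `SelfSigned` is true and `PolicyErrors` reports `RemoteCertificateChainErrors`, which is the state that must be fixed before production. After a CA-signed wildcard such as `*.vdi.myco.com` is deployed, the check passes for `jdoe.vdi.myco.com` but a user who connects by IP address, which the post allows, will still see `RemoteCertificateNameMismatch` unless the certificate also lists that address in its Subject Alternative Name.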
See also the following two new videos:
You can also use the VMware Horizon View Community Forum to post questions about this or any other component or feature of VMware Horizon View.
VMware Horizon View customers can download the software from here – VMware Horizon View Agent Direct-Connection 5.3 download.
By Mark Benson, Senior Staff Engineer and Senior Horizon View Architect, VMware End-User Computing CTO Office
Mark Benson is a senior staff engineer for the VMware EUC CTO Office (specializing in desktop and application virtualization technologies such as authentication, security, HA and remote access) and senior…