VMware Horizon FLEX Administration Guide

Horizon FLEX 1.5

This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent editions of this document, see http://www.vmware.com/support/pubs.

EN-001787-00
You can find the most up-to-date technical documentation on the VMware Web site at: http://www.vmware.com/support/

The VMware Web site also provides the latest product updates.

If you have comments about this documentation, submit your feedback to: docfeedback@vmware.com

Copyright 2014, 2015 VMware, Inc. All rights reserved. Copyright and trademark information.

VMware, Inc.
3401 Hillview Ave.
Palo Alto, CA 94304
www.vmware.com
Contents

VMware Horizon FLEX Administration Guide

1 Introducing Horizon FLEX
    Horizon FLEX Components
    About Mirage
    Horizon FLEX Architecture
    Horizon FLEX System Requirements
    Horizon FLEX Network Requirements
    Supported Host and Guest Operating Systems

2 Installing Horizon FLEX
    Horizon FLEX Installation Overview
    Installing and Configuring Mirage Components for Horizon FLEX
    Create a Download Folder for Horizon FLEX Virtual Machine Packages
    Set Up a Certificate for the Horizon FLEX Server by Using OpenSSL
    Configure the IIS SSL Server Certificate for the Horizon FLEX Server
    Configure Active Directory Settings
    Test the Horizon FLEX Admin Console Connection
    Installing the Horizon FLEX Client for End Users
    Create a Mass Deployment Package to Install Fusion Pro
    Provide a Player Pro Installation Package to End Users
    Run an Unattended Player Pro Installation

3 Setting Up Certificates for Horizon FLEX Virtual Machines
    Creating a Trusted Certificates List
    About the PEM Format
    Creating PEM-Format Certificates
    Create and Import the Trusted Certificates List File
    Updating Certificates on the Server
    Using Self-Signed Certificates
    Install a Self-Signed Certificate on a Windows Computer
    Install a Self-Signed Certificate on a Mac
    Using Internal CA Certificates
    Install an Internal Root CA Certificate on a Windows Computer
    Install an Internal Root CA Certificate on a Mac

4 Creating and Deploying Horizon FLEX Virtual Machines
    Horizon FLEX Virtual Machine Deployment Overview
    Create a Source Virtual Machine in Fusion Pro
    Create a Source Virtual Machine in Workstation (Not included in Horizon FLEX)
    Install the Mirage Client In a Source Virtual Machine
    Prepare a Source Virtual Machine to Join an Active Directory Domain
    Compress a Source Virtual Machine Package
    Register a Source Virtual Machine with the Horizon FLEX Policy Server
    Creating Policies and Entitlements
    Configure a General Policy for a Horizon FLEX Image
    Configure a USB Device Policy for a Horizon FLEX Image
    Configure a Custom USB Device Policy for a Horizon FLEX Image
    Update a Policy for a Deployed Horizon FLEX Image
    Entitle a Horizon FLEX Image
    Create a URI to Deploy a Horizon FLEX Virtual Machine

5 Managing Horizon FLEX Virtual Machines
    Manage Horizon FLEX Virtual Machines

6 Maintaining the Horizon FLEX System
    Upgrade from Previous Horizon FLEX Versions

Index
The VMware Horizon FLEX Administration Guide describes how to install and administer VMware Horizon FLEX.

Intended Audience

This information is intended for anyone who wants to install Horizon FLEX. The information is written for experienced Windows system administrators who are familiar with virtual machine technology.
1 Introducing Horizon FLEX

Horizon FLEX is a policy-based, containerized desktop solution that enables IT administrators to create, secure, and manage local desktops for end users. End users work within a restricted virtual machine, called a Horizon FLEX virtual machine, on their own computers. Because Horizon FLEX virtual machines are stored locally, on end-user computers, corporate applications are accessible to offline users.

This chapter includes the following topics:
- Horizon FLEX Components
- Horizon FLEX Architecture
- Horizon FLEX System Requirements
- Horizon FLEX Network Requirements
- Supported Host and Guest Operating Systems

Horizon FLEX Components

Horizon FLEX is a combination of VMware components, including Mirage, Fusion Pro, and Player Pro.

VMware Mirage for Horizon FLEX
    The Mirage Server that is used by Horizon FLEX. The server provides Horizon FLEX virtual machine management. You can manage, back up, and patch virtual machines by using the Mirage for Horizon FLEX layering technology. Use of Mirage for Horizon FLEX is optional. You can also use other image management tools to manage Horizon FLEX virtual machines.

Horizon FLEX Policy Server
    The standard Mirage server with an extension that includes Horizon FLEX-specific functionality. The Horizon FLEX Policy Server is activated after you apply the Horizon FLEX license to Mirage for Horizon FLEX.

Horizon FLEX Admin Console
    The Web management user interface for the Horizon FLEX Policy Server. The Horizon FLEX Admin Console is located in the Mirage Web Manager component. You use the Horizon FLEX Admin Console to perform virtual machine management tasks, including the following:
    - Manage an inventory of virtual machines
    - Browse a list of users and groups in the Active Directory service
    - Entitle users and groups to one or more virtual machines
    - Specify virtual machine policies for a given entitlement
    - Prevent users from accessing virtual machines by using a remote lock
    - Examine virtual machine details and status at any time
Horizon FLEX Client
    The client software that end users use to download the Horizon FLEX virtual machines to their local computers. The clients include VMware Fusion Pro for Mac computers and VMware Player Pro for Windows computers. Fusion Pro and Player Pro are included in the Horizon FLEX package. One license key is provided for both Fusion Pro and Player Pro.

Horizon FLEX Virtual Machine
    The virtual machine that end users run on their own computers. You use Fusion Pro to create source virtual machines for Horizon FLEX virtual machines. Fusion Pro is included in the Horizon FLEX package.

A Horizon FLEX server can support up to 1,000 users.

NOTE You can also use VMware Workstation to create source virtual machines. Workstation is not included in the Horizon FLEX package.

About Mirage

Mirage is integral to the operation and use of Horizon FLEX virtual machines. Horizon FLEX uses a subset of the features available in Mirage:
- Mirage Server
- Mirage Management Server
- Mirage Web Manager
- Mirage Management Console

This document does not describe all of the information pertaining to Mirage. For complete information about Mirage, see the Mirage documentation at https://www.vmware.com/support/pubs/mirage_pubs.html.

Horizon FLEX Architecture

A typical Horizon FLEX deployment includes the Horizon FLEX server, a file server, an HTTPS proxy, a read-only domain controller (RODC), and offsite and onsite end-user systems.

Figure 1-1 shows the relationships between the major components of a Horizon FLEX deployment.
[Figure 1-1. Sample Horizon FLEX Deployment Without Mirage. Components shown: Horizon FLEX Server, Mirage Management Console, Mirage Management Server, File Server, HTTPS Proxy, RODC, DMZ, Offsite Users, Onsite Users]

Horizon FLEX Server

The Horizon FLEX server is composed of the Horizon FLEX Admin Console and the Horizon FLEX Policy Server. The Horizon FLEX server provides the following functionality.
- Assigns Horizon FLEX virtual machines to users and groups from a directory service
- Maintains a record of Horizon FLEX virtual machines in use by individual users
- Provides security certificate management to ensure the secure and trusted communication between the deployed Horizon FLEX virtual machines and the Horizon FLEX server
- Enforces policy settings to the client
- Enables modification of policy settings for a given user and Horizon FLEX virtual machine combination
- Monitors Horizon FLEX virtual machine status

The Mirage Management Console is the graphical user interface used for scalable maintenance, management, and monitoring of deployed endpoints. The Mirage Web Manager mirrors Mirage Management Console functionality.

By default, port 7443 is used by the Horizon FLEX Policy Server for external access, and port 8443 is used by the Mirage Management Server to communicate with the Horizon FLEX Policy Server. You must configure your firewall policies to allow the required ports. For a complete list of ports used by Mirage, see the Mirage documentation at https://www.vmware.com/support/pubs/mirage_pubs.html.

File Server

A file server stores the TAR files that contain the source virtual machine files for Horizon FLEX virtual machines. The file server is located inside the DMZ.
HTTPS Proxy

An HTTPS proxy enables offsite end-user systems to reach the Mirage Management Console. The HTTPS proxy is inside the DMZ.

RODC

An RODC enables office end-user systems to log in to their Horizon FLEX virtual machines and join the Active Directory domain for the first boot up of the VM. An RODC is required only if you are allowing outside users to log in without using a VPN. The RODC is inside the DMZ.

Horizon FLEX System Requirements

Each product in the Horizon FLEX package has certain system requirements.

Mirage for Horizon FLEX
    The system requirements for Horizon FLEX 1.5 are the same as for Mirage 5.4. See the Mirage documentation at https://www.vmware.com/support/pubs/mirage_pubs.html.

Fusion Pro
    Horizon FLEX 1.5 uses Fusion Pro 7.1.2 as the client software for Mac clients. Horizon FLEX 1.5 is not compatible with earlier versions of Fusion Pro. For Fusion Pro hardware and software requirements, see the VMware Horizon FLEX User Guide.

Player Pro
    Horizon FLEX 1.5 uses Player Pro 7.1.2 as the client software for Windows clients. Horizon FLEX 1.5 is not compatible with earlier versions of Player Pro. For Player Pro hardware and software requirements, see the VMware Horizon FLEX User Guide.

Workstation
    Horizon FLEX 1.5 is compatible with Workstation 11.1.2. You can use Workstation to create and open a source virtual machine, but Workstation cannot download a Horizon FLEX virtual machine. Workstation is not included in the Horizon FLEX installation package. For Workstation hardware and software requirements, see the Workstation documentation at https://www.vmware.com/support/pubs/ws_pubs.html.

Horizon FLEX Network Requirements

Horizon FLEX enables end users to run corporate applications even when they are disconnected from the network. Horizon FLEX virtual machines are stored locally for a complete desktop experience that does not require a network connection.
A network connection is required between the Horizon FLEX Policy Server and the Horizon FLEX Client in the following circumstances:
- For the initial download of the Horizon FLEX virtual machine to the user's local computer.
- To register a Horizon FLEX virtual machine that was provided on a USB device or deployed on the user's local computer.
- To receive Horizon FLEX virtual machine restriction and policy updates.

When you register a source virtual machine for a Horizon FLEX virtual machine, you specify a download location URL for a virtual machine package. The download folder must be accessible to end user computers for end users to download virtual machines.
Supported Host and Guest Operating Systems

The local computer on which end users use the Horizon FLEX Client must have a supported host operating system. A Horizon FLEX virtual machine must use a supported guest operating system.

Supported Host Operating Systems

Your end users can run the Horizon FLEX Client and access their Horizon FLEX virtual machine by using a physical computer that has one of the following operating systems.

Table 1-1. Supported Host Operating Systems

Horizon FLEX Client    Supported Operating Systems
Player Pro             Windows 7
                       Windows 8.1 Enterprise
                       Windows Server 2012 R2
                       Windows 8
                       Windows 8.1 Pro
                       NOTE Player Pro supports only 64-bit operating systems.
Fusion Pro             Mac OS X 10.10
                       Mac OS X 10.9

Supported Guest Operating Systems

A Horizon FLEX virtual machine can contain one of the following guest operating systems.
- Windows 7
- Windows 8.1
- Windows XP
- Windows Server 2012 R2
- Windows 2012
- Ubuntu 14.04
2 Installing Horizon FLEX

The Horizon FLEX installation involves installing the Horizon FLEX server and client components, creating folders to store Horizon FLEX virtual machines, preparing Active Directory, setting up certificates, and creating and deploying Horizon FLEX virtual machines.

This chapter includes the following topics:
- Horizon FLEX Installation Overview
- Installing and Configuring Mirage Components for Horizon FLEX
- Create a Download Folder for Horizon FLEX Virtual Machine Packages
- Set Up a Certificate for the Horizon FLEX Server by Using OpenSSL
- Configure the IIS SSL Server Certificate for the Horizon FLEX Server
- Configure Active Directory Settings
- Test the Horizon FLEX Admin Console Connection
- Installing the Horizon FLEX Client for End Users

Horizon FLEX Installation Overview

Horizon FLEX is a combination of VMware components, including Mirage, Fusion Pro, and Player Pro. The Horizon FLEX installation involves installing each of these components and performing additional Horizon FLEX-specific tasks. For a successful Horizon FLEX deployment, you must understand the sequence of required tasks.

Before you install Horizon FLEX, verify that it meets all of the hardware and software requirements, that you have valid licenses, and that you have downloaded the Horizon FLEX component installers from the VMware Horizon FLEX product download page.

You install Horizon FLEX by performing these steps:

1 Install the Mirage system.
  See Installing and Configuring Mirage Components for Horizon FLEX.
2 Set up certificates for Horizon FLEX virtual machines.
  See Chapter 3, Setting Up Certificates for Horizon FLEX Virtual Machines.
3 Create a download folder for storing your Horizon FLEX virtual machine packages.
  See Create a Download Folder for Horizon FLEX Virtual Machine Packages.
4 Add a virtual directory in IIS for your Horizon FLEX virtual machine download folder and edit the site bindings.
  See Configure the IIS SSL Server Certificate for the Horizon FLEX Server.
5 (Optional) Configure Horizon FLEX to synchronize entities in only a selected Active Directory organizational unit (OU).
  See Configure Active Directory Settings.
6 Test the connection to the Horizon FLEX Admin Console.
  See Test the Horizon FLEX Admin Console Connection.
7 Install Horizon FLEX Client on each end-user host, or instruct end users to install Horizon FLEX Client on their own computers.
  See Installing the Horizon FLEX Client for End Users.
8 Create and deploy Horizon FLEX virtual machines.
  See Chapter 4, Creating and Deploying Horizon FLEX Virtual Machines.

Installing and Configuring Mirage Components for Horizon FLEX

The first Horizon FLEX installation step is to install and configure the Mirage system.

The Horizon FLEX package includes the following components:
- VMware Mirage for FLEX (the Mirage Core Software)
- Mirage PowerCLI for Windows
- Mirage Gateway Appliance Software

Download the installation files from the Horizon FLEX Server product download page.

The Mirage deployment involves the installation of the following components.

1 Mirage Management Server
2 Mirage Server
3 Mirage Management Console
4 Mirage Web Manager

To install and configure the Mirage system, follow the installation instructions in the Mirage documentation at https://www.vmware.com/support/pubs/mirage_pubs.html.

When you install the Mirage system, you must select certain options for the Horizon FLEX server to operate correctly.
- The Mirage Server and Mirage console are only required if you are installing the Mirage client in the source virtual machines.
- If placing the virtual machine images on the same system as the Horizon FLEX Server, place the images in the IIS "Default Web" server.
- The Web Management Server and the Mirage Management Server should be installed on the same server. However, the SQL server should be installed on a separate server.
- During Mirage server installation, choose SSL for the Mirage server transport.
  SSL is required to use the Mirage Gateway feature for external access and management of Horizon FLEX systems. Before configuring the Mirage Server for SSL, you must install the server SSL certificate.
- Before you install the Mirage Web Manager, verify that .NET Framework 4.0 is installed on the server.
- The Mirage Management Server must run as a user who has Active Directory read permissions. If you plan to join Horizon FLEX virtual machines to an Active Directory domain, the Mirage Management Server must run as a user who has domain join permissions.
Create a Download Folder for Horizon FLEX Virtual Machine Packages

During the Horizon FLEX virtual machine deployment process, you compress your source virtual machine packages into TAR (.tar) format so that end users can easily download their Horizon FLEX virtual machines. You must create a download folder for storing these TAR files.

1 Create the download folder on the Horizon FLEX server or on another server.
  The download folder does not need to be on the Horizon FLEX server, but the files it contains must be downloadable without any authentication challenge.
2 Assign permissions to the download folder so that users can download the files that it contains.
3 (Optional) Share the download folder with an administrative group, such as Horizon FLEX Admins.
  This can be an administrative group for users to manage Horizon FLEX deployments. This step can make it easier to register your source virtual machines with the Horizon FLEX Policy Server.

What to do next

Create a virtual directory in IIS to allow the Horizon FLEX virtual machines to be downloaded to end-user systems. See Configure the IIS SSL Server Certificate for the Horizon FLEX Server.

Set Up a Certificate for the Horizon FLEX Server by Using OpenSSL

You can create a self-signed certificate for the Horizon FLEX server by using OpenSSL.

Prerequisites

The OpenSSL configuration file is created on the Mirage Gateway Server. See the Mirage documentation at https://www.vmware.com/support/pubs/mirage_pubs.html.

1 At the OpenSSL command prompt, create a certificate:

  $ openssl req -new -days expiration_time -x509 -newkey rsa:2048 -keyout key_filename -out certificate_filename -nodes

  expiration_time represents the number of days that the certificate should be valid, key_filename represents the filename for the key, and certificate_filename represents the new certificate name.
  A self-signed certificate and private key are generated. The certificate uses a 2048-bit RSA key and does not protect the key with a passphrase.
2 When prompted, enter the country name, state name, locality, organization name, and organizational unit name.
3 In the Common Name text box, enter the host name of the Horizon FLEX server to be protected.
  This text box must be completed.
4 Enter the email address.
  The self-signed certificate and associated private key are generated.
5 If the private key must be in .pfx format, enter the following command by using the certificate name and key filename generated in the previous steps:

  $ openssl pkcs12 -export -out output_pfx_filename -inkey key_filename -in certificate_name

  A new password-protected .pfx file is generated that can be deployed on any device that requires .pfx certificates instead of PEM certificates.
Configure the IIS SSL Server Certificate for the Horizon FLEX Server

You must configure the IIS SSL server certificate for the Horizon FLEX server to set the certificate chain from the Horizon FLEX server to the Horizon FLEX virtual machines.

Prerequisites
- Install Mirage for Horizon FLEX. See Installing and Configuring Mirage Components for Horizon FLEX.
- Install the Server SSL Certificate on the Mirage server. See the Mirage documentation at https://www.vmware.com/support/pubs/mirage_pubs.html
- Configure certificate authentication for your Horizon FLEX virtual machines. See Chapter 3, Setting Up Certificates for Horizon FLEX Virtual Machines.
- Create a download folder for your Horizon FLEX virtual machine packages. See Create a Download Folder for Horizon FLEX Virtual Machine Packages.

1 Open IIS Manager.
2 Navigate to VMware Mirage Management Web Site and select rvm.
3 Right-click rvm and select Add Virtual Directory.
4 Type a name in the Alias text box, browse to the folder that you created to contain the Horizon FLEX virtual machine packages, and click OK.
5 Navigate to the root node, the connection node defined for the Mirage server.
6 On the Mirage Home page under IIS, double click Server Certificates.
  The IIS SSL server certificates window opens.
7 Click Import in the right column.
  This step imports the created SSL certificate and assigns a key to identify the certificate.
8 Select VMware Mirage Management Web Site and click Edit Bindings in the right column.
9 Set the HTTPS port to use your Horizon FLEX server certificate and click OK.

Configure Active Directory Settings

When you entitle a Horizon FLEX virtual machine, you add users and groups from your existing Active Directory infrastructure to the entitlement. By default, Horizon FLEX synchronizes your entire Active Directory infrastructure with the Horizon FLEX database. You can optionally configure Horizon FLEX to synchronize only a specific organizational unit (OU).

Prerequisites

Install Mirage for Horizon FLEX. See Installing and Configuring Mirage Components for Horizon FLEX.
1 Start the Horizon FLEX Admin Console.
  a In a Web browser, enter https://webmanagerserver:7443/rvm, where WebManagerServer is the DNS name or IP address of the host where the Mirage Web Manager is installed.
  b Enter the user name and password of a domain account that has access to Mirage.
  c Click Login.
2 In the Horizon FLEX Admin Console, click the General System Settings icon and click Active Directory Settings.
3 Type the OU to synchronize in the Organizational Unit text box.
  As you begin to type in the text box, the available OUs in your Active Directory infrastructure appear in a drop-down menu and you can select the appropriate OU.
4 Click OK to save the OU setting.

The Horizon FLEX server validates the OU to verify that it exists and is accessible. The Horizon FLEX server synchronizes the Active Directory entities that belong only to the OU that you selected, including entities that belong to any child OUs of the selected OU.

Any time you configure a new OU, the Horizon FLEX server deletes the previously synchronized entities from the database and starts a new full synchronization process.

You can configure the policy for client virtual machines so that the power-on password matches the user's Active Directory password after first startup. See Configure a General Policy for a Horizon FLEX Image.

Test the Horizon FLEX Admin Console Connection

You can verify your Horizon FLEX deployment by testing the Horizon FLEX Admin Console connection.

Prerequisites
- Install Mirage for Horizon FLEX. See Installing and Configuring Mirage Components for Horizon FLEX.
- Configure certificate authentication. See Chapter 3, Setting Up Certificates for Horizon FLEX Virtual Machines.

1 Start the Horizon FLEX Admin Console.
  a In a Web browser, enter https://webmanagerserver:7443/rvm, where WebManagerServer is the DNS name or IP address of the host where the Mirage Web Manager is installed.
  b Enter the user name and password of a domain account that has access to Mirage.
  c Click Login.
2 Verify that the Horizon FLEX Admin Console page appears correctly.
  The Images, Policies, Entitlements, and Virtual Machines buttons should be visible in the left navigation panel.
Installing the Horizon FLEX Client for End Users

End users must have the Horizon FLEX Client software installed on their local computers before they can download the Horizon FLEX virtual machines. Supported clients included in the Horizon FLEX package are Fusion Pro for Mac OS X machines and Player Pro for Windows machines.

You can create a mass deployment to install the Horizon FLEX Client on many systems at one time, or you can instruct end users to obtain the Horizon FLEX Client from the VMware Web site and install it themselves. You can also run an unattended Player Pro installation on multiple Windows machines.

Create a Mass Deployment Package to Install Fusion Pro

You can create a Fusion Pro mass deployment package to install Fusion Pro on any number of end-user Macs. You can use standard package deployment tools, including Apple Remote Desktop Admin, to deploy the mass deployment package.

When you configure the mass deployment package, specify your Horizon FLEX license key in the [Volume License] section of the Deploy.ini file and place a copy of the Fusion Pro application in the 00Fusion_Deployment_Items folder.

You can use the optional connectatstartupurl parameter in the [Locations] section of the Deploy.ini file to specify a user name and the host name of your Horizon FLEX server, for example:

  connectatstartupurl = vmware-rvm://johndoe@yourflexserver.com:7443

If no virtual machines are installed on the user's Mac when the user launches Fusion Pro, the Connect dialog box opens and the Server and Username text boxes are prepopulated with the host name and user name that you specified in the connectatstartupurl parameter.

For step-by-step information about creating a mass deployment package, see the VMware knowledge base article at http://kb.vmware.com/kb/2058680.

Provide a Player Pro Installation Package to End Users

You can install Player Pro on end user machines and deploy Horizon FLEX virtual machines by creating a uniform resource identifier (URI).

Using a URI, you can create an email that contains a link that the end user can click to connect to a server and download the Player Pro installer.
When installation is complete, the end user is prompted to connect to a server and download a Horizon FLEX virtual machine.

If Player Pro is already installed, you can create a URI to deploy a Horizon FLEX virtual machine only. See Create a URI to Deploy a Horizon FLEX Virtual Machine.

Prerequisites

Give the end user a password for the server and the Player Pro license key for use with Horizon FLEX.

1 Construct a URI to create a customized Player Pro installation and deployment package.
  The command line has the following structure:

  VMware-player-x.x.x-xxxxxxx.exe /v PLAYER_RVM_URI="vmware-rvm://username@myserver.com:7443"

  Specify the version and build number of the Player Pro .exe file. username is the user's login name and myserver.com is the host name of the server. You must include vmware-rvm:// and :7443 in the server address. Do not include http or https in the server address.
2 Enter link text in an email and enter hyperlink information for the URI.
  You can use any email system to send the link. However, because the format of the URI is not recognized as a standard URL, you must manually enter the hyperlink information.
3 Create an email for the user and enter some link text.
  For example: Your Pro Player Installer File
4 Select the link text, right-click the selected text, and select Hyperlink.
5 Select Link to: Existing File or Web Page.
6 Enter the URI in the Address text box.
  For example: vmware-rvm://johndoe@yourserver.com:7443
  The link is now active.
7 Click OK.
8 Send the email to the user.

If no virtual machines are installed on the user's computer when the user starts Player Pro, the Connect to Server dialog box opens. The Server and Username text boxes are prepopulated with the values that you specified in the URI. The user enters a password and connects to the server to download a Horizon FLEX virtual machine.

Run an Unattended Player Pro Installation

You can use the unattended installation feature of the Microsoft Windows Installer (MSI) to install Player Pro on several Windows hosts without having to respond to wizard prompts. This feature is convenient in a large enterprise.

Prerequisites
- Verify that the host system meets the host system requirements.
- Verify that the host computer has version 2.0 or later of the MSI runtime engine. This version of the installer is available in versions of Windows beginning with Windows XP and is available from Microsoft. See the Microsoft Web site for more information.

1 Log in to the host system as the administrator user or as a user who is a member of the local Administrators group.
  If you log in to the domain, the domain account must also be a local administrator.
2 Extract the administrative installation image from the Player Pro setup file.
  The setup filename is similar to VMware-player-xxxx-xxxx.exe, where xxxx-xxxx is the version and build number. For example:

  setup.exe /s /e install_temp_path

3 Enter the installation command on one line.
  These examples show the options that you can add to the command.
  VMware-player-x.x.x-xxxxxx.exe /s /nsr /v "EULAS_AGREED=1 INSTALLDIR=""path_to_program_directory"" ADDLOCAL=ALL DISABLE_AUTORUN=0 QUICKLAUNCH_SHORTCUT=0 SERIALNUMBER=""xxxxx-xxxxx-xxxxx-xxxxx-xxxxx"" "

  VMware-player-x.x.x-xxxxxx.exe /s /v EULAS_AGREED=1 SERIALNUMBER="xxxxx-xxxxx-xxxxx-xxxxx-xxxxx"

  VMware-player-x.x.x-xxxxxx.exe /s /nsr /v EULAS_AGREED=1 REMOVE=NAT SERIALNUMBER="xxxxx-xxxxx-xxxxx-xxxxx-xxxxx"

  You can use the optional /nsr command to prevent the target machine from rebooting silently.
  You can use the optional INSTALLDIR property to specify a file path for the installation that is different from the default location.

  NOTE The quotation marks around the file path are important. All the MSI arguments are passed with the /v option. The outer quotation marks group the MSI arguments and the inner quotation marks put a quotation mark in that argument.

  You can use the optional REMOVE property to skip the installation of certain features.
3 Setting Up Certificates for Horizon FLEX Virtual Machines

Before you create and deploy Horizon FLEX virtual machines, you must set up certificates to ensure that end users can successfully download and use their virtual machines.

VMware recommends that you use a certificate that is issued by a certificate authority (CA), such as Entrust or Go Daddy, or a third-party certificate, on your Horizon FLEX server. If you are using a self-signed certificate or a certificate from an internal CA instead of a generally trusted certificate, you must take steps to ensure that the certificate is trusted on all end-user computers that will download and use Horizon FLEX virtual machines.

For information about setting up certificates in Mirage for the Horizon FLEX Server, see the Mirage documentation at https://www.vmware.com/support/pubs/mirage_pubs.html.

This chapter includes the following topics:
- Creating a Trusted Certificates List
- Using Self-Signed Certificates
- Using Internal CA Certificates

Creating a Trusted Certificates List

You can create a list of trusted certificates for Horizon FLEX virtual machines and import the list to the Horizon FLEX Policy Server. When you use a trusted certificates list, you do not need to install certificates on end-user hosts.

Using a list of trusted certificates can prevent malicious users from creating their own self-signed certificates for the same hostname and adding those certificates to their host's list of trusted certificates.

When you configure the Horizon FLEX Policy Server to use a trusted certificates list, the client host ignores the host's list of certificates and uses the trusted certificates list to verify server connections instead. If the client host cannot verify a certificate by using the trusted certificates list, the server connection fails.

If the trusted certificates list is empty in the source virtual machine, Player Pro and Fusion Pro authenticate against the host's list of trusted certificates.
To create the trusted certificates list, you export each certificate to a separate file and then concatenate all of the files into a single file. You use the Horizon FLEX Admin Console to import the concatenated certificates file to the Horizon FLEX Policy Server.

You must export certificates in Privacy Enhanced Mail (PEM) format. On Windows systems, the PEM certificate encoding is called Base-64 encoded X.509 (.CER).

Only PEM-encoded certificates are supported. No other certificate format (DER, Serialized Certificate Store/SST, PKCS #12/PFX, PKCS #7/P7B) is accepted.
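The export-and-concatenate step described above, as an added example that is not part of the VMware guide: before the list file is imported, each exported file is checked so that binary (DER, PFX) exports and non-certificate PEM blocks such as private keys are rejected, duplicates are dropped, and line endings are normalized. The function names and the small DER byte strings are constructed for illustration; the structural check confirms only the outer ASN.1 SEQUENCE, not that the data is a valid X.509 certificate.

```python
import base64
import hashlib
import re

# Any PEM block: captures the label and the Base64 body between the markers.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)


def pem_encode(der, label="CERTIFICATE", eol="\n"):
    """Wrap DER bytes in PEM armor with 64-character Base64 lines."""
    b64 = base64.b64encode(der).decode("ascii")
    body = eol.join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----{eol}{body}{eol}-----END {label}-----{eol}"


def is_single_der_sequence(der):
    """True if der is exactly one ASN.1 SEQUENCE with a consistent length."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                       # short-form length
        header, length = 2, first
    else:                                  # long-form length
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        header, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    return len(der) == header + length


def build_trusted_list(files):
    """files maps a file name to its raw bytes; returns the concatenated PEM text."""
    out, seen = [], set()
    for name, raw in files.items():
        try:
            text = raw.decode("ascii")
        except UnicodeDecodeError:
            raise ValueError(f"{name}: binary data, re-export as Base-64 X.509") from None
        blocks = PEM_BLOCK.findall(text)
        if not blocks:
            raise ValueError(f"{name}: no PEM block found")
        for label, body in blocks:
            # A private key must never end up in a file handed to clients.
            if label != "CERTIFICATE":
                raise ValueError(f"{name}: unexpected PEM block '{label}'")
            try:
                der = base64.b64decode("".join(body.split()), validate=True)
            except ValueError:
                raise ValueError(f"{name}: corrupt Base64 content") from None
            if not is_single_der_sequence(der):
                raise ValueError(f"{name}: truncated or malformed DER")
            fingerprint = hashlib.sha256(der).hexdigest()
            if fingerprint in seen:        # skip duplicates across files
                continue
            seen.add(fingerprint)
            out.append(pem_encode(der))    # LF line endings, 64-column body
    return "".join(out)


# Constructed sample data: minimal DER SEQUENCEs, not real certificates.
DER_A = bytes([0x30, 0x03, 0x02, 0x01, 0x05])
DER_B = b"\x30\x81\x80" + bytes(128)
SAMPLE_FILES = {
    "mycert1.pem": pem_encode(DER_A).encode(),
    "mycert2.pem": pem_encode(DER_B, eol="\r\n").encode(),  # CRLF export
    "mycert3.pem": pem_encode(DER_A).encode(),              # duplicate of mycert1
}

if __name__ == "__main__":
    print(build_trusted_list(SAMPLE_FILES), end="")
```
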
About the PEM Format

The PEM format is a standard certificate format that is Base64 encoded.

An example of a PEM-format certificate is as follows:

  -----BEGIN CERTIFICATE-----
  [Base64 certificate body omitted]
  -----END CERTIFICATE-----

When you create a trusted certificates list, you concatenate multiple PEM-format certificates into a single file. Line endings are auto-detected.

The following example shows the format of a concatenated certificates list that contains two certificates.

  -----BEGIN CERTIFICATE-----
  <base64 content here>
  -----END CERTIFICATE-----
  -----BEGIN CERTIFICATE-----
  <base64 content here>
  -----END CERTIFICATE-----

Creating PEM-Format Certificates

You can create PEM-format certificates by downloading the certificate from the CA's Web site or by exporting the certificates from a host system.
For example, you can download certificates for Verisign from the Symantec Web site at https://www.symantec.com/page.jsp?id=roots.

Export a PEM-Format Certificate From a Mac

You can export a PEM-format certificate from a Mac.

Prerequisites

Become familiar with how to use Keychain Access on a Mac. For more information, see the Apple Support Web site at http://support.apple.com.

1 On the Mac, open Keychain Access.
2 From the sidebar, select System Roots.
3 Locate the certificate to export.
4 Select File > Export Items.
5 Select a location to save the certificate and select the Privacy Enhanced Mail (.pem) file format.

Export a PEM-Format Certificate From a Windows System

You can export a PEM-format certificate from a Windows system. On Windows, the PEM certificate encoding is called Base-64 encoded X.509 (.CER).

Prerequisites

Become familiar with how to use Certificate Manager on a Windows system. For more information, see the Microsoft TechNet Web site at http://technet.microsoft.com.

1 On the Windows system, open Certificate Manager (certmgr.exe).
2 Right-click the certificate to export and select All Tasks > Export.
3 Select options in the Certificate Export Wizard.
   a Select Base-64 encoded X.509 (.CER) for the file export format. For the certificate to work with Horizon FLEX, you must choose this option.
   b Provide a location to save the certificate and a file name.
   c Review the settings you selected and click Finish.

The certificate file is saved to the location you indicated.

Create and Import the Trusted Certificates List File

After you export your PEM-format certificates, you must construct the trusted certificate list and import the certificates list file to the Horizon FLEX Policy Server.

Prerequisites

Export each certificate in PEM format. See Creating PEM-Format Certificates, on page 22.

1 To create the trusted certificates list file, concatenate each PEM-format certificate file into a single file. You can use the cat command, or you can copy and paste the contents of the certificate files into a text file. You can safely edit Base64 content in a text editor. For example:
   $ cat mycert1.pem mycert2.pem mycert3.pem > list.pem
2 Start the Horizon FLEX Admin Console.
   a In a Web browser, enter https://webmanagerserver:7443/rvm, where WebManagerServer is the DNS name or IP address of the host where the Mirage Web Manager is installed.
   b Enter the user name and password of a domain account that has access to Mirage.
   c Click Login.
3 In the Horizon FLEX Admin Console, click the General System Settings icon and select Certificates.
4 Click Import, browse to the trusted certificates list file, and click Open to import the file.

Updating Certificates on the Server

When a certificate expires, and a new certificate has an expiration date that is set far into the future, you can add the new certificate as a second certificate to the trusted certificates list in the Horizon FLEX Policy Server.

Adding the new certificate to the trusted certificates list enables all Horizon FLEX virtual machines to download the new certificate. Then, when the certificate switch occurs, all of the Horizon FLEX virtual machines that received the new list of certificates can connect to the Horizon FLEX server and you can remove the old trusted certificate from the policy file.

If you change the server certificate after the Horizon FLEX virtual machines have already been registered and run, then your end users need to verify that the changed certificate is trusted by Fusion Pro or Player Pro. If the new server certificate is self-signed, the Horizon FLEX client does not report the instance status correctly to the Horizon FLEX server. The end user should open the Horizon FLEX virtual machine and click Connect to connect to the server. If the end user receives the Invalid security certificate error message, the end user should confirm with you to verify the certificate is valid and if so, select the Always trust this host with this certificate check box and click Connect Anyway.

Using Self-Signed Certificates

If you do not configure the self-signed certificate into the source virtual machine being prepared, you must install the certificate on each end-user host for Horizon FLEX virtual machines to function correctly.

If the list of certificates is empty in the policy file, Player Pro and Fusion Pro will fall back to authenticating against the host's list of trusted certificates.
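
The following Python code is an added example, not VMware code: it checks exported files before they are concatenated into the trusted certificates list (rejecting PKCS #7, PKCS #12 and private-key material, and re-encoding a binary DER .CER export as PEM) and carries out the add-then-remove rotation described under Updating Certificates on the Server. All function names are assumptions, the format check looks only at ASN.1 framing, and the sample byte strings are constructed stand-ins rather than real certificates.

```python
import base64
import binascii
import hashlib
import re

# One PEM block: BEGIN line, Base64 body, matching END line (LF or CRLF).
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL)
# The first tag inside the outer SEQUENCE separates the container formats.
INNER_TAGS = {0x30: "X.509 certificate", 0x06: "PKCS #7", 0x02: "PKCS #12"}


class CertListError(ValueError):
    """An input cannot go into the trusted certificates list."""


def classify_der(der):
    """Name the structure held in a DER blob from its ASN.1 framing alone."""
    if len(der) < 3 or der[0] != 0x30:
        return "unknown"
    if der[1] < 0x80:                       # short-form length
        header, length = 2, der[1]
    else:                                   # long-form length
        size = der[1] & 0x7F
        if size == 0 or len(der) < 2 + size:
            return "unknown"
        header, length = 2 + size, int.from_bytes(der[2:2 + size], "big")
    if length == 0 or header + length != len(der):
        return "unknown"                    # truncated or trailing bytes
    return INNER_TAGS.get(der[header], "unknown")


def load_certs(data, origin):
    """Return the DER certificates in one exported file, or raise CertListError."""
    if b"-----BEGIN" in data:
        try:
            text = data.decode("ascii")
        except UnicodeDecodeError:
            raise CertListError(f"{origin}: PEM text is not ASCII") from None
        blocks = PEM_BLOCK.findall(text)
        if not blocks or len(blocks) != text.count("-----BEGIN "):
            raise CertListError(f"{origin}: malformed PEM block")
        ders = []
        for label, body in blocks:
            if label != "CERTIFICATE":      # e.g. PRIVATE KEY, PKCS7
                raise CertListError(f"{origin}: {label} block is not a certificate")
            try:
                ders.append(base64.b64decode("".join(body.split()), validate=True))
            except binascii.Error:
                raise CertListError(f"{origin}: invalid Base64") from None
    else:
        ders = [data]                       # binary export such as a DER .CER
    for der in ders:
        kind = classify_der(der)
        if kind != "X.509 certificate":
            raise CertListError(f"{origin}: {kind} data, not a certificate")
    return ders


def to_pem(der):
    """Encode one DER certificate as a PEM block with 64-character lines."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join(["-----BEGIN CERTIFICATE-----", *lines, "-----END CERTIFICATE-----"]) + "\n"


def fingerprint(der):
    """SHA-256 of the DER bytes, used to spot duplicates and to pick a cert to drop."""
    return hashlib.sha256(der).hexdigest()


def build_list(files):
    """Concatenate the certificates in {name: bytes} into one PEM list, no duplicates."""
    seen, out = set(), []
    for name, data in files.items():
        for der in load_certs(data, name):
            if fingerprint(der) not in seen:
                seen.add(fingerprint(der))
                out.append(to_pem(der))
    return "".join(out)


def remove_cert(list_pem, fp):
    """Drop the certificate with fingerprint fp once the switch to the new one is done."""
    keep = [d for d in load_certs(list_pem.encode("ascii"), "list") if fingerprint(d) != fp]
    if not keep:
        # An empty list makes the clients fall back to the host's trusted certificates.
        raise CertListError("refusing to write an empty trusted certificates list")
    return "".join(to_pem(d) for d in keep)


def sample_seq(content):
    """Helper for the constructed samples: wrap bytes in a short-form DER SEQUENCE."""
    return b"\x30" + bytes([len(content)]) + content


# Constructed stand-ins that only carry certificate-like framing; not real certificates.
OLD_DER = sample_seq(sample_seq(b"\x0c\x03old"))
NEW_DER = sample_seq(sample_seq(b"\x0c\x03new"))
P7B_DER = sample_seq(b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x07\x02")  # signedData OID first

if __name__ == "__main__":
    current = build_list({"old.pem": to_pem(OLD_DER).encode("ascii")})
    # Rotation: add the new certificate (a binary .CER export here) as a second entry ...
    both = build_list({"list.pem": current.encode("ascii"), "new.cer": NEW_DER})
    # ... and drop the old one after every virtual machine has received the new list.
    print(remove_cert(both, fingerprint(OLD_DER)), end="")
```

The structural check does not verify signatures, validity dates or chains; inspect each certificate with your usual X.509 tooling before importing the list.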

If you include the self-signed certificate of a source virtual machine on the Horizon FLEX Policy Server, and you configure or install the self-signed certificate for the Horizon FLEX Client (either in the source virtual machine's policy file or in the host's list of trusted certificates), you do not need to install the certificate on end-user hosts when certificate updates are required, for example, when a certificate expires.

For information about configuring certificates into a source virtual machine, see Create a Source Virtual Machine in Fusion Pro, on page 32. For information about creating a trusted certificates list and importing it to the Horizon FLEX Policy Server, see Creating a Trusted Certificates List, on page 21. For information about updating certificates, see Updating Certificates on the Server, on page 24.

Install a Self-Signed Certificate on a Windows Computer

To install a self-signed certificate on a Windows host, you export the certificate from your Horizon FLEX server and import it to the Windows computer.

Prerequisites

Become familiar with how to install and use the MMC Certificates snap-in on a Windows system. For more information, go to the Windows TechNet Web site at http://technet.microsoft.com.
Install Windows IIS.

1 Export the self-signed certificate from your Horizon FLEX server.
   a On the Horizon FLEX server, start MMC (mmc.exe), add the Certificates snap-in for a computer account, and manage certificates for the local computer.
   b Select File > Add/Remove Snap-in.
   c Click the Certificates snap-in and click Add.
   d On the Certificates snap-in display, select Computer account and click Next. This setting is required by the Horizon FLEX server.
   e Select Local Computer and click Finish and then OK.
   f In the left navigation pane, expand Certificates (Local Computer).
   g Right-click on Trusted Root Certification Authorities and select All Tasks > Import. The Certificate Import Wizard opens.
   h Click Next.
   i Browse for the root certificate file and click Next.
   j Select Place all certificates in the following store: Trusted Root Certification Authorities and click Next, then click Finish.
   k Right-click on Intermediate Root Certification Authorities and select All Tasks > Import.
   l The Certificate Import Wizard opens.
   m Browse for the root certificate file and click Next.
   n Select Place all certificates in the following store: Intermediate Root Certification Authorities and click Next, then click Finish.
   o Repeat steps m. and n. for each intermediate certificate to be installed.
   p Navigate to Trusted Root Certification Authorities > Certificates.
   q Select and export the self-signed certificate. Export the certificate in DER-encoded binary X.509 (.CER) format.
2 Copy the self-signed certificate to the client Windows computer.
3 Import the self-signed certificate to the client Windows computer.
   a On the Windows computer, start MMC (mmc.exe).
   b Add the Certificates snap-in for the computer account and manage certificates for the local computer.
   c Import the self-signed certificate into Trusted Root Certification Authorities > Certificates.

The self-signed certificate is now trusted for all users.

Install a Self-Signed Certificate on a Mac

To install a self-signed certificate on a Mac host, you export the certificate from your Horizon FLEX server and import it to the Mac.

Prerequisites

Become familiar with how to install and use the MMC Certificates snap-in on a Windows system. For more information, go to the Windows TechNet Web site at http://technet.microsoft.com.
Become familiar with how to use Keychain Access on a Mac. For more information, go to the Apple Support Web site at http://support.apple.com.
Install Windows IIS.

1 Export the self-signed certificate from your Horizon FLEX server.
   a On the Horizon FLEX server, start MMC (mmc.exe), add the Certificates snap-in for a computer account, and manage certificates for the local computer.
   b Select File > Add/Remove Snap-in.
   c Click the Certificates snap-in and click Add.
   d On the Certificates snap-in display, select Computer account and click Next. This setting is required by the Horizon FLEX server.
   e Select Local Computer and click Finish and then OK.
   f In the left navigation pane, expand Certificates (Local Computer).
   g Right-click on Trusted Root Certification Authorities and select All Tasks > Import. The Certificate Import Wizard opens.
   h Click Next.
   i Browse for the root certificate file and click Next.
   j Select Place all certificates in the following store: Trusted Root Certification Authorities and click Next, then click Finish.
   k Right-click on Intermediate Root Certification Authorities and select All Tasks > Import.
   l The Certificate Import Wizard opens.
   m Browse for the root certificate file and click Next.
   n Select Place all certificates in the following store: Intermediate Root Certification Authorities and click Next, then click Finish.
   o Repeat steps m. and n. for each intermediate certificate to be installed.
   p Navigate to Trusted Root Certification Authorities > Certificates.
   q Select and export the self-signed certificate. Export the certificate in DER-encoded binary X.509 (.CER) format.
2 Copy the self-signed certificate to the Mac.
3 Import the self-signed certificate on the Mac.
   a Double-click the self-signed certificate to open it in Keychain Access. The self-signed certificate appears in login.
   b Copy the self-signed certificate to System. You must copy the certificate to System to ensure that it is trusted by all users and local system processes, including the virtual machine (vmware-vmx) processes in Fusion Pro.
   c Open the self-signed certificate in System, expand Trust, select Use System Default, and save your changes.
   d Reopen the self-signed certificate in System, expand Trust, select Always Trust, and save your changes.
   e Delete the self-signed certificate from login.

Using Internal CA Certificates

If you use a certificate from an internal CA instead of from a commercial CA such as Entrust or Go Daddy, and you do not configure the certificate into the source virtual machine being prepared, you must install the root CA certificate on each end-user host for Horizon FLEX virtual machines to function correctly.

NOTE Because the server certificate is signed by the root CA, you do not need to import the server certificate to end-user hosts.

If the list of certificates is empty in the policy file, Player Pro and Fusion Pro will fall back to authenticating against the host's list of trusted certificates.

If you include the internal CA certificate of a source virtual machine on the Horizon FLEX Policy Server, and you configure or install the certificate for the Horizon FLEX Client (either in the source virtual machine's policy file or in the host's list of trusted certificates), you do not need to install the root CA certificate on end-user hosts when certificate updates are required, for example, when a certificate expires.

For information about configuring certificates into a source virtual machine, see Create a Source Virtual Machine in Fusion Pro, on page 32. For information about creating a trusted certificates list and importing it to the Horizon FLEX Policy Server, see Creating a Trusted Certificates List, on page 21. For information about updating certificates, see Updating Certificates on the Server, on page 24.

Install an Internal Root CA Certificate on a Windows Computer

To install an internal root CA certificate on a Windows host, you export the certificate from your Horizon FLEX server and import it to the Windows computer.

Prerequisites

Become familiar with how to install and use the MMC Certificates snap-in on a Windows system. For more information, go to the Windows TechNet Web site at http://technet.microsoft.com.
Obtain and install an internal CA certificate. You can use the Windows MMC Certificates snap-in to request a certificate.
Install Windows IIS.

1 Export the root CA certificate from your Horizon FLEX server.
   a On the Horizon FLEX server, start MMC (mmc.exe), add the Certificates snap-in for a computer account, and manage certificates for the local computer.
   b Select File > Add/Remove Snap-in.
   c Click the Certificates snap-in and click Add.
   d On the Certificates snap-in display, select Computer account and click Next. This setting is required by the Horizon FLEX server.
   e Select Local Computer and click Finish and then OK.
   f In the left navigation pane, expand Certificates (Local Computer).
   g Right-click on Trusted Root Certification Authorities and select All Tasks > Import. The Certificate Import Wizard opens.
   h Click Next.
   i Browse for the root certificate file and click Next.
   j Select Place all certificates in the following store: Trusted Root Certification Authorities and click Next, then click Finish.
   k Right-click on Intermediate Root Certification Authorities and select All Tasks > Import.
   l The Certificate Import Wizard opens.
   m Browse for the root certificate file and click Next.
   n Select Place all certificates in the following store: Intermediate Root Certification Authorities and click Next, then click Finish.
   o Repeat steps m. and n. for each intermediate certificate to be installed.
   p Navigate to Trusted Root Certification Authorities > Certificates.
   q Select and export the root CA certificate. Export the certificate in DER-encoded binary X.509 (.CER) format.
2 Copy the root CA certificate to the Windows computer.
3 Import the root CA certificate to the Windows computer.
   a On the Windows computer, start MMC (mmc.exe).
   b Add the Certificates snap-in for the computer account and manage certificates for the local computer.
   c Import the root CA certificate into Trusted Root Certification Authorities > Certificates.

The root CA certificate is now trusted for all users.

Install an Internal Root CA Certificate on a Mac

To install an internal root CA certificate on a Mac host, you export the certificate from your Horizon FLEX server and import it to the Mac.

Prerequisites

Become familiar with how to install and use the MMC Certificates snap-in on a Windows system. For more information, go to the Windows TechNet Web site at http://technet.microsoft.com.
Become familiar with how to use Keychain Access on a Mac. For more information, go to the Apple Support Web site at http://support.apple.com.
Install Windows IIS.

1 Export the root CA certificate from your Horizon FLEX server.
   a On the Horizon FLEX server, start MMC (mmc.exe), add the Certificates snap-in for a computer account, and manage certificates for the local computer.
   b Select File > Add/Remove Snap-in.
   c Click the Certificates snap-in and click Add.
   d On the Certificates snap-in display, select Computer account and click Next. This setting is required by the Horizon FLEX server.
   e Select Local Computer and click Finish and then OK.
   f In the left navigation pane, expand Certificates (Local Computer).
   g Right-click on Trusted Root Certification Authorities and select All Tasks > Import. The Certificate Import Wizard opens.
   h Click Next.
   i Browse for the root certificate file and click Next.
   j Select Place all certificates in the following store: Trusted Root Certification Authorities and click Next, then click Finish.
   k Right-click on Intermediate Root Certification Authorities and select All Tasks > Import.
   l The Certificate Import Wizard opens.
   m Browse for the root certificate file and click Next.
   n Select Place all certificates in the following store: Intermediate Root Certification Authorities and click Next, then click Finish.
   o Repeat steps m. and n. for each intermediate certificate to be installed.
   p Navigate to Trusted Root Certification Authorities > Certificates.
   q Select and export the root CA certificate. Export the certificate in DER-encoded binary X.509 (.CER) format.
2 Copy the root CA certificate to the Mac.
3 Import the root CA certificate on the Mac.
   a Double-click the root CA certificate to open it in Keychain Access. The root CA certificate appears in login.
   b Copy the root CA certificate to System. You must copy the certificate to System to ensure that it is trusted by all users and local system processes, including the virtual machine (.vmx) processes in Fusion.
   c Open the root CA certificate, expand Trust, select Use System Defaults, and save your changes.
   d Reopen the root CA certificate, expand Trust, select Always Trust, and save your changes.
   e Delete the root CA certificate from login.

Chapter 4 Creating and Deploying Horizon FLEX Virtual Machines

You can create multiple Horizon FLEX virtual machines and entitle those virtual machines to a variety of end users, including Mac users. Users can be connected or disconnected from the enterprise network when they use their Horizon FLEX virtual machines.

When you create a source virtual machine for a Horizon FLEX virtual machine, you must select certain options for the virtual machine to function correctly with Horizon FLEX. You can use Fusion Pro or Workstation (not included in the Horizon FLEX package) to create a source virtual machine.

This chapter includes the following topics:

Horizon FLEX Virtual Machine Deployment Overview
Create a Source Virtual Machine in Fusion Pro
Create a Source Virtual Machine in Workstation (Not included in Horizon FLEX)
Install the Mirage Client In a Source Virtual Machine
Prepare a Source Virtual Machine to Join an Active Directory Domain
Compress a Source Virtual Machine Package
Register a Source Virtual Machine with the Horizon FLEX Policy Server
Creating Policies and Entitlements
Create a URI to Deploy a Horizon FLEX Virtual Machine

Horizon FLEX Virtual Machine Deployment Overview

To deploy a Horizon FLEX virtual machine, you perform tasks in a specific order.

1 Create and configure a source virtual machine. See Create a Source Virtual Machine in Fusion Pro, on page 32 or Create a Source Virtual Machine in Workstation (Not included in Horizon FLEX), on page 33.
2 (Optional) Prepare the source virtual machine to join an Active Directory domain. See Prepare a Source Virtual Machine to Join an Active Directory Domain, on page 35.
3 Compress the source virtual machine package and save it in your download directory. See Compress a Source Virtual Machine Package, on page 36.
4 Register the source virtual machine with the Horizon FLEX Policy Server. See Register a Source Virtual Machine with the Horizon FLEX Policy Server, on page 37.
5 Create a policy for the Horizon FLEX image and entitle the image to your Active Directory users and groups. See Creating Policies and Entitlements, on page 38.
6 (Optional) Create a URI to deploy the Horizon FLEX virtual machine. See Create a URI to Deploy a Horizon FLEX Virtual Machine, on page 44.

Create a Source Virtual Machine in Fusion Pro

You can use Fusion Pro to create a source virtual machine for a Horizon FLEX virtual machine. When you create a source virtual machine, you must set encryption and restriction information so that the virtual machine functions correctly with Horizon FLEX.

You can also use Workstation to create a source virtual machine. Workstation is not included in the Horizon FLEX package.

If you enable USB device use, drag and drop, and copy and paste features when you create the virtual machine, you can set policies in the Horizon FLEX Admin Console to enable or disable these features for end users. However, if you disable these features when you create the virtual machine, you cannot override the virtual machine settings to enable the features by setting policies.

Prerequisites

Become familiar with how to create a virtual machine in Fusion Pro. See the Fusion documentation at https://www.vmware.com/support/pubs/fusion_pubs.html.
Become familiar with the supported guest operating systems for Horizon FLEX virtual machines. See Supported Host and Guest Operating Systems, on page 11.
Install Fusion Pro with a Horizon FLEX license key.

1 Open Fusion Pro and create a virtual machine. Select a guest operating system that is supported for Horizon FLEX virtual machines. Configure the virtual machine for distribution to your end users.
2 From the Virtual Machine Library, select the new virtual machine and select Settings > Encryption & Restrictions.
3 Select Enable Encryption and set a password for opening the virtual machine. The password must be six characters or longer. You must give this encryption password to your end users to enable them to open the virtual machine. You must retain the encryption password. You cannot access the virtual machine without this password.
4 Check Enable Restrictions and set a password for editing the restrictions on the virtual machine. This password should be different than the virtual machine encryption password. You must retain the restrictions password. You cannot edit the restrictions on the virtual machine without this password.
5 Click Configure. The restrictions configuration window opens.
6 Set the Restriction Type to Managed. You must set the restriction type to Managed to distribute and use the virtual machine with Horizon FLEX.
7 Type the URL of the Horizon FLEX server on which you intend to host the virtual machine in the Restrictions Management Server text box.
8 Click Check Server to verify the Horizon FLEX server URL.
9 (Optional) To add trusted certificates to the virtual machine, click the + button and navigate to the location of each certificate file. If you add certificates to the virtual machine, the Horizon FLEX Client uses the certificates in the virtual machine and does not use the certificates on the host. To do certificate control and setup on the Horizon FLEX Policy Server for all Horizon FLEX virtual machines, leave the certificates box blank.
10 Click Save.
11 Click the Lock icon to prevent further changes to the restrictions of the virtual machine. You can edit restrictions for the virtual machine by using the restrictions password.

What to do next

If you intend to join the Horizon FLEX virtual machine to an Active Directory domain, prepare the virtual machine to join the domain. See Prepare a Source Virtual Machine to Join an Active Directory Domain, on page 35.

To install the Mirage client in the source virtual machine, see Install the Mirage Client In a Source Virtual Machine, on page 34.

Create a Source Virtual Machine in Workstation (Not included in Horizon FLEX)

You can use Workstation 11 to create a source virtual machine for a Horizon FLEX virtual machine. Workstation is not included in the Horizon FLEX package. A Horizon FLEX license key for Workstation is not required.

Prerequisites

Review how to create a virtual machine in Workstation. See the Workstation documentation at https://www.vmware.com/support/pubs/ws_pubs.html
Review the supported guest operating systems for Horizon FLEX virtual machines. See Supported Host and Guest Operating Systems, on page 11.
Install Workstation.

1 Open Workstation and create a virtual machine.
2 Install the guest OS. Select a guest operating system that is supported for Horizon FLEX virtual machines. Configure the virtual machine for distribution to your end users.
3 Encrypt and restrict the virtual machine. Select the virtual machine and select VM > Settings.
4 On the Options tab, select Access Control.
5 Click Encrypt, type an encryption password, and click Encrypt. The encryption password is required to gain access to the virtual machine. It does not prevent the user from changing the virtual machine configuration. Turn on restrictions and enter a password to prevent the user from changing the virtual machine configuration.
   IMPORTANT Record the encryption password you use. If you forget the password, Workstation does not provide a way to retrieve it.
   Workstation begins encrypting the virtual machine. After the encryption process is complete, you can set a restrictions password.
6 Select the Enable Restrictions check box and set a password for editing the restrictions on the virtual machine. Set a different password than the virtual machine encryption password. You must retain the restrictions password. You cannot edit the restrictions on the virtual machine without this password.
7 Set the Restriction Type to Managed. You must set the restriction type to Managed to distribute and use the virtual machine with Horizon FLEX.
8 Enter the URL of the Horizon FLEX server on which you intend to host the virtual machine in the Restrictions Management Server text box.
9 Click Check Server to verify the Horizon FLEX server URL.
10 (Optional) To add trusted certificates to the virtual machine, click the Manage Certificates icon and navigate to the location of each certificate file. If you add certificates to the virtual machine, the Horizon FLEX Client uses the certificates in the virtual machine and does not use the certificates on the host. To do certificate control and setup on the Horizon FLEX Policy Server for all Horizon FLEX virtual machines, leave the certificates box blank.
11 Click Save.

What to do next

If you intend to join the Horizon FLEX virtual machine to an Active Directory domain, prepare the virtual machine to join the domain. See Prepare a Source Virtual Machine to Join an Active Directory Domain, on page 35.

To install the Mirage client in the source virtual machine, see Install the Mirage Client In a Source Virtual Machine, on page 34.

Install the Mirage Client In a Source Virtual Machine

If the source virtual machine has a Windows guest operating system, you can install the Mirage client in the virtual machine. Installing the Mirage client is optional.

If you install the Mirage client in a source virtual machine, you can select disaster recovery scenarios when you entitle the virtual machine. For example, you can select an option to make the Mirage server create a CVD for the Horizon FLEX virtual machines that the end user downloads. Mirage periodically synchronizes end-user data into the datacenter based on the selected Mirage policy. You can use this data to restore the CVD or access files on the virtual machine by using the Mirage File Portal in the main Mirage Management Console.

In the Mirage Management Console, configure Mirage to create new CVDs whenever an end user downloads and logs into a new Horizon FLEX virtual machine. In the CVD Auto Creation settings, enable the Enable Automatic CVD Creation setting. See the VMware Mirage Administrator's Guide for more information.

Prerequisites

Create the source virtual machine. See Create a Source Virtual Machine in Fusion Pro, on page 32 or Create a Source Virtual Machine in Workstation (Not included in Horizon FLEX), on page 33.
Obtain the VMware Mirage Installation Guide for Mirage client installation instructions.

1 In Fusion Pro, start the source virtual machine and log in to the guest operating system.
2 Install the latest version of VMware Tools.
   a From the menu bar, select Virtual Machine > Install VMware Tools.
   b Click Next to progress through the installation.
   c Select Complete, unless you need to exclude certain features of VMware Tools, and click Next.
   d Click Install.
   e When the installation finishes, click Yes to restart the virtual machine.
3 Install the Mirage client.
4 In the Mirage Management Console, verify that the endpoint appears as Pending Assignment.
5 Power off the source virtual machine in Mirage while it is in Pending Assigning state. Do not provide the username and password, and do not register the source virtual machine at the Mirage client prompt. If you do register the source virtual machine with Mirage, the Horizon FLEX virtual machine will be duplicated when the end user accesses it.

Prepare a Source Virtual Machine to Join an Active Directory Domain

If you intend to join a Horizon FLEX virtual machine to a specific Active Directory domain, you must prepare the source virtual machine to join the domain before you register it with the Horizon FLEX Policy Server.

Prerequisites

Create a source virtual machine. See Create a Source Virtual Machine in Fusion Pro, on page 32 or Create a Source Virtual Machine in Workstation (Not included in Horizon FLEX), on page 33.
NOTE Do not install Windows 7 Home edition or a non-Windows guest operating system in the source virtual machine. You cannot join a Windows 7 Home edition operating system or a non-Windows guest operating system to a domain.
Verify that you have the administrator password for the source virtual machine.
In the Horizon FLEX Admin Console, set the policy for the virtual machine to join the Active Directory domain.
The Horizon FLEX administrator account must have permission to create objects in the Active Directory.
An RODC must be installed in the DMZ.
Configure the Active Directory to support the domain join.

1 In Fusion Pro, start the source virtual machine and log in to the guest operating system.
2 (Optional) Turn off Windows update.
3 Install the latest version of VMware Tools.
   a From the menu bar, select Virtual Machine > Install VMware Tools.
   b Click Next to progress through the installation.
   c Select Complete, unless you need to exclude certain features of VMware Tools, and click Next.
   d Click Install.
   e When the installation finishes, click Yes to restart the virtual machine.
4 Run install-rvmsetup.cmd as an administrator to install the VMware RVM Setup Service in the source virtual machine. The VMware RVM Setup Service performs the domain join operation. install-rvmsetup.cmd is included with VMware Tools.
5 Open the Windows Services snap-in (services.msc) and verify that the VMware RVM Setup Service startup type is set to Automatic.
6 Shut down the source virtual machine.

The VMware RVM Setup Service starts the next time you boot up the source virtual machine.

Compress a Source Virtual Machine Package

You must compress the source virtual machine package in TAR (.tar) format so that end users can easily download the virtual machine. A virtual machine package (sometimes called a bundle) includes all of the virtual machine files that are required to run a virtual machine.

Prerequisites

Create the source virtual machine. See Create a Source Virtual Machine in Fusion Pro, on page 32 or Create a Source Virtual Machine in Workstation (Not included in Horizon FLEX), on page 33.
Create and configure a download folder for your Horizon FLEX virtual machine packages. See Create a Download Folder for Horizon FLEX Virtual Machine Packages, on page 15 and Configure the IIS SSL Server Certificate for the Horizon FLEX Server, on page 16.

1 If the source virtual machine is running, shut it down.
2 In Fusion Pro or Workstation, navigate to the source virtual machine.
3 Select File > Export to TAR and export the source virtual machine package to a TAR file. Remove any spaces from the TAR file name. Removing spaces from the file name can make it easier to connect to the download URL for the virtual machine.
4 Export the TAR file to your Horizon FLEX virtual machine packages download folder.

What to do next

Register the source virtual machine with the Horizon FLEX Policy Server. See Register a Source Virtual Machine with the Horizon FLEX Policy Server, on page 37.

Register a Source Virtual Machine with the Horizon FLEX Policy Server

You must register a source virtual machine with the Horizon FLEX Policy Server as a Horizon FLEX image before you can distribute the virtual machine to end users.

Prerequisites

Compress the source virtual machine files in a TAR (.tar) archive file. See Compress a Source Virtual Machine Package, on page 36.
Verify that your Horizon FLEX virtual machine packages download directory is set up properly. See Create a Download Folder for Horizon FLEX Virtual Machine Packages, on page 15 and Configure the IIS SSL Server Certificate for the Horizon FLEX Server, on page 16.
Verify that restrictions are already set in the source virtual machine's configuration (.vmx) file. If you select a virtual machine that does not have restrictions set, the Horizon FLEX Policy Server rejects the .vmx file as invalid. For information about setting restrictions in a virtual machine, see Create a Source Virtual Machine in Fusion Pro, on page 32.

1 If the source virtual machine is on a Mac, perform these steps.
   a Find the virtual machine package (.vmwarevm) file for the virtual machine, right-click the file name, and select Show Package Content.
   b Copy the virtual machine configuration (.vmx) file to a location that is accessible to the Horizon FLEX server.
2 Start the Horizon FLEX Admin Console.
   a In a Web browser, enter https://webmanagerserver:7443/rvm, where WebManagerServer is the DNS name or IP address of the host where the Mirage Web Manager is installed.
   b Enter the user name and password of a domain account that has access to Mirage.
   c Click Login.
3 Click Images in the left navigation panel.
4 Click the New (+) button.
5 Click Select next to the Select Image File text box and browse to the virtual machine configuration (.vmx) file for the source virtual machine.
6 Type a user-friendly name for the Horizon FLEX virtual machine file in the Image Name text box. For example: Windows 7 VM
7 (Optional) Type a description of the Horizon FLEX virtual machine in the Description text box.
8 (Optional) Click the Change button next to Icon and upload an icon for the Horizon FLEX virtual machine. Uploaded icons must be PNG (.png) files.
9 (Optional) In the Image URL text box type the fully qualified path of the TAR file that contains the source virtual machine package. End users will download the Horizon FLEX virtual machine from this URL. The URL format is http://server:port/download_directory/filename.tar, where server is the hostname or IP address of the server where you stored the TAR file, port is the port number on the server, download_folder is the name of the Horizon FLEX virtual machine download folder that contains the TAR file, and filename.tar is the name of the TAR file that contains the source virtual machine package. The URL can start with either http or https. For example: https://flexserver.demo.local:7443/flexdownloads/windows7vm.tar
10 (Optional) Type text in the Disclaimer (Optional) text box. If you do not specify any text, the Horizon FLEX Client does not display disclaimer text when a user downloads the Horizon FLEX virtual machine.
11 Click OK to register the source virtual machine as a Horizon FLEX image.
12 (Optional) Type the image URL in a Web browser to verify the URL. For example: https://flexserver.demo.local:7443/flexdownloads/windows7vm.tar
   You should be prompted to save the file. If you receive a permissions error, you might need to adjust the NTFS permissions for the download folder.

What to do next

Add policies to the Horizon FLEX image. See Configure a General Policy for a Horizon FLEX Image, on page 38.

Creating Policies and Entitlements

You use policies to set an expiration date and control the features in virtual machine instances created from a Horizon FLEX image. You use entitlements so that specific users and groups can create virtual machine instances from a particular Horizon FLEX image.

You associate a policy with each entitlement that you create. This policy defines the default restriction settings for the virtual machine instances that are created from the Horizon FLEX image in the entitlement. You can include the same Horizon FLEX image in multiple entitlements, and you can associate each entitlement with a different policy. The same user can be a member of multiple entitlements.
When a virtual machine instance is created, the policies associated with entitlements determine the instance's initial restrictions. As an administrator, you can change the restriction settings for a particular virtual machine instance. Instance-specific restrictions act as the restrictions for a specific user and virtual machine combination. For information about editing restrictions for virtual machines, see Manage Horizon FLEX Virtual Machines, on page 47.

Configure a General Policy for a Horizon FLEX Image

You configure general policies to set an expiration date and control the features in virtual machine instances created from a Horizon FLEX image.

IMPORTANT If the copy-and-paste, drag-and-drop, and folder sharing settings are enabled in the source virtual machine, you can configure a policy to enable or disable these features when users download an instance of the virtual machine. If these features are disabled in the source virtual machine, you cannot override the virtual machine settings by enabling the features in a policy.

You select the policy to assign to a Horizon FLEX image when you entitle the image to users. You can use the same policy in multiple entitlements.
1 Start the Horizon FLEX Admin Console.
   a In a Web browser, enter https://webmanagerserver:7443/rvm, where WebManagerServer is the DNS name or IP address of the host where the Mirage Web Manager is installed.
   b Enter the user name and password of a domain account that has access to Mirage.
   c Click Login.
2 Click Policies in the left navigation pane.
3 Click the General tab to add a policy, or select an existing policy and click Edit to modify it.
4 Type a name for the policy in the Policy Name text box.
5 (Optional) Type a description for the policy in the Description text box.
6 In General Restrictions, configure virtual machine restrictions.

Option
   Action
Expiration date
   Use the calendar widget to set an expiration date for the virtual machine.
Copy and Paste operations
   Specify whether to allow copy-and-paste operations in the virtual machine. This policy controls copy-and-paste operations between the virtual machine guest and host. It does not control copy-and-paste operations in the virtual machine.
Drag and Drop operations
   Specify whether to allow drag-and-drop operations in the virtual machine. This policy controls drag-and-drop operations between the virtual machine guest and host. It does not control drag-and-drop operations in the virtual machine.
Folder Sharing settings
   Specify whether to allow using shared folders in the virtual machine guest operating system if the administrator has configured shared folders in the virtual machine.
Change memory and CPU settings
   Specify whether to allow users to change the memory and CPU settings of the virtual machine.
Require the user to change the power on passphrase when moving or copying the virtual machine
   Specify whether to require users to change the encryption password if they move or copy the virtual machine.
Set the power on passphrase to match the user's AD passphrase after first startup
   Specify whether the password that users enter when powering on the virtual machine matches the Active Directory password.
Restrict the user from creating multiple copies of the virtual machine
   Specify whether to allow users to download multiple instances of the virtual machine or copy already registered virtual machines.

7 (Optional) In End User Messages, configure virtual machine expiration settings.
   a The default message is This virtual machine is expired. Type an additional custom message to display to the user when the virtual machine is expired.
   b Select the Display this message check box, select the number of days before the virtual machine expires to display a custom message, and type the custom message text.
8 In Server Settings, configure Horizon FLEX server settings.

Option
   Action
FLEX Server URL
   Type the URL of the Horizon FLEX server that hosts the virtual machine package. For example: https://flexserver.demo.local:7443
   IMPORTANT Do not add /rvm to the end of the URL.
Server Contact Frequency
   Select the frequency with which the virtual machine contacts the server for synchronization.
Offline Time Limit
   Set the number of days that users can use the virtual machine before the virtual machine must connect to the Horizon FLEX server. When the offline time limit is exceeded, the virtual machine must connect to the Horizon FLEX server before it can power on.

9 Click OK to save the policy.

The new policy appears in the policy list.

What to do next

Entitle the Horizon FLEX virtual machine. See Entitle a Horizon FLEX Image, on page 43.

Configure a USB Device Policy for a Horizon FLEX Image

You configure policies to control whether USB devices can be used on virtual machines created from a Horizon FLEX image.

IMPORTANT If the USB device controller is present in the source virtual machine, you can configure a policy to enable or disable this feature when users download an instance of the virtual machine. If this feature is disabled in the source virtual machine, you cannot override the virtual machine settings by enabling this feature in a policy.

1 Start the Horizon FLEX Admin Console.
   a In a Web browser, enter https://webmanagerserver:7443/rvm, where WebManagerServer is the DNS name or IP address of the host where the Mirage Web Manager is installed.
   b Enter the user name and password of a domain account that has access to Mirage.
   c Click Login.
2 Click Policies in the left navigation pane.
3 Click the Device Control tab to add a new device policy.
4 Select the Global Use of USB devices drop-down menu to set whether the policy will allow all USB devices or block all USB devices on the virtual machine.
   All the USB device classes are dimmed and cannot be changed. See Configure a Custom USB Device Policy for a Horizon FLEX Image, on page 41 to create a custom policy where specific USB device classes are allowed.
5 Click OK to save the policy.

The new or updated policy appears in the policy list.

What to do next

Entitle the Horizon FLEX virtual machine. See Entitle a Horizon FLEX Image, on page 43.

Configure a Custom USB Device Policy for a Horizon FLEX Image

You can configure custom device policies to control whether specific types of USB devices can be used on virtual machines created from a Horizon FLEX image.

IMPORTANT If the USB device controller is present in the source virtual machine, you can configure a policy to enable or disable this feature when users download an instance of the virtual machine. If this feature is disabled in the source virtual machine, you cannot override the virtual machine settings by enabling this feature in a policy.

1 Start the Horizon FLEX Admin Console.
   a In a Web browser, enter https://webmanagerserver:7443/rvm, where WebManagerServer is the DNS name or IP address of the host where the Mirage Web Manager is installed.
   b Enter the user name and password of a domain account that has access to Mirage.
   c Click Login.
2 Click Policies in the left navigation pane.
3 Click the Device Control tab to add a new device policy.
4 Set the Global Use of USB devices drop-down menu to Custom to allow or block specific classes of USB devices on the virtual machine.
   The text boxes for the class of USB devices appear, giving you the opportunity to allow or block specific classes.
5 Select the USB classes to allow or block on the virtual machine.

Table 4-1. USB Device Types

USB Class | Base Class | Examples
Audio | 01h | USB sound card
Communication and CDC Device | 02h | USB network adapter, RS-232 serial devices
Physical | 05h | Joystick
Image | 06h | USB camera, USB scanner, webcam
Printer | 07h | USB printer
Mass Storage | 08h | USB disk
Smart Card | 0Bh | USB smart card reader
Content Security | 0Dh | Fingerprint reader
Video | 0Eh | Webcam
Wireless Controller | E0h | Bluetooth adapter, Microsoft RNDIS
Miscellaneous | EFh | Select the Miscellaneous option to allow or block USB devices not covered in the previous classes. See Table 4-2 for USB classes that require the Miscellaneous setting.

Table 4-2. Miscellaneous USB Device Classes

USB Class | Base Class | Examples
Human Interface Device (HID) | 03h | USB keyboard, USB joystick, USB mouse
Hub | 09h | USB hub
Personal Healthcare | 0Fh | Pulse monitor (watch)
Diagnostic Device | DCh | USB compliance testing device
Application-specific | FEh | IrDA Bridge, Test and Measurement Class (USBTMC), USB Device Firmware Upgrade (DFU)

6 Optionally, you can configure the device policy to allow specific USB devices.
   a Under the Allow the virtual machine to use the following USB devices text box, click Add.
   b Enter the name of the USB device in the Name text box.
   c Enter the vendor ID as a hex value in the Vendor ID text box.
   d Enter the product ID as a hex value in the Product ID text box.
   e Click Add and click Update.
   To obtain the USB device information on a Windows machine, click System Tools and then select Device Manager. To obtain USB device information on a Mac, click the Apple icon, select About the Mac, select System Report, then select USB and click the device item.
7 Click OK to save the policy.

The new or updated policy appears in the policy list.

What to do next

Entitle the Horizon FLEX virtual machine. See Entitle a Horizon FLEX Image, on page 43.

Update a Policy for a Deployed Horizon FLEX Image

After a Horizon FLEX image has been deployed to users, you can update policies that apply to existing virtual machine instances.

IMPORTANT If you edit an existing policy by using the Policies button in the left navigation pane, the edit applies only to new users. The edited policy does not apply to existing users with deployed virtual machine instances.

1 Start the Horizon FLEX Admin Console.
   a In a Web browser, enter https://webmanagerserver:7443/rvm, where WebManagerServer is the DNS name or IP address of the host where the Mirage Web Manager is installed.
   b Enter the user name and password of a domain account that has access to Mirage.
   c Click Login.
2 Click Virtual Machines in the left navigation pane.
3 Select the virtual machine.
4 Click Edit.
5 Update the policy for the virtual machine and click OK when complete.

What to do next

See Configure a General Policy for a Horizon FLEX Image, on page 38 and Configure a USB Device Policy for a Horizon FLEX Image, on page 40 for more information.

Entitle a Horizon FLEX Image

You use entitlements to allow specific users and groups to download and use virtual machine instances from a particular Horizon FLEX image.

Users can download any Horizon FLEX virtual machine to which they are entitled. Users need to enter their Active Directory credentials before they can register and use a Horizon FLEX virtual machine for the first time. Users can either log into the Horizon FLEX server and download the virtual machine, or they can copy the Horizon FLEX virtual machine from a USB and then enter the Active Directory credentials on the first boot up.

Prerequisites

- Verify that the appropriate Active Directory users and groups are synchronized in the Horizon FLEX database. See Configure Active Directory Settings, on page 16.
- Register the source virtual machine with the Horizon FLEX Policy Server. See Register a Source Virtual Machine with the Horizon FLEX Policy Server, on page 37.
- Configure a policy for the Horizon FLEX image. See Configure a General Policy for a Horizon FLEX Image, on page 38.

1 Start the Horizon FLEX Admin Console.
   a In a Web browser, enter https://webmanagerserver:7443/rvm, where WebManagerServer is the DNS name or IP address of the host where the Mirage Web Manager is installed.
   b Enter the user name and password of a domain account that has access to Mirage.
   c Click Login.
2 Click Entitlements in the left pane.
3 Click the New (+) button to create an entitlement, select an existing entitlement and click Edit to modify it, or select an existing entitlement and click Duplicate to duplicate it.
4 Type a name for the entitlement in the Entitlement Name text box, select a Horizon FLEX image to add to the entitlement, and click Next.
   You can use the search field to filter the list of Horizon FLEX images. If you duplicate an existing entitlement, you must rename the duplicate entitlement before saving it.
5 Select the Active Directory users and groups to include in the entitlement.
   a Use the search field to find and select users and groups to add to the entitlement. New Active Directory users and groups can take up to 15 minutes to appear in search results.
   b Click Add to add a user or group to the Entitlement Members list. You can use the Remove or Clear All buttons to manage the list of members.
   c Click Next.
6 Select a policy for the entitlement and click Next.
   You can use the search field to filter the list of policies and the Clear Filter and Show Filter buttons to manage your searches.
7 (Optional) To use a virtual machine naming pattern, select the Use machine name configuration check box and configure the naming pattern.
   a Type the machine name pattern to use in the Machine Name Pattern text box.
     To ensure that each virtual machine receives a different name and can join the domain, include the {username} placeholder. This placeholder is replaced by the individual user's name when the user downloads the virtual machine. For example, if the name pattern is vm-username, and user1 downloads the virtual machine, the virtual machine name is changed to vm-user1.
     The machine name is limited to 15 characters. If a machine name is longer than 15 characters, only the first 15 characters will be used.
   b Select a domain name from the Domain Name drop-down menu.
   c (Optional) Type an OU in the Organizational Unit text box, or leave the text box blank to use the default OU. For example: OU=hr1, OU=hr, OU=flex, DC=ws, DC=test, DC=com
8 (Optional) If you installed the Mirage client in the virtual machine, select whether to manage the virtual machine with Mirage.

Option
   Description
Use VMware Mirage for disaster recovery and Image management scenarios
   Select this option to select a CVD policy, a base layer, an application layer, and other configurations. The Mirage server automatically creates a CVD for virtual machines that the end user downloads. Mirage periodically synchronizes end-user data into the data center based on the selected Mirage policy. In the main Mirage Management Console, you can use this data to restore the CVD or access files on the virtual machine by using the Mirage File Portal. The Mirage server also automatically deploys base and application layers to the virtual machine after it has been provisioned for image compliance and remote application delivery.
Use VMware Mirage for disaster recovery scenarios
   Select this option to select a CVD policy. The Mirage server creates a CVD for virtual machines that the end user downloads. You can use this data to restore the CVD or access files on the virtual machine by using the Mirage File Portal in the main Mirage Management Console.
Do not use VMware Mirage to manage the virtual machines
   Select this option to opt out of managing the virtual machine with Mirage.

   If you delete a virtual machine in which the Mirage client is installed, the Mirage server archives the CVD of the deleted virtual machine.
9 Click Next and review the settings of the entitlement.
10 Click Finish to save the entitlement, or click Back to return to the previous page and edit the entitlement.

Create a URI to Deploy a Horizon FLEX Virtual Machine

You can deploy a Horizon FLEX virtual machine by creating a uniform resource identifier (URI). Using a URI, you can create an email that contains a link that the end user can click to connect to a server and download a Horizon FLEX virtual machine.

Prerequisites

- Verify that the Horizon FLEX client is installed on the end user system.
- Give the end user a password for the server and the encryption password for the virtual machine.

1 Construct a URI for the end user.
   A URI has the following structure: vmware-rvm://username@myserver.com:7443
   username is the user's login name and myserver.com is the host name of the server. You must include vmware-rvm:// and :7443 in the server address. Do not include http or https in the server address.
2 Type link text in an email and enter hyperlink information for the URI.
   You can use any email system to send the link. However, because the format of the URI is not recognized as a standard URL, you must manually enter the hyperlink information.
3 Create an email for the user and enter some link text. For example: Your Horizon FLEX virtual machine
4 Select the link text, right-click the selected text, and select Hyperlink.
5 Select Link to: Existing File or Web Page.
6 Enter the URI in the Address text box. For example: vmware-rvm://johndoe@yourserver.com:7443
   The link is now active.
7 Click OK.
8 Send the email to the user.

When the user clicks the link in the email, the user's Horizon FLEX Client starts and the server connection dialog box opens. The server and user name text boxes are prepopulated with the values that you specified in the URI. The user enters a password and connects to the server to download a virtual machine.
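
The URI rules from step 1 can be checked before a link goes into an email. The following Python sketch is an added example, not VMware code: it builds a URI in the documented structure and reports deviations in an existing one. The function names, the list of allowed hosts, and the set of characters rejected in a user name are assumptions of this example.

```python
import html
from urllib.parse import urlsplit

SCHEME = "vmware-rvm"  # required prefix, from the guide
PORT = 7443            # required port, from the guide

# Assumption of this example: characters that would change how the
# user@host:port part of the URI is parsed are rejected in a user name.
BAD_USER_CHARS = set("@/:?# \t")


def build_flex_uri(username, host):
    """Return vmware-rvm://username@host:7443, or raise ValueError."""
    if not username or BAD_USER_CHARS & set(username):
        raise ValueError(f"user name not usable in a URI: {username!r}")
    if "://" in host:
        raise ValueError("give the bare host name, without http:// or https://")
    if ":" in host or "/" in host:
        raise ValueError("give the host name only; the port is added for you")
    return f"{SCHEME}://{username}@{host}:{PORT}"


def check_flex_uri(uri, allowed_hosts):
    """Return a list of problems found in uri; an empty list means none."""
    problems = []
    parts = urlsplit(uri)
    if parts.scheme != SCHEME:
        problems.append(f"scheme is {parts.scheme!r}, expected {SCHEME!r}")
    try:
        port = parts.port
    except ValueError:  # non-numeric or out-of-range port
        port = None
    if port != PORT:
        problems.append(f"port is {port!r}, expected {PORT}")
    if not parts.username:
        problems.append("no user name before '@'")
    host = (parts.hostname or "").lower()
    if host not in {h.lower() for h in allowed_hosts}:
        problems.append(f"host {host!r} is not one of your Horizon FLEX servers")
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        problems.append("unexpected path, query or fragment after the port")
    return problems


def email_link(uri, link_text):
    """Return an HTML anchor for mail clients that accept pasted HTML."""
    return f'<a href="{html.escape(uri, quote=True)}">{html.escape(link_text)}</a>'


if __name__ == "__main__":
    servers = ["yourserver.com"]  # constructed sample value
    uri = build_flex_uri("johndoe", "yourserver.com")
    print(uri, check_flex_uri(uri, servers))
    # The Admin Console URL is not a valid deployment link:
    print(check_flex_uri("https://yourserver.com:7443/rvm", servers))
    print(email_link(uri, "Your Horizon FLEX virtual machine"))
```

Checking the host against your own server list matters because the client prepopulates the server field from the link and the user then types a password into that dialog.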
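
The machine name pattern in step 7 of the entitlement procedure above keeps only the first 15 characters, so two entitled users whose names share a long prefix can receive the same machine name even when the pattern contains {username}. The following Python sketch is an added example, not VMware code: it expands a pattern for a list of users and reports the names that would coincide. The function names, the sample patterns and the user names are constructed for illustration, and comparing names without regard to case is an assumption of this example.

```python
from collections import defaultdict

MAX_LEN = 15                # limit stated in the guide
PLACEHOLDER = "{username}"  # placeholder stated in the guide


def machine_name(pattern, username):
    """Expand the pattern for one user and keep the first 15 characters."""
    return pattern.replace(PLACEHOLDER, username)[:MAX_LEN]


def username_chars_kept(pattern):
    """How many characters of the user name survive the 15-character cut."""
    position = pattern.find(PLACEHOLDER)
    if position < 0:
        return 0
    return max(0, MAX_LEN - position)


def find_collisions(pattern, usernames):
    """Map each machine name shared by several users to those users."""
    by_name = defaultdict(list)
    for user in usernames:
        # Assumption: names that differ only in case count as the same name.
        by_name[machine_name(pattern, user).upper()].append(user)
    return {name: users for name, users in by_name.items() if len(users) > 1}


def review_pattern(pattern, usernames):
    """Summarize what a pattern does to a set of entitled users."""
    warnings = []
    if PLACEHOLDER not in pattern:
        warnings.append("no {username} placeholder: every VM gets the same name")
    collisions = find_collisions(pattern, usernames)
    for name, users in sorted(collisions.items()):
        warnings.append(f"{name} would be assigned to {', '.join(users)}")
    return {
        "chars_kept": username_chars_kept(pattern),
        "collisions": collisions,
        "warnings": warnings,
    }


if __name__ == "__main__":
    users = ["jsmith", "jsmithers", "adoe"]  # constructed sample users
    for pattern in ("vm-{username}", "flex-win7-{username}", "flex-vm"):
        print(pattern, review_pattern(pattern, users))
```

Run it against the members of an entitlement before saving the pattern; a shorter fixed prefix leaves more of each user name inside the 15-character limit.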

Chapter 5 Managing Horizon FLEX Virtual Machines

You can manage deployed Horizon FLEX virtual machines by performing operations such as Edit, Lockout, Reactivate, Wipe, Archive, or Delete.

Manage Horizon FLEX Virtual Machines

Once Horizon FLEX virtual machines are deployed, you can manage them by performing different operations.

You can view the inventory of deployed Horizon FLEX virtual machines in the Horizon FLEX Admin Console. You can use the Search text box to filter the virtual machine list and the sortable column headings to find a specific virtual machine. Use the column heading drop-down menu to select the columns to view or hide. When you select a virtual machine in the list, you can expand the Properties window at the bottom of the page to view general settings for the virtual machine and policies applied to the virtual machine.

1 Start the Horizon FLEX Admin Console.
   a In a Web browser, enter https://webmanagerserver:7443/rvm, where WebManagerServer is the DNS name or IP address of the host where the Mirage Web Manager is installed.
   b Enter the user name and password of a domain account that has access to Mirage.
   c Click Login.
2 Click Virtual Machines in the left navigation pane.
   The inventory of deployed Horizon FLEX virtual machines appears on the Virtual Machines page.
3 To manage a specific virtual machine, select the virtual machine in the list.

Option
   Action
Edit
   Select a virtual machine and click Edit to change the policies assigned to this virtual machine.
Lockout
   Select a virtual machine and click Lockout to revoke user access to the specific virtual machine.
Reactivate
   Select an expired or locked-out virtual machine and click Reactivate to reset the virtual machine.
Wipe
   Select a virtual machine and click Wipe to delete it from the file system.
Archive
   Select a virtual machine and click Archive to disable the virtual machine for use and keep an offline record of the virtual machine. Select the Display archived instances box at the bottom of the Virtual Machines page to view virtual machines that have been archived. You can click Reactivate to enable an archived virtual machine.
Delete
   Select an archived virtual machine and click Delete. You cannot delete a virtual machine that has any other status than Archived.

4 To determine the actions that you can take for a virtual machine, view the virtual machine status in the Status column.

Status
   Description
Active
   The virtual machine is in use, has contacted the server, and has not expired.
Inactive
   The Horizon FLEX Client that the user used to open the virtual machine has failed to contact the server for longer than the offline working policy period.
Expired
   The expiration date has been reached and the virtual machine has been turned off.
Pending Expired
   The server is waiting for confirmation from the Horizon FLEX Client that the virtual machine is expired.
Locked Out
   An administrator has locked out the user of the virtual machine.
Pending Lockout
   A lockout has been initiated. The status remains Pending until the Horizon FLEX Client verifies that the virtual machine has been locked out.
Pending Reactivate
   The server is waiting for confirmation from the Horizon FLEX Client that the virtual machine is reactivated.
Downloading
   The user is downloading the virtual machine.
Download Cancelled
   The user has canceled the download.
Download Paused
   The user has paused the download.
Domain Join Fail
   The virtual machine failed to join a domain. The most common reason why a virtual machine might fail to join a domain is that the object already exists in Active Directory. In this case, check the offline domain join log, which is maintained by the operating system, to determine how to solve the failure.
User Deleted
   The user has deleted the VM on the client.
Wiped
   The virtual machine has been wiped by the administrator and removed from the user's system.
Pending Wipe
   The server is waiting for confirmation from the Horizon FLEX Client that the virtual machine has been removed from the user's system.
Archived
   The virtual machine has been archived.
   NOTE You must select the Display archived instances check box to view archived virtual machines.

Chapter 6 Maintaining the Horizon FLEX System

You can perform maintenance operations on the Horizon FLEX system, including upgrading from previous Horizon FLEX versions.

Upgrade from Previous Horizon FLEX Versions

You can upgrade the Horizon FLEX system from earlier Horizon FLEX versions.

1 Download the Horizon FLEX Server and Horizon FLEX Client installation files for the upgrade version.
2 Upgrade the Horizon FLEX Server component.
   a Upgrade the Mirage Management Server. If you use Mirage to manage your Windows virtual machines, upgrade all Mirage servers.
   b Upgrade the Mirage Web Manager (Web Management Console).
3 Upgrade all Horizon FLEX clients to the version that is compatible with the upgraded Horizon FLEX Server.
   - Provide your end users with the installer file for the Fusion Pro or Player Pro upgrade version, or instruct them to download the software from the VMware Web site.
   - Upgrade the Horizon FLEX Clients by using mass deployment.
   All Horizon FLEX virtual machines should be shut down before upgrading.

What to do next

For complete Mirage upgrade instructions, see the VMware Mirage documentation at https://www.vmware.com/support/pubs/mirage_pubs.html.

NOTE Do not select the Create new storage areas when upgrading the Mirage Management Server. If you select this option and enter the path to the original storage area, your entire Mirage installation, including base layer, app layer, CVD data, and so on, are deleted and become irretrievable if a backup is unavailable.

See Installing the Horizon FLEX Client for End Users, on page 18 for information on using mass deployment to provide the Horizon FLEX Client to end users.