The VMware View Agent Configuration ADMX template file (view_agent_direct_connection.admx) contains policy settings related to the View Agent Direct-Connection Plug-In.

The View Agent Direct-Connection Configuration settings are in the Group Policy Management Editor in Computer Configuration > Administrative Templates > VMware View Agent Configuration > View Agent Direct-Connection Configuration.

Table 1. View Agent Direct-Connection Plug-In Configuration Settings
| Setting | Description |
|---|---|
| Applications Enabled | This setting supports application launch on remote desktop session hosts. The default setting is enabled. |
| Client Config Name Value Pairs | List of values to be passed to the client in the form name=value. Example: clientCredentialCacheTimeout=1440. |
| Client Session Timeout | The maximum length of time in seconds that a session is kept active if a client is not connected. The default is 36000 seconds (10 hours). |
| Client setting: AlwaysConnect | The value can be set to TRUE or FALSE. The AlwaysConnect setting is sent to Horizon Client. If this policy is set to TRUE, it overrides any saved client preferences. No value is set by default. Enabling this policy sets the value to TRUE. Disabling this policy sets the value to FALSE. |
| Client setting: AutoConnect | This setting overrides any saved Horizon Client preferences. No value is set by default. Enabling this policy sets the value to true. Disabling this policy sets the value to false. |
| Client setting: ScreenSize | The ScreenSize setting is sent to Horizon Client. If enabled, it overrides any saved client preferences. If not configured or disabled, the client preferences are used. |
| Multimedia redirection (MMR) Enabled | Determines whether MMR is enabled for client systems. MMR is a Microsoft DirectShow filter that forwards multimedia data from specific codecs on Horizon desktops directly through a TCP socket to the client system. The data is then decoded directly on the client system, where it is played. The default value is disabled. MMR does not work correctly if the client system's video display hardware does not have overlay support. Client systems may have insufficient resources to handle local multimedia decoding. |
| Reset Enabled | The value can be set to TRUE or FALSE. When set to TRUE, an authenticated Horizon Client can perform an operating system level reboot. The default setting is disabled (FALSE). |
| Session Timeout | The period of time a user can keep a session open after logging in with Horizon Client. The value is set in minutes. The default is 600 minutes. When this timeout is reached, all of a user's desktop and application sessions are disconnected. |
| USB AutoConnect | The value can be set to TRUE or FALSE. Connect USB devices to the desktop when they are plugged in. If this policy is set, it overrides any saved client preferences. No value is set by default. |
| USB Enabled | The value can be set to TRUE or FALSE. Determines whether desktops can use USB devices connected to the client system. The default value is enabled. To prevent the use of external devices for security reasons, change the setting to disabled (FALSE). |
| User Idle Timeout | If there is no user activity on the Horizon client for this period of time, the user's desktop and application sessions are disconnected. The value is set in seconds. The default is 900 seconds (15 minutes). |

Authentication Settings

The Authentication settings are in the Group Policy Management Editor in Computer Configuration > Administrative Templates > VMware View Agent Configuration > View Agent Direct-Connection Configuration. Within this folder are the Log On As Current User settings.

Table 2. View Agent Direct-Connection Plug-In Authentication Settings
| Setting | Description |
|---|---|
| Allow Legacy Clients | When disabled, Horizon Client versions older than 5.5 will not authenticate using the Log in as current user feature. If this setting is not configured, older clients are supported. |
| Allow NTLM Fallback | When enabled, Horizon Client uses NTLM authentication instead of Kerberos when there is no access to the domain controller. If this setting is not configured, NTLM fallback is not allowed. |
| Require Channel Bindings | When enabled, channel bindings provide an additional security layer to secure NTLM authentication. Horizon Client versions older than 5.5 do not support channel bindings. |
| Client Credential Cache Timeout | The time period, in minutes, that a Horizon Client allows a user to use a saved password. 0 means never, and -1 means forever. Horizon Client offers users the option of saving their passwords if this setting is set to a valid value. The default is 0 (never). |
| Disclaimer Enabled | The value can be set to TRUE or FALSE. If set to TRUE, show disclaimer text for user acceptance at login. The text is shown from 'Disclaimer Text' if written, or from the GPO Configuration\Windows Settings\Security Settings\Local Policies\Security Options: Interactive logon. The default setting for disclaimerEnabled is FALSE. |
| Disclaimer Text | The disclaimer text shown to Horizon Client users at login. The Disclaimer Enabled policy must be set to TRUE. If the text is not specified, the default is to use the value from Windows policy Configuration\Windows Settings\Security Settings\Local Policies\Security Options. |
| X509 Certificate Authentication | Determines if Smart Card X.509 certificate authentication is disabled, allowed, or required. |
| X509 SSL Certificate Authentication Enabled | Determines if Smart Card X.509 certificate authentication is enabled by a direct SSL connection from a Horizon Client. This option is not required if X.509 certificate authentication is handled via an intermediate SSL termination point. Changing this setting requires a restart of the Horizon Agent. |

Protocol and Network Settings

The Protocol and Network settings are in the Group Policy Management Editor in Computer Configuration > Administrative Templates > VMware View Agent Configuration > View Agent Direct-Connection Configuration.

Table 3. View Agent Direct-Connection Plug-In Configuration Settings
| Setting | Description |
|---|---|
| Default Protocol | The default display protocol used by Horizon Client to connect to the desktop. If the value is not set, then the default value is BLAST. |
| External Blast Port | The port number sent to Horizon Client for the destination TCP port number that is used for the HTML5/Blast protocol. A + character in front of the number indicates a relative number from the port number used for HTTPS. Only set this value if the externally exposed port number does not match the port that the service is listening on. Typically, this port number is in a NAT environment. No value is set by default. |
| External Framework Channel Port | The port number sent to the Horizon Client for the destination TCP port number that is used for the Framework Channel protocol. A + character in front of the number indicates a relative number from the port number used for HTTPS. Only set this value if the externally exposed port number does not match the port where the service is listening. Typically, this port number is in a NAT environment. No value is set by default. |
| External IP Address | The IPv4 address sent to Horizon Client for the destination IP address that is used for secondary protocols (RDP, PCoIP, Framework channel, and so on). Only set this value if the externally exposed address does not match the address of the desktop machine. Typically, this address is in a NAT environment. No value is set by default. |
| External PCoIP Port | The port number sent to Horizon Client for the destination TCP/UDP port number that is used for the PCoIP protocol. A + character in front of the number indicates a relative number from the port number used for HTTPS. Only set this value if the externally exposed port number does not match the port that the service is listening on. Typically, this port number is in a NAT environment. No value is set by default. |
| External RDP Port | The port number sent to Horizon Client for the destination TCP port number that is used for the RDP protocol. A + character in front of the number indicates a relative number from the port number used for HTTPS. Only set this value if the externally exposed port number does not match the port that the service is listening on. Typically, this port number is in a NAT environment. No value is set by default. |
| HTTPS Port Number | The TCP port on which the plug-in listens for incoming HTTPS requests from Horizon Client. If this value is changed, you must make a corresponding change to the Windows firewall to allow incoming traffic. The default is 443. |

The External Port numbers and External IP Address values are used for Network Address Translation (NAT) and port mapping support. For more information, see Using Network Address Translation and Port Mapping.
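
How the + prefix on the External port values resolves, as an added PowerShell example that is not VMware's code: the function name `Resolve-ExternalPort` and the sample policy values are constructed for illustration, and the HTTPS port the values are relative to is supplied by the caller.

```powershell
# Added example: resolve an "External ... Port" policy value to the port
# number a client would be told to use. Function name is hypothetical.
function Resolve-ExternalPort {
    param(
        [Parameter(Mandatory)] [int] $HttpsPort,   # the port number used for HTTPS
        [string] $Value                             # policy value, e.g. '4172' or '+1'
    )
    # No value is set by default, so there is nothing to resolve.
    if ([string]::IsNullOrWhiteSpace($Value)) { return $null }

    $text = $Value.Trim()
    if ($text -notmatch '^(\+?)(\d{1,5})$') {
        throw "Invalid port value '$Value': expected N or +N"
    }
    $number = [int]$Matches[2]

    # A leading + means "relative to the HTTPS port"; otherwise the value is absolute.
    $port = if ($Matches[1] -eq '+') { $HttpsPort + $number } else { $number }

    if ($port -lt 1 -or $port -gt 65535) {
        throw "Value '$Value' resolves to $port, which is outside 1-65535"
    }
    return $port
}

# Constructed sample: HTTPS is exposed on 1443 behind NAT.
$httpsPort = 1443
$policy = [ordered]@{
    'External Blast Port'             = '+1'
    'External Framework Channel Port' = '+2'
    'External PCoIP Port'             = '4172'
    'External RDP Port'               = ''        # not configured
}

# List every external port the NAT device and firewall rules must account for.
foreach ($name in $policy.Keys) {
    $port = Resolve-ExternalPort -HttpsPort $httpsPort -Value $policy[$name]
    [pscustomobject]@{
        Setting  = $name
        Value    = $policy[$name]
        Resolved = if ($null -eq $port) { '(not set)' } else { $port }
    }
}
```

Comparing the resolved list against the actual NAT and firewall rules shows whether any forwarded port is exposed without a matching policy value, or the reverse.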

For smart card authentication, the certificate authority (CA) that signs the smart card certificates must be in the Windows Certificate Store. For information about how to add a certificate authority, see Add a Certificate Authority to the Windows Certificate Store.
Note: If a user attempts to log in using a smart card to a Windows 7 or Windows Server 2008 R2 machine and the Smart Card certificate has been signed by an intermediate CA, the attempt may fail because Windows can send the client a trusted issuer list that does not contain intermediate CA names. If this happens, the client will be unable to select an appropriate Smart Card certificate. To avoid this problem, set the registry value SendTrustedIssuerList (REG_DWORD) to 0 in the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL. With this registry value set to 0, Windows does not send a trusted issuer list to the client, which can then select all the valid certificates from the smart card.
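
The registry change from the note above, as an added PowerShell example that is not part of the VMware documentation: it assumes an elevated session on the affected machine and uses only the key and value name given in the note.

```powershell
# Added example: set SendTrustedIssuerList (REG_DWORD) to 0 under the SCHANNEL key,
# recording the previous state so the change can be reverted.
$key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$name = 'SendTrustedIssuerList'

# Read the current value; $null means the value does not exist yet.
$current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name

if ($current -eq 0) {
    Write-Output "$name is already 0; no change made."
}
else {
    if ($null -eq $current) {
        Write-Output "$name was not present; creating it."
    }
    else {
        Write-Output "$name was $current; changing it to 0."
    }
    # -Force overwrites an existing value of the same name.
    New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value 0 -Force | Out-Null

    # Read the value back to confirm the write succeeded.
    $after = (Get-ItemProperty -Path $key -Name $name).$name
    if ($after -ne 0) {
        throw "Failed to set $name to 0 (current value: $after)"
    }
    Write-Output "$name is now 0."
}
```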