The VMware View Agent Configuration ADMX template file (view_agent_direct_connection.admx) contains policy settings related to View Agent Direct-Connection Plug-In.

The View Agent Direct-Connection Configuration settings are in the Group Policy Management Editor in Computer Configuration > Administrative Templates > VMware View Agent Configuration > View Agent Direct-Connection Configuration.

Table 1. View Agent Direct-Connection Plug-In Configuration Settings

Setting

Description

Applications Enabled

This setting supports application launch on remote desktop session hosts. The default setting is enabled.

Client Config Name Value Pairs

List of values to be passed to the client in the form name=value. Example: clientCredentialCacheTimeout=1440.

Client Credential Cache Timeout

The time period, in minutes, that a Horizon Client allows a user to use a saved password. 0 means never, and -1 means forever. Horizon Client offers users the option of saving their passwords if this setting is set to a valid value. The default is 0 (never).

Client Session Timeout

The maximum length of time in seconds that session is kept active if a client is not connected. The default is 36000 seconds (10 hours).

Client setting: AlwaysConnect

The value can be set to TRUE or FALSE. AlwaysConnect setting is sent to Horizon Client. If this policy is set to TRUE, it overrides any saved client preferences. No value is set by default. Enabling this policy sets the value to TRUE. Disabling this policy sets the value to FALSE.

Client setting: AutoConnect

This setting overrides any saved Horizon Client preferences. No value is set by default. Enabling this policy will set the value to true, disabling this policy will set the value to false.

Client setting: ScreenSize

ScreenSize setting sent to Horizon Client. If enabled, it overrides any saved client preferences. If not configured or disabled, the client preferences are used.

Default Protocol

The default display protocol used by Horizon Client to connect to the desktop. If the value is not set, then the default value is BLAST.

Disclaimer Enabled

The value can be set to TRUE or FALSE. If set to TRUE, show disclaimer text for user acceptance at login. The text is shown from 'Disclaimer Text' if written, or from the GPO Configuration\Windows Settings\Security Settings\Local Policies\Security Options: Interactive logon. The default setting for disclaimerEnabled is FALSE.

Disclaimer Text

The disclaimer text shown to Horizon Client users at login. The Disclaimer Enabled policy must be set to TRUE. If the text is not specified, the default is to use the value from Windows policy Configuration\Windows Settings\Security Settings\Local Policies\Security Options.

External Blast Port

The port number sent to Horizon Client for the destination TCP port number that is used for the HTML5/Blast protocol. A + character in front of the number indicates a relative number from the port number used for HTTPS. Only set this value if the externally exposed port number does not match the port that the service is listening on. Typically, this port number is in a NAT environment. No value is set by default.

External Framework Channel Port

The port number sent to the Horizon Client for the destination TCP port number that is used for the Framework Channel protocol. A + character in front of the number indicates a relative number from the port number used for HTTPS. Only set this value if the externally exposed port number does not match the port where the service is listening. Typically, this port number is in a NAT environment. No value is set by default.

External IP Address

The IPV4 address sent to Horizon Client for the destination IP address that is used for secondary protocols (RDP, PCoIP, Framework channel, and so on). Only set this value if the externally exposed address does not match the address of the desktop machine. Typically, this address is in a NAT environment. No value is set by default.

External PCoIP Port

The port number sent to Horizon Client for the destination TCP/UDP port number that is used for the PCoIP protocol. A + character in front of the number indicates a relative number from the port number used for HTTPS. Only set this value if the externally exposed port number does not match the port that the service is listening on. Typically, this port number is in a NAT environment. No value is set by default.

External RDP Port

The port number sent to Horizon Client for the destination TCP port number that is used for the RDP protocol. A + character in front of the number indicates a relative number from the port number used for HTTPS. Only set this value if the externally exposed port number does not match the port that the service is listening on. Typically, this port number is in a NAT environment. No value is set by default.

HTTPS Port Number

The TCP port on which the plug-in listens for incoming HTTPS requests from Horizon Client. If this value is changed, you must make a corresponding change to the Windows firewall to allow incoming traffic. The default is 443.

Multimedia redirection (MMR) Enabled

Determines whether MMR is enabled for client systems. MMR is a Microsoft DirectShow filter that forwards multimedia data from specific codecs on Horizon desktops directly through a TCP socket to the client system. The data is then decoded directly on the client system, where it is played. The default value is disabled.

MMR does not work correctly if the client system's video display hardware does not have overlay support. Client systems may have insufficient resources to handle local multimedia decoding.

Reset Enabled

The value can be set to TRUE or FALSE. When set to TRUE, an authenticated Horizon Client can perform an operating system level reboot. The default setting is disabled (FALSE).

Session Timeout

The period of time a user can keep a session open after logging in with Horizon Client. The value is set in minutes. The default is 600 minutes. When this timeout is reached, all of a user's desktop and applications sessions are disconnected.

USB AutoConnect

The value can be set to TRUE or FALSE. Connect USB devices to the desktop when they are plugged in. If this policy is set, it overrides any saved client preferences. No value is set by default.

USB Enabled

The value can be set to TRUE or FALSE. Determines whether desktops can use USB devices connected to the client system. The default value is enabled. To prevent the use of external devices for security reasons, change the setting to disabled (FALSE).

User Idle Timeout

If there is no user activity on the Horizon client for this period of time, the user's desktop and application sessions are disconnected. The value is set in seconds. The default is 900 seconds (15 minutes).

X509 Certificate Authentication

Determines if Smart Card X.509 certificate authentication is disabled, allowed, or required.

X509 SSL Certificate Authentication Enabled

Determines if Smart Card X.509 certificate authentication is enabled by a direct SSL connection from a Horizon Client. This option is not required if X.509 certificate authentication is handled via an intermediate SSL termination point. Changing this setting requires a restart of the Horizon Agent.

The External Port numbers and External IP Address values are used for Network Address Translation (NAT) and port mapping support. For more information see, Using Network Address Translation and Port Mapping.

For smart card authentication, the certificate authority (CA) that signs the smart card certificates must be in the Windows certificate Store. For information about how to add a certificate authority, see Add a Certificate Authority to the Windows Certificate Store.

Note:

If a user attempts to log in using a smart card to a Windows 7 or Windows Server 2008 R2 machine and the Smart Card certificate has been signed by an intermediate CA, the attempt may fail because Windows can send the client a trusted issuer list that does not contain intermediate CA names. If this happens, the client will be unable to select an appropriate Smart Card certificate. To avoid this problem, set the registry value SendTrustedIssuerList (REG_DWORD) to 0 in the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL. With this registry value set to 0, Windows does not send a trusted issuer list to the client, which can then select all the valid certificates from the smart card.