For Windows machines, the VMware View Agent Configuration ADMX template file (view_agent_direct_connection.admx) contains configuration settings related to the Horizon Agent Direct-Connection Plug-In (formerly View Agent Direct-Connection Plug-In). For Linux machines, you specify these configuration settings in the /etc/vmware/vadc/viewagent-vadc.conf configuration file.
(Windows) Horizon Agent Direct-Connection Plug-In Configuration Settings
For Windows desktops, the Horizon Agent Direct-Connection Plug-In configuration settings are in the Group Policy Management Editor in .
| Setting | Description |
|---|---|
| Applications Enabled | This setting supports application launch on remote desktop session hosts. The default setting is enabled. |
| Client Config Name Value Pairs | List of values to be passed to the client in the form name=value. Example: clientCredentialCacheTimeout=1440. |
| Client Session Timeout | The maximum length of time in seconds that session is kept active if a client is not connected. The default is 36000 seconds (10 hours). |
| Client setting: AlwaysConnect | The value can be set to TRUE or FALSE. AlwaysConnect setting is sent to Horizon Client. If this policy is set to TRUE, it overrides any saved client preferences. No value is set by default. Enabling this policy sets the value to TRUE. Turning off this policy sets the value to FALSE. |
| Client setting: AutoConnect | This setting overrides any saved Horizon Client preferences. No value is set by default. Enabling this policy will set the value to true, turning off this policy will set the value to false. |
| Client setting: ScreenSize | The setting sent to Horizon Client. If configured, it overrides any saved client preferences. If not configured, the client preferences are used. |
| Multimedia redirection (MMR) Enabled | Determines whether MMR is enabled for client systems. MMR is a Microsoft DirectShow filter that forwards multimedia data from specific codecs on remote desktops directly through a TCP socket to the client system. The data is then decoded directly on the client system, where it is played. The default value is FALSE, which means MMR is turned off. MMR does not work correctly if the client system's video display hardware does not have overlay support. Client systems may have insufficient resources to handle local multimedia decoding. |
| Reset Enabled | The value can be set to TRUE or FALSE. When set to TRUE, an authenticated Horizon Client can perform an operating system level reboot. The default setting is not enabled (FALSE). |
| Session Timeout | The period of time a user can keep a session open after logging in with Horizon Client. The value is set in minutes. The default is 600 minutes. When this timeout is reached, all of a user's desktop and applications sessions are disconnected. |
| USB AutoConnect | The value can be set to TRUE or FALSE. Connect USB devices to the desktop when they are plugged in. If this policy is set, it overrides any saved client preferences. No value is set by default. |
| USB Enabled | The value can be set to TRUE or FALSE. Determines whether desktops can use USB devices connected to the client system. The default value is enabled. To prevent the use of external devices for security reasons, change the setting to turn off the setting (FALSE). |
| User Idle Timeout | If there is no user activity on the Horizon client for this period of time, the user's desktop and application sessions are disconnected. The value is set in seconds. The default is 900 seconds (15 minutes). |
(Windows) Horizon Agent Direct-Connection Plug-In Authentication Settings
For Windows desktops, the Authentication settings are in the Group Policy Management Editor in . Within this folder is the Log On As Current User settings.
| Setting | Description |
|---|---|
| Allow Legacy Clients | When this setting is turned off, Horizon Client versions older than 5.5 will not authenticate using the Log in as current user feature. If this setting is not configured, older clients are supported. |
| Allow NTLM Fallback | When enabled, Horizon Client uses NTLM authentication instead of Kerberos when there is no access to the domain controller. If this setting is not configured, NTLM fallback is not allowed. |
| Require Channel Bindings | When enabled, channel bindings provide an additional security layer to secure NTLM authentication. Horizon Client versions older than 5.5 do not support channel bindings. |
| Client Credential Cache Timeout | The time period, in minutes, that a Horizon Client allows a user to use a saved password. 0 means never, and -1 means forever. Horizon Client offers users the option of saving their passwords if this setting is set to a valid value. The default is 0 (never). |
| Disclaimer Enabled | The value can be set to TRUE or FALSE. If set to TRUE, show disclaimer text for user acceptance at login. The text is shown from 'Disclaimer Text' if written, or from the GPO Configuration\Windows Settings\Security Settings\Local Policies\Security Options: Interactive logon. The default setting for disclaimerEnabled is FALSE. |
| Disclaimer Text | The disclaimer text shown to Horizon Client users at login. The Disclaimer Enabled policy must be set to TRUE. If the text is not specified, the default is to use the value from Windows policy Configuration\Windows Settings\Security Settings\Local Policies\Security Options. |
| X509 Certificate Authentication | Determines if Smart Card X.509 certificate authentication is turned off, allowed, or required. |
| X509 SSL Certificate Authentication Enabled | Determines if Smart Card X.509 certificate authentication is enabled by a direct SSL connection from a Horizon Client. This option is not required if X.509 certificate authentication is handled via an intermediate SSL termination point. Changing this setting requires a restart of the Horizon Agent. |
(Windows) Horizon Agent Direct-Connection Plug-In Protocol and Network Settings
For Windows desktops, the Protocol and Network settings are in the Group Policy Management Editor in .
| Setting | Description |
|---|---|
| Default Protocol | The default display protocol used by Horizon Client to connect to the desktop. If the value is not set, then the default value is BLAST. |
| External Blast Port | The port number sent to Horizon Client for the destination TCP port number that is used for the HTML5/Blast protocol. A + character in front of the number indicates a relative number from the port number used for HTTPS. Only set this value if the externally exposed port number does not match the port that the service is listening on. Typically, this port number is in a NAT environment. No value is set by default. |
| External Framework Channel Port | The port number sent to the Horizon Client for the destination TCP port number that is used for the Framework Channel protocol. A + character in front of the number indicates a relative number from the port number used for HTTPS. Only set this value if the externally exposed port number does not match the port where the service is listening. Typically, this port number is in a NAT environment. No value is set by default. |
| External IP Address | The IPV4 address sent to Horizon Client for the destination IP address that is used for secondary protocols (RDP, PCoIP, Framework channel, and so on). Only set this value if the externally exposed address does not match the address of the desktop machine. Typically, this address is in a NAT environment. No value is set by default. |
| External PCoIP Port | The port number sent to Horizon Client for the destination TCP/UDP port number that is used for the PCoIP protocol. A + character in front of the number indicates a relative number from the port number used for HTTPS. Only set this value if the externally exposed port number does not match the port that the service is listening on. Typically, this port number is in a NAT environment. No value is set by default. |
| External RDP Port | The port number sent to Horizon Client for the destination TCP port number that is used for the RDP protocol. A + character in front of the number indicates a relative number from the port number used for HTTPS. Only set this value if the externally exposed port number does not match the port that the service is listening on. Typically, this port number is in a NAT environment. No value is set by default. |
| HTTPS Port Number | The TCP port on which the plug-in listens for incoming HTTPS requests from Horizon Client. If this value is changed, you must make a corresponding change to the Windows firewall to allow incoming traffic. The default is 443. |
The External Port numbers and External IP Address values are used for Network Address Translation (NAT) and port mapping support. For more information see, Windows - Using Network Address Translation and Port Mapping.
For smart card authentication, the certificate authority (CA) that signs the smart card certificates must be in the Windows certificate Store. For information about how to add a certificate authority, see
Windows - Set Up Smart Card Authentication.
Note: If a user attempts to log in using a smart card to a Windows 7 or Windows Server 2008 R2 machine and the Smart Card certificate has been signed by an intermediate CA, the attempt may fail because Windows can send the client a trusted issuer list that does not contain intermediate CA names. If this happens, the client will be unable to select an appropriate Smart Card certificate. To avoid this problem, set the registry value
SendTrustedIssuerList (REG_DWORD) to 0 in the registry key
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL. With this registry value set to 0, Windows does not send a trusted issuer list to the client, which can then select all the valid certificates from the smart card.
(Linux) Horizon Agent Direct-Connection Plug-In Configuration Settings
For Linux desktops, the Horizon Agent Direct-Connection Plug-In configuration settings are in the /etc/vmware/vadc/viewagent-vadc.conf configuration file.
| Setting | Description |
|---|---|
| AgentDisconnectTimeout | The time period, in minutes, after the client session is disconnected that Horizon Agent waits to log out from the desktop. To deactivate automatic logouts and keep the client logged in to the desktop indefinitely, set the value to 0. To log out from the desktop immediately when the client disconnects the session, set the value to -1. The default value is 0. |
| AgentEmptySessionLogoff | Specifies whether to log out or disconnect from the application session after the time period specified in the AgentEmptySessionTimeout policy. To specify the logout action, set the value to TRUE. To specify the disconnect action, set the value to FALSE. When this setting is not configured, the default is FALSE. |
| AgentEmptySessionTimeout | The time period, in minutes, after the client user closes all application windows that Horizon Agent waits to disconnect or log out from the application session. To keep the client connected or logged in to the application session indefinitely, set the value to 0. To disconnect or log out from the application session immediately when all application windows are closed, set the value to -1. The default value is 1 minute. This timeout policy is used with the action (disconnect or log out from session) specified in the AgentEmptySessionLogoff policy. |
| AgentPreLaunchSessionTimeout | The maximum length of time, in minutes, that Horizon Agent keeps an application session active if the client user does not start the application. To keep the application session active indefinitely, set the value to 0. The default value is 10 minutes. |
| ClientAlwaysConnect | The value can be set to TRUE to enable the policy or FALSE to deactivate the policy. This setting is sent to Horizon Client. If this policy is set to TRUE, it overrides any saved client preferences. No value is set by default. |
| ClientAutoConnect | This setting overrides any saved Horizon Client preferences. The value can be set to TRUE to enable the policy or FALSE to deactivate the policy. No value is set by default. |
| ClientCredentialCacheTimeout | The time period, in minutes, that a Horizon Client allows a user to use a saved password. 0 means never, and -1 means forever. Horizon Client offers users the option of saving their passwords if this setting is set to a valid value. When this setting is not configured, the default is 0 (never). |
| ClientScreenSize | The setting sent to Horizon Client. If configured, it overrides any saved client preferences. If not configured, the client preferences are used. |
| ClientSessionTimeout | The time period, in seconds, after the last reported user activity that a Horizon Client allows before the session is considered to be idle and disconnected. The minimum value is 300 seconds (5 minutes). The default is 36000 seconds (10 hours). |
| CSRFProtectionEnabled | Specifies whether to enable CSRF protection by sending an X-CSRF-TOKEN with web service requests. If set to TRUE, protection is enabled. If set to FALSE, protection is deactivated. The default is TRUE. |
| DesktopName | The name of the remote desktop. If this setting is not configured, the desktop takes the name of the host machine. |
| DisclaimerFile | The path to the file containing disclaimer text shown to Horizon Client users at login. No value is set by default. |
| DomainName | Sets the FQDN domain name of client users. If you join the machine to a domain, the domain name is retrieved automatically and this setting is not required. If you use an LDAP authentication service without joining the Linux machine to a domain, configure this setting to retrieve the domain name. Replace the placeholder value |
| EntitleGroups | The user group or list of groups whose members are allowed to access the direct-connection desktop or application. By default, this setting is configured with the To configure additional entitlement groups, add the group names to the setting list and use a colon to separate the entries. |
| ExternalBlastPort | The port number sent to Horizon Client for the destination TCP port number that is used for Blast connections through a port mapping device. A + character in front of the number indicates a relative number from the port number used for NAT HTTPS. Only set this value if the externally exposed port number does not match the port that the service is listening on. Typically, this port number is used in a NAT environment. No value is set by default. |
| ExternalIPAddress | The IPv4 address sent to Horizon Client for the destination IP address that is used for Blast connections through a port mapping device. Only set this value if the externally exposed address does not match the address of the desktop machine. Typically, this address is used in a NAT environment. No value is set by default. |
| HTTPSPortNumber | The TCP port on which the plug-in listens for incoming HTTPS requests from Horizon Client. The default is 8443. |
| MaxSessions | The maximum number of published desktop or published application sessions that Horizon Agent supports. This policy only goes into effect when the Linux machine is configured as a multi-session host. The default value is 50. |
| ResetEnabled | The value can be set to TRUE or FALSE. When set to TRUE, an authenticated Horizon Client can perform an operating system level reboot. When this setting is not configured, the default value is FALSE, which deactivates the reboot capability. |
| SessionTimeout | The period of time a user can keep a session open after logging in with Horizon Client. The value is set in minutes. A value of -1 means forever. The default is 600 minutes (10 hours). When this timeout is reached, all of a user's desktop and applications sessions are disconnected. |
| USBAutoConnect | The value can be set to TRUE or FALSE. If set to TRUE, Horizon Client automatically connects USB devices to the desktop when they are plugged in. If this policy is set, it overrides any saved client preferences. No value is set by default. |
| UserIdleTimeout | If there is no user activity on Horizon Client for this period of time, the user's desktop and application sessions are disconnected. The value is set in seconds. A value of -1 means that sessions are never disconnected. The default is 900 seconds (15 minutes). |
| X509CertAuth | The level of support for Smart Card X.509 certificate authentication. The value can be set to 0 (deactivated), 1 (allowed), or 2 (required). The default value is 0. |
