Setting Up Resources in VMware Identity Manager
VMware Identity Manager
EN-001792-07
You can find the most up-to-date technical documentation on the VMware Web site at:
http://www.vmware.com/support/
The VMware Web site also provides the latest product updates.
If you have comments about this documentation, submit your feedback to:
docfeedback@vmware.com
Copyright 2015, 2016 VMware, Inc. All rights reserved. Copyright and trademark information.
VMware, Inc.
3401 Hillview Ave.
Palo Alto, CA 94304
www.vmware.com
Contents
Setting Up Resources in VMware Identity Manager
Providing Access to View, Horizon 6, or Horizon 7 Desktop and Application Pools
  Deployment Scenario
  Integrating Independent View Pods
  Integrating View Cloud Pod Architecture (CPA) Deployments
  Enabling Multiple Client Access URLs for Custom Network Ranges
  Viewing the Connection Information for View Desktop and Application Pools
  Viewing User and Group Entitlements to View Desktop and Application Pools
  Setting the Deployment Type for View Entitlements
  Viewing Launch Options for View Desktops and Applications
  Launching a View Desktop or Application
  Allowing Users to Reset Their View Desktops in VMware Identity Manager
  Reducing Resource Usage and Increasing Performance of VMware Identity Manager Desktop in Non-Persistent View Desktops
Index
Setting Up Resources in
VMware Identity Manager
Setting Up Resources in VMware Identity Manager provides instructions for adding resources to the
VMware Identity Manager catalog and making them available from users' systems, such as from their
desktops and mobile devices. These resources include Web applications, View desktop and application
pools, and Citrix-published resources.
Intended Audience
This information is intended for anyone who configures and administers the resources for the
VMware Identity Manager service. The information is written for experienced Windows or Linux system
administrators who are familiar with virtual machine technology.
After you install and configure VMware Identity Manager, to provide users with access to supported
resources, you must enable these resources in the VMware Identity Manager administration console. Except
for Web applications, each resource type requires you to integrate VMware Identity Manager with another
product or component.
You can integrate the following types of resources with VMware Identity Manager:
- Web applications
- View, Horizon 6, or Horizon 7 desktop and application pools
- Horizon Air - Cloud Hosted Apps and Desktops
- Citrix-published resources
You integrate these resources from the Catalog tab in the administration console.
To integrate Web applications, you use the Add Application menu in the Catalog tab.
To integrate and enable Horizon 7, Horizon 6, or View desktop and application pools, Horizon Air - Cloud Hosted Apps and Desktops, or Citrix-published resources, you use the Manage Desktop Applications menu in the Catalog tab.
You can manage global settings for integrated resources from the Catalog > Settings page. You can manage
settings for individual applications by selecting the application in the Catalog tab.
In the VMware Identity Manager service, you can add your organization's external Web applications and
entitle users to them.
To enable users to access a Web application through the service, verify that the following requirements are met:
- If you configure the Web application to use a federation protocol, use SAML 1.1, SAML 2.0, or WS-Federation 1.2. Configuring the Web application to use a federation protocol is not a requirement.
- The users you plan to entitle to the Web application are registered users of that application.
- If the Web application is a multitenant application, the service points to your instance of the application.
You can add Web applications to your catalog in the following ways.
- From the cloud application catalog. Popular enterprise Web application types are listed in the cloud application catalog. These applications are partially configured. You must complete the rest of the application record form.
- By creating a new application record. You can add Web applications to your catalog that are not listed in the cloud application catalog. The application record for these Web applications is more generic than that of cloud application catalog applications. You enter the application description and configuration information to create the application record.
- By importing an application bundle. You can import a Web application that you previously configured in the service. You might want to use this method to move a deployment from staging to production. In such a situation, you export a Web application from the staging deployment as a ZIP file. You then import the ZIP file to the production deployment.
After you add Web applications to the catalog, you can configure entitlements, access policies, licensing, and
provisioning information.
Web applications are added in the administration console. Log in with the administrator user role assigned
from your Active Directory or LDAP directory. The URL to log in to the administration console is
https://mycompany.vmwareidentity.com.
Add a Web Application to Your Catalog from the Cloud Application Catalog
The cloud application catalog is populated with Web applications. These applications include some
information in their application records. When you add a Web application to your catalog from the cloud
application catalog, you must provide additional information to complete the application record. You might
also need to work with your Web application account representatives to complete other required setup.
Many of the applications in the cloud application catalog use Security Assertion Markup Language (SAML 1.1 or SAML 2.0) to exchange authentication and authorization data to verify that users can access a Web application.
When you add a Web application to the catalog, you are creating an entry that points indirectly to the Web
application. The entry is defined by the application record, which is a form that includes a URL to the Web
application.
You can apply an access policy to control user access to the application. If you do not want to use the default
access policy, create a new one. See VMware Identity Manager Administration Guide for information about
managing access policies.
Procedure
1. Click Add Application > Web Application ...from the cloud application catalog, and select the Web application.
2. (Optional) Customize the information on the Details page for your organization's needs.
Items on the page are populated with information specific to the Web application. You can edit some of the items, depending on the application.
- Name and Description: Edit the name and description shown in the catalog as needed.
- Icon: Click Browse to upload an icon for the application. Icons in PNG, JPG, and ICON file formats, up to 4MB, are supported. Uploaded icons are resized to 80px x 80px. To prevent distortion, upload icons where the height and width are equal to each other and as close as possible to the 80px x 80px resize dimensions.
- Categories: To allow the application to appear in a category search of catalog resources, select a category from the drop-down menu. You must have created the category earlier.
3. Click Save.
4. Click Configuration, edit the application record's configuration details, and click Save.
Some of the items on the form are prepopulated with information specific to the Web application. Some of the prepopulated items are editable, while others are not. The information requested varies from application to application.
For some applications, the form has an Application Parameters section. If the section exists for an application and a parameter in the section does not have a default value, provide a value to allow the application to launch. If a default value is provided, you can edit the value.
5. Select the Entitlements, Access Policies, Licensing, and Provisioning tabs and customize the information as appropriate.
- Entitlements: Entitle users and groups to the application. You can configure entitlements while initially configuring the application or anytime in the future.
- Access Policies: Apply a Web application-specific access policy to control user access to the application.
- Licensing: Configure license tracking. Add license information for the application to track license use in reports.
- Provisioning: Configure provisioning for applications that support it, such as Google Apps.
What to do next
For details about adding user and group entitlements for Web applications, see Entitling Users and Groups to Web Applications.
Add a Web Application to Your Catalog by Creating a New Application Record
For a Web application that is not listed in the cloud application catalog, you create the application record yourself. The Details page has the same Name, Description, and Icon items as for cloud application catalog applications, plus an Authentication Profile item in which you select the federation protocol the application uses, such as SAML 2.0 POST Profile.
Procedure
1. In the Details page, enter the application name, description, and icon, select the Authentication Profile, and click Save.
2. In the Configuration page, edit the application record's configuration details as necessary, and click Save.
Some of the items on the form are prepopulated.
When the SAML 2.0 POST Profile is selected on the Details page, the Configuration page includes the Configure Via section. Use the options in the Configure Via section to specify how the application metadata is retrieved. You can select retrieval by auto-discovery URL, meta-data XML, or manual configuration.
- Auto-discovery URL: The service retrieves the application's SAML metadata from the URL you enter.
- Meta-data XML: You supply the application's SAML metadata XML directly.
- Manual configuration: If the XML metadata is not available to you, complete the XML manual configuration items.
3. Select the Entitlements, Access Policies, Licensing, and Provisioning tabs and customize the information as appropriate.
- Entitlements: Entitle users and groups to the application. You can configure entitlements while initially configuring the application or anytime in the future.
- Access Policies: Apply a Web application-specific access policy to control user access to the application.
- Licensing: Configure license tracking. Add license information for the application to track license usage in reports.
- Provisioning: Configure provisioning for applications that support it, such as Google Apps.
What to do next
See Entitling Users and Groups to Web Applications for details about adding user and group entitlements for Web applications.
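The Configure Via options differ only in how the application's SAML service-provider metadata reaches the service. Whichever route supplies it, that metadata is the source of every value the manual configuration asks for, and it is also what the service will trust for the assertion consumer URL and the application's signing certificate, so obtain it over HTTPS or from the vendor's signed download rather than from an unauthenticated source. The following script is an added example for this page, not part of this documentation and not VMware Identity Manager code. It extracts the manual-configuration values from SP metadata and flags two conditions that stop the SAML 2.0 POST profile from working: metadata with no HTTP-POST AssertionConsumerService, and metadata whose validUntil has passed. The metadata it parses is a constructed sample for a hypothetical app.example.com, and the certificate text inside it is a placeholder.

```python
"""Extract manual-configuration values from SAML 2.0 SP metadata.

Added example for this page; not VMware code. SAMPLE_METADATA is a
constructed sample for a hypothetical application (app.example.com) and
its certificate text is a placeholder, not a real X.509 certificate.
"""
import datetime as dt
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://app.example.com/saml/metadata"
    validUntil="2030-01-01T00:00:00Z">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIC-placeholder-not-a-real-certificate</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="https://app.example.com/saml/artifact"/>
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://app.example.com/saml/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def _saml_time(text):
    """xsd:dateTime in UTC ('...Z') to an aware datetime."""
    return dt.datetime.fromisoformat(text.replace("Z", "+00:00"))


def parse_sp_metadata(xml_text, now=None):
    """Return the fields needed to configure the SP by hand, or raise ValueError.

    `now` (ISO 8601 UTC string, or None for the current time) is compared
    with validUntil so stale metadata is flagged rather than trusted.
    """
    now_t = dt.datetime.now(dt.timezone.utc) if now is None else _saml_time(now)
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML EntityDescriptor")
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor: this is not service-provider metadata")

    # The SAML 2.0 POST profile needs an HTTP-POST endpoint; prefer the
    # one marked isDefault, then the lowest index.
    post_acs = [a for a in sp.findall("md:AssertionConsumerService", NS)
                if a.get("Binding") == POST_BINDING]
    if not post_acs:
        raise ValueError("no HTTP-POST AssertionConsumerService in metadata")
    post_acs.sort(key=lambda a: (a.get("isDefault") != "true", int(a.get("index", "0"))))
    acs = post_acs[0]

    # Certificates the SP signs with (use="signing" or unspecified use).
    certs = ["".join(c.text.split())
             for k in sp.findall("md:KeyDescriptor", NS)
             if k.get("use") in (None, "signing")
             for c in k.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)]
    signs_requests = sp.get("AuthnRequestsSigned") == "true"
    if signs_requests and not certs:
        raise ValueError("AuthnRequestsSigned is true but no signing certificate is published")

    valid_until = root.get("validUntil") or sp.get("validUntil")
    name_id = sp.find("md:NameIDFormat", NS)
    return {
        "entity_id": root.get("entityID"),
        "acs_url": acs.get("Location"),
        "acs_binding": acs.get("Binding"),
        "name_id_format": name_id.text.strip() if name_id is not None else None,
        "want_assertions_signed": sp.get("WantAssertionsSigned") == "true",
        "authn_requests_signed": signs_requests,
        "signing_certs": certs,
        "valid_until": valid_until,
        "expired": bool(valid_until) and _saml_time(valid_until) <= now_t,
    }


if __name__ == "__main__":
    for key, value in parse_sp_metadata(SAMPLE_METADATA).items():
        print(f"{key}: {value}")
```

The entity ID, ACS URL, NameID format and signing certificate returned here are the items the manual configuration form asks for. Run it against the real metadata before pasting values into the form, and treat an "expired" result the same way the service would: as metadata that must be re-fetched, not used.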
Import a Web Application
You can export a Web application that you configured in one deployment, such as staging, as a ZIP file and import it into another deployment, such as production.
Procedure
1. Log in to the administration console of the service from which to export a Web application.
2. Select the Web application in the Catalog tab, click Export, and save the ZIP file to your local system.
3. Log in to the administration console of the service in which to import the Web application.
4. Click Browse, browse to the location on your local system where you saved the application bundle as a ZIP file, select the file, and click Submit.
5. Edit the information on the Details, Configuration, Entitlements, Access Policies, Licensing, and Provisioning pages as necessary.
What to do next
For details about adding user and group entitlements for Web applications, see Entitling Users and Groups to Web Applications.
Entitling Users and Groups to Web Applications
You can entitle users and groups to a Web application either from the Web application's own Entitlements page or from the user's or group's page in the Users & Groups tab.
Access a Web application and add user or group entitlements to it
a. In the Catalog tab, click the Web application. The information page for the Web application appears with the Entitlements tab selected by default. Group entitlements are listed in one table, user entitlements are listed in another table.
b. Click Add group entitlement or Add user entitlement.
c. Type the names of the groups or users. You can search for users or groups by starting to type a search string and allowing the autocomplete feature to list the options, or you can click browse to view the entire list.
d. Use the drop-down menu to select how to activate each selected Web application.
   - Automatic displays the application by default in an entitled user's list of Web applications the next time that user logs in using the Workspace for Windows application.
   - User-Activated requires that an entitled user must add the Web application to their list of Web applications using the Workspace for Windows application before the user can use the Web application.
e. Click Save.
Access a user or group and add Web application entitlements to that user or group
a. Click the Users & Groups tab.
b. Click the Users or Groups tab.
c. Click the name of a user or group.
d. Click Add Entitlement.
e. Select the check boxes next to the Web applications to which you want to entitle the user or group.
f. Use the drop-down menu to select how to activate each selected Web application.
   - Automatic displays the application by default in an entitled user's list of Web applications the next time that user logs in using the Workspace for Windows application.
   - User-Activated requires that an entitled user must add the Web application to their list of Web applications using the Workspace for Windows application before the user can use the Web application.
g. Click Save.
The selected user or group is now entitled to use the Web application.
After you create the Google service account, enable Google Apps domain-wide delegation.
a. In the API Manager Credentials > Create credentials page, click Manage service accounts.
b. Click the
c. Select the Enable Google Apps Domain-wide Delegation checkbox, and click Save.
Delegate Google Apps domain-wide authority to your service account from the Security > Advanced Settings > Authentication > Manage API client access page in the Google Admin console. See the Google documentation for more information.
When you delegate domain-wide authority to the service account, enter the following comma-separated value in the One or More API Scopes field (shown here with one scope per line):
https://www.googleapis.com/auth/admin.directory.user.readonly,
https://www.googleapis.com/auth/admin.directory.user.alias.readonly,
https://www.googleapis.com/auth/admin.directory.user.alias,
https://www.googleapis.com/auth/admin.directory.user,
https://www.googleapis.com/auth/admin.directory.group.readonly,
https://www.googleapis.com/auth/admin.directory.group.member.readonly,
https://www.googleapis.com/auth/admin.directory.group.member,
https://www.googleapis.com/auth/admin.directory.group
You can now enable provisioning in the VMware Identity Manager service.
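Domain-wide delegation lets the service account obtain tokens that act as the Google Apps administrator, and the scope list above includes write access to users, aliases, groups, and group members, so the service account's private key is in effect a directory administrator credential and must be protected as one. The following code is an added example for this page, not VMware's provisioning adapter. It builds the JWT-bearer assertion a service account presents to Google's token endpoint under domain-wide delegation, where the sub claim names the impersonated administrator, and compares a granted scope list against exactly the scopes this page requires, so that any widening of the grant is visible. The service account and administrator identities are hypothetical. The RS256 signer is injected; the signer at the end is an HMAC stand-in so the example runs offline, and Google would not accept it.

```python
"""Domain-wide delegation: JWT-bearer assertion and scope check.

Added example for this page; not VMware code. Identities are hypothetical.
The real signer must be RS256 with the service account's private key; the
stand-in signer below only exists so the example runs offline.
"""
import base64
import hashlib
import hmac
import json
import time

TOKEN_URI = "https://oauth2.googleapis.com/token"
# Exactly the scopes this page tells you to grant in the Admin console.
REQUIRED_SCOPES = [
    "https://www.googleapis.com/auth/admin.directory.user.readonly",
    "https://www.googleapis.com/auth/admin.directory.user.alias.readonly",
    "https://www.googleapis.com/auth/admin.directory.user.alias",
    "https://www.googleapis.com/auth/admin.directory.user",
    "https://www.googleapis.com/auth/admin.directory.group.readonly",
    "https://www.googleapis.com/auth/admin.directory.group.member.readonly",
    "https://www.googleapis.com/auth/admin.directory.group.member",
    "https://www.googleapis.com/auth/admin.directory.group",
]


def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_delegation_assertion(service_account_email, admin_email, scopes,
                               signer, issued_at=None, lifetime=3600):
    """Return the JWT (header.payload.signature) for the JWT-bearer grant.

    `sub` is what makes this domain-wide delegation: the access token Google
    returns acts as admin_email, not as the service account. `signer` must
    produce an RS256 signature over the ASCII signing input; the lifetime is
    capped at the one hour Google allows.
    """
    iat = int(time.time() if issued_at is None else issued_at)
    header = {"alg": "RS256", "typ": "JWT"}
    claims = {
        "iss": service_account_email,
        "sub": admin_email,
        "scope": " ".join(scopes),
        "aud": TOKEN_URI,
        "iat": iat,
        "exp": iat + min(lifetime, 3600),
    }

    def enc(obj):
        return _b64url(json.dumps(obj, separators=(",", ":")).encode("utf-8"))

    signing_input = enc(header) + "." + enc(claims)
    return signing_input + "." + _b64url(signer(signing_input.encode("ascii")))


def decode_claims(jwt):
    """Read back the claim set for inspection (no signature check)."""
    return json.loads(_b64url_decode(jwt.split(".")[1]))


def scope_drift(granted_csv):
    """Compare the comma-separated scopes granted in the Admin console with
    REQUIRED_SCOPES. Anything in 'extra' widens what the key can do."""
    granted = {s.strip() for s in granted_csv.split(",") if s.strip()}
    required = set(REQUIRED_SCOPES)
    return {"missing": sorted(required - granted), "extra": sorted(granted - required)}


def hmac_stand_in_signer(key):
    """Offline stand-in for an RS256 signer. NOT accepted by Google."""
    return lambda data: hmac.new(key, data, hashlib.sha256).digest()


if __name__ == "__main__":
    token = build_delegation_assertion(
        "vidm-prov@example-project.iam.gserviceaccount.com",
        "admin@hs.trdot.com", REQUIRED_SCOPES, hmac_stand_in_signer(b"demo-key"))
    print(json.dumps(decode_claims(token), indent=2))
    print(scope_drift(",".join(REQUIRED_SCOPES) + ",https://www.googleapis.com/auth/admin.directory.domain"))
```

The assertion is posted to the token endpoint as grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer. Because every token minted this way carries the administrator's authority, keep the granted scopes to the list above and re-run the scope comparison whenever the Admin console entry is edited.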
Procedure
1. In the Provisioning page for the Google Apps application, enter the following information.
- Select Adapter: Select GoogleAppsProvisioningAdapter.
- AdminUsername: Your Google Apps administrator user name. Do not include the domain name. For example: admin
- ServiceAccount: The Google service account you created.
- Private Key: The private key for that service account.
- DomainName: Your Google Apps domain. Groups you provision must use email addresses in this domain.
- SuspendOnDeprovisioning: Select this option if you want users to be suspended in Google when you remove their entitlement to Google Apps.
- Enable Provisioning: Select this option to enable provisioning.
2. Click Save.
3. Select the attributes with which to provision users in Google by setting values for them.
The following attributes are required, and have default values: UserName, FirstName, LastName.
- For some attributes, mapped values can be specified per group. For example, the USERNAME attribute. Click +ADD to add a group. You can set different values for the groups. The groups are listed in order of precedence and you can change the order by clicking the blue up and down arrows. If a user belongs to more than one group in the list, then the value of the first group to which the user belongs is used. The ALL USERS group can be used to set a default value.
- The expressions in the VALUE drop-down list are the ones listed in the User Attributes page. If you want to add any expressions to the list, add them to the User Attributes page. You can also type in a value directly.
- For some attributes, you can specify multiple values. For example, you can specify multiple phone numbers for the PHONES attribute.
4. Click Save.
Provisioning is now enabled. When you entitle a user to Google Apps, if the user does not exist in Google, the user is created.
Note When you entitle a user to Google Apps, if you set the DEPLOYMENT field value to Automatic, the user is provisioned immediately. If you set the value to User-Activated, the user is provisioned when the user adds Google Apps to their My Apps portal.
Provision a Group in Google
Procedure
1. In the VMware Identity Manager administration console, click the Catalog tab.
2. In the Provisioning page, under the Provisioning section, click the Groups tab.
3. In the Add Group Provisioning dialog box, enter the following information.
- Group Name: Enter the name of the VMware Identity Manager group you want to provision in Google. You can start typing to search for a group.
- Group Email: Enter an email address for the group in Google. The group is created in Google with this email address. The email address must either be new or belong to an existing Google group. It must not belong to a user. If a group with this email address already exists in Google, members of the VMware Identity Manager group you selected are added to that group.
Important Ensure that the domain of the email address matches the domain you specified in the DomainName field in the Provisioning page.
4. Click Provision.
The group is provisioned in Google with the same name as the VMware Identity Manager group and the email address you specified. The provisioning status is displayed in the Groups tab in the Provisioning page.
What to do next
Verify that the group is provisioned in Google.
Deprovision a Group in Google
Procedure
1. In the VMware Identity Manager administration console, click the Catalog tab.
2. In the Provisioning page, under the Provisioning section, click the Groups tab.
3. Select the checkbox next to the group you want to deprovision and click Deprovision.
The group is deleted in Google. It is also removed from the Group Provisioning table in the VMware Identity Manager administration console.
Additional Information
Additional information is available on configuring SAML-based single sign-on to specific Web applications,
such as Office 365 and Google Apps.
See the VMware Identity Manager Integrations Documentation.
Providing Access to View, Horizon 6, or Horizon 7 Desktop and Application Pools
Supported Versions
VMware Identity Manager supports the following versions and features.
- Integrating independent View pods is supported for View 5.3 and later.
- Integrating pod federations, created using the Cloud Pod Architecture feature, is supported for Horizon 6.2 and later.
Also see the VMware Product Interoperability Matrix for the latest support information.
This chapter includes the following topics:
- Deployment Scenario
- Integrating Independent View Pods
- Integrating View Cloud Pod Architecture (CPA) Deployments
- Enabling Multiple Client Access URLs for Custom Network Ranges
- Viewing the Connection Information for View Desktop and Application Pools
- Viewing User and Group Entitlements to View Desktop and Application Pools
- Setting the Deployment Type for View Entitlements
- Viewing Launch Options for View Desktops and Applications
- Launching a View Desktop or Application
- Allowing Users to Reset Their View Desktops in VMware Identity Manager
- Reducing Resource Usage and Increasing Performance of VMware Identity Manager Desktop in Non-Persistent View Desktops
Deployment Scenario
You can integrate your on-premises View, Horizon 6, or Horizon 7 deployment with your
VMware Identity Manager tenant.
You need the following components: View Connection Server instances on premises, the VMware Identity Manager connector deployed on premises, and the VMware Identity Manager service (your tenant).
While deploying the on-premise components, ensure that the connector can communicate with the View
Connection Server instances.
All communication between the VMware Identity Manager service and the on-premise components is
through the connector. The connector and the service communicate over a communication channel that is
automatically set up during installation.
The following diagram depicts a VMware Identity Manager-View integration.
Figure 3-1. VMware Identity Manager and View Integration
(Diagram: on premises, the VMware Identity Manager connector retrieves resources and entitlements from the View Connection Servers and syncs them to the VMware Identity Manager service, the vIDM tenant.)
The integration requires the following configuration:
- Deploy View desktop and application pools, with entitlements set for Active Directory users and groups.
- Enable the userPrincipalName attribute in the VMware Identity Manager administration console, on the User Attributes page.
- Sync Active Directory users and groups who are entitled to View pools in View Connection Server instances to the VMware Identity Manager service using directory sync.
- Join VMware Identity Manager to the same Active Directory domain as View.
- Configure the SAML authenticator on the View Connection Server. You must always use the VMware Identity Manager FQDN on the Authenticator configuration page.
Set up View
To use View with VMware Identity Manager, you must first install and configure View.
VMware Identity Manager supports View 5.3 and later versions. Also, see the VMware Product Interoperability Matrix for the latest support information.
Note HTML Access is supported for Horizon 6.1.1 and later.
When you configure View, ensure that you meet the following requirements.
- Deploy View Connection Servers on the default port 443 or on a custom port.
- Verify that you have a DNS entry and an IP address that can be resolved during reverse lookup for each View Connection Server in your View setup. VMware Identity Manager requires reverse lookup for View Connection Servers, View Security Servers, and load balancers. If reverse lookup is not properly configured, the VMware Identity Manager integration with View fails.
- Deploy and configure View pools and desktops with entitlements set for Active Directory users and groups. Ensure that users have the correct entitlements.
- While configuring desktop pools,-ensure that in Remote Settings, you set the Automatically log off after disconnect option to 1 or 2 minutes instead of immediately.
- Ensure that you create View pools in the root folder of View. If you create View pools in a folder other than the root folder, VMware Identity Manager cannot query those View pools and entitlements.
- Extending the SAML metadata expiration period to 90 days on the View Connection Servers is recommended. See Change the Expiration Period for Service Provider Metadata on View Connection Server for information.
- Verify that you have an Active Directory domain name, username, and password, with the rights to join the domain. See "Integrating with Active Directory" in Installing and Configuring VMware Identity Manager for more information about joining a domain.
- Verify that the attribute userPrincipalName in the VMware Identity Manager User Attributes page is enabled. You can access this page in the administration console by clicking Identity & Access Management > Setup > User Attributes.
- Verify that users and groups with View Pool entitlements are synced to VMware Identity Manager using Directory sync.
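Because the integration fails when reverse lookup is misconfigured, it is worth checking every View Connection Server, Security Server, and load balancer name before you add a pod. The following script is an added example for this page, not VMware code. It resolves each name, reverses the resulting address, and confirms that the PTR record maps back to the same name, which is the round trip VMware Identity Manager depends on. The default resolvers are the system resolver; the dictionary-backed resolvers at the end are a constructed stand-in with hypothetical hosts in the HS.TRDOT.COM example domain used elsewhere on this page, so the check can be exercised offline and shows both failure modes: a stale PTR record and a missing one.

```python
"""Forward/reverse DNS consistency check for View hosts.

Added example for this page; not VMware code. The FAKE_* resolvers are a
constructed stand-in for DNS so the check can run offline; the default
arguments use the real system resolver.
"""
import socket


def check_reverse_lookup(hostname, forward=socket.gethostbyname, reverse=socket.gethostbyaddr):
    """Return (ok, detail) for one host.

    ok is True only when the name resolves to an address whose PTR record
    maps back to the same name. `forward` takes a name and returns an
    address; `reverse` takes an address and returns
    (primary_name, alias_list, address_list) like socket.gethostbyaddr.
    """
    name = hostname.lower().rstrip(".")
    try:
        ip = forward(name)
    except OSError as exc:
        return False, f"{name}: forward lookup failed ({exc})"
    try:
        ptr_name, aliases, _addrs = reverse(ip)
    except OSError as exc:
        return False, f"{name}: no PTR record for {ip} ({exc})"
    candidates = {ptr_name.lower().rstrip(".")} | {a.lower().rstrip(".") for a in aliases}
    if name not in candidates:
        return False, f"{name}: {ip} reverses to {ptr_name}, not to {name}"
    return True, f"{name}: {ip} <-> {ptr_name}"


def check_view_hosts(hostnames, **resolvers):
    """Check every host; return the list of failure details (empty means all passed)."""
    failures = []
    for host in hostnames:
        ok, detail = check_reverse_lookup(host, **resolvers)
        if not ok:
            failures.append(detail)
    return failures


# Constructed offline stand-in for DNS (hypothetical hosts).
FAKE_A = {
    "cs1.hs.trdot.com": "10.0.0.11",   # correct PTR
    "cs2.hs.trdot.com": "10.0.0.12",   # PTR still points at an old VM name
    "lb.hs.trdot.com": "10.0.0.20",    # no PTR record at all
}
FAKE_PTR = {
    "10.0.0.11": ("cs1.hs.trdot.com", [], ["10.0.0.11"]),
    "10.0.0.12": ("vm-old-name.hs.trdot.com", [], ["10.0.0.12"]),
}


def fake_forward(name):
    try:
        return FAKE_A[name]
    except KeyError:
        raise socket.gaierror(-2, "Name or service not known")


def fake_reverse(ip):
    try:
        return FAKE_PTR[ip]
    except KeyError:
        raise socket.herror(1, "Unknown host")


if __name__ == "__main__":
    for detail in check_view_hosts(sorted(FAKE_A), forward=fake_forward, reverse=fake_reverse):
        print("FAIL", detail)
```

Run check_view_hosts with the default resolvers against the real host names from the machine that hosts the connector, since that is the resolver the integration will use. Fix every reported entry in DNS before adding the pod rather than working around it with hosts-file entries.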
Join VMware Identity Manager to the Active Directory Domain
Procedure
1. In the administration console, click the Identity & Access Management tab, then click Setup.
2. In the Connectors page, click Join Domain next to the appropriate directory.
3. Type the information for the Active Directory domain and click Join Domain. Do not use non-ASCII characters when you enter your domain information.
- Domain: Type the fully qualified domain name of the Active Directory. An example is HS.TRDOT.COM.
Note The Active Directory FQDN must be in the same domain as the View Connection Server. Otherwise, your deployment fails.
- Domain User: The user name of an account with the rights to join the domain.
- Domain Password: The password for that account.
To configure View integration in a multi-domain environment, verify that VMware Identity Manager and the View servers are joined to the same domain.
What to do next
Add View pods to VMware Identity Manager.
Add View Pods to VMware Identity Manager
Procedure
1. In the administration console, click the Catalog tab and select Manage Desktop Applications.
2. Click Add View Pod for each View pod you want to add, and enter the following information.
- Connection Server: Enter the fully qualified hostname of the View Connection Server instance, such as viewconnectionserver.example.com. The domain name must match exactly the domain name to which you joined the View Connection Server instance.
- Username and Password: The credentials VMware Identity Manager uses to connect to the View Connection Server instance.
- Smart card authentication: If users use smart card authentication to sign in to this View pod instead of passwords, select the check box.
- Suppress Password Popup: This option only applies to Horizon versions that support the Certificate SSO feature. When Certificate SSO is configured in View, users do not require a password to log into their Windows desktops. However, if users are logged into VMware Identity Manager using a non-password authentication method such as SecurID, when they launch their Windows desktops, they are prompted for a password. You can select this option to prevent a password dialog box from being shown to users in that scenario.
- Sync Local Entitlements: If local entitlements are configured for the pod, select this option.
3. From the Deployment Type drop-down list, select how View resources are made available to users in the user portal.
- User-Activated: VMware Identity Manager adds View resources to the Catalog page in the user portal. To use a resource, users must move the resource from the Catalog page to the Launcher page.
- Automatic: VMware Identity Manager adds the resources directly to the Launcher page in the user portal for users' immediate use.
The deployment type that you select here is a global setting that applies to all user entitlements for all the resources in your View integration. You can modify the deployment type for individual users or groups per resource, from the resource's Entitlements page.
Setting the global deployment type to User-Activated is recommended. You can then modify the setting for specific users or groups per resource.
For more information about setting the deployment type, see Setting the Deployment Type for View Entitlements.
4. Select Do not sync duplicate applications to prevent duplicate applications from being synced from multiple servers.
When VMware Identity Manager is deployed in multiple data centers, the same resources are set up in the multiple data centers. Checking this option prevents duplication of the desktop or application pools in your VMware Identity Manager catalog.
5. Select how often you want this information to sync from the View Connection Server.
6. Click Save.
7. Click the Identity & Access Management tab, then click Setup, and open the network range you want to edit.
8. In the Edit Network Range page, in the View Pod section, enter the View Pod client access URL host name and port number for that network range.
9. In the IP Ranges section, specify the IP ranges to which you want to apply the settings.
10. Click Save.
See also Enabling Multiple Client Access URLs for Custom Network Ranges.
Configure SAML Authentication on the View Connection Servers
1. Log in to the View Administrator Web interface as a user with the Administrator role assigned.
2. Configure SAML authentication for each View Connection Server instance in your View deployment. You must use your VMware Identity Manager service's fully qualified domain name on the Authenticator configuration page.
Important View and VMware Identity Manager must be in time sync. If View and VMware Identity Manager are not in time sync, launching a View application or desktop fails with an invalid SAML message error.
What to do next
You must establish and maintain SSL Trust between VMware Identity Manager and the View Connection
Server.
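The time-sync requirement exists because the View Connection Server, acting as the SAML service provider, rejects any assertion whose validity window (the NotBefore and NotOnOrAfter attributes set by VMware Identity Manager) does not contain its own clock reading. The following check is an added example for this page, not VMware's or View's code. It evaluates an assertion's Conditions, AudienceRestriction, and bearer SubjectConfirmationData against a relying party's clock with a small skew allowance, and shows how a relying party whose clock is a few minutes off rejects a freshly issued assertion. The assertion, issuer, and audience values are constructed for hypothetical hosts; the two-minute skew is an assumed policy of the example; and the example does not verify the XML signature, which a real relying party must do before trusting any of these values.

```python
"""Evaluate SAML 2.0 assertion validity conditions against a relying
party's clock with a skew allowance.

Added example for this page; not VMware or View code. The assertion is a
constructed, unsigned sample for hypothetical hosts. Signature verification
is deliberately out of scope and must happen first in real use.
"""
import datetime as dt
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed: issued at 12:00:00Z, valid for five minutes.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1b2c3" Version="2.0" IssueInstant="2025-06-01T12:00:00Z">
  <saml:Issuer>https://vidm.example.com/saml/idp</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jdoe@example.com</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData NotOnOrAfter="2025-06-01T12:05:00Z"
          Recipient="https://view.example.com/saml/acs"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2025-06-01T12:00:00Z" NotOnOrAfter="2025-06-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://view.example.com/saml/sp</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>
"""

EXPECTED_ISSUER = "https://vidm.example.com/saml/idp"    # the configured authenticator
EXPECTED_AUDIENCE = "https://view.example.com/saml/sp"   # this relying party's entity ID


def _saml_time(text):
    """xsd:dateTime in UTC ('...Z') to an aware datetime."""
    return dt.datetime.fromisoformat(text.replace("Z", "+00:00"))


def check_assertion(xml_text, now, issuer=EXPECTED_ISSUER,
                    audience=EXPECTED_AUDIENCE, skew_seconds=120):
    """Return (accepted, reason). `now` is the relying party's clock as an
    ISO 8601 UTC string; skew_seconds is the tolerated clock difference."""
    rp_now = _saml_time(now)
    skew = dt.timedelta(seconds=skew_seconds)
    root = ET.fromstring(xml_text)

    got_issuer = (root.findtext("saml:Issuer", namespaces=NS) or "").strip()
    if got_issuer != issuer:
        return False, f"issuer {got_issuer!r} is not the configured authenticator"

    cond = root.find("saml:Conditions", NS)
    if cond is None:
        return False, "no Conditions element"
    not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    # A relying party whose clock lags the issuer sees NotBefore in the future.
    if not_before and rp_now + skew < _saml_time(not_before):
        return False, f"not yet valid: NotBefore={not_before}, relying party clock={now}"
    # A relying party whose clock runs ahead sees the window already closed.
    if not_on_or_after and rp_now - skew >= _saml_time(not_on_or_after):
        return False, f"expired: NotOnOrAfter={not_on_or_after}, relying party clock={now}"

    audiences = [a.text.strip() for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if audiences and audience not in audiences:
        return False, f"audience {audiences} does not include {audience}"

    # Bearer confirmation carries its own deadline, checked the same way.
    for scd in root.findall("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS):
        limit = scd.get("NotOnOrAfter")
        if limit and rp_now - skew >= _saml_time(limit):
            return False, f"bearer confirmation expired at {limit}"
    return True, "accepted"


if __name__ == "__main__":
    for clock in ("2025-06-01T12:01:00Z", "2025-06-01T11:55:00Z", "2025-06-01T12:10:00Z"):
        print(clock, check_assertion(SAMPLE_ASSERTION, clock))
```

With the issuer's clock at 12:00 and a five-minute window, a relying party five minutes behind rejects the assertion as not yet valid and one ten minutes ahead rejects it as expired, even though the assertion is genuine. That is the "invalid SAML message" failure the note above describes, and the fix is NTP on both sides rather than a wider skew allowance.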
Establish or Update SSL Trust between VMware Identity Manager and the View
Connection Server
Initially, you must accept an SSL certificate on the View Connection server to establish trust between
VMware Identity Manager and the View Connection server. If you change an SSL certificate on the View
Connection server after the integration, you must return to VMware Identity Manager and reestablish that
trust.
Prerequisites
- Verify that View has an SSL certificate installed. By default, View has a self-signed certificate.
- In View, change the certificate of the View Connection Server to a root-signed certificate. See the VMware View documentation for information about configuring a View Connection Server instance or Security Server to use a new certificate.
- Configure SAML authentication on the View Connection Server. You must always use the VMware Identity Manager FQDN on the authenticator configuration page.
Note If you use a third-party identity provider to access View desktops from VMware Identity Manager, SAML authentication on the View Connection Server must be set to allowed.
Procedure
1. In the VMware Identity Manager administration console, click the Catalog tab.
2. Click the Update SSL Cert link next to the Replicated Server Group and accept the certificate. Compare the presented certificate with the one installed on the View Connection Server before you accept it.
If the VMware Identity Manager certificate changes after the initial configuration, you must accept the SAML Authenticator from View again. If the View certificate changes, you must accept the SSL certificate in VMware Identity Manager.
Integrating View Cloud Pod Architecture (CPA) Deployments
Figure: Independent Pod and CPA Federation
(Diagram: Site B contains an independent pod, Pod 1, and a CPA federation made up of Pod 2 and Pod 3. Each pod has two View Connection Servers, VCS 1 through VCS 6, kept consistent by LDAP replication within the pod; the pods in the federation are linked by global LDAP replication.)
The View Cloud Pod Architecture feature links together multiple View pods to form a single large desktop
and application brokering and management environment called a pod federation. A pod federation can
span multiple sites and data centers.
You can integrate one or more pod federations with the VMware Identity Manager service. Note that pod
federations are created and managed in View, and that user and group entitlements to the pod federation's
desktops and application pools are set in View. You sync the resources and entitlements to
VMware Identity Manager.
Pod federations have global entitlements, which enable you to entitle users to desktops and applications
which can be accessed from any pod in the pod federation. A global entitlement can consist of resources
from multiple pods in the federation. For example, a global desktop entitlement might contain desktop
pools from three different pods in three different data centers. Individual pods in the pod federation can
also have local entitlements configured. You can sync both global and local entitlements to
VMware Identity Manager.
Integrating a View pod federation with the VMware Identity Manager service involves the following high-level tasks in the VMware Identity Manager administration console:
- Add all the pods that form the pod federation, specifying View Connection Server details for each. While VMware Identity Manager can sync global entitlements from any one of the pods in the pod federation, it needs to connect to each pod to sync metadata required for SAML authentication. It also needs to connect to the pods to sync local entitlements, if applicable.
- Add the pod federation details and specify the global launch URL. The global launch URL, typically the global load balancer URL, is used to launch globally-entitled desktops and applications. You can customize the global launch URL for specific network ranges, for example for internal and external access.
- Sync resources and entitlements from the pod federation to the VMware Identity Manager service.
Note Only global entitlements that have the All Sites scope policy in a pod federation are synced. The All Sites scope policy sets the scope of the search for an application or desktop to all the pods across the pod federation.
- Customize the global launch URL by setting client access URLs for specific network ranges. These URLs are used to launch globally-entitled resources from the pod federation. By default, the global launch URL you specify while adding the federation is used as the global launch URL for all network ranges.
- Specify client access URLs for each pod in the pod federation that has local entitlements configured. These URLs are used to launch locally-entitled desktops and applications from the pod. A client access URL can be a View Connection Server URL, a Security Server URL, or a load balancer URL. Client access URLs are set for specific network ranges. By default, the View Connection Server you specify while adding the pod is used as the client access URL for all network ranges.
When you integrate a pod federation with the VMware Identity Manager service, the service does the following:
- Syncs all global entitlements that have the All Sites scope policy from the pod federation.
- Syncs local entitlements, if selected, from the pods that are part of the pod federation.
- Syncs metadata from all the View Connection Servers in the pod federation.
- Allows end users to access their View applications and desktops from the My Apps portal.
End users can access their View applications and desktops from the My Apps portal. All the resources to which they are entitled, whether through global entitlements or local entitlements, are displayed. Applications and desktops are launched in the Horizon Client. When a user launches a locally-entitled application or desktop, it is launched from the View Connection Server to which the user connects. Globally-entitled resources are launched from the View Connection Server in which the resource is located.
Figure: Sample Pod Federation Deployment
(Diagram: Federation 1 (F1) contains Pod 1 (P1), Pod 2 (P2), and Pod 3 (P3). Pod 1 and Pod 2 each have Connection Servers paired with Security Servers behind an external load balancer, URL E1 and URL E2, and Connection Servers behind an internal load balancer, URL I1 and URL I2. Pod 3 has Connection Servers behind an internal load balancer only, URL I3. The federation as a whole has an external global load balancer, URL EG, and an internal global load balancer, URL IG. The on-premises connector performs a global sync through the API and a local sync from each pod, Sync 1 through Sync 4, to the VMware Identity Manager service.)
This diagram depicts a sample pod federation deployment. A pod federation, named Federation 1, is created
in Horizon 6. It has three pods, Pod 1, Pod 2, and Pod 3. Pod 1 and Pod 2 are configured with Security Server
instances for each View Connection Server and an external load balancer for external access, and with an
internal load balancer for internal access. Pod 3 is configured for only internal access with an internal load
balancer. The pod federation as a whole has an external global load balancer and an internal global load
balancer.
Desktop and application pools are deployed on the pods. Global entitlements are configured for Federation
1 and local entitlements are also configured for the individual pods.
Federation 1 is integrated with the VMware Identity Manager service. The VMware Identity Manager
service syncs global entitlements as well as local entitlements from Federation 1. Because global entitlements
are replicated in each pod, it syncs global entitlements from Pod 1. It also syncs local entitlements from Pod
1, Pod 2, and Pod 3.
End users can view all the desktops and applications to which they are entitled, whether through global
entitlements or local entitlements, in the VMware Identity Manager My Apps portal. When a user launches
a desktop or application, if it is part of a global entitlement, the launch request goes to the external or
internal global load balancer, URL EG or URL IG, based on the network range of the user. If the resource is
from a local entitlement, the launch request goes to the internal or external load balancer of the pod on
which the resource is deployed, based on the network range of the user. For example, for a resource on Pod
2, the request goes to URL I2 or URL E2.
VMware Identity Manager supports the Cloud Pod Architecture feature in Horizon 6.2 and later, for
both applications and desktops.
You can integrate a maximum of 10 pod federations with the VMware Identity Manager service. Each
federation can contain up to 7 pods.
Deploy View Connection Server instances on the default port 443 or on a custom port.
Verify that you have a DNS entry and an IP address that can be resolved during reverse lookup for each
View Connection Server instance in your View environment. VMware Identity Manager requires
reverse lookup for View Connection Server, View Security Server, and load balancer instances. If
reverse lookup is not properly configured, the VMware Identity Manager integration with View fails.
The VMware Identity Manager connector, a component of the service, must be able to reach all the
View Connection Server instances in the pod federation.
All the View Connection Server instances in the pod federation must have SAML authentication
configured, with the VMware Identity Manager service specified as the identity provider. You must use
the service's fully-qualified domain name as part of the URL.
See Configure SAML Authentication, on page 26 for more information.
Extending the SAML metadata expiration period to 90 days on the View Connection Server instances is
recommended. See Change the Expiration Period for Service Provider Metadata on View Connection
Server for information.
While configuring desktop pools, ensure that in Remote Settings, you set the Automatically log off
after disconnect option to 1 or 2 minutes instead of immediately.
Ensure that you create View pools in the root folder of View. If you create View pools in a folder
other than the root folder, VMware Identity Manager cannot query those View pods and
entitlements.
If you add or remove application or desktop pools after integrating with VMware Identity Manager, for
the changes to appear in the VMware Identity Manager service, you must sync again.
You must create the pod federation in your View environment, by initializing the Cloud Pod
Architecture feature from one of the pods and joining all the other pods to the federation, before
integrating with the VMware Identity Manager service. Global entitlements are replicated to pods when
they join the federation.
If you join or remove a pod from the pod federation after you integrate with the
VMware Identity Manager service, you must edit the pod federation details in the
VMware Identity Manager administration console to add or remove the pod, save your changes, and
sync again.
In your View environment, create global entitlements in the pod federation to entitle Active Directory
users or groups to desktops and applications.
The global entitlements that you want to sync to VMware Identity Manager must have the All sites
scope policy set. Entitlements with any other scope policy are not synced.
To enable end users to launch desktops or applications in a Web browser, select the HTML Access option
for the global entitlement in View.
For more information about configuring View, see the Horizon 6 or Horizon 7 documentation.
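The reverse-lookup requirement above is easy to get wrong in a lab and hard to diagnose once the integration fails, so here is an added check script (not VMware code) that resolves each View Connection Server, Security Server or load balancer name forward, resolves the address back, and reports any host whose PTR record does not match. The hostnames and addresses in the demo table are constructed; the resolver functions are injectable so the check can be run offline against that table as well as against real DNS.

```python
"""Forward/reverse DNS consistency check for the View Connection Server,
Security Server and load balancer hostnames in a pod federation.

Added example; not VMware code. The demo hostnames are constructed.
Resolver functions are injectable so the check can run offline."""
import socket
from typing import Callable, Dict, Tuple

ForwardResolver = Callable[[str], str]
ReverseResolver = Callable[[str], Tuple[str, list, list]]


def _canon(name: str) -> str:
    """Lower-case a hostname and strip a trailing dot so names compare cleanly."""
    return name.lower().rstrip(".")


def check_reverse_lookup(
    fqdn: str,
    forward: ForwardResolver = socket.gethostbyname,
    reverse: ReverseResolver = socket.gethostbyaddr,
) -> Tuple[bool, str]:
    """Resolve fqdn to an address, resolve the address back to a name, and
    require that the PTR name (or one of its aliases) equals fqdn.

    Returns (ok, detail). ok is False when either lookup fails or the reverse
    name does not match, which is the condition that breaks the integration."""
    try:
        ip = forward(fqdn)
    except OSError as exc:  # socket.gaierror / socket.herror are OSError subclasses
        return False, f"{fqdn}: forward lookup failed ({exc})"
    try:
        ptr_name, aliases, _addrs = reverse(ip)
    except OSError as exc:
        return False, f"{fqdn} -> {ip}: reverse lookup failed ({exc})"
    names = {_canon(ptr_name)} | {_canon(a) for a in aliases}
    if _canon(fqdn) in names:
        return True, f"{fqdn} -> {ip} -> {ptr_name}"
    return False, f"{fqdn} -> {ip} -> {ptr_name}: PTR record does not match"


def check_hosts(hosts, forward=socket.gethostbyname, reverse=socket.gethostbyaddr) -> Dict[str, Tuple[bool, str]]:
    """Run check_reverse_lookup over every host; maps host -> (ok, detail)."""
    return {h: check_reverse_lookup(h, forward, reverse) for h in hosts}


def table_resolvers(forward_map: Dict[str, str], reverse_map: Dict[str, str]):
    """Build resolver functions from fixed dictionaries (for offline use).
    A name missing from forward_map or an address missing from reverse_map
    raises the same OSError subclasses a real NXDOMAIN / missing PTR would."""
    def forward(name):
        try:
            return forward_map[_canon(name)]
        except KeyError:
            raise socket.gaierror(f"no A record for {name}")

    def reverse(ip):
        try:
            return reverse_map[ip], [], [ip]
        except KeyError:
            raise socket.herror(f"no PTR record for {ip}")
    return forward, reverse


# Constructed demo table: one correct host, one whose PTR points at a stale
# name, and one with no PTR record at all.
DEMO_FORWARD = {"cs1.example.com": "10.0.0.5", "sec1.example.com": "10.0.0.7", "lb.example.com": "10.0.0.9"}
DEMO_REVERSE = {"10.0.0.5": "cs1.example.com", "10.0.0.9": "old-lb.example.com"}


if __name__ == "__main__":
    import sys
    # With hostnames on the command line the real resolver is used; with none, the demo table.
    hosts = sys.argv[1:] or list(DEMO_FORWARD)
    fwd, rev = (socket.gethostbyname, socket.gethostbyaddr) if sys.argv[1:] else table_resolvers(DEMO_FORWARD, DEMO_REVERSE)
    for host, (ok, detail) in check_hosts(hosts, fwd, rev).items():
        print("OK  " if ok else "FAIL", detail)
```

Run it with the FQDNs of every Connection Server, Security Server and load balancer before starting the integration; any FAIL line is a name to fix in DNS first.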
You have a username and password with the rights to join the Active Directory domain that is used
with View. For more information about the rights required to join a domain, see "Integrating with
Active Directory" in Installing and Configuring VMware Identity Manager.
Procedure
1
Verify that the attribute userPrincipalName in the VMware Identity Manager User Attributes page is
marked required.
a
In the administration console, click the Identity & Access Management tab.
If the Required checkbox for the userPrincipalName attribute is not selected, select it.
Important You must do this before you create the VMware Identity Manager directory. User
attributes cannot be changed to required after the directory is created.
Sync the users and groups that have global or local entitlements in your View environment from Active
Directory to the VMware Identity Manager service through directory sync.
a
To view current users and groups, click the Users & Groups tab.
Join the VMware Identity Manager directory to the same Active Directory domain as View.
a
Type the information for the Active Directory domain and click Join Domain. Do not use non-ASCII characters when you enter your domain information.
Option
Description
Domain
Type the fully qualified domain name of the Active Directory. For
example, hs.example.com.
Note The Active Directory FQDN must be in the same domain as the
View Connection Server instances. Otherwise, your deployment fails.
Domain User
Domain Password
Verify that VMware Identity Manager and the View servers are joined to the same domain.
Set up your View environment following the requirements described in Requirements for Integrating
View Pod Federations, on page 30.
Set up your VMware Identity Manager instance according to the requirements described in Set up
Your VMware Identity Manager Environment, on page 31.
Procedure
In the Pods and Sync tab, select the Enable View Pools checkbox, if it is not already checked.
Add all the View pods that are part of the cloud pod federation, one at a time.
a
Description
Connection Server
Enter the fully qualified domain name (FQDN) of the View Connection
Server instance, for example, pod5server.example.com. The domain
name must match the domain name to which you joined the View
Connection Server instance.
Username
Password
Sync Local Entitlements
If local entitlements are configured for the pod, select this checkbox.
For example:
Repeat these steps until you have added all the pods in the cloud pod federation.
Click Save.
Replicated servers in each pod are displayed.
Click the Federation tab and select the Enable CPA Federations checkbox.
In the Federation Name field, type the name of the cloud pod federation.
In the Launch URL field, type the global launch URL to be used to launch globally-entitled desktops or
applications. For example, federationA.example.com.
The launch URL is typically the global load balancer URL of the cloud pod federation. You can
customize the launch URL for specific network ranges later in the configuration process.
10
Click Add Pod and select all the pods that are part of the cloud pod federation, one at a time.
11
Click Save.
12
Click the Pods and Sync tab, scroll to the bottom of the page, and set the deployment and sync options
for your configuration.
Option
Description
Deployment type
Select how View resources are made available to users in the user portal.
- User-Activated: VMware Identity Manager adds View resources to the Catalog page in the user portal. To use a resource, users must move the resource from the Catalog page to the Launcher page.
- Automatic: VMware Identity Manager adds the resources directly to the Launcher page in the user portal for users' immediate use.
The deployment type that you select here is a global setting that applies to
all user entitlements for all the resources in your View integration. You can
modify the deployment type for individual users or groups per resource,
from the resource's Entitlements page.
Setting the global deployment type to User-Activated is recommended.
You can then modify the setting for specific users or groups per resource.
For more information about setting the deployment type, see Setting the
Deployment Type for View Entitlements, on page 39.
Select this option if you want to prevent duplicate applications from being
synced from multiple servers. When VMware Identity Manager is
deployed in multiple data centers, the same resources are set up in the
multiple data centers. Selecting this option prevents duplication of the
desktop or application pools in your VMware Identity Manager catalog.
Select how often you want View resources and entitlements to sync. You
can set up a regular sync schedule or choose to sync manually. If you
choose Manually, you must return to this page and click Sync Now
whenever there is a change in your View resources or entitlements.
13
Click Save.
14
15
16
Click the Identity & Access Management tab and click Setup on the right of the page.
17
18
Customize launch URLs for specific network ranges. For example, different launch URLs are typically
set for internal and external access.
a
Select a network range. You can select an existing network range or create a new one. You can also
edit the default ALL RANGES network range.
The Edit Network Range page is displayed. The View CPA federation section lists the global
launch URL of the pod federation you added in the Federation tab. If you added multiple pod
federations, all are listed. The View Pod section lists all the View pods from the Pods and Sync tab
that have the Sync Local Entitlements option selected.
In the View CPA federation section, for the global launch URL, specify the fully-qualified domain
name of the server to which to direct launch requests for global entitlements that come from this
network range. This is typically the global load balancer URL of the View pod federation
deployment.
For example: lb.example.com
The global launch URL is used to launch globally-entitled resources.
In the View Pod section, for each of the View pod instances, specify the fully-qualified domain
name of the server to which to direct launch requests for local entitlements that come from this
network range. You can specify a View Connection Server instance, a load balancer, or a security
server. For example, if you are editing a range that provides internal access, you would specify the
internal load balancer for the pod.
For example: lb.example.com
The client access URL is used to launch locally-entitled resources from the pod.
See also Enabling Multiple Client Access URLs for Custom Network Ranges, on page 37.
Log in to the View Administrator Web interface as a user with the Administrator role assigned.
Configure SAML authentication for each View Connection Server instance in your View deployment.
You must use your VMware Identity Manager service's fully-qualified domain name on the
Authenticator configuration page.
Important View and VMware Identity Manager must be in time sync. If View and
VMware Identity Manager are not in time sync, when you try to launch a View application or desktop,
an invalid SAML message occurs.
What to do next
You must establish and maintain SSL Trust between VMware Identity Manager and the View Connection
Server.
Establish or Update SSL Trust between VMware Identity Manager and the View
Connection Server
Initially, you must accept an SSL certificate on the View Connection server to establish trust between
VMware Identity Manager and the View Connection server. If you change an SSL certificate on the View
Connection server after the integration, you must return to VMware Identity Manager and reestablish that
trust.
Prerequisites
n
Verify that View has an SSL certificate installed. By default, View has a self-signed certificate.
In View, change the certificate of the View Connection Server to a root-signed certificate. See the
VMware View documentation for information about configuring a View Connection server instance or
Security Server to use a new certificate.
Configure SAML authentication on the View Connection server. You must always use the
VMware Identity Manager FQDN on the authenticator configuration page.
Note If you use a third-party identity provider to access View desktops from
VMware Identity Manager, SAML authentication on the View Connection server must be set to allowed.
Procedure
1
In the VMware Identity Manager administration console, click the Catalog tab.
Click the Update SSL Cert link next to the Replicated Server Group.
If the VMware Identity Manager certificate changes after the initial configuration, you must accept the
SAML Authenticator from View again. If the View certificate changes, you must accept the SSL certificate in
VMware Identity Manager.
Specify the client access URL and port in the Client Access URL Host and URL Port fields, using your
company's configuration.
For example: pod6.mycompany.com
Verify that each network range in your environment contains a client access URL.
Important If you miss a network range, end users who launch through that network range might
have problems.
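The routing rule described in the Federation 1 walkthrough (global entitlements go to the global load balancer URL for the user's network range, local entitlements to the pod's client access URL for that range, with the value entered when the federation or pod was added as the fallback) and the "verify that each network range contains a client access URL" check above are modelled in this added example. It is not VMware code: the data classes, the longest-prefix matching of a client address to a network range, and every host name are assumptions constructed for the illustration.

```python
"""Model of launch-request routing by network range, plus a check for ranges
that fall back to the default URL for a federation or pod.

Added example; not VMware code. Data classes, CIDR matching and all host
names are constructed assumptions."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Federation:
    name: str
    launch_url: str  # global launch URL entered on the Federation tab (default for all ranges)


@dataclass
class Pod:
    name: str
    connection_server: str  # server entered when the pod was added (default client access URL)
    sync_local_entitlements: bool = False


@dataclass
class NetworkRange:
    name: str
    cidrs: List[str] = field(default_factory=list)  # empty list == the default ALL RANGES range
    federation_urls: Dict[str, str] = field(default_factory=dict)  # federation name -> global launch URL
    pod_urls: Dict[str, str] = field(default_factory=dict)  # pod name -> client access URL


def match_range(ranges: List[NetworkRange], client_ip: str) -> NetworkRange:
    """Pick the most specific (longest-prefix) range containing client_ip,
    falling back to the range with no CIDRs (ALL RANGES)."""
    ip = ipaddress.ip_address(client_ip)
    best: Optional[NetworkRange] = None
    best_len = -1
    for rng in ranges:
        for cidr in rng.cidrs:
            net = ipaddress.ip_network(cidr, strict=False)
            if ip in net and net.prefixlen > best_len:
                best, best_len = rng, net.prefixlen
    if best is None:
        best = next(r for r in ranges if not r.cidrs)
    return best


def launch_host(ranges, client_ip, *, federation: Optional[Federation] = None, pod: Optional[Pod] = None) -> str:
    """Return the host a launch request goes to. Pass federation= for a
    globally-entitled resource, pod= for a locally-entitled one. A per-range
    URL wins; otherwise the value given when the federation or pod was added."""
    if (federation is None) == (pod is None):
        raise ValueError("pass exactly one of federation= or pod=")
    rng = match_range(ranges, client_ip)
    if federation is not None:
        return rng.federation_urls.get(federation.name, federation.launch_url)
    return rng.pod_urls.get(pod.name, pod.connection_server)


def ranges_using_defaults(ranges, pods, federations) -> List[Tuple[str, str]]:
    """List (range, resource) pairs with no explicit URL for that range, so
    launches from the range silently fall back to the default (for example an
    internal range sending users to the external load balancer). Only pods
    that sync local entitlements matter."""
    gaps = []
    for rng in ranges:
        for fed in federations:
            if fed.name not in rng.federation_urls:
                gaps.append((rng.name, fed.name))
        for pod in pods:
            if pod.sync_local_entitlements and pod.name not in rng.pod_urls:
                gaps.append((rng.name, pod.name))
    return gaps


# Constructed sample mirroring the Federation 1 / Pod 1-3 deployment described above.
FED1 = Federation("Federation 1", "eg.example.com")
PODS = [Pod("Pod 1", "cs1.example.com", True), Pod("Pod 2", "cs2.example.com", True), Pod("Pod 3", "cs3.example.com", True)]
RANGES = [
    NetworkRange("ALL RANGES", [], {"Federation 1": "eg.example.com"},
                 {"Pod 1": "e1.example.com", "Pod 2": "e2.example.com"}),  # Pod 3 deliberately left out
    NetworkRange("Internal", ["10.0.0.0/8"], {"Federation 1": "ig.example.com"},
                 {"Pod 1": "i1.example.com", "Pod 2": "i2.example.com", "Pod 3": "i3.example.com"}),
]

if __name__ == "__main__":
    print(launch_host(RANGES, "10.1.2.3", federation=FED1))   # ig.example.com
    print(launch_host(RANGES, "203.0.113.5", pod=PODS[1]))   # e2.example.com
    print(launch_host(RANGES, "203.0.113.5", pod=PODS[2]))   # cs3.example.com (fell back to the default)
    print(ranges_using_defaults(RANGES, PODS, [FED1]))        # [('ALL RANGES', 'Pod 3')]
```

The last call is the check worth automating: a pod that is missing from a range does not produce an error in the console, it just sends that range's users to whatever server was entered when the pod was added.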
To view desktop pools, click Any Application Type > View Desktop Pools. To view application pools,
click Any Application Type > View Hosted Applications.
View the connection information, which consists of attributes retrieved from the View Connection
Server instance.
See the View documentation for details about these attributes.
Synchronize information and the respective entitlements from the View Connection Server instances to
VMware Identity Manager. You can force a sync on the View Pools page in the connector service admin,
by clicking Sync Now.
Procedure
1
View user and group entitlements to View desktop and application pools.
Option
Action
a
b
Global level
The global setting applies to all user entitlements for all the View resources in your deployment. You
specify the global deployment type when you first integrate View resources with VMware Identity
Manager from the View Pools page. After the initial integration, you can modify the global setting from
the same page. Note that if you change the global setting after the initial integration, the new setting
only applies to new entitlements that are synced. To modify existing entitlements, you can change the
setting at the individual resource level.
Note Setting the global deployment type to User-Activated is recommended. In typical scenarios, you
set the global setting to User-Activated, and then modify it to Activated for specific user and group
entitlements.
During sync, the deployment type for existing entitlements is not changed. For new entitlements in the sync,
the global setting is applied.
Note Once a resource has been activated, that is, once it appears in the Launcher page for a user, it will
continue to appear in the Launcher page unless the user deletes it. Any changes to the deployment type will
not remove it from the Launcher page.
Procedure
1
To set the deployment type at the global level, follow these steps.
a
Click the Catalog tab and select Manage Desktop Applications > View Application.
Click Save.
The setting will be applied to all new entitlements beginning with the next sync.
To set the deployment type for a specific user or group entitlement, follow these steps.
a
In the Edit User Entitlement dialog box, select the deployment type for the entitlement.
Click Save.
The deployment type set at the user or group entitlement level has precedence over the global
deployment type setting, and will not be modified during sync.
VMware Identity Manager supports HTML Access for Horizon 6.1.1 and later.
VMware Identity Manager also supports all the display protocols that View supports for the Horizon Client.
For Horizon 7, VMware Identity Manager supports the Blast protocol in addition to PCoIP and RDP for
Horizon Client 4.0. When VMware Identity Manager users launch a desktop or application in the Horizon
Client, it uses the protocol that is set for the farm in View.
Note In View, in addition to setting the default display protocol, administrators can specify whether users
are allowed to choose a display protocol. If you want to support versions of Horizon Client that do not
support the default protocol, allowing users to choose the display protocol is recommended. Otherwise, the
application or desktop cannot be launched.
For information about configuring the display protocols and launch options, see the Horizon 7, Horizon 6,
or View documentation.
In the VMware Identity Manager administration console, you can check the launch options that a View
desktop or application supports.
Procedure
1
To display desktop pools, click Any Application Type > View Desktop Pools. To display applications,
click Any Application Type > View Hosted Applications.
The value of the field can be NATIVE or BROWSER, or both. If only NATIVE is listed, the desktop or
application can only be launched in the Horizon Client. Users must install the Horizon Client on their
systems before starting the application from VMware Identity Manager. If BROWSER is listed, users
can start the application or desktop in a browser. If both are specified, users can select how they want to
start the application.
Note For Horizon 7 integrations, the Allow HTML Access to desktop and applications on this farm
option must be enabled in Horizon 7 for the BROWSER option to appear in the Supported client types
list.
Right-click the desktop or application you want to use and check whether it displays a Horizon Client
requirement.
Clicking the arrow on the OPEN button displays the launch options. If a launch option is not available,
it is disabled.
Install the Horizon Client on your system, if it is required and you have not yet installed it.
Right-click the desktop or application, click the arrow on the Open button if launch options are not
displayed, select either in Horizon Client or in Browser, and click Open.
If you chose the Browser option, the application or desktop is started in a browser. If you are using Horizon
6.1.1 or later, the browser window also displays an HTML Access Tray. The HTML Access Tray displays all
the other desktops or applications that are connected to the same View Connection Server as the application
you started. Resources from other View Connection Servers in your deployment are not listed. You can use
the HTML Access Tray to switch from one desktop or application to another. You can also view which
applications are running.
Note If the SAML metadata on the View Connection Server instances has expired, the application or
desktop will not launch. To resolve this issue, you must sync the View resources to
VMware Identity Manager again. Click Sync Now in the View Pools page in the administration console.
Configure View to allow users to reset their desktops. See the documentation for View, Horizon 6, or
Horizon 7, specifically the View Administration guide.
To ensure that specific View desktops are resettable by users, the client access URLs for the respective
pods should have trusted certificates. If the URLs have root-signed or self-signed certificates, configure
VMware Identity Manager to trust those certificates. See VMware Identity Manager Installation and
Configuration for information about applying a root certificate.
Procedure
u
(Optional) Verify that VMware Identity Manager lists a given desktop as resettable by users.
a
In the Any Application Type drop-down menu, select View Desktop Pools.
Click Details.
What to do next
If a View desktop becomes unresponsive in the future, you or users can reset the desktop in the My Apps
portal by right-clicking the unresponsive desktop and clicking Reset Desktop.
Install the VMware Identity Manager Desktop application in the template that is used for the non-persistent View desktops, using the recommended command-line installer options.
/v Installer Option
Description
ENABLE_AUTOUPDATE = 0
INSTALL_MODE =
RUN_FROM_SHARE
If users will use ThinApp packages in these View desktops, use this option to have the
ThinApp packages streamed from the server instead of downloaded to the Windows system.
The following is an example of installing the VMware Identity Manager Desktop application with an
optimal configuration for non-persistent View desktops where the users are expected to use ThinApp
packages. The WORKSPACE_SERVER option specifies the VMware Identity Manager server for this
installation.
VMware-Identity-Manager-Desktop-n.n.n-nnnnnnn.exe /v
WORKSPACE_SERVER="https://server.company.com" ENABLE_AUTOUPDATE=0 INSTALL_MODE=RUN_FROM_SHARE
The VMware Horizon Air - Cloud Hosted service can be integrated with the VMware Identity Manager
service.
By integrating your Horizon Air tenant with the VMware Identity Manager service, you give your
VMware Identity Manager users the ability to access their entitled VMware Horizon Air Apps and
VMware Horizon Air Desktops from the VMware Identity Manager My Apps portal.
You create and configure desktop and application pools, also known as assignments, in the Horizon Air
tenant. You also set user and group entitlements in the Horizon Air tenant, not in the
VMware Identity Manager service. You must sync these users and groups to the VMware Identity Manager
service from Active Directory before integrating with the Horizon Air tenant.
After you integrate the Horizon Air tenant with VMware Identity Manager, you can see the Horizon Air
desktops and applications in the VMware Identity Manager administration console. You can also view user
and group entitlements.
You can set up a sync schedule to regularly sync resources and entitlements from the Horizon Air tenant to
the VMware Identity Manager service.
End users must install the VMware Horizon Client to launch Horizon Air desktops and applications
from the My Apps portal. Horizon Client versions 3.4 and later are supported.
This chapter includes the following topics:
Viewing User and Group Entitlements to Horizon Air Desktops and Apps, on page 53
If you want to integrate other on-premises resources, such as Citrix published resources, deploying a
connector on premises enables you to use the same connector for all your resources.
If you already have a VMware Identity Manager tenant deployment, with a connector installed on
premises, you can use your existing deployment to integrate Horizon Air Desktops and Apps.
The connector syncs user and group information from Active Directory to the VMware Identity
Manager tenant.
Horizon Air user and group entitlements are synced from the Horizon Air tenant to the VMware
Identity Manager tenant through the connector.
The end user logs into the VMware Identity Manager service and clicks on a desktop or
application.
Chapter 4 Providing Access to Horizon Air - Cloud Hosted Desktops and Apps
The service generates a launch URL and passes it to the Horizon Client. The launch URL includes a
SAML artifact ID.
The Horizon Air tenant receives the request and validates the SAML artifact ID with the VMware
Identity Manager service.
If the SAML artifact ID is validated by the VMware Identity Manager service, the desktop or
application is streamed to the Horizon Client by the Horizon Air tenant.
A Horizon Air tenant that is accessible by the VMware Identity Manager connector. Work with
your Horizon Air representative to set this up.
A VMware Identity Manager connector appliance installed on premises. See Deployment Scenario
for Horizon Air Integration, on page 46 for information.
Connector version 2016.1.1 or later is required for Horizon Air integration.
Verify with your Horizon Air service provider that your Horizon Air tenant meets the following
requirements.
The tenant name must be a fully qualified domain name (FQDN), not just a host name. For
example, server-ta1.example.com instead of server-ta1.
The tenant appliances must have valid, signed certificates issued by a CA. Self-signed certificates
are not supported. The certificate must match the FQDN of the tenant appliance.
If you created your VMware Identity Manager directory with UPN as a search attribute, and you
intend to sync static desktop pools from the Horizon Air tenant, your service provider must enable
UPN for the tenant and restart the tenant appliance, otherwise users will be unable to launch static
desktops.
UPN can be enabled in the Horizon Air Service Center, in the Policy Management page, by
selecting the tenant, typing dtpolicy, setting the fabric.ad.use.userPrincipalNames policy to true,
and restarting the tenant appliance.
Ensure that the Horizon Air tenant and the VMware Identity Manager tenant are in time sync. If they
are not in time sync, an invalid SAML error can occur when users launch Horizon Air desktops and
applications.
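Both time-sync notes on this page (the View one, where an "invalid SAML message" occurs, and this Horizon Air one) come down to the same mechanism: a SAML assertion carries a validity window in its Conditions element, and the receiving side checks that window against its own clock. The added example below (not VMware or Horizon code) parses a constructed assertion fragment and shows how a service provider clock that is only a couple of minutes off rejects a freshly issued assertion; the skew tolerance parameter is this script's own illustration of why keeping clocks in sync matters.

```python
"""Why clock drift between an identity provider and a SAML service provider
yields an "invalid SAML" error: the assertion's Conditions element carries
NotBefore / NotOnOrAfter, checked against the receiver's own clock.

Added example; not VMware or Horizon code. The assertion fragment, the
timestamps and the skew-tolerance parameter are constructed for illustration."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed assertion fragment: issued at 12:00:00Z, valid until 12:05:00Z.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
  <saml:Issuer>https://idm.example.com/SAAS/API/1.0/GET/metadata/idp.xml</saml:Issuer>
  <saml:Conditions NotBefore="2024-05-01T11:59:30Z" NotOnOrAfter="2024-05-01T12:05:00Z"/>
</saml:Assertion>"""


def parse_saml_time(value: str) -> datetime:
    """Parse an xs:dateTime as written in SAML ('Z' suffix means UTC)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def check_conditions(assertion_xml: str, now: datetime, skew: timedelta = timedelta(0)):
    """Return (accepted, reason). `now` is the receiving side's clock and
    `skew` the tolerance it grants for clock differences (zero by default)."""
    root = ET.fromstring(assertion_xml)
    cond = root.find("saml:Conditions", SAML_NS)
    if cond is None:
        return False, "no Conditions element"
    not_before = cond.get("NotBefore")
    not_on_or_after = cond.get("NotOnOrAfter")
    if not_before and now < parse_saml_time(not_before) - skew:
        return False, f"assertion not yet valid: now={now.isoformat()} NotBefore={not_before}"
    if not_on_or_after and now >= parse_saml_time(not_on_or_after) + skew:
        return False, f"assertion expired: now={now.isoformat()} NotOnOrAfter={not_on_or_after}"
    return True, "within validity window"


def sp_verdict(assertion_xml: str, sp_clock_offset: timedelta, skew: timedelta = timedelta(0)):
    """Simulate a service provider whose clock is sp_clock_offset away from the
    IdP's, receiving the assertion the instant it was issued."""
    issued = parse_saml_time(ET.fromstring(assertion_xml).get("IssueInstant"))
    return check_conditions(assertion_xml, issued + sp_clock_offset, skew)


if __name__ == "__main__":
    # A clock two minutes slow rejects the assertion as "not yet valid";
    # one six minutes fast rejects it as expired.
    for offset in (timedelta(0), timedelta(minutes=-2), timedelta(minutes=6)):
        print(offset, sp_verdict(SAMPLE_ASSERTION, offset))
```

Note that the failure is symmetric: a receiver that is behind sees a NotBefore in its future, one that is ahead sees an already expired assertion, and in both cases the user simply gets an invalid-SAML error at launch, which is why NTP on both sides is the first thing to verify.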
Create and configure desktop and application pools, also known as assignments, in the Horizon Air
tenant administration console. You can create the following types of pools in the Horizon Air tenant:
VMware Identity Manager only supports launch over PCoIP. Only those desktop and application
pools that support launch over PCoIP are synced to VMware Identity Manager.
End users must install the Horizon Client to launch desktops and applications.
You can only sync from a single Horizon Air tenant to VMware Identity Manager.
Set user and group entitlements to Horizon Air desktops and applications in the Horizon Air tenant
administrative interface.
Note Only entitlements for users that belong to a registered group are synced. Users who do not
belong to any group will not see their entitlements in VMware Identity Manager.
In the VMware Identity Manager administration console, ensure that users and groups with these
entitlements are synced from Active Directory to VMware Identity Manager using directory sync.
In the Catalog tab, select Manage Desktop Applications > Horizon Air Applications.
Select the Enable Horizon Air Desktops and Applications check box.
Option
Description
Tenant Host
Tenant Port
Admin Username
Option
Description
Admin Password
Admin Domain
Domains to Sync
Deployment Type
Select how Horizon Air resources are made available to users in the user
portal.
- User-Activated: VMware Identity Manager adds Horizon Air resources to the Catalog page in the user portal. To use a resource, users must move the resource from the Catalog page to the Launcher page.
- Automatic: VMware Identity Manager adds the resources directly to the Launcher page in the user portal for users' immediate use.
The deployment type that you select here is a global setting that applies to
all user entitlements for all the resources in your Horizon Air integration.
You can modify the deployment type for individual users or groups per
resource, from the resource's Entitlements page.
Setting the global deployment type to User-Activated is recommended.
You can then modify the setting for specific users or groups per resource.
For more information about setting the deployment type, see Setting the
Deployment Type for Horizon Air Entitlements, on page 54.
For example:
Click Save.
Click Sync Now to sync resources and entitlements from the Horizon Air tenant.
What to do next
Configure SAML Authentication, on page 50.
The Horizon Air tenant name is a fully-qualified domain name (FQDN). For example, server-ta1-1.example.com instead of server-ta1-1.
The Horizon Air tenant appliances have valid SSL certificates from a CA installed. Self-signed
certificates are not supported. The certificate must match the FQDN of the tenant appliance.
Procedure
1
In the VMware Identity Manager administration console, click the arrow on the Catalog tab and select
Settings.
Description
URL to which to post the SAML assertion. This URL is typically the
Horizon Air tenant's floating IP or Access Point URL. For example,
https://mytenant.example.com.
Audience
Unique identifier of the Horizon Air tenant. This URL is typically the
Horizon Air tenant's floating IP or Access Point URL. For example,
https://mytenant.example.com.
For example:
Click the Accept Certificate link next to each Horizon Air tenant appliance URL to accept the certificate.
Important If you change the SSL certificate on the Horizon Air tenant appliance after integration, you
must return to this page and accept the certificate again to re-establish trust.
Click Save.
What to do next
Configure SAML authentication in the Horizon Air tenant.
In the VMware Identity Manager administration console, click the arrow on the Catalog tab and select
Settings.
Make a note of the URL from the browser's address bar, such as
https://VMwareIdentityManagerFQDN/SAAS/API/1.0/GET/metadata/idp.xml.
Run the following REST API calls against the primary Horizon Air tenant.
a
POST https://DaaSPrimaryTenant/dt-rest/v100/system/login?domain=domainname&user=tenantadminusername&pw=password
For example:
POST https://10.10.10.10/dt-rest/v100/system/login?domain=AIRTENANTA&user=tenantadmin&pw=mypassword
Take the values of the Authorization and x-dt-csrf-header response headers to use in the next API call.
b
PUT https://DaaSPrimaryTenantAppliance/dt-rest/v100/security/manager/create/modify/identityprovider
For example:
PUT https://10.10.10.10/dt-rest/v100/security/manager/create/modify/identityprovider
Header Authorization: Use the value from the previous login API response header.
Header x-dt-csrf-header: Use the value from the previous login API response header.
Header Content-Type: Use text/xml.
Body:
<DtIdentityProviderConfig>
<workspaceAddress>https://VMwareIdentityManagerFQDN/SAAS/API/1.0/GET/metadata/idp.xml</workspaceAddress>
<timeout>0</timeout>
<tenantAddress>HorizonAirTenantFloatingAddressOrAccessPoint</tenantAddress>
<dataCenterId>HorizonAirTenantDatacenterID</dataCenterId>
</DtIdentityProviderConfig>
where
<workspaceAddress>: Specify the VMware Identity Manager IdP metadata URL you copied in step 4
above.
<tenantaddress>: Specify the floating address or Access Point of the Horizon Air tenant appliance.
<dataCenterId>: Specify the datacenter ID of the Horizon Air tenant. You can find the ID in the
datacenter table of the primary Horizon Air tenant by using this command: Select * from
datacenter;
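The two calls above, as an added Python example (not VMware's code): it builds the documented login URL, picks the Authorization and x-dt-csrf-header values out of the login response, and produces a well-formed DtIdentityProviderConfig body before sending the PUT. The tenant address, workspace FQDN, datacenter ID and the offline stand-in for the tenant are constructed placeholders.

```python
"""Configure the VMware Identity Manager IdP on a Horizon Air (DaaS) tenant.

Added example, not VMware's code. It follows the two documented REST calls:
  a. POST /dt-rest/v100/system/login?domain=...&user=...&pw=...
  b. PUT  /dt-rest/v100/security/manager/create/modify/identityprovider
Host names and the datacenter ID used here are constructed placeholders.
"""
import urllib.request
from urllib.parse import urlencode
from xml.etree import ElementTree as ET

LOGIN_PATH = "/dt-rest/v100/system/login"
IDP_PATH = "/dt-rest/v100/security/manager/create/modify/identityprovider"
# The two login response headers that the PUT call must send back.
SESSION_HEADERS = ("Authorization", "x-dt-csrf-header")


def build_login_url(tenant, domain, user, pw):
    """Login URL exactly as documented. The credentials travel in the query
    string, so keep this URL out of shell history and proxy logs."""
    query = urlencode({"domain": domain, "user": user, "pw": pw})
    return f"https://{tenant}{LOGIN_PATH}?{query}"


def extract_session_headers(response_headers):
    """Pick Authorization and x-dt-csrf-header out of the login response
    (header names are case-insensitive). Fail here rather than send an
    unauthenticated PUT if either value is missing."""
    lowered = {k.lower(): v for k, v in response_headers.items()}
    found = {}
    for name in SESSION_HEADERS:
        value = lowered.get(name.lower())
        if not value:
            raise ValueError(f"login response lacks the {name} header")
        found[name] = value
    return found


def build_idp_config_xml(workspace_address, tenant_address, datacenter_id,
                         timeout=0):
    """Serialize DtIdentityProviderConfig with every element closed and all
    text XML-escaped (a tenant address containing '&' would otherwise
    produce an invalid document)."""
    root = ET.Element("DtIdentityProviderConfig")
    ET.SubElement(root, "workspaceAddress").text = workspace_address
    ET.SubElement(root, "timeout").text = str(timeout)
    ET.SubElement(root, "tenantAddress").text = tenant_address
    ET.SubElement(root, "dataCenterId").text = datacenter_id
    return ET.tostring(root, encoding="unicode")


def build_idp_put_request(tenant, session, body):
    """The PUT with the three documented headers and the XML body."""
    req = urllib.request.Request(f"https://{tenant}{IDP_PATH}",
                                 data=body.encode("utf-8"), method="PUT")
    for name in SESSION_HEADERS:
        req.add_header(name, session[name])
    req.add_header("Content-Type", "text/xml")
    return req


def configure_identity_provider(tenant, domain, user, pw, workspace_fqdn,
                                tenant_address, datacenter_id,
                                opener=urllib.request.urlopen):
    """Run both calls and return the HTTP status of the PUT. `opener` is
    injectable so the exchange can be exercised without a live tenant."""
    login_req = urllib.request.Request(
        build_login_url(tenant, domain, user, pw), method="POST")
    with opener(login_req) as resp:
        session = extract_session_headers(resp.headers)
    metadata_url = f"https://{workspace_fqdn}/SAAS/API/1.0/GET/metadata/idp.xml"
    body = build_idp_config_xml(metadata_url, tenant_address, datacenter_id)
    with opener(build_idp_put_request(tenant, session, body)) as resp:
        return resp.status


class _FakeResponse:
    """Constructed stand-in for an HTTP response (offline demonstration)."""
    def __init__(self, headers, status=200):
        self.headers, self.status = headers, status

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        return False


def demo_opener(req):
    """Constructed stand-in for the tenant: answers the login with session
    headers and accepts the PUT only if it echoes them with text/xml."""
    if req.get_method() == "POST":
        return _FakeResponse({"Authorization": "demo-session-token",
                              "x-dt-csrf-header": "demo-csrf-token"})
    # urllib stores header names capitalized, hence "Content-type" here.
    if (req.get_header("Authorization") != "demo-session-token"
            or req.get_header("Content-type") != "text/xml"):
        return _FakeResponse({}, status=401)
    return _FakeResponse({}, status=200)
```

Pass a real tenant host and omit `opener` to run the exchange against the appliance; `demo_opener` only replays the documented header flow offline.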
Your integration is complete. You can now view Horizon Air desktop and application pools in the VMware
Identity Manager administration console and end users can launch the resources to which they are entitled.
Syncing Horizon Air Desktops and Apps with VMware Identity Manager
When you initially integrate a Horizon Air tenant with your VMware Identity Manager deployment, you
sync resources and entitlements from the Horizon Air tenant to the VMware Identity Manager service. You
may also have set up a regular sync schedule or chosen to sync manually. If you modify Horizon Air
desktop and application pools, or entitlements, you can sync the updates to VMware Identity Manager at
any time using the Sync Now feature.
Procedure
1 In the Catalog tab, click Manage Desktop Applications > Horizon Air Application.
(Optional) To specify a regular sync schedule, select one of the options in the Choose Horizon Air Sync
Frequency field and click Save.
Click Any Application Type and select Horizon Air Desktops or Horizon Air Applications.
Click Details.
Attributes retrieved from the Horizon Air tenant are displayed. See the Horizon Air documentation for
information about these attributes.
View user and group entitlements to Horizon Air desktops and applications.
Global level
The global setting applies to all user entitlements for all the Horizon Air resources in your deployment.
You specify the global deployment type when you first integrate Horizon Air resources with VMware
Identity Manager from the Horizon Air Resources page. After the initial integration, you can modify the
global setting from the same page. Note that if you change the global setting after the initial integration,
the new setting only applies to new entitlements that are synced. To modify existing entitlements, you
can change the setting at the individual resource level.
Note Setting the global deployment type to User-Activated is recommended. In typical scenarios, you
set the global setting to User-Activated, and then modify it to Activated for specific user and group
entitlements.
During sync, the deployment type for existing entitlements is not changed. For new entitlements in the sync,
the global setting is applied.
Note Once a resource has been activated, that is, once it appears in the Launcher page for a user, it will
continue to appear in the Launcher page unless the user deletes it. Any changes to the deployment type will
not remove it from the Launcher page.
Procedure
1 To set the deployment type at the global level, follow these steps.
a Click the Catalog tab and select Manage Desktop Applications > Horizon Air Application.
b In the Deployment Type field in the Horizon Air Resources page, select User-Activated or Automatic.
c Click Save.
The setting will be applied to all new entitlements beginning with the next sync.
2 To set the deployment type for a specific user or group entitlement, follow these steps.
In the Edit User Entitlement dialog box, select the deployment type for the entitlement.
Click Save.
The deployment type set at the user or group entitlement level has precedence over the global
deployment type setting, and will not be modified during sync.
You can provide VMware Identity Manager users access to Citrix-published resources. Citrix-published
resources include applications and desktops within Citrix XenApp and XenDesktop farms. Desktops are
also referred to as Citrix-published delivery groups.
When you integrate a Citrix deployment with VMware Identity Manager, VMware Identity Manager users
can use Citrix Receiver on their systems and devices to access their entitled Citrix-published resources.
After you integrate VMware Identity Manager with your Citrix deployment, you use the Citrix deployment
to manage Citrix-published applications and Citrix-published desktops and to entitle users to those
resources. You can then use the VMware Identity Manager administration console to view these Citrix
resources and their entitlements.
VMware Identity Manager provides default global application delivery settings for Citrix-published
resources. For example, you can edit the settings that control resource streaming and resource security. You
can configure the delivery settings globally, for all the Citrix resources in the VMware Identity Manager
catalog, or for individual Citrix resources.
VMware Identity Manager also supports Citrix deployments that include Citrix Netscaler. To use the
Netscaler feature, you must install Integration Broker 2.4 or later.
Supported Versions
- VMware Identity Manager supports XenApp 5.0, 6.0, 6.5, and 7.x, and XenDesktop 7.x.
- To use the Netscaler feature, you require Integration Broker 2.4 or later.
- To use XenApp 7.x or XenDesktop 7.x, you require Integration Broker 2.6 or later.
- Supported operating systems for Integration Broker are Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2.
Requirements
To integrate a Citrix deployment with the VMware Identity Manager service, you need the following
components.
While deploying the on-premise components, ensure that you meet these requirements.
- The connector must be able to communicate with the Integration Broker. If you have deployed multiple connector instances, ensure that all of them can communicate with the Integration Broker.
- The Integration Broker must be able to communicate with the Citrix server farm.
All communication between the VMware Identity Manager service and the on-premise components is
through the connector. The connector and the service communicate over a communication channel that is
automatically set up during installation.
The following diagram depicts a VMware Identity Manager-Citrix server farm integration and illustrates
how resources and entitlements are synced to the VMware Identity Manager service.
Figure 51. Resources and Entitlements Sync (diagram: on premises, the Integration Broker makes Citrix PowerShell SDK calls to the Citrix farm or load balancer to retrieve resources and entitlements, and the VMware Identity Manager Connector syncs them to the VMware Identity Manager service tenant)
The following diagram illustrates how an application or desktop is launched from the
VMware Identity Manager service.
Figure 52. Application or Desktop Launch (diagram: the user launches an application or desktop from the VMware Identity Manager service; on premises, the VMware Identity Manager Connector and Integration Broker obtain the ICA file from the Citrix farm or load balancer and return it to Citrix Receiver, which launches the application or desktop)
Supported Features
VMware Identity Manager provides support for the following functions:
- Synchronize entitlements from a Citrix farm to the VMware Identity Manager entitlement store.
- Route application launch traffic through a Netscaler appliance or through a direct connection.
VMware Identity Manager uses the Integration Broker, a component of VMware Identity Manager, to
deliver Citrix-published resources to the end user.
- VMware Identity Manager pushes Citrix farm information and publishes resource information from the Citrix farm to the catalog based on the configured synchronization.
- A VMware Identity Manager administrator can set the generic user settings template and the ICA launch template for all the resources in an organization. This template is saved as an organization artifact in the VMware Identity Manager data store.
- A VMware Identity Manager administrator can set the ICA launch template by resource in the VMware Identity Manager catalog. This template is saved as part of the resource definition in the VMware Identity Manager catalog.
VMware Identity Manager synchronizes the Citrix-published resources and entitlements from the Citrix
farm to the VMware Identity Manager entitlement store. Synchronization occurs based on the frequency set
in the schedule. The Citrix farm is the single source of truth for all supported operations in
VMware Identity Manager.
VMware Identity Manager uses the Citrix Receiver to launch Citrix-published resources. The end user must
install the Citrix Receiver on their device. The Citrix Receiver delivers the Citrix-published resources to the
end user.
VMware Identity Manager also provides multi-device support. End users can launch a Citrix-published
resource, such as the Textpad application, from VMware Identity Manager on any device, such as a laptop,
domain-joined desktop, or non-domain-joined desktop.
The following table describes the administrator's task on the Citrix farm and the corresponding operation
that results after a synchronization with VMware Identity Manager.
Table 51. VMware Identity Manager and Citrix Farm Synchronization (table body not recovered; its first column is Action in the Citrix farm)
VMware Identity Manager uses the Integration Broker component and a Citrix SDK to handle SSO from
VMware Identity Manager to Citrix-published resources.
Figure 53. SSO between VMware Identity Manager and Citrix Farm (diagram: Citrix Receiver launches a Citrix-published resource through the VMware Identity Manager service; the VMware Identity Manager Connector makes a REST call to the Integration Broker web application, which runs in IIS in the DMZ and uses XenApp Web Interface SDK 5.4 calls against the Citrix farm or load balancer to retrieve the ICA file; the ICA file is returned to Citrix Receiver for application delivery)
VMware Identity Manager syncs a delivery group only if its Delivery Type is set to DesktopsAndApps or
DesktopsOnly. If the delivery group's Delivery Type is set to AppsOnly, its applications are synced but the
delivery group itself is not synced and does not appear in the VMware Identity Manager catalog.
Configure your delivery groups accordingly.
Upgrade
VMware Identity Manager does not require additional setup after a VMware Identity Manager upgrade or a
Citrix product upgrade to maintain the integration between VMware Identity Manager and Citrix-published
resources. To upgrade Integration Broker, you must uninstall the older version and then install the new
version. To reinstall Citrix Receiver, see the Citrix documentation.
Note To use the Netscaler feature, you must install Integration Broker 2.4 or later. If you are using XenApp
or XenDesktop 7.x, you must install Integration Broker 2.6 or later.
Install an SSL server certificate on the XenApp or XenDesktop 7.x servers that you are integrating with
VMware Identity Manager.
For information about how to install an SSL server certificate, see the Microsoft documentation.
Click Properties and verify that Server Authentication is enabled for the certificate.
Install Studio and PowerShell SDK: Citrix Broker PowerShell Snapin and Citrix Configuration
PowerShell Snapin from media.
To verify the installation, follow these steps.
a Launch PowerShell.
Install an SSL server certificate on the Citrix servers that you are integrating with
VMware Identity Manager.
For information about how to install an SSL server certificate, see the Microsoft documentation.
Click Properties and verify that Server Authentication is enabled for the certificate.
If the Citrix PowerShell modules are not installed in the default location, replace the default path
with the path that is used in your environment.
If you do not have WinRM installed, download and install WinRM from the Microsoft Web site.
Procedure
1 Install an SSL server certificate on the Citrix servers that you are integrating with
VMware Identity Manager.
Click Properties and verify that Server Authentication is enabled for the certificate.
Type the Get-Service winrm command to verify that WinRM is installed on the server.
Install the Citrix PowerShell SDK 5.0 or 6.0, depending on the Citrix server version.
After the listener is created, go to the Integration Broker server to verify that PowerShell remoting
is installed correctly.
winrm identify -r:https://XENAPP_HOSTNAME:5986 -u:USERNAME
Output:
IdentifyResponse
ProtocolVersion=http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd
ProductVendor=Microsoft Corporation
ProductVersion=OS: 6.0.6002 SP: 2.0 Stack: 2.0
Prepare Windows Server for Integration Broker (Windows Server 2008 R2, Windows Server 2012, or Windows Server 2012 R2)
Before you install Integration Broker, you must prepare your Windows system.
The following operating systems are supported for Integration Broker: Windows Server 2008 R2,
Windows Server 2012, and Windows Server 2012 R2.
Prerequisites
Multiple instances are useful for both high-availability and load-balancing purposes.
If you use multiple Integration Broker instances, a preferred practice is to install one
Integration Broker instance for each Windows Server instance.
If your deployment distributes heavy traffic, a preferred practice is to use at least one
Integration Broker instance to sync with VMware Identity Manager and at least one
Integration Broker instance to provide SSO.
Verify that Windows Server 2008 R2, Windows Server 2012, or Windows Server 2012 R2 is installed
with the latest updates. To check for updates, select Control Panel > Windows Update.
Install .NET Framework 3.5. When you install .NET, it installs version 3.5 as a feature. If you are using
Windows Server 2008 R2, ensure that you select WCF Activation. If you are using Windows Server 2012
or 2012 R2, ensure that you select HTTP Activation.
Download and install Microsoft Visual J# 2.0 Redistributable Package - Second Edition. Depending on
your operating system, you might need to download either the 32-bit or 64-bit version of Microsoft
Visual J#.
Configure IIS 7 or 7.5 for Windows Server 2008 R2, IIS 8 for Windows Server 2012, or IIS 8.5 for
Windows Server 2012 R2.
Note If you are installing IIS 7, install it in 6.0 Management Compatibility Mode. You must also install
the Management Tools if this is your only IIS 7 instance.
For Windows Server 2012 or 2012 R2, select the following features, roles, and role services. You select
these in Server Manager, using the Add Roles and Features wizard.
Roles
- Application Server
- Web Server (IIS)
- File Server
Role Services
- Directory Browsing
- HTTP Errors
- Static Content
- HTTP Redirection
- Health and Diagnostics
  - HTTP Logging
  - Logging Tools
  - Request Monitor
  - Tracing
- Performance
  - Static Content Compression
  - Dynamic Content Compression
- Security
  - Request Filtering
  - Basic Authentication
  - Client Certificate Mapping Authentication
  - Digest Authentication
  - IIS Client Certificate Mapping Authentication
  - IP and Domain Restrictions
  - URL Authorization
  - Windows Authentication
- Application Development
- Management Tools
  - IIS Management Console
  - IIS 6 Management Compatibility
  - IIS Management Scripts and Tools
For Windows Server 2008, select the following roles. You select these in Server Manager, using the Add
Roles and Features wizard.
- Application Server
- File Server
Configure an application pool. You can use the default application pool or create an application pool
that is dedicated to Integration Broker.
If you are using IIS 8.0 or later, in IIS Manager, ensure that the http and https bindings for the Default
Web Site do not have a host name configured. The Host name field for the http and https bindings
should be blank.
In IIS Manager, configure the default application pool or the one you set up to use with Integration
Broker.
Note In Windows 2012 and Windows 2012 R2, the application pool may have been configured to
a different version of .NET Framework by default. Ensure that you configure the application pool
to .NET Framework 2.0.
In IIS Manager, configure Identity to use the same account as the Citrix-published resources
administrator.
Integration Broker uses this account to authenticate.
Type the credentials of the Citrix-published resources administrator: the user name and password, in
the form Domain Name username and Domain Name password.
If you are using XenApp 6.0, download and install version 6.0 of Citrix PowerShell SDK from
the Citrix website.
If you are using XenApp 6.5, download and install version 6.5 of Citrix PowerShell SDK from
the Citrix website.
If you are using XenApp 7.x or XenDesktop 7.x, install the following PowerShell SDKs from
the XenApp or XenDesktop 7.x DVD, or from the Citrix website:
If the Citrix XenApp or XenDesktop farm's execution policy is configured to RemoteSigned,
you must add your root certificate to the Trusted Root Certification Authorities store. See the
Microsoft website about adding root certificates to the store.
If the Citrix XenApp or XenDesktop farm's execution policy is configured to Unrestricted, you do
not need to add root CAs to the Trusted Root Certification Authorities store.
Before you run this command, verify that the PowerShell SDK is successfully installed.
Verify that the list includes all the applications hosted by Citrix.
What to do next
If the Invoke-Command command fails, see Memory Issue Prevents Proper Configuration of Integration
Broker, on page 90.
Next, deploy and configure Integration Broker.
The VMware Identity Manager connector must be able to communicate with the Integration Broker. If
you have multiple connector instances, ensure that all of them can communicate with the Integration
Broker.
To use the Netscaler feature, you must install Integration Broker 2.4 or later. For XenApp or XenDesktop
7.x, you must install Integration Broker 2.6 or later.
Deploying only one instance of Integration Broker per Windows Server instance is recommended.
Install Citrix PowerShell remoting. See Enabling Citrix PowerShell Remoting on Citrix Server Farm,
on page 61 and the Citrix documentation for more information.
See Prepare Windows Server for Integration Broker (Windows Server 2008 R2, Windows Server 2012,
or Windows Server 2012 R2), on page 63.
Procedure
1 Type the Web location where you want to install the Integration Broker.
(Optional) If you created a separate pool for the Integration Broker, select your application pool.
Caution Do not change the Virtual Directory name.
Add the HTTPS binding using the newly created certificate in the drop-down menu.
Download the Citrix Web Interface SDK 5.4 (WISDK zip file) from the Citrix Web site.
Copy the contents from the WI5_4_0_SDK/zipfiles/sdkdemo/wisdk directory to the default bin directory
at c:\inetpub\wwwroot\IB\bin.
Restart IIS.
Verify that the HTTP binding produces the expected output by typing
http://hostname/IB/API/RestServiceImpl.svc/ibhealthcheck in the address bar of a browser.
The expected output displays:
All ok
Verify that the HTTPS binding produces the expected output by typing
https://hostname/IB/API/RestServiceImpl.svc/ibhealthcheck in the address bar of a browser.
The expected output displays:
All ok
Copy and paste the following OpenSSL configuration directives into the configuration file.
# openssl x509 extfile params
extensions = extend
[req] # openssl req params
prompt = no
distinguished_name = dn-param
[dn-param] # DN fields
C = US
ST = CA
O = VMware (Dummy Cert)
OU = Horizon Workspace (Dummy Cert)
CN = hostname # virtual machine host name where the Integration Broker is installed
emailAddress = EMAIL PROTECTED # replace with the administrator's e-mail address
[extend] # openssl extensions
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth,clientAuth
[policy] # certificate policy extension data
Create a CSR (certificate signing request) with the generated key. The server.csr file is stored in your
working directory.
openssl req -new -key server.key -out server.csr -config ./openssl_ext.conf
Move the server.p12 file to the Windows machine where Integration Broker is installed.
Import the certificate into the root and personal certificate stores.
Copy the certificate into the Trusted Root CAs in the same mmc console.
The certificate must have the following:
- Private key
- CN in the subject attribute that matches the Integration Broker host name
- Extended key usage attribute with both client and server authentication enabled
Configure VMware Identity Manager. See VMware Identity Manager Installation and Configuration for
information.
Review Citrix documentation for your version of Citrix XenApp or XenDesktop at the Citrix Web site.
To distribute the load in a large-scale enterprise deployment, dedicate one or more Integration Broker
instances for sync purposes and one or more Integration Broker instances for SSO purposes.
If you use multiple Integration Broker instances for sync purposes or for SSO purposes, put a load
balancer in front of the Integration Broker instances. For example, if you use multiple Integration
Broker instances for sync purposes, put a load balancer in front of those Integration Broker instances
and note the host name or IP address of the load balancer for use during this task.
Verify that distinguishedName is marked as a required attribute in the VMware Identity Manager
directory. XenApp resources cannot be synced without this. Required attributes must be set before a
directory is created. If you have already created a directory and distinguishedName is not a required
attribute, delete the directory, make distinguishedName a required attribute in the Identity & Access
Management > Setup > User Attributes page and then create a new directory.
Procedure
1 Click Manage Desktop Applications and select Citrix Published Application from the drop-down menu.
In the Published Apps - Citrix page, select the Enable Citrix-based Applications check box.
Enter the Sync Integration Broker or load balancer host name and port number.
If you configured a load balancer in front of multiple Integration Broker instances used for sync
purposes, enter the host name or IP address and port number of the load balancer.
Select Use SSL if you are connecting to the Integration Broker over SSL.
If you are using the same Integration Broker instance for both sync and single sign-on, click the Use
same as Sync Integration Broker button.
If you configured dedicated sync and SSO Integration Broker instances, enter the following
information.
a Type the SSO Integration Broker or load balancer host name and port number.
If you configured a load balancer in front of multiple Integration Broker instances dedicated to
providing SSO, enter the host name or IP address and port number of the load balancer.
Important Using port 443 is recommended.
b Select Use SSL if you are connecting to the Integration Broker over SSL.
Option          Description
Version         Select the Citrix server farm version: 5.0, 6.0, 6.5, or 7.x.
Server name
Transport type
Port numbers
From the Deployment Type drop-down list, select how Citrix-published resources are made available
to users in the user portal.
- User-Activated - VMware Identity Manager adds Citrix resources to the Catalog page in the user portal. To use a resource, users must move the resource from the Catalog page to the Launcher page.
- Automatic - VMware Identity Manager adds the resource directly to the Launcher page in the user portal for users' immediate use.
The deployment type that you select here is a global setting that applies to all user entitlements for all
the resources in your Citrix integration. You can modify the deployment type for individual users or
groups per resource, from the application or desktop's Entitlements page.
Setting the global deployment type to User-Activated is recommended. You can then modify the setting
for specific users or groups per resource.
For more information about setting the deployment type, see Setting the Deployment Type for Citrix
Entitlements, on page 79.
9 Select Sync categories from server farms if you want to sync categories from Citrix farms to
VMware Identity Manager.
10 Select Do not sync duplicate applications to prevent duplicate applications from being synced from
multiple servers. When VMware Identity Manager is deployed in multiple data centers, the same
resources are set up in the multiple data centers. Checking this option prevents duplication of the
desktops or applications in your VMware Identity Manager catalog.
11 In the Choose frequency field, select how frequently you want to sync resources and entitlements
automatically from the Citrix farms. If you do not want to set up an automatic sync schedule, select
Manually.
13 Click Save.
A dialog box appears that lists the number of applications, delivery groups (desktops), and entitlements
that will be synced. You can click on the links to view details. Click Save and continue in the dialog
box.
Configuring Netscaler
To configure VMware Identity Manager for Netscaler, you need to specify a Secure Ticket Authority (STA)
server for each XenApp farm in your Citrix deployment. The STA server is used to generate and validate
STA tickets during the application or desktop launch process.
When a user launches an application or desktop, VMware Identity Manager obtains a ticket from the STA
server. The ticket is presented to Netscaler, along with other information, and Netscaler validates the ticket
with the STA server before establishing a secure connection to the XenApp farm.
Prerequisites
You have integrated Citrix published resources with VMware Identity Manager and completed the
configuration in the Catalog > Manage Desktop Applications > Citrix Published Applications page.
Procedure
1 In the VMware Identity Manager administration console, click the arrow on the Catalog tab and select
Settings.
The Farm UUID, Farm Name, Farm Version and XML Servers fields are populated with values from
your Citrix deployment and you cannot modify these fields.
In the STA Server field, enter the STA server URL in the following format.
transporttype://server:port
(Optional) Enter additional STA servers, if required. For example, you may want to specify a
second STA server for failover purposes.
If you added multiple STA servers, select the order in the XenApp STA Servers fields by clicking
Move Up or Move Down.
Click Update.
If there are multiple XenApp farms in your deployment, specify an STA server for each farm.
What to do next
Configure policies for specific network IP ranges that specify that launch traffic should be routed through
Netscaler to the XenApp server.
Select an existing network range or click Add Network Range to create a new one.
If you are creating a new network range, provide a name and description for the network range.
To route ICA traffic from the specified IP range to Netscaler, do the following:
- Enter the Netscaler host name in the Client Access URL Host field. For example: netscalerhost.example.com
- Enter the port for the Netscaler host in the URL Port field. For example: 443
To route ICA traffic from the specified IP range directly to the XenApp server, do the following:
- Enter the XenApp server host name in the Client Access URL Host field. For example: xenapphost.example.com
- Enter the port for the XenApp server host in the URL Port field. For example: 443
In the IP Ranges field, specify the IP range to which your selections apply.
Click Save.
Select Citrix Published Applications for applications or Citrix Published Delivery Groups for
desktops, then select the Netscaler ICA Properties tab.
The properties fields are populated with default settings.
Click Save.
Click Manage Desktop Applications and select Citrix Published Application from the drop-down
menu.
Global level
The global setting applies to all user entitlements for all the Citrix-published resources in your
deployment. You specify the global deployment type when you first integrate Citrix-published
resources with VMware Identity Manager from the Published Apps - Citrix page. After the initial
integration, you can modify the global setting from the same page. Note that if you change the global
setting after the initial integration, the new setting only applies to new entitlements that are synced. To
modify existing entitlements, you can change the setting at the individual resource level.
Note Setting the global deployment type to User-Activated is recommended. In typical scenarios, you
set the global setting to User-Activated, and then modify it to Activated for specific user and group
entitlements.
During sync, the deployment type for existing entitlements is not changed. For new entitlements in the sync,
the global setting is applied.
Note Once a resource has been activated, that is, once it appears in the Launcher page for a user, it will
continue to appear in the Launcher page unless the user deletes it. Any changes to the deployment type will
not remove it from the Launcher page.
Procedure
1 To set the deployment type at the global level, follow these steps.
a Click the Catalog tab and select Manage Desktop Applications > Citrix Published Application.
Click Save.
The setting will be applied to all new entitlements beginning with the next sync.
2 To set the deployment type for a specific user or group entitlement, follow these steps.
In the Edit User Entitlement dialog box, select the deployment type for the entitlement.
Click Save.
The deployment type set at the user or group entitlement level has precedence over the global
deployment type setting, and will not be modified during sync.
Select Citrix Published Applications to edit ICA settings for applications or Citrix Published Delivery
Groups to edit ICA settings for desktops.
In the ICA Configuration tab, edit the ICA properties according to Citrix guidelines.
The ICA Client Properties and ICA Launch Properties fields must be used together. Both fields must
have values or both must be empty.
Click Save.
Unless individual resources have their own resource delivery settings, your Citrix deployment applies the
global ICA properties when it delivers Citrix-published resources available through
VMware Identity Manager to users.
Click Any Application Type > Citrix Published Applications to edit settings for applications or Any
Application Type > Citrix Published Delivery Groups to edit settings for desktops.
Click Configuration.
View the information about the resource as carried forward from your Citrix deployment.
The page provides several details about the resource, such as the resource name, resource ID, server
name, and so on. The page also displays the resource's enablement status. If the Enabled
check box is not selected, the resource is disabled in your Citrix deployment.
If the Enabled check box is not selected and you want to hide the resource from users, select the Hide
When Disabled check box.
In the ICA properties text boxes, add properties or edit existing properties according to Citrix
guidelines.
Note Both the ICA Client Properties and ICA Launch Properties text boxes must have values or both
must be empty.
Click Save.
Troubleshooting VMware Identity Manager Resource Configuration
You can troubleshoot issues that you or users experience after you configure VMware Identity Manager
resources.
This chapter includes the following topics:
- When Users Launch a Citrix-Published Resource, the Browser Displays 500 Internal Server Error, on page 89
- Resource Not Available Error while Launching XenApp 7.x Desktops, on page 90
Cause
VMware Identity Manager does not set encryption levels. If the encryption level on the XenApp server is set
higher than the default setting used in the Citrix-Receiver, users see this error.
You must set a higher encryption level in Workspace.
Solution
1 Make the following changes in both the ICA Configuration and Netscaler ICA Configuration tabs.
  a Edit the ICA Client Properties text box. To set the encryption level to 128, enter
    EncryptionLevelSession=EncRC5-128
  b Edit the ICA Launch Properties text box. To set the encryption level to 128, enter
    [EncRC5-128]
    DriverNameWin16=pdc128w.dll
    DriverNameWin32=pdc128n.dll
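The two rules the guide states for these text boxes (both set or both empty, and a launch-properties section that matches the EncryptionLevelSession value) are easy to get wrong by hand. The following Python checker is an added example, not part of the VMware documentation or product; it treats ICA Client Properties as key=value lines and ICA Launch Properties as INI sections, which is the shape the steps above show, and reports what to fix before clicking Save.

```python
import re
from typing import Dict, List


def parse_client_properties(text: str) -> Dict[str, str]:
    """ICA Client Properties: plain key=value lines, no section headers."""
    props: Dict[str, str] = {}
    for line in filter(None, map(str.strip, text.splitlines())):
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed ICA client property: {line!r}")
        props[key.strip()] = value.strip()
    return props


def parse_launch_properties(text: str) -> Dict[str, Dict[str, str]]:
    """ICA Launch Properties: INI sections such as [EncRC5-128] holding driver names."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for line in filter(None, map(str.strip, text.splitlines())):
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
            continue
        if current is None:
            raise ValueError(f"launch property outside any section: {line!r}")
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed ICA launch property: {line!r}")
        sections[current][key.strip()] = value.strip()
    return sections


def check_ica_properties(client_text: str, launch_text: str) -> List[str]:
    """Return findings to fix before clicking Save; an empty list means the pair is consistent."""
    # Rule from the guide: both text boxes have values or both are empty.
    if bool(client_text.strip()) != bool(launch_text.strip()):
        return ["ICA Client Properties and ICA Launch Properties must both have values or both be empty"]
    if not client_text.strip():
        return []  # both empty: the global ICA properties apply unchanged
    client = parse_client_properties(client_text)
    launch = parse_launch_properties(launch_text)
    level = client.get("EncryptionLevelSession")
    if level is None:
        return ["EncryptionLevelSession not set; Citrix Receiver's default level applies"]
    if level not in launch:
        return [f"ICA Launch Properties have no [{level}] section matching EncryptionLevelSession={level}"]
    return []
```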
Citrix-published resources
Resource entitlements
If a Web page does not display the expected output, it displays an error and adds information to the
Integration Broker logs. Review the Integration Broker logs to continue the troubleshooting process.
Procedure
1 In a browser, enter a URL such as one of the following, replacing the placeholders with the
appropriate information.
Review the content of the Web page and, if necessary, review the Integration Broker logs.
If Integration Broker is properly configured, the page displays Citrix server farm information,
such as the following.
"[{\"FarmName\":\"test data\",\"ServerVersion\":\"6.0.6410\",\"AdministratorType\":\"Full\",\"SessionCount\":\"2\",\"MachineName\":\"test data\"}]"
If the Web page does not display the server farm information, log information is sent to the
Integration Broker. To further troubleshoot the issue, review the logs on the Integration Broker
host at %programdata%/VMware/HorizonIntegrationBroker.
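The healthy response shown above is a JSON string that itself contains a JSON array, so a script that checks the broker has to decode it twice and treat anything else (for example an HTML error page) as the failure case that sends you to the broker logs. The following Python helper is an added example, not part of the VMware documentation or the Integration Broker; the sample bodies are constructed copies of the output the guide shows, and the required field names are taken from that output.

```python
import json
from typing import Any, Dict, List

LOG_DIR = "%programdata%/VMware/HorizonIntegrationBroker"  # log location named in the guide
REQUIRED_KEYS = ("FarmName", "ServerVersion", "MachineName")

# Constructed copy of the healthy page body the guide shows: the body is a JSON
# string whose contents are themselves a JSON array, so it must be decoded twice.
SAMPLE_OK_BODY = (
    '"[{\\"FarmName\\":\\"test data\\",\\"ServerVersion\\":\\"6.0.6410\\",'
    '\\"AdministratorType\\":\\"Full\\",\\"SessionCount\\":\\"2\\",'
    '\\"MachineName\\":\\"test data\\"}]"'
)
# Constructed body of the kind a misconfigured broker returns instead (an HTML error page).
SAMPLE_ERROR_BODY = "<html><body><h1>Server Error</h1></body></html>"


def decode_farm_info(body: str) -> List[Dict[str, Any]]:
    """Decode the farm-information page body into a list of farm records.

    Accepts the double-encoded form the guide shows and a plain JSON array; raises
    ValueError with a pointer to the broker logs for anything else.
    """
    try:
        data = json.loads(body)
        if isinstance(data, str):  # outer layer was a JSON string: decode the inner array
            data = json.loads(data)
    except json.JSONDecodeError as exc:
        raise ValueError(f"page is not farm information ({exc.msg}); check the logs under {LOG_DIR}") from exc
    if not isinstance(data, list) or not all(isinstance(f, dict) for f in data):
        raise ValueError(f"unexpected shape {type(data).__name__}; check the logs under {LOG_DIR}")
    for farm in data:
        missing = [k for k in REQUIRED_KEYS if k not in farm]
        if missing:
            raise ValueError(f"farm record missing {missing}; check the logs under {LOG_DIR}")
    return data


def summarize_farms(body: str) -> List[str]:
    """One human-readable line per farm, e.g. for a monitoring check's output."""
    return [f"{f['FarmName']} on {f['MachineName']} (server version {f['ServerVersion']}, "
            f"{f.get('SessionCount', '?')} sessions)" for f in decode_farm_info(body)]


if __name__ == "__main__":
    for line in summarize_farms(SAMPLE_OK_BODY):
        print(line)
```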
In a browser, enter a URL such as one of the following, replacing the placeholders with the
appropriate information.
Review the content of the Web page and, if necessary, review the Integration Broker logs.
If Integration Broker is properly configured, the page displays a list of all the resources in the
Citrix server farm.
If the Web page does not display a list of resources, log information is sent to the Integration
Broker. To further troubleshoot the issue, review the logs on the Integration Broker host at
%programdata%/VMware/HorizonIntegrationBroker.
In a browser, enter a URL such as one of the following, replacing the placeholders with the
appropriate information.
Replace the ApplicationName placeholder with the name of the application you are specifying.
Review the content of the Web page and, if necessary, review the Integration Broker logs.
If Integration Broker is properly configured, the page displays a list of all the entitlements for
the application or delivery group you specified.
If the Web page does not display a list of entitlements, log information is sent to the Integration
Broker. To further troubleshoot the issue, review the logs on the Integration Broker host at
%programdata%/VMware/HorizonIntegrationBroker.
Note the settings of the transport type, port number, and SSL relay port number of each server farm
integrated with your VMware Identity Manager deployment.
In the Server Farms section, change the Transport type, Port, and SSL Relay Port settings for each
server farm to match the settings in your Citrix server configuration.
When the error appears, issue the command to increase the allotted memory. For example,
winrm set winrm/config/winrs '@{MaxMemoryPerShellMB="1024"}'
Turn off the power management option for the delivery group in the Citrix XenApp 7.x server.
Sync the Citrix-published resources to the VMware Identity Manager service again.
Cause
This error might occur if the SAML metadata on the View Connection Server instances expired after the last
sync.
Solution
1 In the Pods and Sync tab of the View Pools page, click Sync Now to sync View resources to
VMware Identity Manager again.
Index
Numerics
enable 37
entitlements, Web applications 13
example 70
A
access policy sets, Web-application-specific 10-12
Active Directory, join 23
application records
Web applications 11
Web applications from the cloud application
catalog 10
applications, Web 9-12
B
browser 40
C
catalog, Web applications 9
Citrix deployment 57
Citrix Receiver 57
Citrix resources access policies 76
Citrix server 62, 89
Citrix XenDesktop 57
Citrix Power Shell Remoting 61
Citrix PowerShell Remoting 62
Citrix server farm 62, 89
Citrix-published applications 57, 58, 78, 81-83, 85
Citrix-published desktops 57, 58, 78, 81-83, 85
Citrix-published resources 57, 58, 78, 81-83, 85, 89
Citrix-published resource support 72
cloud application catalog, Web applications 10
Cloud Pod Architecture 30, 31
cloud pod federation 27, 32
configure, SAML authentication 26, 36, 51
connector deployment options for Horizon Air 46
create 50
D
deployment type 39, 54, 79
deprovision Google groups 20
G
global resource settings 81
Google Apps provisioning adapter 15, 18, 20
Google group provisioning 18
group provisioning, Google 18
H
Horizon 6 cloud pod federation 27
Horizon Air integration 46
Horizon Air application pools 53
Horizon Air cloud pod federation 32
Horizon Air desktop pools 53
Horizon Air desktops and applications 47
Horizon Air Desktops and Apps 53, 55
Horizon Air Desktops and Apps entitlements 53
Horizon DaaS desktops and application pools, See VMware Horizon DaaS desktops and application pools
HTML 5 40
HTTPS on IIS 69
I
ICA properties 81, 82, 85
Independent Computing Architecture 81
install 68, 69
integrate 45
Integration Broker 63, 69, 72, 86, 90
Integration Broker Server 68
J
join, Active Directory Domain 23
L
launch error, View resources 91
M
multitenant Web applications 9
N
Netscaler 74, 76
P
pod federation 27, 30, 32
pod federations 31
PowerShell Remoting 61
PowerShell remoting 90
PowerShell SDK 86, 90
prerequisites for integrating Horizon Air desktops and applications 47
provisioning adapters 14, 15
W
Web application bundle 12
Web applications
adding 9
entitling 13
multitenant 9
X
XenApp 7.x desktop 90
XenDesktop 57
R
Resource not available error 90
S
SAML 9-11, 20
SAML authentication 26, 36, 50, 51
self-signed certificate 70
single sign-on 20
SSL trust, update on View Connection Server 26, 37
sync
View Connection Server 23
VMware Horizon DaaS Connection Server 48
sync Active Directory 52
T
troubleshooting 85
U
users
View Hosted Applications 38
viewing entitlements to View desktop pools 38
V
View, deployment scenario 22
View entitlements 38
View application pools 38
View Connection Server 38
View desktop pools, providing access 21
View desktop
allow reset 43
start 42
View desktop pools, See View desktop pools
View Hosted Application 38
View pods 24
VMware Horizon DaaS 45
VMware Horizon DaaS desktops and application pools, providing access 45