
Setting Up Resources in VMware Identity Manager

VMware Identity Manager

This document supports the version of each product listed and supports all subsequent versions until the
document is replaced by a new edition. To check for more recent editions of this document, see
http://www.vmware.com/support/pubs.

EN-001792-07


You can find the most up-to-date technical documentation on the VMware Web site at:
http://www.vmware.com/support/
The VMware Web site also provides the latest product updates.
If you have comments about this documentation, submit your feedback to:
docfeedback@vmware.com

Copyright 2015, 2016 VMware, Inc. All rights reserved. Copyright and trademark information.

VMware, Inc.
3401 Hillview Ave.
Palo Alto, CA 94304
www.vmware.com


Contents

1 Introduction to Setting Up Resources in VMware Identity Manager

2 Providing Access to Web Applications
    Adding Web Applications to Your Organization's Catalog
    Entitling Users and Groups to Web Applications
    Using Provisioning Adapters
    Additional Information

3 Providing Access to View, Horizon 6, or Horizon 7 Desktop and Application Pools
    Deployment Scenario
    Integrating Independent View Pods
    Integrating View Cloud Pod Architecture (CPA) Deployments
    Enabling Multiple Client Access URLs for Custom Network Ranges
    Viewing the Connection Information for View Desktop and Application Pools
    Viewing User and Group Entitlements to View Desktop and Application Pools
    Setting the Deployment Type for View Entitlements
    Viewing Launch Options for View Desktops and Applications
    Launching a View Desktop or Application
    Allowing Users to Reset Their View Desktops in VMware Identity Manager
    Reducing Resource Usage and Increasing Performance of VMware Identity Manager Desktop in Non-Persistent View Desktops

4 Providing Access to Horizon Air - Cloud Hosted Desktops and Apps
    Integrating Horizon Air Desktops and Apps
    Viewing Details of Horizon Air Desktop and Application Pools
    Viewing User and Group Entitlements to Horizon Air Desktops and Apps
    Setting the Deployment Type for Horizon Air Entitlements
    Launching a Horizon Air Desktop or Application

5 Providing Access to Citrix-Published Resources
    Integrating VMware Identity Manager with Citrix-Published Resources
    Enabling Citrix PowerShell Remoting on Citrix Server Farm
    Preparing and Installing Integration Broker
    Synchronizing VMware Identity Manager with Citrix Server Farms
    Configuring VMware Identity Manager for Netscaler
    Viewing User and Group Entitlements to Citrix-Published Resources
    Setting the Deployment Type for Citrix Entitlements
    Editing Delivery Settings for Citrix-Published Resources
    Managing Categories for Citrix-Published Resources

6 Troubleshooting VMware Identity Manager Resource Configuration
    Users Accessing Citrix-Published Resources Receive an Encryption Error
    Citrix-Published Resources Are Not Available in VMware Identity Manager
    When Users Launch a Citrix-Published Resource, the Browser Displays 500 Internal Server Error
    Memory Issue Prevents Proper Configuration of Integration Broker
    Resource Not Available Error while Launching XenApp 7.x Desktops
    Unable to Launch Desktop from Citrix XenDesktop Farm on Windows 7
    Users Unable to Launch View Applications or Desktops

Index


Setting Up Resources in VMware Identity Manager

Setting Up Resources in VMware Identity Manager provides instructions for adding resources to the
VMware Identity Manager catalog and making them available from users' systems, such as from their
desktops and mobile devices. These resources include Web applications, View desktop and application
pools, and Citrix-published resources.

Intended Audience
This information is intended for anyone who configures and administers the resources for the
VMware Identity Manager service. The information is written for experienced Windows or Linux system
administrators who are familiar with virtual machine technology.


Introduction to Setting Up Resources in VMware Identity Manager

After you install and configure VMware Identity Manager, to provide users with access to supported
resources, you must enable these resources in the VMware Identity Manager administration console. Except
for Web applications, each resource type requires you to integrate VMware Identity Manager with another
product or component.
You can integrate the following types of resources with VMware Identity Manager:
- Web applications
- Horizon Air - Cloud Hosted Apps and Desktops
- Horizon 7, Horizon 6, or View desktop and application pools
- Citrix-published resources

You integrate these resources from the Catalog tab in the administration console.
To integrate Web applications, you use the Add Application menu in the Catalog tab.

To integrate and enable Horizon 7, Horizon 6, or View desktop and application pools, Horizon Air - Cloud
Hosted Apps and Desktops, or Citrix-published resources, you use the Manage Desktop Applications
menu in the Catalog tab.

You can manage global settings for integrated resources from the Catalog > Settings page. You can manage
settings for individual applications by selecting the application in the Catalog tab.


Providing Access to Web Applications

In the VMware Identity Manager service, you can add your organization's external Web applications and
entitle users to them.
To enable users to access a Web application through the service, verify that the following requirements are
met:
- If you configure the Web application to use a federation protocol, use SAML 1.1, SAML 2.0, or WS-Federation 1.2. Configuring the Web application to use a federation protocol is not a requirement.
- The users you plan to entitle to the Web application are registered users of that application.
- If the Web application is a multitenant application, the service points to your instance of the application.

This chapter includes the following topics:
- Adding Web Applications to Your Organization's Catalog
- Entitling Users and Groups to Web Applications
- Using Provisioning Adapters
- Additional Information

Adding Web Applications to Your Organization's Catalog


You can add your organization's Web applications to your catalog and make these applications accessible to
your users and groups.
When you add an entry for a Web application to the catalog, you create an application record and configure
the address of the Web application. The VMware Identity Manager service uses the application record as a
template to establish a secure connection with the Web application.
The following methods can be used to add application records of Web applications to your catalog from the
Catalog tab.

From the cloud application catalog: Popular enterprise Web application types are listed in the cloud
application catalog. These applications are partially configured. You must complete the rest of the
application record form.

Create a new one: You can add Web applications to your catalog that are not listed in the cloud application
catalog. The application records for these Web applications are more generic than those of cloud application
catalog applications. You enter the application description and configuration information to create the
application record.

Import a ZIP or JAR file: You can import a Web application that you previously configured in the service. You
might want to use this method to move a deployment from staging to production. In such a situation, you
export a Web application from the staging deployment as a ZIP file. You then import the ZIP file to the
production deployment.


After you add Web applications to the catalog, you can configure entitlements, access policies, licensing, and
provisioning information.
Web applications are added in the administration console. Log in with a user that holds the administrator role
assigned from your Active Directory or LDAP directory. The URL of the administration console has the form
https://mycompany.vmwareidentity.com, where mycompany is a placeholder for your own tenant.

Add a Web Application to Your Catalog from the Cloud Application Catalog
The cloud application catalog is populated with Web applications. These applications include some
information in their application records. When you add a Web application to your catalog from the cloud
application catalog, you must provide additional information to complete the application record. You might
also need to work with your Web application account representatives to complete other required setup.
Many of the applications in the cloud application catalog use Security Assertion Markup Language (SAML 1.1
or SAML 2.0) to exchange authentication and authorization data, so that the service can verify that a user is
allowed to access the Web application.
When you add a Web application to the catalog, you are creating an entry that points indirectly to the Web
application. The entry is defined by the application record, which is a form that includes a URL to the Web
application.
You can apply an access policy to control user access to the application. If you do not want to use the default
access policy, create a new one. See VMware Identity Manager Administration Guide for information about
managing access policies.
Procedure

1 In the administration console, click the Catalog tab.

2 Click Add Application > Web Application ...from the cloud application catalog.

3 Click the icon of the Web application you want to add.
  The application record is added to your catalog, and the Details page appears with the name and
  authentication profile already specified.

4 (Optional) Customize the information on the Details page for your organization's needs.
  Items on the page are populated with information specific to the Web application. You can edit some of
  the items, depending on the application.

  Name: The name of the application.

  Description: A description of the application that users can read.

  Icon: Click Browse to upload an icon for the application. Icons in PNG, JPG, and ICON file formats, up to
  4 MB, are supported. Uploaded icons are resized to 80px X 80px. To prevent distortion, upload icons where
  the height and width are equal to each other and as close as possible to the 80px X 80px resize dimensions.

  Categories: To allow the application to appear in a category search of catalog resources, select a category
  from the drop-down menu. You must have created the category earlier.

5 Click Save.

6 Click Configuration, edit the application record's configuration details, and click Save.
  Some of the items on the form are prepopulated with information specific to the Web application. Some
  of the prepopulated items are editable, while others are not. The information requested varies from
  application to application.
  For some applications, the form has an Application Parameters section. If the section exists for an
  application and a parameter in the section does not have a default value, provide a value to allow the
  application to launch. If a default value is provided, you can edit the value.

7 Select the Entitlements, Licensing, and Provisioning tabs and customize the information as
  appropriate.

  Entitlements: Entitle users and groups to the application. You can configure entitlements while initially
  configuring the application or anytime in the future.

  Access Policies: Apply an access policy to control user access to the application.

  Licensing: Configure license tracking. Add license information for the application to track license use in
  reports.

  Provisioning: Select a provisioning adapter, if applicable. Currently, a provisioning adapter is available for
  Google Apps. See Using the Google Apps Provisioning Adapter for more information.
  Provisioning provides automatic application user management from a single location. Provisioning
  adapters allow the Web application to retrieve specific information from the VMware Identity Manager
  service as required. For example, to enable automatic user provisioning to Google Apps, user account
  information, such as the user name, first name, and last name, must exist in the Google Apps database.
  An application might require other information, such as group-membership and authorization-role
  information.

What to do next
For details about adding user and group entitlements for Web applications, see Entitling Users and Groups
to Web Applications.

Add a Web Application to Your Catalog by Creating a New Application Record


You can add Web applications to your catalog that are not listed in the cloud application catalog. You create
an application record when you add the Web application.
When you successfully complete the application record for a Web application, an entry is created in your
catalog that points indirectly to the Web application, and the Web application and the
VMware Identity Manager service can use SAML to communicate with each other.
You can apply an access policy to control user access to the application. If you do not want to use the default
access policy, create a new one. See VMware Identity Manager Administration Guide for information about
managing access policies.
Procedure

1 In the administration console, click the Catalog tab.

2 Click Add Application > Web Application ...create a new one.
  The application record is added to your catalog, and the system displays the record's Details page.

3 Complete the information on the Details page, and click Next.

  Name: Provide the name of the application.

  Description: (Optional) Provide a description of the application.

  Icon: (Optional) Click Browse to upload an icon for the application. Icons in PNG, JPG, and ICON file
  formats, up to 4 MB, are supported. Uploaded icons are resized to 80px X 80px. To prevent distortion,
  upload icons where the height and width are equal to each other and as close as possible to the
  80px X 80px resize dimensions.

  Authentication Profile: Specify the appropriate federation protocol, if any.

4 In the Configuration page, edit the application record's configuration details as necessary, and click
  Save.
  Some of the items on the form are prepopulated.
  When the SAML 2.0 POST Profile is selected on the Details page, the Configuration page includes the
  Configure Via section. Use the options in the Configure Via section to specify how the application
  metadata is retrieved. You can select retrieval by auto-discovery URL, metadata XML, or manual
  configuration.

  Auto-discovery (meta-data) URL: If the XML metadata is accessible on the Internet, provide the URL.

  Meta-data XML: If the XML metadata is not accessible on the Internet, but is available to you, paste the
  XML in the text box.

  Manual configuration: If the XML metadata is not available to you, complete the XML manual
  configuration items.

5 Select the Entitlements, Licensing, and Provisioning tabs and customize the information as
  appropriate.

  Entitlements: Entitle users and groups to the application. You can configure entitlements while initially
  configuring the application or anytime in the future.

  Access Policies: Apply a Web application-specific access policy to control user access to the application.

  Licensing: Configure license tracking. Add license information for the application to track license usage in
  reports.

  Provisioning: Select a provisioning adapter, if applicable. Currently, a provisioning adapter is available for
  Google Apps. See Using the Google Apps Provisioning Adapter for more information.
  Provisioning provides automatic application user management from a single location. Provisioning
  adapters allow the Web application to retrieve specific information from the VMware Identity Manager
  service as required. For example, to enable automatic user provisioning to Google Apps, user account
  information, such as the user name, first name, and last name, must exist in the Google Apps database.
  An application might require other information, such as group-membership and authorization-role
  information.
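The metadata that the Configure Via options accept is where the service learns the application's entity ID, assertion consumer service (ACS) URL and signing certificate, so it is worth reading it before pasting it in. The script below is an added example and is not VMware's code: it parses a constructed sample of SAML 2.0 service-provider metadata (the entity ID, URLs and certificate body are placeholders), reports the values you would type into the Manual configuration items, and flags the mistakes that lead to a failed or downgraded login, such as an ACS URL that is not https. If you use the auto-discovery URL option instead, fetch the metadata over https only: anyone who can alter it in transit can swap in their own certificate and ACS URL.

```python
import base64
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Namespaces used in SAML 2.0 metadata and the binding the POST profile needs.
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Placeholder certificate: base64 of a few DER-looking bytes, NOT a real X.509 certificate.
PLACEHOLDER_CERT_B64 = base64.b64encode(b"\x30\x82\x00\x10" + bytes(16)).decode()

# Constructed sample service-provider metadata; every name and URL is a placeholder.
# The second AssertionConsumerService deliberately uses plain http so the check has a hit.
SAMPLE_METADATA = f"""<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://app.example.com/saml/metadata">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{PLACEHOLDER_CERT_B64}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="{POST_BINDING}" Location="https://app.example.com/saml/acs"/>
    <md:AssertionConsumerService index="1" Location="http://app.example.com/saml/artifact"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_sp_metadata(xml_text):
    """Extract entity ID, ACS endpoints, signing certificates and NameID format.

    xml.etree does not defend against entity-expansion attacks; parse metadata
    from sources you do not trust with defusedxml instead.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML 2.0 EntityDescriptor")
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor: this metadata does not describe a service provider")
    acs = [{"index": int(e.get("index", "0")), "default": e.get("isDefault") == "true",
            "binding": e.get("Binding"), "location": e.get("Location")}
           for e in sp.findall("md:AssertionConsumerService", NS)]
    certs = []
    for kd in sp.findall("md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):
            continue  # encryption-only keys do not verify the application's requests
        for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            if c.text:
                certs.append("".join(c.text.split()))  # drop line breaks inside the base64
    fmt = sp.find("md:NameIDFormat", NS)
    return {"entity_id": root.get("entityID"), "acs": acs, "signing_certs": certs,
            "name_id_format": fmt.text.strip() if fmt is not None and fmt.text else None}


def check_sp_config(info):
    """Return the problems that should stop you saving this application record."""
    problems = []
    if not info["acs"]:
        problems.append("no AssertionConsumerService: nowhere to post the SAML response")
    for a in info["acs"]:
        if urlparse(a["location"] or "").scheme != "https":
            problems.append(f"ACS {a['location']} is not https: the assertion would travel in clear text")
    if not any(a["binding"] == POST_BINDING for a in info["acs"]):
        problems.append("no HTTP-POST AssertionConsumerService: the SAML 2.0 POST profile needs one")
    if not info["signing_certs"]:
        problems.append("no signing certificate: the application's signed requests cannot be verified")
    for cert in info["signing_certs"]:
        try:
            der = base64.b64decode(cert, validate=True)
        except ValueError:
            problems.append("X509Certificate is not valid base64")
            continue
        if not der.startswith(b"\x30"):
            problems.append("X509Certificate does not decode to a DER SEQUENCE")
    return problems


def manual_configuration(info):
    """Values for the Manual configuration items: the default https HTTP-POST ACS wins."""
    candidates = [a for a in info["acs"]
                  if a["binding"] == POST_BINDING and urlparse(a["location"] or "").scheme == "https"]
    candidates.sort(key=lambda a: (not a["default"], a["index"]))
    return {"entity_id": info["entity_id"],
            "acs_url": candidates[0]["location"] if candidates else None,
            "name_id_format": info["name_id_format"],
            "signing_cert_count": len(info["signing_certs"])}


if __name__ == "__main__":
    sp = parse_sp_metadata(SAMPLE_METADATA)
    for problem in check_sp_config(sp):
        print("PROBLEM:", problem)
    print(manual_configuration(sp))
```

Run against the real metadata the application vendor gives you; an empty problem list and a populated acs_url are what you want before you save the record. The http artifact endpoint in the sample is the kind of entry that is easy to miss in a long metadata file and that a browser will happily post to.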

What to do next
See Entitling Users and Groups to Web Applications for details about adding user and group entitlements for
Web applications.

Add a Web Application to Your Catalog by Importing a ZIP or JAR File


You can import to your catalog a Web application that was previously configured in the
VMware Identity Manager service. For example, you might want to import an application from your staging
environment to your production environment.
This process involves exporting the application bundle from the service and importing it into the new
environment. The application might not require further configuration, especially if you thoroughly tested
the configuration values in the original environment. To further configure the Web application after
importing it, see Add a Web Application to Your Catalog from the Cloud Application Catalog or Add a
Web Application to Your Catalog by Creating a New Application Record.


Procedure

1 Log in to the administration console of the service from which to export a Web application.

2 Click the Catalog tab.

3 Click Any Application Type > Web Applications.

4 Click the icon of the Web application to export.

5 Click Export.

6 Save the zipped application bundle to your local system.

7 Log in to the administration console of the service in which to import the Web application.

8 Click the Catalog tab.

9 Click Add Application > Web Application ...import an application.

10 Click Browse, browse to the location on your local system where you saved the application bundle as a
   ZIP file, select the file, and click Submit.

11 Edit the information on the Details, Configuration, Entitlements, Access Policies, Licensing, and
   Provisioning pages as necessary.

What to do next
For details about adding user and group entitlements for Web applications, see Entitling Users and Groups
to Web Applications.

Entitling Users and Groups to Web Applications


After you add Web applications to your catalog, you can entitle users and groups to them.
You can only entitle VMware Identity Manager users, users who are imported from your directory server, to
Web applications. When you entitle a user to a Web application, the user sees the application and can launch
it from their My Apps portal. If you remove the entitlement, the user cannot see or launch the application.
In many cases, the most effective way to entitle users to Web applications is to add a Web application
entitlement to a group of users. However, in certain situations entitling individual users to a Web
application is more appropriate.
Procedure

1 Log in to the administration console.

2 Entitle users to a Web application, using either of the following methods.

  Access a Web application and entitle users or groups to it.
    a Click the Catalog tab.
    b Click Any Application Type > Web Applications.
    c Click the Web application to which to entitle users and groups.
      The information page for the Web application appears with the Entitlements tab selected by default.
      Group entitlements are listed in one table, user entitlements are listed in another table.
    d Click Add group entitlement or Add user entitlement.
    e Type the names of the groups or users.
      You can search for users or groups by starting to type a search string and allowing the autocomplete
      feature to list the options, or you can click browse to view the entire list.
    f Use the drop-down menu to select how to activate each selected Web application.
      - Automatic displays the application by default in an entitled user's list of Web applications the next
        time that user logs in using the Workspace for Windows application.
      - User-Activated requires that an entitled user must add the Web application to their list of Web
        applications using the Workspace for Windows application before the user can use the Web
        application.
    g Click Save.

  Access a user or group and add Web application entitlements to that user or group.
    a Click the Users & Groups tab.
    b Click the Users or Groups tab.
    c Click the name of a user or group.
    d Click Add Entitlement.
    e Select the check boxes next to the Web applications to which you want to entitle the user or group.
      Use the drop-down menu to select how to activate each selected Web application.
      - Automatic displays the application by default in an entitled user's list of Web applications the next
        time that user logs in using the Workspace for Windows application.
      - User-Activated requires that an entitled user must add the Web application to their list of Web
        applications using the Workspace for Windows application before the user can use the Web
        application.
    f Click Save.

The selected user or group is now entitled to use the Web application.

Using Provisioning Adapters


Provisioning provides automatic application user management from a single location. Provisioning adapters
allow Web applications to retrieve specific information from the VMware Identity Manager service as
required. For example, to enable automatic user provisioning to Google Apps, required user account
information, such as the user name, first name, and last name can be retrieved from the
VMware Identity Manager service. If provisioning is enabled for a Web application, when you entitle a user
to the application in the VMware Identity Manager service, the user is provisioned in the Web application.
The VMware Identity Manager service currently includes the following provisioning adapters.
- Google Apps provisioning adapter. See Using the Google Apps Provisioning Adapter.

Using the Google Apps Provisioning Adapter


You can use the Google Apps Provisioning Adapter to automatically provision users in Google from the
VMware Identity Manager service. If provisioning is enabled, whenever you entitle a user to Google Apps
in the service, the user is also created in Google.
Before enabling provisioning in VMware Identity Manager, you must do the following:

1 Create a Google service account and its credentials.
  You will need your service account's client ID, email address, and private key file to enable
  provisioning. Once domain-wide delegation is granted, whoever holds that private key can act on every
  user and group in your Google domain, so handle the key file as a privileged credential.

2 After you create the Google service account, enable Google Apps domain-wide delegation.
  a In the API Manager Credentials > Create credentials page, click Manage service accounts.
  b Click the icon next to your service account and select Edit.
  c Select the Enable Google Apps Domain-wide Delegation checkbox, and click Save.

3 Delegate Google Apps domain-wide authority to your service account from the Security > Advanced
  Settings > Authentication > Manage API client access page in the Google Admin console. See the
  Google documentation for more information.
  When you delegate domain-wide authority to the service account, enter the following values, as a single
  comma-separated list, in the One or More API Scopes field:
  https://www.googleapis.com/auth/admin.directory.user.readonly,https://www.googleapis.com/auth/admin.directory.user.alias.readonly,https://www.googleapis.com/auth/admin.directory.user.alias,https://www.googleapis.com/auth/admin.directory.user,https://www.googleapis.com/auth/admin.directory.group.readonly,https://www.googleapis.com/auth/admin.directory.group.member.readonly,https://www.googleapis.com/auth/admin.directory.group.member,https://www.googleapis.com/auth/admin.directory.group

You can now enable provisioning in the VMware Identity Manager service.


Procedure

1 Log in to the VMware Identity Manager administration console.

2 Click the Catalog tab.

3 Click Google Apps.

4 In the Modify application page, click Provisioning.

5 Enter the following information.

  Select Adapter: Select GoogleAppsProvisioningAdapter.

  AdminUsername: Your Google Apps administrator user name. Do not include the domain name.
  For example: admin

  ServiceAccount: The client email of the service account. You can get the client email from the key file.

  Private Key: Copy and paste the service account's private key.

  DomainName: Your company's domain name. For example: example.com

  SuspendOnDeprovisioning: Select this option if you want users to be suspended in Google when you
  remove their entitlement to Google Apps.

  Enable Provisioning: Select this option.

6 Click Test Connection.
  If the connection is successful, a "Made a connection to Google service" message appears at the top of
  the page.

7 Click Save.

8 Click the Users tab.

9 Select the attributes with which to provision users in Google by setting values for them.
  The following attributes are required, and have default values: UserName, FirstName, LastName.
  To set values for the attributes, follow these steps.
  a Click Edit mapped values.
  b Click Edit next to the attribute and select a value.
    - For some attributes, mapped values can be specified per group. For example, the USERNAME
      attribute. Click +ADD to add a group. You can set different values for the groups. The groups are
      listed in order of precedence and you can change the order by clicking the blue up and down arrows.
      If a user belongs to more than one group in the list, then the value of the first group to which the
      user belongs is used. The ALL USERS group can be used to set a default value.
      The expressions in the VALUE drop-down list are the ones listed in the User Attributes page. If you
      want to add any expressions to the list, add them to the User Attributes page. You can also type in a
      value directly.
    - For some attributes, you can specify multiple values. For example, you can specify multiple phone
      numbers for the PHONES attribute. Click +ADD to add another value.
      The expressions in the drop-down list are the ones listed in the User Attributes page. If you want to
      add any expressions to the list, add them to the User Attributes page. You can also type in a value
      directly.
  c Click Queue Changes or Save.

10 Edit the other attributes you want to set.

11 Click Save.

Provisioning is now enabled. When you entitle a user to Google Apps, if the user does not exist in Google,
the user will be created.
Note When you entitle a user to Google Apps, if you set the DEPLOYMENT field value to Automatic, the
user is provisioned immediately. If you set the value to User-Activated, the user is provisioned when the
user adds Google Apps to their My Apps portal.
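The Provisioning form above and the delegation steps in the prerequisites describe a single credential: a service account whose private key, once domain-wide delegation is granted, lets the adapter act as AdminUsername inside your Google domain. The script below is an added example and is neither VMware's adapter code nor Google's client library. It reads a constructed sample key file in the JSON layout Google issues for service accounts (placeholder values, fake key body), pulls out the ServiceAccount and Private Key values the form asks for, compares a constructed sample of the One or More API Scopes field with the list in the prerequisites, builds the JWT claim set that a holder of domain-wide delegation presents to Google's token endpoint, and checks the domain rule for Group Email from Provisioning a Group in Google. The claim-set layout (iss, sub, scope, aud, iat, exp) is Google's documented service-account flow; that the adapter impersonates AdminUsername@DomainName is my assumption, and signing the assertion with the key is left to a real client library.

```python
import json
import re
import time

# The scopes the prerequisites say to enter in One or More API Scopes.
REQUIRED_SCOPES = (
    "https://www.googleapis.com/auth/admin.directory.user.readonly",
    "https://www.googleapis.com/auth/admin.directory.user.alias.readonly",
    "https://www.googleapis.com/auth/admin.directory.user.alias",
    "https://www.googleapis.com/auth/admin.directory.user",
    "https://www.googleapis.com/auth/admin.directory.group.readonly",
    "https://www.googleapis.com/auth/admin.directory.group.member.readonly",
    "https://www.googleapis.com/auth/admin.directory.group.member",
    "https://www.googleapis.com/auth/admin.directory.group",
)

# Constructed sample key file in the JSON layout Google issues for a service account.
# Every value is a placeholder; the private_key body is NOT a real key.
SAMPLE_KEY_FILE = json.dumps({
    "type": "service_account",
    "project_id": "example-project",
    "client_id": "123456789012345678901",
    "client_email": "vidm-provisioning@example-project.iam.gserviceaccount.com",
    "private_key": "-----BEGIN PRIVATE KEY-----\nTUlJRXBsYWNlaG9sZGVy\n-----END PRIVATE KEY-----\n",
    "token_uri": "https://oauth2.googleapis.com/token",
})

# Constructed sample of a mistyped One or More API Scopes field: the last required
# scope is missing and an unrelated Gmail scope was pasted in.
SAMPLE_GRANTED = ",".join(REQUIRED_SCOPES[:-1] + ("https://www.googleapis.com/auth/gmail.readonly",))

PEM_RE = re.compile(
    r"-----BEGIN (?:RSA )?PRIVATE KEY-----\n(?:[A-Za-z0-9+/=]+\n)+-----END (?:RSA )?PRIVATE KEY-----\n?$"
)


def load_key_file(text):
    """Return the fields the Provisioning form needs (ServiceAccount is client_email)."""
    data = json.loads(text)
    if data.get("type") != "service_account":
        raise ValueError("not a service-account key file")
    for field in ("client_id", "client_email", "private_key", "token_uri"):
        if not data.get(field):
            raise ValueError(f"key file is missing {field}")
    if not PEM_RE.match(data["private_key"]):
        raise ValueError("private_key is not a PEM-encoded private key")
    return {k: data[k] for k in ("client_id", "client_email", "private_key", "token_uri")}


def check_delegated_scopes(scopes_field):
    """Compare the comma-separated scope string from the Admin console with REQUIRED_SCOPES."""
    granted = {s.strip() for s in scopes_field.split(",") if s.strip()}
    return {"missing": sorted(set(REQUIRED_SCOPES) - granted),
            "unexpected": sorted(granted - set(REQUIRED_SCOPES))}


def delegation_claims(key, admin_username, domain, now=None):
    """Claim set of the JWT a domain-wide-delegated caller sends to token_uri.

    Assumption: the adapter impersonates AdminUsername@DomainName, so the two form
    fields combine into sub. Signing with the private key (RS256) is not done here.
    """
    if "@" in admin_username:
        raise ValueError("AdminUsername must not include the domain name")
    if not domain or "@" in domain:
        raise ValueError("DomainName must be a bare domain such as example.com")
    now = int(time.time() if now is None else now)
    return {
        "iss": key["client_email"],
        "sub": f"{admin_username}@{domain}",
        "scope": " ".join(REQUIRED_SCOPES),
        "aud": key["token_uri"],
        "iat": now,
        "exp": now + 3600,  # Google rejects assertions that claim more than one hour
    }


def group_email_in_domain(group_email, domain):
    """Group Email must be in DomainName, as the Important note in group provisioning requires."""
    local, sep, host = group_email.partition("@")
    return bool(local) and sep == "@" and host.lower() == domain.lower()


if __name__ == "__main__":
    key = load_key_file(SAMPLE_KEY_FILE)
    print("ServiceAccount:", key["client_email"])
    print("scope check:", check_delegated_scopes(SAMPLE_GRANTED))
    print(json.dumps(delegation_claims(key, "admin", "example.com"), indent=2))
    print("group ok:", group_email_in_domain("vidm-users@example.com", "example.com"))
```

The read-write scopes (admin.directory.user, .user.alias, .group and .group.member) already include what their .readonly counterparts allow, so the eight-scope list is broader than the adapter strictly needs; whatever you grant, the key file is a credential for every account in the domain. Keep it off shared file systems, rotate it if it is ever pasted into a ticket or chat, and remove the delegation in the Admin console when you retire the adapter.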

Provisioning a Group in Google


You can provision groups in Google from the VMware Identity Manager service using the Google Apps
provisioning adapter. You can select any of your VMware Identity Manager groups, whether they are
created locally or synced from your enterprise directory, to provision. The group is created in Google and
the email addresses of the group members are added to it.
Groups in Google can be used as mailing lists. They can also be used to manage access to documents, sites,
calendars, and so on.
After you provision a group in Google, you can manage it like any other Google group. For example, you
can add or delete users.
Prerequisites
You have configured the Google Apps provisioning adapter. See Using the Google Apps Provisioning
Adapter.

Procedure

1 In the VMware Identity Manager administration console, click the Catalog tab.

2 Click Google Apps.

3 In the Modify application page, click Provisioning.

4 In the Provisioning page, under the Provisioning section, click the Groups tab.

5 Click Add Group Provisioning.

6 In the Add Group Provisioning dialog box, enter the following information.

  Group Name: Enter the name of the VMware Identity Manager group you want to provision in Google.
  You can start typing to search for a group.

  Group Owner Email: Enter the email address of the owner of the group.

  Group Email: Enter an email address for the group in Google. The group will be created in Google with
  this email address. The email address must either be new or belong to an existing Google group. It must
  not belong to a user. If a group with this email address already exists in Google, members of the
  VMware Identity Manager group you selected are added to that group.
  Important Ensure that the domain of the email address matches the domain you specified in the
  DomainName field in the Provisioning page.

7 Click Provision.
  The group is provisioned in Google with the same name as the VMware Identity Manager group and
  the email address you specified. The provisioning status is displayed in the Groups tab in the
  Provisioning page.

What to do next
To verify that the group is provisioned in Google, do the following.

1 Log in to the Google Admin console.

2 Click the Groups icon.
  You may need to click MORE CONTROLS at the bottom of the page to see the Groups icon.

3 Select the new group to view details.


Deprovisioning a Group in Google


You can deprovision groups that you provisioned in Google from the VMware Identity Manager service.
Deprovisioning a group deletes the group in Google.
Prerequisites
Verify that the Google Apps provisioning adapter is configured in the VMware Identity Manager service.
See Using the Google Apps Provisioning Adapter.

Procedure

1 In the VMware Identity Manager administration console, click the Catalog tab.

2 Click Google Apps.

3 In the Modify application page, click Provisioning.

4 In the Provisioning page, under the Provisioning section, click the Groups tab.

5 Select the checkbox next to the group you want to deprovision and click Deprovision.

The group is deleted in Google. It is also removed from the Group Provisioning table in the
VMware Identity Manager administration console.

Additional Information
Additional information is available on configuring SAML-based single sign-on to specific Web applications,
such as Office 365 and Google Apps.
See the VMware Identity Manager Integrations Documentation.


Providing Access to View, Horizon 6, or Horizon 7 Desktop and Application Pools

By integrating your organization's View, Horizon 6, or Horizon 7 environment with your
VMware Identity Manager deployment, you give your VMware Identity Manager users the ability to use the
My Apps portal to access their entitled View desktop and application pools. You can integrate independent
View pods, which consist of View Connection Server instances, and pod federations, which contain multiple
pods and can span multiple sites and data centers.
You deploy and manage desktop and application pools in the View administrator interface. You also create
entitlements for Active Directory users and groups in View. When you integrate View pods or pod
federations with your VMware Identity Manager service, you sync information about these resources and
entitlements to VMware Identity Manager. In the VMware Identity Manager administration console, you
can see the associations between users and groups and the View pools to which they are entitled.
For information about configuring View, see the View, Horizon 6, or Horizon 7 documentation.

Supported Versions
VMware Identity Manager supports the following versions and features.
- Integrating independent View pods is supported for View 5.3 and later.
- Integrating pod federations, created using the Cloud Pod Architecture feature, is supported for Horizon
  6.2 and later.
- HTML Access is supported for Horizon 6.1.1 and later.
- Certificate SSO is supported for Horizon 7.x.
Also see the VMware Product Interoperability Matrix for the latest support information.
This chapter includes the following topics:
- Deployment Scenario, on page 22
- Integrating Independent View Pods, on page 22
- Integrating View Cloud Pod Architecture (CPA) Deployments, on page 27
- Enabling Multiple Client Access URLs for Custom Network Ranges, on page 37
- Viewing the Connection Information for View Desktop and Application Pools, on page 38
- Viewing User and Group Entitlements to View Desktop and Application Pools, on page 38
- Setting the Deployment Type for View Entitlements, on page 39
- Viewing Launch Options for View Desktops and Applications, on page 40
- Launching a View Desktop or Application, on page 42
- Allowing Users to Reset Their View Desktops in VMware Identity Manager, on page 43
- Reducing Resource Usage and Increasing Performance of VMware Identity Manager Desktop in
  Non-Persistent View Desktops, on page 44

Deployment Scenario
You can integrate your on-premises View, Horizon 6, or Horizon 7 deployment with your
VMware Identity Manager tenant.
You need the following components.
- A VMware Identity Manager tenant.
- A VMware Identity Manager connector, version 2.7 or later, installed on premises.
  You can download the connector from https://my.vmware.com.
- A View, Horizon 6, or Horizon 7 deployment on premises.
While deploying the on-premise components, ensure that the connector can communicate with the View
Connection Server instances.
All communication between the VMware Identity Manager service and the on-premise components is
through the connector. The connector and the service communicate over a communication channel that is
automatically set up during installation.
The following diagram depicts a VMware Identity Manager-View integration.
Figure 3-1. VMware Identity Manager and View Integration
[Diagram: the on-premises VMware Identity Manager Connector retrieves resources and entitlements from the
View Connection Server and syncs them to the VMware Identity Manager Service in the vIDM tenant.]

Integrating Independent View Pods
To integrate independent View pods, you add the View Connection Server details in the VMware Identity
Manager administration console and sync with the View Connection Server.
Before you perform any integration tasks in the VMware Identity Manager administration console, set up
View. You create and configure View pools in View, not in VMware Identity Manager. You also set
entitlements for Active Directory users and groups in View.
Integrating View involves the following high-level tasks.
- Deploy and configure View.
- Deploy View desktop and application pools, with entitlements set for Active Directory users and
  groups.
- Enable the userPrincipalName attribute in the VMware Identity Manager administration console, on
  the User Attributes page.
- Sync Active Directory users and groups who are entitled to View pools in View Connection Server
  instances to the VMware Identity Manager service using directory sync.
- Join VMware Identity Manager to the same Active Directory domain as View.
- Add View pods to VMware Identity Manager.
- Configure SAML authenticator on the View Connection Server. You must always use the
  VMware Identity Manager FQDN on the Authenticator configuration page.

Set up View
To use View with VMware Identity Manager, you must first install and configure View.
VMware Identity Manager supports View 5.3 and later versions. Also, see the VMware Product
Interoperability Matrix for the latest support information.
Note HTML Access is supported for Horizon 6.1.1 and later.
When you configure View, ensure that you meet the following requirements.
- Deploy View Connection Servers on the default port 443 or on a custom port.
- Verify that you have a DNS entry and an IP address that can be resolved during reverse lookup for each
  View Connection Server in your View setup. VMware Identity Manager requires reverse lookup for
  View Connection Servers, View Security Server, and load balancer. If reverse lookup is not properly
  configured, the VMware Identity Manager integration with View fails.
- Deploy and configure View pools and desktops with entitlements set for Active Directory users and
  groups. Ensure that users have the correct entitlements.
- While configuring desktop pools, ensure that in Remote Settings, you set the Automatically log off
  after disconnect option to 1 or 2 minutes instead of immediately.
- Ensure that you create View pools in the root folder of View. If you create View pools in a folder other
  than the root folder, VMware Identity Manager cannot query those View pools and entitlements.
- Extending the SAML metadata expiration period to 90 days on the View Connection Servers is
  recommended. See Change the Expiration Period for Service Provider Metadata on View Connection
  Server for information.

Join Active Directory Domain
Before you integrate with View, VMware Identity Manager must join the Active Directory domain that is
used for View.
Prerequisites
- Verify that you have an Active Directory domain name, username, and password, with the rights to join
  the domain.
  See "Integrating with Active Directory" in Installing and Configuring VMware Identity Manager for more
  information about joining a domain.
- Verify that the attribute userPrincipalName in the VMware Identity Manager User Attributes page is
  enabled. You can access this page in the administration console by clicking Identity & Access
  Management > Setup > User Attributes.
- Verify that users and groups with View Pool entitlements are synced to VMware Identity Manager
  using Directory sync.
- If applicable, establish a connection to multi-domains or trusted multi-forest domains in Active
  Directory. See VMware Identity Manager Installation and Configuration.


Procedure
1 Log in to the connector service admin.
2 Click Identity & Access Management.
3 Click Setup.
4 In the Connectors page, click Join Domain next to the appropriate directory.
5 Type the information for the Active Directory domain and click Join Domain. Do not use non-ASCII
  characters when you enter your domain information.
  Domain: Type the fully qualified domain name of the Active Directory. An example is HS.TRDOT.COM.
  Note The Active Directory FQDN must be in the same domain as the View Connection Server.
  Otherwise, your deployment fails.
  Domain User: Type the username of an account in Active Directory that has permissions to join
  systems to that Active Directory domain.
  Domain Password: Type the password associated with the AD Username. This password is not stored
  by VMware Identity Manager.
  To configure View integration in a multi-domain environment, verify that VMware Identity Manager
  and the View servers are joined to the same domain.
What to do next
Add View pods to VMware Identity Manager.

Add View Pods to VMware Identity Manager and Sync Resources
You can add multiple View pods to VMware Identity Manager. You also need to configure client access
URLs for the different pods.
You add View pods in the View Pools page of the VMware Identity Manager administration console. You
can return to the page at any time to modify the View configuration, or to add or remove View pods.
Procedure
1 Log in to the VMware Identity Manager administration console.
2 Click the Catalog tab.
3 Click Manage Resource Types and select View Application.
4 Check the Enable View Pools check box.
5 Click Add View Pod for each View pod you want to add.
6 Provide the configuration information specific to each View pod.
  Connection Server: Enter the fully qualified hostname of the View Connection Server instance, such as
  viewconnectionserver.example.com. The domain name must match exactly the domain name to which
  you joined the View Connection Server instance.
  Username: Enter the administrator username for this View pod.
  Password: Enter the administrator password for this View pod.
  Using Smart Card Authentication with Third-Party Identity Provider: If users use smart card
  authentication to sign in to this View pod instead of passwords, select the check box.
  Suppress Password Popup: This option only applies to Horizon versions that support the Certificate
  SSO feature. When Certificate SSO is configured in View, users do not require a password to log into
  their Windows desktops. However, if users are logged into VMware Identity Manager using a
  non-password authentication method such as SecurID, when they launch their Windows desktops, they
  are prompted for a password. You can select this option to prevent a password dialog box from being
  shown to users in that scenario.
  Sync Local Entitlements: If local entitlements are configured for the pod, select this option.
7 From the Deployment Type drop-down list, select how View resources are made available to users in
  the user portal.
  - User-Activated - VMware Identity Manager adds View resources to the Catalog page in the user
    portal. To use a resource, users must move the resource from the Catalog page to the Launcher
    page.
  - Automatic - VMware Identity Manager adds the resources directly to the Launcher page in the
    user portal for users' immediate use.
  The deployment type that you select here is a global setting that applies to all user entitlements for all
  the resources in your View integration. You can modify the deployment type for individual users or
  groups per resource, from the resource's Entitlements page.
  Setting the global deployment type to User-Activated is recommended. You can then modify the setting
  for specific users or groups per resource.
  For more information about setting the deployment type, see Setting the Deployment Type for View
  Entitlements, on page 39.
8 Select Do not sync duplicate applications to prevent duplicate applications from being synced from
  multiple servers.
  When VMware Identity Manager is deployed in multiple data centers, the same resources are set up in
  the multiple data centers. Checking this option prevents duplication of the desktop or application pools
  in your VMware Identity Manager catalog.
9 Select how often you want this information to sync from the View Connection Server.
10 Click Save.
11 Click Sync Now.
  Each time you change information in View, such as add an entitlement or add a user, a sync is required
  to propagate the changes to VMware Identity Manager.
  Note Each time you click Save to save settings on this page, you must also click Sync Now; otherwise,
  existing resources do not launch.
12 Configure the Client Access URLs for the View pods.
  a Click the Identity & Access Management tab, then click Setup.
  b Click Network Ranges.
  c Select a network range.
  d In the Edit Network Range page, in the View Pod section, enter the View Pod client access URL
    host name and port number for that network range.
  e In the IP Ranges section, specify the IP ranges to which you want to apply the settings.
  f Click Save.
  See also Enabling Multiple Client Access URLs for Custom Network Ranges, on page 37.


Configure SAML Authentication
To launch a View, Horizon 6, or Horizon 7 application or desktop from the VMware Identity Manager
service and have single sign-on from VMware Identity Manager to the application or desktop, you must
configure SAML authentication in all the View Connection Server instances in your View deployment.
Do not perform this task if your organization uses smart card authentication to access View resources
through a third-party identity provider.
Procedure
1 Log in to the View Administrator Web interface as a user with the Administrator role assigned.
2 Configure SAML authentication for each View Connection Server instance in your View deployment.
  You must use your VMware Identity Manager service's fully-qualified domain name on the
  Authenticator configuration page.
  Important View and VMware Identity Manager must be in time sync. If View and
  VMware Identity Manager are not in time sync, when you try to launch a View application or desktop,
  an invalid SAML message error occurs.
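The time-sync requirement above follows from the validity window that every SAML assertion carries. The following added Python example (not part of this document and not VMware product code) parses a constructed sample assertion, applies its NotBefore and NotOnOrAfter conditions the way a relying party such as a View Connection Server does, and shows how a clock that is only a few minutes off on either side turns a valid assertion into an invalid SAML message. It also reads the validUntil attribute of a constructed service provider metadata document, which is the value the metadata expiration period recommendation affects. The assertion contents, the entity IDs, the clock offsets and the tolerance parameter are all constructed for this example; the tolerance is not a documented View or VMware Identity Manager setting.

```python
"""Added example: why View and VMware Identity Manager must agree on the time.

A SAML assertion is only accepted inside its Conditions window, so a relying
party whose clock is off by more than that window rejects an assertion that
was perfectly valid when the identity provider issued it.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from typing import Tuple

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
}

# Constructed sample assertion (not captured from a deployment); issuer and
# audience are placeholder entity IDs.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-assertion-id" Version="2.0" IssueInstant="2016-06-01T12:00:00Z">
  <saml:Issuer>https://vidm.example.com/idp</saml:Issuer>
  <saml:Subject><saml:NameID>user@hs.example.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2016-06-01T11:59:30Z" NotOnOrAfter="2016-06-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://viewconnectionserver.example.com/sp</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

# Constructed sample SP metadata whose validUntil lies two weeks out.
SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://viewconnectionserver.example.com/sp" validUntil="2016-06-15T00:00:00Z">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</md:EntityDescriptor>"""


def parse_saml_time(value: str) -> datetime:
    """Parse an xsd:dateTime as SAML uses it (UTC, 'Z' suffix) into an aware datetime."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    return datetime.fromisoformat(value)


def check_conditions(assertion_xml: str, now: datetime,
                     tolerance: timedelta = timedelta(0)) -> Tuple[bool, str]:
    """Apply the assertion's Conditions window against the relying party's clock.

    `tolerance` is the clock skew this example chooses to allow; it is an
    assumption of the example, not a View or VMware Identity Manager setting.
    """
    root = ET.fromstring(assertion_xml)
    conditions = root.find("saml:Conditions", NS)
    if conditions is None:
        return False, "assertion has no Conditions element"
    not_before = parse_saml_time(conditions.get("NotBefore"))
    not_on_or_after = parse_saml_time(conditions.get("NotOnOrAfter"))
    if now + tolerance < not_before:
        return False, "assertion not yet valid: NotBefore=%s" % conditions.get("NotBefore")
    if now - tolerance >= not_on_or_after:
        return False, "assertion expired: NotOnOrAfter=%s" % conditions.get("NotOnOrAfter")
    return True, "ok"


def metadata_days_remaining(metadata_xml: str, now: datetime) -> float:
    """Days until the SP metadata's validUntil; negative once it has expired."""
    root = ET.fromstring(metadata_xml)
    return (parse_saml_time(root.get("validUntil")) - now) / timedelta(days=1)


# The identity provider's clock at the moment the sample assertion is checked (constructed).
IDP_NOW = datetime(2016, 6, 1, 12, 0, 5, tzinfo=timezone.utc)


def simulate_launch(sp_clock_offset_seconds: int, tolerance_seconds: int = 0) -> bool:
    """Evaluate the sample assertion on a Connection Server whose clock runs
    `sp_clock_offset_seconds` ahead (positive) or behind (negative) the IdP."""
    sp_now = IDP_NOW + timedelta(seconds=sp_clock_offset_seconds)
    return check_conditions(SAMPLE_ASSERTION, sp_now, timedelta(seconds=tolerance_seconds))[0]


def sample_metadata_days_remaining() -> int:
    """Whole days the constructed SP metadata remains valid as of IDP_NOW."""
    return int(metadata_days_remaining(SAMPLE_SP_METADATA, IDP_NOW))


if __name__ == "__main__":
    for offset in (0, 600, -120):
        ok, why = check_conditions(SAMPLE_ASSERTION, IDP_NOW + timedelta(seconds=offset))
        print("SP clock offset %+5ds: %s (%s)" % (offset, "launch ok" if ok else "invalid SAML", why))
    print("SP metadata valid for %d more days" % sample_metadata_days_remaining())
```

With the Connection Server's clock in step with the identity provider the assertion passes; ten minutes ahead it is already expired, and two minutes behind it is not yet valid, which is the symptom the note above describes. Running the same check against a metadata document's validUntil is a cheap way to alert before the service provider metadata lapses, which is why a 90-day expiration period is recommended earlier in this chapter.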

What to do next
You must establish and maintain SSL Trust between VMware Identity Manager and the View Connection
Server.

Establish or Update SSL Trust between VMware Identity Manager and the View
Connection Server
Initially, you must accept an SSL certificate on the View Connection Server to establish trust between
VMware Identity Manager and the View Connection Server. If you change an SSL certificate on the View
Connection Server after the integration, you must return to VMware Identity Manager and reestablish that
trust.
Prerequisites
- Verify that View has an SSL certificate installed. By default, View has a self-signed certificate.
- In View, change the certificate of the View Connection Server to a root-signed certificate. See the
  VMware View documentation for information about configuring a View Connection Server instance or
  Security Server to use a new certificate.
- Configure SAML authentication on the View Connection Server. You must always use the
  VMware Identity Manager FQDN on the authenticator configuration page.
  Note If you use a third-party identity provider to access View desktops from
  VMware Identity Manager, SAML authentication on the View Connection Server must be set to allowed.
Procedure
1 In the VMware Identity Manager administration console, click the Catalog tab.
2 Click Manage Resource Types and select View Application.
3 Click the Update SSL Cert link next to the Replicated Server Group.
4 Click Accept on the Certificate Information page.
If the VMware Identity Manager certificate changes after the initial configuration, you must accept the
SAML Authenticator from View again. If the View certificate changes, you must accept the SSL certificate in
VMware Identity Manager.


Integrating View Cloud Pod Architecture (CPA) Deployments
In addition to integrating independent View pods with VMware Identity Manager, you can integrate View
Cloud Pod Architecture (CPA) deployments.
Figure 3-2. Integrating View Pod Federations with the VMware Identity Manager Service
[Diagram: Site A and Site B. An Independent Pod (Pod 1) and a CPA Federation (Pod 2 and Pod 3), each pod
containing two View Connection Servers (VCS 1 through VCS 6) linked by LDAP replication; Global LDAP
replication links the pods of the federation; the VMware Identity Manager Connector on premises connects
to the pods.]
The View Cloud Pod Architecture feature links together multiple View pods to form a single large desktop
and application brokering and management environment called a pod federation. A pod federation can
span multiple sites and data centers.
You can integrate one or more pod federations with the VMware Identity Manager service. Note that pod
federations are created and managed in View, and that user and group entitlements to the pod federation's
desktops and application pools are set in View. You sync the resources and entitlements to
VMware Identity Manager.
Pod federations have global entitlements, which enable you to entitle users to desktops and applications
which can be accessed from any pod in the pod federation. A global entitlement can consist of resources
from multiple pods in the federation. For example, a global desktop entitlement might contain desktop
pools from three different pods in three different data centers. Individual pods in the pod federation can
also have local entitlements configured. You can sync both global and local entitlements to
VMware Identity Manager.
Integrating a View pod federation with the VMware Identity Manager service involves the following
high-level tasks in the VMware Identity Manager administration console:
- Add all the pods that form the pod federation, specifying View Connection Server details for each.
  While VMware Identity Manager can sync global entitlements from any one of the pods in the pod
  federation, it needs to connect to each pod to sync metadata required for SAML authentication. It also
  needs to connect to the pods to sync local entitlements, if applicable.
- Add the pod federation details and specify the global launch URL. The global launch URL, typically the
  global load balancer URL, is used to launch globally-entitled desktops and applications.
  You can customize the global launch URL for specific network ranges, for example for internal and
  external access.


- Sync resources and entitlements from the pod federation to the VMware Identity Manager service.
  Note Only global entitlements that have the All Sites scope policy in a pod federation are synced. The
  All Sites scope policy sets the scope of the search for an application or desktop to all the pods across the
  pod federation.
- Customize the global launch URL by setting client access URLs for specific network ranges. These URLs
  are used to launch globally-entitled resources from the pod federation. By default, the global launch
  URL you specify while adding the federation is used as the global launch URL for all network ranges.
- Specify client access URLs for each pod in the pod federation that has local entitlements configured.
  These URLs are used to launch locally-entitled desktops and applications from the pod. A client access
  URL can be a View Connection Server URL, a Security Server URL, or a load balancer URL. Client
  access URLs are set for specific network ranges. By default, the View Connection Server you specify
  while adding the pod is used as the client access URL for all network ranges.
When you integrate a pod federation with the VMware Identity Manager service, the service does the
following:
- Syncs all global entitlements that have the All Sites scope policy from the pod federation.
- Syncs local entitlements, if selected, from the pods that are part of the pod federation.
- Syncs metadata from all the View Connection Servers in the pod federation.
- Allows end users to access their View applications and desktops from the My Apps portal.
End users can access their View applications and desktops from the My Apps portal. All the resources to
which they are entitled, whether through global entitlements or local entitlements, are displayed.
Applications and desktops are launched in the Horizon Client. When a user launches a locally-entitled
application or desktop, it is launched from the View Connection Server to which the user connects.
Globally-entitled resources are launched from the View Connection Server in which the resource is located.

Sample Cloud Pod Architecture Deployment
The following diagram shows a sample cloud pod architecture deployment and how it is integrated with the
VMware Identity Manager service.
Figure 3-3. Cloud Pod Architecture Deployment Example
[Diagram: Federation 1 (F1) with Pod 1 (P1), Pod 2 (P2), and Pod 3 (P3). Pod 1 and Pod 2 each have Security
Servers and Connection Servers behind an external load balancer (URL E1, URL E2) and an internal load
balancer (URL I1, URL I2); Pod 3 has Connection Servers behind an internal load balancer only (URL I3).
The federation as a whole has an external global load balancer (URL EG) and an internal global load
balancer (URL IG). The Connector on Premises performs Sync 1, Sync 2 and Sync 3 (Local) against the pods
and Sync 4 (Sync API) to the VMware Identity Manager Service.]
This diagram depicts a sample pod federation deployment. A pod federation, named Federation 1, is created
in Horizon 6. It has three pods, Pod 1, Pod 2, and Pod 3. Pod 1 and Pod 2 are configured with Security Server
instances for each View Connection Server and an external load balancer for external access, and with an
internal load balancer for internal access. Pod 3 is configured for only internal access with an internal load
balancer. The pod federation as a whole has an external global load balancer and an internal global load
balancer.
Desktop and application pools are deployed on the pods. Global entitlements are configured for Federation
1 and local entitlements are also configured for the individual pods.
Federation 1 is integrated with the VMware Identity Manager service. The VMware Identity Manager
service syncs global entitlements as well as local entitlements from Federation 1. Because global entitlements
are replicated in each pod, it syncs global entitlements from Pod 1. It also syncs local entitlements from Pod
1, Pod 2, and Pod 3.
End users can view all the desktops and applications to which they are entitled, whether through global
entitlements or local entitlements, in the VMware Identity Manager My Apps portal. When a user launches
a desktop or application, if it is part of a global entitlement, the launch request goes to the external or
internal global load balancer, URL EG or URL IG, based on the network range of the user. If the resource is
from a local entitlement, the launch request goes to the internal or external load balancer of the pod on
which the resource is deployed, based on the network range of the user. For example, for a resource on Pod
2, the request goes to URL I2 or URL E2.
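The launch routing just described, written out as an added Python model (not part of this document and not VMware Identity Manager product code): the client IP is matched against the configured network ranges, a globally-entitled resource is sent to the federation launch URL set for that range, and a locally-entitled resource is sent to the client access URL its pod has for that range. When a range has no override, the model falls back to the launch URL given when the federation was added, or to the Connection Server given when the pod was added, which is the default behaviour the pod federation overview states. The first-match ordering of ranges, the data structures, and all hostnames and IP ranges are assumptions constructed for this example, named after URL EG/IG, E1/I1, E2/I2 and I3 of Federation 1.

```python
"""Added example: choosing the launch URL for a View resource from a pod
federation from the user's network range and the entitlement type."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional

ALL_RANGES = "ALL RANGES"   # the catch-all range every client falls into


@dataclass
class NetworkRange:
    name: str
    cidrs: List[str]


@dataclass
class Pod:
    name: str
    connection_server: str                      # default client access URL for all ranges
    client_access_urls: Dict[str, str] = field(default_factory=dict)  # range name -> URL


@dataclass
class Federation:
    name: str
    launch_url: str                             # default global launch URL for all ranges
    pods: Dict[str, Pod]
    launch_urls: Dict[str, str] = field(default_factory=dict)         # range name -> URL


@dataclass
class Entitlement:
    resource: str
    scope: str                                  # "global" (federation) or "local" (one pod)
    pod: Optional[str] = None                   # pod name, required for local entitlements


def match_range(client_ip: str, ranges: List[NetworkRange]) -> str:
    """Name of the first configured range whose CIDRs contain the client IP.
    First-match ordering is an assumption of this example."""
    ip = ipaddress.ip_address(client_ip)
    for r in ranges:
        if any(ip in ipaddress.ip_network(c, strict=False) for c in r.cidrs):
            return r.name
    return ALL_RANGES


def launch_url(client_ip: str, ent: Entitlement, fed: Federation,
               ranges: List[NetworkRange]) -> str:
    range_name = match_range(client_ip, ranges)
    if ent.scope == "global":
        # Global entitlement: the federation launch URL customised for this
        # range, else the launch URL given when the federation was added.
        return fed.launch_urls.get(range_name, fed.launch_url)
    if ent.scope != "local" or ent.pod not in fed.pods:
        raise ValueError("local entitlement %r must name a pod in the federation" % ent.resource)
    pod = fed.pods[ent.pod]
    # Local entitlement: the pod's client access URL for this range, else the
    # Connection Server given when the pod was added.
    return pod.client_access_urls.get(range_name, pod.connection_server)


# Constructed sample mirroring Federation 1 with Pod 1 to Pod 3 (placeholder hostnames).
INTERNAL = "INTERNAL"
SAMPLE_RANGES = [NetworkRange(INTERNAL, ["10.0.0.0/8", "192.168.0.0/16"])]
SAMPLE_FEDERATION = Federation(
    name="Federation 1",
    launch_url="https://urleg.example.com",                 # URL EG, external global LB
    launch_urls={INTERNAL: "https://urlig.example.com"},    # URL IG, internal global LB
    pods={
        "Pod 1": Pod("Pod 1", "https://pod1-cs1.example.com",
                     {ALL_RANGES: "https://urle1.example.com", INTERNAL: "https://urli1.example.com"}),
        "Pod 2": Pod("Pod 2", "https://pod2-cs1.example.com",
                     {ALL_RANGES: "https://urle2.example.com", INTERNAL: "https://urli2.example.com"}),
        # Pod 3 is internal only: no client access URL is set for external ranges.
        "Pod 3": Pod("Pod 3", "https://pod3-cs1.example.com",
                     {INTERNAL: "https://urli3.example.com"}),
    },
)


def sample_launch(client_ip: str, scope: str, pod: Optional[str] = None) -> str:
    """Resolve a launch URL inside the constructed Federation 1 sample."""
    return launch_url(client_ip, Entitlement("demo", scope, pod), SAMPLE_FEDERATION, SAMPLE_RANGES)


if __name__ == "__main__":
    for ip, scope, pod in [("10.1.2.3", "global", None), ("203.0.113.7", "global", None),
                           ("10.1.2.3", "local", "Pod 2"), ("203.0.113.7", "local", "Pod 2"),
                           ("203.0.113.7", "local", "Pod 3")]:
        print(ip, scope, pod or "", "->", sample_launch(ip, scope, pod))
```

The last case is the one to watch in a real deployment: a locally-entitled Pod 3 resource launched from an external address falls back to the Connection Server hostname because Pod 3 has no client access URL for that range, and in this sample that host is reachable only internally. Setting a client access URL per network range for every pod that carries local entitlements is what keeps such launches on a reachable, intended entry point.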


Requirements for Integrating View Pod Federations
Integrating View pod federations with VMware Identity Manager has the following requirements.
- VMware Identity Manager supports the Cloud Pod Architecture feature in Horizon 6.2 and later, for
  both applications and desktops.
- You can integrate a maximum of 10 pod federations with the VMware Identity Manager service. Each
  federation can contain up to 7 pods.
- Deploy View Connection Server instances on the default port 443 or on a custom port.
- Verify that you have a DNS entry and an IP address that can be resolved during reverse lookup for each
  View Connection Server instance in your View environment. VMware Identity Manager requires
  reverse lookup for View Connection Server, View Security Server, and load balancer instances. If
  reverse lookup is not properly configured, the VMware Identity Manager integration with View fails.
- The VMware Identity Manager connector, a component of the service, must be able to reach all the
  View Connection Server instances in the pod federation.
- All the View Connection Server instances in the pod federation must have SAML authentication
  configured, with the VMware Identity Manager service specified as the identity provider. You must use
  the service's fully-qualified domain name as part of the URL.
  See Configure SAML Authentication, on page 26 for more information.
  Extending the SAML metadata expiration period to 90 days on the View Connection Server instances is
  recommended. See Change the Expiration Period for Service Provider Metadata on View Connection
  Server for information.
- View Connection Server certificates will be synced to VMware Identity Manager.
- Deploy application and desktop pools in the View pods.
  - While configuring desktop pools, ensure that in Remote Settings, you set the Automatically log off
    after disconnect option to 1 or 2 minutes instead of immediately.
  - Ensure that you create View pools in the root folder of View. If you create View pools in a folder
    other than the root folder, VMware Identity Manager cannot query those View pools and
    entitlements.
  If you add or remove application or desktop pools after integrating with VMware Identity Manager, for
  the changes to appear in the VMware Identity Manager service, you must sync again.
- You must create the pod federation in your View environment, by initializing the Cloud Pod
  Architecture feature from one of the pods and joining all the other pods to the federation, before
  integrating with the VMware Identity Manager service. Global entitlements are replicated to pods when
  they join the federation.
  If you join or remove a pod from the pod federation after you integrate with the
  VMware Identity Manager service, you must edit the pod federation details in the
  VMware Identity Manager administration console to add or remove the pod, save your changes, and
  sync again.
- In your View environment, create global entitlements in the pod federation to entitle Active Directory
  users or groups to desktops and applications.
  The global entitlements that you want to sync to VMware Identity Manager must have the All sites
  scope policy set. Entitlements with any other scope policy are not synced.
  To enable end users to launch desktops or applications in a Web browser, select the HTML Access
  option for the global entitlement in View.
- (Optional) Create local entitlements on the pods, if required.
For more information about configuring View, see the Horizon 6 or Horizon 7 documentation.
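Both the Set up View requirements for independent pods and the pod federation requirements above make reverse lookup a hard prerequisite and require the Connection Server FQDN to lie in the Active Directory domain that VMware Identity Manager joined. The following added Python pre-flight check (not part of this document and not a VMware tool) walks a list of Connection Server, Security Server and load balancer names and verifies, for each, that the name resolves, that the address resolves back, that the PTR name matches the configured FQDN, and that the name sits in the joined domain. The resolver functions are injectable so that the check runs here against a constructed DNS table; without arguments it uses the system resolver. The hostnames, addresses and the stale PTR record in the sample are constructed.

```python
"""Added example: pre-flight DNS check for the View hosts that VMware Identity
Manager contacts, covering the forward and reverse lookup requirement."""
import socket
from typing import Callable, Dict, List

Forward = Callable[[str], str]   # fqdn -> address
Reverse = Callable[[str], str]   # address -> PTR name


def system_forward(fqdn: str) -> str:
    return socket.gethostbyname(fqdn)


def system_reverse(address: str) -> str:
    return socket.gethostbyaddr(address)[0]


def check_host(fqdn: str, ad_domain: str,
               forward: Forward = system_forward,
               reverse: Reverse = system_reverse) -> List[str]:
    """Return the problems found for one host; an empty list means it passes."""
    problems = []
    name = fqdn.lower().rstrip(".")
    if not name.endswith("." + ad_domain.lower().rstrip(".")):
        problems.append("%s: not in the joined Active Directory domain %s" % (fqdn, ad_domain))
    try:
        address = forward(fqdn)
    except (OSError, KeyError) as exc:          # socket.gaierror is an OSError
        return problems + ["%s: forward lookup failed (%s)" % (fqdn, exc)]
    try:
        ptr = reverse(address)
    except (OSError, KeyError) as exc:          # socket.herror is an OSError
        return problems + ["%s -> %s: reverse lookup failed (%s)" % (fqdn, address, exc)]
    if ptr.lower().rstrip(".") != name:
        problems.append("%s -> %s -> %s: reverse lookup does not return the configured FQDN"
                        % (fqdn, address, ptr))
    return problems


def check_view_hosts(hosts: List[str], ad_domain: str,
                     forward: Forward = system_forward,
                     reverse: Reverse = system_reverse) -> Dict[str, List[str]]:
    """Check every host and return only the ones that have problems."""
    report = {}
    for host in hosts:
        problems = check_host(host, ad_domain, forward, reverse)
        if problems:
            report[host] = problems
    return report


# Constructed DNS table standing in for the environment's resolver.
SAMPLE_FORWARD = {
    "viewcs1.hs.example.com": "10.0.1.10",
    "viewcs2.hs.example.com": "10.0.1.11",
    "viewsec1.hs.example.com": "10.0.2.10",
    "viewlb.hs.example.com": "10.0.3.10",
    "viewcs3.other.example.com": "10.0.1.12",
}
SAMPLE_REVERSE = {
    "10.0.1.10": "viewcs1.hs.example.com",
    "10.0.1.11": "VIEWCS2.hs.example.com",     # differs only in case: acceptable
    "10.0.2.10": "oldname.hs.example.com",     # stale PTR: the integration would fail
    "10.0.1.12": "viewcs3.other.example.com",  # correct PTR, but outside the joined domain
    # 10.0.3.10 has no PTR record at all
}


def run_sample() -> Dict[str, List[str]]:
    """Run the check against the constructed table for the domain hs.example.com."""
    return check_view_hosts(list(SAMPLE_FORWARD), "hs.example.com",
                            forward=SAMPLE_FORWARD.__getitem__,
                            reverse=SAMPLE_REVERSE.__getitem__)


if __name__ == "__main__":
    for host, problems in run_sample().items():
        for problem in problems:
            print("FAIL", problem)
```

Run against real DNS, `check_view_hosts(["viewcs1.hs.example.com", "viewlb.hs.example.com"], "hs.example.com")` uses the connector host's own resolver, which is the view of DNS that matters, so run it from the machine on which the connector is installed. Include the Security Server and load balancer names in the list, since the requirement applies to those as well as to the Connection Servers.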

Set up Your VMware Identity Manager Environment
After setting up your View environment, you must set up your VMware Identity Manager environment
before integrating pod federations with the service.
Prerequisites
- You have a username and password with the rights to join the Active Directory domain that is used
  with View. For more information about the rights required to join a domain, see "Integrating with
  Active Directory" in Installing and Configuring VMware Identity Manager.
Procedure
1 Verify that the attribute userPrincipalName in the VMware Identity Manager User Attributes page is
  marked required.
  a In the administration console, click the Identity & Access Management tab.
  b Click Setup and select the User Attributes tab.
  c If the Required checkbox for the userPrincipalName attribute is not selected, select it.
  Important You must do this before you create the VMware Identity Manager directory. User
  attributes cannot be changed to required after the directory is created.
2 Sync the users and groups that have global or local entitlements in your View environment from Active
  Directory to the VMware Identity Manager service through directory sync.
  a To view current users and groups, click the Users & Groups tab.
  b Select the Identity & Access Management > Directories tab.
  c Select the appropriate directory.
  d Modify the directory settings if needed, and click Sync Now.
3 If applicable, establish a connection to multi-domains or trusted multi-forest domains in Active
  Directory. See Installing and Configuring VMware Identity Manager for information.
4 Join the VMware Identity Manager directory to the same Active Directory domain as View.
  a Click the Identity & Access Management tab.
  b Click Setup and select the Connectors tab.
  c Click Join Domain next to the appropriate directory.
  d Type the information for the Active Directory domain and click Join Domain. Do not use non-ASCII
    characters when you enter your domain information.
    Domain: Type the fully qualified domain name of the Active Directory. For example, hs.example.com.
    Note The Active Directory FQDN must be in the same domain as the View Connection Server
    instances. Otherwise, your deployment fails.
    Domain User: Type the username of an account in Active Directory that has permissions to join
    systems to that Active Directory domain.
    Domain Password: Type the password associated with the AD Username. This password is not
    stored by VMware Identity Manager.
5 Verify that VMware Identity Manager and the View servers are joined to the same domain.

Add a Cloud Pod Federation and Sync Resources


To add a pod federation, you first add all the pods that belong to the pod federation, then add the pod
federation details, specify a global launch URL for global entitlements, sync entitlements, and set client
access URLs for specific network ranges.
Prerequisites
n

Set up your View environment following the requirements described in Requirements for Integrating
View Pod Federations, on page 30.

Set up your VMware Identity Manager instance according to the requirements described in Set up
Your VMware Identity Manager Environment, on page 31.

Procedure

32

In the administration console, click the Catalog tab.

Click Manage Desktop Applications and select View Application.

In the Pods and Sync tab, select the Enable View Pools checkbox, if it is not already checked.

VMware, Inc.

Chapter 3 Providing Access to View, Horizon 6, or Horizon 7 Desktop and Application Pools

Add all the View pods that are part of the cloud pod federation, one at a time.
a

Provide the View pod details.


Option

Description

Connection Server

Enter the fully qualified domain name (FQDN) of the View Connection
Server instance, for example, pod5server.example.com. The domain
name must match the domain name to which you joined the View
Connection Server instance.

Username

The administrator user name for the pod.

Password

The administrator password for the pod.

Using Smart Card Authentication


with Third-Party Identity Provider

If users use smart card authentication to sign in to this View pod


instead of passwords, select the checkbox.

Suppress Password Popup

This option only applies to Horizon versions that support the


Certificate SSO feature.
When Certificate SSO is configured in View, users do not require a
password to log into their Windows desktops. However, if users are
logged into VMware Identity Manager using a non-password
authentication method such as SecurID, when they launch their
Windows desktops, they are prompted for a password. You can select
this option to prevent a password dialog box from being shown to
users in that scenario.

Sync Local Entitlements

If local entitlements are configured for the pod, select this checkbox.

For example:

Click Add View Pod and add the next pod.

Repeat these steps until you have added all the pods in the cloud pod federation.

Click Save.
Replicated servers in each pod are displayed.

VMware, Inc.

Click the Federation tab and select the Enable CPA Federations checkbox.

33

Setting Up Resources in VMware Identity Manager

In the Federation Name field, type the name of the cloud pod federation.

In the Launch URL field, type the global launch URL to be used to launch globally-entitled desktops or
applications. For example, federationA.example.com.
The launch URL is typically the global load balancer URL of the cloud pod federation. You can
customize the launch URL for specific network ranges later in the configuration process.

Select a pod that belongs to the cloud pod federation.


All the pods that you added in the Pods and Sync tab are listed in the drop-down list.

10 Click Add Pod and select all the pods that are part of the cloud pod federation, one at a time.

11 Click Save.

12 Click the Pods and Sync tab, scroll to the bottom of the page, and set the deployment and sync options for your configuration.

Deployment type

Select how View resources are made available to users in the user portal.
- User-Activated: VMware Identity Manager adds View resources to the Catalog page in the user portal. To use a resource, users must move the resource from the Catalog page to the Launcher page.
- Automatic: VMware Identity Manager adds the resources directly to the Launcher page in the user portal for users' immediate use.
The deployment type that you select here is a global setting that applies to all user entitlements for all the resources in your View integration. You can modify the deployment type for individual users or groups per resource, from the resource's Entitlements page.
Setting the global deployment type to User-Activated is recommended. You can then modify the setting for specific users or groups per resource. For more information about setting the deployment type, see Setting the Deployment Type for View Entitlements, on page 39.

Do not sync duplicate applications

Select this option to prevent duplicate applications from being synced from multiple servers. When VMware Identity Manager is deployed in multiple data centers, the same resources are set up in each data center. Selecting this option prevents duplication of the desktop or application pools in your VMware Identity Manager catalog.

Choose View pool sync frequency

Select how often you want View resources and entitlements to sync. You can set up a regular sync schedule or choose to sync manually. If you choose Manually, you must return to this page and click Sync Now whenever there is a change in your View resources or entitlements.

13 Click Save.

14 Click Sync Now.


Each time you change information in View, such as adding an entitlement or adding a user, a sync is required to propagate the changes to VMware Identity Manager.
Note Each time you click Save on this page, you must click Sync Now afterwards. Otherwise, existing resources will not launch.

15 At the top-right of the page, click Admin Console.

16 Click the Identity & Access Management tab and click Setup on the right of the page.

17 Click the Network Ranges tab.

18 Customize launch URLs for specific network ranges. For example, different launch URLs are typically set for internal and external access.

a Select a network range. You can select an existing network range or create a new one. You can also edit the default ALL RANGES network range.
The Edit Network Range page is displayed. The View CPA federation section lists the global launch URL of the pod federation you added in the Federation tab. If you added multiple pod federations, all are listed. The View Pod section lists all the View pods from the Pods and Sync tab that have the Sync Local Entitlements option selected.

b In the View CPA federation section, for the global launch URL, specify the fully-qualified domain name of the server to which to direct launch requests for global entitlements that come from this network range. This is typically the global load balancer URL of the View pod federation deployment.
For example: lb.example.com
The global launch URL is used to launch globally-entitled resources.

c In the View Pod section, for each of the View pod instances, specify the fully-qualified domain name of the server to which to direct launch requests for local entitlements that come from this network range. You can specify a View Connection Server instance, a load balancer, or a security server. For example, if you are editing a range that provides internal access, you would specify the internal load balancer for the pod.
For example: lb.example.com
The client access URL is used to launch locally-entitled resources from the pod.

See also Enabling Multiple Client Access URLs for Custom Network Ranges, on page 37.

Configure SAML Authentication

To launch a View, Horizon 6, or Horizon 7 application or desktop from the VMware Identity Manager service and have single sign-on from VMware Identity Manager to the application or desktop, you must configure SAML authentication in all the View Connection Server instances in your View deployment.
Do not perform this task if your organization uses smart card authentication to access View resources through a third-party identity provider.
Procedure
1 Log in to the View Administrator Web interface as a user with the Administrator role assigned.

2 Configure SAML authentication for each View Connection Server instance in your View deployment.
You must use your VMware Identity Manager service's fully-qualified domain name on the Authenticator configuration page.
Important View and VMware Identity Manager must be in time sync. If the clocks of View and VMware Identity Manager differ, launching a View application or desktop fails with an invalid SAML message error, because the Connection Server evaluates the validity timestamps in the SAML assertion against its own clock.

What to do next
You must establish and maintain SSL trust between VMware Identity Manager and the View Connection Server.

Establish or Update SSL Trust between VMware Identity Manager and the View Connection Server
Initially, you must accept an SSL certificate on the View Connection Server to establish trust between VMware Identity Manager and the View Connection Server. If you change an SSL certificate on the View Connection Server after the integration, you must return to VMware Identity Manager and reestablish that trust.
Prerequisites
- Verify that View has an SSL certificate installed. By default, View has a self-signed certificate.
- In View, change the certificate of the View Connection Server to a root-signed certificate. See the VMware View documentation for information about configuring a View Connection Server instance or Security Server to use a new certificate.
- Configure SAML authentication on the View Connection Server. You must always use the VMware Identity Manager FQDN on the authenticator configuration page.
Note If you use a third-party identity provider to access View desktops from VMware Identity Manager, SAML authentication on the View Connection Server must be set to Allowed.

Procedure
1 In the VMware Identity Manager administration console, click the Catalog tab.

2 Click Manage Resource Types and select View Application.

3 Click the Update SSL Cert link next to the Replicated Server Group.

4 Compare the certificate details shown on the Certificate Information page with the certificate installed on the View Connection Server, then click Accept.
Accepting here pins the presented certificate as trusted, so verify it against the server rather than accepting whatever is shown.

If the VMware Identity Manager certificate changes after the initial configuration, you must accept the SAML Authenticator from View again. If the View certificate changes, you must accept the SSL certificate in VMware Identity Manager again.

Enabling Multiple Client Access URLs for Custom Network Ranges

If your company uses multiple client access URLs for different network ranges, you must edit the default network range, and any custom ranges you have defined, so that the end user connects to the correct client access URL and port number. If these settings are not updated, the Horizon Client will not launch.
Procedure
1 Log in to the VMware Identity Manager administration console.

2 Click the Identity & Access Management tab.

3 Click Setup on the right, then click Network Ranges.

4 Click the network range to modify.
The Edit Network Range page appears. The View CPA federation section appears only if you integrated Cloud Pod Architecture (CPA) deployments, also known as pod federations. This section lists the global launch URL you specified for the pod federation in the Federation tab of the View Pools page. The View Pod section lists all the View pods that have the Sync Local Entitlements option selected.

5 Specify the client access URL and port in the Client Access URL Host and URL Port fields, using your company's configuration.
For example: pod6.mycompany.com

6 Verify that each network range in your environment contains a client access URL.
Important If you miss a network range, the Horizon Client will not launch for end users whose launch requests come from that range.
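The following added example, which is not code from the original page or from VMware, models the launch URL selection described in step 18 of the CPA procedure and in the procedure above: the caller's IP is mapped to a network range, a global entitlement is sent to that range's CPA launch URL, a local entitlement to the pod's client access URL and port, and a range that was never given a URL produces the "Horizon Client will not launch" failure instead of a silent fallback. The range names, pod and federation names, hosts and CIDRs are constructed sample data, and longest-prefix matching for overlapping ranges is an assumption, since the page does not describe how the product orders overlapping ranges.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional


class LaunchUrlError(Exception):
    """Raised when no usable launch URL exists for the caller's network range."""


@dataclass
class NetworkRange:
    name: str
    cidrs: List[str]                                                       # empty list = the default ALL RANGES entry
    federation_launch_urls: Dict[str, str] = field(default_factory=dict)   # federation -> global load balancer FQDN
    pod_client_access_urls: Dict[str, str] = field(default_factory=dict)   # pod -> Client Access URL Host
    pod_client_access_ports: Dict[str, int] = field(default_factory=dict)  # pod -> URL Port (443 when absent)


# Constructed sample configuration (hypothetical names, not from the original page).
RANGES = [
    NetworkRange("Corporate LAN", ["10.0.0.0/8"],
                 {"federationA": "lb-internal.example.com"},
                 {"pod6": "cs-internal.pod6.example.com"}),
    NetworkRange("Branch office", ["10.20.0.0/16"],
                 {"federationA": "lb-internal.example.com"},
                 {"pod6": "cs-branch.pod6.example.com"}),
    NetworkRange("Partner VPN", ["172.16.0.0/12"]),            # client access URLs never filled in
    NetworkRange("ALL RANGES", [],
                 {"federationA": "lb.example.com"},
                 {"pod6": "pod6.example.com"}, {"pod6": 8443}),
]


def match_range(client_ip: str, ranges: List[NetworkRange]) -> NetworkRange:
    """Pick the range for a client IP. Longest prefix wins (an assumption, see lead-in);
    the ALL RANGES entry, the one with no CIDRs, is the fallback."""
    ip = ipaddress.ip_address(client_ip)
    best: Optional[NetworkRange] = None
    best_prefix = -1
    for rng in ranges:
        for cidr in rng.cidrs:
            net = ipaddress.ip_network(cidr, strict=False)
            if ip in net and net.prefixlen > best_prefix:
                best, best_prefix = rng, net.prefixlen
    if best is None:
        best = next((r for r in ranges if not r.cidrs), None)
    if best is None:
        raise LaunchUrlError(f"no network range matches {client_ip} and no ALL RANGES default exists")
    return best


def resolve_launch_url(client_ip: str, entitlement: Dict[str, str], ranges: List[NetworkRange]) -> str:
    """Return the URL the Horizon Client is directed to for this launch.

    entitlement = {"scope": "global", "federation": "<name>"}  -> the range's CPA global launch URL
    entitlement = {"scope": "local", "pod": "<name>"}          -> the range's client access URL for that pod
    """
    rng = match_range(client_ip, ranges)
    if entitlement["scope"] == "global":
        host = rng.federation_launch_urls.get(entitlement["federation"])
        port = 443
        what = f"global launch URL for federation {entitlement['federation']}"
    elif entitlement["scope"] == "local":
        pod = entitlement["pod"]
        host = rng.pod_client_access_urls.get(pod)
        port = rng.pod_client_access_ports.get(pod, 443)
        what = f"client access URL for pod {pod}"
    else:
        raise ValueError(f"unknown entitlement scope {entitlement['scope']!r}")
    if not host:
        # The range exists but was never given a URL: this is the case where the client cannot launch.
        raise LaunchUrlError(f"network range {rng.name!r} has no {what}")
    return f"https://{host}:{port}"


def audit_ranges(ranges: List[NetworkRange], federations: List[str], pods: List[str]) -> List[str]:
    """Step 6 of the procedure done programmatically: every range/URL combination still missing."""
    missing = []
    for rng in ranges:
        for fed in federations:
            if fed not in rng.federation_launch_urls:
                missing.append(f"{rng.name}: federation {fed}")
        for pod in pods:
            if pod not in rng.pod_client_access_urls:
                missing.append(f"{rng.name}: pod {pod}")
    return missing


if __name__ == "__main__":
    print(resolve_launch_url("10.9.9.9", {"scope": "local", "pod": "pod6"}, RANGES))
    print(audit_ranges(RANGES, ["federationA"], ["pod6"]))
```

Run `audit_ranges` against your own export of the ranges before opening the portal to users; the Partner VPN entry in the sample is exactly the kind of range that passes unnoticed until someone on that network tries to launch.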

Viewing the Connection Information for View Desktop and Application Pools
You can view the information about the connection between VMware Identity Manager and a View desktop or application pool.
Procedure
1 Log in to the administration console.

2 Click the Catalog tab.

3 To view desktop pools, click Any Application Type > View Desktop Pools. To view application pools, click Any Application Type > View Hosted Applications.

4 Click the name of the View application or desktop pool.

5 Click Details on the left.

6 View the connection information, which consists of attributes retrieved from the View Connection Server instance.
See the View documentation for details about these attributes.

Viewing User and Group Entitlements to View Desktop and Application Pools
You can see the View pools to which your VMware Identity Manager users and groups are entitled.
Prerequisites
- Synchronize information and the respective entitlements from the View Connection Server instances to VMware Identity Manager. You can force a sync on the View Pools page in the connector services admin interface by clicking Sync Now.

Procedure
1 Log in to the administration console.

2 View user and group entitlements to View desktop and application pools.

List users and groups entitled to a specific View desktop pool.
a Click the Catalog tab.
b Click Any Application Type > View Desktop Pools or View Hosted Applications.
c Click the icon for the View pool for which you want to list entitlements.
The Entitlements tab is selected by default. Group entitlements and user entitlements are listed in separate tables.

List View desktop and application pool entitlements for a specific user or group.
a Click the Users & Groups tab.
b Click the Users tab or the Groups tab.
c Click the name of an individual user or group.
The Entitlements tab is selected by default. View desktop and application pools to which the user or group is entitled are listed.

Setting the Deployment Type for View Entitlements

You can set the deployment type for View resources, which determines how the resources are made available to users. Setting the deployment type to User-Activated adds the resources to the Catalog page in the user portal. To use a resource, users must move the resource from the Catalog page to the Launcher page. Setting the deployment type to Automatic adds the resources directly to the Launcher page in the user portal for users' immediate use.
You can set the deployment type at different levels.
- Global level
The global setting applies to all user entitlements for all the View resources in your deployment. You specify the global deployment type when you first integrate View resources with VMware Identity Manager from the View Pools page. After the initial integration, you can modify the global setting from the same page. Note that if you change the global setting after the initial integration, the new setting only applies to new entitlements that are synced. To modify existing entitlements, change the setting at the individual resource level.
Note Setting the global deployment type to User-Activated is recommended. In typical scenarios, you set the global setting to User-Activated, and then change it to Automatic for specific user and group entitlements.
- User or group entitlement level
You can also set the deployment type at the individual application or desktop level for specific users and groups. This setting overrides the global setting and is not changed during subsequent syncs.

During sync, the deployment type for existing entitlements is not changed. For new entitlements in the sync, the global setting is applied.
Note Once a resource has been activated, that is, once it appears in the Launcher page for a user, it continues to appear in the Launcher page unless the user deletes it. Changing the deployment type does not remove it from the Launcher page.
Procedure
1 To set the deployment type at the global level, follow these steps.
a Click the Catalog tab and select Manage Desktop Applications > View Application.
b Select the Pods and Sync tab.
c In the Deployment Type field, select User-Activated or Automatic.
Note Setting the global deployment type to User-Activated is recommended.
d Click Save.
The setting is applied to all new entitlements beginning with the next sync.

2 To set the deployment type for a specific user or group entitlement, follow these steps.
a Click the Catalog tab.
b Click the application or desktop whose entitlement you want to edit.
c Click Entitlements to display the Entitlements page for the application.
You can view the current deployment settings for user and group entitlements in the DEPLOYMENT column.
d Click Edit next to the entitlement you want to edit.
e In the Edit User Entitlement dialog box, select the deployment type for the entitlement.
f Click Save.
The deployment type set at the user or group entitlement level has precedence over the global deployment type setting, and is not modified during sync.
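The rules above (global default applied only to newly synced entitlements, entitlement-level overrides that survive sync, and a Launcher page that only the user empties) are easy to misread when planning a rollout. The following added example, which is not code from the original page or from VMware, models them as a small state machine and walks through a typical sequence: start with the recommended User-Activated global setting, override one entitlement to Automatic, switch the global setting to Automatic, sync a new entitlement, then flip the override back. The pool and group names are constructed.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Set, Tuple

USER_ACTIVATED = "User-Activated"
AUTOMATIC = "Automatic"

Key = Tuple[str, str]   # (resource, principal) where principal is a user or group name


@dataclass
class Entitlement:
    resource: str
    principal: str
    deployment: str
    overridden: bool = False   # True once an administrator set it on the resource's Entitlements page


class ViewCatalog:
    """Model of the deployment-type rules: global default for new entitlements, per-entitlement
    overrides that survive sync, and a Launcher page that only the user empties."""

    def __init__(self, global_deployment: str = USER_ACTIVATED) -> None:
        self.global_deployment = global_deployment
        self.entitlements: Dict[Key, Entitlement] = {}
        self.launcher: Dict[str, Set[str]] = {}       # principal -> resources shown on the Launcher page

    def set_global_deployment(self, deployment: str) -> None:
        self._check(deployment)
        self.global_deployment = deployment           # takes effect for entitlements added by the next sync

    def set_entitlement_deployment(self, resource: str, principal: str, deployment: str) -> None:
        self._check(deployment)
        ent = self.entitlements[(resource, principal)]
        ent.deployment = deployment
        ent.overridden = True
        self._place(ent)

    def sync(self, synced_entitlements: Iterable[Key]) -> List[Key]:
        """Apply entitlements reported by the Connection Server. Returns the keys that were new."""
        added: List[Key] = []
        for resource, principal in synced_entitlements:
            key = (resource, principal)
            if key in self.entitlements:
                continue                              # existing entitlements keep their deployment type
            ent = Entitlement(resource, principal, self.global_deployment)
            self.entitlements[key] = ent
            added.append(key)
            self._place(ent)
        return added

    def user_activates(self, principal: str, resource: str) -> None:
        """The user moves a User-Activated resource from the Catalog page to the Launcher page."""
        if (resource, principal) not in self.entitlements:
            raise KeyError(f"{principal} is not entitled to {resource}")
        self.launcher.setdefault(principal, set()).add(resource)

    def user_removes(self, principal: str, resource: str) -> None:
        self.launcher.get(principal, set()).discard(resource)

    def deployment_of(self, resource: str, principal: str) -> str:
        return self.entitlements[(resource, principal)].deployment

    def launcher_for(self, principal: str) -> FrozenSet[str]:
        return frozenset(self.launcher.get(principal, set()))

    def _place(self, ent: Entitlement) -> None:
        # Automatic puts the resource on the Launcher page; nothing here ever takes it off again.
        if ent.deployment == AUTOMATIC:
            self.launcher.setdefault(ent.principal, set()).add(ent.resource)

    @staticmethod
    def _check(deployment: str) -> None:
        if deployment not in (USER_ACTIVATED, AUTOMATIC):
            raise ValueError(f"unknown deployment type {deployment!r}")


def walkthrough() -> ViewCatalog:
    """Constructed scenario with hypothetical pool and group names."""
    cat = ViewCatalog(USER_ACTIVATED)                                      # recommended global setting
    cat.sync([("Win10-Pool", "eng-group"), ("Office-App", "eng-group")])
    cat.set_entitlement_deployment("Win10-Pool", "eng-group", AUTOMATIC)  # per-entitlement override
    cat.set_global_deployment(AUTOMATIC)                                   # later change of the global setting
    cat.sync([("Win10-Pool", "eng-group"), ("Office-App", "eng-group"), ("CAD-App", "eng-group")])
    cat.set_entitlement_deployment("Win10-Pool", "eng-group", USER_ACTIVATED)  # flip the override back
    return cat


if __name__ == "__main__":
    c = walkthrough()
    for key, ent in c.entitlements.items():
        print(key, ent.deployment, "overridden" if ent.overridden else "from global")
    print("Launcher for eng-group:", sorted(c.launcher_for("eng-group")))
```

After the walkthrough, Office-App is still User-Activated even though the global setting is now Automatic, CAD-App is Automatic because it arrived under the new global setting, and Win10-Pool remains on the Launcher page after being flipped back to User-Activated. The last point matters when an entitlement was granted by mistake: changing the deployment type does not hide the resource, only removing the entitlement in View and syncing does.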

Viewing Launch Options for View Desktops and Applications

View desktops and applications can be launched from the VMware Identity Manager My Apps portal in the Horizon Client or a Web browser, based on how the desktop or application has been configured in View. If a View desktop or application is only configured for the Horizon Client, users must install the Horizon Client on their systems.
The HTML Access feature of View provides View administrators the option of configuring a View desktop or application for browsers. This configuration is done in View and no configuration is required in VMware Identity Manager. In Horizon 7, the Allow HTML Access to desktop and applications on this farm setting determines whether users in VMware Identity Manager have the option to launch desktops or applications from that farm in a browser.
VMware Identity Manager supports HTML Access for Horizon 6.1.1 and later.
VMware Identity Manager also supports all the display protocols that View supports for the Horizon Client. For Horizon 7, VMware Identity Manager supports the Blast protocol in addition to PCoIP and RDP for Horizon Client 4.0. When VMware Identity Manager users launch a desktop or application in the Horizon Client, it uses the protocol that is set for the farm in View.
Note In View, in addition to setting the default display protocol, administrators can specify whether users are allowed to choose a display protocol. If you want to support versions of Horizon Client that do not support the default protocol, allowing users to choose the display protocol is recommended. Otherwise, the application or desktop cannot be launched from those clients.
For information about configuring the display protocols and launch options, see the Horizon 7, Horizon 6, or View documentation.
In the VMware Identity Manager administration console, you can check the launch options that a View desktop or application supports.
Procedure
1 Log in to the VMware Identity Manager administration console.

2 Click the Catalog tab.

3 To display desktop pools, click Any Application Type > View Desktop Pools. To display applications, click Any Application Type > View Hosted Applications.

4 Click the name of the View application or desktop.

5 Click Details on the left.
The Supported client types field displays the launch options.
The value of the field can be NATIVE or BROWSER, or both. If only NATIVE is listed, the desktop or application can only be launched in the Horizon Client. Users must install the Horizon Client on their systems before starting the application from VMware Identity Manager. If BROWSER is listed, users can start the application or desktop in a browser. If both are specified, users can select how they want to start the application.
Note For Horizon 7 integrations, the Allow HTML Access to desktop and applications on this farm option must be enabled in Horizon 7 for the BROWSER option to appear in the Supported client types list.


Launching a View Desktop or Application

Users can launch a View desktop or application from the VMware Identity Manager user portal.
Based on how an application or desktop has been configured in View, it can be launched in the Horizon Client or in a browser. For applications or desktops that can only be launched in the Horizon Client, you must install the Horizon Client on your system. For applications and desktops that can be launched in either the Horizon Client or a browser, you can select the launch method.
You can also set a default preference by clicking the arrow next to your name on the top-right of the page, selecting Preferences, and making your selection.
Prerequisites
Based on how the application or desktop has been configured in View, you might need to install the Horizon Client.
For supported Horizon Client versions, see the VMware Product Interoperability Matrix at http://www.vmware.com/resources/compatibility/sim/interop_matrix.php.
Procedure
1 Log in to the VMware Identity Manager user portal.

2 Right-click the desktop or application you want to use and check whether it displays a Horizon Client requirement.
Clicking the arrow on the OPEN button displays the launch options. If a launch option is not available, it is disabled.

3 Install the Horizon Client on your system, if it is required and you have not yet installed it.

4 Right-click the desktop or application, click the arrow on the Open button if launch options are not displayed, select either in Horizon Client or in Browser, and click Open.

If you chose the Browser option, the application or desktop is started in a browser. If you are using Horizon 6.1.1 or later, the browser window also displays an HTML Access Tray. The HTML Access Tray displays all the other desktops or applications that are connected to the same View Connection Server as the application you started. Resources from other View Connection Servers in your deployment are not listed. You can use the HTML Access Tray to switch from one desktop or application to another. You can also view which applications are running.

Note If the SAML metadata on the View Connection Server instances has expired, the application or desktop will not launch. To resolve this issue, you must sync the View resources to VMware Identity Manager again. Click Sync Now in the View Pools page in the administration console.
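Two launch failures on this page have the same root cause, a clock or lifetime check on the service-provider side: the invalid SAML message error when View and VMware Identity Manager are not in time sync (Configure SAML Authentication), and the note above about expired SAML metadata. The following added example, which is not code from the original page or from VMware, shows the checks a SAML service provider performs on a constructed assertion and on constructed identity-provider metadata, evaluated against the Connection Server's own clock with a small tolerance. The one-minute skew tolerance, the five-minute assertion window, the entity IDs and the metadata validUntil value are assumptions chosen for the example; the product's actual values are not stated on the page.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
}

# Constructed assertion fragment issued by the identity provider at 12:00:00Z with a
# five-minute validity window. Signature and other elements omitted; not a real product message.
ASSERTION_XML = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example" Version="2.0" IssueInstant="2016-06-01T12:00:00Z">
  <saml:Issuer>https://idm.example.com/SAAS/API/1.0/GET/metadata/idp.xml</saml:Issuer>
  <saml:Conditions NotBefore="2016-06-01T12:00:00Z" NotOnOrAfter="2016-06-01T12:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://view.example.com</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

# Constructed identity-provider metadata as the Connection Server would have cached it after a sync.
METADATA_XML = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idm.example.com" validUntil="2016-06-30T00:00:00Z"/>"""

IDP_NOW = datetime(2016, 6, 1, 12, 0, 0, tzinfo=timezone.utc)   # the identity provider's clock at issue time


def parse_saml_time(value: str) -> datetime:
    """SAML dateTime values are UTC with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_assertion_window(assertion_xml: str, sp_now: datetime,
                           skew: timedelta = timedelta(seconds=60)) -> str:
    """Evaluate Conditions against the service provider's clock, allowing `skew` of tolerance.
    Returns "ok", "not_yet_valid", "expired" or "no_conditions"."""
    root = ET.fromstring(assertion_xml)
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        return "no_conditions"
    not_before = parse_saml_time(cond.get("NotBefore"))
    not_on_or_after = parse_saml_time(cond.get("NotOnOrAfter"))
    if sp_now + skew < not_before:
        return "not_yet_valid"      # the service provider's clock is behind the identity provider's
    if sp_now - skew >= not_on_or_after:
        return "expired"            # the service provider's clock is ahead, or the assertion arrived late
    return "ok"


def check_metadata(metadata_xml: str, sp_now: datetime) -> str:
    """Returns "ok" or "metadata_expired" from the validUntil attribute of cached metadata."""
    root = ET.fromstring(metadata_xml)
    valid_until = root.get("validUntil")
    if valid_until is not None and sp_now >= parse_saml_time(valid_until):
        return "metadata_expired"   # launches fail until the resources are synced again
    return "ok"


def diagnose_launch(assertion_xml: str, metadata_xml: str, sp_now: datetime,
                    skew: timedelta = timedelta(seconds=60)) -> str:
    """Metadata is checked first: with lapsed metadata the signing key is no longer trusted,
    so the assertion's time window is never reached."""
    meta = check_metadata(metadata_xml, sp_now)
    if meta != "ok":
        return meta
    return check_assertion_window(assertion_xml, sp_now, skew)


def clock_skew_scenarios() -> dict:
    """Outcomes for three clock states at launch time, plus a launch after the metadata lapsed."""
    return {
        "in_sync": diagnose_launch(ASSERTION_XML, METADATA_XML, IDP_NOW + timedelta(seconds=30)),
        "sp_ahead": diagnose_launch(ASSERTION_XML, METADATA_XML, IDP_NOW + timedelta(seconds=600)),
        "sp_behind": diagnose_launch(ASSERTION_XML, METADATA_XML, IDP_NOW - timedelta(seconds=600)),
        "after_metadata_lapse": diagnose_launch(ASSERTION_XML, METADATA_XML, IDP_NOW + timedelta(days=30)),
    }


if __name__ == "__main__":
    for label, outcome in clock_skew_scenarios().items():
        print(f"{label}: {outcome}")
```

When troubleshooting, compare the NotBefore and NotOnOrAfter values in the rejected assertion with the Connection Server's clock: a server running ahead rejects as expired, a server running behind rejects as not yet valid, and both point to NTP rather than to the SAML configuration. The same check applies to the Horizon Air tenant in the next chapter, which also requires time sync with VMware Identity Manager.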

Allowing Users to Reset Their View Desktops in VMware Identity Manager
Depending on how you configure View and VMware Identity Manager, users can use the My Apps portal to reset an unresponsive View desktop.
When you configure View to allow users to reset their desktops, the configuration applies to both View and VMware Identity Manager.
Prerequisites
- Configure View to allow users to reset their desktops. See the documentation for View, Horizon 6, or Horizon 7, specifically the View Administration guide.
- To ensure that specific View desktops are resettable by users, the client access URLs for the respective pods must present certificates that VMware Identity Manager trusts. If the URLs have root-signed or self-signed certificates that VMware Identity Manager does not already trust, configure VMware Identity Manager to trust those certificates. See VMware Identity Manager Installation and Configuration for information about applying a root certificate.

Procedure
- (Optional) Verify that VMware Identity Manager lists a given desktop as resettable by users.
a In the administration console, select the Catalog tab.
b In the Any Application Type drop-down menu, select View Desktop Pools.
c Click the name of the desktop.
d Click Details.
e Confirm that the Reset allowed setting is set to true.
If the setting is false, then View is not configured to allow users to reset the desktop.

What to do next
If a View desktop becomes unresponsive in the future, you or users can reset the desktop in the My Apps portal by right-clicking the unresponsive desktop and clicking Reset Desktop.

Reducing Resource Usage and Increasing Performance of VMware Identity Manager Desktop in Non-Persistent View Desktops
To reduce resource usage and increase performance when using the My Apps portal in non-persistent desktops, also known as stateless desktops, you can configure the client with settings optimized for using it in a non-persistent View desktop.
Problem
When a non-persistent View desktop has the VMware Identity Manager Desktop application installed, each session that a user starts consumes more resources than necessary, such as storage I/O.
Cause
Non-persistent View desktops are inherently stateless. Such View desktops are also known as floating desktops, and new sessions can be created when the floating desktops are recomposed or the user is given a new desktop from the pool. Unless the VMware Identity Manager Desktop application used in the non-persistent desktops is configured with settings that are optimized for this scenario, users might experience degraded performance when accessing ThinApp packages.
Typically, you configure the VMware Identity Manager Desktop application for the View desktops using the command-line installer options. See Command-Line Installer Options for VMware Identity Manager Desktop.
Solution
- Install the VMware Identity Manager Desktop application in the template that is used for the non-persistent View desktops using the recommended command-line installer options.

ENABLE_AUTOUPDATE=0 (/v installer option)

Prevents the automatic update of the VMware Identity Manager Desktop application to a newer version. Typically, your View administrator updates the application in the template.

INSTALL_MODE=RUN_FROM_SHARE (/v installer option)

If you plan to have the users use ThinApp packages in these View desktops, use this option to have the ThinApp packages streamed from the server instead of downloaded to the Windows system.

The following is an example of installing the VMware Identity Manager Desktop application with an optimal configuration for non-persistent View desktops where the users are expected to use ThinApp packages. The WORKSPACE_SERVER option specifies the VMware Identity Manager server for this installation.

VMware-Identity-Manager-Desktop-n.n.n-nnnnnnn.exe /v WORKSPACE_SERVER="https://server.company.com" ENABLE_AUTOUPDATE=0 INSTALL_MODE=RUN_FROM_SHARE

4 Providing Access to Horizon Air - Cloud Hosted Desktops and Apps

The VMware Horizon Air - Cloud Hosted service can be integrated with the VMware Identity Manager service.
By integrating your Horizon Air tenant with the VMware Identity Manager service, you give your VMware Identity Manager users the ability to access their entitled VMware Horizon Air Apps and VMware Horizon Air Desktops from the VMware Identity Manager My Apps portal.
You create and configure desktop and application pools, also known as assignments, in the Horizon Air tenant. You also set user and group entitlements in the Horizon Air tenant, not in the VMware Identity Manager service. You must sync these users and groups to the VMware Identity Manager service from Active Directory before integrating with the Horizon Air tenant.
After you integrate the Horizon Air tenant with VMware Identity Manager, you can see the Horizon Air desktops and applications in the VMware Identity Manager administration console. You can also view user and group entitlements.
You can set up a sync schedule to regularly sync resources and entitlements from the Horizon Air tenant to the VMware Identity Manager service.

End users must install the VMware Horizon Client to launch Horizon Air desktops and applications from the My Apps portal. Horizon Client versions 3.4 and later are supported.
This chapter includes the following topics:
- Integrating Horizon Air Desktops and Apps, on page 45
- Viewing Details of Horizon Air Desktop and Application Pools, on page 53
- Viewing User and Group Entitlements to Horizon Air Desktops and Apps, on page 53
- Setting the Deployment Type for Horizon Air Entitlements, on page 54
- Launching a Horizon Air Desktop or Application, on page 55

Integrating Horizon Air Desktops and Apps


To integrate Horizon Air - Cloud Hosted desktops and applications with the VMware Identity Manager
service, you add your Horizon Air tenant details in the VMware Identity Manager administration console
and sync resources and entitlements from the Horizon Air tenant. You also configure SAML authentication
to enable trust between the Horizon Air tenant and the VMware Identity Manager service.


Deployment Scenario for Horizon Air Integration

To integrate Horizon Air Desktops and Apps with VMware Identity Manager, you need a Horizon Air tenant, a VMware Identity Manager tenant, and a VMware Identity Manager connector. You must install the connector appliance on premises in your local data center with line-of-sight to the Horizon Air tenant.
Note Connector version 2016.1.1 or later is required for Horizon Air integration.

Connector Deployment On Premises

Advantages of deploying the connector on premises include:
- If you want to integrate other on-premises resources, such as Citrix published resources, deploying a connector on premises enables you to use the same connector for all your resources.
- If you already have a VMware Identity Manager tenant deployment, with a connector installed on premises, you can use your existing deployment to integrate Horizon Air Desktops and Apps.

Figure 4-1. Horizon Air Integration with Connector Deployed On Premises

1 The connector syncs user and group information from Active Directory to the VMware Identity Manager tenant.

2 Horizon Air user and group entitlements are synced from the Horizon Air tenant to the VMware Identity Manager tenant through the connector.

3 The end user accesses a desktop or application as follows:
a The end user logs into the VMware Identity Manager service and clicks on a desktop or application.
b The service generates a launch URL and passes it to the Horizon Client. The launch URL includes a SAML artifact ID.
c The Horizon Client accesses the launch URL.
d The Horizon Air tenant receives the request and validates the SAML artifact ID with the VMware Identity Manager service.
e If the SAML artifact ID is validated by the VMware Identity Manager service, the desktop or application is streamed to the Horizon Client by the Horizon Air tenant.
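The launch sequence in steps a to e is an artifact-style handshake: the client carries an opaque handle to the tenant, and the tenant turns that handle into an assertion by asking the identity provider over a back channel. The following added example, which is not code from the original page or from VMware, models both sides of that exchange and the properties that make it safe to put the handle in a URL: it is unguessable, single-use, short-lived, and bound to the user and resource it was issued for, so a replayed or edited launch URL is refused. The host names, user, resource names, query parameter names and the 60-second lifetime are constructed assumptions; the real SAML artifact binding uses a structured artifact and a signed SOAP ArtifactResolve request, which this model simplifies away.

```python
import base64
import secrets
from dataclasses import dataclass
from typing import Dict, Optional
from urllib.parse import parse_qs, urlencode, urlparse

ARTIFACT_TTL_SECONDS = 60   # assumption: the page gives no artifact lifetime


@dataclass
class ArtifactRecord:
    user: str
    resource: str
    issued_at: float
    resolved: bool = False


class IdentityManagerService:
    """Stand-in for the identity-provider side (VMware Identity Manager): issues the launch URL
    and answers the tenant's artifact-resolution call. Not the product's code."""

    def __init__(self) -> None:
        self._artifacts: Dict[str, ArtifactRecord] = {}

    def issue_launch_url(self, user: str, resource: str, tenant_host: str, now: float) -> str:
        # 160 random bits from the OS CSPRNG; the handle itself carries no user data.
        handle = base64.urlsafe_b64encode(secrets.token_bytes(20)).decode().rstrip("=")
        self._artifacts[handle] = ArtifactRecord(user, resource, now)
        query = urlencode({"resource": resource, "SAMLart": handle})
        return f"https://{tenant_host}/launch?{query}"

    def resolve_artifact(self, handle: str, now: float) -> Optional[Dict[str, str]]:
        """Back-channel resolution. Returns the assertion content exactly once, otherwise None."""
        rec = self._artifacts.get(handle)
        if rec is None:
            return None                                   # unknown or forged handle
        if rec.resolved:
            return None                                   # replay: an artifact is single-use
        if now - rec.issued_at > ARTIFACT_TTL_SECONDS:
            return None                                   # stale handle
        rec.resolved = True
        return {"user": rec.user, "resource": rec.resource}


class HorizonAirTenant:
    """Stand-in for the service-provider side (the Horizon Air tenant)."""

    def __init__(self, host: str, idp: IdentityManagerService) -> None:
        self.host = host
        self.idp = idp

    def handle_launch(self, launch_url: str, now: float) -> Dict[str, str]:
        parsed = urlparse(launch_url)
        params = parse_qs(parsed.query)
        if parsed.hostname != self.host:
            return {"decision": "deny", "reason": "launch URL is for another host"}
        handle = params.get("SAMLart", [""])[0]
        resource = params.get("resource", [""])[0]
        assertion = self.idp.resolve_artifact(handle, now)
        if assertion is None:
            return {"decision": "deny", "reason": "artifact not validated by the identity provider"}
        if assertion["resource"] != resource:
            # The assertion is bound to one resource; the client cannot swap in another pool name.
            return {"decision": "deny", "reason": "artifact not bound to requested resource"}
        return {"decision": "stream", "user": assertion["user"], "resource": resource}


def launch_scenarios() -> Dict[str, str]:
    """Constructed exchange with hypothetical names; returns the tenant's decision per case."""
    idp = IdentityManagerService()
    tenant = HorizonAirTenant("tenant1.example.com", idp)
    url = idp.issue_launch_url("alice@example.com", "Win10-Desktop", "tenant1.example.com", now=1000.0)
    first = tenant.handle_launch(url, now=1001.0)                       # normal launch
    replay = tenant.handle_launch(url, now=1002.0)                      # same URL presented again
    url2 = idp.issue_launch_url("alice@example.com", "Win10-Desktop", "tenant1.example.com", now=1000.0)
    tampered = tenant.handle_launch(url2.replace("resource=Win10-Desktop", "resource=Admin-Desktop"), now=1001.0)
    url3 = idp.issue_launch_url("alice@example.com", "Win10-Desktop", "tenant1.example.com", now=1000.0)
    expired = tenant.handle_launch(url3, now=1000.0 + ARTIFACT_TTL_SECONDS + 1)
    return {"first": first["decision"], "replay": replay["decision"],
            "tampered": tampered["decision"], "expired": expired["decision"]}


if __name__ == "__main__":
    print(launch_scenarios())
```

The expiry case is where the time-sync prerequisite bites: the tenant compares its own clock against the issue time the identity provider recorded, so a tenant running more than the lifetime ahead rejects every fresh artifact as stale.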

Installing the Connector


For information on installing the connector, see VMware Identity Manager Connector Installation and
Configuration. Connector version 2016.1.1 or later is required for Horizon Air integration.
After you install and configure the connector, create a directory in your VMware Identity Manager tenant
and ensure that you sync the Active Directory users and groups that have Horizon Air Desktops and Apps
entitlements. To create a directory, you select the Identity & Access Management > Directories tab and click
Add Directory. See Integrating with Active Directory in VMware Identity Manager Connector Installation
and Configuration for information.
If you have an existing connector deployment, upgrade the connector to version 2016.1.1 or later. See
Upgrading VMware Identity Manager Connector. Also ensure that you sync the Active Directory users and
groups that have Horizon Air Apps and Desktops entitlements.
Note One VMware Identity Manager tenant or connector only supports one Horizon Air tenant.

Prerequisites for Integration

Before you integrate Horizon Air desktops and applications with VMware Identity Manager, ensure that you meet the prerequisites.
- Verify that you have the following setup:
  - A Horizon Air tenant that is accessible by the VMware Identity Manager connector. Work with your Horizon Air representative to set this up.
  - A VMware Identity Manager tenant
  - A VMware Identity Manager connector appliance installed on premises. See Deployment Scenario for Horizon Air Integration, on page 46 for information.
  Connector version 2016.1.1 or later is required for Horizon Air integration.
- Verify with your Horizon Air service provider that your Horizon Air tenant meets the following requirements.
  - The tenant name must be a fully qualified domain name (FQDN), not just a host name. For example, server-ta1.example.com instead of server-ta1.
  - The tenant appliances must have valid, signed certificates issued by a CA. Self-signed certificates are not supported. The certificate must match the FQDN of the tenant appliance.
  - If you created your VMware Identity Manager directory with UPN as a search attribute, and you intend to sync static desktop pools from the Horizon Air tenant, your service provider must enable UPN for the tenant and restart the tenant appliance, otherwise users will be unable to launch static desktops.
  UPN can be enabled in the Horizon Air Service Center, in the Policy Management page, by selecting the tenant, typing dtpolicy, setting the fabric.ad.use.userPrincipalNames policy to true, and restarting the tenant appliance.
- Ensure that the Horizon Air tenant and the VMware Identity Manager tenant are in time sync. If they are not in time sync, an invalid SAML error can occur when users launch Horizon Air desktops and applications.
- Create and configure desktop and application pools, also known as assignments, in the Horizon Air tenant administration console. You can create the following types of pools in the Horizon Air tenant:
  - Dynamic desktop pool, also known as floating desktop assignment
  - Static desktop pool, also known as dedicated desktop assignment
  - Session-based pool with desktops, also known as session desktop assignment
  - Session-based pool with applications, also known as remote application assignment
  For more information about the types of pools, see the Horizon Air documentation.
  The following limitations apply.
  - VMware Identity Manager only supports launch over PCoIP. Only those desktop and application pools that support launch over PCoIP are synced to VMware Identity Manager.
  - End users must install the Horizon Client to launch desktops and applications.
  - You can only sync from a single Horizon Air tenant to VMware Identity Manager.
- Set user and group entitlements to Horizon Air desktops and applications in the Horizon Air tenant administrative interface.
  Note Only entitlements for users that belong to a registered group are synced. Users who do not belong to any group will not see their entitlements in VMware Identity Manager.
- In the VMware Identity Manager administration console, ensure that users and groups with these entitlements are synced from Active Directory to VMware Identity Manager using directory sync.

Enable Horizon Air Desktops and Apps in VMware Identity Manager

To integrate Horizon Air Desktops and Apps with VMware Identity Manager, you add your Horizon Air tenant details in the VMware Identity Manager administration console and sync resources and entitlements from the Horizon Air tenant.
Prerequisites
Verify that you meet the prerequisites described in Prerequisites for Integration, on page 47.
Procedure
1 Log in to the VMware Identity Manager administration console.

2 In the Catalog tab, select Manage Desktop Applications > Horizon Air Applications.

3 Select the Enable Horizon Air Desktops and Applications check box.

4 Enter the information for your environment.
Important Do not use non-ASCII characters when you enter your domain information.

Tenant Host

Fully-qualified domain name of your tenant host. For example: tenant1.example.com

Tenant Port

Port number of your tenant host. For example: 443

Admin Username

User name for your tenant administrator account. For example: tenantadmin
Use an account dedicated to this integration so that its credentials can be rotated without affecting other administrators.

Admin Password

Password for your tenant administrator account.

Admin Domain

Active Directory NETBIOS domain name in which the tenant administrator resides.

Domains to Sync

Active Directory NETBIOS domain names for syncing Horizon Air resources and entitlements.
Note This field is case-sensitive. Ensure you use the proper case when you enter the names.

Deployment Type

Select how Horizon Air resources are made available to users in the user portal.
- User-Activated: VMware Identity Manager adds Horizon Air resources to the Catalog page in the user portal. To use a resource, users must move the resource from the Catalog page to the Launcher page.
- Automatic: VMware Identity Manager adds the resources directly to the Launcher page in the user portal for users' immediate use.
The deployment type that you select here is a global setting that applies to all user entitlements for all the resources in your Horizon Air integration. You can modify the deployment type for individual users or groups per resource, from the resource's Entitlements page.
Setting the global deployment type to User-Activated is recommended. You can then modify the setting for specific users or groups per resource. For more information about setting the deployment type, see Setting the Deployment Type for Horizon Air Entitlements, on page 54.

Choose Horizon Air Sync Frequency

The frequency at which to sync Horizon Air resources and entitlements.

5 Click Save.

6 Click Sync Now to sync resources and entitlements from the Horizon Air tenant.

What to do next
Configure SAML Authentication, on page 50.

Configure SAML Authentication


Configure SAML authentication to enable trust between the service provider (Horizon Air tenant) and the
identity provider (VMware Identity Manager).
To configure SAML authentication, you create a federation artifact for the Horizon Air tenant in the VMware
Identity Manager administration console and configure SAML authentication in the Horizon Air tenant.

Create Federation Artifact for Horizon Air

To configure SAML authentication, you need to create a federation artifact for the Horizon Air tenant.

Prerequisites
Verify the following with your service provider:
■  The Horizon Air tenant name is a fully-qualified domain name (FQDN). For example,
   server-ta1-1.example.com instead of server-ta1-1.
■  The Horizon Air tenant appliances have valid SSL certificates from a CA installed. Self-signed
   certificates are not supported. The certificate must match the FQDN of the tenant appliance.
Procedure
1  In the VMware Identity Manager administration console, click the arrow on the Catalog tab and select
   Settings.
2  In the left pane, select Horizon Air.
3  Enter the information for your environment to create a federation artifact.

   Setting                       Description
   Assertion Consumer Service    URL to which to post the SAML assertion. This URL is typically the Horizon Air
                                 tenant's floating IP or Access Point URL. For example, https://mytenant.example.com.
   Audience                      Unique identifier of the Horizon Air tenant. This URL is typically the Horizon Air
                                 tenant's floating IP or Access Point URL. For example, https://mytenant.example.com.
   Tenant Appliance URLs         The URL of the Horizon Air tenant appliance, in the format
                                 https://TenantApplianceFQDN/admin/SAML/metadata. If you have multiple tenant
                                 appliances, click Add Tenant Appliance URL to add the URLs.
                                 If the tenant appliances are behind a floating IP or Access Point appliance, specify
                                 the floating IP or Access Point appliance URL, in the format
                                 https://FloatingIPorAccessPointFQDN/admin/SAML/metadata.

4  Click the Accept Certificate link next to each Horizon Air tenant appliance URL to accept the certificate.
   Important  If you change the SSL certificate on the Horizon Air tenant appliance after integration, you
   must return to this page and accept the certificate again to re-establish trust.
5  Click Save.

What to do next
Configure SAML authentication in the Horizon Air tenant.

Configure SAML Authentication in the Horizon Air Tenant

After you create a federation artifact in the VMware Identity Manager administration console, configure
SAML authentication in the Horizon Air tenant.
Note  Do not configure SAML authentication if your organization uses smart card authentication to view
resources using a third-party identity provider.
Note  The Horizon Air tenant appliance and VMware Identity Manager must be in time sync. If they are
not in time sync, when you try to launch Horizon Air desktops and applications, an invalid SAML message
appears.

Procedure
1  In the VMware Identity Manager administration console, click the arrow on the Catalog tab and select
   Settings.
2  In the left pane, click SAML Metadata.
3  Click the Identity Provider (IdP) metadata link.
4  Make a note of the URL from the browser's address bar, such as
   https://VMwareIdentityManagerFQDN/SAAS/API/1.0/GET/metadata/idp.xml.
5  Run the following REST API calls against the primary Horizon Air tenant.
   a  POST https://DaaSPrimaryTenant/dt-rest/v100/system/login?domain=domainname&user=tenantadminusername&pw=password
      For example:
      POST https://10.10.10.10/dt-rest/v100/system/login?domain=AIRTENANTA&user=tenantadmin&pw=mypassword
      Get the values from the response headers Authorization and x-dt-csrf-header to use for the next API call.
   b  PUT https://DaaSPrimaryTenantAppliance/dt-rest/v100/security/manager/create/modify/identityprovider
      For example:
      PUT https://10.10.10.10/dt-rest/v100/security/manager/create/modify/identityprovider
      Header Authorization: Use the value from the previous login API response header.
      Header x-dt-csrf-header: Use the value from the previous login API response header.
      Header Content-Type: Use text/xml.
      Body:
      <DtIdentityProviderConfig>
        <workspaceAddress>https://VMwareIdentityManagerFQDN/SAAS/API/1.0/GET/metadata/idp.xml</workspaceAddress>
        <timeout>0</timeout>
        <tenantAddress>HorizonAirTenantFloatingAddressOrAccessPoint</tenantAddress>
        <dataCenterId>HorizonAirTenantDatacenterID</dataCenterId>
      </DtIdentityProviderConfig>
      where
      <workspaceAddress>: Specify the VMware Identity Manager IdP metadata URL you copied in step 4 above.
      <tenantAddress>: Specify the floating address or Access Point of the Horizon Air tenant appliance.
      For example, horizonair-tenant.example.com.
      <dataCenterId>: Specify the datacenter ID of the Horizon Air tenant. You can find the ID in the
      datacenter table of the primary Horizon Air tenant by using this command: Select * from datacenter;
6  Restart the tenant appliances.

Your integration is complete. You can now view Horizon Air desktop and application pools in the VMware
Identity Manager administration console and end users can launch the resources to which they are entitled.
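The two REST calls in step 5 scripted end to end, as an added example that is not from the VMware documentation. It assumes PowerShell 5.1 or later on a host that trusts the tenant appliance's CA-issued certificate; the parameter values (tenant appliance, domain, administrator, tenant address, datacenter ID, VMware Identity Manager FQDN) are placeholders you supply.

```powershell
# Added example (not from the VMware documentation): perform the login and identityprovider
# calls from step 5 against the primary Horizon Air tenant. Assumes PowerShell 5.1 or later
# on a host that trusts the tenant appliance's CA-issued certificate.
param(
    [Parameter(Mandatory = $true)] [string]$TenantAppliance, # primary tenant appliance, e.g. 10.10.10.10
    [Parameter(Mandatory = $true)] [string]$Domain,          # tenant admin's NETBIOS domain, e.g. AIRTENANTA
    [Parameter(Mandatory = $true)] [string]$AdminUser,       # tenant admin user name, e.g. tenantadmin
    [Parameter(Mandatory = $true)] [string]$TenantAddress,   # tenant floating address or Access Point FQDN
    [Parameter(Mandatory = $true)] [string]$DataCenterId,    # from the tenant's datacenter table
    [Parameter(Mandatory = $true)] [string]$IdmFqdn          # VMware Identity Manager FQDN
)

function Connect-DaasTenant {
    # Step 5a: POST .../system/login and capture the two headers needed by the next call.
    param([string]$Appliance, [string]$Domain, [string]$User, [System.Security.SecureString]$Password)
    # The login API takes the password as a query parameter, so it can end up in proxy or
    # appliance access logs; it is prompted for at run time rather than stored in this script.
    $plain = (New-Object System.Net.NetworkCredential('', $Password)).Password
    $query = 'domain={0}&user={1}&pw={2}' -f [uri]::EscapeDataString($Domain),
                                            [uri]::EscapeDataString($User),
                                            [uri]::EscapeDataString($plain)
    $resp = Invoke-WebRequest -Method Post -UseBasicParsing `
        -Uri "https://$Appliance/dt-rest/v100/system/login?$query"
    $auth = @{
        'Authorization'    = [string]$resp.Headers['Authorization']
        'x-dt-csrf-header' = [string]$resp.Headers['x-dt-csrf-header']
    }
    foreach ($name in $auth.Keys) {
        if (-not $auth[$name]) { throw "Login response did not include the $name header." }
    }
    return $auth
}

function New-IdentityProviderBody {
    # Build the DtIdentityProviderConfig body from step 5b with a real XML writer so that
    # any special characters in the values are escaped correctly.
    param([string]$IdmFqdn, [string]$TenantAddress, [string]$DataCenterId)
    $doc  = New-Object System.Xml.XmlDocument
    $root = $doc.AppendChild($doc.CreateElement('DtIdentityProviderConfig'))
    $values = [ordered]@{
        workspaceAddress = "https://$IdmFqdn/SAAS/API/1.0/GET/metadata/idp.xml"
        timeout          = '0'
        tenantAddress    = $TenantAddress
        dataCenterId     = $DataCenterId
    }
    foreach ($name in $values.Keys) {
        $el = $doc.CreateElement($name)
        $el.InnerText = $values[$name]
        [void]$root.AppendChild($el)
    }
    return $doc.OuterXml
}

function Set-DaasIdentityProvider {
    # Step 5b: PUT the body with the Authorization and x-dt-csrf-header values from the login.
    param([string]$Appliance, [hashtable]$AuthHeaders, [string]$Body)
    Invoke-RestMethod -Method Put -Headers $AuthHeaders -ContentType 'text/xml' -Body $Body `
        -Uri "https://$Appliance/dt-rest/v100/security/manager/create/modify/identityprovider"
}

$password = Read-Host -AsSecureString -Prompt "Password for $Domain\$AdminUser"
$auth = Connect-DaasTenant -Appliance $TenantAppliance -Domain $Domain -User $AdminUser -Password $password
$body = New-IdentityProviderBody -IdmFqdn $IdmFqdn -TenantAddress $TenantAddress -DataCenterId $DataCenterId
Set-DaasIdentityProvider -Appliance $TenantAppliance -AuthHeaders $auth -Body $body
Write-Host 'Identity provider configured. Restart the tenant appliances (step 6) to apply the change.'
```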

Syncing Horizon Air Desktops and Apps with VMware Identity Manager

When you initially integrate a Horizon Air tenant with your VMware Identity Manager deployment, you
sync resources and entitlements from the Horizon Air tenant to the VMware Identity Manager service. You
may also have set up a regular sync schedule or chosen to sync manually. If you modify Horizon Air
desktop and application pools, or entitlements, you can sync the updates to VMware Identity Manager at
any time using the Sync Now feature.

Procedure
1  Log in to the VMware Identity Manager administration console.
2  In the Catalog tab, click Manage Desktop Applications > Horizon Air Application.
3  Click Sync Now.
4  (Optional) To specify a regular sync schedule, select one of the options in the Choose Horizon Air Sync
   Frequency field and click Save.

Viewing Details of Horizon Air Desktop and Application Pools

You can view information about the Horizon Air desktop and application pools that have been synced to
VMware Identity Manager.

Procedure
1  Log in to the VMware Identity Manager administration console.
2  Click the Catalog tab.
3  Click Any Application Type and select Horizon Air Desktops or Horizon Air Applications.
4  Select a desktop or application pool.
5  Click Details.
   Attributes retrieved from the Horizon Air tenant are displayed. See the Horizon Air documentation for
   information about these attributes.

Viewing User and Group Entitlements to Horizon Air Desktops and Apps

You can view which Horizon Air desktops and applications your VMware Identity Manager users and
groups are entitled to.
User and group entitlements to Horizon Air resources are set in the Horizon Air tenant administrative
interface and cannot be modified from the VMware Identity Manager administration console.

Prerequisites
To see the latest information, sync Horizon Air Desktops and Apps. You can force a sync by selecting
Catalog > Manage Desktop Applications > Horizon Air Applications to go to the Horizon Air Resources
page, and clicking Sync Now.

Procedure
1  Log in to the VMware Identity Manager administration console.
2  View user and group entitlements to Horizon Air desktops and applications.

   Option                                   Action
   List users and groups entitled to a      a  Click the Catalog tab.
   specific Horizon Air desktop or          b  Click Any Application Type > Horizon Air Desktops or Horizon Air
   application pool.                           Applications.
                                            c  Select the pool for which you want to list entitlements.
                                            The Entitlements tab is selected by default. Group entitlements and user
                                            entitlements are listed in separate tables.
   List of Horizon Air desktop and          a  Click the Users & Groups tab.
   application pool entitlements for a      b  Click the Users tab or the Groups tab.
   specific user or group.                  c  Click the name of an individual user or group.
                                            The Entitlements tab is selected by default. Horizon Air desktop and
                                            application pools to which the user or group is entitled are listed.

Setting the Deployment Type for Horizon Air Entitlements

You can set the deployment type for Horizon Air resources, which determines how the resources are made
available to users. Setting the deployment type to User-Activated adds the resources to the Catalog page in
the user portal. To use a resource, users must move the resource from the Catalog page to the Launcher
page. Setting the deployment type to Automatic adds the resources directly to the Launcher page in the user
portal for users' immediate use.
You can set the deployment type at different levels.
■  Global level
   The global setting applies to all user entitlements for all the Horizon Air resources in your deployment.
   You specify the global deployment type when you first integrate Horizon Air resources with VMware
   Identity Manager from the Horizon Air Resources page. After the initial integration, you can modify the
   global setting from the same page. Note that if you change the global setting after the initial integration,
   the new setting only applies to new entitlements that are synced. To modify existing entitlements, you
   can change the setting at the individual resource level.
   Note  Setting the global deployment type to User-Activated is recommended. In typical scenarios, you
   set the global setting to User-Activated, and then modify it to Automatic for specific user and group
   entitlements.
■  User or group entitlement level
   You can also set the deployment type at the individual application or desktop level for specific users
   and groups. This setting overrides the global setting. This setting will not be changed during
   subsequent syncs.
During sync, the deployment type for existing entitlements is not changed. For new entitlements in the sync,
the global setting is applied.
Note  Once a resource has been activated, that is, once it appears in the Launcher page for a user, it will
continue to appear in the Launcher page unless the user deletes it. Any changes to the deployment type will
not remove it from the Launcher page.
Procedure
1  To set the deployment type at the global level, follow these steps.
   a  Click the Catalog tab and select Manage Desktop Applications > Horizon Air Application.
   b  In the Deployment Type field in the Horizon Air Resources page, select User-Activated or
      Automatic.
      Note  Setting the global deployment type to User-Activated is recommended.
   c  Click Save.
      The setting will be applied to all new entitlements beginning with the next sync.
2  To set the deployment type for a specific user or group entitlement, follow these steps.
   a  Click the Catalog tab.
   b  Click the application or desktop whose entitlement you want to edit.
   c  Click Entitlements to display the Entitlements page for the application.
      You can view the current deployment settings for user and group entitlements in the
      DEPLOYMENT column.
   d  Click Edit next to the entitlement you want to edit.
   e  In the Edit User Entitlement dialog box, select the deployment type for the entitlement.
   f  Click Save.
      The deployment type set at the user or group entitlement level has precedence over the global
      deployment type setting, and will not be modified during sync.

Launching a Horizon Air Desktop or Application

End users can log in to their My Apps portal and launch the Horizon Air desktops and applications to
which they are entitled. Users must install Horizon Client 3.4 or later on their machines as these desktops
and applications can only be launched on the client.

Prerequisites
Install Horizon Client 3.4 or later on your computer. You can download the Horizon Client from My
VMware. You can also right-click any Horizon Air application or desktop in the My Apps portal for a direct
link to the Horizon Client download page.

Procedure
1  Log in to the VMware Identity Manager My Apps portal.
2  Double-click the desktop or application you want to launch.
   The desktop or application is launched in the Horizon Client.

5  Providing Access to Citrix-Published Resources

You can provide VMware Identity Manager users access to Citrix-published resources. Citrix-published
resources include applications and desktops within Citrix XenApp and XenDesktop farms. Desktops are
also referred to as Citrix-published delivery groups.
When you integrate a Citrix deployment with VMware Identity Manager, VMware Identity Manager users
can use Citrix Receiver on their systems and devices to access their entitled Citrix-published resources.
After you integrate VMware Identity Manager with your Citrix deployment, you use the Citrix deployment
to manage Citrix-published applications and Citrix-published desktops and to entitle users to those
resources. You can then use the VMware Identity Manager administration console to view these Citrix
resources and their entitlements.
VMware Identity Manager provides default global application delivery settings for Citrix-published
resources. For example, you can edit the settings that control resource streaming and resource security. You
can configure the delivery settings globally, for all the Citrix resources in the VMware Identity Manager
catalog, or for individual Citrix resources.
VMware Identity Manager also supports Citrix deployments that include Citrix Netscaler. To use the
Netscaler feature, you must install Integration Broker 2.4 or later.

Supported Versions
■  VMware Identity Manager supports XenApp 5.0, 6.0, 6.5, and 7.x, and XenDesktop 7.x.
■  To use the Netscaler feature, you require Integration Broker 2.4 or later.
■  To use XenApp 7.x or XenDesktop 7.x, you require Integration Broker 2.6 or later.
■  Supported operating systems for Integration Broker are Windows Server 2008 R2, Windows Server
   2012, and Windows Server 2012 R2.

This chapter includes the following topics:
■  Integrating VMware Identity Manager with Citrix-Published Resources, on page 58
■  Enabling Citrix PowerShell Remoting on Citrix Server Farm, on page 61
■  Preparing and Installing Integration Broker, on page 63
■  Synchronizing VMware Identity Manager with Citrix Server Farms, on page 72
■  Configuring VMware Identity Manager for Netscaler, on page 74
■  Viewing User and Group Entitlements to Citrix-Published Resources, on page 78
■  Setting the Deployment Type for Citrix Entitlements, on page 79
■  Editing Delivery Settings for Citrix-Published Resources, on page 81
■  Managing Categories for Citrix-Published Resources, on page 83

Integrating VMware Identity Manager with Citrix-Published Resources


You can integrate VMware Identity Manager with your Citrix deployment to provide Citrix-published
resources to your end users.

Requirements
To integrate a Citrix deployment with the VMware Identity Manager service, you need the following
components.
■  A VMware Identity Manager tenant.
■  A VMware Identity Manager connector, version 2.7 or later, installed on premises.
   You can download the connector from https://my.vmware.com.
■  An Integration Broker instance installed on premises. The Integration Broker, a component of
   VMware Identity Manager, is the component that communicates with Citrix server farms.
   You can download the Integration Broker from https://my.vmware.com.
   To integrate with XenApp or XenDesktop 7.x, you must install Integration Broker 2.6 or later. To use the
   Netscaler feature, you must install Integration Broker 2.4 or later.
■  A Citrix deployment on premises.
While deploying the on-premise components, ensure that you meet these requirements.
■  The connector must be able to communicate with the Integration Broker. If you have deployed multiple
   connector instances, ensure that all of them can communicate with the Integration Broker.
■  The Integration Broker must be able to communicate with the Citrix server farm.
All communication between the VMware Identity Manager service and the on-premise components is
through the connector. The connector and the service communicate over a communication channel that is
automatically set up during installation.
The following diagram depicts a VMware Identity Manager-Citrix server farm integration and illustrates
how resources and entitlements are synced to the VMware Identity Manager service.
Figure 5-1. Resources and Entitlements Sync
[Diagram: on premises, the VMware Identity Manager Connector makes a REST call to the Integration Broker to
retrieve resources and entitlements; the Integration Broker makes Citrix PowerShell SDK calls to the Citrix farm
or load balancer to retrieve them; the connector syncs the resources and entitlements to the VMware Identity
Manager service (vIDM tenant).]

The following diagram illustrates how an application or desktop is launched from the
VMware Identity Manager service.
Figure 5-2. Application or Desktop Launch
[Diagram, numbered 1 to 5: (1) the user launches an application or desktop from the VMware Identity Manager
service (vIDM tenant); (2) the VMware Identity Manager Connector retrieves the ICA file through the Integration
Broker from the Citrix farm or load balancer; (3, 4) the ICA file is passed back to the service and to Citrix
Receiver; (5) the application or desktop is launched.]

Supported Features
VMware Identity Manager provides support for the following functions:
■  Synchronize Citrix-published applications, Citrix-published desktops, or both from a Citrix farm to
   VMware Identity Manager.
■  Synchronize entitlements from a Citrix farm to the VMware Identity Manager entitlement store.
■  Launch Citrix-published resources using SSO.
■  Route application launch traffic through a Netscaler appliance or through a direct connection.
VMware Identity Manager uses the Integration Broker, a component of VMware Identity Manager, to
deliver Citrix-published resources to the end user.
■  VMware Identity Manager pushes Citrix farm information and publishes resource information from the
   Citrix farm to the catalog based on configured synchronization.
■  A VMware Identity Manager administrator can set the generic user settings template and the ICA
   launch template for all the resources in an organization. This template is saved as an organization
   artifact in the VMware Identity Manager data store.
■  A VMware Identity Manager administrator can set the ICA launch template by resource in the
   VMware Identity Manager catalog. This template is saved as part of the resource definition in the
   VMware Identity Manager catalog.
VMware Identity Manager synchronizes the Citrix-published resources and entitlements from the Citrix
farm to the VMware Identity Manager entitlement store. Synchronization occurs based on the frequency set
in the schedule. The Citrix farm is the single source of truth for all supported operations in
VMware Identity Manager.
VMware Identity Manager uses the Citrix Receiver to launch Citrix-published resources. The end user must
install the Citrix Receiver on their device. The Citrix Receiver delivers the Citrix-published resources to the
end user.
VMware Identity Manager also provides multi-device support. End users can launch a Citrix-published
resource, such as the Textpad application, from VMware Identity Manager on any device, such as a laptop,
domain-joined desktop, or non-domain-joined desktop.


The following table describes the administrator's task on the Citrix farm and the corresponding operation
that results after a synchronization with VMware Identity Manager.
Table 5-1. VMware Identity Manager and Citrix Farm Synchronization
Action in the Citrix farm                                   Result after sync with VMware Identity Manager
Publish a new resource, application or desktop, to the      VMware Identity Manager creates the Citrix-published
Citrix farm.                                                resource in the VMware Identity Manager catalog.
Edit a resource in the Citrix farm.                         VMware Identity Manager updates the Citrix-published
                                                            resource in the VMware Identity Manager catalog.
Delete a resource in the Citrix farm.                       VMware Identity Manager deletes the entitlements associated
                                                            with the Citrix-published resource and then deletes the
                                                            Citrix-published resource from the catalog.
Add an end user entitlement for a resource in the Citrix    VMware Identity Manager creates an entitlement in the
farm.                                                       VMware Identity Manager entitlement store to associate
                                                            with the Citrix-published resource and domain identities.
Remove an end user entitlement for a resource in the        VMware Identity Manager deletes the entitlement from the
Citrix farm.                                                VMware Identity Manager entitlement store.

VMware Identity Manager uses the Integration Broker component and a Citrix SDK to handle SSO from
VMware Identity Manager to Citrix-published resources.
Figure 5-3. SSO between VMware Identity Manager and Citrix Farm
[Diagram: (1) the user launches Citrix-published resources from the VMware Identity Manager service; the
VMware Identity Manager Connector makes a REST call to the Integration Broker Web application (IIS on a
Windows 2008 host in the DMZ, with the XenApp Web Interface SDK 5.4) to retrieve the ICA file; the Integration
Broker makes Web Interface SDK calls to the Citrix farm or load balancer to retrieve the ICA file; the ICA file is
returned to Citrix Receiver and (5) the application is delivered.]
Syncing Delivery Groups

A delivery group's Delivery Type setting in Citrix determines how VMware Identity Manager syncs the
delivery group.
VMware Identity Manager syncs a delivery group only if its Delivery Type is set to DesktopsAndApps or
DesktopsOnly. If the delivery group's Delivery Type is set to AppsOnly, its applications are synced but the
delivery group itself is not synced and does not appear in the VMware Identity Manager catalog.
Configure your delivery groups accordingly.

Upgrade
VMware Identity Manager does not require additional setup after a VMware Identity Manager upgrade or a
Citrix product upgrade to maintain the integration between VMware Identity Manager and Citrix-published
resources. To upgrade Integration Broker, you must uninstall the older version and then install the new
version. To reinstall Citrix Receiver, see the Citrix documentation.
Note To use the Netscaler feature, you must install Integration Broker 2.4 or later. If you are using XenApp
or XenDesktop 7.x, you must install Integration Broker 2.6 or later.

Enabling Citrix PowerShell Remoting on Citrix Server Farm

You must enable remote invocations between the Integration Broker and the Citrix farm. Citrix PowerShell
Remoting requires a secure HTTPS channel to make remote calls. To enable this function, you must install a
valid certificate from a certification authority.

Prerequisites
Verify that the instructions you use to set up Citrix PowerShell Remoting match the version of the Citrix
server farm you use.

Set up Citrix PowerShell Remoting on XenApp or XenDesktop 7.x

You must enable Citrix PowerShell remoting on the Citrix servers that you are integrating with
VMware Identity Manager. Citrix PowerShell remoting enables connections between Integration Broker and
the XenApp or XenDesktop server farm.

Procedure
1  Install an SSL server certificate on the XenApp or XenDesktop 7.x servers that you are integrating with
   VMware Identity Manager.
   For information about how to install an SSL server certificate, see the Microsoft documentation.
2  Click Properties and verify that Server Authentication is enabled for the certificate.
3  Install Studio and PowerShell SDK: Citrix Broker PowerShell Snapin and Citrix Configuration
   PowerShell Snapin from media.
   To verify the installation, follow these steps.
   a  Launch PowerShell.
   b  Enter this command:
      Add-PSSnapin Citrix*
   c  Enter this command:
      Get-ConfigSite -AdminAddress XenApp7.xServer


Set Up Citrix PowerShell Remoting on Citrix Server Farm 6.5

You must enable Citrix PowerShell remoting on the Citrix servers that you are integrating with
VMware Identity Manager. Citrix PowerShell remoting enables connections between Integration Broker and
the Citrix server farm.

Procedure
1  Install an SSL server certificate on the Citrix servers that you are integrating with
   VMware Identity Manager.
   For information about how to install an SSL server certificate, see the Microsoft documentation.
2  Click Properties and verify that Server Authentication is enabled for the certificate.
3  Enable Citrix PowerShell Remoting.
   a  Open Citrix PowerShell Module > Program Files.
   b  Type the set-executionpolicy remotesigned command.
   c  Type the Import-Module command. The path contains spaces, so it must be quoted:
      Import-Module "C:\Program Files\Citrix\PowerShell Modules\Citrix.XenApp.Commands.Remoting\Enable-XAPSRemoting.ps1"
      If the Citrix PowerShell modules are not installed in the default location, replace the default path
      with the path that is used in your environment.
   d  Type the Enable-XAPSRemoting command.

Set Up Citrix PowerShell Remoting on Citrix Server Farm 5.0 or 6.0

You must enable Citrix PowerShell remoting on the Citrix servers you are integrating with
VMware Identity Manager. Citrix PowerShell remoting enables connections between Integration Broker and
the Citrix server farm.

Prerequisites
■  If you do not have Winrm installed, download and install Winrm from the Microsoft Web site.

Procedure
1  Install an SSL server certificate on the Citrix servers that you are integrating with
   VMware Identity Manager.
2  Click Properties and verify that Server Authentication is enabled for the certificate.
3  Open the PowerShell console in the administrator mode.
4  Enable Citrix PowerShell Remoting.
   a  Type the Get-Service winrm command to verify that Winrm is installed on the server.
   b  Type the Enable-PSRemoting command.
      This command enables PowerShell Remoting on the server.
5  Install the Citrix PowerShell SDK 5.0 or 6.0 depending on the Citrix server version.
6  Enable the winrm HTTPS listener from the command prompt.
   a  Create a certificate on the server.
   b  Record the certificate's thumbprint.
   c  Verify that the certificate's thumbprint is configured.
      winrm quickconfig -transport:https
   d  Create the listener.
      winrm create winrm/config/Listener?Address=*+Transport=HTTPS @{Hostname="host FQDN";CertificateThumbprint="certificate thumbprint"}
   e  Verify that the listener was created.
      winrm e winrm/config/listener
   f  This server is ready to use.
   g  After the listener is created, go to the Integration Broker server to verify that PowerShell remoting
      is installed correctly.
      winrm identify -r:https://XENAPP_HOSTNAME:5986 -u:USERNAME
      Output:
      IdentifyResponse
      ProtocolVersion=http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd
      ProductVendor=Microsoft Corporation
      ProductVersion=OS: 6.0.6002 SP: 2.0 Stack: 2.0
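Steps 6a to 6g carried out in PowerShell rather than with the winrm command-line tool, as an added example that is not from the VMware documentation. It assumes an elevated PowerShell session on the XenApp server and a CA-issued Server Authentication certificate for the host's FQDN already in the local machine certificate store.

```powershell
# Added example (not from the VMware documentation): steps 6a to 6g done in PowerShell on a
# XenApp 5.0 or 6.0 server. Assumes an elevated session and that a CA-issued server certificate
# for this host's FQDN is already in the local machine's personal store (Cert:\LocalMachine\My).
param(
    [string]$HostFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
)

function Get-ServerAuthCertificate {
    # Steps 6a/6b: pick the newest unexpired certificate that carries the Server Authentication
    # EKU and names this host, so that its thumbprint can be bound to the listener.
    param([string]$Fqdn)
    $serverAuthOid = '1.3.6.1.5.5.7.3.1'
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object {
            $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and
            ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $serverAuthOid }) -and
            ($_.Subject -like "CN=$Fqdn,*" -or $_.Subject -eq "CN=$Fqdn" -or
             ($_.DnsNameList -and $_.DnsNameList.Unicode -contains $Fqdn))
        } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
}

function Enable-WinRmHttpsListener {
    # Steps 6c/6d: the equivalent of "winrm quickconfig -transport:https" followed by
    # "winrm create winrm/config/Listener?Address=*+Transport=HTTPS ...", via the WSMan provider.
    param([string]$Fqdn, [string]$Thumbprint)
    if ((Get-Service WinRM).Status -ne 'Running') { Start-Service WinRM }
    Set-Service WinRM -StartupType Automatic
    # Replace any existing HTTPS listener so that the selected certificate is the one in use.
    Get-ChildItem WSMan:\localhost\Listener |
        Where-Object { $_.Keys -contains 'Transport=HTTPS' } |
        ForEach-Object { Remove-Item -Path "WSMan:\localhost\Listener\$($_.Name)" -Recurse -Force }
    New-Item -Path WSMan:\localhost\Listener -Transport HTTPS -Address * -HostName $Fqdn `
        -CertificateThumbPrint $Thumbprint -Force | Out-Null
    # Open TCP 5986 inbound; netsh works on Windows Server 2008 R2 as well as later releases.
    netsh advfirewall firewall add rule name="WinRM HTTPS (TCP 5986)" dir=in action=allow `
        protocol=TCP localport=5986 | Out-Null
}

function Test-WinRmHttpsListener {
    # Steps 6e/6g: the equivalent of "winrm e winrm/config/listener" and
    # "winrm identify -r:https://host:5986". Run the same Test-WSMan from the Integration Broker
    # server to confirm the path across the network.
    param([string]$Fqdn)
    $listener = Get-ChildItem WSMan:\localhost\Listener | Where-Object { $_.Keys -contains 'Transport=HTTPS' }
    if (-not $listener) { throw 'No WinRM HTTPS listener is configured.' }
    Test-WSMan -ComputerName $Fqdn -Port 5986 -UseSSL   # returns the IdentifyResponse shown above
}

$cert = Get-ServerAuthCertificate -Fqdn $HostFqdn
if (-not $cert) { throw "No valid Server Authentication certificate for $HostFqdn in Cert:\LocalMachine\My." }
Write-Host "Using certificate $($cert.Thumbprint) ($($cert.Subject))"
Enable-WinRmHttpsListener -Fqdn $HostFqdn -Thumbprint $cert.Thumbprint
Test-WinRmHttpsListener -Fqdn $HostFqdn
```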

Preparing and Installing Integration Broker


Before you install Integration Broker, verify that your VMware Identity Manager environment is installed
and configured correctly. To deploy Integration Broker, you need to first configure your Windows Server
environment and then install Integration Broker.
Note VMware Identity Manager does not install or require installation of any VMware software on Citrix
servers.

Prepare Windows Server for Integration Broker (Windows Server 2008 R2,
Windows Server 2012, or Windows Server 2012 R2)

Before you install Integration Broker, you must prepare your Windows system.
The following operating systems are supported for Integration Broker.
■  Windows Server 2008 R2
■  Windows Server 2012
■  Windows Server 2012 R2

Prerequisites
■  Determine how you will deploy Integration Broker.
   Consider the following questions.
   ■  Will you use multiple Integration Broker instances?
      Multiple instances are useful for both high-availability and load-balancing purposes.
      If you use multiple Integration Broker instances, a preferred practice is to install one
      Integration Broker instance for each Windows Server instance.
      If your deployment distributes heavy traffic, a preferred practice is to use at least one
      Integration Broker instance to sync with VMware Identity Manager and at least one
      Integration Broker instance to provide SSO.
   ■  If so, will you use load balancers?
      If your deployment uses multiple Integration Broker instances for high-availability or load-balancing
      purposes, consider installing them behind one or more load balancers.
■  Verify that Windows Server 2008 R2, Windows Server 2012, or Windows Server 2012 R2 are installed
   with the latest updates. To check for updates, select Control Panel > Windows Update.
■  Install .NET Framework 3.5. When you install .NET, it installs version 3.5 as a feature. If you are using
   Windows Server 2008 R2, ensure that you select WCF Activation. If you are using Windows Server 2012
   or 2012 R2, ensure that you select HTTP Activation.
■  Download and install Microsoft Visual J# 2.0 Redistributable Package - Second Edition. Depending on
   your operating system, you might need to download either the 32-bit or 64-bit version of Microsoft
   Visual J#.
■  Configure IIS 7 or 7.5 for Windows Server 2008 R2, IIS 8 for Windows Server 2012, or IIS 8.5 for
   Windows Server 2012 R2.
   Note  If you are installing IIS 7, install it in 6.0 Management Compatibility Mode. You must also install
   the Management Tools if this is your only IIS 7 instance.

For Windows Server 2012 or 2012 R2, select the following features, roles, and role services. You select
these in Server Manager, using the Add Roles and Features wizard.

Features
- .NET Framework 3.5 Features
  - .NET Framework 3.5 (includes .NET 2.0 and 3.0)
  - HTTP Activation
- IIS Hostable Web Core
- Windows Process Activation Service
- WinRM IIS Extension
- WoW64 Support

Roles
- Application Server
- Web Server (IIS)
- File Server

Role Services

Application Server Role Services
- .NET Framework 4.5
- COM+ Network Access
- Web Server (IIS) Support
- Windows Process Activation Service Support
  - HTTP Activation

Web Server Role (IIS) Role Services
- Web Server
  - Common HTTP Features
    - Default Document
    - Directory Browsing
    - HTTP Errors
    - Static Content
    - HTTP Redirection
  - Health and Diagnostics
    - HTTP Logging
    - Logging Tools
    - Request Monitor
    - Tracing
  - Performance
    - Static Content Compression
    - Dynamic Content Compression
  - Security
    - Request Filtering
    - Basic Authentication
    - Client Certificate Mapping Authentication
    - Digest Authentication
    - IIS Client Certificate Mapping Authentication
    - IP and Domain Restrictions
    - URL Authorization
    - Windows Authentication
  - Application Development
- Management Tools
  - IIS Management Console
  - IIS 6 Management Compatibility
  - IIS Management Scripts and Tools

For Windows Server 2008, select the following roles. You select these in Server Manager, using the Add
Roles and Features wizard.
- Application Server
- Web Server (IIS)
- File Server

Configure an application pool. You can use the default application pool or create an application pool
that is dedicated to Integration Broker.

Note See the VMware Product Interoperability Matrixes at
http://www.vmware.com/resources/compatibility/sim/interop_matrix.php to verify version information.

Procedure

1. If you are using IIS 8.0 or later, in IIS Manager, ensure that the http and https bindings for the Default
   Web Site do not have a host name configured. The Host name field for the http and https bindings
   should be blank.

2. In IIS Manager, configure the default application pool or the one you set up to use with Integration
   Broker.
   a. Click the application pool.
   b. Verify these requirements.
      - .NET Framework version 2.0
      - Set 32-bit applications to true.
      Note In Windows 2012 and Windows 2012 R2, the application pool may have been configured to
      a different version of .NET Framework by default. Ensure that you configure the application pool
      to .NET Framework 2.0.

3. In IIS Manager, configure Identity to use the same account as the Citrix-published resources
   administrator. Integration Broker uses this account to authenticate.
   a. Right-click the application pool.
   b. Click Identity in the Advanced Settings dialog.
   c. Click Custom Account and click Set.
   d. Type the credentials for the Citrix-published resources administrator, that is, the domain
      user name and password.

4. Download and install the Citrix PowerShell SDK.
   a. Download and install the appropriate version.
      - If you are using XenApp 6.0, download and install version 6.0 of the Citrix PowerShell SDK from
        the Citrix website.
      - If you are using XenApp 6.5, download and install version 6.5 of the Citrix PowerShell SDK from
        the Citrix website.
      - If you are using XenApp 7.x or XenDesktop 7.x, install the following PowerShell SDKs from
        the XenApp or XenDesktop 7.x DVD, or from the Citrix website:
        - Citrix Broker PowerShell snap-in
        - Citrix Configuration Service PowerShell snap-in
   b. Set the execution policy for Citrix PowerShell Remoting.
      If the Citrix XenApp or XenDesktop farm's execution policy is configured to RemoteSigned,
      you must add your root certificate to the Trusted Root Certification Authorities store. See the
      Microsoft website about adding root certificates to the store.
      If the Citrix XenApp or XenDesktop farm's execution policy is configured to Unrestricted, you do
      not need to add root CAs to the Trusted Root Certification Authorities store.

5. Before you run the following commands, verify that the PowerShell SDK is successfully installed.
   a. Launch the PowerShell SDK as administrator.
   b. Verify PowerShell remoting.
      This sample command applies to XenApp or XenDesktop 7.x.
        Get-BrokerDesktopGroup -AdminAddress CitrixServerName
        Get-ConfigSite -AdminAddress CitrixServerName
      This sample command applies to Citrix Server Farm 6.5.
        Get-XAApplication -ComputerName CITRIX_SERVER_NAME
      This sample command applies to Citrix Server Farm 6.0.
        Invoke-Command -ComputerName XENAPP_HOST_NAME -ScriptBlock { Add-PSSnapin Citrix* ; Get-XAApplication } -Credential DOMAIN\USERNAME
   c. Verify that the list includes all the applications hosted by Citrix.

What to do next
If the Invoke-Command command fails, see Memory Issue Prevents Proper Configuration of Integration
Broker, on page 90.
Next, deploy and configure Integration Broker.

Deploying Integration Broker

To deploy Integration Broker, you install the Integration Broker and set up a secure channel between
Integration Broker and the Citrix server farm.
Follow these guidelines when you deploy the Integration Broker.
- The VMware Identity Manager connector must be able to communicate with the Integration Broker. If
  you have multiple connector instances, ensure that all of them can communicate with the Integration
  Broker.
- To use the Netscaler feature, you must install Integration Broker 2.4 or later. For XenApp or XenDesktop
  7.x, you must install Integration Broker 2.6 or later.
- Deploying only one instance of Integration Broker per Windows Server instance is recommended.

Install Integration Broker

VMware Identity Manager uses the VMware Identity Manager Integration Broker component and the Citrix
SDK to handle single sign-on between VMware Identity Manager, Citrix server farms, and Citrix-published
resources.
You download Integration Broker from My VMware.

Prerequisites
- Install Citrix PowerShell remoting. See Enabling Citrix PowerShell Remoting on Citrix Server Farm,
  on page 61 and the Citrix documentation for more information.
- See Prepare Windows Server for Integration Broker (Windows Server 2008 R2, Windows Server 2012,
  or Windows Server 2012 R2), on page 63.

Procedure
1. Log in as a Windows administrator.
2. Open the IB.msi file to run the Integration Broker installation.
3. Type the Web location where you want to install the Integration Broker.
4. (Optional) If you created a separate pool for the Integration Broker, select your application pool.
   Caution Do not change the Virtual Directory name.
5. Click Next to finish installing Integration Broker.

Set Up Integration Broker for HTTP and HTTPS Bindings

Citrix PowerShell Remoting requires a secure HTTPS channel to make remote calls. Without a secure HTTPS
channel, you cannot enable remote invocations between Integration Broker and the Citrix server farm.
A certificate is required to use the IIS Server. You can purchase or generate a certificate from a third-party
root CA.
OpenSSL is installed by default. OpenSSL is an open source implementation of the SSL and TLS protocols.

Prerequisites
Mark the certificate key exportable. See the Microsoft documentation for more information on certificate
keys.

Procedure
1. Add the HTTPS binding to the Integration Broker Web site.
   a. Click Start > Run.
   b. Open inetmgr and right-click the default Web site.
   c. Click Edit Bindings.
   d. Add the HTTPS binding using the newly created certificate in the drop-down menu.
2. Download the Citrix Web Interface SDK 5.4 (WISDK zip file) from the Citrix Web site.
3. After the installation is finished, unzip the wisdk.zip file.
4. Copy the contents from the WI5_4_0_SDK/zipfiles/sdkdemo/wisdk directory to the default bin directory
   at c:\inetpub\wwwroot\IB\bin.
5. Restart IIS.
6. Verify that the HTTP binding produces the expected output by typing
   http://hostname/IB/API/RestServiceImpl.svc/ibhealthcheck in the address bar of a browser.
   The expected output displays.
   All ok
7. Verify that the HTTPS binding produces the expected output by typing
   https://hostname/IB/API/RestServiceImpl.svc/ibhealthcheck in the address bar of a browser.
   The expected output displays.
   All ok

Create a Self-signed Certificate Example

These instructions provide a sample for how to set up a self-signed certificate using OpenSSL for Integration
Broker.

Procedure
1. Create a self-signed certificate for the IIS server.
   a. Create the ibcerts folder to use as the working directory.
   b. Create a configuration file using the vi openssl_ext.conf command, and copy and paste the
      following OpenSSL configuration into the file.

      # openssl x509 extfile params
      extensions = extend
      [req] # openssl req params
      prompt = no
      distinguished_name = dn-param
      [dn-param] # DN fields
      C = US
      ST = CA
      O = VMware (Dummy Cert)
      OU = Horizon Workspace (Dummy Cert)
      CN = hostname (Virtual machine hostname where the Integration Broker is installed.)
      emailAddress = EMAIL PROTECTED
      [extend] # openssl extensions
      subjectKeyIdentifier = hash
      authorityKeyIdentifier = keyid:always
      keyUsage = digitalSignature,keyEncipherment
      extendedKeyUsage=serverAuth,clientAuth
      [policy] # certificate policy extension data

      Note Type the CN value before you save the file.
   c. Run this command to generate a private key.
      openssl genrsa -des3 -out server.key 1024
      Type the passphrase for server.key, for example, vmware.
   d. Rename the server.key file to server.key.orig.
      mv server.key server.key.orig
   e. Remove the password associated with the key.
      openssl rsa -in server.key.orig -out server.key
   f. Create a CSR (certificate signing request) with the generated key. The server.csr is stored in your
      working directory.
      openssl req -new -key server.key -out server.csr -config ./openssl_ext.conf
   g. Sign the CSR.
      openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt -extfile openssl_ext.conf
      The expected output displays.
      Signature ok
      subject=/C=US/ST=CA/O=VMware (Dummy Cert)/OU=Horizon Workspace (Dummy Cert)/CN=w2-hwdog-xa.vmware.com/emailAddress=EMAIL PROTECTED
      Getting Private key
   h. Create P12 format.
      openssl pkcs12 -export -in server.crt -inkey server.key -out server.p12
      Press Enter at the prompt for an export password.
      Important Do not enter a password.
      The expected output is the server.p12 file.
2. Move the server.p12 file to the Windows machine where Integration Broker is installed.
3. From the Command Prompt, type mmc.
4. Click File > Add or Remove Snap-ins.
5. In the Snap-in window, click Certificates and click Add.
6. Select the Computer account radio button.
7. Import the certificate into the root and personal store certificates.
   a. Choose All Files in the dialog.
   b. Select the server.p12 file.
   c. Click the Exportable check box.
   d. Leave the password blank.
   e. Accept the defaults for the subsequent steps.
8. Copy the certificate into the Trusted Root CAs in the same mmc console.
9. Verify that the content of the certificate includes these elements.
   - Private key
   - CN in the subject attribute that matches the Integration Broker Host Name
   - Extended key usage attribute with both client and server authentication enabled
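As an added example that is not part of this document, the following POSIX shell script runs the OpenSSL steps of this procedure in one function and then checks the three elements listed above on the resulting certificate. It assumes the openssl binary is on the PATH, uses a constructed host name and e-mail address, and generates a 2048-bit key without a passphrase instead of the 1024-bit DES3-protected key shown above, which makes the separate passphrase-removal step unnecessary.

```shell
#!/bin/sh
# Added example, not part of the VMware document. Generates the Integration
# Broker self-signed certificate with the same extensions as the
# openssl_ext.conf above and verifies the elements the procedure lists.
# Assumes the openssl binary is on PATH. Host name and e-mail address are
# constructed placeholders.

# make_ib_cert DIR HOST
# Writes openssl_ext.conf, server.key, server.csr, server.crt and server.p12
# into DIR. Returns non-zero if any OpenSSL step fails.
make_ib_cert() {
    dir="$1"; host="$2"
    mkdir -p "$dir" || return 1
    cat > "$dir/openssl_ext.conf" <<EOF
extensions = extend
[req]
prompt = no
distinguished_name = dn-param
[dn-param]
C = US
ST = CA
O = VMware (Dummy Cert)
OU = Horizon Workspace (Dummy Cert)
CN = $host
emailAddress = ib-admin@example.com
[extend]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth,clientAuth
EOF
    # 2048-bit key written without a passphrase (assumption: replaces the
    # genrsa -des3 / rsa passphrase-removal pair in the procedure).
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null || return 1
    # CSR from the config, then a one-year self-signed certificate that
    # carries the [extend] extensions.
    openssl req -new -key "$dir/server.key" -out "$dir/server.csr" \
        -config "$dir/openssl_ext.conf" 2>/dev/null || return 1
    openssl x509 -req -days 365 -in "$dir/server.csr" -signkey "$dir/server.key" \
        -out "$dir/server.crt" -extfile "$dir/openssl_ext.conf" 2>/dev/null || return 1
    # PKCS#12 bundle with an empty export password, as the procedure requires.
    openssl pkcs12 -export -in "$dir/server.crt" -inkey "$dir/server.key" \
        -out "$dir/server.p12" -passout pass: 2>/dev/null || return 1
}

# verify_ib_cert DIR HOST
# Checks the three elements the procedure says the certificate must have:
# a private key that matches the certificate, a subject CN equal to the
# Integration Broker host name, and extended key usage with both server and
# client authentication. Prints each failing check; returns 0 only if all pass.
verify_ib_cert() {
    dir="$1"; host="$2"; rc=0
    keypub=$(openssl pkey -in "$dir/server.key" -pubout 2>/dev/null)
    crtpub=$(openssl x509 -in "$dir/server.crt" -noout -pubkey 2>/dev/null)
    if [ -z "$keypub" ] || [ "$keypub" != "$crtpub" ]; then
        echo "FAIL: private key missing or does not match server.crt"; rc=1
    fi
    # sep_multiline prints one "    CN=..." line per RDN.
    cn=$(openssl x509 -in "$dir/server.crt" -noout -subject -nameopt sep_multiline 2>/dev/null \
         | sed -n 's/^ *CN=//p')
    if [ "$cn" != "$host" ]; then
        echo "FAIL: subject CN '$cn' does not match host '$host'"; rc=1
    fi
    # The EKU values are on the line after the "X509v3 Extended Key Usage" header.
    eku=$(openssl x509 -in "$dir/server.crt" -noout -text 2>/dev/null \
          | sed -n '/Extended Key Usage/{n;p;}')
    case "$eku" in
        *"TLS Web Server Authentication"*) ;;
        *) echo "FAIL: extended key usage lacks server authentication"; rc=1 ;;
    esac
    case "$eku" in
        *"TLS Web Client Authentication"*) ;;
        *) echo "FAIL: extended key usage lacks client authentication"; rc=1 ;;
    esac
    return $rc
}

# Stand-alone use: sh ib_cert.sh ./ibcerts ib.example.com
if [ "$#" -eq 2 ]; then
    make_ib_cert "$1" "$2" && verify_ib_cert "$1" "$2" && echo "server.p12 ready in $1"
fi
```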

71

Setting Up Resources in VMware Identity Manager

Synchronizing VMware Identity Manager with Citrix Server Farms

When you enable Citrix-published resource support, you establish communication and schedule the
synchronization frequency between VMware Identity Manager and the Citrix server farm.

Prerequisites
- Configure VMware Identity Manager. See VMware Identity Manager Installation and Configuration for
  information.
- Review Citrix documentation for your version of Citrix XenApp or XenDesktop at the Citrix Web site.
- Syncing Delivery Groups
  A delivery group's Delivery Type setting in Citrix determines how VMware Identity Manager syncs the
  delivery group. VMware Identity Manager syncs a delivery group only if its Delivery Type is set to
  DesktopsAndApps or DesktopsOnly. If the delivery group's Delivery Type is set to AppsOnly, its
  applications are synced but the delivery group itself is not synced and does not appear in the
  VMware Identity Manager catalog. Configure your delivery groups accordingly.
- To distribute the load in a large-scale enterprise deployment, dedicate one or more Integration Broker
  instances for sync purposes and one or more Integration Broker instances for SSO purposes.
- If you use multiple Integration Broker instances for sync purposes or for SSO purposes, put a load
  balancer in front of the Integration Broker instances. For example, if you use multiple Integration
  Broker instances for sync purposes, put a load balancer in front of those Integration Broker instances
  and note the host name or IP address of the load balancer for use during this task.
- Verify that distinguishedName is marked as a required attribute in the VMware Identity Manager
  directory. XenApp resources cannot be synced without this. Required attributes must be set before a
  directory is created. If you have already created a directory and distinguishedName is not a required
  attribute, delete the directory, make distinguishedName a required attribute in the Identity & Access
  Management > Setup > User Attributes page and then create a new directory.

Procedure
1. Log in to the VMware Identity Manager administration console.
2. Select the Catalog tab.
3. Click Manage Desktop Applications and select Citrix Published Application from the drop-down
   menu.
4. In the Published Apps - Citrix page, select the Enable Citrix-based Applications check box.
5. Enter the Sync Integration Broker or load balancer host name and port number.
   If you configured a load balancer in front of multiple Integration Broker instances used for sync
   purposes, enter the host name or IP address and port number of the load balancer.
   Select Use SSL if you are connecting to the Integration Broker over SSL.
6. Enter the SSO Integration Broker information.
   - If you are using the same Integration Broker instance for both sync and single sign-on, click the Use
     same as Sync Integration Broker button.
   - If you configured dedicated sync and SSO Integration Broker instances, enter the following
     information.
     a. Type the SSO Integration Broker or load balancer host name and port number.
        If you configured a load balancer in front of multiple Integration Broker instances dedicated to
        providing SSO, enter the host name or IP address and port number of the load balancer.
        Important Using port 443 is recommended.
     b. Select Use SSL if you are connecting to the Integration Broker over SSL.
7. Enter the Citrix server farm details.
   To add multiple farms, click +Add Server Farm.

   Version: Select the Citrix server farm version: 5.0, 6.0, 6.5, or 7.x.
   Server name: Server name assigned in your environment.
   Servers (failover order): Organize the Citrix XML brokers (servers) in failover order.
   VMware Identity Manager respects this order during SSO and under failover conditions.
   Note The XML brokers must have PowerShell Remoting enabled.
   Transport type: Transport type used in your Citrix server configuration: HTTP, HTTPS, or SSL RELAY.
   Note The transport type and port must match your Citrix server configuration.
   Port numbers: Port setting used in your Citrix server configuration.
   Note The transport type and port must match your Citrix server configuration.

8. From the Deployment Type drop-down list, select how Citrix-published resources are made available
   to users in the user portal.
   - User-Activated - VMware Identity Manager adds Citrix resources to the Catalog page in the user
     portal. To use a resource, users must move the resource from the Catalog page to the Launcher
     page.
   - Automatic - VMware Identity Manager adds the resource directly to the Launcher page in the user
     portal for users' immediate use.
   The deployment type that you select here is a global setting that applies to all user entitlements for all
   the resources in your Citrix integration. You can modify the deployment type for individual users or
   groups per resource, from the application or desktop's Entitlements page.
   Setting the global deployment type to User-Activated is recommended. You can then modify the setting
   for specific users or groups per resource.
   For more information about setting the deployment type, see Setting the Deployment Type for Citrix
   Entitlements, on page 79.
9. Select Sync categories from server farms if you want to sync categories from Citrix farms to
   VMware Identity Manager.
10. Select Do not sync duplicate applications to prevent duplicate applications from being synced from
    multiple servers. When VMware Identity Manager is deployed in multiple data centers, the same
    resources are set up in the multiple data centers. Checking this option prevents duplication of the
    desktops or applications in your VMware Identity Manager catalog.
11. In the Choose frequency field, select how frequently you want to sync resources and entitlements
    automatically from the Citrix farms. If you do not want to set up an automatic sync schedule, select
    Manually.
12. Click Sync Now to synchronize Citrix-published resources to VMware Identity Manager.
    At times, when you synchronize Integration Broker with SSL, the synchronization can be slow
    depending on factors in your environment, such as network speed and traffic. Synchronization can also
    be slow if your Citrix deployment is very large, for example, over 300 applications.
    Note The anonymous user group feature in the Citrix product is not supported with
    VMware Identity Manager.
13. Click Save.
    A dialog box appears that lists the number of applications, delivery groups (desktops), and entitlements
    that will be synced. You can click on the links to view details. Click Save and continue in the dialog
    box.

Citrix-published resources and corresponding entitlements are synchronized with
VMware Identity Manager. End users can now add Citrix-published resources to their My Apps portal and
launch them.

Configuring VMware Identity Manager for Netscaler


VMware Identity Manager supports Citrix deployments that include Netscaler. A Netscaler appliance is
typically used to provide external access to XenApp or XenDesktop applications or desktops.
If your Citrix deployment includes a Netscaler appliance, you can configure VMware Identity Manager with
the appropriate settings so that when users launch Citrix resources, the traffic is routed through Netscaler to
the XenApp server.
In VMware Identity Manager, you need to specify the Secure Ticket Authority (STA) server for each XenApp
farm. The STA server is used to generate and validate STA tickets during the application launch process.
You can also set policies on client network IP ranges that specify whether launch traffic is routed through
Netscaler to the XenApp server or whether it is routed directly to the XenApp server. This allows you to
meet both external and internal access needs.
You can also edit the ICA properties for the Netscaler configuration. ICA properties control application or
desktop delivery settings. For more information about ICA properties, see the Citrix documentation.
Note To use the Netscaler feature, you must use Integration Broker 2.4 or later. You can download
Integration Broker from My VMware. Upgrade is not supported. Uninstall the older version, then install the
new version.

Configuring Netscaler
To configure VMware Identity Manager for Netscaler, you need to specify a Secure Ticket Authority (STA)
server for each XenApp farm in your Citrix deployment. The STA server is used to generate and validate
STA tickets during the application or desktop launch process.
When a user launches an application or desktop, VMware Identity Manager obtains a ticket from the STA
server. The ticket is presented to Netscaler, along with other information, and Netscaler validates the ticket
with the STA server before establishing a secure connection to the XenApp farm.
Prerequisites
You have integrated Citrix published resources with VMware Identity Manager and completed the
configuration in the Catalog > Manage Desktop Applications > Citrix Published Applications page.


Procedure
1. In the VMware Identity Manager administration console, click the arrow on the Catalog tab and select
   Settings.
2. Select Citrix Published Applications from the left pane.
3. Select the Netscaler Configuration tab.
   The Farm UUID, Farm Name, Farm Version and XML Servers fields are populated with values from
   your Citrix deployment and you cannot modify these fields.
4. Specify one or more STA servers.
   a. In the STA Server field, enter the STA server URL in the following format.
      transporttype://server:port
      For example: http://staserver.example.com:80
      Only alphanumeric characters, period (.), and hyphen (-), are allowed in the URL.
   b. Click Add To List.
      The server appears in the XenApp STA Servers list.
   c. (Optional) Enter additional STA servers, if required. For example, you may want to specify a
      second STA server for failover purposes.
   d. If you added multiple STA servers, select the order in the XenApp STA Servers fields by clicking
      Move Up or Move Down.
5. Click Update.
   If there are multiple XenApp farms in your deployment, specify an STA server for each farm.

What to do next
Configure policies for specific network IP ranges that specify that launch traffic should be routed through
Netscaler to the XenApp server.


Configuring Access Policies for Citrix Resources


You can create policies that determine whether users' application or desktop launch traffic (ICA traffic) is
routed through Netscaler or through a direct connection to the XenApp server. This enables you to serve the
needs of users for both external and internal access to the Citrix resources in your deployment.
You set policies for specific network IP ranges. For example, you can configure an IP range for Netscaler and
another IP range for a direct connection. When a user launches an application or desktop from the
VMware Identity Manager portal, if the user's IP address falls in the range configured for Netscaler, the ICA
traffic is routed through Netscaler to the XenApp server. If the IP address falls in the direct connection
range, the ICA traffic is routed directly to the XenApp server.
If there is a conflict between policies, the latest policy is used.
Prerequisites
You have configured VMware Identity Manager for Netscaler in the Catalog > Settings > Citrix Published
Applications > Netscaler Configuration tab.
Procedure
1. Log in to the VMware Identity Manager administration console.
2. Click the Identity & Access Management tab.
3. Click Setup and select the Network Ranges tab.
4. Select an existing network range or click Add Network Range to create a new one.
5. If you are creating a new network range, provide a name and description for the network range.
6. In the XenApp section of the page, enter the following information.
   - To route ICA traffic from the specified IP range to Netscaler, do the following:
     - Enter the Netscaler host name in the Client Access URL Host field. For example:
       netscalerhost.example.com
     - Enter the port for the Netscaler host in the URL Port field. For example: 443
     - Select the Netscaler checkbox.
     This option is typically used to configure external access.
   - To route ICA traffic from the specified IP range directly to the XenApp server, do the following:
     - Enter the XenApp server host name in the Client Access URL Host field. For example:
       xenapphost.example.com
     - Enter the port for the XenApp server host in the URL Port field. For example: 443
     - Deselect the Netscaler checkbox.
     This option is typically used to configure internal access.
7. In the IP Ranges field, specify the IP range to which your selections apply.
8. Click Save.

Editing ICA Properties for Netscaler


You can configure delivery settings globally for all Citrix-published resources by editing the ICA properties.
To apply the settings to ICA traffic that is routed through Netscaler, you edit the ICA properties in the Citrix
Published Applications > Netscaler ICA Configuration or Citrix Published Delivery Groups > Netscaler
ICA Configuration tabs. For applications, use Citrix Published Applications > Netscaler ICA
Configuration. For desktops, use Citrix Published Delivery Groups > Netscaler ICA Configuration.
Application delivery settings that are set on individual Citrix resources do not apply to ICA traffic routed
through Netscaler.
Note To edit ICA properties for ICA traffic that goes through a direct connection, and not through
Netscaler, see Edit Resource Delivery Settings Globally for All Citrix-Published Resources, on page 81.
Procedure
1. Log in to the administration console.
2. Click the arrow on the Catalog tab and select Settings.
3. Select Citrix Published Applications for applications or Citrix Published Delivery Groups for
   desktops, then select the Netscaler ICA Properties tab.
   The properties fields are populated with default settings.
4. Edit the ICA client properties or launch properties.
   You can change the values of the properties or add new ones. See the Citrix documentation for
   information about ICA properties.
   Note The ICA Client Properties and ICA Launch Properties fields must be used together. Both fields
   must have values or both must be empty.
5. Click Save.

Viewing User and Group Entitlements to Citrix-Published Resources


You can see the Citrix-published applications and desktops to which your VMware Identity Manager users
and groups are entitled. Desktops are referred to as delivery groups in the VMware Identity Manager
administration console.
Important You cannot use VMware Identity Manager to make changes to your Citrix deployment. If a
Citrix administrator makes any changes, such as entitling new users to a Citrix-published resource, or
adding a new server farm, you must force a sync to propagate the changes to VMware Identity Manager.
Prerequisites
- Verify that VMware Identity Manager is integrated with your Citrix deployment. See Chapter 5, Providing
  Access to Citrix-Published Resources, on page 57.
- Synchronize information, including entitlements, from your Citrix deployment to
  VMware Identity Manager. You can force a sync with the following steps:
  1. Log in to the VMware Identity Manager administration console.
  2. Select the Catalog tab.
  3. Click Manage Desktop Applications and select Citrix Published Application from the drop-down
     menu.
  4. In the Published Apps - Citrix page, click Sync Now.

Procedure
1. Log in to the VMware Identity Manager administration console.
2. View user and group entitlements to Citrix-published resources.
   Citrix-published resources include Citrix-published applications and Citrix-published desktops, also
   referred to as delivery groups.

   Option: View the list of users and groups entitled to a specific Citrix-published resource.
   Action:
   a. Click the Catalog tab.
   b. Click Any Application Type and select Citrix Published Applications to view applications or
      Citrix Published Delivery Groups to view desktops.
   c. Click the name of the Citrix-published resource for which you want to list entitlements.
      The Entitlements tab is selected by default. Group entitlements and user entitlements are listed in
      separate tables.

   Option: View the list of Citrix-published resource entitlements for a specific user or group.
   Action:
   a. Click the Users & Groups tab.
   b. Click the Users tab or the Groups tab.
   c. Click the name of an individual user or group.
      The Entitlements tab is selected by default. Entitled Citrix-published resources are listed in the
      Citrix Published Applications and Citrix Published Delivery Groups tables on the Entitlements page.

Setting the Deployment Type for Citrix Entitlements


You can set the deployment type for Citrix-published resources, which determines how the resources are
made available to users. Setting the deployment type to User-Activated adds the resources to the Catalog
page in the user portal. To use a resource, users must move the resource from the Catalog page to the
Launcher page. Setting the deployment type to Automatic adds the resources directly to the Launcher page
in the user portal for users' immediate use.
You can set the deployment type at different levels.
- Global level
  The global setting applies to all user entitlements for all the Citrix-published resources in your
  deployment. You specify the global deployment type when you first integrate Citrix-published
  resources with VMware Identity Manager from the Published Apps - Citrix page. After the initial
  integration, you can modify the global setting from the same page. Note that if you change the global
  setting after the initial integration, the new setting only applies to new entitlements that are synced. To
  modify existing entitlements, you can change the setting at the individual resource level.
  Note Setting the global deployment type to User-Activated is recommended. In typical scenarios, you
  set the global setting to User-Activated, and then modify it to Activated for specific user and group
  entitlements.
- User or group entitlement level
  You can also set the deployment type at the individual application or desktop level for specific users
  and groups. This setting overrides the global setting. This setting will not be changed during
  subsequent syncs.

During sync, the deployment type for existing entitlements is not changed. For new entitlements in the sync,
the global setting is applied.
Note Once a resource has been activated, that is, once it appears in the Launcher page for a user, it will
continue to appear in the Launcher page unless the user deletes it. Any changes to the deployment type will
not remove it from the Launcher page.


Procedure
1. To set the deployment type at the global level, follow these steps.
   a. Click the Catalog tab and select Manage Desktop Applications > Citrix Published Application.
   b. In the Deployment Type field, select User-Activated or Automatic.
      Note Setting the global deployment type to User-Activated is recommended.
   c. Click Save.
      The setting will be applied to all new entitlements beginning with the next sync.
2. To set the deployment type for a specific user or group entitlement, follow these steps.
   a. Click the Catalog tab.
   b. Click the application or desktop whose entitlement you want to edit.
   c. Click Entitlements to display the Entitlements page for the application.
      You can view the current deployment settings for user and group entitlements in the
      DEPLOYMENT column.
   d. Click Edit next to the entitlement you want to edit.
   e. In the Edit User Entitlement dialog box, select the deployment type for the entitlement.
   f. Click Save.
      The deployment type set at the user or group entitlement level has precedence over the global
      deployment type setting, and will not be modified during sync.


Editing Delivery Settings for Citrix-Published Resources


You can edit the delivery settings of Citrix-published applications and desktops in the
VMware Identity Manager administration console. Desktops are referred to as delivery groups.
You can edit the delivery settings globally for all of the Citrix-published applications and Citrix-published
desktops available from your VMware Identity Manager deployment, or individually for specific Citrix-published resources.
You configure the delivery settings by editing Independent Computing Architecture (ICA) properties. ICA is
a Citrix proprietary protocol. A wide range of ICA properties are available, controlling areas such as
security, display, and compression. For more information about configuring ICA properties, see the Citrix
documentation.
VMware Identity Manager includes default global settings that define how the configured Citrix
deployment delivers Citrix-published resources to users. You can edit the default VMware Identity Manager
settings and add new settings.
You can also specify delivery settings for individual resources. Settings for individual resources take
precedence over global settings. When you provide ICA properties for the delivery of a specific resource, list
all the properties necessary for the Citrix deployment to deliver the resource in the manner you expect.
When delivery settings exist in VMware Identity Manager for an individual resource,
VMware Identity Manager applies only those settings and ignores all global resource delivery settings.

Edit Resource Delivery Settings Globally for All Citrix-Published Resources

You can edit the global delivery settings for Citrix-published applications and desktops in your
VMware Identity Manager deployment.
The ICA properties fields for these global settings are populated with default values until you edit them.
Important ICA properties specified in the Citrix Published Applications > ICA Configuration or Citrix
Published Delivery Groups > ICA Configuration tab apply to launch traffic that goes through a direct
connection. For launch traffic that is routed through Netscaler, see Editing ICA Properties for Netscaler,
on page 77.
Procedure
1 Log in to the administration console.
2 Click the arrow on the Catalog tab and select Settings.
3 Select Citrix Published Applications to edit ICA settings for applications or Citrix Published Delivery
  Groups to edit ICA settings for desktops.
4 In the ICA Configuration tab, edit the ICA properties according to Citrix guidelines.
  The ICA Client Properties and ICA Launch Properties fields must be used together. Both fields must
  have values or both must be empty.
5 Click Save.

Unless individual resources have their own resource delivery settings, your Citrix deployment applies the
global ICA properties when it delivers Citrix-published resources available through
VMware Identity Manager to users.

Edit the Delivery Settings for a Single Citrix-Published Resource

You can edit the delivery settings (ICA properties) for individual Citrix-published applications and desktops
in your VMware Identity Manager deployment.
The ICA properties text boxes for individual applications are empty by default.
When you edit the ICA properties of an individual Citrix-published resource, those settings take precedence
over the global settings. For information on global settings, see Edit Resource Delivery Settings Globally for
All Citrix-Published Resources, on page 81.
Important ICA properties set on individual applications or desktops do not apply to ICA traffic that is
routed through Netscaler. Only the global settings in the Netscaler ICA Properties page, accessed from the
Catalog > Settings > Citrix Published Applications tab and the Catalog > Settings > Citrix Published
Delivery Groups tab apply to ICA traffic routed through Netscaler. For more information, see Editing ICA
Properties for Netscaler, on page 77.
Procedure
1 Log in to the administration console.
2 Click the Catalog tab.
3 Click Any Application Type > Citrix Published Applications to edit settings for applications or Any
  Application Type > Citrix Published Delivery Groups to edit settings for desktops.
4 Click the name of the Citrix-published resource to edit.
5 Click Configuration.
6 View the information about the resource as carried forward from your Citrix deployment.
  The page provides several details about the resource, such as the resource name, resource ID, server
  name, and so on. Also, the page displays information about the resource's enablement. If the Enabled
  check box is not selected, the resource is disabled in your Citrix deployment.
7 If the Enabled check box is not selected and you want to hide the resource from users, select the Hide
  When Disabled check box.
8 In the ICA properties text boxes, add properties or edit existing properties according to Citrix
  guidelines.
  Note Both the ICA Client Properties and ICA Launch Properties text boxes must have values or both
  must be empty.
9 Click Save.

Managing Categories for Citrix-Published Resources


You can use the VMware Identity Manager administration console and your Citrix deployment to manage
Citrix-published resource categories.
In your Citrix deployment, you give a Citrix-published application or desktop a category name by editing
the Client application folder text box in the resource's properties. When you integrate your Citrix
deployment with VMware Identity Manager, existing category names for Citrix-published applications and
desktops are carried over to VMware Identity Manager.
After the integration, you can continue to create categories in your Citrix deployment. If you enabled the
Sync categories from server farms check box on the Published Apps - Citrix page, the new categories are
carried over to VMware Identity Manager during the next sync. See Synchronizing VMware Identity
Manager with Citrix Server Farms, on page 72.
You can also create categories directly in VMware Identity Manager. See the VMware Identity Manager
Administration Guide for information about using resource categories.
In the administration console, you can create and view categories of all Citrix-published resources by
clicking the Catalog tab, then clicking Any Application Type and selecting Citrix Published Applications
for applications or Citrix Published Delivery Groups for desktops. You can view and edit the categories of a
specific Citrix-published resource by clicking the name of the resource and selecting Details.
When you create a category in VMware Identity Manager, the category never appears in your Citrix
deployment.
When you create a category in your Citrix deployment, the category appears in VMware Identity Manager
at the next sync. When you update a category name in your Citrix deployment, the updated category name
appears in VMware Identity Manager while the original category name remains. If you want to remove the
original category name from VMware Identity Manager, you must remove it manually.

Troubleshooting VMware Identity Manager Resource Configuration

You can troubleshoot issues that you or users experience after you configure VMware Identity Manager
resources.
This chapter includes the following topics:
• Users Accessing Citrix-Published Resources Receive an Encryption Error, on page 85
• Citrix-Published Resources Are Not Available in VMware Identity Manager, on page 86
• When Users Launch a Citrix-Published Resource, the Browser Displays 500 Internal Server Error, on
  page 89
• Memory Issue Prevents Proper Configuration of Integration Broker, on page 90
• Resource Not Available Error while Launching XenApp 7.x Desktops, on page 90
• Unable to Launch Desktop from Citrix XenDesktop Farm on Windows 7, on page 91
• Users Unable to Launch View Applications or Desktops, on page 91

Users Accessing Citrix-Published Resources Receive an Encryption Error

The XenApp ICA properties in VMware Identity Manager must include the encryption property set to the
same encryption level as configured on the XenApp servers in the farm, otherwise users cannot access their
Citrix-published applications or desktops.
Problem
When a user connects to a Citrix-published resource from VMware Identity Manager, the following error
message is displayed.
You do not have the proper encryption level to access this Session

Cause
VMware Identity Manager does not set encryption levels. If the encryption level on the XenApp server is set
higher than the default setting used in the Citrix Receiver, users see this error.
You must set a higher encryption level in Workspace.

Solution
1 Log in to the administration console.
2 Click the arrow on the Catalog tab and select Settings.
3 Select Citrix Published Applications.
4 Make the following changes in both the ICA Configuration and Netscaler ICA Configuration tabs.
  a Edit the ICA Client Properties text box. To set the encryption level to 128, enter
    EncryptionLevelSession=EncRC5-128
  b Edit the ICA Launch Properties text box. To set the encryption level to 128, enter
    [EncRC5-128]
    DriverNameWin16=pdc128w.dll
    DriverNameWin32=pdc128n.dll

Citrix-Published Resources Are Not Available in VMware Identity Manager

A communication issue between Integration Broker and PowerShell SDK might prevent Citrix-Published
Applications and Desktops from appearing in the VMware Identity Manager catalog.
Problem
After you integrate Citrix with VMware Identity Manager, Citrix-published resources do not appear in the
VMware Identity Manager catalog.
Cause
A configuration issue might exist in Integration Broker that prevents proper communication with
PowerShell SDK.
Solution
You can specify URLs in a browser to troubleshoot where an Integration Broker configuration issue exists.
This troubleshooting method can help you identify if the problem is a configuration issue in the following
areas.
• The Citrix server farm
• Citrix-published resources
• Resource entitlements

If a Web page does not display the expected output, it displays an error and adds information to the
Integration Broker logs. Review the Integration Broker logs to continue the troubleshooting process.

Procedure
1 Use a browser to check the Citrix server farm information.
  a In a browser, enter a URL such as one of the following, replacing the placeholders with the
    appropriate information.
    • Citrix Server Farm 7.x
      https://IBhostname/IB/API/RestServiceImpl.svc/hznxenapp/admin/xenfarminfo?computerName=XenAppServerHostname&xenappversion=Version7x
    • Citrix Server Farm 6.5
      https://IBhostname/IB/API/RestServiceImpl.svc/hznxenapp/admin/xenfarminfo?computerName=XenAppServerHostname&xenappversion=Version65orLater
    • Citrix Server Farm 5.5 or 6.0
      https://IBhostname/IB/API/RestServiceImpl.svc/hznxenapp/admin/xenfarminfo?computerName=XenAppServerHostname&xenappversion=Legacy
  b Review the content of the Web page and, if necessary, review the Integration Broker logs.
    If Integration Broker is properly configured, the page displays Citrix server farm information,
    such as the following.
    "[{\"FarmName\":\"test data\",\"ServerVersion\":\"6.0.6410\",\"AdministratorType\":\"Full\",\"SessionCount\":\"2\",\"MachineName\":\"test data\"}]
    If the Web page does not display the server farm information, log information is sent to the
    Integration broker. To further troubleshoot the issue, review the logs on the Integration Broker
    host at %programdata%/VMware/HorizonIntegrationBroker.

2 Use a browser to list all Citrix-published resources in the server farm.
  a In a browser, enter a URL such as one of the following, replacing the placeholders with the
    appropriate information.
    • Citrix Server Farm 7.x
      To list all applications:
      https://IBhostname/IB/API/RestServiceImpl.svc/hznxenapp/admin/applications?computerName=XenAppServerHostname&xenappversion=Version7x
      To list all delivery groups:
      https://IBhostname/IB/API/RestServiceImpl.svc/hznxenapp/admin/deliveryGroups?computerName=XenAppServerHostname&xenappversion=Version7x
    • Citrix Server Farm 6.5
      https://IBhostname/IB/API/RestServiceImpl.svc/hznxenapp/admin/applications?computerName=XenAppServerHostname&xenappversion=Version65orLater
    • Citrix Server Farm 5.5 or 6.0
      https://IBhostname/IB/API/RestServiceImpl.svc/hznxenapp/admin/applications?computerName=XenAppServerHostname&xenappversion=Legacy
  b Review the content of the Web page and, if necessary, review the Integration Broker logs.
    If Integration Broker is properly configured, the page displays a list of all the resources in the
    Citrix server farm.
    If the Web page does not display a list of resources, log information is sent to the Integration
    broker. To further troubleshoot the issue, review the logs on the Integration Broker host at
    %programdata%/VMware/HorizonIntegrationBroker.

3 Use a browser to check the entitlements for a single Citrix-published resource.
  a In a browser, enter a URL such as one of the following, replacing the placeholders with the
    appropriate information.
    Replace the ApplicationName placeholder with the name of the application you are specifying.
    • Citrix Server Farm 7.x
      To check an application:
      https://IBhostname/IB/API/RestServiceImpl.svc/hznxenapp/admin/entitlements?computerName=XenAppServerHostname&xenappversion=Version7x&appName=ApplicationName
      To check a delivery group:
      https://IBhostname/IB/API/RestServiceImpl.svc/hznxenapp/admin/deliveryGroup/entitlements?computerName=XenAppServerHostname&xenappversion=Version7x&deliveryGroupName=deliveryGroupName
    • Citrix Server Farm 6.5
      https://IBhostname/IB/API/RestServiceImpl.svc/hznxenapp/admin/entitlements?computerName=XenAppServerHostname&xenappversion=Version65orLater&appName=ApplicationName
    • Citrix Server Farm 5.5 or 6.0
      https://IBhostname/IB/API/RestServiceImpl.svc/hznxenapp/admin/entitlements?computerName=XenAppServerHostname&xenappversion=Legacy&appName=ApplicationName
  b Review the content of the Web page and, if necessary, review the Integration Broker logs.
    If Integration Broker is properly configured, the page displays a list of all the entitlements for
    the application or delivery group you specified.
    If the Web page does not display a list of entitlements, log information is sent to the Integration
    broker. To further troubleshoot the issue, review the logs on the Integration Broker host at
    %programdata%/VMware/HorizonIntegrationBroker.
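As an added example (not VMware's code), the following Python script assembles the three Integration Broker diagnostic URLs from the procedure above for each supported farm version and decodes the farm-information response, which the broker returns as a JSON string whose contents are themselves JSON (hence the escaped quotes in the sample output). The host names, the application name and the sample response body are constructed placeholders.

```python
"""Build Integration Broker diagnostic URLs and decode the xenfarminfo reply.
Added example; host names, resource names and SAMPLE_FARM_BODY are constructed."""
import json
from urllib.parse import urlencode

# Values accepted by the xenappversion query parameter, per the procedure above.
XENAPP_VERSIONS = {
    "7.x": "Version7x",
    "6.5": "Version65orLater",
    "6.0": "Legacy",
    "5.5": "Legacy",
}

# Endpoint path segment for each check; delivery-group checks exist only for 7.x.
ENDPOINTS = {
    "farm": "xenfarminfo",
    "applications": "applications",
    "deliveryGroups": "deliveryGroups",
    "entitlements": "entitlements",
    "deliveryGroupEntitlements": "deliveryGroup/entitlements",
}
ADMIN_PATH = "/IB/API/RestServiceImpl.svc/hznxenapp/admin/"


def diagnostic_url(ib_host, farm_host, version, check, name=None):
    """Return the HTTPS URL for one diagnostic check against the Integration Broker."""
    ver = XENAPP_VERSIONS[version]
    if check.startswith("deliveryGroup") and ver != "Version7x":
        raise ValueError("delivery-group checks apply only to Citrix 7.x farms")
    params = {"computerName": farm_host, "xenappversion": ver}
    if check == "entitlements":
        if not name:
            raise ValueError("appName is required for an entitlement check")
        params["appName"] = name
    elif check == "deliveryGroupEntitlements":
        if not name:
            raise ValueError("deliveryGroupName is required")
        params["deliveryGroupName"] = name
    return f"https://{ib_host}{ADMIN_PATH}{ENDPOINTS[check]}?{urlencode(params)}"


def decode_broker_json(body):
    """The broker wraps its JSON in a JSON string (escaped quotes in the page's
    sample), so the first json.loads() yields a str; decode once more in that case."""
    value = json.loads(body)
    if isinstance(value, str):
        value = json.loads(value)
    return value


def farm_summary(body):
    """Reduce the xenfarminfo response to the fields an administrator checks first."""
    farms = decode_broker_json(body)
    if not isinstance(farms, list) or not farms:
        raise ValueError("no farm information in response; check the broker logs")
    return [
        {"FarmName": f["FarmName"], "ServerVersion": f["ServerVersion"],
         "SessionCount": int(f["SessionCount"])}
        for f in farms
    ]


# Constructed response body modelled on the sample shown in the procedure above.
SAMPLE_FARM_BODY = (
    '"[{\\"FarmName\\":\\"test data\\",\\"ServerVersion\\":\\"6.0.6410\\",'
    '\\"AdministratorType\\":\\"Full\\",\\"SessionCount\\":\\"2\\",'
    '\\"MachineName\\":\\"test data\\"}]"'
)

if __name__ == "__main__":
    print(diagnostic_url("ib.example.com", "xenapp01", "7.x", "farm"))
    print(farm_summary(SAMPLE_FARM_BODY))
```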

When Users Launch a Citrix-Published Resource, the Browser Displays 500 Internal Server Error

A mismatch between the configurations of the Citrix server farm and VMware Identity Manager might
cause the launch of Citrix-published resources to fail.
Problem
Launching a Citrix-published resource fails as the browser displays 500 Internal Server Error.
Cause
A 500 error occurs when the Citrix server farm information provided in the administration console does not
match the Citrix server configuration.
Solution
1 Note the settings of the transport type, port number, and SSL relay port number of each server farm
  integrated with your VMware Identity Manager deployment.
2 Log in to the VMware Identity Manager administration console.
3 Select the Catalog tab.
4 Click Manage Desktop Applications and select Citrix Published Applications.
5 In the Server Farms section, change the Transport type, Port, and SSL Relay Port settings for each
  server farm to match the settings in your Citrix server configuration.

Memory Issue Prevents Proper Configuration of Integration Broker

When you integrate VMware Identity Manager with Citrix server farm versions 6.0 and earlier, insufficient
memory allotted to PowerShell SDK results in an error.
Problem
When you issue the Invoke-Command command to verify PowerShell remoting, an error related to insufficient
memory appears. You are instructed to issue the Invoke-Command command during Prepare Windows
Server for Integration Broker (Windows Server 2008 R2, Windows Server 2012, or Windows Server 2012
R2), on page 63.
Cause
On the Windows system where PowerShell remoting is executed, the memory allotted to PowerShell SDK
might be insufficient for the number of Citrix-published resources.
Solution
You can increase the memory allotted to the PowerShell SDK.
Procedure
1 When the error appears, issue the command to increase the allotted memory. For example,
  winrm set winrm/config/winrs '@{MaxMemoryPerShellMB="1024"}'
2 Reissue the Invoke-Command command and complete the task.

Resource Not Available Error while Launching XenApp 7.x Desktops

Users are unable to launch a XenApp 7.x desktop. A Resource not available error appears.
Problem
While launching a desktop from a XenApp 7.x delivery group, users get a Resource not available error.
Cause
Machine catalogs created using the Citrix Machine Creation server have power management switched on by
default. This results in the machine being shut down after logging off.
Solution
1 Turn off the power management option for the delivery group in the Citrix XenApp 7.x server.
2 Sync the Citrix-published resources to the VMware Identity Manager service again.

Unable to Launch Desktop from Citrix XenDesktop Farm on Windows 7

On Windows 7, users are unable to launch desktops from a Citrix XenDesktop farm when SSL is enabled for
the Integration Broker.
Problem
If SSL is enabled for the Integration Broker, when users launch a desktop on Windows 7, sometimes the
desktop does not start and displays the following error: "The connection to desktop failed with status 1030."
This problem has been observed intermittently on Firefox but may also occur on other browsers.
Solution
See the Citrix Knowledge Center article, Troubleshooting 1030 Error on Windows 7 Image, for more
information about this problem.

Users Unable to Launch View Applications or Desktops

Users are unable to launch Horizon 7, Horizon 6, or View applications or desktops from the
VMware Identity Manager user portal.
Problem
Users are unable to launch Horizon 7, Horizon 6, or View applications or desktops from the
VMware Identity Manager user portal and the following error appears in the user interface:
Error launching resource. Please contact your IT Administrator.

Cause
This error might occur if the SAML metadata on the View Connection Server instances expired after the last
sync.
Solution
1 In the administration console, click the Catalog tab.
2 Click Manage Desktop Applications > View Application.
3 In the Pods and Sync tab of the View Pools page, click Sync Now to sync View resources to
  VMware Identity Manager again.


Index

Numerics
1030 error on Windows 7 91
500 Internal Server Error 89

A
access policy sets, Web-application-specific 10-12
Active Directory, join 23
application records
  Web applications 11
  Web applications from the cloud application catalog 10
applications, Web 9-12

B
browser 40

C
catalog, Web applications 9
Citrix deployment 57
Citrix Receiver 57
Citrix resources access policies 76
Citrix server 62, 89
Citrix XenDesktop 57
Citrix Power Shell Remoting 61
Citrix PowerShell Remoting 62
Citrix server farm 62, 89
Citrix-published applications 57, 58, 78, 81-83, 85
Citrix-published desktops 57, 58, 78, 81-83, 85
Citrix-published resources 57, 58, 78, 81-83, 85, 89
Citrix-published resource support 72
cloud application catalog, Web applications 10
Cloud Pod Architecture 30, 31
cloud pod federation 27, 32
configure, SAML authentication 26, 36, 51
connector deployment options for Horizon Air 46
create 50

D
deployment type 39, 54, 79
deprovision Google groups 20

E
enable 37
entitlements, Web applications 13
example 70

G
global resource settings 81
Google Apps provisioning adapter 15, 18, 20
Google group provisioning 18
group provisioning, Google 18

H
Horizon 6 cloud pod federation 27
Horizon Air integration 46
Horizon Air application pools 53
Horizon Air cloud pod federation 32
Horizon Air desktop pools 53
Horizon Air desktops and applications 47
Horizon Air Desktops and Apps 53, 55
Horizon Air Desktops and Apps entitlements 53
Horizon DaaS desktops and application pools, See VMware Horizon DaaS desktops and application pools
HTML 5 40
HTTPS on IIS 69

I
ICA properties 81, 82, 85
Independent Computing Architecture 81
install 68, 69
integrate 45
Integration Broker 63, 69, 72, 86, 90
Integration Broker Server 68

J
join, Active Directory Domain 23

L
launch error, View resources 91

M
multitenant Web applications 9

N
Netscaler 74, 76
Netscaler configuration 74, 77
Netscaler ICA properties 77

P
pod federation 27, 30, 32
pod federations 31
PowerShell Remoting 61
PowerShell remoting 90
PowerShell SDK 86, 90
prerequisites for integrating Horizon Air desktops and applications 47
provisioning adapters 14, 15

R
Resource not available error 90

S
SAML 9-11, 20
SAML authentication 26, 36, 50, 51
self-signed certificate 70
single sign-on 20
SSL trust, update on View Connection Server 26, 37
sync
  View Connection Server 23
  VMware Horizon DaaS Connection Server 48
sync Active Directory 52

T
troubleshooting 85

U
users
  View Hosted Applications 38
  viewing entitlements to View desktop pools 38

V
View, deployment scenario 22
View entitlements 38
View application pools 38
View Connection Server 38
View desktop pools, providing access 21
View desktop
  allow reset 43
  start 42
View desktop pools, See View desktop pools
View Hosted Application 38
View pods 24
VMware Horizon DaaS 45
VMware Horizon DaaS desktops and application pools, providing access 45

W
Web application bundle 12
Web applications
  adding 9
  entitling 13
  multitenant 9

X
XenApp 7.x desktop 90
XenDesktop 57
