Security-related settings are provided in the ADM template file for View Agent (vdm_agent.adm). Unless noted otherwise, the settings include only a Computer Configuration setting.

Security settings are stored in the registry on the guest machine under HKLM\Software\VMware, Inc.\VMware VDM\Agent\Configuration.

Security-Related Settings in the View Agent Configuration Template

Setting

Description

AllowDirectRDP

Determines whether clients other than Horizon Client devices can connect directly to View desktops with RDP. When this setting is disabled, View Agent permits only View-managed connections through Horizon Client.

When connecting to a remote desktop from Horizon Client for Mac OS X, do not disable the AllowDirectRDP setting. If this setting is disabled, the connection fails with an Access is denied error.

By default, while a user is logged in to a View desktop session, you can use RDP to connect to the virtual machine from outside of View. The RDP connection terminates the View desktop session, and the View user's unsaved data and settings might be lost. The View user cannot log in to the desktop until the external RDP connection is closed. To avoid this situation, disable the AllowDirectRDP setting.

Important: For View to operate correctly, the Windows Remote Desktop Services service must be running on the guest operating system of each desktop. You can use this setting to prevent users from making direct RDP connections to their desktops.

This setting is enabled by default.

The equivalent Windows Registry value is AllowDirectRDP.

AllowSingleSignon

Determines whether single sign-on (SSO) is used to connect users to desktops and applications. When this setting is enabled, users are required to enter their credentials only once, when they log in to the server. When this setting is disabled, users must reauthenticate when the remote connection is made.

This setting is enabled by default.

The equivalent Windows Registry value is AllowSingleSignon.

CommandsToRunOnConnect

Specifies a list of commands or command scripts to be run when a session is connected for the first time.

No list is specified by default.

The equivalent Windows Registry value is CommandsToRunOnConnect.

CommandsToRunOnDisconnect

Specifies a list of commands or command scripts to be run when a session is disconnected.

No list is specified by default.

The equivalent Windows Registry value is CommandsToRunOnReconnect.

CommandsToRunOnReconnect

Specifies a list of commands or command scripts to be run when a session is reconnected after a disconnect.

No list is specified by default.

The equivalent Windows Registry value is CommandsToRunOnDisconnect.

ConnectionTicketTimeout

Specifies the amount of time in seconds that the View connection ticket is valid.

Horizon Client devices use a connection ticket for verification and single sign-on when connecting to View Agent. For security reasons, a connection ticket is valid for a limited amount of time. When a user connects to a View desktop, authentication must take place within the connection ticket timeout period or the session times out. If this setting is not configured, the default timeout period is 900 seconds.

The equivalent Windows Registry value is VdmConnectionTicketTimeout.

CredentialFilterExceptions

Specifies the executable files that are not allowed to load the agent CredentialFilter. Filenames must not include a path or suffix. Use a semicolon to separate multiple filenames.

No list is specified by default.

The equivalent Windows Registry value is CredentialFilterExceptions.

For more information about these settings and their security implications, see the View Administration document.
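
The following audit sketch is an added example, not part of the original document or VMware's tooling. It reads the registry key named above and reports AllowDirectRDP left enabled, a VdmConnectionTicketTimeout longer than the 900-second default, and CredentialFilterExceptions entries that break the no-path, no-suffix rule. The function name, the string encoding of values ("true"/"false") and the sample data are assumptions.

```powershell
# Added example, not VMware code. Assumptions: values are readable as strings
# and booleans are encoded as "true"/"false" (the page does not give data types).
$KeyPath = 'HKLM:\Software\VMware, Inc.\VMware VDM\Agent\Configuration'

function Test-ViewAgentSecuritySetting {
    param([hashtable]$Config)
    $findings = @()

    # Enabled by default, so a missing value counts as enabled.
    if ("$($Config['AllowDirectRDP'])" -notmatch '^(false|0)$') {
        $findings += 'AllowDirectRDP: direct RDP from outside View is permitted'
    }

    # 900 seconds applies when the timeout is not configured.
    $timeout = 900
    $raw = $Config['VdmConnectionTicketTimeout']
    if ($null -ne $raw -and -not [int]::TryParse("$raw", [ref]$timeout)) {
        $findings += "VdmConnectionTicketTimeout: '$raw' is not a number of seconds"
    } elseif ($timeout -gt 900) {
        $findings += "VdmConnectionTicketTimeout: $timeout s exceeds the 900 s default"
    }

    # Filenames are semicolon-separated and must not include a path or suffix.
    foreach ($name in ("$($Config['CredentialFilterExceptions'])" -split ';')) {
        $name = $name.Trim()
        if ($name -match '[\\/:.]') {
            $findings += "CredentialFilterExceptions: '$name' includes a path or suffix"
        }
    }
    $findings
}

# Constructed sample values, used when the key is absent (for example off-host).
$config = @{
    AllowDirectRDP             = 'true'
    VdmConnectionTicketTimeout = '3600'
    CredentialFilterExceptions = 'backupagent;C:\Tools\helper.exe'
}
if (Test-Path -LiteralPath $KeyPath) {
    # On a View desktop, audit the live values instead of the sample.
    $config = @{}
    $props = Get-ItemProperty -LiteralPath $KeyPath
    foreach ($p in $props.PSObject.Properties) { $config[$p.Name] = $p.Value }
}
Test-ViewAgentSecuritySetting -Config $config
```

With the constructed sample, the function returns three findings: AllowDirectRDP enabled, a 3600-second ticket timeout, and the `C:\Tools\helper.exe` entry.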