Anterovium - Fotolia
VMware's Workspace Portal can be users' go-to place to launch applications, and if you use View to deliver virtual desktops to users or RDSH in Horizon 6 to publish applications, the Workspace Portal is an even more valuable tool. Luckily, adding View pools to a Workspace appliance is a straightforward process.
With single sign-on (SSO) and access to many different resource types, VMware's Workspace Portal aims to be the central place for your users to start when they want to access applications. It is really a customizable, browser-based launcher with a self-service app store that workers can use to access their desktops and applications from any device. Workspace centralizes Web apps, ThinApp and XenApp applications, as well as published Remote Desktop Session Host (RDSH) applications. You can also give users access to VMware virtual desktop pools from the same launch page.
This article will walk you through adding View pools to an existing Workspace Portal. Once integrated, users can add virtual desktops to their portals and launch them without having to authenticate themselves again.
Integrating View with Workspace
The process of integrating View into Workspace is fairly straightforward. First, make sure your Workspace appliance is joined to Active Directory (AD) and that directory Sync requires user accounts have User Principal Name (UPN) attributes. Then tell View to trust Workspace and tell Workspace where to find View.
Joining the appliance to AD uses the same process you would use to join many other VMware appliances: Identify the domain by its domain name system (DNS) name and provide credentials with rights to add a computer to the domain. Because the initial appliance setup involves LDAP access to AD, you will already have the right DNS, routing and firewall configuration.
It's best to add the requirement for UPNs for synchronized accounts as you set up the appliance. If you add this requirement after accounts are synchronized and before you have UPNs, the accounts will be removed from Workspace. It's a good idea to do a manual directory sync so you can check to see if any accounts get removed.
Your View Connection Servers need to be told that the Workspace Portal will authenticate users and use SAML to validate these users against View.
Using SAML involves View trusting Workspace for authentication, rather than having users log on with their AD credentials again. On each connection server you must allow "Delegation of Authentication to VMware Horizon," and on one connection server you must also set up the authenticators.
To setup an authenticator, simply give Workspace a name in View, then enter the URL of your Workspace server. If your View environment doesn't trust the Secure Sockets Layer certificates on your Workspace server, then you will need to confirm that you accept the certificate. This is a great reason to put a trusted certificate on Workspace, even if it's one issued by your internal certificate authority.
Setting things up on the Workspace side is simple too:
Enter the name of one of your connection servers and provide some View administrator credentials to connect. Again, having trusted certificates will make this simple and immediate. If you are still using the default self-signed certificates, then you will need to confirm them, also a two-click process.
Once the connection servers are set up, you can configure scheduled sync and whether virtual desktop pools should be automatically added to users' Workspaces. Frequent sync means that changes to users' pool entitlements will appear in their Workspace sooner. Leaving the pools set as User Initiated means pools appear on the App Center page, rather than on their portals. The Automatic setting puts the pools on the portal immediately.
One possible stumbling block for this process is if there is a firewall separating your Workspace server from your View Connection Servers. Workspace needs to access both View Web services and the Active Directory Application Mode instance on the connection servers. Make sure HTTPS and the AD ports are open from Workspace to all your Connection servers.
Once a View pool is added to Workspace and synchronized, users will be able to add their pools to their portals or remove them. Workspace controls Web app entitlement, but View controls View pool entitlement. Both usually use AD groups to control access to resources. View pools also have the same icons in Workspace as they do in View, helping users identify their pools.
Managing linked clone desktop pools in View
Differences between creating Citrix and VMware pools