The global lockdown has sharply increased the use of VDI and remote client access. Ensuring that remote working is both performant and secure is key. Horizon 7 is one such tool: it relies on encrypted connections and several authentication protocols to provide safe and controlled access to physical computers at the office.

When employees need to access their work computers remotely, VMware Horizon can be configured to allow access to physical machines located at the office.

To avoid tricky and insecure workarounds for reaching corporate computers from home, VMware Horizon provides safe and controlled access to physical computers located at the office, with a limited deployment and management load on the IT staff.

The concept is to have a working Horizon Connection Server located in the corporate LAN, reachable via VPN or from the Internet through the Unified Access Gateway component. If the Horizon infrastructure is not already implemented, it takes only minutes to set up the required components for this purpose.

Horizon Connection Server

Horizon relies on encrypted connections and supports different authentication methods such as Active Directory, RADIUS, certificates and so on, offering secure connections.

This procedure allows administrators to make physical machines located in the corporate LAN reachable by remote users and to assign access to specific users.

Prerequisites

To implement Horizon as a solution to connect to physical machines, you need the following components:

  • A Windows Server joined to an Active Directory domain with Horizon Connection Server installed.
  • A remote connection solution (VPN or Unified Access Gateway).
  • The Horizon Agent installed on the physical machines to connect to.

Although Windows 7 SP1 and Windows 10 clients use the RDP protocol to connect, starting from Horizon 7.7, Windows 10 Enterprise clients (builds 1803-1809 and 1903-1909) can also take advantage of the Blast Extreme protocol, which provides better performance. Check the compatibility matrix to verify whether the Blast Extreme protocol is supported on your clients with the Horizon version used.

Install Horizon Agent on physical machines

All physical machines located in the workplace that need to be reachable by Horizon require the Horizon Agent installed.

Download the Horizon Agent from the VMware website and run the installer on each physical machine.

Horizon Agent

Click Next to proceed with Horizon Agent installation.

Horizon Agent installation

Accept the EULA and click Next.

Accept the EULA

Select the Desktop Mode option and click Next.

Desktop Mode

Specify the protocol to be used for establishing the connection, then click Next.

Specify the protocol

Leave the default program features selected and click Next.

Custom setup

Click Install to install Horizon Agent on the physical machine.

Install Horizon Agent

The Horizon Agent is being installed.

The Horizon Agent

When the installation has been completed, click Finish to exit the installation wizard.

Finish to exit the installation wizard

Click Yes to reboot the system to complete the installation.

Reboot the system

 

Configure VMware Horizon 7 to access physical machines

Once the Agents have been installed, open the Horizon Connection Server Admin page, enter the correct credentials and click Sign in. To connect physical machines only, it is not necessary to specify a vCenter Server in the Horizon configuration.

Sign in VMware Horizon 7

Go to the Desktops section under Inventory and click Add to configure a new Desktop Pool.

Desktop Pool

Select the Manual Desktop Pool option and click Next.

Select Manual Desktop Pool

Since the machines are not virtual, select the Other sources option and click Next.

Since we need to specify which users have access to which physical machines, select the Dedicated item, leaving the other options unchecked.

select Dedicated item leaving other options unchecked

Specify an ID and a Display Name for the Desktop Pool to create and, optionally, a Description. Click Next to continue.

Specify an ID

From the Automatically Logoff After Disconnect drop-down menu, specify how the logoff should take place. Enable the Display Assigned Machine Name option to display the machine name instead of the Desktop Pool name in the Horizon Client. Click Next.

Enable the Display Assigned Machine Name

Specify the Default Display Protocol and whether users are allowed to choose the protocol to use. Enable the HTML Access option (it requires the Blast protocol) to allow access to physical machines through the preferred browser. With HTML Access you don't need to install the Horizon Client to connect to the remote machine. Click Next.

Default Display Protocol

Additional info about the HTML Access option.

HTML Access option

Select the machines to add to the Desktop Pool (only the machines with the Horizon Agent installed are displayed) and click Next.

Select the machines

Click Submit to create the Desktop Pool.

The Desktop Pool has been created successfully. Note that the Entitled column reports a value of 0.


Add entitlements

To assign users to the created Desktop Pool (that is, to define who can actually use the selected pool), click Entitlements and select Add Entitlements.

Add entitlements

Click Add.

Click Add Entitlements

Specify the Domain and a Name/User Name filter to quickly identify the correct group/user, then click Find. User names or Group names that contain the entered string are displayed. Select the User/Group to use and click OK.

Specify the Domain

Click OK to confirm the selected User/Group.

Selected User/Group

Now click the Pool ID name link to check the assigned entitlements.

Pool ID name link

Go to the Entitlements tab and check that the specified User/Group has been set.

Specified User/Group

Assign users to machines

The next step is the assignment of users to specific machines. Go to the Machines tab and select the physical machine to assign. From the More Command drop-down menu, select Assign User.

Machines tab

If you receive this warning, just click OK to continue.

Warning

Enter the correct Domain and specify the Name/User Name to find, then click Find. Select the user and click OK.

Enter the correct Domain

The selected user has been assigned to the chosen machine.

ManualPool

The Horizon Connection Server configuration is now complete.

Test the connection

To test the connection, you may need to establish a VPN connection to your office first if the Unified Access Gateway is not available.

Open your preferred browser and enter the address https://<dns_horizon_server>/portal. If the Blast Extreme protocol is supported, select VMware Horizon HTML Access.

VMware Horizon HTML Access

If you receive an error message like this one, you need to tweak your Horizon Connection Server configuration.

Error message

Log in to your Horizon Connection Server and create a new file in the C:\Program Files\VMware\VMware View\Server\sslgateway\conf folder with the following name:

locked.properties

Add the following line in the locked.properties file then save the file.

checkOrigin=false

From Services, restart the VMware Horizon View Connection Server service.

VMware Horizon View Connection Server
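
Added example, not part of the original article or of VMware's shipped files: checkOrigin=false switches off the Connection Server's Origin-header check for all requests, so a narrower alternative is to leave the check enabled and list the external names that clients actually type. It assumes the error above was the origin check rejecting the name used in the browser; balancedHost and portalHost.N are documented Horizon 7 properties, and every host name shown is a constructed placeholder.

```properties
# locked.properties on each Horizon Connection Server
# Folder: C:\Program Files\VMware\VMware View\Server\sslgateway\conf
# All host names in this file are constructed placeholders.

# --- Setting used in the article -------------------------------------
# Disables origin checking entirely. The Connection Server then accepts
# HTML Access requests whatever Origin header the browser sends, which
# removes its protection against cross-site request forgery.
# checkOrigin=false

# --- Narrower alternative: keep the check, declare the real names ----
# Leave checkOrigin unset (the default is enabled) and tell the server
# which external names are legitimate origins.

# Name clients use when they reach the Connection Server through a
# load balancer or a DNS alias:
balancedHost=horizon.example.com

# Names of gateways that front the Connection Server, such as
# Unified Access Gateway appliances. Number the entries from 1:
portalHost.1=uag1.example.com
portalHost.2=uag2.example.com
```

As with the article's change, the file is only read after the VMware Horizon View Connection Server service is restarted.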

Now the connection to the Horizon server can be established successfully. Enter the username and password, then click Login.

Login to VMware Horizon

From the Horizon Dashboard, click the assigned machine to connect.

Horizon Dashboard

The login screen of the physical machine is displayed. Enter the credentials and press Enter.

Enter the credentials

The user is now connected to the physical computer located at the office and can carry out their work.

Connected to the physical computer

In case of unpredictable events such as the COVID-19 pandemic, this solution allows companies to save a lot of money, since purchasing expensive computers for employees working from home is not necessary. A simple and cheap computer may suffice for the user to connect to the workplace and become productive again.

Paolo Valsecchi
System Engineer, VCP-DCV, vExpert, VMCE, Veeam Vanguard, Author of virtual blog nolabnoparty.com