Using VMware Horizon to connect to remote computers without a VPN

The ongoing COVID-19 pandemic has forced many businesses and organizations to implement remote work solutions in a hurry, often without proper planning and preparation. Companies have tried various solutions to allow their employees to work safely from home instead of coming into crowded office environments. Mark Van Noy has been dealing with this situation at the University of Colorado Boulder, where he manages the virtual desktop infrastructure. They have implemented VMware Horizon, which securely delivers virtual desktops and apps across the hybrid cloud. Mark describes below how they use this platform to enable remote access to physical computers. Readers who are already using VMware in their environment may find Mark's explanation helpful for enabling safe remote work for their own users.

What problem are we trying to solve?

With the increase in work from home, more employees are accessing their work desktop remotely. The most obvious way to accomplish this on Windows systems is to give the end-user the IP address or DNS name of the computer, then have them use Remote Desktop Protocol (RDP) after connecting through the company's VPN. Using RDP certainly works, but connecting to the VPN adds complexity for the end-user, and RDP is not a great protocol for connections with high latency. For companies that already have a VMware Horizon View environment for providing VDI, there is an alternative.

What does VMware Horizon View do to solve the problem?

The Horizon View infrastructure brings flexibility, efficiency, and ease of use for end-users. By leveraging existing infrastructure, the Horizon product allows physical computers to function like full VDI virtual machines. For example, a pool of physical computers can be created without assigned users. When end-users log in, they are automatically assigned an available computer in the pool. With a conventional Remote Desktop connection, there is no convenient way to tell if someone is already logged into a computer; the end-user has to connect to the named computer itself. Similarly, pools of physical computers can be created that assign users to specific computers, so that the H.264-based Blast protocol can be used for latency-tolerant display of the desktop. Using VMware Horizon also removes the risk of an RDP connection bumping an already connected session when a new user tries to connect to a physical computer.

What is needed to get started?

First and foremost, an existing VMware Horizon View infrastructure is needed, as it is unlikely to be worth the effort to build out new servers simply for a better way to connect to physical computers. It is also highly desirable to have at least one User Access Gateway (UAG) to remove the need for an active VPN connection.

Detailing how to configure VMware Connection servers and UAG appliances is beyond the scope of this article. The capabilities of the built-out VDI infrastructure carry over to the physical pools: if HTML access to VDI has been fully configured, for instance, then end-users can access physical computers from a web browser without installing any client software.

How to implement VMware Horizon

Begin by creating a new set of Group Policies to limit the number of connections that can be made simultaneously to any individual computer and to allow the appropriate users to connect. The VMware Horizon agent relies on some RDS settings to determine how it should behave. For example, the agent assumes that Windows allows multiple Remote Desktop connections, which by default results in non-server flavors of Windows kicking logged-in users off when another user tries to connect. Setting the maximum number of connections allowed to 1 prevents sessions from getting kicked. Similarly, the Horizon agent relies on the Remote Desktop Users group to determine who is allowed to log in, so the appropriate users must be added to the Remote Desktop Users local group. For more granularity, Group Policy Preferences could be used instead of the older GPO settings specified below.

Computer Configuration\Policies\Windows Settings\Security Settings\Restricted Groups\Remote Desktop Users

Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections\Limit Number Connections

  • Enabled
  • RD Maximum Connections allowed = 1
  • Restrict Remote Desktop Services users to a single Remote Desktop Services session: Enabled

Next, the agent itself needs to be deployed to the physical computers that should be managed. The best way to deploy the agent is to use the command line install switches, even if the agent is installed manually. The interactive installer does not expose the option to set the VDM_VC_MANAGED_AGENT property to false, which is a required setting for using the agent on physical computers. Note that there is no space on the command line between the double quote after /v and the forward slash before qn. If a space is placed between these elements, the install will fail.

VMware-Horizon-Agent-x86_64-7.12.0-15805436.exe /s /v"/qn VDM_VC_MANAGED_AGENT=0 VDM_SERVER_NAME=<broker/connection server> VDM_SERVER_USERNAME=<username> VDM_SERVER_PASSWORD=<password>"

The username and password need to be a service account with appropriate permissions to join computers to the domain used. There are also additional options that can be specified as properties on the command line. (VMware provides a list of the available options.)
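As an added example (not from the article or from VMware), the following PowerShell checks the two GPO settings and the group membership described above on a physical computer, then runs the silent agent install with the exact quoting the installer requires. The installer path, the connection server name and the registry value names behind the two policies are assumptions.

```powershell
# Added example (not from the article): pre-flight checks for the two GPO
# settings and the group membership the article calls for, followed by the
# silent agent install with the quoting it requires. The installer path, the
# connection server name and the registry value names are assumptions.

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

function Test-HorizonPhysicalPrereqs {
    $p = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
    $ok = $true
    # MaxInstanceCount is what "Limit number of connections" writes; 1 keeps a
    # new Horizon logon from bumping the session already on the machine.
    if ($p.MaxInstanceCount -ne 1) {
        Write-Warning "Limit number of connections is not 1 (found: $($p.MaxInstanceCount))"
        $ok = $false
    }
    # fSingleSessionPerUser backs "Restrict ... to a single RDS session".
    if ($p.fSingleSessionPerUser -ne 1) {
        Write-Warning 'Single session per user is not enabled'
        $ok = $false
    }
    # The agent grants logon only to members of the local Remote Desktop Users group.
    $members = Get-LocalGroupMember -Group 'Remote Desktop Users' -ErrorAction SilentlyContinue
    if (-not $members) {
        Write-Warning 'Remote Desktop Users is empty; no one will be able to connect'
        $ok = $false
    }
    return $ok
}

function Install-HorizonAgentPhysical {
    param(
        [string]$Installer = '.\VMware-Horizon-Agent-x86_64-7.12.0-15805436.exe',
        [Parameter(Mandatory)] [string]$ConnectionServer,
        [Parameter(Mandatory)] [pscredential]$Credential   # domain-join service account
    )
    # MSI properties ride inside /v"..."; there must be NO space between /v" and /qn.
    $plain = $Credential.GetNetworkCredential().Password
    $msiArgs = "/qn VDM_VC_MANAGED_AGENT=0 VDM_SERVER_NAME=$ConnectionServer " +
               "VDM_SERVER_USERNAME=$($Credential.UserName) VDM_SERVER_PASSWORD=$plain"
    $proc = Start-Process -FilePath $Installer -ArgumentList "/s /v`"$msiArgs`"" -Wait -PassThru
    return $proc.ExitCode   # 0 = installed; the computer should then check in with the broker
}

if (Test-HorizonPhysicalPrereqs) {
    # Prompting avoids leaving the service account password in a script on disk.
    Install-HorizonAgentPhysical -ConnectionServer 'cs01.example.edu' -Credential (Get-Credential)
}
```

Run it in an elevated Windows PowerShell session on the physical computer after the GPOs have applied; a computer that passes the checks and returns exit code 0 should appear as a selectable machine when the pool is created.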

Once the agent has been installed, the final step is to create pools using the Horizon Management Console. Since physical pools of computers cannot be directly managed by VMware, the options are significantly limited compared to setting up a traditional VM-based pool. This actually makes setting up a pool fairly simple. When creating a new pool, select the Manual desktop pool option. Then select the Other sources option when prompted for the source of the computers. The user assignment can be either floating or dedicated, with floating being the better choice for training labs. If access through a web browser is a desired feature, then the Remote Display Protocol should be set to VMware Blast. Otherwise, PCoIP or RDP could also be used. For step seven of pool creation, at least one computer must be added to the pool. This is why it was important to install the agent on the desired computers before creating pools: Horizon will only offer computers for the pool that have checked in with the Connection servers through the installed agent.

Since VMware Tools cannot be installed on physical computers, some functionality is missing. Most notably, if multiple NICs are present on the physical computer, or virtualization software such as Hyper-V has created multiple virtual NICs, the Horizon agent can become confused as to which NIC it should communicate over. This can cause computers to show up in Problem Computers as Agent Unreachable. If a computer needs to have multiple NICs and still be accessible through Horizon, VMware has provided documentation on how to specify which network interface should be used. That documentation was written with VMs in mind.

VMware Horizon: Right for you?

Should you use VMware Horizon to access physical computers? If you already have Horizon in your environment, then probably. A physical computer will use up a concurrent user license just like connecting to a VM, so a lack of licenses could make this option a poor choice. Otherwise, being able to connect through just a web browser or the Horizon Client without having to worry about VPN connections or remembering IP addresses certainly is a better end-user experience. We currently use Horizon to provide access to our physical lab computers, and for that use case, it has been a real boon since our students do not need to know anything more than that they want to connect to a specific pool name.

Mitch Tulloch

Mitch Tulloch is Senior Editor of both WServerNews and FitITproNews and is a widely recognized expert on Windows Server and cloud technologies. He has written more than a thousand articles and has authored or been series editor for over 50 books for Microsoft Press and other publishers. Mitch has also been a twelve-time recipient of the Microsoft Most Valuable Professional (MVP) award in the technical category of Cloud and Datacenter Management. He currently runs an IT content development business in Winnipeg, Canada.
