VMware Horizon Community
epaquay
Contributor

VMware View 4.6 in multiple domains environment

Hi,

We are trying to deploy a View solution with different desktops on 3 different domains that are separated for security reasons.

Following several searches, I understand that the View Connection server requires a two-way trust relationship between the domains.

Gosh, why the hell do they need this? This sounds to me quite excessive in terms of security issues.

Am I the only one to be worried about this? Do you have any alternative solution?

Thx,

Eric

0 Kudos
6 Replies
pdarcy
Contributor

epaquay

I had the same issue recently with a customer, and the only way we got around it, due to the fact we could not provide a two-way trust, was to create a second set of brokers for that domain. I agree it's a security nightmare, maybe View 5 will fix that?

0 Kudos
mittim12
Immortal

Welcome to the forums. I'm sorry to say, but I doubt anyone here other than the VMware employees can answer the question regarding why it's needed. If you seriously want an answer to that, I think you should contact your rep and pose the question to him. He would have the ability to reach out to resources that may not read the message board.

0 Kudos
SunnyV
Contributor

I think the Trust is required so that you can Entitle the Pool. If the users reside in a Domain other than the one the Connection Server is in, then it will not be able to find the account you want to Entitle.

We have a one-way trust between the View Connection Server (CS) Domain and the Entitled Domain, where the CS Domain trusts the Entitled Domain. In our environment the View Desktops are registered in another Domain; they have 2 NICs, one to the Entitled Domain network and another to the Desktop Domain. So in total we have 3 Domains.

Once we have created the one-way Trust, we create a Global Group in the Entitled Domain and add users into that group. Then we create a Domain Local Group in the CS Domain and add the Global Group from the Entitled Domain into the Domain Local Group. When you Entitle the pool, you will see the Domain Local Group, which has the Trust established to allow user accounts in the Entitled Domain Global Group. When the users log in, they log into the Entitled Domain and are presented with a pool of desktops in the desktop Domain. We add routes into the View desktop, so it finds its way around. We also hide the Domain using the VDMADMIN tool in View, so the users have to enter their username as username@EntitledDomain.

It's confusing, but works!

0 Kudos
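The group nesting described in the post above, sketched in PowerShell as an added example (not SunnyV's own commands and not VMware tooling). It assumes the ActiveDirectory module with Get-ADTrust available and admin credentials for both domains; every domain name, OU path, group name and user name is a hypothetical placeholder. It first checks that the trust is one-way before building the groups.

```powershell
# Added example: all names below are hypothetical placeholders, adjust before use.
Import-Module ActiveDirectory

$CsDomain       = 'cs.example.local'      # Connection Server domain (the trusting side)
$EntitledDomain = 'users.example.local'   # domain holding the user accounts (the trusted side)
$CsCred         = Get-Credential -Message "Admin account in $CsDomain"
$EntitledCred   = Get-Credential -Message "Admin account in $EntitledDomain"

# 1. Confirm the trust is one-way. Seen from the CS domain, "CS trusts Entitled"
#    is an Outbound trust; BiDirectional would mean a two-way trust exists.
$trust = Get-ADTrust -Filter "Name -eq '$EntitledDomain'" -Server $CsDomain -Credential $CsCred
if (-not $trust) { throw "No trust to $EntitledDomain found in $CsDomain" }
if ($trust.Direction -ne 'Outbound') {
    throw "Expected a one-way (Outbound) trust, found: $($trust.Direction)"
}

# 2. Global Group in the Entitled domain; the View users are members of this group.
$gg = New-ADGroup -Name 'GG-View-Users' -GroupScope Global -GroupCategory Security `
        -Path 'OU=Groups,DC=users,DC=example,DC=local' `
        -Server $EntitledDomain -Credential $EntitledCred -PassThru
Add-ADGroupMember -Identity $gg -Members 'alice', 'bob' `
        -Server $EntitledDomain -Credential $EntitledCred   # constructed sample accounts

# 3. Domain Local Group in the CS domain; this is the group that gets entitled to the pool.
$dl = New-ADGroup -Name 'DL-View-Pool1' -GroupScope DomainLocal -GroupCategory Security `
        -Path 'OU=Groups,DC=cs,DC=example,DC=local' `
        -Server $CsDomain -Credential $CsCred -PassThru

# 4. Nest the Global Group into the Domain Local Group. The member is added by SID,
#    which lets AD resolve it (or create a foreign security principal) across the trust.
Set-ADObject -Identity $dl -Add @{ member = "<SID=$($gg.SID.Value)>" } `
        -Server $CsDomain -Credential $CsCred

# 5. Review the result: the Domain Local Group should contain only the nested group.
(Get-ADGroup -Identity $dl -Properties member -Server $CsDomain -Credential $CsCred).member
```

Only the Domain Local Group is entitled in View, so membership changes stay in the Entitled domain's Global Group.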
eeg3
Commander

If your IT department will not let you have an OU, I would bet a significant amount of money they're not going to set up a trust between a domain you set up and their domain. I think the easiest method would be to try to get an OU delegated to you, whether you have to go to their boss and explain what you need and why it's not a big deal or not.

Blog: http://blog.eeg3.net
0 Kudos
PatriciaGomez
Contributor

How can you hide all Domains using the VDMADMIN tool in View and get the list empty so users have to enter their username as username@EntitledDomain? We are working with View 5.1 but it should be similar to 4.6. We can hide all domains except the broker domain. Thanks!

0 Kudos
SunnyV
Contributor

To hide domains, you need to type the following command...

"\Program Files\VMware\VMware View\Server\tools\bin\vdmadmin" -N -domains -exclude -domain <DOMAIN NAME> -add

on the connection server / broker.

To list the exclude list, type the following command...

"\Program Files\VMware\VMware View\Server\tools\bin\vdmadmin" -N -domains -list

To show all the commands that you can use with vdmadmin.exe, type the following command...

"\Program Files\VMware\VMware View\Server\tools\bin\vdmadmin" -help

Hope this helps!

0 Kudos