Horizon View

New VMware Security Advisory VMSA-2017-0008

Today VMware has released the following new security advisory:

VMSA-2017-0008 – VMware Unified Access Gateway, Horizon View and Workstation updates resolve multiple security vulnerabilities

This advisory documents several critical memory corruption vulnerabilities affecting VMware Unified Access Gateway (formerly called Access Point) (8.2.x), Horizon View (7.x, 6.2.x) and Workstation (12.5.x).

Issue (a) is a heap-based buffer overflow vulnerability (CVE-2017-4907) which affects VMware Unified Access Gateway and Horizon View. This issue may be exploited remotely to execute code on the security gateway. VMware Unified Access Gateway 2.9 is not affected. This issue has been addressed in VMware Unified Access Gateway 2.8.1, Horizon View 7.1.0 and 6.2.4.

Issues (b), (c) and (d) are heap-based buffer-overflow, out-of-bounds read/write and integer-overflow vulnerabilities (CVE-2017-4908, CVE-2017-4909, CVE-2017-4910, CVE-2017-4911, CVE-2017-4912, CVE-2017-4913) in the JPEG2000 and TrueType Font (TTF) parsers in TPView.dll. These issues exist due to the use of the vulnerable Cortado ThinPrint component and impact VMware Horizon View Client for Windows and Workstation. Exploitation is possible only if virtual printing has been enabled. This feature is not enabled by default on Workstation but it is enabled by default on Horizon View. These issues have been addressed in VMware Workstation 12.5.3, Horizon View Client for Windows 7.1.0 and 6.2.4.

We would like to thank Claudio Moletta (redr2e), and Ke Liu of Tencent’s Xuanwu Lab, Gogil and Giwan Go of STEALIEN working with ZDI for reporting these issues to us.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Customers should review the security advisories and direct any questions to VMware Support.

The post New VMware Security Advisory VMSA-2017-0008 appeared first on VMware Security & Compliance Blog.


VMware Horizon 7.1 Is GA! What’s New – Part 2

Co-authored by Graeme Gordon, Senior End-User-Computing Architect, EUC Technical Marketing, VMware.

In part 1 of the Horizon 7.1 What’s New blog article, we looked at the list of new Horizon 7.1 platform features, a sampling of Horizon Client 4.4 features, and an overview of the new remote experience features. In this post, we delve deeper into:

  • Blast Extreme enhancements
  • VMware Horizon Virtualization Pack for Skype for Business (Beta Release)
  • Remote Experience features
  • VMware Horizon for Linux version 7.1

Blast Extreme Enhancements

To provide an even greater user experience over a variety of network types, Blast Extreme has been extended with an adaptive transport. From their client devices, users can indicate the quality of the network they are using. This helps Blast Extreme select the best strategy for dealing with that network to deliver the best experience. Typical is the default and in the majority of scenarios the end user should not need to change this.

The options are:

  • Typical – TCP is used for the initial connection to authenticate, and then our new adaptive UDP-based transport is used for the connection to the desktop or published app session.
  • Excellent – Suited to LAN environments, and can also be useful on low-bandwidth WAN links. Blast Extreme uses TCP for both the initial authentication and the connection to the desktop or app.
  • Poor – Helps adapt to a very poor network connection, such as one with more than 20 percent packet loss. The adaptive UDP component takes measures to ensure an acceptable user experience, including the capability to duplicate some packets on the network to improve the experience on a high-packet-loss connection.

If users are connecting from outside the corporate network, the UDP component requires the VMware Unified Access Gateway 2.9 (formerly called Access Point), which is being released at the same time as Horizon 7.1. Connections will fall back to use TCP if any in-line component, such as Unified Access Gateway, does not support the new UDP stack.

The other new feature for Blast Extreme is the ability to access physical workstations (Tech Preview). On Windows 7 and Windows 10 PCs, you can install Horizon Agent 7.1 and then connect using Blast Extreme from Horizon Client 4.4.

Horizon Virtualization Pack for Skype for Business (Beta Release)

From Windows-based Horizon Clients, you can now make audio and video calls from within a virtual desktop.

  • Virtualization pack components include a media proxy on the agent (virtual desktop) side, and a media engine on the client side.
  • All media is sent as a separate RTP stream directly between endpoints, outside of the display protocol so that the server infrastructure is not affected during audio and video calls.
  • Through the use of native Skype codecs, bandwidth usage is equivalent to native Skype for Business calls.

For this beta release, several limitations apply. For example, point-to-point calls are supported, but multi-party video conferencing is not. For more information, go to the VMware Horizon Virtualization Pack for Skype for Business Beta site.

Remote Experience Features

New features for all types of RDSH farms include the ability to select a graphics file to customize the app icon shown in the selector window so that users can more easily identify the application they want. For a demo, check out the new video Customizing Horizon RDSH Application Icons.

Also available for all types of RDSH farms is the ability to allow unauthenticated user access to published apps from Windows and Linux clients. This feature is useful for kiosk-mode scenarios or where the application has its own security and user management. Find out the configuration details and see a demo by watching the new video Providing Unauthenticated Access to Horizon Published Applications.

Horizon for Linux

For Linux-based virtual desktops, Version 7.1 of Horizon for Linux adds support for the following 64-bit operating systems:

  • Red Hat Enterprise Linux 7.3
  • SUSE Linux Enterprise Desktop 12 SP2
  • SUSE Linux Enterprise Server 12 SP2
  • CentOS 7.3

In technical preview, Linux desktops get the ability to use USB redirection:

  • The USBD service has been re-architected to support Linux desktops.
  • USB devices can be used with both USB redirection and client-drive redirection (CDR).
  • Linux desktops must run on Ubuntu 14.04 or 16.04.
  • Client devices must be using Horizon Client for Windows 4.4.

For information about these and other new features, such as single sign-on support for Ubuntu and the ability to sync the client keyboard locale and input language with those on the remote desktop, see Setting Up Horizon 7 Version 7.1 for Linux Desktops.

Conclusion

VMware Horizon 7.1 is a significant release in all areas: server, platform, protocol, client features, Linux desktops, integration with Skype for Business, and on and on. There are so many new features that we could not begin to do them justice here. Use the following resources to begin your own exploration.

We’re pleased to announce that all of the following are now generally available:

  • VMware Horizon 7.1
  • VMware Horizon 7 for Linux Version 7.1
  • VMware Horizon Clients, version 4.4 for Windows, Windows 10 UWP, macOS, Linux, iOS, and Android

Download Pages:

https://my.vmware.com/web/vmware/info/slug/desktop_end_user_computing/vmware_horizon/7_1

https://my.vmware.com/web/vmware/info/slug/desktop_end_user_computing/vmware_horizon_clients/4_0

Horizon 7.1 Documentation:
https://www.vmware.com/support/pubs/view_pubs.html

Horizon Client 4.4 Documentation:
https://www.vmware.com/support/viewclients/doc/viewclients_pubs.html

Resources

Publishing Applications with VMware Horizon 7 Quick Start Guide

The post VMware Horizon 7.1 Is GA! What’s New - Part 2 appeared first on VMware End-User Computing Blog.


VMware Horizon 7.1 Is GA! What’s New – Part 1

Co-authored by Graeme Gordon, Senior End-User-Computing Architect, EUC Technical Marketing, VMware.

With this new release, VMware Horizon 7.1 extends just-in-time delivery from virtual desktops to published applications by leveraging our Just-in-Time Management Platform (JMP). With JMP, the operating system (OS), applications, and user personalization are assembled on demand for users. Users get their desktops, their apps, their settings, and their preferences, all based on where they are connecting from at that moment and what type of device they are using.

Administrators use VMware Instant Clone Technology to rapidly recreate and maintain desktop VMs and, now, with Horizon 7.1, RDSH server VMs. Applications are provided on demand with VMware App Volumes. User personas and permissions are managed in real time by VMware User Environment Manager. Finally, Horizon 7.1 enhancements to the Blast Extreme display protocol improve performance even on poorly performing networks.

Horizon 7.1 includes lots of new features in addition to the above-mentioned fast provisioning of RDSH servers with Instant Clone Technology and the Blast Extreme Adaptive Transport component added to Blast Extreme.

Here’s an overview of the new platform features.

One feature seen here, Hide Server and Domain Info, allows an administrator to prevent server and domain information from being displayed in the Horizon Client interface. Be sure to see the new video Hiding the Connection Server URL and Domain List from the Horizon Client to find out how easy it is to set up this new security feature.

If you use vSphere 6.5 with Horizon 7.1, you can make use of the vSphere 6.5 VM encryption feature to encrypt full-clone VMs. Encryption is done at the hypervisor level rather than within the VM, which provides a variety of benefits, as outlined in What’s New in vSphere 6.5: Security.

Next, we have the remote experience features. Every three months, new client and agent binaries are released that add enhancements to the end user’s remote experience. The Horizon 7.1 release includes Horizon Client 4.4 and an associated new Horizon Agent. Key new remote experience features in this release include considerable improvements to Blast Extreme, the Beta release of the Horizon Virtualization Pack for Skype for Business, and improvements to Horizon 7 RDSH-based published applications.

And finally, here is a sampling of just a few of the new client-specific features.

In this blog post, which is part 1 of the series, we’ll expand a bit on the following major features:

  • Support for Instant Clone-based RDSH published apps
  • Newly supported features on instant clones

In part 2 of this series, we expand on the remote experience features and new VMware Horizon for Linux features.

  • Blast Extreme enhancements, including the new adaptive UDP transport component, as well as access to physical workstations
  • VMware Horizon Virtualization Pack for Skype for Business
  • New OS support for Linux desktops and USB redirection (Tech Preview)

RDSH Published Apps and Desktops

Extending Instant Clone Technology to RDSH farms allows administrators to instantly spin up new RDSH farms and quickly refresh existing RDSH farms, with zero down time.

  • The Add Farm wizard in Horizon Administrator now includes an option for Instant Clones, and uses ClonePrep to customize RDSH VMs without requiring a reboot.
  • Instant clones are rapidly created, customized, and ready for use. Simply editing the Farm settings allows for the scale up or down of a farm in seconds.
  • The Schedule Maintenance wizard lets you schedule an immediate one-off update or refresh of the VM, or automated regularly recurring refreshes, or both. The benefit is that the farm and the RDSH servers can quickly and easily be updated or automatically regenerated on a schedule to maintain optimal performance and storage use.

With instant clones, maintenance windows are brief, and some servers can always be available.

For guidance about maintenance options and a list of best practices, see the Just-in-Time Apps with Horizon 7 blog post.

Instant Clone Feature Support

Horizon 7.1 adds support for the following features for Instant Clones:

  • NVIDIA GRID vGPU – This feature adds support for NVIDIA M-series cards. You can now use instant-clone desktop VMs if you need high-end, hardware-accelerated workstation graphics. More information will be published in an upcoming blog post.
  • Multi-VLAN support – You can now create large desktop pools or RDSH farms in environments where the physical network is divided into smaller subnets and would not normally support large numbers of VMs.

On the vCenter Settings page of the Add Pool or Add Farm wizard for instant clones, browse to select multiple networks that use static port binding groups. The VMs will be distributed among the selected networks.

  • VMware vSphere host maintenance mode enhancements – Placing a vSphere host in maintenance mode now automatically deletes running parent VMs used for instant clone creation. Because the running parent VM is a protected entry in VMware vCenter Server, the VM cannot be powered off or deleted manually, which would ordinarily prevent a vSphere host from entering maintenance mode.

With this enhancement, when a vSphere 6.0 U1 or later host enters maintenance mode, the running parent VMs are powered off and deleted. Instant clones are migrated to another host in the cluster using VMware vSphere Distributed Resource Scheduler. After the vSphere host exits maintenance mode, running parent VMs are created automatically only when needed, such as for a provisioning task.

Conclusion

This post provides only the briefest gloss on the long list of Horizon 7.1 platform and Horizon Client 4.4 features. With headline features such as rapidly provisioned RDSH servers with Instant Clone Technology, and now that Blast Extreme has added a newly reworked adaptive UDP transport to accommodate the full gamut of network types, we have finally and fully arrived at just-in-time apps and desktops. For details about new remote experience features and Horizon for Linux, be sure to see What’s New with VMware Horizon 7.1 – Part 2.

We’re pleased to announce that all of the following are now generally available:

  • VMware Horizon 7.1
  • VMware Horizon for Linux Version 7.1
  • VMware Horizon Clients, version 4.4 for Windows, Windows 10 UWP, macOS, Linux, iOS, and Android

Download Pages:

https://my.vmware.com/web/vmware/info/slug/desktop_end_user_computing/vmware_horizon/7_1

https://my.vmware.com/web/vmware/info/slug/desktop_end_user_computing/vmware_horizon_clients/4_0

Horizon 7.1 Documentation:
https://www.vmware.com/support/pubs/view_pubs.html

Horizon Client 4.4 Documentation:
https://www.vmware.com/support/viewclients/doc/viewclients_pubs.html

Resources

Publishing Applications with VMware Horizon 7 Quick Start Guide

The post VMware Horizon 7.1 Is GA! What’s New - Part 1 appeared first on VMware End-User Computing Blog.


Getting Started with PowerCLI for Horizon View

PowerCLI 6.5 introduced a brand new, completely re-written module for Horizon View that is leaps and bounds better than the prior release. As an automation fanatic and former View administrator, PowerCLI’s offering for Horizon View has always been an important part of my toolbox.

Graeme Gordon, a Senior EUC Architect on our EUC Technical Marketing team, has created a terrific video on how to get started using this new module that we recommend checking out.

Watch the Video

Also, here’s a direct link to the blog post Graeme references in the video: Getting Started with PowerCLI 6.5 for Horizon View

The post Getting Started with PowerCLI for Horizon View appeared first on VMware PowerCLI Blog.


VMware vRealize Operations for Horizon and Published Applications 6.4, Part 2: New Support for Monitoring VMware App Volumes, View in VMware Horizon 7, and VMware Access Point

By Sujay Gopalan, Solution Architect, Technical Marketing and Enablement, Enterprise Desktop, VMware

Introduction

This blog post introduces new support for monitoring VMware App Volumes, View in VMware Horizon 7, and VMware Access Point. The first blog in this series introduced what is new in VMware vRealize Operations for Horizon and Published Applications 6.4. Part 3 discusses new application-crash alerts for desktop applications, and a new dashboard for root-cause analysis. Part 4 addresses new reporting on application CPU and memory usage. In Part 4, we also discuss support added for the latest versions of Citrix and Horizon 7 VDI solutions, and enhancements to the stability of the vRealize Operations for Horizon and Published Applications environments.

Support for Monitoring VMware App Volumes

VMware vRealize Operations for Horizon and Published Applications 6.4 introduces the ability to monitor existing App Volumes Managers. This can be set up when you configure the vRealize Operations for Horizon or vRealize Operations for Published Apps broker agent on a Horizon Connection Server or a Citrix Desktop Delivery Controller, as shown in Figures 1 and 2.

Figure 1: Configuring App Volumes Monitoring While Deploying the Broker Agent on a Horizon Connection Server

Figure 2: Configuring App Volumes Monitoring While Deploying the Broker Agent on a Citrix Desktop Delivery Controller

You can now monitor App Volumes Manager assignments and capture metrics about the time taken for attachments. With this release, vRealize Operations for Horizon and vRealize Operations for Published Applications have the ability to monitor App Volumes 2.12 or later.

Figure 3 shows the sessions connected with attached AppStacks when a user is assigned an AppStack.

Figure 3: Horizon User Session Details Dashboard Showing User Sessions and the New Column for Attached AppStacks

Figure 3 shows the user vrops51-2v4htestuser2 connected to a VDI desktop session and the AppStack V4X_ADOBE attached to the session.

You can also view AppStack statistics as part of the Session Logon Breakdown section, as shown in Figure 4, which also indicates the AppStack attach time (in this case, at 7.11 seconds).

Figure 4: Horizon Help Desk Tab with the Session Logon Breakdown Section

You can see an advanced view of vRealize Operations for Horizon capturing AppStack information when you enter a session from the Horizon User Session Details dashboard, shown in Figure 5. You can see a relation map of the objects connected and the AppStack attach time in seconds.

Figure 5: vRealize Operations for Horizon Troubleshooting Tab

Support for Monitoring View in Horizon 7.0.2 and 7.0.3

This new release of vRealize Operations for Horizon ensures that you are able to capture data from current versions of Horizon 7, up to the latest version, 7.0.3. You can now display events on dashboards and generate custom reports that are captured and sent back from the vRealize Operations for Horizon or Published Applications agents.

Support for Monitoring the View Access Point Appliance

Access Point functions as a secure gateway for users who want to access application and desktop resources from outside the corporate firewall. You can now monitor the Access Point deployments and sessions served during operation to include metrics about session count, current status per protocol, and more.

Figure 6 shows how to add an Access Point appliance during the configuration of the vRealize Operations for Horizon broker agent. You can add multiple Access Point appliances, and you will need to provide additional information such as Name, IP Address, Port, Username, and Password. Click the Test button to validate the connectivity and then click the + (plus) button to add to the list of monitored Access Point appliances.

Figure 6: Adding an Access Point Appliance During Configuration of the Horizon Broker Agent

Because Access Point is a component of Horizon 7.x, the option to add an Access Point appliance is not available when installing vRealize Operations for Published Applications and when configuring the Published Applications broker agent in the Citrix XenDesktop or XenApp environment.

From the Horizon Overview dashboard shown in Figure 7, you can view Top Horizon Alerts, including Access Point alerts. Figure 7 also shows a view of the Access Point appliances that are configured to report data collection status, session count, and percentage of total sessions for the Access Point appliance from the same Horizon Overview dashboard.

Figure 7: Horizon Overview Dashboard with Access Point Appliances Displayed

The set of alerts in Figure 8 is an example of the types of alerts that can be displayed on the vRealize Operations alerts pane.

Figure 8: vRealize Operations for Horizon Capturing Alerts from Access Point Appliances

The screenshot in Figure 8 is filtered to show any alert sent from Access Point appliances into vRealize Operations for Horizon. Among the listed alerts, you find an alert showing that the session count of connections coming into Access Point has crossed its threshold. Other alerts from Access Point show errors connecting, and time-outs on incoming user sessions trying to connect by way of the Blast Extreme protocol. Further investigation might reveal an incorrectly configured connection to and from the Access Point and Horizon Connection Servers. Further examination of the alert might provide “recommendations” about what “caused” the Access Point appliance to return an alert to vRealize Operations for Horizon.

The first alert was generated when the number of connecting user sessions in the Access Point appliance crossed a threshold, which can be specified by editing the “symptom definition” for the Access Point object shown in Figure 9. Similar thresholds can be set for other metrics being captured.

Figure 9: Setting Thresholds for Access Point in Edit Symptom Definition

Support for Monitoring the View Cloud Pod Architecture

VMware vRealize Operations for Horizon now offers the ability for you to view statistics about sessions that are served by Horizon Connection Servers in a Cloud Pod Architecture, and the cross-pod communication status.

Figure 10 shows a simple environment set up with two pods that have one Horizon Connection Server each, and the object relation map of the pod federation within the VDI environment.

Figure 10: A Simple View Cloud Pod Architecture Setup

Any change to the environment is reflected under the Troubleshooting tab or in the form of an alert that takes you to the Troubleshooting tab. In the Troubleshooting tab, you can view a component in question and connections to other objects, giving you the ability to identify components that are working (indicated by green badges) and ones that are not working. From this relation map, you can navigate to additional metrics that help to identify the next course of troubleshooting action.

In the example in Figure 11, an alert is being generated as a result of the failure of a Horizon Connection Server. When you open (click) the alert, you get more information about the failure. The alert status of Active remains until the connectivity of this instance is resolved.

Figure 11: An Active Alert Status

In Figure 12, you can see the details of the specific alert. This helps you gain more information about how to help identify the source of the issue and begin troubleshooting. Information such as the reason for the failure is displayed, depending on the issue.

Figure 12: vRealize Operations Manager for Horizon, Summary Tab, with Reason for Alert

Part 3 in this blog-post series addresses the new application-crash alerts for desktop applications, and the new dashboard for root-cause analysis. Part 4 of the series provides information about memory usage, support, and enhancements. See you there!

The post VMware vRealize Operations for Horizon and Published Applications 6.4, Part 2: New Support for Monitoring VMware App Volumes, View in VMware Horizon 7, and VMware Access Point appeared first on VMware End-User Computing Blog.

