VMware vRealize Operations for Horizon 6.5.1

Last Modified: Jan 21, 2018 @ 7:09 am

Planning

vRealize Operations for Horizon is composed of several components:

  • vRealize Operations Manager appliance – this is the same vROps appliance deployed for monitoring of vSphere infrastructures, and hence it can monitor the vSphere clusters that are hosting the Horizon Agents.
  • Horizon Adapter for vRealize Operations – this is a .pak file installed on a vROps appliance. The Horizon Adapter receives data from one or more Broker Agents.
    • Broker Agent is installed on top of a Horizon Connection Server in each Horizon pod. The Broker Agent collects information from Horizon Connection Servers (e.g. events database), and feeds the data to the Horizon Adapter running on a vRealize Operations Manager appliance. The Broker Agent can also collect data from Unified Access Gateway and App Volumes.
  • vROps Dashboards, Reports, and Alerts for Horizon – these display the information collected by the Horizon Adapter. Installation of the Horizon Adapter .pak file automatically imports the Dashboards, Reports, and Alerts.

The vROps Horizon monitoring solution components have different versions:

  • vRealize Operations for Horizon Adapter 6.5.1 – Horizon Adapter 6.5.1 is supported to monitor Horizon 7.4.
    • The Horizon Adapter and Broker Agent should be the same version.
  • vRealize Operations Manager 6.6.1 – this is the recommended version of vROps that will host the 6.5.1 Horizon Adapter. See VMware’s Product Interoperability Matrix for other versions of vROps that are also supported by Horizon Adapter 6.5.1.

vRealize Operations Manager 6.6.1 has a new HTML5 user interface that looks quite different from vRealize Operations Manager 6.5 and older, thus necessitating a new post. See the post vRealize Operations for Horizon 6.4 for the older vROps user interface, and older Horizon Adapters.

vRealize Operations for Horizon comes with two licenses:

  • vRealize Operations Manager Enterprise license – this license enables vSphere monitoring, and should only apply to Horizon workloads.
  • vRealize Operations for Horizon Adapter license – this license enables the Horizon Adapter to collect data from the Broker Agent for a specific number of Horizon Agent machines. The Horizon 7 Enterprise License can also be used to license the Adapter.

VMware 2146615 vRealize Operations Manager 6.3 Sizing Guidelines:

VMware Blog Post – VMware vRealize Operations for Horizon & Published Apps 6.5 Is GA:

  • NVIDIA vGPU Support: monitoring for the performance and usage of NVIDIA virtual GPU (vGPU) products on VMware ESXi hosts. To enable and use this feature, you must have the NVIDIA Virtual GPU Management Pack installed, and then import the integrated dashboards for vGPU monitoring.
  • User- & Pool-Level Metrics: provides out-of-the-box metrics on usage at the user/pool level, such as historical records of users accessing the desktop pool and historical pool access records for a selected user. You can download the record as a CSV report.
  • Cloud Pod Architecture Support: you can see whether a pool is a global pool, if a global entitlement is assigned to the pool and whether a session is a global session.
  • New Design for Logon Time: provides a new way to calculate the logon time. Horizon 7.3 is required for this feature.
  • New Process Alerts: monitor processes by triggering an alert and offering a recommendation for any process abnormality in your virtual machine (VM).

Links to descriptions of new features in vRealize Operations Manager 6.6:

If you have Log Insight, there’s also a Content Pack for Horizon View. See VMware Blog Post Horizon View Content pack for vRealize Log Insight.

Download Files

  1. Go to the download page for vRealize Operations for Horizon 6.5.1.
  2. Download vRealize Operations Manager 6.6.1 appliance, which is listed on the bottom of the vROps for Horizon 6.5.1 download page.

    1. See VMware’s Product Interoperability Matrix to determine which combinations of vROps and Horizon Adapter are compatible with Horizon 7.3.
  3. On the same vROps for Horizon 6.5.1 download page, download the vRealize Operations for Horizon Adapter.
  4. Download the vRealize Operations for Horizon Broker Agent 64-Bit.
  5. Download the vRealize Operations for Horizon Desktop Agent.

Deploy Appliance

  1. If you are upgrading an existing vROps appliance, skip ahead to the Patch/Upgrade Appliance section.
  2. In vSphere Web Client, navigate to the vCenter object, right-click it, and click Deploy OVF Template.
  3. In the Select Source page, select Local file, browse to the vRealize Operations Manager 6.6.1 .ova file, and click Next.

  4. In the Select name and location page, give the VM a name, and click Next.
  5. In the Select a resource page, select a cluster, and click Next.
  6. In the Review details page, click Next.
  7. In the Accept EULAs page, click Accept, and then click Next.
  8. In the Select Configuration page, select a size, and then click Next.
  9. In the Select Storage page, select Thin Provision, select a datastore, and then click Next.
  10. In the Select networks page, select a port group, and click Next.
  11. In the Customize template page:
    1. Enter the IP address information for the appliance.
    2. You can also specify the time zone by expanding Please add the amount of disk space.
  12. Then click Next.
  13. In the Ready to Complete page, click Finish.

Create vROps Cluster

  1. If you are upgrading an existing vROps appliance, skip ahead to the Patch/Upgrade Appliance section.
  2. Power on the new vROps virtual appliance.
  3. Wait for the appliance to start.
  4. Use a browser to go to https://IPAddress/admin. If you see a Service unavailable message, wait a couple minutes and try again.
  5. On the bottom of the page, click New Installation.
  6. In the Getting Started page, click Next.
  7. In the Set Administrator Password page, enter a password based on the listed requirements. Click Next.
  8. In the Choose Certificate page, you can upload a PEM certificate.

    1. The Certificate file must have .pem extension. It will not accept any other extension.
    2. Make sure the certificate file has both the certificate and keyfile combined into a single file.
    3. If there are intermediate Certificate Authorities, add them to the PEM file. CA certificates go below the server certificate.
  9. Click Next when done.
  10. In the Deployment Settings page:
    1. Enter a name for the master node.
    2. Enter an NTP Server Address, and click Add.
  11. Then click Next.
  12. In the Ready to Complete page, click Finish.
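
A pre-upload check for the combined PEM file described in the Choose Certificate step, added here as an example and not taken from the original post: it confirms the .pem extension, exactly one private key, that the key belongs to the first certificate, and that each certificate is followed by its issuer. The function name is hypothetical, the openssl command-line tool is assumed to be installed, and the issuer check compares names only, not signatures.

```shell
#!/bin/sh
# Added example, not from the original post. check_vrops_pem is a hypothetical
# helper name; it needs the openssl command-line tool.
check_vrops_pem() {
    pem="$1"
    case "$pem" in
        *.pem) ;;
        *) echo "FAIL: file name must end in .pem"; return 1 ;;
    esac
    [ -r "$pem" ] || { echo "FAIL: cannot read $pem"; return 1; }
    work=$(mktemp -d) || return 1

    # Split the bundle in file order: certificates to cert.1, cert.2, ...,
    # private keys to key.1, ...; print the two counts when done.
    set -- $(awk -v dir="$work" '
        /^-----BEGIN / {
            kind = "other"
            if ($0 ~ /PRIVATE KEY-----/) kind = "key"
            else if ($0 ~ /BEGIN CERTIFICATE-----/) kind = "cert"
            out = dir "/" kind "." (++n[kind])
        }
        out != ""    { print > out }
        /^-----END / { close(out); out = "" }
        END          { print n["cert"] + 0, n["key"] + 0 }' "$pem")
    ncert=$1
    nkey=$2
    if [ "$nkey" -ne 1 ] || [ "$ncert" -lt 1 ]; then
        echo "FAIL: need exactly one private key and at least one certificate (found $nkey and $ncert)"
        rm -rf "$work"; return 1
    fi

    # The server certificate comes first, so the key must belong to cert.1.
    # Compare the public key embedded in the certificate with the one derived
    # from the private key.
    cert_pub=$(openssl x509 -in "$work/cert.1" -noout -pubkey 2>/dev/null) || cert_pub=""
    key_pub=$(openssl pkey -in "$work/key.1" -pubout -passin pass: 2>/dev/null) || key_pub=""
    if [ -z "$key_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: private key is unreadable or does not match the first certificate"
        rm -rf "$work"; return 1
    fi

    # CA certificates go below the server certificate: the issuer name of each
    # certificate must equal the subject name of the one that follows it.
    i=1
    while [ "$i" -lt "$ncert" ]; do
        next=$((i + 1))
        issuer=$(openssl x509 -in "$work/cert.$i" -noout -issuer | sed 's/^issuer= *//')
        subject=$(openssl x509 -in "$work/cert.$next" -noout -subject | sed 's/^subject= *//')
        if [ "$issuer" != "$subject" ]; then
            echo "FAIL: certificate $next is not the issuer of certificate $i"
            rm -rf "$work"; return 1
        fi
        i=$next
    done
    rm -rf "$work"
    echo "OK: $ncert certificate(s), key matches first certificate, issuers in order"
}

# Usage: sh check_pem.sh /path/to/bundle.pem
if [ "$#" -gt 0 ]; then
    check_vrops_pem "$1"
fi
```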

Start Cluster

  1. From the https://IPAddress/admin page, click Start vRealize Operations Manager.
  2. Click Yes. This will take several minutes.
  3. Log into the appliance using the admin account.
  4. On the Welcome page, click Next.
  5. In the Accept EULA page, check the box next to I accept the terms, and click Next.
  6. In the Enter Product License Key page, enter the vRealize Operations Manager license key, click Validate License Key, and click Next. Note: there is a separate license for the Horizon Adapter that will be entered later.
  7. In the Customer Experience Improvement Program page, make a choice, and click Next.
  8. In the Ready to Complete page, click Finish.

Patch/Upgrade Appliance

  1. Download the Upgrade Pack or Hot Patch from the vRealize Operations 6.6.1 download page.
  2. Use a browser to go to https://vROpsIP/admin, and login as admin.
  3. On the left, switch to the Software Update page.
  4. On the right, click Install a Software Update.
  5. Click Browse and browse to an upgrade or Hot Patch .pak file downloaded from vmware.com. You must upgrade the operating system first (.pak file name containing VA-OS), and then upgrade vRealize Operations Manager (file name without OS in it).

  6. Click Upload.
  7. Click Next.
  8. In the End User License Agreement page, check the box next to I accept the terms, and click Next.
  9. In the Update Information page, click Next.
  10. In the Install Software Update page, click Install.

  11. After rebooting and logging in again, the Software Update page shows that the update has been completed.

  12. Click Install a Software Update again.
  13. Browse to the vRealize_Operations_Manager-6.6.1.pak file. It’s the one without OS in the name.
  14. Click Upload.
  15. Click Next.
  16. In the End User License Agreement page, check the box next to I accept the terms, and click Next.
  17. In the Update Information page, click Next.
  18. In the Install Software Update page, click Install.
  19. After it reboots, notice the new logon screen. Login as admin.
  20. The Software Update page should indicate that the update is completed.

Configure vSphere Adapter

  1. Login to the appliance at https://vROps_IP/ui. This is the ui path instead of the admin path.
  2. Go to Administration > Solutions.
  3. Highlight the VMware vSphere Solution, and click the Configure button in the toolbar.
  4. In the Configure adapters page, on the bottom half, in the Display Name field, enter a name for the vCenter adapter.
  5. In the vCenter Server field, enter the address of the vCenter server.
  6. Click the green plus icon to add a Credential.
  7. In the Manage Credential window:
    1. Give the credential a name.
    2. Enter credentials for the vCenter server.
    3. Click OK.
  8. Back in the Manage Solution window, click the Test Connection button.

    1. In the Review and Accept Certificate window, click Accept to accept the certificate.
    2. In the Info window, click OK to acknowledge that the test was successful.
  9. Back in the Manage Solution window, on the bottom right, click Save Settings.

    1. In the Info window, click OK to acknowledge that the adapter instance was successfully saved.
  10. Click Close to close the Manage Solution window.
  11. Note: it takes four weeks for vRealize Operations Manager to determine dynamic thresholds.

Active Directory Authentication

  1. In the vRealize Operations Manager console, in the top of the page, click Administration.
  2. On the left, expand Access, and click Authentication Sources.
  3. On the right, click the green plus icon.
  4. In the Source Display Name field, enter a display name. This name will appear on the logon page as shown below.
  5. From the Source Type drop-down, select Active Directory.
  6. In the Domain/Subdomain field, enter the DNS name of your Active Directory domain.
  7. Enter credentials of an LDAP bind service account.
  8. Check the box next to Use SSL/TLS.
  9. On the bottom of the window, click Test.

    1. In the Review and Accept Certificate window, check the box next to Accept this certificate, and click OK.
    2. In the Info window, click OK to acknowledge that the test was successful.
  10. Click OK to close the Add Source for User and Group Import window.
  11. On the left, click Access > Access Control.
  12. On the right, switch to the User Groups tab.
  13. In the toolbar, click the Import Group icon.
  14. In the Import User Groups page, ensure your Active Directory source is selected, enter your Horizon Administrators group name, click Search, and then select the group. Click Next.
  15. On the Roles and Objects page, from the Select Role drop-down, select Administrator.
  16. Check the box next to Assign this role to the group.
  17. Check the box next to Allow access to all objects in the system. Click Finish.
  18. Click Yes when warned about access to all Objects in the system.
  19. On the top right, click the person icon, and click Log Out.
  20. Change the drop-down to the Active Directory source, and login as an Active Directory account.

Session Timeout

  1. The vRealize Operations webpage defaults to a 30-minute session timeout. To change it, go to Administration > Management > Global Settings, and click the pencil icon.
  2. The maximum value for Session Timeout is 34560. Click OK.

Alerting

  1. In vRealize Operations console, go to Administration > Outbound Settings.
  2. On the right, click the green plus icon.
  3. From the Plugin Type drop-down, select Standard Email Plugin.
  4. Give the Instance a name.
  5. Enter the SMTP information.
  6. On the bottom, click Test.

    1. In the Test Connection window, click OK to acknowledge that the test was successful.
  7. Then click Save to close the Add/Edit Outbound Instance window.
  8. You can then go to Alerts > Alert Settings > Notification Settings, and create notifications.
  9. Give the notification rule a name.
  10. For Method, select the Standard Email Plugin, and the outbound instance you created earlier.
  11. Enter Recipients.
  12. Select Triggers and Criticality. Click Save.

Install Horizon Adapter 6.5.1 PAK File on vROps

  1. Login to the vRealize Operations appliance web page (/ui path).
  2. Go to Administration > Solutions.
  3. On the right, click the green plus icon.
  4. In the Select Solution page, click Browse.
  5. Browse to VMware-vrops-viewadapter-6.5.1…pak, and select it.
  6. Back in the Add Solution wizard, click Upload.
  7. After upload is complete, click Next.
  8. In the End User License Agreement page, check the box next to I accept the terms, and click Next.
  9. The Install page appears, and installation begins automatically.
  10. After it’s done installing, in the Install page, click Finish.
  11. If you have NVIDIA GPUs, also install the NVIDIA Virtual GPU Management Pack for vRealize Operations.

Horizon Adapter Licensing

  1. In the vRealize Operations web page, go to Administration > Management > Licensing.
  2. On the right, click the green plus icon.
  3. In the Select product or solution drop-down, select VMware Horizon.
  4. Enter the vROps for Horizon license key, and click Validate. Note: you enter the Adapter key (or Horizon 7 Enterprise key), not the vRealize Operations Manager key.
  5. Click Save to close the Add License window.
  6. You might have to add objects to the License Groups as detailed at Associate Horizon Objects with Your vRealize Operations for Horizon License Key at VMware Docs.

Configure Horizon Adapter

Here are some guidelines regarding the Horizon Adapter:

  • You can only have one Horizon adapter per vRealize Operations appliance.
  • Each adapter can handle up to 10,000 virtual desktops.
  • Multiple Horizon pods can point to a single Adapter.

Do the following to create and configure a Horizon Adapter:

  1. In vRealize Operations Manager, go back to Administration > Solutions.
  2. On the right, in the top half, highlight the VMware Horizon adapter, and click the Configure icon.
  3. On the top part, highlight the Horizon Adapter.
  4. On the bottom, give the adapter a Display Name, and an Adapter ID.
  5. Click the green plus icon to add a credential.

    1. Give the credential a name.
    2. Enter a new password (shared key), and click OK to close the Manage Credential window. You’ll use this password later when configuring the Broker Agent.
  6. Back in the Manage Solution window, click Test Connection.

    1. In the Info window, click OK to acknowledge that the test was successful.
  7. On the bottom right, click Save Settings.

    1. In the Info window, click OK.
  8. Then click Close to close the Manage Solution window.

Enable SSH

VMware Knowledgebase article – Enabling SSH access in vRealize Operations Manager 6.0.x (2100515):

  1. Connect to the vRealize Operations Manager virtual machine console.
  2. Press Alt+F1, and login as root.
    Note: By default there is no root password configured. Just press <Enter>, and you’ll be prompted to enter a root password.
  3. Start the SSH service by running the command:
    service sshd start
  4. To configure SSH to start automatically, run this command:
    chkconfig sshd on

Appliance Firewall for Horizon Adapter

  1. Login as root to the CLI of the appliance using SSH, or the virtual machine console.
    1. The first time you log in to the console as root, there will be no password. It will ask you to specify a new password.
  2. Use vi to edit the file /opt/vmware/etc/vmware-vcops-firewall.conf.
  3. Ports 3099 through 3101 are needed by the Horizon Adapter/Broker. In newer versions, there might be a TCPPORTS line for 3091:3101. If this is already configured, then press :q to exit vi since there’s no need to change anything.
  4. If you see a TCPPORTS line that only adds 3091:3094, then right below that line, add a new line containing TCPPORTS="$TCPPORTS 3099:3101".
    1. In vi, press i to enter insert mode, and then press <Esc> to exit insert mode.
  5. Press <Esc> to exit edit mode, and enter :wq to save the file and exit.
  6. Run /etc/init.d/vmware-vcops-firewall restart.
  7. If you have vRealize Operations for Horizon Desktop Agents that are older than 6.2, then you’ll need to enable TLS 1.0 by editing the properties file. See Create an Instance of the Horizon Adapter at VMware Pubs for more information.
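
The firewall edit in steps 2 through 6 as a repeatable check, added here as an example and not taken from the original post: it reads the TCPPORTS lines, tests whether 3099 through 3101 are already covered, and only then adds the line from step 4 after taking a backup. The function names are hypothetical, and the demo runs against a constructed sample file rather than the appliance's real one.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical;
# the conf path and the TCPPORTS line format are the ones quoted in the steps.
CONF="${CONF:-/opt/vmware/etc/vmware-vcops-firewall.conf}"

# Print every port or range contributed by active TCPPORTS lines as "lo hi".
list_tcp_ranges() {
    # $1 = firewall conf file
    grep -E '^[[:space:]]*TCPPORTS=' "$1" |
        sed -e 's/#.*$//' -e 's/^[^=]*=//' -e 's/"//g' |
        tr -s ' \t' '\n\n' |
        awk -F: '/^[0-9]+(:[0-9]+)?$/ { print $1, (NF > 1 ? $2 : $1) }'
}

# Succeed only if every port in lo..hi is covered by some TCPPORTS entry.
ports_covered() {
    # $1 = conf file, $2 = first port, $3 = last port
    list_tcp_ranges "$1" | awk -v lo="$2" -v hi="$3" '
        { for (p = lo; p <= hi; p++) if (p >= $1 && p <= $2) seen[p] = 1 }
        END { for (p = lo; p <= hi; p++) if (!(p in seen)) exit 1 }'
}

# Add the Horizon Adapter/Broker range once: directly below the 3091:3094
# line when that line exists, otherwise at the end of the file.
ensure_horizon_ports() {
    # $1 = conf file
    conf="$1"
    if ports_covered "$conf" 3099 3101; then
        echo "unchanged"
        return 0
    fi
    cp -p "$conf" "$conf.bak" || return 1      # keep the previous version
    awk -v add='TCPPORTS="$TCPPORTS 3099:3101"' '
        { print }
        !ins && /^[ \t]*TCPPORTS=.*3091:3094/ { print add; ins = 1 }
        END { if (!ins) print add }' "$conf.bak" > "$conf" || return 1
    echo "added"
}

# Demo on a constructed sample, not a copy of the appliance's file.
demo() {
    sample=$(mktemp) || return 1
    printf '%s\n' '# constructed sample' \
        'TCPPORTS="$TCPPORTS 22 443"' \
        'TCPPORTS="$TCPPORTS 3091:3094"' > "$sample"
    ensure_horizon_ports "$sample"      # first run: added
    ensure_horizon_ports "$sample"      # second run: unchanged
    cat "$sample"
    rm -f "$sample" "$sample.bak"
}
demo

# On the appliance, as root:
#   ensure_horizon_ports "$CONF" && /etc/init.d/vmware-vcops-firewall restart
```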

Install Horizon Broker Agent

  1. Login to one Horizon Connection Server in your Horizon pod. Only install the Broker Agent on one Horizon Connection Server in each pod.
  2. Run the downloaded VMware-v4vbrokeragent-x86_64-6.5.1.exe.
  3. In the Welcome to the VMware vRealize Operations for Horizon Broker Agent Setup Wizard page, click Next.
  4. In the End-User License Agreement page, check the box next to I accept the terms in the License Agreement, and click Next.
  5. In the Ready to install the Broker Agent page, click Install.
  6. In the Completed the VMware vRealize Operations for Horizon Broker Agent Setup Wizard page, click Finish.

Configure Horizon Broker Agent

  1. The Configuration tool will appear immediately after installation. Or launch vRealize Operations for Horizon Broker Agent Settings from the Start Menu.
  2. In the Pair Adapter page, enter the IP address of the vRealize Operations appliance, enter 3091 for the port, enter the adapter password (configured earlier), and click Pair.
  3. After broker pairing is successful, click Next. If this doesn’t work, make sure the firewall ports are opened on the vRealize Operations appliance.
  4. In the Connection Server page, enter credentials for Horizon View, and click Test.
  5. Then click Next.
  6. In the Event DB and Desktop Pool page, enter the SQL credentials to access the Events database, and click Test.
  7. Then click Next.
  8. In the Configure App Volumes page, enter the App Volumes info, and click Test. Click the plus icon to add it to the list. Then click Next.
  9. In the Monitor Unified Access Gateway page, enter an appliance name, enter the UAG IP, enter 9443 as the port, enter the admin credentials, and click Test.
  10. Click the plus icon to add the Unified Access Gateway appliance to the list. Then click Next.
  11. In the Intervals and Timeouts page, click Next.
  12. In the Logging page, click Next.
  13. In the Broker Agent Service page, click Start. Then click Next.
  14. In the Ready to Complete page, click Finish.
  15. In the vRealize Operations web console (/ui), from the Dashboards page, you can view the Horizon Adapter Self Health dashboard to verify that the adapter and broker agent are functional.

Desktop Agent

The Desktop Agent should be installed on every Horizon Agent machine. Horizon 7 Agents come with vROps Desktop Agents. If you’re not running the latest version of Horizon 7 Agent, then upgrade the vROps Desktop Agent on those machines.

  1. Run the downloaded vRealize Operations for Horizon Desktop Agent 6.5.1 (VMware-v4vdeskopagent-x86_64-6.5.1.exe).
  2. In the Welcome to the VMware vRealize Operations for Horizon Desktop Agent Setup Wizard page, click Next.
  3. In the End-User License Agreement page, check the box next to I accept the terms in the License Agreement, and click Next.
  4. In the Ready to install the Desktop Agent page, click Install.
  5. In the Completed the VMware vRealize Operations for Horizon Desktop Agent Setup Wizard page, click Finish.
  6. If you go to C:\Program Files\VMware\VMware View\Agent\bin, and view the properties of the v4pa_agent.exe file, on the Details page, you’ll see the installed version of the Desktop Agent.

VMware Horizon 7 – Cloud Pod Architecture

Last Modified: Jan 28, 2018 @ 2:07 pm

This post applies to all VMware Horizon versions 7.0 and newer

Planning

Cloud Pod Architecture lets you publish a single icon that load balances connections across multiple pools in multiple pods in multiple sites (datacenters).

  • Global Entitlements – Entitlements are the same thing as published icons. When you create an entitlement (local or global), you are publishing an icon from a pool.
    • For local entitlement, the icon is only published from one pool.
    • For global entitlement, the icon can be published from multiple pools. The pools can be in one pod or from multiple pods.
    • Don’t configure both global and local entitlements for the same pool.
    • A single pool can only belong to one global entitlement.
    • Horizon 6.2 and newer supports Global Entitlements for applications. However, it’s one application per global entitlement.
  • Pod Federation – Global entitlements can’t be created until a Pod Federation is created. This federation could be one pod or multiple pods.
    • The pods can be separated into sites. A site can contain multiple pods.
  • Global Load Balancing – Use NetScaler GSLB or F5 GTM to connect Horizon Clients to a globally available Horizon Connection Server. The connected Horizon Connection Server then uses Global Entitlements to select a site/pod/pool.
    • When a user launches a Global Entitlement, the Connection Server selects a pod based on the Global Entitlement Scoping, which can be All Sites, Within site, or Within Pod. This is from the perspective of the Connection Server the user is currently connected to. Horizon will prefer the local pod if possible.
    • Users or groups can be assigned to Home Sites. Global Entitlements can be configured to prefer Home Sites over the normal site/pod selection criteria.
  • Dedicated Assignment – For Dedicated Assignment pools, global entitlement only helps with the initial connection. Once the user is assigned to a desktop, that desktop is always selected. Users are not automatically provided with a desktop from another site if the site containing their dedicated desktop has gone down. The desktop request will fail because the dedicated desktop isn’t available. The administrator could configure a separate Global Entitlement for the users to provide a floating desktop until such time as the original site recovers. That floating entitlement should be arranged to deliver desktops from other sites as required.
  • Firewall Ports – The Horizon Connection Servers participating in Cloud Pod Architecture communicate with each other over TCP 135, TCP 22389, TCP 22636, and TCP 8472. Make sure these ports are open. More info at Ray Heffer VMware Horizon 7.4 Network Ports for Cloud Pod Architecture.
  • RBAC – View Administrator includes a new administrator privilege: Manage Global Sessions. The regular Administrators role has access to multiple pods. The new Local Administrators role can only manage the local pod.

Limits in Horizon 7.3 (note: these limits seem to be increasing with each release of Horizon 7):

  • Max users = 140,000
  • Max Pods = 25
  • Max Sessions per Pod = 10,000
  • Max Sites = 7
  • Max Horizon Connection Servers = 175

Traffic flow (Rob Beekmans – VMware Horizon View Cloud Pod – unwanted routing?):

  • Use F5 GTM or NetScaler GSLB to connect users to a Horizon Connection Server in any pod. If active/active, use proximity load balancing to control which pod is initially accessed.
  • The Horizon Connection Server looks up the Global Entitlements to determine the destination pod for the Pool.
  • User’s PCoIP session goes through the initially connected Horizon Connection Server and across the DCI (Datacenter Interconnect) circuit to the remote pod. There’s no way to re-route Blast/PCoIP through a Horizon Connection Server in the remote pod. In fact, the Horizon Connection Servers in the remote pod are never accessed. You need sufficient DCI bandwidth to handle this Blast/PCoIP traffic.

For more information on multi-datacenter design for Horizon 7, see VMware Horizon 7 Enterprise Edition Multi-Site Reference Architecture, which is an 88 page document that includes the following:

  • Identity Manager
  • App Volumes
  • Horizon 7 Cloud Pod Architecture
  • User Environment Manager
  • SQL AlwaysOn Availability Groups
  • Networking
  • Storage (e.g. vSAN)
  • Active Directory
  • Distributed File System
  • Global Load Balancing

Initialize First Pod

  1. In View Administrator, on the left, expand View Configuration, and click Cloud Pod Architecture.
  2. On the right, click Initialize the Cloud Pod Architecture feature.
  3. Click OK to initialize.
  4. A status page is displayed.
  5. Click OK to reload the client.
  6. On the left, expand View Configuration, and click Cloud Pod Architecture.
  7. On the right, feel free to rename the federation by clicking the Edit button.

  8. On the left, expand View Configuration, and click Sites.
  9. On the right, click the Edit button to rename the Default First Site to be more descriptive.

  10. If you click the site to highlight it, you can Edit the Pod in the lower half to make the name more descriptive.

  11. If you add a Replica server after global entitlements are enabled, see VMware 2080521 Setting up the Cloud Pod Architecture feature on a replicated View Connection Server instance.
  12. See VMware 2080522 Restoring View Connection Server instances in a Cloud Pod Architecture pod federation.

Additional Pods – Join Federation

  1. Connect to View Administrator in the second pod.
  2. On the left, expand View Configuration, and click Cloud Pod Architecture.
  3. On the right, click Join the pod federation.
  4. Enter the name of an existing Horizon Connection Server that is already joined to the federation.
  5. Enter credentials, and click OK.
  6. The Join status is displayed.
  7. Click OK to reload the client.
  8. On the left, expand View Configuration, and click Sites.
  9. If this pod is in a different site, then click Add to create a new site.
  10. Give the site a name, and click OK.
  11. Highlight the first site.
  12. On the bottom, highlight the new pod, and click Edit.
  13. Rename the pod and put it in the 2nd site. Click OK.

Global Entitlements

Do not create both global and local entitlements for the same pool; otherwise, users might see two icons. Create the local pool, but don’t entitle it. Instead, create a Global Entitlement and add the local pool to it.

  1. In View Administrator, on the left, expand Catalog, and click Global Entitlements.
  2. On the right, click Add.
  3. In the Type page, select Desktop Entitlement or Application Entitlement, and click Next.
  4. In the Name and Policies page, give the entitlement (icon) a name. For Application Entitlements, it’s one entitlement per application so include the application name.
    1. Horizon 7.2 lets you configure tag restrictions (Connection Server restrictions) from this wizard.

      1. In Horizon 7.1, it’s only configurable from the lmvutil command. See Restrict Access to a Global Entitlement at VMware Pubs.
    2. Horizon 7.3 lets you select a Category Folder where the published icon will be placed on the client’s Start Menu. This applies to Horizon Client 4.6 and newer. See Configuring Start Menu Shortcuts for Desktop and Application Pools at VMware Docs.

  5. In the Policies section:
    1. The Use home site checkbox tells the global entitlement to respect user home sites.
    2. Change the Default display protocol to VMware Blast.
      1. In Horizon 7.3.1 and newer, if you set the Default display protocol to PCoIP, then HTML5 Blast won’t work unless Allow users to choose protocol is set to Yes. See VMware Communities Upgraded from 7.0.1 to 7.3.1, getting “You cannot access your applications or desktops”… error.
    3. Check the box next to HTML Access.
    4. Horizon 7.2 adds a Pre-launch checkbox. Enable it on at least one application, and entitle the application to the users that need the Pre-launch feature.
    5. Horizon 7.3 adds a checkbox named Client Restrictions. When this is enabled, you can add Client Computer Accounts to an AD Group and entitle the published icon to that AD group. The published icon can then only be accessed from the client computers in the AD group. Notes:
    6. Make other selections.
  6. Click Next.
  7. In the Users and Groups page, add users that can see the icon. Click Next.
  8. In the Ready to Complete page, click Finish.
  9. Double-click the new global entitlement.
  10. On the Local Pools tab, click Add.
  11. Select the pools you want to add and click Add. Remember, only one app per Global Entitlement.
  12. Go to another pod and view the Global Entitlements.
  13. On the right, double-click the Global Entitlement.
  14. On the Local Pools tab, click Add to add pools from this pod.

Monitoring

  1. Once Global Entitlements are enabled, a new Search Sessions node is added to View Administrator. This allows you to search for sessions across federated pods.
  2. The Dashboard shows the health of remote pods.

Home Sites

Horizon 7 lets you configure Home Sites from within Horizon Administrator. For Global Entitlements, Horizon will prefer pools in the user’s Home Site before looking for pools in remote sites.

  1. On the left, click Users and Groups.
  2. On the right, switch to the Home Site tab, and click Add.
  3. Find a user or group for this home site, and click Next.
  4. Select the site to assign the users to and click Finish.
  5. Home Sites can be assigned to both users and groups. User assignments override group assignments.
  6. Each Global Entitlement can have its own Home Site configuration. Double-click a Global Entitlement, switch to the Home Site Override tab, and click Add.
  7. Since you could have a combination of default Home Site for user, default Home Site for group, and Global Entitlement-specific Home Sites, it’s helpful to know which Home Site is effective for each user and Entitlement. On the Users and Groups page, on the Home Site tab, if you switch to the Resolution sub-tab, you can find a user name, click Look Up and see which Home Site is assigned to the user for each entitlement.

VMware Horizon 7 – RDS Farms/Pools

Last Modified: May 13, 2018 @ 2:56 pm

This post applies to all VMware Horizon versions 7.0 and newer

Overview

Before following this procedure, build a master RDS Session Host.

This post details VMware Horizon configuration for Remote Desktop Session Host (RDS) Horizon Agents. Virtual Desktops are detailed at Master Virtual Desktop and Virtual Desktop Pools.

Before you can publish applications or desktops, you must create an RDS Farm. An RDS Farm is a collection of identical (cloned) Remote Desktop Session Hosts. Applications must be installed identically on every machine in the farm. If you have different applications on different Remote Desktop Session Hosts then these are different RDS Farms.

Horizon supports up to 200 RDS farms, each with up to 200 RDS hosts.

Once the RDS Farms are created, you publish resources from them by either creating a Desktop Pool or an Application Pool or both. When creating a Desktop Pool or Application Pool, all members of the RDS Farm are selected. It is not possible to select a subset of Farm members.

VMware Tech Paper Best Practices For Published Applications And Desktops in VMware Horizon 7:

  • vSphere Best Practices – Hardware, Network Adapters, ESXi BIOS Settings, ESXi Power Management
  • Core Services Best Practices – Active Directory, DNS, DHCP, NTP, KMS, RDS Licensing
  • ESXi Host Sizing Best Practices
  • RDSH Configuration Best Practices – Optimization
  • Horizon 7 Best Practices – Instant Clones, Load Balancing
  • User Environment Management Best Practices – Horizon Smart Policies, Folder Redirection, User Profiles, Printers, Hardware Graphics Acceleration
  • App Volumes Best Practices – dedicated AppStacks
  • Antivirus Best Practices
  • Maintenance Operations Best Practices – scheduled reboots

RDS Farms – Instant Clones and Composer Linked Clones

Horizon 7.1 and newer offers two methods of creating RDS Farm linked clones:

  • Instant Clones
  • Composer Linked Clones

Instant Clones are the preferred method. The process is as follows (see the YouTube video Instant Clones for RDSH in VMware Horizon 7.1):

  1. You select a snapshot from a master image.
  2. Horizon creates a template VM that boots from the master snapshot. After some prep, the template VM shuts down and creates a new snapshot.
  3. The template snapshot is copied to a Replica VM on every LUN (datastore) that will host RDS Farm VMs.
  4. For each datastore, Horizon creates a Parent VM on every host in the cluster. This parent VM is powered on and running at all times.
  5. The linked clones can finally be created by forking the parent VM to new linked clone VMs. Notes:
    1. Once the Parent VMs are created, creating/recreating linked clones is fast. But it takes time to create all of the Parent VMs.
    2. And the Parent VMs consume RAM on every host. If you have multiple datastores and/or multiple pools, then there are multiple Parent VMs per host, all of them consuming RAM.
  6. You can schedule a periodic reboot of the Instant Clones, which causes the Instant Clone machines to refresh (revert) from the parent VM.
  7. Instant Clones require Distributed vSwitch and Distributed Port Group with Static Binding and Fixed Allocation. Standard vSwitch is not supported. See the YouTube video Multi VLAN and vGPU for Instant Clones in VMware Horizon 7.1.

The other Linked Clone option is Horizon Composer. Here are some notes:

  • When Composer creates Linked Clones, Composer uses SysPrep with Customization Specifications. SysPrep is slow.
  • SysPrep is also used whenever the RDS farm is updated with a new master image snapshot.
  • No View Storage Accelerator.
  • No Rebalance.
  • No Refresh. The machines are persistent until you Recompose the farm.
    • The delta disks continue to grow until you Recompose the farm.
    • You can enable Space Reclamation to shrink the delta disks as files are deleted.

Customization Specification – Composer Linked Clones only

If you are using Instant Clones (7.1 and newer), then skip to creating the RDS farm. Customization Specifications are only needed for Composer Linked Clones.

  1. In vCenter, from the Home page, click Customization Specification Manager.
  2. Click the icon to create a new Customization Specification.
  3. In the Specify Properties page, give the spec a name and click Next.
  4. In the Set Registration Information page, enter your normal settings and click Next.
  5. In the Set Computer Name page, select Use the virtual machine name and click Next.
  6. In the Enter Windows License page, select Per seat and click Next.
  7. In the Set Administrator Password page, enter the local administrator password and click Next.
  8. In the Time Zone page, select the time zone and click Next.
  9. In the Run Once page, click Next.
  10. In the Configure Network page, leave it set to Use standard network settings. Horizon requires the VMs to be configured for DHCP. Click Next.
  11. In the Set Workgroup or Domain page, enter credentials that can join the machines to the domain, and click Next.
  12. In the Set Operating System Options page, leave the box checked, and click Next.
  13. In the Ready to complete page, click Finish.

Create an Automatic Farm – Instant Clones and Composer Linked Clones

To create an RDS Farm of linked clones, do the following:

  1. Make sure your RDS master Agent has the VMware Horizon Instant Clone Agent or VMware Horizon View Composer Agent feature installed. You can install one or the other, but not both.
  2. Make sure your RDS master Agent is configured for DHCP.
  3. Computer Group Policy – Make sure the Master VM is in the same OU as the Linked Clones so the Master VM will get the computer-level GPO settings. Run gpupdate on the master after moving the VM to the correct OU. New Instant Clones do not immediately refresh group policy so the group policy settings must already be applied to the master VM. See VMware 2150495 Computer-based Global Policy Objects (GPOs) that require a reboot to take effect are not applied on instant clones.
  4. Shut down the master image.
  5. Edit the specs of the master VM to match the specs you want the linked clones to have.
  6. Take a snapshot of the master image.
  7. In Horizon Administrator, on the left, expand Resources, and click Farms.
  8. On the right, click Add.
  9. In the Type page, select Automated Farm, and click Next.
  10. In the vCenter Server page, select Instant clones or View Composer linked clones depending on which agent you have installed on your RDS master Agent machine.
  11. Select the vCenter Server, and click Next.
  12. In the Identification and Settings page, enter a name for the Farm. A VM folder with the same name will be created in vCenter.
  13. In the Farm Settings section, set Default Display protocol to VMware Blast.
  14. In Horizon 7.3.1 and newer, if you set the Default display protocol to PCoIP, then HTML5 Blast won’t work unless Allow users to choose protocol is set to Yes. See VMware Communities Upgraded from 7.0.1 to 7.3.1, getting “You cannot access your applications or desktops”… error.  💡
  15. Horizon 7.2 supports Pre-launch. If pre-launch is enabled on a published app, when the user logs into Horizon Client, an empty RDS Session is immediately established. When the user double clicks an icon, the program launches quickly since there’s already a pre-launched session. When the user closes Horizon Client, the pre-launch session is disconnected for the duration specified here. The minimum duration is 10 minutes.
  16. For Empty session timeout, set it to 1 minute. For When timeout occurs, set it to Log off. You usually want the session to end when users close all of their applications.
  17. For Log off disconnected sessions, specify a disconnect timer. This is in addition to the idle timer configured in View Configuration > Global Settings.
  18. To access the Pools/Farm from a web browser using HTML Blast, check the Enabled box next to Allow HTML Access.
  19. Horizon 7.4 adds a new Allow Session Collaboration checkbox.

    1. This setting enables a VMware Horizon Collaboration icon in the system tray of the remote desktop, which lets you invite users to collaborate.

    2. The invite is a URL that you can run (or click) on the collaborator’s machine that has Horizon Client 4.7 or newer installed.
    3. To give control to the collaborator, double-click the green icon to open the Session Collaboration window. Or open the icon in the system tray.

    4. Adam Gleeson at VMware Horizon Virtual Desktop Session Collaboration explains the limitations of this feature.  💡
  20. Click Next.
  21. In the Provisioning Settings page, enter a naming pattern. Make sure the name includes {n:fixed=3} or something like that.
  22. Enter the number of machines to create, and click Next.
  23. In the Storage Optimization page, click Next.
  24. In the vCenter Settings page, click Browse next to each option, and make a selection.
  25. When selecting a datastore, Instant Clones sets the Storage Overcommit to Unbounded automatically. For Composer Linked Clones, set it to Unbounded. Click OK, and then click Next.

  26. If Composer, in the Advanced Storage Options page, decide if you want space reclamation or not. Space reclamation does reduce disk space but increases IOPS while the operation is occurring. If space reclamation is enabled, also configure a Blackout window so the increased IOPS does not affect production usage. Scroll down.
  27. If you scroll down, you’ll see an option for Transparent Page Sharing. By default it is disabled. You can enable it by setting it to Global. This should reduce some memory consumption. Click Next.
  28. For both Instant Clones and Composer, in the Guest Customization page, select an OU.
  29. Consider the Allow reuse of pre-existing computer accounts check box.
  30. For Composer Linked Clones, select a customization specification, and click Next.
  31. In the Ready to Complete page, click Finish.
  32. If you double-click the farm, on the RDS Hosts tab, you can see the progress of the farm creation operation.
  33. If Composer, since RDS Farms use SysPrep, it will take some time before they become available.
  34. Once the RDS Hosts are created, you publish resources from them by either creating a Desktop Pool, or an Application Pool, or both.

Add more RDS Hosts to an Automatic Farm – Instant Clones and Composer Linked Clones

  1. On the left, expand Resources, and click Farms.
  2. On the right, highlight an existing Automated Farm, and click Edit.
  3. Switch to the Provisioning Settings tab, and change the Max number of machines. Then click OK.
  4. For Instant Clones, if the parent VM is already running on the destination host/datastore, then it should only take a minute to add the new VM.
  5. Composer Linked Clones use SysPrep, which takes a while to add the virtual machines. The new VMs reboot several times during the provisioning and customization process.
  6. The farm now has new RDS host(s).

Update an Automatic Farm – Instant Clones and Composer Linked Clones

  1. Power on the master session host.
  2. If App Volumes agent is installed, you might have to disable svservice before you can make changes. See VMware 2129528 Virtual Machine changes are not saved in App Volumes.  💡
  3. After making your changes, shut down the master session host.
  4. Right-click the virtual machine and take a snapshot. You must create a new snapshot.
  5. Name the snapshot, and click OK.
  6. You’ll need to periodically delete the older snapshots. Right-click the master VM, and click Manage Snapshots.
  7. Delete one or more of the snapshots.
  8. In View Administrator, go to Resources > Farms.
  9. Double-click a farm name.
  10. For Composer Linked Clones, before beginning the Maintenance/Recompose operation, edit the Farm, and on the Provisioning Settings tab, consider specifying a minimum number of ready machines during Instant Clone (or View Composer) maintenance operations. If you leave this set to 0, then all machines will be in maintenance mode, and nobody can connect until Maintenance/Recompose is complete. Instant Clones are recreated quickly enough that this setting might not be needed.
  11. If Instant Clones, on the Summary tab, click Maintenance, and then click Schedule.
  12. If Composer Linked Clones, on the Summary tab, click Recompose.
  13. Instant Clones lets you either schedule recurring reboots, or you can change the Schedule to Immediate to update the machines now (or one time in the future). Click Next.
  14. In the Image page, uncheck the box next to Use current parent VM image, select the new snapshot, and click Next.

  15. In the Scheduling page, decide if the reboot should wait for users to logoff, decide when to apply this new image, and then click Next.

  16. In the Ready to Complete page, click Finish.

  17. On the RDS Hosts tab, you can check on the status of the maintenance/recompose task.
  18. If Instant Clones, it will take a few minutes to create a new parent VM. Once the parent VM is created, the Instant Clones are quickly deleted and recreated.
  19. If Composer Linked Clones, Composer uses SysPrep, which means this will take a while.

Instant Clones Maintenance

  1. If you double-click an RDS Farm that contains Instant Clones, and switch to the RDS Hosts tab, you can right-click a machine, and click Recover. This causes the VM to be deleted and recreated, thus reverting to the master image snapshot.

  2. On the Summary tab of the RDS Farm, you can click Maintenance > Schedule to schedule a reboot of every VM in the RDS Farm. Rebooting causes the VMs to revert to the master image snapshot.
  3. Specify how often you want the reboot to occur, and then click Next.
  4. In the Image page, you don’t have to change the snapshot. Click Next.
  5. Decide what to do about logged on users, and click Next.
  6. In the Ready to Complete page, click Finish.
  7. If you click the Maintenance menu again, you can click Reschedule to change when the reboots are scheduled. Or click Cancel.
  8. If you click Schedule again, you can only schedule a one-time update, typically to replace the master image snapshot used by the RDS Farm.
  9. In Horizon 7.1 and newer, ESXi hosts running Instant Clones can be placed into maintenance mode without any special instructions.

RDS Farms – Manual

To create a manual RDS Farm (no linked clones), do the following:

  1. Make sure the View Composer Agent is not installed on your RDS servers and make sure you saw the screen to register the Agent with a Horizon Connection Server.
  2. In View Administrator, expand View Configuration and click Registered Machines. Make sure your manually-built RDS Host is registered and listed on the RDS Hosts tab.

  3. In View Administrator, on the left, expand Resources and click Farms.
  4. On the right, click Add.
  5. In the Type page, select Manual Farm and click Next.
  6. In the Identification and Settings page, enter a name for the Farm.
  7. In the Farm Settings section, set the Default display protocol to VMware Blast.
  8. Horizon 7.2 adds pre-launch. If pre-launch is enabled on a published app, when the user logs into Horizon Client, an empty RDS Session is immediately established. When the user double clicks an icon, the program launches quickly since there’s already a pre-launched session. When the user closes Horizon Client, the pre-launch session is disconnected for the duration specified here. The minimum duration is 10 minutes.
  9. For Empty session timeout, set it to 1 minute. For When timeout occurs, set it to Log off. You usually want the session to end when users close all of their applications.
  10. For Log off disconnected sessions, specify a disconnect timer. This is in addition to the idle timer configured in View Configuration > Global Settings.
  11. Check the Enabled box next to Allow HTML Access.
  12. Horizon 7.4 adds a new Allow Session Collaboration checkbox.

    1. This setting enables a VMware Horizon Collaboration icon in the system tray of the remote desktop, which lets you invite users to collaborate.

    2. The invite is a URL that you can run (or click) on the collaborator’s machine that has Horizon Client 4.7 or newer installed.
    3. To give control to the collaborator, double-click the green icon to open the Session Collaboration window. Or open the icon in the system tray.

  13. Click Next.
  14. In the Select RDS Hosts page, select one or more identical Remote Desktop Session Hosts. Click Next.
  15. In the Ready to Complete page, click Finish.

Add RDS Host to Manual Farm

  1. On the left, expand Resources and click Farms.
  2. On the right, double-click an existing Farm.
  3. On the right, switch to the RDS Hosts tab and click Add.
  4. Select the new RDS host and click OK.
  5. The farm now has a new RDS host.

Published Desktop

To publish a desktop from an RDS farm, do the following:

  1. In View Administrator, on the left, expand Catalog, and click Desktop Pools.
  2. On the right, click Add.
  3. In the Type page, select RDS Desktop Pool, and click Next.
  4. In the Desktop Pool Identification page, enter an ID and name. They can be different. Click Next.
  5. In the Desktop Pool Settings page:
    1. Horizon 7.3 lets you select a Category Folder where the published icon will be placed on the client’s Start Menu. This applies to Horizon Client 4.6 and newer. See Configuring Start Menu Shortcuts for Desktop and Application Pools at VMware Docs.

    2. Horizon 7.3 adds a checkbox named Client Restrictions. When this is enabled, you can add Client Computer Accounts to an AD Group and entitle the published desktop to that AD group. The published desktop can then only be accessed from the client computers in the AD group. Notes:
  6. Click Next.
  7. In the Select an RDS farm page, select a farm, and click Next.
  8. In the Ready to Complete page, check the box next to Entitle users after this wizard finishes, and click Finish.
  9. In the Entitlements window, click Add.
  10. Browse to an Active Directory group, and click OK.
  11. Then click Close.
  12. If you go to Resources > Farms and double-click your farm, there will be an RDS Pools tab, where you can see which Desktop Pool is associated with this farm.

Published Applications

  1. In View Administrator, on the left, expand Catalog, and click Application Pools.
  2. On the right, click Add.
  3. The purpose of this wizard is to publish applications from an RDS Farm, and entitle them. The entitlements will apply to all of the applications you select on this page. If you want different entitlements for different applications, run this wizard multiple times, and select different applications. Once the applications are published, you can change their entitlements individually.
  4. Select one or more applications.
  5. There are additional options at the bottom of the window.

    1. Horizon 7.2 adds a Pre-launch option for published applications. Enable it on at least one application, and entitle the application to the users that need the Pre-launch feature.
    2. Horizon 7.2 adds the ability to assign tags (Connection Server restrictions) to RDS Desktop Pools.
    3. Horizon 7.3 lets you select a Category Folder where the published icon will be placed on the client’s Start Menu. This applies to Horizon Client 4.6 and newer. See Configuring Start Menu Shortcuts for Desktop and Application Pools at VMware Docs.
    4. Horizon 7.3 adds a checkbox named Client Restrictions. When this is enabled, you can add Client Computer Accounts to an AD Group and entitle the published application to that AD group. The published application can then only be accessed from the client computers in the AD group. Notes:
  6. Click Next when done.
  7. Or you can add an application manually by changing the radio button to Add application pool manually. Notice that Explorer is not one of the listed applications, so Explorer will need to be added manually.

    • When publishing Explorer, add the /separate switch. This prevents the full desktop from appearing when launching published Explorer through HTML Blast (Source = RDS Desktop being presented when opening an app at VMware Communities)  💡
  8. Notice the Entitle users box is checked by default. All of the applications in this list will receive the same entitlements. Click Finish.
  9. Then click Add to select a group that can see these icons.
  10. Horizon 7.1 and newer supports Unauthenticated users, which is detailed at Providing Unauthenticated Access for Published Applications at VMware Docs. Click OK when done.
  11. You can run the wizard again to publish more applications with different entitlements.
  12. If you double-click one of the application pools, on the Entitlements tab, you can change the entitlements.
  13. In Horizon 7.1 and newer, icons for the published apps can be changed using PowerShell. See the YouTube video Customizing Horizon RDSH Application Icons.
  14. If you go to Resources > Farms, double-click your farm, and switch to the RDS Pools tab, you can see which Application Pools (published applications) are associated with this farm. Notice you can’t really do anything from here.

Anti-affinity

You can configure Horizon to restrict the number of instances of an application running on a particular RDS host. Here are some limitations:

  • If the user already has a session then anti-affinity is ignored.
  • If the application is launched from within an RDS Desktop then anti-affinity is ignored.
  • Not recommended for Horizon Mobile clients.

See Configure an Anti-Affinity Rule for an Application Pool at VMware Docs.

Do the following to configure Anti-Affinity:

  1. On the left, expand Catalog, and click Application Pools.
  2. On the right, edit an existing app/pool.
  3. In the Anti-Affinity Patterns field, enter process names to match. Wildcards are supported. Each match is counted.
  4. In the Anti-Affinity Count field, enter the maximum number of matches that can run on a single RDS Host.


VMware Horizon 7.4 – Master RDS Host

Last Modified: Mar 31, 2018 @ 10:46 am


Use this post to build a Windows Server Remote Desktop Session Host that will be used as the source image for additional cloned Remote Desktop Session Hosts. Or you can build each Remote Desktop Session Host manually using the steps detailed in this post. Virtual Desktop is detailed in a separate article.

This post applies to all VMware Horizon versions 7.0 and newer, including 7.3.2 and 7.4.0.


Hardware

  • The session host pools will use the same hardware specs (e.g. vCPUs, memory size, network label) specified on the master session host. Adjust accordingly.
  • As of 7.0.3, Windows Server 2016 is supported for Horizon View Agents.
  • For 2012 R2 or newer, set the vCPUs to 8. For 2008 R2, set the vCPUs to 4. Two is the minimum. See VMware whitepaper for more information.
  • Typical memory for an 8 vCPU session host is 24 – 48 GB (e.g. 32 GB).
  • For New Hard disk, consider setting Thin provision. And increase the size so it can store the locally cached profiles (C:\Users).
  • The session host should be configured with a VMXNET 3 network adapter.
  • When building the master session host, you will probably boot from an ISO. When you are ready to create the pool (RDS farm), ensure the CD/DVD drive points to Client Device, and is not Connected. The important part is to make sure no ISO file is configured.
  • There’s no need for the Floppy drive so remove it.
  • If you have any Serial ports, remove them.

NIC Hotplug – Disable

  1. Users could use the systray icon to Eject the Ethernet Controller. Obviously this is bad.
  2. To disable this functionality, power off the virtual machine.
  3. Once powered off, right-click the virtual machine, and click Edit Settings.
  4. On the VM Options tab, expand Advanced, and then click Edit Configuration.
  5. Click Add Row.
  6. On the left, enter devices.hotplug. On the right, enter false.
  7. Then click OK a couple times to close the windows.
  8. The VM can then be powered on.

VMware Tools

VMware Tools includes the Shared Folders feature, which prevents roaming profiles from being deleted properly. When installing VMware Tools, make sure you deselect Shared Folders so it is not installed.

After installing VMware Tools, open Registry Editor and go to HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order. Look in the ProviderOrder value on the right, and ensure that vmhgfs is not listed. If it is, remove it.

Windows

Disable Internet Explorer Enhanced Security Config

  1. In Server Manager, switch to the Local Server page.
  2. On the far right, click the link for On next to IE Enhanced Security Configuration.
  3. Click Off for both Administrators and Users. Click OK.

User Account Control and SmartScreen

This section is optional.

  1. If Windows 2012 R2, right-click the flag icon by the clock, and click Open Action Center. Or launch it from the Start Menu.
  2. Or if Windows Server 2016, go to Security and Maintenance in the Control Panel.
  3. On the left, click Change User Account Control settings.
  4. To disable UAC, move the slider down to Never Notify, and click OK. Or you can leave it enabled if your security standards require it.
  5. Back in Action Center (or Security and Maintenance), on the left, click Change Windows SmartScreen settings.
  6. Make your selection regarding SmartScreen, and click OK.

Windows Update

Whenever you deploy a virtual machine from a template and SysPrep is executed during the cloning process, all Windows Update settings are reset. You must reconfigure Windows Update on every new virtual machine (or use group policy).

  1. In Server Manager, click Local Server on the left. Then on the right, click the link for Last checked for updates.
  2. In Windows Server 2012 R2, on the left, click Change settings.
  3. If Windows Server 2016, click Advanced Options.
  4. If Windows Server 2012 R2, check the box next to Give me updates for other Microsoft products when I update Windows, and click OK.
  5. If Windows Server 2016, check the box next to Give me updates for other Microsoft products when I update Windows, and then click the back button. Then click Check for Updates.

  6. Windows Update will automatically start checking for updates.
  7. Install any updates it recommends.

Windows Server 2008 R2 Hotfixes

Local Administrators Group

If the Horizon Administrators and members of the Domain Admins group are the same people, then there is nothing to change. Otherwise, add your Horizon Admins group to the local Administrators group.

  1. In Server Manager, open the Tools menu, and click Computer Management. Or launch it by right-clicking the Start Button.
  2. Add the Horizon Admins group to the local Administrators group.

Remote Desktop Session Host

Role and Features – Windows Server 2012 and newer

If this session host is Windows Server 2008 R2, then skip to the next section.

  1. In Server Manager, open the Manage menu, and click Add Roles and Features.
  2. On the Installation Type page, leave it set to Role-based or feature-based installation.
  3. Click Next until you get to the Server Roles page.
  4. Check the box next to Remote Desktop Services, and click Next.
  5. If Windows Server 2012 R2, expand User Interfaces and Infrastructure, and check the box next to Desktop Experience. This adds a bunch of features like Themes, Windows Media Player, Flash, etc. This feature is already installed in Windows Server 2016.
  6. To verify Remote Desktop Services licensing, expand Remote Server Administration Tools > Role Administration Tools > Remote Desktop Services Tools, and check the box next to Remote Desktop Licensing Diagnoser Tool. Click Next when done.
  7. In the Select role services page, check the box next to Remote Desktop Session Host, and click Next.
  8. Then click Install. Restart is required.

Windows Roles – Windows Server 2008 R2

If this session host is running Windows 2008 R2, then the instructions are slightly different.

  1. In Server Manager, right-click Roles, and click Add Roles.
  2. In the Before You Begin page, click Next.
  3. In the Select Server Roles page, check the box next to Remote Desktop Services, and click Next.
  4. In the Introduction to Remote Desktop Services page, click Next.
  5. In the Select Role Services page, check the box next to Remote Desktop Session Host, and click Next.
  6. In the Uninstall and Reinstall Applications for Compatibility page, click Next.
  7. In the Specify Authentication Method for Remote Desktop Session Host page, select Do not require Network Level Authentication, and click Next.
  8. In the Specify Licensing Mode page, select Per User, and click Next.
  9. In the Select User Groups Allowed Access to this RD Session Host Server page, click Add. Browse for Authenticated Users (on the local machine), and click Next.
  10. In the Configure Client Experience page, check the boxes for Audio and video playback and Desktop composition. This causes Desktop Experience to be installed. Click Next.
  11. In the Confirm Installation Selections page, click Install.
  12. In the Installation Results page, click Close.
  13. Click Yes when you are prompted to restart now.
  14. Log in to the server. Then click Close.

Remote Desktop Licensing Configuration

The only way to configure Remote Desktop Licensing in Windows Server 2012 or newer is using group policy (local or domain). This also works for Windows Server 2008 R2.

  1. For local group policy, run gpedit.msc.
  2. Go to Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Licensing.
  3. Double-click Use the specified Remote Desktop license servers. Change it to Enabled, and enter the names of the Remote Desktop Licensing Servers. Click OK.
  4. Double-click Set the Remote Desktop licensing mode. Change it to Enabled, and select Per User. Click OK.
  5. In Server Manager, open the Tools menu, expand Terminal Services (or Remote Desktop Services), and click RD Licensing Diagnoser.
  6. The Diagnoser should find the license server and indicate the licensing mode. It’s OK if there are no licenses installed on the Remote Desktop License Server.

C: Drive Permissions

The default permissions allow users to store files on the C: drive in places other than their profile.

  1. Open the Properties dialog box for C:\.
  2. On the Security tab, click Advanced.
  3. Highlight the line containing Users with Create Folders permission, and click Remove.
  4. Highlight the line containing Users with Create Files permission, and click Remove.
  5. Click OK to close the Advanced Security Settings window.
  6. Click Yes to confirm the permissions change.
  7. If you see any of these Error Applying Security windows, click Continue.
  8. Click OK to close the C: drive properties.
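
The settings above can be checked before the master image is snapshotted. This added example (not part of the original post) is a read-only audit of three of them: the VMware Tools ProviderOrder value, the Remote Desktop licensing policy, and the Users entries on C:\. It assumes PowerShell 3.0 or newer in an elevated session, and that the licensing policy is stored under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services (LicenseServers, LicensingMode), which is where the two group policy settings are written.

```powershell
# Added example: read-only audit of master RDS host settings described on this page.
# Nothing is modified; each function returns one result object.

function Test-VmhgfsProvider {
    # VMware Tools section: vmhgfs (Shared Folders) must not be in ProviderOrder.
    $key   = 'HKLM:\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order'
    $order = (Get-ItemProperty -Path $key -Name ProviderOrder).ProviderOrder
    # ProviderOrder is one comma-separated string.
    $providers = @($order -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    [pscustomobject]@{
        Check  = 'ProviderOrder has no vmhgfs'
        Pass   = $providers -notcontains 'vmhgfs'
        Detail = $order
    }
}

function Test-RdsLicensingPolicy {
    # Remote Desktop Licensing Configuration section.
    # Assumption: policy registry location below; LicensingMode 4 = Per User, 2 = Per Device.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $servers = if ($p) { $p.LicenseServers }
    $mode    = if ($p) { $p.LicensingMode }
    [pscustomobject]@{
        Check  = 'RD licensing: servers set, mode Per User'
        Pass   = [bool]$servers -and ($mode -eq 4)
        Detail = "LicenseServers='$servers' LicensingMode='$mode'"
    }
}

function Test-RootDriveAcl {
    # C: Drive Permissions section: BUILTIN\Users (S-1-5-32-545) should hold no
    # Allow entry with Create Files (WriteData) or Create Folders (AppendData).
    # Only these specific bits are tested; generic-rights entries are not expanded.
    $mask  = [int][System.Security.AccessControl.FileSystemRights]'CreateFiles, CreateDirectories'
    $acl   = Get-Acl -Path 'C:\'
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    $hits  = @($rules | Where-Object {
        $_.IdentityReference.Value -eq 'S-1-5-32-545' -and
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.FileSystemRights -band $mask) -ne 0)
    })
    $detail = ($hits | ForEach-Object {
        "$($_.FileSystemRights) [inherit: $($_.InheritanceFlags); propagate: $($_.PropagationFlags)]"
    }) -join '; '
    [pscustomobject]@{
        Check  = 'Users cannot create files/folders on C:\'
        Pass   = $hits.Count -eq 0
        Detail = $detail
    }
}

$results = @(Test-VmhgfsProvider; Test-RdsLicensingPolicy; Test-RootDriveAcl)
$results | Format-Table -AutoSize -Wrap

if ($results.Pass -contains $false) {
    Write-Warning 'One or more master image checks failed; fix them before taking the snapshot.'
}
```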

Installs

Install/Upgrade VMware Horizon Agent 7.4

View Agent for RDS Hosted Apps Desktops is missing a few features:

To install View Agent on Remote Desktop Services, do the following:

  1. Download Horizon 7.4.0 Agent.
  2. Run the downloaded VMware-viewagent-x86_64-7.4.0.exe.
  3. If you want the URL Content Redirection feature, then you must run the Agent installer with the following switches: /v URL_FILTERING_ENABLED=1
  4. In the Welcome to the Installation Wizard for VMware Horizon Agent page, click Next.
  5. In the License Agreement page, select I accept the terms, and click Next.

  6. In the Network protocol configuration page, select IPv4, and click Next.
  7. In the Custom Setup page, several features are disabled by default. Feel free to enable them.
    1. In Horizon Agent 7.1 and newer, VMware Horizon Instant Clone Agent is an option. You can enable either Instant Clone Agent, or Composer Agent, but not both. Or you can leave both unselected so you can add the machine to a Manual RDS Farm. You can’t add this RDS Host to a Manual RDS Farm unless both options are deselected.
    2. Horizon 7.2 and newer have VMware Virtualization Pack for Skype for Business. See Configure Skype for Business at VMware Docs for details.
    3. If you want Scanner Redirection, then enable that feature. Do the same for USB Redirection. Note: Scanner Redirection will impact host density.

    4. Horizon 7.3 adds HTML5 Multimedia Redirection. This feature only works in Google Chrome, by force installing a Chrome plug-in. And it requires a whitelist specified in a group policy. See Configuring HTML5 Multimedia Redirection at VMware Docs.

      • If the feature is working, then the Chrome extension will show REDR.
      • And you’ll see HTML5VideoPlayer.exe on the client side.
    5. Horizon 7.4 adds Device Bridge BAS Plugin, which is used to redirect fingerprint scanners. See Install the Device Bridge BAS Plugin at VMware Docs.
  8. Click Next when done making selections.
  9. Click OK to acknowledge the USB redirection message.
  10. If you see the Register with Horizon 7 Connection Server page, enter the name of a Horizon Connection Server, and click Next. You only see this page if you deselected both View Composer Agent and Instant Clone Agent features.
  11. In the Ready to Install the Program page, click Install.
  12. In the Installer Completed page, click Finish.
  13. Click Yes to restart the server.
  14. If you want to know what features were selected, look in C:\ProgramData\VMware\logs for the latest vmmsi.log_<date>.log file. Search for Feature : to find the list. The ones with Request: Local were installed. More info at Paul Grevink View Agent, what is installed?

  15. To verify installation of the URL Content Redirection feature, check for the presence of C:\Program Files\VMware\VMware View\Agent\bin\UrlRedirection.
  16. There’s also a new IE add-on.
  17. URL Content Redirection is configured using group policy.
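
The log check from step 14, scripted so the installed redirection features on a host can be reviewed quickly. This is an added example, not code from the original article or from VMware; the log folder and file-name pattern are the ones given above, the line layout is the standard Windows Installer feature-state format, and the sample lines (including their feature names) are constructed.

```powershell
# Added example (not from the original article): list the Horizon Agent MSI
# features that were requested for local install, read from the newest vmmsi log.

function Get-AgentFeatureState {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [AllowEmptyString()]
        [string]$Line
    )
    begin {
        # Windows Installer writes one feature-state line per feature:
        #   Feature: <name>; Installed: <state>; Request: <state>; Action: <state>
        $pattern = 'Feature\s*:\s*(?<Name>[^;]+);\s*Installed:\s*(?<Installed>[^;]+);' +
                   '\s*Request:\s*(?<Request>[^;]+);\s*Action:\s*(?<Action>[^;\s]+)'
    }
    process {
        if ($Line -match $pattern) {
            [pscustomobject]@{
                Feature   = $Matches['Name'].Trim()
                Installed = $Matches['Installed'].Trim()
                Request   = $Matches['Request'].Trim()
                Action    = $Matches['Action'].Trim()
            }
        }
    }
}

# Constructed sample lines, used only when no log is present on this machine.
$sampleLog = @(
    'MSI (s) (1C:20) [10:15:02:114]: Feature: Core; Installed: Absent;   Request: Local;   Action: Local'
    'MSI (s) (1C:20) [10:15:02:114]: Feature: USB; Installed: Absent;   Request: Local;   Action: Local'
    'MSI (s) (1C:20) [10:15:02:114]: Feature: ScannerRedirection; Installed: Absent;   Request: Null;   Action: Null'
    'MSI (s) (1C:20) [10:15:02:115]: Component: Placeholder; Installed: Absent;   Request: Local;   Action: Local'
)

$logDir = 'C:\ProgramData\VMware\logs'
$latest = $null
if (Test-Path -LiteralPath $logDir) {
    # Newest vmmsi.log_<date>.log file
    $latest = Get-ChildItem -LiteralPath $logDir -Filter 'vmmsi.log_*.log' -File |
        Sort-Object LastWriteTime -Descending |
        Select-Object -First 1
}
$lines = if ($latest) { Get-Content -LiteralPath $latest.FullName } else { $sampleLog }

# "Request: Local" marks a feature that was installed; a feature can be logged
# more than once during a single install, so de-duplicate on the name.
$lines | Get-AgentFeatureState |
    Where-Object Request -eq 'Local' |
    Sort-Object Feature -Unique |
    Format-Table Feature, Installed, Request, Action
```

Comparing the output across hosts in a farm shows whether optional features such as USB or Scanner Redirection were enabled on some hosts and not others.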

Install/Upgrade User Environment Manager Engine

If you are licensed for User Environment Manager (Horizon Enterprise Edition), install the User Environment Manager Engine. Note: UEM 9.1 and newer can also work without Active Directory (Group Policy); see VMware 2148324 Configuring advanced UEM settings in NoAD mode for details.

  1. Make sure Prevent access to registry editing tools is not enabled in any GPO. This setting prevents the FlexEngine from operating properly.
  2. Download User Environment Manager 9.3.
  3. Run the extracted VMware User Environment Manager 9.3.0 x64.msi.
  4. In the Welcome to the VMware User Environment Manager Setup Wizard page, click Next.
  5. In the End-User License Agreement page, check the box next to I accept the terms, and click Next.
  6. In the Destination Folder page, click Next.
  7. The Choose Setup Type page appears. By default, the installer only installs the engine. You can click Custom or Complete to also install the Management Console.

  8. In the Choose License File page, if installing on a View Agent, then no license file is needed. Click Next.
  9. Otherwise, Browse to the license file, and then click Next.
  10. In the Ready to install VMware User Environment Manager page, click Install.
  11. In the Completed the VMware User Environment Manager Setup Wizard page, click Finish.

Horizon Agent Load Balancing Script

If you have multiple identical Remote Desktop Services Hosts in a single RDS Farm, by default, VMware Horizon uses a least connections Load Balancing algorithm. You can change this to performance-based Load Balancing by configuring scripts on each RDS Host. See Configuring Load Balancing for RDS Hosts at VMware Docs.

There are only three levels of load: HIGH, MED, and LOW. Within a load level, Horizon selects an RDS server at random.

Do the following to configure the Load Balancing script:

  1. The script must be placed at C:\Program Files\VMware\VMware View\Agent\scripts on every RDS Host. VMware provided a couple sample scripts that you can use. One script only looks at CPU and the other script only looks at Memory. If you write your own script, make sure it exists in this folder on every RDS Host in the RDS Farm.
  2. Open Services, and configure the VMware Horizon View Script Host service to run automatically.

  3. Then start the service.
  4. In regedit, go to HKLM\Software\VMware, Inc.\VMware VDM\ScriptEvents\RdshLoad.
  5. Create a new String Value. It doesn’t matter what you name it but the script name is recommended.
  6. Modify the String Value and enter cscript.exe "PathToScript". For example: cscript.exe "C:\Program Files\VMware\VMware View\Agent\scripts\cpuutilisation.vbs"
  7. After setting the registry value, restart the VMware Horizon View Agent service.
  8. After you later add this RDS Host to an RDS Farm in Horizon Administrator, click the Dashboard view.
  9. Expand RDS Farms, expand the farm, and click the RDS Host.
  10. Make sure the Server load is reported.
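
Steps 1 through 7 as a single PowerShell function that can be run on every RDS Host in the farm. This is an added example, not code from the article or from VMware; the service display names, registry key and script path are the ones given above. The ACL check is an addition that assumes the script host launches the script with service-level privileges, so it refuses to register a script that non-administrators can modify.

```powershell
#Requires -RunAsAdministrator
# Added example (not VMware's or the article's code): register a Horizon RDS
# load-balancing script and restart the services that consume it.

function Set-RdshLoadScript {
    [CmdletBinding()]
    param(
        [string]$ScriptPath = 'C:\Program Files\VMware\VMware View\Agent\scripts\cpuutilisation.vbs',
        # Any value name works; the article recommends the script name.
        [string]$ValueName  = 'cpuutilisation'
    )

    $regKey = 'HKLM:\SOFTWARE\VMware, Inc.\VMware VDM\ScriptEvents\RdshLoad'

    # Step 1: the script must exist in the Agent scripts folder on this host.
    if (-not (Test-Path -LiteralPath $ScriptPath -PathType Leaf)) {
        throw "Load script not found: $ScriptPath"
    }

    # Added hardening check (assumption: the script runs with service privileges).
    # Allow write access only for SYSTEM, Administrators and TrustedInstaller.
    $trusted = @(
        'S-1-5-18',
        'S-1-5-32-544',
        'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'
    )
    $rights    = [System.Security.AccessControl.FileSystemRights]
    $writeMask = [int]($rights'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership') -bor
                 0x10000000 -bor 0x40000000   # GENERIC_ALL, GENERIC_WRITE
    $sidType   = [System.Security.Principal.SecurityIdentifier]

    $risky = (Get-Acl -LiteralPath $ScriptPath).GetAccessRules($true, $true, $sidType) |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            (([int]$_.FileSystemRights) -band $writeMask) -ne 0 -and
            ($trusted -notcontains $_.IdentityReference.Value)
        }
    if ($risky) {
        $who = ($risky | ForEach-Object { $_.IdentityReference.Value }) -join ', '
        throw "Refusing to register '$ScriptPath'; it is writable by: $who"
    }

    # Steps 2-3: script host service set to Automatic and started.
    $scriptHost = Get-Service -DisplayName 'VMware Horizon View Script Host' -ErrorAction Stop
    Set-Service   -Name $scriptHost.Name -StartupType Automatic
    Start-Service -Name $scriptHost.Name

    # Steps 4-6: String Value holding the cscript.exe command line.
    if (-not (Test-Path -LiteralPath $regKey)) {
        New-Item -Path $regKey -Force | Out-Null
    }
    $command = 'cscript.exe "{0}"' -f $ScriptPath
    New-ItemProperty -Path $regKey -Name $ValueName -PropertyType String `
        -Value $command -Force | Out-Null

    # Step 7: the Agent reads the value when it starts.
    Get-Service -DisplayName 'VMware Horizon View Agent' -ErrorAction Stop |
        Restart-Service -Force

    # Return what was written so the result can be compared across hosts.
    Get-ItemProperty -Path $regKey -Name $ValueName |
        Select-Object -ExpandProperty $ValueName
}

Set-RdshLoadScript
```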

Antivirus

VMware Tech Paper Antivirus Considerations for VMware Horizon 7: exclusions for Horizon View, App Volumes, User Environment Manager, ThinApp

Install antivirus using your normal procedure. Instructions vary for each Antivirus product.

Microsoft’s virus scanning recommendations (e.g. exclude group policy files) – http://support.microsoft.com/kb/822158.

Symantec

Symantec has a document at Citrix and terminal server best practices for Endpoint Protection detailing best practices when deploying Symantec Endpoint Protection to session hosts.

Virtualization best practices for Endpoint Protection 12.1.2 and later

Virtualization best practices for Endpoint Protection 12.1.1 (RU1) and earlier

Install Applications

Install applications that will be executed on these machines.

VMware Tech Paper Best Practices for Delivering Microsoft Office 365 In VMware Horizon 7 with Published Applications describes how to install Office365 ProPlus Click-to-run with Shared Computer Activation.

VMware OS Optimization Tool

  1. See VMware Windows Operating System Optimization Tool Guide Technical Paper for details on this tool.
  2. Download the VMware OS Optimization Tool VMware fling.
  3. Run the downloaded VMwareOSOptimizationTool.exe.
  4. On the Public Templates tab, update or download templates.
  5. The My Templates tab lets you edit the templates. Click Copy and Edit first.
  6. On the Analyze tab, choose a template.
  7. Then click Analyze on the bottom of the window.
  8. On the Analyze tab, review the optimizations, and make changes as desired. Then on the bottom left, click Optimize.
  9. The History tab lets you rollback the optimizations.

Seal and Snapshot

  1. Go to the properties of the C: drive, and run Disk Cleanup.
  2. On the Tools tab, click Optimize to defrag the drive.
  3. Run slmgr.vbs /dlv and make sure it is licensed with KMS and has at least one rearm remaining.
  4. Run Delprof2 to clean up local profiles. Get it from http://helgeklein.com/download/.
  5. Make sure the master session host is configured for DHCP.
  6. Session hosts commonly have DHCP reservations.

  7. Run antivirus sealing tasks:
    1. Symantec: Run a full scan and then run the Virtual Image Exception tool – http://www.symantec.com/business/support/index?page=content&id=TECH173650
    2. Symantec: run the ClientSideClonePrepTool – http://www.symantec.com/business/support/index?page=content&id=HOWTO54706
  8. Login Base Image Script Framework (BIS-F) automates many image sealing tasks. The script is configurable using Group Policy.
  9. Shutdown the master session host.
  10. Edit the Settings of the master virtual machine, and disconnect the CD-ROM. Make sure no ISO is configured in the virtual machine.
  11. Take a snapshot of the master session host. View Composer and Instant Clone require a snapshot.

  12. You can now use Horizon View Administrator to create RDS Farms.

Full Clone Post-Cloning Tasks

If you used vCenter to clone the machine instead of using Horizon Composer, then after the machine is cloned, do the following on the cloned machine:

  1. Static IP – Configure a static IP address (or DHCP reservation).
  2. Windows Update – Run Windows Update. SysPrep always disables Windows Update so you must run it at least once to re-enable it.
  3. Join domain – Join the machine to the domain if SysPrep didn’t do it for you.
  4. Active Directory OU – Move the Active Directory computer object to the correct OU.
  5. Horizon Agent – uninstall the Horizon Agent and reinstall it so it registers with a Horizon Connection Server.
  6. Antivirus – Re-configure antivirus. Instructions vary for each product. Go to the antivirus vendor’s website and search for a cloning procedure.
  7. Firewall rules – Add the new machine to any firewall rules (PCoIP, Blast) between the Horizon Security Server and Horizon Agents.
  8. View Administrator – In View Administrator, add the new machine to a Remote Desktop Services farm.

VMware Horizon 7 – Virtual Desktop Pools

Last Modified: Mar 15, 2018 @ 10:54 am

This topic details Horizon configuration for Virtual Desktop Agents. RDS Farms are detailed at http://www.carlstalhood.com/vmware-horizon-7-rds-farmspools/.

This post applies to all VMware Horizon versions 7.0 and newer

Non-Persistent – Instant Clone vs Composer

In general, use Instant Clone, if possible. Here are some advantages of Instant Clone over Composer:

  • No Composer server needed
  • Faster provisioning and recompose – lower IOPS during these operations
  • Instant Clones are always non-persistent. Composer can be mis-configured to not refresh or delete on logoff.
  • If multiple datastores, rebalance is automatic. With Composer, rebalance is a manual operation.
  • Confusing Composer features like Persistent Disks, Disposable Disks, disk space reclamation, etc. are not needed with Instant Clones. Replica Storage Tiering is still an option for Instant Clone.

Requirements for Instant Clones:

  • Horizon Enterprise licenses
  • ESXi 6 Update 1 or newer
  • Virtual Machine hardware version 11 or newer
  • View Storage Accelerator must be enabled
  • Instant Clones were added to RDS Machines in Horizon 7.1 and newer.

Limitations of Instant Clones:

  • Horizon 7.3 and newer supports dedicated pools
  • Like Composer, the master VM snapshot is copied to every LUN containing linked clones. Unlike Composer, an additional machine called the “parent” machine is created on each host and each datastore. These “parent” machines are powered on and consume CPU/Memory/Disk resources.
  • The Master VM and the snapshot used by the Instant Clones cannot be deleted.

Also see VMware Technical White Paper VMware Horizon 7 Instant-Clone Desktops

Infrastructure Prep

  • Each pool points to one vSphere cluster. 32 hosts maximum. If Virtual SAN, 20 hosts maximum.
  • Ensure vSwitch has sufficient ports for the new virtual desktops.
  • Ensure the VLAN has enough DHCP addresses for the desktop pool.
    • Lower the DHCP lease time too.
  • KMS Licensing is required for Windows 7+ and/or Office 2010+
  • The virtual desktop pools will use the same hardware specs (e.g. vCPUs, memory size, network label, GPU) specified on the master virtual desktop. Adjust accordingly.
  • The parent image should be in the same cluster where the linked clone virtual desktops will be created.
  • If Instant Clone:

Disk space

  • One or more LUNs for storage of the virtual desktops. Maximum of 140 desktops per VMFS5 LUN. 250+ desktops per NFS LUN.
  • By default, Replicas are copied to each LUN that contains virtual desktops. It’s possible to place the Replica and the linked clones on separate LUNs. If you use a dedicated Replica LUN, then there is only one copy of the Replica no matter how many LUNs are used for storing virtual desktops. Note: NFS VAAI requires Replica to be copied to each virtual desktop LUN.
    • If Instant Clone, the “parent” VM on each datastore is powered on and consumes CPU, Memory, and disk space (.vmdk and .vswp).
  • If Composer:
    • Persistent disks can be used to store the user’s profile (but not user-installed applications). To enable Persistent disks, the pool must be Dedicated Assignment. You can place the persistent disks on a LUN that is separate from the linked clones LUN. A better option is to use View Persona or User Environment Manager instead of Persistent disks.
    • Disposable disks. In Dedicated Assignment pools, you have the option of creating Disposable Disks. These disks are always stored with the virtual desktop (you can’t choose a dedicated disposable disk LUN). If you’re planning to frequently refresh the desktops, there’s no point in using Disposable disks.
  • .vswp files. Allocate disk space for memory swap and graphics memory overhead. Any unreserved memory will result in a .vswp file. For example, if the master virtual desktop has 2 GB of RAM configured and none of it is reserved then each linked clone will have a 2 GB .vswp file.

Floating (Non-Persistent) Automatic Desktop Pool

  1. DHCP – Make sure the master VM is configured for DHCP, and is joined to the domain. KMS Licensing is also required.
  2. Provisioning Agent – Ensure Horizon Agent has the imaging component you intend to use. You can install Instant Clone, or Composer, but not both.
  3. If Instant Clone, Persona must be disabled.
  4. Computer Group Policy – Make sure the Master VM is in the same OU as the Linked Clones so the Master VM will get the computer-level GPO settings. Run gpupdate on the master after moving the VM to the correct OU. New Instant Clones do not immediately refresh group policy so the group policy settings must already be applied to the master VM. See VMware 2150495 Computer-based Global Policy Objects (GPOs) that require a reboot to take effect are not applied on instant clones.
  5. Video memory – If Instant Clone, in vSphere Client, edit the master virtual machine’s settings, expand Video card, and configure the displays and video memory (click the Video Memory Calculator button).
  6. Snapshot – Take a new snapshot of the master image.
  7. If you wish to automate the creation of the pool, Aresh Sarkari at Automating Desktop Pool creation using PowerCLI – VMware Horizon 7.x explains New-HVPool -spec 'C:\temp\DesktopPool\LinkedClone.json' and the contents of the JSON file.
  8. In View Administrator, on the left, expand Catalog, and click Desktop Pools.
  9. On the right, you can clone an existing pool. This action copies many of the settings from the existing pool into the new pool.
  10. Or just click Add.
  11. In the Type page, select Automated Desktop Pool, and click Next.
  12. In the User Assignment page, select Floating, and click Next.
  13. In the vCenter Server page, select either Instant clones, or View Composer linked clones.
  14. Select the vCenter server, and click Next.

  15. Pool name – In the Desktop Pool Identification page, enter a name for the pool. Horizon creates a vCenter VM folder with the same name as the Pool ID.
  16. Display name is the name of the icon displayed in Horizon Client.
  17. Access Group – Assign the pool to an Access group to restrict delegated administration. Note: If you intend to integrate with VMware Identity Manager (aka Workspace ONE), then make sure you select the root (/) Access group. Other Access Groups won’t work. Click Next.
  18. In the Pool Settings page, do the following:
    1. Horizon 7.3 lets you select a Category Folder where the published icon will be placed on the client’s Start Menu. This applies to Horizon Client 4.6 and newer. See Configuring Start Menu Shortcuts for Desktop and Application Pools at VMware Docs.

    2. Change the selection for Automatically logoff after disconnect to After, and specify a disconnect timer.
    3. If View Composer, change the selection for Delete or refresh desktop on logoff to Refresh Immediately. Instant Clones always refresh after logoff.
    4. Horizon 7.1 and newer allows users to restart machines gracefully, instead of a reset.
    5. Scroll down.
    6. In the Remote Display Protocol section, select a Default display protocol. New in Horizon 7 is VMware Blast.
    7. In Horizon 7.3.1 and newer, if you set the Default display protocol to PCoIP, then HTML5 Blast won’t work unless Allow users to choose protocol is set to Yes. See VMware Communities Upgraded from 7.0.1 to 7.3.1, getting “You cannot access your applications or desktops”… error.  💡
    8. Composer and Instant Clone have different options for 3D Renderer. Horizon 7.1 adds an option for NVIDIA GRID VGPU when creating Instant Clones.

      1. Monitors/Resolution – If Composer, increase the number of monitors and resolution. This causes more video memory to be allocated to the VMs. If Instant Clone, these settings are configured on the Master VM’s settings in vSphere Client.
    9. Check the box next to HTML Access.
    10. Horizon 7.4 adds the Allow Session Collaboration checkbox.

      1. This enables a VMware Horizon Collaboration icon in the system tray of the remote desktop, which lets you invite users to collaborate.

      2. The invite is a URL that you can run (or click) on the collaborator’s machine that has Horizon Client 4.7 or newer installed.
      3. To give control to the collaborator, double-click the green icon to open the Session Collaboration window. Or open the icon in the system tray.

      4. Adam Gleeson at VMware Horizon Virtual Desktop Session Collaboration explains the limitations of this feature.  💡
    11. Click Next.
  19. In the Provisioning Settings page, enter a naming pattern. You can use {n:fixed=3} to specify the location for the incremented numerals. Make sure the naming pattern does not conflict with any existing machines. Note: Instant Clones do not support manual machine names.
  20. Enter the maximum number of desktops to create. You can create all of them now or wait to create them as users connect. When a user connects to one of these desktops, Horizon immediately creates another desktop (up to the maximum) and powers it on.
    1. In Horizon 6.2 and newer, the maximum number of desktops per pool is 2,000. Ensure that the DHCP scope has enough addresses for the Max number of desktops specified here.
  21. Enter the number of spare (idle, unassigned, unused) desktops you want powered on. Horizon maintains this number up to the maximum number of desktops.
  22. Click Next.

  23. If Horizon Composer, in the Disposable File Redirection page, select Do not redirect disposable files, and click Next. Since we’re refreshing the desktops on logoff, there’s no need for a separate disposable disk.
  24. In the Storage Optimization page, if you want to use storage tiering, check the box for Select separate datastores for replica and OS disk. Click Next.
  25. In the vCenter Settings page, most of these are self-explanatory. Click Browse next to each option, and make your selection.
  26. Horizon 7.1 adds the ability to select multiple Networks for the Instant Clones.
  27. If the Parent VM is not showing up in the list then check the box next to Show all parent VMs and click the next to the VM to see the issue.
  28. Instant Clones monitors/resolution – If Instant Clones, the number of monitors configured on the Master Image (snapshot) is displayed. If not correct, delete the snapshot, edit the master VM’s Hardware Settings, expand video card, make your desired changes, and take another snapshot.
  29. Datastores – select one or more datastores on which the virtual desktops will be placed.
  30. If Composer – select your Storage Overcommit preference. Since you are refreshing desktops on every logoff, they should stay small, so Unbounded is probably acceptable. VMware recommends no more than 140 virtual desktops per VAAI-enabled LUN. If the LUN is not VAAI enabled, 64 is the maximum. If Instant Clone, Unbounded is the only option. Click OK when done.

  31. For Select Replica Disk Datastores, select one datastore for the replica, and then click OK.
  32. Then click Next.
  33. If Instant Clone, View Storage Accelerator and Transparent Page Sharing are enabled by default and can’t be disabled. Storage reclamation doesn’t make sense for Instant Clone.
  34. If Composer, in the Advanced Storage Options page, be aware of the following:
    • View Storage Accelerator creates digest files, which consumes disk space. Creation of the digest files requires IOPS. Make sure to set the blackout times so that this digest creation does not happen during peak hours.
    • Reclaim VM disk space is not useful for non-persistent desktops.
  35. If you scroll down, there’s a new Transparent Page Sharing Scope. The default is no sharing. Use one of the other options to enable sharing. Click Next.
  36. In the Guest Customization page, next to AD container, click Browse, and select the OU where virtual desktop computer objects will be placed. Horizon 7.3 lets you type (paste) into the AD container field.
  37. Consider checking the box next to Allow reuse of pre-existing computer accounts. Click Next.

  38. In the Ready to Complete page, you may entitle users now or later. Click Finish.
  39. To check the status of the virtual desktops, go to Catalog > Desktop Pools.
  40. Double-click the pool name.
  41. If you scroll down, the vCenter Server section has a State field.
  42. vSphere Client shows recent tasks.
  43. On the Inventory tab, click Machines (View Composer or InstantClone Details). There’s a refresh button.
  44. You can also view the status of the desktops by looking at the Dashboard.
  45. Your VMs should eventually have a status of Available.
  46. If you encounter issues with View Composer, see VMware 2087379 VMware Horizon View Composer help center
  47. If Instant Clone, the Master VM and the snapshot used by the Instant Clones must not be deleted.

Entitle Virtual Desktops

To make a pool accessible by a user, it must be entitled.

  1. Go to Catalog > Desktop Pools.
  2. Double-click the pool name.
  3. On the Summary tab, click Entitlements, and then Add entitlement.
  4. In the Add Entitlements window, click Add.
  5. Find a group that will have permission to log into these desktops, and click OK.
  6. Then click OK.
  7. For a Persistent pool, go to the Inventory tab to see the desktops. Select a desktop and under More Commands click Assign User.
  8. Find the user and click OK. Repeat to assign users to additional desktops.

Add Machine to Pool

  1. On the left, expand Catalog, and click Desktop Pools.
  2. On the right, highlight an existing Automated Desktop Pool, and click Edit.
  3. Switch to the Provisioning Settings tab, and change the Max number of machines. Then click OK.
  4. With Instant Clones, this won’t take very long.
  5. With Composer, it might take a few minutes for the machine to boot a couple times while running QuickPrep.
  6. The pool now has new machines.

Update a Pool

  1. Power on the master/parent virtual desktop.
  2. If App Volumes agent is installed, you might have to disable svservice before you can make changes. See VMware 2129528 Virtual Machine changes are not saved in App Volumes.  💡
  3. After making your changes, shut down the master virtual desktop.
  4. Right-click the virtual machine and take snapshot. You must create a new snapshot.
  5. Name the snapshot, and click OK.
  6. If you do this often, you’ll need to periodically delete the older snapshots. Right-click the master VM, and click Manage Snapshots.
  7. Delete one or more of the snapshots.
  8. In View Administrator, go to Inventory > Pools.
  9. Double-click a pool name.
  10. For Instant Clones, on the Summary tab, click Push Image, and then click Schedule.
  11. Or if Composer, click View Composer, and then click Recompose.
  12. In the Image page, select the new snapshot. Notice the snapshot’s monitor/resolution settings. Click Next.
  13. In the Scheduling page, decide when to apply this new image, and then click Next.
  14. In the Ready to Complete page, click Finish.
  15. On the Inventory tab, you can click Machines (InstantClone Details) or Desktops (View Composer Details) to check on the status of the push/recompose task. Notice the Pending Image.
  16. For both provisioning methods, the snapshot is copied to each datastore.
  17. For Instant Clone, the snapshot is attached to a Replica, powered on, then powered off. Digest is then computed. Then the Replica is attached to a parent, and the parent is powered on. This takes a bit of time. But the Instant Clones remain accessible until the Replica preparation is complete.
  18. Once Replicas are prepared, for Instant Clones, each machine is rebooted once, while with Composer, each virtual machine is rebooted three times, which can be painful. Composer consumes considerable IOPS and time during the Recompose operation. To speed up Recompose, switch to Instant Clones.
  19. Eventually the Pending Image field will be cleared and the desktops are available again.

Host Maintenance – Instant Clones

In Horizon 7.1 and newer, ESXi hosts running Instant Clones can be placed into maintenance mode without any special instructions.

Instant-Clone Maintenance Utilities at VMware Docs:

  • IcUnprotect.cmd – use this utility to unprotect folders and VMs, delete VMs, and detect VMs whose master image or snapshot is deleted.
  • IcMaint.cmd – This command deletes the master images, which are the parent VMs in vCenter Server, from the ESXi host, so that the host can be put into maintenance mode. In Horizon 7.0.3, this utility is the only method to prepare an Instant Clone ESXi host for maintenance mode. Also see VMware 2144808 Entering and exiting maintenance mode for an ESXi host that has Horizon instant clones.

VMware Horizon 7.4 – Master Virtual Desktop

Last Modified: Mar 31, 2018 @ 10:44 am

Use this post to build a virtual desktop that will be used as the parent image or source image for additional virtual desktops. There’s a separate article for RDS Session Host.

This post applies to all VMware Horizon versions 7.0 and newer, including 7.3.2 and 7.4.

💡 = Recently Updated

Virtual Hardware

Lieven D’hoore has a desktop VM build checklist at VMware Horizon View – Windows 10 Golden Image Creation

  1. The virtual desktop pools will use the same hardware specs (e.g. vCPUs, memory size, network label) specified on the master virtual desktop. Adjust accordingly.
  2. Set Memory as desired.
  3. For New Hard disk, consider setting Thin provision.
  4. Make sure the virtual desktop is using a SCSI controller.
  5. The master virtual desktop should be configured with a VMXNET 3 network adapter.
  6. When building the master virtual desktop, you will probably boot from an ISO.
  7. Before using View Administrator to create a pool, ensure the CD/DVD drive points to Client Device and is not Connected. The important part is to make sure no ISO file is configured.
  8. There’s no need for the Floppy drive so remove it.
  9. If you have any Serial ports, remove them.
  10. In Device Manager, after installing VMware Tools, make sure the video driver is VMware SVGA 3D.
  11. If not, you can use the driver at C:\Program Files\Common Files\VMware\Drivers\video_wddm.

Windows

Preparation

  • Windows 10 Channels/Versions
  • Partition Alignment. For Windows XP, make sure the partition is aligned. You’ll need to create and partition the disk in advance on another virtual machine and set the partition offset: create partition primary align=1024. Windows 7 doesn’t have this problem.
  • VMware Tools. Install the latest version of VMware Tools and Guest Introspection (formerly known as vShield Endpoint) Driver prior to installing the Horizon 7 Agent.
  • Teradici Audio Driver – https://techsupport.teradici.com/link/portal/15134/15164/Article/1434/Teradici-Virtual-Audio-Driver-1-2-0-Release-Details-15134-1434
  • For the AppVolumes Agent and Imprivata OneSign agent (if applicable), don’t install them until Horizon 7 Agent is installed.

Windows 7 VMXNET 3 Networking Hotfix

For Windows 7 machines:

  1. Ensure the vSphere network port group allows a sufficient number of connected virtual machines.
  2. Make sure Windows 7 Service Pack 1 is installed.
  3. The recommended hotfix for fixing VMXNET 3 is the 3125574 Convenience Rollup.

    1. Run windows6.1-kb3125574-v4-x64.msi.
  4. Or, the minimum hotfix is 2550978 http://support.microsoft.com/kb/2550978.

    1. Run Windows6-1-KB2550978.msu.
  5. Click Yes when asked to install the hotfix.
  6. Click Restart Now.
  7. After installing either hotfix, follow http://support.microsoft.com/kb/315539 to delete ghost NICs.

From Microsoft KB article http://support.microsoft.com/kb/235257: For desktop VMs using VMXnet3 NICs, you can significantly improve the peak video playback performance of your View desktop by simply setting the following registry setting to the value recommended by Microsoft:

  • HKLM\System\CurrentControlSet\Services\Afd\Parameters\FastSendDatagramThreshold to 1500

Windows 7 Black Screen Hotfix

For Windows 7 machines, request and install Microsoft hotfix 2578159: The logon process stops responding in Windows. More info at VMware 2073945 Reconnecting to the VDI desktop with PCoIP displays a black screen.

Windows 7 SHA2 Hotfix

For Windows 7 machines, install Microsoft Security Advisory 3033929, Availability of SHA-2 Code Signing Support for Windows 7 and Windows Server 2008 R2.

Windows 7 Hotfix for AppVolumes

For Windows 7 machines, install the Microsoft hotfix for mountmgr.sys. More info at VMware 2126775 Logging in to a virtual machine fails or is slow at the Welcome Screen when using VMware AppVolumes.

Power Options

  1. Run Power Options. In Windows 8 and newer, right-click the Start Menu to access Power Options.
  2. Click the arrow to show more plans, and select High performance.
  3. Next to High performance, click Change plan settings.
  4. Change the selection for Turn off the display to Never, and click Save changes.

System Settings

  1. Domain Join. For linked clones, join the machine to the domain.
  2. In System control panel applet (right-click the Start Menu > System), click Remote settings.
  3. Enable Remote Desktop.
  4. Activate Windows with a KMS license if not already activated. Note: only KMS is supported with View Composer.

Windows Profiles v3/v4 Hotfix

Roaming user profiles are tied to the operating system version so profiles on Windows 8.1-based, Windows 10-based, or Windows Server 2012 R2-based computers are incompatible with roaming user profiles in earlier versions of Windows.

Profiles are compatible only between the following client and server operating system pairs:

  • v6 = Windows 10 1607, Windows 10 1703, and Windows Server 2016
  • v5 = Windows 10 1511 and older
  • v4 = Windows 8.1 and Windows Server 2012 R2
  • v3 = Windows 8 and Windows Server 2012
  • v2 = Windows 7 and Windows Server 2008 R2

If Windows 8, install hotfix http://support.microsoft.com/kb/2887239.

If Windows 8.1, ensure update rollup 2887595 is installed. http://support.microsoft.com/kb/2890783

After you apply this update, you must create a registry key before you restart the computer.

  1. Run regedit.
  2. Locate and then tap or click the following registry subkey:
    HKEY_LOCAL_MACHINE\System\CurrentControlset\Services\ProfSvc\Parameters
  3. On the Edit menu, point to New, and then tap or click DWORD Value.
  4. Type UseProfilePathExtensionVersion.
  5. Press and hold or right-click UseProfilePathExtensionVersion, and then tap or click Modify.
  6. In the Value data box, type 1, and then tap or click OK.
  7. Exit Registry Editor.

After you configure the UseProfilePathExtensionVersion registry entry, you have to restart the computer. Then, Windows 8.1 creates a user profile and appends the suffix “.v4” to the profile folder name to differentiate it from version 2 of the profile in Windows 7 and version 3 of the profile in Windows 8. Then, Windows 8.1-based computers that have update rollup 2887595 installed and the UseProfilePathExtensionVersion registry entry configured use version 4 of the profile.

Windows 8 creates a new copy of the user profile and appends the suffix “.v3” in the profile folder name to differentiate it from the original version 2 profile for Windows 7. After that, Windows 8-based computers that have this hotfix installed and the UseProfilePathExtensionVersion registry entry configured use the version 3 profile for users.

Install Applications

Install applications locally if you want them to be available on all virtual desktops created based on this master virtual desktop.

Or you can use a Layering product (e.g. VMware App Volumes, Unidesk) or App Streaming (e.g. ThinApp, Microsoft App-V).

Antivirus

VMware Tech Paper Antivirus Considerations for VMware Horizon 7 contains exclusions for Horizon View, App Volumes, User Environment Manager, ThinApp, etc.

Microsoft’s virus scanning recommendations (e.g. exclude group policy files) – http://support.microsoft.com/kb/822158.

Sophos

Best Practice for running Sophos on virtual systems

Sophos Anti-Virus for Windows 2000+: incorporating current versions in a disk image, including for use with cloned virtual machines

Symantec

Virtualization best practices for Endpoint Protection 12.1.2 and later

Virtualization best practices for Endpoint Protection 12.1.1 (RU1) and earlier

Symantec Endpoint Protection 12.1 – Non-persistent Virtualization Best Practices

How to prepare a Symantec Endpoint Protection 12.1 client for cloning

Non-persistent desktops:

After you have installed the Symantec Endpoint Protection client and disabled Tamper Protection, open the registry editor on the base image.

  1. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\.
  2. Create a new key named Virtualization.
  3. Under Virtualization, create a key of type DWORD named IsNPVDIClient and set it to a value of 1.

To configure the purge interval for offline non-persistent VDI clients:

  1. In the Symantec Endpoint Protection Manager console, on the Admin page, click Domains.
  2. In the Domains tree, click the desired domain.
  3. Under Tasks, click Edit Domain Properties.
  4. On the Edit Domain Properties > General tab, check the Delete non-persistent VDI clients that have not connected for specified time checkbox and change the days value to the desired number. The Delete clients that have not connected for specified time option must be checked to access the option for offline non-persistent VDI clients.
  5. Click OK.

Make the following changes to the Communications Settings policy:

  1. Configure clients to download policies and content in Pull mode
  2. Disable the option to Learn applications that run on the client computers
  3. Set the Heartbeat Interval to no less than one hour
  4. Enable Download Randomization, set the Randomization window for 4 hours

Make the following changes to the Virus and Spyware Protection policy:

  1. Disable all scheduled scans
  2. Disable the option to “Allow startup scans to run when users log on” (This is disabled by default)
  3. Disable the option to “Run an ActiveScan when new definitions Arrive”

Avoid using features like application learning, which send information to the SEPM and rely on client state to optimize traffic flow.

Linked clones:

To configure Symantec Endpoint Protection to use Virtual Image Exception to bypass the scanning of base image files:

  1. On the console, open the appropriate Virus and Spyware Protection policy.
  2. Under Advanced Options, click Miscellaneous.
  3. On the Virtual Images tab, check the options that you want to enable.
  4. Click OK.

Trend Micro

Trend Micro Virtual Desktop Support

VDI Pre-Scan Template Generation Tool

Best practice for setting up Virtual Desktop Infrastructure (VDI) in OfficeScan

Frequently Asked Questions (FAQs) about Virtual Desktop Infrastructure/Support In OfficeScan

Horizon Agent

Horizon Agent 7.4 Installation/Upgrade

Install Horizon Agent on the master virtual desktop:

  1. Only install Horizon Agent after VMware Tools. If you need to update VMware Tools, uninstall Horizon Agent first, upgrade VMware Tools, and then reinstall Horizon Agent.
  2. Check the video driver to make sure it is VMware SVGA 3D.
  3. Download Horizon 7.4.0 View Agent.
  4. Run the downloaded VMware-viewagent-x86_64-7.4.0.exe.
  5. If you want the URL Content Redirection feature, then you must run the Agent installer with the following switches: /v URL_FILTERING_ENABLED=1
  6. In the Welcome to the Installation Wizard for VMware Horizon Agent page, click Next.
  7. In the License Agreement page, select I accept the terms, and click Next.
  8. In the Network protocol configuration page, select IPv4, and click Next.
  9. In the Custom Setup page, there are several features not enabled. Feel free to enable them.
    1. Horizon 7.2 and newer have VMware Virtualization Pack for Skype for Business. See Configure Skype for Business at VMware Docs for details.
    2. You can install Instant Clone Agent, or View Composer Agent, but not both.

    3. According to Instant-Clone Desktop Pools at VMware Docs, Persona is not supported with Instant Clones.

    4. If you want Scanner Redirection, then enable that feature. Do the same for USB Redirection. Note: Scanner Redirection will impact host density.
    5. Horizon 7.3 adds HTML5 Multimedia Redirection. This feature only works in Google Chrome, by force installing a Chrome plug-in. And it requires a whitelist specified in a group policy. See Configuring HTML5 Multimedia Redirection at VMware Docs.

      • If the feature is working, then the Chrome extension will show REDR.
      • And you’ll see HTML5VideoPlayer.exe on the client side.
    6. Horizon 7.4 adds a Device Bridge BAS Plugin for redirection of fingerprint scanners. See Install the Device Bridge BAS Plugin at VMware Docs.
  10. Click Next when done making selections.
  11. In the Ready to Install the Program page, click Install.
  12. In the Installer Completed page, click Finish.
  13. Click Yes when asked to restart.
  14. If you want to know what features were selected, look in C:\ProgramData\VMware\logs for the latest vmmsi.log_<date>.log file. Search for Feature : to find the list. The ones with Request: Local were installed. More info at Paul Grevink View Agent, what is installed?

  15. For Horizon Persona (not with Instant Clones), enable the Microsoft Software Shadow Copy Provider service. See Windows 10 with Persona management not syncing at VMware Communities.
  16. If using Windows 10 1709 with View Composer, you might have to delete HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BFE\Security. See VMware 51518 Production Support for VMware Horizon 7.4, 7.3.2, and 7.2 with Win 10 1709 Semi-Annual Channel (SAC) Guest OS  💡
  17. To verify installation of the URL Content Redirection feature, check for the presence of C:\Program Files\VMware\VMware View\Agent\bin\UrlRedirection.
  18. There’s also a new IE add-on.
  19. URL Content Redirection is configured using group policy.

Install/Upgrade User Environment Manager Engine

If you are licensed for User Environment Manager (Horizon Enterprise Edition), install the User Environment Manager Engine. Note: UEM 9.1 and newer can also work without Active Directory (Group Policy); see VMware 2148324 Configuring advanced UEM settings in NoAD mode for details.

  1. Make sure Prevent access to registry editing tools is not enabled in any GPO. This setting prevents the FlexEngine from operating properly.
  2. In Windows 8 and newer, open Programs and Features (right-click the Start Menu), and click Turn Windows features on or off.
  3. Select .NET Framework 3.5, and click OK.
  4. Click Download files from Windows Update.
  5. Download User Environment Manager 9.3.
  6. Run the extracted VMware User Environment Manager 9.3.0 x64.msi.
  7. In the Welcome to the VMware User Environment Manager Setup Wizard page, click Next.
  8. In the End-User License Agreement page, check the box next to I accept the terms, and click Next.
  9. In the Destination Folder page, click Next.
  10. The Choose Setup Type page appears. By default, the installer only installs the engine. You can click Custom or Complete to also install the console.

  11. In the Choose License File page, if installing on a View Agent, then no license file is needed.
  12. Otherwise, Browse to the license file. Then click Next.
  13. In the Ready to install VMware User Environment Manager page, click Install.
  14. In the Completed the VMware User Environment Manager Setup Wizard page, click Finish.

Unity Touch

With the Unity Touch feature, tablet and smart phone users can quickly navigate to a Horizon View desktop application or file from a Unity Touch sidebar. Although end users can specify which favorite applications appear in the sidebar, for added convenience, administrators can configure a default list of favorite applications.

In the Unity Touch sidebar, the favorite applications and favorite files that users specify are stored in the user’s profile. For non-persistent pools, enable Roaming Profiles.

To set the default list of favorite applications:

  1. Navigate to HKLM\Software\Wow6432Node\VMware, Inc.\VMware Unity
  2. Create a string value called FavAppList.
  3. Specify the default favorite applications using format: path-to-app-1|path-to-app-2|path-to-app-3|…. For example:
Programs/Accessories/Accessibility/Speech Recognition.lnk|Programs/VMware/VMware vSphere Client.lnk|Programs/Microsoft Office/Microsoft Office 2010 Tools/Microsoft Office 2010 Language Preferences.lnk

Unity Touch can be disabled by setting HKEY_LOCAL_MACHINE\Software\VMware, Inc.\VMware Unity\enabled to 0.

For more information, see Configure Favorite Applications Displayed by Unity Touch at VMware Docs.

Direct-Connection Plugin

If you wish to allow direct connections to the Horizon Agent, install the Direct-Connection Plugin. This is not a typical configuration since it allows users to bypass the Horizon Connection Servers, but is useful if you need to restrict a Horizon Agent to only one Horizon Client.

  1. Run the downloaded Direct-Connection Plugin 7.4 (VMware-viewagent-direct-connection-x86_64-7.4.0-xxx.exe).
  2. In the Welcome to the Installation Wizard for View Agent Direct-Connection Plugin page, click Next.
  3. In the End-User License Agreement page, select I accept the terms, and click Next.
  4. In the Configuration Information page, click Next.
  5. In the Ready to install View Agent Direct-Connection Plugin page, click Install.
  6. In the Completed the View Agent Direct-Connection Plugin Setup Wizard page, click Finish.
  7. When running the Horizon Client, enter the FQDN or IP address of the Horizon Agent (virtual desktop).

Composer – Rearm

By default, when View Composer creates linked clones and runs QuickPrep, one of the tasks is to rearm licensing. You can prevent rearm by setting the following registry key:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\vmware-viewcomposer-ga
    • SkipLicenseActivation  (DWORD) = 0x1

Dynamic PCoIP Policies

If you wish to change PCoIP Policies (e.g. clipboard redirection, client printers, etc.) based on how the user connects, see VMware Blog Post VMware Horizon View Secret Weapon. The article describes configuring VMware Horizon View Script Host service to run a script to change PCoIP configuration based on the Connection Server that the user connected through. Full script is included in the article.

VMware OS Optimization Tool

  1. See VMware Windows Operating System Optimization Tool Guide Technical Paper for details on this tool.
  2. Download the VMware OS Optimization Tool VMware fling.
  3. Run the extracted VMwareOSOptimizationTool.exe.
  4. On the Public Templates tab, update or download templates.
  5. The My Templates tab lets you edit the templates. Click Copy and Edit first.
  6. On the Analyze tab, choose a template.
  7. Then click Analyze on the bottom of the window.
  8. On the Analyze tab, review the optimizations, and make changes as desired. Then on the bottom left, click Optimize.
  9. The History tab lets you roll back the optimizations.

Additional Optimizations

Additional Windows 10 Optimizations

Additional Windows 7 Optimizations

Microsoft has compiled a list of links to various optimization guides.

It’s a common practice to optimize a Windows 7 virtual machine (VM) template (or image) specifically for VDI use. Usually such customizations include the following.

  • Minimize the footprint, e.g. disable some features and services that are not required when the OS is used in “stateless” or “non-persistent” fashion. This is especially true for disk-intensive workloads, since disk I/O is a common bottleneck for VDI deployments (especially if multiple VMs run the same I/O patterns at the same time).
  • Lock down user interface (e.g. optimize for specific task workers).

That said, certain practices are quite debatable and vary between real-world deployments. The exact choice of whether to disable a particular component depends on customer requirements and VDI usage patterns. E.g. in a personalized virtual desktop scenario there are far fewer things to disable, since the machine is not completely “stateless”. Some customers rely heavily on particular UI functions, while others can relatively easily trade them off for the sake of performance or standardization (thus enhancing supportability and potentially security). This is one of the primary reasons why Microsoft doesn’t publish any “VDI Tuning” guide officially.

There are, however, a number of such papers and even tools published by the community or third parties. This Wiki page aims to serve as a consolidated and comprehensive list of such resources.

Daniel Ruiz XenDesktop Windows 7 Optimization and GPO’s Settings

Microsoft Whitepaper Performance Optimization Guidelines for Windows 7 Desktop Virtualization

Snapshot

  1. Make sure the master virtual desktop is configured for DHCP.
  2. If connected to the console, run ipconfig /release.
  3. Run antivirus sealing tasks:
  4. Login Base Image Script Framework (BIS-F) automates many image sealing tasks. The script is configurable using Group Policy.  💡
  5. Shut down the master virtual desktop.
  6. Edit the Settings of the master virtual machine and disconnect the CD-ROM. Make sure no ISO is configured in the virtual machine.
  7. Take a snapshot of the master virtual desktop. View Composer requires a snapshot.

VMware Horizon 7.4 Security Server

Last Modified: Jan 6, 2018 @ 8:41 am

This post applies to all VMware Horizon versions 7.0 and newer, including 7.3.2, and 7.4.

Preparation

Security Servers are intended to be deployed in the DMZ.

Horizon Security Server is installed on Windows. If you prefer a Linux appliance, see VMware Unified Access Gateway (formerly known as Access Point). Note: Some of the newer Blast Extreme functionality only works in Unified Access Gateway (Access Point) 2.9 and newer. See Configure the Blast Secure Gateway at VMware Docs.

Security Considerations for Horizon View 5.2 – http://www.vmware.com/resources/techresources/10371

Firewall Ports

If there is only one Security Server in the DMZ, create a NAT’d public IP to the Security Server. Create a public DNS entry that resolves to this IP address.

If your load balancer (e.g. NetScaler, F5) is able to provide persistence across multiple port numbers, then you only need one public IP. For example, in NetScaler, this is called Persistency Groups.

If your load balancer doesn’t support persistence across multiple port numbers, then create three public IPs:

  • Public IP NAT’d to the load balancer IP. Create a public DNS entry that resolves to this IP address. This is the DNS name that users will enter into their Horizon Clients.
  • Public IP NAT’d to each of the Security Servers. Each Security Server must be exposed directly to the Internet. Create public DNS names that resolve to these public IPs. When installing Security Server, specify these public DNS names and not the load balanced DNS name.

Firewall Rules for View Connection Server at VMware Docs.

Open these ports from any device on the Internet to all Security Server and Load Balancer public IPs:

  • TCP 80
  • TCP and UDP 443
  • TCP and UDP 4172. UDP 4172 must be opened in both directions.
  • TCP and UDP 8443 (for Blast)

Open these ports from the Security Servers to internal:

  • If IPSec is enabled in View Administrator (Global Settings > Security > Edit), open ISAKMP Protocol (UDP 500) and ESP. Or if there is NAT between the Security Server and the Connection Server, open NAT-T ISAKMP (UDP 4500). See Configuring a Back-End Firewall to Support IPsec at VMware Docs.
  • TCP 8009 (AJP13) to the paired internal Horizon Connection Server.
  • TCP 4001 (JMS) to the paired internal Horizon Connection Server.
  • TCP and UDP 4172 (PCoIP) to all internal Horizon Agents. UDP 4172 must be opened in both directions.
  • TCP 32111 (USB Redirection) to all internal Horizon Agents.
  • TCP and UDP 22443 (HTML Blast) to all internal Horizon Agents.
  • TCP 9427 (MMR) to all internal Horizon Agents.
  • TCP 4002 for Enhanced Message Security – see Change the JMS Message Security Mode to Enhanced at VMware Docs.
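
The back-end TCP rules listed above can be verified from the Security Server itself before pairing. The following is an added example, not part of the original post; the function names and the host names in the sample call are placeholders.

```powershell
# Added example: TCP reachability check for the back-end ports listed above.
# Run on the Security Server. Function names and host names are placeholders.

function Test-TcpPort {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][int]$Port,
        [int]$TimeoutMs = 3000
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        # Asynchronous connect so a silently dropped packet does not hang the script.
        $pending = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($pending)   # throws if the connection was refused
        return $true
    } catch {
        return $false                  # refused, unreachable, or name not resolvable
    } finally {
        $client.Close()
    }
}

function Test-SecurityServerBackEnd {
    param(
        [Parameter(Mandatory)][string]$ConnectionServer,  # paired internal Connection Server
        [Parameter(Mandatory)][string]$HorizonAgent       # any one internal Horizon Agent
    )
    # TCP ports taken from the "Security Servers to internal" list above.
    $rules = @(
        @{ Role = 'ConnectionServer'; Port = 8009;  Use = 'AJP13' }
        @{ Role = 'ConnectionServer'; Port = 4001;  Use = 'JMS' }
        @{ Role = 'ConnectionServer'; Port = 4002;  Use = 'JMS, Enhanced message security' }
        @{ Role = 'HorizonAgent';     Port = 4172;  Use = 'PCoIP (TCP side only)' }
        @{ Role = 'HorizonAgent';     Port = 32111; Use = 'USB Redirection' }
        @{ Role = 'HorizonAgent';     Port = 22443; Use = 'HTML Blast (TCP side only)' }
        @{ Role = 'HorizonAgent';     Port = 9427;  Use = 'MMR' }
    )
    foreach ($rule in $rules) {
        $target = if ($rule.Role -eq 'ConnectionServer') { $ConnectionServer } else { $HorizonAgent }
        [pscustomobject]@{
            Target    = $target
            Port      = $rule.Port
            Use       = $rule.Use
            Reachable = Test-TcpPort -ComputerName $target -Port $rule.Port
        }
    }
}

# Sample call with placeholder names:
# Test-SecurityServerBackEnd -ConnectionServer 'cs01.corp.example' -HorizonAgent 'vdi-001.corp.example' | Format-Table -AutoSize
```

A False result means either the firewall blocks the port or nothing is listening on it (for example, 4002 when Enhanced message security is not enabled, or 9427 when MMR is not installed). UDP 4172, UDP 22443 and the IPsec rules (UDP 500, UDP 4500, ESP) cannot be confirmed with a TCP connect and still need to be checked on the firewall.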

Pairing Password

  1. In View Administrator, on the left, expand View Configuration, and click Servers.
  2. On the right, switch to the Connection Servers tab.
  3. Select the Horizon Connection Server to which the Security Server will be paired. Then click More Commands, and click Specify Security Server Pairing Password.
  4. Enter a temporary password, and click OK.

Install – Security Server

  1. Ensure the Horizon Security Server has 10 GB of RAM and 4 vCPU.
  2. Login to the Horizon Security Server.
  3. Download Horizon 7.4.0 View Connection Server.
  4. Run the downloaded VMware-viewconnectionserver-x86_64-7.4.0.exe.
  5. In the Welcome to the Installation Wizard for VMware Horizon 7 Connection Server page, click Next.
  6. In the License Agreement page, select I accept the terms, and click Next.
  7. In the Destination Folder page, click Next.
  8. In the Installation Options page, select Horizon 7 Security Server, and click Next.
  9. In the Paired Horizon 7 Connection Server page, enter the name of the internal Horizon Connection Server that this Security Server will be paired with. If using a hostname, it must be resolvable (edit the local HOSTS file) to the correct IP. Also, the correct firewall ports are required. Click Next.
  10. In the Paired Horizon 7 Connection Server Password page, enter the pairing password specified earlier, and click Next.
  11. In the Horizon 7 Security Server Configuration page, edit the URLs as appropriate. These URLs must be externally accessible. The top URL is a FQDN, while the middle URL is an IP address. These can be changed later. Click Next.
  12. In the Firewall Configuration page, click Next.
  13. In the Ready to Install the Program page, click Install.
  14. In the Installer Completed page, click Finish.

SSL

Security Server Certificate

  1. Run certlm.msc (Windows 2012+). Or run mmc, add the Certificates snap-in and point it to Computer > Local Machine.
  2. Request a new certificate with a common name that matches the public FQDN of the Security Server, or import a wildcard certificate.
  3. Note: the private key must be exportable. If using the Computer template, click Details, and then click Properties.
  4. On the Private Key tab, click Key options to expand it, and check the box next to Mark private key as exportable.
  5. In the list of certificates, look for the one that is self-signed. The Issuer will be the local computer name instead of a Certificate Authority. Right-click it, and click Properties.
  6. On the General tab, clear the Friendly name field, and click OK.
  7. Right-click your Certificate Authority-signed certificate, and try to export it.
  8. On the Export Private Key page, make sure Yes, export the private key is selectable. If the option to export the private key is grayed out, then this certificate will not work. Click Cancel.
  9. Right-click your Certificate Authority-signed certificate, and click Properties.
  10. On the General tab, in the Friendly name field, enter the text vdm, and click OK. Note: only one certificate can have vdm as the Friendly name.
  11. Then restart the VMware Horizon 7 Security Server service.
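
The certificate checklist above can be audited in one pass before restarting the service. The following is an added example, not part of the original post; it assumes Windows PowerShell 4.0 or later (for the DnsNameList property), an elevated session, and a placeholder FQDN.

```powershell
# Added example: audit Cert:\LocalMachine\My on the Security Server against the
# steps above. Function names and the sample FQDN are placeholders.

function Test-DnsNameMatch {
    param([string]$Pattern, [string]$Fqdn)
    if ($Pattern.StartsWith('*.')) {
        # A wildcard covers exactly one left-most label.
        $dot = $Fqdn.IndexOf('.')
        return ($dot -gt 0) -and ($Fqdn.Substring($dot) -ieq $Pattern.Substring(1))
    }
    return $Pattern -ieq $Fqdn
}

function Test-VdmCertificate {
    param([Parameter(Mandatory)][string]$PublicFqdn)

    $findings = New-Object 'System.Collections.Generic.List[string]'
    $pfxType  = [System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx
    $now      = Get-Date

    $vdm = @(Get-ChildItem -Path Cert:\LocalMachine\My |
             Where-Object { $_.FriendlyName -eq 'vdm' })

    # Only one certificate can have vdm as the Friendly name.
    if ($vdm.Count -ne 1) {
        $findings.Add("Expected exactly one certificate with Friendly name 'vdm', found $($vdm.Count).")
    }

    foreach ($cert in $vdm) {
        $id = "$($cert.Subject) [$($cert.Thumbprint)]"

        # The installer's self-signed certificate has Issuer equal to Subject.
        if ($cert.Subject -eq $cert.Issuer) {
            $findings.Add("$id is self-signed; clear its Friendly name and use the CA-signed certificate.")
        }
        if ($cert.NotBefore -gt $now -or $cert.NotAfter -lt $now) {
            $findings.Add("$id is outside its validity period ($($cert.NotBefore) to $($cert.NotAfter)).")
        }

        if (-not $cert.HasPrivateKey) {
            $findings.Add("$id has no private key in this store.")
        } else {
            # Same test as the manual export attempt in the steps above: a PFX
            # export fails when the key is not marked exportable. The bytes stay
            # in memory and are wiped immediately; the password is a throwaway.
            try {
                $pfx = $cert.Export($pfxType, [guid]::NewGuid().ToString())
                [Array]::Clear($pfx, 0, $pfx.Length)
            } catch {
                $findings.Add("$id private key is not exportable; this certificate will not work.")
            }
        }

        # DnsNameList holds the subject CN and any DNS subject alternative names.
        $names = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
        if (-not ($names | Where-Object { Test-DnsNameMatch $_ $PublicFqdn })) {
            $findings.Add("$id does not cover $PublicFqdn (names: $($names -join ', ')).")
        }
    }
    return $findings
}

# Sample call with a placeholder FQDN; no output means every check passed:
# Test-VdmCertificate -PublicFqdn 'view.example.com'
```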

Load Balancing

See Carl Stalhood – Horizon View Load Balancing

Enable PCoIP Secure Gateway

  1. In View Administrator, on the left, expand View Configuration, and click Servers.
  2. On the right, switch to the Connection Servers tab.
  3. Right-click the Connection Server that is paired with the Security Server, and click Edit. Note: you can’t configure this directly on the Horizon Security Server, and instead must configure it on the paired Horizon Connection Server.
  4. On the General tab, check the box next to Use PCoIP Secure Gateway for PCoIP connections to machine. Also, make sure HTTP(S) Secure Tunnel and Blast Secure Gateway are enabled. Click OK.

VMware Horizon 7.4 Configuration

Last Modified: Apr 22, 2018 @ 8:39 am

This post applies to all VMware Horizon versions 7.0 and newer, including 7.3.2 and 7.4.

Changelog

  • 2018 Jan 5 – updated Docs links for Horizon 7.4

Preparation

Horizon Service Account

  1. Create an account in Active Directory that Horizon View will use to login to vCenter. This account can also be used by Composer to create computer accounts in Active Directory.
  2. Make sure the password does not expire.
  3. Domain User is sufficient. Permissions will be delegated where needed.

vCenter Role for View Composer

This role has all permissions needed for both full clones and linked clones. See Privileges Required for the vCenter Server User and View Composer Privileges Required for the vCenter Server User at VMware Docs.

  1. Create an account in Active Directory that Horizon View will use to login to vCenter.
  2. In vSphere Web Client, on the Home screen, click Roles.
  3. Click the plus icon to add a Role.
  4. Name the role Horizon or similar.
  5. Expand Datastore and enable Allocate space, Browse datastore, and Low level file operations.
  6. Expand Folder, and enable Create folder, and Delete folder.
  7. Expand Global and enable Act as vCenter Server, Disable Methods, Enable Methods, and Manage custom attributes.
  8. Scroll down, and enable Set custom attribute, and System tag.
  9. Expand Host, expand Configuration, and enable Advanced Settings.
  10. Scroll down, and enable System Management.
  11. Enable Network, and everything under it.
  12. For Virtual SAN, enable Profile-driven storage and everything under it. See VMware 2094412 When attempting to deploy linked clones using VMware Virtual SAN (VSAN) you receive the error: Unable to connect to PBM sub system PB may be down
  13. Expand Resource, and enable Assign virtual machine to resource pool, and Migrate powered off virtual machine.
  14. Expand Virtual Machine and enable everything under Configuration, Inventory, and Snapshot Management (or State).
  15. Expand Virtual Machine > Interaction, and enable Perform wipe or shrink operations,  Power Off, Power On, Reset, and Suspend. Perform wipe is a recently added permission.
  16. Expand Virtual Machine > Provisioning. Enable Allow disk access, Clone template,  Clone virtual machine, Customize, and Deploy template.
  17. Scroll down, and enable Read customization specifications. Click OK when done.
  18. Browse to the vCenter object. Permissions must be assigned at the vCenter level. It won’t work at any lower level.
  19. On the right, switch to the Manage tab, and select the Permissions sub-tab.
  20. Click the plus icon to add a permission.
  21. Under Users and Groups click Add.
  22. Find the Active Directory account that Horizon will use to login to vCenter, click Add, and then click OK.
  23. On the right, under Assigned Role, change it to the Horizon role. Then click OK.
  24. The service account is now listed on the Permissions sub-tab.
  25. From VMware Docs Configure a vCenter Server User for View and View Composer: If you install Horizon Composer on the same machine as Windows vCenter Server, you must make the Horizon service account a local system administrator on the Windows vCenter Server machine.
    1. If you install Horizon Composer on a different machine than Windows vCenter Server, you do not have to make the Horizon service account a local administrator on the Windows vCenter Server machine. However, the Horizon service account must be a local administrator on the Horizon Composer standalone machine.
  26. On the Horizon Composer server, right-click the Start button, and click Computer Management.
  27. Go to System Tools > Local Users and Groups > Groups. Double-click Administrators. Add the Horizon service account, and click OK.

Active Directory Delegation for Instant Clones and Composer

Horizon Composer and Instant Clone create computer objects in Active Directory. Horizon is configured with an Active Directory service account that must be granted permission to create computer objects. See Create a User Account for Instant-Clone Operations at VMware Docs.

  1. Create an OU in Active Directory where the Horizon Agent computer objects will be stored.
  2. In Active Directory Users & Computers, right-click the Horizon Agents OU, and click Delegate Control.
  3. In the Welcome to the Delegation of Control Wizard page, click Next.
  4. In the Users or Groups page, add the Active Directory service account for Instant Clones and/or Horizon Composer. Then click Next.
  5. In the Tasks to Delegate page, select Create a custom task to delegate, and click Next.
  6. In the Active Directory Object Type page, do the following:
    1. Change the radio button to select Only the following objects in the folder.
    2. Check the boxes next to Create selected objects in this folder and Delete selected objects in this folder.
  7. Click Next.
  8. In the Permissions page, check the boxes next to Read All Properties, Write All Properties, and Reset Password. Then click Next.
  9. In the Completing the Delegation of Control Wizard page, click Finish.
  10. To review the result, enable Advanced Features in Active Directory Users & Computers, open the properties of the OU, and on the Security tab click Advanced. Find your service account; its entries should show the permissions delegated in the steps above.
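
The delegation can also be reviewed from PowerShell, which makes it easy to spot a service account that holds more than the wizard steps above grant. The following is an added example, not part of the original post; it assumes the ActiveDirectory module (RSAT) is installed, the OU and account names are placeholders, and the three ACE shapes it recognises are an assumption about what the wizard choices above produce, so compare against a known-good OU.

```powershell
# Added example: list the service account's explicit ACEs on the Horizon Agents OU
# and flag any that go beyond the delegation steps above.
# Function name, OU DN and account name are placeholders.

Import-Module ActiveDirectory   # provides the AD: drive used by Get-Acl below

function Get-HorizonOuDelegation {
    param(
        [Parameter(Mandatory)][string]$OuDn,      # e.g. 'OU=Horizon Agents,DC=corp,DC=example'
        [Parameter(Mandatory)][string]$Account    # e.g. 'CORP\svc-horizon'
    )
    $computer      = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'  # schemaIDGUID of the computer class
    $resetPassword = [guid]'00299570-246d-11d0-a768-00aa006e0529'  # Reset Password extended right
    $none          = [guid]::Empty

    $rightsType   = [System.DirectoryServices.ActiveDirectoryRights]
    $createDelete = [int]$rightsType::CreateChild -bor [int]$rightsType::DeleteChild
    $readWrite    = [int]$rightsType::ReadProperty -bor [int]$rightsType::WriteProperty
    $extended     = [int]$rightsType::ExtendedRight

    (Get-Acl -Path "AD:\$OuDn").Access |
        Where-Object { -not $_.IsInherited -and $_.IdentityReference.Value -eq $Account } |
        ForEach-Object {
            $rights = [int]$_.ActiveDirectoryRights
            $allow  = $_.AccessControlType -eq 'Allow'

            # Assumed ACE shapes for the wizard choices above (see lead-in).
            $step = if ($allow -and $_.ObjectType -eq $computer -and
                        ($rights -band (-bnot $createDelete)) -eq 0) {
                'Create/delete computer objects'
            } elseif ($allow -and $_.InheritedObjectType -eq $computer -and
                      $_.ObjectType -eq $none -and
                      ($rights -band (-bnot $readWrite)) -eq 0) {
                'Read/write all properties on computer objects'
            } elseif ($allow -and $_.InheritedObjectType -eq $computer -and
                      $_.ObjectType -eq $resetPassword -and $rights -eq $extended) {
                'Reset password on computer objects'
            } else {
                'REVIEW: not one of the delegated permissions'
            }

            [pscustomobject]@{
                Rights      = $_.ActiveDirectoryRights
                Type        = $_.AccessControlType
                ObjectType  = $_.ObjectType
                AppliesTo   = $_.InheritedObjectType
                Inheritance = $_.InheritanceType
                Delegation  = $step
            }
        }
}

# Sample call with placeholder names:
# Get-HorizonOuDelegation -OuDn 'OU=Horizon Agents,DC=corp,DC=example' -Account 'CORP\svc-horizon' | Format-List
```

Entries marked REVIEW (for example GenericAll, or rights that are not scoped to computer objects) are worth checking, since the service account only needs the three permissions delegated above. Permissions granted through group membership or inherited from a parent OU are not shown by this check.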

Events SQL Database

A new empty SQL database is needed for storage of View Events.

  1. Only SQL Server authentication is supported, so make sure it’s enabled on your SQL Server > Security page.
  2. In SQL Server Management Studio, create a new database.
  3. Name it VMwareHorizonEvents or similar. Switch to the Options tab.
  4. Select your desired Recovery model, and click OK.
  5. Under Security > Logins, add a SQL login if one does not exist already. Windows authentication is not supported.
  6. Right-click a SQL login, and click Properties.
  7. On the User Mapping page, check the Map box next to the VMwareHorizonEvents database.
  8. On the bottom, add the user to the db_owner database role. Click OK when done.

Licensing

  1. On the Horizon Connection Server, run the Horizon Administration Console by double-clicking the desktop shortcut. Or, go to https://FQDN/admin.

    1. If Flash is not installed, you are prompted to install it. This won’t work on Windows Server 2012 R2 unless you have the Desktop Experience feature installed. To avoid this, use Chrome.
  2. Login using a Horizon administrator account.
  3. On the left, under View Configuration, click Product Licensing and Usage.
  4. In the right pane, on the top left, click Edit License.
  5. In the Edit License window, enter your license serial number, and click OK.
  6. The license expiration is now displayed.
    1. Note that only Horizon Advanced and above have Application Remoting (published applications).
    2. Note that only Horizon Enterprise has Help Desk.

Administrators

  1. On the left, expand View Configuration, and click Administrators.
  2. On the right, click Add User or Group near the top.
  3. In the Add Administrator Or Permission page, click Add.
  4. Enter the name of a group that you want to grant permissions to, and click Find.
  5. After the group is found, click it to highlight it, and click OK.
  6. Then click Next.
  7. Select the role (e.g. Administrators), and click Next.
  8. Select an access group to which the permission will be applied, and click Finish. Note: If you intend to integrate with VMware Identity Manager, then only pools in the root Access group will sync with Identity Manager. Other Access Groups won’t work.

Help Desk

Horizon 7.2 and newer have a new web-based Help Desk tool at https://MyHorizonFQDN/helpdesk (e.g. https://view.corp.com/helpdesk).

Notes:

  • In Horizon 7.2, only Full Horizon Administrators can login to the Help Desk web page.
  • Horizon 7.3 and newer have Help Desk Administrators roles that can log into the Help Desk tool. Add Help Desk users to the Administrators and Groups tab, and assign them one of the Help Desk roles.

  • Enterprise Licensing – It requires Horizon Enterprise edition license, or Horizon Apps Advanced edition license. Horizon Standard Edition licenses do not include this tool. In Horizon 7.3 and newer, the Product Licensing page indicates if Help Desk is licensed or not.
  • 15 minutes of History – There’s only 15 minutes of collected metric data. Use vRealize Operations for Horizon for longer historical monitoring.
  • See Rob Beekmans Helpdesk functionality added to VMware Horizon 7.2.
  • According to Pascal van de Bor Horizon 7.2: With a little helpdesk from my friends, checkOrigin needs to be disabled to prevent the “Authentication failed, invalid domain, username or password. Please try again” error.

See Troubleshooting Users in Horizon Help Desk Tool at VMware Docs.

vCenter Connection, and optional Horizon Composer

Horizon must connect to vCenter for several reasons:

  • Power manage the virtual machines
  • Create new virtual machines using Instant Clone or Horizon Composer
  • Update virtual machines using Instant Clone or Horizon Composer

If you are adding multiple vCenter servers to Horizon, make sure each vCenter Server has a Unique ID. In vSphere Web Client, go to the vCenter Server > Manage > Settings > General > Edit > Runtime Settings, and confirm that the ID is unique for each vCenter server.

  1. In Horizon Administrator, on the left, expand View Configuration, and click Servers.
  2. In the right pane, in the vCenter Servers tab, click Add.
  3. In the VC Information page, do the following:
    1. In the Server address field, enter the FQDN of the vCenter server.
    2. In the User Name field, enter the previously created Active Directory account (domainname\username) that Horizon will use to login to vCenter.
    3. Also enter the service account’s password.
  4. Click Next.
  5. If you see a message regarding invalid certificate, click View Certificate. Then click Accept.
  6. In the View Composer page, if you are using Horizon Composer, then do the following:
    1. Select Standalone View Composer Server.
    2. Enter the FQDN of the Composer Server, and the credentials of an account to access the Horizon Composer server. The service account must be a local administrator on the Horizon Composer Server.
  7. Click Next.
  8. If you see an invalid certificate, click View Certificate. Then click Accept.
  9. If you are using Horizon Composer, then in the View Composer Domains page, do the following:
    1. Click Add.
    2. Enter the Full domain name of where the virtual desktop computer objects will be created.
    3. Enter the credentials of the Active Directory service account that has permission to create computer objects, and click OK.
  10. Then click Next.
  11. In the Storage page, do the following:
    1. Check the box to Enable View Storage Accelerator, and increase the host cache size to 2048. Notes:
      • View Storage Accelerator is required for Instant Clones.
      • View Storage Accelerator causes digest files to be created, thus increasing disk space requirements.
    2. Reclaim VM disk space requires IOPS during its operation. This feature is not needed for Instant Clones.
  12. Click Next.
  13. In the Ready to Complete page, click Finish.

Instant Clone Domain Admins

If you plan to use Instant-Clone to create non-persistent virtual desktops, add an administrator account that can join machines to the domain.

  1. On the left, expand View Configuration, and click Instant Clone Domain Admins.
  2. On the right, click Add.
  3. Select the domain.
  4. Enter credentials of a service account that can join machines to the domain. Click OK.

Disable Check Origin

If you connect to Horizon 7 Connection Server using any DNS name (e.g. load balancing DNS name) that doesn’t match the server’s DNS name, then it might not work unless you disable Origin Check as detailed at VMware 2144768 Accessing the Horizon View Administrator page displays a blank error window in Horizon 7.

Restrict Remote Access

In Horizon 7.0.2 and newer, the Users and Groups node has a new Remote Access tab.

If you add groups or users to this tab, only these groups and users can log in through Unified Access Gateway (formerly known as Access Point) or Security Server.

Users not in the list can’t log in through Security Server or Unified Access Gateway (formerly known as Access Point).

Disable Secure Tunnel

By default, internal Horizon Clients connect using Blast or PCoIP to virtual desktops by tunneling through a Horizon Connection Server. It would be more efficient for the internal Horizon Clients to connect directly to the virtual desktops.

  1. In View Administrator, on the left, expand View Configuration, and click Servers.
  2. On the right, switch to the Connection Servers tab.
  3. Click the Connection Server to highlight it, and click Edit.
  4. On the General tab, uncheck the boxes next to HTTP(S) Secure Tunnel and the two Gateways. Click OK. Note: if you are using HTML5 Blast internally, then disabling the Blast Secure Gateway will cause HTML5 Blast connections to go directly to the Horizon Agent, and the Agent certificate is probably not trusted.

Event Database and Syslog

  1. On the left of Horizon Administrator, expand View Configuration, and click Event Configuration.
  2. On the right, under Event Database, click Edit.
  3. Enter the name of the SQL server.
  4. Select Microsoft SQL Server as the Database type.
  5. Enter the name of the database.
  6. Enter the SQL credentials (no Windows authentication).
  7. Optionally, enter VE_ (or similar) for the Table prefix. This allows you to use the same Events database for multiple View installations.
  8. Click OK.
  9. The View Administrator now shows it configured. You can click Edit in the Event Settings section to change the age of events shown in View Administrator.
  10. To add a syslog server, look on the right side of the page.
  11. You can go to Monitoring > Events to view the events in the database.

Event Database SQL Index

VMware Knowledgebase article – The Event database performance in VMware View 6.0.x is extremely slow (2094580): Symptoms:

  • The Event database performance in VMware View 6.0.x is extremely slow when browsing within View
  • High CPU usage on the SQL server, hosting the Event database
  • The larger the Event database becomes, the slower the queries run.

To resolve this issue, create an index. Run this command on your SQL Event database:

CREATE INDEX IX_eventid ON dbo.VDIevent_data (eventid)

Replace VDIevent_data with the name of the table that uses your Event database prefix.

Event Queries

VMware Fling – Horizon View Event Notifier: collects and sends the alerts via email (SMTP) to users that are specified during the configuration process. It allows aggregation of alerts across multiple Horizon View Pods and for near real-time alerting of Horizon View alerts that are otherwise very difficult to be notified on.

Chris Halstead – VMware Horizon View Events Database Export Utility: this utility allows administrators to easily apply very detailed filtering to the data and export it to .csv. You can filter on time range, event severity, event source, session type (Application or Desktop), Usernames and Event Types. The application allows for extremely granular export of data. The exported columns can also be customized and the application will export data from both the live and the historical tables in the View Events Database.

VMware Knowledgebase article – Creating SQL views to retrieve the top 50 maximum number of concurrent desktop sessions over a period: This article provides steps to create database views to retrieve the maximum number of concurrent desktop sessions over a period from the event_historical table.

To retrieve the top 50 maximum number of concurrent desktop sessions over a period of time from the event_historical table, run this query:

select Count, Time from (select top 50 dbo.<prefix>_data_historical.IntValue as 'Count', dbo.<prefix>_historical.Time as 'Time' from dbo.<prefix>_historical, dbo.<prefix>_data_historical where dbo.<prefix>_historical.EventID = dbo.<prefix>_data_historical.EventID and dbo.<prefix>_data_historical.Name = 'UserCount' and dbo.<prefix>_historical.EventType = 'BROKER_DAILY_MAX_DESKTOP_SESSIONS' order by dbo.<prefix>_historical.Time DESC) A Order by Time

Where <prefix> is the prefix for the event table. You can find the prefix that you must use by examining other view definitions, such as user_events.

Global Settings

  1. On the left, under View Configuration, click Global Settings.
  2. On the right, under Global Settings, in the General section, click Edit.
  3. Set the View Administrator Session Timeout. This applies to administrators and help desk. 4320 minutes (72 hours) is the maximum.
  4. Forcibly disconnect users is an active session timeout. It is not an idle timeout in that it doesn’t care if the user is working or not. The default is 10 hours so consider increasing it. Note: this timer does not log the user out of Windows. Instead it merely disconnects the user, and requires the user to log on to Horizon Connection Server again.
  5. Under Client-dependent settings, you can set an idle timeout. This is new in Horizon 6. The idle timeout applies to applications only (not desktops). An additional disconnect timeout is configurable in each pool’s settings.
  6. Enable automatic status updates enables automatic updating of the table displayed in the top-left corner of View Administrator.
  7. Make other changes as desired. Click OK when done.
  8. To configure an idle timeout for desktop sessions, use the instructions in http://myvirtualcloud.net/vmware-view-disconnect-logoff-or-shutdown-your-vm-when-idle/. Or create a screensaver. http://communities.vmware.com/message/1756450?tstart=0

Global Policies

  1. By default, Multimedia Redirection is disabled. You can enable it by going to Policies > Global Policies.
  2. On the right, click Edit Policies.
  3. Set Multimedia redirection to Allow, and click OK. Note that Multimedia redirection is not encrypted.

Authentication

How to Set Up 2-Factor Authentication in Horizon View with Google Authenticator:

  1. Linux box with Likewise joined to Active Directory.
  2. Google Authenticator software installed on Linux
  3. Freeradius installed on Linux
  4. Configure View to authenticate with RADIUS
  5. Installation and configuration of Google Authenticator client

Backups

  1. On the left, expand View Configuration, and click Servers.
  2. On the right, in the Connection Servers tab, you can select a Horizon Connection Server, and click Backup Now. Backups can be found in C:\ProgramData\VMware\VDM\backups.
  3. If you Edit the Horizon Connection Server, on the Backup tab you can schedule automatic backups. This also backs up the View Composer database but not the vCenter database. VMware 1008046 – Performing an end-to-end backup and restore for VMware View Manager.

Tips

VMware Blog Post Top 10 Tips for a Successful Horizon VDI

VMware Horizon 7.4 Connection Server

Last Modified: Feb 3, 2018 @ 9:41 am

This post applies to all VMware Horizon versions 7.0 and newer, including 7.3.2 and 7.4.

Upgrade

If you are performing a new install, skip to Windows Features.

Notes regarding upgrades:

  • Upgrade all Connection Servers during the same maintenance window.
    • Downgrades are not permitted.
    • For Cloud Pod Architecture, you don’t have to upgrade every pod at once. But upgrade all of them as soon as possible.
    • Horizon Agents cannot be upgraded until the Connection Servers are upgraded.
    • All Connection Servers in the pod must be online before starting the upgrade.
    • Upgrade Horizon Composer before upgrading the Connection Servers.
    • It’s an in-place upgrade. Just run the Connection Server installer, and click Next a couple times.
    • For Security Servers, in Horizon Administrator, go to paired Connection Server, More Commands > Prepare for Upgrade or Reinstallation.
  • Upgrade the Horizon Group Policy template (.admx) files.
  • Upgrade the Horizon Agents.
    • It’s an in-place upgrade.
    • There’s no hurry. Upgrade the Horizon Agents when time permits.
  • Upgrade the Horizon Clients.
    • Horizon Clients can be upgraded anytime before the rest of the infrastructure is upgraded.

Windows Features

  1. Windows 2016 is supported with Horizon Connection Server 7.1 and newer.
  2. It’s probably helpful to install some administration tools on the Horizon Connection Servers. In Server Manager, click Add Roles and Features.
  3. Click Next until you get to the Features page.
  4. Check the box next to Group Policy Management, and scroll down.
  5. Check the box next to Telnet Client.
  6. If Windows 2012 R2, and if you need Flash Player for Internet Explorer (e.g. to connect to the vSphere Web Client or View Administrator), then expand User Interfaces and Infrastructure, and check the box next to Desktop Experience. Click Add Features when prompted. Desktop Experience is built into Windows 2016.
  7. Expand Remote Server Administration Tools > Role Administration Tools > AD DS and AD LDS Tools > AD DS Tools. Check the box next to AD DS Snap-Ins and Command-Line Tools. You might also want Active Directory module for Windows PowerShell. Then click Next.
  8. Then click Install.
  9. If you installed Desktop Experience, then you might see a message prompting you to reboot. Right-click the Start button to reboot the server. It will reboot twice. Desktop Experience is already installed on Windows 2016.

Install Standard Server 7.4

The first Horizon Connection Server must be a Standard Server. Subsequent Horizon Connection Servers are Replicas. Once Horizon Connection Server is installed, there is no difference between them.

A production Horizon Connection Server should have 10 GB of RAM and 4 vCPU.

  • In Horizon 7.2 and newer, each Horizon Connection Server can handle 4,000 connections.
  • In Horizon 7.1 and newer, each Horizon Connection Server can handle 2,000 connections.

To install Horizon Connection Server Standard:

  1. Ensure the Horizon Connection Server has 10 GB of RAM and 4 vCPU. Source = Hardware Requirements for View Connection Server at VMware Docs.
  2. Windows 2016 is supported with Horizon Connection Server 7.1 and newer.
    • Horizon Connection Server 7.0.3 will not install on Windows Server 2016. But Windows 2016 is supported for View Agents.
  3. Horizon Composer cannot be installed on the Horizon Connection Server, and vice versa.
  4. Download Horizon 7.4.0 View Connection Server.
  5. If Horizon Toolbox is installed, uninstall it. You’ll have to reinstall it later, including configuring the SSL certificate again (back up the certificate before uninstalling).
  6. Run the downloaded VMware-viewconnectionserver-x86_64-7.4.0.exe.
  7. In the Welcome to the Installation Wizard for VMware Horizon 7 Connection Server page, click Next.
  8. In the License Agreement page, select I accept the terms, and click Next.
  9. In the Destination Folder page, click Next.
  10. In the Installation Options page, select Horizon 7 Standard Server, and click Next.
  11. In the Data Recovery page, enter a password, and click Next.
  12. In the Firewall Configuration page, click Next.
  13. In the Initial Horizon 7 Administrators page, enter an AD group containing your Horizon administrators, and click Next.
  14. In the User Experience Improvement Program page, uncheck the box, and click Next.
  15. In the Ready to Install the Program page, click Install.
  16. In the Installer Completed page, uncheck the box next to Show the readme file, and click Finish.

Install Replica Server 7.4

Additional internal Horizon Connection Servers are installed as Replicas. After installation, there is no difference between a Replica server and a Standard server.

A production Horizon Connection Server should have 10 GB of RAM and 4 vCPU.

  • In Horizon 7.2 and newer, each Horizon Connection Server can handle 4,000 connections.
  • In Horizon 7.1 and newer, each Horizon Connection Server can handle 2,000 connections.

To install Horizon Connection Server Replica:

  1. Ensure the Horizon Connection Server has 10 GB of RAM and 4 vCPU.
  2. Download Horizon 7.4.0 View Connection Server.
  3. Run the downloaded VMware-viewconnectionserver-x86_64-7.4.0.exe.
  4. In the Welcome to the Installation Wizard for VMware Horizon 7 Connection Server page, click Next.
  5. In the License Agreement page, select I accept the terms, and click Next.
  6. In the Destination Folder page, click Next.
  7. In the Installation Options page, select Horizon 7 Replica Server, and click Next.
  8. In the Source Server page, enter the name of another Horizon Connection Server in the group. Then click Next.
  9. In the Firewall Configuration page, click Next.
  10. In the Ready to Install the Program page, click Install.
  11. In the Installer Completed page, click Finish.
  12. Load balance your multiple Horizon Connection Servers.

Horizon Connection Server Certificate

  1. Run certlm.msc (Windows 2012+). Or run mmc, add the Certificates snap-in, and point it to Computer > Local Machine.
  2. Request a new certificate with a common name that matches the FQDN of the Connection Server, or import a wildcard certificate.
  3. Note: the private key must be exportable. If using the Computer template, click Details, and then click Properties.
  4. On the Private Key tab, click Key options to expand it, and check the box next to Mark private key as exportable.
  5. In the list of certificates, look for the one that is self-signed. The Issuer will be the local computer name instead of a Certificate Authority. Right-click it, and click Properties.
  6. On the General tab, clear the Friendly name field, and click OK.
  7. Right-click your Certificate Authority-signed certificate, and try to export it.
  8. On the Export Private Key page, make sure Yes, export the private key is selectable. If the option to export the private key is grayed out, then this certificate will not work. Click Cancel.
  9. Right-click your Certificate Authority-signed certificate, and click Properties.
  10. On the General tab, in the Friendly name field, enter the text vdm, and click OK. Note: only one certificate can have vdm as the Friendly name.
  11. Then restart the VMware Horizon View Connection Server service. It will take several seconds before you can connect to Horizon View Administrator.
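A read-only PowerShell check of the result of the steps above, added here as an example (it is not from the original post or from VMware). It confirms that exactly one certificate in the Local Machine Personal store has the Friendly name vdm, that it is not self-signed, that its name matches, and that its private key is exportable. The function name Test-VdmCertificate is hypothetical, and the exportability check assumes an RSA key and .NET Framework 4.6 or newer.

```powershell
# Added example (not from the original post): read-only check of the
# certificate that Horizon Connection Server selects by Friendly name "vdm".
# Test-VdmCertificate is a hypothetical helper name.
function Test-VdmCertificate {
    [CmdletBinding()]
    param(
        # Name that clients connect to; defaults to this server's FQDN.
        [string]$ExpectedName = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
    )

    $findings = New-Object 'System.Collections.Generic.List[string]'
    $vdm = @(Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.FriendlyName -eq 'vdm' })

    # Only one certificate can have vdm as the Friendly name.
    if ($vdm.Count -ne 1) {
        $findings.Add("Expected exactly one certificate with Friendly name vdm, found $($vdm.Count).")
        return [pscustomobject]@{ Ok = $false; Thumbprint = $null; NotAfter = $null; Findings = $findings }
    }
    $cert = $vdm[0]

    # The self-signed certificate lists the computer itself as Issuer.
    if ($cert.Issuer -eq $cert.Subject) {
        $findings.Add('The vdm certificate is self-signed (Issuer equals Subject).')
    }

    $now = Get-Date
    if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
        $findings.Add("Certificate is outside its validity period ($($cert.NotBefore) to $($cert.NotAfter)).")
    }

    # Compare the expected name with the SAN DNS names, or with the CN when
    # there is no SAN. A wildcard such as *.corp.local works as a -like pattern.
    $names = @($cert.DnsNameList | ForEach-Object { $_.Unicode } | Where-Object { $_ })
    if ($names.Count -eq 0) {
        $names = @($cert.GetNameInfo('SimpleName', $false))
    }
    if (-not ($names | Where-Object { $ExpectedName -like $_ })) {
        $findings.Add("No certificate name matches $ExpectedName (names: $($names -join ', ')).")
    }

    # The private key must exist and be marked exportable.
    if (-not $cert.HasPrivateKey) {
        $findings.Add('Certificate has no private key in this store.')
    } else {
        $exportable = $null
        $keyError = 'non-RSA key or unsupported key provider'
        try {
            $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
            if ($rsa -is [System.Security.Cryptography.RSACng]) {
                # CNG key: exportability is a flag in the key's export policy.
                $allow = [System.Security.Cryptography.CngExportPolicies]::AllowExport
                $exportable = $rsa.Key.ExportPolicy.HasFlag($allow)
            } elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                # Legacy CSP key.
                $exportable = $rsa.CspKeyContainerInfo.Exportable
            }
        } catch {
            $keyError = $_.Exception.Message
        }
        if ($null -eq $exportable) {
            $findings.Add("Could not determine whether the private key is exportable: $keyError")
        } elseif (-not $exportable) {
            $findings.Add('Private key is not marked exportable.')
        }
    }

    [pscustomobject]@{
        Ok         = ($findings.Count -eq 0)
        Thumbprint = $cert.Thumbprint
        NotAfter   = $cert.NotAfter
        Findings   = $findings
    }
}

# Run elevated on the Connection Server. Pass the load balancing DNS name
# instead if that is what clients use, for example:
#   Test-VdmCertificate -ExpectedName view.corp.local
Test-VdmCertificate | Format-List
```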

SSL Ciphers

If you are running Horizon 6 or older, see Sven Huisman: Secure your Horizon View security server: from rating F to A-.

If this Horizon Connection Server or Horizon Security Server is publicly accessible, check it at ssllabs.com.

Horizon Portal – Client Installation Link

If you point your browser to the Horizon Connection Server (without /admin in the path), the Install VMware Horizon Client link redirects to the VMware.com site for downloading of Horizon Clients. You can change it so that the Horizon Clients can be downloaded directly from the Horizon Connection Server.

  1. On the Horizon Connection Server, go to C:\Program Files\VMware\VMware View\Server\broker\webapps. Create a new folder called downloads.
  2. Copy the downloaded Horizon Client for Windows to the new C:\Program Files\VMware\VMware View\Server\broker\webapps\downloads folder.

  3. Run Notepad as administrator.
  4. In Notepad, open the file C:\ProgramData\VMware\VDM\portal\portal-links-html-access.properties.
  5. Go back to the downloads folder, and copy the Horizon Client filename.
  6. In Notepad, modify link.win32 and link.win64 by specifying the relative path to the Horizon Client executable under /downloads. Note: In Horizon Client 4.3 and newer, there’s only one Horizon client for both 32-bit and 64-bit. The following example shows a link for the Horizon win64 Client for Windows:
    link.win64=/downloads/VMware-Horizon-Client-4.6.0-6605044.exe
  7. Then Save the file.
  8. Restart the VMware Horizon View Web Component service.

It will take a few seconds for the ws_TomcatService process to start so be patient. If you get a 503 error, then the service is not done starting.

Now when you click the link to download the client, it will grab the file directly from the Horizon Connection Server.

Branding

Chris Tucker at Brand the VMware View Landing Page – Part 2 details how to brand the Horizon 7.1 and newer portal page.

LDAP Edits

Mobile Client – Save Password

If desired, you can configure Horizon Connection Server to allow mobile clients (iOS, Android) to save user passwords.

  1. On the Horizon Connection Server, run ADSI Edit.
  2. Right-click ADSI Edit, and click Connect to.
  3. Change the first selection to Select or type a Distinguished Name, and enter dc=vdi,dc=vmware,dc=int.
  4. Change the second selection to Select or type a domain or server, and enter localhost. Click OK.
  5. Navigate to Properties > Global. On the right, double-click CN=Common.
  6. Scroll down, click to highlight pae-ClientCredentialCacheTimeout, and click Edit.
  7. Enter a value in minutes. 0 = no saving of credentials. -1 = no timeout. Click OK.

Biometric Authentication – iOS Touch ID, iOS Face ID, Fingerprints, Windows Hello

Biometric authentication, including Touch ID, Face ID, Fingerprints, and Windows Hello, is disabled by default. To enable: (source = vDelboy – How to Enable Touch ID in VMware Horizon 6.2 and Configure Biometric Authentication at VMware Docs)

  1. On the Horizon Connection Server, run ADSI Edit.
  2. Right-click ADSI Edit and click Connect to…
  3. Change the first selection to Select or type a Distinguished Name and enter dc=vdi,dc=vmware,dc=int.
  4. Change the second selection to Select or type a domain or server and enter localhost. Click OK.
  5. Navigate to Properties > Global. On the right, double-click CN=Common.
  6. Find the attribute pae-ClientConfig and double-click it.
  7. Enter the line BioMetricsTimeout=-1, and click Add. Click OK. The change takes effect immediately.

Disallow Non-empty Pool Deletion

Configure View to Disallow the Deletion of a Desktop Pool That Contains Desktop Machines at VMware Docs.

  1. On the Horizon Connection Server, run ADSI Edit.
  2. Right-click ADSI Edit and click Connect to…
  3. Change the first selection to Select or type a Distinguished Name and enter dc=vdi,dc=vmware,dc=int.
  4. Change the second selection to Select or type a domain or server and enter localhost. Click OK.
  5. Navigate to Properties > Global. On the right, double-click CN=Common.
  6. Find the attribute pae-NameValuePair, and double-click it.
  7. Enter the line cs-disableNonEmptyPoolDelete=1, and click Add. Click OK. The change takes effect immediately.
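A read-only PowerShell report of the three View LDAP settings edited in the procedures above (saved mobile passwords, biometric authentication, and non-empty pool deletion), added here as an example and not taken from the original post or from VMware. The function names are hypothetical. The script assumes it runs on a Connection Server under an account that can read the View LDAP instance, and that CN=Common sits at OU=Global,OU=Properties as shown in ADSI Edit.

```powershell
# Added example (not from the original post): read-only report of the View LDAP
# settings edited in the three procedures above. Function names are hypothetical.

# Return the value of a name=value line from a multi-valued attribute, or $null.
function Get-NameValue {
    param([string[]]$Lines, [string]$Name)
    foreach ($line in $Lines) {
        $key, $value = $line -split '=', 2
        if ($null -ne $value -and $key.Trim() -eq $Name) { return $value.Trim() }
    }
    return $null
}

function Get-HorizonLdapSetting {
    [CmdletBinding()]
    param(
        [string]$Server = 'localhost',
        # CN=Common under Properties > Global in the View LDAP instance.
        [string]$CommonDn = 'CN=Common,OU=Global,OU=Properties,DC=vdi,DC=vmware,DC=int'
    )

    $entry = [ADSI]"LDAP://$Server/$CommonDn"
    try { $entry.psbase.RefreshCache() }
    catch { throw "Cannot read $CommonDn on ${Server}: $($_.Exception.Message)" }
    $props = $entry.psbase.Properties

    $cache        = $props['pae-ClientCredentialCacheTimeout'].Value
    $clientConfig = @($props['pae-ClientConfig'] | ForEach-Object { [string]$_ })
    $nameValue    = @($props['pae-NameValuePair'] | ForEach-Object { [string]$_ })

    # Mobile Client - Save Password: 0 = no saving, -1 = no timeout, else minutes.
    $cacheMeaning =
        if ($null -eq $cache)       { 'attribute not set' }
        elseif ([int]$cache -eq 0)  { 'mobile clients cannot save passwords' }
        elseif ([int]$cache -eq -1) { 'saved passwords never time out' }
        else                        { "saved passwords time out after $cache minutes" }
    [pscustomobject]@{
        Setting = 'pae-ClientCredentialCacheTimeout'
        Value   = $cache
        Meaning = $cacheMeaning
    }

    # Biometric authentication: disabled unless BioMetricsTimeout is present.
    $bio = Get-NameValue -Lines $clientConfig -Name 'BioMetricsTimeout'
    $bioMeaning =
        if ($null -eq $bio)   { 'not set; biometric authentication is disabled by default' }
        elseif ($bio -eq '-1') { 'biometric authentication is enabled' }
        else                  { 'set to a value other than the -1 used in the procedure above' }
    [pscustomobject]@{
        Setting = 'pae-ClientConfig: BioMetricsTimeout'
        Value   = $bio
        Meaning = $bioMeaning
    }

    # Disallow Non-empty Pool Deletion: cs-disableNonEmptyPoolDelete=1 turns it on.
    $poolDelete = Get-NameValue -Lines $nameValue -Name 'cs-disableNonEmptyPoolDelete'
    $poolMeaning =
        if ($poolDelete -eq '1') { 'pools that still contain machines cannot be deleted' }
        else                     { 'not set to 1; non-empty pools can be deleted' }
    [pscustomobject]@{
        Setting = 'pae-NameValuePair: cs-disableNonEmptyPoolDelete'
        Value   = $poolDelete
        Meaning = $poolMeaning
    }
}

# Makes no changes; run on a Connection Server.
Get-HorizonLdapSetting | Format-Table -AutoSize -Wrap
```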

Load Balancing

See Carl Stalhood’s Horizon Load Balancing using NetScaler 12.

Remote Desktop Licensing

If you plan to build RDS Hosts, then install Remote Desktop Licensing somewhere. You can install it on your Horizon Connection Servers by following the procedure at http://www.carlstalhood.com/delivery-controller-7-15-ltsr-and-licensing/#rdlicensing.

Antivirus

VMware Tech Paper Antivirus Considerations for VMware Horizon 7: exclusions for Horizon View, App Volumes, User Environment Manager, ThinApp

Help Desk Tool Timing Profiler

Horizon 7.2 and newer include a web-based Help Desk Tool. Run the following command to enable the timing profiler on each Connection Server instance to view logon segments.

vdmadmin -I -timingProfiler -enable

Horizon Toolbox 7.4.0

Install the Horizon Toolbox Fling on your View Connection Servers. This is a web-based tool that adds the following functionality:

  • Auditing of user sessions
  • Auditing of virtual machine snapshots
  • Auditing of Horizon Client Versions
  • Remote Assistance – users request assistance from administrators
  • Virtual Machine Remote Console
  • Power Policies for Desktop Pools

To use the Toolbox, make sure the following are enabled in your View Connection Server pod:

  • Events database
  • Customer Experience Improvement Program

.NET Framework 3.5 and Remote Assistance

  1. On the Horizon View Connection Server, in Server Manager, click Add Roles and Features.
  2. In the Features page, expand .NET Framework 3.5 Features, and select .NET Framework 3.5.
  3. Scroll down, select Remote Assistance, and click Next. This feature is only needed if you will respond to Remote Assistance requests directly from the Horizon View Connection Server.
  4. In the Confirmation page, click Specify an alternate source path.
  5. Mount or extract the Windows Server ISO.
  6. Enter the path to the sources folder on the Windows Server ISO, and click OK. Then click Install.

Toolbox Installer

  1. Download the Fling. Check the box next to I have read and agree, and click Download.
  2. If upgrading, you’ll need to uninstall the old version first.

  3. Run the downloaded VMWARE-Horizon-Toolbox-x64-7.4.msi.
  4. In the Welcome to the HorizonToolbox Setup Wizard page, click Next.
  5. In the Select Installation Folder page, select Everyone, and click Next.
  6. In the BannerText page, click Next.
  7. In the Confirm Installation page, click Next.
  8. In the Installation Complete page, click Close.
  9. After the progress bar reaches 100%, click the X icon to close the installation window.

Firewall

  1. Run Windows Firewall with Advanced Security.
  2. Create a new Inbound Rule for port 18443.
  3. Select Port, and click Next.
  4. Enter TCP 18443 as the local port, and click Next.
  5. Allow the connection, and click Next.
  6. Name the rule Horizon Toolbox or something like that. Click Finish.

Toolbox Certificate

Horizon Toolbox comes with a self-signed certificate. It can be replaced by doing the following:

  1. Copy a certificate .pfx file to C:\Program Files\VMware\HorizonToolbox\HorizonToolbox7.4\conf.
  2. Edit the file server.xml that’s in the same conf folder. Make sure your text editor is elevated (as administrator).
  3. In your text editor, do the following:
    1. Scroll down to the <Connector port="18443" section (near line 85).
    2. Change the keystoreFile attribute to the name of your .pfx file.
    3. Change the keystorePass attribute to the password for your .pfx file.
    4. Add a new attribute keystoreType="PKCS12"
  4. Close and save the file.
  5. Restart the Apache Tomcat 8.5 Tomcat8 service.
  6. Point your browser to https://view.corp.local:18443/toolbox and there should be no certificate error. Note: it takes several seconds for the toolbox Tomcat service to start; you can watch it in Task Manager.

Login to Horizon Toolbox

  1. Point your browser to https://view.corp.local:18443/toolbox
  2. Log in using Horizon Administrator credentials.
  3. The first time you log in, you might be prompted for passwords to eventdb and vcenter. Enter the passwords, and click Set.
  4. The primary benefit of Horizon Toolbox is the Auditing reports. This data comes from the Events database. Find more info on these features at the Fling website.
  5. The Console Access tab lets you access the console of your Horizon Agent virtual machines.

Toolbox Remote Assistance

Note: The new Help Desk website is preferred over Toolbox Remote Assistance.

  1. On the Horizon Agent machine, navigate to the View Connection Server Horizon Toolbox folder \\vcs01\c$\Program Files\VMware\HorizonToolbox\HorizonToolbox7.4\webapps\toolbox\static\ra, and run Horizon_Remote_Assistance_Installer_v1035.exe.

    1. You might be prompted to install .NET Framework 3.5.


    2. Click Install for End User.
    3. Click OK to launch Remote Assistance.
    4. Close Remote Assistance.
    5. When done, click Finish.
  2. Users can initiate a request by clicking the Horizon Remote Assistance icon on the desktop.
  3. Click OK to submit a request.

  4. Support people can see support requests in the Toolbox interface, at Management > Remote Assistance, and switch to the Remote Assistance Requests tab.

Logon Monitoring

The VMware Logon Monitor Fling is built into Horizon 7.1 and newer.

The logon logs are stored at C:\programdata\VMware\VMware Logon Monitor\Logs on each Horizon Agent. The Fling website has a PDF that explains how to also store them on a file share.

Inside each session log file are logon time statistics. 

VMware Horizon 7.4 Composer

Last Modified: Jan 6, 2018 @ 8:40 am

This post applies to all VMware Horizon versions 7.0 and newer, including 7.3.2, and 7.4.

Planning

vCenter Server planning:

  • A single vCenter Server can handle 10,000 VMs. However, this is a single point of failure. VMware recommends separate vCenter servers for each 2,000 or 4,000 VMs. More vCenter Servers means more concurrent vCenter operations, especially if your pools are configured for Refresh on Logoff.
    • Horizon 7.2 and newer supports 4,000 VMs per vCenter Server.
    • Horizon 7.1 and older supports 2,000 VMs per vCenter Server.
  • Each ESXi cluster is managed by one vCenter Server.
  • Don’t use existing vCenter servers. Build separate vCenter servers for the vSphere clusters that host Agent VMs. Horizon licenses include vCenter licenses, so there’s no excuse to not use separate vCenter servers.

Horizon View Composer server planning:

A remote SQL Server is needed for databases:

  • vCenter database
  • Horizon Composer database
  • Horizon Events database
  • Supported SQL versions are listed on the Solution/Database Interoperability tab at VMware Product Interoperability Matrices.

SQL Server Preparation

Only SQL Authentication is supported.

  1. Open the properties of the SQL Server.
  2. On the Security page, make sure SQL Server authentication is enabled.
  3. Create a new SQL database for View Composer.
  4. Call it VMwareHorizonComposer or similar. Then switch to the Options page.
  5. Select your desired Recovery model, and click OK.
  6. View Composer only supports SQL authentication on remote SQL servers. Expand Security, right-click Logins, and click New Login to create a new SQL login.
  7. Name the new account.
  8. Select SQL Server authentication.
  9. Enter a password for the new account.
  10. Uncheck the box next to Enforce password policy.
  11. Then switch to the User Mapping page.
  12. On the User Mapping page, in the upper half, check the Map box for VMwareHorizonComposer.
  13. On the bottom, check the box for the db_owner role, and click OK.

SQL Native Client

  1. Go to the SQL 2016 Feature Pack, and download sqlncli.msi.

  2. On the Horizon View Composer server, run sqlncli.msi.
  3. In the Welcome to the Installation Wizard for SQL Server 2012 Native Client page, click Next.
  4. In the License Agreement page, select I accept, and click Next.
  5. In the Feature Selection page, click Next.
  6. In the Ready to Install the Program page, click Install.
  7. In the Completing the SQL Server 2012 Native Client installation page, click Finish.

ODBC

  1. On the Horizon View Composer server, run ODBC Data Sources (64-bit).
  2. On the System DSN tab, click Add.
  3. Select SQL Server Native Client, and click Finish.
  4. Enter the name HorizonComposer for the DSN, and enter the SQL server name. Click Next.
  5. Change the selection to With SQL Server authentication, and enter the credentials of the new ViewComposer SQL account. Then click Next.
  6. Check the box next to Change the default database, and select the VMwareHorizonComposer database. Then click Next.
  7. Click Finish.
  8. Click OK twice.

Install – Composer

  1. Don’t install on Horizon Connection Server: Horizon Composer cannot be installed on the Horizon Connection Server. They must be separate machines.
    1. Extra Memory for vCenter: If you install Horizon Composer on a Windows vCenter server, VMware recommends adding 8 GB of RAM to the server. See VMware 2105261 Intermittent provisioning issues and generic errors when Composer and vCenter Server are co-installed
    2. vCenter Service Account: if you install Horizon Composer on a Windows vCenter server, login as the same account that was used to install vCenter. See VMware 2017773 Installing or upgrading View Composer fails with error: The wizard was interrupted before VMware View Composer could be completely installed
  2. Internet access for CRL checking: If the Horizon Composer server does not have Internet access, see VMware 2081888 Installing Horizon View Composer fails with the error: Error 1920 Service VMware Horizon View Composer (svid) failed to start
  3. Certificate: If you install a certificate now, Composer installer will prompt you to select it during installation. Or, you can replace the certificate later.
  4. Download Horizon 7.4.0 View Composer.
  5. Install: Run the downloaded VMware-viewcomposer-7.4.0.exe.

    1. If you’re prompted to install .NET 4.6.1, click Yes.
    2. Then run the downloaded NDP462-KB3151802-Web.exe.
    3. Check the box next to I have read and accept the license terms, and click Install.
  6. In the Welcome to the Installation Wizard for VMware Horizon 7 Composer page, click Next.
  7. In the License Agreement page, select I accept the terms, and click Next.
  8. In the Destination Folder page, click Next.
  9. In the Database Information page, enter the name of the ODBC DSN.
  10. Enter the SQL account credentials (no Windows accounts), and click Next. For remote SQL databases, only SQL accounts will work. The SQL account must be db_owner of the database.
  11. The VMware Horizon 7 Composer Port Settings page appears. If you already installed a valid certificate on the Composer server, select Use an existing SSL certificate, and select the certificate. Click Next.
  12. In the Ready to Install the Program page, click Install.
  13. In the Installer Completed page, click Finish.
  14. Click Yes when asked to restart the computer.
  15. If you encounter installation issues, see VMware 2087379 VMware Horizon View Composer help center

Administrator Permissions

If Horizon View Composer is installed on a standalone server (not on vCenter), Horizon Connection Server will need a service account with administrator permissions on the Horizon View Composer server. Add your Horizon View Composer Service Account to the local Administrators group.

Composer Certificate

  1. Open the MMC Certificates snap-in (certlm.msc).
  2. Make sure your Composer certificate private key is exportable. Try exporting the certificate, and make sure Yes, export the private key is a selectable option.

  3. Stop the VMware Horizon 7 Composer service.
  4. In the certificates console, double-click your Composer certificate. On the Details tab, note the Thumbprint.
  5. Run Command Prompt as Administrator
  6. Change the directory to C:\Program Files (x86)\VMware\VMware View Composer.
  7. Run sviconfig -operation=replacecertificate -delete=false.
  8. Select the certificate that matches the thumbprint you noted earlier.
  9. Then restart the VMware Horizon 7 Composer service.

SQL Database Maintenance

SQL password: The password for the SQL account is stored in C:\Program Files (x86)\VMware\VMware View Composer\SviWebService.exe.config. To change the password, run SviConfig -operation=SaveConfiguration as detailed at VMware 1022526 The View Composer service fails to start after the Composer DSN password is changed.

Database Move: To move the database to a new SQL server, you must uninstall Composer and reinstall it. See VMware 2081899 VMware Horizon View Composer fails to work properly after migrating the Composer database to a new SQL server

Related Pages