VMware Horizon 7.3.1 Configuration

Last Modified: Dec 16, 2017 @ 10:43 am

Navigation

This post applies to all VMware Horizon versions 7.0 and newer

💡 = Recently Updated

Preparation

Horizon Service Account

  1. Create an account in Active Directory that Horizon View will use to login to vCenter. This account can also be used by Composer to create computer accounts in Active Directory.
  2. Make sure the password does not expire.
  3. Domain User is sufficient. Permissions will be delegated where needed.

vCenter Role for View Composer

This role has all permissions needed for both full clones and linked clones. See Privileges Required for the vCenter Server User and View Composer Privileges Required for the vCenter Server User at VMware Docs.

  1. Create an account in Active Directory that Horizon View will use to login to vCenter.
  2. In vSphere Web Client, on the Home screen, click Roles.
  3. Click the plus icon to add a Role.
  4. Name the role Horizon or similar.
  5. Expand Datastore and enable Allocate space, Browse datastore, and Low level file operations.
  6. Expand Folder, and enable Create folder, and Delete folder.
  7. Expand Global and enable Act as vCenter Server, Disable Methods, Enable Methods, and Manage custom attributes.
  8. Scroll down, and enable Set custom attribute, and System tag.
  9. Expand Host, expand Configuration, and enable Advanced Settings.
  10. Scroll down, and enable System Management.
  11. Enable Network, and everything under it.
  12. For Virtual SAN, enable Profile-driven storage and everything under it. VMware 2094412 When attempting to deploy linked clones using VMware Virtual SAN (VSAN) you receive the error: Unable to connect to PBM sub system PB may be down
  13. Expand Resource, and enable Assign virtual machine to resource pool, and Migrate powered off virtual machine.
  14. Expand Virtual Machine and enable everything under Configuration, Inventory, and Snapshot Management (or State).
  15. Expand Virtual Machine > Interaction, and enable Perform wipe or shrink operations,  Power Off, Power On, Reset, and Suspend. Perform wipe is a recently added permission.
  16. Expand Virtual Machine > Provisioning. Enable Allow disk access, Clone template,  Clone virtual machine, Customize, and Deploy template.
  17. Scroll down, and enable Read customization specifications. Click OK when done.
  18. Browse to the vCenter object. Permissions must be assigned at the vCenter level. It won’t work at any lower level.
  19. On the right, switch to the Manage tab, and select the Permissions sub-tab.
  20. Click the plus icon to add a permission.
  21. Under Users and Groups click Add.
  22. Find the Active Directory account that Horizon will use to login to vCenter, click Add, and then click OK.
  23. On the right, under Assigned Role, change it to the Horizon role. Then click OK.
  24. The service account is now listed on the Permissions sub-tab.
  25. From VMware Docs Configure a vCenter Server User for View and View Composer: If you install Horizon Composer on the same machine as Windows vCenter Server, you must make the Horizon service account a local system administrator on the Windows vCenter Server machine.
    1. If you install Horizon Composer on a different machine than Windows vCenter Server, you do not have to make the Horizon service account a local administrator on the Windows vCenter Server machine. However, the Horizon service account must be a local administrator on the Horizon Composer standalone machine.
  26. On the Horizon Composer server, right-click the Start button, and click Computer Management.
  27. Go to System Tools > Local Users and Groups > Groups. Double-click Administrators. Add the Horizon service account, and click OK.

Active Directory Delegation for Instant Clones and Composer

Horizon Composer and Instant Clone create computer objects in Active Directory. Horizon is configured with an Active Directory service account that must be granted permission to create computer objects. See Create a User Account for Instant-Clone Operations at VMware Docs.

  1. Create an OU in Active Directory where the Horizon Agent computer objects will be stored.
  2. In Active Directory Users & Computers, right-click the Horizon Agents OU, and click Delegate Control.
  3. In the Welcome to the Delegation of Control Wizard page, click Next.
  4. In the Users or Groups page, add the Active Directory service account for Instant Clones and/or Horizon Composer. Then click Next.
  5. In the Tasks to Delegate page, select Create a custom task to delegate, and click Next.
  6. In the Active Directory Object Type page, do the following:
    1. Change the radio button to select Only the following objects in the folder.
    2. Check the boxes next to Create select objects in this folder and Delete selected objects in this folder.
  7. Click Next.
  8. In the Permissions page, check the boxes next to Read All PropertiesWrite All Properties, and Reset Password. Then Next.
  9. In the Completing the Delegation of Control Wizard page, click Finish.
  10. If you are viewing Advanced Features in Active Directory Users & Computers, if you view the properties of the OU, on the Security tab, click Advanced, find your service account, you should see permissions similar to the following.

Events SQL Database

A new empty SQL database is needed for storage of View Events.

  1. Only SQL Server authentication is supported, so make sure it’s enabled on your SQL Server > Security page.
  2. In SQL Server Management Studio, create a new database.
  3. Name it VMwareHorizonEvents or similar. Switch to the Options tab.
  4. Select your desired Recovery model, and click OK.
  5. Under Security > Logins, add a SQL login if one does not exist already. Windows authentication is not supported.
  6. Right-click a SQL login, and click Properties.
  7. On the User Mapping page, check the Map box next to the VMwareHorizonEvents database.
  8. On the bottom, add the user to the db_owner database role. Click OK when done.

Licensing

  1. On the Horizon Connection Server, run the Horizon Administration Console by double-clicking the desktop shortcut. Or, go to https://FQDN/admin.

    1. If Flash is not installed, you are prompted to install it. This won’t work on Windows Server 2012 R2 unless you have the Desktop Experience feature installed. To avoid this, use Chrome.
  2. Login using a Horizon administrator account.
  3. On the left, under View Configuration, click Product Licensing and Usage.
  4. In the right pane, on the top left, click Edit License.
  5. In the Edit License window, enter your license serial number, and click OK.
  6. The license expiration is now displayed.
    1. Note that only Horizon Advanced and above have Application Remoting (published applications).
    2. Note that only Horizon Enterprise have Help Desk.

Administrators

  1. On the left, expand View Configuration, and click Administrators.
  2. On the right, click Add User or Group near the top.
  3. In the Add Administrator Or Permission page, click Add.
  4. Enter the name of a group that you want to grant permissions to, and click Find.
  5. After the group is found, click it to highlight it, and click OK.
  6. Then click Next.
  7. Select the role (e.g. Administrators), and click Next.
  8. Select an access group to which the permission will be applied, and click Finish. Note: If you intend to integrate with VMware Identity Manager, then only pools in the root Access group will sync with Identity Manager. Other Access Groups won’t work.

Help Desk

Horizon 7.2 and newer have a new web-based Help Desk tool at https://MyHorizonFQDN/helpdesk (e.g. https://view.corp.com/helpdesk).

Notes:

  • In Horizon 7.2, only Full Horizon Administrators can login to the Help Desk web page.
  • Horizon 7.3 and newer have Help Desk Administrators roles that can log into the Help Desk tool. Add Help Desk users to the Administrators and Groups tab, and assign them one of the Help Desk roles.

  • Enterprise Licensing – It requires Horizon Enterprise edition license, or Horizon Apps Advanced edition license. Horizon Standard Edition licenses do not include this tool. In Horizon 7.3 and newer, the Product Licensing page indicates if Help Desk is licensed or not.
  • 15 minutes of History – There’s only 15 minutes of collected metric data. Use vRealize Operations for Horizon for longer historical monitoring.
  • See Rob Beekmans Helpdesk functionality added to VMware Horizon 7.2.
  • According to Pascal van de Bor Horizon 7.2: With a little helpdesk from my friends, checkOrigin needs to be disabled to prevent the “Authentication failed, invalid domain, username or password. Please try again” error.

See Troubleshooting Users in Horizon Help Desk Tool at VMware Docs.

vCenter Connection, and optional Horizon Composer

Horizon must connect to vCenter for several reasons:

  • Power manage the virtual machines
  • Create new virtual machines using Instant Clone or Horizon Composer
  • Update virtual machines using Instant Clone or Horizon Composer

If you are adding multiple vCenter servers to Horizon, make sure each vCenter Server has a Unique ID. In vSphere Web Client, go to the vCenter Server > Manage > Settings > General > Edit > Runtime Settings, and confirm that the ID is unique for each vCenter server.

  1. In Horizon Administrator, on the left, expand View Configuration, and click Servers.
  2. In the right pane, in the vCenter Servers tab, click Add.
  3. In the VC Information page, do the following:
    1. In the Server address field, enter the FQDN of the vCenter server.
    2. In the User Name field, enter the previously created Active Directory account (domainname\username) that Horizon will use to login to vCenter.
    3. Also enter the service account’s password.
  4. Click Next.
  5. If you see a message regarding invalid certificate, click View Certificate. Then click Accept.
  6. In the View Composer page, if you are using Horizon Composer, then do the following:
    1. Select Standalone View Composer Server.
    2. Enter the FQDN of the Composer Server, and the credentials of an account to access the Horizon Composer server. The service account must be a local administrator on the Horizon Composer Server.
  7. Click Next.
  8. If you see an invalid certificate, click View Certificate. Then click Accept.
  9. If you are using Horizon Composer, then in the View Composer Domains page, do the following:
    1. Click Add.
    2. Enter the Full domain name of where the virtual desktop computer objects will be created.
    3. Enter the Active Directory service account credentials that has permission to create computer objects, and click OK.
  10. Then click Next.
  11. In the Storage page, do the following:
    1. Check the box to Enable View Storage Accelerator, and increase the host cache size to 2048. Notes:
      • View Storage Accelerator is required for Instant Clones.
      • View Storage Accelerator causes digest files to be created, thus increasing disk space requirements.
    2. Reclaim VM disk space requires IOPS during its operation. This feature is not needed for Instant Clones.
  12. Click Next.
  13. In the Ready to Complete page, click Finish.

Instant Clone Domain Admins

If you plan to use Instant-Clone to create non-persistent virtual desktops, add an administrator account that can join machines to the domain.

  1. On the left, expand View Configuration, and click Instant Clone Domain Admins.
  2. On the right, click Add.
  3. Select the domain.
  4. Enter credentials of a service account that can join machines to the domain. Click OK.

Disable Check Origin

If you connect to Horizon 7 Connection Server using any DNS name (e.g. load balancing DNS name) that doesn’t match the server’s DNS name, then it might not work unless you disable Origin Check as detailed at VMware 2144768 Accessing the Horizon View Administrator page displays a blank error window in Horizon 7.

Restrict Remote Access

In Horizon 7.0.2 and newer, the Users and Groups node has a new Remote Access tab.

If you add groups or users to this tab, only these groups and users can login through Unified Access Gateway (formerly known as Access Point) or Security Server.

Users not in the list can’t login through Security Server or Unified Access Gateway (formerly known as Access Point).

Disable Secure Tunnel

By default, internal Horizon Clients connect using Blast or PCoIP to virtual desktops by tunneling through a Horizon Connection Server. It would be more efficient for the internal Horizon Clients to connect directly to the virtual desktops.

  1. In View Administrator, on the left, expand View Configuration, and click Servers.
  2. On the right, switch to the Connection Servers tab.
  3. Click the Connection Server to highlight it, and click Edit.
  4. On the General tab, uncheck the boxes next to HTTP(S) Secure Tunnel and the two Gateways. Click OK. Note: if you are using HTML5 Blast internally, then disabling the Blast Secure Gateway will cause HTML5 Blast connections to go directly to the Horizon Agent, and the Agent certificate is probably not trusted.

Event Database and Syslog

  1. On the left of Horizon Administrator, expand View Configuration, and click Event Configuration.
  2. On the right, under Event Database, click Edit.
  3. Enter the name of the SQL server.
  4. Select Microsoft SQL Server as the Database type.
  5. Enter the name of the database.
  6. Enter the SQL credentials (no Windows authentication).
  7. Optionally, enter VE_ (or similar) for the Table prefix. This allows you to use the same Events database for multiple View installations.
  8. Click OK.
  9. The View Administrator now shows it configured. You can click Edit in the Event Settings section to change the age of events shown in View Administrator.
  10. To add a syslog server, look on the right side of the page.
  11. You can go to Monitoring > Events to view the events in the database.

Event Database SQL Index

VMware Knowledgebase article – The Event database performance in VMware View 6.0.x is extremely slow (2094580): Symptoms:

  • The Event database performance in VMware View 6.0.x is extremely slow when browsing within View
  • High CPU usage on the SQL server, hosting the Event database
  • The larger the Event database becomes, the slower the queries run.

To resolve this issue, create an index. Run this command on your SQL Event database:

CREATE INDEX IX_eventid ON dbo.VDIevent_data (eventid)

Substitute VDIevent_data for the table name using your Event database prefix.

Event Queries

VMware Fling – Horizon View Event Notifier: collects and sends the alerts via email (SMTP) to users that are specified during the configuration process. It allows aggregation of alerts across multiple Horizon View Pods and for near real-time alerting of Horizon View alerts that are otherwise very difficult to be notified on.

Chris Halstead – VMware Horizon View Events Database Export Utility: this utility allows administrators to easily apply very detailed filtering to the data and export it to .csv. You can filter on time range,  event severity, event source, session type (Application or Desktop), Usernames and Event Types.  The application allows for extremely granular export of data.   The exported columns can also be customized and the application will export data from both the live and the historical tables in the View Events Database.

VMware Knowledgebase article – Creating SQL views to retrieve the top 50 maximum number of concurrent desktop sessions over a period: This article provides steps to create database views to retrieve the maximum number of concurrent desktop sessions over a period from the event_historical table.

To retrieve the top 50 maximum number of concurrent desktop sessions over a period time from the event_historical table, run this query:

select Count, Time from(select top 50 DOB.<prefix>_data_historical.IntValue as 'Count', DOB.<prefix>_historical.Time as 'Time' from DOB.<prefix>_historical.DOB.<prefix>_data_historical where DOB.<prefix>_historical.EventID = DOB.<prefix>_data_historical.EventID and DOB.<prefix>_data_historical.Name = 'UserCount' and DOB.<prefix>_historical.EventType='BROKER_DAILY_MAX_DESKTOP order by DOB.<prefix>_historical.Time DESC) A Order by Time

Where <prefix> is the prefix for the event table. You can find the prefix that you must use by examining other view definitions, such as user_events.

Global Settings

  1. On the left, under View Configuration, click Global Settings.
  2. On the right, under Global Settings, in the General section, click Edit.
  3. Set the View Administrator Session Timeout. This applies to administrators and help desk. 4320 minutes (72 hours) is the maximum.
  4. Forcibly disconnect users is an active session timeout. It is not an idle timeout in that it doesn’t care if the user is working or not. The default is 10 hours so consider increasing it. Note: this timer does not log the user out of Windows. Instead it merely disconnects the user, and requires the user to logon to Horizon Connection Server again.
  5. Under Client-dependent settings, you can set an idle timeout. This is new in Horizon 6. The idle timeout applies to applications only (not desktops). An additional disconnect timeout is configurable in each pool’s settings.
  6. Enable automatic status updates enables automatic updating of the table displayed in the top-left corner of View Administrator.
  7. Make other changes as desired. Click OK when done.
  8. To configure an idle timeout for desktop sessions, use the instructions in http://myvirtualcloud.net/vmware-view-disconnect-logoff-or-shutdown-your-vm-when-idle/. Or create a screensaver. http://communities.vmware.com/message/1756450?tstart=0

Global Policies

  1. By default, Multimedia Redirection is disabled. You can enable it by going to Policies > Global Policies.
  2. On the right, click Edit Policies.
  3. Set Multimedia redirection to Allow, and click OK. Notice that Multimedia redirection is not encrypted.

Authentication

How to Set Up 2-Factor Authentication in Horizon View with Google Authenticator:

  1. Linux box with Likewise joined to Active Directory.
  2. Google Authenticator software installed on Linux
  3. Freeradius installed on Linux
  4. Configure View to authenticate with RADIUS
  5. Installation and configuration of Google Authenticator client

Backups

  1. On the left, expand View Configuration, and click Servers.
  2. On the right, in the Connection Servers tab, you can select a Horizon Connection Server, and click Backup Now. Backups can be found in C:\ProgramData\VMware\VDM\backups.
  3. If you Edit the Horizon Connection Server, on the Backup tab you can schedule automatic backups. This also backs up the View Composer database but not the vCenter database. VMware 1008046 – Performing an end-to-end backup and restore for VMware View Manager.

Tips

VMware Blog Post Top 10 Tips for a Successful Horizon VDI

Related Pages

13 thoughts on “VMware Horizon 7.3.1 Configuration”

      1. I have a question. Ia m trying to connect to an events Database MS SQL but it is an instance “sql05\events” the database is called ViewEvents. Can I connect to an instance? IS there special Syntax?

  1. Hi,
    I am using VMware vSphere 5.5 and VMWare horizon 7.0.2
    I have increased LUN size in SAN Storage
    I Have increased Datastore size through vCenter.
    Still its not reflecting in Horizon 7 Dashboard.
    what and how to do to reflect that size in Horizon 7.0.2 under Dashboard>Datastore Details> Capacity (GB)…??
    can anyone send me the procedure or hints to increase/reflect the same size.
    Thanks

  2. Hi Carl,
    I have just upgraded my Dev environment to 7.3.1 and having a couple of issues.
    1. Using Chrome, the Admin page to the connection server FQDN is blank even if I configure the locked.properties and restart services. I have also cleared cache and rebooted my laptop with no luck. The only way I ca use Chrome is by pointing to the balance DNS name that matches the trusted certificate name.
    2. When I create a dedicated linked-clone pool and try to “Remove” all VMs from it to start the provisioning over, Horizon renames the VMs not from -01 but from the next number after the highest number of the old VM. Example, I have 10 VMs in a pool (-01,-02,-03.. until -10), when I remove, the VMs are named -11,-12 and so on instead of starting over from -01. Also, the option “Allow reuse of existing AD computer accounts” is enabled on this pool.

    Any idea on hoe to fix the above? Did you experience any of this yourself?

  3. Server error : null, Instant Desktop Creation Failed Horizon 7.2

    I received this when trying to use 2 or more vlans with the instant clone pool, this pops up at the point you would click finish for the pools. but if i select parent vlan then it continues just fine.

    Thoughts?

  4. I was wondering about Horizon 7 in a multi-tenant solution using PODs. I know you need AD in the Management block but can you point the Desktop pool to a Customers AD?

    1. I suspect the domains need to be trusted.

      If not, then another option is Identity manager with SAML authentication and TrueSSO.

  5. Hi Carl, i think i have one for ya that is difficult. We have horizon 7 installed and running w/ LC’s. It works great. We now want to install a Ubuntu Desktop pool. I have installed ubuntu 12.04 and configured it to log into active directory perfectly. Even registers in DNS.
    THen, i install the agent. it doesn’t work. I try to connect locally to tcp 22443 and it fails. If i look at the registered machines in View Configuration, that linux VM doesn’t register.
    On the Horizon 7 diagram, the ports aren’t listed for linux.
    We have tried this on both centos and ubuntu. Same ol’ story.

    1. It took me a little while but I think I got it on Ubuntu 12.04.

      Delete /etc/vmware/viewagent-machine.cfg and viewagent-config.txt if they exist. Run the following:

      ./install_viewagent.sh -A yes -M no -b vcs01.corp.local -d corp.local -u admin -p Pass0wrd -k ad01.corp.local -n ubuntu01.corp.local

      I suspect that “-M no” is the key but I could be wrong.

      I used the log files in /var/log/vmware to troubleshoot. And I looked in the actual script file to see what’s is supposed to do.

  6. If the Vcneter is appliance, what should be done at step 25?

    25.The service account also must be a local administrator on the vCenter server. In Server Manager, go to Tools > Computer Management.

    Thanks.

    1. Also a good catch. I updated the text to clarify that the account only needs admin on the View Composer server.

Leave a Reply