VMware Horizon 7.3.2 Connection Server

Last Modified: Dec 15, 2017 @ 7:32 pm

Navigation

This post applies to all VMware Horizon versions 7.0 and newer

ūüí° = Recently Updated

Changelog

Upgrade

If you are performing a new install, skip to Windows Features.

Notes regarding upgrades:

  • Upgrade all Connection Servers during the same maintenance window.
    • Downgrades are not permitted.
    • For Cloud Pod Architecture, you don’t have to upgrade every pod at once. But upgrade all of them as soon as possible.
    • Horizon Agents cannot be upgraded until the Connection Servers are upgraded.
    • All Connection Servers in the pod must be online before starting the upgrade.
    • Upgrade Horizon Composer before upgrading the Connection Servers.
    • It’s an in-place upgrade. Just run the Connection Server installer, and click Next a couple times.
    • For Security Servers, in Horizon Administrator, go to paired Connection Server, More Commands > Prepare for Upgrade or Reinstallation.
  • Upgrade the Horizon Group Policy template (.admx) files.
  • Upgrade the Horizon Agents.
    • It’s an in-place upgrade.
    • There’s no hurry. Upgrade the Horizon Agents when time permits.
  • Upgrade the Horizon Clients.
    • Horizon Clients can be upgraded anytime before the rest of the infrastructure is upgraded.

Windows Features

  1. Windows 2016 is supported with Horizon Connection Server 7.1 and newer.
  2. It’s probably helpful to install some administration tools on the Horizon Connection Servers. In Server Manager, click Add Roles and Features.
  3. Click Next until you get to the Features page.
  4. Check the box next to Group Policy Management, and scroll down.
  5. Check the box next to Telnet Client.
  6. If Windows 2012 R2, and if you need Flash Player for Internet Explorer (e.g. to connect to the vSphere Web Client or View Administrator), then expand User Interfaces and Infrastructure, and check the box next to Desktop Experience. Click Add Features when prompted. Desktop Experience is built into Windows 2016.
  7. Expand Remote Server Administration Tools > Role Administration Tools > AD DS and AD LDS Tools > AD DS Tools. Check the box next to AD DS Snap-Ins and Command-Line Tools. You might also want Active Directory module for Windows PowerShell. Then click Next .
  8. Then click Install.
  9. If you installed Desktop Experience, then you might see a message prompting you to reboot. Right-click the Start button to reboot the server. it will reboot twice. Desktop Experience is already installed on Windows 2016.

Install Standard Server 7.3.2

The first Horizon Connection Server must be a Standard Server. Subsequent Horizon Connection Servers are Replicas. Once Horizon Connection Server is installed, there is no difference between them.

A production Horizon Connection Server should have 10 GB of RAM and 4 vCPU.

  • In Horizon 7.2 and newer, each Horizon Connection Server can handle 4,000 connections.
  • In Horizon 7.1 and newer, each Horizon Connection Server can handle 2,000 connections.

To install Horizon Connection Server Standard:

  1. Ensure the Horizon Connection Server has 10 GB of RAM and 4 vCPU. Source = Hardware Requirements for View Connection Server at VMware Docs.
  2. Windows 2016 is supported with Horizon Connection Server 7.1 and newer. Horizon Connection Server 7.0.3 will not install on Windows Server 2016. But Windows 2016 is supported for View Agents.
  3. Horizon Composer cannot be installed on the Horizon Connection Server, and vice versa.
  4. Go to the downloaded Horizon 7.3.2 Connection Server, and run VMware-viewconnectionserver-x86_64-7.3.2.exe.
  5. In the Welcome to the Installation Wizard for VMware Horizon 7 Connection Server page, click Next.
  6. In the License Agreement page, select I accept the terms, and click Next.
  7. In the Destination Folder page, click Next.
  8. In the Installation Options page, select Horizon 7 Standard Server, and click Next.
  9. In the Data Recovery page, enter a password, and click Next.
  10. In the Firewall Configuration page, click Next.
  11. In the Initial Horizon 7 Administrators page, enter an AD group containing your Horizon administrators, and click Next.
  12. In the User Experience Improvement Program page, uncheck the box, and click Next.
  13. In the Ready to Install the Program page, click Install.
  14. In the Installer Completed page, uncheck the box next to Show the readme file, and click Finish.

Install Replica Server 7.3.2

Additional internal Horizon Connection Servers are installed as Replicas. After installation, there is no difference between a Replica server and a Standard server.

A production Horizon Connection Server should have 10 GB of RAM and 4 vCPU.

  • In Horizon 7.2 and newer, each Horizon Connection Server can handle 4,000 connections.
  • In Horizon 7.1 and newer, each Horizon Connection Server can handle 2,000 connections.

To install Horizon Connection Server Replica:

  1. Ensure the Horizon Connection Server has 10 GB of RAM and 4 vCPU.
  2. Go to the downloaded Horizon 7.3.2 Connection Server and run VMware-viewconnectionserver-x86_64-7.3.2.exe.
  3. In the Welcome to the Installation Wizard for VMware Horizon 7 Connection Server page, click Next.
  4. In the License Agreement page, select I accept the terms, and click Next.
  5. In the Destination Folder page, click Next.
  6. In the Installation Options page, select Horizon 7 Replica Server, and click Next.
  7. In the Source Server page, enter the name of another Horizon Connection Server in the group. Then click Next.
  8. In the Firewall Configuration page, click Next.
  9. In the Ready to Install the Program page, click Install.
  10. In the Installer Completed page, click Finish.
  11. Load balance your multiple Horizon Connection Servers.

Horizon Connection Server Certificate

  1. Run certlm.msc (Windows 2012+). Or run mmc, add the Certificates snap-in, and point it to Computer > Local Machine.
  2. Request a new certificate with a common name that matches the FQDN of the Connection Server, or import a wildcard certificate.
  3. Note: the private key must be exportable. If using the Computer template, click Details, and then click Properties.
  4. On the Private Key tab, click Key options to expand it, and check the box next to Mark private key as exportable.
  5. In the list of certificates, look for the one that is self-signed. The Issuer will be the local computer name instead of a Certificate Authority. Right-click it, and click Properties.
  6. On the General tab, clear the Friendly name field, and click OK.
  7. Right-click your Certificate Authority-signed certificate, and try to export it.
  8. On the Export Private Key page, make sure Yes, export the private key is selectable. If the option to export the private key is grayed out, then this certificate will not work. Click Cancel.
  9. Right-click your Certificate Authority-signed certificate, and click Properties.
  10. On the General tab, in the Friendly name field, enter the text vdm, and click OK. Note: only one certificate can have vdm as the Friendly name.
  11. Then restart the VMware Horizon View Connection Server service. It will take several seconds before you can connect to Horizon View Administrator.

SSL Ciphers

If you are running Horizon 6 or older, see Sven Huisman: Secure your Horizon View security server: from rating F to A-.

If this Horizon Connection Server or Horizon Security Server is publicly accessible, check it at ssllabs.com.

Horizon Portal ‚Äď Client Installation Link

If you point your browser to the Horizon Connection Server (without /admin in the path), the Install VMware Horizon Client link redirects to the VMware.com site for downloading of Horizon Clients. You can change it so that the Horizon Clients can be downloaded directly from the Horizon Connection Server.

  1. On the Horizon Connection Server, go to C:\Program Files\VMware\VMware View\Server\broker\webapps. Create a new folder called downloads.
  2. Copy the downloaded Horizon Client for Windows to the new C:\Program Files\VMware\VMware View\Server\broker\webapps\downloads folder.

  3. Run Notepad as administrator.
  4. Open the file C:\ProgramData\VMware\VDM\portal\portal-links-html-access.properties file with a text editor (as Administrator).
  5. Go back to the downloads folder, and copy the Horizon Client filename.
  6. In Notepad, modify link.win32 and link.win64 by specifying the relative path to the Horizon Client executable under /downloads. Note: In Horizon Client 4.3 and newer, there’s only one Horizon client for both 32-bit and 64-bit. The following example shows a link for the Horizon win64 client.
    Client for Windows:link.win64=/downloads/VMware-Horizon-Client-4.6.0-6605044.exe
  7. Then Save the file.
  8. Restart the VMware Horizon View Web Component service.

It will take a few seconds for the ws_TomcatService process to start so be patient. If you get a 503 error, then the service is not done starting.

Now when you click the link to download the client, it will grab the file directly from the Horizon Connection Server.

Branding

Chris Tucker at¬†Brand the VMware View Landing Page ‚Äď Part 2 details how to brand the Horizon 7.1 and newer portal page.

LDAP Edits

Mobile Client – Save Password

If desired, you can configure Horizon Connection Server to allow mobile clients (iOS, Android) to save user passwords.

  1. On the Horizon Connection Server, run ADSI Edit.
  2. Right-click ADSI Edit, and click Connect to.
  3. Change the first selection to Select or type a Distinguished Name, and enter dc=vdi,dc=vmware,dc=int.
  4. Change the second selection to Select or type a domain or server, and enter localhost. Click OK.
  5. Navigate to Properties > Global. On the right, double-click CN=Common.
  6. Scroll down, click to highlight pae-ClientCredentialCacheTimeout, and click Edit.
  7. Enter a value in minutes. 0 = no saving of credentials. -1 = no timeout. Click OK.

iOS TouchID

vDelboy – How to Enable Touch ID in VMware Horizon 6.2

  1. On the Horizon Connection Server, run ADSI Edit.
  2. Right-click ADSI Edit and click Connect to…
  3. Change the first selection to Select or type a Distinguished Name and enter dc=vdi,dc=vmware,dc=int.
  4. Change the second selection to Select or type a domain or server and enter localhost. Click OK.
  5. Navigate to Properties > Global. On the right, double-click CN=Common.
  6. Find the attribute pae-ClientConfig and double-click it.
  7. Enter the line BioMetricsTimeout=-1, and click Add. Click OK. The change takes effect immediately.

Disallow Non-empty Pool Deletion

Configure View to Disallow the Deletion of a Desktop Pool That Contains Desktop Machines at VMware Docs.

  1. On the Horizon Connection Server, run ADSI Edit.
  2. Right-click ADSI Edit and click Connect to…
  3. Change the first selection to Select or type a Distinguished Name and enter dc=vdi,dc=vmware,dc=int.
  4. Change the second selection to Select or type a domain or server and enter localhost. Click OK.
  5. Navigate to Properties > Global. On the right, double-click CN=Common.
  6. Find the attribute pae-NameValuePair, and double-click it.
  7. Enter the line cs-disableNonEmptyPoolDelete=1, and click Add. Click OK. The change takes effect immediately.

Load Balancing

See Carl Stalhood’s Horizon Load Balancing using NetScaler 12.

Remote Desktop Licensing

If you plan to build RDS Hosts, then install Remote Desktop Licensing somewhere. You can install it on your Horizon Connection Servers by following the procedure at http://www.carlstalhood.com/delivery-controller-7-15-ltsr-and-licensing/#rdlicensing.

Antivirus

VMware Tech Paper Antivirus Considerations for VMware Horizon 7: exclusions for Horizon View, App Volumes, User Environment Manager, ThinApp

Help Desk Tool Timing Profiler

Horizon 7.2 and newer include a web-based Help Desk Tool. Run the following command to enable the timing profiler on each Connection Server instance to view logon segments.

vdmadmin -I -timingProfiler -enable

Horizon Toolbox 7.3.0

Install the Horizon Toolbox Fling on your View Connection Servers. This is a web-based tool that adds the following functionality:

  • Auditing of user sessions
  • Auditing of virtual machine snapshots
  • Auditing of Horizon Client Versions
  • Remote Assistance ‚Äď users request assistance from administrators
  • Virtual Machine Remote Console
  • Power Policies for Desktop Pools

To use the Toolbox, make sure the following are enabled in your View Connection Server pod:

  • Events database
  • Customer Experience Improvement Program

.NET Framework 3.5 and Remote Assistance

  1. On the Horizon View Connection Server, in Server Manager, click Add Roles and Features.
  2. In the Features page, expand .NET Framework 3.5 Features, and select .NET Framework 3.5.
  3. Scroll down, select Remote Assistance, and click Next. This feature is only needed if you will respond to Remote Assistance requests directly from the Horizon View Connection Server.
  4. In the Confirmation page, click Specify an alternate source path.
  5. Mount or extract the Windows Server ISO.
  6. Enter the path to the sources folder on the Windows Server ISO, and click OK. Then click Install.

Toolbox Installer

  1. Download the Fling. Check the box next to I have read and agree, and click Download.
  2. If upgrading, you’ll need to uninstall the old version first.

  3. Run the downloaded VMWARE-Horizon-Toolbox-x64-7.3-20171130.msi.
  4. In the Welcome to the HorizonToolbox Setup Wizard page, click Next.
  5. In the Select Installation Folder page, select Everyone, and click Next.
  6. In the BannerText page, click Next.
  7. In the Confirm Installation page, click Next.
  8. In the Installation Complete page, click Close.
  9. After the progress bar reaches 100%, click the X icon to close the installation window.

Firewall

  1. Run Windows Firewall with Advanced Security.
  2. Create a new Inbound Rule for port 18443.
  3. Select Port and, click Next.
  4. Enter TCP 18443 as the local port, and click Next.
  5. Allow the connection, and click Next.
  6. Name the rule Horizon Toolbox or something like that. Click Finish.

Toolbox Certificate

Horizon Toolbox comes with a self-signed certificate. It can be replaced by doing the following:

  1. Copy a certificate .pfx file to C:\Program Files\VMware\HorizonToolbox\HorizonToolbox7.3\conf.
  2. Edit the file server.xml that’s in the same conf folder. Make sure your text editor is elevated (as administrator).
  3. In your text editor, do the following:
    1. Scroll down to the <Connector port=”18443″ section (near line 85).
    2. Change the keystoreFile attribute to the name of your .pfx file.
    3. Change the keystorePass attribute to the password for your .pfx file.
    4. Add a new attribute keystoreType=”PKCS12″
  4. Close and save the file.
  5. Restart the Apache Tomcat 8.5 Tomcat8 service.
  6. Point your browser to https://view.corp.local:18443/toolbox and there should be no certificate error.

Login to Horizon Toolbox

  1. Point your browser to https://view.corp.local:18443/toolbox
  2. Login using Horizon Administrator credentials.
  3. The first time you login, you might be prompted for passwords to eventdb and vcenter. Enter the passwords, and click Set.
  4. The primary benefit of Horizon Toolbox is the Auditing reports. This data comes from the Events database. Find more info on these features at the Fling website.
  5. The Console Access tab lets you access the console of your Horizon Agent virtual machines.

Toolbox Remote Assistance

Note: The new Help Desk website is preferred over Toolbox Remote Assistance.

  1. On the Horizon Agent machine, navigate to the View Connection Server Horizon Toolbox folder \\vcs01\c$\Program Files\VMware\HorizonToolbox\HorizonToolbox7.3\webapps\toolbox\static\ra, and run Horizon_Remote_Assistance_Installer_v1035.exe.

    1. You might be prompted to install .NET Framework 3.5.


    2. Click Install for End User.
    3. Click OK to launch Remote Assistance.
    4. Close Remote Assistance.
    5. When done, click Finish.
  2. Users can initiate a request by clicking the Horizon Remote Assistance icon on the desktop.
  3. Click OK to submit a request.

  4. Support people can see support requests in the Toolbox interface, at Management > Remote Assistance, and switch to the Remote Assistance Requests tab.

Logon Monitoring

The VMware Logon Monitor Fling is built into Horizon 7.1 and newer.

The logon logs are stored at C:\programdata\VMware\VMware Logon Monitor\Logs on each Horizon Agent. The Fling website has a PDF that explains how to also store them on a file share.

Inside each session log file are logon time statistics. 

30 thoughts on “VMware Horizon 7.3.2 Connection Server”

  1. Hi Carl,
    The HelpDesk Tool with the timing profiler shows 10 seconds to login, while the logon monitor logs shows 7.8 seconds, from what i checked with a stopwatch the timing profiler is much more accurate,
    how come? did you notice it too?

  2. Carl,
    I’m trying to do in place upgrade to 7.3 from 7.1. In the past was straight forward upgrade by executing the connection server exe. like you said in your notes Now for some reason installation it stuck on License agreement windows and it won’t go any further by clicking Next. There is no error message anywhere. I checked in the vminst.log I see this – “Found CEIP enabled flag HAS NOT been set.” End Logging.
    I don’t recall doing anything with CEIP during the install.
    Composer has been upgraded successfully without any issue.We have 3 connection servers and upgrade process is stopping on the same spot on all of them.
    Do you have any idea why installation is not continue?
    Thanks

    1. i had the same problem. the only solution was to deinstall the connection server and then reinstall the new one. it keeps all the settings…

      1. Thanks. I did that already and it was successfull, but then I had issue with provisioning machines from Composer. What option did you choose when installing the new one? I did Replica, but I didn’t remove my ADAM database. I couldn’t find any specific explanation if the database is upgraded during the install.

          1. Had similar Issues. Could get past the CEIP with support but other Problems let the installation roll back. Horizon 7.3 Downloads have been removed by VMware. Info from Support: Wait for 7.3.1 :-/

      1. I was able to upgrade by Christoff’s solution. Removing and installing the new version, but like I said in my comments you may have some other issues after that. Andreas also mention that he worked with the Vmware support and they suggested to him to wait for 7.3.1 version. I did check Vmware download site and currently there is no downloads available under 7.3.

    2. It is worth mentioning that VMware has pulled the 7.3 update from the site and is advising customers who downloaded it to NOT install at this time. There are some major production stopping issues if you proceed with the upgrade. They are thinking of releasing an updated release next week, according to what I was told on the phone.

  3. Hi. How do i configure same URL for external and internal traffic, if it is possible. With the current configuration trying to get the same URL, I am getting ssl validation error for internal traffic. Using wildcard cert in the setup.

    1. Internally, when you ping the DNS name, what IP does it resolve to? Is it a load balancer? If so, do you have a valid certificate on it?

      Are you internally connecting from thin clients? If so, did you push the root certificate to the thin clients?

      Do you have separate Connection Servers for internal? If so, did you disable the Secure Gateways?

      1. The DNS entry internally is one of the Connection Server (Standard one in my case) address. I manually change the DNS entry in case of a CS failure.

        I have 3 CS in the setup. All 3 has the Secure Gateway and Secure Tunnel are disabled in it. No separate CS for internal.

        When having the Secure Gateway and Secure Tunnel disabled, my external connection works fine.

        Internal connection get SSL validation error for blast connections thru HTML.

        1. Ok. That means the certificate installed on each Horizon Agent is not trusted. One option is to proxy the Blast connections through a Connection Server by enabling the Blast Secure Gateway. Another option is to use UAG internally. Another option is to replace the certificates on every Horizon Agent.

          1. I am using the same wildcard cert in the Horizon Agent as well. Just that I am not using the “”vdm” friendly name. Is that necessary? Tried it with friendly name as well. If this is wrong one for the Horizon Agent. Which one needs to be used? Tried to click cert which throws the error before it reloads, I could see the wildcard which I have installed.

  4. Hey Carl, thanks again for the great documentation! Just an FYI, first time i tried to log on to the helpdesk portal I received the following error: ‚ÄúAuthentication failed, invalid domain, username or password. Please try again‚ÄĚ.

    I followed Pascal van de Bor’s blog: https://pascalswereld.nl/2017/07/02/horizon-7-2-with-a-little-helpdesk-from-my-friends/ (Thanks Pascal!) to solved the issue.

    See for reference: https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2144768

  5. It seems as if once we updated to 7.0.3, we are seeing a crazy amount of warnings. We are seeing a ton of “Unable to Launch pool…is not ready to accept connections” as well as The pending session for user…has expired” These are occurring on our internal pools as well as the pools our external users connect to. The parent VM has the latest client. I am at a loss as what this could be and i’m sure there are plenty of things it could be.

    We haven’t heard any screams about users being disconnected or anything along those lines, but those calls may not be getting through the helpdesk to us.

    Any ideas/suggestions? Anything would be appreciated at this point.

    Thanks!!

    1. It’s the securegateway.exe on the connection servers. I have had a total nightmare with this sofar and not resolved yet. My advise is to not upgrade to 7 if you are using secure gateways services for PCoIP connections.

  6. Just an addition to Horizon Toolbox and upgrading to a newer Horizon Connection server version.

    If you have Toolbox installed, make sure to uninstall this first before you do an in place upgrade on the connection server. The Tomcat service and Web component service freak out and Horizon View administrator won’t work after in place upgrade.

  7. Hi Carl, you’re blog is awesome! If you’re ever in Charleston SC I would love to buy you dinner. ūüôā Question: Do you know if Remote Assistance can be initiated in both directions? For example, can an administrator request to view a users desktop? Would need for the user to accept or deny the request…

  8. Carl thank you for this Post. it was really good. I’m impressed. I did run into an issue with the new version of Horizon Toolbox. I installed the new version 2.1.2. If I were to set a pfx file like you did and specified the new attribute keystoreType=‚ÄĚPKCS12″, Tomcat would not restart. Instead, I removed this extra setting, and then everything worked and the site was signed.

    Thank you again.

    1. It works for me in 2.1.2 with the keystoreType. I noticed that one of your quotes is a curly quote instead of a straight quote.

  9. Hello Carl! Tank you for this post. I have a problem, after the installation, I don’t see all of the Vmware services when i open the services.msc. I only have 2 services running: the blast secure gateway and the Security Gateway Component services.
    Do you know what can cause this issue?

  10. hey i like your blog. Just setting up Horizon 7 in my dev environment. I am looking at the replica connection server. I guess it functions exactly like a front end webserver that is load balanced behind an F5?

    1. Kind of. It also has an LDAP directory that replicates with other Connection Servers.

      The Connection Server is just a broker. It selects a Horizon Agent for the user and tells the user to connect directly to the Agent.

Leave a Reply