VMware Horizon 7.1.0 Connection Server

Last Modified: Mar 25, 2017 @ 9:10 am

Windows Features

  1. Windows 2016 is supported with Horizon Connection Server 7.1 and newer.
  2. It’s probably helpful to install some administration tools on the Horizon Connection Servers. In Server Manager, click Add Roles and Features.
  3. Click Next until you get to the Features page.
  4. Check the box next to Group Policy Management, and scroll down.
  5. Check the box next to Telnet Client.
  6. If Windows 2012 R2, and if you need Flash Player for Internet Explorer (e.g. to connect to the vSphere Web Client or View Administrator), then expand User Interfaces and Infrastructure, and check the box next to Desktop Experience. Click Add Features when prompted. Desktop Experience is built into Windows 2016.
  7. Expand Remote Server Administration Tools > Role Administration Tools > AD DS and AD LDS Tools > AD DS Tools. Check the box next to AD DS Snap-Ins and Command-Line Tools. You might also want Active Directory module for Windows PowerShell. Then click Next.
  8. Then click Install.
  9. If you installed Desktop Experience, then you might see a message prompting you to reboot. Right-click the Start button to reboot the server. It will reboot twice. Desktop Experience is already installed on Windows 2016.

Install Standard Server 7.1.0

The first Horizon Connection Server must be a Standard Server. Subsequent Horizon Connection Servers are Replicas. Once Horizon Connection Server is installed, there is no difference between them.

A production Horizon Connection Server should have 10 GB of RAM and 4 vCPU. Each Horizon Connection Server can handle 2,000 virtual desktops.

  1. Ensure the Horizon Connection Server has 10 GB of RAM and 4 vCPU. Source = Hardware Requirements for View Connection Server at VMware Pubs.
  2. Windows 2016 is supported with Horizon Connection Server 7.1 and newer. Horizon Connection Server 7.0.3 will not install on Windows Server 2016. But Windows 2016 is supported for View Agents.
  3. Horizon Composer cannot be installed on the Horizon Connection Server, and vice versa.
  4. Go to the downloaded Horizon 7 Connection Server, and run VMware-viewconnectionserver-x86_64-7.1.0.exe.
  5. In the Welcome to the Installation Wizard for VMware Horizon 7 Connection Server page, click Next.
  6. In the License Agreement page, select I accept the terms, and click Next.
  7. In the Destination Folder page, click Next.
  8. In the Installation Options page, select Horizon 7 Standard Server, and click Next.
  9. In the Data Recovery page, enter a password, and click Next.
  10. In the Firewall Configuration page, click Next.
  11. In the Initial Horizon 7 Administrators page, enter an AD group containing your Horizon administrators, and click Next.
  12. In the User Experience Improvement Program page, uncheck the box, and click Next.
  13. In the Ready to Install the Program page, click Install.
  14. In the Installer Completed page, uncheck the box next to Show the readme file, and click Finish.

Install Replica Server 7.1.0

Additional internal Horizon Connection Servers are installed as Replicas. After installation, there is no difference between a Replica server and a Standard server.

A production Horizon Connection Server should have 10 GB of RAM and 4 vCPU. Each Horizon Connection Server can handle 2000 virtual desktops.

  1. Ensure the Horizon Connection Server has 10 GB of RAM and 4 vCPU.
  2. Go to the downloaded Horizon 7 Connection Server and run VMware-viewconnectionserver-x86_64-7.1.0.exe.
  3. In the Welcome to the Installation Wizard for VMware Horizon 7 Connection Server page, click Next.
  4. In the License Agreement page, select I accept the terms and click Next.
  5. In the Destination Folder page, click Next.
  6. In the Installation Options page, select Horizon 7 Replica Server and click Next.
  7. In the Source Server page, enter the name of another Horizon Connection Server in the group. Then click Next.
  8. In the Firewall Configuration page, click Next.
  9. In the Ready to Install the Program page, click Install.
  10. In the Installer Completed page, click Finish.
  11. If this is VMware View 6.x, and if you are adding this Replica server to a Pod that is already enabled for Global Entitlements, see VMware 2080521 Setting up the Cloud Pod Architecture feature on a replicated View Connection Server instance.

Horizon Connection Server Certificate

  1. Run certlm.msc (Windows 2012+). Or run mmc, add the Certificates snap-in and point it to Computer > Local Machine.
  2. Request a new certificate with a common name that matches the FQDN of the Connection Server, or import a wildcard certificate.
  3. Note: the private key must be exportable. If using the Computer template, click Details, and then click Properties.
  4. On the Private Key tab, click Key options to expand it, and check the box next to Mark private key as exportable.
  5. In the list of certificates, look for the one that is self-signed. The Issuer will be the local computer name instead of a Certificate Authority. Right-click it, and click Properties.
  6. On the General tab, clear the Friendly name field, and click OK.
  7. Right-click your Certificate Authority-signed certificate, and try to export it.
  8. On the Export Private Key page, make sure Yes, export the private key is selectable. If the option to export the private key is grayed out, then this certificate will not work. Click Cancel.
  9. Right-click your Certificate Authority-signed certificate, and click Properties.
  10. On the General tab, in the Friendly name field, enter the text vdm, and click OK. Note: only one certificate can have vdm as the Friendly name.
  11. Then restart the VMware Horizon View Connection Server service. It will take several seconds before you can connect to Horizon View Administrator.
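
The conditions in the steps above (exactly one certificate with the Friendly name vdm, CA-signed, exportable private key, name matching the FQDN) can be checked before restarting the service. This is an added example, not part of the original article; the function names are illustrative, and it assumes Windows PowerShell 5.1 with .NET 4.6 or later and an RSA key.

```powershell
# Added example: validates the certificate the Connection Server selects by Friendly name 'vdm'.
# Run from an elevated prompt so the machine key can be opened.
function Test-KeyExportable {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        # CNG key: the export policy is a flags enum
        return $rsa.Key.ExportPolicy.HasFlag([System.Security.Cryptography.CngExportPolicies]::AllowExport)
    }
    if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        return $rsa.CspKeyContainerInfo.Exportable   # legacy CSP key
    }
    return $false   # no accessible RSA private key
}

function Test-NameMatch {
    param([string]$Fqdn, [string[]]$CertNames)
    $dot = $Fqdn.IndexOf('.')
    foreach ($name in $CertNames) {
        if ($name -ieq $Fqdn) { return $true }
        # A wildcard covers exactly one leading label: *.corp.local matches view.corp.local
        if ($name.StartsWith('*.') -and $dot -gt 0 -and $name.Substring(1) -ieq $Fqdn.Substring($dot)) {
            return $true
        }
    }
    return $false
}

function Test-VdmCertificate {
    param([string]$Fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName)
    $vdm = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.FriendlyName -eq 'vdm' })
    if ($vdm.Count -ne 1) {
        Write-Warning "Expected exactly one certificate with Friendly name 'vdm', found $($vdm.Count)."
        return
    }
    $cert = $vdm[0]
    [pscustomobject]@{
        Subject         = $cert.Subject
        CaSigned        = ($cert.Subject -ne $cert.Issuer)   # self-signed certs have Issuer = Subject
        HasPrivateKey   = $cert.HasPrivateKey
        KeyExportable   = $cert.HasPrivateKey -and (Test-KeyExportable $cert)
        NameMatchesFqdn = Test-NameMatch -Fqdn $Fqdn -CertNames $cert.DnsNameList.Unicode
        DaysToExpiry    = [int]($cert.NotAfter - (Get-Date)).TotalDays
    }
}

Test-VdmCertificate
```

Pass -Fqdn explicitly if users connect through a name other than the server's own FQDN.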

SSL Ciphers

If you are running Horizon 6 or older, see Sven Huisman: Secure your Horizon View security server: from rating F to A-.

If this Horizon Connection Server or Horizon Security Server is publicly accessible, check it at ssllabs.com.

Horizon Portal – Client Installation Link

If you point your browser to the Horizon Connection Server (without /admin in the path), the Install VMware Horizon Client link redirects to the VMware.com site for downloading of Horizon Clients. You can change it so that the Horizon Clients can be downloaded directly from the Horizon Connection Server.

  1. On the Horizon Connection Server, go to C:\Program Files\VMware\VMware View\Server\broker\webapps. Create a new folder called downloads.
  2. Copy the downloaded Horizon Client for Windows to the new C:\Program Files\VMware\VMware View\Server\broker\webapps\downloads folder.

  3. Run Notepad as administrator.
  4. Open the file C:\ProgramData\VMware\VDM\portal\portal-links-html-access.properties with a text editor (as Administrator).
  5. Go back to the downloads folder, and copy the Horizon Client filename.
  6. In Notepad, modify link.win32 and link.win64 by specifying the relative path to the Horizon Client executable under /downloads. Note: In Horizon Client 4.3 and newer, there’s only one Horizon client for both 32-bit and 64-bit. The following example shows a link for the Horizon win64 client.
    Client for Windows: link.win64=/downloads/VMware-Horizon-Client-4.4.0-5171611.exe
  7. Then Save the file.
  8. Restart the VMware Horizon View Web Component service.

It will take a few seconds for the ws_TomcatService process to start, so be patient. If you get a 503 error, then the service is not done starting.

Now when you click the link to download the client, it will grab the file directly from the Horizon Connection Server.

LDAP Edits

Mobile Client – Save Password

If desired, you can configure Horizon Connection Server to allow mobile clients (iOS, Android) to save user passwords.

  1. On the Horizon Connection Server, run ADSI Edit.
  2. Right-click ADSI Edit, and click Connect to.
  3. Change the first selection to Select or type a Distinguished Name, and enter dc=vdi,dc=vmware,dc=int.
  4. Change the second selection to Select or type a domain or server, and enter localhost. Click OK.
  5. Navigate to Properties > Global. On the right, double-click CN=Common.
  6. Scroll down, click to highlight pae-ClientCredentialCacheTimeout, and click Edit.
  7. Enter a value in minutes. 0 = no saving of credentials. -1 = no timeout. Click OK.

iOS TouchID

vDelboy – How to Enable Touch ID in VMware Horizon 6.2

  1. On the Horizon Connection Server, run ADSI Edit.
  2. Right-click ADSI Edit and click Connect to…
  3. Change the first selection to Select or type a Distinguished Name and enter dc=vdi,dc=vmware,dc=int.
  4. Change the second selection to Select or type a domain or server and enter localhost. Click OK.
  5. Navigate to Properties > Global. On the right, double-click CN=Common.
  6. Find the attribute pae-ClientConfig and double-click it.
  7. Enter the line BioMetricsTimeout=-1, and click Add. Click OK. The change takes effect immediately.

Disallow Non-empty Pool Deletion

Configure View to Disallow the Deletion of a Desktop Pool That Contains Desktop Machines at pubs.vmware.com.

  1. On the Horizon Connection Server, run ADSI Edit.
  2. Right-click ADSI Edit and click Connect to…
  3. Change the first selection to Select or type a Distinguished Name and enter dc=vdi,dc=vmware,dc=int.
  4. Change the second selection to Select or type a domain or server and enter localhost. Click OK.
  5. Navigate to Properties > Global. On the right, double-click CN=Common.
  6. Find the attribute pae-NameValuePair, and double-click it.
  7. Enter the line cs-disableNonEmptyPoolDelete=1, and click Add. Click OK. The change takes effect immediately.
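
The three CN=Common settings in this section can be reviewed without opening ADSI Edit. This is an added example, not part of the original article; the function names are illustrative, and the OU=Global,OU=Properties location of CN=Common is an assumption taken from the ADSI Edit path Properties > Global used above.

```powershell
# Added example: read-only report of the CN=Common settings edited in this section.
# Assumption: CN=Common lives at OU=Global,OU=Properties under dc=vdi,dc=vmware,dc=int.
$CommonDn = 'CN=Common,OU=Global,OU=Properties,DC=vdi,DC=vmware,DC=int'

function Get-NamedValue {
    # Returns the value of a "Name=value" line in a multi-valued attribute, or $null if absent.
    param([object[]]$Lines, [string]$Name)
    foreach ($line in $Lines) {
        $key, $value = ([string]$line).Split('=', 2)
        if ($null -ne $value -and $key.Trim() -ieq $Name) { return $value.Trim() }
    }
    return $null
}

function ConvertTo-PolicyReport {
    param($CacheTimeout, [object[]]$ClientConfig, [object[]]$NameValuePair)
    # Meanings of 0 and -1 are the ones given in the Save Password steps.
    if ($null -eq $CacheTimeout) { $saved = 'attribute not set' }
    elseif ([int]$CacheTimeout -eq 0) { $saved = 'no saving of credentials (0)' }
    elseif ([int]$CacheTimeout -eq -1) { $saved = 'saved credentials with no timeout (-1)' }
    else { $saved = "saved credentials kept for $CacheTimeout minutes" }

    [pscustomobject]@{
        SavedPasswords            = $saved
        BioMetricsTimeout         = Get-NamedValue $ClientConfig 'BioMetricsTimeout'
        NonEmptyPoolDeleteBlocked = (Get-NamedValue $NameValuePair 'cs-disableNonEmptyPoolDelete') -eq '1'
    }
}

function Get-HorizonClientPolicy {
    # Binds to the Connection Server's local LDAP instance, as ADSI Edit does in the steps.
    param([string]$Server = 'localhost')
    $p = ([ADSI]"LDAP://$Server/$CommonDn").Properties
    ConvertTo-PolicyReport -CacheTimeout $p['pae-ClientCredentialCacheTimeout'].Value `
        -ClientConfig @($p['pae-ClientConfig']) -NameValuePair @($p['pae-NameValuePair'])
}

# Constructed sample values, so the interpretation can be seen without a Connection Server:
ConvertTo-PolicyReport -CacheTimeout '-1' -ClientConfig @('BioMetricsTimeout=-1') `
    -NameValuePair @('cs-disableNonEmptyPoolDelete=1')

# On a Connection Server, run: Get-HorizonClientPolicy
```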

Load Balancing

See Carl Stalhood’s Horizon View Load Balancing using NetScaler 11.1.

Remote Desktop Licensing

If you plan to build RDS Hosts, then install Remote Desktop Licensing somewhere. You can install it on your Horizon Connection Servers by following the procedure at http://www.carlstalhood.com/delivery-controller-7-8/#rdlicensing.

Antivirus

See the VMware Tech Paper Antivirus Considerations for VMware Horizon 7 for exclusions for Horizon View, App Volumes, User Environment Manager, and ThinApp.

Horizon Toolbox 2

Install the Horizon Toolbox Fling on your View Connection Servers. This is a web-based tool that adds the following functionality:

  • Auditing of user sessions
  • Auditing of virtual machine snapshots
  • Auditing of Horizon Client Versions
  • Remote Assistance – users request assistance from administrators
  • Virtual Machine Remote Console
  • Power Policy for pools

To use the Toolbox, make sure the following are enabled in your View Connection Server pod:

  • Events database
  • Customer Experience Improvement Program

.NET Framework 3.5 and Remote Assistance

  1. On the Horizon View Connection Server, in Server Manager, click Add Roles and Features.
  2. In the Features page, expand .NET Framework 3.5 Features, and select .NET Framework 3.5.
  3. Scroll down, select Remote Assistance, and click Next. This feature is only needed if you will respond to Remote Assistance requests directly from the Horizon View Connection Server.
  4. In the Confirmation page, click Specify an alternate source path.
  5. Mount or extract the Windows Server ISO.
  6. Enter the path to the sources folder on the Windows Server ISO, and click OK. Then click Install.

Toolbox Installer

  1. Download the Fling. Check the box next to I have read and agree, and click Download.
  2. Run the downloaded VMWARE-Horizon-Toolbox-x64-2.1.3.msi.
  3. In the Welcome to the HorizonToolbox Setup Wizard page, click Next.
  4. In the Select Installation Folder page, select Everyone, and click Next.
  5. In the BannerText page, click Next.
  6. In the Confirm Installation page, click Next.
  7. In the Installation Complete page, click Close.

Firewall

  1. Run Windows Firewall with Advanced Security.
  2. Create a new Inbound Rule for port 18443.
  3. Select Port, and click Next.
  4. Enter TCP 18443 as the local port, and click Next.
  5. Allow the connection, and click Next.
  6. Name the rule Horizon Toolbox or something like that. Click Finish.

Toolbox Certificate

Horizon Toolbox comes with a self-signed certificate. It can be replaced by doing the following:

  1. Copy a certificate .pfx file to C:\Program Files\VMware\HorizonToolbox\HorizonToolbox2.1.3\conf.
  2. Edit the file server.xml that’s in the same conf folder. Make sure your text editor is elevated (as administrator).
  3. Scroll down to the <Connector port="18443" section (near line 85).
  4. Change the keystoreFile attribute to the name of your .pfx file.
  5. Change the keystorePass attribute to the password for your .pfx file.
  6. Add a new attribute keystoreType="PKCS12". Type the quotes as straight quotes; curly quotes are not valid in server.xml.
  7. Close and save the file.
  8. Restart the Apache Tomcat 8.0 Tomcat8 service.
  9. Point your browser to https://view.corp.local:18443/toolbox.
  10. Login using View Administrator credentials.
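
If Tomcat does not come back after the edit, the usual causes are a malformed attribute (for example curly quotes pasted from a web page) or a keystore that does not open with the configured password. The script below checks for both. It is an added example, not part of the original article or the Toolbox project; the function name is illustrative, and it assumes keystoreFile names a file in the conf folder from step 1.

```powershell
# Added example: sanity-check the edited Toolbox server.xml before restarting Tomcat.
$Conf = 'C:\Program Files\VMware\HorizonToolbox\HorizonToolbox2.1.3\conf'   # folder from step 1

function Test-ToolboxConnector {
    param([string]$ConfDir = $Conf, [string]$Port = '18443')
    $serverXml = Join-Path $ConfDir 'server.xml'

    # Typographic quotes are not valid XML attribute delimiters. U+FFFD catches the same
    # characters when the file was saved in an ANSI code page.
    $hits = Select-String -Path $serverXml -Pattern '[\u201C\u201D\u2033\uFFFD]' -Encoding UTF8
    foreach ($h in $hits) { Write-Warning "Suspect quote on line $($h.LineNumber): $($h.Line.Trim())" }

    $xml = New-Object System.Xml.XmlDocument
    try { $xml.Load($serverXml) }
    catch { Write-Warning "server.xml is not well-formed: $($_.Exception.Message)"; return }

    $conn = $xml.SelectSingleNode("//Connector[@port='$Port']")
    if (-not $conn) { Write-Warning "No Connector with port $Port found."; return }

    $type = $conn.GetAttribute('keystoreType')
    if ($type -ne 'PKCS12') { Write-Warning "keystoreType is '$type'; step 6 sets PKCS12 for a .pfx file." }

    $file = $conn.GetAttribute('keystoreFile')
    if (-not $file) { Write-Warning 'keystoreFile attribute is missing.'; return }
    # Assumption: the .pfx sits in the conf folder, so only the file name is used.
    $pfx = Join-Path $ConfDir (Split-Path $file -Leaf)

    $opens = $false; $notAfter = $null
    if (Test-Path $pfx) {
        try {
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(
                $pfx, $conn.GetAttribute('keystorePass'))
            $opens = $cert.HasPrivateKey
            $notAfter = $cert.NotAfter
            $cert.Reset()   # release the temporary key container
        } catch { Write-Warning "Cannot open $pfx with keystorePass: $($_.Exception.Message)" }
    } else { Write-Warning "$pfx not found." }

    [pscustomobject]@{
        KeystoreType = $type; Keystore = $pfx; OpensWithPassword = $opens; NotAfter = $notAfter
    }
}

Test-ToolboxConnector
```

Because keystorePass is stored in server.xml in clear text, keep the conf folder readable only by administrators and the Tomcat service account.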

Toolbox Remote Assistance

  1. On the Horizon Agent machine, navigate to the View Connection Server Horizon Toolbox folder \\vcs01\c$\Program Files\VMware\HorizonToolbox\HorizonToolbox2.1.3\webapps\toolbox\static\ra and run Horizon_Remote_Assistance_Installer_v1035.exe.
  2. You might be prompted to install .NET Framework 3.5.
  3. Click Install for End User.
  4. Click OK to launch Remote Assistance.
  5. Close Remote Assistance.
  6. When done, click Finish.
  7. Users can initiate a request by clicking the Horizon Remote Assistance icon on the desktop.
  8. Click OK to submit a request.

  9. Support people can see support requests in the Toolbox interface on the Remote Assistance tab.

9 thoughts on “VMware Horizon 7.1.0 Connection Server”

  1. It seems as if once we updated to 7.0.3, we are seeing a crazy amount of warnings. We are seeing a ton of “Unable to Launch pool…is not ready to accept connections” as well as “The pending session for user…has expired”. These are occurring on our internal pools as well as the pools our external users connect to. The parent VM has the latest client. I am at a loss as to what this could be and I’m sure there are plenty of things it could be.

    We haven’t heard any screams about users being disconnected or anything along those lines, but those calls may not be getting through the helpdesk to us.

    Any ideas/suggestions? Anything would be appreciated at this point.

    Thanks!!

  2. Just an addition to Horizon Toolbox and upgrading to a newer Horizon Connection server version.

    If you have Toolbox installed, make sure to uninstall this first before you do an in place upgrade on the connection server. The Tomcat service and Web component service freak out and Horizon View administrator won’t work after in place upgrade.

  3. Hi Carl, your blog is awesome! If you’re ever in Charleston SC I would love to buy you dinner. 🙂 Question: Do you know if Remote Assistance can be initiated in both directions? For example, can an administrator request to view a user’s desktop? Would need for the user to accept or deny the request…

  4. Carl, thank you for this post. It was really good. I’m impressed. I did run into an issue with the new version of Horizon Toolbox. I installed the new version 2.1.2. If I were to set a pfx file like you did and specified the new attribute keystoreType=”PKCS12″, Tomcat would not restart. Instead, I removed this extra setting, and then everything worked and the site was signed.

    Thank you again.

    1. It works for me in 2.1.2 with the keystoreType. I noticed that one of your quotes is a curly quote instead of a straight quote.

  5. Hello Carl! Thank you for this post. I have a problem: after the installation, I don’t see all of the VMware services when I open services.msc. I only have 2 services running: the Blast Secure Gateway and the Security Gateway Component services.
    Do you know what can cause this issue?

  6. Hey, I like your blog. Just setting up Horizon 7 in my dev environment. I am looking at the replica connection server. I guess it functions exactly like a front end webserver that is load balanced behind an F5?

    1. Kind of. It also has an LDAP directory that replicates with other Connection Servers.

      The Connection Server is just a broker. It selects a Horizon Agent for the user and tells the user to connect directly to the Agent.
