VMware Horizon 7 Connection Server

Last Modified: Dec 25, 2016 @ 6:02 pm

Navigation

💡 = Recently Updated

Windows Features

  1. It’s probably helpful to install some administration tools on the Horizon Connection Servers. In Server Manager, open the Manage menu, and click Add Roles and Features.
  2. Click Next until you get to the Features page.
  3. Check the box next to Group Policy Management, and scroll down.
  4. Check the box next to Telnet Client.
  5. If you need Flash Player for Internet Explorer (e.g. to connect to the vSphere Web Client or View Administrator), then expand User Interfaces and Infrastructure, and check the box next to Desktop Experience.
  6. Click Add Features when prompted.
  7. Expand Remote Server Administration Tools > Role Administration Tools > AD DS and AD LDS Tools > AD DS Tools. Check the box next to AD DS Snap-Ins and Command-Line Tools. You might also want Active Directory module for Windows PowerShell. Then click Next .
  8. Then click Install.
  9. You might see a message prompting you to reboot. Right-click the Start button to reboot the server. it will reboot twice.

Install Standard Server 7.0.3

The first Horizon Connection Server must be a Standard Server. Subsequent Horizon Connection Servers are Replicas. Once Horizon Connection Server is installed, there is no difference between them.

A production Horizon Connection Server should have 10 GB of RAM and 4 vCPU. Each Horizon Connection Server can handle 2,000 virtual desktops.

  1. Ensure the Horizon Connection Server has 10 GB of RAM and 4 vCPU.
  2. View Composer cannot be installed on the Horizon Connection Server.
  3. View Connection Server 7.0.3 will not install on Windows Server 2016. But Windows 2016 is supported for View Agents.
  4. Go to the downloaded Horizon 7 Connection Server, and run VMware-viewconnectionserver-x86_64-7.0.3.exe.
  5. In the Welcome to the Installation Wizard for VMware Horizon 7 Connection Server page, click Next.
  6. In the License Agreement page, select I accept the terms, and click Next.
  7. In the Destination Folder page, click Next.
  8. In the Installation Options page, select Horizon 7 Standard Server, and click Next.
  9. In the Data Recovery page, enter a password and click Next.
  10. In the Firewall Configuration page, click Next.
  11. In the Initial Horizon 7 Administrators page, enter an AD group containing your Horizon administrators and click Next.
  12. In the User Experience Improvement Program page, uncheck the box and click Next.
  13. In the Ready to Install the Program page, click Install.
  14. In the Installer Completed page, uncheck the box next to Show the readme file and click Finish.

Install Replica Server 7.0.3

Additional internal Horizon Connection Servers are installed as Replicas. After installation, there is no difference between a Replica server and a Standard server.

A production Horizon Connection Server should have 10 GB of RAM and 4 vCPU. Each Horizon Connection Server can handle 2000 virtual desktops.

  1. Ensure the Horizon Connection Server has 10 GB of RAM and 4 vCPU.
  2. Go to the downloaded Horizon 7 Connection Server and run VMware-viewconnectionserver-x86_64-7.0.3.exe.
  3. In the Welcome to the Installation Wizard for VMware Horizon 7 Connection Server page, click Next.
  4. In the License Agreement page, select I accept the terms and click Next.
  5. In the Destination Folder page, click Next.
  6. In the Installation Options page, select Horizon 7 Replica Server and click Next.
  7. In the Source Server page, enter the name of another Horizon Connection Server in the group. Then click Next.
  8. In the Firewall Configuration page, click Next.
  9. In the Ready to Install the Program page, click Install.
  10. In the Installer Completed page, click Finish.
  11. If you are adding this Replica server to a Pod that is already enabled for Global Entitlements, see Setting up the Cloud Pod Architecture feature on a replicated View Connection Server instance.

Horizon Connection Server Certificate

  1. Run mmc, add the Certificates snap-in and point it to Computer > Local Machine. Or run certlm.msc.
  2. Request a new certificate with a common name that matches the FQDN of the Connection Server or import a wildcard certificate.
  3. Note: the private key must be exportable. If using the Computer template, click Details then click Properties.
  4. On the Private Key tab, click Key options to expand it and check the box next to Mark private key as exportable.
  5. In the list of certificates, look for the one that is self-signed. The Issuer will be the local computer name instead of a Certificate Authority. Right-click it and click Properties.
  6. On the General tab, clear the Friendly name field and click OK.
  7. Right-click your Certificate Authority-signed certificate and click Properties.
  8. Note: the private key of the certificate you use for Horizon Connection Server must be exportable. To verify, try exporting the certificate. If the option to export the private key is grayed out then this certificate will not work.
  9. On the General tab, in the Friendly name field, enter the text vdm and click OK. Note: only one certificate can have vdm as the Friendly name.
  10. Then restart the VMware Horizon View Connection Server service. It will take several seconds before you can connect to View Administrator.
  11. If the VMware Horizon View Security Gateway Component won’t start then your certificate doesn’t have an exportable private key. The private key must be exportable.

SSL Ciphers

If you are running Horizon 6 or older, see Sven Huisman: Secure your Horizon View security server: from rating F to A-.

If this Horizon Connection Server or Horizon Security Server is publicly accessible, check it at ssllabs.com.

Horizon Portal – Client Installation Link

If you point your browser to the Horizon Connection Server, the Install VMware Horizon Client link redirects to the VMware.com site for downloading of Horizon Clients. You can change it so that the Horizon Clients can be downloaded directly from the Horizon Connection Server.

  1. On the Horizon Connection Server, go to C:\Program Files\VMware\VMware View\Server\broker\webapps. Create a new folder called downloads.
  2. Copy the downloaded Horizon Clients to the new C:\Program Files\VMware\VMware View\Server\broker\webapps\downloads folder.

  3. Run Notepad as administrator.
  4. Open the file C:\ProgramData\VMware\VDM\portal\portal-links-html-access.properties file with a text editor (as Administrator).
  5. Go back to the downloads folder and copy the Horizon Client filename.
  6. In Notepad, modify link.win32 and link.win64 by specifying the relative path to the Horizon Client executable under /downloads. The following example shows a link for Horizon Client for Windows x64:
    link.win64=/downloads/VMware-Horizon-Client-x86_64-4.0.1-3698521.exe
    Then Save the file.
  7. Restart the VMware Horizon View Web Component service.

It will take a few seconds for the ws_TomcatService process to start so be patient. If you get a 503 error then the service is not done starting.

Now when you click the link to download the client it will grab the file directly from the Horizon Connection Server.

LDAP Edits

Mobile Client – Save Password

If desired, you can configure Horizon Connection Server to allow mobile clients (iOS, Android) to save user passwords.

  1. On the Horizon Connection Server, run ADSI Edit.
  2. Right-click ADSI Edit and click Connect to…

  3. Change the first selection to Select or type a Distinguished Name and enter dc=vdi,dc=vmware,dc=int.
  4. Change the second selection to Select or type a domain or server and enter localhost. Click OK.
  5. Navigate to Properties > Global. On the right, double-click CN=Common.
  6. Scroll down, click to highlight pae-ClientCredentialCacheTimeout and click Edit.
  7. Enter a value in minutes. 0 = no saving of credentials. -1 = no timeout. Click OK.

iOS TouchID

vDelboy – How to Enable Touch ID in VMware Horizon 6.2

  1. On the Horizon Connection Server, run ADSI Edit.
  2. Right-click ADSI Edit and click Connect to…
  3. Change the first selection to Select or type a Distinguished Name and enter dc=vdi,dc=vmware,dc=int.
  4. Change the second selection to Select or type a domain or server and enter localhost. Click OK.
  5. Navigate to Properties > Global. On the right, double-click CN=Common.
  6. Find the attribute pae-ClientConfig and double-click it.
  7. Enter the line BioMetricsTimeout=-1 and click Add. Click OK. The change takes effect immediately.

Disallow Non-empty Pool Deletion

Configure View to Disallow the Deletion of a Desktop Pool That Contains Desktop Machines at pubs.vmware.com.

  1. On the Horizon Connection Server, run ADSI Edit.
  2. Right-click ADSI Edit and click Connect to…
  3. Change the first selection to Select or type a Distinguished Name and enter dc=vdi,dc=vmware,dc=int.
  4. Change the second selection to Select or type a domain or server and enter localhost. Click OK.
  5. Navigate to Properties > Global. On the right, double-click CN=Common.
  6. Find the attribute pae-NameValuePair and double-click it.
  7. Enter the line cs-disableNonEmptyPoolDelete=1 and click Add. Click OK. The change takes effect immediately.

Load Balancing

See Carl Stalhood’s Horizon View Load Balancing using NetScaler 11.

Remote Desktop Licensing

If you plan to build RDS Hosts, then install Remote Desktop Licensing somewhere. You can install it on your Horizon Connection Servers by following the procedure at http://www.carlstalhood.com/delivery-controller-7-8/#rdlicensing.

Antivirus

VMware Technical Paper Antivirus Considerations for VMware Horizon 7:

  • General antivirus configuration
  • Exclusions for each Horizon component

Horizon Toolbox 2

Install the Horizon Toolbox Fling on your View Connection Servers. This is a web-based tool that adds the following functionality:

  • Auditing of user sessions
  • Auditing of virtual machine snapshots
  • Auditing of Horizon Client Versions
  • Remote Assistance – users request assistance from administrators
  • Virtual Machine Remote Console
  • Power Policy for pools

To use the Toolbox, make sure the following are enabled in your View Connection Server pod:

  • Events database
  • Customer Experience Improvement Program

.NET Framework 3.5 and Remote Assistance

  1. On the View Connection Server, in Server Manager, open the Manage menu and click Add Roles and Features.
  2. In the Features page, select .NET Framework 3.5.
  3. Scroll down, select Remote Assistance and click Next. This feature is only needed if you will respond to Remote Assistance requests directly from the View Connection Server.
  4. In the Confirmation page, click Specify an alternate source path.
  5. Mount or extract the Windows Server 2012 R2 ISO.
  6. Enter the path to the sources folder on the Windows Server 2012 R2 ISO and click OK. Then click Install.

Toolbox Installer

  1. Download the Fling. Check the box next to I have read and agree and click Download.
  2. Run the downloaded VMWARE-Horizon-Toolbox-x64-2.1.2.msi.
  3. In the Welcome to the HorizonToolbox Setup Wizard page, click Next.
  4. In the Select Installation Folder page, select Everyone and click Next.
  5. In the BannerText page, click Next.
  6. In the Confirm Installation page, click Next.
  7. In the Installation Complete page, click Close.

Firewall

  1. Run Windows Firewall with Advanced Security.
  2. Create a new Inbound Rule for port 18443.
  3. Select Port and click Next.
  4. Enter TCP 18443 as the local port and click Next.
  5. Allow the connection and click Next.
  6. Name the rule Horizon Toolbox or something like that. Click Finish.

Toolbox Certificate

Horizon Toolbox comes with a self-signed certificate. It can be replaced by doing the following:

  1. Copy a certificate .pfx file to C:\Program Files\VMware\HorizonToolbox\HorizonToolbox2.1.2\conf.
  2. Edit the file server.xml that’s in the same conf folder.
  3. Scroll down to the <Connector port=”18443″ section (near line 85).
  4. Change the keystoreFile attribute to the name of your .pfx file.
  5. Change the keystorePass attribute to the password for your .pfx file.
  6. Add a new attribute keystoreType=”PKCS12″
  7. Close and save the file.
  8. Restart the Apache Tomcat 8.0 Tomcat8 service.
  9. Point your browser to https://view.corp.local:18443/toolbox.
  10. Login using View Administrator credentials.

Toolbox Remote Assistance

  1. On the Horizon Agent machine, navigate to the View Connection Server Horizon Toolbox folder \\vcs01\c$\Program Files\VMware\HorizonToolbox\HorizonToolbox2.1.2\webapps\toolbox\static\ra and run Horizon_Remote_Assistance_Installer_v1035.exe.
  2. You might be prompted to install .NET Framework 3.5.
  3. Click Install for End User.
  4. Click OK to launch Remote Assistance.
  5. Close Remote Assistance.
  6. When done, click Finish.
  7. Users can initiate a request by clicking the Horizon Remote Assistance icon on the desktop.
  8. Click OK to submit a request.

  9. Support people can see support requests in the Toolbox interface on the Remote Assistance tab.

7 thoughts on “VMware Horizon 7 Connection Server”

  1. Hi Carl, you’re blog is awesome! If you’re ever in Charleston SC I would love to buy you dinner. 🙂 Question: Do you know if Remote Assistance can be initiated in both directions? For example, can an administrator request to view a users desktop? Would need for the user to accept or deny the request…

  2. Carl thank you for this Post. it was really good. I’m impressed. I did run into an issue with the new version of Horizon Toolbox. I installed the new version 2.1.2. If I were to set a pfx file like you did and specified the new attribute keystoreType=”PKCS12″, Tomcat would not restart. Instead, I removed this extra setting, and then everything worked and the site was signed.

    Thank you again.

    1. It works for me in 2.1.2 with the keystoreType. I noticed that one of your quotes is a curly quote instead of a straight quote.

  3. Hello Carl! Tank you for this post. I have a problem, after the installation, I don’t see all of the Vmware services when i open the services.msc. I only have 2 services running: the blast secure gateway and the Security Gateway Component services.
    Do you know what can cause this issue?

  4. hey i like your blog. Just setting up Horizon 7 in my dev environment. I am looking at the replica connection server. I guess it functions exactly like a front end webserver that is load balanced behind an F5?

    1. Kind of. It also has an LDAP directory that replicates with other Connection Servers.

      The Connection Server is just a broker. It selects a Horizon Agent for the user and tells the user to connect directly to the Agent.

Leave a Reply