VMware Horizon 7.10 Composer

Last Modified: Sep 17, 2019 @ 1:34 pm

This post applies to all VMware Horizon versions 7.0 and newer, including 7.5.2 (ESB), and 7.10.

Planning

If you’re doing Instant Clones, then you don’t need Horizon Composer. Composer is only needed for the older method of creating Linked Clones. However, Instant Clones requires Horizon Enterprise Edition, so maybe Composer is your only option.

vCenter Server planning:

  • A single vCenter Server can handle 10,000 VMs. However, this is a single point of failure. VMware recommends separate vCenter servers for each 2,000 or 4,000 VMs. More vCenter Servers means more concurrent vCenter operations, especially if your pools are configured for Refresh on Logoff.
    • Horizon 7.2 and newer supports 4,000 VMs per vCenter Server.
    • Horizon 7.1 and older supports 2,000 VMs per vCenter Server.
  • Each ESXi cluster is managed by one vCenter Server.
  • Don’t use existing vCenter servers. Build separate vCenter servers for the vSphere clusters that host Agent VMs. Horizon licenses include vCenter licenses, so there’s no excuse to not use separate vCenter servers.

Horizon View Composer server planning:

A remote SQL Server is needed for databases:

  • vCenter database
  • Horizon Composer database
  • Horizon Events database
  • Supported SQL versions are listed on the Solution/Database Interoperability tab at VMware Product Interoperability Matrices.

SQL Server Preparation

Only SQL Authentication is supported.

  1. Open the properties of the SQL Server.
  2. On the Security page, make sure SQL Server authentication is enabled.
  3. Create a new SQL database for View Composer.
  4. Call it VMwareHorizonComposer or similar. Then switch to the Options page.
  5. Select your desired Recovery model, and click OK.
  6. View Composer only supports SQL authentication on remote SQL servers. Expand Security, right-click Logins, and click New Login to create a new SQL login.
  7. Name the new account.
  8. Select SQL Server authentication.
  9. Enter a password for the new account.
  10. Uncheck the box next to Enforce password policy.
  11. Then switch to the User Mapping page.
  12. On the User Mapping page, in the upper half, check the Map box for VMwareHorizonComposer.
  13. On the bottom, check the box for the db_owner role, and click OK.

SQL Native Client

  1. Download SQL Native Client (sqlncli.msi).
  2. On the Horizon View Composer server, run sqlncli.msi.
  3. In the Welcome to the Installation Wizard for SQL Server 2012 Native Client page, click Next.
  4. In the License Agreement page, select I accept, and click Next.
  5. In the Feature Selection page, click Next.
  6. In the Ready to Install the Program page, click Install.
  7. In the Completing the SQL Server 2012 Native Client installation page, click Finish.

ODBC

  1. On the Horizon View Composer server, run ODBC Data Sources (64-bit) from the Start Menu.
  2. On the System DSN tab, click Add.
  3. Select SQL Server Native Client, and click Finish.
  4. Enter the name HorizonComposer for the DSN, and enter the SQL server name. Click Next.
  5. Change the selection to With SQL Server authentication, and enter the credentials of the new ViewComposer SQL account. Then click Next.
  6. Check the box next to Change the default database, and select the VMwareHorizonComposer database. Then click Next.
  7. Click Finish.
  8. Click OK twice.

Install/Upgrade Composer

  1. Upgrade can be performed in-place.
  2. Windows Server 2019 is supported with Horizon Composer 7.8 and newer.
  3. Don’t install on Horizon Connection Server: Horizon Composer cannot be installed on the Horizon Connection Server. Composer and Connection Server must be separate machines.
  4. Extra Memory for vCenter: If you install Horizon Composer on a Windows vCenter server, VMware recommends adding 8 GB of RAM to the server. See VMware 2105261 Intermittent provisioning issues and generic errors when Composer and vCenter Server are co-installed.
    1. vCenter Service Account: if you install Horizon Composer on a Windows vCenter server, log in as the same account that was used to install vCenter. See VMware 2017773 Installing or upgrading View Composer fails with error: The wizard was interrupted before VMware View Composer could be completely installed.
  5. Internet access for CRL checking: If the Horizon Composer server does not have Internet access, see VMware 2081888 Installing Horizon View Composer fails with the error: Error 1920 Service VMware Horizon View Composer (svid) failed to start.
  6. Certificate: If you install a certificate now, Composer installer will prompt you to select it during installation. Or, you can replace the certificate later.
  7. Download Horizon 7.10.0 View Composer or Horizon 7.5.2 (ESB) View Composer.

  8. Install: Run the downloaded VMware-viewcomposer-7.10.0.exe or VMware-viewcomposer-7.5.2.exe (ESB).

    1. If you’re prompted to install .NET 4.6.1, click Yes.
    2. Then run the downloaded NDP462-KB3151802-Web.exe.
    3. Check the box next to I have read and accept the license terms, and click Install.
  9. In the Welcome to the Installation Wizard for VMware Horizon 7 Composer page, click Next.
  10. In the License Agreement page, select I accept the terms, and click Next.
  11. In the Destination Folder page, click Next.
  12. In the Database Information page, enter the name of the ODBC DSN.
  13. Enter the SQL account credentials (no Windows accounts), and click Next. For remote SQL databases, only SQL accounts will work. The SQL account must be db_owner of the database.
  14. The VMware Horizon 7 Composer Port Settings page appears. If you already installed a valid certificate on the Composer server, select Use an existing SSL certificate, and select the certificate. Click Next.
  15. In the Ready to Install the Program page, click Install.
  16. In the Installer Completed page, click Finish.
  17. Click Yes when asked to restart the computer.
  18. If you encounter installation issues, see VMware 2087379 VMware Horizon View Composer help center.

Administrator Permissions

If Horizon View Composer is installed on a standalone server (not on vCenter), Horizon Connection Server will need a service account with administrator permissions on the Horizon View Composer server. Add your Horizon View Composer Service Account to the local Administrators group.

Composer Certificate

  1. Open the MMC Certificates snap-in (certlm.msc).
  2. Make sure your Composer certificate private key is exportable. Try exporting the certificate, and make sure Yes, export the private key is a selectable option.

  3. Stop the VMware Horizon 7 Composer service.
  4. In the certificates console, double-click your Composer certificate. On the Details tab, note the Thumbprint.
  5. Run Command Prompt as Administrator
  6. Change the directory to C:\Program Files (x86)\VMware\VMware View Composer.
  7. Run sviconfig -operation=replacecertificate -delete=false.
  8. Select the certificate that matches the thumbprint you noted earlier.
  9. Then restart the VMware Horizon 7 Composer service.

SQL Database Maintenance

SQL password: The password for the SQL account is stored in C:\Program Files (x86)\VMware\VMware View Composer\SviWebService.exe.config. To change the password, run SviConfig -operation=SaveConfiguration as detailed at VMware 1022526 The View Composer service fails to start after the Composer DSN password is changed.

Database Move: To move the database to a new SQL server, you must uninstall Composer and reinstall it. See VMware 2081899 VMware Horizon View Composer fails to work properly after migrating the Composer database to a new SQL server.

VMware vRealize Operations for Horizon 6.4

Last Modified: Sep 2, 2018 @ 7:51 am

This post is for 6.4 and older. See vRealize Operations for Horizon 6.5 and newer.

Planning

What’s New: VMware vRealize Operations 6.5:

  • Log Insight integration
  • vRealize Business for Cloud integration
  • Automatic upgrade of in-guest End Point Operations agents
  • Higher scalability
  • Webhooks for connections with other platforms (e.g. Slack)

VMware Blog Post VMware vRealize Operations for Horizon and Published Applications 6.4, Part 1: What’s New: In this release, you will find the following features:

vROps Webinar Series 2016 – Part 12 – What’s New with vROps 6.4 – 1 hour, 13 minute YouTube video.

vRealize Operations 6.3: What’s New, Hint it just got even better at VMware Blogs contains screenshots of the new features in vROps 6.3.

VMware 2146615 vRealize Operations Manager 6.3 Sizing Guidelines:

Download Files

  1. Download vRealize Operations Manager 6.4 appliance, which is listed on vROps for Horizon download page. Or download vRealize Operations Manager 6.5 appliance. VMware’s Product Interoperability Matrix indicates that both versions are compatible.

  2. Go to the download page for vRealize Operations for Horizon 6.4.
  3. Download the vRealize Operations for Horizon Adapter.
  4. Download the vRealize Operations for Horizon Broker Agent 64-Bit.
  5. Download the vRealize Operations for Horizon Desktop Agent.

Deploy Appliance

  1. In vSphere Web Client, navigate to the vCenter object, right-click it, and click Deploy OVF Template.
  2. In the Select Source page, select Local file, browse to the vRealize Operations 6.4 .ova file, or vRealize Operations 6.5 .ova file, and click Next.
  3. In the Review details page, click Next.

  4. If you see an Accept EULAs page, click Accept, and then click Next.
  5. In the Select name and folder page, enter a name for the appliance, select a folder, and click Next.
  6. If you see a Deployment Configuration page, select a size, and then click Next.
  7. In the Select a resource page, select a cluster, and then click Next.
  8. In the Storage page, select Thin Provision, select a datastore, and then click Next.
  9. In the Setup networks page, select a port group and click Next.
  10. In the Customize template page, select a time zone.
  11. Expand Networking Properties.
  12. Enter the IP address information for the appliance. You can also specify the time zone. Then click Next.
  13. In the Ready to Complete page, check the box next to Power on after deployment, and then click Finish.

Create Cluster

  1. Power on the new virtual appliance.
  2. Wait for the appliance to start.
  3. Use a browser to go to https://IPAddress/admin. If you see a Service unavailable message, wait a couple minutes and try again.
  4. You might also see this message. Try again.
  5. On the bottom of the page, click New Installation.
  6. In the Getting Started page, click Next.
  7. In the Set Administrator Password page, enter a password based on the listed requirements. Click Next.
  8. In the Choose Certificate page, you can upload a PEM certificate.

    The certificate file must have a .pem extension; no other extension is accepted. Make sure the PEM file contains both the certificate and the private key. If there are intermediate Certificate Authorities, add them to the PEM file as well. Click Next when done.
  9. In the Deployment Settings page, enter a name for the master node.
  10. Enter a NTP Server Address and click Add. Then click Next.
  11. In the Ready to Complete page, click Finish.

Start Cluster

  1. From the https://IPAddress/admin page, click Start vRealize Operations Manager.
  2. Click Yes. This will take several minutes.
  3. Log into the appliance.
  4. On the Welcome page, click Next.
  5. In the Accept EULA page, check the box next to I accept the terms, and click Next.
  6. In the Enter Product License Key page, enter the vRealize Operations license key, click Validate License Key, and click Next. Note: there is a separate license for vROps for Horizon that will be entered later.
  7. In the Customer Experience Improvement Program page, make a choice, and click Next.
  8. In the Ready to Complete page, click Finish.

Patch/Upgrade Appliance

  1. Download the Upgrade Pack or Hot Patch from the vRealize Operations 6.4 download page or vRealize Operations 6.5 download page.
  2. Use a browser to go to https://vROpsIP/admin and login as admin.
  3. On the left, switch to the Software Update page.
  4. On the right, click Install a Software Update.
  5. Click Browse and browse to an upgrade or Hot Patch .pak file downloaded from vmware.com. You must upgrade the operating system first (.pak file name containing VA-OS), and then upgrade vRealize Operations Manager (file name without OS in it).
  6. Click Upload.

  7. Click Next.

  8. In the End User License Agreement page, check the box next to I accept the terms and click Next.
  9. Installation begins.
  10. After rebooting and logging in again, the Software Update page shows that the update has been completed.

  11. After upgrading both the OS and vROps, the System Status page should show version 6.4.0.4276418.

Configure vSphere Adapter

  1. Login to the appliance.
  2. Go to Administration > Solutions.
  3. Highlight the VMware vSphere Solution, and click the Configure button in the toolbar.
  4. In the Configure adapters page, highlight the vCenter Adapter.
  5. On the bottom, enter a name for the vCenter adapter.
  6. Enter the address of the vCenter server.
  7. Click the plus icon to add a Credential.
  8. Enter credentials for the vCenter server, and click OK.
  9. Click Test Connection.
  10. Click OK to accept the certificate.
  11. Click OK to acknowledge that the test was successful.
  12. Click Save Settings when done.
  13. Click OK to acknowledge that adapter instance was successfully saved.
  14. Click Close.
  15. Note: it takes four weeks for vRealize Operations to determine dynamic thresholds.
  16. Additional adapters can be downloaded from VMware Solution Exchange – https://solutionexchange.vmware.com/store

vSphere SSO

  1. In the vRealize Operations console, go to Administration > Authentication Sources.
  2. On the right, click the green plus icon.
  3. Enter a display name.
  4. From the Source Type drop-down select SSO SAML.
  5. Enter the FQDN of the Platform Services Controller.
  6. Enter credentials of an account that is in the Single Sign-on Admins group.
  7. Select Grant administrator role to vRealize Operations Manager for future configuration.
  8. Click Test.
  9. Check the box to Accept this Certificate, and click OK.
  10. Click OK to acknowledge that the test was successful.
  11. Click OK.
  12. The Import User Groups wizard launches automatically. In the Import User Groups page, enter a group name, click Search, and then select the group. Click Next.
  13. On the Roles and Objects page, from the Select Role drop-down select Administrator.
  14. Check the box next to Assign this role to the group.
  15. Check the box next to Allow access to all objects in the system. Click Finish.
  16. You can now login using a vCenter Single Sign-on account.

Session Timeout

  1. The vRealize Operations webpage defaults to 30 minutes timeout. To change it, go to Administration > Global Settings and click the pencil icon.
  2. The maximum value for Session Timeout is 34560. Click OK.

Alerting

  1. In vRealize Operations console, go to Administration > Outbound Settings.
  2. On the right, click the green plus icon.
  3. From the Plugin Type drop-down select Standard Email Plugin.
  4. Give the Instance a name.
  5. Enter the SMTP information and click Test.
  6. Click OK to acknowledge that the test was successful.
  7. Then click Save.
  8. You can then go to Content > Notifications, and create notifications.
  9. Give the rule a name.
  10. For Method, select the Standard Email Plugin and the instance you created earlier.
  11. Enter recipients.
  12. Select Triggers and Criticality. Click Save.

Install Horizon Adapter 6.4 PAK File

  1. Login to the vRealize Operations appliance web page.
  2. Go to Administration > Solutions.
  3. On the right, click the green plus icon.
  4. In the Select Solution page, click Browse.
  5. Browse to VMware-vrops-viewadapter-6.4…pak and select it.
  6. Click Upload.
  7. Click Next.
  8. In the End User License Agreement page, check the box next to I accept the terms, and click Next.
  9. After it’s done installing, in the Install page, click Finish.

Horizon Adapter Licensing

  1. In the vRealize Operations web page, go to Administration > Licensing.
  2. On the right, click the green plus icon.
  3. Select VMware Horizon.
  4. Enter the vROps for Horizon license key and click Validate. Note: this key is different than the vRealize Operations key.
  5. Click Save.

Configure Horizon Adapter

Here are some guidelines regarding the Horizon adapter:

  • You can only have one Horizon adapter per vRealize Operations appliance.
  • Each adapter can handle up to 10,000 virtual desktops.
  • Multiple Horizon pods can point to a single adapter.

Do the following to create and configure a Horizon adapter:

  1. In vRealize Operations Manager, go back to Administration > Solutions.
  2. On the right, highlight the VMware Horizon adapter, and click the Configure icon.
  3. On the top part, highlight the Horizon Adapter.
  4. On the bottom, give the adapter a Display Name and an Adapter ID.
  5. Click the green plus icon to add a credential.
  6. Give the credential a name. Enter a new password (shared key), and click OK. You’ll use this password later.
  7. Click Test Connection.
  8. Click OK to acknowledge that the test was successful.
  9. On the bottom right, click Save Settings.
  10. Click OK.
  11. Then click Close.

Enable SSH

VMware Knowledgebase article – Enabling SSH access in vRealize Operations Manager 6.0.x (2100515):

  1. Connect to the vRealize Operations Manager virtual machine console.
  2. Press Alt+F1, and login as root.
    Note: By default there is no root password configured.
  3. Start the SSH service by running the command:
    service sshd start
  4. To configure SSH to start automatically run this command:
    chkconfig sshd on

Appliance Firewall for Horizon Adapter

  1. Login as root to the CLI of the appliance using SSH, or the virtual machine console.
  2. Use vi to edit the file /opt/vmware/etc/vmware-vcops-firewall.conf.
  3. Look for the TCPPORTS line that adds 3091:3094. Right below that line, add a new line containing TCPPORTS="$TCPPORTS 3099:3101". In vi, press i to enter insert mode and then press <Esc> to exit insert mode.
  4. Enter :wq to save the file and exit.
  5. Run /etc/init.d/vmware-vcops-firewall restart.
  6. If you have vRealize Operations for Horizon Desktop Agents that are older than 6.2, then you’ll need to enable TLS 1.0 by editing the properties file. See Create an Instance of the Horizon Adapter at pubs.vmware.com for more information.
  7. If you have more than 1,000 Desktop Agents, see VMware 2096607 Adjusting the ARP cache on a vRealize Operations Manager remote collector node
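As an added example (not from the original post), the following POSIX shell script makes the firewall edit in steps 2 to 5 repeatable: it inserts the Desktop Agent port range directly below the existing 3091:3094 TCPPORTS line, refuses to touch the file if that anchor line is missing, and does nothing if the ports are already open. It assumes the file layout described above; the path and port numbers are the ones from the post.

```shell
#!/bin/sh
# Added example, not from the original post: open the Horizon Desktop Agent
# ports (3099:3101) in the vRealize Operations appliance firewall config by
# inserting a TCPPORTS line directly below the existing 3091:3094 line.
# Assumes the file format described above (TCPPORTS="$TCPPORTS a:b" lines).

VCOPS_FW_CONF="${VCOPS_FW_CONF:-/opt/vmware/etc/vmware-vcops-firewall.conf}"
ANCHOR_PORTS='3091:3094'   # existing line the post says to look for
HORIZON_PORTS='3099:3101'  # Desktop Agent range the post says to add

# add_horizon_ports FILE
# Exit status: 0 = line added, 2 = already present (file untouched),
# 1 = file missing or no 3091:3094 anchor line (we refuse to guess a position).
add_horizon_ports() {
    conf="$1"
    if [ ! -f "$conf" ]; then
        echo "add_horizon_ports: $conf not found" >&2
        return 1
    fi
    if grep -q "^TCPPORTS=.*[\" ]$HORIZON_PORTS[\" ]" "$conf"; then
        return 2
    fi
    if ! grep -q "^TCPPORTS=.*[\" ]$ANCHOR_PORTS[\" ]" "$conf"; then
        echo "add_horizon_ports: no TCPPORTS line for $ANCHOR_PORTS in $conf" >&2
        return 1
    fi
    tmp="$conf.tmp.$$"
    # Print every line; right after the first anchor line, emit the new one.
    awk -v anchor="$ANCHOR_PORTS" -v ports="$HORIZON_PORTS" '
        { print }
        !done && /^TCPPORTS=/ && index($0, anchor) {
            printf "TCPPORTS=\"$TCPPORTS %s\"\n", ports
            done = 1
        }
    ' "$conf" > "$tmp" || { rm -f "$tmp"; return 1; }
    # Write through the original file so its owner and mode are preserved.
    cat "$tmp" > "$conf" && rm -f "$tmp"
}

# horizon_ports_open FILE: 0 if the Desktop Agent range is present in FILE.
horizon_ports_open() {
    grep -q "^TCPPORTS=.*[\" ]$HORIZON_PORTS[\" ]" "$1"
}

# restart_vcops_firewall: the restart the post runs after editing the file.
restart_vcops_firewall() {
    /etc/init.d/vmware-vcops-firewall restart
}

# Apply on the appliance only when explicitly asked: ./open-horizon-ports.sh --apply
if [ "${1:-}" = "--apply" ]; then
    add_horizon_ports "$VCOPS_FW_CONF"
    rc=$?
    case $rc in
        0) echo "added $HORIZON_PORTS; restarting firewall"; restart_vcops_firewall ;;
        2) echo "$HORIZON_PORTS already open; nothing to do" ;;
        *) exit "$rc" ;;
    esac
fi
```

Run it a second time and it reports the ports as already open without rewriting the file, which keeps the firewall restart from being triggered needlessly.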

Install Horizon Broker Agent

  1. Login to one View Connection Server in your pod. Only install the Broker Agent on one View Connection Server in each pod.
  2. Run the downloaded VMware-v4vbrokeragent-x86_64-6.4.0.exe.
  3. In the Welcome to the VMware vRealize Operations for Horizon Broker Agent Setup Wizard page, click Next.
  4. In the End-User License Agreement page, check the box next to I accept the terms and click Next.
  5. In the Ready to install the Broker Agent page, click Install.
  6. In the Completed the VMware vRealize Operations for Horizon Broker Agent Setup Wizard page, click Finish.

Configure Horizon Broker Agent

  1. The Configuration tool will appear immediately after installation. Or launch vRealize Operations View Broker Agent Settings from the Start Menu.
  2. In the Pair Adapter page, enter the IP address of the vRealize Operations appliance, enter 3091 for the port, enter the adapter password, and click Pair.
  3. After broker pairing is successful, click Next. If this doesn’t work, make sure the firewall ports are opened on the vRealize Operations appliance.
  4. In the View Connection Server page, enter credentials for Horizon View, and click Test.
  5. Then click Next.
  6. In the Event DB and Desktop page, enter the SQL credentials to access the Events database, and click Test.
  7. Then click Next.
  8. In the Configure App Volumes Managers to Monitoring page, enter the App Volumes info and click Test. Click the plus icon to move it to the bottom. Then click Next.
  9. In the Monitor Access Point with Broker Agent page, enter a name, enter the Access Point IP, enter 9443 as the port, enter the admin credentials, and click Test.
  10. Click the plus icon to move the Access Point appliance to the bottom. Then click Next.
  11. In the Intervals and Timeouts page, click Next.
  12. In the Configure the Logging parameters page, click Next.
  13. In the Broker Agent Service page, click Start. Then click Next.
  14. In the Review changes page, click Finish.
  15. In the vRealize Operations web console, from the Home page, you can view the Horizon Adapter Self Health dashboard to verify that the adapter and broker agent are functional.

Desktop Agent

The Desktop Agent should be installed on every Horizon Agent machine. Horizon 7 Agents come with vROps Desktop Agents. If you’re not running the latest version of Horizon 7 Agent, then upgrade the vROps Desktop Agent on those machines.

  1. Run the downloaded vRealize Operations for Horizon Desktop Agent 6.4.0 (VMware-v4vdeskopagent-x86_64-6.4.0.exe).
  2. In the Welcome to the VMware vRealize Operations for Horizon Desktop Agent Setup Wizard page, click Next.
  3. In the End-User License Agreement page, check the box next to I accept the terms in the License Agreement and click Next.
  4. In the Ready to install the Desktop Agent page, click Install.
  5. In the Completed the VMware vRealize Operations for Horizon Desktop Agent Setup Wizard page, click Finish.
  6. If you go to C:\Program Files\VMware\VMware View\Agent\bin and view the properties of the v4pa_agent.exe file, then you’ll see the installed version of the Desktop Agent.

VMware Identity Manager Load Balancing

Last Modified: Jul 20, 2019 @ 1:53 pm

This topic assumes you’ve already setup one Identity Manager appliance as detailed at https://www.carlstalhood.com/vmware-identity-manager/

NetScaler ADC Configuration

TLS 1.0 is disabled in Identity Manager 2.6 and newer. If your load balancer does not support TLS 1.2, then see 2144805 Enabling TLS 1.0 protocol in VMware Identity Manager.

  • NetScaler MPX/SDX added TLS 1.2 on the back end in 10.5 build 58.
  • NetScaler VPX added TLS 1.2 on the back end in 11.0 build 65.

In Identity Manager 2.7 and newer, VMware recommends a minimum of three nodes. See Recommended Number of Nodes in VMware Identity Manager Cluster at VMware Docs.

Set up the load balancing before you clone the appliance. GUI instructions are in this section, or skip ahead to the CLI Commands.

  1. In your NetScaler ADC, go to Traffic Management > Load Balancing > Monitors, and add a monitor.
  2. Give the monitor a name and select HTTP-ECV as the Type. (Source = Proper VMware Identity Manager Node Monitoring when using F5 BIG-IP Appliances-UPDATED at VMware Communities)
  3. In the Basic Parameters section:
    1. In the Send String field, enter GET /SAAS/API/1.0/REST/system/health/heartbeat
    2. In the Receive String field, enter ok
    3. Check the box next to Secure. Ignore the SSL Profile field.
  4. Scroll down and click Create.
  5. Go to Traffic Management > Load Balancing > Servers, and add three servers that point to the IP addresses of your planned three Identity Manager appliances. These don’t have to exist yet.

  6. Go to Traffic Management > Load Balancing > Service Groups and add a Service Group.

    1. Give the Service Group a name.
    2. The protocol is SSL. Note: if you configured certificate-based client authentication in Identity Manager, then use SSL_BRIDGE instead of SSL.
    3. Scroll down and click OK to close the Basic Settings section.
    4. Bind three members to it, and specify port 443.
    5. Click OK to finish adding members.
    6. On the right, add the Settings section.
    7. On the left, in the Settings section, check the box for Client IP, and enter X-Forwarded-For in the Header field.
    8. Bind a monitor, and select the Identity Manager monitor you created earlier.
  7. Go to Traffic Management > SSL > Certificates > Server Certificates, and install a certificate that matches your Identity Manager FQDN.
  8. Go to Traffic Management > Load Balancing > Virtual Servers, and add a Virtual Server.

    1. Give the Load Balancing Virtual Server a name.
    2. Protocol = SSL. Note: if you configured certificate-based client authentication in Identity Manager, then use SSL_BRIDGE instead of SSL.
    3. Enter a VIP.
    4. Click OK to close the Basic Settings section.
  9. Bind the Service Group created earlier.
  10. Bind the certificate. This certificate must match the name users will use to access Identity Manager.
  11. Configure Persistence:
    1. While still editing the Virtual Server, on the right, in the Advanced Settings column, click Persistence to move it to the left.
    2. On the left, in the Persistence section, select SOURCEIP, and give it a timeout of 60 minutes or more. COOKIEINSERT might not work with some mobile devices.
    3. Click OK to save the Persistence settings. If you don’t click OK, then your persistence settings won’t be saved.
  12. Enable WebSockets for Outbound Connectors:
    1. While still editing the Virtual Server, on the right, in the Advanced Settings column, click Profiles to move it to the left.
    2. On the left, in the Profiles section, next to HTTP Profile, click Add.
    3. The primary purpose of this HTTP Profile is to enable WebSockets so name it accordingly.
    4. As you scroll down, optionally check the box next to HTTP/2.
    5. Scroll down to the bottom and optionally check the boxes next to Mark HTTP/0.9 requests as invalid, Mark CONNECT Requests as Invalid, Mark TRACE Requests as Invalid, and Drop Invalid HTTP requests.
    6. At the bottom right, check the box next to Enable WebSocket connections.
    7. Click Create to finish creating the HTTP Profile.
    8. Back in the Profile section, make sure your new HTTP Profile is selected, and then click OK to close the Profiles section. Make sure you click OK in this section or your new HTTP Profile won’t be enabled.
  13. If you haven’t enabled the Default SSL Profile, then perform other normal SSL configuration including: disable SSLv3, bind an A+ Cipher Group, and enable Strict Transport Security.
    bind ssl vserver MyvServer -certkeyName MyCert
    
    set ssl vserver MyvServer -ssl3 DISABLED -tls12 ENABLED
    
    unbind ssl vserver MyvServer -cipherName ALL
    
    bind ssl vserver MyvServer -cipherName SSLLabs-APlus
    
    bind ssl vserver MyvServer -eccCurveName ALL
  14. Create another Load Balancing Virtual Server on HTTP port 80 and configure it to redirect HTTP to HTTPS.

CLI Commands

Here are the CLI Commands for the configuration shown above:

add server IM01 10.2.2.61
add server IM02 10.2.2.25
add server IM03 10.2.2.26
add server 127.0.0.1 127.0.0.1
add lb monitor identity-manager HTTP-ECV -send "GET /SAAS/API/1.0/REST/system/health/heartbeat" -recv ok -secure YES
add service AlwaysUp 1.1.1.1 HTTP 80 -healthMonitor NO
add serviceGroup svcgrp-IdentityManager SSL -cip ENABLED X-Forwarded-For
bind serviceGroup svcgrp-IdentityManager IM01 443
bind serviceGroup svcgrp-IdentityManager IM02 443
bind serviceGroup svcgrp-IdentityManager IM03 443
bind serviceGroup svcgrp-IdentityManager -monitorName identity-manager
add ns httpProfile httpProfile-WebSockets -dropInvalReqs ENABLED -markHttp09Inval ENABLED -markConnReqInval ENABLED -markTraceReqInval ENABLED -webSocket ENABLED -http2 ENABLED -builtin MODIFIABLE
add lb vserver lbvip-IdentityManager-SSL SSL 10.2.5.202 443 -persistenceType SOURCEIP -timeout 60 -httpProfileName httpProfile-WebSockets
add lb vserver identity.corp.com-HTTP-SSLRedirect HTTP 10.2.5.202 80
add responder action http_to_ssl_redirect_responderact redirect "\"https://\" + HTTP.REQ.HOSTNAME.HTTP_URL_SAFE + HTTP.REQ.URL.PATH_AND_QUERY.HTTP_URL_SAFE"
add responder policy http_to_ssl_redirect_responderpol HTTP.REQ.IS_VALID http_to_ssl_redirect_responderact
bind lb vserver identity.corp.com-HTTP-SSLRedirect AlwaysUp
bind lb vserver lbvip-IdentityManager-SSL svcgrp-IdentityManager
bind lb vserver identity.corp.com-HTTP-SSLRedirect -policyName http_to_ssl_redirect_responderpol -priority 100 -gotoPriorityExpression END -type REQUEST
set ssl vserver lbvip-IdentityManager-SSL -sslRedirect ENABLED -ssl3 DISABLED -tls11 ENABLED -tls12 ENABLED
bind ssl vserver lbvip-IdentityManager-SSL -cipherName SSLLabs-APlus
bind ssl vserver lbvip-IdentityManager-SSL -certkeyName WildCorpCom
bind ssl vserver lbvip-IdentityManager-SSL -eccCurveName ALL

Identity Manager Load Balancing FQDN

Identity Manager must be able to connect to the Load Balanced FQDN on HTTPS 443. The load balancing certificate must match the Load Balanced FQDN and must be trusted by Identity Manager. See below to import a root certificate to Identity Manager. Also see VMware Blog Post Workspace Portal – Trouble Changing the FQDN.

  1. In the Identity Manager appliance, go to Appliance Settings > Manage Configuration.
  2. On the left, click Install SSL Certificates.
  3. On the right, switch to the Trusted CAs tab.
  4. Paste in the root certificate in PEM (Base64) format. Click Add.
  5. Click OK to restart the appliance.

  6. On the left, click the Identity Manager FQDN page.
  7. Enter the FQDN that resolves to the VIP on the load balancer, and click Save.
  8. The appliance will restart.
  9. Connect to the load balanced DNS name, select System Domain, and login as admin.
  10. Go to Catalog > Settings.
  11. On the left, click New End User Portal UI.
  12. On the right, click Enable New Portal UI if it’s not already enabled.
  13. You should then be able to login to the User Portal and get your list of apps.

Clone Appliance

In Identity Manager 2.7 and newer, VMware recommends a minimum of three nodes. See Recommended Number of Nodes in VMware Identity Manager Cluster at VMware Docs.

  1. Login to the appliance console.
  2. If you see the file /etc/udev/rules.d/70-persistent-net.rules, delete it.
  3. Shut down the original Identity Manager appliance.
  4. Right-click the Identity Manager appliance and clone it to a new Virtual Machine.
  5. Give the cloned appliance a name.
  6. In the Select clone options page, do not customize, and do not power on the machine. The original VM should be powered on before powering on the new VM. Click Next.
  7. After cloning is complete, edit the IP address of the new appliance.
    1. Unfortunately, vApp Options are not editable from the HTML5 vSphere Client, so you'll have to switch to the Flash client.
    2. Right-click the newly cloned machine and click Edit Settings.
    3. Switch to the vApp Options tab.
    4. Expand Networking Properties.
    5. Edit the Host Name and IP Address. Then click OK.
  8. The original Identity Manager appliance can be powered on. Don’t power on the cloned appliance until the original is powered on.
  9. Wait for the original appliance to fully boot (you see the blue screen).
  10. Once the original appliance is running (the blue login screen is shown), you can power on the cloned appliance.
  11. Once both appliances are booted, login to one of them and run curl -XGET 'http://localhost:9200/_cluster/health?pretty=true'. Make sure it says two nodes and status is green. It might take a couple minutes before the two nodes become clustered. You might have to reboot the cloned node before it joins the cluster.
  12. In Identity Manager Administration Console, go to Dashboard > System Diagnostics Dashboard.
  13. All nodes should be shown with green check mark status.
  14. Repeat this entire section to clone to a third appliance.
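The health check in step 11 queries the Elasticsearch cluster-health endpoint on port 9200. The following added example (not VMware’s code) parses such a response and lists every reason a freshly cloned node does not yet count as joined; the two responses are constructed samples, not captured from an appliance, and the expected node count is an assumption you pass in.

```python
import json
import urllib.request

# Constructed sample responses shaped like the output of
# curl -XGET 'http://localhost:9200/_cluster/health?pretty=true'.
# Values are made up; only the field names follow Elasticsearch's format.
SAMPLE_JOINED = """{
  "cluster_name" : "horizon",
  "status" : "green",
  "timed_out" : false,
  "number_of_nodes" : 2,
  "number_of_data_nodes" : 2,
  "active_primary_shards" : 5,
  "active_shards" : 10,
  "relocating_shards" : 0,
  "initializing_shards" : 0,
  "unassigned_shards" : 0
}"""

# What a clone that has not joined yet typically looks like: one node,
# replicas unassigned, status yellow.
SAMPLE_NOT_JOINED = """{
  "cluster_name" : "horizon",
  "status" : "yellow",
  "timed_out" : false,
  "number_of_nodes" : 1,
  "number_of_data_nodes" : 1,
  "active_primary_shards" : 5,
  "active_shards" : 5,
  "relocating_shards" : 0,
  "initializing_shards" : 0,
  "unassigned_shards" : 5
}"""


def check_cluster_health(health_json, expected_nodes):
    """Validate one _cluster/health response.

    Returns (ok, problems): ok is True only when the cluster is green and
    reports exactly expected_nodes members; problems lists every reason
    it does not, so you can tell "not joined yet" from "joined but unhealthy".
    """
    try:
        health = json.loads(health_json)
    except json.JSONDecodeError as exc:
        return False, [f"response is not JSON: {exc}"]
    if not isinstance(health, dict):
        return False, ["response is not a JSON object"]

    problems = []
    nodes = health.get("number_of_nodes")
    if nodes != expected_nodes:
        problems.append(f"expected {expected_nodes} nodes, cluster reports {nodes}")
    status = health.get("status")
    if status != "green":
        problems.append(f"status is {status!r}, not 'green'")
    if health.get("unassigned_shards", 0):
        problems.append(f"{health['unassigned_shards']} unassigned shards")
    if health.get("timed_out"):
        problems.append("health request timed out")
    return not problems, problems


def fetch_and_check(expected_nodes, url="http://localhost:9200/_cluster/health"):
    """Query the local node (run this on an appliance) and validate the answer."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return check_cluster_health(resp.read().decode(), expected_nodes)


if __name__ == "__main__":
    for label, sample in [("joined", SAMPLE_JOINED), ("not joined", SAMPLE_NOT_JOINED)]:
        ok, problems = check_cluster_health(sample, expected_nodes=2)
        print(label, "->", "OK" if ok else "; ".join(problems))
```

When cloning the third node, call it with expected_nodes=3 so a stale two-node answer is reported as a problem rather than passing.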

Additional Connector

This section is only needed in Identity Manager 3.3 and older, which have the embedded Connector. Identity Manager 19.03 and newer use external connectors, so skip ahead to Add Cloned Appliance to NetScaler ADC.

  1. In the Admin Portal, go to Identity & Access Management > Setup > Connectors. Find the new cloned Connector and click Join Domain.
  2. Select the domain name.
  3. Enter credentials that can join the domain, and click Join Domain.
  4. On the Connectors tab, click the blue hostname link for the original Connector.
  5. Switch to the Auth Adapters tab and note which ones are enabled.
  6. Click each enabled adapter and note its settings.
  7. Back in the Connectors screen, click the blue link for the hostname of the new cloned Connector.
  8. Switch to the Auth Adapters tab.
  9. Click the link for any adapter you want to enable and configure it.
  10. Repeat for any other adapters that need to be enabled and configured.
  11. If you go back to Identity & Access Management > Setup > Connectors, notice that both connectors are enabled for Authentication, but only one of them is enabled for Sync. Only one Connector can perform directory sync. To change the configured Connector, see Enabling Directory Sync on Another Instance in the Event of a Failure at VMware Pubs.

Add Cloned Appliance to NetScaler ADC

  1. In NetScaler ADC, go to Traffic Management > Load Balancing > Servers, and add a Server for the new appliance.
  2. Go to Traffic Management > Load Balancing > Service Groups, and edit the existing Identity Manager Service Group.
  3. Click the Members section.
  4. Bind a new Member and select the new appliance on Port 443. The rest of Load Balancing should already have been configured.

Multi-datacenter

For multi-datacenter, see Component Design: VMware Identity Manager Architecture at VMware Workspace ONE and VMware Horizon Reference Architecture.

Also see Deploying VMware Identity Manager in a Secondary Data Center for Failover and Redundancy at VMware Docs.

  • The database in the primary datacenter is replicated to the secondary datacenter.
  • The Identity Manager appliances in the secondary datacenter have read-only connectivity to the database in the secondary datacenter.
  • Active-active data centers are not supported. The secondary data center is a hot standby.
  • Horizon Connection Server groups are configured in failover order.
  • NetScaler GSLB or F5 GTM handles failover of the Identity Manager DNS name.
  • Here’s a typical architecture:

VMware Identity Manager 19.03.0.0

Last Modified: Jun 27, 2019 @ 7:22 am


Planning

Identity Manager is a component of VMware Workspace ONE.

  • For Horizon, Identity Manager enables SAML authentication, and integration of additional apps from Citrix and the web (e.g. SaaS).
  • For full functionality, Identity Manager should be paired with AirWatch (not detailed in this post).

See System and Network Configuration Requirements at VMware Docs.

From Component Design: VMware Identity Manager Architecture in the VMware Workspace ONE and VMware Horizon Reference Architecture:

Single data center:

Multiple data centers:

See the VMware blog post What’s New in VMware Identity Manager 19.03.

Upgrade

Version 19.03 no longer includes the embedded Connector, so you must deploy one or two Windows machines to run the external connector. The embedded Connector can be migrated to the external Windows connector.

You can upgrade from version 3.2.0.1 or 3.3 directly to version 19.03.0.0. To upgrade from a version prior to 3.2.0.1, you must first upgrade to version 3.2.0.1.

Upgrading can be performed online, or offline. Both are performed from the command line. See About Upgrading to VMware Identity Manager 19.03.0.0 (Linux) at VMware Docs.

Make sure the Identity Manager SQL Service Account is a db_owner on the Identity Manager database. You can remove the permission after the upgrade.

For clusters, remove all nodes except one from the load balancer and upgrade the node that is still connected to the load balancer. Then upgrade the remaining nodes.

If you don’t have a Windows-based Connector and need to migrate from the Embedded Connector, then do the following:

  1. Download the VMware Identity Manager Standalone Connector Installer for Windows. You’ll install this later.
  2. From the same page, download the Cluster Migration Support Tools.
  3. Enable ssh access for the root account if you haven’t already.
  4. WinSCP to the Identity Manager appliance and upload the cluster-support.tgz file to the /root directory. After uploading the file, don’t close WinSCP yet.
  5. SSH (e.g. Putty) to the appliance as root.
  6. Run /usr/local/horizon/update/updatemgr.hzn updateinstaller.
  7. You’ll be prompted to enter passwords for the cluster file.
  8. Back in WinSCP, download the .enc file that was created. You might have to refresh WinSCP to see the file.
  9. Then back in SSH, run /usr/local/horizon/update/updatemgr.hzn update.
  10. Updating will take several minutes.
  11. Run the check command (/usr/local/horizon/update/updatemgr.hzn check) to see if there are any other updates available.
  12. Then reboot the appliance.
  13. Build a Windows 2016 server. Windows 2019 is not supported yet. For redundancy, you can build two Windows servers.
  14. Copy the .enc file to the C: drive of the Windows server. It will not work from a UNC path.
  15. On the Windows server, run VMware_Identity_Manager_Connector_19.03.0.0_Installer.exe to install the Connector.
  16. Click Next through a few obvious screens and then check the box when asked Are you migrating your Connector.
  17. Browse to the local .enc file, enter the password specified earlier, and then click Next.
  18. In the next page, verify the hostname, and then click Next.
  19. In the domain user account page, note that some of the authentication methods require the connector to run as a service account so you might as well set that up now. Click Next.

    • The service account must be a local administrator on the Connector server.
  20. Click Next through the end of the wizard.
  21. Click No when prompted to load the Connector’s admin page because the Connector should already be configured.
  22. If Windows Firewall is enabled, then add a rule to permit inbound TCP 8443. This rule allows you to configure Authentication adapters from a remote machine.
  23. In Identity Manager Admin, at Identity & Access Management > Setup > Connectors, you can delete the old embedded connector.
  24. In Identity & Access Management (Manage), click the Identity Providers tab.
  25. Configure the Built-in IdP with the Connectors in Outbound Mode.
  26. Then click the link for the Workspace IdP.
  27. In the IdP Hostname field, edit the URL to point to the external Windows connector. With outbound mode, this URL is only used for Kerberos authentication, if enabled.

After upgrading from 3.0 and older:

  1. In the admin console, go to Catalog > Virtual Apps Collection. This is a new feature in 3.1 and newer.
  2. On the top right, click Add Virtual Apps, and then click Horizon View On-Premises.
  3. If you see an introduction page, then click Get Started.
  4. Select a connector, and then click Migrate Configurations.
  5. You can now manage the Horizon connections from Catalog > Virtual Apps Collection.

Preparation

DNS Configuration

If you intend to build multiple appliances (3 or more) and load balance them, specify a unique DNS name for each appliance. The Load Balancing DNS name is different from the appliance DNS names. For example:

  • Appliance 1 = im01.corp.local
  • Appliance 2 = im02.corp.local
  • Appliance 3 = im03.corp.local
  • Load Balancing Name = identity.corp.com. This name is used both internally and externally.

Identity Manager DNS names are separate from Horizon DNS names.

You’ll need SSL certificates that match these names.

Each of these DNS names must have a corresponding reverse DNS pointer record.

  1. Create DNS records for the virtual appliances.
  2. Create reverse pointer records too. Reverse pointer records are required.

LDAP Accounts

  1. All accounts synced with Identity Manager must have First Name, Last Name, and E-mail Address configured, including the Bind account.
  2. Create a new Active Directory group for your Identity Manager users. The Domain Users group will not work. For Horizon integration, assign this group to your pools instead of assigning Domain Users.

SQL Database

If you want to build multiple Identity Manager appliances and load balance them, configure them with an external database (e.g. Microsoft SQL).

For a script that performs all required SQL configuration, see Configure a Microsoft SQL Database at VMware Docs.

  1. In SQL Management Studio, create a New Query.
  2. Copy the SQL commands from VMware Docs and paste them into the New Query window.
    1. For Windows Authentication, copy the commands from Configure the Microsoft SQL Database with Windows Authentication Mode.
    2. For SQL Authentication, copy the commands from Configure Microsoft SQL Database Using Local SQL Server Authentication Mode.
    3. Change the values in the brackets.
    4. According to Rob Beekmans at Deploying VMware Workspace One 3.x – database setup, mandatory or changeable parameters?, in Identity Manager 3.0 and newer, you can change any of the parameters, except that the database schema (but not database name) must be saas.
  3. Then click Execute.

OVF Deployment

  1. Download the Identity Manager 19.03.0.0 SVA OVA file.
  2. If your vCenter is 6.5 Update 2 or newer, then you can use the newer HTML5 vSphere Client. Otherwise, use the older Flash vSphere Web Client.
  3. In the vSphere Web Client, right-click a cluster, and click Deploy OVF Template.
  4. In the Select source page, browse to the identity-manager-19.03.0.0-13322314_OVF10.ova file, and click Next.
  5. In the Select name and location page, enter a name for the VM, and click Next.
  6. In the Select a resource page, select a cluster, and click Next.
  7. In the Review details page, click Next.
  8. In the Accept License Agreements page, click Accept, and then click Next.
  9. In the Select storage page, select Thin Provision, select a datastore, and click Next.
  10. In the Select networks page, select the network for the appliance. You can deploy it either internally, or in the DMZ. If in the DMZ, you can later install Identity Manager Connectors in the internal network in outbound only mode. Click Next.
  11. In the Customize template page:
    1. Make a choice regarding Customer Experience Improvement Program.
    2. Select a time zone.
    3. Expand Networking Properties if it’s not already expanded.
    4. The Networking Properties are displayed in a different order depending on which vSphere Web Client you’re using.
    5. Host Name – Enter a hostname for the first appliance.
      • If you intend to build multiple appliances and load balance them, then each appliance needs a unique name that does not match the load balanced name. If you only want to build one appliance, then the appliance Host Name should match whatever users will use to access Identity Manager.
    6. DNS and Gateway – In the Networking Properties section, enter the standard DNS and Gateway information.
    7. According to Install the VMware Identity Manager OVA File at VMware Docs, the Domain Name and Domain Search Path fields are not used.
    8. IP Address – Enter the IP address that is configured in DNS for the host name. DNS reverse lookup for this IP address must resolve to the appliance Host Name.
  12. Click Next.
  13. In the Ready to complete page, click Finish.

Setup Wizard

  1. Power on the appliance.
  2. Wait for the appliance to power on and fully boot.
  3. Go to https://myIMFQDN to access the Identity Manager Setup Wizard.
    Note: you must connect to the DNS name. Connecting to the IP address will cause problems during the database setup process.
  4. In the Get Started page, click Continue.
  5. In the Set Passwords page, enter passwords for the three accounts, and click Continue.
  6. In the Select Database page, change it to External Database.
    Note: this page will only function properly if your address bar has a DNS name instead of an IP address.
  7. For SQL authentication, enter a JDBC URL similar to the following, enter the credentials for the Horizon SQL account, and then click Test Connection.
    jdbc:sqlserver://mysqlserver.corp.local;DatabaseName=saas;multiSubnetFailover=true
  8. For Windows authentication, enter a JDBC URL similar to the following, enter credentials for the Horizon Windows service account, and then click Test Connection.
    jdbc:jtds:sqlserver://<hostname_or_IP_address:port#>/<database_name>;integratedSecurity=true;domain=<domainname>;useNTLMv2=true;multiSubnetFailover=true
  9. The top of the screen should say Connection test successful.
  10. Then click Continue.
  11. In the Setup Review page, click the link to log in to the Admin Console.

SSH – Enable Root Access

This is optional. Enabling root access lets you use root credentials when using WinSCP to connect to the appliance. Instructions can be found at VMware Blog Post Enabling SSH in Horizon Workspace Virtual Appliances.

  1. Putty to the Identity Manager appliance.
  2. Login as sshuser.
  3. Run su - and enter the root password.
  4. Run vi /etc/ssh/sshd_config.
  5. Scroll down to line 49 (PermitRootLogin).
  6. Press <i> on the keyboard to change to insert mode.
  7. Go to the end of the line and change no to yes.
  8. Press <ESC> to exit insert mode.
  9. Type :x to save the file and exit.
  10. Run /etc/rc.d/sshd restart.

Identity Manager Certificate

The Windows Connectors require the Identity Manager certificate to be trusted. Generate a new appliance certificate using a trusted Certificate Authority and install the certificate on the appliance.

  1. Login to the Identity Manager web page as the admin user in the System Domain.
  2. Switch to the tab named Appliance Settings.
  3. Click the Manage Configuration button.
  4. Login using the root password.
  5. On the left, click the page named Install SSL Certificates.
  6. On the right, click Choose File next to Import Certificate File.
  7. Identity Manager 19.03 and newer let you browse to a .pfx file instead of a PEM file.
  8. In the Password field, enter the .pfx password.
  9. Click Save.
  10. It will take several minutes for the certificate to be installed and the appliance to restart.

Load Balancing

Identity Manager can be cloned, clustered, load balanced, and globally load balanced as shown below. Source = Component Design: VMware Identity Manager Architecture in the VMware Workspace ONE and VMware Horizon Reference Architecture

To clone multiple Identity Manager appliances and load balance them, see one of the following:

Note: TLS 1.0 is disabled in Identity Manager 2.6 and newer. If your load balancer does not support TLS 1.2, then see 2144805 Enabling TLS 1.0 protocol in VMware Identity Manager 2.6.

  • NetScaler MPX/SDX added TLS 1.2 on the back end in 10.5 build 58.
  • NetScaler VPX added TLS 1.2 on the back end in 11.0 build 65.

Windows Connector

Identity Manager 19.03 and newer no longer include an embedded connector. Instead, build one or more Windows connectors.

  1. Load balance your Identity Manager appliances so the Connector can connect to the Load Balanced FQDN instead of a single Identity Manager appliance.
  2. Build one or more Windows machines on the internal network that will host the Windows connector. The Windows machines must be joined to the domain.
  3. The Identity Manager certificate must be trusted by the Connector servers.
  4. Login to the Identity Manager administration console through the load balanced FQDN as the admin user in the System Domain.
  5. On the top tabs, switch to Identity & Access Management.
  6. On the sub-menu bar, on the far right, click Setup.
  7. On the sub-menu bar, on the left, click Connectors.
  8. Click the blue Add Connector button.
  9. Give the Connector a name and click Generate Activation Code.
  10. Copy the Activation Code. You’ll need this later.
  11. On the Windows machine, run VMware_Identity_Manager_Connector_19.03.0.0_Installer.exe.
  12. In the Welcome to the Installation Wizard for VMware Identity Manager Connector page, click Next.
  13. In the License Agreement page, click I accept the terms, and then click Next.
  14. In the Destination Folder page, click Next.
  15. Click Yes when asked to install JRE.
  16. Don’t check Are you migrating your Connector and click Next.
  17. Review the hostname and click Next.
  18. Check the box next to Would you like to run the Connector Service as a domain user account. Enter service account credentials, and then click Next.
    • Some authentication methods require the Connector to run as a domain user account.
    • The service account must be added to the local Administrators group.
  19. In the Ready to Install the Program page, click Install.
  20. In the Installation Wizard Completed page, click Finish.
  21. Click Yes when prompted to open the admin console (https://idmc01.corp.local:8443/) for the Connector.
  22. If Windows Firewall is enabled, then add a rule to permit Inbound TCP 8443. This rule allows you to configure Authentication adapters from a remote machine.
  23. Try to use Chrome instead of Internet Explorer.
  24. In the Get Started page, click Continue.
  25. In the Set Passwords page, enter passwords, and then click Continue.
  26. In the Activate Connector page, paste in the Activation Code you got from the Identity Manager appliance and then click Continue.

    • If you see a message about unable to find a valid certificate, then you might have to paste in the Root CA certificate.

Configuration

  1. Login to the Identity Manager web page as the admin user in the System Domain.

    • Note: if you mis-configure Access Policies and lock yourself out of the main Identity Manager logon page, then add /SAAS/login/0 to the end of the URL (e.g. https://identity.corp.com/SAAS/login/0) to login directly to the System Domain.
  2. Switch to the Identity & Access Management tab.
  3. On the top right, switch to the Setup view.
  4. On the left, switch to the User Attributes sub-tab.
  5. Scroll down. Check the boxes next to distinguishedName and userPrincipalName. These are needed for Horizon.
  6. In the Add other attributes to use section, click the plus icon.
  7. Enter objectGUID.
  8. Click the green plus and add mS-DS-ConsistencyGuid. These are needed for Office 365 integration.
  9. Then click Save.
  10. On the top right, switch to the Manage view.
  11. On the Directories tab, click Add Directory > Add Active Directory over LDAP/IWA.
  12. Enter a Directory Name.
  13. Change it to Active Directory (integrated Windows Authentication).
  14. Select a Sync Connector. You can select more Sync Connectors later.
  15. Scroll down.
  16. Enter the LDAP Bind credentials. Click Save & Next.
  17. Select the domains you want to sync, and click Next.
  18. In the Map User Attributes page, scroll down, select any missing attribute, and click Next.
  19. In the Select the Groups page, click the plus icon to add a DN.
  20. Enter a Base DN in LDAP format, and click Find Groups.
  21. Click Select.
  22. Search for your Identity Users group and select it. Don’t select Domain Users since it won’t work.
  23. Click Next.
  24. In the Select the Users page, click Next.
  25. In the Review page, click Edit.
  26. Select a more frequent sync schedule, and click Save.
  27. Click Sync Directory.
  28. You can click the link to view the Sync log.
  29. You can also click the directory name, and then click Sync log to view the log.
  30. Sync Settings can be changed by clicking the button on the right.

Connector Outbound Mode

To enable Connector outbound mode (outbound ports only):

  1. Go to Identity & Access Management > Manage > Identity Providers.
  2. Click the link for the Built-in Identity Provider.
  3. In the Users section, check the box next to your directory.
  4. In the Network section, select a range.
  5. In the Connector(s) section, select the first connector and click Add Connector.
  6. If you have another connector for the same domain(s), select the second connector and click Add Connector.
  7. In the Connector Authentication Methods section, check the box next to Password (cloud deployment).
  8. Then click Save.
  9. In Identity & Access Management (Manage), click the Policies tab.
  10. Edit the default_access_policy_set.
  11. Click the link for the first rule.
  12. Under then the user may authenticate using, change the method to Password (cloud deployment). Then save the rule.
  13. Repeat for all other rules in the policy.
  14. Click Next and then click Save.

Sync Connector Redundancy

  1. In the Identity Manager console, in the Identity & Access Management page, switch to the Manage view, and click Identity Providers.
  2. Click the link for the Workspace Identity Provider.
  3. Scroll down. Select the second connector. Enter the Bind password. Click Add Connector.
  4. On the left, click the Directories link.
  5. Click the link for your Active Directory domain.
  6. On the right, click the Sync Settings button.
  7. Switch to the Sync Connectors tab.
  8. Select the second connector and click the plus icon.
  9. You can order the connectors in failover order. Click Save.

Sync Group Membership

By default, Identity Manager does not synchronize group members. You can force a sync.

  1. Go to Users & Groups > Groups.
  2. Notice that the groups are Not Synced. Click the link for a group.
  3. Switch to the Users tab. Then click the Sync Users button.

Logon Experience

  1. Go to Identity & Access Management > Setup > Preferences.
  2. On the bottom, Identity Manager 2.9.1 and newer lets you optionally hide the Domain Drop-Down menu. Then select the unique identifier that Identity Manager will use to find the user’s domain (typically UPN). Identity Manager 3.3 and newer can show a Domain Drop-Down if a unique domain cannot be identified.
  3. The user will be prompted to enter the unique identifier.

Administrators

Identity Manager 3.2 and newer:

  1. Go to the Roles tab.
  2. You can add a Role. See VMware Blog Post Introducing Role-Based Access Control (RBAC) in VMware Identity Manager 3.2.
  3. Select an existing role (e.g. Super Admin), and click Assign.
  4. Search for the user that you want to assign the role to. If the user doesn’t show up, then make sure you are syncing the user, or sync the members of a group that the user is a member of.
  5. Then click Save.

Identity Manager 3.1 and older:

  1. You can promote individual users (but not groups) to administrators. In the Admin console, on the top left, click the Users & Groups tab.
  2. Switch to the Users sub-tab.
  3. Click a username. Note: you might not see users until a group is assigned to a resource (e.g. Horizon Pool).
  4. Scroll down.
  5. In Identity Manager 3.1 and older, you can change the Role drop-down to Administrator. Click Save.

License

  1. Switch to the tab named Appliance Settings.
  2. On the left, click License.
  3. On the right, enter the license key, and click Save. A Horizon Advanced or Horizon Enterprise license key will work.

SMTP

  1. On the top, click the Appliance Settings tab.
  2. On the left, click the SMTP node.
  3. On the right, enter your mail server information, and click Save.

Kerberos Authentication

Kerberos lets users Single Sign-on to the Identity Manager web page. Some notes on Kerberos authentication:

  • It only works for Windows clients.
  • The clients connect to the Connectors, so the firewall must permit the inbound connection on TCP 443. Outbound-only mode does not work with Kerberos.
    • For High Availability, load balance your Connectors.
  • The Connector (or load balancer) must have a valid, trusted certificate.
  • The Connector’s FQDN (or load balancer FQDN) must be in Internet Explorer’s Local Intranet zone.

Connector Certificate

To upload a certificate to the Connector:

  1. Point Chrome to https://myConnectorFQDN:8443/cfg
  2. Click the link for Appliance Configurator.
  3. Login using the Connector’s password.
  4. On the left is Install SSL Certificates.
  5. On the right is the tab named Server Certificate.
  6. Next to Import Certificate File, click Choose File.
  7. Identity Manager 19.03 and newer support .pfx files. If you select a .pfx, there’s no need to select a Private Key file.
  8. In the Password field, enter the password for the .pfx file.
  9. Click Save.
  10. It will take several minutes to install the certificate and restart the Connector service.

TCP 443 Inbound

TCP 443 must be opened inbound to the Connectors. You might have to add TCP 443 to a Windows Firewall rule.

Enable Kerberos authentication on the Connector

  1. Login to the Windows Connector machine.
  2. Go to C:\VMware\VMwareIdentityManager\Connector\usr\local\horizon\scripts.
  3. Right-click setupKerberos.bat and Run as administrator. (source = VMware 2149753 Run Script to Resolve Kerberos Initialization Error in VMware Identity Manager Connector on Windows)
  4. The script will prompt you for credentials that can create a user account in Active Directory.
  5. Login to the Identity Manager administration web page.
  6. On the top, go to the Identity & Access Management tab.
  7. On the right, change to the Setup view.
  8. On the left, click the Connectors sub-tab.
  9. Click the blue hostname link for the Connector.
  10. Switch to the Auth Adapters tab.
  11. You may enable Kerberos or other authentication adapters from this page by clicking the Adapter Name.
  12. Enter sAMAccountName as the Directory UID Attribute.
  13. Check the box next to Enable Windows Authentication.
  14. For High Availability, you can load balance your Connectors, check Enable Redirect, and then enter the load balanced FQDN.
  15. Click Save. The Authentication Adapters page will show it as Enabled.

Configure Policy to use Kerberos

  1. After enabling the Kerberos adapter, in Identity Manager 3.2 and newer, go to Identity & Access Management > Manage > Policies and click Network Ranges.
    • In Identity Manager 3.1 and older, go to Identity & Access Management > Setup > Network Ranges.
  2. Add a Network Range for internal networks if you haven’t already.
  3. Go to Identity & Access Management > Manage > Policies.
  4. In Identity Manager 3.2 and newer, click Edit Default Policy.
    • In Identity Manager 3.1 and older, click the link for default_access_policy_set.
  5. In Identity Manager 3.2 and newer, click Next to go to the Configuration page.
  6. Click Add Policy Rule, or click the plus icon to add a Policy Rule.
  7. Select a Network Range.
  8. For user is trying to access content from, set it to Web Browser.
  9. Identity Manager 2.9.1 adds an Edit Groups button to policy rules, which allows different authentication methods for different groups. When enabled, Identity Manager asks the user for the username only, and then looks up group membership to determine which authentication methods should be used. See Configuring Access Policy Settings at VMware Docs.
  10. Select Kerberos as the first authentication method.
  11. Select Password as the second authentication method. Click Save or OK.
  12. Drag the new Policy Rule to move it to the top. Then click Next and Save.
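Step 12 matters because policy rules are evaluated top to bottom and the first rule whose Network Range and device type match decides the authentication chain; a Kerberos rule left below the catch-all rule never fires. The following added example (not VMware’s code) models that evaluation with constructed ranges and rules and flags any rule an earlier rule shadows; the CIDRs, rule names and the "All Device Types" and "Horizon Client" labels are assumptions.

```python
import ipaddress
from dataclasses import dataclass

ANY_DEVICE = "All Device Types"   # assumed label for the catch-all device type


@dataclass
class NetworkRange:
    """An Identity Manager Network Range: a named list of CIDR blocks."""
    name: str
    cidrs: list

    def contains(self, client_ip):
        addr = ipaddress.ip_address(client_ip)
        return any(addr in ipaddress.ip_network(c, strict=False) for c in self.cidrs)

    def covers(self, other):
        """True if every block of `other` lies inside one of this range's blocks."""
        outer = [ipaddress.ip_network(o, strict=False) for o in self.cidrs]
        for c in other.cidrs:
            inner = ipaddress.ip_network(c, strict=False)
            if not any(inner.version == o.version and inner.subnet_of(o) for o in outer):
                return False
        return True


@dataclass
class PolicyRule:
    name: str
    network_range: NetworkRange
    device_type: str      # what "user is trying to access content from" is set to
    auth_methods: list    # ordered: each entry is the fallback of the one before it

    def matches(self, client_ip, device_type):
        return (self.network_range.contains(client_ip)
                and self.device_type in (ANY_DEVICE, device_type))


def select_auth_methods(rules, client_ip, device_type):
    """Auth-method chain of the first matching rule, or None if no rule applies."""
    for rule in rules:
        if rule.matches(client_ip, device_type):
            return list(rule.auth_methods)
    return None


def shadowed_rules(rules):
    """Names of rules that can never fire because an earlier rule always matches first."""
    shadowed = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            device_covered = earlier.device_type in (ANY_DEVICE, later.device_type)
            if device_covered and earlier.network_range.covers(later.network_range):
                shadowed.append(later.name)
                break
    return shadowed


# Constructed sample ranges (the CIDRs are made up for this example).
INTERNAL = NetworkRange("Internal", ["10.0.0.0/8", "192.168.0.0/16"])
ALL_RANGES = NetworkRange("ALL RANGES", ["0.0.0.0/0"])

# The rule built in steps 7 through 11, and the pre-existing catch-all rule.
KERBEROS_RULE = PolicyRule("Internal browsers", INTERNAL, "Web Browser",
                           ["Kerberos", "Password"])
DEFAULT_RULE = PolicyRule("Everyone", ALL_RANGES, ANY_DEVICE, ["Password"])


def policy_after_drag():
    """Rule order after step 12: the Kerberos rule dragged to the top."""
    return [KERBEROS_RULE, DEFAULT_RULE]


def policy_before_drag():
    """Rule order before step 12: the new rule sits below the catch-all."""
    return [DEFAULT_RULE, KERBEROS_RULE]


if __name__ == "__main__":
    for ip, dev in [("10.1.2.3", "Web Browser"), ("203.0.113.7", "Web Browser"),
                    ("10.1.2.3", "Horizon Client")]:
        print(ip, dev, "->", select_auth_methods(policy_after_drag(), ip, dev))
    print("shadowed before drag:", shadowed_rules(policy_before_drag()))
```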

Customize Appearance

  1. If you go to Identity & Access Management > Setup > Custom Branding, on the Names & Logos tab you can change the browser’s title and favicon.
  2. If you then switch to the Sign-In Screen page, you can upload a logo, upload an image, and change colors.
  3. If you go to Identity & Access Management > Manage > Password Recovery Assistant, you can configure a link to a password recovery tool, or change the Forgot password message.
  4. If you scroll down you can optionally Show detailed message to End User when authentication fails.
  5. Click Catalog, and then click Settings.
  6. On the left, click User Portal Branding.
  7. Make changes to Logos, colors, etc.

Resources

Horizon Administrator – Enable SAML Authentication

  1. Login to Horizon Administrator.
  2. On the left, under View Configuration, click Servers.
  3. On the right, switch to the Connection Servers tab.
  4. Select a Connection Server, and click Edit.
  5. On the Authentication tab, change Delegation of authentication to VMware Horizon to Allowed.
  6. Click Manage SAML Authenticators.
  7. Click Add.
  8. In the Label field, enter a descriptive label.
  9. In the Metadata URL field, enter the Identity Manager FQDN.
  10. In the Administration URL field, enter the Identity Manager FQDN, and click OK.
  11. If you see a certificate error, click View Certificate, and then click Accept.
  12. Or click OK if the server’s identity was verified.
  13. Click OK to close the Manage SAML Authenticators window.
  14. Horizon 7.2 adds a Workspace ONE mode, which forces all Horizon Clients to connect through Identity Manager instead of directly to the Connection Servers. Delegation of authentication must be set to Required before Workspace ONE mode can be enabled.
  15. The Horizon Administrator dashboard shows you the status of the SAML Authenticator under Other components.

Identity Manager – Virtual Apps Collection for Horizon View

If your Identity Manager is version 3.1 through 3.3, skip ahead to the instructions for 3.1 through 3.3.

If your Identity Manager is version 3.0 or older, skip ahead to the instructions for 3.0 and older.

If your Identity Manager is version 19.03 or newer:

  1. In the Identity Manager Admin Portal, click the Catalog tab, and then click Virtual Apps Collection.
  2. If you see Introducing Virtual Apps Collection page, click Get Started.
  3. Click the SELECT link in the Horizon box.
  4. Give the Horizon Connection a name.
  5. Arrange the Sync Connector appliances in priority order. Click Next.
  6. Click Add a Pod.
  7. Enter the FQDN of a Connection Server in the Pod.
  8. Enter Horizon View admin credentials in UPN format. The account needs at least Read Only Administrator access to Horizon.
  9. Click Add.
  10. You can optionally add more pods and then enable the Cloud Pod Architecture option. Click Next when done.
  11. Change the Sync Frequency as desired.
  12. Click Next when done.
  13. Click Save & Configure Network Range. The connection is tested at this time.
  14. The URLs for accessing Horizon are defined in each Network Range. For each URL, create Network Ranges. Or click All Ranges.
  15. Near the bottom, in the Client Access FQDN field, enter the FQDN that users in this Network Range use to login to Horizon. Then click Save. Note: the Horizon FQDN is different than the Identity Manager FQDN.
  16. After the Horizon Virtual Apps Collection is added, select it, and click Sync.

    • Note: whenever you make a change to the pools in Horizon Administrator, you must either wait for the next automatic Sync time, or you can return to this screen and click Sync.
  17. In the Calculating Sync Actions page, click Save.
  18. If you go to Catalog > Virtual Apps, you will see your synced Application and Desktop pools.
  19. Skip ahead to the Horizon Pools Catalog section.

Identity Manager 3.1 through Identity Manager 3.3

Horizon Connection (Virtual Apps Collection) instructions for Identity Manager 3.1 through Identity Manager 3.3:

  1. In the Identity Manager Admin Portal, click the Catalog tab, and then click Virtual Apps.
  2. On the top right, click Virtual App Configuration.
  3. If you see Introducing Virtual Apps Collection page, click Get Started.
  4. On the top right, click Add Virtual Apps, and then click Horizon View On-Premises.
  5. In the Horizon View On-Premises page, configure the following:
    1. Give the Horizon Connection a name.
    2. Choose a Sync Connector appliance.
    3. Enter the FQDN of a Connection Server in the Pod.
    4. Enter Horizon View admin credentials in UPN format. The account needs at least Read Only Administrator access to Horizon.
    5. Scroll down.
    6. Notice the link to Add Horizon Pod. This is for Cloud Pod Architecture.
    7. Check the box next to Perform Directory Sync.
    8. Change the Sync Frequency as desired.
    9. Activation Policy can be Automatic or User-Activated. User-Activated means users have to go to the App Center to add the icons to the My Apps portal.
    10. Click Save when done.
  6. After the Horizon connection is added, on the right side of the screen, click Sync.
    • Note: whenever you make a change to the pools in View Administrator, you must either wait for the next automatic Sync time, or you can return to this screen and click Sync Now.
  7. In the Calculating Sync Actions page, click Save.
  8. Click the blue Refresh link until the sync is completed.
  9. If you go to Catalog > Virtual Apps, you will see your synced Application and Desktop pools.
  10. Skip ahead to the Horizon Pools Catalog section.

Identity Manager 3.0 and older

Horizon Connection Instructions for Identity Manager 3.0 and older:

  1. In the Identity Manager Admin Portal, click the Catalog tab, and then click Application Catalog.
  2. Click Manage Desktop Applications, and then click Horizon View On-Premises.
  3. Click one of the connectors.
  4. Check the box next to Enable Horizon View Applications and Desktops.
  5. Enter the address of a Horizon Connection Server (or load balanced FQDN). Note: reverse IP lookup must be functional for this DNS name.
  6. Enter View Administrator credentials in userPrincipalName format. The account needs at least Read Only Administrator access to Horizon.
  7. Notice the link to Add Horizon Pod. This is for Cloud Pod Architecture.
  8. Deployment Type can be Automatic or User-Activated. User-Activated means users have to go to the App Center to add the icons to the My Apps portal.
  9. Specify the Viewpool sync frequency, and click Save. New pools created in Horizon Administrator don’t show up in Identity Manager until a sync is performed.
  10. Near the top of the screen you might see red text. Click Invalid SSL Cert.
  11. In the Certificate Information page, click Accept.
  12. Near the bottom of the page click Sync Now. Note: whenever you make a change to the pools in View Administrator, you must either wait for the next automatic Sync time, or you can return to this screen and click Sync Now.
  13. If sync fails, see VMware KB 2091744, Synchronizing VMware Horizon View Pool in Workspace Portal fails with the error: Failed to complete View sync due to a problem with the View Connection Server.
  14. Then click Save and Continue. Note: whatever groups are entitled to Horizon Pools and Applications must also be synced (Active Directory) with Identity Manager.

Horizon Pools Catalog

  1. In the Identity Manager Admin console, at Catalog > Virtual Apps, you can see the Horizon View icons. Only the pools in the root Access Group are synced.
  2. Click an icon and then click View Assignments.
  3. Make sure entitlements are listed. Entitlements are defined in Horizon Administrator, and not in Identity Manager. Identity Manager merely syncs the entitlements from Horizon.
  4. Only AD groups synced to Identity Manager will be displayed. Domain Users won’t sync to Identity Manager, so entitle the Horizon pools to AD groups other than Domain users.
  5. If you make changes in Horizon Administrator, then manually sync the Virtual Apps Collection so the changes are reflected in Identity Manager.
  6. Back in the Virtual Apps list, if you check the box next to one of the icons, you can place the icon in a Category by clicking the Categories menu.
    • You can select one or more existing categories.
    • Or type in a new category name at the top of the list.
  7. The category is then displayed next to the catalog item.
  8. Identity Manager 3.1 adds a Recommended category.
  9. In Identity Manager 3.2 and newer, go to Catalog > Settings.
  10. On the left, click User Portal Configuration.
  11. From this screen, you can control tab visibility, and put recommended apps in the Bookmarks tab. Click Save when done.

Separate Horizon View Connection Server groups (e.g. multi-datacenter) can be configured in failover order. See Configure Failover Order of Horizon View and Citrix-based Resources at VMware Docs.

Identity Manager – Horizon URLs

The URL used to launch a Horizon icon from Identity Manager can be different for each Network Range. For internal users, the URL should point to the load balanced VIP for the Connection Servers. For external users, the URL should point to load balanced Unified Access Gateways.

In Identity Manager 19.03 and newer:

  1. Go to Catalog > Virtual Apps Collection.
  2. Click the link for a Virtual Apps Collection.
  3. Click Edit Network Range.
  4. Click an existing Network Range, or create a new one.
  5. Near the bottom, in the Client Access FQDN field, enter the FQDN that users on this Network Range should use to access Horizon. Then click Save. Note that the FQDN for Horizon is different than the FQDN for Identity Manager.

In Identity Manager 3.3 and older:

  1. In the Identity Manager administrator interface, go to Identity & Access Management (Manage) > Policies sub-tab > Network Ranges.
    • Before 3.2, this was located under Identity & Access Management > Setup view > Network Ranges.
  2. You can edit the default ALL RANGES, or add a new Network Range.
  3. In Identity Manager 3.1 and older, you can specify the Horizon URL for the IP range from here. You can have different Horizon Client Access URLs for different IP ranges (e.g. internal vs external). For external users, the URL points to Access Points or Horizon Security Servers.
  4. In Identity Manager 3.2 and newer, after creating the Network Ranges, go to Catalog > Virtual Apps.
  5. On the top right, click Virtual App Settings.
  6. Click a Network Range.
  7. In the Client Access URL Host field, enter the FQDN that resolves to the internal Connection Server load balancer, or the external Unified Access Gateway load balancer. Then click Finish.

Identity Manager User Portal

The User Portal is the interface that non-administrators see after logging in. Administrators can switch to the User Portal by clicking the username on the top right and clicking User Portal.

Administrators in the User Portal can switch to the Administration Console by clicking the username on the top right.

Some User Portal features:

  1. When a user logs in to the Identity Manager web page the pool icons will be displayed.
  2. When the user clicks an icon, the pool can be opened in either the Horizon Client or a browser. To set the default launch method:
    1. On the top right, click your name, and click Settings.
    2. On the left, click Preferences.
    3. Make your choice and click Save.
    4. The Horizon Client option has a link to download and Install the Horizon Client.
  3. Back in the icons list, when the user clicks Open next to an icon, there’s a link to Install the Horizon Client.
  4. To mark an icon as a Bookmark, click the bookmark icon next to each app.
  5. Or click an app icon to open the app’s Description page, and then click Bookmark.
  6. Then you can click the Bookmarks tab to display only icons that are marked as Bookmarks.
  7. If you configured Categories, they are listed in the left side of the page. When you click a category, only the icons in that category are displayed.

VMware Horizon 6 – Cloud Pod Architecture

Last Modified: Sep 2, 2018 @ 7:50 am


Planning

Cloud Pod Architecture lets you create a single icon that load balances connections across multiple pools in multiple pods in multiple sites (datacenters).

  • Entitlements can be local or global. Local means pools only in a single pod. Global means merging pools from multiple pods into a single entitlement.
    • Don’t configure both global and local entitlements for the same pool.
    • A single pool can only belong to one global entitlement.
    • Global Entitlements work in a single pod (good for large pools). Or you can have multiple pods and multiple sites.
    • Horizon 6.2 supports Global Entitlements for applications. However, it’s one application per global entitlement.
  • Use NetScaler GSLB or F5 GTM to connect Horizon Clients to a Horizon 6 Connection Server. The Horizon 6 Connection Server then uses Global Entitlements to select a pod/pool/desktop.
  • By default, pools in pods in the same site as the Horizon 6 Connection Server that the View Client is connected to are preferred over pools in remote sites. Use Home Sites to override this behavior. Home Sites are assigned to Active Directory user groups.
  • For Dedicated Assignment pools, global entitlement only helps with the initial connection. Once the user is assigned to a desktop then that desktop is always selected. Users are not automatically provided with a desktop from another site if the site containing their dedicated desktop has gone down. The desktop request will fail because the dedicated desktop isn’t available. The administrator could configure a separate Global Entitlement for the users to provide a floating desktop until such time the original site recovers. That floating entitlement should be arranged to deliver desktops from other sites as required.
  • The Horizon 6 Connection Servers participating in Cloud Pod Architecture communicate with each other over TCP 22389 and TCP 8472. Make sure these ports are open.
  • View Administrator includes a new administrator privilege: Manage Global Sessions. The regular Administrators role has access to multiple pods. The new Local Administrators role can only manage the local pod.
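Before initializing or joining a federation, it is worth confirming that the two inter-pod ports above are actually open between the Connection Servers of each pod. The following PowerShell is an added example (not from the original post or from VMware): it runs Test-NetConnection from one Connection Server against the Connection Servers of another pod on TCP 22389 and TCP 8472 and reports which checks succeeded. The server names are placeholders; Test-NetConnection needs Windows 8.1 / Server 2012 R2 or newer.

```powershell
# Added example: verify Cloud Pod Architecture inter-pod ports (TCP 22389 and TCP 8472)
# from this Connection Server to the Connection Servers in another pod.
# Server names below are placeholders; replace them with your own.
$RemoteConnectionServers = 'cs01.pod2.example.local', 'cs02.pod2.example.local'

function Test-CloudPodPorts {
    param(
        [Parameter(Mandatory)] [string[]] $ComputerName,
        [int[]] $Port = @(22389, 8472)          # ports from the post
    )
    foreach ($server in $ComputerName) {
        foreach ($p in $Port) {
            # Test-NetConnection returns an object whose TcpTestSucceeded tells us whether
            # the TCP handshake completed; warnings (e.g. ping blocked) are suppressed.
            $r = Test-NetConnection -ComputerName $server -Port $p -WarningAction SilentlyContinue
            [pscustomobject]@{
                Server    = $server
                Port      = $p
                RemoteIP  = $r.RemoteAddress
                Reachable = $r.TcpTestSucceeded
            }
        }
    }
}

$results = Test-CloudPodPorts -ComputerName $RemoteConnectionServers
$results | Format-Table -AutoSize

# Fail loudly if anything is blocked so the check can be used in a pre-flight script.
$blocked = $results | Where-Object { -not $_.Reachable }
if ($blocked) {
    throw ("Blocked inter-pod ports: " + (($blocked | ForEach-Object { "$($_.Server):$($_.Port)" }) -join ', '))
}
```

Because the pods talk to each other, run the same check in the opposite direction (from a Connection Server in pod 2 against pod 1) before joining the federation; a one-way firewall rule will still produce a failed join.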

Limits:

  • Max users = 20,000
  • Max Pods = 4
  • Max Sites = 2
  • Max Horizon 6 Connection Servers = 20

Traffic flow (Rob Beekmans – VMware Horizon View Cloud Pod – unwanted routing?):

  • Use F5 GTM or NetScaler GSLB to connect users to a Horizon 6 Connection Server in any pod. If active/active, use proximity load balancing to control which pod is initially accessed.
  • The Horizon 6 Connection Server looks up the Global Entitlements to determine the destination pod for the Pool.
  • The user’s PCoIP session goes through the initially connected Horizon 6 Connection Server and across the DCI (Datacenter Interconnect) circuit to the remote pod. There’s no way to re-route PCoIP through a Horizon 6 Connection Server in the remote pod. In fact, the Horizon 6 Connection Servers in the remote pod are never accessed. You need sufficient DCI bandwidth to handle this PCoIP traffic.

Initialize First Pod

  1. In View Administrator, on the left, expand View Configuration and click Cloud Pod Architecture.
  2. On the right, click Initialize the Cloud Pod Architecture feature.
  3. Click OK to initialize.
  4. A status page is displayed.
  5. Click OK to reload the client.
  6. On the left, expand View Configuration and click Cloud Pod Architecture.
  7. Feel free to rename the federation.
  8. On the left, expand View Configuration and click Sites.
  9. Rename the Default First Site to be more descriptive.
  10. If you click the site to highlight it, you can rename the Pod to make it more descriptive.

  11. If you add a Replica server after global entitlements are enabled, see Setting up the Cloud Pod Architecture feature on a replicated View Connection Server instance.
  12. See Restoring View Connection Server instances in a Cloud Pod Architecture pod federation.

Additional Pods – Join Federation

  1. Connect to View Administrator in the 2nd pod.
  2. On the left, expand View Configuration and click Cloud Pod Architecture.
  3. On the right, click Join the pod federation.
  4. Enter the name of an existing Horizon 6 Connection Server that is already joined to the federation.
  5. Enter credentials and click OK.
  6. The Join status is displayed.
  7. Click OK to reload the client.
  8. On the left, expand View Configuration and click Sites.
  9. If this pod is in a different site then click Add to create a new site.
  10. Give the site a name and click OK.
  11. Highlight the 1st site.
  12. On the bottom, highlight the new pod and click Edit.
  13. Rename the pod and put it in the 2nd site. Click OK.

Global Entitlements

Do not create both global and local entitlements for the same pool otherwise users might see two icons.

  1. In View Administrator, on the left, expand Catalog and click Global Entitlements.
  2. On the right, click Add.
  3. In the Type page, select Desktop Entitlement or Application Entitlement and click Next.
  4. In the Name and Policies page, give the entitlement (icon) a name. For Application Entitlements, it’s one entitlement per application so include the application name.
  5. Make other selections. The Use home site checkbox tells the global entitlement to respect user home sites but the user home sites can only be configured at the command line (lmvutil). Click Next.
  6. If creating a Desktop Entitlement then there are more options.
  7. In the Users and Groups page, add users that can see the icon. Click Next.
  8. In the Ready to Complete page, click Finish.
  9. Double-click the new global entitlement.
  10. On the Local Pools tab, click Add.
  11. Select the pools you want to add and click Add. Remember, only one app per Global Entitlement.
  12. Go to another pod and view the Global Entitlements.
  13. On the right, double-click the Global Entitlement.
  14. On the Local Pools tab, click Add to add pools from this pod.

Monitoring

  1. Once Global Entitlements are enabled, a new Search Sessions node is added to View Administrator. This allows you to search for sessions across federated pods.
  2. The Dashboard shows the health of remote pods.

Home Sites

Home sites can’t be specified in View Administrator so use lmvutil instead:

  • lmvutil provides almost no feedback.
  • Its parameter names are case sensitive.
  • It requires you to authenticate for every single command.
  • There are different commands for groups vs users.
  • Home sites for groups don’t understand nesting.

Do the following to create home sites and assign them to users:

  1. Run Command Prompt as administrator.
  2. To create home sites for users, see pubs.vmware.com.
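Since lmvutil gives almost no feedback and wants the authentication switches on every call, a small wrapper makes the home-site work less error prone. The script below is an added example (not from the original post or from VMware): it supplies the authentication switches on each call, throws on a non-zero exit code, creates two sites, assigns a group home site and a user home site, and then lists the assignments to confirm they were stored. The lmvutil.cmd path is assumed to be the default Connection Server tools folder, and every site, domain, account, user and group name is a placeholder. Switch names are case sensitive, so keep them exactly as written.

```powershell
# Added example: wrapper around lmvutil for creating sites and assigning home sites.
# Path below is an assumption (default Connection Server install); adjust if needed.
$LmvUtil    = 'C:\Program Files\VMware\VMware View\Server\tools\bin\lmvutil.cmd'
$AuthDomain = 'corp'           # placeholder
$AuthUser   = 'horizonadmin'   # placeholder
$AuthPass   = Read-Host -Prompt "Password for $AuthDomain\$AuthUser" -AsSecureString

function Invoke-LmvUtil {
    param([Parameter(Mandatory)] [string[]] $Arguments)
    # lmvutil only accepts the password as a command-line switch, so convert it just for the call.
    $bstr  = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($AuthPass)
    try   { $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
    finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }
    # Every lmvutil command must authenticate; switch names are case sensitive.
    $auth = @('--authAs', $AuthUser, '--authDomain', $AuthDomain, '--authPassword', $plain)
    & $LmvUtil @auth @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "lmvutil failed (exit $LASTEXITCODE): $($Arguments -join ' ')"
    }
}

# 1. Create the sites (skip any that already exist under View Configuration > Sites).
Invoke-LmvUtil @('--createSite', '--siteName', 'Dallas', '--siteDescription', 'Primary datacenter')
Invoke-LmvUtil @('--createSite', '--siteName', 'Denver', '--siteDescription', 'Secondary datacenter')

# 2. Assign a home site to an AD group. Group home sites do not follow nesting,
#    so members of nested groups are not covered by this assignment.
Invoke-LmvUtil @('--assignGroupHomeSite', '--groupName', 'corp\Dallas-Users', '--siteName', 'Dallas')

# 3. Override the home site for one user.
Invoke-LmvUtil @('--assignUserHomeSite', '--userName', 'corp\jdoe', '--siteName', 'Denver')

# 4. Read the assignments back, since the tool prints nothing on success.
Invoke-LmvUtil @('--listUserAssignments',  '--userName',  'corp\jdoe')
Invoke-LmvUtil @('--listGroupAssignments', '--groupName', 'corp\Dallas-Users')
```

The password still ends up on the lmvutil command line (that is how the tool takes it), so it is visible in process listings on the Connection Server for the duration of each call; run this from an interactive elevated session on the server itself rather than baking the password into a stored script.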


VMware Horizon 6 – Virtual Desktop Pools

Last Modified: Sep 2, 2018 @ 7:50 am

This topic details View configuration for Virtual Desktop Agents. RDS Farms are detailed at https://www.carlstalhood.com/horizon-6-rds-farmspools/.


Prep

  • Each pool points to one vSphere cluster. 32 hosts maximum. If Virtual SAN, 20 hosts maximum.
  • Ensure vSwitch has sufficient ports for the new virtual desktops.
  • Ensure the VLAN has enough DHCP addresses for the desktop pool.
    • Lower the DHCP lease time too.
  • KMS Licensing is required for Windows 7+ and/or Office 2010+.
  • The virtual desktop pools will use the same hardware specs (e.g. vCPUs, memory size, network label) specified on the master virtual desktop. Adjust accordingly.
  • The parent image should be in the same cluster where the linked clone virtual desktops will be created.

Disk space:

  • One or more LUNs for storage of the virtual desktops. Maximum of 140 desktops per VMFS5 LUN. Up to 250+ desktops per NFS LUN.
  • By default, Replicas are copied to each LUN that contains virtual desktops. It’s possible to place the Replica and the linked clones on separate LUNs. If you use a dedicated Replica LUN, then there is only one copy of the Replica no matter how many LUNs are used for storing virtual desktops. Note: NFS VAAI requires Replica to be copied to each virtual desktop LUN.
  • Persistent disks can be used to store the user’s profile (but not user-installed applications). To enable Persistent disks, the pool must be Dedicated Assignment. You can place the persistent disks on a LUN that is separate from the linked clones LUN. A better option is to use View Persona or User Environment Manager instead of Persistent disks.
  • Disposable disks. In Dedicated Assignment pools, you have the option of creating Disposable Disks. These disks are always stored with the virtual desktop (you can’t choose a dedicated disposable disk LUN). If you’re planning to frequently refresh the desktops, there’s no point in using Disposable disks.
  • .vswp files. Allocate disk space for memory swap and graphics memory overhead. Any unreserved memory will result in a .vswp file. For example, if the master virtual desktop has 2 GB of RAM configured and none of it is reserved then each linked clone will have a 2 GB .vswp file.
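To turn the rules above into a first-pass sizing estimate, here is an added PowerShell calculator (example code, not part of the original post). It applies the per-datastore limits from this post (140 desktops per VAAI-enabled VMFS LUN, 64 without VAAI, 250 per NFS datastore, and a replica copy on every NFS datastore), the .vswp rule (unreserved memory becomes a swap file of that size on every clone), and the replica placement choice. The per-clone growth figure (DeltaGB) is an assumption you supply based on how often you refresh.

```powershell
# Added example: estimate datastore count and capacity for a linked-clone pool
# using the limits and rules described in the post. DeltaGB is your own estimate
# of how much each linked clone grows between refreshes.
function Get-LinkedClonePoolStorage {
    param(
        [Parameter(Mandatory)] [int]    $Desktops,
        [Parameter(Mandatory)] [double] $ReplicaGB,     # size of the replica (copy of the parent snapshot)
        [Parameter(Mandatory)] [double] $DeltaGB,       # assumed growth of each clone between refreshes
        [Parameter(Mandatory)] [double] $MemoryGB,      # memory configured on the master VM
        [double] $ReservedMemoryGB = 0,                 # memory reservation on the master VM
        [ValidateSet('VMFS-VAAI', 'VMFS', 'NFS')] [string] $DatastoreType = 'VMFS-VAAI',
        [switch] $DedicatedReplicaDatastore
    )
    # Desktops per datastore, from the post: 140 on a VAAI LUN, 64 without VAAI, 250 per NFS datastore.
    $perDatastore    = @{ 'VMFS-VAAI' = 140; 'VMFS' = 64; 'NFS' = 250 }[$DatastoreType]
    $cloneDatastores = [int][math]::Ceiling($Desktops / $perDatastore)

    # Any unreserved memory becomes a .vswp file of that size on every clone.
    $swapGB = [math]::Max(0, $MemoryGB - $ReservedMemoryGB)

    # Replica placement: a dedicated replica datastore holds a single copy; otherwise every
    # clone datastore gets one. NFS VAAI requires the replica on each clone datastore regardless.
    $dedicated     = $DedicatedReplicaDatastore -and ($DatastoreType -ne 'NFS')
    $replicaCopies = if ($dedicated) { 1 } else { $cloneDatastores }

    [pscustomobject]@{
        Desktops          = $Desktops
        CloneDatastores   = $cloneDatastores
        ReplicaDatastores = if ($dedicated) { 1 } else { 0 }
        ReplicaCopies     = $replicaCopies
        ReplicaGB         = $replicaCopies * $ReplicaGB
        SwapGB            = $Desktops * $swapGB
        CloneDeltaGB      = $Desktops * $DeltaGB
        TotalGB           = ($replicaCopies * $ReplicaGB) + ($Desktops * ($DeltaGB + $swapGB))
    }
}

# Example: 500 desktops, 40 GB replica, 3 GB growth per clone, 2 GB RAM with no reservation,
# VAAI LUNs and a dedicated replica datastore. Expect 4 clone datastores, 1 replica copy,
# 1000 GB of swap, 1500 GB of clone growth and 2540 GB in total.
Get-LinkedClonePoolStorage -Desktops 500 -ReplicaGB 40 -DeltaGB 3 -MemoryGB 2 `
    -DatastoreType 'VMFS-VAAI' -DedicatedReplicaDatastore | Format-List
```

Re-run it with -ReservedMemoryGB equal to -MemoryGB to see how much of the footprint is swap alone; that is usually the quickest way to decide whether a memory reservation on the master is worth it.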

Floating (Non-Persistent) Desktop Pool

  1. In View Administrator, on the left, expand Catalog and click Desktop Pools.
  2. On the right, you can clone an existing pool. This copies many of the settings from the existing pool into the new pool.
  3. Or just click Add.
  4. In the Type page, select Automated Desktop Pool and click Next.
  5. In the User Assignment page, select Floating and click Next.
  6. In the vCenter Server page, select View Composer linked clones. Select the vCenter server and click Next.
  7. In the Pool Identification page, enter a name for the pool. A VM folder with the Pool ID as the name will be created in vCenter. Also, assign the pool to an Access group to restrict delegated administration. Note: If you intend to integrate with VMware Identity Manager, then make sure you select the root Access group. Other Access Groups won’t work. Click Next.
  8. In the Pool Settings page do the following:
    1. Change the selection for Automatically logoff after disconnect to After and specify a disconnect timer.
    2. Change the selection for Delete or refresh desktop on logoff to Refresh Immediately.
    3. Change the selection for Allow users to choose protocol to No. Then make your desired choices for 3D rendering and Maximum monitors. If not using 3D, max out the number of monitors and the resolution. This will grant more video RAM for each desktop if their video card is set to automatic.
    4. Note: Windows 7 MMR (H.264 only) requires 3D rendering to be enabled.
    5. Scroll down.
    6. Check the box next to HTML Access.
    7. HTML Access requires monitor resolution to be 1920×1200 or higher.
    8. Click Next.
  9. In the Provisioning Settings page, enter a naming pattern. You can use {n:fixed=3} to specify the location for the incremented numerals. Make sure the naming pattern does not conflict with any existing machines.
  10. Enter the maximum number of desktops to create. You can create all of them now or wait to create them as users connect. When a user connects to one of these desktops, View immediately creates another desktop (up to the maximum) and powers it on.
  11. Enter the number of spare (idle, unassigned, unused) desktops you want powered on. View maintains this number up to the maximum number of desktops.
  12. In Horizon 6.2, the maximum number of desktops per pool is 2,000. Ensure that the DHCP scope has enough addresses for the Max number of desktops specified here. Click Next.
  13. In the Disposable File Redirection page, select Do not redirect disposable files and click Next. Since we’re refreshing the desktops on logoff, there’s no need for a separate disposable disk.
  14. In the Storage Optimization page, check the box for Select separate datastores for replica and OS disk if you want to use storage tiering. Click Next.
  15. In the vCenter Settings page, most of these are self-explanatory. Click Browse next to each option and make your selection.
  16. If the Parent VM is not showing up in the list, check the box next to Show all parent VMs and click the icon next to the VM to see the issue.
  17. For Linked clone datastores, select one or more datastores on which the virtual desktops will be placed. Select your Storage Overcommit preference. Since you are refreshing desktops on every logoff, they should stay small so Unbounded is probably acceptable. VMware recommends no more than 140 virtual desktops per VAAI-enabled LUN. If the LUN is not VAAI enabled, 64 is the maximum. Click OK when done.
  18. For Select Replica Disk Datastores, select one datastore for the replica and then click OK.
  19. Then click Next.
  20. In the Advanced Storage Options page, be aware of the following:
    • View Storage Accelerator creates digest files, which consumes disk space. Creation of the digest files requires IOPS. Make sure to set the blackout times so that this digest creation does not happen during peak hours.
    • Reclaim VM disk space is not useful for non-persistent desktops.
  21. If you scroll down, there’s a new Transparent Page Sharing Scope. The default is no sharing. Use one of the other options to enable sharing. Click Next.
  22. In the Guest Customization page, next to AD container, click Browse and select the OU where virtual desktop computer objects will be placed.
  23. Consider checking the box next to Allow reuse of pre-existing computer accounts. Click Next.
  24. In the Ready to Complete page, you may entitle users now or later. Click Finish.
  25. To check the status of the virtual desktops, go to Catalog > Desktop Pools.
  26. Double-click the pool name.
  27. On the Inventory tab, click Desktops (View Composer Details). There’s a refresh button.
  28. You can also view the status of the desktops by looking at the Dashboard.
  29. Your VMs should eventually have a status of Available.
  30. If you encounter issues with View Composer, see VMware 2087379 VMware Horizon View Composer help center.

Entitle Virtual Desktops

To make a pool accessible by a user, it must be entitled.

  1. Go to Catalog > Desktop Pools.
  2. Double-click the pool name.
  3. On the Settings tab, click Entitlements.
  4. In the Entitlements window, click Add.
  5. Find a group that will have permission to log into these desktops and click OK.
  6. Then click OK.
  7. For a Persistent pool, go to the Inventory tab to see the desktops. Select a desktop and under More Commands click Assign User.
  8. Find the user and click OK. Repeat to assign users to additional desktops.

Update a Pool

  1. Power on the master/parent virtual desktop.
  2. After making your changes, shut down the master virtual desktop.
  3. Right-click the virtual machine and take snapshot. You must create a new snapshot.
  4. Name the snapshot and click OK.
  5. If you do this often, you’ll need to periodically delete the older snapshots. Right-click the master VM and click Manage Snapshots.
  6. Delete one or more of the snapshots.
  7. In View Administrator, go to Inventory > Pools.
  8. Double-click a pool name.
  9. On the Settings tab, click View Composer and then click Recompose.
  10. In the Image page, select the new snapshot and click Next.
  11. In the Scheduling page, decide when to apply this new image and then click Next.
  12. In the Ready to Complete page, click Finish.
  13. On the Inventory tab, you can click Desktops (View Composer Details) to check on the status of the recompose task.


VMware Horizon 6 – Master Virtual Desktop

Last Modified: Sep 2, 2018 @ 7:53 am

Use this post to build a virtual desktop that will be used as the parent image or source image for additional virtual desktops.


Hardware

  1. The virtual desktop pools will use the same hardware specs (e.g. vCPUs, memory size, network label) specified on the master virtual desktop. Adjust accordingly.
  2. Set Memory as desired.
  3. For New Hard disk, consider setting Thin provision.
  4. Make sure the virtual desktop is using a SCSI controller.
  5. The master virtual desktop should be configured with a VMXNET 3 network adapter.
  6. When building the master virtual desktop, you will probably boot from an ISO.
  7. Before using View Administrator to create a pool, ensure the CD/DVD drive points to Client Device and is not Connected. The important part is to make sure no ISO file is configured.
  8. There’s no need for the Floppy drive so remove it.
  9. If you have any Serial ports, remove them.
  10. In Device Manager, after installing VMware Tools, make sure the video driver is VMware SVGA 3D.
  11. If not, you can use the driver at C:\Program Files\Common Files\VMware\Drivers\video_wddm.

Windows

Operating System Selection

As of Horizon 6.2, Windows 10 is supported. However, Multimedia Redirection is not supported.

Preparation

  • Partition Alignment. For Windows XP, make sure the partition is aligned. You’ll need to create and partition the disk in advance on another virtual machine and set the partition offset (in diskpart: create partition primary align=1024). Windows 7 doesn’t have this problem.
  • VMware Tools. Install the latest version of VMware Tools and Guest Introspection (formerly known as vShield Endpoint) Driver prior to installing the Horizon 6 Agent.
  • Teradici Audio Driver – https://techsupport.teradici.com/link/portal/15134/15164/Article/1434/Teradici-Virtual-Audio-Driver-1-2-0-Release-Details-15134-1434
  • For the AppVolumes Agent and Imprivata OneSign agent (if applicable), don’t install them until Horizon 6 Agent is installed.

Windows 7 Networking Hotfix

  1. Ensure the vSphere network port group allows a sufficient number of connected virtual machines.
  2. Make sure Windows 7 Service Pack 1 is installed.
  3. Download hotfix 2550978 from http://support.microsoft.com/kb/2550978.
  4. Run Windows6-1-KB2550978.msu.
  5. Click Yes when asked to install the hotfix.
  6. Click Restart Now.

Follow http://support.microsoft.com/kb/315539 to delete ghost NICs.

For desktop VMs using VMXNET3 NICs, you can significantly improve the peak video playback performance of your View desktop by simply setting the following registry value to the value recommended by Microsoft:

HKLM\System\CurrentControlSet\Services\Afd\Parameters\FastSendDatagramThreshold to 1500

[As discussed in a Microsoft KB article http://support.microsoft.com/kb/235257]

Black Screen Hotfix

VMware 2073945 – Reconnecting to the VDI desktop with PCoIP displays a black screen: Request and Install Microsoft hotfix 2578159: The logon process stops responding in Windows.

Power Options

  1. Run Power Options. In Windows 8 and newer, right-click the Start Menu to access Power Options.
  2. Click the arrow to show more plans and select High performance.
  3. Next to High performance, click Change plan settings.
  4. Change the selection for Turn off the display to Never and click Save changes.

System Settings

  1. Domain Join. For linked clones, join the machine to the domain.
  2. In System control panel applet (right-click the Start Menu > System), click Remote settings.
  3. Enable Remote Desktop.
  4. Activate Windows with a KMS license if not already activated. Note: only KMS is supported with View Composer.

Windows Profiles v3/v4 Hotfix

Roaming user profiles are tied to the operating system version so profiles on Windows 8.1-based, Windows 10-based, or Windows Server 2012 R2-based computers are incompatible with roaming user profiles in earlier versions of Windows.

Profiles are compatible only between the following client and server operating system pairs:

  • Windows 10 and Windows Server 2016
  • Windows 8.1 and Windows Server 2012 R2
  • Windows 8 and Windows Server 2012
  • Windows 7 and Windows Server 2008 R2
  • Windows Vista and Windows Server 2008

If Windows 8, install hotfix http://support.microsoft.com/kb/2887239.

If Windows 8.1, ensure update rollup 2887595 is installed. http://support.microsoft.com/kb/2890783

After you apply this update, you must create a registry key before you restart the computer.

  1. Run regedit.
  2. Locate and then tap or click the following registry subkey:
    HKEY_LOCAL_MACHINE\System\CurrentControlset\Services\ProfSvc\Parameters
  3. On the Edit menu, point to New, and then tap or click DWORD Value.
  4. Type UseProfilePathExtensionVersion.
  5. Press and hold or right-click UseProfilePathExtensionVersion, and then tap or click Modify.
  6. In the Value data box, type 1, and then tap or click OK.
  7. Exit Registry Editor.

After you configure the UseProfilePathExtensionVersion registry entry, you have to restart the computer. Then, Windows 8.1 creates a user profile and appends the suffix “.v4” to the profile folder name to differentiate it from version 2 of the profile in Windows 7 and version 3 of the profile in Windows 8. Then, Windows 8.1-based computers that have update rollup 2887595 installed and the UseProfilePathExtensionVersion registry entry configured use version 4 of the profile.

Windows 8 creates a new copy of the user profile and appends the suffix “.v3” in the profile folder name to differentiate it from the original version 2 profile for Windows 7. After that, Windows 8-based computers that have this hotfix installed and the UseProfilePathExtensionVersion registry entry configured use the version 3 profile for users.

Install Applications

Install applications locally if you want them to be available on all virtual desktops created based on this master virtual desktop.

Or you can use a Layering product (e.g. VMware App Volumes, Unidesk) or App Streaming (e.g. ThinApp, Microsoft App-V).

Antivirus

Microsoft’s virus scanning recommendations (e.g. exclude group policy files) – http://support.microsoft.com/kb/822158.

Anti-Virus Practices for VMware View – http://www.vmware.com/files/pdf/VMware-View-AntiVirusPractices-TN-EN.pdf

Sophos

Best Practice for running Sophos on virtual systems – http://www.sophos.com/en-us/support/knowledgebase/110507.aspx and Sophos Anti-Virus for Windows 2000+: incorporating current versions in a disk image, including for use with cloned virtual machines – http://www.sophos.com/en-us/support/knowledgebase/12561.aspx

Symantec

Best practices for virtualization with Symantec Endpoint Protection 12.1, 12.1 RU1, and 12.1 RU1 MP1 – http://www.symantec.com/business/support/index?page=content&id=TECH173650

Symantec Endpoint Protection 12.1 – Non-persistent Virtualization Best Practices – http://www.symantec.com/business/support/index?page=content&id=TECH180229

How to prepare a Symantec Endpoint Protection 12.1 client for cloning – http://www.symantec.com/business/support/index?page=content&id=HOWTO54706

Non-persistent desktops:

After you have installed the Symantec Endpoint Protection client and disabled Tamper Protection, open the registry editor on the base image.

  1. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\.
  2. Create a new key named Virtualization.
  3. Under Virtualization, create a DWORD value named IsNPVDIClient and set it to 1.
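The master image ends up with several registry tweaks from this post: FastSendDatagramThreshold from the Windows 7 Networking Hotfix section, UseProfilePathExtensionVersion from the Windows Profiles v3/v4 Hotfix section, and the Symantec IsNPVDIClient flag just above. The following PowerShell is an added example (not from the original post, Microsoft, Symantec or VMware) that applies all three idempotently and verifies each one, so the same script can be re-run on the master after every rebuild. The paths and values are exactly the ones given in the post; the helper, the OS-version gate and the Symantec-installed check are my additions. Run it elevated on the master VM, after the relevant hotfix or rollup and the SEP client are installed, and reboot afterwards as the profile hotfix requires.

```powershell
# Added example: apply and verify the master-image registry values from the post.
# Requires PowerShell 3 or newer (Get-CimInstance) and an elevated session.
function Set-RegistryDword {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [int]    $Value
    )
    # Create the key if it is missing (e.g. the Symantec Virtualization key).
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    $before = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    if ($before -ne $Value) {
        New-ItemProperty -Path $Path -Name $Name -PropertyType DWord -Value $Value -Force | Out-Null
    }
    $after = (Get-ItemProperty -Path $Path -Name $Name).$Name
    [pscustomobject]@{ Path = $Path; Name = $Name; Before = $before; After = $after; Ok = ($after -eq $Value) }
}

$settings = @(
    # VMXNET3 video playback tweak (Microsoft KB 235257).
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Afd\Parameters'
       Name = 'FastSendDatagramThreshold'; Value = 1500 }
)

# Profile suffix (.v3 on Windows 8, .v4 on Windows 8.1) only applies to those OS versions
# (NT 6.2 and 6.3), and only after hotfix 2887239 / rollup 2887595 is installed.
$osVersion = [version](Get-CimInstance Win32_OperatingSystem).Version
if ($osVersion -ge [version]'6.2' -and $osVersion -lt [version]'6.4') {
    $settings += @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\ProfSvc\Parameters'
                    Name = 'UseProfilePathExtensionVersion'; Value = 1 }
}

# Symantec non-persistent VDI flag, only when the SEP client is present.
$sepSmc = 'HKLM:\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC'
if (Test-Path $sepSmc) {
    $settings += @{ Path = "$sepSmc\Virtualization"; Name = 'IsNPVDIClient'; Value = 1 }
}

$results = foreach ($s in $settings) { Set-RegistryDword @s }
$results | Format-Table -AutoSize

# Fail the build if any value did not land, so the problem is caught before the snapshot is taken.
if ($results | Where-Object { -not $_.Ok }) {
    throw 'One or more registry values were not applied.'
}
```

The Before/After columns double as a record of what the image looked like before the run, which is handy when comparing a freshly rebuilt master against the previous snapshot.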

To configure the purge interval for offline non-persistent VDI clients:

  1. In the Symantec Endpoint Protection Manager console, on the Admin page, click Domains.
  2. In the Domains tree, click the desired domain.
  3. Under Tasks, click Edit Domain Properties.
  4. On the Edit Domain Properties > General tab, check the Delete non-persistent VDI clients that have not connected for specified time checkbox and change the days value to the desired number. The Delete clients that have not connected for specified time option must be checked to access the option for offline non-persistent VDI clients.
  5. Click OK.

Make the following changes to the Communications Settings policy:

  1. Configure clients to download policies and content in Pull mode.
  2. Disable the option to Learn applications that run on the client computers.
  3. Set the Heartbeat Interval to no less than one hour.
  4. Enable Download Randomization, and set the Randomization window to 4 hours.

Make the following changes to the Virus and Spyware Protection policy:

  1. Disable all scheduled scans
  2. Disable the option to “Allow startup scans to run when users log on” (This is disabled by default)
  3. Disable the option to “Run an ActiveScan when new definitions Arrive”

Avoid using features like application learning, which send information to the SEPM and rely on client state to optimize traffic flow.

Linked clones:

To configure Symantec Endpoint Protection to use Virtual Image Exception to bypass the scanning of base image files:

  1. On the console, open the appropriate Virus and Spyware Protection policy.
  2. Under Advanced Options, click Miscellaneous.
  3. On the Virtual Images tab, check the options that you want to enable.
  4. Click OK.

Trend Micro

Trend Micro Virtual Desktop Support

VDI Pre-Scan Template Generation Tool

Best practice for setting up Virtual Desktop Infrastructure (VDI) in OfficeScan

Frequently Asked Questions (FAQs) about Virtual Desktop Infrastructure/Support In OfficeScan

Horizon 6 Agent 6.2.2

Horizon 6 Agent Installation

Install Horizon 6 Agent on the master virtual desktop:

  1. Only install Horizon 6 Agent after VMware Tools. If you need to update VMware Tools, uninstall Horizon 6 Agent first, upgrade VMware Tools, and then reinstall Horizon 6 Agent.
  2. Check the video driver to make sure it is VMware SVGA 3D.
  3. Go to the downloaded Horizon 6 Agent 6.2.2. Run VMware-viewagent-6.2.2.exe.
  4. In the Welcome to the Installation Wizard for VMware Horizon View Agent page, click Next.
  5. In the License Agreement page, select I accept the terms and click Next.
  6. In the Network protocol configuration page, select IPv4 and click Next.
  7. In the Custom Setup page, if you want Scanner Redirection then enable that feature. Do the same for USB Redirection. Note: Scanner Redirection will impact host density. Click Next when done making selections.
  8. Click OK to acknowledge the message regarding USB redirection security.
  9. In the Ready to Install the Program page, click Install.
  10. In the Installer Completed page, click Finish.
  11. Click Yes when asked to restart.

User Environment Manager Engine

If you are licensed for User Environment Manager (Horizon Enterprise Edition), install the User Environment Manager Engine.

  1. Make sure Prevent access to registry editing tools is not enabled in any GPO. This setting prevents the FlexEngine from operating properly.
  2. In Windows 8 and newer, open Programs and Features (right-click the Start Menu) and click Turn Windows features on or off.
  3. Select .NET Framework 3.5 and click OK.
  4. Click Download files from Windows Update.
  5. Go to the extracted User Environment Manager 9.0 folder and run VMware User Environment Manager 9.0 x64.msi.
  6. In the Welcome to the VMware User Environment Manager Setup Wizard page, click Next.
  7. In the End-User License Agreement page, check the box next to I accept the terms and click Next.
  8. In the Destination Folder page, click Next.
  9. The Choose Setup Type page appears. By default, the installer only installs the engine. You can click Custom or Complete to also install the console.
  10. In the Choose License File page, if installing on a View Agent then no license file is needed.
  11. Otherwise, Browse to the license file. Then click Next.
  12. In the Ready to install VMware User Environment Manager page, click Install.
  13. In the Completed the VMware User Environment Manager Setup Wizard page, click Finish.

Unity Touch

With the Unity Touch feature, tablet and smart phone users can quickly navigate to a Horizon View desktop application or file from a Unity Touch sidebar. Although end users can specify which favorite applications appear in the sidebar, for added convenience, administrators can configure a default list of favorite applications.

In the Unity Touch sidebar, the favorite applications and favorite files that users specify are stored in the user’s profile. For non-persistent pools, enable Roaming Profiles.

To set the default list of favorite applications:

  1. Navigate to HKLM\Software\Wow6432Node\VMware, Inc.\VMware Unity
  2. Create a string value called FavAppList.
  3. Specify the default favorite applications using the format path-to-app-1|path-to-app-2|path-to-app-3|…. For example:
Programs/Accessories/Accessibility/Speech Recognition.lnk|Programs/VMware/VMware vSphere Client.lnk|Programs/Microsoft Office/Microsoft Office 2010 Tools/Microsoft Office 2010 Language Preferences.lnk

Unity Touch can be disabled by setting HKEY_LOCAL_MACHINE\Software\VMware,Inc.\VMware Unity\enabled to 0.

For more information, see the Feature Pack Installation and Administration guide at http://www.vmware.com/support/pubs/view_pubs.html.

Direct-Connection Plugin

If you wish to allow direct connections to the Horizon 6 Agent, install the Direct-Connection Plugin. This is not a typical configuration since it allows users to bypass the Horizon 6 Connection Servers but is useful if you need to restrict a Horizon 6 Agent to only one Horizon Client.

  1. Run the downloaded Direct-Connection Plugin (VMware-viewagent-direct-connection-6.2-xxx.exe).
  2. In the Welcome to the Installation Wizard for View Agent Direct-Connection Plugin page, click Next.
  3. In the End-User License Agreement page, select I accept the terms and click Next.
  4. In the Configuration Information page, click Next.
  5. In the Ready to install View Agent Direct-Connection Plugin page, click Install.
  6. In the Completed the View Agent Direct-Connection Plugin Setup Wizard page, click Finish.
  7. When running the Horizon Client, enter the FQDN or IP address of the Horizon 6 Agent (virtual desktop).

Composer – Rearm

By default, when View Composer creates linked clones and runs QuickPrep, one of the tasks is to rearm licensing. You can prevent this by setting the following registry value:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\vmware-viewcomposer-ga

SkipLicenseActivation  DWORD           0x1

Dynamic PCoIP Policies

If you wish to change PCoIP Policies (e.g. clipboard redirection, client printers, etc.) based on how the user connects, see the VMware Blog Post VMware Horizon View Secret Weapon. The article describes configuring the VMware Horizon View Script Host service to run a script that changes the PCoIP configuration based on the Connection Server that the user connected through. The full script is included in the article.

VMware OS Optimization Tool

  1. Download the VMware OS Optimization Tool VMware fling.
  2. Run the downloaded VMwareOSOptimizationTool_1050.msi.
  3. On the Analyze tab, on the bottom left, click Analyze.
  4. Check both boxes and click Continue to Analyze.
  5. Review the optimizations and make changes as desired. Then on the bottom left click Optimize.
  6. Click the FAILED links for more information.
  7. The History tab lets you rollback the optimizations.
  8. The Templates tab lets you edit the optimizations. You can create your own template or edit an existing template.
  9. Also see VMware 2100337 Improving log in time for floating desktops on DaaS and Horizon View for deletion of ActiveSetup registry keys that slow down 1st login. These optimizations do not appear to be included in VMware’s OS optimization tool.  💡

Snapshot

  1. Make sure the master virtual desktop is configured for DHCP.
  2. If connected to the console, run ipconfig /release.
  3. Run the antivirus sealing tasks described in the antivirus section above.
  4. Shutdown the master virtual desktop.
  5. Edit the Settings of the master virtual machine and disconnect the CD-ROM. Make sure no ISO is configured in the virtual machine.
  6. Take a snapshot of the master virtual desktop. View Composer requires a snapshot.
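Before taking the snapshot, the following added PowerShell check (not part of the original post) reads back the registry values this post sets on the master image, the Symantec IsNPVDIClient flag, the Composer SkipLicenseActivation value and the Unity Touch FavAppList, and confirms that IPv4 is on DHCP. The registry paths are the ones quoted in the post; which rows apply depends on which of those products you installed, and the DHCP check assumes Windows 8 / Server 2012 or newer.

```powershell
# Added example: pre-snapshot audit of the master virtual desktop.
# Run elevated on the master VM. Returns one row per check.

function Get-MasterImageAudit {
    $checks = @(
        @{ Name = 'SEP non-persistent VDI flag (IsNPVDIClient)'
           Path = 'HKLM:\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\Virtualization'
           Value = 'IsNPVDIClient'; Expected = 1
           # Only required when Symantec Endpoint Protection is installed at all.
           Relevant = [bool](Test-Path 'HKLM:\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC') }
        @{ Name = 'Composer QuickPrep skips rearm (SkipLicenseActivation)'
           Path = 'HKLM:\SYSTEM\CurrentControlSet\services\vmware-viewcomposer-ga'
           Value = 'SkipLicenseActivation'; Expected = 1; Relevant = $false }   # optional choice
        @{ Name = 'Unity Touch default favourites (FavAppList)'
           Path = 'HKLM:\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Unity'
           Value = 'FavAppList'; Expected = $null; Relevant = $false }          # optional choice
    )

    foreach ($c in $checks) {
        $actual = $null
        if (Test-Path $c.Path) {
            $actual = (Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue).($c.Value)
        }
        $status = if ($null -eq $actual) {
            if ($c.Relevant) { 'MISSING' } else { 'not set (optional)' }
        } elseif ($null -ne $c.Expected -and $actual -ne $c.Expected) {
            "WRONG (expected $($c.Expected))"
        } elseif ($c.Value -eq 'FavAppList') {
            # The post's format is path|path|path, each entry a .lnk shortcut.
            $bad = @(($actual -split '\|') | Where-Object { $_ -notlike '*.lnk' })
            if ($bad.Count) { "CHECK (entries not .lnk: $($bad -join ', '))" } else { 'ok' }
        } else { 'ok' }
        [pscustomobject]@{ Check = $c.Name; Actual = $actual; Status = $status }
    }

    # Snapshot step 1: the master must use DHCP, or every clone inherits its static address.
    $static = @(Get-NetIPInterface -AddressFamily IPv4 -ErrorAction SilentlyContinue |
                Where-Object { $_.Dhcp -eq 'Disabled' -and $_.InterfaceAlias -notmatch 'Loopback' })
    [pscustomobject]@{
        Check  = 'IPv4 interfaces using DHCP'
        Actual = if ($static.Count) { ($static.InterfaceAlias -join ', ') + ' static' } else { 'all DHCP' }
        Status = if ($static.Count) { 'WRONG' } else { 'ok' }
    }
}

Get-MasterImageAudit | Format-Table -AutoSize -Wrap
```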

VMware Horizon 6 Security Server

Last Modified: Sep 2, 2018 @ 7:53 am

Preparation

Security Servers are intended to be deployed in the DMZ.

Horizon View Security Server is installed on Windows. If you prefer a Linux appliance, see VMware Access Point.

Security Considerations for Horizon View 5.2 – http://www.vmware.com/resources/techresources/10371

Firewall Ports

If there is only one Security Server in the DMZ, create a NAT’d public IP to the Security Server. Create a public DNS entry that resolves to this IP address.

If there are two Security Servers and you intend to load balance them, create three public IPs:

  • Public IP NAT’d to the load balancer IP. Create a public DNS entry that resolves to this IP address. This is the DNS name that users will enter into their Horizon Clients.
  • Public IP NAT’d to each of the Security Servers. Each Security Server must be exposed directly to the Internet. Create public DNS names that resolve to these public IPs. When installing Security Server, specify these public DNS names and not the load balanced DNS name.

Note: your load balancer might be able to provide persistence across multiple port numbers and thus there’s no need for the server-specific public IPs. For example, in NetScaler this is called Persistency Groups.

Firewall Rules for View Connection Server at pubs.vmware.com.

Open these ports from any device on the Internet to all Security Server and Load Balancer public IPs:

  • TCP 80
  • TCP 443
  • TCP and UDP 4172. UDP 4172 must be opened in both directions.
  • TCP 8443 (for HTML Blast)

Open these ports from the Security Servers to internal:

  • If IPSec is enabled in View Administrator (Global Settings > Security > Edit), open ISAKMP Protocol (UDP 500) and ESP. Or if there is NAT between the Security Server and the Connection Server, open NAT-T ISAKMP (UDP 4500). Configuring a Back-End Firewall to Support IPsec at pubs.vmware.com.
  • TCP 8009 (AJP13) to the paired internal Horizon 6 Connection Server.
  • TCP 4001 (JMS) to the paired internal Horizon 6 Connection Server.
  • TCP and UDP 4172 (PCoIP) to all internal Horizon View Agents. UDP 4172 must be opened in both directions.
  • TCP 32111 (USB Redirection) to all internal Horizon View Agents.
  • TCP 22443 (HTML Blast) to all internal Horizon View Agents.
  • TCP 9427 (MMR) to all internal Horizon View Agents.
  • TCP 4002 for Enhanced Message Security – Change the JMS Message Security Mode to Enhanced at pubs.vmware.com
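The back-end rules above can be checked from the Security Server itself with this added PowerShell script (not part of the original post). The hostnames are placeholders; UDP 4172 (PCoIP) and the IPsec ports (UDP 500/4500, ESP) cannot be verified with a TCP connect and are left out, and TCP 4002 only matters when JMS enhanced message security is enabled.

```powershell
# Added example: TCP reachability test from the Security Server to the
# paired Connection Server and a sample of internal Horizon View Agents.

$PairedConnectionServer = 'cs01.corp.example'        # placeholder
$SampleAgents           = @('vdi-001.corp.example')   # placeholder desktop(s); one per agent subnet is enough

function Get-BackendPortRules {
    param([string]$ConnectionServer, [string[]]$Agents)
    $rules = @(
        [pscustomobject]@{ Target = $ConnectionServer; Port = 8009; Purpose = 'AJP13 to paired Connection Server' }
        [pscustomobject]@{ Target = $ConnectionServer; Port = 4001; Purpose = 'JMS to paired Connection Server' }
        [pscustomobject]@{ Target = $ConnectionServer; Port = 4002; Purpose = 'JMS enhanced message security (if enabled)' }
    )
    foreach ($agent in $Agents) {
        $rules += [pscustomobject]@{ Target = $agent; Port = 4172;  Purpose = 'PCoIP (TCP side only)' }
        $rules += [pscustomobject]@{ Target = $agent; Port = 32111; Purpose = 'USB redirection' }
        $rules += [pscustomobject]@{ Target = $agent; Port = 22443; Purpose = 'HTML Blast' }
        $rules += [pscustomobject]@{ Target = $agent; Port = 9427;  Purpose = 'MMR' }
    }
    $rules
}

function Test-TcpPort {
    param([string]$Target, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Target, $Port, $null, $null)
        # A filtered port never signals within the timeout; a refused one fails EndConnect.
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async)
        return $client.Connected
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Test-SecurityServerBackendPorts {
    param([string]$ConnectionServer = $PairedConnectionServer, [string[]]$Agents = $SampleAgents)
    foreach ($r in Get-BackendPortRules -ConnectionServer $ConnectionServer -Agents $Agents) {
        [pscustomobject]@{
            Target  = $r.Target
            Port    = $r.Port
            Open    = Test-TcpPort -Target $r.Target -Port $r.Port
            Purpose = $r.Purpose
        }
    }
}

Test-SecurityServerBackendPorts | Format-Table -AutoSize
```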

Pairing Password

  1. In View Administrator, on the left, expand View Configuration and click Servers.
  2. On the right, switch to the Connection Servers tab.
  3. Select the Horizon 6 Connection Server to which the Security Server will be paired. Then click More Commands and click Specify Security Server Pairing Password.
  4. Enter a password and click OK.

Install – Security Server

  1. Ensure the Horizon 6 Security Server has 10 GB of RAM and 4 vCPU.
  2. Login to the Horizon 6 Security Server.
  3. Go to the downloaded Horizon 6 Connection Server 6.2.2 and run VMware-viewconnectionserver-x86_64-6.2.2.exe.
  4. In the Welcome to the Installation Wizard for VMware Horizon 6 Connection Server page, click Next.
  5. In the License Agreement page, select I accept the terms and click Next.
  6. In the Destination Folder page, click Next.
  7. In the Installation Options page, select Horizon 6 Security Server and click Next.
  8. In the Paired Horizon 6 Connection Server page, enter the name of the internal Horizon 6 Connection Server that this Security Server will be paired with. If using a hostname, it must be resolvable (edit the local HOSTS file) to the correct IP. Also, the correct firewall ports are required. Click Next.
  9. In the Paired Horizon 6 Connection Server Password page, enter the pairing password specified earlier and click Next.
  10. In the Horizon 6 Security Server Configuration page, edit the URLs as appropriate. These URLs must be externally accessible. The top URL is a FQDN while the middle URL is an IP address. These can be changed later. Click Next.
  11. In the Firewall Configuration page, click Next.
  12. In the Ready to Install the Program page, click Install.
  13. In the Installer Completed page, click Finish.

SSL

Horizon 6 Security Server Certificate

  1. Run mmc, add the Certificates snap-in and point it to Computer > Local Machine.
  2. Request a new certificate with a common name that matches the FQDN of the HTTPS Secure Tunnel URL or import a wildcard certificate. If using a load balancer, the FQDN must match the load balancer FQDN, not the Security Server FQDN. Also, the private key must be exportable.
  3. Note: the private key must be exportable. You can either click Details to mark the key as exportable or use IIS to create the certificate.
  4. After creating the certificate, try exporting it. If the option to export the private key is grayed out then this certificate will not work.
  5. In the list of certificates, look for the one that is self-signed. The Issuer will be the local computer name instead of a Certificate Authority. Right-click it and click Properties.
  6. On the General tab, clear the Friendly name field and click OK.
  7. Right-click your Certificate Authority-signed certificate and click Properties.
  8. On the General tab, in the Friendly name field, enter the text vdm and click OK. Note: only one certificate can have vdm as the Friendly name.
  9. Then restart the VMware Horizon 6 Security Server service.
  10. If the VMware Horizon View Security Gateway Component won’t start then your certificate doesn’t have an exportable private key. The private key must be exportable.
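The certificate conditions in the steps above can be verified before restarting the service with this added PowerShell function (not part of the original post): exactly one certificate in the computer store carries the Friendly Name vdm, it has an exportable private key, its CN or SAN matches the external tunnel FQDN (the load balancer name when one is used), and it is neither expired nor self-signed. The FQDN passed in is a placeholder.

```powershell
# Added example: validate the Security Server certificate tagged with
# Friendly Name "vdm" in the Local Machine / Personal store.

function Test-VdmCertificate {
    param(
        [Parameter(Mandatory)] [string] $ExpectedFqdn,      # the HTTPS Secure Tunnel / load balancer FQDN
        [string] $StorePath = 'Cert:\LocalMachine\My'
    )
    $findings = New-Object System.Collections.Generic.List[string]
    $vdm = @(Get-ChildItem -Path $StorePath | Where-Object { $_.FriendlyName -eq 'vdm' })

    if ($vdm.Count -ne 1) {
        $findings.Add("expected exactly one certificate with Friendly Name 'vdm', found $($vdm.Count)")
        return [pscustomobject]@{ Ok = $false; Thumbprint = $null; Findings = $findings }
    }
    $cert = $vdm[0]

    if (-not $cert.HasPrivateKey) {
        $findings.Add('certificate has no private key')
    } else {
        # Exporting to PFX throws when the key was generated as non-exportable,
        # which is the case in which the Security Gateway Component refuses to start.
        try { [void]$cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx, 'check') }
        catch { $findings.Add('private key is not exportable (Security Gateway Component will not start)') }
    }

    # Collect the CN and every SAN DNS entry, then accept an exact or single-label wildcard match.
    $names = @()
    $cn = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
    if ($cn) { $names += $cn }
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        $names += ($san.Format($false) -split ',\s*' | ForEach-Object { ($_ -split '=')[-1].Trim() })
    }
    $match = $names | Where-Object {
        $_ -eq $ExpectedFqdn -or
        ($_.StartsWith('*.') -and $ExpectedFqdn -like ('*' + $_.Substring(1)) -and
         $ExpectedFqdn.Split('.').Count -eq $_.Split('.').Count)
    }
    if (-not $match) { $findings.Add("no CN/SAN matches $ExpectedFqdn (names: $($names -join ', '))") }

    if ($cert.NotAfter -lt (Get-Date)) { $findings.Add("certificate expired $($cert.NotAfter)") }
    if ($cert.Subject -eq $cert.Issuer) { $findings.Add('certificate is self-signed; Horizon Clients will not trust it') }

    [pscustomobject]@{ Ok = ($findings.Count -eq 0); Thumbprint = $cert.Thumbprint; Findings = $findings }
}

Test-VdmCertificate -ExpectedFqdn 'view.example.com'   # placeholder FQDN
```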

Global Accepted Ciphers

VMware 2121183 Response to CVE-2015-4000 (a.k.a., Logjam) for Horizon View and Horizon 6 products: The default global acceptance and proposal policies are defined in View LDAP attributes. These policies apply to all Horizon 6 Connection Server instances in a replicated group and all security servers paired with them. To change a global policy, you can edit View LDAP on any Horizon 6 Connection Server instance.

For details about how to navigate to the correct View LDAP attributes, see the topics called Global Acceptance and Proposal Policies Defined and Change the Global Acceptance and Proposal Policies in the View Security guide. Note that although these links point to the 6.2 version of the guide, the topics are the same as those in the 5.2/5.3 and 6.0 versions of the guide.

  • Change the pae-ClientSSLSecureProtocols attribute and the pae-ServerSSLSecureProtocols attribute as follows:

    pae-ClientSSLSecureProtocols = "\LIST:TLSv1.2,TLSv1.1,TLSv1"
    pae-ServerSSLSecureProtocols = "\LIST:TLSv1.2,TLSv1.1,TLSv1"

    This setting enables TLSv1.2 by default, to make use of the new cipher suites you will be adding when you set the next attributes.

  • Change the pae-ClientSSLCipherSuites attribute and the pae-ServerSSLCipherSuites attribute as follows:

    pae-ClientSSLCipherSuites = "\LIST:TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
    TLS_RSA_WITH_AES_128_CBC_SHA256,
    TLS_RSA_WITH_AES_128_CBC_SHA,
    SSL_RSA_WITH_RC4_128_SHA"

    pae-ServerSSLCipherSuites = "\LIST:TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
    TLS_RSA_WITH_AES_128_CBC_SHA256,
    TLS_RSA_WITH_AES_128_CBC_SHA,
    SSL_RSA_WITH_RC4_128_SHA"

Note that although these cipher suites are shown on separate lines to improve readability, when you edit this attribute, enter the cipher suites on one line with no spaces after the commas.

Also note that the last cipher suite shown in the list, SSL_RSA_WITH_RC4_128_SHA, should be omitted if all connecting clients support AES cipher suites.

To add 256-bit versions of the cipher suites, follow the instructions in the topic JCE Policy Files to Support High-Strength Cipher Suites in the View Security guide.

SSL Ciphers – Horizon 6 Security Server

Sven Huisman: Secure your Horizon View security server: from rating F to A-: see the blog post for detailed instructions.

  1. Update the JCE Policy Files to Support High-Strength Cipher Suites
  2. Use ADSIEdit to change pae-ServerSSLCipherSuites, pae-ServerSSLSecureProtocols, pae-ClientSSLCipherSuites, and pae-ClientSSLSecureProtocols
  3. Or you can edit C:\Program Files\VMware\VMware View\Server\sslgateway\conf\locked.properties
  4. If this Horizon 6 Connection Server or View Security Server is publicly accessible, check it at ssllabs.com.
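The four View LDAP attributes from the Global Accepted Ciphers section and the ADSIEdit step above can be read and audited from a Connection Server with this added PowerShell script (not part of the original post or of VMware's tooling). The object DN is an assumption based on the Common global-policy object described in the View Security guide; confirm it in ADSI Edit before using the writer, which is left commented out.

```powershell
# Added example: audit (and optionally harden) the global SSL acceptance and
# proposal policies stored in View LDAP, over ADSI on port 389 of a Connection Server.

$GlobalPolicyDn   = 'LDAP://localhost:389/cn=common,ou=global,ou=properties,dc=vdi,dc=vmware,dc=int'   # assumed DN
$PolicyAttributes = @('pae-ServerSSLSecureProtocols', 'pae-ClientSSLSecureProtocols',
                      'pae-ServerSSLCipherSuites',    'pae-ClientSSLCipherSuites')

# What this check treats as weak: pre-TLS1.2 protocols and RC4/MD5/NULL/export/DES suites.
$WeakProtocols     = @('SSLv2', 'SSLv3', 'TLSv1', 'TLSv1.1')
$WeakCipherPattern = 'RC4|_MD5|NULL|EXPORT|DES'

function ConvertFrom-ViewList {
    # "\LIST:a,b,c" -> @('a','b','c'); an unset attribute yields an empty array.
    param([string]$Raw)
    if ([string]::IsNullOrEmpty($Raw)) { return @() }
    @(($Raw -replace '^\\LIST:', '') -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
}

function Get-ViewSslPolicy {
    param([string]$Dn = $GlobalPolicyDn)
    $obj = [ADSI]$Dn
    foreach ($attr in $PolicyAttributes) {
        $entries = ConvertFrom-ViewList ([string]$obj.psbase.Properties[$attr].Value)
        $weak = @($entries | Where-Object {
            ($attr -like '*Protocols'    -and $WeakProtocols -contains $_) -or
            ($attr -like '*CipherSuites' -and $_ -match $WeakCipherPattern)
        })
        [pscustomobject]@{ Attribute = $attr; Entries = $entries; Weak = $weak; Ok = ($weak.Count -eq 0) }
    }
}

function Set-ViewSslPolicy {
    # Writes one attribute back as a single-line "\LIST:" value, no spaces after the commas.
    param([Parameter(Mandatory)][string]$Attribute, [Parameter(Mandatory)][string[]]$Entries,
          [string]$Dn = $GlobalPolicyDn)
    if ($PolicyAttributes -notcontains $Attribute) { throw "unknown attribute $Attribute" }
    $obj = [ADSI]$Dn
    $obj.psbase.Properties[$Attribute].Value = '\LIST:' + ($Entries -join ',')
    $obj.psbase.CommitChanges()
}

Get-ViewSslPolicy | Format-Table -AutoSize -Wrap

# Hardened values built only from the post's own lists (TLSv1.2 only, the same
# suites minus SSL_RSA_WITH_RC4_128_SHA). Confirm every Horizon Client in use
# supports TLSv1.2 before applying; uncomment to write:
# Set-ViewSslPolicy -Attribute 'pae-ServerSSLSecureProtocols' -Entries @('TLSv1.2')
# Set-ViewSslPolicy -Attribute 'pae-ServerSSLCipherSuites' -Entries @(
#     'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256', 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA',
#     'TLS_RSA_WITH_AES_128_CBC_SHA256', 'TLS_RSA_WITH_AES_128_CBC_SHA')
```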

Disable RC4 – Blast Secure Gateway

VMware 2122359 Disable RC4 on Blast Secure Gateway: RC4 is already disabled in Horizon 6.2. Follow this procedure for older versions of Horizon View.

  1. Run an elevated text editor and open the file C:\Program Files\VMware\VMware View\Server\appblastgateway\lib\absg-config.js.
  2. Scroll down to line 111 and change :RC4: to :!RC4:.

Load Balancing

See Carl Stalhood – Horizon View Load Balancing

Enable PCoIP Secure Gateway

  1. In View Administrator, on the left, expand View Configuration and click Servers.
  2. On the right, switch to the Connection Servers tab.
  3. Click the Connection Server that is paired with the Security Server and click Edit. Note: you can’t configure this directly on the Horizon 6 Security Server and instead must configure it on the paired Horizon 6 Connection Server.
  4. On the General tab, check the box next to Use PCoIP Secure Gateway for PCoIP connections to desktop. Also, make sure Secure Tunnel and Blast Secure Gateway are enabled. Click OK.

VMware Horizon 6 Configuration

Last Modified: Sep 2, 2018 @ 7:53 am

Preparation

Horizon Service Account

  1. Create an account in Active Directory that View will use to login to vCenter. This account can also be used by Composer to create computer accounts in Active Directory.
  2. Make sure the password does not expire.
  3. Domain User is sufficient. Permissions will be delegated where needed.

vCenter Role for View Composer

This role has all permissions needed for both full clones and linked clones.

  1. Create an account in Active Directory that View will use to login to vCenter.
  2. In vSphere Web Client, on the Home screen, click Roles.
  3. Click the plus icon to add a Role.
  4. Name the role View or similar.
  5. Expand Datastore and enable Allocate space, Browse datastore, and Low level file operations.
  6. Expand Folder and enable Create folder, and Delete folder.
  7. Expand Global and enable Act as vCenter Server, Disable Methods, Enable Methods, and Manage custom attributes.
  8. Scroll down and enable Set custom attribute and System tag.
  9. Expand Host, expand Configuration and enable Advanced Settings.
  10. Scroll down and enable System Management.
  11. Enable Network and everything under it.
  12. For Virtual SAN, enable Profile-driven storage and everything under it. VMware 2094412 – When attempting to deploy linked clones using VMware Virtual SAN (VSAN) you receive the error: Unable to connect to PBM sub system PB may be down
  13. Expand Resource and enable Assign virtual machine to resource pool and Migrate powered off virtual machine.
  14. Expand Virtual Machine and enable everything under Configuration, Inventory, and Snapshot Management (or State).
  15. Expand Virtual Machine > Interaction and enable Power Off, Power On, Reset, and Suspend.
  16. Expand Virtual Machine > Provisioning. Enable Allow disk access, Clone virtual machine, Customize, and Deploy template.
  17. Scroll down and enable Read customization specifications. Click OK when done.
  18. Browse to the vCenter object. Permissions must be assigned at the vCenter level. It won’t work at any lower level.
  19. On the right, switch to the Manage tab and select the Permissions sub-tab.
  20. Click the plus icon to add a permission.
  21. Under Users and Groups click Add.
  22. Find the Active Directory account that View will use to login to vCenter, click Add and then click OK.
  23. On the right, under Assigned Role, change it to the role created earlier (e.g. View Composer Administrator). Then click OK.
  24. The service account is now listed on the Permissions sub-tab.
  25. The service account also must be a local administrator on the vCenter server. In Server Manager, go to Tools > Computer Management.
  26. Go to System Tools > Local Users and Groups > Groups. Double-click Administrators. Add the View service account and click OK.

Active Directory Delegation

View Composer uses an Active Directory account to create computer objects in Active Directory. This service account must be granted permission to create computer objects.

  1. Create an OU in Active Directory where the virtual desktop computer objects will be stored.
  2. In Active Directory Users & Computers, right-click the OU where the computer objects will be stored and click Delegate Control. This wizard is not included in Active Directory Administrative Center.
  3. In the Welcome to the Delegation of Control Wizard page, click Next.
  4. In the Users or Groups page, add the Active Directory service account for View Composer. Then click Next.
  5. In the Tasks to Delegate page, select Create a custom task to delegate and click Next.
  6. In the Active Directory Object Type page, click Next.
  7. In the Permissions page, check the three boxes under Show these permissions.
  8. In the Permissions section, check the boxes next to Read All Properties and Write All Properties.
  9. In the Permissions section, scroll down and check the boxes next to Create Computer objects and Delete Computer objects. Click Next.
  10. In the Completing the Delegation of Control Wizard page, click Finish.

Events SQL Database

A new empty SQL database is needed for storage of View Events. Only SQL authentication is supported.

  1. In SQL Server Management Studio, create a new database.
  2. Name it VMwareViewEvents or similar. Switch to the Options tab.
  3. Select your desired Recovery model and click OK.
  4. Add a SQL login if one does not exist already. Windows authentication is not supported.
  5. Right-click a SQL login and click Properties.
  6. On the User Mapping page, check the Map box next to the VMwareViewEvents database.
  7. On the bottom, add the user to the db_owner database role. Click OK when done.

Licensing

  1. Run the Horizon 6 Administration Console by double-clicking the desktop shortcut. Or, go to https://FQDN/admin.
  2. If Flash is not installed, you are prompted to install it. This won’t work on Windows Server 2012 unless you have the Desktop Experience feature installed. To avoid this, use Chrome.
  3. Login using a Horizon View administrator account.
  4. On the left, under View Configuration, click Product Licensing and Usage.
  5. On the top left of the right pane, click Edit License.
  6. In the Edit License window, enter your license serial number and click OK.
  7. The license expiration is now displayed. Note that only Horizon Advanced and above have Application Remoting (published applications).

Administrators

  1. On the left, expand View Configuration and click Administrators.
  2. On the right, click Add User or Group near the top.
  3. In the Add Administrator Or Permission page, click Add.
  4. Enter the name of a group that you want to grant permissions to and click Find.
  5. After the group is found, click it to highlight it and click OK.
  6. Then click Next.
  7. Select the role (e.g. Administrators) and click Next.
  8. Select an access group to which the permission will be applied and click Finish. Note: If you intend to integrate with VMware Identity Manager, then only pools in the root Access group will sync with Identity Manager. Other Access Groups won’t work.

Help Desk

None of the built-in roles are useful for Help Desk. Create a new role.

  1. On the right, switch to the Roles tab and click Add Role.
  2. Name the role Help Desk or similar.
  3. Check the box next to Console Interaction and scroll down.
  4. Check the box next to Manage Machine and click OK.
  5. To further restrict Help Desk permissions, on the Access Groups tab, create an Access Group. Pools can be placed in an Access Group and if an administrator only has permission to one Access Group then pools in other access groups cannot be managed. Note: If you intend to integrate with VMware Identity Manager, then only pools in the root Access group will sync with Identity Manager. Other Access Groups won’t work.
  6. Switch back to the Administrators and Groups tab and click Add User or Group.
  7. In the Add Administrator Or Permission window, click Add, find your Help Desk group and click Next.
  8. Click the Help Desk role to highlight it and click Next.
  9. Check the box next to an Access Group to which the permissions will be applied and click Finish. Note: If you intend to integrate with VMware Identity Manager, then only pools in the root Access group will sync with Identity Manager. Other Access Groups won’t work.
  10. The group is added to the list and the role is shown on the right.

vCenter and View Composer

If you are adding multiple vCenter servers, make sure each vCenter Server has a Unique ID. In vSphere Web Client, go to the vCenter Server > Manage > Settings > General > Edit > Runtime Settings and confirm that the ID is unique for each vCenter server.

  1. On the left, expand View Configuration and click Servers.
  2. In the right pane, in the vCenter Servers tab, click Add.
  3. In the Server address field, enter the FQDN of the vCenter server.
  4. In the User Name field, enter the Active Directory account that View will use to login to vCenter as detailed earlier in this post. Also enter the password.
  5. Click Next.
  6. If you see a message regarding invalid certificate, click View Certificate.
  7. Then click Accept.
  8. In the View Composer page, select Standalone View Composer Server. Enter the FQDN of the server and the credentials of an account to access the View Composer server. The service account must be a local administrator on the View Composer Server. Click Next.
  9. If you see an invalid certificate, click View Certificate.
  10. Then click Accept.
  11. In the View Composer Domains page, click Add.
  12. Enter the Full domain name of where the virtual desktop computer objects will be created.
  13. Enter the Active Directory service account credentials that has permission to create computer objects and click OK. Then click Next.
  14. In the Storage page, check the box to Enable View Storage Accelerator and increase the host cache size to 2048. View Storage Accelerator causes digest files to be created thus increasing disk space requirements. Reclaim VM disk space requires IOPS during its operation. Click Next.
  15. In the Ready to Complete page, click Finish.

Disable Secure Tunnel

By default, Horizon Clients connect to virtual desktops by tunneling through a Horizon 6 Connection Server. It would be more efficient for the Horizon Clients to connect directly to the virtual desktops.

  1. In View Administrator, on the left, expand View Configuration and click Servers.
  2. On the right, switch to the Connection Servers tab.
  3. Click the Connection Server and click Edit.
  4. On the General tab, uncheck the box next to HTTP(S) Secure Tunnel. Also, make sure the other Secure Gateways are not enabled. Click OK. Note: if you are using HTML Blast internally then disabling the gateway will cause Blast connections to go directly to the Agent and the Agent certificate is probably not trusted.

Event Database and Syslog

  1. On the left of View Administrator, expand View Configuration and click Event Configuration.
  2. On the right, under Event Database, click Edit.
  3. Enter the name of the SQL server.
  4. Select Microsoft SQL Server as the Database type.
  5. Enter the name of the database.
  6. Enter the SQL credentials (no Windows authentication).
  7. Optionally, enter VE_ (or similar) for the Table prefix. This allows you to use the same Events database for multiple View installations.
  8. Click OK.
  9. The View Administrator now shows it configured. You can change the age of events shown in View Administrator.
  10. To add a syslog server, look on the right side of the page.
  11. You can go to Monitoring > Events to view the events in the database.

Event Database SQL Index

VMware Knowledgebase article – The Event database performance in VMware View 6.0.x is extremely slow (2094580): Symptoms:

  • The Event database performance in VMware View 6.0.x is extremely slow when browsing within View
  • High CPU usage on the SQL server, hosting the Event database
  • The larger the Event database becomes, the slower the queries run.

To resolve this issue, create an index. Run this command on your SQL Event database:

CREATE INDEX IX_eventid ON dbo.VDIevent_data (eventid)

Substitute VDIevent_data for the table name using your Event database prefix.

Event Queries

VMware Fling – Horizon View Event Notifier: collects and sends the alerts via email (SMTP) to users that are specified during the configuration process. It allows aggregation of alerts across multiple Horizon View Pods and for near real-time alerting of Horizon View alerts that are otherwise very difficult to be notified on.

Chris Halstead – VMware Horizon View Events Database Export Utility: this utility allows administrators to easily apply very detailed filtering to the data and export it to .csv. You can filter on time range, event severity, event source, session type (Application or Desktop), Usernames and Event Types. The application allows for extremely granular export of data. The exported columns can also be customized and the application will export data from both the live and the historical tables in the View Events Database.

VMware Knowledgebase article – Creating SQL views to retrieve the top 50 maximum number of concurrent desktop sessions over a period: This article provides steps to create database views to retrieve the maximum number of concurrent desktop sessions over a period from the event_historical table.

To retrieve the top 50 maximum number of concurrent desktop sessions over a period time from the event_historical table, run this query:

select [Count], [Time] from (
    select top 50
        dbo.<prefix>_data_historical.IntValue as [Count],
        dbo.<prefix>_historical.Time as [Time]
    from dbo.<prefix>_historical, dbo.<prefix>_data_historical
    where dbo.<prefix>_historical.EventID = dbo.<prefix>_data_historical.EventID
      and dbo.<prefix>_data_historical.Name = 'UserCount'
      and dbo.<prefix>_historical.EventType = 'BROKER_DAILY_MAX_DESKTOP'
    order by dbo.<prefix>_historical.Time desc
) A order by [Time]

Where <prefix> is the prefix for the event table. You can find the prefix that you must use by examining other view definitions, such as user_events.

Global Settings

  1. On the left, under View Configuration, click Global Settings.
  2. On the right, under Global Settings, click Edit.
  3. Set the View Administrator Session Timeout. This applies to administrators and help desk. 4320 minutes (72 hours) is the maximum.
  4. Forcibly disconnect users is an active session timeout. It is not an idle timeout in that it doesn’t care if the user is working or not. The default is 10 hours so consider increasing it. Note: this timer does not log the user out of Windows. Instead it merely disconnects the user and requires the user to logon to Horizon 6 Connection Server again.
  5. Under Client-dependent settings, you can set an idle timeout. This is new in Horizon 6. The idle timeout applies to applications only (not desktops). An additional disconnect timeout is configurable in each pool’s settings.
  6. Enable automatic status updates enables automatic updating of the table displayed in the top-left corner of View Administrator.
  7. Make other changes as desired. Click OK when done.
  8. To configure an idle timeout for desktop sessions, use the instructions in http://myvirtualcloud.net/vmware-view-disconnect-logoff-or-shutdown-your-vm-when-idle/. Or create a screensaver. http://communities.vmware.com/message/1756450?tstart=0

Global Policies

  1. By default, Multimedia Redirection is disabled. You can enable it by going to Policies > Global Policies.
  2. On the right, click Edit Policies.
  3. Set Multimedia redirection to Allow and click OK. Notice that Multimedia redirection is not encrypted.

Authentication

How to Set Up 2-Factor Authentication in Horizon View with Google Authenticator:

  1. Linux box with Likewise joined to Active Directory.
  2. Google Authenticator software installed on Linux
  3. Freeradius installed on Linux
  4. Configure View to authenticate with RADIUS
  5. Installation and configuration of Google Authenticator client

Backups

  1. On the left, expand View Configuration and click Servers.
  2. On the right, in the Connection Servers tab you can select a Horizon 6 Connection Server and click Backup Now. Backups can be found in C:\ProgramData\VMware\VDM\backups.
  3. If you Edit the Horizon 6 Connection Server, on the Backup tab you can schedule automatic backups. This also backs up the View Composer database but not the vCenter database. VMware 1008046 – Performing an end-to-end backup and restore for VMware View Manager.

Related Pages

VMware Horizon 6 Connection Server

Last Modified: Sep 2, 2018 @ 7:53 am



Windows Features

  1. It’s probably helpful to install some administration tools on the Horizon 6 Connection Servers. In Server Manager, open the Manage window and click Add Roles and Features.
  2. Click Next until you get to the Features page.
  3. Check the box next to Group Policy Management and scroll down.
  4. Check the box next to Telnet Client.
  5. If you need Flash Player (e.g. to connect to the vSphere Web Client or View Administrator), then expand User Interfaces and Infrastructure and check the box next to Desktop Experience.
  6. Click Add Features when prompted.
  7. Expand Remote Server Administration Tools > Role Administration Tools > AD DS and AD LDS Tools > AD DS Tools. Check the box next to Active Directory Administrative Center. Click Add Features when prompted. Then click Next.
  8. Then click Install.
  9. You will see a message prompting you to reboot. Right-click the Start button to reboot the server. It will reboot twice.

Install Standard Server 6.2.2

The first Horizon 6 Connection Server must be a Standard Server. Subsequent Horizon 6 Connection Servers are Replicas. Once Horizon 6 Connection Server is installed, there is no difference between them.

A production Horizon 6 Connection Server should have 10 GB of RAM and 4 vCPU. Each Horizon 6 Connection Server can handle 2,000 virtual desktops.

  1. Ensure the Horizon 6 Connection Server has 10 GB of RAM and 4 vCPU.
  2. View Composer cannot be installed on the Horizon 6 Connection Server.
  3. Go to the downloaded Horizon 6 Connection Server 6.2.2 and run VMware-viewconnectionserver-x86_64-6.2.2.exe.
  4. In the Welcome to the Installation Wizard for VMware Horizon 6 Connection Server page, click Next.
  5. In the License Agreement page, select I accept the terms and click Next.
  6. In the Destination Folder page, click Next.
  7. In the Installation Options page, select Horizon 6 Standard Server and click Next.
  8. In the Data Recovery page, enter a password and click Next.
  9. In the Firewall Configuration page, click Next.
  10. In the Initial Horizon 6 View Administrators page, enter an AD group containing your Horizon administrators and click Next.
  11. In the User Experience Improvement Program page, uncheck the box and click Next.
  12. In the Ready to Install the Program page, click Install.
  13. In the Installer Completed page, uncheck the box next to Show the readme file and click Finish.

Install Replica Server 6.2.2

Additional internal Horizon 6 Connection Servers are installed as Replicas. After installation, there is no difference between a Replica server and a Standard server.

A production Horizon 6 Connection Server should have 10 GB of RAM and 4 vCPU. Each Horizon 6 Connection Server can handle 2,000 virtual desktops.

  1. Ensure the Horizon 6 Connection Server has 10 GB of RAM and 4 vCPU.
  2. Go to the downloaded Horizon 6 Connection Server 6.2.2 and run VMware-viewconnectionserver-x86_64-6.2.2.exe.
  3. In the Welcome to the Installation Wizard for VMware Horizon 6 Connection Server page, click Next.
  4. In the License Agreement page, select I accept the terms and click Next.
  5. In the Destination Folder page, click Next.
  6. In the Installation Options page, select Horizon 6 Replica Server and click Next.
  7. In the Source Server page, enter the name of another Horizon 6 Connection Server in the group. Then click Next.
  8. In the Firewall Configuration page, click Next.
  9. In the Ready to Install the Program page, click Install.
  10. In the Installer Completed page, click Finish.
  11. If you are adding this Replica server to a Pod that is already enabled for Global Entitlements, see Setting up the Cloud Pod Architecture feature on a replicated View Connection Server instance.

Horizon 6 Connection Server Certificate

  1. Run mmc, add the Certificates snap-in and point it to Computer > Local Machine.
  2. Request a new certificate with a common name that matches the FQDN of the Connection Server or import a wildcard certificate.
  3. Note: the private key must be exportable. If using the Computer template, click Details then click Properties.
  4. On the Private Key tab, click Key options to expand it and check the box next to Mark private key as exportable.
  5. In the list of certificates, look for the one that is self-signed. The Issuer will be the local computer name instead of a Certificate Authority. Right-click it and click Properties.
  6. On the General tab, clear the Friendly name field and click OK.
  7. Right-click your Certificate Authority-signed certificate and click Properties.
  8. Note: the private key of the certificate you use for Horizon 6 Connection Server must be exportable. To verify, try exporting the certificate. If the option to export the private key is grayed out then this certificate will not work.
  9. On the General tab, in the Friendly name field, enter the text vdm and click OK. Note: only one certificate can have vdm as the Friendly name.
  10. Then restart the VMware Horizon View Connection Server service. It will take several seconds before you can connect to View Administrator.
  11. If the VMware Horizon View Security Gateway Component won’t start then your certificate doesn’t have an exportable private key. The private key must be exportable.

SSL Ciphers

Sven Huisman: Secure your Horizon View security server: from rating F to A-: see the blog post for detailed instructions.

  1. Update the JCE Policy Files to Support High-Strength Cipher Suites.
  2. Use ADSI Edit to change pae-ServerSSLCipherSuites, pae-ServerSSLSecureProtocols, pae-ClientSSLCipherSuites, and pae-ClientSSLSecureProtocols.
  3. Or you can edit C:\Program Files\VMware\VMware View\Server\sslgateway\conf\locked.properties.
  4. If this Horizon 6 Connection Server or Horizon 6 Security Server is publicly accessible, check it at ssllabs.com.

Horizon Portal – Client Installation Link

If you point your browser to the Horizon 6 Connection Server, the Install VMware Horizon Client link redirects to the VMware.com site for downloading of Horizon Clients. You can change it so that the Horizon Clients can be downloaded directly from the Horizon 6 Connection Server.

  1. On the Horizon 6 Connection Server, go to C:\Program Files\VMware\VMware View\Server\broker\webapps. Create a new folder called downloads.
  2. Copy the downloaded Horizon Clients to the new C:\Program Files\VMware\VMware View\Server\broker\webapps\downloads folder.
  3. Run Notepad as administrator.
  4. Open the file C:\ProgramData\VMware\VDM\portal\portal-links-html-access.properties with a text editor (as Administrator).
  5. Go back to the downloads folder and copy the Horizon Client filename.
  6. In Notepad, modify link.win32 and link.win64 by specifying the relative path to the Horizon Client executable under /downloads. The following example shows a link for Horizon Client for Windows x64:
    link.win64=/downloads/VMware-Horizon-View-Client-x86_64-3.5.2-3150477.exe
    Then save the file.
  7. Restart the VMware Horizon View Web Component service.

It will take a few seconds for the ws_TomcatService process to start so be patient. If you get a 503 error then the service is not done starting.

Now when you click the link to download the client it will grab the file directly from the Horizon 6 Connection Server.
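A quick sanity check for the edit above, added here as an example (it is not part of the original post and not VMware's code): it reads the link.win32 / link.win64 entries from the properties text and verifies each one is a relative path under /downloads that resolves to a real file in the broker's webapps\downloads folder, which is what a 404 on the portal link usually comes down to. The function names, the minimal properties reader, and the x86 filename in the sample are assumptions; the properties key names and the x64 filename are the ones the post shows.

```python
import os
import tempfile

# Keys the post tells you to edit in portal-links-html-access.properties.
PORTAL_LINK_KEYS = ("link.win32", "link.win64")


def read_properties(text):
    """Minimal Java-properties reader: key=value lines, '#' and '!' start comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, val = line.partition("=")
        if sep:
            props[key.strip()] = val.strip()
    return props


def check_portal_links(properties_text, webapps_dir):
    """Return {key: problem or None} for each client download link.

    A link must be a relative path under /downloads and the file must exist in
    <webapps_dir>/downloads. A missing key means the portal still redirects to vmware.com.
    """
    props = read_properties(properties_text)
    results = {}
    for key in PORTAL_LINK_KEYS:
        link = props.get(key)
        if link is None:
            results[key] = "not set (portal still redirects to vmware.com)"
        elif not link.startswith("/downloads/"):
            results[key] = f"not under /downloads: {link}"
        elif os.path.isfile(os.path.join(webapps_dir, *link.lstrip("/").split("/"))):
            results[key] = None
        else:
            results[key] = f"file missing: {link}"
    return results


# Constructed sample properties: the x64 link from the post plus an assumed x86 link.
SAMPLE_PROPS = """\
# portal-links-html-access.properties (constructed excerpt)
link.win64=/downloads/VMware-Horizon-View-Client-x86_64-3.5.2-3150477.exe
link.win32=/downloads/VMware-Horizon-View-Client-x86-3.5.2-3150477.exe
"""


def demo():
    """Build a throwaway webapps folder containing only the x64 client, then check both links."""
    with tempfile.TemporaryDirectory() as webapps:
        os.makedirs(os.path.join(webapps, "downloads"))
        x64 = os.path.join(webapps, "downloads", "VMware-Horizon-View-Client-x86_64-3.5.2-3150477.exe")
        with open(x64, "wb") as f:
            f.write(b"placeholder")  # stand-in for the real installer
        return check_portal_links(SAMPLE_PROPS, webapps)
```

Run demo() after the file edit (pointing it at the real webapps folder instead of the temporary one) to see which links would 404 before restarting the Web Component service.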

LDAP Edits

Mobile Client – Save Password

If desired, you can configure Horizon 6 Connection Server to allow mobile clients (iOS, Android) to save user passwords.

  1. On the Horizon 6 Connection Server, run ADSI Edit.
  2. Right-click ADSI Edit and click Connect to…
  3. Change the first selection to Select or type a Distinguished Name and enter dc=vdi,dc=vmware,dc=int.
  4. Change the second selection to Select or type a domain or server and enter localhost. Click OK.
  5. Navigate to Properties > Global. On the right, double-click CN=Common.
  6. Scroll down, click to highlight pae-ClientCredentialCacheTimeout and click Edit.
  7. Enter a value in minutes. 0 = no saving of credentials. -1 = no timeout. Click OK.

iOS TouchID

vDelboy – How to Enable Touch ID in VMware Horizon 6.2

  1. On the Horizon 6 Connection Server, run ADSI Edit.
  2. Right-click ADSI Edit and click Connect to…
  3. Change the first selection to Select or type a Distinguished Name and enter dc=vdi,dc=vmware,dc=int.
  4. Change the second selection to Select or type a domain or server and enter localhost. Click OK.
  5. Navigate to Properties > Global. On the right, double-click CN=Common.
  6. Find the attribute pae-ClientConfig and double-click it.
  7. Enter the line BioMetricsTimeout=-1 and click Add. Click OK. The change takes effect immediately.

Ciphers

VMware 2130289 Using client drive redirection or file association with the secure tunnel enabled might have performance issues

When using client drive redirection (CDR) or file association with the secure tunnel enabled, you might encounter performance issues when transferring CDR data between Horizon Clients and remote desktop machines. (File association is the ability to open local files with a remote application.)

Amend your acceptance policies to remove the following GCM-based cipher suites:

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

To change a global acceptance policy, you can edit a single-valued attribute, pae-ServerSSLCipherSuites, in View LDAP on any View Connection Server instance. This attribute lists the cipher suites used by View Connection Server or security server. Take these steps:

  1. Start the ADSI Edit utility on your View Connection Server computer.
  2. In the Console tree, select Connect to.
  3. In the Select or type a Distinguished Name or Naming Context text box, type the distinguished name DC=vdi, DC=vmware, DC=int.
  4. In the Select or type a domain or server text box, select or type localhost:389 or the fully qualified domain name (FQDN) of the View Connection Server computer followed by 389. For example: localhost:389 or mycomputer.mydomain.com:389
  5. Expand the ADSI Edit Tree, expand OU=properties, select OU=global, and select CN=common in the right pane.
  6. On the object CN=common, OU=global, OU=properties, select the pae-ServerSSLCipherSuites attribute.
  7. Set the following list of cipher suites:
    \LIST:TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
    TLS_RSA_WITH_AES_128_CBC_SHA,
    TLS_RSA_WITH_AES_256_CBC_SHA

    Remove the line breaks that were inserted in the preceding list for clarity. The order of the cipher suites is unimportant.

  8. Restart the VMware Horizon View Connection Server service.

For more information about setting acceptance policies for cipher suites, see “Configuring Security Protocols and Cipher Suites on a View Connection Server Instance or on a Security Server” in the View Security guide at http://pubs.vmware.com/horizon-62-view/topic/com.vmware.horizon-view.security.doc/GUID-7F6963F5-D5FC-47B2-9AE7-1FE5B8600723.html.
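The pae-ServerSSLCipherSuites value has a specific shape (a \LIST: prefix, comma-separated suite names, no line breaks), and the KB workaround above, like the SSL Ciphers section earlier, comes down to getting that string right. The following is an added example, not the post's or VMware's code: it builds the attribute value from a suite list, parses an existing value back, and reports any GCM suites still present (the ones the KB removes) or suites outside the KB's list. Function names and the constructed "before" value are assumptions; the suite names and format are the ones the post gives. It does not talk to ADSI; it only prepares and checks the value you paste in.

```python
# Cipher suites KB 2130289 keeps (CBC only), exactly as listed in step 7 above.
KB_2130289_SUITES = [
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
]

LIST_PREFIX = "\\LIST:"   # literal backslash-LIST-colon, as in the View LDAP attribute


def build_cipher_attribute(suites):
    """Return the attribute value: \\LIST: followed by the suites, comma-separated, no whitespace."""
    cleaned = []
    for s in suites:
        s = "".join(s.split())            # drop spaces/line breaks left over from copy-paste
        if not s.startswith("TLS_"):
            raise ValueError(f"not a TLS cipher suite name: {s!r}")
        if s not in cleaned:              # the order is unimportant; duplicates add nothing
            cleaned.append(s)
    return LIST_PREFIX + ",".join(cleaned)


def parse_cipher_attribute(value):
    """Split an existing attribute value back into suite names (tolerates pasted line breaks)."""
    if not value.startswith(LIST_PREFIX):
        raise ValueError("value does not start with \\LIST:")
    body = "".join(value[len(LIST_PREFIX):].split())
    return [s for s in body.split(",") if s]


def audit_cipher_attribute(value):
    """Report GCM suites (which the KB workaround removes) and suites outside the KB list."""
    suites = parse_cipher_attribute(value)
    return {
        "gcm": [s for s in suites if "_GCM_" in s],
        "not_in_kb_list": [s for s in suites if s not in KB_2130289_SUITES],
        "count": len(suites),
    }


# Constructed sample of a value before the workaround: the two GCM suites the KB
# names are still present ahead of the CBC suites it keeps.
SAMPLE_BEFORE = (LIST_PREFIX + "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,"
                 "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384," + ",".join(KB_2130289_SUITES))

if __name__ == "__main__":
    print(audit_cipher_attribute(SAMPLE_BEFORE))
    print(build_cipher_attribute(KB_2130289_SUITES))
```

Paste the current attribute value from ADSI Edit into audit_cipher_attribute to confirm the GCM suites are gone after the change, and use build_cipher_attribute to produce the single-line value step 7 asks for.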

Load Balancing

See Carl Stalhood’s Horizon View Load Balancing using NetScaler 11.

Remote Desktop Licensing

If you plan to build RDS Hosts, then install Remote Desktop Licensing somewhere. You can install it on your Horizon 6 Connection Servers by following the procedure at https://www.carlstalhood.com/controller/#rdlicensinginstall.

Horizon Toolbox 2

Install the Horizon Toolbox Fling on your View Connection Servers. This is a web-based tool that adds the following functionality:

  • Auditing of user sessions
  • Auditing of virtual machine snapshots
  • Auditing of Horizon Client Versions
  • Remote Assistance – users request assistance from administrators
  • Virtual Machine Remote Console
  • Power Policy for pools

To use the Toolbox, make sure the following are enabled in your View Connection Server pod:

  • Events database
  • Customer Experience Improvement Program

.NET Framework 3.5 and Remote Assistance

  1. On the View Connection Server, in Server Manager, open the Manage menu and click Add Roles and Features.
  2. In the Features page, select .NET Framework 3.5.
  3. Scroll down, select Remote Assistance and click Next. This feature is only needed if you will respond to Remote Assistance requests directly from the View Connection Server.
  4. In the Confirmation page, click Specify an alternate source path.
  5. Mount or extract the Windows Server 2012 R2 ISO.
  6. Enter the path to the sources folder on the Windows Server 2012 R2 ISO and click OK. Then click Install.

Toolbox Installer

  1. Download the Fling. Check the box next to I have read and agree and click Download.
  2. Run the downloaded VMWARE-Horizon-Toolbox-x64-2.0.1.msi.
  3. In the Welcome to the HorizonToolbox Setup Wizard page, click Next.
  4. In the Select Installation Folder page, select Everyone and click Next.
  5. In the Confirm Installation page, click Next.
  6. In the Installation Complete page, click Close.

Firewall

  1. Run Windows Firewall with Advanced Security.
  2. Create a new Inbound Rule for port 18443.
  3. Select Port and click Next.
  4. Enter TCP 18443 as the local port and click Next.
  5. Allow the connection and click Next.
  6. Name the rule Horizon Toolbox or something like that. Click Finish.

Toolbox Certificate

Horizon Toolbox comes with a self-signed certificate. It can be replaced by doing the following:

  1. Copy a certificate .pfx file to C:\Program Files\VMware\HorizonToolbox\HorizonToolbox2.0.1\conf.
  2. Edit the file server.xml that’s in the same conf folder.
  3. Scroll down to the <Connector port="18443" section (near line 85).
  4. Change the keystoreFile attribute to the name of your .pfx file.
  5. Change the keystorePass attribute to the password for your .pfx file.
  6. Add a new attribute keystoreType="PKCS12".
  7. Save and close the file.
  8. Restart the Apache Tomcat 8.0 Tomcat8 service.
  9. Point your browser to https://view.corp.local:18443/toolbox.
  10. Login using View Administrator credentials.

Toolbox Remote Assistance

  1. On the Horizon 6 Agent machine, navigate to the View Connection Server Horizon Toolbox folder \\vcs01\c$\Program Files\VMware\HorizonToolbox\HorizonToolbox2.0.1\webapps\toolbox\static\ra and run Horizon_Remote_Assistance_Installer_v1035.exe.
  2. You might be prompted to install .NET Framework 3.5.
  3. Click Install for End User.
  4. Click OK to launch Remote Assistance.
  5. Close Remote Assistance.
  6. When done, click Finish.
  7. Users can initiate a request by clicking the Horizon Remote Assistance icon on the desktop.
  8. Click OK to submit a request.
  9. Support people can see support requests in the Toolbox interface on the Remote Assistance tab.