VMware Horizon 6 Composer

Last Modified: Sep 2, 2018 @ 7:50 am

Navigation

Planning

vCenter Server planning:

  • A single vCenter Server can handle 10,000 VMs. However, this is a single point of failure. VMware recommends separate vCenter servers for each 2,000 VMs. More vCenter Servers means more concurrent vCenter operations, especially if your pools are configured for Refresh on Logoff.
  • Each ESXi cluster is managed by one vCenter Server.
  • Don’t use existing vCenter servers. Build separate vCenter servers for the vSphere clusters that host Agent VMs. Horizon licenses includes vCenter licenses so there’s no excuse to not use separate vCenter servers.

Horizon Composer server planning:

  • Each vCenter Server requires its own View Composer. There’s a one-to-one mapping.
  • View Composer cannot be installed on a Horizon 6 Connection Server.
  • View Composer server with 2vCPU, 4 GB RAM can support up to 2,000 virtual machines with up to 1,000 per pool.
  • View Composer server with 4 vCPU, 10 GB RAM can support up to 10,000 virtual machines with up to 2,000 per pool.

A remote SQL Server is needed for databases:

  • vCenter database
  • Horizon Composer database
  • Horizon Events database
  • Supported SQL versions are listed at pubs.vmware.com.

SQL Server Preparation

Only SQL Authentication is supported.

  1. Open the properties of the SQL Server.
  2. On the Security page, make sure SQL Server authentication is enabled.
  3. Create a new SQL database for View Composer.
  4. Call it VMwareViewComposer or similar. Then switch to the Options page.
  5. Select your desired Recovery model and click OK.
  6. View Composer only supports SQL authentication on remote SQL servers. Expand Security, right-click Logins and click New Login to create a new SQL login.
  7. Name the new account.
  8. Select SQL Server authentication.
  9. Enter a password for the new account.
  10. Uncheck the box next to Enforce password policy.
  11. Then switch to the User Mapping page.
  12. On the User Mapping page, check the Map box for VMwareViewComposer.
  13. On the bottom, check the box for the db_owner role and click OK.

.NET Framework 3.5.1

  1. Composer requires .NET Framework 3.5.1, which is not installed by default on Windows Server 2012 R2. In Server Manager, open the Manage menu and click Add Roles and Features.
  2. In the Before You Begin page, click Next.
  3. In the Select installation type page, click Next.
  4. In the Select destination server page, click Next.
  5. In the Select server roles page, click Next.
  6. In the Select features page, expand .NET Framework 3.5 features and select .NET Framework 3.5. Click Next.
  7. In the Confirm installation selections page, click Specify an alternate source path. Note: you will need the Windows Server 2012 R2 media.
  8. Enter the path to the \sources\sxs folder on the Windows Server 2012 R2 media and click OK.
  9. Then click Install.
  10. In the Results page, click Close.

SQL Native Client

  1. On the View Composer server, run sqlncli.msi.
  2. In the Welcome to the Installation Wizard for SQL Server 2012 Native Client page, click Next.
  3. In the License Agreement page, select I accept and click Next.
  4. In the Feature Selection page, click Next.
  5. In the Ready to Install the Program page, click Install.
  6. In the Completing the SQL Server 2012 Native Client installation page, click Finish.

ODBC

  1. On the View Composer server, run ODBC Data Sources (64-bit).
  2. On the System DSN tab, click Add.
  3. Select SQL Server Native Client and click Finish.
  4. Enter the name ViewComposer for the DSN and enter the SQL server name. Click Next.
  5. Change the selection to With SQL Server authentication and enter the credentials of the new ViewComposer SQL account. Then click Next.
  6. Check the box next to Change the default database and select the VMwareViewComposer database. Then click Next.
  7. Click Finish.
  8. Click OK twice.

Install – Composer

  1. Don’t install on Horizon 6 Connection Server: View Composer cannot be installed on the Horizon 6 Connection Server. They must be separate machines. View Composer is typically installed on vCenter server for less than 1000 linked clones.
  2. Extra Memory for vCenter: If you install View Composer on a vCenter server, VMware recommends adding 8 GB of RAM to the server. See VMware 2105261 Intermittent provisioning issues and generic errors when Composer and vCenter Server are co-installed
  3. vCenter Service Account: if you install View Composer on a vCenter server, login as the same account that was used to install vCenter. See VMware 2017773 Installing or upgrading View Composer fails with error: The wizard was interrupted before VMware View Composer could be completely installed
  4. Internet access for CRL checking: If the View Composer server does not have Internet access, see VMware 2081888 Installing Horizon View Composer fails with the error: Error 1920 Service VMware Horizon View Composer (svid) failed to start
  5. Install: Go to the downloaded View Composer 6.2.2 and run VMware-viewcomposer-6.2.2.exe.
  6. In the Welcome to the Installation Wizard for VMware Horizon 6 Composer page, click Next.
  7. In the License Agreement page, select I accept the terms and click Next.
  8. In the Destination Folder page, click Next.
  9. In the Database Information page, enter the name of the ODBC DSN.
  10. Enter the SQL account credentials (no Windows accounts) and click Next. For remote SQL databases, only SQL accounts will work. The SQL account must be db_owner of the database.
  11. In the VMware Horizon 6 Composer Port Settings page, click Next.
  12. In the Ready to Install the Program page, click Install.
  13. In the Installer Completed page, click Finish.
  14. Click Yes when asked to restart the computer.
  15. If you encounter installation issues, see VMware 2087379 VMware Horizon View Composer help center

Administrator Permissions

If View Composer is installed on a standalone server (not on vCenter), Horizon 6 Connection Server will need a service account with administrator permissions on the View Composer server. Add your View Composer Service Account to the local Administrators group.

Composer Certificate

  1. Stop the VMware Horizon 6 Composer service.
  2. Open the MMC Certificates snap-in. Open your Certificate Authority-signed certificate and on the Details tab note the Thumbprint.
  3. Run Command Prompt as Administrator
  4. Change the directory to C:\Program Files (x86)\VMware\VMware View Composer.
  5. Run sviconfig -operation=replacecertificate -delete=false.
  6. Select your Certificate Authority-signed certificate. Use the thumbprint to verify.
  7. Then restart the VMware Horizon 6 Composer service.

SQL Database Maintenance

SQL password: The password for the SQL account is stored in C:\Program Files (x86)\VMware\VMware View Composer\SviWebService.exe.config. To change the password, run SviConfig ?operation=SaveConfiguration as detailed at VMware 1022526 The View Composer service fails to start after the Composer DSN password is changed.

Database Move: To move the database to a new SQL server, you must uninstall Composer and reinstall it. See VMware 2081899 VMware Horizon View Composer fails to work properly after migrating the Composer database to a new SQL server

Related Pages

VMware Unified Access Gateway 3.6

Last Modified: Jul 14, 2019 @ 4:20 pm

Navigation

💡 = Recently Updated

Change Log

Overview

Unified Access Gateway provides remote connectivity to internal Horizon Agent machines. For an explanation of how this works (i.e. traffic flow), see Understanding Horizon Connections at VMware Tech Zone. 💡

Unified Access Gateway (formerly known as Access Point) is a replacement for Horizon Security Servers. Advantages include:

  • You don’t need to build extra Connection Servers just for pairing. However, you might want extra Horizon Connection Servers so you can filter pools based on tags.
  • Between Unified Access Gateway and Horizon Connection Servers you only need TCP 443. No need for IPSec or 4001 or the other ports. You still need 4172, 22443, etc. to the View Agents.
  • No need to enable Gateway/Tunnel on the internal Horizon Connection Servers.
  • Additional security with DMZ authentication. Some of the Authentication methods supported on Unified Access Gateway are RSA SecurID, RADIUS, CAC/certificates, etc.

However:

  • It’s Linux. You can deploy and configure the appliance without any Linux skills. But you might need some Linux skills during troubleshooting.

Horizon View Security Server is still developed and supported so you’re welcome to use that instead of Unified Access Gateway. But some of the newer Blast Extreme functionality only works in Unified Access Gateway (Access Point) 2.9 and newer. See Configure the Blast Secure Gateway at VMware Docs.

More information at VMware Blog Post Technical Introduction to VMware Unified Access Gateway for Horizon Secure Remote Access.

Horizon Compatibility – Refer to the interoperability matrix for the latest compatibility data for each version of Unified Access Gateway.

UAG Editions – Unified Access Gateway (UAG) 3.4 newer come in three editions – Standard, Advanced, and Enterprise. UAG 3.5 removed the editions. UAG 3.3 never had editions. To avoid editions, don’t deploy UAG 3.4.

Download one of the following versions of UAG:

Then download the PowerShell deployment scripts on the same UAG download page.

Firewall

VMware Technical White Paper Blast Extreme Display Protocol in Horizon 7, and Firewall Rules for DMZ-Based Unified Access Gateway Appliances at VMware Docs.

Open these ports from any device on the Internet to the Unified Access Gateway Load Balancer VIP:

  • TCP and UDP 443 (includes Blast Extreme)
  • TCP and UDP 4172. UDP 4172 must be opened in both directions. (PCoIP)
  • TCP and UDP 8443 (for HTML Blast)

Open these ports from the Unified Access Gateways to internal:

  • TCP 443 to internal Connection Servers (through a load balancer)
  • TCP and UDP 4172 (PCoIP) to all internal Horizon View Agents. UDP 4172 must be opened in both directions.
  • TCP 32111 (USB Redirection) to all internal Horizon View Agents.
  • TCP and UDP 22443 (Blast Extreme) to all internal Horizon View Agents.
  • TCP 9427 (MMR and CDR) to all internal Horizon View Agents.

Open these ports from any internal administrator workstations to the Unified Access Gateway appliance IPs:

  • TCP 9443 (REST API)
  • TCP 80/443 (Edge Gateway)

Network Profile

Note: in Unified Access Gateway 3.3 and later, Network Protocol Profile is no longer necessary and you can skip this section.

  1. Before importing the Unified Access Gateway OVF, you will need to configure a Network Profile. In vSphere Web Client, go to the Datacenter object. On the right, switch to the Manage (or Configure) tab > Network Protocol Profiles.
  2. Click the plus icon.

  3. In the Select name and network page, enter a name, select the DMZ VM Network for your Unified Access Gateway appliance, and click Next.

  4. In the Configure IPv4 page, enter the subnet information, and Gateway.
  5. Don’t configure an IP pool. Click Next.
  6. In the Ready to complete page, click Finish.
  7. If you are configuring multiple NICs on your Unified Access Gateway, create Network Protocol Profile for the remaining subnets.

Import OVF

Mark Benson at VMware Communities Using PowerShell to Deploy VMware Unified Access Gateway has a PowerShell script that runs OVF Tool to deploy and configure Unified Access Gateway. The PowerShell script is updated as newer versions of Unified Access Gateways are released. This is the recommended method of deploying Unified Access Gateway.

In UAG 3.3.1.0 and newer, the PowerShell deployment script is downloadable from the UAG 3.6, UAG 3.5 or UAG 3.3.2.0 download page.

Some notes regarding the PowerShell script:

  • If the OVA path has spaces in it, do not include quotes in the .ini file. The script adds the quotes automatically.
  • For the target parameter, specify a cluster name instead of a host. If spaces, there’s no need for quotes. For example:
    target=vi://admin@corp.local:PASSWORD@vcenter02.corp.local/Datacenter/host/Cluster 1
  • Special characters in the vCenter password must be encoded. Use a URL encoder tool (e.g. https://www.urlencoder.org/) to encode the password. Then paste the encoded password when prompted by the ovftool. The UAG passwords do not need encoding, but the vCenter password does.

There is no upgrade process for Unified Access Gateway. You must delete the old appliance and deploy a new one. To speed up the deployment, either use the PowerShell deployment script, or export the settings from the old appliance and import into the new appliance.

Upgrade

To upgrade from an older appliance, you delete the old appliance, and import the new one. Before deleting the older appliance, export your settings:

  1. Login to the UAG at https://<Your_UAG_IP>:9443/admin/index.html.
  2. In the Configure Manually section, click Select.
  3. Scroll down to the Support Settings section, and then click the JSON button next to Export Unified Access Gateway Settings.

Deploy

To deploy the Unified Access Gateway using VMware vSphere Client:

  1. Download UAG. Refer to the compatibility matrix for the latest compatibility data for each version.
  2. In vSphere Client, right-click a cluster, and click Deploy OVF Template. Note: the HTML5 UI client in vSphere 6.5 Update 2 and newer might work for single NIC. But multi-NIC is only supported in the Flash UI (source = Hilko Lantinga in the comments)

  3. Select Local File. In the Select source page, browse to the downloaded euc-unified-access-gateway-3.6.0.0.ova file, and click Next.


  4. In the Select name and location page, give the machine a name, and click Next.

  5. In the Review Details page, click Next.
  6. In the Select configuration page, select a Deployment Configuration. See DMZ Design for VMware Unified Access Gateway and the use of Multiple NICs at VMware Communities. Click Next.

  7. In the Select storage page, select a datastore, select a disk format, and click Next.

  8. Even if you select Single NIC, the OVF deployment wizard asks you for multiple NICs. UAG typically goes in the DMZ.
  9. In the Customize template page, select STATICV4, and scroll down. Note: HTML5 UI vSphere Web client displays the settings in a different order than the Flash vSphere Client.
  10. In the NIC1 (eth0) IPv4 address field, enter the NIC1 (eth0) IPv4 address. Scroll down.
  11. Enter DNS addresses, Gateway, and Subnet Mask. Scroll down.

  12. Scroll down and enter more IP info.
  13. Scroll down.
  14. Enter a Unified Gateway Appliance Name.
  15. Scroll down. Expand Password Options, and enter passwords.

  16. In UAG 3.5 and newer, there’s a new checkbox for Enable SSH.
  17. Click Next.
  18. In the Ready to complete page, click Finish.

UAG Admin Interface

  1. Power on the Unified Access Gateway appliance.
  2. If the appliance initially boots with the wrong IP, then a reboot might fix it.
  3. In Unified Access Gateway and Access Point 2.8 and later, you can point your browser to https://My_UAG_IP:9443/admin/index.html, and login as admin.

Import Settings

  1. If you have previously exported settings, you can import it now by clicking Select in the Import Settings section.
  2. Browse to the previously exported UAG_Settings.json file and then click Import.
  3. It should say UAG settings imported successfully.
  4. Press <F5> on your keyboard to refresh the browser.

Configure Horizon Settings

  1. To manually configure the appliance, under Configure Manually, click Select.
  2. Next to Edge Service Settings, click Show.
  3. Next to Horizon Settings, click the gear icon.
  4. Change Enable Horizon to Yes.
  5. As you fill in these fields, hover over the information icon to see the syntax.
  6. The Connection Server URL should point to the internal load balanced DNS name (URL) for your internal Connection Servers.

    1. For the Connection Server URL Thumb print, get the thumbprint from the internal Horizon View certificate. Point your browser to the internal Horizon View Connection Server FQDN (load balanced), and click the padlock icon to open the certificate. If using Chrome, you have to open the Developer Tools (F12), switch to the Security tab, and then click View Certificate. If you don’t see the Security tab, then click the double right arrows.
    2. On the Details tab, copy the Thumbprint.
  7. In the Proxy Destination URL Thumb Prints field, type in sha1= and paste the certificate thumbprint.
  8. At the beginning of the Thumbprint field, immediately after the equals sign, there might be a hidden character. Press the arrow keys on the keyboard to find it. Then delete the hidden character.
  9. Enable the three PCOIP, Blast, and Tunnel Gateways and perform the following configurations:
    1. For PCOIP External URL, enter the external IP or external FQDN and :4172. The IP or FQDN should point to your external load balancer that’s load balancing UDP 4172 and TCP 4172 to multiple Unified Access Gateways.
    2. For Blast External URL, enter https://<FQDN>:443 (e.g. https://view.corp.com:443). This FQDN should resolve to your external load balancer that’s load balancing UDP 443 and TCP 443 to multiple Unified Access Gateways.
    3. For Tunnel External URL, enter https://<FQDN>:443 (e.g. https://view.corp.com:443). This FQDN should resolve to your external load balancer that’s load balancing TCP 443 to multiple Unified Access Gateways.
    4. The external load balancer must be capable of using the same persistence across multiple port numbers. On NetScaler, this feature is called Persistency Group. On F5, the feature is called Match Across.
  10. Then click More.
  11. Unified Access Gateway has a default list of paths it will forward to the Horizon Connection Server. You can edit the Proxy Pattern and add /|/downloads(.*) to the list so users can also download Horizon Clients that are stored on your Horizon View Connection Servers.
  12. Scroll down and click Save when done.
  13. If you click the arrow next to Horizon Settings, then it shows you the status of the Edge services.

    • If all you see is Not Configured, then refresh your browser and then click the Refresh Status icon.
  14. In your Horizon Connection Servers, the Secure Gateways (e.g. PCoIP Gateway) should be disabled.
    1. Go to Horizon Console or Horizon Administrator.
    2. Expand Settings and click Servers. Or expand View Configuration, and click Servers.

    3. On the right, switch to the tab named Connection Servers.

    4. Highlight your Connection Servers, and click Edit.

    5. Then uncheck or disable all three Tunnels/Gateways.

    6. If Horizon 7, HTML Access won’t work through Unified Access Gateway unless you disable Origin Check or configure the Connection Server’s locked.properties with the UAG addresses. Also see 2144768 Accessing the Horizon View Administrator page displays a blank error window in Horizon 7.

Add UAG to Horizon Administrator

In Horizon 7.7 and newer, you can add UAG 3.4 and newer to Horizon Administrator so you can check its status in the Dashboard.

  1. In UAG Admin console, under Advanced Settings, click the gear icon next to System Configuration.
  2. At the top of the page, change the UAG Name to a friendly name. You’ll use this name later.
  3. Click Save at the bottom of the page.
  4. In Horizon Console, on the left, expand Settings and click Servers. Or in Horizon Administrator, on the left, expand View Configuration and then click Servers.

  5. On the right, switch to the tab named Gateways.

  6. Click the Register button.

  7. In the Gateway Name field, enter the friendly name you specified earlier, and then click OK.

  8. Use a Horizon Client to connect through a Unified Access Gateway. Horizon Console and/or Horizon Administrator only detects the UAG status for active sessions.
  9. In Horizon Administrator (not Horizon Console), on the top left, click Dashboard.
  10. In the middle, expand Gateways and click your gateway to see its status.
  11. In Horizon Administrator, you can go to Monitoring > Sessions to see the Gateway that users are connected to.

Other UAG Configurations

  1. If you want Unified Access Gateway to authenticate users using non-AD methods (e.g. two-factor), enable the Authentication Settings section, and configure the settings as appropriate for your requirements. See Configuring Authentication in DMZ at VMware Docs.
  2. Ciphers are configured under Advanced Settings > System Configuration.

    • Carlo Costanzo at How to get an A+ from Qualys SSLLabs on your Horizon UAG deployment recommends the following cipher suites: 💡
      TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
    • Also enable Honor Cipher Order.
    • Syslog is also configured here.
    • In UAG 3.6 and newer, at the bottom of the System Configuration page are several settings for SNMP, DNS, and NTP.
  3. UAG 3.6 and newer let you add static routes to each NIC.
    1. Click Network Settings.
    2. Click the gear icon next to a NIC.
    3. Click IPv4 Configuration to expand it and then configure IPv4 Static Routes.
  4. UAG supports High Availability Settings.

    1. With the High Availability Virtual IP address, you might not need load balancing of the UAG appliances. See Unified Access Gateway High Availability at VMware Docs.
      1. The High Availability feature requires three IP addresses and three DNS names:
        1. One IP/FQDN for the High Availability Virtual IP.
        2. And one IP/FQDN for each appliance/node.
      2. The Horizon Edge Gateways should be set to node-specific IP addresses and node-specific DNS names. Each appliance is set to a different IP/FQDN.
      3. The Virtual IP (and its DNS name) is only used for the High Availability configuration.
      4. The YouTube videos What’s New Unified Access Gateway 3 4 and High Availability on VMware Unified Access Gateway Feature Walk-through explain the High Availability architecture.
    2. Set the Mode to ENABLED.
    3. Enter a new Virtual IP Address which is active on both appliances.
    4. Enter a unique Group ID between 1 and 255 for the subnet.
    5. Click Save.
    6. On the second appliance, configure the exact same High Availability Settings.
  5. To upload a valid certificate, scroll down to the Advanced Settings section, and next to TLS Server Certificate Settings, click the gear icon.

    1. In Unified Access Gateway 3.2 and newer, you can apply the uploaded certificate to Internet InterfaceAdmin Interface, or both.
    2. In Unified Access Gateway 3.0 and newer, change the Certificate Type to PFX, browse to a PFX file, and then enter the password. This PFX file certificate must match the Public FQDN (load balanced) for Unified Access Gateway.
    3. Leave the Alias field blank.
    4. Click Save.

    5. If you changed the Admin Interface certificate, then you will be prompted to close the browser window and re-open it.
  6. Or, you can upload a PEM certificate/key (this is the only option in older UAG). Next to Private Key, click the Select link.

    1. Browse to a PEM keyfile. If not running Unified Access Gateway 3.0 or newer, then certificates created on Windows (PFX files) must be converted to PEM before they can be used with Unified Access Gateway. You can use openssl commands to perform this conversion. The private key should be unencrypted.
    2. Browse to a PEM certificate file (Base-64) that contains the server certificate, and any intermediate certificates. The server certificate is on top, the intermediate certificates are below it. The server certificate must match the public FQDN (load balanced) for the Unified Access Gateway.
    3. Click Save when done.
  7. UAG 3.1 and newer have an Endpoint Compliance Check feature. The feature requires an OPSWAT subscription. The OPSWAT agent is deployed to endpoints out-of-band. It’s pass/fail. See Endpoint Compliance Checks for Horizon at VMware Docs. And the YouTube video Endpoint Compliance Checks: New VMware Horizon Security Feature.

  8. Scroll down to Support Settings and click the icon next to Export Unified Access Gateway Settings to save the settings to a JSON file. If you need to rebuild your Unified Access Gateway, simply import the the JSON file.
  9. If you point your browser to the Unified Access Gateway external URL, you should see the Horizon View Connection Server portal page. Horizon Clients should also work to the Unified Access Gateway URL.

Monitor Sessions

In UAG 3.4 and newer, in the UAG Admin interface,

  • At the top of the page, next to Edge Service Settings, you can see the number of Active Sessions on this appliance.
  • At the bottom of the page, under Support Settings, click Edge Service Session Statistics to see more details.

In older versions of UAG, to see existing Horizon connections going through UAG, point your browser to https://uag-hostname-or-ip-addr:9443/rest/v1/monitor/stats.

Andrew Morgan at Viewing VMware Unified Access Gateway statistics with REST created a PowerShell module that calls this REST API.

Logs and Troubleshooting

In Access Point 2.8, and Unified Access Gateway (2.9 and newer), you can download logs from the Admin Interface.

You can also review the logs at /opt/vmware/gateway/logs. You can less these logs from the appliance console.

Or you can point your browser to https://MyApplianceIP:9443/rest/v1/monitor/support-archive. This will download a .zip file with all of the logfiles. Much easier to read in a GUI text editor.

For initial configuration problems, check out admin.log.

For Horizon View brokering problems, check out esmanager.log.

By default, tcpdump is not installed on UAG. To install it, login to the console and run /etc/vmware/gss-support/install.sh

Load Balancing

If NetScaler, see https://www.carlstalhood.com/vmware-horizon-unified-access-gateway-load-balancing-netscaler-12/ load balance Unified Access Gateways.

For VMware NSX load balancing of Unified Access Gateways, see the VMware® NSX for vSphere End-User Computing Design Guide 1.2.

Related Pages

VMware User Environment Manager 9.8

Last Modified: Jul 26, 2019 @ 7:48 am

Navigation

This post applies to all User Environment Manager versions including: 9.4.1 (ESB), and 9.8.

💡 = Recently Updated

Change Log

Upgrade

If you are performing a new installation, skip to the Installation Prerequisites section.

When upgrading an existing installation of User Environment Manager, upgrade the FlexEngine on the Horizon Agents first.

From UEM Upgrade 8.7 to 9.2.1 at VMware Communities: The newest FlexEngine (v9.2.1) can still interpret the INI files from v8.7. After your clients (FlexEngine) have been upgraded, you can upgrade the management console, which allow for new options, like elevated privileges and others, which (when enabled) can now be correctly interpreted by the upgraded clients (FlexEngine). After that update the ADMX files.

Installation Prerequisites

Before performing the procedures detailed on this page, make sure you’ve imported the UEM GPO ADMX templates, created the GPOs for Horizon, and configured the Horizon GPOs for User Environment Manager.

VMware Tech Paper Antivirus Considerations for VMware Horizon 7: exclusions for Horizon View, App Volumes, User Environment Manager, ThinApp

VMware Workspace Tech Zone has an excellent Quick-Start Tutorial for User Environment Manager. It’s around 130 printed pages.

Mandatory Profile

Mandatory Profile Creation instructions:

If you want to use User Environment Manager with a Mandatory Profile then follow these basic instructions to create the mandatory profile.

Note: these instructions no longer work in Windows 10 1703. See James Rankin How to create mandatory profiles in Windows 10 Creators Update (1703) for updated instructions.

  1. The mandatory profile is stored in a sub-folder of a file share. Either identify an existing file share (e.g. UEMConfig) or create a new file share.
  2. Login to the Horizon 6 Agent machine as a template account. Do any desired customizations. Logoff.
  3. Make sure you are viewing hidden files and system files.
  4. Copy C:\Users\%username% to your fileshare and rename the folder to mandatory.v2 or something similar. It is important that .v2 (or .v3 or .v4 or .v5 or .v6 depending on the operating system version) is on the end of the path. (e.g. \\fs01\UEMConfig\mandatory.v6).
  5. Note: the mandatory profile must be a subfolder of the file share. You cannot share the mandatory profile directly.
  6. You can copy C:\Users\Default instead of copying a template user. If so, remove the hidden attribute. If you use Default as your mandatory, be aware that Active Setup will run every time a user logs in.
  7. Rename \\fs01\UEMConfig\mandatory.v6\ntuser.dat to ntuser.man.
  8. Delete the NTUSER.DAT log files.
  9. Open the AppData folder and delete the Local and LocalLow folders.
  10. Java settings are stored in LocalLow so you might want to leave them in the mandatory profile. The only Java files you need are the deployment.properties file, the exception.sites file and the security/trusted.certs file. Delete the Java cache, tmp and logs.
  11. Open regedit.exe.
  12. Click HKEY_LOCAL_MACHINE to highlight it.
  13. Open the File menu and click Load Hive.
  14. Browse to the mandatory profile and open NTUSER.MAN in the Mandatory profile folder.
  15. Name it a or similar.
  16. Go to HKLM\a, right-click it and click Permissions.
  17. Add Authenticated Users and give it Full Control. Click OK.
  18. With the hive still loaded, you can do some cleanup in the registry keys. See http://www.robinhobo.com/how-to-create-a-mandatory-profile-with-folder-redirections/ for some suggestions.
  19. Also see How to create a Windows Server 2012 / Windows 8 Mandatory Profile for more profile cleanup.
  20. Highlight HKLM\a.
  21. Open the File menu and click Unload Hive.
  22. Create/Edit a GPO that applies to the Horizon 6 Agents and configure the following GPO settings:
    • Computer Configuration | Policies | Administrative Templates | System | User Profiles
      • Do not check for user ownership of Roaming Profile Folders = enabled
      • Set roaming profile path for all users logging onto this computer = \\fs01\UEMConfig\mandatory (Do not include the .v6 in this path)
    • Computer Configuration | Policies | Administrative Templates | Windows Components | Remote Desktop Services | Remote Desktop Session Host | Profiles
      • Use mandatory profiles on the RD Session Host server = enabled
      • Set path for Remote Desktop Services Roaming User Profile = \\fs01\UEMConfig\mandatory (Do not include the .v6 in this path)

UEM Console Installation

  1. Download User Environment Manager 9.8.0 or User Environment Manager 9.4.1 (ESB).

  2. Run the downloaded VMware User Environment Manager 9.8 x64.msi or VMware User Environment Manager 9.4.1 x64.msi (ESB).

  3. In the Welcome to the VMware User Environment Manager Setup Wizard page, click Next.
  4. In the End-User License Agreement page, check the box next to I accept the terms and click Next.
  5. In the Destination Folder page, click Next.
  6. In the Choose Setup Type page, click Custom.
  7. In the Custom Setup page, change the selections so that only the console is selected, and click Next.
  8. In the Ready to install VMware User Environment Manager page, click Install.
  9. In the Completed the VMware User Environment Manager Setup Wizard page, click Finish.

Configure User Environment Manager

Here is a summary of the major User Environment Manager functionality:

  • Personalization (aka import/export user settings) – saves application and Windows settings to a file share. This is the roaming profiles functionality of User Environment Manager. You configure folders and registry keys that need to be saved. The import/export can happen at logon/logoff or during application launch/exit.
    • Pre-configure application settings – configures files and registry keys for specific applications so users don’t have to do it themselves. Some examples: disable splash screen, default folder save location, database server name, etc.
    • Selfsupport tool – users can use this tool to restore their application settings.
  • User Environment – configures Windows settings like drive mappings, Explorer settings, printer mappings, etc. This is similar to group policy but offers significantly more options for conditional filtering. User Environment Manager can configure any registry setting defined in an ADMX file.
    • User Environment Manager only supports user settings. Computer settings should be configured using group policy.
    • Best practice is to not mix User Environment Manager and user group policy. Pick one tool. If the same setting is configured in both locations then group policy will win.
    • UEM 9.6 adds Windows Server 2019 as an Operating System condition.
  • Horizon Smart Policies – Use Horizon Conditions (e.g. client IP) to control device mappings (e.g. client printing) and PCoIP/Blast Bandwidth Profile.
  • Privilege Elevation (UEM 9.2 and newer)  – allow apps to run as administrator even though user is not an administrator. Installers can also be elevated.

Links:

To perform an initial configuration of User Environment Manager, do the following:

  1. Launch the User Environment Manager Management Console from the Start Menu.
  2. Enter the path to the UEMConfig share, and click OK.
  3. These Settings checkboxes define what is displayed in the management console. Leave it set to the defaults, and click OK.
  4. In the Personalization ribbon, on the far right, click Easy Start.
  5. Select your version of Office, and click OK.
  6. Click OK when prompted that configuration items have been successfully installed.
  7. Review the pre-configured settings to make sure they are acceptable. For example, User Environment Manager might create a Wordpad shortcut (User Environment > Shortcuts) that says (created by VMware UEM).
  8. To roam the Start Menu in Windows 10 1703, see VMware 2150422 How to roam Windows 10 Start Menu layout.
    1. Go to Personalization, click a folder, click Create Config File, select Create a custom config file, and give it a name.
    2. On the Import/Export tab, paste these two lines:
      [IncludeRegistryTrees]
      HKCU\Software\Microsoft\Windows\CurrentVersion\CloudStore
    3. Save the UEM Config file.
  9. Go to User Environment > Policy Settings. If there is a setting to Remove Common Program Groups, then click Edit.

    1. Consider adding a condition so it doesn’t apply to administrators.
  10. You can run Triggered Tasks when a session is reconnected, or workstation is unlocked. This is useful for re-evaluating Smart Policies, as detailed below.

    • UEM 9.4 adds a new Trigger for All AppStacks Attached.
  11. UEM 9.3 adds a setting to store Outlook OST file on App Volumes writable volume. Go to User Environment tab. Right-click App Volumes and create a setting. Check the box next to Store Offline Outlook Data File (.ost) on writable volume. Configure other fields as desired. Note: this setting only applies to new Outlook profiles. More info in the YouTube video VMware User Environment Manager Outlook OST on App Volumes User Writable Volume Feature Walkthrough.

Links:

Horizon Smart Policies

  1. In UEM 9.0 and newer, go to User EnvironmentHorizon Smart Policies, and create a policy.
  2. UEM 9.8 adds several new Smart Policy Settings, including Drag and drop. See VMware User Environment Management 9.8 Feature Walk-Through at YouTube. 💡
  3. On the Conditions tab, you can use any of the available conditions, including the Horizon Client Property conditions. Note: UEM 9.2 has more conditions (e.g. Active Directory Site Name) than prior versions.

  4. You can also enter a Horizon Client Property condition that corresponds to the ViewClient_ registry keys. In the Property field, type in a property name (remove ViewClient_ from the property name). See VMware Blog Post Enhancing Your VMware Horizon 7 Implementation with Smart Policies. And the 28-page PDF Reviewer’s Guide for View in Horizon 7: Smart Policies, VMware Horizon 7.

  5. UEM 9.1 and newer has Endpoint Platform as a policy condition. Create a Policy, go to the Conditions tab, and select the Endpoint Platform condition. UEM 9.8 adds Chrome to the Platform list.
  6. UEM 9.8 adds Matches Regex to some of the conditions (e.g. Endpoint name and Horizon Client Property > Pool name).

  7. To reapply Horizon Policies when users reconnect to an existing session, go to User Environment > Triggered Tasks, and click Create. Or you can edit one of the existing Triggered Tasks settings.
  8. Change the Trigger to Session Reconnected.
  9. Change the Action to User Environment refresh. Select Horizon Smart Policies, and click Save.

Application Blocking and Privilege Elevation

  1. UEM 9.0 adds an Application Blocking feature. To enable it, go to User Environment > Application Blocking, and click the Global Configuration button.
  2. Check the box to Enable Application Blocking. Specify Conditions where, if true, then App Blocking is enabled. These are the same conditions available in other policies and settings. Click OK.
  3. Then you can create an Application Blocking setting to designate the folders that users can run executables from, or what file hashes are allowed.
  4. You can add folders that allow or block apps. Any executable in these paths will be allowed or blocked. By default, executables in Windows and Program Files (including x86) are allowed.
  5. UEM 9.1 and newer allows File Hashes in addition to File Paths. Set the Type to Hash-based, click Add, browse to an executable, UEM will compute the hash, and add it to the list.
  6. UEM 9.2 and newer supports Publisher-based allow. Set the Type to Publisher-based, click Add, browse to an executable, UEM will read the certificate, and add it to the list. Note: A challenge with hash-bashed and publisher-based rules is that the policy might have to be updated whenever the app is updated.
  7. UEM 9.2 adds a Privilege Elevation feature, which allows executables to run as administrator even if users are not administrators. To enable it, go to User Environment > Privilege Elevation, and click the Global Configuration button.
  8. Check the box to Enable Privilege Elevation. Specify Conditions where, if true, then Privilege Elevation is enabled. These are the same conditions available in other policies and settings.
  9. If you allow installers to be elevated, elevate the installer’s child processes too, check the box. This checkbox only applies to installers. Child processes of elevated applications is enabled when creating a Privilege Elevation configuration setting.
  10. When an application is elevated, the user can be asked to allow it. This prompt is intended to inform the user that the application has more permissions than it should, and thus be careful with this application. Click OK.
  11. Then you can create a Privilege Elevation setting to designate the applications that should be elevated. The applications can be specified by a path, a hash, or a publisher certificate. These are essentially the same options as Application Blocking.
  12. Path-based user-installed application lets you elevate installers. The other three options elevate applications, but not installers.
  13. The child processes checkbox applies to applications.
  14. UEM 9.4 adds Argument-based elevated application, which lets you elevate specific scripts and/or Control Panel applets. For details, see the YouTube video VMware User Environment Manager 9.4 Argument Based Privilege Elevation Feature Walk-through.
  15. UEM Group Policy settings can be enabled to log both Application Blocking and Privilege Elevation to Event Viewer

Personalization and UEM Templates

VMware has provided a list of Personalization Templates to simplify your configuration.

  1. To save user settings at logoff and restore at logon, you must specify the settings to save.  Easy Start created a bunch of configurations on the Personalization tab.
  2. You can see what settings these save by clicking Manage, and then Expand.

  3. To save more settings, select a folder (or create a new folder), and then click Create Config File.
  4. A wizard appears. You can use one of the built-in Windows Common Setting or Application Templates. Or you can create your own. UEM 9.2 has more built-in templates than previous versions.


    • UEM 9.4 adds a Windows Common Setting for Windows 10 Start Menu – Windows 10 1703 and higher
  5. The VMware community also uploads additional templates to VMware Communities.
  6. In UEM 9.5 and newer, the UEM Console has a button in the ribbon to Download Config Templates. You will need a My VMware account to access it. See Ivan de Mes VMware UEM 9.5 introduces the VMware Marketplace for templates.
  7. The Browse button on top lets you choose where in the tree you want to save the new Config File.
  8. For older versions of UEM, download a template, and import it.
    1. In the UEM Console, on the Personalization tab, click the Configure button to locate your UEM Configuration file share.

    2. Extract the downloaded templates to the General\Applications folder in the UEM Config Share.

    3. The downloaded template should then show up in the Personalization tab under the Applications folder. If you don’t see it, click the Refresh Tree icon.

Additional UEM Configuration

User Environment Manager 8.7 and newer has a UEMResult feature that lets you see what settings were applied to the user. The .xml file is only updated at logoff. To enable for a particular user, go to the user’s Logs folder and create a folder named UEMResult. At logoff, UEM will put an .xml file in this folder. More information in Appendix G of the User Environment Manager Administrator Guide.

From VMware 2113514 Enabling debug logging for a single user in VMware User Environment Manager: To configure FlexEngine to log at debug level for a single user, create an empty FlexDebug.txt file in the same folder as the standard log file for this user. This triggers FlexEngine to switch to debug logging for this particular user.

UEM Application Profiler

This tool cannot be installed on a machine that has FlexEngine installed:

  1. .NET Framework 3.5 is required.
  2. In the User Environment Manager files, in the Optional Components folder, run VMware UEM Application Profiler 9.6 x64.msi or VMware UEM Application Profiler 9.4 x64.msi (ESB).

  3. In the Welcome to the VMware User Environment Manager Application Profiler Setup Wizard page, click Next.
  4. In the End-User License Agreement page, check the box next to I accept the terms and click Next.
  5. In the Custom Setup page, click Next.
  6. In the Ready to install VMware User Environment Manager Application Profiler page, click Install.
  7. In the Completed the VMware User Environment Manager Application Profiler Setup Wizard page, click Finish.

You may now use the tool to determine where applications store their settings and export a default application configuration that can be pushed out using User Environment Manager.

UEM Support Tool

vDelboy – VMware UEM Helpdesk Support Tool

Do the following to configure the environment for the support tool:

  1. In the User Environment Manager Console, click the star icon on the top left, and click Configure Helpdesk Support Tool.
  2. Click Add.
  3. In the Profile archive path field, enter the user folder share (the same one configured in User Environment Manager GPO). At the end of the path, enter \[UserFolder]\Archives.
  4. Check the other two boxes. The paths should be filled in automatically. Make sure they match what you configured in the User Environment Manager group policy object. Click OK.
  5. Click Save.
  6. VMware recommends creating a new GPO for the Support Tool. This GPO should apply only to the support personnel.

  7. On the Scope tab, change the filtering so it applies to UEM Support and UEM Admins. If this GPO applies to machines with group policy loopback processing enabled, then also add Domain Computers.
  8. Edit the GPO.
  9. Go to User Configuration | Policies | Administrative Templates | VMware UEM | Helpdesk Support Tool.
  10. Double-click the setting UEM configuration share.
  11. Enable the setting, and enter the path to the UEMConfig share. Click OK.
  12. Consider enabling the remaining GPO settings. Read the Explain text or refer to the documentation.

Do the following to install the support tool.

  1. .NET Framework 3.5 is required.
  2. Some support tool functions require the FlexEngine to be installed on the help desk machine.
  3. In the extracted User Environment Manager files is an Optional Components folder. From inside that folder run VMware UEM Helpdesk Support Tool 9.6 x64.msi or VMware UEM Helpdesk Support Tool 9.4 x64.msi (ESB).

  4. In the Welcome to the VMware UEM Helpdesk Support Tool Setup Wizard page, click Next.
  5. In the End-User License Agreement page, check the box next to I accept the terms and click Next.
  6. In the Destination Folder page, click Next.
  7. In the Ready to install VMware UEM Helpdesk Support Tool page, click Install.
  8. In the Completed the VMware UEM Helpdesk Support Tool Setup Wizard page, click Finish.

Once the Helpdesk Support Tool is installed, you can launch it from the Start Menu, search for users, and then perform operations on the archives.

Related Pages

Horizon Group Policy and Profiles

Last Modified: Jul 7, 2019 @ 7:08 am

Navigation

This post applies to all VMware Horizon versions 7.0 and newer

💡 = Recently Updated

Change Log

Roaming Profiles Overview

VMware has three options for persisting user settings when the user logs off:

  • Persona can be used for virtual desktops. This is preferred over Microsoft’s roaming profiles. However, VMware seems to be deprecating Persona in favor of User Environment Manager since Persona doesn’t work on newer versions of Windows 10.
  • Microsoft Roaming Profiles – Persona is not supported on Remote Desktop Session Host so use Microsoft’s native roaming profiles instead.
    • Microsoft’s Roaming Profiles do not merge settings from multiple sessions so if you have users connecting to multiple RDS farms then each RDS farm should have separate roaming profile shares.
  • User Environment Manager – If you are licensed for Horizon Enterprise then you can use VMware’s User Environment Manager. This is a very configurable product that is generally preferred over Persona and Microsoft Roaming Profiles. It works on both virtual desktops and Remote Desktop Session Hosts.
    • User Environment Manager runs on top of other profile solutions. User Environment Manager can run on top of mandatory profiles so that anything not saved by User Environment Manager is discarded on logoff.
    • Or you can use User Environment Manager to persist settings for specific applications and use roaming profiles (Persona or Microsoft) to persist the remaining settings.
    • VMware has published a KB article 2118056 Migrate VMware Persona Management to VMware User Environment Manager.

Roaming Profiles File Shares

File Shares Summary

Detailed steps for creating the profile shares are detailed in the next sections. This section provides a summary of the required shares.

  • In general, DFS Namespaces are supported for each of these shares but the namespace must point to only one target (no multi-master replication).
  • The User Environment Manager Configuration folder can be replicated.
  • Folder Redirection should be configured for all roaming profile methods. You can either create a new file share or you can redirect profile folders to the users’ home directories.

For All Profile Types, if you are not redirecting profile folders to the users’ home directories then create one file share for Folder Redirection:

  • \\server\Redirect
    • Admins = Full Control
    • Users = Read/Execute, Create Folders – this folder only
    • Creator Owner = Full Control

If User Environment Manager, create two file shares:

  • \\server\UEMConfig – stores UEM configuration
    • UEM Admins = Full Control
    • UEM Users = Read
    • UEM Support = Read
  • \\server\UEMProfiles
    • UEM Admins = Full Control
    • UEM Support = Modify
    • UEM Users = Read/Execute, Create Folders – this folder only
    • Creator Owner = Full Control

According to VMware 2113665 Imports and exports in VMware User Environment Manager are slow, the two UEM shares should be excluded from antivirus scanning. The article also details some antivirus exclusions for the FlexEngine installed on the Horizon Agent machines.

If Persona, create one file share for each operating system and bitness:

  • \\server\PersonaWin7x64
    • Persona Admins = Full Control
    • Persona Users = Read/Execute, Create Folders – this folder only
    • Creator Owner = Full Control
  • \\server\PersonaWin10x64
    • Persona Admins = Full Control
    • Persona Users = Read/Execute, Create Folders – this folder only
    • Creator Owner = Full Control

If Microsoft Roaming Profiles, create multiple file shares. Each RDS farm needs a separate profile share.

  • \\server\RDSProfiles1
    • Horizon Admins = Full Control
    • Horizon Users = Read/Execute, Create Folders – this folder only
    • Creator Owner = Full Control
  • \\server\RDSProfiles2
    • Horizon Admins = Full Control
    • Horizon Users = Read/Execute, Create Folders – this folder only
    • Creator Owner = Full Control

Create and Share the Folders

  1. On your file server, make sure file and printer sharing is enabled.
  2. On the file server that will host the file share, create a new folder and name it PersonaWin10x64RDSProfilesFarm1, UEMConfig, or UEMProfiles or similar. If you need both Persona and Microsoft roaming profiles, create separate folders for each. If using UEM, create the UEM shares as summarized earlier.
  3. Open the folder’s Properties.
  4. On the Sharing tab, click Advanced Sharing.
  5. Check the box to share the folder.
  6. Click Permissions.
  7. Give Full Control to Everyone. Click OK.
  8. For Persona and RDSProfiles shares, click Caching.
  9. Select No files or programs. Click OK, and then click Close.
  10. According to VMware 2113665 Imports and exports in VMware User Environment Manager are slow, the two UEM shares should be excluded from antivirus scanning. The article also details some antivirus exclusions for the FlexEngine installed on the Horizon Agent machines.

Folder Permissions

The following procedure works for any of the profile and redirection folders listed in the file shares summary except for the UEMConfig folder.

Lieven D’hoore has VMware Horizon View – Script to create Persona Management Repositories, Shares and Permissions.

  1. Open the properties of the new shared folder.
  2. On the Security tab, click Edit.
  3. For the Everyone entry, remove Full Control and Modify. Make sure Write is enabled so users can create new folders.
  4. Add CREATOR OWNER, and give it Full Control. This grants users Full Control of the folders they create. Click OK.
  5. Now click Advanced.
  6. Highlight the Everyone permission entry, and click Edit.
  7. Change the Applies to selection to This folder only. Click OK three times. This prevents the Everyone permission from flowing down to newly created profile folders.

VMware Fling – Horizon View Persona Management Share Validation Tool:

  1. Download the tool, and extract it.
  2. From a command line, run VMWVvpValidator.exe with the share parameter, the path to the Persona or RDSProfiles share, and the group that should have access to the share.
  3. This will create a VMWVvpValidatortxt file in the same folder that contains the executable. Open it.
  4. Scroll down and there should be no errors. If there are, fix them as detailed in the report.

Access Based Enumeration

Also enable access based enumeration. With this setting enabled, users can only see folders to which they have access.

  1. In Server Manager, on the left, click File and Storage Services.
  2. If you don’t see Shares then you probably need to close Server Manager and reopen it.
  3. Right-click the new share, and click Properties.
  4. On the Settings page, check the box next to Enable access-based enumeration and click OK.

GPO Templates

Windows Group Policy Templates

Unfortunately, there are some differences between the GPO templates for Windows Server, and the GPO templates for  Windows 10. You’ll need to download the full set of templates.

Follow the procedure at https://www.carlstalhood.com/group-policy-objects-vda-computer-settings/#admtemp to download and install the Administrative Templates (.admx) for Windows 10 and Windows Server 2016.

Horizon Group Policy Templates

Some of the policy settings in this topic require group policy templates from the Horizon GPO Bundle, which can be downloaded from the VMware Horizon Download Page.

For Horizon 7.9, download Horizon 7.9.0 View GPO Bundle (aka VMware-Horizon-Extras-Bundle-5.1.0)

For Horizon 7.5.2 (ESB), download VMware Horizon 7.5.0 View GPO Bundle.

  1. Go to the downloaded VMware-Horizon-View-Extras-Bundle.zip file, and extract the files.
  2. Copy the .admx files, and en-US folder, to the clipboard.
  3. Go to \\domain.com\sysvol\domain.com\Policies\PolicyDefinitions (if it exists), or C:\Windows\PolicyDefinitions on the group policy editing machines (if PolicyDefinitions doesn’t exist in SYSVOL), and paste the .admx files. Overwrite any older files.

  4. Horizon 7.3 and newer have an .admx file in the ThinPrint\ADMX folder.
  5. Copy the .admx file, and en-US folder, to the clipboard.
  6. Go to \\domain.com\sysvol\domain.com\Policies\PolicyDefinitions (if it exists), or C:\Windows\PolicyDefinitions on the group policy editing machines (if PolicyDefinitions doesn’t exist in SYSVOL), and paste the .admx files. Overwrite any older files.
  7. When you edit group policy objects, you can now edit Horizon settings.

User Environment Manager GPO Templates

If you are licensed for User Environment Manager, copy the UEM GPO ADMX templates to PolicyDefinitions. Note: UEM 9.1 and newer can also work without Active Directory (Group Policy); see VMware 2148324 Configuring advanced UEM settings in NoAD mode for details.

  1. Download User Environment Manager 9.8.0 or User Environment Manager 9.4.1 (ESB) if you haven’t already.

  2. Go to the extracted User Environment Manager files, and in the Administrative Templates (ADMX) folder, copy the files and the folder.
  3. Go to \\domain.com\sysvol\domain.com\Policies\PolicyDefinitions (if it exists), or C:\Windows\PolicyDefinitions on the group policy editing machines (if PolicyDefinitions doesn’t exist in SYSVOL), and paste the files and folder. Overwrite any older files.

  4. You will find VMware UEM GPO settings in the User Half of a GPO.

Create Group Policy Objects

  1. Within Active Directory Users and Computers, create a parent Organizational Unit (OU) to hold all Horizon Agent computer objects (virtual desktops and Remote Desktop Session Hosts).
  2. Then create sub-OUs, one for each pool or RDS Farm.
  3. Move the Horizon Agent machines from the Computers container to one of the OUs created in step 2.
  4. Within Group Policy Management Console, create a Group Policy Object (GPO) called Horizon Agent Computer Settings and link it to the parent OU created in step 1. If this policy should apply to all pools, then link it to the parent OU. Or you can link it to pool-specific sub-OUs.

  5. Modify the properties of the GPO, on the Details tab, so that the User Configuration portion of the GPO is disabled. User settings do not belong in this GPO.
  6. Create and link two new GPOs to the Session host OU (in addition to the Horizon Agent Computer Settings GPO). One of the GPOs is called Horizon Agent All Users (including admins), and the other is called Horizon Agent Non-Admin Users (lockdown). The Non-Admin Users GPO can either be linked to the parent OU, or to the session host sub-OUs. Locking down sessions is more common for Remote Desktop Session Hosts.

  7. Modify the properties of both of these GPOs, and disable the Computer Configuration portion of the GPO.
  8. Click the Horizon Agent Non-Admin Users GPO to highlight it.
  9. On the right, switch to the Delegation tab, and click Add.
  10. Find your Horizon Admins group, and click OK.
  11. Change the Permissions to Edit settings, and click OK.
  12. Then on the Delegation tab, click Advanced.
  13. For Horizon Admins, place a check mark in the Deny column for the Apply Group Policy permission. If desired, you can also deny the GPO to Domain Admins and Enterprise Admins. Click OK.
  14. Click Yes when asked to continue.
  15. For the other two GPOs, add Horizon Admins with Edit Settings permission. But don’t deny Apply Group Policy. The deny entry is only needed on the Lockdown GPO.

GPOs for Roaming Profiles (Persona and RDS)

You will need separate profile configurations for each Horizon Agent type (virtual desktops, RDS, operating system version, operating system bitness, etc.) Each profile configuration needs a different GPO. Note: if you are licensed for User Environment Manager, then you can skip this section.

  1. Right-click one of the Remote Desktop Session Host sub-OUs, and create a new GPO.
  2. Name it Horizon Agent RDS Farm 1 Profiles or similar. This policy will use Microsoft’s native roaming profiles instead of Persona. Note: each RDS farm should have a separate roaming profile share.
  3. Select the new GPO to highlight it. On the right, on the Delegation tab, add the Horizon Admins group, and give it Edit Settings permission.
  4. If you have additional Remote Desktop Session Host sub-OUs (one for each RDS Farm), right-click one of them and create another GPO with a different name. Each RDS Farm needs a different profile path.

  5. Right-click a virtual desktop sub-OU, and click Create a GPO in this domain.
  6. Name it Horizon Agent Persona Win10 or similar, and click OK. Each operating system version should point to a different file share, so include the operating system version in the GPO name.
  7. Select the new GPO to highlight it. On the right, on the Delegation tab, add the Horizon Admins group, and give it Edit Settings permission.
  8. If you have additional virtual desktop sub-OUs of the same operating system, right-click the OU, and click Link an Existing GPO.
  9. Select the Horizon Agent Persona Win10 GPO, and click OK.
  10. For desktop pools running a different operating system, create a new Persona GPO. Each Persona GPO will point to a different share.
  11. The final group policy object framework will look like this: some GPOs linked to the parent OU and pool-specific GPOs linked to the sub-OUs. Each sub-OU needs different GPOs for different roaming profile configurations.

Agent Computer Settings

These GPO settings should be applied to the Horizon Agents.

General Computer Settings

  1. Right-click the Horizon Agent Computer Settings GPO, and click Edit.
  2. Configure the GPO Computer Settings as detailed at https://www.carlstalhood.com/group-policy-objects-vda-computer-settings/#computer.
  3. In addition, VMware 2121183 Response to CVE-2015-4000 (a.k.a., Logjam) for Horizon View and Horizon 6 products has a list of recommended ciphers for Windows. These ciphers are configured at Computer Configuration > Administrative Templates > Network > SSL Configuration Settings > SSL Cipher Suite Order.
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256,
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384,
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256,
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384,
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256,
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384,
    TLS_RSA_WITH_AES_128_CBC_SHA256,
    TLS_RSA_WITH_AES_128_CBC_SHA,
    TLS_RSA_WITH_AES_256_CBC_SHA256,
    TLS_RSA_WITH_AES_256_CBC_SHA,
    TLS_RSA_WITH_RC4_128_SHA
    The article also details how to enable TLS 1.2 in Windows.

Remote Desktop Users Group

  1. Right-click the Horizon Agent Computer Settings GPO, and click Edit.
  2. Under Computer Config > Windows Settings > Security Settings, right-click Restricted Groups, and click Add Group.
  3. Browse to the group of users (e.g. Domain Users) that will be added to the Remote Desktop Users group on the virtual desktops. Click OK.
  4. In the bottom half of the window, click Add to specify that this group is a member of:
  5. Enter Remote Desktop Users, and click OK twice.

VMware Integrated Printing

Horizon 7.7 and newer have a new Universal Print Driver named VMware Integrated Printing or VMware Advanced Printing, which replaces ThinPrint. Integrated Printing is an optional feature of the Horizon Agent installer and requires Horizon Client 4.10 for Windows, Horizon Client 5.1 for Linux and Horizon Client 5.1 for Mac.

You can use Group Policy to select whether Native Print Drivers are preferred over the Universal Print Driver. The GPO settings only apply if the VMware Integrated Printing feature is installed on the Horizon Agent.

  1. Make sure the Horizon 7.7 or newer GPO Templates are installed.
  2. Edit the Horizon Agent Computer Settings GPO.
  3. Go to Computer Configuration | Policies | Administrative Templates | VMware Integrated Printing (or VMware Advanced Printing). This node only appears in ADMX templates from Horizon 7.7 and newer.
  4. Edit the setting Printer Driver Selection.
  5. Enable the setting, and then consider setting it to Always use UPD to avoid needing to install any printer drivers on the Horizon Agent machines. This is particularly beneficial for multi-user RDSH machines.

Horizon 7.8 and newer supports filtering of redirected client printers.

VMware Integrated Printing also supports Location Based Printing.

  1. In the Horizon 7.7 or newer Extras Bundle (GPO templates), find the file named LBP.xml.
  2. Edit the file. This is an XML document that can contain multiple <Policy> nodes. The file is commented.
  3. When done editing the LBP.xml file, copy it to C:\ProgramData\VMware on each Horizon Agent machine. It’s probably easiest to use Group Policy Preferences (or computer startup script) to download this file when the Horizon Agent machines boots.

User Environment Manager (UEM) Group Policy

User Environment Manager works for both virtual desktops and Remote Desktop Session Hosts, so there’s no need to configure separate profiles for both of those environments.

Most of the User Environment Manager GPO settings are user settings, not computer settings.

Note: UEM 9.1 can also work without Active Directory (Group Policy); see VMware 2148324 Configuring advanced UEM settings in NoAD mode for details.

From Chris Halstead VMware User Environment Manager (UEM) – Part 1 – Overview / Installation and VMware Deployment Guide VMware User Environment Manager Deployed in 60 Minutes or Less:

  1. Make sure Prevent access to registry editing tools is not enabled in any GPO. This setting prevents the FlexEngine from operating properly.
  2. User Environment Manager requires one computer setting. Edit the Horizon Agent Computer Settings GPO.
  3. Go to Computer Configuration | Policies | Administrative Templates | System | Logon.
  4. Double-click Always wait for the network at computer startup and logon.
  5. Enable the setting, and click OK.
  6. Close the group policy editor.
  7. The remaining settings are user settings. Edit the Horizon Agent All Users GPO. This GPO should apply to the Horizon Agents, and Loopback processing should already be enabled on those machines.
  8. Go to User Configuration | Policies | Administrative Templates | VMware UEM | FlexEngine.
  9. If you are running User Environment Manager on top of mandatory profiles, then double-click Certificate support for mandatory profiles.
  10. Enable the setting, and click OK.
  11. Double-click Flex config files.
  12. Enable the setting.
  13. Enter \\server\uemconfig\general. The general folder will be created by User Environment Manager. Click OK.
  14. Double-click FlexEngine Logging.

    1. Enable the setting.
    2. Enter \\server\uemprofiles\%username%\logs. User Environment Manager will create these folders. Click OK.
  15. UEM 9.0 and newer has a setting named Paths unavailable at logon. By default, users are blocked from logging in if the UEM file share is not reachable.

  16. Double-click the setting Profile archive backups.

    1. Enable the setting.
    2. Type in \\server\uemprofiles\%username%\backups.
    3. Enter the number of desired backups, check the box for daily backups, and click OK.
  17. Double-click Profile archives.

    1. Enable the setting.
    2. Type in \\server\uemprofiles\%username%\archives.
    3. Check the box next to Retain file modification dates. Source = Anyway to save ‘Date Modified’? at VMware Communities.
    4. Click OK.
  18. Double-click the setting RunFlexEngine as Group Policy Extension.
  19. Enable the setting, and click OK.
  20. If you are using the Privilege Elevation feature, consider enabling Privilege elevation logging to the Windows event log.

  21. Same for Application blocking logging to the Windows event log.
  22. Go to User configuration | Policies | Windows Settings | Scripts (Logon/Logoff).
  23. Double-click Logoff.
  24. Click Add.
  25. In the Script Name field, enter C:\Program Files\Immidio\Flex Profiles\FlexEngine.exe.
  26. In the Script Parameters field, enter -s.
  27. Click OK.

User Environment Manager is configured in a separate console application. See the instructions at https://www.carlstalhood.com/vmware-user-environment-manager/.

UEM Changelog

From YouTube video User Environment Manager 9.6 What’s New Overview:

  1. On the left, click the node named Management Console under VMware UEM
  2. On the right, UEM 9.6 adds two new settings for Changelog.
  3. Log changes to disk stores the log in the UEM share at \\server\UEMConfig\Changelog\general. Note that administrators usually have permission to modify this location so they could modify this changelog.
  4. Log changes to the Windows event log stores the log in the Application Log in Event Viewer of the local console machine and not in any central server.
  5. You can also enable the Changelog in the UEM Management Console by clicking the ribbon button named Configure.
  6. Switch to the tab named Configuration Changelog to enable the two settings.
  7. Each configuration item in UEM Management Console shows a tab named Changelog after changes are recorded.

Persona Configuration

This section does not apply to Remote Desktop Session Hosts or Instant Clones.

If you are using User Environment Manager with Mandatory profiles then skip this section.

Roaming profiles (Persona) are optional for persistent virtual desktops. They are most applicable to non-persistent virtual desktops.

  1. VMware article 2105270 – Verify that ICMP is enabled between the Horizon Agent and the domain controller, and as well as the Horizon Agent and the Persona Management Repository
  2. Install the Horizon GPO ADMX files if you haven’t already.
  3. Edit one of the Horizon Agent Persona GPOs that applies to the virtual desktops (not Remote Desktop Session Hosts).
  4. Configure the following GPO settings:
    • Administrative Templates | System | User Profiles
      • Add the Administrators security group to roaming user profiles = enabled
      • Do not check for user ownership of Roaming Profile Folders = enabled
  5. Go to Computer Configuration | Policies | Administrative Templates | VMware View Agent Configuration | Persona Management | Roaming & Synchronization.
  6. On the right, double-click Manage user persona.
  7. Enable the setting. It defaults to 10 minutes. Click OK.
  8. Double-click Persona repository location, and enable the setting.
  9. Enter the path to the file share created for Persona. Append %username%.
  10. Check the box next to Override Active Directory user profile path. Click OK.
  11. Double-click Roam local settings folders, and enable it. Click OK.
  12. Double-click Files and folders excluded from roaming, and enable it. Then click Show.
  13. Enter the values shown below, and then click OK twice.
    $Recycle.Bin
    Tracing
    AppData\LocalLow
    AppData\Local\GroupPolicy
    AppData\Local\Packages
    AppData\Local\Microsoft\Office\15.0\Lync\Tracing
    AppData\Local\Microsoft\Windows\Temporary Internet Files
    AppData\Local\Microsoft\Windows\Burn
    AppData\Local\Microsoft\Windows\CD Burning
    AppData\Local\Microsoft\Windows Live
    AppData\Local\Microsoft\Windows Live Contacts
    AppData\Local\Microsoft\Terminal Server Client
    AppData\Local\Microsoft\Messenger
    AppData\Local\Microsoft\OneNote
    AppData\Local\Microsoft\Outlook
    AppData\Local\Windows Live
    AppData\Local\Temp
    AppData\Local\Sun
    AppData\Local\Google\Chrome\User Data\Default\Cache
    AppData\Local\Google\Chrome\User Data\Default\Cached Theme Images
    AppData\Local\Google\Chrome\User Data\Default\JumpListIcons
    AppData\Local\Google\Chrome\User Data\Default\JumpListIconsOld
    AppData\Roaming\Sun\Java\Deployment\cache
    AppData\Roaming\Sun\Java\Deployment\log
    AppData\Roaming\Sun\Java\Deployment\tmp
  14. Double-click Files and folders excluded from roaming (exceptions), and enable it. Then click Show.
  15. Enter the exceptions shown below and click OK twice.
    AppData\LocalLow\Sun\Java\Deployment\security\exception.sites
    AppData\LocalLow\Sun\Java\Deployment\security\trusted.certs
    AppData\LocalLow\Sun\Java\Deployment\deployment.properties
  16. Configure %AppData%\Thinstall as a folder to background download. If you are using Thinapps, this will speed up the launch time of Thinapps.

RDS Roaming Profiles

This section applies to Remote Desktop Session Hosts, not virtual desktops.

If you are using User Environment Manager with Mandatory profiles then skip this section.

  1. Edit the Horizon Agent RDS Farm1 Profiles GPO.
  2. Configure the following GPO settings.
    • Administrative Templates | System | User Profiles
      • Add the Administrators security group to roaming user profiles = enabled
      • Delete cached copies of roaming profiles = enabled
      • Do not check for user ownership of Roaming Profile Folders = enabled
  3. Go to Computer Configuration | Policies | Administrative Templates | Windows Components | Remote Desktop Services | Remote Desktop Session Host | Profiles.
  4. On the right, open the setting Set path for Remote Desktop Services Roaming User Profile.
  5. Enable the setting and enter the path to the file share. Do not append %username%.
  6. If you haven’t already done this in a parent OU, also configure the Remote Desktop Services settings as detailed at https://www.carlstalhood.com/group-policy-objects-vda-computer-settings/#computer.
  7. If you wish to enable the Aero style for Remote Desktop Session Host sessions, go to User Configuration | Policies | Administrative Templates | Control Panel | Personalization.
  8. Open the setting Force a specific visual style file.
  9. Enable the setting and enter the following path:
    %windir%\resources\Themes\Aero\aero.msstyles

  10. VMware recommends enabling RunOnce as detailed at https://www.carlstalhood.com/group-policy-objects-vda-user-settings/#runonce.

Horizon Agent Settings

  1. Install the Horizon GPO ADMX files if you haven’t already.
  2. Right-click the Horizon Agent Computer Settings GPO, and click Edit.
  3. On the left, expand Computer Configuration | Policies | Administrative Templates | VMware View Agent Configuration. Click Agent Configuration.
  4. If Horizon 7.8 or newer, on the right, double-click DPI Synchronization Per Connection.
  5. This setting is disabled by default. You can optionally enable it so DPI is reconfigured on reconnect instead of only on initial logon.

PCoIP Configuration

Steve Dunne:

Here are some general PCoIP optimization settings:

  1. Install the Horizon GPO ADMX files if you haven’t already.
  2. Right-click the Horizon Agent Computer Settings GPO, and click Edit.
  3. On the left, expand Computer Configuration | Policies | Administrative Templates | PCoIP Session Variables. Click Overridable Administrator Defaults.
  4. On the right, double-click Configure clipboard redirection.

    • Enable the setting, and select Enabled in both directions. Click OK.
  5. Horizon 7.6 and newer have a setting for Configure clipboard audit that audits to the Agent’s Event Viewer any clipboard copy/paste from agent to client.

  6. Horizon 7.7 and newer have a setting named Configure drag and drop direction.

  7. Horizon 7.9 and newer have settings for Configure drag and drop format (drag and drop direction for each format) and Configure drag and drop size threshold. 💡


  8. Horizon 7.0.2 and newer have the ability to filter specific clipboard formats.
  9. Double-click Configure the PCoIP session audio bandwidth limit. For WAN connection users, VMware recommends setting this to 100 – 150 Or you can start with 300 Kbps and reduce as needed.

Real-Time Audio-Video

VMware validated Horizon 7.9’s Real-Time Audio-Video feature with Microsoft Teams. Here are sizing recommendations:

  • Minimum setting of 4vCPU 4GB RAM as a published desktop configuration
  • RTAV video resolution configured with 640 x 480p

Real-Time Audio-Video (RTAV) is one of the options that can be selected when installing Horizon Agent. To ensure that Audio is captured by RTAV instead of by USB redirection, exclude audio from USB redirection is described in the next section.

To configure RTAV video resolution, do the following:

  1. Install the Horizon GPO ADMX files if you haven’t already.
  2. Right-click the Horizon Agent Computer Settings GPO, and click Edit.
  3. Expand Computer Configuration | Policies | Administrative Templates | VMware View Agent Configuration, expand View RTAV Configuration and click View RTAV Webcam Settings.
  4. On the right, double-click Resolution – Default image resolution height in pixels
  5. Enable the setting and set it to 480 pixels. Click OK.
  6. On the right, double-click Resolution – Default image resolution width in pixels.
  7. Enable the setting and enter 640. Click OK.
  8. There are two more GPO settings for Max height and width. If these are not configured then there is no maximum.

USB Redirection Settings

VMware TechPaper USB Device Redirection, Configuration, and Usage in View Virtual Desktops details the following:

  • PCoIP zero clients use a PCoIP virtual channel for USB. No extra network ports needed.
  • All other PCoIP clients, including Windows, Mac, etc., use TCP 32111 between the Horizon Client and the Horizon Agent.
  • If Secure Tunnel is enabled, the USB traffic is sent to the Horizon Security Server on TCP 443. It is then forwarded to the Horizon Agent on 32111.
  • USB performance across the WAN can be slow.
  • Webcams are only supported using RTAV (Real-Time Audio-Video).
  • USB3 uses too much bandwidth for most WANs. USB3 is supported in Horizon Agent 6.0.1 and Horizon Client 3.1.
  • Linux clients do not let you choose USB devices. Instead, all USB devices are redirected.
  • USB device redirection can be filtered. Multi-interface USB devices can be split. See the TechPaper for details.
  • In Horizon 6.1 and Horizon Client 3.3, USB storage devices can be redirected to Remote Desktop Session Host.
  • Client Downloadable only GPO settings are downloaded to the Horizon Client when the Horizon Client first connects to the Horizon Agent.
  • USB GPO Settings on the Horizon Agent can either override or merge the Horizon Client USB GPO settings. Merge means that if Horizon Client settings exist then the Horizon Agent settings are ignored.
  • The Exclude All Devices setting is overridden by other Include
  • USB Redirection logs are located at %PROGRAMDATA%\VMware\VDM\logs\debug-*.txt. Look for <vmware-view-usbd>
  • How to configure USB Redirection rules on Windows, Mac, and Linux.

If you intend to use the Real-Time Audio-Video feature, then disable USB redirection of audio and video so it is instead accessed through the optimized virtual channel. RTAV and USB Redirection do not apply to Remote Desktop Session Host.

You can also use this procedure to block USB storage devices from being mapped.

  1. Install the Horizon GPO ADMX files if you haven’t already.
  2. Right-click the Horizon Agent Computer Settings GPO, and click Edit.
  3. Expand Policies | Administrative Templates | VMware View Agent Configuration, and click View USB Configuration.
  4. On the right, double-click Exclude Device Family.
  5. Change the selection to Enabled.
  6. Enter o:audio-in;o:video.
  7. If you want to block USB storage devices, add o:storage to the list. Click OK.

Blast Settings

The full Horizon Client 4.0 and newer can use UDP when connecting to Horizon 7 Agents using Blast.

  • VMware Blog Post Deep Dive into VMware Horizon Blast Extreme Adaptive Transport – Blast Extreme Adaptive Transport is enabled by default in VMware Horizon View 7.1 and Horizon Client 4.4. If the clients are connecting from outside the demilitarized zone (DMZ), you would also need to have VMware Unified Access Gateway (not Security Server) to take full advantage of the new transport. The adaptive transport will automatically sense the network for UDP availability and will fallback to legacy Blast TCP if UDP is not available.

Blast by default only allows clipboard redirection from client-to-server. This can be changed in group policy.

If you want file transfer in HTML5 Blast, then you must configure clipboard from server-to-client (or both directions). (Source = VMware UEM release notes)

  1. Install the Horizon GPO ADMX files if you haven’t already.
  2. Right-click the Horizon Agent Computer Settings GPO and click Edit.
  3. Expand Policies | Administrative Templates, and click VMware Blast.
  4. On the right, double-click Configure clipboard redirection.

    • Enable the setting, and then make your choice. Click OK.
  5. Horizon 7.6 and newer have a setting for Configure clipboard audit that audits to the Agent’s Event Viewer any clipboard copy/paste from agent to client.

  6. Horizon 7.7 and newer have a setting to Configure drag and drop direction.

  7. Horizon 7.9 and newer have settings for Configure drag and drop format (drag and drop direction for each format) and Configure drag and drop size threshold. 💡


  8. Horizon 7.6 and newer have settings to add DSCP markings to the Blast protocol. See VMware Blast Policy Settings at VMware Docs.
  9. On the right, double-click UDP Protocol.
  10. You can optionally enable UDP protocol. Click OK.
  11. Horizon 7.4 introduced the H.264 High Color Accuracy setting.

  12. Horizon 7.0.2 and newer have a setting for H.264 Quality Levels.

  13. Also, 7.0.2 adds clipboard format filtering.
  14. If enabled UDP protocol, then on your master image, reboot the machine so it reads the GPO settings. Look in the file C:\ProgramData\VMware\VMware Blast\Blast-Service.log to make sure UDP is enabled. If not, reboot the machine again. After it’s enabled, snapshot the master machine and push it to your Pools.

URL Content Redirection

URL Content Redirection is a new feature in Horizon 7 that allows IE URLs to be redirected from Agent-to-Client or from Client-to-Agent. This feature requires:

  • URL Redirection component installed from command line on Horizon 7 Agent.
  • URL Redirection component installed from command line on Horizon Client 4.0.
  • If Horizon Client is installed on a Horizon Agent machine, you can install URL Redirection for one or the other, but not both.
  • Internet Explorer 9 or later only
  • GPO Settings

URL Redirection GPO settings apply to both Horizon Agents and Horizon Clients depending on the source of the redirection. For Agent-to-Client redirection, edit a GPO that applies to the Horizon Agents. For Client-to-Agent redirection, edit a GPO that applies to the Horizon Clients.

  1. Install the Horizon GPO ADMX files if you haven’t already.
  2. Expand Computer Configuration | Policies | Administrative Templates, and click VMware Horizon URL Redirection.
  3. On the right, double-click IE policy: Automatically activate newly installed plugins, and enable it. If you don’t configure this, then users are required to activate the IE add-on manually.
  4. On the right, double-click Url Redirection Enabled and enable the setting. The setting description says it’s enabled by default, but actually it’s not.
  5. On the right, double-click Url Redirection Protocol ‘http’.
  6. For Agent-to-Client, configure clientRules and agentRules. clientRules are redirected from Agent-to-Client. However, agentRules override clientRules. This lets you redirect every URL to client but keep some URLs on the agent. Separate multiple rules with a semicolon.
  7. For Client-to-Agent, configure agentRules. Anything that matches will be redirected to the remoteItem (name of published icon) accessible through brokerHostname.
  8. In the User half of a GPO that applies to Horizon Agents with Loopback Processing enabled, Horizon 7.4 added a new policy setting to automatically install the URL Content Redirection extension in Chrome. This setting should be applied to both the Horizon Agents, and the Horizon Clients.

Collaboration Settings

Horizon 7.4 and newer have a Collaboration feature, which has some group policy settings.

  1. Install the Horizon GPO ADMX files if you haven’t already.
  2. Right-click the Horizon Agent Computer Settings GPO and click Edit.
  3. Expand Computer Configuration | Policies | Administrative Templates, expand VMware View Agent Configuration, and click Collaboration.

  4. On the right, you can configure settings like the Maximum number of invited collaborators. The limit is 10.

User Lockdown Settings

Edit the Horizon Agent Non-Admin Users GPO, and configure the settings detailed at https://www.carlstalhood.com/group-policy-objects-vda-user-settings/#lockdown.

User Application Settings

Edit the Horizon All Users GPO and configure settings for applications (Internet Explorer, Office, etc.) as detailed at https://www.carlstalhood.com/group-policy-objects-vda-user-settings/#ie and https://www.carlstalhood.com/group-policy-objects-vda-user-settings/#office2013.

Redirected Profile Folders

In addition to roaming profiles, also configure Redirected Profile Folders as detailed at https://www.carlstalhood.com/citrix-profile-management/#redirected. Anything redirected will not be copied locally by Persona, RDS profiles, or VMware UEM.

VMware Flash Optimizer

  1. Horizon Agent installs something called the Flash Optimizer. When a user launches Internet Explorer, a prompt is displayed to Enable the add-on. To get rid of this message, do the following.
  2. We need the add-on CLSID. In Internet Explorer, click the gear icon and click Manage add-ons.

  3. Highlight the VMware Adobe Flash Optimizer and click More information on the bottom left.
  4. Click Copy.
  5. Paste the contents into Notepad. Then look for the Class ID line and copy it.
  6. Edit the Horizon Agent All Users GPO.
  7. Go to User Configuration | Policies | Administrative Templates | Windows Components | Internet Explorer | Security Features | Add-on Management.
  8. On the right, open Add-on List.
  9. Enable the setting, and click Show.
  10. In the Value name field, paste in the Class ID, including the curly braces.
  11. In the Value field, enter 1 to force the add-on to be enabled. Click OK twice.

Related Pages

VMware Horizon Clients 5.1

Last Modified: Jul 7, 2019 @ 7:17 am

Navigation

This article applies to all Horizon Clients for Windows, including 5.1.

💡 = Recently Updated

Change Log

Windows 10 Support

  • Horizon Client 4.8 is the first version to support Windows 10 1803

Install – Horizon Client Manual

The Horizon Clients can be downloaded from http://www.vmware.com/go/viewclients.

  1. Logon to the client machine as an administrator. Administrative rights are required for the Horizon Client installation. You can also push the client silently as described in the next section.
  2. Open a browser and enter the name of your Horizon Connection Server in the address bar (e.g. https://view.corp.local). Use https://.
  3. Click the Install VMware Horizon Client link. If the Horizon Clients are installed on the Connection Server, the client will download immediately. Or, you’ll be taken to vmware.com to download the client.
  4. If you are redirected to the  https://my.vmware.com/web/vmware/info/slug/desktop_end_user_computing/vmware_horizon_clients/5_0, then find the VMware Horizon Client for Windows, and click Go to Downloads.
  5. Then click Download.
  6. On the client machine, run the downloaded VMware-Horizon-Client-5.1.0.exe.

    • If you want to use the URL Content Redirection feature in Horizon 7, run the installer with the following switch: /v URL_FILTERING_ENABLED=1
  7. In the Install VMware Horizon Client page, click Agree & Install. Or you can click Customize Installation.

    1. If you selected Customize Installation, you can enter a Default connection server, install Skype Pack, etc.
    2. Horizon Client 4.8 adds an option to automatically select IPv4 or IPv6.
    3. Click Agree & Install when done.
  8. In the Success page, click Finish.
  9. Click Restart Now when prompted to restart.

Verify URL Redirection

  1. To verify that URL Content Redirection is installed, verify the presence of the file C:\Program Files (x86)\VMware\VMware Horizon View Client\vmware-url-protocol-launch-helper.exe.
  2. There’s also a new IE add-on.
  3. URL Content Redirection is configured using group policy.

Software Updates

  1. Horizon Client 4.1 and newer has an online update feature that can be enabled using group policy.
  2. Install the Horizon 7.8 GPO templates if you haven’t already.
  3. Create or edit a GPO that is linked to an OU containing the Horizon Client machines. These are the end-user PCs, not the virtual desktops.
  4. Go to Computer Configuration | Policies | Administrative Templates | VMware Horizon Client Configuration | Enable Horizon Client online update. It’s disabled by default.
  5. Once the GPO setting is enabled, in the Horizon Client, click the hamburger icon on the top right, and click Software Updates.

Install – Horizon Client Silent

Installing Horizon Client From the Command Line at VMware Docs has instructions on how to install the Horizon Client silently. Common methods for installing the client silently include: SCCM and Active Directory Group Policy Computer Startup Script.

Launch Horizon Client

To launch a View Desktop or application manually:

  1. From the Start Menu run VMware Horizon Client.

    1. Horizon Client 4.7 and newer has a GPO setting to prevent the Client from being launched multiple times.
    2. Install the Horizon GPO templates if you haven’t already.
    3. Create or edit a GPO that is linked to an OU containing the Horizon Client machines. These are the end-user PCs, not the virtual desktops.
    4. The Block multiple Horizon Client instances per Windows session setting is at Computer Configuration | Policies | Administrative Templates | VMware Horizon Client Configuration.

  2. To change SSL certificate verification, open the Options (hamburger) menu, and click Configure SSL. This is also configurable using Group Policy as detailed at Certificate Validation below.

  3. If there is no server in the list, then use the New Server button on the top left or click Add Server.
  4. Enter the load balanced FQDN for the Connection Server.
  5. You can click the Options menu to Hide the selector after launching an item.
  6. If you want to perform pass-through authentication, click the hamburger icon, and select Log in as current user. This option is only available if selected during installation, the client machine was rebooted, and is not prohibited using group policy.
  7. Horizon 7.2 and newer have Recursive Unlock, which is enabled by default. See Using the Log In as Current User Feature Available with Windows-Based Horizon Client at VMware Docs.
  8. If you have apps published to an Unauthenticated User, click the hamburger icon, and select Log in anonymously using Unauthenticated Access.
  9. Before connecting to the server, click the hamburger icon, and then click Configure VMware Blast.
  10. In Horizon Client 4.8 and newer, network condition is determined automatically and no longer configurable in the client.
    1. If your Horizon Client is older than 4.8, then adjust the network condition and click OK. This affects TCP vs UDP for Blast connectivity. Excellent = TCP only. Typical = UDP if the ports are open. Poor = UDP plus packet duplication, which is best for 20% packet loss networks. More info in the Technical White Paper Blast Extreme Display Protocol In Vmware Horizon 7.
  11. You can optionally enable Allow High Color Accuracy.
  12. Double-click the server.
  13. If the certificate is not trusted, click Show Certificate, and then click Continue. To disable this prompt, see Certificate Validation below.
  14. Enter your username and password, and then click Login.
  15. Horizon 7.8 no longer sends the domain list by default but you can enable it in Horizon Administrator. Or, instruct users to login using their userPrincipalNames.
  16. If you see too many domains in the Domain list:
    1. You can filter them by running the vdmadmin -N command. See Configuring Domain Filters Using the ‑N Option at VMware Docs.
    2. Horizon 7.1 and newer have an option to Hide domain list in client user interface. If you enable this in Global Settings, then users must enter UPN, or Domain\Username.

  17. If any of your published applications or desktops are configured with a Category Folder, click Yes when asked for shortcuts to appear in your Start Menu or desktop.

    • Horizon Client 5.1 has an interesting command line switch -installShortcutsThenQuit that connects to a Connection Server, creates the shortcuts on Start Menu and Desktop, and then quits. Here is sample syntax: 💡
      vmware-view.exe -serverURL serverurl -loginAsCurrentUser true -installShortcutsThenQuit
  18. If any of your published application icons have Pre-launch enabled, then a session will be started on one of the Horizon Agents that hosts the icon. All it does is create a session; the icon that Pre-launch was enabled on is not launched until the user double-clicks the icon. When the user launches any icon published from the Horizon Agent, it will launch quickly.
    1. After the user closes the Horizon Client, the Pre-launch session remains disconnected for the duration specified in the RDS Farm.
  19. If you have a bunch of icons, click one of the icons, and then start typing in the name of the icon and it will highlight.
  20. If the pool settings allow it, you can right-click an icon, click Settings, and then select a protocol. VMware Blast is the recommended protocol.

    1. If you click the gear icon on the top right…
    2. On the VMware Blast page you can optionally enable High Color Accuracy.
  21. Either double-click an icon, or right-click an icon, and click Launch.
  22. When connecting, you might be prompted to access your local files.

    • You can change your file sharing options by clicking the gear icon and switching to the Sharing page.
  23. If you are connected to a remote desktop, you can use the menu at the top of the screen. An interesting option is Autoconnect to this Desktop. This setting is stored on the Horizon Connection Server in LDAP and there doesn’t appear to be any way to automate enabling it.
  24. In Horizon Client 4.4 and newer, administrators can enable a Pool Setting that allows users to Restart the remote desktop gracefully.

  25. The Horizon Client also has a taskbar jump list showing recently launched applications and desktops.
  26. Some of the menu items in Horizon Client 5.0 and newer can be hidden by configuring Group Policy using the Horizon GPO Templates.

Tom Fenton How To Determine Your Horizon View Desktop Protocol: View Administrator > Sessions node, netstat, and registry.

VMware Fling View Auto-Connection Utility: The View Auto-Connection Utility allows you to connect the VMware View Client automatically into a View desktop or an application pool when the system starts up.

Shortcuts and Favorites

In the Horizon Client, once you are connected to a server, you can right-click an icon and click Create Shortcut to Desktop or Add to Start Menu.

In the Horizon Client, you can right-click an icon, and Mark as Favorite. Favorites are stored in the LDAP database on the Horizon Connection Server.

  1. This places a star icon on the top-right of the application or desktop.
  2. On the top right of the Horizon Client, you can switch to the Favorites View so that only icons selected as Favorites are displayed.
  3. Or switch back to the All View.

Support information

  1. On the Question Mark menu is Support Information.
  2. Users can click this to find the client name, client operating system, Horizon Client version, the Horizon Connection Server name, and currently connected desktops.

Certificate Validation

When you connect to a Horizon Connection Server, and if the certificate is not trusted or valid, then the user is prompted to accept the certificate. You can disable this prompt for any client machine that can be controlled using group policy.

  1. Copy the Horizon .admx files to PolicyDefinitions if you haven’t already.
  2. Create a GPO that is linked to an OU containing the Horizon Client machines. These are the end-user PCs, not the virtual desktops.
  3. Edit the GPO.
  4. Go to Computer Configuration | Policies | Administrative Templates | VMware Horizon Client Configuration | Scripting Definitions.
  5. On the right, double-click Server URL.
  6. Set the URL to your Horizon View URL, and click OK.
  7. On the left, click Security Settings. On the right, open the setting Certificate verification mode.
  8. Enable the setting and make your choice. No Security will disable the certificate prompt. Then click OK.

Device Redirection

Client Drive Redirection

  1. When you connect to a Horizon Agent that has Client Drive Redirection enabled, you are prompted to allow file redirection.
  2. By default, only the user’s local profile is redirected.
  3. You can redirect more folders or drives by clicking the Options menu, and clicking Share Folders.
  4. In the Sharing tab, add drives or folders, and then click OK.
  5. The folders or drives you added are now visible within Explorer in the Horizon Desktop.
  6. Client Drive Redirection also works in published applications.
  7. Horizon Agent 7.7 and newer with Horizon Client 4.10 and newer let you drag files from the local machine into the remote machine. This is drag only. You can’t copy/paste. If you drag the file onto a remote application, then then application opens the file.

    1. This feature can be disabled and/or controlled in a GPO that applies to the Horizon Agent. Make sure the Horizon 7.7 GPO templates are installed. In the Computer half of the GPO, go to Administrative Templates > VMware Blast and edit the setting Configure drag and drop direction.
    2. The Configure drag and drop direction setting is also configurable for PCoIP under the Computer-half node named PCoIP Session Variables > Overridable Administrative Defaults.
  8. To change Client Drive Redirection settings in published applications, go back to the Horizon Client, right-click an icon, and click Settings. Or use the gear icon on the top right.
  9. The client drive redirection prompt configuration is stored in %appdata%\VMware\VMware Horizon View Client\prefs.txt. You can edit this file to disable the prompt. See Rob Beekmans Customizing the VMware Horizon Client sharing pop-up for more info.

Serial Port Redirection

  1. If you connect to a Horizon Agent that has Serial Port Redirection enabled, then a new icon will appear in the system tray.
  2. Right-click the icon to map the remote COM port to the local COM port.

Scanner Redirection

From VMware BlogsScanner Redirection in Horizon with View: we have added scanner redirection to Horizon with View for use with both VDI desktops and Remote Desktop Session Host (RDSH) applications and desktops. The new scanner redirection functionality in View works by capturing the entire image at the client with the scanning device, compressing the image, and sending that compressed image to the guest in the data center, where the image is presented by a “virtual scanner device” to the application that requested the image capture. The scanner redirection functionality supports both TWAIN and WIA scanning modes, and allows images to be captured from both scanners and other imaging devices (such as webcams).

The scanner redirection functionality requires the Horizon Agent version 6.0.2 or later, and the Windows Horizon Client 3.2 or later.

When you install the Horizon Agent component, be sure to select the scanner redirection feature if you want to use it; it is disabled by default. If you are installing the feature onto a server-based OS (Windows Server 2008 R2 or Windows Server 2012 R2) for either VDI desktops or RDSH desktops or applications, then be sure that the Desktop Experience feature (a Microsoft operating system feature) is installed on the server OS first. (This is a prerequisite for installing scanners in a server-based OS.)

After a user makes a connection from a compatible Windows Horizon Client to the new Horizon Agent, a new tool-tray application icon appears. The user clicks the icon to reveal the compatible image acquisition devices available for scanning.

The default mode of operation is, however, that “it should just work,” and the seamless hosted application should be able to acquire an image without needing manual intervention. The user may need to adjust the preferences if more than one imaging device is connected to the client machine, and the user wants to select a specific scanner, or if the user wants to adjust the scan resolution, and so on.

Scanner Redirection Preferences, available by clicking Preferences from the tool-tray icon, allows further configuration of the scanning process, for example, adjusting the default compression applied to the scanning. This can greatly reduce the bandwidth needed to transmit the image (the compression is applied on the client side before the image is transmitted to the guest), but, of course, the more an image is compressed, the lower the image quality. In addition, in the Scanner Redirection Preferences, options are available to adjust the default image capture device (for example, automatic mode, last-used, or an absolute specified device).

These preferences can also be adjusted by way of Group Policy options in the guest OS. A new GPO file (available in the Horizon with View GPO Bundle) allows this configuration. See Configuring Scanner Redirection in Setting Up Desktop and Application Pools in View for more information

Scanner Redirection Caveats

From VMware Communities:

  • Scanner redirection does not create a device on your virtual desktop that matches the name of the actual scanner.  It creates a generic scanner in Device Manager called VMWare Virtual WIA Scanner (or VMWare Virtual TWAIN Scanner I am assuming).  For us this stinks because the image capture software our client uses (Vertex by Jack Henry), has a prepopulated list of scanners you can select.  So if we plug in a Canon-CR50 and select Canon CR50/80 in the application, it does not recognize that this scanner is attached to the virtual desktop.
    1. There is a tick box option in the scanner preferences dialog box titled “Use vendor defined names for TWAIN scanners”. This should solve the issue you mention and we added it specifically to cover the problematic use case you mention.
    2. This only applies to TWAIN scans, WIA can’t use the vendor name.
  • You must install a TWAIN or WIA driver on your thin client.  If you can’t find a TWAIN or WIA driver, you are out of luck.  For teller check image scanners, we have found no TWAIN or WIA drivers for the TellerScan TS-230, TS-240, or the Canon CR-55.  We have found a TWAIN driver for the Canon CR-50 (from the Canon Europe site no less), but issue #1 above means we are out of luck.

Client Printers

Horizon 7.7 and newer with Horizon Client 4.10 and newer have a new VMware Integrated Printing (aka VMware Advanced Printing) feature that replaces the older ThinPrint technology.

When printing from an application, if you highlight a printer and click Preferences, the VMware Horizon icon on the Layout tab shows you that this printer is using VMware Integrated Printing.

If you open the client printer Properties as an administrator, on the Advanced tab, you will see the VMware Universal EMF Driver.

If older ThinPrint:

  • Inside the virtual desktop, if you go to Devices and Printers, it will look a little weird. To see all of the client printers, right-click on the TP printer and use the expandable menus.
  • But when you print from an application, all printers appear normally.

File Type Association

Some published applications might have file types associated with them. When you double-click a file with the configured extension, you might be prompted to open the file using the remote application.

In Horizon Client, if you right-click an icon and click Settings:

  • On the Sharing page, you can disable this functionality.

It’s also configurable in the client-side registry at HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware VDM\Client by creating a String value at named AllowFileRedirection and setting it to false. See VMware Communities for more information.

Session Collaboration

Horizon 7.4 and newer have an Allow Session Collaboration checkbox in Pool Settings and RDS Farm Settings.

This setting enables a VMware Horizon Collaboration icon in the system tray of the remote desktop, which lets you invite users to collaborate.

The invite is a URL that you can run (or click) on the collaborator’s machine that has Horizon Client 4.7 or newer installed.

To give control to the collaborator, double-click the green icon to open the Session Collaboration window. Or open the icon in the system tray.

Performance Tracker

Horizon Agent 7.5 and newer have an optional component called Performance Tracker.

When installing Horizon Agent, the last option is Horizon Performance Tracker. It is deselected by default.

After it’s installed in an RDS farm, you can publish the Performance Tracker as an Application Pool.

Or connect to a Desktop, and launch it from the Desktop icon.

It can display protocol performance information in graphical or tabular form. The overview UI also shows the name of the Horizon Agent machine.

There’s also a Floating Bar option.

Performance Tracker can be configured to launch automatically:

  1. On a Horizon Agent machine that has Performance Tracker installed, go to C:\Program Files\vmware\Horizon Performance Tracker\admx.
  2. Rename the en_us folder to en-us (dash instead of underscore). It is misspelled.
  3. Copy the .admx file and the en-us folder to the clipboard.
  4. Go to PolicyDefinitions in your domain’s Sysvol (e.g. \\corp.local\sysvol\corp.local\Policies\PolicyDefinitions) and paste the files.

    • If you don’t have PolicyDefinitions in your Sysvol, then instead paste them in C:\Windows\PolicyDefinitions.
  5. Edit a GPO that applies to the Horizon Agents. These are Computer settings.
  6. Go to Computer Configuration | Policies | Administrative Templates | VMware Horizon Performance Tracker.
  7. On the right, you’ll see two options for auto starting the Performance Tracker.
  8. Both settings let you Show or Hide the overview UI.
  9. If Hide is selected, then users can open the Tracker from the systray icon.

HTML Blast

From the Horizon Connection Server webpage, you can click the VMware Horizon View HTML Access link to launch a desktop or application inside your browser. While Internet Explorer 9 is supported, some functionality, like clipboard and audio, is only available in Internet Explorer 10 and newer, Chrome and Firefox.

In Horizon 6.2 and later, you can launch applications as well as desktops from HTML Blast.

If you click the star icon then you can Mark the icon as a Favorite. Favorites are stored in the LDAP database on the Horizon Connection Server.

Applications and desktops are launched within the browser window. You can click the vertical lines on the left to switch to a different application or desktop.

You can open the Copy & Paste panel to copy between the local machine and the remote machine.

Thin Clients

VMware View Thin Client Compatibility Guide – Thin Client Device and Model Information. It shows thin client models and the version of Horizon View that is supported with the model.

Repurposed PCs

From Chris Halstead VMware Horizon View AutoConnection Utility: I decided to write an app in .NET that is essentially a wrapper for the View Client.  It creates the command line variables based on what the user configures in the GUI and automatically connects to the specified desktop or application pool.  All of the user configured information is stored in the registry under the current user hive.

The application silently and automatically connects into either a desktop or application pool each time a user logs in by placing it in the startup folder.

Once you have tested your connection, you are ready to enable AutoConnection.  You enable AutoConnection by checking the “Enable AutoConnection” box.   A common use case would be to place the .exe in the Windows startup folder so that every time a user logs in it will automatically connect to the Virtual Desktop.

This will run the application with the GUI hidden and will automatically connect to the specified pool.   The application will minimize to the system tray and a balloon will indicate the connection process is occurring.

Horizon Client Group Policy – Security Settings

The Horizon GPO Bundle includes policy templates for the Horizon Client. See https://www.carlstalhood.com/horizon-group-policy-and-profiles/#viewtemplates to install the ADMX files.

Here are some security GPO settings recommended (VMware Horizon with View Security Hardening Overview) by VMware:

GPO Setting
Computer Config | Policies | Administrative Templates | VMware Horizon Client Configuration | Scripting definitions

Disable 3rd-party Terminal Server plugins = enabled

Computer Config | Policies | Administrative Templates | VMware Horizon Client Configuration | Security Settings

Allow command line credentials  = disabled

Certificate verification mode = enabled, Full Security

Default value of the ‘Log in as current user’ checkbox = disabled

Display option to Log in as current user = disabled

Servers Trusted for Delegation = enabled

 

VMware Horizon 6 – Master RDS Host

Last Modified: Sep 2, 2018 @ 7:52 am

Navigation

Use this post to build a Windows Server Remote Desktop Session Host that will be used as the source image for additional cloned Remote Desktop Session Hosts. Or you can build each Remote Desktop Session Host manually using the steps detailed in this post.

Hardware

  • The session host pools will use the same hardware specs (e.g. vCPUs, memory size, network label) specified on the master session host. Adjust accordingly.
  • For 2012 R2, set the vCPUs to 8. For 2008 R2, set the vCPUs to 4. Two is the minimum. See VMware whitepaper for more information.
  • Typical memory for an 8 vCPU session host is 24 – 48 GB (e.g. 32 GB).
  • For New Hard disk, consider setting Thin provision. And increase the size so it can store the locally cached profiles (C:\Users).
  • The session host should be configured with a VMXNET 3 network adapter.
  • When building the master session host, you will probably boot from an ISO. When you are ready to create the pool (RDS farm), ensure the CD/DVD drive points to Client Device and is not Connected. The important part is to make sure ISO file is not configured.
  • There’s no need for the Floppy drive so remove it.
  • If you have any Serial ports, remove them.

NIC Hotplug – Disable

  1. Users could use the systray icon to Eject the Ethernet Controller. Obviously this is bad.
  2. To disable this functionality, power off the virtual machine.
  3. Once powered off, right-click the virtual machine and click Edit Settings.
  4. On the VM Options tab, expand Advanced and then click Edit Configuration.
  5. Click Add Row.
  6. On the left, enter devices.hotplug. On the right, enter false.
  7. Then click OK a couple times to close the windows.
  8. The VM can then be powered on.

VMware Tools

VMware Tools includes the Shared Folders feature, which prevents roaming profiles from being deleted properly. When installing VMware Tools, make sure you deselect Shared Folders so it is not installed.

After installing VMware Tools, open Registry Editor and go to HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order. Look in the ProviderOrder value on the right and ensure that vmhgfs is not listed. If it is, remove it.

Windows

Disable Internet Explorer Enhanced Security Config

  1. In Server Manager, switch to the Local Server page.
  2. On the far right, click the link for On next to IE Enhanced Security Configuration.
  3. Click Off for both Administrators and Users. Click OK.

User Account Control and SmartScreen

This section is optional.

  1. Right-click the flag icon by the clock and click Open Action Center. Or launch it from the Start Menu.
  2. On the left click Change User Account Control settings.
  3. To disable UAC, move the slider down to Never Notify and click OK. Or you can leave it enabled if your security standards require it.
  4. Back in Action Center, on the left, click Change Windows SmartScreen settings.
  5. Make your selection regarding SmartScreen and click OK.

Windows Update

Whenever you deploy a virtual machine from a template and SysPrep is executed during the cloning process, all Windows Update settings are reset. You must reconfigure Windows Update on every new virtual machine (or use group policy).

  1. In Server Manager, click Local Server on the left. Then on the right click the link for Last checked for updates.
  2. On the left, click Change settings.
  3. Check the box next to Give me updates for other Microsoft products when I update Windows and click OK.
  4. Windows Update will automatically start checking for updates.
  5. Install any updates it recommends.

Windows Server 2008 R2 Hotfixes

If this is a Windows Server 2008 R2 session host, at a minimum, request and install the Windows hotfixes listed at Citrix CTX129229 Recommended Hotfixes for XenApp 6.x on Windows Server 2008 R2. Scroll down to the Microsoft Hotfixes section.

Microsoft 2483177 You cannot play back an H.264 video file or an AAC audio file on a computer that is running Windows Server 2008 R2 with the Desktop Experience feature enabled. From the hotfix description: the Desktop Experience feature in Windows Server 2008 R2 does not include decoders for the H.264 and AAC formats.

The following file is available for download from the Microsoft Download Center:

Download the Desktop Experience Decoder Update for Windows Server 2008 R2 package now.

File Sharing

By default on Windows 2012, if Windows Firewall is enabled, then all file shares are blocked. You can’t even connect to C$ from a different machine. To facilitate remote management, consider enabling file sharing.

  1. To enable sharing, by the clock, right-click the network icon and click Open Network and Sharing Center.
  2. On the left, click Change advanced sharing settings.
  3. Select Turn on file and printer sharing.
  4. Select Tun on network discovery.

Windows Firewall – Remote Management

By default, Windows Server 2012 blocks remote management tools. For example, you can’t use Event Viewer on server 1 to access the event logs on server 2.

  1. Run Windows Firewall with Advanced Security.
  2. On the left, click Inbound Rules.
  3. On the right, right-click COM+ Network Access (DCOM-In) and click Enable Rule.
  4. Highlight all three Remove Event Log rules, right-click, and click Enable Rule.

Local Administrators Group

If the Horizon Administrators and members of the Domain Admins group are the same people, then there is nothing to change. Otherwise, add your Horizon Admins group to the local Administrators group.

  1. In Server Manager, open the Tools menu and click Computer Management. Or launch it by right-clicking the Start Button.
  2. Add the Horizon Admins group to the local Administrators group.

Remote Desktop Session Host

Role and Features – Windows Server 2012

If this session host is Windows Server 2008 R2 then skip to the next section.

  1. In Server Manager, open the Manage menu and click Add Roles and Features.
  2. Click Next until you get to the Server Roles page.
  3. Check the box next to Remote Desktop Services and click Next.
  4. Check the box next to Group Policy Management and scroll down.
  5. Expand User Interfaces and Infrastructure and check the box next to Desktop Experience. This adds a bunch of features like Themes, Windows Media Player, Flash, etc.
  6. Check the box next to Telnet Client and scroll up.
  7. Expand Remote Server Administration Tools > Role Administration Tools > AD Delivery Services and AD LDS Tools > AD DS Tools. Check the box next to Active Directory Administrative Center.
  8. To verify Remote Desktop Services licensing, expand Remote Desktop Services Tools and check the box next to Remote Desktop Licensing Diagnoser Tool. Click Next when done.
  9. In the Select role services page, check the box next to Remote Desktop Session Host and click Next.
  10. If desired, click the Restart box, then click Install. Restart is required.

Windows Roles – Windows Server 2008 R2

If this session host is running Windows 2008 R2 then the instructions are slightly different.

  1. In Server Manager, right-click Roles and click Add Roles.
  2. In the Before You Begin page, click Next.
  3. In the Select Server Roles page, check the box next to Remote Desktop Services and click Next.
  4. In the Introduction to Remote Desktop Services page, click Next.
  5. In the Select Role Services page, check the box next to Remote Desktop Session Host and click Next.
  6. In the Uninstall and Reinstall Applications for Compatibility page, click Next.
  7. In the Specify Authentication Method for Remote Desktop Session Host page, select Do not require Network Level Authentication and click Next.
  8. In the Specify Licensing Mode page, select Per User and click Next.
  9. In the Select User Groups Allowed Access to this RD Session Host Server page, click Add. Browse for Authenticated Users (on the local machine) and click Next.
  10. In the Configure Client Experience page, check the boxes for Audio and video playback and Desktop composition. This causes Desktop Experience to be installed. Click Next.
  11. In the Confirm Installation Selections page, click Install.
  12. In the Installation Results page, click Close.
  13. Click Yes when you are prompted to restart now.
  14. Login to the server. Then click Close.

Remote Desktop Licensing Configuration

The only way to configure Remote Desktop Licensing in Windows Server 2012 is using group policy (local or domain). This also works for Windows Server 2008 R2.

  1. For local group policy, run gpedit.msc.
  2. Go to Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Licensing.
  3. Double-click Use the specified Remote Desktop license servers. Change it to Enabled and enter the names of the RD Licensing Servers. Click OK.
  4. Double-click Set the Remote Desktop licensing mode. Change it to Enabled and select Per User. Click OK.
  5. In Server Manager, open the Tools menu, expand Terminal Services and click RD Licensing Diagnoser.
  6. The Diagnoser should find the license server and indicate the licensing mode. It’s OK if there are no licenses installed on the Remote Desktop License Server.

C: Drive Permissions

The default permissions allow users to store files on the C: drive in places other than their profile.

  1. Open the Properties dialog box for C:\.
  2. On the Security tab, click Advanced.
  3. Highlight the line containing Users and Create Folders and click Remove.
  4. Highlight the line containing Users and Special and click Remove. Click OK

  5. Click Yes to confirm the permissions change.
  6. If you see any of these Error Applying Security windows, click Continue.
  7. Click OK to close the C: drive properties.

Installs

VMware Horizon 6 Agent 6.2.2

View Agent for RDS Hosted Apps Desktops is missing a few features:

  • No Generic USB Redirection. USB Flash Drives and hard drives are supported.
  • No Real-Time Audio Video
  • No serial port redirection
  • No Persona. Instead use VMware User Environment Manager (Horizon Enterprise) or Microsoft’s roaming profiles

To install View Agent on Remote Desktop Services, do the following:

  1. Go to the downloaded Horizon 6 Agent x64 6.2.2 and run VMware-viewagent-x86_64-6.2.2.exe.
  2. In the Welcome to the Installation Wizard for VMware Horizon 6 Agent page, click Next.
  3. In the License Agreement page, select I accept the terms and click Next.
  4. If you see a message about Desktop OS Configuration then you need to cancel the installer and install the Remote Desktop Session Host role.
  5. In the Network protocol configuration page, select IPv4 and click Next.
  6. In the Custom Setup page, enable Scanner Redirection if desired. Same for USB Redirection.
  7. Client Drive Redirection is a new feature in Horizon 6 Agent 6.1. The description indicates that the file transfers are not encrypted.
  8. VMware Horizon View Composer Agent is a new feature of Horizon 6 Agent 6.2. If you are building a pool of Remote Desktop Session Hosts then install this feature. Note: if you are not building linked clones then don’t select this option or else you won’t be able to select the machine in a Manual RDS Farm in View Administrator.
  9. Click Next when done making selections.
  10. Click OK to acknowledge the USB redirection message.
  11. If you see the Register with Horizon 6 Connection Server page, enter the name of a Horizon 6 Connection Server and click Next. You only see this page if not installing the View Composer Agent.
  12. In the Ready to Install the Program page, click Install.
  13. In the Installer Completed page, click Finish.
  14. Click Yes to restart the server.

User Environment Manager Engine

If you are licensed for User Environment Manager (Horizon Enterprise Edition), install the User Environment Manager Engine.

  1. Make sure Prevent access to registry editing tools is not enabled in any GPO. This setting prevents the FlexEngine from operating properly.
  2. In Server Manager, open the Manage menu and click Add Roles and Features.
  3. In the Features page, select .NET Framework 3.5 and click Next.
  4. In the Confirmation page, click Specify an alternate source path.
  5. Mount or extract the Windows Server 2012 R2 ISO.
  6. Enter the path to the sources folder on the Windows Server 2012 R2 ISO and click OK. Then click Install.
  7. Go to the extracted User Environment Manager 9.0 files and run VMware User Environment Manager 9.0 x64.msi.
  8. In the Welcome to the VMware User Environment Manager Setup Wizard page, click Next.
  9. In the End-User License Agreement page, check the box next to I accept the terms and click Next.
  10. In the Destination Folder page, click Next.
  11. The Choose Setup Type page appears. By default, the installer only installs the engine. You can click Custom or Complete to also install the console.

  12. In the Choose License File page, if installing on a View Agent then no license file is needed. Click Next.
  13. Otherwise, Browse to the license file and then click Next.
  14. In the Ready to install VMware User Environment Manager page, click Install.
  15. In the Completed the VMware User Environment Manager Setup Wizard page, click Finish.

Horizon Agent Load Balancing Script

If you have multiple identical Remote Desktop Services Hosts in a single RDS Farm, by default, VMware Horizon uses a least connections Load Balancing algorithm. You can change this to performance-based Load Balancing by configuring scripts on each RDS Host. See Configuring Load Balancing for RDS Hosts at pubs.vmware.com.

There are only three levels of load: HIGH, MED, and LOW. Within a load level, Horizon selects an RDS server at random.

Do the following to configure the Load Balancing script:

  1. The script must be placed at C:\Program Files\VMware\VMware View\Agent\scripts on every RDS Host. VMware provided a couple sample scripts that you can use. One script only looks at CPU and the other script only looks at Memory. If you write your own script, make sure it exists in this folder on every RDS Host in the RDS Farm.
  2. Open Services and configure the VMware Horizon View Script Host service to run automatically.

  3. Then start the service.
  4. In regedit, go to HKLM\Software\VMware, Inc.\VMware VDM\ScriptEvents\RdshLoad.
  5. Create a new String Value. It doesn’t matter what you name it but the script name is recommended.
  6. Modify the String Value and enter cscript.exe “PathToScript”. For example: cscript.exe "C:\Program Files\VMware\VMware View\Agent\scripts\cpuutilisation.vbs"
  7. After setting the registry value, restart the VMware Horizon View Agent service.
  8. After you later add this RDS Host to a farm, in View Administrator, click the Dashboard view.
  9. Expand RDS Farms, expand the farm and click the RDS Host.
  10. Make sure the Server load is reported.

Antivirus

Install antivirus using your normal procedure. Instructions vary for each Antivirus product.

Microsoft’s virus scanning recommendations (e.g. exclude group policy files) – http://support.microsoft.com/kb/822158.

Symantec

Symantec has a document at http://www.symantec.com/business/support/index?page=content&id=TECH91070 detailing best practices when deploying Symantec Endpoint Protection to session hosts.

Best practices for virtualization with Symantec Endpoint Protection 12.1, 12.1 RU1, and 12.1 RU1 MP1  – http://www.symantec.com/docs/TECH173650

Install Applications

Install applications that will be executed on these machines.

VMware OS Optimization Tool

  1. Download the VMware OS Optimization Tool VMware fling.
  2. Run the downloaded VMwareOSOptimizationTool_1050.msi.
  3. On the Analyze tab, on the bottom left, click Analyze.
  4. Check both boxes and click Continue to Analyze.
  5. Review the optimizations and make changes as desired. Then on the bottom left click Optimize.
  6. Click the FAILED links for more information.
  7. The History tab lets you rollback the optimizations.
  8. The Templates tab lets you edit the optimizations. You can create your own template or edit an existing template.

Citrix has published a document with several registry modifications that are supposed to improve server performance. You can access it at http://support.citrix.com/article/CTX131577.

Another list of optimizations can be found at http://www.citrixtools.net/Resources/Articles/articleType/ArticleView/articleId/5610/Windows-2008-R2-Remote-Desktop-and-XenApp-6-Tuning-Tips-Update.aspx.

Seal and Snapshot

  1. Go to the properties of the C: drive and run Disk Cleanup.
  2. On the Tools tab, click Optimize to defrag the drive.
  3. Run slmgr.vbs /dlv and make sure it is licensed with KMS and has at least one rearm remaining.
  4. Run Delprof2 to clean up local profiles. Get it from http://helgeklein.com/download/.
  5. Make sure the master session host is configured for DHCP.
  6. Session hosts commonly have DHCP reservations.

  7. Run antivirus sealing tasks:
    1. Symantec: Run a full scan and then run the Virtual Image Exception tool – http://www.symantec.com/business/support/index?page=content&id=TECH173650
    2. Symantec: run the ClientSideClonePrepTool –http://www.symantec.com/business/support/index?page=content&id=HOWTO54706
  8. Shutdown the master session host.
  9. Edit the Settings of the master virtual machine and disconnect the CD-ROM. Make sure no ISO is configured in the virtual machine.
  10. Take a snapshot of the master session host. View Composer requires a snapshot.

  11. Use can now use Horizon View Administrator to create RDS Farms.

Full Clone Post-Cloning Tasks

If you used vCenter to clone the machine instead of using Horizon 6 Composer, then after the machine is cloned, do the following on the cloned machine:

  1. Static IP – Configure a static IP address (or DHCP reservation).
  2. Windows Update – Run Windows Update. SysPrep always disables Windows Update so you must run it at least once to re-enable it.
  3. Join domain – Join the machine to the domain if SysPrep didn’t do it for you.
  4. Active Directory OU – Move the Active Directory computer object to the correct OU.
  5. Horizon 6 Agent – uninstall the Horizon 6 Agent and reinstall it so it registers with a Horizon 6 Connection Server.
  6. Antivirus – Re-configure antivirus. Instructions vary based for each product. Go to the antivirus vendor’s website and search for a cloning procedure.
  7. Firewall rules – Add the new machine to any firewall rules (PCoIP, Blast) between the Horizon 6 Security Server and Horizon 6 Agents.
  8. View Administrator – In View Administrator, add the new machine to a Remote Desktop Services farm.

 

VMware Horizon 6 – RDS Farms/Pools

Last Modified: Mar 27, 2016 @ 10:02 am

Navigation

Overview

Before following this procedure, build a master RDS Session Host.

This post details VMware Horizon configuration for Remote Desktop Session Host Horizon View Agents. Virtual Desktops are detailed elsewhere.

Before you can publish applications or desktops, you must create an RDS Farm. An RDS Farm is a collection of identical (cloned) Remote Desktop Session Hosts. Applications must be installed identically on every machine in the farm. If you have different applications on different Remote Desktop Session Hosts then these are different RDS Farms.

Horizon 6 supports up to 200 RDS farms, each with up to 200 RDS hosts.

Once the RDS Farms are created, you publish resources from them by either creating a Desktop Pool or an Application Pool or both. When creating a Desktop Pool or Application Pool, all members of the RDS Farm are selected. It is not possible to select a subset of Farm members.

RDS Farms – Linked Clones

You can use View Composer to create RDS linked clones. Here are some missing features and other notes:

  • No QuickPrep. Uses SysPrep with Customization Specifications instead. SysPrep is slower than QuickPrep. SysPrep is also performed during Recompose operations.
  • No View Storage Accelerator.
  • No Rebalance.
  • No Refresh. The machines are persistent until you Recompose the farm.
    • The delta disks continue to grow until you Recompose the farm.
    • You can enable Space Reclamation to shrink the delta disks as files are deleted.
  • DHCP is required.

Customization Specification

If you want to use View Composer then SysPrep requires a Customization Specification in vCenter. QuickPrep is not supported with RDS farms.

  1. In vCenter, from the Home page, click Customization Specification Manager.
  2. Click the icon to create a new Customization Specification.
  3. In the Specify Properties page, give the spec a name and click Next.
  4. In the Set Registration Information page, enter your normal settings and click Next.
  5. In the Set Computer Name page, select Use the virtual machine name and click Next.
  6. In the Enter Windows License page, select Per seat and click Next.
  7. In the Set Administrator Password page, enter the local administrator password and click Next.
  8. In the Time Zone page, select the time zone and click Next.
  9. In the Run Once page, click Next.
  10. In the Configure Network page, leave it set to Use standard network settings. Horizon 6 requires the VMs to be configured for DHCP. Click Next.
  11. In the Set Workgroup or Domain page, enter credentials that can join the machines to the domain and click Next.
  12. In the Set Operating System Options page, leave the box checked and click Next.
  13. In the Ready to complete page, click Finish.

Create an Automatic Farm

To create a farm of linked clones, do the following:

  1. Make sure your RDS View Agents have the VMware Horizon View Composer Agent feature installed.
  2. In View Administrator, on the left, expand Resources and click Farms.
  3. On the right, click Add.
  4. In the Type page, select Automated Farm and click Next.
  5. In the vCenter Server page, select the vCenter Server and View Composer and click Next.
  6. In the Identification and Settings page, enter a name for the Farm. A folder with the same name will be created in vCenter.
  7. Allow users to choose protocol should be set to No.
  8. For Empty session timeout, set it to 1 minute. For When timeout occurs, set it to Log off. You usually want the session to end when users close all of their applications.
  9. For Log off disconnected sessions, specify a disconnect timer. This is in addition to the idle timer configured in View Configuration > Global Settings.
  10. Check the box next to Allow HTML Access and click Next.
  11. In the Provisioning Settings page, enter a naming pattern. Make sure the name includes {n:fixed=3} or something like that.
  12. Enter the number of machines to create and click Next.
  13. In the Storage Optimization page, click Next.
  14. In the vCenter Settings page, click Browse next to each option and make a selection.
  15. When selecting a datastore, set the Storage Overcommit to Unbounded. Click OK and then click Next.
  16. In the Advanced Storage Options page, decide if you want space reclamation or not. Space reclamation does reduce disk space but increases IOPS while the operation is occurring. If space reclamation is enabled, also configure a Blackout window so the increased IOPS does not affect production usage. Scroll down.
  17. If you scroll down you’ll see an option for Transparent Page Sharing. By default it is disabled. You can enable it by setting it to Global. This should reduce some memory consumption. Click Next.
  18. In the Guest Customization page, select an OU.
  19. Select a customization specification and click Next.
  20. In the Ready to Complete page, click Finish.
  21. On the RDS Hosts tab you can see the progress of the farm creation operation.
  22. Since RDS Farms use SysPrep, it will take some time before they become available.
  23. Once the RDS Hosts are created, you publish resources from them by either creating a Desktop Pool or an Application Pool or both.

Add RDS Host to Automatic Farm

  1. On the left, expand Resources and click Farms.
  2. On the right, highlight an existing Farm and click Edit.
  3. Switch to the Provisioning Settings tab and change the Max number of machines. Then click OK.
  4. Since this is based on SysPrep, it will take a while to add the virtual machine. The new VMs reboot several times during the provisioning and customization process.
  5. The farm now has new RDS host(s).

Update an Automatic Farm

  1. Power on the master session host.
  2. After making your changes, shut down the master session host.
  3. Right-click the virtual machine and take snapshot. You must create a new snapshot.
  4. Name the snapshot and click OK.
  5. You’ll need to periodically delete the older snapshots. Right-click the master VM and click Manage Snapshots.
  6. Delete one or more of the snapshots.
  7. In View Administrator, go to Resources > Farms.
  8. Double-click a farm name.
  9. Before beginning the Recompose operation, edit the Farm and on the Provisioning Settings tab consider specifying a minimum number of ready machines during View Composer maintenance operations. If you leave this set to 0 then all machines will be in maintenance mode and nobody can connect until Recompose is complete.
  10. On the Summary tab, click Recompose.
  11. In the Image page, select the new snapshot and click Next.
  12. In the Scheduling page, decide when to apply this new image and then click Next.
  13. In the Ready to Complete page, click Finish.
  14. On the RDS Hosts tab, you can check on the status of the recompose task. Since RDS Farms use SysPrep, this will take a while.

RDS Farms – Manual

To create a manual RDS Farm, do the following:

  1. Make sure the View Composer Agent is not installed on your RDS servers and make sure you saw the screen to register the Agent with a Horizon 6 Connection Server.
  2. In View Administrator, expand View Configuration and click Registered Machines. Make sure your manually built RDS Host is registered and listed on the RDS Hosts tab.

  3. In View Administrator, on the left, expand Resources and click Farms.
  4. On the right, click Add.
  5. In the Identification and Settings page, enter a name for the Farm.
  6. For Empty session timeout, set it to 1 minute. For When timeout occurs, set it to Log off. You usually want the session to end when users close all of their applications.
  7. For Log off disconnect sessions, specify a disconnect timer. This is in addition to the idle timer configured in View Configuration > Global Settings.
  8. Check the box next to Allow HTML Access and click Next.
  9. In the Select RDS Hosts, select one or more identical Remote Desktop Session Hosts. Click Next.
  10. In the Ready to Complete page, click Finish.

Add RDS Host to Manual Farm

  1. On the left, expand Resources and click Farms.
  2. On the right, double-click an existing Farm.
  3. On the right, switch to the RDS Hosts tab and click Add.
  4. Select the new RDS host and click OK.
  5. The farm now has a new RDS host.

Published Desktop

To publish a desktop from an RDS farm, do the following:

  1. In View Administrator, on the left, expand Catalog and click Desktop Pools.
  2. On the right, click Add.
  3. In the Type page, select RDS Desktop Pool and click Next.
  4. In the Desktop Pool Identification page, enter an ID and name. They can be different. Click Next.
  5. In the Desktop Pool Settings page, click Next.
  6. In the Select an RDS farm page, select a farm and click Next.
  7. In the Ready to Complete page, check the box next to Entitle users after this wizard finishes and click Finish.
  8. In the Entitlements window, click Add.
  9. Browse to an Active Directory group and click OK.
  10. Then click Close.
  11. If you go to Resources > Farms, double-click your farm and switch to the RDS Pools tab, you can see which Desktop Pool is associated with this farm.

Published Applications

  1. In View Administrator, on the left, expand Catalog and click Application Pools.
  2. On the right, click Add.
  3. The purpose of this wizard is to publish applications from an RDS Farm and entitle them. The entitlements will apply to all of the applications you select on this page. If you want different entitlements for different applications, run this wizard multiple times and select different applications. Once the applications are published, you can change their entitlements individually. Click Next after selecting one or more applications.
  4. Or you can add an application manually by changing the radio button to Add application pool manually. Notice that Explorer is not one of the listed applications so that one will need to be done manually.
  5. Notice the Entitle users box is checked by default. All of the applications in this list will receive the same entitlements. Click Finish.
  6. Then click Add to select a group that can see these icons. Click OK when done.
  7. You can run the wizard again to publish more applications with different entitlements.
  8. If you double-click one of the application pools, on the Entitlements page you can change the entitlements.
  9. If you go to Resources > Farms, double-click your farm, and switch to the RDS Pools tab, you can see which Application Pools (published applications) are associated with this farm. Notice you can’t really do anything from here.

Anti-affinity

You can configure Horizon to restrict the number of instances of an application running on a particular RDS host. Here are some limitations:

  • If the user already has a session then anti-affinity is ignored.
  • If the application is launched from within an RDS Desktop then anti-affinity is ignored.
  • Not recommended for Horizon Mobile clients.

See Configure an Anti-Affinity Rule for an Application Pool at pubs.vmware.com.

Do the following to configure Anti-Affinity:

  1. On the left, expand Catalog and click Application Pools.
  2. On the right, edit an existing app/pool.
  3. In the Anti-Affinity Patterns field, enter process names to match. Wildcards are supported. Each match is counted.
  4. In the Anti-Affinity Count field, enter the maximum number of matches that can run on a single RDS Host.

Horizon View Load Balancing – NetScaler 11

Last Modified: Sep 2, 2018 @ 7:52 am

Navigation

Use this procedure to load balance Horizon View Connection Servers, Horizon View Security Servers, and/or VMware Access Points.

Overview

Servers/Appliances

There are two VMware-provided remote access solutions for Horizon:

Access Points are preferred over Security Servers for the following reasons:

  • No need to pair with internal Connection Servers. This simplifies the configuration.
  • Linux appliance instead of Windows server.
  • Authentication can be offloaded to Access Point. This includes: Smart Cards, RSA, and RADIUS.

If you are using Access Points instead of Security Servers then you’ll have the following machines in a highly available Horizon infrastructure:

  • Two Internal Connection Servers – these need to be load balanced on an internal VIP. Internal users connect to the internal VIP.
  • Two DMZ Access Point appliances – these need to be load balanced on a DMZ VIP. External users connect to the DMZ VIP. Access Points connect to the internal VIP.

With Security Servers instead of Access Points, a typical Horizon Infrastructure will have at least six connection servers:

  • Two Internal Connection Servers – these need to be load balanced on an internal VIP. Internal users connect to the internal VIP.
  • Two DMZ Security Servers – these need to be load balanced on a DMZ VIP. External users connect to the DMZ VIP. Each Security Servers connects directly to a “paired” Connection Servers.
  • The DMZ Security Servers are paired with two additional internal “paired” Connection Servers. There is no need to load balance the internal Paired Connection Servers. However, we do need to monitor them.

Since Security Servers are paired with Connection Servers, you need to configure load balancing monitors to disable the Security Server if the paired Connection Server is not accessible. Since Access Points are not paired with Connection Servers, you don’t need this special monitoring configuration.

Protocols/Ports

Horizon 7 introduces a new Blast Extreme protocol. VMware Technical White Paper Blast Extreme Display Protocol in Horizon 7.

For VMware Access Point, Blast Extreme only needs TCP and UDP 443 only. HTML Access in Horizon 7 also uses Blast Extreme protocol (TCP/UDP 443). If you use VMware Access Point with Blast Extreme exclusively, then the number of ports is minimal, and load balancing configuration is simplified. Here are typical load balancing port requirements for Access Point with Blast Extreme only:

  • TCP 443
  • UDP 443

Note: UDP is disabled by default, but it can be enabled using a Blast GPO setting.

For View Security Servers, and Blast Extreme protocol only, then the following load balancing ports are needed. Note: Access Point supports 443 port sharing, but Security Servers do not.

  • TCP 443
  • TCP 8443
  • UDP 8443

Note: UDP is disabled by default, but it can be enabled using a Blast GPO setting.

For all other configurations that don’t use Blast Extreme (PCoIP, HTML Blast), the following ports must be load balanced:

  • TCP 443
  • TCP 4172
  • UDP 4172
  • TCP 8443

If you are load balancing internal Connection Servers only, and if the Secure Gateways are disabled, then the only port you need to load balance is:

  • TCP 443

VMware requires server persistence to apply across multiple load balanced port numbers. If a user is load balanced to a particular View Connection Server on TCP 443, then the connection on UDP 4172 must go the same View Connection Server. Normally load balancing persistence only applies to a single port number, so whatever sever was selected on 443 won’t be considered for the 4172 connection. But in NetScaler, you can configure a Persistency Group to use a single persistency across multiple load balancing vServers (different port numbers). In F5, you configure Match Across.

Also see Load Balancing with Access Point by Mark Benson at VMware Communities  💡

This topic primarily focuses on NetScaler GUI configuration. Alternatively, you can skip directly to the CLI commands.

Horizon 7 Origin Check

Horizon 7 might not accept your load balanced DNS name unless it’s the same name configured in the Connection Server’s Secure Tunnel configuration. You can change this behavior by disabling Origin Check as detailed at VMware 2144768 Accessing the Horizon View Administrator page displays a blank error window in Horizon 7. Note: this configuration is almost mandatory for Access Points since Secure Tunnel is disabled on the Connection Servers.

Load Balancing Monitors

Users connect to Connection Servers, Security Servers, and Access Point appliances on multiple ports: TCP 443, UDP 443, TCP 8443, UDP 8443, TCP 4172, and UDP 4172. Users will initially connect to TCP port 443 and then be redirected to one of the other ports on the same server/appliance initially used for the TCP 443 connection. If TCP 443 is up but UDP 4172 is down on the same server/appliance then you probably wan’t to take TCP 443 down too. To facilitate this, create a monitor for each of the ports and bind all of the monitors to the TCP 443 service. Then if any of the monitors goes down then TCP 443 is also take down.

Note: TLS 1.0 is disabled in Horizon View 6.2.1 and newer. If your NetScaler supports TLS 1.2 on the back end then this isn’t a problem. Back-end TLS 1.2 was added to NetScaler MPX/SDX in 10.5 build 58. And it was added to NetScaler VPX in 11.0 build 65. For older NetScaler builds, you’ll need to enable TLS 1.0 (and HTML Blast) in Horizon or else the monitors won’t work.

In NetScaler VPX 11.0 build 64, secure HTTP monitors attached to SSL_BRIDGE services try to use TLS 1.2 instead of TLS 1.0. To fix this problem, run set ssl parameter -svctls1112disable enable -montls1112disable enable as detailed at CTX205578 Back-End Connection on TLS 1.1/1.2 from NetScaler to IIS Servers Break.

SSL Monitor

  1. On the left, expand Traffic Management, expand Load Balancing, and click Monitors.
  2. On the right, click Add.
  3. Name it Horizon-SSL or similar.
  4. Change the Type drop-down to HTTP-ECV.
  5. On the Standard Parameters tab, in the Destination Port field, enter 443.
  6. Scroll down and check the box next to Secure.
  7. On the Special Parameters tab, in the Send String section, enter GET /broker/xml
  8. In the Receive String section, enter clientlaunch-default
  9. Scroll down and click Create.

PCoIP Monitor

  1. On the right, click Add.
  2. Name it Horizon-PCoIP or similar.
  3. Change the Type drop-down to TCP.
  4. On the Standard Parameters tab, in the Destination Port field, enter 4172.
  5. Scroll down and click Create.

Blast Monitor

  1. On the right, click Add.
  2. Name it Horizon-Blast or similar.
  3. Change the Type drop-down to TCP.
  4. On the Standard Parameters tab, in the Destination Port field, enter 8443.
  5. Scroll down and click Create.

Paired Connection Server Monitor

Note: the steps in this section do not apply to Access Points or internal Connection Servers.

View Security Servers are paired with View Connection Servers. If the paired View Connection Server is down, then we should probably stop sending users to the corresponding View Security Server. Let’s create a monitor that has a specific IP address in it.

  1. Right-click the existing Horizon-SSL monitor and click Add.
  2. Normally a monitor does not have any Destination IP defined, which means it uses the IP address of the service that it is bound to. However, we intend to bind this monitor to the View Security Server but we need it to monitor the paired View Connection Server, which is a different IP address. Type in the IP address of the paired View Connection Server. Then rename the monitor so it includes the View Connection Server name. Click Create.
  3. Since we are embedding an IP address into the monitor, you have to create a separate monitor for each paired Connection Server IP. Create another monitor. Specify the IP of the other paired Connection Server. Click Create.

Load Balancing Servers

Create Server Objects for the DMZ Security Servers, DMZ Access Point appliances and the internal non-paired Connection Servers. Do not create Server Objects for the Paired Connection Servers.

  1. On the left, expand Traffic Management, expand Load Balancing, and click Servers.
  2. On the right, click Add.
  3. Enter a descriptive server name, usually it matches the actual server name.
  4. Enter the IP address of the Access Point, Horizon Connection Server, or Horizon Security Server.
  5. Enter comments to describe the server. Click Create.
  6. Continue adding Access Points, Horizon Connection Servers, and/or Horizon Security Servers.

Load Balancing Services

Overview

Services vs Service Groups:

  • For Security Servers, if the paired Connection Server is down, then we need the Security Server to go down too. One of the monitors bound to the Security Server contains the IP address of the paired Connection Server. Since each Security Server is paired with a different Connection Server, that means each Security Server will have a unique monitoring configuration. This precludes us from adding multiple Security Servers to a single Service Group since you can only have one monitor configuration for the entire Service Group. Instead, create separate Services (multiple port numbers) for each Security Server.
    • Individual services per server are only needed for TCP 443. The other ports can be service groups.
  • For Access Points, there is no special monitoring configuration and thus these appliances could be added to Service Groups (one for each port number).
  • For internal Connection Servers (non-paired), there is no special monitoring configuration and thus these appliances could be added to one Service Group. Internal Connection Servers usually only need TCP 443 load balanced.

For Internal Connection Servers (not the paired servers), load balancing monitoring is very simple:

  • Create a service group for SSL 443.
  • To verify server availability, monitor port TCP 443 on the same server.
  • If tunneling is disabled then internal users connect directly to View Agents and UDP/TCP 4172 and TCP 8443 are not used on Internal Connection Servers. There’s no need to create service groups and monitors for these ports.

Security Servers and Access Point appliances are more complex:

  • For Blast Extreme protocol through Access Points, if UDP is not enabled, then you only need services for TCP 443. If UDP is enabled, then you also need load balancing services for UDP 443.
  • For Blast Extreme protocol through View Security Servers, if UDP is not enabled, then you only need services for TCP 443 and TCP 8443. If UDP is enabled, then you also need load balancing services for UDP 8443.
  • For PCoIP protocol, all traffic initially connects on TCP 443. The Horizon clients then connect to UDP 4172 on the same Security Server or Access Point. If 4172 is down, then 443 should be taken down. Bind monitors for each port to the TCP 443 service. If any of the monitors fails (e.g. 4172 is down), then TCP 443 is taken down and NetScaler will no longer forward traffic to TCP 443 on that particular server/appliance.
  • Each Security Server is paired with an internal Connection Server. If the internal Connection Server is down then the Security Server should be taken down. This requires custom monitors for each Security Server. This is not a problem for Access Points.

Load Balancing Services Configuration Summary

The summaries are split into PCoIP vs Blast Extreme, and View Security Servers vs Access Points. If you are using both PCoIP and Blast Extreme, combine their configurations.

Two Access Points for Blast Extreme: if they are named VAP01 and VAP02, the load balancing service configuration for Blast Extreme in Horizon 7 (no PCoIP) is summarized as follows (scroll down for detailed configuration):

  • Service Group, Protocol = SSL_BRIDGE
    • Members = VAP01 and VAP02
    • Port = 443
    • Monitor = SSL (443)
  • Service Group, Protocol = UDP (this service group is only needed if Blast Extreme UDP is enabled)
    • Members = VAP01 and VAP02
    • Port = 443
    • Monitor = SSL (443) or ping

Two Access Points for PCoIP protocol: if they are named VAP01 and VAP02, the load balancing service configuration for PCoIP is summarized as follows (scroll down for detailed configuration):

  • Service Group, Protocol = SSL_BRIDGE
    • Members = VAP01 and VAP02
    • Port = 443
    • Monitor = SSL (443)
  • Service Group, Protocol = TCP
    • Members = VAP01 and VAP02
    • Port = 4172
    • Monitor = PCoIP (TCP 4172)
  • Service Group, Protocol = UDP
    • Members = VAP01 and VAP02
    • Port = 4172
    • Monitor = PCoIP (TCP 4172)
  • Service Group, Protocol = SSL_BRIDGE
    • Members = VAP01 and VAP02
    • Port = 8443
    • Monitor = Blast (8443)
  • Service Group, Portocol = UDP
    • Members = VAP01 and VAP02
    • Port = 8443
    • Monitor = Blast (8443)

Two Security Servers for Blast Extreme: if they are named VSS01 and VSS02, the load balancing service configuration for Blast Extreme in Horizon 7 (no PCoIP) is summarized as follows (scroll down for detailed configuration):

  • Service Group, Protocol = SSL_BRIDGE
    • Members = VSS01 and VSS02
    • Port = 443
    • Monitor = SSL (443)
  • Service Group, Protocol = SSL_BRIDGE
    • Members = VSS01 and VSS02
    • Port = 8443
    • Monitor = Blast (8443)
  • Service Group, Protocol = UDP (this service group is only needed if Blast Extreme UDP is enabled)
    • Members = VSS01 and VSS02
    • Port = 8443
    • Monitor = SSL (443) or ping

Two View Security Servers with PCoIP: If the View Security Servers are named VSS01 and VSS02, the load balancing service configuration for PCoIP is summarized as follows (scroll down for detailed configuration):

  • Server = VSS01, Protocol = SSL_BRIDGE, Port = 443
    • Monitors = PCoIP (TCP 4172), SSL (443), and Blast (8443)
    • Monitor = SSL (443) for paired View Connection Server VCS01.
  • Server = VSS02, Protocol = SSL_BRIDGE, Port = 443
    • Monitors = PCoIP (TCP 4172), SSL (443), and Blast (8443)
    • Monitor = SSL (443) for paired View Connection Server VCS02.
  • Service Group, Protocol = UDP
    • Members = VSS01 and VSS02
    • Port = 443
    • Monitor = SSL (443) or ping
  • Service Group, Protocol = TCP
    • Members = VSS01 and VSS02
    • Port = 4172
    • Monitor = PCoIP (TCP 4172)
  • Service Group, Protocol = UDP
    • Members = VSS01 and VSS02
    • Port = 4172
    • Monitor = PCoIP (TCP 4172)
  • Service Group, Protocol = SSL_BRIDGE
    • Members = VSS01 and VSS02
    • Port = 8443
    • Monitor = Blast (8443)
  • Service Group, Portocol = UDP
    • Members = VSS01 and VSS02
    • Port = 8443
    • Monitor = Blast (8443)

TCP 443 Load Balancing Services

Here are general instructions for the TCP 443 Horizon load balancing services. These instructions detail the more complicated Security Server configuration, since each Security Server needs to monitor its paired Connection Servers. If you are load balancing Access Point or internal Connection Servers, you could configure a Service Group instead of individual services. See the above configuration summaries for your specific configuration.

  1. On the left, expand Traffic Management, expand Load Balancing, and click Services.
  2. On the right, click Add.
  3. Give the Service a descriptive name (e.g. svc-VSS01-SSL).
  4. Change the selection to Existing Server and select the Access Point, Security Server or internal (non-paired) Connection Server you created earlier.
  5. Change the Protocol to SSL_BRIDGE, and click OK.
  6. On the left, in the Monitors section, click where it says 1 Service to Load Balancing Monitor Binding.
  7. Ignore the current monitor and click Add Binding.
  8. Click the arrow next to Click to select.
  9. Select the Horizon-SSL monitor and click Select.
  10. Then click Bind.
  11. If you are load balancing PCoIP through a View Security Server or Access Point, add monitors for PCoIP Secure Gateway (4172) and Blast Secure Gateway (8443) too. If 4172 or 8443 fails, then 443 needs to be marked DOWN.

  12. If this is a Security Server, also add a monitor that has the IP address of the paired Connection Server. If the paired Connection Server is down, then the Security Server needs to marked as DOWN so NetScaler needs to stop sending connections to this Security Server.
  13. The Last Response should indicate Success. If you bound multiple monitors to the Service, then the member will only be UP if all monitors succeed. There’s a refresh button on the top-right. Click Close when done.
  14. Then click Done.
  15. Right-click the first service and click Add.
  16. Change the name to match the second Horizon Server or Access Point.
  17. Select Existing Server and use the Server drop-down to select to the second Horizon Server.
  18. The remaining configuration is identical to the first server. Click OK.
  19. You will need to configure the monitors again. They will be identical to the first server except for the monitoring of the paired View Connection Server. Click Done when done.

Other Ports Load Balancing Services

Here are general instructions for the remaining Horizon services. These instructions use Service Groups but you could just as easily add Services instead. See the above summaries for your specific configuration.

  1. On the left, go to Traffic Mgmt > Load Balancing > Service Groups.
  2. On the right, click Add.
  3. Name it svcgrp-Horizon-UDP443 or similar. UDP 443 is for Blast Extreme in Horizon 7 through Access Points. If View Security Servers, the name should be svcgrp-Horizon-UDP8443.
  4. Change the Protocol to UDP. Click OK.
  5. Click where it says No Service Group Member.
  6. Change the selection to Server Based and then click Click to select.
  7. Select your multiple Security Servers or multiple Access Points and click Select.
  8. If Access Points, enter 443 as the Port. If View Security Servers, enter 8443 as the port. Click Create.
  9. Click OK.
  10. On the right, in the Advanced Settings column, add the Monitors section.
  11. Click where it says No Service Group to Monitor Binding.
  12. Click to select.
  13. Select the Horizon-SSL monitor, click Select, and then click Bind.
  14. Click Done.
  15. Add another Service Group for PCoIP on TCP 4172.
    1. Name = svcgrp-Horizon-PCoIPTCP or similar.
    2. Protocol = TCP

    3. Members = multiple Security Servers or multiple Access Points.
    4. Port = 4172.
    5. Monitors = Horizon-PCoIP. You can add the other monitors if desired.
  16. Add another Service Group for PCoIP on UDP 4172.
    1. Name = svcgrp-Horizon-PCoIPUDP or similar.
    2. Protocol = UDP

    3. Members = multiple Security Servers or multiple Access Points
    4. Port = 4172.
    5. Monitors = Horizon-PCoIP. You can add the other monitors if desired.
  17. Add another Service Group for SSL_BRIDGE 8443.
    1. Name = svcgrp-Horizon-TCP8443 or similar.
    2. Protocol = SSL_BRIDGE
    3. Members = multiple Security Servers or multiple Access Points
    4. Port = 8443.
    5. Monitors = Horizon-Blast. You can add the other monitors if desired.
  18. If you haven’t done this already, add another Service Group for UDP 8443 (Blast Extreme in Horizon 7).
    1. Name = svcgrp-Horizon-UDP8443 or similar.
    2. Protocol = UDP
    3. Members = multiple Security Servers or multiple Access Points
    4. Port = 8443.
    5. Monitors = Horizon-Blast. You can add the other monitors if desired.
  19. The five service groups should look something like this:

Load Balancing Virtual Servers

Create separate load balancing vServers for internal and DMZ.

  • Internal VIP load balances the non-paired Internal Connections Servers. Access Point appliances also use this VIP to access the internal Connection Servers.
  • DMZ VIP load balances the Security Servers or Access Point appliances.

The paired View Connection Servers do not need to be load balanced.

For the internal Connection Servers you only need a load balancer for SSL_BRIDGE 443. If tunneling is disabled then you don’t need load balancers for the other ports (UDP/TCP 4172 and SSL_BRIDGE 8443).

However, Security Servers and Access Points listen on more ports so you will need separate load balancers for each port number. Here is a summary of their Virtual Servers, all listening on the same IP address. Depending on the configured protocol, you might not need all of these Virtual Servers.

  • Virtual Server on SSL_BRIDGE 443 – bind both Horizon SSL_BRIDGE 443 Services.
  • Virtual Server on UDP 443 (Horizon 7) – bind the UDP 443 service group.
  • Virtual Server on UDP 4172 – bind the PCoIPUDP service group.
  • Virtual Server on TCP 4172 – bind the PCoIPTCP service group.
  • Virtual Server on SSL_BRIDGE 8443 – bind the SSL_BRIDGE 8443 service group.
  • Virtual Server on UDP 8443 (Horizon 7) – bind the UDP 8443 service group.

Do the following to create the Virtual Servers:

  1. On the left, under Traffic Management > Load Balancing, click Virtual Servers.

  2. On the right click Add.
  3. Name it Horizon-SSL-LB or similar.
  4. Change the Protocol to SSL_BRIDGE.
  5. Specify a new VIP. This one VIP will be used for all of the Virtual Servers.
  6. Enter 443 as the Port.
  7. Click OK.
  8. On the left, in the Services and Service Groups section, click where it says No Load Balancing Virtual Server Service Binding.
  9. Click the arrow next to Click to select.
  10. Select the two View-SSL Services and click Select.
  11. Click Bind.
  12. Click Continue.
  13. Then click Done. Persistency will be configured later.
  14. If this is Horizon 7, and if this is an Access Point, then create another Load Balancing Virtual Server for UDP 443:
    1. Same VIP as the TCP 443 Load Balancer.
    2. Protocol = UDP, Port = 443
    3. Service Group Binding = the UDP 443 Service Group
  15. If this is a Security Server or Access Point, then create another Load Balancing Virtual Server for PCoIP UDP 4172:
    1. Same VIP as the 443 Load Balancer.
    2. Protocol = UDP, Port = 4172
    3. Service Group Binding = the PCoIP UDP Service Group.
  16. If this is a Security Server or Access Point, then create another Load Balancing Virtual Server for PCoIP TCP 4172:
    1. Same VIP as the 443 Load Balancer.
    2. Protocol = TCP, Port = 4172
    3. Service Group Binding = the PCoIP TCP Service Group
  17. If this is a Security Server or Access Point, then create another Load Balancing Virtual Server for SSL_BRIDGE 8443:
    1. Same VIP as the 443 Load Balancer.
    2. Protocol = SSL_BRIDGE, Port = 8443
    3. Service Group Binding = the TCP 8443 SSL_BRIDGE Service Group
  18. If this is a Security Server or Access Point, then create another Load Balancing Virtual Server for UDP 8443:
    1. Same VIP as the 443 Load Balancer.
    2. Protocol = UDP, Port = 8443
    3. Service Group Binding = the UDP 8443 SSL_BRIDGE Service Group
  19. This gives you six Virtual Servers on the same VIP but different protocols and port numbers.

Persistency Group

For Security Servers and Access Points, users will first connect to SSL_BRIDGE 443 and be load balanced. Subsequent connections to the other port numbers must go to the same load balanced server. Create a Persistency Group to facilitate this.

For internal View Connection Servers, then you probably only have one SSL_BRIDGE load balancer for those servers, and thus you could configure persistence directly on that one load balancing vServer instead of creating a Persistency Group. However, since the Security Servers and Access Points have multiple load balancing vServers on different ports, then you need to bind them together into a Persistency Group.

  1. On the left, under Traffic Management, expand Load Balancing and click Persistency Groups.
  2. On the right, click Add.
  3. Give the Persistency Group a name (e.g. Horizon).
  4. Change the Persistence to SOURCEIP.
  5. Enter a timeout that is equal to or greater than the timeout in Horizon View Administrator, which defaults to 10 hours (600 minutes).
  6. In the Virtual Server Name section, click Add.
  7. Move all six Security Server / Access Point Load Balancing Virtual Servers to the right. Click Create.

CLI Commands

Here’s a list of CLI commands for the most basic configuration of two Access Points with Blast Extreme only (no PCoIP):

add server VAP01 10.2.2.187
add server VAP02 10.2.2.24
add lb monitor Horizon-SSL HTTP-ECV -send "GET /broker/xml" -recv clientlaunch-default -secure YES
add serviceGroup svcgrp-Horizon-SSL SSL_BRIDGE
add serviceGroup svcgrp-Horizon-UDP443 UDP
bind serviceGroup svcgrp-Horizon-SSL VAP01 443
bind serviceGroup svcgrp-Horizon-SSL VAP02 443
bind serviceGroup svcgrp-Horizon-SSL -monitorName Horizon-SSL
bind serviceGroup svcgrp-Horizon-UDP443 VAP01 443
bind serviceGroup svcgrp-Horizon-UDP443 VAP02 443
bind serviceGroup svcgrp-Horizon-UDP443 -monitorName Horizon-SSL
add lb vserver Horizon-SSL-LB SSL_BRIDGE 10.2.2.204 443
add lb vserver Horizon-UDP443-LB UDP 10.2.2.204 443
bind lb vserver Horizon-SSL-LB svcgrp-Horizon-SSL
bind lb vserver Horizon-UDP443-LB svcgrp-Horizon-UDP443
bind lb group Horizon Horizon-SSL-LB
bind lb group Horizon Horizon-UDP443-LB
set lb group Horizon -persistenceType SOURCEIP -timeout 600

Here’s a list of CLI commands for the more complicated Security Server configuration:

add server VSS01 10.2.2.187
add server VSS02 10.2.2.24
add lb monitor Horizon-PCoIP TCP -destPort 4172
add lb monitor Horizon-Blast TCP -destPort 8443
add lb monitor Horizon-SSL HTTP-ECV -send "GET /broker/xml" -recv clientlaunch-default -secure YES
add lb monitor Horizon-SSL-VCS01 HTTP-ECV -send "GET /broker/xml" -recv clientlaunch-default -destIP 10.2.2.19 -destPort 443 -secure YES
add lb monitor Horizon-SSL-VCS02 HTTP-ECV -send "GET /broker/xml" -recv clientlaunch-default -destIP 10.2.2.20 -destPort 443 -secure YES
add service svc-VSS01-SSL VSS01 SSL_BRIDGE 443
add service svc-VSS02-SSL VSS02 SSL_BRIDGE 443
bind service svc-VSS02-SSL -monitorName Horizon-SSL-VCS02
bind service svc-VSS02-SSL -monitorName Horizon-SSL
bind service svc-VSS02-SSL -monitorName Horizon-Blast
bind service svc-VSS02-SSL -monitorName Horizon-PCoIP
bind service svc-VSS01-SSL -monitorName Horizon-SSL-VCS01
bind service svc-VSS01-SSL -monitorName Horizon-Blast
bind service svc-VSS01-SSL -monitorName Horizon-PCoIP
bind service svc-VSS01-SSL -monitorName Horizon-SSL
add serviceGroup svcgrp-Horizon-UDP443 UDP
add serviceGroup svcgrp-Horizon-PCoIPTCP TCP
add serviceGroup svcgrp-Horizon-PCoIPUDP UDP
add serviceGroup svcgrp-Horizon-TCP8443 SSL_BRIDGE
add serviceGroup svcgrp-Horizon-UDP8443 UDP
bind serviceGroup svcgrp-Horizon-UDP443 VSS01 443
bind serviceGroup svcgrp-Horizon-UDP443 VSS02 443
bind serviceGroup svcgrp-Horizon-UDP443 -monitorName Horizon-SSL
bind serviceGroup svcgrp-Horizon-PCoIPTCP VSS01 4172
bind serviceGroup svcgrp-Horizon-PCoIPTCP VSS02 4172
bind serviceGroup svcgrp-Horizon-PCoIPTCP -monitorName Horizon-PCoIP
bind serviceGroup svcgrp-Horizon-PCoIPUDP VSS01 4172
bind serviceGroup svcgrp-Horizon-PCoIPUDP VSS02 4172
bind serviceGroup svcgrp-Horizon-PCoIPUDP -monitorName Horizon-PCoIP
bind serviceGroup svcgrp-Horizon-TCP8443 VSS01 8443
bind serviceGroup svcgrp-Horizon-TCP8443 VSS02 8443
bind serviceGroup svcgrp-Horizon-TCP8443 -monitorName Horizon-Blast
bind serviceGroup svcgrp-Horizon-UDP8443 VSS01 8443
bind serviceGroup svcgrp-Horizon-UDP8443 VSS02 8443
bind serviceGroup svcgrp-Horizon-UDP8443 -monitorName Horizon-Blast
add lb vserver Horizon-SSL-LB SSL_BRIDGE 10.2.2.204 443
add lb vserver Horizon-UDP443-LB UDP 10.2.2.204 443
add lb vserver Horizon-PCoIPUDP-LB UDP 10.2.2.204 4172
add lb vserver Horizon-PCoIPTCP-LB TCP 10.2.2.204 4172
add lb vserver Horizon-8443TCP-LB SSL_BRIDGE 10.2.2.204 8443
add lb vserver Horizon-8443UDP-LB UDP 10.2.2.204 8443
bind lb vserver Horizon-SSL-LB svc-VSS01-SSL
bind lb vserver Horizon-SSL-LB svc-VSS02-SSL
bind lb vserver Horizon-UDP443-LB svcgrp-Horizon-UDP443
bind lb vserver Horizon-PCoIPTCP-LB svcgrp-Horizon-PCoIPTCP
bind lb vserver Horizon-PCoIPUDP-LB svcgrp-Horizon-PCoIPUDP
bind lb vserver Horizon-8443TCP-LB svcgrp-Horizon-TCP8443
bind lb vserver Horizon-8443UDP-LB svcgrp-Horizon-UDP8443
bind lb group Horizon Horizon-SSL-LB
bind lb group Horizon Horizon-UDP443-LB
bind lb group Horizon Horizon-PCoIPUDP-LB
bind lb group Horizon Horizon-PCoIPTCP-LB
bind lb group Horizon Horizon-8443TCP-LB
bind lb group Horizon Horizon-8443UDP-LB
set lb group Horizon -persistenceType SOURCEIP -timeout 600

Horizon View Configuration – Security Servers

This section is not needed for Access Points. For Access Points, the secure gateways should be disabled, not enabled.

  1. On the Security Servers (or Connection Servers), request a certificate that matches the FQDN that resolves to the Load Balancing VIP.
  2. Make sure the private key is exportable.
  3. Set the Friendly Name to vdm and restart the View Security Server services.
  4. In View Administrator, go to View Configuration > Servers.
  5. On the right, switch to the Security Servers tab.
  6. Highlight a server and click Edit.
  7. Change the URLs to the FQDN that resolves to the load balancing VIP.
  8. Change the PCoIP URL to the VIP. For View Security Servers, this is typically a public IP that is NAT’d to the DMZ Load Balancing VIP.

Horizon View Load Balancing – NetScaler 10.5

Last Modified: Jan 4, 2019 @ 7:55 am

Navigation

Use this procedure to load balance Horizon View Connection Servers, Horizon View Security Servers, and/or VMware Access Points.

Overview

A typical Horizon View Installation will have at least six connection servers:

  • Two Internal View Connection Servers – these need to be load balanced on an internal VIP
  • Two DMZ View Security Servers – these need to be load balanced on a DMZ VIP
  • The DMZ View Security Servers are paired with two additional internal View Connection Servers. There is no need to load balance the internal Paired Connection Servers. However, we do need to monitor them.

If you are using Access Points instead of Security Servers then you’ll have the following machines. Server pairing is not necessary.

  • Two Internal View Connection Servers – these need to be load balanced on an internal VIP
  • Two DMZ VMware Access Point appliances – these need to be load balanced on a DMZ VIP

This topic is focused on traditional View Security Servers but could be easily adapted for Access Point appliances. The difference is that with Access Points there are no paired servers and thus there’s no need to monitor the paired servers. The VIP ports are identical for both solutions.

Monitors

Users connect to Horizon View Connection Server, Horizon View Security Server, and Access Point appliances on four ports: TCP 443, TCP 8443, TCP 4172, and UDP 4172. Users will initially connect to port 443 and then be redirected to one of the other ports on the same server initially used for the 443 connection. If one of the ports is down, the entire server should be removed from load balancing. To facilitate this, create a monitor for each of the ports (except UDP 4172).

  1. On the left, expand Traffic Management, expand Load Balancing, and click Monitors.
  2. On the right, click Add.
  3. Name it View-PCOIP or similar.
  4. Change the Type drop-down to TCP.
  5. In the Destination Port field, enter 4172.
  6. Scroll down and click Create.
  7. On the right, click Add.
  8. Name it View-Blast or similar.
  9. Change the Type drop-down to TCP.
  10. In the Destination Port field, enter 8443.
  11. Scroll down and click Create.
  12. On the right, click Add.
  13. Name it View-SSL or similar.
  14. Change the Type drop-down to HTTP-ECV.
  15. In the Destination Port field, enter 443.
  16. Scroll down and check the box next to Secure.
  17. On the Special Parameters tab, in the Send String section, enter GET /broker/xml/
  18. In the Receive String section, enter clientlaunch-default.
  19. Scroll down and click Create.
  20. View Security Servers are paired with View Connection Servers. If the paired View Connection Server is down, then we should probably stop sending users to the corresponding View Security Server. Let’s create a monitor that has a specific IP address in it. Right-click the existing View-SSL or View-SSLAdv monitor and click Add.

  21. Note: this step does not apply to Access Points. Normally a monitor does not have any Destination IP defined, which means it uses the IP address of the service that it is bound to. However, we intend to bind this monitor to the View Security Server but we need it to monitor the paired View Connection Server, which is a different IP address. Type in the IP address of the paired View Connection Server. Then rename the monitor so it includes the View Connection Server name.
  22. Note: this step does not apply to Access Points. Since we are embedding an IP address into the monitor, you have to create a separate monitor for each paired View Connection Server IP.

Servers

Create Server Objects for the DMZ Security Servers and the internal non-paired Connection Servers. Do not create Server Objects for the Paired Connection Servers.

  1. On the left, expand Traffic Management, expand Load Balancing, and click Servers.
  2. On the right, click Add.
  3. Enter a descriptive server name, usually it matches the actual server name.
  4. Enter the IP address of the View Connection Server or View Security Server.
  5. Enter comments to describe the server. Click Create.
  6. Continue adding View Connection Servers or View Security Servers.

Services

If deploying View Security Servers, create Services Objects for the DMZ Security Servers and the internal non-paired Connection Servers. Do not create Services Objects for the Paired Connection Servers.

If deploying Access Points, create Services Objects for the DMZ Access Point appliances and the internal Connection Servers

Each connection server and security server needs separate Service objects. Each Security Server listens on multiple port numbers and thus there will be multiple Services Objects for each Security Server.

For Internal Connection Servers (not the paired servers), load balancing monitoring is very simple:

  • Create services for SSL 443
  • To verify server availability, monitor port TCP 443 on the same server.
  • If tunneling is disabled then internal users connect directly to View Agents and UDP/TCP 4172 and TCP 8443 are not used on Internal Connection Servers. There’s no need to create services and monitors for these ports.

Security Servers and Access Points are more complex:

  • The PCoIP Secure Gateway and HTML Blast Secure Gateway are typically enabled on Security Servers and Access Points but they are not typically enabled on internal Connection Servers.
  • All traffic initially connects on TCP 443. For Security Servers and Access Points, the clients then connect to UDP 4172 or TCP 8443 on the same Security Server. If UDP 4172 or TCP 8443 are down, then you probably want to make sure TCP 443 is also brought down.
  • Each Security Server is paired with an internal Connection Server. If the internal Connection Server is down then the Security Server should be taken down. This does not apply to Access Points.
  • To accommodate these failure scenarios, bind multiple monitors to the View Security Server or Access Point load balancing Services. If any of the monitors fails then NetScaler will no longer forward traffic to 443 on that particular server.

If you have two View Security Servers or Access Points named VSS01 and VSS02, the configuration is summarized as follows (scroll down for detailed configuration):

  • Service = VSS01, Protocol = SSL_BRIDGE, Port = 443
    • Monitors = PCoIP (TCP 4172), SSL (443), and Blast (8443)
    • Monitor = SSL (443) on paired View Connection Server VCS01. This monitor is not needed on Access Points.
  • Service = VSS02, Protocol = SSL_BRIDGE, Port = 443
    • Monitors = PCoIP (TCP 4172), SSL (443), and Blast (8443)
    • Monitor = SSL (443) on paired View Connection Server VCS02. This monitor is not needed on Access Points.
  • Service = VSS01, Protocol = TCP, Port = 4172
    • Monitor = PCoIP (TCP 4172)
  • Service = VSS02, Protocol = TCP, Port = 4172
    • Monitor = PCoIP (TCP 4172)
  • Service = VSS01, Protocol = UDP, Port = 4172
    • Monitor = PCoIP (TCP 4172)
  • Service = VSS02, Protocol = UDP, Port = 4172
    • Monitor = PCoIP (TCP 4172)
  • Service = VSS01, Protocol = SSL_BRIDGE, Port = 8443
    • Monitor = Blast (8443)
  • Service = VSS02, Protocol = SSL_BRIDGE, Port = 8443
    • Monitor = Blast (8443)

If you are not using HTML Blast then you can skip 8443. If you are not using PCoIP Secure Gateway, then you can skip the 4172 ports.

  1. On the left, expand Traffic Management, expand Load Balancing, and click Services.
  2. On the right, click Add.
  3. Give the Service a descriptive name (e.g. svc-VSS01-SSL).
  4. Change the selection to Existing Server and select the View Security Server or internal (non-paired) View Connection Server you created earlier.
  5. Change the Protocol to SSL_BRIDGE and click OK.
  6. On the left, in the Monitors section, click where it says 1 Service to Load Balancing Monitor Binding.
  7. Click Add Binding.
  8. Click the arrow next to Click to select.
  9. Select the View-SSL monitor and click OK.
  10. Then click Bind.
  11. If this is a View Security Server, add monitors for PCoIP and HTML Blast. If any of those services fails, then 443 needs to be marked DOWN.

  12. If this is a View Security Server, also add a monitor that has the IP address of the paired View Connection Server. If the paired View Connection Server is down, then stop sending connections to this View Security Server.
  13. The Last Response should indicate Success. If you bound multiple monitors to the Service, then the member will only be UP if all monitors succeed. There’s a refresh button on the top-right. Click Close when done.
  14. Then click Done.
  15. Right-click the first service and click Add.
  16. Change the name to match the second View Server.
  17. Use the Server drop-down to select to the second View Server.
  18. The remaining configuration is identical to the first server. Click OK.
  19. You will need to configure the monitors again. They will be identical to the first server except for the monitoring of the paired View Connection Server. Click Done when done.

  20. Add another Service for PCoIP on TCP 4172.
    1. Name = svc-VSS01-PCoIPTCP or similar.
    2. Server = Existing Server, select the first View Server.
    3. Protocol = TCP
    4. Port = 4172.
    5. Monitors = View-PCoIP. You can add the other monitors if desired.
  21. Repeat for the 2nd View Security Server.
  22. Add another Service for PCoIP on UDP 4172.
    1. Name = svc-VSS01-PCoIPUDP or similar.
    2. Existing Server = first View Server
    3. Protocol = UDP
    4. Port = 4172.
    5. Monitors = View-PCoIP. You can add the other monitors if desired.
  23. Repeat for the 2nd View Server.
  24. Add another Service for HTML Blast on SSL_BRIDGE 8443.
    1. Name = svc-VSS01-HTMLBlast or similar.
    2. Existing Server = the first View Server
    3. Protocol =
    4. Port = 8443.
    5. Monitors = View-Blast. You can add the other monitors if desired.
  25. Repeat for the 2nd View Server.
  26. The eight services should look something like this:
  27. Repeat these instructions to add the internal (non-paired) View Connection Servers except that you only need to add services for SSL_BRIDGE 443 and only need monitoring for 443.

Load Balancing Virtual Servers

Create separate load balancers for internal and DMZ.

  • Internal load balances the two non-paired Internal View Connections Servers.
  • DMZ load balances the two View Security Servers or Access Point appliances.

The paired View Connection Servers do not need to be load balanced.

For the internal View Connection Servers you only need a load balancer for SSL_BRIDGE 443. If tunneling is disabled then you don’t need load balancers for the other ports (UDP/TCP 4172 and SSL_BRIDGE 8443).

However, tunneling is enabled on the View Security Servers and Access Point appliances so you will need separate load balancers for each port number. Here is a summary of the Virtual Servers:

  • Virtual Server on SSL_BRIDGE 443 – bind both View SSL Services.
  • Virtual Server on UDP 4172 – bind both View PCoIPUDP Services.
  • Virtual Server on TCP 4172 – bind both View PCoIPTCP Services.
  • Virtual Server on SSL_BRIDGE 8443 – bind both View Blast Services.

Do the following to create the Virtual Servers:

  1. On the left, under Traffic Management > Load Balancing, click Virtual Servers.

  2. On the right click Add.
  3. Name it View-SSL-LB or similar.
  4. Change the Protocol to SSL_BRIDGE.
  5. Specify a new internal VIP. This one VIP will be used for all of the Virtual Servers.
  6. Enter 443 as the Port.
  7. Click OK.
  8. On the left, in the Services and Service Groups section, click where it says No Load Balancing Virtual Server Service Binding.
  9. Click the arrow next to Click to select.
  10. Select the two View-SSL Services and click OK.
  11. Click Bind.
  12. Click OK.
  13. Then click Done. Persistency will be configured later.
  14. If this is a View Security Server or Access Point or if tunneling is enabled then create another Load Balancing Virtual Server for PCoIP UDP 4172:
    1. Same VIP as the 443 Load Balancer.
    2. Protocol = UDP, Port = 4172
    3. Services = the PCoIP UDP Services.
  15. If this is a View Security Server or Access Point or if tunneling is enabled then create another Load Balancing Virtual Server for PCoIP TCP 4172:
    1. Same VIP as the 443 Load Balancer.
    2. Protocol = TCP, Port = 4172
    3. Services = the PCoIP TCP Services.
  16. If this is a View Security Server or Access Point or if tunneling is enabled then create another Load Balancing Virtual Server for HTML Blast SSL_BRIDGE 8443:
    1. Same VIP as the 443 Load Balancer.
    2. Protocol = SSL_BRIDGE, Port = 8443
    3. Services = the HTML Blast SSL_BRIDGE Services.
  17. This gives you four Virtual Servers on the same VIP but different protocols and port numbers.

Persistency Group

For Security Servers and Access Point appliances, users will first connect to SSL_BRIDGE 443 and be load balanced. Subsequent connections to the other port numbers must go to the same load balanced server. Create a Persistency Group to facilitate this.

If tunneling is disabled on the internal View Connection Servers then you probably only have one load balancer for those servers and thus you could configure persistence directly on that one load balancer instead of creating a Persistency Group. However, since the View Security Servers have multiple load balancers then you need to bind them together in a Persistency Group.

  1. On the left, under Traffic Management, expand Load Balancing and click Persistency Groups.
  2. On the right, click Add.
  3. Give the Persistency Group a name (e.g. View).
  4. Change the Persistence to SOURCEIP.
  5. Enter a timeout that is equal to or greater than the timeout in View Administrator, which defaults to 10 hours (600 minutes).
  6. In the Virtual Server Name section, click Add.
  7. Move all four View Security Server / Access Point Load Balancing Virtual Servers to the right. Click Create.

Horizon View Configuration

  1. On the View Security Servers (or View Connection Servers), request a certificate that matches the FQDN that resolves to the Load Balancing VIP.
  2. Make sure the private key is exportable.
  3. Set the Friendly Name to vdm and restart the View Security Server services.
  4. In View Administrator, go to View Configuration > Servers.
  5. On the right, switch to the Security Servers tab.
  6. Highlight a server and click Edit.
  7. Change the URLs to the FQDN that resolves to the load balancing VIP.
  8. Change the PCoIP URL to the VIP. For View Security Servers, this is typically a public IP that is NAT’d to the DMZ Load Balancing VIP.