Omnissa Horizon True SSO with UAG SAML

Last Modified: Jul 27, 2024 @ 10:24 am

Navigation

Change Log

Overview

To configure SAML on Unified Access Gateway (UAG) you must have the following versions:

  • UAG 3.8 or newer
  • Connection Servers 7.11 or newer
  • For Windows 10 version 2004, deploy Horizon 2103 (8.2) or newer.

True SSO is optional.

  • SAML does not provide the user’s password to Horizon, which means that Horizon cannot perform single sign-on to the Horizon Agent machine and thus the Horizon Agent machine will prompt the user to login again. This usually means the user has to login twice.
  • To eliminate the second logon on the Horizon Agent machine, implement True SSO, which generates certificates for each user and then uses those certificates to automatically sign into the Horizon Agent machine.

Horizon Enrollment Servers ask Microsoft Certificate Authority servers to generate the SSO certificates for each user. This is an identity operation and thus the Horizon Enrollment Servers should be treated like Domain Controllers.

When you use Horizon Client to connect to a UAG that is SAML-enabled:

  1. It opens the default browser and prompts the user to sign into your SAML Identity Provider. If the user is already signed in then the user won’t see any sign-in prompt.
  2. After sign-in, the browser will then prompt the user to open Horizon Client.
  3. If the user locks the desktop then the user will need to know the local Active Directory password to unlock it.

Certificate Authority

Horizon Enrollment Servers can use a Microsoft Certificate Authority that already exists. Or you can install Microsoft Certificate Authority on the Horizon Enrollment Servers. If you have two Enrollment Servers, then install Microsoft Certificate Authority on both of the servers.

  1. Install Microsoft Certificate Authority from Server Manager > Manage > Add Roles and Features.
  2. Select Active Directory Certificate Services.
  3. The only Role Service needed for True SSO is Certification Authority.

The Microsoft Certificate Authority must be an Enterprise CA.

  1. After role installation, click the flag icon and then click the link to Configure Active Directory Certificate Services.
  2. In the Setup Type page, select Enterprise CA.
  3. In the CA Type page, if you already have a Root CA, then you can select Subordinate CA. Otherwise, you need at least one Root CA in your environment.

After Microsoft CA is installed, run the following commands:

certutil -setreg DBFlags +DBFLAGS_ENABLEVOLATILEREQUESTS
certutil -setreg ca\CRLFlags +CRLF_REVCHECK_IGNORE_OFFLINE
sc stop certsvc
sc start certsvc

If you just built a new Certificate Authority server then True SSO won’t work until you run gpupdate /force on all of your Domain Controllers and Horizon Agent machines. Or wait several hours for group policy to update.

Certificate Template

  1. On the Certificate Authority machine, from Start Menu, run Certification Authority.
  2. Right-click the Certificate Templates node and click Manage.
  3. Right-click the Smartcard Logon template and click Duplicate Template.
  4. On the Compatibility tab, change the drop-down for Certification Authority to Windows Server 2008 R2.
  5. Change the drop-down for Certificate recipient to Windows 7 / Server 2008 R2.
  6. On the General tab, name it True SSO or similar.
  7. Change the Validity Period to 1 day or similar.
  8. On the Request Handling tab, change the drop-down for Purpose to Signature and smartcard logon.
  9. Check the box next to For automatic renewal of smart card certificates, use the existing key if a new key cannot be created.
  10. On the Cryptography tab, change the drop-down for Provider Category to Key Storage Provider.
  11. On the Server tab, check the top box for Do not store certificates and requests in the CA database.
  12. Uncheck the bottom box for Do not include revocation information in issued certificates.
  13. On the Issuance Requirements tab, check the box next to This number of authorized signatures and enter 1 as the value.
  14. Change the drop-down for Policy type required in signature to Application policy.
  15. Change the drop-down for Application policy to Certificate Request Agent.
  16. At the bottom, change the selection to Valid existing certificate.
  17. On the Security tab, add your Horizon Enrollment Servers computer objects. This can be an AD group instead of individual servers.
  18. For each Enrollment Server computer object, on the bottom, check the Allow box for the Enroll permission. Click OK when done.
  19. Back in the Certificate Templates Console, right-click the Enrollment Agent (Computer) template and click Properties.
  20. On the Security tab, add your Horizon Enrollment Servers computer objects. This can be an AD group instead of individual servers.
  21. For each Enrollment Server computer object, on the bottom, check the Allow box for the Enroll permission. Click OK when done.
  22. Close the Certificate Templates Console.
  23. Back in the Certification Authority Console, with Certificate Templates highlighted on the left, if your environment has multiple CAs but this CA is dedicated to True SSO, then delete all templates from the right. Note: Domain Controllers must have certificates installed so make sure you have at least one other CA that is issuing Domain Controller certificates.
  24. Right-click Certificate Templates and click New > Certificate Template to Issue.
  25. Select Enrollment Agent (Computer) and click OK.
  26. Issue another certificate template but this time select the True SSO template.
  27. Your CA should now show the two templates.
  28. If you have a second CA, and if it is dedicated to True SSO, then delete all templates from that CA. Then configure it to issue the same two templates.

Enrollment Server

Horizon Enrollment Server must be installed on dedicated machine(s) that don’t have any other Horizon components installed.

  1. Login to the new Horizon Enrollment Server that has at least 4 GB of RAM.
  2. Run certlm.msc.
  3. Expand Personal, then right-click Certificates, expand All Tasks, and click Request New Certificate.

    1. In the Before You Begin page, click Next.
    2. In the Select Certificate Enrollment Policy page, click Next.
    3. In the Request Certificates page, check the box next to Enrollment Agent (Computer) and then click Enroll.
    4. In the Certificate Installation Results page, click Finish.
    5. Notice the expiration date on the Enrollment Agent certificate. Make sure you renew it before it expires.
  4. Go to the downloaded Horizon software and run VMware-Horizon-Connection-Server-x86_x64.exe.
  5. In the Welcome to the Installation Wizard for VMware Horizon Connection Server page, click Next.
  6. In the Destination Folder page, click Next.
  7. In the Installation Options page, change the selection to Horizon Enrollment Server and click Next.
  8. In the Firewall Configuration page, click Next.
  9. In the Ready to Install the Program page, click Install.
  10. In the Installer Completed page, click Finish.
  11. If Microsoft CA is installed on the Enrollment Server, then run regedit.
    1. Go to HKLM\Software\VMware, Inc.\VMware VDM.
    2. Create a new Key named Enrollment Service.
    3. Under Enrollment Service, create a new String (REG_SZ) value named PreferLocalCa and set it to 1.
    4. Also add string values for UseKerberosAuthenticationToCa = false and UseNTLMAuthenticationToCa = true
  12. If you have two Enrollment Servers, then repeat this entire section on the other server. This includes requesting the Enrollment Agent certificate, installing the Enrollment Server software, and setting the PreferLocalCa registry value.

Trust

  1. Log in to a Connection Server and run certlm.msc.
  2. On the left, expand VMware Horizon View Certificates and then click Certificates.
  3. On the right, find the certificate with the Friendly Name vdm.ec, right-click it, expand All Tasks, and then click Export. All Connection Servers have the same certificate so you only need to export from one of the Connection Servers.
  4. In the Export Private Key page, select No, do not export the private key, and then click Next.
  5. In the Export File Format page, leave it set to DER, and then click Next.
  6. Save the certificate to a file that you can access from your Enrollment Server(s).
  7. Log in to an Enrollment Server and run certlm.msc.
  8. On the left, right-click VMware Horizon View Enrollment Server Trusted Roots, expand All Tasks, and click Import.
  9. In the Welcome to the Certificate Import Wizard page, click Next.
  10. In the File to Import page, browse to the certificate that you exported from the Connection Server and then click Next.
  11. In the Certificate Store page, VMware Horizon View Enrollment Server Trusted Roots should already be selected so just click Next.
  12. In the Completing the Certificate Import Wizard page, click Finish.
  13. Repeat the certificate import process on the other Horizon Enrollment Server.

SAML to UAG

  1. Login to your SAML Identity Provider (IdP) and create an application for Unified Access Gateway.
  2. For Okta, see Omnissa Tech Zone.
  3. Azure AD has a gallery application to make configuration easier. Or use the following values:
    • Identifier = https://*.HORIZON_UAG_FQDN.com/portal
    • Reply URL (Assertion Consume Service URL = https://<HORIZON_UAG_FQDN>/portal/samlsso
  4. When done, it should look something like this:
  5. Download the Federation Metadata XML from your Identity Provider. The Metadata Url doesn’t seem to work.
  6. Login to your UAG admin page (https://<HORIZON_UAG_FQDN>:9443/admin).
  7. Select Configure Manually.
  8. Scroll down to the section named Identity Bridging Settings and click Upload Identity Provider Metadata.
  9. In Unified Access Gateway 2312 and newer, click Upload IDP Metadata.
  10. Click Select in the IDP Metadata row.
  11. Browse to the metadata .xml file and then click Save.
  12. At the top of the page, next to Edge Service Settings click SHOW.
  13. Next to Horizon Settings click the gear icon.
  14. At the bottom of the page, click More.
  15. At the top of the page, change the drop-down for Auth Methods to SAML.
  16. Change the drop-down for Identity Provider to the SAML Identifier in the Metadata that you just imported.
  17. At the bottom of the page click Save.
  18. Login to Horizon Console.
  19. In the left menu, go to Settings > Servers.
  20. On the right, click the tab named Connection Servers.
  21. Highlight a Connection Server that UAG talks to and click Edit.
  22. Switch to the tab named Authentication.
  23. Change the drop-down for Delegation of Authentication to VMware Horizon (SAML 2.0 Authenticator) to Allowed.
  24. Click the button named Manage SAML Authenticators.
  25. Click Add.
  26. Change the selection for Type to Static. Dynamic seems to only be valid for Omnissa Access.
  27. Go to your Metadata .xml file and edit it with a text editor. Then copy its contents to your clipboard.
  28. Back in Horizon Console, in the SAML Metadata field, paste in the contents.
  29. Give your SAML 2.0 Authenticator a name and click OK.
  30. Click OK to close the Manage SAML Authenticators window.
  31. Edit other Connection Servers that UAG talks to and go to the Authentication tab.
  32. Set SAML 2.0 Authenticator to Allowed and then click the Manage SAML Authenticators button.
  33. The previously created SAML Authenticator should already be there so just click Edit.
  34. At the bottom, check the box next to Enabled for Connection Server and then click OK. Repeat on any other Connection Server that UAG talks to.
  35. In Horizon Console, if you go to Monitor > Dashboard and then click VIEW in the System Health section.
  36. On the left go to Other Components. On the right go to the tab named SAML 2.0. You should see your SAML Authenticator.

Enable True SSO

Login to one of the Connection Servers and open a Command Prompt as administrator. The commands in this section have case sensitive parameter names. These commands are vdmutil, not vdmadmin.

Run the following command to add each Enrollment Server. Notes:

  • For the --authPassword fields, you enter "*" (with quotes) to be prompted to enter the password instead of specifying it at the command line.
  • --authAs fields do not include the domain name since domain is a different field.
vdmUtil --authAs admin-username --authDomain domain-name --authPassword admin-user-password --truesso --environment --add --enrollmentServer enroll-server1-fqdn,enroll-server2-fqdn

Run the following command to see the available certificate authorities and certificate templates for a particular domain.

vdmUtil --authAs admin-username --authDomain domain-name --authPassword admin-user-password --truesso --environment --list --enrollmentServer enroll-server-fqdn --domain domain-fqdn

Run the following command to enable the Enrollment Servers for a particular domain. This syntax configures the Enrollment Servers as active/passive (failover). Note: certificateServer is the CA name from the previous command and not the server’s FQDN.

vdmUtil --authAs admin-username --authDomain domain-name --authPassword admin-user-password --truesso --create --connector --domain domain-fqdn --template TrueSSO-template-name --primaryEnrollmentServer enroll-server-fqdn --secondaryEnrollmentServer enroll-server-fqdn --certificateServer ca1-common-name1,ca2-common-name --mode enabled

Run the following command to see the SAML Authenticators configured in Horizon Console.

vdmUtil --authAs admin-username --authDomain domain-name --authPassword admin-user-password --truesso --list --authenticator

Run the following command to enable True SSO for a particular SAML Authenticator. Enter either ENALBED or ALWAYS.

vdmUtil --authAs admin-username --authDomain domain-name --authPassword admin-user-password --truesso --authenticator --edit --name authenticator-name --truessoMode {ENABLED|ALWAYS}

For more info, see Command-line Reference for Configuring True SSO at Omnissa Docs.

If you prefer to load balance your Enrollment Servers instead of active/passive, do the following:

  1. On a Connection Server, run adsiedit.msc.
  2. Change the Connection Point to dc=vdi,dc=vmware,dc=int.
  3. Change the Computer to localhost and then click OK.
  4. On the left, expand Properties, and then click Global.
  5. On the right, double-click Common.
  6. Find pae-NameValuePair in the list and Edit it.
  7. Enter cs-view-certsso-enable-es-loadbalance=true and then click Add.
  8. Click OK a couple times to close everything.

You can view the status of True SSO in Horizon Console.

  1. In Horizon Console, go to Monitor > Dashboard and on the right, in the System Health section, click VIEW.
  2. With Components selected on the left, on the right is a tab named TrueSSO.

Omnissa Horizon 2406: Cloud Pod Architecture

Last Modified: Jul 29, 2024 @ 9:03 am

Navigation

This article applies to all Horizon versions 2006 (8.0) and newer.

Change Log

Planning

Cloud Pod Architecture lets you publish a single icon that load balances connections across multiple pools in multiple pods in multiple sites (datacenters).

  • Global Entitlements – Entitlements are the same thing as published icons. When you create an entitlement (local or global), you are publishing an icon from a pool.
    • For local entitlement, the icon is only published from one pool.
    • For global entitlement, the icon can be published from multiple pools. The pools can be in one pod or from multiple pods.
    • Don’t configure both global and local entitlements for the same pool.
    • A single pool can only belong to one global entitlement.
    • For applications, only one application per global entitlement.
  • Pod Federation – Global entitlements can’t be created until a Pod Federation is created. This federation could be one pod or multiple pods.
    • The pods can be separated into sites. Each site can contain multiple pods.
  • Global Load Balancing – Use NetScaler GSLB or F5 GTM to connect Horizon Clients to a globally available Horizon Connection Server. The connected Horizon Connection Server then uses Global Entitlements to select a site/pod/pool.
    • When a user launches a Global Entitlement, the Connection Server selects a pod based on the Global Entitlement Scoping, which can be All Sites, Within site, or Within Pod. This is from the perspective of the Connection Server the user is currently connected to. Horizon will prefer the local pod if possible.
    • Users or groups can be assigned to Home Sites. Global Entitlements can be configured to prefer Home Sites over the normal site/pod selection criteria.
  • Dedicated Assignment – For Dedicated Assignment pools, global entitlement only helps with the initial connection. Once the user is assigned to a desktop then that desktop is always selected. Users are not automatically provided with a desktop from another site if the site containing their dedicated desktop has gone down. The desktop request will fail because the dedicated desktop isn’t available. The administrator could configure a separate Global Entitlement for the users to provide a floating desktop until such time the original site recovers. That floating entitlement should be arranged to deliver desktops from other sites as required.
  • Firewall Ports – The Horizon Connection Servers participating in Cloud Pod Architecture communicate with each other over TCP 135, TCP 22389, TCP 22636, and TCP 8472. Make sure these ports are open. More info at Ray Heffer VMware Horizon 7.4 Network Ports for Cloud Pod Architecture

  • RBAC – Horizon Console includes a new administrator privilege: Manage Global Sessions. The regular Administrators role has access to multiple pods. The new Local Administrators role can only manage the local pod.

Cloud Pod Architecture Topology Limits Horizon 8 at Omnissa Docs:

  • Max users = 250,000
  • Max Pods = 50
  • Max Sessions per Pod = 12,000
  • Max Sites = 15
  • Max Connection Servers per Pod = 7
  • Max Horizon Connection Server Instances = 350

Traffic flow (Rob Beekmans – VMware Horizon View Cloud Pod – unwanted routing?):

  • Use F5 GTM or NetScaler GSLB to connect users to a Horizon Connection Server in any pod. If active/active, use proximity load balancing to control which pod is initially accessed.
  • The Horizon Connection Server looks up the Global Entitlements to determine the destination pod for the Pool.
  • User’s PCoIP session goes through the initially connected Horizon Connection Server and across the DCI (Datacenter Interconnect) circuit to the remote pod. There’s no way to re-route Blast/PCoIP through a Horizon Connection Server in the remote pod. In fact, the Horizon Connection Servers in the remote pod are never accessed. You need sufficient DCI bandwidth to handle this Blast/PCoIP traffic.
  • Note: Horizon Cloud Universal Broker doesn’t have this problem.

For more information on multi-datacenter design for Horizon, see Workspace ONE and Horizon Reference Architecture, which includes the following:

  • Omnissa Access
  • App Volumes
  • Horizon Cloud Pod Architecture
  • Dynamic Environment Manager
  • SQL AlwaysOn Availability Groups
  • Networking
  • Storage (e.g., vSAN)
  • Active Directory
  • Distributed File System
  • Global Load Balancing

Initialize First Pod

  1. In Horizon Console, expand Settings and click Cloud Pod Architecture.
  2. On the right, click Initialize the Cloud Pod Architecture feature.
  3. Click OK to initialize.
  4. A status page is displayed.
  5. On the right, feel free to rename the federation by clicking the Edit button. This is the Federation, not the Pod.

    • Enter a new name.
  6. On the left, expand Settings, and click Sites.
  7. On the right, in the top half, highlight the first site, and then click the Edit button to rename the Default First Site to be more descriptive. Sites can contain multiple pods. Site is typically a geo location or data center.

    • Enter a Site name.
    • Site URL is a feature in 2406 and newer. It lets you specify a datacenter-specific FQDN that Blast is redirected to when Cloud Pod Architecture chooses a Horizon Agent machine in that site. This avoids sending the Blast connection across the datacenter interconnect. UAG 2406 and newer supports the feature.
  8. Click the Site to highlight it to reveal the Pods on the bottom half of the window.
  9. Highlight the pod on the bottom and click Edit to make the name more descriptive.

    • Enter a Pod name.
  10. See Omnissa 2080522 Restoring View Connection Server instances in a Cloud Pod Architecture pod federation.

Additional Pods – Join Federation

  1. Connect to Horizon Console in the second pod.
  2. On the left, expand Settings, and click Cloud Pod Architecture.
  3. On the right, click Join the pod federation.
  4. Enter the name of an existing Horizon Connection Server that is already joined to the federation.
  5. Enter credentials and click OK.
  6. The Join status is displayed.
  7. On the left, expand Settings, and click Sites.
  8. If this pod is in a different site, then in the top half of the window click Add to create a new site.
  9. Give the site a name and click OK.

    • Site URL is a feature in 2406 and newer. It lets you specify a datacenter-specific FQDN that Blast is redirected to when Cloud Pod Architecture chooses a Horizon Agent machine in that site. This avoids sending the Blast connection across the datacenter interconnect. UAG 2406 and newer supports the feature.
  10. Highlight the first site.
  11. On the bottom, highlight the new pod, and click Edit.
  12. Rename the pod and put it in the 2nd site. Click OK.
  13. The top of Horizon Console shows you which Pod you are administering. You might have to refresh the page to see the correct Pod name after it was renamed.

Global Entitlements

Global Entitlements contain one or more Local Pools from one or more pods. Connections to the Global Entitlement can be load balanced across the member pods and pools.

Do not create both Global Entitlements and Local Entitlements for the same pool otherwise users might see two icons. Create the local pool, but don’t entitle it (i.e. don’t assign users). Instead, create a Global Entitlement and add the local pool to it.

  1. Before creating a Global Entitlement go to Inventory > Desktops or Inventory > Applications, click a pool name, scroll down to the Pool Settings section and record the settings. Your Global Entitlement must have the same settings.
  2. In Horizon Console, on the left, expand Inventory, and click Global Entitlements.
  3. On the right, click Add.
  4. In the Type page, select Desktop Entitlement or Application Entitlement, and click Next.
  5. In the Name and Policies page, give the entitlement (icon) a name. For Application Entitlements, it’s one Global Entitlement per application so include the application name.
    • Horizon 2006 and newer can specify a Display Name that is different than the name of the entitlement.
    • Horizon 2103 and newer can set a Federation Access Group to restrict administrator access to this Global Entitlement. You can create Federation Access Groups in the Horizon Console at Settings > Administrators, and on the right is a tab named Federation Access Groups. You can edit the Global Entitlement later to specify a Federation Access Group.
  6. Scroll down.
  7. Scroll down for more settings:
    1. You can configure tag restrictions (Connection Server restrictions) from this wizard.
    2. You can select a Category Folder where the published icon will be placed on the client’s Start Menu or Desktop. This feature requires Horizon Client 4.6 and newer.
    3. Configure Category Folder. You can type in a new folder or select an existing one. Specify whether the shortcut should appear on the Start Menu, Desktop, or both.
  8. Scroll down to the Policies section and configure the following. Note: these settings must match the Local Pool or you won’t be able to add the Local Pool to the Global Entitlement. Some of these settings can’t be changed without deleting the Global Entitlement and recreating it.
    1. For Desktop Entitlements, the User Assignment field (Floating or Dedicated) must match the Local Pools.
    2. Scope determines from which which site/pod the Local Pool is selected. Users connect to a specific Connection Server. Scope specifies if the Local Pool can be selected from any any pod in any site, from any pod in the same site as the Connection Server that the user connected to, or from the same pod as the Connection Server that the user connected to. For Dedicated Assignment pools, the user always connects to the assigned desktop no matter which Connection Server the user initially connected to.
    3. The Use home site checkbox tells the global entitlement to respect user home sites. When you assign a user to a home site, when the user launches the global entitlement, it tries to find a Local Pod in the same site as the user’s home site. This helps keep the user’s session close to the user’s data (e.g. home directory, roaming profile).
    4. Change the Default display protocol to VMware Blast. These settings must match the Local Pools.
    5. Horizon 2306 (8.10) and newer have a Session Distribution Policy to distribute sessions across the local resources in the Global Entitlement. Horizon 2309 (8.11) supports either Session Count or Load Index.
    6. For Desktop entitlements, you can allow users to Restart their machines or use Session Collaboration, or initiate separate sessions from different client devices. These settings must match the Local Pools.
    7. For Application entitlements, there’s a Pre-launch checkbox. If you need the Pre-launch feature, then enable the Pre-launch checkbox on at least one application, and entitle the application to the users that need the Pre-launch feature. These settings must match the Local Pools.
    8. There’s a checkbox named Client Restrictions. When this is enabled, you can add Client Computer Accounts to an AD Group and entitle the published icon to that computer AD group. The published icon can then only be accessed from the client computers in the AD group.

      Notes:

    9. For Application Entitlements, there’s a selection for Multi-Session Mode. Pre-launch must be disabled to enable this setting.
    10. Make other selections.
  9. Click Next when done.
  10. In the Users and Groups page, add users that can see the icon associated with the Global Entitlement. Click Next.
  11. In the Ready to Complete page, click Finish.
  12. Global Entitlements won’t work until you add some Local Pools to it. Make sure your Horizon Console is connected to the Pod that has the Local Pool.
  13. On the left, expand Inventory and click Global Entitlements.
  14. On the right, click the link for the name of the Global Entitlement. Global Entitlements are synced to every pod.
  15. Switch to the Local Pools tab and click Add.
  16. Select the local pools you want to add and click Add. Remember, only add one app per Global Entitlement. Also, you can only add pools from the local pod. To add pools from a different pod, you must point your Horizon Console browser to the other pod and edit the Global Entitlement from there.
  17. If the GUI won’t let you add the local pool then try it from the command line to see the actual problem. lmvutil parameter names are case sensitive. Some settings can only be changed by deleting the Global Entitlement and recreating it.
  18. Point your Horizon Console to another pod and view the Global Entitlements.
  19. On the right, click the hyperlink for the name of the Global Entitlement and follow the same procedure to add Local Pools. Horizon will automatically load balance user connections across all local pools based on the Scope policy (All Sites, Within Site, or Within Pod) in the Global Entitlement and Home Sites.
  20. A backup global entitlement delivers remote desktops or published applications when the primary global entitlement fails to start a session because of problems such as insufficient pool capacity or unavailable pods.
    1. Create a new Global Entitlement containing the backup pools.
      • The new Global Entitlement for backup should have the same settings as the production Global Entitlement.
      • You don’t have to assign anybody to the new Global Entitlement that will be the backup.
    2. Add Local Pools to the new Global Entitlement that will be the backup for when prod is down.
    3. Edit the production Global Entitlement.
    4. Scroll down to Backup Global Entitlement and click Browse.
    5. Change the selection to Backup Global Entitlement, select the Global Entitlement that will backup this one. Click Submit.
  21. Horizon Console, at Inventory > Desktops can show if a Local Pool is a member of a Global Entitlement. Scroll to the right to see the Global Entitlement column. This column doesn’t seem to be visible for Applications.

Monitoring

  1. Once Global Entitlements are enabled, a new Search Sessions node is added, which allows you to search for sessions across federated pods. Brokering Pod is the pod containing the Connection Sever that the user initially connected to to get the list of icons as opposed to the pod that contains the Local Pool that the session is actually launched from.
  2. The Monitor > Dashboard in Horizon Console shows the health of remote pods.

Home Sites

The Home Sites feature causes Global Entitlements to prefer local pools in the user’s Home Site before looking for pools in remote sites.

  1. Configure your Cloud Pod Architecture with multiple Sites and at least one Pod per Site.
  2. In Horizon Console, on the left, click Users and Groups.
  3. On the right, switch to the Home Site Assignment tab and click Add.
  4. Find a user or group for this home site, and click Next.
  5. Select the site to assign the users to and click Finish. This list of sites comes from your Cloud Pod Sites configuration.
  6. Home Sites can be assigned to both users and groups. User assignments override group assignments.
  7. Edit your Global Entitlement and ensure that Use Home Site is checked. You can optionally require that each user has a Home Site.
  8. Each Global Entitlement can have its own Home Site configuration that overrides the global Home Site configuration.
    • In Horizon Console, click the hyperlink for the Global Entitlement’s name, switch to the tab named Home Site Override, and then click Add.

  9. Since you could have a combination of default Home Site for user, default Home Site for group, and Global Entitlement-specific Home Sites, it’s helpful to know which Home Site is effective for each user and Entitlement.
    • In Horizon Console, in the Users and Groups node, switch to the Home Site Resolution tab. Find a user, and it will show you the Home Site Resolution for a specific Global Entitlement.

Related Pages

Omnissa Horizon 2406: RDS Farms/Pools

Last Modified: Jul 30, 2024 @ 4:28 am

Navigation

This post applies to all Horizon versions 2006 (aka 8.0) and newer.

Change Log

  • 2023 Oct 28 – Published AppsSingle Application Launch Limit in Horizon 2309
  • 2021 Jan 10 – Disable Published Application in Horizon 2012 (8.1) and newer.
  • 2021 Jan 9 – updated screenshots for Horizon 2012 (8.1)
  • 2020 Aug 14 – updated entire article for Horizon 2006 (8.0)

Overview

This post details Horizon configuration for Remote Desktop Session Host (RDS) Horizon Agents. Virtual Desktops are detailed at Master Virtual Desktop and Virtual Desktop Pools.

Before following this procedure, build a master RDS Session Host.

Before you can publish applications or RDS desktops, you must create an RDS Farm. An RDS Farm is a collection of identical (cloned) Remote Desktop Session Hosts. Applications must be installed identically on every machine in the farm. If you have different applications on different Remote Desktop Session Hosts, then these are different RDS Farms.

Once the RDS Farms are created, you publish icons from them by either creating a Desktop Pool or an Application Pool or both. When creating a Desktop Pool or Application Pool, all members of the RDS Farm are selected. It is not possible to select a subset of Farm members.

Omnissa Tech Paper Best Practices For Published Applications And Desktops in Horizon:

  • vSphere Best Practices – Hardware, Network Adapters, ESXi BIOS Settings, ESXi Power Management
  • Core Services Best Practices – Active Directory, DNS, DHCP, NTP, KMS, RDS Licensing
  • ESXi Host Sizing Best Practices
  • RDSH Configuration Best Practices – Optimization
  • Horizon 7 Best Practices – Instant Clones, Load Balancing
  • User Environment Management Best Practices – Horizon Smart Policies, Folder Redirection, User Profiles, Printers, Hardware Graphics Acceleration
  • App Volumes Best Practices – dedicated AppStacks
  • Antivirus Best Practices
  • Maintenance Operations Best Practices – scheduled reboots

RDS Farms – Instant Clones

For a description of Instant Clones, see Instant Clones for RDSH in VMware Horizon 7.1 YouTube video.

  1. You select a snapshot from a master image.
  2. Horizon creates a template VM that boots from the master snapshot. After some prep, the template VM shuts down and creates a new snapshot.
  3. The template snapshot is copied to a Replica VM on every LUN (datastore) that will host RDS Farm VMs.
  4. For each datastore, Horizon creates a Parent VM on every host in the cluster. This parent VM is powered on and running at all times.
    • Horizon 2306 (8.10) and newer now default to no longer creating parent virtual machines.
  5. The linked clones can finally be created by forking the parent VM to new linked clone VMs. Notes:
    1. Once the Parent VMs are created, creating/recreating linked clones is fast. But it takes time to create all of the Parent VMs.
    2. And the Parent VMs consume RAM on every host. If you have multiple datastores and/or multiple pools, then there are multiple Parent VMs per host, all of them consuming RAM.
  6. You can schedule a periodic reboot of the Instant Clones, which causes the Instant Clone machines to refresh (revert) from the parent VM.
  7. Instant Clones require Distributed vSwitch and Distributed Port Group with Static Binding and Fixed Allocation. Standard vSwitch is not supported. Multi VLAN and vGPU for Instant Clones in VMware Horizon 7.1 YouTube video.

Create an Automatic RDS Farm

Instant Clones in Horizon 2303 and newer require vSphere 7 or newer. vSphere 6.7 and older will not work.

Master Image Preparation

  1. Make sure your RDS gold Agent has the VMware Horizon Instant Clone Agent feature installed.
  2. Make sure your RDS master Agent is configured for DHCP.
  3. Computer Group Policy – Make sure the Master VM is in the same OU as the Instant Clones so the Master VM will get the computer-level GPO settings. Run gpupdate on the master after moving the VM to the correct OU. New Instant Clones do not immediately refresh group policy so the group policy settings must already be applied to the master VM. See Omnissa 2150495 Computer-based Global Policy Objects (GPOs) that require a reboot to take effect are not applied on instant clones.
  4. Shut down the master image.
  5. Edit the specs of the master VM to match the specs you want the linked clones to have.
  6. Take a snapshot of the master image.
  7. In Horizon Console, on the left, expand Inventory, and click Farms.
  8. On the right, click Add.
  9. In the Type page, select Automated Farm, and click Next.
  10. In the vCenter Server page, select Instant Clone, select the vCenter Server, and then click Next. Notice that Composer is no longer an option.
  11. In the Storage Optimization page, click Next.
  12. In the Identification and Settings page:
    1. Enter a name for the Farm. A VM folder with the same name will be created in vCenter.
    2. Note: There’s no place to set the Display Name here. You do that later when creating a Desktop Pool.
    3. Scroll down to the Farm Settings section.
    4. Horizon supports Pre-launch. If pre-launch is enabled on a published app, when the user logs into Horizon Client, an empty RDS Session is immediately established. When the user double clicks an icon, the program launches quickly since there’s already a pre-launched session. When the user closes Horizon Client, the pre-launch session is disconnected for the duration specified here. The minimum duration is 10 minutes.
    5. For Empty session timeout, set it to 1 minute. For When timeout occurs, set it to Log off. You usually want the session to end when users close all of their applications.
    6. For Log off disconnected sessions, specify a disconnect timer. This is in addition to the idle timer configured in Global Settings.
    7. There’s a Allow Session Collaboration checkbox, which adds a VMware Horizon Collaboration icon in the system tray of the remote desktop, which lets you invite users to collaborate. See Session Collaboration for details.
    8. Max sessions per RDS Host will block connections if this number is exceeded. You can leave it set to Unlimited.
  13. Click Next.
  14. The Load Balancing Settings page lets you configure what metrics are used for even distribution of users across the farm. By default, only Session Count is considered. You can add other metrics like CPU or Memory. Click Next.
  15. In the Provisioning Settings page:
    1. Enter a Naming Pattern. Make sure the name includes {n:fixed=3} or something like that. Computer names must be 15 characters or less.
    2. In Farm Sizing, enter the number of machines to create.
  16. Click Next.
  17. In the vCenter Settings page, click Browse next to each option and make a selection. These are self-explanatory. Make sure VM Folder Location doesn’t have any spaces in it. Scroll down to see all options. Then click Next.
  18. In the Guest Customization page:
    1. Select an OU to place the new virtual machines. This should be an OU that is configured with group polices for the RDSH machines.
    2. Consider the Allow reuse of pre-existing computer accounts check box.
  19. Click Next.
  20. In the Ready to Complete page, click Submit.

To view the status of RDS Farm creation:

  1. Click the farm name.
  2. The bottom of the Summary tab shows you the State of the Publishing progress.

  3. You can watch the progress in vSphere Client. It goes through a couple longer tasks, including cloning the snapshot, and creating a digest file.
  4. Eventually the tab named RDS Hosts will show the new virtual machines.
  5. Once the RDS Hosts are created, you publish resources from them by either creating a Desktop Pool, or an Application Pool, or both.

Add more RDS Hosts to an Automatic Farm

To add RDS hosts to an existing RDS Automatic Farm.

  1. On the left, expand Inventory, and click Farms.
  2. Click the link for an automated farm.
  3. On the right, click Edit.
  4. Switch to the Provisioning Settings tab and change the Max number of machines. Then click OK.
  5. It should not take long to add the new VM.
  6. The RDS Hosts tab of the RDS farm shows the new RDS host(s).

Update an Automatic Farm

Master Image Preparation

  1. Power on the master session host.
  2. Login and make changes.
  3. After making your changes, shut down the master session host.
  4. Right-click the virtual machine, and take snapshot. You must create a new snapshot.
  5. Name the snapshot, and click OK.
  6. You’ll need to periodically delete the older snapshots. Right-click the master VM, and click Manage Snapshots.
  7. Delete one or more of the snapshots.
  8. In Horizon Console, go to Inventory > Farms.
  9. Click the farm name’s link.
  10. On the Summary tab, click Maintain, and then click Schedule.
  11. One option is to schedule Recurring reboots, which revert the RDS Hosts to a clean state.
  12. To push out an updated Master Image, change the Schedule to Immediate.
  13. Select Start Now, or select Start at a future date/time. Click Next.
  14. In the Image page, uncheck the box next to Use current golden image, select the new snapshot, and click Next.
  15. In the Scheduling page, decide if the reboot should wait for users to logoff or force them off and then click Next.
  16. In the Ready to Complete page, click Finish.
  17. The RDS Farm’s Summary tab (scroll down) shows you that it’s publishing the new image.

  18. After the image is published, on the RDS Hosts tab, you can check on the status of the maintenance task.

Instant Clones Maintenance

To perform Instant Clone Maintenance:

  1. If you click an Instant Clones RDS Farm name…
  2. And switch to the RDS Hosts tab, you can select a machine, and then click Recover, this causes the VM to be deleted and recreated, thus reverting to the master image snapshot.

  3. On the Summary tab of the RDS Farm, you can click Maintain > Schedule to schedule a reboot of every VM in the RDS Farm. Rebooting causes the VMs to revert to the master image snapshot.
  4. Specify how often you want the reboot to occur, and then click Next.
  5. In the Image page, you don’t have to change the snapshot. Click Next.
  6. Decide what to do about logged on users, and click Next.
  7. In the Ready to Complete page, click Finish.
  8. If you click the Maintain menu again, you can click Reschedule to change when the reboots are scheduled. Or click Cancel.
  9. If you click Schedule again, you can only schedule a one-time update, typically to replace the master image snapshot used by the RDS Farm.
  10. ESXi hosts running Instant Clones can be placed into maintenance mode without any special instructions.

RDS Farms – Manual

If you are building your RDSH Machines manually (e.g. cloned manually in vCenter; no Instant Clones), then add the manually created machines to a Manual Farm.

  • All RDS machines added to a single Manual Farm should be identical because Horizon will load balance across the servers in the farm.

To create a manual RDS Farm:

  1. Make sure the Instant Clone Agent is not installed on your manual RDS servers, and make sure you saw the screen to register the Agent with a Horizon Connection Server.

    • Verify registration at Settings > Registered Machines.
  2. On the left, expand Inventory, and click Farms.
  3. On the right, click Add.
  4. In the Type page, select Manual Farm, and click Next.
  5. In the Identification and Settings page, enter a name for the Farm. Scroll down.
  6. Scroll down to the Farm Settings section.
    1. There is a pre-launch option. If pre-launch is enabled on a published app, when the user logs into Horizon Client, an empty RDS Session is immediately established. When the user double clicks an icon, the program launches quickly since there’s already a pre-launched session. When the user closes Horizon Client, the pre-launch session is disconnected for the duration specified here. The minimum duration is 10 minutes.
    2. For Empty session timeout, set it to 1 minute. For When timeout occurs, set it to Log off. You usually want the session to end when users close all of their applications.
    3. For Log off disconnect sessions, specify a disconnect timer. This is in addition to the idle timer configured in Configuration > Global Settings.
    4. There is an Allow Session Collaboration checkbox, which adds a VMware Horizon Collaboration icon in the system tray of the remote desktop, which lets you invite users to collaborate. See Session Collaboration for details.
  7. Click Next.
  8. The Load Balancing Settings page lets you configure what metrics are used for even distribution of users across the farm. By default, only Session Count is considered. You can add other metrics like CPU or Memory. Click Next.
  9. In the Select RDS Hosts, select one or more identical Remote Desktop Session Hosts that are registered with Horizon Console. Click Next.
  10. In the Ready to Complete page, click Submit.
  11. If you click the farm name…
  12. On the RDS Hosts tab, you can click Add to add more registered RDS Hosts. Make sure every Host in the RDS Farm is identical.

Publish Desktop

To publish a desktop from a load balanced RDS Farm (Automatic Farm or Manual Farm):

  1. In Horizon Console, on the left, expand Inventory, and click Desktops.
  2. On the right, click Add.
  3. In the Type page, select RDS Desktop Pool, and click Next.
  4. In the Desktop Pool ID page, enter an ID and name. They can be different. The ID cannot contain spaces. Click Next.
  5. In the Desktop Pool Settings page:
    1. You can select a Category Folder where the published icon will be placed on the client’s Start Menu.
    2. You can type in a new category folder name or select an existing one. Also select Shortcut Locations.
    3. There is a checkbox named Client Restrictions. When this is enabled, you can add Client Computer Accounts to an AD Group and entitle the published desktop to that computer AD group. The published desktop can then only be accessed from the client computers in the AD group.
    4. Notes on Client Restrictions:
  6. Click Next.
  7. In the Select an RDS farm page, select a farm, and click Next. The farm can be either Instant Clone or Manual.
  8. In the Ready to Complete page, check the box next to Entitle users after this wizard finishes, and click Submit.
  9. In the Entitlements window, click Add.
  10. Browse to an Active Directory group, and click OK.
  11. Then click Close.
  12. If you go to Inventory > Farms, click your farm name, there will be a RDS Pools tab, where you can see which Desktop Pool is associated with this farm. An RDS Farm can only belong to one Desktop Pool.

Publish Applications

To publish apps from an RDS Farm (automatic farm or manual farm):

  1. In Horizon Console, on the left, expand Inventory, and click Applications.
  2. On the right, click Add, and then click Add from Installed Applications.
  3. In the Select Applications page, select a RDS Farm.
  4. The purpose of this wizard is to publish applications from an RDS Farm and then assign them to users (aka entitlement). The entitlements (aka user assignments) will apply to all of the applications you select on this page. If you want different entitlements for different applications, run this wizard multiple times and select different applications. Once the applications are published, you can change their entitlements individually.
  5. Select one or more applications. Notice that File Explorer is not one of the options. You can manually add that application later. Scroll down.
  6. There are additional options at the bottom of the Select Applications page. Notice the Entitle users box is checked by default.

    1. There’s a Pre-launch option for published applications. You can optionally enable it on at least one application, and then entitle the pre-launch application to the users that need the Pre-launch feature.
    2. Horizon 2309 and newer let you restrict applications to a Single Application Launch Limit.
    3. You can assign tags for Connection Server restrictions, which lets you control visibility of icons for internal users vs external users.
    4. You can select a Category Folder where the published icon will be placed on the client’s Start Menu and/or Desktop.
    5. There’s a checkbox named Client Restrictions. When this is enabled, you can add Client Computer Accounts to an AD Group and entitle the published application to that computer AD group. The published application can then only be accessed from the client computers in the AD group. Notes on Client Restriction:
  7. Click Next when done.
  8. The Edit Applications page lets you rename (Display name) the published icons. Click Submit when done.
  9. Click Add to select a group that can see all of the applications that you selected. This is the normal entitlement process.

    1. There is an option for Unauthenticated users, which is detailed at Entitle Unauthenticated Access Users to Published Applications at Omnissa Docs.
    2. Before you can configure Uauthenticated Access on published applications, you must add a Domain Account that will be used for anonymous access at Users and Groups > Unauthenticated Access.
    3. Then go to Settings > Servers and Edit a Connection Server.
    4. On the Authentication tab…
    5. …enable Unauthenticated Access, and select the Default unauthenticated access user account.
    6. Back in your entitlement, you select Unauthenticated Users, and entitle it to the Domain User that is your anonymous account.
  10. You can run the Add Application Pool wizard again to publish more applications with different entitlements (aka user assignments).
  11. If you click the name one of the application pools…
  12. …on the Entitlements tab, you can change the entitlements

Manual Application Publishing

Instead of publishing an existing application from the Start Menu, you can add an application manually:

  1. Go to Inventory > Applications, click Add, and select Add Manually.
  2. File Explorer is an application that has to be added manually. Select an RDS Farm and then enter the path to the application.

  3. When publishing Explorer, add the /separate switch. This prevents the full desktop from appearing when launching published Explorer through HTML Blast.
  4. There are more settings at the bottom of the page.

Icon for Published Application

  1. You can select an Application Pool, then open the Application Icon menu and click Associate Application Icon.

Published App Monitoring

If you click a Farm name, you can view Sessions connected to that Farm and the published application each user is running. Monitor > Sessions does not show published application information, but RDS Farm > Sessions does.

  1. In Horizon Console, on the left, expand Inventory and click Farms.
  2. On the the right, click the link for one of the farms.
  3. Switch to the tab named Sessions.
  4. As you scroll down the table you’ll see sessions with Type = Application.
  5. If you scroll to the right, you’ll see the Application Name in the far-right column.

Show application pools associated with RDS Farm

  1. If you go to Inventory > Farms, click your farm name…
  2. …and switch to the RDS Pools tab, you can see which Application Pools (published applications) are associated with this farm. You can click the link for a pool to be taken to the pool’s property pages.

Disable Application

Horizon 2012 (8.1) and newer let you disable an application pool. Go to Inventory > Applications, select one or more applications, click the More menu, and click Disable Application Pool.

When the application is disabled, the application icon is removed from Horizon Client at next refresh. If the user tries to launch the icon before it has been removed, then the message is “This application is currently not available”.

Anti-affinity

You can configure Horizon to restrict the number of instances of an application running on a particular RDS host. Here are some limitations:

  • If the user already has a session, then anti-affinity is ignored.
  • If the application is launched from within an RDS Desktop, then anti-affinity is ignored.
  • Not recommended for Horizon Mobile clients.

See Configure an Anti-Affinity Rule for an Application Pool in Horizon Console at Omnissa Docs.

Do the following to configure Anti-Affinity in Horizon Console:

  1. On the left, go to Inventory > Applications.
  2. On the right, edit an existing application pool.
  3. Scroll down. In the Anti-Affinity Patterns field, enter process names to match. Wildcards are supported. Each match is counted.
  4. In the Anti-Affinity Count field, enter the maximum number of process name matches that can run on a single RDS Host.

Related Pages

Omnissa Horizon 2412: Master RDS Host

Last Modified: Jan 31, 2025 @ 10:46 am

Navigation

Use this post to build a Windows Server Remote Desktop Session Host (RDSH) that will be used as the source image for additional cloned Remote Desktop Session Hosts. Or you can build each Remote Desktop Session Host manually using the steps detailed in this post. Virtual Desktop is detailed in a separate article.

This post applies to all Horizon versions 2006 (aka 8.0) and newer.

Change Log

Hardware

  • The session host pools will use the same hardware specs (e.g., vCPUs, memory size, network label) specified on the master session host. Adjust accordingly.
  • Set the vCPUs to 8. Two is the minimum.
  • Typical memory for an 8-vCPU session host is 24 – 48 GB (e.g., 32 GB).
  • For New Hard disk, consider setting Thin provision. And increase the size so it can store the locally cached profiles (C:\Users).
  • The session host should be configured with a VMXNET 3 network adapter.
  • When building the master session host, you will probably boot from an ISO. When you are ready to create the pool (RDS farm), ensure the CD/DVD drive points to Client Device, and is not Connected. The important part is to make sure ISO file is not configured.
  • There’s no need for the Floppy drive so remove it.
  • If you have any Serial ports, remove them.

NIC Hotplug – Disable

  1. Users could use the systray icon to Eject the Ethernet Adapter. Obviously this is bad.
  2. To disable this functionality, power off the virtual machine.
  3. Once powered off, right-click the virtual machine, and click Edit Settings.
  4. On the VM Options tab, expand Advanced, and then click Edit Configuration.
  5. Click Add Configuration Params.
  6. On the left, enter devices.hotplug. On the right, enter false.
  7. Then click OK a couple times to close the windows.
  8. The VM can then be powered on.

VMware Tools

See Omnissa Product Interoperability Matrices for supported versions of VMware Tools with different versions of Horizon Agent.

The latest versions of VMware Tools resolve security vulnerabilities.

VMware Tools includes the Shared Folders feature, which prevents roaming profiles from being deleted properly. When installing VMware Tools, make sure you deselect Shared Folders so it is not installed.

After installing VMware Tools, open Registry Editor and go to HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order. Look in the ProviderOrder value on the right, and ensure that vmhgfs is not listed. If it is, remove it.

Windows

Disable Internet Explorer Enhanced Security Config

  1. In Server Manager, switch to the Local Server page.
  2. On the far right, click the link for On next to IE Enhanced Security Configuration.
  3. Click Off for both Administrators and Users. Click OK.

Windows Update

Whenever you deploy a virtual machine from a template and SysPrep is executed during the cloning process, all Windows Update settings are reset. You must reconfigure Windows Update on every new virtual machine (or use group policy).

  1. In Server Manager, click Local Server on the left. Then on the right, click the link for Last checked for updates.
  2. Click Advanced Options.
  3. Check the box next to Give me updates for other Microsoft products when I update Windows, and then click the back button. Then click Check for Updates.

  4. Windows Update will automatically start checking for updates.
  5. Install any updates it recommends.

Local Administrators Group

Add your Horizon Admins group to the local Administrators group.

  1. In Server Manager, open the Tools menu, and click Computer Management. Or launch it by right-clicking the Start Button.
  2. Add the Horizon Admins group to the local Administrators group.

C: Drive Permissions

The default permissions allow users to store files on the C: drive in places other than their profile.

  1. Open the Properties dialog box for C:\.
  2. On the Security tab, click Advanced.
  3. Highlight the line containing Users with Create Folders permission, and click Remove.
  4. Highlight the line containing Users with Create Files permission, and click Remove.
  5. Click OK to close the Advanced Security Settings window.
  6. Click Yes to confirm the permissions change.
  7. If you see any of these Error Applying Security windows, click Continue.
  8. Click OK to close the C: drive properties.

Installs

Install/Upgrade Horizon Agent

To install Horizon Agent on Remote Desktop Session Host (RDSH), do the following:

  1. Latency – In Horizon 2106 (8.3) and newer, maximum latency between Horizon Agent machine and Connection Server is 120ms. Older versions of Horizon have lower maximum latencies.
  2. Windows Server 2019, Windows Server 2016, and Windows Server 2012 R2 are supported.
    • Windows Server 2022 is supported in Horizon 2111 (8.4) and newer.
  3. VMware Tools – install VMware Tools before you install Horizon Agent.
    1. If you need to update VMware Tools, uninstall Horizon Agent, upgrade VMware Tools, and then reinstall Horizon Agent.
    2. See Omnissa Product Interoperability Matrices for supported versions of VMware Tools with different versions of Horizon Agent.
  4. Download Horizon Agent 2412 (8.14)
  5. Run the downloaded Omnissa-Horizon-Agent-x86_64-2412-8.14.0.exe.
  6. If you want the URL Content Redirection feature, then you must run the Agent installer with the following switches: /v URL_FILTERING_ENABLED=1.
  7. If you want the UNC Path Redirection feature in 8.7 and newer, then you must run the Agent installer with the following switches: /v ENABLE_UNC_REDIRECTION=1. You can combine the two switches.
  8. In the Welcome to the Installation Wizard for VMware Horizon Agent page, click Next.
  9. In Desktop OS Configuration page, select RDS Mode and click Next.

    1. Click OK to install the role.
    2. Restart the machine.
    3. After restart, login, and re-run the Agent installer.
  10. In the Network protocol configuration page, select IPv4, and click Next.
  11. In the Custom Setup page, several features are disabled by default. Horizon Smart Policies in Dynamic Environment Manager (DEM) can control some of these features but only if the features are installed.
    1. USB Redirection is an option.
    2. If this RDS Host will be a master image for an Instant Clone farm, then install the Instant Clone Agent. For manual farms, don’t select this feature.
    3. Scanner Redirection is an option. Note: Scanner Redirection will impact host density.
    4. Serial Port Redirection is an option.
    5. There’s an option for Horizon Performance Tracker, which adds a program to the Agent machine that can show the user performance of the remote session. You can publish the Tracker.

    6. In Horizon 2206 and newer, Storage Drive Redirection provides faster performance than Client Drive Redirection.
  12. Click Next when done making selections.
  13. Click OK to acknowledge the USB redirection message.
  14. If you see the Register with Horizon Connection Server page, enter the name of a Horizon Connection Server, and click Next. You only see this page if you deselected the Instant Clone Agent feature. Registration is necessary for Manual RDS Farms (no Instant Clones).
  15. In the Ready to Install the Program page, Horizon Agent 2306 and newer have an option to Automatically restart system on successful completion. Click Install.
  16. In the Installer Completed page, click Finish.
  17. Click Yes to restart the server.
  18. If you want to know what features were selected during installation, look in HKLM\Software\VMware, Inc.\Installer\Features_HorizonAgent. Or look in the installation log files as detailed at Paul Grevink View Agent, what is installed?

  19. To verify installation of the URL Content Redirection feature, check for the presence of C:\Program Files\VMware\VMware View\Agent\bin\UrlRedirection.
  20. There’s also an IE add-on.
  21. URL Content Redirection is configured using group policy.
  22. To verify installation of the UNC Content Redirection feature, check for the presence of C:\Program Files\VMware\VMware View\Agent\bin\UncRedirection.

Install/Upgrade Dynamic Environment Manager (DEM) Agent

All editions of Horizon 2006 (8.0) and newer are entitled to Dynamic Environment Management (DEM).

  • Horizon Standard Edition and Horizon Advanced Edition are entitled to DEM Standard Edition, which only has personalization features that replace Persona. If you are using FSLogix Profile Containers for profiles, then you probably don’t need DEM Standard Edition.
  • Horizon Enterprise Edition is entitled to DEM Enterprise Edition, which has all DEM features, including Smart Policies, Privilege Elevation, etc.

DEM 2006 and newer Agents (FlexEngines) require additional configuration to enable DEM Computer Settings. You can either configure registry settings on each DEM Agent machine, or in DEM Agent 2103 and newer you can use an installer command-line switch. Both are detailed at Perform Installation with Computer Environment Settings Support at Omnissa Docs.

  • Group Policy Preferences can push these registry keys to the Horizon Agent machines. Or you can manually modify the registry in your master images. The minimum registry values are Enabled and ConfigFilePath as detailed at Perform Installation with Computer Environment Settings Support at Omnissa Docs. For the list of additional registry values, see FlexEngine Configuration for Computer Environment Settings at Omnissa Docs.
  • Command line install looks something like below. The command line installer switch sets the same ConfigFilePath and Enabled registry values as shown above.
    msiexec /i "\\fs01\bin\Omnissa\DEM\Omnissa-DEM-Enterprise-2412-10.14\Omnissa Dynamic Environment Manager Enterprise 2412 10.14 x64.msi" /qn COMPENVCONFIGFILEPATH=\\fs01\DEMConfig\general

To install DEM Agent:

 

  1. Windows 10 Compatibility – See Omnissa 57386 Omnissa Dynamic Environment Manager and Windows 10 Versions Support Matrix
  2. Make sure Prevent access to registry editing tools is not enabled in any GPO since this setting prevents the FlexEngine from operating properly.
  3. DEM 2412 (10.14) is the latest release.
  4. Based on your entitlement, download either DEM 2412 (10.14) Enterprise Edition, or DEM 2412 (10.14) Standard Edition. For ESB Horizon, download the DEM version included with your ESB version of Horizon.

  5. Run the extracted Omnissa Dynamic Environment Manager Enterprise 2412 10.14 x64.msi.
  6. In the Welcome to the Omnissa Dynamic Environment Manager Enterprise Setup Wizard page, check the box next to I accept and click Next.