This post applies to all VMware Horizon versions 2006 (aka 8.0) and newer.
💡 = Recently Updated
Change Log
- 2023 Mar 31 – updated entire article for VMware Horizon 2303 (8.9)
- 2023 Jan 20 – added Horizon Console Certificate Management in Horizon 2212.
- 2023 Jan 13 – updated entire article for VMware Horizon 2212 (8.8)
- 2022 Nov 8 – updated links for VMware Horizon 2111.1 (8.4.1)
- 2022 Oct 21 – updated entire article for VMware Horizon 2209 (8.7)
- 2022 July 21 – updated entire article for VMware Horizon 2206 (8.6)
- 2022 Mar 10 – Install – updated screenshots for newer build with log4j 2.17.1
- 2021 Dec 1 – updated entire article for VMware Horizon 2111 (8.4)
- 2021 July 16 – updated entire article for VMware Horizon 2106 (8.3)
- 2021 Mar 23 – updated entire article for VMware Horizon 2103 (8.2)
- 2020 Jan 10 – Upgrade – added link to VMware 80781 Knowledge DML scripts for data population of new columns in view Events Database
- 2021 Jan 8 – updated entire article for VMware Horizon 2012 (8.1)
- 2020 Aug 14 – updated entire article for VMware Horizon 2006 (8.0)
Upgrade
If you are performing a new install, skip to Install Horizon Connection Server.
Notes regarding upgrades:
- For supported upgrade paths (which version can be upgraded to which other version), see VMware Interoperability Matrix.
- Horizon 7 license key does not work in Horizon 2006 (8.0) and newer. You’ll need to upgrade your license key to Horizon 8.
- Horizon 8.x no longer supports Horizon Clients 5.x and older. 💡
- According to VMware 78445 Update sequence for Horizon 7.X and its compatible VMware products, App Volumes Managers are upgraded before upgrading Connection Servers.
- Upgrade all Connection Servers during the same maintenance window.
- Horizon Agents cannot be upgraded until the Connection Servers are upgraded.
- Horizon 2006 (8.0) and newer do not support Security Servers. The replacement is Unified Access Gateway.
- Composer is deprecated in Horizon 2006 (8.0) and newer. Composer was removed from Horizon 2012 (8.1) and newer. All editions of Horizon 2006 (8.0) and newer support Instant Clones. See Modernizing VDI for a New Horizon at VMware Tech Zone for migration instructions.
- Downgrades are not permitted.
- You can snapshot your Connection Servers before beginning the upgrade. To revert, shut down all Connection Servers, then revert to snapshots.
- For Cloud Pod Architecture, you don’t have to upgrade every pod at once. But upgrade all of them as soon as possible.
- All Connection Servers in the pod must be online before starting the upgrade.
- It’s an in-place upgrade. Just run the Connection Server installer and click Next a couple times.
- Once the first Connection Server is upgraded, Horizon 2006 (8.0) and newer lets you upgrade the remaining Connection Servers concurrently.
- After upgrading all Connection Servers to Horizon 2012 (8.1) or newer, see VMware 80781 Knowledge DML scripts for data population of new columns in view Events Database to backfill the Events Database with column data to improve Events query performance.
- Upgrade the Horizon Group Policy template (.admx) files in sysvol.
- Upgrade the Horizon Agents.
- Persona is no longer supported. Persistent Disks are no longer supported. The replacement is VMware Dynamic Environment Manager. Or Microsoft FSLogix. See Modernizing VDI for a New Horizon at VMware Tech Zone for migration instructions.
- If DEM Agent or App Volumes Agent are installed, then uninstall them before you upgrade the Horizon Agent. See VMware 2118048 Agent installation order for Horizon View, Dynamic Environment Manager, and App Volumes.
- If you want to upgrade VMware Tools, then uninstall Horizon Agent, upgrade VMware Tools, and then reinstall Horizon Agent, DEM Agent and App Volumes Agent. See VMware 2118048 Agent installation order for Horizon View, Dynamic Environment Manager, and App Volumes.
- Otherwise, Horizon Agent is an in-place upgrade. Just run the installer on your gold images and full clones.
- There’s no hurry. Upgrade the Horizon Agents when time permits.
- DEM Console should not be upgraded until all DEM Agents are upgraded.
- Upgrade the Horizon Clients.
- Horizon Clients can be upgraded anytime before the rest of the infrastructure is upgraded.
Install/Upgrade Horizon Connection Server
The first Horizon Connection Server must be a Standard Server. Subsequent Horizon Connection Servers are Replicas. Once Horizon Connection Server is installed, there is no difference between Standard and Replica.
A production Horizon Connection Server should have 10 GB of RAM and 4 vCPU. Each Horizon Connection Server can handle 4,000 user connections.
Horizon 2303 (8.9) is the latest release. Starting August 2020, VMware switched to a YYMM versioning format.
- Horizon 2212 (8.8) is also an Extended Service Branch (ESB) release, which is supported for 3 years from the January 2023 release date.
- Horizon 2111.1 (8.4.1) is an Extended Service Branch (ESB) release, which is supported for 3 years from the November 2021 release date.
To install the first Horizon Connection Server:
- Ensure the Horizon Connection Server has 10 GB of RAM and 4 vCPU. Source = Hardware Requirements for Horizon Connection Server at VMware Docs.
- Horizon 2111 (8.4) and newer support Windows Server 2022.
- Horizon 2006 (8.0) and newer support Windows Server 2012 R2, Windows Server 2016, and Windows Server 2019. Horizon 2111 adds support for Windows Server 2022. See 78652 Supported Operating Systems and MSFT Active Directory Domain Functional Levels for VMware Horizon 8 2006 and newer.
- Horizon 2006 (8.0) and newer no longer need Flash.
- Instant Clones in Horizon 2303 and newer require vSphere 7 or newer. vSphere 6.7 and older will not work.
- Download Horizon 2303 (8.9) Horizon Connection Server.
- Run the downloaded VMware-Horizon-Connection-Server-x86_64-8.8.0.exe.
- In the Welcome to the Installation Wizard for VMware Horizon Connection Server page, click Next.
- In the License Agreement page, select I accept the terms, and click Next.
- In the Destination Folder page, click Next.
- In the Installation Options page, select Horizon Standard Server, and click Next.
- In Horizon 2006 (8.0) and newer, it is no longer possible to disable HTML Access for specific pools.
- In the Data Recovery page, enter a password, and click Next.
- In the Firewall Configuration page, click Next.
- In the Initial Horizon Administrators page, enter an AD group containing your Horizon administrators, and click Next.
- In the User Experience Improvement Program page, uncheck the box, and click Next.
- In the Operational Data Collection page, click Next.
- In the Ready to Install the Program page, click Install.
- In the Installer Completed page, uncheck the box next to Show the readme file, and click Finish.
Install Horizon Connection Server Replica
Additional Horizon Connection Servers are installed as Replicas. After installation, there is no difference between a Replica server and a Standard server.
A production Horizon Connection Server should have 10 GB of RAM and 4 vCPU.
To install Horizon Connection Server Replica:
- Ensure the Horizon Connection Server has 10 GB of RAM and 4 vCPU. Source = Hardware Requirements for Horizon Connection Server at VMware Docs.
- Horizon 2111 (8.4) and newer support Windows Server 2022.
- Horizon 2006 (8.0) and newer support Windows Server 2012 R2, Windows Server 2016, and Windows Server 2019. See 78652 Supported Operating Systems and MSFT Active Directory Domain Functional Levels for VMware Horizon 8 2006.
- Horizon 2006 (8.0) and newer no longer need Flash.
- Download Horizon 2303 (8.9) Horizon Connection Server.
- Run the downloaded VMware-Horizon-Connection-Server-x86_64-8.9.0.exe.
- In the Welcome to the Installation Wizard for VMware Horizon Connection Server page, click Next.
- In the License Agreement page, select I accept the terms, and click Next.
- In the Destination Folder page, click Next.
- In the Installation Options page, select Horizon Replica Server, and click Next.
- In the Source Server page, enter the name of another Horizon Connection Server in the pod. Then click Next.
- In the Firewall Configuration page, click Next.
- In the Ready to Install the Program page, click Install.
- In the Installer Completed page, click Finish.
- Load balance your multiple Horizon Connection Servers.
- Horizon Console > Settings > Servers > Connection Servers tab shows multiple servers in the pod.
Horizon Connection Server Certificate
Horizon Console Certificate Management
Horizon 2212 and newer have a Certificate Management section in the Horizon Console under Settings.
- The Administrators role in Horizon does not include the Certificate Management permission. Go to Settings > Administrators. On the right, switch to the tab named Role Privileges. Click Add.
- Name the role CertificateManagement or similar. Select the Manage Certificates privilege and click OK.
- Switch to the tab named Administrators and Groups. Select your Horizon Admins group and click Add Permissions.
- Select your new CertificateManagement role and click Finish.
- If you log out, log back in, and then go to Settings > Certificate Management, the buttons should no longer be grayed out. You can either import an existing cert, or click Generate CSR to create a new cert. If you click Generate CSR, then there’s no way to use this interface to combine the signed certificate with the key, so it’s probably better to use some other method of creating a certificate and export it as a .pfx file.
- Click Import to upload a PFX file to the Connection Server that you are currently connected to. You’ll have to repeat this process on each Connection Server.
- In certlm.msc on the Connection Server, notice that it sets the vdm friendly name on the imported cert, but it doesn’t remove the vdm friendly name from the old cert. You’ll need to manually remove the vdm friendly name from the old cert.
- Then open services.msc and restart the VMware Horizon View Security Gateway Component.
- Repeat this process on the other Connection Servers.
Install Cert Manually
Alternatively, install a certificate without using Horizon Console:
- Run certlm.msc. Or run mmc, add the Certificates snap-in, and point it to Computer > Local Machine.
- Request a new certificate with a common name that matches the FQDN of the Connection Server or import a wildcard certificate.
- Note: the private key must be exportable. If using the Computer template, click Details, and then click Properties.
- On the Private Key tab, click Key options to expand it, and check the box next to Mark private key as exportable.
- In the list of certificates, look for the one that is self-signed. The Issuer will be the local computer name instead of a Certificate Authority. Right-click it, and click Properties.
- On the General tab, clear the Friendly name field, and click OK.
- Right-click your Certificate Authority-signed certificate, and try to export it.
- On the Export Private Key page, make sure Yes, export the private key is selectable. If the option to export the private key is grayed out, then this certificate will not work. Click Cancel.
- Right-click your Certificate Authority-signed certificate, and click Properties.
- On the General tab, in the Friendly name field, enter the text vdm, and click OK. Note: only one certificate can have vdm as the Friendly name.
- Then restart the VMware Horizon View Connection Server service. It will take several minutes before you can connect to Horizon Administrator Console.
- Horizon Console > Monitor > Dashboard > System Health > View > Components > Connection Servers should show the TLS Certificate as Valid.
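The manual procedure above depends on exactly one CA-signed certificate with an exportable private key carrying the friendly name vdm. The following read-only audit is an added example, not part of the original article or any VMware tooling; the function names are hypothetical, and treating Subject equal to Issuer as self-signed is an assumption that matches the "Issuer is the local computer name" hint in the steps.

```powershell
# Added example: read-only audit of the certificate the Connection Server will select.
# Run from an elevated Windows PowerShell prompt on the Connection Server.

function Test-PrivateKeyExportable {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    if (-not $Cert.HasPrivateKey) { return $false }
    try {
        $key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
    } catch {
        return $null    # key could not be opened (permissions, missing container)
    }
    if ($key -is [System.Security.Cryptography.RSACng]) {
        # CNG keys expose the export policy as a flags enum
        $mask = [int][System.Security.Cryptography.CngExportPolicies]::AllowExport -bor
                [int][System.Security.Cryptography.CngExportPolicies]::AllowPlaintextExport
        return (([int]$key.Key.ExportPolicy) -band $mask) -ne 0
    }
    if ($key -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        # Legacy CSP keys expose a simple boolean
        return $key.CspKeyContainerInfo.Exportable
    }
    return $null        # non-RSA key: confirm on the Export Private Key page in certlm.msc
}

function Get-HorizonCertFindings {
    param([string]$Store = 'Cert:\LocalMachine\My')
    $now = Get-Date
    $vdm = @(Get-ChildItem -Path $Store | Where-Object { $_.FriendlyName -eq 'vdm' })

    # Only one certificate may carry the vdm friendly name
    if ($vdm.Count -ne 1) {
        "Expected exactly one certificate with friendly name 'vdm', found $($vdm.Count)."
    }
    foreach ($c in $vdm) {
        $id = "$($c.Subject) [$($c.Thumbprint)]"
        if ($c.Subject -eq $c.Issuer) {
            "$id looks self-signed; clear its friendly name and tag the CA-signed certificate instead."
        }
        if (-not $c.HasPrivateKey) {
            "$id has no private key in this store."
        } elseif ((Test-PrivateKeyExportable $c) -ne $true) {
            "$id private key is not marked exportable (or could not be checked)."
        }
        if ($c.NotBefore -gt $now) { "$id is not valid until $($c.NotBefore)." }
        if ($c.NotAfter  -lt $now) { "$id expired on $($c.NotAfter)." }
    }
}

$findings = @(Get-HorizonCertFindings)
if ($findings.Count -eq 0) {
    "OK: one usable certificate is tagged 'vdm'. Restart the Connection Server service to apply it."
} else {
    $findings
}
```

The script changes nothing; clear or set friendly names in certlm.msc as described in the steps, then run it again before restarting the service.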
Horizon Portal – Client Installation Link
If you point your browser to the Horizon Connection Server (without /admin in the path), the Install VMware Horizon Client link redirects to the VMware.com site for downloading of Horizon Clients. You can change it so that the Horizon Clients can be downloaded directly from the Horizon Connection Server.
- On the Horizon Connection Server, go to C:\Program Files\VMware\VMware View\Server\broker\webapps.
- Create a new folder called downloads.
- Copy the downloaded Horizon Client 2303 for Windows to the new C:\Program Files\VMware\VMware View\Server\broker\webapps\downloads folder.
- Run Notepad as administrator.
- In Notepad, open the file C:\ProgramData\VMware\VDM\portal\portal-links-html-access.properties.
- Go back to the downloads folder and copy the Horizon Client filename.
- In Notepad, modify link.win32 and link.win64 by specifying the relative path to the Horizon Client executable under /downloads. Note: In Horizon Client 4.3 and newer, there’s only one Horizon client for both 32-bit and 64-bit. The following example shows a link for the Horizon win64 client.
link.win64=/downloads/VMware-Horizon-Client-2303-8.9.0-21444108.exe
- Then Save the file.
- Restart the VMware Horizon View Web Component service or restart the entire Connection Server.
- It will take a few seconds for the ws_TomcatService process to start, so be patient. If you get a 503 error, then the service is not done starting.
- Now when you click the link to download the client, it will grab the file directly from the Horizon Connection Server.
- Repeat these steps on each Connection Server.
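Once the Connection Server hosts the installer itself, every user who clicks the portal link runs whatever file sits in the downloads folder, so it is worth confirming that each link resolves to a file that exists and still carries a valid Authenticode signature. This check is an added example, not part of the original article; the function name is hypothetical and the default paths are the ones used in the steps above.

```powershell
# Added example: verify that the portal's Windows client links point at signed local files.
# Run on each Connection Server after editing portal-links-html-access.properties.

function Test-HorizonClientLink {
    param(
        [string]$PropertiesFile = 'C:\ProgramData\VMware\VDM\portal\portal-links-html-access.properties',
        [string]$WebAppsRoot    = 'C:\Program Files\VMware\VMware View\Server\broker\webapps'
    )
    foreach ($line in Get-Content -LiteralPath $PropertiesFile) {
        # Only the Windows client links edited in the procedure are inspected
        if ($line -match '^\s*(link\.win(?:32|64))\s*=\s*(\S.*?)\s*$') {
            $row = [ordered]@{
                Key       = $Matches[1]
                Target    = $Matches[2]
                Local     = $false   # true when served from the /downloads folder
                Exists    = $null
                Signature = $null
                Signer    = $null
                Sha256    = $null
            }
            if ($row.Target -like '/downloads/*' -and $row.Target -notmatch '\.\.') {
                $row.Local = $true
                $file = Join-Path $WebAppsRoot ($row.Target.TrimStart('/') -replace '/', '\')
                $row.Exists = Test-Path -LiteralPath $file -PathType Leaf
                if ($row.Exists) {
                    $sig = Get-AuthenticodeSignature -FilePath $file
                    $row.Signature = $sig.Status
                    if ($sig.SignerCertificate) { $row.Signer = $sig.SignerCertificate.Subject }
                    # Hash to compare with the value published on the vendor download page
                    $row.Sha256 = (Get-FileHash -LiteralPath $file -Algorithm SHA256).Hash
                }
            }
            [pscustomobject]$row
        }
    }
}

$links = @(Test-HorizonClientLink)
$links | Format-List

# Local links whose file is missing or whose signature is anything other than Valid
$bad = @($links | Where-Object { $_.Local -and ($_.Exists -ne $true -or "$($_.Signature)" -ne 'Valid') })
if ($bad.Count -gt 0) {
    Write-Warning "$($bad.Count) client link(s) need attention: $($bad.Key -join ', ')"
}
```

Links that are not under /downloads are listed with Local = False and are not checked, since they still point away from the Connection Server.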
Portal Branding
Chris Tucker at Horizon View 7.X – Branding the Logon page details how to brand the Horizon portal page.
LDAP Edits
Mobile Client – Save Password
If desired, you can configure Horizon Connection Server to allow mobile clients (iOS, Android) to save user passwords.
- On the Horizon Connection Server, run ADSI Edit (adsiedit.msc).
- Right-click ADSI Edit, and click Connect to.
- Change the first selection to Select or type a Distinguished Name, and enter dc=vdi,dc=vmware,dc=int.
- Change the second selection to Select or type a domain or server, and enter localhost. Click OK.
- Navigate to Properties > Global. On the right, double-click CN=Common.
- Scroll down, click to highlight pae-ClientCredentialCacheTimeout, and click Edit.
- Enter a value in minutes. 0 = no saving of credentials. -1 = no timeout. Click OK.
Biometric Authentication – iOS Touch ID, iOS Face ID, Fingerprints, Windows Hello
Biometric authentication, including Touch ID, Face ID, and Fingerprints, is disabled by default. To enable: (source = Configure Biometric Authentication at VMware Docs)
- On the Horizon Connection Server, run ADSI Edit (adsiedit.msc).
- Right-click ADSI Edit and click Connect to…
- Change the first selection to Select or type a Distinguished Name and enter dc=vdi,dc=vmware,dc=int.
- Change the second selection to Select or type a domain or server and enter localhost. Click OK.
- Navigate to Properties > Global. On the right, double-click CN=Common.
- Find the attribute pae-ClientConfig and double-click it.
- Enter the line BioMetricsTimeout=-1, and click Add. Click OK. The change takes effect immediately.
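Both LDAP edits above change how long credentials stay usable on client devices, so it helps to be able to read the current values back without opening ADSI Edit. The following is an added example, not part of the original article; the function names are hypothetical, and the entry's distinguished name is an assumption derived from the Properties > Global > CN=Common path in the steps.

```powershell
# Added example: report the mobile save-password and biometric settings from the Horizon LDAP.

function Get-HorizonClientAuthPosture {
    param($CacheTimeout, [string[]]$ClientConfig)

    # pae-ClientCredentialCacheTimeout: minutes; 0 = no saving; -1 = no timeout
    if ($null -eq $CacheTimeout -or "$CacheTimeout" -eq '') {
        $save = 'pae-ClientCredentialCacheTimeout is not set'
    } else {
        switch ([int]$CacheTimeout) {
            0       { $save = 'Mobile clients may not save passwords' }
            -1      { $save = 'Mobile clients may save passwords with no timeout (review)' }
            default { $save = "Mobile clients may save passwords for $_ minutes" }
        }
    }

    # pae-ClientConfig is multi-valued; look for a BioMetricsTimeout=<value> line
    $bioLine = $ClientConfig | Where-Object { $_ -match '^\s*BioMetricsTimeout\s*=' } | Select-Object -First 1
    if ($bioLine) {
        $bio = "Biometric authentication configured: $($bioLine.Trim())"
    } else {
        $bio = 'BioMetricsTimeout is not set (biometric authentication is disabled by default)'
    }

    [pscustomobject]@{ SavePassword = $save; Biometrics = $bio }
}

function Read-HorizonCommonEntry {
    # Assumed DN for Properties > Global > CN=Common under dc=vdi,dc=vmware,dc=int
    param([string]$Server = 'localhost')
    $dn    = 'CN=Common,OU=Global,OU=Properties,DC=vdi,DC=vmware,DC=int'
    $entry = [ADSI]"LDAP://$Server/$dn"
    $props = $entry.psbase.Properties
    Get-HorizonClientAuthPosture `
        -CacheTimeout $props['pae-ClientCredentialCacheTimeout'].Value `
        -ClientConfig @($props['pae-ClientConfig'])
}

# Constructed sample values (not read from a real server) to show the report format
Get-HorizonClientAuthPosture -CacheTimeout '-1' -ClientConfig @('BioMetricsTimeout=-1') | Format-List

# On a Connection Server, read the live values instead:
# Read-HorizonCommonEntry | Format-List
```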
Load Balancing
See Carl Stalhood’s Horizon Load Balancing using Citrix NetScaler ADC.
Remote Desktop Licensing
If you plan to build RDS Hosts, then install Remote Desktop Licensing somewhere. You can install it on your Horizon Connection Servers by following the procedure at https://www.carlstalhood.com/delivery-controller-2203-ltsr-and-licensing/#rdlicensing.
Antivirus
VMware Tech Zone Antivirus Considerations in a VMware Horizon Environment: exclusions for Horizon View, App Volumes, User Environment Manager, ThinApp
Help Desk Tool Timing Profiler
Run the following command to enable the timing profiler on each Connection Server instance to view logon segments in Help Desk tool. See VMware Docs for more info.
vdmadmin -I -timingProfiler -enable
Related Pages
- Back to VMware Horizon 8
I am planning to upgrade OS on my Connection servers (running version 2211) from Windows 2016 to 2019. What would be the correct procedure? Can I just do the in-place upgrade? I would appreciate your suggestions.
BTW, I have always followed your BLOG to implement my Connection servers to the environment and they are running solid from the day one. Thank you in advance.
Regards,
Sayed Ahmad
I would add a Replica server, reconfigure the load balancer to send traffic to the new server instead of the old server, and then remove the old server. If any UAGs connect directly to the old server, then reconfigure the UAGs too.
Another option is to power off the old server and rebuild it from scratch with the new OS but same name as old. Then install Connection Server Replica.
Hello,
We are customizing the VMware Horizon Connection Server login screen.
We disabled the download page, but now we want to also change the text below the credential screen where there is “privacy policy” and downloads option, but I don’t see where to change it after the first download screen is disabled. Like in the picture at the bottom of this link:
https://nolabnoparty.com/en/vmware-horizon-8-customize-the-login-page/
What is a good monitoring tool for the Horizon Environment apart from vRealize Operations Manager?
ControlUp is a popular tool.
Out of interest, obviously manually uninstalling DEM from around 5k machines is not an option. Is there a preferred method to achieve the uninstall and then agent upgrade across these machines?
Hi Carl!
Help please! I have a problem with my connection server. I set in webadmin the flag Smart card authentication for administrators as Required and now I can’t open that webadmin 🙁 Restoring from a previous backup didn’t help 🙁
Maybe you know where Horizon CS stores those settings in the filesystem?
Thank you!
Settings are usually stored in LDAP. I’m not sure where you can find that setting in adsiedit.msc.
Did you try to enable smart card auth only for admins but not for users? I tried to set Not allowed for users and Required or Optional for administrators, but when I connect to the CS via the Client app it asks for a smartcard. Why is it happening? I don’t need smartcard auth for internal users.
At the client, when the Horizon agent connects to the connection server the SSL cert is verified; however, after the user’s smart card credentials are entered an “SSL error occured” message is thrown. I followed the keystore guide from the VMware KB and restarted the service but it did not fix it. What could be a possible cause of this?
Hi,
I have a design question:
We have two connection servers and no UAG. We use a load balancer from Barracuda to load balance the two connections servers.
Do we have to use one certificate for all three instances (horizon.company.xx for CS1+CS2+LB)?
Right now we have three different certificates. I’ve added all three hosts to the locked.properties. Access to the Horizon Admin console works fine, but when I try to open a blast session for a vm I get the failure:
The host name in the certificate is invalid or does not match
In the UAG config under Edge Settings > Horizon Settings is the Blast URL. This URL should resolve to your load balancer VIP that has a certificate that matches the URL.
Another option is for each UAG to send Blast traffic to itself, but this would require three public IPs for the load balancer plus each UAG appliance instead of just one public IP for the load balancer.
Hi Carl,
we don’t use a UAG. We only have two connection servers.
In Horizon Console, go to Servers > Connection Servers. Edit one. There’s a field for Blast Secure Gateway. What is the URL? If the Blast Secure Gateway is enabled then the certificate on the Connection Server must match that URL. Normally Blast Secure Gateway is not enabled since UAG is doing it instead.
In the Certificate Management section it’s grayed out for me. So when I go to Administrator to add the “Role Privileges”, then I click Add, I don’t have the privilege for certificate management. So is there a way to create new privileges so I can manage my certificates?
You can ignore my question. I figured it out, thanks.
Need to migrate the standard connection server from a 2012 server MS OS to 2019 MS OS. Can I create a replica of the 2012 connection server or does the new 2019 need to be a standard deployment? We have another connection server that used the 2012 standard to replicate from as well. If I have to use standard for the 2019 OS buildout does that also mean I need to replicate the other connection server off the new 2019 standard?
If your current Connection Server version supports Windows Server 2019, then add it as a Replica server.
Should there be a shared DNS entry for the Horizon server address for the two connection servers?
For example.
A record: connectionserver1.domain.com IP address
a record: connectionserve2.domain.com IP address
A record examplevdi.domain.com IP Address IP address
Thanks,
Scott
examplevdi should point to a load balancer VIP. If you don’t have a load balancer, then you can try creating examplevdi twice with each Connection Server IP and rely on DNS Round Robin.
We are currently using the built-in HA features for UAGs and a primary connection server and a replica connection server. No load balancer. Had the primary connection server go down and connections failed to the replica. Started digging into DNS and found we never added an entry for examplevdi.domain.com for the replica server.
So two records pointing to examplevdi.domain.com, one for the connection server and a second for the replica, correct?
Thanks!
Two DNS records for the same FQDN are usually DNS Round Robin. Note that DNS servers don’t monitor if an IP address is reachable or not, so if a server goes down then half the DNS requests will go to an inaccessible IP address. Load balancers monitor the servers.
So if a primary connection server goes down and there is no load balancer then manual intervention should happen by changing the DNS record to point to the replica? Or is there a better way to go about it?
Correct. Load balancer is the best option. Citrix NetScaler ADC has an Express Edition that is free.
I’m running two Horizon 8 (2111) connection servers and I noticed that all space reclamation operations are initiated by the same connection server (the “2nd one”, i.e. CS02), according to the event database.
Is this normal behaviour?