VMware Unified Access Gateway 2312

Last Modified: Jan 31, 2024 @ 6:19 am


Overview

Unified Access Gateway provides remote connectivity to internal Horizon Agent machines. For an explanation of how this works (i.e., traffic flow), see Understanding Horizon Connections at VMware Tech Zone.

Unified Access Gateway (formerly known as Access Point) is a replacement for Horizon Security Servers. Advantages include:

  • You don’t need to build extra Connection Servers just for pairing. However, you might want extra Horizon Connection Servers so you can filter pools based on tags.
  • Between Unified Access Gateway and Horizon Connection Servers you only need TCP 443. No need for IPSec or 4001 or the other ports. You still need 4172, 22443, etc. to the View Agents.
  • No need to enable Gateway/Tunnel on the internal Horizon Connection Servers.
  • Additional security with DMZ authentication. Some of the Authentication methods supported on Unified Access Gateway are RSA SecurID, RADIUS, CAC/certificates, etc.

However:

  • It’s Linux. You can deploy and configure the appliance without any Linux skills. But you might need some Linux skills during troubleshooting.

Horizon View Security Server has been removed from Horizon 2006 (aka Horizon 8).

More information at VMware Blog Post Technical Introduction to VMware Unified Access Gateway for Horizon Secure Remote Access.

Horizon Compatibility – Refer to the interoperability matrix to determine which version of Unified Access Gateway is compatible with your version of Horizon.

  • The latest version of UAG is 2312, which is newer than version 3.10. Version 2312 means December 2023 in YYMM format.
    • You usually want the Non-FIPS version.
    • Then download the PowerShell deployment scripts on the same UAG download page.
  • If you are running an ESB version of Horizon, then make sure you run the ESB version of Unified Access Gateway. Get it from the same page as your Horizon download.
    1. Use the Select Version drop-down to select the version of Horizon you have deployed.
    2. Then open the downloads for the edition that you are entitled to: Standard, Advanced, or Enterprise.
    3. Scroll down the page to see the Unified Access Gateway downloads. You usually want the Non-FIPS version.
    4. Then download the PowerShell deployment scripts on the same UAG download page.

Firewall

See the VMware Technical White Paper Blast Extreme Display Protocol in Horizon, and Firewall Rules for DMZ-Based Unified Access Gateway Appliances at VMware Docs.

Open these ports from any device on the Internet to the Unified Access Gateway Load Balancer VIP:

  • TCP and UDP 443
  • TCP and UDP 4172. UDP 4172 must be opened in both directions. (PCoIP)
  • TCP and UDP 8443 (for HTML Blast)

Open these ports from the Unified Access Gateways to internal:

  • TCP 443 to internal Connection Servers (through a load balancer)
  • TCP and UDP 4172 (PCoIP) to all internal Horizon View Agents. UDP 4172 must be opened in both directions.
  • TCP 32111 (USB Redirection) to all internal Horizon View Agents.
  • TCP and UDP 22443 (Blast Extreme) to all internal Horizon View Agents.
  • TCP 9427 (MMR and CDR) to all internal Horizon View Agents.

Open these ports from any internal administrator workstations to the Unified Access Gateway appliance IPs:

  • TCP 9443 (REST API)
  • TCP 80/443 (Edge Gateway)

PowerShell Deploy Script

Mark Benson at VMware Communities Using PowerShell to Deploy VMware Unified Access Gateway has a PowerShell script that runs OVF Tool to deploy and configure Unified Access Gateway. The PowerShell script is updated as newer versions of Unified Access Gateways are released. This is the recommended method of deploying Unified Access Gateway.

If you prefer to use vSphere Client to Deploy the OVF file, skip ahead to Upgrade or Deploy.

In UAG 3.3.1.0 and newer, the PowerShell deployment script is downloadable from the UAG download page.

The PowerShell deploy script requires the OVF Tool:

  1. There’s ovftool 4.4.3 for vSphere 7.
  2. Download the VMware OVF Tool for Windows 64-bit.
  3. If OVF Tool is already installed, then you’ll have to uninstall the old version before you can upgrade it.
  4. On the machine where you will run the UAG Deploy script, install VMware-ovftool-4.4.3-…-win.x86_64.msi.
  5. In the Welcome to the VMware OVF Tool Setup Wizard page, click Next.
  6. In the End-User License Agreement page, check the box next to I accept the terms and click Next.
  7. In the Destination Folder page, click Next.
  8. In the Ready to install VMware OVF Tool page, click Install.
  9. In the Completed the VMware OVF Tool Setup Wizard page, click Finish.

Create or Edit a UAG .ini configuration file:

  1. Extract the downloaded uagdeploy PowerShell scripts for your version of Unified Access Gateway.
  2. If you have an existing UAG appliance, then you can download an INI of the configuration from the UAG Administrator page.
    • Or copy and edit one of the downloaded .ini files, like uag2-advanced.ini.
  3. A full explanation of all configuration settings can be found at Using PowerShell to Deploy VMware Unified Access Gateway at VMware Communities.
  4. For any value that has spaces, do not include quotes in the .ini file. The script adds the quotes automatically.
  5. The name setting specifies the name of the virtual machine in vCenter. If this VM name already exists in vCenter, then OVF Tool will delete the existing VM and replace it.
  6. Add a uagName setting and specify a friendly name. You’ll later add this name to Horizon Console so you can view the health of the UAG appliance in Horizon Console.
  7. You can optionally enable SSH on the appliance by adding sshEnabled=true.
  8. For the source setting, enter the full path to the UAG .ova file.
  9. For the target setting, leave PASSWORD in upper case. Don’t enter an actual password. OVF Tool will instead prompt you for the password.
  10. For the target setting, specify a cluster name instead of a host. If the cluster name has spaces, there’s no need for quotes. For example:
    target=vi://admin@corp.local:PASSWORD@vcenter02.corp.local/Datacenter/host/Cluster 1
  11. Specify the exact datastore name for the UAG appliance.
  12. Optionally uncomment the diskMode setting.
  13. For a onenic configuration (recommended), set the netInternet, netManagementNetwork, and netBackendNetwork settings to the same port group name.
  14. Multiple dns servers are space delimited.
  15. For pfxCerts, UNC paths don’t work. Make sure you enter a local path (e.g. C:\). OVA Source File can be UNC, but the .pfx file must be local.
  16. There’s no need to enter the .pfx password in the .ini file since the uagdeploy.ps1 script will prompt you for the password.
  17. proxyDestinationUrl should point to the internal load balancer for the Horizon Connection Servers. If the DNS name ends in .local, then see 78611 DNS Related Troubleshooting With Unified Access Gateway 3.7 and newer which is based on Photon 3 and Roderik de Block VMware UAG not using DNS.
  18. For proxyDestinationUrlThumbprints, paste in the sha256 or higher thumbprint of the Horizon Connection Server certificate in the format shown.
    • If your Horizon Connection Servers each have different certificates, then you can include multiple thumbprints (comma separated).
  19. Make sure there’s no hidden character between sha256= and the beginning of the thumbprint. Or you can just paste the thumbprint without specifying sha256. Note: sha1 is no longer supported. Edge and Chrome can show the sha256 certificate fingerprint.
  20. Change the ExternalUrl entries to an externally-resolvable DNS name and a public IP address. For multiple UAGs, the FQDNs and public IP address should resolve to the load balancer. Note: your load balancer must support persistence across multiple port numbers (443, 8443, 4172).

When you run the PowerShell script, if the UAG appliance already exists, then the PowerShell script will replace the existing appliance. There’s no need to power off the old appliance since the OVF tool will do that for you.

  1. Open an elevated PowerShell prompt.
  2. Paste in the path to the uagdeploy.ps1 file. If there are quotes around the path, then add a & to the beginning of the line so PowerShell executes the path instead of just echoing the string.
  3. Add the -iniFile argument and enter the path to the .ini file that you modified. Press <Enter> to run the script.
  4. You’ll be prompted to enter the root password for the UAG appliance. Make sure the password meets password complexity requirements.
  5. You’ll be prompted to enter the admin password for the UAG appliance. Make sure the password meets password complexity requirements.
  6. For CEIP, enter yes or no.
  7. For .pfx files, you’ll be prompted to enter the password for the .pfx file. Note: the .pfx file must be local, not UNC.
  8. OVF Tool will prompt you for the vCenter password. Special characters in the vCenter password must be encoded. Use a URL encoder tool (e.g., https://www.urlencoder.org/) to encode the password. Then paste the encoded password when prompted by the ovftool. The UAG passwords do not need encoding, but the vCenter password does.
  9. The deploy script will display the IP address of the powered on UAG appliance.
  10. Review settings in the UAG admin interface.
  11. Add the new UAG appliance to Horizon Console.

Upgrade

To upgrade from an older appliance, you delete the old appliance and import the new one. Before deleting the older appliance, export your settings:

  1. Login to the UAG at https://<Your_UAG_IP>:9443/admin/index.html.
  2. In the Configure Manually section, click Select.
  3. Scroll down to the Support Settings section, and then click the JSON button next to Export Unified Access Gateway Settings.
  4. Note: the exported JSON file does not include the UAG certificate, so you’ll also need the .pfx file. If RADIUS is configured, then during import you’ll be prompted to enter the RADIUS secret.

Deploy New


To deploy the Unified Access Gateway using VMware vSphere Client:

  1. The Unified Access Gateway Deployment Utility fling can be used instead of the vSphere Client Deploy OVF wizard.
  2. If using vSphere Client, right-click a cluster, and click Deploy OVF Template.
  3. Select Local File and click Upload Files. In the Open window, browse to the downloaded euc-unified-access-gateway.ova file, and click Next.
  4. In the Select a name and folder page, give the machine a name, and click Next.
  5. In the Review Details page, click Next.
  6. In the Select configuration page, select a Deployment Configuration. See DMZ Design for VMware Unified Access Gateway and the use of Multiple NICs at VMware Communities. Click Next.
  7. In the Select storage page, select a datastore, select a disk format, and click Next.
  8. In the Select networks page, even if you select Single NIC, the OVF deployment wizard asks you for multiple NICs. UAG typically goes in the DMZ.
  9. In the Customize template page, select STATICV4, and scroll down.
  10. In the NIC1 (eth0) IPv4 address field, enter the NIC1 (eth0) IPv4 address. Scroll down.
  11. Enter DNS addresses, Gateway, and Subnet Mask. Scroll down.
  12. Scroll down and enter more IP info.
  13. Scroll down.
  14. Enter a Unified Gateway Appliance Name.
  15. Scroll down.
  16. UAG 2207 and newer let you specify the local root username.
  17. Enter passwords.
    • UAG 20.12 (2012) and newer let you specify Password Policy settings when deploying the OVF.
  18. Scroll down and enter the password for the admin user.
  19. UAG 2207 and newer have an adminreset command if you mess up the admin interface login. There’s also an adminpwd command to reset the password.
  20. UAG 2207 and newer have an option to enable DISA STIG compliance, usually on the FIPS version of UAG.
  21. In UAG 3.5 and newer, there’s a new checkbox for Enable SSH.
  22. In UAG 3.9 and newer, there’s an option to login using a SSH key/pair instead of a password.
  23. Newer versions of UAG have more SSH options.
  24. UAG 2207 adds Commands to Run on First Boot or Every Boot.
  25. Click Next.
  26. In the Ready to complete page, click Finish.

UAG Admin Interface

  1. Power on the Unified Access Gateway appliance.
  2. If the appliance initially boots with the wrong IP, then a reboot might fix it.
  3. Point your browser to https://My_UAG_IP:9443/admin/index.html and login as admin. It might take a few minutes before the admin page is accessible.
  4. UAG 2207 and newer have an adminreset command if you mess up the admin interface login. There’s also an adminpwd command to reset the password.

Import Settings

  1. If you have previously exported settings, you can import it now by clicking Select in the Import Settings section.
  2. Browse to the previously exported UAG_Settings.json file and then click Import. Note that this json file might have old settings, like old ciphers. Review the file to ensure you’re not importing legacy configurations. If the .json file has a SHA-1 thumbprint, then edit the file and replace it with SHA-256 thumbprint (fingerprint).
  3. It should say UAG settings imported successfully. If you don’t see this, then your .json file probably has a SHA-1 thumbprint.
  4. Press <F5> on your keyboard to refresh the browser.
  5. The .json file does not include the certificate so you’ll have to do that separately. In the Admin console, in the Advanced Settings section, click TLS Server Certificate Settings.
  6. In the top row labelled Apply certificate to, select Internet interface.
  7. Change the drop-down for Certificate Type to PFX.
  8. In the row Upload PFX, click Select and browse to your PFX file.
  9. In the Password field, enter the PFX password and then click Save.

Configure Horizon Settings

  1. To manually configure the appliance, under Configure Manually, click Select.
  2. Next to Edge Service Settings, click Show.
  3. Next to Horizon Settings, click the gear icon.
  4. Change Enable Horizon to Yes.
  5. As you fill in these fields, hover over the information icon to see the syntax.
  6. The Connection Server URL should point to the internal load balanced DNS name (URL) for your internal Connection Servers. If the DNS name ends in .local, then see 78611 DNS Related Troubleshooting With Unified Access Gateway 3.7 and newer which is based on Photon 3 and Roderik de Block VMware UAG not using DNS.
    1. For the Connection Server URL Thumbprint, get the thumbprint from the internal Horizon View certificate. Point your browser to the internal Horizon View Connection Server FQDN (load balanced) and click the padlock icon to open the certificate.
    2. On the Details tab, copy the SHA-256 Fingerprint. Note that SHA-1 thumbprint is no longer supported.
  7. In the Proxy Destination URL Thumb Prints field, type in sha256= and paste the certificate thumbprint.
  8. At the beginning of the Thumbprint field, immediately after the equals sign, there might be a hidden character. Press the arrow keys on the keyboard to find it. Then delete the hidden character.
  9. Enable the three PCOIP, Blast, and Tunnel Gateways and perform the following configurations:
    1. For PCOIP External URL, enter the external IP and :4172. The IP should point to your external load balancer that’s load balancing UDP 4172 and TCP 4172 to multiple Unified Access Gateways.
    2. For Blast External URL, enter https://<FQDN>:8443 (e.g. https://view.corp.com:8443). This FQDN should resolve to your external load balancer that’s load balancing UDP 8443 and TCP 8443 to multiple Unified Access Gateways.
    3. For Enable UDP Tunnel Server, enable the setting.
    4. For Tunnel External URL, enter https://<FQDN>:443 (e.g., https://view.corp.com:443). This FQDN should resolve to your external load balancer that’s load balancing TCP 443 to multiple Unified Access Gateways.
    5. The external load balancer must be capable of using the same persistence across multiple port numbers. On NetScaler, this feature is called Persistency Group. On F5, the feature is called Match Across.
  10. Then click More.
  11. Unified Access Gateway has a default list of paths it will forward to the Horizon Connection Server. You can edit the Proxy Pattern and add |/downloads(.*) to the list so users can also download Horizon Clients that are stored on your Horizon Connection Servers. Make sure you click Save at least once so it saves the default Proxy Pattern. Then go back in and add |/downloads(.*) to the end of the Proxy Pattern but inside the last parentheses.
  12. Scroll down and click Save when done.
  13. If you click the arrow next to Horizon Settings, then it shows you the status of the Edge services.
    • If all you see is Not Configured, then refresh your browser and then click the Refresh Status icon.
  14. In your Horizon Connection Servers, the Secure Gateways (e.g. PCoIP Gateway) should be disabled.
    1. Go to Horizon Console.
    2. Expand Settings and click Servers.
    3. On the right, switch to the tab named Connection Servers.
    4. Highlight your Connection Servers and click Edit.
    5. Then uncheck or disable all three Tunnels/Gateways.
    6. HTML Access probably won’t work through Unified Access Gateway. You’ll probably see the message Failed to connect to the Connection Server.
    7. To fix this, configure on each Connection Server the file C:\Program Files\VMware\VMware View\Server\sslgateway\conf\locked.properties to disable Origin Check (checkOrigin=false) or configure the Connection Server’s locked.properties with the UAG addresses. Also see 2144768 Accessing the Horizon View Administrator page displays a blank error window in Horizon 7.
    8. Horizon 2106 and newer enable CORS by default so you’ll need to either disable CORS by adding enableCORS=false to C:\Program Files\VMware\VMware View\Server\sslgateway\conf\locked.properties, or configure the portalHost entries in locked.properties as detailed at 85801 Cross-Origin Resource Sharing (CORS) with Horizon 8 and loadbalanced HTML5 access.
    9. After modifying the locked.properties file, restart the VMware Horizon View Security Gateway Component service.

Add UAG to Horizon Console

In Horizon 7.7 and newer, you can add UAG 3.4 and newer to Horizon Console so you can check its status in the Dashboard.

  1. In UAG Admin console, under Advanced Settings, click the gear icon next to System Configuration.
  2. At the top of the page, change the UAG Name to a friendly name. You’ll use this case-sensitive name later.
  3. Click Save at the bottom of the page.
  4. In Horizon Console, on the left, expand Settings and click Servers.
  5. On the right, switch to the tab named Gateways.
  6. Click the Register button.
  7. In the Gateway Name field, enter the case-sensitive friendly name you specified earlier, and then click OK.

See status of UAG appliances:

  1. Use a Horizon Client to connect through a Unified Access Gateway. Horizon Console only detects the UAG status for active sessions.
  2. In Horizon Console 7.10 and newer, to see the status of the UAG appliances, on the top left, expand Monitor and click Dashboard.
  3. In the top-left block named System Health, click VIEW.
  4. With Components highlighted on the left, on the right, switch to the tab named Gateway Servers.
  5. This tab shows the status of the UAG appliances, including its version. If you don’t see this info, then make sure you launch a session through the UAG.

To see the Gateway that users are connected to:

  1. In Horizon Console 7.10 or newer, go to Monitor > Sessions.
  2. Search for a session and notice the Security Gateway column. It might take a few minutes for it to fill in.

UAG Authentication

SAML is configured in UAG 3.8 and newer in the Identity Bridging Settings section.

  1. Upload Identity Provider Metadata.
  2. Then in UAG Admin > Edge Service Settings > Horizon Settings > More (bottom of page), you can set Auth Methods (near top of page) to SAML only, which requires True SSO implementation, or SAML and Passthrough, which requires two logins: one to IdP, and one to Horizon.
  3. For complete True SSO instructions, see https://www.carlstalhood.com/vmware-horizon-true-sso-uag-saml/.
  4. For Okta and True SSO, see Enabling SAML 2.0 Authentication for Horizon with Unified Access Gateway and Okta: VMware Horizon Operational Tutorial at VMware Tech Zone.
  5. For Azure MFA, see Sean Massey Integrating Microsoft Azure MFA with VMware Unified Access Gateway 3.8.

For RADIUS authentication:

  1. Enable the Authentication Settings section and configure the settings as appropriate for your requirements. See Configuring Authentication in DMZ at VMware Docs.
    • When configuring RADIUS, if you click More, there’s a field for Login page passphrase hint.
  2. Then in Edge Service Settings > Horizon Settings > More (bottom of page), you can set Auth Methods (near top of page) to RADIUS.
  3. If you scroll down the Horizon Settings page you’ll see additional fields for RADIUS.
  4. In UAG 3.8 and newer, Passcode label field can be customized for MFA providers like Duo.
  5. If your RADIUS is doing Active Directory authentication (e.g. Microsoft Network Policy Server with Azure MFA), then Enable Windows SSO so the user isn’t prompted twice for the password.

Other UAG Configurations

  1. UAG 3.8 and newer shows when the admin password expires in Account Settings in the Advanced Settings section.
  2. Ciphers are configured under Advanced Settings > System Configuration.

    • The default ciphers in UAG 2212 are the following and include support for TLS 1.3.
      TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

    • In UAG older than 2103, Syslog is also configured here. In UAG 2103 and newer, Syslog is in a different menu as described below.
    • At the bottom of the System Configuration page are several settings for SNMP, DNS, and NTP.
    • UAG 20.12 (2012) and newer support SNMPv3.
    • UAG 3.10 and newer have Admin Disclaimer Text.
    • You can add NTP Servers.
  3. Session Timeout is configured in System Configuration. It defaults to 10 hours.
  4. UAG 3.6 and newer let you add static routes to each NIC.
    1. Click Network Settings.
    2. Click the gear icon next to a NIC.
    3. Click IPv4 Configuration to expand it and then configure IPv4 Static Routes.
  5. UAG 2103 and newer have a different menu item for Syslog Server Settings.
    • You can specify up to two Syslog servers.
    • You can include System Messages.
    • UAG 2207 supports MQTT when adding Syslog servers.
  6. UAG 20.09 (2009) and newer can automatically install patches/updates when the appliance reboots.
    1. In the Advanced Settings section, click Appliance Updates Settings.
    2. For Apply Updates Scheme, select an option. Click Save.
  7. UAG supports High Availability Settings.
    1. With the High Availability Virtual IP address, you might not need load balancing of the UAG appliances. See Unified Access Gateway High Availability at VMware Docs.
      1. The High Availability feature requires three IP addresses and three DNS names:
        1. One IP/FQDN for the High Availability Virtual IP.
        2. And one IP/FQDN for each appliance/node.
      2. The Horizon Edge Gateways should be set to node-specific IP addresses and node-specific DNS names. Each appliance is set to a different IP/FQDN.
      3. The Virtual IP (and its DNS name) is only used for the High Availability configuration.
      4. The YouTube videos What’s New Unified Access Gateway 3 4 and High Availability on VMware Unified Access Gateway Feature Walk-through explain the High Availability architecture.
    2. Set the Mode to ENABLED.
    3. Enter a new Virtual IP Address which is active on both appliances.
    4. Enter a unique Group ID between 1 and 255 for the subnet.
    5. Click Save.
    6. On the second appliance, configure the exact same High Availability Settings.
  8. To upload a valid certificate, scroll down to the Advanced Settings section, and next to TLS Server Certificate Settings, click the gear icon.
    1. In Unified Access Gateway 2312 and newer, click Edit in the Internet section.
    2. In Unified Access Gateway 3.2 and newer, you can apply the uploaded certificate to the Internet Interface, the Admin Interface, or both.
    3. In Unified Access Gateway 3.0 and newer, change the Certificate Type to PFX, browse to a PFX file, and then enter the password. This PFX file certificate must match the Public FQDN (load balanced) for Unified Access Gateway. If your load balancer is terminating SSL, then the certificate on the UAG must be identical to the certificate on the load balancer.
    4. Leave the Alias field blank.
    5. Click Save.
    6. If you changed the Admin Interface certificate, then you will be prompted to close the browser window and re-open it.
  9. Or, you can upload a PEM certificate/key (this is the only option in older UAG). Next to Private Key, click the Select link.
    1. Browse to a PEM keyfile. If not running Unified Access Gateway 3.0 or newer, then certificates created on Windows (PFX files) must be converted to PEM before they can be used with Unified Access Gateway. You can use openssl commands to perform this conversion. The private key should be unencrypted.
    2. Browse to a PEM certificate file (Base-64) that contains the server certificate, and any intermediate certificates. The server certificate is on top, the intermediate certificates are below it. The server certificate must match the public FQDN (load balanced) for the Unified Access Gateway.
    3. Click Save when done.
  10. UAG 3.1 and newer have an Endpoint Compliance Check feature. The feature requires an OPSWAT subscription. Newer versions of UAG can deploy the OPSWAT agent. It’s pass/fail. See Configure OPSWAT as the Endpoint Compliance Check Provider for Horizon at VMware Docs.
    • UAG 3.9 and newer let you upload the Opswat Endpoint Compliance on-demand agent executables. Horizon Client downloads the executables from UAG and runs them. See Upload OPSWAT MetaAccess on-demand agent Software on Unified Access Gateway at VMware Docs.
    • In UAG 20.09 and newer, Outbound Proxy Settings can be configured to allow UAG to contact the Opswat servers when checking for device compliance.

  11. Scroll down to Support Settings and click the icon next to Export Unified Access Gateway Settings to save the settings to a JSON file. If you need to rebuild your Unified Access Gateway, simply import the JSON file.
    • The exported JSON file does not include the UAG certificate, so you’ll also need the .pfx file.
  12. If you point your browser to the Unified Access Gateway external URL, you should see the Horizon Connection Server portal page. Horizon Clients should also work to the Unified Access Gateway URL.
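The two certificate chores above, the PFX-to-PEM conversion in step 9 and the sha256= thumbprint format used for proxyDestinationUrlThumbprints (with its hidden-character pitfall), as an added POSIX shell example that is not part of the original post. It assumes only the openssl CLI; the self-signed certificate for view.corp.com, the PFX password "secret" and the working directory are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post. Requires the openssl CLI.
# 1) Converts a PFX into the unencrypted PEM key + certificate files UAG accepts
#    and checks that the key really belongs to the certificate.
# 2) Produces the "sha256=<fingerprint>" thumbprint string used for
#    proxyDestinationUrlThumbprints and rejects hidden characters in it.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Constructed test material: a throwaway self-signed certificate for the
# hypothetical FQDN view.corp.com, packaged as a PFX with password "secret".
# In a real deployment the PFX comes from your CA / Windows certificate store.
make_test_pfx() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=view.corp.com" \
    -keyout "$WORK/orig.key" -out "$WORK/orig.crt" >/dev/null 2>&1
  openssl pkcs12 -export -inkey "$WORK/orig.key" -in "$WORK/orig.crt" \
    -out "$WORK/test.pfx" -passout pass:secret
}

# PFX -> PEM. UAG wants an unencrypted private key (-nodes) and a certificate
# file with the server certificate on top and intermediates below it. Piping
# through "openssl pkey" / "openssl x509" strips the PKCS#12 bag attributes.
pfx_to_pem() {  # $1=pfx $2=pfx password $3=output key $4=output cert chain
  openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null \
    | openssl pkey -out "$3"
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
    | openssl x509 -out "$4"
  # Append any CA certificates (intermediates) below the server certificate.
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -cacerts 2>/dev/null \
    | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' >>"$4"
}

# Returns 0 when the key is unencrypted and its public key equals the one in
# the certificate; a mismatched pair is a common cause of a failed upload.
key_matches_cert() {  # $1=key.pem $2=cert.pem
  if grep -q "ENCRYPTED" "$1"; then
    echo "private key is encrypted; UAG needs an unencrypted PEM key" >&2
    return 1
  fi
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
  c=$(openssl x509 -in "$2" -pubkey -noout)
  [ "$k" = "$c" ]
}

# Thumbprint string for the UAG field / .ini: "sha256=" followed by the
# colon-separated SHA-256 fingerprint of the Connection Server certificate.
uag_thumbprint() {  # $1=cert.pem (the Connection Server's certificate)
  fp=$(openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2)
  echo "sha256=$fp"
}

# Guards against the hidden character the post warns about: after "sha256="
# only 32 hex byte pairs separated by colons may appear. Returns 1 otherwise.
validate_thumbprint() {  # $1=thumbprint string
  rest=${1#sha256=}
  [ "$rest" != "$1" ] || return 1                 # prefix missing
  printf '%s' "$rest" | LC_ALL=C grep -Eq '^([0-9A-Fa-f]{2}:){31}[0-9A-Fa-f]{2}$'
}

# Demonstration on the constructed material.
make_test_pfx
pfx_to_pem "$WORK/test.pfx" secret "$WORK/uag.key" "$WORK/uag.crt"
key_matches_cert "$WORK/uag.key" "$WORK/uag.crt" && echo "key matches certificate"
thumb=$(uag_thumbprint "$WORK/uag.crt")
validate_thumbprint "$thumb" && echo "$thumb"
```

Run validate_thumbprint against the exact string you pasted into the admin UI or .ini; a zero-width character after the equals sign fails the check even though it is invisible in the browser field.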

Monitor Sessions

In UAG 3.4 and newer, in the UAG Admin interface,

  • At the top of the page, next to Edge Service Settings, you can see the number of Active Sessions on this appliance.
  • At the bottom of the page, under Support Settings, click Edge Service Session Statistics to see more details.

In older versions of UAG, to see existing Horizon connections going through UAG, point your browser to https://uag-hostname-or-ip-addr:9443/rest/v1/monitor/stats.

Logs and Troubleshooting

You can download logs from the Admin Interface by clicking the icon next to Log Archive.

You can also review the logs at /opt/vmware/gateway/logs. You can view these logs with less from the appliance console.

Or you can point your browser to https://MyApplianceIP:9443/rest/v1/monitor/support-archive. This will download a .zip file with all of the logfiles. Much easier to read in a GUI text editor.

For initial configuration problems, check out admin.log.

For Horizon View brokering problems, check out esmanager.log.

By default, tcpdump is not installed on UAG. To install it, login to the console and run /etc/vmware/gss-support/install.sh

Load Balancing

If you use NetScaler, see https://www.carlstalhood.com/vmware-horizon-unified-access-gateway-load-balancing-netscaler-12/ for load balancing Unified Access Gateways.

For VMware NSX load balancing of Unified Access Gateways, see the VMware® NSX for vSphere End-User Computing Design Guide 1.2.

To help with load balancing affinity, UAG 3.8 and newer can redirect the load balanced DNS name to a node-specific DNS name. This is configured in Edge Service Settings > Horizon Settings > More (bottom of page).

VMware Dynamic Environment Manager (DEM) 2312

Last Modified: Jan 25, 2024 @ 7:14 am


As of version 9.9, User Environment Manager (UEM) was renamed to Dynamic Environment Manager (DEM).

This post applies to all Dynamic Environment Manager (aka User Environment Manager) versions including DEM 2312 (10.12) ESB, DEM 2212 (10.8) ESB, DEM 2111 ESB (10.4), and DEM 9.9 (ESB).


Upgrade

If you are performing a new installation, skip to the Installation Prerequisites section.

When upgrading an existing installation of DEM or UEM, upgrade the FlexEngine on the Horizon Agents first.

The newest FlexEngine can still interpret the INI files from an older DEM console. After your clients (FlexEngine) have been upgraded, you can upgrade the management console, which allows for new options, like elevated privileges, which (when enabled) can now be correctly interpreted by the upgraded clients (FlexEngine). After that, update the ADMX files.

DEM 2203 and newer move FlexEngine licensing to the configuration share and DEM console. If you are upgrading existing FlexEngines, then the previous license will continue functioning. New FlexEngines need the new licensing configuration method.

Installation Prerequisites

Before performing the procedures detailed on this page, make sure you’ve created the DEM File Shares, imported the DEM GPO ADMX templates, created the GPOs for Horizon, and configured the Horizon GPOs for Dynamic Environment Manager.

VMware Tech Zone Antivirus Considerations in a VMware Horizon Environment: exclusions for Horizon View, App Volumes, User Environment Manager, ThinApp

VMware Workspace Tech Zone has an excellent Quick-Start Tutorial for User Environment Manager. It’s around 130 printed pages.

Mandatory Profile

At user logon, DEM restores profile archives on top of a Windows profile, which is typically a local profile, or a mandatory profile.

If your Horizon Agent machines are single-user, non-persistent that reboot at logoff, then local profiles are essentially the same as mandatory.

If your Horizon Agent machines are multi-user machines (e.g. RDSH) that don’t reboot every day, then you might need a process to delete local profiles when the user logs off. Here are some options:

  • Schedule a delprof2.exe script that runs daily.
  • Configure mandatory profiles, which are automatically deleted at logoff.
  • A more advanced option is to add users to the local Guests group, which causes their profile to be deleted at logoff.
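As an added example (not from the original post and not VMware's code), here is a PowerShell script that does what a scheduled delprof2.exe task does on a multi-user RDSH host: it removes local profiles that are not currently loaded and have not been used for a configurable number of days. It assumes it is run as an administrator from a daily scheduled task; the age threshold is a placeholder.

```powershell
# Added example (not from the original post): remove stale local profiles on a
# multi-user Horizon Agent machine, as an alternative to delprof2.exe.
# Assumes it runs as an administrator from a daily scheduled task.
param(
    [int]$MaxAgeDays = 1,   # placeholder threshold; profiles older than this are removed
    [switch]$WhatIf         # report only, do not delete
)

$cutoff = (Get-Date).AddDays(-$MaxAgeDays)

# Win32_UserProfile lists every local profile. Special marks built-in accounts
# (SYSTEM, LocalService, NetworkService); Loaded marks profiles currently in use.
$profiles = Get-CimInstance -ClassName Win32_UserProfile |
    Where-Object { -not $_.Special -and -not $_.Loaded }

foreach ($p in $profiles) {
    # LastUseTime can be empty for profiles whose logon never completed;
    # treat those as stale rather than keeping them forever.
    if ($p.LastUseTime -and $p.LastUseTime -gt $cutoff) { continue }

    # Resolve the SID to an account name for logging; keep going if the
    # account has since been deleted from the domain.
    try {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($p.SID)
        $account = $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        $account = $p.SID
    }

    if ($WhatIf) {
        Write-Output "Would remove profile $account at $($p.LocalPath)"
        continue
    }

    try {
        # Removing the Win32_UserProfile instance deletes the profile folder and
        # its ProfileList registry entry, the same as the System Properties UI.
        Remove-CimInstance -InputObject $p -ErrorAction Stop
        Write-Output "Removed profile $account at $($p.LocalPath)"
    } catch {
        Write-Warning "Failed to remove $account at $($p.LocalPath): $_"
    }
}
```

Run it once with -WhatIf to review what would be deleted before scheduling it. Because only unloaded profiles are touched, a user who is still logged on (or disconnected) is never affected.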

If you choose Mandatory profile, then here are some mandatory profile creation instructions:

DEM Console Installation

As of version 9.9, User Environment Manager (UEM) was renamed to Dynamic Environment Manager (DEM).

In Horizon 2006 (aka 8.0), DEM is available in all editions of Horizon. There are two editions of DEM, each with different downloads and different DEM capabilities.

  • Horizon 8 (2006+) Enterprise Edition and Horizon 7.13 Enterprise Edition are entitled to DEM Enterprise Edition, which has all features.
  • Horizon 8 (2006+) Standard Edition and Horizon 8 Advanced Edition are entitled to DEM Standard Edition, which is limited primarily to Personalization features. If you are using FSLogix Profile Containers, then you don’t need DEM Standard Edition.

DEM 2312 (10.12) is the latest release and is an Extended Support Branch (ESB). DEM 2212 (10.8) is also an Extended Support Branch (ESB).

  1. Based on your entitlement, download either DEM 2312 (10.12) Enterprise Edition or DEM 2312 (10.12) Standard Edition. For ESB Horizon, download the DEM version included with your ESB version of Horizon.

  2. If upgrading, don’t upgrade the DEM Console until all of your DEM Agents have been upgraded.
  3. On your administrator machine, run the downloaded VMware Dynamic Environment Manager 2312 10.12 x64.msi.
  4. In the Welcome to the VMware Dynamic Environment Manager Enterprise Setup Wizard page, click Next.
  5. In the End-User License Agreement page, check the box next to I accept the terms and click Next.
  6. In the Destination Folder page, click Next.
  7. In the Choose Setup Type page, click Custom.
  8. In the Custom Setup page, change the selections so that only the console is selected and then click Next.
  9. In the Ready to install VMware Dynamic Environment Manager Enterprise page, click Install.
  10. In the Completed the VMware Dynamic Environment Manager Enterprise Setup Wizard page, click Finish.

Configure Dynamic Environment Manager

Here is a summary of the major Dynamic Environment Manager functionality:

  • Personalization (aka import/export user settings) – saves application and Windows settings to a file share. This is the roaming profiles functionality of Dynamic Environment Manager. You configure folders and registry keys that need to be saved. The import/export can happen at logon/logoff or during application launch/exit.
    • Pre-configure application settings – configures files and registry keys for specific applications so users don’t have to do it themselves. Some examples: disable splash screen, default folder save location, database server name, etc.
    • Selfsupport tool – users can use this tool to restore their application settings.
    • DEM Standard Edition supports all Personalization features.
  • User Environment – configures Windows settings like drive mappings, Explorer settings, printer mappings, etc. This is similar to group policy but offers significantly more options for conditional filtering. Dynamic Environment Manager can configure any registry setting defined in an ADMX file.
    • DEM Standard Edition only has a limited set of User Environment settings (e.g., drive mappings). Most User Environment features require DEM Enterprise Edition.
    • Most settings in DEM are only for users, not computers. DEM 2006 (aka 10.0) and newer support ADMX templates for Computer Settings. In older DEM, use Group Policy to configure Computer Settings.
    • Best practice is to not mix Dynamic Environment Manager and user group policy. Pick one tool. If the same setting is configured in both locations then group policy will win.
    • UEM 9.6 and newer support Windows Server 2019 as an Operating System condition.
  • Horizon Smart Policies – Use Horizon Conditions (e.g., client IP) to control device mappings (e.g., client printing) and PCoIP/Blast Bandwidth Profile.
  • Privilege Elevation (UEM 9.2 and newer) – allow apps to run as administrator even though user is not an administrator. Installers can also be elevated.


Initial Configuration (Easy Start)

To perform an initial configuration of Dynamic Environment Manager, do the following:

  1. Launch the DEM Management Console from the Start Menu.
  2. Enter the path to the DEMConfig share and click OK.
  3. DEM Console 2306 and newer might ask you to join VMware Customer Experience Improvement Program (CEIP).
  4. These Settings checkboxes define what is displayed in the management console. Leave it set to the defaults and click OK. You can later click the Configure button from the ribbon to change these settings.

  5. In the Personalization ribbon, on the far right, click Easy Start.
  6. Select your version of Office and click OK. Office 2019 and Office 2016 are essentially the same.
  7. Click OK when prompted that configuration items have been successfully installed.
  8. Review the pre-configured settings to make sure they are acceptable. For example, on the ribbon named User Environment, under Shortcuts, Dynamic Environment Manager might create a Wordpad shortcut that says (created by VMware UEM). You can either Disable this item, or delete it.

  9. Go to the ribbon named User Environment. On the left, expand Windows Settings and click Policy Settings. On the right, if there is a setting to Remove Common Program Groups, then click Edit.

    1. Consider adding a condition so it doesn’t apply to administrators.

DEM Licensing

DEM 2203 and newer moved FlexEngine Agent licensing to the DEM Configuration Share and DEM Console.

  1. Download the Production License File from the same place you downloaded DEM:  DEM 2312 (10.12) Enterprise Edition, or DEM 2312 (10.12) Standard Edition.
  2. In the DEM console, click the top-left star icon and then click License.
  3. Click Manage.
  4. Choose License File and then select the downloaded VMware-DEM-10.11.0-GA.lic file.
  5. Click OK.

DEM Console places the license info in the DEM Configuration Share under \general\FlexRepository\AgentConfiguration.

Common Configurations

  1. DEM 2303 (10.9) and newer have a Search button to help you find configuration files.
  2. To roam the Start Menu in Windows 10 1703 and newer, see VMware 2150422 How to roam Windows 10 Start Menu layout.
    1. Go to the ribbon named Personalization, click a folder, and click Create Config File.
    2. Select Use a Windows Common Setting and click Next.
    3. Select Windows 10 Start Menu – Windows 10 Version 1703 and higher. This option is only available in newer versions of DEM. It should work with Windows Server 2019, but it doesn’t apply to Windows Server 2016, which is actually version 1607.
    4. Enter a file name. DEM will create a .zip file for each user with this name. Click Finish when done.
  3. You can run Triggered Tasks when a session is reconnected, workstation is unlocked, or on a schedule (DEM 2306 and newer). This is useful for re-evaluating Smart Policies, as detailed below.

    • DEM 2111 and newer have a Trigger named App Volumes logon-time apps delivered. This was renamed from the older All AppStacks Attached trigger. It was renamed because App Volumes 2111 supports on-demand apps.

    • DEM 2306 (10.10) and newer have a Schedule trigger.

    • You can pick one of the predefined Actions or choose Run custom command to run a script. Some scripts might need an additional configuration under Privilege Elevation.
  4. UEM 9.3 and newer have a setting to store Outlook OST file on App Volumes writable volumes. Go to the ribbon named User Environment. Right-click App Volumes and create a setting. Check the box next to Store Offline Outlook Data File (.ost) on writable volume. Configure other fields as desired. Note: this setting only applies to new Outlook profiles. More info in the YouTube video VMware User Environment Manager Outlook OST on App Volumes User Writable Volume Feature Walkthrough.


Horizon Smart Policies

Horizon Smart Policies let you control (e.g. disable) Horizon functionality for external users or other conditions.

  1. In UEM 9.0 and newer, go to User Environment > Horizon Smart Policies, and create a policy.
  2. DEM 9.11 has an expanded list of settings configurable using Horizon Smart Policies.
  3. DEM 2309 (10.11) and newer can control FIDO2 and Storage drive.
  4. DEM 2306 (10.10) and newer can control Browser Content Redirection.
  5. UEM 9.8 and newer have many Horizon Smart Policy Settings, including Drag and drop. See VMware User Environment Management 9.8 Feature Walk-Through at YouTube.
  6. On the Conditions tab, you can use any of the available conditions, including the Horizon Client Property conditions.

    • To detect external users, select Horizon Client Property > Client Location = External. UAG and Security Server set the session’s location to External.
  7. You can also enter a Horizon Client Property condition that corresponds to the ViewClient_ registry keys. In the Property field, type in a property name (remove ViewClient_ from the property name). See VMware Blog Post Enhancing Your VMware Horizon 7 Implementation with Smart Policies. And the 28-page PDF Reviewer’s Guide for View in Horizon 7: Smart Policies, VMware Horizon 7.

  8. There’s Endpoint Platform as a policy condition. Create a Policy, go to the Conditions tab, and select the Endpoint Platform condition.
  9. Some of the conditions have Matches Regex. For example, Endpoint name and Horizon Client Property > Pool name.

  10. To reapply Horizon Policies when users reconnect to an existing session, go to User Environment > Triggered Tasks, and click Create. Or you can edit one of the existing Triggered Tasks settings.

    1. Change the Trigger to Session Reconnected.
    2. Change the Action to User Environment refresh. Select Horizon Smart Policies and click Save.

Application Blocking

  1. UEM 9.0 adds an Application Blocking feature. To enable it, go to User Environment > Application Blocking, and click the Global Configuration button.
  2. Check the box to Enable Application Blocking. Specify Conditions where, if true, then App Blocking is enabled. These are the same conditions available in other policies and settings. Click OK.
  3. Then you can create an Application Blocking setting to designate the folders that users can run executables from, or what file hashes are allowed.
  4. You can add folders that allow or block apps. Any executable in these paths will be allowed or blocked. By default, executables in Windows and Program Files (including x86) are allowed.
  5. UEM 9.1 and newer allows File Hashes in addition to File Paths. Set the Type to Hash-based, click Add, browse to an executable, UEM will compute the hash, and add it to the list.
  6. UEM 9.2 and newer supports Publisher-based allow. Set the Type to Publisher-based, click Add, browse to an executable, UEM will read the certificate, and add it to the list. Note: A challenge with hash-based and publisher-based rules is that the policy might have to be updated whenever the app is updated.

Privilege Elevation

  1. UEM 9.2 adds a Privilege Elevation feature, which allows executables to run as administrator even if users are not administrators. To enable it, go to User Environment > Privilege Elevation, and click the Global Configuration button.
  2. Check the box to Enable Privilege Elevation. Specify Conditions where, if true, then Privilege Elevation is enabled. These are the same conditions available in other policies and settings.
  3. If you want the child processes of elevated installers to be elevated too, check the box. This checkbox only applies to installers. Elevation of child processes of elevated applications is enabled when creating a Privilege Elevation configuration setting.
  4. When an application is elevated, the user can be asked to allow it. This prompt is intended to inform the user that the application has more permissions than it should, and thus be careful with this application. Click OK.
  5. Then you can create a Privilege Elevation setting to designate the applications that should be elevated. The applications can be specified by a path, a hash, or a publisher certificate. These are essentially the same options as Application Blocking.
  6. Path-based user-installed application lets you elevate installers. The other three options elevate applications, but not installers.
  7. The child processes checkbox applies to applications.
  8. UEM 9.4 adds Argument-based elevated application, which lets you elevate specific scripts and/or Control Panel applets. For details, see the YouTube video VMware User Environment Manager 9.4 Argument Based Privilege Elevation Feature Walk-through.
  9. DEM Group Policy settings can be enabled to log both Application Blocking and Privilege Elevation to Event Viewer.

Computer Settings

DEM Enterprise Edition 2006 and newer can deploy computer-based ADMX settings.

  • Domain Computers must have Read permission to the DEM Config file share.

DEM 2006 and newer Agents (FlexEngines) must be configured to enable computer settings. You can either configure registry settings on each DEM Agent machine, or in DEM Agent 2103 and newer you can use an installer command-line switch. Both are detailed at Perform Installation with Computer Environment Settings Support at VMware Docs.

  • Group Policy Preferences can push these registry keys to the Horizon Agent machines. Or you can manually modify the registry in your master images. If you use group policy, then make sure the group policy applies to your master image. The minimum registry values are Enabled and ConfigFilePath as detailed at Perform Installation with Computer Environment Settings Support at VMware Docs. For the list of additional registry values, see FlexEngine Configuration for Computer Environment Settings at VMware Docs.
  • Command line install looks something like below. The command line installer switch sets the same ConfigFilePath and Enabled registry values as shown above.
    msiexec /i "\\fs01\bin\VMware\DEM\VMware-DEM-Enterprise-2312-10.12-GA\VMware Dynamic Environment Manager Enterprise 2312 10.12 x64.msi" /qn COMPENVCONFIGFILEPATH=\\fs01\DEMConfig\general
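As an added example (not from the original post and not VMware's code), here is a PowerShell script that sets the two minimum registry values named above (Enabled and ConfigFilePath) on a master image and then verifies them, as an alternative to Group Policy Preferences or the installer switch. The registry key path is an assumption based on the VMware Docs page the bullets reference; confirm it against FlexEngine Configuration for Computer Environment Settings before relying on it. The share path is a placeholder.

```powershell
# Added example (not from the original post): set and verify the minimum
# FlexEngine Computer Environment registry values on a master image.
# The key path below is an assumption; confirm it against VMware Docs.
# Run as an administrator on the master image.
param(
    [Parameter(Mandatory)][string]$ConfigFilePath,   # e.g. \\fs01\DEMConfig\general (placeholder)
    [string]$KeyPath = 'HKLM:\SOFTWARE\VMware, Inc.\VMware UEM\FlexEngine\ComputerEnvironment'
)

function Set-DemComputerEnvironment {
    param([string]$KeyPath, [string]$ConfigFilePath)
    if (-not (Test-Path -LiteralPath $KeyPath)) {
        New-Item -Path $KeyPath -Force | Out-Null
    }
    # Enabled (DWORD 1) turns the feature on; ConfigFilePath points at the
    # "general" folder of the DEM Configuration Share.
    New-ItemProperty -Path $KeyPath -Name 'Enabled' -PropertyType DWord -Value 1 -Force | Out-Null
    New-ItemProperty -Path $KeyPath -Name 'ConfigFilePath' -PropertyType String -Value $ConfigFilePath -Force | Out-Null
}

function Test-DemComputerEnvironment {
    param([string]$KeyPath)
    $result = [ordered]@{
        KeyExists      = $false
        Enabled        = $false
        ConfigFilePath = $null
        ShareReachable = $false
    }
    if (-not (Test-Path -LiteralPath $KeyPath)) { return [pscustomobject]$result }
    $result.KeyExists = $true

    $props = Get-ItemProperty -LiteralPath $KeyPath
    $result.Enabled        = ($props.Enabled -eq 1)
    $result.ConfigFilePath = $props.ConfigFilePath

    # Test-Path runs as the current user, not as the computer account. Domain
    # Computers still needs Read on the share for the agent to pick up settings.
    if ($props.ConfigFilePath) {
        $result.ShareReachable = Test-Path -LiteralPath $props.ConfigFilePath
    }
    [pscustomobject]$result
}

Set-DemComputerEnvironment -KeyPath $KeyPath -ConfigFilePath $ConfigFilePath
Test-DemComputerEnvironment -KeyPath $KeyPath | Format-List
```

Test-DemComputerEnvironment can also be run on its own on a machine that received the values through Group Policy Preferences, to confirm the policy actually applied to the master image before it is published.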

Do the following to enable Computer Environment settings in the DEM Console:

  1. In the DEM Management Console, at the right side of any ribbon, click Configure.
  2. At the bottom of the General tab, check the box next to Computer Environment.
  3. A new Computer Environment ribbon is added. DEM 2009 and newer have Startup Tasks and Shutdown Tasks.
  4. With ADMX-based Settings highlighted on the left, click Manage Templates in the ribbon.
  5. At the bottom of the window, click Add Folder.
  6. If you have PolicyDefinitions in your SYSVOL, then browse to that. Or you can point it to C:\Windows\PolicyDefinitions. Click OK.
  7. Click OK after import is successful. DEM copied the .admx files into the DEM Config share. You can run this again any time to update templates.
  8. With ADMX-based Settings selected on the left, click Create in the ribbon.
  9. At the bottom, click Select Categories.
  10. Select a category where your setting is located and click OK.
  11. At the top of the window click Edit Policies.
  12. Only the settings for your chosen categories are shown. Configure these settings the same way you would configure them in group policy. Then close the window.
  13. DEM shows the configured settings.
  14. On the Conditions tab, you can add conditions. Obviously the user-based conditions will not be available for computer-based settings.

Personalization and DEM Templates

VMware has provided a list of Personalization Templates to simplify your configuration.

  1. To save user settings at logoff and restore at logon, you must specify the settings to save.  Easy Start created a bunch of configurations on the Personalization ribbon. Note: DEM 9.11 adds a Find box to this ribbon.
  2. You can see what settings these save. On the tab named Import / Export, on the top right, click Manage, and then click Expand.

    1. Click Yes to expand it.

    2. After reviewing the config, click a different Personalization setting, and then click No to not save your changes.
  3. To save more profile settings at logoff, on the ribbon named Personalization, select a folder (or create a new folder), and then click Create Config File.
  4. A wizard appears. You can use one of the built-in Windows Common Setting or Application Templates. Or you can create your own.


    • DEM 9.10 and newer have a Windows Common Setting named Default applications – File type associations and protocols. For details, see Ivan de Mes at Managing File Type Associations (FTA) natively using Dynamic Environment Manager.

      • Also enable the GPO setting Do not show the ‘new application installed’ notification at Computer Configuration > Policies > Administrative Templates > Windows Components > File Explorer.
      • To avoid a delay in applying FTAs after login, VMware 83679 recommends setting HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Serialize\StartupDelayInMSec (DWORD) = 0.
    • UEM 9.4 and newer have a Windows Common Setting for Windows 10 Start Menu – Windows 10 1703 and higher.
  5. In UEM 9.5 and newer, the DEM Console has a button in the ribbon to Download Config Templates. You will need a My VMware account to access it. See Ivan de Mes VMware UEM 9.5 introduces the VMware Marketplace for templates.
  6. The Browse button on top lets you choose where in the tree you want to save the new Config File.
  7. DEM 9.11 and newer have a Find box.
  8. For older versions of UEM, download a template, and import it.
    1. In the DEM Console, on the Personalization tab, click the Configure button to locate your DEM Configuration file share.

    2. Extract the downloaded templates to the General\Applications folder in the DEM Config Share.

    3. The downloaded template should then show up in the Personalization tab under the Applications folder. If you don’t see it, click the Refresh Tree icon.
  9. DirectFlex – to speed up logins, enable DirectFlex whenever possible. Instead of restoring the files during logon and thus delaying the login, DirectFlex restores the settings on-demand when the user launches the application. DirectFlex can be enabled on most application configurations. However, Windows settings (e.g. Start Menu) should be loaded during login rather than on-demand after login.

Additional DEM Configuration

User Environment Manager 8.7 and newer has a UEMResult feature that lets you see what settings were applied to the user. The .xml file is only updated at logoff. To enable for a particular user, go to the user’s Logs folder and create a folder named UEMResult. At logoff, DEM will put an .xml file in this folder. More information at VMware Docs.

From VMware 2113514 Enabling debug logging for a single user in VMware User Environment Manager: To configure FlexEngine to log at debug level for a single user, create an empty FlexDebug.txt file in the same folder as the standard log file for this user. This triggers FlexEngine to switch to debug logging for this particular user.

DEM Application Profiler

This tool cannot be installed on a machine that has FlexEngine (aka DEM Agent) installed:

  1. .NET Framework 3.5 is required.
  2. In the Dynamic Environment Manager files, in the Optional Components folder, run VMware DEM Application Profiler 10.6 x64.msi. DEM 2312 (10.12) includes version 10.6 of the Profiler.
  3. In the Welcome to the VMware DEM Application Profiler Setup Wizard page, click Next.
  4. In the End-User License Agreement page, check the box next to I accept the terms and click Next.
  5. In the Custom Setup page, click Next.
  6. In the Ready to install VMware DEM Application Profiler page, click Install.
  7. In the Completed the VMware DEM Application Profiler Setup Wizard page, click Finish.

You may now use the tool to determine where applications store their settings and export a default application configuration that can be pushed out using Dynamic Environment Manager.

DEM Support Tool

vDelboy – VMware UEM Helpdesk Support Tool

Do the following to configure the environment for the support tool:

  1. In the Dynamic Environment Manager Console, click the star icon on the top left, and click Configure Helpdesk Support Tool.
  2. Click Add.
  3. In the Profile archive path field, enter the user folder share (the same one configured in Dynamic Environment Manager GPO). At the end of the path, enter \[UserFolder]\Archives.
  4. Check the other two boxes. The paths should be filled in automatically. Make sure they match what you configured in the Dynamic Environment Manager group policy object. Click OK.
  5. Click Save.
  6. VMware recommends creating a new GPO for the Support Tool. This GPO should apply only to the support personnel.

  7. On the Scope tab, change the filtering so it applies to DEM Support and DEM Admins. If this GPO applies to machines with group policy loopback processing enabled, then also add Domain Computers.
  8. Edit the GPO.
  9. Go to User Configuration | Policies | Administrative Templates | VMware UEM | Helpdesk Support Tool.
  10. Double-click the setting DEM configuration share.
  11. Enable the setting, and enter the path to the DEMConfig share. Click OK.
  12. Consider enabling the remaining GPO settings. Read the Explain text or refer to the documentation.

Do the following to install the support tool.

  1. .NET Framework 3.5 is required.
  2. Some support tool functions require the FlexEngine (aka DEM Agent) to be installed on the help desk machine.
  3. In the extracted Dynamic Environment Manager files is an Optional Components folder. From inside that folder run VMware DEM Helpdesk Support Tool 2111 10.4 x64.msi. This tool was not updated for the DEM 2312 (10.12) release.
  4. In the Welcome to the VMware DEM Helpdesk Support Tool Setup Wizard page, click Next.
  5. In the End-User License Agreement page, check the box next to I accept the terms and click Next.
  6. In the Destination Folder page, click Next.
  7. In the Ready to install VMware DEM Helpdesk Support Tool page, click Install.
  8. In the Completed the VMware DEM Helpdesk Support Tool Setup Wizard page, click Finish.

Once the Helpdesk Support Tool is installed, you can launch it from the Start Menu, search for users, and then perform operations on the archives.

Related Pages

Horizon Group Policy and Profiles

Last Modified: Jan 25, 2024 @ 10:15 am


This post applies to all VMware Horizon versions 7.0, and newer, including Horizon 2312 (8.12).


Roaming Profiles Options

There are several options for persisting user profile settings when the user logs off:

  • VMware Dynamic Environment Manager (DEM) – DEM is a very configurable product that is generally preferred over Persona and Microsoft Roaming Profiles. It works on both virtual desktops and Remote Desktop Session Hosts.
    • In Horizon 2006 (8.0) and newer, DEM Personalization features are available in all editions of Horizon.
    • In Horizon 7, only Horizon Enterprise Edition is entitled to VMware’s Dynamic Environment Manager.
    • VMware Dynamic Environment Manager (DEM) is the new name for VMware User Environment Manager (UEM). VMware renamed User Environment Manager 9.9 and newer to DEM to avoid confusion with Workspace ONE Unified Endpoint Management (also UEM), which is actually AirWatch mobility management. User Environment Manager is sometimes called “little UEM”, while AirWatch is sometimes called “big UEM”.
    • DEM persists settings for specific applications instead of persisting the entire profile. Saved application settings are stored in separate .zip files (aka profile archives) for each application so you can restore one .zip file without affecting the other .zip files. Many of these DEM profile archive .zip files can be restored to multiple operating system versions, whereas other monolithic profile solutions are tied to a specific operating system version.
    • DEM restores profile archives on top of other profile solutions. One option is mandatory profiles so that anything not saved by DEM is discarded on logoff.
    • VMware KB article 2118056 Migrate VMware Persona Management to VMware User Environment Manager.
  • VMware Persona saves the entire user profile, meaning it is a “set and forget” roaming profile solution that is similar to Microsoft’s native roaming profiles or Citrix Profile Management.
    • VMware Persona is not included in Horizon 2006 (8.0) and newer. If you are using Persona in Horizon 7, then before upgrading, see VMware Tech Zone Modernizing VDI for a New Horizon to migrate off of Persona.
    • VMware Persona is included in all editions of Horizon 7.
    • However, Persona doesn’t work on newer versions of Windows 10, Persona doesn’t work on RDSH Horizon Agents, and Persona doesn’t work on Instant Clones.
    • In practice, DEM is the only viable profile option from VMware, but DEM requires Horizon 7 Enterprise Edition, or an upgrade to Horizon 2006 (8.0).
  • VMware App Volumes Writable Volumes – App Volumes Writable Volumes can store the user’s profile and roam the writable volume to different Horizon Agent machines.
    • App Volumes requires Horizon Enterprise Edition.
    • App Volumes is a separate infrastructure (e.g. separate servers, separate agents) that must be built, learned, maintained, and supported.
    • Writable Volumes are stored as .vmdk files on vSphere datastores. For backup/restore, you can replicate the .vmdk files to multiple datastores, including multiple data centers.
    • When Writable Volumes are combined with DEM, then Outlook search indexes can be stored on the Writable Volumes.
    • Writable Volumes can only be mounted on one Horizon Agent machine at a time.
  • VMware Persistent Disks – VMware Horizon Composer can generate persistent disks for each dedicated desktop machine. User profile is redirected to the persistent disk so the user profile will be available after the machine is refreshed.
    • In Horizon 2006 (8.0) and newer, Composer and Persistent Disks are deprecated. Composer has been removed from Horizon 2012 (8.1) and newer. Before upgrading, see VMware Tech Zone Modernizing VDI for a New Horizon to migrate off of Persona.
    • Persistent Disk only stores the user’s profile. It does not store user-installed applications. If you need to persist user-installed applications, then implement App Volumes Writable Volumes instead.
    • Persistent Disks were brought to Instant Clones in Horizon 2306 (8.10) and newer. See Using Persistent Disks for Dedicated Instant Clones at VMware Docs.
    • Persistent Disks are only an option for Dedicated Assignment pools, meaning that the Persistent Disks do not float between machines. Administrators can manually detach a Persistent Disk from one machine and attach it to a different machine.
    • Persistent Disks are stored as .vmdk files on vSphere datastores. How do you back them up and restore them, especially if they are not currently mounted on a running virtual machine?
  • Microsoft FSLogix – FSLogix Profile Containers can store the entire user profile in a .vhdx file that is stored on a file share.
    • FSLogix is free for almost all virtual desktop and RDSH customers. If you’re not licensed for DEM, then FSLogix is a viable alternative.
    • FSLogix is known for roaming the Outlook Search Index and other special Office 365 files.
    • FSLogix Profile Container is very similar to VMware Persistent Disks and Microsoft User Experience Virtualization in that the entire profile is stored in the .vhdx file. Watch out for disk space consumption on the file share. And concurrent access to the .vhdx can be challenging.
    • FSLogix Profile Container configuration is “set and forget” since it doesn’t need separate configuration for each application.
  • Microsoft Roaming Profiles – a last-case alternative is native Microsoft roaming profiles. However, there are many limitations.
    • Microsoft’s Roaming Profiles cause longer login times since the entire profile is downloaded before the user can interact with the desktop or application. This is not a problem in other roaming profile solutions.
    • Microsoft’s Roaming Profiles do not merge settings from multiple sessions so if you have users connecting to multiple RDS farms (or multiple desktop pools) then each RDS farm should have separate roaming profile shares.

Roaming Profiles File Shares

File Shares Design

This section provides a summary of the required shares. See Create and Share the Folders for detailed steps for creating the profile shares.

There are typically several types of file share paths:

  • Roaming Profiles – stores DEM profile archives, FSLogix .vhdx Profile Containers, etc.
    • Roaming profiles (or DEM profile archives) are stored in a separate sub-folder for each user that only the one user has access to.
    • FSLogix, VMware Persona and Microsoft Roaming Profiles are monolithic profiles that are tied to a specific operating system version. If you are supporting multiple operating systems, or if users are connecting to multiple, concurrent pools/farms, then create a separate Roaming Profile share path for each operating system version. For example, you might have separate Roaming Profile shares for Windows 10 and Windows Server 2019.
      • Theoretically, DEM Personalization Archives can be used across multiple operating system versions.
  • Folder Redirection – stores profile folders that you want to persist but you don’t want to store with the roaming profile. These folders are typically Documents, Downloads, Desktop, and Favorites. Folder Redirection speeds up restoration of roaming profiles. AppData should not be redirected to this file share path.
    • Each user has a separate sub-folder that only the one user has access to.
    • Folder Redirection can be accessed from multiple operating system versions so there’s no need to create multiple Folder Redirection share paths.
  • Home Directories – users store Documents and other personal data in Home Directories.
    • Folder Redirection can be stored in Home Directories instead of in a separate Folder Redirection file share path.
    • Home Directories might be located on multiple file servers. If these file servers are in branch offices instead of data centers, then Folder Redirection should be stored on file servers in the data center that contains Horizon Agents.
  • DEM Configuration Share – VMware Dynamic Environment Manager (DEM) stores its configuration in a file share.

These file shares for a particular user can only be located in one data center. Neither VMware nor Microsoft support multi-master replication (aka merge replication) of user profiles, home directories, and folder redirection. If you use DFS Namespaces, then the DFS Namespace path must point to only one target.

  • Horizon users should connect to Horizon Agents in the same data center as the file servers that contain the user’s profile, folder redirection, and home directory. If you have active Horizon Agents in multiple data centers, then you can configure Horizon Cloud Pod Home Sites so that specific users connect to specific data centers. If users connect to a Horizon Agent that is not in the same data center as the user’s file servers, then the files are retrieved across the Data Center Interconnect, which might take longer than desired.
  • The DEM Configuration Share is primarily read-only so multi-master replication is less of a concern.

Here are NTFS permissions for each of the profile file share types:

DEM Profile Archives share:

  • \\server\DEMProfiles
    • DEM Admins = Full Control
    • DEM Support = Modify
    • DEM Users = Read/Execute, Create Folders – this folder only
    • Creator Owner = Full Control

Dynamic Environment Manager (DEM) Configuration share:

  • \\server\DEMConfig – stores DEM configuration
    • DEM Admins = Full Control
    • DEM Users = Read
    • DEM Support = Read
    • Domain Computers = Read – for DEM computer ADMX

Non-DEM Monolithic Roaming Profiles share: (example includes multiple shares for multiple operating systems)

  • \\server\Profiles\Win10
    • Admins = Full Control
    • Support = Modify
    • Users = Read/Execute, Create Folders – this folder only
    • Creator Owner = Full Control
  • \\server\Profiles\Win19
    • Admins = Full Control
    • Support = Modify
    • Users = Read/Execute, Create Folders – this folder only
    • Creator Owner = Full Control

Folder Redirection share:

  • \\server\Redirect
    • Admins = Full Control
    • Users = Read/Execute, Create Folders – this folder only
    • Creator Owner = Full Control

According to VMware 2113665 Imports and exports in VMware User Environment Manager are slow, the two DEM shares should be excluded from antivirus scanning. The article also details some antivirus exclusions for the FlexEngine installed on the Horizon Agent machines.

Create and Share the Folders

  1. On your file server, make sure file and printer sharing is enabled.
  2. On the file server that will host the file share, create a new folder and name it DEMConfig, DEMProfiles, or similar. See File Shares Design for design info on the share paths that should be created.
  3. Open the folder’s Properties.
  4. On the Sharing tab, click Advanced Sharing.
  5. Check the box to share the folder.
  6. Click Permissions.
  7. Give Full Control to Everyone. This is only the share-level permission; effective access is the more restrictive of share and NTFS permissions, so the NTFS permissions configured in the Folder Permissions section below are what actually keep users out of each other's folders. Click OK.
  8. Click Caching.
  9. Select No files or programs. Click OK twice, and then click Close.

Folder Permissions

The following procedure works for any of the profile and redirection folders listed in the file shares design except for the DEMConfig folder.

Lieven D’hoore has VMware Horizon View – Script to create Persona Management Repositories, Shares and Permissions.

  1. Open the Properties of the new shared folder.
  2. On the Security tab, click Advanced.

    1. Click Disable Inheritance.
    2. Click Convert inherited permissions.
    3. Click OK to close Advanced Security Settings.
  3. On the Security tab, click Edit.

    1. For the Everyone, Authenticated Users, or Users entry (whichever one is present), remove Full Control and Modify. Make sure Write is enabled so users can create new folders.
    2. Add CREATOR OWNER, and give it Full Control. This grants each user Full Control of the folder they create, and no access to the folders other users create.
    3. Click OK to close the Permissions window.
  4. Click Advanced again.
  5. Highlight the Everyone, Authenticated Users, or Users permission entry and click Edit.
  6. At the top of the window, change the Applies to selection to This folder only. This prevents that entry from flowing down into newly created profile folders, which is what stops one user from reading another user's profile.
  7. Remove all other permission entries that grant access to Users, Domain Users, Everyone, or Authenticated Users. There should be only one such entry left.
  8. Click OK twice to close the Security and Properties windows.

VMware Fling – Horizon View Persona Management Share Validation Tool:

  1. Download the tool, and extract it.
  2. From a command line, run VMWVvpValidator.exe with the share parameter, the path to the Persona or RDSProfiles share, and the group that should have access to the share.
  3. This will create a VMWVvpValidator.txt file in the same folder that contains the executable. Open it.
  4. Scroll down and there should be no errors. If there are, fix them as detailed in the report.

Access Based Enumeration

With access based enumeration enabled, users can only see folders to which they have access.

  1. In Server Manager, on the left, click File and Storage Services.
  2. If you don’t see Shares then you probably need to close Server Manager and reopen it.
  3. Right-click the new share, and click Properties.
  4. On the Settings page, check the box next to Enable access-based enumeration and click OK.
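The three procedures above (Create and Share the Folders, Folder Permissions, and Access Based Enumeration) as one PowerShell script. This is an added example and not from the original article; the folder path, share name, and group names are placeholders. It produces the same end state as the GUI steps (inheritance disabled, an explicit entry per group, CREATOR OWNER Full Control on subfolders and files only, the Users group limited to This folder only) and includes a check you can run against an existing share. The DEMConfig share, which needs Read-only entries plus Domain Computers Read, is not covered.

```powershell
# Added example, not from the original article. Run elevated on the file server.
#Requires -RunAsAdministrator

function New-ProfileShare {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]$Path,          # local folder, e.g. D:\Shares\DEMProfiles (placeholder)
        [Parameter(Mandatory)] [string]$ShareName,
        [Parameter(Mandatory)] [string]$AdminsGroup,   # Full Control
        [string]$SupportGroup,                         # Modify; omit for the Redirect share
        [Parameter(Mandatory)] [string]$UsersGroup     # Read/Execute + Create Folders, this folder only
    )
    $null = New-Item -Path $Path -ItemType Directory -Force

    # NTFS: disable inheritance and discard the inherited entries, then add the
    # explicit entries from the File Shares Design (same end state as the GUI steps)
    $acl = Get-Acl -LiteralPath $Path
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($ace in @($acl.Access | Where-Object { -not $_.IsInherited })) { $null = $acl.RemoveAccessRule($ace) }

    $subtree  = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $none     = [System.Security.AccessControl.InheritanceFlags]::None
    $noProp   = [System.Security.AccessControl.PropagationFlags]::None
    $subOnly  = [System.Security.AccessControl.PropagationFlags]::InheritOnly
    $allow    = [System.Security.AccessControl.AccessControlType]::Allow
    $ruleType = 'System.Security.AccessControl.FileSystemAccessRule'

    $acl.AddAccessRule((New-Object $ruleType $AdminsGroup, 'FullControl', $subtree, $noProp, $allow))
    # CREATOR OWNER on subfolders and files only: each user ends up owning just the folder they create
    $acl.AddAccessRule((New-Object $ruleType 'CREATOR OWNER', 'FullControl', $subtree, $subOnly, $allow))
    # Users on this folder only, so the entry never flows into another user's profile folder
    $acl.AddAccessRule((New-Object $ruleType $UsersGroup, 'ReadAndExecute, CreateDirectories', $none, $noProp, $allow))
    if ($SupportGroup) {
        $acl.AddAccessRule((New-Object $ruleType $SupportGroup, 'Modify', $subtree, $noProp, $allow))
    }
    Set-Acl -LiteralPath $Path -AclObject $acl

    # Share: Full Control for Everyone at the share level (effective rights come from NTFS),
    # no offline caching, and access-based enumeration so users only see their own folder
    if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
        $null = New-SmbShare -Name $ShareName -Path $Path -FullAccess 'Everyone' `
                             -CachingMode None -FolderEnumerationMode AccessBased
    } else {
        Set-SmbShare -Name $ShareName -CachingMode None -FolderEnumerationMode AccessBased -Force
    }
    "\\$env:COMPUTERNAME\$ShareName"
}

function Test-ProfileShareAcl {
    # Quick check of the end state: inheritance still on, or a broad group that
    # can write/delete on the root or that inherits into the per-user folders
    param([Parameter(Mandatory)] [string]$Path, [Parameter(Mandatory)] [string]$UsersGroup)
    $acl   = Get-Acl -LiteralPath $Path
    $broad = '^(Everyone|BUILTIN\\Users|NT AUTHORITY\\Authenticated Users|.+\\Domain Users)$'
    $write = [System.Security.AccessControl.FileSystemRights]'CreateFiles, Delete, ChangePermissions, TakeOwnership'
    $problems = @()
    if (-not $acl.AreAccessRulesProtected) { $problems += 'Inheritance is still enabled on the share root' }
    foreach ($ace in $acl.Access) {
        $id = $ace.IdentityReference.Value
        if ($id -notmatch $broad -and $id -ne $UsersGroup) { continue }
        if ($ace.InheritanceFlags -ne 'None') { $problems += "$id applies below this folder (should be This folder only)" }
        if (($ace.FileSystemRights -band $write) -ne 0) { $problems += "$id has write/delete rights ($($ace.FileSystemRights))" }
    }
    $problems
}

# Placeholder names; the DEM Profile Archives share from the File Shares Design
New-ProfileShare -Path 'D:\Shares\DEMProfiles' -ShareName 'DEMProfiles' `
    -AdminsGroup 'CONTOSO\DEM Admins' -SupportGroup 'CONTOSO\DEM Support' -UsersGroup 'CONTOSO\DEM Users'
Test-ProfileShareAcl -Path 'D:\Shares\DEMProfiles' -UsersGroup 'CONTOSO\DEM Users'
```

Test-ProfileShareAcl returns an empty result when the root folder matches the design; run it against shares that were built by hand, since the usual mistake is an Authenticated Users or Domain Users entry that still applies to subfolders and files.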

GPO Templates

Windows Group Policy Templates

Unfortunately, there are some differences between the GPO templates for Windows Server, and the GPO templates for Windows 10. You'll need to download the full set of templates.

Follow the procedure at https://www.carlstalhood.com/group-policy-objects-vda-computer-settings/#admtemp to download and install the Administrative Templates (.admx) for Windows 10.

Horizon Group Policy Templates

Some of the policy settings in this topic require group policy templates from the Horizon GPO Bundle, which can be downloaded from the VMware Horizon Download Page.

For Horizon 2312 (8.12) ESB, download Horizon GPO Bundle 8.12 (VMware-Horizon-Extras-Bundle-2312-8.12.0).

For Horizon 2212 ESB (8.8), download Horizon GPO Bundle 8.8 (VMware-Horizon-Extras-Bundle-2212-8.8.0).

Install the Group Policy files:

  1. Go to the downloaded VMware-Horizon-View-Extras-Bundle.zip file and extract the files.
  2. Copy the .admx files, and en-US folder, to the clipboard.
  3. Go to \\domain.com\sysvol\domain.com\Policies\PolicyDefinitions (if it exists), or C:\Windows\PolicyDefinitions on the group policy editing machines (if PolicyDefinitions doesn’t exist in SYSVOL) and paste the .admx files. Overwrite any older files.

  4. Horizon 7.13 has an .admx file in the ThinPrint\ADMX folder. Horizon 2006 (8.0) and newer no longer include ThinPrint, so this .admx is not available in Horizon 2006 (8.0) and newer.
    1. Copy the .admx file, and en-US folder, to the clipboard.
    2. Go to \\domain.com\sysvol\domain.com\Policies\PolicyDefinitions (if it exists), or C:\Windows\PolicyDefinitions on the group policy editing machines (if PolicyDefinitions doesn’t exist in SYSVOL) and paste the .admx files. Overwrite any older files.
  5. When you edit group policy objects, you can now edit Horizon settings.

Dynamic Environment Manager GPO Templates

Download and copy the DEM GPO ADMX templates to PolicyDefinitions. DEM can also work without Active Directory (Group Policy); see VMware 2148324 Configuring advanced UEM settings in NoAD mode for details.

In Horizon 2006 (8.0) and newer, DEM is available in all editions of Horizon. There are two editions of DEM, each with different downloads and different ADMX templates.

In Horizon 7, DEM is only available for Horizon Enterprise Edition customers. Horizon 7 Enterprise Edition customers can download DEM Enterprise Edition.

  1. Based on your entitlement, download either DEM 2312 (10.12) Enterprise Edition, or DEM 2312 (10.12) Standard Edition. For ESB Horizon, download the DEM version included with your ESB version of Horizon.

  2. Go to the extracted Dynamic Environment Manager files, and in the Administrative Templates (ADMX) folder, copy the files and the folder.
  3. Go to \\domain.com\sysvol\domain.com\Policies\PolicyDefinitions (if it exists), or C:\Windows\PolicyDefinitions on the group policy editing machines (if PolicyDefinitions doesn’t exist in SYSVOL) and paste the files and folder. Overwrite any older files.

  4. If you are upgrading from UEM 9.8 or older to DEM 9.9 or newer, then look in PolicyDefinitions for VMware UEM.admx files and delete them.
  5. You will find VMware DEM GPO settings in the User Half of a GPO.

VMware DEM FlexEngine Advanced Settings are available in a different GPO template.

  1. Go to https://kb.vmware.com/s/article/2145286.
  2. On the right is an Attachments box. Download the .zip file.
  3. Extract the files. Then copy the file and folder.
  4. Go to your PolicyDefinitions folder and paste them.

Microsoft Edge GPO Templates

VMware Horizon Browser Redirection requires installation of an Edge extension. Install the Edge GPO Templates so you can force install the Edge extension.

  1. Download the Edge ADMX templates from Microsoft Edge for business. Select your version of Edge and then click GET POLICY FILES.
  2. Extract the .zip file.
  3. Go to the extracted files. In the \windows\admx folder, copy the msedge*.admx files and the en-US folder.
  4. Go to PolicyDefinitions in your SYSVOL (e.g., \\domain.com\sysvol\domain.com\Policies\PolicyDefinitions) and paste the .admx files and en-US folder.

Google Chrome GPO Templates

VMware Horizon Browser Redirection requires installation of a Chrome extension. Install the Chrome GPO Templates so you can force install the Chrome extension.

  1. Download the Google Chrome ADMX templates from Set Chrome Browser policies on managed PCs.
  2. Extract the .zip file.
  3. Go to the extracted files. In the \policy_templates\windows\admx folder, copy the chrome.admx and google.admx files.
  4. Go to PolicyDefinitions in your SYSVOL (e.g. \\domain.com\sysvol\domain.com\Policies\PolicyDefinitions) and paste the .admx files.
  5. Go back to the extracted Google Chrome templates in the \policy_templates\windows\admx folder and copy the en-US folder.
  6. Go to back to PolicyDefinitions in your SYSVOL and paste the en-US folder. It will add .adml files to the existing en-US folder.
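All five template sections above do the same thing: copy .admx files into the Central Store and the matching .adml files into its en-US sub-folder, overwriting older copies. The PowerShell below does that for any number of extracted downloads and also removes the old VMware UEM templates that the DEM section says to delete after an upgrade. This is an added example and not from the original article; the extraction folders are placeholders for wherever you unzipped the downloads.

```powershell
# Added example, not from the original article. Run as a user who can write to SYSVOL.

function Install-AdmxTemplates {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Folders that contain *.admx plus a language sub-folder (en-US) with the *.adml files
        [Parameter(Mandatory)] [string[]]$SourceFolder,
        [string]$Domain       = $env:USERDNSDOMAIN,
        [string]$Language     = 'en-US',
        [string]$CentralStore = "\\$Domain\SYSVOL\$Domain\Policies\PolicyDefinitions"
    )
    # Create the Central Store if the domain does not have one yet
    $langDest = Join-Path $CentralStore $Language
    foreach ($dir in $CentralStore, $langDest) {
        if (-not (Test-Path -LiteralPath $dir)) { $null = New-Item -Path $dir -ItemType Directory -Force }
    }

    $copied = @()
    foreach ($src in $SourceFolder) {
        foreach ($admx in Get-ChildItem -LiteralPath $src -Filter *.admx -File) {
            if ($PSCmdlet.ShouldProcess($admx.Name, "copy to $CentralStore")) {
                Copy-Item -LiteralPath $admx.FullName -Destination $CentralStore -Force   # overwrite older files
                $copied += $admx.Name
            }
        }
        $langSrc = Join-Path $src $Language
        if (Test-Path -LiteralPath $langSrc) {
            foreach ($adml in Get-ChildItem -LiteralPath $langSrc -Filter *.adml -File) {
                if ($PSCmdlet.ShouldProcess($adml.Name, "copy to $langDest")) {
                    Copy-Item -LiteralPath $adml.FullName -Destination $langDest -Force
                    $copied += "$Language\$($adml.Name)"
                }
            }
        }
    }
    $copied
}

function Remove-LegacyUemTemplates {
    # UEM 9.8 and older shipped "VMware UEM" .admx/.adml files; DEM 9.9 and newer use
    # different file names, and the old ones should be deleted after the upgrade
    param([Parameter(Mandatory)] [string]$CentralStore, [string]$Language = 'en-US')
    Get-ChildItem -LiteralPath $CentralStore -Filter 'VMware UEM*.admx' -File | Remove-Item -Force -Verbose
    Get-ChildItem -LiteralPath (Join-Path $CentralStore $Language) -Filter 'VMware UEM*.adml' -File | Remove-Item -Force -Verbose
}

# Placeholder extraction folders for the four downloads described above
Install-AdmxTemplates -SourceFolder @(
    'C:\Temp\VMware-Horizon-Extras-Bundle-2312-8.12.0',       # Horizon GPO Bundle
    'C:\Temp\DEM-2312\Administrative Templates (ADMX)',       # Dynamic Environment Manager
    'C:\Temp\MicrosoftEdgePolicyTemplates\windows\admx',      # Edge: msedge*.admx and en-US
    'C:\Temp\policy_templates\windows\admx'                   # Chrome: chrome.admx, google.admx and en-US
)
Remove-LegacyUemTemplates -CentralStore "\\$env:USERDNSDOMAIN\SYSVOL\$env:USERDNSDOMAIN\Policies\PolicyDefinitions"
```

Run Install-AdmxTemplates with -WhatIf first to see which files would be overwritten. If you don't have a Central Store and don't want one, point -CentralStore at C:\Windows\PolicyDefinitions on the machine where you edit group policy.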

Create Group Policy Objects

  1. Within Active Directory Users and Computers, create a parent Organizational Unit (OU) to hold all Horizon Agent computer objects (virtual desktops and Remote Desktop Session Hosts).
  2. Then create sub-OUs, one for each pool or RDS Farm.
  3. Move the Horizon Agent machines from the Computers container to one of the OUs created in step 2.
  4. Within Group Policy Management Console, create a Group Policy Object (GPO) called Horizon Agent Computer Settings and link it to the parent OU created in step 1. If this policy should apply to all pools, then link it to the parent OU. Or you can link it to pool-specific sub-OUs.

  5. Modify the properties of the GPO, on the Details tab, so that the User Configuration portion of the GPO is disabled. User settings do not belong in this GPO.
  6. Create and link two new GPOs to the Session host OU (in addition to the Horizon Agent Computer Settings GPO). One of the GPOs is called Horizon Agent All Users (including admins), and the other is called Horizon Agent Non-Admin Users (lockdown). The Non-Admin Users GPO can either be linked to the parent OU, or to the session host sub-OUs. Locking down sessions is more common for Remote Desktop Session Hosts.

  7. Modify the properties of both of these GPOs and disable the Computer Configuration portion of the GPO.
  8. Click the Horizon Agent Non-Admin Users GPO to highlight it.
  9. On the right, switch to the Delegation tab, and click Add.
  10. Find your Horizon Admins group, and click OK.
  11. Change the Permissions to Edit settings, and click OK.
  12. Then on the Delegation tab, click Advanced.
  13. For Horizon Admins, place a check mark in the Deny column for the Apply Group Policy permission. If desired, you can also deny the GPO to Domain Admins and Enterprise Admins. Click OK.
  14. Click Yes when asked to continue.
  15. For the other two GPOs, add Horizon Admins with Edit Settings permission. But don’t deny Apply Group Policy. The deny entry is only needed on the Lockdown GPO.
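Steps 1 to 15 above, done with the ActiveDirectory and GroupPolicy modules. This is an added example and not from the original article; OU names, GPO names, the computer-name prefix, and the Horizon Admins group are placeholders. Set-GPPermission cannot write a Deny entry, so the Deny on Apply Group Policy for the lockdown GPO is written as an access rule on the GPO's container object through the AD: drive, which is the same AD permission the Delegation > Advanced dialog sets.

```powershell
# Added example, not from the original article. Run as a user who can create OUs and GPOs.
#Requires -Modules GroupPolicy, ActiveDirectory
Import-Module GroupPolicy, ActiveDirectory

$domainDN   = (Get-ADDomain).DistinguishedName
$parentOU   = "OU=Horizon Agents,$domainDN"     # step 1 (placeholder name)
$poolOUs    = 'Pool-Win10', 'RDS-Farm1'          # step 2: one sub-OU per pool or RDS farm
$adminGroup = 'Horizon Admins'                   # placeholder group name

# Steps 1-2: OU structure, idempotent
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq 'Horizon Agents'" -SearchBase $domainDN -SearchScope OneLevel)) {
    New-ADOrganizationalUnit -Name 'Horizon Agents' -Path $domainDN
}
foreach ($ou in $poolOUs) {
    if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$ou'" -SearchBase $parentOU -SearchScope OneLevel)) {
        New-ADOrganizationalUnit -Name $ou -Path $parentOU
    }
}

# Step 3: move the pool's machines out of the Computers container (name prefix is a placeholder)
Get-ADComputer -Filter "Name -like 'W10POOL*'" -SearchBase "CN=Computers,$domainDN" |
    Move-ADObject -TargetPath "OU=Pool-Win10,$parentOU"

function New-HorizonGpo {
    param(
        [Parameter(Mandatory)] [string]$Name,
        [Parameter(Mandatory)] [string]$LinkTarget,
        [Parameter(Mandatory)] [ValidateSet('UserSettingsDisabled', 'ComputerSettingsDisabled')] [string]$DisabledHalf,
        [Parameter(Mandatory)] [string]$EditorGroup
    )
    try { $gpo = Get-GPO -Name $Name -ErrorAction Stop } catch { $gpo = New-GPO -Name $Name }
    $gpo.GpoStatus = $DisabledHalf          # steps 5 and 7: disable the half that does not belong in this GPO
    $linked = (Get-GPInheritance -Target $LinkTarget).GpoLinks | Where-Object DisplayName -eq $Name
    if (-not $linked) { $null = New-GPLink -Name $Name -Target $LinkTarget -LinkEnabled Yes }
    # Steps 9-11 and 15: Horizon Admins can edit the GPO (no Deny here)
    $null = Set-GPPermission -Name $Name -TargetName $EditorGroup -TargetType Group -PermissionLevel GpoEdit
    $gpo
}

function Deny-GpoApply {
    # Steps 12-14: Deny the "Apply Group Policy" extended right on the GPO object,
    # so the group that edits the lockdown GPO is not locked down by it
    param([Parameter(Mandatory)] [string]$GpoName, [Parameter(Mandatory)] [string]$GroupName)
    $gpo     = Get-GPO -Name $GpoName
    $gpoPath = "AD:\CN={$($gpo.Id)},CN=Policies,CN=System,$((Get-ADDomain).DistinguishedName)"
    $sid     = (Get-ADGroup -Identity $GroupName).SID
    $applyGp = [Guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'   # Apply-Group-Policy control access right
    $acl     = Get-Acl -Path $gpoPath
    $rule    = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Deny, $applyGp)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $gpoPath -AclObject $acl
}

# Step 4: computer GPO on the parent OU; step 6: the two user GPOs on the session host OU
$null = New-HorizonGpo -Name 'Horizon Agent Computer Settings' -LinkTarget $parentOU `
            -DisabledHalf UserSettingsDisabled -EditorGroup $adminGroup
$null = New-HorizonGpo -Name 'Horizon Agent All Users' -LinkTarget "OU=RDS-Farm1,$parentOU" `
            -DisabledHalf ComputerSettingsDisabled -EditorGroup $adminGroup
$null = New-HorizonGpo -Name 'Horizon Agent Non-Admin Users' -LinkTarget "OU=RDS-Farm1,$parentOU" `
            -DisabledHalf ComputerSettingsDisabled -EditorGroup $adminGroup
Deny-GpoApply -GpoName 'Horizon Agent Non-Admin Users' -GroupName $adminGroup
```

After running it, open the Non-Admin Users GPO in GPMC, and on the Delegation tab click Advanced to confirm that Horizon Admins shows Deny on Apply Group Policy while keeping Edit settings. The user-half GPOs only take effect on the Horizon Agent machines because loopback processing is enabled in the computer settings GPO.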

GPOs for Roaming Profiles (Persona and RDS)

You will need separate profile configurations for each Horizon Agent type (virtual desktops, RDS, operating system version, operating system bitness, etc.) Each profile configuration needs a different GPO. Note: if you are licensed for Dynamic Environment Manager, then you can skip this section.

  1. Right-click one of the Remote Desktop Session Host sub-OUs, and create a new GPO.
  2. Name it Horizon Agent RDS Farm 1 Profiles or similar. This policy will use Microsoft’s native roaming profiles instead of Persona. Note: each RDS farm should have a separate roaming profile share.
  3. Select the new GPO to highlight it. On the right, on the Delegation tab, add the Horizon Admins group, and give it Edit Settings permission.
  4. If you have additional Remote Desktop Session Host sub-OUs (one for each RDS Farm), right-click one of them and create another GPO with a different name. Each RDS Farm needs a different profile path.

  5. Right-click a virtual desktop sub-OU, and click Create a GPO in this domain.
  6. Name it Horizon Agent Persona Win10 or similar, and click OK. Each operating system version should point to a different file share, so include the operating system version in the GPO name.
  7. Select the new GPO to highlight it. On the right, on the Delegation tab, add the Horizon Admins group, and give it Edit Settings permission.
  8. If you have additional virtual desktop sub-OUs of the same operating system, right-click the OU, and click Link an Existing GPO.
  9. Select the Horizon Agent Persona Win10 GPO, and click OK.
  10. For desktop pools running a different operating system, create a new Persona GPO. Each Persona GPO will point to a different share.
  11. The final group policy object framework will look like this: some GPOs linked to the parent OU and pool-specific GPOs linked to the sub-OUs. Each sub-OU needs different GPOs for different roaming profile configurations.

Agent Computer Settings

These GPO settings should be applied to the Horizon Agents.

General Computer Settings

  1. Right-click the Horizon Agent Computer Settings GPO, and click Edit.
  2. Configure the GPO Computer Settings as detailed at https://www.carlstalhood.com/group-policy-objects-vda-computer-settings/#computer.

Remote Desktop Users Group

  1. Right-click the Horizon Agent Computer Settings GPO, and click Edit.
  2. Under Computer Config > Windows Settings > Security Settings, right-click Restricted Groups, and click Add Group.
  3. Browse to the group of users (e.g. Domain Users) that will be added to the Remote Desktop Users group on the virtual desktops. Click OK.
  4. In the bottom half of the window, click Add to specify that this group is a member of:
  5. Enter Remote Desktop Users, and click OK twice.

VMware Integrated Printing

Horizon 7.7 and newer have a new Universal Print Driver named VMware Integrated Printing or VMware Advanced Printing, which replaces ThinPrint. Integrated Printing is an optional feature of the Horizon Agent installer and requires Horizon Client 4.10 for Windows, Horizon Client 5.1 for Linux and Horizon Client 5.1 for Mac.

You can use Group Policy to configure Integrated Printing. (e.g. select whether Native Print Drivers are preferred over the Universal Print Driver). The GPO settings only apply if the VMware Integrated Printing feature is installed on the Horizon Agent.

  1. Make sure the Horizon 2012 (8.1) or newer GPO Templates are installed. Some Integrated Printing GPO settings are available in Horizon 7.7 and newer.
  2. Edit the Horizon Agent Computer Settings GPO.
  3. Go to Computer Configuration | Policies | Administrative Templates | VMware View Agent Configuration | VMware Integrated Printing (or VMware Advanced Printing). This node only appears in ADMX templates from Horizon 7.7 and newer.
    • In Horizon 2012 (8.1) and newer, the GPO settings were moved under the VMware View Agent Configuration folder.
    • In Horizon 2012 (8.1) and newer, the Integrated Printing settings are also available in the user half at User Configuration > Policies > Administrative Templates > VMware View Agent Configuration > VMware Integrated Printing. User settings override computer settings.
  4. Horizon 2106 (8.3) and newer have a setting named Default settings for UPD printers that lets you set duplex, color, and compression defaults.

  5. In Horizon 2012 (8.1) and newer, Do not change default printer prevents the client default printer from overriding the remote default printer.
  6. Edit the setting Printer Driver Selection.
  7. Enable the setting, and then consider setting it to Always use UPD to avoid needing to install any printer drivers on the Horizon Agent machines. This is particularly beneficial for multi-user RDSH machines.
  8. In Horizon 2012 (8.1) and newer, Printer Name Schema lets you change the names of the redirected printers.

  9. Horizon 2303 and newer have Enable server printer redirection, which causes the Horizon Agent to connect directly to the print servers instead of routing the print job through the Horizon Client. Print drivers are probably needed on the Agent machine.
  10. Horizon 7.8 and newer supports filtering of redirected client printers.

VMware Integrated Printing also supports Location Based Printing.

  1. In the Horizon 7.7 or newer Extras Bundle (GPO templates), find the file named LBP.xml.
  2. Edit the file. This is an XML document that can contain multiple <Policy> nodes. The file is commented.
  3. When done editing the LBP.xml file, copy it to C:\ProgramData\VMware on each Horizon Agent machine. It’s probably easiest to use Group Policy Preferences (or computer startup script) to download this file when the Horizon Agent machines boots.

Dynamic Environment Manager (DEM) Group Policy

Most of the Dynamic Environment Manager GPO settings are user settings, not computer settings. DEM 2006 (aka 10.0) and newer support ADMX files for computers.

Note: UEM 9.1 can also work without Active Directory (Group Policy); see VMware 2148324 Configuring advanced UEM settings in NoAD mode for details.

From VMware Tech Zone Quick-Start Tutorial for VMware Dynamic Environment Manager and Chris Halstead VMware User Environment Manager (UEM) – Part 1 – Overview / Installation.

  1. Make sure Prevent access to registry editing tools is not enabled in any GPO. This setting prevents the FlexEngine from operating properly.
  2. Dynamic Environment Manager requires one computer setting. Edit the Horizon Agent Computer Settings GPO.

    1. Go to Computer Configuration | Policies | Administrative Templates | System | Logon.
    2. Double-click Always wait for the network at computer startup and logon.
    3. Enable the setting, and click OK.
    4. Close the group policy editor.
  3. If you use DEM 9.10 or newer to roam File Type Associations, then enable the GPO setting Do not show the ‘new application installed’ notification at Computer Configuration > Policies > Administrative Templates > Windows Components > File Explorer.
  4. The remaining settings are user settings. Edit the Horizon Agent All Users GPO. This GPO should apply to the Horizon Agents, and Loopback processing should already be enabled on those machines.
  5. Go to User Configuration | Policies | Administrative Templates | VMware DEM | FlexEngine.
  6. If you are running Dynamic Environment Manager on top of mandatory profiles, then double-click Certificate support for mandatory profiles.

    1. Enable the setting, and click OK.
  7. Double-click Flex config files.

    1. Enable the setting.
    2. Enter \\server\demconfig\general. The general folder will be created by the Dynamic Environment Manager management console. Click OK.
  8. Double-click FlexEngine Logging.

    1. Enable the setting.
    2. Enter \\server\demprofiles\%username%\logs. Dynamic Environment Manager will create these folders. Click OK.
  9. UEM 9.0 and newer have a setting named Paths unavailable at logon. By default, users are blocked from logging in if the DEM file share is not reachable.

  10. Double-click the setting Profile archive backups.

    1. Enable the setting.
    2. Type in \\server\demprofiles\%username%\backups.
    3. Enter the number of desired backups, check the box for daily backups, and click OK.
  11. In DEM 2111 and newer, you can store Profile Archives in OneDrive for Business by configuring the setting OneDrive for Business integration.
  12. To store Profile archives in a file share, double-click Profile archives.

    1. Enable the setting.
    2. Type in \\server\demprofiles\%username%\archives.
    3. Check the box next to Retain file modification dates. Source = Anyway to save ‘Date Modified’? at VMware Communities.
    4. Click OK.
  13. In DEM 2111 and newer, simply enable the setting Run FlexEngine at logon and logoff.
  14. For DEM prior to version 2111, configure the group policy extension and logoff script:
    1. Double-click the setting RunFlexEngine as Group Policy Extension.
    2. Enable the setting, and click OK.
    3. Go to User configuration | Policies | Windows Settings | Scripts (Logon/Logoff).
    4. Double-click Logoff.
    5. Click Add.
    6. In the Script Name field, enter C:\Program Files\Immidio\Flex Profiles\FlexEngine.exe.
    7. In the Script Parameters field, enter -s.
    8. Click OK.
  15. If you are using the Privilege Elevation feature, consider enabling Privilege elevation logging to the Windows event log.

  16. Same for Application blocking logging to the Windows event log.
  17. You can download and install a separate ADMX file containing DEM Advanced Settings.
    1. You can use group policy to Disable DEM agent features on certain OUs. For example, you might not want Personalization on some pools.
    2. In DEM 2111 and newer, the setting Override existing user policy settings lets the DEM ADMX Settings override values set by other GPOs.
  18. If DEM 2006 or newer, you can optionally enable DEM Computer ADMX settings.
    1. In the DEM Config share, make sure Domain Computers has Read permission to the folders.
    2. Edit a GPO that applies computer settings to the Horizon Agent machines (e.g. Horizon Agent Computer Settings).
    3. Go to Computer Configuration | Preferences | Windows Settings | Registry.
    4. Add a New Registry Item.

      1. Key Path = SOFTWARE\VMware, Inc.\VMware UEM\Agent\Computer Configuration
      2. Value name = Enabled
      3. Value type = REG_DWORD
      4. Value data = 1. Click OK.
    5. Create another registry item.

      1. Key Path = SOFTWARE\VMware, Inc.\VMware UEM\Agent\Computer Configuration
      2. Value name = ConfigFilePath
      3. Value type = REG_SZ
      4. Value data = the path to your DEM Config share, including the general folder. Click OK.
      5. For more registry values, see VMware Docs FlexEngine Configuration for Computer Environment Settings.

Now that DEM is enabled, you can configure Dynamic Environment Manager by using a separate console application. See the instructions at https://www.carlstalhood.com/vmware-user-environment-manager/.
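A check script for the DEM settings above, to run on a Horizon Agent machine inside a test user's session after the GPOs have applied. This is an added example and not from the original article. The HKLM computer-configuration key and values are the ones given in step 18. The Microsoft policy value names (DisableRegistryTools, SyncForegroundPolicy, NoNewAppAlert) are the registry values behind the three Windows settings named in steps 1 to 3. The HKCU Immidio\Flex Profiles\Arguments value names are assumed to be what the DEM FlexEngine ADMX writes for steps 7 to 12; if the check reports them missing, compare against your own GPO before assuming the policy did not apply.

```powershell
# Added example, not from the original article. Run as a test user on a Horizon Agent machine.

function Test-DemAgentConfig {
    [CmdletBinding()]
    param()
    $findings = New-Object System.Collections.Generic.List[string]

    function Get-RegValue([string]$Path, [string]$Name) {
        (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    }
    function Get-ShareRoot([string]$ExpandedPath) {
        # \\server\share for a UNC path, otherwise the parent folder
        $m = [regex]::Match($ExpandedPath, '^\\\\[^\\]+\\[^\\]+')
        if ($m.Success) { $m.Value } else { Split-Path -Parent $ExpandedPath }
    }

    # Step 1: "Prevent access to registry editing tools" must not be enabled
    if ((Get-RegValue 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System' 'DisableRegistryTools') -ge 1) {
        $findings.Add('DisableRegistryTools is set; FlexEngine will not operate properly')
    }
    # Step 2: "Always wait for the network at computer startup and logon" = Enabled
    if ((Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon' 'SyncForegroundPolicy') -ne 1) {
        $findings.Add('SyncForegroundPolicy is not 1; "Always wait for the network" is not applied')
    }
    # Step 3: only needed when roaming File Type Associations
    if ((Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer' 'NoNewAppAlert') -ne 1) {
        $findings.Add('NoNewAppAlert is not 1 (required only if you roam File Type Associations)')
    }

    # Steps 7-12: FlexEngine user policy paths. ASSUMPTION: these value names are what the
    # DEM ADMX writes for Flex config files, Profile archives, Profile archive backups, and Logging
    $flex = 'HKCU:\Software\Policies\Immidio\Flex Profiles\Arguments'
    foreach ($v in 'ConfigFilePath', 'ProfileArchivePath', 'ProfileArchiveBackupPath', 'LogFileName') {
        $val = Get-RegValue $flex $v
        if (-not $val) { $findings.Add("$v is not set under $flex"); continue }
        # %username% expands in the user's session; per-user folders are created by DEM on
        # first use, so test the share root rather than the user's own folder
        $expanded = [Environment]::ExpandEnvironmentVariables($val)
        $root = if ($v -eq 'ConfigFilePath') { $expanded } else { Get-ShareRoot $expanded }
        if (-not (Test-Path -LiteralPath $root)) {
            $findings.Add("$v -> '$root' is not reachable; with the default Paths unavailable at logon setting, users are blocked")
        }
    }

    # Step 18: computer-side settings from the page (HKLM, applied via the Registry preference items)
    $comp = 'HKLM:\SOFTWARE\VMware, Inc.\VMware UEM\Agent\Computer Configuration'
    if ((Get-RegValue $comp 'Enabled') -eq 1) {
        $cfg = Get-RegValue $comp 'ConfigFilePath'
        if (-not $cfg -or -not (Test-Path -LiteralPath $cfg)) {
            $findings.Add("Computer ConfigFilePath '$cfg' is missing or unreachable")
        } elseif (-not ((Get-Acl -LiteralPath $cfg).Access | Where-Object { $_.IdentityReference.Value -like '*\Domain Computers' })) {
            # Test-Path ran as the user; the computer account needs Read through Domain Computers
            $findings.Add("No Domain Computers entry on '$cfg'; the computer account cannot read DEM computer settings")
        }
    }

    if ($findings.Count -eq 0) { 'All DEM agent checks passed' } else { $findings }
}

Test-DemAgentConfig
```

Run it once from an elevated prompt for the HKLM checks and once as an ordinary test user for the HKCU paths; a path that resolves for an administrator but not for a user is the common cause of "blocked at logon" tickets.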

DEM Changelog

From YouTube video User Environment Manager 9.6 What’s New Overview:

  1. On the left, click the node named Management Console under VMware DEM
  2. On the right, UEM 9.6 adds two new settings for Changelog.
  3. Log changes to disk stores the log in the DEM share at \\server\DEMConfig\Changelog\general. Note that DEM administrators have Full Control on the DEMConfig share, so the on-disk changelog is not tamper-evident: the same people whose changes it records can edit or delete it.
  4. Log changes to the Windows event log stores the log in the Application Log in Event Viewer of the local console machine and not in any central server, so forward it from the console machine if you need a record that is kept elsewhere.
  5. You can also enable the Changelog in the DEM Management Console by clicking the ribbon button named Configure.
  6. Switch to the tab named Configuration Changelog to enable the two settings.
  7. Each configuration item in DEM Management Console shows a tab named Changelog after changes are recorded.

Persona Configuration

This section does not apply to Remote Desktop Session Hosts, Instant Clones, or newer versions of Windows 10. It also does not apply to Horizon 2006 (8.0) and newer.

If you are using Dynamic Environment Manager then skip this section.

  1. Verify that ICMP is enabled between the Horizon Agent and the domain controller, and between the Horizon Agent and the Persona Management Repository.
  2. Install the Horizon GPO ADMX files if you haven’t already.
  3. Edit one of the Horizon Agent Persona GPOs that applies to the virtual desktops (not Remote Desktop Session Hosts).
  4. Configure the following GPO settings:
    • Administrative Templates | System | User Profiles
      • Add the Administrators security group to roaming user profiles = enabled
      • Do not check for user ownership of Roaming Profile Folders = enabled
  5. Go to Computer Configuration | Policies | Administrative Templates | VMware View Agent Configuration | Persona Management | Roaming & Synchronization.
  6. On the right, double-click Manage user persona.
  7. Enable the setting. It defaults to 10 minutes. Click OK.
  8. Double-click Persona repository location, and enable the setting.
  9. Enter the path to the file share created for Persona. Append %username%.
  10. Check the box next to Override Active Directory user profile path. Click OK.
  11. Double-click Roam local settings folders, and enable it. Click OK.
  12. Double-click Files and folders excluded from roaming, and enable it. Then click Show.
  13. Enter the values shown below, and then click OK twice.
    $Recycle.Bin
    Tracing
    AppData\LocalLow
    AppData\Local\GroupPolicy
    AppData\Local\Packages
    AppData\Local\Microsoft\Office\15.0\Lync\Tracing
    AppData\Local\Microsoft\Windows\Temporary Internet Files
    AppData\Local\Microsoft\Windows\Burn
    AppData\Local\Microsoft\Windows\CD Burning
    AppData\Local\Microsoft\Windows Live
    AppData\Local\Microsoft\Windows Live Contacts
    AppData\Local\Microsoft\Terminal Server Client
    AppData\Local\Microsoft\Messenger
    AppData\Local\Microsoft\OneNote
    AppData\Local\Microsoft\Outlook
    AppData\Local\Windows Live
    AppData\Local\Temp
    AppData\Local\Sun
    AppData\Local\Google\Chrome\User Data\Default\Cache
    AppData\Local\Google\Chrome\User Data\Default\Cached Theme Images
    AppData\Local\Google\Chrome\User Data\Default\JumpListIcons
    AppData\Local\Google\Chrome\User Data\Default\JumpListIconsOld
    AppData\Roaming\Sun\Java\Deployment\cache
    AppData\Roaming\Sun\Java\Deployment\log
    AppData\Roaming\Sun\Java\Deployment\tmp
  14. Double-click Files and folders excluded from roaming (exceptions), and enable it. Then click Show.
  15. Enter the exceptions shown below and click OK twice.
    AppData\LocalLow\Sun\Java\Deployment\security\exception.sites
    AppData\LocalLow\Sun\Java\Deployment\security\trusted.certs
    AppData\LocalLow\Sun\Java\Deployment\deployment.properties
  16. Configure %AppData%\Thinstall as a folder to background download. If you are using Thinapps, this will speed up the launch time of Thinapps.

RDS Roaming Profiles

This section applies to Remote Desktop Session Hosts, not virtual desktops.

If you are using Dynamic Environment Manager or FSLogix, then skip this section.

  1. Edit the Horizon Agent RDS Farm1 Profiles GPO.
  2. Configure the following GPO settings.
    • Administrative Templates | System | User Profiles
      • Add the Administrators security group to roaming user profiles = enabled
      • Delete cached copies of roaming profiles = enabled
      • Do not check for user ownership of Roaming Profile Folders = enabled
  3. Go to Computer Configuration | Policies | Administrative Templates | Windows Components | Remote Desktop Services | Remote Desktop Session Host | Profiles.
  4. On the right, open the setting Set path for Remote Desktop Services Roaming User Profile.
  5. Enable the setting and enter the path to the file share. Do not append %username%.
  6. If you haven’t already done this in a parent OU, also configure the Remote Desktop Services settings as detailed at https://www.carlstalhood.com/group-policy-objects-vda-computer-settings/#computer.
  7. If you wish to enable the Aero style for Remote Desktop Session Host sessions, go to User Configuration | Policies | Administrative Templates | Control Panel | Personalization.
  8. Open the setting Force a specific visual style file.
  9. Enable the setting and enter the following path:
    %windir%\resources\Themes\Aero\aero.msstyles

  10. VMware recommends enabling RunOnce as detailed at https://www.carlstalhood.com/group-policy-objects-vda-user-settings/#runonce.

Horizon Agent Settings

  1. Install the Horizon GPO ADMX files if you haven’t already.
  2. Right-click the Horizon Agent Computer Settings GPO, and click Edit.
  3. On the left, expand Computer Configuration | Policies | Administrative Templates | VMware View Agent Configuration. Click Agent Configuration.
  4. Horizon 2306 and newer have a setting called Allow FIDO2 authenticator access. Combine it with FIDO2 allow list, which defaults to only allowing Chrome, Edge, and Firefox.

  5. RDSH idle timers are configured using Microsoft RDSH GPO settings and are not Horizon-specific. The Horizon 2106 and newer GPO templates have the RDS timers in the VMware View Agent Configuration node, or you can configure the RDS timers in the normal Microsoft Remote Desktop Session Host node. Both sets of GPO settings set the same registry values.
  6. Horizon 7.10 and newer have an Idle Time Until Disconnect (VDI) setting for virtual desktops. This setting does not apply to RDSH.
  7. In Horizon 7.10 or newer, you can use Group Policy to configure a Disconnect Session Time Limit for virtual desktops. This GPO setting overrides the pool setting Logoff after Disconnect.
  8. If Horizon 7.8 or newer, on the right, double-click DPI Synchronization Per Connection.
  9. This setting is disabled by default. You can optionally enable it so DPI is reconfigured on reconnect instead of only on initial logon.
  10. Horizon 2106 and newer have a Screen-capture blocking setting. This setting is available in both the computer half and the user half of the GPO. User half overrides computer half.

    • Screen-capture blocking requires Horizon Agent 2106 and Horizon Client 2106 (8.3). To prevent older Horizon Clients from connecting, in Horizon Console, go to Settings > Global Settings. On the right is a tab named Client Restriction Settings. Click Edit. Check the boxes for the various client operating systems and enter 8.3.0 (2106) as the required minimum version.

  11. Horizon 2303 and newer have a setting called Screen-capture For Media Offloaded Solution. This setting adds a Print Screen button to the Horizon Client toolbar. When pressed, the screenshot is saved to the Pictures folder on the remote desktop. The advantage of this feature is that it captures Teams redirection, Multimedia Redirection, multiple monitors, and Watermark.

  12. Horizon 2111 and newer have a setting for Key Logger Blocking. This setting is available in both the computer half and the user half of the GPO. User half overrides computer half. Use Client Restriction Settings to prevent Horizon Clients older than 2111 from connecting.

PCoIP Configuration

Steve Dunne:

Here are some general PCoIP optimization settings:

  1. Install the Horizon GPO ADMX files if you haven’t already.
  2. Right-click the Horizon Agent Computer Settings GPO, and click Edit.
  3. On the left, expand Computer Configuration | Policies | Administrative Templates | PCoIP Session Variables. Click Overridable Administrator Defaults.
  4. On the right, double-click Configure clipboard redirection.

    • Enable the setting, and select Enabled in both directions. Click OK. Agent-to-client clipboard is a data-leakage path out of the desktop; where that matters, restrict the direction to client-to-agent only, or enable the clipboard audit setting described next so that copies out of the agent are logged.
  5. Horizon 7.6 and newer have a setting for Configure clipboard audit that audits to the Agent’s Event Viewer any clipboard copy/paste from agent to client.

  6. Horizon 7.7 and newer have a setting named Configure drag and drop direction.

  7. Horizon 7.9 and newer have settings for Configure drag and drop format (drag and drop direction for each format) and Configure drag and drop size threshold.

  8. Horizon 7.0.2 and newer have the ability to filter specific clipboard formats.
  9. Double-click Configure the PCoIP session audio bandwidth limit. For WAN connection users, VMware recommends setting this to 100 to 150 Kbps. Or you can start with 300 Kbps and reduce as needed.

Real-Time Audio-Video

VMware validated Horizon 7.9’s Real-Time Audio-Video feature with Microsoft Teams. Here are sizing recommendations:

  • Minimum setting of 4vCPU 4GB RAM as a published desktop configuration
  • RTAV video resolution configured with 640 x 480p

Real-Time Audio-Video (RTAV) is one of the options that can be selected when installing Horizon Agent. To ensure that audio is captured by RTAV instead of by USB redirection, exclude audio from USB redirection as described in the next section.

To configure RTAV video resolution, do the following:

  1. Install the Horizon GPO ADMX files if you haven’t already.
  2. Right-click the Horizon Agent Computer Settings GPO, and click Edit.
  3. Expand Computer Configuration | Policies | Administrative Templates | VMware View Agent Configuration, expand View RTAV Configuration and click View RTAV Webcam Settings.
  4. On the right, double-click Resolution – Default image resolution height in pixels
  5. Enable the setting and set it to 480 pixels. Click OK.
  6. On the right, double-click Resolution – Default image resolution width in pixels.
  7. Enable the setting and enter 640. Click OK.
  8. There are two more GPO settings for Max height and width. If these are not configured then there is no maximum.

USB Redirection Settings

VMware TechPaper USB Device Redirection, Configuration, and Usage in View Virtual Desktops details the following:

  • PCoIP zero clients use a PCoIP virtual channel for USB. No extra network ports needed.
  • All other PCoIP clients, including Windows, Mac, etc., use TCP 32111 between the Horizon Client and the Horizon Agent.
  • If Secure Tunnel is enabled, the USB traffic is sent to the Horizon Security Server on TCP 443. It is then forwarded to the Horizon Agent on 32111.
  • USB performance across the WAN can be slow.
  • Webcams are only supported using RTAV (Real-Time Audio-Video).
  • USB3 uses too much bandwidth for most WANs. USB3 is supported in Horizon Agent 6.0.1 and Horizon Client 3.1.
  • Linux clients do not let you choose USB devices. Instead, all USB devices are redirected.
  • USB device redirection can be filtered. Multi-interface USB devices can be split. See the TechPaper for details.
  • In Horizon 6.1 and Horizon Client 3.3, USB storage devices can be redirected to Remote Desktop Session Host.
  • Client Downloadable only GPO settings are downloaded to the Horizon Client when the Horizon Client first connects to the Horizon Agent.
  • USB GPO Settings on the Horizon Agent can either override or merge the Horizon Client USB GPO settings. Merge means that if Horizon Client settings exist then the Horizon Agent settings are ignored.
  • The Exclude All Devices setting is overridden by other Include settings.
  • USB Redirection logs are located at %PROGRAMDATA%\VMware\VDM\logs\debug-*.txt. Look for <vmware-view-usbd>
  • How to configure USB Redirection rules on Windows, Mac, and Linux.

If you intend to use the Real-Time Audio-Video feature, then disable USB redirection of audio and video so it is instead accessed through the optimized virtual channel. RTAV and USB Redirection do not apply to Remote Desktop Session Host.

You can also use this procedure to block USB storage devices from being mapped.

  1. Install the Horizon GPO ADMX files if you haven’t already.
  2. Right-click the Horizon Agent Computer Settings GPO, and click Edit.
  3. Expand Policies | Administrative Templates | VMware View Agent Configuration, and click View USB Configuration.
  4. On the right, double-click Exclude Device Family.
  5. Change the selection to Enabled.
  6. Enter o:audio-in;o:video.
  7. If you want to block USB storage devices, add o:storage to the list. Click OK.

Blast Settings

The full Horizon Client 4.0 and newer can use UDP when connecting to Horizon 7 Agents using Blast.

  • VMware Tech Zone VMware Blast Extreme Optimization Guide
  • VMware Blog Post Deep Dive into VMware Horizon Blast Extreme Adaptive Transport – Blast Extreme Adaptive Transport is enabled by default in VMware Horizon View 7.1 and Horizon Client 4.4. If the clients are connecting from outside the demilitarized zone (DMZ), you would also need to have VMware Unified Access Gateway (not Security Server) to take full advantage of the new transport. The adaptive transport will automatically sense the network for UDP availability and will fallback to legacy Blast TCP if UDP is not available.

Blast by default only allows clipboard redirection from client-to-server. This can be changed in group policy.

If you want file transfer in HTML5 Blast, then you must configure clipboard from server-to-client (or both directions).

  1. Install the Horizon GPO ADMX files if you haven’t already.
  2. Right-click the Horizon Agent Computer Settings GPO and click Edit.
  3. In Horizon 2012 (8.1) and newer, expand Computer Configuration | Policies | Administrative Templates | VMware View Agent Configuration and click Clipboard Redirection.
    1. In versions earlier than Horizon 2012 (8.1), expand Policies | Administrative Templates, and click VMware Blast.
  4. On the right, double-click Configure clipboard redirection.

    • Enable the setting, and then make your choice. Click OK.
  5. Horizon 7.6 and newer have a setting for Configure clipboard audit that audits to the Agent’s Event Viewer any clipboard copy/paste from agent to client.

  6. Horizon 7.7 and newer have a setting to Configure drag and drop direction. In Horizon 2012 (8.1) and newer it’s under the separate VMware View Agent Configuration | Drag and Drop node instead of VMware Blast.

  7. Horizon 7.9 and newer have settings for Configure drag and drop format (drag and drop direction for each format) and Configure drag and drop size threshold. In Horizon 2012 (8.1) and newer it’s under the separate VMware View Agent Configuration | Drag and Drop node instead of VMware Blast.


  8. In the VMware Blast node, Horizon 2212 and newer have a setting called Blast Optimizer that adjusts multiple settings for better user experience or better performance.

  9. Horizon 2312 and newer support Build to Lossless.
  10. Horizon 2303 and newer have a setting called Cursor Warping that moves the client mouse when sudden cursor movements are detected in the remote Agent.

  11. Horizon 7.6 and newer have settings to add DSCP markings to the Blast protocol. See VMware Blast Policy Settings at VMware Docs.
  12. On the right, double-click UDP Protocol.
  13. You can optionally enable UDP protocol. Click OK.
  14. Horizon 7.4 introduced the H.264 High Color Accuracy setting.

  15. Horizon 7.0.2 and newer have a setting for H.264 Quality Levels.

  16. If you enabled UDP protocol, then on your master image, reboot the machine so it reads the GPO settings. Look in the file C:\ProgramData\VMware\VMware Blast\Blast-Service.log to make sure UDP is enabled. If not, reboot the machine again. After it’s enabled, snapshot the master machine and push it to your Pools.

Watermark

Horizon 2006 (8.0) and newer has a Watermark feature. It works for both apps and desktops.

For limitations of this feature, see Configuring a Digital Watermark at VMware Docs.

  1. Make sure the Horizon 2006 or newer GPO Templates are installed.
  2. Edit the Horizon Agent All Users Settings GPO. This is a User GPO setting so make sure GPO Loopback Processing is enabled in the Computer Settings GPO.
  3. Go to User Configuration | Policies | Administrative Templates | VMware View Agent Configuration | Watermark.
  4. Edit the setting Watermark Configuration.
  5. See the Help text for explanation of the setting.

Teams Optimization

Horizon Agent 2006 (or newer) and Horizon Client 2006 (or newer) can offload Microsoft Teams media (audio/video) to the client device. Horizon 7.13 with Horizon Client 5.5 can also offload Microsoft Teams media (audio/video) to the client device.

Newer versions of Horizon support more Teams features:

  • Horizon 2312 (8.12) and newer support blur backgrounds, select effects, or select an available background image.
  • Horizon 2306 (8.10) and newer support simulcast, which allows multiple streams at multiple resolutions.
  • Horizon 2303 (8.9) and newer support individual application sharing in VDI and RDSH desktop sessions.
  • Horizon 2203 (8.5) and newer support Give and take control of screen sharing.
  • Horizon 2106 (8.3) and newer can offload to Linux and Mac clients in addition to Windows clients.
  • E911 and Location-Based Routing require the Mac client (2111 and later) or the Windows client (5.5.4 and later, or 2111 and later). Not supported on the Linux client.

In Horizon 2212 and newer, Teams Optimization is enabled by default. In older Horizon, it is disabled by default. For requirements and limitations, see Configuring Media Optimization for Microsoft Teams at VMware Docs.

  1. Make sure the Horizon 7.13 or Horizon 2006 or newer GPO Templates are installed.
  2. Edit the Horizon Agent Computer Settings GPO.
  3. Go to Computer Configuration | Policies | Administrative Templates | VMware View Agent Configuration | VMware HTML5 Features | VMware WebRTC Redirection Features.
  4. Edit the setting Enable Media Optimization for Microsoft Teams.
  5. Set it to Enabled.

Browser Redirection

VMware Browser Redirection redirects the contents of the browser to be rendered by the client machine instead of the Horizon Agent machine. VMware Browser Redirection in Horizon 2106 and newer supports both Chrome and Edge. HTML5 Multimedia Redirection is the older feature. See VMware Docs.

  1. Edit a GPO that applies to the Horizon Agents.
  2. Expand Computer Configuration, expand Administrative Templates, expand VMware View Agent Configuration, and click VMware HTML5 Features.
  3. On the right, enable the setting Enable VMware HTML5 Features. This setting is only available in Horizon 7.10 and newer.

  4. In Horizon 7.10 and newer:
    1. On the left, under VMware HTML5 Features, click VMware Browser Redirection.
    2. On the right, enable the setting Enable VMware Browser Redirection.
    3. Also enable the setting Enable Browser Redirection feature for Microsoft Edge (Chromium) Browser. This setting requires Horizon 2106 (8.3) or newer.
    4. On the right, configure the setting Enable URL list for VMware Browser Redirection.
    5. Enable the setting and click Show.
    6. Add a list of URLs that you want the client to render. Use wildcards in the path.
  5. The older feature is VMware HTML5 Multimedia Redirection, which you can optionally enable. See Configuring HTML5 Multimedia Redirection at VMware Docs.

  6. Install the Edge GPO Templates if you haven’t already.
  7. In either the computer half or user half of a group policy, expand Policies, expand Administrative Templates, expand Microsoft Edge, and click Extensions.
  8. On the right, double-click the setting Control which extensions are installed silently.

    1. Enable the setting and click Show.
    2. For VMware Horizon Browser Redirection in Horizon 7.10 and newer, enter the following:
      demgbalbngngkkgjcofhdiiipjblblob;https://clients2.google.com/service/update2/crx

    3. For the older HTML5 Multimedia Redirection in Horizon 7.3 and newer, enter the following. You can do either extension, but not both. If you enable both extensions, then they will conflict with each other.
      ljmaegmnepbgjekghdfkgegbckolmcok;https://clients2.google.com/service/update2/crx

    4. When you log into a Horizon Agent session, the extension should automatically be added to Edge.
  9. Install the Chrome GPO Templates if you haven’t already.
  10. In either the computer half or user half of a group policy, expand Policies, expand Administrative Templates, expand Google, expand Google Chrome, and click Extensions.
  11. On the right, double-click the setting Configure the list of force-installed apps and extensions.

    1. Enable the setting and click Show.
    2. For VMware Horizon Browser Redirection in Horizon 7.10 and newer, enter the following:
      demgbalbngngkkgjcofhdiiipjblblob;https://clients2.google.com/service/update2/crx

    3. For the older HTML5 Multimedia Redirection in Horizon 7.3 and newer, enter the following. You can do either extension, but not both. If you enable both extensions, then they will conflict with each other.
      ljmaegmnepbgjekghdfkgegbckolmcok;https://clients2.google.com/service/update2/crx

    4. When you log into a Horizon Agent session, the extension should automatically be added to Chrome.
  12. When you navigate to a URL on the configured URL List, if the redirection feature is working, then the Chrome extension will show REDR.

  13. And you’ll see HTML5VideoPlayer.exe on the client side.
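The Edge and Chrome force-install steps above populate the same kind of policy list, and the text warns that the two Horizon extensions must never both be configured. The following PowerShell is an added example, not code from the original article or from VMware: it writes that list through the registry keys behind those two GPO settings and audits both browsers for the conflict. It assumes the standard Chromium ExtensionInstallForcelist policy paths under HKLM\SOFTWARE\Policies; the extension IDs and update URL are the ones quoted above.

```powershell
# Added example (not from the original article or from VMware). Writes the
# registry values that the "Control which extensions are installed silently"
# (Edge) and "Configure the list of force-installed apps and extensions"
# (Chrome) GPO settings populate, and audits for the conflict described above:
# the Browser Redirection and HTML5 Multimedia Redirection extensions must not
# both be force-installed. Assumption: the standard ExtensionInstallForcelist
# policy paths. A domain GPO, if present, overwrites these values at the next
# refresh, so on a domain-joined machine use only the audit functions.

$UpdateUrl            = 'https://clients2.google.com/service/update2/crx'
$BrowserRedirectionId = 'demgbalbngngkkgjcofhdiiipjblblob'   # Horizon 7.10+ Browser Redirection
$Html5MmrId           = 'ljmaegmnepbgjekghdfkgegbckolmcok'   # Horizon 7.3+ HTML5 Multimedia Redirection

$ForceListKeys = @{
    Edge   = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallForcelist'
    Chrome = 'HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist'
}

function Get-ForceInstallEntries {
    # Returns the "id;updateurl" strings stored as numbered values ("1", "2", ...)
    param([Parameter(Mandatory)][string]$KeyPath)
    if (-not (Test-Path -Path $KeyPath)) { return @() }
    (Get-ItemProperty -Path $KeyPath).PSObject.Properties |
        Where-Object { $_.Name -match '^\d+$' } |
        Sort-Object { [int]$_.Name } |
        ForEach-Object { [string]$_.Value }
}

function Get-ExtensionIds {
    # The extension ID is the part before the first semicolon
    param([string[]]$Entries)
    foreach ($e in $Entries) { ($e -split ';', 2)[0].Trim() }
}

function Test-HorizonExtensionConflict {
    # True when both Horizon redirection extensions sit in the same force-install list
    param([string[]]$Entries)
    $ids = @(Get-ExtensionIds -Entries $Entries)
    return (($ids -contains $BrowserRedirectionId) -and ($ids -contains $Html5MmrId))
}

function Set-HorizonRedirectionExtension {
    param(
        [Parameter(Mandatory)][ValidateSet('Edge', 'Chrome')][string]$Browser,
        [Parameter(Mandatory)][ValidateSet('BrowserRedirection', 'Html5Mmr')][string]$Feature
    )
    $keyPath  = $ForceListKeys[$Browser]
    $wantedId = if ($Feature -eq 'BrowserRedirection') { $BrowserRedirectionId } else { $Html5MmrId }
    $otherId  = if ($Feature -eq 'BrowserRedirection') { $Html5MmrId } else { $BrowserRedirectionId }

    # Keep unrelated force-installed extensions, drop the conflicting Horizon one
    $entries = @(Get-ForceInstallEntries -KeyPath $keyPath |
        Where-Object { (Get-ExtensionIds -Entries $_) -ne $otherId })
    if ((Get-ExtensionIds -Entries $entries) -notcontains $wantedId) {
        $entries += "$wantedId;$UpdateUrl"
    }

    if (-not (Test-Path -Path $keyPath)) { New-Item -Path $keyPath -Force | Out-Null }
    # The browser reads the list by position, so renumber from 1 with no gaps
    (Get-ItemProperty -Path $keyPath).PSObject.Properties |
        Where-Object { $_.Name -match '^\d+$' } |
        ForEach-Object { Remove-ItemProperty -Path $keyPath -Name $_.Name }
    for ($i = 0; $i -lt $entries.Count; $i++) {
        New-ItemProperty -Path $keyPath -Name ($i + 1) -Value $entries[$i] `
            -PropertyType String -Force | Out-Null
    }
    return $entries
}

function Get-HorizonExtensionReport {
    # Audit both browsers; run after a GPO refresh to catch a policy that set both extensions
    foreach ($browser in $ForceListKeys.Keys) {
        $entries = @(Get-ForceInstallEntries -KeyPath $ForceListKeys[$browser])
        [pscustomobject]@{
            Browser  = $browser
            Entries  = $entries
            Conflict = Test-HorizonExtensionConflict -Entries $entries
        }
    }
}

# Usage (an elevated prompt is required to write under HKLM):
# Set-HorizonRedirectionExtension -Browser Edge -Feature BrowserRedirection
# Get-HorizonExtensionReport | Format-Table Browser, Conflict, Entries
```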

UNC Path Redirection

Horizon 2209 and newer can redirect network links inside Outlook from agent-to-client or from client-to-agent.

  1. Install the Horizon 2209 or newer GPO ADMX files if you haven’t already.
  2. In the computer half of a GPO, find the settings under Computer Configuration | Policies | Administrative Templates and click VMware Horizon UNC Path Redirection.
  3. First enable the feature by setting Enable UNC Path Redirection.
  4. Then configure UNC Path Redirection Filter Rule. For agent-to-client, add paths in the Client Rules box. The other boxes are for client-to-agent. Regular Expressions are supported as detailed at VMware Docs.
  5. When installing Horizon Agent 2209 or higher, add /v ENABLE_UNC_REDIRECTION=1 to the command line.
  6. When installing Horizon Client 2209 or higher, add /v ENABLE_UNC_REDIRECTION=1 to the command line.

URL Content Redirection

URL Content Redirection allows web browser URLs to be redirected from Agent-to-Client or from Client-to-Agent. This feature requires:

  • URL Redirection component installed from command line on Horizon Agent.
  • URL Redirection component installed from command line on Horizon Client.
  • If Horizon Client is installed on a Horizon Agent machine, you can install URL Redirection for one or the other, but not both.
  • Internet Explorer 9 or later only
  • GPO Settings

URL Redirection GPO settings apply to both Horizon Agents and Horizon Clients depending on the source of the redirection. For Agent-to-Client redirection, edit a GPO that applies to the Horizon Agents. For Client-to-Agent redirection, edit a GPO that applies to the Horizon Clients.

  1. Install the Horizon GPO ADMX files if you haven’t already.
  2. Expand Computer Configuration | Policies | Administrative Templates and click VMware Horizon URL Redirection.
  3. On the right, double-click IE policy: Automatically activate newly installed plugins, and enable it. If you don’t configure this, then users are required to activate the IE add-on manually.
  4. On the right, double-click Url Redirection Enabled and enable the setting. The setting description says it’s enabled by default, but actually it’s not.
  5. On the right, double-click Url Redirection Protocol ‘http’.
  6. For Agent-to-Client, configure clientRules and agentRules. clientRules are redirected from Agent-to-Client. However, agentRules override clientRules. This lets you redirect every URL to client but keep some URLs on the agent. Separate multiple rules with a semicolon.
  7. For Client-to-Agent, configure agentRules. Anything that matches will be redirected to the remoteItem (name of published icon) accessible through brokerHostname.
  8. In the User half of a GPO that applies to Horizon Agents with Loopback Processing enabled, Horizon 7.4 added a new policy setting to automatically install the URL Content Redirection extension in Chrome. This setting should be applied to both the Horizon Agents, and the Horizon Clients.

Collaboration Settings

Horizon 7.4 and newer have a Collaboration feature, which has some group policy settings.

  1. Install the Horizon GPO ADMX files if you haven’t already.
  2. Right-click the Horizon Agent Computer Settings GPO and click Edit.
  3. Expand Computer Configuration | Policies | Administrative Templates, expand VMware View Agent Configuration, and click Collaboration.

  4. On the right, you can configure settings like the Maximum number of invited collaborators. The limit is 10.

User Lockdown Settings

Edit the Horizon Agent Non-Admin Users GPO, and configure the settings detailed at https://www.carlstalhood.com/group-policy-objects-vda-user-settings/#lockdown.

User Application Settings

Edit the Horizon All Users GPO and configure settings for applications (Internet Explorer, Office, etc.) as detailed at https://www.carlstalhood.com/group-policy-objects-vda-user-settings/#ie and https://www.carlstalhood.com/group-policy-objects-vda-user-settings/#office2013.

Redirected Profile Folders

In addition to roaming profiles, configure Redirected Profile Folders as detailed at https://www.carlstalhood.com/citrix-profile-management/#redirected. Anything redirected will not be copied locally by Persona, RDS profiles, or VMware DEM.

VMware Flash Optimizer

  1. Horizon Agent installs something called the Flash Optimizer. When a user launches Internet Explorer, a prompt is displayed to Enable the add-on. To get rid of this message, do the following.
  2. We need the add-on CLSID. In Internet Explorer, click the gear icon and click Manage add-ons.

  3. Highlight the VMware Adobe Flash Optimizer and click More information on the bottom left.
  4. Click Copy.
  5. Paste the contents into Notepad. Then look for the Class ID line and copy it.
  6. Edit the Horizon Agent All Users GPO.
  7. Go to User Configuration | Policies | Administrative Templates | Windows Components | Internet Explorer | Security Features | Add-on Management.
  8. On the right, open Add-on List.
  9. Enable the setting, and click Show.
  10. In the Value name field, paste in the Class ID, including the curly braces.
  11. In the Value field, enter 1 to force the add-on to be enabled. Click OK twice.

Related Pages

VMware Horizon Clients 2312

Last Modified: Jan 25, 2024 @ 7:29 am

This article applies to all versions of Horizon Client for Windows, including versions 2312 and 5.5.6.

Horizon Client Versions

Starting August 2020, the client versioning changed to a YYMM format. Horizon Client 2312 is the latest release.

  • Horizon 8.x no longer supports Horizon Client 5.x and older.
  • Features, like ThinPrint, were removed from Horizon Client 2006 and newer, so don’t use the 2xxx (8.x) clients with Horizon 7.13 and older.
  • Microsoft Teams optimization features depend on Horizon Client version and Horizon Agent version. See VMware Knowledgebase Article 86475 MS Teams Optimization Feature Compatibility Matrix for Horizon 7 and Horizon 8 Recent Releases.
  • Windows 21H2 and Windows 11 are supported with Horizon Client 2111.
  • Horizon Client 2006 and newer no longer support Windows 7, Windows 8.1, or Windows 10 1809.

The Software Updates feature of Horizon Client 5.5 will not upgrade to Horizon Client 2006 or newer. Instead, you must manually download Horizon Client 2006 or newer and install it.

Horizon Client 5.5.3 and newer resolve security vulnerabilities.

Connection Server can be configured to prevent older clients from connecting. Find it in the Global Settings node in Horizon Console.

Windows 10 / Windows 11 Support

  • Windows 10 22H2 and Windows 11 22H2 are supported with Horizon Client 2209 (8.7) and newer.
  • Windows 10 21H2 and Windows 11 are supported with Horizon Client 2111 (8.4) and newer.
  • Windows 10 21H1 is supported with Horizon Client 2103 (8.2) and newer.
  • Windows 10 20H2 is supported with Horizon Client 2012 (8.1) and newer.
  • Windows 10 2004 is supported with Horizon Client 2006 (8.0) and newer.
  • Windows 10 1909 is supported with Horizon Client 5.3 and newer.
  • Windows 10 1803 is supported with Horizon Client 4.8 and newer.

Manual Installation of Horizon Client

The Horizon Clients can be downloaded from http://www.vmware.com/go/viewclients.

  1. Log on to the client machine as an administrator. Administrative rights are required for the Horizon Client installation. You can also push the client silently as described in the next section.
  2. Open a browser and enter the name of your Horizon Connection Server in the address bar (e.g. https://view.corp.local). Use https://.
  3. Click the Install VMware Horizon Client link. If the Horizon Clients are installed on the Connection Server, the client will download immediately. Or, you’ll be taken to vmware.com to download the client.
  4. If you are redirected to the Clients download page (https://customerconnect.vmware.com/en/downloads/info/slug/desktop_end_user_computing/vmware_horizon_clients/horizon_8), then find the VMware Horizon Client for Windows, and click Go to Downloads. Note: if you are running Horizon 7, then use the Change Version drop-down to select Horizon 7 (5.0) instead of Horizon 8.

  5. Then click Download Now.
  6. On the client machine, run the downloaded VMware-Horizon-Client-2312-8.12.exe.

    • If you want to use the URL Content Redirection feature in Horizon 7 and newer, run the installer with the following switch: /v URL_FILTERING_ENABLED=1.
    • If you want the UNC Path Redirection feature in 2209 (8.7) and newer, then you run the Client installer with the following switches: /v ENABLE_UNC_REDIRECTION=1. You can combine the two switches.
  7. Click Agree & Install. Or you can click Customize Installation. Horizon Client 2203 and newer has an option to Enable Keylogger Blocking, but only in Custom installation. Or Horizon Client 2309 and later let you enable Keylogger Blocking in the Settings interface.

    1. If you selected Customize Installation, you can enter a Default connection server, install Teams Optimization, etc.
    2. Horizon Client 2203 and newer has an option to Enable Keylogger Blocking.
    3. Click Agree & Install when done.
  8. In the Success page, click Finish.
  9. Click Restart Now when prompted to restart.
  10. Note: Horizon Client 2106 and newer have an updated user interface.

Verify URL Redirection

  1. To verify that URL Content Redirection is installed, verify the presence of the file C:\Program Files\VMware\VMware Horizon View Client\vmware-url-protocol-launch-helper.exe.
  2. There’s also an IE add-on.
  3. URL Content Redirection is configured using group policy.

Software Updates

  1. In the Horizon Client, click the hamburger icon on the top right, and click Software Updates. It will be green if there is an update available. Note: Horizon Client 5.5 will not offer an upgrade to Horizon Client 2006 or newer.
  2. There is an option to Show pop-up message when there is an update.
  3. The Horizon GPO Templates for Horizon Client have GPO settings to control the pop-up message. The settings are Update message pop-up and Allow user to skip Horizon Client update.

Install – Horizon Client Silent

Installing Horizon Client From the Command Line at VMware Docs has instructions on how to install the Horizon Client silently. Common methods for installing the client silently include: SCCM and Active Directory Group Policy Computer Startup Script.

Keylogger Blocking

Horizon Client 2309 and newer let you enable Keylogger Blocking if you did not select it during installation.

  1. In Horizon Client, before you open a server, click the Settings button.
  2. On the Security page, set Keylogger Blocking to On. Then restart the Horizon Client.

Launch Horizon Client

To launch a View Desktop or application manually:

  1. From the Start Menu run VMware Horizon Client.

    1. Horizon Client 4.7 and newer has a GPO setting to prevent the Client from being launched multiple times.
    2. Install the Horizon GPO templates if you haven’t already.
    3. Create or edit a GPO that is linked to an OU containing the Horizon Client machines. These are the end-user PCs, not the virtual desktops.
    4. The Block multiple Horizon Client instances per Windows session setting is at Computer Configuration | Policies | Administrative Templates | VMware Horizon Client Configuration.

  2. To change SSL certificate verification:
    • In Horizon Clients version 2106 and newer, click the Settings button on the top right. Switch to the SSL Configuration page. Then make a selection. This is also configurable using Group Policy as detailed at Certificate Validation below.


    • In Horizon Clients older than version 2106, open the Options (hamburger) menu, and click Configure SSL. This is also configurable using Group Policy as detailed at Certificate Validation below.

  3. If there is no server in the list, then use the New Server button on the top left or click Add Server on the top right.

  4. Enter the load balanced FQDN for the Connection Server and click Connect.

  5. You can click the Options menu to Hide the selector after launching an item.

  6. If you want to perform pass-through authentication, click the hamburger icon, and select Log in as current user. This option is only available if selected during installation, the client machine was rebooted, and is not prohibited using group policy. Also, the Connection Server must allow Log on as current user.

  7. Horizon 7.2 and newer have Recursive Unlock, which is enabled by default. See Using the Log In as Current User Feature Available with Windows-Based Horizon Client at VMware Docs.
  8. If you have apps published to an Unauthenticated User, click the hamburger icon, and select Unauthenticated access or Log in anonymously using Unauthenticated Access.

  9. Before connecting to the server, click Settings and then switch to the VMware Blast page. Or click the hamburger icon and then click Configure VMware Blast.

  10. In Horizon Client 4.8 and newer, network condition is determined automatically and no longer configurable in the client.
    1. If your Horizon Client is older than 4.8, then adjust the network condition and click OK. This affects TCP vs UDP for Blast connectivity. Excellent = TCP only. Typical = UDP if the ports are open. Poor = UDP plus packet duplication, which is best for 20% packet loss networks. More info in the Technical White Paper VMware Blast Extreme Display Protocol in Horizon 7.
  11. You can optionally enable Allow High Color Accuracy.

  12. In Horizon Client 2106 and Horizon Agent 2106 and newer, High Efficiency Video Decoding (HEVC) is enabled by default.
  13. Horizon Client 5.2 and newer have an option to Allow Blast connections to use operating system proxy settings, which is deselected by default. You can configure a client-side group policy to enable proxy. Or users can manually enable it.
  14. Double-click the server.

  15. If the certificate is not trusted, click Show Certificate, and then click Continue. To disable this prompt, see Certificate Validation below.

  16. Enter your username and password, and then click Login.

    • Horizon 7.8 and newer no longer send the domain list by default, but you can enable it in Horizon Console. Or, instruct users to log in using their userPrincipalNames.

  17. If you see too many domains in the Domain list:
    1. You can filter them by running the vdmadmin -N command. See Configuring Domain Filters Using the ‑N Option at VMware Docs.
    2. Horizon 7.1 and newer have an option to Hide domain list in client user interface. If you enable this in Global Settings, then users must enter UPN, or Domain\Username. This is the same place you can configure Horizon to send the Domain List to the client.

  18. If any of your published applications or desktops are configured with a Category Folder, click Yes when asked for shortcuts to appear in your Start Menu or desktop.


    • Horizon Client 5.1 and newer have an interesting command line switch -installShortcutsThenQuit that connects to a Connection Server, creates the shortcuts on Start Menu and Desktop, and then quits. Here is sample syntax:
      vmware-view.exe -serverURL serverurl -loginAsCurrentUser true -installShortcutsThenQuit
  19. If any of your published application icons have Pre-launch enabled, then a session will be started on one of the Horizon Agents that hosts the icon. All it does is create a session; the icon that Pre-launch was enabled on is not launched until the user double-clicks the icon. When the user launches any icon published from the Horizon Agent, it will launch quickly.

    • After the user closes the Horizon Client, the Pre-launch session remains disconnected for the duration specified in the RDS Farm.
  20. If you have a bunch of icons, click one of the icons and then start typing in the name of the icon and it will highlight.
  21. If the pool settings allow it, you can right-click an icon and then select a protocol. VMware Blast is the recommended protocol.


    1. When editing a pool, you can force users to use a particular protocol by setting Allow Users to Choose Protocol = No.
    2. In Horizon Console, at Monitor > Sessions, if you scroll to the right, you can see which Protocol the clients are using.
  22. You can synchronize num lock and cap lock status.
    1. Right-click a desktop icon and click Settings.

    2. The left side of the screen shows all published desktops. On the right, enable the option to Automatically synchronize the keypad, scroll, and cap lock keys.

    3. You can also automatically enable this setting by configuring a client-side group policy setting.
  23. Either double-click an icon, or right-click an icon, and click Launch.

  24. When connecting, you might be prompted to access your local files.

    • You can change your file sharing options by clicking the Settings button (or gear icon) and switching to the Data Sharing (or Sharing) page.

  25. If you are connected to a remote desktop, you can use the menu at the top of the screen, click the three dots, and then click Settings. An interesting option is Autoconnect to this Desktop. This setting is stored on the Horizon Connection Server in LDAP and there doesn’t appear to be any way to automate enabling it.


  26. In Horizon Client 4.4 and newer, administrators can enable a Desktop Pool Setting that allows users to Restart the remote desktop gracefully.

  27. Horizon can show the client’s battery status in the remote desktop. The user will have to click the up arrow in the system tray to see the battery icon. The battery icon is shown in both single-user Virtual Desktops and multi-user RDS Desktops.
  28. There are client-side group policy settings to define a hotkey combination for grabbing and releasing input focus.
  29. The Horizon Client also has a taskbar jump list showing recently launched applications and desktops.
  30. Some of the menu items in Horizon Client can be hidden by configuring Group Policy using the Horizon GPO Templates.

VMware Fling View Auto-Connection Utility: The View Auto-Connection Utility allows you to connect the VMware View Client automatically into a View desktop or an application pool when the system starts up.

Shortcuts and Favorites

In the Horizon Client, once you are connected to a server, you can right-click an icon and click Create Shortcut to Desktop or Add to Start Menu.

In the Horizon Client, each desktop/app icon has a star icon you can click, or right-click an icon and Mark as Favorite. Favorites are stored in the LDAP database on the Horizon Connection Server.


  1. On the top right of the Horizon Client, you can switch to the Favorite view so that only icons selected as Favorites are displayed.

  2. Or switch back to the All View by deselecting the Favorite button.

Support information

  1. In Horizon Client 2106 and newer, in the menu is About VMware Horizon Client.

    1. Or on the Question Mark menu is Support Information.
  2. Users can click this to find the client name, client operating system, Horizon Client version, the Horizon Connection Server name, and entitled desktops.

Certificate Validation

When you connect to a Horizon Connection Server, and if the certificate is not trusted or valid, then the user is prompted to accept the certificate. You can disable this prompt for any client machine that can be controlled using group policy.

  1. Copy the Horizon .admx files to PolicyDefinitions if you haven’t already.
  2. Create a GPO that is linked to an OU containing the Horizon Client machines. These are the end-user PCs, not the virtual desktops.
  3. Edit the GPO.
  4. Go to Computer Configuration | Policies | Administrative Templates | VMware Horizon Client Configuration | Scripting Definitions.
  5. On the right, double-click Server URL.
  6. Set the URL to your Horizon View URL and click OK.
  7. On the left, click Security Settings. On the right, open the setting Certificate verification mode.
  8. Enable the setting and make your choice. No Security removes the prompt by turning certificate verification off entirely, so the client will connect to any server presenting any certificate, including an impersonating one; Full Security is the recommended value once the Connection Server presents a certificate the clients trust. Then click OK.

Horizon 2306 (8.10) and newer with Horizon Client 2306 (8.10) and newer can enforce certificate checking on the client.

  1. Go to Settings > Global Settings > Client Desired Configuration and click Edit.
  2. Make your choices and click OK.

Device Redirection

Client Drive Redirection

  1. When you connect to a Horizon Agent that has Client Drive Redirection enabled, you are prompted to allow file redirection.

  2. By default, only the user’s local profile is redirected.
  3. You can redirect more folders or drives by opening Settings, or click the Options menu, and click Share Folders.

  4. In the Drive & Folder Sharing tab (or Sharing tab), on the Global Sharing sub-tab, add drives or folders.

    • Horizon Client 2206 and newer with Horizon Agent 2206 and newer have an Exclusive Sharing tab that lets you share a client drive exclusively with the remote desktop for faster file transfer performance. The Storage Drive Redirection feature is installed by default on Horizon Agent 2206 and newer.
  5. The folders or drives you added are now visible within Explorer in the Horizon Desktop.
  6. Client Drive Redirection also works in published applications.
  7. Horizon Agent 7.7 and newer with Horizon Client 4.10 and newer let you drag files from the local machine into the remote machine. This is drag only. You can’t copy/paste. If you drag the file onto a remote application, then the application opens the file.

    1. This feature can be disabled and/or controlled in a GPO that applies to the Horizon Agent. Make sure the Horizon 7.7 or newer GPO templates are installed. In the Computer half of the GPO, go to Administrative Templates > VMware Blast and edit the setting Configure drag and drop direction.
    2. The Configure drag and drop direction setting is also configurable for PCoIP under the Computer-half node named PCoIP Session Variables > Overridable Administrative Defaults.
  8. The client drive redirection prompt configuration is stored in %appdata%\VMware\VMware Horizon View Client\prefs.txt. You can edit this file to disable the prompt. See Rob Beekmans Customizing the VMware Horizon Client sharing pop-up for more info.

  9. Horizon has some GPO settings for Client Drive Redirection that let you control drive letters for client drives in the remote session. Install the Horizon GPO Templates if you haven’t already. Edit a GPO that applies to the Horizon Agents. Then find the settings under VMware View Agent Configuration > VMware Horizon Client Drive Redirection.

Serial Port Redirection

  1. If you connect to a Horizon Agent that has Serial Port Redirection enabled, then a new icon will appear in the system tray.
  2. Right-click the icon to map the remote COM port to the local COM port.

Scanner Redirection

From VMware Blogs Scanner Redirection in Horizon with View: we have added scanner redirection to Horizon with View for use with both VDI desktops and Remote Desktop Session Host (RDSH) applications and desktops. The new scanner redirection functionality in View works by capturing the entire image at the client with the scanning device, compressing the image, and sending that compressed image to the guest in the data center, where the image is presented by a “virtual scanner device” to the application that requested the image capture. The scanner redirection functionality supports both TWAIN and WIA scanning modes and allows images to be captured from both scanners and other imaging devices (such as webcams).

The scanner redirection functionality requires the Horizon Agent version 6.0.2 or later, and the Windows Horizon Client 3.2 or later.

When you install the Horizon Agent component, be sure to select the scanner redirection feature if you want to use it; it is disabled by default. If you are installing the feature onto a server-based OS (Windows Server 2008 R2 or Windows Server 2012 R2) for either VDI desktops or RDSH desktops or applications, then be sure that the Desktop Experience feature (a Microsoft operating system feature) is installed on the server OS first. (This is a prerequisite for installing scanners in a server-based OS.)

After a user makes a connection from a compatible Windows Horizon Client to the new Horizon Agent, a new tool-tray application icon appears. The user clicks the icon to reveal the compatible image acquisition devices available for scanning.

The default mode of operation is, however, that “it should just work,” and the seamless hosted application should be able to acquire an image without needing manual intervention. The user may need to adjust the preferences if more than one imaging device is connected to the client machine, and the user wants to select a specific scanner, or if the user wants to adjust the scan resolution, and so on.

Scanner Redirection Preferences, available by clicking Preferences from the tool-tray icon, allows further configuration of the scanning process, for example, adjusting the default compression applied to the scanning. This can greatly reduce the bandwidth needed to transmit the image (the compression is applied on the client side before the image is transmitted to the guest), but, of course, the more an image is compressed, the lower the image quality. In addition, in the Scanner Redirection Preferences, options are available to adjust the default image capture device (for example, automatic mode, last-used, or an absolute specified device).

These preferences can also be adjusted by way of Group Policy options in the guest OS. A new GPO file (available in the Horizon with View GPO Bundle) allows this configuration. See Configuring Scanner Redirection in Setting Up Desktop and Application Pools in View for more information.

Scanner Redirection Caveats

From VMware Communities:

  • Scanner redirection does not create a device on your virtual desktop that matches the name of the actual scanner. It creates a generic scanner in Device Manager called VMware Virtual WIA Scanner (or VMware Virtual TWAIN Scanner I am assuming). For us this stinks because the image capture software our client uses (Vertex by Jack Henry), has a prepopulated list of scanners you can select. So if we plug in a Canon-CR50 and select Canon CR50/80 in the application, it does not recognize that this scanner is attached to the virtual desktop.
    1. There is a tick box option in the scanner preferences dialog box titled “Use vendor defined names for TWAIN scanners”. This should solve the issue you mention, and we added it specifically to cover the problematic use case you mention.
    2. This only applies to TWAIN scans, WIA can’t use the vendor name.
  • You must install a TWAIN or WIA driver on your thin client. If you can’t find a TWAIN or WIA driver, you are out of luck. For teller check image scanners, we have found no TWAIN or WIA drivers for the TellerScan TS-230, TS-240, or the Canon CR-55. We have found a TWAIN driver for the Canon CR-50 (from the Canon Europe site no less), but issue #1 above means we are out of luck.

Client Printers

Horizon 7.7 and newer with Horizon Client 4.10 and newer have a new VMware Integrated Printing (aka VMware Advanced Printing) feature that replaces the older ThinPrint technology. ThinPrint is no longer available in Horizon Agent 2006 and newer.

When printing from an application, if you highlight a printer and click Preferences, the VMware Horizon icon on the Layout tab shows you that this printer is using VMware Integrated Printing.

If you open the client printer Properties as an administrator, on the Advanced tab, you will see the VMware Universal EMF Driver.

If older ThinPrint:

  • Inside the virtual desktop, if you go to Devices and Printers, it will look a little weird. To see all of the client printers, right-click on a TP printer and use the expandable menus.
  • But when you print from an application, all printers appear normally.

File Type Association

Some published applications might have file types associated with them. When you double-click a file with the configured extension, you might be prompted to open the file using the remote application.

In Horizon Client, if you right-click an icon and click Settings:

  • On the Applications page (or Sharing page), you can disable this functionality.

It’s also configurable in the client-side registry at HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware VDM\Client by creating a String value named AllowFileRedirection and setting it to false. See VMware Communities for more information.

Session Collaboration

Horizon 7.4 and newer have an Allow Session Collaboration checkbox in Pool Settings and RDS Farm Settings.

This setting enables a VMware Horizon Collaboration icon in the system tray of the remote desktop, which lets you invite users to collaborate.

The invite is a URL that you can run (or click) on the collaborator’s machine that has Horizon Client 4.7 or newer installed.

To give control to the collaborator, double-click the green icon to open the Session Collaboration window. Or open the icon in the system tray.

Performance Tracker

Horizon Agent 7.5 and newer have an optional component called Performance Tracker.

When installing Horizon Agent, the last option is Horizon Performance Tracker. It is deselected by default.

After it’s installed in an RDS farm, you can publish the Performance Tracker as an Application Pool

Or connect to a Desktop and launch it from the Desktop icon.

It can display protocol performance information in graphical or tabular form. The overview UI also shows the name of the Horizon Agent machine.

There’s also a Floating Bar option.

Performance Tracker can be configured to launch automatically:

  1. Install the Horizon GPO templates if you haven’t already.
  2. Edit a GPO that applies to the Horizon Agents. These are Computer settings.
  3. Go to Computer Configuration | Policies | Administrative Templates | VMware Horizon Performance Tracker.
  4. On the right, you’ll see two options for auto starting the Performance Tracker.
  5. Both settings let you Show or Hide the overview UI.
  6. If Hide is selected, then users can open the Tracker from the systray icon.

HTML Blast

From the Horizon Connection Server webpage, you can click the VMware Horizon View HTML Access link to launch a desktop or application inside your browser. While Internet Explorer 9 is supported, some functionality, like clipboard and audio, is only available in Internet Explorer 10 and newer, Chrome and Firefox.

In Horizon 6.2 and later, you can launch applications as well as desktops from HTML Blast.

If you click the star icon then you can Mark the icon as a Favorite. Favorites are stored in the LDAP database on the Horizon Connection Server.

Applications and desktops are launched within the browser window. You can click the vertical lines on the left to switch to a different application or desktop.

You can open the Copy & Paste panel to copy between the local machine and the remote machine.

Thin Clients

VMware View Thin Client Compatibility Guide – Thin Client Device and Model Information. It shows thin client models and the version of Horizon View that is supported with the model.

Repurposed PCs

From Chris Halstead VMware Horizon View AutoConnection Utility: I decided to write an app in .NET that is essentially a wrapper for the View Client. It creates the command line variables based on what the user configures in the GUI and automatically connects to the specified desktop or application pool. All of the user configured information is stored in the registry under the current user hive.

The application silently and automatically connects into either a desktop or application pool each time a user logs in by placing it in the startup folder.

Once you have tested your connection, you are ready to enable AutoConnection. You enable AutoConnection by checking the “Enable AutoConnection” box. A common use case would be to place the .exe in the Windows startup folder so that every time a user logs in it will automatically connect to the Virtual Desktop.

This will run the application with the GUI hidden and will automatically connect to the specified pool. The application will minimize to the system tray and a balloon will indicate the connection process is occurring.

Horizon Client Group Policy – Security Settings

The Horizon GPO Bundle includes policy templates for the Horizon Client. See https://www.carlstalhood.com/horizon-group-policy-and-profiles/#viewtemplates to install the ADMX files.

Here are some security GPO settings recommended by VMware (see VMware Horizon with View Security Hardening Overview):

Computer Config | Policies | Administrative Templates | VMware Horizon Client Configuration | Scripting definitions

  • Disable 3rd-party Terminal Server plugins = enabled

Computer Config | Policies | Administrative Templates | VMware Horizon Client Configuration | Security Settings

  • Allow command line credentials = disabled
  • Certificate verification mode = enabled, Full Security
  • Default value of the ‘Log in as current user’ checkbox = disabled
  • Display option to Log in as current user = disabled
  • Servers Trusted for Delegation = enabled, listing only your Connection Servers. Log in as current user forwards the user’s Windows credentials to the server, so this list limits which servers can receive them.
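To confirm that these policies (and the Certificate verification mode from the Certificate Validation section above) actually reached a client, the following PowerShell audit is an added example written for this page; it is not from the page itself or from VMware. It assumes the Horizon Client ADMX writes the Security Settings policies to HKLM\SOFTWARE\Policies\VMware, Inc.\VMware VDM\Client\Security using the value names CertCheckMode (0 = No Security, 1 = Warn But Allow, 2 = Full Security), AllowCmdLineCredentials, LogInAsCurrentUser_DefaultValue, LogInAsCurrentUser_Display and BrokersTrustedForDelegation; those names follow the documented Horizon Client registry settings but should be verified against the ADMX version you deploy. The broker name horizon.corp.example is a placeholder.

```powershell
# Added example (not from the page or VMware): audits the policy-driven Horizon Client
# security settings on a Windows client. Assumption: the ADMX writes the policies to
# this key with these value names; verify against your ADMX version.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\VMware, Inc.\VMware VDM\Client\Security'

# Expected values per the hardening recommendations on this page.
# CertCheckMode: 0 = No Security, 1 = Warn But Allow, 2 = Full Security.
$Expected = @(
    @{ Name = 'CertCheckMode';                   Value = 2; Meaning = 'Certificate verification mode = Full Security' }
    @{ Name = 'AllowCmdLineCredentials';         Value = 0; Meaning = 'Allow command line credentials = disabled' }
    @{ Name = 'LogInAsCurrentUser_DefaultValue'; Value = 0; Meaning = "Default value of 'Log in as current user' = disabled" }
    @{ Name = 'LogInAsCurrentUser_Display';      Value = 0; Meaning = "Display option to 'Log in as current user' = disabled" }
)

function Test-HorizonClientSecurityPolicy {
    [CmdletBinding()]
    param(
        [string]$Key = $PolicyKey,
        # Connection Server names that are allowed to receive delegated (current-user) credentials
        [string[]]$TrustedBrokers = @()
    )
    $findings = @()
    $props = if (Test-Path $Key) { Get-ItemProperty -Path $Key } else { $null }

    foreach ($e in $Expected) {
        $actual = if ($props -and $props.PSObject.Properties[$e.Name]) { [int]$props.($e.Name) } else { $null }
        $findings += [pscustomobject]@{
            Setting  = $e.Meaning
            Expected = $e.Value
            Actual   = $actual
            Status   = if ($actual -eq $e.Value) { 'OK' }
                       elseif ($null -eq $actual) { 'NOT SET (client default applies)' }
                       else { 'DEVIATION' }
        }
    }

    # Servers Trusted for Delegation: an empty list means credentials may be delegated to
    # whatever broker the user types in, so treat that as a deviation too.
    $brokers = if ($props -and $props.PSObject.Properties['BrokersTrustedForDelegation']) {
        @($props.BrokersTrustedForDelegation)
    } else { @() }
    $unexpected = $brokers | Where-Object { $TrustedBrokers -notcontains $_ }
    $findings += [pscustomobject]@{
        Setting  = 'Servers Trusted for Delegation'
        Expected = ($TrustedBrokers -join ';')
        Actual   = ($brokers -join ';')
        Status   = if ($brokers.Count -eq 0) { 'DEVIATION (no servers listed)' }
                   elseif ($unexpected) { 'DEVIATION (unknown server listed)' }
                   else { 'OK' }
    }
    return $findings
}

# Usage: horizon.corp.example is a placeholder for your Connection Server name.
Test-HorizonClientSecurityPolicy -TrustedBrokers 'horizon.corp.example' | Format-Table -AutoSize
```

A row reporting NOT SET means the GPO never applied to that machine and the client is running with its built-in default, which for the certificate check is weaker than Full Security; a DEVIATION on CertCheckMode with an Actual of 0 is the No Security setting from the Certificate Validation procedure and should be treated as a finding.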


VMware Horizon 6 – Master RDS Host

Last Modified: Sep 2, 2018 @ 7:52 am


Use this post to build a Windows Server Remote Desktop Session Host that will be used as the source image for additional cloned Remote Desktop Session Hosts. Or you can build each Remote Desktop Session Host manually using the steps detailed in this post.

Hardware

  • The session host pools will use the same hardware specs (e.g. vCPUs, memory size, network label) specified on the master session host. Adjust accordingly.
  • For 2012 R2, set the vCPUs to 8. For 2008 R2, set the vCPUs to 4. Two is the minimum. See VMware whitepaper for more information.
  • Typical memory for an 8 vCPU session host is 24 – 48 GB (e.g. 32 GB).
  • For New Hard disk, consider setting Thin provision. And increase the size so it can store the locally cached profiles (C:\Users).
  • The session host should be configured with a VMXNET 3 network adapter.
  • When building the master session host, you will probably boot from an ISO. When you are ready to create the pool (RDS farm), ensure the CD/DVD drive points to Client Device and is not Connected. The important part is to make sure no ISO file is configured.
  • There’s no need for the Floppy drive so remove it.
  • If you have any Serial ports, remove them.

NIC Hotplug – Disable

  1. The virtual NIC is hot-pluggable, so it appears under Safely Remove Hardware in the systray, and a user could Eject the Ethernet Controller and take the session host off the network. Obviously this is bad.
  2. To disable this functionality, power off the virtual machine.
  3. Once powered off, right-click the virtual machine and click Edit Settings.
  4. On the VM Options tab, expand Advanced and then click Edit Configuration.
  5. Click Add Row.
  6. On the left, enter devices.hotplug. On the right, enter false.
  7. Then click OK a couple times to close the windows.
  8. The VM can then be powered on.
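Doing this one VM at a time in the vSphere client does not scale to a farm, so here is an added PowerCLI example (not from the page or VMware) that applies and verifies devices.hotplug=false across a list of VMs. It assumes VMware PowerCLI is installed and a session is already open with Connect-VIServer; the VM name RDSH-MASTER is a placeholder. Because the setting is read at power-on, the function refuses to touch a VM that is not powered off.

```powershell
# Added example (not from the page): sets devices.hotplug=false on powered-off VMs via
# PowerCLI (assumed installed and connected with Connect-VIServer), which removes the
# NIC from Safely Remove Hardware inside the guest.
function Disable-VmDeviceHotplug {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string[]]$VmName)

    foreach ($name in $VmName) {
        $vm = Get-VM -Name $name -ErrorAction Stop
        if ($vm.PowerState -ne 'PoweredOff') {
            # The .vmx change only takes effect on the next power-on; refuse to edit a running VM.
            Write-Warning "$name is $($vm.PowerState); power it off first, skipping."
            continue
        }
        $existing = Get-AdvancedSetting -Entity $vm -Name 'devices.hotplug' -ErrorAction SilentlyContinue
        if ($existing -and $existing.Value -eq 'false') {
            Write-Verbose "$name already has devices.hotplug=false"
            continue
        }
        if ($PSCmdlet.ShouldProcess($name, 'set devices.hotplug=false')) {
            if ($existing) {
                Set-AdvancedSetting -AdvancedSetting $existing -Value 'false' -Confirm:$false | Out-Null
            } else {
                New-AdvancedSetting -Entity $vm -Name 'devices.hotplug' -Value 'false' -Confirm:$false | Out-Null
            }
        }
    }
}

# Verification: any VM not reporting HotplugDisabled = True still lets users eject the NIC.
function Get-VmDeviceHotplugState {
    param([Parameter(Mandatory)][string[]]$VmName)
    foreach ($name in $VmName) {
        $s = Get-AdvancedSetting -Entity (Get-VM -Name $name) -Name 'devices.hotplug' -ErrorAction SilentlyContinue
        [pscustomobject]@{ VM = $name; HotplugDisabled = ($s -and $s.Value -eq 'false') }
    }
}

# Usage (RDSH-MASTER is a placeholder VM name). Drop -WhatIf to apply.
Disable-VmDeviceHotplug -VmName 'RDSH-MASTER' -WhatIf
Get-VmDeviceHotplugState -VmName 'RDSH-MASTER'
```

Run the verification function again after the pool is created, because clones inherit the .vmx setting from the snapshot only if it was present when the snapshot was taken.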

VMware Tools

VMware Tools includes the Shared Folders feature, which prevents roaming profiles from being deleted properly. When installing VMware Tools, make sure you deselect Shared Folders so it is not installed.

After installing VMware Tools, open Registry Editor and go to HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order. Look in the ProviderOrder value on the right and ensure that vmhgfs is not listed. If it is, remove it.
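The same clean-up can be scripted for the master image and for any host where Tools was installed with defaults. The following PowerShell is an added example (not from the page or VMware); it removes vmhgfs from ProviderOrder while preserving the order of the remaining providers, and it also cleans the sibling HwOrder key, which Windows keeps alongside Order. Run it from an elevated prompt.

```powershell
# Added example (not from the page): removes the VMware Shared Folders provider (vmhgfs)
# from the network provider order after a VMware Tools install, preserving the order of
# the remaining providers. Requires an elevated prompt.
$OrderKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order'
$HwOrderKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\NetworkProvider\HwOrder'

function Remove-NetworkProvider {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$Provider = 'vmhgfs',
        [string[]]$Keys = @($OrderKey, $HwOrderKey)
    )
    foreach ($key in $Keys) {
        if (-not (Test-Path $key)) { continue }
        $current = (Get-ItemProperty -Path $key -Name ProviderOrder -ErrorAction SilentlyContinue).ProviderOrder
        if (-not $current) { continue }

        # ProviderOrder is a comma-separated REG_SZ; tolerate stray spaces and empty entries.
        $list = $current -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
        if ($list -notcontains $Provider) {
            Write-Verbose "$Provider not present in $key"
            continue
        }
        $new = ($list | Where-Object { $_ -ne $Provider }) -join ','
        if ($PSCmdlet.ShouldProcess($key, "ProviderOrder '$current' -> '$new'")) {
            Set-ItemProperty -Path $key -Name ProviderOrder -Value $new
        }
    }
}

# Returns $true when vmhgfs is gone from the Order key, for use in a sealing checklist.
function Test-NetworkProviderAbsent {
    param([string]$Provider = 'vmhgfs')
    $order = (Get-ItemProperty -Path $OrderKey -Name ProviderOrder).ProviderOrder
    return (($order -split ',' | ForEach-Object { $_.Trim() }) -notcontains $Provider)
}

Remove-NetworkProvider -Verbose
Test-NetworkProviderAbsent
```

The check is worth repeating after every VMware Tools upgrade, since an upgrade that re-installs Shared Folders will put vmhgfs back.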

Windows

Disable Internet Explorer Enhanced Security Config

  1. In Server Manager, switch to the Local Server page.
  2. On the far right, click the link for On next to IE Enhanced Security Configuration.
  3. Click Off for both Administrators and Users. Click OK.

User Account Control and SmartScreen

This section is optional.

  1. Right-click the flag icon by the clock and click Open Action Center. Or launch it from the Start Menu.
  2. On the left click Change User Account Control settings.
  3. To disable UAC, move the slider down to Never Notify and click OK. Leaving UAC enabled is the safer choice and most security standards require it; disable it only if an application genuinely needs it.
  4. Back in Action Center, on the left, click Change Windows SmartScreen settings.
  5. Make your selection regarding SmartScreen and click OK.

Windows Update

Whenever you deploy a virtual machine from a template and SysPrep is executed during the cloning process, all Windows Update settings are reset. You must reconfigure Windows Update on every new virtual machine (or use group policy).

  1. In Server Manager, click Local Server on the left. Then on the right click the link for Last checked for updates.
  2. On the left, click Change settings.
  3. Check the box next to Give me updates for other Microsoft products when I update Windows and click OK.
  4. Windows Update will automatically start checking for updates.
  5. Install any updates it recommends.

Windows Server 2008 R2 Hotfixes

If this is a Windows Server 2008 R2 session host, at a minimum, request and install the Windows hotfixes listed at Citrix CTX129229 Recommended Hotfixes for XenApp 6.x on Windows Server 2008 R2. Scroll down to the Microsoft Hotfixes section.

Microsoft 2483177 You cannot play back an H.264 video file or an AAC audio file on a computer that is running Windows Server 2008 R2 with the Desktop Experience feature enabled. From the hotfix description: the Desktop Experience feature in Windows Server 2008 R2 does not include decoders for the H.264 and AAC formats.

The following file is available for download from the Microsoft Download Center:

Download the Desktop Experience Decoder Update for Windows Server 2008 R2 package now.

File Sharing

By default on Windows 2012, if Windows Firewall is enabled, then all file shares are blocked. You can’t even connect to C$ from a different machine. To facilitate remote management, consider enabling file sharing, but scope the File and Printer Sharing firewall rules to your management network rather than leaving SMB open to every network the host can see.

  1. To enable sharing, by the clock, right-click the network icon and click Open Network and Sharing Center.
  2. On the left, click Change advanced sharing settings.
  3. Select Turn on file and printer sharing.
  4. Select Turn on network discovery.

Windows Firewall – Remote Management

By default, Windows Server 2012 blocks remote management tools. For example, you can’t use Event Viewer on server 1 to access the event logs on server 2. Enabling the rules below opens DCOM and RPC endpoints, so scope them to your management subnet rather than to any remote address.

  1. Run Windows Firewall with Advanced Security.
  2. On the left, click Inbound Rules.
  3. On the right, right-click COM+ Network Access (DCOM-In) and click Enable Rule.
  4. Highlight all three Remote Event Log Management rules, right-click, and click Enable Rule.
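The GUI steps enable the rules for any remote address. The following PowerShell is an added example (not from the page or Microsoft) that enables the same two rule groups but restricts them to a management subnet, and then reports any rule in those groups that is still open to Any. It needs the NetSecurity module (Windows Server 2012 and newer, not 2008 R2); the subnet 10.0.10.0/24 is a placeholder.

```powershell
# Added example (not from the page): enables the COM+ Network Access and Remote Event
# Log Management inbound rules, scoped to a management subnet instead of Any.
# Requires the NetSecurity module (Windows Server 2012+) and an elevated prompt.
function Enable-RemoteManagementRules {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string[]]$ManagementSubnet,
        [string[]]$DisplayGroup = @('COM+ Network Access', 'Remote Event Log Management')
    )
    foreach ($group in $DisplayGroup) {
        $rules = Get-NetFirewallRule -DisplayGroup $group -Direction Inbound -ErrorAction Stop
        foreach ($rule in $rules) {
            if ($PSCmdlet.ShouldProcess($rule.DisplayName, "enable, restrict to $($ManagementSubnet -join ',')")) {
                # -RemoteAddress replaces the address filter, so the rule no longer matches Any.
                Set-NetFirewallRule -Name $rule.Name -Enabled True -RemoteAddress $ManagementSubnet
            }
        }
    }
}

# Reports enabled rules in these groups whose remote address filter is still Any.
function Get-UnscopedRemoteManagementRules {
    param([string[]]$DisplayGroup = @('COM+ Network Access', 'Remote Event Log Management'))
    foreach ($group in $DisplayGroup) {
        Get-NetFirewallRule -DisplayGroup $group -Direction Inbound -Enabled True |
            ForEach-Object {
                $addr = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
                if ($addr -contains 'Any') {
                    [pscustomobject]@{ Rule = $_.DisplayName; RemoteAddress = $addr }
                }
            }
    }
}

# Usage: 10.0.10.0/24 is a placeholder management subnet. Drop -WhatIf to apply.
Enable-RemoteManagementRules -ManagementSubnet '10.0.10.0/24' -WhatIf
Get-UnscopedRemoteManagementRules
```

If the report is empty after applying, the DCOM and event log endpoints answer only to the management subnet; the same pattern applies to the File and Printer Sharing group from the previous section.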

Local Administrators Group

If the Horizon Administrators and members of the Domain Admins group are the same people, then there is nothing to change. Otherwise, add your Horizon Admins group to the local Administrators group.

  1. In Server Manager, open the Tools menu and click Computer Management. Or launch it by right-clicking the Start Button.
  2. Add the Horizon Admins group to the local Administrators group.

Remote Desktop Session Host

Role and Features – Windows Server 2012

If this session host is Windows Server 2008 R2 then skip to the next section.

  1. In Server Manager, open the Manage menu and click Add Roles and Features.
  2. Click Next until you get to the Server Roles page.
  3. Check the box next to Remote Desktop Services and click Next.
  4. On the Features page, check the box next to Group Policy Management and scroll down.
  5. Expand User Interfaces and Infrastructure and check the box next to Desktop Experience. This adds a bunch of features like Themes, Windows Media Player, Flash, etc.
  6. Check the box next to Telnet Client and scroll up.
  7. Expand Remote Server Administration Tools > Role Administration Tools > AD DS and AD LDS Tools > AD DS Tools. Check the box next to Active Directory Administrative Center.
  8. To verify Remote Desktop Services licensing, expand Remote Desktop Services Tools and check the box next to Remote Desktop Licensing Diagnoser Tool. Click Next when done.
  9. In the Select role services page, check the box next to Remote Desktop Session Host and click Next.
  10. If desired, click the Restart box, then click Install. Restart is required.

Windows Roles – Windows Server 2008 R2

If this session host is running Windows 2008 R2 then the instructions are slightly different.

  1. In Server Manager, right-click Roles and click Add Roles.
  2. In the Before You Begin page, click Next.
  3. In the Select Server Roles page, check the box next to Remote Desktop Services and click Next.
  4. In the Introduction to Remote Desktop Services page, click Next.
  5. In the Select Role Services page, check the box next to Remote Desktop Session Host and click Next.
  6. In the Uninstall and Reinstall Applications for Compatibility page, click Next.
  7. In the Specify Authentication Method for Remote Desktop Session Host page, select Do not require Network Level Authentication and click Next.
  8. In the Specify Licensing Mode page, select Per User and click Next.
  9. In the Select User Groups Allowed Access to this RD Session Host Server page, click Add. Browse for Authenticated Users (on the local machine) and click Next.
  10. In the Configure Client Experience page, check the boxes for Audio and video playback and Desktop composition. This causes Desktop Experience to be installed. Click Next.
  11. In the Confirm Installation Selections page, click Install.
  12. In the Installation Results page, click Close.
  13. Click Yes when you are prompted to restart now.
  14. Login to the server. Then click Close.

Remote Desktop Licensing Configuration

The only way to configure Remote Desktop Licensing in Windows Server 2012 is using group policy (local or domain). This also works for Windows Server 2008 R2.

  1. For local group policy, run gpedit.msc.
  2. Go to Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Licensing.
  3. Double-click Use the specified Remote Desktop license servers. Change it to Enabled and enter the names of the RD Licensing Servers. Click OK.
  4. Double-click Set the Remote Desktop licensing mode. Change it to Enabled and select Per User. Click OK.
  5. In Server Manager, open the Tools menu, expand Terminal Services and click RD Licensing Diagnoser.
  6. The Diagnoser should find the license server and indicate the licensing mode. It’s OK if there are no licenses installed on the Remote Desktop License Server.

C: Drive Permissions

The default permissions allow users to store files on the C: drive in places other than their profile.

  1. Open the Properties dialog box for C:\.
  2. On the Security tab, click Advanced.
  3. Highlight the line containing Users and Create Folders and click Remove.
  4. Highlight the line containing Users and Special and click Remove. Click OK.

  5. Click Yes to confirm the permissions change.
  6. If you see any of these Error Applying Security windows, click Continue.
  7. Click OK to close the C: drive properties.
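The two ACEs being removed are the ones that grant BUILTIN\Users Create folders / append data on the root and Create files (subfolders only) without Read & Execute. The PowerShell below is an added example (not from the page or Microsoft) that removes exactly those ACEs and leaves the Read & Execute ACE alone. It goes slightly beyond the steps above: on Windows Server 2012 R2 the equivalent Create folders ACE belongs to NT AUTHORITY\Authenticated Users rather than Users, so both identities are matched. It uses SetAccessControl on the directory rather than Set-Acl to avoid the owner-assignment error Set-Acl can raise on the system drive. Run from an elevated prompt and preview with -WhatIf first.

```powershell
# Added example (not from the page): removes the loose create-folder/create-file ACEs on
# the system drive root for Users (Win7/2008 R2) and Authenticated Users (2012 R2),
# keeping the Read & Execute ACE. Elevated prompt required.
$Rights       = [System.Security.AccessControl.FileSystemRights]
$CreateRights = $Rights::CreateDirectories -bor $Rights::CreateFiles   # AppendData / WriteData
$ReadExec     = $Rights::ReadAndExecute

function Get-LooseRootCreateAces {
    param(
        [string]$Path = 'C:\',
        [string[]]$Identity = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')
    )
    (Get-Acl -Path $Path).Access | Where-Object {
        -not $_.IsInherited -and
        $_.AccessControlType -eq 'Allow' -and
        $Identity -contains $_.IdentityReference.Value -and
        (($_.FileSystemRights -band $CreateRights) -ne 0) -and   # grants create folders/files
        (($_.FileSystemRights -band $ReadExec) -eq 0)            # but is not the RX ACE (Modify includes RX, so it stays)
    }
}

function Remove-LooseRootCreateAces {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$Path = 'C:\')
    $acl     = Get-Acl -Path $Path
    $targets = @(Get-LooseRootCreateAces -Path $Path)
    foreach ($ace in $targets) {
        $desc = "$($ace.IdentityReference): $($ace.FileSystemRights) ($($ace.InheritanceFlags)/$($ace.PropagationFlags))"
        if ($PSCmdlet.ShouldProcess($Path, "remove ACE $desc")) {
            # RemoveAccessRuleSpecific removes only an exactly matching ACE.
            $null = $acl.RemoveAccessRuleSpecific($ace)
        }
    }
    if ($targets.Count -gt 0 -and -not $WhatIfPreference) {
        (Get-Item -LiteralPath $Path).SetAccessControl($acl)
    }
    return $targets.Count   # number of ACEs found (and removed, unless -WhatIf)
}

Remove-LooseRootCreateAces -WhatIf     # preview
# Remove-LooseRootCreateAces           # apply, then confirm nothing is left:
# @(Get-LooseRootCreateAces).Count -eq 0
```

Run Get-LooseRootCreateAces on a clone later to confirm the hardened ACL survived SysPrep and any application installers that reset root permissions.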

Installs

VMware Horizon 6 Agent 6.2.2

View Agent for RDS Hosted Apps Desktops is missing a few features:

  • No Generic USB Redirection. USB Flash Drives and hard drives are supported.
  • No Real-Time Audio Video
  • No serial port redirection
  • No Persona. Instead use VMware User Environment Manager (Horizon Enterprise) or Microsoft’s roaming profiles.

To install View Agent on Remote Desktop Services, do the following:

  1. Go to the downloaded Horizon 6 Agent x64 6.2.2 and run VMware-viewagent-x86_64-6.2.2.exe.
  2. In the Welcome to the Installation Wizard for VMware Horizon 6 Agent page, click Next.
  3. In the License Agreement page, select I accept the terms and click Next.
  4. If you see a message about Desktop OS Configuration then you need to cancel the installer and install the Remote Desktop Session Host role.
  5. In the Network protocol configuration page, select IPv4 and click Next.
  6. In the Custom Setup page, enable Scanner Redirection if desired. Same for USB Redirection.
  7. Client Drive Redirection is a new feature in Horizon 6 Agent 6.1. The description indicates that the file transfers are not encrypted.
  8. VMware Horizon View Composer Agent is a new feature of Horizon 6 Agent 6.2. If you are building a pool of Remote Desktop Session Hosts then install this feature. Note: if you are not building linked clones then don’t select this option or else you won’t be able to select the machine in a Manual RDS Farm in View Administrator.
  9. Click Next when done making selections.
  10. Click OK to acknowledge the USB redirection message.
  11. If you see the Register with Horizon 6 Connection Server page, enter the name of a Horizon 6 Connection Server and click Next. You only see this page if not installing the View Composer Agent.
  12. In the Ready to Install the Program page, click Install.
  13. In the Installer Completed page, click Finish.
  14. Click Yes to restart the server.

User Environment Manager Engine

If you are licensed for User Environment Manager (Horizon Enterprise Edition), install the User Environment Manager Engine.

  1. Make sure Prevent access to registry editing tools is not enabled in any GPO. This setting prevents the FlexEngine from operating properly.
  2. In Server Manager, open the Manage menu and click Add Roles and Features.
  3. In the Features page, select .NET Framework 3.5 and click Next.
  4. In the Confirmation page, click Specify an alternate source path.
  5. Mount or extract the Windows Server 2012 R2 ISO.
  6. Enter the path to the sources folder on the Windows Server 2012 R2 ISO and click OK. Then click Install.
  7. Go to the extracted User Environment Manager 9.0 files and run VMware User Environment Manager 9.0 x64.msi.
  8. In the Welcome to the VMware User Environment Manager Setup Wizard page, click Next.
  9. In the End-User License Agreement page, check the box next to I accept the terms and click Next.
  10. In the Destination Folder page, click Next.
  11. The Choose Setup Type page appears. By default, the installer only installs the engine. You can click Custom or Complete to also install the console.

  12. In the Choose License File page, if installing on a View Agent then no license file is needed. Click Next.
  13. Otherwise, Browse to the license file and then click Next.
  14. In the Ready to install VMware User Environment Manager page, click Install.
  15. In the Completed the VMware User Environment Manager Setup Wizard page, click Finish.

Horizon Agent Load Balancing Script

If you have multiple identical Remote Desktop Services Hosts in a single RDS Farm, by default, VMware Horizon uses a least connections Load Balancing algorithm. You can change this to performance-based Load Balancing by configuring scripts on each RDS Host. See Configuring Load Balancing for RDS Hosts at pubs.vmware.com.

There are only three levels of load: HIGH, MED, and LOW. Within a load level, Horizon selects an RDS server at random.

Do the following to configure the Load Balancing script:

  1. The script must be placed at C:\Program Files\VMware\VMware View\Agent\scripts on every RDS Host. VMware provided a couple sample scripts that you can use. One script only looks at CPU and the other script only looks at Memory. If you write your own script, make sure it exists in this folder on every RDS Host in the RDS Farm.
  2. Open Services and configure the VMware Horizon View Script Host service to run automatically.

  3. Then start the service.
  4. In regedit, go to HKLM\Software\VMware, Inc.\VMware VDM\ScriptEvents\RdshLoad.
  5. Create a new String Value. It doesn’t matter what you name it but the script name is recommended.
  6. Modify the String Value and enter cscript.exe "PathToScript". For example: cscript.exe "C:\Program Files\VMware\VMware View\Agent\scripts\cpuutilisation.vbs"
  7. After setting the registry value, restart the VMware Horizon View Agent service.
  8. After you later add this RDS Host to a farm, in View Administrator, click the Dashboard view.
  9. Expand RDS Farms, expand the farm and click the RDS Host.
  10. Make sure the Server load is reported.
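Because the Script Host service executes whatever is registered under RdshLoad, the scripts folder is a code-execution path on every RDS host: anyone who can write to it can run code under the service. The PowerShell below is an added example (not from the page or VMware) that performs steps 1 to 7 above and refuses to enable the script while any non-administrator identity holds write rights on the folder. The folder path, registry key and service display names are those given on this page; cpuutilisation.vbs is the VMware sample script referenced above.

```powershell
# Added example (not from the page): registers the RDS load script (steps 1-7 above)
# after checking that only administrators/SYSTEM can write to the scripts folder.
# Elevated prompt required.
$ScriptDir = 'C:\Program Files\VMware\VMware View\Agent\scripts'
$LoadKey   = 'HKLM:\SOFTWARE\VMware, Inc.\VMware VDM\ScriptEvents\RdshLoad'
$Rights    = [System.Security.AccessControl.FileSystemRights]
# Any of these rights lets a principal change what the service executes.
$WriteMask = $Rights::Write -bor $Rights::Modify -bor $Rights::FullControl -bor
             $Rights::ChangePermissions -bor $Rights::TakeOwnership
$TrustedWriters = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
                    'NT SERVICE\TrustedInstaller', 'CREATOR OWNER')

function Get-UntrustedWriters {
    param([string]$Path = $ScriptDir)
    (Get-Acl -Path $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $TrustedWriters -notcontains $_.IdentityReference.Value -and
        (($_.FileSystemRights -band $WriteMask) -ne 0)
    } | Select-Object IdentityReference, FileSystemRights, IsInherited
}

function Set-RdshLoadScript {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$ScriptName = 'cpuutilisation.vbs')

    $scriptPath = Join-Path $ScriptDir $ScriptName
    if (-not (Test-Path -LiteralPath $scriptPath)) { throw "Script not found: $scriptPath" }

    $bad = @(Get-UntrustedWriters)
    if ($bad.Count -gt 0) {
        $bad | Format-Table -AutoSize | Out-String | Write-Warning
        throw "Non-administrators can modify $ScriptDir; fix the ACL before enabling the script."
    }

    $command = "cscript.exe `"$scriptPath`""
    if ($PSCmdlet.ShouldProcess($LoadKey, "set $ScriptName = $command")) {
        if (-not (Test-Path $LoadKey)) { New-Item -Path $LoadKey -Force | Out-Null }
        Set-ItemProperty -Path $LoadKey -Name $ScriptName -Value $command -Type String

        $scriptHost = Get-Service -DisplayName 'VMware Horizon View Script Host' -ErrorAction Stop
        $scriptHost | Set-Service -StartupType Automatic
        $scriptHost | Start-Service
        # The agent only picks up new ScriptEvents entries after a restart.
        Get-Service -DisplayName 'VMware Horizon View Agent' -ErrorAction Stop | Restart-Service -Force
    }
    return $command
}

Set-RdshLoadScript -WhatIf   # preview; drop -WhatIf to apply
```

Restarting the agent service drops active sessions on that host, so run this during the master build or a maintenance window rather than on a host with users connected; the Dashboard check in steps 8 to 10 then confirms the load value is reported.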

Antivirus

Install antivirus using your normal procedure. Instructions vary for each Antivirus product.

Microsoft’s virus scanning recommendations (e.g. exclude group policy files) – http://support.microsoft.com/kb/822158.

Symantec

Symantec has a document at http://www.symantec.com/business/support/index?page=content&id=TECH91070 detailing best practices when deploying Symantec Endpoint Protection to session hosts.

Best practices for virtualization with Symantec Endpoint Protection 12.1, 12.1 RU1, and 12.1 RU1 MP1  – http://www.symantec.com/docs/TECH173650

Install Applications

Install applications that will be executed on these machines.

VMware OS Optimization Tool

  1. Download the VMware OS Optimization Tool VMware fling.
  2. Run the downloaded VMwareOSOptimizationTool_1050.msi.
  3. On the Analyze tab, on the bottom left, click Analyze.
  4. Check both boxes and click Continue to Analyze.
  5. Review the optimizations and make changes as desired. Then on the bottom left click Optimize.
  6. Click the FAILED links for more information.
  7. The History tab lets you rollback the optimizations.
  8. The Templates tab lets you edit the optimizations. You can create your own template or edit an existing template.

Citrix has published a document with several registry modifications that are supposed to improve server performance. You can access it at http://support.citrix.com/article/CTX131577.

Another list of optimizations can be found at http://www.citrixtools.net/Resources/Articles/articleType/ArticleView/articleId/5610/Windows-2008-R2-Remote-Desktop-and-XenApp-6-Tuning-Tips-Update.aspx.

Seal and Snapshot

  1. Go to the properties of the C: drive and run Disk Cleanup.
  2. On the Tools tab, click Optimize to defrag the drive.
  3. Run slmgr.vbs /dlv and make sure it is licensed with KMS and has at least one rearm remaining.
  4. Run Delprof2 to clean up local profiles. Get it from http://helgeklein.com/download/.
  5. Make sure the master session host is configured for DHCP.
  6. Session hosts commonly have DHCP reservations.

  7. Run antivirus sealing tasks:
    1. Symantec: Run a full scan and then run the Virtual Image Exception tool – http://www.symantec.com/business/support/index?page=content&id=TECH173650
    2. Symantec: run the ClientSideClonePrepTool – http://www.symantec.com/business/support/index?page=content&id=HOWTO54706
  8. Shutdown the master session host.
  9. Edit the Settings of the master virtual machine and disconnect the CD-ROM. Make sure no ISO is configured in the virtual machine.
  10. Take a snapshot of the master session host. View Composer requires a snapshot.

  11. You can now use Horizon View Administrator to create RDS Farms.

Full Clone Post-Cloning Tasks

If you used vCenter to clone the machine instead of using Horizon 6 Composer, then after the machine is cloned, do the following on the cloned machine:

  1. Static IP – Configure a static IP address (or DHCP reservation).
  2. Windows Update – Run Windows Update. SysPrep always disables Windows Update so you must run it at least once to re-enable it.
  3. Join domain – Join the machine to the domain if SysPrep didn’t do it for you.
  4. Active Directory OU – Move the Active Directory computer object to the correct OU.
  5. Horizon 6 Agent – uninstall the Horizon 6 Agent and reinstall it so it registers with a Horizon 6 Connection Server.
  6. Antivirus – Re-configure antivirus. Instructions vary for each product. Go to the antivirus vendor’s website and search for a cloning procedure.
  7. Firewall rules – Add the new machine to any firewall rules (PCoIP, Blast) between the Horizon 6 Security Server and Horizon 6 Agents.
  8. View Administrator – In View Administrator, add the new machine to a Remote Desktop Services farm.


VMware Horizon 6 – RDS Farms/Pools

Last Modified: Nov 6, 2020 @ 7:28 am

Overview

Before following this procedure, build a master RDS Session Host.

This post details VMware Horizon configuration for Remote Desktop Session Host Horizon View Agents. Virtual Desktops are detailed elsewhere.

Before you can publish applications or desktops, you must create an RDS Farm. An RDS Farm is a collection of identical (cloned) Remote Desktop Session Hosts. Applications must be installed identically on every machine in the farm. If you have different applications on different Remote Desktop Session Hosts then these are different RDS Farms.

Horizon 6 supports up to 200 RDS farms, each with up to 200 RDS hosts.

Once the RDS Farms are created, you publish resources from them by either creating a Desktop Pool or an Application Pool or both. When creating a Desktop Pool or Application Pool, all members of the RDS Farm are selected. It is not possible to select a subset of Farm members.

RDS Farms – Linked Clones

You can use View Composer to create RDS linked clones. Here are some missing features and other notes:

  • No QuickPrep. Uses SysPrep with Customization Specifications instead. SysPrep is slower than QuickPrep. SysPrep is also performed during Recompose operations.
  • No View Storage Accelerator.
  • No Rebalance.
  • No Refresh. The machines are persistent until you Recompose the farm.
    • The delta disks continue to grow until you Recompose the farm.
    • You can enable Space Reclamation to shrink the delta disks as files are deleted.
  • DHCP is required.

Customization Specification

If you want to use View Composer then SysPrep requires a Customization Specification in vCenter. QuickPrep is not supported with RDS farms.

  1. In vCenter, from the Home page, click Customization Specification Manager.
  2. Click the icon to create a new Customization Specification.
  3. In the Specify Properties page, give the spec a name and click Next.
  4. In the Set Registration Information page, enter your normal settings and click Next.
  5. In the Set Computer Name page, select Use the virtual machine name and click Next.
  6. In the Enter Windows License page, select Per seat and click Next.
  7. In the Set Administrator Password page, enter the local administrator password and click Next.
  8. In the Time Zone page, select the time zone and click Next.
  9. In the Run Once page, click Next.
  10. In the Configure Network page, leave it set to Use standard network settings. Horizon 6 requires the VMs to be configured for DHCP. Click Next.
  11. In the Set Workgroup or Domain page, enter credentials that can join the machines to the domain and click Next.
  12. In the Set Operating System Options page, leave the box checked and click Next.
  13. In the Ready to complete page, click Finish.

Create an Automatic Farm

To create a farm of linked clones, do the following:

  1. Make sure your RDS View Agents have the VMware Horizon View Composer Agent feature installed.
  2. In View Administrator, on the left, expand Resources and click Farms.
  3. On the right, click Add.
  4. In the Type page, select Automated Farm and click Next.
  5. In the vCenter Server page, select the vCenter Server and View Composer and click Next.
  6. In the Identification and Settings page, enter a name for the Farm. A folder with the same name will be created in vCenter.
  7. Allow users to choose protocol should be set to No.
  8. For Empty session timeout, set it to 1 minute. For When timeout occurs, set it to Log off. You usually want the session to end when users close all of their applications.
  9. For Log off disconnected sessions, specify a disconnect timer. This is in addition to the idle timer configured in View Configuration > Global Settings.
  10. Check the box next to Allow HTML Access and click Next.
  11. In the Provisioning Settings page, enter a naming pattern. Make sure the name includes {n:fixed=3} or something like that.
  12. Enter the number of machines to create and click Next.
  13. In the Storage Optimization page, click Next.
  14. In the vCenter Settings page, click Browse next to each option and make a selection.
  15. When selecting a datastore, set the Storage Overcommit to Unbounded. Click OK and then click Next.
  16. In the Advanced Storage Options page, decide if you want space reclamation or not. Space reclamation does reduce disk space but increases IOPS while the operation is occurring. If space reclamation is enabled, also configure a Blackout window so the increased IOPS does not affect production usage. Scroll down.
  17. If you scroll down you’ll see an option for Transparent Page Sharing. By default it is disabled. You can enable it by setting it to Global. This should reduce some memory consumption. Click Next.
  18. In the Guest Customization page, select an OU.
  19. Select a customization specification and click Next.
  20. In the Ready to Complete page, click Finish.
  21. On the RDS Hosts tab you can see the progress of the farm creation operation.
  22. Since RDS Farms use SysPrep, it will take some time before they become available.
  23. Once the RDS Hosts are created, you publish resources from them by either creating a Desktop Pool or an Application Pool or both.

Add RDS Host to Automatic Farm

  1. On the left, expand Resources and click Farms.
  2. On the right, highlight an existing Farm and click Edit.
  3. Switch to the Provisioning Settings tab and change the Max number of machines. Then click OK.
  4. Since this is based on SysPrep, it will take a while to add the virtual machine. The new VMs reboot several times during the provisioning and customization process.
  5. The farm now has new RDS host(s).

Update an Automatic Farm

  1. Power on the master session host.
  2. After making your changes, shut down the master session host.
  3. Right-click the virtual machine and take snapshot. You must create a new snapshot.
  4. Name the snapshot and click OK.
  5. You’ll need to periodically delete the older snapshots. Right-click the master VM and click Manage Snapshots.
  6. Delete one or more of the snapshots.
  7. In View Administrator, go to Resources > Farms.
  8. Double-click a farm name.
  9. Before beginning the Recompose operation, edit the Farm and on the Provisioning Settings tab consider specifying a minimum number of ready machines during View Composer maintenance operations. If you leave this set to 0 then all machines will be in maintenance mode and nobody can connect until Recompose is complete.
  10. On the Summary tab, click Recompose.
  11. In the Image page, select the new snapshot and click Next.
  12. In the Scheduling page, decide when to apply this new image and then click Next.
  13. In the Ready to Complete page, click Finish.
  14. On the RDS Hosts tab, you can check on the status of the recompose task. Since RDS Farms use SysPrep, this will take a while.

RDS Farms – Manual

To create a manual RDS Farm, do the following:

  1. Make sure the View Composer Agent is not installed on your RDS servers and make sure you saw the screen to register the Agent with a Horizon 6 Connection Server.
  2. In View Administrator, expand View Configuration and click Registered Machines. Make sure your manually built RDS Host is registered and listed on the RDS Hosts tab.

  3. In View Administrator, on the left, expand Resources and click Farms.
  4. On the right, click Add.
  5. In the Identification and Settings page, enter a name for the Farm.
  6. For Empty session timeout, set it to 1 minute. For When timeout occurs, set it to Log off. You usually want the session to end when users close all of their applications.
  7. For Log off disconnected sessions, specify a disconnect timer. This is in addition to the idle timer configured in View Configuration > Global Settings.
  8. Check the box next to Allow HTML Access and click Next.
  9. In the Select RDS Hosts page, select one or more identical Remote Desktop Session Hosts. Click Next.
  10. In the Ready to Complete page, click Finish.

Add RDS Host to Manual Farm

  1. On the left, expand Resources and click Farms.
  2. On the right, double-click an existing Farm.
  3. On the right, switch to the RDS Hosts tab and click Add.
  4. Select the new RDS host and click OK.
  5. The farm now has a new RDS host.

Published Desktop

To publish a desktop from an RDS farm, do the following:

  1. In View Administrator, on the left, expand Catalog and click Desktop Pools.
  2. On the right, click Add.
  3. In the Type page, select RDS Desktop Pool and click Next.
  4. In the Desktop Pool Identification page, enter an ID and name. They can be different. Click Next.
  5. In the Desktop Pool Settings page, click Next.
  6. In the Select an RDS farm page, select a farm and click Next.
  7. In the Ready to Complete page, check the box next to Entitle users after this wizard finishes and click Finish.
  8. In the Entitlements window, click Add.
  9. Browse to an Active Directory group and click OK.
  10. Then click Close.
  11. If you go to Resources > Farms, double-click your farm and switch to the RDS Pools tab, you can see which Desktop Pool is associated with this farm.

Published Applications

  1. In View Administrator, on the left, expand Catalog and click Application Pools.
  2. On the right, click Add.
  3. The purpose of this wizard is to publish applications from an RDS Farm and entitle them. The entitlements will apply to all of the applications you select on this page. If you want different entitlements for different applications, run this wizard multiple times and select different applications. Once the applications are published, you can change their entitlements individually. Click Next after selecting one or more applications.
  4. Or you can add an application manually by changing the radio button to Add application pool manually. Notice that Explorer is not one of the listed applications, so it must be added manually.
  5. Notice the Entitle users box is checked by default. All of the applications in this list will receive the same entitlements. Click Finish.
  6. Then click Add to select a group that can see these icons. Click OK when done.
  7. You can run the wizard again to publish more applications with different entitlements.
  8. If you double-click one of the application pools, on the Entitlements page you can change the entitlements.
  9. If you go to Resources > Farms, double-click your farm, and switch to the RDS Pools tab, you can see which Application Pools (published applications) are associated with this farm. Notice you can’t really do anything from here.

Anti-affinity

You can configure Horizon to restrict the number of instances of an application running on a particular RDS host. Here are some limitations:

  • If the user already has a session then anti-affinity is ignored.
  • If the application is launched from within an RDS Desktop then anti-affinity is ignored.
  • Not recommended for Horizon Mobile clients.

See Configure an Anti-Affinity Rule for an Application Pool at pubs.vmware.com.

Do the following to configure Anti-Affinity:

  1. On the left, expand Catalog and click Application Pools.
  2. On the right, edit an existing app/pool.
  3. In the Anti-Affinity Patterns field, enter process names to match. Wildcards are supported. Each match is counted.
  4. In the Anti-Affinity Count field, enter the maximum number of matches that can run on a single RDS Host.

NetScaler Gateway 11 – RDP Proxy

Last Modified: Nov 7, 2020 @ 6:35 am

RDP Proxy

NetScaler 10.5.e and NetScaler 11 support RDP Proxy through NetScaler Gateway. No VPN required. There are two ways of launching RDP sessions through NetScaler Gateway RDP Proxy:

  • Bookmarks on the Clientless Access portal page.
  • After logging in, change the URL in the browser to /rdpproxy/MyRDPServer. MyRDPServer can be IP or DNS.

You can have one Gateway vServer that authenticates the user and a different Gateway vServer to proxy the RDP connection. The Gateways use Secure Ticket Authority (STA) for mutual authentication. See Stateless RDP Proxy at docs.citrix.com for more information.  💡

Here are some requirements for RDP Proxy:

  • NetScaler Enterprise Edition or Platinum Edition.
  • NetScaler Gateway Universal Licenses for each user.
  • TCP 443 and TCP 3389 opened to the NetScaler Gateway Virtual Server.
  • TCP 3389 opened from the NetScaler SNIP to the RDP Servers.

Do the following to configure RDP Proxy:

  1. Expand NetScaler Gateway, expand Policies, right-click RDP and click Enable Feature.
  2. Click RDP on the left. On the right, switch to the Client Profiles tab and click Add.
  3. Give the Client Profile a name and configure it as desired. Scroll down.
  4. In the RDP Host field, enter the FQDN that resolves to the RDP Proxy listener, which is typically the same FQDN as NetScaler Gateway.
  5. Near the bottom is a Pre Shared Key. Enter a password and click OK. You’ll need this later.
  6. On the right, switch to the Server Profiles tab and click Add.
  7. Give the Server Profile a name.
  8. Enter the IP of the Gateway Virtual Server you’re going to bind this to.
  9. Enter the same Pre Shared Key you configured for the RDP Client Profile. Click Create.
  10. If you want to put RDP bookmarks on the Clientless Access portal page, on the left, expand NetScaler Gateway, expand Resources, and click Bookmarks.
  11. Alternatively, Simon Gottschlag’s Publish RDP Proxy Link via StoreFront shows how a NetScaler Rewrite policy can insert an RDP Proxy link into a StoreFront web page.  💡
  12. On the right, click Add.
  13. Give the Bookmark a name.
  14. For the URL, enter rdp://MyRDPServer using IP or DNS.
  15. Check the box next to Use NetScaler Gateway As a Reverse Proxy and click Create.
  16. Create more bookmarks as desired.
  17. Create or edit a session profile/policy.
  18. On the Security tab, set Default Authorization Action to ALLOW. Or you can use Authorization policies to control access.
  19. On the Remote Desktop tab, select the RDP Client Profile you created earlier.
  20. If you want to use Bookmarks, on the Client Experience tab, set Clientless Access to On.
  21. On the Published Applications tab, make sure ICA Proxy is OFF.
  22. Edit or Create your Gateway Virtual Server.
  23. In the Basic Settings section, click More.
  24. Use the RDP Server Profile drop-down to select the RDP Server Profile you created earlier.
  25. Scroll down. Make sure ICA Only is not checked.
  26. Bind a certificate.
  27. Bind authentication policies.
  28. Bind the session policy/profile that has the RDP Client Profile configured.
  29. You can bind Bookmarks to either the NetScaler Gateway Virtual Server or to an AAA group. To bind to the NetScaler Gateway Virtual Server, on the right, in the Advanced Settings section, click Published Applications.
  30. On the left, in the Published Applications section, click where it says No Url.
  31. Bind your Bookmarks.
  32. Since this NetScaler Gateway Virtual Server has ICA Only unchecked, make sure your NetScaler Gateway Universal licenses are configured correctly. On the left, expand NetScaler Gateway and click Global Settings.
  33. On the right, click Change authentication AAA settings.
  34. Change the Maximum Number of Users to your licensed limit.
  35. If you want to connect to RDP servers using DNS, make sure DNS servers are configured on the appliance (Traffic Management > DNS > Name Servers).
  36. If you want to use the short names instead of FQDNs, add a DNS Suffix (Traffic Management > DNS > DNS Suffix).
  37. Connect to your Gateway and login.
  38. If you configured Bookmarks, simply click the Bookmark.
  39. Or you can change the address bar to /rdpproxy/MyRDPServer. You can enter an IP address (e.g. /rdpproxy/192.168.1.50) or a DNS name (e.g. /rdpproxy/myserver).
  40. Then open the downloaded .rdp file.
  41. You can view the currently connected users by going to NetScaler Gateway > Policies > RDP and on the right is the Connections tab.

NetScaler SDX 11

Last Modified: Nov 7, 2020 @ 6:35 am

LOM IP Configuration

There are two ways to set the IP address of the Lights Out Module (LOM):

  • Crossover Ethernet cable from a laptop with an IP address in the 192.168.1.0 network.
  • ipmitool from the NetScaler SDX XenServer command line

Ipmitool Method:

  1. On a NetScaler SDX appliance, SSH to the XenServer IP address (this is not the Service VM IP). On a NetScaler MPX appliance, SSH to the NetScaler NSIP.
  2. Default XenServer credentials are root/nsroot. Default MPX credentials are nsroot/nsroot.
  3. If MPX, run shell. XenServer is already in the shell.
  4. Run the following:
    ipmitool lan set 1 ipaddr x.x.x.x
    ipmitool lan set 1 netmask 255.255.255.0
    ipmitool lan set 1 defgw ipaddr x.x.x.x

  5. You should now be able to connect to the LOM using a browser.
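
The ipmitool commands above, wrapped in an added script (not part of the original post) that validates the addresses before they are written and reads the LAN settings back afterwards, because a mistyped address or a non-contiguous netmask leaves the LOM unreachable once the laptop or console session is closed. It assumes ipmitool is on the PATH and that the LOM uses LAN channel 1, as in the commands above.

```shell
#!/bin/sh
# Added example: set the LOM IP address via ipmitool with validation and read-back.
# Run from the SDX XenServer shell or the MPX "shell":
#   sh lom_ip.sh <ip> <netmask> <gateway>
# Assumptions: ipmitool on PATH, LAN channel 1 (as in the article's commands).

# Return 0 if $1 is a dotted-quad IPv4 address with each octet in 0-255.
valid_ipv4() {
    case "$1" in
        *[!0-9.]*|""|.*|*.|*..*) return 1 ;;   # digits and single dots only
    esac
    # Split on dots; a fifth field means too many octets.
    IFS=. read -r o1 o2 o3 o4 rest <<EOF
$1
EOF
    [ -z "$rest" ] || return 1
    for octet in "$o1" "$o2" "$o3" "$o4"; do
        [ -n "$octet" ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Return 0 if $1 is a contiguous netmask (e.g. 255.255.255.0).
# A mask like 255.0.255.0 passes valid_ipv4 but would be accepted silently
# by the BMC and break routing, so it is rejected here.
valid_netmask() {
    valid_ipv4 "$1" || return 1
    IFS=. read -r o1 o2 o3 o4 rest <<EOF
$1
EOF
    bits=$(( (o1 << 24) | (o2 << 16) | (o3 << 8) | o4 ))
    inv=$(( ~bits & 0xFFFFFFFF ))
    # For a contiguous mask the inverted value is 2^n - 1, so (inv+1) & inv == 0.
    [ $(( (inv + 1) & inv )) -eq 0 ]
}

# Apply the three article commands, then read the settings back so that
# what the BMC stored can be compared with what was intended.
set_lom_ip() {
    ip=$1; netmask=$2; gw=$3
    valid_ipv4 "$ip"         || { echo "bad IP address: $ip" >&2; return 1; }
    valid_netmask "$netmask" || { echo "bad netmask: $netmask" >&2; return 1; }
    valid_ipv4 "$gw"         || { echo "bad gateway: $gw" >&2; return 1; }
    ipmitool lan set 1 ipaddr "$ip"        || return 1
    ipmitool lan set 1 netmask "$netmask"  || return 1
    ipmitool lan set 1 defgw ipaddr "$gw"  || return 1
    # Read-back: these labels are the ones "ipmitool lan print 1" emits.
    ipmitool lan print 1 | grep -E '^(IP Address|Subnet Mask|Default Gateway IP)'
}

if [ $# -eq 3 ]; then
    set_lom_ip "$1" "$2" "$3"
else
    echo "usage: $0 <ip> <netmask> <gateway>" >&2
fi
```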

Laptop method:

  1. Configure a laptop with static IP address 192.168.1.10 and connect it to the Lights Out Module port.
  2. In a Web browser, type the IP address of the LOM port. For initial configuration, type the port’s default address: http://192.168.1.3
  3. In the User Name and Password boxes, type the administrator credentials. The default username and password are nsroot/nsroot.
  4. In the Menu bar, click Configuration and then click Network.
  5. Under Options, click Network and type values for the following parameters:
    1. IP Address—The IP address of the LOM port.
    2. Subnet Mask—The mask used to define the subnet of the LOM port.
    3. Default Gateway—The IP address of the router that connects the appliance to the network.
  6. Click Save.
  7. Disconnect the laptop and instead connect a cable from a switch to the Lights Out Module.

LOM Firmware Upgrade

The LOM firmware at https://www.citrix.com/downloads/netscaler-adc/components/lom-firmware-upgrade differs depending on the hardware platform. The LOM firmware for the 8000 series is different than the 11000 series. Do not mix them up.

Note: the SDX Update Bundle does not include LOM firmware update so you must update it separately.

  1. Determine which firmware level you are currently running. You can point your browser to the LOM and log in to see the firmware level. Or you can run ipmitool mc info from the XenServer shell.
  2. If your LOM firmware is older than 3.0.2, follow the instructions at http://support.citrix.com/article/CTX137970 to upgrade the firmware.
  3. If your LOM firmware is version 3.0.2 or later, follow the instructions at http://support.citrix.com/article/CTX140270 to upgrade the firmware. This procedure is shown below.
  4. Now that the firmware is version 3.0.2 or later, you can upgrade to 3.39. Click the Maintenance menu and then click Firmware Update.
  5. On the right, click Enter Update Mode.
  6. Click OK when prompted to enter update mode.
  7. Click Choose File and browse to the extracted bin file.
  8. After the file is uploaded, click Upload Firmware.
  9. Click Start Upgrade.
  10. The Upgrade progress will be displayed.
  11. After upgrade is complete, click OK to acknowledge the 1 minute message.
  12. The LOM will reboot.
  13. After the reboot, login and notice that the LOM firmware is now 3.39.

SDX IP Configuration

Default IP for Management Service is 192.168.100.1/16 bound to interface 0/1. Use a laptop with a crossover cable to reconfigure. Point a browser to http://192.168.100.1. Default login is nsroot/nsroot.

Default IP for XenServer is 192.168.100.2/16. Default login is root/nsroot. Note: XenServer IP and Management Service IP must be on the same subnet.

There should be no need to connect to XenServer directly. Instead, all XenServer configuration (e.g. create new VM) is performed through the Management Service (SVM). To change the XenServer IP, make the change through the Management Service as detailed below:

  1. Point a browser to http://192.168.100.1 and login as nsroot/nsroot.
  2. When you first log in to the SDX Management Service, the Welcome! Wizard appears. Click Management Network.
  3. Configure the IP addresses. Management Service IP Address and XenServer IP Address must be different but on the same subnet.
  4. You can change the password at this time or later. Click Done.
  5. Click the System Settings box.
  6. Enter a Host Name.
  7. Select the time zone and click Continue.
  8. Click the Licenses box.
  9. Click Add New License.
  10. In the Manage Licenses section, allocate licenses normally.

  11. Then click Continue.

Another way to log in to the Management Service virtual machine is through the serial port. This is actually the XenServer Dom0 console. Once logged in to XenServer, run ssh 169.254.0.10 to access the Management Service virtual machine. Then follow the instructions at http://support.citrix.com/article/CTX130496 to change the IP.

The console of the Management Service virtual machine can be reached by running the following command in the XenServer Dom0 shell (SSH or console):

xe vm-list params=name-label,dom-id name-label="Management Service VM"

Then run /usr/lib/xen/bin/xenconsole <dom-id>

Or if 11.0 build 64 or newer, run /usr/lib64/xen/bin/xenconsole <dom-id>
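
The xe vm-list and xenconsole steps above, as an added script (not part of the original post) for the Dom0 shell: it parses the dom-id out of the xe output, refuses to proceed when the VM is not running, and picks the lib64 or lib xenconsole path depending on which exists on the build. It assumes the VM name-label is "Management Service VM" as above and that xe is on the PATH; the sample xe output embedded in the script is constructed, not captured from an appliance.

```shell
#!/bin/sh
# Added example: open the Management Service VM console from XenServer Dom0.
#   sh svm_console.sh connect      -> runs xe and xenconsole
#   sh svm_console.sh              -> offline self-check against a constructed sample
# Assumptions: run as root in Dom0, xe on PATH, name-label "Management Service VM".

# Extract the dom-id from "xe vm-list params=name-label,dom-id ..." output on stdin.
# Prints the number, or nothing when the VM is not running (a halted VM reports
# dom-id -1, which the digits-only pattern deliberately does not match).
extract_dom_id() {
    sed -n 's/^[[:space:]]*dom-id[^:]*:[[:space:]]*\([0-9][0-9]*\)[[:space:]]*$/\1/p' | head -n 1
}

# Print the first executable xenconsole among the candidates, newer lib64
# location first (11.0 build 64 and later), then the older lib location.
# Candidates may be passed as arguments (used by the self-check).
find_xenconsole() {
    if [ $# -eq 0 ]; then
        set -- /usr/lib64/xen/bin/xenconsole /usr/lib/xen/bin/xenconsole
    fi
    for candidate in "$@"; do
        if [ -x "$candidate" ]; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    echo "xenconsole not found" >&2
    return 1
}

# Look up the Management Service VM and attach to its console.
svm_console() {
    dom_id=$(xe vm-list params=name-label,dom-id name-label="Management Service VM" | extract_dom_id)
    if [ -z "$dom_id" ]; then
        echo "Management Service VM not found or not running" >&2
        return 1
    fi
    console=$(find_xenconsole) || return 1
    "$console" "$dom_id"
}

# Constructed sample of the xe output (not captured from a real appliance),
# used to exercise the parser offline.
SAMPLE_XE_OUTPUT='name-label ( RW)    : Management Service VM
          dom-id ( RO)    : 2'

if [ "${1:-}" = "connect" ]; then
    svm_console
else
    printf 'parsed dom-id from sample: %s\n' "$(printf '%s\n' "$SAMPLE_XE_OUTPUT" | extract_dom_id)"
fi
```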

Management Service Firmware – Upgrade to 11.0

NetScaler SDX 11.0 and newer now bundle all updates in a single package. To take advantage of this improved installation experience, you must first upgrade the Service VM to 11.0. Once it’s 11.0 you no longer need to upgrade the Service VM separately from the rest of the appliance.

  1. If your SDX SVM (Management Service) is running 10.5 build 57 or newer then you can skip this section and proceed with installing the SDX Bundle.
  2. NetScaler SDX 11.0 build 55 contains a separate installer for just the Management Service (SVM Upgrade Package). The newer builds of NetScaler SDX 11.0 don’t seem to have a separate SVM Upgrade Package, so you’ll need to upgrade the SVM to 11.0 build 55 first. Then use the Software Bundle method to upgrade beyond build 55 as detailed in the next section.
  3. If the webpage says NetScaler SDX on top then you are connected to the Service VM.
  4. Switch to the Configuration tab.
  5. In the navigation pane, expand Management Service, and then click Software Images.
  6. In the right pane, click Upload.
  7. In the Upload Management Service Software Image dialog box, click Browse, navigate to the folder that contains the build-svm file, and then double-click the build file.
  8. Click Upload.

To upgrade the Management Service:

  1. In the navigation pane, click System.
  2. In the System pane, under System Administration, click Upgrade Management Service.
  3. In the Upgrade Management Service dialog box, in Build File, select the file of the build to which you want to upgrade the Management Service.
  4. If you see a Documentation File field, ignore it.
  5. Click OK.
  6. Click Yes if asked to continue.
  7. If desired, go back to the Software Images node and delete older firmware files.

SDX Platform Software Bundle

Starting with SDX 11.0, all updates are bundled together and installed at once.

  1. Make sure your Management Service (SVM) is running SDX 11.0 or newer. If not, see the separate SVM upgrade procedure in the previous section.
  2. Download the latest SDX Platform Software bundle from Downloads > NetScaler ADC > Service Delivery Appliances.

  3. Login to the SDX Management Service, go to Configuration > System.
  4. On the right, in the right column, click Upgrade Appliance.
  5. Browse to the build-sdx-11.0.tgz software bundle and click OK.

  6. It should show you the estimated installation time. Check boxes next to the instances that need configs saved. Click Upgrade.
  7. Click Yes to continue with the upgrade.
  8. The Management Service displays installation progress. Once the upgrade is complete, click Login.
  9. The Information page will be displayed showing the version of XenServer, Management Service (Build), etc.

Management Service NTP

  1. On the Configuration tab, in the navigation pane, expand System, and then click NTP Servers.
  2. To add a new NTP server, in the right pane, click Add.
  3. In the Create NTP Server dialog box enter the NTP server name (e.g. pool.ntp.org) and click Create.
  4. In the right pane click NTP Synchronization.
  5. In the NTP Synchronization dialog box, select Enable NTP Sync. Click OK.

Management Service Alerting

Syslog

  1. On the Configuration tab, expand System > Auditing and click Syslog Servers.
  2. In the right pane click the Add button.
  3. Enter a name for the server.
  4. Enter the IP address of the Syslog server.
  5. Select log levels and click Create.
  6. On the right is Syslog Parameters.
  7. You can configure the Date Format and Time Zone. Click OK.

Mail Notification

  1. On the Configuration tab, expand System > Notifications and click Email.
  2. In the right pane, on the Email Servers tab, click Add.
  3. Enter the DNS name of the mail server and click Create.
  4. In the right pane, switch to the Email Distribution List tab and click Add.
  5. Enter a name for the mail profile.
  6. Enter the destination email address and click Create.

System SNMP

  1. Go to System > SNMP.
  2. On the right, click Configure SNMP MIB.
  3. Enter information as desired and click OK. Your SNMP management software will read this information.
  4. Under the SNMP node, configure normal SNMP including: Trap Destinations, Managers, Alarms, etc.

  5. MIBs can be downloaded from the Downloads tab.

Instance SNMP

  1. The instances will send SNMP traps to the Service VM. To get alerted for these traps, in the Configuration page, in the navigation pane, expand NetScaler, expand Events, and click Event Rules.
  2. On the right, click Add.
  3. Give the rule a name.
  4. Select the Major and Critical severities and move them to the right. Scroll down.
  5. For the other sections, if you don’t configure anything then you will receive alerts for all of the devices, categories, and failure objects. If you configure any of them then only the configured entities will be alerted. Scroll down.
  6. Click Save.
  7. Select an Email Distribution List and click Done.

Management Service nsroot Password and AAA

To change the password of the default user account:

  1. On the Configuration tab, in the navigation pane, expand System, and then click Users.
  2. In the Users pane, click the default user account, and then click Edit.
  3. In the Configure System User dialog box, in Password and Confirm Password, enter the password of your choice. Click OK.

To create a user account:

  1. In the navigation pane, expand System, and then click Users. The Users pane displays a list of existing user accounts, with their permissions.
  2. To create a user account, click Add.
  3. In the Create System User or Modify System User dialog box, set the following parameters:
    • Name*—The user name of the account. The following characters are allowed in the name: letters a through z and A through Z, numbers 0 through 9, period (.), space, and underscore (_). Maximum length: 128. You cannot change the name.
    • Password*—The password for logging on to the appliance.
    • Confirm Password*—The password.
    • Session Timeout
    • Groups —The user’s privileges on the appliance. Possible values:
      • owner—The user can perform all administration tasks related to the Management Service.
      • readonly—The user can only monitor the system and change the password of the account.
  4. Click Create. The user that you created is listed in the Users pane.

AAA Authentication

  1. If you would like to enable LDAP authentication for the Service VM, do that under Configuration > System > Authentication > LDAP.
  2. In the right pane, click Add.
  3. This is configured identically to NetScaler. Enter a Load Balancing VIP for LDAP. Change the Security Type to SSL and Port to 636. Scroll down.
  4. Enter the Base DN in LDAP format.
  5. Enter the bind account.
  6. Check the box for Enable Change Password.
  7. Click Retrieve Attributes and scroll down.
  8. For Server Logon Attribute select sAMAccountName.
  9. For Group Attribute select memberOf.
  10. For Sub Attribute Name select cn.
  11. To prevent unauthorized users from logging in, configure a Search Filter. Scroll down.
  12. If desired, configure Nested Group Extraction.
  13. Click Create.
  14. Expand System, expand User Administration and click Groups.
  15. Click Add.
  16. Enter the case sensitive name of the Active Directory group.
  17. Select the admin permission.
  18. Configure the Session Timeout. Click Create.
  19. On the left, under System, click User Administration.
  20. On the right click User Lockout Configuration.
  21. If desired, check the box next to Enable User Lockout and configure the maximum logon attempts. Click OK.
  22. On the left, under System, click Authentication.
  23. On the right, click Authentication Configuration.
  24. Change the Server Type to LDAP.
  25. Select the LDAP server you created and click OK.

SSL Certificate and Encryption

Replace SDX Management Service Certificate

Before enabling secure access to the Management Service web console, you probably want to replace the Management Service certificate.

  1. PEM format: The certificate must be in PEM format. The Management Service does not provide any mechanism for converting a PFX file to PEM. You can convert from PFX to PEM by using the Import PKCS#12 task in a NetScaler instance.
  2. On the left, click System.
  3. On the right, click Install SSL Certificate.
  4. Select the certificate and key files in PEM format. If the key file is encrypted, enter the password. Then click OK. The Management Service will restart so there will be an interruption.
  5. After the Management Service restarts, connect to it using HTTPS. You can’t make this change if you are connected using HTTP.
  6. On the Configuration tab, click System.
  7. On the right, click Change System Settings.
  8. Check the box next to Secure Access Only and click OK. This forces you to use HTTPS to connect to the Management Service.

SSL Encrypt Management Service to NetScaler Communication

From http://support.citrix.com/article/CTX134973: Communication from the Management Service to the NetScaler VPX instances is HTTP by default. If you want to configure HTTPS access for the NetScaler VPX instances, then you have to secure the network traffic between the Management Service and NetScaler VPX instances. If you do not secure the network traffic from the Management Service configuration, then the NetScaler VPX Instance State appears as Out of Service and the Status shows Inventory from instance failed.

  1. Log on to the Management Service.
  2. On the Configuration tab, click System.
  3. On the right, click Change System Settings.
  4. Change Communication with NetScaler Instance to https.
  5. Run the following command on the NetScaler VPX instance, to change the Management Access (-gui) to SECUREONLY:

set ns ip ipaddress -netmask netmask -arp ENABLED -icmp ENABLED -vServer DISABLED -telnet ENABLED -ftp ENABLED -gui SECUREONLY -ssh ENABLED -snmp ENABLED -mgmtAccess ENABLED -restrictAccess DISABLED -dynamicRouting ENABLED -ospf DISABLED -bgp DISABLED -rip DISABLED -hostRoute DISABLED -vrID 0

Or in the NetScaler instance management GUI go to Network > IPs, open the NSIP and then check the box next to Secure access only.

SDX/XenServer LACP Channels

To use LACP, configure Channels in the Management Service, which creates them in XenServer. Then when provisioning an instance, connect it to the Channel.

  1. In the Management Service, on the Configuration tab, expand System and click Channels.
  2. On the right, click Add.
  3. Select a Channel ID.
  4. For Type, select LACP or STATIC. If using Cisco vPC then LACP is required. The other two options are for switch independent load balancing.
  5. In the Interfaces tab, click Add.
  6. Move the Channel Member interfaces to the right by clicking the plus icon.
  7. On the Settings tab, for LACP you can select Long or Short, depending on switch configuration. Short is the default.
  8. Click Create when done.
  9. Click Yes when asked to proceed.
  10. The channel will then be created on XenServer.

VPX Instances – Provision

To create an admin profile

Admin profiles specify the user credentials that are used by the Management Service when provisioning the NetScaler instances, and later when communicating with the instances to retrieve configuration data. The user credentials specified in an admin profile are also used by the client when logging on to the NetScaler instances through the CLI or the configuration utility.

The default admin profile for an instance specifies a user name of nsroot, and the password is also nsroot. This profile cannot be modified or deleted. However, you should override the default profile by creating a user-defined admin profile and attaching it to the instance when you provision the instance. The Management Service administrator can delete a user-defined admin profile if it is not attached to any NetScaler instance.

Important: Do not change the password directly on the NetScaler VPX instance. If you do so, the instance becomes unreachable from the Management Service. To change a password, first create a new admin profile, and then modify the NetScaler instance, selecting this profile from the Admin Profile list.

  1. On the Configuration tab, in the navigation pane, expand NetScaler Configuration, and then click Admin Profiles.
  2. In the Admin Profiles pane, click Add.
  3. In the Create Admin Profile dialog box, set the following parameters:
    • Profile Name*—Name of the admin profile. The default profile name is nsroot. You can create user-defined profile names.
    • User Name—User name used to log on to the NetScaler instances. The user name of the default profile is nsroot and cannot be changed.
    • Password*—The password used to log on to the NetScaler instance. Maximum length: 31 characters.
    • Confirm Password*—The password used to log on to the NetScaler instance.
  4. Click Create. The admin profile you created appears in the Admin Profiles pane.

To upload a NetScaler VPX .xva file

You must upload a NetScaler VPX .xva file to the SDX appliance before provisioning the NetScaler VPX instances.

  1. Download the Virtual Appliance XVA from the SDX Software Bundle Download Page.
  2. On the Configuration tab, in the navigation pane, expand NetScaler Configuration, and then click Software Images.
  3. On the right, switch to the XVA Files tab and then click Upload.
  4. In the Upload NetScaler Instance XVA dialog box, click Browse and select the XVA image file that you want to upload. Click Upload. The XVA image file appears in the NetScaler XVA Files pane after it is uploaded.

To provision a NetScaler instance

  1. On the Configuration tab, in the navigation pane, expand NetScaler Configuration, and then click Instances.
  2. In the NetScaler Instances pane, click Add.
  3. In the Provision NetScaler Wizard follow the instructions in the wizard.
  4. Click Create. The NetScaler instance you provisioned appears in the NetScaler Instances pane.

The wizard will ask for the following info:

  • Name* – The host name assigned to the NetScaler instance.
  • IP Address* – The NetScaler IP (NSIP) address at which you access a NetScaler instance for management purposes. A NetScaler instance can have only one NSIP. You cannot remove an NSIP address.
  • Netmask* – The subnet mask associated with the NSIP address.
  • Gateway* – The default gateway that you must add on the NetScaler instance if you want access through SSH or the configuration utility from an administrative workstation or laptop that is on a different network.
  • Nexthop to Management Service (11.0 build 64 and newer) – Adds a static route on the NSIP network so SDX Management Service can communicate with the instance NSIP. Only needed if instance default gateway and instance NSIP are on separate networks.  💡
  • XVA File* – The .xva image file that you need to provision. This file is required only when you add a NetScaler instance.
  • Feature License* – Specifies the license you have procured for the NetScaler. The license could be Standard, Enterprise, and Platinum.
  • Admin Profile* – The profile you want to attach to the NetScaler instance. This profile specifies the user credentials that are used by the Management Service to provision the NetScaler instance and later, to communicate with the instance to retrieve configuration data. The user credentials used in this profile are also used while logging on to the NetScaler instance by using the GUI or the CLI. It is recommended that you change the default password of the admin profile. This is done by creating a new profile with a user-defined password. For more information, see Configuring Admin Profiles.
  • Total Memory (MB)* – The total memory allocated to the NetScaler instance.
  • #SSL Cores* – Number of SSL cores assigned to the NetScaler instance. SSL cores cannot be shared. The instance is restarted if you modify this value.
  • Throughput (Mbps)* – The total throughput allocated to the NetScaler instance. The total used throughput should be less than or equal to the maximum throughput allocated in the SDX license. If the administrator has already allocated full throughput to multiple instances, no further throughput can be assigned to any new instance.
  • Packets per second* – The total number of packets received on the interface every second.
  • CPU – Assign a dedicated core or cores to the instance or the instance shares a core with other instance(s).
  • User Name* – The root user name for the NetScaler instance administrator. This user has superuser access, but does not have access to networking commands to configure VLANs and interfaces. (List of non-accessible commands will be listed here in later versions of this document)
  • Password* – The password for the root user.
  • Shell/Sftp/Scp Access* – The access allowed to the NetScaler instance administrator.
  • Interface Settings – This specifies the network interfaces assigned to a NetScaler instance. You can assign interfaces to an instance. For each interface, if you select Tagged, specify a VLAN ID.
    • Important: The interface ID numbers of interfaces that you add to an instance do not necessarily correspond to the physical interface numbering on the SDX appliance. For example, if the first interface that you associate with instance 1 is SDX interface 1/4, it appears as interface 1/1 when you log on to the instance and view the interface settings, because it is the first interface that you associated with instance 1.
    • If a non-zero VLAN ID is specified for a NetScaler instance interface, all the packets transmitted from the NetScaler instance through that interface will be tagged with the specified VLAN ID. If you want incoming packets meant for the NetScaler instance that you are configuring to be forwarded to the instance through a particular interface, you must tag that interface with the VLAN ID you want and ensure that the incoming packets specify the same VLAN ID.
    • For an interface to receive packets with several VLAN tags, you must specify a VLAN ID of 0 for the interface, and you must specify the required VLAN IDs for the NetScaler instance interface.
  • NSVLAN ID – An integer that uniquely identifies the NSVLAN. Minimum value: 2. Maximum value: 4095.
  • Tagged – Designate all interfaces associated with the NSVLAN as 802.1q tagged interfaces.
  • Interfaces – Bind the selected interfaces to the NSVLAN.


Here are screenshots from the wizard:

  1. In the Provision NetScaler section, enter a name for the instance.
  2. Enter the NSIP, mask, and Gateway.
  3. Nexthop to Management Service is new in 11.0 build 64 and newer. If the default gateway is on a different network than the NSIP, then enter a next hop router address on the NSIP network so the SDX Management Service can communicate with the NSIP.  💡
  4. In the XVA File field, you can Browse > Local to select an XVA file on your file system. Or you can Browse > Appliance and select an XVA file that has already been uploaded.

  5. Change the Feature License to Platinum.
  6. Select an Admin Profile created earlier.
  7. Enter a Description. Scroll down.
  8. In the Resource Allocation section, change the Total Memory to 4096.
  9. For SSL Chips, specify between 1 and 16.
  10. For Throughput, partition your licensed bandwidth. If you are licensed for 8 Gbps, make sure the total of all VPX instances does not exceed that number.
  11. Burstable is also an option. Fixed bandwidth can’t be shared with other instances. Burstable can be shared. See Bandwidth Metering in NetScaler SDX at docs.citrix.com
  12. For CPU, select one of the Dedicated options. Then scroll down.
  13. In the Instance Administration section, enter a new local account that will be created on the VPX. This is in addition to the nsroot user. Note that not all functionality is available to this account. Scroll down.
  14. In the Network Settings section, leave 0/1 selected and deselect 0/2.
  15. Click Add to connect the VPX to more interfaces.
  16. If you have Port Channels, select one of the LA interfaces.
  17. Try not to configure any VLAN settings here. If you do, XenServer filters the VLANs available to the VPX instance. Changing the VLAN filtering settings later probably requires a reboot. Click Add.
  18. In the Management VLAN Settings section, do not configure anything in this section unless you need to tag the NSIP VLAN. Click Done.
  19. After a couple minutes the instance will be created. Click Close.
  20. In your Instances list, click the IP address to launch the VPX management console. Do the following at a minimum (instructions in the NetScaler System Configuration page):
    1. Enable MAC Based Forwarding – System > Settings > Configure Modes > MAC Based Forwarding
    2. Add SNIPs for each VLAN – System > Network > IPs
    3. Add VLANs and bind to SNIPs – System > Network > VLANs
    4. Change default gateway – System > Network > Routes > 0.0.0.0
    5. Create another instance on a different SDX and High Availability pair them together – System > High Availability

Applying the Administration Configuration

At the time of provisioning a NetScaler VPX instance, the Management Service creates some policies, instance administration (admin) profile, and other configuration on the VPX instance. If the Management Service fails to apply the admin configuration at this time due to any reason (for example, the Management Service and the NetScaler VPX instance are on different subnetworks and the router is down or if the Management Service and NetScaler VPX instance are on the same subnet but traffic has to pass through an external switch and one of the required links is down), you can explicitly push the admin configuration from the Management Service to the NetScaler VPX instance at any time.

  1. On the Configuration tab, in the navigation pane, click NetScaler.
  2. In the NetScaler Configuration pane, click Apply Admin Configuration.
  3. In the Apply Admin Configuration dialog box, in Instance IP Address, select the IP address of the NetScaler VPX instance on which you want to apply the admin configuration.
  4. Click OK.

VPX Instances – Manage

You may log in to the VPX instance and configure everything normally. SDX also offers the ability to manage IP addresses and SSL certificates from SDX rather than from inside the VPX instance. The SDX Management Service does not have the ability to create certificates, so it’s probably best to do that from within the VPX instance.

To view the console of a NetScaler instance

  1. Connect to the Management Service using https.
  2. Viewing the console might not work unless you replace the Management Service certificate.
  3. In the Management Service, go to Configuration > NetScaler > Instances.
  4. On the right, right-click an instance and click Console.
  5. The instance console then appears.
  6. Another option is to use the Lights Out Module and the xl console command as detailed at Citrix Blog Post SDX Remote Console Access of VIs.


To start, stop, delete, or restart a NetScaler instance

  1. On the Configuration tab, in the navigation pane, expand NetScaler and click Instances.
  2. In the Instances pane, right-click the NetScaler instance on which you want to perform the operation, and then click Start or Shut Down or Delete or Reboot.
  3. In the Confirm message box, click Yes.


Creating a Subnet IP Address on a NetScaler Instance

You can create or delete a SNIP during runtime without restarting the NetScaler instance.

  1. On the Configuration tab, in the navigation pane, click NetScaler.
  2. In the NetScaler Configuration pane, click Create IP.
  3. In the Create NetScaler IP dialog box, specify values for the following parameters.
    • IP Address* – Specify the IP address assigned as the SNIP or the MIP address.
    • Netmask* – Specify the subnet mask associated with the SNIP or MIP address.
    • Type* – Specify the type of IP address. Possible values: SNIP.
    • Save Configuration* – Specify whether the configuration should be saved on the NetScaler. Default value is false.
    • Instance IP Address* – Specify the IP address of the NetScaler instance.
  4. Click Create.

Create a VLAN on a NetScaler instance

  1. Go to NetScaler > Instances.
  2. Right-click an instance and click VLAN Bindings.
  3. Click Add.
  4. Enter a VLAN ID and select an interface.
  5. Check the box for Tagged if needed.
  6. Notice there’s no way to bind a SNIP. You do that inside the instance. Click Create.

To save the configuration on a NetScaler instance

  1. On the Configuration tab, in the navigation pane, click NetScaler.
  2. In the NetScaler pane, click Save Configuration.
  3. In the Save Configuration dialog box, in Instance IP Address, select the IP addresses of the NetScaler instances whose configuration you want to save.
  4. Click OK.

Change NSIP of VPX Instance

If you change NSIP inside of VPX instead of using the Modify Instance wizard in the Service VM, see article http://support.citrix.com/article/CTX139206 to adjust the XenServer settings.

Enable Call Home

  1. On the Configuration tab, in the navigation pane, click the NetScaler node.
  2. On the right, click Call Home.
  3. Enter an email address to receive communications regarding NetScaler Call Home.
  4. Check the box next to Enable Call Home.
  5. Select the instances to enable Call Home and click OK.
  6. You can view the status of Call Home by expanding NetScaler and clicking Call Home.
  7. The right pane indicates if it’s enabled or not. You can also configure Call Home from here.

VPX Instance – Firmware Upgrade

Upload NetScaler Firmware Build Files

To upgrade a VPX instance from the Management Service, first upload the firmware build file.

  1. Download the NetScaler firmware using the normal method.
  2. In the Configuration tab, on the left, expand NetScaler and click Software Images.
  3. On the right, in the Software Images tab click Upload.
  4. Browse to the build…tgz file and click Open.

Upgrading Multiple NetScaler VPX Instances

You can upgrade multiple instances at the same time.

  1. To prevent any loss of the configuration running on the instance that you want to upgrade, save the configuration on the instance before you upgrade the instance.
  2. On the Configuration tab, in the navigation pane, expand NetScaler and click Instances.
  3. Right-click an instance and click Upgrade.
  4. In the Upgrade NetScaler dialog box, in Build File, select the NetScaler upgrade build file of the version you want to upgrade to. Ignore the Documentation File. Click OK.

Management Service Monitoring

  1. To view syslog, in the navigation pane, expand System, click Auditing and then click Syslog Messages in the right pane.
  2. To view the task log, in the navigation pane, expand Diagnostics, and then click Task Log.
  3. To view Management Service events, on the Configuration tab, in the navigation pane, expand System and click Events.
  4. NetScaler > Entities lets you see the various Load Balancing entities configured on the instances.
  5. To view instance alerts, go to NetScaler > Events > All Events.
  6. There is also event reporting.

Management Service Backups

The SDX appliance automatically keeps three backups of the Service VM configuration that are taken daily at 12:30 am.

Backups in NetScaler SDX 11.0 contain the following:

  • Single bundle image
  • NetScaler XVA image
  • NetScaler upgrade image
  • Management Service image
  • Management Service configuration
  • NetScaler SDX configuration
  • NetScaler configuration

You can go to Management Service > Backup Files to backup or restore the appliance’s configuration. And you can download the backup files.

You can configure the number of retained backups by clicking System on the left and then clicking Backup Policy in the right pane.

Web Interface Load Balancing – NetScaler 11

Last Modified: Nov 6, 2020 @ 7:24 am


This procedure is only needed if you are running Web Interface instead of StoreFront.

Monitor

  1. On the left, expand Traffic Management, expand Load Balancing, and click Monitors.
  2. On the right, click Add.
  3. Name it Web Interface or similar.
  4. Change the Type drop-down to CITRIX-WEB-INTERFACE.
  5. If you will use SSL to communicate with the Web Interface servers, then scroll down and check the box next to Secure.
  6. Switch to the Special Parameters tab.
  7. In the Site Path field, enter the path of a XenApp Web site (e.g. /Citrix/XenApp/).
    • Make sure you include the slash (/) on the end of the path or else the monitor won’t work.
    • The site path is also case sensitive.
  8. Click Create.

Servers

  1. On the left, expand Traffic Management, expand Load Balancing, and click Servers.
  2. On the right, click Add.
  3. Enter a descriptive server name, usually it matches the actual server name.
  4. Enter the IP address of the server.
  5. Enter comments to describe the server. Click Create.
  6. Continue adding Web Interface servers.

Service Group

  1. On the left, expand Traffic Management, expand Load Balancing, and click Service Groups.

  2. On the right, click Add.
  3. Give the Service Group a descriptive name (e.g. svcgrp-WI-SSL).
  4. Change the Protocol to HTTP or SSL. If the protocol is SSL, ensure the Web Interface Monitor has Secure enabled.
  5. Scroll down and click OK.
  6. Click where it says No Service Group Member.
  7. If you did not create server objects then enter the IP address of a Web Interface Server. If you previously created a server object then change the selection to Server Based and select the server object.
  8. Enter 80 or 443 as the port. Then click Create.

  9. To add more members, click where it says 1 Service Group Member and then click Add. Click Close when done.

  10. On the right, under Advanced Settings, click Monitors.
  11. On the left, in the Monitors section, click where it says No Service Group to Monitor Binding.
  12. Click the arrow next to Click to select.
  13. Select the Web Interface monitor and click Select.
  14. Then click Bind.
  15. To verify if the monitor is working or not, on the left, in the Service Group Members section, click the Service Group Members line.

  16. Highlight a member and click Monitor Details.
  17. The Last Response should indicate that Set-Cookie header was found. Click Close twice when done.
  18. Then click Done.

Load Balancing Virtual Server

  1. Create or install a certificate that will be used by the SSL Virtual Server. This certificate must match the DNS name for the load balanced Web Interface servers.
  2. On the left, under Traffic Management > Load Balancing, click Virtual Servers.

  3. On the right click Add.
  4. Name it Web Interface-SSL-LB or similar.
  5. Change the Protocol to SSL.
  6. Specify a new internal VIP.
  7. Enter 443 as the Port.
  8. Click OK.
  9. On the left, in the Services and Service Groups section, click where it says No Load Balancing Virtual Server ServiceGroup Binding.
  10. Click the arrow next to Click to select.
  11. Select your Web Interface Service Group and click Select.
  12. Click Bind.
  13. Click Continue.
  14. Click where it says No Server Certificate.
  15. Click the arrow next to Click to select.
  16. Select the certificate for this Web Interface Load Balancing Virtual Server and click Select.
  17. Click Bind.
  18. Click Continue.
  19. On the right, in the Advanced Settings column, click Persistence.
  20. Select SOURCEIP persistence. Note: COOKIEINSERT also works with Web Interface. However, it doesn’t work with StoreFront.
  21. Set the timeout to match the timeout of Web Interface.
  22. The IPv4 Netmask should default to 32 bits.
  23. Click OK.
  24. If you haven’t enabled the Default SSL Profile, then perform the other normal SSL configuration, including: disable SSLv3, bind a Modern Cipher Group, and enable Strict Transport Security.
    bind ssl vserver MyvServer -certkeyName MyCert
    set ssl vserver MyvServer -ssl3 DISABLED -tls11 ENABLED -tls12 ENABLED
    unbind ssl vserver MyvServer -cipherName ALL
    bind ssl vserver MyvServer -cipherName Modern
    bind ssl vserver MyvServer -eccCurveName ALL
    bind lb vserver MyvServer -policyName insert_STS_header -priority 100 -gotoPriorityExpression END -type RESPONSE

SSL Redirect – Down vServer Method

If you created an SSL Virtual Server that only listens on SSL 443, users must enter https:// when navigating to the website. To make it easier for the users, create another load balancing Virtual Server on the same VIP that listens on HTTP 80 and then redirects the user’s browser to reconnect on SSL 443. This section details the Down vServer method. Alternatively you can configure the Responder method.

  1. On the left, under Traffic Management > Load Balancing, click Virtual Servers.

  2. On the right, find the SSL Virtual Server you’ve already created, right-click it and click Add. Doing it this way copies some of the data from the already created Virtual Server.
  3. Change the name to indicate that this new Virtual Server is an SSL Redirect.
  4. Change the Protocol to HTTP on Port 80.
  5. The IP Address should already be filled in. It must match the original SSL Virtual Server. Click OK.
  6. Don’t select any services. This vServer must intentionally be marked down so the redirect will take effect. Click Continue.
  7. On the right, in the Advanced Settings column, click Protection.
  8. In the Redirect URL field, enter the full URL including https://. For example: https://citrix.company.com/Citrix/XenApp. Click OK.
  9. Click Done.
  10. When you view the SSL redirect Virtual Server in the list, it will have a state of DOWN. That’s OK. The Port 80 Virtual Server must be DOWN for the redirect to work.

Global Server Load Balancing (GSLB) – NetScaler 11

Last Modified: Nov 7, 2020 @ 6:34 am


GSLB Planning

GSLB is nothing more than DNS. GSLB is not in the data path. GSLB receives a DNS query and GSLB sends back an IP address, which is exactly how a DNS server works. However, GSLB can do some things that DNS servers can’t do:

  • Don’t give out an IP address unless it is UP (monitoring)
    • If active IP address is down, give out the passive IP address (active/passive)
  • Give out the IP address that is closest to the user (proximity load balancing)
  • Give out different IPs for internal vs external (DNS View)

GSLB is only useful if you have a single DNS name that could resolve to two or more IP addresses. If there’s only one IP address then use normal DNS instead.

Citrix Blog Post Global Server Load Balancing: Part 1 explains how DNS queries work and how GSLB fits in.

Citrix has a good DNS and GSLB Primer.

When configuring GSLB, don’t forget to ask “where is the data?”. For XenApp/XenDesktop, DFS multi-master replication of user profiles is not supported so configure “home” sites for users. More information at Citrix Blog Post XenDesktop, GSLB & DR – Everything you think you know is probably wrong!

GSLB can be enabled both externally and internally. For external GSLB, configure it on the DMZ NetScaler appliances and expose it to the Internet. For internal GSLB, configure it on internal NetScaler appliances. Note: Each NetScaler appliance only has one DNS table so if you try to use one NetScaler for both public and internal then be aware that external users can query for internal GSLB-enabled DNS names. As described by Phil Bossman in the comments, you can use a Responder policy to prevent external users from reading internal DNS names.  💡

add policy patset GSLB_INTERNAL
bind policy patset GSLB_INTERNAL internalHostname.gslb.domain.com -index 1
add responder action DNS_Empty_Response respondwith DNS.NEW_RESPONSE
add responder policy GSLB_DNS_Empty_Response "(!(CLIENT.IP.SRC.IN_SUBNET(10.0.0.0/8)||CLIENT.IP.SRC.IN_SUBNET(192.168.0.0/16)||CLIENT.IP.SRC.IN_SUBNET(172.16.0.0/12)) && DNS.REQ.QUESTION.DOMAIN.CONTAINS_ANY(\"GSLB_INTERNAL\"))" DNS_Empty_Response
bind responder global GSLB_DNS_Empty_Response 100 END -type DNS_REQ_DEFAULT
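The responder policy above is easy to get subtly wrong (a mistyped private range silently turns internal clients into "external" ones and hands them empty answers). The following is an added offline model of that policy, not NetScaler code and not from the original post: it evaluates the same expression (source IP not in the RFC 1918 ranges AND question name matches the GSLB_INTERNAL patset) over constructed sample queries so the rule can be sanity-checked before it is bound. The patset contents, sample IPs and the case-insensitive match are assumptions.

```python
"""Offline model of the GSLB DNS responder policy (constructed example).

Models:  !(CLIENT.IP.SRC.IN_SUBNET(...) || ...) && DNS.REQ.QUESTION.DOMAIN.CONTAINS_ANY("GSLB_INTERNAL")
A True result means the responder action fires and an empty DNS.NEW_RESPONSE goes back.
"""
import ipaddress

# RFC 1918 ranges the policy treats as "internal". Intended values:
INTERNAL_SUBNETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# A plausible slip (constructed): second and third ranges mistyped. Both are
# syntactically valid networks, so the appliance accepts them without complaint.
MISTYPED_SUBNETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.0.0.0/12"),   # covers 172.0.0.0-172.15.255.255, not 172.16-31
    ipaddress.ip_network("192.0.0.0/16"),   # covers 192.0.x.x, not 192.168.x.x
]

# Equivalent of the GSLB_INTERNAL patset (assumed entry, matching the page's example).
GSLB_INTERNAL = ["internalHostname.gslb.domain.com"]


def is_internal_client(src_ip: str, subnets=INTERNAL_SUBNETS) -> bool:
    """Models CLIENT.IP.SRC.IN_SUBNET(a) || CLIENT.IP.SRC.IN_SUBNET(b) || ..."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in subnets)


def matches_patset(qname: str, patset=GSLB_INTERNAL) -> bool:
    """Models DNS.REQ.QUESTION.DOMAIN.CONTAINS_ANY(patset).

    Assumption: modelled case-insensitively and ignoring a trailing dot, since DNS
    names are case-insensitive; confirm the appliance's text mode matches before relying on it.
    """
    q = qname.rstrip(".").lower()
    return any(entry.lower() in q for entry in patset)


def returns_empty_response(src_ip: str, qname: str, subnets=INTERNAL_SUBNETS) -> bool:
    """True when the policy fires, i.e. an external client asked for an internal GSLB name."""
    return (not is_internal_client(src_ip, subnets)) and matches_patset(qname)


def internal_clients_denied(sample_ips, subnets) -> list:
    """Internal-range sample clients that a given subnet list would wrongly treat as external.

    Returns the IPs that would receive an empty answer for an internal GSLB name.
    """
    name = GSLB_INTERNAL[0]
    return [ip for ip in sample_ips if returns_empty_response(ip, name, subnets)]


# Constructed sample queries: (client source IP, question name)
SAMPLE_QUERIES = [
    ("192.168.5.20", "internalHostname.gslb.domain.com"),   # internal client, internal name
    ("172.20.1.7",   "INTERNALHOSTNAME.gslb.domain.com."),  # internal client, odd case + trailing dot
    ("203.0.113.9",  "internalHostname.gslb.domain.com"),   # external client, internal name
    ("203.0.113.9",  "citrix.gslb.domain.com"),             # external client, public name
]

INTERNAL_SAMPLE_IPS = ["10.1.2.3", "172.20.1.7", "192.168.5.20"]


def evaluate(queries=SAMPLE_QUERIES, subnets=INTERNAL_SUBNETS):
    """Return [(src_ip, qname, empty_response)] for each query under the given subnet list."""
    return [(ip, name, returns_empty_response(ip, name, subnets)) for ip, name in queries]


if __name__ == "__main__":
    for ip, name, empty in evaluate():
        print(f"{ip:>14}  {name:<40} -> {'EMPTY' if empty else 'answered'}")
    print("internal clients denied with intended ranges:", internal_clients_denied(INTERNAL_SAMPLE_IPS, INTERNAL_SUBNETS))
    print("internal clients denied with mistyped ranges:", internal_clients_denied(INTERNAL_SAMPLE_IPS, MISTYPED_SUBNETS))
```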

For internal and external GSLB of the same DNS name on the same appliance, you can use DNS Policies and DNS Views to return different IP addresses depending on where users are connecting from. Citrix CTX130163 How to Configure a GSLB Setup for Internal and External Users Using the Same Host Name.

However, GSLB monitoring applies to the entire GSLB Service so it would take down both internal and external GSLB. If you need different GSLB monitoring for internal and external of the same DNS name, try CNAME:

  • External citrix.company.com:
    • Configure NetScaler GSLB for citrix.company.com.
    • On public DNS, delegate citrix.company.com to the NetScaler DMZ ADNS services.
  • Internal citrix.company.com:
    • Configure NetScaler GSLB for citrixinternal.company.com or something like that.
    • On internal DNS, create CNAME for citrix.company.com to citrixinternal.company.com
    • On internal DNS, delegate citrixinternal.company.com to NetScaler internal ADNS services.


Some IP Addresses are needed on each NetScaler pair:

  • ADNS IP: An IP that will listen for ADNS queries. For external, create a public IP for the ADNS IP and open UDP 53 so Internet-based DNS servers can access it. This can be an existing SNIP on the appliance.
  • GSLB Site IP / MEP IP: A GSLB Site IP that will be used for NetScaler-to-NetScaler communication, which is called MEP or Metric Exchange Protocol. The IP for ADNS can also be used for MEP / GSLB Site.
    • RPC Source IP: If running NetScaler 11.0 build 64 or newer, then the GSLB Site IP can be anything and RPC traffic (MEP) can be sourced from the GSLB IP. For older NetScaler builds, RPC traffic is sourced from a SNIP, even if this is different from the GSLB Site IP. In older builds, it’s less confusing if you use a SNIP as the GSLB Site IP.
    • Public IP: For external GSLB, create public IPs that are NAT’d to the GSLB Site IPs. The same public IP used for ADNS can also be used for MEP. MEP should be routed across the Internet so NetScaler can determine if the remote datacenter has Internet connectivity or not.
    • MEP Port: Open port TCP 3009 between the two NetScaler GSLB Site IPs. Make sure only the NetScalers can access this port on the other NetScaler. Do not allow any other device on the Internet to access this port. This port is encrypted.
    • GSLB Sync Ports: To use GSLB Configuration Sync, open ports TCP 22 and TCP 3008 from the NSIP (management IP) to the remote public IP that is NAT’d to the GSLB Site IP. The GSLB Sync command runs a script in BSD shell and thus NSIP is always the Source IP.
  • DNS Queries: The purpose of GSLB is to resolve a DNS name to one of several potential IP addresses. These IP addresses are usually public IPs that are NAT’d to existing Load Balancing, SSL Offload, Content Switching, or NetScaler Gateway VIPs in each datacenter.
  • IP Summary: In summary, for external GSLB, you will need a minimum of two public IPs in each datacenter:
    • One public IP that is NAT’d to the IP that is used for ADNS and MEP (GSLB Site IP). You only need one IP for ADNS / MEP no matter how many GSLB names are configured. MEP (GSLB Site IP) can be a different IP, if desired.
    • One public IP that is NAT’d to a Load Balancing, SSL Offload, Content Switching, or NetScaler Gateway VIP.
    • If you GSLB-enable multiple DNS names, each DNS name usually resolves to different IPs. This usually means that you will need additional public IPs NAT’d to additional VIPs.

ADNS

  1. Identify a NetScaler-owned IP that you will use for ADNS. This is typically a SNIP.
  2. Configure a public IP for the ADNS Service IP and configure firewall rules.
  3. On the left, expand Load Balancing and click Services.
  4. On the right, click Add.
  5. Name the service ADNS or similar.
  6. In the IP Address field, enter an appliance SNIP.
  7. In the Protocol field, select ADNS. Then click OK.
  8. Scroll down and click Done.
  9. On the left of the console, expand System, expand Network and then click IPs.
  10. On the right, you’ll see the SNIP as now being marked as the ADNS svc IP. If you don’t see this yet, click the Refresh icon.
  11. Repeat on the other appliance in the other datacenter.

Metric Exchange Protocol

  1. Select an IP to be the GSLB Site IP. In NetScaler 11.0 build 64 and newer, this can be any IP. In older builds, you can use the same SNIP and same public IP used for ADNS.
  2. Open the firewall rules for Metric Exchange Protocol.
  3. On the left, expand Traffic Management, right-click GSLB and enable the feature.
  4. Expand GSLB and click Sites.
  5. On the right, click Add.
  6. Add the local site first. Enter a descriptive name and in the Site Type select LOCAL.
  7. In the Site IP Address field, enter an IP that this appliance will listen for MEP traffic. This IP must be in the default Traffic Domain. (Note: NetScaler 11.0 build 64 supports GSLB in Admin Partitions).
  8. For external GSLB, in the Public IP Address field, enter the public IP that is NAT’d to the GSLB Site IP. For internal GSLB, there’s no need to enter anything in the Public IP field. Click Create.
  9. Go back to System > Network > IPs and verify that the IP is now marked as a GSLB site IP. If you don’t see it yet, click the Refresh button.
  10. If you want to use the GSLB Sync Config feature, then you’ll need to edit the GSLB site IP and enable Management Access.
  11. When you enable Management Access on a dedicated GSLB site IP, SSH is already selected by default. That’s all you need.
  12. Go to the other appliance and also create the local GSLB site using its GSLB site IP and its public IP that is NAT’d to the GSLB site IP.
  13. In System > Network > IPs on the remote appliance, there should now be a GSLB site IP. This could be a SNIP. If GSLB Sync is desired, enable management access on that IP and ensure SSH is enabled.
  14. Now on each appliance add another GSLB Site, which will be the remote GSLB site.
  15. Enter a descriptive name and select REMOTE as the Site Type.
  16. Enter the other appliance’s actual GSLB Site IP as configured on the appliance. This IP does not need to be reachable.
  17. In the Public IP field, enter the public IP that is NAT’d to the GSLB Site IP on the other appliance. For MEP, TCP 3009 must be open to this IP from the local GSLB Site IP. For GSLB sync, TCP 22, and TCP 3008 must be open to this IP from the local NSIP. Click Create.
  18. Repeat on the other appliance.
  19. MEP will not function yet since the NetScalers are currently configured to communicate unencrypted on TCP 3011. To fix that, on the left, expand System, expand Network and click RPC.
  20. On the right, edit the new RPC address (the other site’s GSLB Site IP) and click Open.
  21. On the bottom, check the box next to Secure.
  22. In NetScaler 11.0 build 64 or newer, if your GSLB Site IP is not a SNIP then you’ll need to change the RPC Node to use the local GSLB Site IP as the source IP. Uncheck IPv6 first. Then enter the local GSLB Site IP. Click OK when done.
  23. Do the same thing on the other appliance.
  24. If you go back to GSLB > Sites, you should see it as active.

GSLB Services

GSLB Services represent the IP addresses that are returned in DNS responses: the DNS query carries the DNS name, and the DNS response carries the IP address.

GSLB should be configured identically on both NetScalers. Since you have no control over which NetScaler will receive the DNS query, you must ensure that both NetScalers are giving out the same DNS responses.

Create the same GSLB Services on both NetScalers:

  1. Start on the appliance in the primary data center. This appliance should already have a traffic Virtual Server (NetScaler Gateway, Load Balancing, or Content Switching) for the DNS name that you are trying to GSLB enable.
  2. On the left, expand Traffic Management > GSLB and click Services.
  3. On the right, click Add.
  4. The service name should be similar to the DNS name that you are trying to GSLB. Include the site name in the service name.
  5. Select the LOCAL Site.
  6. On the bottom part, select Virtual Servers and then select a Virtual Server that is already defined on this appliance. It should automatically fill in the other fields. If you see a message asking if you wish to create a service object, click Yes.
  7. Scroll up and make sure the Service Type is SSL. It’s annoying that NetScaler doesn’t set this drop-down correctly.
  8. The Public IP field contains the actual IP Address that the GSLB ADNS service will hand out. Make sure this Public IP is user accessible. It doesn’t even need to be a NetScaler owned IP.
  9. Scroll down and click OK.
  10. If the GSLB Service IP is a VIP on the local appliance, then GSLB will simply use the state of the local traffic Virtual Server (Load Balancing, Content Switching, or Gateway). If the GSLB Service IP is a VIP on a remote appliance, then GSLB will use MEP to ask the other appliance for the state of the remote traffic Virtual Server. In both cases, there’s no need to bind a monitor to the GSLB Service.
  11. However, you can also bind monitors directly to the GSLB Service. Here are some reasons for doing so:
    • If the GSLB Service IP is a NetScaler-owned traffic VIP, but the monitors bound to the traffic Virtual Server are not the same ones you want to use for GSLB. When you bind monitors to the GSLB Services, the monitors bound to the traffic Virtual Server are ignored.
    • If the GSLB Service IP is in a non-default Traffic Domain, then you will need to attach a monitor since GSLB cannot determine the state of Virtual Servers in non-default Traffic Domains.
    • If the GSLB Service IP is not hosted on a NetScaler, then only GSLB Service monitors can determine if the Service IP is up or not.
  12. If you intend to do GSLB active/active and if you need site persistence then you can configure your GSLB Services to use Connection Proxy or HTTP Redirect. See Citrix Blog Post Troubleshooting GSLB Persistence with Fiddler for more details.
  13. Click Done.
  14. On the other datacenter NetScaler, create a GSLB Service.
  15. Select the REMOTE site that is hosting the service.
  16. Since the service is on a different appliance and not this one, you won’t be able to select it using the Virtual Servers option. Instead, select New Server.
  17. For the Server IP, enter the actual VIP configured on the other appliance. This local NetScaler will use GSLB MEP to communicate with the remote NetScaler to find a traffic Virtual Server with this VIP. The remote NetScaler responds with whether the remote traffic Virtual Server is up or not. The remote Server IP configured here does not need to be directly reachable by this local appliance. If the Server IP is not owned by either NetScaler, then you will need to bind monitors to your GSLB Service.
  18. In the Public IP field, enter the IP address that will be handed out to clients. This is the IP address that users will use to connect to the service. For Public DNS, you enter a Public IP that is usually NAT’d to the traffic VIP. For internal DNS, the Public IP and the Server IP are usually the same.
  19. Scroll up and change the Service Type to match the Virtual Server defined on the other appliance.
  20. Click OK.
  21. Just like the other appliance, you can also configure Site Persistence and GSLB Service Monitors. Click Done when done.
  22. Create more GSLB Services, one for each traffic VIP. GSLB is useless if there’s only one IP address to return. You should have multiple IP addresses (VIPs) through which a web service (e.g. NetScaler Gateway) can be accessed. Each of these VIPs is typically in different datacenters, or on different Internet circuits. The mapping between DNS name and IP addresses is configured in the GSLB vServer, as detailed in the next section.

GSLB Virtual Server

The GSLB Virtual Server is the entity that the DNS name is bound to. GSLB vServer then gives out the IP address of one of the GSLB Services that is bound to it.

Configure the GSLB vServer identically on both appliances:

  1. On the left, expand Traffic Management > GSLB, and click Virtual Servers.
  2. On the right, click Add.
  3. Give the GSLB vServer a descriptive name. For active/active, you can name it the same as your DNS name. For active/passive, you will create two GSLB Virtual Servers, one for each datacenter, so include Active or Passive in the Virtual Server name.
  4. Click OK.
  5. If you intend to bind multiple GSLB Services to this GSLB vServer, then you can optionally check the box for Send all “active” service IPs. By default, GSLB only gives out one IP per DNS query. This checkbox always returns all IPs, but the IPs are ordered based on the GSLB Load Balancing Method and/or GSLB Persistence.
  6. On the right, in the Advanced Settings column, click Service.
  7. On the left, click where it says No GSLB Virtual Server to GSLBService Binding.
  8. Click the arrow next to Click to select.
  9. Check the box next to an existing GSLB Service and click Select. If your GSLB is active/passive then only bind one service.
  10. If your GSLB is active/active then bind multiple GSLB Services. Also, you’d probably need to configure GSLB persistence (Source IP or cookies).
  11. Click Bind.
  12. On the right, in the Advanced Settings column, click Domains.
  13. On the left, click where it says No GSLB Virtual Server Domain Binding.
  14. Enter the FQDN that GSLB will resolve.
  15. If this GSLB is active/passive, there are two options:
    • Use the Backup IP field to specify the IP address that will be handed out if the primary NetScaler is inaccessible or if the VIP on the primary appliance is marked down for any reason.
    • Or, create a second GSLB Virtual Server that has the passive GSLB service bound to it. Don’t bind a Domain to the second GSLB Virtual Server. Then edit the Active GSLB Virtual Server and use the Backup Virtual Server section to select the second GSLB Virtual Server.
  16. Click Bind.
  17. If this is active/active GSLB, you can edit the Method section to enable Static Proximity. This assumes the Geo Location database has already been installed on the appliance.
  18. Also for active/active, if you don’t want to use Cookie-based persistence, then you can use the Persistence section to configure Source IP persistence.
  19. Click Done.
  20. If you are configuring active/passive using the backup GSLB Virtual Server method, create a second GSLB Virtual Server that has the passive GSLB service bound to it. Don’t bind a Domain to the second GSLB Virtual Server. Then edit the Active GSLB Virtual Server and use the Backup Virtual Server section to select the second GSLB Virtual Server.
  21. On the left, if you expand Traffic Management > DNS, expand Records and click Address Records, you’ll see a new DNS record for the GSLB domain you just configured. Notice it is marked as GSLB DOMAIN.
  22. Configure identical GSLB Virtual Servers on the other NetScaler appliance. Both NetScalers must be configured identically.
  23. You can also synchronize the GSLB configuration with the remote appliance by going to Traffic Management > GSLB.
  24. On the right, click Synchronize configuration on remote sites.
  25. Use the check boxes on the top, if desired. It’s usually a good idea to Preview the changes before applying them. Then click OK to begin synchronization.
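The GUI steps in the MEP, GSLB Services and GSLB Virtual Server sections above, expressed as the equivalent NetScaler CLI commands for the DC1 appliance. This is an added example, not configuration from the original article; the site and service names, the VIPs and the documentation-range public IPs are constructed placeholders, and the commented lines are annotations rather than CLI input.

```text
# --- DC1 appliance (on the DC2 appliance swap LOCAL/REMOTE, the IPs and -srcIP) ---
enable ns feature GSLB

# Metric Exchange Protocol: local site first, then the remote site.
# Public IPs are what is NAT'd to each site IP (constructed RFC 5737 addresses).
add gslb site DC1_GSLB LOCAL 10.1.1.10 -publicIP 203.0.113.10
add gslb site DC2_GSLB REMOTE 10.2.2.10 -publicIP 198.51.100.10

# Needed only for GSLB Sync: management access (SSH only) on the local site IP.
set ns ip 10.1.1.10 -mgmtAccess ENABLED -ssh ENABLED -gui DISABLED -telnet DISABLED

# MEP is clear text on TCP 3011 until the RPC node for the remote site is
# marked secure (TCP 3009); -srcIP makes MEP leave from the local site IP.
set ns rpcNode 10.2.2.10 -secure YES -srcIP 10.1.1.10

# GSLB Services: one per traffic VIP. The IP is the real VIP on the owning
# appliance (matched to its vserver via MEP, so no monitor is needed); the
# public IP is what ADNS hands to clients. Service type must match the vserver.
add gslb service gateway_DC1 10.1.1.50 SSL 443 -siteName DC1_GSLB -publicIP 203.0.113.50 -publicPort 443
add gslb service gateway_DC2 10.2.2.50 SSL 443 -siteName DC2_GSLB -publicIP 198.51.100.50 -publicPort 443

# Active/passive using the backup GSLB vserver method: the domain is bound
# only to the active vserver; the passive one is reached through -backupVServer.
add gslb vserver gateway_active SSL
add gslb vserver gateway_passive SSL
bind gslb vserver gateway_active -serviceName gateway_DC1
bind gslb vserver gateway_passive -serviceName gateway_DC2
set gslb vserver gateway_active -backupVServer gateway_passive
bind gslb vserver gateway_active -domainName gateway.corp.com -TTL 5

# Active/active alternative for the same domain (use instead of the above):
# both services on one vserver, static proximity with round robin fallback,
# source IP persistence, and all active IPs returned as an ordered list.
# add gslb vserver gateway_aa SSL -lbMethod STATICPROXIMITY -backupLBMethod ROUNDROBIN -persistenceType SOURCEIP -MIR ENABLED
# bind gslb vserver gateway_aa -serviceName gateway_DC1
# bind gslb vserver gateway_aa -serviceName gateway_DC2
# bind gslb vserver gateway_aa -domainName gateway.corp.com -TTL 5

# Verify before relying on it: MEP state of the remote site, the effective
# state of each service, and a dry run of what sync would push to DC2.
show gslb site
show gslb service
sync gslb config -preview
```

Run the mirrored set on the DC2 appliance and compare `show gslb service` on both sides; the two appliances must report the same effective states before the DNS delegation is cut over.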

Some notes regarding GSLB Sync:

  • It’s probably more reliable to do it from the CLI by running sync gslb config and one of the config options (e.g. -preview).
  • GSLB Sync runs as a script on the BSD shell and thus always uses the NSIP as the source IP.
  • GSLB Sync connects to the remote GSLB Site IP on TCP 3008 (if RPC is Secure) and TCP 22.

Test GSLB

  1. To test GSLB, simply point nslookup to the ADNS services and submit a DNS query for one of the DNS names bound to a GSLB vServer. Run the query multiple times to make sure you’re getting the response you expect.
  2. Both NetScaler ADNS services should be giving the same response.
  3. To simulate a failure, disable the traffic Virtual Server.
  4. Then the responses should change. Verify on both ADNS services.
  5. Re-enable the traffic Virtual Server, and the responses should return to normal.

DNS Delegation

If you are enabling GSLB for the domain gateway.corp.com, you’ll need to create a delegation at the server that is hosting the corp.com DNS zone. For public GSLB, you need to edit the public DNS zone for corp.com.

DNS Delegation instructions will vary depending on which product hosts the public DNS zone. This section details Microsoft DNS, but it should be similar in BIND or web-based DNS products.

There are two ways to delegate GSLB-enabled DNS names to NetScaler ADNS:

  • Delegate the individual record. For example, delegate gateway.corp.com to the two NetScaler ADNS services (gslb1.corp.com and gslb2.corp.com).
  • Delegate an entire subzone. For example, delegate the subzone gslb.corp.com to the two NetScaler ADNS services. Then create a CNAME record in the parent DNS zone for gateway.corp.com that is aliased to gateway.gslb.corp.com. When DNS queries make it to NetScaler, they will be for gateway.gslb.corp.com and thus gateway.gslb.corp.com needs to be bound to the GSLB Virtual Server instead of gateway.corp.com. For additional delegations, simply create more CNAME records.

This section covers the first method – delegating an individual DNS record:

  1. Run DNS Manager.
  2. First, create Host Records pointing to the ADNS services running on the NetScalers in each data center. These host records for ADNS are used for all GSLB delegations no matter how many GSLB delegations you need to create.
  3. The first Host record is gslb1 (or similar) and should point to the ADNS service (Public IP) on one of the NetScaler appliances.
  4. The second Host record is gslb2 and should point to the ADNS Service (public IP) on the other NetScaler appliance.
  5. If you currently have a host record for the service that you are delegating to GSLB (gateway.corp.com), delete it.
  6. Right-click the parent DNS zone and click New Delegation.
  7. In the Welcome to the New Delegation Wizard page, click Next.
  8. In the Delegated Domain Name page, enter the left part of the DNS record that you are delegating (e.g. gateway). Click Next.
  9. In the Name Servers page, click Add.
  10. This is where you specify gslb1.corp.com and gslb2.corp.com. Enter gslb1.corp.com and click Resolve. Then click OK. If you see a message about the server not being authoritative for the zone, ignore the message.
  11. Then click Add to add the other GSLB ADNS server.
  12. Once both ADNS servers are added to the list, click Next.
  13. In the Completing the New Delegation Wizard page, click Finish.
  14. If you run nslookup against your Microsoft DNS server, it will respond with Non-authoritative answer. That’s because it got the response from NetScaler and not from itself.

That’s all there is to it. Your NetScalers are now DNS servers. For active/passive, the NetScalers will hand out the public IP address of the primary data center. When the primary data center is not accessible, GSLB will hand out the GSLB Service IP bound to the Backup GSLB vServer.

Geo Location Database

If you want to use DNS Policies, Static Proximity GSLB Load Balancing, or Responders based on the user’s location, import a geo location database.

NetScaler 11 has a built-in database at /var/netscaler/inbuilt_db/ that you can use. Or you can download a database. Common free databases are:

For IP2Location, see the blog post Add IP2Location Database as NetScaler’s Location File for instructions on how to import.

To Download GeoLite Legacy:

  1. Download the GeoLite Country database CSV from http://dev.maxmind.com/geoip/legacy/geolite/.
  2. Note: GeoLite City is actually two files that must be merged as detailed at Citrix Blog Post GeoLite City as NetScaler location database. GeoLite Country doesn’t need any preparation.
  3. Upload the extracted database (.csv file) to the NetScaler appliance at /var/netscaler/locdb.

To import the Geo database (including the built-in database):

  1. In the NetScaler GUI, on the left, expand AppExpert, expand Location and click Static Database (IPv4).
  2. On the right, click Add.
  3. Change the Import From selection to File.
  4. Click Browse.
  5. For the built-in database, browse to /var/netscaler/inbuilt_db/ and open Citrix_NetScaler_InBuild_GeoIP_DB.csv.
  6. Or browse to the Geo Location database file you uploaded and open it.
  7. In the Location Format field, if using the built-in database, select netscaler.
  8. If using GeoLite Country, select geoip-country.
  9. Click Create.
  10. When you open a GSLB Service, the public IP will be translated to a location.

You can use the Geo locations in a DNS Policy, static proximity GSLB Load Balancing, or Responders: