VMware Horizon 6 – Cloud Pod Architecture

Last Modified: Sep 2, 2018 @ 7:50 am

Navigation

Planning

Cloud Pod Architecture lets you create a single icon that load balances connections across multiple pools in multiple pods in multiple sites (datacenters).

  • Entitlements can be local or global. Local means pools only in a single pod. Global means merging pools from multiple pods into a single entitlement.
    • Don’t configure both global and local entitlements for the same pool.
    • A single pool can only belong to one global entitlement.
    • Global Entitlements work in a single pod (good for large pools). Or you can you have multiple pods and multiple sites.
    • Horizon 6.2 supports Global Entitlements for applications. However, it’s one application per global entitlement.
  • Use NetScaler GSLB or F5 GTM to connect Horizon Clients to a Horizon 6 Connection Server. The Horizon 6 Connection Server then uses Global Entitlements to select a pod/pool/desktop.
  • By default, pools in pods in the same site as the Horizon 6 Connection Server that the View Client is connected to are preferred over pools in remote sites. Use Home Sites to override this behavior. Home Sites are assigned to Active Directory user groups.
  • For Dedicated Assignment pools, global entitlement only helps with the initial connection. Once the user is assigned to a desktop then that desktop is always selected. Users are not automatically provided with a desktop from another site if the site containing their dedicated desktop has gone down. The desktop request will fail because the dedicated desktop isn’t available. The administrator could configure a separate Global Entitlement for the users to provide a floating desktop until such time the original site recovers. That floating entitlement should be arranged to deliver desktops from other sites as required.
  • The Horizon 6 Connection Servers participating in Cloud Pod Architecture communicate with each other over TCP 22389 and TCP 8472. Make sure these ports are open.
  • View Administrator includes a new administrator privilege: Manage Global Sessions. The regular Administrators role has access to multiple pods. The new Local Administrators role can only manage the local pod.

Limits:

  • Max users = 20,000
  • Max Pods = 4
  • Max Sites = 2
  • Max Horizon 6 Connection Servers = 20

Traffic flow (Rob Beekmans – VMware Horizon View Cloud Pod – unwanted routing?):

  • Use F5 GTM or NetScaler GSLB to connect users to a Horizon 6 Connection Server in any pod. If active/active, use proximity load balancing to control which pod is initially accessed.
  • The Horizon 6 Connection Server looks up the Global Entitlements to determine the destination pod for the Pool.
  • User’s PCoIP session goes through the initially connected Horizon 6 Connection Server and across the DCI (Datacenter Interconnect) circuit to the remote pod. There’s no way to re-route PCoIP through a Horizon 6 Connection Server in the remote pod. In fact, the Horizon 6 Connection Servers in the remote pod are never accessed. You need sufficient DCI bandwidth to handle this PCoIP traffic.

Initialize First Pod

  1. In View Administrator, on the left, expand View Configuration and click Cloud Pod Architecture.
  2. On the right, click Initialize the Cloud Pod Architecture feature.
  3. Click OK to initialize.
  4. A status page is displayed.
  5. Click OK to reload the client.
  6. On the left, expand View Configuration and click Cloud Pod Architecture.
  7. Feel free to rename the federation.

  8. On the left, expand View Configuration and click Sites.
  9. Rename the Default First Site to be more descriptive.

  10. If you click the site to highlight it, you can rename the Pod to make it more descriptive.

  11. If you add a Replica server after global entitlements are enabled, see Setting up the Cloud Pod Architecture feature on a replicated View Connection Server instance.
  12. See Restoring View Connection Server instances in a Cloud Pod Architecture pod federation.

Additional Pods – Join Federation

  1. Connect to View Administrator in the 2nd pod.
  2. On the left, expand View Configuration and click Cloud Pod Architecture.
  3. On the right, click Join the pod federation.
  4. Enter the name of an existing Horizon 6 Connection Server that is already joined to the federation.
  5. Enter credentials and click OK.
  6. The Join status is displayed.
  7. Click OK to reload the client.
  8. On the left, expand View Configuration and click Sites.
  9. If this pod is in a different site then click Add to create a new site.
  10. Give the site a name and click OK.
  11. Highlight the 1st site.
  12. On the bottom, highlight the new pod and click Edit.
  13. Rename the pod and put it in the 2nd site. Click OK.

Global Entitlements

Do not create both global and local entitlements for the same pool otherwise users might see two icons.

  1. In View Administrator, on the left, expand Catalog and click Global Entitlements.
  2. On the right, click Add.
  3. In the Type page, select Desktop Entitlement or Application Entitlement and click Next.
  4. In the Name and Policies page, give the entitlement (icon) a name. For Application Entitlements, it’s one entitlement per application so include the application name.
  5. Make other selections. The Use home site checkbox tells the global entitlement to respect user home sites but the user home sites can only be configured at the command line (lmvutil). Click Next.
  6. If creating a Desktop Entitlement then there are more options.
  7. In the Users and Groups page, add users that can see the icon. Click Next.
  8. In the Ready to Complete page, click Finish.
  9. Double-click the new global entitlement.
  10. On the Local Pools tab, click Add.
  11. Select the pools you want to add and click Add. Remember, only one app per Global Entitlement.
  12. Go to another pod and view the Global Entitlements.
  13. On the right, double-click the Global Entitlement.
  14. On the Local Pools tab, click Add to add pools from this pod.

Monitoring

  1. Once Global Entitlements are enabled, a new Search Sessions node is added to View Administrator. This allows you to search for sessions across federated pods.
  2. The Dashboard shows the health of remote pods.

Home Sites

Home sites can’t be specified in View Administrator so use lmvutil instead:

  • lmvutil provides almost no feedback.
  • Its parameter names are case sensitive.
  • It requires you to authenticate for every single command.
  • There are different commands for groups vs users.
  • Home sites for groups don’t understand nesting.

Do the following to create home sites and assign them to users:

  1. Run Command Prompt as administrator.
  2. To create home sites for users, see pubs.vmware.com.

Related Pages

VMware Horizon 6 – Virtual Desktop Pools

Last Modified: Sep 2, 2018 @ 7:50 am

This topic details View configuration for Virtual Desktop Agents. RDS Farms are detailed at https://www.carlstalhood.com/horizon-6-rds-farmspools/.

Navigation

Prep

  • Each pool points to one vSphere cluster. 32 hosts maximum. If Virtual SAN, 20 hosts maximum.
  • Ensure vSwitch has sufficient ports for the new virtual desktops.
  • Ensure the VLAN has enough DHCP addresses for the desktop pool.
    • Lower the DHCP lease time too.
  • KMS Licensing is required for Windows 7+ and/or Office 2010+
  • The virtual desktop pools will use the same hardware specs (e.g. vCPUs, memory size, network label) specified on the master virtual desktop. Adjust accordingly.
  • The parent image should be in the same cluster where the linked clone virtual desktops will be created.

Disk space:

  • One or more LUNs for storage of the virtual desktops. Maximum of 140 desktops per VMFS5 LUN. Up to 250+ desktops per NFS LUN.
  • By default, Replicas are copied to each LUN that contains virtual desktops. It’s possible to place the Replica and the linked clones on separate LUNs. If you use a dedicated Replica LUN, then there is only one copy of the Replica no matter how many LUNs are used for storing virtual desktops. Note: NFS VAAI requires Replica to be copied to each virtual desktop LUN.
  • Persistent disks can be used to store the user’s profile (but not user-installed applications). To enable Persistent disks, the pool must be Dedicated Assignment. You can place the persistent disks on a LUN that is separate from the linked clones LUN. A better option is to use View Persona or User Environment Manager instead of Persistent disks.
  • Disposable disks. In Dedicated Assignment pools, you have the option of creating Disposable Disks. These disks are always stored with the virtual desktop (you can’t choose a dedicated disposable disk LUN). If you’re planning to frequently refresh the desktops, there’s no point in using Disposable disks.
  • .vswp files. Allocate disk space for memory swap and graphics memory overhead. Any unreserved memory will result in a .vswp file. For example, if the master virtual desktop has 2 GB of RAM configured and none of it is reserved then each linked clone will have a 2 GB .vswp file.

Floating (Non-Persistent) Desktop Pool

  1. In View Administrator, on the left, expand Catalog and click Desktop Pools.
  2. On the right, you can clone an existing pool. This copies many of the settings from the existing pool into the new pool.
  3. Or just click Add.
  4. In the Type page, select Automated Desktop Pool and click Next.
  5. In the User Assignment page, select Floating and click Next.
  6. In the vCenter Server page, select View Composer linked clones. Select the vCenter server and click Next.
  7. In the Pool Identification page, enter a name for the pool. A VM folder with the Pool ID as the name will be created in vCenter. Also, assign the pool to an Access group to restrict delegated administration. Note: If you intend to integrate with VMware Identity Manager, then make sure you select the root Access group. Other Access Groups won’t work. Click Next.
  8. In the Pool Settings page do the following:
    1. Change the selection for Automatically logoff after disconnect to After and specify a disconnect timer.
    2. Change the selection for Delete or refresh desktop on logoff to Refresh Immediately.
    3. Change the selection for Allow users to choose protocol to No. Then make your desired choices for 3D rendering and Maximum monitors. If not using 3D, max out the number of monitors and the resolution. This will grant more video RAM for each desktop if their video card is set to automatic.
    4. Note: Windows 7 MMR (H.264 only) requires 3D rendering to be enabled.
    5. Scroll down.
    6. Check the box next to HTML Access.
    7. HTML Access requires monitor resolution to be 1920×1200 or higher.
    8. Click Next.
  9. In the Provisioning Settings page, enter a naming pattern. You can use {n:fixed=3} to specify the location for the incremented numerals. Make sure the naming pattern does not conflict with any existing machines.
  10. Enter the maximum number of desktops to create. You can create all of them now or wait to create them as users connect. When a user connects to one of these desktops, View immediately creates another desktop (up to the maximum) and powers it on.
  11. Enter the number of spare (idle, unassigned, unused) desktops you want powered on. View maintains this number up to the maximum number of desktops.
  12. In Horizon 6.2, the maximum number of desktops per pool is 2,000. Ensure that the DHCP scope has enough addresses for the Max number of desktops specified here. Click Next.
  13. In the Disposable File Redirection page, select Do not redirect disposable files and click Next. Since we’re refreshing the desktops on logoff, there’s no need for a separate disposable disk.
  14. In the Storage Optimization page, check the box for Select separate datastores for replica and OS disk if you want to use storage tiering. Click Next.
  15. In the vCenter Settings page, most of these are self-explanatory. Click Browse next to each option and make your selection.
  16. If the Parent VM is not showing up in the list then check the box next to Show all parent VMs and click the next to the VM to see the issue.
  17. For Linked clone datastores, select one or more datastores on which the virtual desktops will be placed. Select your Storage Overcommit preference. Since you are refreshing desktops on every logoff, they should stay small so Unbounded is probably acceptable. VMware recommends no more than 140 virtual desktops per VAAI-enabled LUN. If the LUN is not VAAI enabled, 64 is the maximum. Click OK when done.
  18. For Select Replica Disk Datastores, select one datastore for the replica and then click OK.
  19. Then click Next.
  20. In the Advanced Storage Options page, be aware of the following:
    • View Storage Accelerator creates digest files, which consumes disk space. Creation of the digest files requires IOPS. Make sure to set the blackout times so that this digest creation does not happen during peak hours.
    • Reclaim VM disk space is not useful for non-persistent desktops.
  21. If you scroll down, there’s a new Transparent Page Sharing Scope. The default is no sharing. Use one of the other options to enable sharing. Click Next.
  22. In the Guest Customization page, next to AD container, click Browse and select the OU where virtual desktop computer objects will be placed.
  23. Consider checking the box next to Allow reuse of pre-existing computer accounts. Click Next.
  24. In the Ready to Complete page, you may entitle users now or later. Click Finish.
  25. To check the status of the virtual desktops, go to Catalog > Desktop Pools.
  26. Double-click the pool name.
  27. On the Inventory tab, click Desktops (View Composer Details). There’s a refresh button.
  28. You can also view the status of the desktops by looking at the Dashboard.
  29. Your VMs should eventually have a status of Available.
  30. If you encounter issues with View Composer, see VMware 2087379 VMware Horizon View Composer help center

Entitle Virtual Desktops

To make a pool accessible by a user, it must be entitled.

  1. Go to Catalog > Desktop Pools.
  2. Double-click the pool name.
  3. On the Settings tab, click Entitlements.
  4. In the Entitlements window, click Add.
  5. Find a group that will have permission to log into these desktops and click OK.
  6. Then click OK.
  7. For a Persistent pool, go to the Inventory tab to see the desktops. Select a desktop and under More Commands click Assign User.
  8. Find the user and click OK. Repeat to assign users to additional desktops.

Update a Pool

  1. Power on the master/parent virtual desktop.
  2. After making your changes, shut down the master virtual desktop.
  3. Right-click the virtual machine and take snapshot. You must create a new snapshot.
  4. Name the snapshot and click OK.
  5. If you do this often, you’ll need to periodically delete the older snapshots. Right-click the master VM and click Manage Snapshots.
  6. Delete one or more of the snapshots.
  7. In View Administrator, go to Inventory > Pools.
  8. Double-click a pool name.
  9. On the Settings tab, click View Composer and then click Recompose.
  10. In the Image page, select the new snapshot and click Next.
  11. In the Scheduling page, decide when to apply this new image and then click Next.
  12. In the Ready to Complete page, click Finish.
  13. On the Inventory tab, you can click Desktops (View Composer Details) to check on the status of the recompose task.

Related Pages

VMware Horizon 6 – Master Virtual Desktop

Last Modified: Sep 2, 2018 @ 7:53 am

Use this post to build a virtual desktop that will be used as the parent image or source image for additional virtual desktops.

Navigation

💡 = Recently Updated

Hardware

  1. The virtual desktop pools will use the same hardware specs (e.g. vCPUs, memory size, network label) specified on the master virtual desktop. Adjust accordingly.
  2. Set Memory as desired.
  3. For New Hard disk, consider setting Thin provision.
  4. Make sure the virtual desktop is using a SCSI controller.
  5. The master virtual desktop should be configured with a VMXNET 3 network adapter.
  6. When building the master virtual desktop, you will probably boot from an ISO.
  7. Before using View Administrator to create a pool, ensure the CD/DVD drive points to Client Device and is not Connected. The important part is to make sure ISO file is not configured.
  8. There’s no need for the Floppy drive so remove it.
  9. If you have any Serial ports, remove them.
  10. In Device Manager, after installing VMware Tools, make sure the video driver is VMware SVGA 3D.
  11. If not, you can use the driver at C:\Program Files\Common Files\VMware\Drivers\video_wddm.

Windows

Operating System Selection

As of Horizon 6.2, Windows 10 is supported. However, Multimedia Redirection is not supported.

Preparation

  • Partition Alignment. For Windows XP, make sure the partition is aligned. You’ll need to create and partition the disk in advance on another virtual machine and set the partition offset. create partition primary align=1024. Windows 7 doesn’t have this problem.
  • VMware Tools. Install the latest version of VMware Tools and Guest Introspection (formerly known as vShield Endpoint) Driver prior to installing the Horizon 6 Agent.
  • Teradici Audio Driver – https://techsupport.teradici.com/link/portal/15134/15164/Article/1434/Teradici-Virtual-Audio-Driver-1-2-0-Release-Details-15134-1434
  • For the AppVolumes Agent and Imprivata OneSign agent (if applicable), don’t install them until Horizon 6 Agent is installed.

Windows 7 Networking Hotfix

  1. Ensure the vSphere network port group allows a sufficient number of connected virtual machines.
  2. Make sure Windows 7 Service Pack 1 is installed.
  3. Download hotfix 2550978 from http://support.microsoft.com/kb/2550978.
  4. Run Windows6-1-KB2550978.msu.
  5. Click Yes when asked to install the hotfix.
  6. Click Restart Now.

Follow http://support.microsoft.com/kb/315539 to delete ghost NICs

For desktop VMs using VMXnet3 NICs, you can significantly improve the peak video playback performance of your View desktop by simply setting the following registry setting to the value recommended by Microsoft:

HKLM\System\CurrentControlSet\Services\Afd\Parameters\FastSendDatagramThreshold to 1500

[As discussed in a Microsoft KB article http://support.microsoft.com/kb/235257]

Black Screen Hotfix

VMware 2073945 – Reconnecting to the VDI desktop with PCoIP displays a black screen: Request and Install Microsoft hotfix 2578159: The logon process stops responding in Windows.

Power Options

  1. Run Power Options. In Windows 8 and newer, right-click the Start Menu to access Power Options.
  2. Click the arrow to show more plans and select High performance.
  3. Next to High performance, click Change plan settings.
  4. Change the selection for Turn off the display to Never and click Save changes.

System Settings

  1. Domain Join. For linked clones, join the machine to the domain.
  2. In System control panel applet (right-click the Start Menu > System), click Remote settings.
  3. Enable Remote Desktop.
  4. Activate Windows with a KMS license if not already activated. Note: only KMS is supported with View Composer.

Windows Profiles v3/v4 Hotfix

Roaming user profiles are tied to the operating system version so profiles on Windows 8.1-based, Windows 10-based, or Windows Server 2012 R2-based computers are incompatible with roaming user profiles in earlier versions of Windows.

Profiles are compatible only between the following client and server operating system pairs:

  • Windows 10 and Windows Server 2016
  • Windows 8.1 and Windows Server 2012 R2
  • Windows 8 and Windows Server 2012
  • Windows 7 and Windows Server 2008 R2
  • Windows Vista and Windows Server 2008

If Windows 8, install hotfix http://support.microsoft.com/kb/2887239.

If Windows 8.1, ensure update rollup 2887595 is installed. http://support.microsoft.com/kb/2890783

After you apply this update, you must create a registry key before you restart the computer.

  1. Run regedit.
  2. Locate and then tap or click the following registry subkey:
    HKEY_LOCAL_MACHINE\System\CurrentControlset\Services\ProfSvc\Parameters
  3. On the Edit menu, point to New, and then tap or click DWORD Value.
  4. Type UseProfilePathExtensionVersion.
  5. Press and hold or right-click UseProfilePathExtensionVersion, and then tap or click Modify.
  6. In the Value data box, type 1, and then tap or click OK.
  7. Exit Registry Editor.

After you configure the UseProfilePathExtensionVersion registry entry, you have to restart the computer. Then, Windows 8.1 creates a user profile and appends the suffix “.v4” to the profile folder name to differentiate it from version 2 of the profile in Windows 7 and version 3 of the profile in Windows 8. Then, Windows 8.1-based computers that have update rollup 2887595 installed and the UseProfilePathExtensionVersion registry entry configured use version 4 of the profile.

Windows 8 creates a new copy of the user profile and appends the suffix “.v3” in the profile folder name to differentiate it from the original version 2 profile for Windows 7. After that, Windows 8-based computers that have this hotfix installed and the UseProfilePathExtensionVersion registry entry configured use the version 3 profile for users.

Install Applications

Install applications locally if you want them to be available on all virtual desktops created based on this master virtual desktop.

Or you can use a Layering product (e.g. VMware App Volumes, Unidesk) or App Streaming (e.g. ThinApp, Microsoft App-V).

Antivirus

Microsoft’s virus scanning recommendations (e.g. exclude group policy files) – http://support.microsoft.com/kb/822158.

Anti-Virus Practices for VMware Viewhttp://www.vmware.com/files/pdf/VMware-View-AntiVirusPractices-TN-EN.pdf

Sophos

Best Practice for running Sophos on virtual systemshttp://www.sophos.com/en-us/support/knowledgebase/110507.aspx and Sophos Anti-Virus for Windows 2000+: incorporating current versions in a disk image, including for use with cloned virtual machineshttp://www.sophos.com/en-us/support/knowledgebase/12561.aspx

Symantec

Best practices for virtualization with Symantec Endpoint Protection 12.1, 12.1 RU1, and 12.1 RU1 MP1http://www.symantec.com/business/support/index?page=content&id=TECH173650

Symantec Endpoint Protection 12.1 – Non-persistent Virtualization Best Practiceshttp://www.symantec.com/business/support/index?page=content&id=TECH180229

How to prepare a Symantec Endpoint Protection 12.1 client for cloninghttp://www.symantec.com/business/support/index?page=content&id=HOWTO54706

Non-persistent desktops:

After you have installed the Symantec Endpoint Protection client and disabled Tamper Protection, open the registry editor on the base image.

  1. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\.
  2. Create a new key named Virtualization.
  3. Under Virtualization, create a key of type DWORD named IsNPVDIClient and set it to a value of 1.

To configure the purge interval for offline non-persistent VDI clients:

  1. In the Symantec Endpoint Protection Manager console, on the Admin page, click Domains.
  2. In the Domains tree, click the desired domain.
  3. Under Tasks, click Edit Domain Properties.
  4. On the Edit Domain Properties > General tab, check the Delete non-persistent VDI clients that have not connected for specified time checkbox and change the days value to the desired number. The Delete clients that have not connected for specified time option must be checked to access the option for offline non-persistent VDI clients.
  5. Click OK.

Make the following changes to the Communications Settings policy:

  1. Configure clients to download policies and content in Pull mode
  2. Disable the option to Learn applications that run on the client computers
  3. Set the Heartbeat Interval to no less than one hour
  4. Enable Download Randomization, set the Randomization window for 4 hours

Make the following changes to the Virus and Spyware Protection policy:

  1. Disable all scheduled scans
  2. Disable the option to “Allow startup scans to run when users log on” (This is disabled by default)
  3. Disable the option to “Run an ActiveScan when new definitions Arrive”

Avoid using features like application learning which send information to the SEPM and rely on client state to optimize traffic flow

Linked clones:

To configure Symantec Endpoint Protection to use Virtual Image Exception to bypass the scanning of base image files

  1. On the console, open the appropriate Virus and Spyware Protection policy.
  2. Under Advanced Options, click Miscellaneous.
  3. On the Virtual Images tab, check the options that you want to enable.
  4. Click OK

Trend Micro

Trend Micro Virtual Desktop Support

VDI Pre-Scan Template Generation Tool

Best practice for setting up Virtual Desktop Infrastructure (VDI) in OfficeScan

Frequently Asked Questions (FAQs) about Virtual Desktop Infrastructure/Support In OfficeScan

Horizon 6 Agent 6.2.2

Horizon 6 Agent Installation

Install Horizon 6 Agent on the master virtual desktop:

  1. Only install Horizon 6 Agent after VMware Tools. If you need to update VMware Tools, uninstall Horizon 6 Agent first, upgrade VMware Tools, and then reinstall Horizon 6 Agent.
  2. Check the video driver to make it is VMware SVGA 3D.
  3. Go to the downloaded Horizon 6 Agent 6.2.2. Run VMware-viewagent-6.2.2.exe.
  4. In the Welcome to the Installation Wizard for VMware Horizon View Agent page, click Next.
  5. In the License Agreement page, select I accept the terms and click Next.
  6. In the Network protocol configuration page, select IPv4 and click Next.
  7. In the Custom Setup page, if you want Scanner Redirection then enable that feature. Do the same for USB Redirection. Note: Scanner Redirection will impact host density. Click Next when done making selections.
  8. Click OK to acknowledge the message regarding USB redirection security.
  9. In the Ready to Install the Program page, click Install.
  10. In the Installer Completed page, click Finish.
  11. Click Yes when asked to restart.

User Environment Manager Engine

If you are licensed for User Environment Manager (Horizon Enterprise Edition), install the User Environment Manager Engine.

  1. Make sure Prevent access to registry editing tools is not enabled in any GPO. This setting prevents the FlexEngine from operating properly.
  2. In Windows 8 and newer, open Programs and Features (right-click the Start Menu) and click Turn Windows features on or off.
  3. Select .NET Framework 3.5 and click OK.
  4. Click Download files from Windows Update.
  5. Go to the extracted User Environment Manager 9.0 folder and run VMware User Environment Manager 9.0 x64.msi.
  6. In the Welcome to the VMware User Environment Manager Setup Wizard page, click Next.
  7. In the End-User License Agreement page, check the box next to I accept the terms and click Next.
  8. In the Destination Folder page, click Next.
  9. The Choose Setup Type page appears. By default, the installer only installs the engine. You can click Custom or Complete to also install the console.

  10. In the Choose License File page, if installing on a View Agent then no license file is needed.
  11. Otherwise, Browse to the license file. Then click Next.
  12. In the Ready to install VMware User Environment Manager page, click Install.
  13. In the Completed the VMware User Environment Manager Setup Wizard page, click Finish.

Unity Touch

With the Unity Touch feature, tablet and smart phone users can quickly navigate to a Horizon View desktop application or file from a Unity Touch sidebar. Although end users can specify which favorite applications appear in the sidebar, for added convenience, administrators can configure a default list of favorite applications.

In the Unity Touch sidebar, the favorite applications and favorite files that users specify are stored in the user’s profile. For non-persistent pools, enable Roaming Profiles.

To set the default list of favorite applications:

  1. Navigate to HKLM\Software\Wow6432Node\VMware, Inc.\VMware Unity
  2. Create a string value called FavAppList.
  3. Specify the default favorite applications using format: path-to-app-1|path-to-app-2|path-to-app-3|…. For example:
Programs/Accessories/Accessibility/Speech Recognition.lnk|Programs/VMware/VMware vSphere Client.lnk|Programs/Microsoft Office/Microsoft Office 2010 Tools/Microsoft Office 2010 Language Preferences.lnk

Unity Touch can be disabled by setting HKEY_LOCAL_MACHINE\Software\VMware,Inc.\VMware Unity\enabled to 0.

For more information, see the Feature Pack Installation and Administration guide at http://www.vmware.com/support/pubs/view_pubs.html.

Direct-Connection Plugin

If you wish to allow direct connections to the Horizon 6 Agent, install the Direct-Connection Plugin. This is not a typical configuration since it allows users to bypass the Horizon 6 Connection Servers but is useful if you need to restrict a Horizon 6 Agent to only one Horizon Client.

  1. Run the downloaded Direct-Connection Plugin (VMware-viewagent-direct-connection-6.2-xxx-exe.
  2. In the Welcome to the Installation Wizard for View Agent Direct-Connection Plugin page, click Next.
  3. In the End-User License Agreement page, select I accept the terms and click Next.
  4. In the Configuration Information page, click Next.
  5. In the Ready to install View Agent Direct-Connection Plugin page, click Install.
  6. In the Completed the View Agent Direct-Connection Plugin Setup Wizard page, click Finish.
  7. When running the Horizon Client, enter the FQDN or IP address of the Horizon 6 Agent (virtual desktop).

Composer – Rearm

By default, when View Composer creates linked clones and runs QuikPrep, one of the tasks is to rearm licensing. You can prevent this by setting the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\vmware-viewcomposer-ga

SkipLicenseActivation  DWORD           0x1

Dynamic PCoIP Policies

If you wish to change PCoIP Policies (e.g. clipboard redirection, client printers, etc.) based on how the user connects, see VMware Blog Post VMware Horizon View Secret Weapon. The article describes configuring VMware Horizon View Script Host service to run a script to change PCoIP configuration based on the Connection Server that the user connected through. Full script is included in the article.

VMware OS Optimization Tool

  1. Download the VMware OS Optimization Tool VMware fling.
  2. Run the downloaded VMwareOSOptimizationTool_1050.msi.
  3. On the Analyze tab, on the bottom left, click Analyze.
  4. Check both boxes and click Continue to Analyze.
  5. Review the optimizations and make changes as desired. Then on the bottom left click Optimize.
  6. Click the FAILED links for more information.
  7. The History tab lets you rollback the optimizations.
  8. The Templates tab lets you edit the optimizations. You can create your own template or edit an existing template.
  9. Also see VMware 2100337 Improving log in time for floating desktops on DaaS and Horizon View for deletion of ActiveSetup registry keys that slow down 1st login. These optimizations do not appear to be included in VMware’s OS optimization tool.  💡

Snapshot

  1. Make sure the master virtual desktop is configured for DHCP.
  2. If connected to the console, run ipconfig /release.
  3. Run antivirus sealing tasks:
  4. Shutdown the master virtual desktop.
  5. Edit the Settings of the master virtual machine and disconnect the CD-ROM. Make sure no ISO is configured in the virtual machine.
  6. Take a snapshot of the master virtual desktop. View Composer requires a snapshot.

Related Pages

VMware Horizon 6 Security Server

Last Modified: Nov 7, 2020 @ 6:35 am

Navigation

Preparation

Security Servers are intended to be deployed in the DMZ.

Horizon View Security Server is installed on Windows. If you prefer a Linux appliance, see VMware Access Point.

Security Considerations for Horizon View 5.2 – http://www.vmware.com/resources/techresources/10371

Firewall Ports

If there is only one Security Server in the DMZ, create a NAT’d public IP to the Security Server. Create a public DNS entry that resolves to this IP address.

If there are two Security Servers and you intend to load balance them, create three public IPs:

  • Public IP NAT’d to the load balancer IP. Create a public DNS entry that resolves to this IP address. This is the DNS name that users will enter into their Horizon Clients.
  • Public IP NAT’d to each of the Security Servers. Each Security Server must be exposed directly to the Internet. Create public DNS names that resolve to these public IPs. When installing Security Server, specify these public DNS names and not the load balanced DNS name.

Note: your load balancer might be able to provide persistence across multiple port numbers and thus there’s no need for the server-specific public IPs. For example, in NetScaler this is called Persistency Groups.

Firewall Rules for View Connection Server at pubs.vmware.com.

Open these ports from any device on the Internet to all Security Server and Load Balancer public IPs:

  • TCP 80
  • TCP 443
  • TCP and UDP 4172. UDP 4172 must be opened in both directions.
  • TCP 8443 (for HTML Blast)

Open these ports from the Security Servers to internal:

  • If IPSec is enabled in View Administrator (Global Settings > Security > Edit), open ISAKMP Protocol (UDP 500) and ESP. Or if there is NAT between the Security Server and the Connection Server, open NAT-T ISAKMP (UDP 4500). Configuring a Back-End Firewall to Support IPsec at pubs.vmware.com.
  • TCP 8009 (AJP13) to the paired internal Horizon 6 Connection Server.
  • TCP 4001 (JMS) to the paired internal Horizon 6 Connection Server.
  • TCP and UDP 4172 (PCoIP) to all internal Horizon View Agents. UDP 4172 must be opened in both directions.
  • TCP 32111 (USB Redirection) to all internal Horizon View Agents.
  • TCP 22443 (HTML Blast) to all internal Horizon View Agents.
  • TCP 9427 (MMR) to all internal Horizon View Agents.
  • TCP 4002 for Enhanced Messaged Security – Change the JMS Message Security Mode to Enhanced at pubs.vmware.com

Pairing Password

  1. In View Administrator, on the left, expand View Configuration and click Servers.
  2. On the right, switch to the Connection Servers tab.
  3. Select the Horizon 6 Connection Server to which the Security Server will be paired. Then click More Commands and click Specify Security Server Pairing Password.
  4. Enter a password and click OK.

Install – Security Server

  1. Ensure the Horizon 6 Security Server has 10 GB of RAM and 4 vCPU.
  2. Login to the Horizon 6 Security Server.
  3. Go to the downloaded Horizon 6 Connection Server 6.2.2 and run VMware-viewconnectionserver-x86_64-6.2.2.exe.
  4. In the Welcome to the Installation Wizard for VMware Horizon 6 Connection Server page, click Next.
  5. In the License Agreement page, select I accept the terms and click Next.
  6. In the Destination Folder page, click Next.
  7. In the Installation Options page, select Horizon 6 Security Server and click Next.
  8. In the Paired Horizon 6 Connection Server page, enter the name of the internal Horizon 6 Connection Server that this Security Server will be paired with. If using a hostname, it must be resolvable (edit the local HOSTS file) to the correct IP. Also, the correct firewall ports are required. Click Next.
  9. In the Paired Horizon 6 Connection Server Password page, enter the pairing password specified earlier and click Next.
  10. In the Horizon 6 Security Server Configuration page, edit the URLs as appropriate. These URLs must be externally accessible. The top URL is a FQDN while the middle URL is an IP address. These can be changed later. Click Next.
  11. In the Firewall Configuration page, click Next.
  12. In the Ready to Install the Program page, click Install.
  13. In the Installer Completed page, click Finish.

SSL

Horizon 6 Security Server Certificate

  1. Run mmc, add the Certificates snap-in and point it to Computer > Local Machine.
  2. Request a new certificate with a common name that matches the FQDN of the HTTPS Secure Tunnel URL or import a wildcard certificate. If using a load balancer, the FQDN must match the load balancer FQDN, not the Security Server FQDN. Also, the private key must be exportable.
  3. Note: the private key must be exportable. You can either click Details to mark the key as exportable or use IIS to create the certificate.
  4. After creating the certificate, try exporting it. If the option to export the private key is grayed out then this certificate will not work.
  5. In the list of certificates, look for the one that is self-signed. The Issuer will be the local computer name instead of a Certificate Authority. Right-click it and click Properties.
  6. On the General tab, clear the Friendly name field and click OK.
  7. Right-click your Certificate Authority-signed certificate and click Properties.
  8. On the General tab, in the Friendly name field, enter the text vdm and click OK. Note: only one certificate can have vdm as the Friendly name.
  9. Then restart the VMware Horizon 6 Security Server service.
  10. If the VMware Horizon View Security Gateway Component won’t start then your certificate doesn’t have an exportable private key. The private key must be exportable.

Global Accepted Ciphers

VMware 2121183 Response to CVE-2015-4000 (a.k.a., Logjam) for Horizon View and Horizon 6 products: The default global acceptance and proposal policies are defined in View LDAP attributes. These policies apply to all Horizon 6 Connection Server instances in a replicated group and all security servers paired with them. To change a global policy, you can edit View LDAP on any Horizon 6 Connection Server instance.

For details about how to navigate to the correct View LDAP attributes, see the topics called Global Acceptance and Proposal Policies Defined and Change the Global Acceptance and Proposal Policies in the View Security guide. Note that although these links point to the 6.2 version of the guide, the topics are the same as those in the 5.2/5.3 and 6.0 versions of the guide.

  • Change the pae-ClientSSLSecureProtocols attribute and the pae-ServerSSLSecureProtocols attribute as follows:
    pae-ClientSSLSecureProtocols = "\LIST:TLSv1.2,TLSv1.1,TLSv1"
    
    pae-ServerSSLSecureProtocols = "\LIST:TLSv1.2,TLSv1.1,TLSv1"
    

    This setting enables TLSv1.2 by default, to make use of the new cipher suites you will be adding when you set the next attributes.

  • Change the pae-ClientSSLCipherSuites attribute and the pae-ServerSSLCipherSuites attribute as follows:
    pae-ClientSSLCipherSuites = "\LIST:TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
    TLS_RSA_WITH_AES_128_CBC_SHA256,
    TLS_RSA_WITH_AES_128_CBC_SHA,
    SSL_RSA_WITH_RC4_128_SHA"
    
    pae-ServerSSLCipherSuites = "\LIST:TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
    TLS_RSA_WITH_AES_128_CBC_SHA256,
    TLS_RSA_WITH_AES_128_CBC_SHA,
    SSL_RSA_WITH_RC4_128_SHA"

Note that although these cipher suites are shown on separate lines to improve readability, when you edit this attribute, enter the cipher suites on one line with no spaces after the commas.

Also note that the last cipher suite shown in the list, SSL_RSA_WITH_RC4_128_SHA, should be omitted if all connecting clients support AES cipher suites.

To add 256-bit versions of the cipher suites, follow the instructions in the topic JCE Policy Files to Support High-Strength Cipher Suites in the View Security guide.

SSL Ciphers – Horizon 6 Security Server

Sven Huisman: Secure your Horizon View security server: from rating F to A-: see the blog post for detailed instructions.

  1. Update the JCE Policy Files to Support High-Strength Cipher Suites
  2. Use ADSIEdit to change pae-ServerSSLCipherSuites, pae-ServerSSLSecureProtocols, pae-ClientSSLCipherSuites, and pae-ClientSSLSecureProtocols
  3. Or you can edit C:\Program Files\VMware\VMware View\Server\sslgateway\conf\locked.properties

  4. If this Horizon 6 Connection Server or View Security Server is publicly accessible, check it at ssllabs.com.

Disable RC4 – Blast Secure Gateway

VMware 2122359 Disable RC4 on Blast Secure Gateway: RC4 is already disabled in Horizon 6.2. Follow this procedure for older versions of Horizon View.

  1. Run an elevated text editor and open the file C:\Program Files\VMware\VMware View\Server\appblastgateway\lib\absg-config.js.
  2. Scroll down to line 111 and change :RC4: to :!RC4:.

Load Balancing

See Carl Stalhood – Horizon View Load Balancing

Enable PCoIP Secure Gateway

  1. In View Administrator, on the left, expand View Configuration and click Servers.
  2. On the right, switch to the Connection Servers tab.
  3. Click the Connection Server that is paired with the Security Server and click Edit. Note: you can’t configure this directly on the Horizon 6 Security Server and instead must configure it on the paired Horizon 6 Connection Server.
  4. On the General tab, check the box next to Use PCoIP Secure Gateway for PCoIP connections to desktop. Also, make sure Secure Tunnel and Blast Secure Gateway are enabled. Click OK.

Related Pages

VMware Horizon 6 Configuration

Last Modified: Sep 2, 2018 @ 7:53 am

Navigation

Preparation

Horizon Service Account

  1. Create an account in Active Directory that View will use to login to vCenter. This account can also be used by Composer to create computer accounts in Active Directory.
  2. Make sure the password does not expire.
  3. Domain User is sufficient. Permissions will be delegated where needed.

vCenter Role for View Composer

This role has all permissions needed for both full clones and linked clones.

  1. Create an account in Active Directory that View will use to login to vCenter.
  2. In vSphere Web Client, on the Home screen, click Roles.
  3. Click the plus icon to add a Role.
  4. Name the role View or similar.
  5. Expand Datastore and enable Allocate space, Browse datastore, and Low level file operations.
  6. Expand Folder and enable Create folder, and Delete folder.
  7. Expand Global and enable Act as vCenter Server, Disable Methods, Enable Methods, and Manage custom attributes.
  8. Scroll down and enable Set custom attribute and System tag.
  9. Expand Host, expand Configuration and enable Advanced Settings.
  10. Scroll down and enable System Management.
  11. Enable Network and everything under it.
  12. For Virtual SAN, enable Profile-driven storage and everything under it. VMware 2094412 – When attempting to deploy linked clones using VMware Virtual SAN (VSAN) you receive the error: Unable to connect to PBM sub system PB may be down

  13. Expand Resource and enable Assign virtual machine to resource pool and Migrate powered off virtual machine.
  14. Expand Virtual Machine and enable everything under Configuration, Inventory, and Snapshot Management (or State).
  15. Expand Virtual Machine > Interaction and enable Power Off, Power On, Reset, and Suspend.
  16. Expand Virtual Machine > Provisioning. Enable Allow disk access, Clone virtual machine, Customize, and Deploy template.
  17. Scroll down and enable Read customization specifications. Click OK when done.
  18. Browse to the vCenter object. Permissions must be assigned at the vCenter level. It won’t work at any lower level.
  19. On the right, switch to the Manage tab and select the Permissions sub-tab.
  20. Click the plus icon to add a permission.
  21. Under Users and Groups click Add.
  22. Find the Active Directory account that View will use to login to vCenter, click Add and then click OK.
  23. On the right, under Assigned Role, change it to View Composer Administrator. Then click OK.
  24. The service account is now listed on the Permissions sub-tab.
  25. The service account also must be a local administrator on the vCenter server. In Server Manager, go to Tools > Computer Management.
  26. Go to System Tools > Local Users and Groups > Groups. Double-click Administrators. Add the View service account and click OK.

Active Directory Delegation

View Composer uses an Active Directory account to create computer objects in Active Directory. This service account must be granted permission to create computer objects.

  1. Create an OU in Active Directory where the virtual desktop computer objects will be stored.
  2. In Active Directory Users & Computers, right-click the OU where the computer objects will be stored and click Delegate Control. This wizard is not included in Active Directory Administrative Center.
  3. In the Welcome to the Delegation of Control Wizard page, click Next.
  4. In the Users or Groups page, add the Active Directory service account for View Composer. Then click Next.
  5. In the Tasks to Delegate page, select Create a custom task to delegate and click Next.
  6. In the Active Directory Object Type page, click Next.
  7. In the Permissions page, check the three boxes under Show these permissions.
  8. In the Permissions section, check the boxes next to Read All Properties and Write All Properties.

  9. In the Permissions section, scroll down and check the boxes next to Create Computer objects and Delete Computer objects. Click Next.
  10. In the Completing the Delegation of Control Wizard page, click Finish.

Events SQL Database

A new empty SQL database is needed for storage of View Events. Only SQL authentication is supported.

  1. In SQL Server Management Studio, create a new database.
  2. Name it VMwareViewEvents or similar. Switch to the Options tab.
  3. Select your desired Recovery model and click OK.

  4. Add a SQL login if one does not exist already. Windows authentication is not supported.
  5. Right-click a SQL login and click Properties.
  6. On the User Mapping page, check the Map box next to the VMwareViewEvents database.
  7. On the bottom, add the user to the db_owner database role. Click OK when done.

Licensing

  1. Run the Horizon 6 Administration Console by double-clicking the desktop shortcut. Or, go to https://FQDN/admin.
  2. If Flash is not installed, you are prompted to install it. This won’t work on Windows Server 2012 unless you have the Desktop Experience feature installed. To avoid this, use Chrome.
  3. Login using a Horizon View administrator account.
  4. On the left, under View Configuration, click Product Licensing and Usage.
  5. On the top left of the right pane, click Edit License.
  6. In the Edit License window, enter your license serial number and click OK.
  7. The license expiration is now displayed. Note that only Horizon Advanced and above have Application Remoting (published applications).

Administrators

  1. On the left, expand View Configuration and click Administrators.
  2. On the right, click Add User or Group near the top.
  3. In the Add Administrator Or Permission page, click Add.
  4. Enter the name of a group that you want to grant permissions to and click Find.
  5. After the group is found, click it to highlight it and click OK.
  6. Then click Next.
  7. Select the role (e.g. Administrators) and click Next.
  8. Select an access group to which the permission will be applied and click Finish. Note: If you intend to integrate with VMware Identity Manager, then only pools in the root Access group will sync with Identity Manager. Other Access Groups won’t work.

Help Desk

None of the built-in roles are useful for Help Desk. Create a new role.

  1. On the right, switch to the Roles tab and click Add Role.
  2. Name the role Help Desk or similar.
  3. Check the box next to Console Interaction and scroll down.
  4. Check the box next to Manage Machine and click OK.
  5. To further restrict Help Desk permissions, on the Access Groups tab, create an Access Group. Pools can be placed in an Access Group and if an administrator only has permission to one Access Group then pools in other access groups cannot be managed. Note: If you intend to integrate with VMware Identity Manager, then only pools in the root Access group will sync with Identity Manager. Other Access Groups won’t work.

  6. Switch back to the Administrators and Groups tab and click Add User or Group.
  7. In the Add Administrator Or Permission window, click Add, find your Help Desk group and click Next.
  8. Click the Help Desk role to highlight it and click Next.
  9. Check the box next to an Access Group to which the permissions will be applied and click Finish. Note: If you intend to integrate with VMware Identity Manager, then only pools in the root Access group will sync with Identity Manager. Other Access Groups won’t work.
  10. The group is added to the list and the role is shown on the right.

vCenter and View Composer

If you are adding multiple vCenter servers, make sure each vCenter Server has a Unique ID. In vSphere Web Client, go to the vCenter Server > Manage > Settings > General > Edit > Runtime Settings and confirm that the ID is unique for each vCenter server.

  1. On the left, expand View Configuration and click Servers.
  2. In the right pane, in the vCenter Servers tab, click Add.
  3. In the Server address field, enter the FQDN of the vCenter server.
  4. In the User Name field, enter the Active Directory account that View will use to login to vCenter as detailed earlier in this post. Also enter the password.
  5. Click Next.
  6. If you see a message regarding invalid certificate, click View Certificate.
  7. Then click Accept.
  8. In the View Composer page, select Standalone View Composer Server. Enter the FQDN of the server and the credentials of an account to access the View Composer server. The service account must be a local administrator on the View Composer Server. Click Next.
  9. If you see an invalid certificate, click View Certificate.
  10. Then click Accept.
  11. In the View Composer Domains page, click Add.
  12. Enter the Full domain name of where the virtual desktop computer objects will be created.
  13. Enter the Active Directory service account credentials that has permission to create computer objects and click OK. Then click Next.
  14. In the Storage page, check the box to Enable View Storage Accelerator and increase the host cache size to 2048. View Storage Accelerator causes digest files to be created thus increasing disk space requirements. Reclaim VM disk space requires IOPS during its operation. Click Next.
  15. In the Ready to Complete page, click Finish.

Disable Secure Tunnel

By default, Horizon Clients connect to virtual desktops by tunneling through a Horizon 6 Connection Server. It would be more efficient for the Horizon Clients to connect directly to the virtual desktops.

  1. In View Administrator, on the left, expand View Configuration and click Servers.
  2. On the right, switch to the Connection Servers tab.
  3. Click the Connection Server and click Edit.
  4. On the General tab, uncheck the box next to HTTP(S) Secure Tunnel. Also, make sure the other Secure Gateways are not enabled. Click OK. Note: if you are using HTML Blast internally then disabling the gateway will cause Blast connections to go directly to the Agent and the Agent certificate is probably not trusted.

Event Database and Syslog

  1. On the left of View Administrator, expand View Configuration and click Event Configuration.
  2. On the right, under Event Database, click Edit.
  3. Enter the name of the SQL server.
  4. Select Microsoft SQL Server as the Database type.
  5. Enter the name of the database.
  6. Enter the SQL credentials (no Windows authentication).
  7. Optionally, enter VE_ (or similar) for the Table prefix. This allows you to use the same Events database for multiple View installations.
  8. Click OK.
  9. The View Administrator now shows it configured. You can change the age of events shown in View Administrator.
  10. To add a syslog server, look on the right side of the page.
  11. You can go to Monitoring > Events to view the events in the database.

Event Database SQL Index

VMware Knowledgebase article – The Event database performance in VMware View 6.0.x is extremely slow (2094580): Symptoms:

  • The Event database performance in VMware View 6.0.x is extremely slow when browsing within View
  • High CPU usage on the SQL server, hosting the Event database
  • The larger the Event database becomes, the slower the queries run.

To resolve this issue, create an index. Run this command on your SQL Event database:

CREATE INDEX IX_eventid ON dbo.VDIevent_data (eventid)

Substitute VDIevent_data for the table name using your Event database prefix.

Event Queries

VMware Fling – Horizon View Event Notifier: collects and sends the alerts via email (SMTP) to users that are specified during the configuration process. It allows aggregation of alerts across multiple Horizon View Pods and for near real-time alerting of Horizon View alerts that are otherwise very difficult to be notified on.

Chris Halstead – VMware Horizon View Events Database Export Utilty: this utility allows administrators to easily apply very detailed filtering to the data and export it to .csv. You can filter on time range,  event severity, event source, session type (Application or Desktop), Usernames and Event Types.  The application allows for extremely granular export of data.   The exported columns can also be customized and the application will export data from both the live and the historical tables in the View Events Database.

VMware Knowledgebase article – Creating SQL views to retrieve the top 50 maximum number of concurrent desktop sessions over a period: This article provides steps to create database views to retrieve the maximum number of concurrent desktop sessions over a period from the event_historical table.

To retrieve the top 50 maximum number of concurrent desktop sessions over a period time from the event_historical table, run this query:

select Count, Time from(select top 50 DOB.<prefix>_data_historical.IntValue as 'Count', DOB.<prefix>_historical.Time as 'Time' from DOB.<prefix>_historical.DOB.<prefix>_data_historical where DOB.<prefix>_historical.EventID = DOB.<prefix>_data_historical.EventID and DOB.<prefix>_data_historical.Name = 'UserCount' and DOB.<prefix>_historical.EventType='BROKER_DAILY_MAX_DESKTOP order by DOB.<prefix>_historical.Time DESC) A Order by Time

Where <prefix> is the prefix for the event table. You can find the prefix that you must use by examining other view definitions, such as user_events.

Global Settings

  1. On the left, under View Configuration, click Global Settings.
  2. On the right, under Global Settings, click Edit.
  3. Set the View Administrator Session Timeout. This applies to administrators and help desk. 4320 minutes (72 hours) is the maximum.
  4. Forcibly disconnect users is an active session timeout. It is not an idle timeout in that it doesn’t care if the user is working or not. The default is 10 hours so consider increasing it. Note: this timer does not log the user out of Windows. Instead it merely disconnects the user and requires the user to logon to Horizon 6 Connection Server again.
  5. Under Client-dependent settings, you can set an idle timeout. This is new in Horizon 6. The idle timeout applies to applications only (not desktops). An additional disconnect timeout is configurable in each pool’s settings.
  6. Enable automatic status updates enables automatic updating of the table displayed in the top-left corner of View Administrator.
  7. Make other changes as desired. Click OK when done.
  8. To configure an idle timeout for desktop sessions, use the instructions in http://myvirtualcloud.net/vmware-view-disconnect-logoff-or-shutdown-your-vm-when-idle/. Or create a screensaver. http://communities.vmware.com/message/1756450?tstart=0

Global Policies

  1. By default, Multimedia Redirection is disabled. You can enable it by going to Policies > Global Policies.
  2. On the right, click Edit Policies.
  3. Set Multimedia redirection to Allow and click OK. Notice that Multimedia redirection is not encrypted.

Authentication

How to Set Up 2-Factor Authentication in Horizon View with Google Authenticator:

  1. Linux box with Likewise joined to Active Directory.
  2. Google Authenticator software installed on Linux
  3. Freeradius installed on Linux
  4. Configure View to authenticate with RADIUS
  5. Installation and configuration of Google Authenticator client

Backups

  1. On the left, expand View Configuration and click Servers.
  2. On the right, in the Connection Servers tab you can select a Horizon 6 Connection Server and click Backup Now. Backups can be found in C:\ProgramData\VMware\VDM\backups.
  3. If you Edit the Horizon 6 Connection Server, on the Backup tab you can schedule automatic backups. This also backs up the View Composer database but not the vCenter database. VMware 1008046 – Performing an end-to-end backup and restore for VMware View Manager.

Related Pages

VMware Horizon 6 Connection Server

Last Modified: Nov 7, 2020 @ 6:35 am

Navigation

💡 = Recently Updated

Windows Features

  1. It’s probably helpful to install some administration tools on the Horizon 6 Connection Servers. In Server Manager, open the Manage window and click Add Roles and Features.
  2. Click Next until you get to the Features page.
  3. Check the box next to Group Policy Management and scroll down.
  4. Check the box next to Telnet Client.
  5. If you need Flash Player (e.g. to connect to the vSphere Web Client or View Administrator), then expand User Interfaces and Infrastructure and check the box next to Desktop Experience.

  6. Click Add Features when prompted.
  7. Expand Remote Server Administration Tools > Role Administration Tools > AD DS and AD LDS Tools > AD DS Tools. Check the box next to Active Directory Administrative Center. Click Add Features when prompted. Then click Next .
  8. Then click Install.
  9. You will see a message prompting you to reboot. Right-click the Start button to reboot the server. it will reboot twice.

Install Standard Server 6.2.2

The first Horizon 6 Connection Server must be a Standard Server. Subsequent Horizon 6 Connection Servers are Replicas. Once Horizon 6 Connection Server is installed, there is no difference between them.

A production Horizon 6 Connection Server should have 10 GB of RAM and 4 vCPU. Each Horizon 6 Connection Server can handle 2,000 virtual desktops.

  1. Ensure the Horizon 6 Connection Server has 10 GB of RAM and 4 vCPU.
  2. View Composer cannot be installed on the Horizon 6 Connection Server.
  3. Go to the downloaded Horizon 6 Connection Server 6.2.2 and run VMware-viewconnectionserver-x86_64-6.2.2.exe.
  4. In the Welcome to the Installation Wizard for VMware Horizon 6 Connection Server page, click Next.
  5. In the License Agreement page, select I accept the terms and click Next.
  6. In the Destination Folder page, click Next.
  7. In the Installation Options page, select Horizon 6 Standard Server and click Next.
  8. In the Data Recovery page, enter a password and click Next.
  9. In the Firewall Configuration page, click Next.
  10. In the Initial Horizon 6 View Administrators page, enter an AD group containing your Horizon administrators and click Next.
  11. In the User Experience Improvement Program page, uncheck the box and click Next.
  12. In the Ready to Install the Program page, click Install.
  13. In the Installer Completed page, uncheck the box next to Show the readme file and click Finish.

Install Replica Server 6.2.2

Additional internal Horizon 6 Connection Servers are installed as Replicas. After installation, there is no difference between a Replica server and a Standard server.

A production Horizon 6 Connection Server should have 10 GB of RAM and 4 vCPU. Each Horizon 6 Connection Server can handle 2000 virtual desktops.

  1. Ensure the Horizon 6 Connection Server has 10 GB of RAM and 4 vCPU.
  2. Go to the downloaded Horizon 6 Connection Server 6.2.2 and run VMware-viewconnectionserver-x86_64-6.2.2.exe.
  3. In the Welcome to the Installation Wizard for VMware Horizon 6 Connection Server page, click Next.
  4. In the License Agreement page, select I accept the terms and click Next.
  5. In the Destination Folder page, click Next.
  6. In the Installation Options page, select Horizon 6 Replica Server and click Next.
  7. In the Source Server page, enter the name of another Horizon 6 Connection Server in the group. Then click Next.
  8. In the Firewall Configuration page, click Next.
  9. In the Ready to Install the Program page, click Install.
  10. In the Installer Completed page, click Finish.
  11. If you are adding this Replica server to a Pod that is already enabled for Global Entitlements, see Setting up the Cloud Pod Architecture feature on a replicated View Connection Server instance.

Horizon 6 Connection Server Certificate

  1. Run mmc, add the Certificates snap-in and point it to Computer > Local Machine.
  2. Request a new certificate with a common name that matches the FQDN of the Connection Server or import a wildcard certificate.
  3. Note: the private key must be exportable. If using the Computer template, click Details then click Properties.
  4. On the Private Key tab, click Key options to expand it and check the box next to Mark private key as exportable.
  5. In the list of certificates, look for the one that is self-signed. The Issuer will be the local computer name instead of a Certificate Authority. Right-click it and click Properties.
  6. On the General tab, clear the Friendly name field and click OK.
  7. Right-click your Certificate Authority-signed certificate and click Properties.
  8. Note: the private key of the certificate you use for Horizon 6 Connection Server must be exportable. To verify, try exporting the certificate. If the option to export the private key is grayed out then this certificate will not work.
  9. On the General tab, in the Friendly name field, enter the text vdm and click OK. Note: only one certificate can have vdm as the Friendly name.
  10. Then restart the VMware Horizon View Connection Server service. It will take several seconds before you can connect to View Administrator.
  11. If the VMware Horizon View Security Gateway Component won’t start then your certificate doesn’t have an exportable private key. The private key must be exportable.

SSL Ciphers

Sven Huisman: Secure your Horizon View security server: from rating F to A-: see the blog post for detailed instructions.

  1. Update the JCE Policy Files to Support High-Strength Cipher Suites.
  2. Use ADSIEdit to change pae-ServerSSLCipherSuites, pae-ServerSSLSecureProtocols, pae-ClientSSLCipherSuites, and pae-ClientSSLSecureProtocols
  3. Or you can edit C:\Program Files\VMware\VMware View\Server\sslgateway\conf\locked.properties

  4. If this Horizon 6 Connection Server or Horizon 6 Security Server is publicly accessible, check it at ssllabs.com.

Horizon Portal – Client Installation Link

If you point your browser to the Horizon 6 Connection Server, the Install VMware Horizon Client link redirects to the VMware.com site for downloading of Horizon Clients. You can change it so that the Horizon Clients can be downloaded directly from the Horizon 6 Connection Server.

      1. On the Horizon 6 Connection Server, go to C:\Program Files\VMware\VMware View\Server\broker\webapps. Create a new folder called downloads.
      2. Copy the downloaded Horizon Clients to the new C:\Program Files\VMware\VMware View\Server\broker\webapps\downloads folder.

      3. Run Notepad as administrator.
      4. Open the file C:\ProgramData\VMware\VDM\portal\portal-links-html-access.properties file with a text editor (as Administrator).
      5. Go back to the downloads folder and copy the Horizon Client filename.
      6. In Notepad, modify link.win32 and link.win64 by specifying the relative path to the Horizon Client executable under /downloads. The following example shows a link for Horizon Client for Windows x64:
        link.win64=/downloads/VMware-Horizon-View-Client-x86_64-3.5.2-3150477.exe
        Then Save the file.
      7. Restart the VMware Horizon View Web Component service.

It will take a few seconds for the ws_TomcatService process to start so be patient. If you get a 503 error then the service is not done starting.

Now when you click the link to download the client it will grab the file directly from the Horizon 6 Connection Server.

LDAP Edits

Mobile Client – Save Password

If desired, you can configure Horizon 6 Connection Server to allow mobile clients (iOS, Android) to save user passwords.

  1. On the Horizon 6 Connection Server, run ADSI Edit.
  2. Right-click ADSI Edit and click Connect to…

  3. Change the first selection to Select or type a Distinguished Name and enter dc=vdi,dc=vmware,dc=int.
  4. Change the second selection to Select or type a domain or server and enter localhost. Click OK.
  5. Navigate to Properties > Global. On the right, double-click CN=Common.
  6. Scroll down, click to highlight pae-ClientCredentialCacheTimeout and click Edit.
  7. Enter a value in minutes. 0 = no saving of credentials. -1 = no timeout. Click OK.

iOS TouchID

vDelboy – How to Enable Touch ID in VMware Horizon 6.2

  1. On the Horizon 6 Connection Server, run ADSI Edit.
  2. Right-click ADSI Edit and click Connect to…
  3. Change the first selection to Select or type a Distinguished Name and enter dc=vdi,dc=vmware,dc=int.
  4. Change the second selection to Select or type a domain or server and enter localhost. Click OK.
  5. Navigate to Properties > Global. On the right, double-click CN=Common.
  6. Find the attribute pae-ClientConfig and double-click it.
  7. Enter the line BioMetricsTimeout=-1 and click Add. Click OK. The change takes effect immediately.

Ciphers

VMware 2130289 Using client drive redirection or file association with the secure tunnel enabled might have performance issues

When using client drive redirection (CDR) or file association with the secure tunnel enabled, you might encounter performance issues when transferring CDR data between Horizon Clients and remote desktop machines. (File association is the ability to open local files with a remote application.)

Amend your acceptance policies to remove the following GCM-based cipher suites:

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

To change a global acceptance policy, you can edit a single-valued attribute, pae-ServerSSLCipherSuites, in View LDAP on any View Connection Server instance. This attribute lists the cipher suites used by View Connection Server or security server. Take these steps:

  1. Start the ADSI Edit utility on your View Connection Server computer.
  2. In the Console tree, select Connect to.
  3. In the Select or type a Distinguished Name or Naming Context text box, type the distinguished name DC=vdi, DC=vmware, DC=int.
  4. In the Select or type a domain or server text box, select or type localhost:389 or the fully qualified domain name (FQDN) of the View Connection Server computer followed by 389. For example: localhost:389 or mycomputer.mydomain.com:389
  5. Expand the ADSI Edit Tree, expand OU=properties, select OU=global, and select CN=common in the right pane.
  6. On the object CN=common, OU=global, OU=properties, select the pae-ServerSSLCipherSuites
  7. Set the following list of cipher suites:
    \LIST:TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
    TLS_RSA_WITH_AES_128_CBC_SHA,
    TLS_RSA_WITH_AES_256_CBC_SHA

    Remove the line breaks that were inserted in the preceding list for clarity. The order of the cipher suites is unimportant.

  8. Restart the VMware Horizon View Connection Server service.

For more information about setting acceptance policies for cipher suites, see “Configuring Security Protocols and Cipher Suites on a View Connection Server Instance or on a Security Server” in the View Security guide at http://pubs.vmware.com/horizon-62-view/topic/com.vmware.horizon-view.security.doc/GUID-7F6963F5-D5FC-47B2-9AE7-1FE5B8600723.html.

Load Balancing

See Carl Stalhood’s Horizon View Load Balancing using NetScaler 11.

Remote Desktop Licensing

If you plan to build RDS Hosts, then install Remote Desktop Licensing somewhere. You can install it on your Horizon 6 Connection Servers by following the procedure at https://www.carlstalhood.com/controller/#rdlicensinginstall.

Horizon Toolbox 2

Install the Horizon Toolbox Fling on your View Connection Servers. This is a web-based tool that adds the following functionality:

  • Auditing of user sessions
  • Auditing of virtual machine snapshots
  • Auditing of Horizon Client Versions
  • Remote Assistance – users request assistance from administrators
  • Virtual Machine Remote Console
  • Power Policy for pools

To use the Toolbox, make sure the following are enabled in your View Connection Server pod:

  • Events database
  • Customer Experience Improvement Program

.NET Framework 3.5 and Remote Assistance

  1. On the View Connection Server, in Server Manager, open the Manage menu and click Add Roles and Features.
  2. In the Features page, select .NET Framework 3.5.
  3. Scroll down, select Remote Assistance and click Next. This feature is only needed if you will respond to Remote Assistance requests directly from the View Connection Server.
  4. In the Confirmation page, click Specify an alternate source path.
  5. Mount or extract the Windows Server 2012 R2 ISO.
  6. Enter the path to the sources folder on the Windows Server 2012 R2 ISO and click OK. Then click Install.

Toolbox Installer

  1. Download the Fling. Check the box next to I have read and agree and click Download.
  2. Run the downloaded VMWARE-Horizon-Toolbox-x64-2.0.1.msi.
  3. In the Welcome to the HorizonToolbox Setup Wizard page, click Next.
  4. In the Select Installation Folder page, select Everyone and click Next.
  5. In the Confirm Installation page, click Next.
  6. In the Installation Complete page, click Close.

Firewall

  1. Run Windows Firewall with Advanced Security.
  2. Create a new Inbound Rule for port 18443.
  3. Select Port and click Next.
  4. Enter TCP 18443 as the local port and click Next.
  5. Allow the connection and click Next.
  6. Name the rule Horizon Toolbox or something like that. Click Finish.

Toolbox Certificate

Horizon Toolbox comes with a self-signed certificate. It can be replaced by doing the following:

  1. Copy a certificate .pfx file to C:\Program Files\VMware\HorizonToolbox\HorizonToolbox2.0.1\conf.
  2. Edit the file server.xml that’s in the same conf folder.
  3. Scroll down to the <Connector port=”18443″ section (near line 85).
  4. Change the keystoreFile attribute to the name of your .pfx file.
  5. Change the keystorePass attribute to the password for your .pfx file.
  6. Add a new attribute keystoreType=”PKCS12″
  7. Close and save the file.
  8. Restart the Apache Tomcat 8.0 Tomcat8 service.
  9. Point your browser to https://view.corp.local:18443/toolbox.
  10. Login using View Administrator credentials.

Toolbox Remote Assistance

  1. On the Horizon 6 Agent machine, navigate to the View Connection Server Horizon Toolbox folder \\vcs01\c$\Program Files\VMware\HorizonToolbox\HorizonToolbox2.0.1\webapps\toolbox\static\ra and run Horizon_Remote_Assistance_Installer_v1035.exe.
  2. You might be prompted to install .NET Framework 3.5.
  3. Click Install for End User.
  4. Click OK to launch Remote Assistance.
  5. Close Remote Assistance.
  6. When done, click Finish.
  7. Users can initiate a request by clicking the Horizon Remote Assistance icon on the desktop.
  8. Click OK to submit a request.

  9. Support people can see support requests in the Toolbox interface on the Remote Assistance tab.

VMware Horizon 6 Composer

Last Modified: Sep 2, 2018 @ 7:50 am

Navigation

Planning

vCenter Server planning:

  • A single vCenter Server can handle 10,000 VMs. However, this is a single point of failure. VMware recommends separate vCenter servers for each 2,000 VMs. More vCenter Servers means more concurrent vCenter operations, especially if your pools are configured for Refresh on Logoff.
  • Each ESXi cluster is managed by one vCenter Server.
  • Don’t use existing vCenter servers. Build separate vCenter servers for the vSphere clusters that host Agent VMs. Horizon licenses includes vCenter licenses so there’s no excuse to not use separate vCenter servers.

Horizon Composer server planning:

  • Each vCenter Server requires its own View Composer. There’s a one-to-one mapping.
  • View Composer cannot be installed on a Horizon 6 Connection Server.
  • View Composer server with 2vCPU, 4 GB RAM can support up to 2,000 virtual machines with up to 1,000 per pool.
  • View Composer server with 4 vCPU, 10 GB RAM can support up to 10,000 virtual machines with up to 2,000 per pool.

A remote SQL Server is needed for databases:

  • vCenter database
  • Horizon Composer database
  • Horizon Events database
  • Supported SQL versions are listed at pubs.vmware.com.

SQL Server Preparation

Only SQL Authentication is supported.

  1. Open the properties of the SQL Server.
  2. On the Security page, make sure SQL Server authentication is enabled.
  3. Create a new SQL database for View Composer.
  4. Call it VMwareViewComposer or similar. Then switch to the Options page.
  5. Select your desired Recovery model and click OK.
  6. View Composer only supports SQL authentication on remote SQL servers. Expand Security, right-click Logins and click New Login to create a new SQL login.
  7. Name the new account.
  8. Select SQL Server authentication.
  9. Enter a password for the new account.
  10. Uncheck the box next to Enforce password policy.
  11. Then switch to the User Mapping page.
  12. On the User Mapping page, check the Map box for VMwareViewComposer.
  13. On the bottom, check the box for the db_owner role and click OK.

.NET Framework 3.5.1

  1. Composer requires .NET Framework 3.5.1, which is not installed by default on Windows Server 2012 R2. In Server Manager, open the Manage menu and click Add Roles and Features.
  2. In the Before You Begin page, click Next.
  3. In the Select installation type page, click Next.
  4. In the Select destination server page, click Next.
  5. In the Select server roles page, click Next.
  6. In the Select features page, expand .NET Framework 3.5 features and select .NET Framework 3.5. Click Next.
  7. In the Confirm installation selections page, click Specify an alternate source path. Note: you will need the Windows Server 2012 R2 media.
  8. Enter the path to the \sources\sxs folder on the Windows Server 2012 R2 media and click OK.
  9. Then click Install.
  10. In the Results page, click Close.

SQL Native Client

  1. On the View Composer server, run sqlncli.msi.
  2. In the Welcome to the Installation Wizard for SQL Server 2012 Native Client page, click Next.
  3. In the License Agreement page, select I accept and click Next.
  4. In the Feature Selection page, click Next.
  5. In the Ready to Install the Program page, click Install.
  6. In the Completing the SQL Server 2012 Native Client installation page, click Finish.

ODBC

  1. On the View Composer server, run ODBC Data Sources (64-bit).
  2. On the System DSN tab, click Add.
  3. Select SQL Server Native Client and click Finish.
  4. Enter the name ViewComposer for the DSN and enter the SQL server name. Click Next.
  5. Change the selection to With SQL Server authentication and enter the credentials of the new ViewComposer SQL account. Then click Next.
  6. Check the box next to Change the default database and select the VMwareViewComposer database. Then click Next.
  7. Click Finish.
  8. Click OK twice.

Install – Composer

  1. Don’t install on Horizon 6 Connection Server: View Composer cannot be installed on the Horizon 6 Connection Server. They must be separate machines. View Composer is typically installed on vCenter server for less than 1000 linked clones.
  2. Extra Memory for vCenter: If you install View Composer on a vCenter server, VMware recommends adding 8 GB of RAM to the server. See VMware 2105261 Intermittent provisioning issues and generic errors when Composer and vCenter Server are co-installed
  3. vCenter Service Account: if you install View Composer on a vCenter server, login as the same account that was used to install vCenter. See VMware 2017773 Installing or upgrading View Composer fails with error: The wizard was interrupted before VMware View Composer could be completely installed
  4. Internet access for CRL checking: If the View Composer server does not have Internet access, see VMware 2081888 Installing Horizon View Composer fails with the error: Error 1920 Service VMware Horizon View Composer (svid) failed to start
  5. Install: Go to the downloaded View Composer 6.2.2 and run VMware-viewcomposer-6.2.2.exe.
  6. In the Welcome to the Installation Wizard for VMware Horizon 6 Composer page, click Next.
  7. In the License Agreement page, select I accept the terms and click Next.
  8. In the Destination Folder page, click Next.
  9. In the Database Information page, enter the name of the ODBC DSN.
  10. Enter the SQL account credentials (no Windows accounts) and click Next. For remote SQL databases, only SQL accounts will work. The SQL account must be db_owner of the database.
  11. In the VMware Horizon 6 Composer Port Settings page, click Next.
  12. In the Ready to Install the Program page, click Install.
  13. In the Installer Completed page, click Finish.
  14. Click Yes when asked to restart the computer.
  15. If you encounter installation issues, see VMware 2087379 VMware Horizon View Composer help center

Administrator Permissions

If View Composer is installed on a standalone server (not on vCenter), Horizon 6 Connection Server will need a service account with administrator permissions on the View Composer server. Add your View Composer Service Account to the local Administrators group.

Composer Certificate

  1. Stop the VMware Horizon 6 Composer service.
  2. Open the MMC Certificates snap-in. Open your Certificate Authority-signed certificate and on the Details tab note the Thumbprint.
  3. Run Command Prompt as Administrator
  4. Change the directory to C:\Program Files (x86)\VMware\VMware View Composer.
  5. Run sviconfig -operation=replacecertificate -delete=false.
  6. Select your Certificate Authority-signed certificate. Use the thumbprint to verify.
  7. Then restart the VMware Horizon 6 Composer service.

SQL Database Maintenance

SQL password: The password for the SQL account is stored in C:\Program Files (x86)\VMware\VMware View Composer\SviWebService.exe.config. To change the password, run SviConfig ?operation=SaveConfiguration as detailed at VMware 1022526 The View Composer service fails to start after the Composer DSN password is changed.

Database Move: To move the database to a new SQL server, you must uninstall Composer and reinstall it. See VMware 2081899 VMware Horizon View Composer fails to work properly after migrating the Composer database to a new SQL server

Related Pages

Omnissa Unified Access Gateway 2406

Last Modified: Aug 6, 2024 @ 1:24 am

Navigation

💡 = Recently Updated

Change Log

Overview

Unified Access Gateway provides remote connectivity to internal Horizon Agent machines. For an explanation of how this works (i.e., traffic flow), see Understanding Horizon Connections at Omnissa Tech Zone.

Unified Access Gateway (formerly known as Access Point) is a replacement for Horizon Security Servers. Advantages include:

  • You don’t need to build extra Connection Servers just for pairing. However, you might want extra Horizon Connection Servers so you can filter pools based on tags.
  • Between Unified Access Gateway and Horizon Connection Servers you only need TCP 443. No need for IPSec or 4001 or the other ports. You still need 4172, 22443, etc. to the View Agents.
  • No need to enable Gateway/Tunnel on the internal Horizon Connection Servers.
  • Additional security with DMZ authentication. Some of the Authentication methods supported on Unified Access Gateway are RSA SecurID, RADIUS, CAC/certificates, etc.

However:

  • It’s Linux. You can deploy and configure the appliance without any Linux skills. But you might need some Linux skills during troubleshooting.

Horizon View Security Server has been removed from Horizon 2006 (aka Horizon 8).

More information at VMware Blog Post Technical Introduction to VMware Unified Access Gateway for Horizon Secure Remote Access.

Horizon Compatibility – Refer to the interoperability matrix to determine which version of Unified Access Gateway is compatible with your version of Horizon.

  • The latest version of UAG is 2406.
    • You usually want the Non-FIPS version.
    • Then download the PowerShell deployment scripts on the same UAG download page.
  • If you are running an ESB version of Horizon, then make sure you run the ESB version of Unified Access Gateway. Get it from the same page as your Horizon download.
    1. Use the Select Version drop-down to select the version of Horizon you have deployed.
    2. Then open the downloads for the edition that you are entitled to: Standard, Advanced, or Enterprise.
    3. Scroll down the page to see the Unified Access Gateway downloads. You usually want the Non-FIPS version.
    4. Then download the PowerShell deployment scripts on the same UAG download page.
  •  

Firewall

Omnissa Tech Zone Blast Extreme Display Protocol in Horizon, and Firewall Rules for DMZ-Based Unified Access Gateway Appliances at Omnissa Docs.

Open these ports from any device on the Internet to the Unified Access Gateway Load Balancer VIP:

  • TCP and UDP 443
  • TCP and UDP 4172. UDP 4172 must be opened in both directions. (PCoIP)
  • TCP and UDP 8443 (for HTML Blast)

Open these ports from the Unified Access Gateways to internal:

  • TCP 443 to internal Connection Servers (through a load balancer)
  • TCP and UDP 4172 (PCoIP) to all internal Horizon View Agents. UDP 4172 must be opened in both directions.
  • TCP 32111 (USB Redirection) to all internal Horizon View Agents.
  • TCP and UDP 22443 (Blast Extreme) to all internal Horizon View Agents.
  • TCP 9427 (MMR and CDR) to all internal Horizon View Agents.

Open these ports from any internal administrator workstations to the Unified Access Gateway appliance IPs:

  • TCP 9443 (REST API)
  • TCP 80/443 (Edge Gateway)

PowerShell Deploy Script

Omnissa Docs Using PowerShell to Deploy VMware Unified Access Gateway. The script runs OVF Tool to deploy and configure Unified Access Gateway. The PowerShell script is updated as newer versions of Unified Access Gateways are released. This is the recommended method of deploying Unified Access Gateway.

If you prefer to use vSphere Client to Deploy the OVF file, skip ahead to Upgrade or Deploy.

The PowerShell deployment script is downloadable from the UAG download page.

The PowerShell deploy script requires the OVF Tool:

  1. Download ovftool from Broadcom.
  2. If OVF Tool is already installed, then you’ll have to uninstall the old version before you can upgrade it.
  3. On the machine where you will run the UAG Deploy script, install VMware-ovftool-…-win.x86_64.msi.
  4. In the Welcome to the VMware OVF Tool Setup Wizard page, click Next.
  5. In the End-User License Agreement page, check the box next to I accept the terms and click Next.
  6. In the Destination Folder page, click Next.
  7. In the Ready to install VMware OVF Tool page, click Install.
  8. In the Completed the VMware OVF Tool Setup Wizard page, click Finish.

Create or Edit a UAG .ini configuration file:

  1. Extract the downloaded uagdeploy PowerShell scripts for your version of Unified Access Gateway.
  2. If you have an existing UAG appliance, then you can download an INI of the configuration from the UAG Administrator page.

    • Or copy and edit one of the downloaded .ini files, like uag2-advanced.ini.
  3. A full explanation of all configuration settings can be found at Using PowerShell to Deploy Unified Access Gateway at Omnissa Docs.
  4. For any value that has spaces, do not include quotes in the .ini file. The script adds the quotes automatically.
  5. The name setting specifies the name of the virtual machine in vCenter. If this VM name already exists in vCenter, then OVF Tool will delete the existing VM and replace it.
  6. Add a uagName setting and specify a friendly name. You’ll later add this name to Horizon Console so you can view the health of the UAG appliance in Horizon Console.
  7. You can optionally enable SSH on the appliance by adding sshEnabled=true.
  8. For the source setting, enter the full path to the UAG .ova file.
  9. For the target setting, leave PASSWORD in upper case. Don’t enter an actual password. OVF Tool will instead prompt you for the password.
  10. For the target setting, specify a cluster name instead of a host. If spaces, there’s no need for quotes. For example:
    target=vi://admin@corp.local:PASSWORD@vcenter02.corp.local/Datacenter/host/Cluster 1
  11. Specify the exact datastore name for the UAG appliance.
  12. Optionally uncomment the diskMode setting.
  13. For a onenic configuration (recommended), set the netInternet, netManagementNetwork, and netBackendNetwork settings to the same port group name.
  14. Multiple dns servers are space delimited.
  15. For pfxCerts, UNC paths don’t work. Make sure you enter a local path (e.g. C:\). OVA Source File can be UNC, but the .pfx file must be local.
  16. There’s no need to enter the .pfx password in the .ini file since the uagdeploy.ps1 script will prompt you for the password.
  17. proxyDestinationUrl should point to the internal load balancer for the Horizon Connection Servers.
  18. For proxyDestinationUrlThumbprints, paste in the sha256 or higher thumbprint of the Horizon Connection Server certificate in the format shown.
    • If your Horizon Connection Servers each have different certificates, then you can include multiple thumbprints (comma separated).
  19. Make sure there’s no hidden character between sha256 and the beginning of the thumbprint. Or you can just paste the thumbprint without specifying sha256. Note: sha1 is no longer supported. Edge and Chrome can show sha256 certificate fingerprint.
  20. Change the ExternalUrl entries to an externally-resolvable DNS name and a public IP address. For multiple UAGs, the FQDNs and public IP address should resolve to the load balancer. Note: your load balancer must support persistence across multiple port numbers (443, 8443, 4172).

When you run the PowerShell script, if the UAG appliance already exists, then the PowerShell script will replace the existing appliance. There’s no need to power off the old appliance since the OVF tool will do that for you.

  1. Open an elevated PowerShell prompt.
  2. Paste in the path to the uagdeploy.ps1 file. If there are quotes around the path, then add a & to the beginning of the line so PowerShell executes the path instead of just echoing the string.
  3. Add the -iniFile argument and enter the path to the .ini file that you modified. Press <Enter> to run the script.
  4. You’ll be prompted to enter the root password for the UAG appliance. Make sure the password meets password complexity requirements.
  5. You’ll be prompted to enter the admin password for the UAG appliance. Make sure the password meets password complexity requirements.
  6. For CEIP, enter yes or no.
  7. For .pfx files, you’ll be prompted to enter the password for the .pfx file. Note: the .pfx file must be local, not UNC.
  8. OVF Tool will prompt you for the vCenter password. Special characters in the vCenter password must be encoded. Use a URL encoder tool (e.g., https://www.urlencoder.org/) to encode the password. Then paste the encoded password when prompted by the ovftool. The UAG passwords do not need encoding, but the vCenter password does.
  9. The deploy script will display the IP address of the powered on UAG appliance.
  10. Review settings in the UAG admin interface.
  11. Add the new UAG appliance to Horizon Console.

Upgrade

To upgrade from an older appliance, you delete the old appliance and import the new one. Before deleting the older appliance, export your settings:

  1. Login to the UAG at https://<Your_UAG_IP>:9443/admin/index.html.
  2. In the Configure Manually section, click Select.
  3. Scroll down to the Support Settings section, and then click the JSON button next to Export Unified Access Gateway Settings.
  4. Note: the exported JSON file does not include the UAG certificate, so you’ll also need the .pfx file. If RADIUS is configured, then during import you’ll be prompted to enter the RADIUS secret.

Deploy New

Horizon Compatibility – Refer to the interoperability matrix to determine which version of Unified Access Gateway is compatible with your version of Horizon.

  • The latest version of UAG is 2406.
    • You usually want the Non-FIPS version.
  • If you are running an ESB version of Horizon, then make sure you run the ESB version of Unified Access Gateway. Get it from the same page as your Horizon download.
    1. Use the Select Version drop-down to select the version of Horizon you have deployed.
    2. Then open the downloads for the edition that you are entitled to: Standard, Advanced, or Enterprise.
    3. Scroll down the page to see the Unified Access Gateway downloads. You usually want the Non-FIPS version.

To deploy the Unified Access Gateway using VMware vSphere Client:

  1. If vSphere Client, right-click a cluster, and click Deploy OVF Template.
  2. Select Local File and click Upload Files. In the Open window, browse to the downloaded euc-unified-access-gateway.ova file, and click Next.
  3. In the Select a name and folder page, give the machine a name, and click Next.
  4. In the Review Details page, click Next.
  5. In the Select configuration page, select a Deployment Configuration. See Network Segments at Unified Access Gateway Architecture at Omnissa Tech Zone. Click Next.
  6. In the Select storage page, select a datastore, select a disk format, and click Next.
  7. In the Select networks page, even if you select Single NIC, the OVF deployment wizard asks you for multiple NICs. UAG typically goes in the DMZ.
  8. In the Customize template page, select STATICV4, and scroll down.
  9. In the NIC1 (eth0) IPv4 address field, enter the NIC1 (eth0) IPv4 address. Scroll down.
  10. Enter DNS addresses, Gateway, and Subnet Mask. Scroll down.
  11. Scroll down and enter more IP info.
  12. Scroll down.
  13. Enter a Unified Gateway Appliance Name.
  14. Scroll down.
  15. UAG 2207 and newer let you specify the local root username.
  16. Enter passwords.

    • UAG 20.12 (2012) and newer let you specify Password Policy settings when deploying the OVF.
  17. Scroll down and enter the password for the admin user.
  18. UAG 2207 and newer have an adminreset command if you mess up the admin interface login. There’s also an adminpwd command to reset the password.
  19. UAG 2207 and newer have an option to enable DISA STIG compliance, usually on the FIPS version of UAG.
  20. There’s a checkbox for Enable SSH.
  21. In UAG 3.9 and newer, there’s an option to login using a SSH key/pair instead of a password.
  22. Newer versions of UAG have more SSH options.
  23. UAG 2207 adds Commands to Run on First Boot or Every Boot.
  24. Click Next.
  25. In the Ready to complete page, click Finish.

UAG Admin Interface

  1. Power on the Unified Access Gateway appliance.
  2. Point your browser to https://My_UAG_IP:9443/admin/index.html and login as admin. It might take a few minutes before the admin page is accessible.
  3. UAG 2207 and newer have an adminreset command if you mess up the admin interface login. There’s also an adminpwd command to reset the password.

Import Settings

  1. If you have previously exported settings, you can import it now by clicking Select in the Import Settings section.
  2. Browse to the previously exported UAG_Settings.json file and then click Import. Note that this json file might have old settings, like old ciphers. Review the file to ensure you’re not importing legacy configurations. If the .json file has a SHA-1 thumbprint, then edit the file and replace it with SHA-256 thumbprint (fingerprint).
  3. It should say UAG settings imported successfully. If you don’t see this, then your .json file probably has a SHA-1 thumbprint.
  4. Press <F5> on your keyboard to refresh the browser.
  5. The .json file does not include the certificate so you’ll have to do that separately. In the Admin console, in the Advanced Settings section, click TLS Server Certificate Settings.
  6. In the top row labelled Apply certificate to, select Internet interface.
  7. Change the drop-down for Certificate Type to PFX.
  8. In the row Upload PFX, click Select and browse to your PFX file.
  9. In the Password field, enter the PFX password and then click Save.

Configure Horizon Settings

  1. To manually configure the appliance, under Configure Manually, click Select.
  2. Click the slider for Edge Service Settings.
  3. Click the slider for Enable Horizon.
  4. As you fill in these fields, hover over the information icon to see the syntax.
  5. The Connection Server URL should point to the internal load balanced DNS name (URL) for your internal Connection Servers.

    1. For the Connection Server URL Thumbprint, get the thumbprint from the internal Horizon certificate. Point your browser to the internal Horizon Connection Server FQDN (load balanced) and click the padlock icon to open the certificate.
    2. On the Details tab, copy the SHA-256 Fingerprint. Note that SHA-1 thumbprint is no longer supported.
  6. In the Proxy Destination URL Thumb Prints field, type in sha256= and paste the certificate thumbprint.
  7. At the beginning of the Thumbprint field, immediately after the equals sign, there might be a hidden character. Press the arrow keys on the keyboard to find it. Then delete the hidden character.
  8. Enable the three PCOIP, Blast, and Tunnel Gateways and perform the following configurations:
    1. For PCOIP External URL, enter the external IP and :4172. The IP should point to your external load balancer that’s load balancing UDP 4172 and TCP 4172 to multiple Unified Access Gateways.
    2. For Blast External URL, enter https://<FQDN>:8443 (e.g. https://view.corp.com:8443). This FQDN should resolve to your external load balancer that’s load balancing UDP 8443 and TCP 8443 to multiple Unified Access Gateways.
    3. For Enable UDP Tunnel Server, enable the setting.
    4. For Tunnel External URL, enter https://<FQDN>:443 (e.g., https://view.corp.com:443). This FQDN should resolve to your external load balancer that’s load balancing TCP 443 to multiple Unified Access Gateways.
    5. The external load balancer must be capable of using the same persistence across multiple port numbers. On NetScaler, this feature is called Persistency Group. On F5, the feature is called Match Across.
  9. Then click More.
  10. Unified Access Gateway has a default list of paths it will forward to the Horizon Connection Server. You can edit the Proxy Pattern and add |/downloads(.*) to the list so that users can also download Horizon Clients that are stored on your Horizon Connection Servers as detailed elsewhere at carlstalhood.com. Make sure you click Save at least once so it saves the default Proxy Pattern. Then go back in and add |/downloads(.*) to the end of the Proxy Pattern but inside the last parentheses. In UAG 2406, the default Proxy Pattern looks something like below:

    (/|/view-client(.*)|/portal(.*)|/appblast(.*)|/iwa(.*)|/downloads(.*))
  11. Scroll down and click Save when done.
  12. If you click the arrow next to Horizon Settings, then it shows you the status of the Edge services.

    • If all you see is Not Configured, then refresh your browser and then click the Refresh Status icon.
  13. In your Horizon Connection Servers, the Secure Gateways (e.g. PCoIP Gateway) should be disabled.
    1. Go to Horizon Console.
    2. Expand Settings and click Servers.
    3. On the right, switch to the tab named Connection Servers.
    4. Highlight your Connection Servers and click Edit.
    5. Then uncheck or disable all three Tunnels/Gateways.
    6. HTML Access probably won’t work through Unified Access Gateway. You’ll probably see the message Failed to connect to the Connection Server.
    7. To fix this, configure on each Connection Server the file C:\Program Files\VMware\VMware View\Server\sslgateway\conf\locked.properties to disable Origin Check (checkOrigin=false) or configure the Connection Server’s locked.properties with the UAG addresses. Also see 2144768 Accessing the Horizon View Administrator page displays a blank error window in Horizon 7.
    8. Horizon 2106 and newer enable CORS by default so you’ll need to either disable CORS by adding enableCORS=false to C:\Program Files\VMware\VMware View\Server\sslgateway\conf\locked.properties, or configure the portalHost entries in locked.properties as detailed at 85801 Cross-Origin Resource Sharing (CORS) with Horizon 8 and loadbalanced HTML5 access.
    9. After modifying the locked.properties file, restart the VMware Horizon View Security Gateway Component service.

Add UAG to Horizon Console

In Horizon 7.7 and newer, you can add UAG 3.4 and newer to Horizon Console so you can check its status in the Dashboard.

  1. In UAG Admin console, under Advanced Settings, click the gear icon next to System Configuration.
  2. At the top of the page, change the UAG Name to a friendly name. You’ll use this case-sensitive name later.
  3. Click Save at the bottom of the page.
  4. In Horizon Console, on the left, expand Settings and click Servers.
  5. On the right, switch to the tab named Gateways.
  6. Click the Register button.
  7. In the Gateway Name field, enter the case-sensitive friendly name you specified earlier, and then click OK.

See status of UAG appliances:

  1. Use a Horizon Client to connect through a Unified Access Gateway. Horizon Console only detects the UAG status for active sessions.
  2. In Horizon Console 7.10 and newer, to see the status of the UAG appliances, on the top left, expand Monitor and click Dashboard.
  3. In the top-left block named System Health, click VIEW.
  4. With Components highlighted on the left, on the right, switch to the tab named Gateway Servers.
  5. This tab shows the status of the UAG appliances, including its version. If you don’t see this info, then make sure you launch a session through the UAG.

To see the Gateway that users are connected to:

  1. In Horizon Console 7.10 or newer, go to Monitor > Sessions.
  2. Search for a session and notice the Security Gateway column. It might take a few minutes for it to fill in.

UAG Authentication

SAML is configured in UAG 3.8 and newer in the Identity Bridging Settings section.

  1. Upload Identity Provider Metadata.
  2. Then in UAG Admin > Edge Service Settings > Horizon Settings > More (bottom of page), you can set Auth Methods (near top of page) to SAML only, which requires True SSO implementation, or SAML and Passthrough, which requires two logins: one to IdP, and one to Horizon.
  3. For complete True SSO instructions, see https://www.carlstalhood.com/vmware-horizon-true-sso-uag-saml/.
  4. For Okta and True SSO, see Enabling SAML 2.0 Authentication for Horizon with Unified Access Gateway and Okta: VMware Horizon Operational Tutorial at Omnissa Tech Zone.
  5. For Azure MFA, see Sean Massey Integrating Microsoft Azure MFA with VMware Unified Access Gateway 3.8.

For RADIUS authentication:

  1. Enable the Authentication Settings section and configure the settings as appropriate for your requirements. See Configuring Authentication in DMZ at VMware Docs.

    • When configuring RADIUS, if you click More, there’s a field for Login page passphrase hint.
  2. Then in Edge Service Settings > Horizon Settings > More (bottom of page), you can set Auth Methods (near top of page) to RADIUS.
  3. If you scroll down the Horizon Settings page, you’ll see additional fields for RADIUS.
  4. In UAG 3.8 and newer, Passcode label field can be customized for MFA providers like Duo.
  5. If your RADIUS is doing Active Directory authentication (e.g. Microsoft Network Policy Server with Azure MFA), then Enable Windows SSO so the user isn’t prompted twice for the password.

Other UAG Configurations

  1. UAG 3.8 and newer shows when the admin password expires in Account Settings in the Advanced Settings section.

  2. Ciphers are configured under Advanced Settings > System Configuration.

    • The default ciphers in UAG 2406 are the following and include support for TLS 1.3.
      TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

    • In UAG older than 2103, Syslog is also configured here. In UAG 2103 and newer, Syslog is in a different menu as described below.
    • At the bottom of the System Configuration page are several settings for SNMP, DNS, and NTP.
    • UAG 20.12 (2012) and newer support SNMPv3.
    • UAG 3.10 and newer have Admin Disclaimer Text.
    • You can add NTP Servers.
  3. Session Timeout is configured in System Configuration. It defaults to 10 hours.
  4. UAG 3.6 and newer let you add static routes to each NIC.
    1. Click Network Settings.
    2. Click the gear icon next to a NIC.
    3. Click IPv4 Configuration to expand it and then configure IPv4 Static Routes.
  5. UAG 2103 and newer have a different menu item for Syslog Server Settings.

    • You can specify up to two Syslog servers.
    • You can include System Messages.
    • UAG 2207 supports MQTT when adding Syslog servers.
  6. UAG 20.09 (2009) and newer can automatically install patches/updates when the appliance reboots.
    1. In the Advanced Settings section, click Appliance Updates Settings.
    2. For Apply Updates Scheme, select an option. Click Save.
  7. UAG supports High Availability Settings.

    1. With the High Availability Virtual IP address, you might not need load balancing of the UAG appliances. See Unified Access Gateway High Availability at Omnissa Docs.
      1. The High Availability feature requires three IP addresses and three DNS names:
        1. One IP/FQDN for the High Availability Virtual IP.
        2. And one IP/FQDN for each appliance/node.
      2. The Horizon Edge Gateways should be set to node-specific IP addresses and node-specific DNS names. Each appliance is set to a different IP/FQDN.
      3. The Virtual IP (and its DNS name) is only used for the High Availability configuration.
      4. The YouTube video High Availability on VMware Unified Access Gateway Feature Walk-through explains the High Availability architecture.
    2. Set the Mode to ENABLED.
    3. Enter a new Virtual IP Address which is active on both appliances.
    4. Enter a unique Group ID between 1 and 255 for the subnet.
    5. Click Save.
    6. On the second appliance, configure the exact same High Availability Settings.
  8. To upload a valid certificate, scroll down to the Advanced Settings section, and next to TLS Server Certificate Settings, click the gear icon.

    1. In Unified Access Gateway 2312 and newer, click Edit in the Internet section.
    2. In Unified Access Gateway 3.2 and newer, you can apply the uploaded certificate to Internet InterfaceAdmin Interface, or both.
    3. In Unified Access Gateway 3.0 and newer, change the Certificate Type to PFX, browse to a PFX file, and then enter the password. This PFX file certificate must match the Public FQDN (load balanced) for Unified Access Gateway. If your load balancer is terminating SSL, then the certificate on the UAG must be identical to the certificate on the load balancer.
    4. Leave the Alias field blank.
    5. Click Save.

    6. If you changed the Admin Interface certificate, then you will be prompted to close the browser window and re-open it.
  9. Or, you can upload a PEM certificate/key (this is the only option in older UAG). Next to Private Key, click the Select link.

    1. Browse to a PEM keyfile. If not running Unified Access Gateway 3.0 or newer, then certificates created on Windows (PFX files) must be converted to PEM before they can be used with Unified Access Gateway. You can use openssl commands to perform this conversion. The private key should be unencrypted.
    2. Browse to a PEM certificate file (Base-64) that contains the server certificate, and any intermediate certificates. The server certificate is on top, the intermediate certificates are below it. The server certificate must match the public FQDN (load balanced) for the Unified Access Gateway.
    3. Click Save when done.
  10. UAG 3.1 and newer have an Endpoint Compliance Check feature. The feature requires an OPSWAT subscription. Newer versions of UAG can deploy the OPSWAT agent. It’s pass/fail. See Configure OPSWAT as the Endpoint Compliance Check Provider for Horizon at VMware Docs.

    • UAG 3.9 and newer let you upload the Opswat Endpoint Compliance on-demand agent executables. Horizon Client downloads the executables from UAG and runs them. See Upload OPSWAT MetaAccess on-demand agent Software on Unified Access Gateway at VMware Docs.
    • In UAG 20.09 and newer, Outbound Proxy Settings can be configured to allow UAG to contact the Opswat servers when checking for device compliance.

  11. Scroll down to Support Settings and click the icon next to Export Unified Access Gateway Settings to save the settings to a JSON file. If you need to rebuild your Unified Access Gateway, simply import the the JSON file.

    • The exported JSON file does not include the UAG certificate, so you’ll also need the .pfx file.
  12. If you point your browser to the Unified Access Gateway external URL, you should see the Horizon Connection Server portal page. Horizon Clients should also work to the Unified Access Gateway URL.

Monitor Sessions

In UAG 3.4 and newer, in the UAG Admin interface,

  • At the top of the page, next to Edge Service Settings, you can see the number of Active Sessions on this appliance.
  • At the bottom of the page, under Support Settings, click Edge Service Session Statistics to see more details.

In older versions of UAG, to see existing Horizon connections going through UAG, point your browser to https://uag-hostname-or-ip-addr:9443/rest/v1/monitor/stats.

Logs and Troubleshooting

You can download logs from the Admin Interface by clicking the icon next to Log Archive.

You can also review the logs at /opt/vmware/gateway/logs. You can less these logs from the appliance console.

Or you can point your browser to https://MyApplianceIP:9443/rest/v1/monitor/support-archive. This will download a .zip file with all of the logfiles. Much easier to read in a GUI text editor.

For initial configuration problems, check out admin.log.

For Horizon View brokering problems, check out esmanager.log.

By default, tcpdump is not installed on UAG. To install it, login to the console and run /etc/vmware/gss-support/install.sh

Load Balancing

If NetScaler, see https://www.carlstalhood.com/vmware-horizon-unified-access-gateway-load-balancing-citrix-adc/ load balance Unified Access Gateways.

To help with load balancing affinity, UAG 3.8 and newer can redirect the load balanced DNS name to a node-specific DNS name. This is configured in Edge Service Settings > Horizon Settings > More (bottom of page).

Related Pages

Omnissa Dynamic Environment Manager (DEM) 2406

Last Modified: Jul 28, 2024 @ 5:25 am

Navigation

As of version 9.9, User Environment Manager (UEM) was renamed to Dynamic Environment Manager (DEM).

This post applies to all Dynamic Environment Manager (aka User Environment Manager) versions including DEM 2312 (10.12) ESB, DEM 2212 (10.8) ESB, DEM 2111 ESB (10.4), and DEM 9.9 (ESB).

💡 = Recently Updated

Change Log

Upgrade

If you are performing a new installation, skip to the Installation Prerequisites section.

When upgrading an existing installation of DEM or UEM, upgrade the FlexEngine on the Horizon Agents first.

The newest FlexEngine can still interpret the INI files from older DEM console. After your clients (FlexEngine) have been upgraded, you can upgrade the management console, which allow for new options, like elevated privileges and others, which (when enabled) can now be correctly interpreted by the upgraded clients (FlexEngine). After that update the ADMX files.

DEM 2203 and newer move FlexEngine licensing to the configuration share and DEM console. If you are upgrading existing FlexEngines, then the previous license will continue functioning. New FlexEngines need the new licensing configuration method.

Installation Prerequisites

Before performing the procedures detailed on this page, make sure you’ve created the DEM File Shares, imported the DEM GPO ADMX templates, created the GPOs for Horizon, and configured the Horizon GPOs for Dynamic Environment Manager.

Omnissa Tech Zone Antivirus Considerations in a Horizon Environment: exclusions for Horizon, App Volumes, User Environment Manager, ThinApp

Omnissa Workspace Tech Zone has an excellent Quick-Start Tutorial for Dynamic Environment Manager. It’s around 130 printed pages.

Local Profile

At user logon, DEM restores profile archives on top of a Windows profile, which is typically a local profile.

If your Horizon Agent machines are single-user, non-persistent that reboot at logoff, then local profiles are deleted at logoff.

If your Horizon Agent machines are multi-user machines (e.g. RDSH) that don’t reboot every day, then you might need a process to delete local profiles when the user logs off. Here are some options:

  • Schedule a delprof2.exe script that runs daily.
  • A more advanced option is to add users to the local Guests group, which causes their profile to be deleted at logoff.

DEM Console Installation

In Horizon 2006 (aka 8.0), DEM is available in all editions of Horizon. There are two editions of DEM, each with different downloads and different DEM capabilities.

  • Horizon 8 (2006+) Enterprise Edition and Horizon 7.13 Enterprise Edition are entitled to DEM Enterprise Edition, which has all features.
  • Horizon 8 (2006+) Standard Edition and Horizon 8 Advanced Edition are entitled to DEM Standard Edition, which is limited primarily to Personalization features. If you are using FSLogix Profile Containers, then you don’t need DEM Standard Edition.

DEM 2406 (10.13) is the latest release. DEM 2312 (10.12) is an Extended Support Branch (ESB). DEM 2312 (10.12) is an Extended Support Branch (ESB).

  1. Based on your entitlement, download either DEM 2406 (10.13) Enterprise Edition or DEM 2406 (10.13) Standard Edition. For ESB Horizon, download the DEM version included with your ESB version of Horizon.

  2. If upgrading, don’t upgrade the DEM Console until all of your DEM Agents have been upgraded.
  3. On your administrator machine, run the downloaded VMware Dynamic Environment Manager 2406 10.13 x64.msi.
  4. In the Welcome to the VMware Dynamic Environment Manager Enterprise Setup Wizard page, check the box next to I accept and click Next.
  5. In the Destination Folder page, click Next.
  6. In the Choose Setup Type page, click Custom.
  7. In the Custom Setup page, change the selections so that only the console is selected and then click Next.
  8. In the Ready to install VMware Dynamic Environment Manager Enterprise page, click Install.
  9. In the Completed the VMware Dynamic Environment Manager Enterprise Setup Wizard page, click Finish.

Configure Dynamic Environment Manager

Here is a summary of the major Dynamic Environment Manager functionality:

  • Personalization (aka import/export user settings) – saves application and Windows settings to a file share. This is the roaming profiles functionality of Dynamic Environment Manager. You configure folders and registry keys that need to be saved. The import/export can happen at logon/logoff or during application launch/exit.
    • Pre-configure application settings – configures files and registry keys for specific applications so users don’t have to do it themselves. Some examples: disable splash screen, default folder save location, database server name, etc.
    • Selfsupport tool – users can use this tool to restore their application settings.
    • DEM Standard Edition supports all Personalization features.
  • User Environment – configures Windows settings like drive mappings, Explorer settings, printer mappings, etc. This is similar to group policy but offers significantly more options for conditional filtering. Dynamic Environment Manager can configure any registry setting defined in an ADMX file.
    • DEM Standard Edition only has a limited set of User Environment settings (e.g., drive mappings). Most User Environment features require DEM Enterprise Edition.
    • Most settings in DEM are only for users, not computers. DEM 2006 (aka 10.0) and newer support ADMX templates for Computer Settings. In older DEM, use Group Policy to configure Computer Settings.
    • Best practice is to not mix Dynamic Environment Manager and user group policy. Pick one tool. If the same setting is configured in both locations then group policy will win.
    • UEM 9.6 and newer support Windows Server 2019 as an Operating System condition.
  • Horizon Smart Policies – Use Horizon Conditions (e.g., client IP) to control device mappings (e.g., client printing) and PCoIP/Blast Bandwidth Profile.
  • Privilege Elevation (UEM 9.2 and newer) – allow apps to run as administrator even though user is not an administrator. Installers can also be elevated.

Links:

Initial Configuration (Easy Start)

To perform an initial configuration of Dynamic Environment Manager, do the following:

  1. Launch the DEM Management Console from the Start Menu.
  2. Enter the path to the DEMConfig share and click OK.
  3. DEM Console 2306 and newer might ask you to join Omnissa Customer Experience Improvement Program (CEIP).
  4. In the ribbon, click Configure. These Settings checkboxes define what is displayed in the management console. Leave it set to the defaults and click OK.
  5. In the Personalization ribbon, on the far right, click Easy Start.
  6. Select your version of Office and click OK. Office 2019 and Office 2016 are essentially the same.
  7. Click OK when prompted that configuration items have been successfully installed.
  8. Review the pre-configured settings to make sure they are acceptable. For example, on the ribbon named User Environment, under Shortcuts, Dynamic Environment Manager might create a Wordpad shortcut that says (created by VMware UEM). You can either Disable this item or delete it.

  9. Go to the ribbon name User Environment. On the left, expand Windows Settings and click Policy Settings. On the right, if there is a setting to Remove Common Program Groups, then click Edit.

    1. Consider adding a condition so it doesn’t apply to administrators.

DEM Licensing

DEM 2203 and newer moved FlexEngine Agent licensing to the DEM Configuration Share and DEM Console.

  1. Download the Production License File from the same place you downloaded DEM:  DEM 2312 (10.12) Enterprise Edition, or DEM 2312 (10.12) Standard Edition.
  2. In the DEM console, click the top-left star icon and then click License.
  3. Click Manage.
  4. Choose License File and then select the downloaded VMware-DEM-10.13.0-GA.lic file.
  5. Click OK.

DEM Console places the license info in the DEM Configuration Share file under \general\FlexRepository\AgentConfiguration.

Common Configurations

  1. DEM 2303 (10.9) and newer have a Search button to help you find configuration files.
  2. To roam the Start Menu in Windows 10 1703 and newer:
    1. Go to the ribbon named Personalization, click a folder, and click Create Config File.
    2. Select Use a Windows Common Setting and click Next.
    3. Select Windows 10 Start Menu – Windows 10 Version 1703 and higher. This option is only available in newer versions of DEM. It should work with Windows Server 2019, but it doesn’t apply to Windows Server 2016, which is actually version 1607.
    4. Enter a file name. DEM will create a .zip file for each user with this name. Click Finish when done.
  3. You can run Triggered Tasks when a session is reconnected, workstation is unlocked, or on a schedule (DEM 2306 and newer). This is useful for re-evaluating Smart Policies, as detailed below.

    • DEM 2111 and newer have a Trigger named App Volumes logon-time apps delivered. This was renamed from the older All AppStacks Attached trigger. It was renamed because App Volumes 2111 supports on-demand apps.

    • DEM 2306 (10.10) and newer have a Schedule trigger.

    • You can pick one of the predefined Actions or choose Run custom command to run a script. Some scripts might need an additional configuration under Privilege Elevation.
  4. UEM 9.3 and newer have a setting to store Outlook OST file on App Volumes writable volumes. Go to the ribbon named User Environment. Right-click App Volumes and create a setting. Check the box next to Store Offline Outlook Data File (.ost) on writable volume. Configure other fields as desired. Note: this setting only applies to new Outlook profiles. More info in the YouTube video VMware User Environment Manager Outlook OST on App Volumes User Writable Volume Feature Walkthrough.

Links:

Horizon Smart Policies

Horizon Smart Policies let you control (e.g. disable) Horizon functionality for external users or other conditions.

  1. In UEM 9.0 and newer, go to User EnvironmentHorizon Smart Policies, and create a policy.
  2. DEM 9.11 has an expanded list of settings configurable using Horizon Smart Policies.
  3. DEM 2309 (10.11) and newer can control FIDO2 and Storage drive.
  4. DEM 2306 (10.10) and newer can control Browser Content Redirection.
  5. UEM 9.8 and newer have many Horizon Smart Policy Settings, including Drag and drop. See VMware User Environment Management 9.8 Feature Walk-Through at YouTube.
  6. On the Conditions tab, you can use any of the available conditions, including the Horizon Client Property conditions.

    • To detect external users, select Horizon Client Property > Client Location = External. UAG and Security Server set the session’s location to External.
  7. You can also enter a Horizon Client Property condition that corresponds to the ViewClient_ registry keys. In the Property field, type in a property name (remove ViewClient_ from the property name). See VMware Blog Post Enhancing Your VMware Horizon 7 Implementation with Smart Policies.

  8. There’s Endpoint Platform as a policy condition. Create a Policy, go to the Conditions tab, and select the Endpoint Platform condition.
  9. Some of the conditions have Matches Regex. For example, Endpoint name and Horizon Client Property > Pool name.

  10. To reapply Horizon Policies when users reconnect to an existing session, go to User Environment > Triggered Tasks, and click Create. Or you can edit one of the existing Triggered Tasks settings.

    1. Change the Trigger to Session Reconnected.
    2. Change the Action to User Environment refresh. Select Horizon Smart Policies and click Save.

Application Blocking

  1. UEM 9.0 adds an Application Blocking feature. To enable it, go to User Environment > Application Blocking, and click the Global Configuration button.
  2. Check the box to Enable Application Blocking. Specify Conditions where, if true, then App Blocking is enabled. These are the same conditions available in other policies and settings. Click OK.
  3. Then you can create an Application Blocking setting to designate the folders that users can run executables from, or what file hashes are allowed.
  4. You can add folders that allow or block apps. Any executable in these paths will be allowed or blocked. By default, executables in Windows and Program Files (including x86) are allowed.
  5. UEM 9.1 and newer allows File Hashes in addition to File Paths. Set the Type to Hash-based, click Add, browse to an executable, UEM will compute the hash, and add it to the list.
  6. UEM 9.2 and newer supports Publisher-based allow. Set the Type to Publisher-based, click Add, browse to an executable, UEM will read the certificate, and add it to the list. Note: A challenge with hash-bashed and publisher-based rules is that the policy might have to be updated whenever the app is updated.

Privilege Elevation

  1. UEM 9.2 adds a Privilege Elevation feature, which allows executables to run as administrator even if users are not administrators. To enable it, go to User Environment > Privilege Elevation, and click the Global Configuration button.
  2. Check the box to Enable Privilege Elevation. Specify Conditions where, if true, then Privilege Elevation is enabled. These are the same conditions available in other policies and settings.
  3. If you allow installers to be elevated, elevate the installer’s child processes too, check the box. This checkbox only applies to installers. Child processes of elevated applications is enabled when creating a Privilege Elevation configuration setting.
  4. When an application is elevated, the user can be asked to allow it. This prompt is intended to inform the user that the application has more permissions than it should, and thus be careful with this application. Click OK.
  5. Then you can create a Privilege Elevation setting to designate the applications that should be elevated. The applications can be specified by a path, a hash, or a publisher certificate. These are essentially the same options as Application Blocking.
  6. Path-based user-installed application lets you elevate installers. The other three options elevate applications, but not installers.
  7. The child processes checkbox applies to applications.
  8. UEM 9.4 adds Argument-based elevated application, which lets you elevate specific scripts and/or Control Panel applets. For details, see the YouTube video VMware User Environment Manager 9.4 Argument Based Privilege Elevation Feature Walk-through.
  9. DEM Group Policy settings can be enabled to log both Application Blocking and Privilege Elevation to Event Viewer

Computer Settings

DEM Enterprise Edition 2006 and newer can deploy computer-based ADMX settings.

  • Domain Computers must have Read permission to the DEM Config file share.

DEM 2006 and newer Agents (FlexEngines) must be configured to enable computer settings. You can either configure registry settings on each DEM Agent machine, or in DEM Agent 2103 and newer you can use an installer command-line switch. Both are detailed at Perform Installation with Computer Environment Settings Support at Omnissa Docs.

  • Group Policy Preferences can push these registry keys to the Horizon Agent machines. Or you can manually modify the registry in your master images. If you use group policy, then make sure the group policy applies to your master image. The minimum registry values are Enabled and ConfigFilePath as detailed at Perform Installation with Computer Environment Settings Support at Omnissa Docs. For the list of additional registry values, see FlexEngine Configuration for Computer Environment Settings at Omnissa Docs.
  • Command line install looks something like below. The command line installer switch sets the same ConfigFilePath and Enabled registry values as shown above.
    msiexec /i "\\fs01\bin\VMware\DEM\VMware-DEM-Enterprise-2406-10.13-GA\VMware Dynamic Environment Manager Enterprise 2406 10.13 x64.msi" /qn COMPENVCONFIGFILEPATH=\\fs01\DEMConfig\general

Do the following to enable Computer Environment settings in the DEM Console:

  1. In the DEM Management Console, at the right side of any ribbon, click Configure.
  2. At the bottom of the General tab, check the box next to Computer Environment.
  3. A new Computer Environment ribbon is added. DEM 2009 and newer have Startup Tasks and Shutdown Tasks.
  4. With ADMX-based Settings highlighted on the left, click Manage Templates in the ribbon.
  5. At the bottom of the window, click Add Folder.
  6. If you have PolicyDefinitions in your SYSVOL, then browse to that. Or you can point it to C:\Windows\PolicyDefinitions. Click OK.
  7. Click OK after import is successful. DEM copied the .admx files into the DEM Config share. You can run this again any time to update templates.
  8. With ADMX-based Settings selected on the left, click Create in the ribbon.
  9. At the bottom, click Select Categories.
  10. Select a category where your setting is located and click OK.
  11. At the top of the window click Edit Policies.
  12. Only the settings for your chosen categories are shown. Configure these settings the same way you would configure them in group policy. Then close the window.
  13. DEM shows the configured settings.
  14. On the Conditions tab, you can add conditions. Obviously the user-based conditions will not be available for computer-based settings.

Personalization and DEM Templates

Omnissa has provided a list of Personalization Templates to simplify your configuration.

  1. To save user settings at logoff and restore at logon, you must specify the settings to save.  Easy Start created a bunch of configurations on the Personalization ribbon. Note: DEM 9.11 adds a Search box to this ribbon.
  2. You can see what settings these save. On the tab named Import / Export, on the top right, click Manage, and then click Expand.

    1. Click Yes to expand it.

    2. After reviewing the config, click a different Personalization setting, and then click No to not save your changes.
  3. To save more profile settings at logoff, on the ribbon named Personalization, select a folder (or create a new folder), and then click Create Config File.
  4. A wizard appears. You can use one of the built-in Windows Common Setting or Application Templates. Or you can create your own.


    • DEM 9.10 and newer have a Windows Common Setting named Default applications – File type associations and protocols. For details, see Ivan de Mes at Managing File Type Associations (FTA) natively using Dynamic Environment Manager.

      • Also enable the GPO setting Do not show the ‘new application installed’ notification at Computer Configuration > Policies > Administrative Templates > Windows Components > File Explorer.
      • To avoid a delay in applying FTAs after login, Omnissa 83679 recommends setting HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Serialize\StartupDelayInMSec (DWORD) = 0.
    • UEM 9.4 and newer have a Windows Common Setting for Windows 10 Start Menu – Windows 10 1703 and higher
  5. Download a template and import it.
    1. In the DEM Console, on the Personalization tab, click the Configure button to locate your DEM Configuration file share.

    2. Extract the downloaded templates to the General\Applications folder in the DEM Config Share.

    3. The downloaded template should then show up in the Personalization tab under the Applications folder. If you don’t see it, click the Refresh Tree icon.
  6. DirectFlex – to speed up logins, enable DirectFlex whenever possible. Instead of restoring the files during logon and thus delaying the login, DirectFlex restores the settings on-demand when the user launches the application. DirectFlex can be enabled on most application configurations. However, Windows settings (e.g. Start Menu) should be loaded during login rather than on-demand after login.

Additional DEM Configuration

User Environment Manager 8.7 and newer has a UEMResult feature that lets you see what settings were applied to the user. The .xml file is only updated at logoff. To enable for a particular user, go to the user’s Logs folder and create a folder named UEMResult. At logoff, DEM will put an .xml file in this folder. More information at Omnissa Docs.

From Omnissa 2113514 Enabling debug logging for a single user in VMware Dynamic Environment Manager: To configure FlexEngine to log at debug level for a single user, create an empty FlexDebug.txt file in the same folder as the standard log file for this user. This triggers FlexEngine to switch to debug logging for this particular user.

DEM Application Profiler

This tool cannot be installed on a machine that has FlexEngine (aka DEM Agent) installed:

  1. .NET Framework 3.5 is required.
  2. In the Dynamic Environment Manager files, in the Optional Components folder, run VMware DEM Application Profiler 10.6 x64.msi. DEM 2406 (10.13) includes version 10.6 of the Profiler.
  3. In the Welcome to the VMware DEM Application Profiler Setup Wizard page, click Next.
  4. In the End-User License Agreement page, check the box next to I accept the terms and click Next.
  5. In the Custom Setup page, click Next.
  6. In the Ready to install VMware DEM Application Profiler page, click Install.
  7. In the Completed the VMware DEM Application Profiler Setup Wizard page, click Finish.

You may now use the tool to determine where applications store their settings and export a default application configuration that can be pushed out using Dynamic Environment Manager.

DEM Support Tool

vDelboy – VMware UEM Helpdesk Support Tool

Do the following to configure the environment for the support tool:

  1. In the Dynamic Environment Manager Console, click the star icon on the top left, and click Configure Helpdesk Support Tool.
  2. Click Add.
  3. In the Profile archive path field, enter the user folder share (the same one configured in Dynamic Environment Manager GPO). At the end of the path, enter \[UserFolder]\Archives.
  4. Check the other two boxes. The paths should be filled in automatically. Make sure they match what you configured in the Dynamic Environment Manager group policy object. Click OK.
  5. Click Save.
  6. Omnissa recommends creating a new GPO for the Support Tool. This GPO should apply only to the support personnel.

  7. On the Scope tab, change the filtering so it applies to DEM Support and DEM Admins. If this GPO applies to machines with group policy loopback processing enabled, then also add Domain Computers.
  8. Edit the GPO.
  9. Go to User Configuration | Policies | Administrative Templates | VMware DEM | Helpdesk Support Tool.
  10. Double-click the setting DEM configuration share.
  11. Enable the setting, and enter the path to the DEMConfig share. Click OK.
  12. Consider enabling the remaining GPO settings. Read the Explain text or refer to the documentation.

Do the following to install the support tool.

  1. .NET Framework 3.5 is required.
  2. Some support tool functions require the FlexEngine (aka DEM Agent) to be installed on the help desk machine.
  3. In the extracted Dynamic Environment Manager files is an Optional Components folder. From inside that folder run VMware DEM Helpdesk Support Tool 2111 10.4 x64.msi. This tool was not updated for the DEM 2406 (10.13) release.
  4. In the Welcome to the VMware DEM Helpdesk Support Tool Setup Wizard page, click Next.
  5. In the End-User License Agreement page, check the box next to I accept the terms and click Next.
  6. In the Destination Folder page, click Next.
  7. In the Ready to install VMware DEM Helpdesk Support Tool page, click Install.
  8. In the Completed the VMware DEM Helpdesk Support Tool Setup Wizard page, click Finish.

Once the Helpdesk Support Tool is installed, you can launch it from the Start Menu, search for users, and then perform operations on the archives.

Related Pages

Horizon Group Policy and Profiles

Last Modified: Jul 29, 2024 @ 3:27 am

Navigation

This post applies to all Horizon versions 7.0, and newer, including Horizon 2406 (8.13).

💡 = Recently Updated

Change Log

Roaming Profiles Options

There are several options for persisting user profile settings when the user logs off:

  • Dynamic Environment Manager (DEM) – DEM is a very configurable product that is generally preferred over Persona and Microsoft Roaming Profiles. It works on both virtual desktops and Remote Desktop Session Hosts.
    • In Horizon 2006 (8.0) and newer, DEM Personalization features are available in all editions of Horizon.
    • In Horizon 7, only Horizon Enterprise Edition is entitled to Dynamic Environment Manager.
    • Dynamic Environment Manager (DEM) is the new name for User Environment Manager (UEM). VMware renamed User Environment Manager 9.9 and newer to DEM to avoid confusion with Workspace ONE Unified Endpoint Management (also UEM), which is actually AirWatch mobility management. User Environment Manager is sometimes called “little UEM”, while AirWatch is sometimes called “big UEM”.
    • DEM persists settings for specific applications instead of persisting the entire profile. Saved application settings are stored in separate .zip files (aka profile archives) for each application so you can restore one .zip file without affecting the other .zip files. Many of these DEM profile archive .zip files can be restored to multiple operating system versions, whereas other monolithic profile solutions are tied to a specific operating system version.
    • DEM restores profile archives on top of other profile solutions. One option is mandatory profiles so that anything not saved by DEM is discarded on logoff.
    • Omnissa KB article 2118056 Migrate Persona Management to Dynamic Environment Manager.
  • Persona saves the entire user profile, meaning it is a “set and forget” roaming profile solution that is similar to Microsoft’s native roaming profiles or Citrix Profile Management.
    • Persona is not included in Horizon 2006 (8.0) and newer. If you are using Persona in Horizon 7, then before upgrading, see Omnissa Tech Zone Modernizing VDI for a New Horizon to migrate off of Persona.
    • Persona is included in all editions of Horizon 7.
    • However, Persona doesn’t work on newer versions of Windows 10, Persona doesn’t work on RDSH Horizon Agents, and Persona doesn’t work on Instant Clones.
    • In practice, DEM is the only viable profile option from Omnissa, but DEM requires Horizon 7 Enterprise Edition, or upgrade to Horizon 2006 (8.0)
  • App Volumes Writable Volumes – App Volumes Writable Volumes can store the user’s profile and roam the writable volume to different Horizon Agent machines.
    • App Volumes requires Horizon Enterprise Edition.
    • App Volumes is a separate infrastructure (e.g. separate servers, separate agents) that must be built, learned, maintained, and supported.
    • Writable Volumes are stored as .vmdk files on vSphere datastores. For backup/restore, you can replicate the .vmdk files to multiple datastores, including multiple data centers.
    • When Writable Volumes are combined with DEM, then Outlook search indexes can be stored on the Writable Volumes.
    • Writable Volumes can only be mounted on one Horizon Agent machine at a time.
  • Persistent Disks – Horizon Composer can generate persistent disks for each dedicated desktop machine. User profile is redirected to the persistent disk so the user profile will be available after the machine is refreshed.
    • In Horizon 2006 (8.0) and newer, Composer and Persistent Disks are deprecated. Composer has been removed from Horizon 2012 (8.1) and newer. Before upgrading, see Omnissa Tech Zone Modernizing VDI for a New Horizon to migrate off of Persona.
    • Persistent Disk only stores the user’s profile. It does not store user-installed applications. If you need to persist user-installed applications, then implement App Volumes Writable Volumes instead.
    • Persistent Disks were brought to Instant Clones in Horizon 2306 (8.10) and newer. See Using Persistent Disks for Dedicated Instant Clones at Omnissa Docs.
    • Persistent Disks are only an option for Dedicated Assignment pools, meaning that the Persistent Disks do not float between machines. Administrators can manually detach a Persistent Disk from one machine and attach it to a different machine.
    • Persistent Disks are stored as .vmdk files on vSphere datastores. How do you back them up and restore them, especially if they are not currently mounted on a running virtual machine?
  • Microsoft FSLogix – FSLogix Profile Containers can store the entire user profile in a .vhdx file that is stored on a file share.
    • FSLogix is free for almost all virtual desktop and RDSH customers. If you’re not licensed for DEM, then FSLogix is a viable alternative.
    • FSLogix is known for roaming the Outlook Search Index and other special Office 365 files.
    • FSLogix Profile Container is very similar to Persistent Disks and Microsoft User Experience Virtualization in that the entire profile is stored in the .vhdx file. Watch out for disk space consumption on the file share. And concurrent access to the .vhdx can be challenging.
    • FSLogix Profile Container configuration is “set and forget” since it doesn’t need separate configuration for each application.
  • Microsoft Roaming Profiles – a last-case alternative is native Microsoft roaming profiles. However, there are many limitations.
    • Microsoft’s Roaming Profiles cause longer login times since the entire profile is downloaded before the user can interact with the desktop or application. This is not a problem in other roaming profile solutions.
    • Microsoft’s Roaming Profiles do not merge settings from multiple sessions so if you have users connecting to multiple RDS farms (or multiple desktop pools) then each RDS farm should have separate roaming profile shares.

Roaming Profiles File Shares

File Shares Design

This section provides a summary of the required shares. See Create and Share the Folders for Detailed steps for creating the profile shares.

There are typically several types of file share paths:

  • Roaming Profiles – stores DEM profile archives, FSLogix .vhdx Profile Containers, etc.
    • Roaming profiles (or DEM profile archives) are stored in a separate sub-folder for each user that only the one user has access to.
    • FSLogix, Persona and Microsoft Roaming Profiles are monolithic profiles that are tied to a specific operating system version. If you are supporting multiple operating systems, or if users are connecting to multiple, concurrent pools/farms, then create a separate Roaming Profile share path for each operating system version. For example, you might have separate Roaming Profile shares for Windows 10 and Windows Server 2019.
      • Theoretically, DEM Personalization Archives can be used across multiple operating system versions.
  • Folder Redirection – stores profile folders that you want to persist, but you don’t want to store with the roaming profile. These folders are typically Documents, Downloads, Desktop, and Favorites. Folder Redirection speeds up restoration of roaming profiles. AppData should not be redirected to this file share path.
    • Each user has a separate sub-folder that only the one user has access to.
    • Folder Redirection can be accessed from multiple operating system versions so there’s no need to create multiple Folder Redirection share paths.
  • Home Directories – users store Documents and other personal data in Home Directories.
    • Folder Redirection can be stored in Home Directories instead of in a separate Folder Redirection file share path.
    • Home Directories might be located on multiple file servers. If these file servers are in branch offices instead of data centers, then Folder Redirection should be stored on file servers in the data center that contains Horizon Agents.
  • DEM Configuration Share – Dynamic Environment Manager (DEM) stores its configuration in a file share.

These file shares for a particular user can only be located in one data center. Neither Omnissa nor Microsoft support multi-master replication (aka merge replication) of user profiles, home directories, and folder redirection. If you use DFS Namespaces, then the DFS Namespace path must point to only one target.

  • Horizon users should connect to Horizon Agents in the same data center as the file servers that contain the user’s profile, folder redirection, and home directory. If you have active Horizon Agents in multiple data centers, then you can configure Horizon Cloud Pod Home Sites so that specific users connect to specific data centers. If users connect to a Horizon Agent that is not in the same data center as the user’s file servers, then the files are retrieved across the Data Center Interconnect, which might take longer than desired.
  • The DEM Configuration Share is primarily read-only so multi-master replication is less of a concern.

Here are NTFS permissions for each of the profile file share types:

DEM Profile Archives share:

  • \\server\DEMProfiles
    • DEM Admins = Full Control
    • DEM Support = Modify
    • DEM Users = Read/Execute, Create Folders – this folder only
    • Creator Owner = Full Control

Dynamic Environment Manager (DEM) Configuration share:

  • \\server\DEMConfig – stores DEM configuration
    • DEM Admins = Full Control
    • DEM Users = Read
    • DEM Support = Read
    • Domain Computers = Read – for DEM computer ADMX

Non-DEM Monolithic Roaming Profiles share: (example includes multiple shares for multiple operating systems)

  • \\server\Profiles\Win10
    • Admins = Full Control
    • Support = Modify
    • Users = Read/Execute, Create Folders – this folder only
    • Creator Owner = Full Control
  • \\server\Profiles\Win19
    • Admins = Full Control
    • Support = Modify
    • Users = Read/Execute, Create Folders – this folder only
    • Creator Owner = Full Control

Folder Redirection share:

  • \\server\Redirect
    • Admins = Full Control
    • Users = Read/Execute, Create Folders – this folder only
    • Creator Owner = Full Control

According to Omnissa 2113665 Imports and exports in VMware Dynamic Environment Manager are slow, the two DEM shares should be excluded from antivirus scanning. The article also details some antivirus exclusions for the FlexEngine installed on the Horizon Agent machines.

Create and Share the Folders

  1. On your file server, make sure file and printer sharing is enabled.
  2. On the file server that will host the file share, create a new folder and name it  DEMConfig, or DEMProfiles or similar. See File Shares Design for design info on the share paths that should be created.
  3. Open the folder’s Properties.
  4. On the Sharing tab, click Advanced Sharing.
  5. Check the box to share the folder.
  6. Click Permissions.
  7. Give Full Control to Everyone. Click OK.
  8. Click Caching.
  9. Select No files or programs. Click OK twice, and then click Close.
  10. According to Omnissa 2113665 Imports and exports in Dynamic Environment Manager are slow, the two DEM shares should be excluded from antivirus scanning. The article also details some antivirus exclusions for the FlexEngine installed on the Horizon Agent machines.

Folder Permissions

The following procedure works for any of the profile and redirection folders listed in the file shares design except for the DEMConfig folder.

Lieven D’hoore has VMware Horizon View – Script to create Persona Management Repositories, Shares and Permissions.

  1. Open the Properties of the new shared folder.
  2. On the Security tab, click Advanced.

    1. Click Disable Inheritance.
    2. Click Convert inherited permissions.
    3. Click OK to close Advanced Security Settings.
  3. On the Security tab, click Edit.

    1. For the Everyone or the Authenticated Users entry or the Users entry, remove Full Control and Modify. Make sure Write is enabled so users can create new folders.
    2. Add CREATOR OWNER, and give it Full Control. This grants users Full Control of the folders they create.
    3. Click OK to close the Permissions window.
  4. Click Advanced again.
  5. Highlight the Everyone permission entry or the Authenticated Users permission entry or the Users permission entry and click Edit.
  6. At the top of the window, change the Applies to selection to This folder only. This prevents the Everyone permission from flowing down to newly created profile folders.
  7. Remove all other permission entries that grant access to Users, Domain Users, Everyone, or Authenticated Users. There should only be one of these types of permission entries.
  8. Click OK twice to close the Security and Properties windows.

Access Based Enumeration

With access based enumeration enabled, users can only see folders to which they have access.

  1. In Server Manager, on the left, click File and Storage Services.
  2. If you don’t see Shares then you probably need to close Server Manager and reopen it.
  3. Right-click the new share, and click Properties.
  4. On the Settings page, check the box next to Enable access-based enumeration and click OK.

GPO Templates

Windows Group Policy Templates

Unfortunately, there are some differences between the GPO templates for Windows Server, and the GPO templates for  Windows 10. You’ll need to download the full set of templates.

Follow the procedure at https://www.carlstalhood.com/group-policy-objects-vda-computer-settings/#admtemp to download and install the Administrative Templates (.admx) for Windows 10.

Horizon Group Policy Templates

Some of the policy settings in this topic require group policy templates from the Horizon GPO Bundle, which can be downloaded from the Omnissa Horizon Download Page.

For Horizon 2406 (8.13), download Horizon GPO Bundle 8.13 (VMware-Horizon-Extras-Bundle-2406-8.13.0)

For Horizon 2312.1 (8.12.1) ESB, download Horizon GPO Bundle 8.12.1 (VMware-Horizon-Extras-Bundle-2312-8.12.1).

Install the Group Policy files:

  1. Go to the downloaded VMware-Horizon-View-Extras-Bundle.zip file and extract the files.
  2. Copy the .admx files and en-US folder to the clipboard.
  3. Go to \\domain.com\sysvol\domain.com\Policies\PolicyDefinitions (if it exists), or C:\Windows\PolicyDefinitions on the group policy editing machines (if PolicyDefinitions doesn’t exist in SYSVOL) and paste the .admx files. Overwrite any older files.

  4. Horizon 7.13 has an .admx file in the ThinPrint\ADMX folder. Horizon 2006 (8.0) and newer no longer include ThinPrint, so this .admx is not available in Horizon 2006 (8.0) and newer.
    1. Copy the .admx file, and en-US folder, to the clipboard.
    2. Go to \\domain.com\sysvol\domain.com\Policies\PolicyDefinitions (if it exists), or C:\Windows\PolicyDefinitions on the group policy editing machines (if PolicyDefinitions doesn’t exist in SYSVOL) and paste the .admx files. Overwrite any older files.
  5. When you edit group policy objects, you can now edit Horizon settings.

Dynamic Environment Manager GPO Templates

Download and copy the DEM GPO ADMX templates to PolicyDefinitions. DEM can also work without Active Directory (Group Policy); see Omnissa 2148324 Configuring advanced DEM settings in NoAD mode for details.

In Horizon 2006 (8.0) and newer, DEM is available in all editions of Horizon. There are two editions of DEM, each with different downloads and different ADMX templates.

In Horizon 7, DEM is only available for Horizon Enterprise Edition customers. Horizon 7 Enterprise Edition customers can download DEM Enterprise Edition.

  1. Based on your entitlement, download either DEM 2312 (10.12) Enterprise Edition, or DEM 2312 (10.12) Standard Edition. For ESB Horizon, download the DEM version included with your ESB version of Horizon.

  2. Go to the extracted Dynamic Environment Manager files, and in the Administrative Templates (ADMX) folder, copy the files and the folder.
  3. Go to \\domain.com\sysvol\domain.com\Policies\PolicyDefinitions (if it exists), or C:\Windows\PolicyDefinitions on the group policy editing machines (if PolicyDefinitions doesn’t exist in SYSVOL) and paste the files and folder. Overwrite any older files.

  4. If you are upgrading from UEM 9.8 or older to DEM 9.9 or newer, then look in PolicyDefinitions for VMware UEM.admx files and delete them.
  5. You will find VMware DEM GPO settings in the User Half of a GPO.

VMware DEM FlexEngine Advanced Settings are available in a different GPO template.

  1. Go to https://kb.omnissa.com/s/article/2145286.
  2. Click the link to download the ADMX file.
  3. Extract the files. Then copy the file and folder.
  4. Go to your PolicyDefinitions folder and paste them.

Microsoft Edge GPO Templates

Horizon Browser Redirection requires installation of an Edge extension. Install the Edge GPO Templates so you can force install the Edge extension.

  1. Download the Edge ADMX templates from Microsoft Edge for business. Select your version of Edge and then click GET POLICY FILES.
  2. Extract the .zip file.
  3. Go to the extracted files. In the \windows\admx folder, copy the msedge*.admx files and the en-US folder.
  4. Go to PolicyDefinitions in your SYSVOL (e.g., \\domain.com\sysvol\domain.com\Policies\PolicyDefinitions) and paste the .admx files and en-US folder.

Google Chrome GPO Templates

Horizon Browser Redirection requires installation of a Chrome extension. Install the Chrome GPO Templates so you can force install the Chrome extension.

  1. Download the Google Chrome ADMX templates from Set Chrome Browser policies on managed PCs.
  2. Extract the .zip file.
  3. Go to the extracted files. In the \policy_templates\windows\admx folder, copy the chrome.admx and google.admx files.
  4. Go to PolicyDefinitions in your SYSVOL (e.g. \\domain.com\sysvol\domain.com\Policies\PolicyDefinitions) and paste the .admx files.
  5. Go back to the extracted Google Chrome templates in the \policy_templates\windows\admx folder and copy the en-US folder.
  6. Go to back to PolicyDefinitions in your SYSVOL and paste the en-US folder. It will add .adml files to the existing en-US folder.

Create Group Policy Objects

  1. Within Active Directory Users and Computers, create a parent Organizational Unit (OU) to hold all Horizon Agent computer objects (virtual desktops and Remote Desktop Session Hosts).
  2. Then create sub-OUs, one for each pool or RDS Farm.
  3. Move the Horizon Agent machines from the Computers container to one of the OUs created in step 2.
  4. Within Group Policy Management Console, create a Group Policy Object (GPO) called Horizon Agent Computer Settings and link it to the parent OU created in step 1. If this policy should apply to all pools, then link it to the parent OU. Or you can link it to pool-specific sub-OUs.

  5. Modify the properties of the GPO, on the Details tab, so that the User Configuration portion of the GPO is disabled. User settings do not belong in this GPO.
  6. Create and link two new GPOs to the Session host OU (in addition to the Horizon Agent Computer Settings GPO). One of the GPOs is called Horizon Agent All Users (including admins), and the other is called Horizon Agent Non-Admin Users (lockdown). The Non-Admin Users GPO can either be linked to the parent OU, or to the session host sub-OUs. Locking down sessions is more common for Remote Desktop Session Hosts.

  7. Modify the properties of both of these GPOs and disable the Computer Configuration portion of the GPO.
  8. Click the Horizon Agent Non-Admin Users GPO to highlight it.
  9. On the right, switch to the Delegation tab, and click Add.
  10. Find your Horizon Admins group, and click OK.
  11. Change the Permissions to Edit settings, and click OK.
  12. Then on the Delegation tab, click Advanced.
  13. For Horizon Admins, place a check mark in the Deny column for the Apply Group Policy permission. If desired, you can also deny the GPO to Domain Admins and Enterprise Admins. Click OK.
  14. Click Yes when asked to continue.
  15. For the other two GPOs, add Horizon Admins with Edit Settings permission. But don’t deny Apply Group Policy. The deny entry is only needed on the Lockdown GPO.

GPOs for Roaming Profiles (Persona and RDS)

You will need separate profile configurations for each Horizon Agent type (virtual desktops, RDS, operating system version, operating system bitness, etc.) Each profile configuration needs a different GPO. Note: if you are licensed for Dynamic Environment Manager, then you can skip this section.

  1. Right-click one of the Remote Desktop Session Host sub-OUs, and create a new GPO.
  2. Name it Horizon Agent RDS Farm 1 Profiles or similar. This policy will use Microsoft’s native roaming profiles instead of Persona. Note: each RDS farm should have a separate roaming profile share.
  3. Select the new GPO to highlight it. On the right, on the Delegation tab, add the Horizon Admins group, and give it Edit Settings permission.
  4. If you have additional Remote Desktop Session Host sub-OUs (one for each RDS Farm), right-click one of them and create another GPO with a different name. Each RDS Farm needs a different profile path.

  5. Right-click a virtual desktop sub-OU, and click Create a GPO in this domain.
  6. Name it Horizon Agent Persona Win10 or similar, and click OK. Each operating system version should point to a different file share, so include the operating system version in the GPO name.
  7. Select the new GPO to highlight it. On the right, on the Delegation tab, add the Horizon Admins group, and give it Edit Settings permission.
  8. If you have additional virtual desktop sub-OUs of the same operating system, right-click the OU, and click Link an Existing GPO.
  9. Select the Horizon Agent Persona Win10 GPO, and click OK.
  10. For desktop pools running a different operating system, create a new Persona GPO. Each Persona GPO will point to a different share.
  11. The final group policy object framework will look like this: some GPOs linked to the parent OU and pool-specific GPOs linked to the sub-OUs. Each sub-OU needs different GPOs for different roaming profile configurations.

Agent Computer Settings

These GPO settings should be applied to the Horizon Agents.

General Computer Settings

  1. Right-click the Horizon Agent Computer Settings GPO, and click Edit.
  2. Configure the GPO Computer Settings as detailed at https://www.carlstalhood.com/group-policy-objects-vda-computer-settings/#computer.

Remote Desktop Users Group

  1. Right-click the Horizon Agent Computer Settings GPO, and click Edit.
  2. Under Computer Config > Windows Settings > Security Settings, right-click Restricted Groups, and click Add Group.
  3. Browse to the group of users (e.g. Domain Users) that will be added to the Remote Desktop Users group on the virtual desktops. Click OK.
  4. In the bottom half of the window, click Add to specify that this group is a member of:
  5. Enter Remote Desktop Users, and click OK twice.

VMware Integrated Printing

Horizon 7.7 and newer have a new Universal Print Driver named VMware Integrated Printing or VMware Advanced Printing, which replaces ThinPrint. Integrated Printing is an optional feature of the Horizon Agent installer and requires Horizon Client 4.10 for Windows, Horizon Client 5.1 for Linux and Horizon Client 5.1 for Mac.

You can use Group Policy to configure Integrated Printing. (e.g. select whether Native Print Drivers are preferred over the Universal Print Driver). The GPO settings only apply if the VMware Integrated Printing feature is installed on the Horizon Agent.

  1. Make sure the Horizon 2012 (8.1) or newer GPO Templates are installed. Some Integrated Printing GPO settings are available in Horizon 7.7 and newer.
  2. Edit the Horizon Agent Computer Settings GPO.
  3. Go to Computer Configuration | Policies | Administrative Templates | VMware View Agent Configuration | VMware Integrated Printing (or VMware Advanced Printing). This node only appears in ADMX templates from Horizon 7.7 and newer.
    • In Horizon 2012 (8.1) and newer, the GPO settings were moved under the VMware View Agent Configuration folder.
    • In Horizon 2012 (8.1) and newer, the Integrated Printing settings are also available in the user half at User Configuration > Policies > Administrative Templates > VMware View Agent Configuration > VMware Integrated Printing. User settings override computer settings.
  4. Horizon 2106 (8.3) and newer have a setting name Default settings for UPD printers that lets you set duplex, color, and compression defaults.

  5. In Horizon 2012 (8.1) and newer, Do not change default printer prevents the client default printer from overriding the remote default printer.
  6. Edit the setting Printer Driver Selection.
  7. Enable the setting, and then consider setting it to Always use UPD to avoid needing to install any printer drivers on the Horizon Agent machines. This is particularly beneficial for multi-user RDSH machines.
  8. In Horizon 2012 (8.1) and newer, Printer Name Schema lets you change the names of the redirected printers.

  9. Horizon 2303 and newer have Enable server printer redirection, which causes the Horizon Agent to connect directly to the print servers instead of routing the print job through the Horizon Client. Print drivers are probably needed on the Agent machine.
  10. Horizon 7.8 and newer supports filtering of redirected client printers.

VMware Integrated Printing also supports Location Based Printing.

  1. In the Horizon 7.7 or newer Extras Bundle (GPO templates), find the file named LBP.xml.
  2. Edit the file. This is an XML document that can contain multiple <Policy> nodes. The file is commented.
  3. When done editing the LBP.xml file, copy it to C:\ProgramData\VMware on each Horizon Agent machine. It’s probably easiest to use Group Policy Preferences (or computer startup script) to download this file when the Horizon Agent machines boots.

Dynamic Environment Manager (DEM) Group Policy

Most of the Dynamic Environment Manager GPO settings are user settings, not computer settings. DEM 2006 (aka 10.0) and newer support ADMX files for computers.

Note: UEM 9.1 can also work without Active Directory (Group Policy); see Omnissa 2148324 Configuring advanced UEM settings in NoAD mode for details.

From Omnissa Tech Zone Quick-Start Tutorial for VMware Dynamic Environment Manager and Chris Halstead VMware User Environment Manager (UEM) – Part 1 – Overview / Installation.

  1. Make sure Prevent access to registry editing tools is not enabled in any GPO. This setting prevents the FlexEngine from operating properly.
  2. Dynamic Environment Manager requires one computer setting. Edit the Horizon Agent Computer Settings GPO.

    1. Go to Computer Configuration | Policies | Administrative Templates | System | Logon.
    2. Double-click Always wait for the network at computer startup and logon.
    3. Enable the setting, and click OK.
    4. Close the group policy editor.
  3. If you use DEM 9.10 or newer to roam File Type Associations, then enable the GPO setting Do not show the ‘new application installed’ notification at Computer Configuration > Policies > Administrative Templates > Windows Components > File Explorer.
  4. The remaining settings are user settings. Edit the Horizon Agent All Users GPO. This GPO should apply to the Horizon Agents, and Loopback processing should already be enabled on those machines.
  5. Go to User Configuration | Policies | Administrative Templates | VMware DEM | FlexEngine.
  6. If you are running Dynamic Environment Manager on top of mandatory profiles, then double-click Certificate support for mandatory profiles.

    1. Enable the setting, and click OK.
  7. Double-click Flex config files.

    1. Enable the setting.
    2. Enter \\server\demconfig\general. The general folder will be created by the Dynamic Environment Manager management console. Click OK.
  8. Double-click FlexEngine Logging.

    1. Enable the setting.
    2. Enter \\server\demprofiles\%username%\logs. Dynamic Environment Manager will create these folders. Click OK.
  9. UEM 9.0 and newer has a setting named Paths unavailable at logon. By default, users are blocked from logging in if the DEM file share is not reachable.

  10. Double-click the setting Profile archive backups.

    1. Enable the setting.
    2. Type in \\server\demprofiles\%username%\backups.
    3. Enter the number of desired backups, check the box for daily backups, and click OK.
  11. In DEM 2111 and newer, you can store Profile Archives in OneDrive for Business by configuring the setting OneDrive for Business integration.
  12. To store Profile archives in a file share, double-click Profile archives.

    1. Enable the setting.
    2. Type in \\server\demprofiles\%username%\archives.
    3. Check the box next to Retain file modification dates. Source = Anyway to save ‘Date Modified’? at VMware Communities.
    4. Click OK.
  13. In DEM 2111 and newer, simply enable the setting Run FlexEngine at logon and logoff.
  14. For DEM prior to version 2111, configure the group policy extension and logoff script:
    1. Double-click the setting RunFlexEngine as Group Policy Extension.
    2. Enable the setting, and click OK.
    3. Go to User configuration | Policies | Windows Settings | Scripts (Logon/Logoff).
    4. Double-click Logoff.
    5. Click Add.
    6. In the Script Name field, enter C:\Program Files\Immidio\Flex Profiles\FlexEngine.exe.
    7. In the Script Parameters field, enter -s.
    8. Click OK.
  15. If you are using the Privilege Elevation feature, consider enabling Privilege elevation logging to the Windows event log.

  16. Same for Application blocking logging to the Windows event log.
  17. You can download and install a separate ADMX file containing DEM Advanced Settings.
    1. You can use group policy to Disable DEM agent features on certain OUs. For example, you might not want Personalization on some pools.
    2. DEM 2111 and newer can enable DEM ADMX Settings to override GPOs by enabling the setting Override existing user policy settings.
  18. If DEM 2006 or newer, you can optionally enable DEM Computer ADMX settings.
    1. In the DEM Config share, make sure Domain Computers has Read permission to the folders.
    2. Edit a GPO that applies computer settings to the Horizon Agent machines (e.g. Horizon Agent Computer Settings).
    3. Go to Computer Configuration | Preferences | Windows Settings | Registry.
    4. Add a New Registry Item.

      1. Key Path = SOFTWARE\VMware, Inc.\VMware UEM\Agent\​Computer Configuration
      2. Value name = Enabled
      3. Value type = REG_DWORD
      4. Value data = 1. Click OK.
    5. Create another registry item.

      1. Key Path = SOFTWARE\VMware, Inc.\VMware UEM\Agent\​Computer Configuration
      2. Value name = ConfigFilePath
      3. Value type = REG_SZ
      4. Value data = the path to your DEM Config share, including the general folder. Click OK.
      5. For more registry values, see Omnissa Docs FlexEngine Configuration for Computer Environment Settings.

Now that DEM is enabled, you can configure Dynamic Environment Manager by using a separate console application. See the instructions at https://www.carlstalhood.com/vmware-user-environment-manager/.

DEM Changelog

From YouTube video User Environment Manager 9.6 What’s New Overview:

  1. On the left, click the node named Management Console under VMware DEM
  2. On the right, UEM 9.6 adds two new settings for Changelog.
  3. Log changes to disk stores the log in the DEM share at \\server\DEMConfig\Changelog\general. Note that administrators usually have permission to modify this location so they could modify this changelog.
  4. Log changes to the Windows event log stores the log in the Application Log in Event Viewer of the local console machine and not in any central server.
  5. You can also enable the Changelog in the DEM Management Console by clicking the ribbon button named Configure.
  6. Switch to the tab named Configuration Changelog to enable the two settings.
  7. Each configuration item in DEM Management Console shows a tab named Changelog after changes are recorded.

Persona Configuration

This section does not apply to Remote Desktop Session Hosts, Instant Clones, or newer versions of Windows 10. It also does not apply to Horizon 2006 (8.0) and newer.

If you are using Dynamic Environment Manager then skip this section.

  1. Verify that ICMP is enabled between the Horizon Agent and the domain controller, and as well as the Horizon Agent and the Persona Management Repository.
  2. Install the Horizon GPO ADMX files if you haven’t already.
  3. Edit one of the Horizon Agent Persona GPOs that applies to the virtual desktops (not Remote Desktop Session Hosts).
  4. Configure the following GPO settings:
    • Administrative Templates | System | User Profiles
      • Add the Administrators security group to roaming user profiles = enabled
      • Do not check for user ownership of Roaming Profile Folders = enabled
  5. Go to Computer Configuration | Policies | Administrative Templates | VMware View Agent Configuration | Persona Management | Roaming & Synchronization.
  6. On the right, double-click Manage user persona.
  7. Enable the setting. It defaults to 10 minutes. Click OK.
  8. Double-click Persona repository location, and enable the setting.
  9. Enter the path to the file share created for Persona. Append %username%.
  10. Check the box next to Override Active Directory user profile path. Click OK.
  11. Double-click Roam local settings folders, and enable it. Click OK.
  12. Double-click Files and folders excluded from roaming, and enable it. Then click Show.
  13. Enter the values shown below, and then click OK twice.
    $Recycle.Bin
    Tracing
    AppData\LocalLow
    AppData\Local\GroupPolicy
    AppData\Local\Packages
    AppData\Local\Microsoft\Office\15.0\Lync\Tracing
    AppData\Local\Microsoft\Windows\Temporary Internet Files
    AppData\Local\Microsoft\Windows\Burn
    AppData\Local\Microsoft\Windows\CD Burning
    AppData\Local\Microsoft\Windows Live
    AppData\Local\Microsoft\Windows Live Contacts
    AppData\Local\Microsoft\Terminal Server Client
    AppData\Local\Microsoft\Messenger
    AppData\Local\Microsoft\OneNote
    AppData\Local\Microsoft\Outlook
    AppData\Local\Windows Live
    AppData\Local\Temp
    AppData\Local\Sun
    AppData\Local\Google\Chrome\User Data\Default\Cache
    AppData\Local\Google\Chrome\User Data\Default\Cached Theme Images
    AppData\Local\Google\Chrome\User Data\Default\JumpListIcons
    AppData\Local\Google\Chrome\User Data\Default\JumpListIconsOld
    AppData\Roaming\Sun\Java\Deployment\cache
    AppData\Roaming\Sun\Java\Deployment\log
    AppData\Roaming\Sun\Java\Deployment\tmp
  14. Double-click Files and folders excluded from roaming (exceptions), and enable it. Then click Show.
  15. Enter the exceptions shown below and click OK twice.
    AppData\LocalLow\Sun\Java\Deployment\security\exception.sites
    AppData\LocalLow\Sun\Java\Deployment\security\trusted.certs
    AppData\LocalLow\Sun\Java\Deployment\deployment.properties
  16. Configure %AppData%\Thinstall as a folder to background download. If you are using Thinapps, this will speed up the launch time of Thinapps.

RDS Roaming Profiles

This section applies to Remote Desktop Session Hosts, not virtual desktops.

If you are using Dynamic Environment Manager or FSLogix, then skip this section.

  1. Edit the Horizon Agent RDS Farm1 Profiles GPO.
  2. Configure the following GPO settings.
    • Administrative Templates | System | User Profiles
      • Add the Administrators security group to roaming user profiles = enabled
      • Delete cached copies of roaming profiles = enabled
      • Do not check for user ownership of Roaming Profile Folders = enabled
  3. Go to Computer Configuration | Policies | Administrative Templates | Windows Components | Remote Desktop Services | Remote Desktop Session Host | Profiles.
  4. On the right, open the setting Set path for Remote Desktop Services Roaming User Profile.
  5. Enable the setting and enter the path to the file share. Do not append %username%.
  6. If you haven’t already done this in a parent OU, also configure the Remote Desktop Services settings as detailed at https://www.carlstalhood.com/group-policy-objects-vda-computer-settings/#computer.
  7. If you wish to enable the Aero style for Remote Desktop Session Host sessions, go to User Configuration | Policies | Administrative Templates | Control Panel | Personalization.
  8. Open the setting Force a specific visual style file.
  9. Enable the setting and enter the following path:
    %windir%\resources\Themes\Aero\aero.msstyles

  10. VMware recommends enabling RunOnce as detailed at https://www.carlstalhood.com/group-policy-objects-vda-user-settings/#runonce.

Horizon Agent Settings

  1. Install the Horizon GPO ADMX files if you haven’t already.
  2. Right-click the Horizon Agent Computer Settings GPO, and click Edit.
  3. On the left, expand Computer Configuration | Policies | Administrative Templates | VMware View Agent Configuration. Click Agent Configuration.
  4. Horizon 2306 and newer have a setting called Allow FIDO2 authenticator access. Combine it with FIDO2 allow list, which defaults to only allowing Chrome, Edge, and Firefox.

  5. RDSH idle timer is configured using Microsoft RDSH GPO settings and are not Horizon-specific. The Horizon 2106 and newer GPO templates have the RDS timers in the VMware View Agent Configuration node or you can configure the RDS timers in the normal Microsoft Remote Desktop Session Host node. Both sets of GPO settings set the same registry values.
  6. Horizon 7.10 and newer has an Idle Time Until Disconnect (VDI) for virtual desktops. This setting does not apply to RDSH.
  7. In Horizon 7.10 or newer, you can use Group Policy to configure a Disconnect Session Time Limit for virtual desktops. This GPO setting overrides the pool setting Logoff after Disconnect.
  8. If Horizon 7.8 or newer, on the right, double-click DPI Synchronization Per Connection.
  9. This setting is disabled by default. You can optionally enable it so DPI is reconfigured on reconnect instead of only on initial logon.
  10. Horizon 2106 and newer have a Screen-capture blocking setting. This setting is available in both the computer half and the user half of the GPO. User half overrides computer half.

    • Screen-capture blocking requires Horizon Agent 2106 and Horizon Client 2106 (8.3). To prevent older Horizon Clients from connecting, in Horizon Console, go to Settings > Global Settings. On the right is a tab named Client Restriction Settings. Click Edit. Check the boxes for the various client operating systems and enter 8.3.0 (2106) as the required minimum version.

  11. Horizon 2303 and newer have a setting called Screen-capture For Media Offloaded Solution. This setting adds a Print Screen button to the Horizon Client toolbar. When pressed, the screenshot is saved to the Pictures folder on the remote desktop. The advantage of this feature is that it captures Teams redirection, Multimedia Redirection, multiple monitors, and Watermark.



  12. Horizon 2111 and newer have a setting for Key Logger Blocking. This setting is available in both the computer half and the user half of the GPO. User half overrides computer half. Use Client Restriction Settings to prevent Horizon Clients older than 2111 from connecting.

PCoIP Configuration

Steve Dunne:

Here are some general PCoIP optimization settings:

  1. Install the Horizon GPO ADMX files if you haven’t already.
  2. Right-click the Horizon Agent Computer Settings GPO, and click Edit.
  3. On the left, expand Computer Configuration | Policies | Administrative Templates | PCoIP Session Variables. Click Overridable Administrator Defaults.
  4. On the right, double-click Configure clipboard redirection.

    • Enable the setting, and select Enabled in both directions. Click OK.
  5. Horizon 7.6 and newer have a setting for Configure clipboard audit that audits to the Agent’s Event Viewer any clipboard copy/paste from agent to client.

  6. Horizon 7.7 and newer have a setting named Configure drag and drop direction.

  7. Horizon 7.9 and newer have settings for Configure drag and drop format (drag and drop direction for each format) and Configure drag and drop size threshold.


  8. Horizon 7.0.2 and newer have the ability to filter specific clipboard formats.
  9. Double-click Configure the PCoIP session audio bandwidth limit. For WAN connection users, Omnissa recommends setting this to 100 – 150 Or you can start with 300 Kbps and reduce as needed.

Real-Time Audio-Video

Omnissa validated Horizon 7.9’s Real-Time Audio-Video feature with Microsoft Teams. Here are sizing recommendations:

  • Minimum setting of 4vCPU 4GB RAM as a published desktop configuration
  • RTAV video resolution configured with 640 x 480p

Real-Time Audio-Video (RTAV) is one of the options that can be selected when installing Horizon Agent. To ensure that Audio is captured by RTAV instead of by USB redirection, exclude audio from USB redirection is described in the next section.

To configure RTAV video resolution, do the following:

  1. Install the Horizon GPO ADMX files if you haven’t already.
  2. Right-click the Horizon Agent Computer Settings GPO, and click Edit.
  3. Expand Computer Configuration | Policies | Administrative Templates | VMware View Agent Configuration, expand View RTAV Configuration and click View RTAV Webcam Settings.
  4. On the right, double-click Resolution – Default image resolution height in pixels
  5. Enable the setting and set it to 480 pixels. Click OK.
  6. On the right, double-click Resolution – Default image resolution width in pixels.
  7. Enable the setting and enter 640. Click OK.
  8. There are two more GPO settings for Max height and width. If these are not configured then there is no maximum.

USB Redirection Settings

VMware TechPaper USB Device Redirection, Configuration, and Usage in View Virtual Desktops details the following:

  • PCoIP zero clients use a PCoIP virtual channel for USB. No extra network ports needed.
  • All other PCoIP clients, including Windows, Mac, etc., use TCP 32111 between the Horizon Client and the Horizon Agent.
  • If Secure Tunnel is enabled, the USB traffic is sent to the Horizon Security Server on TCP 443. It is then forwarded to the Horizon Agent on 32111.
  • USB performance across the WAN can be slow.
  • Webcams are only supported using RTAV (Real-Time Audio-Video).
  • USB3 uses too much bandwidth for most WANs. USB3 is supported in Horizon Agent 6.0.1 and Horizon Client 3.1.
  • Linux clients do not let you choose USB devices. Instead, all USB devices are redirected.
  • USB device redirection can be filtered. Multi-interface USB devices can be split. See the TechPaper for details.
  • In Horizon 6.1 and Horizon Client 3.3, USB storage devices can be redirected to Remote Desktop Session Host.
  • Client Downloadable only GPO settings are downloaded to the Horizon Client when the Horizon Client first connects to the Horizon Agent.
  • USB GPO Settings on the Horizon Agent can either override or merge the Horizon Client USB GPO settings. Merge means that if Horizon Client settings exist then the Horizon Agent settings are ignored.
  • The Exclude All Devices setting is overridden by other Include
  • USB Redirection logs are located at %PROGRAMDATA%\VMware\VDM\logs\debug-*.txt. Look for <vmware-view-usbd>
  • How to configure USB Redirection rules on Windows, Mac, and Linux.

If you intend to use the Real-Time Audio-Video feature, then disable USB redirection of audio and video so it is instead accessed through the optimized virtual channel. RTAV and USB Redirection do not apply to Remote Desktop Session Host.

You can also use this procedure to block USB storage devices from being mapped.

  1. Install the Horizon GPO ADMX files if you haven’t already.
  2. Right-click the Horizon Agent Computer Settings GPO, and click Edit.
  3. Expand Policies | Administrative Templates | VMware View Agent Configuration, and click View USB Configuration.
  4. On the right, double-click Exclude Device Family.
  5. Change the selection to Enabled.
  6. Enter o:audio-in;o:video.
  7. If you want to block USB storage devices, add o:storage to the list. Click OK.

Blast Settings

The full Horizon Client 4.0 and newer can use UDP when connecting to Horizon 7 Agents using Blast.

  • Omnissa Tech Zone VMware Blast Extreme Optimization Guide
  • VMware Blog Post Deep Dive into VMware Horizon Blast Extreme Adaptive Transport – Blast Extreme Adaptive Transport is enabled by default in VMware Horizon View 7.1 and Horizon Client 4.4. If the clients are connecting from outside the demilitarized zone (DMZ), you would also need to have VMware Unified Access Gateway (not Security Server) to take full advantage of the new transport. The adaptive transport will automatically sense the network for UDP availability and will fallback to legacy Blast TCP if UDP is not available.

Blast by default only allows clipboard redirection from client-to-server. This can be changed in group policy.

If you want file transfer in HTML5 Blast, then you must configure clipboard from server-to-client (or both directions).

  1. Install the Horizon GPO ADMX files if you haven’t already.
  2. Right-click the Horizon Agent Computer Settings GPO and click Edit.
  3. In Horizon 2012 (8.1) and newer, expand Computer Configuration | Policies | Administrative Templates | VMware View Agent Configuration and click Clipboard Redirection.
    1. In versions earlier than Horizon 2012 (8.1), expand Policies | Administrative Templates, and click VMware Blast.
  4. On the right, double-click Configure clipboard redirection.

    • Enable the setting, and then make your choice. Click OK.
  5. Horizon 7.6 and newer have a setting for Configure clipboard audit that audits to the Agent’s Event Viewer any clipboard copy/paste from agent to client.

  6. Horizon 7.7 and newer have a setting to Configure drag and drop direction. In Horizon 2012 (8.1) and newer it’s under the separate VMware View Agent Configuration | Drag and Drop node instead of VMware Blast.

  7. Horizon 7.9 and newer have settings for Configure drag and drop format (drag and drop direction for each format) and Configure drag and drop size threshold. In Horizon 2012 (8.1) and newer it’s under the separate VMware View Agent Configuration | Drag and Drop node instead of VMware Blast.


  8. In the VMware Blast node, Horizon 2212 and newer have a setting called Blast Optimizer that adjusts multiple settings for better user experience or better performance.

  9. Horizon 2312 and newer support Build to Lossless.
  10. Horizon 2303 and newer have a setting called Cursor Warping that moves the client mouse when sudden cursor movements are detected in the remote Agent.

  11. Horizon 7.6 and newer have settings to add DSCP markings to the Blast protocol. See VMware Blast Policy Settings at Omnissa Docs.
  12. On the right, double-click UDP Protocol.
  13. You can optionally enable UDP protocol. Click OK.
  14. Horizon 7.4 introduced the H.264 High Color Accuracy setting.

  15. Horizon 7.0.2 and newer have a setting for H.264 Quality Levels.

  16. If you enabled UDP protocol, then on your master image, reboot the machine so it reads the GPO settings. Look in the file C:\ProgramData\VMware\VMware Blast\Blast-Service.log to make sure UDP is enabled. If not, reboot the machine again. After it’s enabled, snapshot the master machine and push it to your Pools.

Watermark

Horizon 2006 (8.0) and newer has a Watermark feature. It works for both apps and desktops.

For limitations of this feature, see Configuring a Digital Watermark at Omnissa Docs.

  1. Make sure the Horizon 2006 or newer GPO Templates are installed.
  2. Edit the Horizon Agent All Users Settings GPO. This is a User GPO setting so make sure GPO Loopback Processing is enabled in the Computer Settings GPO.
  3. Go to User Configuration | Policies | Administrative Templates | VMware View Agent Configuration | Watermark.
  4. Edit the setting Watermark Configuration.
  5. See the Help text for explanation of the setting.

Teams Optimization

Horizon Agent 2006 (or newer) and Horizon Client 2006 (or newer) can offload Microsoft Teams media (audio/video) to the client device. Horizon 7.13 with Horizon Client 5.5 can offload Microsoft Teams media (audio/video) to the client device.

Newer versions of Horizon support more Teams features:

  • Horizon 2312 (8.12) and newer support blur backgrounds, select effects, or select an available background image.
  • Horizon 2306 (8.10) and newer support simulcast, which allows multiple streams at multiple resolutions.
  • Horizon 2303 (8.9) and newer support individual application sharing in VDI and RDSH desktop sessions.
  • Horizon 2203 (8.5) and newer support Give and take control of screen sharing.
  • Horizon 2106 (8.3) and newer can offload to Linux and Mac clients in addition to Windows clients.
  • E911 and Location-Based Routing require Mac client (2111 and later) and Windows client (5.5.4 and later; 2111 and later) only. Not supported for Linux client.

In Horizon 2212 and newer, Teams Optimization is enabled by default. In older Horizon, it is disabled by default. For requirements and limitations, see Configuring Media Optimization for Microsoft Teams at Omnissa Docs.

  1. Make sure the Horizon 7.13 or Horizon 2006 or newer GPO Templates are installed.
  2. Edit the Horizon Agent Computer Settings GPO.
  3. Go to Computer  Configuration | Policies | Administrative Templates | VMware View Agent Configuration | VMware HTML5 Features | VMware WebRTC Redirection Features.
  4. Edit the setting Enable Media Optimization for Microsoft Teams.
  5. Set it to Enabled.

Browser Content Redirection

Browser Content Redirection redirects the contents of the browser to be rendered by the client machine instead of the Horizon Agent machine. Browser Content Redirection in Horizon 2106 and newer supports both Chrome and Edge. HTML5 Multimedia Redirection is the older feature. See Omnissa Docs.

  1. Edit a GPO that applies to the Horizon Agents.
  2. Expand Computer Configuration, expand Administrative Templates, expand VMware View Agent Configuration, and click VMware HTML5 Features.
  3. On the right, enable the setting Enable VMware HTML5 Features. This setting is only available in Horizon 7.10 and newer.

  4. In Horizon 7.10 and newer:
    1. On the left, under VMware HTML5 Features, click VMware Browser Redirection.
    2. On the right, enable the setting Enable VMware Browser Redirection.
    3. Also enable the setting Enable Browser Redirection feature for Microsoft Edge (Chromium) Browser. This setting requires Horizon 2106 (8.3) or newer.
    4. On the right, configure the setting Enable URL list for VMware Browser Redirection.
    5. Enable the setting and click Show.
    6. Add a list of URLs that you want the client to render. Use wildcards in the path.
  5. The older feature is HTML5 Multimedia Redirection, which you can optionally enable. See Configuring HTML5 Multimedia Redirection at Omnissa Docs.

  6. Install the Edge GPO Templates if you haven’t already.
  7. In either the computer half or user half of a group policy, expand Policies, expand Administrative Templates, expand Microsoft Edge, and click Extensions.
  8. On the right, double-click the setting Control which extensions are installed silently.

    1. Enable the setting and click Show.
    2. For Horizon Browser Redirection in Horizon 7.10 and newer, enter the following:
      demgbalbngngkkgjcofhdiiipjblblob;https://clients2.google.com/service/update2/crx

    3. For the older HTML5 Multimedia Redirection in Horizon 7.3 and newer, enter the following. You can do either extension, but not both. If you enable both extensions, then they will conflict with each other.
      ljmaegmnepbgjekghdfkgegbckolmcok;https://clients2.google.com/service/update2/crx

    4. When you log into a Horizon Agent session, the extension should automatically be added to Edge.
  9. Install the Chrome GPO Templates if you haven’t already.
  10. In either the computer half or user half of a group policy, expand Policies, expand Administrative Templates, expand Google, expand Google Chrome, and click Extensions.
  11. On the right, double-click the setting Configure the list of force-installed apps and extensions.

    1. Enable the setting and click Show.
    2. For Horizon Browser Redirection in Horizon 7.10 and newer, enter the following:
      demgbalbngngkkgjcofhdiiipjblblob;https://clients2.google.com/service/update2/crx

    3. For the older HTML5 Multimedia Redirection in Horizon 7.3 and newer, enter the following. You can do either extension, but not both. If you enable both extensions, then they will conflict with each other.
      ljmaegmnepbgjekghdfkgegbckolmcok;https://clients2.google.com/service/update2/crx

    4. When you log into a Horizon Agent session, the extension should automatically be added to Chrome.
  12. When you navigate to a URL on the configured URL List, if the redirection feature is working, then the Chrome extension will show REDR.

  13. And you’ll see HTML5VideoPlayer.exe on the client side.

UNC Path Redirection

Horizon 2209 and newer can redirect network links inside Outlook from agent-to-client or from client-to-agent.

  1. Install the Horizon 2209 or newer GPO ADMX files if you haven’t already.
  2. In the computer half of a GPO, find the settings under Computer Configuration | Policies | Administrative Templates and click VMware Horizon UNC Path Redirection.
  3. First enable the feature by setting Enable UNC Path Redirection.
  4. Then configure UNC Path Redirection Filter Rule. For agent-to-client, add paths in the Client Rules box. The other boxes are for client-to-agent. Regular Expressions are supported as detailed at Omnissa Docs.
  5. When installing Horizon Agent 2209 or higher, add /v ENABLE_UNC_REDIRECTION=1 to the command line.
  6. When installing Horizon Client 2209 or higher, add /v ENABLE_UNC_REDIRECTION=1 to the command line.

URL Content Redirection

URL Content Redirection allows web browser URLs to be redirected from Agent-to-Client or from Client-to-Agent. This feature requires:

  • URL Redirection component installed from command line on Horizon Agent.
  • URL Redirection component installed from command line on Horizon Client.
  • If Horizon Client is installed on a Horizon Agent machine, you can install URL Redirection for one or the other, but not both.
  • Internet Explorer 9 or later only
  • GPO Settings

URL Redirection GPO settings apply to both Horizon Agents and Horizon Clients depending on the source of the redirection. For Agent-to-Client redirection, edit a GPO that applies to the Horizon Agents. For Client-to-Agent redirection, edit a GPO that applies to the Horizon Clients.

  1. Install the Horizon GPO ADMX files if you haven’t already.
  2. Expand Computer Configuration | Policies | Administrative Templates and click VMware Horizon URL Redirection.
  3. On the right, double-click IE policy: Automatically activate newly installed plugins, and enable it. If you don’t configure this, then users are required to activate the IE add-on manually.
  4. On the right, double-click Url Redirection Enabled and enable the setting. The setting description says it’s enabled by default, but actually it’s not.
  5. On the right, double-click Url Redirection Protocol ‘http’.
  6. For Agent-to-Client, configure clientRules and agentRules. clientRules are redirected from Agent-to-Client. However, agentRules override clientRules. This lets you redirect every URL to client but keep some URLs on the agent. Separate multiple rules with a semicolon.
  7. For Client-to-Agent, configure agentRules. Anything that matches will be redirected to the remoteItem (name of published icon) accessible through brokerHostname.
  8. In the User half of a GPO that applies to Horizon Agents with Loopback Processing enabled, Horizon 7.4 added a new policy setting to automatically install the URL Content Redirection extension in Chrome. This setting should be applied to both the Horizon Agents, and the Horizon Clients.

Collaboration Settings

Horizon 7.4 and newer have a Collaboration feature, which has some group policy settings.

  1. Install the Horizon GPO ADMX files if you haven’t already.
  2. Right-click the Horizon Agent Computer Settings GPO and click Edit.
  3. Expand Computer Configuration | Policies | Administrative Templates, expand VMware View Agent Configuration, and click Collaboration.

  4. On the right, you can configure settings like the Maximum number of invited collaborators. The limit is 10.

User Lockdown Settings

Edit the Horizon Agent Non-Admin Users GPO, and configure the settings detailed at https://www.carlstalhood.com/group-policy-objects-vda-user-settings/#lockdown.

User Application Settings

Edit the Horizon All Users GPO and configure settings for applications (Internet Explorer, Office, etc.) as detailed at https://www.carlstalhood.com/group-policy-objects-vda-user-settings/#ie and https://www.carlstalhood.com/group-policy-objects-vda-user-settings/#office2013.

Redirected Profile Folders

In addition to roaming profiles, configure Redirected Profile Folders as detailed at https://www.carlstalhood.com/citrix-profile-management/#redirected. Anything redirected will not be copied locally by Persona, RDS profiles, or DEM.

Related Pages