VMware Horizon 2006: Cloud Pod Architecture

Last Modified: Aug 14, 2020 @ 3:48 pm

This article applies to all VMware Horizon versions 2006 (aka 8.0) and newer.

Change Log

  • 2020 Aug 14 – updated entire article for Horizon 2006 (aka 8.0)

Planning

Cloud Pod Architecture lets you publish a single icon that load balances connections across multiple pools in multiple pods in multiple sites (datacenters).

  • Global Entitlements – Entitlements are the same thing as published icons. When you create an entitlement (local or global), you are publishing an icon from a pool.
    • For local entitlement, the icon is only published from one pool.
    • For global entitlement, the icon can be published from multiple pools. The pools can be in one pod or from multiple pods.
    • Don’t configure both global and local entitlements for the same pool.
    • A single pool can only belong to one global entitlement.
    • For applications, only one application per global entitlement.
  • Pod Federation – Global entitlements can’t be created until a Pod Federation is created. This federation could be one pod or multiple pods.
    • The pods can be separated into sites. Each site can contain multiple pods.
  • Global Load Balancing – Use Citrix ADC GSLB or F5 GTM to connect Horizon Clients to a globally available Horizon Connection Server. The connected Horizon Connection Server then uses Global Entitlements to select a site/pod/pool.
    • When a user launches a Global Entitlement, the Connection Server selects a pod based on the Global Entitlement Scoping, which can be All Sites, Within site, or Within Pod. This is from the perspective of the Connection Server the user is currently connected to. Horizon will prefer the local pod if possible.
    • Users or groups can be assigned to Home Sites. Global Entitlements can be configured to prefer Home Sites over the normal site/pod selection criteria.
  • Dedicated Assignment – For Dedicated Assignment pools, global entitlement only helps with the initial connection. Once the user is assigned to a desktop then that desktop is always selected. Users are not automatically provided with a desktop from another site if the site containing their dedicated desktop has gone down. The desktop request will fail because the dedicated desktop isn’t available. The administrator could configure a separate Global Entitlement for the users to provide a floating desktop until such time the original site recovers. That floating entitlement should be arranged to deliver desktops from other sites as required.
  • Firewall Ports – The Horizon Connection Servers participating in Cloud Pod Architecture communicate with each other over TCP 135, TCP 22389, TCP 22636, and TCP 8472. Make sure these ports are open. More info at Ray Heffer VMware Horizon 7.4 Network Ports for Cloud Pod Architecture.
  • RBAC – Horizon Console includes a new administrator privilege: Manage Global Sessions. The regular Administrators role has access to multiple pods. The new Local Administrators role can only manage the local pod.
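A reachability check for the four TCP ports in the Firewall Ports item above, run from one Connection Server against Connection Servers in another pod. This is an added example, not part of the original article; the peer host names are placeholders and `Test-TcpPort` is a helper defined here.

```powershell
# Added example: confirm the Cloud Pod Architecture ports listed in this
# article are reachable from this Connection Server to its federation peers.
$CpaPorts = 135, 22389, 22636, 8472
$Peers    = 'cs01.pod-b.example.com', 'cs02.pod-b.example.com'   # placeholders

function Test-TcpPort {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [Parameter(Mandatory)] [int]    $Port,
        [int] $TimeoutMs = 3000
    )
    $client = [System.Net.Sockets.TcpClient]::new()
    try {
        $task = $client.ConnectAsync($ComputerName, $Port)
        # Wait() returns $false on timeout; a refused connection throws.
        return ($task.Wait($TimeoutMs) -and $client.Connected)
    }
    catch {
        return $false
    }
    finally {
        $client.Dispose()
    }
}

# One result row per peer/port pair.
$results = foreach ($peer in $Peers) {
    foreach ($port in $CpaPorts) {
        [pscustomobject]@{
            Peer      = $peer
            Port      = $port
            Reachable = Test-TcpPort -ComputerName $peer -Port $port
        }
    }
}

$results | Format-Table -AutoSize

# Summarise anything a firewall between the pods is still dropping.
$blocked = @($results | Where-Object { -not $_.Reachable })
if ($blocked.Count -gt 0) {
    Write-Warning ("{0} peer/port pair(s) are not reachable." -f $blocked.Count)
}
```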

Cloud Pod Limits in Horizon 2006 and newer:

  • Max users = 250,000
  • Max Pods = 50
  • Max Sessions per Pod = 12,000
  • Max Sites = 15
  • Max Connection Servers per Pod = 7
  • Max Horizon Connection Server Instances = 350

Traffic flow (Rob Beekmans – VMware Horizon View Cloud Pod – unwanted routing?):

  • Use F5 GTM or NetScaler GSLB to connect users to a Horizon Connection Server in any pod. If active/active, use proximity load balancing to control which pod is initially accessed.
  • The Horizon Connection Server looks up the Global Entitlements to determine the destination pod for the Pool.
  • User’s PCoIP session goes through the initially connected Horizon Connection Server and across the DCI (Datacenter Interconnect) circuit to the remote pod. There’s no way to re-route Blast/PCoIP through a Horizon Connection Server in the remote pod. In fact, the Horizon Connection Servers in the remote pod are never accessed. You need sufficient DCI bandwidth to handle this Blast/PCoIP traffic.
  • Note: Horizon Cloud Universal Broker doesn’t have this problem.

For more information on multi-datacenter design for Horizon, see VMware Workspace ONE and VMware Horizon Reference Architecture, which includes the following:

  • Identity Manager
  • App Volumes
  • Horizon Cloud Pod Architecture
  • Dynamic Environment Manager
  • SQL AlwaysOn Availability Groups
  • Networking
  • Storage (e.g. vSAN)
  • Active Directory
  • Distributed File System
  • Global Load Balancing

Initialize First Pod

  1. In Horizon Console, expand Settings and click Cloud Pod Architecture.
  2. On the right, click Initialize the Cloud Pod Architecture feature.
  3. Click OK to initialize.
  4. A status page is displayed.
  5. On the right, feel free to rename the federation by clicking the Edit button.
    • Enter a new name.
  6. On the left, expand Settings, and click Sites.
  7. On the right, in the top half, highlight the first site, and then click the Edit button to rename the Default First Site to be more descriptive.
    • Enter a Site name.
  8. Click the Site to highlight it to reveal the Pods on the bottom half of the window.
  9. Highlight the pod and click Edit to make the name more descriptive.
    • Enter a Pod name.
  10. See VMware 2080522 Restoring View Connection Server instances in a Cloud Pod Architecture pod federation.

Additional Pods – Join Federation

  1. Connect to Horizon Console in the second pod.
  2. On the left, expand Settings, and click Cloud Pod Architecture.
  3. On the right, click Join the pod federation.
  4. Enter the name of an existing Horizon Connection Server that is already joined to the federation.
  5. Enter credentials, and click OK.
  6. The Join status is displayed.
  7. On the left, expand Settings, and click Sites.
  8. If this pod is in a different site, then in the top half of the window click Add to create a new site.
  9. Give the site a name, and click OK.
  10. Highlight the first site.
  11. On the bottom, highlight the new pod, and click Edit.
  12. Rename the pod and put it in the 2nd site. Click OK.
  13. The top of Horizon Console shows you which Pod you are administering. You might have to refresh the page to see the correct Pod name after it was renamed.

Global Entitlements

Pools and Entitlements are two different things. You can create a pool without entitling anybody to the pool. Entitlements create icons.

Local Entitlements and Global Entitlements are two different things. Global Entitlements are created separately, and then you assign pools from multiple pods to the Global Entitlement. Connections can be load balanced across the pods and pools.

Do not create both Global Entitlements and Local Entitlements for the same pool otherwise users might see two icons. Create the local pool, but don’t entitle it. Instead, create a Global Entitlement and add the local pool to it.

  1. In Horizon Console, on the left, expand Inventory, and click Global Entitlements.
  2. On the right, click Add.
  3. In the Type page, select Desktop Entitlement or Application Entitlement, and click Next.
  4. In the Name and Policies page, give the entitlement (icon) a name. For Application Entitlements, it’s one entitlement per application so include the application name. In Horizon 2006 and newer, you can now specify a Display Name that is different than the name of the entitlement.
  5. Scroll down for more settings:
    1. You can configure tag restrictions (Connection Server restrictions) from this wizard.
    2. You can select a Category Folder where the published icon will be placed on the client’s Start Menu. This feature requires Horizon Client 4.6 and newer.
    3. You can put the published icon on the endpoint’s desktop too.
    4. Configure Category Folder.
  6. Scroll down to the Policies section and configure the following:
    1. Scope determines from which site/pod the Horizon Agent is selected.
    2. The Use home site checkbox tells the global entitlement to respect user home sites.
    3. Change the Default display protocol to VMware Blast.
    4. You can allow users to reset/restart their machines.
    5. There’s a Pre-launch checkbox. If you need the Pre-launch feature, then enable the Pre-launch checkbox on at least one application, and entitle the application to the users that need the Pre-launch feature.
    6. There’s a checkbox named Client Restrictions. When this is enabled, you can add Client Computer Accounts to an AD Group and entitle the published icon to that computer AD group. The published icon can then only be accessed from the client computers in the AD group.

      Notes:

    7. There’s a selection for Multi-Session Mode. Pre-launch must be disabled to enable this setting.
    8. Make other selections.
  7. Click Next when done.
  8. In the Users and Groups page, add users that can see the icon associated with the Global Entitlement. Click Next.
  9. In the Ready to Complete page, click Finish.
  10. On the right, click the link for the name of the Global Entitlement.
  11. Switch to the Local Pools tab.
  12. On the Local Pools tab, click Add.
  13. Select the local pools you want to add and click Add. Remember, only add one app per Global Entitlement. Also, you can only add pools from the local pod. To add pools from a different pod, you must point your Horizon Console browser to the other pod and edit the Global Entitlement from there.
  14. Go to another pod and view the Global Entitlements.
  15. On the right, click the hyperlink for the name of the Global Entitlement.
  16. On the Local Pools tab, click Add to add pools from this pod.
  17. You can configure backup global entitlements. A backup global entitlement delivers remote desktops or published applications when the primary global entitlement fails to start a session because of problems such as insufficient pool capacity or unavailable pods.
    1. Create a Backup Global Entitlement containing the backup pools. You don’t have to assign anybody to the Backup Global Entitlement.
    2. Edit the production Global Entitlement.
    3. Under Backup Global Entitlement, click Browse.
    4. Change the selection to Backup Global Entitlement, select the Backup Global Entitlement and click Submit.
  18. Horizon Console, at Inventory > Desktops, can show whether a Local Pool is a member of a Global Entitlement. Scroll to the right to see the Global Entitlement column.

Monitoring

  1. Once Global Entitlements are enabled, a new Search Sessions node is added, which allows you to search for sessions across federated pods.
  2. The Dashboard in Horizon Console shows the health of remote pods.

Home Sites

The Home Sites feature causes Global Entitlements to prefer pools in the user’s Home Site before looking for pools in remote sites.

  1. Configure your Cloud Pod Architecture with multiple Sites and at least one Pod per Site.
  2. In Horizon Console, on the left, click Users and Groups.
  3. On the right, switch to the Home Site Assignment tab.
  4. Click Add.
  5. Find a user or group for this home site, and click Next.
  6. Select the site to assign the users to and click Finish.
  7. Home Sites can be assigned to both users and groups. User assignments override group assignments.
  8. Edit your Global Entitlement and ensure that Use Home Site is checked. You can optionally require that each user has a Home Site.
  9. Each Global Entitlement can have its own Home Site configuration that overrides the global Home Site configuration.
    • In Horizon Console, click the hyperlink for the Global Entitlement’s name, switch to the tab named Home Site Override, and then click Add.

  10. Since you could have a combination of default Home Site for user, default Home Site for group, and Global Entitlement-specific Home Sites, it’s helpful to know which Home Site is effective for each user and Entitlement.
    • In Horizon Console, in the Users and Groups node, switch to the Home Site Resolution tab. Find a user, and it will show you the Home Site Resolution.

VMware Horizon 2006: RDS Farms/Pools

Last Modified: Aug 14, 2020 @ 3:40 pm

This post applies to all VMware Horizon versions 2006 (aka 8.0) and newer.

Change Log

  • 2020 Aug 14 – updated entire article for Horizon 2006 (aka 8.0)

Overview

This post details VMware Horizon configuration for Remote Desktop Session Host (RDS) Horizon Agents. Virtual Desktops are detailed at Master Virtual Desktop and Virtual Desktop Pools.

Before following this procedure, build a master RDS Session Host.

Before you can publish applications or RDS desktops, you must create an RDS Farm. An RDS Farm is a collection of identical (cloned) Remote Desktop Session Hosts. Applications must be installed identically on every machine in the farm. If you have different applications on different Remote Desktop Session Hosts, then these are different RDS Farms.

Once the RDS Farms are created, you publish icons from them by either creating a Desktop Pool or an Application Pool or both. When creating a Desktop Pool or Application Pool, all members of the RDS Farm are selected. It is not possible to select a subset of Farm members.

VMware Tech Paper Best Practices For Published Applications And Desktops in VMware Horizon 7:

  • vSphere Best Practices – Hardware, Network Adapters, ESXi BIOS Settings, ESXi Power Management
  • Core Services Best Practices – Active Directory, DNS, DHCP, NTP, KMS, RDS Licensing
  • ESXi Host Sizing Best Practices
  • RDSH Configuration Best Practices – Optimization
  • Horizon 7 Best Practices – Instant Clones, Load Balancing
  • User Environment Management Best Practices – Horizon Smart Policies, Folder Redirection, User Profiles, Printers, Hardware Graphics Acceleration
  • App Volumes Best Practices – dedicated AppStacks
  • Antivirus Best Practices
  • Maintenance Operations Best Practices – scheduled reboots

RDS Farms – Instant Clones

For a description of Instant Clones, see Instant Clones for RDSH in VMware Horizon 7.1 YouTube video.

  1. You select a snapshot from a master image.
  2. Horizon creates a template VM that boots from the master snapshot. After some prep, the template VM shuts down and creates a new snapshot.
  3. The template snapshot is copied to a Replica VM on every LUN (datastore) that will host RDS Farm VMs.
  4. For each datastore, Horizon creates a Parent VM on every host in the cluster. This parent VM is powered on and running at all times.
  5. The linked clones can finally be created by forking the parent VM to new linked clone VMs. Notes:
    1. Once the Parent VMs are created, creating/recreating linked clones is fast. But it takes time to create all of the Parent VMs.
    2. And the Parent VMs consume RAM on every host. If you have multiple datastores and/or multiple pools, then there are multiple Parent VMs per host, all of them consuming RAM.
  6. You can schedule a periodic reboot of the Instant Clones, which causes the Instant Clone machines to refresh (revert) from the parent VM.
  7. Instant Clones require Distributed vSwitch and Distributed Port Group with Static Binding and Fixed Allocation. Standard vSwitch is not supported. See the Multi VLAN and vGPU for Instant Clones in VMware Horizon 7.1 YouTube video.

Create an Automatic RDS Farm

If you upgrade vCenter to 6.7 or newer, then you must upgrade your ESXi hosts to 6.7 or newer at the same time. Afterwards, take a new snapshot of the master image and perform a push operation. See Upgrade Instant-Clone Desktop Pools When You Upgrade vCenter Server to vSphere 6.7 or Later at VMware Docs.

Master Image Preparation

  1. Make sure your RDS master Agent has the VMware Horizon Instant Clone Agent feature installed.
  2. Make sure your RDS master Agent is configured for DHCP.
  3. Computer Group Policy – Make sure the Master VM is in the same OU as the Instant Clones so the Master VM will get the computer-level GPO settings. Run gpupdate on the master after moving the VM to the correct OU. New Instant Clones do not immediately refresh group policy so the group policy settings must already be applied to the master VM. See VMware 2150495 Computer-based Global Policy Objects (GPOs) that require a reboot to take effect are not applied on instant clones.
  4. Shut down the master image.
  5. Edit the specs of the master VM to match the specs you want the linked clones to have.
  6. Take a snapshot of the master image.
  7. In Horizon Console, on the left, expand Inventory, and click Farms.
  8. On the right, click Add.
  9. In the Type page, select Automated Farm, and click Next.
  10. In the vCenter Server page, select Instant Clone, select the vCenter Server, and then click Next.
  11. In the Storage Optimization page, click Next.
  12. In the Identification and Settings page:
    1. Enter a name for the Farm. A VM folder with the same name will be created in vCenter.
    2. Note: There’s no place to set the Display Name here. You do that later when creating a Desktop Pool.
    3. Scroll down to the Farm Settings section.
    4. Horizon supports Pre-launch. If pre-launch is enabled on a published app, when the user logs into Horizon Client, an empty RDS Session is immediately established. When the user double clicks an icon, the program launches quickly since there’s already a pre-launched session. When the user closes Horizon Client, the pre-launch session is disconnected for the duration specified here. The minimum duration is 10 minutes.
    5. For Empty session timeout, set it to 1 minute. For When timeout occurs, set it to Log off. You usually want the session to end when users close all of their applications.
    6. For Log off disconnected sessions, specify a disconnect timer. This is in addition to the idle timer configured in Global Settings.
    7. There’s an Allow Session Collaboration checkbox, which adds a VMware Horizon Collaboration icon in the system tray of the remote desktop, which lets you invite users to collaborate. See Session Collaboration for details.
    8. Max sessions per RDS Host will block connections if this number is exceeded. You can leave it set to Unlimited.
  13. Click Next.
  14. The Load Balancing Settings page lets you configure what metrics are used for even distribution of users across the farm. By default, only Session Count is considered. You can add other metrics like CPU or Memory. Click Next.
  15. In the Provisioning Settings page:
    1. Enter a Naming Pattern. Make sure the name includes {n:fixed=3} or something like that. Computer names must be 15 characters or less.
    2. In Farm Sizing, enter the number of machines to create.
  16. Click Next.
  17. In the vCenter Settings page, click Browse next to each option and make a selection. These are self-explanatory. Scroll down to see all options. Then click Next.
  18. In the Guest Customization page:
    1. Select an OU to place the new virtual machines. This should be an OU that is configured with group policies for the RDSH machines.
    2. Consider the Allow reuse of pre-existing computer accounts check box.
  19. Click Next.
  20. In the Ready to Complete page, click Submit.

To view the status of RDS Farm creation:

  1. Click the farm name.
  2. The bottom of the Summary tab shows you the State of the Publishing progress.

  3. You can watch the progress in vSphere Client. It goes through a couple of longer tasks, including cloning the snapshot, and creating a digest file.
  4. Eventually the tab named RDS Hosts will show the new virtual machines.
  5. Once the RDS Hosts are created, you publish resources from them by either creating a Desktop Pool, or an Application Pool, or both.

Add more RDS Hosts to an Automatic Farm

To add RDS hosts to an existing RDS Automatic Farm:

  1. On the left, expand Inventory, and click Farms.
  2. Click the link for an automated farm.
  3. On the right, click Edit.
  4. Switch to the Provisioning Settings tab and change the Max number of machines. Then click OK.
  5. It should not take long to add the new VM.
  6. The RDS Hosts tab of the RDS farm shows the new RDS host(s).

Update an Automatic Farm

Master Image Preparation

  1. Power on the master session host.
  2. Login and make changes.
  3. After making your changes, shut down the master session host.
  4. Right-click the virtual machine, and take snapshot. You must create a new snapshot.
  5. Name the snapshot, and click OK.
  6. You’ll need to periodically delete the older snapshots. Right-click the master VM, and click Manage Snapshots.
  7. Delete one or more of the snapshots.
  8. In Horizon Console, go to Inventory > Farms.
  9. Click the farm name’s link.
  10. On the Summary tab, click Maintain, and then click Schedule.
  11. One option is to schedule Recurring reboots, which revert the RDS Hosts to a clean state.
  12. To push out an updated Master Image, change the Schedule to Immediate.
  13. Select Start Now, or select Start at a future date/time. Click Next.
  14. In the Image page, uncheck the box next to Use current parent VM image, select the new snapshot, and click Next.
  15. In the Scheduling page, decide if the reboot should wait for users to logoff or force them off and then click Next.
  16. In the Ready to Complete page, click Finish.
  17. The RDS Farm’s Summary tab (scroll down) shows you that it’s publishing the new image.

  18. After the image is published, on the RDS Hosts tab, you can check on the status of the maintenance task.

Instant Clones Maintenance

To perform Instant Clone Maintenance:

  1. If you click an Instant Clones RDS Farm name…
  2. And switch to the RDS Hosts tab, you can select a machine, and then click Recover. This causes the VM to be deleted and recreated, thus reverting to the master image snapshot.

  3. On the Summary tab of the RDS Farm, you can click Maintain > Schedule to schedule a reboot of every VM in the RDS Farm. Rebooting causes the VMs to revert to the master image snapshot.
  4. Specify how often you want the reboot to occur, and then click Next.
  5. In the Image page, you don’t have to change the snapshot. Click Next.
  6. Decide what to do about logged on users, and click Next.
  7. In the Ready to Complete page, click Finish.
  8. If you click the Maintain menu again, you can click Reschedule to change when the reboots are scheduled. Or click Cancel.
  9. If you click Schedule again, you can only schedule a one-time update, typically to replace the master image snapshot used by the RDS Farm.
  10. ESXi hosts running Instant Clones can be placed into maintenance mode without any special instructions.

RDS Farms – Manual

RDSH Machines in Manual Farms are cloned manually in vCenter. Instant Clones are not used.

To create a manual RDS Farm:

  1. Make sure neither the View Composer Agent nor the Instant Clone Agent is installed on your RDS servers, and make sure you saw the screen to register the Agent with a Horizon Connection Server.
  2. On the left, expand Inventory, and click Farms.
  3. On the right, click Add.
  4. In the Type page, select Manual Farm, and click Next.
  5. In the Identification and Settings page, enter a name for the Farm.
  6. Scroll down to the Farm Settings section.
    1. There is a pre-launch option. If pre-launch is enabled on a published app, when the user logs into Horizon Client, an empty RDS Session is immediately established. When the user double clicks an icon, the program launches quickly since there’s already a pre-launched session. When the user closes Horizon Client, the pre-launch session is disconnected for the duration specified here. The minimum duration is 10 minutes.
    2. For Empty session timeout, set it to 1 minute. For When timeout occurs, set it to Log off. You usually want the session to end when users close all of their applications.
    3. For Log off disconnected sessions, specify a disconnect timer. This is in addition to the idle timer configured in Configuration > Global Settings.
    4. There is an Allow Session Collaboration checkbox, which adds a VMware Horizon Collaboration icon in the system tray of the remote desktop, which lets you invite users to collaborate. See Session Collaboration for details.
  7. Click Next.
  8. The Load Balancing Settings page lets you configure what metrics are used for even distribution of users across the farm. By default, only Session Count is considered. You can add other metrics like CPU or Memory. Click Next.
  9. In the Select RDS Hosts page, select one or more identical Remote Desktop Session Hosts. Click Next.
  10. In the Ready to Complete page, click Submit.
  11. If you click the farm name…
  12. On the RDS Hosts tab, you can click Add to add more registered RDS Hosts. Make sure every Host in the RDS Farm is identical.

Publish Desktop

To publish a desktop from an RDS Farm:

  1. In Horizon Console, on the left, expand Inventory, and click Desktops.
  2. On the right, click Add.
  3. In the Type page, select RDS Desktop Pool, and click Next.
  4. In the Desktop Pool ID page, enter an ID and name. They can be different. The ID cannot contain spaces. Click Next.
  5. In the Desktop Pool Settings page:
    1. You can select a Category Folder where the published icon will be placed on the client’s Start Menu.
    2. You can type in a new category folder name, or select an existing one. Also select Shortcut Locations.
    3. There is a checkbox named Client Restrictions. When this is enabled, you can add Client Computer Accounts to an AD Group and entitle the published desktop to that computer AD group. The published desktop can then only be accessed from the client computers in the AD group.
    4. Notes on Client Restrictions:
  6. Click Next.
  7. In the Select an RDS farm page, select a farm, and click Next. The farm can be either Instant Clone or Manual.
  8. In the Ready to Complete page, check the box next to Entitle users after this wizard finishes, and click Submit.
  9. In the Entitlements window, click Add.
  10. Browse to an Active Directory group, and click OK.
  11. Then click Close.
  12. If you go to Inventory > Farms and click your farm name, there will be an RDS Pools tab, where you can see which Desktop Pool is associated with this farm. An RDS Farm can only belong to one Desktop Pool.

Publish Applications

To publish apps from an RDS Farm:

  1. In Horizon Console, on the left, expand Inventory, and click Applications.
  2. On the right, click Add, and then click Add from Installed Applications.
  3. In the Select Applications page, select an RDS Farm.
  4. The purpose of this wizard is to publish and entitle applications from an RDS Farm. The entitlements will apply to all of the applications you select on this page. If you want different entitlements for different applications, run this wizard multiple times and select different applications. Once the applications are published, you can change their entitlements individually.
  5. Select one or more applications. Notice that File Explorer is not one of the options. You can manually add that application later.
  6. There are additional options at the bottom of the Select Applications page. Notice the Entitle users box is checked by default.

    1. There’s a Pre-launch option for published applications. You can optionally enable it on at least one application, and then entitle the pre-launch application to the users that need the Pre-launch feature.
    2. You can assign tags for Connection Server restrictions, which lets you control visibility of icons for internal users vs external users.
    3. You can select a Category Folder where the published icon will be placed on the client’s Start Menu and/or Desktop.
    4. There’s a checkbox named Client Restrictions. When this is enabled, you can add Client Computer Accounts to an AD Group and entitle the published application to that computer AD group. The published application can then only be accessed from the client computers in the AD group. Notes on Client Restriction:
  7. Click Next when done.
  8. The Edit Applications page lets you rename the published icons. Click Submit when done.
  9. Click Add to select a group that can see these icons. This is the normal entitlement process.

    1. There is an option for Unauthenticated users, which is detailed at Providing Unauthenticated Access for Published Applications at VMware Docs.
    2. Before you can configure Unauthenticated Access on published applications, you must add a Domain Account that will be used for anonymous access at Users and Groups > Unauthenticated Access.
    3. Then go to Settings > Servers and Edit a Connection Server.
    4. On the Authentication tab…
    5. …enable Unauthenticated Access, and select the Default unauthenticated access user account.
    6. Back in your entitlement, you select Unauthenticated Users, and entitle it to the Domain User that is your anonymous account.
  10. You can run the Add Application Pool wizard again to publish more applications with different entitlements.
  11. If you click the name of one of the application pools…
  12. …on the Entitlements tab, you can change the entitlements.

Manual Application Publishing

Instead of publishing an existing application from the Start Menu, you can add an application manually:

  1. Go to Inventory > Applications, click Add, and select Add Manually.
  2. File Explorer is an application that has to be added manually.

  3. When publishing Explorer, add the /separate switch. This prevents the full desktop from appearing when launching published Explorer through HTML Blast (Source = RDS Desktop being presented when opening an app at VMware Communities).

Icon for Published Application

  1. You can select an Application Pool, then open the Application Icon menu and click Associate Application Icon.

Published App Monitoring

If you click a Farm name, you can view Sessions connected to that Farm and the published application each user is running. Monitor > Sessions does not show published application information, but RDS Farm > Sessions does.

  1. In Horizon Console, on the left, expand Inventory and click Farms.
  2. On the right, click the link for one of the farms.
  3. Switch to the tab named Sessions.
  4. As you scroll down the table you’ll see sessions with Type = Application.
  5. If you scroll to the right, you’ll see the Application Name in the far-right column.

Show application pools associated with RDS Farm

  1. If you go to Inventory > Farms, click your farm name…
  2. …and switch to the RDS Pools tab, you can see which Application Pools (published applications) are associated with this farm. You can click the link for a pool to be taken to the pool’s property pages.

Anti-affinity

You can configure Horizon to restrict the number of instances of an application running on a particular RDS host. Here are some limitations:

  • If the user already has a session then anti-affinity is ignored.
  • If the application is launched from within an RDS Desktop then anti-affinity is ignored.
  • Not recommended for Horizon Mobile clients.

See Configure an Anti-Affinity Rule for an Application Pool in Horizon Console at VMware Docs.

Do the following to configure Anti-Affinity in Horizon Console:

  1. On the left, go to Inventory > Applications.
  2. On the right, edit an existing application pool.
  3. Scroll down. In the Anti-Affinity Patterns field, enter process names to match. Wildcards are supported. Each match is counted.
  4. In the Anti-Affinity Count field, enter the maximum number of process name matches that can run on a single RDS Host.

VMware Horizon 2006: Master RDS Host

Last Modified: Aug 16, 2020 @ 5:49 am

Use this post to build a Windows Server Remote Desktop Session Host (RDSH) that will be used as the source image for additional cloned Remote Desktop Session Hosts. Or you can build each Remote Desktop Session Host manually using the steps detailed in this post. Virtual Desktop is detailed in a separate article.

This post applies to all VMware Horizon versions 2006 (aka 8.0) and newer.

Change Log

  • 2020 Aug 14 – updated entire article for Horizon 2006 (aka 8.0)

Hardware

  • The session host pools will use the same hardware specs (e.g. vCPUs, memory size, network label) specified on the master session host. Adjust accordingly.
  • Set the vCPUs to 8. Two is the minimum. See VMware whitepaper for more information.
  • Typical memory for an 8 vCPU session host is 24 – 48 GB (e.g. 32 GB).
  • For New Hard disk, consider setting Thin provision. And increase the size so it can store the locally cached profiles (C:\Users).
  • The session host should be configured with a VMXNET 3 network adapter.
  • When building the master session host, you will probably boot from an ISO. When you are ready to create the pool (RDS farm), ensure the CD/DVD drive points to Client Device, and is not Connected. The important part is to make sure no ISO file is configured.
  • There’s no need for the Floppy drive so remove it.
  • If you have any Serial ports, remove them.

NIC Hotplug – Disable

  1. Users could use the systray icon to Eject the Ethernet Adapter. Obviously this is bad.
  2. To disable this functionality, power off the virtual machine.
  3. Once powered off, right-click the virtual machine, and click Edit Settings.
  4. On the VM Options tab, expand Advanced, and then click Edit Configuration.
  5. Click Add Configuration Params.
  6. On the left, enter devices.hotplug. On the right, enter false.
  7. Then click OK a couple times to close the windows.
  8. The VM can then be powered on.

VMware Tools

See VMware Product Interoperability Matrices for supported versions of VMware Tools with different versions of Horizon Agent.

VMware Tools includes the Shared Folders feature, which prevents roaming profiles from being deleted properly. When installing VMware Tools, make sure you deselect Shared Folders so it is not installed.

After installing VMware Tools, open Registry Editor and go to HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order. Look in the ProviderOrder value on the right, and ensure that vmhgfs is not listed. If it is, remove it.
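
The registry check above can be scripted so it runs every time the image is updated. This is an added example, not part of the original article; the function name Test-HgfsProvider and its parameters are hypothetical, and the sample provider list in the comment is illustrative.

```powershell
# Added example (not from the original article).
# Reports whether vmhgfs appears in the network provider order and,
# with -Fix, rewrites the value without it.
function Test-HgfsProvider {
    [CmdletBinding()]
    param(
        [string]$KeyPath  = 'HKLM:\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order',
        [string]$Provider = 'vmhgfs',
        [switch]$Fix
    )

    # ProviderOrder is a single comma-separated string,
    # for example "RDPNP,LanmanWorkstation,webclient" (illustrative value).
    $raw = (Get-ItemProperty -LiteralPath $KeyPath -Name ProviderOrder).ProviderOrder
    $providers = @($raw -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })

    # -contains and -ne compare strings case-insensitively in PowerShell.
    $present = $providers -contains $Provider

    $result = [pscustomobject]@{
        Before  = $raw
        Present = $present
        After   = $raw
        Changed = $false
    }

    if ($present -and $Fix) {
        # Keep every other provider in its original order.
        $kept = @($providers | Where-Object { $_ -ne $Provider })
        $new  = $kept -join ','
        Set-ItemProperty -LiteralPath $KeyPath -Name ProviderOrder -Value $new
        $result.After   = $new
        $result.Changed = $true
    }

    $result
}

# Report only. Present = False means the image is already clean.
Test-HgfsProvider

# Repair. Needs an elevated PowerShell session because it writes to HKLM.
# Test-HgfsProvider -Fix
```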

Windows

Disable Internet Explorer Enhanced Security Config

  1. In Server Manager, switch to the Local Server page.
  2. On the far right, click the link for On next to IE Enhanced Security Configuration.
  3. Click Off for both Administrators and Users. Click OK.

Windows Update

Whenever you deploy a virtual machine from a template and SysPrep is executed during the cloning process, all Windows Update settings are reset. You must reconfigure Windows Update on every new virtual machine (or use group policy).

  1. In Server Manager, click Local Server on the left. Then on the right, click the link for Last checked for updates.
  2. If Windows Server 2016 or 2019, click Advanced Options.

    • In Windows Server 2012 R2, on the left, click Change settings.
  3. If Windows Server 2016 or 2019, check the box next to Give me updates for other Microsoft products when I update Windows, and then click the back button. Then click Check for Updates.

    • If Windows Server 2012 R2, check the box next to Give me updates for other Microsoft products when I update Windows, and click OK.
  4. Windows Update will automatically start checking for updates.
  5. Install any updates it recommends.

Local Administrators Group

Add your Horizon Admins group to the local Administrators group.

  1. In Server Manager, open the Tools menu, and click Computer Management. Or launch it by right-clicking the Start Button.
  2. Add the Horizon Admins group to the local Administrators group.

C: Drive Permissions

The default permissions allow users to store files on the C: drive in places other than their profile.

  1. Open the Properties dialog box for C:\.
  2. On the Security tab, click Advanced.
  3. Highlight the line containing Users with Create Folders permission, and click Remove.
  4. Highlight the line containing Users with Create Files permission, and click Remove.
  5. Click OK to close the Advanced Security Settings window.
  6. Click Yes to confirm the permissions change.
  7. If you see any of these Error Applying Security windows, click Continue.
  8. Click OK to close the C: drive properties.
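
To confirm the result of the steps above on the master image (or later on a clone), the explicit ACL entries on C:\ can be audited from PowerShell. This is an added example, not part of the original article; the function name Get-UsersCreateAce is hypothetical, and the script only reads the ACL and changes nothing.

```powershell
# Added example (not from the original article).
# Lists explicit Allow ACEs on a folder that let the built-in Users group
# create files or folders. No output objects means the folder is hardened.
function Get-UsersCreateAce {
    [CmdletBinding()]
    param(
        [string]$Path = 'C:\',
        # Well-known SID of BUILTIN\Users. Matching on the SID avoids
        # problems with localized group names.
        [string]$Sid = 'S-1-5-32-545'
    )

    $rights = [System.Security.AccessControl.FileSystemRights]
    # CreateFiles shares its bit with WriteData (0x2) and
    # CreateDirectories shares its bit with AppendData (0x4).
    $createFiles   = [int]($rights::CreateFiles)
    $createFolders = [int]($rights::CreateDirectories)

    $acl = Get-Acl -LiteralPath $Path

    # Explicit ACEs only (includeExplicit = $true, includeInherited = $false),
    # with identities returned as SIDs instead of account names.
    $rules = $acl.GetAccessRules($true, $false,
        [System.Security.Principal.SecurityIdentifier])

    foreach ($rule in $rules) {
        if ($rule.IdentityReference.Value -ne $Sid) { continue }
        if ($rule.AccessControlType -ne 'Allow')    { continue }

        $mask = [int]$rule.FileSystemRights
        $canCreateFiles   = ($mask -band $createFiles)   -ne 0
        $canCreateFolders = ($mask -band $createFolders) -ne 0
        if (-not ($canCreateFiles -or $canCreateFolders)) { continue }

        [pscustomobject]@{
            Path          = $Path
            CreateFiles   = $canCreateFiles
            CreateFolders = $canCreateFolders
            # Inheritance flags show whether the ACE also flows to subfolders.
            Inheritance   = $rule.InheritanceFlags
            Propagation   = $rule.PropagationFlags
        }
    }
}

$findings = @(Get-UsersCreateAce -Path 'C:\')
if ($findings.Count -eq 0) {
    'C:\ has no explicit ACE that lets Users create files or folders.'
} else {
    $findings | Format-Table -AutoSize
}
```

The Users read and execute entry does not carry either create bit, so it is not reported.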

Installs

Install/Upgrade VMware Horizon Agent

To install Horizon Agent on Remote Desktop Session Host (RDSH), do the following:

  1. Windows Server 2019, Windows Server 2016, and Windows Server 2012 R2 are supported.
  2. VMware Tools – Only install Horizon Agent after you install VMware Tools.
    1. If you need to update VMware Tools, uninstall Horizon Agent, upgrade VMware Tools, and then reinstall Horizon Agent.
    2. See VMware Product Interoperability Matrices for supported versions of VMware Tools with different versions of Horizon Agent.
    3. If VMware Tools 11.x, VMware recommends running the following: (source = VMware 78434 Performance issues for Horizon 7 when using VMware VMTools 11.x)
  3. Download Horizon Agent 2006.
  4. Run the downloaded VMware-Horizon-Agent-x86_64-8.0.0.exe.
  5. If you want the URL Content Redirection feature, then you must run the Agent installer with the following switches: /v URL_FILTERING_ENABLED=1
  6. In the Welcome to the Installation Wizard for VMware Horizon Agent page, click Next.
  7. In the License Agreement page, select I accept the terms, and click Next.
  8. In Desktop OS Configuration page, select RDS Mode and click Next.

    1. Click OK to install the role.
    2. Restart the machine.
    3. After restart, login, and re-run the Agent installer.
  9. In the Network protocol configuration page, select IPv4, and click Next.
  10. In the Custom Setup page, several features are disabled by default. Feel free to enable them.
    1. USB Redirection is an option.
    2. For Instant Clone RDS Farms, select VMware Horizon Instant Clone Agent. For Manual RDS Farms (no Instant Clone), don’t select the Instant Clone Agent.
    3. VMware Virtualization Pack for Skype for Business is an option. See Configure Skype for Business at VMware Docs for details.
    4. Scanner Redirection is an option. Note: Scanner Redirection will impact host density.
    5. Serial Port Redirection is an option.
    6. There’s an option for Horizon Performance Tracker, which adds a program to the Agent machine that can show the user performance of the remote session. You can publish the Tracker.

    7. For unauthenticated users, there’s a Hybrid Logon option.
  11. Click Next when done making selections.
  12. Click OK to acknowledge the USB redirection message.
  13. If you see the Register with Horizon Connection Server page, enter the name of a Horizon Connection Server, and click Next. You only see this page if you deselected both View Composer Agent and Instant Clone Agent features. Registration is necessary for Manual RDS Farms (no Instant Clones).
  14. In the Ready to Install the Program page, click Install.
  15. In the Installer Completed page, click Finish.
  16. Click Yes to restart the server.
  17. If you want to know what features were selected during installation, look in HKLM\Software\VMware, Inc.\Installer\Features_HorizonAgent. Or look in the installation log files as detailed at Paul Grevink View Agent, what is installed?

  18. To verify installation of the URL Content Redirection feature, check for the presence of C:\Program Files\VMware\VMware View\Agent\bin\UrlRedirection.
  19. There’s also an IE add-on.
  20. URL Content Redirection is configured using group policy.

Install/Upgrade Dynamic Environment Manager (DEM) Agent

All editions of Horizon 2006 are entitled to Dynamic Environment Management (DEM).

  • Horizon Standard Edition and Horizon Advanced Edition are entitled to DEM Standard Edition, which only has personalization features that replace Persona. If you are using FSLogix Profile Containers for profiles, then you probably don’t need DEM Standard Edition.
  • Horizon Enterprise Edition is entitled to DEM Enterprise Edition, which has all DEM features, including Smart Policies, Privilege Elevation, etc.

To install DEM Agent:

  1. Make sure Prevent access to registry editing tools is not enabled in any GPO since this setting prevents the FlexEngine from operating properly.
  2. Based on your entitlement, download either DEM 2006 Standard Edition, or DEM 2006 Enterprise Edition.

  3. Run the extracted VMware Dynamic Environment Manager Enterprise 10.0 x64.msi.
  4. In the Welcome to the VMware Dynamic Environment Manager Enterprise Setup Wizard page, click Next.
  5. In the End-User License Agreement page, check the box next to I accept the terms, and click Next.
  6. In the Destination Folder page, click Next.
  7. In Choose Setup Type page, click Custom.
  8. In the Custom Setup page, click Next. Note: the DEM Management Console is typically installed on an administrator’s machine.
  9. In the Choose License File page, if installing on a Horizon Agent, then no license file is needed.
  10. In the Ready to install VMware Dynamic Environment Manager Enterprise page, click Install.
  11. In the Completed the VMware Dynamic Environment Manager Enterprise Setup Wizard page, click Finish.
  12. If you have PCoIP Zero Clients that map USB devices (e.g. USB drives), then you might have to set the following registry value. (Source = VMware 2151440 Smart card SSO fails when you use User Environment Manager with a zero client)
    • HKLM\Software\VMware, Inc.\VMware VDM\Agent\USB
      • UemFlags (DWORD) = 1
  13. DEM is enabled using Group Policy and configured using the DEM Management Console.

Logon Monitoring

By default, in services.msc, the VMware Horizon View Logon Monitor service is not running. Set it to Automatic and start it.

The logon logs are stored at C:\programdata\VMware\VMware Logon Monitor\Logs on each Horizon Agent.

Inside each session log file are logon time statistics.

Remote Desktop Licensing Configuration

The only way to configure Remote Desktop Licensing in Windows Server 2012 and newer is using group policy (local group policy or domain group policy).

  1. For local group policy, run gpedit.msc.
  2. Go to Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Licensing.
  3. Double-click Use the specified Remote Desktop license servers. Change it to Enabled, and enter the names of the Remote Desktop Licensing Servers. Click OK.
  4. Double-click Set the Remote Desktop licensing mode. Change it to Enabled, and select Per User. Click OK.
  5. In Server Manager, open the Tools menu, expand Remote Desktop Services, and click RD Licensing Diagnoser. If you don’t see this option, then install it as a Windows Feature under RSAT.
  6. The Diagnoser should find the license server and indicate the licensing mode. It’s OK if there are no licenses installed on the Remote Desktop License Server.

Antivirus

VMware Tech Zone Antivirus Considerations in a VMware Horizon Environment contains exclusions for Horizon View, App Volumes, Dynamic Environment Manager, ThinApp, etc.

Install antivirus using your normal procedure. Instructions vary for each Antivirus product.

Microsoft’s virus scanning recommendations (e.g. exclude group policy files) – http://support.microsoft.com/kb/822158.

Carbon Black

Interoperability of VMware Carbon Black and Horizon (79180)

Sophos

Sophos Endpoint Security and Control: Best Practice for running Sophos on virtual systems: we’ve amassed the following practical information about how you can optimize our software to work with this technology.

Sophos Endpoint Security and Control: Installation and configuration considerations for Sophos Anti-Virus on a Remote Desktop Services server: It may be desirable to disable the Sophos AutoUpdate shield icon

Sophos Endpoint Security and Control: How to include current version of Sophos in a disk image for cloned virtual machines: This procedure will make sure that the produced target/cloned computers:

  • Get their distinct identity with Enterprise Console, under which they can be subsequently managed.
  • Have the desired version of Sophos Anti-Virus already installed and configured on the created image.

Palo Alto Traps

  • Install Traps Agent for Windows:
    • Virtual desktop infrastructure (VDI) installation—Intended for non-persistent endpoints that replicate (also referred to as spawn) from a golden image which has Traps installed.
    • Temporary session—Intended for either physical or virtual endpoints (such as a Remote Desktop Server) that repeatedly revert to a snapshot (or image) on which Traps is not installed.

Windows Defender Antivirus

Configuring Microsoft Defender Antivirus for non-persistent VDI machines – Microsoft Blog

Deployment guide for Windows Defender Antivirus in a virtual desktop infrastructure (VDI) environment – Microsoft Docs

Onboarding and servicing non-persistent VDI machines with Microsoft Defender ATP

Cylance

CTX232722 Unable to launch application with Cylance Memory Protection Enabled. Cylance must be run in compatibility mode in order for the VDA and Cylance to run on the same machine. See the article for detailed instructions.

Install Applications

Install applications that will be executed on these machines.

VMware Tech Zone Best Practices for Delivering Microsoft Office 365 In VMware Horizon 7 with Published Applications describes how to install Office365 ProPlus Click-to-run with Shared Computer Activation.

VMware OS Optimization Tool

  1. See VMware Windows Operating System Optimization Tool Guide for details on this tool.
  2. Download the VMware OS Optimization Tool VMware fling.
  3. Run the extracted VMwareOSOptimizationTool.exe.
  4. Go to the Public Templates tab and download or update your templates.
  5. On the Optimize tab, choose a template.
  6. Then click Analyze on the bottom of the window.
  7. On the Optimize tab, review the optimizations, and make changes as desired. Then on the bottom left, click Optimize.
  8. The History tab lets you rollback the optimizations.

Seal and Snapshot

  1. Go to the properties of the C: drive, and run Disk Cleanup.
  2. On the Tools tab, click Optimize to defrag the drive.
  3. Run slmgr.vbs /dlv and make sure it is licensed with KMS and has at least one rearm remaining.
  4. Run Delprof2 to clean up local profiles. Get it from http://helgeklein.com/download/.
  5. Make sure the master session host is configured for DHCP.
  6. Session hosts commonly have DHCP reservations.

  7. Run antivirus sealing tasks. For example:
    1. Symantec: Run a full scan and then run the Virtual Image Exception tool – http://www.symantec.com/business/support/index?page=content&id=TECH173650
    2. Symantec: run the ClientSideClonePrepTool – http://www.symantec.com/business/support/index?page=content&id=HOWTO54706
  8. Base Image Script Framework (BIS-F) automates many image sealing tasks. The script is configurable using Group Policy.
  9. Shutdown the master session host.
  10. Edit the Settings of the master virtual machine, and disconnect the CD-ROM. Make sure no ISO is configured in the virtual machine.
  11. If Instant Clones, take a snapshot of the master session host.

  12. You can now use Horizon Console to create RDS Farms.

Full Clone Post-Cloning Tasks

If you use vCenter to clone the machine instead of using Horizon Instant Clones, then after the machine is cloned, do the following on the cloned machine:

  1. Static IP – Configure a static IP address (or DHCP reservation).
  2. Windows Update – Run Windows Update. SysPrep always disables Windows Update so you must run it at least once to re-enable it.
  3. Join domain – Join the machine to the domain if SysPrep didn’t do it for you.
  4. Active Directory OU – Move the Active Directory computer object to the correct OU.
  5. Horizon Agent – uninstall the Horizon Agent and reinstall it so it registers with a Horizon Connection Server.
  6. Antivirus – Re-configure antivirus. Instructions vary for each product. Go to the antivirus vendor’s website and search for a cloning procedure.
  7. Firewall rules – Add the new machine to any firewall rules (PCoIP, Blast) between the Horizon Security Server and Horizon Agents.
  8. Horizon Console – In Horizon Console, add the new machine to a Remote Desktop Services farm.

VMware Horizon 2006: Virtual Desktop Pools

Last Modified: Aug 16, 2020 @ 5:50 am

This article details Horizon pool configuration for Virtual Desktops. RDS Farms and pools are detailed in a separate article at https://www.carlstalhood.com/vmware-horizon-8-rds-farms-pools/.

This post applies to all VMware Horizon versions 2006 (aka 8.0) and newer.

Change Log

  • 2020 Aug 14 – updated entire article for Horizon 2006 (aka 8.0)

Non-Persistent – Instant Clones

All editions of Horizon 2006 include Instant Clones so there is no need to use Composer. Composer is deprecated in Horizon 2006 and will be removed in a future release.

Notes on Instant Clones:

  • The master VM snapshot is copied to every LUN containing instant clones. Composer does the same.
  • If you deploy 12+ VMs per host of the same pool, then “Parent” machines are created on each ESXi host for each datastore. These “parent” machines are powered on and consume CPU/Memory/Disk resources. If you have six hosts and three datastores containing instant clones, then Horizon creates 18 parent virtual machines. Composer does not need parent virtual machines.
    • For lower density, Horizon 2006 supports Smart Provisioning, which eliminates the need for “Parent” machines. See the Smart Provisioning YouTube video for an overview.
  • Persistent disks are not supported with Instant Clones.
    • An alternative is Microsoft FSLogix, or VMware App Volumes Writable Volumes
  • See Instant-Clone Desktop Pools at VMware Docs.
  • Also see VMware Technical White Paper VMware Horizon 7 Instant-Clone Desktops and RDSH Servers

Infrastructure Prep

  • Each desktop pool points to one vSphere cluster.
  • Ensure vSwitch has sufficient ports for the new virtual desktops.
    • Instant clones require static port binding with the elastic port allocation. Do not change the port binding to ephemeral.
  • Ensure the VLAN has enough DHCP addresses for the desktop pool.
  • KMS Licensing is required – MAK licensing is not supported
  • The virtual desktop pools will use the same hardware specs (e.g. vCPUs, memory size, network label, GPU) specified on the master virtual desktop. Adjust accordingly.
  • The master image should be in the same vSphere cluster where the instant clone virtual desktops will be created.
  • ESXi must be version 6 update 1 or newer
  • Master VM must be hardware version 11 or newer
  • In Horizon Console, add Instant Clone Domain Accounts
  • In Horizon Console, enable View Storage Accelerator on your vCenter connection.
  • If you upgrade vCenter to 6.7 or later, then you must upgrade your ESXi hosts to 6.7 or later at the same time. Afterwards, take a new snapshot of the master image and perform a push operation. See Upgrade Instant-Clone Desktop Pools When You Upgrade vCenter Server to vSphere 6.7 or Later at VMware Docs.

Disk space

  • One or more LUNs (datastores) for storage of the virtual desktops.
  • By default, Replicas are copied to each LUN that contains virtual desktops.
    • It’s possible to place the Replica and the instant clones on separate LUNs. If you use a dedicated Replica LUN, then there is only one copy of the Replica no matter how many LUNs are used for storing virtual desktops.
    • Note: NFS VAAI requires the Replica to be copied to each virtual desktop LUN.
  • .vswp files – Plan for disk space for memory swap and graphics memory overhead. If the master virtual desktop has 4 GB of RAM configured and if none of its memory is reserved then each linked clone will have a 4 GB .vswp file.
    • To reduce the size of the .vswp files, edit each virtual desktop and reserve its memory. Whatever memory is reserved will be subtracted from the .vswp file size.
  • Instant Clone Delta disks – Delta disks start small whenever the virtual desktop boots and grow until the user logs off of the virtual desktop and it reboots.

Non-Persistent, Floating, Automatic, Instant Clone Desktop Pool

Master Image Preparation

Do the following on the master image that the virtual desktops will link to:

  1. Video Memory – shut down the master, Edit Settings (hardware) in vSphere client, expand Video card, and set video memory. More video memory means more client monitors. The maximum number of displays and maximum resolution of client monitors depends on the ESXi version, the Horizon version, and the Windows version with newest versions providing the greatest number of client monitors.
  2. DHCP – Make sure the master VM is configured for DHCP.
  3. Join domain – Join the master VM to the domain.
  4. Computer Group Policy – Make sure the Master VM is in the same OU as the Instant Clones so the Master VM will get the computer-level GPO settings. Run gpupdate on the master after moving the VM to the correct OU. New Instant Clones do not immediately refresh group policy so the group policy settings must already be applied to the master VM. See VMware 2150495 Computer-based Global Policy Objects (GPOs) that require a reboot to take effect are not applied on instant clones.
  5. KMS Licensing or Active Directory-Based Activation is required.
  6. Snapshot – Shut down the master image and take a new snapshot.

Floating Pool

Use Horizon Console to create an Instant Clone pool:

  1. Login to Horizon Console.
  2. On the left, under Inventory, click Desktops.
  3. On the right, if you select an existing pool, you can click Duplicate to copy the settings to a new pool.
  4. On the right, click Add.
  5. In the Type page, select Automated desktop pool.
  6. In the vCenter Server page, select Instant Clone, select a vCenter server, and click Next.
  7. In the User Assignment page, select Floating, and click Next.
  8. In the Storage Optimization page, if you want to use storage tiering, check the box for Select separate datastores for replica and OS disk. Click Next.
  9. In the Desktop Pool Identification page, do the following:
    1. Give the pool a unique ID, which is not shown to the users. Horizon creates a vCenter VM folder with the same name as the Pool ID.
    2. Enter a Display name, which is shown to the users.
    3. If you intend to use Identity Manager (aka VMware Access), then leave Access group set to /. Otherwise, if you intend to delegate administration of this pool, then select an Access group that the delegated administrators have been assigned to.
  10. Click Next.
  11. In the Provisioning Settings page, do the following:
    1. In Virtual Machine Naming, enter a Naming Pattern. You can use {n:fixed=3} to specify the location for incremented numerals in the machine names. Make sure the naming pattern does not conflict with any existing machines. Remember, the maximum computer name length is 15 characters.
    2. In Desktop Pool Sizing, enter the maximum number of desktops to create. Ensure that the DHCP scope has enough addresses for the Max number of desktops specified here. If your desktop pool size exceeds a single VLAN, then you can create multiple pools and combine them into a Cloud Pod Global Entitlement.
    3. Select Provision all machines up-front to create all of the machines now.
    4. Or select Provision machines on demand, which tells Horizon to create the machines (up to the maximum) as users connect.
    5. If you’re not creating all machines up-front, then specify the Number of spare (powered on) machines. As users connect, Horizon creates more machines to try to keep this number of spare machines running and waiting for a new connection.
  12. Click Next.
  13. In the vCenter Settings page, most of these are self-explanatory. Click Browse next to each option, and make your selection.
  14. If the Parent VM (aka Master VM) is not showing up in the list, then check the box next to Show all parent VMs and click the … next to the VM to see the issue.
  15. Instant Clones monitors/resolution – the number of monitors configured on the Master Image (snapshot) is displayed. If not correct, delete the snapshot, edit the master VM’s Hardware Settings, expand video card, make your desired changes, and take another snapshot.
  16. Scroll down for more settings.
  17. Datastores – select one or more datastores on which the virtual desktops will be placed.
    • If you selected to put Replica on a different datastore, then you’ll have another Browse button for Replica disk datastores.
  18. When selecting Networks, you can use the Network from the parent image, or uncheck the box and select a different network.
  19. Click Next when done.
  20. In the Desktop Pool Settings page:
    1. You can select a Category Folder where the published icon will be placed on the client’s Start Menu and/or Desktop.

      1. Change the selection to Select a category folder from the folder list.
      2. You can type in a new category, or select an existing one.
      3. Then click Submit.
    2. In the Desktop Pool Settings page, Horizon Enterprise Edition lets you select a Session Type, which means you can optionally publish applications from virtual desktops.
    3. Change the selection for Logoff after disconnect to After, and specify a disconnect timer.

      • You can also use Group Policy to configure this. The GPO overrides the pool setting. Install the Horizon GPO Templates if you haven’t already. Edit a GPO that applies to the Horizon Agents. Find the Disconnect Session Time Limit (VDI) setting at VMware View Agent Configuration > Agent Configuration.
      • Horizon also has an Idle Time Until Disconnect (VDI) for virtual desktops. Note: RDSH idle timer is configured using Microsoft RDSH GPO settings, not Horizon GPO settings.
    4. You can allow users to restart their machines.
    5. If you choose Dedicated assignment instead of Floating assignment, there’s an option for Refresh OS disk after logoff. Leaving it set to Always is strongly recommended. The other options cause the delta disk to grow, and will surprise users with data loss when you later push a new image. Instant Clones floating assignment pools always refresh on logoff.
    6. Reclaim VM disk space is also an option for Dedicated assignment pools. Floating assignment pools always refresh on logoff so there’s no need to reclaim disk space.
  21. Click Next.
  22. In the Remote Display Settings page:
    1. In 3D Renderer, there’s an option for NVIDIA GRID VGPU if you have GPUs installed.
    2. There’s an Allow Session Collaboration checkbox, which adds a VMware Horizon Collaboration icon in the system tray of the remote desktop, which lets you invite users to collaborate. See Session Collaboration for details.
  23. Click Next.
  24. In the Guest Customization page:
    1. Next to AD container, click Browse, and select the OU where virtual desktop computer objects will be placed. You can type (paste) into the AD container field.
    2. Consider checking the box next to Allow reuse of pre-existing computer accounts.
  25. Click Next.
  26. In the Ready to Complete page, you may entitle users now, or leave it unchecked and do it later. Click Submit.

If you opted to add entitlements now:

  1. In the Add Entitlements window, click Add.
  2. Find a group that will have permission to log into these desktops, and click OK.
  3. Then click OK.

To check the status of the virtual desktops:

  1. Go to Inventory > Desktops.
  2. You might have to click the refresh icon on the top right to see the new pool.
  3. Click the link for the pool name.
  4. On the Summary page, if you scroll down, the vCenter Server section has a State field where you can see the status of the pool creation process. It takes several minutes to publish the master image snapshot. After the snapshot is copied to the Replica, vSphere creates a digest file for View Storage Accelerator, which takes a few more minutes.
  5. Horizon Console has a Pending Image progress bar that doesn’t update automatically. To refresh it, scroll up and click the refresh icon.

  6. You can watch the progress in vSphere Client’s Recent Tasks list. In high-density pools, Instant Clones are forked from the cp-parent machine. In low-density pools, Instant Clones are cloned from the cp-replica.


  7. Eventually the pool’s tabs named Machines and Machines (InstantClone Details) will show the new machines.
  8. iccleanup.cmd can show you (list) the structure of the Instant Clones. For higher-density pools, there is a cp-parent at the bottom of the hierarchy. For Smart Provisioning of lower-density pools, there is no cp-parent.

If you wish to automate the creation of the pool, Aresh Sarkari at Automating Desktop Pool creation using PowerCLI – VMware Horizon 7.x explains New-HVPool -spec 'C:\temp\DesktopPool\LinkedClone.json' and the contents of the JSON file.

Entitle Virtual Desktops

To make a pool accessible by a user, it must be entitled.

  1. In Horizon Console, go to Inventory > Desktops.
  2. Click the link for a pool name.
  3. Switch to the Entitlements tab to see the existing entitlements.
  4. Click Add entitlements.
  5. In the Add Entitlements window, click Add.
  6. Find a group that will have permission to log into these desktops, and click OK.
  7. Then click OK.

Add Machine to Pool

  1. In Horizon Console, on the left, expand Inventory, and click Desktops.
  2. On the right, click the link for an existing Desktop Pool.
  3. At the top, click Edit.
  4. Switch to the Provisioning Settings tab, scroll down, and change the Max number of machines. Then click OK.
  5. With Instant Clones, this won’t take very long. In high-density pools, the new machine is forked from the cp-parent. In low-density pools, the new machine is cloned from the cp-replica.

  6. If you open the pool, the tabs named Machines and Machines (InstantClone Details) show the new machines.

Update a Pool

Master Image Preparation

  1. Power on the master/parent virtual desktop.
  2. After making your changes, shut down the master virtual desktop.
  3. Right-click the virtual machine and take snapshot. You must create a new snapshot.
  4. You’ll need to periodically delete the older snapshots. Right-click the master VM, and click Manage Snapshots.
  5. Delete one or more of the snapshots.
  6. In Horizon Console, go to Inventory > Desktops.
  7. Click the link for a pool name.
  8. On the Summary tab, click Maintain, and then click Schedule.
  9. In the Image page, select the new snapshot. Notice the snapshot’s monitor/resolution settings. Click Next.
  10. In the Scheduling page, decide when to apply this new image. If you select Force users to log off, notice you can customize the logoff message in Global Settings. Click Next.
  11. In the Ready to Complete page, click Finish.
  12. The pool’s Summary tab, near the bottom, indicates that the image is being pushed.

  13. You can click the tab named Machines (InstantClone Details) to check on the status of the push task. Notice the Pending Image.
  14. The snapshot is copied to each datastore.
  15. The snapshot is attached to a Replica, powered on, then powered off. Digest is then computed.
  16. Then the Replica is attached to a parent, and the parent is powered on. This all takes a bit of time. But the existing Instant Clones remain accessible until the Replica preparation is complete.
  17. Once Replicas are prepared, each machine is rebooted once.
  18. Eventually the Pending Image field will be cleared and the desktops are available again.

Host Maintenance – Instant Clones

ESXi hosts running Instant Clones can be placed into maintenance mode without any special instructions.

Instant-Clone Maintenance Utilities at VMware Docs:

  • IcCleanup.cmd – use this utility to unprotect and delete some or all of the internal VMs created by instant clones. This is the easiest method of cleaning up Instant Clone internal machines.
  • IcUnprotect.cmd – use this utility to unprotect folders and VMs, delete VMs, and detect VMs whose master image or snapshot is deleted.
  • IcMaint.cmd – This command deletes the master images, which are the parent VMs in vCenter Server, from the ESXi host, so that the host can be put into maintenance mode. This utility generally isn’t needed. Also see VMware 2144808 Entering and exiting maintenance mode for an ESXi host that has Horizon instant clones.


VMware Horizon 2006: Master Virtual Desktop

Last Modified: Aug 14, 2020 @ 2:50 pm


Use this post to build a virtual desktop that will be used as the parent image (aka source image, aka master image, aka gold image) for additional virtual desktops. There’s a separate article for RDS Session Host.

This post applies to all VMware Horizon versions 2006 (aka 8.0) and newer.


Change Log

  • 2020 Aug 14 – updated entire article for Horizon 2006 (aka 8.0)

Virtual Hardware

Lieven D’hoore has a desktop VM build checklist at VMware Horizon View – Windows 10 Golden Image Creation

  1. The virtual desktop pools will use the same hardware specs (e.g. vCPUs, memory size, network label) specified on the master virtual desktop. Adjust accordingly.
  2. For New Hard disk, consider setting Thin provision.
  3. Make sure the virtual desktop is using a SCSI controller.
  4. The master virtual desktop should be configured with a VMXNET 3 network adapter.
  5. When building the master virtual desktop, you will probably boot from an ISO.
  6. Before using Horizon Administrator to create a pool based on this master image, ensure the CD/DVD drive points to Client Device and is not Connected. The important part is to make sure no ISO file is configured.
  7. There’s no need for the Floppy drive so remove it.
  8. If you have any Serial ports, remove them.

Windows

VMware TechZone Creating an Optimized Windows Image for a VMware Horizon Virtual Desktop

Preparation

Power Options

  1. Run Power Options. Right-click the Start Menu to access Power Options.
  2. Click Additional power settings.
  3. Select Ultimate Performance, or click the arrow to show more plans, and select High performance.
  4. Next to the power plan, click Change plan settings.
  5. Change the selection for Turn off the display to Never, and click Save changes.
  6. You can also configure these settings using group policy.

System Settings

  1. Domain Join. Use sysdm.cpl to join the machine to the domain. Also see VMware 2150495 Computer-based Global Policy Objects (GPOs) that require reboot are not applied on instant clones.
  2. In System control panel applet (sysdm.cpl), on the Remote tab, enable Remote Desktop.
  3. Activate Windows with a KMS license if not already activated. Note: only KMS is supported with Instant Clones.

Install Applications

Install applications locally if you want them to be available on all virtual desktops created based on this master virtual desktop.

Or you can use a Layering product (e.g. VMware App Volumes, Microsoft MSIX App Attach, Liquidware FlexApp) or App Streaming (e.g. ThinApp, Microsoft App-V). Note: logins are fastest if apps are installed in the master image. All app layering/streaming technologies introduce a logon delay. You can use Microsoft FSLogix App Masking to hide applications and Start Menu shortcuts that users should not see.

Antivirus

VMware Tech Zone Antivirus Considerations in a VMware Horizon Environment contains exclusions for Horizon View, App Volumes, Dynamic Environment Manager, ThinApp, etc.

Microsoft’s virus scanning recommendations (e.g. exclude group policy files) – http://support.microsoft.com/kb/822158.

Carbon Black

Interoperability of VMware Carbon Black and Horizon (79180)

Sophos

Sophos Endpoint Security and Control: Best Practice for running Sophos on virtual systems: we’ve amassed the following practical information about how you can optimize our software to work with this technology.

Sophos Endpoint Security and Control: Installation and configuration considerations for Sophos Anti-Virus on a Remote Desktop Services server: It may be desirable to disable the Sophos AutoUpdate shield icon.

Sophos Endpoint Security and Control: How to include current version of Sophos in a disk image for cloned virtual machines: This procedure will make sure that the produced target/cloned computers:

  • Get their distinct identity with Enterprise Console, under which they can be subsequently managed.
  • Have the desired version of Sophos Anti-Virus already installed and configured on the created image.

Palo Alto Traps

  • Install Traps Agent for Windows:
    • Virtual desktop infrastructure (VDI) installation—Intended for non-persistent endpoints that replicate (also referred to as spawn) from a golden image which has Traps installed.
    • Temporary session—Intended for either physical or virtual endpoints (such as a Remote Desktop Server) that repeatedly revert to a snapshot (or image) on which Traps is not installed.

Windows Defender Antivirus

Configuring Microsoft Defender Antivirus for non-persistent VDI machines – Microsoft Blog

Deployment guide for Windows Defender Antivirus in a virtual desktop infrastructure (VDI) environment – Microsoft Docs

Onboarding and servicing non-persistent VDI machines with Microsoft Defender ATP

Cylance

CTX232722 Unable to launch application with Cylance Memory Protection Enabled. Cylance must be run in compatibility mode in order for the VDA and Cylance to run on the same machine. See the article for detailed instructions.

Horizon Agent

Horizon Agent Installation/Upgrade

Install Horizon Agent on the master virtual desktop. Upgrades are performed in-place.

  1. See VMware 2149393 Supported Windows 10 Guest Operating Systems for Horizon Agent and Remote Experience, for Horizon 8 2006 and Later
  2. VMware Tools – Only install Horizon Agent after you install VMware Tools.
    1. If you need to update VMware Tools, uninstall Horizon Agent, upgrade VMware Tools, and then reinstall Horizon Agent.
    2. See VMware Product Interoperability Matrices for supported versions of VMware Tools with different versions of Horizon Agent.
    3. If you are running VMware Tools 11.x, VMware recommends running the following command (source = VMware 78434 Performance issues for Horizon 7 when using VMware VMTools 11.x):
      "C:\Program Files\VMware\VMware Tools\VMwareToolboxCmd.exe" config set appinfo disabled true
  3. Download Horizon Agent 2006.
  4. Run the downloaded VMware-Horizon-Agent-x86_64-8.0.0.exe.
  5. If you want the URL Content Redirection feature, then you must run the Agent installer with the following switches: /v URL_FILTERING_ENABLED=1
  6. In the Welcome to the Installation Wizard for VMware Horizon Agent page, click Next.
  7. In the License Agreement page, select I accept the terms, and click Next.
  8. In the Network protocol configuration page, select IPv4, and click Next.
  9. In the Custom Setup page, there are several features not enabled by default. Feel free to enable them.
    1. If you want USB Redirection, then enable that feature.
    2. If you run Skype, then enable VMware Virtualization Pack for Skype for Business. See Configure Skype for Business at VMware Docs for details.
    3. You can install Instant Clone Agent, or View Composer Agent, but not both. Since Horizon 2006 supports Instant Clones in all editions, there’s no need for Composer Agent.
    4. Horizon Agent 2006 does not include Persona.
    5. If you want Scanner Redirection, then enable that feature. Note: Scanner Redirection will impact host density.
    6. Horizon Performance Tracker adds a program to the Agent that can show the user the performance of the remote session. You can publish the Tracker.

    7. Horizon 2006 no longer includes ThinPrint (aka Virtual Printing). VMware Integrated Printing is the replacement for ThinPrint and requires Horizon Client 4.10 or newer.
    8. Horizon 2006 no longer includes vRealize Operations for Horizon.
  10. Click Next when done making selections.
  11. In the Ready to Install the Program page, click Install.
  12. In the Installer Completed page, click Finish.
  13. Click Yes when asked to restart.
  14. If you want to know what features were selected during installation, look in HKLM\Software\VMware, Inc.\Installer\Features_HorizonAgent. Or look in the installation log files as detailed at Paul Grevink View Agent, what is installed?

  15. To verify installation of the URL Content Redirection feature, check for the presence of C:\Program Files\VMware\VMware View\Agent\bin\UrlRedirection.
  16. There’s also an IE add-on.
  17. URL Content Redirection is configured using group policy.

Install/Upgrade Dynamic Environment Manager (DEM) Agent

All editions of Horizon 2006 are entitled to Dynamic Environment Management (DEM).

  • Horizon Standard Edition and Horizon Advanced Edition are entitled to DEM Standard Edition, which only has personalization features that replace Persona. If you are using FSLogix Profile Containers for profiles, then you probably don’t need DEM Standard Edition.
  • Horizon Enterprise Edition is entitled to DEM Enterprise Edition, which has all DEM features, including Smart Policies, Privilege Elevation, etc.

Windows 10 Compatibility:

  • DEM 2006 (aka 10.0) and newer support Windows 10 version 2004.

To install DEM Agent:

  1. Make sure Prevent access to registry editing tools is not enabled in any GPO since this setting prevents the FlexEngine from operating properly.
  2. Based on your entitlement, download either DEM 2006 Standard Edition, or DEM 2006 Enterprise Edition.

  3. Run the extracted VMware Dynamic Environment Manager Enterprise 10.0 x64.msi.
  4. In the Welcome to the VMware Dynamic Environment Manager Enterprise Setup Wizard page, click Next.
  5. In the End-User License Agreement page, check the box next to I accept the terms, and click Next.
  6. In the Destination Folder page, click Next.
  7. In Choose Setup Type page, click Custom.
  8. In the Custom Setup page, click Next. Note: the DEM Management Console is typically installed on an administrator’s machine.
  9. In the Choose License File page, if installing on a Horizon Agent, then no license file is needed. Click Next.
  10. In the Ready to install VMware Dynamic Environment Manager Enterprise page, click Install.
  11. In the Completed the VMware Dynamic Environment Manager Enterprise Setup Wizard page, click Finish.
  12. If you have PCoIP Zero Clients that map USB devices (e.g. USB drives), then you might have to set the following registry value. (Source = VMware 2151440 Smart card SSO fails when you use User Environment Manager with a zero client)
    • HKLM\Software\VMware, Inc.\VMware VDM\Agent\USB
      • UemFlags (DWORD) = 1
  13. DEM is enabled using Group Policy and configured using the DEM Management Console.

Logon Monitoring

By default, in services.msc, the VMware Horizon View Logon Monitor service is not running. Set it to Automatic and start it.

The logon logs are stored at C:\programdata\VMware\VMware Logon Monitor\Logs on each Horizon Agent.

Inside each session log file are logon time statistics.

Unity Touch

With the Unity Touch feature, tablet and smart phone users can quickly navigate to a Horizon View desktop application or file from a Unity Touch sidebar. Although end users can specify which favorite applications appear in the sidebar, for added convenience, administrators can configure a default list of favorite applications.

In the Unity Touch sidebar, the favorite applications and favorite files that users specify are stored in the user’s profile. For non-persistent pools, enable Roaming Profiles.

To set the default list of favorite applications:

  1. Navigate to HKLM\Software\Wow6432Node\VMware, Inc.\VMware Unity
  2. Create a string value called FavAppList.
  3. Specify the default favorite applications using format: path-to-app-1|path-to-app-2|path-to-app-3|…. For example:
Programs/Accessories/Accessibility/Speech Recognition.lnk|Programs/VMware/VMware vSphere Client.lnk|Programs/Microsoft Office/Microsoft Office 2010 Tools/Microsoft Office 2010 Language Preferences.lnk

Unity Touch can be disabled by setting HKEY_LOCAL_MACHINE\Software\VMware, Inc.\VMware Unity\enabled to 0.

For more information, see Configure Favorite Applications Displayed by Unity Touch at VMware Docs.

ClonePrep – Rearm

By default, when Horizon creates Instant Clones, one of the tasks that ClonePrep performs is to rearm licensing. You can prevent rearm by setting the following registry key:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\vmware-viewcomposer-ga
    • SkipLicenseActivation (DWORD) = 0x1

Dynamic PCoIP Policies

If you wish to change PCoIP Policies (e.g. clipboard redirection, client printers, etc.) based on how the user connects, see VMware Blog Post VMware Horizon View Secret Weapon. The article describes configuring VMware Horizon View Script Host service to run a script to change PCoIP configuration based on the Connection Server that the user connected through. Full script is included in the article.

VMware OS Optimization Tool

  1. See VMware Windows Operating System Optimization Tool Guide for details on this tool.
  2. Download the VMware OS Optimization Tool VMware fling.
  3. Run the extracted VMwareOSOptimizationTool.exe.
  4. Go to the Public Templates tab and download or update your templates.
  5. On the Optimize tab, choose a template.
  6. Then click Analyze on the bottom of the window.
  7. On the Optimize tab, review the optimizations, and make changes as desired. Then on the bottom left, click Optimize.
  8. The History tab lets you rollback the optimizations.
  9. The Finalize tab contains tasks that should be run every time you seal your master image.

Additional Optimizations

Additional Windows 10 Optimizations

Snapshot

  1. Make sure the master virtual desktop is configured for DHCP.
  2. If connected to the console, run ipconfig /release.
  3. Run antivirus sealing tasks. For example:
  4. Base Image Script Framework (BIS-F) automates many image sealing tasks. The script is configurable using Group Policy.

  5. Shut down the master virtual desktop.
  6. Edit the Settings of the master virtual machine and disconnect the CD-ROM. Make sure no ISO is configured in the virtual machine.
  7. Take a snapshot of the master virtual desktop. Instant Clones requires a snapshot.
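
The Virtual Hardware checklist and the Snapshot steps above can be checked from vCenter before a pool is built from the image. The following is an added example, not part of the original article: it assumes VMware PowerCLI is installed and Connect-VIServer has already been run, and the function names and the VM name in the usage comment are hypothetical.

```powershell
# Added example: audit a master VM against the hardware and snapshot checklist.
# Assumes an existing PowerCLI session (Connect-VIServer). Read-only: nothing is changed.

function New-CheckResult([string]$Check, [bool]$Pass, [string]$Detail) {
    [pscustomobject]@{ Check = $Check; Pass = $Pass; Detail = $Detail }
}

function Test-MasterImageVM {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$VMName)

    $vm = Get-VM -Name $VMName -ErrorAction Stop | Select-Object -First 1

    # The master must be shut down before the snapshot is taken.
    New-CheckResult 'Powered off' ($vm.PowerState -eq 'PoweredOff') "PowerState=$($vm.PowerState)"

    # CD/DVD: no ISO configured, not connected, not set to connect at power on.
    foreach ($cd in @(Get-CDDrive -VM $vm)) {
        $clean = [string]::IsNullOrEmpty($cd.IsoPath) -and
                 -not $cd.ConnectionState.Connected -and
                 -not $cd.ConnectionState.StartConnected
        New-CheckResult "CD/DVD '$($cd.Name)' has no ISO and is disconnected" $clean "IsoPath='$($cd.IsoPath)'"
    }

    # Floppy drives and serial ports should be removed.
    $floppies = @(Get-FloppyDrive -VM $vm)
    New-CheckResult 'No floppy drive' ($floppies.Count -eq 0) "Count=$($floppies.Count)"

    $serial = @($vm.ExtensionData.Config.Hardware.Device |
                Where-Object { $_ -is [VMware.Vim.VirtualSerialPort] })
    New-CheckResult 'No serial ports' ($serial.Count -eq 0) "Count=$($serial.Count)"

    # Network adapter must be VMXNET 3.
    $nics = @(Get-NetworkAdapter -VM $vm)
    $notVmxnet3 = @($nics | Where-Object { $_.Type -ne 'Vmxnet3' })
    New-CheckResult 'All network adapters are VMXNET 3' `
        ($nics.Count -gt 0 -and $notVmxnet3.Count -eq 0) ("Types=" + ($nics.Type -join ','))

    # A SCSI controller must be present.
    $scsi = @(Get-ScsiController -VM $vm)
    New-CheckResult 'Uses a SCSI controller' ($scsi.Count -gt 0) ("Types=" + ($scsi.Type -join ','))

    # Thin provisioning is a recommendation on this page, so treat a failure as advisory.
    $thick = @(Get-HardDisk -VM $vm | Where-Object { $_.StorageFormat -ne 'Thin' })
    New-CheckResult 'Disks are thin provisioned (advisory)' ($thick.Count -eq 0) "NonThin=$($thick.Count)"

    # Instant Clones require a snapshot; a long snapshot list signals pending cleanup.
    $snaps = @(Get-Snapshot -VM $vm | Sort-Object Created)
    $latest = $snaps | Select-Object -Last 1
    New-CheckResult 'Snapshot exists' ($snaps.Count -gt 0) "Count=$($snaps.Count); latest='$($latest.Name)'"
    if ($latest) {
        New-CheckResult 'Latest snapshot taken while powered off' `
            ($latest.PowerState -eq 'PoweredOff') "PowerState=$($latest.PowerState)"
    }
}

# Usage (hypothetical VM name):
#   Test-MasterImageVM -VMName 'Win10-Master' | Format-Table -AutoSize
```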


VMware Horizon 2006 Configuration

Last Modified: Aug 15, 2020 @ 5:31 am


This post applies to all VMware Horizon versions 2006 (aka 8.0) and newer.


Change Log

  • 2020 Aug 14 – updated entire article for Horizon 2006 (aka Horizon 8)

Preparation

Horizon Service Account

  1. Create an account in Active Directory that VMware Horizon will use to login to vCenter. This account can also be used by Instant Clones to create computer accounts in Active Directory.
  2. Make sure the password does not expire.
  3. Domain User is sufficient. Permissions will be delegated where needed.

vCenter Role for Horizon

This role has all permissions needed for both full clones and instant clones. See Privileges Required for the vCenter Server User With Instant Clones at VMware Docs.

See the Product Interoperability Matrix for supported vCenter versions.

Create vSphere Role:

  1. In vSphere Web Client, go to Administration.
  2. In the Roles node, click the plus icon to add a Role.
  3. If you are using vTPM, then on the left, click Cryptographic operations. On the right, enable Clone, Decrypt, Direct Access, Encrypt, and Manage KMS. Scroll down on the right to see more Cryptographic operations permissions.

    1. While still in Cryptographic operations, scroll down and enable Migrate and Register host.
  4. On the left, click Datastore. On the right, enable Allocate space, Browse datastore, and Low level file operations.
  5. On the left, click Folder. On the right, enable Create folder, and Delete folder.
  6. On the left, click Global. On the right, enable Act as vCenter Server, Disable Methods, and Enable Methods, and then scroll down on the right to see more Global permissions.

    1. While still in Global, enable Manage custom attributes, Set custom attribute, and System tag.
  7. On the left, click Host. On the right, in the Configuration section, enable Advanced Settings. Then scroll down on the right to see more Host settings.

    1. While still in Host, scroll down to the Inventory section and click Modify cluster.
  8. On the left, click Network. On the right, enable All Network Privileges.
  9. For Virtual SAN, enable Profile-driven storage and everything under it. See VMware 2094412 When attempting to deploy linked clones using VMware Virtual SAN (VSAN) you receive the error: Unable to connect to PBM sub system PB may be down
  10. On the left, click Resource. On the right, enable Assign virtual machine to resource pool, and Migrate powered off virtual machine.
  11. On the left, click Storage views. On the right, enable View.
  12. On the left, click Virtual Machine. On the right, click Change Configuration to enable all Configuration permissions. Scroll down on the right to see more Virtual machine permissions.

    1. While still in Virtual Machine, scroll down and click Edit Inventory to enable all Inventory permissions.
    2. While still in Virtual Machine, scroll down to the Interaction section, enable Connect devices, and then click See more privileges.
    3. While still in Virtual Machine, scroll down and enable Perform wipe or shrink operations, Power Off, Power On, Reset, and Suspend.
    4. While still in Virtual Machine, scroll down to the Provisioning section and enable Allow disk access, Clone template, and Clone virtual machine. Then click See more privileges.
    5. While still in Virtual Machine, scroll down and enable Customize guest, Deploy template, and Read customization specifications.
    6. While still in Virtual Machine, scroll down and click Snapshot Management to enable all Snapshot permissions.
  13. Click Next.
  14. Name it Horizon or similar. Then click Finish.

Assign role to service account:

  1. Create an account in Active Directory that Horizon will use to login to vCenter.
  2. In vSphere Web Client, in Hosts and Clusters view, browse to the vCenter object. Permissions must be assigned at the vCenter level. It won’t work at any lower level.
  3. On the right, select the tab named Permissions.
  4. Click the plus icon to add a permission.
  5. In the Add Permission dialog box, do the following:
    1. Change the User domain.
    2. Search for the service account.
    3. Change the Role to the one you created in the previous section.
    4. Check the box next to Propagate to children.
  6. Click OK.
  7. The service account is now listed on the Permissions tab.
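
Once the role exists and is assigned, it is worth confirming that it holds only what the steps above enable and that the service account holds no other role. The following is an added example, not part of the original article: it assumes an existing PowerCLI session, and the privilege IDs are this example's mapping of the UI labels above, so confirm them against Get-VIPrivilege in your vCenter. The function and variable names are hypothetical.

```powershell
# Added example: least-privilege check of the Horizon vCenter role and its assignment.
# Assumes Connect-VIServer has been run. Read-only.
# Privilege IDs are an assumed mapping of the UI labels on this page; '*' entries
# cover sections where the page enables everything in that group.
$ExpectedHorizonPrivileges = @(
    'System.*'                               # implicit in every role
    'Cryptographer.Clone', 'Cryptographer.Decrypt', 'Cryptographer.Access'
    'Cryptographer.Encrypt', 'Cryptographer.ManageKeyServers'
    'Cryptographer.Migrate', 'Cryptographer.RegisterHost'   # vTPM only
    'Datastore.AllocateSpace', 'Datastore.Browse', 'Datastore.FileManagement'
    'Folder.Create', 'Folder.Delete'
    'Global.VCServer', 'Global.DisableMethods', 'Global.EnableMethods'
    'Global.ManageCustomFields', 'Global.SetCustomField', 'Global.SystemTag'
    'Host.Config.AdvancedConfig', 'Host.Inventory.EditCluster'
    'Network.*'
    'StorageProfile.*'                       # Profile-driven storage (Virtual SAN)
    'Resource.AssignVMToPool', 'Resource.ColdMigrate'
    'StorageViews.View'
    'VirtualMachine.Config.*', 'VirtualMachine.Inventory.*', 'VirtualMachine.State.*'
    'VirtualMachine.Interact.DeviceConnection', 'VirtualMachine.Interact.SESparseMaintenance'
    'VirtualMachine.Interact.PowerOff', 'VirtualMachine.Interact.PowerOn'
    'VirtualMachine.Interact.Reset', 'VirtualMachine.Interact.Suspend'
    'VirtualMachine.Provisioning.DiskRandomAccess', 'VirtualMachine.Provisioning.CloneTemplate'
    'VirtualMachine.Provisioning.Clone', 'VirtualMachine.Provisioning.Customize'
    'VirtualMachine.Provisioning.DeployTemplate', 'VirtualMachine.Provisioning.ReadCustSpecs'
)

function Test-HorizonVCenterRole {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$RoleName,    # the role created above
        [Parameter(Mandatory)][string]$Principal    # service account as DOMAIN\name
    )

    $role = Get-VIRole -Name $RoleName -ErrorAction Stop

    # Privileges in the role that the page's steps do not account for.
    $unexpected = @($role.PrivilegeList | Where-Object {
        $priv = $_
        -not ($ExpectedHorizonPrivileges | Where-Object { $priv -like $_ })
    })

    # Exact privileges from the list that the role lacks (Cryptographer.* only matters with vTPM).
    $missing = @($ExpectedHorizonPrivileges | Where-Object {
        -not $_.EndsWith('*') -and $_ -notin $role.PrivilegeList
    })

    # The permission must sit on the vCenter root object and propagate to children.
    $root   = (Get-View ServiceInstance).Content.RootFolder
    $rootId = "$($root.Type)-$($root.Value)"
    $perms  = @(Get-VIPermission | Where-Object { $_.Principal -eq $Principal })
    $atRoot = @($perms | Where-Object { $_.EntityId -eq $rootId -and $_.Role -eq $RoleName })
    $others = @($perms | Where-Object { $_.Role -ne $RoleName })

    [pscustomobject]@{
        Role                  = $role.Name
        UnexpectedPrivileges  = $unexpected
        MissingPrivileges     = $missing
        AssignedAtVCenterRoot = ($atRoot.Count -gt 0)
        PropagatesToChildren  = [bool]($atRoot | Where-Object Propagate)
        OtherRolesHeld        = @($others | ForEach-Object { "$($_.Role) on $($_.Entity.Name)" })
    }
}

# Usage (hypothetical account name):
#   Test-HorizonVCenterRole -RoleName 'Horizon' -Principal 'CORP\svc-horizon' | Format-List
```

Any entry under UnexpectedPrivileges or OtherRolesHeld, such as the built-in Admin role, means the account can do more in vCenter than the role described here allows.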

Active Directory Delegation for Instant Clones

Horizon Instant Clones create computer objects in Active Directory. Horizon is configured with an Active Directory service account that must be granted permission to create computer objects. See Create a User Account for Instant-Clone Operations at VMware Docs.

  1. Create an OU in Active Directory where the Horizon Agent computer objects will be stored.
  2. In Active Directory Users & Computers, right-click the Horizon Agents OU, and click Delegate Control.
  3. In the Welcome to the Delegation of Control Wizard page, click Next.
  4. In the Users or Groups page, add the Active Directory service account for Instant Clones and/or Horizon Composer. Then click Next.
  5. In the Tasks to Delegate page, select Create a custom task to delegate, and click Next.
  6. In the Active Directory Object Type page, do the following:
    1. Change the radio button to select Only the following objects in the folder.
    2. Check the boxes next to Create selected objects in this folder and Delete selected objects in this folder.
  7. Click Next.
  8. In the Permissions page, check the boxes next to Read All Properties, Write All Properties, and Reset Password. Then click Next.
  9. In the Completing the Delegation of Control Wizard page, click Finish.
  10. If Advanced Features is enabled in Active Directory Users & Computers, you can review the result: open the properties of the OU, and on the Security tab, click Advanced and find your service account.
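
The same review can be scripted so that a delegation broader than the wizard choices above stands out. The following is an added example, not part of the original article: it assumes the ActiveDirectory RSAT module is available, and the function name, OU path and account name are hypothetical. The two GUIDs are the schema identifier of the Computer object class and the Reset Password extended right.

```powershell
# Added example: list the service account's ACEs on the Horizon Agents OU and flag
# anything wider than "create/delete computer objects, read/write properties,
# reset password". Read-only.
function Get-HorizonOuDelegation {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$OuDistinguishedName,  # e.g. OU=Horizon Agents,DC=corp,DC=local
        [Parameter(Mandatory)][string]$Account               # DOMAIN\name of the service account
    )

    Import-Module ActiveDirectory -ErrorAction Stop          # provides the AD: drive

    $computerClass = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'  # Computer class
    $resetPassword = [guid]'00299570-246d-11d0-a768-00aa006e0529'  # Reset Password right
    $R        = [System.DirectoryServices.ActiveDirectoryRights]
    $tooBroad = $R::GenericAll, $R::WriteDacl, $R::WriteOwner

    $aces = @((Get-Acl -Path "AD:\$OuDistinguishedName").Access | Where-Object {
        $_.IdentityReference.Value -eq $Account -and $_.AccessControlType -eq 'Allow'
    })
    if ($aces.Count -eq 0) {
        Write-Warning "No Allow ACEs for $Account on $OuDistinguishedName"
    }

    foreach ($ace in $aces) {
        $rights = $ace.ActiveDirectoryRights
        $issues = @()

        # Full control, or the ability to rewrite the ACL or take ownership.
        foreach ($flag in $tooBroad) {
            if ($rights.HasFlag($flag)) { $issues += "grants $flag" }
        }

        # Create/delete must be scoped to the Computer class, not to any child object.
        $childOps = $rights.HasFlag($R::CreateChild) -or $rights.HasFlag($R::DeleteChild)
        if ($childOps -and $ace.ObjectType -ne $computerClass) {
            $issues += 'create/delete is not limited to computer objects'
        }

        # Property writes must apply to computer objects only.
        if ($rights.HasFlag($R::WriteProperty) -and $ace.InheritedObjectType -ne $computerClass) {
            $issues += 'write access applies to more than computer objects'
        }

        # The only extended right the wizard steps grant is Reset Password.
        if ($rights.HasFlag($R::ExtendedRight) -and $ace.ObjectType -ne $resetPassword) {
            $issues += 'extended right other than Reset Password'
        }

        [pscustomobject]@{
            Rights              = $rights
            ObjectType          = $ace.ObjectType
            InheritedObjectType = $ace.InheritedObjectType
            IsInherited         = $ace.IsInherited
            Verdict             = if ($issues) { 'REVIEW: ' + ($issues -join '; ') } else { 'OK' }
        }
    }
}

# Usage (hypothetical names):
#   Get-HorizonOuDelegation -OuDistinguishedName 'OU=Horizon Agents,DC=corp,DC=local' `
#       -Account 'CORP\svc-horizon' | Format-Table -AutoSize -Wrap
```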

Events SQL Database

A new empty SQL database is needed for storage of Horizon Events.

  1. Only SQL Server authentication is supported, so make sure it’s enabled on your SQL Server > Properties > Security page.
  2. In SQL Server Management Studio, create a new database.
  3. Name it VMwareHorizonEvents or similar. Switch to the Options tab.
  4. Select your desired Recovery model, and click OK.
  5. Under Security > Logins, add a SQL login if one does not exist already. Windows authentication is not supported.
  6. Right-click a SQL login, and click Properties.
  7. On the User Mapping page, check the Map box next to the VMwareHorizonEvents database.
  8. On the bottom, add the user to the db_owner database role. Click OK when done.

Horizon Consoles

On the desktop of the Horizon Connection Server is an icon to launch Horizon Administrator Console. This console no longer needs Flash. The older Flex console has been removed from Horizon 2006. Don’t use Internet Explorer.

The URL entered in the browser must either be https://localhost, or the Secure Tunnel URL (Horizon Console > Settings > Servers > Connection Servers tab > Edit). By default the Secure Tunnel URL is the FQDN of the Connection Server. If you don’t use one of these URLs then you’ll see a Login Failed message. If you want to use a different URL than the Secure Tunnel URL (e.g. short name instead of FQDN), then configure checkOrigin=false in locked.properties file as detailed at VMware 2144768 Accessing the Horizon View Administrator page displays a blank error window in Horizon.


Licensing

To configure licensing:

  1. Open Horizon Console.
  2. Login using a Horizon administrator account.
  3. On the left, expand Settings and click Product Licensing and Usage.
  4. In the right pane, on the top left, click Edit License.
  5. In the Edit License window, enter your Horizon 8 (Horizon 2006) license serial number, and click OK. Horizon 7 license keys will not work.
  6. Licensing information is displayed:
    • License expiration is shown.
    • Instant Clones are available in all editions. See Horizon Perpetual Feature Comparison.
    • Application Remoting (published applications) requires Horizon Advanced Edition.
    • Teams Optimization requires Horizon Advanced Edition.
    • Session Collaboration requires Horizon Enterprise Edition.
    • Help Desk tool requires Horizon Enterprise Edition.
    • App Volumes requires Horizon Enterprise Edition.
    • Smart Policies (Dynamic Environment Manager) requires Horizon Enterprise Edition.
    • Rest APIs require Horizon Enterprise Edition.

Horizon Administrators

To configure Horizon Administrators:

  1. In Horizon Console, expand Settings, and click Administrators.
  2. On the right, near the top, click Add User or Group.
  3. In the Select administrators or groups page, click Add.
  4. Enter the name of a group that you want to grant Horizon Administrator permissions to, and click Find.
  5. After the group is found, check the box next to the group (or highlight the group), and then click OK.
  6. Continue adding groups, or just click Next.
    Note: This wizard only lets you select one role; so, only add groups that will have the same role assigned. You can run the wizard multiple times.
  7. In the Select a role page, select the role (e.g. Administrators or Help Desk Administrators, which grants access to the Help Desk tool). Then click Next.
  8. Select an Access Group to which the permission will be applied and then click Finish.
    • Access Groups let you designate permissions to specific pools instead of to all pools.
    • Not every role can be applied to Access Groups. E.g. Help Desk role is a global role and can’t be limited to specific pools.
    • Note: If you intend to integrate Horizon with VMware Identity Manager (aka VMware Access), then only pools in the Root Access group will sync with Identity Manager. Other Access Groups won’t work.

Help Desk Website

Horizon has a web-based Help Desk tool built into Horizon Connection Server.

  • In Horizon Console, simply enter a user name in the search box at the top of the page.
  • VMware also has an alternative Horizon Helpdesk Utility Fling

The Desktops and Applications tabs let you see what the user is entitled to. You can even export these lists.

On the Sessions tab, click a session to see more details.

On the Details tab, scroll down to find action buttons like Remote Assistance. These buttons are kind of hidden.

Keep scrolling down and you’ll see Logon Segments.

The Processes tab lets you end processes in the user’s session.

Notes on the Help Desk feature:

  • Enterprise Licensing – Help Desk tool requires Horizon Enterprise edition license, or Horizon Apps Advanced edition license. Horizon Standard Edition licenses do not include this tool. The Product Licensing page indicates if Help Desk is licensed or not.
  • Horizon has a built-in Help Desk Administrators role that enables members to use the Help Desk tool.

    • Add Help Desk users to the Administrators and Groups tab, and assign them one of the Help Desk roles.
  • 15 minutes of History – There’s only 15 minutes of collected metric data.

See Troubleshooting Users in Horizon Help Desk Tool at VMware Docs.

vCenter Connection

Horizon must connect to vCenter for several reasons:

  • Power manage the virtual machines
  • Create new virtual machines using Instant Clones
  • Update virtual machines using Instant Clones

See the Product Interoperability Matrix for supported vCenter versions.

If you are adding multiple vCenter servers to Horizon, make sure each vCenter Server has a Unique ID. In vSphere Client, go to the vCenter Server > Configure > Settings > General > Edit > Runtime Settings, and confirm that the ID is unique for each vCenter server.

To add the vCenter connection:

  1. In Horizon Console expand Settings, and click Servers.
  2. In the right pane, in the vCenter Servers tab, click Add.
  3. In the VC Information page, do the following:
    1. In the Server address field, enter the FQDN of the vCenter server.
    2. In the User Name field, enter the previously created Active Directory account (domainname\username) that Horizon will use to login to vCenter.
    3. Also enter the service account’s password.
  4. Click Next.
  5. If you see a message regarding invalid certificate, click View Certificate. Then click Accept.

  6. In the View Composer page, select Do not use View Composer. There’s no need to use Composer since all editions of Horizon 2006 include Instant Clones. Click Next.
  7. In the Storage page, do the following:
    1. Reclaim VM disk space requires IOPS during its operation. It’s only useful for the rare persistent Instant Clones use case and thus is generally unchecked.
    2. Check the box to Enable View Storage Accelerator and increase the host cache size up to 32768. Notes:
      • View Storage Accelerator is required for Instant Clones replica disks.
      • The cache size value is removed from RAM and that RAM is no longer accessible to virtual machines.
      • Higher host cache sizes should speed up Instant Clone Smart Provisioning (without parent image).
  8. Click Next.
  9. In the Ready to Complete page, click Submit.

Instant Clone Domain Accounts

If you plan to use Instant-Clone to create non-persistent virtual desktops, then add an administrator account that can join machines to the domain.

  1. In Horizon Console, on the left, expand Settings and click Instant Clone Domain Accounts.
  2. On the right, click Add.
  3. Select the domain.
  4. Enter credentials of a service account that can join machines to the domain. Click OK.

Restrict Remote Access

The Users and Groups node has a Remote Access tab. If you add groups or users to this tab, then only these groups and users can login through Unified Access Gateway (UAG).

Users not in the list can’t login through Unified Access Gateway (UAG).

Disable Secure Tunnel

By default, internal Horizon Clients connect to Horizon Agents by tunneling (proxying) Blast or PCoIP through a Horizon Connection Server. It would be more efficient if the internal Horizon Clients connect directly to the Horizon Agents instead of going through a Connection Server.

  • If the tunnels are enabled, and if you reboot the Connection Server, then user connections will drop.
  • If the tunnels are disabled, then rebooting the Connection Server will not affect existing connections.

To disable the tunnels:

  1. In Horizon Console, on the left, expand Settings, and click Servers.
  2. On the right, switch to the Connection Servers tab.
  3. Click the Connection Server to highlight it, and click Edit.
  4. On the General tab, uncheck the boxes next to HTTP(S) Secure Tunnel and the PCoIP Secure Gateway.
  5. For Blast Secure Gateway, change it to Use Blast Secure Gateway for only HTML Access connections to machine. Click OK.

Event Database and Syslog

To add the Events Database:

  1. In Horizon Console, on the left, expand Settings and click Event Configuration.
  2. On the right, under Event Database, click Edit.
  3. In the Edit Event Database dialog box, do the following:
    1. Enter the name of the SQL server.
    2. Select Microsoft SQL Server as the Database type.
    3. Enter the name of the database.
    4. Enter the SQL account credentials (no Windows authentication).
    5. Optionally, enter HE_ (or similar) for the Table prefix. This allows you to use the same Events database for multiple Horizon installations.
  4. Click OK.
  5. On the right, in the Event Settings section, you can click Edit to change the age of events shown in Horizon Console or Horizon Administrator.
  6. To add a Syslog server, look on the right side of the page.
  7. There are configuration options for logging to a file (Events to File System).
  8. You can go to Monitor > Events to view the events in the database.

Event Database SQL Index

VMware Knowledgebase article – The Event database performance in VMware Horizon View 6.x and 7.0.x is extremely slow: Symptoms:

  • The Event database performance in VMware View 6.0.x is extremely slow when browsing within View
  • High CPU usage on the SQL server, hosting the Event database
  • The larger the Event database becomes, the slower the queries run.

To resolve this issue, create an index. Run this command on your SQL Event database:

CREATE INDEX IX_eventid ON dbo.VDIevent_data (eventid)

Replace VDIevent_data with the name of the event data table that uses your Event database prefix.

Event Queries

VMware Fling – Horizon View Event Notifier: collects and sends the alerts via email (SMTP) to users that are specified during the configuration process. It allows aggregation of alerts across multiple Horizon View Pods and for near real-time alerting of Horizon View alerts that are otherwise very difficult to be notified on.

Chris Halstead – VMware Horizon View Events Database Export Utility: this utility allows administrators to easily apply very detailed filtering to the data and export it to .csv. You can filter on time range, event severity, event source, session type (Application or Desktop), Usernames and Event Types. The application allows for extremely granular export of data. The exported columns can also be customized and the application will export data from both the live and the historical tables in the View Events Database.

VMware Knowledgebase article 2089816 – Creating SQL views to retrieve the top 50 maximum number of concurrent desktop sessions over a period: This article provides steps to create database views to retrieve the maximum number of concurrent desktop sessions over a period from the event_historical table.

To retrieve the top 50 maximum number of concurrent desktop sessions over a period of time from the event_historical table, run this query:

select Count, Time from (
    select top 50 dbo.<prefix>_data_historical.IntValue as 'Count', dbo.<prefix>_historical.Time as 'Time'
    from dbo.<prefix>_historical, dbo.<prefix>_data_historical
    where dbo.<prefix>_historical.EventID = dbo.<prefix>_data_historical.EventID
    and dbo.<prefix>_data_historical.Name = 'UserCount'
    and dbo.<prefix>_historical.EventType = 'BROKER_DAILY_MAX_DESKTOP'
    order by dbo.<prefix>_historical.Time DESC
) A order by Time

Where <prefix> is the prefix for the event table. You can find the prefix that you must use by examining other view definitions, such as user_events.

Global Settings

  1. In Horizon Console, on the left, expand Settings and click Global Settings.
  2. On the right, under Global Settings, in the General Settings tab, click Edit.
  3. Set the View Administrator session timeout. 4320 minutes (72 hours) is the maximum.
  4. Forcibly disconnect users is an active session timeout. It is not an idle timeout in that it doesn’t care if the user is working or not. The default is 10 hours so consider increasing it. Note: this timer does not log the user out of Windows. Instead it merely disconnects the user and requires the user to log on to Horizon Connection Server again.
  5. Under Client-dependent settings you can set an idle timeout. This is a disconnect, not logoff.

    • In a pool’s Desktop Pool Settings, you can configure Log Off After Disconnect.
  6. Other methods of configuring an idle timeout for desktop sessions:
  7. Enable automatic status updates enables automatic updating of the table displayed in the top-left corner of Horizon Console.
  8. The Send domain list option is unchecked by default, which means users must enter a domain name instead of picking one from a list. Check this box (and uncheck Hide domain list) to restore functionality from Horizon 7.7 and earlier. See VMware Blog Post Changes in Logon for VMware Horizon.
  9. Make other changes as desired. Click OK when done.

Log On as Current User is also disabled by default. To enable this client feature:

  1. In Horizon Console, on the left, expand Settings, and click Servers.
  2. On the right, switch to the Connection Servers tab.
  3. Highlight a Connection Server and click Edit.
  4. Switch to the Authentication tab.
  5. Scroll down. Check the box next to Accept logon as current user. Click OK.

Client Version Restrictions

Horizon can restrict connections to a minimum version of Horizon Client.

  1. In Horizon Console, on the left, expand Settings, and click Global Settings.
  2. On the right, switch to the tab named Client Restriction Settings.
  3. Click Edit.
  4. For each client type, enter a minimum version number. Additional options are available if you scroll down.
  5. Block Additional Clients blocks all clients other than the ones you selected. One use case is to block HTML Access.
  6. You can customize the message that users see if their client is too old. This feature requires Horizon Client 2006 (aka 8.0) or newer.
  7. Click OK when done.
  8. The client version is enforced when you try to launch an icon.

Global Policies

By default, Multimedia Redirection is disabled. You can enable it in Global Policies.

  1. In Horizon Console, go to Settings > Global Policies.
  2. On the right, click Edit Policies.
  3. Set Multimedia redirection (MMR) to Allow, and click OK. Note that Multimedia redirection is not encrypted.

Backups

Connection Server LDAP Backup can be configured in Horizon Console.

  1. In Horizon Console, on the left, expand Settings and click Servers.
  2. On the right, switch to the Connection Servers tab.
  3. Select a Horizon Connection Server, and click Backup Now. Backups can be found in C:\ProgramData\VMware\VDM\backups.
  4. To change automatic backup settings, Edit the Horizon Connection Server, and switch to the Backup tab.
  5. You can schedule automatic backups. See VMware 1008046 Performing an end-to-end backup and restore for VMware View Manager.

Tips

VMware Blog Post Top 10 Tips for a Successful Horizon VDI

VMware Horizon Connection Server 2006

Last Modified: Aug 14, 2020 @ 2:31 pm

This post applies to all VMware Horizon versions 2006 (aka 8.0) and newer.

Upgrade

If you are performing a new install, skip to Install Horizon Connection Server.

Notes regarding upgrades:

  • Horizon 7 license key does not work in Horizon 2006 (aka Horizon 8). You’ll need to upgrade your license key.
  • Upgrade all Connection Servers during the same maintenance window.
    • Horizon Agents cannot be upgraded until the Connection Servers are upgraded.
    • Horizon 2006 does not support Security Servers. The replacement is Unified Access Gateway.
    • Composer is deprecated in Horizon 2006. All editions of Horizon 2006 support Instant Clones. See Modernizing VDI for a New Horizon at VMware Tech Zone for migration instructions.
    • Downgrades are not permitted.
      • You can snapshot your Connection Servers before beginning the upgrade. To revert, shut down all Connection Servers, then revert to snapshots.
    • For Cloud Pod Architecture, you don’t have to upgrade every pod at once. But upgrade all of them as soon as possible.
    • All Connection Servers in the pod must be online before starting the upgrade.
    • It’s an in-place upgrade. Just run the Connection Server installer and click Next a couple times.
    • Once the first Connection Server is upgraded, Horizon 2006 lets you upgrade the remaining Connection Servers concurrently.
  • Upgrade the Horizon Group Policy template (.admx) files.
  • Upgrade the Horizon Agents.
    • Persona is no longer supported. Persistent Disks are deprecated. The replacement is VMware Dynamic Environment Manager or Microsoft FSLogix. See Modernizing VDI for a New Horizon at VMware Tech Zone for migration instructions.
    • It’s an in-place upgrade.
    • There’s no hurry. Upgrade the Horizon Agents when time permits.
  • Upgrade the Horizon Clients.
    • Horizon Clients can be upgraded anytime before the rest of the infrastructure is upgraded.

Install Horizon Connection Server

The first Horizon Connection Server must be a Standard Server. Subsequent Horizon Connection Servers are Replicas. Once Horizon Connection Server is installed, there is no difference between Standard and Replica.

A production Horizon Connection Server should have 10 GB of RAM and 4 vCPU. Each Horizon Connection Server can handle 4,000 user connections.

Horizon 2006 is the latest release. In August 2020, VMware switched to a YYMM versioning format.

To install the first Horizon Connection Server:

  1. Ensure the Horizon Connection Server has 10 GB of RAM and 4 vCPU. Source = Hardware Requirements for Horizon Connection Server at VMware Docs.
  2. Horizon 2006 supports Windows Server 2012 R2, Windows Server 2016, and Windows Server 2019. See 78652 Supported Operating Systems and MSFT Active Directory Domain Functional Levels for VMware Horizon 8 2006.
  3. Horizon 2006 no longer needs Flash.
  4. Download Horizon 2006 Horizon Connection Server.
  5. If Horizon Toolbox is installed, uninstall it.
  6. Run the downloaded VMware-Horizon-Connection-Server-x86_64-8.0.0.exe.
  7. In the Welcome to the Installation Wizard for VMware Horizon Connection Server page, click Next.
  8. In the License Agreement page, select I accept the terms, and click Next.
  9. In the Destination Folder page, click Next.
  10. In the Installation Options page, select Horizon Standard Server, and click Next.

    • In Horizon 2006, it is no longer possible to disable HTML Access for specific pools.
  11. In the Data Recovery page, enter a password, and click Next.
  12. In the Firewall Configuration page, click Next.
  13. In the Initial Horizon Administrators page, enter an AD group containing your Horizon administrators, and click Next.
  14. In the User Experience Improvement Program page, uncheck the box, and click Next.
  15. In the Ready to Install the Program page, click Install.
  16. In the Installer Completed page, uncheck the box next to Show the readme file, and click Finish.

Install Horizon Connection Server Replica

Additional Horizon Connection Servers are installed as Replicas. After installation, there is no difference between a Replica server and a Standard server.

A production Horizon Connection Server should have 10 GB of RAM and 4 vCPU.

To install Horizon Connection Server Replica:

  1. Ensure the Horizon Connection Server has 10 GB of RAM and 4 vCPU. Source = Hardware Requirements for Horizon Connection Server at VMware Docs.
  2. Horizon 2006 supports Windows Server 2012 R2, Windows Server 2016, and Windows Server 2019. See 78652 Supported Operating Systems and MSFT Active Directory Domain Functional Levels for VMware Horizon 8 2006.
  3. Horizon 2006 no longer needs Flash.
  4. Download Horizon 2006 Horizon Connection Server.
  5. If Horizon Toolbox is installed, uninstall it.
  6. Run the downloaded VMware-Horizon-Connection-Server-x86_64-8.0.0.exe.
  7. In the Welcome to the Installation Wizard for VMware Horizon Connection Server page, click Next.
  8. In the License Agreement page, select I accept the terms, and click Next.
  9. In the Destination Folder page, click Next.
  10. In the Installation Options page, select Horizon Replica Server, and click Next.
  11. In the Source Server page, enter the name of another Horizon Connection Server in the pod. Then click Next.
  12. In the Firewall Configuration page, click Next.
  13. In the Ready to Install the Program page, click Install.
  14. In the Installer Completed page, click Finish.
  15. Load balance your multiple Horizon Connection Servers.
  16. Horizon Console > Settings > Servers > Connection Servers tab shows multiple servers in the pod.

Horizon Connection Server Certificate

  1. Run certlm.msc. Or run mmc, add the Certificates snap-in, and point it to Computer > Local Machine.
  2. Request a new certificate with a common name that matches the FQDN of the Connection Server, or import a wildcard certificate.
  3. Note: the private key must be exportable. If using the Computer template, click Details, and then click Properties.
  4. On the Private Key tab, click Key options to expand it, and check the box next to Mark private key as exportable.
  5. In the list of certificates, look for the one that is self-signed. The Issuer will be the local computer name instead of a Certificate Authority. Right-click it, and click Properties.
  6. On the General tab, clear the Friendly name field, and click OK.
  7. Right-click your Certificate Authority-signed certificate, and try to export it.
  8. On the Export Private Key page, make sure Yes, export the private key is selectable. If the option to export the private key is grayed out, then this certificate will not work. Click Cancel.
  9. Right-click your Certificate Authority-signed certificate, and click Properties.
  10. On the General tab, in the Friendly name field, enter the text vdm, and click OK. Note: only one certificate can have vdm as the Friendly name.
  11. Then restart the VMware Horizon View Connection Server service. It will take several minutes before you can connect to Horizon Administrator Console.
  12. Horizon Console > Monitor > Dashboard > System Health > View > Components > Connection Servers should show the TLS Certificate as Valid.
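
The conditions this procedure sets up (exactly one certificate with the Friendly name vdm, CA-signed, exportable private key, name matching the FQDN) can be checked read-only before restarting the service. The PowerShell below is an added example, not part of the original article or of VMware's tooling; the function names are hypothetical, and it assumes an elevated session on the Connection Server with .NET Framework 4.6 or later.

```powershell
# Added example: read-only check of the certificate Horizon will pick up (Friendly name "vdm").
# Function names are hypothetical. Run elevated on the Connection Server.

function New-Check {
    param($Name, $Pass, $Detail)
    [pscustomobject]@{ Check = $Name; Pass = $Pass; Detail = $Detail }
}

function Test-PrivateKeyExportable {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    # Returns $true/$false, or $null when the key is not RSA or cannot be opened.
    try {
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Certificate)
    } catch {
        return $null
    }
    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        # CNG key: the export policy is a flags enum.
        return $rsa.Key.ExportPolicy.HasFlag([System.Security.Cryptography.CngExportPolicies]::AllowExport)
    }
    if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        # Legacy CSP key.
        return $rsa.CspKeyContainerInfo.Exportable
    }
    return $null
}

function Test-NameMatch {
    param([string]$Fqdn, [string[]]$CertNames)
    $dot = $Fqdn.IndexOf('.')
    foreach ($name in $CertNames) {
        if ($name -eq $Fqdn) { return $true }
        # A wildcard covers exactly one left-most label:
        # *.corp.example matches cs1.corp.example but not a.b.corp.example.
        if ($name.StartsWith('*.') -and $dot -gt 0 -and $name.Substring(1) -eq $Fqdn.Substring($dot)) {
            return $true
        }
    }
    return $false
}

function Test-VdmCertificate {
    param(
        # Pass -Fqdn explicitly if the name users connect to differs from the server's own name.
        [string]$Fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName,
        $Certificates = (Get-ChildItem -Path Cert:\LocalMachine\My)
    )

    # Steps 5-6 and 10: only one certificate may carry the Friendly name vdm.
    $vdm = @($Certificates | Where-Object { $_.FriendlyName -eq 'vdm' })
    New-Check 'Exactly one certificate has Friendly name vdm' ($vdm.Count -eq 1) "found $($vdm.Count)"
    if ($vdm.Count -ne 1) { return }
    $cert = $vdm[0]

    # Step 5: the self-signed certificate has the local computer as its Issuer.
    New-Check 'Issued by a Certificate Authority (not self-signed)' ($cert.Subject -ne $cert.Issuer) "Issuer: $($cert.Issuer)"

    # Steps 3-4 and 8: the private key must exist and be exportable.
    New-Check 'Private key present' $cert.HasPrivateKey "Thumbprint: $($cert.Thumbprint)"
    $exportable = if ($cert.HasPrivateKey) { Test-PrivateKeyExportable -Certificate $cert } else { $false }
    $detail = if ($null -eq $exportable) { 'could not be determined for this key type' } else { '' }
    New-Check 'Private key marked exportable' $exportable $detail

    $now = Get-Date
    New-Check 'Within validity period' ($now -ge $cert.NotBefore -and $now -le $cert.NotAfter) "NotAfter: $($cert.NotAfter)"

    # Step 2: common name (or a wildcard) must match the Connection Server FQDN.
    # DnsNameList is populated by the PowerShell certificate provider.
    $names = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
    New-Check "Certificate name matches $Fqdn" (Test-NameMatch -Fqdn $Fqdn -CertNames $names) ($names -join ', ')
}

Test-VdmCertificate | Format-Table -AutoSize -Wrap
```

Any row with Pass set to False points back to the step noted in the comment above that check.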

Horizon Portal – Client Installation Link

If you point your browser to the Horizon Connection Server (without /admin in the path), the Install VMware Horizon Client link redirects to the VMware.com site for downloading of Horizon Clients. You can change it so that the Horizon Clients can be downloaded directly from the Horizon Connection Server.

  1. On the Horizon Connection Server, go to C:\Program Files\VMware\VMware View\Server\broker\webapps.
  2. Create a new folder called downloads.
  3. Copy the downloaded Horizon Client 2006 for Windows to the new C:\Program Files\VMware\VMware View\Server\broker\webapps\downloads folder.
  4. Run Notepad as administrator.
  5. In Notepad, open the file C:\ProgramData\VMware\VDM\portal\portal-links-html-access.properties.
  6. Go back to the downloads folder and copy the Horizon Client filename.
  7. In Notepad, modify link.win32 and link.win64 by specifying the relative path to the Horizon Client executable under /downloads. Note: In Horizon Client 4.3 and newer, there’s only one Horizon client for both 32-bit and 64-bit. The following example shows a link for the Horizon win64 client.
    link.win64=/downloads/VMware-Horizon-Client-2006-8.0.0-16531419.exe
  8. Then Save the file.
  9. Restart the VMware Horizon View Web Component service, or restart the entire Connection Server.
  10. It will take a few seconds for the ws_TomcatService process to start so be patient. If you get a 503 error, then the service is not done starting.
  11. Now when you click the link to download the client, it will grab the file directly from the Horizon Connection Server.
  12. Repeat these steps on each Connection Server.

Portal Branding

Chris Tucker at Horizon View 7.X – Branding the Logon page details how to brand the Horizon portal page.

LDAP Edits

Mobile Client – Save Password

If desired, you can configure Horizon Connection Server to allow mobile clients (iOS, Android) to save user passwords.

  1. On the Horizon Connection Server, run ADSI Edit (adsiedit.msc).
  2. Right-click ADSI Edit, and click Connect to.
  3. Change the first selection to Select or type a Distinguished Name, and enter dc=vdi,dc=vmware,dc=int.
  4. Change the second selection to Select or type a domain or server, and enter localhost. Click OK.
  5. Navigate to Properties > Global. On the right, double-click CN=Common.
  6. Scroll down, click to highlight pae-ClientCredentialCacheTimeout, and click Edit.
  7. Enter a value in minutes. 0 = no saving of credentials. -1 = no timeout. Click OK.

Biometric Authentication – iOS Touch ID, iOS Face ID, Fingerprints, Windows Hello

Biometric authentication, including Touch ID, Face ID, Fingerprints, and Windows Hello, is disabled by default. To enable: (source = Configure Biometric Authentication at VMware Docs)

  1. On the Horizon Connection Server, run ADSI Edit (adsiedit.msc).
  2. Right-click ADSI Edit and click Connect to…
  3. Change the first selection to Select or type a Distinguished Name and enter dc=vdi,dc=vmware,dc=int.
  4. Change the second selection to Select or type a domain or server and enter localhost. Click OK.
  5. Navigate to Properties > Global. On the right, double-click CN=Common.
  6. Find the attribute pae-ClientConfig and double-click it.
  7. Enter the line BioMetricsTimeout=-1, and click Add. Click OK. The change takes effect immediately.

Disallow Non-empty Pool Deletion

Configure Horizon to Disallow the Deletion of a Desktop Pool That Contains Desktop Machines at VMware Docs.

  1. On the Horizon Connection Server, run ADSI Edit.
  2. Right-click ADSI Edit and click Connect to…
  3. Change the first selection to Select or type a Distinguished Name and enter dc=vdi,dc=vmware,dc=int.
  4. Change the second selection to Select or type a domain or server and enter localhost. Click OK.
  5. Navigate to Properties > Global. On the right, double-click CN=Common.
  6. Find the attribute pae-NameValuePair, and double-click it.
  7. Enter the line cs-disableNonEmptyPoolDelete=1, and click Add. Click OK. The change takes effect immediately.
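
The three LDAP edits above (saved passwords, biometric authentication, pool deletion) all land on CN=Common, so their current state can be reviewed in one read-only pass. The PowerShell below is an added example, not part of the original article; the function names are hypothetical, the DN is assumed from the ADSI Edit path given on this page (Properties > Global > CN=Common), and the sample values are constructed.

```powershell
# Added example: read-only audit of the CN=Common attributes edited in the procedures above.
# Function names are hypothetical; the DN is assumed from the ADSI Edit navigation path.
$CommonDn = 'CN=Common,OU=Global,OU=Properties,DC=vdi,DC=vmware,DC=int'

function Get-HorizonCommonSettings {
    param([string]$Server = 'localhost')
    # Binds with the current user's credentials, as ADSI Edit does.
    $entry = [ADSI]"LDAP://$Server/$CommonDn"
    [pscustomobject]@{
        CredentialCacheTimeout = $entry.Properties['pae-ClientCredentialCacheTimeout'].Value
        ClientConfig           = @($entry.Properties['pae-ClientConfig'])    # multi-valued: name=value lines
        NameValuePair          = @($entry.Properties['pae-NameValuePair'])   # multi-valued: name=value lines
    }
}

function Get-NamedValue {
    # Finds "Name=value" in a multi-valued attribute; returns $null if absent.
    param([string[]]$Lines, [string]$Name)
    foreach ($line in $Lines) {
        $key, $value = $line -split '=', 2
        if ($key.Trim() -eq $Name -and $null -ne $value) { return $value.Trim() }
    }
    return $null
}

function Get-HorizonSettingFindings {
    param($Settings)

    # Mobile Client - Save Password: minutes; 0 = no saving, -1 = no timeout.
    $timeout = $Settings.CredentialCacheTimeout
    $meaning = if ($null -eq $timeout) { 'attribute not set' }
               elseif ([int]$timeout -eq 0)  { 'mobile clients cannot save passwords' }
               elseif ([int]$timeout -eq -1) { 'mobile clients can save passwords with no timeout' }
               else { "mobile clients can save passwords for $timeout minutes" }
    [pscustomobject]@{ Setting = 'pae-ClientCredentialCacheTimeout'; Value = $timeout; Meaning = $meaning }

    # Biometric authentication: disabled by default, enabled with BioMetricsTimeout=-1.
    $bio = Get-NamedValue -Lines $Settings.ClientConfig -Name 'BioMetricsTimeout'
    $meaning = if ($null -eq $bio) { 'not set; biometric authentication stays at its disabled default' }
               elseif ($bio -eq '-1') { 'biometric authentication enabled' }
               else { 'value other than the -1 this article documents; review it' }
    [pscustomobject]@{ Setting = 'pae-ClientConfig: BioMetricsTimeout'; Value = $bio; Meaning = $meaning }

    # Disallow Non-empty Pool Deletion: cs-disableNonEmptyPoolDelete=1.
    $guard = Get-NamedValue -Lines $Settings.NameValuePair -Name 'cs-disableNonEmptyPoolDelete'
    $meaning = if ($guard -eq '1') { 'pools that still contain desktop machines cannot be deleted' }
               else { 'not set to 1; a pool that contains desktop machines can be deleted' }
    [pscustomobject]@{ Setting = 'pae-NameValuePair: cs-disableNonEmptyPoolDelete'; Value = $guard; Meaning = $meaning }
}

# Constructed sample values, so the report logic can be run away from a Connection Server.
$sample = [pscustomobject]@{
    CredentialCacheTimeout = -1
    ClientConfig           = @('BioMetricsTimeout=-1')
    NameValuePair          = @('example-other-setting=0')   # constructed placeholder entry
}
Get-HorizonSettingFindings -Settings $sample | Format-Table -AutoSize -Wrap

# On a Connection Server, audit the live values instead:
# Get-HorizonSettingFindings -Settings (Get-HorizonCommonSettings) | Format-Table -AutoSize -Wrap
```

Run it on each pod and compare the output against what your security policy allows for stored credentials on mobile devices.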

Load Balancing

See Carl Stalhood’s Horizon Load Balancing using Citrix ADC 12.1.

Remote Desktop Licensing

If you plan to build RDS Hosts, then install Remote Desktop Licensing somewhere. You can install it on your Horizon Connection Servers by following the procedure at https://www.carlstalhood.com/delivery-controller-1912-ltsr-and-licensing/#rdlicensing.

Antivirus

VMware Tech Zone Antivirus Considerations in a VMware Horizon Environment: exclusions for Horizon View, App Volumes, User Environment Manager, ThinApp

Help Desk Tool Timing Profiler

Run the following command to enable the timing profiler on each Connection Server instance to view logon segments in Help Desk tool.

vdmadmin -I -timingProfiler -enable

VMware vRealize Operations for Horizon 6.7.0

Last Modified: Feb 28, 2020 @ 8:20 am

Planning

vRealize Operations for Horizon is composed of several components:

  • vRealize Operations Manager appliance – this is the same vROps appliance deployed for monitoring of vSphere infrastructures, and hence it can monitor the vSphere clusters that are hosting the Horizon Agents.
  • Horizon Adapter for vRealize Operations – this is a .pak file installed on a vROps appliance. The Horizon Adapter receives data from one or more Broker Agents.
    • Broker Agent is installed on top of a Horizon Connection Server in each Horizon pod. The Broker Agent collects information from Horizon Connection Servers (e.g. events database), and feeds the data to the Horizon Adapter running on a vRealize Operations Manager appliance. The Broker Agent can also collect data from Unified Access Gateway, and App Volumes.
  • vROps Dashboards, Reports, and Alerts for Horizon – these display the information collected by the Horizon Adapter. Installation of the Horizon Adapter .pak file automatically imports the Dashboards, Reports, and Alerts.

The Horizon Adapter and Broker Agent should be the same version.

The vROps Horizon monitoring solution components have different versions:

vRealize Operations Manager 6.6 and newer has a new HTML5 user interface that looks quite different from vRealize Operations Manager 6.5 and older, thus necessitating a new post. See the post vRealize Operations for Horizon 6.4 for the older vROps user interface, and older Horizon Adapters.

vRealize Operations for Horizon comes with two licenses:

  • vRealize Operations Manager Enterprise license – enables vSphere monitoring for Horizon workloads. The license does not entitle vSphere monitoring of non-Horizon workloads.
  • vRealize Operations for Horizon Adapter license – enables the Horizon Adapter to collect data from the Horizon Broker Agent for a specific number of Horizon Agent machines. The Horizon 7 Enterprise License can also be used to license the Adapter.

VMware Blog Post Introducing the vRealize Operations Sizing Tool and https://vropssizer.vmware.com/sizing-wizard/choose-installation.

VMware 2093783 vRealize Operations Manager Sizing Guidelines:

Links to descriptions of new features in vRealize Operations Manager 6.6 and newer:

If you have Log Insight, there’s also a Content Pack for Horizon View. See VMware Blog Post Horizon View Content pack for vRealize Log Insight

Deploy New vROps Appliance

If you are upgrading an existing vROps appliance, skip ahead to the Patch/Upgrade Appliance section.

For new installations of vROps, download the following:

  1. See VMware’s Product Interoperability Matrix to determine which combinations of vROPs and Horizon Adapter are compatible with your version of Horizon. Also see the 6.7.1 Adapter Release Notes.
    • 6.7.1 Adapter supports VMware Horizon 7.7 or later
    • 6.7.1 Adapter requires vRealize Operations Manager 8.0 or later
    • 6.7.1 Adapter supports VMware App Volumes 2.14.8 to 2.18
    • 6.7.1 Adapter supports VMware Unified Access Gateway 3.6 and later
  2. For vRealize Operations Manager for Horizon 6.7.1, download vRealize Operations Manager 8.0 from the vRealize Operations Manager for Horizon 6.7.0 download page.
  3. For vRealize Operations Manager for Horizon 6.6.0, download vRealize Operations Manager 7.5 – Appliance installation.
  4. For vROps 7.0, go to the VMware vRealize Operations Manager 7.0.0 download page and download the security patch. It’s the top entry named vRealize Operations Manager – Virtual Appliance Security Patch and dated 2018-12-18.

To deploy a new vROps appliance:

  1. In vSphere Web Client, navigate to a Cluster, right-click it, and click Deploy OVF Template.
  2. In the Select an OVF template page, select Local file, browse to the vRealize Operations Manager .ova file, and click Next.



  3. In the Select a name and folder page, give the VM a name, and click Next.
  4. In the Select a compute resource page, select a cluster, and click Next.
  5. In the Review details page, click Next.


  6. In the License Agreements page, check the box next to I accept all license agreements, and then click Next.
  7. In the Configuration page, select a size, and then click Next.
  8. In the Select Storage page, select Thin Provision, select a datastore, and then click Next.
  9. In the Select networks page, select a port group, and click Next.
  10. In the Customize template page:
    1. Select a time zone.
    2. Enter the IP address information for the appliance.

  11. Then click Next.
  12. In the Ready to Complete page, click Finish.


Create vROps Cluster

If you are upgrading an existing vROps appliance, skip ahead to the Patch/Upgrade Appliance section.

  1. Power on the new vROps virtual appliance.
  2. Wait for the appliance to start.

  3. Use a browser to go to https://IPAddress/admin. If you see a Service unavailable message, wait a couple minutes and try again.
  4. On the bottom of the page, click New Installation.
  5. In the Getting Started page, click Next.

  6. In the Set Administrator Password page, enter a password based on the listed requirements. Click Next.

  7. In the Choose Certificate page, you can upload a PEM certificate.

    1. The Certificate file must have .pem extension. It will not accept any other extension.
    2. Make sure the certificate file has both the certificate and keyfile combined into a single file.
    3. If there are intermediate Certificate Authorities, add them to the PEM file. CA certificates go below the server certificate.
  8. Click Next when done.
  9. In the Deployment Settings page:
    1. Enter a name for the master node.
    2. Enter an NTP Server Address, and click Add.
  10. Then click Next.

  11. In vRealize Operations Manager 8.0 and newer, you can optionally select an Availability Mode. Click Next.
  12. In the Add Nodes page, you can optionally add Remote Collector nodes. Click Next when done.

  13. In the Ready to Complete page, click Finish.

Start Cluster

  1. From the https://IPAddress/admin page, click the button labelled Start vRealize Operations Manager.

  2. Click Yes. This will take several minutes.

  3. Log into the appliance using the admin account.
  4. On the Welcome page, click Next.
  5. In the Accept EULA page, check the box next to I accept the terms, and click Next.
  6. In the Enter Product License Key page, enter the vRealize Operations Manager for Horizon license key, click Validate License Key, and click Next. Note: there is a separate license for the Horizon Adapter that will be entered later.
  7. In the Customer Experience Improvement Program page, make a choice, and click Next.
  8. In the Ready to Complete page, click Finish.

Patch/Upgrade vROps Appliance

Download Patch

To patch a vROps appliance, download the latest patch from the vROps download page.

The vROps security patch for vROps Manager 6.7 or vROps Manager 7.0 is required for Horizon Adapter 6.6.0. There is no security patch for vROps 7.5.

  1. Go to the VMware vRealize Operations Manager 7.0.0 download page or VMware vRealize Operations Manager 6.7.0 download page.
  2. Download the security patch. It’s the top entry named vRealize Operations Manager – Virtual Appliance Security Patch and dated 2018-12-18. You’ll install this after vROps is upgraded.

Download Version Upgrade

If you are upgrading vROps from an older version, download the following:

  1. Go to the VMware vRealize Operations 8.0 download page, VMware vRealize Operations Manager 7.5 download page, VMware vRealize Operations Manager 7.0.0 download page, or VMware vRealize Operations Manager 6.7.0 download page.
  2. Download the Upgrade Assessment Tool.


  3. For vRealize Operations Manager 7.5 and older, download the Virtual Application Operating System upgrade. You’ll install this patch first. vRealize Operations Manager 8.0 no longer has a separate download for Operating System upgrade.

  4. Download the Virtual Appliance upgrade. You’ll install this after you upgrade the operating system.


  5. For vROps 7.0, download the security patch. It’s the top entry named vRealize Operations Manager – Virtual Appliance Security Patch and dated 2018-12-18. You’ll install this patch after vROps is upgraded.

Install Patch or Upgrade vROps

Do the following to upgrade the vROps appliance or install a patch. You might have to perform this procedure several times to complete the upgrade. Also see Brandon Lee Upgrade to VMware vRealize Operations Manager 7.5.

  1. Use a browser to go to https://vROpsIP/admin, and log in as admin.
  2. On the left, switch to the Software Update page.
  3. On the right, click Install a Software Update.
  4. Click Browse and browse to an upgrade or Security Patch .pak file downloaded from vmware.com.
  5. If you are upgrading from an older version of vROps, then you must install several .pak files in a specific order:
    1. Start with the Upgrade Assessment Tool, which is the file named APUAT.


    2. For vRealize Operations Manager 7.5 and older, upgrade the operating system, which is the file with VA-OS in the name. This step is not needed in vRealize Operations Manager 8.0 and newer.

    3. Then upgrade the vROps virtual appliance by installing the .pak file with VA in the name but without OS in the name.


    4. Finally, for vROps 7.0, install the security patch.
  6. If you are not upgrading the vROps version, and you are running vROps Manager 6.7 or 7.0, then simply install the Security Patch.

  7. Click Upload. Uploading and staging will take a bit of time.
  8. Click Next.
  9. In the End User License Agreement page, check the box next to I accept the terms, and click Next.
  10. In the Update Information page, click Next.
  11. In the Install Software Update page, click Install.
  12. The installation will take a while.
  13. If you installed the Upgrade Assessment Tool:
    1. On the left, click Support.
    2. On the right, switch to the tab named Support Bundles.
    3. Click the Download button for the bundle.
    4. Extract the downloaded .zip file.
    5. Go to apuat-data\report and double-click index.html.
    6. For more info, see VMware 57283 Using the Upgrade Assessment Tool for vRealize Operations Manager 7.5.
  14. Some upgrades or patches require a reboot.
  15. After rebooting and logging in again, the Software Update page shows that the update has been completed.


  16. vROps 7.0 and newer might warn you to set Password Recovery Settings on the Administrator Settings page.
  17. Click Install a Software Update again to install more .pak files as described earlier in this section.
  18. After upgrading vROps, install the security patch.

Configure vSphere Adapter

vRealize Operations Manager 8.0 and newer

  1. Log in to the appliance at https://vROps_IP/ui. This is the ui path instead of the admin path.
  2. After logging in, at the top, click Administration.
  3. On the left, expand Solutions and click Cloud Accounts.
  4. On the right, click Add Account.
  5. In the Account Types page, click vCenter.
  6. Give the Cloud Account a name.
  7. In the Connect Information section, enter the address of the vCenter Server.
  8. Next to the Credential field, click the plus icon.
  9. Enter vCenter credentials and click OK.
  10. Click Test Connection.
  11. Click Accept to accept the certificate.
  12. Click OK when prompted that Test connection successful.
  13. Next to the Action Credentials field, click the plus icon.
  14. Enter vCenter credentials, and then click OK.
  15. You can optionally click Define Monitoring Goals.
  16. At the top of the page is a tab named vSAN where you can provide alternate vSAN credentials.
  17. The tab named Service Discovery requires the latest version of VMware Tools (e.g. 11.0.1).
  18. Click Add when done.

vRealize Operations Manager 7.5 and older

  1. Log in to the appliance at https://vROps_IP/ui. This is the ui path instead of the admin path.
  2. Go to Administration > Solutions.
  3. Highlight the VMware vSphere Solution.
  4. On the bottom half of the window, highlight the vCenter Adapter, and then click the Configure icon on the toolbar.
  5. In the Display Name field, enter a name for the vCenter adapter.
  6. In the vCenter Server field, enter the address of the vCenter server.
  7. Click the green plus icon to add a Credential.
  8. In the Manage Credential window:
    1. Give the credential a name.
    2. Enter credentials for the vCenter server.
    3. Click OK.
  9. Back in the Manage Solution window, click the Test Connection link.

    1. In the Review and Accept Certificate window, click Accept to accept the certificate.
    2. In the Info window, click OK to acknowledge that the test was successful.
  10. Back in the Manage Solution window, on the bottom right, click Save Settings.

    1. In the Info window, click OK to acknowledge that the adapter instance was successfully saved.
  11. Click Close to close the Manage Solution window.
  12. Note: it takes four weeks for vRealize Operations Manager to determine dynamic thresholds.

Active Directory Authentication

  1. In the vRealize Operations Manager console, in the top of the page, click Administration.
  2. On the left, expand Access, and click Authentication Sources.
  3. On the right, click the green plus icon.
  4. In the Source Display Name field, enter a display name. This name will appear on the logon page as shown below.
  5. From the Source Type drop-down, select Active Directory.
  6. In the Domain/Subdomain field, enter the DNS name of your Active Directory domain.
  7. Enter credentials of an LDAP bind service account.
  8. Check the box next to Use SSL/TLS.
  9. On the bottom of the window, click Test.

    1. In the Review and Accept Certificate window, check the box next to Accept this certificate, and click OK.
    2. In the Info window, click OK to acknowledge that the test was successful.
  10. Click OK to close the Add Source for User and Group Import window.
  11. On the left, click Access > Access Control.
  12. On the right, switch to the User Groups tab.
  13. In the toolbar, click the Import Group icon.
  14. In the Import User Groups page, ensure your Active Directory source is selected, enter your Horizon Administrators group name, click Search, and then select the group. Click Next.
  15. On the Roles and Objects page, from the Select Role drop-down, select Administrator.
  16. Check the box next to Assign this role to the group.
  17. Check the box next to Allow access to all objects in the system. Click Finish.
  18. Click Yes when warned about access to all Objects in the system.
  19. On the top right, click the person icon, and click Log Out.
  20. Change the drop-down to the Active Directory source, and log in as an Active Directory account.

Session Timeout

  1. The vRealize Operations web page defaults to 30 minutes timeout. To change it, go to Administration > Management > Global Settings.
  2. In the row labelled Session Timeout, click the pencil icon.
  3. The maximum value for Session Timeout is 34560. Click Save.

Alerting

  1. In vRealize Operations console, go to Administration > Outbound Settings.
  2. On the right, click the green plus icon.
  3. From the Plugin Type drop-down, select Standard Email Plugin.
  4. Give the Instance a name.
  5. Enter the SMTP information.
  6. On the bottom, click Test.

    1. In the Test Connection window, click OK to acknowledge that the test was successful.
  7. Then click Save to close the Add/Edit Outbound Instance window.
  8. You can then go to Alerts > Alert Settings > Notification Settings, and create notifications.
  9. Give the notification rule a name.
  10. For Method, select the Standard Email Plugin, and the outbound instance you created earlier.
  11. Enter Recipients.
  12. Select Triggers and Criticality. Click Save.

Install Horizon Adapter PAK File on vROps

Download the vROps for Horizon components for both new installs and upgrades:

  1. From the vRealize Operations for Horizon 6.7.1 download page, or from the vRealize Operations for Horizon 6.6.0 download page, download the vRealize Operations for Horizon Adapter.

  2. On the same page, also download the vRealize Operations for Horizon Broker Agent 64-Bit.

To install or upgrade the Horizon Adapter:

  1. Log in to the vRealize Operations appliance web page (/ui path).
  2. Go to Administration > Solutions > Repository.

  3. On the right, scroll down, and then click Add/Upgrade or click Add a Management Pack.

  4. In the Select Solution page, click Browse.
  5. Browse to the Horizon Adapter .pak file and select it.

  6. Back in the Add Solution wizard, click Upload.

  7. After upload is complete, click Next.

  8. In the End User License Agreement page, check the box next to I accept the terms, and click Next.
  9. The Install page appears and installation begins automatically.
  10. After it’s done installing, in the Install page, click Finish.
  11. If you have NVIDIA GPUs, also install the NVIDIA Virtual GPU Management Pack for vRealize Operations.

Horizon Adapter Licensing

  1. In the vRealize Operations web page, go to Administration > Management > Licensing.
  2. On the right, click the green plus icon.
  3. In the Select product or solution drop-down, select VMware Horizon.
  4. Enter the vROps for Horizon license key, and click Validate. Note: you enter the Adapter key (or Horizon 7 Enterprise key), not the vRealize Operations Manager key.
  5. Click Save to close the Add License window.
  6. You might have to add objects to the License Groups as detailed at Associate Horizon Objects with Your vRealize Operations for Horizon License Key at VMware Docs.

Configure Horizon Adapter

Here are some guidelines regarding the Horizon Adapter:

  • You can only have one Horizon adapter per vRealize Operations appliance.
  • Each adapter can handle up to 10,000 virtual desktops.
  • Multiple Horizon pods can point to a single Adapter.

vRealize Operations Manager 8.0 and newer

Do the following to create and configure a Horizon Adapter:

  1. At the top of the page, click the tab named Administration.
  2. On the left, expand Solutions, and click Other Accounts.
  3. On the right, click the button labelled Add Account.
  4. In the Account Types page, click the button named Horizon Adapter.
  5. Give the Account a Name.
  6. Give the Adapter ID a name.
  7. Next to the Credential field, click the plus icon.
  8. Enter a Credential name.
  9. Enter a new secret key. You’ll enter this key later when installing the Broker Agent.
  10. Click OK.
  11. Click Test Connection.
  12. Click OK when prompted that the test connection was successful.
  13. At the bottom of the page, click Add.

vRealize Operations Manager 7.5 and older

Do the following to create and configure a Horizon Adapter:

  1. In vRealize Operations Manager, go back to Administration > Solutions > Configuration.
  2. On the right, in the top half, highlight the VMware Horizon solution.
  3. On the bottom right, highlight the Horizon Adapter and click the Configure icon.
  4. On the top part, highlight the Horizon Adapter.
  5. On the bottom, give the adapter a Display Name, and an Adapter ID.
  6. Click the green plus icon to add a credential.

    1. Give the credential a name.
    2. Enter a new password (shared key), and click OK to close the Manage Credential window. You’ll use this password later when configuring the Broker Agent.
  7. Back in the Manage Solution window, click Test Connection.

    1. In the Info window, click OK to acknowledge that the test was successful.
  8. On the bottom right, click Save Settings.

    1. In the Info window, click OK.
  9. Then click Close to close the Manage Solution window.

Enable SSH

For vROps 7.0 and newer:

  1. Point your browser to the /admin path at the vROps address.
  2. In the System Status page, in the row containing a node, on the far right is a slider to enable SSH.


  3. SSH to the appliance and log in as admin.
  4. When you su to the root account, the initial root password is blank (not defined) and you’ll be prompted to enter a new root password.

For vROps Manager 6.7 or older, see VMware Knowledgebase article – Enabling SSH access in vRealize Operations Manager 6.0.x (2100515):

  1. Connect to the vRealize Operations Manager virtual machine console.
  2. Press Alt+F1, and log in as root.
    Note: By default there is no root password configured. Just press <Enter>, and you’ll be prompted to enter a root password.
  3. Start the SSH service by running the command:
    service sshd start
  4. To configure SSH to start automatically run this command:
    chkconfig sshd on

Install Horizon Broker Agent

Only install the Broker Agent on one Horizon Connection Server in each pod.

  1. Log in to one Horizon Connection Server in your Horizon pod.
  2. Run the downloaded VMware-v4vbrokeragent-x86_64-6.7.1-15585151 or VMware-v4vbrokeragent-x86_64-6.6.0.exe.

  3. In the Welcome to the VMware vRealize Operations for Horizon Broker Agent Setup Wizard page, click Next.

  4. In the End-User License Agreement page, check the box next to I accept the terms in the License Agreement, and click Next.
  5. In the Ready to install the Broker Agent page, click Install.
  6. In the Completed the VMware vRealize Operations for Horizon Broker Agent Setup Wizard page, click Finish.

Configure Horizon Broker Agent

  1. The Configuration tool will appear immediately after installation. Or launch vRealize Operations for Horizon Broker Agent Settings from the Start Menu.
  2. In the Pair Adapter page, enter the IP address of the vRealize Operations appliance, enter 3091 for the port, enter the adapter password (configured earlier), and click Pair.
  3. After broker pairing is successful, click Next. If this doesn’t work, make sure the firewall ports are opened on the vRealize Operations appliance.
  4. In the Connection Server page, enter credentials for Horizon View, and click Test.
  5. Then click Next.
  6. In the Event DB and Desktop Pool page, enter the SQL credentials to access the Events database, and click Test.
  7. Then click Next.
  8. In the Configure App Volumes page, enter the App Volumes info, and click Test. Click the plus icon to add it to the list. Then click Next.
  9. In the Monitor Unified Access Gateway page, enter an appliance name, enter the UAG IP, enter 9443 as the port, enter the admin credentials, and click Test.
  10. Click the plus icon to add the Unified Access Gateway appliance to the list. Then click Next.
  11. In the Intervals and Timeouts page, click Next.
  12. In the Logging page, click Next.
  13. In the Broker Agent Service page, click Start. Then click Next.
  14. In the Ready to Complete page, click Finish.
  15. In the vRealize Operations web console (/ui), from the Dashboards page, you can view the Horizon Adapter Self Health dashboard to verify that the adapter and broker agent are functional.

Use vROps for Horizon

Cameron Fore at Location analysis using vROPs for Horizon explains how to create Custom Groups per branch location and report (super metric) average latency for each location.

Cameron Fore at How to leverage Historic User Reporting in vROPs for Horizon 6.5 provides a dashboard to show Horizon User History.

Detailed Change Log

Last Modified: Sep 24, 2020 @ 11:12 am

This post lists all minor and major changes made to carlstalhood.com since June 2019.

VMware Horizon 7 – Cloud Pod Architecture

Last Modified: Mar 19, 2020 @ 7:14 am

This article applies to all VMware Horizon versions 7.0 and newer.

Planning

Cloud Pod Architecture lets you publish a single icon that load balances connections across multiple pools in multiple pods in multiple sites (datacenters).

  • Global Entitlements – Entitlements are the same thing as published icons. When you create an entitlement (local or global), you are publishing an icon from a pool.
    • For local entitlement, the icon is only published from one pool.
    • For global entitlement, the icon can be published from multiple pools. The pools can be in one pod or from multiple pods.
    • Don’t configure both global and local entitlements for the same pool.
    • A single pool can only belong to one global entitlement.
    • For applications, only one application per global entitlement.
  • Pod Federation – Global entitlements can’t be created until a Pod Federation is created. This federation could be one pod or multiple pods.
    • The pods can be separated into sites. Each site can contain multiple pods.
  • Global Load Balancing – Use NetScaler GSLB or F5 GTM to connect Horizon Clients to a globally available Horizon Connection Server. The connected Horizon Connection Server then uses Global Entitlements to select a site/pod/pool.
    • When a user launches a Global Entitlement, the Connection Server selects a pod based on the Global Entitlement Scoping, which can be All Sites, Within site, or Within Pod. This is from the perspective of the Connection Server the user is currently connected to. Horizon will prefer the local pod if possible.
    • Users or groups can be assigned to Home Sites. Global Entitlements can be configured to prefer Home Sites over the normal site/pod selection criteria.
  • Dedicated Assignment – For Dedicated Assignment pools, global entitlement only helps with the initial connection. Once the user is assigned to a desktop, that desktop is always selected. Users are not automatically provided with a desktop from another site if the site containing their dedicated desktop has gone down; the desktop request fails because the dedicated desktop isn’t available. The administrator could configure a separate Global Entitlement that provides these users with a floating desktop until the original site recovers. That floating entitlement should be arranged to deliver desktops from other sites as required.
  • Firewall Ports – The Horizon Connection Servers participating in Cloud Pod Architecture communicate with each other over TCP 135, TCP 22389, TCP 22636, and TCP 8472. Make sure these ports are open. More info at Ray Heffer VMware Horizon 7.4 Network Ports for Cloud Pod Architecture.
  • RBAC – View Administrator includes a new administrator privilege: Manage Global Sessions. The regular Administrators role has access to multiple pods. The new Local Administrators role can only manage the local pod.
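
The Firewall Ports bullet above can be checked before joining pods with the following PowerShell, run on a Connection Server in one pod against the Connection Servers in the others. It is an added example, not part of the original article or of VMware's tooling; the function names and all host names are hypothetical. The same helper covers the Broker Agent pairing port 3091 from the vRealize Operations section earlier on this page.

```powershell
function Test-TcpPort {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][int]$Port,
        [int]$TimeoutMs = 3000
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        # Wait() returns $false on timeout and throws when the connection is
        # refused or the name does not resolve.
        return ($client.ConnectAsync($ComputerName, $Port).Wait($TimeoutMs) -and $client.Connected)
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Test-CpaConnectivity {
    param(
        [Parameter(Mandatory)][string[]]$PeerConnectionServer,
        # Inter-pod TCP ports listed in the Firewall Ports bullet of this article.
        [int[]]$Port = @(135, 22389, 22636, 8472)
    )
    foreach ($peer in $PeerConnectionServer) {
        foreach ($p in $Port) {
            [pscustomobject]@{
                Source    = $env:COMPUTERNAME
                Peer      = $peer
                Port      = $p
                Reachable = Test-TcpPort -ComputerName $peer -Port $p
            }
        }
    }
}

# Hypothetical Connection Server names in the other pods; replace with your own.
$peers = 'hcs01.site-b.example.internal', 'hcs02.site-b.example.internal'
$results = @(Test-CpaConnectivity -PeerConnectionServer $peers)
$results | Format-Table -AutoSize

$blocked = @($results | Where-Object { -not $_.Reachable })
if ($blocked.Count -gt 0) {
    $targets = ($blocked | ForEach-Object { "$($_.Peer):$($_.Port)" }) -join ', '
    Write-Warning ("{0} of {1} checks failed; review firewall rules for: {2}" -f $blocked.Count, $results.Count, $targets)
}

# Broker Agent pairing: from the Connection Server to the vRealize Operations
# appliance on port 3091 (hypothetical appliance name).
Test-TcpPort -ComputerName 'vrops01.example.internal' -Port 3091
```

A port reports as unreachable both when a firewall blocks it and when nothing is listening on it yet, so run the check in each direction and after Cloud Pod Architecture has been initialized on the peer.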

Cloud Pod Limits in Horizon 7.11 and newer:

  • Max users = 250,000
  • Max Pods = 50
  • Max Sessions per Pod = 12,000
  • Max Sites = 15
  • Max Connection Servers per Pod = 7
  • Max Horizon Connection Server Instances = 350

Cloud Pod Limits in Horizon 7.8 and newer:

  • Max users = 250,000
  • Max Pods = 50
  • Max Sessions per Pod = 10,000
  • Max Sites = 15
  • Max Connection Servers per Pod = 7
  • Max Horizon Connection Server Instances = 350

Cloud Pod Limits in Horizon 7.6:

  • Max users = 200,000
  • Max Pods = 25
  • Max Sessions per Pod = 10,000
  • Max Sites = 10
  • Max Connection Servers per Pod = 7
  • Max Horizon Connection Server Instances = 175

Traffic flow (Rob Beekmans – VMware Horizon View Cloud Pod – unwanted routing?):

  • Use F5 GTM or NetScaler GSLB to connect users to a Horizon Connection Server in any pod. If active/active, use proximity load balancing to control which pod is initially accessed.
  • The Horizon Connection Server looks up the Global Entitlements to determine the destination pod for the Pool.
  • User’s PCoIP session goes through the initially connected Horizon Connection Server and across the DCI (Datacenter Interconnect) circuit to the remote pod. There’s no way to re-route Blast/PCoIP through a Horizon Connection Server in the remote pod. In fact, the Horizon Connection Servers in the remote pod are never accessed. You need sufficient DCI bandwidth to handle this Blast/PCoIP traffic.

For more information on multi-datacenter design for Horizon 7, see VMware Horizon 7 Enterprise Edition Multi-Site Reference Architecture, which is an 88-page document that includes the following:

  • Identity Manager
  • App Volumes
  • Horizon 7 Cloud Pod Architecture
  • User Environment Manager
  • SQL AlwaysOn Availability Groups
  • Networking
  • Storage (e.g. vSAN)
  • Active Directory
  • Distributed File System
  • Global Load Balancing

Initialize First Pod

As of Horizon 7.8, Cloud Pod can be configured in Horizon Console (https://myConnectionServer/newadmin).

  1. In Horizon Console, expand Settings and click Cloud Pod Architecture. Or in View Administrator, on the left, expand View Configuration, and click Cloud Pod Architecture.

  2. On the right, click Initialize the Cloud Pod Architecture feature.
  3. Click OK to initialize.

  4. A status page is displayed.

  5. If prompted, click OK to reload the client.

    • Then on the left, expand View Configuration, and click Cloud Pod Architecture.
  6. On the right, feel free to rename the federation by clicking the Edit button.

    1. Enter a new name.

  7. On the left, expand Settings (or View Configuration), and click Sites.

  8. On the right, in the top half, highlight the first site, and then click the Edit button to rename the Default First Site to be more descriptive.

    1. Enter a Site name.

  9. Click the Site to highlight it to reveal the Pods on the bottom half of the window.
  10. Highlight the pod and click Edit to make the name more descriptive.

    1. Enter a Pod name.

  11. See VMware 2080522 Restoring View Connection Server instances in a Cloud Pod Architecture pod federation.

Additional Pods – Join Federation

  1. Connect to View Administrator or Horizon Console in the second pod.
  2. On the left, expand Settings (or View Configuration), and click Cloud Pod Architecture.
  3. On the right, click Join the pod federation.

  4. Enter the name of an existing Horizon Connection Server that is already joined to the federation.
  5. Enter credentials, and click OK.

  6. The Join status is displayed.
  7. If prompted, click OK to reload the client.
  8. On the left, expand Settings (or View Configuration), and click Sites.

  9. If this pod is in a different site, then in the top half of the window click Add to create a new site.

  10. Give the site a name, and click OK.

  11. Highlight the first site.
  12. On the bottom, highlight the new pod, and click Edit.

  13. Rename the pod and put it in the 2nd site. Click OK.

  14. In Horizon 7.7 and newer, the top of Horizon Administrator shows you which Pod you are administering. You might have to refresh the page to see the correct Pod name after it was renamed.

Global Entitlements

Pools and Entitlements are two different things. You can create a pool without entitling anybody to the pool.

Local Entitlements and Global Entitlements are two different things. Global Entitlements are created separately, and then you assign pools from multiple pods to the Global Entitlement.

Do not create both Global Entitlements and Local Entitlements for the same pool; otherwise, users might see two icons. Create the local pool, but don’t entitle it. Instead, create a Global Entitlement and add the local pool to it.

  1. In Horizon Console (or View Administrator), on the left, expand Inventory (or Catalog), and click Global Entitlements.

  2. On the right, click Add.

  3. In the Type page, select Desktop Entitlement or Application Entitlement, and click Next.

  4. In the Name and Policies page, give the entitlement (icon) a name. For Application Entitlements, it’s one entitlement per application so include the application name.
  5. Horizon 7.2 and newer lets you configure tag restrictions (Connection Server restrictions) from this wizard.
  6. Horizon 7.3 and newer lets you select a Category Folder where the published icon will be placed on the client’s Start Menu. This feature requires Horizon Client 4.6 and newer.
  7. Horizon 7.5 and newer lets you put the published icon on the endpoint’s desktop too. See Create Shortcuts for a Desktop Pool at VMware Docs.

    1. Configure Category Folder.

  8. Scroll down to the Policies section and configure the following:
    1. The Use home site checkbox tells the global entitlement to respect user home sites.
    2. Change the Default display protocol to VMware Blast.

    3. In newer versions of Horizon, you can allow users to reset/restart their machines.
    4. Check the box next to HTML Access.
    5. Horizon 7.2 adds a Pre-launch checkbox. If you need the Pre-launch feature, then enable the Pre-launch checkbox on at least one application, and entitle the application to the users that need the Pre-launch feature.
    6. Horizon 7.3 adds a checkbox named Client Restrictions. When this is enabled, you can add Client Computer Accounts to an AD Group and entitle the published icon to that computer AD group. The published icon can then only be accessed from the client computers in the AD group.

      Notes:

      • Windows clients only. If this feature is enabled, then all non-Windows clients are blocked.
      • Horizon Client 4.6 and newer. All other versions are blocked.
      • In Horizon 7.8 and newer, the Active Directory security group can contain client computers that belong to any AD Organizational Units (OUs) or default Computer container. For older versions of Horizon, the computers must be in the Computer container.
      • See Implementing Client Restrictions for Desktop and Application Pools at VMware Docs.
    7. Horizon 7.7 and newer have a selection for Multi-Session Mode. Pre-launch must be disabled to enable this setting.
    8. Make other selections.
  9. Click Next when done.
  10. In the Users and Groups page, add users that can see the icon associated with the Global Entitlement. Click Next.

  11. In the Ready to Complete page, click Finish.

  12. Double-click the new global entitlement or click the link for the name of the Global Entitlement.

  13. Switch to the Local Pools tab.
  14. On the Local Pools tab, click Add.

  15. Select the local pools you want to add and click Add. Remember, only add one app per Global Entitlement. Also, you can only add pools from the local pod. To add pools from a different pod, you must point your Horizon Administrator or Horizon Console to the other pod and edit the Global Entitlement from there.

  16. Go to another pod and view the Global Entitlements.
  17. On the right, double-click the Global Entitlement or click the hyperlink for the name of the Global Entitlement.

  18. On the Local Pools tab, click Add to add pools from this pod.

  19. Horizon Console 7.11 and newer can configure backup global entitlements. A backup global entitlement delivers remote desktops or published applications when the primary global entitlement fails to start a session because of problems such as insufficient pool capacity or unavailable pods.
    1. Create a Backup Global Entitlement containing the backup pools. You don’t have to assign anybody to the Backup Global Entitlement.
    2. Edit the production Global Entitlement.
    3. Under Backup Global Entitlement, click Browse.
    4. Change the selection to Backup Global Entitlement, select the Backup Global Entitlement and click Submit.
  20. Horizon Console 7.11 and newer at Inventory > Desktops can show if a Local Pool is a member of a Global Entitlement.

Monitoring

  1. Once Global Entitlements are enabled, a new Search Sessions node is added, which allows you to search for sessions across federated pods. The Search Sessions node is available in Horizon Console 7.9.

  2. The Dashboard in Horizon Administrator shows the health of remote pods. The Dashboard has not yet been added to Horizon Console.

Home Sites

The Home Sites feature causes Global Entitlements to prefer pools in the user’s Home Site before looking for pools in remote sites.

Horizon 7 lets you configure Home Sites for users from within Horizon Administrator. Horizon 7.8 lets you configure Home Sites for users from within Horizon Console.

  1. Configure your Cloud Pod Architecture with multiple Sites and at least one Pod per Site.
  2. In Horizon Console or Horizon Administrator, on the left, click Users and Groups.

  3. On the right, switch to the Home Site tab (or Home Site Assignment tab).
  4. Click Add.

  5. Find a user or group for this home site, and click Next.

  6. Select the site to assign the users to and click Finish.

  7. Home Sites can be assigned to both users and groups. User assignments override group assignments.

  8. Edit your Global Entitlement and ensure that Use Home Site is checked. You can optionally require that each user has a Home Site.
  9. Each Global Entitlement can have its own Home Site configuration that overrides the global Home Site configuration.
    • In Horizon Console, click the hyperlink for the Global Entitlement’s name, switch to the tab named Home Site Override, and then click Add.

    • In Horizon Administrator, double-click a Global Entitlement, switch to the Home Site Override tab, and click Add.
  10. Since you could have a combination of default Home Site for user, default Home Site for group, and Global Entitlement-specific Home Sites, it’s helpful to know which Home Site is effective for each user and Entitlement.
    • In Horizon Console, in the Users and Groups node, switch to the Home Site Resolution tab. Find a user, and it will show you the Home Site Resolution.
    • In Horizon Administrator, on the Users and Groups page, on the Home Site tab, if you switch to the Resolution sub-tab, you can find a user name, click Look Up and see which Home Site is assigned to the user for each entitlement.

Related Pages