VMware Horizon 7.13.3 Configuration

Last Modified: Mar 22, 2023 @ 5:46 am

Navigation

This post applies to all VMware Horizon 7 versions including 7.13.3.

💡 = Recently Updated

Change Log

Preparation

Horizon Service Account

  1. Create an account in Active Directory that Horizon View will use to login to vCenter. This account can also be used by Composer and Instant Clones to create computer accounts in Active Directory.
  2. Make sure the password does not expire.
  3. Domain User is sufficient. Permissions will be delegated where needed.

vCenter Role for View Composer

This role has all permissions needed for both full clones and linked clones. See Privileges Required for the vCenter Server User and View Composer and Instant Clone Privileges Required for the vCenter Server User at VMware Docs.

See the Product Interoperability Matrix for supported vCenter versions.

Create vSphere Role:

  1. In vSphere Web Client, go to Administration.
  2. In the Roles node, click the plus icon to add a Role.
  3. If you are using vTPM, then on the left, click Cryptographic operations. On the right, enable Clone, Decrypt, Direct Access, Encrypt, and Manage KMS. Scroll down on the right to see more Cryptographic operations permissions.

    1. While still in Cryptographic operations, scroll down and enable Migrate and Register host.
  4. On the left, click Datastore. On the right, enable Allocate space, Browse datastore, and Low level file operations.
  5. On the left, click Folder. On the right, enable Create folder, and Delete folder.
  6. On the left, click Global. On the right, enable Act as vCenter Server, Disable Methods, and Enable Methods, and then scroll down on the right to see more Global permissions.

    1. While still in Global, enable, Manage custom attributes, Set custom attribute, and System tag.
  7. On the left, click Host. On the right, in the Configuration section, enable Advanced Settings. Then scroll down on the right to see more Host settings.

    1. While still in Host, scroll down to the Inventory section and click Modify cluster.
  8. On the left, click Network. On the right, enable All Network Privileges.
  9. For Virtual SAN, enable Profile-driven storage and everything under it. VMware 2094412 When attempting to deploy linked clones using VMware Virtual SAN (VSAN) you receive the error: Unable to connect to PBM sub system PB may be down
  10. On the left, click Resource. On the right, enable Assign virtual machine to resource pool, and Migrate powered off virtual machine.
  11. On the left, click Storage views. On the right, enable View.
  12. On the left, click Virtual Machine. On the right, click Change Configuration to enable all Configuration permissions. Scroll down on the right to see more Virtual machine permissions.

    1. While still in Virtual Machine, scroll down and click Edit Inventory to enable all Inventory permissions.
    2. While still in Virtual Machine, scroll down to the Interaction section, enable Connect devices, and then click See more privileges.
    3. While still in Virtual Machine, scroll down and enable Perform wipe or shrink operations,  Power Off, Power On, Reset, and Suspend.
    4. While still in Virtual Machine, scroll down to the Provisioning section and enable Allow disk access, Clone template, and Clone virtual machine. Then click See more privileges.
    5. While still in Virtual Machine, scroll down and enable Customize guest, Deploy template, and Read customization specifications.
    6. While still in Virtual Machine, scroll down and click Snapshot Management to enable all Snapshot permissions.
  13. Click Next.
  14. Name it Horizon or similar. Then click Finish

Assign role to service account:

  1. Create an account in Active Directory that Horizon View will use to login to vCenter.
  2. In vSphere Web Client, in Hosts and Clusters view, browse to the vCenter object. Permissions must be assigned at the vCenter level. It won’t work at any lower level.
  3. On the right, select the tab named Permissions.
  4. Click the plus icon to add a permission.
  5. In the Add Permission dialog box, do the following:
    1. Change the User domain.
    2. Search for the service account.
    3. Change the Role to the one you created in the previous section.
    4. Check the box next to Propagate to children.
  6. Click OK.
  7. The service account is now listed on the Permissions tab.
  8. From VMware Docs Configure a vCenter Server User for Horizon 7 and View Composer: If you install Horizon Composer on the same machine as Windows vCenter Server, you must make the Horizon service account a local system administrator on the Windows vCenter Server machine.
    • If you install Horizon Composer on a different machine than Windows vCenter Server, you do not have to make the Horizon service account a local administrator on the Windows vCenter Server machine. However, the Horizon service account must be a local administrator on the Horizon Composer standalone machine.
  9. On the Horizon Composer server, right-click the Start button, and click Computer Management.
  10. Go to System Tools > Local Users and Groups > Groups. Double-click Administrators. Add the Horizon service account, and click OK.

Active Directory Delegation for Instant Clones and Composer

Horizon Composer and Instant Clones create computer objects in Active Directory. Horizon is configured with an Active Directory service account that must be granted permission to create computer objects. See Create a User Account for Instant-Clone Operations at VMware Docs.

  1. Create an OU in Active Directory where the Horizon Agent computer objects will be stored.
  2. In Active Directory Users & Computers, right-click the Horizon Agents OU, and click Delegate Control.
  3. In the Welcome to the Delegation of Control Wizard page, click Next.
  4. In the Users or Groups page, add the Active Directory service account for Instant Clones and/or Horizon Composer. Then click Next.
  5. In the Tasks to Delegate page, select Create a custom task to delegate, and click Next.
  6. In the Active Directory Object Type page, do the following:
    1. Change the radio button to select Only the following objects in the folder.
    2. Check the boxes next to Create select objects in this folder and Delete selected objects in this folder.
  7. Click Next.
  8. In the Permissions page, check the boxes next to Read All PropertiesWrite All Properties, and Reset Password. Then Next.
  9. In the Completing the Delegation of Control Wizard page, click Finish.
  10. If you are viewing Advanced Features in Active Directory Users & Computers, if you view the properties of the OU, on the Security tab, click Advanced, find your service account, you should see permissions similar to the following.

Events SQL Database

A new empty SQL database is needed for storage of View Events.

  1. Only SQL Server authentication is supported, so make sure it’s enabled on your SQL Server > Properties > Security page.
  2. In SQL Server Management Studio, create a new database.
  3. Name it VMwareHorizonEvents or similar. Switch to the Options tab.
  4. Select your desired Recovery model, and click OK.
  5. Under Security > Logins, add a SQL login if one does not exist already. Windows authentication is not supported.
  6. Right-click a SQL login, and click Properties.
  7. On the User Mapping page, check the Map box next to the VMwareHorizonEvents database.
  8. On the bottom, add the user to the db_owner database role. Click OK when done.

Horizon Consoles

On the desktop of the Horizon Connection Server is an icon to launch Horizon 7 Administrator Console.

Horizon 7.5 and newer have two administrator consoles:

  • Horizon Console (HTML5)
  • Horizon Administrator (Flex) – Flash-based

In Horizon versions 7.5 through 7.10, Horizon Console was not yet feature complete so most administrators continue to use the Flash-based Horizon Administrator. In these versions, you can access Horizon Console by navigating to https://viewConnectionServer/newadmin (add /newadmin to the end of your Connection Server FQDN). Or click the Horizon Console link at the top right of the Horizon Administrator console.

In Horizon 7.10 and newer, Horizon Console is feature complete and is now the primary administrator interface. The Flash-based Horizon Administrator is now deprecated.

In Horizon 7.11 and later:

  • When you connect to Horizon Administrator (/admin at the end of the Connection Server URL), you are prompted to choose between Horizon Console and Horizon Administrator. In prior versions of Horizon, going to /admin always opens the Flash-based administrator console.
  • If you navigate to /newadmin, it will redirect you to /admin where you can choose between the two consoles.
  • You can go directly to the Flash-based administrator console by navigating to /flexadmin.

Horizon Console 7.11 and newer’s Dashboard can show you the CPU/Memory of the Connection Servers:

  1. On the top left, expand Monitor and click Dashboard.
  2. On the right, in the top-left block named System Health, click VIEW.
  3. With Components selected on the left, the first tab on the right is Connection Servers. It shows you a list of Connection Servers in the pod and each server’s CPU and Memory Consumption.

Licensing

As of Horizon 7.9, Horizon Licensing can be configured in either the new HTML5-based Horizon Console or the classic Flash-based Horizon Administrator.

  1. Open Horizon Console or Horizon Administrator.
  2. Login using a Horizon administrator account.

  3. In Horizon Console on the left, expand Settings and click Product Licensing and Usage.

    1. Or in Horizon Administrator, on the left, under View Configuration, click Product Licensing and Usage.
  4. In the right pane, on the top left, click Edit License.

  5. In the Edit License window, enter your license serial number, and click OK.
  6. Licensing information is displayed:
    • License expiration is shown.
    • Application Remoting (published applications) requires Horizon Advanced Edition.
    • Skype Optimization requires Horizon Advanced Edition.
    • In Horizon 7.13, Instant Clones are available in all editions of Horizon. Prior to 7.13, Instant Clones requires Horizon Enterprise Edition.
    • Session Collaboration requires Horizon Enterprise Edition.
    • Help Desk tool requires Horizon Enterprise Edition.

Horizon Administrators

To configure Horizon Administrators:

  1. In Horizon Console 7.8 or newer, on the left, expand Settings, and click Administrators.

    • Or in Horizon Administrator, on the left, expand View Configuration, and click Administrators.
  2. On the right, near the top, click Add User or Group.

  3. In the Select administrators or groups page, click Add.

  4. Enter the name of a group that you want to grant Horizon Administrator permissions to, and click Find.
  5. After the group is found, check the box next to the group (or highlight the group), and then click OK.

  6. Continue adding groups, or just click Next.
    Note: This wizard only lets you select one role; so, only add groups that will have the same role assigned. You can run the wizard multiple times.
  7. In the Select a role page, select the role (e.g. Administrators). Newer versions of Horizon include a built-in Help Desk Administrators role, which grants access to the Help Desk tool. Then click Next.

  8. Select an access group to which the permission will be applied and then click Finish.
    • Access Groups let you designate permissions to specific pools instead of to all pools.
    • Note: If you intend to integrate Horizon with VMware Identity Manager (aka VMware Access), then only pools in the Root Access group will sync with Identity Manager. Other Access Groups won’t work.

Help Desk Website

Horizon 7.2 and newer have a new web-based Help Desk tool built into Horizon Connection Server.

  • In Horizon Console (Horizon 7.5 and newer), simply enter a user name in the search box.
  • VMware also has an alternative Horizon Helpdesk Utility Fling
  • For Horizon 7.2 through 7.4, go to https://HorizonFQDN/helpdesk (e.g. https://view.corp.com/helpdesk).

The Desktops and Applications tabs let you see what the user it entitled to. You can even export these lists.

On the Sessions tab, click a session to see more details.

On the Details tab, scroll down to find action buttons like Remote Assistance. These buttons are kind of hidden.

Keep scrolling down and you’ll see Logon Segments.

The Processes tab lets you end processes in the user’s session.

Notes on the Help Desk feature:

  • Enterprise Licensing – Help Desk tool requires Horizon Enterprise edition license, or Horizon Apps Advanced edition license. Horizon Standard Edition licenses do not include this tool. In Horizon 7.3 and newer, the Product Licensing page indicates if Help Desk is licensed or not.

  • In Horizon 7.2, only Full Horizon Administrators can login to the Help Desk web page.
  • Horizon 7.3 and newer have built-in Help Desk Administrators roles that can log into the Help Desk tool.

    • Add Help Desk users to the Administrators and Groups tab, and assign them one of the Help Desk roles.

  • 15 minutes of History – There’s only 15 minutes of collected metric data. Use vRealize Operations for Horizon for longer historical monitoring.
  • See Rob Beekmans Helpdesk functionality added to VMware Horizon 7.2.
  • According to Pascal van de Bor Horizon 7.2: With a little helpdesk from my friends, checkOrigin needs to be disabled to prevent the “Authentication failed, invalid domain, username or password. Please try again” error.

See Troubleshooting Users in Horizon Help Desk Tool at VMware Docs.

vCenter Connection, and optional Horizon Composer

Horizon must connect to vCenter for several reasons:

  • Power manage the virtual machines
  • Create new virtual machines using Instant Clones or Horizon Composer
  • Update virtual machines using Instant Clones or Horizon Composer

See the Product Interoperability Matrix for supported vCenter versions.

If you are adding multiple vCenter servers to Horizon, make sure each vCenter Server has a Unique ID. In vSphere Web Client, go to the vCenter Server > Manage > Settings > General > Edit > Runtime Settings, and confirm that the ID is unique for each vCenter server.

  1. In Horizon Console 7.8 or newer, on the left, expand Settings, and click Servers.

    • Or in Horizon Administrator, on the left, expand View Configuration, and click Servers.
  2. In the right pane, in the vCenter Servers tab, click Add.

  3. In the VC Information page, do the following:
    1. In the Server address field, enter the FQDN of the vCenter server.
    2. In the User Name field, enter the previously created Active Directory account (domainname\username) that Horizon will use to login to vCenter.
    3. Also enter the service account’s password.
  4. Click Next.

  5. If you see a message regarding invalid certificate, click View Certificate. Then click Accept.


  6. In the View Composer page, if you are using Horizon Composer, then do the following:
    1. Select Standalone View Composer Server.
    2. Enter the FQDN of the Composer Server, and the credentials of an account to access the Horizon Composer server. The service account must be a local administrator on the Horizon Composer Server.
  7. Click Next.

  8. If you see an invalid certificate, click View Certificate. Then click Accept.


  9. If you are using Horizon Composer, then in the View Composer Domains page, do the following:
    1. Click Add.

    2. Enter the Full domain name of where the virtual desktop computer objects will be created.
    3. Enter the Active Directory service account credentials that has permission to create computer objects, and click Submit.

  10. Then click Next.
  11. In the Storage page, do the following:
    1. Reclaim VM disk space requires IOPS during its operation. This feature is not needed for Instant Clones.
    2. Check the box to Enable Horizon Storage Accelerator, and increase the host cache size to 2048. Notes:
      • Horizon Storage Accelerator is required for Instant Clones.
      • Horizon Storage Accelerator causes digest files to be created, thus increasing disk space requirements and increasing how long it takes to Recompose a pool.
  12. Click Next.

  13. In the Ready to Complete page, click Submit.

Instant Clone Domain Accounts

If you plan to use Instant-Clone to create non-persistent virtual desktops, then add an administrator account that can join machines to the domain.

  1. In Horizon Console 7.9 or newer, on the left, expand Settings and click Instant Clone Domain Accounts.

    • Or in Horizon Administrator, on the left, expand View Configuration, and click Instant Clone Domain Accounts.
  2. On the right, click Add.

  3. Select the domain.
  4. Enter credentials of a service account that can join machines to the domain. Click OK.

Disable Check Origin

If you connect to Horizon Connection Server using any DNS name (e.g. load balancing DNS name) that doesn’t match the server’s DNS name, then it might not work unless you disable Origin Check as detailed at VMware 2144768 Accessing the Horizon View Administrator page displays a blank error window in Horizon 7.

Restrict Remote Access

The Users and Groups node has a new Remote Access tab. You can configure this in either the Horizon Console or in Horizon Administrator.

If you add groups or users to this tab, only these groups and users can login through Unified Access Gateway (UAG) or Security Server.

Users not in the list can’t login through Unified Access Gateway (UAG) or Security Server.

Disable Secure Tunnel

By default, internal Horizon Clients connect to Horizon Agents by tunneling (proxying) Blast or PCoIP through a Horizon Connection Server. It would be more efficient if the internal Horizon Clients connect directly to the Horizon Agents instead of going through a Connection Server.

  • If the tunnels are enabled, and if you reboot the Connection Server, then user connections will drop.
  • If the tunnels are disabled, then rebooting the Connection Server will not affect existing connections.

To disable the tunnels in either Horizon Console or Horizon Administrator:

  1. In Horizon Console, on the left, expand Settings, and click Servers.

    • Or in Horizon Administrator, on the left, expand View Configuration, and click Servers.
  2. On the right, switch to the Connection Servers tab.

  3. Click the Connection Server to highlight it, and click Edit.

  4. On the General tab, uncheck the boxes next to HTTP(S) Secure Tunnel and the two Gateways. Click OK.
  5. Note: if you are using HTML5 Blast internally, then disabling the Blast Secure Gateway will cause HTML5 Blast connections to go directly to the Horizon Agent, and the Agent certificate is probably not trusted. Newer versions of Horizon have an option to use Blast Secure Gateway only for HTML Access.

Event Database and Syslog

  1. In Horizon Console 7.9 or newer, on the left, expand Settings and click Event Configuration.

    • Or in Horizon Administrator, expand View Configuration, and click Event Configuration.
  2. On the right, under Event Database, click Edit.

  3. In the Edit Event Database dialog box, do the following:
    1. Enter the name of the SQL server.
    2. Select Microsoft SQL Server as the Database type.
    3. Enter the name of the database.
    4. Enter the SQL account credentials (no Windows authentication).
    5. Optionally, enter VE_ (or similar) for the Table prefix. This allows you to use the same Events database for multiple View installations.
  4. Click OK.

  5. On the right, in the Event Settings section, you can click Edit to change the age of events shown in Horizon Console or Horizon Administrator.

  6. To add a Syslog server, look on the right side of the page.

  7. There are configuration options for logging to a file (Events to File System).

  8. You can go to Monitor > Events to view the events in the database.

Event Database SQL Index

VMware Knowledgebase article – The Event database performance in VMware View 6.0.x is extremely slow (2094580): Symptoms:

  • The Event database performance in VMware View 6.0.x is extremely slow when browsing within View
  • High CPU usage on the SQL server, hosting the Event database
  • The larger the Event database becomes, the slower the queries run.

To resolve this issue, create an index. Run this command on your SQL Event database:

CREATE INDEX IX_eventid ON dbo.VDIevent_data (eventid)

Substitute VDIevent_data for the table name using your Event database prefix.

Event Queries

VMware Fling – Horizon View Event Notifier: collects and sends the alerts via email (SMTP) to users that are specified during the configuration process. It allows aggregation of alerts across multiple Horizon View Pods and for near real-time alerting of Horizon View alerts that are otherwise very difficult to be notified on.

Chris Halstead – VMware Horizon View Events Database Export Utility: this utility allows administrators to easily apply very detailed filtering to the data and export it to .csv. You can filter on time range,  event severity, event source, session type (Application or Desktop), Usernames and Event Types.  The application allows for extremely granular export of data.   The exported columns can also be customized and the application will export data from both the live and the historical tables in the View Events Database.

VMware Knowledgebase article – Creating SQL views to retrieve the top 50 maximum number of concurrent desktop sessions over a period: This article provides steps to create database views to retrieve the maximum number of concurrent desktop sessions over a period from the event_historical table.

To retrieve the top 50 maximum number of concurrent desktop sessions over a period time from the event_historical table, run this query:

select Count, Time from(select top 50 DOB.<prefix>_data_historical.IntValue as 'Count', DOB.<prefix>_historical.Time as 'Time' from DOB.<prefix>_historical.DOB.<prefix>_data_historical where DOB.<prefix>_historical.EventID = DOB.<prefix>_data_historical.EventID and DOB.<prefix>_data_historical.Name = 'UserCount' and DOB.<prefix>_historical.EventType='BROKER_DAILY_MAX_DESKTOP order by DOB.<prefix>_historical.Time DESC) A Order by Time

Where <prefix> is the prefix for the event table. You can find the prefix that you must use by examining other view definitions, such as user_events.

Global Settings

  1. In Horizon Console 7.9 or newer, on the left, expand Settings and click Global Settings. Or in Horizon Administrator, on the left, under View Configuration, click Global Settings.

  2. On the right, under Global Settings, in the General Settings tab (or General section), click Edit.

  3. Set the Connection Server Session Timeout (7.13 only) or View Administrator session timeout, which applies to both administrators and help desk. 4320 minutes (72 hours) is the maximum.


  4. Forcibly disconnect users is an active session timeout. It is not an idle timeout in that it doesn’t care if the user is working or not. The default is 10 hours so consider increasing it. Note: this timer does not log the user out of Windows. Instead it merely disconnects the user, and requires the user to logon to Horizon Connection Server again.

  5. Under Client-dependent settings you can set an idle timeout. This is a disconnect, not logoff.

  6. To configure an idle timeout for desktop sessions:
  7. Enable automatic status updates enables automatic updating of the table displayed in the top-left corner of Horizon Administrator.

  8. In Horizon 7.8 and newer, the Send domain list option in Horizon Console and Horizon Administrator is unchecked by default, which means users must enter a domain name instead of picking one from a list. Check this box to restore functionality from Horizon 7.7 and earlier. See VMware Blog Post Changes in Logon for VMware Horizon. Note: This setting is configurable in Horizon Console 7.10 and newer.

  9. Make other changes as desired. Click OK when done.

Horizon 7.8 and newer disable “Log On as Current User” by default. To enable this client feature:

  1. In Horizon Console 7.10 or newer, on the left, expand Settings, and click Servers.

    • Or in Horizon Administrator, on the left, expand View Configuration and click Servers.
  2. On the right, switch to the Connection Servers tab.

  3. Highlight a Connection Server and click Edit.

  4. Switch to the Authentication tab.

  5. Scroll down. Check the box next to Accept logon as current user. Click OK.

Horizon 7.11 and newer can restrict connections to a minimum version of Horizon Client. 💡

  1. In Horizon Console 7.11 or newer, on the left, expand Settings, and click Global Settings.
  2. On the right, switch to the tab named Client Restriction Settings.
  3. Click Edit.
  4. For each client type, enter a minimum version number. Click OK when done.
  5. The client version is enforced when you try to launch an icon.

Global Policies

By default, Multimedia Redirection is disabled. You can enable it in Global Policies.

  1. In Horizon Console 7.8 or newer, go to Settings > Global Policies. Or in Horizon Administrator, go to Policies > Global Policies.

  2. On the right, click Edit Policies.

  3. Set Multimedia redirection to Allow, and click OK. Notice that Multimedia redirection is not encrypted.

Backups

Connection Server LDAP Backup and Composer Database Backups can be configured in Horizon Administrator, or in Horizon Console.

  1. in Horizon Console 7.8 or newer, on the left, expand Settings and click Servers. Or in Horizon Administrator, on the left, expand View Configuration, and click Servers.

  2. On the right, switch to the Connection Servers tab.

  3. Select a Horizon Connection Server, and click Backup Now. Backups can be found in C:\ProgramData\VMware\VDM\backups.

  4. To change automatic backup settings, Edit the Horizon Connection Server, and switch to the Backup tab.

  5. you can schedule automatic backups. This also backs up the View Composer database but not the vCenter database. See VMware 1008046 Performing an end-to-end backup and restore for VMware View Manager.

Tips

VMware Blog Post Top 10 Tips for a Successful Horizon VDI

Related Pages

73 thoughts on “VMware Horizon 7.13.3 Configuration”

  1. Hi Carl,

    Hope all is well.

    This is a multitiered issue.

    We’ve been trying to update Horizon 7.5.2 to Horizon 8 but have been unsuccessful.

    We continue to get errors stating that linked clone pools/farms are present, but there are NONE in our build. That is, we have NOT set up any pools/farms — cloned or otherwise. We’ve done a database check, as well as checked the OUs in ASDI; but again, none can be found. Also — side note — our Horizon 7 version doesn’t have an option for iccleanup.cmd to allow us to check that way.

    We’ve verified our license is good, too.

    We’ve also tried to set the radio button “Do not use View Compose” in the server settings of Horizon, but we get an error saying that the entry can’t be saved in vCenter.

    We’re able to ping vCenter and ping from vCenter to our ViewConnect VM.

    Any help or insight you can provide would be appreciated.

    Many thanks in advance!

      1. The latest logs indicate that there are issues connecting to vCenter.

        Among others, I’ve seen an error with “vcenter..com:443/sdk”

        When I copy and paste that into my browser I’m unable to access it.

        Hope that helps.

        Thanks!

  2. Hello Carl

    After upgrading to 7.13.2 from 7.13.1, I’m not able to provision VM. Getting AD container is not available error.
    What could be issue and what is the solution

          1. No Carl. That is the issue after the update not able to get the OU details. AD container is not available error.

          2. You can look in logs under C:\ProgramData\VMware\VDM\logs.

            Otherwise, you might have to call VMware Support.

  3. Hello, Carl. How are you? This is my second chance to leave a message on your excellent blog.

    I have wondered why VMware did not expand the host cache size of CRBC for a long time.

    I lately observed that the host cache size for storage accelerator had been significantly increased from 2G to 32G since Horizon 7.10 or later (not sure, but definitely in 7.13 and 8. I could not find any comments regarding this from VMware official blogs or any release notes.

    I guess it can be a definite advantage over other vendors if it works as it says when it come to VDI market. Almost entire OS disk can be accessed through not way slower storage, but super fast in memory cache!! Is not it true?

    I would like to share one old, but still meaningful article from VMTN which is related to storage accelerator.

    https://blogs.vmware.com/euc/2012/05/view-storage-accelerator-in-practice.html

    1. I think this feature only caches reads, not writes. Most storage arrays don’t have a problem with read performance. As blocks are modified, then the read cache is invalidated. Whatever you allocate for Storage Accelerator can no longer be used by Virtual Machines.

  4. Is the helpdesk administrators role in version 7.13 different than the one in version 7.8 and earlier ? In the 7.13 version the helpdesk administrators role does not have the ability to Assign/UnAssign user to a VM.

  5. Hello Carl,

    Need you valuable advice and assistance here.
    Running 7.13
    2 x connection servers.
    F5 load balancer in front.
    Internal users will use Thick client as well as HTML5 Access.
    Same TLS certificate is used on F5 virtual server config as well as Connection servers. (F5 configured done using iApps template)
    Certificate is issued by internal CA. subnet name is desktop.domain.com, also added FQDN of 2 x connection servers and desktop.domain.com as DNS names.
    F5 configuration related to certificate can be viewed at https://ibb.co/BN2Schv

    When user access using HTML5, I am getting “ERR_connection_refused”
    the URL of browser does not goes to Desktop instance IP, which is my intended purpose of passing traffic through CS servers.

    Will you please help me here.

    Additionally, Users from outside organization will also connect using Think client as well as HTML5, via other DMZ F5 and UAG. but that is for later parts, 1st want to get internal suffs working.

    Thank you.

    1. Blast uses port TCP 8443 on the client-side (to F5) and TCP 22443 from F5 to the Horizon Agents. Are these ports open?

        1. In Horizon Console > Settings > Servers > Connection Server > Edit, in the Blast Secure Gateway field, what is selected? It should be set to “Do not use” since F5 will handle it.

          1. connection servers “Blast Secure gateway” was set to “Use Blast Secure Gateway for only HTML Access connections to machine” with URL as “https://desktop.domain.com:8443”

            Upon reading the F5 guide word by word, Under “Modifying your connection servers to support HTML5 clients” states “If using a BIG-IP version 12.1 and later only: You can leave the Use Secure Tunnel connection to
            desktop/machine checked (for example, this box must be checked if using USB redirection). If checked,
            the External URL field should contain the URL pointing to the View Connection Server (i.e. the View
            Connection Server FQDN).”

            I changed to FQDN of Connection servers.

            And to my surprise, Users connection to Desktop Instance is seamless!.

            I do not understand, since F5 is set to “Yes, Blast conn. should go through F5” (https://ibb.co/Qv5pKhs), also the configuration asks to provide the Subnet of Desktop instances, from which I understand is, F5 will forward traffic to the Subnet.

            In case, “Do not use Blast secure gateway” is selected, the User is re-directed to Desktop instance IP with cert warning.

    2. Create a file called install_directory\VMware\VMware View\Server\sslgateway\conf\locked.properties.
      Either add a line:
      checkOrigin=false
      or a line
      balancedHost=load-balancer-name
      where load-balancer-name is the hostname used in the URL by the remote access user. e.g. myvdi.myco.com.
      See Documentation for VMware Horizon 7 version 7.0

  6. I tried to setup default domain in Horizon 7.12 as below

    vdmadmin -N -domains -include -domain mydomain.local -add

    but from html client when I put the username and password got the error ” domain name is invalid”

  7. I’m using the Horizon 7.12 when I click on connection Server. I’m not able to see “More Commands” to enter the password paring for the security server installation. kindly help…

  8. Hi Carl I am trying to add an UAG in Horizon Administration console, but it says N/D into IP and version Fields. It seems the connection is reached by UAG. We have test the ports and we have put the UAG in the same VLAN for testing purposes. We have issued some SSL certificates for Connection server and the UAG, but the result is the same. Could you help me?

    Thanks in advance and kind regards.

    1. The only resolution I’ve seen for this is to be sure to register the UAG with the exact same name found in the “UAG Name” field on the System Settings section of the UAG config. This appears to work for most people, however we have tried this and are still getting the same behavior you are seeing.

  9. Hi,

    I’m using the Horizon 7.11 when I click on Server, connection server. I’m not able to see “More Commands” to enter the password for the security server. This is my first time trying to install Horizon and I really appreciate any help. Could you please tel me what to do?

      1. Hi Carl,

        Thanks for your reply. I’m trying to access Horizon Administrator (Flex) but it won’t even load, I only have access either to localhost/admin or to (Vmware Horizon HTML Access) I’m not even able to access the portal, I always get the error message (you are not entitled to access this system). As I told you before, I’m really new to this system and I did a lot of research and have watched a lot of videos, but even I cannot pass this point.

        Thank you for any help.

        1. Are you using Chrome? If so, did you configure checkOrigin=false in locked.properties? If not, then you must use the exact URL specified in the Connection Server’s HTTPS Gateway field.

          1. Thank you Carl,

            I have redeployed everything, went to the 7.8 Version and now everything is running as required. I will be testing and if I face any issues, I know the person who I have to ask.

            Have a nice day

  10. In the version 7.10 Html5 web console shows an internal error for only the Events and Sessions tab not for other sections. Flash browser based access of the admin console works as expected. Any ideas Carl??

  11. I have just upgraded to Horizon v7.9. When utilizing the HTML5 admin page, the vCenter server cannot be selected when creating manual desktop pool. However, it is available if I choose an automatic pool. Also, the vCenter server is able to be selected as normal through the old admin page.

    Any thoughts?

  12. Do you know if Horizon Enterprise Edition will be added to the VMUG Package ? I would like to be able to test EMU in depth and 60 days is a little short.

    Thanks!

  13. Hey Carl,

    Do you happen to know how to change the logout time on the /newadmin portal? I currently have 3x Horizon 7 environments (7.3.3 prod, 7.9.0 test, 7.9.0 new prod) and the 15min default timeout is making me lose my mind. To make matters worse, username and domain tracking hasn’t worked on the HTML5 pages in any of the Horizon 7 versions I have tested.

    Also, I don’t think the /helpdesk timeout has ever coincided with the flash administrator timeout. Typically we set the flash admin portal to timeout after 120mins.

    Thanks,

    Erik

  14. Good Morning Carl. I had a setup of Horzion 7.5 up and running, the cert expired and even after renewing it, I am getting a “Err_SSL_VERSION_OR_CIPHER_MISMATCH” on it I cant seem to find anything online about correcting the problems. Any ideas? Thank you so much for your time

    1. For the new certificate, is the private key exportable? Try exporting it to make sure it can be exported.

  15. Hi Carl,

    Not sure if will explain it correctly first, let me know you got the idea 🙂

    I have change our writable domain for Horizon VDI and vSphere environment. Right now for Writable DC we are using DC which is on Cloud and communicating via VPN and we want to make another writable DC locally so not being depended from VPN. For example right now its communicating with DC 192.168.100.5 and needs to be changed to DC 192.168.200.6

    Can you please advice.

    Thank’s

    1. Aren’t domain controllers usually chosen based on the configuration in Active Directory Sites?

  16. I have a question and was hoping that you could provide some insight. I have built out and maintain three large corporate horizon view 7.x instances. Production, Test/Dev, and DR. Do you have, or could you provide any insight as to what a your recommended backup strategy is for ensuring continuity of the connection servers and composer db in the event that there is an issue. Our backup teams utilize netbackup. The issue we ran into is when the master connection server was getting backed up, it would cause intermittent packet loss which would cause users sessions to be disconnected. Our Prod environment serves for 2,500 users. Any information would be great., I have utilized the VMware method of backing up the ldap db etc. But that is pretty convoluted and in the event of a disaster would take a while to essentially re-build this environment.

      1. Using both pcoip and blast. We were really touting blast, but blast tends to consume higher amounts of cpu and is effectively a wash in overall performance.

      2. Yes sir. Our topology is 2 security servers bound to two external connection servers and two internal connection servers. internal and external vips transit through BigIp. VIP used is specified by the source connection request.

  17. Hello Carl

    Have you seen any updated material on setting up 2-Factor Authentication in Horizon View with Google Authenticator

  18. Dear Carl,

    thank you for the wonderful information. I’ve setup a small lab for Horizon 7. The strange thing is when i create an instant pool i cannot select the Vcenter Server. However when I select Full Clones the Vcenter Server information pops up and im able to proceed. Now because of this I’m unable to create Instant Clone Pool. My Vcenter is 6.7, Esxi is 6.5. There is one strange thing which i noticed on Vcenter, it gives a warning that your evaluation license will expire. However I have added a production license using the console. So in short Horizon has Production Enterprise License, Esxi has Production License.
    Can you please let me know what could be the issue.

  19. Currently trialing Horizon 7.5 on my environment, and on entering the license key I get ‘License data could not be obtained for this product type’

    I’m stuck on how to get past this 🙁

  20. Hi Carl,
    Thank you very much to create this document for all of us. Do you know there is any way to get the information regarding who last time use/login on the Horizon VDI machines in the Horizon View 7.0? Currently we are trying to find out which user last time use the VDI VM, if no one is using from long time (more than 6 months) then we can ask them to decommissioned those VMs. Please advise.
    Thanks,
    Siraj

  21. Thanks Carl. Both sensible suggestions. Adds a bit of complexity that I really hoped Access Points had avoided compared with Security Servers of old, but there you go. I’ll push for a wildcard but will go with your suggestion if needs must. Many thanks.

  22. With regard to when you mention:

    “if you are using HTML5 Blast internally, then disabling the Blast Secure Gateway will cause HTML5 Blast connections to go directly to the Horizon Agent, and the Agent certificate is probably not trusted”

    I have this exact issue. Blast Secure Gateway must be disabled when using Access Points as I understand it. Have you found any way around this, apart from VMware’s recommended method of using a wildcard cert on the master image? My client is not keen on using a wildcard, however it seems to me it may be unavoidable in this scenario?

    1. Maybe setup different Connection Servers for internal vs external. Or add UAGs for internal connections.

      1. I have a question. Ia m trying to connect to an events Database MS SQL but it is an instance “sql05\events” the database is called ViewEvents. Can I connect to an instance? IS there special Syntax?

  23. Hi,
    I am using VMware vSphere 5.5 and VMWare horizon 7.0.2
    I have increased LUN size in SAN Storage
    I Have increased Datastore size through vCenter.
    Still its not reflecting in Horizon 7 Dashboard.
    what and how to do to reflect that size in Horizon 7.0.2 under Dashboard>Datastore Details> Capacity (GB)…??
    can anyone send me the procedure or hints to increase/reflect the same size.
    Thanks

    1. I think you need to add new data-store and use feature like parlance for linked clone pool, I am not sure if the problem that you highlighted is solved in newer version on horizon or not.

  24. Hi Carl,
    I have just upgraded my Dev environment to 7.3.1 and having a couple of issues.
    1. Using Chrome, the Admin page to the connection server FQDN is blank even if I configure the locked.properties and restart services. I have also cleared cache and rebooted my laptop with no luck. The only way I ca use Chrome is by pointing to the balance DNS name that matches the trusted certificate name.
    2. When I create a dedicated linked-clone pool and try to “Remove” all VMs from it to start the provisioning over, Horizon renames the VMs not from -01 but from the next number after the highest number of the old VM. Example, I have 10 VMs in a pool (-01,-02,-03.. until -10), when I remove, the VMs are named -11,-12 and so on instead of starting over from -01. Also, the option “Allow reuse of existing AD computer accounts” is enabled on this pool.

    Any idea on hoe to fix the above? Did you experience any of this yourself?

  25. Server error : null, Instant Desktop Creation Failed Horizon 7.2

    I received this when trying to use 2 or more vlans with the instant clone pool, this pops up at the point you would click finish for the pools. but if i select parent vlan then it continues just fine.

    Thoughts?

  26. I was wondering about Horizon 7 in a multi-tenant solution using PODs. I know you need AD in the Management block but can you point the Desktop pool to a Customers AD?

    1. I suspect the domains need to be trusted.

      If not, then another option is Identity manager with SAML authentication and TrueSSO.

  27. Hi Carl, i think i have one for ya that is difficult. We have horizon 7 installed and running w/ LC’s. It works great. We now want to install a Ubuntu Desktop pool. I have installed ubuntu 12.04 and configured it to log into active directory perfectly. Even registers in DNS.
    THen, i install the agent. it doesn’t work. I try to connect locally to tcp 22443 and it fails. If i look at the registered machines in View Configuration, that linux VM doesn’t register.
    On the Horizon 7 diagram, the ports aren’t listed for linux.
    We have tried this on both centos and ubuntu. Same ol’ story.

    1. It took me a little while but I think I got it on Ubuntu 12.04.

      Delete /etc/vmware/viewagent-machine.cfg and viewagent-config.txt if they exist. Run the following:

      ./install_viewagent.sh -A yes -M no -b vcs01.corp.local -d corp.local -u admin -p Pass0wrd -k ad01.corp.local -n ubuntu01.corp.local

      I suspect that “-M no” is the key but I could be wrong.

      I used the log files in /var/log/vmware to troubleshoot. And I looked in the actual script file to see what’s is supposed to do.

  28. If the Vcneter is appliance, what should be done at step 25?

    25.The service account also must be a local administrator on the vCenter server. In Server Manager, go to Tools > Computer Management.

    Thanks.

    1. Also a good catch. I updated the text to clarify that the account only needs admin on the View Composer server.

Leave a Reply

Your email address will not be published. Required fields are marked *