VMware Horizon 7.11 Connection Server

Last Modified: Jan 18, 2020 @ 10:40 am

Navigation

This post applies to all VMware Horizon versions 7.0 and newer, including 7.11, 7.10.1 (ESB), and 7.5.4 (ESB).

ūüí° = Recently Updated

Change Log

Upgrade

If you are performing a new install, skip to Install Horizon 7 Standard Connection Server.

Notes regarding upgrades:

  • Upgrade all Connection Servers during the same maintenance window.
    • Downgrades are not permitted.
      • You can snapshot your Connection Servers before beginning the upgrade. To revert, shut down all Connection Servers, then revert to snapshots.
    • For Cloud Pod Architecture, you don’t have to upgrade every pod at once. But upgrade all of them as soon as possible.
    • Horizon Agents cannot be upgraded until the Connection Servers are upgraded.
    • All Connection Servers in the pod must be online before starting the upgrade.
    • Upgrade Horizon Composer before upgrading the Connection Servers.
    • It’s an in-place upgrade. Just run the Connection Server installer and click Next a couple times.
      • If upgrading from version 7.7 or older to version 7.8 or newer, then be aware of authentication changes.
    • For Security Servers, in Horizon Administrator, go to paired Connection Server, More Commands > Prepare for Upgrade or Reinstallation.
  • Upgrade the Horizon Group Policy template (.admx) files.
  • Upgrade the Horizon Agents.
    • It’s an in-place upgrade.
    • There’s no hurry. Upgrade the Horizon Agents when time permits.
  • Upgrade the Horizon Clients.
    • Horizon Clients can be upgraded anytime before the rest of the infrastructure is upgraded.

Install Horizon 7 Standard Connection Server

The first Horizon Connection Server must be a Standard Server. Subsequent Horizon Connection Servers are Replicas. Once Horizon Connection Server is installed, there is no difference between them.

A production Horizon Connection Server should have 10 GB of RAM and 4 vCPU.

  • In Horizon 7.2 and newer, each Horizon Connection Server can handle 4,000 connections.
  • In Horizon 7.1 and newer, each Horizon Connection Server can handle 2,000 connections.

Horizon 7.11 is the latest release.

Horizon 7.10.1 is an Extended Service Branch (ESB).

  • ESBs will be released once a year.
  • Once released, they will be actively supported for 24 months.
  • During those 24 months, there will be 3 scheduled Service Pack updates, SP1 will be released 6 months after the initial release, SP2 will be released 3 months after SP1, and SP3 will be released 6 months after SP2.
  • Service Packs do not include any new features.
  • VMware¬†52845¬†FAQ: Horizon 7, App Volumes, UEM Extended Service Branches (ESB)
  • The 7.10.1 download page only has Agents. To see the rest of the downloads,¬†use the Select Version drop-down to choose 7.10.0.

Horizon 7.5.4, Unified Access Gateway 3.3.1, User Environment Management 9.4.1, and App Volumes 2.14.8, are also Extended Service Branch (ESB).

  • The 7.5.4 download page only has Agents. To see the rest of the files, use the Select Version drop-down to choose 7.5.3.

To install the first Horizon Connection Server:

  1. Ensure the Horizon Connection Server has 10 GB of RAM and 4 vCPU. Source = Hardware Requirements for View Connection Server at VMware Docs.
  2. Windows Server 2019 is supported with Horizon Connection Server 7.8 and newer.
  3. Windows Server 2016 is supported with Horizon Connection Server 7.1 and newer.
  4. Horizon Composer cannot be installed on the Horizon Connection Server, and vice versa.
  5. Horizon Administrator is a Flash-based console. Chrome browser includes Flash.
    • Horizon Console (/newadmin) is HTML5 and does not need Flash. Horizon 7.10’s Horizon Console is almost feature complete.
  6. Download Horizon 7.11.0 View Connection Server, Horizon 7.10.0 (ESB) View Connection Server, or Horizon 7.5.3 (ESB) View Connection Server.


    • The Horizon 7.10.1 download page only has Agents. To see the rest of the downloads, use the Select Version drop-down to choose 7.10.0.
    • The Horizon 7.5.4 download page only has Agents. To see the rest of the files, use the Select Version drop-down to choose 7.5.3.
  7. If Horizon Toolbox is installed, uninstall it. You’ll have to reinstall it later, including configuring the SSL certificate again (back up the certificate before uninstalling). Note: the Horizon Toolbox developers have not been updating Horizon Toolbox for newer versions of Horizon Connection Server.
  8. Run the downloaded VMware-Horizon-Connection-Server-x86_64-7.11.0.exe, VMware-Horizon-Connection-Server-x86_64-7.10.0.exe or VMware-viewconnectionserver-x86_64-7.5.3.exe (ESB).


  9. In the Welcome to the Installation Wizard for VMware Horizon 7 Connection Server page, click Next.
  10. If you are upgrading from version 7.7 or older to version 7.8 or newer, then acknowledge the authentication changes warning by clicking OK.
  11. In the License Agreement page, select I accept the terms, and click Next.
  12. In the Destination Folder page, click Next.
  13. In the Installation Options page, select Horizon 7 Standard Server, and click Next.
  14. In the Data Recovery page, enter a password, and click Next.
  15. In the Firewall Configuration page, click Next.
  16. In the Initial Horizon 7 Administrators page, enter an AD group containing your Horizon administrators, and click Next.
  17. In the User Experience Improvement Program page, uncheck the box, and click Next.
  18. In the Ready to Install the Program page, click Install.
  19. In the Installer Completed page, uncheck the box next to Show the readme file, and click Finish.
  20. If you upgraded to Horizon 7.8 or newer and want to re-enable Logon as current user:
    1. In Horizon Console 7.10 or newer, on the left, expand Settings and click Servers. Or in Horizon Administrator, on the left, go to View Configuration > Servers.

    2. On the right, switch to the tab named Connection Servers.
    3. Highlight the server you just upgraded and click Edit.

    4. Switch to the tab named Authentication.

    5. Scroll down, check the box next to Accept logon as current user and then click OK.

  21. If you upgraded to Horizon 7.8 or newer and want to re-enable sending the domain list to Horizon Client:
    1. In Horizon Console 7.10 or newer, on the left, expand Settings and click Global Settings. Or in Horizon Administrator, on the left, go to View Configuration > Global Settings.
    2. On the right, in the General section, click the Edit button.

    3. Near the bottom, check the box next to Send domain list. You might want to uncheck Hide domain list in client user interface. Then click OK.

Install Horizon 7 Replica Connection Server

Additional internal Horizon Connection Servers are installed as Replicas. After installation, there is no difference between a Replica server and a Standard server.

A production Horizon Connection Server should have 10 GB of RAM and 4 vCPU.

  • In Horizon 7.2 and newer, each Horizon Connection Server can handle 4,000 connections.
  • In Horizon 7.1 and newer, each Horizon Connection Server can handle 2,000 connections.

To install Horizon Connection Server Replica:

  1. Ensure the Horizon Connection Server has 10 GB of RAM and 4 vCPU.
  2. Windows Server 2019 is supported with Horizon Connection Server 7.8 and newer.
  3. Windows Server 2016 is supported with Horizon Connection Server 7.1 and newer.
  4. Download Horizon 7.11.0 View Connection Server, Horizon 7.10.0 (ESB) View Connection Server, or Horizon 7.5.3 (ESB) View Connection Server.


    • The Horizon 7.10.1 download page only has Agents. To see the rest of the downloads, use the Select Version drop-down to choose 7.10.0.
    • The 7.5.4 download page only has Agents. To see the rest of the files, use the Select Version drop-down to choose 7.5.3.
  5. Run the downloaded VMware-Horizon-Connection-Server-x86_64-7.11.0.exe, VMware-Horizon-Connection-Server-x86_64-7.10.0.exe or VMware-viewconnectionserver-x86_64-7.5.3.exe (ESB)


  6. In the Welcome to the Installation Wizard for VMware Horizon 7 Connection Server page, click Next.
  7. In the License Agreement page, select I accept the terms, and click Next.
  8. In the Destination Folder page, click Next.
  9. In the Installation Options page, select Horizon 7 Replica Server, and click Next.
  10. In the Source Server page, enter the name of another Horizon Connection Server in the group. Then click Next.
  11. In the Firewall Configuration page, click Next.
  12. In the Ready to Install the Program page, click Install.
  13. In the Installer Completed page, click Finish.
  14. Load balance your multiple Horizon Connection Servers.

Horizon Connection Server Certificate

  1. Run certlm.msc (Windows 2012+). Or run mmc, add the Certificates snap-in, and point it to Computer > Local Machine.
  2. Request a new certificate with a common name that matches the FQDN of the Connection Server, or import a wildcard certificate.
  3. Note: the private key must be exportable. If using the Computer template, click Details, and then click Properties.
  4. On the Private Key tab, click Key options to expand it, and check the box next to Mark private key as exportable.
  5. In the list of certificates, look for the one that is self-signed. The Issuer will be the local computer name instead of a Certificate Authority. Right-click it, and click Properties.
  6. On the General tab, clear the Friendly name field, and click OK.
  7. Right-click your Certificate Authority-signed certificate, and try to export it.
  8. On the Export Private Key page, make sure Yes, export the private key is selectable. If the option to export the private key is grayed out, then this certificate will not work. Click Cancel.
  9. Right-click your Certificate Authority-signed certificate, and click Properties.
  10. On the General tab, in the Friendly name field, enter the text vdm, and click OK. Note: only one certificate can have vdm as the Friendly name.
  11. Then restart the VMware Horizon View Connection Server service. It will take several seconds before you can connect to Horizon View Administrator.

Horizon Portal ‚Äď Client Installation Link

If you point your browser to the Horizon Connection Server (without /admin in the path), the Install VMware Horizon Client link redirects to the VMware.com site for downloading of Horizon Clients. You can change it so that the Horizon Clients can be downloaded directly from the Horizon Connection Server.

  1. On the Horizon Connection Server, go to C:\Program Files\VMware\VMware View\Server\broker\webapps.
  2. Create a new folder called downloads.
  3. Copy the downloaded Horizon Client 5.2 for Windows to the new C:\Program Files\VMware\VMware View\Server\broker\webapps\downloads folder.
  4. Run Notepad as administrator.
  5. Open the file C:\ProgramData\VMware\VDM\portal\portal-links-html-access.properties file with a text editor (as Administrator).
  6. Go back to the downloads folder, and copy the Horizon Client filename.
  7. In Notepad, modify link.win32 and link.win64 by specifying the relative path to the Horizon Client executable under /downloads. Note: In Horizon Client 4.3 and newer, there’s only one Horizon client for both 32-bit and 64-bit. The following example shows a link for the Horizon win64 client.
    link.win64=/downloads/VMware-Horizon-Client-5.2.0-14570289.exe
  8. Then Save the file.
  9. Restart the VMware Horizon View Web Component service, or restart the entire Connection Server.
  10. It will take a few seconds for the ws_TomcatService process to start so be patient. If you get a 503 error, then the service is not done starting.
  11. Now when you click the link to download the client, it will grab the file directly from the Horizon Connection Server.
  12. Repeat these steps on each Connection Server.

Portal Branding

Chris Tucker at Horizon View 7.X РBranding the Logon page details how to brand the Horizon 7.1 and newer portal page.

LDAP Edits

Horizon Console Timeout

The HTML5 Horizon Console (https://MyConnectionServer/newadmin) has a default timeout of 10 minutes. Changing the Horizon Administrator timeout will not affect the Horizon Console timeout. You can use adsiedit.msc to increase the Horizon Console timeout.

  1. On the Horizon Connection Server, run ADSI Edit.
  2. Right-click ADSI Edit, and click Connect to.
  3. Change the first selection to Select or type a Distinguished Name, and enter dc=vdi,dc=vmware,dc=int.
  4. Change the second selection to Select or type a domain or server, and enter localhost. Click OK.
  5. Navigate to Properties > Global. On the right, double-click CN=Common.
  6. Scroll down, click to highlight pae-APISessionTimeout, and click Edit.
  7. Enter a value in minutes. Click OK.

Mobile Client – Save Password

If desired, you can configure Horizon Connection Server to allow mobile clients (iOS, Android) to save user passwords.

  1. On the Horizon Connection Server, run ADSI Edit.
  2. Right-click ADSI Edit, and click Connect to.
  3. Change the first selection to Select or type a Distinguished Name, and enter dc=vdi,dc=vmware,dc=int.
  4. Change the second selection to Select or type a domain or server, and enter localhost. Click OK.
  5. Navigate to Properties > Global. On the right, double-click CN=Common.
  6. Scroll down, click to highlight pae-ClientCredentialCacheTimeout, and click Edit.
  7. Enter a value in minutes. 0 = no saving of credentials. -1 = no timeout. Click OK.

Biometric Authentication – iOS Touch ID, iOS Face ID, Fingerprints, Windows Hello

Biometric authentication, including Touch ID, Face ID, Fingerprints, and Windows Hello, is disabled by default. To enable: (source = vDelboy РHow to Enable Touch ID in VMware Horizon 6.2 and Configure Biometric Authentication at VMware Docs)

  1. On the Horizon Connection Server, run ADSI Edit.
  2. Right-click ADSI Edit and click Connect to…
  3. Change the first selection to Select or type a Distinguished Name and enter dc=vdi,dc=vmware,dc=int.
  4. Change the second selection to Select or type a domain or server and enter localhost. Click OK.
  5. Navigate to Properties > Global. On the right, double-click CN=Common.
  6. Find the attribute pae-ClientConfig and double-click it.
  7. Enter the line BioMetricsTimeout=-1, and click Add. Click OK. The change takes effect immediately.

Disallow Non-empty Pool Deletion

Configure View to Disallow the Deletion of a Desktop Pool That Contains Desktop Machines at VMware Docs.

  1. On the Horizon Connection Server, run ADSI Edit.
  2. Right-click ADSI Edit and click Connect to…
  3. Change the first selection to Select or type a Distinguished Name and enter dc=vdi,dc=vmware,dc=int.
  4. Change the second selection to Select or type a domain or server and enter localhost. Click OK.
  5. Navigate to Properties > Global. On the right, double-click CN=Common.
  6. Find the attribute pae-NameValuePair, and double-click it.
  7. Enter the line cs-disableNonEmptyPoolDelete=1, and click Add. Click OK. The change takes effect immediately.

Load Balancing

See Carl Stalhood’s Horizon Load Balancing using NetScaler 12.1.

Remote Desktop Licensing

If you plan to build RDS Hosts, then install Remote Desktop Licensing somewhere. You can install it on your Horizon Connection Servers by following the procedure at https://www.carlstalhood.com/delivery-controller-7-15-ltsr-and-licensing/#rdlicensing.

Antivirus

VMware Tech Paper Antivirus Considerations for VMware Horizon 7: exclusions for Horizon View, App Volumes, User Environment Manager, ThinApp

Help Desk Tool Timing Profiler

Horizon 7.2 and newer include a web-based Help Desk Tool. Run the following command to enable the timing profiler on each Connection Server instance to view logon segments.

vdmadmin -I -timingProfiler -enable

Horizon Toolbox 7.8.0

Note: this version of Horizon Toolbox might not support Horizon 7.9, 7.10, or 7.11.

Install the Horizon Toolbox Fling on your View Connection Servers. This is a web-based tool that adds the following functionality:

  • Auditing of user sessions
  • Auditing of virtual machine snapshots
  • Auditing of Horizon Client Versions
  • Remote Assistance ‚Äď users request assistance from administrators
  • Virtual Machine Remote Console
  • Power Policies for Desktop Pools

To use the Toolbox, make sure the following are enabled in your View Connection Server pod:

  • Events database
  • Customer Experience Improvement Program

.NET Framework 3.5 and Remote Assistance

  1. On the Horizon View Connection Server, in Server Manager, click Add Roles and Features.
  2. In the Features page, expand .NET Framework 3.5 Features, and select .NET Framework 3.5.
  3. Scroll down, select Remote Assistance, and click Next. This feature is only needed if you will respond to Remote Assistance requests directly from the Horizon View Connection Server.
  4. In the Confirmation page, click Specify an alternate source path.
  5. Mount or extract the Windows Server ISO.
  6. Enter the path to the sources folder on the Windows Server ISO, and click OK. Then click Install.

Toolbox Installer

  1. Download the Fling. Check the box next to I have read and agree, and click Download.
  2. If upgrading, you’ll need to uninstall the old version first.

  3. Run the downloaded ToolBoxSetup.msi.
  4. In the Welcome to the HorizonToolbox Setup Wizard page, click Next.
  5. In the Select Installation Folder page, select Everyone, and click Next.
  6. In the BannerText page, click Next.
  7. In the Confirm Installation page, click Next.
  8. In the Installation Complete page, click Close.
  9. After the progress bar reaches 100%, click the X icon to close the installation window.

Firewall

  1. Run Windows Firewall with Advanced Security.
  2. Create a new Inbound Rule for port 18443.
  3. Select Port and, click Next.
  4. Enter TCP 18443 as the local port, and click Next.
  5. Allow the connection, and click Next.
  6. Name the rule Horizon Toolbox or something like that. Click Finish.

Toolbox Certificate

Horizon Toolbox comes with a self-signed certificate. It can be replaced by doing the following:

  1. Copy a certificate .pfx file to C:\Program Files\VMware\HorizonToolbox\HorizonToolbox7.4\conf.
  2. Edit the file server.xml that’s in the same conf folder. Make sure your text editor is elevated (as administrator).
  3. In your text editor, do the following:
    1. Scroll down to the <Connector port=”18443″ section (near line 85).
    2. Change the keystoreFile attribute to the name of your .pfx file.
    3. Change the keystorePass attribute to the password for your .pfx file.
    4. Add a new attribute keystoreType="PKCS12"
  4. Close and save the file.
  5. Restart the Apache Tomcat 8.5 Tomcat8 service.
  6. Point your browser to https://view.corp.local:18443/toolbox and there should be no certificate error. Note: it takes several seconds for the toolbox Tomcat service to start; you can watch it in Task Manager.

Login to Horizon Toolbox

  1. Point your browser to https://view.corp.local:18443/toolbox
  2. Login using Horizon Administrator credentials.
  3. The first time you login, you might be prompted for passwords to eventdb and vcenter. Enter the passwords, and click Set.
  4. The primary benefit of Horizon Toolbox is the Auditing reports. This data comes from the Events database. Find more info on these features at the Fling website.
  5. The Console Access tab lets you access the console of your Horizon Agent virtual machines.

Toolbox Remote Assistance

Note: The new Help Desk website is preferred over Toolbox Remote Assistance.

  1. On the Horizon Agent machine, navigate to the View Connection Server Horizon Toolbox folder \\vcs01\c$\Program Files\VMware\HorizonToolbox\HorizonToolbox7.4\webapps\toolbox\static\ra, and run Horizon_Remote_Assistance_Installer_v1035.exe.

    1. You might be prompted to install .NET Framework 3.5.


    2. Click Install for End User.
    3. Click OK to launch Remote Assistance.
    4. Close Remote Assistance.
    5. When done, click Finish.
  2. Users can initiate a request by clicking the Horizon Remote Assistance icon on the desktop.
  3. Click OK to submit a request.

  4. Support people can see support requests in the Toolbox interface, at Management > Remote Assistance, and switch to the Remote Assistance Requests tab.

Logon Monitoring

The VMware Logon Monitor Fling is built into Horizon 7.1 and newer.

The logon logs are stored at C:\programdata\VMware\VMware Logon Monitor\Logs on each Horizon Agent. The Fling website has a PDF that explains how to also store them on a file share.

Inside each session log file are logon time statistics. 

114 thoughts on “VMware Horizon 7.11 Connection Server”

  1. Hi Carl,

    VMwares product documentation specifies using netbios names when declaring additional domains via vdmadmin.

    https://docs.vmware.com/en/VMware-Horizon-7/7.11/horizon-console-administration/GUID-3E9924EC-1554-43E5-A812-84F9711909A5.html

    In a world where netbios has long been deprecated and disabled on nic interfaces can you provide any detail on why VMware are requiring netbios for Horizon & how it would work for connecting Connection Servers to additional domains (not the native domain that the specific windows server is joined to) in a different subnet (netbios name resolution is a broadcast & won’t traverse a router).

    Trying to understand an issue where a multi domain solution stopped seeing additional domains after upgrading to 7.8 and above, works fine with FQDN’s on 7.7.

    Thanks

    1. Every Active Directory domain has a NetBIOS name in addition to it’s DNS name. When you log into windows, you typically enter NetBIOS_Domain\username. The domain’s DNS name is typically only used for UPN logins.

      Note: computer names are also NetBIOS names, which is why they need to be 15 characters or less.

Leave a Reply to Rafael Cancel reply