VMware Horizon 7.13.3 Connection Server

Last Modified: Mar 22, 2023 @ 5:43 am

Navigation

This post applies to all VMware Horizon 7 versions including 7.13.3 (ESB).

💡 = Recently Updated

Change Log

Upgrade

If you are performing a new install, skip to Install Horizon 7 Standard Connection Server.

Notes regarding upgrades:

  • Upgrade all Connection Servers during the same maintenance window.
    • Downgrades are not permitted.
      • You can snapshot your Connection Servers before beginning the upgrade. To revert, shut down all Connection Servers, then revert to snapshots.
    • For Cloud Pod Architecture, you don’t have to upgrade every pod at once. But upgrade all of them as soon as possible.
    • Horizon Agents cannot be upgraded until the Connection Servers are upgraded.
    • All Connection Servers in the pod must be online before starting the upgrade.
    • Upgrade Horizon Composer before upgrading the Connection Servers.
    • It’s an in-place upgrade. Just run the Connection Server installer and click Next a couple times.
      • If upgrading from version 7.7 or older to version 7.8 or newer, then be aware of authentication changes.
    • For Security Servers, in Horizon Administrator, go to paired Connection Server, More Commands > Prepare for Upgrade or Reinstallation.
  • Upgrade the Horizon Group Policy template (.admx) files.
  • Upgrade the Horizon Agents.
    • It’s an in-place upgrade.
    • There’s no hurry. Upgrade the Horizon Agents when time permits.
  • Upgrade the Horizon Clients.
    • Horizon Clients can be upgraded anytime before the rest of the infrastructure is upgraded.

Install Horizon 7 Standard Connection Server

The first Horizon Connection Server must be a Standard Server. Subsequent Horizon Connection Servers are Replicas. Once Horizon Connection Server is installed, there is no difference between them.

A production Horizon Connection Server should have 10 GB of RAM and 4 vCPU.

  • In Horizon 7.2 and newer, each Horizon Connection Server can handle 4,000 connections.
  • In Horizon 7.1 and newer, each Horizon Connection Server can handle 2,000 connections.

Horizon 7.13.3 is the last release of Horizon 7 and will be supported until May 2023. VMware recommends upgrading all Horizon 7 implementations to Horizon 8.

To install the first Horizon Connection Server:

  1. Ensure the Horizon Connection Server has 10 GB of RAM and 4 vCPU. Source = Hardware Requirements for View Connection Server at VMware Docs.
  2. Windows Server 2019 is supported with Horizon Connection Server 7.8 and newer.
  3. Windows Server 2016 is supported with Horizon Connection Server 7.1 and newer.
  4. Horizon Composer cannot be installed on the Horizon Connection Server, and vice versa.
  5. The older Horizon Administrator (/flexadmin) is a Flash-based console. After December 2020, Chrome will no longer support Flash.
    • Horizon Console (/newadmin) is HTML5 and does not need Flash.
  6. Download Horizon 7.13.3 View Connection Server.
  7. If Horizon Toolbox is installed, uninstall it.
  8. Run the downloaded VMware-Horizon-Connection-Server-x86_64-7.13.3.exe.
  9. In the Welcome to the Installation Wizard for VMware Horizon 7 Connection Server page, click Next.
  10. If you are upgrading from version 7.7 or older to version 7.8 or newer, then acknowledge the authentication changes warning by clicking OK.
  11. In the License Agreement page, select I accept the terms, and click Next.
  12. In the Destination Folder page, click Next.
  13. In the Installation Options page, select Horizon 7 Standard Server, and click Next.
  14. In the Data Recovery page, enter a password, and click Next.
  15. In the Firewall Configuration page, click Next.
  16. In the Initial Horizon 7 Administrators page, enter an AD group containing your Horizon administrators, and click Next.
  17. In the User Experience Improvement Program page, uncheck the box, and click Next.
  18. In the Ready to Install the Program page, click Install.
  19. In the Installer Completed page, uncheck the box next to Show the readme file, and click Finish.
  20. If you upgraded to Horizon 7.8 or newer and want to re-enable Logon as current user:
    1. In Horizon Console 7.10 or newer, on the left, expand Settings and click Servers. Or in Horizon Administrator, on the left, go to View Configuration > Servers.

    2. On the right, switch to the tab named Connection Servers.
    3. Highlight the server you just upgraded and click Edit.

    4. Switch to the tab named Authentication.

    5. Scroll down, check the box next to Accept logon as current user and then click OK.

  21. If you upgraded to Horizon 7.8 or newer and want to re-enable sending the domain list to Horizon Client:
    1. In Horizon Console 7.10 or newer, on the left, expand Settings and click Global Settings. Or in Horizon Administrator, on the left, go to View Configuration > Global Settings.
    2. On the right, in the General section, click the Edit button.

    3. Near the bottom, check the box next to Send domain list. You might want to uncheck Hide domain list in client user interface. Then click OK.

Install Horizon 7 Replica Connection Server

Additional internal Horizon Connection Servers are installed as Replicas. After installation, there is no difference between a Replica server and a Standard server.

A production Horizon Connection Server should have 10 GB of RAM and 4 vCPU.

  • In Horizon 7.2 and newer, each Horizon Connection Server can handle 4,000 connections.
  • In Horizon 7.1 and newer, each Horizon Connection Server can handle 2,000 connections.

To install Horizon Connection Server Replica:

  1. Ensure the Horizon Connection Server has 10 GB of RAM and 4 vCPU.
  2. Windows Server 2019 is supported with Horizon Connection Server 7.8 and newer.
  3. Windows Server 2016 is supported with Horizon Connection Server 7.1 and newer.
  4. Download Horizon 7.13.3 View Connection Server.
  5. Run the downloaded VMware-Horizon-Connection-Server-x86_64-7.13.3.exe.
  6. In the Welcome to the Installation Wizard for VMware Horizon 7 Connection Server page, click Next.
  7. In the License Agreement page, select I accept the terms, and click Next.
  8. In the Destination Folder page, click Next.
  9. In the Installation Options page, select Horizon 7 Replica Server, and click Next.
  10. In the Source Server page, enter the name of another Horizon Connection Server in the group. Then click Next.
  11. In the Firewall Configuration page, click Next.
  12. In the Ready to Install the Program page, click Install.
  13. In the Installer Completed page, click Finish.
  14. Load balance your multiple Horizon Connection Servers.

Horizon Connection Server Certificate

  1. Run certlm.msc (Windows 2012+). Or run mmc, add the Certificates snap-in, and point it to Computer > Local Machine.
  2. Request a new certificate with a common name that matches the FQDN of the Connection Server, or import a wildcard certificate.
  3. Note: the private key must be exportable. If using the Computer template, click Details, and then click Properties.
  4. On the Private Key tab, click Key options to expand it, and check the box next to Mark private key as exportable.
  5. In the list of certificates, look for the one that is self-signed. The Issuer will be the local computer name instead of a Certificate Authority. Right-click it, and click Properties.
  6. On the General tab, clear the Friendly name field, and click OK.
  7. Right-click your Certificate Authority-signed certificate, and try to export it.
  8. On the Export Private Key page, make sure Yes, export the private key is selectable. If the option to export the private key is grayed out, then this certificate will not work. Click Cancel.
  9. Right-click your Certificate Authority-signed certificate, and click Properties.
  10. On the General tab, in the Friendly name field, enter the text vdm, and click OK. Note: only one certificate can have vdm as the Friendly name.
  11. Then restart the VMware Horizon View Connection Server service. It will take several seconds before you can connect to Horizon View Administrator.

Horizon Portal – Client Installation Link

If you point your browser to the Horizon Connection Server (without /admin in the path), the Install VMware Horizon Client link redirects to the VMware.com site for downloading of Horizon Clients. You can change it so that the Horizon Clients can be downloaded directly from the Horizon Connection Server.

  1. On the Horizon Connection Server, go to C:\Program Files\VMware\VMware View\Server\broker\webapps.
  2. Create a new folder called downloads.
  3. Copy the downloaded Horizon Client 5.2 for Windows to the new C:\Program Files\VMware\VMware View\Server\broker\webapps\downloads folder.
  4. Run Notepad as administrator.
  5. Open the file C:\ProgramData\VMware\VDM\portal\portal-links-html-access.properties file with a text editor (as Administrator).
  6. Go back to the downloads folder, and copy the Horizon Client filename.
  7. In Notepad, modify link.win32 and link.win64 by specifying the relative path to the Horizon Client executable under /downloads. Note: In Horizon Client 4.3 and newer, there’s only one Horizon client for both 32-bit and 64-bit. The following example shows a link for the Horizon win64 client.
    link.win64=/downloads/VMware-Horizon-Client-5.2.0-14570289.exe
  8. Then Save the file.
  9. Restart the VMware Horizon View Web Component service, or restart the entire Connection Server.
  10. It will take a few seconds for the ws_TomcatService process to start so be patient. If you get a 503 error, then the service is not done starting.
  11. Now when you click the link to download the client, it will grab the file directly from the Horizon Connection Server.
  12. Repeat these steps on each Connection Server.

Portal Branding

Chris Tucker at Horizon View 7.X – Branding the Logon page details how to brand the Horizon 7.1 and newer portal page.

LDAP Edits

Horizon Console Timeout

The HTML5 Horizon Console (https://MyConnectionServer/newadmin) has a default timeout of 10 minutes. Changing the Horizon Administrator timeout will not affect the Horizon Console timeout. You can use adsiedit.msc to increase the Horizon Console timeout.

  1. On the Horizon Connection Server, run ADSI Edit.
  2. Right-click ADSI Edit, and click Connect to.
  3. Change the first selection to Select or type a Distinguished Name, and enter dc=vdi,dc=vmware,dc=int.
  4. Change the second selection to Select or type a domain or server, and enter localhost. Click OK.
  5. Navigate to Properties > Global. On the right, double-click CN=Common.
  6. Scroll down, click to highlight pae-APISessionTimeout, and click Edit.
  7. Enter a value in minutes. Click OK.

Mobile Client – Save Password

If desired, you can configure Horizon Connection Server to allow mobile clients (iOS, Android) to save user passwords.

  1. On the Horizon Connection Server, run ADSI Edit.
  2. Right-click ADSI Edit, and click Connect to.
  3. Change the first selection to Select or type a Distinguished Name, and enter dc=vdi,dc=vmware,dc=int.
  4. Change the second selection to Select or type a domain or server, and enter localhost. Click OK.
  5. Navigate to Properties > Global. On the right, double-click CN=Common.
  6. Scroll down, click to highlight pae-ClientCredentialCacheTimeout, and click Edit.
  7. Enter a value in minutes. 0 = no saving of credentials. -1 = no timeout. Click OK.

Biometric Authentication – iOS Touch ID, iOS Face ID, Fingerprints, Windows Hello

Biometric authentication, including Touch ID, Face ID, Fingerprints, and Windows Hello, is disabled by default. To enable: (source = vDelboy – How to Enable Touch ID in VMware Horizon 6.2 and Configure Biometric Authentication at VMware Docs)

  1. On the Horizon Connection Server, run ADSI Edit.
  2. Right-click ADSI Edit and click Connect to…
  3. Change the first selection to Select or type a Distinguished Name and enter dc=vdi,dc=vmware,dc=int.
  4. Change the second selection to Select or type a domain or server and enter localhost. Click OK.
  5. Navigate to Properties > Global. On the right, double-click CN=Common.
  6. Find the attribute pae-ClientConfig and double-click it.
  7. Enter the line BioMetricsTimeout=-1, and click Add. Click OK. The change takes effect immediately.

Disallow Non-empty Pool Deletion

Configure View to Disallow the Deletion of a Desktop Pool That Contains Desktop Machines at VMware Docs.

  1. On the Horizon Connection Server, run ADSI Edit.
  2. Right-click ADSI Edit and click Connect to…
  3. Change the first selection to Select or type a Distinguished Name and enter dc=vdi,dc=vmware,dc=int.
  4. Change the second selection to Select or type a domain or server and enter localhost. Click OK.
  5. Navigate to Properties > Global. On the right, double-click CN=Common.
  6. Find the attribute pae-NameValuePair, and double-click it.
  7. Enter the line cs-disableNonEmptyPoolDelete=1, and click Add. Click OK. The change takes effect immediately.

Load Balancing

See Carl Stalhood’s Horizon Load Balancing using NetScaler 12.1.

Remote Desktop Licensing

If you plan to build RDS Hosts, then install Remote Desktop Licensing somewhere. You can install it on your Horizon Connection Servers by following the procedure at https://www.carlstalhood.com/delivery-controller-7-15-ltsr-and-licensing/#rdlicensing.

Antivirus

VMware Tech Paper Antivirus Considerations for VMware Horizon 7: exclusions for Horizon View, App Volumes, User Environment Manager, ThinApp

Help Desk Tool Timing Profiler

Horizon 7.2 and newer include a web-based Help Desk Tool. Run the following command to enable the timing profiler on each Connection Server instance to view logon segments.

vdmadmin -I -timingProfiler -enable

Logon Monitoring

The VMware Logon Monitor Fling is built into Horizon 7.1 and newer.

The logon logs are stored at C:\programdata\VMware\VMware Logon Monitor\Logs on each Horizon Agent. The Fling website has a PDF that explains how to also store them on a file share.

Inside each session log file are logon time statistics. 

238 thoughts on “VMware Horizon 7.13.3 Connection Server”

  1. Hello, Is anyone else getting failed login when trying to get into the Horizon HTML5 Console on 7.11? fails every time on HTML5 but works perfectly on the older Flash console. Its not that whole CheckOrigin=False thingy manifesting in other ways is it?

  2. Has any had an issue upgrading from 7.7 to 7.10 and then can no longer see a child domain in the Horizon Administrator console?

    1. same issue in 7.11, child domain no longer can be seen even after adding with ‘vdmadmin’ command. I’ve opened a case with VMware who replicated the issue, hopefully will have a fix soon.

  3. Hello, Carl. I love your guides. I haved installed UAG and horizon view server following your guides.
    It worked perfectly. But it stopped working suddenly(or not). I was using LetsEncrypt certificates for UAG,View server.
    After I replaced certificates(import new pfx and change thumbprint, friendly name), when I try to connect to vm,
    connections failed and the message shown as below.
    “Error putting route. Reason – Connection refused: localhost/127.0.0.1:8123”

    Where should we look? please give me some advices

  4. Hi Carl,

    i am facing issue in some of the clients where vmware horizon client unbale to connect VDi with error “invalid license info for-rds-license: Missing client id”.
    What could be problem ?
    HP thin client is running with windows 10 Enterprise 2016 version.

    Thanks in advance.

      1. Did you ever figure anything out on this? We see this on a handful of terminals and updating horizon client appears to be a quick workaround. We’ve typically seen this after updating connection managers. I had opened a ticket a while ago and VMware was not helpful.

  5. Hi Carl! Not sure what I am doing wrong here but I have 3 of my connection servers behind a load balancer, I have created a internal CA signed cert on each of our connection servers and added the SAN name for the cluster on each cert. I have added the checkorigin and balancedhost entries on the locked.properties file and we also configured the netscaler to do the SSL bypass per your load balancing guide but were still having issues with the Horizon client. When pointing the Horizon client to the load balancer host name I get an error stating “The tunnel server presented a certificate that didnt match the expected certificate” error. Can you please help point me in the right direction to fix this?

    1. You mean load balancing is configured for SSL_BRIDGE?

      On the Connection Servers, for the certificate, is the private key exportable? Did you move the vdm friendly name to the new certificate?

  6. Great article, thank you so much! I’ve done upgrade to 7.9 and i have a problem with Avast Pro Antivirus I couldnt upgrade Horizon Agent to 7.9 (rolling action error) until I deleted Avast. And my zero clients with Terradici firmware 4.8.2 wasn’t able to connect to Horizon until I updated them to 5.5.1, all my client with fw version 5.4 working like a charm.

    Looking forward for your new great articles.

  7. Hello,
    On Connection Server, I want to use a certificate issued by our internal CA Server. I have imported the certificate and changed the friendly name to vdm. Restarted service. But, clients connection fails with error – “Error – An SSL error occured”

  8. Hello,

    After upgrading my connection server 7.9 my physical workstations that were accessed via horizon view are no longer accessible. I have installed the upgraded agent on the physical workstations and i can see them listed in the admin portal as available.

    When a user attempts to connect from outside of the organization via RDP protocol they get an error stating: The connection to the remote computer failed. Their was an unexpected RDP disconnection. Microsoft RDP error code = 4. I tried both Blast and PCoIP which all these worked prior the the connection server upgrade. Blast and PCoIP appear like they are going to connect …and then they get the “The connection to the remote computer ended”

    The events log on the connection server show the following…”The agent running on machine “——” has accepted an allocated session for user “———“.

    Do I need to make any changes to my network firewall to allow these connections to work?

    Connecting to my virtual workstations outside of the office are fine and work as expected. Its just that the physical workstations are no longer accessible.

    Interesting this started after the upgrade to the connection server which I went from 7.4 to 7.9 and upgrade went smoothly.

    Thoughts?

  9. Hello Carl,
    is the Logon Monitoring still supported? There us nothing official about it, but with Horizon 7.6+ it seems not working anymore. Many people having problems getting the LM working, including myself.

    Read about it here: https://communities.vmware.com/thread/604965

    Do you have any intel on this matter?

    I am currently testing Horizon 7.9, but without Enterpirse license and helpdesk-tool there no way investigation logon times.

    Kind regards
    Patrick

  10. Have a question that I’m hoping you could share some insight on, I have 3 RDS farms 1 hosting Office, 1 hosting Project and Visio, and 1 hosting an ERP application. All published as seamless applications, now the ERP software can be used to open documents such as Word, Excel etc etc if the application is available. What I’d like to do is install the Horizon Client on the farm with the ERP software (is this advisable when that farm is also being used to publish apps?) and second if it’s ok to do so is there a way to get the Horizon Client to automatically login and place the shortcuts in the menu so that file type redirection works without priming the account before hand?

    Thanks

    1. You might have to write a script to launch the Horizon Client at logon. Maybe something like this:

      “C:\Program Files\VMware\VMware View\Client\bin\wswc.exe” -loginascurrentuser true -serverurl “boker name”

      1. Thanks, will have to give that a try. I wish VMware would release something like the Citrix Offline-plugin. I’m curious what would happen if logged into the server where I’m publishing applications from and I open the Horizon published app. I guess some testing still to do before I figure out what all the quirks are and if any can be worked around.

  11. Dear Carl,
    i have this horizon issue in my infrastructure, any ideas

    vCenter:
    No Problem Detected , Certificate is untrusted but the thumbprint for the certificate is accepted.

    On one of my connection servers :

    The service is not working properly.
    SSL Certificate: Unknown

    Thanks for your time!

  12. So we are doing a migration from Citrix 7.15 to VMware 7.7 published applications . Strange fact ,when we install the VMware 7.7 agent on Citrix server with VDA 7.15 it installs with no problem, The problem is when you reboot the server any other changes do not stick after a reboot . So if you install a hot fix , put files on the server desktop they are all gone after a reboot . We tried all available VMware Horizon 7.x agents and it only works with 7.4 and below .

  13. Hello,

    I am trying to upgrade to 7.8 and keep getting an error “failed to generate ssl certificates” It stops the install and rolls everything back. VMware is thinking is HBSS related but still having issues. Any thoughts would be great.

    Thanks

  14. Hi Carl,

    Is there any chance to change the server name for connection server? I have to change the server name that we are accessing through Horizon Client.

    Thank you.

  15. Hi Carl, using Horizon Agent Direct connection 7.8 and trying to replace the default SSL certificate with a valid wildcard cert, however upon restart of the Horizon View agent service the wildcard cert disappears and a new copy of the self-signed/local cert is back, with the friendly vdmdefault in properties – any ideas why it’s getting reinstated?

  16. Hi Carl,

    I need an help that i have an Horizon view 7.6 last week onwards my VDI machines are not powering on automatically even i set the power policy for the Desktop pool “Ensure machines are always powered on” its not happening i have to do it manually every time, Kindly advice.

    Regards
    Thiru

  17. Hello,
    I would need your help please. We have a Windows virtual machine vCenter Server 5.5 and a Horizon View 7.3.2
    I plan to install a new Windows virtual machine vCenter Server in 6.5 version.
    All the VDI VM are in a manuel desktop pool.

    Once this new vCenter Server 6.5 VM is installed, I plan to add it in the 7.3.2 View administrator
    I have read this VMware KB article https://kb.vmware.com/s/article/57368 concerning a restriction about moving a vcenter for an Horizon view environment.

    Do you confirm that I have to apply this KB in order to move manuel VDI VM desktops from the between vCenter Server 5.5 to 6.5 VMware vCenter Server

    1. The article says this:

      “In a Manual Desktop Pool, the desktop VMs are managed by vCenter Server or some other source. The machines (typically Full clone Agent VMs) can be removed from the pool in Horizon Administrator (select the option Remove VMs from View Manager only) and then migrated manually to a new location, such as a new cluster under a new vCenter, using new storage. From there, they can be added to a new or existing Full Clone Manual pool and re-assigned to the appropriate user.”

      1. Hi Carl, It’s on a different topic altogether, I have installed the JMP Server(7.7), however when adding it to the Horizon Console, getting the error, “The JMP server is unavailable” . Its not a production environment and by default JMP should have accepted the connection, could you please have a post on that.

  18. Why this please?

    Upgrade all Connection Servers during the same maintenance window.

    If I am not doing any recomposes or provisioning , I can do it in separate windows?

    ( Doing 7.4 -> 7.5 )

    wanted to do composer and one connection server, then the next day switch connections to the other server, then upgrade the original

    1. “If you do not upgrade all Connection Server instances in a replicated group, the health indicators in the Horizon Administrator dashboard might show that one or more instances are in an error state. This situation arises because different versions supply different kinds of data. The solution is to upgrade all instances in the replicated group.” https://docs.vmware.com/en/VMware-Horizon-7/7.7/horizon-upgrades/GUID-661FC6A5-7B57-4863-B10A-454375447AEE.html

  19. Hi Carl, I need an help regarding to deploy Horizon view 7.7 , i am planning to get it done with VCSA 6.0 will it work with Horizon view i have to create separate database for the Horizon view in SQL or else i can use the same vcenter presql? Kindly guide me how to proceed with Horizon view 7.7 with VCSA? also let me know this is advisable VCSA with Horizon view.

    Note:- This is new environment

      1. I am asking about if i use the VCSA for Horizon view, what about the database for Composer have to use the separate SQL instance for that and separate server for composer. Previously we will use the composer on Vcenter itself. Kindly advice.

          1. Thank You Carl. I am going to prepare the new environment as mentioned below,

            1. VCSA 6.0
            2. Composer Server (Windows)
            3. SQL Server (Windows)( 3 Instance Composer, Event and Update manager)
            4. Update Manager (Windows)
            5. Connection Server (Windows)

            Note :- We are using Windows Vcenter but i have to change it now because in future Windows Vcenter will be rolled out it seems can you conform that whether i have choose the right platform for the new environment.

            Thanks in Advance.

  20. Hi Carl,
    Thank you.
    I have ran into an issue, I upgraded Horizon View from 7.3.2 to 7.7.0.
    I am connecting to my vdi through Dell WYSE terminal, I enter the connection server address, click Connect and get an error ‘View Connection Server Communication error’.
    I have checked the settings, enabled TLS, in the logs, it doesn’t give me much information as to why it is failing.
    Any ideas as to why or if you need any more information, please let me know.
    Much appreciated.

    1. This is usually but not exclusively firmware on thin clients. Teradici (PCoIP) based thin clients get their Horizon Client version from their firmware level. If it is too old you will eventually get these kinds of errors. We had the same issue with HP Zero clients that were woefully out of date on version 4.8.0. They could connect to 7.3.2 but when we upgraded to 7.6 (then 7.7) they got the View Connection Server Communications error. Updating the firmware to 5.5.1 resolved it.

  21. Hi Carl,
    at the Moment I am running 7.1.0 build-5170113.

    Is there a need to Upgrade? Do I lack Features/Performance/Security?
    Under the Hood there are Server 2012R2 Machines. I would migrate to a SRV 2016 if I had to reinstall.
    Our Environment runs fairly stable.

    Which Upgrades would you recommend?

    You are doing a great Job here. Via PayPal I would love to buy you a Coffee.

    Best Regards,

    Wolther

    1. See https://kb.vmware.com/s/article/52845 for info on Extended Service Branch.

      The downloads page for each version has a link to Release Notes for that version so you can see new features and bug fixes.

      If you’re doing App Volumes, then you might want to upgrade more frequently to get bug fixes and performance improvements.

  22. Hey Carl I have a question for you, love the View Horizon HowTo. I am install Horizon 7.6 in my home lab. My setup is kind of like yours in the howto’s that I have a .local domain and have a additional mycompany.com forwarder in the DNS server. I do own a wildcard SSL cert for mycompany.com. So I guess the question is do I use the cert on my connection server or stick to using a .local one. And my second question is which isn’t for this particular thread is when I get to installing the security server do I set the URLs up for the mycompany.com plubic address, adding the address to my DNS sever and do I use my single public IP as the PCoIP address or do I use the IP of the Security server? I use a pfSense firewall and HAProxy forward my HTTP/S traffic to my various servers.

    Thanks!

    1. It depends on where you want to connect from. If from external, then you want the public IP. If you can modify HOSTS files, then the FQDN and certificate can be anything.

      Note: I would be using UAG instead of Security Server.

  23. Hello Carl!

    I am having this issue where i am creating desktop pools using Windows 7 (32-bits) and it keeps on initializing. Is this a known issue in 7.5.1?

  24. Something changed in 7.6 with HTTPS and Blast. Upgrading a (7.5) connection server to 7.6 and it broke my netscaler load balancing… Not sure what yet…
    I can bypass the LB, seems to work.. But if I try and use the LB, just says the services are down (HTTPS and BLAST)

    1. My issues seems to be on the netscaler, as I am getting a “Time out during SSL handshake stage” NS version 11.1 Build 57.11 nc

      1. Some NetScalers don’t TLS 1.2 ciphers in the default backend cipher group. I sometimes have to enable the Default SSL profile, then edit the ciphers in the backend cipher group. A network trace can show you SSL Handshake issues.

  25. Hi Carl, thanks for all your great articles. It seems like all of my horizon google queries get routed straight to your blog. Do you know if there is a way for horizon clients to authenticate as the vdm_user to windows 10 desktops and leave them at the windows login screen where they can then login? I am trying to create a more user-friendly login page for a kiosk zero client. Thanks!

  26. Good Afternoon Carl, I’ve create a Cert on my Connection Server 1, do i need to create one on my second Connection Server?

    1. You can export the existing cert and import it to the other server. Or you can generate a new cert with new keys on the second server.

    2. Thanks. Also my vCenter Server is a 6.5 VCSA, will it work? The reason I ask is that will not let me enable the storage size and gives me an error about bad username and password when I try to add it.

        1. Thanks for the info. I was able to get all my servers added in the Admin Console. Now I get a error when trying to login to the Horizon Client that the View Connection Server License key is invalid. Do i need a really key? Does it not run for 60 days with an eval key like vSphere?

  27. Hey Carl, thanks for the excellent guides – I’ve referenced them many times!

    Have you ever thought of doing one on VMware vRealize Operations for Horizon? It seems like a separate product that has its own intricacies and does not follow the Horizon or vROPs release cycle. For example, I’m using Horizon 7.4 and vROPs 6.7, but the latest vRealize Operations for Horizon version is 6.51.

    I believe many people have vROPs and would love to be able to get the advanced Horizon display protocol statistics, user session information, dashboards and alerts. A good guide on how to connect the dots would be very useful!

    1. FYI, vROPS 6.7 is not support on any version of Horizon currently. My ticket with vmware said you wont get proper data (if any from the desktops)

    1. So far, I’ve been unsuccessful with installing JMP. I keep getting a uem-migrate error about client certificate or database user.

      1. I keep getting that error. Documentation says you need to install the SQL cert on you JMP server in the local computer store. I did this but still no luck. If you uncheck use SSL for the DB connection it will install. I found that the ODBC it builds is using the SQL Server ODBC 10.0 drivers. I can’t get encryption working with them (SQL Server 2016). If I install 13.0 drivers and build the ODBC it works with encryption but the installer will replace the ODBC with the 10.0 one. I got it installed without encryption but cant get View registered with it. Keeps going between either JMP server is unrecognized or SSO Token error. I have set the time sync up on all the servers.

      2. I was also getting this uem-migrate error even when unchecking “use SSL for DB connection”. It turns out that if you install your SQL database on the JMP server, the installer will automatically find “(local)\SQLEXPRESS”, connect to it fine, and get most of the way through the installation before failing with that error.

        You just need to use the actual hostname of the JMP server (i.e. “HORIZON-JMP\SQLEXPRESS”) instead of the auto-populated value for installation to succeed.

  28. Hey Carl,

    Great document!

    I need some guidance. I have 2 Horizon View 7.1 sites with about 120 VDI user sessions and 350 RDSH. vCenter Server 6.5 on both sites. Hosts are connected to vSAN 6.5 on a 10gb network.

    What are the design requirements to configure and install vROPS for Horizon 6.5.1 on Horizon View 7.1 or 7.3?

  29. Hi,

    I have installed horizon 6: the composer is on the same vCenter server and all is working fine. Now the task is to install the horizon 7, so I installed the View, Composer, Replica each one in a server. The vCenter is the same for both (Horizon 6 and Horizon 7). When I want to run a new machine on Horizon 7, I receive a message: clone error.

    ¿Do you know what could be the issue in this topology?

  30. Carl,

    I was able to fix my client download issue by adding “|/downloads(.*)” to the UAG’s Proxy Pattern

  31. When trying to download the client “Horizon Portal – Client Installation Link” going trhough the UAG I get a Error 404
    “No webpage was found for the web address:”
    HTTP ERROR 404

    If I go straight to the connection server it downloads the client file no problem.

    1. I am seeing the same thing. Internally the download works fine but when accessing from the Internet the browser says the file does not exit at the location specified. I am guessing the client installer needs to be copied to the UAG?

  32. Carl, Great info. Sorry it this is off topic but are you familiar with App Volumes, specifically which anti-virus software is compatible. We have a client that has all the appstacks working just fine, except when they have managed McAfee running on VDIs. Thanks.

    1. smadaras,
      It is not a good idea to layer antivirus software. Just put it on your master machine and it will be fine. We are using Mcafee MOVE configured like that and no problem here.

  33. Thanks for you docs and may i ask a question?I am on going a PoC in customer environment ,The customer wants to using Touch ID login to Horizon Desktop so I replicated default certification of Security and Connection Server by a certificate issue by internal CA, and the Security server has public to the Internet (Internal domain name is diffre the external domain name), I was installed internal CA root certificate in my iPhone 8 , But I can login to Horizon and the error is “Untrusted Horizon connection, VMware Horizon can’t validate your connection,Please contact your administrator”
    My Question is Can I using internal CA certificate to login the Horizon except the Horizon client option ” Didn’t validate server certificate”

  34. Hi Carl,

    First of all thank you for the really helpful blog.

    Could you please advise for one topic.

    I’m planing to upgrade Connection server which is on Server 2012 to Server 2016.
    Is it fine to create second Connection server as a replica which will be on server 2016 and after its been configured to disable the first (Standard) Connection Server which is on server 2012?
    Or should I export configuration from 2012 and import it to 2016?

    Thank’s in advance.

  35. Hi Carl,
    The HelpDesk Tool with the timing profiler shows 10 seconds to login, while the logon monitor logs shows 7.8 seconds, from what i checked with a stopwatch the timing profiler is much more accurate,
    how come? did you notice it too?

  36. Carl,
    I’m trying to do in place upgrade to 7.3 from 7.1. In the past was straight forward upgrade by executing the connection server exe. like you said in your notes Now for some reason installation it stuck on License agreement windows and it won’t go any further by clicking Next. There is no error message anywhere. I checked in the vminst.log I see this – “Found CEIP enabled flag HAS NOT been set.” End Logging.
    I don’t recall doing anything with CEIP during the install.
    Composer has been upgraded successfully without any issue.We have 3 connection servers and upgrade process is stopping on the same spot on all of them.
    Do you have any idea why installation is not continue?
    Thanks

    1. i had the same problem. the only solution was to deinstall the connection server and then reinstall the new one. it keeps all the settings…

      1. Thanks. I did that already and it was successfull, but then I had issue with provisioning machines from Composer. What option did you choose when installing the new one? I did Replica, but I didn’t remove my ADAM database. I couldn’t find any specific explanation if the database is upgraded during the install.

          1. Had similar Issues. Could get past the CEIP with support but other Problems let the installation roll back. Horizon 7.3 Downloads have been removed by VMware. Info from Support: Wait for 7.3.1 :-/

      1. I was able to upgrade by Christoff’s solution. Removing and installing the new version, but like I said in my comments you may have some other issues after that. Andreas also mention that he worked with the Vmware support and they suggested to him to wait for 7.3.1 version. I did check Vmware download site and currently there is no downloads available under 7.3.

    2. It is worth mentioning that VMware has pulled the 7.3 update from the site and is advising customers who downloaded it to NOT install at this time. There are some major production stopping issues if you proceed with the upgrade. They are thinking of releasing an updated release next week, according to what I was told on the phone.

  37. Hi. How do i configure same URL for external and internal traffic, if it is possible. With the current configuration trying to get the same URL, I am getting ssl validation error for internal traffic. Using wildcard cert in the setup.

    1. Internally, when you ping the DNS name, what IP does it resolve to? Is it a load balancer? If so, do you have a valid certificate on it?

      Are you internally connecting from thin clients? If so, did you push the root certificate to the thin clients?

      Do you have separate Connection Servers for internal? If so, did you disable the Secure Gateways?

      1. The DNS entry internally is one of the Connection Server (Standard one in my case) address. I manually change the DNS entry in case of a CS failure.

        I have 3 CS in the setup. All 3 has the Secure Gateway and Secure Tunnel are disabled in it. No separate CS for internal.

        When having the Secure Gateway and Secure Tunnel disabled, my external connection works fine.

        Internal connection get SSL validation error for blast connections thru HTML.

        1. Ok. That means the certificate installed on each Horizon Agent is not trusted. One option is to proxy the Blast connections through a Connection Server by enabling the Blast Secure Gateway. Another option is to use UAG internally. Another option is to replace the certificates on every Horizon Agent.

          1. I am using the same wildcard cert in the Horizon Agent as well. Just that I am not using the “”vdm” friendly name. Is that necessary? Tried it with friendly name as well. If this is wrong one for the Horizon Agent. Which one needs to be used? Tried to click cert which throws the error before it reloads, I could see the wildcard which I have installed.

  38. Hey Carl, thanks again for the great documentation! Just an FYI, first time i tried to log on to the helpdesk portal I received the following error: “Authentication failed, invalid domain, username or password. Please try again”.

    I followed Pascal van de Bor’s blog: https://pascalswereld.nl/2017/07/02/horizon-7-2-with-a-little-helpdesk-from-my-friends/ (Thanks Pascal!) to solved the issue.

    See for reference: https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2144768

  39. It seems as if once we updated to 7.0.3, we are seeing a crazy amount of warnings. We are seeing a ton of “Unable to Launch pool…is not ready to accept connections” as well as The pending session for user…has expired” These are occurring on our internal pools as well as the pools our external users connect to. The parent VM has the latest client. I am at a loss as what this could be and i’m sure there are plenty of things it could be.

    We haven’t heard any screams about users being disconnected or anything along those lines, but those calls may not be getting through the helpdesk to us.

    Any ideas/suggestions? Anything would be appreciated at this point.

    Thanks!!

    1. It’s the securegateway.exe on the connection servers. I have had a total nightmare with this sofar and not resolved yet. My advise is to not upgrade to 7 if you are using secure gateways services for PCoIP connections.

  40. Just an addition to Horizon Toolbox and upgrading to a newer Horizon Connection server version.

    If you have Toolbox installed, make sure to uninstall this first before you do an in place upgrade on the connection server. The Tomcat service and Web component service freak out and Horizon View administrator won’t work after in place upgrade.

  41. Hi Carl, you’re blog is awesome! If you’re ever in Charleston SC I would love to buy you dinner. 🙂 Question: Do you know if Remote Assistance can be initiated in both directions? For example, can an administrator request to view a users desktop? Would need for the user to accept or deny the request…

  42. Carl thank you for this Post. it was really good. I’m impressed. I did run into an issue with the new version of Horizon Toolbox. I installed the new version 2.1.2. If I were to set a pfx file like you did and specified the new attribute keystoreType=”PKCS12″, Tomcat would not restart. Instead, I removed this extra setting, and then everything worked and the site was signed.

    Thank you again.

    1. It works for me in 2.1.2 with the keystoreType. I noticed that one of your quotes is a curly quote instead of a straight quote.

  43. Hello Carl! Tank you for this post. I have a problem, after the installation, I don’t see all of the Vmware services when i open the services.msc. I only have 2 services running: the blast secure gateway and the Security Gateway Component services.
    Do you know what can cause this issue?

  44. hey i like your blog. Just setting up Horizon 7 in my dev environment. I am looking at the replica connection server. I guess it functions exactly like a front end webserver that is load balanced behind an F5?

    1. Kind of. It also has an LDAP directory that replicates with other Connection Servers.

      The Connection Server is just a broker. It selects a Horizon Agent for the user and tells the user to connect directly to the Agent.

Leave a Reply

Your email address will not be published. Required fields are marked *