VMware Horizon 7.13.3 Connection Server

Last Modified: Mar 22, 2023 @ 5:43 am


This post applies to all VMware Horizon 7 versions including 7.13.3 (ESB).

💡 = Recently Updated

Change Log


If you are performing a new install, skip to Install Horizon 7 Standard Connection Server.

Notes regarding upgrades:

  • Upgrade all Connection Servers during the same maintenance window.
    • Downgrades are not permitted.
      • You can snapshot your Connection Servers before beginning the upgrade. To revert, shut down all Connection Servers, then revert to snapshots.
    • For Cloud Pod Architecture, you don’t have to upgrade every pod at once. But upgrade all of them as soon as possible.
    • Horizon Agents cannot be upgraded until the Connection Servers are upgraded.
    • All Connection Servers in the pod must be online before starting the upgrade.
    • Upgrade Horizon Composer before upgrading the Connection Servers.
    • It’s an in-place upgrade. Just run the Connection Server installer and click Next a couple times.
      • If upgrading from version 7.7 or older to version 7.8 or newer, then be aware of authentication changes.
    • For Security Servers, in Horizon Administrator, go to paired Connection Server, More Commands > Prepare for Upgrade or Reinstallation.
  • Upgrade the Horizon Group Policy template (.admx) files.
  • Upgrade the Horizon Agents.
    • It’s an in-place upgrade.
    • There’s no hurry. Upgrade the Horizon Agents when time permits.
  • Upgrade the Horizon Clients.
    • Horizon Clients can be upgraded anytime before the rest of the infrastructure is upgraded.

Install Horizon 7 Standard Connection Server

The first Horizon Connection Server must be a Standard Server. Subsequent Horizon Connection Servers are Replicas. Once Horizon Connection Server is installed, there is no difference between them.

A production Horizon Connection Server should have 10 GB of RAM and 4 vCPU.

  • In Horizon 7.2 and newer, each Horizon Connection Server can handle 4,000 connections.
  • In Horizon 7.1 and newer, each Horizon Connection Server can handle 2,000 connections.

Horizon 7.13.3 is the last release of Horizon 7 and will be supported until May 2023. VMware recommends upgrading all Horizon 7 implementations to Horizon 8.

To install the first Horizon Connection Server:

  1. Ensure the Horizon Connection Server has 10 GB of RAM and 4 vCPU. Source = Hardware Requirements for View Connection Server at VMware Docs.
  2. Windows Server 2019 is supported with Horizon Connection Server 7.8 and newer.
  3. Windows Server 2016 is supported with Horizon Connection Server 7.1 and newer.
  4. Horizon Composer cannot be installed on the Horizon Connection Server, and vice versa.
  5. The older Horizon Administrator (/flexadmin) is a Flash-based console. After December 2020, Chrome will no longer support Flash.
    • Horizon Console (/newadmin) is HTML5 and does not need Flash.
  6. Download Horizon 7.13.3 View Connection Server.
  7. If Horizon Toolbox is installed, uninstall it.
  8. Run the downloaded VMware-Horizon-Connection-Server-x86_64-7.13.3.exe.
  9. In the Welcome to the Installation Wizard for VMware Horizon 7 Connection Server page, click Next.
  10. If you are upgrading from version 7.7 or older to version 7.8 or newer, then acknowledge the authentication changes warning by clicking OK.
  11. In the License Agreement page, select I accept the terms, and click Next.
  12. In the Destination Folder page, click Next.
  13. In the Installation Options page, select Horizon 7 Standard Server, and click Next.
  14. In the Data Recovery page, enter a password, and click Next.
  15. In the Firewall Configuration page, click Next.
  16. In the Initial Horizon 7 Administrators page, enter an AD group containing your Horizon administrators, and click Next.
  17. In the User Experience Improvement Program page, uncheck the box, and click Next.
  18. In the Ready to Install the Program page, click Install.
  19. In the Installer Completed page, uncheck the box next to Show the readme file, and click Finish.
  20. If you upgraded to Horizon 7.8 or newer and want to re-enable Logon as current user:
    1. In Horizon Console 7.10 or newer, on the left, expand Settings and click Servers. Or in Horizon Administrator, on the left, go to View Configuration > Servers.

    2. On the right, switch to the tab named Connection Servers.
    3. Highlight the server you just upgraded and click Edit.

    4. Switch to the tab named Authentication.

    5. Scroll down, check the box next to Accept logon as current user and then click OK.

  21. If you upgraded to Horizon 7.8 or newer and want to re-enable sending the domain list to Horizon Client:
    1. In Horizon Console 7.10 or newer, on the left, expand Settings and click Global Settings. Or in Horizon Administrator, on the left, go to View Configuration > Global Settings.
    2. On the right, in the General section, click the Edit button.

    3. Near the bottom, check the box next to Send domain list. You might want to uncheck Hide domain list in client user interface. Then click OK.

Install Horizon 7 Replica Connection Server

Additional internal Horizon Connection Servers are installed as Replicas. After installation, there is no difference between a Replica server and a Standard server.

A production Horizon Connection Server should have 10 GB of RAM and 4 vCPU.

  • In Horizon 7.2 and newer, each Horizon Connection Server can handle 4,000 connections.
  • In Horizon 7.1 and newer, each Horizon Connection Server can handle 2,000 connections.

To install Horizon Connection Server Replica:

  1. Ensure the Horizon Connection Server has 10 GB of RAM and 4 vCPU.
  2. Windows Server 2019 is supported with Horizon Connection Server 7.8 and newer.
  3. Windows Server 2016 is supported with Horizon Connection Server 7.1 and newer.
  4. Download Horizon 7.13.3 View Connection Server.
  5. Run the downloaded VMware-Horizon-Connection-Server-x86_64-7.13.3.exe.
  6. In the Welcome to the Installation Wizard for VMware Horizon 7 Connection Server page, click Next.
  7. In the License Agreement page, select I accept the terms, and click Next.
  8. In the Destination Folder page, click Next.
  9. In the Installation Options page, select Horizon 7 Replica Server, and click Next.
  10. In the Source Server page, enter the name of another Horizon Connection Server in the group. Then click Next.
  11. In the Firewall Configuration page, click Next.
  12. In the Ready to Install the Program page, click Install.
  13. In the Installer Completed page, click Finish.
  14. Load balance your multiple Horizon Connection Servers.

Horizon Connection Server Certificate

  1. Run certlm.msc (Windows 2012+). Or run mmc, add the Certificates snap-in, and point it to Computer > Local Machine.
  2. Request a new certificate with a common name that matches the FQDN of the Connection Server, or import a wildcard certificate.
  3. Note: the private key must be exportable. If using the Computer template, click Details, and then click Properties.
  4. On the Private Key tab, click Key options to expand it, and check the box next to Mark private key as exportable.
  5. In the list of certificates, look for the one that is self-signed. The Issuer will be the local computer name instead of a Certificate Authority. Right-click it, and click Properties.
  6. On the General tab, clear the Friendly name field, and click OK.
  7. Right-click your Certificate Authority-signed certificate, and try to export it.
  8. On the Export Private Key page, make sure Yes, export the private key is selectable. If the option to export the private key is grayed out, then this certificate will not work. Click Cancel.
  9. Right-click your Certificate Authority-signed certificate, and click Properties.
  10. On the General tab, in the Friendly name field, enter the text vdm, and click OK. Note: only one certificate can have vdm as the Friendly name.
  11. Then restart the VMware Horizon View Connection Server service. It will take several seconds before you can connect to Horizon View Administrator.

Horizon Portal – Client Installation Link

If you point your browser to the Horizon Connection Server (without /admin in the path), the Install VMware Horizon Client link redirects to the VMware.com site for downloading of Horizon Clients. You can change it so that the Horizon Clients can be downloaded directly from the Horizon Connection Server.

  1. On the Horizon Connection Server, go to C:\Program Files\VMware\VMware View\Server\broker\webapps.
  2. Create a new folder called downloads.
  3. Copy the downloaded Horizon Client 5.2 for Windows to the new C:\Program Files\VMware\VMware View\Server\broker\webapps\downloads folder.
  4. Run Notepad as administrator.
  5. Open the file C:\ProgramData\VMware\VDM\portal\portal-links-html-access.properties file with a text editor (as Administrator).
  6. Go back to the downloads folder, and copy the Horizon Client filename.
  7. In Notepad, modify link.win32 and link.win64 by specifying the relative path to the Horizon Client executable under /downloads. Note: In Horizon Client 4.3 and newer, there’s only one Horizon client for both 32-bit and 64-bit. The following example shows a link for the Horizon win64 client.
  8. Then Save the file.
  9. Restart the VMware Horizon View Web Component service, or restart the entire Connection Server.
  10. It will take a few seconds for the ws_TomcatService process to start so be patient. If you get a 503 error, then the service is not done starting.
  11. Now when you click the link to download the client, it will grab the file directly from the Horizon Connection Server.
  12. Repeat these steps on each Connection Server.

Portal Branding

Chris Tucker at Horizon View 7.X – Branding the Logon page details how to brand the Horizon 7.1 and newer portal page.

LDAP Edits

Horizon Console Timeout

The HTML5 Horizon Console (https://MyConnectionServer/newadmin) has a default timeout of 10 minutes. Changing the Horizon Administrator timeout will not affect the Horizon Console timeout. You can use adsiedit.msc to increase the Horizon Console timeout.

  1. On the Horizon Connection Server, run ADSI Edit.
  2. Right-click ADSI Edit, and click Connect to.
  3. Change the first selection to Select or type a Distinguished Name, and enter dc=vdi,dc=vmware,dc=int.
  4. Change the second selection to Select or type a domain or server, and enter localhost. Click OK.
  5. Navigate to Properties > Global. On the right, double-click CN=Common.
  6. Scroll down, click to highlight pae-APISessionTimeout, and click Edit.
  7. Enter a value in minutes. Click OK.

Mobile Client – Save Password

If desired, you can configure Horizon Connection Server to allow mobile clients (iOS, Android) to save user passwords.

  1. On the Horizon Connection Server, run ADSI Edit.
  2. Right-click ADSI Edit, and click Connect to.
  3. Change the first selection to Select or type a Distinguished Name, and enter dc=vdi,dc=vmware,dc=int.
  4. Change the second selection to Select or type a domain or server, and enter localhost. Click OK.
  5. Navigate to Properties > Global. On the right, double-click CN=Common.
  6. Scroll down, click to highlight pae-ClientCredentialCacheTimeout, and click Edit.
  7. Enter a value in minutes. 0 = no saving of credentials. -1 = no timeout. Click OK.

Biometric Authentication – iOS Touch ID, iOS Face ID, Fingerprints, Windows Hello

Biometric authentication, including Touch ID, Face ID, Fingerprints, and Windows Hello, is disabled by default. To enable: (source = vDelboy – How to Enable Touch ID in VMware Horizon 6.2 and Configure Biometric Authentication at VMware Docs)

  1. On the Horizon Connection Server, run ADSI Edit.
  2. Right-click ADSI Edit and click Connect to…
  3. Change the first selection to Select or type a Distinguished Name and enter dc=vdi,dc=vmware,dc=int.
  4. Change the second selection to Select or type a domain or server and enter localhost. Click OK.
  5. Navigate to Properties > Global. On the right, double-click CN=Common.
  6. Find the attribute pae-ClientConfig and double-click it.
  7. Enter the line BioMetricsTimeout=-1, and click Add. Click OK. The change takes effect immediately.

Disallow Non-empty Pool Deletion

Configure View to Disallow the Deletion of a Desktop Pool That Contains Desktop Machines at VMware Docs.

  1. On the Horizon Connection Server, run ADSI Edit.
  2. Right-click ADSI Edit and click Connect to…
  3. Change the first selection to Select or type a Distinguished Name and enter dc=vdi,dc=vmware,dc=int.
  4. Change the second selection to Select or type a domain or server and enter localhost. Click OK.
  5. Navigate to Properties > Global. On the right, double-click CN=Common.
  6. Find the attribute pae-NameValuePair, and double-click it.
  7. Enter the line cs-disableNonEmptyPoolDelete=1, and click Add. Click OK. The change takes effect immediately.

Load Balancing

See Carl Stalhood’s Horizon Load Balancing using NetScaler 12.1.

Remote Desktop Licensing

If you plan to build RDS Hosts, then install Remote Desktop Licensing somewhere. You can install it on your Horizon Connection Servers by following the procedure at https://www.carlstalhood.com/delivery-controller-7-15-ltsr-and-licensing/#rdlicensing.


VMware Tech Paper Antivirus Considerations for VMware Horizon 7: exclusions for Horizon View, App Volumes, User Environment Manager, ThinApp

Help Desk Tool Timing Profiler

Horizon 7.2 and newer include a web-based Help Desk Tool. Run the following command to enable the timing profiler on each Connection Server instance to view logon segments.

vdmadmin -I -timingProfiler -enable

Logon Monitoring

The VMware Logon Monitor Fling is built into Horizon 7.1 and newer.

The logon logs are stored at C:\programdata\VMware\VMware Logon Monitor\Logs on each Horizon Agent. The Fling website has a PDF that explains how to also store them on a file share.

Inside each session log file are logon time statistics. 

238 thoughts on “VMware Horizon 7.13.3 Connection Server”

  1. Hi Carl,

    We are using Horizon Connection Server Verrsion 2111, all is working the whole week. All users are able to connect to their clients from Monday until Thursday, everyweek on Thursday for a reason all clients are unreachable, I got the event on the connection Server
    “The agent running on machine XXX has contacted the connection server and sent a startup message”. Restarting the machine will not solve the issue, only recovering the whole machines is the solution until now, I don’t know what the problem is, I have tried with a new golden image, same issue. Now I’m planing to move to a new Server (2019) and Horizon 8.7 with a new Golden Image Windows 11 22H2. I don’t know if there any known issues with Windows 11 and Horizon 8.7.

    Thanks Carl

    1. Hi Carl,

      I noticed this morning, all Machines were in a Blue Screen mode ” your device ran into a problem and needs to restart”. I don’t know why are they restarting on Thursday and not on any other day in the week. How can I find out in the settings if there is any timer to boot them to solve this issue?
      When I saw this error message I have just restarted the machines but This issue is not solved for all of them, some are rebooting randomly. I have to recover them only this solution will solve the issue.

  2. Hi Carl,

    From your experience of previous Horizon implementations and upgrades, is the move from Horizon 7 to Horizon 8 a relatively straightforward in place upgrade or would a cleaner (less risky) and preferred approach be to go with new implementation on new infrastructure?
    We have a medium to large scale desktop environment running Horizon 7.13.
    Aside from the deprecation and removal of the View Composers, is the upgrade any different to lets say going from 7.10 -> 7.13?

    Many Thanks!

    1. Upgrade is the same as it has always been except for removal of components (e.g., composer, ThinPrint, Security Server). There’s no need to rebuild the Connection Servers, but you might have to rebuild the pools to remove Composer. Upgrading the Operating System of the Connection Server requires more consideration.

  3. Hi Carl
    I enabled Biometric on both my connection server and composed a new desktop for myself from a new desktop pool which was using a new image and a snapshot. I do not get the Horizon client to pass through my faceID or windows Hello. It asks me to loing to the Horizon client.
    But when i provide my un/pw on my laptop and launch Horizon client, I’m able to pass through and the desktop gets composed without Horizon client prompting for a login prompt.

    Could you please help where I’m going wrong here.

  4. Hello There – Will this upgrade also require the upgrade of the other components, such as Security Servers? Thanks! -Jeff

  5. Hello Carl, first, awesome guide!
    We’re running into an odd situation though. We currently have two connection servers in place and are attempting to add a third. We’re able to install the horizon connection software fine, but when we import our wildcard certificate to the computer’s certificate store, the new connection server stops working. We can still access the box, but not the horizon connection server pages it serves. This is even before changing the self-signed cert by removing the vdm friendly name and adding that to the wildcard. If we remove the wildcard cert, it remains broken until we revert to a checkpoint before the cert was added. I’m not sure why just adding the cert knocks it for a loop.

    1. When you imported the cert, did you choose the option to mark the private key as exportable?

      The logs (C:\Programdata\VMware\VDM\Logs) might show you the issue.

  6. Hi Carl,

    I have one question that in Horizon view ,

    VMware Horizon 7 Administrator
    7.10.0 build – 14584133

    Changing the licenses from Concurrent to named user will have any impact to users?


  7. Hey Carl, we have a problem after upgrading to 7.13.1 in the auto pools. “Unable to connect to View Composer server……Could not send Message. All services on connection server and composer server are started. We can do any new rollouts in our pools. Have u andy idea?

  8. Hello Carl, you’ve got a great site!
    I’ve already followed a lot of your posts…

    I’ve got one question.
    I’ve got 2 connection servers 7 installed. The first one won’t anymore restart after reboot.
    What’s for you the best option for me ?
    I’ve already try to add a new connection server but the installation failed at the very last moment…
    Does the error maybe come from the fact that the main server is unavailable ? Should I remove it from the installation with the vdmadmin -S command before continuing?
    I suppose that recreate my first server and restore the ldf backup is not a viable option as I’ve got the replication server that’s working right now.

    Thank you !


  9. Hello Carl,

    We have a user whose Connection Server is on 7.13 and Vsphere on 6.0. Now he wants to check if Vsphere 6.5 is compatible with CON Server 7.13.

    Your advise please.

  10. Hi Carl,

    We have updated from Horizon 7.11 to Horizon 7.13.0, and we’re having some issues with Kerberos.
    In 7.11, there was a krb5.conf (C:\ProgramData\Vmware\VDM\KRB\krb5.conf). But, after upgrading to 7.13.0, the folder and the file have disappeared.
    Do you know if there is any change regarding this?
    Many thanks in advance,

    1. Carl, forget about my question.
      We followed KB 2147129 some moths ago, and we modified pae-NameValuePair in path “CN=Common,OU=Global,OU=Properties,DC=vdi,DC=vmware,DC=int” and add cs-useManualKrb5Conf=true.
      We’ve just removed it, and C:\ProgramData\Vmware\VDM\KRB\krb5.conf was created again.
      Many thanks!!!

  11. Hello,

    We tried to migrate our infrastructure from version 7.10 to version 7.13 and we get the following message when a user tries to connect either with the client or on the web:

    failed retrieving launch items:
    ClientLaunchTimer [overallTimeOut=0, minThreshold=3,startSessionTimeOut=60, isExpired=true]

    Est-ce que vous avez une idée pour nous aider ?

    (désolé pour mon anglais je suis français…)

  12. Hello Carl,
    I cannot find info regarding compatibility between Horizon agent 7.12 and Horizon Connection 7.0.3
    Can Horizon agent machines on noted version can be registered and work along with Horizon Connection server version 7.0.3?
    We are planning upgrade Horizon environment from version 7.0.3 to version 7.12.. I have made a plan and prepare everything for upgrade. Environment only consist two Connection servers, agents and clients…
    This question I have asked in case we need to make rollback.

    Thank you very much for your answer.

  13. Hi Carl,
    This is a little off-topic, but I thought I’d run it by you. We’re a VMware service provider, providing hosted servers to customers who are already using our broadband transport services. We’re also an internal user of Horizon (and I’m a grateful consumer of your advice in the past).

    I have an internal project under way separating our internal VMware infrastructure from the infrastructure support our customers. Essentially, that has involved spinning up a new vCenter server and creating clusters on it for our internal hosts. That’s been easy enough. Now I’m at the point where I’m going to move the hosts supporting our Horizon environment over to this new cluster. Moving the hosts is easy enough, but I’m a little concerned about moving the connection servers. I’m wondering if you’ve done a migration of Horizon connection servers from one vCenter to another, and if so, were there any significant gotchas that I should be watching for.

    With everything else being the same, it seems like it should be as simple as (1) powering down all the Horizon desktops (after putting them in maintenance mode, of course), then (2) powering down the connection servers. Next up (3) would be migrating the hosts to the new cluster. Step (4) would be to bring the connection servers back up, and (5) change the settings on the connection servers to point to the new vCenter server. Finally (6) the Horizon desktops could be powered back up and removed from maintenance mode.

    Any advice you have on this would be much appreciated. Thanks!

    1. There shouldn’t be any problem with moving Connection Servers to any cluster/host assuming that the Connection Servers still have connectivity to the vCenter that manages the hosts/clusters where the virtual desktops are running. I assume you’re not asking about moving the virtual desktops.

      1. Hi Carl,
        We’ll actually be moved the virtual desktops as well. Before doing anything else, those VDI instances will be powered off, but we’ll leave them on their existing hosts. Those hosts will then move to a cluster managed by the new vCenter. Once things are powered back on, the connection servers will talk to the new vCenter server, and that vCenter server will communicate with the hosts under its control. The virtual desktops will remain managed by the connection servers, but that will be done through the new vCenter instance.

        In effect, I’m taking the entire VDI infrastructure (hosts, connection servers, VDI instances) and moving them from one vCenter to another. The only thing the new infrastructure has in common with the old is the shared storage and uplink switches.

        1. If the machines are linked clones, then you can’t move them to different vCenter. Instead you’ll have to delete the pools and remake them.

          If the machines are full clones, then there shouldn’t be any problem moving them. Hopefully Horizon can find them in the new vCenter connection instead of the old vCenter connection.

          1. Thanks Carl.
            In this case, the machines are dedicated named instance full clones, all part of a single pool. Their UUIDs (or other identifiers) will be unchanged. I’m with you – I’m hoping that the connection server will recognize them automatically. I’ll snapshot the connection servers in advance, and likely do the same with the desktops. If the migration fails, I’ll move everything back and revert to those snapshots.

            Thanks for your comments on this!

  14. Hello Carl,

    We are going to upgrade from 7.8 to 7.13 and it appears it is a straight forward upgrade. From what I have read, these are the steps:
    1) snapshot connection servers
    2) Upgrade connection server 1, reboot
    3) Upgrade connection server 2, reboot
    4) Upgrade connection server 3, reboot
    5) upgrade Horizon agent on golden images

    We do have a load balancer in front of the connection servers but nothing has to be done with that, correct?

    There is no down time, correct?

    Did I miss anything?

    Thank you!

    1. There might be some connectivity issues for new users trying to login but no downtime for people already connected assuming the Blast/PCoIP Gateways are disabled on the Connection Servers.

  15. hello dear Carl,

    I have some trouble since I moved to 7.13 (I was in 7.11) :
    My users are unable to connect in LAN mode to the pools if they are not entitled in the Remote access tab !

    We have done several cross tests and the result is that to have access to the different pools, the security group they are part of must have “remote access” rights in view!

    Before (in version 7.6, 7.10 or 7.11) not !!!!!!!!

    Is it the normal behavior ?


    1. Are they connecting through a UAG? Or an F5 APM? Is the Blast/PCoIP Secure Gateway enabled on the Connection Server?

      1. Hello,

        We have 4 connection server, accessed by 3 kind of users :
        • Internal users  they use « portailvdi.appli » URL, pointing to a dedicated load balancer device configured with 4 real servers (connection server)
        • Internet users  they use « portailvdi.ag2rlamondiale.fr» URL, pointing to a dedicated load balancer device configured with 2 real servers (UAG). UAG internet n°1 is then « paired » with Connection Server 1 and UAG internet n°2 is « paired » with Connection Server 2
        • Extranet users  they use « portailvdi-extranet.ag2rlamondiale.fr» URL, pointing to a dedicated load balancer device configured with 2 real servers (UAG). UAG extranet n°1 is then « paired » with Connection Server 1 and UAG extranet n°2 is « paired » with Connection Server 2

        Our problem only concerns internal users access.

        1. We have exact the same problem.
          Updated from 7.12 to 7.13.1, now user in LAN need to be in the Remote Access tab.

          Did you solve this issue?

          1. We something figured out. It you are connecting through a Load Balancer (Kemp), the user can not login. If you login directly on one of the connection server, the user can login fine!

          2. Hello Dear Matthias,

            After a VMware SR, we had an engineer and he told us officially that if you go to you connection servers from a “VIP” loadbalanced is the normal behavior = you have to add your users to the Remote Access tab like they’r coming from the outside !!!!!!


          3. Hi, where is this new remote access right configured from? where do i click to see it? is it only visible in 2106?

          4. On the left, click Users and Groups. On the right is the Remote Access tab.

  16. Hello Carl, We are using in the Platform vsphere 6.5U3 and horizon version 7.5.2 (connection server), VDI are configured instant clone non persistency. We have done a failover test , power off the Esxi and HA kicks in , but end user experience is like that : cannot resume his previous session or old vdi vm, the user have to relogin BUT got a new VM VDI .

    Which configuration change we have to do to ensure that end user still use original VDI , please thank you in advance Carl !!

  17. Hi Carl,
    Recently i re-generated my VC certificate due to certificate expired, i have tried to import the new cert to the horizon server. Although horizon connection server dashboard show green for vcenter, the associated datastores r missing. when trying to recompose of existing VM pool failed due to unable to find any VC.
    Need some guidance on how to resolve the issue.


    1. There might be some info in the VDM logs on the Connection Servers, but it’s probably best to call VMware Support.

      1. Hello Carl, Im planning to support a client with 7.7 upgrade to 7.13, they have 2008 r2 as connection broker, i have planned to build 2016 server and build in place connection broker to 7.13 environment, how do i approach this process decomm for older environement

  18. Hello,

    Have a question regarding Connection server 7.8. We are implementing a UAG and moving away from security server. I have provisioned another 7.8 connection server but i cannot add it to the cluster of connection servers. Legacy console is gone and 7.8 new admin does not have all features.

    I guess i have 2 questions:

    1. how do I add the new connection server to the cluster
    2. Can I upgrade connection servers and composer without esx at first and can i run 7.13 with 7.8 view agents on the machines?

  19. Hi Carl,

    Thanks for your content. I was hoping you might be able to answer a question of mine:

    I have a Horizon View 7.7 environment and I’ve just lost the Composer database (permanently, unrecoverable). I want to take this opportunity to now upgrade to 7.13 as it’s long overdue but I’m not sure how to go about this now I don’t have any composer server. Am I better off just starting from scratch with my VMware deployment and building a new environment over a weekend?

    And another Q if you don’t mind.. I have a security server which uses 2FA (with a Windows authentication server and 2FA with Microsoft account). I see 7.13 wants UAG’s to be used, can these function in the same way as existing security servers?

    Thanks a lot.

    1. I assume you have pools that you can’t delete? If you have the option of rebuilding, then do it.

      Yes, UAG supports RADIUS authentication.

  20. Hi Carl,

    In the production Connections servers, suddently it shows system health red both connection servers.

    If i see the log it shows:
    [CertmatchingTrustManager]invalid certificates (as expected) for vcenter:443 InvalidCertificateException[reasons:notTrusted;cantCheckRevoked;subject: ‘C=US, CN=vcenter
    Fetched reference objects for instance Publish VC cert Task Instance at URl: vcenter:443/sdk in a seconds. CBRC supported by VC: true
    VMs checked for reconfiguration: 450; not checked for reconfiguration: 0

    What would be possible reason for this. Where i can look in?

    Thanks in advance.

    1. Go to Settings > Servers > vCenter tab. Edit the vCenter. Click OK and maybe it will ask you to verify the certificate.

  21. Hi Carl,

    i have Horizon View Administrator 7.13 installed and have recently installed Horizon Toolbox v7.8.1 on my connection server. I can’t seem to get pass the popup requesting the eventdb password and vcenter password. It does not specify the username. I have typed in the passwords for the eventdb and vcenter admin user and clicked on set but nothing happens. It also does not show the domain filed at the logon screen. Any idea what could be wrong?

    1. I think it’s enabled by default. You can block it by configuring Client Restrictions, which is a tab on the right of Global Settings.

  22. Hi Carl,
    We have a strange issue and we hope you can help us.
    On a fresh install, after installing replica server with Web access, the server is not accessible neither on port 80 or 443.
    Horizon Web Component service is started.
    A netstat show that the server is not listening on non of this port (443 or 80).
    We opened a case with VmWare support but they just told us to do a fresh install on a newly deployed server.. We did it but same issue.
    What did we miss ? Could you help ?
    Thanks in advance,
    Best regards

      1. Nop nothing in logs, no IIS installed or other software that could use 80/443 ports… and nothing with netstat.
        Really strange behaviour.
        Also if it could help but don’t know if it’s relevant: during installation Broker vdm-ec cert was not imported from first broker, so we had to import it manually to successfully install replica server.
        Anyway thanks for the help,

        1. I have the same problem when doing a new install of Horizon 7 Standard Server on a Server 2019. New system build, nothing else ever on it.

          1. I will let you know as soon as we have a valid answer from VmWare but actually our support case is still on study… Glad to know we are not the only one with this issue on Win 2019 server , but sorry for you aswell…

        2. Hello Colin, we also experienced these issues after a fresh install of Horizon View 7.13 and Windows Server 2019 and were initially stumped. However, the View Admin GUI was accessible on the connection server as soon as the network card was disabled.
          After several tests and investigations we were able to solve the problem using the vdmadmin command
          to check the domain-lists and with the include-command
          we had put the required domain in the white-list.
          All other domains were taken out. No other new ldap calls to other trusted domains had been in the log files during and after the Horizon Services had come up.
          Since then everything runs smoothly.
          Maybe you work with several domains/trusted domains in your environment, too ?

          Regards Ralf

          1. Hi Ralf,
            I will give it a try and investigate that way.
            Thanks a lot, at least you give me something to look at… VmWare support actually don’t know what can cause our issue and is lost…
            I will told you if it’s same issue with trusted domains.

          2. Hi,
            We finally managed to get his replica server working. It Seems that it was an issue with the certificates, as always…
            We follow this trouleshooting plan :
            • Uninstall the Connection server software
            • Don’t remove the ADAM database.
            • Remove all 6 Certs in the VMware Horizon View Certificates Certificate store. (incl the vdm.ec cert)
            • Then delete the Self signed cert in the Personal certificates store.
            • Remove or rename the CA signed cert from the cert store.
            • Re-boot
            • Re-install the Connection server software as a replica
            And it worked…
            Which is strange cause we already tried to reinstall replica server on a new fresh server without success…(same issue)
            Anyway if it can help someone 😉
            Thanks for the help everyone.

  23. Great Website

    I am trying to upgrade to 7.10 and keep getting an error “failed to generate ssl certificates” It stops the install and rolls everything back. Any suggestions? Thanks!

    1. Are you asking if Security Servers should be removed from the console before you upgrade to 7.13? Only the Flash client can remove the Security Servers do it in Flash before Flash goes away. 7.13 still has the Flash console.

  24. Hey Carl

    any recommendation on upgrading the OS of the connection servers. Currently on server 2012 R2. Want to go to 2019. upgrade to 7.13 was completed successfully

    1. I suspect you’d have to build new Connection Servers and add them to the existing pod. Then decommission the older ones. Be mindful of load balancing configurations.

  25. Hi Carl,
    After upgrading to 7.12, the Security Servers tab is gone from View Configuration > Servers. We were able to use the flexadmin URL (https://[connectionserver].fqdn/flexadmin) to access the old view, but that won’t be accessible after December when Flash solidifies as a “no-no”.

    In 7.12…
    How can Security Servers be managed in the new Horizon interface without using the Flexadmin URL?

    Likewise, where is the option to configure a “Server pairing password” for an upgrade in 7.12?

    Thank you for your previous response about the 7.8-7.12 upgrade path.


    1. I would not expect any Security Server pages in the HTML5 Horizon Console. VMware really wants you to migrate to Unified Access Gateway.

  26. Hi Carl,
    We have 2 each of 2012r2 connection and security servers (and composer), running 7.8. We need to update due to old Apache versions. Can they be upgraded directly to 7.12?

    Thank you,

  27. Hi Carl, is there any implications on relation Golden Image Agent and Connection Server if the versions are different. For example, Horizon Agent on GI is 7.12 and Horizon Connection server is running on 7.10.1. Is it mandatory to upgrade Connection Server as well?

    Thank you in advance.

    1. I think you can upgrade the Connection Servers before you upgrade the agent, but I’m not sure if it works in the opposite order.

  28. Hi Carl,
    We are planning to upgrade our vCenter 6.0 build 3634793 to Vcenter 6.7. Our current vCenter 6.0 is Windows based vCenter with External PSC and External SQL server and is supporting 500 instant Clone VDI machines on horizon 7.11. I found below article to Migrate vCenter from Windows to appliance using migration assistant tool but the problem is that it’s a general vCenter migration and doesn’t say anything specific about Horizon part so I wasnt sure if it’s the best way to perform this migration because during the migration there will be times when vCenter becomes unresponsive and in past when something like that happened our instant clones start throwing errors. Let me know if you have any suggestions or guide to handle this type of migrations. Thanks.


    1. Do it during a maintenance window. After migration, do a Push Image on your pools so it resets the vCenter connection.

      1. Thanks Carl, Do we need to disable all instant clone pools in that vCenter before performing this migration or need to perform anything from the Horizon side?

  29. Anyone experience disconnect issues when connecting to a Windows Server 2019 RDS host? I’m on Horizon 7.12, UAG 3.10, vSphere 6.7U3, NSX-T 2.5.1 (providing load balancing of CS and UAG) I have removed the Local\Temp folder from the cleanup task that runs every 7 days but it seems I can get about a day and a half connected and then if I reconnect it’ll last maybe an hour or two and disconnect but if I log out then it last for a day and a half again. I think it’s only Windows Server 2019 as my workloads are on 2016 and nobody has said anything and if they were getting booted out randomly I’d hear about it. I looked in the VMware Horizon Community and couldn’t find anything, haven’t asked a question yet in there. Thought I’d start here, thanks.

  30. Hi Carl, I’ve just rebuilt my connection servers to win2016, for credential guard (VBS) security. At the same time, I updated them from Horizon View 7.10 to 7.12. My Security servers are still running win2012. I’m trying to upgrade them to Horizon View 7.12, but am getting Java VM Launch error when it tries to connect to the paired connection server. The .dll path is in my personal User profile. Do you think I might need to update the C++ Redistributables. Kind of new to this stuff. Not necessarily flying blind. But, maybe with a patch over one eye. Thanks for any light you can shed.

    1. Were you ever able to resolve the Error: Could not create the Java Virtual Machine. Similar issue recently upgrading my security server to 7.13.1

  31. Hi Carl,
    I was hoping you could help me.
    We have a new deployment of horizon 7.12 with UAG for remote users. My problem is that we are now going to have users alternate days working remotely and in the office. How can I configure the horizon client on their windows laptops to connect to the connection server when they’re In the office and connect through UAG when they’re working remotely? VMware support told me it was a certificate issue and to just add the connection server fqdn to the certificate. This didn’t work for me. Am I doing something wrong or is this not even possible?

    1. You could use the same DNS name for both internal Connection Server load balancing and for external UAG load balancing.

  32. Carl, would you be so kind as to answer my question ?

    Hello, I’ve got horizon 7.4 and esxi 6.5U1 with vcenter 6.5U1. Do you thing the best path to upgrade my enviroment is:
    a). upgrade vcenter from 6.5U1 to 6.7U3,
    b) upgrade esxi from 6.5U1 to 6.7U3,
    c) upgrade horizon from 7.4 to 7.12 (first compose, then connection server – upgrade inplace or new installation ?)


    first upgrade horizon, then vcenter and esxi servers? Which method do you thing is saver?

      1. Thanks for your reply.
        So, in my case, as you wrote “Horizon 7.4 does not support vCenter 6.7U3 so you’ll need to upgrade Horizon first.”
        First upgrade horizon directly from 7.4 to 7.12 and then vcenter and esxi hosts ?

        The second question: horizon upgrade by installing new composer and connection server and then remove old servers (composer and connection server) or is it possible to upgrade in place composer and connection servers.

        1. Yes, upgrade Horizon first.

          If you’re not changing the operating system version, then you can do in-place upgrades.

  33. Hi Carl,

    We’ve had a Horizon environment for quite some time. Recently we stood up another environment at our DR site. We had everything working properly, but last week after a reboot of the Connection server the AD LDS Instance service failed to start. We’ve done a store of the Connection server to no avail. Is there an environment change that could be causing this? Our concern is that a reboot of our production server may result with the same issue there.

      1. Below is what I see in the ADAM Event log.

        Active Directory Lightweight Directory Services could not be initialized.

        The directory service cannot recover from this error.

        User Action
        Restore the local directory service from backup media.

        Additional Data
        Error value:
        -1811 JET_errFileNotFound, File not found

        And this is what is in the VDM log multiple times.

        2020-07-14T10:55:50.915-05:00 INFO (0B34-0678) [wmiprvse] Program ‘wmiprvse – WMI Provider Host’ started, version=10.0.14393.2155 (rs1_release_1.180305-1842), pid=0xB34, buildtype=release, usethread=0, closeafterwrite=0, sessionId=0
        2020-07-14T10:55:51.040-05:00 DEBUG (0B34-0678) [wmiprvse] Sending RPC initiate shared memory request, protocol=ncalrpc, endpoint=wsnm_sharedMem, clientPid=2868
        2020-07-14T10:55:51.040-05:00 ERROR (0B34-0678) [wmiprvse] Failed to initiate shared memory over RPC, server initiate failed. 1722 (The RPC server is unavailable.)
        2020-07-14T10:55:51.040-05:00 WARN (0B34-0678) [wmiprvse] CORE::SharedMemChannel::Connect(): Channel (null) (0x0000000000000000): SharedMem Connect to NodeManager FAILED: RPC initiated sharedmem connect failed, reason=hostUnreachable
        2020-07-14T10:55:51.040-05:00 DEBUG (0B34-0678) [wmiprvse] CORE::MessageChannel::MessageChannel(): Channel (null) (0x00000232D64B52F0): MessageChannel CREATED
        2020-07-14T10:55:52.087-05:00 DEBUG (0B34-0678) [wmiprvse] coreIP: Unable to connect to ‘VCONNECTION-DR’, no address served
        2020-07-14T10:55:52.087-05:00 WARN (0B34-0678) [wmiprvse] SocketChannel: Unable to connect to VCONNECTION-DR:32111
        2020-07-14T10:55:52.087-05:00 DEBUG (0B34-0678) [wmiprvse] CORE::MessageChannel::~MessageChannel(): Channel (null) (0x00000232D64B52F0): DELETED

  34. Hi Carl,

    I am having active passive setup for production environment. And planning to upgrade to latest version 7.12. Before proceeding with production i want to built an development environmemt.

    Can i use same vcenter server for development lab.

    Thanks in advance as i know you would be having to my question

  35. Carl,

    Great articles as always. I did have one point of information that perhaps you could clarify. In my environment, we did setup 2 connection servers, a primary and a replica. We also have a Kemp VLB load balancing the 2. What is the proper method for upgrading them in a nondisruptive way? We do not have tunneling enabled, so users are connecting directly to their persistent VDI’s through the UAG’s. Should I disable a connection server inside of Horizon? Inside of the Kemp console? Both? One server was rebooted post windows updates and every connection was disconnected. both connection servers stopped accepting connections even though only 1 was rebooted.

    1. I usually disable on the load balancer.

      Restarting one should not affect the other. And restarting one should not drop connections if tunneling truly is disabled.

  36. Hi Carl,
    Is it possible to collect source PC IP address or Thin client IP address from where we launching our Horizon VDI?
    Can we collect this report from VROPs or can we create dashboard fro the same?
    I am using Horizon 7 a
    I need to know users’s desktop , laptop IP from where he is accessing my Horizon VDI.


    1. Horizon Help Desk shows Client IP in real time. Horizon Toolbox used to collect info like this. Do you see the Client IP in the Horizon Events database? If so, you can query the database. Otherwise, you can create a login script to capture the data.

  37. Carl,

    We recently setup a new environment with two connection servers. One of them is working correctly, but the other one is getting a “ERR_SSL_VERSION_OR_CIPHER_MISMATCH” error in Chrome when trying to access the admin page. Triple checked and the cert does have the private key as well as it being exportable. We are confused as to why this one is happening on this server but not the other. Any help would be appreciated.

    1. Kyle,
      look in cdeveloper ode in chrome when connecting to the CS server and check what ciphers are being negotiated, it could be that the CS is trying to negotiate a CIPHER that chrome isn’t happy with.

  38. Hi Carl,
    Is there a way to get the list of horizon client versions used by the users. I know that we can see it in new html5 admin console but I am looking for list of 1000 users so looking them individually wont work. I tried vrops 8 too but I could find a way to get it. Please help. Thanks.

    1. The Horizon Toolbox can collect that info, assuming Toolbox works for your version of Horizon.

      Otherwise, write a script to log HKCU -> Volatile Environment -> ViewClient_Client_Version or environment variable, ViewClient_Client_Version.

  39. Hi there,

    currently running a horizon environment, with one security server in dmz and 2 connection servers – version 7.2

    I wanted to upgrade the environment – switchting to UAG Server 3.8 in the DMZ and 2 new 7.11 servers with latest windows os.

    I though easiest way with almost zero downtime would just be establish a second parallel horizon environment and when everything is working, just switch the vms / physical machines from the current horizon environment to the new one.

    But after reading your article, I’m not quite sure if this even is possible to do so?

    Thanks for the help

    1. If your pools are non-persistent, then you can use your existing masters to rebuild the pools in the new environment. Or create new masters with new OS version.

      For existing persistent, Full Clone machines, you can add them to a Manual pool on the new environment. If they are linked clones, then you might have to convert them to Full Clones first by cloning each one.

      1. Sry for asking again, never done that – last upgrade/migration from 6.x to 7.x with new windows server was done by someone else.

        Saying “master in new environment” you mean it is possible to install a new connection server and build a completely new group of them with a different connection url and all. (in the same vm environment)
        I’m just “scared” to break my running view environment or the ldap database ..


  40. Carl,

    I have recently installed a Horizon 7.11 test environment on an evaluation license.. Every time I try to get a machine added to a manual desktop pool, it usually takes about a minute before the status reflects with an Error state in the web portal. Looking in the log file, I see a debug message with following:

    [CertMatchingTrustManager] invalid certificate (as expected) for X.X.X.X:443 InvalidCertificateException[reasons;notTrusted;CantCheckRevoked; message: ‘ValidateCertificateChain Result: FAIL, EndEntityReasons: cantCheckRevoked, ChainReasons: partialChain, noTrust’]

    I exported the self-signed cert from VCenter and added it as a trusted root for my Horizon server but still run into the same issue.

    Analyzing the agent side logs, I see the following:

    [AgentJmsConfig] Attempting to securely pair agent for JMS communication
    [AgentMessageSecurityHandler] Configuring message security (ENHANCED)
    [JMSMessageSecurity] Failed to sign message: cannot sign message
    [BrokerUpdateUtility] Published CHANGEKEY request
    [BrokerUpdateUtility] Timeout waiting for success response

    The kb articles posted on VMware mentioned you can use the self-signed for testing purposes but I’m not seeing documentation on how to establish trust between VCenter and Horizon. Can you assist and/or point me in the right direction?


    1. Do you have an internal Certificate Authority that all machines can access? If not, I would install the Microsoft CA role somewhere and use it to generate internal certificates with a reachable CRL. This error looks like a problem with the Connection Serer certificate.

  41. Hi Carl,
    Great post!
    I seem to be unable to log into the Horizon Console after a fresh install. I tried with both domain controller and local users. Neither seems to work. Any tips on where to look for solutions? I’ve searched google in vain. Thank you in advance.

    1. The person that installed the product should be able to log in. I assume you see the logon page, because it doesn’t always appear in Chrome.

  42. Hi Carl. Just wanted to thank you for your very informative blog. I setup horizon a year ago here at my work. If it weren’t for your blog i would have probably been stuck many a times had to had to depend on the vmware’s website and kb articles. I seriously think they were made by robots for robots. Your in depth explainations have made even upgrading the environment painless whereas reading on vmware horizon how to upgrade they make it sound like everything is going to break . Your step by step visual documentation is a life saver. Thank you so much.. I have become a huge fan of your knowledge.

  43. I’ve got 2 Connection servers, currently running 2008R2 and Horizon 7.3.2. Normally I would just update Horizon in place, but if I want to replace the servers with Svr 2019, what would be the easiest way? Can I add in the two new 2019 servers and promote one to the primary and then remove the 2008R2? Or would another method be easier?

    Thanks for the article…I always come back to your page when trying to upgrade.

    1. I would probably in-place upgrade your existing Connection Servers to 7.8 or newer for 2019 support. Then add new 2019 Connection Servers. Hopefully no Security Servers. Don’t forget pool tagging. Swap the Connection Servers out on the load balancers. Then shut down the old connection servers and run the vdmadmin -S command to remove them from LDAP.

  44. Hey it’s great post.
    I have one question that.

    I have total 6 connection servers. with 7.10 what is process should I follow up.
    means : first install master from 7.10 to 7.11 while selecting the standard server for master server.

    For other connection servers od i need to install in each server by logging or if master server upgraded to 7.11 so the other connection server will automatically upgrade ?

    or we have to login each connection server and install by selecting the standard…..next….next..?

    1. Each server needs to be upgraded separately. Order doesn’t matter. All server should be upgraded in the same maintenance window.

  45. Hi Carl,

    VMwares product documentation specifies using netbios names when declaring additional domains via vdmadmin.


    In a world where netbios has long been deprecated and disabled on nic interfaces can you provide any detail on why VMware are requiring netbios for Horizon & how it would work for connecting Connection Servers to additional domains (not the native domain that the specific windows server is joined to) in a different subnet (netbios name resolution is a broadcast & won’t traverse a router).

    Trying to understand an issue where a multi domain solution stopped seeing additional domains after upgrading to 7.8 and above, works fine with FQDN’s on 7.7.


    1. Every Active Directory domain has a NetBIOS name in addition to it’s DNS name. When you log into windows, you typically enter NetBIOS_Domain\username. The domain’s DNS name is typically only used for UPN logins.

      Note: computer names are also NetBIOS names, which is why they need to be 15 characters or less.

      1. Thanks Carl,

        our answer was 7.12. VMware have reinstated the ability to use FQDN’s. I still can’t understand why they’d remove the use of FQDN’s & mandate netbios but thats not an issue any more.

Leave a Reply

Your email address will not be published. Required fields are marked *