Omnissa Horizon 8 Console Configuration

Last Modified: Jan 29, 2025 @ 2:00 pm

Navigation

This post applies to all Omnissa Horizon versions 2006 (aka 8.0) and newer.

💡 = Recently Updated

Change Log

  • 2023 July 8 – Global SettingsHorizon Agent Restrictions in Horizon 2306 (8.10) and newer
  • 2021 Sep 30 – Horizon Console – added step to disable CORS for Horizon 2106 and newer to fix HTML Access
  • 2021 Jan 8 – updated entire article for Horizon 2012 (8.1)
  • 2020 Aug 14 – updated entire article for Horizon 2006 (aka Horizon 8)

Preparation

Horizon Service Account

  1. Create an account in Active Directory that Omnissa Horizon will use to login to vCenter. This account can also be used by Instant Clones to create computer accounts in Active Directory.
  2. Make sure the password does not expire.
  3. Domain User is sufficient. Permissions will be delegated where needed.

vCenter Role for Horizon

This role has all permissions needed for both full clones and instant clones. See Privileges Required for the vCenter Server User With Instant Clones at Omnissa Docs.

See the Product Interoperability Matrix for supported vCenter versions.

Create vSphere Role:

  1. In vSphere Web Client, click the hamburger menu icon and then click Administration.
  2. In the Roles node, click NEW to add a Role.
  3. Give the new role a name.
  4. If you are using vTPM, then on the left, click Cryptographic operations. On the right, enable Clone, Decrypt, Direct Access, Encrypt, and Manage KMS. Scroll down on the right to see more Cryptographic operations permissions.

    1. While still in Cryptographic operations, scroll down and enable Migrate and Register host.
  5. On the left, click Datastore. On the right, enable Allocate space, and Browse datastore.
  6. On the left, click Folder. On the right, enable Create folder, and Delete folder.
  7. On the left, click Global. On the right, enable Act as vCenter Server, Disable Methods, and Enable Methods, and then scroll down on the right to see more Global permissions.

    1. While still in Global, enable Manage custom attributes, and Set custom attribute.
  8. On the left, click Host. On the right, in the Configuration section, enable Advanced Settings. Then scroll down on the right to see more Host settings.

    1. While still in Host, scroll down to the Inventory section and click Modify cluster.
  9. On the left, click Network. On the right, enable Assign network.
  10. For Virtual SAN, enable Profile-driven storage and everything under it.
  11. On the left, click Resource. On the right, enable Assign virtual machine to resource pool, and Migrate powered on virtual machine.
  12. On the left, click Virtual Machine. On the right, click Change Configuration to enable all Configuration permissions. Scroll down on the right to see more Virtual machine permissions.

    1. While still in Virtual Machine, scroll down and select everything under Edit Inventory.
    2. While still in Virtual Machine, scroll down to the Interaction section, enable Connect devices, and then click See more privileges.
    3. While still in Virtual Machine, scroll down and enable Perform wipe or shrink operations,  Power off, Power on, Reset, and Suspend.
    4. While still in Virtual Machine, scroll down to the Provisioning section and enable Allow disk access, Clone template, and Clone virtual machine. Then click See more privileges.
    5. While still in Virtual Machine, scroll down and enable Customize guest, Deploy template, and Read customization specifications.
    6. While still in Virtual Machine, scroll down and click Snapshot Management to enable all Snapshot permissions.
  13. Click Create.

Assign role to service account:

  1. Create an account in Active Directory that Horizon will use to login to vCenter.
  2. In vSphere Web Client, in Hosts and Clusters view, browse to the vCenter object. Permissions must be assigned at the vCenter level. It won’t work at any lower level.
  3. On the right, select the tab named Permissions.
  4. Click the plus icon to add a permission.
  5. In the Add Permission dialog box, do the following:
    1. Change the User domain.
    2. Search for the service account.
    3. Change the Role to the one you created in the previous section.
    4. Check the box next to Propagate to children.
  6. Click OK.
  7. The service account is now listed on the Permissions tab.

Active Directory Delegation for Instant Clones

Horizon Instant Clones create computer objects in Active Directory. Horizon is configured with an Active Directory service account that must be granted permission to create computer objects. See Create a User Account for Instant-Clone Operations at Omnissa Docs.

  1. Create an OU in Active Directory where the Horizon Agent computer objects will be stored.
  2. In Active Directory Users & Computers, right-click the Horizon Agents OU, and click Delegate Control.
  3. In the Welcome to the Delegation of Control Wizard page, click Next.
  4. In the Users or Groups page, add the Active Directory service account for Instant Clones and/or Horizon Composer. Then click Next.
  5. In the Tasks to Delegate page, select Create a custom task to delegate, and click Next.
  6. In the Active Directory Object Type page, do the following:
    1. Change the radio button to select Only the following objects in the folder.
    2. Check the boxes next to Create select objects in this folder and Delete selected objects in this folder.
  7. Click Next.
  8. In the Permissions page, check the boxes next to Read All PropertiesWrite All Properties, and Reset Password. Then Next.
  9. In the Completing the Delegation of Control Wizard page, click Finish.
  10. If you are viewing Advanced Features in Active Directory Users & Computers, if you view the properties of the OU, on the Security tab, click Advanced, find your service account, you should see permissions similar to the following.

Events SQL Database

Horizon 2103 (8.2) and newer support PostgreSQL. See Prepare a PostgreSQL Database for Event Reporting at Omnissa Docs.

Horizon 2106 (8.3) and newer support SSL to the events database. See SSL Connection to Event Database at Omnissa Docs.

A new empty SQL database is needed for storage of Horizon Events.

  1. Only SQL Server authentication is supported, so make sure it’s enabled on your SQL Server > Properties > Security page.
  2. In SQL Server Management Studio, create a new database.
  3. Name it OmnissaHorizonEvents or similar. Switch to the Options tab.
  4. Select your desired Recovery model and click OK.
  5. Under Security > Logins, add a SQL login if one does not exist already. Windows authentication is not supported.
  6. Right-click a SQL login and click Properties.
  7. On the User Mapping page, check the Map box next to the OmnissaHorizonEvents database.
  8. On the bottom, add the user to the db_owner database role. Click OK when done.

Horizon Consoles

On the desktop of the Horizon Connection Server is an icon to launch Horizon Administrator Console. Don’t use Internet Explorer.

The URL entered in the browser must either be https://127.0.0.1/admin, or the Secure Tunnel URL (Horizon Console > Settings > Servers > Connection Servers tab > Edit). By default, the Secure Tunnel URL is the FQDN of the Connection Server.

If you don’t use one of these URLs then you’ll see 421 Unknown or a Login Failed message.


If you want to use a different URL than the Secure Tunnel URL (e.g., short name instead of FQDN, or load balanced name instead of server name), then go to C:\Program Files\Omnissa\Horizon\Server\sslgateway\conf or C:\Program Files\VMware\VMware View\Server\sslgateway\conf, edit or create locked.properties file, and enter the following:

allowUnexpectedHost=true
checkOrigin=false
enableCORS=false

More details at Omnissa 2144768 Accessing the Horizon View Administrator page displays a blank error window in Horizon and 85801 Cross-Origin Resource Sharing (CORS) with Horizon 8 and loadbalanced HTML5 access. allowUnexpectedHost defaults to false in Horizon 2306 and Horizon 2212.1 and newer. Another option is to add portalHost entries as detailed at Allow Omnissa Horizon Web Client Through a Gateway at Omnissa Docs.

Then restart Omnissa Horizon Secure Gateway service.

Licensing

Horizon Licenses are available either as product keys or as cloud subscription licenses. For cloud subscription licenses, Horizon 2406 and newer can activate the license without needing an Edge Gateway but the Edge Gateway is still recommended to avoid renewing the activation every 90 days. Download the Edge Gateway from the Horizon Cloud next-gen control plane and connect it to a Connection Server. See Deploying a Horizon Edge Gateway for Horizon 8 Environments at Omnissa Tech Zone.

VMware Horizon 8 license keys must be replaced by Omnissa Horizon 8 license keys within 60 days of upgrading to Horizon 2412 or newer.

In the Horizon Administrator Console:

  1. Open Horizon Administrator Console and login.
  2. On the left, expand Settings and click Product Licensing and Usage.
  3. You’ll be asked to activate SaaS subscription license or Term/Perpetual license. Term and Perpetual are license keys.
  4. If SaaS subscription, then login to Horizon Cloud and complete the wizard.
  5. If Term or Perpetual, then enter your license key.
  6. If Term or Perpetual, then licensing information is displayed:
    • License expiration is shown.
    • Instant Clones are available in all editions.
    • Application Remoting (published applications) requires Horizon Advanced Edition.
    • Teams Optimization requires Horizon Advanced Edition.
    • Session Collaboration requires Horizon Enterprise Edition.
    • Help Desk tool is available in all editions.
    • App Volumes requires Horizon Enterprise Edition.
    • Smart Policies (Dynamic Environment Manager) requires Horizon Enterprise Edition.
    • Rest APIs require Horizon Enterprise Edition.

Horizon Administrators

To configure Horizon Administrators:

  1. In Horizon Console, expand Settings, and click Administrators.
  2. On the right, near the top, on the Administrators and Groups tab, click Add.
  3. In the Select administrators or groups page, click Add.
  4. Enter the name of a group that you want to grant Horizon Administrator permissions to and click Find.
  5. After the group is found, check the box next to the group (or highlight the group), and then click OK.
  6. Continue adding groups or just click Next.
    Note: This wizard only lets you select one role; so, only add groups that will have the same role assigned. You can run the wizard multiple times.
  7. In the Select a role page, select the role (e.g. Administrators or Help Desk Administrators, which grants access to the Help Desk tool). Then click Next.
  8. Select an Access Group to which the permission will be applied and then click Finish.
    • Access Groups let you designate permissions to specific pools instead of to all pools.
    • Federation Access Groups are available in Horizon 2103 (8.2) and newer and let you restrict admin permissions to specific Global Entitlements (Cloud Pod Architecture).
    • In Horizon 2206 and newer, Help Desk role can be assigned to Access Groups.

Help Desk Website

Horizon has a web-based Help Desk tool built into Horizon Connection Server.

  • In Horizon Console, simply enter a username in the User Search box at the top of the page.

The Desktops and Applications tabs let you see what the user is entitled to. You can even export these lists.

On the Sessions tab, click a session to see more details.

On the Details tab, scroll down to find action buttons like Remote Assistance. These buttons are kind of hidden.

Keep scrolling down and you’ll see Logon Segments.

The Processes tab lets you end processes in the user’s session.

Notes on the Help Desk feature:

  • Enterprise Licensing – Help Desk tool requires Horizon Enterprise edition license, or Horizon Apps Advanced edition license. Horizon Standard Edition licenses do not include this tool. The Product Licensing page indicates if Help Desk is licensed or not.
  • Horizon has a built-in Help Desk Administrators role that enables members to use the Help Desk tool.