VMware Horizon Connection Server 2206 (8.6)

Last Modified: Jul 21, 2022 @ 10:00 am

This post applies to all VMware Horizon versions 2006 (aka 8.0) and newer.

💡 = Recently Updated

Upgrade

If you are performing a new install, skip to Install Horizon Connection Server.

Notes regarding upgrades:

  • For supported upgrade paths (which version can be upgraded to which other version), see VMware Interoperability Matrix.
  • Horizon 7 license key does not work in Horizon 2006 (8.0) and newer. You’ll need to upgrade your license key to Horizon 8.
  • Horizon 8.x no longer supports Horizon Clients 5.x and older. 💡
  • According to VMware 78445 Update sequence for Horizon 7.X and its compatible VMware products, App Volumes Managers are upgraded before upgrading Connection Servers.
  • Upgrade all Connection Servers during the same maintenance window.
    • Horizon Agents cannot be upgraded until the Connection Servers are upgraded.
    • Horizon 2006 (8.0) and newer do not support Security Servers. The replacement is Unified Access Gateway.
    • Composer is deprecated in Horizon 2006 (8.0) and newer. Composer was removed from Horizon 2012 (8.1) and newer. All editions of Horizon 2006 (8.0) and newer support Instant Clones. See Modernizing VDI for a New Horizon at VMware Tech Zone for migration instructions.
    • Downgrades are not permitted.
      • You can snapshot your Connection Servers before beginning the upgrade. To revert, shut down all Connection Servers, then revert to snapshots.
    • For Cloud Pod Architecture, you don’t have to upgrade every pod at once. But upgrade all of them as soon as possible.
    • All Connection Servers in the pod must be online before starting the upgrade.
    • It’s an in-place upgrade. Just run the Connection Server installer and click Next a couple times.
    • Once the first Connection Server is upgraded, Horizon 2006 (8.0) and newer lets you upgrade the remaining Connection Servers concurrently.
    • After upgrading all Connection Servers to Horizon 2012 (8.1) or newer, see VMware 80781 Knowledge DML scripts for data population of new columns in view Events Database to backfill the Events Database with column data to improve Events query performance.
  • Upgrade the Horizon Group Policy template (.admx) files in sysvol.
  • Upgrade the Horizon Agents.
  • DEM Console should not be upgraded until all DEM Agents are upgraded.
  • Upgrade the Horizon Clients.
    • Horizon Clients can be upgraded anytime before the rest of the infrastructure is upgraded.

Install/Upgrade Horizon Connection Server

The first Horizon Connection Server must be a Standard Server. Subsequent Horizon Connection Servers are Replicas. Once Horizon Connection Server is installed, there is no difference between Standard and Replica.

A production Horizon Connection Server should have 10 GB of RAM and 4 vCPU. Each Horizon Connection Server can handle 4,000 user connections.

Horizon 2206 (8.6) is the latest release. Starting August 2020, VMware switched to a YYMM versioning format.

To install the first Horizon Connection Server:

  1. Ensure the Horizon Connection Server has 10 GB of RAM and 4 vCPU. Source = Hardware Requirements for Horizon Connection Server at VMware Docs.
  2. Horizon 2111 (8.4) and newer support Windows Server 2022.
  3. Horizon 2006 (8.0) and newer support Windows Server 2012 R2, Windows Server 2016, and Windows Server 2019. See 78652 Supported Operating Systems and MSFT Active Directory Domain Functional Levels for VMware Horizon 8 2006.
  4. Horizon 2006 (8.0) and newer no longer need Flash.
  5. Download Horizon 2206 Horizon Connection Server.

  6. Run the downloaded VMware-Horizon-Connection-Server-x86_64-8.6.0.exe.
  7. In the Welcome to the Installation Wizard for VMware Horizon Connection Server page, click Next.
  8. In the License Agreement page, select I accept the terms, and click Next.
  9. In the Destination Folder page, click Next.
  10. In the Installation Options page, select Horizon Standard Server, and click Next.

    • In Horizon 2006 (8.0) and newer, it is no longer possible to disable HTML Access for specific pools.
  11. In the Data Recovery page, enter a password, and click Next.
  12. In the Firewall Configuration page, click Next.
  13. In the Initial Horizon Administrators page, enter an AD group containing your Horizon administrators, and click Next.
  14. In the User Experience Improvement Program page, uncheck the box, and click Next.
  15. In the Operational Data Collection page, click Next.
  16. In the Operational Data Collection page, click Next.
  17. In the Ready to Install the Program page, click Install.
  18. In the Installer Completed page, uncheck the box next to Show the readme file, and click Finish.

Install Horizon Connection Server Replica

Additional Horizon Connection Servers are installed as Replicas. After installation, there is no difference between a Replica server and a Standard server.

A production Horizon Connection Server should have 10 GB of RAM and 4 vCPU.

To install Horizon Connection Server Replica:

  1. Ensure the Horizon Connection Server has 10 GB of RAM and 4 vCPU. Source = Hardware Requirements for Horizon Connection Server at VMware Docs.
  2. Horizon 2111 (8.4) and newer support Windows Server 2022.
  3. Horizon 2006 (8.0) and newer support Windows Server 2012 R2, Windows Server 2016, and Windows Server 2019. See 78652 Supported Operating Systems and MSFT Active Directory Domain Functional Levels for VMware Horizon 8 2006.
  4. Horizon 2006 (8.0) and newer no longer need Flash.
  5. Download Horizon 2206 (8.6) Horizon Connection Server.

  6. Run the downloaded VMware-Horizon-Connection-Server-x86_64-8.6.0.exe.
  7. In the Welcome to the Installation Wizard for VMware Horizon Connection Server page, click Next.
  8. In the License Agreement page, select I accept the terms, and click Next.
  9. In the Destination Folder page, click Next.
  10. In the Installation Options page, select Horizon Replica Server, and click Next.
  11. In the Source Server page, enter the name of another Horizon Connection Server in the pod. Then click Next.
  12. In the Firewall Configuration page, click Next.
  13. In the Ready to Install the Program page, click Install.
  14. In the Installer Completed page, click Finish.
  15. Load balance your multiple Horizon Connection Servers.
  16. Horizon Console > Settings > Servers > Connection Servers tab shows multiple servers in the pod.

Horizon Connection Server Certificate

  1. Run certlm.msc. Or run mmc, add the Certificates snap-in, and point it to Computer > Local Machine.
  2. Request a new certificate with a common name that matches the FQDN of the Connection Server, or import a wildcard certificate.
  3. Note: the private key must be exportable. If using the Computer template, click Details, and then click Properties.
  4. On the Private Key tab, click Key options to expand it, and check the box next to Mark private key as exportable.
  5. In the list of certificates, look for the one that is self-signed. The Issuer will be the local computer name instead of a Certificate Authority. Right-click it, and click Properties.
  6. On the General tab, clear the Friendly name field, and click OK.
  7. Right-click your Certificate Authority-signed certificate, and try to export it.
  8. On the Export Private Key page, make sure Yes, export the private key is selectable. If the option to export the private key is grayed out, then this certificate will not work. Click Cancel.
  9. Right-click your Certificate Authority-signed certificate, and click Properties.
  10. On the General tab, in the Friendly name field, enter the text vdm, and click OK. Note: only one certificate can have vdm as the Friendly name.
  11. Then restart the VMware Horizon View Connection Server service. It will take several minutes before you can connect to Horizon Administrator Console.
  12. Horizon Console > Monitor > Dashboard > System Health > View > Components > Connection Servers should show the TLS Certificate as Valid.
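
The checks from the certificate steps above, as a read-only script. This is an added example, not part of the original post; the function names are hypothetical, and it assumes an elevated Windows PowerShell session on the Connection Server.

```powershell
# Added example (not from the original post): read-only check of the
# certificate the Connection Server will pick up. Changes nothing.

function Test-KeyExportable {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # $true/$false for RSA keys; $null when it cannot be determined
    # (for example a non-RSA key or a key held in hardware).
    if (-not $Cert.HasPrivateKey) { return $false }
    try {
        $ext = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]
        $key = $ext::GetRSAPrivateKey($Cert)
        if ($key -is [System.Security.Cryptography.RSACng]) {
            $allow = [System.Security.Cryptography.CngExportPolicies]::AllowExport
            return $key.Key.ExportPolicy.HasFlag($allow)
        }
        if ($key -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
            return $key.CspKeyContainerInfo.Exportable
        }
    } catch { }
    return $null
}

function Get-VdmCertificateReport {
    # Same store that certlm.msc shows under Personal > Certificates.
    $store = @(Get-ChildItem -Path Cert:\LocalMachine\My)
    $vdm   = @($store | Where-Object { $_.FriendlyName -eq 'vdm' })

    # Only one certificate can have vdm as the Friendly name.
    if ($vdm.Count -ne 1) {
        Write-Warning "Found $($vdm.Count) certificates with Friendly name 'vdm'; exactly one is expected."
    }

    $fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

    foreach ($c in $vdm) {
        $names = @($c.DnsNameList | ForEach-Object { $_.Unicode })
        [pscustomobject]@{
            Subject            = $c.Subject
            Thumbprint         = $c.Thumbprint
            # The installer-generated certificate has Issuer = Subject.
            SelfSigned         = ($c.Subject -eq $c.Issuer)
            Expired            = ($c.NotAfter -lt (Get-Date))
            HasPrivateKey      = $c.HasPrivateKey
            KeyExportable      = Test-KeyExportable -Cert $c
            SignatureAlgorithm = $c.SignatureAlgorithm.FriendlyName
            DnsNames           = $names -join ', '
            # -like treats '*' more loosely than TLS wildcard matching,
            # so read this as a hint and confirm the names by eye.
            MatchesFqdn        = [bool]($names | Where-Object { $fqdn -like $_ })
        }
    }
}

Get-VdmCertificateReport | Format-List
```

A usable result has SelfSigned and Expired both False, HasPrivateKey and KeyExportable both True, and MatchesFqdn True.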

Horizon Portal – Client Installation Link

If you point your browser to the Horizon Connection Server (without /admin in the path), the Install VMware Horizon Client link redirects to the VMware.com site for downloading of Horizon Clients. You can change it so that the Horizon Clients can be downloaded directly from the Horizon Connection Server.

  1. On the Horizon Connection Server, go to C:\Program Files\VMware\VMware View\Server\broker\webapps.
  2. Create a new folder called downloads.
  3. Copy the downloaded Horizon Client 2106 for Windows to the new C:\Program Files\VMware\VMware View\Server\broker\webapps\downloads folder.
  4. Run Notepad as administrator.
  5. Open the file C:\ProgramData\VMware\VDM\portal\portal-links-html-access.properties with a text editor (as Administrator).
  6. Go back to the downloads folder and copy the Horizon Client filename.
  7. In Notepad, modify link.win32 and link.win64 by specifying the relative path to the Horizon Client executable under /downloads. Note: In Horizon Client 4.3 and newer, there’s only one Horizon client for both 32-bit and 64-bit. The following example shows a link for the Horizon win64 client.
    link.win64=/downloads/VMware-Horizon-Client-2106-8.3.0-18287501.exe
  8. Then save the file.
  9. Restart the VMware Horizon View Web Component service, or restart the entire Connection Server.
  10. It will take a few seconds for the ws_TomcatService process to start so be patient. If you get a 503 error, then the service is not done starting.
  11. Now when you click the link to download the client, it will grab the file directly from the Horizon Connection Server.
  12. Repeat these steps on each Connection Server.
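
The same procedure as a script that also checks the installer's Authenticode signature before the file is published to users. This is an added example, not part of the original post; the `-InstallerPath` parameter is hypothetical, and the paths, property keys and service display name are the ones given in the steps above.

```powershell
# Added example (not from the original post). Run elevated on each
# Connection Server, passing the path of the downloaded Horizon Client.
param(
    [Parameter(Mandatory)][string]$InstallerPath
)

$downloads = 'C:\Program Files\VMware\VMware View\Server\broker\webapps\downloads'
$propsFile = 'C:\ProgramData\VMware\VDM\portal\portal-links-html-access.properties'

# Refuse to publish a binary whose signature does not validate, and print
# the signer and hash so they can be compared with the vendor download page.
$sig = Get-AuthenticodeSignature -FilePath $InstallerPath
if ($sig.Status -ne 'Valid') {
    throw "Signature check failed for ${InstallerPath}: $($sig.Status)"
}
"Signer: $($sig.SignerCertificate.Subject)"
"SHA256: $((Get-FileHash -Path $InstallerPath -Algorithm SHA256).Hash)"

# Steps 2-3: create the downloads folder and copy the client into it.
New-Item -ItemType Directory -Path $downloads -Force | Out-Null
Copy-Item -Path $InstallerPath -Destination $downloads -Force
$name = Split-Path -Path $InstallerPath -Leaf

# Steps 5-8: point link.win32 and link.win64 at the local copy.
# Java .properties files are ISO-8859-1, so read and write with that encoding.
Copy-Item -Path $propsFile -Destination "$propsFile.bak" -Force
$latin1 = [System.Text.Encoding]::GetEncoding('ISO-8859-1')
$lines  = [System.IO.File]::ReadAllLines($propsFile, $latin1)
$lines  = foreach ($line in $lines) {
    if ($line -match '^\s*link\.(win32|win64)\s*=') {
        "link.$($Matches[1])=/downloads/$name"
    } else {
        $line
    }
}
[System.IO.File]::WriteAllLines($propsFile, [string[]]$lines, $latin1)

# Step 9: restart the web component so the new links are served.
Get-Service -DisplayName 'VMware Horizon View Web Component' | Restart-Service
```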

Portal Branding

Chris Tucker at Horizon View 7.X – Branding the Logon page details how to brand the Horizon portal page.

LDAP Edits

Mobile Client – Save Password

If desired, you can configure Horizon Connection Server to allow mobile clients (iOS, Android) to save user passwords.

  1. On the Horizon Connection Server, run ADSI Edit (adsiedit.msc).
  2. Right-click ADSI Edit, and click Connect to.
  3. Change the first selection to Select or type a Distinguished Name, and enter dc=vdi,dc=vmware,dc=int.
  4. Change the second selection to Select or type a domain or server, and enter localhost. Click OK.
  5. Navigate to Properties > Global. On the right, double-click CN=Common.
  6. Scroll down, click to highlight pae-ClientCredentialCacheTimeout, and click Edit.
  7. Enter a value in minutes. 0 = no saving of credentials. -1 = no timeout. Click OK.

Biometric Authentication – iOS Touch ID, iOS Face ID, Fingerprints, Windows Hello

Biometric authentication, including Touch ID, Face ID, Fingerprints, and Windows Hello, is disabled by default. To enable: (source = Configure Biometric Authentication at VMware Docs)

  1. On the Horizon Connection Server, run ADSI Edit (adsiedit.msc).
  2. Right-click ADSI Edit and click Connect to…
  3. Change the first selection to Select or type a Distinguished Name and enter dc=vdi,dc=vmware,dc=int.
  4. Change the second selection to Select or type a domain or server and enter localhost. Click OK.
  5. Navigate to Properties > Global. On the right, double-click CN=Common.
  6. Find the attribute pae-ClientConfig and double-click it.
  7. Enter the line BioMetricsTimeout=-1, and click Add. Click OK. The change takes effect immediately.
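
Both LDAP settings above control how long credentials stay cached on client devices, so they are worth reading back after a change or during a review. The following added example (not part of the original post; the function name is hypothetical) reads them from the same object that the ADSI Edit steps open, assuming it is run on a Connection Server by a Horizon administrator.

```powershell
# Added example (not from the original post): read-only report of the
# client credential settings stored in the Horizon LDAP on this server.

function Get-HorizonClientCredentialPolicy {
    # Properties > Global > CN=Common under dc=vdi,dc=vmware,dc=int on localhost,
    # the same object the ADSI Edit steps navigate to.
    $dn     = 'CN=Common,OU=Global,OU=Properties,DC=vdi,DC=vmware,DC=int'
    $common = [ADSI]"LDAP://localhost/$dn"

    # Mobile client saved password: minutes, 0 = no saving, -1 = no timeout.
    $cache = $common.Properties['pae-ClientCredentialCacheTimeout'].Value
    $cacheMeaning = if ($null -eq $cache) {
        'attribute not set'
    } elseif ([int]$cache -eq 0) {
        'saving of credentials is off'
    } elseif ([int]$cache -eq -1) {
        'saved credentials never time out'
    } else {
        "saved credentials time out after $cache minutes"
    }

    # pae-ClientConfig is multi-valued, one name=value entry per line.
    $bio = $null
    foreach ($entry in @($common.Properties['pae-ClientConfig'])) {
        if ("$entry" -match '^\s*BioMetricsTimeout\s*=\s*(-?\d+)\s*$') {
            $bio = [int]$Matches[1]
        }
    }
    $bioMeaning = if ($null -eq $bio) {
        'BioMetricsTimeout not present (biometric authentication is disabled by default)'
    } else {
        "BioMetricsTimeout=$bio is set"
    }

    [pscustomobject]@{
        Server                       = $env:COMPUTERNAME
        ClientCredentialCacheTimeout = $cache
        SavedPasswordPolicy          = $cacheMeaning
        BioMetricsTimeout            = $bio
        BiometricPolicy              = $bioMeaning
    }
}

Get-HorizonClientCredentialPolicy | Format-List
```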

Load Balancing

See Carl Stalhood’s Horizon Load Balancing using Citrix ADC 12.1.

Remote Desktop Licensing

If you plan to build RDS Hosts, then install Remote Desktop Licensing somewhere. You can install it on your Horizon Connection Servers by following the procedure at https://www.carlstalhood.com/delivery-controller-1912-ltsr-and-licensing/#rdlicensing.

Antivirus

See VMware Tech Zone Antivirus Considerations in a VMware Horizon Environment for exclusions for Horizon View, App Volumes, User Environment Manager, and ThinApp.

Help Desk Tool Timing Profiler

Run the following command on each Connection Server instance to enable the timing profiler, which lets you view logon segments in the Help Desk tool.

vdmadmin -I -timingProfiler -enable

137 thoughts on “VMware Horizon Connection Server 2206 (8.6)”

  1. Hello Carl, I have migrated the connection server from 2111 to 2206 but after the client can’t connect anymore. UAG are configured in 2103 but not registered anymore on the connection server… any idea?

  2. Has anyone experienced an issue with SSO with launching a machine? I updated the connection server to 2206 along with the newer agent on the golden image. I noticed now when I launch a desktop, it loads Other User instead of automatically logging in with the SSO defined in the global settings. I have it set to never discard SSO timeout. Not sure if it is something with the new version or if something may be broken in my golden image.

  3. Hello Carl,

    We are planning a full datacenter shutdown, including power. After maintenance, everything will be powered back on. All systems are on a single vCenter. My question is, are there any special considerations for the Horizon VDI systems that should be employed?

    Thanks.

    1. SQL should be running before App Volumes boots.

      Connection Servers should be running before Horizon Agents boot.

  4. Carl, we updated connection servers from 2111 to 2206. After that, vCenter server will no longer communicate with connection servers.
    Debug log shows:
    java.security.cert.CertPathValidatorException: Algorithm constraints check failed on signature algorithm: SHA512withRSA (RSA 4096bits)

    It was working prior to the update with the same cert. Any ideas?

        1. I’m having the same issue as Jeff, I have yet to find a fix. I was looking through the jre security file looking for a section that would explain the change but I have not been able to identify it.

          1. We have the same problem. After updating to 2206, it is no longer possible to connect to vCenter. Is there already a solution or fix?

      1. Carl, is there any feedback from VMware? I did all kinds of things in java.security file but nothing works. This is regarding the “java.security.cert.CertPathValidatorException: Algorithm constraints check failed on signature algorithm: SHA512withRSA (RSA 4096bits).” Prior version of Horizon worked fine. Only Horizon 2206 has this issue.

      2. The error in the log was: Algorithm constraints check failed on signature algorithm: SHA512withRSA (RSA 4096bits). The solution from VMware support was to reissue the certificate from the CA with SHA256withRSA (2048 bit). (By the way, the initial certificate was in place for over a year without issue.)

        1. I have the same problem after updating to 2206. I’m using a 2k certificate and get the error
          Algorithm constraints check failed on signature algorithm: SHA256withECDSA

    1. So VMware TAM here, and I have a customer who brought this up. Does anyone have an open SR on this that I can use for reference? Trying to do a deeper dive on this to see what needs to be done.

      1. Unfortunately it is for us. It is essentially saying that App Layering shouldn’t be used with Horizon.

        1. I think they are removing it because of low demand, especially since Citrix bought them. Horizon has App Volumes.

  5. Hi Carl,

    I’m afraid the “cs-disableNonEmptyPoolDelete=1” setting doesn’t work anymore in Horizon 8. I just tried it in 2111 and it let me delete a manual desktop pool with one machine in it, even though I set cs-disableNonEmptyPoolDelete=1.

    1. Thanks for noticing this. I can’t find any Horizon 8 docs with that setting so you may be right.

  6. Hello Carl,

    After replacing the expired certificate on the connection server (with a .pfx certificate that included the key), the service VMware Horizon View Blast Secure Gateway is in a paused state and I cannot open Horizon Administrator (The connection for this site is not secure. localhost uses an unsupported protocol.
    ERR_SSL_VERSION_OR_CIPHER_MISMATCH
    Unsupported protocol
    The client and server don’t support a common SSL protocol version or cipher suite.)

    Can you suggest something?

    1. Try exporting the cert with private key to a new PFX file and then re-import it. I had a similar problem recently.

    2. I have exactly the same issue. I had to allow export of the private key during the import process to fix the issue.

  7. Hi Carl, I have a 7.13.1 environment and have moved all pools to instant clones. UAGs are at 2111.2. I need to upgrade to Horizon 8 and was wondering about the connection servers. Right now they are 2012 VMs and I’d like to upgrade them to Server 2019 at the same time. Can I upgrade the current 7.13.1 connection servers to 8 and add in/switch/replace out the replicas with new 8 ones on Server 2019, or is there a step I’m missing?

    Thank you,

      1. Supported yes but since 2012 will be eol sooner rather than later I want to replace it with a more current os.

        1. Yes, it is supported to upgrade to Horizon 8 on your existing servers. Then you can swap them out with new servers running the same version of Horizon. Don’t forget load balancers need to point to the new servers.

  8. Hi Carl,

    using the Configuring Untrusted Domains (https://docs.vmware.com/en/VMware-Horizon/2103/horizon-console-administration/GUID-13DEE5BB-E029-430C-834D-EF4E85A723E4.html ) feature.

    Is it possible to have 1 central ‘repository’ for VDI-connection server, saying 1 master domain for us as ICT Provider, and add only add the different user domain for all customers who want to use our VDI-stack?

    This would mean we could deliver/manage our whole environment with 1 VDI server.

  9. Hi Carl. After stopping and starting VMware Horizon View Connection Server (log4j scripted mitigation) we got the error: Server’s certificate is pending validation. In the logs there is also: ERROR (0C40-1990) [BrokerCertificateGeneration] Certificate Cycling error occurred: com/vmware/vdi/messagesecurity/Identity. The server was reverted to the snapshot but the problem remained. Even when we RDP directly to this Connection Server and try to run https://localhost/admin the site is not responding. We have two Connection Servers 2006 and two UAGs 3.10. Still waiting for VMware support. Any ideas what to check?

      1. Thank you for your immediate response. I have tried to set CertificateRevocationCheckType registry value not to perform certificate revocation checking, unfortunately without success. When I run netstat there is nothing related to 443 port.

  10. Happen to know if you’ve got a grace period on getting everything upgraded and remain in a working state? I’d like to go from 7.13.1 to 2011 but I’d like to keep the Agent on 7.13.1 and Client on 5.5 in a working state while I get to and upgrade the Agent and Client on end user workstations here and there, I don’t want to try and do all that in a single weekend. Prefer to upgrade group A agent and client while group B, C and D are still working with the old agent and client.

    1. I don’t think VMware has documented that anywhere. But I’ve seen customers way behind on Agent upgrades.

    2. Just wanted to add that this is working currently, I’ve got UAG on 2111.2, Connection Servers on 2111, DEM (Upgraded to 2111 on all agent hosts), Agents are still 7.13.1 and Client 5.5. I mainly had to do this because I’m using ThinPrint and wanted to make sure ThinPrint would continue to work with the old agent and client with an updated front end.

  11. Hi Carl, thanks for this doc, it has been very helpful!
    I’m facing some issues while installing a new site. I’ve installed the first standard server without any issues (8.4 2111) on W2019. Now, when I try to install Replica server, it keeps rolling back at the end of the installation.
    In logs, I found this:

    adamInstUtil: 02/22/22 06:25:23 — CA exec: VMAdamForceSyncFromReplica
    adamInstUtil: 02/22/22 06:25:23 Running LDAP replica synch on replica instance
    adamInstUtil: 02/22/22 06:25:33 Child exited with code 0
    adamInstUtil: 02/22/22 06:25:33 Child exited with code 0
    adamInstUtil: 02/22/22 06:25:33 End Logging
    adamInstUtil: 02/22/22 06:25:37 Begin Logging
    adamInstUtil: 02/22/22 06:25:37 — CA exec: VMAdamReplicaImportCMS
    adamInstUtil: 02/22/22 06:25:37 Getting Property CustomActionData = IPv4
    adamInstUtil: 02/22/22 06:25:37 This server does not have latest CMS key.
    adamInstUtil: 02/22/22 06:25:39 ERROR: Cannot bootstrap CMS: Cannot connect to any node, attempts=1, last-error=SSPI auth failed
    adamInstUtil: 02/22/22 06:25:39 End Logging

    Also this:
    === Logging stopped: 2/22/2022 6:26:05 ===
    MSI (c) (C4:D8) [06:26:05:126]: Note: 1: 1708
    MSI (c) (C4:D8) [06:26:05:126]: Product: VMware Horizon Connection Server — Installation operation failed.

    MSI (c) (C4:D8) [06:26:05:126]: Windows Installer installed the product. Product Name: VMware Horizon Connection Server. Product Version: 8.4.0.19067837. Product Language: 1033. Manufacturer: VMware, Inc.. Installation success or error status: 1603.

    MSI (c) (C4:D8) [06:26:05:126]: Grabbed execution mutex.
    MSI (c) (C4:D8) [06:26:05:126]: Cleaning up uninstalled install packages, if any exist
    MSI (c) (C4:D8) [06:26:05:126]: MainEngineThread is returning 1603
    === Verbose logging stopped: 2/22/2022 6:26:05 ===

    And this:
    2022-02-22 06:26:05| BootStrapper-build-18841740| Did not find file/directory: “C:\Users\VDSADM~1\AppData\Local\Temp\2\\vmreboot.tmp”
    2022-02-22 06:26:05| BootStrapper-build-18841740| The reboot file does not exist
    2022-02-22 06:26:05| BootStrapper-build-18841740| Did not find file/directory: “C:\Users\VDSADM~1\AppData\Local\Temp\2\\vmwareboot.tmp”
    2022-02-22 06:26:05| BootStrapper-build-18841740| The reboot file does not exist
    2022-02-22 06:26:05| BootStrapper-build-18841740| Util_NeedReboot: Reboot not needed.
    2022-02-22 06:26:05| BootStrapper-build-18841740| Returned to [E:\software]
    2022-02-22 06:26:05| BootStrapper-build-18841740| Cleaning up temp dir “C:\Users\VDSADM~1\AppData\Local\Temp\2\VMWBA3E.tmp\”
    2022-02-22 06:26:05| BootStrapper-build-18841740| Deleting [C:\Users\VDSADM~1\AppData\Local\Temp\2\VMWBA3E.tmp\]
    2022-02-22 06:26:05| BootStrapper-build-18841740| Setup exit code is: 1603
    2022-02-22 06:26:05| BootStrapper-build-18841740| End Logging

    Both VMs are brand new W2019.
    I’ve tried to re-install Replica after removing AD-LDS, reg keys, folder and certs, but no luck.
    Do you have a clue what could be causing this?

    Thanks!!!

      1. Firewalls none, but we have Sentinel One in both VMs (both are placed in same VLAN).
        Regarding GPOs, I took a quick look over them but I will have to check with the proper team.
        Do you feel like this can be causing the issue?
        Thanks!!

        1. Hi, I’m currently facing a quite similar issue with a customer. The problem occurs on Server 2019, 2012 R2 doesn’t seem to be affected. Also upgrading from 7.11.x to 8.4 2111 worked fine on Server 2019. I’m suspecting this to be a bug within the current version.

    1. Hello, I have exactly the same problem extending current W2012R2 Connection Servers with new replicas on W2019 Servers. There is exactly the same issue with interruption of replica installation during AD/LDS replication with error: ERROR: Cannot bootstrap CMS: Cannot connect to any node, attempts=2, last-error=Channel timeout/abort during auth. Matias, Carl, did you find the solution? Thanks a lot! Ondrej

  12. Hello Carl,
    I am unfortunately a complete beginner in the Horizon 8 field.
    At the moment I am looking for the hardware and system requirements for Horizon. All results come out to Connection Server, as well as in your super block on your website. Now my question do I not need specific requirements for vCenter server, vSphere for implementation? I know that these components can be implemented as a server as well as a VM but by running multiple VMs (respectively sessions) I also need specific compute power or not? What about AppVolume and ThinApp?

    Thanks in advance for your answer.

    Many greetings
    Thomas

    1. What is the maximum usage you are designing for? Number of concurrent users? RDSH vs VDI? Non-persistent vs persistent? Etc. VMware Partners usually assist with sizing and architecture. As you mentioned, there’s more to this than just Horizon.

      1. The maximum usage is 200 concurrent employees with Named User licenses in daily operation. The VDI Instant Clone technology is to be used via the Just-in-Time Platform. This creates the required VMs from the golden image when they are requested. Unfortunately, I cannot use support from VMware partners. Is there no rule of thumb or guideline values from VMware for dimensioning the computing power as with the connection server? Furthermore I only found information that the Connection Server has to run on a separate system without other activated Windows roles or Horizon components. Can the other components run on a shared server if they have been virtualized?

  13. Hi Carl,

    I have a very weird experience with certificates that I want to import using a pfx file. Of course I’m importing it into the local computer store under “My certificates”.
    I’m marking the private key as exportable during the import, I add the display name “vdm” and verify that it is the only certificate with this display name.
    I verify that the private key is exportable.
    But still the Connection Server won’t accept the certificate and throws out an ERR_SSL_VERSION_OR_CIPHER_MISMATCH.
    If I generate the request on this server this does not happen. Then everything is fine. This happens only when I’m importing a certificate using pfx.
    The private key permissions seem to be ok, similar to the certificate with the locally created request.
    Do you have any idea what might cause this strange behavior?
    We’re using a build from around the 20th of January 2022.

      1. Yes, the public key is RSA 2048-bit.
        What I forgot to mention before is that we have two connection servers in our environment and I have configured the certificate as a SAN certificate with all the necessary alternative DNS names we need for both connection servers.
        I did the request for it on our first Connection Server and then imported the certificate to this first Connection Server. This server runs just fine with the certificate.
        But when I export it including the private key and then import it as described in my former post the second Connection Server simply doesn’t accept the certificate.
        The point is that the first Connection Server where the request was created runs just fine while the second one won’t accept the certificate despite me ensuring that all required steps have been done correctly.
        When I do the same request on the second Connection Server the newly created certificate then works just fine on the second server but then I have the same problems with this new certificate on the first Connection Server.
        Additionally both Connection Server are newly installed Windows 2019 Server VMs. That’s why I also don’t think that this is an issue with ECDSA

        1. Do the logs in C:\Programdata\VMware\VDM\logs give you any more insight?

          Did you import the cert under local machine (certlm.msc) and not for your user account (certmgr.msc)?

          1. It turned out that VMware doesn’t like it when you create the request using the MMC and chose the “Webserver” template which is a typical step you do when you create a request for your own Windows CA. As it looks like that information is stored somewhere in the request and some things seem to be done a little bit differently while the private key is stored within the system. This doesn’t have an effect as long as you merge the certificate with the private key on that system. There the certificate still will be accepted by the VMware Connection Server software. But when you export it into a PFX and import it on another system the VMware Connection Server software on that system then rejects the certificate.

            The only solution seems to be to create the request using certreq and to ensure NOT to add any template information for the Windows CA into the INF file. SAN extension is fine but the moment you add any template information for the Windows CA into it you will experience the same issue.
            It is ok however to select the “Webserver” template when you submit the request through the web interface of the Windows CA.
            When you now merge the certificate and the private key, export it as PFX and then import it on the second system the VMware Connection Server software now will accept the imported certificate.
            Maybe you want to add this information to your tutorial above.

            Thanks for your hints, the logs and a post on the web pointed me to the right direction.

  14. Hi Carl. Great content as always. Is there any upgrade path from UAG 3.9 to 2111? Our Connection servers are on 2006 also. Thanks!

  15. We disabled CORS but still had problems with HTML5 access. We had to enable Allow Origin Header Re-Write on the UAGs for the affected Connection Servers. Our case may be unique, we had a load balancer in the mix.

  16. Hi Carl,

    if we need to upgrade an OS that runs the connection server what would be the best way to do this?

    I assume just uninstalling it via control panel and then install it on the replacement?

    thanks

    1. To keep the existing Horizon config, do the following:

      1. In-place upgrade existing Connection Servers to a version that supports your desired operating system version.
      2. Build new Connection Servers and join to pod.
      3. Decommission the old Connection Servers.

  17. I cannot get a 2111 connection server to add a vcenter 6.5.0 appliance no matter what I try. I’ve tried all combinations of admin@vsphere.local, domain\admin, admin@domain, etc. Any ideas on what’s happening in this new version? The vcenter side shows the logins through the wizard in the events. Thanks!

  18. Thank you very much for your work. I hope you can help me and my team. We are trying to proxy connections to my UAG (2106) through cloudflare. I’m experiencing http 429 error, too many connections. Looking at uag esmanager.log I see an enormous number of opened channels by Cloudflare IP until I get the message “too many connections opened”. Even if I change the value of concurrent channels in the UAG settings to 0, the connection breaks (cloudflare opens about 74 channels).
    Regards,
    Caledot

  19. Hi Carl!

    Couple of questions. Upgrading 7.13.0 to 8.x. Do I need to delete existing linked clone pools? Is there an upgrade path for least disruption?

    If you have an existing CA custom certificate, do you still need to follow instructions for certificates?

    TIA,
    Ken

    1. I don’t think that’s a problem. Just don’t rename it.

      Update your load balancer and/or UAG with the new IP address.

    2. I tried to change the IP address of a 6.x connection server several years ago and it did not like it. I found out you would have to uninstall and reinstall the connection server software and keep the ADAM database. With that said, newer versions may not be as particular.

  20. Carl ol’ Bean!
    I’m currently standing up a single-host installation (it’s just for a few interim users), so it’s good to know my go-to bailout guy for 20+ years is, as usual, already way ahead of me! Questions are likely forthcoming. 🙂

  21. Hello Sir,

    I work in a DoD facility that requires two-factor authentication. However, we will be entertaining external customers who are not CAC (Common Access Card) authentication. They have acquired External Certificate Authority (ECA) Certificates. I have added their CA Certs to the UAG. The UAG lets them through and provides them a list of Entitled Desktop Pools. When they select a pool, the connection server replies with “Connect a Smart Card” message.

    Am I missing a configuration somewhere (pae-ClientAuthEnabled ?) or is a hard token required. If yes, will Medium Token Assurance suffice?

    Thank you for your time. -Doug

      1. Thank you for the quick reply. Looking over my previous post, I may not have been clear. The Smart Card tokens work with no issues. The user with the External Soft Certs can get through the UAG no problem. The problem is that once the UAG retrieves the Desktop Pools from the Connection Servers, for the user with the Soft Certs, they prompt him to “Insert a Smart Card”.

        I feel this is probably just a simple configuration issue. I just can’t find it. NOTE: I have the External Certificate Authority certs on the UAG, but not the Connection Servers. Do I also need to add the ECAs to the Connection Servers?

        1. The smartcard still needs to be mapped to an AD user account… Make sure they can log in to a physical desktop first with their smartcard; that has to work first. Once AD is validated to work with the smartcard, then you create a Java keystore file with all the root CAs configured and edit the connection server “locked.properties”. For the DoD root CA you get this from the InstallRoot that DISA provides; add the external CA as well.
          REF:
          https://docs.vmware.com/en/VMware-Horizon-7/7.13/horizon-console-administration/GUID-FEF318EF-EB8E-46F3-B432-3444F8A31D28.html
          https://docs.vmware.com/en/VMware-Horizon-7/7.13/horizon-console-administration/GUID-965A7946-605E-40A9-8808-32D27C318F70.html

      2. Hi Carl,
        I want to do a new install of VMware Horizon View 2111 in my company, but
        my problem is I don’t see any option to add a Composer server in Horizon 2111. How do I do that?
        My VCSA is an appliance and not Windows-based.
        Please help me
        Thanks

  22. Hi Carl,

    Out of all the Horizon 8 articles on the web, yours seems the most detailed, with procedures to troubleshoot if any. One thing is missing on your site – App Volumes 4.x. Will you please write that up, or can you suggest a great, very detailed App Vol 4.x and DEM article or step-by-step guide? Really appreciated.

  23. Hello Carl,

    In step 14 (load balancing connection server), is it enough to add a pair of connection servers in the administration console, or is it mandatory to balance them through NetScaler or another balancer? Thanks in advance

    1. In Horizon Client you enter a server URL. That Server URL can be a single Connection Server, or it can be a load balanced pool of Connection Servers. Horizon does not do load balancing on its own so you’d need an external load balancer. Citrix has a Freemium edition of Citrix ADC.

  24. Hi Carl,

    Do you know if Horizon 8 works with AD 2008? I know AD 2008 is EOL but we haven’t updated it yet.
    Many thanks!!!

  25. Has anyone seen this when trying to add a replica server to a 2006 setup ( I have 2 connection servers currently )

    The installer rolls back at the end and in Horizon install logs it has errors such as these

    adamInstUtil: 09/24/21 15:50:13 — CA exec: VMAdamSetLDAPProperties
    adamInstUtil: 09/24/21 15:50:13 Getting property ADAM_PRIMARY_NAME =
    adamInstUtil: 09/24/21 15:50:13 Standard instance install
    adamInstUtil: 09/24/21 15:50:14 Failed to open LDAP connection to localhost. Server Down.
    adamInstUtil: 09/24/21 15:50:14 End Logging
    adamInstUtil: 09/24/21 15:50:20 Begin Logging

    it appears to open an LDAP connection just fine to the current server

    I used to have Cloud Pod activated but decommissioned that a long time ago, but I wonder if that is causing any errors

    this is my evidence of the ldap connection looking ok

    damInstUtil: 09/30/21 13:06:39 DN = ou=Groups,dc=vdi,dc=vmware,dc=int
    adamInstUtil: 09/30/21 13:06:39 User has “Full” View rights at the top level.
    adamInstUtil: 09/30/21 13:06:39 dnsHostName obtained from Primary LDAP server is GS2-SCON01.connect-365.net
    adamInstUtil: 09/30/21 13:06:39 currentTime obtained from Primary LDAP server is 20210930120639.0Z
    adamInstUtil: 09/30/21 13:06:39 Parsed LDAP time from remote server is 20210930120639.
    adamInstUtil: 09/30/21 13:06:39 Time difference is 0 seconds (which is within the tolerable range).
    adamInstUtil: 09/30/21 13:06:39 Connection to primary LDAP server at gs2-scon01 OK using dnsHostName of primary GS2-SCON01.connect-365.net.
    adamInstUtil: 09/30/21 13:06:39 Setting property ADAM_PRIMARY_NAME = GS2-SCON01.connect-365.net
    adamInstUtil: 09/30/21 13:06:39 Setting property ADAM_PRIMARY_OK = 1
    adamInstUtil: 09/30/21 13:06:39 Highest View server version number found is 800
    adamInstUtil: 09/30/21 13:06:39 LDAP Unbind OK
    adamInstUtil: 09/30/21 13:06:39 End Logging
    adamInstUtil: 09/30/21 13:06:39 Begin Logging

    Found a few posts about checking paw-linkmodeenabled isn’t set if you don’t have Cloud Pod, but that didn’t seem to help

  26. For those who have redirected the download client link to the method specified in the article and get a 404 error when trying to follow the links *and* you are using a UAG appliance, there is a change in the UAG configuration that needs to be made in order to allow the URL to pass through correctly.

    Under Horizon Settings -> More -> Proxy Pattern, you need to add “|/downloads(.*)” (without the double-quotes) so that the UAG knows to proxy the path to the /downloads folder, otherwise it will reject it, and you get that nice 404 error even though the file is there.

    Took me a minute to figure that out. If you have more than one UAG, it will need to be done to each one.

  27. Not sure if you have encountered this, but I typically access my connection server for admin purposes on an internal FQDN /admin. After upgrading from 8 2103 to 8 2106, when I access the /admin of the connection server internal FQDN it directs to the external URL on the UAGs. As soon as I do a snapshot rollback to 8 2103 I can access the /admin extension using the internal FQDN.

      1. We had the same issue using a HA Proxy to access /admin and @Adam G. suggested to use
        “portalHost” property:
        We are using something like:

        checkOrigin=false
        portalHost.1=uag.company.com
        portalHost.2=ha-proxy.company.com

        Giuseppe

    1. I’m having the exact opposite problem on Horizon 8.4. New install with UAG 21.11. VDI connections work as expected to the external FQDN. When I access /admin, it redirects to the internal FQDN of the server. Haven’t found any info\solution to this, unless it’s by design in 8.4? Since I’m using an external FQDN cert, it’s just an annoyance.

  28. Is there a way I can check monthly license VDI usage for VMware Horizon View?
    All I can see in the connection server is live data.
    It doesn’t provide any historic data.

  29. Hi Carl, thanks for the awesome article. I’m running UAG 2012, and planning the upgrade to 2013. Per your instructions, I need to export the current certificate in .pfx format, but Windows only allows me to export in .CER and .P7B format. Do you have a write up on how to export .pfx?

    1. I’m guessing your private key can’t be exported, or you’re not on a machine that has the private key installed. To create .pfx, when exporting the cert, you select the option to export the private key.

    2. Hi Carl,
      Thanks again for the article. I’m already on Horizon 8 (2006); do you have any blog on the steps to go to Horizon 2013? Everything I have seen is on upgrading from Horizon 7.

  30. Thanks for the detailed information. I had to upgrade the license on my.vmware.com website first before I could get the updated license and download the new versions.
    Also I couldn’t get the customized webpage with Horizon client download working. The link shows everything correctly when I hover over the download but then chrome throws an error “page cannot be found” when clicking it.

    1. For the download link, is that through UAG? Or is it directly to the Connection Server? I just did it last weekend and it worked.

      1. I set up the download link through the connection server and by creating a downloads folder right on the server.

  31. Greetings from Russia, Carl. Thank you for your informative articles. There is a task to bind each account to a specific IP address so that it is impossible to connect from other IP addresses. For example: user1 can connect from 8.8.8.8, but not from 1.1.1.1. Thank you for your answer. Good luck!

    1. Maybe you can do a login script in DEM or Group Policy where after login it checks ViewClient_IP_Address and if not valid then logs off the user.

  32. Hello
    I upgraded from 7.12 to 2012 and I only have issues with HTML access from internal browsers.

    I have selected the gateway for only HTML access on my connection servers.

    The problem is that the clients’ browsers are redirected to the VM on port 22443 and it says that the certificate is not trusted (which it is not, I know), but it should have stayed on the load balanced address and been tunnelled from the connection servers.

    From the internet I don’t have this behavior because the UAGs are being used.

    I opened a case with VMware and they told me that it is normal, that I should try to put a wildcard certificate on my VMs.

    The other option would be to have all my traffic, internal and external, going through the UAG.

    Is it the only way?

      1. No, blast gateway is on for HTML only, and it was working fine with 7.12.
        The setting is like: https://cs01.domain.com:8443

        If I use the FQDN of the CS server in the browser it’s working fine, but if I use the load balanced name I get redirected to the VM IP:22443

        I have an F5 load balanced VIP.
        The VIP has rules that if it’s from inside (10.0.0.0/8) go to the CS servers, otherwise go to the UAG servers

  33. The interop matrix shows our current version of vmware tools as “incompatible” (11.0.0) with Horizon 2006, however testing in our lab showed it to work with 11.0.0. Upgrading tools on persistent desktops proves to be challenging and we would only like to do it once. What are your thoughts on proceeding to 2006 even though tools does not show as compatible??

    Thanks for your time and have a great day.

    1. I suspect it’s a question of supportability. If you call support, they will probably ask you to upgrade.

      1. Which we plan to do, but we would prefer to not do it twice, since it is so intrusive with a persistent desktop.

        Our non-persistent pools will be easy….well easier….LOL

        Thanks for the prompt reply and have a good day.

  34. Hi Carl,
    Is there any recipe to install Teams as a machine-wide installation on a Horizon instant clone master image? I currently have Teams that comes with the Office 365 package and installs on its own when the user logs in. It takes about a minute to see the Teams shortcut on the desktop. Also, it does the initial setup every time a user logs in, so I think we need to set up a DEM configuration for it as well.

      1. I already tried installing Teams using
        msiexec /i /l*v ALLUSER=1 ALLUSERS=1
        and my DEM settings are

        [IncludeFolderTrees]
        \Teams
        \Microsoft\Teams
        \Microsoft\IdentityCache

        but DEM doesn’t remember any of the Teams configurations and asks the user to enter credentials. I was wondering if there’s any working DEM setup for Teams.

  35. Hi Carl,
    We are currently running Horizon 7.11 with App Volumes 2.18 and DEM 9.10. We deployed McAfee ENS on the VDI instant clone image some time ago, which bumped up CPU demand by around 15% in vROPS, and now we added Dell Secureworks antivirus, which again increased CPU demand by another 20% in vROPS. Overall CPU demand now is more than 100% in vROPS. However, in vCenter, ESXi host usage on average is around 80%. I was wondering if there is any recipe to deploy multiple antiviruses on the instant clone master image, or an installation order which might help bring CPU demand lower. Thanks in advance.

  36. Hello Carl
    In Horizon 7.x, because it has the Composer function, we usually use the Composer DB as the Horizon event DB.
    Now Horizon 2012 no longer uses the Composer function; where do you suggest installing the DB?
    How do you feel about DEM with SQL Server for the event DB as a solution?

    Thank you!

    1. You can create a database on any SQL server. SQL Express has database size limitations. Production environments use a licensed SQL server.

  37. Hi,
    If I upgrade my Horizon 2006 connection servers to Horizon 2012, which was released yesterday, do I need to do the Horizon Connection Server Certificate section also? I already have these certs.

  38. Hi Carl,
    I’m trying to upgrade the connection servers from 7.13 to 8 and I’m getting the following error :

    Product: VMware Horizon Connection Server — This installer can not upgrade over the existing Horizon connection server version. Please uninstall the existing version before attempting to install this version.

    Do you have any ideas?

    Thanks,
    Emanuel

      1. Hi Carl, I just ran into this after upgrading Horizon Standard to 7.13 in order to move to instant clones and upgrade to 2006, and now my project to get to Horizon 8 came to stand still! Do you have any idea when the next release of Horizon 8 will be out? I couldn’t Google up anything about future releases. Thanks

        1. Historically they’ve been releasing every quarter so I assume very soon.

          What feature of Horizon 8 2006 is compelling as compared to Horizon 7.13?

          1. Thanks Carl! We were on 7.11 standard and in order to prepare for the future demise of 7 and linked clones, we assumed we should upgrade to Horizon 8. Over the holidays was my maintenance window for this project. I was advised the path was through 7.13. So I just never expected that I would be stopped short of 8! And actually as far as I can tell your comments are the only place this is documented. We are fine, there is no feature issue. I was just surprised and a bit disappointed when I ran that installer this morning. Our maintenance windows for upgrade projects only come once every four months. Thanks

  39. Hi Carl,

    Sorry for asking something which may not be related to this page. For the Citrix portal it is possible to launch the Citrix client/Workspace (not HTML5) from the web portal. I would like to check if I could do the same on Horizon (without IDM)? Thanks.

    Rgd,
    Willis

  40. Hi, in our environment the Horizon server has an alternative “friendly name” A-DNS entry… Every time I want to access the admin page from our friendly name, the login fails. Only login via FQDN works. Is there something I’ve missed?

      1. Hi Carl,

        I have added the locked.properties file on both my connection servers. Restarted the connection server service and the servers themselves but still receive the same error, “Login Failed”. It is working only using the IE browser. I need to use the modern browsers; before the upgrade it was working.

        Please help.

        1. Hi Muhammad and Carl,
          I’ve got the same problem. I’ve used the checkOrigin=false line in many versions of Horizon. But it doesn’t seem to work in the 8.3 version.

          1. Same here.
            After upgrading 2103 to 2106 the ha proxy in front of CS stopped working.
            Does someone have a fix?

          2. We had the same issue upgrading to 2106 and chrome users, we needed to add the portalHost property:

            checkOrigin=false
            portalHost=my.company.com

            Hope this helps!

          3. I confirm that adding another “portalHost” line worked for me.
            We are using something like:

            checkOrigin=false
            portalHost.1=uag.company.com
            portalHost.2=ha-proxy.company.com
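
An added example, not part of the comments or of VMware's tooling: a small Python audit of the locked.properties settings quoted in this thread and in the earlier /admin redirect thread (checkOrigin, portalHost, portalHost.N). It assumes ordinary Java properties behaviour, where a repeated key keeps only its last value, and that each name administrators browse to needs its own portalHost entry, as the commenters report; the sample file and URLs are constructed.

```python
from urllib.parse import urlsplit

# Constructed sample: the settings quoted in the comments, plus a repeated
# un-numbered key to show the duplicate-key case.
SAMPLE = """\
# locked.properties (constructed sample)
checkOrigin=false
portalHost=my.company.com
portalHost=ha-proxy.company.com
portalHost.1=uag.company.com
"""


def parse_properties(text):
    """Return (props, duplicates) from simple key=value lines."""
    props, duplicates = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":      # blank line or comment
            continue
        key, sep, value = line.partition("=")
        if not sep:                          # not a key=value line
            continue
        key, value = key.strip(), value.strip()
        if key in props:
            duplicates.append(key)           # assumption: last value wins
        props[key] = value
    return props, duplicates


def portal_hosts(props):
    """Hosts named by portalHost and portalHost.N entries, lower-cased."""
    return {
        v.lower() for k, v in props.items()
        if (k == "portalHost" or k.startswith("portalHost.")) and v
    }


def audit(text, admin_urls):
    """Return a list of findings for the names admins browse to."""
    props, duplicates = parse_properties(text)
    hosts = portal_hosts(props)
    findings = []
    if props.get("checkOrigin", "").lower() == "false":
        findings.append("checkOrigin=false: origin checking is switched off")
    for key in sorted(set(duplicates)):
        findings.append(f"{key}: repeated key, only the last value is kept")
    for url in admin_urls:
        host = (urlsplit(url).hostname or "").lower()
        if host not in hosts:
            findings.append(f"{host}: no portalHost entry")
    return findings


if __name__ == "__main__":
    urls = ["https://my.company.com/admin", "https://uag.company.com/admin"]
    for finding in audit(SAMPLE, urls):
        print(finding)
```

Numbering the entries (portalHost.1, portalHost.2), as in the comments, avoids the repeated-key finding.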

  41. Love the work that you do. Keep it up and thank you!

    I’m currently running 7.12. Is it possible to build a new set of server running 2006 connected to the same vCenter?

    I don’t have a Dev environment so I wondered if this is possible if I don’t want to upgrade a “Working environment”

    So can I have 7.12 and 2006 connected to the same vCenter?

    Thanks

  42. Thank you for your reply. If the older agent 7.8 cannot connect to a Horizon 8 connection server, then what’s your advice for upgrading a Production environment where we have Windows 10 1809, 7+ Images with 10+ Pools, 2 x connection servers (7.8), 2 x App Vol 2.17, 1 x UEM 9.8 and 2 x UAG 3.5 to Horizon 8, Windows 1909 or 2004, App Vol 4.x, UAG 3.10 and DEM 10.0?

    Does the Fling App Vol migration utility support migrating appstacks from 2.17 to 4.x?

    Thank you.

    1. I think the Fling requires you to be on 2.18.

      You might have to upgrade to newer Horizon 7 before you can upgrade to Horizon 8.

      1. You mean from 7.8 –> 7.12 –> 8? Windows 10 1809 isn’t supported with Horizon 8 and Windows 10 1909 isn’t supported with Horizon 7.8. So I’m thinking about how to do the upgrade without disturbing users, as it’s a production environment.

        Any ideas to upgrade the whole setup to latest releases?

        Thanks.

        1. Yes, upgrade Connection Servers to 7.12. Then rebuild your pools with Win10 1909 and Horizon Agent 7.12. Then you can upgrade everything to Horizon 8.

          1. Or what if I go with a new environment of VMware Horizon 8, App Vol 4.x, a new master image of Windows 10 1909 or 2004 with all the latest agents, and recreate all pools? Which one do you think will be the better way in terms of time, maintenance windows and any other issues?

            Also, do you think I have to recreate 50+ appstacks fresh on App Vol 4.x, or can the Fling migrate them without any issue?

            Thank you.

          2. Building a new environment is certainly cleaner. However, it’s probably a new DNS name, especially during testing. Cutovers are risky.

  43. Thank you Carl. I am using Horizon 7.8 with Windows 10 1809. I read that Horizon 8 doesn’t support Windows 1809 and 7.8 doesn’t support 1909; in that case, how do I upgrade the production environment?
    Also, I use App Vol 2.17 with 50+ Appstacks and 300+ writables and want to migrate to App Vol 4.x. What do you recommend for upgrading from 2.17 –> 2.18 –> 4.x and migrating the appstacks and writables? How do I migrate appstacks to the 4.x environment, and is there any compatibility issue?

    Thank you.

      1. Hi Carl, after upgrading from 2111 to 2206, external access is getting an error – Connection Server FQDN: Name or Service not Know
