Omnissa Horizon Connection Server 2406 (8.13)

Last Modified: Jul 27, 2024 @ 7:49 am

This post applies to all Omnissa Horizon versions 2006 (aka 8.0) and newer.

Upgrade

If you are performing a new install, skip to Install Horizon Connection Server.

Notes regarding upgrades:

  • For supported upgrade paths (which version can be upgraded to which other version), see Omnissa Interoperability Matrix.
  • Horizon 7 license key does not work in Horizon 2006 (8.0) and newer. You’ll need to upgrade your license key to Horizon 8.
  • Horizon 8.x no longer supports Horizon Clients 5.x and older.
  • According to Omnissa 78445 Update sequence for Horizon 7.X and its compatible VMware products, App Volumes Managers are upgraded before upgrading Connection Servers.
  • Upgrade all Connection Servers during the same maintenance window.
    • Horizon Agents cannot be upgraded until the Connection Servers are upgraded.
    • Horizon 2006 (8.0) and newer do not support Security Servers. The replacement is Unified Access Gateway.
    • Composer was removed from Horizon 2012 (8.1) and newer. All editions of Horizon 2006 (8.0) and newer support Instant Clones. See Modernizing VDI for a New Horizon at Omnissa Tech Zone for migration instructions.
    • Downgrades are not permitted.
      • You can snapshot your Connection Servers before beginning the upgrade. To revert, shut down all Connection Servers, then revert to snapshots.
    • For Cloud Pod Architecture, you don’t have to upgrade every pod at once. But upgrade all of them as soon as possible.
    • All Connection Servers in the pod must be online before starting the upgrade.
    • It’s an in-place upgrade: run the Connection Server installer on each server and click through the wizard.
    • Once the first Connection Server is upgraded, Horizon 2006 (8.0) and newer lets you upgrade the remaining Connection Servers concurrently.
    • After upgrading all Connection Servers to Horizon 2012 (8.1) or newer, see Omnissa 80781 Knowledge DML scripts for data population of new columns in view Events Database to backfill the Events Database with column data to improve Events query performance.
  • Upgrade the Horizon Group Policy template (.admx) files in sysvol.
  • Upgrade the Horizon Agents.
  • DEM Console should not be upgraded until all DEM Agents are upgraded.
  • Upgrade the Horizon Clients.
    • Horizon Clients can be upgraded any time before the rest of the infrastructure is upgraded.

Install/Upgrade Horizon Connection Server

The first Horizon Connection Server must be a Standard Server. Subsequent Horizon Connection Servers are Replicas. Once Horizon Connection Server is installed, there is no difference between Standard and Replica.

A production Horizon Connection Server should have 10 GB of RAM and 4 vCPU. Each Horizon Connection Server can handle 4,000 user connections.

Horizon 2406 (8.13) is the latest release.

To install the first Horizon Connection Server:

  1. Ensure the Horizon Connection Server has 10 GB of RAM and 4 vCPU. Source = Hardware Requirements for Horizon Connection Server at Omnissa Docs.
  2. Horizon 2111 (8.4) and newer support Windows Server 2022.
  3. Horizon 2006 (8.0) and newer support Windows Server 2012 R2, Windows Server 2016, and Windows Server 2019. See 78652 Supported Operating Systems and MSFT Active Directory Domain Functional Levels for VMware Horizon 8.
  4. Horizon 2312 and newer no longer support Windows Server 2012 R2.
  5. Horizon 2006 (8.0) and newer no longer need Flash.
  6. Instant Clones in Horizon 2303 and newer require vSphere 7 or newer. vSphere 6.7 and older will not work.
  7. Download Horizon 2406 (8.13) Horizon Connection Server.
  8. Run the downloaded VMware-Horizon-Connection-Server-x86_64-8.13.0.exe.
  9. In the Welcome to the Installation Wizard for VMware Horizon Connection Server page, click Next.
  10. In the Destination Folder page, click Next.
  11. In the Installation Options page, select Horizon Standard Server, and click Next.
  12. In the Data Recovery page, enter a password, and click Next. This password encrypts the automatic AD LDS backups and is required to restore them, so keep it in your password vault.
  13. In the Firewall Configuration page, click Next.
  14. In the Initial Horizon Administrators page, enter an AD group containing your Horizon administrators, and click Next.
  15. In the User Experience Improvement Program page, uncheck the box, and click Next.
  16. In the Operational Data Collection page, click Next.
  17. In the Ready to Install the Program page, click Install.
  18. In the Installer Completed page, uncheck the box next to Show the readme file, and click Finish.

Install Horizon Connection Server Replica

Additional Horizon Connection Servers are installed as Replicas. After installation, there is no difference between a Replica server and a Standard server.

A production Horizon Connection Server should have at least 10 GB of RAM and 4 vCPU.

To install Horizon Connection Server Replica:

  1. Ensure the Horizon Connection Server has at least 10 GB of RAM and 4 vCPU. Source = Hardware Requirements for Horizon Connection Server at Omnissa Docs.
  2. Horizon 2111 (8.4) and newer support Windows Server 2022.
  3. Horizon 2006 (8.0) and newer support Windows Server 2012 R2, Windows Server 2016, and Windows Server 2019. See 78652 Supported Operating Systems and MSFT Active Directory Domain Functional Levels for VMware Horizon 8.
  4. Horizon 2312 and newer no longer support Windows Server 2012 R2.
  5. Horizon 2006 (8.0) and newer no longer need Flash.
  6. Download Horizon 2406 (8.13) Horizon Connection Server.
  7. Run the downloaded VMware-Horizon-Connection-Server-x86_64-8.13.0.exe.
  8. In the Welcome to the Installation Wizard for VMware Horizon Connection Server page, click Next.
  9. In the Destination Folder page, click Next.
  10. In the Installation Options page, select Horizon Replica Server, and click Next.
  11. In the Source Server page, enter the name of another Horizon Connection Server in the pod. Then click Next.
  12. In the Firewall Configuration page, click Next.
  13. In the Ready to Install the Program page, click Install.
  14. In the Installer Completed page, click Finish.
  15. Load balance your multiple Horizon Connection Servers.
  16. Horizon Console > Settings > Servers > Connection Servers tab shows multiple servers in the pod.

Horizon Connection Server Certificate

Horizon Console Certificate Management

Horizon 2212 and newer have a Certificate Management section in the Horizon Console under Settings. Horizon 2312 and newer can manage cluster certificates in addition to machine certificates.

    1. The Administrators role in Horizon does not include the Certificate Management permission. Go to Settings > Administrators. On the right, switch to the tab named Role Privileges. Click Add.
    2. Name the role CertificateManagement or similar. Select the Manage Certificates privilege, which might be on page 2. Click OK.
    3. Switch to the tab named Administrators and Groups. Select your Horizon Admins group and click Add Permissions.
    4. Select your new CertificateManagement role and click Finish.
    5. Log out and back in, then go to Settings > Certificate Management; the buttons should no longer be grayed out. You can either import an existing certificate or click Generate CSR to create a new one. If you click Generate CSR, this interface has no way to combine the signed certificate with its key, so it’s usually easier to create the certificate some other way and export it as a .pfx file.
    6. Click Import to upload a PFX file to the Connection Server that you are currently connected to. For Machine Identity, you’ll have to repeat this process on each Connection Server.
    7. In certlm.msc on the Connection Server, notice that it sets the vdm friendly name on the imported cert, but it doesn’t remove the vdm friendly name from the old cert. You’ll need to manually remove the vdm friendly name from the old cert.
    8. Then open services.msc and restart the VMware Horizon View Security Gateway Component.
    9. Repeat this process on the other Connection Servers.

Install Cert Manually

Alternatively, install a certificate without using Horizon Console:

  1. Run certlm.msc. Or run mmc, add the Certificates snap-in, and point it to Computer > Local Machine.
  2. Request a new certificate with a common name that matches the FQDN of the Connection Server or import a wildcard certificate.
  3. Note: the private key must be exportable. If using the Computer template, click Details, and then click Properties.
  4. On the Private Key tab, click Key options to expand it, and check the box next to Mark private key as exportable.
  5. In the list of certificates, look for the one that is self-signed. The Issuer will be the local computer name instead of a Certificate Authority. Right-click it, and click Properties.
  6. On the General tab, clear the Friendly name field, and click OK.
  7. Right-click your Certificate Authority-signed certificate, and try to export it.
  8. On the Export Private Key page, make sure Yes, export the private key is selectable. If the option to export the private key is grayed out, then this certificate will not work. Click Cancel.
  9. Right-click your Certificate Authority-signed certificate, and click Properties.
  10. On the General tab, in the Friendly name field, enter the text vdm, and click OK. Note: only one certificate can have vdm as the Friendly name.
  11. Then restart the VMware Horizon View Connection Server service. It will take several minutes before you can connect to Horizon Administrator Console.
  12. Horizon Console > Monitor > Dashboard > System Health > View > Components > Connection Servers should show the TLS Certificate as Valid.
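
The same certlm.msc steps as a script. This is an added example, not code from the original post or from Omnissa: it finds the CA-issued certificate for this Connection Server in the Local Machine store, verifies the private key is exportable the same way the Export wizard does, moves the vdm friendly name from the old self-signed certificate to the new one, and restarts the Connection Server service. It assumes it runs elevated on the Connection Server, that the certificate is already in Cert:\LocalMachine\My, and that its SAN or subject CN contains the server FQDN or a matching wildcard.

```powershell
# Added example, not from the original post: does the certlm.msc steps above in
# PowerShell. Finds the CA-issued certificate for this Connection Server, verifies
# its private key is exportable, moves the "vdm" friendly name from the old
# (self-signed) certificate to it, and restarts the Connection Server service.
# Assumptions: run elevated on the Connection Server; the certificate is already
# in Cert:\LocalMachine\My; its SAN or subject CN holds the server FQDN or a
# matching wildcard.

$store = 'Cert:\LocalMachine\My'
$fqdn  = [System.Net.Dns]::GetHostByName($env:COMPUTERNAME).HostName
if ($fqdn -notlike '*.*') { throw "Could not resolve an FQDN for this host: $fqdn" }
$domain = $fqdn.Substring($fqdn.IndexOf('.'))      # ".example.com", for wildcard matching

function Test-CertName {
    # True if the SAN or subject CN names this host exactly or via a wildcard
    param($Cert, [string]$Fqdn, [string]$Domain)
    $names = @($Cert.DnsNameList | ForEach-Object { $_.Unicode })
    if ($Cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1] }
    return ($names -contains $Fqdn) -or ($names -contains "*$Domain")
}

function Test-PrivateKeyExportable {
    # Same probe the Export wizard performs: a PFX export fails for a non-exportable key
    param($Cert)
    if (-not $Cert.HasPrivateKey) { return $false }
    try {
        $null = $Cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx, 'probe')
        return $true
    } catch { return $false }
}

$all = @(Get-ChildItem $store)

# Candidate = not self-signed (Issuer differs from Subject), unexpired, names this host
$candidates = @($all | Where-Object {
    $_.Issuer -ne $_.Subject -and $_.NotAfter -gt (Get-Date) -and (Test-CertName $_ $fqdn $domain)
})
if ($candidates.Count -ne 1) {
    throw "Expected exactly one CA-issued certificate for $fqdn, found $($candidates.Count)"
}
$new = $candidates[0]
if (-not (Test-PrivateKeyExportable $new)) {
    throw "Private key of $($new.Thumbprint) is not exportable; Horizon cannot use this certificate"
}

# Only one certificate may carry the friendly name vdm: clear it everywhere else first
foreach ($c in $all | Where-Object { $_.FriendlyName -eq 'vdm' -and $_.Thumbprint -ne $new.Thumbprint }) {
    $c.FriendlyName = ''
}
$new.FriendlyName = 'vdm'

$vdm = @(Get-ChildItem $store | Where-Object { $_.FriendlyName -eq 'vdm' })
if ($vdm.Count -ne 1) { throw "Expected one certificate named vdm, found $($vdm.Count)" }
"vdm -> $($new.Subject) (thumbprint $($new.Thumbprint), expires $($new.NotAfter))"

# Horizon reads the vdm certificate at service start
Get-Service -DisplayName 'VMware Horizon View Connection Server' | Restart-Service -Force
```

The script refuses to change anything if it finds zero or more than one matching CA-issued certificate, or if the private key is not exportable, which are the two conditions that leave the Connection Server with an invalid TLS certificate in the dashboard. As with the manual steps, allow several minutes after the restart before the Horizon Console answers.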

Horizon Portal – Client Installation Link

If you point your browser to the Horizon Connection Server (without /admin in the path), the Install VMware Horizon Client link redirects to the Omnissa.com site for downloading of Horizon Clients. You can change it so that the Horizon Clients can be downloaded directly from the Horizon Connection Server.

  1. On the Horizon Connection Server, go to C:\Program Files\VMware\VMware View\Server\broker\webapps.
  2. Create a new folder called downloads.
  3. Copy the downloaded Horizon Client 2406 for Windows to the new C:\Program Files\VMware\VMware View\Server\broker\webapps\downloads folder.
  4. Run Notepad as administrator.
  5. In Notepad, open C:\ProgramData\VMware\VDM\portal\portal-links-html-access.properties.
  6. Go back to the downloads folder and copy the Horizon Client filename.
  7. In Notepad, modify link.win32 and link.win64 by specifying the relative path to the Horizon Client executable under /downloads. There’s only one Horizon client for both 32-bit and 64-bit. The following example shows a link for the Horizon win64 client.
    link.win64=/downloads/VMware-Horizon-Client-2406-8.13.0-9986028157.exe
  8. Then Save the file.
  9. Restart the VMware Horizon View Web Component service or restart the entire Connection Server.
  10. It will take a few seconds for the ws_TomcatService process to start, so be patient. If you get a 503 error, then the service is not done starting.
  11. Now when you click the link to download the client, it will grab the file directly from the Horizon Connection Server.
  12. Repeat these steps on each Connection Server.
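
The procedure above as a script that can be run identically on every Connection Server. This is an added example, not code from the original post or from Omnissa. It assumes it runs elevated on the Connection Server, that the installer has already been downloaded to the placeholder path in $ClientInstaller, and that the properties file is ASCII as shipped.

```powershell
# Added example, not from the original post: performs the portal-link procedure
# above in PowerShell so it can be repeated identically on every Connection Server.
# Assumptions: run elevated on the Connection Server; $ClientInstaller below is a
# placeholder for wherever you downloaded the Horizon Client; the properties file
# is ASCII, as shipped.

$ClientInstaller = 'C:\Temp\VMware-Horizon-Client-2406-8.13.0-9986028157.exe'   # placeholder path
$downloads = 'C:\Program Files\VMware\VMware View\Server\broker\webapps\downloads'
$props     = 'C:\ProgramData\VMware\VDM\portal\portal-links-html-access.properties'

if (-not (Test-Path $ClientInstaller)) { throw "Installer not found: $ClientInstaller" }
$fileName = Split-Path $ClientInstaller -Leaf

New-Item -ItemType Directory -Path $downloads -Force | Out-Null
Copy-Item $ClientInstaller -Destination $downloads -Force

# Keep a backup, then rewrite only the link.win32 / link.win64 keys
Copy-Item $props -Destination "$props.bak" -Force
$updated = Get-Content $props | ForEach-Object {
    if ($_ -match '^\s*link\.win(32|64)\s*=') { "link.win$($Matches[1])=/downloads/$fileName" } else { $_ }
}
if (@($updated | Where-Object { $_ -like 'link.win64=*' }).Count -ne 1) {
    throw 'link.win64 key not found (or found more than once) in the properties file; not writing'
}
Set-Content -Path $props -Value $updated -Encoding Ascii

# The web component (ws_TomcatService) must reread the file
Get-Service -DisplayName 'VMware Horizon View Web Component' | Restart-Service -Force

# Tomcat needs a few seconds; keep polling while it answers 503
$fqdn = [System.Net.Dns]::GetHostByName($env:COMPUTERNAME).HostName
$url  = "https://$fqdn/downloads/$fileName"
for ($i = 0; $i -lt 24; $i++) {
    try {
        $resp = Invoke-WebRequest -Uri $url -Method Head -UseBasicParsing -ErrorAction Stop
        "HTTP $($resp.StatusCode) for $url"; break
    } catch {
        $code = $_.Exception.Response.StatusCode.value__
        if ($code -eq 503) { Start-Sleep -Seconds 5 }
        else { throw "$url returned ${code}: $($_.Exception.Message)" }
    }
}
```

The final loop is the check a practitioner wants after the restart: a 503 means Tomcat is still starting and is retried, a 200 means the file is served from this server, and a 404 means the downloads folder or the properties edit did not land on the server you are connected to. The request uses the server FQDN over HTTPS, so a TLS error here also tells you the vdm certificate does not match the name.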

Portal Branding

Chris Tucker at Horizon View 7.X – Branding the Logon page details how to brand the Horizon portal page.

LDAP Edits

Mobile Client – Save Password

If desired, you can configure Horizon Connection Server to allow mobile clients (iOS, Android) to save user passwords.

  1. On the Horizon Connection Server, run ADSI Edit (adsiedit.msc).
  2. Right-click ADSI Edit, and click Connect to.
  3. Change the first selection to Select or type a Distinguished Name, and enter dc=vdi,dc=vmware,dc=int.
  4. Change the second selection to Select or type a domain or server, and enter localhost. Click OK.
  5. Navigate to Properties > Global. On the right, double-click CN=Common.
  6. Scroll down, click to highlight pae-ClientCredentialCacheTimeout, and click Edit.
  7. Enter a value in minutes. 0 = no saving of credentials. -1 = saved credentials never expire. Prefer a finite timeout over -1, since a saved password that never expires stays usable from a lost or stolen device. Click OK.

Biometric Authentication – iOS Touch ID, iOS Face ID, Fingerprints, Windows Hello

Biometric authentication, including Touch ID, Face ID, and Fingerprints, is disabled by default. To enable: (source = Configure Biometric Authentication at Omnissa Docs)

  1. On the Horizon Connection Server, run ADSI Edit (adsiedit.msc).
  2. Right-click ADSI Edit and click Connect to…
  3. Change the first selection to Select or type a Distinguished Name and enter dc=vdi,dc=vmware,dc=int.
  4. Change the second selection to Select or type a domain or server and enter localhost. Click OK.
  5. Navigate to Properties > Global. On the right, double-click CN=Common.
  6. Find the attribute pae-ClientConfig and double-click it.
  7. Enter the line BioMetricsTimeout=-1, and click Add. Click OK. The change takes effect immediately.
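
Both ADSI edits above (the mobile credential cache timeout and the BioMetricsTimeout entry) as a script. This is an added example, not code from the original post or from Omnissa, written against the ADSI LDAP provider so the change is repeatable and reviewable. It assumes it runs elevated on a Connection Server, that the Horizon AD LDS instance answers on localhost:389, and that CN=Common sits under OU=Global,OU=Properties,dc=vdi,dc=vmware,dc=int as shown in the ADSI Edit steps; the 1440-minute value is an assumption to adjust to your own policy.

```powershell
# Added example, not from the original post: the two ADSI edits above done with
# PowerShell through the ADSI LDAP provider, so they are repeatable and reviewable.
# Assumptions: run elevated on a Connection Server; the Horizon AD LDS instance
# answers on localhost:389; CN=Common sits under OU=Global,OU=Properties,
# dc=vdi,dc=vmware,dc=int. The change replicates to the other Connection Servers.

function Get-HorizonCommon {
    $common = [ADSI]'LDAP://localhost:389/CN=Common,OU=Global,OU=Properties,DC=vdi,DC=vmware,DC=int'
    try { $null = $common.distinguishedName } catch { throw "Cannot bind to CN=Common in the Horizon LDAP: $_" }
    return $common
}

function Set-MobileCredentialCache {
    # Minutes a mobile client may keep a saved password: 0 = never save,
    # -1 = saved password never expires. A finite value limits exposure on a lost device.
    param([Parameter(Mandatory)][int]$Minutes)
    if ($Minutes -lt -1) { throw 'Minutes must be -1, 0 or a positive number' }
    $common = Get-HorizonCommon
    $common.Put('pae-ClientCredentialCacheTimeout', $Minutes)
    $common.SetInfo()
    return [int]$common.'pae-ClientCredentialCacheTimeout'
}

function Enable-BiometricAuth {
    # pae-ClientConfig is multi-valued; replace any old BioMetricsTimeout= value
    # instead of appending a second one
    $common   = Get-HorizonCommon
    $existing = @($common.'pae-ClientConfig')
    $wanted   = 'BioMetricsTimeout=-1'
    if ($existing -contains $wanted) { return 'already set' }
    $stale = @($existing | Where-Object { $_ -like 'BioMetricsTimeout=*' })
    if ($stale.Count -gt 0) {
        $common.PutEx(4, 'pae-ClientConfig', $stale)       # 4 = ADS_PROPERTY_DELETE
        $common.SetInfo()
    }
    $common.PutEx(3, 'pae-ClientConfig', @($wanted))       # 3 = ADS_PROPERTY_APPEND
    $common.SetInfo()
    return 'set'
}

Set-MobileCredentialCache -Minutes 1440   # assumption: one day, adjust to your policy
Enable-BiometricAuth
(Get-HorizonCommon).'pae-ClientConfig'    # show the resulting multi-valued attribute
```

The biometric function deletes any earlier BioMetricsTimeout= entry before appending, so re-running it does not leave two conflicting values in pae-ClientConfig. Because the attribute lives in the replicated Horizon LDAP, read it back from a second Connection Server to confirm replication rather than editing each server.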

Load Balancing

See Carl Stalhood’s Horizon Load Balancing using Citrix NetScaler.

Remote Desktop Licensing

If you plan to build RDS Hosts, then install Remote Desktop Licensing somewhere. You can install it on your Horizon Connection Servers by following the procedure at https://www.carlstalhood.com/delivery-controller-2402-ltsr-and-licensing/#rdlicensing.

Antivirus

See Omnissa Tech Zone Antivirus Considerations in a VMware Horizon Environment for exclusions covering Horizon View, App Volumes, User Environment Manager, and ThinApp.

Help Desk Tool Timing Profiler

Run the following command to enable the timing profiler on each Connection Server instance to view logon segments in the Help Desk tool. See Omnissa Docs for more info.

vdmadmin -I -timingProfiler -enable

308 thoughts on “Omnissa Horizon Connection Server 2406 (8.13)”

  1. Hi Carl,
    Quick question that maybe you have seen before. Upgraded from 7.13 to 8 (2309). Everything went well as far as I can tell. Clients are zero clients managed through Teradici. Only thing that changed was the Horizon Connection Server version but now, Smart Card authentication does not work for users. The zero clients recognize the smart card being inserted, but it never prompts for PIN and goes directly to username/pw window since we have it set for optional. No errors with Connection Server/Pools/VMs but turning on TRACE reveals “Failing Certificate authentication, bypassing for OPTIONAL mode”. Certificates and chain appear to be correct. Appreciate any help.

      1. Second article was in fact what I see in the logs, however we went to 2309 already and just as a check, I restarted the Security Gateway Component. My certificate settings are set with SID and UPN checked.
        I have an open call with Omnissa, however they are also just as perplexed.

  2. Team

    I have updated from 2312 to 2406 Build 8.13.0 and now when I create a new pool I get the following error.

    Error during Provisioning Initial publish failed: Fault type is AD_FAULT_FATAL – com.vmware.daas.cloneprep.ldap.LdapException: unable to create connection pool, resultCode=82 (local error), errorMessage=An error occurred while attempting to initialize the JAAS login context for GSSAPI authentication: LoginException(Pre-authentication information was invalid (24)), ldapSDKVersion=5.1.3, revision=028e004da97e22a274a4116316a73d0a90526e4b

    Steps :
    1) Opened a support ticket and the response was to do the following:
    Please follow the below KB and implement:
    • Solution 2: Set pae-AdDomainSite to manually specify the correct site.
    • Solution 3: Set pae-AdDomainControllers to the local Domain Controllers only.
    KB: https://kb.omnissa.com/s/article/2147129?lang=en_US

    I want to check with you all before handling the KB. Please let me know if that is the solution.

    1. I had this happen to me when upgrading from 2312 to 2406. I ended up getting it to work by creating another horizon admin account. For some reason, it didn’t like the original account.

  3. Hello Carl!
    After upgrading the Horizon Connection Server from 2306 to 2312.1, whenever the Connection Server or the RDS hosts restart, RDS hosts v8.12 become agent unreachable. The VMware support team can’t figure out what the problem is. Any hint?
    We tried to troubleshoot on CHANGEKEY / ports checking for JMS etc..
    There is no issue with RDS host version 8.10; the issue is only with RDS host version 8.12.

  4. Horizon Portal – Client Installation Link – 404 Errors directly to/from Connection servers.

    Trying to make a small QoL improvement for my users has turned into a rock I wish I never turned over.

    I’ve updated the “portal-links-html-access.properties file, specifically the following lines:

    link.win32=/downloads/VMware-Horizon-Client-2406-8.13.0-9986028157.exe
    link.win64=/downloads/VMware-Horizon-Client-2406-8.13.0-9986028157.exe

    I’ve created the “downloads” directory under C:\Program Files\VMware\VMware View\Server\broker\webapps\ and copied the VMware-Horizon-Client-2406-8.13.0-9986028157.exe installer into this directory.

    I’ve restarted the Horizon server.

    And I’ve completed these steps on all 6 connection servers.

    I’ve even updated the UAG proxy pattern in preparation for it working externally. But I can’t get it to work internally directly to the FQDN of the connection servers, bypassing the internal load balancer.

    Even from the connection server itself, via https://localhost I can’t download the client installer. I receive a 404 error when I click on “Install VMware Horizon Client”

    Is this an issue with 2406?

  5. We have an intermittent issue happening after Horizon connection server restart. Horizon services are up but not functional. The following entries are continuously logged in the Horizon connection server’s logs:

    DEBUG (07F8-1200) [JMSTunnelSSLSocketFactory] Received certificate with subject: cn=router/

    ERROR (07F8-1200) [JMSTunnelSSLSocketFactory] Certificate thumbprint verification failed, no matching thumbprint. Presented identity: router/

    The mentioned certificates are Horizon’s internal certificates, not vdm. Restarting the HCS does not fix the issue. Reinstalling Horizon on the server does fix the issue and absolutely no reconfiguration (i.e. vdm certificate, locked.properties config file) is necessary. So far we’ve found the internal certificates seem to have been renewed 1-2 days before restarting the connection server and observing the issue. We’re running Horizon 2306.

    Anyone ever had such an issue?

        1. Thanks! At least it’s documented. Yesterday I reviewed the logs and found the error, looked at certs.msc and found the VMware tunnel certs expired. I searched the VMware docs for how to renew and didn’t find anything. I searched the internet with the log error and found another post where a gentleman removed AD LDS (features and Server Manager) and removed/installed, so I took this approach. According to the KB I missed a couple of points, but nonetheless it’s back up.
          Thanks for posting the KB!

  6. Carl, can we remove the Horizon admin account from the Global Administrators view for audit purposes? Is there any impact if we remove the Horizon admin account and add a different account from the domain?

    Please reply

  7. Hi Carl,

    After moving from Cisco ASAs to Palos our users are encountering this error VDPCONNECT_CONNECT_TLS while jumping over to the VDI when using Blast.

    My networking team, and Palo support, are not able to observe any issues. The only KB article about this in VMware site is not applicable because it’s not the connection server cert that’s the problem but failing to connect on the 8443 port of the VDI. My assumption is the Palo is interfering/mangling the cert of the tunnel to the user’s machine.

    Thanks for the help!

  8. Hello,
    I’ve just upgraded 23.12.1 to 24.06 and it seems that the local client installation links don’t work anymore and I get a “Not Found” result.
    It seems that ws_tunnelservice.exe is the service filtering this request.
    Has anyone had this issue and maybe a solution?
    Thanks!

    1. same here. Did you ever get a fix?
      I’ve been banging my head into a wall trying to upgrade from 8.10 -> 8.12
      the upgrade runs successful, but after the upgrade it fails to listen on ports 80 and 443. That’s why the localhost url doesn’t work.
      VMware is telling me they believe it’s the AV
      I’m disabling the AV and I’m going to attempt to upgrade again and see what happens.

    2. Well, I have found an (admittedly very hacky) way around this: just move the downloads folder into the portal folder! It’s obviously designed to host the web client and not anything else, but the Connection Server seems not to have any specific rules to check where exactly one goes in that folder, hence the “fix”.

      1. Can you expand on this? You placed the downloads folder into the c:\program files\vmware\vmware view\server\broker\webapps\portal folder?

        I still get the 404 error after trying that simple fix/hack.

  9. We have three vmware horizon windows 2022 connection servers in a cluster. Version 8.12. When we want to update to the latest and first Omnissa 8.13 version, the setup interrupts with an error 1603. Any ideas?

      1. Thanks a lot for your fast response.
        Logs says:

        adamInstUtil: 08/05/24 13:58:38 Begin Logging
        adamInstUtil: 08/05/24 13:58:38 — CA exec: VMCheckExistenceOfSecurityServerEntriesInLDAP
        adamInstUtil: 08/05/24 13:58:38 Attempting LDAP connection to VCS1:389
        adamInstUtil: 08/05/24 13:58:40 LDAP Connect to VCS1:389 OK
        adamInstUtil: 08/05/24 13:58:40 LDAP Bind OK
        adamInstUtil: 08/05/24 13:58:40 — VMCheckExistenceOfSecurityServerEntriesInLDAP() : Search for pae-VDMSecurityServer=1 at OU=Server,OU=Properties,dc=vdi,dc=vmware,dc=int failed: 32 (Objectt not found) -> ?????? Connection Server works flawlessly
        adamInstUtil: 08/05/24 13:58:40 End Logging
        2024-08-05 13:58:43| BootStrapper-build-0| InstallProduct() returned: 1603
        2024-08-05 13:58:43| BootStrapper-build-0| Util_NeedReboot: Checking if we need to reboot
        2024-08-05 13:58:43| BootStrapper-build-0| Did not find file/directory: “C:\Users\admin.ned\AppData\Local\Temp\\vmreboot.tmp”
        2024-08-05 13:58:43| BootStrapper-build-0| The reboot file does not exist
        2024-08-05 13:58:43| BootStrapper-build-0| Did not find file/directory: “C:\Users\admin.ned\AppData\Local\Temp\\vmwareboot.tmp”
        2024-08-05 13:58:43| BootStrapper-build-0| The reboot file does not exist
        2024-08-05 13:58:43| BootStrapper-build-0| Util_NeedReboot: Reboot not needed.
        2024-08-05 13:58:43| BootStrapper-build-0| Returned to [V:\VMWare\View 8.13]
        2024-08-05 13:58:43| BootStrapper-build-0| Cleaning up temp dir “C:\Users\admin.ned\AppData\Local\Temp\VMW2DDD.tmp\”
        2024-08-05 13:58:43| BootStrapper-build-0| Deleting [C:\Users\userxxxx\AppData\Local\Temp\VMW2DDD.tmp\]
        2024-08-05 13:58:43| BootStrapper-build-0| Setup exit code is: 1603
        2024-08-05 13:58:43| BootStrapper-build-0| End Logging

  10. Hi! I am currently experiencing issues with thin clients and horizon, I noticed in the VM horizon GUI, the machine identity is invalid and when I try to login via horizon on the thin clients, there’s a certification issue, I’m not sure how to go about this from here? What am I missing?

  11. Hi guys! After upgrading the Horizon Connection server from 2312 to 2312.1, every day the Connection server randomly becomes unavailable for HTTPS connections and I have to restart the “Horizon View Security Gateway Component” service to restore functionality, but with the downside of disconnecting all clients. I can’t figure out what the problem is. Any hint?

      1. No load balancer, just a connection server that had no problem before the upgrade. Client connections are made through the Blast protocol to the connection server (no direct connection) from clients to VDI. Monitor? Just what is installed by default.

    1. Hi David,
      Have you found a solution for this issue?
      Experiencing the same issue after upgrading 2312.1

      1. Hello Steph,
        Unfortunately, I did not find any solution. In the meantime I updated vCenter to 2406 and set a service restart overnight. I have two separate environments with different hardware architecture experiencing the same issue, one more often than the other.

        1. Thanks David. We have services set to restart as well. Good to know that upgrading 2406 didn’t fix it.

          1. Hi Steph!
            It seems that updating to 2406 actually fixed the problem (it’s already been twelve days with no service restart and no service interruption).

      2. We should pull back to 2312. We had the same problem with 2312.1, after rolling back to 2312 everything got better. The problem is in the openjdk libraries.

  12. Hi

    I am using Palo Alto GlobalProtect in Horizon VDI. Once we log in to VDI using Horizon Client and GP gets connected, we lose the VDI connection from Horizon, as GP installs another network card and connects to their gateway on the internet.

    Basically it creates a VPN.

    Is there any way we can use 2 NICs on the VDI?
    What configuration needs to be made so we never lose the connection on our network used for the Horizon client?

    1. Can you use a SSL connection to GP? With that type of connection there is no IP address exchange so your connection to the VDI remains.

  13. Hello Carl,

    We have Horizon 2303 running on windows server 2016 (CS, Appvolumes and DEM).
    We’re planning a 2022 OS upgrade and we are tempted to go for an in-place upgrade.
    Have you experienced any issues with this kind of upgrade for Horizon components?

    Thank you!

  14. Hi Carl,
    when I run certlm.msc to request a new certificate, it shows that certificate types are not available, unlike your step 3 in the Install Cert Manually part of your guide. How can I fix this? Should I install a CA server on the AD server, generate a CSR from the connection server and import it to the CA server?

    1. Either you don’t have an Enterprise CA, or your computer account doesn’t have access to the certificate templates.

  15. Hello Carl,

    since the update to 2312 we have the problem that both Connection Servers run at 100% CPU. Regardless of whether it is the Server 2012 R2 or Server 2022 operating system, the process is “C:\Program Files\VMware\VMware View\Server\appblastgateway\node.exe”. There are a lot of “Node.js JavaScript Runtime” processes open.

    Does anyone else have the problem?

    Greetings Björn

      1. No, unfortunately not. The problem still exists. I have uninstalled all third-party software and also Endpoint Protection. Only the Connection Server software is still installed. I have also already updated to 2312.1

        1. I have the same issue. We have two CS in replication. I have updated only the first CS to 2312.1. I’ve increased the vCPU from 4 to 6 and the RAM from 8 GB to 12 GB. Now the CPU load is around 85%.
          The old CS with 2111 (4 vCPU and 8 GB RAM) has an average CPU load of less than 10%.

          1. The same issue here. Multiple Node.JS “C:\Program Files\VMware\VMware View\Server\appblastgateway\node.exe” processes.

            Anyone found the solution?

          2. I’m still working on this problem. If you stop the Blast Secure Gateway, the CPU utilization decreases to 3%.
            I found that my certificate on the Connection Server is still SHA1 and I need to renew the certificate of my CA from SHA1 to SHA256, but I still have Microsoft Strong Cryptographic Provider for my CA, so I need to migrate the Certification Authority key from a Cryptographic Service Provider (CSP) to a Key Storage Provider (KSP). I’m not sure that will solve the problem, but I need to do it.

          3. Hi Gianni!

            For some reason couldn’t reply to your latest comment. Can you please ping me in telegram @NikoNazaroff? Maybe together we can find solution faster

          4. Hi Niko,
            I will be back in the office on 8th August, so I’m not able to do any tests for now. I checked that all my Horizon Client users are working (with the Blast protocol) even though I have disabled the Blast Secure Gateway (which works with HTTPS).
            On 9 August I’ve planned the migration of my CA to deploy SHA256 certificate that is mandatory requirements not only for CS.
            I will inform you here after the upgrade if I have solved the problem or not.
            Anyway thanks for your support.

          5. Gianni,

            Got it! We’ll keep in touch then. If I have any progress I’ll let you know too

          6. It’s possible to set up tunneling of Blast user sessions through the CS. Disable it. I sometimes had such a joke after a CS update.

    1. I seem to have found the reason. The certificate I used before was issued by an internal CA. The algorithm may be too old. I did an experiment and replaced it with Godaddy, and the CPU utilization became less than 5%.

  16. Hi Carl,

    I am still getting a 404 error. This had been running fine for a very long time, and stopped suddenly. I have edited the portal-links-html-access.properties on both connection servers, and restarted the VMware Horizon View Web Component on both connection servers.

    Do you have any idea on what else could be causing this?

  17. When upgrading VMware tools on the Connection servers. Does this drop active user connections? Or does this just prevent new sessions while upgrading?

    1. Is the Blast Secure Gateway enabled on your Connection Server? If so, then any network interruption will drop connections going through the Blast Secure Gateway.

  18. Hi Carl

    In my environment we have three Connection Servers with Horizon View 2111 installed, and we configured FSLogix to roam user profiles and O365 settings, including Teams etc.
    Recently I want to upgrade to Horizon 2312 because end users expect to have a permanent disk like a D:\ drive to store their personal documents and SVN files.
    Can I upgrade to 2312 from the current environment directly? I am a little bit afraid about the data of end users which is roamed with FSLogix.
    Do you have a best practice for the upgrade?
    Or could you tell me what I can do for the best upgrade approach to ensure that data can’t be lost during the upgrade process?

    1. You can upgrade directly to 2312 – https://interopmatrix.vmware.com/Upgrade?productId=569

      Microsoft FSLogix is completely separate from Horizon. Are you planning to upgrade the operating system on your Horizon Agent machines? If not, then FSLogix will continue to function.

      Horizon is mostly upgraded in-place. The main exception is Unified Access Gateway, which is a replacement.

      1. Hi Carl,

        Thanks for your answers. I’m not planning to upgrade the Windows OS.
        One more thing I want to confirm: if FSLogix continues to function after the upgrade, is the end users’ profile data still stored on the VHDX disks, or will it be redirected to the new permanent disk?

        Many thanks in advance.
        Kind Regards

  19. Hello Carl,

    It’s a really great article.
    I’ve Installed two Horizon 8 servers, and registered them with a shared DNS record (DNS Round Robin) and modified the client installation link. It works well until the Round Robin redirects the download link to the Replica Horizon 8 server, in this case I get an error 404. I made the necessary modifications on the replica server as well.

    Do you have any idea what might be wrong?

    Horizon Portal – Client Installation Link

    1. Did you modify portal-links-html-access.properties on both servers? Then did you restart the service on both servers?

  20. Hi Carl,
    I am looking for a solution so that the Horizon Client connection to our VMware Horizon environment can only be accessed from company-owned laptops.
    Do you have any advise how to achieve this?
    Many thanks in advance.
    Kind Regards
    Gerard

  21. We are planning to upgrade to Horizon 8 2309 and are seeking compatibility with the old master image, which is running Windows 10 1809.1773.4974 with Agent 8.0 and Horizon Client version 2006.

    Will it be supported on Horizon 8 2309, or do we have to upgrade the desktop OS to the latest version with the new Agent 2309?

    It looks like Client 2006 will be supported on Horizon 2309, but I am not sure about the desktop parent image. Will the old agent be supported with the new Horizon 2309?

  22. Hi, we have recently been plagued with a weird problem. In one of our persistent dedicated VM environments it seems that some users, after a disconnection (where the session is disconnected but the VM is not rebooted and Windows is not logged off), are unable to reconnect. They receive an error "VDPCONNECT_GATEWAY_ERROR: The connection to the remote computer encountered a gateway error." Upon rebooting the VM, or consoling in and restarting the Horizon Blast service, the user is able to connect back in. Anyone have any ideas about this or seen this themselves? They are all currently on 2309; however, we have tried reinstalling the full stack (Tools, Agent, NVIDIA driver), and we've tried downgrading the agents to 2306 and 2303. We've rebooted Connection Servers and UAGs. Just about everything I can think of short of rebuilding the VMs. This does not affect all users who are members of the pool; however, it is very reproducible by disconnecting from the VM and attempting to reconnect.

    1. Hello, I was curious if you ever found out what was causing the "VDPCONNECT_GATEWAY_ERROR" you ran into. I recently brought my test UAGs up to the latest version and I'm running into this. It's kind of inconsistent at the moment. Logging into an Instant Clone pool (where I'm not currently in) throws this error. Others are able to access with no issues.

      1. Unfortunately my answer is the answer nobody loves… it just stopped happening. We theorize it was related to our DCs, as we were in the process of decommissioning 2012 R2 DCs for 2022 DCs, so roles were being shifted around and DCs were going offline and coming online, but we have no proof. Just logged on one week and noticed that there were no reports of the issue.

        1. We used to see that VDPCONNECT_GATEWAY_ERROR error. We theorized that our load balanced UAGs, or more so the F5 front-ending the UAGs, may have inadvertently caused this. The idea was that the user's initial connection was via UAG1. On a subsequent connection the F5 may send this user to UAG2. The session or secure tunnel would tear down since the route for the reconnect wanted to go through UAG1.

          We added a 10-hour "stickiness" to the F5 for connections, so within a 10-hour window the F5 would always send that user's connection to the same UAG.

          Additionally, we changed the Connection Server settings in the UAG: instead of pointing to an internal F5 that front-ends the Connection Servers, we pointed each UAG to a specific Connection Server in the cluster (kind of like we had to do with the old Security Servers). We didn't lose any failover since the F5 in the DMZ would be able to direct traffic should a Connection Server or UAG go down.

          Since making this change we have all but eliminated this specific issue.

        2. Did your issue stop happening on the same version of Horizon, or did you upgrade the UAGs? It seems like since the 2312 agent we have had these VDP Gateway errors as well. We have about 350 users and we get a handful of them weekly. A Horizon Agent Blast service restart typically resolves it, but sometimes we have to restart the VM. We removed 2312 completely, upgraded all Tools to 12.4, then installed the Horizon 2312.1 agent, and we still seem to get them, but not as often as before. Logs make it look network related, but we really haven't changed anything network related, so we are struggling to make this go away. Anyone else battling this as well that may have had some better luck?

    2. Awesome work and very helpful advice. I think this should be a top article for those who have the following errors:
      1. Failed to resolve proxying route for request.
      2. The connection to the remote computer ended.
      3. The connection to the remote computer failed. "It is possible that remote connections are not enabled on the remote computer or that the computer on the network is too busy."
      4. VDPCONNECT_REJECTED: the connection to the remote computer has been refused

      Fix action was as recommended below:
      proxyDestinationUrl=https://cs1.domain.com:443 or Connection Broker IP:443 with sha256=thumbprint
      tunnelExternalUrl=https://uag1.domain.com:443 or UAGIP:443
      blastExternalUrl=https://uag1.domain.com:8443 OR UAG IP:8443
      pcoipExternalUrl=1.1.1.3:4172 UAG IP
      locked.properties file needs to have
      checkOrigin=false
      portalHost.1=UAG DNS or IP without https://
      HTTP(S) Secure Tunnel needs to be unchecked with Horizon Admin Connection Broker Settings
      PCOIP Secure Gateway needs to be unchecked with Horizon Admin Connection Broker Settings
      Do not use Blast Secure Gateway Option needs to be selected under Blast Secure Gateway.
      Reboot Connection Broker.

  23. Hello Carl,

    We're implementing Azure MFA with UAGs on Horizon 2303.
    After MFA authentication the login page (Launching Horizon Client…) remains open for users in the background while the client starts loading. Is there any way we can get rid of this page or have it closed automatically somehow?

  24. We have two different environments: one has version 8.2.0-17736878 (Horizon 8 2103) and the other has version 8.4.0-19828360 (Horizon 8 2111).
    Can both be upgraded to version 2306 directly?

  25. Hello Carl. I have a question. There is a Cloud Pod Architecture consisting of 3 sites, each site has 1 pod. On the first and second sites all Connection Servers are version 2303, and on the third, 2306. On each of the sites a local Automated Desktop Pool (instant clone) is configured; Global Entitlements are also configured for this pool and tied to the local pool on each of the sites. In Global Entitlements, Scope is set to "All Sites". I disable the local pool with Global Entitlements on the third site, connect to any Connection Server of the third site with version 2306 and want to connect to a virtual machine on the sites with version 2303; the error "This desktop is currently not available" appears, although there are prepared free virtual machines there.
    In the log it writes:
    LMV: Attempt to launch DESKTOP for GE Test-poll on SITE (Default-First-Site) unsuccessful, will continue trying. Launch error: null
    LMV: connetion-server1: Initiated desktop launch request for user Test_user, entitlement Test-poll(ID:) from site: XXX, pod: 3_pod, Scope: ANY, Session Distribution policy: NONE
    LMV: connetion-server1: Looking for DESKTOP… Scope: ANY, site: XXXX, pod: 3_pod
    LMV: connetion-server1: Attempting to launch connection on site: XXXX, name: 3_site
    LMV: connetion-server1: Looking for DESKTOP… Scope: SITE, site: XXXX, pod: 3_pod
    LMV: connetion-server1: There are no entitled pods in site XXXX to satisfy the DESKTOP request
    LMV: connetion-server1: Attempting to launch connection on site: , name: 2_site
    LMV: connetion-server1: Launch: Making remote DESKTOP request to SITE XXXX
    LMV: connetion-server1: Attempting to launch connection on site: Default-First-Site, name: 1_site
    LMV: connetion-server1: Launch: Making remote DESKTOP request to SITE Default-First-Site
    Finished processing: desktop-connection, Result: error, Error Code: DESKTOP_LAUNCH_ERROR, Error Message: failed launching connection: , User Message: This desktop is currently not available. Please try connecting to this desktop again later, or contact your system administrator.
    [XmlServlet] (SESSION:XXXXX) End processing: [com.vmware.vdi.broker.xml.ProcessorDesktopConnection@3f6683f4]
    Response 200 OK

    Also, if I connect to a virtual machine on the sites with version 2303, do not shut it down, and then connect from the third site with version 2303, I am given this virtual machine. What could be the problem? Can you tell me where to look?

        1. Thank you for your response. Just a follow-up question. Did VMware end up recommending matching all sites to the same version? In our case, we currently have 2209, and when we upgraded one of the pods to 2309, the above issue occurred. We are waiting to hear from VMware.

          1. In our case, we quickly raised a minimal test infrastructure and performed test updates from 2303 to 2306 and from 2303 to 2309. The problem arose in both cases, until we updated the second pod and the connection appeared, then the third pod. When upgrading from 2306 to 2309 there was no problem.

  26. Hi Carl,
    we have upgraded our test environment from 8.1 to 2212.1 ESB.
    Now we have a True SSO error "Denied by policy module": the enrollment server doesn't connect to the CA to get a cert.
    We have an F5 in between; it was working in 8.1. Is this a known issue? Should we stage the upgrade to an earlier
    version and then upgrade again to 2212.1 ESB?

    1. Double-check the configuration of the certificate template.

      Is your CA dedicated to True SSO? Or is it shared? Did a different CA administrator change something?

      Is your enrollment certificate still valid (not expired)?

  27. Hi, we are running Horizon 7.13 (linked clones) on Windows 2012 R2.
    There is a need to replace the OS with 2019 or 2022. Instead of upgrading Windows and Horizon in place on the existing machine, we are planning to deploy a new one, then perform configuration and testing first (Instant Clone), then perform a cutover once testing is done. Do you think this is practical and doable?

    1. Since you haven’t converted to Instant Clones yet then it probably doesn’t matter if you build a new pod or simply swap servers in the existing pod. To test the new pod, it will need a new DNS name, or you can modify the HOSTS file on the test client machines.

  28. Hi,

    Do you recommend going from 2212 to 2303 and then to 2306?

    I went from 2212 directly to 2306 and it was a disaster, had to revert to my snapshots.

    Thank you

      1. True SSO was not working anymore,
        and after rebooting the Connection Servers I was not able to log in anymore; it was not showing me the domain under the login prompt.

        1. So, here's what I did, in case somebody faces the same problems.

          Updated 2212 to 2212.1
          Updated from 2212.1 to 2303
          Updated from 2303 to 2306

          I made a snapshot at each step, and everything is working fine now.

  29. Hi, Carl
    we have migrated our two Horizon 2006 Connection Servers to version 2303.
    We have only one instant clone pool; everything seems to work, but when we disconnect a VM or we "maintain" the pool with the new image (with the updated agent) we get this error:
    Error during Provisioning Cloning of VM VD-xx55 has failed: Fault type is AD_FAULT_FATAL – com.vmware.daas.cloneprep.ldap.LdapException: unable to create connection pool, resultCode=82 (local error), errorMessage=An error occurred while attempting to initialize the JAAS login context for GSSAPI authentication: LoginException(KDC has no support for encryption type (14)), ldapSDKVersion=5.1.3, revision=028e004da97e22a274a4116316a73d0a90526e4b

    The previous version works with no problem, maintain, new pool, and so on.
    We have a single site AD with 2 domain controllers.

    Any suggestion?
    Thanks.

      1. Hi Carl,

        I have the same issue, but I have a new service account created and have followed these articles https://kb.vmware.com/s/article/2012377 and https://kb.vmware.com/s/article/2147129 with no luck. However, Connection Server 1 is missing this entire folder "VDM" – C:\ProgramData\VMware\"VDM"

        Publish Error: Fault type is AD_FAULT_FATAL – com.vmware.daas.cloneprep.ldap.LdapException: unable to create connection pool, resultCode=82 (local error), errorMessage=An error occurred while attempting to initialize the JAAS login context for GSSAPI authentication: LoginException(Client not found in Kerberos database (6)), ldapSDKVersion=5.1.3, revision=028e004da97e22a274a4116316a73d0a90526e4b

        Any thoughts?

      1. Yes – following Carl's suggestion (we had a VMware case open for 1 month but they gave us other non-resolutive fixes…).
        Here are the steps:
        1 – create a new AD account following VMware KB 92285
        2 – add this account to Horizon Console and create a test pool that uses it.
        3 – in the 2006 version you CANNOT edit the AD account for the instant clone domain join in the web interface, so you need to edit it on the Connection Server manually with ADSIedit (be sure to take a backup with vdmexport > backup.LDF
        and snapshot the Connection Servers before)
        4 – in ADSIedit go to OU=Server Groups -> CN="your TEST pool name" and look for pae-NgvcAdDN – copy the CN=xxxx (it is the ID of the new AD user)
        5 – then go to OU=Server Groups -> CN="your PRODUCTION pool name" and look for pae-NgvcAdDN (copy all the content of the field for backup purposes and replace only the CN with the new one)
        6 – restart Horizon services or reboot the Connection Server (if you have replica Connection Servers you need to edit only once…)
        That's it.

        1. Thank you for your feedback.

          I found the settings after connecting to the right destination in ADSI edit. Going to try.

          1. Basically you need to change the AD user Horizon uses to join VDs to the domain (as VMware says here: https://kb.vmware.com/s/article/92285).
            In order to do so, you need to manually change the CN=xxxx parameter of the pool through ADSIedit.
            But to know which CN=xxxx corresponds to the new user, you must add a test pool with the new account to see it in ADSI Edit.

  30. I'm running Horizon 8 2111.1 on Server 2019. I want to move to 2212 ESB and install Connection Server and RDSH hosts on Server 2022. I just finished deploying a new vCenter cluster. I've migrated all VMs but Horizon onto the new cluster. Both clusters are on the same network subnet but are two separate vCenters.
    I’m fine with setting up Horizon from scratch on the new cluster but I wasn’t sure if this would cause any issues. If I install connection server on a VM in the new cluster, will it cause any issues with the existing Horizon environment?
    What is the best approach here?
    Thanks
    These guides have been a tremendous help over the years.

    1. You could add a second vCenter to your existing Connection Server. Or you can build a new pod of Connection Servers. Multiple pods can share a single vCenter server if that’s what you’re asking.

  31. I am planning to upgrade OS on my Connection servers (running version 2211) from Windows 2016 to 2019. What would be the correct procedure? Can I just do the in-place upgrade? I would appreciate your suggestions.
    BTW, I have always followed your BLOG to implement my Connection servers to the environment and they are running solid from the day one. Thank you in advance.

    Regards,
    Sayed Ahmad

    1. I would add a Replica server, reconfigure the load balancer to send traffic to the new server instead of the old server, and then remove the old server. If any UAGs connect directly to the old server, then reconfigure the UAGs too.

      Another option is to power off the old server and rebuild it from scratch with the new OS but same name as old. Then install Connection Server Replica.

  32. Out of interest, obviously manually uninstalling DEM from around 5k machines is not an option. Is there a preferred method to achieve the uninstall and then agent upgrade across these machines?

  33. Hi Carl!
    Help please! I have a problem with my Connection Server: I set the "Smart card authentication for administrators" flag in the web admin to Required and now I can't open that web admin 🙁 Restoring from a previous backup didn't help 🙁
    Maybe you know where Horizon CS stores that setting in the filesystem?
    Thank you!

    1. Settings are usually stored in LDAP. I’m not sure where you can find that setting in adsiedit.msc.

      1. Did you try to enable smart card auth only for admins but not for users? I tried to set Not Allowed for users and Required or Optional for administrators, but when I connect to the CS via the Client app it asks for a smart card. Why is this happening? I don't need smart card auth for internal users.

        1. Have you fixed this issue? Were you able to require smart card auth for admins in the Horizon admin console but not for users (no certificate prompt in Horizon Client)?

      2. I found the setting. For STIG compliance, admin console login must be set to Smart Card Required. But if there are issues with your PKI environment, how do you change it if you can't authenticate to the console? Carl is right. It's in adsiedit.msc. Connect using Carl's steps above in the article. Go to Properties > Server. Double-click a CN= to get to its Properties. Find pae-CertAuthAdmin and click Edit. Change the setting to 0 or 1. Setting 0 is "Not Allowed". Setting 1 is "Optional". And setting 2 is "Required". Bounce the Horizon server services and you will be able to log in explicitly to the Horizon Admin Console.
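  The pae-NgvcAdDN procedure in comment 29 and the pae-CertAuthAdmin fix in this comment both edit attributes in the Connection Server's internal LDAP. The PowerShell below is an added example, not the article's or any commenter's code, that performs both edits with a vdmexport backup first; it assumes it runs on a Connection Server as a Horizon administrator, and the vdmexport.exe path, the DN layout under DC=vdi,DC=vmware,DC=int, the pool IDs and the wsbroker service name are assumptions rather than values from the page.

```powershell
# Added example: edit Horizon's internal LDAP (ADAM on the Connection Server) from PowerShell
# instead of adsiedit.msc. Assumptions: run on a Connection Server as a Horizon administrator;
# vdmexport.exe path, DN layout and the 'wsbroker' service name are assumed, not from the page.
$LdapBase  = 'LDAP://localhost:389'
$VdmExport = 'C:\Program Files\VMware\VMware View\Server\tools\bin\vdmexport.exe'   # assumed path

function Backup-HorizonLdap {
    param([string]$Path = "$env:TEMP\horizon-$(Get-Date -Format yyyyMMdd-HHmmss).ldf")
    # Same safety net comment 29 takes before editing (vdmexport > backup.LDF)
    & $VdmExport -f $Path
    if ($LASTEXITCODE -ne 0) { throw "vdmexport failed with exit code $LASTEXITCODE" }
    return $Path
}

function Get-HorizonEntry {
    param([Parameter(Mandatory)][string]$Dn)
    $path = "$LdapBase/$Dn"
    if (-not [System.DirectoryServices.DirectoryEntry]::Exists($path)) { throw "Not found: $Dn" }
    return [ADSI]$path
}

function Copy-HorizonCloneJoinAccount {
    # Comment 29: a test pool created with the new account carries its CN=...; put only that
    # CN into the production pool's pae-NgvcAdDN and keep the rest of the value unchanged.
    param([Parameter(Mandatory)][string]$TestPoolId, [Parameter(Mandatory)][string]$ProdPoolId)
    $suffix = 'OU=Server Groups,DC=vdi,DC=vmware,DC=int'
    $newCn  = ([string](Get-HorizonEntry "CN=$TestPoolId,$suffix").Properties['pae-NgvcAdDN'].Value -split ',', 2)[0]
    if (-not $newCn) { throw "Test pool $TestPoolId has no pae-NgvcAdDN value" }
    $prod  = Get-HorizonEntry "CN=$ProdPoolId,$suffix"
    $old   = [string]$prod.Properties['pae-NgvcAdDN'].Value
    $parts = $old -split ',', 2
    $new   = if ($parts.Count -eq 2) { "$newCn,$($parts[1])" } else { $newCn }
    Write-Host "pae-NgvcAdDN on $ProdPoolId`n  old: $old`n  new: $new"
    $prod.Put('pae-NgvcAdDN', $new)
    $prod.SetInfo()
    return $old   # keep the previous value for rollback
}

$CertAuthAdminNames = @{ 0 = 'Not Allowed'; 1 = 'Optional'; 2 = 'Required' }   # values from comment 33

function Set-HorizonCertAuthAdmin {
    # Comment 33: the admin-console smart card requirement is pae-CertAuthAdmin on each CN=
    # under OU=Server,OU=Properties; lowering it to 0 or 1 restores console login when PKI is broken.
    param([Parameter(Mandatory)][ValidateRange(0, 2)][int]$Value, [switch]$RestartService)
    $ou = Get-HorizonEntry 'OU=Server,OU=Properties,DC=vdi,DC=vmware,DC=int'
    foreach ($server in $ou.Children) {
        $current = $server.Properties['pae-CertAuthAdmin'].Value
        $label   = if ($null -eq $current) { 'unset' } else { $CertAuthAdminNames[[int]$current] }
        Write-Host "$($server.Name): $current ($label) -> $Value ($($CertAuthAdminNames[$Value]))"
        $server.Put('pae-CertAuthAdmin', "$Value")
        $server.SetInfo()
    }
    if ($RestartService) { Restart-Service -Name wsbroker }   # assumed service name; "bounce" as in comment 33
}

# Usage: back up first, then apply whichever edit you need.
$backup = Backup-HorizonLdap
Write-Host "LDAP backup written to $backup"
# Copy-HorizonCloneJoinAccount -TestPoolId 'TestPool' -ProdPoolId 'ProdPool'
# Set-HorizonCertAuthAdmin -Value 1 -RestartService
```

With replica Connection Servers the LDAP edit replicates, so it is made once, as comment 29 notes.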

  34. At the client, when connecting to the Connection Server the SSL cert is verified; however, after the user's smart card credentials are entered an "SSL error occurred" message is thrown. I followed the keystore guide from the VMware KB and restarted the service but it did not fix it. What could be a possible cause of this?

  35. Hi,
    I have a design question:
    We have two Connection Servers and no UAG. We use a load balancer from Barracuda to load balance the two Connection Servers.
    Do we have to use one certificate for all three instances (horizon.company.xx for CS1+CS2+LB)?
    Right now we have three different certificates. I've added all three hosts to locked.properties. Access to the Horizon Admin console works fine, but when I try to open a Blast session to a VM I get the failure:
    The host name in the certificate is invalid or does not match

    1. In the UAG config under Edge Settings > Horizon Settings is the Blast URL. This URL should resolve to your load balancer VIP that has a certificate that matches the URL.

      Another option is for each UAG to send Blast traffic to itself, but this would require three public IPs for the load balancer plus each UAG appliance instead of just one public IP for the load balancer.

        1. In Horizon Console, go to Servers > Connection Servers. Edit one. There’s a field for Blast Secure Gateway. What is the URL? If the Blast Secure Gateway is enabled then the certificate on the Connection Server must match that URL. Normally Blast Secure Gateway is not enabled since UAG is doing it instead.

  36. The Certificate Management section is grayed out for me. So when I go to Administrators to add the "Role Privileges" and click Add, I don't have the privilege for certificate management. Is there a way to create new privileges so I can manage my certificates?

  37. I need to migrate the standard Connection Server from a Windows Server 2012 OS to 2019. Can I create a replica of the 2012 Connection Server, or does the new 2019 server need to be a standard deployment? We have another Connection Server that used the 2012 standard to replicate from as well. If I have to use standard for the 2019 OS build-out, does that also mean I need to replicate the other Connection Server off the new 2019 standard?

  38. Should there be a shared DNS entry for the Horizon server address for the two Connection Servers?

    For example.
    A record: connectionserver1.domain.com IP address
    A record: connectionserver2.domain.com IP address
    A record: examplevdi.domain.com IP address

    Thanks,
    Scott

    1. examplevdi should point to a load balancer VIP. If you don’t have a load balancer, then you can try creating examplevdi twice with each Connection Server IP and rely on DNS Round Robin.

      1. We are currently using the built-in HA features for UAGs and a primary Connection Server and a replica Connection Server. No load balancer. We had the primary Connection Server go down and connections failed to the replica. Started digging into DNS and found we never added an entry for examplevdi.domain.com for the replica server.

        So two records pointing to examplevdi.domain.com. 1 for the connection and a 2nd for the replica correct?

        Thanks!

        1. Two DNS records for the same FQDN are usually DNS Round Robin. Note that DNS servers don't monitor whether an IP address is reachable or not, so if a server goes down then half the DNS requests will go to an inaccessible IP address. Load balancers monitor the servers.

          1. So if a primary connection server goes down and there is no load balancer then manual intervention should happen by changing the DNS record to point to the replica? Or is there a better way to go about it?

          2. Correct. Load balancer is the best option. Citrix NetScaler ADC has an Express Edition that is free.
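  The thread above notes that DNS Round Robin keeps handing out a failed Connection Server's IP and that, without a load balancer, the record has to be changed by hand. As an added example, not from the article or its commenters, this PowerShell automates that manual step on a Windows DNS server: it probes each Connection Server on TCP 443 and publishes only the healthy IPs for examplevdi. Zone, names and IPs are constructed placeholders, and treating an answering port as healthy is an assumption.

```powershell
# Added example: keep a DNS Round Robin record in step with Connection Server health.
# Assumptions: runs on a Windows DNS server (DnsServer module); zone, record name and IPs are
# constructed placeholders; a Connection Server answering on TCP 443 is taken as healthy.
Import-Module DnsServer

$ZoneName          = 'domain.com'                    # placeholder, from the comment's example
$RecordName        = 'examplevdi'
$ConnectionServers = @('192.0.2.11', '192.0.2.12')   # constructed sample IPs (documentation range)

function Test-ConnectionServer {
    param([Parameter(Mandatory)][string]$IPAddress)
    # The check DNS itself never performs: is anything listening on the HTTPS port?
    return Test-NetConnection -ComputerName $IPAddress -Port 443 -InformationLevel Quiet -WarningAction SilentlyContinue
}

function Sync-RoundRobinRecords {
    param([string[]]$Servers = $ConnectionServers)
    $healthy = @($Servers | Where-Object { Test-ConnectionServer $_ })
    # Never publish an empty record set; an outage of every server is for a human to handle
    if ($healthy.Count -eq 0) { throw 'No healthy Connection Server; leaving DNS untouched' }

    $published = @(Get-DnsServerResourceRecord -ZoneName $ZoneName -Name $RecordName -RRType A -ErrorAction SilentlyContinue |
                   ForEach-Object { $_.RecordData.IPv4Address.IPAddressToString })

    foreach ($ip in $published | Where-Object { $_ -notin $healthy }) {
        Write-Host "Removing $RecordName -> $ip (unreachable)"
        Remove-DnsServerResourceRecord -ZoneName $ZoneName -Name $RecordName -RRType A -RecordData $ip -Force
    }
    foreach ($ip in $healthy | Where-Object { $_ -notin $published }) {
        Write-Host "Adding $RecordName -> $ip (healthy)"
        # Short TTL so clients stop using a removed address quickly
        Add-DnsServerResourceRecordA -ZoneName $ZoneName -Name $RecordName -IPv4Address $ip -TimeToLive ([TimeSpan]::FromMinutes(1))
    }
    return $healthy
}

Sync-RoundRobinRecords
```

Run it from a scheduled task at a short interval; it is a stopgap until a load balancer with real health monitors, which Carl recommends above, is in place.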

  39. I’m running two Horizon 8 (2111) connection servers and I noticed that all space reclamation operations are initiated by the same connection server (the “2nd one”, i.e. CS02), according to the event database.
    Is this normal behaviour?
