UAG Files: Not using the right proxy pattern breaks HTML view-client

While working on a Workspace ONE project we were implementing Unified Access Gateways (UAG) for untrusted connections to reach the workspace. Untrusted connections could be Wifi or the big bad interweb. They have two routes: the first, for all users, reaches the Workspace aka Identity Manager (vIDM Proxy and vIDM) for authentication and choosing the entitlements; the second, after selecting a desktop, uses a tunneled UAG to connect to the Horizon desktop resources. With the latter the user has the option to select the Horizon Client or the browser; both are allowed and should reach the desktop. Do we hear a should? Yes, should. The Horizon client is connecting to the desktop, so an okay here. When using the HTML Web client we were greeted with a 404 error. Hey, wait?!?

Next steps: get out the violin and start investigating.

Sherlock investigate UAG


Blog Search Queries answers: EUC Unified Access Gateway default password

I have seen some search terms on this site lately involving the same query as described in the title of the article: the EUC Unified Access Gateway (UAG) default password. I would like to answer those queries in this post. And to be short, direct and for some blunt, there isn’t any default. You will have to set the password of root and the password of admin in the deployment of the UAG appliance, or change it via VAMI or the Admin console. I have done this myself a couple of times, with all sorts of VMware appliances, but the main thing for UAG, AP and IDM is that redeployment is much easier than trying to fix issues (and is stable, saves hassle and breaking heads). But what you would like if something goes amiss with deployment or changing, probably regarding some required special characters of admin, is to use some of the options to regain access to the system and try to find out what went wrong (we want to know the why, don’t we?!?). If you have worked out the why with the option of regaining access, it is still advisable to redeploy with that knowledge. The procedures for resetting the passwords of root and admin are described in the rest of the article. You might just need the admin procedure if your root password is known and working.


vROPS: Upgrading vROPS for Horizon 6.5 and vROPS 6.6

As announced at https://blogs.vmware.com/euc/2017/09/vrealize-operations-for-horizon-published-apps-6-5.html vROPS for Horizon 6.5 was released on 21 September. Next to some expected improvements, there are two bonuses to this upgrade:
– one, you can upgrade to vROPS 6.6 which was not supported with vROPS for Horizon 6.4.
– two, you can use NVidia Virtual GPU Management Pack to get some long wished insights of GPUs in the Horizon environments. This one I will describe in a later blog post.
– And maybe three, support for the current App Volumes versions and Unified Access Gateways. They were working in vROPS for Horizon 6.4, but not with supported versions.

The starting point to go to vROPS for Horizon 6.5 is either green-fielding to vROPS for Horizon version 6.5, in which case you don’t need this blog post; or starting with a current version of vROPS for Horizon 6.4 and wanting to upgrade. Upgrading to vROPS for Horizon 6.5 is step one, upgrading to vROPS 6.6 is optional but highly recommended. Both will be described in this blog post.


NSX for Desktop: Jumpstart microsegmentation with Horizon Service Installer fling

 

We fortunately see a lot more NSX with EUC deployments. Used for microsegmentation of the virtual desktop infrastructure, virtual desktop security protection and load balancing of the workspace components (see my previous post here: https://www.pascalswereld.nl/2017/06/09/euc-layers-horizon-connectivity-from-nsx-load-balancers-with-love/).

I want to focus a bit on the microsegmentation and mainly on the NSX service profiles, groups and standard set of rules for EUC with VMware Horizon. Currently neither NSX for Desktop nor Horizon ships with a prepared set to use. Well, the Horizon suite does not ship with NSX in any form, which is still a miss in my humble opinion. It can be a little difficult, I know.

This blog post will try to focus on what is expected to be part of your desktop environment, the Horizon components, and their NSX rules. Focusing on static Horizon services, static Infrastructure services and dynamic applications based on group membership. And using a fling to get them in your environment. I also have added more services and rules to the fling configuration file, and put up a github project to manage these changes. You can download an updated yml file from there, details a little later on so do read or scroll ahead ;). This is a work in progress as I am also just working on it in my current project.


Horizon 7.2: With a little helpdesk from my friends

On June 20th the latest version of Horizon was released, namely Horizon 7.2. The highlights of this release include the added Horizon Help Desk tool, and general availability of Skype for Business enhancements in the Horizon environment to enable Horizon users to use Skype in a production environment. You can for example find the VMware Virtualization Pack for Skype in the Horizon Agent installer.

Both features are what organizations often asked about, so it is good that these are included in this release. Other somewhat important are the usual upgrade release updates, scale and product interoperability improvements. As expected and delivered, nothing fancy here.

Helpdesk Login


vRealize Log Insight broadening the Horizon: Active Directory integration deploy VMware Identity Manager

At a customer I am working on the design of vRealize Log Insight. With the authentication objective we can choose from the sources local, Active Directory or VMware Identity Manager. In the latest release (4.5) it is clearly stated that authentication configuration of Active Directory directly from Log Insight is deprecated.

Deprecated vRLI

Edit: Unlike some previous information going around, Active Directory from Log Insight directly is still supported. Quote from updated VMware Knowledge base article: Although direct connectivity from VMware vRealize Log Insight to Active Directory is still supported in Log Insight 4.5, it may be removed in a future version.

But I think it will still be very beneficial to move to vIDM sooner than later.


VCAP-DTM Deploy Achievement Unlocked with some exam time management tips for you

After my exam earlier was postponed due to some problems between Pearson VUE and VMware Lab communications, I did my VCAP-DTM deploy last Friday. And it was a pass on the first attempt 🙂 Woohoo.

The exam is a whopping 3,4 (or somewhat with 205 minutes) hours getting through tasks where time management is the most important piece. Well next to actually knowing what you need to be doing. I missed some questions in the end, but 30 questions seem to be enough to barely pass. I was a bit slow as deployment is something I do differently in real life, irritated about the backspace not working (arrow del key combination is not my cookie) while my Pavlov keeps hitting that key and in the last part of the exam I had to keep pushing radio buttons several times before they got active.

VCAP Passed


EUC Layers: Horizon Connectivity or From NSX Load Balancers with Love

Another layer that will hit your end users is the connectivity from the client device to the EUC solution. No intermittent errors allowed in this communication. Users very rarely like "connection server is not reachable" pop-ups. Getting your users securely and reliably connected to your organization’s data, desktops, and applications while guaranteeing connection quality and performance is key for any EUC solution. For a secure workspace protecting and reacting to threats as they happen even makes software-defined networking more important for EUC. The dynamic software is required. And that all for any place, any device, and anytime solution. And if something breaks well….

Rest of the fire

One of the first things we talk about is the need to reliably load balance several components as they scale out. And for not getting into all the networking bits in one blog post, I am sticking with load balancing for this part.

As Horizon does not have a one package deal with networking or load balancing, you have to look at using an add-on to the Horizon offering or outside the VMware Product suite. Options are:

  • interacting with physical components,
  • depending on other infrastructure components such as DNS RR (that is a poor man’s load balancing) preferably with something extra like Infoblox DNS RR with service checks,
  • using virtual appliances like Kemp or NetScaler VPX. VPX Express is a great free load balancer and more.
  • Specific Software-Defined Networking for desktops, using NSX for Desktop as an add-on. Now instantly that question pops up why isn’t NSX included in, for example, Horizon Enterprise like vSAN? I have no idea but it probably has something to do with money (and cue Pink Floyd for the earworm).

And some people will also hear about the option of doing nothing. Nothing isn’t an option if you have two components. At a minimum, you will have to do a manual or scripted way of redirecting your users to the second component when the first hits the load mark, needs maintenance or fails. I doubt that you or your environment will remain long loved when trying this in a manual way…..

The best fit all depends on what you are trying to achieve with the networking as a larger picture or for example load balancing specifically. Are you load balancing the user connections to two connection servers for availability, doing tunneled desktop sessions, or doing a cloud pod architecture over multiple sites and thus globally? That all has to be taken into account.

In this blog post, I want to show you using NSX for load balancing connection server resources.

Horizon Architecture and load balancers

Where in the Horizon architecture do we need load balancers? Well, the parts that connect to our user sessions and are scaled out for resources or availability. We need them in our local pods and global load balancers when we have several sites.

Externally:

  • Unified Access Gateway (formerly known as Access Point)
  • Security Server (if you happen to have that one lying around)

Internally:

  • Workspace ONE/vIDM.
  • Connection Servers within a Pod, with or without CPA. However, with CPA we need some more than just local traffic.
  • AppVolumes Managers.

And maybe you have other components to load balance, such as multiple vROPS analytical nodes for user interface load not hitting one node. As long as the node the Horizon for adapter connects to or from is not load balanced.

Load Balancers

To improve the availability of all these kinds of components, a load balancer is used to publish a single virtual service that internal or external clients connect to. For example, for the connection server load balanced configuration, the load balancer serves as a central point for authentication traffic flow between clients and the Horizon infrastructure, sending clients to the best performing and most available connection server instance. I will keep the lab a bit simple by just load balancing two connection server resources.

Want to read up more about load balancing CPA? EUC Junkie Bearded VDI Junkie vHojan (https://twitter.com/vhojan) has an excellent blog post about CPA and impact of certain load balancing decisions. Read it here https://vhojan.nl/deploy-cpa-without-f5-gtm-nsx/.

For this one here, on to the Bat-Lab….

Bat-Labbing NSX Edge Load Balancing

Let’s make the theory stick and get it up and running in a Horizon lab I have added to Ravello. Cloned from an application blueprint I use for almost all my Horizon labs and ready for adding a load balancing option NSX for Desktop. The scenario is load balancing the connection servers. In this particular example, we are going one-armed. This means the load balancer node will live on the same network segment as the connection servers. Start your engines!

Deploying NSX Manager

How do you get NSX in Ravello? Well, either deploy it on a nested ESXi or use the import method to deploy NSX directly on Ravello Cloud AWS or GC. I’m doing the last. As you did not set a password you can log in to the manager with user admin and password ‘default’.
That is the same password you can use to go to enable mode, type enable. And if you wish config t for configuration mode. Flashback to my Cisco days :))….In configuration mode, you can set hostnames, IP and such via CLI.
But the easiest way is to type setup in basic/enable mode. Afterwards, you should be able to login via the HTTPS interface. Use that default password and we are in.

NSX - vTestlab

Add a vCenter registration for allowing NSX components to be deployed. On to the vSphere Web Client. At this point you must register an NSX license else you will fail to deploy the NSX Edge Security Gateway Appliance.

Next prepare the cluster for a network fabric to receive the Edges. Go to Installation and click the Host Preparation tab. Prepare hosts in your cluster you want to deploy to (and have licensed for VDI components or NSX for Desktop is no option). Click on actions – install when you are all set.

NSX - Prepare Host

For this Edge Load Balancer services deployment, you don’t need a VXLAN or NSX Controller. So for this blog part, I will skip this.

Next up deploying an NSX Edge. Go to NSX Edge and click on the green cross to add. Fill in the details, configure a minimum of one interface (depending on the deployment type) as I am using a one-arm – select the pools, networks and fill in the details. In production, you would also want some sort of cluster for your load balancers, but I have only deployed one for now. Link the network to a logical switch, distributed vSwitch or standard vSwitch. I have only one, so the same network standard vSwitch. Put in the IP addresses. Put in a gateway and decide on your firewall settings. And let it deploy the OVA.

If you forgot to allow for nested in /etc/vmware/config, you get a "You are running VMware ESX through an incompatible hypervisor" error. Add vmx.allowNested = "TRUE" to that file on the ESXi host nested on Ravello. Run /sbin/auto-backup.sh after that. If you retry the deployment this will normally work.

Load Balancing

We have two connection servers in vTestLab

Connection Servers

Go back to the vSphere web client and double-click the just created NSX edge. Go to Manage and tab Load Balancer. Enable the Load Balancer.

Horizon LB - Enable Global

Create an Application Profile. For this configuration, I used an SSL pass-through for HTTPS protocol with SSL-Session persistence in the below example. The single threaded NSX isn’t really suitable for SSL offloading here. But I should have read the documentation a bit better as source IP is documented. Testing shows the source IP persistence works better. Probably SSL sessions are reinitiated somewhere along the line, and SSL-sessionid gives you a new desktop more often than with source IP.

For this setup, you can leave the default HTTPS service monitor. Normally you would also want to have service checks on for example the Blast gateway (8443) or PCoIP (4172) if components use this.
Next setup your pool to include your virtual servers (the connection servers) and the service check, monitor port, and connections to take into account.

NSX Hor Pool Detail

Next up create the virtual server with the load balancing VIP and match that one to the just created pool.

Virtual Server

After this look at the status and select pool

NSX Pool Status.png

Both are up.
You can now test if an HTTPS to 10.0.0.12 will show you the connection server login page.

Connected.png

Connected. Using HTML Access will fail with an error connecting to the connection server (Horizon 7.1) as I did not change the origin checking. You can disable this protection by adding the following entry to the file locked.properties (C:\Program Files\VMware\VMware View\Server\sslgateway\conf) on each connection server:

balancedHost=URL via loadbalancer such as vdi.euc.nl
portalHost.1=UAG FQDN
portalHost.2=UAG FQDN
portalHost.3=UAG FQDN
checkOrigin=false

Restart the VMware Horizon View Connection Server service.
And of course, you would add a DNS record to 10.0.0.12 to let your users use the connection to the connection servers, like vdi.vtest.lab. And use an SSL certificate with that name.
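
A check for the locked.properties change above, added here as an example and not taken from the original post or from VMware: it parses the file and flags checkOrigin=false, template text left in balancedHost or portalHost.N, and a missing balancedHost. The uag0x host names, the bare host name rule, the severity labels and the idea that listed hosts allow origin checking to stay enabled are assumptions of this example.

```python
import re

# Assumption: host entries are bare DNS names, with no scheme, port or path.
FQDN = re.compile(
    r"^(?=.{1,253}$)([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}$"
)
HOST_KEY = re.compile(r"^(balancedHost|portalHost\.\d+)$")

# Constructed samples; the uag0x names are made up for the example.
ORIGIN_CHECK_OFF = """\
balancedHost=vdi.vtest.lab
portalHost.1=uag01.vtest.lab
portalHost.2=uag02.vtest.lab
checkOrigin=false
"""

ORIGIN_CHECK_ON = """\
# load balancer and gateways listed, origin checking left at its default
balancedHost=vdi.vtest.lab
portalHost.1=uag01.vtest.lab
portalHost.2=uag02.vtest.lab
"""

TEMPLATE_LEFT_IN = """\
balancedHost=https://vdi.vtest.lab/
portalHost.1=UAG FQDN
checkOrigin = FALSE
"""


def parse_properties(text):
    """Parse simple key=value lines; '#' and '!' start a comment line."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()  # last occurrence wins
    return props


def audit(text):
    """Return (severity, key, message) findings for one locked.properties."""
    props = parse_properties(text)
    findings = []

    # An absent key is treated as "origin checking enabled" (assumption);
    # any casing of "false" is conservatively treated as disabled.
    origin_check_on = props.get("checkOrigin", "true").lower() != "false"
    if not origin_check_on:
        findings.append(("HIGH", "checkOrigin",
                         "origin checking is disabled for every client"))

    hosts = {k: v for k, v in props.items() if HOST_KEY.match(k)}
    valid = 0
    for key in sorted(hosts):
        if FQDN.match(hosts[key]):
            valid += 1
        else:
            findings.append(("MEDIUM", key,
                             f"value {hosts[key]!r} is not a bare host name"))

    if origin_check_on and "balancedHost" not in hosts:
        findings.append(("INFO", "balancedHost",
                         "not set; HTML Access via the load balancer name "
                         "is expected to fail the origin check"))
    if not origin_check_on and hosts and valid == len(hosts):
        findings.append(("INFO", "checkOrigin",
                         "hosts are listed; test whether checkOrigin=false "
                         "can be removed"))
    return findings


if __name__ == "__main__":
    samples = {"off": ORIGIN_CHECK_OFF, "on": ORIGIN_CHECK_ON,
               "template": TEMPLATE_LEFT_IN}
    for name, sample in samples.items():
        print(name)
        for severity, key, message in audit(sample):
            print(f"  [{severity}] {key}: {message}")
```

Run it against a copy of the file from each connection server; differing results between servers behind the same VIP are themselves worth investigating.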

Now the last check if the load balancing is working correctly. I kill off one of the connection servers.

Man down

And let’s see what the URL is doing now:

Admin after man down

Perfect the load balancer connects to the remaining connection server. This time for the admin page.

This concludes this small demonstration of using NSX for Load Balancing Horizon components.

– Happy load balancing the EUC world!

Sources: vmware.com

EUC Layers: Dude, where’s my settings?

With this blog post I am continuing my EUC Layers series. As I didn’t know that I started one there is no real order to follow. Other than that it seems to be somewhat from the user perspective, as that seems a big part in End User Computing. But I cannot guarantee that will be the right order at the end of things.

If you would like to read back the other parts you can find them here:

For this part I would like to ramble on and sing my song about an important part for the user experience, User Environment Management.

User Environment

Organisations will grant their users access to certain workspaces, an application, a desktop and/or parts of data required for or supporting the user’s role within the business processes. With that these users are granted access to one or more operating systems below that workspace or application. The organization would also like to apply some kind of corporate policy to ensure the user works with the appropriate level(s) of access for doing their job and keeping the organization’s data secure. Or in some cases to comply with rules and regulations and thus making the user’s job a bit difficult at the same time.

On the other side of the force, each user will have a preferred way of using the workspace and will tend to make all sorts of changes that enable these users to work as efficiently as humanly possible. Examples of these changes are look and feel options and e-mail signatures.

The combination of the organization policy and the user preferences is the User Environment Layer, also called persona also called user personality.

Whether a user is accessing a virtual desktop or a published application, the requirement for a consistent experience for users across all resources is one of the essential objectives and requirements for End User Computing solutions. If you don’t have a way of managing the UE, you will have disgruntled users and not much of a productive solution.

Dude

Managing the User Environment

Managing the User Environment is complicated as there are a lot of factors and variables in the End User environment. Further complexity is added by what needs to be managed from the organization perspective and what your users expect.

Next to this yet another layer is added to this complexity: the workspaces are often not just one dominating technology, but a combination of several pooled technologies. Physical desktop pools, virtual desktop pools, 3D engineering pools, application pools and so on.

That means that a user does not always log on to the same virtual desktop each time, or logs on to a published application on another device still wanting to have the same settings for the application and the application on the virtual desktop. A common factor is that the operating system layer is a Windows-based OS. Downside is, several versions and a lot of application options. We should make sure that user profiles are portable in one way or another from one session to the next one.

It is absolutely necessary that, when using different versions of pooled workspaces, the method of deploying applications and settings to users is fast, robust and automated. From the user context and operational management.

Sync Personality

User Environment Managers

And cue the software solutions that will abstract the user data and the corporate policies from the delivered operating system and applications. And manage centrally.

There are a lot of solutions that provide a part of the puzzle with profile management and such. And some will provide a more complete UEM solution like:

  • RES ONE Workspace (previously known as RES Workspace Manager),
  • Ivanti Environment Manager (previously known as AppSense Environment Manager),
  • Liquidware Labs ProfileUnity,
  • VMware User Environment Manager (previously known as Immidio).

And probably some more…

Which one works best is up to your requirements and the fit with the rest of the used solution components. Use the one that fits the bill for your organisation now and in a future interaction. And look for some guidance and experience from the field via the community or the Intarweb.

User Profile Strategy

All the UEM solutions offer an abstraction for the Windows User Profile. The data and settings normally in the Windows User Profile are captured and saved to a central location. When the user session is started on the desktop, context changes, application starts or stops, or sessions are stopped, interaction between (parts of) the central location and the Windows Profile is done to maintain a consistent user experience across any desktop. Just in the time when they are needed, and not bulk loaded on startup.

The Windows Profile itself comes in the following flavours:

  • Roaming. Settings and data are saved to a network location. By default the complete profile is copied at log in and log out to any computer where the user starts the session. The bits that will be copied or not can be tweaked with policies.
  • Local. Settings and data are saved locally to the desktop. This remains on the desktop. When roaming, settings and data are not copied and a new profile is created with a new session.
  • Mandatory. All user sessions use a prepared user profile. All user changes done to the profile are deleted when user sessions are logged off.
  • Temporary. Something fubarred. This profile only comes into play when an error condition prevents the user’s profile from loading. Temporary profiles are deleted at the end of each session, and changes made by the user to desktop settings and files are lost when the user logs off. Not using this with UEM.

The choice of Windows profile used with(in) the UEM solution often depends on the to-be architecture and the phase you are in, the starting point and where to go. For example starting with the bloating and error prone roaming profiles, UEM side-by-side for capturing the current settings and moving to clean mandatory profiles. Folder Redirection in the mix for centralized user data and presto.

Use mandatory as de facto wherever possible, it is a great fit for virtual desktops, published applications and host/terminal servers in combination with a UEM solution.

The User Profile strategy should also include something to mitigate against the Windows Profile versions. OS versions are incorporated with different profile versions. Without some UEM solution you cannot roam settings between a V2 and V3 profile. So migrating or moving between different versions is not possible without tooling. The following table is created with the information from TechNet about User Profiles.

Windows OS | User Profile Version
Windows XP and Windows Server 2003 | First version without .
Windows Vista and Windows Server 2008 | .V2
Windows 7 and Windows Server 2008 R2 | .V2
Windows 8 and Windows Server 2012 | .V3 (after the software update and registry key are applied); .V2 (before the software update and registry key are applied)
Windows 8.1 and Windows Server 2012 R2 | .V4 (after the software update and registry key are applied); .V2 (before the software update and registry key are applied)
Windows 10 | .V5
Windows 10, 1703 and 1607 | .V6

Next to that UEM offers to move settings for the user context from Group Policies and login/logoff scripts, again lowering the amount of policies and scripts at login and logoff. And improving the user experience by lowering those waiting times to actually having what you need just in the time you need it.

And what your organization user environment strategy is, what do you want to manage and control, what to capture for users and applications, and what not.

VMware User Environment Manager

With VMware Horizon often VMware UEM will be used. And what do we need for VMware UEM?

In short VMware UEM is a Windows-based application, which consists of the following main components:

  • Active Directory Group Policy for configuration of the VMware User Environment Manager.
  • UEM configuration share on a file repository.
  • UEM User Profile Archives share on a file repository.
  • The UEM agent or FlexEngine in the Windows Guest OS where the settings are to be applied or captured.
  • For using UEM in offline conditions and synchronizing when the device connects to the network again.
  • UEM Management Console for centralized management of settings, policies, profiles and config files.
  • The Self-Support or Helpdesk Tool. For resetting to a previous settings state or troubleshooting for level 1 support.
  • The Application Profiler for creating application profile templates. Just run your application with Application Profiler and Application Profiler automatically analyzes where it stores its file and registry configuration. The analysis results in an optimized Flex config file, which can then be edited in the Application Profiler or used as is in the UEM environment.

UEM will work with the UEM shares and engine components available to the environment. With the latest release Active Directory isn’t a required dependency with the alternative NoAD mode. The last three are for management purposes.

All coming together in the following architecture diagram:

UEM Architecture

That’s it, no need for further redundant application managers and database requirements. In fact UEM will utilize components that organizations already have in place. Pretty awesomesauce.

I am not going to cover installation and configuration of UEM, there are already a lot of resources available on the big bad web. Two excellent resources are http://www.carlstalhood.com/vmware-user-environment-manager/ or https://chrisdhalstead.net/2015/04/23/vmware-user-environment-manager-uem-part-1-overview-installation/. And of course VMware blogs and documentation center.

Important for the correct usage of UEM is to keep in mind that the solution works in the user context. Pre-Windows Session settings or computer settings will not be in UEM. And it will not solve application architecture misbehaviour. It can help with some duct tape, but it won’t solve application architecture changes from version 1 to version 4.

VMware UEM continually evolves with even tighter integration with EUC using VMware Horizon Smart Policies, Application Provisioning integrations, Application authorizations, new templates and so on.

Happy Managing the User Environment!

Sources: vmware.com, microsoft.com, res.com, ivanti.com, liquidwarelabs.com

EUC: Can I kick it – upgrading to Horizon 7.1

The 16th of March was a good day. The NLVMUG was going on in the Netherlands (great event!), great weather and Horizon 7.1 went GA. And I wanted to get my TestLab up and running with that version, and take a little peek if there are any of my’s in the upgrade. See what and where things are changed. So why not write-up this pirate’s adventure….

Upgrade Procedure and Interoperability

Before the upgrade it is important to know in which order the bits are to be upgraded, whether we are doing an in-place or new VM deployment, and whether the new versions still work with other components in the environment or whether those also need to be upgraded or will break the upgrade.

The upgrade procedure is more or less the same as with the previous ones:

  • Check the status of the components. If there currently are health issues, fix them before the upgrade. Or use the upgrade to try to fix your issue if they are named as a fix in the release notes.
  • Get out your password manager for database passwords and so on.
  • Complete backups and snapshots. Don’t forget databases and such!
  • Disable provisioning and upgrade Composers. Provisioning can only be enabled when all components are upgraded.
  • Disable connection server and upgrade connection server. If you have more you can do one at a time to leave your users the option to connect. Disable connection server in Horizon admin and load balancer.
  • Optional Upgrade Paired Connection Server and Security Server. Disable connection and prepare security server for upgrade in the Horizon Admin, and in load balancer. First upgrade the paired connection server and then the Security server.
  • Upgrade the Horizon Agent.
  • Upgrade the Horizon Clients.
  • Upgrade the GPO’s to ADMX’s.

Note: during an upgrade it is allowed, or supported, that some older versions interact with the new versions. For example first upgrade the composer in a maintenance window and in the following the connection servers. Just don’t let that upgrade window take for ages.

Your environment probably will have some other upgrades like other Horizon suite components, vSphere, Tools, Windows versions and so on. Be sure to have the steps breakdown before doing any upgrades.

Check if the component versions can work together by checking the VMware Product Interoperability Matrices at http://www.vmware.com/resources/compatibility/sim/interop_matrix.php#interop. Be sure to put in all the VMware solutions you are using. And check with vendors of components outside of the VMware scope. Don’t forget your Zero or Thin Client vendors!

Find a red in there, well stop right there before upgrading.

Treasure map

I have my testlab in the cloud. So for not breaking all the bits, I am cloning my lab in a new lab that I will use for the upgrade. Pretty nice functionality!

Announcement and location

While preparing for the upgrade bit to download we have some time to browse through the 7.1 announcements. Sure you have seen the VMware announcement or blog write ups where you can choose from. If not, ITQ Master of Drones and EUC Laurens has a post on the announcement bit that you can find over here: https://www.vdrone.nl/whats-new-vmware-horizon-7-1/.

Downloads, well easy peasy, they are in the usual my.vmware.com spot (linkie to the VMware spot: https://my.vmware.com/group/vmware/info?slug=desktop_end_user_computing/vmware_horizon/7_1). Have an active SnS and you’re entitled to get the upgrade bits or else go for an evaluation.

Grab - Download Horizon 7.1

And while you’re at it get the ADMX files for all of the Horizon GPO. Thumbs up, finally they are there VMware. Better late than never.

Upgrade Procedure

I have the following components in my vTestlab that need upgrading: Horizon Composer because of the current desktop pools, Horizon Connection Server and databases that are running because of these services. And Horizon Agent in the desktop pools.

For my testlab I used a saved blueprint of my VCAP-DTM lab and used that blueprint to publish a new testlab in Ravello.

After the upgrade I have to check the following components that interact with Horizon: vIDM and vROPS for Horizon. And client connections of course.

Composer

After disabling the provisioning of the desktop pools, log on to your composer server.

Capture - Disable Provisioning Desktop Pool

On the composer server start the installer. After the startup it detects that an upgrade should take place.

Capture - Composer Upgrade

  1. Click next,
  2. Accept the EULA,
  3. Check your destination folder,
  4. Check database settings and input password,
  5. Check port and certificate settings. Note: if you create a new SSL certificate you will have to retrust that one in Horizon. I am reusing the SSL certificate so I select the one installed,
  6. Check and push the install button,
  7. Grab a coffee and check status,
  8. Finish,
  9. Restart server,
  10. Rinse and repeat for other composers in your environment,
  11. If you are done with all components in your desktop block, don’t forget to enable provisioning of the desktop pool!

Connection Server

After disabling the connection server you are going to work on, log on to the connection server.

Capture - Disable connection server

Select the connection server and click the disable button.

On the connection server start the installer. Like the composer upgrade, the installer will detect it is in an upgrade scenario.

Capture - Horizon Connection Upgrade

  1. Click next,
  2. Accept the EULA,
  3. Check and push the install button,
  4. Grab another coffee and check status,
  5. Finish and read the read me. Yes really, depending on where you're coming from there are some pointers in there to check or change to make your life simpler,
  6. Open a browser to your upgraded host and look at that spiffy portal,
  7. Open the admin console and check connection to other components,
  8. Enable your connection server,
  9. Rinse and repeat for others,
  10. (don’t forget your load balancers….)

Look at that pretty new portal

Capture - Horizon Portal

Unfortunately the administration console GUI hasn’t changed and Flash (ahaaaa) is still around. Sad panda…..

Don’t forget to check that vIDM and vROPS for Horizon aren’t broken. I had to repair/restart the broker agent with vROPS. And have a little patience for the metrics to flow back in.

Agent

I have got an RDSH Hosted application farm server, so I will be updating that agent. And some desktop pools, but the procedure is the same. First off, disabling access to the RDSH. Well, that depends on the number of servers you have in the farm and what you're hosting from it. Disable the hosted desktop pool for example. With my test lab it's one server, so disabling the farm would be sufficient. Heck, I am the only user, so leaving everything running would only bug my multiple personalities (who said that?!?).

With several servers you could do maintenance on one by removing it from the farm. Be sure to have your farm running with the same versions. Or have a cloned pool, just update the template.

On the RDSH host start the installer. Again the installer will notice it is an upgrade.

  1. Click next,
  2. Accept the EULA,
  3. Check your IP version,
  4. Custom setup components, but we are not adding, just upgrading, so click next,
  5. (manual only) Check the registration settings of the RDSH with the connection server,
  6. Next and Install,
  7. Finish and reboot,
  8. Enable hosts or pools when the farm is done.

What’s new in the admin?

Instant Clone pools have the option to select specific vLANs for that pool or use the VM network of the template snapshot.

Capture - IC Select Networks

In Global Settings – you have two new client settings:

Capture - Global Settings client

  • Hide server information in client interface. You will only see the lock if the certificate is trusted, but not https://connectiontoserver.fq.dn.
  • Hide domain list in client interface. Only the username and password boxes are shown. The drop-down with the domains is gone. Great for use cases where you want to hide the domain or there is a sh*t load of domains in there. Users have to remember their UPN.

Client user interface here means both the Horizon Client and the HTML client (for the domain list the URL is still in your browser if you haven’t hidden that in another way).

Capture - HTML client no domain

Mind that this is currently not working if the Horizon client is pushed from AirWatch to iOS.

In global settings you can also add an automatic refresh of the admin interface (can’t remember if this was already in) or display some MOTD or legal pre-login message to all your users. This must be accepted by all your users before they are able to log on.

What is missing from the admin?

As @jketels already mentioned on twitter:

Still no VLAN selection support for Dedicated and Floating pools. Only Instant-Clones have this new option available. #Horizon #View 7.1 pic.twitter.com/ehYCnZa4nB

— Joey Ketels (@jketels) March 17, 2017

You can only do the network selection from the GUI in instant clone desktop pools. The network selection (step 7 in vCenter settings) is not available in, for example, linked clone pools. As if networks are not used in a CPA multiple POD deployment, or for all the other reasons that a lot of customers are using multiple vLANs for the desktop pools. Again a missed opportunity. And no, linked clones are not yet deprecated or planned to be, so support this from the GUI. Well, if needed, with PowerShell you can still get this in for your linked clones.

That’s it

That's it, core components are upgraded and running happily. I probably still have to find out a bit more about what has been changed within this release, but for a start it looks pretty slick and without too much of a hassle.

– Happy getting your Horizon going the distance!

Sources: vmware.com, vdrone.nl