Determine User Accounts
- vCenter Server
> vSphere Web client > Administration > Users & Groups > hor_vcenter (vsphere.local)
Ref#1 - p.101 - Privileges Required for the vCenter Server User
- Composer Server
Ref#1 - p.102 - View Composer Privileges Required for the vCenter Server User
Note: When View Composer is NOT collocated with vCenter Server, create a standalone View Composer Server user and add it to the local Administrators group on the Composer server
- Composer AD Operations
a) Create a separate account for Composer AD Operations
b) Delegate permissions to account in the OU where AD objects will be stored:
- Create Computer Objects
- Delete Computer Objects
- Write All Properties permissions
c) Ensure that permissions apply to child objects of the OU
- Instant Clone Operations - same setup as Composer AD Operations account
Ref#1: Horizon 7 Installation - VMware Horizon 7.0
Ref#2: Horizon 7 Installation - VMware Horizon 7.5
AD Delegation Example
- Open ADUC (dsa.msc)
- Right-click Horizon Virtual Desktops OU
- Delegate Control...
- Select hor_compadops (Horizon Composer AD Ops) and Next
- Create a custom task to delegate, Next
- Only the following objects in the folder
+ Create selected objects in this folder
+ Delete selected objects in this folder, Next
- General, Property-specific
+ Read
+ Read All Properties (Objects)
+ Write All Properties (Objects)
+ Reset password, Next
- Finish
Repeat this on the relevant OUs and for each account you require
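The same delegation as the wizard steps above, done with PowerShell so it can be repeated identically on every OU and for every service account (Composer AD Operations and the Instant Clone account, which the notes say gets the same setup). This is an added example, not part of the original notes. It assumes the RSAT ActiveDirectory module is installed and the script runs as a domain admin; the account hor_compadops and the OU "Horizon Virtual Desktops" come from the notes, while DC=company,DC=pri and the instant-clone account name hor_icadops are placeholders. The two schema GUIDs are the well-known constants for the computer class and the Reset Password control access right.

```powershell
# Added example (not from the original notes): Composer/Instant Clone AD delegation via PowerShell.
# Assumptions: RSAT ActiveDirectory module, run as domain admin; domain DN and hor_icadops are placeholders.
Import-Module ActiveDirectory

# Schema GUIDs that are identical in every AD forest
$ComputerClassGuid = [Guid]'bf967a86-0de6-11d0-a285-00aa003049e2'   # schemaIDGUID of class "computer"
$ResetPasswordGuid = [Guid]'00299570-246d-11d0-a768-00aa006e0529'   # control access right "Reset Password"

function Grant-HorizonOuDelegation {
    param(
        [Parameter(Mandatory)][string]$AccountSamName,        # e.g. hor_compadops
        [Parameter(Mandatory)][string]$OuDistinguishedName
    )
    $sid   = (Get-ADUser -Identity $AccountSamName).SID
    $allow = [System.Security.AccessControl.AccessControlType]::Allow
    $acl   = Get-Acl -Path "AD:\$OuDistinguishedName"

    # b) Create / Delete Computer Objects: CreateChild+DeleteChild limited to the computer
    #    class, applied to this OU and every sub-OU
    $acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild',
        $allow,
        $ComputerClassGuid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All))

    # b)+c) Read/Write All Properties, but only on descendant computer objects,
    #    never on users, groups or the OU object itself
    $acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty',
        $allow,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $ComputerClassGuid))

    # Reset Password extended right, again scoped to descendant computer objects
    $acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        $allow,
        $ResetPasswordGuid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $ComputerClassGuid))

    Set-Acl -Path "AD:\$OuDistinguishedName" -AclObject $acl
}

function Get-HorizonOuDelegation {
    # Review what the account actually holds on the OU (the wizard never shows this)
    param([string]$AccountSamName, [string]$OuDistinguishedName)
    (Get-Acl -Path "AD:\$OuDistinguishedName").Access |
        Where-Object { $_.IdentityReference -like "*\$AccountSamName" } |
        Select-Object ActiveDirectoryRights, ObjectType, InheritanceType, InheritedObjectType
}

$ou = 'OU=Horizon Virtual Desktops,DC=company,DC=pri'   # placeholder domain
Grant-HorizonOuDelegation -AccountSamName 'hor_compadops' -OuDistinguishedName $ou
Grant-HorizonOuDelegation -AccountSamName 'hor_icadops'   -OuDistinguishedName $ou   # placeholder instant-clone account
Get-HorizonOuDelegation   -AccountSamName 'hor_compadops' -OuDistinguishedName $ou | Format-Table -AutoSize
```

Every ACE is scoped to computer objects under the OU, which is the point of step c): the service account can create, delete and modify clone computer accounts there and nothing else in the domain. Run Get-HorizonOuDelegation after the wizard too, to confirm the GUI produced the same scoped entries rather than broad rights on all descendant object types.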
How to View or Delete Active Directory Delegated Permissions
View or Remove Active Directory Delegated Permissions (PowerShell script)
Create and Modify Horizon Settings
Configure vCenter Server connection
- in View Administrator > View Configuration > Servers
- add vCenter / Security Servers / Connection Servers
- vCenter - hor_vcenter@vsphere.local
- vCenter - Storage - Reclaim VM disk space & Enable View Storage Accelerator
Configure external URL settings
- in View Administrator > View Configuration > Servers > Connection Servers > Edit...
!!! for PCoIP you must use IP Address !!!
Configure Instant Clone Domain Admins
- in View Administrator > View Configuration > Instant Clone Domain Admins > Add...
Configure the Events database settings
- create a horizonevent SQL database with the Full recovery model
- create a horizonevent SQL login (SQL authentication) with db_owner rights on the horizonevent database only
- in View Administrator > View Configuration > Event Configuration > Event Database - Edit... button
- Table prefix is an optional setting, used when multiple Horizon infrastructures write to the same events database
- Event Settings > Edit...
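The database side of the events configuration as a script, so the recovery model and the scope of the login are set explicitly rather than clicked through in Management Studio. This is an added example and not from the original notes. It assumes you run it with Windows rights to create databases on the instance and that mixed-mode authentication is already enabled (the notes require SQL authentication for this login); the instance name is a placeholder and the database/login name horizonevent comes from the notes.

```powershell
# Added example (not from the original notes): create the Horizon events DB and its scoped SQL login.
# Assumptions: Windows auth with CREATE DATABASE rights on the instance, mixed mode enabled; instance is a placeholder.
function New-HorizonEventDatabase {
    param(
        [Parameter(Mandatory)][string]$SqlInstance,        # e.g. 'sql1.company.pri' (placeholder)
        [Parameter(Mandatory)][pscredential]$EventLogin,   # login name and password for the Horizon event user
        [string]$DatabaseName = 'horizonevent'
    )
    # Only the password is interpolated into T-SQL; doubling single quotes keeps it a literal
    $pass  = $EventLogin.GetNetworkCredential().Password.Replace("'", "''")
    $login = $EventLogin.UserName

    # Batches in the order SQL Server needs them (CREATE DATABASE on its own)
    $batches = @(
        "CREATE DATABASE [$DatabaseName];",
        "ALTER DATABASE [$DatabaseName] SET RECOVERY FULL;",
        "IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$login')
             CREATE LOGIN [$login] WITH PASSWORD = N'$pass', CHECK_POLICY = ON, DEFAULT_DATABASE = [$DatabaseName];",
        "USE [$DatabaseName];
         CREATE USER [$login] FOR LOGIN [$login];
         ALTER ROLE db_owner ADD MEMBER [$login];"    # db_owner here only, no server-level role
    )

    $conn = New-Object System.Data.SqlClient.SqlConnection("Server=$SqlInstance;Integrated Security=True")
    $conn.Open()
    try {
        foreach ($sql in $batches) {
            $cmd = $conn.CreateCommand()
            $cmd.CommandText = $sql
            [void]$cmd.ExecuteNonQuery()
        }
        # Return the recovery model so the result can be checked before touching View Administrator
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = "SELECT recovery_model_desc FROM sys.databases WHERE name = N'$DatabaseName'"
        return $cmd.ExecuteScalar()
    }
    finally { $conn.Close() }
}

$cred = Get-Credential -UserName 'horizonevent' -Message 'Password for the horizonevent SQL login'
New-HorizonEventDatabase -SqlInstance 'sql1.company.pri' -EventLogin $cred
```

The login is deliberately given db_owner on horizonevent and nothing at the server level; if View Administrator later reports it cannot create its tables, fix the role membership on this database rather than adding sysadmin.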
Configure the Syslog server
- in View Administrator > View Configuration > Event Configuration > Syslog section
- this syslog data is not encrypted when sent over the network
Enable Horizon View Storage Accelerator
- enables Content-based read cache feature
Understanding CBRC (Content Based Read Cache)
Why is Content-Based Read Cache (CBRC) so important for Horizon View and VSAN
Configure SSL
- View Administrator > Click red square in System Health (top left corner)
- Connection server and Security server - Untrusted Certificate
if using internal AD integrated PKI
- duplicate Web Server template
- General > Name (for example Web Server Horizon)
- Request handling > Allow private key to be exported
- Subject Name > Supply in the request
- Security > Add Domain Computers Read, Write & Enroll privileges
- in certsrv \ Certificate Templates mmc
- right-click Certificate Templates > New > Cert Template to Issue
- select Web Server Horizon template and click OK
Note: !!! VMware products look for "vdm" in Certificate's friendly name !!!
Replace Connection Server Certificate
- open Computer Certificates MMC Console
- right-click Personal\Certificates > All Tasks > Request New Certificate...
- Next on Before you begin, Select Active Directory Enrollment Policy, click Next
- Select newly customised Web Server Horizon Template and click on
More information is required to enroll for this certificate. Click here to configure settings
- Subject Tab
Subject Name > Common name = the FQDN users will connect to (for example connection1.company.pri)
- General Tab - Friendly name - "vdm"
- check Private Key tab > Key options > Make private key exportable is ticked
- Click OK and Click Enroll and Finish button
- Check the Certificate in the MMC Console - that it has the "vdm" friendly name
- Open services.msc MMC console, browse to VMware Horizon View Connection Server service and restart it
- test by opening https://<connection FQDN>/admin and verifying that you get the "green padlock"
Replace Composer Server Certificate
- the process is essentially the same as for the Connection server except:
- common name = composer1.company.pri
- General > Friendly name is empty
- open services.msc MMC Console and Stop VMware Horizon 7 Composer Service
- open elevated CMD prompt and cd to "c:\program files (x86)\VMware View Composer"
- Run the sviconfig.exe -operation=ReplaceCertificate -delete=false command
- Select newly created certificate (option 1) Subject: CN=composer1.company.pri
- in services.msc MMC Console and Start VMware Horizon 7 Composer Service
Verify Connection and Composer Certificates
- test by opening https://<connection FQDN>/admin and clicking on System Health
- Connection and Composer servers should show green color (i.e. OK)
Replace Security Server Certificate
- on Security Server open Certificates MMC console for Local Computer and Current User
- open IE and go to https://<pki-server>/certsrv and log in with domain credentials
- Download a CA Certificate ...
- Import Root PKI Cert to Local Machine > Trusted Root Certification Authorities
- back to IE and /certsrv site - Request a certificate
- submit an advanced certificate request
- create a request and submit to CA and click Yes on site attempting to perform a digital cert op
- select Web Server Horizon Template
- Name: type the externally accessible FQDN, e.g. security1.company.com
- Check Mark keys as exportable is selected
- click Submit button and click Yes on site attempting to perform a digital cert op
- click Install this certificate hyperlink
- go to Certificates MMC Console - User > Personal > Certificates (as cert got installed there)
- export the cert with private key, .PFX format and Export all extended properties
- type password and save (on Desktop)
- install .PFX file to Local Machine, type password
- tick > Mark this key as exportable
> Include all extended properties
- select to place it in Personal Store
- back to Certificates MMC console - in Local Computer\Personal\Certificates
- Change "vdm" to "old" on self-signed cert and set "vdm" friendly name on newly imported one
- Restart VMware Horizon View Security Gateway Component Service
- Check -> go to External Win10 Desktop, open IE and go to https://security1.company.com
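The friendly-name swap and the checks behind it, for both the Connection Server steps (Replace Connection Server Certificate above) and the Security Server steps just described. This is an added example, not part of the original notes. It assumes it runs elevated on the server that holds the new certificate in Local Computer\Personal; the thumbprint and expected host name are placeholders you replace with the values from your enrolment, and the service display names are the ones the notes give.

```powershell
# Added example (not from the original notes): validate the new certificate, move the "vdm"
# friendly name to it and restart the Horizon service. Thumbprint/host name below are placeholders.
function Set-HorizonVdmCertificate {
    param(
        [Parameter(Mandatory)][string]$NewThumbprint,
        [Parameter(Mandatory)][string]$ExpectedDnsName,      # e.g. connection1.company.pri
        [Parameter(Mandatory)][string]$ServiceDisplayName    # 'VMware Horizon View Connection Server' or
                                                             # 'VMware Horizon View Security Gateway Component'
    )
    $store = 'Cert:\LocalMachine\My'
    $thumb = $NewThumbprint -replace '[^0-9A-Fa-f]', ''      # tolerate the spaced form copied from the MMC
    $new   = Get-Item -Path "$store\$thumb"

    # The checks the GUI procedure leaves to the eye
    if (-not $new.HasPrivateKey) { throw 'New certificate has no private key; re-enrol with the exportable key option' }
    if ($new.NotAfter -lt (Get-Date)) { throw 'New certificate is already expired' }
    $names = @($new.DnsNameList.Unicode)                     # SANs plus CN as the Cert: provider exposes them
    if ($names -notcontains $ExpectedDnsName) {
        throw "Certificate names ($($names -join ', ')) do not include $ExpectedDnsName"
    }
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    if (-not $chain.Build($new)) {
        throw "Chain does not build on this host: $($chain.ChainStatus.StatusInformation -join '; ')"
    }

    # Demote whatever currently carries "vdm" (normally the self-signed certificate) to "old"
    Get-ChildItem -Path $store |
        Where-Object { $_.FriendlyName -eq 'vdm' -and $_.Thumbprint -ne $new.Thumbprint } |
        ForEach-Object { $_.FriendlyName = 'old' }

    $new.FriendlyName = 'vdm'                                # the property Horizon looks for
    Restart-Service -DisplayName $ServiceDisplayName

    # Return what is now active, to compare with the System Health page
    Get-ChildItem -Path $store | Where-Object FriendlyName -eq 'vdm' |
        Select-Object Subject, Thumbprint, NotAfter, HasPrivateKey
}

Set-HorizonVdmCertificate -NewThumbprint '<thumbprint of the enrolled certificate>' `
    -ExpectedDnsName 'connection1.company.pri' `
    -ServiceDisplayName 'VMware Horizon View Connection Server'
```

The chain check matters most on the Security Server, which is not domain joined: if the root from /certsrv was not imported into Trusted Root Certification Authorities as described above, the function stops before the swap instead of leaving the service with a certificate it cannot present cleanly.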
Replace Access Point Certificate
the trick is to convert the .pfx certificate to .pem format using the openssl tool
- https://<accessIP>:9443/admin/index.html
- Configure Manually
- Advanced Settings > SSL Server Certificate Settings
- on domain joined PC open Certificates MMC console for Local Computer
- right-click Personal\Certificates > All Tasks > Request New Certificate...
- Next on Before you begin, Select Active Directory Enrollment Policy, click Next
- Select newly customised Web Server Horizon Template and click on
More information is required to enroll for this certificate. Click here to configure settings
- Subject Tab
Subject Name > Common name = url of what users are going to be using (accesspoint.company.pri - example)
- check Private Key tab > Key options > Make private key exportable is ticked
- Click OK and Click Enroll and Finish button
- go to Certificates MMC Console - Computer > Personal > Certificates
- export the cert with private key, .PFX format, Include all certs in path and Export all extended properties
- type password and save (on Desktop)
- once exported, delete certificate from the store
- open CMD prompt and go to c:\program files\vmware\vmware tools and locate openssl.exe
- run command openssl.exe pkcs12 -in MyCert.pfx -out MyCert.pem -nodes
- run command openssl.exe rsa -in MyCert.pem -out MyCert.key
- back to Access Point - Configure Manually > Advanced Settings > SSL Server Certificate Settings
- select MyCert.key file for Private Key
- select MyCert.pem file for Certificate Chain and click Save
- still in Configure Manually > General Settings > Edge Service Settings - Show
- click on Horizon Settings and change Proxy Destination URL Thumbprints
- update the entry, for example sha1=36 3c a8 .... - always prefix the thumbprint with the hash algorithm
- Check -> go to External Win10 Desktop, open IE and go to https://accesspoint.company.com/portal
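The conversion and the thumbprint formatting from the Access Point steps, scripted so the output format is right the first time. This is an added example and not from the original notes. It assumes openssl.exe at the VMware Tools path the notes give and a PFX exported as described; the file names are the notes' MyCert.* names and the thumbprint passed at the end is a constructed sample, not a real certificate's.

```powershell
# Added example (not from the original notes): PFX -> PEM/KEY for Access Point and the
# "sha1=xx xx ..." thumbprint format. Paths come from the notes; the sample thumbprint is constructed.
$openssl = 'C:\Program Files\VMware\VMware Tools\openssl.exe'

function Convert-PfxForAccessPoint {
    param(
        [Parameter(Mandatory)][string]$PfxPath,
        [string]$OutDir = (Split-Path -Path $PfxPath)
    )
    $pem = Join-Path $OutDir 'MyCert.pem'
    $key = Join-Path $OutDir 'MyCert.key'
    # openssl prompts for the PFX password itself, so it never appears on the command line.
    # -nodes writes the private key unencrypted: keep these files only until they are uploaded.
    & $openssl pkcs12 -in $PfxPath -out $pem -nodes
    if ($LASTEXITCODE -ne 0) { throw 'pkcs12 export failed (wrong password or corrupt PFX?)' }
    & $openssl rsa -in $pem -out $key
    if ($LASTEXITCODE -ne 0) { throw 'could not extract the RSA key from the PEM file' }
    [pscustomobject]@{ CertificateChain = $pem; PrivateKey = $key }
}

function Format-HorizonThumbprint {
    # Turn a thumbprint as shown by the MMC ("363CA8...") or openssl ("36:3C:A8:...") into the
    # form Access Point expects: algorithm prefix, lower-case hex, one space between bytes
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        [ValidateSet('sha1', 'sha256')][string]$Algorithm = 'sha1'
    )
    $expectedLength = @{ sha1 = 40; sha256 = 64 }[$Algorithm]
    $hex = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToLower()
    if ($hex.Length -ne $expectedLength) {
        throw "Expected $expectedLength hex digits for $Algorithm, got $($hex.Length)"
    }
    $pairs = for ($i = 0; $i -lt $hex.Length; $i += 2) { $hex.Substring($i, 2) }
    "$Algorithm=" + ($pairs -join ' ')
}

$files = Convert-PfxForAccessPoint -PfxPath "$env:USERPROFILE\Desktop\MyCert.pfx"
$files   # PrivateKey -> "Private Key" field, CertificateChain -> "Certificate Chain" field

# Constructed sample thumbprint (not a real certificate); use the Connection Server certificate's own
Format-HorizonThumbprint -Thumbprint '36:3C:A8:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00'
```

After the Save in the Access Point admin page, remove MyCert.pem and MyCert.key from the desktop: the PEM created with -nodes holds the private key in clear text, and the notes already have you delete the certificate from the Windows store for the same reason.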
Configure RBAC (Role-based Access Control)
Using Access Groups to Delegate Administration of Pools and Farms
- https://<connection>/admin > View Configuration > Administrators
- concept Who, What, Where
- Who - Administrators and Groups
- What - Roles
- Where - Access Groups
Authentication for RSA, Smart Cards and RADIUS
- https://<connection>/admin > View Configuration > Servers
- Connection Servers tab, select Connection Server and click Edit...
- Authentication tab > View Authentication
Setting Up User Authentication
Set Up RSA Authentication Manager For Multi-Factor Authentication
Configure SAML Authenticator
Create a SAML Authenticator on a Horizon 7 Connection Server
Configure SAML 2.0 Authenticators in View Administrator
SAML (Security Assertion Markup Language)
Configure Multi-site/Pod Deployment
- Each Connection Server can support 2000 simultaneous connections
- Each deployment can support 7 Connection Servers (incl. 2 backups) and 10000 simultaneous connections
- Connection Servers in a deployment are geographically collocated
- Horizon Cloud Pod connects multiple deployments for scale-out to 50000 simultaneous connections or multiple sites
- Users in a multi-site deployment are designated a Home Site to ensure local resources are used first
- Cloud Pods are generally used with floating assignment desktop pools
- https://<connection>/admin > View Configuration > Cloud Pod Architecture
- Initialize the Cloud Pod Architecture feature
for subsequent connection servers > Join the pod federation
- enabling the Cloud Pod feature turns on the Home Site tab in Inventory > Users and Groups