This is the final segment into the Horizon Console and is focusing on the Settings section.
This blog is part of a group of bite-sized segments, as follows:
Settings (this blog)
NOTE: The following is based on Horizon version 2006; newer versions of Horizon may have subtle differences in the options available.
Settings
Typically, the Settings section of the Horizon Console is where you would initially configure your Horizon environment once it has been deployed. This post covers all aspects of this section; therefore as this write up is lengthy, use the links below to navigate through the different settings and options available.
Servers
Within the Servers tab, you can add, modify or remove vCenter Server(s) that will be used to provision virtual desktops. You can add your gateway servers to get the health status, plus you can also configure Horizon Connection Server settings, as shown below.
vCenter Servers
Based on the 'pod and block' design, you can add multiple vCenter Servers to your Horizon environment. Each vCenter Server can serve a specific use-case to or support the whole virtual desktop infrastructure.
Adding vCenter Server has been blogged by me before and can be accessed by clicking HERE.
When you select an existing vCenter Server, various tabs become available to manage the vCenter Server, as shown below.
Table 1 below describes the information shown for existing vCenter Servers added to the Horizon Console.
Table 1: vCenter Server Details
Edit vCenter Server
You can change various settings when you click on the Edit tab, as shown in Table 2 below.
Table 2: Edit vCenter Server
Remove vCenter Server
You can also remove an added vCenter Server from the Horizon Console. Before removing a vCenter Server, if any virtual desktops and pools using the vCenter Server, they first need to be deleted, as prompted when you click on the Remove tab.
Disable Provisioning vCenter Server
When you click on the Disable Provisioning tab, the vCenter Server no longer provisions new virtual desktops or applications. No existing sessions are affected by this.
Enable Provisioning vCenter Server
If a vCenter Server's provisioning is disabled, by clicking on the Enable Provisioning tab, the vCenter Server begins to provision new virtual desktops or applications.
Gateways
The Gateways tab displays the information of the gateways used to access the Horizon environment. Typically, if you use VMware Unified Access Gateway appliances for secure access from untrusted networks, these appliances will be added to this section.
As shown in the figure above, only two (2) options available, Register and Unregister.
When you click on the Register tab, you are prompted to enter the name of the gateway. This name has to be precisely the same as as it is configured on the gateway; otherwise the gateway's status will remain unknown.
Table 3 below describes the information displayed once a gateway has been added.
Table 3: Gateways
To remove the gateway from the Horizon Console, select the gateway from the list and click on the Unregister tab.
Connection Servers
The Connection Servers tab displays all the Connection Servers within the pod. Information such as version number and status is also shown.
When you select an existing Connection Server, additional tabs become active.
Disable Connection Server
By default, the Connection Servers are enabled within the pod to provision virtual desktops and applications. The Disable tab can be used to take a Connection Server offline for maintenance or upgrades. During the time the Connection Server is disabled, it does not participate in any provisioning tasks.
Edit Connection Server
The Edit tab allows you to make changes to the settings for that Connection Server.
There are three (3) options that can be configured: General, Authentication and Backup.
General
Tags
The Tags field allows you to assign a unique tag to the Connection Server. Tags are helpful when you require specific Connection Servers within the pod to manage specific desktop or application pools with a matching tag assigned. Any desktop or application pool that does not have a tag assigned or has a different tag gets managed by other Connection Servers in the pod.
HTTP(s) Secure Tunnel
When the Use Secure Tunnel connection to machine option is unchecked, and after the Connection Server has brokered a connection, the communion between the Horizon Client and the virtual desktop or application is direct.
However, when you check this option, the Horizon Client makes a second HTTPS connection through the Connection Server, which carries various data between the Horizon Client and the virtual resource; this is called Tunnelling. The connection becomes dependant on the Connection Server and any interruption with the Connection Server will cause the session between the client and virtual resource to drop.
When enabled, all the clients establish a connection to the Connection Server via the external URL. By default, this is the FQDN of the Connection Server; however, you can change this if required. The URL has to have a resolvable DNS name and be accessible from all networks, and cannot be a load balancer URL (if used).
PCoIP Secure Gateway
By enabling Use PCoIP Secure Gateway for PCoIP connections to machine, a further connection is made through the Connection Server to allow for PCoIP traffic to pass through between the client and the virtual resource.
By default, this is the IP address of the Connection Server.
Blast Secure Gateway
There are several options available to configure the Blast Secure Gateway:
Use Blast Secure Gateway for all Blast connections to machine. All connections that use the VMware Blast Extreme protocol go via the Connection Server.
You can limit the use of the Blast gateway only to HTML Access clients by enabling Use Blast Secure Gateway for only HTML Access connections to machine.
You can disable the use of the Blast gateway altogether by selecting Do not use Blast Secure Gateway.
By default, this is the FQDN of the Connection Server.
NOTE: If you use VMware Unified Access Gateway or any other gateway for external clients, the PCoIP and Blast gateway options should be disabled on the Connection Servers.
Authentication
The next tab is Authentication.
SAML Authentication
The Delegation of authentication to VMware Horizon (SAML 2.0 Authenticator) option allows you to integrate your Connection Server with a SAML authenticator. In the figure below, my SAML authenticator is integrated with VMware Workspace ONE Access to publish virtual desktops and applications from Horizon to Workspace ONE Access.
There are three (3) options that can be set:
Disabled - There is no SAML authentication configured, and Horizon resources can only be launched using the Horizon Client or HTML Access.
Allowed - You have the option to launch Horizon resources from the Horizon Client and through VMware Workspace ONE Access or a third-party access point, such as another gateway or a load balancer.
Required - With this option selected, virtual desktops and applications cannot be launched directly from the Horizon Client. Instead, they can only be launched from VMware Workspace ONE Access or a third-party access gateway.
When the Allowed or the Required options are selected, the Manage SAML Authenticators tab becomes available, as shown in the figure below.
When you click on the Manage SAML Authenticators tab, you can Add, Edit or Remove your SAML authenticators.
When adding a new SAML Authenticator, you first select the type:
Dynamic - choose this when integrating Horizon with VMware Workspace ONE Access.
Static - select this when configuring VMware Unified Access Gateway or a third-party gateway.
The Label provides a unique name that identifies the SAML authenticator.
Optionally, add a description of the use of this SAML authenticator.
If you selected the type as dynamic, the Metadata URL and Administrator URL fields become available, as shown in the figure below.
The Metadata URL retrieves all the required information to exchange SAML information between Horizon and the provider. You need to replace the text which states YOUR SAML AUTHENTICATOR NAME with the FQDN or IP address of your VMware Workspace ONE Access environment.
Optionally, you can enter the Administrator URL, which points to the VMware Workspace ONE Access Connector web interface.
The Enabled for Connection Server checkbox allows you to disable the SAML authenticator.
If you selected the type as static, then the SAML Metadata field becomes available, as shown in the figure below.
In the SAML Metadata field, you copy the metadata generated on your VMware Unified Access Gateway or third-party gateway and paste it in this field.
The Edit tab allows you to modify any of the settings mentioned above, and the Remove tab enables you to delete the SAML authenticator from the Horizon Console.
If the Delegation of authentication to VMware Horizon (SAML 2.0 Authenticator) is set to Required, the Enable Workspace ONE mode option become available as shown below.
When this option is enabled, all connections to the Horizon Connection Server are redirected to the VMware Workspace ONE web portal (as specified in the Workspace ONE Server Hostname field) to access the virtual desktops and applications.
Another option that becomes available when you enable Enable Workspace ONE mode is Block connections from clients that don't support Workspace ONE mode.
The next part of the configuration focuses on the authentication itself.
NOTE: If the Delegation of authentication to VMware Horizon (SAML 2.0 Authenticator) is set to Required, the following options are greyed out and are not applicable.
Smart card authentication for users
There are three (3) options that can be selected using the drop-down list:
Not allowed - only traditional Windows username and password authentication are allowed.
Optional - provide the users with the option to use a smart card or Windows username and password for authentication.
Required - only smart card authentication is allowed.
NOTE: Before enabling smart card authentication, follow the prerequisites required as documented in the VMware Horizon Administration guide available at VMware Horizon Documentation.
When you enable Disconnect user session sessions on smart card removal, when the user removes their smart card from the reader, the user's session is disconnected. When they reinsert their smart card, the same session continues. This option is not available when the Smart card authentication for users is set to Not allowed.
You also enable Allow smart card user name hints, which can be used in environments where a single, smart card certificate can authenticate multiple user accounts. This option is not available when the Smart card authentication for users is set to Not allowed.
Unauthenticated Access
This option is used to configure users to access their Horizon Apps without requiring their Active Directory credentials. The setup and requirements have been detailed in a previous blog post as part of this intermediate grouping and can be accessed HERE.
NOTE: If the Smart card authentication for users is set to Required, this option is not available to configure.
Current User Authentication
If you use the Log in as current user option in the Horizon Client (Windows), the user credentials and other authentication information are passed to the Connection Server and to the virtual desktop for single sign-on. Enable Accept logon as current user to allow the Connection Server to accept this information and store it whist the session is active.
Advanced Authentication
If you use RSA SecurID or RADIUS to provide two-factor authentication to access your virtual resources, you can configure these in this section.
NOTE: Applying two-factor authentication affects all users who connect to the Connection Servers, whether internal users or external users. Suppose you require only external users to be prompted for 2FA. In that case, you should either have dedicated Connection Servers for external users or configure 2FA on your gateway and not on the Connection Servers.
There are three (3) options that can be selected using the drop-down list:
Disabled - do not use any 2FA.
RSA SecurID - integrate the Connection Server with RSA SecurID.
RADIUS - integrate the Connection Server with your RADIUS environment.
RSA SecurID
To integrate the Connection Server with your RSA SecurID, upload the sdconf.rec file.
When the Enforce SecurID and Windows user name matching option is enabled, the user name must exactly match what is in Active Directory. If there is a mismatch, the user is unable to log in.
In the event of troubleshooting RSA SecurID authentication, there are times when the Clear node secret option has to be selected.
RADIUS
When the Enforce 2-factor and Windows user name matching option is enabled, the user name must exactly match what is in Active Directory. If there is a mismatch, the user is unable to log in.
If the Use the same user name and password for RADIUS and Windows authentication is enabled, the RADIUS credentials are passed through to the virtual desktop, and the user is not prompted to enter their credentials.
If you don't already have an authenticator configured to your RADIUS server, select Create New Authenticator from the drop-down list.
Provide an Authenticator Name to distinguish this configuration from others that you may have.
Optionally, enter a Description.
You can enter custom Username and Passcode labels that the users see when accessing the Connection Server. This is also optional to set.
Provide the Hostname/Address of your primary RADIUS server.
If required, change the Authentication Port from the default of 1812.
If your RADIUS server collects accounting information, change the Accounting Port to any number other than 0.
Select the Authentication Type to what you are using; the options are PAP, MSCHAP1 and MSCHAP2.
Enter the Shared Secret, Server Timeout, and Max Attempts that are configured on your RADIUS server.
Optionally, enter the Realm Prefix and Realm Suffix that is automatically sent to the RADIUS server along with the username.
Optionally, you can configure a secondary server, select Use a secondary server if primary is unavailable and complete the fields.
The final part of the authentication tab is the Horizon Administrator Authentication.
This option allows you to authenticate to the Horizon Console using smart card authentication.
There are three (3) options that can be selected using the drop-down list:
Not allowed - smart card authentication is disabled.
Optional - provide the Horizon administrators with the option to use a smart card or Windows username and password for authentication.
Required - only smart card authentication is allowed.
Backup
You can schedule the backup of the Horizon LDAP repository that resides on the Connection Server. By default, this is set to daily at midnight.
The Automatic Backup Frequency allows you to set how often you wish to backup the Connection Server. The options are:
Every hour - starts on the hour.
Every 6 hours - begins at midnight and then every six (6) hours.
Every 12 hours - takes a backup at midnight and then one at midday.
Every day - starts at midnight.
Every 2 days - begins at midnight on Saturday, Monday, Wednesday and Friday.
Every week - takes a backup at midnight, every Saturday.
Every 2 weeks - backup starts at midnight, every other Saturday.
Never - no backups are scheduled.
The Backup Time Offset (Minutes) allows you to set the backup with an offset from midnight. For example, if you enter 30, the backup will occur at 00:30. As a best practice, I always offset each Connection Server in the pod, so there is always a different copy on each Connection Server until the backups are complete.
The Max Number of Backups allows you to set the number of backups to keep. Once the tenth backup is reached, the oldest backup file is deleted.
The Folder Location is where the backup files are kept. It is recommended that this folder be incorporated into your broader server backup strategy.
When you install the first Horizon Connection Server, you are prompted to enter a Data Recovery Password. This password is used to encrypt the backup files and is required in the event you need to restore the Horizon configuration file. You can change the password by clicking on the Change data recovery password tab.
Instant Clone Domain Accounts
Before creating instant clone desktop pools, a user account needs to be made in Active Directory. Typically, this account should be treated as any service account. This account allows Horizon to interact with Active Directory to manage the virtual desktops, such as domain join.
Click on the Add tab to add an account.
The Full domain name is automatically populated based on the domain that the Connection Servers belong to. If you have multiple domains in a trust relationship, use the drop-down to select your domain. Enter the username and password for the account.
If you already have an account set, the Edit tab allows you to update the account password if it has changed.
The Remove tab deletes the account from the Horizon Console.
Product Licensing and Usage
The Product Licensing and Usage section is the very first place you are redirected to when you install your very first Horizon Connection Server.
Licensing
Under Licensing, click the Edit License tab to enter a new Horizon license key.
Depending on your license, the features of that license are displayed as shown below.
Usage
The Usage tab displays information regarding Horizon license usage, both current and historical.
If required, use the tabs to reset the counts.
Customer Experience Program
Finally, the Customer Experience Program allows VMware to collect information regarding the usage of Horizon. If you opted out during the installation of the first Horizon Connection Server, then the program setting is disabled, as shown below.
You can change the settings by clicking on the Edit Settings tab.
By enabling Join the VMware Customer Experience Improvement Program, you agree to the terms and conditions of the program. The Geographic Location allows you to select the region you are based in.
The Business Vertical allows you to set the industry you are based in.
Last but not least, select the Number of Employees in the organisation.
Global Settings
The Global Settings section allows you to configure settings that are applied to the whole Horizon pod. There are three (3) tabs that can be configured; General Settings, Security Settings and Clients Restriction Settings.
General Settings
Click on the Edit tab to configure the general settings.
View Administrator Session Timeout
The View Administrator Session Timeout allows you to specify how long the Horizon Console remains active when it is idle. This setting only applies to the Horizon administrators and not the users and clients. The default timeout is 30 minutes. The minimum timeout you can set is 10 minutes, and the maximum timeout is 4,320 minutes (72 hours).
Forcibly Disconnect Users
The Forcibly Disconnect Users option allows you to specify whether or not to disconnect all desktops and applications after a specified timeout. The options are Never or After. The default setting is After 600 minutes.
In scenarios where the client does not support applications, if the timeout is set to Never or is greater than 1,200 minutes, the maximum timeout is set to 1,200 minutes.
Single Sign-On (SSO)
You can choose to Enable or Disable SSO.
By enabling SSO, the user's credentials entered into the Horizon Client are cached by the Connection Server and passed through to the virtual desktop or application, so the user is not prompted to enter them again. This setting is Enabled by default.
This setting has to be Enabled If you use the True SSO feature, introduced in VMware Horizon or later (True SSO will be covered in the expert competency).
Disconnect Applications and Discard SSO Credentials for Idle Users
This setting is only applicable to Horizon applications and not virtual desktops. This setting allows you to disconnect the application session if no keyboard or mouse activity is not detected. It also discards the SSO credentials, so the user must authenticate again to resume their session.
You can specify Never or After. If you select After, enter the number of minutes, with 999 minutes being the maximum allowed.
Discard SSO Credentials
This setting allows you to discard the cached credentials after a specified time.
You can specify Never or After. If you select After, enter the number of minutes, with 999 minutes being the maximum allowed.
NOTE: This option is not available if you Disable the Single Sign-On (SSO) option.
Enable automatic status updates
If Enabled, this option updates the global status area of the Horizon Console every five (5) minutes. It also updates the Dashboard page under Monitor every five (5) minutes when it is active.
Display a Pre-Login Message
When Enabled, it displays a message (for example, a disclaimer) when users log into their virtual resources.
Display Warning Before Forced Logoff
When this option is Enabled, a user is presented with a message that their session will be logged off when you force a logoff. The forced logoff can be done per session or at the pool level.
You can set a timer on when the session is sent a forced logoff command to when the session ends. This gives the users sufficient time to save any work they may have open within the session. The default is five (5) minutes.
Enable Windows Server Desktops
You have the the option to use Windows Servers that are running the Horizon Agent to be used as virtual desktops when this setting is Enabled.
Clean Up Credentials When Tab Closed for HTML Access
When this option is Enabled, if a user closes the browser tab running the virtual desktop or application, the user's cached credentials are deleted, and the user has to re-authenticate again.
Hide Server information in Client User Interface
When this option is Disabled, the Connection Server URL or the Horizon load balancer URL is shown in the Horizon Client (as exhibited in the left-side figure below).
When Enabled, the server URL is not shown in the client (as displayed in the right-side figure below).
Hide Domain List in Client User Interface
If this option is Enabled, the domain list is not displayed to the user in the Horizon Client (see the above figure).
Send Domain List
If this option is Enabled, the domain dropdown list is displayed to the user in the Horizon Client. However, this option is overridden by the Hide Domain List in Client User Interface if Enabled.
Enable 2 Factor Reauthentication
If this option is Enabled, the user has to re-authenticate with their 2FA after an idle session has timed out.
Security Settings
The next tab is Security Setting.
Reauthenticate Secure Tunnel Connections After Network Interruption
If there is a network disconnect between the Horizon Client and the Connection Server, the user is prompted to re-authenticate again to resume their session if this setting is Enabled.
Message Security Mode
The Message Security Mode is a communication mechanism that sends JMS messages between Horizon components, such as the Horizon Agent and the Connection Server.
By default, when the first Connection Server in the pod is installed, the Message Security Mode is set to Enhanced mode. In Enhanced mode, the connections are made over SSL and controls the types of JMS messages that are shared. As shown in the figure below, the option to change the mode is greyed out.
NOTE: VMware recommends leaving the Message Security Mode as Enhanced as this offers the highest level of security between the communication of the Horizon components.
If you do require to change the Message Security Mode, follow the steps below:
1. Open a console to any of the Connection Servers within the pod.
2. Open ADSI Edit and enter the following details:
Connection Point:= DC=vdi,DC=vmware,DC=int.
Computer: localhost:389.
3. Browse to: OU=Properties, OU=Global, CN=Common.
Double-click on pae-MsgSecMode, as shown below.
Change the setting to ON and apply the change.
4. Open Services and restart the VMware Horizon View Message Bus Component service as
shown below.
5. After the service has restarted, the option to change the Message Security Mode in the Horizon
Console is available.
The options are:
Disabled
The Message Security Mode is disabled.
Mixed
The Message Security Mode is Enabled, however it is not enforced.
Enabled
When you select this option, Horizon uses a combination of message signing and encryption. JMS messages are rejected if there is a signature mismatch, it is invalid, or if the message was modified after it was signed.
In addition, you can enable IPSec to encrypt all the JMS messages between Connection Server instances.
When you install the first Connection Server, you are prompted to enter a Data Recovery Password. This password is used to encrypt the Horizon LDAP configuration when it is backed up and is required in the event of a restore. This option allows you to change the Data Recovery Password after the Horizon installation.
Client Restriction Settings
The final tab in the Global Settings is Client Restriction Setting.
The Client Restriction Settings allows you to control which Horizon Clients can connect to your environment. For example, suppose Microsoft Teams is used within your Horizon environment. In that case, you may want to enforce that only Horizon Client version 2006 and later are allowed as these clients contain optimisation for Microsoft Teams.
For the following platforms, you can select to Block Connections from Client Version(s) or Warn Users Connecting from Specific Client Version(s):
Windows
Linux
iOS
Android
If you select Block Connections from Client Version(s), you can choose from Earlier Than or Specific as the client version.
The following platforms only allow you to Block Connections from Client Version(s) Earlier Than:
UWP
Chrome
HTML Access
Use the Block Additional Clients option to block platforms other than the ones mentioned above. You can specify a custom message to display or use the default message when you enable this option.
Registered Machines
The Registered Machines displays RDS hosts that are managed by VMware vCenter Server and machines that are not but have the Horizon Agent installed. These machines are populated here when the relevant desktop pool(s) or Farms have been created.
RDS Hosts
Various information is displayed under the RDS Hosts tab regarding the RDS host(s), as described in table 4 below.
Table 4: RDS Hosts
Edit
When you select an RDS host from the list, the Edit tab becomes available. There is only a single setting that can be edited, the Number of Connections.
The options are No More Than and Unlimited. Review your assessment data to determine the number of connections per RDS host. The default setting is No More Than 150.
Remove
The Remove tab allows you to delete an RDS host from the Horizon Console. As the figure above shows, the Remove tab is unavailable if the RDS host is a member of a Farm. First, delete the RDS host from the Farm and then use this option to remove it from Horizon.
More
The More tab allows disabling an RDS host, so it no longer serves any connections in the Farm.
Others
The Others tab displays machines that are not managed by VMware vCenter Server but have the Horizon Agent installed and a part of the Horizon inventory. For example, if you have created a desktop pool managing your physical desktop PC through VMware Horizon for remote access, these machines will appear under this tab.
The only option available for this tab is Remove. Before removing the machine from the Horizon Console, it must be deleted from the desktop pool first.
Administrators
The Administrators tab allows you to create, modify and delete roles, permissions and privileges for accessing the Horizon Console.
Administrators and Groups
The first tab is Administrators and Groups. When you install your first Horizon Connection Server in the pod, you are prompted to enter a username or group name that will have administrative permissions to the Horizon Console, and this account is displayed here.
Click on the Add User or Group tab to add other accounts to have permissions to interact with the Horizon Console.
Once you have searched for the user or group, you wish to add, ensure you select it and proceed.
Next, you are prompted to select the Permissions to give to this account, select the relevant permission to continue.
A Permission in Horizon Console is essentially a role you assign with certain privileges, as discussed further below in this section.
The final step of adding the account is to select the Access Group. By default, only the Root(/) Access Group exists.
You can remove any user or group from the Horizon Console administration by selecting the name and clicking on the Remove User or Group tab.
If required, you can add or remove permissions of an existing account.
Role Privileges
Horizon includes predefined Roles that cannot be removed or edited. If you require a custom role, click on the Add Role tab.
Provide a name for the new role and select the customer privilege(s) required.
Role Permissions
The Role Permissions tab allows you to assign administrator user(s) or group(s) to a role.
You cannot remove any of the predefined roles in the Horizon Console; however, you can add or remove permissions from them.
Access Group
An Access Group is an administrative construct that you assign to desktop pools and farms when you create them. Only the members of the Access Group have permission to the resources to which they are assigned. By default, any Root(/) Access Group member has full permission to all resources.
Cloud Pod Architecture
The Horizon Cloud Pod Architecture (CPA) feature allows you to provide high availability across multiple Horizon pods.
The configuration of CPA is covered in detail in another blog post that can be accessed HERE.
Event Configuration
The Event Configuration section is where you configure reporting and logging for all events that occur with Horizon.
Event Database
The Event Database stores all information regarding Horizon administration, pool creation, pool modification, virtual desktop access, and so much more.
Click Edit under Event Database.
VMware Horizon does not have an internal database server; therefore, you will need to create a database instance on an external source. Microsoft SQL Server, Oracle, or PostgreSQL* database types are supported. Refer to the database interoperability matrix to find the versions supported.
*PostgreSQL support became available from Horizon 2103 onwards.
Database Name - enter the FQDN of your database server.
Database Type - select the type of database platform you use.
Port - enter the port number for the communication to the database.
Database Name - enter the name of the database instance.
User Name and Password - enter the credentials for the account that has permissions to the database instance.
Table Prefix - the table prefix identifies which Horizon installation the tables belong to. This is useful if you have multiple Horizon instances.
Event Settings
The Events Settings options allow you to configure how much historical data is shown in the Horizon Console, under Monitor > Events.
The Show events in View Administrator for: option specifies how far back to display events in the Horizon Console. The options are:
1 Week
2 Weeks
3 Weeks
1 Month
2 Months
3 Months (default)
6 Months
You can also specify what Horizon classes new events by selecting Classify events as new for: The options are:
1 Day
2 Days (default)
3 Days
Syslog
You can integrate your Horizon environment with a Syslog server for centralised logging.
Enter the IP address of your Syslog collector and the port number. All events that are recorded in the Horizon Console are also logged on the Syslog server.
Events to File System
The third option available for event logging is to save the events to a file in a Syslog format.
If you select Always, then the log files are written locally.
The Log to File on Error is the default setting. Local log files are only generated if Horizon could not write the information to the Events database or the Syslog server (if they were configured).
Selecting Never ensures that no log files are created.
The default location for the log files is %ProgramData%\VMware\VDM\events\.
If you require the log file to be saved to a network share, click on the Add tab under Copy to Location.
Enter the UNC Path to the file share where you wish to store the log files.
Enter the credentials to authenticate to the file share.
Global Policies
The Horizon Policies control the following settings:
Multimedia Redirection (MMR)
USB Access
PCoIP Hardware Acceleration
Under Global Policies, the above settings can be configured to apply to the whole pod as a default configuration. However, at a pool level or user level, these settings can be overridden if required.
Multimedia Redirection (MMR) is set to Deny by default. MMR should not be confused with Microsoft Teams optimisation or Skype for Business optimisation, as these are configured at the Horizon Client and Horizon Agent level. MMR is a Windows Media Foundation filter that forwards multimedia data from specific codecs on the virtual desktops to the client system.
USB Access determines whether or not you allow USB Devices to be redirected into your virtual desktop session. If this is set to Deny, it does not impact USB printer redirection or USB scanner redirection. The default setting is Allow.
The PCoIP Hardware Acceleration setting is only applicable to clients that are using the Teradici PCoIP chipset. This setting allows for smooth and stable video playback by offloading the display to the hardware accelerator.
This concludes this bite-sized segment on the Horizon Console that focused on the Server section as well as completing the whole Zero to Hero Part 2 (Intermediate) level.
In the next blog, I will be starting the Advanced level, which focuses on:
Planning for Horizon
Understanding the business and technical requirements for VDI projects
How to define and map use-cases for VDI
Deep dive look into the VMware Horizon architecture based on the business outcomes and goals