Surj Randhawa

VMware Horizon - Zero to Hero Series - Part 2 (Intermediate) - Segment 4

This is the final segment covering the Horizon Console and focuses on the Settings section.

This blog is part of a group of bite-sized segments, as follows:

NOTE: The following is based on Horizon version 2006; newer versions of Horizon may have subtle differences in the options available.

Settings
Typically, the Settings section of the Horizon Console is where you initially configure your Horizon environment once it has been deployed. This post covers every part of this section; as the write-up is lengthy, use the links below to navigate through the different settings and options available.

Servers

vCenter Servers

Gateways

Connection Servers

Instant Clone Domain Accounts

Product Licensing and Usage

Licensing

Usage

Customer Experience Program

Global Settings

General Settings

Security Settings

Client Restriction Settings

Registered machines

RDS Hosts

Others

Administrators

Administrators and Groups

Role Privileges

Role Permissions

Access Groups

Cloud Pod Architecture

Event Configuration

Event Database

Event Settings

Syslog

Events to File System

Global Policies

Servers
Within the Servers tab, you can add, modify or remove the vCenter Server(s) used to provision virtual desktops. You can also add your gateway servers so that their health status is reported, and configure Horizon Connection Server settings, as shown below.
vCenter Servers

Based on the 'pod and block' design, you can add multiple vCenter Servers to your Horizon environment. Each vCenter Server can serve a specific use-case or support the whole virtual desktop infrastructure.

Adding a vCenter Server has been covered in an earlier post of mine, which can be accessed by clicking HERE.

When you select an existing vCenter Server, various tabs become available to manage the vCenter Server, as shown below.

Table 1 below describes the information shown for existing vCenter Servers added to the Horizon Console.

Table 1: vCenter Server Details


Edit vCenter Server

You can change various settings when you click on the Edit tab, as shown in Table 2 below.


Table 2: Edit vCenter Server

Remove vCenter Server

You can also remove a vCenter Server from the Horizon Console. Before removing it, any virtual desktops and pools that use that vCenter Server must first be deleted, as prompted when you click on the Remove tab.
Disable Provisioning vCenter Server

When you click on the Disable Provisioning tab, the vCenter Server no longer provisions new virtual desktops or applications. No existing sessions are affected by this.

Enable Provisioning vCenter Server

If a vCenter Server's provisioning is disabled, by clicking on the Enable Provisioning tab, the vCenter Server begins to provision new virtual desktops or applications.

Gateways
The Gateways tab displays the information of the gateways used to access the Horizon environment. Typically, if you use VMware Unified Access Gateway appliances for secure access from untrusted networks, these appliances will be added to this section.

As shown in the figure above, only two options are available: Register and Unregister.

When you click on the Register tab, you are prompted to enter the name of the gateway. This name has to match exactly the name configured on the gateway; otherwise the gateway's status will remain unknown.

Table 3 below describes the information displayed once a gateway has been added.

Table 3: Gateways

To remove the gateway from the Horizon Console, select the gateway from the list and click on the Unregister tab.

Connection Servers
The Connection Servers tab displays all the Connection Servers within the pod. Information such as version number and status is also shown.

When you select an existing Connection Server, additional tabs become active.

Disable Connection Server

By default, a Connection Server is enabled and brokers connections to virtual desktops and applications within the pod. The Disable tab takes a Connection Server out of service for maintenance or upgrades: while disabled, it no longer accepts new client connections or brokers new sessions, so remove it from any load balancer pool before you disable it.

Edit Connection Server

The Edit tab allows you to make changes to the settings for that Connection Server.

There are three (3) options that can be configured: General, Authentication and Backup.

General

Tags

The Tags field assigns one or more tags to the Connection Server. Tags restrict which pools a given Connection Server can broker: a desktop or application pool that carries tags is only reachable through a Connection Server with a matching tag, while a pool with no tags is reachable through any Connection Server in the pod. This is the mechanism for keeping sensitive, internal-only pools off the Connection Servers that sit behind an external gateway.

HTTP(s) Secure Tunnel

When the Use Secure Tunnel connection to machine option is unchecked, once the Connection Server has brokered a connection, the communication between the Horizon Client and the virtual desktop or application is direct.

When the option is checked, the Horizon Client makes a second HTTPS connection through the Connection Server, which carries data between the Horizon Client and the virtual resource; this is called tunnelling. The session then depends on the Connection Server: any interruption to the Connection Server drops the session between the client and the virtual resource.

When enabled, clients establish the tunnel using the External URL. By default, this is the FQDN of the Connection Server on port 443; you can change it if required. The URL must resolve in DNS and be reachable from every client network, and it must point at this specific Connection Server rather than a load balancer, because the tunnel session is tied to the server that brokered it.

PCoIP Secure Gateway

By enabling Use PCoIP Secure Gateway for PCoIP connections to machine, PCoIP traffic between the client and the virtual resource is relayed through the Connection Server rather than flowing directly.

The PCoIP External URL defaults to the IP address of the Connection Server on port 4172. It must be an IP address that clients can reach, not a DNS name.

Blast Secure Gateway

There are several options available to configure the Blast Secure Gateway:

  • Use Blast Secure Gateway for all Blast connections to machine. All connections that use the VMware Blast Extreme protocol go via the Connection Server.

  • You can limit the use of the Blast gateway only to HTML Access clients by enabling Use Blast Secure Gateway for only HTML Access connections to machine.

  • You can disable the use of the Blast gateway altogether by selecting Do not use Blast Secure Gateway.

By default, the Blast External URL is the FQDN of the Connection Server on port 8443.

NOTE: If you use VMware Unified Access Gateway or any other gateway for external clients, disable the secure tunnel, PCoIP Secure Gateway and Blast Secure Gateway on the Connection Servers; the gateway provides those functions, and enabling them in both places relays external display traffic twice.

Authentication

The next tab is Authentication.

SAML Authentication

The Delegation of authentication to VMware Horizon (SAML 2.0 Authenticator) option allows you to integrate your Connection Server with a SAML authenticator. In the figure below, my SAML authenticator is integrated with VMware Workspace ONE Access to publish virtual desktops and applications from Horizon to Workspace ONE Access.

There are three (3) options that can be set:

  • Disabled - There is no SAML authentication configured, and Horizon resources can only be launched using the Horizon Client or HTML Access.

  • Allowed - You have the option to launch Horizon resources from the Horizon Client and through VMware Workspace ONE Access or a third-party access point, such as another gateway or a load balancer.

  • Required - With this option selected, virtual desktops and applications cannot be launched directly from the Horizon Client. Instead, they can only be launched from VMware Workspace ONE Access or a third-party access gateway.

When the Allowed or the Required options are selected, the Manage SAML Authenticators tab becomes available, as shown in the figure below.

When you click on the Manage SAML Authenticators tab, you can Add, Edit or Remove your SAML authenticators.

When adding a new SAML Authenticator, you first select the type:

Dynamic - choose this when integrating Horizon with VMware Workspace ONE Access.

Static - select this when configuring VMware Unified Access Gateway or a third-party gateway.

The Label provides a unique name that identifies the SAML authenticator.

Optionally, add a description of the use of this SAML authenticator.

If you selected the type as dynamic, the Metadata URL and Administrator URL fields become available, as shown in the figure below.

The Metadata URL retrieves all the required information to exchange SAML information between Horizon and the provider. You need to replace the text which states YOUR SAML AUTHENTICATOR NAME with the FQDN or IP address of your VMware Workspace ONE Access environment.

Optionally, you can enter the Administrator URL, which points to the VMware Workspace ONE Access Connector web interface.

The Enabled for Connection Server checkbox allows you to disable the SAML authenticator.

If you selected the type as static, then the SAML Metadata field becomes available, as shown in the figure below.

In the SAML Metadata field, you copy the metadata generated on your VMware Unified Access Gateway or third-party gateway and paste it in this field.
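Before pasting metadata into a static authenticator, it is worth checking that it actually contains what a SAML 2.0 relying party such as the Connection Server needs: an entity ID, a SingleSignOnService endpoint and a signing certificate, and that its validUntil has not passed (stale metadata after a gateway certificate rotation is a common cause of a SAML authenticator suddenly failing). The following Python script is an added example of such a check; it is my code, not Horizon's or VMware's validation logic, and the sample metadata, hostnames and certificate body are constructed placeholders.

```python
"""Pre-paste sanity check of SAML 2.0 identity-provider metadata (added example)."""
import xml.etree.ElementTree as ET  # use defusedxml for metadata from an untrusted source
from datetime import datetime, timezone

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
SAML2_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol"


def _parse_time(iso):
    """SAML metadata uses xsd:dateTime in UTC, e.g. 2021-06-30T00:00:00Z."""
    return datetime.fromisoformat(iso.replace("Z", "+00:00"))


def inspect_idp_metadata(xml_text, now=None):
    """Extract what a SAML relying party needs from IdP metadata and list any problems.

    Returns a dict with entity_id, expires, signing_certs, sso (binding -> URL) and problems.
    'now' is an ISO timestamp used for the validUntil check (defaults to the current time).
    Raises ValueError if the document is not IdP metadata at all."""
    now_dt = _parse_time(now) if now else datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        raise ValueError("root element is not md:EntityDescriptor")
    idp = root.find(f"{{{MD}}}IDPSSODescriptor")
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not identity-provider metadata")

    problems = []
    entity_id = root.get("entityID")
    if not entity_id:
        problems.append("missing entityID")

    expires = None
    if root.get("validUntil"):
        expires = _parse_time(root.get("validUntil"))
        if expires <= now_dt:
            problems.append(f"metadata expired at {root.get('validUntil')}")

    if SAML2_PROTOCOL not in (idp.get("protocolSupportEnumeration") or "").split():
        problems.append("IdP does not advertise SAML 2.0 protocol support")

    # A KeyDescriptor with no 'use' attribute covers both signing and encryption.
    signing_certs = []
    for kd in idp.findall(f"{{{MD}}}KeyDescriptor"):
        if kd.get("use") in (None, "signing"):
            for cert in kd.iter(f"{{{DS}}}X509Certificate"):
                signing_certs.append("".join((cert.text or "").split()))
    if not signing_certs:
        problems.append("no signing certificate: assertions could not be verified")

    sso = {}
    for svc in idp.findall(f"{{{MD}}}SingleSignOnService"):
        binding = svc.get("Binding", "").rsplit(":", 1)[-1]
        location = svc.get("Location", "")
        sso[binding] = location
        if not location.startswith("https://"):
            problems.append(f"SSO endpoint is not https: {location}")
    if not sso:
        problems.append("no SingleSignOnService endpoint")

    return {"entity_id": entity_id, "expires": expires,
            "signing_certs": signing_certs, "sso": sso, "problems": problems}


# Constructed sample metadata: the hostname and certificate body are placeholders.
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://uag.example.com/portal" validUntil="2021-06-30T00:00:00Z">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>
          MIIBPLACEHOLDERCERT
        </ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://uag.example.com/portal/samlsso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

if __name__ == "__main__":
    for problem in inspect_idp_metadata(SAMPLE_METADATA)["problems"]:
        print("PROBLEM:", problem)
```

Run against the sample today, the only finding is the expired validUntil; paste-ready metadata should produce an empty problems list.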

The Edit tab allows you to modify any of the settings mentioned above, and the Remove tab enables you to delete the SAML authenticator from the Horizon Console.

If Delegation of authentication to VMware Horizon (SAML 2.0 Authenticator) is set to Required, the Enable Workspace ONE mode option becomes available, as shown below.

When this option is enabled, Horizon Client connections to the Connection Server are redirected to the VMware Workspace ONE web portal (as specified in the Workspace ONE Server Hostname field) to access the virtual desktops and applications.

Another option that becomes available with Enable Workspace ONE mode is Block connections from clients that don't support Workspace ONE mode; clients that cannot follow the redirect are refused.

The next part of the configuration focuses on the authentication itself.

NOTE: If the Delegation of authentication to VMware Horizon (SAML 2.0 Authenticator) is set to Required, the following options are greyed out and are not applicable.

Smart card authentication for users

There are three (3) options that can be selected using the drop-down list:

  • Not allowed - only traditional Windows username and password authentication are allowed.

  • Optional - provide the users with the option to use a smart card or Windows username and password for authentication.

  • Required - only smart card authentication is allowed.

NOTE: Before enabling smart card authentication, follow the prerequisites required as documented in the VMware Horizon Administration guide available at VMware Horizon Documentation.

When Disconnect user sessions on smart card removal is enabled, the user's session is disconnected as soon as the smart card is removed from the reader; when the user reinserts the smart card and authenticates again, they reconnect to the same session. This option is not available when Smart card authentication for users is set to Not allowed.

You can also enable Allow smart card user name hints, for environments where a single smart card certificate is used to authenticate multiple user accounts; the user supplies a hint for which account to log in as. This option is not available when Smart card authentication for users is set to Not allowed.

Unauthenticated Access

This option is used to configure users to access their Horizon Apps without requiring their Active Directory credentials. The setup and requirements have been detailed in a previous blog post as part of this intermediate grouping and can be accessed HERE.

NOTE: If the Smart card authentication for users is set to Required, this option is not available to configure.

Current User Authentication

If you use the Log in as current user option in the Horizon Client for Windows, the user's credentials and other authentication information are passed to the Connection Server and on to the virtual desktop for single sign-on. Enable Accept logon as current user to allow the Connection Server to accept this information and store it whilst the session is active.

Advanced Authentication

If you use RSA SecurID or RADIUS to provide two-factor authentication to access your virtual resources, you can configure these in this section.

NOTE: Two-factor authentication configured here applies to every user who connects to the Connection Server, internal or external. If only external users should be prompted for 2FA, either dedicate Connection Servers to external users or configure 2FA on your gateway rather than on the Connection Servers.

There are three (3) options that can be selected using the drop-down list:

  • Disabled - do not use any 2FA.

  • RSA SecurID - integrate the Connection Server with RSA SecurID.

  • RADIUS - integrate the Connection Server with your RADIUS environment.

RSA SecurID

To integrate the Connection Server with your RSA SecurID, upload the sdconf.rec file.

When the Enforce SecurID and Windows user name matching option is enabled, the user name must exactly match what is in Active Directory. If there is a mismatch, the user is unable to log in.

When troubleshooting RSA SecurID authentication, you may need to select Clear node secret. The node secret is the per-agent key that RSA Authentication Manager establishes with the Connection Server on first successful contact; if the agent host record is reset on the RSA side, the Connection Server's copy is stale and must be cleared so that a new one can be established.

RADIUS

When the Enforce 2-factor and Windows user name matching option is enabled, the user name must exactly match what is in Active Directory. If there is a mismatch, the user is unable to log in.

If Use the same user name and password for RADIUS and Windows authentication is enabled, the user name and passcode entered at the RADIUS prompt are reused for the Windows logon, so the user is not prompted a second time. This only makes sense where the RADIUS server validates the Active Directory password itself; with one-time passcodes, leave it disabled.

If you don't already have an authenticator configured to your RADIUS server, select Create New Authenticator from the drop-down list.

Provide an Authenticator Name to distinguish this configuration from others that you may have.

Optionally, enter a Description.

You can enter custom Username and Passcode labels that the users see when accessing the Connection Server. This is also optional to set.

Provide the Hostname/Address of your primary RADIUS server.

If required, change the Authentication Port from the default of 1812.

If your RADIUS server collects accounting information, set the Accounting Port (conventionally 1813); 0 disables accounting.

Select the Authentication Type to what you are using; the options are PAP, MSCHAP1 and MSCHAP2.

Enter the Shared Secret, Server Timeout, and Max Attempts that are configured on your RADIUS server.

Optionally, enter a Realm Prefix and Realm Suffix; these are prepended and appended to the user name automatically before it is sent to the RADIUS server.

Optionally, you can configure a secondary server, select Use a secondary server if primary is unavailable and complete the fields.
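To make concrete what the Shared Secret, Authentication Type and matching settings above actually do on the wire, here is an added example of a complete RADIUS PAP exchange as described in RFC 2865, with the Connection Server in the role of the RADIUS client and a constructed stand-in for the RADIUS server. This is my code, not Horizon's implementation; the user names, passcodes, NAS identifier and shared secrets are made up.

```python
"""Minimal RADIUS PAP exchange (RFC 2865) showing what the shared secret protects (added example)."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, NAS_IDENTIFIER = 1, 2, 18, 32


def _attr(atype, value):
    """Encode one Type-Length-Value attribute (length counts the 2-byte header)."""
    return bytes([atype, 2 + len(value)]) + value


def _parse_attrs(data):
    attrs, i = {}, 0
    while i < len(data):
        atype, alen = data[i], data[i + 1]
        attrs[atype] = data[i + 2:i + alen]
        i += alen
    return attrs


def hide_password(password, secret, request_auth):
    """RFC 2865 section 5.2: pad to 16 bytes, XOR each block with MD5(secret + previous block)."""
    clear = password.encode()
    clear += b"\x00" * (-len(clear) % 16)
    hidden, prev = b"", request_auth
    for i in range(0, len(clear), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(clear[i:i + 16], key))
        hidden += block
        prev = block
    return hidden


def reveal_password(hidden, secret, request_auth):
    """Server side of the same transform; the wrong secret yields garbage, not an error."""
    clear, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        clear += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return clear.rstrip(b"\x00").decode("utf-8", errors="replace")


def build_access_request(username, passcode, secret, identifier, nas_id=b"horizon-cs01"):
    request_auth = os.urandom(16)  # fresh per request; it seeds the password hiding
    attrs = (_attr(USER_NAME, username.encode())
             + _attr(USER_PASSWORD, hide_password(passcode, secret, request_auth))
             + _attr(NAS_IDENTIFIER, nas_id))  # hypothetical NAS identifier
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + request_auth + attrs


def radius_server(packet, secret, user_db):
    """Constructed stand-in for the RADIUS server, not a real implementation."""
    _, identifier, length = struct.unpack("!BBH", packet[:4])
    request_auth = packet[4:20]
    attrs = _parse_attrs(packet[20:length])
    username = attrs[USER_NAME].decode("utf-8", errors="replace")
    passcode = reveal_password(attrs[USER_PASSWORD], secret, request_auth)
    if user_db.get(username) == passcode:
        code, msg = ACCESS_ACCEPT, b"OK"
    else:
        code, msg = ACCESS_REJECT, b"Invalid credentials"
    reply_attrs = _attr(REPLY_MESSAGE, msg)
    header = struct.pack("!BBH", code, identifier, 20 + len(reply_attrs))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    response_auth = hashlib.md5(header + request_auth + reply_attrs + secret).digest()
    return header + response_auth + reply_attrs


def verify_response(response, request, secret):
    """Client-side check. Returns the response code, or None if the packet is not authentic."""
    code, identifier, length = struct.unpack("!BBH", response[:4])
    if identifier != request[1] or length != len(response):
        return None
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:length] + secret).digest()
    if not hmac.compare_digest(expected, response[4:20]):
        return None
    return code


def authenticate(username, passcode, client_secret, server_secret, user_db, identifier=7):
    """Run one exchange and classify the outcome as the RADIUS client would."""
    request = build_access_request(username, passcode, client_secret, identifier)
    response = radius_server(request, server_secret, user_db)
    code = verify_response(response, request, client_secret)
    if code == ACCESS_ACCEPT:
        return "accept"
    if code == ACCESS_REJECT:
        return "reject"
    return "unverifiable"  # secret mismatch, or a tampered/forged response


# Constructed sample data; the secret and the PIN+tokencode passcode are illustrative only.
SHARED_SECRET = b"correct-horse-battery"
USERS = {"alice": "1234" + "567890"}

if __name__ == "__main__":
    print(authenticate("alice", USERS["alice"], SHARED_SECRET, SHARED_SECRET, USERS))   # accept
    print(authenticate("alice", "wrong", SHARED_SECRET, SHARED_SECRET, USERS))          # reject
    print(authenticate("alice", USERS["alice"], b"typo-secret", SHARED_SECRET, USERS))  # unverifiable
```

Two things the exchange makes visible. First, a shared-secret mismatch does not produce a helpful error: the server decrypts a garbage passcode and rejects, and the client cannot even verify that the reject is genuine, which is why a mistyped secret looks identical to a dead or hostile RADIUS server. Second, with PAP the passcode is only hidden by an MD5-keyed XOR under that same secret, so a weak or widely shared secret exposes every passcode crossing the network; MSCHAP2 sends a challenge-response instead of the passcode, and either way the path between the Connection Server and the RADIUS server should be a trusted segment.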


The final part of the authentication tab is the Horizon Administrator Authentication.

This option allows you to authenticate to the Horizon Console using smart card authentication.

There are three (3) options that can be selected using the drop-down list:

  • Not allowed - smart card authentication is disabled.

  • Optional - provide the Horizon administrators with the option to use a smart card or Windows username and password for authentication.

  • Required - only smart card authentication is allowed.

Backup

You can schedule the backup of the Horizon LDAP repository that resides on the Connection Server. By default, this is set to daily at midnight.

The Automatic Backup Frequency allows you to set how often you wish to backup the Connection Server. The options are:

  • Every hour - starts on the hour.

  • Every 6 hours - begins at midnight and then every six (6) hours.

  • Every 12 hours - takes a backup at midnight and then one at midday.

  • Every day - starts at midnight.

  • Every 2 days - begins at midnight on Saturday, Monday, Wednesday and Friday.

  • Every week - takes a backup at midnight, every Saturday.

  • Every 2 weeks - backup starts at midnight, every other Saturday.

  • Never - no backups are scheduled.

The Backup Time Offset (Minutes) allows you to set the backup with an offset from midnight. For example, if you enter 30, the backup will occur at 00:30. As a best practice, I always offset each Connection Server in the pod, so there is always a different copy on each Connection Server until the backups are complete.

The Max Number of Backups sets how many backup files to keep; the default is 10. Once that number is reached, the oldest backup file is deleted each time a new one is written.

The Folder Location is where the backup files are kept. It is recommended that this folder be incorporated into your broader server backup strategy.

When you install the first Horizon Connection Server, you are prompted to enter a Data Recovery Password. This password is used to encrypt the backup files and is required in the event you need to restore the Horizon configuration file. You can change the password by clicking on the Change data recovery password tab.


Instant Clone Domain Accounts
Before creating instant clone desktop pools, a user account needs to be created in Active Directory. Horizon uses it to manage the computer accounts of the instant clones, including domain join. Treat it as a service account with least privilege: grant it only the rights it needs on the OU that holds the instant clone computer objects (creating and deleting computer objects and reading and writing their properties), give it a long password, and do not make it a member of Domain Admins.
Click on the Add tab to add an account.
The Full domain name is automatically populated based on the domain that the Connection Servers belong to. If you have multiple domains in a trust relationship, use the drop-down to select your domain. Enter the username and password for the account.

If you already have an account set, the Edit tab allows you to update the account password if it has changed.

The Remove tab deletes the account from the Horizon Console.

Product Licensing and Usage
The Product Licensing and Usage section is the first page you land on after installing your first Horizon Connection Server.

Licensing
Under Licensing, click the Edit License tab to enter a new Horizon license key.

Depending on your license, the features of that license are displayed as shown below.

Usage

The Usage tab displays information regarding Horizon license usage, both current and historical.

If required, use the tabs to reset the counts.

Customer Experience Program

Finally, the Customer Experience Program allows VMware to collect information regarding the usage of Horizon. If you opted out during the installation of the first Horizon Connection Server, then the program setting is disabled, as shown below.

You can change the settings by clicking on the Edit Settings tab.

By enabling Join the VMware Customer Experience Improvement Program, you agree to the terms and conditions of the program. The Geographic Location allows you to select the region you are based in.

The Business Vertical allows you to set the industry you are based in.

Last but not least, select the Number of Employees in the organisation.


Global Settings
The Global Settings section allows you to configure settings that apply to the whole Horizon pod. There are three tabs that can be configured: General Settings, Security Settings and Client Restriction Settings.

General Settings
Click on the Edit tab to configure the general settings.

View Administrator Session Timeout

The View Administrator Session Timeout allows you to specify how long the Horizon Console remains active when it is idle. This setting only applies to the Horizon administrators and not the users and clients. The default timeout is 30 minutes. The minimum timeout you can set is 10 minutes, and the maximum timeout is 4,320 minutes (72 hours).

Forcibly Disconnect Users
The Forcibly Disconnect Users option allows you to specify whether or not to disconnect all desktops and applications after a specified timeout. The options are Never or After. The default setting is After 600 minutes.
In scenarios where the client does not support applications, if the timeout is set to Never or is greater than 1,200 minutes, the maximum timeout is set to 1,200 minutes.

Single Sign-On (SSO)

You can choose to Enable or Disable SSO.

By enabling SSO, the user's credentials entered into the Horizon Client are cached by the Connection Server and passed through to the virtual desktop or application, so the user is not prompted to enter them again. This setting is Enabled by default.

This setting has to be Enabled If you use the True SSO feature, introduced in VMware Horizon or later (True SSO will be covered in the expert competency).

Disconnect Applications and Discard SSO Credentials for Idle Users

This setting only applies to Horizon applications, not virtual desktops. It disconnects the application session when no keyboard or mouse activity is detected for the specified period, and it discards the SSO credentials, so the user must authenticate again to resume their session.

You can specify Never or After. If you select After, enter the number of minutes, with 999 minutes being the maximum allowed.

Discard SSO Credentials

This setting allows you to discard the cached credentials after a specified time.

You can specify Never or After. If you select After, enter the number of minutes, with 999 minutes being the maximum allowed.

NOTE: This option is not available if you Disable the Single Sign-On (SSO) option.

Enable automatic status updates

If Enabled, this option updates the global status area of the Horizon Console every five (5) minutes. It also updates the Dashboard page under Monitor every five (5) minut