Deploy VMware Horizon View (Part 2)

KB ID 0001609

Back in part one we set up SQL and our Composer server; now we will deploy our VMware Horizon View Connection Server(s).

Install VMware Horizon View Connection Server

On a domain joined Windows server, download and launch the Connection Server installer.

Accept the EULA > Next > Accept or change the install location > Next > Select Horizon ‘Standard’ Server > Next > Set a data recovery password > Next.

Select configure the Windows Firewall > Next > Type in a domain account, (I typically use the domain administrator, you may wish to use another account) > Next > Untick the UEIP > Next > Next > Finish.

Deploying Additional Horizon Connection Servers

Repeat the install on any additional connection servers BUT this time choose Horizon Replica Server, and specify your first connection server as the ‘Source Server’.

Note: I don’t Deploy Horizon Security Servers any more, it’s much easier to deploy a UAG.

VMware Unified Access Gateway: Horizon Deployment

To access the Horizon Administrator console you will need Flash, this is not normally enabled on Windows Server. To enable it follow this article.

You can now login to Horizon Administrator.

Configuring VMware Horizon Connection Server(s)

First you need to enter your Horizon Licence > View Configuration > Product Licensing and Usage > Edit Licence > Paste yours in > OK.

View Configuration > Servers > vCenter Servers > Add > Type in your vCenter details > Next.

If using Horizon Composer, enter the server details > Next.

Add in your domain details > OK > Next.

Accept the defaults > Next.

Finish.

Horizon Connection Server Certificates

Over on the main dashboard at this point you may see some certificate errors. You can import certificates from your own CA, but I’m going to use a wildcard certificate published by a public CA.

I have my wildcard certificate in PFX format, so I can simply double click it and import it like so. (Note: Remember to import it to local machine).

Finish the import wizard.

On the connection server settings you will need to change the URLs to match your certificate. (Note: You will disable this later, if you are also deploying UAG appliances).

Now to swap to the newly imported certificate > Start > mmc.exe > Add/Remove Snap-In > Certificates > Add.

Computer account > Local computer > OK.

Navigate to Certificates > Personal > Certificates > Locate the certificate that has the friendly name vdm and change its friendly name to vdm-backup.

Now locate your publicly signed certificate and change its friendly name to vdm.

Restart the VMware Horizon View Connection Server service to make the swap.

Configure Horizon Event Database

Back in part one we created the database for this, now we just need to enter the details.

View Configuration > Event Configuration > Edit > Enter your SQL Event Database details, as shown below. If you have a named SQL instance it will be on a different port number.

That is your infrastructure setup. Now you simply need to create an image, deploy that image with a pool, and grant a user entitlement to that pool. Creating an image is quite a lengthy process, and there is always a much better and up to date guide on doing that on VMware’s website, so I’m not going to cover it here.

Just remember to make sure you put your image in Audit mode, and always install an agent that is the same version as the connection server, and get the latest version of VMware Tools on there as well!

Related Articles, References, Credits, or External Links

NA

Deploy VMware Horizon View (Part 1)

KB ID 0001608

Note: You don’t need VMware Composer, or SQL, to use Horizon, but if you want to deploy ‘Composed’ pools then you will, (also if you want to maintain an events database), so I’ll cover this first.

Below I’m going to create a database for Horizon Composer, and Horizon Events. Then I’ll install Horizon Composer.

Horizon View SQL Installation

Installing SQL is straightforward enough, just remember to enable ‘Mixed Mode Authentication’ when you install it. You will also need to install SQL Management Studio, which is now a separate download. Start by double checking the authentication > {Server-Name} > Properties > Security > Ensure ‘SQL server and Windows Server Authentication’ > OK.

Horizon Composer Database

Database > New Database > Database name VMwareHorizonComposer > Under options set the recovery option to Full > OK.

Security > Logins > New Login > Login name VMwareHorizon > set a password > untick ‘enforce password history’ > User mapping > Select the new user > and select db_owner > OK.

Horizon Events Database

Database > New Database > Database name VMwareHorizonEvents.

Deploy VMware Horizon Composer

On a domain joined Windows server that you wish to install VMware Composer on, download the Microsoft SQL Server 2012 Native Client Setup. (Yes, it will work with newer versions of SQL).

Accept the EULA and then accept all the defaults, (there’s no need to install the SQL Server Native Client SDK).

Finish.

Open the ODBC (64 Bit) management console > System DSN > Add > SQL Server Native Client > Next.

Give the connection a name > Enter the name of your SQL Server, (and optionally an instance name) > Next.

Select ‘With SQL Authentication..’ > Enter the username and password you created above, (from within SQL Management Studio) > Next.

Change the default database to ‘VMWareHorizonDatabase‘ > Next.

Finish.

Test Data Source > Assuming it completes successfully > OK.

Run the VMware Composer Installer.

Accept the EULA > Next > Accept or change the install location > Next > Select the ODBC connection you configured above > Enter the username/password you created in the SQL Management Studio > Next. 

Accept the default port > Next > Next > Finish > ‘Yes’ to reboot.

Note: The remainder of the Horizon Composer configuration is done in ‘Horizon Administrator‘, which will be installed on your Horizon Connection Servers (see Part 2)


VMware Unified Access Gateway: Horizon Deployment

KB ID 0001605

Problem

With older versions of Horizon View, we simply deployed another Connection server and called it a Security Server. The drawback of that is, it requires another Windows licence. You can now deploy  VMware UAG (Unified Access Gateway), try to think of it as a ‘Netscaler for VMware’, and like other VMware solutions it’s a small appliance built on VMware’s ‘Photon’ Linux.

Below is a typical deployment and shows you the ports you will be required to open on your firewall to make this work;

You can deploy multiple UAGs and have them behind a load balancer, or point individual UAGs to separate Horizon Connection servers. Here I’m simply deploying one internal Horizon Connection Server, and one VMware UAG in my DMZ.

Step 1: Deploy the UAG Appliance

I’ve covered deploying OVA files before, but essentially download the OVA, and within your vSphere client select deploy OVF template. Navigate to, and select the OVA file you have downloaded from VMware > Next.

Select your Datacenter and optionally folder > Next.

Pick where you want to deploy the appliance (Cluster etc.) > Next.

Review your settings > Next.

I’m deploying into a DMZ so there will be no shortcutting the firewall! > Single NIC > Next.

Select the storage you want to deploy the appliance to > Next.

Confusingly, (as we have picked single NIC?) set them all to the correct port group > Next.

Specify the IP address > Scroll down.

Complete the DNS and IP settings > Give the appliance a name > scroll down.

Untick CEIP > Set the admin, (needed for the web front end), and root (needed for console login) passwords.

Select the edition to deploy (based on your licence) > Next.

Review the settings > Finish.

Step 2: UAG Pre Configuration Tasks

To allow users to access Horizon machines externally, you need to ensure you have granted Remote Access Rights in Horizon Administrator. Note: This is in addition to any Entitlements you have already set up for the machine pools.

Take a copy of the Thumbprint from the Horizon Connection Server you will be pointing the UAG at. Keep it handy, you will need it in a minute.
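One way to capture that thumbprint without copying it out of a browser, as an added example that is not part of the original article: run this on the Connection Server to confirm the service is presenting the certificate with the friendly name vdm, then print its SHA-1 and SHA-256 fingerprints. The function names and the localhost:443 default are assumptions.

```powershell
# Added example, not from the original article. Run elevated on the Connection Server.

# Returns the certificate the service actually presents on the given port.
function Get-ServedCertificate {
    param([string] $HostName = 'localhost', [int] $Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept whatever is presented: the goal is to read it, not to trust it.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($HostName)
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    }
    finally { $tcp.Close() }
}

# Hex fingerprint of the DER-encoded certificate, colon separated.
function Get-CertFingerprint {
    param($Certificate, [System.Security.Cryptography.HashAlgorithm] $Hasher)
    ($Hasher.ComputeHash($Certificate.RawData) | ForEach-Object { $_.ToString('X2') }) -join ':'
}

# The certificate Horizon is configured to use is the one with the friendly name 'vdm'.
$stored = @(Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.FriendlyName -eq 'vdm' })
if ($stored.Count -ne 1) {
    throw "Expected exactly one certificate with friendly name 'vdm', found $($stored.Count)."
}

# If the service is still presenting something else, the thumbprint you copy would be stale.
$served = Get-ServedCertificate
if ($served.Thumbprint -ne $stored[0].Thumbprint) {
    throw "Service presents $($served.Thumbprint) but 'vdm' is $($stored[0].Thumbprint). Restart the Connection Server service first."
}

[pscustomobject]@{
    Subject  = $served.Subject
    NotAfter = $served.NotAfter
    SHA1     = Get-CertFingerprint $served ([System.Security.Cryptography.SHA1]::Create())
    SHA256   = Get-CertFingerprint $served ([System.Security.Cryptography.SHA256]::Create())
} | Format-List
```

The fingerprint is a hash of the certificate itself, so it changes every time the Connection Server certificate is replaced and the value entered on the UAG has to be updated to match.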

Optionally

If your UAGs are going into a DMZ there’s a chance that they won’t be able to resolve internal domain names, (you can specify internal IP addresses of course). I prefer to enter the names/FQDNs of my connection servers in the appliance’s hosts file, so they can be resolved. Log into the console as root;

[box]

vi /etc/hosts

[/box]

If you’re unsure how to use vi, (i.e. you don’t wear sandals, or have a ginger pony tail.) Press I (insert), make your changes > Press Esc > Type :wq {Enter}.

Step 3: Configure UAG for Horizon

Connect to the UAG with a web browser (https://{ip-address}:9443) > Login with the admin account > ‘Configure Manually’.

Optional: Add Certificate

If you have a publicly signed certificate, the easiest way to import it is with a PFX file and a password, (use the search box above, I’ve covered creating PFX files many times). You need to go to Advanced Settings > TLS Server Certificate Settings > Select admin and internet interfaces, (as required) > Browse to the PFX file and enter the password you set, (for the pfx file!) > Save.

General Settings > Edge Service Settings > SHOW > Horizon Settings > Enable Horizon > Save.

Enter the URL of the internal connection Server, and the Thumbprint you took note of, (above) > Enable PCOIP.

Set the external PCOIP URL to the external IP of the UAG, (or load balancer if using one) and add :4172 to the end. Enable Blast > Set the public URL of the UAG, (or load balancer if using one) and add :443 to the end. Enable Tunnel, and set the same URL again with :443 on the end. If you want to, open the ‘more options’ section and take a look at the optional settings, though I’m leaving everything else on the default settings > Save.

Have a cup of coffee, refresh the page a few times > Log off and back on again, and hopefully all the options should ‘go green‘. If not, check the firewall ports, and make sure the UAG can resolve the name of the connection server.

Over in Horizon Administrator > Select each internal connection server and remove ‘Secure Tunnel‘, PCOIP Secure Gateway, and select ‘Do not use Blast Secure Gateway‘ > OK.

You can register the UAGs in the Gateway section, but you won’t see anything change until they have been used ‘in anger’.

You can now test externally by trying to connect with a Horizon Client.


VMware Horizon Machines Stuck ‘Customizing’

KB ID 0001595

Problem

In all honesty there’s lots of reasons for this.

I’ll cover the ones that have tripped me up, if you find some new ones feel free to post them below.

Solutions

Before continuing, the image needs to have the Horizon Agent installed within it, and it has to be the SAME version that your Composer and Connection servers are running, (or newer). Also your Horizon servers are connecting to VMware vCenter using an account, (in a lot of cases that will be the domain administrator account, or an account you set up for this reason), make sure that account has global administrator properties in vSphere.

Also in your image install the LATEST version of VMware Tools. Note: that might be NEWER than the one that you have on your ESX servers. Download it and install it manually; to do this uninstall the old VMware Tools, then uninstall the Horizon Agent, then install the NEW VMware Tools, then finally reinstall the Horizon Agent again. (Note: If using Horizon Composer, make sure you install the composer option!)

Horizon Inability to get a licence for your KMS Server.

Check this first;

[box]

slmgr /dli

[/box]

It goes without saying you need a network connection (to the right VLAN) before KMS will work. I’ve run through KMS setup and troubleshooting here.

Horizon Sysprep Problems

For sysprep, obviously you need to be deploying images with sysprep and NOT quick prep. If you are using sysprep, check the error log, (if the error log is empty, then sysprep is not your problem).

Navigate to: C:\Windows\System32\Sysprep\Panther\setuperr.log

Sysprep Problem 1

Problem 0x0f0043 Failed DeleteInstance AntiSpywareProduct

[box]

Error      [0x0f0043] SYSPRP WinMain:The sysprep dialog box returned FALSE
Error                 SYSPRP Error 0x-2147417850: Failed to re-enable Compat-Gentel custom trigger.[gle=0x0000047e]
Error                 SYSPRP setupdigetclassdevs failed with error 0
Error                 SYSPRP MRTGeneralize:107 - ERROR: Failed DeleteInstance AntiSpywareProduct.instanceGuid="{D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}" hr=2147749904
Error                 SYSPRP MRTGeneralize:116 - ERROR: Failed DeleteInstance AntiVirusProduct.instanceGuid="{D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}" hr=2147749904
Error                 SYSPRP Error 0x-2147417850: Failed to re-enable Compat-Gentel custom trigger.[gle=0x0000047e]
Error                 SYSPRP setupdigetclassdevs failed with error 0
Error                 SYSPRP MRTGeneralize:107 - ERROR: Failed DeleteInstance AntiSpywareProduct.instanceGuid="{D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}" hr=2147749904
Error                 SYSPRP MRTGeneralize:116 - ERROR: Failed DeleteInstance AntiVirusProduct.instanceGuid="{D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}" hr=2147749904

[/box]

Seen on Windows Server 2016 and Windows 10: In your source image you need to remove Windows Defender, like so;

[box]

Uninstall-WindowsFeature Windows-Defender-Features

[/box]

Sysprep Problem 2

Problem 0x0f0073

[box]

Error      [0x0f0073] SYSPRP RunExternalDlls:Not running DLLs; either the machine is in an invalid state or we couldn't update the recorded state, dwRet = 0x1f
Error                 SYSPRP WinMain:Hit failure while processing sysprep re-specialize internal providers; hr = 0x8007001f
Error                 SYSPRP Error 0x-2147417850: Failed to re-enable Compat-Gentel custom trigger.[gle=0x0000047e]
Error                 SYSPRP setupdigetclassdevs failed with error 0

[/box]

This is happening because the machine you are using as your image has been sysprepped too many times. You need to make some changes on the reference image to reset/rearm it, so it can be sysprepped.

On your image machine run regedit and navigate to;

HKLM > SYSTEM > Setup > Status > SysprepStatus

Ensure the following;

  • CleanupState is set to 2
  • GeneralizationState is set to 7

Open an administrative command window and execute the following commands;

[box]

msdtc -uninstall
msdtc -install

[/box]

Back in registry editor navigate to

HKLM > SOFTWARE > Microsoft > Windows NT > CurrentVersion > SoftwareProtectionPlatform

Set SkipRearm to 1

Try again.
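A read-only triage script for the two Sysprep problems above, added here as an example and not taken from the original article: it matches setuperr.log against the two error signatures shown and reports the current registry values next to the ones listed. The function names are hypothetical, and the sample lines used when no log is found are copied from the excerpts above.

```powershell
# Added example, not from the original article. Run elevated on the image machine.
# It only reads the log and the registry; the fixes themselves stay manual.
$logPath = 'C:\Windows\System32\Sysprep\Panther\setuperr.log'

# Signatures taken from the two log excerpts in this article.
$signatures = @(
    @{ Name = 'Sysprep Problem 1'
       Pattern = 'Failed DeleteInstance Anti(Spyware|Virus)Product'
       Fix = 'Remove Windows Defender from the source image' },
    @{ Name = 'Sysprep Problem 2'
       Pattern = '\[0x0f0073\]|re-specialize internal providers'
       Fix = 'Check the Sysprep state values, reinstall MSDTC, set SkipRearm' }
)

function Get-SysprepDiagnosis {
    param([string[]] $Lines)
    foreach ($sig in $signatures) {
        $hits = @($Lines | Where-Object { $_ -match $sig.Pattern })
        if ($hits.Count -gt 0) {
            [pscustomobject]@{ Problem = $sig.Name; Hits = $hits.Count; Fix = $sig.Fix }
        }
    }
}

function Get-SysprepRegistryState {
    $status = 'HKLM:\SYSTEM\Setup\Status\SysprepStatus'
    $spp    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform'
    $wanted = @(
        @{ Path = $status; Name = 'CleanupState';        Want = 2 },
        @{ Path = $status; Name = 'GeneralizationState'; Want = 7 },
        @{ Path = $spp;    Name = 'SkipRearm';           Want = 1 }
    )
    foreach ($w in $wanted) {
        $item = Get-ItemProperty -Path $w.Path -Name $w.Name -ErrorAction SilentlyContinue
        $current = if ($item) { $item.($w.Name) } else { $null }
        [pscustomobject]@{ Value = $w.Name; Current = $current; Wanted = $w.Want; Ok = ($current -eq $w.Want) }
    }
}

if (Test-Path -Path $logPath) {
    $lines = @(Get-Content -Path $logPath)
} else {
    # Sample input copied from the excerpts above, used only when no log exists.
    $lines = @(
        'Error      [0x0f0043] SYSPRP WinMain:The sysprep dialog box returned FALSE',
        'Error                 SYSPRP MRTGeneralize:107 - ERROR: Failed DeleteInstance AntiSpywareProduct.instanceGuid="{D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}" hr=2147749904',
        'Error      [0x0f0073] SYSPRP RunExternalDlls:Not running DLLs; either the machine is in an invalid state or we couldn''t update the recorded state, dwRet = 0x1f'
    )
}

$diagnosis = @(Get-SysprepDiagnosis -Lines $lines)
if ($diagnosis.Count -eq 0) {
    'No known signature in setuperr.log; if the log is empty, sysprep is not your problem.'
} else {
    $diagnosis | Format-Table -AutoSize
}
Get-SysprepRegistryState | Format-Table -AutoSize
```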


Horizon Client ‘Install Failed’

KB ID 0001594

Problem

When attempting to install the VMware Horizon client you see ‘Install Failed’;

Well that’s very descriptive and helpful?

Horizon Client ‘Install Failed’

Firstly make sure you are NOT trying to install the client software on a Horizon Connection Server, or a Horizon Security Server! If you are not, then the easiest way to get it to install is to ‘extract’ the .msi installation files, and manually run them.

In PowerShell navigate to the folder that you downloaded the client .exe file to, and extract its contents with the following command;

[box].\VMware-Horizon-Client-{version-and-build-number}.exe /x[/box]

It looks like nothing has happened, but the files get put in the ‘Temp‘ folder in YOUR user profile. Navigate to C:\Users\{Your-Username}\AppData\Local\Temp

In this location you will find a folder containing the individual install files you require.

From here you can launch the one you want, in my case (VMware Horizon View Client (x64).msi).

Still Not working ‘Install Failed’?

  1. Install the latest C++ VisualRuntime Library
  2. Ensure you have disabled your AV Software, especially if you’re running WebRoot, or Symantec Endpoint Protection, (or at least ensure your AV is not stopping access to c:\windows\system32\drivers\etc\hosts)
  3. Grant ‘Full control’ to the c:\windows\system32\drivers\etc\hosts file


VMware Horizon: ‘VM With Unsupported Guest OS’

KB ID 0001592

Problem

Seen when attempting to deploy Windows Server 2016, as an ‘Image‘ (Parent VM,) with VMware Horizon View.

‘VM With Unsupported Guest OS’

I double checked, and Server 2016 (Standard and DataCenter) were supported, as was Server 2019 (Standard and DataCenter.) The image also had a new version of the VMware Horizon View agent installed in it?

Solution

In my case this was an embarrassingly easy fix, previously I’d deployed Windows 7, 8, and 10 with Horizon View, this was the first time I’d ever deployed a server OS as a VDI image, (With Windows Server Datacenter, this works out cheaper, licensing wise).

By Default: VMware Horizon View does not allow server operating systems, (even though they are supported.) You just need to enable the feature! Launch Horizon Administrator, View Configuration > Global Settings > Edit > Tick ‘Enable Windows Server Desktops‘ > OK.

Doh! That cost me two hours, (hope it saved you some time).


VMware Horizon – Replacing Certificates

KB ID 0001547

Problem

I deployed Horizon v7 a while ago for a client, they messaged me to say their wildcard cert was about to expire, could I replace it in the Horizon infrastructure.

On logging in, sure enough;

Connection Server Details
Status: The service has a minor issue
SSL Certificate: About to expire {Date} {Time}

This is why I like VMware, it’s picked up the problem, and pointed me in the right direction, (the connection servers).

Solution

Firstly you will notice I’ve got two connection servers, DO ONE AT A TIME, then if something breaks, you can still get into the manager! If you only have one connection server, I’d suggest taking a snapshot of it first!

Import your new certificate onto the connection server. Make sure you select local computer when you import it.  Then you will notice that your ‘old’ one has a friendly name of ‘vdm‘. Rename vdm to OLD-vdm, then rename the new one to vdm.

Finally, either restart the VMware Horizon View Connection Server service, or reboot the server.
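The friendly-name swap described here (and in the certificate section of Part 2) can be scripted with a few pre-flight checks; this is an added example, not the author's or VMware's code. $NewThumbprint and $ExternalHost are placeholders you supply, and Test-CertCoversHost is a hypothetical helper.

```powershell
# Added example, not from the original article. Save as a script and run it
# elevated on one Connection Server at a time.
param(
    [Parameter(Mandatory)] [string] $NewThumbprint,  # thumbprint of the newly imported certificate
    [Parameter(Mandatory)] [string] $ExternalHost    # host name used in the connection server URLs
)

function Test-CertCoversHost {
    param([string[]] $DnsNames, [string] $HostName)
    foreach ($name in $DnsNames) {
        if ($name -eq $HostName) { return $true }
        # A wildcard covers exactly one left-most label: *.example.com
        # matches view.example.com but not a.view.example.com.
        if ($name.StartsWith('*.') -and $HostName.Contains('.')) {
            $parent = $HostName.Substring($HostName.IndexOf('.') + 1)
            if ($parent -eq $name.Substring(2)) { return $true }
        }
    }
    return $false
}

$store = 'Cert:\LocalMachine\My'
$new   = Get-Item -Path (Join-Path $store ($NewThumbprint -replace '\s', '')) -ErrorAction Stop
$now   = Get-Date

$problems = @()
if (-not $new.HasPrivateKey) { $problems += 'no private key in the Local Computer store' }
if ($new.NotBefore -gt $now) { $problems += "not valid until $($new.NotBefore)" }
if ($new.NotAfter  -lt $now) { $problems += "expired on $($new.NotAfter)" }

# 1.3.6.1.5.5.7.3.1 is Server Authentication. No EKU extension means any purpose.
$ekus = @($new.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
if ($ekus.Count -gt 0 -and $ekus -notcontains '1.3.6.1.5.5.7.3.1') {
    $problems += 'Server Authentication EKU missing'
}

$names = @($new.DnsNameList | ForEach-Object { $_.Unicode })
if (-not (Test-CertCoversHost -DnsNames $names -HostName $ExternalHost)) {
    $problems += "does not cover $ExternalHost (names: $($names -join ', '))"
}
if ($problems.Count -gt 0) { throw "Certificate not swapped: $($problems -join '; ')" }

# Move the friendly name: any other certificate called 'vdm' becomes 'OLD-vdm'.
Get-ChildItem -Path $store |
    Where-Object { $_.FriendlyName -eq 'vdm' -and $_.Thumbprint -ne $new.Thumbprint } |
    ForEach-Object { $_.FriendlyName = 'OLD-vdm' }
$new.FriendlyName = 'vdm'

# The swap relies on the friendly name, so there must be exactly one 'vdm'.
$vdm = @(Get-ChildItem -Path $store | Where-Object { $_.FriendlyName -eq 'vdm' })
if ($vdm.Count -ne 1) { throw "Expected one certificate named 'vdm', found $($vdm.Count)." }

Restart-Service -DisplayName 'VMware Horizon View Connection Server'
'Friendly name vdm now on {0}, valid until {1:u}' -f $vdm[0].Thumbprint, $vdm[0].NotAfter
```

Because the script stops before renaming anything when a check fails, the old certificate keeps the vdm name and the server carries on with it until the problem is fixed.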


VMware: Server Certificate Subject Name Does Not Match

KB ID 0001504

Problem

If you replace the self signed certificate on your Horizon Connection servers, (so that they have a certificate with your ‘public’ address), you will see this error;

Status: Servers’s certificate subject name does not match the server’s External URL.
Server’s certificates is not trusted.

SSL Certificate: Invalid

Solution

At first I thought this was simply a DNS problem, and I needed to set up split DNS. But that’s not the case, you need to change the connection server’s name(s) to the public name(s) in the connection server properties in Horizon Administrator.

After a few minutes the error will disappear.


VMware Composer Install Fails

KB ID 0001498

Problem

While attempting to deploy VMware Composer, (in my case version 7) on a Windows Server, (in my case 2016 Datacenter), this happened;

Installation Failed

The wizard was interrupted before VMware Horizon7 Composer could be completely installed.

Your system has not been modified. To complete installation at another time please run setup again.

Click Finish to exit the wizard.

Annoyingly I knew what it was straight away, because I’d read up on the subject before I started.

Solution

‘Power Off’ the server, locate its VM > Edit Settings > VM Options > Boot Options > Ensure firmware is set to “EFI (recommended)” > Note: It should be by default > Under Secure boot ‘Untick‘ Secure boot (EFI boot only) > OK.

Power the server back on, then retry the VMware Horizon Composer installation.


VMware View Connection Server – Stop Session timeouts

KB ID 0000605

Problem

For security reasons, the VMware View Administrator will timeout after a short period of inactivity, and you will see the following.

Server Error
Your session has timed out. Please log in again.
Click OK to be redirected to the login screen.

However if you work in the console a lot, this can get quite annoying.

Solution

From within the View Administrator console > View Configuration > Global settings > Edit > Tick “Enable automatic status updates” > OK > OK.

Note: Another advantage to doing this is, you don’t have to keep pressing refresh to update the interface.
