• Learning the Basics of VMware Horizon 7.12 – Part 5 – Horizon Connection Server

    June 5, 2020

    Blog, VMware

    There are several steps needed to have a completely installed and configured Horizon Connection Server. In this article, the following steps are completed:

    • SQL preparation
    • vCenter setup
    • SSL Certificate
    • Install Connection Server
    • Connection Server configuration
    • Fix SQL table missing index
    • Install ControlUp Agent
    • Configure the ControlUp and Horizon integration

    Updated 18-Jun-2020

    SQL Preparation

    A Microsoft SQL database is needed for the Connection Server’s events database. The SQL Server must use SQL Server and Windows Authentication mode.

    In the SQL Server Management Studio, right-click the SQL Server and click Properties, as shown in Figure 1.

    Figure 1
    Figure 1

    Click Security, select SQL Server and Windows Authentication mode, and click OK, as shown in Figure 2.

    Figure 2
    Figure 2

    Note: It is important you don’t skip this step. Assuming the SQL Server uses SQL Server authentication will cost you a lot of troubleshooting time later (not that I know anything about that).

    Still in the SQL Server Management Studio, expand Security, expand and right-click Logins, click New Login…, as shown in Figure 3.

    Figure 3
    Figure 3

    As shown in Figure 4, enter a Login name, select SQL Server authentication, enter and confirm a Password, deselect Enforce password history, and click OK.

    Figure 4
    Figure 4

    Note 1: Even if the SQL Server is configured for Windows Authentication, you can still create a SQL Server authentication account and assign it as the owner of a database. Please verify that SQL Server authentication is enabled.

    Note 2: Why must the account use SQL Server authentication? This old VMware KB article, https://kb.vmware.com/s/article/1029537, suggests it is because the connection string is based on old Oracle (Sun) Java Database Connectivity (JDBC). Modern JDBC does support Windows authentication, but I assume VMware doesn’t want to invest the time and money to update their code and go through all the testing and QA time.

    Note 3: Why deselect Enforce password policy? The previously mentioned VMware KB article says to and every how-to article I found on the internet says to. But why? Because if the password changes, you could have issues connecting to the database. But is that really an issue with this specific user account? Not really. I will show and explain later in this article why it isn’t an issue. Thanks to Stephen J. in the vExperts Slack EUC channel for the explanation.

    Still in the SQL Server Management Studio, expand and right-click Databases, and click New Database…, as shown in Figure 5.

    Figure 5
    Figure 5

    Enter a Database name and click the browse button to the far right of Owner, as shown in Figure 6.

    Figure 6
    Figure 6

    Enter the SQL account name, click Check Names and click OK, as shown in Figure 7.

    Figure 7
    Figure 7

    In the left frame, click Options, change the Recovery model to Simple, and click OK, as shown in Figure 8.

    Figure 8
    Figure 8

    Leave the SQL Server Management Studio open. It is needed later to add a missing index to the database just created. The index can’t be added until the Connection Server is connected to the database.

    vCenter Setup

    In vCenter, create two VM and Template Folders. Figure 9 shows the two folders in my vCenter.

    Figure 9
    Figure 9

    These folders are used to place the VMs created by the Connection Server for the RDS and VDI desktop pools.

    Connection Server

    Update 18-Jun-2020: Don’t suffer as I did. Don’t use the default IE11 browser. Install a modern browser like Chrome or the new Microsoft Edge. The Connection Server console is many, many times more responsive on a modern browser than on IE11. I wish I had done that at the beginning of this series.

    Using a Group Policy, the domain’s Root and Intermediate certificates and a personal certificate are automatically installed on the Connection Server.

    Start -> Run -> MMC -> Add/Remove Snap-in… -> Certificates -> Add -> Computer account -> Local computer -> Finish -> OK

    Expand Certificates -> Trusted Root Certification Authorities -> Certificates. Figure 10 shows the domain’s Root certificates.

    Figure 10
    Figure 10

    Collapse Trusted Root Certification Authorities.

    Expand Intermediate Certification Authorities -> Certificates. Figure 11 shows the domain’s Intermediate certificates.

    Figure 11
    Figure 11

    Collapse Intermediate Certification Authorities.

    Expand Certificates -> Personal -> Certificates

    Figure 12 shows the Connection Server’s SSL certificate installed as part of the auto-enrollment policy.

    Figure 12
    Figure 12

    Double-click the Connection Server’s SSL certificate.

    On the Details tab, click Edit Properties…, as shown in Figure 13.

    Figure 13
    Figure 13

    For the Friendly name, type in vdm (all lower case), as shown in Figure 14, and click OK twice.

    Figure 14
    Figure 14

    Doing this step prevents the Connect Server installation from creating a self-signed certificate with “vdm” for the friendly name.

    If the self-signed certificate is created, then you have to remove the “vdm” friendly name from it, give it to the CA-signed certificate, restart the Connection Server service, and relaunch the Horizon Management Console.

    Figure 15 shows the Friendly Name vdm.

    Figure 15
    Figure 15

    Exit and save the mmc console. The console is needed after the Connection Server installation finishes.

    Copy the Connection Server install file to the Connection Server.

    Right-click the Connection Server install file and select Run as administrator.

    Figure 16
    Figure 16

    If UAC is enabled, click Yes.

    Click Next, as shown in Figure 17.

    Figure 17
    Figure 17

    Select I accept the terms in the license agreement and click Next, as shown in Figure 18.

    Figure 18
    Figure 18

    Click Next, as shown in Figure 19.

    Figure 19
    Figure 19

    Keep the three default selections and click Next, as shown in Figure 20.

    Figure 20
    Figure 20

    Enter the required information and click Next, as shown in Figure 21.

    The Horizon database is an LDAP database. When you back up the Connection Server, the Horizon LDAP configuration is exported as encrypted LDIF data. To restore the encrypted backup, you must provide the data recovery password.

    The password must contain between 1 and 128 characters.

    Figure 21
    Figure 21

    Select a Windows Firewall option and click Next, as shown in Figure 22.

    Figure 22
    Figure 22

    Select or enter the initial administrator(s) for Horizon 7 and click Next, as shown in Figure 23.

    Figure 23
    Figure 23

    Select whether to Join the VMware Customer Experience Improvement Program and click Next, as shown in Figure 24.

    Figure 24
    Figure 24

    Click Install, as shown in Figure 25.

    Figure 25
    Figure 25

    The installation of the Connection Several takes several minutes.

    Deselect Show the documentation and click Finish, as shown in Figure 26.

    Figure 26
    Figure 26

    Let’s look at the SSL certificates created by the installation.

    Open the MMC console with the Certificates snap-in saved earlier.

    Expand Certificates -> Personal -> Certificates. Figure 27 shows there are now  five SSL certificates.

    Figure 27
    Figure 27

    If we had not changed the Friendly Name of the domain’s server certificate, there would have been six certificates. If the self-signed certificate were used, any HTTPS connection made to the Connection Server would be untrusted.

    If you are using IGEL, leave the MMC console open. Otherwise, exit the MMC  console.

    Connection Server Configuration

    There is a Horizon 7 Administrator Console icon on the desktop, as shown in Figure 28.

    Figure 28
    Figure 28

    Because the icon is using “localhost” and not the FQDN of the server, you will get an invalid SSL certificate error, as shown in Figure 29.

    Figure 29
    Figure 29

    I prefer to browse to the FQDN of the server. For example https://ConnectionServer.domain.com/admin/. For me, that is  https://h7connection.labaddomain.com/admin/, as shown in Figure 30.

    Figure 30
    Figure 30

    Under Horizon Console (HTML5), click Always use this option, and then click the Launch button, as shown in Figure 31.

    Note: The Flex console is deprecated, so don’t use it.

    Figure 31
    Figure 31

    I increased the size of the browser so I can see more.

    Enter the initial Horizon 7 Administrator account configured during the installation and click Sign in, as shown in Figure 32.

    If you have multiple domains or trusts in place, select the correct domain from the dropdown list.

    Figure 32
    Figure 32

    Click Edit License, as shown in Figure 33.

    Figure 33
    Figure 33

    Enter or Copy & Paste the Horizon 7 License Serial Number and click OK, as shown in Figures 34 and 35.

    Figure 34
    Figure 34
    Figure 35
    Figure 35

    Horizon 7.12 is licensed, as shown in Figure 36.

    Figure 36
    Figure 36

    In the left frame, under Settings, click Servers, as shown in Figure 37.

    Figure 37
    Figure 37

    Under vCenter Servers click the Add button, as shown in Figure 38.

    Figure 38
    Figure 38

    Enter the required information and click Next, as shown in Figure 39.

    Figure 39
    Figure 39

    My vCenter uses the default self-signed certificate. Click View Certificate, as shown in Figure 40.

    Figure 40
    Figure 40

    Click Accept, as shown in Figure 41.

    Figure 41
    Figure 41

    For this lab, only Instant Clones are used, not Linked Clones, so make sure Do not use View Composer is selected and click Next, as shown in Figure 42.

    Figure 42
    Figure 42

    Accept the defaults and click Next, as shown in Figure 43.

    Figure 43
    Figure 43

    Click Submit, as shown in Figure 44.

    Figure 44
    Figure 44

    Figure 45 shows the vCenter server is added.

    Figure 45
    Figure 45

    In the left frame, under Settings, click Instant Clone Domain Accounts, as shown in Figure 46.

    Figure 46
    Figure 46

    Click Add, as shown in Figure 47.

    Figure 47
    Figure 47

    Add an admin account from the domain and click OK, as shown in Figure 48.

    Figure 48
    Figure 48

    Figure 49 shows the account is added.

    Figure 49
    Figure 49

    In the left frame, under Settings, click Global Settings, as shown in Figure 50.

    Figure 50
    Figure 50

    Under Global Settings, General Settings, click Edit, as shown in Figure 51.

    Figure 51
    Figure 51

    I changed the View Administrator Session Timeout to keep the console from timing out while I was taking screenshots. I also selected:

    • Enable automatic status updates
    • Enable Windows Server Desktops
    • Clean Up Credential When Tab Closed for HTML Access

    Make any changes needed and click OK, as shown in Figure 52.

    If you change the View Administrator Session Timeout, you must exit the console and log back in for the change to take effect.

    Figure 52
    Figure 52

    In the left frame, under Settings, click Event Configuration, as shown in Figure 53.

    Figure 53
    Figure 53

    Click Edit, as shown in Figure 54.

    Figure 54
    Figure 54

    Enter the information for the SQL database and user account created earlier and click OK, as shown in Figure 55.

    Note: From back in Figure 4, if you did not deselect Enforce password policy and the password for the account changes, this is where the password is updated. So, it isn’t a lot of effort to allow the account’s password to change and then update the Event database details for the Connection Server.

    If you will have multiple Connection Servers using the same SQL Server, enter a Table Prefix.

    Figure 55
    Figure 55

    Figure 56 shows the database connection is made.

    Figure 56
    Figure 56

    If the database user’s password changes, click Edit to update the password.

    Now that the database connection is established, the database’s schema was updated and there is a missing index in one of the tables. This is covered in https://kb.vmware.com/s/article/2094580.

    Now, go back to the SQL Server and its Management Studio.

    Click the SQL Server and click the refresh button, as shown in Figure 57.

    Figure 57
    Figure 57

    Expand the database created for the Connection Server’s events, expand Tables, and click on dbo.event_data, as shown in Figure 58.

    Figure 58
    Figure 58

    Click New Query, as shown in Figure 59.

    Figure 59
    Figure 59

    As shown in Figure 60, enter the following text in the query window.

    CREATE INDEX IX_eventid ON dbo.event_data (eventid)

    Figure 60
    Figure 60

    Click Execute, as shown in Figure 61.

    Figure 61
    Figure 61

    Figure 62 shows the SQL Query creates the new Index.

    Figure 62
    Figure 62

    As shown in Figure 63, expand the dbo.event_data Table, expand Indexes and the new IX_eventid Index shows.

    Figure 63
    Figure 63

    Exit the SQL Server Management Studio. You do not have to save the query to create the index.

    Back to the Connection Server.

    In the left frame, under Monitor, click Dashboard, as shown in Figure 64.

    Figure 64
    Figure 64

    As seen in Figure 65, System Health should show 0 issues.

    Figure 65
    Figure 65

    Upload SSL Certificate to IGEL UMS

    If you use IGEL, import the Connection Server’s SSL certificate into UMS.

    If you closed the MMC console, open the MMC console with the Certificates snap-in saved earlier.

    Expand Certificates -> Personal -> Certificates.

    Right-click the server’s certificate issued by the domain’s CA, click All Tasks -> Export…, as shown in Figure 66.

    Figure 66
    Figure 66

    Click Next, as shown in Figure 67.

    Figure 67
    Figure 67

    Select No, do not export the private key and click Next, as shown in Figure 68.

    Figure 68
    Figure 68

    Select Base-64 encoded X.509 (.CER), and click Next, as shown in Figure 69.

    Figure 69
    Figure 69

    Save the .cer file to a location reachable by the IGEL UMS server, as shown in Figure 70.

    Figure 70
    Figure 70

    Click OK, as shown in Figure 71.

    Figure 71
    Figure 71

    Go to the UMS server and open the UMS console.

    Right-click on Files and click New file, as shown in Figure 72.

    Figure 72
    Figure 72

    Select Upload local file to UMS server, for Local file enter the same information entered in Figure 70, under File target, change Classification to Common Certificate (all purpose), and click OK, as shown in Figure 73.

    Figure 73
    Figure 73

    Figure 74 shows the added certificate file.

    Figure 74
    Figure 74

    There are a few ways to add the new certificate file to the existing IGEL devices. I’ll use the way that is easy for me to show visually.

    First, let’s see what objects are assigned to one of my IGEL devices.

    In the UMS console, click on an IGEL device (my lab’s UD7), as shown in Figure 75.

    Figure 75
    Figure 75

    In the right frame, look under Assigned objects, as shown in Figure 76.

    Figure 76
    Figure 76

    There are four files assigned to the UD7.

    1. The ControlUp custom partition file.
    2. The domain’s Root CA file.
    3. The domain’s Intermediate certificate file.
    4. The IGEL firmware file.

    In the left frame, click on the Connection Server’s certificate file, and in the right frame, click the “+” by Assigned objects, as shown in Figure 77.

    Figure 77
    Figure 77

    Select the IGEL devices to assign to the certificate file and click OK, as shown in Figure 78.

    Figure 78
    Figure 78

    Select when the update should apply and click OK, as shown in Figure 79.

    Figure 79
    Figure 79

    As shown in Figure 80, select an IGEL device to see the Connection Server’s certificate was assigned.

    Figure 80
    Figure 80

    ControlUp and Horizon Integration

    If you use ControlUp, log in to the ControlUp console.

    From the Home tab, click Add EUC Environment, as shown in Figure 81.

    Figure 81
    Figure 81

    Select VMware Horizon for the Solution/Platform, enter an Environment Name, enter the Connection Server Name/IP, select the Credentials to authenticate to the Connection Server, and click OK, as shown in Figure 82.

    Figure 82
    Figure 82

    If you need to create Credentials, follow these instructions for Local Credentials and these instructions for Shared Credentials (if you use the ControlUp Monitor).

    Figure 83 shows the Horizon environment added to the ControlUp console.

    Figure 83
    Figure 83

    After the master images are created and tested, we will add the ControlUp agent for detailed monitoring of the pooled desktops created.

    Up next: Windows 10 master image creation and agent installation.

     







    About Carl Webster

    Webster is a Sr. Infrastructure Consultant for Conversant Group and specializes in Citrix, Active Directory and Technical Documentation. Webster has been working with Citrix products for many years starting with Multi-User OS/2 in 1990.

    View all posts by Carl Webster

    No comments yet.

    Leave a Reply