
  • Learning the Basics of VMware Horizon 7.12 – Questions, Lessons Learned, and Conclusions

    August 10, 2020

    VMware

    [Updated 4-Sep-2021]

    Introduction

    I started this series to learn just the basics of VMware Horizon. I did not read any blogs or articles on setting up Horizon. I watched some of Greg Shields’ Pluralsight course on Horizon 7 when I was confused about some of the permissions needed for the shares and files.

    My goal was to see if it was possible to figure out how to work with Horizon using as many default install options and configurations as possible. As stated in Part 1, I did not want to install any additional software, if at all possible.

    I received a few questions about the 16-part series. One of the questions I got was why I didn’t address creating a master image, image optimization, or profile management in this series. The reality is that there are many different ways to go about this, with a lot of different variables, depending on the company, use cases, etc. For this series, as I wrote in the introduction, I chose to concentrate as closely on the core elements of Horizon as possible. Image creation and optimization are going to be different for every single environment.

    Another question was, why did I show how to remove Horizon? Why not? In a lab, once you have played with and learned Horizon, it may be time for you to use the lab to learn something else. In that case, you need to have at least one method to remove Horizon from your lab other than doing clean installs of ESXi and reformatting all the datastores.

    A few people asked why no external access? I currently have no way to access my lab externally. I am working on that.

    Questions for VMware

    1. Why is SQL Authentication required for Horizon databases? Not well-versed in SQL Server Administration and security, I had three questions about SQL Security when SQL Authentication is used. A friend answered these questions for me, as shown below.
      1. For SQL Authentication, are failed logins recorded in the security event log?
        1. https://stackoverflow.com/questions/6769099/where-are-sql-server-connection-attempts-logged#:~:text=In%20SQL%20Server%20Management%20Studio,location%20can%20be%20determined%20here.
      2. How do you control the SQL authentication password requirements to make sure they follow corporate security guidelines?
        1. https://docs.microsoft.com/en-us/sql/relational-databases/security/password-policy?view=sql-server-ver15
      3. How do you audit SQL user accounts to ensure they follow corporate security guidelines for lockout policy, password required, password set not to expire, the user can’t change password, etc.?
        1. https://www.mssqltips.com/sqlservertip/1088/sql-server-login-properties-to-enforce-password-policies-and-expiration/
    2. Why is there no power management for RDS Farm machines? If an admin or helpdesk person can power manage VDI desktops, there should be a way to perform power management on RDS servers. There cannot be that much difference in the code or APIs between power managing a Windows 10 VM versus a Server 2019 VM? Because there is no power management for RDS servers in the Horizon Management Console, this forces an admin to use two consoles for RDS servers (unless they use PowerCLI for all their management tasks).
    3. When installing the Horizon Agent, the install wizard and the product documentation tell you that enabling Remote Desktop Access is required. Why? As part of my testing, I went back and uninstalled the Horizon Agent (only because there is no Change/Modify option) and reinstalled it without enabling Remote Desktop Access. I had no problems, in my testing, with accessing published desktops, applications, USB devices, or printing. It would be helpful if the product documentation stated what features, if any, require enabling Remote Desktop Access.
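
For the SQL Authentication questions under item 1 above (failed-login logging, password requirements, and auditing SQL user accounts), the following T-SQL is an added example, not part of the original post or the linked articles. It uses only built-in SQL Server catalog views and functions and assumes it is run by a member of the sysadmin role on the instance hosting the Horizon databases.

```sql
-- Added example: audit SQL-authenticated logins against password policy.
-- Run as sysadmin so that password_hash is visible to PWDCOMPARE.

-- 1) Is the instance recording failed logins at all?
--    The config_value column returns: none, success, failure, or all.
EXEC xp_loginconfig 'audit level';

-- 2) Per-login policy state. Windows password and lockout policy is only
--    applied to a SQL login when is_policy_checked = 1 (CHECK_POLICY = ON).
SELECT
    sl.name                                          AS login_name,
    sl.is_disabled,
    sl.is_policy_checked,        -- 0 = complexity and lockout not enforced
    sl.is_expiration_checked,    -- 0 = password never expires
    LOGINPROPERTY(sl.name, 'IsLocked')               AS is_locked,
    LOGINPROPERTY(sl.name, 'IsExpired')              AS is_expired,
    LOGINPROPERTY(sl.name, 'IsMustChange')           AS must_change,
    LOGINPROPERTY(sl.name, 'BadPasswordCount')       AS bad_password_count,
    LOGINPROPERTY(sl.name, 'PasswordLastSetTime')    AS password_last_set,
    LOGINPROPERTY(sl.name, 'DaysUntilExpiration')    AS days_until_expiration,
    -- PWDCOMPARE hashes the candidate and compares it to the stored hash.
    CASE WHEN PWDCOMPARE('', sl.password_hash) = 1
         THEN 1 ELSE 0 END                           AS blank_password,
    CASE WHEN PWDCOMPARE(sl.name, sl.password_hash) = 1
         THEN 1 ELSE 0 END                           AS password_equals_name
FROM sys.sql_logins AS sl
WHERE sl.name NOT LIKE '##%'     -- skip internal ##MS_...## logins
ORDER BY sl.is_policy_checked, sl.is_expiration_checked, sl.name;
```

Rows with is_policy_checked = 0, is_expiration_checked = 0, blank_password = 1, or password_equals_name = 1 are the ones to review against corporate guidelines.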

    Lessons Learned

    1. Do not use IE11 for anything.
    2. Run the Connection Server console from a modern browser and not on IE11. The only 3rd party software I “had” to install was Google Chrome. The performance difference on the console between IE11 and Chrome was eye-opening. I should have installed Chrome on the Connection Server’s VM before I installed Connection Server. That would have saved me a lot of time and frustration.
    3. Once a user makes a connection to any published resource, if the Connection Server that made the connection goes down, the user’s connection is instantly dropped. This is because, by default, the Connection Server tunnels the user’s connection.
    4. If you want to test not tunneling connections through the Connection Server:
      1. Connection Server Console
      2. Settings -> Servers -> Connection Servers
      3. Select Server
      4. Edit
      5. Unselect Use Secure Tunnel connection to machine
      6. Unselect Use PCoIP Secure Gateway for PCoIP connections to machine
      7. Select Do not use Blast Secure Gateway
    Figure 1
    5. If you select Do not use Blast Secure Gateway, you break HTML5 access to published desktops.
      1. Follow https://kb.vmware.com/s/article/2088354 for a resolution.
    6. Make sure you select your required Horizon Agent options correctly the first time. If you need to make any changes to the Agent’s configuration, you must uninstall and reinstall the Agent.
    7. If using Windows 10 1909 Enterprise, it appears that enabling Remote Desktop is not a requirement, contrary to what the documentation states. I do not know about other Windows versions or editions.
    8. My boss asked me to test a VMware Unified Access Gateway scenario, which was not part of this article series. When using the Unified Access Gateway, the UAG Name in the UAG’s System Configuration and the Gateway name in the Connection Server’s System Configuration are case sensitive. If the UAG name is UAG01 and the Gateway name is uag01, the Gateway will show no status information. I had to redeploy my UAG appliance to resolve the case mismatch.

    Conclusions

    I have spent 30 years working with many Citrix products, from the original Citrix MULTIUSER (based on the 1990 Microsoft OS/2) to the current (as of 10-Aug-2020) Citrix Virtual Apps and Desktops 2006. Learning a new product is not always easy, but the EUC Community has helpful people who go out of their way to help.

    Positives

    • Horizon 7 has improved a lot over what I worked with back in 2015.
    • HTML5 client access to published resources is fast and responsive.

    Opportunities for Improvement

    • Reduce resource usage for Parent VMs in vCenter. It would be nice to see a merging of the benefits of linked clones with instant clones—anything to reduce resource usage of parent VMs. Maybe a future version of Horizon can accomplish reducing resource usage?
    • Make it easier to get up and working with Horizon and Connection Server.
      • Here is my only mention of Citrix in this series. Make the install and configuration of the Connection Server as easy as Citrix does with installing Citrix Virtual Apps and Desktops and then Citrix Studio.
    • Give the Horizon Agent a Change/Modify option.
    • Update the Horizon product documentation if enabling Remote Desktop on a Desktop OS is not required. If Remote Desktop access is required, please list the features that require it.
    • Develop a stateful connection between the client’s endpoint and the published resource. If the Connection Server becomes unavailable, users should not lose their existing connection to a published resource. They are not able to make new connections, but existing connections should not break.

    Bottom Line

    Is VMware Horizon worth your time? Is it worth going from the lab to a Proof of Concept (PoC) trial? Is it worth going from a PoC to a Pilot program? Yes, it is.

    No software product is perfect, and every software product has room for improvement. VMware Horizon is no exception. What impressed me most was VMware’s commitment to continually improving, adding features, and fixing issues in Horizon. From the initial release of Horizon 7.0 on 22-Mar-2016 to Horizon 7.12 on 17-Mar-2020, there have been 19 Horizon updates. I am positive that VMware will continue to improve on the features and capabilities of the Horizon product suite.

    Kudos to the VMware Horizon product team for a product worthy of your time and investment.







    About Carl Webster

    Carl Webster is an independent consultant specializing in Citrix, Active Directory, and technical documentation. Carl (aka “Webster”) serves the broader Citrix community by writing articles (see CarlWebster.com) and by being the most active person in the Citrix Zone on Experts Exchange. Webster has a long history in the IT industry beginning with mainframes in 1977, PCs and application development in 1986, and network engineering in 2001. He has worked with Citrix products since 1990 with the premiere of their first product – the MULTIUSER OS/2.
