Learning the Basics of VMware Horizon 7.12 – Questions, Lessons Learned, and Conclusions

    August 10, 2020

    VMware

    Introduction

    I started this series to learn just the basics of VMware Horizon. I did not read any blogs or articles on setting up Horizon. I watched some of Greg Shields’ Pluralsight course on Horizon 7 when I was confused about some of the permissions needed for the shares and files.

    My goal was to see if it was possible to figure out how to work with Horizon using as many default install options and configurations as possible. As stated in Part 1, I did not want to install any additional software, if at all possible.

    I received a few questions about the 16-part series. One of the questions that I got was why I didn’t address creating a master image, image optimization, or profile management in this series. The reality is, there are a lot of different ways to go about this, with a lot of different variables, depending on the company, use cases, etc. For this series, as I wrote in the introduction, I chose to concentrate as closely on the core elements of Horizon as possible. Image creation and optimization are going to be different for every single environment.

    Another question was why did I show how to remove Horizon? Why not? In a lab, once you have played with and learned Horizon, it may be time for you to use the lab to learn something else. In that case, you need to have at least one method to remove Horizon from your lab other than doing clean installs of ESXi and reformatting all the datastores.

    A few people asked why no external access? I currently have no way to access my lab externally. I am working on that.

    Questions for VMware

    1. Why is SQL Authentication required for Horizon databases? Not being well-versed in SQL Server Administration and security, I had three questions about SQL Security when SQL Authentication is used. A friend answered these questions for me as shown below.
      1. For SQL Authentication, are failed logins recorded in the security event log?
        1. https://stackoverflow.com/questions/6769099/where-are-sql-server-connection-attempts-logged#:~:text=In%20SQL%20Server%20Management%20Studio,location%20can%20be%20determined%20here.
      2. How do you control the SQL authentication password requirements to make sure they follow corporate security guidelines?
        1. https://docs.microsoft.com/en-us/sql/relational-databases/security/password-policy?view=sql-server-ver15
      3. How do you audit SQL user accounts to make sure they follow corporate security guidelines for requirements like lockout policy, password required, password set to not expire, user can’t change password, etc.?
        1. https://www.mssqltips.com/sqlservertip/1088/sql-server-login-properties-to-enforce-password-policies-and-expiration/
    2. Why is there no power management for RDS Farm machines? If an admin or helpdesk person can power manage VDI desktops, there should be a way to perform power management on RDS servers. There cannot be that much difference in the code or APIs between power managing a Windows 10 VM versus a Server 2019 VM? Because there is no power management for RDS servers in the Horizon Management Console, this forces an admin to use two consoles for RDS servers (unless they use PowerCLI for all their management tasks).
    3. When installing the Horizon Agent, the install wizard and the product documentation tell you that enabling Remote Desktop Access is required. Why? As part of my testing, I went back and uninstalled the Horizon Agent (only because there is no Change/Modify option) and reinstalled without enabling Remote Desktop Access. I had no problems, in my testing, with accessing published desktops, applications, USB devices, or printing. It would be helpful if the product documentation stated what features, if any, require enabling Remote Desktop Access.
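For the SQL Authentication sub-questions in item 1 above, the following T-SQL is an added example (not from the original post or from VMware) of how the failed-login, password-policy, and account-audit checks can be run on the instance hosting the Horizon databases. It assumes SQL Server 2017 or later (for `CONCAT_WS`) and a caller with enough rights to read `password_hash` in `sys.sql_logins`.

```sql
-- Added example: audit SQL Server Authentication logins (read-only).
-- Assumes SQL Server 2017+ and a login allowed to read password_hash.
SELECT
    sl.name                                       AS login_name,
    sl.is_disabled,
    sl.is_policy_checked,      -- 1 = CHECK_POLICY ON (Windows complexity/lockout policy applies)
    sl.is_expiration_checked,  -- 1 = CHECK_EXPIRATION ON (Windows password-age policy applies)
    LOGINPROPERTY(sl.name, 'IsLocked')            AS is_locked,
    LOGINPROPERTY(sl.name, 'IsExpired')           AS is_expired,
    LOGINPROPERTY(sl.name, 'IsMustChange')        AS must_change,
    LOGINPROPERTY(sl.name, 'BadPasswordCount')    AS bad_password_count,
    LOGINPROPERTY(sl.name, 'BadPasswordTime')     AS last_bad_password_time,
    LOGINPROPERTY(sl.name, 'PasswordLastSetTime') AS password_last_set,
    LOGINPROPERTY(sl.name, 'DaysUntilExpiration') AS days_until_expiration,
    -- One text column listing every deviation found for the login.
    CONCAT_WS('; ',
        CASE WHEN sl.is_policy_checked = 0
             THEN 'CHECK_POLICY is OFF' END,
        CASE WHEN sl.is_expiration_checked = 0
             THEN 'CHECK_EXPIRATION is OFF (password never expires)' END,
        CASE WHEN PWDCOMPARE('', sl.password_hash) = 1
             THEN 'blank password' END,
        CASE WHEN PWDCOMPARE(sl.name, sl.password_hash) = 1
             THEN 'password equals login name' END
    )                                             AS findings
FROM sys.sql_logins AS sl
WHERE sl.name NOT LIKE '##%'   -- skip internal certificate-mapped logins
ORDER BY sl.is_policy_checked, sl.is_expiration_checked, sl.name;

-- Failed SQL Authentication attempts are written to the SQL Server error log
-- when the instance's login auditing setting includes failed logins.
-- Search the current error log (0) of the SQL Server engine (1):
EXEC sys.sp_readerrorlog 0, 1, N'Login failed';
```

An empty `findings` value means the login has both policy flags enabled and passed the two weak-password checks; any login used by the Horizon databases that shows a finding should be reviewed against the corporate guideline.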

    Lessons Learned

    1. Do not use IE11 for anything.
    2. Run the Connection Server console from a modern browser and not on IE11. The only 3rd party software I “had” to install was Google Chrome. The performance difference on the console between IE11 and Chrome was eye-opening. I should have installed Chrome on the Connection Server’s VM before I installed Connection Server. That would have saved me a lot of time and frustration.
    3. Once a user makes a connection to any published resource, if the Connection Server that made the connection goes down, the user’s connection is instantly dropped. This is because, by default, the Connection Server tunnels the user’s connection.
    4. If you want to test not tunneling connections through the Connection Server:
      1. Connection Server Console
      2. Settings -> Servers -> Connection Servers
      3. Select Server
      4. Edit
      5. Unselect Use Secure Tunnel connection to machine
      6. Unselect Use PCoIP Secure Gateway for PCoIP connections to machine
      7. Select Do not use Blast Secure Gateway
    Figure 1
    5. If you select Do not use Blast Secure Gateway, you break HTML5 access to published desktops.
      1. Follow https://kb.vmware.com/s/article/2088354 for a resolution.
    6. Make sure you select your required Horizon Agent options correctly the first time. If you need to make any changes to the Agent’s configuration, you are required to uninstall and reinstall the Agent.
    7. If using Windows 10 1909 Enterprise, it appears that enabling Remote Desktop is not a requirement, contrary to what the documentation states. I do not know about other Windows versions or editions.
    8. My boss asked me to test a scenario using the VMware Unified Access Gateway, which was not part of this article series. When using the Unified Access Gateway, the UAG Name in the UAG’s System Configuration and the Gateway name in the Connection Server’s System Configuration are case sensitive. If the UAG name is UAG01 and the Gateway name is uag01, the Gateway will show no status information. I had to redeploy my UAG appliance to resolve the case mismatch.

    Conclusions

    I have spent 30 years working with a multitude of Citrix products from the original Citrix MULTIUSER (based on the 1990 Microsoft OS/2) to the current (as of 10-Aug-2020) Citrix Virtual Apps and Desktops 2006. Learning a new product is not always easy, but the EUC Community has helpful people who go out of their way to help.

    Positives

    • Horizon 7 has improved a lot over what I worked with back in 2015.
    • HTML5 client access to published resources is fast and responsive.

    Opportunities for Improvement

    • Reduce resource usage for Parent VMs in vCenter. It would be nice to see sort of a merging of the benefits of linked-clones with instant clones—anything to reduce resource usage of parent VMs. Maybe a future version of Horizon can accomplish reducing the resource usage?
    • Make it easier to get up and working with Horizon and Connection Server.
      • Here is my only mention of Citrix in this series. Make the install and configuration of the Connection Server as easy as Citrix does with installing Citrix Virtual Apps and Desktops and then Citrix Studio.
    • Give the Horizon Agent a Change/Modify option.
    • Update the Horizon product documentation if enabling Remote Desktop on a Desktop OS is not required. If Remote Desktop access is required, please list the features that require it.
    • Develop a stateful connection between the client’s endpoint and the published resource. If the Connection Server becomes unavailable, a user should not lose their existing connection to a published resource. They are not able to make new connections, but existing connections should not break.

    Bottom Line

    Is VMware Horizon worth your time? Is it worth going from the lab to a Proof of Concept (PoC) trial? Is it worth going from a PoC to a Pilot program? Yes, it is.

    No software product is perfect, and every software product has room for improvement. VMware Horizon is no exception. What impressed me most was VMware’s commitment to continually improving, adding features, and fixing issues in Horizon. From the initial release of Horizon 7.0 on 22-Mar-2016 to Horizon 7.12 on 17-Mar-2020, there have been 19 Horizon updates. I am positive that VMware will continue to improve on the features and capabilities of the Horizon product suite.

    Kudos to the VMware Horizon product team for a product worthy of your time and investment.







    About Carl Webster

    Webster is a Sr. Infrastructure Consultant for Conversant Group and specializes in Citrix, Active Directory and Technical Documentation. Webster has been working with Citrix products for many years starting with Multi-User OS/2 in 1990.
