Archive | Horizon RSS feed for this section

Black screen when re-connect to VMware Horizon virtual desktop

27 May

We had an issue after we upgraded our EUC Stack, especially VMware App Volumes 2.14 to 2.18.1. Quite a few end-users started reporting black screen when they were trying to re-connect to their desktops post the original session launch. This would mean re-connect post breaks, endpoint screen locks, next working day re-connections, etc.

EUC Environment Details:
VMware Horizon 7.11
VMware App Volumes 2.18.1
VMware Dynamic Environment Manager 9.10
VMware Horizon Client 5.x
VMware Workspace One 3.3

Process of elimination

  • If we re-created the writable volumes of the problematic end-users the black screen issue would go away. This provided us with a clue that the problem lied with VMware App Volumes – Writable Volumes
  • No errors/failures observed within the VMware DEM/Horizon logs
  • Upgrade the Horizon Client to the latest 5.x version to remove any Client related issues
  • We already had the necessary anti-virus exclusion based on VMware Antivirus Considerations in a VMware Horizon 7 Environment

Resolution
After trying out all the usual steps and avoid re-creating writable volumes for problematic end-users, we managed to open a VMware GSS case handled by Karan Ahuja(Very helpful support engineer), which ended been worked by the engineering team(Art Rothstein – Champ in AV Eng Team). Note quite alot of logs, memory dumps, and Procmon were exchanged from the problematic VM using various remote gathering techniques. Finally, the fix was determined as a writable volume snapvol.cfg exclusion. (In our case, the problem is caused by smss.exe using a copy of winlogon.exe that is on the writable volume). After putting this exclusion into all problematic end-users, they stopped seeing Black screen issues upon re-connect.

exclude_path=%SystemRoot%\System32\winlogon.exe
Path exclusion in writable volumes snapvol.cfg

In this blog, I am not outlining the steps on how to add the snapvol.cfg exclusion as my ex-colleague Daniel Bakshi outlines on a VMware blog post on how to do it step by step. I hope you will find this information useful if you encounter intermittent black screen issues.

Thanks,
Aresh Sarkari

Intermittent Clipboard issues on VMware Horizon virtual desktop

18 Apr

Recently, we had an issue within our environment where-in end-users complained of intermittently one-way clipboard not working(Virtual Desktop to Endpoint will fail). The tricky part here was it would happen intermittently to anyone without any set pattern.

Environment Details:
VMware Horizon 7.11
VMware App Volumes 2.18.1
VMware Dynamic Environment Manager 9.10
VMware Horizon Client 5.x

Process of elimination

  • We were not using the Horizon Blast GPO for setting the clipboard.
  • The clipboard was setup using DEM Horizon Smart Policies – Enabled Both Directions
  • Upgrade the Horizon Client to the latest version to remove any Client related issues
  • We already had the anti-virus process exclusion of VMwareViewClipboard.exe
  • We disabled the Writable Volumes, and the clipboard issue will never occur.

Resolution

The above test made it evident that something within the Writable Volumes was causing the intermittent clipboard issue. The next thing that came to mind is adding path/process exclusion within the snapvol.cfg. One may ask how did you determine that path, but recently we have had many application issues that needed exclusion to make them work.

What I didn’t know was which path or process, until the task manager showed a clipboard process for Horizon called – VMwareViewClipboard.exe and its Path – C:\Program Files\Common Files\VMware\Remote Experience\x64. I read many communities post having mentioned this process. However, I wasn’t sure if adding the entire path exclusion made sense as I could see many Horizon process *.exe and wasn’t sure what additional repercussions it can have. I went ahead, adding the below process exclusion.

exclude_process_name=VMwareViewClipboard.exe
Process exclusion in writable volumes snapvol.cfg

Post adding the exclusion, all the end-users with intermittent clipboard issues were always able to do two side clipboard. In this blog, I am not outlining the steps on how to add the snapvol.cfg exclusion as my ex-colleague Daniel Bakshi outlines on a VMware blog post on how to do it step by step.

Update 2nd May 2020
We had a VMware GSS support case open on the same issue, and they came back with a suggestion to exclude this registry path instead of the process exclusions. Note we been told there is no impact with process or registry, but its a good practice to do registry/path exclusions instead of the process. This registry/subkeys are responsible for the Clipboard – DEM Horizon Smart Policies.

exclude_registry=\REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware UEM
Process exclusion in writable volumes snapvol.cfg

I hope you will find this information useful if you encounter intermittent clipboard issues.

Thanks,
Aresh Sarkari

Black Screen on mobile devices during logon – VMware Horizon and VMware Workspace One

17 Dec

We had a strange issue in which end-users reported a black screen when they clicked on their Desktop tile in Workspace One portal on their mobile devices on Android and iOS. The moment they clicked on the endpoint the black screen would go away and it would give the logon banner and normal Windows 10 logon.

Usual Suspects

Our investigation led to Windows Logon Banner applied via the group policy causing the black screen. We were soon able to rule out by disabling the logon banner and the black screen persisted.
The black screen only appear on mobile devices. The Desktop/Laptops you didnt observe the issue.

EUC Stack

VMware Horizon 7.6
VMware App Volumes 2.14.2
VMware Identity Manager 3.3
VMware User Environment Manager 9.4
Windows 10 1803

Resolution

We managed to open the VMware GSS case and a lot of troubleshooting was carried out from re-running the VMware OSOT tool and changing the Power Configuration policy.

The final configuration that resolved the black screen issue:

Open the master image and run PowerShell with administrative rights and execute the following commands:

powercfg -change -monitor-timeout-ac 0
powercfg -change -monitor-timeout-dc 0

(Note – Here 0 means Never)

ScreenSettings

Power and Screen Settings – Windows 10

Make sure you restart the master template post implementing the commands . Take a snapshot and perform “Push-Image” operation in Horizon Administror console.

I hope you will find this information useful if you encounter the Black Screen issue. A big thanks to Manivannan Arul my teammate for his continoursly effort while troubleshooting with GSS.

Thanks,
Aresh Sarkari

Continue reading

VMware EUC – Horizon, UAG, VIDM and AppVolumes – NSX Load Balancing – Health Check Monitors

2 Feb

There is no single place to find a consolidated list of Load balancer health check monitors (aka Service Monitors in NSX) for the VMware EUC products:

I have been using VMware NSX load balancer across the board. The below details will provide an overview of what to enter for the health monitors. Note – If you are using something more meaningful  for your environment leave feedback in the comments section. I will try to implement the same and update the blog later.

VMware Unified Access Gateway (UAG)

Create a new Service Monitor under NSX and call is UAG_https_monitor. Refer to the screenshot for more details.

UAG Service Monitor

Send String: GET /favicon.ico
Send String: GET /favicon.icoSend String: GET /favicon.ico
Send String: GET /favicon.ico
Send String: GET /favicon.ico

VMware Identity Manager (VIDM)

Create a new Service Monitor under NSX and call is VIDM_https_monitor. Refer to the screenshot for more details.

VIDM Service Monitor
Send String: GET /SAAS/auth/login
Response code: 200s

Horizon Connection Servers

Create a new Service Monitor under NSX and call is Horizon_https_monitor. Refer to the screenshot for more details.

image
Send String: GET /broker/xml/
Receive string: /styles/clientlaunch-default

VMware App Volumes

Create a new Service Monitor under NSX and call is AV_https_monitor. Refer to the screenshot for more details.

AV Service Monitor

I hope you will find these monitors useful in monitoring the VMware EUC products.

Thanks,
Aresh Sarkari


Poor man’s Samsung DEX HUB and VMware Horizon Advantage

22 Jun

I had been intrigued by the Samsung DeX mode post its launch but didn’t have the courage to buy the 125$ (Rs. 10,000/- INR) Samsung DeX Station. I was on a look-out for an alternate Hub which could do the DeX mode on my Galaxy S8+ for a lot less. After searching @ AliExpress I finally managed to find a hub called EASYA Thunderbolt 3 USB C to HDMI Adapter DeX Mode for Samsung Galaxy S8/S9 which had some good positive reviews and for 33$

The moment of truth was to plug-in the Galaxy S8+ and try the DeX mode. Attempt-1: Managed to plug the phone to the hub and HDMI monitor as the output. Next thing I noticed was the screen mirror got enabled and DeX Mode pop-up wouldn’t come or get detected.

Attempt-2: Additional to the above I plugged in the Power in the USB-C 3.1 PD Port and magically the pop-up appeared on the phone “Start DeX Mode

If you don’t have the wireless mouse plugged in the entire Galaxy S8+ screen acts like a mouse trackpad which can come-in handy.

EASYA Thunderbolt 3 USB Type-C Hub To HDMI Adapter Dex Mode

Productivity with VMware Horizon:

The Horizon Client available on the Android Store has integration with DeX mode that enables you to use the Virtual Desktop in Full screen mode. I launch my Windows 10 Desktop and use it for an entire day. I was easily able to work on the following applications without any issues

  • Microsoft Outlook Client
  • Chrome and Firefox browser
  • Skype for Business (Audio/Chat Only) – Video was having issues
  • VMware Performance Tracker was showing the CPU and Network Bandwidth Usage graphs in real-time
  • There was no lag or any sign of slowness in any form
  • CPU Usage on the phone at an average of 4-6%

Known Observations:

  • The phone didn’t heat all day during its usage
  • The HUB was reasonably warm during the entire day usage
  • The limited DeX compatible Application works good in full-screen

More Picture on the Usage

DeX Mode and Horizon Client Launch
Horizon Client

DeX Mode and Full Screen – Windows 10 + Dell 24 inch Monitor
Full Screen - Windows 10 VDI

Hardware Setup – Logitech M140 Bluetooth Keyboard + Mouse
Hardware-Setup

More Documentation on Samsung DeX + VMware Horizon

Using Horizon Client with Samsung DeX
Enable the DeX Mode Auto Launch Feature

I hope you find this HUB review and DeX mode usage with Horizon useful and will be able to use it as a daily driver. Let me know if you would like to know more in the comments section

Thanks,
Aresh

vRealize Operations Manager – Monitor Management Packs for Availability and Notification

25 Apr

If you are using multiple vRealize Operations Manager (vROPS) – Management Packs like Horizon, VSAN, NSX and vCenter and want to monitor their availability of the adapter/POD in terms of whether they are “Collecting Data” and get notified via email when the collection of data stops due to unknown reasons. Then go ahead and read further.

If you don’t setup the monitoring one doesn’t get notified until someone logins to the vROPS Manager and see the adapter status physically.

Adapter Status:
vROPS VMware Horizon Management Pack

Collection State/Status:
vROPS - Hoirzon Adapter

To achieve the above its a 3 steps process. You will have to create the following:

  • Custom Symptom Definition
  • Custom Alert Definition
  • Custom Notification

Symptom Definitions

We will create four custom Symptom Definition (SD) for Horizon Adapter, Horizon POD as it collects data, vCenter instances and VSAN Adapter. Following are the SD combined:

Custom Symptom Definitions
  • Horizon Adapter Instance
    • Open the vROPS Manager and navigate to Alerts – Symptom Definitions
    • Click on the +
    • Under the Base Object Type Select – View Adapter Instance
    • Under Metrics Select vRealize Operations Generated – Availability
    • Enter a Symptom Definition Name – SD_Horizon_Adapter_Avail
    • is – Critical
    • metric – is less than
    • Numeric Value – 1
    • Under Advance
      • Wait Cycle – 3
      • Cancel Cycle – 3
      • Recommended – The wait/cancel cycle of 3 means that in case of any failure user will be notified after 15 minutes (3 cycles x default 5 minutes data collection interval)
Symptom - View Adapter Instance
  • vCenter Adapter – vCenter

    • Open the vROPS Manager and navigate to Alerts – Symptom Definitions
    • Click on the +
    • Under the Base Object Type Select – vCenter Server
    • Under Metrics Select vRealize Operations Generated – Availability
    • Enter a Symptom Definition Name – SD_vCenter_Adapter_Avail
    • is – Critical
    • metric – is less than
    • Numeric Value – 1
    • Under Advance
      • Wait Cycle – 3
        • Cancel Cycle – 3
          • Recommended – The wait/cancel cycle of 3 means that in case of any failure user will be notified after 15 minutes (3 cycles x default 5 minutes data collection interval)
      Symptom - vCenter Adapter Instance
      • View POD

        • Open the vROPS Manager and navigate to Alerts – Symptom Definitions
        • Click on the +
        • Under the Base Object Type Select – View POD
        • Under Metrics Select vRealize Operations Generated – Availability
        • Enter a Symptom Definition Name – SD_View_POD_Avail
        • is – Critical
        • metric – is less than
        • Numeric Value – 1
        • Under Advance
          • Wait Cycle – 3
            • Cancel Cycle – 3
              • Recommended – The wait/cancel cycle of 3 means that in case of any failure user will be notified after 15 minutes (3 cycles x default 5 minutes data collection interval)
          Symptom - View POD

          • VSAN Adapter Instance
            • Open the vROPS Manager and navigate to Alerts – Symptom Definitions
            • Click on the +
            • Under the Base Object Type Select – VSAN Adapter Instance
            • Under Metrics Select vRealize Operations Generated – Availability
            • Enter a Symptom Definition Name – SD_VSAN_Adapter_Avail
            • is – Critical
            • metric – is less than
            • Numeric Value – 1
            • Under Advance
              • Wait Cycle – 3
                • Cancel Cycle – 3
                  • Recommended – The wait/cancel cycle of 3 means that in case of any failure user will be notified after 15 minutes (3 cycles x default 5 minutes data collection interval)
              Symptom - VSAN Adapter Instance

              Alert Definitions

              We will create four custom Alert Definition (AD) for Horizon Adapter, Horizon POD as it collects data, vCenter instances and VSAN Adapter. Following are the AD combined:

              Custom Alert Definitions
              • Horizon Adapter Instance
                • Open the vROPS Manager and navigate to Alerts – Alert Definitions
                • Click on the +
                • Enter a Name – AD_Horizon_Adapter
                • Under the Base Object Type Select – View Adapter Instance
                • Under the Alert Impact
                  • Impact – Health
                  • Criticality – Symptom Based
                  • Alert Type and Subtype – Virtualization/Hypervisor: Availability
                  • Wait Cycle – 1
                  • Cancel Cycle – 1
                • Under Add Symptom Definitions
                  • Defined on – Self
                  • Symptom Definition Type – Metric /Property
                  • In the search box enter the previously created Symptom Definition – SD_Horizon_Adapter_Avail
                • Under Add Recommendations – Search and Select “Check if the resources are available. If it isn’t restart it. If it is available check the network connectivity between the remote checks and the resource
              Alert - Horizon Adapter


              • vCenter Adapter Instance
                • Open the vROPS Manager and navigate to Alerts – Alert Definitions
                • Click on the +
                • Enter a Name – AD_vCenter_Adapter
                • Under the Base Object Type Select –  vCenter Server
                • Under the Alert Impact
                  • Impact – Health
                  • Criticality – Symptom Based
                  • Alert Type and Subtype – Virtualization/Hypervisor: Availability
                  • Wait Cycle – 1
                  • Cancel Cycle – 1
                • Under Add Symptom Definitions
                  • Defined on – Self
                  • Symptom Definition Type – Metric /Property
                  • In the search box enter the previously created Symptom Definition – SD_vCenter_Adapter_Avail
                • Under Add Recommendations – Search and Select “Check if the resources are available. If it isn’t restart it. If it is available check the network connectivity between the remote checks and the resource
              Alert - vCenter Adapter
              • View POD
                • Open the vROPS Manager and navigate to Alerts – Alert Definitions
                • Click on the +
                • Enter a Name – AD_View_PODS
                • Under the Base Object Type Select –  View Pod
                • Under the Alert Impact
                  • Impact – Health
                  • Criticality – Symptom Based
                  • Alert Type and Subtype – Virtualization/Hypervisor: Availability
                  • Wait Cycle – 1
                  • Cancel Cycle – 1
                • Under Add Symptom Definitions
                  • Defined on – Self
                  • Symptom Definition Type – Metric /Property
                  • In the search box enter the previously created Symptom Definition – SD_View_PODS_Avail
                • Under Add Recommendations – Search and Select “Check if the resources are available. If it isn’t restart it. If it is available check the network connectivity between the remote checks and the resource
              Alert - View POD
              • VSAN Adapter Instance
                • Open the vROPS Manager and navigate to Alerts – Alert Definitions
                • Click on the +
                • Enter a Name – AD_VSAN_Adapter
                • Under the Base Object Type Select –  vSAN Adapter Instance
                • Under the Alert Impact
                  • Impact – Health
                  • Criticality – Symptom Based
                  • Alert Type and Subtype – Virtualization/Hypervisor: Availability
                  • Wait Cycle – 1
                  • Cancel Cycle – 1
                • Under Add Symptom Definitions
                  • Defined on – Self
                  • Symptom Definition Type – Metric /Property
                  • In the search box enter the previously created Symptom Definition – SD_VSAN_Adapter_Avail
                • Under Add Recommendations – Search and Select “Check if the resources are available. If it isn’t restart it. If it is available check the network connectivity between the remote checks and the resource
              Alert - VSAN Adpater

              Notifications

              We will create four Notification Rules for Horizon Adapter, Horizon POD as it collects data, vCenter instances and VSAN Adapter. Following are the Rules for Email Alerts combined:

              Custom Notification Rules
              • Rule – Horizon Adapter Instance is down
                • Open the vROPS Manager and navigate to Alerts – Notification Settings
                • Click on the +
                • Enter a Name – _Horizon_Adapter is down
                • Under Method Select – Standard Email Plugin
                • Instance – SMTP (previous configured)
                • Enter Recipients – Email Address
                • Notification Trigger – Alert Definition
                • Add the previously created _AD_Horizon_Adapter
              Notification - Horizon Adapter

              • Rule – vCenter Adapter Instance is down
                • Open the vROPS Manager and navigate to Alerts – Notification Settings
                • Click on the +
                • Enter a Name – _vCenter_Adapter is down
                • Under Method Select – Standard Email Plugin
                • Instance – SMTP (previous configured)
                • Enter Recipients – Email Address
                • Notification Trigger – Alert Definition
                • Add the previously created _AD_vCenter_Adapter
              Notification - vCenter Adapter

              • Rule – View POD is down
                • Open the vROPS Manager and navigate to Alerts – Notification Settings
                • Click on the +
                • Enter a Name – _View_POD is down
                • Under Method Select – Standard Email Plugin
                • Instance – SMTP (previous configured)
                • Enter Recipients – Email Address
                • Notification Trigger – Alert Definition
                • Add the previously created _AD_View_POD
              Notification - View POD

              • Rule – VSAN Adapter is down
                • Open the vROPS Manager and navigate to Alerts – Notification Settings
                • Click on the +
                • Enter a Name – _VSAN_Adapter is down
                • Under Method Select – Standard Email Plugin
                • Instance – SMTP (previous configured)
                • Enter Recipients – Email Address
                • Notification Trigger – Alert Definition
                • Add the previously created _AD_VSAN_Adapter
              Notification - VSAN Adapter

              I hope you will find this post useful and will help you improvise on monitoring/alerting of your vROPS Management Packs. A big thanks to Gagik Manukyan in demonstrating the ability to configure this in our internal setup.

              Thanks,
              Aresh Sarkari

              VMware Horizon TrueSSO – Configuration for High Availability and Redundancy

              13 Apr

              In this post I will demonstrate the configuration that are required to deploy the VMware Enrollment Servers for High availability and redundancy. This includes two Certificate Authority CA’s and Enrollment Servers

              TrueSSO Availability and Redundancy


              My colleague Tarique Chowdhury has an excellent post on the TrueSSO Lab Setup. However in that deployment it talks about a single Enrollment Server and Certificate Authority Server.

              This post is not a replacement of the Setting Up TrueSSO guide on VMware Pubs. However the below mentioned two sections complement during the configurations for everything else follow the setup guide/blogs:

              Certificate deployment – Enrollment Agent (Computer).

              Deploying the Enrollment Agent (Computer) certificate onto this server, we are authorizing this ES to act as an Enrollment Agent and generate Certificates on behalf of users.

              Both the Certificate Authority Server Enrollment Agent (Computer) certificate needs to be added. They are added one-by-one. The Personal –> Certificate store should look like below on the ES:

              Enrollment Agent (Computer)

              Configure TrueSSO on the Horizon Connection Servers:

              Step1: Adding both the Enrollment Server (ES) – Adding the ES to the environment, we are able to query the ES about the domain and relevant True SSO info.

              vdmutil --authAs username --authDomain askaresh --authPassword password --truesso --environment --add –enrollmentServer tsso1.askaresh.com,tsso2.askaresh.com

              Adding ES

              Step2 – List both the newly deployed Enrollment Server – We will get info about various components of the environment which will be useful for configuring True SSO.

              vdmutil --authAs username –authDomain askaresh --authPassword password --truesso --environment --list --enrollmentServer tsso1.askaresh.com  --domain askaresh.com

              vdmutil --authAs username –authDomain askaresh --authPassword password --truesso --environment --list --enrollmentServer tsso2.askaresh.com  --domain askaresh.com

              Listing ES

              Step3 – Adding the Connector for TrueSSO – A True SSO Connector is a configuration set where we specify details like ES(s), CA(s) and a Certificate Template to use for a certain Domain. When a Horizon CS gets a request to launch a desktop for an AD user, it will look up True SSO Connector for the domain the user belongs to and will use the components as specified to obtain a Certificate on behalf of the user.

              vdmutil --authAs username --authDomain askaresh --authPassword password --truesso --create --connector --domain askaresh.com --template TrueSSO --primaryEnrollmentServer tsso1.askaresh.com –secondaryEnrollmentServer tsso2.askaresh.com --certificateServer MSSUBCA01-CA,MSSUBCA02-CA --mode enabled

              TrueSSO Connector

              Step4 – List the SAML Authenticator available in Horizon environment – A SAML Authenticator contains the trust and metadata exchange between Horizon View and vIDM. To use True SSO, we need to identify the correct SAML Authenticator and enable True SSO.

              vdmutil --authAs username --authDomain askaresh --authPassword password --truesso --list --authenticator

              Listing SAML

              Step5 – Enable TrueSSO for the SAML Authenticator

              vdmutil --authAs username --authDomain askaresh --authPassword password --truesso --authenticator --edit --name VIDM-PROD --truessoMode ENABLED

              Enable TrueSSO

              Step6 – Check the status on the Horizon Administrator Dashboard
              TrueSSO Dashboard

              I hope you find these steps useful during the TrueSSO Availability and Redundancy configurations.

              Thanks,
              Aresh