
vRealize Operations Manager – Monitor Management Packs for Availability and Notification

25 Apr

If you run multiple vRealize Operations Manager (vROPS) Management Packs such as Horizon, VSAN, NSX and vCenter, and want to monitor whether each adapter/POD is “Collecting Data” and be notified by email when data collection stops for unknown reasons, read on.

If you don’t set up this monitoring, nobody is notified until someone logs in to the vROPS Manager and checks the adapter status manually.

Adapter Status:
vROPS VMware Horizon Management Pack

Collection State/Status:
vROPS - Horizon Adapter

To achieve this, follow a three-step process. You will have to create the following:

  • Custom Symptom Definition
  • Custom Alert Definition
  • Custom Notification

Symptom Definitions

We will create four custom Symptom Definitions (SD): for the Horizon Adapter, the Horizon POD (as it collects data), the vCenter instances and the VSAN Adapter. The four SDs are listed together below:

Custom Symptom Definitions
  • Horizon Adapter Instance
    • Open the vROPS Manager and navigate to Alerts – Symptom Definitions
    • Click on the +
    • Under the Base Object Type Select – View Adapter Instance
    • Under Metrics Select vRealize Operations Generated – Availability
    • Enter a Symptom Definition Name – SD_Horizon_Adapter_Avail
    • is – Critical
    • metric – is less than
    • Numeric Value – 1
    • Under Advanced
      • Wait Cycle – 3
      • Cancel Cycle – 3
      • Recommended – A wait/cancel cycle of 3 means that, in case of a failure, the user is notified after 15 minutes (3 cycles x the default 5-minute data collection interval)
Symptom - View Adapter Instance
  • vCenter Adapter – vCenter

    • Open the vROPS Manager and navigate to Alerts – Symptom Definitions
    • Click on the +
    • Under the Base Object Type Select – vCenter Server
    • Under Metrics Select vRealize Operations Generated – Availability
    • Enter a Symptom Definition Name – SD_vCenter_Adapter_Avail
    • is – Critical
    • metric – is less than
    • Numeric Value – 1
    • Under Advanced
      • Wait Cycle – 3
      • Cancel Cycle – 3
      • Recommended – A wait/cancel cycle of 3 means that, in case of a failure, the user is notified after 15 minutes (3 cycles x the default 5-minute data collection interval)
      Symptom - vCenter Adapter Instance
      • View POD

        • Open the vROPS Manager and navigate to Alerts – Symptom Definitions
        • Click on the +
        • Under the Base Object Type Select – View POD
        • Under Metrics Select vRealize Operations Generated – Availability
        • Enter a Symptom Definition Name – SD_View_POD_Avail
        • is – Critical
        • metric – is less than
        • Numeric Value – 1
        • Under Advanced
          • Wait Cycle – 3
          • Cancel Cycle – 3
          • Recommended – A wait/cancel cycle of 3 means that, in case of a failure, the user is notified after 15 minutes (3 cycles x the default 5-minute data collection interval)
          Symptom - View POD

          • VSAN Adapter Instance
            • Open the vROPS Manager and navigate to Alerts – Symptom Definitions
            • Click on the +
            • Under the Base Object Type Select – VSAN Adapter Instance
            • Under Metrics Select vRealize Operations Generated – Availability
            • Enter a Symptom Definition Name – SD_VSAN_Adapter_Avail
            • is – Critical
            • metric – is less than
            • Numeric Value – 1
            • Under Advanced
              • Wait Cycle – 3
              • Cancel Cycle – 3
              • Recommended – A wait/cancel cycle of 3 means that, in case of a failure, the user is notified after 15 minutes (3 cycles x the default 5-minute data collection interval)
              Symptom - VSAN Adapter Instance

              Alert Definitions

              We will create four custom Alert Definitions (AD): for the Horizon Adapter, the Horizon POD (as it collects data), the vCenter instances and the VSAN Adapter. The four ADs are listed together below:

              Custom Alert Definitions
              • Horizon Adapter Instance
                • Open the vROPS Manager and navigate to Alerts – Alert Definitions
                • Click on the +
                • Enter a Name – AD_Horizon_Adapter
                • Under the Base Object Type Select – View Adapter Instance
                • Under the Alert Impact
                  • Impact – Health
                  • Criticality – Symptom Based
                  • Alert Type and Subtype – Virtualization/Hypervisor: Availability
                  • Wait Cycle – 1
                  • Cancel Cycle – 1
                • Under Add Symptom Definitions
                  • Defined on – Self
                  • Symptom Definition Type – Metric /Property
                  • In the search box enter the previously created Symptom Definition – SD_Horizon_Adapter_Avail
                • Under Add Recommendations – Search and Select “Check if the resources are available. If it isn’t restart it. If it is available check the network connectivity between the remote checks and the resource”
              Alert - Horizon Adapter


              • vCenter Adapter Instance
                • Open the vROPS Manager and navigate to Alerts – Alert Definitions
                • Click on the +
                • Enter a Name – AD_vCenter_Adapter
                • Under the Base Object Type Select –  vCenter Server
                • Under the Alert Impact
                  • Impact – Health
                  • Criticality – Symptom Based
                  • Alert Type and Subtype – Virtualization/Hypervisor: Availability
                  • Wait Cycle – 1
                  • Cancel Cycle – 1
                • Under Add Symptom Definitions
                  • Defined on – Self
                  • Symptom Definition Type – Metric /Property
                  • In the search box enter the previously created Symptom Definition – SD_vCenter_Adapter_Avail
                • Under Add Recommendations – Search and Select “Check if the resources are available. If it isn’t restart it. If it is available check the network connectivity between the remote checks and the resource”
              Alert - vCenter Adapter
              • View POD
                • Open the vROPS Manager and navigate to Alerts – Alert Definitions
                • Click on the +
                • Enter a Name – AD_View_PODS
                • Under the Base Object Type Select –  View Pod
                • Under the Alert Impact
                  • Impact – Health
                  • Criticality – Symptom Based
                  • Alert Type and Subtype – Virtualization/Hypervisor: Availability
                  • Wait Cycle – 1
                  • Cancel Cycle – 1
                • Under Add Symptom Definitions
                  • Defined on – Self
                  • Symptom Definition Type – Metric /Property
                  • In the search box enter the previously created Symptom Definition – SD_View_POD_Avail
                • Under Add Recommendations – Search and Select “Check if the resources are available. If it isn’t restart it. If it is available check the network connectivity between the remote checks and the resource”
              Alert - View POD
              • VSAN Adapter Instance
                • Open the vROPS Manager and navigate to Alerts – Alert Definitions
                • Click on the +
                • Enter a Name – AD_VSAN_Adapter
                • Under the Base Object Type Select –  vSAN Adapter Instance
                • Under the Alert Impact
                  • Impact – Health
                  • Criticality – Symptom Based
                  • Alert Type and Subtype – Virtualization/Hypervisor: Availability
                  • Wait Cycle – 1
                  • Cancel Cycle – 1
                • Under Add Symptom Definitions
                  • Defined on – Self
                  • Symptom Definition Type – Metric /Property
                  • In the search box enter the previously created Symptom Definition – SD_VSAN_Adapter_Avail
                • Under Add Recommendations – Search and Select “Check if the resources are available. If it isn’t restart it. If it is available check the network connectivity between the remote checks and the resource”
              Alert - VSAN Adapter

              Notifications

              We will create four Notification Rules: for the Horizon Adapter, the Horizon POD (as it collects data), the vCenter instances and the VSAN Adapter. The four rules for email alerts are listed together below:

              Custom Notification Rules
              • Rule – Horizon Adapter Instance is down
                • Open the vROPS Manager and navigate to Alerts – Notification Settings
                • Click on the +
                • Enter a Name – _Horizon_Adapter is down
                • Under Method Select – Standard Email Plugin
                • Instance – SMTP (previously configured)
                • Enter Recipients – Email Address
                • Notification Trigger – Alert Definition
                • Add the previously created _AD_Horizon_Adapter
              Notification - Horizon Adapter

              • Rule – vCenter Adapter Instance is down
                • Open the vROPS Manager and navigate to Alerts – Notification Settings
                • Click on the +
                • Enter a Name – _vCenter_Adapter is down
                • Under Method Select – Standard Email Plugin
                • Instance – SMTP (previously configured)
                • Enter Recipients – Email Address
                • Notification Trigger – Alert Definition
                • Add the previously created _AD_vCenter_Adapter
              Notification - vCenter Adapter

              • Rule – View POD is down
                • Open the vROPS Manager and navigate to Alerts – Notification Settings
                • Click on the +
                • Enter a Name – _View_POD is down
                • Under Method Select – Standard Email Plugin
                • Instance – SMTP (previously configured)
                • Enter Recipients – Email Address
                • Notification Trigger – Alert Definition
                • Add the previously created _AD_View_PODS
              Notification - View POD

              • Rule – VSAN Adapter is down
                • Open the vROPS Manager and navigate to Alerts – Notification Settings
                • Click on the +
                • Enter a Name – _VSAN_Adapter is down
                • Under Method Select – Standard Email Plugin
                • Instance – SMTP (previously configured)
                • Enter Recipients – Email Address
                • Notification Trigger – Alert Definition
                • Add the previously created _AD_VSAN_Adapter
              Notification - VSAN Adapter

              I hope you find this post useful and that it helps you improve monitoring/alerting of your vROPS Management Packs. A big thanks to Gagik Manukyan for demonstrating the ability to configure this in our internal setup.

              Thanks,
              Aresh Sarkari

              VMware Horizon TrueSSO – Configuration for High Availability and Redundancy

              13 Apr

              In this post I will demonstrate the configuration required to deploy the VMware Enrollment Servers for high availability and redundancy. This includes two Certificate Authorities (CAs) and Enrollment Servers.

              TrueSSO Availability and Redundancy


              My colleague Tarique Chowdhury has an excellent post on the TrueSSO Lab Setup. However, that deployment covers a single Enrollment Server and Certificate Authority Server.

              This post is not a replacement for the Setting Up TrueSSO guide on VMware Pubs. However, the two sections below complement it; for everything else, follow the setup guide/blogs:

              Certificate deployment – Enrollment Agent (Computer).

              By deploying the Enrollment Agent (Computer) certificate onto this server, we authorize this ES to act as an Enrollment Agent and generate certificates on behalf of users.

              The Enrollment Agent (Computer) certificate from both Certificate Authority servers needs to be added. They are added one by one. The Personal –> Certificate store on the ES should look like below:

              Enrollment Agent (Computer)

              Configure TrueSSO on the Horizon Connection Servers:

              Step1: Add both Enrollment Servers (ES) – Once the ES are added to the environment, we are able to query them about the domain and relevant True SSO info.

              vdmutil --authAs username --authDomain askaresh --authPassword password --truesso --environment --add --enrollmentServer tsso1.askaresh.com,tsso2.askaresh.com

              Adding ES

              Step2 – List both newly deployed Enrollment Servers – This returns info about the various components of the environment, which will be useful for configuring True SSO.

              vdmutil --authAs username --authDomain askaresh --authPassword password --truesso --environment --list --enrollmentServer tsso1.askaresh.com --domain askaresh.com

              vdmutil --authAs username --authDomain askaresh --authPassword password --truesso --environment --list --enrollmentServer tsso2.askaresh.com --domain askaresh.com

              Listing ES

              Step3 – Add the Connector for TrueSSO – A True SSO Connector is a configuration set where we specify details like the ES(s), CA(s) and a Certificate Template to use for a certain domain. When a Horizon CS gets a request to launch a desktop for an AD user, it looks up the True SSO Connector for the domain the user belongs to and uses the components specified there to obtain a certificate on behalf of the user.

              vdmutil --authAs username --authDomain askaresh --authPassword password --truesso --create --connector --domain askaresh.com --template TrueSSO --primaryEnrollmentServer tsso1.askaresh.com --secondaryEnrollmentServer tsso2.askaresh.com --certificateServer MSSUBCA01-CA,MSSUBCA02-CA --mode enabled

              TrueSSO Connector

              Step4 – List the SAML Authenticator available in Horizon environment – A SAML Authenticator contains the trust and metadata exchange between Horizon View and vIDM. To use True SSO, we need to identify the correct SAML Authenticator and enable True SSO.

              vdmutil --authAs username --authDomain askaresh --authPassword password --truesso --list --authenticator

              Listing SAML

              Step5 – Enable TrueSSO for the SAML Authenticator

              vdmutil --authAs username --authDomain askaresh --authPassword password --truesso --authenticator --edit --name VIDM-PROD --truessoMode ENABLED

              Enable TrueSSO

              Step6 – Check the status on the Horizon Administrator Dashboard
              TrueSSO Dashboard
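
Steps 1 to 5 above, wrapped so that the administrator password never appears on the command line or in shell history. This is an added example, not part of the original post: per VMware's vdmutil documentation, passing * to --authPassword makes vdmutil prompt for the password (here once per call). The Invoke-Vdmutil helper is hypothetical and assumes vdmutil is on the PATH of a Connection Server and returns a non-zero exit code on failure.

```powershell
# Added example: TrueSSO HA configuration with a prompted password.
# Server, domain, template, CA and authenticator names are the ones used in the post.
$AuthAs     = 'username'
$AuthDomain = 'askaresh'
$Domain     = 'askaresh.com'
$Es1        = 'tsso1.askaresh.com'
$Es2        = 'tsso2.askaresh.com'

function Invoke-Vdmutil {
    # Hypothetical helper: prepends the authentication options and stops on failure.
    param([Parameter(Mandatory)][string[]]$Arguments)

    # '*' makes vdmutil prompt for the password instead of taking it from the arguments
    $auth = @('--authAs', $AuthAs, '--authDomain', $AuthDomain, '--authPassword', '*')
    & vdmutil @auth @Arguments

    # Assumption: vdmutil signals failure through a non-zero exit code
    if ($LASTEXITCODE -ne 0) {
        throw "vdmutil failed (exit code $LASTEXITCODE): $($Arguments -join ' ')"
    }
}

# Step 1: register both Enrollment Servers
Invoke-Vdmutil @('--truesso', '--environment', '--add',
                 '--enrollmentServer', "$Es1,$Es2")

# Step 2: list what each Enrollment Server reports for the domain
foreach ($es in $Es1, $Es2) {
    Invoke-Vdmutil @('--truesso', '--environment', '--list',
                     '--enrollmentServer', $es, '--domain', $Domain)
}

# Step 3: create the connector with primary/secondary ES and both CAs
Invoke-Vdmutil @('--truesso', '--create', '--connector', '--domain', $Domain,
                 '--template', 'TrueSSO',
                 '--primaryEnrollmentServer', $Es1,
                 '--secondaryEnrollmentServer', $Es2,
                 '--certificateServer', 'MSSUBCA01-CA,MSSUBCA02-CA',
                 '--mode', 'enabled')

# Step 4: list the SAML authenticators to find the one to enable
Invoke-Vdmutil @('--truesso', '--list', '--authenticator')

# Step 5: enable TrueSSO on the chosen authenticator
Invoke-Vdmutil @('--truesso', '--authenticator', '--edit',
                 '--name', 'VIDM-PROD', '--truessoMode', 'ENABLED')
```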

              I hope you find these steps useful during the TrueSSO Availability and Redundancy configurations.

              Thanks,
              Aresh

              Automating Desktop Pool creation using PowerCLI – VMware Horizon 7.x

              17 Jan

              Desktop pool creation using PowerCLI and a JSON file is by far the most powerful and advanced way of creating desktop pools in Horizon 7.x in an automated way.

              Before you begin with the script and JSON file, make sure you have read the blog post “Automating VMware Horizon 7 with VMware PowerCLI 6.5” by Graeme Gordon. It explains step by step how to prepare the machine and execute PowerCLI.

              The following is the script (save it as desktoppool.ps1). Executing it invokes the desktop pool creation using the advanced function of the module – New-HVPool -spec 'path to InstantClone.json file'

              PowerCLI Script for Desktop Pool:

              ################################################################################
              # Create a Linked Clone Desktop Pool in Horizon using PowerCLI and Defining parameters in JSON
              ################################################################################

              #region variables
              ################################################################################
              #                                    Variables                                 #
              ################################################################################
              $cs = 'cs1-1.domain.com' #Horizon Connection Server (CS)
              $csUser = 'aresh' #User account to connect to CS; make sure you have the necessary permissions
              $csPassword = 'abc1234' #Password for user to connect to Connection Server (sample value)
              $csDomain = 'domain' #Domain for user to connect to Connection Server
              #endregion variables

              #region initialize
              ################################################################################
              #                                    Initialize                                #
              ################################################################################
              # --- Initialize All PowerCLI Modules ---
              #Importing the Hv.Helper Module for Horizon
              Get-Module -ListAvailable 'VMware.Hv.Helper' | Import-Module

              # Connect to Horizon Connection Server API Service
              $hvServer1 = Connect-HVServer -Server $cs -User $csUser -Password $csPassword -Domain $csDomain

              # --- Display Available Methods for interacting with the API Service ---
              $Services1 = $hvServer1.ExtensionData

              #endregion initialize

              #region logic
              ################################################################################
              #                                Main-Logic                                    #
              ################################################################################

              # --- Create the pool ---
              New-HVPool -spec 'C:\temp\DesktopPool\LinkedClone.json'

              # --- Disconnect from Horizon API Service ---
              # -Confirm:$false suppresses the interactive confirmation prompt
              Disconnect-HVServer -Server $cs -Confirm:$false
              #endregion logic

              Now let’s take a look at the JSON file for Linked Clone Desktops, as all the advanced parameters for the desktop pool creation are defined here. The effort of entering the parameters needs to be performed once; usually 70% of the parameters are standard across all the pools. During new pool creation only 5-7 parameters need to change and the rest can remain as-is.

              Note – I have entered parameters based on my requirements; feel free to modify the values. (Copy/paste the below into a JSON editor to make sure the editing is in the correct format. Save the file as LinkedClone.json):

              Linked Clone JSON – (All parameters should be configured through JSON)

              {
                   "Base": {
                       "Name": "Aresh-Test",
                       "DisplayName": "Aresh linkedclone pool",
                       "AccessGroup": "Root",
                       "Description": "Created linked clone pool from PowerCLI"
                   },
                   "DesktopSettings": {
                       "enabled": true,
                       "deleting": false,
                       "connectionServerRestrictions": null,
                       "logoffSettings": {
                           "powerPolicy": "TAKE_NO_POWER_ACTION",
                           "automaticLogoffPolicy": "AFTER",
                           "automaticLogoffMinutes": 4320,
                           "allowUsersToResetMachines": true,
                           "allowMultipleSessionsPerUser": false,
                           "deleteOrRefreshMachineAfterLogoff": "REFRESH",
                           "refreshOsDiskAfterLogoff": "NEVER",
                           "refreshPeriodDaysForReplicaOsDisk": 5,
                           "refreshThresholdPercentageForReplicaOsDisk": 10
                       },
                       "displayProtocolSettings": {
                           "supportedDisplayProtocols": ["RDP",
                           "PCOIP",
                           "BLAST"],
                           "defaultDisplayProtocol": "BLAST",
                           "allowUsersToChooseProtocol": true,
                           "pcoipDisplaySettings": {
                               "renderer3D": "DISABLED",
                               "enableGRIDvGPUs": false,
                               "vRamSizeMB": 96,
                               "maxNumberOfMonitors": 2,
                               "maxResolutionOfAnyOneMonitor": "WQXGA"
                           },
                           "enableHTMLAccess": true
                       },
                       "flashSettings": {
                           "quality": "NO_CONTROL",
                           "throttling": "DISABLED"
                       },
                       "mirageConfigurationOverrides": {
                           "overrideGlobalSetting": false,
                           "enabled": false,
                           "url": null
                       }
                   },
                   "Type": "AUTOMATED",
                   "AutomatedDesktopSpec": {
                       "ProvisioningType": "VIEW_COMPOSER",
                       "VirtualCenter": "10.x.x.x",
                       "UserAssignment": {
                           "UserAssignment": "FLOATING",
                           "AutomaticAssignment": true
                       },
                       "VmNamingSpec": {
                           "NamingMethod": "PATTERN",
                           "PatternNamingSettings": {
                               "NamingPattern": "HZ-W10-{n:fixed=3}",
                               "MaxNumberOfMachines": 1,
                               "NumberOfSpareMachines": 1,
                               "ProvisioningTime": "UP_FRONT",
                               "MinNumberOfMachines": null
                           },
                           "SpecificNamingSpec": null
                       },
                       "VirtualCenterProvisioningSettings": {
                           "EnableProvisioning": true,
                           "StopProvisioningOnError": true,
                           "MinReadyVMsOnVComposerMaintenance": 0,
                           "VirtualCenterProvisioningData": {
                               "Template": null,
                               "ParentVm": "W101607-STD1",
                               "Snapshot": "v1",
                               "Datacenter": "vRack-Datacenter",
                               "VmFolder": "GM_MasterImages",
                               "HostOrCluster": "vcore1c2-0-cluster",
                               "ResourcePool": "vcore1c2-0-cluster"
                           },
                           "VirtualCenterStorageSettings": {
                               "Datastores": [{
                                   "Datastore": "vsanDatastore",
                                   "StorageOvercommit": "UNBOUNDED"
                               }],
                               "UseVSan": true,
                               "ViewComposerStorageSettings": {
                                   "UseSeparateDatastoresReplicaAndOSDisks": false,
                                   "ReplicaDiskDatastore": null,
                                   "UseNativeSnapshots": false,
                                   "SpaceReclamationSettings": {
                                       "ReclaimVmDiskSpace": false,
                                       "ReclamationThresholdGB": null,
                                       "BlackoutTimes": null
                                   },
                                   "PersistentDiskSettings": {
                                       "RedirectWindowsProfile": false,
                                       "UseSeparateDatastoresPersistentAndOSDisks": null,
                                       "PersistentDiskDatastores": null,
                                       "DiskSizeMB": null,
                                       "DiskDriveLetter": null
                                   },
                                   "NonPersistentDiskSettings": {
                                       "RedirectDisposableFiles": false,
                                       "DiskSizeMB": null,
                                       "DiskDriveLetter": null
                                   }
                               },
                               "ViewStorageAcceleratorSettings": {
                                   "useViewStorageAccelerator": true,
                                   "viewComposerDiskTypes": "OS_DISKS",
                                   "regenerateViewStorageAcceleratorDays": 7,
                                   "BlackoutTimes": null
                               }
                           },
                           "VirtualCenterNetworkingSettings": {
                               "Nics": [{
                                   "Nic": "nicName",
                                   "NetworkLabelAssignmentSpecs": [{
                                       "Enabled": false,
                                       "networkLabel": null,
                                       "maxLabelType": null,
                                       "maxLabel": null
                                   }]
                               }]
                           }
                       },
                       "VirtualCenterManagedCommonSettings": {
                           "TransparentPageSharingScope": "VM"
                       },
                       "CustomizationSettings": {
                           "CustomizationType": "QUICK_PREP",
                           "DomainAdministrator": "viewcomposer-svc",
                           "AdContainer": "OU=HZ-AWF,OU=BLR,OU=Computers",
                           "ReusePreExistingAccounts": false,
                           "NoCustomizationSettings": null,
                           "SysprepCustomizationSettings": {
                               "customizationSpec": null
                           },
                           "QuickprepCustomizationSettings": {
                               "PowerOffScriptName": null,
                               "PowerOffScriptParameters": null,
                               "PostSynchronizationScriptName": null,
                               "PostSynchronizationScriptParameters": null
                           },
                           "CloneprepCustomizationSettings": null
                       }
                   },
                   "ManualDesktopSpec": null,
                   "RdsDesktopSpec": null,
                   "GlobalEntitlementData": null,
                   "NetBiosName": "domain"
              }

              The parameters are self-explanatory; they are exactly the same as those shown in the Horizon Administrator UI during desktop pool creation. If you need any additional information on the parameters, refer to the VMware View API explorer for more details.
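
A variant of desktoppool.ps1 that prompts for the credential instead of storing it in the script, and checks LinkedClone.json before anything is sent to the Connection Server. This is an added example, not the author's script: Test-PoolSpec and its checks (typographic quotes left by copy/paste, and the sample placeholders 10.x.x.x, nicName and domain still in place) are hypothetical helpers built around the sample file above.

```powershell
# Added example: credential prompt plus a pre-flight check of the pool spec.
param(
    [string]$ConnectionServer = 'cs1-1.domain.com',
    [string]$SpecPath         = 'C:\temp\DesktopPool\LinkedClone.json'
)
$ErrorActionPreference = 'Stop'

function Test-PoolSpec {
    # Hypothetical helper: returns a list of problems; an empty result means the spec passed.
    param([Parameter(Mandatory)][string]$Path)

    $problems = [System.Collections.Generic.List[string]]::new()
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        $problems.Add("Spec file not found: $Path")
        return $problems
    }

    $raw = Get-Content -LiteralPath $Path -Raw
    # Copy/paste from a web page often leaves typographic quotes, which are not valid JSON
    if ($raw -match '[\u201C\u201D\u2018\u2019]') {
        $problems.Add('Spec contains typographic quotes; replace them with plain " characters.')
    }

    try   { $spec = $raw | ConvertFrom-Json }
    catch { $problems.Add("Spec is not valid JSON: $($_.Exception.Message)"); return $problems }

    if ([string]::IsNullOrWhiteSpace($spec.Base.Name)) {
        $problems.Add('Base.Name is empty.')
    }
    if ($spec.Type -eq 'AUTOMATED' -and $null -eq $spec.AutomatedDesktopSpec) {
        $problems.Add('Type is AUTOMATED but AutomatedDesktopSpec is null.')
    }

    # Placeholder values from the sample file that must be replaced per environment
    if ($spec.AutomatedDesktopSpec.VirtualCenter -eq '10.x.x.x') {
        $problems.Add('AutomatedDesktopSpec.VirtualCenter is still the placeholder 10.x.x.x.')
    }
    if ($spec.NetBiosName -eq 'domain') {
        $problems.Add('NetBiosName is still the placeholder "domain".')
    }
    $nics = $spec.AutomatedDesktopSpec.VirtualCenterProvisioningSettings.VirtualCenterNetworkingSettings.Nics
    foreach ($nic in @($nics)) {
        if ($null -ne $nic -and $nic.Nic -eq 'nicName') {
            $problems.Add('A Nic entry is still the placeholder "nicName".')
        }
    }
    return $problems
}

$problems = @(Test-PoolSpec -Path $SpecPath)
if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
    throw 'Pool spec rejected; nothing was sent to the Connection Server.'
}

Import-Module VMware.Hv.Helper

# Prompt for the account (DOMAIN\user) so no password is stored in the script file
$credential = Get-Credential -Message "Horizon administrator for $ConnectionServer"
$hvServer   = Connect-HVServer -Server $ConnectionServer -Credential $credential
try {
    New-HVPool -Spec $SpecPath
}
finally {
    # Always release the API session, even if pool creation fails
    Disconnect-HVServer -Server $ConnectionServer -Confirm:$false
}
```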

              I hope you will find this script and method useful in Automating the Desktop Pool Creation in Horizon. If you have further questions leave a comment or DM on twitter.

              Thanks,
              Aresh Sarkari

              Troubleshooting Horizon TrueSSO aka Horizon Enrollment Server like a Ninja!

              10 Oct

              If you have deployed the Horizon TrueSSO feature within your environment, the most obvious question is how to troubleshoot issues. Let me give you some tips and tricks around troubleshooting the TrueSSO, aka Enrollment Server, feature:

              • If you have two teams, one managing Active Directory/Certificate Services and the other managing the Horizon infrastructure, the following tips are for the Horizon admins. Install the Microsoft RSAT tools on your domain-joined machine or Enrollment Servers and install the AD Certificate Services Tools. This gives you the ability to see the following snap-ins in read-only mode:
                • Enterprise PKI – Allows you to check the CDP and CRL and Issuing CA Status
                • Certificate Templates – TrueSSO, Enrollment Agent (Computer) Templates etc.

              • Make sure to enable Trace logging on the Enrollment Servers and the Horizon Agent (within the master image) during troubleshooting. It will provide additional details on the error message
                • [HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware VDM]
                  "debugEnabled"="true"
                  "traceEnabled"="true"
                • How to know whether the end users logged in via TrueSSO – Interactive_SmartCard_Logon will be visible in the Horizon Agent logs (if Trace logging is enabled)
                • If TrueSSO is not used and SAML – CLEAR(Text)_PASSWORD is used, you will receive the following in the Horizon Agent logs (if trace is enabled)
              • If you have two Issuing CAs for high availability and redundancy, make sure you import the TrueSSO template on the other Issuing CA by clicking Certificate Templates > New > Certificate Template to Issue, selecting “TrueSsoTemplate” from the “Enable Certificate Templates” dialog and pressing “OK”. If you skip this step, the Horizon Administrator dashboard will complain – The primary and secondary enrollment server is not connected to the certificate servers “XXXXXX”
              • Read and learn to use the VMware Fling es_diag.exe. It provides a lot of information from the Horizon Enrollment Server standpoint and equips you to troubleshoot issues with Certificate Servers.
                • /ListConfigs
                • /ListEnvironment
                • /EnrollmentTest
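
The trace-logging tip above as a script that records the previous registry values, enables debug and trace, searches the agent logs for the TrueSSO logon marker, and then puts the values back so verbose logging is not left on in the master image. This is an added example, not part of the original post: the function names are hypothetical, the log folder is an assumed default, and the marker string is the one named in the post.

```powershell
# Added example: temporary trace logging with restore, plus a search for the TrueSSO marker.
$VdmKey     = 'HKLM:\SOFTWARE\VMware, Inc.\VMware VDM'
$ValueNames = 'debugEnabled', 'traceEnabled'

function Enable-VdmTrace {
    # Returns the previous values (or $null if a value did not exist) for later restore.
    $previous = @{}
    foreach ($name in $ValueNames) {
        $current = Get-ItemProperty -Path $VdmKey -Name $name -ErrorAction SilentlyContinue
        $previous[$name] = if ($current) { $current.$name } else { $null }
        Set-ItemProperty -Path $VdmKey -Name $name -Value 'true' -Type String
    }
    return $previous
}

function Restore-VdmTrace {
    param([Parameter(Mandatory)][hashtable]$Previous)
    foreach ($name in $Previous.Keys) {
        if ($null -eq $Previous[$name]) {
            # The value did not exist before troubleshooting, so remove it again
            Remove-ItemProperty -Path $VdmKey -Name $name -ErrorAction SilentlyContinue
        }
        else {
            Set-ItemProperty -Path $VdmKey -Name $name -Value $Previous[$name] -Type String
        }
    }
}

function Get-LogonMarker {
    param(
        # Assumption: default Horizon log folder; adjust if logs are redirected
        [string]$LogDirectory = "$env:ProgramData\VMware\VDM\logs",
        # Marker named in the post for a TrueSSO (certificate) logon
        [string[]]$Markers = @('Interactive_SmartCard_Logon')
    )
    Get-ChildItem -Path $LogDirectory -Filter '*.log' -File |
        Select-String -Pattern $Markers -SimpleMatch |
        Select-Object Path, LineNumber, Pattern, Line
}

# Run elevated on the Enrollment Server or on a desktop built from the master image
$saved = Enable-VdmTrace
try {
    Read-Host 'Trace enabled. Reproduce the logon, then press Enter'
    $hits = @(Get-LogonMarker)
    if ($hits.Count -eq 0) {
        Write-Warning 'No TrueSSO logon marker found; the session may have used a password logon.'
    }
    $hits | Format-Table -AutoSize
}
finally {
    Restore-VdmTrace -Previous $saved
}
```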

              My colleague Tarique Chowdhury has posted a few troubleshooting steps in the following post; the section “Testing” provides more details on what to look for in the logs.

              Log Entries 1
              Log Entries 2

              I hope you find this post useful during the Horizon TrueSSO aka Enrollment Server troubleshooting.

              Thanks,
              Aresh Sarkari

              Top 10 lessons during Horizon TrueSSO deployment aka Horizon Enrollment Servers

              6 Oct

              I recently got an opportunity to deploy VMware Horizon TrueSSO within our environment. TrueSSO provides users with the True SSO (single sign-on) feature: after users log in to VMware Identity Manager (Workspace ONE) using RSA SecurID authentication (optional), they are not required to enter Active Directory credentials in order to use a virtual desktop or hosted application.

              Let me share my top 10 lessons learnt from the deployment:

              1. In a production deployment, it is recommended to size the Enrollment Server Windows VM the same as the Connection Server (the ES role is not very resource intensive)
                • CPU – 4 vCPU
                • Memory – 10 GB RAM
                • HDD – 80 GB
              2. Make sure the “Group Scope” is selected as “Universal” for the  Active Directory Group in which the Enrollment Server – Computer Account is added
              3. On the newly created TrueSSO template (SmartCard Login and Client Authentication) make sure under the Security Tab “Authenticated Users” group has Read permissions and The Active Directory group for the Enrollment Servers (Computer Account) has Read and Enroll
              4. If you are deploying more than one Enrollment Server, go into the Horizon ADAM database and add the following value to load balance between the two Enrollment Servers:
                cs-view-certsso-enable-es-loadbalance=true
              5. For large-scale AD deployments, it is recommended to add the registry value “ConnectToDomains”=domainname.com under the following key:
                HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware VDM\Enrollment Service

                ConnectToDomain
              6. On the template to be used for TrueSSO, make sure you have selected the check box “Do not store certificate and request in the CA database”, and run the following command on the CA server:
                certutil -setreg DBFlags +DBFLAGS_ENABLEVOLATILEREQUESTS

                TrueSSO Template Properties
              7. To support Smartcard Logon the following Requirements must be met by the Domain Controller or Kerberos Authentication Certificate:
                • Template name should be Domain Controller or Kerberos Authentication Certificate
                  Kerberos Template Properties
                • DNS Name should be selected under Subject Name
                  Subject Name Properties
                • Key Usage Extension should be “Digital Signature” and “Key Encipherment”
                  Key Usage Extension
              8. Make sure the CA issuing the Domain Controller certificates meets the following requirements (use GPOs to deploy the below)
                • Add the Root Certificate to the Enterprise NTAuth Store
                • Add the Root Certificate to Trusted Root Certification Authorities
                • Add an Intermediate Certificate to Intermediate Certification Authorities
              9. Use the True SSO Diagnostic Utility Fling to troubleshoot Enrollment Server, Active Directory PKI Settings and Enterprise CA
              10. On the Domain Controllers, under the registry location HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\NTAuth\Certificates
                A key with the “Issuing CA Certificate” thumbprint needs to be created on all the domain controllers participating in TrueSSO. Ideally, if steps 7 and 8 are done correctly, you should not run into this problem. (In our case we had to open a Microsoft case to get this resolved, as we were receiving KDC errors.)
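One way to verify lessons 7, 8 and 10 on every domain controller in one pass. This is an added example, not part of the original post; the DC names and both thumbprints are placeholders, and it assumes PowerShell remoting to the DCs and a two-tier PKI where the issuing CA is the intermediate:

```powershell
# Added example. Replace the placeholders below with your own values.
$DomainControllers   = 'dc1.example.com', 'dc2.example.com'   # assumption
$RootCaThumbprint    = '<ROOT-CA-THUMBPRINT>'                  # placeholder
$IssuingCaThumbprint = '<ISSUING-CA-THUMBPRINT>'               # placeholder

$check = {
    param($Root, $Issuing)
    $ntAuth = 'HKLM:\SOFTWARE\Microsoft\EnterpriseCertificates\NTAuth\Certificates'
    $need   = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]'DigitalSignature, KeyEncipherment'

    # Lesson 7: count machine certificates whose Key Usage has both required
    # bits and which carry a Subject Alternative Name extension (OID 2.5.29.17).
    $usable = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $cert = $_
        $ku = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension]
        }
        $ku -and (($ku.KeyUsages -band $need) -eq $need) -and $cert.Extensions['2.5.29.17']
    })

    [pscustomobject]@{
        RootInTrustedRoot      = Test-Path "Cert:\LocalMachine\Root\$Root"    # lesson 8
        IssuingInIntermediate  = Test-Path "Cert:\LocalMachine\CA\$Issuing"   # lesson 8
        IssuingInNTAuthKey     = Test-Path (Join-Path $ntAuth $Issuing)       # lesson 10
        CertsWithRequiredUsage = $usable.Count                                # lesson 7
    }
}

# Run the same check on each DC; PSComputerName is added by Invoke-Command.
Invoke-Command -ComputerName $DomainControllers -ScriptBlock $check `
        -ArgumentList $RootCaThumbprint, $IssuingCaThumbprint |
    Sort-Object PSComputerName |
    Format-Table PSComputerName, RootInTrustedRoot, IssuingInIntermediate,
                 IssuingInNTAuthKey, CertsWithRequiredUsage -AutoSize
```

A DC that shows False in the IssuingInNTAuthKey column, or 0 usable certificates, is the one to look at first when KDC errors appear.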

              My colleague Tarique Chowdhury has written three awesome blog posts on the TrueSSO feature; make sure to check them out:

              Introduction https://blogs.vmware.com/euc/2016/03/true-sso-single-sign-on-view-identity-manager-authenticate.html

              Advance https://blogs.vmware.com/euc/2017/02/horizon-7-sso-advanced-features.html

              Setting up in Lab https://blogs.vmware.com/euc/2016/04/true-sso-setting-up-in-a-lab.html

              I hope you find this post useful during the Horizon TrueSSO deployment.

              Thanks,
              Aresh Sarkari

              Horizon 7.2 – RDS Farm with View Composer fails on “Customizing”

              21 Jul

              While creating an RDSH Farm in Horizon 7.2 using View Composer – Linked Clones and Custom Specification Manager, the creation would fail on “Customization” within the View Administrator console. Upon investigation within vCenter, the Windows Server 2012 R2 RDS Session Host VMs were not getting a valid IP and were receiving 169.x.x.x APIPA addresses.

              After researching quite a bit the most common solution to the problem was:

              • Un-install and re-install VMware Tools
              • Un-install and re-install Horizon Agent 7.2 on RDS Master Image

              After performing the above two steps the issue completely changed from getting 169.x.x.x APIPA address to a proper DHCP server routable address. However, we are getting a different error this time:

              “Windows could not finish configuring the system after a generalized sysprep”.

              windows error-sysprep

              Final Solution

              Within the master image we were using the McAfee VSE Agent Patch 7 as the antivirus protection. This particular version was causing sysprep to fail during customization.

              After following the McAfee KB below and installing VSE Patch 9, the error was resolved and customization of the RDS VM as per the Custom Specification Manager was successful.

              Reference Link:
              Windows could not finish configuring the system (Sysprep fails when VirusScan Enterprise Patch 7/8 is included in a Windows installation image)

              I hope this solution will save you time in getting the Horizon 7.2 RDSH Farm created quickly.

              Thanks,
              Aresh

              Error accessing iOS devices – VMware Horizon View 7.x and F5 BIG IP APM 12.x

              6 Feb

              If you have recently upgraded to Horizon 7.x and use BIG IP APM version 12.1, you may find that your Apple iPad and iOS devices don’t work. The following error message is shown on the Horizon View Client. (Screenshot from iPad)

              iPad Error

              Error: The Horizon server connection failed. Error the connection timed out.

              Resolution:
              In our scenario all the other devices such as Android, Windows etc. were working fine. To fix this problem we had to create a new F5 iRule (name it F5-APM-iOS-fix):

              when HTTP_REQUEST {
                  # If the client sent an Origin header, strip it from the request
                  if { [HTTP::header "Origin"] ne "" } {
                      HTTP::header remove "Origin"
                  }
              }
              Note: Make sure you apply this iRule on the existing Horizon View iApp, or else it will not allow you to apply the iRule and you may get an error message.

              Reference KB Article:
              K84958121:
              Accessing VMware Horizon 7 through the BIG-IP APM system

              Thanks,
              Aresh

              Collect Horizon View Connection Server Logs in vRealize Log Insight

              12 May

              If you are using the VMware Horizon View Content Pack for Log Insight, it will capture the Connection Server logs (Log-Date.txt, Debug-Date.txt, etc.). However, it doesn’t work out of the box by deploying the Content Pack alone: you will have to apply the View GPO (vdm_common.adm) to the Connection Servers in order to get the logs captured by Log Insight. In our scenario, without the GPO it was only able to capture the Windows Event logs (Application, System and Security).

              You need to perform the following steps:

              1. Download the Horizon 6 View GPO Bundle (VMware-Horizon-View-Extras-Bundle-3.5.0-2999900.zip) from https://my.vmware.com Downloads section. The Build number will depend on your version of Horizon View
              2. Extract the View Common Configuration Template (vdm_common.adm) from the zip bundle and copy it over to the domain controller
              3. Create a new OU, name it e.g. ViewServers, and move all the Connection Server machine accounts into that OU
              4. Open gpmc.msc on the domain controller, go to the newly created OU (ViewServers), choose “Create a new GPO and link it here”, name the GPO ViewLoginsight and then click on Edit
              5. Go to Computer Configuration –> Policies –> Administrative Templates right click open “Add/Remove Templates” to import the vdm_common.adm file.
              6. Go to Computer Configuration –> Policies –> Administrative Templates –> Classic Administrative Templates (ADM) –> VMware View Common Configuration –> Log Configuration
              7. Select “Send Logs to Syslog server”, choose Enabled, and under “Send logs to Syslog Server” type Debug|LogInsightIPAddress (e.g. Debug|10.10.10.1, Info|10.10.10.1, Trace|10.10.10.1)
              8. On the Connection Server VM, navigate to %ProgramData%\VMware\Log Insight Agent\ and make sure the entry shown in step 10 is present.
              9. Open the liagent.ini file in any text Editor (Notepad, Notepad ++ etc.)
              10. Add the following configuration parameters to the file
                [filelog|ViewMain]
                
                directory="C:\ProgramData\VMware\VDM\logs"
                include=log-*.txt;debug-*.txt
                exclude=wsnm_starts.txt
                Note: We are only capturing the logs from Connection Server and not from the View Agent (deployed on the desktops). We have removed the pcoip_server and pcoip_agent from the default string as mentioned under Tech Specs in Solution Exchange portal page.
              11. Save and Restart the VMware Log Insight Agent service.

              You will be able to see the Horizon View Connection Server logs getting captured to the Log Insight Manager: (Example below)

              CSLoginsight

              There is also a detailed blog post on this topic by one of my colleagues, Sivaprasad; click on this link – http://incloudnet.com/2015/01/08/view-loginsight-support/

              Thanks,
              Aresh

              Monitoring Horizon View Connection Server LDAP Replication

              29 Feb

              If you wish to monitor the LDAP replication traffic between the Horizon View Connection Servers (CS) in your environment, simply run the following command against each of the replicating CS individually. Note: Run the command on a CS, or make sure Windows Remoting is enabled so it can be executed from a remote machine.
              CON1:

              repadmin /showrepl con1.example.com:389 /errorsonly
              

              repadmin
              If you get the above response, it means inbound/outbound replication is successful on this CS.

              Suppose you have 4 CS within your environment and you would like to monitor the replication across all of them. One could ‘Schedule a Task’ to check replication between the CS every 4 hours and send the report to the concerned monitoring team for further action. In my case, I am running this command from a remote machine which has SMTP enabled to send emails.


              CON1 – CON4:

              repadmin /showrepl con1.example.com:389 /errorsonly
              repadmin /showrepl con2.example.com:389 /errorsonly
              repadmin /showrepl con3.example.com:389 /errorsonly
              repadmin /showrepl con4.example.com:389 /errorsonly

              Type these commands into Notepad and save the file as a batch file named ‘replication.cmd’.
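A PowerShell version of the scheduled check that runs the same repadmin command against each CS, flags failures and mails the report. This is an added example, not the batch file from the original post; the SMTP server, mail addresses and script path are placeholders, and it assumes repadmin.exe is on the PATH of the monitoring machine:

```powershell
# Added example. Placeholders (assumptions): SMTP host, addresses, script path.
# Schedule every 4 hours, e.g.:
#   schtasks /Create /TN "CS-LDAP-Replication" /SC HOURLY /MO 4 ^
#     /TR "powershell.exe -NoProfile -File C:\Scripts\Check-CsReplication.ps1"
$ConnectionServers = 'con1.example.com', 'con2.example.com',
                     'con3.example.com', 'con4.example.com'
$LdapPort   = 389                          # 22389 when checking with CPA enabled
$SmtpServer = 'smtp.example.com'           # placeholder
$MailFrom   = 'horizon-monitor@example.com'
$MailTo     = 'monitoring-team@example.com'

$report   = New-Object System.Collections.Generic.List[string]
$failures = 0

foreach ($cs in $ConnectionServers) {
    # 2>&1 keeps error output (for example a failed LDAP bind) in the report.
    $output = @(& repadmin.exe /showrepl "${cs}:$LdapPort" /errorsonly 2>&1 |
                ForEach-Object { "$_" })
    $exit = $LASTEXITCODE

    # repadmin reports a failing partner as "Last attempt @ <time> failed, result <code>".
    $failed = @($output | Where-Object { $_ -match 'failed, result \d+' })

    if ($exit -ne 0 -or $failed.Count -gt 0) {
        $failures++
        $report.Add("[FAIL] $cs (exit code $exit, $($failed.Count) failing partner(s))")
    } else {
        $report.Add("[ OK ] $cs")
    }
    $report.Add(($output -join "`r`n"))
    $report.Add('')
}

# Put the verdict in the subject so the team can triage without opening the mail.
$subject = if ($failures) { "Horizon CS LDAP replication: $failures server(s) with errors" }
           else           { 'Horizon CS LDAP replication: OK' }

Send-MailMessage -From $MailFrom -To $MailTo -Subject $subject `
                 -Body ($report -join "`r`n") -SmtpServer $SmtpServer
exit $failures   # non-zero exit marks the scheduled task run as failed
```

A CS that cannot be reached at all is counted as a failure through the exit code, so a stopped ADAM instance does not pass silently as "no errors".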

              How to check Outbound Partners of Connection Server
              In case you want to see the outbound replication partners of the CS, you will have to run the following command on each server. (By default, inbound is always visible.)

              repadmin /showrepl con1.example.com:389 /repsto
              


              How to check replication status with Cloud Pod Architecture enabled
              The only difference when testing the replication of CS with CPA is the port number; you will have to run the following command:

              repadmin /showrepl con1.example.com:22389
              


              This was a quick way to monitor the LDAP replication between CS!

              Thanks,
              Aresh

              Installing Horizon View Connection Server 6.2.2 (Replica Server)

              16 Feb

              In this blog post I will be capturing the steps involved in the installation of Replica Connection Servers. The post is mainly for people who want to have a glance at the installation steps for Horizon 6 View Connection Server (64 bit) 6.2.2 – Build Number: 3508079

              View experts please skip this post, if you are already familiar with the steps.

              Installation of the Replica Horizon 6 Connection Server

              Step 1: Right click on the Connection Server package and select ‘Run as Administrator’

              View-CS-Replica

              Step 2: Click on ‘Next’. The version number shows as ‘6.2.2’

              View-CS-Replica

              Step 3: Click on ‘I accept the terms in the license agreement’ and select ‘Next’

              View-CS-Replica

              Step 4: Leave the installation in the default directory and select ‘Next’

              View-CS-Replica

              Step 5: This is the Replica (Second) Connection Server of the environment select ‘Horizon 6 Replica Server’ and ‘Install HTML Access’. ‘IPv4’ is selected by default and click on ‘Next’

              View-CS-Replica

              Step 6: Enter the FQDN of the primary Connection Server ‘con1.example.com’

              View-CS-Replica

              Step 7: Click ‘Configure Windows Firewall automatically’ and select ‘Next’

              View-CS-Replica

              Step 8: Click on ‘Install’ to begin installing Connection Server

              View-CS-Replica

              Step 9: Watch the Progress

              View-CS-Replica

              Step 10: Uncheck ‘Show the readme files’ and click on ‘Finish’

              View-CS-Replica

              Step 11: On your desktop there will be an Icon ‘Horizon 6 Administrator’

              View-CS-Replica

              Step 12: Enter the ‘Username’ and ‘Password’

              View-CS-Replica

              Check out the next blog posts:
              Installing Horizon View Connection Server 6.2.2 (Standard Server)
              Installing Horizon View Composer Server 6.2.2

              Thanks,
              Aresh