
Horizon Group Policy and Profiles


Roaming Profiles Overview

VMware has three options for persisting user settings when the user logs off:

  • View Persona can be used for virtual desktops. This is preferred over Microsoft’s roaming profiles. There is no confirmed date but Persona Management will be going away in the future.
  • Microsoft Roaming Profiles – View Persona is not supported on Remote Desktop Session Host or Windows 10 so use Microsoft’s native roaming profiles instead.
    • Microsoft’s Roaming Profiles do not merge settings from multiple sessions so if you have users connecting to multiple RDS farms then each RDS farm should have separate roaming profile shares.
  • User Environment Manager – If you are licensed for Horizon Enterprise then you can use VMware’s User Environment Manager. This is a very configurable product that is generally preferred over Persona and Microsoft Roaming Profiles. It works on both virtual desktops and Remote Desktop Session Hosts.
    • User Environment Manager runs on top of other profile solutions. User Environment Manager can run on top of mandatory profiles so that anything not saved by User Environment Manager is discarded on logoff.
    • Or you can use User Environment Manager to persist settings for specific applications and use roaming profiles (Persona or Microsoft) to persist the remaining settings.
    • VMware has published a KB article 2118056 Migrate VMware Persona Management to VMware User Environment Manager.

Roaming Profiles File Shares

File Shares Summary

Detailed steps for creating the profile shares are detailed in the next sections. This section provides a summary of the required shares.

  • In general, DFS Namespaces are supported for each of these shares but the namespace must point to only one target (no multi-master replication).
  • The User Environment Manager Configuration folder can be replicated.
  • Folder Redirection should be configured for all roaming profile methods. You can either create a new file share or you can redirect profile folders to the users’ home directories.

For All Profile Types, if you are not redirecting profile folders to the users’ home directories then create one file share for Folder Redirection:

  • \\server\Redirect
    • Admins = Full Control
    • Users = Read/Execute, Create Folders – this folder only
    • Creator Owner = Full Control

If User Environment Manager, create two file shares:

  • \\server\UEMConfig – stores UEM configuration
    • UEM Admins = Full Control
    • UEM Users = Read
    • UEM Support = Read
  • \\server\UEMProfiles
    • UEM Admins = Full Control
    • UEM Support = Modify
    • UEM Users = Read/Execute, Create Folders – this folder only
    • Creator Owner = Full Control

If View Persona, create one file share for each operating system and bitness:

  • \\server\PersonaWin7x64
    • Persona Admins = Full Control
    • Persona Users = Read/Execute, Create Folders – this folder only
    • Creator Owner = Full Control
  • \\server\PersonaWin10x64
    • Persona Admins = Full Control
    • Persona Users = Read/Execute, Create Folders – this folder only
    • Creator Owner = Full Control

If Microsoft Roaming Profiles, create multiple file shares. Each RDS farm needs a separate profile share.

  • \\server\RDSProfiles1
    • View Admins = Full Control
    • View Users = Read/Execute, Create Folders – this folder only
    • Creator Owner = Full Control
  • \\server\RDSProfiles2
    • View Admins = Full Control
    • View Users = Read/Execute, Create Folders – this folder only
    • Creator Owner = Full Control

Create and Share the Folders

  1. On your file server, make sure file and printer sharing is enabled.
  2. On the file server that will host the file share, create a new folder and name it PersonaWin10x64, RDSProfilesFarm1, UEMConfig, UEMProfiles, or similar. If you need both Persona and Microsoft roaming profiles, create separate folders for each. If using UEM, create the UEM shares as summarized earlier.
  3. Open the folder’s Properties.
  4. On the Sharing tab, click Advanced Sharing.
  5. Check the box to share the folder.
  6. Click Permissions.
  7. Give Full Control to Everyone. Click OK.
  8. For Persona and RDSProfiles shares, click Caching.
  9. Select No files or programs. Click OK and then click Close.

Folder Permissions

The following procedure works for any of the profile and redirection folders listed in the file shares summary except for the UEMConfig folder.

Lieven D’hoore has published a script that automates this: VMware Horizon View – Script to create Persona Management Repositories, Shares and Permissions.

  1. Open the properties of the new shared folder.
  2. On the Security tab, click Edit.
  3. For the Everyone entry, remove Full Control and Modify. Make sure Write is enabled so users can create new folders.
  4. Add CREATOR OWNER and give it Full Control. This grants users Full Control of the folders they create. Click OK.
  5. Now click Advanced.
  6. Highlight the Everyone permission entry and click Edit.
  7. Change the Applies to selection to This folder only. Click OK three times. This prevents the Everyone permission from flowing down to newly created profile folders.

VMware Fling – Horizon View Persona Management Share Validation Tool:

  1. Download the tool and extract it.
  2. From a command line, run VMWVvpValidator.exe with the share parameter, the path to the Persona or RDSProfiles share, and the group that should have access to the share.
  3. This will create a VMWVvpValidator.txt file in the same folder that contains the executable. Open it.
  4. Scroll down and there should be no errors. If there are, fix them as detailed in the report.

Access Based Enumeration

Also enable access based enumeration. With this setting enabled, users can only see folders to which they have access.

  1. In Server Manager, on the left, click File and Storage Services.
  2. If you don’t see Shares then you probably need to reboot.
  3. Right-click the new share and click Properties.
  4. On the Settings page, check the box next to Enable access-based enumeration.
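The three sections above (create and share the folder, set the NTFS permissions, enable access-based enumeration) can be done in one script. This is an added example, not a script from the article; the local path D:\Shares and the group names CORP\Persona Users and CORP\Persona Admins are placeholders for your own, and it grants the groups from the file shares summary rather than Everyone.

```powershell
# Added example (not from the original article): creates one profile or redirection share with the
# share-level, NTFS and access-based-enumeration settings described above. Run elevated on the file server.
# Assumptions (placeholders): D:\Shares as the local root, CORP\Persona Users / CORP\Persona Admins as the groups.
param(
    [string]$ShareName   = 'PersonaWin10x64',
    [string]$Root        = 'D:\Shares',
    [string]$UsersGroup  = 'CORP\Persona Users',
    [string]$AdminsGroup = 'CORP\Persona Admins'
)

$Path = Join-Path $Root $ShareName
New-Item -ItemType Directory -Path $Path -Force | Out-Null

# Share permissions: Everyone = Full Control, as in the article. The NTFS ACL below does the real restriction.
# CachingMode None       = the "No files or programs" offline setting
# FolderEnumerationMode  = AccessBased turns on access-based enumeration for this share
New-SmbShare -Name $ShareName -Path $Path -FullAccess 'Everyone' `
    -CachingMode None -FolderEnumerationMode AccessBased | Out-Null

# NTFS permissions. Inheritance is removed first so nothing from the parent folder flows into profile folders.
#   (OI)(CI)      = this folder, subfolders and files
#   (OI)(CI)(IO)  = subfolders and files only (what CREATOR OWNER gets, so users own what they create)
#   no flags      = this folder only (users may list the root and create their own folder, nothing more)
#   RX = Read & Execute, AD = Create Folders / Append Data
icacls $Path /inheritance:r | Out-Null
icacls $Path /grant "${AdminsGroup}:(OI)(CI)F" | Out-Null
icacls $Path /grant "CREATOR OWNER:(OI)(CI)(IO)F" | Out-Null
icacls $Path /grant "${UsersGroup}:(RX,AD)" | Out-Null

# Show the result so it can be compared against the summary (or run the VMware share validation Fling)
icacls $Path
Get-SmbShare -Name $ShareName | Select-Object Name, Path, CachingMode, FolderEnumerationMode
```

Run the VMware share validation tool against the new share afterwards; it checks the same ACL shape the script sets.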

GPO Templates

Windows Group Policy Templates

Unfortunately there are some differences between the GPO templates for 2012 R2 and the GPO templates for Windows 8.1/10. You’ll need to download the full set of templates.

Follow the procedure at http://www.carlstalhood.com/group-policy-objects-vda-computer-settings/#admtemp to download and install the Administrative Templates for Windows 10.

Horizon View Templates

Some of the policy settings in this topic require loading templates from Horizon 6 View GPO Bundle, which can be downloaded from VMware.com.

User Environment Manager Templates

If you are licensed for User Environment Manager, copy the templates to PolicyDefinitions.

  1. Go to the extracted User Environment Manager files and in the Administrative Templates (ADMX) folder, copy the files and the folder.
  2. Go to your sysvol (e.g. \\corp.local\sysvol) and in the corp.local\Policies folder, if you have a PolicyDefinitions folder, paste the files in this folder.
  3. If you don’t have PolicyDefinitions in your sysvol then you can alternatively paste them to C:\Windows\PolicyDefinitions on the machine where you are running Group Policy Management Console. However, if you edit group policy from a different machine then you’ll need to copy the files there too.

Create Group Policy Objects

  1. Within Active Directory Users and Computers, create a parent Organizational Unit (OU) to hold all Horizon View computer objects (virtual desktops and Remote Desktop Session Hosts).
  2. Then create sub-OUs, one for each pool or RDS Farm.
  3. Move the Horizon 6 Agent machines from the Computers container to one of the OUs created in step 2.
  4. Within Group Policy Management Console, create a Group Policy Object (GPO) called Horizon 6 Agent Computer Settings and link it to the parent OU created in step 1. If this policy should apply to all pools then link it to the parent OU. Or you can link it to pool-specific sub-OUs.

  5. Modify the properties of the GPO, on the Details tab, so that the User Configuration portion of the GPO is disabled. User settings do not belong in this GPO.
  6. Create and link two new GPOs to the Session host OU (in addition to the Horizon 6 Agent Computer Settings GPO). One of the GPOs is called Horizon 6 Agent All Users (including admins) and the other is called Horizon 6 Agent Non-Admin Users (lockdown). The Non-Admin Users GPO can either be linked to the parent OU or to the session host sub-OUs. Locking down sessions is more common for Remote Desktop Session Hosts.

  7. Modify the properties of both of these GPOs and disable the Computer Configuration portion of the GPO.
  8. Click the Horizon 6 Agent Non-Admin Users GPO to highlight it.
  9. On the right, switch to the Delegation tab and click Add.
  10. Find your Horizon Admins group and click OK.
  11. Change the Permissions to Edit settings and click OK.
  12. Then on the Delegation tab click Advanced.
  13. For Horizon Admins, place a check mark in the Deny column for the Apply Group Policy permission. If desired, you can also deny the GPO to Domain Admins and Enterprise Admins. Click OK.
  14. Click Yes when asked to continue.
  15. For the other two GPOs, add Horizon Admins with Edit Settings, but don’t deny Apply Group Policy. The deny entry is only needed on the Lockdown GPO.
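The GPO framework from steps 4 to 15 as a script. This is an added example, not code from the article; the parent OU distinguished name and the group name Horizon Admins are assumptions, and the GPOs are linked to the parent OU only (link the lockdown GPO to session host sub-OUs instead if you prefer). The Deny for Apply Group Policy is not exposed by Set-GPPermission, so it is written as a Deny ACE on the GPO's Active Directory object, which is exactly what GPMC does behind the Delegation tab.

```powershell
# Added example (not from the original article): creates the three Horizon 6 Agent GPOs, disables the
# unused half of each, delegates Edit to Horizon Admins and denies Apply Group Policy on the lockdown GPO.
# Assumptions: OU=Horizon,DC=corp,DC=local and the group name 'Horizon Admins' are placeholders.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$ParentOU   = 'OU=Horizon,DC=corp,DC=local'
$AdminGroup = 'Horizon Admins'

# Computer-settings GPO: user half disabled (step 5)
$comp = New-GPO -Name 'Horizon 6 Agent Computer Settings'
$comp.GpoStatus = 'UserSettingsDisabled'
New-GPLink -Name $comp.DisplayName -Target $ParentOU | Out-Null

# Two user GPOs: computer half disabled (steps 6-7)
$allUsers = New-GPO -Name 'Horizon 6 Agent All Users'
$lockdown = New-GPO -Name 'Horizon 6 Agent Non-Admin Users'
foreach ($g in $allUsers, $lockdown) {
    $g.GpoStatus = 'ComputerSettingsDisabled'
    New-GPLink -Name $g.DisplayName -Target $ParentOU | Out-Null
}

# Horizon Admins gets Edit settings on all three GPOs (steps 9-11 and 15)
foreach ($g in $comp, $allUsers, $lockdown) {
    Set-GPPermission -Name $g.DisplayName -TargetName $AdminGroup -TargetType Group `
        -PermissionLevel GpoEdit | Out-Null
}

# Deny "Apply Group Policy" to Horizon Admins on the lockdown GPO only (steps 12-14).
# Apply Group Policy is an AD extended right on the groupPolicyContainer object; its well-known GUID is below.
$applyGroupPolicyRight = [Guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'
$sid = (Get-ADGroup -Identity $AdminGroup).SID
$gpc = Get-ADObject -Identity $lockdown.Path -Properties nTSecurityDescriptor
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Deny,
    $applyGroupPolicyRight)
$gpc.nTSecurityDescriptor.AddAccessRule($ace)
Set-ADObject -Identity $gpc -Replace @{ nTSecurityDescriptor = $gpc.nTSecurityDescriptor }

# Review the resulting delegation; the lockdown GPO should show the admins group with Apply denied
Get-GPPermission -Name $lockdown.DisplayName -All
```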

GPOs for Roaming Profiles (Persona and RDS)

You will need separate profile configurations for each View Agent type (virtual desktops, RDS, operating system version, operating system bitness, etc.). Each profile configuration needs a different GPO. Note: if you are licensed for User Environment Manager then you can skip this section.

  1. Right-click one of the Remote Desktop Session Host sub-OUs and create a new GPO.
  2. Name it Horizon 6 Agent RDS Farm 1 Profiles or similar. This policy will use Microsoft’s native roaming profiles instead of View Persona. Note: each RDS farm should have a separate roaming profile share.
  3. Select the new GPO to highlight it. On the right, on the Delegation tab, add the Horizon Admins group and give it Edit Settings permission.
  4. If you have additional Remote Desktop Session Host sub-OUs (one for each RDS Farm), right-click one of them and create another GPO with a different name. Each RDS Farm needs a different profile path.

  5. Right-click a virtual desktop sub-OU and click Create a GPO in this domain.
  6. Name it Horizon 6 Agent Persona Win7 or similar and click OK. Each operating system version should point to a different file share so include the operating system version in the GPO name.
  7. Select the new GPO to highlight it. On the right, on the Delegation tab, add the Horizon Admins group and give it Edit Settings permission.
  8. If you have additional virtual desktop sub-OUs of the same operating system, right-click the OU and click Link an Existing GPO.
  9. Select the Horizon 6 Agent Persona Win7 GPO and click OK.
  10. For desktop pools running a different operating system, create a new Persona GPO. Each Persona GPO will point to a different share.
  11. Since Windows 10 does not support Persona you’ll need to either use regular Microsoft Roaming Profiles or use VMware User Environment Manager if you are licensed for it.
  12. For the Windows 10 GPO, you can configure the roaming profile path at Computer Config > Policies > Admin Templates > System > User Profiles > Set roaming profile path for all users logging onto this computer. Or you can configure the profile path for each user in Active Directory.
  13. The final group policy object framework will look like this: some GPOs linked to the parent OU and pool-specific GPOs linked to the sub-OUs. Each sub-OU needs different GPOs for different roaming profile configurations.

Agent Computer Settings

These GPO settings should be applied to the Horizon 6 Agents.

General Computer Settings

  1. Right-click the Horizon 6 Agent Computer Settings GPO and click Edit.
  2. Configure the GPO Computer Settings as detailed at http://www.carlstalhood.com/group-policy-objects-vda-computer-settings/#computer.
  3. In addition, VMware 2121183 Response to CVE-2015-4000 (a.k.a., Logjam) for Horizon View and Horizon 6 products has a list of recommended ciphers for Windows. These ciphers are configured at Computer Configuration > Administrative Templates > Network > SSL Configuration Settings > SSL Cipher Suite Order.
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256,
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384,
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256,
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384,
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256,
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384,
    TLS_RSA_WITH_AES_128_CBC_SHA256,
    TLS_RSA_WITH_AES_128_CBC_SHA,
    TLS_RSA_WITH_AES_256_CBC_SHA256,
    TLS_RSA_WITH_AES_256_CBC_SHA,
    TLS_RSA_WITH_RC4_128_SHA
    The article also details how to enable TLS 1.2 in Windows.

Remote Desktop Users Group

  1. Right-click the Horizon 6 Agent Computer Settings GPO and click Edit.
  2. Under Computer Config > Windows Settings > Security Settings, right-click Restricted Groups and click Add Group.
  3. Browse to the group of users (e.g. Domain Users) that will be added to the Remote Desktop Users group on the virtual desktops. Click OK.
  4. In the bottom half of the window, click Add to specify that this group is a member of:
  5. Enter Remote Desktop Users and click OK twice.

User Environment Manager Group Policy

User Environment Manager works for both virtual desktops and Remote Desktop Session Hosts so there’s no need to configure separate profiles for both of those environments.

Also, the User Environment Manager GPO settings are user settings, not computer settings.

From Chris Halstead’s VMware User Environment Manager (UEM) – Part 1 – Overview / Installation and the VMware deployment guide VMware User Environment Manager Deployed in 60 Minutes or Less:

  1. Make sure Prevent access to registry editing tools is not enabled in any GPO. This setting prevents the FlexEngine from operating properly.
  2. User Environment Manager requires one computer setting. Edit the Horizon 6 Agent Computer Settings GPO.
  3. Go to Computer Configuration | Policies | Administrative Templates | System | Logon.
  4. Double-click Always wait for the network at computer startup and logon.
  5. Enable the setting and click OK.
  6. Close the group policy editor.
  7. The remaining settings are user settings. Edit the Horizon 6 Agent All Users GPO. This GPO should apply to the Horizon 6 Agents and Loopback processing should already be enabled on those machines.
  8. Go to User Configuration | Policies | Administrative Templates | VMware UEM | FlexEngine.
  9. If you are running User Environment Manager on top of mandatory profiles then double-click Certificate support for mandatory profiles.
  10. Enable the setting and click OK.
  11. Double-click Flex config files.
  12. Enable the setting.
  13. Enter \\server\uemconfig\general. The general folder will be created by User Environment Manager. Click OK.
  14. Double-click FlexEngine Logging.
  15. Enable the setting.
  16. Enter \\server\uemprofiles\%username%\logs. User Environment Manager will create these folders. Click OK.
  17. Double-click the setting Profile archive backups.
  18. Enable the setting.
  19. Type in \\server\uemprofiles\%username%\backups.
  20. Enter the number of desired backups, check the box for daily backups, and click OK.
  21. Double-click Profile archives.
  22. Enable the setting.
  23. Type in \\server\uemprofiles\%username%\archives and click OK.
  24. Double-click the setting Run FlexEngine as Group Policy Extension.
  25. Enable the setting and click OK.
  26. Go to User configuration | Policies | Windows Settings | Scripts (Logon/Logoff).
  27. Double-click Logoff.
  28. Click Add.
  29. In the Script Name field, enter C:\Program Files\Immidio\Flex Profiles\FlexEngine.exe.
  30. In the Script Parameters field, enter -s.
  31. Click OK.
  32. Click OK.

User Environment Manager is configured in a separate console application. See the instructions at http://www.carlstalhood.com/vmware-user-environment-manager/.

Persona Configuration

This section does not apply to Remote Desktop Session Hosts or Windows 10 Agents.

If you are using User Environment Manager with Mandatory profiles then skip this section.

Roaming profiles (Persona) are optional for persistent virtual desktops. They are most applicable to non-persistent virtual desktops.

  1. VMware article 2105270 – Verify that ICMP is enabled between the View desktop and the domain controller, as well as between the View desktop and the Persona Management Repository.
  2. Edit one of the Horizon 6 Agent Persona GPOs that applies to the virtual desktops (not Remote Desktop Session Hosts).
  3. In the View Desktops GPO, go to Computer Configuration > Policies. Right-click Administrative Templates and click Add/Remove Templates.
  4. Click Add.
  5. Browse to the downloaded Horizon View GPO Bundle 3.5.0. Select the ViewPM.adm file and click Open and then click Close.
  6. Configure the following GPO settings:
    • Administrative Templates | System | User Profiles
      • Add the Administrators security group to roaming user profiles = enabled
      • Do not check for user ownership of Roaming Profile Folders = enabled
  7. Go to Computer Configuration > Policies > Administrative Templates > Classic Administrative Templates > VMware Horizon 6 Agent Configuration > Persona Management > Roaming & Synchronization.
  8. On the right, double-click Manage user persona.
  9. Enable the setting. It defaults to 10 minutes. Click OK.
  10. Double-click Persona repository location and enable the setting.
  11. Enter the path to the file share created for Persona. Append %username%.
  12. Check the box next to Override Active Directory user profile path. Click OK.
  13. Double-click Roam local settings folders and enable it. Click OK.
  14. Double-click Files and folders excluded from roaming and enable it. Then click Show.
  15. Enter the values shown below and then click OK twice.
    $Recycle.Bin
    Tracing
    AppData\LocalLow
    AppData\Local\GroupPolicy
    AppData\Local\Packages
    AppData\Local\Microsoft\Office\15.0\Lync\Tracing
    AppData\Local\Microsoft\Windows\Temporary Internet Files
    AppData\Local\Microsoft\Windows\Burn
    AppData\Local\Microsoft\Windows\CD Burning
    AppData\Local\Microsoft\Windows Live
    AppData\Local\Microsoft\Windows Live Contacts
    AppData\Local\Microsoft\Terminal Server Client
    AppData\Local\Microsoft\Messenger
    AppData\Local\Microsoft\OneNote
    AppData\Local\Microsoft\Outlook
    AppData\Local\Windows Live
    AppData\Local\Temp
    AppData\Local\Sun
    AppData\Local\Google\Chrome\User Data\Default\Cache
    AppData\Local\Google\Chrome\User Data\Default\Cached Theme Images
    AppData\Local\Google\Chrome\User Data\Default\JumpListIcons
    AppData\Local\Google\Chrome\User Data\Default\JumpListIconsOld
    AppData\Roaming\Sun\Java\Deployment\cache
    AppData\Roaming\Sun\Java\Deployment\log
    AppData\Roaming\Sun\Java\Deployment\tmp
  16. Double-click Files and folders excluded from roaming (exceptions) and enable it. Then click Show.
  17. Enter the exceptions shown below and click OK twice.
    AppData\LocalLow\Sun\Java\Deployment\security\exception.sites
    AppData\LocalLow\Sun\Java\Deployment\security\trusted.certs
    AppData\LocalLow\Sun\Java\Deployment\deployment.properties
  18. Configure %AppData%\Thinstall as a folder to background download. If ThinApps are in use, this speeds up ThinApp launch times. If they aren’t, there is no harm done.

RDS Roaming Profiles

This section applies to Remote Desktop Session Hosts, not virtual desktops.

If you are using User Environment Manager with Mandatory profiles then skip this section.

  1. Edit the Horizon 6 Agent RDS Farm1 Profiles GPO.
  2. Configure the following GPO settings.
    • Administrative Templates | System | User Profiles
      • Add the Administrators security group to roaming user profiles = enabled
      • Delete cached copies of roaming profiles = enabled
      • Do not check for user ownership of Roaming Profile Folders = enabled
  3. Go to Computer Configuration > Policies > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Profiles.
  4. On the right, open the setting Set path for Remote Desktop Services Roaming User Profile.
  5. Enable the setting and enter the path to the file share. Do not append %username%.
  6. If you haven’t already done this in a parent OU, also configure the Remote Desktop Services settings as detailed at http://www.carlstalhood.com/group-policy-objects-vda-computer-settings/#computer.
  7. If you wish to enable the Aero style for Remote Desktop Session Host sessions, go to User Configuration > Policies > Administrative Templates > Control Panel > Personalization.
  8. Open the setting Force a specific visual style file.
  9. Enable the setting and enter the following path:
    %windir%\resources\Themes\Aero\aero.msstyles
  10. VMware recommends enabling RunOnce as detailed at http://www.carlstalhood.com/group-policy-objects-vda-user-settings/#runonce.

PCoIP Configuration

Steve Dunne:

Here are some general PCoIP optimization settings:

  1. Right-click the Horizon 6 Agent Computer Settings GPO and click Edit.
  2. In the View Desktops GPO, go to Computer Configuration > Policies. Right-click Administrative Templates and click Add/Remove Templates.
  3. Click Add.
  4. Browse to the downloaded Horizon View GPO Bundle 3.5.0. Select the pcoip.adm file and click Open and then click Close.
  5. Expand Administrative Templates > Classic Administrative Templates > PCoIP Session Variables. Click Overridable Administrator Defaults.
  6. On the right, double-click Configure clipboard redirection.
  7. Enable the setting and select Enabled in both directions. Click OK.
  8. Double-click Configure the PCoIP session audio bandwidth limit. For WAN connection users, VMware recommends setting this to 100 – 150. Or you can start with 300 Kbps and reduce as needed.

USB Redirection Settings

VMware TechPaper USB Device Redirection, Configuration, and Usage in View Virtual Desktops details the following:

  • PCoIP zero clients use a PCoIP virtual channel for USB. No extra network ports needed.
  • All other PCoIP clients, including Windows, Mac, etc., use TCP 32111 between the View Client and the Horizon 6 Agent.
  • If Secure Tunnel is enabled, the USB traffic is sent to the Horizon 6 Security Server on TCP 443. It is then forwarded to the Horizon 6 Agent on 32111.
  • USB performance across the WAN can be slow.
  • Webcams are only supported using RTAV (Real-Time Audio-Video).
  • USB3 uses too much bandwidth for most WANs. USB3 is supported in Horizon 6 Agent 6.0.1 and Horizon Client 3.1.
  • Linux clients do not let you choose USB devices. Instead, all USB devices are redirected.
  • USB device redirection can be filtered. Multi-interface USB devices can be split. See the TechPaper for details.
  • In Horizon 6.1 and Horizon Client 3.3, USB storage devices can be redirected to Remote Desktop Session Host.
  • Client Downloadable only GPO settings are downloaded to the View Client when the View Client first connects to the Horizon 6 Agent.
  • USB GPO Settings on the Horizon 6 Agent can either override or merge the View Client USB GPO settings. Merge means that if View Client settings exist then the Horizon 6 Agent settings are ignored.
  • The Exclude All Devices setting is overridden by other Include
  • USB Redirection logs are located at %PROGRAMDATA%\VMware\VDM\logs\debug-*.txt. Look for <vmware-view-usbd>
  • How to configure USB Redirection rules on Windows, Mac, and Linux.

If you intend to use the Real-Time Audio-Video feature, then disable USB redirection of audio and video so it is instead accessed through the optimized virtual channel. RTAV and USB Redirection do not apply to Remote Desktop Session Host.

You can also use this procedure to block USB storage devices from being mapped.

  1. Right-click the Horizon 6 Agent Computer Settings GPO and click Edit.
  2. In the View Desktops GPO, go to Computer Configuration > Policies. Right-click Administrative Templates and click Add/Remove Templates.
  3. Click Add.
  4. Browse to the downloaded Horizon View GPO Bundle 3.5. Select the vdm_agent.adm file and click Open and then click Close.
  5. Expand Administrative Templates > Classic Administrative Templates > VMware View Agent Configuration and click View USB Configuration.
  6. On the right, double-click Exclude Device Family.
  7. Change the selection to Enabled.
  8. Enter o:audio-in;o:video.
  9. If you want to block USB storage devices, add o:storage to the list. Click OK.

HTML Blast Settings

HTML Blast by default only allows clipboard redirection from client-to-server. This can be changed in group policy.

  1. Right-click the Horizon 6 Agent Computer Settings GPO and click Edit.
  2. In the View Desktops GPO, go to Computer Configuration > Policies. Right-click Administrative Templates and click Add/Remove Templates.
  3. Click Add.
  4. Browse to the downloaded Horizon View GPO Bundle 3.5. Select the vdm_blast.adm file and click Open and then click Close.
  5. Expand Administrative Templates > Classic Administrative Templates and click View Blast.
  6. On the right, double-click Configure clipboard redirection.
  7. Enable the setting and then make your choice. Click OK.

User Lockdown Settings

Edit the Horizon 6 Agent Non-Admin Users GPO and configure the settings detailed at http://www.carlstalhood.com/group-policy-objects-vda-user-settings/#lockdown.

User Application Settings

Edit the Horizon 6 All Users GPO and configure settings for applications (Internet Explorer, Office, etc.) as detailed at http://www.carlstalhood.com/group-policy-objects-vda-user-settings/#ie and http://www.carlstalhood.com/group-policy-objects-vda-user-settings/#office2013.

Redirected Profile Folders

In addition to roaming profiles, also configure Redirected Profile Folders as detailed at http://www.carlstalhood.com/citrix-profile-management/#redirected. Anything redirected will not be copied locally by View Persona, RDS profiles, or VMware UEM.

VMware Flash Optimizer

  1. Horizon 6 Agent installs something called the Flash Optimizer. When a user launches Internet Explorer, a prompt is displayed to Enable the add-on. To get rid of this message, do the following.
  2. We need the add-on CLSID. In Internet Explorer, click the gear icon and click Manage add-ons.

  3. Highlight the VMware Adobe Flash Optimizer and click More information on the bottom left.
  4. Click Copy.
  5. Paste the contents into Notepad. Then look for the Class ID line and copy it.
  6. Edit the Horizon 6 Agent All Users GPO.
  7. Go to User Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer > Security Features > Add-on Management.
  8. On the right, open Add-on List.
  9. Enable the setting and click Show.
  10. In the Value name field, paste in the Class ID, including the curly braces.
  11. In the Value field, enter 1 to force the add-on to be enabled. Click OK twice.


VMware User Environment Manager


Before performing the procedures detailed on this page, make sure you’ve created the GPOs as detailed at http://www.carlstalhood.com/horizon-group-policy-and-profiles/#creategpos and configured the GPOs for User Environment Manager as detailed at http://www.carlstalhood.com/horizon-group-policy-and-profiles/#uempolicy.


Mandatory Profile

If you want to use User Environment Manager with a Mandatory Profile then follow these instructions to create the mandatory profile:

  1. The mandatory profile is stored in a sub-folder of a file share. Either identify an existing file share (e.g. UEMConfig) or create a new file share.
  2. Log in to the Horizon 6 Agent machine as a template account. Do any desired customizations. Log off.
  3. Make sure you are viewing hidden files and system files.
  4. Copy C:\Users\%username% to your fileshare and rename the folder to mandatory.v2 or something similar. It is important that .v2 (or .v3 or .v4 or .v5 depending on the operating system version) is on the end of the path. (e.g. \\fs01\UEMConfig\mandatory.v5).
  5. Note: the mandatory profile must be a subfolder of the file share. You cannot share the mandatory profile directly.
  6. You can copy C:\Users\Default instead of copying a template user. If so, remove the hidden attribute. If you use Default as your mandatory, be aware that Active Setup will run every time a user logs in.
  7. Rename \\fs01\UEMConfig\mandatory.v5\ntuser.dat to ntuser.man.
  8. Delete the NTUSER.DAT log files.
  9. Open the AppData folder and delete the Local and LocalLow folders.
  10. Java settings are stored in LocalLow so you might want to leave them in the mandatory profile. The only Java files you need are the deployment.properties file, the exception.sites file and the security/trusted.certs file. Delete the Java cache, tmp and logs.
  11. Open regedit.exe.
  12. Click HKEY_LOCAL_MACHINE to highlight it.
  13. Open the File menu and click Load Hive.
  14. Browse to the mandatory profile and open NTUSER.MAN in the Mandatory profile folder.
  15. Name it a or similar.
  16. Go to HKLM\a, right-click it and click Permissions.
  17. Add Authenticated Users and give it Full Control. Click OK.
  18. With the hive still loaded, you can do some cleanup in the registry keys. See http://www.robinhobo.com/how-to-create-a-mandatory-profile-with-folder-redirections/ for some suggestions.
  19. Also see How to create a Windows Server 2012 / Windows 8 Mandatory Profile for more profile cleanup.
  20. Highlight HKLM\a.
  21. Open the File menu and click Unload Hive.
  22. Create/Edit a GPO that applies to the Horizon 6 Agents and configure the following GPO settings:
    • Computer Configuration | Policies | Administrative Templates | System | User Profiles
      • Do not check for user ownership of Roaming Profile Folders = enabled
      • Set roaming profile path for all users logging onto this computer = \\fs01\UEMConfig\mandatory (Do not include the .v5 in this path)
    • Computer Configuration | Policies | Administrative Templates | Windows Components | Remote Desktop Services | Remote Desktop Session Host | Profiles
      • Use mandatory profiles on the RD Session Host server = enabled
      • Set path for Remote Desktop Services Roaming User Profile = \\fs01\UEMConfig\mandatory (Do not include the .v5 in this path)
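Steps 2 to 21 above as a script. This is an added example, not from the article: it assumes a template account named tmpl that has already logged off, the share \\fs01\UEMConfig, and a Windows 10 / Server 2016 profile (the .v5 suffix); it keeps the three Java files the article mentions and drops the rest of Local and LocalLow. The GPO settings in step 22 are configured in GPMC as listed.

```powershell
# Added example (not from the original article): builds a mandatory profile for User Environment Manager
# from a template user's local profile. Run elevated on the machine that holds the template profile.
# Assumptions: template account 'tmpl' (logged off), share \\fs01\UEMConfig, profile version .v5.
$Source   = 'C:\Users\tmpl'
$Target   = '\\fs01\UEMConfig\mandatory.v5'   # must be a sub-folder of the share, never the share root
$HiveName = 'a'                               # temporary name for the loaded hive (HKLM\a)

# Copy the profile including hidden and system files; /XJ skips the legacy junction points inside profiles
robocopy $Source $Target /E /R:1 /W:1 /XJ /NFL /NDL | Out-Null
if ($LASTEXITCODE -ge 8) { throw "robocopy failed with exit code $LASTEXITCODE" }

# ntuser.dat -> ntuser.man, then drop the hive transaction logs (ntuser.dat.LOG1/LOG2, *.blf, *.regtrans-ms)
Rename-Item -Path (Join-Path $Target 'ntuser.dat') -NewName 'ntuser.man' -Force
Get-ChildItem -Path $Target -Force -Filter 'ntuser.dat*' | Remove-Item -Force

# Keep only the three Java deployment files from LocalLow, then delete AppData\Local and AppData\LocalLow
$localLow = Join-Path $Target 'AppData\LocalLow'
$javaKeep = 'Sun\Java\Deployment\deployment.properties',
            'Sun\Java\Deployment\security\exception.sites',
            'Sun\Java\Deployment\security\trusted.certs'
$stash = Join-Path $env:TEMP 'mandatory-javakeep'
foreach ($rel in $javaKeep) {
    $src = Join-Path $localLow $rel
    if (Test-Path $src) {
        $dst = Join-Path $stash $rel
        New-Item -ItemType Directory -Path (Split-Path $dst) -Force | Out-Null
        Copy-Item -Path $src -Destination $dst -Force
    }
}
Remove-Item -Path (Join-Path $Target 'AppData\Local'), $localLow -Recurse -Force -ErrorAction SilentlyContinue
if (Test-Path $stash) {
    robocopy $stash $localLow /E /NFL /NDL | Out-Null   # Java cache, tmp and log folders are not restored
    Remove-Item -Path $stash -Recurse -Force
}

# Load the hive, give Authenticated Users Full Control on the root key (inherited), then unload it
reg load "HKLM\$HiveName" (Join-Path $Target 'ntuser.man') | Out-Null
$acl  = Get-Acl -Path "HKLM:\$HiveName"
$rule = New-Object System.Security.AccessControl.RegistryAccessRule(
    'NT AUTHORITY\Authenticated Users', 'FullControl',
    'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path "HKLM:\$HiveName" -AclObject $acl
# Any further registry cleanup of HKLM:\a (step 18) goes here, while the hive is still loaded.
$acl = $rule = $null
[GC]::Collect(); [GC]::WaitForPendingFinalizers()   # release open key handles so the unload does not fail
reg unload "HKLM\$HiveName" | Out-Null
```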

UEM Console Installation

  1. Browse to the extracted User Environment Manager files and run VMware User Environment Manager 8.7 x64.msi.
  2. In the Welcome to the VMware User Environment Manager Setup Wizard page, click Next.
  3. In the End-User License Agreement page, check the box next to I accept the terms and click Next.
  4. In the Destination Folder page, click Next.
  5. In the Choose Setup Type page, click Custom.
  6. In the Custom Setup page, change the selections so that only the console is selected and click Next.
  7. In the Ready to install VMware User Environment Manager page, click Install.
  8. In the Completed the VMware User Environment Manager Setup Wizard page, click Finish.

Configure User Environment Manager

Here is a summary of the major User Environment Manager functionality:

  • Personalization (aka import/export) – saves application and Windows settings to a file share. This is the roaming profiles functionality of User Environment Manager. You configure folders and registry keys that need to be saved. The import/export can happen at logon/logoff or during application launch/exit.
    • Pre-configure application settings – configures files and registry keys for specific applications so users don’t have to do it themselves. Some examples: disable splash screen, default folder save location, database server name, etc.
    • Selfsupport tool – users can use this tool to restore their application settings.
  • User Environment – configures Windows settings like drive mappings, Explorer settings, printer mappings, etc. This is similar to group policy but offers significantly more options for conditional filtering. User Environment Manager can configure any registry setting defined in an ADMX file.
    • User Environment Manager only supports user settings. Computer settings should be configured using group policy.
    • Best practice is to not mix User Environment Manager and user group policy. Pick one tool. If the same setting is configured in both locations then group policy will win.

User Environment Manager documentation can be found at pubs.vmware.com.

VMware has posted several User Environment Manager videos at YouTube.

To perform an initial configuration of User Environment Manager, do the following:

  1. Launch the User Environment Manager Management Console from the Start Menu.
  2. Enter the path to the UEMConfig share and click OK.
  3. These Settings checkboxes define what is displayed in the management console. Leave it set to the defaults and click OK.
  4. In the Personalization ribbon, on the far right, click Easy Start.
  5. Select your version of Office and click OK.
  6. Click OK when prompted that configuration items have been successfully installed.
  7. Review the pre-configured settings to make sure they are acceptable. For example, User Environment Manager might create a Wordpad shortcut (User Environment > Shortcuts) that says (created by VMware UEM).
  8. Go to User Environment > Policy Settings. If there is a setting to Remove Common Program Groups, then click Edit.
  9. Consider adding a condition so it doesn’t apply to administrators.

User Environment Manager 8.7 has a new UEMResult feature that lets you see what settings were applied to the user. The .xml file is only updated at logoff. To enable it for a particular user, go to the user’s Logs folder and create a folder named UEMResult. At logoff, UEM will put an .xml file in this folder. More information is in Appendix G of the User Environment Manager Administrator Guide.

Desktop Redirection

If the Desktop folder is redirected then VMware recommends configuring User Environment Manager to preserve the folder redirection location. Otherwise there could be a timing issue.

  1. On the Personalization tab, click Create Config File.
  2. Select Create a custom config file and click Next.
  3. Give the Config file a name and click Finish.
  4. On the Import/Export tab, configure the registry key as shown below. You can also copy the text from VMware 2118056 Migrate VMware Persona Management to VMware User Environment Manager.

 

UEM Application Profiler

This tool cannot be installed on a machine that has FlexEngine installed:

  1. .NET Framework 3.5 is required.
  2. In the User Environment Manager files, in the Optional Components folder, run VMware UEM Application Profiler 8.7 x64.msi.
  3. In the Welcome to the VMware User Environment Manager Application Profiler Setup Wizard page, click Next.
  4. In the End-User License Agreement page, check the box next to I accept the terms and click Next.
  5. In the Custom Setup page, click Next.
  6. In the Ready to install VMware User Environment Manager Application Profiler page, click Install.
  7. In the Completed the VMware User Environment Manager Application Profiler Setup Wizard page, click Finish.

You may now use the tool to determine where applications store their settings and export a default application configuration that can be pushed out using User Environment Manager.

UEM Support Tool

vDelboy – VMware UEM Helpdesk Support Tool

Do the following to configure the environment for the support tool:

  1. In the User Environment Manager Console, click the star icon on the top left and click Configure Helpdesk Support Tool.
  2. Click Add.
  3. In the Profile archive path field, enter the user folder share (the same one configured in User Environment Manager GPO). At the end of the path, enter \[UserFolder]\Archives.
  4. Check the other two boxes. The paths should be filled in automatically. Make sure they match what you configured in the User Environment Manager GPO. Click OK.
  5. Click Save.
  6. VMware recommends creating a new GPO for the Support Tool. This GPO should apply only to the support personnel.

  7. On the Scope tab, change the filtering so it applies to UEM Support and UEM Admins. If this applies to machines with loopback processing enabled then also add Domain Computers.
  8. Edit the GPO.
  9. Go to User Configuration | Policies | Administrative Templates | VMware UEM | Helpdesk Support Tool.
  10. Double-click the setting UEM configuration share.
  11. Enable the setting and enter the path to the UEMConfig share. Click OK.
  12. Consider enabling the remaining GPO settings. Read the Explain text or refer to the documentation.

Do the following to install the support tool.

  1. .NET Framework 3.5 is required.
  2. Some support tool functions require the FlexEngine to be installed on the help desk machine.
  3. In the extracted User Environment Manager files is an Optional Components folder. From inside that folder run VMware UEM Helpdesk Support Tool 8.7 x64.msi.
  4. In the Welcome to the VMware UEM Helpdesk Support Tool Setup Wizard page, click Next.
  5. In the End-User License Agreement page, check the box next to I accept the terms and click Next.
  6. In the Destination Folder page, click Next.
  7. In the Ready to install VMware UEM Helpdesk Support Tool page, click Install.
  8. In the Completed the VMware UEM Helpdesk Support Tool Setup Wizard page, click Finish.

Once the Helpdesk Support Tool is installed you can launch it from the Start Menu, search for users, and then perform operations on the archives.

Related Pages

VMware Access Point


Overview

Access Point is a replacement for Horizon 6 Security Servers. Advantages include:

  • You don’t need to build extra Connection Servers just for pairing. However, you might want extra Horizon 6 Connection Servers so you can filter pools based on tags.
  • Between Access Point and Horizon 6 Connection Servers you only need TCP 443. No need for IPSec or 4001 or the other ports. You still need 4172, 22443, etc. to the View Agents.
  • No need to enable Gateway/Tunnel on the internal Horizon 6 Connection Servers.

However:

  • It’s Linux so you need some Linux skills.
  • No management GUI. Use REST instead.

Firewall

Open these ports from any device on the Internet to the Access Point Load Balancer VIP:

  • TCP 80
  • TCP 443
  • TCP and UDP 4172. UDP 4172 must be opened in both directions.
  • TCP 8443 (for HTML Blast)

Open these ports from the Access Points to internal:

  • TCP and UDP 4172 (PCoIP) to all internal Horizon View Agents. UDP 4172 must be opened in both directions.
  • TCP 32111 (USB Redirection) to all internal Horizon View Agents.
  • TCP 22443 (HTML Blast) to all internal Horizon View Agents.
  • TCP 9427 (MMR) to all internal Horizon View Agents.

Open these ports from any internal administrator workstations to the Access Point appliance IPs:

  • TCP 9443 (REST API)
  • TCP 80/443 (Edge Gateway)

Network Profile

  1. Before importing the Access Point OVF you will need to configure a Network Profile. In vSphere Web Client, go to the Datacenter object. On the right, switch to the Manage > Network Protocol Profiles tab.
  2. Click the plus icon.
  3. In the Select name and network page, enter a name, select the DMZ VM Network for your Access Point appliance and click Next.
  4. In the Configure IPv4 page, enter the subnet information and Gateway.
  5. Don’t configure an IP pool. Click Next.
  6. In the Ready to complete page, click Finish.

Import OVF

  1. In vSphere Web Client, right-click a cluster and click Deploy OVF Template.

  2. In the Select source page, browse to the .ova file and click Next.
  3. Select a Deployment Configuration. For some reason VMware recommends multiple NICs. It’s more secure to have a single NIC in the DMZ and funnel all traffic through a firewall.
  4. Give the appliance an IP address.
  5. Expand Password Options and enter passwords. Notice the complexity requirements for the passwords. If not complex enough then they won’t work.
  6. For the Horizon server URL, enter the internal load balanced URL for Horizon. For example: https://view.corp.local:443.
  7. For the Horizon server thumbprints, get the thumbprint from the internal View certificate. Open the internal View certificate and on the Details tab copy the Thumbprint.
  8. Go back to the OVF deployment wizard and paste the thumbprint.
  9. At the beginning of the thumbprint there might be a hidden character. Remove it. If you don’t remove it then nothing will work. Click Next.
  10. In the Ready to complete page, finish importing the OVF and power on the appliance.

You can also use the OVFTool to import the OVF. When pasting the thumbprint make sure you remove the hidden character at the beginning.

ovftool --powerOffTarget --powerOn --overwrite --vmFolder=Horizon --net:Internet="VM Network" --net:ManagementNetwork="VM Network" --net:BackendNetwork="VM Network" -ds=datastore1 --name="Access Point" --ipAllocationPolicy=fixedPolicy --deploymentOption=onenic --prop:ip0=192.168.123.187 --prop:viewDestinationURL=https://vcs01.corp.local --prop:adminPassword=P@ssw0rd --prop:rootPassword=P@ssw0rd --prop:viewDestinationURLThumbprints="sha1=b6 77 dc 9c 19 94 2e f1 78 f0 ad 4b ec 85 d1 7a f8 8b dc 34" "\\sql01\bin\VMware\Horizon 6\euc-access-point-2.0.0.0-2939373_OVF10.ova" "vi://corp%5cadmin:P@ssw0rd@vcenter01.corp.local/Datacenter/host/Cluster 1"

Certificate Prep

  1. Create a PEM certificate and unencrypted private key that matches the DNS name that will resolve to the Access Point appliance’s IP address (or load balancing VIP that directs traffic to multiple Access Point appliances).
  2. If your certificate is currently a .pfx file then you’ll first need to convert it to PEM. Install OpenSSL. Then run the following commands. The first command extracts the certificates and key from the .pfx. The second command converts the extracted key to RSA format.
    openssl pkcs12 -in MyCert.pfx -out MyCert.pem -nodes
    
    openssl rsa -in MyCert.pem -out MyCert.key
  3. If you open your RSA private key file and/or certificate with Notepad++, notice they are multi-line. JSON requires them to be converted to single lines with \n between each line. Note: make sure it is an RSA PRIVATE KEY. If it doesn’t say RSA then it won’t work.
  4. Look at the bottom of Notepad++ to determine the EOL type. If Dos\Windows, highlight the entire key or certificate and do a Replace All in Extended mode. Replace \r\n with \\n.

  5. If UNIX, highlight the entire key or certificate and do a Replace All in Extended mode. Replace \n with \\n.

  6. Wherever there used to be a newline it should now be \n and the entire key or certificate should be on one line.

  7. Repeat for both the private key and certificates. If your server certificate was signed by an intermediate, convert the intermediate to a single line too.

REST Configuration – Certificate

  1. If you point your browser to https://MyApplianceIP:9443/rest/swagger.yaml it should bring up a list of supported REST commands.

  2. If you scroll down to CertificateChainAndKeyWrapper, notice that it wants the server certificate first, and then intermediate certificate after it.
  3. In Google Chrome, install the Postman application.
  4. To launch Postman, look in your taskbar for the Chrome App Launcher. Then run Postman.

  5. In Postman, change Authorization from No Auth to Basic Auth.
  6. In Postman, configure the Authorization section with the appliance’s REST API credentials. All Postman operations must include the Authorization header.
  7. In Postman, configure a PUT operation to https://MyApplianceIP:9443/rest/v1/config/certs/ssl.
  8. Set the Body to raw > JSON.
  9. JSON objects are enclosed in braces. When you enter the left brace, Postman should add the second brace automatically.
  10. The two parameters are privateKeyPem and certChainPem. Each parameter name is enclosed in quotes. Then put a colon after each parameter name.
  11. For privateKeyPem, copy and paste the single-line PEM private key prepared earlier. The entire single-line private key should be enclosed in quotes.
  12. Make sure there’s a comma at the end of each parameter, except the last parameter. The comma is after the quotes.
  13. For certChainPem, first copy/paste the server certificate. Make sure there’s a \n at the end of the server certificate.
  14. Then copy/paste the intermediate certificate immediately after the first (server) certificate. Both certificates should be on the same line and enclosed in the same quotes.
  15. Don’t put a comma after the last parameter.
  16. Click Send. You should get a 200 response and a JSON containing the certificate. If you don’t get a 200 response then check /opt/vmware/gateway/logs/admin.log on the appliance. See the Logs section for more details.
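The Notepad++ conversion from Certificate Prep and the JSON body assembled in the PUT steps above, done in code so the result can be checked before it is sent. This is an added example, not part of the original article or any VMware tool; the file contents below are constructed placeholders and MyApplianceIP is the same placeholder the article uses.

```python
"""Build the JSON body for the Access Point certificate PUT.

Added example, not VMware's code. It turns the multi-line PEM private key and
certificates produced by the openssl commands into the single-line
privateKeyPem / certChainPem values that
PUT https://MyApplianceIP:9443/rest/v1/config/certs/ssl expects, and tidies the
SHA-1 thumbprint that the OVF import and the edgeservice PUT both need.
Sample PEM contents below are constructed placeholders, not real key material.
"""
import json
import re

RSA_KEY_BEGIN = "-----BEGIN RSA PRIVATE KEY-----"
RSA_KEY_END = "-----END RSA PRIVATE KEY-----"
CERT_BEGIN = "-----BEGIN CERTIFICATE-----"
CERT_END = "-----END CERTIFICATE-----"


def to_single_line(pem_block: str) -> str:
    """Normalise DOS (\\r\\n) or UNIX (\\n) line endings, drop blank lines and
    rejoin with real newlines; json.dumps later escapes each of them as the
    literal \\n the appliance wants. A trailing newline is kept."""
    lines = [ln.strip() for ln in pem_block.replace("\r\n", "\n").split("\n")]
    return "\n".join(ln for ln in lines if ln) + "\n"


def extract_blocks(pem_text: str, begin: str, end: str) -> list:
    """Return every begin..end block in pem_text, in file order, each cleaned.
    Anything outside the markers (e.g. the Bag Attributes that
    'openssl pkcs12' prints) is discarded."""
    pattern = re.compile(re.escape(begin) + r".*?" + re.escape(end), re.S)
    return [to_single_line(m.group(0)) for m in pattern.finditer(pem_text)]


def key_is_rsa(key_pem: str) -> bool:
    """True only if the file holds exactly one 'RSA PRIVATE KEY' block. A
    'BEGIN PRIVATE KEY' (PKCS#8) file still needs the 'openssl rsa' step."""
    return len(extract_blocks(key_pem, RSA_KEY_BEGIN, RSA_KEY_END)) == 1


def build_cert_payload(key_pem: str, server_cert_pem: str, intermediate_pem: str = "") -> str:
    """Return the JSON body for the certs/ssl PUT: server certificate first,
    then the intermediate(s), all inside one certChainPem string."""
    if not key_is_rsa(key_pem):
        raise ValueError("private key must be a single RSA PRIVATE KEY block")
    chain = extract_blocks(server_cert_pem, CERT_BEGIN, CERT_END)
    if len(chain) != 1:
        raise ValueError("server certificate file must contain exactly one certificate")
    chain += extract_blocks(intermediate_pem, CERT_BEGIN, CERT_END)
    body = {
        "privateKeyPem": extract_blocks(key_pem, RSA_KEY_BEGIN, RSA_KEY_END)[0],
        "certChainPem": "".join(chain),
    }
    # json.dumps escapes each real newline as \n, so both values end up on one line
    return json.dumps(body)


def clean_thumbprint(raw: str) -> str:
    """Return the thumbprint as 'sha1=b6 77 ...'. Strips the hidden character
    (typically the left-to-right mark U+200E) copied from the Windows
    certificate dialog, plus spaces, colons or an existing sha1= prefix."""
    text = re.sub("[\u200e\u200f\u200b\ufeff]", "", raw).strip()
    if text.lower().startswith("sha1="):
        text = text[5:]
    hex_digits = re.sub(r"[^0-9a-fA-F]", "", text)
    if len(hex_digits) != 40:
        raise ValueError("SHA-1 thumbprint must be 40 hex digits, got %d" % len(hex_digits))
    return "sha1=" + " ".join(hex_digits[i:i + 2].lower() for i in range(0, 40, 2))


# Constructed sample input (placeholder text, not real key material). The key
# file uses DOS line endings and carries Bag Attributes like 'openssl pkcs12' output.
SAMPLE_KEY = "\r\n".join([
    "Bag Attributes",
    "    localKeyID: 01 02 03",
    RSA_KEY_BEGIN,
    "MIIEpAIBAAKCAQEAplaceholderKeyLine1",
    "placeholderKeyLine2",
    RSA_KEY_END,
    "",
])
SAMPLE_SERVER_CERT = "\n".join([CERT_BEGIN, "MIIDplaceholderServerCert", CERT_END, ""])
SAMPLE_INTERMEDIATE = "\n".join([CERT_BEGIN, "MIIDplaceholderIntermediateCert", CERT_END, ""])
# Thumbprint from the article, with the hidden U+200E the Windows dialog prepends
SAMPLE_THUMBPRINT = "\u200eb6 77 dc 9c 19 94 2e f1 78 f0 ad 4b ec 85 d1 7a f8 8b dc 34"

if __name__ == "__main__":
    print(build_cert_payload(SAMPLE_KEY, SAMPLE_SERVER_CERT, SAMPLE_INTERMEDIATE))
    print(clean_thumbprint(SAMPLE_THUMBPRINT))
```

Paste the printed JSON into the Postman body as-is; the thumbprint line is what goes into viewDestinationURLThumbprints for the OVF import and the edgeservice PUT.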


REST Configuration – External URLs

  1. To see the current View Edge Service configuration, do a GET to https://MyApplianceIP:9443/rest/v1/config/edgeservice. By default the External URLs won’t be configured.

  2. To configure the External URLs, configure another PUT to https://MyApplianceIP:9443/rest/v1/config/edgeservice/view.
  3. See pubs.vmware.com for sample JSON.
  4. You must specify the Thumbprint again. This is the same one specified during the import of OVF. If you don’t specify it then it is erased when you click Send.
  5. The proxyPattern parameter is missing from the documentation. Set it to "/|/downloads(.*)". The appliance already has default patterns for /broker and /xmlapi so there’s no need to include them here. /downloads is included so users can download the Horizon Client from the Horizon 6 Connection Server.
  6. The pcoipExternalUrl parameter is incorrect in the documentation. Do not include https:// at the beginning of the URL.
  7. Click Send. You should get a 200 response.
  8. In your Horizon 6 Connection Servers, there is no need to enable any of the Gateways.


Logs

If you are having trouble with the appliance then you can review the logs at /opt/vmware/gateway/logs. You can less these logs from the appliance console.

Or you can point your browser to https://MyApplianceIP:9443/rest/v1/monitor/support-archive. This will download a .zip file with all of the logfiles. Much easier to read in a GUI text editor.

For initial configuration problems, check out admin.log.

For Horizon View brokering problems, check out esmanager.log.

VMware Horizon 6 Composer


Planning

vCenter Server planning:

  • A single vCenter Server can handle 10,000 VMs. However, this is a single point of failure. VMware recommends separate vCenter servers for each 2,000 VMs. More vCenter Servers means more concurrent vCenter operations, especially if your pools are configured for Refresh on Logoff.
  • Each ESXi cluster is managed by one vCenter Server.
  • Don’t use existing vCenter servers. Build separate vCenter servers for the vSphere clusters that host Agent VMs. Horizon licensing includes vCenter licenses so there’s no excuse not to use separate vCenter servers.

Horizon Composer server planning:

  • Each vCenter Server requires its own View Composer. There’s a one-to-one mapping.
  • View Composer cannot be installed on a Horizon 6 Connection Server.
  • View Composer server with 2 vCPU, 4 GB RAM can support up to 2,000 virtual machines with up to 1,000 per pool.
  • View Composer server with 4 vCPU, 10 GB RAM can support up to 10,000 virtual machines with up to 2,000 per pool.

A remote SQL Server is needed for databases:

  • vCenter database
  • Horizon Composer database
  • Horizon Events database
  • Supported SQL versions are listed at pubs.vmware.com.

SQL Server Preparation

Only SQL Authentication is supported.

  1. Open the properties of the SQL Server.
  2. On the Security page, make sure SQL Server authentication is enabled.
  3. Create a new SQL database for View Composer.
  4. Call it VMwareViewComposer or similar. Then switch to the Options page.
  5. Select your desired Recovery model and click OK.
  6. View Composer only supports SQL authentication on remote SQL servers. Expand Security, right-click Logins and click New Login to create a new SQL login.
  7. Name the new account.
  8. Select SQL Server authentication.
  9. Enter a password for the new account.
  10. Uncheck the box next to Enforce password policy.
  11. Then switch to the User Mapping page.
  12. On the User Mapping page, check the Map box for VMwareViewComposer.
  13. On the bottom, check the box for the db_owner role and click OK.

.NET Framework 3.5.1

  1. Composer requires .NET Framework 3.5.1, which is not installed by default on Windows Server 2012 R2. In Server Manager, open the Manage menu and click Add Roles and Features.
  2. In the Before You Begin page, click Next.
  3. In the Select installation type page, click Next.
  4. In the Select destination server page, click Next.
  5. In the Select server roles page, click Next.
  6. In the Select features page, expand .NET Framework 3.5 features and select .NET Framework 3.5. Click Next.
  7. In the Confirm installation selections page, click Specify an alternate source path. Note: you will need the Windows Server 2012 R2 media.
  8. Enter the path to the \sources\sxs folder on the Windows Server 2012 R2 media and click OK.
  9. Then click Install.
  10. In the Results page, click Close.

SQL Native Client

  1. On the View Composer server, run sqlncli.msi.
  2. In the Welcome to the Installation Wizard for SQL Server 2012 Native Client page, click Next.
  3. In the License Agreement page, select I accept and click Next.
  4. In the Feature Selection page, click Next.
  5. In the Ready to Install the Program page, click Install.
  6. In the Completing the SQL Server 2012 Native Client installation page, click Finish.

ODBC

  1. On the View Composer server, run ODBC Data Sources (64-bit).
  2. On the System DSN tab, click Add.
  3. Select SQL Server Native Client and click Finish.
  4. Enter the name ViewComposer for the DSN and enter the SQL server name. Click Next.
  5. Change the selection to With SQL Server authentication and enter the credentials of the new ViewComposer SQL account. Then click Next.
  6. Check the box next to Change the default database and select the VMwareViewComposer database. Then click Next.
  7. Click Finish.
  8. Click OK twice.

Install – Composer

  1. Don’t install on Horizon 6 Connection Server: View Composer cannot be installed on the Horizon 6 Connection Server. They must be separate machines. View Composer is typically installed on vCenter server for less than 1000 linked clones.
  2. Extra Memory for vCenter: If you install View Composer on a vCenter server, VMware recommends adding 8 GB of RAM to the server. See VMware 2105261 Intermittent provisioning issues and generic errors when Composer and vCenter Server are co-installed.
  3. vCenter Service Account: If you install View Composer on a vCenter server, log in as the same account that was used to install vCenter. See VMware 2017773 Installing or upgrading View Composer fails with error: The wizard was interrupted before VMware View Composer could be completely installed.
  4. Internet access for CRL checking: If the View Composer server does not have Internet access, see VMware 2081888 Installing Horizon View Composer fails with the error: Error 1920 Service VMware Horizon View Composer (svid) failed to start.
  5. Install: Go to the downloaded View Composer 6.2 and run VMware-viewcomposer-6.2.0.exe.
  6. In the Welcome to the Installation Wizard for VMware Horizon 6 Composer page, click Next.
  7. In the License Agreement page, select I accept the terms and click Next.
  8. In the Destination Folder page, click Next.
  9. In the Database Information page, enter the name of the ODBC DSN.
  10. Enter the SQL account credentials (no Windows accounts) and click Next. For remote SQL databases, only SQL accounts will work. The SQL account must be db_owner of the database.
  11. In the VMware Horizon 6 Composer Port Settings page, click Next.
  12. In the Ready to Install the Program page, click Install.
  13. In the Installer Completed page, click Finish.
  14. Click Yes when asked to restart the computer.
  15. If you encounter installation issues, see VMware 2087379 VMware Horizon View Composer help center.

Administrator Permissions

If View Composer is installed on a standalone server (not on vCenter), Horizon 6 Connection Server will need a service account with administrator permissions on the View Composer server. Add your View Composer Service Account to the local Administrators group.

Composer Certificate

  1. Stop the VMware Horizon 6 Composer service.
  2. Open the MMC Certificates snap-in. Open your Certificate Authority-signed certificate and on the Details tab note the Thumbprint.
  3. Run Command Prompt as Administrator.
  4. Change the directory to C:\Program Files (x86)\VMware\VMware View Composer.
  5. Run sviconfig -operation=replacecertificate -delete=false.
  6. Select your Certificate Authority-signed certificate. Use the thumbprint to verify.
  7. Then restart the VMware Horizon 6 Composer service.

SQL Database Maintenance

SQL password: The password for the SQL account is stored in C:\Program Files (x86)\VMware\VMware View Composer\SviWebService.exe.config. To change the password, run SviConfig -operation=SaveConfiguration as detailed at VMware 1022526 The View Composer service fails to start after the Composer DSN password is changed.

Database Move: To move the database to a new SQL server, you must uninstall Composer and reinstall it. See VMware 2081899 VMware Horizon View Composer fails to work properly after migrating the Composer database to a new SQL server.

Related Pages

VMware Horizon 6 Connection Server


Windows Features

  1. It’s probably helpful to install some administration tools on the Horizon 6 Connection Servers. In Server Manager, open the Manage window and click Add Roles and Features.
  2. Click Next until you get to the Features page.
  3. Check the box next to Group Policy Management and scroll down.
  4. Check the box next to Telnet Client.
  5. If you need Flash Player (e.g. to connect to the vSphere Web Client or View Administrator), then expand User Interfaces and Infrastructure and check the box next to Desktop Experience.

  6. Click Add Features when prompted.
  7. Expand Remote Server Administration Tools > Role Administration Tools > AD DS and AD LDS Tools > AD DS Tools. Check the box next to Active Directory Administrative Center. Click Add Features when prompted. Then click Next.
  8. Then click Install.
  9. You will see a message prompting you to reboot. Right-click the Start button to reboot the server. It will reboot twice.

Install Standard Server 6.2

The first Horizon 6 Connection Server must be a Standard Server. Subsequent Horizon 6 Connection Servers are Replicas. Once Horizon 6 Connection Server is installed, there is no difference between them.

A production Horizon 6 Connection Server should have 10 GB of RAM and 4 vCPU. Each Horizon 6 Connection Server can handle 2,000 virtual desktops.

  1. Ensure the Horizon 6 Connection Server has 10 GB of RAM and 4 vCPU.
  2. View Composer cannot be installed on the Horizon 6 Connection Server.
  3. Go to the downloaded Horizon 6 Connection Server 6.2 and run VMware-viewconnectionserver-x86_64-6.2.0.exe.
  4. In the Welcome to the Installation Wizard for VMware Horizon 6 Connection Server page, click Next.
  5. In the License Agreement page, select I accept the terms and click Next.
  6. In the Destination Folder page, click Next.
  7. In the Installation Options page, select Horizon 6 Standard Server and click Next.
  8. In the Data Recovery page, enter a password and click Next.
  9. In the Firewall Configuration page, click Next.
  10. In the Initial Horizon 6 View Administrators page, enter an AD group containing your Horizon administrators and click Next.
  11. In the User Experience Improvement Program page, uncheck the box and click Next.
  12. In the Ready to Install the Program page, click Install.
  13. In the Installer Completed page, uncheck the box next to Show the readme file and click Finish.

Install Replica Server 6.2

Additional internal Horizon 6 Connection Servers are installed as Replicas. After installation, there is no difference between a Replica server and a Standard server.

A production Horizon 6 Connection Server should have 10 GB of RAM and 4 vCPU. Each Horizon 6 Connection Server can handle 2000 virtual desktops.

  1. Ensure the Horizon 6 Connection Server has 10 GB of RAM and 4 vCPU.
  2. Go to the downloaded Horizon 6 Connection Server 6.2 and run VMware-viewconnectionserver-x86_64-6.2.exe.
  3. In the Welcome to the Installation Wizard for VMware Horizon 6 Connection Server page, click Next.
  4. In the License Agreement page, select I accept the terms and click Next.
  5. In the Destination Folder page, click Next.
  6. In the Installation Options page, select Horizon 6 Replica Server and click Next.
  7. In the Source Server page, enter the name of another Horizon 6 Connection Server in the group. Then click Next.
  8. In the Firewall Configuration page, click Next.
  9. In the Ready to Install the Program page, click Install.
  10. In the Installer Completed page, click Finish.
  11. If you are adding this Replica server to a Pod that is already enabled for Global Entitlements, see Setting up the Cloud Pod Architecture feature on a replicated View Connection Server instance.

Horizon 6 Connection Server Certificate

  1. Run mmc, add the Certificates snap-in and point it to Computer > Local Machine.
  2. Request a new certificate with a common name that matches the FQDN of the Connection Server or import a wildcard certificate.
  3. Note: the private key must be exportable. If using the Computer template, click Details then click Properties.
  4. On the Private Key tab, click Key options to expand it and check the box next to Mark private key as exportable.
  5. In the list of certificates, look for the one that is self-signed. The Issuer will be the local computer name instead of a Certificate Authority. Right-click it and click Properties.
  6. On the General tab, clear the Friendly name field and click OK.
  7. Right-click your Certificate Authority-signed certificate and click Properties.
  8. Note: the private key of the certificate you use for Horizon 6 Connection Server must be exportable. To verify, try exporting the certificate. If the option to export the private key is grayed out then this certificate will not work.
  9. On the General tab, in the Friendly name field, enter the text vdm and click OK. Note: only one certificate can have vdm as the Friendly name.
  10. Then restart the VMware Horizon View Connection Server service. It will take several seconds before you can connect to View Administrator.
  11. If the VMware Horizon View Security Gateway Component won’t start then your certificate doesn’t have an exportable private key. The private key must be exportable.

SSL Ciphers

Sven Huisman: Secure your Horizon View security server: from rating F to A-: see the blog post for detailed instructions.

  1. Update the JCE Policy Files to Support High-Strength Cipher Suites.
  2. Use ADSI Edit to change pae-ServerSSLCipherSuites, pae-ServerSSLSecureProtocols, pae-ClientSSLCipherSuites, and pae-ClientSSLSecureProtocols.
  3. Or you can edit C:\Program Files\VMware\VMware View\Server\sslgateway\conf\locked.properties.

  4. If this Horizon 6 Connection Server or Horizon 6 Security Server is publicly accessible, check it at ssllabs.com.

Horizon Portal – Client Installation Link

If you point your browser to the Horizon 6 Connection Server, the Install VMware Horizon Client link redirects to the VMware.com site to download Horizon Clients. You can change it so that the Horizon Clients are downloaded directly from the Horizon 6 Connection Server.

  1. On the Horizon 6 Connection Server, go to C:\Program Files\VMware\VMware View\Server\broker\webapps. Create a new folder called downloads.
  2. Copy the Horizon Clients to the new C:\Program Files\VMware\VMware View\Server\broker\webapps\downloads folder.
  3. Run Notepad as administrator.
  4. In Notepad, open the file C:\ProgramData\VMware\VDM\portal\portal-links-html-access.properties.
  5. Go back to the downloads folder and copy the Horizon Client filename.
  6. In Notepad, modify link.win32 and link.win64 by specifying the relative path to the Horizon Client executable under /downloads. The following example shows a link for Horizon Client for Windows x64:
    link.win64=/downloads/VMware-Horizon-View-Client-x86_64-3.5.0-2999900.exe
    Then save the file.
  7. Restart the VMware Horizon View Web Component service.

It will take a few seconds for the ws_TomcatService process to start so be patient. If you get a 503 error then the service is not done starting.

Now when you click the link to download the client it will grab the file directly from the Horizon 6 Connection Server.

LDAP Edits

Mobile Client – Save Password

If desired, you can configure Horizon 6 Connection Server to allow mobile clients (iOS, Android) to save user passwords.

  1. On the Horizon 6 Connection Server, run ADSI Edit.
  2. Right-click ADSI Edit and click Connect to…

  3. Change the first selection to Select or type a Distinguished Name and enter dc=vdi,dc=vmware,dc=int.
  4. Change the second selection to Select or type a domain or server and enter localhost. Click OK.
  5. Navigate to Properties > Global. On the right, double-click CN=Common.
  6. Scroll down, click to highlight pae-ClientCredentialCacheTimeout and click Edit.
  7. Enter a value in minutes. 0 = no saving of credentials. -1 = no timeout. Click OK.

iOS TouchID

vDelboy – How to Enable Touch ID in VMware Horizon 6.2

  1. On the Horizon 6 Connection Server, run ADSI Edit.
  2. Right-click ADSI Edit and click Connect to…
  3. Change the first selection to Select or type a Distinguished Name and enter dc=vdi,dc=vmware,dc=int.
  4. Change the second selection to Select or type a domain or server and enter localhost. Click OK.
  5. Navigate to Properties > Global. On the right, double-click CN=Common.
  6. Find the attribute pae-ClientConfig and double-click it.
  7. Enter the line BioMetricsTimeout=-1 and click Add. Click OK. The change takes effect immediately.

Ciphers

VMware 2130289 Using client drive redirection or file association with the secure tunnel enabled might have performance issues

When using client drive redirection (CDR) or file association with the secure tunnel enabled, you might encounter performance issues when transferring CDR data between Horizon Clients and remote desktop machines. (File association is the ability to open local files with a remote application.)

Amend your acceptance policies to remove the following GCM-based cipher suites:

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

To change a global acceptance policy, you can edit a single-valued attribute, pae-ServerSSLCipherSuites, in View LDAP on any View Connection Server instance. This attribute lists the cipher suites used by View Connection Server or security server. Take these steps:

  1. Start the ADSI Edit utility on your View Connection Server computer.
  2. In the Console tree, select Connect to.
  3. In the Select or type a Distinguished Name or Naming Context text box, type the distinguished name DC=vdi, DC=vmware, DC=int.
  4. In the Select or type a domain or server text box, select or type localhost:389 or the fully qualified domain name (FQDN) of the View Connection Server computer followed by 389. For example: localhost:389 or mycomputer.mydomain.com:389
  5. Expand the ADSI Edit Tree, expand OU=properties, select OU=global, and select CN=common in the right pane.
  6. On the object CN=common, OU=global, OU=properties, select the pae-ServerSSLCipherSuites
  7. Set the following list of cipher suites:
    \LIST:TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
    TLS_RSA_WITH_AES_128_CBC_SHA,
    TLS_RSA_WITH_AES_256_CBC_SHA

    Remove the line breaks that were inserted in the preceding list for clarity. The order of the cipher suites is unimportant.

  8. Restart the VMware Horizon View Connection Server service.

For more information about setting acceptance policies for cipher suites, see “Configuring Security Protocols and Cipher Suites on a View Connection Server Instance or on a Security Server” in the View Security guide at http://pubs.vmware.com/horizon-62-view/topic/com.vmware.horizon-view.security.doc/GUID-7F6963F5-D5FC-47B2-9AE7-1FE5B8600723.html.

Load Balancing

See Carl Stalhood’s Horizon View Load Balancing using NetScaler 11.

Remote Desktop Licensing

If you plan to build RDS Hosts, then install Remote Desktop Licensing somewhere. You can install it on your Horizon 6 Connection Servers by following the procedure at http://www.carlstalhood.com/controller/#rdlicensinginstall.

Horizon Toolbox

Overview

VMware White Paper Explore the VMware Horizon 6 Toolbox Auditing and Remote Assistance Capabilities

The Horizon Toolbox is a new web portal that serves as an extension to Horizon View Administrator. It has the following functions:

Auditing

  • Sessions:  Shows historical concurrent session trend for last 2 days, last week and last month. Shows current virtual desktop connections by desktop pools, and shows virtual application connections by RDS (Remote Desktop Service) Farms.
  • Usage:  Shows accumulated use time of users for last 2 days, last week and last month.  Shows all connections (user name, pool/farm name, machine name, connection time, disconnection time) for the past 2 days, last week, and last month.
  • Snapshots:   Shows parent virtual machines of linked clone desktop pools and descendant snapshots in a tree view. The snapshots not in use by linked clone pools are marked in grey, so that the View administrator can remove the snapshots not in use.
  • Clients:  Shows statistics for the operating systems and versions of the View clients in use, in several chart styles.

Remote Assistance

  • Remote Assistance provides the capability for the administrator or IT helpdesk to remotely view and/or control an end-user’s desktop in the Horizon View environment.  (This is also called session shadowing.)

Device Access Policy

Device Access Policy provides a whitelist to control devices that can access Horizon View.

Installation

  1. Download the Fling.
  2. On each Horizon 6 Connection Server, launch System from the Control Panel.
  3. On the left click Advanced system settings.
  4. On the Advanced tab, click Environment Variables.
  5. On the bottom, click New. This must be a System variable.
  6. Enter JRE_HOME as the variable name.
  7. Enter C:\Program Files\VMware\VMware View\Server\jre\ as the path. Make sure there’s no space on the end.
  8. Click OK three times.
  9. Extract the downloaded Fling and copy it to the C: drive of each Horizon 6 Connection Server.

  10. Go to \HorizonToolbox1.5.2\webapps\toolbox\WEB-INF and edit the file spring-servlet.xml.
  11. Near line 59, add a new value for 2.0. Save and close the file.
  12. Run Command Prompt as administrator.
  13. Switch to C:\HorizonToolbox1.5.2\bin.
  14. Run service.bat install. If you see a message about JAVA_HOME, then there’s something wrong with your JRE_HOME variable.

  15. After installation, run tomcat8w.exe.
  16. On the Java tab, change the Maximum memory pool to 512 and click Apply.
  17. On the General tab, click Start.
  18. Run Windows Firewall with Advanced Security.
  19. Create a new Inbound Rule for port 18443.

  20. Point your browser to https://view.corp.local:18443/toolbox.
  21. Login using View Administrator credentials.
  22. Open the Auditing menu and click Clients.
  23. Click Enable Local Auditing.
  24. Click Accept.

Remote Assistance

  1. On the Horizon 6 Agent, navigate to the Horizon Toolbox \webapps\toolbox\static\ra and run Horizon_Remote_Assistance_Installer.exe.
  2. Click Install for End User.
  3. When done, click Finish.
  4. Users can initiate a request by clicking the icon on the desktop.

  5. On the support person’s desktop, run the same Horizon Remote Assistance installer.
  6. Click Install for Helpdesk.
  7. Click Finish when done.
  8. Support people can see support requests in the Toolbox interface at Management > Remote Assistance.

Device Access Policies

  1. While logged into the Toolbox web interface, go to Management > Device Access Policies.
  2. Click the link to view the Setup Guide.
  3. Download  DeviceFilter.exe.
  4. Place the file somewhere on the Horizon 6 Agent machine.

  5. Edit a GPO that applies to the Horizon 6 Agents. Load the viewagent.adm file.
  6. Under VMware View Agent Configuration > Agent Configuration, configure the settings CommandsToRunOnConnect and CommandsToRunOnReconnect.
  7. Click Show.
  8. Enter the path to the DeviceFilter.exe located on the Horizon 6 Agent machine. Add -client to the end of the path.
  9. Repeat for CommandsToRunOnReconnect.

VMware Horizon 6 Configuration


Preparation

Horizon Service Account

  1. Create an account in Active Directory that View will use to login to vCenter. This account can also be used by Composer to create computer accounts in Active Directory.
  2. Make sure the password does not expire.
  3. Domain User is sufficient. Permissions will be delegated where needed.

vCenter Role for View Composer

This role has all permissions needed for both full clones and linked clones.

  1. Create an account in Active Directory that View will use to login to vCenter.
  2. In vSphere Web Client, on the Home screen, click Roles.
  3. Click the plus icon to add a Role.
  4. Name the role View or similar.
  5. Expand Datastore and enable Allocate space, Browse datastore, and Low level file operations.
  6. Expand Folder and enable Create folder, and Delete folder.
  7. Expand Global and enable Act as vCenter Server, Disable Methods, Enable Methods, and Manage custom attributes.
  8. Scroll down and enable Set custom attribute and System tag.
  9. Expand Host, expand Configuration and enable Advanced Settings.
  10. Scroll down and enable System Management.
  11. Enable Network and everything under it.
  12. For Virtual SAN, enable Profile-driven storage and everything under it. VMware 2094412 – When attempting to deploy linked clones using VMware Virtual SAN (VSAN) you receive the error: Unable to connect to PBM sub system PB may be down

  13. Expand Resource and enable Assign virtual machine to resource pool and Migrate powered off virtual machine.
  14. Expand Virtual Machine and enable everything under Configuration, Inventory, and Snapshot Management (or State).
  15. Expand Virtual Machine > Interaction and enable Power Off, Power On, Reset, and Suspend.
  16. Expand Virtual Machine > Provisioning. Enable Allow disk access, Clone virtual machine, Customize, and Deploy template.
  17. Scroll down and enable Read customization specifications. Click OK when done.
  18. Browse to the vCenter object. Permissions must be assigned at the vCenter level. It won’t work at any lower level.
  19. On the right, switch to the Manage tab and select the Permissions sub-tab.
  20. Click the plus icon to add a permission.
  21. Under Users and Groups click Add.
  22. Find the Active Directory account that View will use to login to vCenter, click Add and then click OK.
  23. On the right, under Assigned Role, change it to View Composer Administrator. Then click OK.
  24. The service account is now listed on the Permissions sub-tab.
  25. The service account also must be a local administrator on the vCenter server. In Server Manager, go to Tools > Computer Management.
  26. Go to System Tools > Local Users and Groups > Groups. Double-click Administrators. Add the View service account and click OK.

Active Directory Delegation

View Composer uses an Active Directory account to create computer objects in Active Directory. This service account must be granted permission to create computer objects.

  1. Create an OU in Active Directory where the virtual desktop computer objects will be stored.
  2. In Active Directory Users & Computers, right-click the OU where the computer objects will be stored and click Delegate Control. This wizard is not included in Active Directory Administrative Center.
  3. In the Welcome to the Delegation of Control Wizard page, click Next.
  4. In the Users or Groups page, add the Active Directory service account for View Composer. Then click Next.
  5. In the Tasks to Delegate page, select Create a custom task to delegate and click Next.
  6. In the Active Directory Object Type page, click Next.
  7. In the Permissions page, check the three boxes under Show these permissions.
  8. In the Permissions section, check the boxes next to Read All Properties and Write All Properties.

  9. In the Permissions section, scroll down and check the boxes next to Create Computer objects and Delete Computer objects. Click Next.
  10. In the Completing the Delegation of Control Wizard page, click Finish.
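The same delegation can be applied with dsacls and then read back for verification. This is an added example, not part of the original post; the OU distinguished name and the service account name are placeholders, and the Read/Write All Properties grant is scoped to computer objects under the OU, which is slightly narrower than the wizard's default scope.

```powershell
# Added example (not from the original post): grant the View Composer service
# account the rights the Delegation of Control wizard grants, using dsacls, then
# read the ACL back to confirm. Placeholders: replace $ou and $svc with yours.

$ou  = 'OU=VDI Desktops,DC=corp,DC=local'   # placeholder OU for desktop computer objects
$svc = 'CORP\svc_viewcomposer'              # placeholder Composer service account

function Grant-ComposerDelegation {
    param([string]$OuDn, [string]$Account)

    # CC = Create Child, DC = Delete Child, restricted to computer objects.
    # /I:T = this object and all child objects, matching the wizard's default scope.
    dsacls $OuDn /I:T /G "${Account}:CCDC;computer" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "dsacls failed granting create/delete computer on $OuDn" }

    # RP/WP = Read/Write all properties. /I:S plus ";;computer" applies it only to
    # computer objects beneath the OU, a narrower grant than the wizard's, which
    # also applies it to the OU object itself.
    dsacls $OuDn /I:S /G "${Account}:RPWP;;computer" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "dsacls failed granting read/write properties on $OuDn" }
}

function Get-ComposerDelegation {
    # Returns the ACE lines dsacls prints for the account so the grant can be reviewed.
    param([string]$OuDn, [string]$Account)
    $name = $Account.Split('\')[-1]
    return @(dsacls $OuDn | Select-String -SimpleMatch $name | ForEach-Object { $_.Line.Trim() })
}

Grant-ComposerDelegation -OuDn $ou -Account $svc
Get-ComposerDelegation  -OuDn $ou -Account $svc
```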

Events SQL Database

A new empty SQL database is needed for storage of View Events. Only SQL authentication is supported.

  1. In SQL Server Management Studio, create a new database.
  2. Name it VMwareViewEvents or similar. Switch to the Options tab.
  3. Select your desired Recovery model and click OK.

  4. Add a SQL login if one does not exist already. Windows authentication is not supported.
  5. Right-click a SQL login and click Properties.
  6. On the User Mapping page, check the Map box next to the VMwareViewEvents database.
  7. On the bottom, add the user to the db_owner database role. Click OK when done.

Licensing

  1. Run the Horizon 6 Administration Console by double-clicking the desktop shortcut. Or, go to https://FQDN/admin.
  2. If Flash is not installed, you are prompted to install it. This won’t work on Windows Server 2012 unless you have the Desktop Experience feature installed. To avoid this, use Chrome.
  3. Login using a Horizon View administrator account.
  4. On the left, under View Configuration, click Product Licensing and Usage.
  5. On the top left of the right pane, click Edit License.
  6. In the Edit License window, enter your license serial number and click OK.
  7. The license expiration is now displayed. Note that only Horizon Advanced and above have Application Remoting (published applications).

Administrators

  1. On the left, expand View Configuration and click Administrators.
  2. On the right, click Add User or Group near the top.
  3. In the Add Administrator Or Permission page, click Add.
  4. Enter the name of a group that you want to grant permissions to and click Find.
  5. After the group is found, click it to highlight it and click OK.
  6. Then click Next.
  7. Select the role (e.g. Administrators) and click Next.
  8. Select an access group to which the permission will be applied and click Finish.

Help Desk

None of the built-in roles are useful for Help Desk. Create a new role.

  1. On the right, switch to the Roles tab and click Add Role.
  2. Name the role Help Desk or similar.
  3. Check the box next to Console Interaction and scroll down.
  4. Check the box next to Manage Machine and click OK.
  5. To further restrict Help Desk permissions, on the Access Groups tab, create an Access Group. Pools can be placed in an Access Group and if an administrator only has permission to one Access Group then pools in other access groups cannot be managed.

  6. Switch back to the Administrators and Groups tab and click Add User or Group.
  7. In the Add Administrator Or Permission window, click Add, find your Help Desk group and click Next.
  8. Click the Help Desk role to highlight it and click Next.
  9. Check the box next to an Access Group to which the permissions will be applied and click Finish.
  10. The group is added to the list and the role is shown on the right.

vCenter and View Composer

If you are adding multiple vCenter servers, make sure each vCenter Server has a Unique ID. In vSphere Web Client, go to the vCenter Server > Manage > Settings > General > Edit > Runtime Settings and confirm that the ID is unique for each vCenter server.

  1. On the left, expand View Configuration and click Servers.
  2. In the right pane, in the vCenter Servers tab, click Add.
  3. In the Server address field, enter the FQDN of the vCenter server.
  4. In the User Name field, enter the Active Directory account that View will use to login to vCenter as detailed earlier in this post. Also enter the password.
  5. Click Next.
  6. If you see a message regarding invalid certificate, click View Certificate.
  7. Then click Accept.
  8. In the View Composer page, select Standalone View Composer Server. Enter the FQDN of the server and the credentials of an account to access the View Composer server. The service account must be a local administrator on the View Composer Server. Click Next.
  9. If you see an invalid certificate, click View Certificate.
  10. Then click Accept.
  11. In the View Composer Domains page, click Add.
  12. Enter the Full domain name of where the virtual desktop computer objects will be created.
  13. Enter the Active Directory service account credentials that has permission to create computer objects and click OK. Then click Next.
  14. In the Storage page, check the box to Enable View Storage Accelerator and increase the host cache size to 2048. View Storage Accelerator causes digest files to be created thus increasing disk space requirements. Reclaim VM disk space requires IOPS during its operation. Click Next.
  15. In the Ready to Complete page, click Finish.

Disable Secure Tunnel

By default, Horizon Clients connect to virtual desktops by tunneling through a Horizon 6 Connection Server. It would be more efficient for the Horizon Clients to connect directly to the virtual desktops.

  1. In View Administrator, on the left, expand View Configuration and click Servers.
  2. On the right, switch to the Connection Servers tab.
  3. Click the Connection Server and click Edit.
  4. On the General tab, uncheck the box next to HTTP(S) Secure Tunnel. Also, make sure the other Secure Gateways are not enabled. Click OK. Note: if you are using HTML Blast internally then disabling the gateway will cause Blast connections to go directly to the Agent and the Agent certificate is probably not trusted.

Event Database and Syslog

  1. On the left of View Administrator, expand View Configuration and click Event Configuration.
  2. On the right, under Event Database, click Edit.
  3. Enter the name of the SQL server.
  4. Select Microsoft SQL Server as the Database type.
  5. Enter the name of the database.
  6. Enter the SQL credentials (no Windows authentication).
  7. Optionally, enter VE_ (or similar) for the Table prefix. This allows you to use the same Events database for multiple View installations.
  8. Click OK.
  9. The View Administrator now shows it configured. You can change the age of events shown in View Administrator.
  10. To add a syslog server, look on the right side of the page.
  11. You can go to Monitoring > Events to view the events in the database.

Event Database SQL Index

VMware Knowledgebase article – The Event database performance in VMware View 6.0.x is extremely slow (2094580): Symptoms:

  • The Event database performance in VMware View 6.0.x is extremely slow when browsing within View
  • High CPU usage on the SQL server, hosting the Event database
  • The larger the Event database becomes, the slower the queries run.

To resolve this issue, create an index. Run this command on your SQL Event database:

CREATE INDEX IX_eventid ON dbo.VDIevent_data (eventid)

Replace VDIevent_data with the name of the event_data table in your Event database; VDI here is the table prefix.

Event Queries

VMware Fling – Horizon View Event Notifier: collects and sends the alerts via email (SMTP) to users that are specified during the configuration process. It allows aggregation of alerts across multiple Horizon View Pods and for near real-time alerting of Horizon View alerts that are otherwise very difficult to be notified on.

Chris Halstead – VMware Horizon View Events Database Export Utility: this utility allows administrators to apply very detailed filtering to the data and export it to .csv. You can filter on time range, event severity, event source, session type (Application or Desktop), usernames and event types. The exported columns can also be customized, and the application exports data from both the live and the historical tables in the View Events Database.

VMware Knowledgebase article – Creating SQL views to retrieve the top 50 maximum number of concurrent desktop sessions over a period: This article provides steps to create database views to retrieve the maximum number of concurrent desktop sessions over a period from the event_historical table.

To retrieve the top 50 maximum number of concurrent desktop sessions over a period time from the event_historical table, run this query:

select [Count], [Time] from (
    select top 50
        dbo.<prefix>_data_historical.IntValue as 'Count',
        dbo.<prefix>_historical.Time as 'Time'
    from dbo.<prefix>_historical, dbo.<prefix>_data_historical
    where dbo.<prefix>_historical.EventID = dbo.<prefix>_data_historical.EventID
      and dbo.<prefix>_data_historical.Name = 'UserCount'
      and dbo.<prefix>_historical.EventType = 'BROKER_DAILY_MAX_DESKTOP'
    order by dbo.<prefix>_historical.Time desc
) A order by [Time]

Where <prefix> is the prefix for the event table. You can find the prefix that you must use by examining other view definitions, such as user_events.

Global Settings

  1. On the left, under View Configuration, click Global Settings.
  2. On the right, under Global Settings, click Edit.
  3. Set the View Administrator Session Timeout. This applies to administrators and help desk. 4320 minutes (72 hours) is the maximum.
  4. Forcibly disconnect users is an active session timeout. It is not an idle timeout in that it doesn’t care if the user is working or not. The default is 10 hours so consider increasing it. Note: this timer does not log the user out of Windows. Instead it merely disconnects the user and requires the user to logon to Horizon 6 Connection Server again.
  5. Under Client-dependent settings, you can set an idle timeout. This is new in Horizon 6. The idle timeout applies to applications only (not desktops). An additional disconnect timeout is configurable in each pool’s settings.
  6. Enable automatic status updates enables automatic updating of the table displayed in the top-left corner of View Administrator.
  7. Make other changes as desired. Click OK when done.
  8. To configure an idle timeout for desktop sessions, use the instructions in http://myvirtualcloud.net/?p=872. Or create a screensaver. http://communities.vmware.com/message/1756450?tstart=0

Global Policies

  1. By default, Multimedia Redirection is disabled. You can enable it by going to Policies > Global Policies.
  2. On the right, click Edit Policies.
  3. Set Multimedia redirection to Allow and click OK. Notice that Multimedia redirection is not encrypted.

Authentication

How to Set Up 2-Factor Authentication in Horizon View with Google Authenticator:

  1. Linux box with Likewise joined to Active Directory.
  2. Google Authenticator software installed on Linux
  3. Freeradius installed on Linux
  4. Configure View to authenticate with RADIUS
  5. Installation and configuration of Google Authenticator client

Backups

  1. On the left, expand View Configuration and click Servers.
  2. On the right, in the Connection Servers tab you can select a Horizon 6 Connection Server and click Backup Now. Backups can be found in C:\ProgramData\VMware\VDM\backups.
  3. If you Edit the Horizon 6 Connection Server, on the Backup tab you can schedule automatic backups. This also backs up the View Composer database but not the vCenter database. VMware 1008046 – Performing an end-to-end backup and restore for VMware View Manager.

Related Pages

VMware Horizon 6 Security Server


Preparation

Security Servers are intended to be deployed in the DMZ.

Horizon View Security Server is installed on Windows. If you prefer a Linux appliance, see VMware Access Point.

Security Considerations for Horizon View 5.2 – http://www.vmware.com/resources/techresources/10371

Firewall Ports

If there is only one Security Server in the DMZ, create a NAT’d public IP to the Security Server. Create a public DNS entry that resolves to this IP address.

If there are two Security Servers and you intend to load balance them, create three public IPs:

  • Public IP NAT’d to the load balancer IP. Create a public DNS entry that resolves to this IP address. This is the DNS name that users will enter into their Horizon Clients.
  • Public IP NAT’d to each of the Security Servers. Each Security Server must be exposed directly to the Internet. Create public DNS names that resolve to these public IPs. When installing Security Server, specify these public DNS names and not the load balanced DNS name.

Note: your load balancer might be able to provide persistence across multiple port numbers and thus there’s no need for the server-specific public IPs. For example, in NetScaler this is called Persistency Groups.

Firewall Rules for View Connection Server at pubs.vmware.com.

Open these ports from any device on the Internet to all Security Server and Load Balancer public IPs:

  • TCP 80
  • TCP 443
  • TCP and UDP 4172. UDP 4172 must be opened in both directions.
  • TCP 8443 (for HTML Blast)

Open these ports from the Security Servers to internal:

  • If IPSec is enabled in View Administrator (Global Settings > Security > Edit), open ISAKMP Protocol (UDP 500) and ESP. Or if there is NAT between the Security Server and the Connection Server, open NAT-T ISAKMP (UDP 4500). Configuring a Back-End Firewall to Support IPsec at pubs.vmware.com.
  • TCP 8009 (AJP13) to the paired internal Horizon 6 Connection Server.
  • TCP 4001 (JMS) to the paired internal Horizon 6 Connection Server.
  • TCP and UDP 4172 (PCoIP) to all internal Horizon View Agents. UDP 4172 must be opened in both directions.
  • TCP 32111 (USB Redirection) to all internal Horizon View Agents.
  • TCP 22443 (HTML Blast) to all internal Horizon View Agents.
  • TCP 9427 (MMR) to all internal Horizon View Agents.
  • TCP 4002 for Enhanced Message Security – Change the JMS Message Security Mode to Enhanced at pubs.vmware.com
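A pre-install connectivity check for the back-end TCP ports listed above, run from the Security Server. This is an added example, not from the post; the host names are placeholders, it assumes Test-NetConnection is available (Windows 8.1 / Server 2012 R2 or newer), and because Test-NetConnection only probes TCP, UDP 4172 and the IPsec UDP ports still need a separate firewall review.

```powershell
# Added example (not from the original post): confirm from the Security Server
# that the back-end TCP ports from the post's list are reachable before pairing.
# Host names are placeholders. UDP (PCoIP 4172, IPsec 500/4500) is not probed.

$pairedBroker = 'view1.corp.local'                          # placeholder paired Connection Server
$agents       = 'vdi-master.corp.local', 'rds1.corp.local'  # placeholder sample Horizon Agents

$checks = @(
    @{ Host = $pairedBroker; Port = 8009; Use = 'AJP13 to paired Connection Server' }
    @{ Host = $pairedBroker; Port = 4001; Use = 'JMS to paired Connection Server' }
    @{ Host = $pairedBroker; Port = 4002; Use = 'JMS Enhanced Message Security' }
)
foreach ($a in $agents) {
    $checks += @{ Host = $a; Port = 4172;  Use = 'PCoIP (TCP; UDP 4172 also required both ways)' }
    $checks += @{ Host = $a; Port = 32111; Use = 'USB redirection' }
    $checks += @{ Host = $a; Port = 22443; Use = 'HTML Blast' }
    $checks += @{ Host = $a; Port = 9427;  Use = 'MMR' }
}

function Test-BackEndPorts {
    param([hashtable[]]$Checks)
    foreach ($c in $Checks) {
        # -InformationLevel Quiet returns a plain $true/$false for the TCP handshake.
        $open = Test-NetConnection -ComputerName $c.Host -Port $c.Port `
                    -InformationLevel Quiet -WarningAction SilentlyContinue
        [pscustomobject]@{ Host = $c.Host; Port = $c.Port; Purpose = $c.Use; Open = $open }
    }
}

$results = @(Test-BackEndPorts -Checks $checks)
$results | Format-Table -AutoSize
$blocked = @($results | Where-Object { -not $_.Open })
if ($blocked.Count -gt 0) {
    Write-Warning "$($blocked.Count) back-end port(s) blocked; fix the internal firewall before installing."
}
```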

Pairing Password

  1. In View Administrator, on the left, expand View Configuration and click Servers.
  2. On the right, switch to the Connection Servers tab.
  3. Select the Horizon 6 Connection Server to which the Security Server will be paired. Then click More Commands and click Specify Security Server Pairing Password.
  4. Enter a password and click OK.

Install – Security Server

  1. Ensure the Horizon 6 Security Server has 10 GB of RAM and 4 vCPU.
  2. Login to the Horizon 6 Security Server.
  3. Go to the downloaded Horizon 6 Connection Server 6.2 and run VMware-viewconnectionserver-x86_64-6.2.0.exe.
  4. In the Welcome to the Installation Wizard for VMware Horizon 6 Connection Server page, click Next.
  5. In the License Agreement page, select I accept the terms and click Next.
  6. In the Destination Folder page, click Next.
  7. In the Installation Options page, select Horizon 6 Security Server and click Next.
  8. In the Paired Horizon 6 Connection Server page, enter the name of the internal Horizon 6 Connection Server that this Security Server will be paired with. If using a hostname, it must be resolvable (edit the local HOSTS file) to the correct IP. Also, the correct firewall ports are required. Click Next.
  9. In the Paired Horizon 6 Connection Server Password page, enter the pairing password specified earlier and click Next.
  10. In the Horizon 6 Security Server Configuration page, edit the URLs as appropriate. These URLs must be externally accessible. The top URL is a FQDN while the middle URL is an IP address. These can be changed later. Click Next.
  11. In the Firewall Configuration page, click Next.
  12. In the Ready to Install the Program page, click Install.
  13. In the Installer Completed page, click Finish.

SSL

Horizon 6 Security Server Certificate

  1. Run mmc, add the Certificates snap-in and point it to Computer > Local Machine.
  2. Request a new certificate with a common name that matches the FQDN of the HTTPS Secure Tunnel URL, or import a wildcard certificate. If using a load balancer, the FQDN must match the load balancer FQDN, not the Security Server FQDN.
  3. The private key must be exportable. You can either click Details to mark the key as exportable or use IIS to create the certificate.
  4. After creating the certificate, try exporting it. If the option to export the private key is grayed out, this certificate will not work.
  5. In the list of certificates, look for the one that is self-signed. The Issuer will be the local computer name instead of a Certificate Authority. Right-click it and click Properties.
  6. On the General tab, clear the Friendly name field and click OK.
  7. Right-click your Certificate Authority-signed certificate and click Properties.
  8. On the General tab, in the Friendly name field, enter the text vdm and click OK. Note: only one certificate can have vdm as the Friendly name.
  9. Then restart the VMware Horizon 6 Security Server service.
  10. If the VMware Horizon View Security Gateway Component won’t start then your certificate doesn’t have an exportable private key. The private key must be exportable.

Global Accepted Ciphers

VMware 2121183 Response to CVE-2015-4000 (a.k.a., Logjam) for Horizon View and Horizon 6 products: The default global acceptance and proposal policies are defined in View LDAP attributes. These policies apply to all Horizon 6 Connection Server instances in a replicated group and all security servers paired with them. To change a global policy, you can edit View LDAP on any Horizon 6 Connection Server instance.

For details about how to navigate to the correct View LDAP attributes, see the topics called Global Acceptance and Proposal Policies Defined and Change the Global Acceptance and Proposal Policies in the View Security guide. Note that although these links point to the 6.2 version of the guide, the topics are the same as those in the 5.2/5.3 and 6.0 versions of the guide.

  • Change the pae-ClientSSLSecureProtocols attribute and the pae-ServerSSLSecureProtocols attribute as follows:
    pae-ClientSSLSecureProtocols = "\LIST:TLSv1.2,TLSv1.1,TLSv1"
    pae-ServerSSLSecureProtocols = "\LIST:TLSv1.2,TLSv1.1,TLSv1"

    This setting enables TLSv1.2 by default, to make use of the new cipher suites you will be adding when you set the next attributes.

  • Change the pae-ClientSSLCipherSuites attribute and the pae-ServerSSLCipherSuites attribute as follows:
    pae-ClientSSLCipherSuites = "\LIST:TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
    TLS_RSA_WITH_AES_128_CBC_SHA256,
    TLS_RSA_WITH_AES_128_CBC_SHA,
    SSL_RSA_WITH_RC4_128_SHA"
    
    pae-ServerSSLCipherSuites = "\LIST:TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
    TLS_RSA_WITH_AES_128_CBC_SHA256,
    TLS_RSA_WITH_AES_128_CBC_SHA,
    SSL_RSA_WITH_RC4_128_SHA"

Note that although these cipher suites are shown on separate lines to improve readability, when you edit this attribute, enter the cipher suites on one line with no spaces after the commas.

Also note that the last cipher suite shown in the list, SSL_RSA_WITH_RC4_128_SHA, should be omitted if all connecting clients support AES cipher suites.

To add 256-bit versions of the cipher suites, follow the instructions in the topic JCE Policy Files to Support High-Strength Cipher Suites in the View Security guide.
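The ADSI Edit steps in the Ciphers section of the Connection Server post above (KB 2130289, dropping the two GCM suites) and the protocol and cipher suite attributes in this section can be applied from PowerShell as well. This is an added example, not code from the post or from VMware; it assumes it runs on a Connection Server as a View administrator, that View LDAP answers on localhost:389, and that the broker service display name is the one the post uses.

```powershell
# Added example (not from the original post or VMware): edit the View LDAP SSL
# policy attributes with PowerShell instead of clicking through ADSI Edit.
# Assumptions: runs on the Connection Server as a View administrator, View LDAP
# listens on localhost:389, and the service display name matches the post.

$dn = 'LDAP://localhost:389/CN=Common,OU=Global,OU=Properties,DC=vdi,DC=vmware,DC=int'
$common = [ADSI]$dn

function Get-ViewListAttribute {
    # Turn a "\LIST:a,b,c" attribute value into an array of strings.
    param([string]$Name)
    $raw = [string]$common.psbase.Properties[$Name].Value
    if (-not $raw.StartsWith('\LIST:')) { throw "$Name is not a \LIST value: '$raw'" }
    return @($raw.Substring(6).Split(',') | ForEach-Object { $_.Trim() } | Where-Object { $_ })
}

function Set-ViewListAttribute {
    # Write an array back as one "\LIST:" line with no spaces after the commas.
    param([string]$Name, [string[]]$Values)
    $common.psbase.Properties[$Name].Value = '\LIST:' + ($Values -join ',')
    $common.psbase.CommitChanges()
}

# Suites to drop: the two GCM suites from KB 2130289 (slow CDR through the
# tunnel) and RC4, which the Logjam KB says to omit once every client does AES.
$drop = 'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256',
        'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
        'SSL_RSA_WITH_RC4_128_SHA'

foreach ($attr in 'pae-ServerSSLCipherSuites', 'pae-ClientSSLCipherSuites') {
    $before = Get-ViewListAttribute $attr
    $after  = @($before | Where-Object { $drop -notcontains $_ })
    if ($after.Count -eq 0) { throw "$attr would be emptied; aborting" }
    if ($after.Count -ne $before.Count) {
        $removed = @($before | Where-Object { $drop -contains $_ }) -join ', '
        Write-Host "$attr : removing $removed"
        Set-ViewListAttribute $attr $after
    } else {
        Write-Host "$attr : nothing to remove"
    }
}

# Protocols: the value the post gives for both the client and server side.
foreach ($attr in 'pae-ServerSSLSecureProtocols', 'pae-ClientSSLSecureProtocols') {
    Set-ViewListAttribute $attr 'TLSv1.2', 'TLSv1.1', 'TLSv1'
}

# Show the resulting policy, then restart the broker so it takes effect.
foreach ($attr in 'pae-ServerSSLCipherSuites', 'pae-ClientSSLCipherSuites',
                  'pae-ServerSSLSecureProtocols', 'pae-ClientSSLSecureProtocols') {
    '{0} = {1}' -f $attr, $common.psbase.Properties[$attr].Value
}
Restart-Service -DisplayName 'VMware Horizon View Connection Server'
```

Because these attributes are replicated, the change reaches every Connection Server in the group and the Security Servers paired with them, so restart each broker afterwards.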

SSL Ciphers – Horizon 6 Security Server

Sven Huisman: Secure your Horizon View security server: from rating F to A-: see the blog post for detailed instructions.

  1. Update the JCE Policy Files to Support High-Strength Cipher Suites
  2. Use ADSIEdit to change pae-ServerSSLCipherSuites, pae-ServerSSLSecureProtocols, pae-ClientSSLCipherSuites, and pae-ClientSSLSecureProtocols
  3. Or you can edit C:\Program Files\VMware\VMware View\Server\sslgateway\conf\locked.properties

  4. If this Horizon 6 Connection Server or View Security Server is publicly accessible, check it at ssllabs.com.

Disable RC4 – Blast Secure Gateway

VMware 2122359 Disable RC4 on Blast Secure Gateway: RC4 is already disabled in Horizon 6.2. Follow this procedure for older versions of Horizon View.

  1. Run an elevated text editor and open the file C:\Program Files\VMware\VMware View\Server\appblastgateway\lib\absg-config.js.
  2. Scroll down to line 111 and change :RC4: to :!RC4:.

Load Balancing

See Carl Stalhood – Horizon View Load Balancing

Enable PCoIP Secure Gateway

  1. In View Administrator, on the left, expand View Configuration and click Servers.
  2. On the right, switch to the Connection Servers tab.
  3. Click the Connection Server that is paired with the Security Server and click Edit. Note: you can’t configure this directly on the Horizon 6 Security Server and instead must configure it on the paired Horizon 6 Connection Server.
  4. On the General tab, check the box next to Use PCoIP Secure Gateway for PCoIP connections to desktop. Also, make sure Secure Tunnel and Blast Secure Gateway are enabled. Click OK.

Related Pages

VMware Horizon 6 – Master Virtual Desktop


Use this post to build a virtual desktop that will be used as the parent image or source image for additional virtual desktops.

Hardware

  1. The virtual desktop pools will use the same hardware specs (e.g. vCPUs, memory size, network label) specified on the master virtual desktop. Adjust accordingly.
  2. Set Memory as desired.
  3. For New Hard disk, consider setting Thin provision.
  4. Make sure the virtual desktop is using a SCSI controller.
  5. The master virtual desktop should be configured with a VMXNET 3 network adapter.
  6. When building the master virtual desktop, you will probably boot from an ISO.
  7. Before using View Administrator to create a pool, ensure the CD/DVD drive points to Client Device and is not Connected. The important part is to make sure ISO file is not configured.
  8. There’s no need for the Floppy drive so remove it.
  9. If you have any Serial ports, remove them.
  10. In Device Manager, after installing VMware Tools, make sure the video driver is VMware SVGA 3D.
  11. If not, you can use the driver at C:\Program Files\Common Files\VMware\Drivers\video_wddm.

Windows

Operating System Selection

As of Horizon 6.2, Windows 10 is supported. However, there are some limitations:

  • Persona is not supported. Either use VMware User Environment Manager (Horizon Enterprise only) or Microsoft’s roaming profiles.
  • Multimedia Redirection is not supported.

Preparation

  • Partition Alignment. For Windows XP, make sure the partition is aligned. You’ll need to create and partition the disk in advance on another virtual machine and set the partition offset (in diskpart: create partition primary align=1024). Windows 7 doesn’t have this problem.
  • VMware Tools. Install the latest version of VMware Tools and Guest Introspection (formerly known as vShield Endpoint) Driver prior to installing the Horizon 6 Agent.
  • Teradici Audio Driver – https://techsupport.teradici.com/link/portal/15134/15164/Article/1434/Teradici-Virtual-Audio-Driver-1-2-0-Release-Details-15134-1434
  • For the AppVolumes Agent and Imprivata OneSign agent (if applicable), don’t install them until Horizon 6 Agent is installed.

Windows 7 Networking Hotfix

  1. Ensure the vSphere network port group allows a sufficient number of connected virtual machines.
  2. Make sure Windows 7 Service Pack 1 is installed.
  3. Download hotfix 2550978 from http://support.microsoft.com/kb/2550978.
  4. Run Windows6-1-KB2550978.msu.
  5. Click Yes when asked to install the hotfix.
  6. Click Restart Now.

Follow http://support.microsoft.com/kb/315539 to delete ghost NICs.

For desktop VMs using VMXNET3 NICs, you can significantly improve the peak video playback performance of your View desktop by setting the following registry value to the value recommended by Microsoft:

HKLM\System\CurrentControlSet\Services\Afd\Parameters\FastSendDatagramThreshold set to 1500

[As discussed in Microsoft KB article http://support.microsoft.com/kb/235257]

Black Screen Hotfix

VMware 2073945 – Reconnecting to the VDI desktop with PCoIP displays a black screen: Request and Install Microsoft hotfix 2578159: The logon process stops responding in Windows.

Power Options

  1. Run Power Options. In Windows 8 and newer, right-click the Start Menu to access Power Options.
  2. Click the arrow to show more plans and select High performance.
  3. Next to High performance, click Change plan settings.
  4. Change the selection for Turn off the display to Never and click Save changes.

System Settings

  1. Domain Join. For linked clones, join the machine to the domain.
  2. In the System control panel applet (right-click the Start Menu > System), click Remote settings.
  3. Enable Remote Desktop.
  4. Activate Windows with a KMS license if not already activated. Note: only KMS is supported with View Composer.

Windows Profiles v3/v4 Hotfix

Roaming user profiles are tied to the operating system version so profiles on Windows 8.1-based, Windows 10-based, or Windows Server 2012 R2-based computers are incompatible with roaming user profiles in earlier versions of Windows.

Profiles are compatible only between the following client and server operating system pairs:

  • Windows 10 and Windows Server 2016
  • Windows 8.1 and Windows Server 2012 R2
  • Windows 8 and Windows Server 2012
  • Windows 7 and Windows Server 2008 R2
  • Windows Vista and Windows Server 2008

If Windows 8, install hotfix http://support.microsoft.com/kb/2887239.

If Windows 8.1, ensure update rollup 2887595 is installed. http://support.microsoft.com/kb/2890783

After you apply this update, you must create a registry key before you restart the computer.

  1. Run regedit.
  2. Locate and then tap or click the following registry subkey:
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ProfSvc\Parameters
  3. On the Edit menu, point to New, and then tap or click DWORD Value.
  4. Type UseProfilePathExtensionVersion.
  5. Press and hold or right-click UseProfilePathExtensionVersion, and then tap or click Modify.
  6. In the Value data box, type 1, and then tap or click OK.
  7. Exit Registry Editor.

After you configure the UseProfilePathExtensionVersion registry entry, you have to restart the computer. Then, Windows 8.1 creates a user profile and appends the suffix “.v4” to the profile folder name to differentiate it from version 2 of the profile in Windows 7 and version 3 of the profile in Windows 8. Then, Windows 8.1-based computers that have update rollup 2887595 installed and the UseProfilePathExtensionVersion registry entry configured use version 4 of the profile.

Windows 8 creates a new copy of the user profile and appends the suffix “.v3” in the profile folder name to differentiate it from the original version 2 profile for Windows 7. After that, Windows 8-based computers that have this hotfix installed and the UseProfilePathExtensionVersion registry entry configured use the version 3 profile for users.

Install Applications

Install applications locally if you want them to be available on all virtual desktops created based on this master virtual desktop.

Or you can use a Layering product (e.g. VMware App Volumes, Unidesk) or App Streaming (e.g. ThinApp, Microsoft App-V).

Antivirus

Microsoft’s virus scanning recommendations (e.g. exclude group policy files) – http://support.microsoft.com/kb/822158.

Anti-Virus Practices for VMware View – http://www.vmware.com/files/pdf/VMware-View-AntiVirusDeployment-WP-en.pdf

Sophos

Best Practice for running Sophos on virtual systems – http://www.sophos.com/en-us/support/knowledgebase/110507.aspx and Sophos Anti-Virus for Windows 2000+: incorporating current versions in a disk image, including for use with cloned virtual machines – http://www.sophos.com/en-us/support/knowledgebase/12561.aspx

Symantec

Best practices for virtualization with Symantec Endpoint Protection 12.1, 12.1 RU1, and 12.1 RU1 MP1 – http://www.symantec.com/business/support/index?page=content&id=TECH173650

Symantec Endpoint Protection 12.1 – Non-persistent Virtualization Best Practices – http://www.symantec.com/business/support/index?page=content&id=TECH180229

How to prepare a Symantec Endpoint Protection 12.1 client for cloning – http://www.symantec.com/business/support/index?page=content&id=HOWTO54706

Non-persistent desktops:

After you have installed the Symantec Endpoint Protection client and disabled Tamper Protection, open the registry editor on the base image.

  1. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\.
  2. Create a new key named Virtualization.
  3. Under Virtualization, create a DWORD value named IsNPVDIClient and set it to 1.

To configure the purge interval for offline non-persistent VDI clients:

  1. In the Symantec Endpoint Protection Manager console, on the Admin page, click Domains.
  2. In the Domains tree, click the desired domain.
  3. Under Tasks, click Edit Domain Properties.
  4. On the Edit Domain Properties > General tab, check the Delete non-persistent VDI clients that have not connected for specified time checkbox and change the days value to the desired number. The Delete clients that have not connected for specified time option must be checked to access the option for offline non-persistent VDI clients.
  5. Click OK.

Make the following changes to the Communications Settings policy:

  1. Configure clients to download policies and content in Pull mode
  2. Disable the option to Learn applications that run on the client computers
  3. Set the Heartbeat Interval to no less than one hour
  4. Enable Download Randomization, set the Randomization window for 4 hours

Make the following changes to the Virus and Spyware Protection policy:

  1. Disable all scheduled scans
  2. Disable the option to “Allow startup scans to run when users log on” (This is disabled by default)
  3. Disable the option to “Run an ActiveScan when new definitions Arrive”

Avoid using features like application learning, which send information to the SEPM and rely on client state to optimize traffic flow.

Linked clones:

To configure Symantec Endpoint Protection to use Virtual Image Exception to bypass the scanning of base image files:

  1. On the console, open the appropriate Virus and Spyware Protection policy.
  2. Under Advanced Options, click Miscellaneous.
  3. On the Virtual Images tab, check the options that you want to enable.
  4. Click OK.

Trend Micro

Trend Micro Virtual Desktop Support

VDI Pre-Scan Template Generation Tool

Best practice for setting up Virtual Desktop Infrastructure (VDI) in OfficeScan

Frequently Asked Questions (FAQs) about Virtual Desktop Infrastructure/Support In OfficeScan

Horizon 6 Agent 6.2

Horizon 6 Agent Installation

Install Horizon 6 Agent on the master virtual desktop:

  1. Only install Horizon 6 Agent after VMware Tools. If you need to update VMware Tools, uninstall Horizon 6 Agent first, upgrade VMware Tools, and then reinstall Horizon 6 Agent.
  2. Check the video driver to make sure it is VMware SVGA 3D.
  3. Go to the downloaded Horizon 6 Agent 6.2. Run VMware-viewagent-6.2.0.exe.
  4. In the Welcome to the Installation Wizard for VMware Horizon View Agent page, click Next.
  5. In the License Agreement page, select I accept the terms and click Next.
  6. In the Network protocol configuration page, select IPv4 and click Next.
  7. In the Custom Setup page, if you want Scanner Redirection then enable that feature. Do the same for USB Redirection. Note: Scanner Redirection will impact host density. Click Next when done making selections.
  8. Click OK to acknowledge the message regarding USB redirection security.
  9. In the Ready to Install the Program page, click Install.
  10. In the Installer Completed page, click Finish.
  11. Click Yes when asked to restart.

User Environment Manager Engine

If you are licensed for User Environment Manager (Horizon Enterprise Edition), install the User Environment Manager Engine.

  1. Make sure Prevent access to registry editing tools is not enabled in any GPO. This setting prevents the FlexEngine from operating properly.
  2. In Windows 8 and newer, open Programs and Features (right-click the Start Menu) and click Turn Windows features on or off.
  3. Select .NET Framework 3.5 and click OK.
  4. Click Download files from Windows Update.
  5. Go to the extracted User Environment Manager folder and run VMware User Environment Manager 8.7 x64.msi.
  6. In the Welcome to the VMware User Environment Manager Setup Wizard page, click Next.
  7. In the End-User License Agreement page, check the box next to I accept the terms and click Next.
  8. In the Destination Folder page, click Next.
  9. The Choose Setup Type page appears. By default, the installer only installs the engine. You can click Custom or Complete to also install the console.
  10. In the Choose License File page, Browse to the license file. Then click Next.
  11. In the Ready to install VMware User Environment Manager page, click Install.
  12. In the Completed the VMware User Environment Manager Setup Wizard page, click Finish.

Unity Touch

With the Unity Touch feature, tablet and smart phone users can quickly navigate to a Horizon View desktop application or file from a Unity Touch sidebar. Although end users can specify which favorite applications appear in the sidebar, for added convenience, administrators can configure a default list of favorite applications.

In the Unity Touch sidebar, the favorite applications and favorite files that users specify are stored in the user’s profile. For non-persistent pools, enable Roaming Profiles.

To set the default list of favorite applications:

  1. Navigate to HKLM\Software\Wow6432Node\VMware, Inc.\VMware Unity
  2. Create a string value called FavAppList.
  3. Specify the default favorite applications using format: path-to-app-1|path-to-app-2|path-to-app-3|…. For example:
Programs/Accessories/Accessibility/Speech Recognition.lnk|Programs/VMware/VMware vSphere Client.lnk|Programs/Microsoft Office/Microsoft Office 2010 Tools/Microsoft Office 2010 Language Preferences.lnk

Unity Touch can be disabled by setting HKEY_LOCAL_MACHINE\Software\VMware, Inc.\VMware Unity\enabled to 0.

For more information, see the Feature Pack Installation and Administration guide at http://www.vmware.com/support/pubs/view_pubs.html.

Direct-Connection Plugin

If you wish to allow direct connections to the Horizon 6 Agent, install the Direct-Connection Plugin. This is not a typical configuration since it allows users to bypass the Horizon 6 Connection Servers but is useful if you need to restrict a Horizon 6 Agent to only one Horizon Client.

  1. Run the downloaded Direct-Connection Plugin (VMware-viewagent-direct-connection-6.2-xxx.exe).
  2. In the Welcome to the Installation Wizard for View Agent Direct-Connection Plugin page, click Next.
  3. In the End-User License Agreement page, select I accept the terms and click Next.
  4. In the Configuration Information page, click Next.
  5. In the Ready to install View Agent Direct-Connection Plugin page, click Install.
  6. In the Completed the View Agent Direct-Connection Plugin Setup Wizard page, click Finish.
  7. When running the Horizon Client, enter the FQDN or IP address of the Horizon 6 Agent (virtual desktop).

Composer – Rearm

By default, when View Composer creates linked clones and runs QuikPrep, one of the tasks is to rearm licensing. You can prevent this by setting the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\vmware-viewcomposer-ga

SkipLicenseActivation  DWORD           0x1

VMware OS Optimization Tool

  1. Download the VMware OS Optimization Tool VMware fling.
  2. Run the downloaded VMwareOSOptimizationTool_1050.msi.
  3. On the Analyze tab, on the bottom left, click Analyze.
  4. Check both boxes and click Continue to Analyze.
  5. Review the optimizations and make changes as desired. Then on the bottom left click Optimize.
  6. Click the FAILED links for more information.
  7. The History tab lets you rollback the optimizations.
  8. The Templates tab lets you edit the optimizations. You can create your own template or edit an existing template.

Snapshot

  1. Make sure the master virtual desktop is configured for DHCP.
  2. If connected to the console, run ipconfig /release.
  3. Run the antivirus vendor’s sealing tasks (see the Antivirus section above).
  4. Shutdown the master virtual desktop.
  5. Edit the Settings of the master virtual machine and disconnect the CD-ROM. Make sure no ISO is configured in the virtual machine.
  6. Take a snapshot of the master virtual desktop. View Composer requires a snapshot.
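The following is an added example, not code from the original post: a guest-side check of the master desktop before it is shut down and snapshotted. It reports the items this post configures in Windows (video driver, power plan, domain join, Remote Desktop, DHCP, the Afd and profile-hotfix registry values, the Symantec non-persistent flag, VMware Tools and the Horizon Agent); vSphere-side items (VMXNET3, no ISO attached, the snapshot itself) are not visible from inside the guest. It assumes PowerShell 3.0 or later and that the Horizon 6 Agent service display name starts with "VMware Horizon View Agent".

```powershell
# Added example (not from the original post). Run inside the master VM from an
# elevated PowerShell prompt before shutting it down for the snapshot.

function Get-RegValue {
    # Returns the value's data, or $null when the key or value does not exist.
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function New-Check {
    param([string]$Name, [bool]$Pass, [string]$Detail)
    [pscustomobject]@{ Check = $Name; Pass = $Pass; Detail = $Detail }
}

function Get-MasterImageChecks {
    $checks = @()

    # Device Manager: the video driver should be VMware SVGA 3D (installed by VMware Tools).
    $video = (Get-CimInstance Win32_VideoController | ForEach-Object Name) -join ', '
    $checks += New-Check 'Video driver is VMware SVGA 3D' ($video -match 'VMware SVGA 3D') $video

    # Power Options: the High performance plan should be active.
    $plan = Get-CimInstance -Namespace root\cimv2\power -ClassName Win32_PowerPlan -Filter 'IsActive = TRUE'
    $checks += New-Check 'Active power plan is High performance' ($plan.ElementName -eq 'High performance') $plan.ElementName

    # System Settings: domain joined, and Remote Desktop enabled (fDenyTSConnections = 0).
    $cs = Get-CimInstance Win32_ComputerSystem
    $checks += New-Check 'Joined to a domain' $cs.PartOfDomain $cs.Domain
    $rdp = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' 'fDenyTSConnections'
    $checks += New-Check 'Remote Desktop enabled' ($rdp -eq 0) "fDenyTSConnections=$rdp"

    # Snapshot prep: every IP-enabled adapter must use DHCP, not a static address.
    $nics   = Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
    $static = @($nics | Where-Object { -not $_.DHCPEnabled } | ForEach-Object Description)
    $checks += New-Check 'All adapters use DHCP' ($static.Count -eq 0) ($static -join ', ')

    # Windows 7 networking tweak: FastSendDatagramThreshold = 1500 (KB 235257).
    $afd = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\Afd\Parameters' 'FastSendDatagramThreshold'
    $checks += New-Check 'FastSendDatagramThreshold is 1500' ($afd -eq 1500) "value=$afd"

    # Profiles v3/v4 hotfix: Windows 8 (6.2) and 8.1 (6.3) need UseProfilePathExtensionVersion = 1.
    $ver = [version](Get-CimInstance Win32_OperatingSystem).Version
    if ($ver.Major -eq 6 -and $ver.Minor -in 2, 3) {
        $ext = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\ProfSvc\Parameters' 'UseProfilePathExtensionVersion'
        $checks += New-Check 'UseProfilePathExtensionVersion is 1' ($ext -eq 1) "value=$ext"
    }

    # Symantec non-persistent desktops: IsNPVDIClient = 1, checked only when SEP is installed.
    $sepPath = 'HKLM:\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC'
    if (Test-Path $sepPath) {
        $np = Get-RegValue "$sepPath\Virtualization" 'IsNPVDIClient'
        $checks += New-Check 'Symantec IsNPVDIClient is 1' ($np -eq 1) "value=$np"
    }

    # Agents: VMware Tools must be present (it has to be installed before the Horizon Agent).
    $tools = Get-Service -Name VMTools -ErrorAction SilentlyContinue
    $checks += New-Check 'VMware Tools service present' ($null -ne $tools) "$($tools.Status)"
    # Assumed display name for the Horizon 6 Agent service.
    $agent = Get-Service -DisplayName 'VMware Horizon View Agent*' -ErrorAction SilentlyContinue
    $checks += New-Check 'Horizon Agent service present' ($null -ne $agent) "$($agent.Status)"

    return $checks
}

$results = Get-MasterImageChecks
$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Pass }) {
    Write-Warning 'Fix the failed items before shutting down and snapshotting the master.'
}
```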

VMware Horizon 6 – Virtual Desktop Pools


This topic details View configuration for Virtual Desktop Agents. RDS Farms are detailed at http://www.carlstalhood.com/horizon-6-rds-farmspools/.

Prep

  • Each pool points to one vSphere cluster. 32 hosts maximum. If Virtual SAN, 20 hosts maximum.
  • Ensure the vSwitch has sufficient ports for the new virtual desktops.
  • Ensure the VLAN has enough DHCP addresses for the desktop pool.
    • Lower the DHCP lease time too.
  • KMS Licensing is required for Windows 7+ and/or Office 2010+.
  • The virtual desktop pools will use the same hardware specs (e.g. vCPUs, memory size, network label) specified on the master virtual desktop. Adjust accordingly.
  • The parent image should be in the same cluster where the linked clone virtual desktops will be created.

Disk space:

  • One or more LUNs for storage of the virtual desktops. Maximum of 140 desktops per VMFS5 LUN. Up to 250+ desktops per NFS LUN.
  • By default, Replicas are copied to each LUN that contains virtual desktops. It’s possible to place the Replica and the linked clones on separate LUNs. If you use a dedicated Replica LUN, then there is only one copy of the Replica no matter how many LUNs are used for storing virtual desktops. Note: NFS VAAI requires Replica to be copied to each virtual desktop LUN.
  • Persistent disks can be used to store the user’s profile (but not user-installed applications). To enable Persistent disks, the pool must be Dedicated Assignment. You can place the persistent disks on a LUN that is separate from the linked clones LUN. A better option is to use View Persona or User Environment Manager instead of Persistent disks.
  • Disposable disks. In Dedicated Assignment pools, you have the option of creating Disposable Disks. These disks are always stored with the virtual desktop (you can’t choose a dedicated disposable disk LUN). If you’re planning to frequently refresh the desktops, there’s no point in using Disposable disks.
  • .vswp files. Allocate disk space for memory swap and graphics memory overhead. Any unreserved memory will result in a .vswp file. For example, if the master virtual desktop has 2 GB of RAM configured and none of it is reserved then each linked clone will have a 2 GB .vswp file.

Floating (Non-Persistent) Desktop Pool

  1. In View Administrator, on the left, expand Catalog and click Desktop Pools.
  2. On the right, you can clone an existing pool. This copies many of the settings from the existing pool into the new pool.
  3. Or just click Add.
  4. In the Type page, select Automated Desktop Pool and click Next.
  5. In the User Assignment page, select Floating and click Next.
  6. In the vCenter Server page, select View Composer linked clones. Select the vCenter server and click Next.
  7. In the Pool Identification page, enter a name for the pool. A VM folder with the Pool ID as the name will be created in vCenter. Also, assign the pool to an Access group to restrict delegated administration. Click Next.
  8. In the Pool Settings page do the following:
    1. Change the selection for Automatically logoff after disconnect to After and specify a disconnect timer.
    2. Change the selection for Delete or refresh desktop on logoff to Refresh Immediately.
    3. Change the selection for Allow users to choose protocol to No. Then make your desired choices for 3D rendering and Maximum monitors. If not using 3D, max out the number of monitors and the resolution. This will grant more video RAM for each desktop if their video card is set to automatic.
    4. Note: Windows 7 MMR (H.264 only) requires 3D rendering to be enabled.
    5. Scroll down.
    6. Check the box next to HTML Access.
    7. HTML Access requires monitor resolution to be 1920×1200 or higher.
    8. Click Next.
  9. In the Provisioning Settings page, enter a naming pattern. You can use {n:fixed=3} to specify the location for the incremented numerals. Make sure the naming pattern does not conflict with any existing machines.
  10. Enter the maximum number of desktops to create. You can create all of them now or wait to create them as users connect. When a user connects to one of these desktops, View immediately creates another desktop (up to the maximum) and powers it on.
  11. Enter the number of spare (idle, unassigned, unused) desktops you want powered on. View maintains this number up to the maximum number of desktops.
  12. In Horizon 6.2, the maximum number of desktops per pool is 2,000. Ensure that the DHCP scope has enough addresses for the Max number of desktops specified here. Click Next.
  13. In the Disposable File Redirection page, select Do not redirect disposable files and click Next. Since we’re refreshing the desktops on logoff, there’s no need for a separate disposable disk.
  14. In the Storage Optimization page, check the box for Select separate datastores for replica and OS disk if you want to use storage tiering. Click Next.
  15. In the vCenter Settings page, most of these are self-explanatory. Click Browse next to each option and make your selection.
  16. If the Parent VM is not showing up in the list, check the box next to Show all parent VMs and click the icon next to the VM to see the issue.
  17. For Linked clone datastores, select one or more datastores on which the virtual desktops will be placed. Select your Storage Overcommit preference. Since you are refreshing desktops on every logoff, they should stay small so Unbounded is probably acceptable. VMware recommends no more than 140 virtual desktops per VAAI-enabled LUN. If the LUN is not VAAI enabled, 64 is the maximum. Click OK when done.
  18. For Select Replica Disk Datastores, select one datastore for the replica and then click OK.
  19. Then click Next.
  20. In the Advanced Storage Options page, be aware of the following:
    • View Storage Accelerator creates digest files, which consumes disk space. Creation of the digest files requires IOPS. Make sure to set the blackout times so that this digest creation does not happen during peak hours.
    • Reclaim VM disk space is not useful for non-persistent desktops.
  21. If you scroll down, there’s a new Transparent Page Sharing Scope. The default is no sharing. Use one of the other options to enable sharing. Click Next.
  22. In the Guest Customization page, next to AD container, click Browse and select the OU where virtual desktop computer objects will be placed.
  23. Consider checking the box next to Allow reuse of pre-existing computer accounts. Click Next.
  24. In the Ready to Complete page, you may entitle users now or later. Click Finish.
  25. To check the status of the virtual desktops, go to Catalog > Desktop Pools.
  26. Double-click the pool name.
  27. On the Inventory tab, click Desktops (View Composer Details). There’s a refresh button.
  28. You can also view the status of the desktops by looking at the Dashboard.
  29. Your VMs should eventually have a status of Available.
  30. If you encounter issues with View Composer, see VMware 2087379 VMware Horizon View Composer help center.
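As an added example (not part of the original post), this pre-flight check covers steps 9 to 12 above: it expands the naming pattern the way Horizon does ({n} or {n:fixed=<width>}, numbered from 1), flags names over the 15-character Windows computer-name limit, looks for computer accounts that already exist in Active Directory, and compares the pool maximum with the free addresses in the DHCP scope. The pattern 'VDI-{n:fixed=3}', DHCP server 'dhcp01' and scope 10.1.10.0 are placeholders; the ActiveDirectory and DhcpServer RSAT modules are assumed.

```powershell
# Added example (not from the original post). Placeholder names are marked below.

function Expand-HorizonNamingPattern {
    # Expands a Horizon naming pattern such as 'VDI-{n:fixed=3}' into VDI-001, VDI-002, ...
    param([Parameter(Mandatory)][string]$Pattern,
          [Parameter(Mandatory)][int]$Count)
    if ($Pattern -notmatch '\{n(?::fixed=(\d+))?\}') {
        throw "Pattern '$Pattern' has no {n} token"
    }
    $token = $Matches[0]
    $width = if ($Matches[1]) { [int]$Matches[1] } else { 1 }
    foreach ($i in 1..$Count) {
        $Pattern.Replace($token, $i.ToString().PadLeft($width, '0'))
    }
}

function Test-DesktopPoolPreflight {
    param([Parameter(Mandatory)][string]$Pattern,
          [Parameter(Mandatory)][int]$MaxDesktops,
          [Parameter(Mandatory)][string]$DhcpServer,
          [Parameter(Mandatory)][string]$ScopeId)

    $names = @(Expand-HorizonNamingPattern -Pattern $Pattern -Count $MaxDesktops)

    # Windows computer names are limited to 15 characters; longer names are truncated and collide.
    $tooLong = @($names | Where-Object { $_.Length -gt 15 })

    # Existing AD computer objects with the same name break provisioning unless
    # 'Allow reuse of pre-existing computer accounts' is deliberately enabled.
    $prefix    = $Pattern.Substring(0, $Pattern.IndexOf('{n'))
    $existing  = @(Get-ADComputer -Filter "Name -like '$prefix*'" | ForEach-Object Name)
    $conflicts = @($names | Where-Object { $existing -contains $_ })

    # Every powered-on desktop needs a lease: compare the pool maximum with the free scope addresses.
    $scope = Get-DhcpServerv4ScopeStatistics -ComputerName $DhcpServer -ScopeId $ScopeId

    [pscustomobject]@{
        Pattern             = $Pattern
        MaxDesktops         = $MaxDesktops
        FirstName           = $names[0]
        LastName            = $names[-1]
        NamesOver15Chars    = $tooLong.Count
        ExistingAdConflicts = $conflicts.Count
        DhcpFreeAddresses   = $scope.Free
        DhcpSufficient      = ($scope.Free -ge $MaxDesktops)
        Ready               = ($tooLong.Count -eq 0 -and $conflicts.Count -eq 0 -and $scope.Free -ge $MaxDesktops)
    }
}

# Placeholder values: replace with your pattern, pool size, DHCP server and scope.
Test-DesktopPoolPreflight -Pattern 'VDI-{n:fixed=3}' -MaxDesktops 200 -DhcpServer 'dhcp01' -ScopeId '10.1.10.0' | Format-List
```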

Entitle Virtual Desktops

To make a pool accessible by a user, it must be entitled.

  1. Go to Catalog > Desktop Pools.
  2. Double-click the pool name.
  3. On the Settings tab, click Entitlements.
  4. In the Entitlements window, click Add.
  5. Find a group that will have permission to log into these desktops and click OK.
  6. Then click OK.
  7. For a Persistent pool, go to the Inventory tab to see the desktops. Select a desktop and under More Commands click Assign User.
  8. Find the user and click OK. Repeat to assign users to additional desktops.

Update a Pool

  1. Power on the master/parent virtual desktop.
  2. After making your changes, shut down the master virtual desktop.
  3. Right-click the virtual machine and take snapshot. You must create a new snapshot.
  4. Name the snapshot and click OK.
  5. If you do this often, you’ll need to periodically delete the older snapshots. Right-click the master VM and click Manage Snapshots.
  6. Delete one or more of the snapshots.
  7. In View Administrator, go to Inventory > Pools.
  8. Double-click a pool name.
  9. On the Settings tab, click View Composer and then click Recompose.
  10. In the Image page, select the new snapshot and click Next.
  11. In the Scheduling page, decide when to apply this new image and then click Next.
  12. In the Ready to Complete page, click Finish.
  13. On the Inventory tab, you can click Desktops (View Composer Details) to check on the status of the recompose task.

VMware Horizon 6 – Cloud Pod Architecture


Planning

Cloud Pod Architecture lets you create a single icon that load balances connections across multiple pools in multiple pods in multiple sites (datacenters).

  • Entitlements can be local or global. Local means pools only in a single pod. Global means merging pools from multiple pods into a single entitlement.
    • Don’t configure both global and local entitlements for the same pool.
    • A single pool can only belong to one global entitlement.
    • Global Entitlements work in a single pod (good for large pools). Or you can have multiple pods and multiple sites.
    • Horizon 6.2 supports Global Entitlements for applications. However, it’s one application per global entitlement.
  • Use NetScaler GSLB or F5 GTM to connect Horizon Clients to a Horizon 6 Connection Server. The Horizon 6 Connection Server then uses Global Entitlements to select a pod/pool/desktop.
  • By default, pools in pods in the same site as the Horizon 6 Connection Server that the View Client is connected to are preferred over pools in remote sites. Use Home Sites to override this behavior. Home Sites are assigned to Active Directory user groups.
  • For Dedicated Assignment pools, global entitlement only helps with the initial connection. Once the user is assigned to a desktop then that desktop is always selected. Users are not automatically provided with a desktop from another site if the site containing their dedicated desktop has gone down. The desktop request will fail because the dedicated desktop isn’t available. The administrator could configure a separate Global Entitlement for the users to provide a floating desktop until such time the original site recovers. That floating entitlement should be arranged to deliver desktops from other sites as required.
  • The Horizon 6 Connection Servers participating in Cloud Pod Architecture communicate with each other over TCP 22389 and TCP 8472. Make sure these ports are open.
  • View Administrator includes a new administrator privilege: Manage Global Sessions. The regular Administrators role has access to multiple pods. The new Local Administrators role can only manage the local pod.

Limits:

  • Max users = 20,000
  • Max Pods = 4
  • Max Sites = 2
  • Max Horizon 6 Connection Servers = 20

Traffic flow (Rob Beekmans – VMware Horizon View Cloud Pod – unwanted routing?):

  • Use F5 GTM or NetScaler GSLB to connect users to a Horizon 6 Connection Server in any pod. If active/active, use proximity load balancing to control which pod is initially accessed.
  • The Horizon 6 Connection Server looks up the Global Entitlements to determine the destination pod for the Pool.
  • User’s PCoIP session goes through the initially connected Horizon 6 Connection Server and across the DCI (Datacenter Interconnect) circuit to the remote pod. There’s no way to re-route PCoIP through a Horizon 6 Connection Server in the remote pod. In fact, the Horizon 6 Connection Servers in the remote pod are never accessed. You need sufficient DCI bandwidth to handle this PCoIP traffic.

Initialize First Pod

  1. In View Administrator, on the left, expand View Configuration and click Cloud Pod Architecture.
  2. On the right, click Initialize the Cloud Pod Architecture feature.
  3. Click OK to initialize.
  4. A status page is displayed.
  5. Click OK to reload the client.
  6. On the left, expand View Configuration and click Cloud Pod Architecture.
  7. Feel free to rename the federation.
  8. On the left, expand View Configuration and click Sites.
  9. Rename the Default First Site to be more descriptive.
  10. If you click the site to highlight it, you can rename the Pod to make it more descriptive.
  11. If you add a Replica server after global entitlements are enabled, see Setting up the Cloud Pod Architecture feature on a replicated View Connection Server instance.
  12. See Restoring View Connection Server instances in a Cloud Pod Architecture pod federation.

Additional Pods – Join Federation

  1. Connect to View Administrator in the 2nd pod.
  2. On the left, expand View Configuration and click Cloud Pod Architecture.
  3. On the right, click Join the pod federation.
  4. Enter the name of an existing Horizon 6 Connection Server that is already joined to the federation.
  5. Enter credentials and click OK.
  6. The Join status is displayed.
  7. Click OK to reload the client.
  8. On the left, expand View Configuration and click Sites.
  9. If this pod is in a different site then click Add to create a new site.
  10. Give the site a name and click OK.
  11. Highlight the 1st site.
  12. On the bottom, highlight the new pod and click Edit.
  13. Rename the pod and put it in the 2nd site. Click OK.

Global Entitlements

Do not create both global and local entitlements for the same pool otherwise users might see two icons.

  1. In View Administrator, on the left, expand Catalog and click Global Entitlements.
  2. On the right, click Add.
  3. In the Type page, select Desktop Entitlement or Application Entitlement and click Next.
  4. In the Name and Policies page, give the entitlement (icon) a name. For Application Entitlements, it’s one entitlement per application so include the application name.
  5. Make other selections. The Use home site checkbox tells the global entitlement to respect user home sites but the user home sites can only be configured at the command line (lmvutil). Click Next.
  6. If creating a Desktop Entitlement then there are more options.
  7. In the Users and Groups page, add users that can see the icon. Click Next.
  8. In the Ready to Complete page, click Finish.
  9. Double-click the new global entitlement.
  10. On the Local Pools tab, click Add.
  11. Select the pools you want to add and click Add. Remember, only one app per Global Entitlement.
  12. Go to another pod and view the Global Entitlements.
  13. On the right, double-click the Global Entitlement.
  14. On the Local Pools tab, click Add to add pools from this pod.

Monitoring

  1. Once Global Entitlements are enabled, a new Search Sessions node is added to View Administrator. This allows you to search for sessions across federated pods.
  2. The Dashboard shows the health of remote pods.

Home Sites

Home sites can’t be specified in View Administrator so use lmvutil instead:

  • lmvutil provides almost no feedback.
  • Its parameter names are case sensitive.
  • It requires you to authenticate for every single command.
  • There are different commands for groups vs users.
  • Home sites for groups don’t understand nesting.

Do the following to create home sites and assign them to users:

  1. Run Command Prompt as administrator.
  2. To create home sites for users, see pubs.vmware.com.

Citrix AppDNA 7.6.5


Planning

Your Citrix License Server must have XenApp or XenDesktop Platinum Edition licenses. If you don’t have Platinum Edition licenses then work with a Citrix Partner to perform AppDNA analysis.

AppDNA server should have the following:

  • 12 GB of RAM
  • 80 GB free disk space for up to 200 applications; 150 GB for more than 200 applications.

SQL Server:

  • SQL 2008 R2, 2012, or 2014. SQL Express is not supported.
  • AppDNA generates load on SQL during install (duration = few hours) and during import and analysis.
  • See Optimize AppDNA > Optimize SQL Server at docs.citrix.com.
  • Disk space could easily be 20+ GB.

AppDNA can directly import and analyze .msi installers. For non-.msi installers, you’ll need a machine to capture the install process. The machine(s) should run the same operating system as what you are migrating from. The machine can either be directly accessible through a hypervisor, in which case AppDNA can automate the capture process, or it can be any machine where a user can perform Self Provisioning.

SQL Database

  1. Create a new SQL database.
  2. On the Options page, the Collation must be Latin1_General_CI_AS.
  3. Add a service account to SQL logins.
  4. On the Server Roles page, add the service account to the bulkadmin role.
  5. Give the service account db_owner permission to the AppDNA database.

Server Prerequisites

  1. On the AppDNA Server, open Computer Management. Edit the Administrators group and add the service account.
  2. In Server Manager, start the Add Roles and Features Wizard.
  3. In the Server Roles page, select Web Server (IIS) and click Next.
  4. In the Select features page, select .NET Framework 3.5 (and 4.5). Click Next.
  5. In the Select role services page, select HTTP Redirection. Scroll down.
  6. Scroll down and under Health and Diagnostics select Request Monitor.
  7. Scroll down and under Performance select Dynamic Content Compression.
  8. Scroll down and under Security select Basic Authentication, IP and Domain Restrictions, URL Authorization, and Windows Authentication.
  9. Scroll down and under Application Development select everything except CGI and WebSocket Protocol.
  10. Scroll down and check the box next to IIS 6 Management Compatibility, which includes IIS 6 Metabase Compatibility.
  11. Also select IIS Management Scripts and Tools and Management Service. Click Next.
  12. In the Confirm installation selections page, click Specify an alternate source path.
  13. Browse to the sources folder on the Windows Server 2012 R2 DVD and click OK.
  14. Click Install.

Server Installation

  1. Run the downloaded AppDNA 7.6.5 (Citrix-AppDNA.msi).
  2. In the Welcome to the Installation Wizard for Citrix AppDNA 7.6.5 page, click Next.
  3. In the License agreement page, select I accept the terms and click Next.
  4. In the Citrix AppDNA Installation Type page, select Complete and click Next.
  5. In the Citrix AppDNA installation locations page, click Next.
  6. In the Ready to install Citrix AppDNA page, click Install.
  7. In the Installation Wizard Completed page, click Finish.

Configuration Wizard

  1. The Configuration wizard launches.
  2. If you see a Prerequisites page, click Enable.
  3. In the Configure AppDNA page, click Next.
  4. In the Database creation page, enter the SQL server name, enter the database name, and click Next.
  5. In the AppDNA web site credentials page, enter the credentials of your service account and click Next.
  6. In the License database page, enter the address of a Citrix License server that has XenApp/XenDesktop Platinum Licenses and click Next.
  7. In the System check page, click Configure.
  8. It will probably take several hours to populate the database.
  9. Click Close when done.
  10. See Optimize AppDNA > Optimize IIS at docs.citrix.com.

Launch and Login

  1. Launch AppDNA from the Start Menu.
  2. Log in with the username administrator and the password apps3cur3.

Welcome Wizard

  1. In the Welcome page, click Next.
  2. This wizard lets you select which modules to enable. The more modules you enable, the longer it takes to analyze an application. Go through each page and make your selections.
  3. Then click Configure.
  4. And click Close.

Users

  1. Open the Administration menu and click Users.
  2. In the toolbar, click Import from AD.
  3. Select your Citrix Admins group and click OK.
  4. On the right, notice that Administrators role is selected by default.
  5. Open the File menu and click Exit.
  6. Launch AppDNA again.
  7. On the login page, click Options.
  8. You can check the box next to Integrated Login and click Log On.
  9. Go back to Administration > Users.
  10. Edit the administrator account.
  11. And change its password.

Direct Import

  1. Switch to the Import & Analyze workspace.
  2. On the left, under Import, click Applications.
  3. On the right, switch to the Direct Import tab.
  4. Click Browse in the toolbar. Then browse to an .MSI file.
  5. The .msi files are shown in the list. Use the checkboxes on the left to select the applications.
  6. Then on the top right click the Import & Analyze button to begin analysis.
  7. A progress bar is displayed next to the application.
  8. Analysis begins immediately. You can change the analysis modules by going to Configure > Modules > Wizard.
  9. After analysis is complete, select a report you want to view and click Finish on the top right.
  10. You can also view reports for applications that have already completed analysis by switching to the Reports: Applications workspace.
  11. On the left, select a report you want to view.
  12. You might be prompted to select applications. If you want to change this selection later, there’s a Change Selection button on the toolbar.

  13. The report displays a list of applications with color coding. Click an application name to view more details.

Install Capture

Install Capture lets you import application installers that are not available as MSI files. AppDNA uses a hypervisor connection to automate the Install Capture process. Alternatively, you can do a manual capture using the Self Provisioning process.

Prepare Install Capture Machine

  1. Create a share on the AppDNA machine. The captured data is stored in this share.
  2. The operating system of the Install Capture machine should match the operating system version you are migrating from.
  3. On the Install Capture machine, make sure Remote Desktop is enabled.
  4. On the Install Capture machine, browse to the AppDNA server in the C$\Program Files (x86)\Citrix\AppDNA\Tools folder and run Citrix AppDNA VM Configuration.msi.
  5. In the Welcome to the Installation Wizard for Citrix AppDNA VM Configuration page, click Next.
  6. In the License Agreement page, select I accept the terms and click Next.
  7. In the Ready to Install the Program page, click Install.
  8. In the Installation Wizard Completed page, click Finish.
  9. Click Yes when prompted to reboot.
  10. You can either take a snapshot now or AppDNA will do it for you.

Configure AppDNA for Install Capture

  1. In the AppDNA Console, open the Edit menu and click Settings.
  2. On the left, switch to the Install Capture page.
  3. On the right, click New.
  4. In the Virtual Machine Configuration Wizard page, click Next.
  5. In the Virtual machine details page, give the configuration a name.
  6. Select vSphere and click Next.
  7. In the vSphere Host Details page, in the Single Sign-on Server field, enter the Platform Services Controller hostname and :7443.
  8. In the vCenter Server field, enter the hostname of the vCenter server.
  9. Enter credentials that can snapshot and perform power operations on the Install Capture machine. Click Test and then click Next.
  10. In the vSphere Virtual Machine page, in the list of machines, select the Install Capture machine and click Next.
  11. In the vSphere Snapshot selection page, if there are no snapshots, click Take Snapshot.
  12. Click Test. At least confirm that the machine can be reverted to snapshot. Don’t worry if the console doesn’t open. Click Next.
  13. In the Virtual machine connection page, enter the hostname of the Install Capture machine and click Test. Note: the RemoteAdmin.exe process only runs while somebody is logged into the machine. Click Next.
  14. In the Capture output location page, enter the UNC path to the file share on the AppDNA server and click Test. Then click Next.
  15. In the Virtual machine state page, make a selection and click Next.
  16. In the Virtual machine configuration summary page, click Finish.
  17. Click Save to close the Settings window.

Perform Install Capture

  1. Switch to the Import & Analyze workspace.
  2. On the left, under Import, click Applications.
  3. On the right, switch to the Install Capture tab and click Browse.
  4. If you have more than one Install Capture machine, use the drop-down to select the one you want to use.
  5. On the top right click Import & analyze.

  6. The virtual machine configuration check window is displayed.
  7. The Install Capture VM will be started.
  8. Eventually you’ll be prompted to RDP to the Install Capture machine.
  9. The capture process begins with a snapshot of the Install Capture machine.
  10. Then the application is installed. This should happen automatically.
  11. Then a differencing snapshot is taken and uploaded to AppDNA Server.
  12. Once the Capture process is complete, Analysis begins immediately.

Self Provisioning

Self Provisioning is very similar to Install Capture except there’s no need for direct connectivity between AppDNA server and the hypervisor that hosts the Self Provisioning machine. Once the process is started in the AppDNA console, a different user can complete the snapshot process on the Self Provisioning machine.

Prepare Self Provisioning Machine

  1. Make sure AppDNA VM Configuration is installed first.
  2. On the Self Provisioning machine, browse to the AppDNA server in the C$\Program Files (x86)\Citrix\AppDNA\Tools folder and run Citrix AppDNA Self Provisioning Client.msi.

  3. In the Welcome to the Installation Wizard for Citrix AppDNA Self Provisioning Client page, click Next.
  4. If you see the Pre-Requisites Check page, stop the installer, install the AppDNA VM Configuration Client and then restart this installer.
  5. In the License Agreement page, select I accept the terms and click Next.
  6. In the Destination Folder page, click Next.
  7. In the Ready to Install the Program page, click Install.
  8. In the Installation Wizard Completed page, click Finish.
  9. Take a snapshot of the Self Provisioning machine.

Perform Self Provisioning Capture

  1. In the AppDNA Console, switch to the Import & Analyze workspace.
  2. On the left, click Applications.
  3. On the right switch to the Self Provisioning tab.
  4. Then click the Configuration icon in the toolbar.
  5. In the Self Provisioning page, enter the UNC path to a share that both machines (AppDNA server and Self Provisioning machine) can access.
  6. In the toolbar click Browse and browse to the application installer.
  7. Click Publish to push the files to the file share.

  8. Click in the PublishedFile column to access the full path and copy it to the clipboard.
  9. On the Self Provisioning machine, run the Self Provisioning Client from the Start Menu.
  10. Paste in the path and click Start.
  11. After the snapshot is taken, click the Start button and install the application.
  12. Once the install is complete, another snapshot will be taken and the results will be uploaded to the share. Click Close.
  13. Back in the AppDNA console, click Refresh Status and make sure the status changes to Complete.
  14. Make sure the application is selected and then on the right side of the toolbar click Move to Import.
  15. This moves the application to the Direct Import tab where you can select the application and click Import & Analyze.

Solutions

CitrixTV XenApp Upgrades with AppDNA demonstrates the Solutions feature of AppDNA 7.6 including: XenApp upgrades, operating system image upgrades, and application interoperability. This is also detailed at Configure solutions at docs.citrix.com.

  1. For some of the solutions it is helpful to import operating system images of the machines you are moving from and the machines you are moving to.
  2. In the Import & Analyze workspace, on the left click Operating Systems.
  3. On the right, click Download Snapshot Manager. Run this on an operating system image that you want to import.
  4. Then click Import from MSI to import the MSI file generated by the Snapshot Manager.
  5. Switch to the Solutions workspace.
  6. On the top left click Add solution.
  7. In the Solutions Templates page, select a solution and click Next.
  8. In the Solution name page, give the solution a name and click Next.
  9. In the Platform name page, choose the platform you are migrating from and click Next.
  10. In the Applications page, select the applications you want to analyze and click Next.
  11. In the Solution platforms page you can change the Target platforms or add more platforms.
  12. Click Build.

VMware Identity Manager

Planning

System and Network Configuration Requirements at pubs.vmware.com

VMware Blog – Results of VMware Workspace Portal 2.1 Tests Exceed Expectations: a single Workspace appliance can handle 30,000 users. Also see Technical White Paper – VMware Workspace Portal Reference Architecture.

Preparation

DNS Configuration

If you intend to build multiple appliances and load balance them, specify a unique DNS name for each appliance. The Load Balancing DNS name is different from the appliance DNS names. For example:

  • Appliance 1 = im01.corp.local
  • Appliance 2 = im02.corp.local
  • Load Balancing Name = Identity.corp.com. This name is used both internally and externally.

You’ll need SSL certificates that match these names.

Each of these DNS names must have a corresponding reverse DNS pointer record.

  1. Create DNS records for the virtual appliances.
  2. Create reverse pointer records too. Reverse pointer records are required.

LDAP Accounts

  1. All accounts synced with Identity Manager must have First Name, Last Name, and E-mail Address configured. This includes the Bind account.
  2. Create a new Active Directory group for your Identity Manager users. The Domain Users group will not work.

SQL Database

If you want to build multiple Identity Manager appliances and load balance them, configure them with an external database (e.g. Microsoft SQL). Alternatively, you can follow Using embedded vPostgres in Production for VMware Workspace Portal VA 2.1 (2094258).

  1. Create a new database.
  2. Name it saas. It doesn’t seem to work with any other database name.
  3. On the Options page, change the Collation to Latin1_General_CS_AS.
  4. Set Is Read Committed Snapshot On to True.
  5. After creating the database, expand the database name, expand Security, right-click Schemas and click New Schema.
  6. Name the schema saas and click OK.
  7. Add a new SQL Login.
  8. Name it horizon. It doesn’t seem to work with any other username.
  9. Change it to SQL Server authentication and give it a password.
  10. Set the Default database to saas.
  11. On the User Mapping page, map the login to the saas database and give it db_owner permission.
  12. In the saas database line, click the … in the Default Schema column.
  13. Enter the saas schema and click OK.

OVF Deployment

  1. In the vSphere Web Client, right-click a cluster and click Deploy OVF Template.
  2. In the Select source page, browse to the Identity-Manager-2.4.0 .ova file and click Next.
  3. In the Review details page, click Next.
  4. In the Accept License Agreements page, click Accept and click Next.
  5. In the Select name and folder page, give it a name, select a folder and click Next.
  6. In the Select storage page, select Thin Provision, select a datastore, and click Next.
  7. In the Setup networks page, select the network for the appliance. Click Next.
  8. In the Customize template page, select a time zone and make a choice regarding Customer Experience Improvement Program.
  9. Expand Networking Properties and enter a unique IP address. DNS must contain reverse lookup for this IP address. Click Next.
  10. In the Ready to complete page, check the box next to Power on after deployment. Or for larger implementations, increase the appliance specs before powering on. Click Finish.

Setup Wizard

  1. Wait for the appliance to power on and fully boot.
  2. Go to https://im01.corp.local to access the Identity Manager Setup Wizard. It will redirect you to port 8443.
  3. Click Continue.
  4. In the Set Passwords page, enter passwords for the three accounts and click Continue.

  5. In the Select Database page, change it to External Database.
  6. Enter a JDBC URL similar to the following:
    jdbc:sqlserver://sqlserver.corp.local;DatabaseName=saas
  7. Enter the credentials for the horizon SQL account and click Test Connection. Then click Continue.

  8. In the Setup Review page, click the link.

SSH – Enable Root Access

This is optional. Enabling root access lets you use WinSCP to connect to the appliance using root credentials. Instructions can be found at https://blogs.vmware.com/horizontech/2013/03/how-to-enable-ssh-in-horizon-workspace-virtual-appliances.html.

  1. Use PuTTY to connect to the Identity Manager appliance.
  2. Log in as sshuser.
  3. Run su and enter the root password.
  4. Run vi /etc/ssh/sshd_config.
  5. Scroll down to line 40 (PermitRootLogin).
  6. Press <i> on the keyboard to change to insert mode.
  7. Go to the end of the line and change no to yes.
  8. Press <ESC> to exit insert mode.
  9. Type :x to save the file and exit.
  10. Run /etc/rc.d/sshd restart.

Configuration

  1. Login to the webpage as the admin user.
  2. You should be on the Identity & Access Management tab.
  3. On the top right, switch to the Setup view.
  4. On the left, switch to the User Attributes sub-tab.
  5. Scroll down. Check the boxes next to distinguishedName and userPrincipalName. Click Save.
  6. On the right, switch to the Manage view.
  7. Click Add Directory.
  8. Change it to Active Directory (integrated Windows Authentication). Note: Domain Controllers are selected at random. You can override this by creating the file domain_krb.properties on the appliance. See Create a Domain Host Lookup File to Override DNS Service Location (SRV) Lookup at pubs.vmware.com.
  9. Enter the Active Directory domain DNS name. Scroll down.
  10. Enter credentials that can join the appliance to the domain.
  11. Enter the LDAP Bind credentials. Click Save & Next.
  12. Select the domains you want to sync and click Next.
  13. In the Map User Attributes page, click Next.
  14. In the Select the Groups page, click the plus icon to add a DN.
  15. Enter a Base DN in LDAP format and click Find Groups.
  16. Click Select.
  17. Search for your Identity Users group and select it. Don’t select Domain Users. It won’t work.
  18. Click Next.
  19. In the Select the Users page, click Next.
  20. In the Review page, click Edit.
  21. Select a more frequent sync schedule and click Save.
  22. Click Push to Identity Manager.

  23. You can click the link to view the Sync log.
  24. You can also click the directory name and then click Sync log to view the log.

Administrators

  1. You can promote individual users (but not groups) to administrators. In the Admin console, click the Users & Groups tab.
  2. Switch to the Users tab.
  3. Click a username.
  4. On the top left, click where it says Role(s): User.
  5. Select Promote to Administrator and click Save.

License

  1. On the Appliance Settings tab, on the left, click License.
  2. On the right, enter the license key and click Save.

Certificate

  1. Use OpenSSL or similar to create the certificate in PEM format. If you have a .pfx, you can use OpenSSL to convert from pkcs12 to PEM. Also use OpenSSL to convert the private key to RSA format.
  2. On the Appliance Settings tab, click Manage Configuration.
  3. Login as your admin account.
  4. On the left, click Install Certificate.
  5. On the right, delete the certificate and key that are currently displayed.
  6. Paste in the new PEM certificate and RSA private key. Paste every certificate in the chain: server + intermediate + root. Click Save.
  7. Click OK to restart the appliance.
  8. If you uploaded a wildcard certificate then click OK to accept incompatible hostname.
  9. After rebooting, if you close the browser tab and open a new one, the certificate should be valid and trusted.
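Steps 1 and 6 above, as an added shell example that is not part of the original article: it converts a PKCS#12 (.pfx) file with OpenSSL into the PEM chain (server certificate followed by the CA certificates) and the RSA-format private key the Install Certificate page expects, and checks that the key matches the certificate and that the chain verifies before anything is pasted into the appliance. The .pfx, its export password, and the names identity.corp.com and Example Root CA are constructed inside the script for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original article: turn a .pfx into the PEM
# certificate chain and RSA-format private key the Identity Manager
# "Install Certificate" page expects, then sanity-check the result.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Constructed test input (stand-in for the .pfx exported from your CA or IIS):
# a throwaway root CA "Example Root CA" and a server cert for identity.corp.com.
make_sample_pfx() {
  pfx="$1"; pass="$2"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
    -subj "/CN=Example Root CA" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes \
    -keyout "$WORK/srv.key" -out "$WORK/srv.csr" \
    -subj "/CN=identity.corp.com" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$WORK/srv.csr" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/srv.crt" >/dev/null 2>&1
  openssl pkcs12 -export -inkey "$WORK/srv.key" -in "$WORK/srv.crt" \
    -certfile "$WORK/ca.crt" -out "$pfx" -passout "pass:$pass"
}

# pfx_to_pem PFX PASSWORD OUT_CHAIN OUT_KEY
#   OUT_CHAIN: server certificate first, then the CA certificates carried in
#              the .pfx (the order the appliance wants: server + intermediate + root)
#   OUT_KEY:   unencrypted key with the traditional "BEGIN RSA PRIVATE KEY" header
pfx_to_pem() {
  pfx="$1"; pass="$2"; chain="$3"; key="$4"
  # Leaf certificate only; piping through "openssl x509" drops the Bag Attributes.
  openssl pkcs12 -in "$pfx" -passin "pass:$pass" -clcerts -nokeys 2>/dev/null \
    | openssl x509 > "$chain"
  # CA certificates from the bundle, appended after the leaf.
  openssl pkcs12 -in "$pfx" -passin "pass:$pass" -cacerts -nokeys 2>/dev/null \
    | awk '/BEGIN CERTIFICATE/,/END CERTIFICATE/' >> "$chain"
  # Private key, unencrypted (-nodes); pkcs12 writes it as PKCS#8 ("BEGIN PRIVATE KEY").
  openssl pkcs12 -in "$pfx" -passin "pass:$pass" -nocerts -nodes \
    -out "$WORK/key.p8" 2>/dev/null
  # Rewrite as PKCS#1 "RSA PRIVATE KEY". OpenSSL 3 needs -traditional for that
  # header; OpenSSL 1.1 has no such flag and emits it by default, hence the fallback.
  openssl rsa -in "$WORK/key.p8" -traditional -out "$key" 2>/dev/null \
    || openssl rsa -in "$WORK/key.p8" -out "$key" 2>/dev/null
}

# Checks worth running before pasting anything into the appliance.
cert_count() { grep -c 'BEGIN CERTIFICATE' "$1"; }
key_header_is_rsa() { grep -q 'BEGIN RSA PRIVATE KEY' "$1"; }
key_matches_cert() {
  # The public key inside the leaf must equal the one derived from the private key.
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}
chain_verifies() {
  # The leaf (first cert in the bundle) must verify against the CA certs after it.
  openssl x509 -in "$1" -out "$WORK/leaf.pem"
  awk '/BEGIN CERTIFICATE/{n++} n>1' "$1" > "$WORK/cas.pem"
  openssl verify -CAfile "$WORK/cas.pem" "$WORK/leaf.pem" >/dev/null 2>&1
}

run_demo() {
  make_sample_pfx "$WORK/identity.pfx" 'export-password'
  pfx_to_pem "$WORK/identity.pfx" 'export-password' \
    "$WORK/identity-chain.pem" "$WORK/identity-key.pem"
  key_header_is_rsa "$WORK/identity-key.pem"
  key_matches_cert "$WORK/identity-chain.pem" "$WORK/identity-key.pem"
  chain_verifies "$WORK/identity-chain.pem"
  echo "chain: $(cert_count "$WORK/identity-chain.pem") certificates, key matches, chain verifies"
}
run_demo
```

The contents of the two output files are what gets pasted into the certificate and private key boxes; a wildcard or mismatched name is reported by the appliance, but a key that does not match the certificate is only caught by the check above.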

SMTP

  1. On the Appliance Settings tab, on the left click SMTP.
  2. On the right, enter your mail server information and click Save.

Kerberos Authentication

  1. Go to Identity & Access Management > Setup > Connectors.
  2. Click the blue hostname link for the Connector.
  3. Switch to the Auth Adapters tab. You may enable Kerberos or other authentication adapters from this page.
  4. Kerberos lets users Single Sign-on to the Identity Manager web page. It only works for Windows clients. And the Identity Manager FQDN must be in Internet Explorer’s Local Intranet zone.
  5. After enabling the adapter, go to Identity & Access Management > Setup > Network Ranges.
  6. Click Add Network Range.
  7. Give the Network Range a name.
  8. Enter an internal IP Range and click Save.
  9. Go to Identity & Access Management > Manage > Policies.
  10. Click the default Policy.
  11. Click the plus icon to add a Policy Rule.
  12. Select the Network Range you just created.
  13. Select Kerberos as the first authentication method.
  14. Select Password as the second authentication method. Click Save.
  15. Drag the new Policy Rule to move it to the top. Then click Save.

Customize Appearance

  1. If you go to Identity & Access Management > Setup > Custom Branding, on the Names & Logos tab you can change the browser’s title and favicon.
  2. If you then switch to the Sign-In Screen page, you can upload a logo, upload an image, and change colors.
  3. If you go to Identity & Access Management > Manage > Password Recovery Assistant, you can configure a link to a password recovery tool or change the Forgot password message.
  4. If you scroll down you can optionally Show detailed message to End User when authentication fails.
  5. Click Catalog and then click Settings.
  6. On the left, click User Portal Branding.
  7. Make changes to Logos, colors, etc.

Load Balancing

If you want to build multiple Identity Manager appliances and load balance them then see http://www.carlstalhood.com/VMware-Identity-Manager-Load-Balancing

Resources

View Administrator – Enable SAML Authentication

  1. Login to View Administrator.
  2. On the left, under View Configuration click Servers.
  3. On the right, on the Connection Servers tab, select a Connection Server and click Edit.
  4. On the Authentication tab, change Delegation of authentication to VMware Horizon to Allowed.
  5. In the SAML Authenticator drop-down, select Create New Authenticator.
  6. In the Label field, enter a descriptive label.
  7. In the Metadata URL field, enter the Identity Manager FQDN and click OK.
  8. If you see a certificate error, click View Certificate and then click Accept.
  9. Click OK to close the Edit Connection Server Settings window.

Identity Manager – Enable View Pools

Separate Horizon 6 Connection Server groups (e.g. multi-datacenter) can be configured in failover order. See Manage Resources Usage in Multiple VMware Identity Manager Data Centers at pubs.vmware.com.

  1. Back in the Identity Manager Admin Portal, go to Catalog > Application Catalog.
  2. Click Manage Desktop Applications and expand View Application.
  3. Click one of the connectors.
  4. Check the box next to Enable View Pools.
  5. Enter the address of a Horizon 6 Connection Server (or load balanced FQDN). Note: reverse IP lookup must be functional for this DNS name.
  6. Enter View Administrator credentials in userPrincipalName format. The account needs at least Read Only Administrator access to Horizon.
  7. Deployment Type can be Automatic or User-Activated. User-Activated means users have to go to the App Center to add the icons to the My Apps portal.
  8. Specify the Viewpool sync frequency and click Save.
  9. Near the top of the screen you might see red text. Click Invalid SSL Cert.
  10. In the Certificate Information page, click Accept.
  11. Near the bottom of the page click Sync Now. Note: whenever you make a change to the pools in View Administrator, you must either wait for the next automatic Sync time or you can return to this screen and click Sync Now.
  12. If sync fails, see VMware 2091744 Synchronizing VMware Horizon View Pool in Workspace Portal fails with the error: Failed to complete View sync due to a problem with the View Connection Server.
  13. Then click Save and Continue. Note: whatever groups are entitled to Horizon Pools and Applications must also be synced (Active Directory) with Identity Manager.
  14. In the Identity Manager Admin console, on the Catalog tab, you can see the View icons. Only the pools in the root Access Group are synced.
  15. Click an icon and make sure entitlements are listed. If not, fix the entitlements in Horizon, modify the Active Directory sync settings in Identity Manager, and then Resync the View Pools in Identity Manager.
  16. If you check the box next to one of the icons, you can place the icon in a Category by clicking the Categories button near the top right and entering a category name.
  17. If an existing category doesn’t match your needs, enter a new category name and click Add.
  18. Then check the box next to the new category.
  19. The category is then displayed next to the catalog item.

Identity Manager – Horizon URLs

  1. In the Identity Manager administrator interface, go to Identity & Access Management > Setup > Network Ranges.
  2. You can edit the default range or add a new range.
  3. Specify the View URL for the IP range. You can have different Horizon Client Access URLs for different IP ranges (e.g. internal vs external). For external users, the URL points to Access Points or Horizon 6 Security Servers.

Identity Manager User Portal

  1. When a user logs in to the Identity Manager web page the pool icons will be displayed.
  2. The first time the user launches an application or desktop the user is asked to choose a method (Horizon client or Browser) for opening the pool.
  3. The default preference can be changed by clicking the user’s name and clicking Preferences.
  4. You can override the default launch behavior by right-clicking the icon, expand Launch and make your selection.
  5. The same right-click menu lets you mark the icon as a Favorite.
  6. Then you can click Favorites to display only icons that are marked as Favorites.
  7. If you enabled categories, use the Categories drop-down to filter the icons. Only the icons in that category are displayed.

VMware Identity Manager Load Balancing

This topic assumes you’ve already setup one Identity Manager appliance as detailed at http://www.carlstalhood.com/vmware-identity-manager/

NetScaler Configuration

Setup the load balancing before you clone the appliance.

  1. In your NetScaler, go to Traffic Management > Load Balancing > Monitors and add a monitor.
  2. Give it a name and select HTTP as the Type.

  3. On the Standard Parameters tab check the box next to Secure.
  4. On the Special Parameters tab set the HTTP request to GET /SAAS/auth/login.
  5. Go to Traffic Management > Load Balancing > Servers and add a server that points to the IP address of your Identity Manager appliance.

  6. Go to Traffic Management > Load Balancing > Service Groups and add a Service Group.
  7. Give it a name.
  8. The protocol is SSL.
  9. Bind a Member to it and specify port 443.
  10. On the right, add the Settings section.
  11. Check the box for Client IP and enter X-Forwarded-For.
  12. Bind a monitor and select the Identity Manager monitor you created earlier.
  13. Go to Traffic Management > SSL > Certificates and install a certificate.
  14. Go to Traffic Management > Load Balancing > Virtual Servers and add a Virtual Server.
  15. Give it a name and enter a VIP.
  16. Protocol = SSL.
  17. Bind the Service Group created earlier.
  18. Bind the certificate. This certificate must match the name users will use to access Identity Manager.
  19. On the right add Persistence.
  20. Select SSLSESSION and give it a timeout of 60 minutes or more.
  21. Create another Load Balancing Virtual Server on HTTP port 80. Configure it to redirect HTTP to HTTPS.

Load Balancing FQDN

  1. In the Identity Manager appliance, go to Appliance Settings > Manage Configuration.
  2. On the left, click Install Certificate.
  3. On the right, switch to the Terminate SSL on a Load Balancer tab.
  4. Paste in the root certificate in PEM (Base64) format. Click Save.
  5. Click OK to restart the appliance.

  6. On the left, click the Identity Manager FQDN page.
  7. Enter the FQDN that resolves to the VIP on the load balancer and click Save.
  8. The appliance will restart.
  9. Verify you can connect to the load balanced DNS name and login.

Clone Appliance

  1. Login to the appliance console.
  2. If you see the file /etc/udev/rules.d/70-persistent-net.rules, delete it.
  3. Shut down the original Identity Manager appliance.
  4. Clone the Identity Manager appliance.
  5. Give the cloned appliance a name and select a folder.
  6. In the Select clone options page, do not customize. Check the box next to Power on virtual machine and click Next.
  7. In the Customize vApp properties page, expand Networking Properties.
  8. Change the hostname and IP address for the new appliance. Click Next and Finish.

  9. Once the appliances are booted, log in to one of them and run curl -XGET 'http://localhost:9200/_cluster/health?pretty=true'. Make sure it says two nodes.
  10. Also run rabbitmqctl cluster_status and make sure it shows both nodes.

Additional Connector

  1. In the Admin Portal, go to Identity & Access Management > Setup > Connectors and click Add Connector.
  2. Enter the hostname of the new appliance and click Generate Activation Code.
  3. Copy the Activation Code.
  4. Point your browser to the new appliance using https and port 8443.
  5. The Activate Connector page should be displayed. Paste in the Activation Code and click Next.
  6. Go back to the Admin Portal > Identity & Access Management > Setup > Connectors. Find the new Connector and click Join Domain.
  7. Select Custom Domain and enter the domain name.
  8. Enter credentials that can join the domain and click Join Domain.
  9. On the Connectors tab, click the blue hostname link for the original Connector.
  10. Switch to the Auth Adapters tab and note which ones are enabled.
  11. Click each enabled adapter and note its settings.
  12. Back in the Connectors screen, click the blue link for the hostname of the new Connector.
  13. Switch to the Auth Adapters tab.
  14. Click the link for PasswordIdpAdapter.
  15. At the top, check the box next to Enable Password Adapter.
  16. Fill out the rest of the fields. In addition to the required fields, you also need to fill in the Server Port and the Base DN fields. It won’t work without those fields.
  17. Check the box next to Use DNS Service Location.
  18. Click Save. There’s no feedback if successful. After saving, refresh the page to make sure it stuck.
  19. Repeat for any other adapters that need to be enabled and configured.
  20. Go to Identity & Access Management > Manage > Identity Providers and click the blue link to edit the existing one.
  21. Scroll down to the Connector(s) section.
  22. In the Add a Connector drop-down, select the second connector, enter the passwords and click Add Connector. Click Save.
  23. Go back into the Identity Provider, scroll down and look in the IdP Hostname field. It should be the Load Balancing FQDN for your Identity Manager appliances. If not, change it and click Save.
  24. If you go back to Identity & Access Management > Setup > Connectors, notice that the 2nd connector is now enabled for Authentication.
  25. Note: only one Connector can perform directory sync. To change the configured Connector, see Enabling Directory Sync on Cloned Instance in the Event of a Failure at pubs.vmware.com.

Add to NetScaler

  1. In NetScaler, go to Traffic Management > Load Balancing > Servers and add a Server for the new appliance.

  2. Go to Traffic Management > Load Balancing > Service Groups and edit the existing Identity Manager Service Group.
  3. Bind a new Member and select the new appliance on Port 443. The rest of Load Balancing should already have been configured.

Multi-datacenter

For multi-datacenter, see Deploying VMware Identity Manager in Secondary Data Center with Active-Active Read-Only Capability at pubs.vmware.com.

  • The database in the primary datacenter is replicated to the secondary datacenter.
  • The Identity Manager appliances in the secondary datacenter have read-only connectivity to the database in the secondary datacenter.
  • Horizon 6 Connection Server groups are configured in failover order.
  • NetScaler GSLB or F5 GTM handles failover of the Identity Manager DNS name.

XenApp 6.5 Updates

This page contains a list of available XenApp 6.5 updates. It is not meant to be a comprehensive build procedure. Many of the updates are Limited Release and thus are only accessible to Citrix Partners and Citrix Support.

XenApp 6.5 Hotfix Rollup Pack 6

From CTX120842 Best Practices for Citrix XenApp Hotfix Rollup Pack Installation and Deployment: Citrix recommends the following order of deployment:

  • Zone data collector
  • Backup zone data collectors
  • Database connection server (Applies only to Resource Manager for XenApp 5 for Microsoft Windows Server 2003)
  • Primary farm metric server (Applies only to Resource Manager for XenApp 5 for Microsoft Windows Server 2003)
  • Backup farm metric server (Applies only to Resource Manager for XenApp 5 for Microsoft Windows Server 2003)
  • Member servers

To install a Hotfix Rollup Pack, do the following:

  1. Go to the downloaded Hotfix Rollup Pack 6, shift+right-click XA650W2K8R2X64R06.msp and click Copy as path.
  2. Run cmd.exe elevated.
  3. Right-click the command prompt and paste the path. Then press <Enter> to run it.

  4. In the Welcome to the Citrix XenApp 6.5 Hotfix Rollup Pack 6 Installation Wizard page, click Next.
  5. In the Citrix XenApp has been successfully configured page, click Close.
  6. Click OK when prompted to reboot.

XenApp 6.5 Hotfixes

Download post-R06 hotfixes from support.citrix.com by searching for XA650R06*.

If you have several hotfixes to install, create a script similar to the following to install the hotfixes automatically.

rem Apply every post-R06 XenApp 6.5 hotfix (.msp) found in the script's own folder, one at a time.
rem %~dp0 is the folder containing this script. /passive shows only a progress bar, /norestart
rem defers the reboot until all hotfixes are applied, and /l*v writes a verbose log per hotfix.
rem "delims=" keeps file names intact even if they contain spaces.
for /f "delims=" %%i in ('dir /b "%~dp0*650W2K8R2R06*.msp"') do (
  start /wait msiexec /p "%~dp0%%i" /passive /norestart /l*v "%temp%\%%i.log"
  timeout /t 3 /NOBREAK
)
pause

Then run the script elevated.

AppCenter 6.5.12

  1. Go to the downloaded Citrix AppCenter 6.5 Hotfix 12 (DSCXAMx650W012) and run XenAppMx.msi.
  2. If you see this message, click OK.
  3. After installation, in Programs and Features, Citrix XenApp Management will be shown as version 6.5.12.0.

XenApp Commands Hotfix 4

  1. Go to the downloaded XenApp Commands Hotfix 4 (DSCXACmd650WX64004) and run XenApp.Commands.Install_x64.msi.
  2. In the Please read the Citrix XenApp Commands License Agreement page, check the box next to I accept and click Install.
  3. If you see a Files in Use page, click OK.
  4. In the Completed the Citrix XenApp Commands Setup Wizard page, click Finish.
  5. Programs and Features lists Citrix XenApp Commands as version 6.5.4.1.

Citrix Group Policy Management 1.7.10

  1. Go to the downloaded Citrix Group Policy Management 1.7.10 (GPMx170WX64010) and run CitrixGroupPolicyManagement_x64.msi. It installs automatically.
  2. Programs and Features shows it as version 1.7.10.0.
  3. This update adds a new Citrix Policy setting at Computer > Server Settings > Graceful session logoff: ignore process. This is equivalent to LogoffCheckSysModules.

Uninstall Citrix Single Sign-on Console

If you have no desire to implement Citrix Single Sign-on then uninstall the console.

  1. Go to Programs and Features, right-click Citrix Single Sign-on Console and click Change.
  2. On the Application Maintenance page, select Remove and click Next.
  3. On the Citrix Single Sign-On Console Uninstall page, click Next.
  4. On the Citrix Single Sign-on Console 5.0 has been successfully uninstalled page, click Finish.

HDX WMI Provider Update 1

  1. Run Programs and Features, right-click Citrix HDX WMI Provider and click Uninstall. Notice that the version is currently 2.0.0.0.
  2. Go to the downloaded Citrix HDX WMI Provider Update 1 (HDXWMIPROV620W2K8R2X64001) and run CitrixHDXWMIProvider-x64.msi. It installs automatically.
  3. Programs and Features will now show it as version 2.0.1.0.

HDX MediaStream for Flash 2.0 Hotfix 8

  1. Run Programs and Features, right-click Citrix HDX MediaStream for Flash – Server and click Uninstall. Notice that the version is currently 2.0.0.0.
  2. Go to the downloaded HDXFlash200WX64008 and run CitrixHDXMediaStreamForFlash-ServerInstall-x64.msi.
  3. If you refresh Programs and Features, it now shows the version as 2.0.8.0.

Server Configuration Tool 1.2 Hotfix 3

  1. Go to the downloaded Server Configuration Tool 120.003 and run ServerConfigurationInstall.msi. It installs automatically without prompting.
  2. You can verify installation by looking in Programs and Features. Citrix XenApp Server Configuration Tool should be version 1.2.3.0.

Service Provider Automation Tools

  1. Run the downloaded CitrixAppDeliverySetupTools.exe.
  2. Click OK once installation is complete.
  3. Programs and Features lists Citrix App Delivery Setup Tools as version 1.0.2.300.

Citrix Receiver Enterprise 3.4 Update 5

  1. Run the downloaded Citrix Receiver Enterprise 3.4 Cumulative Update 5 (CitrixReceiverEnterprise.exe).
  2. On the Welcome to Citrix Receiver Setup page, click Install.
  3. Click Yes to reboot when prompted.
  4. Programs and Features lists Citrix Receiver (Enterprise) as version 13.4.500.4.

Offline Plug-in 6.7.5

  1. Go to the downloaded Offline Plug-in 6.7.5 and run CitrixOfflinePlugin.exe.
  2. In the Welcome to the Citrix Offline plug-in Setup page, click Next.
  3. In the License Agreement page, select I accept the license agreement and click Next.
  4. In the Client Upgrade Options page, click Next.
  5. Click OK if prompted that a reboot is required.
  6. In the Citrix Offline plug-in has been successfully installed page, click Finish.
  7. Click Yes when prompted to restart.
  8. Programs and Features lists Citrix Offline Plug-in as version 6.7.5.1.

Citrix Profile Management 5.2.1

  1. Go to the downloaded Profile Management 5.2.1 (ProfileMgmt-5.2.1) and run ProfileMgt520WX64001.msi.
  2. In the Welcome to the Citrix Profile management Setup Wizard page, click Next.
  3. In the End-User License Agreement page, check the box next to I accept the terms in the License Agreement and click Next.
  4. In the Destination Folder page, click Next.
  5. In the Ready to install Citrix Profile management page, click Install.
  6. In the Completed the Citrix Profile management Setup Wizard page, click Finish.
  7. Click Yes when prompted to restart.
  8. Programs and Features lists Citrix Profile Management as version 5.2.1.5020.

Universal Print Server Client 7.6 Hotfix 1

  1. Go to the downloaded Universal Print Server Client 7.6 Hotfix 1 and run UpsClient760WX64001.exe.
  2. In the License agreement page, check the box next to I accept the terms and click Install.
  3. In the Completed the Citrix Universal Print Client Setup Wizard page, click Finish.
  4. Programs and Features lists Citrix Universal Print Client as version 7.6.1.0.

Citrix Group Policy Client Side Extension 1.7 Hotfix 6

  1. Go to the downloaded Citrix Group Policy Client Side Extension 1.7 Hotfix 6 (GPCSExt170W28KR2X64006) and run CitrixCse_x64.msi. It installs without prompting.
  2. If you look in Programs and Features, it should show version 1.7.6.0.

EdgeSight 5.4 Agent Hotfix 6 for XenApp 6

  1. Make sure EdgeSight 5.4 Hotfix 4 (ES540ServerWX64004) is installed on the EdgeSight Server.
  2. Go to the downloaded EdgeSight 5.4 Agent Hotfix 6 for XenApp 6 and run EdgeSightXA6Agentx64.msi.
  3. In the Welcome to the EdgeSight for XenApp x64 Setup page, click Next.
  4. In the End-User License Agreement page, select I accept the terms in the License Agreement and click Next.
  5. In the Product Information page, enter the company name specified on the EdgeSight web server and click Next.
  6. The Agent Location page appears. If you are installing the EdgeSight Agent on a XenApp server that will be converted to a Provisioning Server vDisk, change the path for the data files so they reside on the cache disk (D:). If this is a normal XenApp server that boots from the C: drive, leave the data files in their default path. Click Next when done.
  7. In the Network Settings page, enter the name of your EdgeSight server and click Next.
  8. In the Ready to Install page, click Install.
  9. In the EdgeSight for XenApp x64 Setup Complete page, click Finish.
  10. Click Yes when prompted to reboot.
  11. Programs and Features displays the version as 5.4.20.35.
  12. Check out article http://support.citrix.com/article/ctx111062 for information on how to configure antivirus for the EdgeSight Agent. Do not skip this step.

Web Interface 5.4 Hotfix 2

Only run this on your Web Interface servers.

  1. Run the downloaded Web Interface 5.4 Hotfix 2 WebInterface.exe from WI540MSI002.
  2. In the Select Language page, click OK.
  3. In the Welcome to the Web Interface Installation Wizard page, click Next.
  4. In the License Agreement page, select I accept and click Next.
  5. In the Installation Location page, click Next.
  6. In the Location of Clients page, change the selection to Copy the clients to this computer. Then browse to the Citrix Receiver and Plug-ins folder on the XenApp 6.5 DVD and click Next.
  7. In the Ready to Install page, click Next.
  8. In the Web Interface Was Successfully Install page, click Finish.

Windows Server 2008 R2 Post-SP1 Hotfixes


These hotfixes are specific to Remote Desktop Session Host, group policies, printing, and the SMB redirector, and are not included in the normal Windows Update process. To get a hotfix, go to the Microsoft KB article’s webpage. There is a link at the top of the page that takes you to a form where you can request the hotfix.

Available Updates for Remote Desktop Services (Terminal Services) on Windows Server 2008 R2 Service Pack 1: https://support.microsoft.com/kb/2601888.

Citrix CTX129229 Recommended Hotfixes for XenApp 6.x on Windows Server 2008 R2. Scroll down to the Microsoft Hotfixes section.

Here is the list of hotfixes:


NetScaler Scripting


PowerShell

You can use any scripting language that supports REST calls. This section is based on PowerShell 3 and its Invoke-RestMethod cmdlet.

NetScalerPowerShell.zip contains PowerShell functions that use REST calls to configure a NetScaler appliance. It only takes a few seconds to wipe a NetScaler and configure it with almost everything detailed on this site. A glaring omission is file operations (licenses, certificate files, and customized monitor scripts); the PowerShell script assumes these files are already present on the appliance.

Most of the functions should work on 10.5 and 11.0 with a few obvious exceptions like RDP Proxy. Here are some other differences between 10.5 and 11.0:

  • PUT operations in NetScaler 11 do not need an entity name in the URL; NetScaler 10.5 requires the entity name in every PUT URL.
  • https URLs for REST calls work without issue in NetScaler 11, but NetScaler 10.5 returned inconsistent errors over https. http works without issue in NetScaler 10.5.
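An added PowerShell 3 example (not the functions in NetScalerPowerShell.zip) showing the Invoke-RestMethod pattern the script relies on: a Nitro login that keeps the session cookie, a PUT wrapper that puts the entity name in the URL only for 10.5, and a logout. The resource names (login, logout, lbvserver), the JSON body shapes and the address ns01.example.local are assumptions taken from the Nitro API documentation, not from the page; check them against the documentation on your appliance's Downloads tab.

```powershell
# Added example, not part of NetScalerPowerShell.zip. Nitro resource names, body
# shapes and the appliance address below are assumptions; verify them against the
# Nitro API Documentation on the appliance's Downloads tab.

function Connect-NetScaler {
    # Logs in with POST /nitro/v1/config/login and returns a WebRequestSession that
    # holds the NITRO_AUTH_TOKEN cookie for later calls. Use https where the firmware
    # supports it (11.0 per the note above) because the login body carries the password.
    param(
        [Parameter(Mandatory)][string]$Address,          # e.g. https://ns01.example.local (placeholder)
        [Parameter(Mandatory)][pscredential]$Credential  # from Get-Credential; never hardcode nsroot
    )
    $body = @{ login = @{
        username = $Credential.UserName
        password = $Credential.GetNetworkCredential().Password
    } } | ConvertTo-Json -Depth 3
    # Older builds may insist on application/vnd.com.citrix.netscaler.login+json (assumption).
    $null = Invoke-RestMethod -Method Post -Uri "$Address/nitro/v1/config/login" `
        -Body $body -ContentType 'application/json' -SessionVariable session
    return $session
}

function Disconnect-NetScaler {
    # Invalidates the session token on the appliance so it cannot be reused.
    param([string]$Address, $Session)
    $null = Invoke-RestMethod -Method Post -Uri "$Address/nitro/v1/config/logout" `
        -Body (@{ logout = @{} } | ConvertTo-Json) -ContentType 'application/json' -WebSession $Session
}

function Set-NitroResource {
    # Updates attributes of an existing object with PUT. The only difference between the
    # two firmware versions is the URL: 10.5 needs /<type>/<name>, while 11.0 identifies
    # the object by the 'name' attribute in the JSON body alone.
    param(
        [Parameter(Mandatory)][string]$Address,
        [Parameter(Mandatory)]$Session,
        [Parameter(Mandatory)][string]$ResourceType,    # e.g. 'lbvserver'
        [Parameter(Mandatory)][string]$Name,            # value of the object's name attribute
        [Parameter(Mandatory)][hashtable]$Properties,   # attributes to change
        [ValidateSet('10.5','11.0')][string]$Version = '11.0'
    )
    $uri = "$Address/nitro/v1/config/$ResourceType"
    if ($Version -eq '10.5') { $uri += "/$Name" }
    $payload = @{ name = $Name } + $Properties
    $body = @{ $ResourceType = $payload } | ConvertTo-Json -Depth 4
    Invoke-RestMethod -Method Put -Uri $uri -Body $body -ContentType 'application/json' -WebSession $Session
}

# Usage: set the comment on an existing load balancing vserver (all names are placeholders).
$ns   = 'https://ns01.example.local'
$cred = Get-Credential -Message 'NetScaler account with configuration rights'
$s    = Connect-NetScaler -Address $ns -Credential $cred
try {
    Set-NitroResource -Address $ns -Session $s -ResourceType 'lbvserver' `
        -Name 'lb_vsrv_storefront' -Properties @{ comment = 'configured by script' } -Version '11.0'
}
finally {
    Disconnect-NetScaler -Address $ns -Session $s
}
```

The same Set-NitroResource call with -Version '10.5' produces the /lbvserver/lb_vsrv_storefront URL that 10.5 requires, so a script can target either firmware by changing one parameter.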

Nitro REST API Documentation

NetScaler Nitro REST API documentation can be found on any NetScaler by clicking the Downloads tab. The documentation is updated whenever you upgrade your firmware. 

Look for the Nitro API Documentation.

Extract the files and then launch index.html.

Start by reading the Getting Started Guide and then expand the Configuration node to see detailed documentation for every REST call.

VMware vRealize Operations for Horizon



Download Files

  1. Go to the download page for vRealize Operations for Horizon 6.2.0.
  2. Near the bottom of the page, download vRealize Operations Manager 6.1.0 Virtual Appliance.
  3. Download the vRealize Operations for Horizon Adapter.
  4. Download the vRealize Operations for Horizon Broker Agent 64-Bit.
  5. Download the vRealize Operations for Horizon Desktop Agent.

Deploy Appliance

  1. In vSphere Web Client, navigate to the vCenter object, right-click it and click Deploy OVF Template.
  2. In the Select Source page, select Local file, browse to the vRealize Operations 6.1.0 .ova file, and click Next.
  3. In the Review details page, click Next.
  4. In the Accept EULAs page, click Accept, and then click Next.
  5. In the Select name and folder page, enter a name for the appliance, select a folder, and click Next.
  6. In the Deployment Configuration page, select a size and then click Next.
  7. In the Select a resource page, select a cluster and then click Next.
  8. In the Storage page, select Thin Provision, select a datastore and then click Next.
  9. In the Setup networks page, select a port group and click Next.
  10. In the Customize template page, select a time zone.
  11. Expand Networking Properties.
  12. Enter the IP address information for the appliance. Then click Next.
  13. In the Ready to Complete page, check the box next to Power on after deployment and then click Finish.

Create Cluster

  1. Wait for the appliance to start.
  2. Use a browser to go to https://IPAddress/admin. If you see a Service unavailable message, wait a couple of minutes and try again.
  3. You might also see this message. Try again.
  4. On the bottom of the page, click New Installation.
  5. In the Getting Started page, click Next.
  6. In the Set Administrator Password page, enter a password based on the listed requirements. Click Next.
  7. In the Choose Certificate page, you can upload a PEM certificate.

    The certificate file must have a .pem extension; no other extension is accepted. Also, make sure the PEM file contains both the certificate and its private key. If there are intermediate Certificate Authorities, add them to the PEM file too. Click Next when done.
  8. In the Deployment Settings page, enter a name for the master node.
  9. Enter a NTP Server Address and click Add. Then click Next.
  10. In the Ready to Complete page, click Finish.

Start Cluster

  1. From the https://IPAddress/admin page, click Start vRealize Operations Manager.
  2. Click Yes. This will take several minutes.
  3. Log into the appliance.
  4. On the Welcome page, click Next.
  5. In the Accept EULA page, check the box next to I accept the terms and click Next.
  6. In the Enter Product License Key page, enter the vRealize Operations license key, click Validate License Key and click Next. Note: there is a separate license for vROps for Horizon that will be entered later.
  7. In the Customer Experience Improvement Program page, make a choice and click Next.
  8. In the Ready to Complete page, click Finish.

Configure vSphere Adapter

  1. Login to the appliance.
  2. Go to Administration > Solutions.
  3. Highlight the VMware vSphere Solution and click the Configure button in the toolbar.
  4. In the Configure adapters page, highlight the vCenter Adapter.
  5. On the bottom, enter a name for the vCenter adapter.
  6. Enter the address of the vCenter server.
  7. Click the plus icon to add a Credential.
  8. Enter credentials for the vCenter server and click OK.
  9. Click Test Connection.
  10. Click OK to accept the certificate.
  11. Click OK to acknowledge that the test was successful.
  12. If desired, click Advanced Settings and select a vRealize Operations appliance to run the adapter on.
  13. Click Save Settings when done.
  14. Click OK to acknowledge that registration was successful.
  15. Highlight the vCenter Python Actions Adapter.
  16. On the bottom, enter a name for the adapter.
  17. Enter the address for the vCenter server.
  18. Click the green plus icon to add a credential.
  19. Enter credentials to login to vCenter and click OK. The actions will run as this account.
  20. Click Test Connection.
  21. Click OK to accept the certificate.
  22. Click OK to acknowledge that the test was successful.
  23. Click Save Settings.
  24. Click OK to acknowledge that the adapter instance was successfully saved.
  25. Click Next.
  26. In the Define monitoring goals page, make your selections and click Next.
  27. In the Ready to Complete page, click Finish.
  28. Note: it takes four weeks for vRealize Operations to determine dynamic thresholds.
  29. Additional adapters can be downloaded from VMware Solution Exchange – https://solutionexchange.vmware.com/store


vSphere SSON

  1. In the vRealize Operations console, go to Administration > Authentication Sources.
  2. On the right, click the green plus icon.
  3. Enter a display name.
  4. From the Source Type drop-down select SSO SAML.
  5. Enter the FQDN of Platform Services Controller.
  6. Enter credentials of an account that is in the Single Sign-on Admins group.
  7. Select Grant administrator role to vRealize Operations Manager for future configuration.
  8. Click Test.
  9. Check the box to Accept this Certificate and click OK.
  10. Click OK to acknowledge that the test was successful.
  11. Click OK.
  12. The Import User Groups wizard launches automatically. In the Import User Groups page, enter a group name, click Search, and then select the group. Click Next.
  13. On the Roles and Objects page, from the Select Role drop-down select Administrator.
  14. Check the box next to Assign this role to the group.
  15. Check the box next to Allow access to all objects in the system. Click Finish.
  16. You can now login using a vCenter Single Sign-on account.

Session Timeout

  1. The vRealize Operations webpage defaults to a 30 minute session timeout. To change it, go to Administration > Global Settings and click the pencil icon.
  2. The maximum value for Session Timeout is 34560. Click OK.

Alerting

  1. In vRealize Operations console, go to Administration > Outbound Settings.
  2. On the right, click the green plus icon.
  3. From the Plugin Type drop-down select Standard Email Plugin.
  4. Give the Instance a name.
  5. Enter the SMTP information and click Test.
  6. Click OK to acknowledge that the test was successful.
  7. Then click Save.
  8. You can then go to Content > Notifications and create notifications.
  9. Give the rule a name.
  10. For Method, select the Standard Email Plugin and the instance you created earlier.
  11. Enter recipients.
  12. Select Triggers and Criticality. Click Save.

Install Horizon Adapter PAK File

  1. Login to the vRealize Operations appliance web page.
  2. Go to Administration > Solutions.
  3. On the right, click the green plus icon.
  4. In the Select Solution page, click Browse.
  5. Browse to VMware-vcops-viewadapter-6.2.0…pak and select it.
  6. Click Upload.
  7. Click Next.
  8. In the End User License Agreement page, check the box next to I accept the terms and click Next.
  9. In the Install page, click Finish.

Operations for Horizon Licensing

  1. In the vRealize Operations web page, go to Administration > Licensing.
  2. On the right, click the green plus icon.
  3. Select VMware Horizon.
  4. Enter the vROps for Horizon license key and click Validate. Note: this key is different than the vRealize Operations key.
  5. Click Save.

Configure Horizon Adapter

Here are some guidelines regarding the Horizon adapter:

  • You can only have one Horizon adapter per vRealize Operations appliance.
  • Each adapter can handle up to 10,000 virtual desktops.
  • Multiple Horizon pods can point to a single adapter.

Do the following to create and configure a Horizon adapter:

  1. In vRealize Operations Manager, go back to Administration > Solutions.
  2. On the right, highlight the VMware Horizon adapter and click the Configure icon.
  3. On the top part, highlight the Horizon Adapter.
  4. On the bottom, give the adapter a Display Name and an Adapter ID.
  5. Click the green plus icon to add a credential.
  6. Give the credential a name. Enter a new password (shared key) and click OK. You’ll use this password later.
  7. Click Test Connection.
  8. Click OK to acknowledge that the test was successful.
  9. On the bottom right, click Save Settings.
  10. Click OK.
  11. Then click Close.

Enable SSH

VMware Knowledgebase article – Enabling SSH access in vRealize Operations Manager 6.0.x (2100515):

  1. Log in to the vRealize Operations Manager virtual machine console as root.
  2. Press Alt+F1 and login as root.
    Note: By default there is no root password configured.
  3. Start the SSH service by running the command:
    service sshd start
  4. To configure SSH to start automatically run this command:
    chkconfig sshd on

Appliance Firewall for Horizon Adapter

  1. Login as root to the CLI of the appliance using SSH or the virtual machine console.
  2. Use vi to edit the file /opt/vmware/etc/vmware-vcops-firewall.conf.
  3. Look for the TCPPORTS line that adds 3091:3094. Right below that line, add a new line containing TCPPORTS="$TCPPORTS 3099:3101". In vi, press i to enter insert mode and then press <Esc> to exit insert mode.
  4. Enter :wq to save the file and exit.
  5. Run /etc/init.d/vmware-vcops-firewall restart.
  6. If you have vRealize Operations for Horizon Desktop Agents that are older than 6.2, then you’ll need to enable TLS 1.0 by editing the properties file. See Create an Instance of the Horizon Adapter at pubs.vmware.com for more information.
  7. If you have more than 1,000 Desktop Agents, see VMware KB article 2096607 Adjusting the ARP cache on a vRealize Operations Manager remote collector node.

Install Horizon Broker Agent

  1. Login to one View Connection Server in your pod. Only install the Broker Agent on one View Connection Server in each pod.
  2. Run the downloaded VMware-v4vbrokeragent-x86_64-6.2.0.exe as administrator.
  3. In the Welcome to the VMware vRealize Operations for Horizon Broker Agent Setup Wizard page, click Next.
  4. In the End-User License Agreement page, check the box next to I accept the terms and click Next.
  5. In the Ready to install the Broker Agent page, click Install.
  6. In the Completed the VMware vRealize Operations for Horizon Broker Agent Setup Wizard page, click Finish.

Configure Horizon Broker Agent

  1. The Configuration tool will appear immediately after installation. Or launch vRealize Operations View Broker Agent Settings from the Start Menu.
  2. In the Pair Adapter page, enter the IP address of the vRealize Operations appliance, enter 3091 for the port, enter the adapter password, and click Pair.
  3. After broker pairing is successful, click Next. If this doesn’t work, make sure the firewall ports are opened on the vRealize Operations appliance.
  4. In the View Connection Server page, enter credentials for View and click Test.
  5. Then click Next.
  6. In the Event DB and Desktop page, enter the SQL credentials to access the Events database and click Test.
  7. Then click Next.
  8. In the Intervals and Timeouts page, click Next.
  9. In the Configure the Logging parameters page, click Next.
  10. In the Broker Agent Service page, click Start. Then click Next.
  11. In the Review changes page, click Finish.
  12. In the vRealize Operations web console, from the Home page, you can view the Horizon Adapter Self Health dashboard to verify that the adapter and broker agent are functional.

Desktop Agent

Horizon Agent 6.2.1 comes with vRealize Operations for Horizon Desktop Agent. However, the Desktop Agent downloaded with vRealize Operations for Horizon 6.2 seems to be slightly newer. Install the Desktop Agent on every Horizon Agent machine.

  1. Run the downloaded vRealize Operations for Horizon Desktop Agent 6.2 (VMware-v4vdeskopagent-x86_64-6.2.0.exe).
  2. In the Welcome to the VMware vRealize Operations for Horizon Desktop Agent Setup Wizard page, click Next.
  3. In the End-User License Agreement page, check the box next to I accept the terms in the License Agreement and click Next.
  4. In the Ready to install the Desktop Agent page, click Install.
  5. In the Completed the VMware vRealize Operations for Horizon Desktop Agent Setup Wizard page, click Finish.
  6. If you go to C:\Program Files\VMware\VMware View\Agent\bin and view the properties of the v4pa_agent.exe file, then you’ll see the installed version of the Desktop Agent.


Delivery Controller 7.7



Preparation

Citrix Licensing – If you are going to use an existing Citrix Licensing Server, upgrade it to 11.13.1 build 15004.

SQL Database

  • Citrix blog post – Database Sizing Tool for XenDesktop 7
  • Citrix article CTX114501 – Supported Databases for Citrix Products
  • Citrix recommends SQL Mirroring because it has the fastest failover.
    • SQL Mirroring requires two SQL Standard Edition servers and one SQL Express for the witness server.
    • If you try to stretch the mirror across datacenters, the SQL witness must be placed in a third datacenter that has connectivity to the other two datacenters. However, stretching a single XenApp/XenDesktop site/farm and corresponding SQL mirror across datacenters is not recommended.
    • To setup SQL Mirroring, see Adam Shattuck: XenDesktop 7.6 – enterprise level setup guide (SQL server setups)
  • AlwaysOn Availability Groups and SQL Clustering are also supported. However, these features require the much more expensive SQL Enterprise Edition.
  • If you want Studio to create the SQL databases automatically, then the person running Studio must be a sysadmin on the SQL instances. No lesser role will work. As an alternative, you can use Studio to create SQL scripts and then run those scripts on the SQL server. In that case you only need the dbcreator and securityadmin roles.
  • It is possible to create the databases in advance. However, you must use the non-default Latin1_General_CI_AS_KS collation. After creating the database, mirror it. Then use Citrix Studio to configure the database tables.
  • There are typically three databases: one for the site (aka farm), one for Logging (audit log) and one for Monitoring (Director, and formerly known as EdgeSight). Create all three databases in advance and mirror them.
  • The monitoring database name must not have any spaces in it. See CTX200325 – Database Naming Limitation when Citrix Director Accesses Monitoring Data Using OData APIs

Windows Features

  • Installing Group Policy Management on the Delivery Controller lets you edit GPOs and have access to the Citrix Policies node in the GPO Editor. Or you can install Studio on a different machine that has GPMC installed.
  • vSphere Web Client – if you will connect to vSphere Web Client from the Controller machine, Flash Player is only available for IE if you install the Desktop Experience feature. Or you can use Google Chrome.

vSphere

Delivery Controller Install

  1. To setup SQL Mirroring, see Adam Shattuck: XenDesktop 7.6 – enterprise level setup guide (SQL server setups)
  2. A typical size for the Controller VMs is 2-4 vCPU and 8 GB of RAM.
  3. On two Delivery Controllers, install the Delivery Controller software from the XenApp/XenDesktop 7.7 media. Download it from XenApp Enterprise, XenApp Platinum, XenDesktop Enterprise, or XenDesktop Platinum, depending on your license. Go to the downloaded XenDesktop 7.7 ISO and run AutoSelect.exe.
  4. Click Start next to either XenApp or XenDesktop. The only difference is the product name displayed in the installation wizard.
  5. On the left, click Delivery Controller.
  6. You can install all components on one server or on separate servers. Splitting them out is only necessary in large environments or if you want to share the components (e.g. Licensing, StoreFront, Director) across multiple farms.
  7. In the Features page, uncheck the box next to Install Microsoft SQL Server 2012 SP1 Express and click Next.
  8. In the Summary page, click Install.
  9. In the Installation Successful page, click Finish. Studio will automatically launch.
  10. Ensure the two Controller VMs do not run on the same hypervisor host. Create an anti-affinity rule.

Create Site

There are several methods of creating the databases for XenApp/XenDesktop:

  • If you have sysadmin permissions to SQL, let Citrix Studio create the databases automatically.
  • If you don’t have sysadmin permissions to SQL then use Citrix Studio to generate SQL scripts and send them to a DBA.

Database Mirroring

If you are not using database mirroring then skip to the next section.

Citrix CTX127359 – How to Configure XenDesktop for SQL Database Mirroring: To configure a XenDesktop site for use with a mirrored SQL Server database, complete the following steps:

  1. Create an empty database on the principal with the Latin1_General_CI_AS_KS collation sequence.
  2. Configure the mirror and witness to start mirroring. For more information, see: http://technet.microsoft.com/en-us/library/ms189047.aspx.
  3. Use Citrix Studio in one of the following two ways:
    1. Create the database automatically; mirroring is detected without user intervention.
    2. Create the database manually; two scripts are generated: one to be executed on the principal and one to be executed on the mirror. If you are executing the scripts using SQL Server Management Studio, enable the SQLCMD mode before executing the scripts. After executing the scripts, test the database connection by clicking Test connection and continue through the remainder of the wizard.

To verify mirroring after the wizard has completed, run the PowerShell cmdlet get-configdbconnection and ensure that the Failover Partner has been set in the connection string to the mirror.

Use Studio to Create Database Scripts

  1. Launch Citrix Studio. After it loads, click Deliver applications and desktops to your users.
  2. In the Introduction page, select An empty, unconfigured site. This reduces the number of pages in this Setup wizard. The other pages will be configured later.
  3. Enter a Site Name (aka farm name) and click Next. Only administrators see the farm name.
  4. In the Databases page, change the selection to Generate scripts to manually set up databases on the database server.
  5. Change the database names if desired.
  6. If you are building two Controllers, click Select near the bottom of the same page.
  7. Click Add.
  8. Enter the FQDN of the second Controller and click OK. Note: the Delivery Controller software must already be installed on that machine.
  9. Then click Save.
  10. If you hover your mouse over 2 selected, it will show both Controllers. Click Next.
  11. In the Summary page, click Generate scripts.
  12. A folder will open with six scripts. Edit each of the scripts.
  13. Near the top of each script are two lines to create the database. Uncomment both lines (including the go line). Then save and close the file.

  14. Once all of the scripts are edited you can send them to your DBA.
  15. On the Principal SQL Server, open the file Site_Principal.sql.

  16. Open the Query menu and click SQLCMD Mode.
  17. Then execute the script.
  18. If SQLCMD mode was enabled properly then the output should look something like this:
  19. If you have a mirrored database, run the second script on the mirror SQL instance. Make sure SQLCMD mode is enabled.


  20. Repeat for the Logging_Principal.sql script.
  21. You’ll have to enable SQLCMD Mode for each script you open.


  22. Repeat for the Monitoring_Principal.sql script.
  23. Once again enable SQLCMD Mode.


  24. The person running Citrix Studio must be added to the SQL Server as a SQL Login and granted the public server role.

  25. Back in Citrix Studio, click the Continue database configuration and Site setup button.
  26. In the Database page, enter the SQL server name and instance name and click Next.

  27. On the Licensing page, enter the name of the Citrix License Server and click Connect.
  28. XenApp/XenDesktop 7.7 requires the newest Licensing Server. If your server isn’t compatible, leave it set to localhost and fix it later.
  29. If the Certificate Authentication appears, select Connect me and click Confirm.
  30. Then select your license and click Next.
  31. In the Summary page, make your selection for Customer Experience Improvement Program and click Finish.
  32. It will take some time for the site to be created.

Verify Database Mirroring

If your database is mirrored, when you run get-brokerdbconnection, you’ll see the Failover Partner in the database connection string.
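An added PowerShell example (not from the page or from Citrix) that extends the get-configdbconnection and get-brokerdbconnection checks above to every configured service on the Controller, parsing each connection string instead of eyeballing it for a Failover Partner. It assumes the Citrix PowerShell snap-ins installed with Studio are present; the list of service prefixes is an assumption, so trim it to what your site runs.

```powershell
# Added example; not part of the page's procedure or of the Citrix SDK.
# Loads the Citrix snap-ins installed with Studio (assumption: Studio is on this Controller).
Add-PSSnapin Citrix.* -ErrorAction SilentlyContinue

function Test-CitrixDbMirroring {
    # For each service prefix, calls Get-<Prefix>DBConnection (the cmdlet family that
    # includes Get-ConfigDBConnection and Get-BrokerDBConnection) and reports whether
    # the returned connection string names a Failover Partner, i.e. a mirror.
    param(
        # Service prefixes to query; an assumed subset of the 7.x services.
        [string[]]$Services = @('Config', 'Broker', 'Log', 'Monitor')
    )
    foreach ($svc in $Services) {
        $cmdlet  = "Get-${svc}DBConnection"
        $connStr = & $cmdlet
        if ([string]::IsNullOrEmpty($connStr)) {
            [pscustomobject]@{
                Service = $svc; Server = $null; Database = $null
                FailoverPartner = $null; Mirrored = $false
                Note = 'no connection string; service not configured on this Controller?'
            }
            continue
        }
        # SqlConnectionStringBuilder parses the string, so no regex on "Failover Partner=".
        $b = New-Object System.Data.SqlClient.SqlConnectionStringBuilder $connStr
        [pscustomobject]@{
            Service         = $svc
            Server          = $b.DataSource
            Database        = $b.InitialCatalog
            FailoverPartner = $b.FailoverPartner
            Mirrored        = -not [string]::IsNullOrEmpty($b.FailoverPartner)
            Note            = ''
        }
    }
}

# Any row with Mirrored = False for a database you believe is mirrored means Studio
# did not detect the mirror and the connection string needs to be corrected.
Test-CitrixDbMirroring | Format-Table -AutoSize
```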

Second Controller

There are several methods of adding a second Controller to the databases for XenApp/XenDesktop:

  • If you have sysadmin permissions to SQL, let Citrix Studio modify the databases automatically.
  • If you don’t have sysadmin permissions to SQL then use Citrix Studio to generate SQL scripts and send them to a DBA.

To use Citrix Studio to create the SQL Scripts:

  1. On the 1st Delivery Controller, if StoreFront is installed, delete the default StoreFront store (/Citrix/Store) and recreate it with your desired Store name (e.g. /Citrix/CompanyStore).
  2. On the 2nd Delivery Controller, install XenDesktop as detailed earlier.
  3. After running Studio, click Connect this Delivery Controller to an existing Site.
  4. Enter the name of the first Delivery Controller and click OK.
  5. If you don’t have elevated SQL permissions, click No when asked if you want to update the database automatically.
  6. Click Generate scripts.
  7. A folder will open with six scripts. If not mirroring, then the top three scripts need to be sent to a DBA. If mirroring, send all six.
  8. On the SQL Server, open one of the .sql files.

  9. Open the Query menu and click SQLCMD Mode.
  10. Then execute the XenDesktop script.
  11. If SQLCMD mode was enabled properly then the output should look something like this:
  12. Back in Citrix Studio, click OK.
  13. In the Studio, under Configuration > Controllers, you should see both controllers.
  14. You can also test the site again if desired.

Studio – Slow Launch

From B.J.M. Groenhout at Citrix Discussions: The following adjustments can be made if Desktop Studio (and other Citrix management Consoles) will start slowly:

  • Within Internet Explorer, go to Tools – Internet Options – Tab Advanced – Section Security and uncheck the option Check for publisher’s certificate revocation

After adjustment Desktop Studio (MMC) will be started immediately. Without adjustment it may take some time before Desktop Studio (MMC) is started.

Registry setting (can be deployed using Group Policy Preferences):

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
    • "State"=dword:00023e00

Database Maintenance

View Logging Database

To view the contents of the Logging Database, in Studio, click the Logging node. On the right is Create Custom Report. See Citrix article CTX138132 Viewing Configuration Logging Data Not Shown for more info.

Enable Read-Committed Snapshot

The XenDesktop Database can become heavily utilized under load in a large environment. Therefore Citrix recommends enabling the Read_Committed_Snapshot option on the XenDesktop databases to remove contention on the database from read queries. This can improve the interactivity of Studio and Director. It should be noted that this option may increase the load on the tempdb files. See Citrix article CTX137161 How to Enable Read-Committed Snapshot in XenDesktop for configuration instructions.

Change Database Connection Strings

Sometimes the database connection strings need to be modified:

  • When moving the SQL databases to a different SQL server
  • When enabling mirroring after the databases have already been configured in Studio.

Citrix blog post Updating Database Connection Strings in XenDesktop 7.x has PowerShell scripts to update the database connection strings.

Director Grooming

If XenDesktop is not Platinum Edition then all historical Director data is groomed at 7 days.

For XenDesktop/XenApp Platinum Edition, by default, most of the historical Director data is groomed at 90 days. This can be adjusted up to 367 days by running a PowerShell applet.

  1. On a Delivery Controller, run PowerShell and run asnp Citrix.*

  2. Run Get-MonitorConfiguration to see the current grooming settings.
  3. Run Set-MonitorConfiguration to change the grooming settings.
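The grooming steps above, written out as an added PowerShell example (this is not code from the original page). It assumes the Citrix snap-ins present on every Delivery Controller and an elevated session; the two parameter names used are the ones reported by Get-MonitorConfiguration on 7.x, so compare them with your own output before running Set-MonitorConfiguration.

```powershell
# Added example: read and adjust Director grooming retention on a Delivery Controller.
# Assumes the Citrix snap-ins (installed with the Controller) and an elevated session.
Add-PSSnapin Citrix.*

# Current retention values. On a non-Platinum Site everything is fixed at 7 days,
# so the Set call below has no effect there.
$before = Get-MonitorConfiguration
$before | Format-List Groom*RetentionDays

# Platinum only: keep session and failure history for the maximum the page states (367 days).
# Parameter names as reported by Get-MonitorConfiguration on 7.x; verify on your release.
Set-MonitorConfiguration -GroomSessionsRetentionDays 367 `
                         -GroomFailuresRetentionDays 367

# Re-read and show before/after so the change is visible in the transcript.
$after = Get-MonitorConfiguration
foreach ($name in 'GroomSessionsRetentionDays', 'GroomFailuresRetentionDays') {
    "{0}: {1} -> {2}" -f $name, $before.$name, $after.$name
}
```

Raising retention grows the Monitoring database, so check free space on the SQL server before extending it to a full year.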

Studio Administrators

Full Administrators

  1. In the Studio, under Configuration, click the Administrators node. The first time you access the node you’ll see a Welcome page. Feel free to check the box and then click Close.
  2. On the Administrators tab, right-click and click Create Administrator.
  3. In the Administrator and Scope page, specify a group (e.g. Citrix Admins or Help Desk) that will have permissions to Studio and Director. Click Next.
  4. On the Role page, select a role and then click Next. For example:
    • Full Administrator for the Citrix Admins group
    • Help Desk Administrator for the Help Desk group
    • Machine Catalog Administrator for the desktop team
  5. In the Summary page, click Finish.

Help Desk

  1. In the Studio, under Configuration, click the Administrators node. On the Administrators tab, right-click and click Create Administrator.
  2. In the Administrator and Scope page, specify a Help Desk group that will have permissions to Studio and Director. Click Next.
  3. On the Role page, select the Help Desk Administrator role and then click Next.
  4. In the Summary page, click Finish.
  5. When administrators in the Help Desk role log into Director, all they see is this.

    To jazz it up a little, add the Help Desk group to the read-only role.
  6. Right-click the Help Desk Administrator and click Edit Administrator.
  7. Click Add.
  8. In the Scope page, select a scope and click Next.
  9. In the Role page, select Read Only Administrator and click Next.
  10. In the Summary page, click Finish.
  11. Then click OK. Now Director will display the dashboard.

Provisioning Services w/Personal vDisk

From Citrix docs.citrix.com: The Provisioning Services Soap Service account must be added to the Administrator node of Studio and must have the Machine Administrator or higher role. This ensures that the PvD desktops are put into the Preparing state when the Provisioning Services (PVS) vDisk is promoted to production.

vCenter Connection

XenDesktop uses an Active Directory service account to log into vCenter. This account needs specific permissions in vCenter. To facilitate assigning these permissions, create a new vCenter role and assign it to the XenDesktop service account. The permissions should be applied at the datacenter or higher level.

Import vCenter Certificate

If you replaced the certificates on your vCenter server, then skip this section.

If vCenter is using a self-signed certificate, in order for Delivery Controller to trust the vCenter certificate, you must import the vCenter certificate on both Delivery Controllers.

  1. Open a browser and connect to your vCenter Server.
  2. Click the padlock and then view the certificate.
  3. On the Details tab, click Copy to File.
  4. Save the certificate in any format.

  5. On each Delivery Controller, run mmc.exe. Open the File menu and click Add/Remove Snap-in. If your server is Windows Server 2012 R2 or newer, you can skip a few steps by running certlm.msc.
  6. Move the Certificates snap-in to the right by highlighting it and clicking Add.
  7. Select Computer account and click Next.
  8. Select Local computer and click Finish.
  9. Click OK.
  10. After adding the snap-in, right-click the Trusted People node, expand All Tasks and click Import.
  11. In the Welcome to the Certificate Import Wizard page, click Next.
  12. In the File to Import page, browse to the certificate file you exported earlier. Click Next.
  13. In the Certificate Store page, click Next.
  14. In the Completing the Certificate Import Wizard page, click Finish.
  15. Click OK to acknowledge that the import was successful.
  16. Repeat these steps on the second Controller. It is important that you do both Controllers before adding the vCenter connection.
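The same import done from PowerShell, as an added example that is not part of the original page. It pulls the certificate vCenter presents on port 443, shows the thumbprint so it can be compared against the value displayed on the vCenter appliance before anything is trusted, and then adds it to Trusted People on every Controller through a remoting session. Host names are placeholders; the script uses the .NET certificate store directly, so it does not need the PKI module or a file share.

```powershell
# Added example: fetch the vCenter certificate and import it into Trusted People on all Controllers.
$vcenter     = 'vcenter01.corp.local'                    # placeholder
$controllers = 'ddc01.corp.local', 'ddc02.corp.local'    # placeholders

# Retrieve the leaf certificate over TLS. The callback accepts anything here because
# the goal is to read the certificate, not to trust it yet.
$tcp = New-Object System.Net.Sockets.TcpClient($vcenter, 443)
$cb  = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $cb)
$ssl.AuthenticateAsClient($vcenter)
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$ssl.Dispose(); $tcp.Close()

"Subject    : $($cert.Subject)"
"Issuer     : $($cert.Issuer)"
"Thumbprint : $($cert.Thumbprint)"
"Expires    : $($cert.NotAfter)"

# Trust-on-first-use is only safe if the thumbprint is checked out of band.
Read-Host 'Compare the thumbprint with the one shown on vCenter, then press Enter to import (Ctrl+C to abort)'

$der = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)

foreach ($ddc in $controllers) {
    Invoke-Command -ComputerName $ddc -ArgumentList (,$der) -ScriptBlock {
        param([byte[]]$bytes)
        $c     = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(,$bytes)
        $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('TrustedPeople', 'LocalMachine')
        $store.Open('ReadWrite')
        $store.Add($c)          # no-op if the certificate is already present
        $store.Close()
        "{0}: {1} is in Trusted People" -f $env:COMPUTERNAME, $c.Thumbprint
    }
}
```

Run it once from any management host with WinRM access to both Controllers; because every Controller is handled in the same loop, the "do both Controllers first" rule in step 16 is satisfied before the hosting connection is created.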

Hosting Resources

A Hosting Resource = vCenter + Cluster (Resource Pool) + Storage + Network. When you create a machine catalog, you select a previously defined Hosting Resource and the Cluster, Storage, and Network defined in the Hosting Resource object are automatically selected. If you need some desktops on a different Cluster+Storage+Network then you’ll need to define more Hosting Resources in Studio.

  1. In Studio, expand Configuration and click Hosting. Right-click it and click Add Connection and Resources.
  2. In the Connection page, select VMware vSphere as the Host type.
  3. Enter https://vcenter01.corp.local/sdk as the vCenter URL. The URL must contain the FQDN of the vCenter server. If the vCenter certificate is self-signed, ensure it is added to the Trusted People certificate store on all Delivery Controllers. Ensure the entered URL has /sdk on the end.
  4. Enter credentials of a service account. Click Next.
  5. Enter a name for the hosting resource. Since each hosting resource is a combination of vCenter, Cluster, Network, and Datastore, include those names in this field (e.g. vCenter01-Cluster01-Network01-Datastore01).
  6. In the Cluster page, click Browse and select a cluster or resource pool.
  7. Select a network and click Next.
  8. On the Storage page, select a datastore for the virtual machines. Maximum flexibility is achievable if you only select one datastore per hosting resource. Create additional hosting resources for each datastore.
  9. If desired, change the selection for personal vDisk to use a different storage. Click Next.
  10. In the Summary page, click Finish.

Citrix Director

Director on Standalone Server

If you are installing Director 7.7 on a standalone server, see Citrix CTX142260 Installing or Upgrading to Citrix Director 7.6.200

  1. If you intend to install Director on a standalone server, start with running AutoSelect.exe from the XenApp/XenDesktop 7.7 media.
  2. On the right, click Citrix Director.
  3. It will ask you for the location of one Controller in the farm. Then finish the installation wizard.
  4. In IIS Manager, go to Default Web Site > Director > Application Settings, find Service.AutoDiscoveryAddresses and make sure it points to a Controller and not to localhost.

Director Single Sign-on

You can configure Director 7.7 to support Integrated Windows Authentication (Single Sign-on).

  1. Run IIS Manager. You can launch it from Server Manager (Tools menu) or from the Start Menu or by running inetmgr.
  2. On the left, expand Sites, expand Default Web Site, and click Director.
  3. In the middle, double-click Authentication in the IIS section. 
  4. Right-click Windows Authentication and Enable it.
  5. Right-click Anonymous Authentication and Disable it.
  6. Pass-through auth won’t work from another computer until you set the http SPN for the Director server. See Director 7.7 Windows Authentication not working with NS LB at discussions.citrix.com.
  7. If Director is not installed on a Controller then you’ll need to configure Kerberos delegation.
  8. If you are load balancing Director then additional config is required. See Director 7.7 Windows Authentication not working with NS LB at discussions.citrix.com for more info.
    1. Create an AD service account that will be used as the Director’s ApplicationPoolIdentity.
    2. Create SPN and link it to the service account.
      setspn -S http/loadbalanced_URL domain\user
    3. Trust the user account for delegation to any service (Kerberos only) (trust the Director servers for delegation is not necessary in this case). You have to create the SPN before you can do this step.
    4. In IIS manager, on the Application Pools (Director), specify the Identity as user we have created in step 1.
    5. In IIS manager, select Default Web Site and open the Configuration Editor.
    6. Use the drop-down to navigate to the following section:
      system.webServer/security/authentication/windowsAuthentication
    7. Set useAppPoolCredentials = True and useKernelMode = False. Click Apply on the top right.

  9. When you connect to Director you will be automatically logged in. You can change the login account by first logging off.
  10. Then change the drop-down to User credentials.
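Steps 1 through 8 for a load-balanced Director, as an added PowerShell example (not code from the original page or from the Citrix Discussions thread it cites). It assumes the ActiveDirectory and WebAdministration modules, an application pool named Director, and placeholder names for the service account and load-balanced URL.

```powershell
# Added example: Director single sign-on behind a load balancer. Run on a Director server, elevated.
Import-Module ActiveDirectory, WebAdministration

$svcAccount = 'svc-director'                  # placeholder sAMAccountName
$domainUser = "corp\$svcAccount"              # placeholder domain
$lbFqdn     = 'director.corp.local'           # placeholder load-balanced name
$appPool    = 'Director'                      # assumed app pool name; check IIS Manager
$password   = Read-Host -AsSecureString "Password for $domainUser"

# Steps 1-2: HTTP SPN for the load-balanced name on the service account.
# -S refuses to add a duplicate; a duplicate SPN breaks Kerberos silently.
setspn -S "http/$lbFqdn" $domainUser

# Step 3: trust the account for delegation to any service (Kerberos only), as the page describes.
# This is unconstrained delegation, so treat the account as highly privileged:
# long random password, no interactive logon rights.
Set-ADAccountControl -Identity $svcAccount -TrustedForDelegation $true

# Step 4: run the Director application pool as that account.
$cred = New-Object System.Management.Automation.PSCredential($domainUser, $password)
Set-ItemProperty "IIS:\AppPools\$appPool" -Name processModel -Value @{
    identityType = 'SpecificUser'
    userName     = $domainUser
    password     = $cred.GetNetworkCredential().Password
}

# Enable Windows authentication and disable Anonymous on /Director (location tags, as IIS Manager does).
$auth = 'system.webServer/security/authentication'
$appHost = 'MACHINE/WEBROOT/APPHOST'
Set-WebConfigurationProperty -PSPath $appHost -Location 'Default Web Site/Director' `
    -Filter "$auth/windowsAuthentication"   -Name enabled -Value $true
Set-WebConfigurationProperty -PSPath $appHost -Location 'Default Web Site/Director' `
    -Filter "$auth/anonymousAuthentication" -Name enabled -Value $false

# Steps 5-7: use the app pool account's SPN instead of the machine account.
Set-WebConfigurationProperty -PSPath $appHost -Location 'Default Web Site' `
    -Filter "$auth/windowsAuthentication" -Name useAppPoolCredentials -Value $true
Set-WebConfigurationProperty -PSPath $appHost -Location 'Default Web Site' `
    -Filter "$auth/windowsAuthentication" -Name useKernelMode -Value $false

# Verify: SPN registered and the two attributes set.
setspn -L $domainUser
Get-WebConfigurationProperty -PSPath $appHost -Location 'Default Web Site' `
    -Filter "$auth/windowsAuthentication" -Name '.' |
    Select-Object useAppPoolCredentials, useKernelMode
```

Repeat the IIS portion on each Director server behind the load balancer; the SPN and delegation settings are per account and only need to be done once.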

Director – Multiple XenDesktop Sites

  1. Run IIS Manager. You can launch it from Server Manager (Tools menu) or from the Start Menu or by running inetmgr.
  2. On the left, expand Sites, expand Default Web Site, and click Director.
  3. In the middle pane, double-click Application Settings.
  4. Find the entry for Service.AutoDiscoveryAddresses and double-click it.
  5. If Director is installed on a Controller, localhost should already be entered.
  6. Add a comma and the NetBIOS name of one of the controllers in the 2nd XenDesktop Site (farm). Only enter one Controller name. If you have multiple Director servers, you can point each Director server to a different Controller in the 2nd XenDesktop Site (farm).
  7. According to Citrix CTX200543 Desktop Director Access Fails After XenDesktop 7.5 is Upgraded to 7.6, the addresses should be NetBIOS names, not FQDN. Click OK.

Director Alerts and Notifications

Director 7.7 supports alert conditions and email notifications. This feature requires XenApp/XenDesktop to be licensed with Platinum Edition. See Citrix Blog Post Configuring & Managing Alerts and Notifications Using Director for more information.  💡

  1. While logged into Director, at the top of the page click the Alerts button.
  2. Switch to the Email Server Configuration tab.
  3. Enter your SMTP information and click Send Test Message. Then click Save.

  4. Switch to the Citrix Alerts Policy tab.
  5. There are three high-level categories of alerts: Site Policy, Delivery Group Policy, and Server OS Policy. Click whichever one you want to configure.
  6. Then click Create.
  7. Give the alert a name.
  8. On the bottom left, select a condition and enter thresholds.
  9. On the bottom right, in the Notifications preferences section, click Add.
  10. Enter an email address and click Add.
  11. Click Save when done. Feel free to create more alerts and notifications.

Director Tweaks

Prepopulate the domain field

From http://www.xenblog.dk/?p=33: On the Controllers having the Director role installed, locate and edit the ‘LogOn.aspx’ file. By default you can find it at “C:\inetpub\wwwroot\Director\Logon.aspx”

In line 450 you will have the following. To find the line, search for ID=”Domain”. Note: onblur and onfocus attributes were added in newer versions of Director.

<asp:TextBox ID="Domain" runat="server" CssClass="text-box" onfocus="showIndicator(this);" onblur="hideIndicator(this);"></asp:TextBox>

In the ID=”Domain” element, insert a Text attribute and set it to your domain name. Don’t change or add any other attributes. Save the file.

<asp:TextBox ID="Domain" runat="server" Text="Corp" CssClass="text-box" onfocus="showIndicator(this);" onblur="hideIndicator(this);"></asp:TextBox>

This will prepopulate the domain field text box with your domain name and still allow the user to change it, if that should be required. Note: this only seems to work if Single Sign-on is disabled.

Session timeout

By default the idle time session limit of the Director is 245 min. If you wish to change the timeout, here is how to do it.

  1. Log on to the Director Server as an administrator
  2. Open the ‘IIS Manager’
  3. Browse to ‘Sites\Default Web Site\Director’ in the left hand pane.
  4. Open ‘Session State’ in the right hand pane
  5. Change the ‘Time-out (in minutes)’ value under ‘Cookie Settings’
  6. Click ‘Apply’ in the Actions list

SSL Check

From http://www.shaunritchie.co.uk/citrix-desktop-director-2-1: If you are not securing Director with an SSL certificate you will get this error at the logon screen.

To stop this:

  1. Log on to the Director Server as an administrator
  2. Open the ‘IIS Manager’
  3. Browse to ‘Sites\Default Web Site\Director’ in the left hand pane.
  4. Open ‘Application Settings’ in the right hand pane
  5. Set EnableSslCheck to false.

Disable Activity Manager

From docs.citrix.com: By default, the Activity Manager in Director displays a list of all the running applications and the Windows description in the title bars of any open applications for the user’s session. This information can be viewed by all administrators that have access to the Activity Manager feature in Director. For Delegated Administrator roles, this includes Full administrator, Delivery Group administrator, and Help Desk Administrator.

To protect the privacy of users and the applications they are running, you can disable the Applications tab from listing running applications.

  • On the VDA, modify the registry value HKLM\Software\Citrix\Director\TaskManagerDataDisplayed. By default, the value is 1. Change it to 0, which means the information will not be displayed in the Activity Manager.
  • On the server with Director installed, modify the setting that controls the visibility of running applications. By default, the value is true, which allows visibility of running applications in the Applications tab. Change the value to false, which disables visibility. This option affects only the Activity Manager in Director, not the VDA. Modify the value of the following setting:
    UI.TaskManager.EnableApplications = false

Large Active Directory

From CTX133013 Desktop Director User Account Search Process is Slow or Fails: By default, all the Global Catalogs for the Active Directory Forest are searched using Lightweight Directory Access Protocol (LDAP). In a large Active Directory environment, this query can take some time or even time out.

  1. In Internet Information Services (IIS) Manager, under the Desktop Director site, select Application Settings and add a new value called ActiveDirectory.ForestSearch. Set it to False. This disables searching any domain except the user’s domain and the server’s domain.
  2. To search more domains, add the searchable domain or domains in the ActiveDirectory.Domains field.
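The Director settings named in the Multiple XenDesktop Sites, SSL Check, Disable Activity Manager and Large Active Directory sections all live in the appSettings of Director’s web.config. The following is an added example (not code from the original page) that reads and writes them through the WebAdministration module, so the change goes through IIS exactly as an edit in Application Settings would. The second-Site Controller name is a placeholder; the keys are the ones named on this page.

```powershell
# Added example: get/set Director appSettings keys through IIS rather than editing web.config by hand.
Import-Module WebAdministration

$site = 'IIS:\Sites\Default Web Site\Director'

function Get-DirectorAppSetting {
    param([Parameter(Mandatory)][string]$Key)
    (Get-WebConfigurationProperty -PSPath $site -Filter "appSettings/add[@key='$Key']" -Name value).Value
}

function Set-DirectorAppSetting {
    param([Parameter(Mandatory)][string]$Key, [Parameter(Mandatory)][string]$Value)
    $current = Get-DirectorAppSetting -Key $Key
    if ($null -eq $current) {
        # Key not present yet (e.g. ActiveDirectory.ForestSearch on a fresh install): add it.
        Add-WebConfigurationProperty -PSPath $site -Filter appSettings -Name '.' -Value @{ key = $Key; value = $Value }
    } else {
        Set-WebConfigurationProperty -PSPath $site -Filter "appSettings/add[@key='$Key']" -Name value -Value $Value
    }
    "{0}: '{1}' -> '{2}'" -f $Key, $current, (Get-DirectorAppSetting -Key $Key)
}

# Director – Multiple XenDesktop Sites: append one Controller of the second Site, NetBIOS name only.
$secondSiteDdc = 'DDC-SITE2-01'                                    # placeholder
$addresses = @((Get-DirectorAppSetting 'Service.AutoDiscoveryAddresses') -split ',' | Where-Object { $_ })
if ($addresses -notcontains $secondSiteDdc) {
    Set-DirectorAppSetting 'Service.AutoDiscoveryAddresses' (($addresses + $secondSiteDdc) -join ',')
}

# SSL Check: only acceptable while Director is not yet published over HTTPS.
Set-DirectorAppSetting 'EnableSslCheck' 'false'

# Disable Activity Manager (Director side). The VDA side is a separate registry DWORD,
# HKLM\Software\Citrix\Director\TaskManagerDataDisplayed = 0, set on each VDA or via GPP.
Set-DirectorAppSetting 'UI.TaskManager.EnableApplications' 'false'

# Large Active Directory: stop the forest-wide Global Catalog search.
Set-DirectorAppSetting 'ActiveDirectory.ForestSearch' 'False'
```

Every Set call prints the old and new value, which is the line worth keeping in the change record; run it on each Director server since web.config is per server.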

Site Groups

From Citrix Blog Post Citrix Director 7.6 Deep-Dive Part 4: Troubleshooting Machines:

If there are a large number of machines, the Director administrator can now configure site groups to perform machine search so that they can narrow down searching for the machine inside a site group. The site groups can be created on the Director server by running the configuration tool via command line by running the command:

C:\inetpub\wwwroot\Director\tools\DirectorConfig.exe /createsitegroups

Then provide a site group name and IP address of the delivery controller of the site to create the site group.

Director – Saved Filters

From Scott Osborne and Jarian Gibson at Citrix Discussions: In Director, you can create a filter and save it.

The saved filter is then accessible from the Filters menu structure.

The saved filters are stored on each Director server at C:\Inetpub\wwwroot\Director\UserData. Observations:

  • Each user has their own saved filters.
  • The saved filters are not replicated across Director servers. You can schedule a robocopy script to do this automatically.
  • When upgrading Director, the saved filters are deleted?

Director – Custom and Scheduled Reports

The Monitoring database contains more data than is exposed in Director. To view this data, the Monitoring service has an OData Data Feed that can be queried.

You can use Excel to pull data from the OData Data feed. See Citrix Blog Post – Citrix Director – Analyzing the Monitoring Data by Means of Custom Reports. This particular blog post shows how to use an Excel PivotChart to display the connected Receiver versions.

Or for Linqpad, see Citrix Blog Post – Creating Director Custom reports for Monitoring XenDesktop using Linqpad

Go to Citrix Blog Post Obtain XenDesktop Custom report through Citrix Director and download the tool. Once installed you can create custom reports from within Director.  💡
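As an added example of querying the OData feed directly (this is not code from the original page or from the blog posts it links), the script below builds the same report the Excel post describes, a count of connected Receiver versions, but straight from PowerShell. It assumes a placeholder Controller name, Windows authentication by a user who is a Studio or Director administrator, and the v2 feed path; the version segment of the URL depends on your release.

```powershell
# Added example: tabulate client (Receiver) versions from the Monitor Service OData feed.
$ddc   = 'ddc01.corp.local'                               # placeholder Controller
$base  = "http://$ddc/Citrix/Monitor/OData/v2/Data"       # version segment depends on release
$since = (Get-Date).AddDays(-7).ToString('yyyy-MM-ddTHH:mm:ss')

function Get-MonitorFeed {
    param([string]$Url)
    # The service pages large result sets; follow rel="next" links until there are none.
    while ($Url) {
        $resp = Invoke-WebRequest -Uri $Url -UseDefaultCredentials -UseBasicParsing
        [xml]$xml = $resp.Content
        foreach ($entry in $xml.feed.entry) { $entry.content.properties }
        $Url = ($xml.feed.link | Where-Object { $_.rel -eq 'next' } | Select-Object -First 1).href
    }
}

# Typed values (dates, numbers) arrive as elements carrying an m:type attribute, plain
# strings as text; normalise both to a string.
function Get-Text($node) {
    if ($node -is [System.Xml.XmlElement]) { $node.InnerText } else { [string]$node }
}

# Only connections from the last 7 days, and only the columns needed, to keep the feed small.
$query = "Connections?`$filter=LogOnStartDate ge datetime'$since'&`$select=ClientVersion,ClientName,LogOnStartDate"

$rows = foreach ($p in Get-MonitorFeed "$base/$query") {
    [pscustomobject]@{
        ClientVersion  = Get-Text $p.ClientVersion
        ClientName     = Get-Text $p.ClientName
        LogOnStartDate = Get-Text $p.LogOnStartDate
    }
}

$rows | Group-Object ClientVersion | Sort-Object Count -Descending |
    Select-Object @{ n = 'ClientVersion'; e = { $_.Name } }, Count | Format-Table -AutoSize
```

The same pattern works for the Sessions, Machines and Users entities; change the entity name and the $select list. Old client versions surfaced this way are the ones to chase for upgrade, since the Receiver page later in this series documents 4.4 as the current release.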

Citrix Licensing Server

Upgrade and Enable CEIP

If you have a standalone or separate Citrix Licensing server, upgrade it to 11.13.1.

  1. Go to the downloaded Citrix Licensing 11.13.1 build 15004 and run CTX_Licensing.msi.
  2. In the Welcome to the Citrix Licensing Upgrade Wizard page, click Upgrade.
  3. In the Citrix Licensing Setup completed successfully page, click Finish.
  4. Go to C:\Program Files (x86)\Citrix\Licensing\MyFiles and edit the file CITRIX.OPT using an elevated text editor.
  5. After an upgrade, CEIP (Customer Experience Improvement Program) is set to NONE. You may change it to ANON or DIAG to send License Server information to Citrix. ANON = Anonymous and DIAG = Call Home (customer identifiable). These correspond to the Customer Experience Improvement Program options you would have seen on a fresh install. Also see Citrix Blog Post – Citrix Licensing – Wired to Improve.

  6. If you go to Programs and Features, it should now show version 11.0.0.15004.
  7. If you login to the license server web console, on the Administration tab, it shows it as version 11.13.1 build 15004.
  8. You can also view the version in the registry at HKLM\Software\Wow6432Node\Citrix\LicenseServer\Install.

Licensing Server HA using GSLB

From Dane Young – Creating a Bulletproof Citrix Licensing Server Infrastructure using NetScaler Global Server Load Balancing (GSLB) and CtxLicChk.ps1 PowerShell Scripts. Here is a summary of the configuration steps. See the blog post for detailed configuration instructions.

  1. Build two License Servers in each datacenter with identical server names. Since server names are identical, they can’t be domain-joined.
  2. Install identical licenses on all License Servers.
  3. Set the DisableStrictNameChecking registry key on all Citrix Licensing servers.
  4. Synchronize the certificate files located at C:\Program Files (x86)\Citrix\Licensing\WebServicesForLicensing\Apache\conf. They must be identical on all Licensing Servers.
  5. Download CtxLicChk.exe from http://support.citrix.com/article/CTX123935 and place on all Licensing Servers.
  6. Schedule the PowerShell script CtxLicChk.ps1 on all Licensing Servers. Get this script from the blog post linked above.
  7. Configure NetScaler:
    1. Configure GSLB ADNS services.
    2. Add wildcard Load Balancing service for each Citrix Licensing Server.
    3. Configure service TCP monitoring for ports 27000, 7279, 8082, and 8083.
    4. Create Load Balancing Virtual Server for each Licensing Server.
    5. Set one Load Balancing Virtual Server as backup for the other.
    6. Repeat in second datacenter.
    7. Configure GSLB Services and GSLB Monitoring.
    8. Configure GSLB Virtual Servers. Set one GSLB Virtual Server as backup for the other.
  8. Delegate the Citrix Licensing DNS name to the ADNS services on the NetScaler appliances.
  9. Configure Citrix Studio to point to the GSLB-enabled DNS name for Citrix Licensing.

Citrix License Server Monitoring

http://www.jonathanmedd.net/2011/01/monitor-citrix-license-usage-with-powershell.html.

Lal Mohan – Citrix License Usage Monitoring Using Powershell

Jaroslaw Sobel – Monitoring Citrix Licenses usage – Graphs using WMI, Powershell and RRDtool. This script generates a daily license usage graph (the sample image is not reproduced here).

Remote Desktop Licensing Server

Install Remote Desktop Licensing Server

Do the following on your XenDesktop Controllers:

  1. In Server Manager, open the Manage menu and click Add Roles and Features.
  2. Click Next until you get to the Server Roles page. Check the box next to Remote Desktop Services and click Next.
  3. Click Next until you get to the Role Services page. Check the box next to Remote Desktop Licensing and click Next.
  4. Click Add Features if prompted.
  5. Then finish the wizard to install the role service.

Activate Remote Desktop Licensing

  1. After RD Licensing is installed, in Server Manager, open the Tool menu, expand Terminal Services and click Remote Desktop Licensing Manager.
  2. The tool should find the local server. If it does not, right-click All servers, click Connect and type in the name of the local server. Once the local server can be seen in the list, right-click the server and click Activate Server.
  3. In the Welcome to the Activate Server Wizard page, click Next.
  4. In the Connection Method page, click Next.
  5. In the Company Information page, enter the required information and click Next.
  6. All of the fields on the Company Information page are optional so you do not have to enter anything. Click Next.
  7. In the Completing the Activate Server Wizard page, uncheck the box next to Start Install Licenses Wizard now and click Finish. Since the session hosts will be configured to pull Per User licenses, there is no need to install licenses on the RD Licensing Server.
  8. In RD Licensing Manager, right-click the server and click Review Configuration.
  9. Ensure you have green check marks. If the person installing Remote Desktop Licensing does not have permissions to add the server to the Terminal Server License Servers group in Active Directory, ask a domain admin to do it manually. If you have the proper permissions, click Add to Group.
  10. Click Continue when prompted that you must have Domain Admins privileges.
  11. Click OK when prompted that the computer account has been added.
  12. Click OK to close the window.

Health Check

Andrew Morgan – New Free Tool: Citrix Director Notification Service: The Citrix Director Notification service sits on an edge server as a service (or local to the delivery controller) and periodically checks the health of:

  • Citrix Licensing.
  • Database Connections.
  • Broker Service.
  • Core Services.
  • Hypervisor Connections.

And if any of these items fall out of bounds, an SMTP alert is sent to the mailbox of your choice for action. The tool will also send “All Clear” emails when these items are resolved, ensuring you are aware when the service has resumed a healthy state.

Related Pages

Virtual Delivery Agent (VDA) 7.7


Hardware

  1. If vSphere 6, don’t use hardware version 11 unless you have NVIDIA GRID. VMware 2109650 – Video playback performance issue with hardware version 11 VMs in 2D mode
  2. For virtual desktops, give the virtual machine: 2+ vCPU and 2+ GB of RAM
  3. For Windows 2008 R2 RDSH, give the virtual machine 4 vCPU and 12-24 GB of RAM
  4. For Windows 2012 R2 RDSH, give the virtual machine 8 vCPU, and 24-48 GB of RAM
  5. Remove the floppy drive
  6. Remove any serial or LPT ports
  7. If vSphere:
    1. To reduce disk space, reserve memory. Memory reservations reduce or eliminate the virtual machine .vswp file.
    2. The NIC should be VMXNET3.
  8. If this VDA will boot from Provisioning Services:
    1. Give the VDA extra RAM for caching.
    2. Do not enable Memory Hot Plug
    3. For vSphere, the NIC must be VMXNET3.
    4. For vSphere, configure the CD-ROM to boot from IDE instead of SATA. SATA comes with VM hardware version 10. SATA won’t work with PvS.
  9. Install the latest version of drivers (e.g. VMware Tools)

If vSphere, disable NIC Hotplug

  1. Users could use the systray icon to Eject the Ethernet Controller. Obviously this is bad.
  2. To disable this functionality, power off the virtual machine.
  3. Once powered off, right-click the virtual machine and click Edit Settings.
  4. On the VM Options tab, expand Advanced and then click Edit Configuration.
  5. Click Add Row.
  6. On the left, enter devices.hotplug. On the right, enter false.
  7. Then click OK a couple times to close the windows.
  8. The VM can then be powered on.
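The same change applied to a whole folder of VDA masters with PowerCLI, as an added example (not from the original page). It assumes PowerCLI is installed and uses placeholder vCenter and folder names; VMs that are still powered on are reported and skipped, because the setting cannot be edited while the VM runs.

```powershell
# Added example: set devices.hotplug=false on every powered-off VM in a folder.
Connect-VIServer -Server 'vcenter01.corp.local'        # placeholder

$folder = 'VDA-Masters'                                 # placeholder folder name
foreach ($vm in Get-Folder -Name $folder | Get-VM) {
    if ($vm.PowerState -ne 'PoweredOff') {
        Write-Warning "$($vm.Name) is $($vm.PowerState); power it off and re-run"
        continue
    }
    $existing = Get-AdvancedSetting -Entity $vm -Name 'devices.hotplug'
    if ($existing) {
        Set-AdvancedSetting -AdvancedSetting $existing -Value 'false' -Confirm:$false | Out-Null
    } else {
        New-AdvancedSetting -Entity $vm -Name 'devices.hotplug' -Value 'false' -Confirm:$false | Out-Null
    }
    # Read it back so the transcript shows the effective value, not just the request.
    "{0}: devices.hotplug = {1}" -f $vm.Name, (Get-AdvancedSetting -Entity $vm -Name 'devices.hotplug').Value
}
```

Include this in the master image build so that every catalog cloned from it inherits the setting, and re-run it after any hardware-version upgrade that rewrites the VMX.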

Windows Preparation

  1. If RDSH, disable IE Enhanced Security Config
  2. Optionally, go to Action Center (Windows 8.1 or 2012 R2) or Security and Maintenance (Windows 10) to disable User Account Control and enable SmartScreen.
  3. Run Windows Update.
  4. If Windows Firewall is enabled:
    1. Enable File Sharing so you can access the VDA remotely using SMB
    2. Enable COM+ Network Access and the three Remote Event Log rules so you can remotely manage the VDA.

  5. Add your Citrix Administrators group to the local Administrators group on the VDA.
  6. The Remote Desktop Services “Prompt for Password” policy prevents Single Sign-on to the Virtual Delivery Agent. Check registry key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services. If fPromptForPassword = 1 then you need to fix group policy. The following GPO setting will prevent Single Sign-on from working:
    Computer Configuration > Policies > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security > Always prompt for password upon connection
    Or set the registry value HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\Portica\AutoLogon (DWORD) = 0x10.
  7. For Windows 7 VDAs that will use Personal vDisk, install Microsoft hotfix 2614892 – A computer stops responding because of a deadlock situation in the Mountmgr.sys driver. This hotfix solved a Personal vDisk Image update issue detailed at Citrix Discussions.
  8. If this VDA is Windows Server 2008 R2, request and install the Windows hotfixes recommended by Citrix CTX129229. Scroll down to see the list of recommended Microsoft hotfixes for Windows Server 2008 R2. Ignore the XenApp 6.x portions of the article. Also see http://www.carlstalhood.com/windows-server-2008-r2-post-sp1-hotfixes/.
  9. To remove the built-in apps in Windows 10, see Robin Hobo How to remove built-in apps in Windows 10 Enterprise.
  10. For Remote Assistance in Citrix Director, configure the GPO setting Computer Configuration\Policies\Administrative Templates\System\Remote Assistance\Offer Remote Assistance. See Jason Samuel – How to setup Citrix Director Shadowing with Remote Assistance using Group Policy for more details.
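A pre-flight script for the master image, as an added example that is not part of the original page. It checks the firewall rules from step 4, the fPromptForPassword value from step 6, and the 8.3 name setting the install section below also calls out, and only changes anything when run with -Fix (firewall rules only; the other two are report-only because fixing them means changing Group Policy or following CTX131995). Run it elevated on the VDA.

```powershell
# Added example: VDA master image pre-flight checks. Report by default, repair firewall rules with -Fix.
param([switch]$Fix)

$results = @()
function Add-Result($check, $ok, $detail) {
    $script:results += [pscustomobject]@{ Check = $check; OK = $ok; Detail = $detail }
}

# Step 4: rule groups needed for remote SMB access and remote management of the VDA.
$groups = 'File and Printer Sharing', 'COM+ Network Access', 'Remote Event Log Management'
foreach ($g in $groups) {
    $rules    = @(Get-NetFirewallRule -DisplayGroup $g -ErrorAction SilentlyContinue)
    $disabled = @($rules | Where-Object Enabled -ne 'True')
    if ($Fix -and $disabled) { $disabled | Enable-NetFirewallRule }
    $ok = ($rules.Count -gt 0) -and ($disabled.Count -eq 0 -or $Fix)
    Add-Result "Firewall: $g" $ok ("{0} of {1} rule(s) were disabled" -f $disabled.Count, $rules.Count)
}

# Step 6: "Always prompt for password" breaks single sign-on. Value comes from GPO, so report only.
$tsPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$prompt   = (Get-ItemProperty $tsPolicy -Name fPromptForPassword -ErrorAction SilentlyContinue).fPromptForPassword
Add-Result 'RDS: fPromptForPassword' ($prompt -ne 1) "value=$prompt (1 means the GPO must be fixed)"

# 8.3 names must stay enabled for seamless apps (CTX131995). 1 = disabled on all volumes.
$fsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem'
$ntfs83 = (Get-ItemProperty $fsKey -Name NtfsDisable8dot3NameCreation).NtfsDisable8dot3NameCreation
Add-Result '8.3 name creation' ($ntfs83 -ne 1) "NtfsDisable8dot3NameCreation=$ntfs83 (0=on, 1=off, 2=per volume default)"

$results | Format-Table -AutoSize
```

Keep the output with the image build notes; a later failed registration or seamless-app problem is much quicker to diagnose when the pre-flight result is on record.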

Install Virtual Delivery Agent 7.7

  1. For virtual desktops, make sure you are logged into the console. The VDA won’t install if you are connected using RDP.
  2. Make sure 8.3 file name generation is not disabled. If so, see CTX131995 – User Cannot Launch Application in Seamless Mode to fix the AppInit_DLLs registry keys.
  3. Make sure .NET Framework 4.5.1 is installed.
  4. Go to the downloaded XenDesktop 7.7 (XenDesktop Platinum, XenDesktop Enterprise, XenApp Platinum, or XenApp Enterprise) .iso file and run AutoSelect.exe. Alternatively, you can download the standalone VDA package and run that instead.
  5. Click Start next to either XenApp or XenDesktop. The only difference is the product name displayed in the installation wizard.
  6. Click Virtual Delivery Agent for Windows Desktop OS or Windows Server OS depending on which type of VDA you are building.
  7. In the Environment page, select Create a Master Image and click Next.
  8. For virtual desktops, in the HDX 3D Pro page, click Next.
  9. In the Core Components page, if you don’t need Citrix Receiver installed on your VDA then uncheck the box. Click Next.
  10. In the Delivery Controller page, select Do it manually. Enter the FQDN of each Controller. Click Test connection. And then make sure you click Add. Click Next when done.
  11. In the Features page, click Next. If this is a virtual desktop, you can leave Personal vDisk unchecked now and enable it later.
  12. In the Firewall page, click Next.
  13. In the Summary page, click Install.
  14. For RDSH, click Close when you are prompted to restart.
  15. After the machine reboots twice, login and installation will continue.
  16. After installation, click Finish to restart the machine again.
  17. If 8.3 file name generation is disabled, see CTX131995 – User Cannot Launch Application in Seamless Mode to fix the AppInit_DLLs registry keys.

Virtual Delivery Agent 7.6.300 Hotfixes

The core VDA software is actually VDA 7.6.300 so you can install core VDA 7.6.300 hotfixes on a 7.7 VDA. What’s different about 7.7 VDA vs 7.6.300 is the brokering agents, Director agents, and Profile Management built into the VDA 7.7 installer.

  1. Download Virtual Delivery Agent 7.6.300 hotfixes. There are DesktopVDACore hotfixes and ServerVDACore hotfixes, depending on which type of VDA you are building.
  2. Install each hotfix by double-clicking the .msp file.
  3. In the Welcome to the Citrix HDX TS/WS Setup Wizard page, click Next.
  4. In the Ready to update page, click Update.
  5. In the Completed the Citrix HDX TS/WS Setup Wizard page, click Finish.
  6. When prompted to restart, if you have multiple hotfixes to install, click Cancel.
  7. Continue installing hotfixes. Restart when done.

Controller Registration Port

Some environments will not accept the default port 80 for Virtual Delivery Agent registration. To change the port, do the following on the Virtual Delivery Agent:

  1. Open Programs and Features.
  2. Find Citrix Virtual Delivery Agent and click Change.
  3. Click Customize Virtual Delivery Agent Settings.
  4. Edit the Delivery Controllers and click Next.
  5. On the Configure Delivery Controller page, change the port number and click Next.
  6. In the Summary page, click Reconfigure.
  7. In the Finish Reconfiguration page, click Finish. The machine automatically restarts.
  8. You must also change the VDA registration port on the Controllers by running BrokerService.exe /VDAPort.

Controller Registration – Verify

  1. Restart the Virtual Delivery Agent machine, or restart the Citrix Desktop Service, so the VDA makes a fresh registration attempt.
  2. In Windows Logs > Application, you should see an event 1012 from Citrix Desktop Service saying that it successfully registered with a controller. If you don’t see this, fix the ListOfDDCs registry value (HKLM\SOFTWARE\Citrix\VirtualDesktopAgent\ListOfDDCs) so it contains the FQDNs of your Controllers.
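The same check done from PowerShell, as an added example that is not part of the original page: it looks for event 1012 from Citrix Desktop Service, reads ListOfDDCs, and tests TCP reachability of each listed Controller on the registration port. The Wow6432Node fallback is an assumption for 32-bit VDAs; -Port defaults to 80 (change it if you altered the port as described in the Controller Registration Port section).

```powershell
# Added example (not from the original page). Run in an elevated PowerShell on the VDA.
function Get-VdaListOfDdcs {
    # 64-bit VDAs use the first key; the Wow6432Node path is an assumption for 32-bit VDAs
    foreach ($key in 'HKLM:\SOFTWARE\Citrix\VirtualDesktopAgent',
                     'HKLM:\SOFTWARE\Wow6432Node\Citrix\VirtualDesktopAgent') {
        $v = Get-ItemProperty -Path $key -Name ListOfDDCs -ErrorAction SilentlyContinue
        if ($v) { return [pscustomobject]@{ Key = $key; ListOfDDCs = $v.ListOfDDCs } }
    }
}

function Test-VdaRegistration {
    param([int]$MinutesBack = 30, [int]$Port = 80)

    $filter = @{ LogName = 'Application'; ProviderName = 'Citrix Desktop Service';
                 StartTime = (Get-Date).AddMinutes(-$MinutesBack) }
    $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)
    $registered = $events | Where-Object { $_.Id -eq 1012 } | Select-Object -First 1

    $ddcs  = Get-VdaListOfDdcs
    $reach = @()
    if ($ddcs) {
        # ListOfDDCs is a space-separated list of Controller FQDNs
        foreach ($ddc in ($ddcs.ListOfDDCs -split '\s+' | Where-Object { $_ })) {
            $t = Test-NetConnection -ComputerName $ddc -Port $Port -WarningAction SilentlyContinue
            $reach += [pscustomobject]@{ Controller = $ddc; Resolved = [bool]$t.RemoteAddress; PortOpen = $t.TcpTestSucceeded }
        }
    }

    [pscustomobject]@{
        Registered    = [bool]$registered
        RegisteredAt  = if ($registered) { $registered.TimeCreated } else { $null }
        ListOfDDCs    = if ($ddcs) { $ddcs.ListOfDDCs } else { '<missing>' }
        ListOfDDCsKey = if ($ddcs) { $ddcs.Key } else { $null }
        Controllers   = $reach
        # the most recent service messages usually explain a failed registration
        RecentEvents  = $events | Select-Object -First 5 | ForEach-Object { "$($_.Id): $(($_.Message -split "`r?`n")[0])" }
    }
}

# Force a fresh registration attempt (BrokerAgent is the Citrix Desktop Service), wait, then report.
Restart-Service -Name BrokerAgent
Start-Sleep -Seconds 20
$r = Test-VdaRegistration -Port 80
$r | Format-List
$r.Controllers | Format-Table -AutoSize
```

If Registered is False but every Controller shows PortOpen, look at RecentEvents: a wrong or missing ListOfDDCs value and a Controller that does not trust the VDA’s machine account are the two usual causes.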

Upgrade to Receiver 4.4

VDA 7.7 does not include this update.

If Receiver is installed on your VDA, upgrade it to version 4.4.

  1. Go to the downloaded Receiver 4.4 and run CitrixReceiver.exe.
  2. In the Welcome to Citrix Receiver page, click Start.
  3. In the License Agreement page, check the box next to I accept the license agreement and click Next.
  4. If you see the Enable Single Sign-on page, check the box next to Enable Single Sign-on and click Next.
  5. In the Help make our products better page, make your selection and click Install.
  6. After installation, click Finish.
  7. See the Receiver page for configuration instructions.

HTML5 App Switcher 2.0.2

This tool is only used by Receiver for HTML5.

  1. .NET Framework 4.0.3 or newer is required.
  2. Go to the downloaded Receiver for HTML5 App Switcher (Citrix_AppSwitcher_2.0.2) and run AppSwitcher.msi.
  3. Check the box next to I accept the terms and click Install.
  4. In the Completed the App Switcher Setup Wizard page, click Finish.
  5. In Programs and Features, it is shown as version 2.0.2.25.

Citrix PDF Printer 7.6.2

This tool is only used by Receiver for HTML5.

  1. Go to the downloaded Receiver for HTML5 Citrix PDF Printer 7.6.2 (Citrix_PDFPrinter_7.6.2) and run CitrixPDFPrinter64.msi.
  2. In the Please read the Citrix PDF printer License Agreement page, check the box next to I accept the terms and click Install.
  3. In the Completed the Citrix PDF Universal Driver Setup Wizard page, click Finish.
  4. In Programs and Features, it is shown as version 7.6.2.9.
  5. Configure a Citrix Policy to enable the PDF printer. The setting is called Auto-create PDF Universal Printer.

Framehawk Configuration

To enable Framehawk, see http://www.carlstalhood.com/citrix-policy-settings/#framehawkconfig

Remote Desktop Licensing Configuration

On 2012 R2 RDSH, the only way to configure Remote Desktop Licensing is using group policy (local or domain). This procedure also works for 2008 R2 RDSH. This procedure is not needed on virtual desktops.

  1. For local group policy, run gpedit.msc.
  2. Go to Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Licensing.
  3. Double-click Use the specified Remote Desktop license servers. Change it to Enabled and enter the names of the RDS Licensing Servers (typically installed on XenDesktop Controllers). Click OK.
  4. Double-click Set the Remote Desktop licensing mode. Change it to Enabled and select Per User. Click OK.
  5. In Server Manager, open the Tools menu, expand Terminal Services and click RD Licensing Diagnoser.
  6. The Diagnoser should find the license server and indicate the licensing mode. It’s OK if there are no licenses installed on the Remote Desktop License Server.

Several people in Citrix Discussions reported the following issue: If you see a message about RD Licensing Grace Period has expired even though RD Licensing is properly configured, see Eric Verdumen No remote Desktop Licence Server availible on RD Session Host server 2012. The solution was to delete the REG_BINARY in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\RCM\GracePeriod only leaving the default. You must take ownership and give admin users full control to be able to delete this value.
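The same configuration scripted, as an added example that is not part of the original page: it writes the two policy registry values that the local GPO settings above set, then verifies what the session host actually uses through the Terminal Services WMI provider, and lists (without deleting) the REG_BINARY values under the GracePeriod key mentioned above. The license server names are placeholders; run it elevated on the RDSH.

```powershell
# Added example (not from the original page). Server names are placeholders.
$LicenseServers = @('ddc01.corp.example', 'ddc02.corp.example')   # assumption: RDS Licensing on the Controllers
$LicensingMode  = 4                                               # 2 = Per Device, 4 = Per User

# These are the values the "Use the specified Remote Desktop license servers" and
# "Set the Remote Desktop licensing mode" policies write.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
Set-ItemProperty -Path $policyKey -Name LicenseServers -Value ($LicenseServers -join ',') -Type String
Set-ItemProperty -Path $policyKey -Name LicensingMode  -Value $LicensingMode -Type DWord

function Get-RdsLicensingState {
    # The TerminalServices namespace requires packet privacy authentication
    $ts   = Get-WmiObject -Namespace 'root\CIMV2\TerminalServices' -Class Win32_TerminalServiceSetting -Authentication PacketPrivacy
    $list = $ts.GetSpecifiedLicenseServerList()
    $mode = switch ($ts.LicensingType) { 2 { 'Per Device' } 4 { 'Per User' } default { "Other ($($ts.LicensingType))" } }
    [pscustomobject]@{
        LicensingMode  = $mode
        LicenseServers = $list.SpecifiedLSList
        PolicyServers  = (Get-ItemProperty -Path $policyKey).LicenseServers
    }
}

function Get-RdsGracePeriodValues {
    # Read-only: the value you may need to delete requires taking ownership first,
    # so that step is deliberately left to a human, as the page describes.
    $k = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\RCM\GracePeriod'
    $item = Get-Item -Path $k -ErrorAction SilentlyContinue
    if ($item) {
        foreach ($name in $item.Property) {
            [pscustomobject]@{ Name = $name; Kind = $item.GetValueKind($name) }
        }
    }
}

Get-RdsLicensingState | Format-List
Get-RdsGracePeriodValues | Format-Table -AutoSize
```

LicenseServers returned by the WMI method should match PolicyServers; if the Diagnoser still reports a problem after this, the GracePeriod listing shows whether a leftover REG_BINARY value is present.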

C: Drive Permissions

This section is more important for shared VDAs like Windows 2008 R2 and Windows 2012 R2.

The default permissions allow users to store files on the C: drive in places other than their profile.

  1. Open the Properties dialog box for C:.
  2. On the Security tab, click Advanced.
  3. Highlight the line containing Users and Create Folders and click Remove.
  4. Highlight the line containing Users and Special and click Remove. Click OK.
  5. Click Yes to confirm the permissions change.
  6. If you see any of these Error Applying Security windows, click Continue.
  7. Click OK to close the C: drive properties.
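The same change scripted, as an added example that is not part of the original page: it finds the explicit BUILTIN\Users ACEs on the C: root that carry Create Folders (AppendData) or Create Files (WriteData) rights, which are the two entries the GUI steps above remove, and removes them while leaving the Read & execute entry in place. Run elevated; use -WhatIf first.

```powershell
# Added example (not from the original page). Run elevated on the VDA.
function Get-UserWriteAcesOnRoot {
    param([string]$Root = 'C:\')
    $writeBits = [System.Security.AccessControl.FileSystemRights]::CreateDirectories -bor
                 [System.Security.AccessControl.FileSystemRights]::CreateFiles
    (Get-Acl -Path $Root).Access | Where-Object {
        $_.IdentityReference.Value -eq 'BUILTIN\Users' -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.FileSystemRights -band $writeBits) -ne 0)
    }
}

function Remove-UserWriteAcesOnRoot {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$Root = 'C:\')
    $acl     = Get-Acl -Path $Root
    $changed = $false
    foreach ($ace in (Get-UserWriteAcesOnRoot -Root $Root)) {
        $desc = "$($ace.IdentityReference) $($ace.FileSystemRights) [$($ace.InheritanceFlags); $($ace.PropagationFlags)]"
        if ($PSCmdlet.ShouldProcess($Root, "Remove ACE $desc")) {
            [void]$acl.RemoveAccessRule($ace)
            $changed = $true
        }
    }
    # Set-Acl on the root propagates the change to inherited ACEs on subfolders,
    # which is where the GUI may show "Error Applying Security" for protected paths.
    if ($changed) { Set-Acl -Path $Root -AclObject $acl }
}

# Audit first: the two default entries show as AppendData (ContainerInherit) and
# CreateFiles (ContainerInherit, InheritOnly).
Get-UserWriteAcesOnRoot | Format-Table IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags -AutoSize
Remove-UserWriteAcesOnRoot -WhatIf
Remove-UserWriteAcesOnRoot
```

Running Get-UserWriteAcesOnRoot again afterwards should return nothing; the Users Read & execute entry is untouched because it carries neither write bit.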

Pagefile

If this image will be converted to a Provisioning Services vDisk, then you must ensure the pagefile is smaller than the cache disk. For example, if you allocate 20 GB of RAM to your Remote Desktop Session Host, and if the cache disk is only 15 GB, then Windows will have a default pagefile size of 20 GB and Provisioning Services will be unable to move it to the cache disk. This causes Provisioning Services to cache to server instead of caching to your local cache disk (or RAM).

  1. Open System. In 2012 R2, you can right-click the Start button and click System.
  2. Click Advanced system settings.
  3. On the Advanced tab, click the top Settings button.
  4. On the Advanced tab, click Change.
  5. Either turn off the pagefile or set the pagefile to be smaller than the cache disk. Don’t leave it set to System managed size. Click OK several times.
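The sizing rule above scripted, as an added example that is not part of the original page: it reads physical RAM and the size of the write-cache disk, sets a fixed pagefile no larger than either (minus a reserve for the cache itself), and turns off system-managed sizing. The cache drive letter (D:) and the 2 GB reserve are assumptions; run it elevated on the master image and reboot afterwards.

```powershell
# Added example (not from the original page). Run elevated; reboot for the change to apply.
function Set-PagefileForPvs {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$CacheDrive   = 'D:',             # assumption: the PvS write-cache disk
        [int]$ReserveMB       = 2048,             # keep room on the cache disk for the cache itself
        [string]$PagefilePath = 'C:\pagefile.sys'
    )
    $ramMB = [math]::Floor((Get-WmiObject Win32_ComputerSystem).TotalPhysicalMemory / 1MB)
    $cache = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$CacheDrive'"
    if (-not $cache) { throw "Cache drive $CacheDrive not found" }
    $cacheMB = [math]::Floor($cache.Size / 1MB)

    # A system-managed pagefile defaults to roughly RAM size; cap it so PvS can relocate it.
    $sizeMB = [math]::Min($ramMB, $cacheMB - $ReserveMB)
    if ($sizeMB -lt 1024) { throw "Cache disk too small for a usable pagefile ($sizeMB MB)" }

    if ($PSCmdlet.ShouldProcess($PagefilePath, "Fixed pagefile of $sizeMB MB (RAM $ramMB MB, cache $cacheMB MB)")) {
        $cs = Get-WmiObject Win32_ComputerSystem -EnableAllPrivileges
        $cs.AutomaticManagedPagefile = $false       # equivalent of unticking "Automatically manage"
        [void]$cs.Put()

        $pf = Get-WmiObject Win32_PageFileSetting | Where-Object { $_.Name -eq $PagefilePath }
        if (-not $pf) {
            $pf = Set-WmiInstance -Class Win32_PageFileSetting -Arguments @{ Name = $PagefilePath }
        }
        $pf.InitialSize = $sizeMB
        $pf.MaximumSize = $sizeMB
        [void]$pf.Put()
    }
    [pscustomobject]@{ RAM_MB = $ramMB; CacheDisk_MB = $cacheMB; Pagefile_MB = $sizeMB }
}

Set-PagefileForPvs -CacheDrive 'D:' -WhatIf   # preview the size that would be set
Set-PagefileForPvs -CacheDrive 'D:'           # apply, then reboot
```

With the page’s numbers (20 GB RAM, 15 GB cache disk) this yields a 13 GB pagefile instead of the 20 GB system-managed default, so Provisioning Services can move it to the cache disk.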

Direct Access Users

When Citrix Virtual Delivery Agent is installed on a machine, non-administrators can no longer RDP to the machine. A new local group called Direct Access Users is created on each Virtual Delivery Agent. Add your non-administrator RDP users to this local group so they can RDP directly to the machine.

Windows Profiles v3/v4/v5

Roaming Profiles are compatible only between the following client and server operating system pairs. The profile version is also listed.

  • v5 = Windows 10 and Windows Server 2016
  • v4 = Windows 8.1 and Windows Server 2012 R2
  • v3 = Windows 8 and Windows Server 2012
  • v2 = Windows 7 and Windows Server 2008 R2
  • v2 = Windows Vista and Windows Server 2008

Windows 8.1 and 2012 R2 don’t properly set the profile version. To fix this, ensure update rollup 2887595 is installed. http://support.microsoft.com/kb/2890783. After you apply this update, you must create a registry key before you restart the computer.

  1. Run regedit.
  2. Locate and then tap or click the following registry subkey:
    HKEY_LOCAL_MACHINE\System\CurrentControlset\Services\ProfSvc\Parameters
  3. On the Edit menu, point to New, and then tap or click DWORD Value.
  4. Type UseProfilePathExtensionVersion.
  5. Press and hold or right-click UseProfilePathExtensionVersion, and then tap or click Modify.
  6. In the Value data box, type 1, and then tap or click OK.
  7. Exit Registry Editor.

Then, Windows 8.1 creates a user profile and appends the suffix “.v4” to the profile folder name to differentiate it from version 2 of the profile in Windows 7 and version 3 of the profile in Windows 8.

Registry

HDX Flash

From Citrix Knowledgebase article CTX139939 – Microsoft Internet Explorer 11 – Citrix Known Issues: The registry key value IEBrowserMaximumMajorVersion is queried by the HDX Flash service to check for maximum Internet Explorer version that HDX Flash supports. For Flash Redirection to work with Internet Explorer 11 set the registry key value IEBrowserMaximumMajorVersion to 11 on the machine where HDX flash service is running. In case of XenDesktop it would be the machine where VDA is installed.

  • Key = HKLM\SOFTWARE\Wow6432Node\Citrix\HdxMediaStreamForFlash\Server\PseudoServer
    • Value = IEBrowserMaximumMajorVersion (DWORD) = 11 (Decimal, 0x0000000b)

From Citrix Discussions: Add the DWORD ‘FlashPlayerVersionComparisonMask=0’ on the VDA under HKLM\Software\Wow6432Node\Citrix\HdxMediaStreamForFlash\Server\PseudoServer. This disables the Flash major version checking between the VDA and Client Device.

Published Explorer

This section applies if you intend to publish apps from this VDA.

From Citrix Knoweldgebase article CTX128009 – Explorer.exe Fails to Launch: When publishing the seamless explorer.exe application, the session initially begins to connect as expected. After the loading, the dialog box disappears and the explorer application fails to appear. On the VDA, use the following registry change to set the length of time a client session waits before disconnecting the session:

  • Key = HKLM\SYSTEM\CurrentControlSet\Control\Citrix\wfshell\TWI
    • Value = LogoffCheckerStartupDelayInSeconds (DWORD) = 10 (Hexadecimal)

Mfaphook – 8.3 File Names

  1. Open a command prompt.
  2. Switch to the root of C: by running cd \
  3. Run dir /x program*
  4. If you don’t see PROGRA~1 then 8.3 is disabled. This will break Citrix.
  5. If 8.3 is disabled, open regedit and go to HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows.
  6. On the right is AppInit_DLLs. Edit it and remove the path in front of MFAPHOOK64.DLL.


Login Timeout

XenDesktop by default only allows 90 seconds to complete a logon operation. The timeout can be increased by setting the following:

HKLM\SOFTWARE\Citrix\PortICA

Add a new DWORD AutoLogonTimeout and set the value to decimal 240.

More information at http://discussions.citrix.com/topic/350243-machines-in-registered-state-but-vm-closes-after-welcome-screen/.

Receiver for HTML5 Enhanced Clipboard

From About Citrix Receiver for Chrome 1.9 at docs.citrix.com: To enable enhanced clipboard support, set registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Citrix\wfshell\Virtual Clipboard\Additional Formats\HTML Format\Name=”HTML Format”. Create any missing registry keys. This applies to both virtual desktops and Remote Desktop Session Hosts.

4K Monitors

Citrix CTX201696 – Citrix XenDesktop and XenApp – Support for Monitors Including 4K Resolution and Multi-monitors: Up to eight 4K monitors are supported with the Std-VDA and RDS VDA irrespective of underlying GPU support, provided the required policies and/or registry keys are correctly configured. Currently the Std-VDA for XenDesktop and RDS-VDA for XenApp does not support resolutions higher than 4094 in any dimension.

Framehawk currently does not support 4K monitors. At the time of writing, the number of monitors supported is 1, the use of more monitors will cause the graphics mode to change from Framehawk to Thinwire to support multi-monitor.  The maximum resolution supported by Framehawk is currently 2048×2048.

From CTX200257 – Screen Issues Connecting to 4K Resolution Monitors: Symptom: A blank or corrupt screen is displayed when connecting to Windows 7 or 8.1 Standard XenDesktop Virtual Delivery Agents on a client which has one or more 4K resolution monitors.

  1. Calculate the video memory that is required for 4K monitor using the following formula:
    Sum of total monitors (Width * height * 4 * X) where width and height are resolution of the monitor.
    X = 2 if VDA is Windows 7 OR X = 3 if VDA is Windows 8/8.1
    Suppose a Windows 7 VDA is connecting to a client that has dual 4K monitors (3840×2160), then video buffer should be: (3840 x 2160 x 4 x 2) + (3840 x 2160 x 4 x 2) = 132,710,400 bytes (~132 MB)
  2. Open the registry (regedit) and navigate to: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\vbdenum
  3. Increase the value of “MaxVideoMemoryBytes” REG_DWORD value to the above calculated memory.
  4. Reboot the VDA.

When using Thinwire, Compatibility, Thinwire Plus or Legacy modes, the Display memory Limit policy needs to be configured appropriately for Std-VDA, as per Graphics Policy Settings at docs.citrix.com. The Default value for Display memory Limit is 65536KB and this is sufficient up to 2x4K monitors (2x32400KB). You can find more information on Graphics modes at Citrix Blogs – Site Wide View of HDX Graphics Modes.

Legacy Client Drive Mapping

Citrix Knowledgebase article How to Enable Legacy Client Drive Mapping Format on XenApp: Citrix Client Drive Mapping no longer uses drive letters; client drives instead appear as local disks. This is similar to RDP drive mapping.

The old drive letter method can be enabled by setting the registry value:

  • Key = HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\UncLinks (create the key)
    • Value = UNCEnabled (DWORD) = 0

When you reconnect, the client drives will be mapped as drive letters (starts with V: and goes backwards).
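The registry changes from the HDX Flash, Published Explorer, Mfaphook, Login Timeout, Receiver for HTML5 Enhanced Clipboard and Legacy Client Drive Mapping sections above, applied in one idempotent pass, as an added example that is not part of the original page. The values are the ones the page lists; the Mfaphook part repeats the page’s own check (dir /x for PROGRA~1) and only rewrites AppInit_DLLs when 8.3 names are missing, assuming, as the page does, that the bare DLL name is resolvable once the directory is stripped.

```powershell
# Added example (not from the original page). Run elevated on the VDA image.
function Set-RegValue {
    [CmdletBinding()]
    param([string]$Path, [string]$Name, $Value, [string]$Type = 'DWord')
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    $cur = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    if ($cur -ne $Value) {
        Set-ItemProperty -Path $Path -Name $Name -Value $Value -Type $Type
        Write-Verbose "$Path\$Name : '$cur' -> '$Value'"
    }
}

$flashKey = 'HKLM:\SOFTWARE\Wow6432Node\Citrix\HdxMediaStreamForFlash\Server\PseudoServer'
$settings = @(
    # HDX Flash: allow redirection with IE 11, and stop the client/VDA Flash major-version check
    @{ Path = $flashKey; Name = 'IEBrowserMaximumMajorVersion';     Value = 11 }
    @{ Path = $flashKey; Name = 'FlashPlayerVersionComparisonMask'; Value = 0 }
    # Published explorer.exe: 0x10 seconds before the logoff checker gives up (page gives 10 hex)
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Citrix\wfshell\TWI'; Name = 'LogoffCheckerStartupDelayInSeconds'; Value = 0x10 }
    # Logon timeout raised from the 90-second default to 240 seconds
    @{ Path = 'HKLM:\SOFTWARE\Citrix\PortICA'; Name = 'AutoLogonTimeout'; Value = 240 }
    # Receiver for HTML5 enhanced clipboard (HTML format)
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Citrix\wfshell\Virtual Clipboard\Additional Formats\HTML Format'; Name = 'Name'; Value = 'HTML Format'; Type = 'String' }
    # Legacy drive-letter client drive mapping
    @{ Path = 'HKLM:\SOFTWARE\Citrix\UncLinks'; Name = 'UNCEnabled'; Value = 0 }
)
foreach ($s in $settings) { Set-RegValue @s -Verbose }

# Mfaphook: the page's own test for 8.3 names (PROGRA~1 must exist on C:)
function Test-8dot3Names {
    $out = & cmd.exe /c 'dir /x C:\program*' 2>&1 | Out-String
    return ($out -match 'PROGRA~')
}

function Repair-AppInitDlls {
    [CmdletBinding()]
    param()
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
    $cur = (Get-ItemProperty -Path $key -Name AppInit_DLLs).AppInit_DLLs
    # Entries may be comma- or space-separated and may contain spaces themselves,
    # so match each "...something.dll" and keep only its file name.
    $fixed = ([regex]::Matches($cur, '(?i)[^,]*?\.dll') | ForEach-Object { Split-Path -Leaf $_.Value.Trim() }) -join ' '
    if ($fixed -and $fixed -ne $cur) {
        Set-ItemProperty -Path $key -Name AppInit_DLLs -Value $fixed -Type String
        Write-Verbose "AppInit_DLLs: '$cur' -> '$fixed'"
    }
}

if (-not (Test-8dot3Names)) { Repair-AppInitDlls -Verbose }
```

Set-RegValue only writes when the stored value differs, so the script can be rerun on every image update without churning the registry; -Verbose shows exactly which values changed.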

COM/LPT Port Redirection

To signal Citrix’ intention to deprecate COM and LPT support in a future major release, policy settings for COM Port and LPT Port Redirection have moved from Studio to the registry, and are now located under HKLM\Software\Citrix\GroupPolicy\Defaults\Deprecated on either your Master VDA image or your physical VDA machines. The registry values are detailed in docs.citrix.com.

Print Driver for Non-Windows Clients

This section applies to Windows 2012 R2, Windows 8.1, and Windows 10 VDAs.

From Mac Client Printer Mapping Fix for Windows 8/8.1 and Windows Server 2012/2012R2. By default, Non-Windows clients cannot map printers due to a missing print driver on the VDA machine.

  1. Requirements:
    • Internet Access
    • Windows Update service enabled
  2. Click Start and run Devices and Printers.
  3. In the Printers section, highlight a local printer (e.g. Microsoft XPS Document Writer). Then in the toolbar click Print server properties.
  4. Switch to the Drivers tab. Click Change Driver Settings.
  5. Then click Add.
  6. In the Welcome to the Add Printer Driver Wizard page, click Next.
  7. In the Processor Selection page, click Next.
  8. In the Printer Driver Selection page, click Windows Update. The driver we need won’t be in the list until you click this button. Internet access is required.
  9. Once Windows Update is complete, highlight HP on the left and then select HP Color LaserJet 2800 Series PS (Microsoft) on the right. Click Next.
  10. In the Completing the Add Printer Driver Wizard page, click Finish.
  11. Repeat these instructions to install the following additional drivers:
    • HP LaserJet Series II
    • HP Color LaserJet 4500 PCL 5

SSL for VDA

If you intend to use HTML5 Receiver internally, install certificates on the VDAs so the WebSockets (and ICA) connection will be encrypted. Internal HTML5 Receivers will not accept clear text WebSockets. External users don’t have this problem since they are SSL-proxied through NetScaler Gateway. Notes:

  • Each Virtual Delivery Agent needs a machine certificate that matches the machine name. This is feasible for a small number of persistent VDAs. For non-persistent VDAs, you’ll need some automatic means for creating machine certificates every time they reboot.
  • As detailed in the following procedure, use PowerShell on the Controller to enable SSL for the Delivery Group. This forces SSL for every VDA in the Delivery Group, which means every VDA in the Delivery Group must have SSL certificates installed.

The Citrix blog post How To Secure ICA Connections in XenApp and XenDesktop 7.6 using SSL has a method for automatically provisioning certificates for pooled virtual desktops by enabling certificate auto-enrollment and setting up a task that runs after the certificate has been enrolled. Unfortunately this does not work for Remote Desktop Session Host.

The following instructions can be found at Configure SSL on a VDA using the PowerShell script at docs.citrix.com.

  1. On the VDA machine, run mmc.exe.
  2. Add the Certificates snap-in.
  3. Point it to Local Computer.
  4. Request a certificate from your internal Certificate Authority. You can use either the Computer template or the Web Server template.
    You can also use group policy to enable Certificate Auto-Enrollment for the VDA computers.
  5. Browse to the XenApp/XenDesktop 7.7 ISO. In the Support\Tools\SslSupport folder, shift+right-click the Enable-VdaSSL.ps1 script and click Copy as path.
  6. Run PowerShell as administrator (elevated).
  7. Run the command Set-ExecutionPolicy unrestricted. Enter Y to approve. Scoping the change to the current session (Set-ExecutionPolicy Unrestricted -Scope Process) avoids leaving the machine-wide policy relaxed after the script has run.
  8. In the PowerShell prompt, type in an ampersand (&), and a space.
  9. Right-click the PowerShell prompt to paste in the path copied earlier.
  10. At the end of the path, type in -Enable
  11. If there’s only one certificate on this machine, press Enter.
  12. If there are multiple certificates, you’ll need to specify the thumbprint of the certificate you want to use. Open the Certificates snap-in, open the properties of the machine certificate you want to use, and copy the Thumbprint from the Details tab.
    In the PowerShell prompt, at the end of the command, enter ‑CertificateThumbPrint, add a space, and type quotes (").
    Right-click the PowerShell prompt to paste the thumbprint.
    Type quotes (") at the end of the thumbprint. Then remove all spaces from the thumbprint. The thumbprint needs to be wrapped in quotes.
  13. If this VDA machine has a different service already listening on 443 (e.g. IIS), then the VDA needs to use a different port for SSL connections. At the end of the command in the PowerShell prompt, enter -SSLPort 444 or any other unused port.
  14. Press <Enter> to run the Enable-VdaSSL.ps1 script.
  15. Press <Y> twice to configure the ACLs and Firewall.
  16. You might have to reboot before the settings take effect.
  17. Login to a Controller and run PowerShell as Administrator (elevated).
  18. Run the command asnp Citrix.*
  19. Enter the command:
    Get-BrokerAccessPolicyRule -DesktopGroupName '<delivery-group-name>' | Set-BrokerAccessPolicyRule -HdxSslEnabled $true

    where <delivery-group-name> is the name of the Delivery Group containing the VDAs.

  20. You can run Get-BrokerAccessPolicyRule -DesktopGroupName '<delivery-group-name>' to verify that HDX SSL is enabled.
  21. Also run the following command:
    Set-BrokerSite -DnsResolutionEnabled $true

You should now be able to connect to the VDA using the HTML5 Receiver from internal machines.
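The procedure above made unattended, as an added example that is not part of the original page: on the VDA it selects the machine certificate whose name matches the VDA’s FQDN and passes its thumbprint to Citrix’s Enable-VdaSSL.ps1; on a Controller it checks that every machine in the Delivery Group answers on the SSL port before forcing HDX SSL on the group (the page notes that enabling it forces SSL on every VDA in the group). Assumptions: the script was copied from the ISO’s Support\Tools\SslSupport folder to C:\Scripts, port 443 is free on the VDA, and the delivery group name is a placeholder.

```powershell
# Added example (not from the original page).

# ---- run on the VDA (elevated) ----
function Get-VdaMachineCertificate {
    # The certificate must match the machine name and be usable for Server Authentication
    $fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
    $serverAuthOid = '1.3.6.1.5.5.7.3.1'
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object {
            $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and
            ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $serverAuthOid }) -and
            ((($_.DnsNameList | ForEach-Object { $_.Unicode }) -contains $fqdn) -or
             ($_.Subject -match "CN=$([regex]::Escape($fqdn))(,|$)"))
        } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
}

function Enable-VdaSslWithMachineCert {
    param([string]$ScriptPath = 'C:\Scripts\Enable-VdaSSL.ps1',   # assumption: copied from the ISO
          [int]$SslPort = 443)
    $cert = Get-VdaMachineCertificate
    if (-not $cert) { throw 'No valid Server Authentication certificate for this FQDN in LocalMachine\My' }
    if (Get-NetTCPConnection -LocalPort $SslPort -State Listen -ErrorAction SilentlyContinue) {
        throw "Port $SslPort already has a listener (IIS?); pass a different -SslPort such as 444"
    }
    # The Citrix script still prompts for the ACL and firewall changes; answer Y as in the steps above.
    & $ScriptPath -Enable -CertificateThumbPrint ($cert.Thumbprint -replace '\s', '') -SSLPort $SslPort
    [pscustomobject]@{ Subject = $cert.Subject; Thumbprint = $cert.Thumbprint; NotAfter = $cert.NotAfter; Port = $SslPort }
}

# ---- run on a Controller (elevated) ----
function Test-DeliveryGroupSslReadiness {
    param([Parameter(Mandatory)] [string]$DesktopGroupName, [int]$Port = 443)
    Add-PSSnapin Citrix.* -ErrorAction SilentlyContinue
    Get-BrokerMachine -DesktopGroupName $DesktopGroupName -MaxRecordCount 5000 | ForEach-Object {
        $t = Test-NetConnection -ComputerName $_.DNSName -Port $Port -WarningAction SilentlyContinue
        [pscustomobject]@{ Machine = $_.DNSName; Registered = $_.RegistrationState; SslPortOpen = $t.TcpTestSucceeded }
    }
}

function Enable-DeliveryGroupHdxSsl {
    param([Parameter(Mandatory)] [string]$DesktopGroupName)
    Add-PSSnapin Citrix.* -ErrorAction SilentlyContinue
    $notReady = Test-DeliveryGroupSslReadiness -DesktopGroupName $DesktopGroupName | Where-Object { -not $_.SslPortOpen }
    if ($notReady) { throw "Not enabling HDX SSL: $($notReady.Machine -join ', ') do not answer on the SSL port" }
    Get-BrokerAccessPolicyRule -DesktopGroupName $DesktopGroupName | Set-BrokerAccessPolicyRule -HdxSslEnabled $true
    Set-BrokerSite -DnsResolutionEnabled $true
    Get-BrokerAccessPolicyRule -DesktopGroupName $DesktopGroupName | Select-Object Name, HdxSslEnabled
}

# Enable-VdaSslWithMachineCert                                    # on each VDA, then reboot it
# Enable-DeliveryGroupHdxSsl -DesktopGroupName 'Win2012R2 Apps'   # on a Controller (placeholder name)
```

The readiness check is the important part: once HdxSslEnabled is set, a VDA without a working certificate and listener is unreachable for every user of that Delivery Group, so refuse to flip the flag while any machine fails the port test.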

Anonymous Accounts

If you intend to publish apps anonymously then follow this section.

  1. Anonymous accounts are created locally on the VDAs. When XenDesktop creates Anon accounts it gives them an idle time as specified at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Citrix\AnonymousUserIdleTime. The default is 10 minutes. Adjust as desired.
  2. You can pre-create the Anon accounts on the VDA by running “C:\Program Files\Citrix\ICAConfigTool\CreateAnonymousUsersApp.exe”. If you don’t run this tool then Virtual Delivery Agent will create them automatically when users log in.
  3. You can see the local Anon accounts by opening Computer Management, expanding System Tools, expand Local Users and Groups and clicking Users.
  4. If you open one of the accounts, on the Sessions tab, notice that idle timeout defaults to 10 minutes. Feel free to change it.
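The steps above scripted, as an added example that is not part of the original page: it sets the idle time the VDA applies when creating Anon accounts, runs the pre-creation tool the page names, and lists the resulting local Anon accounts together with the per-user idle limit shown on the Sessions tab. The 15-minute value is illustrative; run it elevated on the VDA.

```powershell
# Added example (not from the original page). Run elevated on the VDA.
$IdleMinutes = 15   # illustrative; the page's default is 10
$citrixKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Citrix'
if (-not (Test-Path $citrixKey)) { New-Item -Path $citrixKey -Force | Out-Null }
Set-ItemProperty -Path $citrixKey -Name AnonymousUserIdleTime -Value $IdleMinutes -Type DWord

# Pre-create the accounts so the first anonymous logon does not have to.
$tool = Join-Path $env:ProgramFiles 'Citrix\ICAConfigTool\CreateAnonymousUsersApp.exe'
if (Test-Path $tool) {
    Start-Process -FilePath $tool -Wait
} else {
    Write-Warning "$tool not found; the VDA will create the Anon accounts at first anonymous logon"
}

function Get-AnonAccounts {
    # The VDA names the local accounts with an "Anon" prefix (assumption based on the page's wording)
    Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True AND Name LIKE 'Anon%'" |
        ForEach-Object {
            $u = [ADSI]"WinNT://$env:COMPUTERNAME/$($_.Name),user"
            # MaxIdleTime is the IADsTSUserEx property behind the Sessions tab, in minutes
            $idle = try { $u.psbase.InvokeGet('MaxIdleTime') } catch { $null }
            [pscustomobject]@{ Name = $_.Name; Disabled = $_.Disabled; IdleTimeoutMin = $idle }
        }
}

Get-AnonAccounts | Format-Table -AutoSize
```

Accounts created before the registry change keep their old idle limit, so check the IdleTimeoutMin column rather than assuming the new value applied to all of them.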

Group Policy for Anonymous Users

Since Anonymous users are local accounts on each Virtual Delivery Agent, domain-based GPOs will not apply. To work around this limitation, you’ll need to edit the local group policy on each Virtual Delivery Agent.

  1. On the Virtual Delivery Agent, run mmc.exe.
  2. Open the File menu and click Add/Remove Snap-in.
  3. Highlight Group Policy Object Editor and click Add to move it to the right.
  4. In the Welcome to the Group Policy Wizard page, click Browse.
  5. On the Users tab, select Non-Administrators.
  6. Click Finish.
  7. Now you can configure group policy to lockdown sessions for anonymous users. Since this is a local group policy, you’ll need to repeat the group policy configuration on every Virtual Delivery Agent image. Also, Group Policy Preferences is not available in local group policy.

Antivirus

Install antivirus using your normal procedure. Instructions vary for each Antivirus product.

Microsoft’s virus scanning recommendations (e.g. exclude group policy files) – http://support.microsoft.com/kb/822158.

Citrix’s Recommended Antivirus Exclusions

Citrix CTX127030 Citrix Guidelines for Antivirus Software Configuration: Based on Citrix Consulting’s field experience, organizations might wish to consider configuring antivirus software on session hosts with the settings below.

  • Scan on write events or only when files are modified. It should be noted that this configuration is typically regarded as a high security risk by most antivirus vendors. In high-security environments, organizations should consider scanning on both read and write events to protect against threats that target memory, such as Conficker variants.
  • Scan local drives or disable network scanning. This assumes all remote locations, which might include file servers that host user profiles and redirected folders, are being monitored by antivirus and data integrity solutions.
  • Exclude the pagefile(s) from being scanned.
  • Exclude the Print Spooler directory from being scanned.
  • Remove any unnecessary antivirus related entries from the Run key (HKLM\Software\Microsoft\Windows\CurrentVersion\Run).
  • If using the streamed user profile feature of Citrix Profile management, ensure the antivirus solution is configured to be aware of Hierarchical Storage Manager (HSM) drivers. For more information, refer to Profile Streaming and Enterprise Antivirus Products.
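A machine-specific exclusion list built from the recommendations above, as an added example that is not part of the original page: it resolves the actual pagefile paths and the print spooler directory of this session host (rather than hard-coding them) and lists the Run-key entries so unnecessary antivirus entries can be spotted. The output is fed into your antivirus product’s own exclusion configuration; no product API is assumed.

```powershell
# Added example (not from the original page). Run elevated on the session host.
function Get-AvExclusionCandidates {
    # Pagefile(s) actually in use; fall back to the default location if none is reported
    $pagefiles = @(Get-WmiObject Win32_PageFileUsage | ForEach-Object { $_.Name })
    if (-not $pagefiles) { $pagefiles = @("$env:SystemDrive\pagefile.sys") }

    # Print spooler directory as configured on this machine
    $spoolKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print\Printers'
    $spool = (Get-ItemProperty -Path $spoolKey -Name DefaultSpoolDirectory -ErrorAction SilentlyContinue).DefaultSpoolDirectory
    if (-not $spool) { $spool = "$env:SystemRoot\System32\spool\PRINTERS" }

    [pscustomobject]@{
        ExcludeFiles       = $pagefiles
        ExcludeDirectories = @($spool)
    }
}

function Get-RunKeyEntries {
    foreach ($key in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                     'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run') {
        if (Test-Path $key) {
            (Get-ItemProperty -Path $key).PSObject.Properties |
                Where-Object { $_.Name -notmatch '^PS(Path|ParentPath|ChildName|Drive|Provider)$' } |
                ForEach-Object { [pscustomobject]@{ Key = $key; Name = $_.Name; Command = $_.Value } }
        }
    }
}

Get-AvExclusionCandidates | Format-List
Get-RunKeyEntries | Format-Table -AutoSize
```

Review the Run-key list by hand: the page only says to remove antivirus entries that are unnecessary, and which ones those are depends on the product.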

Symantec

Non-persistent session hosts:

After you have installed the Symantec Endpoint Protection client and disabled Tamper Protection, open the registry editor on the base image.

  1. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC.
  2. Create a new key named Virtualization.
  3. Under Virtualization, create a DWORD value named IsNPVDIClient and set it to 1.

To configure the purge interval for offline non-persistent session host clients:

  1. In the Symantec Endpoint Protection Manager console, on the Admin page, click Domains.
  2. In the Domains tree, click the desired domain.
  3. Under Tasks, click Edit Domain Properties.
  4. On the Edit Domain Properties > General tab, check the Delete non-persistent VDI clients that have not connected for specified time checkbox and change the days value to the desired number. The Delete clients that have not connected for specified time option must be checked to access the option for offline non-persistent VDI clients.
  5. Click OK.

Make the following changes to the Communications Settings policy:

  1. Configure clients to download policies and content in Pull mode
  2. Disable the option to Learn applications that run on the client computers
  3. Set the Heartbeat Interval to no less than one hour
  4. Enable Download Randomization, set the Randomization window for 4 hours

Make the following changes to the Virus and Spyware Protection policy:

  1. Disable all scheduled scans
  2. Disable the option to “Allow startup scans to run when users log on” (This is disabled by default)
  3. Disable the option to “Run an ActiveScan when new definitions Arrive”

Avoid using features like application learning which send information to the SEPM and rely on client state to optimize traffic flow

Linked clones:

To configure Symantec Endpoint Protection to use Virtual Image Exception to bypass the scanning of base image files

  1. On the console, open the appropriate Virus and Spyware Protection policy.
  2. Under Advanced Options, click Miscellaneous.
  3. On the Virtual Images tab, check the options that you want to enable.
  4. Click OK

Trend Micro

Citrix CTX136680 – Slow Server Performance After Trend Micro Installation. Citrix session hosts experience slow response and performance more noticeable while users try to log in to the servers. At some point the performance of the servers is affected, resulting in issues with users logging on and requiring the server to be restarted. This issue is more noticeable on mid to large session host infrastructures.

Trend Micro has provided a registry fix for this type of issue. Create the following registry on all the affected servers. Add new DWORD Value as:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TmFilter\Parameters] “DisableCtProcCheck”=dword:00000001

Optimize Performance

VDA Optimizer

Installation of the VDA might have already done this but there’s no harm in doing it again. This tool is only available if you installed VDA in Master Image mode.

  1. On the master VDA, go to C:\Program Files\Citrix\PvsVm\TargetOSOptimizer and run TargetOSOptimizer.exe.
  2. Then click OK. Notice that it disables Windows Update.

RDSH

Citrix CTX131577 XenApp 6.x (Windows 2008 R2) – Optimization Guide is a document with several registry modifications that are supposed to improve server performance. Ignore the XenApp 6 content and instead focus on the Windows content.

Citrix CTX131995 User Cannot Launch Application in Seamless Mode in a Provisioning Services Server when XenApp Optimization Best Practices are Applied. Do not enable NtfsDisable8dot3NameCreation

Norskale has Windows 2008 R2 Remote Desktop and XenApp 6 Tuning Tips Update.

Windows 7

Microsoft has compiled a list of links to various optimization guides.

It’s a common practice to optimize a Windows 7 virtual machine (VM) template (or image) specifically for VDI use. Usually such customizations include the following.

  • Minimize the footprint, e.g. disable some features and services that are not required when the OS is used in “stateless” or “non-persistent” fashion. This is especially true for disk-intensive workloads since disk I/O is a common bottleneck for VDI deployment. (Especially if there are multiple VMs with the same I/O patterns that are timely aligned).
  • Lock down user interface (e.g. optimize for specific task workers).

With that said, certain practices are quite debatable and vary between real-world deployments. The exact choice of whether to disable a particular component depends on customer requirements and VDI usage patterns. For example, in a personalized virtual desktop scenario there is much less to disable, since the machine is not completely “stateless”. Some customers rely heavily on particular UI functions, while others can relatively easily trade them off for the sake of performance or standardization (which enhances supportability and potentially security). This is one of the primary reasons why Microsoft doesn’t officially publish a “VDI Tuning” guide.

There are, however, a number of such papers and even tools published by the community or by third parties. The Microsoft Wiki page linked above is aimed at serving as a consolidated and comprehensive list of such resources.

Daniel Ruiz XenDesktop Windows 7 Optimization and GPO’s Settings

Microsoft Whitepaper Performance Optimization Guidelines for Windows 7 Desktop Virtualization

Windows 8.1 / 10 / 2012 R2

Optimization Notes:

  • If this machine is provisioned using Provisioning Services, do not disable the Shadow Copy services.
  • Windows 8 detects VDI and automatically disables SuperFetch. No need to disable it yourself.
  • Windows 8 automatically disables RSS and TaskOffload if not supported by the NIC.

Seal and Shut Down

If this session host will be a master image in a Machine Creation Services or Provisioning Services catalog, after the master is fully prepared (including applications), do the following:

  1. Go to the properties of the C: drive and run Disk Cleanup.
  2. On the Tools tab, click Optimize to defrag the drive.
  3. Run slmgr.vbs /dlv and make sure it is licensed with KMS and has at least one rearm remaining. It is no longer necessary to manually rearm licensing. XenDesktop will do it automatically.
  4. Run Delprof2 to clean up local profiles. Get it from http://helgeklein.com/download/.
  5. Machine Creation Services and Provisioning Services require DHCP. Session hosts commonly have DHCP reservations.
  6. Shut down the master image. You can now use Studio or Provisioning Services to create a catalog of linked clones.
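The pre-seal checks above scripted, as an added example that is not part of the original page: it verifies the KMS channel and activation state, the remaining rearm count, that every IP-enabled NIC uses DHCP, and lists the stale local profiles that Delprof2 would remove. The Delprof2 path is an assumption; run it elevated on the master before shutting it down.

```powershell
# Added example (not from the original page). Run elevated on the master image.
function Test-MasterImageReadyToSeal {
    $svc = Get-WmiObject SoftwareLicensingService
    # The Windows OS product has this fixed ApplicationID; PartialProductKey filters to the installed key
    $win = Get-WmiObject SoftwareLicensingProduct -Filter "ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' AND PartialProductKey IS NOT NULL" |
           Select-Object -First 1
    $nics = @(Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=True')

    # Profiles that are neither system profiles nor currently loaded are what Delprof2 removes
    $stale = @(Get-WmiObject Win32_UserProfile | Where-Object { -not $_.Special -and -not $_.Loaded } | ForEach-Object { $_.LocalPath })

    [pscustomobject]@{
        LicenseChannel  = $win.ProductKeyChannel                 # expect 'Volume:GVLK' for KMS (not reported on Windows 7)
        Licensed        = ($win.LicenseStatus -eq 1)             # 1 = Licensed
        KmsServer       = $svc.KeyManagementServiceMachine
        RearmsRemaining = $svc.RemainingWindowsReArmCount        # the page wants at least 1
        AllNicsDhcp     = -not ($nics | Where-Object { -not $_.DHCPEnabled })
        StaleProfiles   = $stale
    }
}

$check = Test-MasterImageReadyToSeal
$check | Format-List

$problems = @()
if (-not $check.Licensed)             { $problems += 'Windows is not licensed' }
if ($check.RearmsRemaining -lt 1)     { $problems += 'no rearms remaining' }
if (-not $check.AllNicsDhcp)          { $problems += 'a NIC has a static IP; MCS/PvS require DHCP' }
if ($problems) { Write-Warning ("Not ready to seal: " + ($problems -join '; ')) }

$Delprof2 = 'C:\Tools\DelProf2.exe'   # assumption
if ($check.StaleProfiles -and (Test-Path $Delprof2)) {
    # /l lists what would be deleted; replace it with /u (unattended) to actually delete
    & $Delprof2 /l
}
```

Run it again after Delprof2 has done its work; StaleProfiles should then be empty and the three warnings absent before you shut the master down.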

Troubleshooting – Graphics

For an explanation of Citrix’s graphics policy settings, see A graphical deep dive into XenDesktop 7 and What’s new with HDX display in XenDesktop & XenApp 7.x?

Citrix Knowledgebase article CTX200370 – How to Determine HDX Display Mode: Use wmic or HDX Monitor as described in the article to determine which of the following display mode options is being used:

  • DCR (Desktop Composition Redirection)
  • H.264 / H.264 Compatibility Mode
  • Legacy Graphics Mode

Citrix Blog Post – Site Wide View of HDX Graphics Modes; PowerShell script to display graphics mode of currently connected sessions.

Citrix Blog post – Optimising the performance of HDX 3D Pro – Lessons from the field

From Citrix Tips – Black Screen Issues with 7.x VDA: Users would make a successful ICA connection but the screen would stay totally black.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\vbdenum]

  • “Start”=dword:00000001
  • “MaxVideoMemoryBytes”=dword:06000000
  • “Group”= “EMS”

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\vd3d]

  • “MaxVideoMemoryBytes”=dword:00000000

From Citrix Knowledgebase article CTX200257 – Screen Issues Connecting to 4K Resolution Monitors in DCR Mode:

  1. Calculate the video memory that is required for 4K monitor using the following formula:
    Sum of total monitors (Width * height * 4 * X) where width and height are resolution of the monitor.
    X = 2 if VDA is Windows 7 OR X = 3 if VDA is Windows 8/8.1/10
    Example: Suppose a Windows 7 VDA is connecting to a client that has dual 4K monitors (3840×2160), then video buffer should be: (3840 x 2160 x 4 x 2) + (3840 x 2160 x 4 x 2) = 132,710,400 bytes (~132 MB)
  2. Open the registry (regedit) and navigate to:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\vbdenum
  3. Increase the value of “MaxVideoMemoryBytes” REG_DWORD value to the above calculated memory.
  4. Reboot the VDA
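The CTX200257 calculation from the 4K Monitors section and from this Troubleshooting – Graphics section, as an added example that is not part of the original page: it computes MaxVideoMemoryBytes for any set of monitors with the page’s formula (X = 2 for Windows 7, 3 for Windows 8/8.1/10) and writes it to vbdenum only if the current value is smaller. The monitor list in the usage lines is the page’s dual-4K example.

```powershell
# Added example (not from the original page). Run elevated on the VDA; reboot afterwards.
function Get-VideoMemoryBytes {
    param(
        [Parameter(Mandatory)] [object[]]$Monitors,       # each element is @(width, height)
        [ValidateSet('Windows7', 'Windows8Plus')] [string]$VdaOs = 'Windows8Plus'
    )
    $x = if ($VdaOs -eq 'Windows7') { 2 } else { 3 }     # page: X = 2 for Windows 7, 3 for 8/8.1/10
    $total = [int64]0
    foreach ($m in $Monitors) {
        $total += [int64]$m[0] * [int64]$m[1] * 4 * $x     # width * height * 4 bytes/pixel * X
    }
    return $total
}

function Set-VdaMaxVideoMemory {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory)] [int64]$Bytes)
    if ($Bytes -gt [int]::MaxValue) { throw "$Bytes does not fit in a REG_DWORD" }
    $key = 'HKLM:\SYSTEM\CurrentControlSet\services\vbdenum'
    $cur = (Get-ItemProperty -Path $key -Name MaxVideoMemoryBytes -ErrorAction SilentlyContinue).MaxVideoMemoryBytes
    if ($cur -ge $Bytes) {
        Write-Verbose "MaxVideoMemoryBytes is already $cur (>= $Bytes); nothing to do"
        return
    }
    if ($PSCmdlet.ShouldProcess($key, "MaxVideoMemoryBytes $cur -> $Bytes")) {
        Set-ItemProperty -Path $key -Name MaxVideoMemoryBytes -Value ([int]$Bytes) -Type DWord
    }
}

# The page's worked case: a Windows 7 VDA with dual 3840x2160 monitors -> 132,710,400 bytes (~132 MB)
$dual4k = @(@(3840, 2160), @(3840, 2160))
$bytes  = Get-VideoMemoryBytes -Monitors $dual4k -VdaOs Windows7
"{0:N0} bytes ({1:N1} MB)" -f $bytes, ($bytes / 1MB)

# Eight 4K monitors on a Windows 8.1/10 VDA, the maximum CTX201696 mentions
$eight  = 1..8 | ForEach-Object { ,@(3840, 2160) }
Get-VideoMemoryBytes -Monitors $eight -VdaOs Windows8Plus

Set-VdaMaxVideoMemory -Bytes $bytes -WhatIf   # preview
Set-VdaMaxVideoMemory -Bytes $bytes -Verbose  # apply, then reboot the VDA
```

Size for the largest monitor set a client will actually present, not the average: the value is a ceiling, and a client with more pixels than it allows gets the blank or corrupt screen the article describes.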

From Citrix Discussions: To exclude applications from Citrix 3D rendering, create a REG_DWORD registry value “app.exe” with value 0 or a registry value “*” with value 0.

  • XD 7.1 and XD 7.5:
    • x86: reg add hklm\software\citrix\vd3d\compatibility /v * /t REG_DWORD /f /d 0
    • x64: reg add hklm\software\Wow6432Node\citrix\vd3d\compatibility /v * /t REG_DWORD /f /d 0
  • XD 7.6/7.7 both x86 and x64:
    • reg add hklm\software\citrix\vd3d\compatibility /v * /t REG_DWORD /f /d 0

Wildcards are not supported. The asterisk * here has a special meaning “all apps” but is not a traditional wildcard. To blacklist multiple apps e.g. both appa.exe and appb.exe must be done by creating a registry value for each app individually.

This is most problematic in Remote PC since most physical PCs have GPUs. I recently had to blacklist Internet Explorer to prevent lockup issues when switching back to physical.

SmartAccess / SmartControl – NetScaler 11


Navigation

SmartAccess / SmartControl

SmartAccess and SmartControl let you change ICA connection behavior (e.g. disable client device mappings) based on how users connect. Decisions are based on NetScaler Gateway Virtual Server name, Session Policy name, and Endpoint Analysis scan success or failure.

SmartAccess can also control application/desktop icon visibility.

Prerequisites

Both SmartAccess and SmartControl have the same prerequisites. You can configure SmartAccess in XenApp/XenDesktop at any time but it won’t work until you do the following:

  1. On the NetScaler, go to System > Licenses and make sure you have NetScaler Gateway Universal Licenses allocated to the appliance. The Universal licenses are allocated to the hostname of the appliance (click the gear icon), not the MAC address. In a High Availability pair, if each node has a different hostname then you can allocate the licenses to one hostname, then reallocate to the other hostname.
  2. After installing licenses, go to NetScaler Gateway > Global Settings.
  3. On the top right, click Change authentication AAA settings.
  4. At the top of the page, change the Maximum Number of Users to match your installed license count. Then click OK. This setting is commonly missed and if not configured it defaults to only 5 concurrent connections.
  5. On a XenApp/XenDesktop Controller, run PowerShell as Administrator.
  6. Run asnp citrix.* to load the snapins.
  7. Run Set-BrokerSite -TrustRequestsSentToTheXmlServicePort $true to enable Trust XML.
  8. In StoreFront Console, go to the NetScaler Gateway node and edit (Change General Settings) the existing Gateway object.
  9. Make sure a Callback URL is configured to resolve to a NetScaler Gateway VIP on the same appliance that authenticated the user. The Callback Gateway’s certificate must match the FQDN entered here. If you are configuring Single FQDN for internal and external then the Callback FQDN must be different than the Single FQDN.
  10. On the NetScaler, go to NetScaler Gateway > Virtual Servers and edit your Gateway Virtual Server.
  11. In the Basic Settings section, click the pencil icon.
  12. Click More.
  13. Uncheck the box next to ICA Only and click OK. This tells NetScaler Gateway to start using Universal licenses and enables the SmartAccess and SmartControl features.

Once the prerequisites are in place, configure the features as detailed in the following sections: Endpoint Analysis (optional), SmartControl (on the NetScaler), and SmartAccess (in XenApp/XenDesktop).

Endpoint Analysis

Endpoint Analysis scans are completely optional. You can configure SmartControl and SmartAccess without implementing any Endpoint Analysis.

Endpoint Analysis is supported on Windows and Mac devices. Other devices, like iOS and Android, do not support Endpoint Analysis. If you want to allow mobile device connectivity, then make sure you have an access mechanism (e.g. ICA Proxy) that works if the Endpoint Analysis scan fails.

There are two methods of Endpoint Analysis: pre-authentication and post-authentication. For pre-authentication, configure an Endpoint Analysis expression in a Preauthentication Policy. For post-authentication, configure the Endpoint Analysis expression on one or more Session Policies.

  • With a Preauthentication Policy, if the Endpoint Analysis scan fails then users can't log in at all.
  • With a Postauthentication (Session) Policy, Endpoint Analysis doesn't run until after the user logs in. Typically, you create multiple Session Policies. One or more policies have Endpoint Analysis expressions. Leave one policy without an Endpoint Analysis expression so there's a fallback in case the client device doesn't support Endpoint Analysis (e.g. mobile devices). The name of the Session Policy is then used later in Citrix Policies and Citrix Delivery Groups.

NetScaler 11 has two Endpoint Analysis engines: the classic Client Security engine and the newer OPSWAT Advanced EPA engine.

To configure OPSWAT Advanced EPA expressions:

  1. When creating a Preauthentication Policy or Session Policy, click the OPSWAT EPA Editor link.
  2. Use the drop-down menus to select the scan criteria. Then click Done.

To configure Client Security expressions:

  1. When creating a Preauthentication Policy or Session Policy, click the Expression Editor link.
  2. Change the Expression Type to Client Security.
  3. Use the Component drop-down to select a component. A common configuration is to check for domain membership as detailed at CTX128040 How to Configure a Registry-Based Scan Expression to Look for Domain Membership.

Once the Policies are created, bind them to your NetScaler Gateway Virtual Server:

  1. Edit a NetScaler Gateway Virtual Server.
  2. Scroll down to the Policies section and click the plus icon.
  3. Select either Preauthentication or Session and select the policy you already created. Then click Bind.

SmartControl

NetScaler 11.0 has a new SmartControl feature, where you can configure some of the SmartAccess functionality directly on the appliance. See Configuring SmartControl at docs.citrix.com for detailed instructions.

  1. If you are using a Preauthentication Policy to run an Endpoint Analysis scan, edit the Preauthentication Profile.
  2. Configure the Default EPA Group with a new group name. You'll use this group name later.
  3. If you are instead using a Session Policy/Profile to run the post-authentication Endpoint Analysis scan, on the Security tab, use the SmartGroup field to define a group name for users that pass the scan. You'll use this group name later.
  4. On the left, expand NetScaler Gateway, expand Policies, and click ICA.
  5. On the right, switch to the Access Profiles tab and click Add.
  6. Configure the restrictions as desired and click OK.
  7. Switch to the ICA Action tab and click Add.
  8. Give the Action a name and select the Access Profile. Click Create.
  9. Switch to the ICA Policies tab and click Add.
  10. Select the previously created ICA Action.
  11. Enter an expression. You can use REQ.USER.IS_MEMBER_OF("MyGroup") where MyGroup is the name of the SmartGroup / Default EPA Group you configured in the Session Profile or Preauthentication Profile. Click Create when done.
  12. Edit your Gateway Virtual Server.
  13. Scroll down to the Policies section and click the plus icon.
  14. Change the Policy Type to ICA and click Continue.
  15. Select the SmartControl policy you created earlier and click Bind.

SmartAccess

CTX138110 How to Configure the SmartAccess feature on Access Gateway Enterprise Edition Appliance

In XenApp/XenDesktop, edit a Citrix policy and add the Access Control filter. If you are using GPO to deliver Citrix Policies, then only Citrix Policies in the user half of the GPO support Access Control filters.

You can leave the default wildcards for farm name and condition to match all NetScaler Gateway connections. Or you can match specific NetScaler Gateway / Session Policy connections:

  • AG farm name = name of the NetScaler Gateway Virtual Server.
  • Access condition = name of the NetScaler Gateway Session Policy.

You typically create a Citrix policy to turn off all client device mappings for all external users. Then you create a higher priority Citrix policy that re-enables client device mappings for those users that passed the Endpoint Analysis scan expression on a particular Session Policy.

If you edit a Delivery Group, there’s an Access Policy page where you can hide or show the Delivery Group for all NetScaler Gateway connections or for specific NetScaler Gateway Virtual Server / Session Policy connections.

  • Farm name = NetScaler Gateway Virtual Server name
  • Filter = NetScaler Gateway Session Policy name

This configuration applies to the entire Delivery Group. It is not possible to perform this configuration for only specific published applications unless they are in a separate Delivery Group.
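The Controller-side pieces of this page (the Trust XML prerequisite in steps 5-7 and the Delivery Group Access Policy just described) can be done and verified with the Citrix Broker PowerShell SDK instead of Studio. The following is an added example, not code from the article or from Citrix; the Delivery Group name "External Desktops", the Gateway Virtual Server name "gw_vs" and the Session Policy name "pol_epa_pass" are assumed placeholders that you must replace with your own.

```powershell
# Added example (not from the original article). Run as Administrator on a
# Delivery Controller. Assumed placeholder names: Delivery Group
# "External Desktops", Gateway vServer "gw_vs", Session Policy "pol_epa_pass".
Add-PSSnapin Citrix.*

# 1. Prerequisite: SmartAccess filters only work when the Controller trusts the
#    identity and SmartAccess tags asserted by StoreFront on the XML port.
#    Enabling this is an impersonation risk if the XML port is reachable from
#    anything other than StoreFront, so restrict that port before turning it on.
$site = Get-BrokerSite
if (-not $site.TrustRequestsSentToTheXmlServicePort) {
    Set-BrokerSite -TrustRequestsSentToTheXmlServicePort $true
}

# 2. Show the access policy rules that currently govern the Delivery Group.
#    Studio creates two by default: "<DG>_AG" (via Gateway) and "<DG>_Direct".
$dgName = 'External Desktops'
$dg = Get-BrokerDesktopGroup -Name $dgName
Get-BrokerAccessPolicyRule -DesktopGroupUid $dg.Uid |
    Select-Object Name, AllowedConnections, IncludedSmartAccessFilterEnabled,
                  IncludedSmartAccessTags

# 3. Restrict the "via Gateway" rule so the group is only shown to Gateway
#    connections whose Session Policy matched (i.e. the EPA scan passed).
#    Tag format is "<Gateway vServer name>:<Session Policy name>", which maps to
#    the Farm name / Filter fields on Studio's Access Policy page.
$tag = 'gw_vs:pol_epa_pass'
$agRule = Get-BrokerAccessPolicyRule -DesktopGroupUid $dg.Uid |
    Where-Object { $_.AllowedConnections -eq 'ViaAG' }

if ($agRule) {
    $agRule | Set-BrokerAccessPolicyRule -IncludedSmartAccessFilterEnabled $true `
        -IncludedSmartAccessTags @($tag)
} else {
    New-BrokerAccessPolicyRule -Name "$($dgName)_AG" -DesktopGroupUid $dg.Uid `
        -AllowedConnections ViaAG -AllowedProtocols @('HDX', 'RDP') `
        -AllowedUsers AnyAuthenticated -IncludedUserFilterEnabled $false `
        -IncludedSmartAccessFilterEnabled $true -IncludedSmartAccessTags @($tag)
}

# 4. Verification: after an external user launches through the Gateway, the
#    tags StoreFront forwarded are visible on the session. An empty
#    SmartAccessTags value means the Callback URL or Trust XML is not working.
Get-BrokerSession | Where-Object { $_.SmartAccessTags } |
    Select-Object UserName, DesktopGroupName, SmartAccessTags
```

Because the rule is evaluated per Delivery Group, the same Set-BrokerAccessPolicyRule call has to be repeated for every group you want to hide from devices that failed the scan; the "Direct" rule is left untouched so internal (non-Gateway) connections are unaffected.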
