Nested ESXi Virtual Appliances


In the world of home labs, nested virtualization is a must: it lets you build vSphere environments in a short time to test or try new features, including in the EUC space.

To help those who want to use nested virtualization, William Lam has been providing Nested ESXi Virtual Appliances for several years.

Until a few days ago the nested ESXi virtual appliances were available for download from William's website (https://williamlam.com/); since yesterday they have been available on the VMware Flings Community (accessible with a free Broadcom community account, which can be created here).

The convenience of these virtual appliances is that you can also write automation scripts to build nested environments (vSphere clusters, vSAN, and VCF (VMware Cloud Foundation) environments) in a short time, which can then be used to test Omnissa's EUC solutions as well.

Here is William’s official post


EUC, a bright future for Horizon

These days there is a lot of buzz in the EUC (End-User Computing) world about a new name appearing on the market.

But let's start from the beginning. Back in 2008 I first approached the world of VDI (Virtual Desktop Infrastructure), initially by automating training classrooms, thanks to VMware and its product, which at the time had just been renamed Horizon View (if I'm not mistaken it was previously called VMware VDM... even today, in Connection Server installations, we find a VDM folder under C:\ProgramData).


Over time VMware's VDI solutions evolved significantly, first with linked clone technology and then with instant clones (technologies that greatly simplify the life of the desktop administrator).

We have seen solutions added alongside Horizon that make the most of VDI, such as App Volumes, DEM (Dynamic Environment Manager), Workspace ONE, etc.

Then it was brought from on-premises to the cloud as well, with solutions such as Horizon Cloud on Microsoft Azure.

The VDI world has also left an important mark on my career: since 2021 I have been a vExpert (with an EUC specialty) and since 2024 an EUC Expert, and I work with VMware/Broadcom on deployments.

You will tell me: fine, these are things we already know, but what has actually happened?

Well, we all know that VMware was acquired by Broadcom, and one of the new owner's first statements was that it did not want to invest in the EUC world.

So what happens now?

All of VMware's EUC products, recognised among the leaders of the VDI and Desktop as a Service market, have been bought by KKR (an American fund founded in 1977), and so Omnissa is born.


Born with VMware people, to guarantee the same quality and the same pace of innovation that has been delivered over these years.

A new life continues or begins (your choice) for all the EUC products that many of us know and appreciate (Horizon etc.).

We will surely see great things, and a bright future awaits us!


VMware Horizon takes a long time to provision Desktop virtual machines


We ran into a strange situation when changing the sizing (number of desktop VMs) of an Instant Clone desktop pool or publishing a new image to it.

The symptom was a very long time to create one or more VMs from the Gold Image. On investigation we found that the problem also occurs when cloning any VM in the same vSphere environment where the instant clone VDIs are allocated.

In our case it was a vSAN environment. After the usual first checks, which found no network, disk, or compatibility problems, we went through the logs in detail and, in the clone case, found an error in the logs of the VM being cloned.


We found a workaround and a permanent resolution:

Workaround:

Restart the vCenter service "VMware vService Manager".

Resolution:

See KB https://kb.vmware.com/s/article/96049: the problem is fixed in vCenter 8.0 U2b.


VMware App Volumes 4, version 2312.2

On 28 March VMware released a new version of App Volumes (a minor release) to fix some known issues of previous versions.

VMware App Volumes 4, version 2312.2 Release Notes

In this case it is a relief for me, because I had just run into a bug in version 2312 at a customer with vSAN and an App Volumes storage group. This version should fix the following issue: In the next few days I will install the update and, if necessary, update this post.


Approach to updating a Horizon infrastructure

When approaching the upgrade of an infrastructure in the EUC world (as with most technologies in IT) you need to define a roadmap of activities and follow it carefully. In many cases the vendor already has an upgrade procedure that should be followed closely. When I started working as a consultant, documentation was very scarce (we are talking about the end of the 20th century and the beginning of the 21st...) and procedures were poorly documented, so only those who had taken courses or had experience could approach upgrades of production environments with a certain "tranquility".

Coming back to EUC infrastructures and focusing on the VMware by Broadcom world (still, for a while, given the transfer of the technology in question), we have a precise upgrade sequence, especially when several technologies interact with each other, and we need to verify the interoperability between them.

For example, this KB gives the upgrade sequence for a Horizon 8 infrastructure:

Update sequence for Horizon 7, Horizon 8, and compatible VMware products (78445)


And the ability to use the interoperability portal:

https://interopmatrix.vmware.com/Interoperability


In my ten years of experience updating and maintaining vSphere and Horizon infrastructures, I have often had to step in and handle post-upgrade problems, where in most cases the problems were caused by the update not having been performed in the correct order, or by not all of the upgrade steps having been completed.

For example, I have seen situations where, after an upgrade, copy and paste to and from VDI sessions no longer worked correctly in a Horizon infrastructure.

In the end the problem was solved by also performing the update of the Horizon ADMX templates in Active Directory, a step that the customer, or whoever had done the upgrade for them, had skipped.


VMware Workspace One Access, VMware Horizon, and FIDO2 device

Publishing VDI outside the company network has become a necessity for many companies since COVID-19 (employee remote working, workstations dedicated to consultants, etc.). In all the implementations I have done in recent years, one of the key points has been the need to implement an MFA solution to raise the level of security.

In this post I want to explain how to configure the integration of Workspace ONE Access (WS1A), Horizon, and FIDO2 devices (I use a YubiKey 5 Series with NFC and fingerprint).


What is VMware WorkSpace One Access?


Workspace ONE Access (vmware.com)

What is VMware Horizon?


VMware Horizon | VDI Software Solutions | VMware

What is FIDO2?

FIDO2 enables users to leverage common devices to easily authenticate to online services in both mobile and desktop environments.

The FIDO2 specifications are the World Wide Web Consortium’s (W3C) Web Authentication (WebAuthn) specification and FIDO Alliance’s corresponding Client-to-Authenticator Protocol (CTAP).

FIDO2 – FIDO Alliance
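To make the WebAuthn half of FIDO2 concrete, here is the relying-party side of a security-key login in Python. This is an added example, not code from the original post nor from VMware, Omnissa or Yubico; Workspace ONE Access performs these checks internally and exposes none of this. It shows why the PIN and key-touch prompts in the registration and login steps of this post matter: they set the UV (user verified) and UP (user present) flags in the authenticator data, and the relying party must check them, together with the origin (the anti-phishing property), the challenge (anti-replay) and the signature counter (clone detection), before it even gets to the signature. The RP ID, origin, challenge and authenticator data are constructed for illustration. The function returns the exact bytes the key signed, authData || SHA-256(clientDataJSON), so the last step, verifying that signature against the credential public key with a crypto library, can follow.

```python
"""Relying-party checks for a WebAuthn (FIDO2) assertion, up to signature
verification. Added example; sample values below are constructed, not captured
from a real Workspace ONE Access tenant."""
import base64
import hashlib
import json
import struct

# Authenticator data flag bits (WebAuthn spec, authenticator data layout)
FLAG_UP = 0x01  # user present: the key was touched
FLAG_UV = 0x04  # user verified: PIN or fingerprint was checked on the key
FLAG_AT = 0x40  # attested credential data present (registration only)


def b64url_decode(s: str) -> bytes:
    """WebAuthn uses unpadded base64url; restore padding before decoding."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def parse_authenticator_data(auth_data: bytes) -> dict:
    """First 37 bytes: rpIdHash(32) | flags(1) | signCount(4, big-endian)."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData too short")
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    return {"rpIdHash": auth_data[:32], "flags": auth_data[32], "signCount": sign_count}


def verify_assertion(client_data_json: bytes, auth_data: bytes, *,
                     expected_challenge: bytes, rp_id: str, origin: str,
                     stored_sign_count: int, require_uv: bool = True) -> bytes:
    """Run the relying-party checks and return the bytes the key signed
    (authData || SHA-256(clientDataJSON)). Raises ValueError on any failure."""
    client_data = json.loads(client_data_json)
    if client_data.get("type") != "webauthn.get":
        raise ValueError("clientData.type is not webauthn.get")
    if b64url_decode(client_data["challenge"]) != expected_challenge:
        raise ValueError("challenge mismatch (replay or wrong session)")
    if client_data.get("origin") != origin:
        raise ValueError("origin mismatch (possible phishing page)")

    parsed = parse_authenticator_data(auth_data)
    if parsed["rpIdHash"] != hashlib.sha256(rp_id.encode()).digest():
        raise ValueError("rpIdHash does not match our RP ID")
    if not parsed["flags"] & FLAG_UP:
        raise ValueError("user presence not asserted (key was not touched)")
    if require_uv and not parsed["flags"] & FLAG_UV:
        raise ValueError("user verification (PIN/fingerprint) not asserted")
    # If either side uses a counter, the new value must be strictly greater;
    # a stalled counter is the classic sign of a cloned authenticator.
    if (parsed["signCount"] or stored_sign_count) and parsed["signCount"] <= stored_sign_count:
        raise ValueError("signature counter did not increase (cloned key?)")

    return auth_data + hashlib.sha256(client_data_json).digest()


def make_sample(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Construct authenticatorData the way a security key would (test data)."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)


# Constructed sample values (assumptions, not from the original post)
RP_ID = "tenant.vmwareidentity.example"   # hypothetical WS1A tenant RP ID
ORIGIN = "https://" + RP_ID
CHALLENGE = bytes(range(32))              # would be random per login
CLIENT_DATA = json.dumps({
    "type": "webauthn.get",
    "challenge": base64.urlsafe_b64encode(CHALLENGE).rstrip(b"=").decode(),
    "origin": ORIGIN,
}).encode()


def demo() -> dict:
    """PIN + touch passes; touch-only, a stalled counter and a wrong RP fail."""
    results = {}
    good = make_sample(RP_ID, FLAG_UP | FLAG_UV, sign_count=42)
    signed = verify_assertion(CLIENT_DATA, good, expected_challenge=CHALLENGE,
                              rp_id=RP_ID, origin=ORIGIN, stored_sign_count=41)
    results["good_signed_len"] = len(signed)  # 37 bytes authData + 32 byte hash
    for name, data, stored in [
        ("no_uv", make_sample(RP_ID, FLAG_UP, 43), 42),
        ("stale_counter", make_sample(RP_ID, FLAG_UP | FLAG_UV, 42), 42),
        ("wrong_rp", make_sample("evil.example", FLAG_UP | FLAG_UV, 43), 42),
    ]:
        try:
            verify_assertion(CLIENT_DATA, data, expected_challenge=CHALLENGE,
                             rp_id=RP_ID, origin=ORIGIN, stored_sign_count=stored)
            results[name] = "accepted"
        except ValueError as e:
            results[name] = str(e)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The origin check is what makes a security key phishing-resistant: a look-alike site gets a different origin in clientDataJSON and a different rpIdHash, so its assertion is rejected even if the user touched the key. The `require_uv` switch corresponds to the policy choice of demanding the PIN or fingerprint (a second factor on the key itself) rather than a bare touch.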

What is Yubikey 5 Series?

Multi-protocol security key, eliminate account takeovers with strong two-factor, multi-factor, and passwordless authentication, and seamless touch-to-sign. Multi-protocol support allows for strong security for legacy and modern environments. A full range of form factors allows users to secure online accounts on all of the devices that they love, across desktops and mobile.

  • Multi-protocol support; FIDO2, U2F, Smart card, OTP, OpenPGP 3
  • USB-A, USB-C, NFC, Lightning
  • IP68 rated, crush resistant, no batteries required, no moving parts

USB-A YubiKey 5 NFC Two Factor Security Key | Yubico

Configure Workspace ONE Access (WS1A) SaaS to use FIDO2 authentication

Enable the authentication method in WS1A:

Go to Integrations -> Authentication Methods -> click FIDO2 -> Enable FIDO2 Adapter


Now we need to associate the authentication method with the identity provider (the one created to integrate WS1A with Active Directory):

Go to Integrations -> Identity Providers -> click the correct IdP -> tick FIDO2


After associating FIDO2 with the IdP we need to create the policy that enables self-service FIDO2 device registration (it is also possible to pre-register the FIDO2 device for the user):

Go to Resources -> Policies -> click default_access_policy_set -> Edit


Create two rules:

Rule 1 -> enable self-service registration of the FIDO2 device

Rule 2 -> enable login with only the FIDO2 device

The policy rule configuration is shown in the next image.


Self-service key registration

Insert the YubiKey 5 into a USB port and log in to the Workspace ONE Access portal.

The web portal now offers two choices:

  • Sign in with FIDO2 Authenticator
  • Register your FIDO2 Authenticator

To register the device, select Register.

Log in with the correct domain account.

Now we need to select the authenticator.


Select another device.

Select the Security Key as the place where the passkey is stored.


Enter the security key PIN.


Touch the key (on my key this is the fingerprint sensor).


Add a name for the Security Key


Now you are ready to log in with the security key

User login experience

Go to the company Workspace ONE Access website.


Enter the PIN associated with the FIDO2 key.


Now touch the key for fingerprint authentication.


You are redirected to the Workspace ONE catalog portal.


If you want to view or reset a user's FIDO2 device:

Log in to the Workspace ONE Access SaaS admin console, go to Accounts -> Users and click the user whose device association you want to reset.


Select Two-Factor Authentication.


And delete the FIDO2 security key


Alternatively, the administrator can associate a new device with the user.

Horizon 2312, new feature to simplify the Gold Image Linux Configuration


Few people know that it is possible to use a Linux distribution to create VDI desktops or published applications (like RDS) and publish them with Horizon.

The desktop pool can be Instant Clone or Full Clone.

The latest Horizon version (2312) introduces a new way to configure the agent: a tool whose goal is to simplify the installation and also configure the OS (for example the join to the Active Directory domain).

In the Horizon Agent for Linux package there is a new script:

easyinstall_viewagent.sh

We can use this script to:

  • Configure the Linux OS template
  • Install the Horizon Agent

To run all the steps in one go, start the script (with root privileges):

./easyinstall_viewagent.sh

The script does the following:

Platform check


Now you need to enter information such as DNS, hostname, domain, and the account used to join the domain.


The script then checks for and installs any missing packages (SSSD etc.) and performs the domain join.


After the template has joined the AD domain, the script starts installing the Horizon Agent.


Now the Linux Gold Image is ready to be used to create a Horizon Instant Clone desktop pool or a Full Clone desktop pool.

It is also possible to configure the OS and install the Horizon Agent in two separate steps:

  • Configure OS
    • To configure the Linux OS use this command:

./easyinstall_viewagent.sh -c

  • Install Agent
    • After configuring the OS we can install the Horizon Agent with this command:

./easyinstall_viewagent.sh -i

The script offers three levels of options:

Default (hostname, domain FQDN, domain join user, domain join password ...)

Advanced (the same options as Default plus NTP, Horizon Agent features, and others)

Expert (the same options as Advanced plus further functions)

More information at this link:

Use the Easy Setup Tool to Prepare a Linux Machine (vmware.com)


VMware Horizon 2312

As usual, every 3 months VMware releases a new version of Horizon (and of almost all EUC applications).
The following have been available for a few days:
Horizon 8 2312
App Volumes 4 2312
Dynamic Environment Manager 2312
ThinApp 2312

Among the various features released for Horizon 8, the most interesting one is Agent Auto Upgrade:

“The agent auto upgrade feature allows customers to automatically initiate upgrades without manual intervention. To utilize this feature, on-premises systems must have access to CDS servers. Customers without CDS access can establish their webserver, host the agent components, and then register the agent build with the connection server to upgrade agents in VDI/RDSH desktops. This feature requires Horizon Plus or Horizon Universal License, and is available for Full Clone Desktops and RDSH Servers only. To upgrade Horizon Agent in Instant Clone Desktop Pools or RDS Farms, upgrade Horizon Agent on the Golden Image and schedule maintenance to push the new image.”
