Script for removing and installing Horizon agent

Requirements:

  • Share containing the installation file of the Horizon agent version and a . bat containing the command to silently install the Horizon agent
  • List of VMs on which to perform the operation
  • A user to access vCenter with administrative rights
  • One user to install horizon agent on VMs

The script includes:

  • Credential request
    • First request the user to access the vCenter (line 6)
    • Second request the user to remove and install the Horizon Agent on the VMs (line 8)
  • Import the VM list (line 12)
  • Connecting to the vCenter (line 13)
  • Part a for each machine contained in the file with the list of VMs (line 14)
  • Check if the Horizon Agent is present (line 25)
  • If present, remove it and reboot (line 29), if not present, switch to the installation fa
  • Installing the Horizon agent (line 54)
    • Share mount
    • Running the .bat contained in the share
  • Waiting for the installation to finish and reboot

There are 3 “procedures” in the script

For  verification if the Horizon Agent is installed (line 18 to 20):

$script = @”

Get-WmiObject Win32_Product -filter “Name=’VMware Horizon Agent'” | Select Caption

” @

For the removal the Horizon  agent (line 22 to 24):

$removeapp= @”

wmic Product Where “Name=’VMware Horizon Agent'” Call Uninstall /NoInteractive

” @

For agent installation (Line 50 to 54):

$installapp = @”

New-PSDrive -Name “S” -Root “\\vimng03\share” -Persist -PSProvider “FileSystem”

S:\agentinstallv8.bat

” @

In this last agent installation procedure, you must modify:

  • S 🡪 letter with which the share will be temporarily mounted on the VM (which we can change but must also be modified in the installation file .Bat
  • \\vimng03\share –> put the share where you want the Horizon agent installation file and the installation file .bat
  • S:\agentinstallv8.bat is the file that will install the agent in silently mode

Where inside it is start:

s:\VMware-Horizon-Agent-x86_64-8.0.0-16530789.exe /s /v”/qn ADDLOCAL=BlastUDP,Core,HelpDesk,RDP,RTAV,TSMMR,USB,VmVideo,VmwVaudio,VmwVdisplay,VmwVidd”

to be parameterized according  VMware’s guide.

in my case the file will look like this

#The script need:
#List the VMs name where remove e reinstall the agent (file c:\vdi.txt or where you want)
#Share where is the horizon agent installation file and the file agentinstallv8.bat that contain the silent command for installation
#When the script start ask the vCenter Credential and the Admin User Credential for install the Horizon Agent on the VM
#Credential for access to vCenter
$credential = Get-Credential
#Credential with administrator role for install horizon agent 
$VMCredential = Get-Credential
#vcenter
$vcenter = "<FQDNvCenter>"
#List of VMs where remove e install new agent version
$VDIs = Get-Content "c:\vdi.txt"
connect-viserver $vcenter -Credential $credential
foreach ($VDI in $VDIs){
$VM = Get-VM -Name $VDI
Write-Host "Start remove agent from $VM"
#Script for verify if the agent is installed
$script = @"
Get-WmiObject Win32_Product -filter "Name='VMware Horizon Agent'" | Select Caption 
"@
#Script for remove
$removeapp= @"
wmic Product Where "Name='VMware Horizon Agent'" Call Uninstall /NoInteractive
"@
$value = Invoke-VMScript -VM $VM -ScriptType Powershell -ScriptText $script -GuestCredential $VMCredential 
#Check if horizon agent are install if present the script remove it and reboot the VM
if ($value.ScriptOutput -like "*Horizon*") {
     Write-Host "Horizon agent is installed"
     Invoke-VMScript -VM $VM -ScriptType Powershell -ScriptText $removeapp -GuestCredential $VMCredential -RunAsync
     While(Test-Connection $VM -Quiet -Count 1){
        Write-Progress -Activity "Rebooting $VM" -Status "Waiting for $VM to shut down."
        Start-Sleep -sec 1
     }
     While(!(Test-Connection $VM -Quiet -Count 1)){
        Write-Progress -Activity "Rebooting $VM" -Status "Waiting for $VM to come back up."
        Start-Sleep -sec 1
     }
     if ($value.ScriptOutput -cnotlike "*Horizon*") {
     Write-Host "Agent removed from $VM and $VM rebooted"
     } 
   }
   else { 
   Write-Host "Horizon agent is not installed on $VM" 
   } 

#####Agent Installation
Write-Host "Start the Horizon Agent installation in $VM"
Sleep 15 
#Installation with share change the fileserver,the share name, the labl and the file 
$installapp = @"
New-PSDrive -Name "S" -Root "\\vimng03\share" -Persist -PSProvider "FileSystem"
S:\agentinstallv8.bat
"@
Invoke-VMScript -VM $VM -ScriptType powershell -ScriptText $installapp -GuestCredential $VMCredential -RunAsync
While(Test-Connection $VM -Quiet -Count 1){
        Write-Progress -Activity "Rebooting $VM" -Status "Waiting for $VM to shut down."
        Start-Sleep -sec 1
    }
While(!(Test-Connection $VM -Quiet -Count 1)){
        Write-Progress -Activity "Rebooting $VM" -Status "Waiting for $VM to come back up."
        Start-Sleep -sec 1
    }
Write-Host "$VM after installation is UP" 
$value = Invoke-VMScript -VM $VM -ScriptType Powershell -ScriptText $script -GuestCredential $VMCredential
if ($value.ScriptOutput -like "*Horizon*") {
    Write-Host "New Horizon agent is installed in $VM"
    }
    else
    {
    Write-Host "New Horizon agent is not installed in $VM" 
    }
}
Disconnect-VIServer $vcenter -Force
Script for removing and installing Horizon agent

Upgrade Unified Access Gateway

VMware Horizon infrastructures often have the Unified Access Gateway (UAG) component to enable a secure connection from outside your corporate network to VDI.

This positioning makes the UAG subject to frequent updates, today we will see how to update it.

Download the ISO file of the version we want to update from the VMware Customer Site:

File 
Information 
Unified Access Gateway 2203 for vSphere, Amazon AWS and Google Cloud (Non-FIPS) 
DOWNLOAD NOW 
File size: 2.63 
File type: Ova 
Read More 
Unified Access Gateway (UAG) 2203 for vSphere (FIPS) 
DOWNLOAD NOW 
File size: 2.14 Ga 
File type: ova 
Read More 
Unified Access Gateway WAG) 2203 for Microsoft Azure 
DOWNLOAD Now 
File size: 2.54 GB 
File type: zip 
Read More 
Unified Access Gateway WAG) 2203 PowerShell Scripts 
DOWNLOAD NOW 
File size: 79.4 KB 
File type: zip 
Read More 
MDS checksums. SHAI checksums and SdA256 checksums

Check compatibility with your Horizon infrastructure:

Product Interoperability Matrix (vmware.com)

Add to My Favorite List 
Hide Interoperability 
Compatible IV Incompatible 
Com*tible Put End of 
a 
Put End of 
Not S upgnrted 
VMwere Horizon 
2111 
2106 
2103 
2012 
T 132 - VMwere Horizon 7 
713 1 - VMwere Horizon 7 
T 13 0 - VMwere Horizon 7 
Hide Legacy Releases O 
Past End ot General Support Past End at Technical Guidance 
VMware Unified Access Gateway 
2203 
and 
21112 
and 
2111.1 
and 
2106.2 
and 
2103.1 
and 
2103 
2012 
and 
2009 
3.10

Download the INI file containing the current UAG configuration

  • Access the Unified Access Gateway interface
    • HTTPS://<fqdnUAG>:9443

Using the credentials of the admin user

or 
VMware 
Unified Access Gateway 
dmin Username 
Admin Password 
Login

Once logged in, download the .ini file

A picture containing chart

Description automatically generated

OCSP Settings 
Support Settings 
Support Settings 
Edge Service Session Statistics 
Log Archive 
Log Level Settings 
Export Unified Access Gateway Settings

Retrieving the information needed to complete the configuration file:

  • Certificate for public access and password
  • Certificate for the admin center and its password
  • SAML component XML if integration with AZURE MFA
  • Information on where to deploy (vCenter, Cluster, virtual network, datastore ) the Virtual Appliance of the new UAG

The data indicated will serve me to fill in the fields of the downloaded ini file

Notepad 
File Edit Format 
[General] 
netlnternet= 
View 
Help 
ipø=192.168.247.54 
diskMode= 
ip1=192,168,246.54 
defaultGateway=192.168.247.1 
target= 
ds= 
routes 
2.168.246.1,192.168.4.0/24 192.168.246.1,172.25.2.0/23 192.168.246.1,172.25.6 
netmaskØ=255.255.255. or 
netManagement etwor 
net3ackendNetwork 
• pØA110cationMode=STATICV4 
name= 
deploymentOption=twonic 
forceNetmaskØ=255.255.255. or 
forceNetmask1=255.255.255. or

I summarize the info required in this table

Sector Field Description
General netInternet PortGroup on which to certify the network card that communicates to the internet world *
General diskmode Thin or Thick
General Source Absolute path where the ISO resides
General Target Path of the vSphere infrastructure where we will deploy the virtual appliance
General Ds Datastore where the VM will be created
General netManagementNetwork Portgroup on which to certify the network adapter for UAG management *
General netBackendNetwork Portgroup on which to certify the network adapter for UAG management *
General Name Virtual Machine Name
General uagName Hostname of the UAG (normally to be left that of the UAG to be replaced)
SSLCert pfxCerts Property Path where the SSL Certificate generated by a public CA in password protected PFX format used to access VDI by Horizon Clients resides
SSLCertAdmin pfxCerts Property Path where the SSL Certificate generated by a CA (normally Microsoft and Private) used to secure and validate access to the UAG Management Interface resides
IDPExternalMetadata1 metadataXmlFile Property XML file of the Identity Provider (In this case Azure AD) to enable Azure MFA for access

*VMware recommends at least two network adapters in two different segments for production environments

  • One for internet traffic (I call it the EXT-DMZ)
  • One for traffic to the internal LAN (I call it the INT-DMZ)

It is possible to create environments with 1 or 3 network adapters, in the first case VMware recommends only one card only for test environments, and in the second to also differentiate the management traffic that otherwise, in the two-card configuration would pass through the card that communicates with the internal LAN.

Notepad 
File Edit Format View Help 
l[Generate1] 
net Internet—DPG - EXT•4Zjjj) 
ipe=192.168.247.55 
diskMode—thick 
source—E : - unified - access - gateway- 22.03. 1955Ø 91_OVFI Ø. Ova 
ip1=192,168,246.55 
default-Gateway=192.168.247.1 
target—vi : / /vcaØ7 
ds=vsanDatastore 
routes1=172.16.e.Ø/16 192.168.246.1,192.168.4.0/24 192.168.246.1,172.25.2.0/23 192.168.246.1,172 
netmaskØ=255.255.255. and 
netManagementUetwork 
net8ackendNetwork=DPG - INT - C*IZ 
ipeA110cationMode=STATICV4 
name-VilJAGØ3-22Ø3 
deploymentOption=twonic 
forceNetmaskØ=255.255.255. and 
forceNetmask1-255.255.255. and 
ip1A110cationMode=STATICV4 
net-maski=255,255,255. and 
authenticationT imeout—3ØØØØe 
fipsEnab1ed—fa1se 
sys L ogType=UDP 
uagName=viuage3 
clockSkewT01erance=6Øe

At this point we can proceed with the deployment of the virtual appliance:

  • The first step is Shutdown the old UAG Virtual Appliance (I suppose do you have at least two UAGs with a Load Balancer in front and at least a DNS round-robin for balancing the traffic to the Connection server)

.\uagdeploy.ps1 -iniFile UAG_Settings_VIUAG04.ini

Administrator: Windows PowerShell 
uag ep oy2203> 
uag ep oy. PSI

Allow CEIP

Insert password for PFX Certificate File

Insert a new (or reuse the old) password for the Root account (for access to UAG OS) and Admin account (for access to UAG WEB admin console)

Waiting to complete the UAG Deploy (You can check the process from the vCenter task)

Now the new UAG virtual appliance is up and running!! Test it and apply the same step for all UAG virtual appliances of your VMware Horizon Infrastructure.

Upgrade Unified Access Gateway

Script to see Datastore Permission

Last day in the VMware Community I saw a request for:

“I have AD group like mydomain\mygroup.

This group have access for many datastores.

How i can use powercli to get full list of datastores which the group can manage?”

I made this PowerCLI script:

$cred = Get-Credential
Connect-ViServer <vcenter-FQDN>; -Credential $cred
$datastores = Get-Datastore | Select Name
$groupAD = "domain\group"
$report = @()
foreach ($datastore in $datastores) {
  $report +=  Get-VIPermission
| Where-Object {($_.Entity.Name -Like $datastore.Name) -and ($_.Principal -eq $groupAD)} |Select Principal,Role,@{n='Datastore';E={$datastore.Name}},@{n='Entity';E={$_.Entity.Name}},@{N='Entity Type';E={$_.EntityId.Split('-')[0]}},@{N='vCenter';E={$_.Uid.Split('@:')[1]}}
}
$report | Export-Csv <path\csvfile> -NoTypeInformation

Script to see Datastore Permission

Horizon and Skyline Collector

This is a little guide for connecting the VMware Horizon infrastructure to Skyline service.

The requirement is:

Prerequisites 
The following permissions are required for the account used to add the Horizon Connection Server to the Skyline Collector. These permission are sufficient tor both collecting 
product usage data, and transferring support bundles with Log Assist. 
Administrator (read-only) Role 
Collect Operation Logs

The Administrator (read-only) does not have the Collect Operation Logs Privilege and for this, I need to create a dedicated Role.

Add Role 
* Name 
CollectLogs 
Description 
C) 
C) 
C) 
C) 
Privilege 
Manage Access Groups 
Collect Operation Logs 
Manage Global Configuration and Policies 
Manage Farms and Desktop and Applications Pools 
x 
Description 
Add and remove access groups. 
Collect Operation Logs. 
View and change global policies and view configuration 
settings except for administrator roles and permissions. 
Add, modify, and delete farms Add, modify, delete, and 
entitle desktop and application pools. Add and remove 
Cancel 
OK

We created a service user svcskyline in our Active Directory and now assign it the correct role

Add Administrator Or Permission 
Add 
O 
Select administrators or groups 
C) 
Select a role 
C) 
Remove 
Name 
adx.loc\svcSkyline 
Domains 
adx_loc 
Email

Add Administrator Or Permission 
Select administrators or groups 
0 
Select a role 
O 
Select the access groups 
Role 
Administrators 
Administrators (Read only) 
Agent Registration Administrators 
Global Configuration and Policy Administrators 
Global Configuration and Policy Administrators (Rea 
d only) 
Help Desk Administrators 
Applies to an access group 
Yes 
Yes

Add Administrator Or Permission 
Select administrators or groups 
Select a role 
O 
Select the access groups 
C) 
Access Group 
Root(/)

Repeat for CollectLogs Role

Global Administrators View 
Administrators and Groups 
Role Privileges 
Role Permissions 
Access Groups 
Add user or Group 
Name 
• adx.loc\svcSkyline 
Remove User or Group 
Add Permission 
Role 
Remove Permission 
Administrators (Read only) 
CollectLogs 
Access Group 
Root(/) 
Root(/)

Now add to Skyline Collector the Horizon View

Login to Skyline Collector

https://<fqdnskylinecollector>/

(if you lost the password https://kb.vmware.com/s/article/52652)

vmware 
OVERVIEW 
COLLECTOR 
Skyline"' Collector 
System Status 
Configuration 
Collector Overview 
@ Your Collector is Running

Go to Configuration and select Product Horizon View

PRODUCTS 
vCenter Server 
NSX-V 
NSX-T 
Horizon View 
vRealize Operations 
VMware Cloud Foundation 
vRealize Suite Lifecycle Manager 
vRealize Automation

Select +ADD HORIZON VIEW

Horizon View 
Currenty configured Horizon View products: 
Host 
Status 
Actions 
Currently there are no Horizon View products configured 
Use the "'ADD HORIZON VIEW" button below to configure one. 
+ ADD HORIZON VIEW

Add Horizon View 
FODN/IP Address 
Account username 
Account Password 
ADD 
VCS 1 
vcskyline

Horizon View 
Currenty configured Horizon View products: 
Host 
VCS13 
+ ADD 
Status 
Endpoints Working 
Actions 
HORIZON VIEW

Now on Skyline Advisor Pro console (https://console.cloud.vmware.com/) we have 2 Horizon Connection Server

Inventory Summary 
Last Analysis: Mar 11, 2022 10:13 AM CET 
02 
10 
343 
02 
0 
VMware Cloud Foundation 
vCenter 
Hosts 
Virtual Machines 
vRealize Operations Manager 
Horizon Connection Servers 
NSX-T Object 
NSX-V Object 
vRealize Automation

We’ll attend 24 hours to see the information

Product 
Horizon 
Connection Servers 
v Cen ters 
Status 
O Unknown O 
Virtual Machines 
Initial product "Status" value may take up to 24 
hours to display correctly If this state persists for 
more than that and your Collector is not in state 
"Inactive", please open a support request.

And after 24 hours we have the first Active Findings

P.S. For the finding ID Horizon-Log4jremotecodeexe-VMSA#202128 I applied the Workaround and Skyline Advisor is unable to check this workaround.

Fonte

Horizon View (vmware.com)

Horizon and Skyline Collector

Quick Tip – How to deploy OVF/OVA to multiple…

Quick Tip – How to deploy OVF/OVA to multiple…

For automation purposes, customers use the handy OVFTool, which is a multi-platform command-line utility for uploading or exporting OVF/OVA images. During an upload, users would typically specify the –network argument which will assign the desired vSphere Network to the deployed VM and if […]


VMware Social Media Advocacy

Quick Tip – How to deploy OVF/OVA to multiple…

New VMware Community HCL

New VMware Community HCL

New VMware Community HCL

If you are not using or can not use the official VMware Hardware Compatibility List (HCL) to identify hardware systems and components that are officially supported with a given version of vSphere ESXi, then the experience in finding hardware can be quite daunting for both new and even existing users. Typically, users might start off […]


VMware Social Media Advocacy

New VMware Community HCL

Announcing VMware vRealize Network Insight…

Announcing VMware vRealize Network Insight…

We are excited that today customers now have VMware vRealize® Network Insight™ Universal available. This new solution will give customers the ability to deploy vRealize Network Insight as a SaaS or provide the customer an option to start on-premises then move to SaaS later when they are ready […]


VMware Social Media Advocacy

Announcing VMware vRealize Network Insight…

vSAN Skyline Health History

VMware with vSAN 7.0u2 introduced an interesting functionality on Skyline for reviewing the state of vSAN in the past time

The functionality is disabled by default, if I want to see the Health History I need to only check the correct option.

After enable it I can see all history

and I can select the red icon for to see what happened

On Jan 8, 12:08 we encountered a problem on a vSAN cluster HOST

It is possible to select the day to check the vSAN status, just select the correct date and time

vSAN Skyline Health History

Copy file to VCSA with SCP

Well, in recent weeks we have often talked about how to heal vCenters from the log4j vulnerability.
I guess the first thing we all thought was “What a show VMware support released scripts to run to solve the problem …” and then every one to use WinSCP or similar tools/commands to copy the file …. but many will have found it impossible to copy files using the Root user …. but how SSH works but the SCP command does not work!
Well, the problem comes from the shell associated with the Root user. It is not the classic BASH but the APPLIANCESH.
Then we proceed as follows:

  • Let’s connect in SSH to the vCenter Virtual Appliance
  • We access the Bash SHELL with the command SHELL
  • We enable BASH as the default shell for the root user
  • We run our SCP
  • We re-enable APPLIANCESH for the root user

Copy file to VCSA with SCP