Horizon 2312, new feature to simplify the Gold Image Linux Configuration

A penguin and microsoft active logo

Description automatically generated

Few people know that it is possible use Linux Distribution to create VDI desktop or Stream Application (Like RDS) to publish it with Horizon.

The desktop pool can to be Instant Clone or Full Clone.

In the last Horizon version (2312) there is a new functionality to configure the agent, the function have to objective to simplify the installation and also configure the OS ((Like the joined to Active Directory domain).

In the Horizon Agent for Linux package there is a new command file:

easyinstall_viewagent.sh

We can use this command for:

  • Configure Linux OS template
  • Install Horizon Agent

For complete all previous steps you can start this command (with root privileges)

./easyinstall_viewagent.sh

The command do:

Platform check

A black screen with white text

Description automatically generated

Now you need to insert information like DNS, Hostname, Domain and Account to join to domain

A screenshot of a computer

Description automatically generated

Now the script check and install missed packages (SSSD etc.…) and make the domain join

A screen shot of a black screen

Description automatically generated

After joined the template to AD domain the script start to install the horizon agent

A screenshot of a computer

Description automatically generated

A black screen with white text

Description automatically generated

Now the Linux GoldI mage is ready to use for create a Horizon instant clone desktop pool or used for Full Clone Desktop Pool.

It is possible to configure the OS and install Horizon Agent in two different steps

  • Configure OS
    • For configure user Linux OS use this command:

./easyinstall_viewagent.sh -c

  • Install Agent
    • After configure the OS we can install the Horizon agent with this command:

./easyinstall_viewagent.sh -i

With this command we can to use some switch value:

Default (Hostname, Domain FQDN, DOMAIN Join User, DOMAIN Join PASSWORD …)

Advanced (The same option of DEFAULT with NTP, HORIZON AGENT FEATURE and other)

Expert (The same option of Advanced with another function)

In this link more information

Use the Easy Setup Tool to Prepare a Linux Machine (vmware.com)

Horizon 2312, new feature to simplify the Gold Image Linux Configuration

VMware Horizon 2312

As usual, every 3 months VMware releases a new version of Horizon (and also of almost all EUC applications)
The following have been available for a few days:
Horizon 8 2312
App Volumes 4 2312
Dynamic Environment Manager 2312
ThinApp 2312

Among the various features released for Horizon 8, the most interesting one is Agent Auto Upgrade:

“The agent auto upgrade feature allows customers to automatically initiate upgrades without manual intervention. To utilize this feature, on-premises systems must have access to CDS servers. Customers without CDS access can establish their webserver, host the agent components, and then register the agent build with the connection server to upgrade agents in VDI/RDSH desktops. This feature requires Horizon Plus or Horizon Universal License, and is available for Full Clone Desktops and RDSH Servers only. To upgrade Horizon Agent in Instant Clone Desktop Pools or RDS Farms, upgrade Horizon Agent on the Golden Image and schedule maintenance to push the new image.”

VMware Horizon 2312

DRS and HPE SimpliVity

In recent days, a customer reported an anomaly on an HPE SimpliVity cluster hosting instant clone Horizon VDIs. In detail:

  • vSphere with seven hosts present, two were always at 98% CPU utilization and 90% RAM utilization.
  • Continuous vMotion generated by the VM DRS to and from those two HOSTS.

After a careful analysis, we identified that there were no problems at the vSphere infrastructure level.
The issue was due to a Simplivity feature called IWO.

By disabling IWO and keeping DRS active (Full automatic) I have an optimal balance of CPU and RAM load between hosts at the expense of a slight increase in I/O trip times

Scenario – Even VM Load Distribution

I want even VM load across my cluster in terms of CPU and memory. Data locality and I/O performance are not top priorities. Most applications are CPU and memory intensive, and adding 1ms to 2ms to I/O trip times will not impact application performance.

In this scenario, IWO can be disabled thus ensuring no DRS affinity rules are populated into vCenter server. Suppressing DRS affinity rules will allow VMware DRS or allow you to directly distribute VMs across the cluster as desired to ensure all VMs are adequately resourced in terms of CPU and memory. The ‘Data Access Not Optimized’ alarm can be suppressed within vCenter server.

More information:

https://community.hpe.com/t5/around-the-storage-block/how-vm-data-is-managed-within-an-hpe-simplivity-cluster-part-3/ba-p/7033153

DRS and HPE SimpliVity

Configure ControlUp for VMware Horizon Instant Clone VDI monitoring

In this guide, we will analyze how to configure ControlUP COP (ControlUP on-Premise) to monitor a VMware Horizon 2309 infrastructure with Instant Clone Desktop Pools (we will not cover the installation part of the product)

The following steps are required:

  • Control UP COP Server Component Installation (Optionally use an external SQL instance or SQL EXPRESS present in the Server component installation)
  • Installing the Control UP Console (Can also be installed on the same server)
  • Installing Agent Control Up on the GoldImage
  • Horizon Infrastructure Inventory
  • VirtualMachine Inventory (For this step we can also implement an automatism)

Requirements for the server part:


COP Server
COP Server Console Machine
Machine Windows Server Windows Server orWindows
Operating System Windows Server supported versions:2022,2019,2016 Windows Server supported versions:2022,2019,2016
OR Windows 11, 10
CPU* 2 CPUs 2 CPUs
Memory* 8 GB RAM 8 GB RAM
Disk Space* 10 GB 10 GB
Required Software & Permissions
  • .NET Framework 4.8 or later
  • PowerShell 5.x or later
.NET Framework 4.5 or later

Requirements for Part DB:

MSSQL Versions (Standard, Enterprise, or Express) Maximum Database Size Collation
2022,2019,2017,2016,2014 10 GB SQL_Latin1_General_CP1_CI_AS

Requirements for the VDI part:


ControlUp Agent
ControlUp Agent
Machine No server installation necessary. Deployed onto Windows machines that are monitored by ControlUp(Linux monitored via API).
Operating system Windows Server supported versions:
202220192016 (Core or Full)ORWindows 11, 10
Required installed software .NET 4.5 or later
TCP PORT 40705

A Service Account to access the Horizon infrastructure:

The Read-Only role is sufficient for all monitoring purposes. If you want to perform built-in Horizon actions, then the service account needs the following permissions:

  • Enable Farm and Desktop Pools
  • Manage Machine
  • Manage Sessions
  • Manage Global Sessions (Cloud Pod architecture only)

So what is needed is:

Download the version of ControlUP COP from the VMware site

Log in to the customer portal and in the product area under Desktop & End-User Computing

A screenshot of a computer

Description automatically generated

Log in to OEM Addons

A screenshot of a computer

Description automatically generated

Download the on-premise version

Perform the basic installation

Once the COP version is installed and the console is installed, log in to our ControlUP installation

A screenshot of a computer

Description automatically generated

How to install the agent on the GoldImage:

  1. The agent MSI file is on the downloaded file zip from VMware Portal
  2. Open the Real-Time Console and go to Agent Settings and copy your Agents Authentication Key. The key is used to connect the Agent to your ControlUp environment.

A screenshot of a computer

Description automatically generated

  1. Run the installation of the MSI package on the machine where you want to install the Agent.
  2. During the installation, paste the authentication key that you copied from the Real-Time Console.

A screenshot of a computer

Description automatically generated

  1. Complete the installation. The Agent is installed on the machine and the machine can be monitored from the Real-Time Console.
  2. Take the snapshot
  3. Deploy the new master image on Desktop Pool

Now from the ControlUp Management console, we are able to:

  • Connect our Vmware Horizon infrastructure
  • Connect the instant clone machine

Add Horizon infrastructure:

A screenshot of a computer

Description automatically generated

Add the infrastructure info

A screenshot of a computer

Description automatically generated

Click on OK

A screen shot of a computer

Description automatically generated

Add the pod to the console

A screenshot of a computer

Description automatically generated

Now on the left panel, we have our Horizon infrastructure added.

A screenshot of a computer

Description automatically generated

To monitor correctly our instant clone (after adding the agent) we need to discover the VM like a Machine

A screenshot of a computer

Description automatically generated

Search with the partial name of the VDI machines

A screenshot of a computer

Description automatically generated

Select cancel

A screenshot of a computer error message

Description automatically generated

We are VM on the left control panel in black status

A screenshot of a computer

Description automatically generated

After a few seconds the VDI VM Goes to Green

A screenshot of a computer

Description automatically generated

Auto connect state must be enabled (this function is important when the instant clone VDI is removed and recreated).

A screenshot of a computer

Description automatically generated

Now we can monitoring the Instant-Clone VDI

Check the VDI logon duration

Now we can manage and control the infrastructure, for example, to check the logon duration

A screenshot of a computer

Description automatically generated

A screenshot of a computer

Description automatically generated

What happens when VDI instant clones are regenerated?

If a user disconnects from his VDI of the instant clone type, it is destroyed and recreated, on the ControlUp side this is put in the Red -> Yellow state until it returns to Green

When recreating

A screenshot of a computer

Description automatically generated

After recess

A screenshot of a computer

Description automatically generated

Dynamic inventory

For a dynamic inventory of VDI, we can use Synchronization with Universal Sync Script (I’ll talk about this in a future post)

EUC Synchronization with Universal Sync Script (controlup.com)

After installation, we can schedule or start manually the script to sync my ControlUP with my EUC infrastructure.

References:

How to Deploy the Agent on Your Master Image for PVS/MCS/Linked/Instant Clones (controlup.com)

EUC Synchronization with Universal Sync Script (controlup.com)

ControlUp On-Premises

Configure ControlUp for VMware Horizon Instant Clone VDI monitoring

Steps for Upgrade Horizon 23xx to the next version

The release of new versions of VMware Horizon 8 each quarter of the year (to provide new features and resolve any security holes) entails the need to have a consolidated, conservative update procedure with the least impact on users.
Below I report the procedure that I am using successfully.

User impact:

  • Users already connected to the VDI do not encounter problems or disconnections
  • Users who need to connect during update activities may have problems (normally a maintenance window is declared)

Steps

  • Restarting the Connection Servers Operating System (One at a time is a step preparatory for committing any pending Windows updates), after each reboot check from the Horizon web console that everything is ok
  • Disable Provisioning
  • Shut down all three Connection Servers
  • Snapshot of the VMs hosting the Server connection
  • Turn on the Connection Server (One at a time), after each reboot check from the Horizon web console that everything is ok
  • Backup DB Adam (C:\Program Files\VMware\VMware View\Server\tools\bin\vdmexport.exe > vdmconfig.ldf)
  • Disable and Updating one Connection Server ( disabling the Connection Server being updated puts the connection server offline for the load balancer on the top of the connection servers and it is not used for authenticating users and assigning VDI) and after upgrade enable the Connection Server.
  • Repeat the previous step for all Connection Servers
  • If necessary, reapply the customizations
  • Check from the console that everything is ok

After the horizon upgrade, test the Desktop Pool:

  • Try a connection from internal
  • Try a connection from external
  • Delete a VDI machine
  • Publish a new Master Image

For upgrading three Connection servers all steps necessity of two hours
During the activities, the users connected to the VDI do not encounter any problems

The next step, after complete the Connection Servers upgrade, is to update the Horizon agent on the master image and delete the Connection Servers snapshot

Steps for Upgrade Horizon 23xx to the next version

Use Horizon VDI and VPN client

For us consultants, the VDI used in the Horizon environment can also be useful for having environments where we can install customers’ VPN clients.
Normally we find ourselves having, if the customer does not have Horizon infrastructure to give us access from the outside (Through UAG, MFA … all possible security), different VPN clients to support our customers, with the consequence of possible problems of compatibility between clients and degradation of your laptop.

In my case, I have a Horizon infrastructure in my Home Lab and I have created my own VDI where to install the clients’ VPN clients.
The only change to make, to prevent my Horizon session from ending when I activate a VPN connection, is to enter the following registry key
HKLM\Software\VMware, Inc.\VMware VDM\IpPrefix = n.n.n.n/m (REG_SZ)

where in n.n.n.n is the subnet and m is the number of bits in the subnet mask. Specifically, the network that must be used for the connection between the horizon agent and the various components (Horizon Client, Connection server, etc..)

es:

Use Horizon VDI and VPN client

Enable copy and paste between Guest Operating System and Remote Console

Copy and paste operations between the guest operating system and remote console are deactivated by default. 

To enable it:

  • Browse to the virtual machine in the vSphere Client inventory
  • Right-click the virtual machine and click Edit Settings.
  • Select Advanced Parameters.
  • Add or edit the following parameters.

    isolation.tools.copy.disable False
    isolation.tools.paste.disable False
    isolation.tools.setGUIOptions.enable True
    These options override any settings made in the guest operating system’s VMware Tools control panel.
  • Click OK.
  • (Optional) If you made changes to the configuration parameters, restart the virtual machine.

Enable copy and paste between Guest Operating System and Remote Console

Authenticator APP and Workspace One Access

It is very important to activate MFA (Multi-factor authentication) using applications such as Google Authenticator on corporate services exposed on the internet that require access using credentials.

If we talk about VMware Workspace One Access, a solution that allows us to publish applications and business services on the internet, it is mandatory to activate the MFA.

Since Workspace One Access version 22.09, you can use Authentication Applications such as Microsoft or Google.

Enabling MFA requires a few steps:

  • Enable the “Authenticator APP” authentication method on Workspace One Access
  • Ask the end user to install the APP on their phone or the company one (possibly we can use services that allow us to enrol automatically)
  • At the first access, the user will have to scan the QRcode that appears on the login page of Workspace One Access (in my case we try the access via WEB to workspace one access)

Enable the “Authenticator APP” authentication method on Workspace One Access

Access the Integration menu, select Authentication Methods, enable Authenticator App and select Configure.

Graphical user interface, text, application, email

Description automatically generated

We enable and possibly can change any classic account lock parameters etc …

Graphical user interface, text, application, email

Description automatically generated

At this point, we go to integrations, select identity provider and select our IDP related to the integration with AD

Graphical user interface, text, application, email

Description automatically generated

In the Authentication Methods menu select Authenticator APP

Graphical user interface, text, email

Description automatically generated

At this point, we just need to go and modify the policy used by our users by adding MFA for authentication

We go to the Resources, policies menu, select our policy and modify it

Graphical user interface, text, application, email

Description automatically generated

Graphical user interface, text, application, email

Description automatically generated

We select the rule of our interest (normally we select the one relating to access from public networks because we could reason that those who access from the company network have already done other methods of secure authentication …)

Graphical user interface, text, application, email

Description automatically generated

In the authentication methods used, we add the authenticator app

Graphical user interface, text

Description automatically generated with medium confidence

Graphical user interface, text, application, email

Description automatically generated

From now on, all users who log in to workspace one access and run with the rule we have modified we have the following user experience at the first login:

User experience at login

Go to WorkSpace One Access public URL.

If prompted, they will have to select the domain.

Graphical user interface, application

Description automatically generated

Then they will have to enter username and password

Graphical user interface, application

Description automatically generated

Finally, they will have a QRcode that they will have to use to configure their Authenticator APP (Microsoft or Google). So, in the selected phone app they will have to add an account by reading the QRCODE

Qr code

Description automatically generated

We access our smartphone and launch the authentication application that we will use (in my case I launch Google Authenticator)

Icon

Description automatically generated

We add the new account

Graphical user interface, text, application

Description automatically generated

We select the option to scan a QRCODE and scan it

Enter the passcode generated after scanning the QRCODE in the space provided under the QRcode code on the page WEB

Qr code

Description automatically generated

We will now have an account named WSA (Woekspace One:WSA) linked to our authenticator app

Graphical user interface, text, application

Description automatically generated

From the next login after entering your username and password you will be asked for the access code generated by the user application

Authenticator APP and Workspace One Access

vSphere DRS functionality was impacted due to an unhealthy state vSphere Cluster Service

If you see such an error on the Cluster object of a vSAN (in my case it appeared on two vSAN clusters managed by the same vCenter)

vSphere DRS functionality was impacted due to an unhealthy state vSphere Cluster Service …….

an unhealthy state of the Service cluster

Graphical user interface, text, application, email

Description automatically generated

Errors such as the following in the EAM log. vCenter LOG

EAM.log:

2023-01-26T13:16:39.996Z |  INFO | vim-monitor | VcListener.java | 131 | Retrying in 10 sec.
2023-01-26T13:16:41.432Z | ERROR | vlsi | DispatcherImpl.java | 468 | Internal server error during dispatch
com.vmware.vim.binding.eam.fault.EamServiceNotInitialized: EAM is still loading from database. Please try again later.
        at com.vmware.eam.vmomi.EAMInitRequestFilter.handleBody(EAMInitRequestFilter.java:57) ~[eam-server.jar:?]
        at com.vmware.vim.vmomi.server.impl.DispatcherImpl$SingleRequestDispatcher.handleBody(DispatcherImpl.java:373) [vlsi-server.jar:?]
        at com.vmware.vim.vmomi.server.impl.DispatcherImpl$SingleRequestDispatcher.dispatch(DispatcherImpl.java:290) [vlsi-server.jar:?]
        at com.vmware.vim.vmomi.server.impl.DispatcherImpl.dispatch(DispatcherImpl.java:246) [vlsi-server.jar:?]
        at com.vmware.vim.vmomi.server.http.impl.CorrelationDispatcherTask.run(CorrelationDispatcherTask.java:58) [vlsi-server.jar:?]
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [?:1.8.0_345]
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [?:1.8.0_345]
        at java.lang.Thread.run(Thread.java:750) [?:1.8.0_345]
2023-01-26T13:16:50.007Z |  INFO | vim-monitor | ExtensionSessionRenewer.java | 190 | [Retry:Login:com.vmware.vim.eam:b55a7f93b59f0f7e] Re-login to vCenter because method: currentTime of managed object: null::ServiceInstance:ServiceInstance failed due to expired client session: null
2023-01-26T13:16:50.007Z |  INFO | vim-monitor | OpId.java | 37 | [vim:loginExtensionByCertificate:913aec585658e328] created from [Retry:Login:com.vmware.vim.eam:b55a7f93b59f0f7e]
2023-01-26T13:16:51.440Z | ERROR | vlsi | DispatcherImpl.java | 468 | Internal server error during dispatch
com.vmware.vim.binding.eam.fault.EamServiceNotInitialized: EAM is still loading from database. Please try again later.


And you see the lack of vCLS VMs in the two vSANs

To resolve the anomaly you must proceed as follows:

  • vCenter Snapshots and Backup
  • Log in to the vCenter Server Appliance using SSH.
  • Run this command to enable access the Bash shell:

shell.set --enabled true

  • Type shell and press Enter.
  • Run this command to retrieve the vpxd-extension solution user certificate and key:

mkdir /certificate

/usr/lib/vmware-vmafd/bin/vecs-cli entry getcert --store vpxd-extension --alias vpxd-extension --output /certificate/vpxd-extension.crt

/usr/lib/vmware-vmafd/bin/vecs-cli entry getkey --store vpxd-extension --alias vpxd-extension --output /certificate/vpxd-extension.key

  • Run this command to update the extension’s certificate with vCenter Server.

python /usr/lib/vmware-vpx/scripts/updateExtensionCertInVC.py -e com.vmware.vim.eam -c /certificate/vpxd-extension.crt -k /certificate/vpxd-extension.key -s localhost -u "Administrator@domain.local"

Note: If this produces the error “Hostname mismatch, certificate is not valid for ‘localhost'”, change ‘localhost’ to the FQDN or IP of the vCenter. The process is checking this value against the SAN entries of the certificate.

Note: The default user and domain is Administrator@vsphere.local. If this was changed during configuration, change the domain to match your environment. When prompted, type in the Administrator@domain.local password.

  • Restart EAM and start the rest of the services with these commands:

service-control --stop vmware-eam

service-control --start --all

vSphere DRS functionality was impacted due to an unhealthy state vSphere Cluster Service