Overview

Just released and made generally available on 10/26/2023 is Horizon Version 2309. This is the most current release of Horizon View from VMware. As a reminder this is a majority of the updates below. Look to the links below in the release notes section for full feature information and any additional updates should they happen from VMware.

Horizon Server and Instant Clones

• Session load distribution across CPA pods (load Index approach)
• Published Apps on Demand option to accept App Volumes Manager certificate thumbprint when adding to Horizon.
• Allow Edge Gateway to consume events from Horizon Connection Servers.
• Forensics – enable protection of held VMs from accidental deletion.
• Leverage sysprep workflow to create computer accounts and perform domain join.
• OpenSSL 3.0 upgrade for Connection Server

Client and Agent Release

• RDSH application launch limit
• Per-RX bandwidth reporting.
• Separate screen recording from screen capture blocking.
• Volume improvements.
• ARM Windows support for USB.
• OpenSSL 3.0 upgrade for all clients/agent/etc..

App Volumes

• vSphere 8: True Read-only Feature enablement per Center.
• AVM credential support for file shares.
• Published Apps on Demand option to accept AVM cert thumbprint in Horizon.
• App Volumes in AVD Remote Apps. About App Volumes Deployment on Azure
• App Volumes in Amazon AppStream  2.0. Workflow of App Volumes for Amazon AppStream 2.0

Dynamic Environment Manager

• Dynamic configuration of Horizon FIDO2 web authentication redirection for users.
• Dynamic configuration of Horizon storage drive redirection for users.
• Support for configuring non-policy locations in ADMX-based settings.

Unified Access Gateway

Release Notes

• Horizon Server
• Horizon Client for Android
• Horizon Client for Chrome
• Horizon Client for iOS
• Horizon Client for Linux
• Horizon Client for Mac
• Horizon Client for Windows
• Horizon HTML Access
• App Volumes
• Dynamic Environment Manager

Documentation

• Horizon Server
• Horizon Clients
• App Volumes
• Dynamic Environment Manager

Overview

Have you ever been curious about the process that takes place when you initiate an on-demand launch of an App Volumes application on a Windows Server RDS host? Specifically, let’s consider a scenario where you or your user connects and launches a published app on demand.

Steps

1. User clicks the published app on demand.

2. The App Package is presented to the RDS host via a mounted drive from Horizon View and App Volumes.

3. I am going to now logoff the user and see what happens. Keep in mind this is the only user logged into the machine so since that is the case no one else needs the app. It removes the applications that I was using.

4. As you can see the mounted drives are removed. This is a great feature that allows you to use the same images for multiple applications/use cases. Most times we create specialized farms to entertain certain uses causes which drives friction and complexity

Overview

Just released and made generally available on 07/06/2023 is Horizon Version 2306. This is the most current release of Horizon View from VMware. As a reminder this is a majority of the updates below. Look to the links below in the release notes section for full feature information and any additional updates should they happen from VMware.

This particular release has a ton of cool new enhancements around app volumes and our client agent release (CART). In particular for app volumes we have announced App Volumes Manager on Azure AVD with Azure File Shares (Solution Preview)and App Volumes for Amazon AppStream 2.0 Technical PreviewIn future posts I will be going over some these enhancements.

Horizon Server and Instant Clones

• Session load distribution across CPA pods (Session Count approach).
• Block connection to server if client doesn’t validate certificates.
• Allow admins to configure certificate mapping.
• Persistent disk support for Instant Clones.
• Provide fixed timer for discarding SSO credentials without disconnecting Desktops/Apps.

Client and Agent Release

• Horizon Recording support for LinuxVDI.
• Fido2 WebAuthN redirection Windows Client.
• DEEM: Mac client & .pkg installer
• Mac scanner forward vendor-specific options.

App Volumes

• AV Manager on Azure AVD with Azure File Shares (Solution Preview)
• vSphere 8: Package Attachment Resiliency
• Apps On Demand: URI launch
• App Volumes for Amazon AppStream 2.0 Technical Preview

Dynamic Environment Manager

• Support for periodically refreshing DEM configuration.
• Support for collecting telemetry data from DEM Management console
• Support for configuring Horizon. browser content redirection policy.

Unified Access Gateway

Release Notes

• Horizon Server
• Horizon Client for Android
• Horizon Client for Chrome
• Horizon Client for iOS
• Horizon Client for Linux
• Horizon Client for Mac
• Horizon Client for Windows
• Horizon HTML Access
• App Volumes
• Dynamic Environment Manager

Documentation

• Horizon Server
• Horizon Clients
• App Volumes
• Dynamic Environment Manager

Overview

It’s true that there is no shortage of monitoring choices out there. However, I am extremely excited about one of the newer options provided by VMware as an additional add-on, which is the Digital Employee Experience for VMware Horizon. The great thing about this option is that it utilizes the telemetry data already available from the Horizon Client and Horizon agent, without requiring any new additional installers. In contrast, some other solutions may require the installation of additional binaries, which can be challenging to ask our consumers/users to install, especially when they are unmanaged.

With our next-generation Horizon Control Plane, we have migrated our monitoring to the Workspace ONE Intelligence platform from our CMS (Cloud Monitoring Service). This opens up a whole new world of opportunities for observability and workflow automation using Workspace One Freestyle Orchestrator, notifications and other workflows can be generated from the captured telemetry events. Some of the integrations include Slack Web API, Workspace ONE UEM, Service Now and your own connectors for enterprise systems (REST API’s).

We all strive to create a great experience for our end consumers/users. Our goal is to build secure, performant, and resilient environments. (I’ve often heard from my customers that VDI is the most stable environment.) This monitoring option is an additional step to reinforce the experience we create because certain factors are beyond our control, such as the device they use, the last mile connectivity, and their location.  We track VM performance, network performance, and logon times. We utilize this telemetry to generate an overall organization experience score throughout the day. In this post I will go over briefly what dashboards there are and how to set up a notification on an event from Workspace One Freestyle Orchestrator.

Requirements

• Connect your Horizon deployment to Horizon Cloud using the our edge appliance and have Horizon Cloud manage the deployment.
• One of these licences
  • Horizon Universal subscription
  • Horizon Apps Universal subscription
  • Horizon Apps Standard subscription
• An additional purchase of the Workspace ONE Experience Analytics for Horizon add-on SKU. This will provide the DEEM  Digital Employee Experience for VMware Horizon dashboards.
• Horizon Next-gen tenants are automatically set up with intelligence when provisioned.

Below I will go over some of the dashboard views. In this first screenshot you can see this is your default display of utilization in your universal console. We can do much more inside of Workspace One.

DEEM – Digital Employee Experience Management

Now available as an additional add on is all of the employee experience metrics and scoring as depicted in the screenshot below.  

In here you can see more details on your packet loss score. Additionally you can add  columns if you want just like shown above to further investigate issues.

Creating Notifications for Horizon with Freestyle Orchestrator

In your workspace one console click Freestyle button and add workflow button to start your first  workflow.  

In these two screenshots below you can see the Intelligence data source and the Horizon data source. Intelligence data source has all of the data and telemetry around Digital Employee Experience Management and Horizon has the Horizon components that make up delivery of applications and desktops.

We will go through as an example setting up a workflow to notify an email address of an agent(s) in an errored state. Remember this could be email, slack, service now or your own method. Make sure you select Horizon>Agent Error. Once you have selected that you can chose to execute this workflow manually, schedule it or  automatically which is what I am going to do.

I am going to set my Error Status equals true that way if it is an errored state I will get an email.

Now we are going to add an additional step to send us the email. I am going to add a step in the workflow and select the send email and click add action.

Now before you enter in your email and test it you can view the potential impact of this workflow before you enable it to so how much it impacts you. If you are satisfied with the results just give a name enable it and click save.

Here is an example of some extra connectors you can add. If you are looking to setup additional workflow connectors in Workspace One go to Integrations tab > Workflow connectors > click the add button. 

Overview

Have you ever been curious about the process that takes place when you initiate an on-demand launch of an App Volumes application on a Windows desktop? Specifically, let’s consider a scenario where we have a Windows 10 Operating System with its default Windows Defender antivirus program. In the screenshot provided, we can observe the behavior of the real-time scanning feature of Windows Defender Antivirus.

To provide some context, the Windows Defender Antivirus program is designed to protect your system from potential threats by continuously monitoring files, programs, and activities on your computer. When you launch an App Volumes application on demand, Windows Defender Antivirus kicks in to scan the application and associated files in real time. Notice that their is a new drive mounted with that application. It is aware of that as well.

In the case of the screenshot I mentioned, the machine where the application was launched was connected to the internet. Windows Defender Antivirus, as part of its functionality, relies on internet connectivity to enhance its scanning capabilities. It utilizes the internet to download the latest virus definition updates, access cloud-based protection services, and analyze potential threats against known patterns and signatures.

Steps

1. Provision and entitle an application to be delivered to a user or computer on demand from the App Volumes Manager.
2. Start Process Monitor from Microsoft.
3. Observe results upon clicking on the shortcut in the Process Monitor software.

You can download the Process Monitor from Microsoft Here

Overview

If you have been thinking about leveraging different cloud providers from any one of VMware’s partners, it is important to note that some capabilities might become available at different times in each of the solutions. Also, I think it is important to remember that what I am talking about here is running vSphere in an IaaS model with one of these landing zones, and not native Azure as that would be our Horizon Cloud service on Azure.

What is interesting and makes things a bit easier for you is when you look at each landing zone’s KB, you can assume that any feature not listed in the table is supported. This makes things easier to consume. I have put the KBs together for you below

Feature Parity KB articles for each solution

• Horizon on VMware Cloud on AWS Support (58539)
• VMware Horizon on Azure VMware Solution (AVS) Support (80850)
• VMware Horizon on Google Cloud VMware Engine (GCVE) Support (81922)
• VMware Horizon on Oracle Cloud VMware Solution (OCVS) Support (88202)

Overview

This article is a continuation of my first part for published applications on demand for on-premise horizon. If you got brought to this article via search and need to start from the beginning please start here: Horizon 2212 New Feature App Volumes Apps on Demand Overview and Configuration

First we will go into the Horizon Connection server>Farms>Farm Next we will associate the farm with an App Volumes Manager with the farm. A farm can be associated with one App Volumes manager but a Manger can be associated with many Farms.

Below you can see the new association in the farm.

Next in the Horizon Connection server>Applications>Add>Add from App Volumes Manager 

After this is complete you will be able to launch your horizon client and consume the new published app delivered on demand!

Overview

Just released and made generally available on 03/30/2023 is Horizon Version 2303. This is the most current release of Horizon View from VMware. As a reminder this is a majority of the updates below. Look to the links below in the release notes section for full feature information and any additional updates should they happen from VMware.

Horizon Server and Instant Clones

• Instant Clone Sysprep customization now supports a adding vTPM device for clones.
• Improvement in snapshot management – Snapshot vmdk files of the parent image are now deleted from the datastore when the corresponding snapshots are deleted from the vCenter.
• Instant Clone troubleshooting – Admins can now see timestamp along with pool provisioning errors in the Horizon console.

Client and Agent Release

• Support AV1 Encoding on desktops with Intel ATS-M GPUs
• Windows Client Blast only Bad internet connection warning
• URL redirection rules based on IP address
• BlastCodec support for Mac ARM
• Suppress broker time out message
• Proxy authentication
• Screen shipping for media offload
• Individual Application sharing
• Browser content redirection for Linux client.
• iOS & Android client support for Horizon V2 Next-Gen.
• BlastCodec client performance improvement.
• Improved Blast connection failure diagnostic information.

App Volumes

• Agent Credentials for File Shares

Dynamic Environment Manager

• Support for searching DEM configuration.
• Support for running custom commands as SYSTEM Context.
• Support for FlexEngine command-line option to apply NoAD Settings on-demand.

Release Notes

• Horizon Server
• Horizon Client for Mac
• Horizon Client for Windows
• Horizon Client for Linux
• Horizon Client for iOS
• Horizon Client for Android
• Horizon Client for Chrome
• Horizon HTML Access
• App Volumes
• Dynamic Environment Manager

Documentation

• Horizon Server
• Horizon Clients
• App Volumes
• Dynamic Environment Manager

Overview

One of the latest enhancements in Horizon View 2212 released in January of 2023 is horizon apps on demand. Apps on Demand is a feature in Horizon View 2212 that seeks to address several challenges associated with managing applications in a remote desktop session host (RDSH) environment. One of the primary challenges is the friction involved in the app update process, which can be time-consuming and result in delays and inefficiencies. Apps on Demand solves this by centralized management of applications delivered to generic farm images. Isolation between app and operating systems is key here.

Requirements for Published Apps on Demand

• Horizon 2212 Connection Server
• Horizon Agent 2212
• App Volumes Manager 2212
• App volumes Agent 2212

Apps on Demand Visualized

In the illustrated image below, you can see that applications are delivered to the user in real-time on demand. The green outline represents a single gold or generic image. A new RDSH host could only be stood up when the host reaches a configured threshold capacity. Once again, the farm is not being built around the required applications.

Example of user launch of published application on demand

1. User selects the application from the Horizon Client.
2. The Horizon Connection server communicates with the App Volumes Manager to request the application be attached to an RDSH host.
3. Now the request for an attachment is sent to the vCenter.
4. The disk with the app is now attached to the RDSH host.
5. User is now connected to the application.

Configuration

In order configure app volumes apps on demand you must first add an appvolumes manager to Horizon administration console on the connection server. Once logged go to Settings>Servers>App Volumes Mnagers Tab> Add

After hitting the add button you will see a tooltip and if you click on that it will say “Before you add app volumes manager to horizon connection server, install a valid SSL certificate signed by a trusted CA. n a test environment, you can use the default, self -signed certificate that is added to the truststore” So, before adding your app volumes manager to the connection server,  it is recommended to have a valid certificate, so lets enroll with a trusted CA. However, if you want to use the self-signed certificate. Import the certificate into the trusted root store of the Horizon connection servers. Then restart the connection server service. You can find more information below on how to find that certificate and just import them into the trusted root certificate store of the connection server.

For this I am going to create a new certificate template on my certificate authority which happens to be a Microsoft certificate Authority. Navigate to Certsrv console> certificate templates>manage templates.

Next I will duplicate the web server template with the following settings.

Edit the Application Policies and add Client Authentication

Navigate back to certsrv and right click the certificate templates and click New Certificate template to issue and select the app volumes template previously created and click ok.

Now that you have the template you can create a new certificate from that template to use for App Volumes Manager. For this instance, I am going to log into the app volumes manager windows VM hosting the server and generate a certificate. I start by typing in the search menu cert then you should be able to find the certificate mmc snapin for the local server.

Enter in the following information under common name enter the server name or load balanced name if you have more than one server (LB example ws2022appvol00.lab.local or whatever you want it to be) I put in any of the additional servers FQDN’s below. Also make the private key exportable. Click Enroll.

Now that you have created a certificate you now have to export the certificate. Follow the wizard and select yes export private key option and select the following options in the screenshot below. You will then be directed in the wizard to enter a password (enter password) and to save it to a location.

Once the certificate is exported we can extract the private key from the PFX file and convert the private key to PEM format. Using the commands below with openssl. (this is something that is not part of an os and needs to installed)

openssl pkcs12 –in c:\%yourlocationofsavedfile%\view-appvol01.pfx –nocerts –out c:\ %yourlocationofsavedfile%\appvol.key

 

openssl rsa –in c:\ %yourlocationofsavedfile%\view-appvol01.key -outform PEM –out c:\ %yourlocationofsavedfile%\vappvolpem.key

 

openssl pkcs12 –in c:\ %yourlocationofsavedfile%\view-appvol01.pfx –clcerts –nokeys –out c:\ %yourlocationofsavedfile%\appvolpem.crt

After that is complete you should have the following files. We will now be able to take these files and copy them to the appropriate server.

Next you will need to stop your app volumes services and copy the appvolpem.crt and appvolpem.key files into the app volumes manger’s directory(default: C:\program files(x86)\Cloud Volumes\Manager\nginx\conf). After they are copied into the appropriate directory change the nginix.conf file (make a backup copy of this file somewhere. I copied the file to my desktop modified it and replaced it in the directory) once the config file is changed to your new certificate’s names and saved the file you can start the previously stopped services.

Now go to your horizon connection server and add in a service account ideally like lab\appvolsvc that has administrator privilege on vcenter.

And that is it! In my next article you will be able to associate app volumes with a farm.

Horizon 2212 New Feature App Volumes Apps on Demand Overview and Configuration Part Two

Overview

One of the latest enhancements in Horizon View Connection Server is the capability to manage certificates directly from the Horizon View administrative console. Furthermore, you can monitor the certificate status. With the necessary permissions within the administrative console, you can take advantage of this new feature. Lets take a look at where this feature is located and how to use it.

Importing and Generating a CSR

Once you logon to your connection server administrative console navigate to Settings>Certificate Management

As you can see I currently have a self signed certificate.

I’ve logged into the connection server as an Administrator but I do not have the ability to manage the certificates yet! Let’s fix that. Navigate to Settings>Administrators>Role Privileges> Add 

I’m going to add the required new role Manage Certificates and name it Certificate_Management Next click OK

Now we need to add this new role to the to whatever group you would like to manage the certificates.  Settings>Administrators and Groups> Add Permissions next select the newly created Certificate_Management role and lick Finish. After this is complete you are now able to generate a CSR and Import Certificates. (the buttons will now be available to click on)

In the example below this is a CSR request. If you plan to use this certificate with other Horizon Connection Servers please put their FQDN’s in the Subject Alternative Names section. 

If you plan to use the method of generating a CSR through the windows GUI. You can follow this VMware KB to generate certificates using the windows GUI. Generating a certificate template and generating/renewing certificate for Horizon connection server (80314)Once you complete the steps in the KB you can import the PFX file generated in the screenshot below.

It is important to note that after you import the certificate. You also have to remove the friendly name VDM of the old certificate on each server. Then make sure you modify your new certificate with the friendly name VDM and restart the VMware Horizon View Security Gateway Component. 

View Certificate security Configuration from the Horizon Administrative Console

Settings>Global Settings>Security Settings> View Security Configurations