Eric Monjoin
Staff Consulting Architect but also a pilot, spending time in front of my computer or flying in the air...

Let's talk about End User Computing, because we're worth it...

Omnissa Unified Access Gateway 2412

What’s new :

Unified Access Gateway 2412 provides the following new features and enhancements:

  • Transition Update
    • The transition from Broadcom to Omnissa is now complete. The Unified Access Gateway Admin user interface, configuration strings, and file paths have been updated to reflect the new Omnissa brand.
    • As HTML Access is renamed to Web Client, the related keys and Admin UI settings on Unified Access Gateway are also renamed.
  • Operating System Update
    • Following the transition from Broadcom to Omnissa, the Unified Access Gateway now uses the AlmaLinux operating system. AlmaLinux is an open-source, community-driven Linux operating system. Unified Access Gateway 2412 uses AlmaLinux 9.2.
    • AlmaLinux 9.2 remains compatible with ESXi (vSphere/vCenter).
  • Users can now configure Unified Access Gateway to perform OpenID Connect (OIDC) authentication. See OpenID Connect (OIDC).
  • Administrators can now configure Gateway Specification that will allow only the required services for that specification type to run on the appliance. See Gateway Specification in Deploying to vSphere using the OVF Template Wizard.
  • Security Improvements
    • Added protection against user impersonation attacks, ensuring that a desktop launch session is sent from the same client endpoint where it was generated, when Unified Access Gateway is used with SAML authentication in Service Provider initiated mode.
    • Added protection against SAML assertion replay attacks, ensuring that a SAML assertion issued by an Identity Provider can be used only once in its lifetime.
    • For Smart card, RADIUS and RSA SecurID authentication, Unified Access Gateway issues a SAML assertion (containing the end-user attributes) to Horizon Connection Server. Added support for encrypting this assertion.
    • The default signature algorithm for SAML authentication requests changed from SHA-1 to SHA-256.
    • On FIPS version of Unified Access Gateway, Extended Master Secret extension is mandatory for TLS 1.2 connections.
    • Updates to TLS Ciphers. See System configuration.
  • Added compatibility with Horizon Connection Server’s support for handling encrypted SAML assertion, issued by Identity Providers. See Encrypted assertion between Unified Access Gateway and auth methods.
  • On the Upload Identity Provider Metadata section of the Admin UI, you can now view all the uploaded certificates present in the Identity Provider metadata.
  • Logging improvements.
  • Updates to OS package versions and Java component versions.
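As an added illustration (my own example code, not UAG's implementation and not taken from the release notes), here is what the two SAML protections above look like when written out as checks in an assertion consumer: a replay cache keyed on the assertion ID and bounded by NotOnOrAfter, and an InResponseTo lookup that binds an SP-initiated response to the client session that started it, with SHA-1 signature algorithms refused on the way in. The hostnames, IDs and the SAML Response itself are constructed for the example; real code would verify the XML signature before any of this runs.

```python
# Added example, not UAG's code: assertion-level checks on a constructed SAML
# Response -- one use per assertion lifetime, SP-initiated login bound to the
# client session that issued the AuthnRequest, SHA-1 signature algorithms refused.
# Signature verification is assumed to have run before consume(); hostnames,
# request/assertion IDs and the XML below are placeholders.
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
WEAK_SIG_ALGS = {"http://www.w3.org/2000/09/xmldsig#rsa-sha1",
                 "http://www.w3.org/2000/09/xmldsig#dsa-sha1"}

def _ts(value):                      # SAML timestamps: UTC ISO 8601 with a trailing Z
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def _require(cond, reason):
    if not cond:
        raise ValueError(reason)

class AssertionConsumer:
    """Per-SP state: outstanding AuthnRequests (ID -> client session that issued
    them) and a replay cache of consumed assertion IDs, each kept only until its
    NotOnOrAfter so the cache stays bounded."""
    def __init__(self, sp_entity_id, acs_url):
        self.sp_entity_id, self.acs_url = sp_entity_id, acs_url
        self._pending, self._seen = {}, {}

    def start_login(self, request_id, client_session):
        self._pending[request_id] = client_session

    def consume(self, xml_text, client_session, now):
        self._seen = {i: exp for i, exp in self._seen.items() if exp > now}   # drop expired IDs
        root = ET.fromstring(xml_text)
        _require(root.tag == f"{{{NS['samlp']}}}Response", "not a samlp:Response")
        _require(root.get("Destination") == self.acs_url, "Destination mismatch")
        code = root.find("samlp:Status/samlp:StatusCode", NS)
        _require(code is not None and code.get("Value") == SUCCESS, "IdP reported failure")
        for sm in root.iterfind(".//ds:SignatureMethod", NS):
            _require(sm.get("Algorithm") not in WEAK_SIG_ALGS, "SHA-1 signature refused")
        a = root.find("saml:Assertion", NS)
        _require(a is not None, "no assertion in response")
        _require(a.get("ID") not in self._seen, "assertion replayed")   # one use per lifetime
        cond = a.find("saml:Conditions", NS)
        not_before, not_after = _ts(cond.get("NotBefore")), _ts(cond.get("NotOnOrAfter"))
        _require(not_before <= now < not_after, "assertion outside validity window")
        aud = cond.find("saml:AudienceRestriction/saml:Audience", NS)
        _require(aud is not None and aud.text == self.sp_entity_id, "audience mismatch")
        scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
        _require(scd is not None and scd.get("Recipient") == self.acs_url, "Recipient mismatch")
        _require(now < _ts(scd.get("NotOnOrAfter")), "bearer confirmation expired")
        # SP-initiated: the response must answer a request we issued, and the endpoint
        # presenting it must be the one that started that request (impersonation check)
        irt = scd.get("InResponseTo") or root.get("InResponseTo")
        _require(irt in self._pending, "unsolicited response or unknown InResponseTo")
        _require(self._pending[irt] == client_session, "presented from a different client session")
        del self._pending[irt]
        self._seen[a.get("ID")] = not_after
        return a.find("saml:Subject/saml:NameID", NS).text

# Constructed sample: an ADFS-style response to request _req1 for a UAG SP.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0"
  InResponseTo="_req1" Destination="https://uag.example.com/portal/samlsso"
  IssueInstant="2025-01-10T10:00:00Z">
  <saml:Issuer>http://adfs.example.com/adfs/services/trust</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2025-01-10T10:00:00Z">
    <saml:Issuer>http://adfs.example.com/adfs/services/trust</saml:Issuer>
    <saml:Subject><saml:NameID>jdoe@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData InResponseTo="_req1" NotOnOrAfter="2025-01-10T10:05:00Z"
          Recipient="https://uag.example.com/portal/samlsso"/>
      </saml:SubjectConfirmation></saml:Subject>
    <saml:Conditions NotBefore="2025-01-10T09:59:00Z" NotOnOrAfter="2025-01-10T10:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://uag.example.com/portal</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
# The same IdP answering a second request (_req2) with a fresh assertion (_a2).
SECOND_RESPONSE = SAMPLE_RESPONSE.replace("_req1", "_req2").replace('ID="_a1"', 'ID="_a2"')

def demo():
    now = datetime(2025, 1, 10, 10, 0, 30, tzinfo=timezone.utc)
    sp = AssertionConsumer("https://uag.example.com/portal", "https://uag.example.com/portal/samlsso")
    sp.start_login("_req1", "sess-A")   # browser session A started the SP-initiated login
    sp.start_login("_req2", "sess-B")
    out = {"first_use": sp.consume(SAMPLE_RESPONSE, "sess-A", now)}
    cases = {"replay": (SAMPLE_RESPONSE, "sess-A", now),                    # same assertion again
             "other_session": (SECOND_RESPONSE, "sess-C", now),             # taken to another endpoint
             "expired": (SECOND_RESPONSE, "sess-B", now + timedelta(minutes=10))}
    for label, (xml, session, when) in cases.items():
        try:
            sp.consume(xml, session, when)
            out[label] = "accepted"
        except ValueError as err:
            out[label] = str(err)
    return out

if __name__ == "__main__":
    print(demo())
```

The replay cache is keyed on the assertion ID rather than the Response ID because the assertion is what an attacker would lift and present again; bounding it by NotOnOrAfter means the cache only has to remember IDs that are still inside their validity window, which is also the reason the Conditions check still matters even with the cache in place.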

Omnissa Horizon 2412

Omnissa Horizon 2412 is finally GA 🙂

Most of the rebranding is done; the only thing that will still change in a future release is the ADAM domains: vdi.vmware.int and vdiglobal.vmware.int

What’s New

Horizon Server

  • Rebranding to Omnissa.
  • Administrators can now configure a custom port for the admin console, moving away from the default port 443.
  • Administrators can use Horizon Console or Horizon REST API to move published applications between farms.
  • Configure reconnection behavior for published applications launched in nested mode.
  • Horizon Connection Server enhances pool management performance by ensuring tasks no longer get stuck and allowing VDIs in maintenance status to resync properly.
  • Introduced a new LDAP setting (pae-ic-SysprepDomainJoinEnabled) for customers with multi-site and multi-domain environments, to leverage Microsoft Sysprep guest customization for the domain join and avoid instant clone customization errors.
  • Horizon 2412 now includes the “Required Encryption Assertion” option for SAML Authenticators. The UI has been updated to feature a checkbox in the Add/Edit SAML Authenticator flows.
  • vCloud Director Support – Limited Availability.
  • Horizon 8 on Amazon WorkSpaces Core now supports FIPS (Federal Information Processing Standard) 140-2 compliant algorithms.
  • Monitor Connection Server health and utilization for cloud-connected pods/edges in Workspace ONE Intelligence reports and dashboards.
  • Use the Amazon WorkSpaces Windows Server 2019 or 2022 Public BYOP Bundle with Horizon 8.
  • Administrators can now specify the idle timeout to automatically suspend a machine when configuring a dedicated Power Optimized pool.
  • A Horizon 8 pod residing outside of Amazon can now be configured to use Amazon WorkSpaces Core for desktop compute.
  • Horizon 8 on WorkSpaces Core administrators are now able to update the Bundle in use by a Power Optimized pool through the Horizon console.
  • Following the divestiture of Omnissa from Broadcom, this release introduces a new license module for term and perpetual licenses. To activate Horizon 8 2412 with a term or perpetual license, customers must install the new Omnissa Horizon license key, which can be obtained from the Customer Connect portal.
  • Horizon will now persist the Frame Rate Limiter parameter (pciPassthru0.cfg.frl_config) from snapshot to the instant clones. Administrators can increase this value for graphics intensive applications.
  • Horizon 2412 now enhances the Horizon Lifecycle Management APIs by implementing additional pre-checks for installation and upgrade of Horizon Connection Servers.
  • Support for Dual IDP Metadata in Horizon Connection Server.
  • Beginning with this release, the 15-day grace period for subscription licenses has been discontinued. You must reactivate your subscription license every 90 days to use the full capabilities of Horizon 8.
  • Horizon 8 on WorkSpaces Core now supports Manual Farms, Multi-session Hosts, and Published Desktops and Applications with Windows Server 2019 and 2022.
  • Administrators can now monitor the local and global schema master (FSMO) availability for Connection Servers before attempting upgrades, and ensure that upgrade tasks no longer get stuck or failed due to schema master unavailability.
  • Horizon Connection Server now supports dual IDP metadata files, enabling seamless updates and uninterrupted authentication.

Horizon Agent

  • Rebranding to Omnissa.
  • Configure the reconnection behavior for published applications launched in nested mode. For more information, see Omnissa Knowledge Base (KB) article 80509.
  • Administrators can use Horizon Console or Horizon REST API to move published applications between farms.
  • Administrators now have an option to terminate active sessions while performing restart and shutdown operations on virtual machines.
  • Horizon Agent is supported on Windows 11 2024 Update (also known as Windows 11, version 24H2).
  • Starting with this release, user domain information is now collected and sent to Omnissa Intelligence when you have enabled the Horizon Agent Monitoring Service (hzMonService) to monitor Horizon Agent on Windows desktops and your deployment is integrated with Horizon Cloud Service – next-gen.
  • Starting with this release, additional metrics for the Horizon Blast protocol are sent to Omnissa Intelligence when you have enabled the Horizon Agent Monitoring Service (hzMonService) to monitor Horizon Agent on Windows desktops and your deployment is integrated with Horizon Cloud Service – next-gen.
  • This release adds support for SUSE 15 SP6, Debian 11.11, and Debian 12.7.
  • This release drops support for SUSE 15 SP4 and Debian 10.13.
  • With improved startup performance, Linux desktops take less time to start up and become available.
  • Screen sharing support for Chrome and Edge in Browser Content Redirection.
  • Browser Content Redirection From Linux Desktops.
  • Hide the Horizon Chrome Client After Launch.
  • Individual Application Sharing on Linux Endpoints.

Horizon Server, Agent

  • Release Note Link

https://docs.omnissa.com/bundle/horizon8-rnV2412/page/Horizon8-ReleaseNotes.html

  • Documentation Link

https://docs.omnissa.com/category/Horizon_8

  • Download Link

https://customerconnect.omnissa.com/downloads/info/slug/desktop_end_user_computing/omnissa_horizon/2412

Home Lab Upgrade

Recently I did a full home lab upgrade, replacing my old Dell R820, Dell R720 and Intel NUCs with a bunch of servers that give me much more capacity and performance than before.

Thanks to eBay, which was my main supplier. Here is the new configuration:

vSphere 8 – vSAN cluster composed of :
– 4 x Dell R630 (E5-2667 v4 @ 3.20GHz and 192GB RAM each)
– 4 x 480GB SAS SSD for Cache
– 8 x 1TB SATA SSD for Data

vSphere 8 – Single server :
– 1x T420 (E5-2440 @ 2.40GHz and 164GB RAM) – 5x 900GB SAS HDD (RAID-5) + 5x 480GB SAS SSD (3PAR SSD converted to run on a PERC H710P)

1x Nutanix CE 2.1 :
– 1x R620 (E5-2630Lv2 @ 2.40GHz and 192GB RAM)
– 1x 73GB SAS HDD for Hypervisor
– 2x 480GB SAS SSD for CVM
– 4x 900GB 15K SAS HDD for data

1x Switch Arista DCS-7050TX-72Q 48x 10GBase-T
Used as my Core Switch

1x Switch Cisco 2960G
Used as a specific LAN connected to my secondary Internet router

1x NAS Synology DS1511+DX510-2
– 5x 1TB HDD SATA – RAID 5
– 3x 1TB HDD SATA – Synology Hybrid RAID
– 2x 1TB SSD SATA – RAID 0

Omnissa Dynamic Environment Manager 2412 is GA

What’s New?

  • Omnissa Dynamic Environment Manager. As part of our transition to Omnissa, Dynamic Environment Manager (DEM) has been refreshed. You will notice visual updates across all DEM suite components, including the Management Console, SyncTool, Application Profiler, Helpdesk Support Tool, and product installers.
  • Version History. Configuration versioning and restore is a robust feature that provides flexibility and control over your configuration files. It simplifies the recovery process from unintended changes, providing a reliable method to track and manage updates to your configurations. See Version History.
  • Help. To make Help easier to find, the DEM Management Console and Application Profiler now have an Admin Guide link. Clicking the Admin Guide button takes you to the product's administration manual.
  • Horizon Smart Policy. To align with the Horizon Agent changes, two Horizon Smart Policy settings regarding the Blast protocol are amended: the supported "Max frame rate" is increased to 120 fps, and the policy list no longer includes the Switch Encoder.
  • Run-once flag files enhancement. A new configuration setting that allows you to control the creation of fallback ‘.flag’ files, providing flexibility and customization to your workflows. By default, the system maintains the existing behavior, ensuring compatibility with current setups and preventing disruption for the installed base. However, with this new setting, you can quickly turn off the creation of fallback files when they are not needed, reducing clutter and aligning with your operational requirements.
  • Latest Operating System Support. Dynamic Environment Manager now supports Windows 11 24H2 and Windows Server 2025.
  • Updated Components. This release updates all the components, including the main component, Application Profiler, Helpdesk Support Tool, and SyncTool.

App Volumes Apps On Demand – Certificate Issue

Horizon Suite 2212 has been GA since last week and of course I have already upgraded my whole lab to this new release.

I was particularly interested in Apps on Demand, which lets you manage App Volumes applications on RDS directly, with all entitlements done within the Horizon Console.

The principle consists of adding the App Volumes server in Horizon and then assigning it to an "Automated" farm.

Now, when you add your App Volumes server into Horizon, you will certainly need to import the App Volumes certificate into the "Trusted Root Certification Authorities" store and then restart the Horizon services on all your Connection Servers.

Even after doing that, you can encounter the following issue with an enterprise-signed certificate:

I had this issue in my lab, so to get it solved I had to generate a new certificate for my App Volumes server using a new template.

This is how to do it ….

Continue reading…

Horizon Cloud Connector 2.3.0 – Connection Server Monitoring Service – Failed

Sometimes the Connection Server Monitoring Service appears as failed (although it worked before) and we see a lot of restart attempts.

There are many reasons for this to happen (proxy errors, etc.), but I personally try this workaround first, and it has worked every time:

1 – SSH to the Horizon Cloud Connector as ccadmin, then run su - to log in as root
2 – Go to /opt/container-data/data/csms/store/keep
3 – Make a copy of csms-config.json as csms-config.json.bak
4 – Edit csms-config.json

# su -
# cd /opt/container-data/data/csms/store/keep
# cp csms-config.json csms-config.json.bak
# vi csms-config.json

5 – set "cmsTenantConfig" to null and "lifeCycle" to "PAIR", so the file looks like this:

{
  "baseConfig" : {
    "version" : "1",
    "csmsIdentity" : "038eeb6a-159c-4ee5-89d0-xxxxxxxxxxxx",
    "salt" : "df3e8624-2478-4d6f-bd94-xxxxxxxxxxxxx",
    "keyLength" : 128
  },
  "cmsTenantConfig" : null,
  "applianceConfig" : {
    "podType" : "VIEW",
    "podCapacityType" : "GENERAL",
    "podId" : "4cfd1101-1f73-4691-aa39-xxxxxxxxxxxx",
    "podName" : "Cluster-HZN-01",
    "podLocationJson" : "{\"p\":[43.29695,5.38107],\"id\":\"b32f5cf4-7413-4877-92c4-xxxxxxxxxxxxx\",\"n\":\"Marseille, France\"}"
  },
  "lifeCycleConfig" : {
    "lifeCycle" : "PAIR",
    "lastUpdateTimestamp" : 1668683604710
  }
}

6 – restart csms :


# kubectl get pod -n cms-system
NAME                   READY   STATUS    RESTARTS   AGE
csms-79df9554f-jcprn   1/1     Running   0          27m
# kubectl delete pods -n cms-system csms-79df9554f-jcprn

After a few minutes, it should be green again… if not open a ticket 🙂
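Here is the same edit done as a small Python script instead of vi (my own added example, not Omnissa tooling): it keeps the .bak copy from step 3, only touches cmsTenantConfig and lifeCycle, leaves every other key (including lastUpdateTimestamp) untouched, and writes the new file atomically so a half-written csms-config.json never lands in keep/. The path is the one from the steps above; the JSON used by the self-test is a constructed sample modelled on the output shown earlier.

```python
# Added example, not Omnissa code: automate steps 3-5 (backup, cmsTenantConfig
# -> null, lifeCycle -> "PAIR") with an atomic write.  Run as root on the
# appliance; CSMS_CONFIG is the path from the post, SAMPLE is constructed.
import json
import os
import shutil
import sys
import tempfile

CSMS_CONFIG = "/opt/container-data/data/csms/store/keep/csms-config.json"

def reset_pairing(cfg):
    """Return a deep copy of cfg with the tenant binding cleared and the
    lifecycle forced back to PAIR; every other key is preserved unchanged."""
    new = json.loads(json.dumps(cfg))
    new["cmsTenantConfig"] = None                               # serialises as JSON null
    new.setdefault("lifeCycleConfig", {})["lifeCycle"] = "PAIR"
    return new

def fix_file(path=CSMS_CONFIG):
    """Apply reset_pairing() to the file in place.  Returns True if the file was
    changed, False if it was already in the PAIR state (then no backup is made)."""
    with open(path) as f:
        cfg = json.load(f)
    fixed = reset_pairing(cfg)
    if fixed == cfg:
        return False
    shutil.copy2(path, path + ".bak")                           # step 3: keep a copy
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path), prefix=".csms-config.")
    with os.fdopen(fd, "w") as f:
        json.dump(fixed, f, indent=2)
        f.write("\n")
    shutil.copymode(path, tmp)                                  # keep the original mode bits
    os.replace(tmp, path)                                       # atomic swap: never half-written
    return True

# Constructed sample modelled on the post's output.  "PAIRED" and the content of
# cmsTenantConfig are stand-ins; the real values depend on the appliance.
SAMPLE = {
    "baseConfig": {"version": "1", "csmsIdentity": "placeholder-uuid",
                   "salt": "placeholder-salt", "keyLength": 128},
    "cmsTenantConfig": {"tenant": "placeholder"},
    "applianceConfig": {"podType": "VIEW", "podCapacityType": "GENERAL",
                        "podId": "placeholder-pod-uuid", "podName": "Cluster-HZN-01"},
    "lifeCycleConfig": {"lifeCycle": "PAIRED", "lastUpdateTimestamp": 1668683604710},
}

def selftest():
    """Run fix_file() twice against SAMPLE in a scratch directory and report the outcome."""
    d = tempfile.mkdtemp()
    path = os.path.join(d, "csms-config.json")
    with open(path, "w") as f:
        json.dump(SAMPLE, f)
    first, second = fix_file(path), fix_file(path)              # second run must be a no-op
    with open(path) as f:
        after = json.load(f)
    with open(path + ".bak") as f:
        backup = json.load(f)
    shutil.rmtree(d)
    return {"changed": first, "idempotent": not second, "after": after, "backup": backup}

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else CSMS_CONFIG
    print("changed" if fix_file(target) else "already in PAIR state")
```

Running it a second time is a no-op, so it is safe to leave in a runbook; the kubectl delete of the csms pod from step 6 is still needed afterwards for the change to be picked up.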

PowerShell : Automatically Expand Writable Volumes

One of my customers raised an issue about managing writable volumes, as they are mainly used by developers who cannot restrain themselves from filling the disk with tons of data and never clean up 🙂

The problem, of course, is that the writable volume grows until there is no free space left, and the user is not aware of it because the "ReportSystemFreeSpace" registry key only works with App Volumes 2.x, not App Volumes 4.x.

The following script can be used manually or integrated with Task Scheduler, but it requires App Volumes Server 2206 (4.7) to handle the "requested_mb" parameter. You can use it with a previous version, but then you will not know whether a request to expand the disk was already initiated.

Disclaimer: the script itself is not supported by me or VMware, so use it at your own risk; however, it uses the official VMware API for App Volumes. Thanks to Chris Halstead, as his initial script helped me a lot (https://github.com/chrisdhalstead/appvolumes-expand-wv).

Continue reading…

ADFS with VMware Unified Access Gateway (UAG)

This article talks about the configuration of ADFS with VMware Unified Access Gateway without the use of Workspace ONE Access.

There are two use cases for configuring ADFS with Unified Access Gateway:

  1. Use Case #1: ADFS as MFA, so users first authenticate using ADFS, and then authenticate with their standard credentials to get the list of available resources (desktops or apps)
  2. Use Case #2: ADFS as the single authentication method, so users authenticate once with ADFS and then connect to VDI VMs or published apps without entering any other credentials. This use case of course requires VMware True SSO to work

The initial configuration is the same for both; to keep it short, here are the steps required:

  1. Change Expiration Period for Service Provider Metadata
    1. https://my-virt.alfadir.net/index.php/2022/01/12/change-the-expiration-period-for-service-provider-metadata-on-connection-server/
  2. Deploy UAG
    1. Configure the Edge Service and specify a Connection Server FQDN (not the load balancer)
    2. Check connection is working
  3. Connect to <federation fqdn> and save the FederationMetadata.xml file
  4. Import FederationMetadata.xml in UAG (Upload Identity Provider Metadata)
  5. Configure UAG for SAML or SAML and Passthrough auth methods
  6. Specify Identity Provider
  7. Download the SAML Service Provider .xml file
  8. Configure ADFS
    1. Add a new Relying Party Trust
    2. Specify UAG SP .xml file as source
    3. Configure Claim Issuance Policy
  9. Connect to UAG as “client”
    1. Auth using ADFS
    2. Auth using AD credential
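Before importing FederationMetadata.xml (step 3) or handing the UAG SP metadata (step 7) to ADFS, it is worth checking what is actually inside it. The following is an added example of mine, not an Omnissa or ADFS tool: it returns the entityID, the validUntil that step 1 is about (flagged when it expires within 30 days), a SHA-256 fingerprint of every signing/encryption certificate the metadata carries, and the SSO/ACS endpoints, using only the Python standard library. The sample metadata and its "certificate" bytes are constructed placeholders.

```python
# Added example, not an Omnissa/ADFS tool: summarise a SAML metadata file
# (IdP FederationMetadata.xml or the UAG SP metadata) before importing it.
# Stdlib only.  SAMPLE_IDP_METADATA and FAKE_CERT_B64 are constructed.
import base64
import hashlib
import sys
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

MD = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
ROLES = ("IDPSSODescriptor", "SPSSODescriptor")
ENDPOINTS = ("SingleSignOnService", "AssertionConsumerService", "SingleLogoutService")

def _local(tag):                     # strip the {namespace} part of an ElementTree tag
    return tag.rsplit("}", 1)[-1]

def fingerprint_b64(b64_der):
    """SHA-256 fingerprint of an X509Certificate element body (base64 DER, whitespace-tolerant)."""
    return hashlib.sha256(base64.b64decode("".join(b64_der.split()))).hexdigest()

def summarize_metadata(xml_text, now, warn_days=30):
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD['md']}}}EntityDescriptor":
        raise ValueError("expected a single md:EntityDescriptor")
    info = {"entity_id": root.get("entityID"), "valid_until": root.get("validUntil"),
            "expires_soon": None, "roles": {}}
    if info["valid_until"]:
        until = datetime.fromisoformat(info["valid_until"].replace("Z", "+00:00"))
        info["expires_soon"] = (until - now).days < warn_days   # also True if already expired
    for role in root:
        name = _local(role.tag)
        if name not in ROLES:
            continue   # ADFS also publishes WS-Fed RoleDescriptors; UAG only needs SAML roles
        certs = []
        for kd in role.findall("md:KeyDescriptor", MD):
            use = kd.get("use", "signing+encryption")           # no 'use' attribute means both
            for c in kd.findall(".//ds:X509Certificate", MD):
                certs.append((use, fingerprint_b64(c.text)))
        endpoints = [(_local(e.tag), e.get("Binding", "").rsplit(":", 1)[-1], e.get("Location"))
                     for e in role if _local(e.tag) in ENDPOINTS]
        info["roles"][name] = {"certs": certs, "endpoints": endpoints,
                               "want_signed_requests": role.get("WantAuthnRequestsSigned")}
    return info

FAKE_CERT_B64 = base64.b64encode(b"constructed placeholder, not a real DER certificate").decode()
SAMPLE_IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="http://adfs.example.com/adfs/services/trust" validUntil="2025-02-01T00:00:00Z">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{FAKE_CERT_B64}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{FAKE_CERT_B64}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://adfs.example.com/adfs/ls/"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://adfs.example.com/adfs/ls/"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def demo():
    """Summarise the constructed sample as seen on 2025-01-10 (22 days before validUntil)."""
    return summarize_metadata(SAMPLE_IDP_METADATA, now=datetime(2025, 1, 10, tzinfo=timezone.utc))

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as f:
            print(summarize_metadata(f.read(), now=datetime.now(timezone.utc)))
    else:
        print(demo())
```

Comparing the signing fingerprint here with what the Admin UI shows after the upload is a quick way to confirm the right metadata file went in, and the expires_soon flag is the reason step 1 (changing the SP metadata expiration period) exists: an expired validUntil is rejected by the other side at the worst possible moment.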

Now if we want to go further and implement ADFS with True SSO:

  1. Generate SAML IdP Settings
    1. Import a signed cert or use the generated one
    2. Copy the content of Download IDP Settings
  2. Configure Horizon Connection Server for SAML auth with UAG and ADFS
    1. Connect to the admin console of Horizon Connection Server
    2. Add a SAML Authenticator for UAG
      1. Mode Static
      2. Paste the content of UAG Download IDP Settings
      3. Change the EntityId if required
    3. Add a SAML Authenticator for ADFS
      1. Mode Static
      2. Paste the content of FederationMetadata.xml
  3. Enable True SSO for UAG and ADFS
    1. Using vdmUtil, enable both authenticators
  4. Check the True SSO connection
    1. Connect to UAG as a client
    2. Once authenticated to ADFS, the list of available resources appears, and you can log in without any other credentials

That said, let's see with some nice pictures how we do that:

Continue reading…

Get Horizon Cloud Managed desktop and apps on WS1 Access

Here is a recent behaviour I encountered at a customer and in my own labs:

Normally, and that was the case a few months ago, when you entitled VMs or apps (whether on Azure or on-premises, as long as they were "Cloud Managed"), they were automatically available on the configured WS1 tenant, especially if you asked to create one from the Horizon Universal Console rather than attaching an existing one.

It looks like there was a recent change and some prerequisites are now required (mentioned in the documentation, but to be honest the documentation is a little abstruse). So, if entitlements are no longer synchronized, or you don't see any entitlement in WS1, you need to check two things:

1 – Ensure you gather the appropriate user attributes for WS1:

In Identity & Access Management \ Setup \ User Attributes, make sure you have the following three attributes (none of them is present by default):

  • objectGUID
  • sid
  • netBios

2 – Ensure you have mapped these attributes to the right Active Directory attributes

In Identity & Access Management \ Manage \ Directories, edit the Sync parameters of your AD directory, go to Mapped Attributes, and make sure they are mapped like this:

Workspace ONE Access Attribute    Active Directory Attribute
userPrincipalName                 userPrincipalName
objectGuid                        objectGUID
sid                               objectSid
netBios                           msDS-PrincipalName

Once done, just synchronize your directory and it works.