Eric Monjoin
Staff Consulting Architect but also pilot, spending time in front of my computer or flying in the air...

Lets talk about End User Computing Because we worth it ...

Awaited feature now available on Horizon 2103… Join VM in untrusted Domains

One year ago I posted a feature request for one of my customer who require to deploy Instant Clone VM on many Active Directory domain without Trust Relationship within each other and with the domain used by the Horizon Connection Server, so what was my surprise when I received the Announcing General Availability of Horizon Enterprise 2103 and saw this feature is now available 🙂

New Release of Horizon Enterprise 2103 and Unified Access Gateway 2103

What’s New?

  • Horizon Server
    • Added support for “Global Access Group”
    • Added support for open source database — “PostgresSQL”
    • Added support for untrusted domain
    • Pegged unabated growth of event database
    • Ability to pre-assign computer names to instant clone desktops
    • Delivered View API parity REST APIs
  • Horizon Agents & Clients
    • Teams offload Mac client
    • USB redirection for HTML Access & Chrome client
    • Pen redirection iOS & Android
    • HEVC 444 Intel GPU Linux client
    • Bandwidth control for integrated printing
    • Serial port improvements, auto mapping, ID passing
    • Agent hot patch via MSP
    • Expose HCA, H.264/H.265 enablement and networking client settings to registry and GPO template
    • Drop 32-bit support Windows agent, Linux agent and client
  • App Volumes
    • Support for Windows 10 Enterprise multi-session on Horizon Cloud on Azure
    • App Volumes Command-Line Capture Program for working with App Volumes and MSIX formatted VMDK and VHD packages
    • Global option to allow the same packages to work across both VDI/RDSH regardless of the packaging OS used
  • Dynamic Environment Manager
    • Replication of the Script folder in SyncTool
    • Simplification of computer environment configuration
    • Support for late arrival of system environment variables in agent configuration for computer environment settings
    • Improvements in default printer logic to roam default printer settings for redirected printers

Horizon Cloud from Zero to Hero – Set your Azure AD subscription ready for Horizon Cloud

In order to deploy Horizon Cloud on Azure, you first need to perform many task on Azure side like creating Virtual Network and so on. This can be done from the Azure portal or you can also use PowerShell to accomplish all tasks…

Before, let me tell you that all the merit for the following script must go to my colleague Roch Norwa and you can find the initial version on his blog here : https://digitalworkspace.blog/2020/04/19/horizon-cloud-on-azure-introduction-and-deployment-automation-script/

I made some slight changes to Roch scripts :

  • Added registration of Microsoft.SQL to the management subnet
  • Use only one Virtual Networ instead of 2
  • Use 3 of subnets instead of 2 : Management, VDI (and RDS host) and UAG
  • Changed Register-AzureRmResourceProvider for Register-AzResourceProvider
Continue reading…

PowerCLI and VMware Horizon.. error BaseImageVM_List

PowerShell and more specifically VMware PowerCLI (who are the PowerShell commands to manage VMware Infrastructure with around 800 cmdlets) are incredible tools who extremely facilitate administrators day to day life…

Now sometime it happens, after an upgrade, that didn’t work any more as expected.

In order to manage Horizon deployment using PowerShell scripts, using PowerCLI is not enough and you need to add the VMware.HV.Helper modules who contains many commands and more especially the New-HVPool one in order to create Horizon pools.

Continue reading…

vCenter 7 – Depreciation of IWA…

Every Friday we have an informal meeting with peoples from VMware PS: Architect, Sr Consultant and Consultant but also TAM and Project manager as well and today we spoke about the depreciation of IWA with vCenter 7 and so the necessity to move to AD FS for upcoming release :

Deprecation of Integrated Windows Authentication

Integrated Windows Authentication (IWA) is deprecated in vSphere 7.0 and will be removed in a future release. For more information, see VMware Knowledge Base article 78506

So we started to have look about how to move from IWA to AD FS and for this I deployed a brand new vCenter 7 on my own labs as many questions arise : How other applications will deal with this change (I mainly thought to Horizon and App Volumes Manager) but also could we still connect using the local vsphere.local domain. Spoiler : Yes it works for both (external apps and using local account)

Now let see how to configure this 🙂

Continue reading…

Adding Static Route to WS1 Access

I had a request from Spanish colleagues about adding static routes to Workspace One Access (in their case it was because of database in a different network).

I first had a look on our internal channel on Slack and find a first way to do it … but with Identity Manager version 3.3. However, when I try to test it in my Home Lab using my on-premise WS1 Access 20.10 it was totally different. vIDM 3.3 is based on Suse Linux when WS1 Access 20.10 is based on Photon 3. After some exchange by mail with my colleagues, they sent me the procedure they used for their deployment… different for the first two !!!
Yes they deployed Workspace One Access 20.01…

Basically both method work with vIDM 3.3 and Workspace One v20.01 as both are running Suse Linux

Method 1 : for Identity Manager 3.3 and WS1 Access 20.01: (thanks to Mahmood Ramzan for this one)

First edit “routes” files in /etc/sysconfig/network

vi /etc/sysconfig/network/routes

Then add your route in this form : <net_range>/<mask> <gateway> <interface>

10.1.2.0/24 192.168.12.254 eth0

Then restart your network and confirm the route is persistent:

# /etc/init.d/network restart
# ip route list

Method 2 : for Identity Manager 3.3 and WS1 Access 20.01: (thanks to Javier Perez for this one) :

After connecting to WS1 using sshuser and sudo as root (or direct login as root), create the ifroute-eth0 file

# vim /etc/sysconfig/network/ifroute-eth0	

Add your route (same format as for vIDM 3.3)
and set permission on this file:

# chmod 644 /etc/sysconfig/network/ifroute-eth0

Restart your network as explained above.

Method for Workspace One Access 20.10 and upward :
Starting with Workspace One Access 20.10, appliance are based on Photon 3.0. So adding a file call route-eth0 in /etc/sysconfig/network-scripts make it works by running /etc/sysconfig/network-scripts/ifup-routes but it doesn’t works when booting the appliance.

To add static routes to Photon appliance you need to follow this procedure :

So once logged as root edit this file : /usr/local/horizon/scripts/networkwizard.hzn

# vi /usr/local/horizon/scripts/networkwizard.hzn

Find the section “function save_sysconfig_properties” around line 800 (803 to be precise)

Alter the file to set the routes by adding the following lines in green :

function save_sysconfig_properties() {
    if [ $ETHO_DEVICE_RESTORED -eq 0 ]; then
      # any DHCP
      local DHCP=no
      if [ "$SYSCONF_IPV4_IP0" = "DHCP" -a "${SYSCONF_IPV6_IP[0]}" = "DHCP" ]; then
          DHCP="yes"
      elif [ "$SYSCONF_IPV4_IP0" = "DHCP" ]; then
          DHCP="ipv4"
      elif [ "${SYSCONF_IPV6_IP[0]}" = "DHCP" ]; then
          DHCP="ipv6"
      fi
      echo save $ETH0_CONF
      echo -n > $ETH0_CONF
      echo "[Match]" >> $ETH0_CONF
      echo "Name=eth0" >> $ETH0_CONF
      echo "" >> $ETH0_CONF
      echo "[Network]" >> $ETH0_CONF
      echo "DHCP=$DHCP" >> $ETH0_CONF
      if [ -n "$SYSCONF_IPV4_IP0" -a "$SYSCONF_IPV4_IP0" != "DHCP" ]; then
          echo "Address=$SYSCONF_IPV4_IP0/`mask2cdr $SYSCONF_IPV4_NETMASK`" >> $ETH0_CONF
          echo "Gateway=$SYSCONF_IPV4_GATEWAY" >> $ETH0_CONF
          echo "DNS=$SYSCONF_NET_DNS" >> $ETH0_CONF
          echo "LinkLocalAddressing=no" >> $ETH0_CONF
          echo "IPv6AcceptRA=no" >> $ETH0_CONF
          echo "[Route]" >> $ETH0_CONF
          echo "Destination=10.0.0.0/24" >> $ETH0_CONF
          echo "Gateway=192.168.0.250" >> $ETH0_CONF
          echo "GatewayOnlink=true" >> $ETH0_CONF
      fi
      if [ -n "${SYSCONF_IPV6_IP[0]}" -a "${SYSCONF_IPV6_IP[0]}" != "DHCP" ]; then
          local ndx=0
          while true
          do
              local tmpip=${SYSCONF_IPV6_IP[$ndx]}
              local tmppfx=${SYSCONF_IPV6_PFX[$ndx]}
              if [ -z "$tmpip" ]; then
                  break
              fi
              echo "Address$ndx='$tmpip/$tmppfx'" >> $ETH0_CONF
              ndx=$(($ndx + 1))
          done
      fi
    fi
}

Reboot the appliance to ensure it works fine

AD FS as IdP for Workspace ONE Access and UAG

I’ll not talk about the configuration of AD FS itself but how to create the relying party for both Workspace ONE Access and UAG… spoiler: the configuration is not the same 🙂

So here the common part who consist to the creation of the Relying Party Trusts:

Open you AD FS Manager, select “Relying Party Truts” and with the select “Add Relying Party Trust…

Azure AD as IdP for Workspace One Access

This tuto will show you how to configure Azure AD as a 3rd party Identity Provider for Workspace One Access.

Note : In my case, the default Azure AD domain is alfadir.onmicrosoft.com but in order to match with my on-premise Active Directory I had to use not the email address or UPN but the “Alternate email”

So the first thing to do is to create a “New Application” in Azure, once logged on Azure Portal as Admin, select “Azure Active Directory“, then on the left pane, select “Enteprise applications” and click “New Application“:

Shibboleth as IdP for Workspace ONE Access

Recently I had to work on a project that imply Shibboleth as IdP (Identity Provider), so you will see below how to configure it in Workspace One Access as a 3rd party IdP.

One of the major issue with Shibboleth (in my case) is it only provides a samAccountName but not a UserPrincipalName (upn), so basically the User name without the domain name (eg. e.monjoin but not e.monjoin@mydomain.dom). It works in many situation excepted in a multi domain configuration where you can potentially have the same username in two different domain and you have a trust relationship between them (eg. e.monjoin@finance.domain.com and e.monjoin@technical.domain.com). In this case WS1 Access will not be able to choose a account you will see the following error :

Running VMware Unified Access Gateway on Hyper-V

Ok okkkkkk, I know that could be weird at first sight but I had a request from a customer to assist in the deployment of UAG 3.9 on Hyper-V in a “Dual DMZ” configuration.

The Back End UAG is deployed on vSphere but the the front-end should run on the DMZ hypervisors who are…. Windows 2019 Core / Hyper-V

So when we look at the files required to perform this installation we need to download 2 files :

  • Unifed Access Gateway (UAG) 3.9 PowerShell scripts to get all scripts to deploy the appliance
  • Unifed Access Gateway (UAG) 3.9 for Microsoft Azure to have .vhd file so Hyper-V disk format file.