Upload
vothu
View
288
Download
2
Embed Size (px)
Citation preview
Jack McMichael Sr Systems Engineer VMware
Barak Nissim Sr EUC Practice Systems Engineer VMware
ADV1592BE
VMworld ADV1592BE
Troubleshooting Your Horizon 7 Deployment
VMworld 2017 Content Not fo
r publication or distri
bution
bull This presentation may contain product features that are currently under development
bull This overview of new technology represents no commitment from VMware to deliver these features in any generally available product
bull Features are subject to change and must not be included in contracts purchase orders or sales agreements of any kind
bull Technical feasibility and market demand will affect final delivery
bull Pricing and packaging for any new technologies or features discussed or presented have not been determined
Disclaimer
2ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Top 6 Global Support Tickets
SSL Certificates CAs
PersonaUEM
App Volumes
Parent VM issues
PCoIPBlast Extreme Black Screens
Log Analysis
3ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
1 Support Ticket to GSSCertificates
4
VMworld 2017 Content Not fo
r publication or distri
bution
Configuring Certificates for Horizon
bull Read the updated certificates guide httpbitly2uMhcRA
bull Replace self-signed certs on CS SS UAG Composer and vCenter
ndash Internal communications
bull Use SVIconfig for Composer server
bull Use Certificate Automation Tool for vCenter (vSphere 55)
bull Rename the self-signed generated certificate
5
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Troubleshooting Certificates for Horizon
6
bull Key issues when creating certs from 3rd parties or CA
ndash Make sure compatibility level is Windows 2003
ndash Make sure key is exportable
bull Key issues when using your own Microsoft CA
ndash Make sure the Subject name is your DNS name
ndash Set DNS SubjectAltNames for DNS name including IP and localhost
bull Common symptoms of certificate issues
ndash Services fail to start after certificate replacement
ndash Default 404 page after certificate replacement
bull Most referenced KB articles for successful troubleshooting
ndash httpskbvmwarecomkb2032400
ndash httpskbvmwarecomkb2068666
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Setting Subject Names and SANs
7
with Microsoft Certificate Templates
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Configuring Certificates for Unified Access Gateway
8
bull Replace the default self-signed certificate
bull Certificates that you import into the Unified Access Gateway appliance must be trusted by client machines
bull Must also be applicable to all instances of Unified Access Gateway and any load balancer
ndash Use either wildcards or Subject Alternative Name (SAN) certificates
bull Detailed instructions httpbitly2gN17VE
UnifiedAccess
Gateway
Unified Access Gateway
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Unified Access Gateway Certificate Deployment
9
Simplifying and Troubleshooting
bull Automate UAG deployment including trusted certificate
ndash Use OVF Tool or PowerShell
ndash Production-ready deployment in ~1 minute
ndash No longer requires PEM-formatted certificates
bull UAG 30 and above accepts PKCS12 (p12 or pfx) formatted certificates
ndash Guide to scripted deployment httpscommunitiesvmwarecomdocsDOC-30835
bull Includes sample INI and PS1 files
bull Includes troubleshooting examples
Unified Access Gateway
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Certificates with App Volumes ManagerReplace Self-Signed Cert with a CA-Signed Cert Trusted by the App Volumes Agent
Options to Enable SSL
bull Replace self-signed certificate on App Volumes Manager server with a cert trusted by App Volumes Agent VMs
bull User guide httpbitly2vlzgxX
bull Step-by-step blog with video httpbitly2ung7yE
Recommended for SSL
bull Use SSL for SQL Server Communication
bull Accept a CA-signed certificate from vCenter
App Volumes
ABV1592BE CONFIDENTIAL 10
VMworld 2017 Content Not fo
r publication or distri
bution
App Volumes Certificates
bull Certificate validation between App Volumes Manager and vCenter
bull Certificate validation for App Volumes Agent
ndash POC versus Production implementation
bull Secure communications between App Volumes and Microsoft SQL server
bull Applying certificates in load balanced configurations
11
Additional Considerations
App Volumes
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Avoiding Certificate IssuesBe Consistent with App Volumes Manager Name
ABV1592BE CONFIDENTIAL 12
VMworld 2017 Content Not fo
r publication or distri
bution
VMware Horizon Log Locations
Core
Infrastructure
Active
Directory
vCenter
Server
vRealize
Operations
Manager for
Horizon
Database
(SQL)
vSphere
vSAN
SaaS Mobile
Apps
Applications
(App Volumes)
VMware
Identity
Manager
User
Workspace
User
Environment
IT
Settings
User
Profile
End-Point Clients
VMware Horizon
RDS
Desktops amp Apps
Virtual Desktop Pools
Unified
Access
Gateway
Connection
Server
View
Composer
Logs can be collected fromhellip
Use KB1017939 for log locations and KB1025887 to change log levels
ABV1592BE CONFIDENTIAL 13
VMworld 2017 Content Not fo
r publication or distri
bution
VMware Unified Access Gateway (UAG) Logs
14
Log Files
bull Default log level is INFO
bull Adjust log level for debugging information
ndash Details of log levels and collecting log files httpbitly2ufqdAY
Monitoring
bull Monitor UAG services from the Admin UI
Unified Access Gateway
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
App Volumes Logs
15
rdquoDJrdquo indicates
Manager
background
job
ldquoRrdquo indicates
dynamic Ruby
job
Log files are
now created
daily
bull Use Notepad++ to quickly group log entries by task
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
User Environment Manager Logs
bull Configure debug logging for individual user
ndash httpskbvmwarecomkb2113514
Global and Individual Debug Logs
User Environment Manager
ABV1592BE CONFIDENTIAL 16
VMworld 2017 Content Not fo
r publication or distri
bution
Application Personalization amp DirectFlex
User Session
Profile Data Store (File Share)
Base
Profile
UEM
LogonImport of Keyboard
Mouse Wallpaper
Windows Settings
Application
LaunchImport of application
settings
Application
ShutdownExport of application
settings
UEM
LogoffExport of Keyboard
Mouse Wallpaper
Windows Settings
Time
User Environment Manager
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
DirectFlex Logging
18
User Environment Manager
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
DirectFlex Import
19
Directflex Import
User Environment Manager
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
DirectFlex Export
20
Directflex Export
User Environment Manager
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Tracking Sessions
bull Use TailGrep Utilities or Trace32 (SCCM Toolkit)
21
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Demo ndash Log Monitoring with BareTailBareGrep
22
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
HorizonCommon Issues
VMworld 2017 Content Not fo
r publication or distri
bution
Troubleshooting Keys
bull Check Admin Dashboard or HelpDesk Tool
bull Understand client connection paths
bull Set the appropriate Logging Level
bull Check Logs and understand DCT Tool
bull Use kbvmwarecom or communities
24
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon Helpdesk Tool
25
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon Helpdesk Tool Session Details
26
Access
bull Installed by default on CS
bull https[CS FQDN]helpdesk
bull Launch from Horizon Console
Provides
bull Metrics
bull Send Message
bull Remote Assistance
bull Quick Resolution
bull Restart
bull Logoff
bull Reset
bull Disconnect
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon Helpdesk Tool
27
Measuring Impact of AppStacks
No AppStacks
Three AppStacks ndash VLC Notepad++ 7-Zip
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Pool
Profile
Service AppsUser
Remoting
ProtocolUser Environment
Manager
File SharesPersona
ThinApp SharesStreamed
Apps
Master VMInstant
Clone
Home File SharesFolder
Redirection
App Volumes
AppStacks
Writable Volume
Disk
Attachments
vSphere
Virtual SAN
Instant Clone
SaaS Mobile Other Apps
Client(s)
Identity Manager
HTML
APPS
En
viro
nm
en
t
AD
DNS
DHCP
Group
Policy
Certs
vRealize Operations for Horizon ndash (Monitoring amp Mgt)
Identifying the Problem Domain
ABV1592BE CONFIDENTIAL 28
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon Connectivity Issues
bull Common challenges
ndash Horizon Client canrsquot connect
ndash Logon failure
ndash Black screen
ndash Poor quality display
ndash Randomly disconnected session
ABV1592BE CONFIDENTIAL 29
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
30
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Blast Extreme Adaptive TransportADMX Template Settings
Computer gt Policies gt Admin Templates gt VMware Blast gt UDP Protocol
bull Requires restart of Blast service or reboot of guest OS to take effect
BlastExtreme
ABV1592BE CONFIDENTIAL 31
VMworld 2017 Content Not fo
r publication or distri
bution
Blast Extreme Adaptive Transport
Client Settings Agent Settings (UDP) Blast Desktop Connection Broker Connection
Excellent Not configured or Enabled TCP TCP
Typical Not configured or Enabled UDP TCP
Poor Not configured or Enabled UDP UDP
Computer gt Policies gt Admin Templates gt VMware Blast gt UDP Protocol ndash Not Configured or Enabled
HKLMSOFTWAREPoliciesVMware IncVMware BlastConfig ndash UdpEnabled = 1
Client Settings Agent Settings (UDP) Blast Desktop Connection Broker Connection
Excellent Disabled TCP TCP
Typical Disabled TCP TCP
Poor Disabled TCP UDP
Computer gt Policies gt Admin Templates gt VMware Blast gt UDP Protocol ndash Disabled
HKLMSOFTWAREPoliciesVMware IncVMware BlastConfig ndash UdpEnabled = 0
BlastExtreme
ABV1592BE CONFIDENTIAL 32
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon Connectivity Issues
bull Where to look
ndash Connection Broker logs
bull CProgramDataVMwareVDMlogs
ndash Event Database
ndash DCT Tool
bull What to look for ndash
bull (Client connects) [SimpleAJPService] (ajpbrokerRequest9) Request from 19216821 POST brokerxml
bull (Broker authentication) [WinAuthFilter] (SESSION7072--a79c mattc) Attempting to authenticate user mattc in domain FUTUREOFFICErsquo
bull (User has authenticated to Broker) [AuthorizationFilter] (SESSION7072--a79c) User FUTUREOFFICEmattc has successfully authenticated to VDM
bull (Audit Entry) [Audit] (SESSION7072--a79c) BROKER_LOGONUSERFUTUREOFFICEmattcUSERSIDS-1-5-21-326850759-2560684469-1780228732-1113USERDNCN=S-1-5-21-326850759-2560684469-1780228732-1113CN=ForeignSecurityPrincipalsDC=vdiDC=vmwareDC=int
bull Event Database BROKER_USERLOGGEDIN
ABV1592BE CONFIDENTIAL 33
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
User Experience Issues
bull Black screen of deathmdashinstead of desktop
ndash PCoIP port blocked (TCP and UDP 4172) or SVGA Driver issue
ndash pcoip_serverclient logs - CUsersAll UsersVMwareVDMlogs
bull Error attaching to SVGADevTap error 4000 EscapeFailed
bull MGMT_SCHAN scnet_client_open tera_sock_connect returned error 10060 - Connection timed out
ndash Incorrect PCoIP External URL configured for SecurityConnection Servers
ABV1592BE CONFIDENTIAL 34
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
User Experience Issues
bull Poor quality display
ndash Bandwidth latency or QoS
ndash Pcoip_server logs report
bull VGMAC Stat frms Loss=045021 (RT)
bull MGMT_PCOIP_DATA BW Decrease (loss) old = 2349982 new = 1768438
bull Randomly disconnected session
ndash 15 min after established - wssm process hasnt started on desktop
ndash View Agent logs (ltDriveLettergtProgramDataVMwareVDMlogs)
ndash PENDING_EXPIRED
ndash Sometimes caused by daisy-chaining the GINA (WinXP)
ABV1592BE CONFIDENTIAL 35
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Multi-VLAN support for Instant Clone pools
36
Tips to Avoid Deployment Issues
Support
bull vSphere 2016
bull ESXi 60 U1 or newer
bull Virtual Distributed Switch only
ndash No support for Standard Switch
bull Port Group must be configured for Static Port Binding amp Fixed Port Allocation
ndash No support for Dynamic or Ephemeral
Tested Limits
bull No multi-VLAN provisioning with IPv6
bull Single IC pool of 2K VMs
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Multi-VLAN with Horizon Instant Clones
37
Troubleshooting
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Performance
bull Common Issues
ndash Storage IO bottleneck
ndash Memory contention
ndash CPU contention
ndash Network issues
bull Where to look
ndash vCenter Server
ndash VCOPs
ndash ESXTOP
ndash 3rd Party Tools
ABV1592BE CONFIDENTIAL 38
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
The 3 Pillars of Performance
What to look for
bull CPU
ndash ClusterHost utilization lt 90
ndash VM utilization - USED (ESXTOP)
ndash VM RDY Time (ESXTOP) lt 10
bull Memory
ndash Host utilization lt 85
ndash VM utilization
ndash Swapping Ballooning SWCUR gt 1 MCTLSZ gt 1 (ESXTOP)
bull Storage
ndash Disk Read Latency lt 25ms
ndash ESXTOP DAVG or KAVG lt 25ms (ESXTOP)
ABV1592BE CONFIDENTIAL 39
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Optimize Your Images
bull httpslabsvmwarecomflingsvmware-os-optimization-tool
ABV1592BE CONFIDENTIAL 40
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
User Environment ManagerCommon Issues
41
VMworld 2017 Content Not fo
r publication or distri
bution
FlexEngine Appears Not To Run
FlexEngine Client
bull Requires use of Regeditexeor Regexe to modify user-based registry keys
bull Must not be disabled via Local or Group Policy
ADMX Settings
bull Minimum settings to enable FlexEngine Client
bull Check path
ABV1592BE CONFIDENTIAL 42
VMworld 2017 Content Not fo
r publication or distri
bution
Path-Based Import Runs Slow
43
bull Be careful not to run FlexEngine as a logon script and a Group Policy client-side extension
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Application Incompatibility with Hook Drivers
44
User Environment Manager
DirectFlex Blacklist
bull Create ltFlexRepositorygtDirectFlexBlackListXML
bull Populate as follows
ltxml version=10 encoding=utf-8gt
ltuserEnvironmentSettingsgt
ltsetting type=blacklist list=rdquo1exe|2exe|3exe gt
ltuserEnvironmentSettingsgt
bull Example httpskbvmwarecomkb2145287
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
App VolumesCommon Issues
45
VMworld 2017 Content Not fo
r publication or distri
bution
Slow User Logon
46
bull Check Logon Segments in Horizon to determine where the delay is
bull Optimize clockyml
ndash If performance decreases as deployment scales
ndash Increasing servers workers and thread_poolrequires additional CPU and RAM
ndash Involve GSS to ensure optimal settings
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
AppStack Not Attaching at Logon
47
bull One host in vSphere cluster does not have access to the shared datastore where the AppStack resides
ndash Common oversight especially with Storage Groups
bull Conflicting Minifilter driver
ndash DLP software
ndash Be aware of app altitude
ndash More info from Microsoft
bull httpbitly2tSCdG5
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
ADSI Edit ndash Static Configuration Editing
50
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
ADSI Edit ndash Common Key Values to Inspect
bull pae-DisplayName
ndash VM name as displayed in View Admin
bull pae-DirtyForNewSessions
ndash Indicates whether the VM is ldquoDirtyrdquo and can be re-used in a non-persistent pool
bull pae-SVIVMSnapshot
ndash Indicates the current Snapshot that is in use
bull pae-VmPath
ndash Indicates the full Path to the VM in vCenter
bull pae-VmState
ndash Indicates the current state of the Desktop ndash some states are a combination of this valueand other values
51
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
ADSI Edit ndash Searching for a Desktop
bull Find VMs with a Snapshot
ndash (amp(objectClass=pae-VM)(pae-SVIVmSnapshot=BaselineSnapshot1Snapshot2))
bull Find VMs with a Name
ndash (amp(objectClass=pae-VM)(pae-DisplayName=Desktop-234))
ABV1592BE CONFIDENTIAL 52
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon View Event Notifier
bull On the VMware Fling site - labsvmwarecomflings (chrishalstead)
ABV1592BE CONFIDENTIAL 53
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
What to look forhellip (walk through successful connection)
bull Client requests desktop
ndash Event Database BROKER_DESKTOP_REQUEST
bull Broker allocates session to user
ndash [FarmImp] (SESSION7072--a79c) cn=3f974017-409f-4912-83bc-2ee794f22fabou=serversdc=vdidc=vmwaredc=int total session count 0
ndash [FarmImp] (SESSION7072--a79c) allocateNewSession - identified server for application CN=GOLD-NPOU=ApplicationsDC=vdiDC=vmwareDC=int
ndash Event Database BROKER_MACHINE_ALLOCATED
bull Broker attempts SSO
ndash [FarmImp] (SESSION7072--a79c) Using domain for SSO FUTUREOFFICE
ndash User wonrsquot be logged on to the VM without this
ABV1592BE CONFIDENTIAL 54
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
What to look forhellip Pool Provisioning
bull Desktops not available due to provisioning error
ndash Check View Administrator for Pool status check datastore capacity
ndash Check Event Database - BROKER_PROVISIONING_ERROR_
ndash Check View Composer has network access to ESX hosts
bull Desktop not available due to customization
ndash Check Desktop status ndash AGENT UNAVAILABLE
ndash Check View Dashboard
bull Desktop Status gt Preparing Desktops OR Problem Desktops
ndash Check Desktop connectivity to DNSADConnection Server
ABV1592BE CONFIDENTIAL 55
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
bull Desktop not available due to VM resetcrash
ndash Check Desktop status ndash ALREADY USED
ndash Typical on refresh-on-logoff or delete-on-use desktops
ndash Broker never received an explicit logout message from the agent
ndash Missing AGENT_ENDED event in DB for VM
bull View Composer Issues associated with incorrect domain credentials
bull CProgramDataVMwareView ComposerLogs
bull FATAL CSvmGaService - [svmGaServicecpp 116] Domain join failed Error 5 (0x5) Access is denied
ABV1592BE CONFIDENTIAL 56
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
What to look forhellip
bull Broker starts session on VM
ndash [DesktopSessionImp] (SESSION7072--a79c) startSession ndashsending StartSession message
bull Agent respondshellip
ndash DesktopManager got a StartSession messagerdquo
ndash Client Info should be in Agent Log along with PCoIP launch
bull Event Database AGENT_PENDING
bull Client connects to VM (Agent)
ndash ldquoPCoIPCnxOnConnectionComplete Begin (PCOIP)rdquo
ndash ldquoWTS_SESSION_LOGONrdquo
ndash Event Database AGENT_CONNECTED
ABV1592BE CONFIDENTIAL 57
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Source Not Available
58
Common Issues
bull No Desktop Available
bull Pool provisioning issues ndashcustomization
bull Agent not communicatingwith broker
bull Stuck at desktop loginscreen (SSO)
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Source Not Available
59
Where to look
bull Event Database
bull Connection Server logs
What to look for
[SessionLaunchContext] (SESSION40a7__6cbd) VMWEUCbsimpson Desktop=vmworld Session request failed
(SESSION40a7__6cbd) [VMWEUCbsimpson Desktop=vmworld] (5ms) The following servers were blocked for new sessions [cn=5162cf76-8d8a-4ac0-9185-845a540d24e5ou=serversdc=vdidc=vmwaredc=int]
(SESSION40a7__6cbd) [VMWEUCbsimpson Desktop=vmworld] (5ms) Application launch failed exception was The desktop sources for this desktop are not responding Please try again later
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and vCenter Server Connection
Accept vCenter Certificate
By default certificate validation is required between App Volumes Manager and vSphere
Accept vCenter cert (self-signed or CA-signed) while creating the Machine Manager in App Volumes Manager
No custom certificate work required
App Volumes
ABV1592BE CONFIDENTIAL 60
VMworld 2017 Content Not fo
r publication or distri
bution
Certificate Options for ProductionEnable Certificate Validation on the App Volumes Agent
HKLMSystemCurrentControlSetServicessvservicesParametersbull EnforceSSLCertificateValidation = 1bull SSL = 1
Options to Enable SSL
SSL is enabled by default
Donrsquot disable certificate validation during Agent installation
Enable SSL in the registry after App Volumes Agent install
App Volumes
61
VMworld 2017 Content Not fo
r publication or distri
bution
Certificate Options for a POCDisable SSL Certificate Validation on the Agent
HKLMSystemCurrentControlSetServicessvservicesParametersbull EnforceSSLCertificateValidation = 0
Options to Disable SSL
Disable Certificate Validation with App Volumes Manager during App Volumes Agent install
EnforceSSLCertificateValidation in the registry after App Volumes Agent install
App Volumes
62
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and SQL Server CommunicationSecuring Communications Between App Volumes Manager and SQL Server
bull 212 User Guide references MS Support
bull Note the differences for a SQL Server clustered installation
bull Encryption is configured on the SQL Server instance so alldatabases on a shared SQL Server will be affected
bull From the SQL Server use SQL Server Configuration Manager to configure Force Encryption and specify the SQL certificate
SQL Server service account must have Read permissions to the Private Key of the SQL Server SSL certificate
ndash Check SQL Server Configuration Manager gt SQL Server Services gt SQL Server (SQL) gt Log On
ndash Default is NT ServiceMSSQL$SQL which does not have the necessary permissions
App Volumes
ABV1592BE CONFIDENTIAL 63
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and SQL Server CommunicationSetting Custom Private Key Permissions for SQL Service Account
bull Start on the SQL Server
bull MMC gt Certificates
App Volumes
ABV1592BE CONFIDENTIAL 64
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and Load Balancers
Typical Deployment
SSL is terminated at load balancer
HTTP between LB and AV Manager
SSL between AV Agents and LB
If trusted CA-signed cert is used for LB be
sure all agents trust the CA
App Volumes Agent VMs
Load Balancer
App Volumes Manager VMs
Alternative Deployment
To keep SSL between LB and AV
Manager signed AV Manager
certificate(s) should be added to trust list
of the LB
SQLView Infrastructure
Now Secured with SSL
Certificates
App Volumes
ABV1592BE CONFIDENTIAL 65
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
bull This presentation may contain product features that are currently under development
bull This overview of new technology represents no commitment from VMware to deliver these features in any generally available product
bull Features are subject to change and must not be included in contracts purchase orders or sales agreements of any kind
bull Technical feasibility and market demand will affect final delivery
bull Pricing and packaging for any new technologies or features discussed or presented have not been determined
Disclaimer
2ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Top 6 Global Support Tickets
SSL Certificates CAs
PersonaUEM
App Volumes
Parent VM issues
PCoIPBlast Extreme Black Screens
Log Analysis
3ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
1 Support Ticket to GSSCertificates
4
VMworld 2017 Content Not fo
r publication or distri
bution
Configuring Certificates for Horizon
bull Read the updated certificates guide httpbitly2uMhcRA
bull Replace self-signed certs on CS SS UAG Composer and vCenter
ndash Internal communications
bull Use SVIconfig for Composer server
bull Use Certificate Automation Tool for vCenter (vSphere 55)
bull Rename the self-signed generated certificate
5
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Troubleshooting Certificates for Horizon
6
bull Key issues when creating certs from 3rd parties or CA
ndash Make sure compatibility level is Windows 2003
ndash Make sure key is exportable
bull Key issues when using your own Microsoft CA
ndash Make sure the Subject name is your DNS name
ndash Set DNS SubjectAltNames for DNS name including IP and localhost
bull Common symptoms of certificate issues
ndash Services fail to start after certificate replacement
ndash Default 404 page after certificate replacement
bull Most referenced KB articles for successful troubleshooting
ndash httpskbvmwarecomkb2032400
ndash httpskbvmwarecomkb2068666
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Setting Subject Names and SANs
7
with Microsoft Certificate Templates
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Configuring Certificates for Unified Access Gateway
8
bull Replace the default self-signed certificate
bull Certificates that you import into the Unified Access Gateway appliance must be trusted by client machines
bull Must also be applicable to all instances of Unified Access Gateway and any load balancer
ndash Use either wildcards or Subject Alternative Name (SAN) certificates
bull Detailed instructions httpbitly2gN17VE
UnifiedAccess
Gateway
Unified Access Gateway
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Unified Access Gateway Certificate Deployment
9
Simplifying and Troubleshooting
bull Automate UAG deployment including trusted certificate
ndash Use OVF Tool or PowerShell
ndash Production-ready deployment in ~1 minute
ndash No longer requires PEM-formatted certificates
bull UAG 30 and above accepts PKCS12 (p12 or pfx) formatted certificates
ndash Guide to scripted deployment httpscommunitiesvmwarecomdocsDOC-30835
bull Includes sample INI and PS1 files
bull Includes troubleshooting examples
Unified Access Gateway
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Certificates with App Volumes ManagerReplace Self-Signed Cert with a CA-Signed Cert Trusted by the App Volumes Agent
Options to Enable SSL
bull Replace self-signed certificate on App Volumes Manager server with a cert trusted by App Volumes Agent VMs
bull User guide httpbitly2vlzgxX
bull Step-by-step blog with video httpbitly2ung7yE
Recommended for SSL
bull Use SSL for SQL Server Communication
bull Accept a CA-signed certificate from vCenter
App Volumes
ABV1592BE CONFIDENTIAL 10
VMworld 2017 Content Not fo
r publication or distri
bution
App Volumes Certificates
bull Certificate validation between App Volumes Manager and vCenter
bull Certificate validation for App Volumes Agent
ndash POC versus Production implementation
bull Secure communications between App Volumes and Microsoft SQL server
bull Applying certificates in load balanced configurations
11
Additional Considerations
App Volumes
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Avoiding Certificate IssuesBe Consistent with App Volumes Manager Name
ABV1592BE CONFIDENTIAL 12
VMworld 2017 Content Not fo
r publication or distri
bution
VMware Horizon Log Locations
Core
Infrastructure
Active
Directory
vCenter
Server
vRealize
Operations
Manager for
Horizon
Database
(SQL)
vSphere
vSAN
SaaS Mobile
Apps
Applications
(App Volumes)
VMware
Identity
Manager
User
Workspace
User
Environment
IT
Settings
User
Profile
End-Point Clients
VMware Horizon
RDS
Desktops amp Apps
Virtual Desktop Pools
Unified
Access
Gateway
Connection
Server
View
Composer
Logs can be collected fromhellip
Use KB1017939 for log locations and KB1025887 to change log levels
ABV1592BE CONFIDENTIAL 13
VMworld 2017 Content Not fo
r publication or distri
bution
VMware Unified Access Gateway (UAG) Logs
14
Log Files
bull Default log level is INFO
bull Adjust log level for debugging information
ndash Details of log levels and collecting log files httpbitly2ufqdAY
Monitoring
bull Monitor UAG services from the Admin UI
Unified Access Gateway
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
App Volumes Logs
15
rdquoDJrdquo indicates
Manager
background
job
ldquoRrdquo indicates
dynamic Ruby
job
Log files are
now created
daily
bull Use Notepad++ to quickly group log entries by task
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
User Environment Manager Logs
bull Configure debug logging for individual user
ndash httpskbvmwarecomkb2113514
Global and Individual Debug Logs
User Environment Manager
ABV1592BE CONFIDENTIAL 16
VMworld 2017 Content Not fo
r publication or distri
bution
Application Personalization amp DirectFlex
User Session
Profile Data Store (File Share)
Base
Profile
UEM
LogonImport of Keyboard
Mouse Wallpaper
Windows Settings
Application
LaunchImport of application
settings
Application
ShutdownExport of application
settings
UEM
LogoffExport of Keyboard
Mouse Wallpaper
Windows Settings
Time
User Environment Manager
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
DirectFlex Logging
18
User Environment Manager
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
DirectFlex Import
19
Directflex Import
User Environment Manager
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
DirectFlex Export
20
Directflex Export
User Environment Manager
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Tracking Sessions
bull Use TailGrep Utilities or Trace32 (SCCM Toolkit)
21
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Demo ndash Log Monitoring with BareTailBareGrep
22
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
HorizonCommon Issues
VMworld 2017 Content Not fo
r publication or distri
bution
Troubleshooting Keys
bull Check Admin Dashboard or HelpDesk Tool
bull Understand client connection paths
bull Set the appropriate Logging Level
bull Check Logs and understand DCT Tool
bull Use kbvmwarecom or communities
24
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon Helpdesk Tool
25
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon Helpdesk Tool Session Details
26
Access
bull Installed by default on CS
bull https[CS FQDN]helpdesk
bull Launch from Horizon Console
Provides
bull Metrics
bull Send Message
bull Remote Assistance
bull Quick Resolution
bull Restart
bull Logoff
bull Reset
bull Disconnect
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon Helpdesk Tool
27
Measuring Impact of AppStacks
No AppStacks
Three AppStacks ndash VLC Notepad++ 7-Zip
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Pool
Profile
Service AppsUser
Remoting
ProtocolUser Environment
Manager
File SharesPersona
ThinApp SharesStreamed
Apps
Master VMInstant
Clone
Home File SharesFolder
Redirection
App Volumes
AppStacks
Writable Volume
Disk
Attachments
vSphere
Virtual SAN
Instant Clone
SaaS Mobile Other Apps
Client(s)
Identity Manager
HTML
APPS
En
viro
nm
en
t
AD
DNS
DHCP
Group
Policy
Certs
vRealize Operations for Horizon ndash (Monitoring amp Mgt)
Identifying the Problem Domain
ABV1592BE CONFIDENTIAL 28
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon Connectivity Issues
bull Common challenges
ndash Horizon Client canrsquot connect
ndash Logon failure
ndash Black screen
ndash Poor quality display
ndash Randomly disconnected session
ABV1592BE CONFIDENTIAL 29
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
30
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Blast Extreme Adaptive TransportADMX Template Settings
Computer gt Policies gt Admin Templates gt VMware Blast gt UDP Protocol
bull Requires restart of Blast service or reboot of guest OS to take effect
BlastExtreme
ABV1592BE CONFIDENTIAL 31
VMworld 2017 Content Not fo
r publication or distri
bution
Blast Extreme Adaptive Transport
Client Settings Agent Settings (UDP) Blast Desktop Connection Broker Connection
Excellent Not configured or Enabled TCP TCP
Typical Not configured or Enabled UDP TCP
Poor Not configured or Enabled UDP UDP
Computer gt Policies gt Admin Templates gt VMware Blast gt UDP Protocol ndash Not Configured or Enabled
HKLMSOFTWAREPoliciesVMware IncVMware BlastConfig ndash UdpEnabled = 1
Client Settings Agent Settings (UDP) Blast Desktop Connection Broker Connection
Excellent Disabled TCP TCP
Typical Disabled TCP TCP
Poor Disabled TCP UDP
Computer gt Policies gt Admin Templates gt VMware Blast gt UDP Protocol ndash Disabled
HKLMSOFTWAREPoliciesVMware IncVMware BlastConfig ndash UdpEnabled = 0
BlastExtreme
ABV1592BE CONFIDENTIAL 32
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon Connectivity Issues
bull Where to look
ndash Connection Broker logs
bull CProgramDataVMwareVDMlogs
ndash Event Database
ndash DCT Tool
bull What to look for ndash
bull (Client connects) [SimpleAJPService] (ajpbrokerRequest9) Request from 19216821 POST brokerxml
bull (Broker authentication) [WinAuthFilter] (SESSION7072--a79c mattc) Attempting to authenticate user mattc in domain FUTUREOFFICErsquo
bull (User has authenticated to Broker) [AuthorizationFilter] (SESSION7072--a79c) User FUTUREOFFICEmattc has successfully authenticated to VDM
bull (Audit Entry) [Audit] (SESSION7072--a79c) BROKER_LOGONUSERFUTUREOFFICEmattcUSERSIDS-1-5-21-326850759-2560684469-1780228732-1113USERDNCN=S-1-5-21-326850759-2560684469-1780228732-1113CN=ForeignSecurityPrincipalsDC=vdiDC=vmwareDC=int
bull Event Database BROKER_USERLOGGEDIN
ABV1592BE CONFIDENTIAL 33
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
User Experience Issues
bull Black screen of deathmdashinstead of desktop
ndash PCoIP port blocked (TCP and UDP 4172) or SVGA Driver issue
ndash pcoip_serverclient logs - CUsersAll UsersVMwareVDMlogs
bull Error attaching to SVGADevTap error 4000 EscapeFailed
bull MGMT_SCHAN scnet_client_open tera_sock_connect returned error 10060 - Connection timed out
ndash Incorrect PCoIP External URL configured for SecurityConnection Servers
ABV1592BE CONFIDENTIAL 34
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
User Experience Issues
bull Poor quality display
ndash Bandwidth latency or QoS
ndash Pcoip_server logs report
bull VGMAC Stat frms Loss=045021 (RT)
bull MGMT_PCOIP_DATA BW Decrease (loss) old = 2349982 new = 1768438
bull Randomly disconnected session
ndash 15 min after established - wssm process hasnt started on desktop
ndash View Agent logs (ltDriveLettergtProgramDataVMwareVDMlogs)
ndash PENDING_EXPIRED
ndash Sometimes caused by daisy-chaining the GINA (WinXP)
ABV1592BE CONFIDENTIAL 35
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Multi-VLAN support for Instant Clone pools
36
Tips to Avoid Deployment Issues
Support
bull vSphere 2016
bull ESXi 60 U1 or newer
bull Virtual Distributed Switch only
ndash No support for Standard Switch
bull Port Group must be configured for Static Port Binding amp Fixed Port Allocation
ndash No support for Dynamic or Ephemeral
Tested Limits
bull No multi-VLAN provisioning with IPv6
bull Single IC pool of 2K VMs
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Multi-VLAN with Horizon Instant Clones
37
Troubleshooting
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Performance
bull Common Issues
ndash Storage IO bottleneck
ndash Memory contention
ndash CPU contention
ndash Network issues
bull Where to look
ndash vCenter Server
ndash VCOPs
ndash ESXTOP
ndash 3rd Party Tools
ABV1592BE CONFIDENTIAL 38
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
The 3 Pillars of Performance
What to look for
bull CPU
ndash ClusterHost utilization lt 90
ndash VM utilization - USED (ESXTOP)
ndash VM RDY Time (ESXTOP) lt 10
bull Memory
ndash Host utilization lt 85
ndash VM utilization
ndash Swapping Ballooning SWCUR gt 1 MCTLSZ gt 1 (ESXTOP)
bull Storage
ndash Disk Read Latency lt 25ms
ndash ESXTOP DAVG or KAVG lt 25ms (ESXTOP)
ABV1592BE CONFIDENTIAL 39
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Optimize Your Images
bull httpslabsvmwarecomflingsvmware-os-optimization-tool
ABV1592BE CONFIDENTIAL 40
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
User Environment ManagerCommon Issues
41
VMworld 2017 Content Not fo
r publication or distri
bution
FlexEngine Appears Not To Run
FlexEngine Client
bull Requires use of Regeditexeor Regexe to modify user-based registry keys
bull Must not be disabled via Local or Group Policy
ADMX Settings
bull Minimum settings to enable FlexEngine Client
bull Check path
ABV1592BE CONFIDENTIAL 42
VMworld 2017 Content Not fo
r publication or distri
bution
Path-Based Import Runs Slow
43
bull Be careful not to run FlexEngine as a logon script and a Group Policy client-side extension
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Application Incompatibility with Hook Drivers
44
User Environment Manager
DirectFlex Blacklist
bull Create ltFlexRepositorygtDirectFlexBlackListXML
bull Populate as follows
ltxml version=10 encoding=utf-8gt
ltuserEnvironmentSettingsgt
ltsetting type=blacklist list=rdquo1exe|2exe|3exe gt
ltuserEnvironmentSettingsgt
bull Example httpskbvmwarecomkb2145287
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
App VolumesCommon Issues
45
VMworld 2017 Content Not fo
r publication or distri
bution
Slow User Logon
46
bull Check Logon Segments in Horizon to determine where the delay is
bull Optimize clockyml
ndash If performance decreases as deployment scales
ndash Increasing servers workers and thread_poolrequires additional CPU and RAM
ndash Involve GSS to ensure optimal settings
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
AppStack Not Attaching at Logon
47
bull One host in vSphere cluster does not have access to the shared datastore where the AppStack resides
ndash Common oversight especially with Storage Groups
bull Conflicting Minifilter driver
ndash DLP software
ndash Be aware of app altitude
ndash More info from Microsoft
bull httpbitly2tSCdG5
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
ADSI Edit ndash Static Configuration Editing
50
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
ADSI Edit ndash Common Key Values to Inspect
bull pae-DisplayName
ndash VM name as displayed in View Admin
bull pae-DirtyForNewSessions
ndash Indicates whether the VM is ldquoDirtyrdquo and can be re-used in a non-persistent pool
bull pae-SVIVMSnapshot
ndash Indicates the current Snapshot that is in use
bull pae-VmPath
ndash Indicates the full Path to the VM in vCenter
bull pae-VmState
ndash Indicates the current state of the Desktop ndash some states are a combination of this valueand other values
51
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
ADSI Edit ndash Searching for a Desktop
bull Find VMs with a Snapshot
ndash (amp(objectClass=pae-VM)(pae-SVIVmSnapshot=BaselineSnapshot1Snapshot2))
bull Find VMs with a Name
ndash (amp(objectClass=pae-VM)(pae-DisplayName=Desktop-234))
ABV1592BE CONFIDENTIAL 52
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon View Event Notifier
bull On the VMware Fling site - labsvmwarecomflings (chrishalstead)
ABV1592BE CONFIDENTIAL 53
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
What to look forhellip (walk through successful connection)
bull Client requests desktop
ndash Event Database BROKER_DESKTOP_REQUEST
bull Broker allocates session to user
ndash [FarmImp] (SESSION7072--a79c) cn=3f974017-409f-4912-83bc-2ee794f22fabou=serversdc=vdidc=vmwaredc=int total session count 0
ndash [FarmImp] (SESSION7072--a79c) allocateNewSession - identified server for application CN=GOLD-NPOU=ApplicationsDC=vdiDC=vmwareDC=int
ndash Event Database BROKER_MACHINE_ALLOCATED
bull Broker attempts SSO
ndash [FarmImp] (SESSION7072--a79c) Using domain for SSO FUTUREOFFICE
ndash User wonrsquot be logged on to the VM without this
ABV1592BE CONFIDENTIAL 54
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
What to look forhellip Pool Provisioning
bull Desktops not available due to provisioning error
ndash Check View Administrator for Pool status check datastore capacity
ndash Check Event Database - BROKER_PROVISIONING_ERROR_
ndash Check View Composer has network access to ESX hosts
bull Desktop not available due to customization
ndash Check Desktop status ndash AGENT UNAVAILABLE
ndash Check View Dashboard
bull Desktop Status gt Preparing Desktops OR Problem Desktops
ndash Check Desktop connectivity to DNSADConnection Server
ABV1592BE CONFIDENTIAL 55
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
bull Desktop not available due to VM resetcrash
ndash Check Desktop status ndash ALREADY USED
ndash Typical on refresh-on-logoff or delete-on-use desktops
ndash Broker never received an explicit logout message from the agent
ndash Missing AGENT_ENDED event in DB for VM
bull View Composer Issues associated with incorrect domain credentials
bull CProgramDataVMwareView ComposerLogs
bull FATAL CSvmGaService - [svmGaServicecpp 116] Domain join failed Error 5 (0x5) Access is denied
ABV1592BE CONFIDENTIAL 56
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
What to look forhellip
bull Broker starts session on VM
ndash [DesktopSessionImp] (SESSION7072--a79c) startSession ndashsending StartSession message
bull Agent respondshellip
ndash DesktopManager got a StartSession messagerdquo
ndash Client Info should be in Agent Log along with PCoIP launch
bull Event Database AGENT_PENDING
bull Client connects to VM (Agent)
ndash ldquoPCoIPCnxOnConnectionComplete Begin (PCOIP)rdquo
ndash ldquoWTS_SESSION_LOGONrdquo
ndash Event Database AGENT_CONNECTED
ABV1592BE CONFIDENTIAL 57
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Source Not Available
58
Common Issues
bull No Desktop Available
bull Pool provisioning issues ndashcustomization
bull Agent not communicatingwith broker
bull Stuck at desktop loginscreen (SSO)
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Source Not Available
59
Where to look
bull Event Database
bull Connection Server logs
What to look for
[SessionLaunchContext] (SESSION40a7__6cbd) VMWEUCbsimpson Desktop=vmworld Session request failed
(SESSION40a7__6cbd) [VMWEUCbsimpson Desktop=vmworld] (5ms) The following servers were blocked for new sessions [cn=5162cf76-8d8a-4ac0-9185-845a540d24e5ou=serversdc=vdidc=vmwaredc=int]
(SESSION40a7__6cbd) [VMWEUCbsimpson Desktop=vmworld] (5ms) Application launch failed exception was The desktop sources for this desktop are not responding Please try again later
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and vCenter Server Connection
Accept vCenter Certificate
By default certificate validation is required between App Volumes Manager and vSphere
Accept vCenter cert (self-signed or CA-signed) while creating the Machine Manager in App Volumes Manager
No custom certificate work required
App Volumes
ABV1592BE CONFIDENTIAL 60
VMworld 2017 Content Not fo
r publication or distri
bution
Certificate Options for ProductionEnable Certificate Validation on the App Volumes Agent
HKLMSystemCurrentControlSetServicessvservicesParametersbull EnforceSSLCertificateValidation = 1bull SSL = 1
Options to Enable SSL
SSL is enabled by default
Donrsquot disable certificate validation during Agent installation
Enable SSL in the registry after App Volumes Agent install
App Volumes
61
VMworld 2017 Content Not fo
r publication or distri
bution
Certificate Options for a POCDisable SSL Certificate Validation on the Agent
HKLMSystemCurrentControlSetServicessvservicesParametersbull EnforceSSLCertificateValidation = 0
Options to Disable SSL
Disable Certificate Validation with App Volumes Manager during App Volumes Agent install
EnforceSSLCertificateValidation in the registry after App Volumes Agent install
App Volumes
62
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and SQL Server CommunicationSecuring Communications Between App Volumes Manager and SQL Server
bull 212 User Guide references MS Support
bull Note the differences for a SQL Server clustered installation
bull Encryption is configured on the SQL Server instance so alldatabases on a shared SQL Server will be affected
bull From the SQL Server use SQL Server Configuration Manager to configure Force Encryption and specify the SQL certificate
SQL Server service account must have Read permissions to the Private Key of the SQL Server SSL certificate
ndash Check SQL Server Configuration Manager gt SQL Server Services gt SQL Server (SQL) gt Log On
ndash Default is NT ServiceMSSQL$SQL which does not have the necessary permissions
App Volumes
ABV1592BE CONFIDENTIAL 63
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and SQL Server CommunicationSetting Custom Private Key Permissions for SQL Service Account
bull Start on the SQL Server
bull MMC gt Certificates
App Volumes
ABV1592BE CONFIDENTIAL 64
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and Load Balancers
Typical Deployment
SSL is terminated at load balancer
HTTP between LB and AV Manager
SSL between AV Agents and LB
If trusted CA-signed cert is used for LB be
sure all agents trust the CA
App Volumes Agent VMs
Load Balancer
App Volumes Manager VMs
Alternative Deployment
To keep SSL between LB and AV
Manager signed AV Manager
certificate(s) should be added to trust list
of the LB
SQLView Infrastructure
Now Secured with SSL
Certificates
App Volumes
ABV1592BE CONFIDENTIAL 65
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
Top 6 Global Support Tickets
SSL Certificates CAs
PersonaUEM
App Volumes
Parent VM issues
PCoIPBlast Extreme Black Screens
Log Analysis
3ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
1 Support Ticket to GSSCertificates
4
VMworld 2017 Content Not fo
r publication or distri
bution
Configuring Certificates for Horizon
bull Read the updated certificates guide httpbitly2uMhcRA
bull Replace self-signed certs on CS SS UAG Composer and vCenter
ndash Internal communications
bull Use SVIconfig for Composer server
bull Use Certificate Automation Tool for vCenter (vSphere 55)
bull Rename the self-signed generated certificate
5
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Troubleshooting Certificates for Horizon
6
bull Key issues when creating certs from 3rd parties or CA
ndash Make sure compatibility level is Windows 2003
ndash Make sure key is exportable
bull Key issues when using your own Microsoft CA
ndash Make sure the Subject name is your DNS name
ndash Set DNS SubjectAltNames for DNS name including IP and localhost
bull Common symptoms of certificate issues
ndash Services fail to start after certificate replacement
ndash Default 404 page after certificate replacement
bull Most referenced KB articles for successful troubleshooting
ndash httpskbvmwarecomkb2032400
ndash httpskbvmwarecomkb2068666
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Setting Subject Names and SANs
7
with Microsoft Certificate Templates
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Configuring Certificates for Unified Access Gateway
8
bull Replace the default self-signed certificate
bull Certificates that you import into the Unified Access Gateway appliance must be trusted by client machines
bull Must also be applicable to all instances of Unified Access Gateway and any load balancer
ndash Use either wildcards or Subject Alternative Name (SAN) certificates
bull Detailed instructions httpbitly2gN17VE
UnifiedAccess
Gateway
Unified Access Gateway
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Unified Access Gateway Certificate Deployment
9
Simplifying and Troubleshooting
bull Automate UAG deployment including trusted certificate
ndash Use OVF Tool or PowerShell
ndash Production-ready deployment in ~1 minute
ndash No longer requires PEM-formatted certificates
bull UAG 30 and above accepts PKCS12 (p12 or pfx) formatted certificates
ndash Guide to scripted deployment httpscommunitiesvmwarecomdocsDOC-30835
bull Includes sample INI and PS1 files
bull Includes troubleshooting examples
Unified Access Gateway
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Certificates with App Volumes ManagerReplace Self-Signed Cert with a CA-Signed Cert Trusted by the App Volumes Agent
Options to Enable SSL
bull Replace self-signed certificate on App Volumes Manager server with a cert trusted by App Volumes Agent VMs
bull User guide httpbitly2vlzgxX
bull Step-by-step blog with video httpbitly2ung7yE
Recommended for SSL
bull Use SSL for SQL Server Communication
bull Accept a CA-signed certificate from vCenter
App Volumes
ABV1592BE CONFIDENTIAL 10
VMworld 2017 Content Not fo
r publication or distri
bution
App Volumes Certificates
bull Certificate validation between App Volumes Manager and vCenter
bull Certificate validation for App Volumes Agent
ndash POC versus Production implementation
bull Secure communications between App Volumes and Microsoft SQL server
bull Applying certificates in load balanced configurations
11
Additional Considerations
App Volumes
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Avoiding Certificate IssuesBe Consistent with App Volumes Manager Name
ABV1592BE CONFIDENTIAL 12
VMworld 2017 Content Not fo
r publication or distri
bution
VMware Horizon Log Locations
Core
Infrastructure
Active
Directory
vCenter
Server
vRealize
Operations
Manager for
Horizon
Database
(SQL)
vSphere
vSAN
SaaS Mobile
Apps
Applications
(App Volumes)
VMware
Identity
Manager
User
Workspace
User
Environment
IT
Settings
User
Profile
End-Point Clients
VMware Horizon
RDS
Desktops amp Apps
Virtual Desktop Pools
Unified
Access
Gateway
Connection
Server
View
Composer
Logs can be collected fromhellip
Use KB1017939 for log locations and KB1025887 to change log levels
ABV1592BE CONFIDENTIAL 13
VMworld 2017 Content Not fo
r publication or distri
bution
VMware Unified Access Gateway (UAG) Logs
14
Log Files
bull Default log level is INFO
bull Adjust log level for debugging information
ndash Details of log levels and collecting log files httpbitly2ufqdAY
Monitoring
bull Monitor UAG services from the Admin UI
Unified Access Gateway
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
App Volumes Logs
15
rdquoDJrdquo indicates
Manager
background
job
ldquoRrdquo indicates
dynamic Ruby
job
Log files are
now created
daily
bull Use Notepad++ to quickly group log entries by task
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
User Environment Manager Logs
bull Configure debug logging for individual user
ndash httpskbvmwarecomkb2113514
Global and Individual Debug Logs
User Environment Manager
ABV1592BE CONFIDENTIAL 16
VMworld 2017 Content Not fo
r publication or distri
bution
Application Personalization amp DirectFlex
User Session
Profile Data Store (File Share)
Base
Profile
UEM
LogonImport of Keyboard
Mouse Wallpaper
Windows Settings
Application
LaunchImport of application
settings
Application
ShutdownExport of application
settings
UEM
LogoffExport of Keyboard
Mouse Wallpaper
Windows Settings
Time
User Environment Manager
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
DirectFlex Logging
18
User Environment Manager
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
DirectFlex Import
19
Directflex Import
User Environment Manager
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
DirectFlex Export
20
Directflex Export
User Environment Manager
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Tracking Sessions
bull Use TailGrep Utilities or Trace32 (SCCM Toolkit)
21
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Demo ndash Log Monitoring with BareTailBareGrep
22
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
HorizonCommon Issues
VMworld 2017 Content Not fo
r publication or distri
bution
Troubleshooting Keys
bull Check Admin Dashboard or HelpDesk Tool
bull Understand client connection paths
bull Set the appropriate Logging Level
bull Check Logs and understand DCT Tool
bull Use kbvmwarecom or communities
24
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon Helpdesk Tool
25
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon Helpdesk Tool Session Details
26
Access
bull Installed by default on CS
bull https[CS FQDN]helpdesk
bull Launch from Horizon Console
Provides
bull Metrics
bull Send Message
bull Remote Assistance
bull Quick Resolution
bull Restart
bull Logoff
bull Reset
bull Disconnect
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon Helpdesk Tool
27
Measuring Impact of AppStacks
No AppStacks
Three AppStacks ndash VLC Notepad++ 7-Zip
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Pool
Profile
Service AppsUser
Remoting
ProtocolUser Environment
Manager
File SharesPersona
ThinApp SharesStreamed
Apps
Master VMInstant
Clone
Home File SharesFolder
Redirection
App Volumes
AppStacks
Writable Volume
Disk
Attachments
vSphere
Virtual SAN
Instant Clone
SaaS Mobile Other Apps
Client(s)
Identity Manager
HTML
APPS
En
viro
nm
en
t
AD
DNS
DHCP
Group
Policy
Certs
vRealize Operations for Horizon ndash (Monitoring amp Mgt)
Identifying the Problem Domain
ABV1592BE CONFIDENTIAL 28
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon Connectivity Issues
bull Common challenges
ndash Horizon Client canrsquot connect
ndash Logon failure
ndash Black screen
ndash Poor quality display
ndash Randomly disconnected session
ABV1592BE CONFIDENTIAL 29
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
30
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Blast Extreme Adaptive TransportADMX Template Settings
Computer gt Policies gt Admin Templates gt VMware Blast gt UDP Protocol
bull Requires restart of Blast service or reboot of guest OS to take effect
BlastExtreme
ABV1592BE CONFIDENTIAL 31
VMworld 2017 Content Not fo
r publication or distri
bution
Blast Extreme Adaptive Transport
Client Settings Agent Settings (UDP) Blast Desktop Connection Broker Connection
Excellent Not configured or Enabled TCP TCP
Typical Not configured or Enabled UDP TCP
Poor Not configured or Enabled UDP UDP
Computer gt Policies gt Admin Templates gt VMware Blast gt UDP Protocol ndash Not Configured or Enabled
HKLMSOFTWAREPoliciesVMware IncVMware BlastConfig ndash UdpEnabled = 1
Client Settings Agent Settings (UDP) Blast Desktop Connection Broker Connection
Excellent Disabled TCP TCP
Typical Disabled TCP TCP
Poor Disabled TCP UDP
Computer gt Policies gt Admin Templates gt VMware Blast gt UDP Protocol ndash Disabled
HKLMSOFTWAREPoliciesVMware IncVMware BlastConfig ndash UdpEnabled = 0
BlastExtreme
ABV1592BE CONFIDENTIAL 32
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon Connectivity Issues
bull Where to look
ndash Connection Broker logs
bull CProgramDataVMwareVDMlogs
ndash Event Database
ndash DCT Tool
bull What to look for ndash
bull (Client connects) [SimpleAJPService] (ajpbrokerRequest9) Request from 19216821 POST brokerxml
bull (Broker authentication) [WinAuthFilter] (SESSION7072--a79c mattc) Attempting to authenticate user mattc in domain FUTUREOFFICErsquo
bull (User has authenticated to Broker) [AuthorizationFilter] (SESSION7072--a79c) User FUTUREOFFICEmattc has successfully authenticated to VDM
bull (Audit Entry) [Audit] (SESSION7072--a79c) BROKER_LOGONUSERFUTUREOFFICEmattcUSERSIDS-1-5-21-326850759-2560684469-1780228732-1113USERDNCN=S-1-5-21-326850759-2560684469-1780228732-1113CN=ForeignSecurityPrincipalsDC=vdiDC=vmwareDC=int
bull Event Database BROKER_USERLOGGEDIN
ABV1592BE CONFIDENTIAL 33
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
User Experience Issues
bull Black screen of deathmdashinstead of desktop
ndash PCoIP port blocked (TCP and UDP 4172) or SVGA Driver issue
ndash pcoip_serverclient logs - CUsersAll UsersVMwareVDMlogs
bull Error attaching to SVGADevTap error 4000 EscapeFailed
bull MGMT_SCHAN scnet_client_open tera_sock_connect returned error 10060 - Connection timed out
ndash Incorrect PCoIP External URL configured for SecurityConnection Servers
ABV1592BE CONFIDENTIAL 34
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
User Experience Issues
bull Poor quality display
ndash Bandwidth latency or QoS
ndash Pcoip_server logs report
bull VGMAC Stat frms Loss=045021 (RT)
bull MGMT_PCOIP_DATA BW Decrease (loss) old = 2349982 new = 1768438
bull Randomly disconnected session
ndash 15 min after established - wssm process hasnt started on desktop
ndash View Agent logs (ltDriveLettergtProgramDataVMwareVDMlogs)
ndash PENDING_EXPIRED
ndash Sometimes caused by daisy-chaining the GINA (WinXP)
ABV1592BE CONFIDENTIAL 35
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Multi-VLAN support for Instant Clone pools
36
Tips to Avoid Deployment Issues
Support
bull vSphere 2016
bull ESXi 60 U1 or newer
bull Virtual Distributed Switch only
ndash No support for Standard Switch
bull Port Group must be configured for Static Port Binding amp Fixed Port Allocation
ndash No support for Dynamic or Ephemeral
Tested Limits
bull No multi-VLAN provisioning with IPv6
bull Single IC pool of 2K VMs
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Multi-VLAN with Horizon Instant Clones
37
Troubleshooting
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Performance
bull Common Issues
ndash Storage IO bottleneck
ndash Memory contention
ndash CPU contention
ndash Network issues
bull Where to look
ndash vCenter Server
ndash VCOPs
ndash ESXTOP
ndash 3rd Party Tools
ABV1592BE CONFIDENTIAL 38
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
The 3 Pillars of Performance
What to look for
bull CPU
ndash ClusterHost utilization lt 90
ndash VM utilization - USED (ESXTOP)
ndash VM RDY Time (ESXTOP) lt 10
bull Memory
ndash Host utilization lt 85
ndash VM utilization
ndash Swapping Ballooning SWCUR gt 1 MCTLSZ gt 1 (ESXTOP)
bull Storage
ndash Disk Read Latency lt 25ms
ndash ESXTOP DAVG or KAVG lt 25ms (ESXTOP)
ABV1592BE CONFIDENTIAL 39
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Optimize Your Images
bull httpslabsvmwarecomflingsvmware-os-optimization-tool
ABV1592BE CONFIDENTIAL 40
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
User Environment ManagerCommon Issues
41
VMworld 2017 Content Not fo
r publication or distri
bution
FlexEngine Appears Not To Run
FlexEngine Client
bull Requires use of Regeditexeor Regexe to modify user-based registry keys
bull Must not be disabled via Local or Group Policy
ADMX Settings
bull Minimum settings to enable FlexEngine Client
bull Check path
ABV1592BE CONFIDENTIAL 42
VMworld 2017 Content Not fo
r publication or distri
bution
Path-Based Import Runs Slow
43
bull Be careful not to run FlexEngine as a logon script and a Group Policy client-side extension
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Application Incompatibility with Hook Drivers
44
User Environment Manager
DirectFlex Blacklist
bull Create ltFlexRepositorygtDirectFlexBlackListXML
bull Populate as follows
ltxml version=10 encoding=utf-8gt
ltuserEnvironmentSettingsgt
ltsetting type=blacklist list=rdquo1exe|2exe|3exe gt
ltuserEnvironmentSettingsgt
bull Example httpskbvmwarecomkb2145287
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
App VolumesCommon Issues
45
VMworld 2017 Content Not fo
r publication or distri
bution
Slow User Logon
46
bull Check Logon Segments in Horizon to determine where the delay is
bull Optimize clockyml
ndash If performance decreases as deployment scales
ndash Increasing servers workers and thread_poolrequires additional CPU and RAM
ndash Involve GSS to ensure optimal settings
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
AppStack Not Attaching at Logon
47
bull One host in vSphere cluster does not have access to the shared datastore where the AppStack resides
ndash Common oversight especially with Storage Groups
bull Conflicting Minifilter driver
ndash DLP software
ndash Be aware of app altitude
ndash More info from Microsoft
bull httpbitly2tSCdG5
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
ADSI Edit ndash Static Configuration Editing
50
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
ADSI Edit ndash Common Key Values to Inspect
bull pae-DisplayName
ndash VM name as displayed in View Admin
bull pae-DirtyForNewSessions
ndash Indicates whether the VM is ldquoDirtyrdquo and can be re-used in a non-persistent pool
bull pae-SVIVMSnapshot
ndash Indicates the current Snapshot that is in use
bull pae-VmPath
ndash Indicates the full Path to the VM in vCenter
bull pae-VmState
ndash Indicates the current state of the Desktop ndash some states are a combination of this valueand other values
51
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
ADSI Edit ndash Searching for a Desktop
bull Find VMs with a Snapshot
ndash (amp(objectClass=pae-VM)(pae-SVIVmSnapshot=BaselineSnapshot1Snapshot2))
bull Find VMs with a Name
ndash (amp(objectClass=pae-VM)(pae-DisplayName=Desktop-234))
ABV1592BE CONFIDENTIAL 52
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon View Event Notifier
bull On the VMware Fling site - labsvmwarecomflings (chrishalstead)
ABV1592BE CONFIDENTIAL 53
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
What to look forhellip (walk through successful connection)
bull Client requests desktop
ndash Event Database BROKER_DESKTOP_REQUEST
bull Broker allocates session to user
ndash [FarmImp] (SESSION7072--a79c) cn=3f974017-409f-4912-83bc-2ee794f22fabou=serversdc=vdidc=vmwaredc=int total session count 0
ndash [FarmImp] (SESSION7072--a79c) allocateNewSession - identified server for application CN=GOLD-NPOU=ApplicationsDC=vdiDC=vmwareDC=int
ndash Event Database BROKER_MACHINE_ALLOCATED
bull Broker attempts SSO
ndash [FarmImp] (SESSION7072--a79c) Using domain for SSO FUTUREOFFICE
ndash User wonrsquot be logged on to the VM without this
ABV1592BE CONFIDENTIAL 54
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
What to look forhellip Pool Provisioning
bull Desktops not available due to provisioning error
ndash Check View Administrator for Pool status check datastore capacity
ndash Check Event Database - BROKER_PROVISIONING_ERROR_
ndash Check View Composer has network access to ESX hosts
bull Desktop not available due to customization
ndash Check Desktop status ndash AGENT UNAVAILABLE
ndash Check View Dashboard
bull Desktop Status gt Preparing Desktops OR Problem Desktops
ndash Check Desktop connectivity to DNSADConnection Server
ABV1592BE CONFIDENTIAL 55
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
bull Desktop not available due to VM resetcrash
ndash Check Desktop status ndash ALREADY USED
ndash Typical on refresh-on-logoff or delete-on-use desktops
ndash Broker never received an explicit logout message from the agent
ndash Missing AGENT_ENDED event in DB for VM
bull View Composer Issues associated with incorrect domain credentials
bull CProgramDataVMwareView ComposerLogs
bull FATAL CSvmGaService - [svmGaServicecpp 116] Domain join failed Error 5 (0x5) Access is denied
ABV1592BE CONFIDENTIAL 56
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
What to look forhellip
bull Broker starts session on VM
ndash [DesktopSessionImp] (SESSION7072--a79c) startSession ndashsending StartSession message
bull Agent respondshellip
ndash DesktopManager got a StartSession messagerdquo
ndash Client Info should be in Agent Log along with PCoIP launch
bull Event Database AGENT_PENDING
bull Client connects to VM (Agent)
ndash ldquoPCoIPCnxOnConnectionComplete Begin (PCOIP)rdquo
ndash ldquoWTS_SESSION_LOGONrdquo
ndash Event Database AGENT_CONNECTED
ABV1592BE CONFIDENTIAL 57
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Source Not Available
58
Common Issues
bull No Desktop Available
bull Pool provisioning issues ndashcustomization
bull Agent not communicatingwith broker
bull Stuck at desktop loginscreen (SSO)
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Source Not Available
59
Where to look
bull Event Database
bull Connection Server logs
What to look for
[SessionLaunchContext] (SESSION40a7__6cbd) VMWEUCbsimpson Desktop=vmworld Session request failed
(SESSION40a7__6cbd) [VMWEUCbsimpson Desktop=vmworld] (5ms) The following servers were blocked for new sessions [cn=5162cf76-8d8a-4ac0-9185-845a540d24e5ou=serversdc=vdidc=vmwaredc=int]
(SESSION40a7__6cbd) [VMWEUCbsimpson Desktop=vmworld] (5ms) Application launch failed exception was The desktop sources for this desktop are not responding Please try again later
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and vCenter Server Connection
Accept vCenter Certificate
By default certificate validation is required between App Volumes Manager and vSphere
Accept vCenter cert (self-signed or CA-signed) while creating the Machine Manager in App Volumes Manager
No custom certificate work required
App Volumes
ABV1592BE CONFIDENTIAL 60
VMworld 2017 Content Not fo
r publication or distri
bution
Certificate Options for ProductionEnable Certificate Validation on the App Volumes Agent
HKLMSystemCurrentControlSetServicessvservicesParametersbull EnforceSSLCertificateValidation = 1bull SSL = 1
Options to Enable SSL
SSL is enabled by default
Donrsquot disable certificate validation during Agent installation
Enable SSL in the registry after App Volumes Agent install
App Volumes
61
VMworld 2017 Content Not fo
r publication or distri
bution
Certificate Options for a POCDisable SSL Certificate Validation on the Agent
HKLMSystemCurrentControlSetServicessvservicesParametersbull EnforceSSLCertificateValidation = 0
Options to Disable SSL
Disable Certificate Validation with App Volumes Manager during App Volumes Agent install
EnforceSSLCertificateValidation in the registry after App Volumes Agent install
App Volumes
62
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and SQL Server CommunicationSecuring Communications Between App Volumes Manager and SQL Server
bull 212 User Guide references MS Support
bull Note the differences for a SQL Server clustered installation
bull Encryption is configured on the SQL Server instance so alldatabases on a shared SQL Server will be affected
bull From the SQL Server use SQL Server Configuration Manager to configure Force Encryption and specify the SQL certificate
SQL Server service account must have Read permissions to the Private Key of the SQL Server SSL certificate
ndash Check SQL Server Configuration Manager gt SQL Server Services gt SQL Server (SQL) gt Log On
ndash Default is NT ServiceMSSQL$SQL which does not have the necessary permissions
App Volumes
ABV1592BE CONFIDENTIAL 63
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and SQL Server CommunicationSetting Custom Private Key Permissions for SQL Service Account
bull Start on the SQL Server
bull MMC gt Certificates
App Volumes
ABV1592BE CONFIDENTIAL 64
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and Load Balancers
Typical Deployment
SSL is terminated at load balancer
HTTP between LB and AV Manager
SSL between AV Agents and LB
If trusted CA-signed cert is used for LB be
sure all agents trust the CA
App Volumes Agent VMs
Load Balancer
App Volumes Manager VMs
Alternative Deployment
To keep SSL between LB and AV
Manager signed AV Manager
certificate(s) should be added to trust list
of the LB
SQLView Infrastructure
Now Secured with SSL
Certificates
App Volumes
ABV1592BE CONFIDENTIAL 65
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
1 Support Ticket to GSSCertificates
4
VMworld 2017 Content Not fo
r publication or distri
bution
Configuring Certificates for Horizon
bull Read the updated certificates guide httpbitly2uMhcRA
bull Replace self-signed certs on CS SS UAG Composer and vCenter
ndash Internal communications
bull Use SVIconfig for Composer server
bull Use Certificate Automation Tool for vCenter (vSphere 55)
bull Rename the self-signed generated certificate
5
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Troubleshooting Certificates for Horizon
6
bull Key issues when creating certs from 3rd parties or CA
ndash Make sure compatibility level is Windows 2003
ndash Make sure key is exportable
bull Key issues when using your own Microsoft CA
ndash Make sure the Subject name is your DNS name
ndash Set DNS SubjectAltNames for DNS name including IP and localhost
bull Common symptoms of certificate issues
ndash Services fail to start after certificate replacement
ndash Default 404 page after certificate replacement
bull Most referenced KB articles for successful troubleshooting
ndash httpskbvmwarecomkb2032400
ndash httpskbvmwarecomkb2068666
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Setting Subject Names and SANs
7
with Microsoft Certificate Templates
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Configuring Certificates for Unified Access Gateway
8
bull Replace the default self-signed certificate
bull Certificates that you import into the Unified Access Gateway appliance must be trusted by client machines
bull Must also be applicable to all instances of Unified Access Gateway and any load balancer
ndash Use either wildcards or Subject Alternative Name (SAN) certificates
bull Detailed instructions httpbitly2gN17VE
UnifiedAccess
Gateway
Unified Access Gateway
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Unified Access Gateway Certificate Deployment
9
Simplifying and Troubleshooting
bull Automate UAG deployment including trusted certificate
ndash Use OVF Tool or PowerShell
ndash Production-ready deployment in ~1 minute
ndash No longer requires PEM-formatted certificates
bull UAG 30 and above accepts PKCS12 (p12 or pfx) formatted certificates
ndash Guide to scripted deployment httpscommunitiesvmwarecomdocsDOC-30835
bull Includes sample INI and PS1 files
bull Includes troubleshooting examples
Unified Access Gateway
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Certificates with App Volumes ManagerReplace Self-Signed Cert with a CA-Signed Cert Trusted by the App Volumes Agent
Options to Enable SSL
bull Replace self-signed certificate on App Volumes Manager server with a cert trusted by App Volumes Agent VMs
bull User guide httpbitly2vlzgxX
bull Step-by-step blog with video httpbitly2ung7yE
Recommended for SSL
bull Use SSL for SQL Server Communication
bull Accept a CA-signed certificate from vCenter
App Volumes
ABV1592BE CONFIDENTIAL 10
VMworld 2017 Content Not fo
r publication or distri
bution
App Volumes Certificates
bull Certificate validation between App Volumes Manager and vCenter
bull Certificate validation for App Volumes Agent
ndash POC versus Production implementation
bull Secure communications between App Volumes and Microsoft SQL server
bull Applying certificates in load balanced configurations
11
Additional Considerations
App Volumes
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Avoiding Certificate IssuesBe Consistent with App Volumes Manager Name
ABV1592BE CONFIDENTIAL 12
VMworld 2017 Content Not fo
r publication or distri
bution
VMware Horizon Log Locations
Core
Infrastructure
Active
Directory
vCenter
Server
vRealize
Operations
Manager for
Horizon
Database
(SQL)
vSphere
vSAN
SaaS Mobile
Apps
Applications
(App Volumes)
VMware
Identity
Manager
User
Workspace
User
Environment
IT
Settings
User
Profile
End-Point Clients
VMware Horizon
RDS
Desktops amp Apps
Virtual Desktop Pools
Unified
Access
Gateway
Connection
Server
View
Composer
Logs can be collected fromhellip
Use KB1017939 for log locations and KB1025887 to change log levels
ABV1592BE CONFIDENTIAL 13
VMworld 2017 Content Not fo
r publication or distri
bution
VMware Unified Access Gateway (UAG) Logs
14
Log Files
bull Default log level is INFO
bull Adjust log level for debugging information
ndash Details of log levels and collecting log files httpbitly2ufqdAY
Monitoring
bull Monitor UAG services from the Admin UI
Unified Access Gateway
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
App Volumes Logs
15
rdquoDJrdquo indicates
Manager
background
job
ldquoRrdquo indicates
dynamic Ruby
job
Log files are
now created
daily
bull Use Notepad++ to quickly group log entries by task
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
User Environment Manager Logs
bull Configure debug logging for individual user
ndash httpskbvmwarecomkb2113514
Global and Individual Debug Logs
User Environment Manager
ABV1592BE CONFIDENTIAL 16
VMworld 2017 Content Not fo
r publication or distri
bution
Application Personalization amp DirectFlex
User Session
Profile Data Store (File Share)
Base
Profile
UEM
LogonImport of Keyboard
Mouse Wallpaper
Windows Settings
Application
LaunchImport of application
settings
Application
ShutdownExport of application
settings
UEM
LogoffExport of Keyboard
Mouse Wallpaper
Windows Settings
Time
User Environment Manager
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
DirectFlex Logging
18
User Environment Manager
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
DirectFlex Import
19
Directflex Import
User Environment Manager
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
DirectFlex Export
20
Directflex Export
User Environment Manager
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Tracking Sessions
bull Use TailGrep Utilities or Trace32 (SCCM Toolkit)
21
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Demo ndash Log Monitoring with BareTailBareGrep
22
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
HorizonCommon Issues
VMworld 2017 Content Not fo
r publication or distri
bution
Troubleshooting Keys
bull Check Admin Dashboard or HelpDesk Tool
bull Understand client connection paths
bull Set the appropriate Logging Level
bull Check Logs and understand DCT Tool
bull Use kbvmwarecom or communities
24
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon Helpdesk Tool
25
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon Helpdesk Tool Session Details
26
Access
bull Installed by default on CS
bull https[CS FQDN]helpdesk
bull Launch from Horizon Console
Provides
bull Metrics
bull Send Message
bull Remote Assistance
bull Quick Resolution
bull Restart
bull Logoff
bull Reset
bull Disconnect
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon Helpdesk Tool
27
Measuring Impact of AppStacks
No AppStacks
Three AppStacks ndash VLC Notepad++ 7-Zip
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Pool
Profile
Service AppsUser
Remoting
ProtocolUser Environment
Manager
File SharesPersona
ThinApp SharesStreamed
Apps
Master VMInstant
Clone
Home File SharesFolder
Redirection
App Volumes
AppStacks
Writable Volume
Disk
Attachments
vSphere
Virtual SAN
Instant Clone
SaaS Mobile Other Apps
Client(s)
Identity Manager
HTML
APPS
En
viro
nm
en
t
AD
DNS
DHCP
Group
Policy
Certs
vRealize Operations for Horizon ndash (Monitoring amp Mgt)
Identifying the Problem Domain
ABV1592BE CONFIDENTIAL 28
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon Connectivity Issues
bull Common challenges
ndash Horizon Client canrsquot connect
ndash Logon failure
ndash Black screen
ndash Poor quality display
ndash Randomly disconnected session
ABV1592BE CONFIDENTIAL 29
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
30
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Blast Extreme Adaptive TransportADMX Template Settings
Computer gt Policies gt Admin Templates gt VMware Blast gt UDP Protocol
bull Requires restart of Blast service or reboot of guest OS to take effect
BlastExtreme
ABV1592BE CONFIDENTIAL 31
VMworld 2017 Content Not fo
r publication or distri
bution
Blast Extreme Adaptive Transport
Client Settings Agent Settings (UDP) Blast Desktop Connection Broker Connection
Excellent Not configured or Enabled TCP TCP
Typical Not configured or Enabled UDP TCP
Poor Not configured or Enabled UDP UDP
Computer gt Policies gt Admin Templates gt VMware Blast gt UDP Protocol ndash Not Configured or Enabled
HKLMSOFTWAREPoliciesVMware IncVMware BlastConfig ndash UdpEnabled = 1
Client Settings Agent Settings (UDP) Blast Desktop Connection Broker Connection
Excellent Disabled TCP TCP
Typical Disabled TCP TCP
Poor Disabled TCP UDP
Computer gt Policies gt Admin Templates gt VMware Blast gt UDP Protocol ndash Disabled
HKLMSOFTWAREPoliciesVMware IncVMware BlastConfig ndash UdpEnabled = 0
BlastExtreme
ABV1592BE CONFIDENTIAL 32
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon Connectivity Issues
bull Where to look
ndash Connection Broker logs
bull CProgramDataVMwareVDMlogs
ndash Event Database
ndash DCT Tool
bull What to look for ndash
bull (Client connects) [SimpleAJPService] (ajpbrokerRequest9) Request from 19216821 POST brokerxml
bull (Broker authentication) [WinAuthFilter] (SESSION7072--a79c mattc) Attempting to authenticate user mattc in domain FUTUREOFFICErsquo
bull (User has authenticated to Broker) [AuthorizationFilter] (SESSION7072--a79c) User FUTUREOFFICEmattc has successfully authenticated to VDM
bull (Audit Entry) [Audit] (SESSION7072--a79c) BROKER_LOGONUSERFUTUREOFFICEmattcUSERSIDS-1-5-21-326850759-2560684469-1780228732-1113USERDNCN=S-1-5-21-326850759-2560684469-1780228732-1113CN=ForeignSecurityPrincipalsDC=vdiDC=vmwareDC=int
bull Event Database BROKER_USERLOGGEDIN
ABV1592BE CONFIDENTIAL 33
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
User Experience Issues
bull Black screen of deathmdashinstead of desktop
ndash PCoIP port blocked (TCP and UDP 4172) or SVGA Driver issue
ndash pcoip_serverclient logs - CUsersAll UsersVMwareVDMlogs
bull Error attaching to SVGADevTap error 4000 EscapeFailed
bull MGMT_SCHAN scnet_client_open tera_sock_connect returned error 10060 - Connection timed out
ndash Incorrect PCoIP External URL configured for SecurityConnection Servers
ABV1592BE CONFIDENTIAL 34
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
User Experience Issues
bull Poor quality display
ndash Bandwidth latency or QoS
ndash Pcoip_server logs report
bull VGMAC Stat frms Loss=045021 (RT)
bull MGMT_PCOIP_DATA BW Decrease (loss) old = 2349982 new = 1768438
bull Randomly disconnected session
ndash 15 min after established - wssm process hasnt started on desktop
ndash View Agent logs (ltDriveLettergtProgramDataVMwareVDMlogs)
ndash PENDING_EXPIRED
ndash Sometimes caused by daisy-chaining the GINA (WinXP)
ABV1592BE CONFIDENTIAL 35
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Multi-VLAN support for Instant Clone pools
36
Tips to Avoid Deployment Issues
Support
bull vSphere 2016
bull ESXi 60 U1 or newer
bull Virtual Distributed Switch only
ndash No support for Standard Switch
bull Port Group must be configured for Static Port Binding amp Fixed Port Allocation
ndash No support for Dynamic or Ephemeral
Tested Limits
bull No multi-VLAN provisioning with IPv6
bull Single IC pool of 2K VMs
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Multi-VLAN with Horizon Instant Clones
37
Troubleshooting
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Performance
bull Common Issues
ndash Storage IO bottleneck
ndash Memory contention
ndash CPU contention
ndash Network issues
bull Where to look
ndash vCenter Server
ndash VCOPs
ndash ESXTOP
ndash 3rd Party Tools
ABV1592BE CONFIDENTIAL 38
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
The 3 Pillars of Performance
What to look for
bull CPU
ndash ClusterHost utilization lt 90
ndash VM utilization - USED (ESXTOP)
ndash VM RDY Time (ESXTOP) lt 10
bull Memory
ndash Host utilization lt 85
ndash VM utilization
ndash Swapping Ballooning SWCUR gt 1 MCTLSZ gt 1 (ESXTOP)
bull Storage
ndash Disk Read Latency lt 25ms
ndash ESXTOP DAVG or KAVG lt 25ms (ESXTOP)
ABV1592BE CONFIDENTIAL 39
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Optimize Your Images
bull httpslabsvmwarecomflingsvmware-os-optimization-tool
ABV1592BE CONFIDENTIAL 40
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
User Environment ManagerCommon Issues
41
VMworld 2017 Content Not fo
r publication or distri
bution
FlexEngine Appears Not To Run
FlexEngine Client
bull Requires use of Regeditexeor Regexe to modify user-based registry keys
bull Must not be disabled via Local or Group Policy
ADMX Settings
bull Minimum settings to enable FlexEngine Client
bull Check path
ABV1592BE CONFIDENTIAL 42
VMworld 2017 Content Not fo
r publication or distri
bution
Path-Based Import Runs Slow
43
bull Be careful not to run FlexEngine as a logon script and a Group Policy client-side extension
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Application Incompatibility with Hook Drivers
44
User Environment Manager
DirectFlex Blacklist
bull Create ltFlexRepositorygtDirectFlexBlackListXML
bull Populate as follows
ltxml version=10 encoding=utf-8gt
ltuserEnvironmentSettingsgt
ltsetting type=blacklist list=rdquo1exe|2exe|3exe gt
ltuserEnvironmentSettingsgt
bull Example httpskbvmwarecomkb2145287
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
App VolumesCommon Issues
45
VMworld 2017 Content Not fo
r publication or distri
bution
Slow User Logon
46
bull Check Logon Segments in Horizon to determine where the delay is
bull Optimize clockyml
ndash If performance decreases as deployment scales
ndash Increasing servers workers and thread_poolrequires additional CPU and RAM
ndash Involve GSS to ensure optimal settings
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
AppStack Not Attaching at Logon
47
bull One host in vSphere cluster does not have access to the shared datastore where the AppStack resides
ndash Common oversight especially with Storage Groups
bull Conflicting Minifilter driver
ndash DLP software
ndash Be aware of app altitude
ndash More info from Microsoft
bull httpbitly2tSCdG5
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
ADSI Edit ndash Static Configuration Editing
50
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
ADSI Edit ndash Common Key Values to Inspect
bull pae-DisplayName
ndash VM name as displayed in View Admin
bull pae-DirtyForNewSessions
ndash Indicates whether the VM is ldquoDirtyrdquo and can be re-used in a non-persistent pool
bull pae-SVIVMSnapshot
ndash Indicates the current Snapshot that is in use
bull pae-VmPath
ndash Indicates the full Path to the VM in vCenter
bull pae-VmState
ndash Indicates the current state of the Desktop ndash some states are a combination of this valueand other values
51
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
ADSI Edit ndash Searching for a Desktop
bull Find VMs with a Snapshot
ndash (amp(objectClass=pae-VM)(pae-SVIVmSnapshot=BaselineSnapshot1Snapshot2))
bull Find VMs with a Name
ndash (amp(objectClass=pae-VM)(pae-DisplayName=Desktop-234))
ABV1592BE CONFIDENTIAL 52
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon View Event Notifier
bull On the VMware Fling site - labsvmwarecomflings (chrishalstead)
ABV1592BE CONFIDENTIAL 53
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
What to look forhellip (walk through successful connection)
bull Client requests desktop
ndash Event Database BROKER_DESKTOP_REQUEST
bull Broker allocates session to user
ndash [FarmImp] (SESSION7072--a79c) cn=3f974017-409f-4912-83bc-2ee794f22fabou=serversdc=vdidc=vmwaredc=int total session count 0
ndash [FarmImp] (SESSION7072--a79c) allocateNewSession - identified server for application CN=GOLD-NPOU=ApplicationsDC=vdiDC=vmwareDC=int
ndash Event Database BROKER_MACHINE_ALLOCATED
bull Broker attempts SSO
ndash [FarmImp] (SESSION7072--a79c) Using domain for SSO FUTUREOFFICE
ndash User wonrsquot be logged on to the VM without this
ABV1592BE CONFIDENTIAL 54
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
What to look forhellip Pool Provisioning
bull Desktops not available due to provisioning error
ndash Check View Administrator for Pool status check datastore capacity
ndash Check Event Database - BROKER_PROVISIONING_ERROR_
ndash Check View Composer has network access to ESX hosts
bull Desktop not available due to customization
ndash Check Desktop status ndash AGENT UNAVAILABLE
ndash Check View Dashboard
bull Desktop Status gt Preparing Desktops OR Problem Desktops
ndash Check Desktop connectivity to DNSADConnection Server
ABV1592BE CONFIDENTIAL 55
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
bull Desktop not available due to VM resetcrash
ndash Check Desktop status ndash ALREADY USED
ndash Typical on refresh-on-logoff or delete-on-use desktops
ndash Broker never received an explicit logout message from the agent
ndash Missing AGENT_ENDED event in DB for VM
bull View Composer Issues associated with incorrect domain credentials
bull CProgramDataVMwareView ComposerLogs
bull FATAL CSvmGaService - [svmGaServicecpp 116] Domain join failed Error 5 (0x5) Access is denied
ABV1592BE CONFIDENTIAL 56
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
What to look forhellip
bull Broker starts session on VM
ndash [DesktopSessionImp] (SESSION7072--a79c) startSession ndashsending StartSession message
bull Agent respondshellip
ndash DesktopManager got a StartSession messagerdquo
ndash Client Info should be in Agent Log along with PCoIP launch
bull Event Database AGENT_PENDING
bull Client connects to VM (Agent)
ndash ldquoPCoIPCnxOnConnectionComplete Begin (PCOIP)rdquo
ndash ldquoWTS_SESSION_LOGONrdquo
ndash Event Database AGENT_CONNECTED
ABV1592BE CONFIDENTIAL 57
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Source Not Available
58
Common Issues
bull No Desktop Available
bull Pool provisioning issues ndashcustomization
bull Agent not communicatingwith broker
bull Stuck at desktop loginscreen (SSO)
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Source Not Available
59
Where to look
bull Event Database
bull Connection Server logs
What to look for
[SessionLaunchContext] (SESSION40a7__6cbd) VMWEUCbsimpson Desktop=vmworld Session request failed
(SESSION40a7__6cbd) [VMWEUCbsimpson Desktop=vmworld] (5ms) The following servers were blocked for new sessions [cn=5162cf76-8d8a-4ac0-9185-845a540d24e5ou=serversdc=vdidc=vmwaredc=int]
(SESSION40a7__6cbd) [VMWEUCbsimpson Desktop=vmworld] (5ms) Application launch failed exception was The desktop sources for this desktop are not responding Please try again later
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and vCenter Server Connection
Accept vCenter Certificate
By default certificate validation is required between App Volumes Manager and vSphere
Accept vCenter cert (self-signed or CA-signed) while creating the Machine Manager in App Volumes Manager
No custom certificate work required
App Volumes
ABV1592BE CONFIDENTIAL 60
VMworld 2017 Content Not fo
r publication or distri
bution
Certificate Options for ProductionEnable Certificate Validation on the App Volumes Agent
HKLMSystemCurrentControlSetServicessvservicesParametersbull EnforceSSLCertificateValidation = 1bull SSL = 1
Options to Enable SSL
SSL is enabled by default
Donrsquot disable certificate validation during Agent installation
Enable SSL in the registry after App Volumes Agent install
App Volumes
61
VMworld 2017 Content Not fo
r publication or distri
bution
Certificate Options for a POCDisable SSL Certificate Validation on the Agent
HKLMSystemCurrentControlSetServicessvservicesParametersbull EnforceSSLCertificateValidation = 0
Options to Disable SSL
Disable Certificate Validation with App Volumes Manager during App Volumes Agent install
EnforceSSLCertificateValidation in the registry after App Volumes Agent install
App Volumes
62
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and SQL Server CommunicationSecuring Communications Between App Volumes Manager and SQL Server
bull 212 User Guide references MS Support
bull Note the differences for a SQL Server clustered installation
bull Encryption is configured on the SQL Server instance so alldatabases on a shared SQL Server will be affected
bull From the SQL Server use SQL Server Configuration Manager to configure Force Encryption and specify the SQL certificate
SQL Server service account must have Read permissions to the Private Key of the SQL Server SSL certificate
ndash Check SQL Server Configuration Manager gt SQL Server Services gt SQL Server (SQL) gt Log On
ndash Default is NT ServiceMSSQL$SQL which does not have the necessary permissions
App Volumes
ABV1592BE CONFIDENTIAL 63
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and SQL Server CommunicationSetting Custom Private Key Permissions for SQL Service Account
bull Start on the SQL Server
bull MMC gt Certificates
App Volumes
ABV1592BE CONFIDENTIAL 64
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and Load Balancers
Typical Deployment
SSL is terminated at load balancer
HTTP between LB and AV Manager
SSL between AV Agents and LB
If trusted CA-signed cert is used for LB be
sure all agents trust the CA
App Volumes Agent VMs
Load Balancer
App Volumes Manager VMs
Alternative Deployment
To keep SSL between LB and AV
Manager signed AV Manager
certificate(s) should be added to trust list
of the LB
SQLView Infrastructure
Now Secured with SSL
Certificates
App Volumes
ABV1592BE CONFIDENTIAL 65
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
Configuring Certificates for Horizon
bull Read the updated certificates guide httpbitly2uMhcRA
bull Replace self-signed certs on CS SS UAG Composer and vCenter
ndash Internal communications
bull Use SVIconfig for Composer server
bull Use Certificate Automation Tool for vCenter (vSphere 55)
bull Rename the self-signed generated certificate
5
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Troubleshooting Certificates for Horizon
6
bull Key issues when creating certs from 3rd parties or CA
ndash Make sure compatibility level is Windows 2003
ndash Make sure key is exportable
bull Key issues when using your own Microsoft CA
ndash Make sure the Subject name is your DNS name
ndash Set DNS SubjectAltNames for DNS name including IP and localhost
bull Common symptoms of certificate issues
ndash Services fail to start after certificate replacement
ndash Default 404 page after certificate replacement
bull Most referenced KB articles for successful troubleshooting
ndash httpskbvmwarecomkb2032400
ndash httpskbvmwarecomkb2068666
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Setting Subject Names and SANs
7
with Microsoft Certificate Templates
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Configuring Certificates for Unified Access Gateway
8
bull Replace the default self-signed certificate
bull Certificates that you import into the Unified Access Gateway appliance must be trusted by client machines
bull Must also be applicable to all instances of Unified Access Gateway and any load balancer
ndash Use either wildcards or Subject Alternative Name (SAN) certificates
bull Detailed instructions httpbitly2gN17VE
UnifiedAccess
Gateway
Unified Access Gateway
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Unified Access Gateway Certificate Deployment
9
Simplifying and Troubleshooting
bull Automate UAG deployment including trusted certificate
ndash Use OVF Tool or PowerShell
ndash Production-ready deployment in ~1 minute
ndash No longer requires PEM-formatted certificates
bull UAG 30 and above accepts PKCS12 (p12 or pfx) formatted certificates
ndash Guide to scripted deployment httpscommunitiesvmwarecomdocsDOC-30835
bull Includes sample INI and PS1 files
bull Includes troubleshooting examples
Unified Access Gateway
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Certificates with App Volumes ManagerReplace Self-Signed Cert with a CA-Signed Cert Trusted by the App Volumes Agent
Options to Enable SSL
bull Replace self-signed certificate on App Volumes Manager server with a cert trusted by App Volumes Agent VMs
bull User guide httpbitly2vlzgxX
bull Step-by-step blog with video httpbitly2ung7yE
Recommended for SSL
bull Use SSL for SQL Server Communication
bull Accept a CA-signed certificate from vCenter
App Volumes
ABV1592BE CONFIDENTIAL 10
VMworld 2017 Content Not fo
r publication or distri
bution
App Volumes Certificates
bull Certificate validation between App Volumes Manager and vCenter
bull Certificate validation for App Volumes Agent
ndash POC versus Production implementation
bull Secure communications between App Volumes and Microsoft SQL server
bull Applying certificates in load balanced configurations
11
Additional Considerations
App Volumes
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Avoiding Certificate IssuesBe Consistent with App Volumes Manager Name
ABV1592BE CONFIDENTIAL 12
VMworld 2017 Content Not fo
r publication or distri
bution
VMware Horizon Log Locations
Core
Infrastructure
Active
Directory
vCenter
Server
vRealize
Operations
Manager for
Horizon
Database
(SQL)
vSphere
vSAN
SaaS Mobile
Apps
Applications
(App Volumes)
VMware
Identity
Manager
User
Workspace
User
Environment
IT
Settings
User
Profile
End-Point Clients
VMware Horizon
RDS
Desktops amp Apps
Virtual Desktop Pools
Unified
Access
Gateway
Connection
Server
View
Composer
Logs can be collected fromhellip
Use KB1017939 for log locations and KB1025887 to change log levels
ABV1592BE CONFIDENTIAL 13
VMworld 2017 Content Not fo
r publication or distri
bution
VMware Unified Access Gateway (UAG) Logs
14
Log Files
bull Default log level is INFO
bull Adjust log level for debugging information
ndash Details of log levels and collecting log files httpbitly2ufqdAY
Monitoring
bull Monitor UAG services from the Admin UI
Unified Access Gateway
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
App Volumes Logs
15
rdquoDJrdquo indicates
Manager
background
job
ldquoRrdquo indicates
dynamic Ruby
job
Log files are
now created
daily
bull Use Notepad++ to quickly group log entries by task
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
User Environment Manager Logs
bull Configure debug logging for individual user
ndash httpskbvmwarecomkb2113514
Global and Individual Debug Logs
User Environment Manager
ABV1592BE CONFIDENTIAL 16
VMworld 2017 Content Not fo
r publication or distri
bution
Application Personalization amp DirectFlex
User Session
Profile Data Store (File Share)
Base
Profile
UEM
LogonImport of Keyboard
Mouse Wallpaper
Windows Settings
Application
LaunchImport of application
settings
Application
ShutdownExport of application
settings
UEM
LogoffExport of Keyboard
Mouse Wallpaper
Windows Settings
Time
User Environment Manager
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
DirectFlex Logging
18
User Environment Manager
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
DirectFlex Import
19
Directflex Import
User Environment Manager
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
DirectFlex Export
20
Directflex Export
User Environment Manager
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Tracking Sessions
bull Use TailGrep Utilities or Trace32 (SCCM Toolkit)
21
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Demo ndash Log Monitoring with BareTailBareGrep
22
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
HorizonCommon Issues
VMworld 2017 Content Not fo
r publication or distri
bution
Troubleshooting Keys
bull Check Admin Dashboard or HelpDesk Tool
bull Understand client connection paths
bull Set the appropriate Logging Level
bull Check Logs and understand DCT Tool
bull Use kbvmwarecom or communities
24
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon Helpdesk Tool
25
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon Helpdesk Tool Session Details
26
Access
bull Installed by default on CS
bull https[CS FQDN]helpdesk
bull Launch from Horizon Console
Provides
bull Metrics
bull Send Message
bull Remote Assistance
bull Quick Resolution
bull Restart
bull Logoff
bull Reset
bull Disconnect
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon Helpdesk Tool
27
Measuring Impact of AppStacks
No AppStacks
Three AppStacks ndash VLC Notepad++ 7-Zip
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Pool
Profile
Service AppsUser
Remoting
ProtocolUser Environment
Manager
File SharesPersona
ThinApp SharesStreamed
Apps
Master VMInstant
Clone
Home File SharesFolder
Redirection
App Volumes
AppStacks
Writable Volume
Disk
Attachments
vSphere
Virtual SAN
Instant Clone
SaaS Mobile Other Apps
Client(s)
Identity Manager
HTML
APPS
En
viro
nm
en
t
AD
DNS
DHCP
Group
Policy
Certs
vRealize Operations for Horizon ndash (Monitoring amp Mgt)
Identifying the Problem Domain
ABV1592BE CONFIDENTIAL 28
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon Connectivity Issues
bull Common challenges
ndash Horizon Client canrsquot connect
ndash Logon failure
ndash Black screen
ndash Poor quality display
ndash Randomly disconnected session
ABV1592BE CONFIDENTIAL 29
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
30
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Blast Extreme Adaptive TransportADMX Template Settings
Computer gt Policies gt Admin Templates gt VMware Blast gt UDP Protocol
bull Requires restart of Blast service or reboot of guest OS to take effect
BlastExtreme
ABV1592BE CONFIDENTIAL 31
VMworld 2017 Content Not fo
r publication or distri
bution
Blast Extreme Adaptive Transport
Client Settings Agent Settings (UDP) Blast Desktop Connection Broker Connection
Excellent Not configured or Enabled TCP TCP
Typical Not configured or Enabled UDP TCP
Poor Not configured or Enabled UDP UDP
Computer gt Policies gt Admin Templates gt VMware Blast gt UDP Protocol ndash Not Configured or Enabled
HKLMSOFTWAREPoliciesVMware IncVMware BlastConfig ndash UdpEnabled = 1
Client Settings Agent Settings (UDP) Blast Desktop Connection Broker Connection
Excellent Disabled TCP TCP
Typical Disabled TCP TCP
Poor Disabled TCP UDP
Computer gt Policies gt Admin Templates gt VMware Blast gt UDP Protocol ndash Disabled
HKLMSOFTWAREPoliciesVMware IncVMware BlastConfig ndash UdpEnabled = 0
BlastExtreme
ABV1592BE CONFIDENTIAL 32
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon Connectivity Issues
bull Where to look
ndash Connection Broker logs
bull CProgramDataVMwareVDMlogs
ndash Event Database
ndash DCT Tool
bull What to look for ndash
bull (Client connects) [SimpleAJPService] (ajpbrokerRequest9) Request from 19216821 POST brokerxml
bull (Broker authentication) [WinAuthFilter] (SESSION7072--a79c mattc) Attempting to authenticate user mattc in domain FUTUREOFFICErsquo
bull (User has authenticated to Broker) [AuthorizationFilter] (SESSION7072--a79c) User FUTUREOFFICEmattc has successfully authenticated to VDM
bull (Audit Entry) [Audit] (SESSION7072--a79c) BROKER_LOGONUSERFUTUREOFFICEmattcUSERSIDS-1-5-21-326850759-2560684469-1780228732-1113USERDNCN=S-1-5-21-326850759-2560684469-1780228732-1113CN=ForeignSecurityPrincipalsDC=vdiDC=vmwareDC=int
bull Event Database BROKER_USERLOGGEDIN
ABV1592BE CONFIDENTIAL 33
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
User Experience Issues
bull Black screen of deathmdashinstead of desktop
ndash PCoIP port blocked (TCP and UDP 4172) or SVGA Driver issue
ndash pcoip_serverclient logs - CUsersAll UsersVMwareVDMlogs
bull Error attaching to SVGADevTap error 4000 EscapeFailed
bull MGMT_SCHAN scnet_client_open tera_sock_connect returned error 10060 - Connection timed out
ndash Incorrect PCoIP External URL configured for SecurityConnection Servers
ABV1592BE CONFIDENTIAL 34
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
User Experience Issues
bull Poor quality display
ndash Bandwidth latency or QoS
ndash Pcoip_server logs report
bull VGMAC Stat frms Loss=045021 (RT)
bull MGMT_PCOIP_DATA BW Decrease (loss) old = 2349982 new = 1768438
bull Randomly disconnected session
ndash 15 min after established - wssm process hasnt started on desktop
ndash View Agent logs (ltDriveLettergtProgramDataVMwareVDMlogs)
ndash PENDING_EXPIRED
ndash Sometimes caused by daisy-chaining the GINA (WinXP)
ABV1592BE CONFIDENTIAL 35
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Multi-VLAN support for Instant Clone pools
36
Tips to Avoid Deployment Issues
Support
bull vSphere 2016
bull ESXi 60 U1 or newer
bull Virtual Distributed Switch only
ndash No support for Standard Switch
bull Port Group must be configured for Static Port Binding amp Fixed Port Allocation
ndash No support for Dynamic or Ephemeral
Tested Limits
bull No multi-VLAN provisioning with IPv6
bull Single IC pool of 2K VMs
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Multi-VLAN with Horizon Instant Clones
37
Troubleshooting
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Performance
bull Common Issues
ndash Storage IO bottleneck
ndash Memory contention
ndash CPU contention
ndash Network issues
bull Where to look
ndash vCenter Server
ndash VCOPs
ndash ESXTOP
ndash 3rd Party Tools
ABV1592BE CONFIDENTIAL 38
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
The 3 Pillars of Performance
What to look for
bull CPU
ndash ClusterHost utilization lt 90
ndash VM utilization - USED (ESXTOP)
ndash VM RDY Time (ESXTOP) lt 10
bull Memory
ndash Host utilization lt 85
ndash VM utilization
ndash Swapping Ballooning SWCUR gt 1 MCTLSZ gt 1 (ESXTOP)
bull Storage
ndash Disk Read Latency lt 25ms
ndash ESXTOP DAVG or KAVG lt 25ms (ESXTOP)
ABV1592BE CONFIDENTIAL 39
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Optimize Your Images
bull httpslabsvmwarecomflingsvmware-os-optimization-tool
ABV1592BE CONFIDENTIAL 40
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
User Environment ManagerCommon Issues
41
VMworld 2017 Content Not fo
r publication or distri
bution
FlexEngine Appears Not To Run
FlexEngine Client
bull Requires use of Regeditexeor Regexe to modify user-based registry keys
bull Must not be disabled via Local or Group Policy
ADMX Settings
bull Minimum settings to enable FlexEngine Client
bull Check path
ABV1592BE CONFIDENTIAL 42
VMworld 2017 Content Not fo
r publication or distri
bution
Path-Based Import Runs Slow
43
bull Be careful not to run FlexEngine as a logon script and a Group Policy client-side extension
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Application Incompatibility with Hook Drivers
44
User Environment Manager
DirectFlex Blacklist
bull Create ltFlexRepositorygtDirectFlexBlackListXML
bull Populate as follows
ltxml version=10 encoding=utf-8gt
ltuserEnvironmentSettingsgt
ltsetting type=blacklist list=rdquo1exe|2exe|3exe gt
ltuserEnvironmentSettingsgt
bull Example httpskbvmwarecomkb2145287
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
App VolumesCommon Issues
45
VMworld 2017 Content Not fo
r publication or distri
bution
Slow User Logon
46
bull Check Logon Segments in Horizon to determine where the delay is
bull Optimize clockyml
ndash If performance decreases as deployment scales
ndash Increasing servers workers and thread_poolrequires additional CPU and RAM
ndash Involve GSS to ensure optimal settings
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
AppStack Not Attaching at Logon
47
bull One host in vSphere cluster does not have access to the shared datastore where the AppStack resides
ndash Common oversight especially with Storage Groups
bull Conflicting Minifilter driver
ndash DLP software
ndash Be aware of app altitude
ndash More info from Microsoft
bull httpbitly2tSCdG5
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
ADSI Edit ndash Static Configuration Editing
50
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
ADSI Edit ndash Common Key Values to Inspect
bull pae-DisplayName
ndash VM name as displayed in View Admin
bull pae-DirtyForNewSessions
ndash Indicates whether the VM is ldquoDirtyrdquo and can be re-used in a non-persistent pool
bull pae-SVIVMSnapshot
ndash Indicates the current Snapshot that is in use
bull pae-VmPath
ndash Indicates the full Path to the VM in vCenter
bull pae-VmState
ndash Indicates the current state of the Desktop ndash some states are a combination of this valueand other values
51
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
ADSI Edit ndash Searching for a Desktop
bull Find VMs with a Snapshot
ndash (amp(objectClass=pae-VM)(pae-SVIVmSnapshot=BaselineSnapshot1Snapshot2))
bull Find VMs with a Name
ndash (amp(objectClass=pae-VM)(pae-DisplayName=Desktop-234))
ABV1592BE CONFIDENTIAL 52
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon View Event Notifier
bull On the VMware Fling site - labsvmwarecomflings (chrishalstead)
ABV1592BE CONFIDENTIAL 53
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
What to look forhellip (walk through successful connection)
bull Client requests desktop
ndash Event Database BROKER_DESKTOP_REQUEST
bull Broker allocates session to user
ndash [FarmImp] (SESSION7072--a79c) cn=3f974017-409f-4912-83bc-2ee794f22fabou=serversdc=vdidc=vmwaredc=int total session count 0
ndash [FarmImp] (SESSION7072--a79c) allocateNewSession - identified server for application CN=GOLD-NPOU=ApplicationsDC=vdiDC=vmwareDC=int
ndash Event Database BROKER_MACHINE_ALLOCATED
bull Broker attempts SSO
ndash [FarmImp] (SESSION7072--a79c) Using domain for SSO FUTUREOFFICE
ndash User wonrsquot be logged on to the VM without this
ABV1592BE CONFIDENTIAL 54
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
What to look forhellip Pool Provisioning
bull Desktops not available due to provisioning error
ndash Check View Administrator for Pool status check datastore capacity
ndash Check Event Database - BROKER_PROVISIONING_ERROR_
ndash Check View Composer has network access to ESX hosts
bull Desktop not available due to customization
ndash Check Desktop status ndash AGENT UNAVAILABLE
ndash Check View Dashboard
bull Desktop Status gt Preparing Desktops OR Problem Desktops
ndash Check Desktop connectivity to DNSADConnection Server
ABV1592BE CONFIDENTIAL 55
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
bull Desktop not available due to VM resetcrash
ndash Check Desktop status ndash ALREADY USED
ndash Typical on refresh-on-logoff or delete-on-use desktops
ndash Broker never received an explicit logout message from the agent
ndash Missing AGENT_ENDED event in DB for VM
bull View Composer Issues associated with incorrect domain credentials
bull CProgramDataVMwareView ComposerLogs
bull FATAL CSvmGaService - [svmGaServicecpp 116] Domain join failed Error 5 (0x5) Access is denied
ABV1592BE CONFIDENTIAL 56
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
What to look forhellip
bull Broker starts session on VM
ndash [DesktopSessionImp] (SESSION7072--a79c) startSession ndashsending StartSession message
bull Agent respondshellip
ndash DesktopManager got a StartSession messagerdquo
ndash Client Info should be in Agent Log along with PCoIP launch
bull Event Database AGENT_PENDING
bull Client connects to VM (Agent)
ndash ldquoPCoIPCnxOnConnectionComplete Begin (PCOIP)rdquo
ndash ldquoWTS_SESSION_LOGONrdquo
ndash Event Database AGENT_CONNECTED
ABV1592BE CONFIDENTIAL 57
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Source Not Available
58
Common Issues
bull No Desktop Available
bull Pool provisioning issues ndashcustomization
bull Agent not communicatingwith broker
bull Stuck at desktop loginscreen (SSO)
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Source Not Available
59
Where to look
bull Event Database
bull Connection Server logs
What to look for
[SessionLaunchContext] (SESSION40a7__6cbd) VMWEUCbsimpson Desktop=vmworld Session request failed
(SESSION40a7__6cbd) [VMWEUCbsimpson Desktop=vmworld] (5ms) The following servers were blocked for new sessions [cn=5162cf76-8d8a-4ac0-9185-845a540d24e5ou=serversdc=vdidc=vmwaredc=int]
(SESSION40a7__6cbd) [VMWEUCbsimpson Desktop=vmworld] (5ms) Application launch failed exception was The desktop sources for this desktop are not responding Please try again later
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and vCenter Server Connection
Accept vCenter Certificate
By default certificate validation is required between App Volumes Manager and vSphere
Accept vCenter cert (self-signed or CA-signed) while creating the Machine Manager in App Volumes Manager
No custom certificate work required
App Volumes
ABV1592BE CONFIDENTIAL 60
VMworld 2017 Content Not fo
r publication or distri
bution
Certificate Options for ProductionEnable Certificate Validation on the App Volumes Agent
HKLMSystemCurrentControlSetServicessvservicesParametersbull EnforceSSLCertificateValidation = 1bull SSL = 1
Options to Enable SSL
SSL is enabled by default
Donrsquot disable certificate validation during Agent installation
Enable SSL in the registry after App Volumes Agent install
App Volumes
61
VMworld 2017 Content Not fo
r publication or distri
bution
Certificate Options for a POCDisable SSL Certificate Validation on the Agent
HKLMSystemCurrentControlSetServicessvservicesParametersbull EnforceSSLCertificateValidation = 0
Options to Disable SSL
Disable Certificate Validation with App Volumes Manager during App Volumes Agent install
EnforceSSLCertificateValidation in the registry after App Volumes Agent install
App Volumes
62
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and SQL Server CommunicationSecuring Communications Between App Volumes Manager and SQL Server
bull 212 User Guide references MS Support
bull Note the differences for a SQL Server clustered installation
bull Encryption is configured on the SQL Server instance so alldatabases on a shared SQL Server will be affected
bull From the SQL Server use SQL Server Configuration Manager to configure Force Encryption and specify the SQL certificate
SQL Server service account must have Read permissions to the Private Key of the SQL Server SSL certificate
ndash Check SQL Server Configuration Manager gt SQL Server Services gt SQL Server (SQL) gt Log On
ndash Default is NT ServiceMSSQL$SQL which does not have the necessary permissions
App Volumes
ABV1592BE CONFIDENTIAL 63
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and SQL Server CommunicationSetting Custom Private Key Permissions for SQL Service Account
bull Start on the SQL Server
bull MMC gt Certificates
App Volumes
ABV1592BE CONFIDENTIAL 64
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and Load Balancers
Typical Deployment
SSL is terminated at load balancer
HTTP between LB and AV Manager
SSL between AV Agents and LB
If trusted CA-signed cert is used for LB be
sure all agents trust the CA
App Volumes Agent VMs
Load Balancer
App Volumes Manager VMs
Alternative Deployment
To keep SSL between LB and AV
Manager signed AV Manager
certificate(s) should be added to trust list
of the LB
SQLView Infrastructure
Now Secured with SSL
Certificates
App Volumes
ABV1592BE CONFIDENTIAL 65
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
Troubleshooting Certificates for Horizon
6
bull Key issues when creating certs from 3rd parties or CA
ndash Make sure compatibility level is Windows 2003
ndash Make sure key is exportable
bull Key issues when using your own Microsoft CA
ndash Make sure the Subject name is your DNS name
ndash Set DNS SubjectAltNames for DNS name including IP and localhost
bull Common symptoms of certificate issues
ndash Services fail to start after certificate replacement
ndash Default 404 page after certificate replacement
bull Most referenced KB articles for successful troubleshooting
ndash httpskbvmwarecomkb2032400
ndash httpskbvmwarecomkb2068666
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Setting Subject Names and SANs
7
with Microsoft Certificate Templates
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Configuring Certificates for Unified Access Gateway
8
bull Replace the default self-signed certificate
bull Certificates that you import into the Unified Access Gateway appliance must be trusted by client machines
bull Must also be applicable to all instances of Unified Access Gateway and any load balancer
ndash Use either wildcards or Subject Alternative Name (SAN) certificates
bull Detailed instructions httpbitly2gN17VE
UnifiedAccess
Gateway
Unified Access Gateway
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Unified Access Gateway Certificate Deployment
9
Simplifying and Troubleshooting
bull Automate UAG deployment including trusted certificate
ndash Use OVF Tool or PowerShell
ndash Production-ready deployment in ~1 minute
ndash No longer requires PEM-formatted certificates
bull UAG 30 and above accepts PKCS12 (p12 or pfx) formatted certificates
ndash Guide to scripted deployment httpscommunitiesvmwarecomdocsDOC-30835
bull Includes sample INI and PS1 files
bull Includes troubleshooting examples
Unified Access Gateway
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Certificates with App Volumes ManagerReplace Self-Signed Cert with a CA-Signed Cert Trusted by the App Volumes Agent
Options to Enable SSL
bull Replace self-signed certificate on App Volumes Manager server with a cert trusted by App Volumes Agent VMs
bull User guide httpbitly2vlzgxX
bull Step-by-step blog with video httpbitly2ung7yE
Recommended for SSL
bull Use SSL for SQL Server Communication
bull Accept a CA-signed certificate from vCenter
App Volumes
ABV1592BE CONFIDENTIAL 10
VMworld 2017 Content Not fo
r publication or distri
bution
App Volumes Certificates
bull Certificate validation between App Volumes Manager and vCenter
bull Certificate validation for App Volumes Agent
ndash POC versus Production implementation
bull Secure communications between App Volumes and Microsoft SQL server
bull Applying certificates in load balanced configurations
11
Additional Considerations
App Volumes
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Avoiding Certificate IssuesBe Consistent with App Volumes Manager Name
ABV1592BE CONFIDENTIAL 12
VMworld 2017 Content Not fo
r publication or distri
bution
VMware Horizon Log Locations
Core
Infrastructure
Active
Directory
vCenter
Server
vRealize
Operations
Manager for
Horizon
Database
(SQL)
vSphere
vSAN
SaaS Mobile
Apps
Applications
(App Volumes)
VMware
Identity
Manager
User
Workspace
User
Environment
IT
Settings
User
Profile
End-Point Clients
VMware Horizon
RDS
Desktops amp Apps
Virtual Desktop Pools
Unified
Access
Gateway
Connection
Server
View
Composer
Logs can be collected fromhellip
Use KB1017939 for log locations and KB1025887 to change log levels
ABV1592BE CONFIDENTIAL 13
VMworld 2017 Content Not fo
r publication or distri
bution
VMware Unified Access Gateway (UAG) Logs
14
Log Files
bull Default log level is INFO
bull Adjust log level for debugging information
ndash Details of log levels and collecting log files httpbitly2ufqdAY
Monitoring
bull Monitor UAG services from the Admin UI
Unified Access Gateway
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
App Volumes Logs
15
rdquoDJrdquo indicates
Manager
background
job
ldquoRrdquo indicates
dynamic Ruby
job
Log files are
now created
daily
bull Use Notepad++ to quickly group log entries by task
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
User Environment Manager Logs
bull Configure debug logging for individual user
ndash httpskbvmwarecomkb2113514
Global and Individual Debug Logs
User Environment Manager
ABV1592BE CONFIDENTIAL 16
VMworld 2017 Content Not fo
r publication or distri
bution
Application Personalization amp DirectFlex
User Session
Profile Data Store (File Share)
Base
Profile
UEM
LogonImport of Keyboard
Mouse Wallpaper
Windows Settings
Application
LaunchImport of application
settings
Application
ShutdownExport of application
settings
UEM
LogoffExport of Keyboard
Mouse Wallpaper
Windows Settings
Time
User Environment Manager
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
DirectFlex Logging
18
User Environment Manager
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
DirectFlex Import
19
Directflex Import
User Environment Manager
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
DirectFlex Export
20
Directflex Export
User Environment Manager
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Tracking Sessions
bull Use TailGrep Utilities or Trace32 (SCCM Toolkit)
21
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Demo ndash Log Monitoring with BareTailBareGrep
22
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
HorizonCommon Issues
VMworld 2017 Content Not fo
r publication or distri
bution
Troubleshooting Keys
bull Check Admin Dashboard or HelpDesk Tool
bull Understand client connection paths
bull Set the appropriate Logging Level
bull Check Logs and understand DCT Tool
bull Use kbvmwarecom or communities
24
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon Helpdesk Tool
25
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon Helpdesk Tool Session Details
26
Access
bull Installed by default on CS
bull https[CS FQDN]helpdesk
bull Launch from Horizon Console
Provides
bull Metrics
bull Send Message
bull Remote Assistance
bull Quick Resolution
bull Restart
bull Logoff
bull Reset
bull Disconnect
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon Helpdesk Tool
27
Measuring Impact of AppStacks
No AppStacks
Three AppStacks ndash VLC Notepad++ 7-Zip
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Pool
Profile
Service AppsUser
Remoting
ProtocolUser Environment
Manager
File SharesPersona
ThinApp SharesStreamed
Apps
Master VMInstant
Clone
Home File SharesFolder
Redirection
App Volumes
AppStacks
Writable Volume
Disk
Attachments
vSphere
Virtual SAN
Instant Clone
SaaS Mobile Other Apps
Client(s)
Identity Manager
HTML
APPS
En
viro
nm
en
t
AD
DNS
DHCP
Group
Policy
Certs
vRealize Operations for Horizon ndash (Monitoring amp Mgt)
Identifying the Problem Domain
ABV1592BE CONFIDENTIAL 28
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon Connectivity Issues
bull Common challenges
ndash Horizon Client canrsquot connect
ndash Logon failure
ndash Black screen
ndash Poor quality display
ndash Randomly disconnected session
ABV1592BE CONFIDENTIAL 29
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
30
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Blast Extreme Adaptive TransportADMX Template Settings
Computer gt Policies gt Admin Templates gt VMware Blast gt UDP Protocol
bull Requires restart of Blast service or reboot of guest OS to take effect
BlastExtreme
ABV1592BE CONFIDENTIAL 31
VMworld 2017 Content Not fo
r publication or distri
bution
Blast Extreme Adaptive Transport
Client Settings Agent Settings (UDP) Blast Desktop Connection Broker Connection
Excellent Not configured or Enabled TCP TCP
Typical Not configured or Enabled UDP TCP
Poor Not configured or Enabled UDP UDP
Computer gt Policies gt Admin Templates gt VMware Blast gt UDP Protocol ndash Not Configured or Enabled
HKLMSOFTWAREPoliciesVMware IncVMware BlastConfig ndash UdpEnabled = 1
Client Settings Agent Settings (UDP) Blast Desktop Connection Broker Connection
Excellent Disabled TCP TCP
Typical Disabled TCP TCP
Poor Disabled TCP UDP
Computer gt Policies gt Admin Templates gt VMware Blast gt UDP Protocol ndash Disabled
HKLMSOFTWAREPoliciesVMware IncVMware BlastConfig ndash UdpEnabled = 0
BlastExtreme
ABV1592BE CONFIDENTIAL 32
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon Connectivity Issues
bull Where to look
ndash Connection Broker logs
bull CProgramDataVMwareVDMlogs
ndash Event Database
ndash DCT Tool
bull What to look for ndash
bull (Client connects) [SimpleAJPService] (ajpbrokerRequest9) Request from 19216821 POST brokerxml
bull (Broker authentication) [WinAuthFilter] (SESSION7072--a79c mattc) Attempting to authenticate user mattc in domain FUTUREOFFICErsquo
bull (User has authenticated to Broker) [AuthorizationFilter] (SESSION7072--a79c) User FUTUREOFFICEmattc has successfully authenticated to VDM
bull (Audit Entry) [Audit] (SESSION7072--a79c) BROKER_LOGONUSERFUTUREOFFICEmattcUSERSIDS-1-5-21-326850759-2560684469-1780228732-1113USERDNCN=S-1-5-21-326850759-2560684469-1780228732-1113CN=ForeignSecurityPrincipalsDC=vdiDC=vmwareDC=int
bull Event Database BROKER_USERLOGGEDIN
ABV1592BE CONFIDENTIAL 33
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
User Experience Issues
bull Black screen of deathmdashinstead of desktop
ndash PCoIP port blocked (TCP and UDP 4172) or SVGA Driver issue
ndash pcoip_serverclient logs - CUsersAll UsersVMwareVDMlogs
bull Error attaching to SVGADevTap error 4000 EscapeFailed
bull MGMT_SCHAN scnet_client_open tera_sock_connect returned error 10060 - Connection timed out
ndash Incorrect PCoIP External URL configured for SecurityConnection Servers
ABV1592BE CONFIDENTIAL 34
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
User Experience Issues
bull Poor quality display
ndash Bandwidth latency or QoS
ndash Pcoip_server logs report
bull VGMAC Stat frms Loss=045021 (RT)
bull MGMT_PCOIP_DATA BW Decrease (loss) old = 2349982 new = 1768438
bull Randomly disconnected session
ndash 15 min after established - wssm process hasnt started on desktop
ndash View Agent logs (ltDriveLettergtProgramDataVMwareVDMlogs)
ndash PENDING_EXPIRED
ndash Sometimes caused by daisy-chaining the GINA (WinXP)
ABV1592BE CONFIDENTIAL 35
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Multi-VLAN support for Instant Clone pools
36
Tips to Avoid Deployment Issues
Support
bull vSphere 2016
bull ESXi 60 U1 or newer
bull Virtual Distributed Switch only
ndash No support for Standard Switch
bull Port Group must be configured for Static Port Binding amp Fixed Port Allocation
ndash No support for Dynamic or Ephemeral
Tested Limits
bull No multi-VLAN provisioning with IPv6
bull Single IC pool of 2K VMs
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Multi-VLAN with Horizon Instant Clones
37
Troubleshooting
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Performance
bull Common Issues
ndash Storage IO bottleneck
ndash Memory contention
ndash CPU contention
ndash Network issues
bull Where to look
ndash vCenter Server
ndash VCOPs
ndash ESXTOP
ndash 3rd Party Tools
ABV1592BE CONFIDENTIAL 38
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
The 3 Pillars of Performance
What to look for
bull CPU
ndash ClusterHost utilization lt 90
ndash VM utilization - USED (ESXTOP)
ndash VM RDY Time (ESXTOP) lt 10
bull Memory
ndash Host utilization lt 85
ndash VM utilization
ndash Swapping Ballooning SWCUR gt 1 MCTLSZ gt 1 (ESXTOP)
bull Storage
ndash Disk Read Latency lt 25ms
ndash ESXTOP DAVG or KAVG lt 25ms (ESXTOP)
ABV1592BE CONFIDENTIAL 39
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Optimize Your Images
bull httpslabsvmwarecomflingsvmware-os-optimization-tool
ABV1592BE CONFIDENTIAL 40
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
User Environment ManagerCommon Issues
41
VMworld 2017 Content Not fo
r publication or distri
bution
FlexEngine Appears Not To Run
FlexEngine Client
bull Requires use of Regeditexeor Regexe to modify user-based registry keys
bull Must not be disabled via Local or Group Policy
ADMX Settings
bull Minimum settings to enable FlexEngine Client
bull Check path
ABV1592BE CONFIDENTIAL 42
VMworld 2017 Content Not fo
r publication or distri
bution
Path-Based Import Runs Slow
43
bull Be careful not to run FlexEngine as a logon script and a Group Policy client-side extension
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Application Incompatibility with Hook Drivers
44
User Environment Manager
DirectFlex Blacklist
bull Create ltFlexRepositorygtDirectFlexBlackListXML
bull Populate as follows
ltxml version=10 encoding=utf-8gt
ltuserEnvironmentSettingsgt
ltsetting type=blacklist list=rdquo1exe|2exe|3exe gt
ltuserEnvironmentSettingsgt
bull Example httpskbvmwarecomkb2145287
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
App VolumesCommon Issues
45
VMworld 2017 Content Not fo
r publication or distri
bution
Slow User Logon
46
bull Check Logon Segments in Horizon to determine where the delay is
bull Optimize clockyml
ndash If performance decreases as deployment scales
ndash Increasing servers workers and thread_poolrequires additional CPU and RAM
ndash Involve GSS to ensure optimal settings
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
AppStack Not Attaching at Logon
47
bull One host in vSphere cluster does not have access to the shared datastore where the AppStack resides
ndash Common oversight especially with Storage Groups
bull Conflicting Minifilter driver
ndash DLP software
ndash Be aware of app altitude
ndash More info from Microsoft
bull httpbitly2tSCdG5
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
ADSI Edit ndash Static Configuration Editing
50
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
ADSI Edit ndash Common Key Values to Inspect
bull pae-DisplayName
ndash VM name as displayed in View Admin
bull pae-DirtyForNewSessions
ndash Indicates whether the VM is ldquoDirtyrdquo and can be re-used in a non-persistent pool
bull pae-SVIVMSnapshot
ndash Indicates the current Snapshot that is in use
bull pae-VmPath
ndash Indicates the full Path to the VM in vCenter
bull pae-VmState
ndash Indicates the current state of the Desktop ndash some states are a combination of this valueand other values
51
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
ADSI Edit ndash Searching for a Desktop
bull Find VMs with a Snapshot
ndash (amp(objectClass=pae-VM)(pae-SVIVmSnapshot=BaselineSnapshot1Snapshot2))
bull Find VMs with a Name
ndash (amp(objectClass=pae-VM)(pae-DisplayName=Desktop-234))
ABV1592BE CONFIDENTIAL 52
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon View Event Notifier
bull On the VMware Fling site - labsvmwarecomflings (chrishalstead)
ABV1592BE CONFIDENTIAL 53
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
What to look forhellip (walk through successful connection)
bull Client requests desktop
ndash Event Database BROKER_DESKTOP_REQUEST
bull Broker allocates session to user
ndash [FarmImp] (SESSION7072--a79c) cn=3f974017-409f-4912-83bc-2ee794f22fabou=serversdc=vdidc=vmwaredc=int total session count 0
ndash [FarmImp] (SESSION7072--a79c) allocateNewSession - identified server for application CN=GOLD-NPOU=ApplicationsDC=vdiDC=vmwareDC=int
ndash Event Database BROKER_MACHINE_ALLOCATED
bull Broker attempts SSO
ndash [FarmImp] (SESSION7072--a79c) Using domain for SSO FUTUREOFFICE
ndash User wonrsquot be logged on to the VM without this
ABV1592BE CONFIDENTIAL 54
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
What to look forhellip Pool Provisioning
bull Desktops not available due to provisioning error
ndash Check View Administrator for Pool status check datastore capacity
ndash Check Event Database - BROKER_PROVISIONING_ERROR_
ndash Check View Composer has network access to ESX hosts
bull Desktop not available due to customization
ndash Check Desktop status ndash AGENT UNAVAILABLE
ndash Check View Dashboard
bull Desktop Status gt Preparing Desktops OR Problem Desktops
ndash Check Desktop connectivity to DNSADConnection Server
ABV1592BE CONFIDENTIAL 55
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
bull Desktop not available due to VM resetcrash
ndash Check Desktop status ndash ALREADY USED
ndash Typical on refresh-on-logoff or delete-on-use desktops
ndash Broker never received an explicit logout message from the agent
ndash Missing AGENT_ENDED event in DB for VM
bull View Composer Issues associated with incorrect domain credentials
bull CProgramDataVMwareView ComposerLogs
bull FATAL CSvmGaService - [svmGaServicecpp 116] Domain join failed Error 5 (0x5) Access is denied
ABV1592BE CONFIDENTIAL 56
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
What to look forhellip
bull Broker starts session on VM
ndash [DesktopSessionImp] (SESSION7072--a79c) startSession ndashsending StartSession message
bull Agent respondshellip
ndash DesktopManager got a StartSession messagerdquo
ndash Client Info should be in Agent Log along with PCoIP launch
bull Event Database AGENT_PENDING
bull Client connects to VM (Agent)
ndash ldquoPCoIPCnxOnConnectionComplete Begin (PCOIP)rdquo
ndash ldquoWTS_SESSION_LOGONrdquo
ndash Event Database AGENT_CONNECTED
ABV1592BE CONFIDENTIAL 57
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Source Not Available
58
Common Issues
bull No Desktop Available
bull Pool provisioning issues ndashcustomization
bull Agent not communicatingwith broker
bull Stuck at desktop loginscreen (SSO)
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Source Not Available
59
Where to look
bull Event Database
bull Connection Server logs
What to look for
[SessionLaunchContext] (SESSION40a7__6cbd) VMWEUCbsimpson Desktop=vmworld Session request failed
(SESSION40a7__6cbd) [VMWEUCbsimpson Desktop=vmworld] (5ms) The following servers were blocked for new sessions [cn=5162cf76-8d8a-4ac0-9185-845a540d24e5ou=serversdc=vdidc=vmwaredc=int]
(SESSION40a7__6cbd) [VMWEUCbsimpson Desktop=vmworld] (5ms) Application launch failed exception was The desktop sources for this desktop are not responding Please try again later
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and vCenter Server Connection
Accept vCenter Certificate
By default certificate validation is required between App Volumes Manager and vSphere
Accept vCenter cert (self-signed or CA-signed) while creating the Machine Manager in App Volumes Manager
No custom certificate work required
App Volumes
ABV1592BE CONFIDENTIAL 60
VMworld 2017 Content Not fo
r publication or distri
bution
Certificate Options for ProductionEnable Certificate Validation on the App Volumes Agent
HKLMSystemCurrentControlSetServicessvservicesParametersbull EnforceSSLCertificateValidation = 1bull SSL = 1
Options to Enable SSL
SSL is enabled by default
Donrsquot disable certificate validation during Agent installation
Enable SSL in the registry after App Volumes Agent install
App Volumes
61
VMworld 2017 Content Not fo
r publication or distri
bution
Certificate Options for a POCDisable SSL Certificate Validation on the Agent
HKLMSystemCurrentControlSetServicessvservicesParametersbull EnforceSSLCertificateValidation = 0
Options to Disable SSL
Disable Certificate Validation with App Volumes Manager during App Volumes Agent install
EnforceSSLCertificateValidation in the registry after App Volumes Agent install
App Volumes
62
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and SQL Server CommunicationSecuring Communications Between App Volumes Manager and SQL Server
bull 212 User Guide references MS Support
bull Note the differences for a SQL Server clustered installation
bull Encryption is configured on the SQL Server instance so alldatabases on a shared SQL Server will be affected
bull From the SQL Server use SQL Server Configuration Manager to configure Force Encryption and specify the SQL certificate
SQL Server service account must have Read permissions to the Private Key of the SQL Server SSL certificate
ndash Check SQL Server Configuration Manager gt SQL Server Services gt SQL Server (SQL) gt Log On
ndash Default is NT ServiceMSSQL$SQL which does not have the necessary permissions
App Volumes
ABV1592BE CONFIDENTIAL 63
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and SQL Server CommunicationSetting Custom Private Key Permissions for SQL Service Account
bull Start on the SQL Server
bull MMC gt Certificates
App Volumes
ABV1592BE CONFIDENTIAL 64
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and Load Balancers
Typical Deployment
SSL is terminated at load balancer
HTTP between LB and AV Manager
SSL between AV Agents and LB
If trusted CA-signed cert is used for LB be
sure all agents trust the CA
App Volumes Agent VMs
Load Balancer
App Volumes Manager VMs
Alternative Deployment
To keep SSL between LB and AV
Manager signed AV Manager
certificate(s) should be added to trust list
of the LB
SQLView Infrastructure
Now Secured with SSL
Certificates
App Volumes
ABV1592BE CONFIDENTIAL 65
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
Setting Subject Names and SANs
7
with Microsoft Certificate Templates
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Configuring Certificates for Unified Access Gateway
8
bull Replace the default self-signed certificate
bull Certificates that you import into the Unified Access Gateway appliance must be trusted by client machines
bull Must also be applicable to all instances of Unified Access Gateway and any load balancer
ndash Use either wildcards or Subject Alternative Name (SAN) certificates
bull Detailed instructions httpbitly2gN17VE
UnifiedAccess
Gateway
Unified Access Gateway
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Unified Access Gateway Certificate Deployment
9
Simplifying and Troubleshooting
bull Automate UAG deployment including trusted certificate
ndash Use OVF Tool or PowerShell
ndash Production-ready deployment in ~1 minute
ndash No longer requires PEM-formatted certificates
bull UAG 30 and above accepts PKCS12 (p12 or pfx) formatted certificates
ndash Guide to scripted deployment httpscommunitiesvmwarecomdocsDOC-30835
bull Includes sample INI and PS1 files
bull Includes troubleshooting examples
Unified Access Gateway
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Certificates with App Volumes ManagerReplace Self-Signed Cert with a CA-Signed Cert Trusted by the App Volumes Agent
Options to Enable SSL
bull Replace self-signed certificate on App Volumes Manager server with a cert trusted by App Volumes Agent VMs
bull User guide httpbitly2vlzgxX
bull Step-by-step blog with video httpbitly2ung7yE
Recommended for SSL
bull Use SSL for SQL Server Communication
bull Accept a CA-signed certificate from vCenter
App Volumes
ABV1592BE CONFIDENTIAL 10
VMworld 2017 Content Not fo
r publication or distri
bution
App Volumes Certificates
bull Certificate validation between App Volumes Manager and vCenter
bull Certificate validation for App Volumes Agent
ndash POC versus Production implementation
bull Secure communications between App Volumes and Microsoft SQL server
bull Applying certificates in load balanced configurations
11
Additional Considerations
App Volumes
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Avoiding Certificate IssuesBe Consistent with App Volumes Manager Name
ABV1592BE CONFIDENTIAL 12
VMworld 2017 Content Not fo
r publication or distri
bution
VMware Horizon Log Locations
Core
Infrastructure
Active
Directory
vCenter
Server
vRealize
Operations
Manager for
Horizon
Database
(SQL)
vSphere
vSAN
SaaS Mobile
Apps
Applications
(App Volumes)
VMware
Identity
Manager
User
Workspace
User
Environment
IT
Settings
User
Profile
End-Point Clients
VMware Horizon
RDS
Desktops amp Apps
Virtual Desktop Pools
Unified
Access
Gateway
Connection
Server
View
Composer
Logs can be collected fromhellip
Use KB1017939 for log locations and KB1025887 to change log levels
ABV1592BE CONFIDENTIAL 13
VMworld 2017 Content Not fo
r publication or distri
bution
VMware Unified Access Gateway (UAG) Logs
14
Log Files
bull Default log level is INFO
bull Adjust log level for debugging information
ndash Details of log levels and collecting log files httpbitly2ufqdAY
Monitoring
bull Monitor UAG services from the Admin UI
Unified Access Gateway
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
App Volumes Logs
15
rdquoDJrdquo indicates
Manager
background
job
ldquoRrdquo indicates
dynamic Ruby
job
Log files are
now created
daily
bull Use Notepad++ to quickly group log entries by task
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
User Environment Manager Logs
bull Configure debug logging for individual user
ndash httpskbvmwarecomkb2113514
Global and Individual Debug Logs
User Environment Manager
ABV1592BE CONFIDENTIAL 16
VMworld 2017 Content Not fo
r publication or distri
bution
Application Personalization amp DirectFlex
User Session
Profile Data Store (File Share)
Base
Profile
UEM
LogonImport of Keyboard
Mouse Wallpaper
Windows Settings
Application
LaunchImport of application
settings
Application
ShutdownExport of application
settings
UEM
LogoffExport of Keyboard
Mouse Wallpaper
Windows Settings
Time
User Environment Manager
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
DirectFlex Logging
18
User Environment Manager
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
DirectFlex Import
19
Directflex Import
User Environment Manager
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
DirectFlex Export
20
Directflex Export
User Environment Manager
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Tracking Sessions
bull Use TailGrep Utilities or Trace32 (SCCM Toolkit)
21
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Demo ndash Log Monitoring with BareTailBareGrep
22
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
HorizonCommon Issues
VMworld 2017 Content Not fo
r publication or distri
bution
Troubleshooting Keys
bull Check Admin Dashboard or HelpDesk Tool
bull Understand client connection paths
bull Set the appropriate Logging Level
bull Check Logs and understand DCT Tool
bull Use kbvmwarecom or communities
24
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon Helpdesk Tool
25
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon Helpdesk Tool Session Details
26
Access
bull Installed by default on CS
bull https[CS FQDN]helpdesk
bull Launch from Horizon Console
Provides
bull Metrics
bull Send Message
bull Remote Assistance
bull Quick Resolution
bull Restart
bull Logoff
bull Reset
bull Disconnect
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon Helpdesk Tool
27
Measuring Impact of AppStacks
No AppStacks
Three AppStacks ndash VLC Notepad++ 7-Zip
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Pool
Profile
Service AppsUser
Remoting
ProtocolUser Environment
Manager
File SharesPersona
ThinApp SharesStreamed
Apps
Master VMInstant
Clone
Home File SharesFolder
Redirection
App Volumes
AppStacks
Writable Volume
Disk
Attachments
vSphere
Virtual SAN
Instant Clone
SaaS Mobile Other Apps
Client(s)
Identity Manager
HTML
APPS
En
viro
nm
en
t
AD
DNS
DHCP
Group
Policy
Certs
vRealize Operations for Horizon ndash (Monitoring amp Mgt)
Identifying the Problem Domain
ABV1592BE CONFIDENTIAL 28
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon Connectivity Issues
bull Common challenges
ndash Horizon Client canrsquot connect
ndash Logon failure
ndash Black screen
ndash Poor quality display
ndash Randomly disconnected session
ABV1592BE CONFIDENTIAL 29
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
30
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Blast Extreme Adaptive TransportADMX Template Settings
Computer gt Policies gt Admin Templates gt VMware Blast gt UDP Protocol
bull Requires restart of Blast service or reboot of guest OS to take effect
BlastExtreme
ABV1592BE CONFIDENTIAL 31
VMworld 2017 Content Not fo
r publication or distri
bution
Blast Extreme Adaptive Transport
Client Settings Agent Settings (UDP) Blast Desktop Connection Broker Connection
Excellent Not configured or Enabled TCP TCP
Typical Not configured or Enabled UDP TCP
Poor Not configured or Enabled UDP UDP
Computer gt Policies gt Admin Templates gt VMware Blast gt UDP Protocol ndash Not Configured or Enabled
HKLMSOFTWAREPoliciesVMware IncVMware BlastConfig ndash UdpEnabled = 1
Client Settings Agent Settings (UDP) Blast Desktop Connection Broker Connection
Excellent Disabled TCP TCP
Typical Disabled TCP TCP
Poor Disabled TCP UDP
Computer gt Policies gt Admin Templates gt VMware Blast gt UDP Protocol ndash Disabled
HKLMSOFTWAREPoliciesVMware IncVMware BlastConfig ndash UdpEnabled = 0
BlastExtreme
ABV1592BE CONFIDENTIAL 32
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon Connectivity Issues
bull Where to look
ndash Connection Broker logs
bull CProgramDataVMwareVDMlogs
ndash Event Database
ndash DCT Tool
bull What to look for ndash
bull (Client connects) [SimpleAJPService] (ajpbrokerRequest9) Request from 19216821 POST brokerxml
bull (Broker authentication) [WinAuthFilter] (SESSION7072--a79c mattc) Attempting to authenticate user mattc in domain FUTUREOFFICErsquo
bull (User has authenticated to Broker) [AuthorizationFilter] (SESSION7072--a79c) User FUTUREOFFICEmattc has successfully authenticated to VDM
bull (Audit Entry) [Audit] (SESSION7072--a79c) BROKER_LOGONUSERFUTUREOFFICEmattcUSERSIDS-1-5-21-326850759-2560684469-1780228732-1113USERDNCN=S-1-5-21-326850759-2560684469-1780228732-1113CN=ForeignSecurityPrincipalsDC=vdiDC=vmwareDC=int
bull Event Database BROKER_USERLOGGEDIN
ABV1592BE CONFIDENTIAL 33
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
User Experience Issues
bull Black screen of deathmdashinstead of desktop
ndash PCoIP port blocked (TCP and UDP 4172) or SVGA Driver issue
ndash pcoip_serverclient logs - CUsersAll UsersVMwareVDMlogs
bull Error attaching to SVGADevTap error 4000 EscapeFailed
bull MGMT_SCHAN scnet_client_open tera_sock_connect returned error 10060 - Connection timed out
ndash Incorrect PCoIP External URL configured for SecurityConnection Servers
ABV1592BE CONFIDENTIAL 34
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
User Experience Issues
bull Poor quality display
ndash Bandwidth latency or QoS
ndash Pcoip_server logs report
bull VGMAC Stat frms Loss=045021 (RT)
bull MGMT_PCOIP_DATA BW Decrease (loss) old = 2349982 new = 1768438
bull Randomly disconnected session
ndash 15 min after established - wssm process hasnt started on desktop
ndash View Agent logs (ltDriveLettergtProgramDataVMwareVDMlogs)
ndash PENDING_EXPIRED
ndash Sometimes caused by daisy-chaining the GINA (WinXP)
ABV1592BE CONFIDENTIAL 35
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Multi-VLAN support for Instant Clone pools
36
Tips to Avoid Deployment Issues
Support
bull vSphere 2016
bull ESXi 60 U1 or newer
bull Virtual Distributed Switch only
ndash No support for Standard Switch
bull Port Group must be configured for Static Port Binding amp Fixed Port Allocation
ndash No support for Dynamic or Ephemeral
Tested Limits
bull No multi-VLAN provisioning with IPv6
bull Single IC pool of 2K VMs
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Multi-VLAN with Horizon Instant Clones
37
Troubleshooting
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Performance
bull Common Issues
ndash Storage IO bottleneck
ndash Memory contention
ndash CPU contention
ndash Network issues
bull Where to look
ndash vCenter Server
ndash VCOPs
ndash ESXTOP
ndash 3rd Party Tools
ABV1592BE CONFIDENTIAL 38
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
The 3 Pillars of Performance
What to look for
bull CPU
ndash ClusterHost utilization lt 90
ndash VM utilization - USED (ESXTOP)
ndash VM RDY Time (ESXTOP) lt 10
bull Memory
ndash Host utilization lt 85
ndash VM utilization
ndash Swapping Ballooning SWCUR gt 1 MCTLSZ gt 1 (ESXTOP)
bull Storage
ndash Disk Read Latency lt 25ms
ndash ESXTOP DAVG or KAVG lt 25ms (ESXTOP)
ABV1592BE CONFIDENTIAL 39
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Optimize Your Images
bull httpslabsvmwarecomflingsvmware-os-optimization-tool
ABV1592BE CONFIDENTIAL 40
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
User Environment ManagerCommon Issues
41
VMworld 2017 Content Not fo
r publication or distri
bution
FlexEngine Appears Not To Run
FlexEngine Client
bull Requires use of Regeditexeor Regexe to modify user-based registry keys
bull Must not be disabled via Local or Group Policy
ADMX Settings
bull Minimum settings to enable FlexEngine Client
bull Check path
ABV1592BE CONFIDENTIAL 42
VMworld 2017 Content Not fo
r publication or distri
bution
Path-Based Import Runs Slow
43
bull Be careful not to run FlexEngine as a logon script and a Group Policy client-side extension
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Application Incompatibility with Hook Drivers
44
User Environment Manager
DirectFlex Blacklist
bull Create ltFlexRepositorygtDirectFlexBlackListXML
bull Populate as follows
ltxml version=10 encoding=utf-8gt
ltuserEnvironmentSettingsgt
ltsetting type=blacklist list=rdquo1exe|2exe|3exe gt
ltuserEnvironmentSettingsgt
bull Example httpskbvmwarecomkb2145287
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
App VolumesCommon Issues
45
VMworld 2017 Content Not fo
r publication or distri
bution
Slow User Logon
46
bull Check Logon Segments in Horizon to determine where the delay is
bull Optimize clockyml
ndash If performance decreases as deployment scales
ndash Increasing servers workers and thread_poolrequires additional CPU and RAM
ndash Involve GSS to ensure optimal settings
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
AppStack Not Attaching at Logon
47
bull One host in vSphere cluster does not have access to the shared datastore where the AppStack resides
ndash Common oversight especially with Storage Groups
bull Conflicting Minifilter driver
ndash DLP software
ndash Be aware of app altitude
ndash More info from Microsoft
bull httpbitly2tSCdG5
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
ADSI Edit ndash Static Configuration Editing
50
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
ADSI Edit ndash Common Key Values to Inspect
bull pae-DisplayName
ndash VM name as displayed in View Admin
bull pae-DirtyForNewSessions
ndash Indicates whether the VM is ldquoDirtyrdquo and can be re-used in a non-persistent pool
bull pae-SVIVMSnapshot
ndash Indicates the current Snapshot that is in use
bull pae-VmPath
ndash Indicates the full Path to the VM in vCenter
bull pae-VmState
ndash Indicates the current state of the Desktop ndash some states are a combination of this valueand other values
51
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
ADSI Edit ndash Searching for a Desktop
bull Find VMs with a Snapshot
ndash (amp(objectClass=pae-VM)(pae-SVIVmSnapshot=BaselineSnapshot1Snapshot2))
bull Find VMs with a Name
ndash (amp(objectClass=pae-VM)(pae-DisplayName=Desktop-234))
ABV1592BE CONFIDENTIAL 52
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon View Event Notifier
bull On the VMware Fling site - labsvmwarecomflings (chrishalstead)
ABV1592BE CONFIDENTIAL 53
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
What to look forhellip (walk through successful connection)
bull Client requests desktop
ndash Event Database BROKER_DESKTOP_REQUEST
bull Broker allocates session to user
ndash [FarmImp] (SESSION7072--a79c) cn=3f974017-409f-4912-83bc-2ee794f22fabou=serversdc=vdidc=vmwaredc=int total session count 0
ndash [FarmImp] (SESSION7072--a79c) allocateNewSession - identified server for application CN=GOLD-NPOU=ApplicationsDC=vdiDC=vmwareDC=int
ndash Event Database BROKER_MACHINE_ALLOCATED
bull Broker attempts SSO
ndash [FarmImp] (SESSION7072--a79c) Using domain for SSO FUTUREOFFICE
ndash User wonrsquot be logged on to the VM without this
ABV1592BE CONFIDENTIAL 54
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
What to look forhellip Pool Provisioning
bull Desktops not available due to provisioning error
ndash Check View Administrator for Pool status check datastore capacity
ndash Check Event Database - BROKER_PROVISIONING_ERROR_
ndash Check View Composer has network access to ESX hosts
bull Desktop not available due to customization
ndash Check Desktop status ndash AGENT UNAVAILABLE
ndash Check View Dashboard
bull Desktop Status gt Preparing Desktops OR Problem Desktops
ndash Check Desktop connectivity to DNSADConnection Server
ABV1592BE CONFIDENTIAL 55
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
bull Desktop not available due to VM resetcrash
ndash Check Desktop status ndash ALREADY USED
ndash Typical on refresh-on-logoff or delete-on-use desktops
ndash Broker never received an explicit logout message from the agent
ndash Missing AGENT_ENDED event in DB for VM
bull View Composer Issues associated with incorrect domain credentials
bull CProgramDataVMwareView ComposerLogs
bull FATAL CSvmGaService - [svmGaServicecpp 116] Domain join failed Error 5 (0x5) Access is denied
ABV1592BE CONFIDENTIAL 56
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
What to look forhellip
bull Broker starts session on VM
ndash [DesktopSessionImp] (SESSION7072--a79c) startSession ndashsending StartSession message
bull Agent respondshellip
ndash DesktopManager got a StartSession messagerdquo
ndash Client Info should be in Agent Log along with PCoIP launch
bull Event Database AGENT_PENDING
bull Client connects to VM (Agent)
ndash ldquoPCoIPCnxOnConnectionComplete Begin (PCOIP)rdquo
ndash ldquoWTS_SESSION_LOGONrdquo
ndash Event Database AGENT_CONNECTED
ABV1592BE CONFIDENTIAL 57
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Source Not Available
58
Common Issues
bull No Desktop Available
bull Pool provisioning issues ndashcustomization
bull Agent not communicatingwith broker
bull Stuck at desktop loginscreen (SSO)
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Source Not Available
59
Where to look
bull Event Database
bull Connection Server logs
What to look for
[SessionLaunchContext] (SESSION40a7__6cbd) VMWEUCbsimpson Desktop=vmworld Session request failed
(SESSION40a7__6cbd) [VMWEUCbsimpson Desktop=vmworld] (5ms) The following servers were blocked for new sessions [cn=5162cf76-8d8a-4ac0-9185-845a540d24e5ou=serversdc=vdidc=vmwaredc=int]
(SESSION40a7__6cbd) [VMWEUCbsimpson Desktop=vmworld] (5ms) Application launch failed exception was The desktop sources for this desktop are not responding Please try again later
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and vCenter Server Connection
Accept vCenter Certificate
By default certificate validation is required between App Volumes Manager and vSphere
Accept vCenter cert (self-signed or CA-signed) while creating the Machine Manager in App Volumes Manager
No custom certificate work required
App Volumes
ABV1592BE CONFIDENTIAL 60
VMworld 2017 Content Not fo
r publication or distri
bution
Certificate Options for ProductionEnable Certificate Validation on the App Volumes Agent
HKLMSystemCurrentControlSetServicessvservicesParametersbull EnforceSSLCertificateValidation = 1bull SSL = 1
Options to Enable SSL
SSL is enabled by default
Donrsquot disable certificate validation during Agent installation
Enable SSL in the registry after App Volumes Agent install
App Volumes
61
VMworld 2017 Content Not fo
r publication or distri
bution
Certificate Options for a POCDisable SSL Certificate Validation on the Agent
HKLMSystemCurrentControlSetServicessvservicesParametersbull EnforceSSLCertificateValidation = 0
Options to Disable SSL
Disable Certificate Validation with App Volumes Manager during App Volumes Agent install
EnforceSSLCertificateValidation in the registry after App Volumes Agent install
App Volumes
62
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and SQL Server CommunicationSecuring Communications Between App Volumes Manager and SQL Server
bull 212 User Guide references MS Support
bull Note the differences for a SQL Server clustered installation
bull Encryption is configured on the SQL Server instance so alldatabases on a shared SQL Server will be affected
bull From the SQL Server use SQL Server Configuration Manager to configure Force Encryption and specify the SQL certificate
SQL Server service account must have Read permissions to the Private Key of the SQL Server SSL certificate
ndash Check SQL Server Configuration Manager gt SQL Server Services gt SQL Server (SQL) gt Log On
ndash Default is NT ServiceMSSQL$SQL which does not have the necessary permissions
App Volumes
ABV1592BE CONFIDENTIAL 63
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and SQL Server CommunicationSetting Custom Private Key Permissions for SQL Service Account
bull Start on the SQL Server
bull MMC gt Certificates
App Volumes
ABV1592BE CONFIDENTIAL 64
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and Load Balancers
Typical Deployment
SSL is terminated at load balancer
HTTP between LB and AV Manager
SSL between AV Agents and LB
If trusted CA-signed cert is used for LB be
sure all agents trust the CA
App Volumes Agent VMs
Load Balancer
App Volumes Manager VMs
Alternative Deployment
To keep SSL between LB and AV
Manager signed AV Manager
certificate(s) should be added to trust list
of the LB
SQLView Infrastructure
Now Secured with SSL
Certificates
App Volumes
ABV1592BE CONFIDENTIAL 65
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
Configuring Certificates for Unified Access Gateway
8
bull Replace the default self-signed certificate
bull Certificates that you import into the Unified Access Gateway appliance must be trusted by client machines
bull Must also be applicable to all instances of Unified Access Gateway and any load balancer
ndash Use either wildcards or Subject Alternative Name (SAN) certificates
bull Detailed instructions httpbitly2gN17VE
UnifiedAccess
Gateway
Unified Access Gateway
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Unified Access Gateway Certificate Deployment
9
Simplifying and Troubleshooting
bull Automate UAG deployment including trusted certificate
ndash Use OVF Tool or PowerShell
ndash Production-ready deployment in ~1 minute
ndash No longer requires PEM-formatted certificates
bull UAG 30 and above accepts PKCS12 (p12 or pfx) formatted certificates
ndash Guide to scripted deployment httpscommunitiesvmwarecomdocsDOC-30835
bull Includes sample INI and PS1 files
bull Includes troubleshooting examples
Unified Access Gateway
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Certificates with App Volumes ManagerReplace Self-Signed Cert with a CA-Signed Cert Trusted by the App Volumes Agent
Options to Enable SSL
bull Replace self-signed certificate on App Volumes Manager server with a cert trusted by App Volumes Agent VMs
bull User guide httpbitly2vlzgxX
bull Step-by-step blog with video httpbitly2ung7yE
Recommended for SSL
bull Use SSL for SQL Server Communication
bull Accept a CA-signed certificate from vCenter
App Volumes
ABV1592BE CONFIDENTIAL 10
VMworld 2017 Content Not fo
r publication or distri
bution
App Volumes Certificates
bull Certificate validation between App Volumes Manager and vCenter
bull Certificate validation for App Volumes Agent
ndash POC versus Production implementation
bull Secure communications between App Volumes and Microsoft SQL server
bull Applying certificates in load balanced configurations
11
Additional Considerations
App Volumes
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Avoiding Certificate IssuesBe Consistent with App Volumes Manager Name
ABV1592BE CONFIDENTIAL 12
VMworld 2017 Content Not fo
r publication or distri
bution
VMware Horizon Log Locations
Core
Infrastructure
Active
Directory
vCenter
Server
vRealize
Operations
Manager for
Horizon
Database
(SQL)
vSphere
vSAN
SaaS Mobile
Apps
Applications
(App Volumes)
VMware
Identity
Manager
User
Workspace
User
Environment
IT
Settings
User
Profile
End-Point Clients
VMware Horizon
RDS
Desktops amp Apps
Virtual Desktop Pools
Unified
Access
Gateway
Connection
Server
View
Composer
Logs can be collected fromhellip
Use KB1017939 for log locations and KB1025887 to change log levels
ABV1592BE CONFIDENTIAL 13
VMworld 2017 Content Not fo
r publication or distri
bution
VMware Unified Access Gateway (UAG) Logs
14
Log Files
bull Default log level is INFO
bull Adjust log level for debugging information
ndash Details of log levels and collecting log files httpbitly2ufqdAY
Monitoring
bull Monitor UAG services from the Admin UI
Unified Access Gateway
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
App Volumes Logs
15
rdquoDJrdquo indicates
Manager
background
job
ldquoRrdquo indicates
dynamic Ruby
job
Log files are
now created
daily
bull Use Notepad++ to quickly group log entries by task
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
User Environment Manager Logs
bull Configure debug logging for individual user
ndash httpskbvmwarecomkb2113514
Global and Individual Debug Logs
User Environment Manager
ABV1592BE CONFIDENTIAL 16
VMworld 2017 Content Not fo
r publication or distri
bution
Application Personalization amp DirectFlex
User Session
Profile Data Store (File Share)
Base
Profile
UEM
LogonImport of Keyboard
Mouse Wallpaper
Windows Settings
Application
LaunchImport of application
settings
Application
ShutdownExport of application
settings
UEM
LogoffExport of Keyboard
Mouse Wallpaper
Windows Settings
Time
User Environment Manager
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
DirectFlex Logging
18
User Environment Manager
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
DirectFlex Import
19
Directflex Import
User Environment Manager
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
DirectFlex Export
20
Directflex Export
User Environment Manager
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Tracking Sessions
bull Use TailGrep Utilities or Trace32 (SCCM Toolkit)
21
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Demo ndash Log Monitoring with BareTailBareGrep
22
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
HorizonCommon Issues
VMworld 2017 Content Not fo
r publication or distri
bution
Troubleshooting Keys
bull Check Admin Dashboard or HelpDesk Tool
bull Understand client connection paths
bull Set the appropriate Logging Level
bull Check Logs and understand DCT Tool
bull Use kbvmwarecom or communities
24
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon Helpdesk Tool
25
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon Helpdesk Tool Session Details
26
Access
bull Installed by default on CS
bull https[CS FQDN]helpdesk
bull Launch from Horizon Console
Provides
bull Metrics
bull Send Message
bull Remote Assistance
bull Quick Resolution
bull Restart
bull Logoff
bull Reset
bull Disconnect
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon Helpdesk Tool
27
Measuring Impact of AppStacks
No AppStacks
Three AppStacks ndash VLC Notepad++ 7-Zip
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Pool
Profile
Service AppsUser
Remoting
ProtocolUser Environment
Manager
File SharesPersona
ThinApp SharesStreamed
Apps
Master VMInstant
Clone
Home File SharesFolder
Redirection
App Volumes
AppStacks
Writable Volume
Disk
Attachments
vSphere
Virtual SAN
Instant Clone
SaaS Mobile Other Apps
Client(s)
Identity Manager
HTML
APPS
En
viro
nm
en
t
AD
DNS
DHCP
Group
Policy
Certs
vRealize Operations for Horizon ndash (Monitoring amp Mgt)
Identifying the Problem Domain
ABV1592BE CONFIDENTIAL 28
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon Connectivity Issues
bull Common challenges
ndash Horizon Client canrsquot connect
ndash Logon failure
ndash Black screen
ndash Poor quality display
ndash Randomly disconnected session
ABV1592BE CONFIDENTIAL 29
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
30
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Blast Extreme Adaptive TransportADMX Template Settings
Computer gt Policies gt Admin Templates gt VMware Blast gt UDP Protocol
bull Requires restart of Blast service or reboot of guest OS to take effect
BlastExtreme
ABV1592BE CONFIDENTIAL 31
VMworld 2017 Content Not fo
r publication or distri
bution
Blast Extreme Adaptive Transport
Client Settings Agent Settings (UDP) Blast Desktop Connection Broker Connection
Excellent Not configured or Enabled TCP TCP
Typical Not configured or Enabled UDP TCP
Poor Not configured or Enabled UDP UDP
Computer gt Policies gt Admin Templates gt VMware Blast gt UDP Protocol ndash Not Configured or Enabled
HKLMSOFTWAREPoliciesVMware IncVMware BlastConfig ndash UdpEnabled = 1
Client Settings Agent Settings (UDP) Blast Desktop Connection Broker Connection
Excellent Disabled TCP TCP
Typical Disabled TCP TCP
Poor Disabled TCP UDP
Computer gt Policies gt Admin Templates gt VMware Blast gt UDP Protocol ndash Disabled
HKLMSOFTWAREPoliciesVMware IncVMware BlastConfig ndash UdpEnabled = 0
BlastExtreme
ABV1592BE CONFIDENTIAL 32
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon Connectivity Issues
bull Where to look
ndash Connection Broker logs
bull CProgramDataVMwareVDMlogs
ndash Event Database
ndash DCT Tool
bull What to look for ndash
bull (Client connects) [SimpleAJPService] (ajpbrokerRequest9) Request from 19216821 POST brokerxml
bull (Broker authentication) [WinAuthFilter] (SESSION7072--a79c mattc) Attempting to authenticate user mattc in domain FUTUREOFFICErsquo
bull (User has authenticated to Broker) [AuthorizationFilter] (SESSION7072--a79c) User FUTUREOFFICEmattc has successfully authenticated to VDM
bull (Audit Entry) [Audit] (SESSION7072--a79c) BROKER_LOGONUSERFUTUREOFFICEmattcUSERSIDS-1-5-21-326850759-2560684469-1780228732-1113USERDNCN=S-1-5-21-326850759-2560684469-1780228732-1113CN=ForeignSecurityPrincipalsDC=vdiDC=vmwareDC=int
bull Event Database BROKER_USERLOGGEDIN
ABV1592BE CONFIDENTIAL 33
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
User Experience Issues
bull Black screen of deathmdashinstead of desktop
ndash PCoIP port blocked (TCP and UDP 4172) or SVGA Driver issue
ndash pcoip_serverclient logs - CUsersAll UsersVMwareVDMlogs
bull Error attaching to SVGADevTap error 4000 EscapeFailed
bull MGMT_SCHAN scnet_client_open tera_sock_connect returned error 10060 - Connection timed out
ndash Incorrect PCoIP External URL configured for SecurityConnection Servers
ABV1592BE CONFIDENTIAL 34
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
User Experience Issues
bull Poor quality display
ndash Bandwidth latency or QoS
ndash Pcoip_server logs report
bull VGMAC Stat frms Loss=045021 (RT)
bull MGMT_PCOIP_DATA BW Decrease (loss) old = 2349982 new = 1768438
bull Randomly disconnected session
ndash 15 min after established - wssm process hasnt started on desktop
ndash View Agent logs (ltDriveLettergtProgramDataVMwareVDMlogs)
ndash PENDING_EXPIRED
ndash Sometimes caused by daisy-chaining the GINA (WinXP)
ABV1592BE CONFIDENTIAL 35
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Multi-VLAN support for Instant Clone pools
36
Tips to Avoid Deployment Issues
Support
bull vSphere 2016
bull ESXi 60 U1 or newer
bull Virtual Distributed Switch only
ndash No support for Standard Switch
bull Port Group must be configured for Static Port Binding amp Fixed Port Allocation
ndash No support for Dynamic or Ephemeral
Tested Limits
bull No multi-VLAN provisioning with IPv6
bull Single IC pool of 2K VMs
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Multi-VLAN with Horizon Instant Clones
37
Troubleshooting
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Performance
bull Common Issues
ndash Storage IO bottleneck
ndash Memory contention
ndash CPU contention
ndash Network issues
bull Where to look
ndash vCenter Server
ndash VCOPs
ndash ESXTOP
ndash 3rd Party Tools
ABV1592BE CONFIDENTIAL 38
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
The 3 Pillars of Performance
What to look for
bull CPU
ndash ClusterHost utilization lt 90
ndash VM utilization - USED (ESXTOP)
ndash VM RDY Time (ESXTOP) lt 10
bull Memory
ndash Host utilization lt 85
ndash VM utilization
ndash Swapping Ballooning SWCUR gt 1 MCTLSZ gt 1 (ESXTOP)
bull Storage
ndash Disk Read Latency lt 25ms
ndash ESXTOP DAVG or KAVG lt 25ms (ESXTOP)
ABV1592BE CONFIDENTIAL 39
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Optimize Your Images
bull httpslabsvmwarecomflingsvmware-os-optimization-tool
ABV1592BE CONFIDENTIAL 40
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
User Environment ManagerCommon Issues
41
VMworld 2017 Content Not fo
r publication or distri
bution
FlexEngine Appears Not To Run
FlexEngine Client
bull Requires use of Regeditexeor Regexe to modify user-based registry keys
bull Must not be disabled via Local or Group Policy
ADMX Settings
bull Minimum settings to enable FlexEngine Client
bull Check path
ABV1592BE CONFIDENTIAL 42
VMworld 2017 Content Not fo
r publication or distri
bution
Path-Based Import Runs Slow
43
bull Be careful not to run FlexEngine as a logon script and a Group Policy client-side extension
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Application Incompatibility with Hook Drivers
44
User Environment Manager
DirectFlex Blacklist
bull Create ltFlexRepositorygtDirectFlexBlackListXML
bull Populate as follows
ltxml version=10 encoding=utf-8gt
ltuserEnvironmentSettingsgt
ltsetting type=blacklist list=rdquo1exe|2exe|3exe gt
ltuserEnvironmentSettingsgt
bull Example httpskbvmwarecomkb2145287
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
App VolumesCommon Issues
45
VMworld 2017 Content Not fo
r publication or distri
bution
Slow User Logon
46
bull Check Logon Segments in Horizon to determine where the delay is
bull Optimize clockyml
ndash If performance decreases as deployment scales
ndash Increasing servers workers and thread_poolrequires additional CPU and RAM
ndash Involve GSS to ensure optimal settings
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
AppStack Not Attaching at Logon
47
bull One host in vSphere cluster does not have access to the shared datastore where the AppStack resides
ndash Common oversight especially with Storage Groups
bull Conflicting Minifilter driver
ndash DLP software
ndash Be aware of app altitude
ndash More info from Microsoft
bull httpbitly2tSCdG5
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
ADSI Edit ndash Static Configuration Editing
50
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
ADSI Edit ndash Common Key Values to Inspect
bull pae-DisplayName
ndash VM name as displayed in View Admin
bull pae-DirtyForNewSessions
ndash Indicates whether the VM is ldquoDirtyrdquo and can be re-used in a non-persistent pool
bull pae-SVIVMSnapshot
ndash Indicates the current Snapshot that is in use
bull pae-VmPath
ndash Indicates the full Path to the VM in vCenter
bull pae-VmState
ndash Indicates the current state of the Desktop ndash some states are a combination of this valueand other values
51
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
ADSI Edit ndash Searching for a Desktop
bull Find VMs with a Snapshot
ndash (amp(objectClass=pae-VM)(pae-SVIVmSnapshot=BaselineSnapshot1Snapshot2))
bull Find VMs with a Name
ndash (amp(objectClass=pae-VM)(pae-DisplayName=Desktop-234))
ABV1592BE CONFIDENTIAL 52
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon View Event Notifier
bull On the VMware Fling site - labsvmwarecomflings (chrishalstead)
ABV1592BE CONFIDENTIAL 53
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
What to look forhellip (walk through successful connection)
bull Client requests desktop
ndash Event Database BROKER_DESKTOP_REQUEST
bull Broker allocates session to user
ndash [FarmImp] (SESSION7072--a79c) cn=3f974017-409f-4912-83bc-2ee794f22fabou=serversdc=vdidc=vmwaredc=int total session count 0
ndash [FarmImp] (SESSION7072--a79c) allocateNewSession - identified server for application CN=GOLD-NPOU=ApplicationsDC=vdiDC=vmwareDC=int
ndash Event Database BROKER_MACHINE_ALLOCATED
bull Broker attempts SSO
ndash [FarmImp] (SESSION7072--a79c) Using domain for SSO FUTUREOFFICE
ndash User wonrsquot be logged on to the VM without this
ABV1592BE CONFIDENTIAL 54
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
What to look forhellip Pool Provisioning
bull Desktops not available due to provisioning error
ndash Check View Administrator for Pool status check datastore capacity
ndash Check Event Database - BROKER_PROVISIONING_ERROR_
ndash Check View Composer has network access to ESX hosts
bull Desktop not available due to customization
ndash Check Desktop status ndash AGENT UNAVAILABLE
ndash Check View Dashboard
bull Desktop Status gt Preparing Desktops OR Problem Desktops
ndash Check Desktop connectivity to DNSADConnection Server
ABV1592BE CONFIDENTIAL 55
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
bull Desktop not available due to VM resetcrash
ndash Check Desktop status ndash ALREADY USED
ndash Typical on refresh-on-logoff or delete-on-use desktops
ndash Broker never received an explicit logout message from the agent
ndash Missing AGENT_ENDED event in DB for VM
bull View Composer Issues associated with incorrect domain credentials
bull CProgramDataVMwareView ComposerLogs
bull FATAL CSvmGaService - [svmGaServicecpp 116] Domain join failed Error 5 (0x5) Access is denied
ABV1592BE CONFIDENTIAL 56
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
What to look forhellip
bull Broker starts session on VM
ndash [DesktopSessionImp] (SESSION7072--a79c) startSession ndashsending StartSession message
bull Agent respondshellip
ndash DesktopManager got a StartSession messagerdquo
ndash Client Info should be in Agent Log along with PCoIP launch
bull Event Database AGENT_PENDING
bull Client connects to VM (Agent)
ndash ldquoPCoIPCnxOnConnectionComplete Begin (PCOIP)rdquo
ndash ldquoWTS_SESSION_LOGONrdquo
ndash Event Database AGENT_CONNECTED
ABV1592BE CONFIDENTIAL 57
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Source Not Available
58
Common Issues
bull No Desktop Available
bull Pool provisioning issues ndashcustomization
bull Agent not communicatingwith broker
bull Stuck at desktop loginscreen (SSO)
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Source Not Available
59
Where to look
bull Event Database
bull Connection Server logs
What to look for
[SessionLaunchContext] (SESSION40a7__6cbd) VMWEUCbsimpson Desktop=vmworld Session request failed
(SESSION40a7__6cbd) [VMWEUCbsimpson Desktop=vmworld] (5ms) The following servers were blocked for new sessions [cn=5162cf76-8d8a-4ac0-9185-845a540d24e5ou=serversdc=vdidc=vmwaredc=int]
(SESSION40a7__6cbd) [VMWEUCbsimpson Desktop=vmworld] (5ms) Application launch failed exception was The desktop sources for this desktop are not responding Please try again later
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and vCenter Server Connection
Accept vCenter Certificate
By default certificate validation is required between App Volumes Manager and vSphere
Accept vCenter cert (self-signed or CA-signed) while creating the Machine Manager in App Volumes Manager
No custom certificate work required
App Volumes
ABV1592BE CONFIDENTIAL 60
VMworld 2017 Content Not fo
r publication or distri
bution
Certificate Options for ProductionEnable Certificate Validation on the App Volumes Agent
HKLMSystemCurrentControlSetServicessvservicesParametersbull EnforceSSLCertificateValidation = 1bull SSL = 1
Options to Enable SSL
SSL is enabled by default
Donrsquot disable certificate validation during Agent installation
Enable SSL in the registry after App Volumes Agent install
App Volumes
61
VMworld 2017 Content Not fo
r publication or distri
bution
Certificate Options for a POCDisable SSL Certificate Validation on the Agent
HKLMSystemCurrentControlSetServicessvservicesParametersbull EnforceSSLCertificateValidation = 0
Options to Disable SSL
Disable Certificate Validation with App Volumes Manager during App Volumes Agent install
EnforceSSLCertificateValidation in the registry after App Volumes Agent install
App Volumes
62
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and SQL Server CommunicationSecuring Communications Between App Volumes Manager and SQL Server
bull 212 User Guide references MS Support
bull Note the differences for a SQL Server clustered installation
bull Encryption is configured on the SQL Server instance so alldatabases on a shared SQL Server will be affected
bull From the SQL Server use SQL Server Configuration Manager to configure Force Encryption and specify the SQL certificate
SQL Server service account must have Read permissions to the Private Key of the SQL Server SSL certificate
ndash Check SQL Server Configuration Manager gt SQL Server Services gt SQL Server (SQL) gt Log On
ndash Default is NT ServiceMSSQL$SQL which does not have the necessary permissions
App Volumes
ABV1592BE CONFIDENTIAL 63
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and SQL Server CommunicationSetting Custom Private Key Permissions for SQL Service Account
bull Start on the SQL Server
bull MMC gt Certificates
App Volumes
ABV1592BE CONFIDENTIAL 64
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and Load Balancers
Typical Deployment
SSL is terminated at load balancer
HTTP between LB and AV Manager
SSL between AV Agents and LB
If trusted CA-signed cert is used for LB be
sure all agents trust the CA
App Volumes Agent VMs
Load Balancer
App Volumes Manager VMs
Alternative Deployment
To keep SSL between LB and AV
Manager signed AV Manager
certificate(s) should be added to trust list
of the LB
SQLView Infrastructure
Now Secured with SSL
Certificates
App Volumes
ABV1592BE CONFIDENTIAL 65
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
Unified Access Gateway Certificate Deployment
9
Simplifying and Troubleshooting
bull Automate UAG deployment including trusted certificate
ndash Use OVF Tool or PowerShell
ndash Production-ready deployment in ~1 minute
ndash No longer requires PEM-formatted certificates
bull UAG 30 and above accepts PKCS12 (p12 or pfx) formatted certificates
ndash Guide to scripted deployment httpscommunitiesvmwarecomdocsDOC-30835
bull Includes sample INI and PS1 files
bull Includes troubleshooting examples
Unified Access Gateway
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Certificates with App Volumes ManagerReplace Self-Signed Cert with a CA-Signed Cert Trusted by the App Volumes Agent
Options to Enable SSL
bull Replace self-signed certificate on App Volumes Manager server with a cert trusted by App Volumes Agent VMs
bull User guide httpbitly2vlzgxX
bull Step-by-step blog with video httpbitly2ung7yE
Recommended for SSL
bull Use SSL for SQL Server Communication
bull Accept a CA-signed certificate from vCenter
App Volumes
ABV1592BE CONFIDENTIAL 10
VMworld 2017 Content Not fo
r publication or distri
bution
App Volumes Certificates
bull Certificate validation between App Volumes Manager and vCenter
bull Certificate validation for App Volumes Agent
ndash POC versus Production implementation
bull Secure communications between App Volumes and Microsoft SQL server
bull Applying certificates in load balanced configurations
11
Additional Considerations
App Volumes
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Avoiding Certificate IssuesBe Consistent with App Volumes Manager Name
ABV1592BE CONFIDENTIAL 12
VMworld 2017 Content Not fo
r publication or distri
bution
VMware Horizon Log Locations
Core
Infrastructure
Active
Directory
vCenter
Server
vRealize
Operations
Manager for
Horizon
Database
(SQL)
vSphere
vSAN
SaaS Mobile
Apps
Applications
(App Volumes)
VMware
Identity
Manager
User
Workspace
User
Environment
IT
Settings
User
Profile
End-Point Clients
VMware Horizon
RDS
Desktops amp Apps
Virtual Desktop Pools
Unified
Access
Gateway
Connection
Server
View
Composer
Logs can be collected fromhellip
Use KB1017939 for log locations and KB1025887 to change log levels
ABV1592BE CONFIDENTIAL 13
VMworld 2017 Content Not fo
r publication or distri
bution
VMware Unified Access Gateway (UAG) Logs
14
Log Files
bull Default log level is INFO
bull Adjust log level for debugging information
ndash Details of log levels and collecting log files httpbitly2ufqdAY
Monitoring
bull Monitor UAG services from the Admin UI
Unified Access Gateway
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
App Volumes Logs
15
rdquoDJrdquo indicates
Manager
background
job
ldquoRrdquo indicates
dynamic Ruby
job
Log files are
now created
daily
bull Use Notepad++ to quickly group log entries by task
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
User Environment Manager Logs
bull Configure debug logging for individual user
ndash httpskbvmwarecomkb2113514
Global and Individual Debug Logs
User Environment Manager
ABV1592BE CONFIDENTIAL 16
VMworld 2017 Content Not fo
r publication or distri
bution
Application Personalization amp DirectFlex
User Session
Profile Data Store (File Share)
Base
Profile
UEM
LogonImport of Keyboard
Mouse Wallpaper
Windows Settings
Application
LaunchImport of application
settings
Application
ShutdownExport of application
settings
UEM
LogoffExport of Keyboard
Mouse Wallpaper
Windows Settings
Time
User Environment Manager
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
DirectFlex Logging
18
User Environment Manager
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
DirectFlex Import
19
Directflex Import
User Environment Manager
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
DirectFlex Export
20
Directflex Export
User Environment Manager
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Tracking Sessions
bull Use TailGrep Utilities or Trace32 (SCCM Toolkit)
21
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Demo ndash Log Monitoring with BareTailBareGrep
22
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
HorizonCommon Issues
VMworld 2017 Content Not fo
r publication or distri
bution
Troubleshooting Keys
bull Check Admin Dashboard or HelpDesk Tool
bull Understand client connection paths
bull Set the appropriate Logging Level
bull Check Logs and understand DCT Tool
bull Use kbvmwarecom or communities
24
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon Helpdesk Tool
25
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon Helpdesk Tool Session Details
26
Access
bull Installed by default on CS
bull https[CS FQDN]helpdesk
bull Launch from Horizon Console
Provides
bull Metrics
bull Send Message
bull Remote Assistance
bull Quick Resolution
bull Restart
bull Logoff
bull Reset
bull Disconnect
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon Helpdesk Tool
27
Measuring Impact of AppStacks
No AppStacks
Three AppStacks ndash VLC Notepad++ 7-Zip
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Pool
Profile
Service AppsUser
Remoting
ProtocolUser Environment
Manager
File SharesPersona
ThinApp SharesStreamed
Apps
Master VMInstant
Clone
Home File SharesFolder
Redirection
App Volumes
AppStacks
Writable Volume
Disk
Attachments
vSphere
Virtual SAN
Instant Clone
SaaS Mobile Other Apps
Client(s)
Identity Manager
HTML
APPS
En
viro
nm
en
t
AD
DNS
DHCP
Group
Policy
Certs
vRealize Operations for Horizon ndash (Monitoring amp Mgt)
Identifying the Problem Domain
ABV1592BE CONFIDENTIAL 28
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon Connectivity Issues
bull Common challenges
ndash Horizon Client canrsquot connect
ndash Logon failure
ndash Black screen
ndash Poor quality display
ndash Randomly disconnected session
ABV1592BE CONFIDENTIAL 29
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
30
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Blast Extreme Adaptive TransportADMX Template Settings
Computer gt Policies gt Admin Templates gt VMware Blast gt UDP Protocol
bull Requires restart of Blast service or reboot of guest OS to take effect
BlastExtreme
ABV1592BE CONFIDENTIAL 31
VMworld 2017 Content Not fo
r publication or distri
bution
Blast Extreme Adaptive Transport
Client Settings Agent Settings (UDP) Blast Desktop Connection Broker Connection
Excellent Not configured or Enabled TCP TCP
Typical Not configured or Enabled UDP TCP
Poor Not configured or Enabled UDP UDP
Computer gt Policies gt Admin Templates gt VMware Blast gt UDP Protocol ndash Not Configured or Enabled
HKLMSOFTWAREPoliciesVMware IncVMware BlastConfig ndash UdpEnabled = 1
Client Settings Agent Settings (UDP) Blast Desktop Connection Broker Connection
Excellent Disabled TCP TCP
Typical Disabled TCP TCP
Poor Disabled TCP UDP
Computer gt Policies gt Admin Templates gt VMware Blast gt UDP Protocol ndash Disabled
HKLMSOFTWAREPoliciesVMware IncVMware BlastConfig ndash UdpEnabled = 0
BlastExtreme
ABV1592BE CONFIDENTIAL 32
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon Connectivity Issues
bull Where to look
ndash Connection Broker logs
bull CProgramDataVMwareVDMlogs
ndash Event Database
ndash DCT Tool
bull What to look for ndash
bull (Client connects) [SimpleAJPService] (ajpbrokerRequest9) Request from 19216821 POST brokerxml
bull (Broker authentication) [WinAuthFilter] (SESSION7072--a79c mattc) Attempting to authenticate user mattc in domain FUTUREOFFICErsquo
bull (User has authenticated to Broker) [AuthorizationFilter] (SESSION7072--a79c) User FUTUREOFFICEmattc has successfully authenticated to VDM
bull (Audit Entry) [Audit] (SESSION7072--a79c) BROKER_LOGONUSERFUTUREOFFICEmattcUSERSIDS-1-5-21-326850759-2560684469-1780228732-1113USERDNCN=S-1-5-21-326850759-2560684469-1780228732-1113CN=ForeignSecurityPrincipalsDC=vdiDC=vmwareDC=int
bull Event Database BROKER_USERLOGGEDIN
ABV1592BE CONFIDENTIAL 33
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
User Experience Issues
bull Black screen of deathmdashinstead of desktop
ndash PCoIP port blocked (TCP and UDP 4172) or SVGA Driver issue
ndash pcoip_serverclient logs - CUsersAll UsersVMwareVDMlogs
bull Error attaching to SVGADevTap error 4000 EscapeFailed
bull MGMT_SCHAN scnet_client_open tera_sock_connect returned error 10060 - Connection timed out
ndash Incorrect PCoIP External URL configured for SecurityConnection Servers
ABV1592BE CONFIDENTIAL 34
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
User Experience Issues
bull Poor quality display
ndash Bandwidth latency or QoS
ndash Pcoip_server logs report
bull VGMAC Stat frms Loss=045021 (RT)
bull MGMT_PCOIP_DATA BW Decrease (loss) old = 2349982 new = 1768438
bull Randomly disconnected session
ndash 15 min after established - wssm process hasnt started on desktop
ndash View Agent logs (ltDriveLettergtProgramDataVMwareVDMlogs)
ndash PENDING_EXPIRED
ndash Sometimes caused by daisy-chaining the GINA (WinXP)
ABV1592BE CONFIDENTIAL 35
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Multi-VLAN support for Instant Clone pools
36
Tips to Avoid Deployment Issues
Support
bull vSphere 2016
bull ESXi 60 U1 or newer
bull Virtual Distributed Switch only
ndash No support for Standard Switch
bull Port Group must be configured for Static Port Binding amp Fixed Port Allocation
ndash No support for Dynamic or Ephemeral
Tested Limits
bull No multi-VLAN provisioning with IPv6
bull Single IC pool of 2K VMs
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Multi-VLAN with Horizon Instant Clones
37
Troubleshooting
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Performance
bull Common Issues
ndash Storage IO bottleneck
ndash Memory contention
ndash CPU contention
ndash Network issues
bull Where to look
ndash vCenter Server
ndash VCOPs
ndash ESXTOP
ndash 3rd Party Tools
ABV1592BE CONFIDENTIAL 38
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
The 3 Pillars of Performance
What to look for
bull CPU
ndash ClusterHost utilization lt 90
ndash VM utilization - USED (ESXTOP)
ndash VM RDY Time (ESXTOP) lt 10
bull Memory
ndash Host utilization lt 85
ndash VM utilization
ndash Swapping Ballooning SWCUR gt 1 MCTLSZ gt 1 (ESXTOP)
bull Storage
ndash Disk Read Latency lt 25ms
ndash ESXTOP DAVG or KAVG lt 25ms (ESXTOP)
ABV1592BE CONFIDENTIAL 39
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Optimize Your Images
bull httpslabsvmwarecomflingsvmware-os-optimization-tool
ABV1592BE CONFIDENTIAL 40
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
User Environment ManagerCommon Issues
41
VMworld 2017 Content Not fo
r publication or distri
bution
FlexEngine Appears Not To Run
FlexEngine Client
bull Requires use of Regeditexeor Regexe to modify user-based registry keys
bull Must not be disabled via Local or Group Policy
ADMX Settings
bull Minimum settings to enable FlexEngine Client
bull Check path
ABV1592BE CONFIDENTIAL 42
VMworld 2017 Content Not fo
r publication or distri
bution
Path-Based Import Runs Slow
43
bull Be careful not to run FlexEngine as a logon script and a Group Policy client-side extension
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Application Incompatibility with Hook Drivers
44
User Environment Manager
DirectFlex Blacklist
bull Create ltFlexRepositorygtDirectFlexBlackListXML
bull Populate as follows
ltxml version=10 encoding=utf-8gt
ltuserEnvironmentSettingsgt
ltsetting type=blacklist list=rdquo1exe|2exe|3exe gt
ltuserEnvironmentSettingsgt
bull Example httpskbvmwarecomkb2145287
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
App VolumesCommon Issues
45
VMworld 2017 Content Not fo
r publication or distri
bution
Slow User Logon
46
bull Check Logon Segments in Horizon to determine where the delay is
bull Optimize clockyml
ndash If performance decreases as deployment scales
ndash Increasing servers workers and thread_poolrequires additional CPU and RAM
ndash Involve GSS to ensure optimal settings
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
AppStack Not Attaching at Logon
47
bull One host in vSphere cluster does not have access to the shared datastore where the AppStack resides
ndash Common oversight especially with Storage Groups
bull Conflicting Minifilter driver
ndash DLP software
ndash Be aware of app altitude
ndash More info from Microsoft
bull httpbitly2tSCdG5
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
ADSI Edit ndash Static Configuration Editing
50
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
ADSI Edit ndash Common Key Values to Inspect
bull pae-DisplayName
ndash VM name as displayed in View Admin
bull pae-DirtyForNewSessions
ndash Indicates whether the VM is ldquoDirtyrdquo and can be re-used in a non-persistent pool
bull pae-SVIVMSnapshot
ndash Indicates the current Snapshot that is in use
bull pae-VmPath
ndash Indicates the full Path to the VM in vCenter
bull pae-VmState
ndash Indicates the current state of the Desktop ndash some states are a combination of this valueand other values
51
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
ADSI Edit ndash Searching for a Desktop
bull Find VMs with a Snapshot
ndash (amp(objectClass=pae-VM)(pae-SVIVmSnapshot=BaselineSnapshot1Snapshot2))
bull Find VMs with a Name
ndash (amp(objectClass=pae-VM)(pae-DisplayName=Desktop-234))
ABV1592BE CONFIDENTIAL 52
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon View Event Notifier
bull On the VMware Fling site - labsvmwarecomflings (chrishalstead)
ABV1592BE CONFIDENTIAL 53
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
What to look forhellip (walk through successful connection)
bull Client requests desktop
ndash Event Database BROKER_DESKTOP_REQUEST
bull Broker allocates session to user
ndash [FarmImp] (SESSION7072--a79c) cn=3f974017-409f-4912-83bc-2ee794f22fabou=serversdc=vdidc=vmwaredc=int total session count 0
ndash [FarmImp] (SESSION7072--a79c) allocateNewSession - identified server for application CN=GOLD-NPOU=ApplicationsDC=vdiDC=vmwareDC=int
ndash Event Database BROKER_MACHINE_ALLOCATED
bull Broker attempts SSO
ndash [FarmImp] (SESSION7072--a79c) Using domain for SSO FUTUREOFFICE
ndash User wonrsquot be logged on to the VM without this
ABV1592BE CONFIDENTIAL 54
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
What to look forhellip Pool Provisioning
bull Desktops not available due to provisioning error
ndash Check View Administrator for Pool status check datastore capacity
ndash Check Event Database - BROKER_PROVISIONING_ERROR_
ndash Check View Composer has network access to ESX hosts
bull Desktop not available due to customization
ndash Check Desktop status ndash AGENT UNAVAILABLE
ndash Check View Dashboard
bull Desktop Status gt Preparing Desktops OR Problem Desktops
ndash Check Desktop connectivity to DNSADConnection Server
ABV1592BE CONFIDENTIAL 55
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
bull Desktop not available due to VM resetcrash
ndash Check Desktop status ndash ALREADY USED
ndash Typical on refresh-on-logoff or delete-on-use desktops
ndash Broker never received an explicit logout message from the agent
ndash Missing AGENT_ENDED event in DB for VM
bull View Composer Issues associated with incorrect domain credentials
bull CProgramDataVMwareView ComposerLogs
bull FATAL CSvmGaService - [svmGaServicecpp 116] Domain join failed Error 5 (0x5) Access is denied
ABV1592BE CONFIDENTIAL 56
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
What to look forhellip
bull Broker starts session on VM
ndash [DesktopSessionImp] (SESSION7072--a79c) startSession ndashsending StartSession message
bull Agent respondshellip
ndash DesktopManager got a StartSession messagerdquo
ndash Client Info should be in Agent Log along with PCoIP launch
bull Event Database AGENT_PENDING
bull Client connects to VM (Agent)
ndash ldquoPCoIPCnxOnConnectionComplete Begin (PCOIP)rdquo
ndash ldquoWTS_SESSION_LOGONrdquo
ndash Event Database AGENT_CONNECTED
ABV1592BE CONFIDENTIAL 57
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Source Not Available
58
Common Issues
bull No Desktop Available
bull Pool provisioning issues ndashcustomization
bull Agent not communicatingwith broker
bull Stuck at desktop loginscreen (SSO)
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Source Not Available
59
Where to look
bull Event Database
bull Connection Server logs
What to look for
[SessionLaunchContext] (SESSION40a7__6cbd) VMWEUCbsimpson Desktop=vmworld Session request failed
(SESSION40a7__6cbd) [VMWEUCbsimpson Desktop=vmworld] (5ms) The following servers were blocked for new sessions [cn=5162cf76-8d8a-4ac0-9185-845a540d24e5ou=serversdc=vdidc=vmwaredc=int]
(SESSION40a7__6cbd) [VMWEUCbsimpson Desktop=vmworld] (5ms) Application launch failed exception was The desktop sources for this desktop are not responding Please try again later
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and vCenter Server Connection
Accept vCenter Certificate
By default certificate validation is required between App Volumes Manager and vSphere
Accept vCenter cert (self-signed or CA-signed) while creating the Machine Manager in App Volumes Manager
No custom certificate work required
App Volumes
ABV1592BE CONFIDENTIAL 60
VMworld 2017 Content Not fo
r publication or distri
bution
Certificate Options for ProductionEnable Certificate Validation on the App Volumes Agent
HKLMSystemCurrentControlSetServicessvservicesParametersbull EnforceSSLCertificateValidation = 1bull SSL = 1
Options to Enable SSL
SSL is enabled by default
Donrsquot disable certificate validation during Agent installation
Enable SSL in the registry after App Volumes Agent install
App Volumes
61
VMworld 2017 Content Not fo
r publication or distri
bution
Certificate Options for a POCDisable SSL Certificate Validation on the Agent
HKLMSystemCurrentControlSetServicessvservicesParametersbull EnforceSSLCertificateValidation = 0
Options to Disable SSL
Disable Certificate Validation with App Volumes Manager during App Volumes Agent install
EnforceSSLCertificateValidation in the registry after App Volumes Agent install
App Volumes
62
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and SQL Server CommunicationSecuring Communications Between App Volumes Manager and SQL Server
bull 212 User Guide references MS Support
bull Note the differences for a SQL Server clustered installation
bull Encryption is configured on the SQL Server instance so alldatabases on a shared SQL Server will be affected
bull From the SQL Server use SQL Server Configuration Manager to configure Force Encryption and specify the SQL certificate
SQL Server service account must have Read permissions to the Private Key of the SQL Server SSL certificate
ndash Check SQL Server Configuration Manager gt SQL Server Services gt SQL Server (SQL) gt Log On
ndash Default is NT ServiceMSSQL$SQL which does not have the necessary permissions
App Volumes
ABV1592BE CONFIDENTIAL 63
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and SQL Server CommunicationSetting Custom Private Key Permissions for SQL Service Account
bull Start on the SQL Server
bull MMC gt Certificates
App Volumes
ABV1592BE CONFIDENTIAL 64
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and Load Balancers
Typical Deployment
SSL is terminated at load balancer
HTTP between LB and AV Manager
SSL between AV Agents and LB
If trusted CA-signed cert is used for LB be
sure all agents trust the CA
App Volumes Agent VMs
Load Balancer
App Volumes Manager VMs
Alternative Deployment
To keep SSL between LB and AV
Manager signed AV Manager
certificate(s) should be added to trust list
of the LB
SQLView Infrastructure
Now Secured with SSL
Certificates
App Volumes
ABV1592BE CONFIDENTIAL 65
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
Certificates with App Volumes ManagerReplace Self-Signed Cert with a CA-Signed Cert Trusted by the App Volumes Agent
Options to Enable SSL
bull Replace self-signed certificate on App Volumes Manager server with a cert trusted by App Volumes Agent VMs
bull User guide httpbitly2vlzgxX
bull Step-by-step blog with video httpbitly2ung7yE
Recommended for SSL
bull Use SSL for SQL Server Communication
bull Accept a CA-signed certificate from vCenter
App Volumes
ABV1592BE CONFIDENTIAL 10
VMworld 2017 Content Not fo
r publication or distri
bution
App Volumes Certificates
bull Certificate validation between App Volumes Manager and vCenter
bull Certificate validation for App Volumes Agent
ndash POC versus Production implementation
bull Secure communications between App Volumes and Microsoft SQL server
bull Applying certificates in load balanced configurations
11
Additional Considerations
App Volumes
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Avoiding Certificate IssuesBe Consistent with App Volumes Manager Name
ABV1592BE CONFIDENTIAL 12
VMworld 2017 Content Not fo
r publication or distri
bution
VMware Horizon Log Locations
Core
Infrastructure
Active
Directory
vCenter
Server
vRealize
Operations
Manager for
Horizon
Database
(SQL)
vSphere
vSAN
SaaS Mobile
Apps
Applications
(App Volumes)
VMware
Identity
Manager
User
Workspace
User
Environment
IT
Settings
User
Profile
End-Point Clients
VMware Horizon
RDS
Desktops amp Apps
Virtual Desktop Pools
Unified
Access
Gateway
Connection
Server
View
Composer
Logs can be collected fromhellip
Use KB1017939 for log locations and KB1025887 to change log levels
ABV1592BE CONFIDENTIAL 13
VMworld 2017 Content Not fo
r publication or distri
bution
VMware Unified Access Gateway (UAG) Logs
14
Log Files
bull Default log level is INFO
bull Adjust log level for debugging information
ndash Details of log levels and collecting log files httpbitly2ufqdAY
Monitoring
bull Monitor UAG services from the Admin UI
Unified Access Gateway
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
App Volumes Logs
15
rdquoDJrdquo indicates
Manager
background
job
ldquoRrdquo indicates
dynamic Ruby
job
Log files are
now created
daily
bull Use Notepad++ to quickly group log entries by task
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
User Environment Manager Logs
bull Configure debug logging for individual user
ndash httpskbvmwarecomkb2113514
Global and Individual Debug Logs
User Environment Manager
ABV1592BE CONFIDENTIAL 16
VMworld 2017 Content Not fo
r publication or distri
bution
Application Personalization amp DirectFlex
User Session
Profile Data Store (File Share)
Base
Profile
UEM
LogonImport of Keyboard
Mouse Wallpaper
Windows Settings
Application
LaunchImport of application
settings
Application
ShutdownExport of application
settings
UEM
LogoffExport of Keyboard
Mouse Wallpaper
Windows Settings
Time
User Environment Manager
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
DirectFlex Logging
18
User Environment Manager
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
DirectFlex Import
19
Directflex Import
User Environment Manager
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
DirectFlex Export
20
Directflex Export
User Environment Manager
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Tracking Sessions
bull Use TailGrep Utilities or Trace32 (SCCM Toolkit)
21
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Demo ndash Log Monitoring with BareTailBareGrep
22
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
HorizonCommon Issues
VMworld 2017 Content Not fo
r publication or distri
bution
Troubleshooting Keys
bull Check Admin Dashboard or HelpDesk Tool
bull Understand client connection paths
bull Set the appropriate Logging Level
bull Check Logs and understand DCT Tool
bull Use kbvmwarecom or communities
24
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon Helpdesk Tool
25
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon Helpdesk Tool Session Details
26
Access
bull Installed by default on CS
bull https[CS FQDN]helpdesk
bull Launch from Horizon Console
Provides
bull Metrics
bull Send Message
bull Remote Assistance
bull Quick Resolution
bull Restart
bull Logoff
bull Reset
bull Disconnect
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon Helpdesk Tool
27
Measuring Impact of AppStacks
No AppStacks
Three AppStacks ndash VLC Notepad++ 7-Zip
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Pool
Profile
Service AppsUser
Remoting
ProtocolUser Environment
Manager
File SharesPersona
ThinApp SharesStreamed
Apps
Master VMInstant
Clone
Home File SharesFolder
Redirection
App Volumes
AppStacks
Writable Volume
Disk
Attachments
vSphere
Virtual SAN
Instant Clone
SaaS Mobile Other Apps
Client(s)
Identity Manager
HTML
APPS
En
viro
nm
en
t
AD
DNS
DHCP
Group
Policy
Certs
vRealize Operations for Horizon ndash (Monitoring amp Mgt)
Identifying the Problem Domain
ABV1592BE CONFIDENTIAL 28
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon Connectivity Issues
bull Common challenges
ndash Horizon Client canrsquot connect
ndash Logon failure
ndash Black screen
ndash Poor quality display
ndash Randomly disconnected session
ABV1592BE CONFIDENTIAL 29
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
30
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Blast Extreme Adaptive TransportADMX Template Settings
Computer gt Policies gt Admin Templates gt VMware Blast gt UDP Protocol
bull Requires restart of Blast service or reboot of guest OS to take effect
BlastExtreme
ABV1592BE CONFIDENTIAL 31
VMworld 2017 Content Not fo
r publication or distri
bution
Blast Extreme Adaptive Transport
Client Settings Agent Settings (UDP) Blast Desktop Connection Broker Connection
Excellent Not configured or Enabled TCP TCP
Typical Not configured or Enabled UDP TCP
Poor Not configured or Enabled UDP UDP
Computer gt Policies gt Admin Templates gt VMware Blast gt UDP Protocol ndash Not Configured or Enabled
HKLMSOFTWAREPoliciesVMware IncVMware BlastConfig ndash UdpEnabled = 1
Client Settings Agent Settings (UDP) Blast Desktop Connection Broker Connection
Excellent Disabled TCP TCP
Typical Disabled TCP TCP
Poor Disabled TCP UDP
Computer gt Policies gt Admin Templates gt VMware Blast gt UDP Protocol ndash Disabled
HKLMSOFTWAREPoliciesVMware IncVMware BlastConfig ndash UdpEnabled = 0
BlastExtreme
ABV1592BE CONFIDENTIAL 32
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon Connectivity Issues
bull Where to look
ndash Connection Broker logs
bull CProgramDataVMwareVDMlogs
ndash Event Database
ndash DCT Tool
bull What to look for ndash
bull (Client connects) [SimpleAJPService] (ajpbrokerRequest9) Request from 19216821 POST brokerxml
bull (Broker authentication) [WinAuthFilter] (SESSION7072--a79c mattc) Attempting to authenticate user mattc in domain FUTUREOFFICErsquo
bull (User has authenticated to Broker) [AuthorizationFilter] (SESSION7072--a79c) User FUTUREOFFICEmattc has successfully authenticated to VDM
bull (Audit Entry) [Audit] (SESSION7072--a79c) BROKER_LOGONUSERFUTUREOFFICEmattcUSERSIDS-1-5-21-326850759-2560684469-1780228732-1113USERDNCN=S-1-5-21-326850759-2560684469-1780228732-1113CN=ForeignSecurityPrincipalsDC=vdiDC=vmwareDC=int
bull Event Database BROKER_USERLOGGEDIN
ABV1592BE CONFIDENTIAL 33
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
User Experience Issues
bull Black screen of deathmdashinstead of desktop
ndash PCoIP port blocked (TCP and UDP 4172) or SVGA Driver issue
ndash pcoip_serverclient logs - CUsersAll UsersVMwareVDMlogs
bull Error attaching to SVGADevTap error 4000 EscapeFailed
bull MGMT_SCHAN scnet_client_open tera_sock_connect returned error 10060 - Connection timed out
ndash Incorrect PCoIP External URL configured for SecurityConnection Servers
ABV1592BE CONFIDENTIAL 34
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
User Experience Issues
bull Poor quality display
ndash Bandwidth latency or QoS
ndash Pcoip_server logs report
bull VGMAC Stat frms Loss=045021 (RT)
bull MGMT_PCOIP_DATA BW Decrease (loss) old = 2349982 new = 1768438
bull Randomly disconnected session
ndash 15 min after established - wssm process hasnt started on desktop
ndash View Agent logs (ltDriveLettergtProgramDataVMwareVDMlogs)
ndash PENDING_EXPIRED
ndash Sometimes caused by daisy-chaining the GINA (WinXP)
ABV1592BE CONFIDENTIAL 35
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Multi-VLAN support for Instant Clone pools
36
Tips to Avoid Deployment Issues
Support
bull vSphere 2016
bull ESXi 60 U1 or newer
bull Virtual Distributed Switch only
ndash No support for Standard Switch
bull Port Group must be configured for Static Port Binding amp Fixed Port Allocation
ndash No support for Dynamic or Ephemeral
Tested Limits
bull No multi-VLAN provisioning with IPv6
bull Single IC pool of 2K VMs
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Multi-VLAN with Horizon Instant Clones
37
Troubleshooting
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Performance
bull Common Issues
ndash Storage IO bottleneck
ndash Memory contention
ndash CPU contention
ndash Network issues
bull Where to look
ndash vCenter Server
ndash VCOPs
ndash ESXTOP
ndash 3rd Party Tools
ABV1592BE CONFIDENTIAL 38
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
The 3 Pillars of Performance
What to look for
bull CPU
ndash ClusterHost utilization lt 90
ndash VM utilization - USED (ESXTOP)
ndash VM RDY Time (ESXTOP) lt 10
bull Memory
ndash Host utilization lt 85
ndash VM utilization
ndash Swapping Ballooning SWCUR gt 1 MCTLSZ gt 1 (ESXTOP)
bull Storage
ndash Disk Read Latency lt 25ms
ndash ESXTOP DAVG or KAVG lt 25ms (ESXTOP)
ABV1592BE CONFIDENTIAL 39
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Optimize Your Images
bull httpslabsvmwarecomflingsvmware-os-optimization-tool
ABV1592BE CONFIDENTIAL 40
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
User Environment ManagerCommon Issues
41
VMworld 2017 Content Not fo
r publication or distri
bution
FlexEngine Appears Not To Run
FlexEngine Client
bull Requires use of Regeditexeor Regexe to modify user-based registry keys
bull Must not be disabled via Local or Group Policy
ADMX Settings
bull Minimum settings to enable FlexEngine Client
bull Check path
ABV1592BE CONFIDENTIAL 42
VMworld 2017 Content Not fo
r publication or distri
bution
Path-Based Import Runs Slow
43
bull Be careful not to run FlexEngine as a logon script and a Group Policy client-side extension
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Application Incompatibility with Hook Drivers
44
User Environment Manager
DirectFlex Blacklist
bull Create ltFlexRepositorygtDirectFlexBlackListXML
bull Populate as follows
ltxml version=10 encoding=utf-8gt
ltuserEnvironmentSettingsgt
ltsetting type=blacklist list=rdquo1exe|2exe|3exe gt
ltuserEnvironmentSettingsgt
bull Example httpskbvmwarecomkb2145287
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
App VolumesCommon Issues
45
VMworld 2017 Content Not fo
r publication or distri
bution
Slow User Logon
46
bull Check Logon Segments in Horizon to determine where the delay is
bull Optimize clockyml
ndash If performance decreases as deployment scales
ndash Increasing servers workers and thread_poolrequires additional CPU and RAM
ndash Involve GSS to ensure optimal settings
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
AppStack Not Attaching at Logon
47
bull One host in vSphere cluster does not have access to the shared datastore where the AppStack resides
ndash Common oversight especially with Storage Groups
bull Conflicting Minifilter driver
ndash DLP software
ndash Be aware of app altitude
ndash More info from Microsoft
bull httpbitly2tSCdG5
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
ADSI Edit ndash Static Configuration Editing
50
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
ADSI Edit ndash Common Key Values to Inspect
bull pae-DisplayName
ndash VM name as displayed in View Admin
bull pae-DirtyForNewSessions
ndash Indicates whether the VM is ldquoDirtyrdquo and can be re-used in a non-persistent pool
bull pae-SVIVMSnapshot
ndash Indicates the current Snapshot that is in use
bull pae-VmPath
ndash Indicates the full Path to the VM in vCenter
bull pae-VmState
ndash Indicates the current state of the Desktop ndash some states are a combination of this valueand other values
51
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
ADSI Edit ndash Searching for a Desktop
bull Find VMs with a Snapshot
ndash (amp(objectClass=pae-VM)(pae-SVIVmSnapshot=BaselineSnapshot1Snapshot2))
bull Find VMs with a Name
ndash (amp(objectClass=pae-VM)(pae-DisplayName=Desktop-234))
ABV1592BE CONFIDENTIAL 52
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon View Event Notifier
bull On the VMware Fling site - labsvmwarecomflings (chrishalstead)
ABV1592BE CONFIDENTIAL 53
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
What to look forhellip (walk through successful connection)
bull Client requests desktop
ndash Event Database BROKER_DESKTOP_REQUEST
bull Broker allocates session to user
ndash [FarmImp] (SESSION7072--a79c) cn=3f974017-409f-4912-83bc-2ee794f22fabou=serversdc=vdidc=vmwaredc=int total session count 0
ndash [FarmImp] (SESSION7072--a79c) allocateNewSession - identified server for application CN=GOLD-NPOU=ApplicationsDC=vdiDC=vmwareDC=int
ndash Event Database BROKER_MACHINE_ALLOCATED
bull Broker attempts SSO
ndash [FarmImp] (SESSION7072--a79c) Using domain for SSO FUTUREOFFICE
ndash User wonrsquot be logged on to the VM without this
ABV1592BE CONFIDENTIAL 54
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
What to look forhellip Pool Provisioning
bull Desktops not available due to provisioning error
ndash Check View Administrator for Pool status check datastore capacity
ndash Check Event Database - BROKER_PROVISIONING_ERROR_
ndash Check View Composer has network access to ESX hosts
bull Desktop not available due to customization
ndash Check Desktop status ndash AGENT UNAVAILABLE
ndash Check View Dashboard
bull Desktop Status gt Preparing Desktops OR Problem Desktops
ndash Check Desktop connectivity to DNSADConnection Server
ABV1592BE CONFIDENTIAL 55
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
bull Desktop not available due to VM resetcrash
ndash Check Desktop status ndash ALREADY USED
ndash Typical on refresh-on-logoff or delete-on-use desktops
ndash Broker never received an explicit logout message from the agent
ndash Missing AGENT_ENDED event in DB for VM
bull View Composer Issues associated with incorrect domain credentials
bull CProgramDataVMwareView ComposerLogs
bull FATAL CSvmGaService - [svmGaServicecpp 116] Domain join failed Error 5 (0x5) Access is denied
ABV1592BE CONFIDENTIAL 56
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
What to look forhellip
bull Broker starts session on VM
ndash [DesktopSessionImp] (SESSION7072--a79c) startSession ndashsending StartSession message
bull Agent respondshellip
ndash DesktopManager got a StartSession messagerdquo
ndash Client Info should be in Agent Log along with PCoIP launch
bull Event Database AGENT_PENDING
bull Client connects to VM (Agent)
ndash ldquoPCoIPCnxOnConnectionComplete Begin (PCOIP)rdquo
ndash ldquoWTS_SESSION_LOGONrdquo
ndash Event Database AGENT_CONNECTED
ABV1592BE CONFIDENTIAL 57
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Source Not Available
58
Common Issues
bull No Desktop Available
bull Pool provisioning issues ndashcustomization
bull Agent not communicatingwith broker
bull Stuck at desktop loginscreen (SSO)
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Source Not Available
59
Where to look
bull Event Database
bull Connection Server logs
What to look for
[SessionLaunchContext] (SESSION40a7__6cbd) VMWEUCbsimpson Desktop=vmworld Session request failed
(SESSION40a7__6cbd) [VMWEUCbsimpson Desktop=vmworld] (5ms) The following servers were blocked for new sessions [cn=5162cf76-8d8a-4ac0-9185-845a540d24e5ou=serversdc=vdidc=vmwaredc=int]
(SESSION40a7__6cbd) [VMWEUCbsimpson Desktop=vmworld] (5ms) Application launch failed exception was The desktop sources for this desktop are not responding Please try again later
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and vCenter Server Connection
Accept vCenter Certificate
By default certificate validation is required between App Volumes Manager and vSphere
Accept vCenter cert (self-signed or CA-signed) while creating the Machine Manager in App Volumes Manager
No custom certificate work required
App Volumes
ABV1592BE CONFIDENTIAL 60
VMworld 2017 Content Not fo
r publication or distri
bution
Certificate Options for ProductionEnable Certificate Validation on the App Volumes Agent
HKLMSystemCurrentControlSetServicessvservicesParametersbull EnforceSSLCertificateValidation = 1bull SSL = 1
Options to Enable SSL
SSL is enabled by default
Donrsquot disable certificate validation during Agent installation
Enable SSL in the registry after App Volumes Agent install
App Volumes
61
VMworld 2017 Content Not fo
r publication or distri
bution
Certificate Options for a POCDisable SSL Certificate Validation on the Agent
HKLMSystemCurrentControlSetServicessvservicesParametersbull EnforceSSLCertificateValidation = 0
Options to Disable SSL
Disable Certificate Validation with App Volumes Manager during App Volumes Agent install
EnforceSSLCertificateValidation in the registry after App Volumes Agent install
App Volumes
62
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and SQL Server CommunicationSecuring Communications Between App Volumes Manager and SQL Server
bull 212 User Guide references MS Support
bull Note the differences for a SQL Server clustered installation
bull Encryption is configured on the SQL Server instance so alldatabases on a shared SQL Server will be affected
bull From the SQL Server use SQL Server Configuration Manager to configure Force Encryption and specify the SQL certificate
SQL Server service account must have Read permissions to the Private Key of the SQL Server SSL certificate
ndash Check SQL Server Configuration Manager gt SQL Server Services gt SQL Server (SQL) gt Log On
ndash Default is NT ServiceMSSQL$SQL which does not have the necessary permissions
App Volumes
ABV1592BE CONFIDENTIAL 63
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and SQL Server CommunicationSetting Custom Private Key Permissions for SQL Service Account
bull Start on the SQL Server
bull MMC gt Certificates
App Volumes
ABV1592BE CONFIDENTIAL 64
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and Load Balancers
Typical Deployment
SSL is terminated at load balancer
HTTP between LB and AV Manager
SSL between AV Agents and LB
If trusted CA-signed cert is used for LB be
sure all agents trust the CA
App Volumes Agent VMs
Load Balancer
App Volumes Manager VMs
Alternative Deployment
To keep SSL between LB and AV
Manager signed AV Manager
certificate(s) should be added to trust list
of the LB
SQLView Infrastructure
Now Secured with SSL
Certificates
App Volumes
ABV1592BE CONFIDENTIAL 65
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
App Volumes Certificates
bull Certificate validation between App Volumes Manager and vCenter
bull Certificate validation for App Volumes Agent
ndash POC versus Production implementation
bull Secure communications between App Volumes and Microsoft SQL server
bull Applying certificates in load balanced configurations
11
Additional Considerations
App Volumes
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Avoiding Certificate IssuesBe Consistent with App Volumes Manager Name
ABV1592BE CONFIDENTIAL 12
VMworld 2017 Content Not fo
r publication or distri
bution
VMware Horizon Log Locations
Core
Infrastructure
Active
Directory
vCenter
Server
vRealize
Operations
Manager for
Horizon
Database
(SQL)
vSphere
vSAN
SaaS Mobile
Apps
Applications
(App Volumes)
VMware
Identity
Manager
User
Workspace
User
Environment
IT
Settings
User
Profile
End-Point Clients
VMware Horizon
RDS
Desktops amp Apps
Virtual Desktop Pools
Unified
Access
Gateway
Connection
Server
View
Composer
Logs can be collected fromhellip
Use KB1017939 for log locations and KB1025887 to change log levels
ABV1592BE CONFIDENTIAL 13
VMworld 2017 Content Not fo
r publication or distri
bution
VMware Unified Access Gateway (UAG) Logs
14
Log Files
bull Default log level is INFO
bull Adjust log level for debugging information
ndash Details of log levels and collecting log files httpbitly2ufqdAY
Monitoring
bull Monitor UAG services from the Admin UI
Unified Access Gateway
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
App Volumes Logs
15
rdquoDJrdquo indicates
Manager
background
job
ldquoRrdquo indicates
dynamic Ruby
job
Log files are
now created
daily
bull Use Notepad++ to quickly group log entries by task
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
User Environment Manager Logs
bull Configure debug logging for individual user
ndash httpskbvmwarecomkb2113514
Global and Individual Debug Logs
User Environment Manager
ABV1592BE CONFIDENTIAL 16
VMworld 2017 Content Not fo
r publication or distri
bution
Application Personalization amp DirectFlex
User Session
Profile Data Store (File Share)
Base
Profile
UEM
LogonImport of Keyboard
Mouse Wallpaper
Windows Settings
Application
LaunchImport of application
settings
Application
ShutdownExport of application
settings
UEM
LogoffExport of Keyboard
Mouse Wallpaper
Windows Settings
Time
User Environment Manager
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
DirectFlex Logging
18
User Environment Manager
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
DirectFlex Import
19
Directflex Import
User Environment Manager
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
DirectFlex Export
20
Directflex Export
User Environment Manager
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Tracking Sessions
bull Use TailGrep Utilities or Trace32 (SCCM Toolkit)
21
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Demo ndash Log Monitoring with BareTailBareGrep
22
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
HorizonCommon Issues
VMworld 2017 Content Not fo
r publication or distri
bution
Troubleshooting Keys
bull Check Admin Dashboard or HelpDesk Tool
bull Understand client connection paths
bull Set the appropriate Logging Level
bull Check Logs and understand DCT Tool
bull Use kbvmwarecom or communities
24
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon Helpdesk Tool
25
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon Helpdesk Tool Session Details
26
Access
bull Installed by default on CS
bull https[CS FQDN]helpdesk
bull Launch from Horizon Console
Provides
bull Metrics
bull Send Message
bull Remote Assistance
bull Quick Resolution
bull Restart
bull Logoff
bull Reset
bull Disconnect
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon Helpdesk Tool
27
Measuring Impact of AppStacks
No AppStacks
Three AppStacks ndash VLC Notepad++ 7-Zip
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Pool
Profile
Service AppsUser
Remoting
ProtocolUser Environment
Manager
File SharesPersona
ThinApp SharesStreamed
Apps
Master VMInstant
Clone
Home File SharesFolder
Redirection
App Volumes
AppStacks
Writable Volume
Disk
Attachments
vSphere
Virtual SAN
Instant Clone
SaaS Mobile Other Apps
Client(s)
Identity Manager
HTML
APPS
En
viro
nm
en
t
AD
DNS
DHCP
Group
Policy
Certs
vRealize Operations for Horizon ndash (Monitoring amp Mgt)
Identifying the Problem Domain
ABV1592BE CONFIDENTIAL 28
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon Connectivity Issues
bull Common challenges
ndash Horizon Client canrsquot connect
ndash Logon failure
ndash Black screen
ndash Poor quality display
ndash Randomly disconnected session
ABV1592BE CONFIDENTIAL 29
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
30
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Blast Extreme Adaptive TransportADMX Template Settings
Computer gt Policies gt Admin Templates gt VMware Blast gt UDP Protocol
bull Requires restart of Blast service or reboot of guest OS to take effect
BlastExtreme
ABV1592BE CONFIDENTIAL 31
VMworld 2017 Content Not fo
r publication or distri
bution
Blast Extreme Adaptive Transport
Client Settings Agent Settings (UDP) Blast Desktop Connection Broker Connection
Excellent Not configured or Enabled TCP TCP
Typical Not configured or Enabled UDP TCP
Poor Not configured or Enabled UDP UDP
Computer gt Policies gt Admin Templates gt VMware Blast gt UDP Protocol ndash Not Configured or Enabled
HKLMSOFTWAREPoliciesVMware IncVMware BlastConfig ndash UdpEnabled = 1
Client Settings Agent Settings (UDP) Blast Desktop Connection Broker Connection
Excellent Disabled TCP TCP
Typical Disabled TCP TCP
Poor Disabled TCP UDP
Computer gt Policies gt Admin Templates gt VMware Blast gt UDP Protocol ndash Disabled
HKLMSOFTWAREPoliciesVMware IncVMware BlastConfig ndash UdpEnabled = 0
BlastExtreme
ABV1592BE CONFIDENTIAL 32
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon Connectivity Issues
bull Where to look
ndash Connection Broker logs
bull CProgramDataVMwareVDMlogs
ndash Event Database
ndash DCT Tool
bull What to look for ndash
bull (Client connects) [SimpleAJPService] (ajpbrokerRequest9) Request from 19216821 POST brokerxml
bull (Broker authentication) [WinAuthFilter] (SESSION7072--a79c mattc) Attempting to authenticate user mattc in domain FUTUREOFFICErsquo
bull (User has authenticated to Broker) [AuthorizationFilter] (SESSION7072--a79c) User FUTUREOFFICEmattc has successfully authenticated to VDM
bull (Audit Entry) [Audit] (SESSION7072--a79c) BROKER_LOGONUSERFUTUREOFFICEmattcUSERSIDS-1-5-21-326850759-2560684469-1780228732-1113USERDNCN=S-1-5-21-326850759-2560684469-1780228732-1113CN=ForeignSecurityPrincipalsDC=vdiDC=vmwareDC=int
bull Event Database BROKER_USERLOGGEDIN
ABV1592BE CONFIDENTIAL 33
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
User Experience Issues
bull Black screen of deathmdashinstead of desktop
ndash PCoIP port blocked (TCP and UDP 4172) or SVGA Driver issue
ndash pcoip_serverclient logs - CUsersAll UsersVMwareVDMlogs
bull Error attaching to SVGADevTap error 4000 EscapeFailed
bull MGMT_SCHAN scnet_client_open tera_sock_connect returned error 10060 - Connection timed out
ndash Incorrect PCoIP External URL configured for SecurityConnection Servers
ABV1592BE CONFIDENTIAL 34
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
User Experience Issues
bull Poor quality display
ndash Bandwidth latency or QoS
ndash Pcoip_server logs report
bull VGMAC Stat frms Loss=045021 (RT)
bull MGMT_PCOIP_DATA BW Decrease (loss) old = 2349982 new = 1768438
bull Randomly disconnected session
ndash 15 min after established - wssm process hasnt started on desktop
ndash View Agent logs (ltDriveLettergtProgramDataVMwareVDMlogs)
ndash PENDING_EXPIRED
ndash Sometimes caused by daisy-chaining the GINA (WinXP)
ABV1592BE CONFIDENTIAL 35
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Multi-VLAN support for Instant Clone pools
36
Tips to Avoid Deployment Issues
Support
bull vSphere 2016
bull ESXi 60 U1 or newer
bull Virtual Distributed Switch only
ndash No support for Standard Switch
bull Port Group must be configured for Static Port Binding amp Fixed Port Allocation
ndash No support for Dynamic or Ephemeral
Tested Limits
bull No multi-VLAN provisioning with IPv6
bull Single IC pool of 2K VMs
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Multi-VLAN with Horizon Instant Clones
37
Troubleshooting
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Performance
bull Common Issues
ndash Storage IO bottleneck
ndash Memory contention
ndash CPU contention
ndash Network issues
bull Where to look
ndash vCenter Server
ndash VCOPs
ndash ESXTOP
ndash 3rd Party Tools
ABV1592BE CONFIDENTIAL 38
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
The 3 Pillars of Performance
What to look for
bull CPU
ndash ClusterHost utilization lt 90
ndash VM utilization - USED (ESXTOP)
ndash VM RDY Time (ESXTOP) lt 10
bull Memory
ndash Host utilization lt 85
ndash VM utilization
ndash Swapping Ballooning SWCUR gt 1 MCTLSZ gt 1 (ESXTOP)
bull Storage
ndash Disk Read Latency lt 25ms
ndash ESXTOP DAVG or KAVG lt 25ms (ESXTOP)
ABV1592BE CONFIDENTIAL 39
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Optimize Your Images
bull httpslabsvmwarecomflingsvmware-os-optimization-tool
ABV1592BE CONFIDENTIAL 40
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
User Environment ManagerCommon Issues
41
VMworld 2017 Content Not fo
r publication or distri
bution
FlexEngine Appears Not To Run
FlexEngine Client
bull Requires use of Regeditexeor Regexe to modify user-based registry keys
bull Must not be disabled via Local or Group Policy
ADMX Settings
bull Minimum settings to enable FlexEngine Client
bull Check path
ABV1592BE CONFIDENTIAL 42
VMworld 2017 Content Not fo
r publication or distri
bution
Path-Based Import Runs Slow
43
bull Be careful not to run FlexEngine as a logon script and a Group Policy client-side extension
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Application Incompatibility with Hook Drivers
44
User Environment Manager
DirectFlex Blacklist
bull Create ltFlexRepositorygtDirectFlexBlackListXML
bull Populate as follows
ltxml version=10 encoding=utf-8gt
ltuserEnvironmentSettingsgt
ltsetting type=blacklist list=rdquo1exe|2exe|3exe gt
ltuserEnvironmentSettingsgt
bull Example httpskbvmwarecomkb2145287
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
App VolumesCommon Issues
45
VMworld 2017 Content Not fo
r publication or distri
bution
Slow User Logon
46
bull Check Logon Segments in Horizon to determine where the delay is
bull Optimize clockyml
ndash If performance decreases as deployment scales
ndash Increasing servers workers and thread_poolrequires additional CPU and RAM
ndash Involve GSS to ensure optimal settings
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
AppStack Not Attaching at Logon
47
bull One host in vSphere cluster does not have access to the shared datastore where the AppStack resides
ndash Common oversight especially with Storage Groups
bull Conflicting Minifilter driver
ndash DLP software
ndash Be aware of app altitude
ndash More info from Microsoft
bull httpbitly2tSCdG5
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
ADSI Edit ndash Static Configuration Editing
50
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
ADSI Edit ndash Common Key Values to Inspect
bull pae-DisplayName
ndash VM name as displayed in View Admin
bull pae-DirtyForNewSessions
ndash Indicates whether the VM is ldquoDirtyrdquo and can be re-used in a non-persistent pool
bull pae-SVIVMSnapshot
ndash Indicates the current Snapshot that is in use
bull pae-VmPath
ndash Indicates the full Path to the VM in vCenter
bull pae-VmState
ndash Indicates the current state of the Desktop ndash some states are a combination of this valueand other values
51
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
ADSI Edit ndash Searching for a Desktop
bull Find VMs with a Snapshot
ndash (amp(objectClass=pae-VM)(pae-SVIVmSnapshot=BaselineSnapshot1Snapshot2))
bull Find VMs with a Name
ndash (amp(objectClass=pae-VM)(pae-DisplayName=Desktop-234))
ABV1592BE CONFIDENTIAL 52
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon View Event Notifier
bull On the VMware Fling site - labsvmwarecomflings (chrishalstead)
ABV1592BE CONFIDENTIAL 53
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
What to look forhellip (walk through successful connection)
bull Client requests desktop
ndash Event Database BROKER_DESKTOP_REQUEST
bull Broker allocates session to user
ndash [FarmImp] (SESSION7072--a79c) cn=3f974017-409f-4912-83bc-2ee794f22fabou=serversdc=vdidc=vmwaredc=int total session count 0
ndash [FarmImp] (SESSION7072--a79c) allocateNewSession - identified server for application CN=GOLD-NPOU=ApplicationsDC=vdiDC=vmwareDC=int
ndash Event Database BROKER_MACHINE_ALLOCATED
bull Broker attempts SSO
ndash [FarmImp] (SESSION7072--a79c) Using domain for SSO FUTUREOFFICE
ndash User wonrsquot be logged on to the VM without this
ABV1592BE CONFIDENTIAL 54
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
What to look forhellip Pool Provisioning
bull Desktops not available due to provisioning error
ndash Check View Administrator for Pool status check datastore capacity
ndash Check Event Database - BROKER_PROVISIONING_ERROR_
ndash Check View Composer has network access to ESX hosts
bull Desktop not available due to customization
ndash Check Desktop status ndash AGENT UNAVAILABLE
ndash Check View Dashboard
bull Desktop Status gt Preparing Desktops OR Problem Desktops
ndash Check Desktop connectivity to DNSADConnection Server
ABV1592BE CONFIDENTIAL 55
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
bull Desktop not available due to VM resetcrash
ndash Check Desktop status ndash ALREADY USED
ndash Typical on refresh-on-logoff or delete-on-use desktops
ndash Broker never received an explicit logout message from the agent
ndash Missing AGENT_ENDED event in DB for VM
bull View Composer Issues associated with incorrect domain credentials
bull CProgramDataVMwareView ComposerLogs
bull FATAL CSvmGaService - [svmGaServicecpp 116] Domain join failed Error 5 (0x5) Access is denied
ABV1592BE CONFIDENTIAL 56
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
What to look forhellip
bull Broker starts session on VM
ndash [DesktopSessionImp] (SESSION7072--a79c) startSession ndashsending StartSession message
bull Agent respondshellip
ndash DesktopManager got a StartSession messagerdquo
ndash Client Info should be in Agent Log along with PCoIP launch
bull Event Database AGENT_PENDING
bull Client connects to VM (Agent)
ndash ldquoPCoIPCnxOnConnectionComplete Begin (PCOIP)rdquo
ndash ldquoWTS_SESSION_LOGONrdquo
ndash Event Database AGENT_CONNECTED
ABV1592BE CONFIDENTIAL 57
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Source Not Available
58
Common Issues
bull No Desktop Available
bull Pool provisioning issues ndashcustomization
bull Agent not communicatingwith broker
bull Stuck at desktop loginscreen (SSO)
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Source Not Available
59
Where to look
bull Event Database
bull Connection Server logs
What to look for
[SessionLaunchContext] (SESSION40a7__6cbd) VMWEUCbsimpson Desktop=vmworld Session request failed
(SESSION40a7__6cbd) [VMWEUCbsimpson Desktop=vmworld] (5ms) The following servers were blocked for new sessions [cn=5162cf76-8d8a-4ac0-9185-845a540d24e5ou=serversdc=vdidc=vmwaredc=int]
(SESSION40a7__6cbd) [VMWEUCbsimpson Desktop=vmworld] (5ms) Application launch failed exception was The desktop sources for this desktop are not responding Please try again later
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and vCenter Server Connection
Accept vCenter Certificate
By default certificate validation is required between App Volumes Manager and vSphere
Accept vCenter cert (self-signed or CA-signed) while creating the Machine Manager in App Volumes Manager
No custom certificate work required
App Volumes
ABV1592BE CONFIDENTIAL 60
VMworld 2017 Content Not fo
r publication or distri
bution
Certificate Options for ProductionEnable Certificate Validation on the App Volumes Agent
HKLMSystemCurrentControlSetServicessvservicesParametersbull EnforceSSLCertificateValidation = 1bull SSL = 1
Options to Enable SSL
SSL is enabled by default
Donrsquot disable certificate validation during Agent installation
Enable SSL in the registry after App Volumes Agent install
App Volumes
61
VMworld 2017 Content Not fo
r publication or distri
bution
Certificate Options for a POCDisable SSL Certificate Validation on the Agent
HKLMSystemCurrentControlSetServicessvservicesParametersbull EnforceSSLCertificateValidation = 0
Options to Disable SSL
Disable Certificate Validation with App Volumes Manager during App Volumes Agent install
EnforceSSLCertificateValidation in the registry after App Volumes Agent install
App Volumes
62
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and SQL Server CommunicationSecuring Communications Between App Volumes Manager and SQL Server
bull 212 User Guide references MS Support
bull Note the differences for a SQL Server clustered installation
bull Encryption is configured on the SQL Server instance so alldatabases on a shared SQL Server will be affected
bull From the SQL Server use SQL Server Configuration Manager to configure Force Encryption and specify the SQL certificate
SQL Server service account must have Read permissions to the Private Key of the SQL Server SSL certificate
ndash Check SQL Server Configuration Manager gt SQL Server Services gt SQL Server (SQL) gt Log On
ndash Default is NT ServiceMSSQL$SQL which does not have the necessary permissions
App Volumes
ABV1592BE CONFIDENTIAL 63
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and SQL Server CommunicationSetting Custom Private Key Permissions for SQL Service Account
bull Start on the SQL Server
bull MMC gt Certificates
App Volumes
ABV1592BE CONFIDENTIAL 64
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and Load Balancers
Typical Deployment
SSL is terminated at load balancer
HTTP between LB and AV Manager
SSL between AV Agents and LB
If trusted CA-signed cert is used for LB be
sure all agents trust the CA
App Volumes Agent VMs
Load Balancer
App Volumes Manager VMs
Alternative Deployment
To keep SSL between LB and AV
Manager signed AV Manager
certificate(s) should be added to trust list
of the LB
SQLView Infrastructure
Now Secured with SSL
Certificates
App Volumes
ABV1592BE CONFIDENTIAL 65
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
Avoiding Certificate IssuesBe Consistent with App Volumes Manager Name
ABV1592BE CONFIDENTIAL 12
VMworld 2017 Content Not fo
r publication or distri
bution
VMware Horizon Log Locations
Core
Infrastructure
Active
Directory
vCenter
Server
vRealize
Operations
Manager for
Horizon
Database
(SQL)
vSphere
vSAN
SaaS Mobile
Apps
Applications
(App Volumes)
VMware
Identity
Manager
User
Workspace
User
Environment
IT
Settings
User
Profile
End-Point Clients
VMware Horizon
RDS
Desktops amp Apps
Virtual Desktop Pools
Unified
Access
Gateway
Connection
Server
View
Composer
Logs can be collected fromhellip
Use KB1017939 for log locations and KB1025887 to change log levels
ABV1592BE CONFIDENTIAL 13
VMworld 2017 Content Not fo
r publication or distri
bution
VMware Unified Access Gateway (UAG) Logs
14
Log Files
bull Default log level is INFO
bull Adjust log level for debugging information
ndash Details of log levels and collecting log files httpbitly2ufqdAY
Monitoring
bull Monitor UAG services from the Admin UI
Unified Access Gateway
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
App Volumes Logs
15
rdquoDJrdquo indicates
Manager
background
job
ldquoRrdquo indicates
dynamic Ruby
job
Log files are
now created
daily
bull Use Notepad++ to quickly group log entries by task
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
User Environment Manager Logs
bull Configure debug logging for individual user
ndash httpskbvmwarecomkb2113514
Global and Individual Debug Logs
User Environment Manager
ABV1592BE CONFIDENTIAL 16
VMworld 2017 Content Not fo
r publication or distri
bution
Application Personalization amp DirectFlex
User Session
Profile Data Store (File Share)
Base
Profile
UEM
LogonImport of Keyboard
Mouse Wallpaper
Windows Settings
Application
LaunchImport of application
settings
Application
ShutdownExport of application
settings
UEM
LogoffExport of Keyboard
Mouse Wallpaper
Windows Settings
Time
User Environment Manager
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
DirectFlex Logging
18
User Environment Manager
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
DirectFlex Import
19
Directflex Import
User Environment Manager
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
DirectFlex Export
20
Directflex Export
User Environment Manager
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Tracking Sessions
bull Use TailGrep Utilities or Trace32 (SCCM Toolkit)
21
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Demo ndash Log Monitoring with BareTailBareGrep
22
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
HorizonCommon Issues
VMworld 2017 Content Not fo
r publication or distri
bution
Troubleshooting Keys
bull Check Admin Dashboard or HelpDesk Tool
bull Understand client connection paths
bull Set the appropriate Logging Level
bull Check Logs and understand DCT Tool
bull Use kbvmwarecom or communities
24
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon Helpdesk Tool
25
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon Helpdesk Tool Session Details
26
Access
bull Installed by default on CS
bull https[CS FQDN]helpdesk
bull Launch from Horizon Console
Provides
bull Metrics
bull Send Message
bull Remote Assistance
bull Quick Resolution
bull Restart
bull Logoff
bull Reset
bull Disconnect
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon Helpdesk Tool
27
Measuring Impact of AppStacks
No AppStacks
Three AppStacks ndash VLC Notepad++ 7-Zip
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Pool
Profile
Service AppsUser
Remoting
ProtocolUser Environment
Manager
File SharesPersona
ThinApp SharesStreamed
Apps
Master VMInstant
Clone
Home File SharesFolder
Redirection
App Volumes
AppStacks
Writable Volume
Disk
Attachments
vSphere
Virtual SAN
Instant Clone
SaaS Mobile Other Apps
Client(s)
Identity Manager
HTML
APPS
En
viro
nm
en
t
AD
DNS
DHCP
Group
Policy
Certs
vRealize Operations for Horizon ndash (Monitoring amp Mgt)
Identifying the Problem Domain
ABV1592BE CONFIDENTIAL 28
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon Connectivity Issues
bull Common challenges
ndash Horizon Client canrsquot connect
ndash Logon failure
ndash Black screen
ndash Poor quality display
ndash Randomly disconnected session
ABV1592BE CONFIDENTIAL 29
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
30
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Blast Extreme Adaptive TransportADMX Template Settings
Computer gt Policies gt Admin Templates gt VMware Blast gt UDP Protocol
bull Requires restart of Blast service or reboot of guest OS to take effect
BlastExtreme
ABV1592BE CONFIDENTIAL 31
VMworld 2017 Content Not fo
r publication or distri
bution
Blast Extreme Adaptive Transport
Client Settings Agent Settings (UDP) Blast Desktop Connection Broker Connection
Excellent Not configured or Enabled TCP TCP
Typical Not configured or Enabled UDP TCP
Poor Not configured or Enabled UDP UDP
Computer gt Policies gt Admin Templates gt VMware Blast gt UDP Protocol ndash Not Configured or Enabled
HKLMSOFTWAREPoliciesVMware IncVMware BlastConfig ndash UdpEnabled = 1
Client Settings Agent Settings (UDP) Blast Desktop Connection Broker Connection
Excellent Disabled TCP TCP
Typical Disabled TCP TCP
Poor Disabled TCP UDP
Computer gt Policies gt Admin Templates gt VMware Blast gt UDP Protocol ndash Disabled
HKLMSOFTWAREPoliciesVMware IncVMware BlastConfig ndash UdpEnabled = 0
BlastExtreme
ABV1592BE CONFIDENTIAL 32
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon Connectivity Issues
bull Where to look
ndash Connection Broker logs
bull CProgramDataVMwareVDMlogs
ndash Event Database
ndash DCT Tool
bull What to look for ndash
bull (Client connects) [SimpleAJPService] (ajpbrokerRequest9) Request from 19216821 POST brokerxml
bull (Broker authentication) [WinAuthFilter] (SESSION7072--a79c mattc) Attempting to authenticate user mattc in domain FUTUREOFFICErsquo
bull (User has authenticated to Broker) [AuthorizationFilter] (SESSION7072--a79c) User FUTUREOFFICEmattc has successfully authenticated to VDM
bull (Audit Entry) [Audit] (SESSION7072--a79c) BROKER_LOGONUSERFUTUREOFFICEmattcUSERSIDS-1-5-21-326850759-2560684469-1780228732-1113USERDNCN=S-1-5-21-326850759-2560684469-1780228732-1113CN=ForeignSecurityPrincipalsDC=vdiDC=vmwareDC=int
bull Event Database BROKER_USERLOGGEDIN
ABV1592BE CONFIDENTIAL 33
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
User Experience Issues
bull Black screen of deathmdashinstead of desktop
ndash PCoIP port blocked (TCP and UDP 4172) or SVGA Driver issue
ndash pcoip_serverclient logs - CUsersAll UsersVMwareVDMlogs
bull Error attaching to SVGADevTap error 4000 EscapeFailed
bull MGMT_SCHAN scnet_client_open tera_sock_connect returned error 10060 - Connection timed out
ndash Incorrect PCoIP External URL configured for SecurityConnection Servers
ABV1592BE CONFIDENTIAL 34
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
User Experience Issues
bull Poor quality display
ndash Bandwidth latency or QoS
ndash Pcoip_server logs report
bull VGMAC Stat frms Loss=045021 (RT)
bull MGMT_PCOIP_DATA BW Decrease (loss) old = 2349982 new = 1768438
bull Randomly disconnected session
ndash 15 min after established - wssm process hasnt started on desktop
ndash View Agent logs (ltDriveLettergtProgramDataVMwareVDMlogs)
ndash PENDING_EXPIRED
ndash Sometimes caused by daisy-chaining the GINA (WinXP)
ABV1592BE CONFIDENTIAL 35
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Multi-VLAN support for Instant Clone pools
36
Tips to Avoid Deployment Issues
Support
bull vSphere 2016
bull ESXi 60 U1 or newer
bull Virtual Distributed Switch only
ndash No support for Standard Switch
bull Port Group must be configured for Static Port Binding amp Fixed Port Allocation
ndash No support for Dynamic or Ephemeral
Tested Limits
bull No multi-VLAN provisioning with IPv6
bull Single IC pool of 2K VMs
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Multi-VLAN with Horizon Instant Clones
37
Troubleshooting
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Performance
bull Common Issues
ndash Storage IO bottleneck
ndash Memory contention
ndash CPU contention
ndash Network issues
bull Where to look
ndash vCenter Server
ndash VCOPs
ndash ESXTOP
ndash 3rd Party Tools
ABV1592BE CONFIDENTIAL 38
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
The 3 Pillars of Performance
What to look for
bull CPU
ndash ClusterHost utilization lt 90
ndash VM utilization - USED (ESXTOP)
ndash VM RDY Time (ESXTOP) lt 10
bull Memory
ndash Host utilization lt 85
ndash VM utilization
ndash Swapping Ballooning SWCUR gt 1 MCTLSZ gt 1 (ESXTOP)
bull Storage
ndash Disk Read Latency lt 25ms
ndash ESXTOP DAVG or KAVG lt 25ms (ESXTOP)
ABV1592BE CONFIDENTIAL 39
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Optimize Your Images
bull httpslabsvmwarecomflingsvmware-os-optimization-tool
ABV1592BE CONFIDENTIAL 40
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
User Environment ManagerCommon Issues
41
VMworld 2017 Content Not fo
r publication or distri
bution
FlexEngine Appears Not To Run
FlexEngine Client
bull Requires use of Regeditexeor Regexe to modify user-based registry keys
bull Must not be disabled via Local or Group Policy
ADMX Settings
bull Minimum settings to enable FlexEngine Client
bull Check path
ABV1592BE CONFIDENTIAL 42
VMworld 2017 Content Not fo
r publication or distri
bution
Path-Based Import Runs Slow
43
bull Be careful not to run FlexEngine as a logon script and a Group Policy client-side extension
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Application Incompatibility with Hook Drivers
44
User Environment Manager
DirectFlex Blacklist
bull Create ltFlexRepositorygtDirectFlexBlackListXML
bull Populate as follows
ltxml version=10 encoding=utf-8gt
ltuserEnvironmentSettingsgt
ltsetting type=blacklist list=rdquo1exe|2exe|3exe gt
ltuserEnvironmentSettingsgt
bull Example httpskbvmwarecomkb2145287
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
App VolumesCommon Issues
45
VMworld 2017 Content Not fo
r publication or distri
bution
Slow User Logon
46
bull Check Logon Segments in Horizon to determine where the delay is
bull Optimize clockyml
ndash If performance decreases as deployment scales
ndash Increasing servers workers and thread_poolrequires additional CPU and RAM
ndash Involve GSS to ensure optimal settings
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
AppStack Not Attaching at Logon
47
bull One host in vSphere cluster does not have access to the shared datastore where the AppStack resides
ndash Common oversight especially with Storage Groups
bull Conflicting Minifilter driver
ndash DLP software
ndash Be aware of app altitude
ndash More info from Microsoft
bull httpbitly2tSCdG5
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
ADSI Edit ndash Static Configuration Editing
50
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
ADSI Edit ndash Common Key Values to Inspect
bull pae-DisplayName
ndash VM name as displayed in View Admin
bull pae-DirtyForNewSessions
ndash Indicates whether the VM is ldquoDirtyrdquo and can be re-used in a non-persistent pool
bull pae-SVIVMSnapshot
ndash Indicates the current Snapshot that is in use
bull pae-VmPath
ndash Indicates the full Path to the VM in vCenter
bull pae-VmState
ndash Indicates the current state of the Desktop ndash some states are a combination of this valueand other values
51
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
ADSI Edit ndash Searching for a Desktop
bull Find VMs with a Snapshot
ndash (amp(objectClass=pae-VM)(pae-SVIVmSnapshot=BaselineSnapshot1Snapshot2))
bull Find VMs with a Name
ndash (amp(objectClass=pae-VM)(pae-DisplayName=Desktop-234))
ABV1592BE CONFIDENTIAL 52
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon View Event Notifier
bull On the VMware Fling site - labsvmwarecomflings (chrishalstead)
ABV1592BE CONFIDENTIAL 53
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
What to look forhellip (walk through successful connection)
bull Client requests desktop
ndash Event Database BROKER_DESKTOP_REQUEST
bull Broker allocates session to user
ndash [FarmImp] (SESSION7072--a79c) cn=3f974017-409f-4912-83bc-2ee794f22fabou=serversdc=vdidc=vmwaredc=int total session count 0
ndash [FarmImp] (SESSION7072--a79c) allocateNewSession - identified server for application CN=GOLD-NPOU=ApplicationsDC=vdiDC=vmwareDC=int
ndash Event Database BROKER_MACHINE_ALLOCATED
bull Broker attempts SSO
ndash [FarmImp] (SESSION7072--a79c) Using domain for SSO FUTUREOFFICE
ndash User wonrsquot be logged on to the VM without this
ABV1592BE CONFIDENTIAL 54
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
What to look forhellip Pool Provisioning
bull Desktops not available due to provisioning error
ndash Check View Administrator for Pool status check datastore capacity
ndash Check Event Database - BROKER_PROVISIONING_ERROR_
ndash Check View Composer has network access to ESX hosts
bull Desktop not available due to customization
ndash Check Desktop status ndash AGENT UNAVAILABLE
ndash Check View Dashboard
bull Desktop Status gt Preparing Desktops OR Problem Desktops
ndash Check Desktop connectivity to DNSADConnection Server
ABV1592BE CONFIDENTIAL 55
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
bull Desktop not available due to VM resetcrash
ndash Check Desktop status ndash ALREADY USED
ndash Typical on refresh-on-logoff or delete-on-use desktops
ndash Broker never received an explicit logout message from the agent
ndash Missing AGENT_ENDED event in DB for VM
bull View Composer Issues associated with incorrect domain credentials
bull CProgramDataVMwareView ComposerLogs
bull FATAL CSvmGaService - [svmGaServicecpp 116] Domain join failed Error 5 (0x5) Access is denied
ABV1592BE CONFIDENTIAL 56
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
What to look forhellip
bull Broker starts session on VM
ndash [DesktopSessionImp] (SESSION7072--a79c) startSession ndashsending StartSession message
bull Agent respondshellip
ndash DesktopManager got a StartSession messagerdquo
ndash Client Info should be in Agent Log along with PCoIP launch
bull Event Database AGENT_PENDING
bull Client connects to VM (Agent)
ndash ldquoPCoIPCnxOnConnectionComplete Begin (PCOIP)rdquo
ndash ldquoWTS_SESSION_LOGONrdquo
ndash Event Database AGENT_CONNECTED
ABV1592BE CONFIDENTIAL 57
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Source Not Available
58
Common Issues
bull No Desktop Available
bull Pool provisioning issues ndashcustomization
bull Agent not communicatingwith broker
bull Stuck at desktop loginscreen (SSO)
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Source Not Available
59
Where to look
bull Event Database
bull Connection Server logs
What to look for
[SessionLaunchContext] (SESSION40a7__6cbd) VMWEUCbsimpson Desktop=vmworld Session request failed
(SESSION40a7__6cbd) [VMWEUCbsimpson Desktop=vmworld] (5ms) The following servers were blocked for new sessions [cn=5162cf76-8d8a-4ac0-9185-845a540d24e5ou=serversdc=vdidc=vmwaredc=int]
(SESSION40a7__6cbd) [VMWEUCbsimpson Desktop=vmworld] (5ms) Application launch failed exception was The desktop sources for this desktop are not responding Please try again later
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and vCenter Server Connection
Accept vCenter Certificate
By default certificate validation is required between App Volumes Manager and vSphere
Accept vCenter cert (self-signed or CA-signed) while creating the Machine Manager in App Volumes Manager
No custom certificate work required
App Volumes
ABV1592BE CONFIDENTIAL 60
VMworld 2017 Content Not fo
r publication or distri
bution
Certificate Options for ProductionEnable Certificate Validation on the App Volumes Agent
HKLMSystemCurrentControlSetServicessvservicesParametersbull EnforceSSLCertificateValidation = 1bull SSL = 1
Options to Enable SSL
SSL is enabled by default
Donrsquot disable certificate validation during Agent installation
Enable SSL in the registry after App Volumes Agent install
App Volumes
61
VMworld 2017 Content Not fo
r publication or distri
bution
Certificate Options for a POCDisable SSL Certificate Validation on the Agent
HKLMSystemCurrentControlSetServicessvservicesParametersbull EnforceSSLCertificateValidation = 0
Options to Disable SSL
Disable Certificate Validation with App Volumes Manager during App Volumes Agent install
EnforceSSLCertificateValidation in the registry after App Volumes Agent install
App Volumes
62
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and SQL Server CommunicationSecuring Communications Between App Volumes Manager and SQL Server
bull 212 User Guide references MS Support
bull Note the differences for a SQL Server clustered installation
bull Encryption is configured on the SQL Server instance so alldatabases on a shared SQL Server will be affected
bull From the SQL Server use SQL Server Configuration Manager to configure Force Encryption and specify the SQL certificate
SQL Server service account must have Read permissions to the Private Key of the SQL Server SSL certificate
ndash Check SQL Server Configuration Manager gt SQL Server Services gt SQL Server (SQL) gt Log On
ndash Default is NT ServiceMSSQL$SQL which does not have the necessary permissions
App Volumes
ABV1592BE CONFIDENTIAL 63
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and SQL Server CommunicationSetting Custom Private Key Permissions for SQL Service Account
bull Start on the SQL Server
bull MMC gt Certificates
App Volumes
ABV1592BE CONFIDENTIAL 64
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and Load Balancers
Typical Deployment
SSL is terminated at load balancer
HTTP between LB and AV Manager
SSL between AV Agents and LB
If trusted CA-signed cert is used for LB be
sure all agents trust the CA
App Volumes Agent VMs
Load Balancer
App Volumes Manager VMs
Alternative Deployment
To keep SSL between LB and AV
Manager signed AV Manager
certificate(s) should be added to trust list
of the LB
SQLView Infrastructure
Now Secured with SSL
Certificates
App Volumes
ABV1592BE CONFIDENTIAL 65
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMware Horizon Log Locations
Core
Infrastructure
Active
Directory
vCenter
Server
vRealize
Operations
Manager for
Horizon
Database
(SQL)
vSphere
vSAN
SaaS Mobile
Apps
Applications
(App Volumes)
VMware
Identity
Manager
User
Workspace
User
Environment
IT
Settings
User
Profile
End-Point Clients
VMware Horizon
RDS
Desktops amp Apps
Virtual Desktop Pools
Unified
Access
Gateway
Connection
Server
View
Composer
Logs can be collected fromhellip
Use KB1017939 for log locations and KB1025887 to change log levels
ABV1592BE CONFIDENTIAL 13
VMworld 2017 Content Not fo
r publication or distri
bution
VMware Unified Access Gateway (UAG) Logs
14
Log Files
bull Default log level is INFO
bull Adjust log level for debugging information
ndash Details of log levels and collecting log files httpbitly2ufqdAY
Monitoring
bull Monitor UAG services from the Admin UI
Unified Access Gateway
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
App Volumes Logs
15
rdquoDJrdquo indicates
Manager
background
job
ldquoRrdquo indicates
dynamic Ruby
job
Log files are
now created
daily
bull Use Notepad++ to quickly group log entries by task
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
User Environment Manager Logs
bull Configure debug logging for individual user
ndash httpskbvmwarecomkb2113514
Global and Individual Debug Logs
User Environment Manager
ABV1592BE CONFIDENTIAL 16
VMworld 2017 Content Not fo
r publication or distri
bution
Application Personalization amp DirectFlex
User Session
Profile Data Store (File Share)
Base
Profile
UEM
LogonImport of Keyboard
Mouse Wallpaper
Windows Settings
Application
LaunchImport of application
settings
Application
ShutdownExport of application
settings
UEM
LogoffExport of Keyboard
Mouse Wallpaper
Windows Settings
Time
User Environment Manager
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
DirectFlex Logging
18
User Environment Manager
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
DirectFlex Import
19
Directflex Import
User Environment Manager
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
DirectFlex Export
20
Directflex Export
User Environment Manager
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Tracking Sessions
bull Use TailGrep Utilities or Trace32 (SCCM Toolkit)
21
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Demo ndash Log Monitoring with BareTailBareGrep
22
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
HorizonCommon Issues
VMworld 2017 Content Not fo
r publication or distri
bution
Troubleshooting Keys
bull Check Admin Dashboard or HelpDesk Tool
bull Understand client connection paths
bull Set the appropriate Logging Level
bull Check Logs and understand DCT Tool
bull Use kbvmwarecom or communities
24
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon Helpdesk Tool
25
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon Helpdesk Tool Session Details
26
Access
bull Installed by default on CS
bull https[CS FQDN]helpdesk
bull Launch from Horizon Console
Provides
bull Metrics
bull Send Message
bull Remote Assistance
bull Quick Resolution
bull Restart
bull Logoff
bull Reset
bull Disconnect
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon Helpdesk Tool
27
Measuring Impact of AppStacks
No AppStacks
Three AppStacks ndash VLC Notepad++ 7-Zip
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Pool
Profile
Service AppsUser
Remoting
ProtocolUser Environment
Manager
File SharesPersona
ThinApp SharesStreamed
Apps
Master VMInstant
Clone
Home File SharesFolder
Redirection
App Volumes
AppStacks
Writable Volume
Disk
Attachments
vSphere
Virtual SAN
Instant Clone
SaaS Mobile Other Apps
Client(s)
Identity Manager
HTML
APPS
En
viro
nm
en
t
AD
DNS
DHCP
Group
Policy
Certs
vRealize Operations for Horizon ndash (Monitoring amp Mgt)
Identifying the Problem Domain
ABV1592BE CONFIDENTIAL 28
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon Connectivity Issues
bull Common challenges
ndash Horizon Client canrsquot connect
ndash Logon failure
ndash Black screen
ndash Poor quality display
ndash Randomly disconnected session
ABV1592BE CONFIDENTIAL 29
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
30
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Blast Extreme Adaptive TransportADMX Template Settings
Computer gt Policies gt Admin Templates gt VMware Blast gt UDP Protocol
bull Requires restart of Blast service or reboot of guest OS to take effect
BlastExtreme
ABV1592BE CONFIDENTIAL 31
VMworld 2017 Content Not fo
r publication or distri
bution
Blast Extreme Adaptive Transport
Client Settings Agent Settings (UDP) Blast Desktop Connection Broker Connection
Excellent Not configured or Enabled TCP TCP
Typical Not configured or Enabled UDP TCP
Poor Not configured or Enabled UDP UDP
Computer gt Policies gt Admin Templates gt VMware Blast gt UDP Protocol ndash Not Configured or Enabled
HKLMSOFTWAREPoliciesVMware IncVMware BlastConfig ndash UdpEnabled = 1
Client Settings Agent Settings (UDP) Blast Desktop Connection Broker Connection
Excellent Disabled TCP TCP
Typical Disabled TCP TCP
Poor Disabled TCP UDP
Computer gt Policies gt Admin Templates gt VMware Blast gt UDP Protocol ndash Disabled
HKLMSOFTWAREPoliciesVMware IncVMware BlastConfig ndash UdpEnabled = 0
BlastExtreme
ABV1592BE CONFIDENTIAL 32
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon Connectivity Issues
bull Where to look
ndash Connection Broker logs
bull CProgramDataVMwareVDMlogs
ndash Event Database
ndash DCT Tool
bull What to look for ndash
bull (Client connects) [SimpleAJPService] (ajpbrokerRequest9) Request from 19216821 POST brokerxml
bull (Broker authentication) [WinAuthFilter] (SESSION7072--a79c mattc) Attempting to authenticate user mattc in domain FUTUREOFFICErsquo
bull (User has authenticated to Broker) [AuthorizationFilter] (SESSION7072--a79c) User FUTUREOFFICEmattc has successfully authenticated to VDM
bull (Audit Entry) [Audit] (SESSION7072--a79c) BROKER_LOGONUSERFUTUREOFFICEmattcUSERSIDS-1-5-21-326850759-2560684469-1780228732-1113USERDNCN=S-1-5-21-326850759-2560684469-1780228732-1113CN=ForeignSecurityPrincipalsDC=vdiDC=vmwareDC=int
bull Event Database BROKER_USERLOGGEDIN
ABV1592BE CONFIDENTIAL 33
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
User Experience Issues
bull Black screen of deathmdashinstead of desktop
ndash PCoIP port blocked (TCP and UDP 4172) or SVGA Driver issue
ndash pcoip_serverclient logs - CUsersAll UsersVMwareVDMlogs
bull Error attaching to SVGADevTap error 4000 EscapeFailed
bull MGMT_SCHAN scnet_client_open tera_sock_connect returned error 10060 - Connection timed out
ndash Incorrect PCoIP External URL configured for SecurityConnection Servers
ABV1592BE CONFIDENTIAL 34
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
User Experience Issues
bull Poor quality display
ndash Bandwidth latency or QoS
ndash Pcoip_server logs report
bull VGMAC Stat frms Loss=045021 (RT)
bull MGMT_PCOIP_DATA BW Decrease (loss) old = 2349982 new = 1768438
bull Randomly disconnected session
ndash 15 min after established - wssm process hasnt started on desktop
ndash View Agent logs (ltDriveLettergtProgramDataVMwareVDMlogs)
ndash PENDING_EXPIRED
ndash Sometimes caused by daisy-chaining the GINA (WinXP)
ABV1592BE CONFIDENTIAL 35
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Multi-VLAN support for Instant Clone pools
36
Tips to Avoid Deployment Issues
Support
bull vSphere 2016
bull ESXi 60 U1 or newer
bull Virtual Distributed Switch only
ndash No support for Standard Switch
bull Port Group must be configured for Static Port Binding amp Fixed Port Allocation
ndash No support for Dynamic or Ephemeral
Tested Limits
bull No multi-VLAN provisioning with IPv6
bull Single IC pool of 2K VMs
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Multi-VLAN with Horizon Instant Clones
37
Troubleshooting
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Performance
bull Common Issues
ndash Storage IO bottleneck
ndash Memory contention
ndash CPU contention
ndash Network issues
bull Where to look
ndash vCenter Server
ndash VCOPs
ndash ESXTOP
ndash 3rd Party Tools
ABV1592BE CONFIDENTIAL 38
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
The 3 Pillars of Performance
What to look for
bull CPU
ndash ClusterHost utilization lt 90
ndash VM utilization - USED (ESXTOP)
ndash VM RDY Time (ESXTOP) lt 10
bull Memory
ndash Host utilization lt 85
ndash VM utilization
ndash Swapping Ballooning SWCUR gt 1 MCTLSZ gt 1 (ESXTOP)
bull Storage
ndash Disk Read Latency lt 25ms
ndash ESXTOP DAVG or KAVG lt 25ms (ESXTOP)
ABV1592BE CONFIDENTIAL 39
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Optimize Your Images
bull httpslabsvmwarecomflingsvmware-os-optimization-tool
ABV1592BE CONFIDENTIAL 40
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
User Environment ManagerCommon Issues
41
VMworld 2017 Content Not fo
r publication or distri
bution
FlexEngine Appears Not To Run
FlexEngine Client
bull Requires use of Regeditexeor Regexe to modify user-based registry keys
bull Must not be disabled via Local or Group Policy
ADMX Settings
bull Minimum settings to enable FlexEngine Client
bull Check path
ABV1592BE CONFIDENTIAL 42
VMworld 2017 Content Not fo
r publication or distri
bution
Path-Based Import Runs Slow
43
bull Be careful not to run FlexEngine as a logon script and a Group Policy client-side extension
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Application Incompatibility with Hook Drivers
44
User Environment Manager
DirectFlex Blacklist
bull Create ltFlexRepositorygtDirectFlexBlackListXML
bull Populate as follows
ltxml version=10 encoding=utf-8gt
ltuserEnvironmentSettingsgt
ltsetting type=blacklist list=rdquo1exe|2exe|3exe gt
ltuserEnvironmentSettingsgt
bull Example httpskbvmwarecomkb2145287
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
App VolumesCommon Issues
45
VMworld 2017 Content Not fo
r publication or distri
bution
Slow User Logon
46
bull Check Logon Segments in Horizon to determine where the delay is
bull Optimize clockyml
ndash If performance decreases as deployment scales
ndash Increasing servers workers and thread_poolrequires additional CPU and RAM
ndash Involve GSS to ensure optimal settings
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
AppStack Not Attaching at Logon
47
bull One host in vSphere cluster does not have access to the shared datastore where the AppStack resides
ndash Common oversight especially with Storage Groups
bull Conflicting Minifilter driver
ndash DLP software
ndash Be aware of app altitude
ndash More info from Microsoft
bull httpbitly2tSCdG5
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
ADSI Edit ndash Static Configuration Editing
50
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
ADSI Edit ndash Common Key Values to Inspect
bull pae-DisplayName
ndash VM name as displayed in View Admin
bull pae-DirtyForNewSessions
ndash Indicates whether the VM is ldquoDirtyrdquo and can be re-used in a non-persistent pool
bull pae-SVIVMSnapshot
ndash Indicates the current Snapshot that is in use
bull pae-VmPath
ndash Indicates the full Path to the VM in vCenter
bull pae-VmState
ndash Indicates the current state of the Desktop ndash some states are a combination of this valueand other values
51
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
ADSI Edit ndash Searching for a Desktop
bull Find VMs with a Snapshot
ndash (amp(objectClass=pae-VM)(pae-SVIVmSnapshot=BaselineSnapshot1Snapshot2))
bull Find VMs with a Name
ndash (amp(objectClass=pae-VM)(pae-DisplayName=Desktop-234))
ABV1592BE CONFIDENTIAL 52
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon View Event Notifier
bull On the VMware Fling site - labsvmwarecomflings (chrishalstead)
ABV1592BE CONFIDENTIAL 53
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
What to look forhellip (walk through successful connection)
bull Client requests desktop
ndash Event Database BROKER_DESKTOP_REQUEST
bull Broker allocates session to user
ndash [FarmImp] (SESSION7072--a79c) cn=3f974017-409f-4912-83bc-2ee794f22fabou=serversdc=vdidc=vmwaredc=int total session count 0
ndash [FarmImp] (SESSION7072--a79c) allocateNewSession - identified server for application CN=GOLD-NPOU=ApplicationsDC=vdiDC=vmwareDC=int
ndash Event Database BROKER_MACHINE_ALLOCATED
bull Broker attempts SSO
ndash [FarmImp] (SESSION7072--a79c) Using domain for SSO FUTUREOFFICE
ndash User wonrsquot be logged on to the VM without this
ABV1592BE CONFIDENTIAL 54
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
What to look forhellip Pool Provisioning
bull Desktops not available due to provisioning error
ndash Check View Administrator for Pool status check datastore capacity
ndash Check Event Database - BROKER_PROVISIONING_ERROR_
ndash Check View Composer has network access to ESX hosts
bull Desktop not available due to customization
ndash Check Desktop status ndash AGENT UNAVAILABLE
ndash Check View Dashboard
bull Desktop Status gt Preparing Desktops OR Problem Desktops
ndash Check Desktop connectivity to DNSADConnection Server
ABV1592BE CONFIDENTIAL 55
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
bull Desktop not available due to VM resetcrash
ndash Check Desktop status ndash ALREADY USED
ndash Typical on refresh-on-logoff or delete-on-use desktops
ndash Broker never received an explicit logout message from the agent
ndash Missing AGENT_ENDED event in DB for VM
bull View Composer Issues associated with incorrect domain credentials
bull CProgramDataVMwareView ComposerLogs
bull FATAL CSvmGaService - [svmGaServicecpp 116] Domain join failed Error 5 (0x5) Access is denied
ABV1592BE CONFIDENTIAL 56
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
What to look forhellip
bull Broker starts session on VM
ndash [DesktopSessionImp] (SESSION7072--a79c) startSession ndashsending StartSession message
bull Agent respondshellip
ndash DesktopManager got a StartSession messagerdquo
ndash Client Info should be in Agent Log along with PCoIP launch
bull Event Database AGENT_PENDING
bull Client connects to VM (Agent)
ndash ldquoPCoIPCnxOnConnectionComplete Begin (PCOIP)rdquo
ndash ldquoWTS_SESSION_LOGONrdquo
ndash Event Database AGENT_CONNECTED
ABV1592BE CONFIDENTIAL 57
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Source Not Available
58
Common Issues
bull No Desktop Available
bull Pool provisioning issues ndashcustomization
bull Agent not communicatingwith broker
bull Stuck at desktop loginscreen (SSO)
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Source Not Available
59
Where to look
bull Event Database
bull Connection Server logs
What to look for
[SessionLaunchContext] (SESSION40a7__6cbd) VMWEUCbsimpson Desktop=vmworld Session request failed
(SESSION40a7__6cbd) [VMWEUCbsimpson Desktop=vmworld] (5ms) The following servers were blocked for new sessions [cn=5162cf76-8d8a-4ac0-9185-845a540d24e5ou=serversdc=vdidc=vmwaredc=int]
(SESSION40a7__6cbd) [VMWEUCbsimpson Desktop=vmworld] (5ms) Application launch failed exception was The desktop sources for this desktop are not responding Please try again later
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and vCenter Server Connection
Accept vCenter Certificate
By default certificate validation is required between App Volumes Manager and vSphere
Accept vCenter cert (self-signed or CA-signed) while creating the Machine Manager in App Volumes Manager
No custom certificate work required
App Volumes
ABV1592BE CONFIDENTIAL 60
VMworld 2017 Content Not fo
r publication or distri
bution
Certificate Options for ProductionEnable Certificate Validation on the App Volumes Agent
HKLMSystemCurrentControlSetServicessvservicesParametersbull EnforceSSLCertificateValidation = 1bull SSL = 1
Options to Enable SSL
SSL is enabled by default
Donrsquot disable certificate validation during Agent installation
Enable SSL in the registry after App Volumes Agent install
App Volumes
61
VMworld 2017 Content Not fo
r publication or distri
bution
Certificate Options for a POCDisable SSL Certificate Validation on the Agent
HKLMSystemCurrentControlSetServicessvservicesParametersbull EnforceSSLCertificateValidation = 0
Options to Disable SSL
Disable Certificate Validation with App Volumes Manager during App Volumes Agent install
EnforceSSLCertificateValidation in the registry after App Volumes Agent install
App Volumes
62
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and SQL Server CommunicationSecuring Communications Between App Volumes Manager and SQL Server
bull 212 User Guide references MS Support
bull Note the differences for a SQL Server clustered installation
bull Encryption is configured on the SQL Server instance so alldatabases on a shared SQL Server will be affected
bull From the SQL Server use SQL Server Configuration Manager to configure Force Encryption and specify the SQL certificate
SQL Server service account must have Read permissions to the Private Key of the SQL Server SSL certificate
ndash Check SQL Server Configuration Manager gt SQL Server Services gt SQL Server (SQL) gt Log On
ndash Default is NT ServiceMSSQL$SQL which does not have the necessary permissions
App Volumes
ABV1592BE CONFIDENTIAL 63
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and SQL Server CommunicationSetting Custom Private Key Permissions for SQL Service Account
bull Start on the SQL Server
bull MMC gt Certificates
App Volumes
ABV1592BE CONFIDENTIAL 64
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and Load Balancers
Typical Deployment
SSL is terminated at load balancer
HTTP between LB and AV Manager
SSL between AV Agents and LB
If trusted CA-signed cert is used for LB be
sure all agents trust the CA
App Volumes Agent VMs
Load Balancer
App Volumes Manager VMs
Alternative Deployment
To keep SSL between LB and AV
Manager signed AV Manager
certificate(s) should be added to trust list
of the LB
SQLView Infrastructure
Now Secured with SSL
Certificates
App Volumes
ABV1592BE CONFIDENTIAL 65
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMware Unified Access Gateway (UAG) Logs
14
Log Files
bull Default log level is INFO
bull Adjust log level for debugging information
ndash Details of log levels and collecting log files httpbitly2ufqdAY
Monitoring
bull Monitor UAG services from the Admin UI
Unified Access Gateway
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
App Volumes Logs
15
rdquoDJrdquo indicates
Manager
background
job
ldquoRrdquo indicates
dynamic Ruby
job
Log files are
now created
daily
bull Use Notepad++ to quickly group log entries by task
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
User Environment Manager Logs
bull Configure debug logging for individual user
ndash httpskbvmwarecomkb2113514
Global and Individual Debug Logs
User Environment Manager
ABV1592BE CONFIDENTIAL 16
VMworld 2017 Content Not fo
r publication or distri
bution
Application Personalization amp DirectFlex
User Session
Profile Data Store (File Share)
Base
Profile
UEM
LogonImport of Keyboard
Mouse Wallpaper
Windows Settings
Application
LaunchImport of application
settings
Application
ShutdownExport of application
settings
UEM
LogoffExport of Keyboard
Mouse Wallpaper
Windows Settings
Time
User Environment Manager
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
DirectFlex Logging
18
User Environment Manager
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
DirectFlex Import
19
Directflex Import
User Environment Manager
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
DirectFlex Export
20
Directflex Export
User Environment Manager
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Tracking Sessions
bull Use TailGrep Utilities or Trace32 (SCCM Toolkit)
21
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Demo ndash Log Monitoring with BareTailBareGrep
22
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
HorizonCommon Issues
VMworld 2017 Content Not fo
r publication or distri
bution
Troubleshooting Keys
bull Check Admin Dashboard or HelpDesk Tool
bull Understand client connection paths
bull Set the appropriate Logging Level
bull Check Logs and understand DCT Tool
bull Use kbvmwarecom or communities
24
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon Helpdesk Tool
25
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon Helpdesk Tool Session Details
26
Access
bull Installed by default on CS
bull https[CS FQDN]helpdesk
bull Launch from Horizon Console
Provides
bull Metrics
bull Send Message
bull Remote Assistance
bull Quick Resolution
bull Restart
bull Logoff
bull Reset
bull Disconnect
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon Helpdesk Tool
27
Measuring Impact of AppStacks
No AppStacks
Three AppStacks ndash VLC Notepad++ 7-Zip
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Pool
Profile
Service AppsUser
Remoting
ProtocolUser Environment
Manager
File SharesPersona
ThinApp SharesStreamed
Apps
Master VMInstant
Clone
Home File SharesFolder
Redirection
App Volumes
AppStacks
Writable Volume
Disk
Attachments
vSphere
Virtual SAN
Instant Clone
SaaS Mobile Other Apps
Client(s)
Identity Manager
HTML
APPS
En
viro
nm
en
t
AD
DNS
DHCP
Group
Policy
Certs
vRealize Operations for Horizon ndash (Monitoring amp Mgt)
Identifying the Problem Domain
ABV1592BE CONFIDENTIAL 28
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon Connectivity Issues
bull Common challenges
ndash Horizon Client canrsquot connect
ndash Logon failure
ndash Black screen
ndash Poor quality display
ndash Randomly disconnected session
ABV1592BE CONFIDENTIAL 29
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
30
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Blast Extreme Adaptive TransportADMX Template Settings
Computer gt Policies gt Admin Templates gt VMware Blast gt UDP Protocol
bull Requires restart of Blast service or reboot of guest OS to take effect
BlastExtreme
ABV1592BE CONFIDENTIAL 31
VMworld 2017 Content Not fo
r publication or distri
bution
Blast Extreme Adaptive Transport
Client Settings Agent Settings (UDP) Blast Desktop Connection Broker Connection
Excellent Not configured or Enabled TCP TCP
Typical Not configured or Enabled UDP TCP
Poor Not configured or Enabled UDP UDP
Computer gt Policies gt Admin Templates gt VMware Blast gt UDP Protocol ndash Not Configured or Enabled
HKLMSOFTWAREPoliciesVMware IncVMware BlastConfig ndash UdpEnabled = 1
Client Settings Agent Settings (UDP) Blast Desktop Connection Broker Connection
Excellent Disabled TCP TCP
Typical Disabled TCP TCP
Poor Disabled TCP UDP
Computer gt Policies gt Admin Templates gt VMware Blast gt UDP Protocol ndash Disabled
HKLMSOFTWAREPoliciesVMware IncVMware BlastConfig ndash UdpEnabled = 0
BlastExtreme
ABV1592BE CONFIDENTIAL 32
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon Connectivity Issues
bull Where to look
ndash Connection Broker logs
bull CProgramDataVMwareVDMlogs
ndash Event Database
ndash DCT Tool
bull What to look for ndash
bull (Client connects) [SimpleAJPService] (ajpbrokerRequest9) Request from 19216821 POST brokerxml
bull (Broker authentication) [WinAuthFilter] (SESSION7072--a79c mattc) Attempting to authenticate user mattc in domain FUTUREOFFICErsquo
bull (User has authenticated to Broker) [AuthorizationFilter] (SESSION7072--a79c) User FUTUREOFFICEmattc has successfully authenticated to VDM
bull (Audit Entry) [Audit] (SESSION7072--a79c) BROKER_LOGONUSERFUTUREOFFICEmattcUSERSIDS-1-5-21-326850759-2560684469-1780228732-1113USERDNCN=S-1-5-21-326850759-2560684469-1780228732-1113CN=ForeignSecurityPrincipalsDC=vdiDC=vmwareDC=int
bull Event Database BROKER_USERLOGGEDIN
ABV1592BE CONFIDENTIAL 33
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
User Experience Issues
bull Black screen of deathmdashinstead of desktop
ndash PCoIP port blocked (TCP and UDP 4172) or SVGA Driver issue
ndash pcoip_serverclient logs - CUsersAll UsersVMwareVDMlogs
bull Error attaching to SVGADevTap error 4000 EscapeFailed
bull MGMT_SCHAN scnet_client_open tera_sock_connect returned error 10060 - Connection timed out
ndash Incorrect PCoIP External URL configured for SecurityConnection Servers
ABV1592BE CONFIDENTIAL 34
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
User Experience Issues
bull Poor quality display
ndash Bandwidth latency or QoS
ndash Pcoip_server logs report
bull VGMAC Stat frms Loss=045021 (RT)
bull MGMT_PCOIP_DATA BW Decrease (loss) old = 2349982 new = 1768438
bull Randomly disconnected session
ndash 15 min after established - wssm process hasnt started on desktop
ndash View Agent logs (ltDriveLettergtProgramDataVMwareVDMlogs)
ndash PENDING_EXPIRED
ndash Sometimes caused by daisy-chaining the GINA (WinXP)
ABV1592BE CONFIDENTIAL 35
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Multi-VLAN support for Instant Clone pools
36
Tips to Avoid Deployment Issues
Support
bull vSphere 2016
bull ESXi 60 U1 or newer
bull Virtual Distributed Switch only
ndash No support for Standard Switch
bull Port Group must be configured for Static Port Binding amp Fixed Port Allocation
ndash No support for Dynamic or Ephemeral
Tested Limits
bull No multi-VLAN provisioning with IPv6
bull Single IC pool of 2K VMs
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Multi-VLAN with Horizon Instant Clones
37
Troubleshooting
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Performance
bull Common Issues
ndash Storage IO bottleneck
ndash Memory contention
ndash CPU contention
ndash Network issues
bull Where to look
ndash vCenter Server
ndash VCOPs
ndash ESXTOP
ndash 3rd Party Tools
ABV1592BE CONFIDENTIAL 38
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
The 3 Pillars of Performance
What to look for
bull CPU
ndash ClusterHost utilization lt 90
ndash VM utilization - USED (ESXTOP)
ndash VM RDY Time (ESXTOP) lt 10
bull Memory
ndash Host utilization lt 85
ndash VM utilization
ndash Swapping Ballooning SWCUR gt 1 MCTLSZ gt 1 (ESXTOP)
bull Storage
ndash Disk Read Latency lt 25ms
ndash ESXTOP DAVG or KAVG lt 25ms (ESXTOP)
ABV1592BE CONFIDENTIAL 39
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Optimize Your Images
bull httpslabsvmwarecomflingsvmware-os-optimization-tool
ABV1592BE CONFIDENTIAL 40
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
User Environment ManagerCommon Issues
41
VMworld 2017 Content Not fo
r publication or distri
bution
FlexEngine Appears Not To Run
FlexEngine Client
bull Requires use of Regeditexeor Regexe to modify user-based registry keys
bull Must not be disabled via Local or Group Policy
ADMX Settings
bull Minimum settings to enable FlexEngine Client
bull Check path
ABV1592BE CONFIDENTIAL 42
VMworld 2017 Content Not fo
r publication or distri
bution
Path-Based Import Runs Slow
43
bull Be careful not to run FlexEngine as a logon script and a Group Policy client-side extension
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Application Incompatibility with Hook Drivers
44
User Environment Manager
DirectFlex Blacklist
bull Create ltFlexRepositorygtDirectFlexBlackListXML
bull Populate as follows
ltxml version=10 encoding=utf-8gt
ltuserEnvironmentSettingsgt
ltsetting type=blacklist list=rdquo1exe|2exe|3exe gt
ltuserEnvironmentSettingsgt
bull Example httpskbvmwarecomkb2145287
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
App VolumesCommon Issues
45
VMworld 2017 Content Not fo
r publication or distri
bution
Slow User Logon
46
bull Check Logon Segments in Horizon to determine where the delay is
bull Optimize clockyml
ndash If performance decreases as deployment scales
ndash Increasing servers workers and thread_poolrequires additional CPU and RAM
ndash Involve GSS to ensure optimal settings
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
AppStack Not Attaching at Logon
47
bull One host in vSphere cluster does not have access to the shared datastore where the AppStack resides
ndash Common oversight especially with Storage Groups
bull Conflicting Minifilter driver
ndash DLP software
ndash Be aware of app altitude
ndash More info from Microsoft
bull httpbitly2tSCdG5
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
ADSI Edit ndash Static Configuration Editing
50
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
ADSI Edit ndash Common Key Values to Inspect
bull pae-DisplayName
ndash VM name as displayed in View Admin
bull pae-DirtyForNewSessions
ndash Indicates whether the VM is ldquoDirtyrdquo and can be re-used in a non-persistent pool
bull pae-SVIVMSnapshot
ndash Indicates the current Snapshot that is in use
bull pae-VmPath
ndash Indicates the full Path to the VM in vCenter
bull pae-VmState
ndash Indicates the current state of the Desktop ndash some states are a combination of this valueand other values
51
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
ADSI Edit ndash Searching for a Desktop
bull Find VMs with a Snapshot
ndash (amp(objectClass=pae-VM)(pae-SVIVmSnapshot=BaselineSnapshot1Snapshot2))
bull Find VMs with a Name
ndash (amp(objectClass=pae-VM)(pae-DisplayName=Desktop-234))
ABV1592BE CONFIDENTIAL 52
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon View Event Notifier
bull On the VMware Fling site - labsvmwarecomflings (chrishalstead)
ABV1592BE CONFIDENTIAL 53
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
What to look forhellip (walk through successful connection)
bull Client requests desktop
ndash Event Database BROKER_DESKTOP_REQUEST
bull Broker allocates session to user
ndash [FarmImp] (SESSION7072--a79c) cn=3f974017-409f-4912-83bc-2ee794f22fabou=serversdc=vdidc=vmwaredc=int total session count 0
ndash [FarmImp] (SESSION7072--a79c) allocateNewSession - identified server for application CN=GOLD-NPOU=ApplicationsDC=vdiDC=vmwareDC=int
ndash Event Database BROKER_MACHINE_ALLOCATED
bull Broker attempts SSO
ndash [FarmImp] (SESSION7072--a79c) Using domain for SSO FUTUREOFFICE
ndash User wonrsquot be logged on to the VM without this
ABV1592BE CONFIDENTIAL 54
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
What to look forhellip Pool Provisioning
bull Desktops not available due to provisioning error
ndash Check View Administrator for Pool status check datastore capacity
ndash Check Event Database - BROKER_PROVISIONING_ERROR_
ndash Check View Composer has network access to ESX hosts
bull Desktop not available due to customization
ndash Check Desktop status ndash AGENT UNAVAILABLE
ndash Check View Dashboard
bull Desktop Status gt Preparing Desktops OR Problem Desktops
ndash Check Desktop connectivity to DNSADConnection Server
ABV1592BE CONFIDENTIAL 55
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
bull Desktop not available due to VM resetcrash
ndash Check Desktop status ndash ALREADY USED
ndash Typical on refresh-on-logoff or delete-on-use desktops
ndash Broker never received an explicit logout message from the agent
ndash Missing AGENT_ENDED event in DB for VM
bull View Composer Issues associated with incorrect domain credentials
bull CProgramDataVMwareView ComposerLogs
bull FATAL CSvmGaService - [svmGaServicecpp 116] Domain join failed Error 5 (0x5) Access is denied
ABV1592BE CONFIDENTIAL 56
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
What to look forhellip
bull Broker starts session on VM
ndash [DesktopSessionImp] (SESSION7072--a79c) startSession ndashsending StartSession message
bull Agent respondshellip
ndash DesktopManager got a StartSession messagerdquo
ndash Client Info should be in Agent Log along with PCoIP launch
bull Event Database AGENT_PENDING
bull Client connects to VM (Agent)
ndash ldquoPCoIPCnxOnConnectionComplete Begin (PCOIP)rdquo
ndash ldquoWTS_SESSION_LOGONrdquo
ndash Event Database AGENT_CONNECTED
ABV1592BE CONFIDENTIAL 57
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Source Not Available
58
Common Issues
bull No Desktop Available
bull Pool provisioning issues ndashcustomization
bull Agent not communicatingwith broker
bull Stuck at desktop loginscreen (SSO)
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Source Not Available
59
Where to look
bull Event Database
bull Connection Server logs
What to look for
[SessionLaunchContext] (SESSION40a7__6cbd) VMWEUCbsimpson Desktop=vmworld Session request failed
(SESSION40a7__6cbd) [VMWEUCbsimpson Desktop=vmworld] (5ms) The following servers were blocked for new sessions [cn=5162cf76-8d8a-4ac0-9185-845a540d24e5ou=serversdc=vdidc=vmwaredc=int]
(SESSION40a7__6cbd) [VMWEUCbsimpson Desktop=vmworld] (5ms) Application launch failed exception was The desktop sources for this desktop are not responding Please try again later
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and vCenter Server Connection
Accept vCenter Certificate
By default certificate validation is required between App Volumes Manager and vSphere
Accept vCenter cert (self-signed or CA-signed) while creating the Machine Manager in App Volumes Manager
No custom certificate work required
App Volumes
ABV1592BE CONFIDENTIAL 60
VMworld 2017 Content Not fo
r publication or distri
bution
Certificate Options for ProductionEnable Certificate Validation on the App Volumes Agent
HKLMSystemCurrentControlSetServicessvservicesParametersbull EnforceSSLCertificateValidation = 1bull SSL = 1
Options to Enable SSL
SSL is enabled by default
Donrsquot disable certificate validation during Agent installation
Enable SSL in the registry after App Volumes Agent install
App Volumes
61
VMworld 2017 Content Not fo
r publication or distri
bution
Certificate Options for a POCDisable SSL Certificate Validation on the Agent
HKLMSystemCurrentControlSetServicessvservicesParametersbull EnforceSSLCertificateValidation = 0
Options to Disable SSL
Disable Certificate Validation with App Volumes Manager during App Volumes Agent install
EnforceSSLCertificateValidation in the registry after App Volumes Agent install
App Volumes
62
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and SQL Server CommunicationSecuring Communications Between App Volumes Manager and SQL Server
bull 212 User Guide references MS Support
bull Note the differences for a SQL Server clustered installation
bull Encryption is configured on the SQL Server instance so alldatabases on a shared SQL Server will be affected
bull From the SQL Server use SQL Server Configuration Manager to configure Force Encryption and specify the SQL certificate
SQL Server service account must have Read permissions to the Private Key of the SQL Server SSL certificate
ndash Check SQL Server Configuration Manager gt SQL Server Services gt SQL Server (SQL) gt Log On
ndash Default is NT ServiceMSSQL$SQL which does not have the necessary permissions
App Volumes
ABV1592BE CONFIDENTIAL 63
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and SQL Server CommunicationSetting Custom Private Key Permissions for SQL Service Account
bull Start on the SQL Server
bull MMC gt Certificates
App Volumes
ABV1592BE CONFIDENTIAL 64
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and Load Balancers
Typical Deployment
SSL is terminated at load balancer
HTTP between LB and AV Manager
SSL between AV Agents and LB
If trusted CA-signed cert is used for LB be
sure all agents trust the CA
App Volumes Agent VMs
Load Balancer
App Volumes Manager VMs
Alternative Deployment
To keep SSL between LB and AV
Manager signed AV Manager
certificate(s) should be added to trust list
of the LB
SQLView Infrastructure
Now Secured with SSL
Certificates
App Volumes
ABV1592BE CONFIDENTIAL 65
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
App Volumes Logs
15
rdquoDJrdquo indicates
Manager
background
job
ldquoRrdquo indicates
dynamic Ruby
job
Log files are
now created
daily
bull Use Notepad++ to quickly group log entries by task
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
User Environment Manager Logs
bull Configure debug logging for individual user
ndash httpskbvmwarecomkb2113514
Global and Individual Debug Logs
User Environment Manager
ABV1592BE CONFIDENTIAL 16
VMworld 2017 Content Not fo
r publication or distri
bution
Application Personalization amp DirectFlex
User Session
Profile Data Store (File Share)
Base
Profile
UEM
LogonImport of Keyboard
Mouse Wallpaper
Windows Settings
Application
LaunchImport of application
settings
Application
ShutdownExport of application
settings
UEM
LogoffExport of Keyboard
Mouse Wallpaper
Windows Settings
Time
User Environment Manager
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
DirectFlex Logging
18
User Environment Manager
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
DirectFlex Import
19
Directflex Import
User Environment Manager
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
DirectFlex Export
20
Directflex Export
User Environment Manager
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Tracking Sessions
bull Use TailGrep Utilities or Trace32 (SCCM Toolkit)
21
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Demo ndash Log Monitoring with BareTailBareGrep
22
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
HorizonCommon Issues
VMworld 2017 Content Not fo
r publication or distri
bution
Troubleshooting Keys
bull Check Admin Dashboard or HelpDesk Tool
bull Understand client connection paths
bull Set the appropriate Logging Level
bull Check Logs and understand DCT Tool
bull Use kbvmwarecom or communities
24
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon Helpdesk Tool
25
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon Helpdesk Tool Session Details
26
Access
bull Installed by default on CS
bull https[CS FQDN]helpdesk
bull Launch from Horizon Console
Provides
bull Metrics
bull Send Message
bull Remote Assistance
bull Quick Resolution
bull Restart
bull Logoff
bull Reset
bull Disconnect
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon Helpdesk Tool
27
Measuring Impact of AppStacks
No AppStacks
Three AppStacks ndash VLC Notepad++ 7-Zip
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Pool
Profile
Service AppsUser
Remoting
ProtocolUser Environment
Manager
File SharesPersona
ThinApp SharesStreamed
Apps
Master VMInstant
Clone
Home File SharesFolder
Redirection
App Volumes
AppStacks
Writable Volume
Disk
Attachments
vSphere
Virtual SAN
Instant Clone
SaaS Mobile Other Apps
Client(s)
Identity Manager
HTML
APPS
En
viro
nm
en
t
AD
DNS
DHCP
Group
Policy
Certs
vRealize Operations for Horizon ndash (Monitoring amp Mgt)
Identifying the Problem Domain
ABV1592BE CONFIDENTIAL 28
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon Connectivity Issues
bull Common challenges
ndash Horizon Client canrsquot connect
ndash Logon failure
ndash Black screen
ndash Poor quality display
ndash Randomly disconnected session
ABV1592BE CONFIDENTIAL 29
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
30
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Blast Extreme Adaptive TransportADMX Template Settings
Computer gt Policies gt Admin Templates gt VMware Blast gt UDP Protocol
bull Requires restart of Blast service or reboot of guest OS to take effect
BlastExtreme
ABV1592BE CONFIDENTIAL 31
VMworld 2017 Content Not fo
r publication or distri
bution
Blast Extreme Adaptive Transport
Client Settings Agent Settings (UDP) Blast Desktop Connection Broker Connection
Excellent Not configured or Enabled TCP TCP
Typical Not configured or Enabled UDP TCP
Poor Not configured or Enabled UDP UDP
Computer gt Policies gt Admin Templates gt VMware Blast gt UDP Protocol ndash Not Configured or Enabled
HKLMSOFTWAREPoliciesVMware IncVMware BlastConfig ndash UdpEnabled = 1
Client Settings Agent Settings (UDP) Blast Desktop Connection Broker Connection
Excellent Disabled TCP TCP
Typical Disabled TCP TCP
Poor Disabled TCP UDP
Computer gt Policies gt Admin Templates gt VMware Blast gt UDP Protocol ndash Disabled
HKLMSOFTWAREPoliciesVMware IncVMware BlastConfig ndash UdpEnabled = 0
BlastExtreme
ABV1592BE CONFIDENTIAL 32
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon Connectivity Issues
bull Where to look
ndash Connection Broker logs
bull CProgramDataVMwareVDMlogs
ndash Event Database
ndash DCT Tool
bull What to look for ndash
bull (Client connects) [SimpleAJPService] (ajpbrokerRequest9) Request from 19216821 POST brokerxml
bull (Broker authentication) [WinAuthFilter] (SESSION7072--a79c mattc) Attempting to authenticate user mattc in domain FUTUREOFFICErsquo
bull (User has authenticated to Broker) [AuthorizationFilter] (SESSION7072--a79c) User FUTUREOFFICEmattc has successfully authenticated to VDM
bull (Audit Entry) [Audit] (SESSION7072--a79c) BROKER_LOGONUSERFUTUREOFFICEmattcUSERSIDS-1-5-21-326850759-2560684469-1780228732-1113USERDNCN=S-1-5-21-326850759-2560684469-1780228732-1113CN=ForeignSecurityPrincipalsDC=vdiDC=vmwareDC=int
bull Event Database BROKER_USERLOGGEDIN
ABV1592BE CONFIDENTIAL 33
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
User Experience Issues
bull Black screen of deathmdashinstead of desktop
ndash PCoIP port blocked (TCP and UDP 4172) or SVGA Driver issue
ndash pcoip_serverclient logs - CUsersAll UsersVMwareVDMlogs
bull Error attaching to SVGADevTap error 4000 EscapeFailed
bull MGMT_SCHAN scnet_client_open tera_sock_connect returned error 10060 - Connection timed out
ndash Incorrect PCoIP External URL configured for SecurityConnection Servers
ABV1592BE CONFIDENTIAL 34
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
User Experience Issues
bull Poor quality display
ndash Bandwidth latency or QoS
ndash Pcoip_server logs report
bull VGMAC Stat frms Loss=045021 (RT)
bull MGMT_PCOIP_DATA BW Decrease (loss) old = 2349982 new = 1768438
bull Randomly disconnected session
ndash 15 min after established - wssm process hasnt started on desktop
ndash View Agent logs (ltDriveLettergtProgramDataVMwareVDMlogs)
ndash PENDING_EXPIRED
ndash Sometimes caused by daisy-chaining the GINA (WinXP)
ABV1592BE CONFIDENTIAL 35
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Multi-VLAN support for Instant Clone pools
36
Tips to Avoid Deployment Issues
Support
bull vSphere 2016
bull ESXi 60 U1 or newer
bull Virtual Distributed Switch only
ndash No support for Standard Switch
bull Port Group must be configured for Static Port Binding amp Fixed Port Allocation
ndash No support for Dynamic or Ephemeral
Tested Limits
bull No multi-VLAN provisioning with IPv6
bull Single IC pool of 2K VMs
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Multi-VLAN with Horizon Instant Clones
37
Troubleshooting
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Performance
bull Common Issues
ndash Storage IO bottleneck
ndash Memory contention
ndash CPU contention
ndash Network issues
bull Where to look
ndash vCenter Server
ndash VCOPs
ndash ESXTOP
ndash 3rd Party Tools
ABV1592BE CONFIDENTIAL 38
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
The 3 Pillars of Performance
What to look for
bull CPU
ndash ClusterHost utilization lt 90
ndash VM utilization - USED (ESXTOP)
ndash VM RDY Time (ESXTOP) lt 10
bull Memory
ndash Host utilization lt 85
ndash VM utilization
ndash Swapping Ballooning SWCUR gt 1 MCTLSZ gt 1 (ESXTOP)
bull Storage
ndash Disk Read Latency lt 25ms
ndash ESXTOP DAVG or KAVG lt 25ms (ESXTOP)
ABV1592BE CONFIDENTIAL 39
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Optimize Your Images
bull httpslabsvmwarecomflingsvmware-os-optimization-tool
ABV1592BE CONFIDENTIAL 40
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
User Environment ManagerCommon Issues
41
VMworld 2017 Content Not fo
r publication or distri
bution
FlexEngine Appears Not To Run
FlexEngine Client
bull Requires use of Regeditexeor Regexe to modify user-based registry keys
bull Must not be disabled via Local or Group Policy
ADMX Settings
bull Minimum settings to enable FlexEngine Client
bull Check path
ABV1592BE CONFIDENTIAL 42
VMworld 2017 Content Not fo
r publication or distri
bution
Path-Based Import Runs Slow
43
bull Be careful not to run FlexEngine as a logon script and a Group Policy client-side extension
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Application Incompatibility with Hook Drivers
44
User Environment Manager
DirectFlex Blacklist
bull Create ltFlexRepositorygtDirectFlexBlackListXML
bull Populate as follows
ltxml version=10 encoding=utf-8gt
ltuserEnvironmentSettingsgt
ltsetting type=blacklist list=rdquo1exe|2exe|3exe gt
ltuserEnvironmentSettingsgt
bull Example httpskbvmwarecomkb2145287
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
App VolumesCommon Issues
45
VMworld 2017 Content Not fo
r publication or distri
bution
Slow User Logon
46
bull Check Logon Segments in Horizon to determine where the delay is
bull Optimize clockyml
ndash If performance decreases as deployment scales
ndash Increasing servers workers and thread_poolrequires additional CPU and RAM
ndash Involve GSS to ensure optimal settings
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
AppStack Not Attaching at Logon
47
bull One host in vSphere cluster does not have access to the shared datastore where the AppStack resides
ndash Common oversight especially with Storage Groups
bull Conflicting Minifilter driver
ndash DLP software
ndash Be aware of app altitude
ndash More info from Microsoft
bull httpbitly2tSCdG5
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
ADSI Edit ndash Static Configuration Editing
50
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
ADSI Edit ndash Common Key Values to Inspect
bull pae-DisplayName
ndash VM name as displayed in View Admin
bull pae-DirtyForNewSessions
ndash Indicates whether the VM is ldquoDirtyrdquo and can be re-used in a non-persistent pool
bull pae-SVIVMSnapshot
ndash Indicates the current Snapshot that is in use
bull pae-VmPath
ndash Indicates the full Path to the VM in vCenter
bull pae-VmState
ndash Indicates the current state of the Desktop ndash some states are a combination of this valueand other values
51
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
ADSI Edit ndash Searching for a Desktop
bull Find VMs with a Snapshot
ndash (amp(objectClass=pae-VM)(pae-SVIVmSnapshot=BaselineSnapshot1Snapshot2))
bull Find VMs with a Name
ndash (amp(objectClass=pae-VM)(pae-DisplayName=Desktop-234))
ABV1592BE CONFIDENTIAL 52
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon View Event Notifier
bull On the VMware Fling site - labsvmwarecomflings (chrishalstead)
ABV1592BE CONFIDENTIAL 53
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
What to look forhellip (walk through successful connection)
bull Client requests desktop
ndash Event Database BROKER_DESKTOP_REQUEST
bull Broker allocates session to user
ndash [FarmImp] (SESSION7072--a79c) cn=3f974017-409f-4912-83bc-2ee794f22fabou=serversdc=vdidc=vmwaredc=int total session count 0
ndash [FarmImp] (SESSION7072--a79c) allocateNewSession - identified server for application CN=GOLD-NPOU=ApplicationsDC=vdiDC=vmwareDC=int
ndash Event Database BROKER_MACHINE_ALLOCATED
bull Broker attempts SSO
ndash [FarmImp] (SESSION7072--a79c) Using domain for SSO FUTUREOFFICE
ndash User wonrsquot be logged on to the VM without this
ABV1592BE CONFIDENTIAL 54
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
What to look forhellip Pool Provisioning
bull Desktops not available due to provisioning error
ndash Check View Administrator for Pool status check datastore capacity
ndash Check Event Database - BROKER_PROVISIONING_ERROR_
ndash Check View Composer has network access to ESX hosts
bull Desktop not available due to customization
ndash Check Desktop status ndash AGENT UNAVAILABLE
ndash Check View Dashboard
bull Desktop Status gt Preparing Desktops OR Problem Desktops
ndash Check Desktop connectivity to DNSADConnection Server
ABV1592BE CONFIDENTIAL 55
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
bull Desktop not available due to VM resetcrash
ndash Check Desktop status ndash ALREADY USED
ndash Typical on refresh-on-logoff or delete-on-use desktops
ndash Broker never received an explicit logout message from the agent
ndash Missing AGENT_ENDED event in DB for VM
bull View Composer Issues associated with incorrect domain credentials
bull CProgramDataVMwareView ComposerLogs
bull FATAL CSvmGaService - [svmGaServicecpp 116] Domain join failed Error 5 (0x5) Access is denied
ABV1592BE CONFIDENTIAL 56
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
What to look forhellip
bull Broker starts session on VM
ndash [DesktopSessionImp] (SESSION7072--a79c) startSession ndashsending StartSession message
bull Agent respondshellip
ndash DesktopManager got a StartSession messagerdquo
ndash Client Info should be in Agent Log along with PCoIP launch
bull Event Database AGENT_PENDING
bull Client connects to VM (Agent)
ndash ldquoPCoIPCnxOnConnectionComplete Begin (PCOIP)rdquo
ndash ldquoWTS_SESSION_LOGONrdquo
ndash Event Database AGENT_CONNECTED
ABV1592BE CONFIDENTIAL 57
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Source Not Available
58
Common Issues
bull No Desktop Available
bull Pool provisioning issues ndashcustomization
bull Agent not communicatingwith broker
bull Stuck at desktop loginscreen (SSO)
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Source Not Available
59
Where to look
bull Event Database
bull Connection Server logs
What to look for
[SessionLaunchContext] (SESSION40a7__6cbd) VMWEUCbsimpson Desktop=vmworld Session request failed
(SESSION40a7__6cbd) [VMWEUCbsimpson Desktop=vmworld] (5ms) The following servers were blocked for new sessions [cn=5162cf76-8d8a-4ac0-9185-845a540d24e5ou=serversdc=vdidc=vmwaredc=int]
(SESSION40a7__6cbd) [VMWEUCbsimpson Desktop=vmworld] (5ms) Application launch failed exception was The desktop sources for this desktop are not responding Please try again later
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and vCenter Server Connection
Accept vCenter Certificate
By default certificate validation is required between App Volumes Manager and vSphere
Accept vCenter cert (self-signed or CA-signed) while creating the Machine Manager in App Volumes Manager
No custom certificate work required
App Volumes
ABV1592BE CONFIDENTIAL 60
VMworld 2017 Content Not fo
r publication or distri
bution
Certificate Options for ProductionEnable Certificate Validation on the App Volumes Agent
HKLMSystemCurrentControlSetServicessvservicesParametersbull EnforceSSLCertificateValidation = 1bull SSL = 1
Options to Enable SSL
SSL is enabled by default
Donrsquot disable certificate validation during Agent installation
Enable SSL in the registry after App Volumes Agent install
App Volumes
61
VMworld 2017 Content Not fo
r publication or distri
bution
Certificate Options for a POCDisable SSL Certificate Validation on the Agent
HKLMSystemCurrentControlSetServicessvservicesParametersbull EnforceSSLCertificateValidation = 0
Options to Disable SSL
Disable Certificate Validation with App Volumes Manager during App Volumes Agent install
EnforceSSLCertificateValidation in the registry after App Volumes Agent install
App Volumes
62
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and SQL Server CommunicationSecuring Communications Between App Volumes Manager and SQL Server
bull 212 User Guide references MS Support
bull Note the differences for a SQL Server clustered installation
bull Encryption is configured on the SQL Server instance so alldatabases on a shared SQL Server will be affected
bull From the SQL Server use SQL Server Configuration Manager to configure Force Encryption and specify the SQL certificate
SQL Server service account must have Read permissions to the Private Key of the SQL Server SSL certificate
ndash Check SQL Server Configuration Manager gt SQL Server Services gt SQL Server (SQL) gt Log On
ndash Default is NT ServiceMSSQL$SQL which does not have the necessary permissions
App Volumes
ABV1592BE CONFIDENTIAL 63
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and SQL Server CommunicationSetting Custom Private Key Permissions for SQL Service Account
bull Start on the SQL Server
bull MMC gt Certificates
App Volumes
ABV1592BE CONFIDENTIAL 64
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and Load Balancers
Typical Deployment
SSL is terminated at load balancer
HTTP between LB and AV Manager
SSL between AV Agents and LB
If trusted CA-signed cert is used for LB be
sure all agents trust the CA
App Volumes Agent VMs
Load Balancer
App Volumes Manager VMs
Alternative Deployment
To keep SSL between LB and AV
Manager signed AV Manager
certificate(s) should be added to trust list
of the LB
SQLView Infrastructure
Now Secured with SSL
Certificates
App Volumes
ABV1592BE CONFIDENTIAL 65
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
User Environment Manager Logs
bull Configure debug logging for individual user
ndash httpskbvmwarecomkb2113514
Global and Individual Debug Logs
User Environment Manager
ABV1592BE CONFIDENTIAL 16
VMworld 2017 Content Not fo
r publication or distri
bution
Application Personalization amp DirectFlex
User Session
Profile Data Store (File Share)
Base
Profile
UEM
LogonImport of Keyboard
Mouse Wallpaper
Windows Settings
Application
LaunchImport of application
settings
Application
ShutdownExport of application
settings
UEM
LogoffExport of Keyboard
Mouse Wallpaper
Windows Settings
Time
User Environment Manager
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
DirectFlex Logging
18
User Environment Manager
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
DirectFlex Import
19
Directflex Import
User Environment Manager
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
DirectFlex Export
20
Directflex Export
User Environment Manager
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Tracking Sessions
bull Use TailGrep Utilities or Trace32 (SCCM Toolkit)
21
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Demo ndash Log Monitoring with BareTailBareGrep
22
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
HorizonCommon Issues
VMworld 2017 Content Not fo
r publication or distri
bution
Troubleshooting Keys
bull Check Admin Dashboard or HelpDesk Tool
bull Understand client connection paths
bull Set the appropriate Logging Level
bull Check Logs and understand DCT Tool
bull Use kbvmwarecom or communities
24
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon Helpdesk Tool
25
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon Helpdesk Tool Session Details
26
Access
bull Installed by default on CS
bull https[CS FQDN]helpdesk
bull Launch from Horizon Console
Provides
bull Metrics
bull Send Message
bull Remote Assistance
bull Quick Resolution
bull Restart
bull Logoff
bull Reset
bull Disconnect
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon Helpdesk Tool
27
Measuring Impact of AppStacks
No AppStacks
Three AppStacks ndash VLC Notepad++ 7-Zip
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Pool
Profile
Service AppsUser
Remoting
ProtocolUser Environment
Manager
File SharesPersona
ThinApp SharesStreamed
Apps
Master VMInstant
Clone
Home File SharesFolder
Redirection
App Volumes
AppStacks
Writable Volume
Disk
Attachments
vSphere
Virtual SAN
Instant Clone
SaaS Mobile Other Apps
Client(s)
Identity Manager
HTML
APPS
En
viro
nm
en
t
AD
DNS
DHCP
Group
Policy
Certs
vRealize Operations for Horizon ndash (Monitoring amp Mgt)
Identifying the Problem Domain
ABV1592BE CONFIDENTIAL 28
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon Connectivity Issues
bull Common challenges
ndash Horizon Client canrsquot connect
ndash Logon failure
ndash Black screen
ndash Poor quality display
ndash Randomly disconnected session
ABV1592BE CONFIDENTIAL 29
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
30
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Blast Extreme Adaptive TransportADMX Template Settings
Computer gt Policies gt Admin Templates gt VMware Blast gt UDP Protocol
bull Requires restart of Blast service or reboot of guest OS to take effect
BlastExtreme
ABV1592BE CONFIDENTIAL 31
VMworld 2017 Content Not fo
r publication or distri
bution
Blast Extreme Adaptive Transport
Client Settings Agent Settings (UDP) Blast Desktop Connection Broker Connection
Excellent Not configured or Enabled TCP TCP
Typical Not configured or Enabled UDP TCP
Poor Not configured or Enabled UDP UDP
Computer gt Policies gt Admin Templates gt VMware Blast gt UDP Protocol ndash Not Configured or Enabled
HKLMSOFTWAREPoliciesVMware IncVMware BlastConfig ndash UdpEnabled = 1
Client Settings Agent Settings (UDP) Blast Desktop Connection Broker Connection
Excellent Disabled TCP TCP
Typical Disabled TCP TCP
Poor Disabled TCP UDP
Computer gt Policies gt Admin Templates gt VMware Blast gt UDP Protocol ndash Disabled
HKLMSOFTWAREPoliciesVMware IncVMware BlastConfig ndash UdpEnabled = 0
BlastExtreme
ABV1592BE CONFIDENTIAL 32
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon Connectivity Issues
bull Where to look
ndash Connection Broker logs
bull CProgramDataVMwareVDMlogs
ndash Event Database
ndash DCT Tool
bull What to look for ndash
bull (Client connects) [SimpleAJPService] (ajpbrokerRequest9) Request from 19216821 POST brokerxml
bull (Broker authentication) [WinAuthFilter] (SESSION7072--a79c mattc) Attempting to authenticate user mattc in domain FUTUREOFFICErsquo
bull (User has authenticated to Broker) [AuthorizationFilter] (SESSION7072--a79c) User FUTUREOFFICEmattc has successfully authenticated to VDM
bull (Audit Entry) [Audit] (SESSION7072--a79c) BROKER_LOGONUSERFUTUREOFFICEmattcUSERSIDS-1-5-21-326850759-2560684469-1780228732-1113USERDNCN=S-1-5-21-326850759-2560684469-1780228732-1113CN=ForeignSecurityPrincipalsDC=vdiDC=vmwareDC=int
bull Event Database BROKER_USERLOGGEDIN
ABV1592BE CONFIDENTIAL 33
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
User Experience Issues
bull Black screen of deathmdashinstead of desktop
ndash PCoIP port blocked (TCP and UDP 4172) or SVGA Driver issue
ndash pcoip_serverclient logs - CUsersAll UsersVMwareVDMlogs
bull Error attaching to SVGADevTap error 4000 EscapeFailed
bull MGMT_SCHAN scnet_client_open tera_sock_connect returned error 10060 - Connection timed out
ndash Incorrect PCoIP External URL configured for SecurityConnection Servers
ABV1592BE CONFIDENTIAL 34
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
User Experience Issues
bull Poor quality display
ndash Bandwidth latency or QoS
ndash Pcoip_server logs report
bull VGMAC Stat frms Loss=045021 (RT)
bull MGMT_PCOIP_DATA BW Decrease (loss) old = 2349982 new = 1768438
bull Randomly disconnected session
ndash 15 min after established - wssm process hasnt started on desktop
ndash View Agent logs (ltDriveLettergtProgramDataVMwareVDMlogs)
ndash PENDING_EXPIRED
ndash Sometimes caused by daisy-chaining the GINA (WinXP)
ABV1592BE CONFIDENTIAL 35
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Multi-VLAN support for Instant Clone pools
36
Tips to Avoid Deployment Issues
Support
bull vSphere 2016
bull ESXi 60 U1 or newer
bull Virtual Distributed Switch only
ndash No support for Standard Switch
bull Port Group must be configured for Static Port Binding amp Fixed Port Allocation
ndash No support for Dynamic or Ephemeral
Tested Limits
bull No multi-VLAN provisioning with IPv6
bull Single IC pool of 2K VMs
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Multi-VLAN with Horizon Instant Clones
37
Troubleshooting
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Performance
bull Common Issues
ndash Storage IO bottleneck
ndash Memory contention
ndash CPU contention
ndash Network issues
bull Where to look
ndash vCenter Server
ndash VCOPs
ndash ESXTOP
ndash 3rd Party Tools
ABV1592BE CONFIDENTIAL 38
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
The 3 Pillars of Performance
What to look for
bull CPU
ndash ClusterHost utilization lt 90
ndash VM utilization - USED (ESXTOP)
ndash VM RDY Time (ESXTOP) lt 10
bull Memory
ndash Host utilization lt 85
ndash VM utilization
ndash Swapping Ballooning SWCUR gt 1 MCTLSZ gt 1 (ESXTOP)
bull Storage
ndash Disk Read Latency lt 25ms
ndash ESXTOP DAVG or KAVG lt 25ms (ESXTOP)
ABV1592BE CONFIDENTIAL 39
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Optimize Your Images
bull httpslabsvmwarecomflingsvmware-os-optimization-tool
ABV1592BE CONFIDENTIAL 40
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
User Environment ManagerCommon Issues
41
VMworld 2017 Content Not fo
r publication or distri
bution
FlexEngine Appears Not To Run
FlexEngine Client
bull Requires use of Regeditexeor Regexe to modify user-based registry keys
bull Must not be disabled via Local or Group Policy
ADMX Settings
bull Minimum settings to enable FlexEngine Client
bull Check path
ABV1592BE CONFIDENTIAL 42
VMworld 2017 Content Not fo
r publication or distri
bution
Path-Based Import Runs Slow
43
bull Be careful not to run FlexEngine as a logon script and a Group Policy client-side extension
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Application Incompatibility with Hook Drivers
44
User Environment Manager
DirectFlex Blacklist
bull Create ltFlexRepositorygtDirectFlexBlackListXML
bull Populate as follows
ltxml version=10 encoding=utf-8gt
ltuserEnvironmentSettingsgt
ltsetting type=blacklist list=rdquo1exe|2exe|3exe gt
ltuserEnvironmentSettingsgt
bull Example httpskbvmwarecomkb2145287
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
App VolumesCommon Issues
45
VMworld 2017 Content Not fo
r publication or distri
bution
Slow User Logon
46
bull Check Logon Segments in Horizon to determine where the delay is
bull Optimize clockyml
ndash If performance decreases as deployment scales
ndash Increasing servers workers and thread_poolrequires additional CPU and RAM
ndash Involve GSS to ensure optimal settings
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
AppStack Not Attaching at Logon
47
bull One host in vSphere cluster does not have access to the shared datastore where the AppStack resides
ndash Common oversight especially with Storage Groups
bull Conflicting Minifilter driver
ndash DLP software
ndash Be aware of app altitude
ndash More info from Microsoft
bull httpbitly2tSCdG5
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
ADSI Edit ndash Static Configuration Editing
50
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
ADSI Edit ndash Common Key Values to Inspect
bull pae-DisplayName
ndash VM name as displayed in View Admin
bull pae-DirtyForNewSessions
ndash Indicates whether the VM is ldquoDirtyrdquo and can be re-used in a non-persistent pool
bull pae-SVIVMSnapshot
ndash Indicates the current Snapshot that is in use
bull pae-VmPath
ndash Indicates the full Path to the VM in vCenter
bull pae-VmState
ndash Indicates the current state of the Desktop ndash some states are a combination of this valueand other values
51
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
ADSI Edit ndash Searching for a Desktop
bull Find VMs with a Snapshot
ndash (amp(objectClass=pae-VM)(pae-SVIVmSnapshot=BaselineSnapshot1Snapshot2))
bull Find VMs with a Name
ndash (amp(objectClass=pae-VM)(pae-DisplayName=Desktop-234))
ABV1592BE CONFIDENTIAL 52
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon View Event Notifier
bull On the VMware Fling site - labsvmwarecomflings (chrishalstead)
ABV1592BE CONFIDENTIAL 53
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
What to look forhellip (walk through successful connection)
bull Client requests desktop
ndash Event Database BROKER_DESKTOP_REQUEST
bull Broker allocates session to user
ndash [FarmImp] (SESSION7072--a79c) cn=3f974017-409f-4912-83bc-2ee794f22fabou=serversdc=vdidc=vmwaredc=int total session count 0
ndash [FarmImp] (SESSION7072--a79c) allocateNewSession - identified server for application CN=GOLD-NPOU=ApplicationsDC=vdiDC=vmwareDC=int
ndash Event Database BROKER_MACHINE_ALLOCATED
bull Broker attempts SSO
ndash [FarmImp] (SESSION7072--a79c) Using domain for SSO FUTUREOFFICE
ndash User wonrsquot be logged on to the VM without this
ABV1592BE CONFIDENTIAL 54
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
What to look forhellip Pool Provisioning
bull Desktops not available due to provisioning error
ndash Check View Administrator for Pool status check datastore capacity
ndash Check Event Database - BROKER_PROVISIONING_ERROR_
ndash Check View Composer has network access to ESX hosts
bull Desktop not available due to customization
ndash Check Desktop status ndash AGENT UNAVAILABLE
ndash Check View Dashboard
bull Desktop Status gt Preparing Desktops OR Problem Desktops
ndash Check Desktop connectivity to DNSADConnection Server
ABV1592BE CONFIDENTIAL 55
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
bull Desktop not available due to VM resetcrash
ndash Check Desktop status ndash ALREADY USED
ndash Typical on refresh-on-logoff or delete-on-use desktops
ndash Broker never received an explicit logout message from the agent
ndash Missing AGENT_ENDED event in DB for VM
bull View Composer Issues associated with incorrect domain credentials
bull CProgramDataVMwareView ComposerLogs
bull FATAL CSvmGaService - [svmGaServicecpp 116] Domain join failed Error 5 (0x5) Access is denied
ABV1592BE CONFIDENTIAL 56
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
What to look forhellip
bull Broker starts session on VM
ndash [DesktopSessionImp] (SESSION7072--a79c) startSession ndashsending StartSession message
bull Agent respondshellip
ndash DesktopManager got a StartSession messagerdquo
ndash Client Info should be in Agent Log along with PCoIP launch
bull Event Database AGENT_PENDING
bull Client connects to VM (Agent)
ndash ldquoPCoIPCnxOnConnectionComplete Begin (PCOIP)rdquo
ndash ldquoWTS_SESSION_LOGONrdquo
ndash Event Database AGENT_CONNECTED
ABV1592BE CONFIDENTIAL 57
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Source Not Available
58
Common Issues
bull No Desktop Available
bull Pool provisioning issues ndashcustomization
bull Agent not communicatingwith broker
bull Stuck at desktop loginscreen (SSO)
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Source Not Available
59
Where to look
bull Event Database
bull Connection Server logs
What to look for
[SessionLaunchContext] (SESSION40a7__6cbd) VMWEUCbsimpson Desktop=vmworld Session request failed
(SESSION40a7__6cbd) [VMWEUCbsimpson Desktop=vmworld] (5ms) The following servers were blocked for new sessions [cn=5162cf76-8d8a-4ac0-9185-845a540d24e5ou=serversdc=vdidc=vmwaredc=int]
(SESSION40a7__6cbd) [VMWEUCbsimpson Desktop=vmworld] (5ms) Application launch failed exception was The desktop sources for this desktop are not responding Please try again later
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and vCenter Server Connection
Accept vCenter Certificate
By default certificate validation is required between App Volumes Manager and vSphere
Accept vCenter cert (self-signed or CA-signed) while creating the Machine Manager in App Volumes Manager
No custom certificate work required
App Volumes
ABV1592BE CONFIDENTIAL 60
VMworld 2017 Content Not fo
r publication or distri
bution
Certificate Options for ProductionEnable Certificate Validation on the App Volumes Agent
HKLMSystemCurrentControlSetServicessvservicesParametersbull EnforceSSLCertificateValidation = 1bull SSL = 1
Options to Enable SSL
SSL is enabled by default
Donrsquot disable certificate validation during Agent installation
Enable SSL in the registry after App Volumes Agent install
App Volumes
61
VMworld 2017 Content Not fo
r publication or distri
bution
Certificate Options for a POCDisable SSL Certificate Validation on the Agent
HKLMSystemCurrentControlSetServicessvservicesParametersbull EnforceSSLCertificateValidation = 0
Options to Disable SSL
Disable Certificate Validation with App Volumes Manager during App Volumes Agent install
EnforceSSLCertificateValidation in the registry after App Volumes Agent install
App Volumes
62
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and SQL Server CommunicationSecuring Communications Between App Volumes Manager and SQL Server
bull 212 User Guide references MS Support
bull Note the differences for a SQL Server clustered installation
bull Encryption is configured on the SQL Server instance so alldatabases on a shared SQL Server will be affected
bull From the SQL Server use SQL Server Configuration Manager to configure Force Encryption and specify the SQL certificate
SQL Server service account must have Read permissions to the Private Key of the SQL Server SSL certificate
ndash Check SQL Server Configuration Manager gt SQL Server Services gt SQL Server (SQL) gt Log On
ndash Default is NT ServiceMSSQL$SQL which does not have the necessary permissions
App Volumes
ABV1592BE CONFIDENTIAL 63
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and SQL Server CommunicationSetting Custom Private Key Permissions for SQL Service Account
bull Start on the SQL Server
bull MMC gt Certificates
App Volumes
ABV1592BE CONFIDENTIAL 64
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and Load Balancers
Typical Deployment
SSL is terminated at load balancer
HTTP between LB and AV Manager
SSL between AV Agents and LB
If trusted CA-signed cert is used for LB be
sure all agents trust the CA
App Volumes Agent VMs
Load Balancer
App Volumes Manager VMs
Alternative Deployment
To keep SSL between LB and AV
Manager signed AV Manager
certificate(s) should be added to trust list
of the LB
SQLView Infrastructure
Now Secured with SSL
Certificates
App Volumes
ABV1592BE CONFIDENTIAL 65
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
Application Personalization amp DirectFlex
User Session
Profile Data Store (File Share)
Base
Profile
UEM
LogonImport of Keyboard
Mouse Wallpaper
Windows Settings
Application
LaunchImport of application
settings
Application
ShutdownExport of application
settings
UEM
LogoffExport of Keyboard
Mouse Wallpaper
Windows Settings
Time
User Environment Manager
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
DirectFlex Logging
18
User Environment Manager
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
DirectFlex Import
19
Directflex Import
User Environment Manager
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
DirectFlex Export
20
Directflex Export
User Environment Manager
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Tracking Sessions
bull Use TailGrep Utilities or Trace32 (SCCM Toolkit)
21
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Demo ndash Log Monitoring with BareTailBareGrep
22
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
HorizonCommon Issues
VMworld 2017 Content Not fo
r publication or distri
bution
Troubleshooting Keys
bull Check Admin Dashboard or HelpDesk Tool
bull Understand client connection paths
bull Set the appropriate Logging Level
bull Check Logs and understand DCT Tool
bull Use kbvmwarecom or communities
24
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon Helpdesk Tool
25
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon Helpdesk Tool Session Details
26
Access
bull Installed by default on CS
bull https[CS FQDN]helpdesk
bull Launch from Horizon Console
Provides
bull Metrics
bull Send Message
bull Remote Assistance
bull Quick Resolution
bull Restart
bull Logoff
bull Reset
bull Disconnect
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon Helpdesk Tool
27
Measuring Impact of AppStacks
No AppStacks
Three AppStacks ndash VLC Notepad++ 7-Zip
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Pool
Profile
Service AppsUser
Remoting
ProtocolUser Environment
Manager
File SharesPersona
ThinApp SharesStreamed
Apps
Master VMInstant
Clone
Home File SharesFolder
Redirection
App Volumes
AppStacks
Writable Volume
Disk
Attachments
vSphere
Virtual SAN
Instant Clone
SaaS Mobile Other Apps
Client(s)
Identity Manager
HTML
APPS
En
viro
nm
en
t
AD
DNS
DHCP
Group
Policy
Certs
vRealize Operations for Horizon ndash (Monitoring amp Mgt)
Identifying the Problem Domain
ABV1592BE CONFIDENTIAL 28
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon Connectivity Issues
bull Common challenges
ndash Horizon Client canrsquot connect
ndash Logon failure
ndash Black screen
ndash Poor quality display
ndash Randomly disconnected session
ABV1592BE CONFIDENTIAL 29
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
30
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Blast Extreme Adaptive TransportADMX Template Settings
Computer gt Policies gt Admin Templates gt VMware Blast gt UDP Protocol
bull Requires restart of Blast service or reboot of guest OS to take effect
BlastExtreme
ABV1592BE CONFIDENTIAL 31
VMworld 2017 Content Not fo
r publication or distri
bution
Blast Extreme Adaptive Transport
Client Settings Agent Settings (UDP) Blast Desktop Connection Broker Connection
Excellent Not configured or Enabled TCP TCP
Typical Not configured or Enabled UDP TCP
Poor Not configured or Enabled UDP UDP
Computer gt Policies gt Admin Templates gt VMware Blast gt UDP Protocol ndash Not Configured or Enabled
HKLMSOFTWAREPoliciesVMware IncVMware BlastConfig ndash UdpEnabled = 1
Client Settings Agent Settings (UDP) Blast Desktop Connection Broker Connection
Excellent Disabled TCP TCP
Typical Disabled TCP TCP
Poor Disabled TCP UDP
Computer gt Policies gt Admin Templates gt VMware Blast gt UDP Protocol ndash Disabled
HKLMSOFTWAREPoliciesVMware IncVMware BlastConfig ndash UdpEnabled = 0
BlastExtreme
ABV1592BE CONFIDENTIAL 32
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon Connectivity Issues
bull Where to look
ndash Connection Broker logs
bull CProgramDataVMwareVDMlogs
ndash Event Database
ndash DCT Tool
bull What to look for ndash
bull (Client connects) [SimpleAJPService] (ajpbrokerRequest9) Request from 19216821 POST brokerxml
bull (Broker authentication) [WinAuthFilter] (SESSION7072--a79c mattc) Attempting to authenticate user mattc in domain FUTUREOFFICErsquo
bull (User has authenticated to Broker) [AuthorizationFilter] (SESSION7072--a79c) User FUTUREOFFICEmattc has successfully authenticated to VDM
bull (Audit Entry) [Audit] (SESSION7072--a79c) BROKER_LOGONUSERFUTUREOFFICEmattcUSERSIDS-1-5-21-326850759-2560684469-1780228732-1113USERDNCN=S-1-5-21-326850759-2560684469-1780228732-1113CN=ForeignSecurityPrincipalsDC=vdiDC=vmwareDC=int
bull Event Database BROKER_USERLOGGEDIN
ABV1592BE CONFIDENTIAL 33
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
User Experience Issues
bull Black screen of deathmdashinstead of desktop
ndash PCoIP port blocked (TCP and UDP 4172) or SVGA Driver issue
ndash pcoip_serverclient logs - CUsersAll UsersVMwareVDMlogs
bull Error attaching to SVGADevTap error 4000 EscapeFailed
bull MGMT_SCHAN scnet_client_open tera_sock_connect returned error 10060 - Connection timed out
ndash Incorrect PCoIP External URL configured for SecurityConnection Servers
ABV1592BE CONFIDENTIAL 34
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
User Experience Issues
bull Poor quality display
ndash Bandwidth latency or QoS
ndash Pcoip_server logs report
bull VGMAC Stat frms Loss=045021 (RT)
bull MGMT_PCOIP_DATA BW Decrease (loss) old = 2349982 new = 1768438
bull Randomly disconnected session
ndash 15 min after established - wssm process hasnt started on desktop
ndash View Agent logs (ltDriveLettergtProgramDataVMwareVDMlogs)
ndash PENDING_EXPIRED
ndash Sometimes caused by daisy-chaining the GINA (WinXP)
ABV1592BE CONFIDENTIAL 35
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Multi-VLAN support for Instant Clone pools
36
Tips to Avoid Deployment Issues
Support
bull vSphere 2016
bull ESXi 60 U1 or newer
bull Virtual Distributed Switch only
ndash No support for Standard Switch
bull Port Group must be configured for Static Port Binding amp Fixed Port Allocation
ndash No support for Dynamic or Ephemeral
Tested Limits
bull No multi-VLAN provisioning with IPv6
bull Single IC pool of 2K VMs
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Multi-VLAN with Horizon Instant Clones
37
Troubleshooting
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Performance
bull Common Issues
ndash Storage IO bottleneck
ndash Memory contention
ndash CPU contention
ndash Network issues
bull Where to look
ndash vCenter Server
ndash VCOPs
ndash ESXTOP
ndash 3rd Party Tools
ABV1592BE CONFIDENTIAL 38
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
The 3 Pillars of Performance
What to look for
bull CPU
ndash ClusterHost utilization lt 90
ndash VM utilization - USED (ESXTOP)
ndash VM RDY Time (ESXTOP) lt 10
bull Memory
ndash Host utilization lt 85
ndash VM utilization
ndash Swapping Ballooning SWCUR gt 1 MCTLSZ gt 1 (ESXTOP)
bull Storage
ndash Disk Read Latency lt 25ms
ndash ESXTOP DAVG or KAVG lt 25ms (ESXTOP)
ABV1592BE CONFIDENTIAL 39
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Optimize Your Images
bull httpslabsvmwarecomflingsvmware-os-optimization-tool
ABV1592BE CONFIDENTIAL 40
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
User Environment ManagerCommon Issues
41
VMworld 2017 Content Not fo
r publication or distri
bution
FlexEngine Appears Not To Run
FlexEngine Client
bull Requires use of Regeditexeor Regexe to modify user-based registry keys
bull Must not be disabled via Local or Group Policy
ADMX Settings
bull Minimum settings to enable FlexEngine Client
bull Check path
ABV1592BE CONFIDENTIAL 42
VMworld 2017 Content Not fo
r publication or distri
bution
Path-Based Import Runs Slow
43
bull Be careful not to run FlexEngine as a logon script and a Group Policy client-side extension
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Application Incompatibility with Hook Drivers
44
User Environment Manager
DirectFlex Blacklist
bull Create ltFlexRepositorygtDirectFlexBlackListXML
bull Populate as follows
ltxml version=10 encoding=utf-8gt
ltuserEnvironmentSettingsgt
ltsetting type=blacklist list=rdquo1exe|2exe|3exe gt
ltuserEnvironmentSettingsgt
bull Example httpskbvmwarecomkb2145287
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
App VolumesCommon Issues
45
VMworld 2017 Content Not fo
r publication or distri
bution
Slow User Logon
46
bull Check Logon Segments in Horizon to determine where the delay is
bull Optimize clockyml
ndash If performance decreases as deployment scales
ndash Increasing servers workers and thread_poolrequires additional CPU and RAM
ndash Involve GSS to ensure optimal settings
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
AppStack Not Attaching at Logon
47
bull One host in vSphere cluster does not have access to the shared datastore where the AppStack resides
ndash Common oversight especially with Storage Groups
bull Conflicting Minifilter driver
ndash DLP software
ndash Be aware of app altitude
ndash More info from Microsoft
bull httpbitly2tSCdG5
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
ADSI Edit ndash Static Configuration Editing
50
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
ADSI Edit ndash Common Key Values to Inspect
bull pae-DisplayName
ndash VM name as displayed in View Admin
bull pae-DirtyForNewSessions
ndash Indicates whether the VM is ldquoDirtyrdquo and can be re-used in a non-persistent pool
bull pae-SVIVMSnapshot
ndash Indicates the current Snapshot that is in use
bull pae-VmPath
ndash Indicates the full Path to the VM in vCenter
bull pae-VmState
ndash Indicates the current state of the Desktop ndash some states are a combination of this valueand other values
51
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
ADSI Edit ndash Searching for a Desktop
bull Find VMs with a Snapshot
ndash (amp(objectClass=pae-VM)(pae-SVIVmSnapshot=BaselineSnapshot1Snapshot2))
bull Find VMs with a Name
ndash (amp(objectClass=pae-VM)(pae-DisplayName=Desktop-234))
ABV1592BE CONFIDENTIAL 52
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon View Event Notifier
bull On the VMware Fling site - labsvmwarecomflings (chrishalstead)
ABV1592BE CONFIDENTIAL 53
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
What to look forhellip (walk through successful connection)
bull Client requests desktop
ndash Event Database BROKER_DESKTOP_REQUEST
bull Broker allocates session to user
ndash [FarmImp] (SESSION7072--a79c) cn=3f974017-409f-4912-83bc-2ee794f22fabou=serversdc=vdidc=vmwaredc=int total session count 0
ndash [FarmImp] (SESSION7072--a79c) allocateNewSession - identified server for application CN=GOLD-NPOU=ApplicationsDC=vdiDC=vmwareDC=int
ndash Event Database BROKER_MACHINE_ALLOCATED
bull Broker attempts SSO
ndash [FarmImp] (SESSION7072--a79c) Using domain for SSO FUTUREOFFICE
ndash User wonrsquot be logged on to the VM without this
ABV1592BE CONFIDENTIAL 54
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
What to look forhellip Pool Provisioning
bull Desktops not available due to provisioning error
ndash Check View Administrator for Pool status check datastore capacity
ndash Check Event Database - BROKER_PROVISIONING_ERROR_
ndash Check View Composer has network access to ESX hosts
bull Desktop not available due to customization
ndash Check Desktop status ndash AGENT UNAVAILABLE
ndash Check View Dashboard
bull Desktop Status gt Preparing Desktops OR Problem Desktops
ndash Check Desktop connectivity to DNSADConnection Server
ABV1592BE CONFIDENTIAL 55
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
bull Desktop not available due to VM resetcrash
ndash Check Desktop status ndash ALREADY USED
ndash Typical on refresh-on-logoff or delete-on-use desktops
ndash Broker never received an explicit logout message from the agent
ndash Missing AGENT_ENDED event in DB for VM
bull View Composer Issues associated with incorrect domain credentials
bull CProgramDataVMwareView ComposerLogs
bull FATAL CSvmGaService - [svmGaServicecpp 116] Domain join failed Error 5 (0x5) Access is denied
ABV1592BE CONFIDENTIAL 56
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
What to look forhellip
bull Broker starts session on VM
ndash [DesktopSessionImp] (SESSION7072--a79c) startSession ndashsending StartSession message
bull Agent respondshellip
ndash DesktopManager got a StartSession messagerdquo
ndash Client Info should be in Agent Log along with PCoIP launch
bull Event Database AGENT_PENDING
bull Client connects to VM (Agent)
ndash ldquoPCoIPCnxOnConnectionComplete Begin (PCOIP)rdquo
ndash ldquoWTS_SESSION_LOGONrdquo
ndash Event Database AGENT_CONNECTED
ABV1592BE CONFIDENTIAL 57
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Source Not Available
58
Common Issues
bull No Desktop Available
bull Pool provisioning issues ndashcustomization
bull Agent not communicatingwith broker
bull Stuck at desktop loginscreen (SSO)
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Source Not Available
59
Where to look
bull Event Database
bull Connection Server logs
What to look for
[SessionLaunchContext] (SESSION40a7__6cbd) VMWEUCbsimpson Desktop=vmworld Session request failed
(SESSION40a7__6cbd) [VMWEUCbsimpson Desktop=vmworld] (5ms) The following servers were blocked for new sessions [cn=5162cf76-8d8a-4ac0-9185-845a540d24e5ou=serversdc=vdidc=vmwaredc=int]
(SESSION40a7__6cbd) [VMWEUCbsimpson Desktop=vmworld] (5ms) Application launch failed exception was The desktop sources for this desktop are not responding Please try again later
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and vCenter Server Connection
Accept vCenter Certificate
By default certificate validation is required between App Volumes Manager and vSphere
Accept vCenter cert (self-signed or CA-signed) while creating the Machine Manager in App Volumes Manager
No custom certificate work required
App Volumes
ABV1592BE CONFIDENTIAL 60
VMworld 2017 Content Not fo
r publication or distri
bution
Certificate Options for ProductionEnable Certificate Validation on the App Volumes Agent
HKLMSystemCurrentControlSetServicessvservicesParametersbull EnforceSSLCertificateValidation = 1bull SSL = 1
Options to Enable SSL
SSL is enabled by default
Donrsquot disable certificate validation during Agent installation
Enable SSL in the registry after App Volumes Agent install
App Volumes
61
VMworld 2017 Content Not fo
r publication or distri
bution
Certificate Options for a POCDisable SSL Certificate Validation on the Agent
HKLMSystemCurrentControlSetServicessvservicesParametersbull EnforceSSLCertificateValidation = 0
Options to Disable SSL
Disable Certificate Validation with App Volumes Manager during App Volumes Agent install
EnforceSSLCertificateValidation in the registry after App Volumes Agent install
App Volumes
62
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and SQL Server CommunicationSecuring Communications Between App Volumes Manager and SQL Server
bull 212 User Guide references MS Support
bull Note the differences for a SQL Server clustered installation
bull Encryption is configured on the SQL Server instance so alldatabases on a shared SQL Server will be affected
bull From the SQL Server use SQL Server Configuration Manager to configure Force Encryption and specify the SQL certificate
SQL Server service account must have Read permissions to the Private Key of the SQL Server SSL certificate
ndash Check SQL Server Configuration Manager gt SQL Server Services gt SQL Server (SQL) gt Log On
ndash Default is NT ServiceMSSQL$SQL which does not have the necessary permissions
App Volumes
ABV1592BE CONFIDENTIAL 63
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and SQL Server CommunicationSetting Custom Private Key Permissions for SQL Service Account
bull Start on the SQL Server
bull MMC gt Certificates
App Volumes
ABV1592BE CONFIDENTIAL 64
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and Load Balancers
Typical Deployment
SSL is terminated at load balancer
HTTP between LB and AV Manager
SSL between AV Agents and LB
If trusted CA-signed cert is used for LB be
sure all agents trust the CA
App Volumes Agent VMs
Load Balancer
App Volumes Manager VMs
Alternative Deployment
To keep SSL between LB and AV
Manager signed AV Manager
certificate(s) should be added to trust list
of the LB
SQLView Infrastructure
Now Secured with SSL
Certificates
App Volumes
ABV1592BE CONFIDENTIAL 65
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
DirectFlex Logging
18
User Environment Manager
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
DirectFlex Import
19
Directflex Import
User Environment Manager
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
DirectFlex Export
20
Directflex Export
User Environment Manager
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Tracking Sessions
bull Use TailGrep Utilities or Trace32 (SCCM Toolkit)
21
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Demo ndash Log Monitoring with BareTailBareGrep
22
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
HorizonCommon Issues
VMworld 2017 Content Not fo
r publication or distri
bution
Troubleshooting Keys
bull Check Admin Dashboard or HelpDesk Tool
bull Understand client connection paths
bull Set the appropriate Logging Level
bull Check Logs and understand DCT Tool
bull Use kbvmwarecom or communities
24
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon Helpdesk Tool
25
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon Helpdesk Tool Session Details
26
Access
bull Installed by default on CS
bull https[CS FQDN]helpdesk
bull Launch from Horizon Console
Provides
bull Metrics
bull Send Message
bull Remote Assistance
bull Quick Resolution
bull Restart
bull Logoff
bull Reset
bull Disconnect
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon Helpdesk Tool
27
Measuring Impact of AppStacks
No AppStacks
Three AppStacks ndash VLC Notepad++ 7-Zip
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Pool
Profile
Service AppsUser
Remoting
ProtocolUser Environment
Manager
File SharesPersona
ThinApp SharesStreamed
Apps
Master VMInstant
Clone
Home File SharesFolder
Redirection
App Volumes
AppStacks
Writable Volume
Disk
Attachments
vSphere
Virtual SAN
Instant Clone
SaaS Mobile Other Apps
Client(s)
Identity Manager
HTML
APPS
En
viro
nm
en
t
AD
DNS
DHCP
Group
Policy
Certs
vRealize Operations for Horizon ndash (Monitoring amp Mgt)
Identifying the Problem Domain
ABV1592BE CONFIDENTIAL 28
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon Connectivity Issues
bull Common challenges
ndash Horizon Client canrsquot connect
ndash Logon failure
ndash Black screen
ndash Poor quality display
ndash Randomly disconnected session
ABV1592BE CONFIDENTIAL 29
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
30
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Blast Extreme Adaptive TransportADMX Template Settings
Computer gt Policies gt Admin Templates gt VMware Blast gt UDP Protocol
bull Requires restart of Blast service or reboot of guest OS to take effect
BlastExtreme
ABV1592BE CONFIDENTIAL 31
VMworld 2017 Content Not fo
r publication or distri
bution
Blast Extreme Adaptive Transport
Client Settings Agent Settings (UDP) Blast Desktop Connection Broker Connection
Excellent Not configured or Enabled TCP TCP
Typical Not configured or Enabled UDP TCP
Poor Not configured or Enabled UDP UDP
Computer gt Policies gt Admin Templates gt VMware Blast gt UDP Protocol ndash Not Configured or Enabled
HKLMSOFTWAREPoliciesVMware IncVMware BlastConfig ndash UdpEnabled = 1
Client Settings Agent Settings (UDP) Blast Desktop Connection Broker Connection
Excellent Disabled TCP TCP
Typical Disabled TCP TCP
Poor Disabled TCP UDP
Computer gt Policies gt Admin Templates gt VMware Blast gt UDP Protocol ndash Disabled
HKLMSOFTWAREPoliciesVMware IncVMware BlastConfig ndash UdpEnabled = 0
BlastExtreme
ABV1592BE CONFIDENTIAL 32
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon Connectivity Issues
bull Where to look
ndash Connection Broker logs
bull CProgramDataVMwareVDMlogs
ndash Event Database
ndash DCT Tool
bull What to look for ndash
bull (Client connects) [SimpleAJPService] (ajpbrokerRequest9) Request from 19216821 POST brokerxml
bull (Broker authentication) [WinAuthFilter] (SESSION7072--a79c mattc) Attempting to authenticate user mattc in domain FUTUREOFFICErsquo
bull (User has authenticated to Broker) [AuthorizationFilter] (SESSION7072--a79c) User FUTUREOFFICEmattc has successfully authenticated to VDM
bull (Audit Entry) [Audit] (SESSION7072--a79c) BROKER_LOGONUSERFUTUREOFFICEmattcUSERSIDS-1-5-21-326850759-2560684469-1780228732-1113USERDNCN=S-1-5-21-326850759-2560684469-1780228732-1113CN=ForeignSecurityPrincipalsDC=vdiDC=vmwareDC=int
bull Event Database BROKER_USERLOGGEDIN
ABV1592BE CONFIDENTIAL 33
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
User Experience Issues
bull Black screen of deathmdashinstead of desktop
ndash PCoIP port blocked (TCP and UDP 4172) or SVGA Driver issue
ndash pcoip_serverclient logs - CUsersAll UsersVMwareVDMlogs
bull Error attaching to SVGADevTap error 4000 EscapeFailed
bull MGMT_SCHAN scnet_client_open tera_sock_connect returned error 10060 - Connection timed out
ndash Incorrect PCoIP External URL configured for SecurityConnection Servers
ABV1592BE CONFIDENTIAL 34
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
User Experience Issues
bull Poor quality display
ndash Bandwidth latency or QoS
ndash Pcoip_server logs report
bull VGMAC Stat frms Loss=045021 (RT)
bull MGMT_PCOIP_DATA BW Decrease (loss) old = 2349982 new = 1768438
bull Randomly disconnected session
ndash 15 min after established - wssm process hasnt started on desktop
ndash View Agent logs (ltDriveLettergtProgramDataVMwareVDMlogs)
ndash PENDING_EXPIRED
ndash Sometimes caused by daisy-chaining the GINA (WinXP)
ABV1592BE CONFIDENTIAL 35
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Multi-VLAN support for Instant Clone pools
36
Tips to Avoid Deployment Issues
Support
bull vSphere 2016
bull ESXi 60 U1 or newer
bull Virtual Distributed Switch only
ndash No support for Standard Switch
bull Port Group must be configured for Static Port Binding amp Fixed Port Allocation
ndash No support for Dynamic or Ephemeral
Tested Limits
bull No multi-VLAN provisioning with IPv6
bull Single IC pool of 2K VMs
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Multi-VLAN with Horizon Instant Clones
37
Troubleshooting
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Performance
bull Common Issues
ndash Storage IO bottleneck
ndash Memory contention
ndash CPU contention
ndash Network issues
bull Where to look
ndash vCenter Server
ndash VCOPs
ndash ESXTOP
ndash 3rd Party Tools
ABV1592BE CONFIDENTIAL 38
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
The 3 Pillars of Performance
What to look for
bull CPU
ndash ClusterHost utilization lt 90
ndash VM utilization - USED (ESXTOP)
ndash VM RDY Time (ESXTOP) lt 10
bull Memory
ndash Host utilization lt 85
ndash VM utilization
ndash Swapping Ballooning SWCUR gt 1 MCTLSZ gt 1 (ESXTOP)
bull Storage
ndash Disk Read Latency lt 25ms
ndash ESXTOP DAVG or KAVG lt 25ms (ESXTOP)
ABV1592BE CONFIDENTIAL 39
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Optimize Your Images
bull httpslabsvmwarecomflingsvmware-os-optimization-tool
ABV1592BE CONFIDENTIAL 40
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
User Environment ManagerCommon Issues
41
VMworld 2017 Content Not fo
r publication or distri
bution
FlexEngine Appears Not To Run
FlexEngine Client
bull Requires use of Regeditexeor Regexe to modify user-based registry keys
bull Must not be disabled via Local or Group Policy
ADMX Settings
bull Minimum settings to enable FlexEngine Client
bull Check path
ABV1592BE CONFIDENTIAL 42
VMworld 2017 Content Not fo
r publication or distri
bution
Path-Based Import Runs Slow
43
bull Be careful not to run FlexEngine as a logon script and a Group Policy client-side extension
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Application Incompatibility with Hook Drivers
44
User Environment Manager
DirectFlex Blacklist
bull Create ltFlexRepositorygtDirectFlexBlackListXML
bull Populate as follows
ltxml version=10 encoding=utf-8gt
ltuserEnvironmentSettingsgt
ltsetting type=blacklist list=rdquo1exe|2exe|3exe gt
ltuserEnvironmentSettingsgt
bull Example httpskbvmwarecomkb2145287
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
App VolumesCommon Issues
45
VMworld 2017 Content Not fo
r publication or distri
bution
Slow User Logon
46
bull Check Logon Segments in Horizon to determine where the delay is
bull Optimize clockyml
ndash If performance decreases as deployment scales
ndash Increasing servers workers and thread_poolrequires additional CPU and RAM
ndash Involve GSS to ensure optimal settings
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
AppStack Not Attaching at Logon
47
bull One host in vSphere cluster does not have access to the shared datastore where the AppStack resides
ndash Common oversight especially with Storage Groups
bull Conflicting Minifilter driver
ndash DLP software
ndash Be aware of app altitude
ndash More info from Microsoft
bull httpbitly2tSCdG5
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
ADSI Edit ndash Static Configuration Editing
50
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
ADSI Edit ndash Common Key Values to Inspect
bull pae-DisplayName
ndash VM name as displayed in View Admin
bull pae-DirtyForNewSessions
ndash Indicates whether the VM is ldquoDirtyrdquo and can be re-used in a non-persistent pool
bull pae-SVIVMSnapshot
ndash Indicates the current Snapshot that is in use
bull pae-VmPath
ndash Indicates the full Path to the VM in vCenter
bull pae-VmState
ndash Indicates the current state of the Desktop ndash some states are a combination of this valueand other values
51
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
ADSI Edit ndash Searching for a Desktop
bull Find VMs with a Snapshot
ndash (amp(objectClass=pae-VM)(pae-SVIVmSnapshot=BaselineSnapshot1Snapshot2))
bull Find VMs with a Name
ndash (amp(objectClass=pae-VM)(pae-DisplayName=Desktop-234))
ABV1592BE CONFIDENTIAL 52
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon View Event Notifier
bull On the VMware Fling site - labsvmwarecomflings (chrishalstead)
ABV1592BE CONFIDENTIAL 53
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
What to look forhellip (walk through successful connection)
bull Client requests desktop
ndash Event Database BROKER_DESKTOP_REQUEST
bull Broker allocates session to user
ndash [FarmImp] (SESSION7072--a79c) cn=3f974017-409f-4912-83bc-2ee794f22fabou=serversdc=vdidc=vmwaredc=int total session count 0
ndash [FarmImp] (SESSION7072--a79c) allocateNewSession - identified server for application CN=GOLD-NPOU=ApplicationsDC=vdiDC=vmwareDC=int
ndash Event Database BROKER_MACHINE_ALLOCATED
bull Broker attempts SSO
ndash [FarmImp] (SESSION7072--a79c) Using domain for SSO FUTUREOFFICE
ndash User wonrsquot be logged on to the VM without this
ABV1592BE CONFIDENTIAL 54
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
What to look forhellip Pool Provisioning
bull Desktops not available due to provisioning error
ndash Check View Administrator for Pool status check datastore capacity
ndash Check Event Database - BROKER_PROVISIONING_ERROR_
ndash Check View Composer has network access to ESX hosts
bull Desktop not available due to customization
ndash Check Desktop status ndash AGENT UNAVAILABLE
ndash Check View Dashboard
bull Desktop Status gt Preparing Desktops OR Problem Desktops
ndash Check Desktop connectivity to DNSADConnection Server
ABV1592BE CONFIDENTIAL 55
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
bull Desktop not available due to VM resetcrash
ndash Check Desktop status ndash ALREADY USED
ndash Typical on refresh-on-logoff or delete-on-use desktops
ndash Broker never received an explicit logout message from the agent
ndash Missing AGENT_ENDED event in DB for VM
bull View Composer Issues associated with incorrect domain credentials
bull CProgramDataVMwareView ComposerLogs
bull FATAL CSvmGaService - [svmGaServicecpp 116] Domain join failed Error 5 (0x5) Access is denied
ABV1592BE CONFIDENTIAL 56
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
What to look forhellip
bull Broker starts session on VM
ndash [DesktopSessionImp] (SESSION7072--a79c) startSession ndashsending StartSession message
bull Agent respondshellip
ndash DesktopManager got a StartSession messagerdquo
ndash Client Info should be in Agent Log along with PCoIP launch
bull Event Database AGENT_PENDING
bull Client connects to VM (Agent)
ndash ldquoPCoIPCnxOnConnectionComplete Begin (PCOIP)rdquo
ndash ldquoWTS_SESSION_LOGONrdquo
ndash Event Database AGENT_CONNECTED
ABV1592BE CONFIDENTIAL 57
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Source Not Available
58
Common Issues
bull No Desktop Available
bull Pool provisioning issues ndashcustomization
bull Agent not communicatingwith broker
bull Stuck at desktop loginscreen (SSO)
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Source Not Available
59
Where to look
bull Event Database
bull Connection Server logs
What to look for
[SessionLaunchContext] (SESSION40a7__6cbd) VMWEUCbsimpson Desktop=vmworld Session request failed
(SESSION40a7__6cbd) [VMWEUCbsimpson Desktop=vmworld] (5ms) The following servers were blocked for new sessions [cn=5162cf76-8d8a-4ac0-9185-845a540d24e5ou=serversdc=vdidc=vmwaredc=int]
(SESSION40a7__6cbd) [VMWEUCbsimpson Desktop=vmworld] (5ms) Application launch failed exception was The desktop sources for this desktop are not responding Please try again later
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and vCenter Server Connection
Accept vCenter Certificate
By default certificate validation is required between App Volumes Manager and vSphere
Accept vCenter cert (self-signed or CA-signed) while creating the Machine Manager in App Volumes Manager
No custom certificate work required
App Volumes
ABV1592BE CONFIDENTIAL 60
VMworld 2017 Content Not fo
r publication or distri
bution
Certificate Options for ProductionEnable Certificate Validation on the App Volumes Agent
HKLMSystemCurrentControlSetServicessvservicesParametersbull EnforceSSLCertificateValidation = 1bull SSL = 1
Options to Enable SSL
SSL is enabled by default
Donrsquot disable certificate validation during Agent installation
Enable SSL in the registry after App Volumes Agent install
App Volumes
61
VMworld 2017 Content Not fo
r publication or distri
bution
Certificate Options for a POCDisable SSL Certificate Validation on the Agent
HKLMSystemCurrentControlSetServicessvservicesParametersbull EnforceSSLCertificateValidation = 0
Options to Disable SSL
Disable Certificate Validation with App Volumes Manager during App Volumes Agent install
EnforceSSLCertificateValidation in the registry after App Volumes Agent install
App Volumes
62
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and SQL Server CommunicationSecuring Communications Between App Volumes Manager and SQL Server
bull 212 User Guide references MS Support
bull Note the differences for a SQL Server clustered installation
bull Encryption is configured on the SQL Server instance so alldatabases on a shared SQL Server will be affected
bull From the SQL Server use SQL Server Configuration Manager to configure Force Encryption and specify the SQL certificate
SQL Server service account must have Read permissions to the Private Key of the SQL Server SSL certificate
ndash Check SQL Server Configuration Manager gt SQL Server Services gt SQL Server (SQL) gt Log On
ndash Default is NT ServiceMSSQL$SQL which does not have the necessary permissions
App Volumes
ABV1592BE CONFIDENTIAL 63
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and SQL Server CommunicationSetting Custom Private Key Permissions for SQL Service Account
bull Start on the SQL Server
bull MMC gt Certificates
App Volumes
ABV1592BE CONFIDENTIAL 64
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and Load Balancers
Typical Deployment
SSL is terminated at load balancer
HTTP between LB and AV Manager
SSL between AV Agents and LB
If trusted CA-signed cert is used for LB be
sure all agents trust the CA
App Volumes Agent VMs
Load Balancer
App Volumes Manager VMs
Alternative Deployment
To keep SSL between LB and AV
Manager signed AV Manager
certificate(s) should be added to trust list
of the LB
SQLView Infrastructure
Now Secured with SSL
Certificates
App Volumes
ABV1592BE CONFIDENTIAL 65
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
DirectFlex Import
19
Directflex Import
User Environment Manager
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
DirectFlex Export
20
Directflex Export
User Environment Manager
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Tracking Sessions
bull Use TailGrep Utilities or Trace32 (SCCM Toolkit)
21
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Demo ndash Log Monitoring with BareTailBareGrep
22
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
HorizonCommon Issues
VMworld 2017 Content Not fo
r publication or distri
bution
Troubleshooting Keys
bull Check Admin Dashboard or HelpDesk Tool
bull Understand client connection paths
bull Set the appropriate Logging Level
bull Check Logs and understand DCT Tool
bull Use kbvmwarecom or communities
24
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon Helpdesk Tool
25
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon Helpdesk Tool Session Details
26
Access
bull Installed by default on CS
bull https[CS FQDN]helpdesk
bull Launch from Horizon Console
Provides
bull Metrics
bull Send Message
bull Remote Assistance
bull Quick Resolution
bull Restart
bull Logoff
bull Reset
bull Disconnect
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon Helpdesk Tool
27
Measuring Impact of AppStacks
No AppStacks
Three AppStacks ndash VLC Notepad++ 7-Zip
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Pool
Profile
Service AppsUser
Remoting
ProtocolUser Environment
Manager
File SharesPersona
ThinApp SharesStreamed
Apps
Master VMInstant
Clone
Home File SharesFolder
Redirection
App Volumes
AppStacks
Writable Volume
Disk
Attachments
vSphere
Virtual SAN
Instant Clone
SaaS Mobile Other Apps
Client(s)
Identity Manager
HTML
APPS
En
viro
nm
en
t
AD
DNS
DHCP
Group
Policy
Certs
vRealize Operations for Horizon ndash (Monitoring amp Mgt)
Identifying the Problem Domain
ABV1592BE CONFIDENTIAL 28
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon Connectivity Issues
bull Common challenges
ndash Horizon Client canrsquot connect
ndash Logon failure
ndash Black screen
ndash Poor quality display
ndash Randomly disconnected session
ABV1592BE CONFIDENTIAL 29
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
30
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Blast Extreme Adaptive TransportADMX Template Settings
Computer gt Policies gt Admin Templates gt VMware Blast gt UDP Protocol
bull Requires restart of Blast service or reboot of guest OS to take effect
BlastExtreme
ABV1592BE CONFIDENTIAL 31
VMworld 2017 Content Not fo
r publication or distri
bution
Blast Extreme Adaptive Transport
Client Settings Agent Settings (UDP) Blast Desktop Connection Broker Connection
Excellent Not configured or Enabled TCP TCP
Typical Not configured or Enabled UDP TCP
Poor Not configured or Enabled UDP UDP
Computer gt Policies gt Admin Templates gt VMware Blast gt UDP Protocol ndash Not Configured or Enabled
HKLMSOFTWAREPoliciesVMware IncVMware BlastConfig ndash UdpEnabled = 1
Client Settings Agent Settings (UDP) Blast Desktop Connection Broker Connection
Excellent Disabled TCP TCP
Typical Disabled TCP TCP
Poor Disabled TCP UDP
Computer gt Policies gt Admin Templates gt VMware Blast gt UDP Protocol ndash Disabled
HKLMSOFTWAREPoliciesVMware IncVMware BlastConfig ndash UdpEnabled = 0
BlastExtreme
ABV1592BE CONFIDENTIAL 32
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon Connectivity Issues
bull Where to look
ndash Connection Broker logs
bull CProgramDataVMwareVDMlogs
ndash Event Database
ndash DCT Tool
bull What to look for ndash
bull (Client connects) [SimpleAJPService] (ajpbrokerRequest9) Request from 19216821 POST brokerxml
bull (Broker authentication) [WinAuthFilter] (SESSION7072--a79c mattc) Attempting to authenticate user mattc in domain FUTUREOFFICErsquo
bull (User has authenticated to Broker) [AuthorizationFilter] (SESSION7072--a79c) User FUTUREOFFICEmattc has successfully authenticated to VDM
bull (Audit Entry) [Audit] (SESSION7072--a79c) BROKER_LOGONUSERFUTUREOFFICEmattcUSERSIDS-1-5-21-326850759-2560684469-1780228732-1113USERDNCN=S-1-5-21-326850759-2560684469-1780228732-1113CN=ForeignSecurityPrincipalsDC=vdiDC=vmwareDC=int
bull Event Database BROKER_USERLOGGEDIN
ABV1592BE CONFIDENTIAL 33
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
User Experience Issues
bull Black screen of deathmdashinstead of desktop
ndash PCoIP port blocked (TCP and UDP 4172) or SVGA Driver issue
ndash pcoip_serverclient logs - CUsersAll UsersVMwareVDMlogs
bull Error attaching to SVGADevTap error 4000 EscapeFailed
bull MGMT_SCHAN scnet_client_open tera_sock_connect returned error 10060 - Connection timed out
ndash Incorrect PCoIP External URL configured for SecurityConnection Servers
ABV1592BE CONFIDENTIAL 34
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
User Experience Issues
bull Poor quality display
ndash Bandwidth latency or QoS
ndash Pcoip_server logs report
bull VGMAC Stat frms Loss=045021 (RT)
bull MGMT_PCOIP_DATA BW Decrease (loss) old = 2349982 new = 1768438
bull Randomly disconnected session
ndash 15 min after established - wssm process hasnt started on desktop
ndash View Agent logs (ltDriveLettergtProgramDataVMwareVDMlogs)
ndash PENDING_EXPIRED
ndash Sometimes caused by daisy-chaining the GINA (WinXP)
ABV1592BE CONFIDENTIAL 35
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Multi-VLAN support for Instant Clone pools
36
Tips to Avoid Deployment Issues
Support
bull vSphere 2016
bull ESXi 60 U1 or newer
bull Virtual Distributed Switch only
ndash No support for Standard Switch
bull Port Group must be configured for Static Port Binding amp Fixed Port Allocation
ndash No support for Dynamic or Ephemeral
Tested Limits
bull No multi-VLAN provisioning with IPv6
bull Single IC pool of 2K VMs
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Multi-VLAN with Horizon Instant Clones
37
Troubleshooting
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Performance
bull Common Issues
ndash Storage IO bottleneck
ndash Memory contention
ndash CPU contention
ndash Network issues
bull Where to look
ndash vCenter Server
ndash VCOPs
ndash ESXTOP
ndash 3rd Party Tools
ABV1592BE CONFIDENTIAL 38
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
The 3 Pillars of Performance
What to look for
bull CPU
ndash ClusterHost utilization lt 90
ndash VM utilization - USED (ESXTOP)
ndash VM RDY Time (ESXTOP) lt 10
bull Memory
ndash Host utilization lt 85
ndash VM utilization
ndash Swapping Ballooning SWCUR gt 1 MCTLSZ gt 1 (ESXTOP)
bull Storage
ndash Disk Read Latency lt 25ms
ndash ESXTOP DAVG or KAVG lt 25ms (ESXTOP)
ABV1592BE CONFIDENTIAL 39
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Optimize Your Images
bull httpslabsvmwarecomflingsvmware-os-optimization-tool
ABV1592BE CONFIDENTIAL 40
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
User Environment ManagerCommon Issues
41
VMworld 2017 Content Not fo
r publication or distri
bution
FlexEngine Appears Not To Run
FlexEngine Client
bull Requires use of Regeditexeor Regexe to modify user-based registry keys
bull Must not be disabled via Local or Group Policy
ADMX Settings
bull Minimum settings to enable FlexEngine Client
bull Check path
ABV1592BE CONFIDENTIAL 42
VMworld 2017 Content Not fo
r publication or distri
bution
Path-Based Import Runs Slow
43
bull Be careful not to run FlexEngine as a logon script and a Group Policy client-side extension
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Application Incompatibility with Hook Drivers
44
User Environment Manager
DirectFlex Blacklist
bull Create ltFlexRepositorygtDirectFlexBlackListXML
bull Populate as follows
ltxml version=10 encoding=utf-8gt
ltuserEnvironmentSettingsgt
ltsetting type=blacklist list=rdquo1exe|2exe|3exe gt
ltuserEnvironmentSettingsgt
bull Example httpskbvmwarecomkb2145287
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
App VolumesCommon Issues
45
VMworld 2017 Content Not fo
r publication or distri
bution
Slow User Logon
46
bull Check Logon Segments in Horizon to determine where the delay is
bull Optimize clockyml
ndash If performance decreases as deployment scales
ndash Increasing servers workers and thread_poolrequires additional CPU and RAM
ndash Involve GSS to ensure optimal settings
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
AppStack Not Attaching at Logon
47
bull One host in vSphere cluster does not have access to the shared datastore where the AppStack resides
ndash Common oversight especially with Storage Groups
bull Conflicting Minifilter driver
ndash DLP software
ndash Be aware of app altitude
ndash More info from Microsoft
bull httpbitly2tSCdG5
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
ADSI Edit ndash Static Configuration Editing
50
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
ADSI Edit ndash Common Key Values to Inspect
bull pae-DisplayName
ndash VM name as displayed in View Admin
bull pae-DirtyForNewSessions
ndash Indicates whether the VM is ldquoDirtyrdquo and can be re-used in a non-persistent pool
bull pae-SVIVMSnapshot
ndash Indicates the current Snapshot that is in use
bull pae-VmPath
ndash Indicates the full Path to the VM in vCenter
bull pae-VmState
ndash Indicates the current state of the Desktop ndash some states are a combination of this valueand other values
51
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
ADSI Edit ndash Searching for a Desktop
bull Find VMs with a Snapshot
ndash (amp(objectClass=pae-VM)(pae-SVIVmSnapshot=BaselineSnapshot1Snapshot2))
bull Find VMs with a Name
ndash (amp(objectClass=pae-VM)(pae-DisplayName=Desktop-234))
ABV1592BE CONFIDENTIAL 52
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon View Event Notifier
bull On the VMware Fling site - labsvmwarecomflings (chrishalstead)
ABV1592BE CONFIDENTIAL 53
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
What to look forhellip (walk through successful connection)
bull Client requests desktop
ndash Event Database BROKER_DESKTOP_REQUEST
bull Broker allocates session to user
ndash [FarmImp] (SESSION7072--a79c) cn=3f974017-409f-4912-83bc-2ee794f22fabou=serversdc=vdidc=vmwaredc=int total session count 0
ndash [FarmImp] (SESSION7072--a79c) allocateNewSession - identified server for application CN=GOLD-NPOU=ApplicationsDC=vdiDC=vmwareDC=int
ndash Event Database BROKER_MACHINE_ALLOCATED
bull Broker attempts SSO
ndash [FarmImp] (SESSION7072--a79c) Using domain for SSO FUTUREOFFICE
ndash User wonrsquot be logged on to the VM without this
ABV1592BE CONFIDENTIAL 54
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
What to look forhellip Pool Provisioning
bull Desktops not available due to provisioning error
ndash Check View Administrator for Pool status check datastore capacity
ndash Check Event Database - BROKER_PROVISIONING_ERROR_
ndash Check View Composer has network access to ESX hosts
bull Desktop not available due to customization
ndash Check Desktop status ndash AGENT UNAVAILABLE
ndash Check View Dashboard
bull Desktop Status gt Preparing Desktops OR Problem Desktops
ndash Check Desktop connectivity to DNSADConnection Server
ABV1592BE CONFIDENTIAL 55
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
bull Desktop not available due to VM resetcrash
ndash Check Desktop status ndash ALREADY USED
ndash Typical on refresh-on-logoff or delete-on-use desktops
ndash Broker never received an explicit logout message from the agent
ndash Missing AGENT_ENDED event in DB for VM
bull View Composer Issues associated with incorrect domain credentials
bull CProgramDataVMwareView ComposerLogs
bull FATAL CSvmGaService - [svmGaServicecpp 116] Domain join failed Error 5 (0x5) Access is denied
ABV1592BE CONFIDENTIAL 56
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
What to look forhellip
bull Broker starts session on VM
ndash [DesktopSessionImp] (SESSION7072--a79c) startSession ndashsending StartSession message
bull Agent respondshellip
ndash DesktopManager got a StartSession messagerdquo
ndash Client Info should be in Agent Log along with PCoIP launch
bull Event Database AGENT_PENDING
bull Client connects to VM (Agent)
ndash ldquoPCoIPCnxOnConnectionComplete Begin (PCOIP)rdquo
ndash ldquoWTS_SESSION_LOGONrdquo
ndash Event Database AGENT_CONNECTED
ABV1592BE CONFIDENTIAL 57
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Source Not Available
58
Common Issues
bull No Desktop Available
bull Pool provisioning issues ndashcustomization
bull Agent not communicatingwith broker
bull Stuck at desktop loginscreen (SSO)
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Source Not Available
59
Where to look
bull Event Database
bull Connection Server logs
What to look for
[SessionLaunchContext] (SESSION40a7__6cbd) VMWEUCbsimpson Desktop=vmworld Session request failed
(SESSION40a7__6cbd) [VMWEUCbsimpson Desktop=vmworld] (5ms) The following servers were blocked for new sessions [cn=5162cf76-8d8a-4ac0-9185-845a540d24e5ou=serversdc=vdidc=vmwaredc=int]
(SESSION40a7__6cbd) [VMWEUCbsimpson Desktop=vmworld] (5ms) Application launch failed exception was The desktop sources for this desktop are not responding Please try again later
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and vCenter Server Connection
Accept vCenter Certificate
By default certificate validation is required between App Volumes Manager and vSphere
Accept vCenter cert (self-signed or CA-signed) while creating the Machine Manager in App Volumes Manager
No custom certificate work required
App Volumes
ABV1592BE CONFIDENTIAL 60
VMworld 2017 Content Not fo
r publication or distri
bution
Certificate Options for ProductionEnable Certificate Validation on the App Volumes Agent
HKLMSystemCurrentControlSetServicessvservicesParametersbull EnforceSSLCertificateValidation = 1bull SSL = 1
Options to Enable SSL
SSL is enabled by default
Donrsquot disable certificate validation during Agent installation
Enable SSL in the registry after App Volumes Agent install
App Volumes
61
VMworld 2017 Content Not fo
r publication or distri
bution
Certificate Options for a POCDisable SSL Certificate Validation on the Agent
HKLMSystemCurrentControlSetServicessvservicesParametersbull EnforceSSLCertificateValidation = 0
Options to Disable SSL
Disable Certificate Validation with App Volumes Manager during App Volumes Agent install
EnforceSSLCertificateValidation in the registry after App Volumes Agent install
App Volumes
62
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and SQL Server CommunicationSecuring Communications Between App Volumes Manager and SQL Server
bull 212 User Guide references MS Support
bull Note the differences for a SQL Server clustered installation
bull Encryption is configured on the SQL Server instance so alldatabases on a shared SQL Server will be affected
bull From the SQL Server use SQL Server Configuration Manager to configure Force Encryption and specify the SQL certificate
SQL Server service account must have Read permissions to the Private Key of the SQL Server SSL certificate
ndash Check SQL Server Configuration Manager gt SQL Server Services gt SQL Server (SQL) gt Log On
ndash Default is NT ServiceMSSQL$SQL which does not have the necessary permissions
App Volumes
ABV1592BE CONFIDENTIAL 63
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and SQL Server CommunicationSetting Custom Private Key Permissions for SQL Service Account
bull Start on the SQL Server
bull MMC gt Certificates
App Volumes
ABV1592BE CONFIDENTIAL 64
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and Load Balancers
Typical Deployment
SSL is terminated at load balancer
HTTP between LB and AV Manager
SSL between AV Agents and LB
If trusted CA-signed cert is used for LB be
sure all agents trust the CA
App Volumes Agent VMs
Load Balancer
App Volumes Manager VMs
Alternative Deployment
To keep SSL between LB and AV
Manager signed AV Manager
certificate(s) should be added to trust list
of the LB
SQLView Infrastructure
Now Secured with SSL
Certificates
App Volumes
ABV1592BE CONFIDENTIAL 65
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
DirectFlex Export
20
Directflex Export
User Environment Manager
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Tracking Sessions
bull Use TailGrep Utilities or Trace32 (SCCM Toolkit)
21
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Demo ndash Log Monitoring with BareTailBareGrep
22
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
HorizonCommon Issues
VMworld 2017 Content Not fo
r publication or distri
bution
Troubleshooting Keys
bull Check Admin Dashboard or HelpDesk Tool
bull Understand client connection paths
bull Set the appropriate Logging Level
bull Check Logs and understand DCT Tool
bull Use kbvmwarecom or communities
24
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon Helpdesk Tool
25
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon Helpdesk Tool Session Details
26
Access
bull Installed by default on CS
bull https[CS FQDN]helpdesk
bull Launch from Horizon Console
Provides
bull Metrics
bull Send Message
bull Remote Assistance
bull Quick Resolution
bull Restart
bull Logoff
bull Reset
bull Disconnect
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon Helpdesk Tool
27
Measuring Impact of AppStacks
No AppStacks
Three AppStacks ndash VLC Notepad++ 7-Zip
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Pool
Profile
Service AppsUser
Remoting
ProtocolUser Environment
Manager
File SharesPersona
ThinApp SharesStreamed
Apps
Master VMInstant
Clone
Home File SharesFolder
Redirection
App Volumes
AppStacks
Writable Volume
Disk
Attachments
vSphere
Virtual SAN
Instant Clone
SaaS Mobile Other Apps
Client(s)
Identity Manager
HTML
APPS
En
viro
nm
en
t
AD
DNS
DHCP
Group
Policy
Certs
vRealize Operations for Horizon ndash (Monitoring amp Mgt)
Identifying the Problem Domain
ABV1592BE CONFIDENTIAL 28
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon Connectivity Issues
bull Common challenges
ndash Horizon Client canrsquot connect
ndash Logon failure
ndash Black screen
ndash Poor quality display
ndash Randomly disconnected session
ABV1592BE CONFIDENTIAL 29
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
30
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Blast Extreme Adaptive TransportADMX Template Settings
Computer gt Policies gt Admin Templates gt VMware Blast gt UDP Protocol
bull Requires restart of Blast service or reboot of guest OS to take effect
BlastExtreme
ABV1592BE CONFIDENTIAL 31
VMworld 2017 Content Not fo
r publication or distri
bution
Blast Extreme Adaptive Transport
Client Settings Agent Settings (UDP) Blast Desktop Connection Broker Connection
Excellent Not configured or Enabled TCP TCP
Typical Not configured or Enabled UDP TCP
Poor Not configured or Enabled UDP UDP
Computer gt Policies gt Admin Templates gt VMware Blast gt UDP Protocol ndash Not Configured or Enabled
HKLMSOFTWAREPoliciesVMware IncVMware BlastConfig ndash UdpEnabled = 1
Client Settings Agent Settings (UDP) Blast Desktop Connection Broker Connection
Excellent Disabled TCP TCP
Typical Disabled TCP TCP
Poor Disabled TCP UDP
Computer gt Policies gt Admin Templates gt VMware Blast gt UDP Protocol ndash Disabled
HKLMSOFTWAREPoliciesVMware IncVMware BlastConfig ndash UdpEnabled = 0
BlastExtreme
ABV1592BE CONFIDENTIAL 32
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon Connectivity Issues
bull Where to look
ndash Connection Broker logs
bull CProgramDataVMwareVDMlogs
ndash Event Database
ndash DCT Tool
bull What to look for ndash
bull (Client connects) [SimpleAJPService] (ajpbrokerRequest9) Request from 19216821 POST brokerxml
bull (Broker authentication) [WinAuthFilter] (SESSION7072--a79c mattc) Attempting to authenticate user mattc in domain FUTUREOFFICErsquo
bull (User has authenticated to Broker) [AuthorizationFilter] (SESSION7072--a79c) User FUTUREOFFICEmattc has successfully authenticated to VDM
bull (Audit Entry) [Audit] (SESSION7072--a79c) BROKER_LOGONUSERFUTUREOFFICEmattcUSERSIDS-1-5-21-326850759-2560684469-1780228732-1113USERDNCN=S-1-5-21-326850759-2560684469-1780228732-1113CN=ForeignSecurityPrincipalsDC=vdiDC=vmwareDC=int
bull Event Database BROKER_USERLOGGEDIN
ABV1592BE CONFIDENTIAL 33
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
User Experience Issues
bull Black screen of deathmdashinstead of desktop
ndash PCoIP port blocked (TCP and UDP 4172) or SVGA Driver issue
ndash pcoip_serverclient logs - CUsersAll UsersVMwareVDMlogs
bull Error attaching to SVGADevTap error 4000 EscapeFailed
bull MGMT_SCHAN scnet_client_open tera_sock_connect returned error 10060 - Connection timed out
ndash Incorrect PCoIP External URL configured for SecurityConnection Servers
ABV1592BE CONFIDENTIAL 34
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
User Experience Issues
bull Poor quality display
ndash Bandwidth latency or QoS
ndash Pcoip_server logs report
bull VGMAC Stat frms Loss=045021 (RT)
bull MGMT_PCOIP_DATA BW Decrease (loss) old = 2349982 new = 1768438
bull Randomly disconnected session
ndash 15 min after established - wssm process hasnt started on desktop
ndash View Agent logs (ltDriveLettergtProgramDataVMwareVDMlogs)
ndash PENDING_EXPIRED
ndash Sometimes caused by daisy-chaining the GINA (WinXP)
ABV1592BE CONFIDENTIAL 35
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Multi-VLAN support for Instant Clone pools
36
Tips to Avoid Deployment Issues
Support
bull vSphere 2016
bull ESXi 60 U1 or newer
bull Virtual Distributed Switch only
ndash No support for Standard Switch
bull Port Group must be configured for Static Port Binding amp Fixed Port Allocation
ndash No support for Dynamic or Ephemeral
Tested Limits
bull No multi-VLAN provisioning with IPv6
bull Single IC pool of 2K VMs
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Multi-VLAN with Horizon Instant Clones
37
Troubleshooting
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Performance
bull Common Issues
ndash Storage IO bottleneck
ndash Memory contention
ndash CPU contention
ndash Network issues
bull Where to look
ndash vCenter Server
ndash VCOPs
ndash ESXTOP
ndash 3rd Party Tools
ABV1592BE CONFIDENTIAL 38
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
The 3 Pillars of Performance
What to look for
bull CPU
ndash ClusterHost utilization lt 90
ndash VM utilization - USED (ESXTOP)
ndash VM RDY Time (ESXTOP) lt 10
bull Memory
ndash Host utilization lt 85
ndash VM utilization
ndash Swapping Ballooning SWCUR gt 1 MCTLSZ gt 1 (ESXTOP)
bull Storage
ndash Disk Read Latency lt 25ms
ndash ESXTOP DAVG or KAVG lt 25ms (ESXTOP)
ABV1592BE CONFIDENTIAL 39
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Optimize Your Images
bull httpslabsvmwarecomflingsvmware-os-optimization-tool
ABV1592BE CONFIDENTIAL 40
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
User Environment ManagerCommon Issues
41
VMworld 2017 Content Not fo
r publication or distri
bution
FlexEngine Appears Not To Run
FlexEngine Client
bull Requires use of Regeditexeor Regexe to modify user-based registry keys
bull Must not be disabled via Local or Group Policy
ADMX Settings
bull Minimum settings to enable FlexEngine Client
bull Check path
ABV1592BE CONFIDENTIAL 42
VMworld 2017 Content Not fo
r publication or distri
bution
Path-Based Import Runs Slow
43
bull Be careful not to run FlexEngine as a logon script and a Group Policy client-side extension
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Application Incompatibility with Hook Drivers
44
User Environment Manager
DirectFlex Blacklist
bull Create ltFlexRepositorygtDirectFlexBlackListXML
bull Populate as follows
ltxml version=10 encoding=utf-8gt
ltuserEnvironmentSettingsgt
ltsetting type=blacklist list=rdquo1exe|2exe|3exe gt
ltuserEnvironmentSettingsgt
bull Example httpskbvmwarecomkb2145287
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
App VolumesCommon Issues
45
VMworld 2017 Content Not fo
r publication or distri
bution
Slow User Logon
46
bull Check Logon Segments in Horizon to determine where the delay is
bull Optimize clockyml
ndash If performance decreases as deployment scales
ndash Increasing servers workers and thread_poolrequires additional CPU and RAM
ndash Involve GSS to ensure optimal settings
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
AppStack Not Attaching at Logon
47
bull One host in vSphere cluster does not have access to the shared datastore where the AppStack resides
ndash Common oversight especially with Storage Groups
bull Conflicting Minifilter driver
ndash DLP software
ndash Be aware of app altitude
ndash More info from Microsoft
bull httpbitly2tSCdG5
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
ADSI Edit ndash Static Configuration Editing
50
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
ADSI Edit ndash Common Key Values to Inspect
bull pae-DisplayName
ndash VM name as displayed in View Admin
bull pae-DirtyForNewSessions
ndash Indicates whether the VM is ldquoDirtyrdquo and can be re-used in a non-persistent pool
bull pae-SVIVMSnapshot
ndash Indicates the current Snapshot that is in use
bull pae-VmPath
ndash Indicates the full Path to the VM in vCenter
bull pae-VmState
ndash Indicates the current state of the Desktop ndash some states are a combination of this valueand other values
51
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
ADSI Edit ndash Searching for a Desktop
bull Find VMs with a Snapshot
ndash (amp(objectClass=pae-VM)(pae-SVIVmSnapshot=BaselineSnapshot1Snapshot2))
bull Find VMs with a Name
ndash (amp(objectClass=pae-VM)(pae-DisplayName=Desktop-234))
ABV1592BE CONFIDENTIAL 52
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon View Event Notifier
bull On the VMware Fling site - labsvmwarecomflings (chrishalstead)
ABV1592BE CONFIDENTIAL 53
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
What to look forhellip (walk through successful connection)
bull Client requests desktop
ndash Event Database BROKER_DESKTOP_REQUEST
bull Broker allocates session to user
ndash [FarmImp] (SESSION7072--a79c) cn=3f974017-409f-4912-83bc-2ee794f22fabou=serversdc=vdidc=vmwaredc=int total session count 0
ndash [FarmImp] (SESSION7072--a79c) allocateNewSession - identified server for application CN=GOLD-NPOU=ApplicationsDC=vdiDC=vmwareDC=int
ndash Event Database BROKER_MACHINE_ALLOCATED
bull Broker attempts SSO
ndash [FarmImp] (SESSION7072--a79c) Using domain for SSO FUTUREOFFICE
ndash User wonrsquot be logged on to the VM without this
ABV1592BE CONFIDENTIAL 54
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
What to look forhellip Pool Provisioning
bull Desktops not available due to provisioning error
ndash Check View Administrator for Pool status check datastore capacity
ndash Check Event Database - BROKER_PROVISIONING_ERROR_
ndash Check View Composer has network access to ESX hosts
bull Desktop not available due to customization
ndash Check Desktop status ndash AGENT UNAVAILABLE
ndash Check View Dashboard
bull Desktop Status gt Preparing Desktops OR Problem Desktops
ndash Check Desktop connectivity to DNSADConnection Server
ABV1592BE CONFIDENTIAL 55
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
bull Desktop not available due to VM resetcrash
ndash Check Desktop status ndash ALREADY USED
ndash Typical on refresh-on-logoff or delete-on-use desktops
ndash Broker never received an explicit logout message from the agent
ndash Missing AGENT_ENDED event in DB for VM
bull View Composer Issues associated with incorrect domain credentials
bull CProgramDataVMwareView ComposerLogs
bull FATAL CSvmGaService - [svmGaServicecpp 116] Domain join failed Error 5 (0x5) Access is denied
ABV1592BE CONFIDENTIAL 56
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
What to look forhellip
bull Broker starts session on VM
ndash [DesktopSessionImp] (SESSION7072--a79c) startSession ndashsending StartSession message
bull Agent respondshellip
ndash DesktopManager got a StartSession messagerdquo
ndash Client Info should be in Agent Log along with PCoIP launch
bull Event Database AGENT_PENDING
bull Client connects to VM (Agent)
ndash ldquoPCoIPCnxOnConnectionComplete Begin (PCOIP)rdquo
ndash ldquoWTS_SESSION_LOGONrdquo
ndash Event Database AGENT_CONNECTED
ABV1592BE CONFIDENTIAL 57
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Source Not Available
58
Common Issues
bull No Desktop Available
bull Pool provisioning issues ndashcustomization
bull Agent not communicatingwith broker
bull Stuck at desktop loginscreen (SSO)
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Source Not Available
59
Where to look
bull Event Database
bull Connection Server logs
What to look for
[SessionLaunchContext] (SESSION40a7__6cbd) VMWEUCbsimpson Desktop=vmworld Session request failed
(SESSION40a7__6cbd) [VMWEUCbsimpson Desktop=vmworld] (5ms) The following servers were blocked for new sessions [cn=5162cf76-8d8a-4ac0-9185-845a540d24e5ou=serversdc=vdidc=vmwaredc=int]
(SESSION40a7__6cbd) [VMWEUCbsimpson Desktop=vmworld] (5ms) Application launch failed exception was The desktop sources for this desktop are not responding Please try again later
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and vCenter Server Connection
Accept vCenter Certificate
By default certificate validation is required between App Volumes Manager and vSphere
Accept vCenter cert (self-signed or CA-signed) while creating the Machine Manager in App Volumes Manager
No custom certificate work required
App Volumes
ABV1592BE CONFIDENTIAL 60
VMworld 2017 Content Not fo
r publication or distri
bution
Certificate Options for ProductionEnable Certificate Validation on the App Volumes Agent
HKLMSystemCurrentControlSetServicessvservicesParametersbull EnforceSSLCertificateValidation = 1bull SSL = 1
Options to Enable SSL
SSL is enabled by default
Donrsquot disable certificate validation during Agent installation
Enable SSL in the registry after App Volumes Agent install
App Volumes
61
VMworld 2017 Content Not fo
r publication or distri
bution
Certificate Options for a POCDisable SSL Certificate Validation on the Agent
HKLMSystemCurrentControlSetServicessvservicesParametersbull EnforceSSLCertificateValidation = 0
Options to Disable SSL
Disable Certificate Validation with App Volumes Manager during App Volumes Agent install
EnforceSSLCertificateValidation in the registry after App Volumes Agent install
App Volumes
62
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and SQL Server CommunicationSecuring Communications Between App Volumes Manager and SQL Server
bull 212 User Guide references MS Support
bull Note the differences for a SQL Server clustered installation
bull Encryption is configured on the SQL Server instance so alldatabases on a shared SQL Server will be affected
bull From the SQL Server use SQL Server Configuration Manager to configure Force Encryption and specify the SQL certificate
SQL Server service account must have Read permissions to the Private Key of the SQL Server SSL certificate
ndash Check SQL Server Configuration Manager gt SQL Server Services gt SQL Server (SQL) gt Log On
ndash Default is NT ServiceMSSQL$SQL which does not have the necessary permissions
App Volumes
ABV1592BE CONFIDENTIAL 63
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and SQL Server CommunicationSetting Custom Private Key Permissions for SQL Service Account
bull Start on the SQL Server
bull MMC gt Certificates
App Volumes
ABV1592BE CONFIDENTIAL 64
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and Load Balancers
Typical Deployment
SSL is terminated at load balancer
HTTP between LB and AV Manager
SSL between AV Agents and LB
If trusted CA-signed cert is used for LB be
sure all agents trust the CA
App Volumes Agent VMs
Load Balancer
App Volumes Manager VMs
Alternative Deployment
To keep SSL between LB and AV
Manager signed AV Manager
certificate(s) should be added to trust list
of the LB
SQLView Infrastructure
Now Secured with SSL
Certificates
App Volumes
ABV1592BE CONFIDENTIAL 65
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
Tracking Sessions
bull Use TailGrep Utilities or Trace32 (SCCM Toolkit)
21
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Demo ndash Log Monitoring with BareTailBareGrep
22
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
HorizonCommon Issues
VMworld 2017 Content Not fo
r publication or distri
bution
Troubleshooting Keys
bull Check Admin Dashboard or HelpDesk Tool
bull Understand client connection paths
bull Set the appropriate Logging Level
bull Check Logs and understand DCT Tool
bull Use kbvmwarecom or communities
24
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon Helpdesk Tool
25
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon Helpdesk Tool Session Details
26
Access
bull Installed by default on CS
bull https[CS FQDN]helpdesk
bull Launch from Horizon Console
Provides
bull Metrics
bull Send Message
bull Remote Assistance
bull Quick Resolution
bull Restart
bull Logoff
bull Reset
bull Disconnect
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon Helpdesk Tool
27
Measuring Impact of AppStacks
No AppStacks
Three AppStacks ndash VLC Notepad++ 7-Zip
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Pool
Profile
Service AppsUser
Remoting
ProtocolUser Environment
Manager
File SharesPersona
ThinApp SharesStreamed
Apps
Master VMInstant
Clone
Home File SharesFolder
Redirection
App Volumes
AppStacks
Writable Volume
Disk
Attachments
vSphere
Virtual SAN
Instant Clone
SaaS Mobile Other Apps
Client(s)
Identity Manager
HTML
APPS
En
viro
nm
en
t
AD
DNS
DHCP
Group
Policy
Certs
vRealize Operations for Horizon ndash (Monitoring amp Mgt)
Identifying the Problem Domain
ABV1592BE CONFIDENTIAL 28
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon Connectivity Issues
bull Common challenges
ndash Horizon Client canrsquot connect
ndash Logon failure
ndash Black screen
ndash Poor quality display
ndash Randomly disconnected session
ABV1592BE CONFIDENTIAL 29
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
30
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Blast Extreme Adaptive TransportADMX Template Settings
Computer gt Policies gt Admin Templates gt VMware Blast gt UDP Protocol
bull Requires restart of Blast service or reboot of guest OS to take effect
BlastExtreme
ABV1592BE CONFIDENTIAL 31
VMworld 2017 Content Not fo
r publication or distri
bution
Blast Extreme Adaptive Transport
Client Settings Agent Settings (UDP) Blast Desktop Connection Broker Connection
Excellent Not configured or Enabled TCP TCP
Typical Not configured or Enabled UDP TCP
Poor Not configured or Enabled UDP UDP
Computer gt Policies gt Admin Templates gt VMware Blast gt UDP Protocol ndash Not Configured or Enabled
HKLMSOFTWAREPoliciesVMware IncVMware BlastConfig ndash UdpEnabled = 1
Client Settings Agent Settings (UDP) Blast Desktop Connection Broker Connection
Excellent Disabled TCP TCP
Typical Disabled TCP TCP
Poor Disabled TCP UDP
Computer gt Policies gt Admin Templates gt VMware Blast gt UDP Protocol ndash Disabled
HKLMSOFTWAREPoliciesVMware IncVMware BlastConfig ndash UdpEnabled = 0
BlastExtreme
ABV1592BE CONFIDENTIAL 32
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon Connectivity Issues
bull Where to look
ndash Connection Broker logs
bull CProgramDataVMwareVDMlogs
ndash Event Database
ndash DCT Tool
bull What to look for ndash
bull (Client connects) [SimpleAJPService] (ajpbrokerRequest9) Request from 19216821 POST brokerxml
bull (Broker authentication) [WinAuthFilter] (SESSION7072--a79c mattc) Attempting to authenticate user mattc in domain FUTUREOFFICErsquo
bull (User has authenticated to Broker) [AuthorizationFilter] (SESSION7072--a79c) User FUTUREOFFICEmattc has successfully authenticated to VDM
bull (Audit Entry) [Audit] (SESSION7072--a79c) BROKER_LOGONUSERFUTUREOFFICEmattcUSERSIDS-1-5-21-326850759-2560684469-1780228732-1113USERDNCN=S-1-5-21-326850759-2560684469-1780228732-1113CN=ForeignSecurityPrincipalsDC=vdiDC=vmwareDC=int
bull Event Database BROKER_USERLOGGEDIN
ABV1592BE CONFIDENTIAL 33
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
User Experience Issues
bull Black screen of deathmdashinstead of desktop
ndash PCoIP port blocked (TCP and UDP 4172) or SVGA Driver issue
ndash pcoip_serverclient logs - CUsersAll UsersVMwareVDMlogs
bull Error attaching to SVGADevTap error 4000 EscapeFailed
bull MGMT_SCHAN scnet_client_open tera_sock_connect returned error 10060 - Connection timed out
ndash Incorrect PCoIP External URL configured for SecurityConnection Servers
ABV1592BE CONFIDENTIAL 34
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
User Experience Issues
bull Poor quality display
ndash Bandwidth latency or QoS
ndash Pcoip_server logs report
bull VGMAC Stat frms Loss=045021 (RT)
bull MGMT_PCOIP_DATA BW Decrease (loss) old = 2349982 new = 1768438
bull Randomly disconnected session
ndash 15 min after established - wssm process hasnt started on desktop
ndash View Agent logs (ltDriveLettergtProgramDataVMwareVDMlogs)
ndash PENDING_EXPIRED
ndash Sometimes caused by daisy-chaining the GINA (WinXP)
ABV1592BE CONFIDENTIAL 35
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Multi-VLAN support for Instant Clone pools
36
Tips to Avoid Deployment Issues
Support
bull vSphere 2016
bull ESXi 60 U1 or newer
bull Virtual Distributed Switch only
ndash No support for Standard Switch
bull Port Group must be configured for Static Port Binding amp Fixed Port Allocation
ndash No support for Dynamic or Ephemeral
Tested Limits
bull No multi-VLAN provisioning with IPv6
bull Single IC pool of 2K VMs
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Multi-VLAN with Horizon Instant Clones
37
Troubleshooting
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Performance
bull Common Issues
ndash Storage IO bottleneck
ndash Memory contention
ndash CPU contention
ndash Network issues
bull Where to look
ndash vCenter Server
ndash VCOPs
ndash ESXTOP
ndash 3rd Party Tools
ABV1592BE CONFIDENTIAL 38
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
The 3 Pillars of Performance
What to look for
bull CPU
ndash ClusterHost utilization lt 90
ndash VM utilization - USED (ESXTOP)
ndash VM RDY Time (ESXTOP) lt 10
bull Memory
ndash Host utilization lt 85
ndash VM utilization
ndash Swapping Ballooning SWCUR gt 1 MCTLSZ gt 1 (ESXTOP)
bull Storage
ndash Disk Read Latency lt 25ms
ndash ESXTOP DAVG or KAVG lt 25ms (ESXTOP)
ABV1592BE CONFIDENTIAL 39
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Optimize Your Images
bull httpslabsvmwarecomflingsvmware-os-optimization-tool
ABV1592BE CONFIDENTIAL 40
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
User Environment ManagerCommon Issues
41
VMworld 2017 Content Not fo
r publication or distri
bution
FlexEngine Appears Not To Run
FlexEngine Client
bull Requires use of Regeditexeor Regexe to modify user-based registry keys
bull Must not be disabled via Local or Group Policy
ADMX Settings
bull Minimum settings to enable FlexEngine Client
bull Check path
ABV1592BE CONFIDENTIAL 42
VMworld 2017 Content Not fo
r publication or distri
bution
Path-Based Import Runs Slow
43
bull Be careful not to run FlexEngine as a logon script and a Group Policy client-side extension
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Application Incompatibility with Hook Drivers
44
User Environment Manager
DirectFlex Blacklist
bull Create ltFlexRepositorygtDirectFlexBlackListXML
bull Populate as follows
ltxml version=10 encoding=utf-8gt
ltuserEnvironmentSettingsgt
ltsetting type=blacklist list=rdquo1exe|2exe|3exe gt
ltuserEnvironmentSettingsgt
bull Example httpskbvmwarecomkb2145287
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
App VolumesCommon Issues
45
VMworld 2017 Content Not fo
r publication or distri
bution
Slow User Logon
46
bull Check Logon Segments in Horizon to determine where the delay is
bull Optimize clockyml
ndash If performance decreases as deployment scales
ndash Increasing servers workers and thread_poolrequires additional CPU and RAM
ndash Involve GSS to ensure optimal settings
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
AppStack Not Attaching at Logon
47
bull One host in vSphere cluster does not have access to the shared datastore where the AppStack resides
ndash Common oversight especially with Storage Groups
bull Conflicting Minifilter driver
ndash DLP software
ndash Be aware of app altitude
ndash More info from Microsoft
bull httpbitly2tSCdG5
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
ADSI Edit ndash Static Configuration Editing
50
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
ADSI Edit ndash Common Key Values to Inspect
bull pae-DisplayName
ndash VM name as displayed in View Admin
bull pae-DirtyForNewSessions
ndash Indicates whether the VM is ldquoDirtyrdquo and can be re-used in a non-persistent pool
bull pae-SVIVMSnapshot
ndash Indicates the current Snapshot that is in use
bull pae-VmPath
ndash Indicates the full Path to the VM in vCenter
bull pae-VmState
ndash Indicates the current state of the Desktop ndash some states are a combination of this valueand other values
51
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
ADSI Edit ndash Searching for a Desktop
bull Find VMs with a Snapshot
ndash (amp(objectClass=pae-VM)(pae-SVIVmSnapshot=BaselineSnapshot1Snapshot2))
bull Find VMs with a Name
ndash (amp(objectClass=pae-VM)(pae-DisplayName=Desktop-234))
ABV1592BE CONFIDENTIAL 52
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon View Event Notifier
bull On the VMware Fling site - labsvmwarecomflings (chrishalstead)
ABV1592BE CONFIDENTIAL 53
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
What to look forhellip (walk through successful connection)
bull Client requests desktop
ndash Event Database BROKER_DESKTOP_REQUEST
bull Broker allocates session to user
ndash [FarmImp] (SESSION7072--a79c) cn=3f974017-409f-4912-83bc-2ee794f22fabou=serversdc=vdidc=vmwaredc=int total session count 0
ndash [FarmImp] (SESSION7072--a79c) allocateNewSession - identified server for application CN=GOLD-NPOU=ApplicationsDC=vdiDC=vmwareDC=int
ndash Event Database BROKER_MACHINE_ALLOCATED
bull Broker attempts SSO
ndash [FarmImp] (SESSION7072--a79c) Using domain for SSO FUTUREOFFICE
ndash User wonrsquot be logged on to the VM without this
ABV1592BE CONFIDENTIAL 54
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
What to look forhellip Pool Provisioning
bull Desktops not available due to provisioning error
ndash Check View Administrator for Pool status check datastore capacity
ndash Check Event Database - BROKER_PROVISIONING_ERROR_
ndash Check View Composer has network access to ESX hosts
bull Desktop not available due to customization
ndash Check Desktop status ndash AGENT UNAVAILABLE
ndash Check View Dashboard
bull Desktop Status gt Preparing Desktops OR Problem Desktops
ndash Check Desktop connectivity to DNSADConnection Server
ABV1592BE CONFIDENTIAL 55
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
bull Desktop not available due to VM resetcrash
ndash Check Desktop status ndash ALREADY USED
ndash Typical on refresh-on-logoff or delete-on-use desktops
ndash Broker never received an explicit logout message from the agent
ndash Missing AGENT_ENDED event in DB for VM
bull View Composer Issues associated with incorrect domain credentials
bull CProgramDataVMwareView ComposerLogs
bull FATAL CSvmGaService - [svmGaServicecpp 116] Domain join failed Error 5 (0x5) Access is denied
ABV1592BE CONFIDENTIAL 56
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
What to look forhellip
bull Broker starts session on VM
ndash [DesktopSessionImp] (SESSION7072--a79c) startSession ndashsending StartSession message
bull Agent respondshellip
ndash DesktopManager got a StartSession messagerdquo
ndash Client Info should be in Agent Log along with PCoIP launch
bull Event Database AGENT_PENDING
bull Client connects to VM (Agent)
ndash ldquoPCoIPCnxOnConnectionComplete Begin (PCOIP)rdquo
ndash ldquoWTS_SESSION_LOGONrdquo
ndash Event Database AGENT_CONNECTED
ABV1592BE CONFIDENTIAL 57
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Source Not Available
58
Common Issues
bull No Desktop Available
bull Pool provisioning issues ndashcustomization
bull Agent not communicatingwith broker
bull Stuck at desktop loginscreen (SSO)
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Source Not Available
59
Where to look
bull Event Database
bull Connection Server logs
What to look for
[SessionLaunchContext] (SESSION40a7__6cbd) VMWEUCbsimpson Desktop=vmworld Session request failed
(SESSION40a7__6cbd) [VMWEUCbsimpson Desktop=vmworld] (5ms) The following servers were blocked for new sessions [cn=5162cf76-8d8a-4ac0-9185-845a540d24e5ou=serversdc=vdidc=vmwaredc=int]
(SESSION40a7__6cbd) [VMWEUCbsimpson Desktop=vmworld] (5ms) Application launch failed exception was The desktop sources for this desktop are not responding Please try again later
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and vCenter Server Connection
Accept vCenter Certificate
By default certificate validation is required between App Volumes Manager and vSphere
Accept vCenter cert (self-signed or CA-signed) while creating the Machine Manager in App Volumes Manager
No custom certificate work required
App Volumes
ABV1592BE CONFIDENTIAL 60
VMworld 2017 Content Not fo
r publication or distri
bution
Certificate Options for ProductionEnable Certificate Validation on the App Volumes Agent
HKLMSystemCurrentControlSetServicessvservicesParametersbull EnforceSSLCertificateValidation = 1bull SSL = 1
Options to Enable SSL
SSL is enabled by default
Donrsquot disable certificate validation during Agent installation
Enable SSL in the registry after App Volumes Agent install
App Volumes
61
VMworld 2017 Content Not fo
r publication or distri
bution
Certificate Options for a POCDisable SSL Certificate Validation on the Agent
HKLMSystemCurrentControlSetServicessvservicesParametersbull EnforceSSLCertificateValidation = 0
Options to Disable SSL
Disable Certificate Validation with App Volumes Manager during App Volumes Agent install
EnforceSSLCertificateValidation in the registry after App Volumes Agent install
App Volumes
62
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and SQL Server CommunicationSecuring Communications Between App Volumes Manager and SQL Server
bull 212 User Guide references MS Support
bull Note the differences for a SQL Server clustered installation
bull Encryption is configured on the SQL Server instance so alldatabases on a shared SQL Server will be affected
bull From the SQL Server use SQL Server Configuration Manager to configure Force Encryption and specify the SQL certificate
SQL Server service account must have Read permissions to the Private Key of the SQL Server SSL certificate
ndash Check SQL Server Configuration Manager gt SQL Server Services gt SQL Server (SQL) gt Log On
ndash Default is NT ServiceMSSQL$SQL which does not have the necessary permissions
App Volumes
ABV1592BE CONFIDENTIAL 63
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and SQL Server CommunicationSetting Custom Private Key Permissions for SQL Service Account
bull Start on the SQL Server
bull MMC gt Certificates
App Volumes
ABV1592BE CONFIDENTIAL 64
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and Load Balancers
Typical Deployment
SSL is terminated at load balancer
HTTP between LB and AV Manager
SSL between AV Agents and LB
If trusted CA-signed cert is used for LB be
sure all agents trust the CA
App Volumes Agent VMs
Load Balancer
App Volumes Manager VMs
Alternative Deployment
To keep SSL between LB and AV
Manager signed AV Manager
certificate(s) should be added to trust list
of the LB
SQLView Infrastructure
Now Secured with SSL
Certificates
App Volumes
ABV1592BE CONFIDENTIAL 65
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
Demo ndash Log Monitoring with BareTailBareGrep
22
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
HorizonCommon Issues
VMworld 2017 Content Not fo
r publication or distri
bution
Troubleshooting Keys
bull Check Admin Dashboard or HelpDesk Tool
bull Understand client connection paths
bull Set the appropriate Logging Level
bull Check Logs and understand DCT Tool
bull Use kbvmwarecom or communities
24
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon Helpdesk Tool
25
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon Helpdesk Tool Session Details
26
Access
bull Installed by default on CS
bull https[CS FQDN]helpdesk
bull Launch from Horizon Console
Provides
bull Metrics
bull Send Message
bull Remote Assistance
bull Quick Resolution
bull Restart
bull Logoff
bull Reset
bull Disconnect
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon Helpdesk Tool
27
Measuring Impact of AppStacks
No AppStacks
Three AppStacks ndash VLC Notepad++ 7-Zip
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Pool
Profile
Service AppsUser
Remoting
ProtocolUser Environment
Manager
File SharesPersona
ThinApp SharesStreamed
Apps
Master VMInstant
Clone
Home File SharesFolder
Redirection
App Volumes
AppStacks
Writable Volume
Disk
Attachments
vSphere
Virtual SAN
Instant Clone
SaaS Mobile Other Apps
Client(s)
Identity Manager
HTML
APPS
En
viro
nm
en
t
AD
DNS
DHCP
Group
Policy
Certs
vRealize Operations for Horizon ndash (Monitoring amp Mgt)
Identifying the Problem Domain
ABV1592BE CONFIDENTIAL 28
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon Connectivity Issues
bull Common challenges
ndash Horizon Client canrsquot connect
ndash Logon failure
ndash Black screen
ndash Poor quality display
ndash Randomly disconnected session
ABV1592BE CONFIDENTIAL 29
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
30
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Blast Extreme Adaptive TransportADMX Template Settings
Computer gt Policies gt Admin Templates gt VMware Blast gt UDP Protocol
bull Requires restart of Blast service or reboot of guest OS to take effect
BlastExtreme
ABV1592BE CONFIDENTIAL 31
VMworld 2017 Content Not fo
r publication or distri
bution
Blast Extreme Adaptive Transport
Client Settings Agent Settings (UDP) Blast Desktop Connection Broker Connection
Excellent Not configured or Enabled TCP TCP
Typical Not configured or Enabled UDP TCP
Poor Not configured or Enabled UDP UDP
Computer gt Policies gt Admin Templates gt VMware Blast gt UDP Protocol ndash Not Configured or Enabled
HKLMSOFTWAREPoliciesVMware IncVMware BlastConfig ndash UdpEnabled = 1
Client Settings Agent Settings (UDP) Blast Desktop Connection Broker Connection
Excellent Disabled TCP TCP
Typical Disabled TCP TCP
Poor Disabled TCP UDP
Computer gt Policies gt Admin Templates gt VMware Blast gt UDP Protocol ndash Disabled
HKLMSOFTWAREPoliciesVMware IncVMware BlastConfig ndash UdpEnabled = 0
BlastExtreme
ABV1592BE CONFIDENTIAL 32
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon Connectivity Issues
bull Where to look
ndash Connection Broker logs
bull CProgramDataVMwareVDMlogs
ndash Event Database
ndash DCT Tool
bull What to look for ndash
bull (Client connects) [SimpleAJPService] (ajpbrokerRequest9) Request from 19216821 POST brokerxml
bull (Broker authentication) [WinAuthFilter] (SESSION7072--a79c mattc) Attempting to authenticate user mattc in domain FUTUREOFFICErsquo
bull (User has authenticated to Broker) [AuthorizationFilter] (SESSION7072--a79c) User FUTUREOFFICEmattc has successfully authenticated to VDM
bull (Audit Entry) [Audit] (SESSION7072--a79c) BROKER_LOGONUSERFUTUREOFFICEmattcUSERSIDS-1-5-21-326850759-2560684469-1780228732-1113USERDNCN=S-1-5-21-326850759-2560684469-1780228732-1113CN=ForeignSecurityPrincipalsDC=vdiDC=vmwareDC=int
bull Event Database BROKER_USERLOGGEDIN
ABV1592BE CONFIDENTIAL 33
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
User Experience Issues
bull Black screen of deathmdashinstead of desktop
ndash PCoIP port blocked (TCP and UDP 4172) or SVGA Driver issue
ndash pcoip_serverclient logs - CUsersAll UsersVMwareVDMlogs
bull Error attaching to SVGADevTap error 4000 EscapeFailed
bull MGMT_SCHAN scnet_client_open tera_sock_connect returned error 10060 - Connection timed out
ndash Incorrect PCoIP External URL configured for SecurityConnection Servers
ABV1592BE CONFIDENTIAL 34
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
User Experience Issues
bull Poor quality display
ndash Bandwidth latency or QoS
ndash Pcoip_server logs report
bull VGMAC Stat frms Loss=045021 (RT)
bull MGMT_PCOIP_DATA BW Decrease (loss) old = 2349982 new = 1768438
bull Randomly disconnected session
ndash 15 min after established - wssm process hasnt started on desktop
ndash View Agent logs (ltDriveLettergtProgramDataVMwareVDMlogs)
ndash PENDING_EXPIRED
ndash Sometimes caused by daisy-chaining the GINA (WinXP)
ABV1592BE CONFIDENTIAL 35
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Multi-VLAN support for Instant Clone pools
36
Tips to Avoid Deployment Issues
Support
bull vSphere 2016
bull ESXi 60 U1 or newer
bull Virtual Distributed Switch only
ndash No support for Standard Switch
bull Port Group must be configured for Static Port Binding amp Fixed Port Allocation
ndash No support for Dynamic or Ephemeral
Tested Limits
bull No multi-VLAN provisioning with IPv6
bull Single IC pool of 2K VMs
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Multi-VLAN with Horizon Instant Clones
37
Troubleshooting
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Performance
bull Common Issues
ndash Storage IO bottleneck
ndash Memory contention
ndash CPU contention
ndash Network issues
bull Where to look
ndash vCenter Server
ndash VCOPs
ndash ESXTOP
ndash 3rd Party Tools
ABV1592BE CONFIDENTIAL 38
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
The 3 Pillars of Performance
What to look for
bull CPU
ndash ClusterHost utilization lt 90
ndash VM utilization - USED (ESXTOP)
ndash VM RDY Time (ESXTOP) lt 10
bull Memory
ndash Host utilization lt 85
ndash VM utilization
ndash Swapping Ballooning SWCUR gt 1 MCTLSZ gt 1 (ESXTOP)
bull Storage
ndash Disk Read Latency lt 25ms
ndash ESXTOP DAVG or KAVG lt 25ms (ESXTOP)
ABV1592BE CONFIDENTIAL 39
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Optimize Your Images
bull httpslabsvmwarecomflingsvmware-os-optimization-tool
ABV1592BE CONFIDENTIAL 40
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
User Environment ManagerCommon Issues
41
VMworld 2017 Content Not fo
r publication or distri
bution
FlexEngine Appears Not To Run
FlexEngine Client
bull Requires use of Regeditexeor Regexe to modify user-based registry keys
bull Must not be disabled via Local or Group Policy
ADMX Settings
bull Minimum settings to enable FlexEngine Client
bull Check path
ABV1592BE CONFIDENTIAL 42
VMworld 2017 Content Not fo
r publication or distri
bution
Path-Based Import Runs Slow
43
bull Be careful not to run FlexEngine as a logon script and a Group Policy client-side extension
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Application Incompatibility with Hook Drivers
44
User Environment Manager
DirectFlex Blacklist
bull Create ltFlexRepositorygtDirectFlexBlackListXML
bull Populate as follows
ltxml version=10 encoding=utf-8gt
ltuserEnvironmentSettingsgt
ltsetting type=blacklist list=rdquo1exe|2exe|3exe gt
ltuserEnvironmentSettingsgt
bull Example httpskbvmwarecomkb2145287
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
App VolumesCommon Issues
45
VMworld 2017 Content Not fo
r publication or distri
bution
Slow User Logon
46
bull Check Logon Segments in Horizon to determine where the delay is
bull Optimize clockyml
ndash If performance decreases as deployment scales
ndash Increasing servers workers and thread_poolrequires additional CPU and RAM
ndash Involve GSS to ensure optimal settings
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
AppStack Not Attaching at Logon
47
bull One host in vSphere cluster does not have access to the shared datastore where the AppStack resides
ndash Common oversight especially with Storage Groups
bull Conflicting Minifilter driver
ndash DLP software
ndash Be aware of app altitude
ndash More info from Microsoft
bull httpbitly2tSCdG5
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
ADSI Edit ndash Static Configuration Editing
50
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
ADSI Edit ndash Common Key Values to Inspect
bull pae-DisplayName
ndash VM name as displayed in View Admin
bull pae-DirtyForNewSessions
ndash Indicates whether the VM is ldquoDirtyrdquo and can be re-used in a non-persistent pool
bull pae-SVIVMSnapshot
ndash Indicates the current Snapshot that is in use
bull pae-VmPath
ndash Indicates the full Path to the VM in vCenter
bull pae-VmState
ndash Indicates the current state of the Desktop ndash some states are a combination of this valueand other values
51
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
ADSI Edit ndash Searching for a Desktop
bull Find VMs with a Snapshot
ndash (amp(objectClass=pae-VM)(pae-SVIVmSnapshot=BaselineSnapshot1Snapshot2))
bull Find VMs with a Name
ndash (amp(objectClass=pae-VM)(pae-DisplayName=Desktop-234))
ABV1592BE CONFIDENTIAL 52
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon View Event Notifier
bull On the VMware Fling site - labsvmwarecomflings (chrishalstead)
ABV1592BE CONFIDENTIAL 53
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
What to look forhellip (walk through successful connection)
bull Client requests desktop
ndash Event Database BROKER_DESKTOP_REQUEST
bull Broker allocates session to user
ndash [FarmImp] (SESSION7072--a79c) cn=3f974017-409f-4912-83bc-2ee794f22fabou=serversdc=vdidc=vmwaredc=int total session count 0
ndash [FarmImp] (SESSION7072--a79c) allocateNewSession - identified server for application CN=GOLD-NPOU=ApplicationsDC=vdiDC=vmwareDC=int
ndash Event Database BROKER_MACHINE_ALLOCATED
bull Broker attempts SSO
ndash [FarmImp] (SESSION7072--a79c) Using domain for SSO FUTUREOFFICE
ndash User wonrsquot be logged on to the VM without this
ABV1592BE CONFIDENTIAL 54
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
What to look forhellip Pool Provisioning
bull Desktops not available due to provisioning error
ndash Check View Administrator for Pool status check datastore capacity
ndash Check Event Database - BROKER_PROVISIONING_ERROR_
ndash Check View Composer has network access to ESX hosts
bull Desktop not available due to customization
ndash Check Desktop status ndash AGENT UNAVAILABLE
ndash Check View Dashboard
bull Desktop Status gt Preparing Desktops OR Problem Desktops
ndash Check Desktop connectivity to DNSADConnection Server
ABV1592BE CONFIDENTIAL 55
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
bull Desktop not available due to VM resetcrash
ndash Check Desktop status ndash ALREADY USED
ndash Typical on refresh-on-logoff or delete-on-use desktops
ndash Broker never received an explicit logout message from the agent
ndash Missing AGENT_ENDED event in DB for VM
bull View Composer Issues associated with incorrect domain credentials
bull CProgramDataVMwareView ComposerLogs
bull FATAL CSvmGaService - [svmGaServicecpp 116] Domain join failed Error 5 (0x5) Access is denied
ABV1592BE CONFIDENTIAL 56
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
What to look forhellip
bull Broker starts session on VM
ndash [DesktopSessionImp] (SESSION7072--a79c) startSession ndashsending StartSession message
bull Agent respondshellip
ndash DesktopManager got a StartSession messagerdquo
ndash Client Info should be in Agent Log along with PCoIP launch
bull Event Database AGENT_PENDING
bull Client connects to VM (Agent)
ndash ldquoPCoIPCnxOnConnectionComplete Begin (PCOIP)rdquo
ndash ldquoWTS_SESSION_LOGONrdquo
ndash Event Database AGENT_CONNECTED
ABV1592BE CONFIDENTIAL 57
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Source Not Available
58
Common Issues
bull No Desktop Available
bull Pool provisioning issues ndashcustomization
bull Agent not communicatingwith broker
bull Stuck at desktop loginscreen (SSO)
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Source Not Available
59
Where to look
bull Event Database
bull Connection Server logs
What to look for
[SessionLaunchContext] (SESSION40a7__6cbd) VMWEUCbsimpson Desktop=vmworld Session request failed
(SESSION40a7__6cbd) [VMWEUCbsimpson Desktop=vmworld] (5ms) The following servers were blocked for new sessions [cn=5162cf76-8d8a-4ac0-9185-845a540d24e5ou=serversdc=vdidc=vmwaredc=int]
(SESSION40a7__6cbd) [VMWEUCbsimpson Desktop=vmworld] (5ms) Application launch failed exception was The desktop sources for this desktop are not responding Please try again later
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and vCenter Server Connection
Accept vCenter Certificate
By default certificate validation is required between App Volumes Manager and vSphere
Accept vCenter cert (self-signed or CA-signed) while creating the Machine Manager in App Volumes Manager
No custom certificate work required
App Volumes
ABV1592BE CONFIDENTIAL 60
VMworld 2017 Content Not fo
r publication or distri
bution
Certificate Options for ProductionEnable Certificate Validation on the App Volumes Agent
HKLMSystemCurrentControlSetServicessvservicesParametersbull EnforceSSLCertificateValidation = 1bull SSL = 1
Options to Enable SSL
SSL is enabled by default
Donrsquot disable certificate validation during Agent installation
Enable SSL in the registry after App Volumes Agent install
App Volumes
61
VMworld 2017 Content Not fo
r publication or distri
bution
Certificate Options for a POCDisable SSL Certificate Validation on the Agent
HKLMSystemCurrentControlSetServicessvservicesParametersbull EnforceSSLCertificateValidation = 0
Options to Disable SSL
Disable Certificate Validation with App Volumes Manager during App Volumes Agent install
EnforceSSLCertificateValidation in the registry after App Volumes Agent install
App Volumes
62
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and SQL Server CommunicationSecuring Communications Between App Volumes Manager and SQL Server
bull 212 User Guide references MS Support
bull Note the differences for a SQL Server clustered installation
bull Encryption is configured on the SQL Server instance so alldatabases on a shared SQL Server will be affected
bull From the SQL Server use SQL Server Configuration Manager to configure Force Encryption and specify the SQL certificate
SQL Server service account must have Read permissions to the Private Key of the SQL Server SSL certificate
ndash Check SQL Server Configuration Manager gt SQL Server Services gt SQL Server (SQL) gt Log On
ndash Default is NT ServiceMSSQL$SQL which does not have the necessary permissions
App Volumes
ABV1592BE CONFIDENTIAL 63
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and SQL Server CommunicationSetting Custom Private Key Permissions for SQL Service Account
bull Start on the SQL Server
bull MMC gt Certificates
App Volumes
ABV1592BE CONFIDENTIAL 64
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and Load Balancers
Typical Deployment
SSL is terminated at load balancer
HTTP between LB and AV Manager
SSL between AV Agents and LB
If trusted CA-signed cert is used for LB be
sure all agents trust the CA
App Volumes Agent VMs
Load Balancer
App Volumes Manager VMs
Alternative Deployment
To keep SSL between LB and AV
Manager signed AV Manager
certificate(s) should be added to trust list
of the LB
SQLView Infrastructure
Now Secured with SSL
Certificates
App Volumes
ABV1592BE CONFIDENTIAL 65
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
HorizonCommon Issues
VMworld 2017 Content Not fo
r publication or distri
bution
Troubleshooting Keys
bull Check Admin Dashboard or HelpDesk Tool
bull Understand client connection paths
bull Set the appropriate Logging Level
bull Check Logs and understand DCT Tool
bull Use kbvmwarecom or communities
24
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon Helpdesk Tool
25
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon Helpdesk Tool Session Details
26
Access
bull Installed by default on CS
bull https[CS FQDN]helpdesk
bull Launch from Horizon Console
Provides
bull Metrics
bull Send Message
bull Remote Assistance
bull Quick Resolution
bull Restart
bull Logoff
bull Reset
bull Disconnect
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon Helpdesk Tool
27
Measuring Impact of AppStacks
No AppStacks
Three AppStacks ndash VLC Notepad++ 7-Zip
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Pool
Profile
Service AppsUser
Remoting
ProtocolUser Environment
Manager
File SharesPersona
ThinApp SharesStreamed
Apps
Master VMInstant
Clone
Home File SharesFolder
Redirection
App Volumes
AppStacks
Writable Volume
Disk
Attachments
vSphere
Virtual SAN
Instant Clone
SaaS Mobile Other Apps
Client(s)
Identity Manager
HTML
APPS
En
viro
nm
en
t
AD
DNS
DHCP
Group
Policy
Certs
vRealize Operations for Horizon ndash (Monitoring amp Mgt)
Identifying the Problem Domain
ABV1592BE CONFIDENTIAL 28
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon Connectivity Issues
bull Common challenges
ndash Horizon Client canrsquot connect
ndash Logon failure
ndash Black screen
ndash Poor quality display
ndash Randomly disconnected session
ABV1592BE CONFIDENTIAL 29
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
30
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Blast Extreme Adaptive TransportADMX Template Settings
Computer gt Policies gt Admin Templates gt VMware Blast gt UDP Protocol
bull Requires restart of Blast service or reboot of guest OS to take effect
BlastExtreme
ABV1592BE CONFIDENTIAL 31
VMworld 2017 Content Not fo
r publication or distri
bution
Blast Extreme Adaptive Transport
Client Settings Agent Settings (UDP) Blast Desktop Connection Broker Connection
Excellent Not configured or Enabled TCP TCP
Typical Not configured or Enabled UDP TCP
Poor Not configured or Enabled UDP UDP
Computer gt Policies gt Admin Templates gt VMware Blast gt UDP Protocol ndash Not Configured or Enabled
HKLMSOFTWAREPoliciesVMware IncVMware BlastConfig ndash UdpEnabled = 1
Client Settings Agent Settings (UDP) Blast Desktop Connection Broker Connection
Excellent Disabled TCP TCP
Typical Disabled TCP TCP
Poor Disabled TCP UDP
Computer gt Policies gt Admin Templates gt VMware Blast gt UDP Protocol ndash Disabled
HKLMSOFTWAREPoliciesVMware IncVMware BlastConfig ndash UdpEnabled = 0
BlastExtreme
ABV1592BE CONFIDENTIAL 32
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon Connectivity Issues
bull Where to look
ndash Connection Broker logs
bull CProgramDataVMwareVDMlogs
ndash Event Database
ndash DCT Tool
bull What to look for ndash
bull (Client connects) [SimpleAJPService] (ajpbrokerRequest9) Request from 19216821 POST brokerxml
bull (Broker authentication) [WinAuthFilter] (SESSION7072--a79c mattc) Attempting to authenticate user mattc in domain FUTUREOFFICErsquo
bull (User has authenticated to Broker) [AuthorizationFilter] (SESSION7072--a79c) User FUTUREOFFICEmattc has successfully authenticated to VDM
bull (Audit Entry) [Audit] (SESSION7072--a79c) BROKER_LOGONUSERFUTUREOFFICEmattcUSERSIDS-1-5-21-326850759-2560684469-1780228732-1113USERDNCN=S-1-5-21-326850759-2560684469-1780228732-1113CN=ForeignSecurityPrincipalsDC=vdiDC=vmwareDC=int
bull Event Database BROKER_USERLOGGEDIN
ABV1592BE CONFIDENTIAL 33
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
User Experience Issues
bull Black screen of deathmdashinstead of desktop
ndash PCoIP port blocked (TCP and UDP 4172) or SVGA Driver issue
ndash pcoip_serverclient logs - CUsersAll UsersVMwareVDMlogs
bull Error attaching to SVGADevTap error 4000 EscapeFailed
bull MGMT_SCHAN scnet_client_open tera_sock_connect returned error 10060 - Connection timed out
ndash Incorrect PCoIP External URL configured for SecurityConnection Servers
ABV1592BE CONFIDENTIAL 34
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
User Experience Issues
bull Poor quality display
ndash Bandwidth latency or QoS
ndash Pcoip_server logs report
bull VGMAC Stat frms Loss=045021 (RT)
bull MGMT_PCOIP_DATA BW Decrease (loss) old = 2349982 new = 1768438
bull Randomly disconnected session
ndash 15 min after established - wssm process hasnt started on desktop
ndash View Agent logs (ltDriveLettergtProgramDataVMwareVDMlogs)
ndash PENDING_EXPIRED
ndash Sometimes caused by daisy-chaining the GINA (WinXP)
ABV1592BE CONFIDENTIAL 35
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Multi-VLAN support for Instant Clone pools
36
Tips to Avoid Deployment Issues
Support
bull vSphere 2016
bull ESXi 60 U1 or newer
bull Virtual Distributed Switch only
ndash No support for Standard Switch
bull Port Group must be configured for Static Port Binding amp Fixed Port Allocation
ndash No support for Dynamic or Ephemeral
Tested Limits
bull No multi-VLAN provisioning with IPv6
bull Single IC pool of 2K VMs
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Multi-VLAN with Horizon Instant Clones
37
Troubleshooting
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Performance
bull Common Issues
ndash Storage IO bottleneck
ndash Memory contention
ndash CPU contention
ndash Network issues
bull Where to look
ndash vCenter Server
ndash VCOPs
ndash ESXTOP
ndash 3rd Party Tools
ABV1592BE CONFIDENTIAL 38
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
The 3 Pillars of Performance
What to look for
bull CPU
ndash ClusterHost utilization lt 90
ndash VM utilization - USED (ESXTOP)
ndash VM RDY Time (ESXTOP) lt 10
bull Memory
ndash Host utilization lt 85
ndash VM utilization
ndash Swapping Ballooning SWCUR gt 1 MCTLSZ gt 1 (ESXTOP)
bull Storage
ndash Disk Read Latency lt 25ms
ndash ESXTOP DAVG or KAVG lt 25ms (ESXTOP)
ABV1592BE CONFIDENTIAL 39
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Optimize Your Images
bull httpslabsvmwarecomflingsvmware-os-optimization-tool
ABV1592BE CONFIDENTIAL 40
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
User Environment ManagerCommon Issues
41
VMworld 2017 Content Not fo
r publication or distri
bution
FlexEngine Appears Not To Run
FlexEngine Client
bull Requires use of Regeditexeor Regexe to modify user-based registry keys
bull Must not be disabled via Local or Group Policy
ADMX Settings
bull Minimum settings to enable FlexEngine Client
bull Check path
ABV1592BE CONFIDENTIAL 42
VMworld 2017 Content Not fo
r publication or distri
bution
Path-Based Import Runs Slow
43
bull Be careful not to run FlexEngine as a logon script and a Group Policy client-side extension
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Application Incompatibility with Hook Drivers
44
User Environment Manager
DirectFlex Blacklist
bull Create ltFlexRepositorygtDirectFlexBlackListXML
bull Populate as follows
ltxml version=10 encoding=utf-8gt
ltuserEnvironmentSettingsgt
ltsetting type=blacklist list=rdquo1exe|2exe|3exe gt
ltuserEnvironmentSettingsgt
bull Example httpskbvmwarecomkb2145287
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
App VolumesCommon Issues
45
VMworld 2017 Content Not fo
r publication or distri
bution
Slow User Logon
46
bull Check Logon Segments in Horizon to determine where the delay is
bull Optimize clockyml
ndash If performance decreases as deployment scales
ndash Increasing servers workers and thread_poolrequires additional CPU and RAM
ndash Involve GSS to ensure optimal settings
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
AppStack Not Attaching at Logon
47
bull One host in vSphere cluster does not have access to the shared datastore where the AppStack resides
ndash Common oversight especially with Storage Groups
bull Conflicting Minifilter driver
ndash DLP software
ndash Be aware of app altitude
ndash More info from Microsoft
bull httpbitly2tSCdG5
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
ADSI Edit ndash Static Configuration Editing
50
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
ADSI Edit ndash Common Key Values to Inspect
bull pae-DisplayName
ndash VM name as displayed in View Admin
bull pae-DirtyForNewSessions
ndash Indicates whether the VM is ldquoDirtyrdquo and can be re-used in a non-persistent pool
bull pae-SVIVMSnapshot
ndash Indicates the current Snapshot that is in use
bull pae-VmPath
ndash Indicates the full Path to the VM in vCenter
bull pae-VmState
ndash Indicates the current state of the Desktop ndash some states are a combination of this valueand other values
51
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
ADSI Edit ndash Searching for a Desktop
bull Find VMs with a Snapshot
ndash (amp(objectClass=pae-VM)(pae-SVIVmSnapshot=BaselineSnapshot1Snapshot2))
bull Find VMs with a Name
ndash (amp(objectClass=pae-VM)(pae-DisplayName=Desktop-234))
ABV1592BE CONFIDENTIAL 52
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon View Event Notifier
bull On the VMware Fling site - labsvmwarecomflings (chrishalstead)
ABV1592BE CONFIDENTIAL 53
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
What to look forhellip (walk through successful connection)
bull Client requests desktop
ndash Event Database BROKER_DESKTOP_REQUEST
bull Broker allocates session to user
ndash [FarmImp] (SESSION7072--a79c) cn=3f974017-409f-4912-83bc-2ee794f22fabou=serversdc=vdidc=vmwaredc=int total session count 0
ndash [FarmImp] (SESSION7072--a79c) allocateNewSession - identified server for application CN=GOLD-NPOU=ApplicationsDC=vdiDC=vmwareDC=int
ndash Event Database BROKER_MACHINE_ALLOCATED
bull Broker attempts SSO
ndash [FarmImp] (SESSION7072--a79c) Using domain for SSO FUTUREOFFICE
ndash User wonrsquot be logged on to the VM without this
ABV1592BE CONFIDENTIAL 54
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
What to look forhellip Pool Provisioning
bull Desktops not available due to provisioning error
ndash Check View Administrator for Pool status check datastore capacity
ndash Check Event Database - BROKER_PROVISIONING_ERROR_
ndash Check View Composer has network access to ESX hosts
bull Desktop not available due to customization
ndash Check Desktop status ndash AGENT UNAVAILABLE
ndash Check View Dashboard
bull Desktop Status gt Preparing Desktops OR Problem Desktops
ndash Check Desktop connectivity to DNSADConnection Server
ABV1592BE CONFIDENTIAL 55
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
bull Desktop not available due to VM resetcrash
ndash Check Desktop status ndash ALREADY USED
ndash Typical on refresh-on-logoff or delete-on-use desktops
ndash Broker never received an explicit logout message from the agent
ndash Missing AGENT_ENDED event in DB for VM
bull View Composer Issues associated with incorrect domain credentials
bull CProgramDataVMwareView ComposerLogs
bull FATAL CSvmGaService - [svmGaServicecpp 116] Domain join failed Error 5 (0x5) Access is denied
ABV1592BE CONFIDENTIAL 56
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
What to look forhellip
bull Broker starts session on VM
ndash [DesktopSessionImp] (SESSION7072--a79c) startSession ndashsending StartSession message
bull Agent respondshellip
ndash DesktopManager got a StartSession messagerdquo
ndash Client Info should be in Agent Log along with PCoIP launch
bull Event Database AGENT_PENDING
bull Client connects to VM (Agent)
ndash ldquoPCoIPCnxOnConnectionComplete Begin (PCOIP)rdquo
ndash ldquoWTS_SESSION_LOGONrdquo
ndash Event Database AGENT_CONNECTED
ABV1592BE CONFIDENTIAL 57
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Source Not Available
58
Common Issues
bull No Desktop Available
bull Pool provisioning issues ndashcustomization
bull Agent not communicatingwith broker
bull Stuck at desktop loginscreen (SSO)
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Source Not Available
59
Where to look
bull Event Database
bull Connection Server logs
What to look for
[SessionLaunchContext] (SESSION40a7__6cbd) VMWEUCbsimpson Desktop=vmworld Session request failed
(SESSION40a7__6cbd) [VMWEUCbsimpson Desktop=vmworld] (5ms) The following servers were blocked for new sessions [cn=5162cf76-8d8a-4ac0-9185-845a540d24e5ou=serversdc=vdidc=vmwaredc=int]
(SESSION40a7__6cbd) [VMWEUCbsimpson Desktop=vmworld] (5ms) Application launch failed exception was The desktop sources for this desktop are not responding Please try again later
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and vCenter Server Connection
Accept vCenter Certificate
By default certificate validation is required between App Volumes Manager and vSphere
Accept vCenter cert (self-signed or CA-signed) while creating the Machine Manager in App Volumes Manager
No custom certificate work required
App Volumes
ABV1592BE CONFIDENTIAL 60
VMworld 2017 Content Not fo
r publication or distri
bution
Certificate Options for ProductionEnable Certificate Validation on the App Volumes Agent
HKLMSystemCurrentControlSetServicessvservicesParametersbull EnforceSSLCertificateValidation = 1bull SSL = 1
Options to Enable SSL
SSL is enabled by default
Donrsquot disable certificate validation during Agent installation
Enable SSL in the registry after App Volumes Agent install
App Volumes
61
VMworld 2017 Content Not fo
r publication or distri
bution
Certificate Options for a POCDisable SSL Certificate Validation on the Agent
HKLMSystemCurrentControlSetServicessvservicesParametersbull EnforceSSLCertificateValidation = 0
Options to Disable SSL
Disable Certificate Validation with App Volumes Manager during App Volumes Agent install
EnforceSSLCertificateValidation in the registry after App Volumes Agent install
App Volumes
62
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and SQL Server CommunicationSecuring Communications Between App Volumes Manager and SQL Server
bull 212 User Guide references MS Support
bull Note the differences for a SQL Server clustered installation
bull Encryption is configured on the SQL Server instance so alldatabases on a shared SQL Server will be affected
bull From the SQL Server use SQL Server Configuration Manager to configure Force Encryption and specify the SQL certificate
SQL Server service account must have Read permissions to the Private Key of the SQL Server SSL certificate
ndash Check SQL Server Configuration Manager gt SQL Server Services gt SQL Server (SQL) gt Log On
ndash Default is NT ServiceMSSQL$SQL which does not have the necessary permissions
App Volumes
ABV1592BE CONFIDENTIAL 63
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and SQL Server CommunicationSetting Custom Private Key Permissions for SQL Service Account
bull Start on the SQL Server
bull MMC gt Certificates
App Volumes
ABV1592BE CONFIDENTIAL 64
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and Load Balancers
Typical Deployment
SSL is terminated at load balancer
HTTP between LB and AV Manager
SSL between AV Agents and LB
If trusted CA-signed cert is used for LB be
sure all agents trust the CA
App Volumes Agent VMs
Load Balancer
App Volumes Manager VMs
Alternative Deployment
To keep SSL between LB and AV
Manager signed AV Manager
certificate(s) should be added to trust list
of the LB
SQLView Infrastructure
Now Secured with SSL
Certificates
App Volumes
ABV1592BE CONFIDENTIAL 65
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
Troubleshooting Keys
bull Check Admin Dashboard or HelpDesk Tool
bull Understand client connection paths
bull Set the appropriate Logging Level
bull Check Logs and understand DCT Tool
bull Use kbvmwarecom or communities
24
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon Helpdesk Tool
25
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon Helpdesk Tool Session Details
26
Access
bull Installed by default on CS
bull https[CS FQDN]helpdesk
bull Launch from Horizon Console
Provides
bull Metrics
bull Send Message
bull Remote Assistance
bull Quick Resolution
bull Restart
bull Logoff
bull Reset
bull Disconnect
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon Helpdesk Tool
27
Measuring Impact of AppStacks
No AppStacks
Three AppStacks ndash VLC Notepad++ 7-Zip
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Pool
Profile
Service AppsUser
Remoting
ProtocolUser Environment
Manager
File SharesPersona
ThinApp SharesStreamed
Apps
Master VMInstant
Clone
Home File SharesFolder
Redirection
App Volumes
AppStacks
Writable Volume
Disk
Attachments
vSphere
Virtual SAN
Instant Clone
SaaS Mobile Other Apps
Client(s)
Identity Manager
HTML
APPS
En
viro
nm
en
t
AD
DNS
DHCP
Group
Policy
Certs
vRealize Operations for Horizon ndash (Monitoring amp Mgt)
Identifying the Problem Domain
ABV1592BE CONFIDENTIAL 28
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon Connectivity Issues
bull Common challenges
ndash Horizon Client canrsquot connect
ndash Logon failure
ndash Black screen
ndash Poor quality display
ndash Randomly disconnected session
ABV1592BE CONFIDENTIAL 29
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
30
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Blast Extreme Adaptive TransportADMX Template Settings
Computer gt Policies gt Admin Templates gt VMware Blast gt UDP Protocol
bull Requires restart of Blast service or reboot of guest OS to take effect
BlastExtreme
ABV1592BE CONFIDENTIAL 31
VMworld 2017 Content Not fo
r publication or distri
bution
Blast Extreme Adaptive Transport
Client Settings Agent Settings (UDP) Blast Desktop Connection Broker Connection
Excellent Not configured or Enabled TCP TCP
Typical Not configured or Enabled UDP TCP
Poor Not configured or Enabled UDP UDP
Computer gt Policies gt Admin Templates gt VMware Blast gt UDP Protocol ndash Not Configured or Enabled
HKLMSOFTWAREPoliciesVMware IncVMware BlastConfig ndash UdpEnabled = 1
Client Settings Agent Settings (UDP) Blast Desktop Connection Broker Connection
Excellent Disabled TCP TCP
Typical Disabled TCP TCP
Poor Disabled TCP UDP
Computer gt Policies gt Admin Templates gt VMware Blast gt UDP Protocol ndash Disabled
HKLMSOFTWAREPoliciesVMware IncVMware BlastConfig ndash UdpEnabled = 0
BlastExtreme
ABV1592BE CONFIDENTIAL 32
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon Connectivity Issues
bull Where to look
ndash Connection Broker logs
bull CProgramDataVMwareVDMlogs
ndash Event Database
ndash DCT Tool
bull What to look for ndash
bull (Client connects) [SimpleAJPService] (ajpbrokerRequest9) Request from 19216821 POST brokerxml
bull (Broker authentication) [WinAuthFilter] (SESSION7072--a79c mattc) Attempting to authenticate user mattc in domain FUTUREOFFICErsquo
bull (User has authenticated to Broker) [AuthorizationFilter] (SESSION7072--a79c) User FUTUREOFFICEmattc has successfully authenticated to VDM
bull (Audit Entry) [Audit] (SESSION7072--a79c) BROKER_LOGONUSERFUTUREOFFICEmattcUSERSIDS-1-5-21-326850759-2560684469-1780228732-1113USERDNCN=S-1-5-21-326850759-2560684469-1780228732-1113CN=ForeignSecurityPrincipalsDC=vdiDC=vmwareDC=int
bull Event Database BROKER_USERLOGGEDIN
ABV1592BE CONFIDENTIAL 33
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
User Experience Issues
bull Black screen of deathmdashinstead of desktop
ndash PCoIP port blocked (TCP and UDP 4172) or SVGA Driver issue
ndash pcoip_serverclient logs - CUsersAll UsersVMwareVDMlogs
bull Error attaching to SVGADevTap error 4000 EscapeFailed
bull MGMT_SCHAN scnet_client_open tera_sock_connect returned error 10060 - Connection timed out
ndash Incorrect PCoIP External URL configured for SecurityConnection Servers
ABV1592BE CONFIDENTIAL 34
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
User Experience Issues
bull Poor quality display
ndash Bandwidth latency or QoS
ndash Pcoip_server logs report
bull VGMAC Stat frms Loss=045021 (RT)
bull MGMT_PCOIP_DATA BW Decrease (loss) old = 2349982 new = 1768438
bull Randomly disconnected session
ndash 15 min after established - wssm process hasnt started on desktop
ndash View Agent logs (ltDriveLettergtProgramDataVMwareVDMlogs)
ndash PENDING_EXPIRED
ndash Sometimes caused by daisy-chaining the GINA (WinXP)
ABV1592BE CONFIDENTIAL 35
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Multi-VLAN support for Instant Clone pools
36
Tips to Avoid Deployment Issues
Support
bull vSphere 2016
bull ESXi 60 U1 or newer
bull Virtual Distributed Switch only
ndash No support for Standard Switch
bull Port Group must be configured for Static Port Binding amp Fixed Port Allocation
ndash No support for Dynamic or Ephemeral
Tested Limits
bull No multi-VLAN provisioning with IPv6
bull Single IC pool of 2K VMs
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Multi-VLAN with Horizon Instant Clones
37
Troubleshooting
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Performance
bull Common Issues
ndash Storage IO bottleneck
ndash Memory contention
ndash CPU contention
ndash Network issues
bull Where to look
ndash vCenter Server
ndash VCOPs
ndash ESXTOP
ndash 3rd Party Tools
ABV1592BE CONFIDENTIAL 38
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
The 3 Pillars of Performance
What to look for
bull CPU
ndash ClusterHost utilization lt 90
ndash VM utilization - USED (ESXTOP)
ndash VM RDY Time (ESXTOP) lt 10
bull Memory
ndash Host utilization lt 85
ndash VM utilization
ndash Swapping Ballooning SWCUR gt 1 MCTLSZ gt 1 (ESXTOP)
bull Storage
ndash Disk Read Latency lt 25ms
ndash ESXTOP DAVG or KAVG lt 25ms (ESXTOP)
ABV1592BE CONFIDENTIAL 39
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Optimize Your Images
bull httpslabsvmwarecomflingsvmware-os-optimization-tool
ABV1592BE CONFIDENTIAL 40
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
User Environment ManagerCommon Issues
41
VMworld 2017 Content Not fo
r publication or distri
bution
FlexEngine Appears Not To Run
FlexEngine Client
bull Requires use of Regeditexeor Regexe to modify user-based registry keys
bull Must not be disabled via Local or Group Policy
ADMX Settings
bull Minimum settings to enable FlexEngine Client
bull Check path
ABV1592BE CONFIDENTIAL 42
VMworld 2017 Content Not fo
r publication or distri
bution
Path-Based Import Runs Slow
43
bull Be careful not to run FlexEngine as a logon script and a Group Policy client-side extension
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Application Incompatibility with Hook Drivers
44
User Environment Manager
DirectFlex Blacklist
bull Create ltFlexRepositorygtDirectFlexBlackListXML
bull Populate as follows
ltxml version=10 encoding=utf-8gt
ltuserEnvironmentSettingsgt
ltsetting type=blacklist list=rdquo1exe|2exe|3exe gt
ltuserEnvironmentSettingsgt
bull Example httpskbvmwarecomkb2145287
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
App VolumesCommon Issues
45
VMworld 2017 Content Not fo
r publication or distri
bution
Slow User Logon
46
bull Check Logon Segments in Horizon to determine where the delay is
bull Optimize clockyml
ndash If performance decreases as deployment scales
ndash Increasing servers workers and thread_poolrequires additional CPU and RAM
ndash Involve GSS to ensure optimal settings
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
AppStack Not Attaching at Logon
47
bull One host in vSphere cluster does not have access to the shared datastore where the AppStack resides
ndash Common oversight especially with Storage Groups
bull Conflicting Minifilter driver
ndash DLP software
ndash Be aware of app altitude
ndash More info from Microsoft
bull httpbitly2tSCdG5
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
ADSI Edit ndash Static Configuration Editing
50
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
ADSI Edit ndash Common Key Values to Inspect
bull pae-DisplayName
ndash VM name as displayed in View Admin
bull pae-DirtyForNewSessions
ndash Indicates whether the VM is ldquoDirtyrdquo and can be re-used in a non-persistent pool
bull pae-SVIVMSnapshot
ndash Indicates the current Snapshot that is in use
bull pae-VmPath
ndash Indicates the full Path to the VM in vCenter
bull pae-VmState
ndash Indicates the current state of the Desktop ndash some states are a combination of this valueand other values
51
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
ADSI Edit ndash Searching for a Desktop
bull Find VMs with a Snapshot
ndash (amp(objectClass=pae-VM)(pae-SVIVmSnapshot=BaselineSnapshot1Snapshot2))
bull Find VMs with a Name
ndash (amp(objectClass=pae-VM)(pae-DisplayName=Desktop-234))
ABV1592BE CONFIDENTIAL 52
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon View Event Notifier
bull On the VMware Fling site - labsvmwarecomflings (chrishalstead)
ABV1592BE CONFIDENTIAL 53
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
What to look forhellip (walk through successful connection)
bull Client requests desktop
ndash Event Database BROKER_DESKTOP_REQUEST
bull Broker allocates session to user
ndash [FarmImp] (SESSION7072--a79c) cn=3f974017-409f-4912-83bc-2ee794f22fabou=serversdc=vdidc=vmwaredc=int total session count 0
ndash [FarmImp] (SESSION7072--a79c) allocateNewSession - identified server for application CN=GOLD-NPOU=ApplicationsDC=vdiDC=vmwareDC=int
ndash Event Database BROKER_MACHINE_ALLOCATED
bull Broker attempts SSO
ndash [FarmImp] (SESSION7072--a79c) Using domain for SSO FUTUREOFFICE
ndash User wonrsquot be logged on to the VM without this
ABV1592BE CONFIDENTIAL 54
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
What to look forhellip Pool Provisioning
bull Desktops not available due to provisioning error
ndash Check View Administrator for Pool status check datastore capacity
ndash Check Event Database - BROKER_PROVISIONING_ERROR_
ndash Check View Composer has network access to ESX hosts
bull Desktop not available due to customization
ndash Check Desktop status ndash AGENT UNAVAILABLE
ndash Check View Dashboard
bull Desktop Status gt Preparing Desktops OR Problem Desktops
ndash Check Desktop connectivity to DNSADConnection Server
ABV1592BE CONFIDENTIAL 55
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
bull Desktop not available due to VM resetcrash
ndash Check Desktop status ndash ALREADY USED
ndash Typical on refresh-on-logoff or delete-on-use desktops
ndash Broker never received an explicit logout message from the agent
ndash Missing AGENT_ENDED event in DB for VM
bull View Composer Issues associated with incorrect domain credentials
bull CProgramDataVMwareView ComposerLogs
bull FATAL CSvmGaService - [svmGaServicecpp 116] Domain join failed Error 5 (0x5) Access is denied
ABV1592BE CONFIDENTIAL 56
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
What to look forhellip
bull Broker starts session on VM
ndash [DesktopSessionImp] (SESSION7072--a79c) startSession ndashsending StartSession message
bull Agent respondshellip
ndash DesktopManager got a StartSession messagerdquo
ndash Client Info should be in Agent Log along with PCoIP launch
bull Event Database AGENT_PENDING
bull Client connects to VM (Agent)
ndash ldquoPCoIPCnxOnConnectionComplete Begin (PCOIP)rdquo
ndash ldquoWTS_SESSION_LOGONrdquo
ndash Event Database AGENT_CONNECTED
ABV1592BE CONFIDENTIAL 57
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Source Not Available
58
Common Issues
bull No Desktop Available
bull Pool provisioning issues ndashcustomization
bull Agent not communicatingwith broker
bull Stuck at desktop loginscreen (SSO)
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Source Not Available
59
Where to look
bull Event Database
bull Connection Server logs
What to look for
[SessionLaunchContext] (SESSION40a7__6cbd) VMWEUCbsimpson Desktop=vmworld Session request failed
(SESSION40a7__6cbd) [VMWEUCbsimpson Desktop=vmworld] (5ms) The following servers were blocked for new sessions [cn=5162cf76-8d8a-4ac0-9185-845a540d24e5ou=serversdc=vdidc=vmwaredc=int]
(SESSION40a7__6cbd) [VMWEUCbsimpson Desktop=vmworld] (5ms) Application launch failed exception was The desktop sources for this desktop are not responding Please try again later
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and vCenter Server Connection
Accept vCenter Certificate
By default certificate validation is required between App Volumes Manager and vSphere
Accept vCenter cert (self-signed or CA-signed) while creating the Machine Manager in App Volumes Manager
No custom certificate work required
App Volumes
ABV1592BE CONFIDENTIAL 60
VMworld 2017 Content Not fo
r publication or distri
bution
Certificate Options for ProductionEnable Certificate Validation on the App Volumes Agent
HKLMSystemCurrentControlSetServicessvservicesParametersbull EnforceSSLCertificateValidation = 1bull SSL = 1
Options to Enable SSL
SSL is enabled by default
Donrsquot disable certificate validation during Agent installation
Enable SSL in the registry after App Volumes Agent install
App Volumes
61
VMworld 2017 Content Not fo
r publication or distri
bution
Certificate Options for a POCDisable SSL Certificate Validation on the Agent
HKLMSystemCurrentControlSetServicessvservicesParametersbull EnforceSSLCertificateValidation = 0
Options to Disable SSL
Disable Certificate Validation with App Volumes Manager during App Volumes Agent install
EnforceSSLCertificateValidation in the registry after App Volumes Agent install
App Volumes
62
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and SQL Server CommunicationSecuring Communications Between App Volumes Manager and SQL Server
bull 212 User Guide references MS Support
bull Note the differences for a SQL Server clustered installation
bull Encryption is configured on the SQL Server instance so alldatabases on a shared SQL Server will be affected
bull From the SQL Server use SQL Server Configuration Manager to configure Force Encryption and specify the SQL certificate
SQL Server service account must have Read permissions to the Private Key of the SQL Server SSL certificate
ndash Check SQL Server Configuration Manager gt SQL Server Services gt SQL Server (SQL) gt Log On
ndash Default is NT ServiceMSSQL$SQL which does not have the necessary permissions
App Volumes
ABV1592BE CONFIDENTIAL 63
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and SQL Server CommunicationSetting Custom Private Key Permissions for SQL Service Account
bull Start on the SQL Server
bull MMC gt Certificates
App Volumes
ABV1592BE CONFIDENTIAL 64
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and Load Balancers
Typical Deployment
SSL is terminated at load balancer
HTTP between LB and AV Manager
SSL between AV Agents and LB
If trusted CA-signed cert is used for LB be
sure all agents trust the CA
App Volumes Agent VMs
Load Balancer
App Volumes Manager VMs
Alternative Deployment
To keep SSL between LB and AV
Manager signed AV Manager
certificate(s) should be added to trust list
of the LB
SQLView Infrastructure
Now Secured with SSL
Certificates
App Volumes
ABV1592BE CONFIDENTIAL 65
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon Helpdesk Tool
25
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon Helpdesk Tool Session Details
26
Access
bull Installed by default on CS
bull https[CS FQDN]helpdesk
bull Launch from Horizon Console
Provides
bull Metrics
bull Send Message
bull Remote Assistance
bull Quick Resolution
bull Restart
bull Logoff
bull Reset
bull Disconnect
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon Helpdesk Tool
27
Measuring Impact of AppStacks
No AppStacks
Three AppStacks ndash VLC Notepad++ 7-Zip
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Pool
Profile
Service AppsUser
Remoting
ProtocolUser Environment
Manager
File SharesPersona
ThinApp SharesStreamed
Apps
Master VMInstant
Clone
Home File SharesFolder
Redirection
App Volumes
AppStacks
Writable Volume
Disk
Attachments
vSphere
Virtual SAN
Instant Clone
SaaS Mobile Other Apps
Client(s)
Identity Manager
HTML
APPS
En
viro
nm
en
t
AD
DNS
DHCP
Group
Policy
Certs
vRealize Operations for Horizon ndash (Monitoring amp Mgt)
Identifying the Problem Domain
ABV1592BE CONFIDENTIAL 28
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon Connectivity Issues
bull Common challenges
ndash Horizon Client canrsquot connect
ndash Logon failure
ndash Black screen
ndash Poor quality display
ndash Randomly disconnected session
ABV1592BE CONFIDENTIAL 29
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
30
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Blast Extreme Adaptive TransportADMX Template Settings
Computer gt Policies gt Admin Templates gt VMware Blast gt UDP Protocol
bull Requires restart of Blast service or reboot of guest OS to take effect
BlastExtreme
ABV1592BE CONFIDENTIAL 31
VMworld 2017 Content Not fo
r publication or distri
bution
Blast Extreme Adaptive Transport
Client Settings Agent Settings (UDP) Blast Desktop Connection Broker Connection
Excellent Not configured or Enabled TCP TCP
Typical Not configured or Enabled UDP TCP
Poor Not configured or Enabled UDP UDP
Computer gt Policies gt Admin Templates gt VMware Blast gt UDP Protocol ndash Not Configured or Enabled
HKLMSOFTWAREPoliciesVMware IncVMware BlastConfig ndash UdpEnabled = 1
Client Settings Agent Settings (UDP) Blast Desktop Connection Broker Connection
Excellent Disabled TCP TCP
Typical Disabled TCP TCP
Poor Disabled TCP UDP
Computer gt Policies gt Admin Templates gt VMware Blast gt UDP Protocol ndash Disabled
HKLMSOFTWAREPoliciesVMware IncVMware BlastConfig ndash UdpEnabled = 0
BlastExtreme
ABV1592BE CONFIDENTIAL 32
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon Connectivity Issues
bull Where to look
ndash Connection Broker logs
bull CProgramDataVMwareVDMlogs
ndash Event Database
ndash DCT Tool
bull What to look for ndash
bull (Client connects) [SimpleAJPService] (ajpbrokerRequest9) Request from 19216821 POST brokerxml
bull (Broker authentication) [WinAuthFilter] (SESSION7072--a79c mattc) Attempting to authenticate user mattc in domain FUTUREOFFICErsquo
bull (User has authenticated to Broker) [AuthorizationFilter] (SESSION7072--a79c) User FUTUREOFFICEmattc has successfully authenticated to VDM
bull (Audit Entry) [Audit] (SESSION7072--a79c) BROKER_LOGONUSERFUTUREOFFICEmattcUSERSIDS-1-5-21-326850759-2560684469-1780228732-1113USERDNCN=S-1-5-21-326850759-2560684469-1780228732-1113CN=ForeignSecurityPrincipalsDC=vdiDC=vmwareDC=int
bull Event Database BROKER_USERLOGGEDIN
ABV1592BE CONFIDENTIAL 33
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
User Experience Issues
bull Black screen of deathmdashinstead of desktop
ndash PCoIP port blocked (TCP and UDP 4172) or SVGA Driver issue
ndash pcoip_serverclient logs - CUsersAll UsersVMwareVDMlogs
bull Error attaching to SVGADevTap error 4000 EscapeFailed
bull MGMT_SCHAN scnet_client_open tera_sock_connect returned error 10060 - Connection timed out
ndash Incorrect PCoIP External URL configured for SecurityConnection Servers
ABV1592BE CONFIDENTIAL 34
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
User Experience Issues
bull Poor quality display
ndash Bandwidth latency or QoS
ndash Pcoip_server logs report
bull VGMAC Stat frms Loss=045021 (RT)
bull MGMT_PCOIP_DATA BW Decrease (loss) old = 2349982 new = 1768438
bull Randomly disconnected session
ndash 15 min after established - wssm process hasnt started on desktop
ndash View Agent logs (ltDriveLettergtProgramDataVMwareVDMlogs)
ndash PENDING_EXPIRED
ndash Sometimes caused by daisy-chaining the GINA (WinXP)
ABV1592BE CONFIDENTIAL 35
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Multi-VLAN support for Instant Clone pools
36
Tips to Avoid Deployment Issues
Support
bull vSphere 2016
bull ESXi 60 U1 or newer
bull Virtual Distributed Switch only
ndash No support for Standard Switch
bull Port Group must be configured for Static Port Binding amp Fixed Port Allocation
ndash No support for Dynamic or Ephemeral
Tested Limits
bull No multi-VLAN provisioning with IPv6
bull Single IC pool of 2K VMs
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Multi-VLAN with Horizon Instant Clones
37
Troubleshooting
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Performance
bull Common Issues
ndash Storage IO bottleneck
ndash Memory contention
ndash CPU contention
ndash Network issues
bull Where to look
ndash vCenter Server
ndash VCOPs
ndash ESXTOP
ndash 3rd Party Tools
ABV1592BE CONFIDENTIAL 38
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
The 3 Pillars of Performance
What to look for
bull CPU
ndash ClusterHost utilization lt 90
ndash VM utilization - USED (ESXTOP)
ndash VM RDY Time (ESXTOP) lt 10
bull Memory
ndash Host utilization lt 85
ndash VM utilization
ndash Swapping Ballooning SWCUR gt 1 MCTLSZ gt 1 (ESXTOP)
bull Storage
ndash Disk Read Latency lt 25ms
ndash ESXTOP DAVG or KAVG lt 25ms (ESXTOP)
ABV1592BE CONFIDENTIAL 39
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Optimize Your Images
bull httpslabsvmwarecomflingsvmware-os-optimization-tool
ABV1592BE CONFIDENTIAL 40
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
User Environment ManagerCommon Issues
41
VMworld 2017 Content Not fo
r publication or distri
bution
FlexEngine Appears Not To Run
FlexEngine Client
bull Requires use of Regeditexeor Regexe to modify user-based registry keys
bull Must not be disabled via Local or Group Policy
ADMX Settings
bull Minimum settings to enable FlexEngine Client
bull Check path
ABV1592BE CONFIDENTIAL 42
VMworld 2017 Content Not fo
r publication or distri
bution
Path-Based Import Runs Slow
43
bull Be careful not to run FlexEngine as a logon script and a Group Policy client-side extension
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Application Incompatibility with Hook Drivers
44
User Environment Manager
DirectFlex Blacklist
bull Create ltFlexRepositorygtDirectFlexBlackListXML
bull Populate as follows
ltxml version=10 encoding=utf-8gt
ltuserEnvironmentSettingsgt
ltsetting type=blacklist list=rdquo1exe|2exe|3exe gt
ltuserEnvironmentSettingsgt
bull Example httpskbvmwarecomkb2145287
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
App VolumesCommon Issues
45
VMworld 2017 Content Not fo
r publication or distri
bution
Slow User Logon
46
bull Check Logon Segments in Horizon to determine where the delay is
bull Optimize clockyml
ndash If performance decreases as deployment scales
ndash Increasing servers workers and thread_poolrequires additional CPU and RAM
ndash Involve GSS to ensure optimal settings
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
AppStack Not Attaching at Logon
47
bull One host in vSphere cluster does not have access to the shared datastore where the AppStack resides
ndash Common oversight especially with Storage Groups
bull Conflicting Minifilter driver
ndash DLP software
ndash Be aware of app altitude
ndash More info from Microsoft
bull httpbitly2tSCdG5
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
ADSI Edit ndash Static Configuration Editing
50
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
ADSI Edit ndash Common Key Values to Inspect
bull pae-DisplayName
ndash VM name as displayed in View Admin
bull pae-DirtyForNewSessions
ndash Indicates whether the VM is ldquoDirtyrdquo and can be re-used in a non-persistent pool
bull pae-SVIVMSnapshot
ndash Indicates the current Snapshot that is in use
bull pae-VmPath
ndash Indicates the full Path to the VM in vCenter
bull pae-VmState
ndash Indicates the current state of the Desktop ndash some states are a combination of this valueand other values
51
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
ADSI Edit ndash Searching for a Desktop
bull Find VMs with a Snapshot
ndash (amp(objectClass=pae-VM)(pae-SVIVmSnapshot=BaselineSnapshot1Snapshot2))
bull Find VMs with a Name
ndash (amp(objectClass=pae-VM)(pae-DisplayName=Desktop-234))
ABV1592BE CONFIDENTIAL 52
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon View Event Notifier
bull On the VMware Fling site - labsvmwarecomflings (chrishalstead)
ABV1592BE CONFIDENTIAL 53
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
What to look forhellip (walk through successful connection)
bull Client requests desktop
ndash Event Database BROKER_DESKTOP_REQUEST
bull Broker allocates session to user
ndash [FarmImp] (SESSION7072--a79c) cn=3f974017-409f-4912-83bc-2ee794f22fabou=serversdc=vdidc=vmwaredc=int total session count 0
ndash [FarmImp] (SESSION7072--a79c) allocateNewSession - identified server for application CN=GOLD-NPOU=ApplicationsDC=vdiDC=vmwareDC=int
ndash Event Database BROKER_MACHINE_ALLOCATED
bull Broker attempts SSO
ndash [FarmImp] (SESSION7072--a79c) Using domain for SSO FUTUREOFFICE
ndash User wonrsquot be logged on to the VM without this
ABV1592BE CONFIDENTIAL 54
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
What to look forhellip Pool Provisioning
bull Desktops not available due to provisioning error
ndash Check View Administrator for Pool status check datastore capacity
ndash Check Event Database - BROKER_PROVISIONING_ERROR_
ndash Check View Composer has network access to ESX hosts
bull Desktop not available due to customization
ndash Check Desktop status ndash AGENT UNAVAILABLE
ndash Check View Dashboard
bull Desktop Status gt Preparing Desktops OR Problem Desktops
ndash Check Desktop connectivity to DNSADConnection Server
ABV1592BE CONFIDENTIAL 55
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
bull Desktop not available due to VM resetcrash
ndash Check Desktop status ndash ALREADY USED
ndash Typical on refresh-on-logoff or delete-on-use desktops
ndash Broker never received an explicit logout message from the agent
ndash Missing AGENT_ENDED event in DB for VM
bull View Composer Issues associated with incorrect domain credentials
bull CProgramDataVMwareView ComposerLogs
bull FATAL CSvmGaService - [svmGaServicecpp 116] Domain join failed Error 5 (0x5) Access is denied
ABV1592BE CONFIDENTIAL 56
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
What to look forhellip
bull Broker starts session on VM
ndash [DesktopSessionImp] (SESSION7072--a79c) startSession ndashsending StartSession message
bull Agent respondshellip
ndash DesktopManager got a StartSession messagerdquo
ndash Client Info should be in Agent Log along with PCoIP launch
bull Event Database AGENT_PENDING
bull Client connects to VM (Agent)
ndash ldquoPCoIPCnxOnConnectionComplete Begin (PCOIP)rdquo
ndash ldquoWTS_SESSION_LOGONrdquo
ndash Event Database AGENT_CONNECTED
ABV1592BE CONFIDENTIAL 57
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Source Not Available
58
Common Issues
bull No Desktop Available
bull Pool provisioning issues ndashcustomization
bull Agent not communicatingwith broker
bull Stuck at desktop loginscreen (SSO)
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Source Not Available
59
Where to look
bull Event Database
bull Connection Server logs
What to look for
[SessionLaunchContext] (SESSION40a7__6cbd) VMWEUCbsimpson Desktop=vmworld Session request failed
(SESSION40a7__6cbd) [VMWEUCbsimpson Desktop=vmworld] (5ms) The following servers were blocked for new sessions [cn=5162cf76-8d8a-4ac0-9185-845a540d24e5ou=serversdc=vdidc=vmwaredc=int]
(SESSION40a7__6cbd) [VMWEUCbsimpson Desktop=vmworld] (5ms) Application launch failed exception was The desktop sources for this desktop are not responding Please try again later
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and vCenter Server Connection
Accept vCenter Certificate
By default certificate validation is required between App Volumes Manager and vSphere
Accept vCenter cert (self-signed or CA-signed) while creating the Machine Manager in App Volumes Manager
No custom certificate work required
App Volumes
ABV1592BE CONFIDENTIAL 60
VMworld 2017 Content Not fo
r publication or distri
bution
Certificate Options for ProductionEnable Certificate Validation on the App Volumes Agent
HKLMSystemCurrentControlSetServicessvservicesParametersbull EnforceSSLCertificateValidation = 1bull SSL = 1
Options to Enable SSL
SSL is enabled by default
Donrsquot disable certificate validation during Agent installation
Enable SSL in the registry after App Volumes Agent install
App Volumes
61
VMworld 2017 Content Not fo
r publication or distri
bution
Certificate Options for a POCDisable SSL Certificate Validation on the Agent
HKLMSystemCurrentControlSetServicessvservicesParametersbull EnforceSSLCertificateValidation = 0
Options to Disable SSL
Disable Certificate Validation with App Volumes Manager during App Volumes Agent install
EnforceSSLCertificateValidation in the registry after App Volumes Agent install
App Volumes
62
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and SQL Server CommunicationSecuring Communications Between App Volumes Manager and SQL Server
bull 212 User Guide references MS Support
bull Note the differences for a SQL Server clustered installation
bull Encryption is configured on the SQL Server instance so alldatabases on a shared SQL Server will be affected
bull From the SQL Server use SQL Server Configuration Manager to configure Force Encryption and specify the SQL certificate
SQL Server service account must have Read permissions to the Private Key of the SQL Server SSL certificate
ndash Check SQL Server Configuration Manager gt SQL Server Services gt SQL Server (SQL) gt Log On
ndash Default is NT ServiceMSSQL$SQL which does not have the necessary permissions
App Volumes
ABV1592BE CONFIDENTIAL 63
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and SQL Server CommunicationSetting Custom Private Key Permissions for SQL Service Account
bull Start on the SQL Server
bull MMC gt Certificates
App Volumes
ABV1592BE CONFIDENTIAL 64
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and Load Balancers
Typical Deployment
SSL is terminated at load balancer
HTTP between LB and AV Manager
SSL between AV Agents and LB
If trusted CA-signed cert is used for LB be
sure all agents trust the CA
App Volumes Agent VMs
Load Balancer
App Volumes Manager VMs
Alternative Deployment
To keep SSL between LB and AV
Manager signed AV Manager
certificate(s) should be added to trust list
of the LB
SQLView Infrastructure
Now Secured with SSL
Certificates
App Volumes
ABV1592BE CONFIDENTIAL 65
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon Helpdesk Tool Session Details
26
Access
bull Installed by default on CS
bull https[CS FQDN]helpdesk
bull Launch from Horizon Console
Provides
bull Metrics
bull Send Message
bull Remote Assistance
bull Quick Resolution
bull Restart
bull Logoff
bull Reset
bull Disconnect
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon Helpdesk Tool
27
Measuring Impact of AppStacks
No AppStacks
Three AppStacks ndash VLC Notepad++ 7-Zip
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Pool
Profile
Service AppsUser
Remoting
ProtocolUser Environment
Manager
File SharesPersona
ThinApp SharesStreamed
Apps
Master VMInstant
Clone
Home File SharesFolder
Redirection
App Volumes
AppStacks
Writable Volume
Disk
Attachments
vSphere
Virtual SAN
Instant Clone
SaaS Mobile Other Apps
Client(s)
Identity Manager
HTML
APPS
En
viro
nm
en
t
AD
DNS
DHCP
Group
Policy
Certs
vRealize Operations for Horizon ndash (Monitoring amp Mgt)
Identifying the Problem Domain
ABV1592BE CONFIDENTIAL 28
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon Connectivity Issues
bull Common challenges
ndash Horizon Client canrsquot connect
ndash Logon failure
ndash Black screen
ndash Poor quality display
ndash Randomly disconnected session
ABV1592BE CONFIDENTIAL 29
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
30
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Blast Extreme Adaptive TransportADMX Template Settings
Computer gt Policies gt Admin Templates gt VMware Blast gt UDP Protocol
bull Requires restart of Blast service or reboot of guest OS to take effect
BlastExtreme
ABV1592BE CONFIDENTIAL 31
VMworld 2017 Content Not fo
r publication or distri
bution
Blast Extreme Adaptive Transport
Client Settings Agent Settings (UDP) Blast Desktop Connection Broker Connection
Excellent Not configured or Enabled TCP TCP
Typical Not configured or Enabled UDP TCP
Poor Not configured or Enabled UDP UDP
Computer gt Policies gt Admin Templates gt VMware Blast gt UDP Protocol ndash Not Configured or Enabled
HKLMSOFTWAREPoliciesVMware IncVMware BlastConfig ndash UdpEnabled = 1
Client Settings Agent Settings (UDP) Blast Desktop Connection Broker Connection
Excellent Disabled TCP TCP
Typical Disabled TCP TCP
Poor Disabled TCP UDP
Computer gt Policies gt Admin Templates gt VMware Blast gt UDP Protocol ndash Disabled
HKLMSOFTWAREPoliciesVMware IncVMware BlastConfig ndash UdpEnabled = 0
BlastExtreme
ABV1592BE CONFIDENTIAL 32
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon Connectivity Issues
bull Where to look
ndash Connection Broker logs
bull CProgramDataVMwareVDMlogs
ndash Event Database
ndash DCT Tool
bull What to look for ndash
bull (Client connects) [SimpleAJPService] (ajpbrokerRequest9) Request from 19216821 POST brokerxml
bull (Broker authentication) [WinAuthFilter] (SESSION7072--a79c mattc) Attempting to authenticate user mattc in domain FUTUREOFFICErsquo
bull (User has authenticated to Broker) [AuthorizationFilter] (SESSION7072--a79c) User FUTUREOFFICEmattc has successfully authenticated to VDM
bull (Audit Entry) [Audit] (SESSION7072--a79c) BROKER_LOGONUSERFUTUREOFFICEmattcUSERSIDS-1-5-21-326850759-2560684469-1780228732-1113USERDNCN=S-1-5-21-326850759-2560684469-1780228732-1113CN=ForeignSecurityPrincipalsDC=vdiDC=vmwareDC=int
bull Event Database BROKER_USERLOGGEDIN
ABV1592BE CONFIDENTIAL 33
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
User Experience Issues
bull Black screen of deathmdashinstead of desktop
ndash PCoIP port blocked (TCP and UDP 4172) or SVGA Driver issue
ndash pcoip_serverclient logs - CUsersAll UsersVMwareVDMlogs
bull Error attaching to SVGADevTap error 4000 EscapeFailed
bull MGMT_SCHAN scnet_client_open tera_sock_connect returned error 10060 - Connection timed out
ndash Incorrect PCoIP External URL configured for SecurityConnection Servers
ABV1592BE CONFIDENTIAL 34
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
User Experience Issues
bull Poor quality display
ndash Bandwidth latency or QoS
ndash Pcoip_server logs report
bull VGMAC Stat frms Loss=045021 (RT)
bull MGMT_PCOIP_DATA BW Decrease (loss) old = 2349982 new = 1768438
bull Randomly disconnected session
ndash 15 min after established - wssm process hasnt started on desktop
ndash View Agent logs (ltDriveLettergtProgramDataVMwareVDMlogs)
ndash PENDING_EXPIRED
ndash Sometimes caused by daisy-chaining the GINA (WinXP)
ABV1592BE CONFIDENTIAL 35
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Multi-VLAN support for Instant Clone pools
36
Tips to Avoid Deployment Issues
Support
bull vSphere 2016
bull ESXi 60 U1 or newer
bull Virtual Distributed Switch only
ndash No support for Standard Switch
bull Port Group must be configured for Static Port Binding amp Fixed Port Allocation
ndash No support for Dynamic or Ephemeral
Tested Limits
bull No multi-VLAN provisioning with IPv6
bull Single IC pool of 2K VMs
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Multi-VLAN with Horizon Instant Clones
37
Troubleshooting
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Performance
bull Common Issues
ndash Storage IO bottleneck
ndash Memory contention
ndash CPU contention
ndash Network issues
bull Where to look
ndash vCenter Server
ndash VCOPs
ndash ESXTOP
ndash 3rd Party Tools
ABV1592BE CONFIDENTIAL 38
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
The 3 Pillars of Performance
What to look for
bull CPU
ndash ClusterHost utilization lt 90
ndash VM utilization - USED (ESXTOP)
ndash VM RDY Time (ESXTOP) lt 10
bull Memory
ndash Host utilization lt 85
ndash VM utilization
ndash Swapping Ballooning SWCUR gt 1 MCTLSZ gt 1 (ESXTOP)
bull Storage
ndash Disk Read Latency lt 25ms
ndash ESXTOP DAVG or KAVG lt 25ms (ESXTOP)
ABV1592BE CONFIDENTIAL 39
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Optimize Your Images
bull httpslabsvmwarecomflingsvmware-os-optimization-tool
ABV1592BE CONFIDENTIAL 40
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
User Environment ManagerCommon Issues
41
VMworld 2017 Content Not fo
r publication or distri
bution
FlexEngine Appears Not To Run
FlexEngine Client
bull Requires use of Regeditexeor Regexe to modify user-based registry keys
bull Must not be disabled via Local or Group Policy
ADMX Settings
bull Minimum settings to enable FlexEngine Client
bull Check path
ABV1592BE CONFIDENTIAL 42
VMworld 2017 Content Not fo
r publication or distri
bution
Path-Based Import Runs Slow
43
bull Be careful not to run FlexEngine as a logon script and a Group Policy client-side extension
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Application Incompatibility with Hook Drivers
44
User Environment Manager
DirectFlex Blacklist
bull Create ltFlexRepositorygtDirectFlexBlackListXML
bull Populate as follows
ltxml version=10 encoding=utf-8gt
ltuserEnvironmentSettingsgt
ltsetting type=blacklist list=rdquo1exe|2exe|3exe gt
ltuserEnvironmentSettingsgt
bull Example httpskbvmwarecomkb2145287
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
App VolumesCommon Issues
45
VMworld 2017 Content Not fo
r publication or distri
bution
Slow User Logon
46
bull Check Logon Segments in Horizon to determine where the delay is
bull Optimize clockyml
ndash If performance decreases as deployment scales
ndash Increasing servers workers and thread_poolrequires additional CPU and RAM
ndash Involve GSS to ensure optimal settings
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
AppStack Not Attaching at Logon
47
bull One host in vSphere cluster does not have access to the shared datastore where the AppStack resides
ndash Common oversight especially with Storage Groups
bull Conflicting Minifilter driver
ndash DLP software
ndash Be aware of app altitude
ndash More info from Microsoft
bull httpbitly2tSCdG5
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
ADSI Edit ndash Static Configuration Editing
50
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
ADSI Edit ndash Common Key Values to Inspect
bull pae-DisplayName
ndash VM name as displayed in View Admin
bull pae-DirtyForNewSessions
ndash Indicates whether the VM is ldquoDirtyrdquo and can be re-used in a non-persistent pool
bull pae-SVIVMSnapshot
ndash Indicates the current Snapshot that is in use
bull pae-VmPath
ndash Indicates the full Path to the VM in vCenter
bull pae-VmState
ndash Indicates the current state of the Desktop ndash some states are a combination of this valueand other values
51
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
ADSI Edit ndash Searching for a Desktop
bull Find VMs with a Snapshot
ndash (amp(objectClass=pae-VM)(pae-SVIVmSnapshot=BaselineSnapshot1Snapshot2))
bull Find VMs with a Name
ndash (amp(objectClass=pae-VM)(pae-DisplayName=Desktop-234))
ABV1592BE CONFIDENTIAL 52
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon View Event Notifier
bull On the VMware Fling site - labsvmwarecomflings (chrishalstead)
ABV1592BE CONFIDENTIAL 53
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
What to look forhellip (walk through successful connection)
bull Client requests desktop
ndash Event Database BROKER_DESKTOP_REQUEST
bull Broker allocates session to user
ndash [FarmImp] (SESSION7072--a79c) cn=3f974017-409f-4912-83bc-2ee794f22fabou=serversdc=vdidc=vmwaredc=int total session count 0
ndash [FarmImp] (SESSION7072--a79c) allocateNewSession - identified server for application CN=GOLD-NPOU=ApplicationsDC=vdiDC=vmwareDC=int
ndash Event Database BROKER_MACHINE_ALLOCATED
bull Broker attempts SSO
ndash [FarmImp] (SESSION7072--a79c) Using domain for SSO FUTUREOFFICE
ndash User wonrsquot be logged on to the VM without this
ABV1592BE CONFIDENTIAL 54
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
What to look forhellip Pool Provisioning
bull Desktops not available due to provisioning error
ndash Check View Administrator for Pool status check datastore capacity
ndash Check Event Database - BROKER_PROVISIONING_ERROR_
ndash Check View Composer has network access to ESX hosts
bull Desktop not available due to customization
ndash Check Desktop status ndash AGENT UNAVAILABLE
ndash Check View Dashboard
bull Desktop Status gt Preparing Desktops OR Problem Desktops
ndash Check Desktop connectivity to DNSADConnection Server
ABV1592BE CONFIDENTIAL 55
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
bull Desktop not available due to VM resetcrash
ndash Check Desktop status ndash ALREADY USED
ndash Typical on refresh-on-logoff or delete-on-use desktops
ndash Broker never received an explicit logout message from the agent
ndash Missing AGENT_ENDED event in DB for VM
bull View Composer Issues associated with incorrect domain credentials
bull CProgramDataVMwareView ComposerLogs
bull FATAL CSvmGaService - [svmGaServicecpp 116] Domain join failed Error 5 (0x5) Access is denied
ABV1592BE CONFIDENTIAL 56
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
What to look forhellip
bull Broker starts session on VM
ndash [DesktopSessionImp] (SESSION7072--a79c) startSession ndashsending StartSession message
bull Agent respondshellip
ndash DesktopManager got a StartSession messagerdquo
ndash Client Info should be in Agent Log along with PCoIP launch
bull Event Database AGENT_PENDING
bull Client connects to VM (Agent)
ndash ldquoPCoIPCnxOnConnectionComplete Begin (PCOIP)rdquo
ndash ldquoWTS_SESSION_LOGONrdquo
ndash Event Database AGENT_CONNECTED
ABV1592BE CONFIDENTIAL 57
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Source Not Available
58
Common Issues
bull No Desktop Available
bull Pool provisioning issues ndashcustomization
bull Agent not communicatingwith broker
bull Stuck at desktop loginscreen (SSO)
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Source Not Available
59
Where to look
bull Event Database
bull Connection Server logs
What to look for
[SessionLaunchContext] (SESSION40a7__6cbd) VMWEUCbsimpson Desktop=vmworld Session request failed
(SESSION40a7__6cbd) [VMWEUCbsimpson Desktop=vmworld] (5ms) The following servers were blocked for new sessions [cn=5162cf76-8d8a-4ac0-9185-845a540d24e5ou=serversdc=vdidc=vmwaredc=int]
(SESSION40a7__6cbd) [VMWEUCbsimpson Desktop=vmworld] (5ms) Application launch failed exception was The desktop sources for this desktop are not responding Please try again later
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and vCenter Server Connection
Accept vCenter Certificate
By default certificate validation is required between App Volumes Manager and vSphere
Accept vCenter cert (self-signed or CA-signed) while creating the Machine Manager in App Volumes Manager
No custom certificate work required
App Volumes
ABV1592BE CONFIDENTIAL 60
VMworld 2017 Content Not fo
r publication or distri
bution
Certificate Options for ProductionEnable Certificate Validation on the App Volumes Agent
HKLMSystemCurrentControlSetServicessvservicesParametersbull EnforceSSLCertificateValidation = 1bull SSL = 1
Options to Enable SSL
SSL is enabled by default
Donrsquot disable certificate validation during Agent installation
Enable SSL in the registry after App Volumes Agent install
App Volumes
61
VMworld 2017 Content Not fo
r publication or distri
bution
Certificate Options for a POCDisable SSL Certificate Validation on the Agent
HKLMSystemCurrentControlSetServicessvservicesParametersbull EnforceSSLCertificateValidation = 0
Options to Disable SSL
Disable Certificate Validation with App Volumes Manager during App Volumes Agent install
EnforceSSLCertificateValidation in the registry after App Volumes Agent install
App Volumes
62
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and SQL Server CommunicationSecuring Communications Between App Volumes Manager and SQL Server
bull 212 User Guide references MS Support
bull Note the differences for a SQL Server clustered installation
bull Encryption is configured on the SQL Server instance so alldatabases on a shared SQL Server will be affected
bull From the SQL Server use SQL Server Configuration Manager to configure Force Encryption and specify the SQL certificate
SQL Server service account must have Read permissions to the Private Key of the SQL Server SSL certificate
ndash Check SQL Server Configuration Manager gt SQL Server Services gt SQL Server (SQL) gt Log On
ndash Default is NT ServiceMSSQL$SQL which does not have the necessary permissions
App Volumes
ABV1592BE CONFIDENTIAL 63
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and SQL Server CommunicationSetting Custom Private Key Permissions for SQL Service Account
bull Start on the SQL Server
bull MMC gt Certificates
App Volumes
ABV1592BE CONFIDENTIAL 64
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and Load Balancers
Typical Deployment
SSL is terminated at load balancer
HTTP between LB and AV Manager
SSL between AV Agents and LB
If trusted CA-signed cert is used for LB be
sure all agents trust the CA
App Volumes Agent VMs
Load Balancer
App Volumes Manager VMs
Alternative Deployment
To keep SSL between LB and AV
Manager signed AV Manager
certificate(s) should be added to trust list
of the LB
SQLView Infrastructure
Now Secured with SSL
Certificates
App Volumes
ABV1592BE CONFIDENTIAL 65
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon Helpdesk Tool
27
Measuring Impact of AppStacks
No AppStacks
Three AppStacks ndash VLC Notepad++ 7-Zip
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Pool
Profile
Service AppsUser
Remoting
ProtocolUser Environment
Manager
File SharesPersona
ThinApp SharesStreamed
Apps
Master VMInstant
Clone
Home File SharesFolder
Redirection
App Volumes
AppStacks
Writable Volume
Disk
Attachments
vSphere
Virtual SAN
Instant Clone
SaaS Mobile Other Apps
Client(s)
Identity Manager
HTML
APPS
En
viro
nm
en
t
AD
DNS
DHCP
Group
Policy
Certs
vRealize Operations for Horizon ndash (Monitoring amp Mgt)
Identifying the Problem Domain
ABV1592BE CONFIDENTIAL 28
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon Connectivity Issues
bull Common challenges
ndash Horizon Client canrsquot connect
ndash Logon failure
ndash Black screen
ndash Poor quality display
ndash Randomly disconnected session
ABV1592BE CONFIDENTIAL 29
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
30
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Blast Extreme Adaptive TransportADMX Template Settings
Computer gt Policies gt Admin Templates gt VMware Blast gt UDP Protocol
bull Requires restart of Blast service or reboot of guest OS to take effect
BlastExtreme
ABV1592BE CONFIDENTIAL 31
VMworld 2017 Content Not fo
r publication or distri
bution
Blast Extreme Adaptive Transport
Client Settings Agent Settings (UDP) Blast Desktop Connection Broker Connection
Excellent Not configured or Enabled TCP TCP
Typical Not configured or Enabled UDP TCP
Poor Not configured or Enabled UDP UDP
Computer gt Policies gt Admin Templates gt VMware Blast gt UDP Protocol ndash Not Configured or Enabled
HKLMSOFTWAREPoliciesVMware IncVMware BlastConfig ndash UdpEnabled = 1
Client Settings Agent Settings (UDP) Blast Desktop Connection Broker Connection
Excellent Disabled TCP TCP
Typical Disabled TCP TCP
Poor Disabled TCP UDP
Computer gt Policies gt Admin Templates gt VMware Blast gt UDP Protocol ndash Disabled
HKLMSOFTWAREPoliciesVMware IncVMware BlastConfig ndash UdpEnabled = 0
BlastExtreme
ABV1592BE CONFIDENTIAL 32
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon Connectivity Issues
bull Where to look
ndash Connection Broker logs
bull CProgramDataVMwareVDMlogs
ndash Event Database
ndash DCT Tool
bull What to look for ndash
bull (Client connects) [SimpleAJPService] (ajpbrokerRequest9) Request from 19216821 POST brokerxml
bull (Broker authentication) [WinAuthFilter] (SESSION7072--a79c mattc) Attempting to authenticate user mattc in domain FUTUREOFFICErsquo
bull (User has authenticated to Broker) [AuthorizationFilter] (SESSION7072--a79c) User FUTUREOFFICEmattc has successfully authenticated to VDM
bull (Audit Entry) [Audit] (SESSION7072--a79c) BROKER_LOGONUSERFUTUREOFFICEmattcUSERSIDS-1-5-21-326850759-2560684469-1780228732-1113USERDNCN=S-1-5-21-326850759-2560684469-1780228732-1113CN=ForeignSecurityPrincipalsDC=vdiDC=vmwareDC=int
bull Event Database BROKER_USERLOGGEDIN
ABV1592BE CONFIDENTIAL 33
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
User Experience Issues
bull Black screen of deathmdashinstead of desktop
ndash PCoIP port blocked (TCP and UDP 4172) or SVGA Driver issue
ndash pcoip_serverclient logs - CUsersAll UsersVMwareVDMlogs
bull Error attaching to SVGADevTap error 4000 EscapeFailed
bull MGMT_SCHAN scnet_client_open tera_sock_connect returned error 10060 - Connection timed out
ndash Incorrect PCoIP External URL configured for SecurityConnection Servers
ABV1592BE CONFIDENTIAL 34
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
User Experience Issues
bull Poor quality display
ndash Bandwidth latency or QoS
ndash Pcoip_server logs report
bull VGMAC Stat frms Loss=045021 (RT)
bull MGMT_PCOIP_DATA BW Decrease (loss) old = 2349982 new = 1768438
bull Randomly disconnected session
ndash 15 min after established - wssm process hasnt started on desktop
ndash View Agent logs (ltDriveLettergtProgramDataVMwareVDMlogs)
ndash PENDING_EXPIRED
ndash Sometimes caused by daisy-chaining the GINA (WinXP)
ABV1592BE CONFIDENTIAL 35
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Multi-VLAN support for Instant Clone pools
36
Tips to Avoid Deployment Issues
Support
bull vSphere 2016
bull ESXi 60 U1 or newer
bull Virtual Distributed Switch only
ndash No support for Standard Switch
bull Port Group must be configured for Static Port Binding amp Fixed Port Allocation
ndash No support for Dynamic or Ephemeral
Tested Limits
bull No multi-VLAN provisioning with IPv6
bull Single IC pool of 2K VMs
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Multi-VLAN with Horizon Instant Clones
37
Troubleshooting
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Performance
bull Common Issues
ndash Storage IO bottleneck
ndash Memory contention
ndash CPU contention
ndash Network issues
bull Where to look
ndash vCenter Server
ndash VCOPs
ndash ESXTOP
ndash 3rd Party Tools
ABV1592BE CONFIDENTIAL 38
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
The 3 Pillars of Performance
What to look for
bull CPU
ndash ClusterHost utilization lt 90
ndash VM utilization - USED (ESXTOP)
ndash VM RDY Time (ESXTOP) lt 10
bull Memory
ndash Host utilization lt 85
ndash VM utilization
ndash Swapping Ballooning SWCUR gt 1 MCTLSZ gt 1 (ESXTOP)
bull Storage
ndash Disk Read Latency lt 25ms
ndash ESXTOP DAVG or KAVG lt 25ms (ESXTOP)
ABV1592BE CONFIDENTIAL 39
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Optimize Your Images
bull httpslabsvmwarecomflingsvmware-os-optimization-tool
ABV1592BE CONFIDENTIAL 40
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
User Environment ManagerCommon Issues
41
VMworld 2017 Content Not fo
r publication or distri
bution
FlexEngine Appears Not To Run
FlexEngine Client
bull Requires use of Regeditexeor Regexe to modify user-based registry keys
bull Must not be disabled via Local or Group Policy
ADMX Settings
bull Minimum settings to enable FlexEngine Client
bull Check path
ABV1592BE CONFIDENTIAL 42
VMworld 2017 Content Not fo
r publication or distri
bution
Path-Based Import Runs Slow
43
bull Be careful not to run FlexEngine as a logon script and a Group Policy client-side extension
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Application Incompatibility with Hook Drivers
44
User Environment Manager
DirectFlex Blacklist
bull Create ltFlexRepositorygtDirectFlexBlackListXML
bull Populate as follows
ltxml version=10 encoding=utf-8gt
ltuserEnvironmentSettingsgt
ltsetting type=blacklist list=rdquo1exe|2exe|3exe gt
ltuserEnvironmentSettingsgt
bull Example httpskbvmwarecomkb2145287
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
App VolumesCommon Issues
45
VMworld 2017 Content Not fo
r publication or distri
bution
Slow User Logon
46
bull Check Logon Segments in Horizon to determine where the delay is
bull Optimize clockyml
ndash If performance decreases as deployment scales
ndash Increasing servers workers and thread_poolrequires additional CPU and RAM
ndash Involve GSS to ensure optimal settings
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
AppStack Not Attaching at Logon
47
bull One host in vSphere cluster does not have access to the shared datastore where the AppStack resides
ndash Common oversight especially with Storage Groups
bull Conflicting Minifilter driver
ndash DLP software
ndash Be aware of app altitude
ndash More info from Microsoft
bull httpbitly2tSCdG5
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
ADSI Edit ndash Static Configuration Editing
50
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
ADSI Edit ndash Common Key Values to Inspect
bull pae-DisplayName
ndash VM name as displayed in View Admin
bull pae-DirtyForNewSessions
ndash Indicates whether the VM is ldquoDirtyrdquo and can be re-used in a non-persistent pool
bull pae-SVIVMSnapshot
ndash Indicates the current Snapshot that is in use
bull pae-VmPath
ndash Indicates the full Path to the VM in vCenter
bull pae-VmState
ndash Indicates the current state of the Desktop ndash some states are a combination of this valueand other values
51
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
ADSI Edit ndash Searching for a Desktop
bull Find VMs with a Snapshot
ndash (amp(objectClass=pae-VM)(pae-SVIVmSnapshot=BaselineSnapshot1Snapshot2))
bull Find VMs with a Name
ndash (amp(objectClass=pae-VM)(pae-DisplayName=Desktop-234))
ABV1592BE CONFIDENTIAL 52
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon View Event Notifier
bull On the VMware Fling site - labsvmwarecomflings (chrishalstead)
ABV1592BE CONFIDENTIAL 53
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
What to look forhellip (walk through successful connection)
bull Client requests desktop
ndash Event Database BROKER_DESKTOP_REQUEST
bull Broker allocates session to user
ndash [FarmImp] (SESSION7072--a79c) cn=3f974017-409f-4912-83bc-2ee794f22fabou=serversdc=vdidc=vmwaredc=int total session count 0
ndash [FarmImp] (SESSION7072--a79c) allocateNewSession - identified server for application CN=GOLD-NPOU=ApplicationsDC=vdiDC=vmwareDC=int
ndash Event Database BROKER_MACHINE_ALLOCATED
bull Broker attempts SSO
ndash [FarmImp] (SESSION7072--a79c) Using domain for SSO FUTUREOFFICE
ndash User wonrsquot be logged on to the VM without this
ABV1592BE CONFIDENTIAL 54
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
What to look forhellip Pool Provisioning
bull Desktops not available due to provisioning error
ndash Check View Administrator for Pool status check datastore capacity
ndash Check Event Database - BROKER_PROVISIONING_ERROR_
ndash Check View Composer has network access to ESX hosts
bull Desktop not available due to customization
ndash Check Desktop status ndash AGENT UNAVAILABLE
ndash Check View Dashboard
bull Desktop Status gt Preparing Desktops OR Problem Desktops
ndash Check Desktop connectivity to DNSADConnection Server
ABV1592BE CONFIDENTIAL 55
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
bull Desktop not available due to VM resetcrash
ndash Check Desktop status ndash ALREADY USED
ndash Typical on refresh-on-logoff or delete-on-use desktops
ndash Broker never received an explicit logout message from the agent
ndash Missing AGENT_ENDED event in DB for VM
bull View Composer Issues associated with incorrect domain credentials
bull CProgramDataVMwareView ComposerLogs
bull FATAL CSvmGaService - [svmGaServicecpp 116] Domain join failed Error 5 (0x5) Access is denied
ABV1592BE CONFIDENTIAL 56
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
What to look forhellip
bull Broker starts session on VM
ndash [DesktopSessionImp] (SESSION7072--a79c) startSession ndashsending StartSession message
bull Agent respondshellip
ndash DesktopManager got a StartSession messagerdquo
ndash Client Info should be in Agent Log along with PCoIP launch
bull Event Database AGENT_PENDING
bull Client connects to VM (Agent)
ndash ldquoPCoIPCnxOnConnectionComplete Begin (PCOIP)rdquo
ndash ldquoWTS_SESSION_LOGONrdquo
ndash Event Database AGENT_CONNECTED
ABV1592BE CONFIDENTIAL 57
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Source Not Available
58
Common Issues
bull No Desktop Available
bull Pool provisioning issues ndashcustomization
bull Agent not communicatingwith broker
bull Stuck at desktop loginscreen (SSO)
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Source Not Available
59
Where to look
bull Event Database
bull Connection Server logs
What to look for
[SessionLaunchContext] (SESSION40a7__6cbd) VMWEUCbsimpson Desktop=vmworld Session request failed
(SESSION40a7__6cbd) [VMWEUCbsimpson Desktop=vmworld] (5ms) The following servers were blocked for new sessions [cn=5162cf76-8d8a-4ac0-9185-845a540d24e5ou=serversdc=vdidc=vmwaredc=int]
(SESSION40a7__6cbd) [VMWEUCbsimpson Desktop=vmworld] (5ms) Application launch failed exception was The desktop sources for this desktop are not responding Please try again later
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and vCenter Server Connection
Accept vCenter Certificate
By default certificate validation is required between App Volumes Manager and vSphere
Accept vCenter cert (self-signed or CA-signed) while creating the Machine Manager in App Volumes Manager
No custom certificate work required
App Volumes
ABV1592BE CONFIDENTIAL 60
VMworld 2017 Content Not fo
r publication or distri
bution
Certificate Options for ProductionEnable Certificate Validation on the App Volumes Agent
HKLMSystemCurrentControlSetServicessvservicesParametersbull EnforceSSLCertificateValidation = 1bull SSL = 1
Options to Enable SSL
SSL is enabled by default
Donrsquot disable certificate validation during Agent installation
Enable SSL in the registry after App Volumes Agent install
App Volumes
61
VMworld 2017 Content Not fo
r publication or distri
bution
Certificate Options for a POCDisable SSL Certificate Validation on the Agent
HKLMSystemCurrentControlSetServicessvservicesParametersbull EnforceSSLCertificateValidation = 0
Options to Disable SSL
Disable Certificate Validation with App Volumes Manager during App Volumes Agent install
EnforceSSLCertificateValidation in the registry after App Volumes Agent install
App Volumes
62
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and SQL Server CommunicationSecuring Communications Between App Volumes Manager and SQL Server
bull 212 User Guide references MS Support
bull Note the differences for a SQL Server clustered installation
bull Encryption is configured on the SQL Server instance so alldatabases on a shared SQL Server will be affected
bull From the SQL Server use SQL Server Configuration Manager to configure Force Encryption and specify the SQL certificate
SQL Server service account must have Read permissions to the Private Key of the SQL Server SSL certificate
ndash Check SQL Server Configuration Manager gt SQL Server Services gt SQL Server (SQL) gt Log On
ndash Default is NT ServiceMSSQL$SQL which does not have the necessary permissions
App Volumes
ABV1592BE CONFIDENTIAL 63
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and SQL Server CommunicationSetting Custom Private Key Permissions for SQL Service Account
bull Start on the SQL Server
bull MMC gt Certificates
App Volumes
ABV1592BE CONFIDENTIAL 64
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and Load Balancers
Typical Deployment
SSL is terminated at load balancer
HTTP between LB and AV Manager
SSL between AV Agents and LB
If trusted CA-signed cert is used for LB be
sure all agents trust the CA
App Volumes Agent VMs
Load Balancer
App Volumes Manager VMs
Alternative Deployment
To keep SSL between LB and AV
Manager signed AV Manager
certificate(s) should be added to trust list
of the LB
SQLView Infrastructure
Now Secured with SSL
Certificates
App Volumes
ABV1592BE CONFIDENTIAL 65
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
Pool
Profile
Service AppsUser
Remoting
ProtocolUser Environment
Manager
File SharesPersona
ThinApp SharesStreamed
Apps
Master VMInstant
Clone
Home File SharesFolder
Redirection
App Volumes
AppStacks
Writable Volume
Disk
Attachments
vSphere
Virtual SAN
Instant Clone
SaaS Mobile Other Apps
Client(s)
Identity Manager
HTML
APPS
En
viro
nm
en
t
AD
DNS
DHCP
Group
Policy
Certs
vRealize Operations for Horizon ndash (Monitoring amp Mgt)
Identifying the Problem Domain
ABV1592BE CONFIDENTIAL 28
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon Connectivity Issues
bull Common challenges
ndash Horizon Client canrsquot connect
ndash Logon failure
ndash Black screen
ndash Poor quality display
ndash Randomly disconnected session
ABV1592BE CONFIDENTIAL 29
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
30
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Blast Extreme Adaptive TransportADMX Template Settings
Computer gt Policies gt Admin Templates gt VMware Blast gt UDP Protocol
bull Requires restart of Blast service or reboot of guest OS to take effect
BlastExtreme
ABV1592BE CONFIDENTIAL 31
VMworld 2017 Content Not fo
r publication or distri
bution
Blast Extreme Adaptive Transport
Client Settings Agent Settings (UDP) Blast Desktop Connection Broker Connection
Excellent Not configured or Enabled TCP TCP
Typical Not configured or Enabled UDP TCP
Poor Not configured or Enabled UDP UDP
Computer gt Policies gt Admin Templates gt VMware Blast gt UDP Protocol ndash Not Configured or Enabled
HKLMSOFTWAREPoliciesVMware IncVMware BlastConfig ndash UdpEnabled = 1
Client Settings Agent Settings (UDP) Blast Desktop Connection Broker Connection
Excellent Disabled TCP TCP
Typical Disabled TCP TCP
Poor Disabled TCP UDP
Computer gt Policies gt Admin Templates gt VMware Blast gt UDP Protocol ndash Disabled
HKLMSOFTWAREPoliciesVMware IncVMware BlastConfig ndash UdpEnabled = 0
BlastExtreme
ABV1592BE CONFIDENTIAL 32
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon Connectivity Issues
bull Where to look
ndash Connection Broker logs
bull CProgramDataVMwareVDMlogs
ndash Event Database
ndash DCT Tool
bull What to look for ndash
bull (Client connects) [SimpleAJPService] (ajpbrokerRequest9) Request from 19216821 POST brokerxml
bull (Broker authentication) [WinAuthFilter] (SESSION7072--a79c mattc) Attempting to authenticate user mattc in domain FUTUREOFFICErsquo
bull (User has authenticated to Broker) [AuthorizationFilter] (SESSION7072--a79c) User FUTUREOFFICEmattc has successfully authenticated to VDM
bull (Audit Entry) [Audit] (SESSION7072--a79c) BROKER_LOGONUSERFUTUREOFFICEmattcUSERSIDS-1-5-21-326850759-2560684469-1780228732-1113USERDNCN=S-1-5-21-326850759-2560684469-1780228732-1113CN=ForeignSecurityPrincipalsDC=vdiDC=vmwareDC=int
bull Event Database BROKER_USERLOGGEDIN
ABV1592BE CONFIDENTIAL 33
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
User Experience Issues
bull Black screen of deathmdashinstead of desktop
ndash PCoIP port blocked (TCP and UDP 4172) or SVGA Driver issue
ndash pcoip_serverclient logs - CUsersAll UsersVMwareVDMlogs
bull Error attaching to SVGADevTap error 4000 EscapeFailed
bull MGMT_SCHAN scnet_client_open tera_sock_connect returned error 10060 - Connection timed out
ndash Incorrect PCoIP External URL configured for SecurityConnection Servers
ABV1592BE CONFIDENTIAL 34
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
User Experience Issues
bull Poor quality display
ndash Bandwidth latency or QoS
ndash Pcoip_server logs report
bull VGMAC Stat frms Loss=045021 (RT)
bull MGMT_PCOIP_DATA BW Decrease (loss) old = 2349982 new = 1768438
bull Randomly disconnected session
ndash 15 min after established - wssm process hasnt started on desktop
ndash View Agent logs (ltDriveLettergtProgramDataVMwareVDMlogs)
ndash PENDING_EXPIRED
ndash Sometimes caused by daisy-chaining the GINA (WinXP)
ABV1592BE CONFIDENTIAL 35
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Multi-VLAN support for Instant Clone pools
36
Tips to Avoid Deployment Issues
Support
bull vSphere 2016
bull ESXi 60 U1 or newer
bull Virtual Distributed Switch only
ndash No support for Standard Switch
bull Port Group must be configured for Static Port Binding amp Fixed Port Allocation
ndash No support for Dynamic or Ephemeral
Tested Limits
bull No multi-VLAN provisioning with IPv6
bull Single IC pool of 2K VMs
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Multi-VLAN with Horizon Instant Clones
37
Troubleshooting
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Performance
bull Common Issues
ndash Storage IO bottleneck
ndash Memory contention
ndash CPU contention
ndash Network issues
bull Where to look
ndash vCenter Server
ndash VCOPs
ndash ESXTOP
ndash 3rd Party Tools
ABV1592BE CONFIDENTIAL 38
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
The 3 Pillars of Performance
What to look for
bull CPU
ndash ClusterHost utilization lt 90
ndash VM utilization - USED (ESXTOP)
ndash VM RDY Time (ESXTOP) lt 10
bull Memory
ndash Host utilization lt 85
ndash VM utilization
ndash Swapping Ballooning SWCUR gt 1 MCTLSZ gt 1 (ESXTOP)
bull Storage
ndash Disk Read Latency lt 25ms
ndash ESXTOP DAVG or KAVG lt 25ms (ESXTOP)
ABV1592BE CONFIDENTIAL 39
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Optimize Your Images
bull httpslabsvmwarecomflingsvmware-os-optimization-tool
ABV1592BE CONFIDENTIAL 40
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
User Environment ManagerCommon Issues
41
VMworld 2017 Content Not fo
r publication or distri
bution
FlexEngine Appears Not To Run
FlexEngine Client
bull Requires use of Regeditexeor Regexe to modify user-based registry keys
bull Must not be disabled via Local or Group Policy
ADMX Settings
bull Minimum settings to enable FlexEngine Client
bull Check path
ABV1592BE CONFIDENTIAL 42
VMworld 2017 Content Not fo
r publication or distri
bution
Path-Based Import Runs Slow
43
bull Be careful not to run FlexEngine as a logon script and a Group Policy client-side extension
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Application Incompatibility with Hook Drivers
44
User Environment Manager
DirectFlex Blacklist
bull Create ltFlexRepositorygtDirectFlexBlackListXML
bull Populate as follows
ltxml version=10 encoding=utf-8gt
ltuserEnvironmentSettingsgt
ltsetting type=blacklist list=rdquo1exe|2exe|3exe gt
ltuserEnvironmentSettingsgt
bull Example httpskbvmwarecomkb2145287
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
App VolumesCommon Issues
45
VMworld 2017 Content Not fo
r publication or distri
bution
Slow User Logon
46
bull Check Logon Segments in Horizon to determine where the delay is
bull Optimize clockyml
ndash If performance decreases as deployment scales
ndash Increasing servers workers and thread_poolrequires additional CPU and RAM
ndash Involve GSS to ensure optimal settings
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
AppStack Not Attaching at Logon
47
bull One host in vSphere cluster does not have access to the shared datastore where the AppStack resides
ndash Common oversight especially with Storage Groups
bull Conflicting Minifilter driver
ndash DLP software
ndash Be aware of app altitude
ndash More info from Microsoft
bull httpbitly2tSCdG5
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
ADSI Edit ndash Static Configuration Editing
50
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
ADSI Edit ndash Common Key Values to Inspect
bull pae-DisplayName
ndash VM name as displayed in View Admin
bull pae-DirtyForNewSessions
ndash Indicates whether the VM is ldquoDirtyrdquo and can be re-used in a non-persistent pool
bull pae-SVIVMSnapshot
ndash Indicates the current Snapshot that is in use
bull pae-VmPath
ndash Indicates the full Path to the VM in vCenter
bull pae-VmState
ndash Indicates the current state of the Desktop ndash some states are a combination of this valueand other values
51
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
ADSI Edit ndash Searching for a Desktop
bull Find VMs with a Snapshot
ndash (amp(objectClass=pae-VM)(pae-SVIVmSnapshot=BaselineSnapshot1Snapshot2))
bull Find VMs with a Name
ndash (amp(objectClass=pae-VM)(pae-DisplayName=Desktop-234))
ABV1592BE CONFIDENTIAL 52
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon View Event Notifier
bull On the VMware Fling site - labsvmwarecomflings (chrishalstead)
ABV1592BE CONFIDENTIAL 53
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
What to look forhellip (walk through successful connection)
bull Client requests desktop
ndash Event Database BROKER_DESKTOP_REQUEST
bull Broker allocates session to user
ndash [FarmImp] (SESSION7072--a79c) cn=3f974017-409f-4912-83bc-2ee794f22fabou=serversdc=vdidc=vmwaredc=int total session count 0
ndash [FarmImp] (SESSION7072--a79c) allocateNewSession - identified server for application CN=GOLD-NPOU=ApplicationsDC=vdiDC=vmwareDC=int
ndash Event Database BROKER_MACHINE_ALLOCATED
bull Broker attempts SSO
ndash [FarmImp] (SESSION7072--a79c) Using domain for SSO FUTUREOFFICE
ndash User wonrsquot be logged on to the VM without this
ABV1592BE CONFIDENTIAL 54
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
What to look forhellip Pool Provisioning
bull Desktops not available due to provisioning error
ndash Check View Administrator for Pool status check datastore capacity
ndash Check Event Database - BROKER_PROVISIONING_ERROR_
ndash Check View Composer has network access to ESX hosts
bull Desktop not available due to customization
ndash Check Desktop status ndash AGENT UNAVAILABLE
ndash Check View Dashboard
bull Desktop Status gt Preparing Desktops OR Problem Desktops
ndash Check Desktop connectivity to DNSADConnection Server
ABV1592BE CONFIDENTIAL 55
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
bull Desktop not available due to VM resetcrash
ndash Check Desktop status ndash ALREADY USED
ndash Typical on refresh-on-logoff or delete-on-use desktops
ndash Broker never received an explicit logout message from the agent
ndash Missing AGENT_ENDED event in DB for VM
bull View Composer Issues associated with incorrect domain credentials
bull CProgramDataVMwareView ComposerLogs
bull FATAL CSvmGaService - [svmGaServicecpp 116] Domain join failed Error 5 (0x5) Access is denied
ABV1592BE CONFIDENTIAL 56
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
What to look forhellip
bull Broker starts session on VM
ndash [DesktopSessionImp] (SESSION7072--a79c) startSession ndashsending StartSession message
bull Agent respondshellip
ndash DesktopManager got a StartSession messagerdquo
ndash Client Info should be in Agent Log along with PCoIP launch
bull Event Database AGENT_PENDING
bull Client connects to VM (Agent)
ndash ldquoPCoIPCnxOnConnectionComplete Begin (PCOIP)rdquo
ndash ldquoWTS_SESSION_LOGONrdquo
ndash Event Database AGENT_CONNECTED
ABV1592BE CONFIDENTIAL 57
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Source Not Available
58
Common Issues
bull No Desktop Available
bull Pool provisioning issues ndashcustomization
bull Agent not communicatingwith broker
bull Stuck at desktop loginscreen (SSO)
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Source Not Available
59
Where to look
bull Event Database
bull Connection Server logs
What to look for
[SessionLaunchContext] (SESSION40a7__6cbd) VMWEUCbsimpson Desktop=vmworld Session request failed
(SESSION40a7__6cbd) [VMWEUCbsimpson Desktop=vmworld] (5ms) The following servers were blocked for new sessions [cn=5162cf76-8d8a-4ac0-9185-845a540d24e5ou=serversdc=vdidc=vmwaredc=int]
(SESSION40a7__6cbd) [VMWEUCbsimpson Desktop=vmworld] (5ms) Application launch failed exception was The desktop sources for this desktop are not responding Please try again later
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and vCenter Server Connection
Accept vCenter Certificate
By default certificate validation is required between App Volumes Manager and vSphere
Accept vCenter cert (self-signed or CA-signed) while creating the Machine Manager in App Volumes Manager
No custom certificate work required
App Volumes
ABV1592BE CONFIDENTIAL 60
VMworld 2017 Content Not fo
r publication or distri
bution
Certificate Options for ProductionEnable Certificate Validation on the App Volumes Agent
HKLMSystemCurrentControlSetServicessvservicesParametersbull EnforceSSLCertificateValidation = 1bull SSL = 1
Options to Enable SSL
SSL is enabled by default
Donrsquot disable certificate validation during Agent installation
Enable SSL in the registry after App Volumes Agent install
App Volumes
61
VMworld 2017 Content Not fo
r publication or distri
bution
Certificate Options for a POCDisable SSL Certificate Validation on the Agent
HKLMSystemCurrentControlSetServicessvservicesParametersbull EnforceSSLCertificateValidation = 0
Options to Disable SSL
Disable Certificate Validation with App Volumes Manager during App Volumes Agent install
EnforceSSLCertificateValidation in the registry after App Volumes Agent install
App Volumes
62
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and SQL Server CommunicationSecuring Communications Between App Volumes Manager and SQL Server
bull 212 User Guide references MS Support
bull Note the differences for a SQL Server clustered installation
bull Encryption is configured on the SQL Server instance so alldatabases on a shared SQL Server will be affected
bull From the SQL Server use SQL Server Configuration Manager to configure Force Encryption and specify the SQL certificate
SQL Server service account must have Read permissions to the Private Key of the SQL Server SSL certificate
ndash Check SQL Server Configuration Manager gt SQL Server Services gt SQL Server (SQL) gt Log On
ndash Default is NT ServiceMSSQL$SQL which does not have the necessary permissions
App Volumes
ABV1592BE CONFIDENTIAL 63
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and SQL Server CommunicationSetting Custom Private Key Permissions for SQL Service Account
bull Start on the SQL Server
bull MMC gt Certificates
App Volumes
ABV1592BE CONFIDENTIAL 64
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and Load Balancers
Typical Deployment
SSL is terminated at load balancer
HTTP between LB and AV Manager
SSL between AV Agents and LB
If trusted CA-signed cert is used for LB be
sure all agents trust the CA
App Volumes Agent VMs
Load Balancer
App Volumes Manager VMs
Alternative Deployment
To keep SSL between LB and AV
Manager signed AV Manager
certificate(s) should be added to trust list
of the LB
SQLView Infrastructure
Now Secured with SSL
Certificates
App Volumes
ABV1592BE CONFIDENTIAL 65
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon Connectivity Issues
bull Common challenges
ndash Horizon Client canrsquot connect
ndash Logon failure
ndash Black screen
ndash Poor quality display
ndash Randomly disconnected session
ABV1592BE CONFIDENTIAL 29
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
30
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Blast Extreme Adaptive TransportADMX Template Settings
Computer gt Policies gt Admin Templates gt VMware Blast gt UDP Protocol
bull Requires restart of Blast service or reboot of guest OS to take effect
BlastExtreme
ABV1592BE CONFIDENTIAL 31
VMworld 2017 Content Not fo
r publication or distri
bution
Blast Extreme Adaptive Transport
Client Settings Agent Settings (UDP) Blast Desktop Connection Broker Connection
Excellent Not configured or Enabled TCP TCP
Typical Not configured or Enabled UDP TCP
Poor Not configured or Enabled UDP UDP
Computer gt Policies gt Admin Templates gt VMware Blast gt UDP Protocol ndash Not Configured or Enabled
HKLMSOFTWAREPoliciesVMware IncVMware BlastConfig ndash UdpEnabled = 1
Client Settings Agent Settings (UDP) Blast Desktop Connection Broker Connection
Excellent Disabled TCP TCP
Typical Disabled TCP TCP
Poor Disabled TCP UDP
Computer gt Policies gt Admin Templates gt VMware Blast gt UDP Protocol ndash Disabled
HKLMSOFTWAREPoliciesVMware IncVMware BlastConfig ndash UdpEnabled = 0
BlastExtreme
ABV1592BE CONFIDENTIAL 32
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon Connectivity Issues
bull Where to look
ndash Connection Broker logs
bull CProgramDataVMwareVDMlogs
ndash Event Database
ndash DCT Tool
bull What to look for ndash
bull (Client connects) [SimpleAJPService] (ajpbrokerRequest9) Request from 19216821 POST brokerxml
bull (Broker authentication) [WinAuthFilter] (SESSION7072--a79c mattc) Attempting to authenticate user mattc in domain FUTUREOFFICErsquo
bull (User has authenticated to Broker) [AuthorizationFilter] (SESSION7072--a79c) User FUTUREOFFICEmattc has successfully authenticated to VDM
bull (Audit Entry) [Audit] (SESSION7072--a79c) BROKER_LOGONUSERFUTUREOFFICEmattcUSERSIDS-1-5-21-326850759-2560684469-1780228732-1113USERDNCN=S-1-5-21-326850759-2560684469-1780228732-1113CN=ForeignSecurityPrincipalsDC=vdiDC=vmwareDC=int
bull Event Database BROKER_USERLOGGEDIN
ABV1592BE CONFIDENTIAL 33
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
User Experience Issues
bull Black screen of deathmdashinstead of desktop
ndash PCoIP port blocked (TCP and UDP 4172) or SVGA Driver issue
ndash pcoip_serverclient logs - CUsersAll UsersVMwareVDMlogs
bull Error attaching to SVGADevTap error 4000 EscapeFailed
bull MGMT_SCHAN scnet_client_open tera_sock_connect returned error 10060 - Connection timed out
ndash Incorrect PCoIP External URL configured for SecurityConnection Servers
ABV1592BE CONFIDENTIAL 34
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
User Experience Issues
bull Poor quality display
ndash Bandwidth latency or QoS
ndash Pcoip_server logs report
bull VGMAC Stat frms Loss=045021 (RT)
bull MGMT_PCOIP_DATA BW Decrease (loss) old = 2349982 new = 1768438
bull Randomly disconnected session
ndash 15 min after established - wssm process hasnt started on desktop
ndash View Agent logs (ltDriveLettergtProgramDataVMwareVDMlogs)
ndash PENDING_EXPIRED
ndash Sometimes caused by daisy-chaining the GINA (WinXP)
ABV1592BE CONFIDENTIAL 35
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Multi-VLAN support for Instant Clone pools
36
Tips to Avoid Deployment Issues
Support
bull vSphere 2016
bull ESXi 60 U1 or newer
bull Virtual Distributed Switch only
ndash No support for Standard Switch
bull Port Group must be configured for Static Port Binding amp Fixed Port Allocation
ndash No support for Dynamic or Ephemeral
Tested Limits
bull No multi-VLAN provisioning with IPv6
bull Single IC pool of 2K VMs
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Multi-VLAN with Horizon Instant Clones
37
Troubleshooting
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Performance
bull Common Issues
ndash Storage IO bottleneck
ndash Memory contention
ndash CPU contention
ndash Network issues
bull Where to look
ndash vCenter Server
ndash VCOPs
ndash ESXTOP
ndash 3rd Party Tools
ABV1592BE CONFIDENTIAL 38
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
The 3 Pillars of Performance
What to look for
bull CPU
ndash ClusterHost utilization lt 90
ndash VM utilization - USED (ESXTOP)
ndash VM RDY Time (ESXTOP) lt 10
bull Memory
ndash Host utilization lt 85
ndash VM utilization
ndash Swapping Ballooning SWCUR gt 1 MCTLSZ gt 1 (ESXTOP)
bull Storage
ndash Disk Read Latency lt 25ms
ndash ESXTOP DAVG or KAVG lt 25ms (ESXTOP)
ABV1592BE CONFIDENTIAL 39
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Optimize Your Images
bull httpslabsvmwarecomflingsvmware-os-optimization-tool
ABV1592BE CONFIDENTIAL 40
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
User Environment ManagerCommon Issues
41
VMworld 2017 Content Not fo
r publication or distri
bution
FlexEngine Appears Not To Run
FlexEngine Client
bull Requires use of Regeditexeor Regexe to modify user-based registry keys
bull Must not be disabled via Local or Group Policy
ADMX Settings
bull Minimum settings to enable FlexEngine Client
bull Check path
ABV1592BE CONFIDENTIAL 42
VMworld 2017 Content Not fo
r publication or distri
bution
Path-Based Import Runs Slow
43
bull Be careful not to run FlexEngine as a logon script and a Group Policy client-side extension
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Application Incompatibility with Hook Drivers
44
User Environment Manager
DirectFlex Blacklist
bull Create ltFlexRepositorygtDirectFlexBlackListXML
bull Populate as follows
ltxml version=10 encoding=utf-8gt
ltuserEnvironmentSettingsgt
ltsetting type=blacklist list=rdquo1exe|2exe|3exe gt
ltuserEnvironmentSettingsgt
bull Example httpskbvmwarecomkb2145287
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
App VolumesCommon Issues
45
VMworld 2017 Content Not fo
r publication or distri
bution
Slow User Logon
46
bull Check Logon Segments in Horizon to determine where the delay is
bull Optimize clockyml
ndash If performance decreases as deployment scales
ndash Increasing servers workers and thread_poolrequires additional CPU and RAM
ndash Involve GSS to ensure optimal settings
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
AppStack Not Attaching at Logon
47
bull One host in vSphere cluster does not have access to the shared datastore where the AppStack resides
ndash Common oversight especially with Storage Groups
bull Conflicting Minifilter driver
ndash DLP software
ndash Be aware of app altitude
ndash More info from Microsoft
bull httpbitly2tSCdG5
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
ADSI Edit ndash Static Configuration Editing
50
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
ADSI Edit ndash Common Key Values to Inspect
bull pae-DisplayName
ndash VM name as displayed in View Admin
bull pae-DirtyForNewSessions
ndash Indicates whether the VM is ldquoDirtyrdquo and can be re-used in a non-persistent pool
bull pae-SVIVMSnapshot
ndash Indicates the current Snapshot that is in use
bull pae-VmPath
ndash Indicates the full Path to the VM in vCenter
bull pae-VmState
ndash Indicates the current state of the Desktop ndash some states are a combination of this valueand other values
51
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
ADSI Edit ndash Searching for a Desktop
bull Find VMs with a Snapshot
ndash (amp(objectClass=pae-VM)(pae-SVIVmSnapshot=BaselineSnapshot1Snapshot2))
bull Find VMs with a Name
ndash (amp(objectClass=pae-VM)(pae-DisplayName=Desktop-234))
ABV1592BE CONFIDENTIAL 52
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon View Event Notifier
bull On the VMware Fling site - labsvmwarecomflings (chrishalstead)
ABV1592BE CONFIDENTIAL 53
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
What to look forhellip (walk through successful connection)
bull Client requests desktop
ndash Event Database BROKER_DESKTOP_REQUEST
bull Broker allocates session to user
ndash [FarmImp] (SESSION7072--a79c) cn=3f974017-409f-4912-83bc-2ee794f22fabou=serversdc=vdidc=vmwaredc=int total session count 0
ndash [FarmImp] (SESSION7072--a79c) allocateNewSession - identified server for application CN=GOLD-NPOU=ApplicationsDC=vdiDC=vmwareDC=int
ndash Event Database BROKER_MACHINE_ALLOCATED
bull Broker attempts SSO
ndash [FarmImp] (SESSION7072--a79c) Using domain for SSO FUTUREOFFICE
ndash User wonrsquot be logged on to the VM without this
ABV1592BE CONFIDENTIAL 54
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
What to look forhellip Pool Provisioning
bull Desktops not available due to provisioning error
ndash Check View Administrator for Pool status check datastore capacity
ndash Check Event Database - BROKER_PROVISIONING_ERROR_
ndash Check View Composer has network access to ESX hosts
bull Desktop not available due to customization
ndash Check Desktop status ndash AGENT UNAVAILABLE
ndash Check View Dashboard
bull Desktop Status gt Preparing Desktops OR Problem Desktops
ndash Check Desktop connectivity to DNSADConnection Server
ABV1592BE CONFIDENTIAL 55
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
bull Desktop not available due to VM resetcrash
ndash Check Desktop status ndash ALREADY USED
ndash Typical on refresh-on-logoff or delete-on-use desktops
ndash Broker never received an explicit logout message from the agent
ndash Missing AGENT_ENDED event in DB for VM
bull View Composer Issues associated with incorrect domain credentials
bull CProgramDataVMwareView ComposerLogs
bull FATAL CSvmGaService - [svmGaServicecpp 116] Domain join failed Error 5 (0x5) Access is denied
ABV1592BE CONFIDENTIAL 56
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
What to look forhellip
bull Broker starts session on VM
ndash [DesktopSessionImp] (SESSION7072--a79c) startSession ndashsending StartSession message
bull Agent respondshellip
ndash DesktopManager got a StartSession messagerdquo
ndash Client Info should be in Agent Log along with PCoIP launch
bull Event Database AGENT_PENDING
bull Client connects to VM (Agent)
ndash ldquoPCoIPCnxOnConnectionComplete Begin (PCOIP)rdquo
ndash ldquoWTS_SESSION_LOGONrdquo
ndash Event Database AGENT_CONNECTED
ABV1592BE CONFIDENTIAL 57
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Source Not Available
58
Common Issues
bull No Desktop Available
bull Pool provisioning issues ndashcustomization
bull Agent not communicatingwith broker
bull Stuck at desktop loginscreen (SSO)
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Source Not Available
59
Where to look
bull Event Database
bull Connection Server logs
What to look for
[SessionLaunchContext] (SESSION40a7__6cbd) VMWEUCbsimpson Desktop=vmworld Session request failed
(SESSION40a7__6cbd) [VMWEUCbsimpson Desktop=vmworld] (5ms) The following servers were blocked for new sessions [cn=5162cf76-8d8a-4ac0-9185-845a540d24e5ou=serversdc=vdidc=vmwaredc=int]
(SESSION40a7__6cbd) [VMWEUCbsimpson Desktop=vmworld] (5ms) Application launch failed exception was The desktop sources for this desktop are not responding Please try again later
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and vCenter Server Connection
Accept vCenter Certificate
By default certificate validation is required between App Volumes Manager and vSphere
Accept vCenter cert (self-signed or CA-signed) while creating the Machine Manager in App Volumes Manager
No custom certificate work required
App Volumes
ABV1592BE CONFIDENTIAL 60
VMworld 2017 Content Not fo
r publication or distri
bution
Certificate Options for ProductionEnable Certificate Validation on the App Volumes Agent
HKLMSystemCurrentControlSetServicessvservicesParametersbull EnforceSSLCertificateValidation = 1bull SSL = 1
Options to Enable SSL
SSL is enabled by default
Donrsquot disable certificate validation during Agent installation
Enable SSL in the registry after App Volumes Agent install
App Volumes
61
VMworld 2017 Content Not fo
r publication or distri
bution
Certificate Options for a POCDisable SSL Certificate Validation on the Agent
HKLMSystemCurrentControlSetServicessvservicesParametersbull EnforceSSLCertificateValidation = 0
Options to Disable SSL
Disable Certificate Validation with App Volumes Manager during App Volumes Agent install
EnforceSSLCertificateValidation in the registry after App Volumes Agent install
App Volumes
62
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and SQL Server CommunicationSecuring Communications Between App Volumes Manager and SQL Server
bull 212 User Guide references MS Support
bull Note the differences for a SQL Server clustered installation
bull Encryption is configured on the SQL Server instance so alldatabases on a shared SQL Server will be affected
bull From the SQL Server use SQL Server Configuration Manager to configure Force Encryption and specify the SQL certificate
SQL Server service account must have Read permissions to the Private Key of the SQL Server SSL certificate
ndash Check SQL Server Configuration Manager gt SQL Server Services gt SQL Server (SQL) gt Log On
ndash Default is NT ServiceMSSQL$SQL which does not have the necessary permissions
App Volumes
ABV1592BE CONFIDENTIAL 63
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and SQL Server CommunicationSetting Custom Private Key Permissions for SQL Service Account
bull Start on the SQL Server
bull MMC gt Certificates
App Volumes
ABV1592BE CONFIDENTIAL 64
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and Load Balancers
Typical Deployment
SSL is terminated at load balancer
HTTP between LB and AV Manager
SSL between AV Agents and LB
If trusted CA-signed cert is used for LB be
sure all agents trust the CA
App Volumes Agent VMs
Load Balancer
App Volumes Manager VMs
Alternative Deployment
To keep SSL between LB and AV
Manager signed AV Manager
certificate(s) should be added to trust list
of the LB
SQLView Infrastructure
Now Secured with SSL
Certificates
App Volumes
ABV1592BE CONFIDENTIAL 65
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
30
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Blast Extreme Adaptive TransportADMX Template Settings
Computer gt Policies gt Admin Templates gt VMware Blast gt UDP Protocol
bull Requires restart of Blast service or reboot of guest OS to take effect
BlastExtreme
ABV1592BE CONFIDENTIAL 31
VMworld 2017 Content Not fo
r publication or distri
bution
Blast Extreme Adaptive Transport
Client Settings Agent Settings (UDP) Blast Desktop Connection Broker Connection
Excellent Not configured or Enabled TCP TCP
Typical Not configured or Enabled UDP TCP
Poor Not configured or Enabled UDP UDP
Computer gt Policies gt Admin Templates gt VMware Blast gt UDP Protocol ndash Not Configured or Enabled
HKLMSOFTWAREPoliciesVMware IncVMware BlastConfig ndash UdpEnabled = 1
Client Settings Agent Settings (UDP) Blast Desktop Connection Broker Connection
Excellent Disabled TCP TCP
Typical Disabled TCP TCP
Poor Disabled TCP UDP
Computer gt Policies gt Admin Templates gt VMware Blast gt UDP Protocol ndash Disabled
HKLMSOFTWAREPoliciesVMware IncVMware BlastConfig ndash UdpEnabled = 0
BlastExtreme
ABV1592BE CONFIDENTIAL 32
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon Connectivity Issues
bull Where to look
ndash Connection Broker logs
bull CProgramDataVMwareVDMlogs
ndash Event Database
ndash DCT Tool
bull What to look for ndash
bull (Client connects) [SimpleAJPService] (ajpbrokerRequest9) Request from 19216821 POST brokerxml
bull (Broker authentication) [WinAuthFilter] (SESSION7072--a79c mattc) Attempting to authenticate user mattc in domain FUTUREOFFICErsquo
bull (User has authenticated to Broker) [AuthorizationFilter] (SESSION7072--a79c) User FUTUREOFFICEmattc has successfully authenticated to VDM
bull (Audit Entry) [Audit] (SESSION7072--a79c) BROKER_LOGONUSERFUTUREOFFICEmattcUSERSIDS-1-5-21-326850759-2560684469-1780228732-1113USERDNCN=S-1-5-21-326850759-2560684469-1780228732-1113CN=ForeignSecurityPrincipalsDC=vdiDC=vmwareDC=int
bull Event Database BROKER_USERLOGGEDIN
ABV1592BE CONFIDENTIAL 33
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
User Experience Issues
bull Black screen of deathmdashinstead of desktop
ndash PCoIP port blocked (TCP and UDP 4172) or SVGA Driver issue
ndash pcoip_serverclient logs - CUsersAll UsersVMwareVDMlogs
bull Error attaching to SVGADevTap error 4000 EscapeFailed
bull MGMT_SCHAN scnet_client_open tera_sock_connect returned error 10060 - Connection timed out
ndash Incorrect PCoIP External URL configured for SecurityConnection Servers
ABV1592BE CONFIDENTIAL 34
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
User Experience Issues
bull Poor quality display
ndash Bandwidth latency or QoS
ndash Pcoip_server logs report
bull VGMAC Stat frms Loss=045021 (RT)
bull MGMT_PCOIP_DATA BW Decrease (loss) old = 2349982 new = 1768438
bull Randomly disconnected session
ndash 15 min after established - wssm process hasnt started on desktop
ndash View Agent logs (ltDriveLettergtProgramDataVMwareVDMlogs)
ndash PENDING_EXPIRED
ndash Sometimes caused by daisy-chaining the GINA (WinXP)
ABV1592BE CONFIDENTIAL 35
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Multi-VLAN support for Instant Clone pools
36
Tips to Avoid Deployment Issues
Support
bull vSphere 2016
bull ESXi 60 U1 or newer
bull Virtual Distributed Switch only
ndash No support for Standard Switch
bull Port Group must be configured for Static Port Binding amp Fixed Port Allocation
ndash No support for Dynamic or Ephemeral
Tested Limits
bull No multi-VLAN provisioning with IPv6
bull Single IC pool of 2K VMs
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Multi-VLAN with Horizon Instant Clones
37
Troubleshooting
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Performance
bull Common Issues
ndash Storage IO bottleneck
ndash Memory contention
ndash CPU contention
ndash Network issues
bull Where to look
ndash vCenter Server
ndash VCOPs
ndash ESXTOP
ndash 3rd Party Tools
ABV1592BE CONFIDENTIAL 38
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
The 3 Pillars of Performance
What to look for
bull CPU
ndash ClusterHost utilization lt 90
ndash VM utilization - USED (ESXTOP)
ndash VM RDY Time (ESXTOP) lt 10
bull Memory
ndash Host utilization lt 85
ndash VM utilization
ndash Swapping Ballooning SWCUR gt 1 MCTLSZ gt 1 (ESXTOP)
bull Storage
ndash Disk Read Latency lt 25ms
ndash ESXTOP DAVG or KAVG lt 25ms (ESXTOP)
ABV1592BE CONFIDENTIAL 39
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Optimize Your Images
bull httpslabsvmwarecomflingsvmware-os-optimization-tool
ABV1592BE CONFIDENTIAL 40
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
User Environment ManagerCommon Issues
41
VMworld 2017 Content Not fo
r publication or distri
bution
FlexEngine Appears Not To Run
FlexEngine Client
bull Requires use of Regeditexeor Regexe to modify user-based registry keys
bull Must not be disabled via Local or Group Policy
ADMX Settings
bull Minimum settings to enable FlexEngine Client
bull Check path
ABV1592BE CONFIDENTIAL 42
VMworld 2017 Content Not fo
r publication or distri
bution
Path-Based Import Runs Slow
43
bull Be careful not to run FlexEngine as a logon script and a Group Policy client-side extension
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Application Incompatibility with Hook Drivers
44
User Environment Manager
DirectFlex Blacklist
bull Create ltFlexRepositorygtDirectFlexBlackListXML
bull Populate as follows
ltxml version=10 encoding=utf-8gt
ltuserEnvironmentSettingsgt
ltsetting type=blacklist list=rdquo1exe|2exe|3exe gt
ltuserEnvironmentSettingsgt
bull Example httpskbvmwarecomkb2145287
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
App VolumesCommon Issues
45
VMworld 2017 Content Not fo
r publication or distri
bution
Slow User Logon
46
bull Check Logon Segments in Horizon to determine where the delay is
bull Optimize clockyml
ndash If performance decreases as deployment scales
ndash Increasing servers workers and thread_poolrequires additional CPU and RAM
ndash Involve GSS to ensure optimal settings
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
AppStack Not Attaching at Logon
47
bull One host in vSphere cluster does not have access to the shared datastore where the AppStack resides
ndash Common oversight especially with Storage Groups
bull Conflicting Minifilter driver
ndash DLP software
ndash Be aware of app altitude
ndash More info from Microsoft
bull httpbitly2tSCdG5
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
ADSI Edit ndash Static Configuration Editing
50
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
ADSI Edit ndash Common Key Values to Inspect
bull pae-DisplayName
ndash VM name as displayed in View Admin
bull pae-DirtyForNewSessions
ndash Indicates whether the VM is ldquoDirtyrdquo and can be re-used in a non-persistent pool
bull pae-SVIVMSnapshot
ndash Indicates the current Snapshot that is in use
bull pae-VmPath
ndash Indicates the full Path to the VM in vCenter
bull pae-VmState
ndash Indicates the current state of the Desktop ndash some states are a combination of this valueand other values
51
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
ADSI Edit ndash Searching for a Desktop
bull Find VMs with a Snapshot
ndash (amp(objectClass=pae-VM)(pae-SVIVmSnapshot=BaselineSnapshot1Snapshot2))
bull Find VMs with a Name
ndash (amp(objectClass=pae-VM)(pae-DisplayName=Desktop-234))
ABV1592BE CONFIDENTIAL 52
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon View Event Notifier
bull On the VMware Fling site - labsvmwarecomflings (chrishalstead)
ABV1592BE CONFIDENTIAL 53
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
What to look forhellip (walk through successful connection)
bull Client requests desktop
ndash Event Database BROKER_DESKTOP_REQUEST
bull Broker allocates session to user
ndash [FarmImp] (SESSION7072--a79c) cn=3f974017-409f-4912-83bc-2ee794f22fabou=serversdc=vdidc=vmwaredc=int total session count 0
ndash [FarmImp] (SESSION7072--a79c) allocateNewSession - identified server for application CN=GOLD-NPOU=ApplicationsDC=vdiDC=vmwareDC=int
ndash Event Database BROKER_MACHINE_ALLOCATED
bull Broker attempts SSO
ndash [FarmImp] (SESSION7072--a79c) Using domain for SSO FUTUREOFFICE
ndash User wonrsquot be logged on to the VM without this
ABV1592BE CONFIDENTIAL 54
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
What to look forhellip Pool Provisioning
bull Desktops not available due to provisioning error
ndash Check View Administrator for Pool status check datastore capacity
ndash Check Event Database - BROKER_PROVISIONING_ERROR_
ndash Check View Composer has network access to ESX hosts
bull Desktop not available due to customization
ndash Check Desktop status ndash AGENT UNAVAILABLE
ndash Check View Dashboard
bull Desktop Status gt Preparing Desktops OR Problem Desktops
ndash Check Desktop connectivity to DNSADConnection Server
ABV1592BE CONFIDENTIAL 55
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
bull Desktop not available due to VM resetcrash
ndash Check Desktop status ndash ALREADY USED
ndash Typical on refresh-on-logoff or delete-on-use desktops
ndash Broker never received an explicit logout message from the agent
ndash Missing AGENT_ENDED event in DB for VM
bull View Composer Issues associated with incorrect domain credentials
bull CProgramDataVMwareView ComposerLogs
bull FATAL CSvmGaService - [svmGaServicecpp 116] Domain join failed Error 5 (0x5) Access is denied
ABV1592BE CONFIDENTIAL 56
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
What to look forhellip
bull Broker starts session on VM
ndash [DesktopSessionImp] (SESSION7072--a79c) startSession ndashsending StartSession message
bull Agent respondshellip
ndash DesktopManager got a StartSession messagerdquo
ndash Client Info should be in Agent Log along with PCoIP launch
bull Event Database AGENT_PENDING
bull Client connects to VM (Agent)
ndash ldquoPCoIPCnxOnConnectionComplete Begin (PCOIP)rdquo
ndash ldquoWTS_SESSION_LOGONrdquo
ndash Event Database AGENT_CONNECTED
ABV1592BE CONFIDENTIAL 57
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Source Not Available
58
Common Issues
bull No Desktop Available
bull Pool provisioning issues ndashcustomization
bull Agent not communicatingwith broker
bull Stuck at desktop loginscreen (SSO)
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Source Not Available
59
Where to look
bull Event Database
bull Connection Server logs
What to look for
[SessionLaunchContext] (SESSION40a7__6cbd) VMWEUCbsimpson Desktop=vmworld Session request failed
(SESSION40a7__6cbd) [VMWEUCbsimpson Desktop=vmworld] (5ms) The following servers were blocked for new sessions [cn=5162cf76-8d8a-4ac0-9185-845a540d24e5ou=serversdc=vdidc=vmwaredc=int]
(SESSION40a7__6cbd) [VMWEUCbsimpson Desktop=vmworld] (5ms) Application launch failed exception was The desktop sources for this desktop are not responding Please try again later
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and vCenter Server Connection
Accept vCenter Certificate
By default certificate validation is required between App Volumes Manager and vSphere
Accept vCenter cert (self-signed or CA-signed) while creating the Machine Manager in App Volumes Manager
No custom certificate work required
App Volumes
ABV1592BE CONFIDENTIAL 60
VMworld 2017 Content Not fo
r publication or distri
bution
Certificate Options for ProductionEnable Certificate Validation on the App Volumes Agent
HKLMSystemCurrentControlSetServicessvservicesParametersbull EnforceSSLCertificateValidation = 1bull SSL = 1
Options to Enable SSL
SSL is enabled by default
Donrsquot disable certificate validation during Agent installation
Enable SSL in the registry after App Volumes Agent install
App Volumes
61
VMworld 2017 Content Not fo
r publication or distri
bution
Certificate Options for a POCDisable SSL Certificate Validation on the Agent
HKLMSystemCurrentControlSetServicessvservicesParametersbull EnforceSSLCertificateValidation = 0
Options to Disable SSL
Disable Certificate Validation with App Volumes Manager during App Volumes Agent install
EnforceSSLCertificateValidation in the registry after App Volumes Agent install
App Volumes
62
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and SQL Server CommunicationSecuring Communications Between App Volumes Manager and SQL Server
bull 212 User Guide references MS Support
bull Note the differences for a SQL Server clustered installation
bull Encryption is configured on the SQL Server instance so alldatabases on a shared SQL Server will be affected
bull From the SQL Server use SQL Server Configuration Manager to configure Force Encryption and specify the SQL certificate
SQL Server service account must have Read permissions to the Private Key of the SQL Server SSL certificate
ndash Check SQL Server Configuration Manager gt SQL Server Services gt SQL Server (SQL) gt Log On
ndash Default is NT ServiceMSSQL$SQL which does not have the necessary permissions
App Volumes
ABV1592BE CONFIDENTIAL 63
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and SQL Server CommunicationSetting Custom Private Key Permissions for SQL Service Account
bull Start on the SQL Server
bull MMC gt Certificates
App Volumes
ABV1592BE CONFIDENTIAL 64
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and Load Balancers
Typical Deployment
SSL is terminated at load balancer
HTTP between LB and AV Manager
SSL between AV Agents and LB
If trusted CA-signed cert is used for LB be
sure all agents trust the CA
App Volumes Agent VMs
Load Balancer
App Volumes Manager VMs
Alternative Deployment
To keep SSL between LB and AV
Manager signed AV Manager
certificate(s) should be added to trust list
of the LB
SQLView Infrastructure
Now Secured with SSL
Certificates
App Volumes
ABV1592BE CONFIDENTIAL 65
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
Blast Extreme Adaptive TransportADMX Template Settings
Computer gt Policies gt Admin Templates gt VMware Blast gt UDP Protocol
bull Requires restart of Blast service or reboot of guest OS to take effect
BlastExtreme
ABV1592BE CONFIDENTIAL 31
VMworld 2017 Content Not fo
r publication or distri
bution
Blast Extreme Adaptive Transport
Client Settings Agent Settings (UDP) Blast Desktop Connection Broker Connection
Excellent Not configured or Enabled TCP TCP
Typical Not configured or Enabled UDP TCP
Poor Not configured or Enabled UDP UDP
Computer gt Policies gt Admin Templates gt VMware Blast gt UDP Protocol ndash Not Configured or Enabled
HKLMSOFTWAREPoliciesVMware IncVMware BlastConfig ndash UdpEnabled = 1
Client Settings Agent Settings (UDP) Blast Desktop Connection Broker Connection
Excellent Disabled TCP TCP
Typical Disabled TCP TCP
Poor Disabled TCP UDP
Computer gt Policies gt Admin Templates gt VMware Blast gt UDP Protocol ndash Disabled
HKLMSOFTWAREPoliciesVMware IncVMware BlastConfig ndash UdpEnabled = 0
BlastExtreme
ABV1592BE CONFIDENTIAL 32
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon Connectivity Issues
bull Where to look
ndash Connection Broker logs
bull CProgramDataVMwareVDMlogs
ndash Event Database
ndash DCT Tool
bull What to look for ndash
bull (Client connects) [SimpleAJPService] (ajpbrokerRequest9) Request from 19216821 POST brokerxml
bull (Broker authentication) [WinAuthFilter] (SESSION7072--a79c mattc) Attempting to authenticate user mattc in domain FUTUREOFFICErsquo
bull (User has authenticated to Broker) [AuthorizationFilter] (SESSION7072--a79c) User FUTUREOFFICEmattc has successfully authenticated to VDM
bull (Audit Entry) [Audit] (SESSION7072--a79c) BROKER_LOGONUSERFUTUREOFFICEmattcUSERSIDS-1-5-21-326850759-2560684469-1780228732-1113USERDNCN=S-1-5-21-326850759-2560684469-1780228732-1113CN=ForeignSecurityPrincipalsDC=vdiDC=vmwareDC=int
bull Event Database BROKER_USERLOGGEDIN
ABV1592BE CONFIDENTIAL 33
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
User Experience Issues
bull Black screen of deathmdashinstead of desktop
ndash PCoIP port blocked (TCP and UDP 4172) or SVGA Driver issue
ndash pcoip_serverclient logs - CUsersAll UsersVMwareVDMlogs
bull Error attaching to SVGADevTap error 4000 EscapeFailed
bull MGMT_SCHAN scnet_client_open tera_sock_connect returned error 10060 - Connection timed out
ndash Incorrect PCoIP External URL configured for SecurityConnection Servers
ABV1592BE CONFIDENTIAL 34
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
User Experience Issues
bull Poor quality display
ndash Bandwidth latency or QoS
ndash Pcoip_server logs report
bull VGMAC Stat frms Loss=045021 (RT)
bull MGMT_PCOIP_DATA BW Decrease (loss) old = 2349982 new = 1768438
bull Randomly disconnected session
ndash 15 min after established - wssm process hasnt started on desktop
ndash View Agent logs (ltDriveLettergtProgramDataVMwareVDMlogs)
ndash PENDING_EXPIRED
ndash Sometimes caused by daisy-chaining the GINA (WinXP)
ABV1592BE CONFIDENTIAL 35
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Multi-VLAN support for Instant Clone pools
36
Tips to Avoid Deployment Issues
Support
bull vSphere 2016
bull ESXi 60 U1 or newer
bull Virtual Distributed Switch only
ndash No support for Standard Switch
bull Port Group must be configured for Static Port Binding amp Fixed Port Allocation
ndash No support for Dynamic or Ephemeral
Tested Limits
bull No multi-VLAN provisioning with IPv6
bull Single IC pool of 2K VMs
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Multi-VLAN with Horizon Instant Clones
37
Troubleshooting
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Performance
bull Common Issues
ndash Storage IO bottleneck
ndash Memory contention
ndash CPU contention
ndash Network issues
bull Where to look
ndash vCenter Server
ndash VCOPs
ndash ESXTOP
ndash 3rd Party Tools
ABV1592BE CONFIDENTIAL 38
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
The 3 Pillars of Performance
What to look for
bull CPU
ndash ClusterHost utilization lt 90
ndash VM utilization - USED (ESXTOP)
ndash VM RDY Time (ESXTOP) lt 10
bull Memory
ndash Host utilization lt 85
ndash VM utilization
ndash Swapping Ballooning SWCUR gt 1 MCTLSZ gt 1 (ESXTOP)
bull Storage
ndash Disk Read Latency lt 25ms
ndash ESXTOP DAVG or KAVG lt 25ms (ESXTOP)
ABV1592BE CONFIDENTIAL 39
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Optimize Your Images
bull httpslabsvmwarecomflingsvmware-os-optimization-tool
ABV1592BE CONFIDENTIAL 40
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
User Environment ManagerCommon Issues
41
VMworld 2017 Content Not fo
r publication or distri
bution
FlexEngine Appears Not To Run
FlexEngine Client
bull Requires use of Regeditexeor Regexe to modify user-based registry keys
bull Must not be disabled via Local or Group Policy
ADMX Settings
bull Minimum settings to enable FlexEngine Client
bull Check path
ABV1592BE CONFIDENTIAL 42
VMworld 2017 Content Not fo
r publication or distri
bution
Path-Based Import Runs Slow
43
bull Be careful not to run FlexEngine as a logon script and a Group Policy client-side extension
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Application Incompatibility with Hook Drivers
44
User Environment Manager
DirectFlex Blacklist
bull Create ltFlexRepositorygtDirectFlexBlackListXML
bull Populate as follows
ltxml version=10 encoding=utf-8gt
ltuserEnvironmentSettingsgt
ltsetting type=blacklist list=rdquo1exe|2exe|3exe gt
ltuserEnvironmentSettingsgt
bull Example httpskbvmwarecomkb2145287
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
App VolumesCommon Issues
45
VMworld 2017 Content Not fo
r publication or distri
bution
Slow User Logon
46
bull Check Logon Segments in Horizon to determine where the delay is
bull Optimize clockyml
ndash If performance decreases as deployment scales
ndash Increasing servers workers and thread_poolrequires additional CPU and RAM
ndash Involve GSS to ensure optimal settings
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
AppStack Not Attaching at Logon
47
bull One host in vSphere cluster does not have access to the shared datastore where the AppStack resides
ndash Common oversight especially with Storage Groups
bull Conflicting Minifilter driver
ndash DLP software
ndash Be aware of app altitude
ndash More info from Microsoft
bull httpbitly2tSCdG5
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
ADSI Edit ndash Static Configuration Editing
50
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
ADSI Edit ndash Common Key Values to Inspect
bull pae-DisplayName
ndash VM name as displayed in View Admin
bull pae-DirtyForNewSessions
ndash Indicates whether the VM is ldquoDirtyrdquo and can be re-used in a non-persistent pool
bull pae-SVIVMSnapshot
ndash Indicates the current Snapshot that is in use
bull pae-VmPath
ndash Indicates the full Path to the VM in vCenter
bull pae-VmState
ndash Indicates the current state of the Desktop ndash some states are a combination of this valueand other values
51
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
ADSI Edit ndash Searching for a Desktop
bull Find VMs with a Snapshot
ndash (amp(objectClass=pae-VM)(pae-SVIVmSnapshot=BaselineSnapshot1Snapshot2))
bull Find VMs with a Name
ndash (amp(objectClass=pae-VM)(pae-DisplayName=Desktop-234))
ABV1592BE CONFIDENTIAL 52
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon View Event Notifier
bull On the VMware Fling site - labsvmwarecomflings (chrishalstead)
ABV1592BE CONFIDENTIAL 53
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
What to look forhellip (walk through successful connection)
bull Client requests desktop
ndash Event Database BROKER_DESKTOP_REQUEST
bull Broker allocates session to user
ndash [FarmImp] (SESSION7072--a79c) cn=3f974017-409f-4912-83bc-2ee794f22fabou=serversdc=vdidc=vmwaredc=int total session count 0
ndash [FarmImp] (SESSION7072--a79c) allocateNewSession - identified server for application CN=GOLD-NPOU=ApplicationsDC=vdiDC=vmwareDC=int
ndash Event Database BROKER_MACHINE_ALLOCATED
bull Broker attempts SSO
ndash [FarmImp] (SESSION7072--a79c) Using domain for SSO FUTUREOFFICE
ndash User wonrsquot be logged on to the VM without this
ABV1592BE CONFIDENTIAL 54
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
What to look forhellip Pool Provisioning
bull Desktops not available due to provisioning error
ndash Check View Administrator for Pool status check datastore capacity
ndash Check Event Database - BROKER_PROVISIONING_ERROR_
ndash Check View Composer has network access to ESX hosts
bull Desktop not available due to customization
ndash Check Desktop status ndash AGENT UNAVAILABLE
ndash Check View Dashboard
bull Desktop Status gt Preparing Desktops OR Problem Desktops
ndash Check Desktop connectivity to DNSADConnection Server
ABV1592BE CONFIDENTIAL 55
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
bull Desktop not available due to VM resetcrash
ndash Check Desktop status ndash ALREADY USED
ndash Typical on refresh-on-logoff or delete-on-use desktops
ndash Broker never received an explicit logout message from the agent
ndash Missing AGENT_ENDED event in DB for VM
bull View Composer Issues associated with incorrect domain credentials
bull CProgramDataVMwareView ComposerLogs
bull FATAL CSvmGaService - [svmGaServicecpp 116] Domain join failed Error 5 (0x5) Access is denied
ABV1592BE CONFIDENTIAL 56
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
What to look forhellip
bull Broker starts session on VM
ndash [DesktopSessionImp] (SESSION7072--a79c) startSession ndashsending StartSession message
bull Agent respondshellip
ndash DesktopManager got a StartSession messagerdquo
ndash Client Info should be in Agent Log along with PCoIP launch
bull Event Database AGENT_PENDING
bull Client connects to VM (Agent)
ndash ldquoPCoIPCnxOnConnectionComplete Begin (PCOIP)rdquo
ndash ldquoWTS_SESSION_LOGONrdquo
ndash Event Database AGENT_CONNECTED
ABV1592BE CONFIDENTIAL 57
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Source Not Available
58
Common Issues
bull No Desktop Available
bull Pool provisioning issues ndashcustomization
bull Agent not communicatingwith broker
bull Stuck at desktop loginscreen (SSO)
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Source Not Available
59
Where to look
bull Event Database
bull Connection Server logs
What to look for
[SessionLaunchContext] (SESSION40a7__6cbd) VMWEUCbsimpson Desktop=vmworld Session request failed
(SESSION40a7__6cbd) [VMWEUCbsimpson Desktop=vmworld] (5ms) The following servers were blocked for new sessions [cn=5162cf76-8d8a-4ac0-9185-845a540d24e5ou=serversdc=vdidc=vmwaredc=int]
(SESSION40a7__6cbd) [VMWEUCbsimpson Desktop=vmworld] (5ms) Application launch failed exception was The desktop sources for this desktop are not responding Please try again later
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and vCenter Server Connection
Accept vCenter Certificate
By default certificate validation is required between App Volumes Manager and vSphere
Accept vCenter cert (self-signed or CA-signed) while creating the Machine Manager in App Volumes Manager
No custom certificate work required
App Volumes
ABV1592BE CONFIDENTIAL 60
VMworld 2017 Content Not fo
r publication or distri
bution
Certificate Options for ProductionEnable Certificate Validation on the App Volumes Agent
HKLMSystemCurrentControlSetServicessvservicesParametersbull EnforceSSLCertificateValidation = 1bull SSL = 1
Options to Enable SSL
SSL is enabled by default
Donrsquot disable certificate validation during Agent installation
Enable SSL in the registry after App Volumes Agent install
App Volumes
61
VMworld 2017 Content Not fo
r publication or distri
bution
Certificate Options for a POCDisable SSL Certificate Validation on the Agent
HKLMSystemCurrentControlSetServicessvservicesParametersbull EnforceSSLCertificateValidation = 0
Options to Disable SSL
Disable Certificate Validation with App Volumes Manager during App Volumes Agent install
EnforceSSLCertificateValidation in the registry after App Volumes Agent install
App Volumes
62
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and SQL Server CommunicationSecuring Communications Between App Volumes Manager and SQL Server
bull 212 User Guide references MS Support
bull Note the differences for a SQL Server clustered installation
bull Encryption is configured on the SQL Server instance so alldatabases on a shared SQL Server will be affected
bull From the SQL Server use SQL Server Configuration Manager to configure Force Encryption and specify the SQL certificate
SQL Server service account must have Read permissions to the Private Key of the SQL Server SSL certificate
ndash Check SQL Server Configuration Manager gt SQL Server Services gt SQL Server (SQL) gt Log On
ndash Default is NT ServiceMSSQL$SQL which does not have the necessary permissions
App Volumes
ABV1592BE CONFIDENTIAL 63
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and SQL Server CommunicationSetting Custom Private Key Permissions for SQL Service Account
bull Start on the SQL Server
bull MMC gt Certificates
App Volumes
ABV1592BE CONFIDENTIAL 64
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and Load Balancers
Typical Deployment
SSL is terminated at load balancer
HTTP between LB and AV Manager
SSL between AV Agents and LB
If trusted CA-signed cert is used for LB be
sure all agents trust the CA
App Volumes Agent VMs
Load Balancer
App Volumes Manager VMs
Alternative Deployment
To keep SSL between LB and AV
Manager signed AV Manager
certificate(s) should be added to trust list
of the LB
SQLView Infrastructure
Now Secured with SSL
Certificates
App Volumes
ABV1592BE CONFIDENTIAL 65
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
Blast Extreme Adaptive Transport
Client Settings Agent Settings (UDP) Blast Desktop Connection Broker Connection
Excellent Not configured or Enabled TCP TCP
Typical Not configured or Enabled UDP TCP
Poor Not configured or Enabled UDP UDP
Computer gt Policies gt Admin Templates gt VMware Blast gt UDP Protocol ndash Not Configured or Enabled
HKLMSOFTWAREPoliciesVMware IncVMware BlastConfig ndash UdpEnabled = 1
Client Settings Agent Settings (UDP) Blast Desktop Connection Broker Connection
Excellent Disabled TCP TCP
Typical Disabled TCP TCP
Poor Disabled TCP UDP
Computer gt Policies gt Admin Templates gt VMware Blast gt UDP Protocol ndash Disabled
HKLMSOFTWAREPoliciesVMware IncVMware BlastConfig ndash UdpEnabled = 0
BlastExtreme
ABV1592BE CONFIDENTIAL 32
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon Connectivity Issues
bull Where to look
ndash Connection Broker logs
bull CProgramDataVMwareVDMlogs
ndash Event Database
ndash DCT Tool
bull What to look for ndash
bull (Client connects) [SimpleAJPService] (ajpbrokerRequest9) Request from 19216821 POST brokerxml
bull (Broker authentication) [WinAuthFilter] (SESSION7072--a79c mattc) Attempting to authenticate user mattc in domain FUTUREOFFICErsquo
bull (User has authenticated to Broker) [AuthorizationFilter] (SESSION7072--a79c) User FUTUREOFFICEmattc has successfully authenticated to VDM
bull (Audit Entry) [Audit] (SESSION7072--a79c) BROKER_LOGONUSERFUTUREOFFICEmattcUSERSIDS-1-5-21-326850759-2560684469-1780228732-1113USERDNCN=S-1-5-21-326850759-2560684469-1780228732-1113CN=ForeignSecurityPrincipalsDC=vdiDC=vmwareDC=int
bull Event Database BROKER_USERLOGGEDIN
ABV1592BE CONFIDENTIAL 33
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
User Experience Issues
bull Black screen of deathmdashinstead of desktop
ndash PCoIP port blocked (TCP and UDP 4172) or SVGA Driver issue
ndash pcoip_serverclient logs - CUsersAll UsersVMwareVDMlogs
bull Error attaching to SVGADevTap error 4000 EscapeFailed
bull MGMT_SCHAN scnet_client_open tera_sock_connect returned error 10060 - Connection timed out
ndash Incorrect PCoIP External URL configured for SecurityConnection Servers
ABV1592BE CONFIDENTIAL 34
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
User Experience Issues
bull Poor quality display
ndash Bandwidth latency or QoS
ndash Pcoip_server logs report
bull VGMAC Stat frms Loss=045021 (RT)
bull MGMT_PCOIP_DATA BW Decrease (loss) old = 2349982 new = 1768438
bull Randomly disconnected session
ndash 15 min after established - wssm process hasnt started on desktop
ndash View Agent logs (ltDriveLettergtProgramDataVMwareVDMlogs)
ndash PENDING_EXPIRED
ndash Sometimes caused by daisy-chaining the GINA (WinXP)
ABV1592BE CONFIDENTIAL 35
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Multi-VLAN support for Instant Clone pools
36
Tips to Avoid Deployment Issues
Support
bull vSphere 2016
bull ESXi 60 U1 or newer
bull Virtual Distributed Switch only
ndash No support for Standard Switch
bull Port Group must be configured for Static Port Binding amp Fixed Port Allocation
ndash No support for Dynamic or Ephemeral
Tested Limits
bull No multi-VLAN provisioning with IPv6
bull Single IC pool of 2K VMs
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Multi-VLAN with Horizon Instant Clones
37
Troubleshooting
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Performance
bull Common Issues
ndash Storage IO bottleneck
ndash Memory contention
ndash CPU contention
ndash Network issues
bull Where to look
ndash vCenter Server
ndash VCOPs
ndash ESXTOP
ndash 3rd Party Tools
ABV1592BE CONFIDENTIAL 38
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
The 3 Pillars of Performance
What to look for
bull CPU
ndash ClusterHost utilization lt 90
ndash VM utilization - USED (ESXTOP)
ndash VM RDY Time (ESXTOP) lt 10
bull Memory
ndash Host utilization lt 85
ndash VM utilization
ndash Swapping Ballooning SWCUR gt 1 MCTLSZ gt 1 (ESXTOP)
bull Storage
ndash Disk Read Latency lt 25ms
ndash ESXTOP DAVG or KAVG lt 25ms (ESXTOP)
ABV1592BE CONFIDENTIAL 39
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Optimize Your Images
bull httpslabsvmwarecomflingsvmware-os-optimization-tool
ABV1592BE CONFIDENTIAL 40
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
User Environment ManagerCommon Issues
41
VMworld 2017 Content Not fo
r publication or distri
bution
FlexEngine Appears Not To Run
FlexEngine Client
bull Requires use of Regeditexeor Regexe to modify user-based registry keys
bull Must not be disabled via Local or Group Policy
ADMX Settings
bull Minimum settings to enable FlexEngine Client
bull Check path
ABV1592BE CONFIDENTIAL 42
VMworld 2017 Content Not fo
r publication or distri
bution
Path-Based Import Runs Slow
43
bull Be careful not to run FlexEngine as a logon script and a Group Policy client-side extension
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Application Incompatibility with Hook Drivers
44
User Environment Manager
DirectFlex Blacklist
bull Create ltFlexRepositorygtDirectFlexBlackListXML
bull Populate as follows
ltxml version=10 encoding=utf-8gt
ltuserEnvironmentSettingsgt
ltsetting type=blacklist list=rdquo1exe|2exe|3exe gt
ltuserEnvironmentSettingsgt
bull Example httpskbvmwarecomkb2145287
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
App VolumesCommon Issues
45
VMworld 2017 Content Not fo
r publication or distri
bution
Slow User Logon
46
bull Check Logon Segments in Horizon to determine where the delay is
bull Optimize clockyml
ndash If performance decreases as deployment scales
ndash Increasing servers workers and thread_poolrequires additional CPU and RAM
ndash Involve GSS to ensure optimal settings
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
AppStack Not Attaching at Logon
47
bull One host in vSphere cluster does not have access to the shared datastore where the AppStack resides
ndash Common oversight especially with Storage Groups
bull Conflicting Minifilter driver
ndash DLP software
ndash Be aware of app altitude
ndash More info from Microsoft
bull httpbitly2tSCdG5
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
ADSI Edit ndash Static Configuration Editing
50
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
ADSI Edit ndash Common Key Values to Inspect
bull pae-DisplayName
ndash VM name as displayed in View Admin
bull pae-DirtyForNewSessions
ndash Indicates whether the VM is ldquoDirtyrdquo and can be re-used in a non-persistent pool
bull pae-SVIVMSnapshot
ndash Indicates the current Snapshot that is in use
bull pae-VmPath
ndash Indicates the full Path to the VM in vCenter
bull pae-VmState
ndash Indicates the current state of the Desktop ndash some states are a combination of this valueand other values
51
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
ADSI Edit ndash Searching for a Desktop
bull Find VMs with a Snapshot
ndash (amp(objectClass=pae-VM)(pae-SVIVmSnapshot=BaselineSnapshot1Snapshot2))
bull Find VMs with a Name
ndash (amp(objectClass=pae-VM)(pae-DisplayName=Desktop-234))
ABV1592BE CONFIDENTIAL 52
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon View Event Notifier
bull On the VMware Fling site - labsvmwarecomflings (chrishalstead)
ABV1592BE CONFIDENTIAL 53
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
What to look forhellip (walk through successful connection)
bull Client requests desktop
ndash Event Database BROKER_DESKTOP_REQUEST
bull Broker allocates session to user
ndash [FarmImp] (SESSION7072--a79c) cn=3f974017-409f-4912-83bc-2ee794f22fabou=serversdc=vdidc=vmwaredc=int total session count 0
ndash [FarmImp] (SESSION7072--a79c) allocateNewSession - identified server for application CN=GOLD-NPOU=ApplicationsDC=vdiDC=vmwareDC=int
ndash Event Database BROKER_MACHINE_ALLOCATED
bull Broker attempts SSO
ndash [FarmImp] (SESSION7072--a79c) Using domain for SSO FUTUREOFFICE
ndash User wonrsquot be logged on to the VM without this
ABV1592BE CONFIDENTIAL 54
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
What to look forhellip Pool Provisioning
bull Desktops not available due to provisioning error
ndash Check View Administrator for Pool status check datastore capacity
ndash Check Event Database - BROKER_PROVISIONING_ERROR_
ndash Check View Composer has network access to ESX hosts
bull Desktop not available due to customization
ndash Check Desktop status ndash AGENT UNAVAILABLE
ndash Check View Dashboard
bull Desktop Status gt Preparing Desktops OR Problem Desktops
ndash Check Desktop connectivity to DNSADConnection Server
ABV1592BE CONFIDENTIAL 55
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
bull Desktop not available due to VM resetcrash
ndash Check Desktop status ndash ALREADY USED
ndash Typical on refresh-on-logoff or delete-on-use desktops
ndash Broker never received an explicit logout message from the agent
ndash Missing AGENT_ENDED event in DB for VM
bull View Composer Issues associated with incorrect domain credentials
bull CProgramDataVMwareView ComposerLogs
bull FATAL CSvmGaService - [svmGaServicecpp 116] Domain join failed Error 5 (0x5) Access is denied
ABV1592BE CONFIDENTIAL 56
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
What to look forhellip
bull Broker starts session on VM
ndash [DesktopSessionImp] (SESSION7072--a79c) startSession ndashsending StartSession message
bull Agent respondshellip
ndash DesktopManager got a StartSession messagerdquo
ndash Client Info should be in Agent Log along with PCoIP launch
bull Event Database AGENT_PENDING
bull Client connects to VM (Agent)
ndash ldquoPCoIPCnxOnConnectionComplete Begin (PCOIP)rdquo
ndash ldquoWTS_SESSION_LOGONrdquo
ndash Event Database AGENT_CONNECTED
ABV1592BE CONFIDENTIAL 57
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Source Not Available
58
Common Issues
bull No Desktop Available
bull Pool provisioning issues ndashcustomization
bull Agent not communicatingwith broker
bull Stuck at desktop loginscreen (SSO)
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Source Not Available
59
Where to look
bull Event Database
bull Connection Server logs
What to look for
[SessionLaunchContext] (SESSION40a7__6cbd) VMWEUCbsimpson Desktop=vmworld Session request failed
(SESSION40a7__6cbd) [VMWEUCbsimpson Desktop=vmworld] (5ms) The following servers were blocked for new sessions [cn=5162cf76-8d8a-4ac0-9185-845a540d24e5ou=serversdc=vdidc=vmwaredc=int]
(SESSION40a7__6cbd) [VMWEUCbsimpson Desktop=vmworld] (5ms) Application launch failed exception was The desktop sources for this desktop are not responding Please try again later
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and vCenter Server Connection
Accept vCenter Certificate
By default certificate validation is required between App Volumes Manager and vSphere
Accept vCenter cert (self-signed or CA-signed) while creating the Machine Manager in App Volumes Manager
No custom certificate work required
App Volumes
ABV1592BE CONFIDENTIAL 60
VMworld 2017 Content Not fo
r publication or distri
bution
Certificate Options for ProductionEnable Certificate Validation on the App Volumes Agent
HKLMSystemCurrentControlSetServicessvservicesParametersbull EnforceSSLCertificateValidation = 1bull SSL = 1
Options to Enable SSL
SSL is enabled by default
Donrsquot disable certificate validation during Agent installation
Enable SSL in the registry after App Volumes Agent install
App Volumes
61
VMworld 2017 Content Not fo
r publication or distri
bution
Certificate Options for a POCDisable SSL Certificate Validation on the Agent
HKLMSystemCurrentControlSetServicessvservicesParametersbull EnforceSSLCertificateValidation = 0
Options to Disable SSL
Disable Certificate Validation with App Volumes Manager during App Volumes Agent install
EnforceSSLCertificateValidation in the registry after App Volumes Agent install
App Volumes
62
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and SQL Server CommunicationSecuring Communications Between App Volumes Manager and SQL Server
bull 212 User Guide references MS Support
bull Note the differences for a SQL Server clustered installation
bull Encryption is configured on the SQL Server instance so alldatabases on a shared SQL Server will be affected
bull From the SQL Server use SQL Server Configuration Manager to configure Force Encryption and specify the SQL certificate
SQL Server service account must have Read permissions to the Private Key of the SQL Server SSL certificate
ndash Check SQL Server Configuration Manager gt SQL Server Services gt SQL Server (SQL) gt Log On
ndash Default is NT ServiceMSSQL$SQL which does not have the necessary permissions
App Volumes
ABV1592BE CONFIDENTIAL 63
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and SQL Server CommunicationSetting Custom Private Key Permissions for SQL Service Account
bull Start on the SQL Server
bull MMC gt Certificates
App Volumes
ABV1592BE CONFIDENTIAL 64
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and Load Balancers
Typical Deployment
SSL is terminated at load balancer
HTTP between LB and AV Manager
SSL between AV Agents and LB
If trusted CA-signed cert is used for LB be
sure all agents trust the CA
App Volumes Agent VMs
Load Balancer
App Volumes Manager VMs
Alternative Deployment
To keep SSL between LB and AV
Manager signed AV Manager
certificate(s) should be added to trust list
of the LB
SQLView Infrastructure
Now Secured with SSL
Certificates
App Volumes
ABV1592BE CONFIDENTIAL 65
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon Connectivity Issues
bull Where to look
ndash Connection Broker logs
bull CProgramDataVMwareVDMlogs
ndash Event Database
ndash DCT Tool
bull What to look for ndash
bull (Client connects) [SimpleAJPService] (ajpbrokerRequest9) Request from 19216821 POST brokerxml
bull (Broker authentication) [WinAuthFilter] (SESSION7072--a79c mattc) Attempting to authenticate user mattc in domain FUTUREOFFICErsquo
bull (User has authenticated to Broker) [AuthorizationFilter] (SESSION7072--a79c) User FUTUREOFFICEmattc has successfully authenticated to VDM
bull (Audit Entry) [Audit] (SESSION7072--a79c) BROKER_LOGONUSERFUTUREOFFICEmattcUSERSIDS-1-5-21-326850759-2560684469-1780228732-1113USERDNCN=S-1-5-21-326850759-2560684469-1780228732-1113CN=ForeignSecurityPrincipalsDC=vdiDC=vmwareDC=int
bull Event Database BROKER_USERLOGGEDIN
ABV1592BE CONFIDENTIAL 33
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
User Experience Issues
bull Black screen of deathmdashinstead of desktop
ndash PCoIP port blocked (TCP and UDP 4172) or SVGA Driver issue
ndash pcoip_serverclient logs - CUsersAll UsersVMwareVDMlogs
bull Error attaching to SVGADevTap error 4000 EscapeFailed
bull MGMT_SCHAN scnet_client_open tera_sock_connect returned error 10060 - Connection timed out
ndash Incorrect PCoIP External URL configured for SecurityConnection Servers
ABV1592BE CONFIDENTIAL 34
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
User Experience Issues
bull Poor quality display
ndash Bandwidth latency or QoS
ndash Pcoip_server logs report
bull VGMAC Stat frms Loss=045021 (RT)
bull MGMT_PCOIP_DATA BW Decrease (loss) old = 2349982 new = 1768438
bull Randomly disconnected session
ndash 15 min after established - wssm process hasnt started on desktop
ndash View Agent logs (ltDriveLettergtProgramDataVMwareVDMlogs)
ndash PENDING_EXPIRED
ndash Sometimes caused by daisy-chaining the GINA (WinXP)
ABV1592BE CONFIDENTIAL 35
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Multi-VLAN support for Instant Clone pools
36
Tips to Avoid Deployment Issues
Support
bull vSphere 2016
bull ESXi 60 U1 or newer
bull Virtual Distributed Switch only
ndash No support for Standard Switch
bull Port Group must be configured for Static Port Binding amp Fixed Port Allocation
ndash No support for Dynamic or Ephemeral
Tested Limits
bull No multi-VLAN provisioning with IPv6
bull Single IC pool of 2K VMs
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Multi-VLAN with Horizon Instant Clones
37
Troubleshooting
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Performance
bull Common Issues
ndash Storage IO bottleneck
ndash Memory contention
ndash CPU contention
ndash Network issues
bull Where to look
ndash vCenter Server
ndash VCOPs
ndash ESXTOP
ndash 3rd Party Tools
ABV1592BE CONFIDENTIAL 38
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
The 3 Pillars of Performance
What to look for
bull CPU
ndash ClusterHost utilization lt 90
ndash VM utilization - USED (ESXTOP)
ndash VM RDY Time (ESXTOP) lt 10
bull Memory
ndash Host utilization lt 85
ndash VM utilization
ndash Swapping Ballooning SWCUR gt 1 MCTLSZ gt 1 (ESXTOP)
bull Storage
ndash Disk Read Latency lt 25ms
ndash ESXTOP DAVG or KAVG lt 25ms (ESXTOP)
ABV1592BE CONFIDENTIAL 39
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Optimize Your Images
bull httpslabsvmwarecomflingsvmware-os-optimization-tool
ABV1592BE CONFIDENTIAL 40
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
User Environment ManagerCommon Issues
41
VMworld 2017 Content Not fo
r publication or distri
bution
FlexEngine Appears Not To Run
FlexEngine Client
bull Requires use of Regeditexeor Regexe to modify user-based registry keys
bull Must not be disabled via Local or Group Policy
ADMX Settings
bull Minimum settings to enable FlexEngine Client
bull Check path
ABV1592BE CONFIDENTIAL 42
VMworld 2017 Content Not fo
r publication or distri
bution
Path-Based Import Runs Slow
43
bull Be careful not to run FlexEngine as a logon script and a Group Policy client-side extension
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Application Incompatibility with Hook Drivers
44
User Environment Manager
DirectFlex Blacklist
bull Create ltFlexRepositorygtDirectFlexBlackListXML
bull Populate as follows
ltxml version=10 encoding=utf-8gt
ltuserEnvironmentSettingsgt
ltsetting type=blacklist list=rdquo1exe|2exe|3exe gt
ltuserEnvironmentSettingsgt
bull Example httpskbvmwarecomkb2145287
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
App VolumesCommon Issues
45
VMworld 2017 Content Not fo
r publication or distri
bution
Slow User Logon
46
bull Check Logon Segments in Horizon to determine where the delay is
bull Optimize clockyml
ndash If performance decreases as deployment scales
ndash Increasing servers workers and thread_poolrequires additional CPU and RAM
ndash Involve GSS to ensure optimal settings
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
AppStack Not Attaching at Logon
47
bull One host in vSphere cluster does not have access to the shared datastore where the AppStack resides
ndash Common oversight especially with Storage Groups
bull Conflicting Minifilter driver
ndash DLP software
ndash Be aware of app altitude
ndash More info from Microsoft
bull httpbitly2tSCdG5
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
ADSI Edit ndash Static Configuration Editing
50
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
ADSI Edit ndash Common Key Values to Inspect
bull pae-DisplayName
ndash VM name as displayed in View Admin
bull pae-DirtyForNewSessions
ndash Indicates whether the VM is ldquoDirtyrdquo and can be re-used in a non-persistent pool
bull pae-SVIVMSnapshot
ndash Indicates the current Snapshot that is in use
bull pae-VmPath
ndash Indicates the full Path to the VM in vCenter
bull pae-VmState
ndash Indicates the current state of the Desktop ndash some states are a combination of this valueand other values
51
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
ADSI Edit ndash Searching for a Desktop
bull Find VMs with a Snapshot
ndash (amp(objectClass=pae-VM)(pae-SVIVmSnapshot=BaselineSnapshot1Snapshot2))
bull Find VMs with a Name
ndash (amp(objectClass=pae-VM)(pae-DisplayName=Desktop-234))
ABV1592BE CONFIDENTIAL 52
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon View Event Notifier
bull On the VMware Fling site - labsvmwarecomflings (chrishalstead)
ABV1592BE CONFIDENTIAL 53
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
What to look forhellip (walk through successful connection)
bull Client requests desktop
ndash Event Database BROKER_DESKTOP_REQUEST
bull Broker allocates session to user
ndash [FarmImp] (SESSION7072--a79c) cn=3f974017-409f-4912-83bc-2ee794f22fabou=serversdc=vdidc=vmwaredc=int total session count 0
ndash [FarmImp] (SESSION7072--a79c) allocateNewSession - identified server for application CN=GOLD-NPOU=ApplicationsDC=vdiDC=vmwareDC=int
ndash Event Database BROKER_MACHINE_ALLOCATED
bull Broker attempts SSO
ndash [FarmImp] (SESSION7072--a79c) Using domain for SSO FUTUREOFFICE
ndash User wonrsquot be logged on to the VM without this
ABV1592BE CONFIDENTIAL 54
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
What to look forhellip Pool Provisioning
bull Desktops not available due to provisioning error
ndash Check View Administrator for Pool status check datastore capacity
ndash Check Event Database - BROKER_PROVISIONING_ERROR_
ndash Check View Composer has network access to ESX hosts
bull Desktop not available due to customization
ndash Check Desktop status ndash AGENT UNAVAILABLE
ndash Check View Dashboard
bull Desktop Status gt Preparing Desktops OR Problem Desktops
ndash Check Desktop connectivity to DNSADConnection Server
ABV1592BE CONFIDENTIAL 55
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
bull Desktop not available due to VM resetcrash
ndash Check Desktop status ndash ALREADY USED
ndash Typical on refresh-on-logoff or delete-on-use desktops
ndash Broker never received an explicit logout message from the agent
ndash Missing AGENT_ENDED event in DB for VM
bull View Composer Issues associated with incorrect domain credentials
bull CProgramDataVMwareView ComposerLogs
bull FATAL CSvmGaService - [svmGaServicecpp 116] Domain join failed Error 5 (0x5) Access is denied
ABV1592BE CONFIDENTIAL 56
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
What to look forhellip
bull Broker starts session on VM
ndash [DesktopSessionImp] (SESSION7072--a79c) startSession ndashsending StartSession message
bull Agent respondshellip
ndash DesktopManager got a StartSession messagerdquo
ndash Client Info should be in Agent Log along with PCoIP launch
bull Event Database AGENT_PENDING
bull Client connects to VM (Agent)
ndash ldquoPCoIPCnxOnConnectionComplete Begin (PCOIP)rdquo
ndash ldquoWTS_SESSION_LOGONrdquo
ndash Event Database AGENT_CONNECTED
ABV1592BE CONFIDENTIAL 57
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Source Not Available
58
Common Issues
bull No Desktop Available
bull Pool provisioning issues ndashcustomization
bull Agent not communicatingwith broker
bull Stuck at desktop loginscreen (SSO)
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Source Not Available
59
Where to look
bull Event Database
bull Connection Server logs
What to look for
[SessionLaunchContext] (SESSION40a7__6cbd) VMWEUCbsimpson Desktop=vmworld Session request failed
(SESSION40a7__6cbd) [VMWEUCbsimpson Desktop=vmworld] (5ms) The following servers were blocked for new sessions [cn=5162cf76-8d8a-4ac0-9185-845a540d24e5ou=serversdc=vdidc=vmwaredc=int]
(SESSION40a7__6cbd) [VMWEUCbsimpson Desktop=vmworld] (5ms) Application launch failed exception was The desktop sources for this desktop are not responding Please try again later
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and vCenter Server Connection
Accept vCenter Certificate
By default certificate validation is required between App Volumes Manager and vSphere
Accept vCenter cert (self-signed or CA-signed) while creating the Machine Manager in App Volumes Manager
No custom certificate work required
App Volumes
ABV1592BE CONFIDENTIAL 60
VMworld 2017 Content Not fo
r publication or distri
bution
Certificate Options for ProductionEnable Certificate Validation on the App Volumes Agent
HKLMSystemCurrentControlSetServicessvservicesParametersbull EnforceSSLCertificateValidation = 1bull SSL = 1
Options to Enable SSL
SSL is enabled by default
Donrsquot disable certificate validation during Agent installation
Enable SSL in the registry after App Volumes Agent install
App Volumes
61
VMworld 2017 Content Not fo
r publication or distri
bution
Certificate Options for a POCDisable SSL Certificate Validation on the Agent
HKLMSystemCurrentControlSetServicessvservicesParametersbull EnforceSSLCertificateValidation = 0
Options to Disable SSL
Disable Certificate Validation with App Volumes Manager during App Volumes Agent install
EnforceSSLCertificateValidation in the registry after App Volumes Agent install
App Volumes
62
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and SQL Server CommunicationSecuring Communications Between App Volumes Manager and SQL Server
bull 212 User Guide references MS Support
bull Note the differences for a SQL Server clustered installation
bull Encryption is configured on the SQL Server instance so alldatabases on a shared SQL Server will be affected
bull From the SQL Server use SQL Server Configuration Manager to configure Force Encryption and specify the SQL certificate
SQL Server service account must have Read permissions to the Private Key of the SQL Server SSL certificate
ndash Check SQL Server Configuration Manager gt SQL Server Services gt SQL Server (SQL) gt Log On
ndash Default is NT ServiceMSSQL$SQL which does not have the necessary permissions
App Volumes
ABV1592BE CONFIDENTIAL 63
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and SQL Server CommunicationSetting Custom Private Key Permissions for SQL Service Account
bull Start on the SQL Server
bull MMC gt Certificates
App Volumes
ABV1592BE CONFIDENTIAL 64
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and Load Balancers
Typical Deployment
SSL is terminated at load balancer
HTTP between LB and AV Manager
SSL between AV Agents and LB
If trusted CA-signed cert is used for LB be
sure all agents trust the CA
App Volumes Agent VMs
Load Balancer
App Volumes Manager VMs
Alternative Deployment
To keep SSL between LB and AV
Manager signed AV Manager
certificate(s) should be added to trust list
of the LB
SQLView Infrastructure
Now Secured with SSL
Certificates
App Volumes
ABV1592BE CONFIDENTIAL 65
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
User Experience Issues
bull Black screen of deathmdashinstead of desktop
ndash PCoIP port blocked (TCP and UDP 4172) or SVGA Driver issue
ndash pcoip_serverclient logs - CUsersAll UsersVMwareVDMlogs
bull Error attaching to SVGADevTap error 4000 EscapeFailed
bull MGMT_SCHAN scnet_client_open tera_sock_connect returned error 10060 - Connection timed out
ndash Incorrect PCoIP External URL configured for SecurityConnection Servers
ABV1592BE CONFIDENTIAL 34
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
User Experience Issues
bull Poor quality display
ndash Bandwidth latency or QoS
ndash Pcoip_server logs report
bull VGMAC Stat frms Loss=045021 (RT)
bull MGMT_PCOIP_DATA BW Decrease (loss) old = 2349982 new = 1768438
bull Randomly disconnected session
ndash 15 min after established - wssm process hasnt started on desktop
ndash View Agent logs (ltDriveLettergtProgramDataVMwareVDMlogs)
ndash PENDING_EXPIRED
ndash Sometimes caused by daisy-chaining the GINA (WinXP)
ABV1592BE CONFIDENTIAL 35
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Multi-VLAN support for Instant Clone pools
36
Tips to Avoid Deployment Issues
Support
bull vSphere 2016
bull ESXi 60 U1 or newer
bull Virtual Distributed Switch only
ndash No support for Standard Switch
bull Port Group must be configured for Static Port Binding amp Fixed Port Allocation
ndash No support for Dynamic or Ephemeral
Tested Limits
bull No multi-VLAN provisioning with IPv6
bull Single IC pool of 2K VMs
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Multi-VLAN with Horizon Instant Clones
37
Troubleshooting
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Performance
bull Common Issues
ndash Storage IO bottleneck
ndash Memory contention
ndash CPU contention
ndash Network issues
bull Where to look
ndash vCenter Server
ndash VCOPs
ndash ESXTOP
ndash 3rd Party Tools
ABV1592BE CONFIDENTIAL 38
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
The 3 Pillars of Performance
What to look for
bull CPU
ndash ClusterHost utilization lt 90
ndash VM utilization - USED (ESXTOP)
ndash VM RDY Time (ESXTOP) lt 10
bull Memory
ndash Host utilization lt 85
ndash VM utilization
ndash Swapping Ballooning SWCUR gt 1 MCTLSZ gt 1 (ESXTOP)
bull Storage
ndash Disk Read Latency lt 25ms
ndash ESXTOP DAVG or KAVG lt 25ms (ESXTOP)
ABV1592BE CONFIDENTIAL 39
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Optimize Your Images
bull httpslabsvmwarecomflingsvmware-os-optimization-tool
ABV1592BE CONFIDENTIAL 40
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
User Environment ManagerCommon Issues
41
VMworld 2017 Content Not fo
r publication or distri
bution
FlexEngine Appears Not To Run
FlexEngine Client
bull Requires use of Regeditexeor Regexe to modify user-based registry keys
bull Must not be disabled via Local or Group Policy
ADMX Settings
bull Minimum settings to enable FlexEngine Client
bull Check path
ABV1592BE CONFIDENTIAL 42
VMworld 2017 Content Not fo
r publication or distri
bution
Path-Based Import Runs Slow
43
bull Be careful not to run FlexEngine as a logon script and a Group Policy client-side extension
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Application Incompatibility with Hook Drivers
44
User Environment Manager
DirectFlex Blacklist
bull Create ltFlexRepositorygtDirectFlexBlackListXML
bull Populate as follows
ltxml version=10 encoding=utf-8gt
ltuserEnvironmentSettingsgt
ltsetting type=blacklist list=rdquo1exe|2exe|3exe gt
ltuserEnvironmentSettingsgt
bull Example httpskbvmwarecomkb2145287
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
App VolumesCommon Issues
45
VMworld 2017 Content Not fo
r publication or distri
bution
Slow User Logon
46
bull Check Logon Segments in Horizon to determine where the delay is
bull Optimize clockyml
ndash If performance decreases as deployment scales
ndash Increasing servers workers and thread_poolrequires additional CPU and RAM
ndash Involve GSS to ensure optimal settings
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
AppStack Not Attaching at Logon
47
bull One host in vSphere cluster does not have access to the shared datastore where the AppStack resides
ndash Common oversight especially with Storage Groups
bull Conflicting Minifilter driver
ndash DLP software
ndash Be aware of app altitude
ndash More info from Microsoft
bull httpbitly2tSCdG5
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
ADSI Edit ndash Static Configuration Editing
50
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
ADSI Edit ndash Common Key Values to Inspect
bull pae-DisplayName
ndash VM name as displayed in View Admin
bull pae-DirtyForNewSessions
ndash Indicates whether the VM is ldquoDirtyrdquo and can be re-used in a non-persistent pool
bull pae-SVIVMSnapshot
ndash Indicates the current Snapshot that is in use
bull pae-VmPath
ndash Indicates the full Path to the VM in vCenter
bull pae-VmState
ndash Indicates the current state of the Desktop ndash some states are a combination of this valueand other values
51
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
ADSI Edit ndash Searching for a Desktop
bull Find VMs with a Snapshot
ndash (amp(objectClass=pae-VM)(pae-SVIVmSnapshot=BaselineSnapshot1Snapshot2))
bull Find VMs with a Name
ndash (amp(objectClass=pae-VM)(pae-DisplayName=Desktop-234))
ABV1592BE CONFIDENTIAL 52
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon View Event Notifier
bull On the VMware Fling site - labsvmwarecomflings (chrishalstead)
ABV1592BE CONFIDENTIAL 53
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
What to look forhellip (walk through successful connection)
bull Client requests desktop
ndash Event Database BROKER_DESKTOP_REQUEST
bull Broker allocates session to user
ndash [FarmImp] (SESSION7072--a79c) cn=3f974017-409f-4912-83bc-2ee794f22fabou=serversdc=vdidc=vmwaredc=int total session count 0
ndash [FarmImp] (SESSION7072--a79c) allocateNewSession - identified server for application CN=GOLD-NPOU=ApplicationsDC=vdiDC=vmwareDC=int
ndash Event Database BROKER_MACHINE_ALLOCATED
bull Broker attempts SSO
ndash [FarmImp] (SESSION7072--a79c) Using domain for SSO FUTUREOFFICE
ndash User wonrsquot be logged on to the VM without this
ABV1592BE CONFIDENTIAL 54
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
What to look forhellip Pool Provisioning
bull Desktops not available due to provisioning error
ndash Check View Administrator for Pool status check datastore capacity
ndash Check Event Database - BROKER_PROVISIONING_ERROR_
ndash Check View Composer has network access to ESX hosts
bull Desktop not available due to customization
ndash Check Desktop status ndash AGENT UNAVAILABLE
ndash Check View Dashboard
bull Desktop Status gt Preparing Desktops OR Problem Desktops
ndash Check Desktop connectivity to DNSADConnection Server
ABV1592BE CONFIDENTIAL 55
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
bull Desktop not available due to VM resetcrash
ndash Check Desktop status ndash ALREADY USED
ndash Typical on refresh-on-logoff or delete-on-use desktops
ndash Broker never received an explicit logout message from the agent
ndash Missing AGENT_ENDED event in DB for VM
bull View Composer Issues associated with incorrect domain credentials
bull CProgramDataVMwareView ComposerLogs
bull FATAL CSvmGaService - [svmGaServicecpp 116] Domain join failed Error 5 (0x5) Access is denied
ABV1592BE CONFIDENTIAL 56
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
What to look forhellip
bull Broker starts session on VM
ndash [DesktopSessionImp] (SESSION7072--a79c) startSession ndashsending StartSession message
bull Agent respondshellip
ndash DesktopManager got a StartSession messagerdquo
ndash Client Info should be in Agent Log along with PCoIP launch
bull Event Database AGENT_PENDING
bull Client connects to VM (Agent)
ndash ldquoPCoIPCnxOnConnectionComplete Begin (PCOIP)rdquo
ndash ldquoWTS_SESSION_LOGONrdquo
ndash Event Database AGENT_CONNECTED
ABV1592BE CONFIDENTIAL 57
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Source Not Available
58
Common Issues
bull No Desktop Available
bull Pool provisioning issues ndashcustomization
bull Agent not communicatingwith broker
bull Stuck at desktop loginscreen (SSO)
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Source Not Available
59
Where to look
bull Event Database
bull Connection Server logs
What to look for
[SessionLaunchContext] (SESSION40a7__6cbd) VMWEUCbsimpson Desktop=vmworld Session request failed
(SESSION40a7__6cbd) [VMWEUCbsimpson Desktop=vmworld] (5ms) The following servers were blocked for new sessions [cn=5162cf76-8d8a-4ac0-9185-845a540d24e5ou=serversdc=vdidc=vmwaredc=int]
(SESSION40a7__6cbd) [VMWEUCbsimpson Desktop=vmworld] (5ms) Application launch failed exception was The desktop sources for this desktop are not responding Please try again later
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and vCenter Server Connection
Accept vCenter Certificate
By default certificate validation is required between App Volumes Manager and vSphere
Accept vCenter cert (self-signed or CA-signed) while creating the Machine Manager in App Volumes Manager
No custom certificate work required
App Volumes
ABV1592BE CONFIDENTIAL 60
VMworld 2017 Content Not fo
r publication or distri
bution
Certificate Options for ProductionEnable Certificate Validation on the App Volumes Agent
HKLMSystemCurrentControlSetServicessvservicesParametersbull EnforceSSLCertificateValidation = 1bull SSL = 1
Options to Enable SSL
SSL is enabled by default
Donrsquot disable certificate validation during Agent installation
Enable SSL in the registry after App Volumes Agent install
App Volumes
61
VMworld 2017 Content Not fo
r publication or distri
bution
Certificate Options for a POCDisable SSL Certificate Validation on the Agent
HKLMSystemCurrentControlSetServicessvservicesParametersbull EnforceSSLCertificateValidation = 0
Options to Disable SSL
Disable Certificate Validation with App Volumes Manager during App Volumes Agent install
EnforceSSLCertificateValidation in the registry after App Volumes Agent install
App Volumes
62
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and SQL Server CommunicationSecuring Communications Between App Volumes Manager and SQL Server
bull 212 User Guide references MS Support
bull Note the differences for a SQL Server clustered installation
bull Encryption is configured on the SQL Server instance so alldatabases on a shared SQL Server will be affected
bull From the SQL Server use SQL Server Configuration Manager to configure Force Encryption and specify the SQL certificate
SQL Server service account must have Read permissions to the Private Key of the SQL Server SSL certificate
ndash Check SQL Server Configuration Manager gt SQL Server Services gt SQL Server (SQL) gt Log On
ndash Default is NT ServiceMSSQL$SQL which does not have the necessary permissions
App Volumes
ABV1592BE CONFIDENTIAL 63
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and SQL Server CommunicationSetting Custom Private Key Permissions for SQL Service Account
bull Start on the SQL Server
bull MMC gt Certificates
App Volumes
ABV1592BE CONFIDENTIAL 64
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and Load Balancers
Typical Deployment
SSL is terminated at load balancer
HTTP between LB and AV Manager
SSL between AV Agents and LB
If trusted CA-signed cert is used for LB be
sure all agents trust the CA
App Volumes Agent VMs
Load Balancer
App Volumes Manager VMs
Alternative Deployment
To keep SSL between LB and AV
Manager signed AV Manager
certificate(s) should be added to trust list
of the LB
SQLView Infrastructure
Now Secured with SSL
Certificates
App Volumes
ABV1592BE CONFIDENTIAL 65
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
User Experience Issues
bull Poor quality display
ndash Bandwidth latency or QoS
ndash Pcoip_server logs report
bull VGMAC Stat frms Loss=045021 (RT)
bull MGMT_PCOIP_DATA BW Decrease (loss) old = 2349982 new = 1768438
bull Randomly disconnected session
ndash 15 min after established - wssm process hasnt started on desktop
ndash View Agent logs (ltDriveLettergtProgramDataVMwareVDMlogs)
ndash PENDING_EXPIRED
ndash Sometimes caused by daisy-chaining the GINA (WinXP)
ABV1592BE CONFIDENTIAL 35
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Multi-VLAN support for Instant Clone pools
36
Tips to Avoid Deployment Issues
Support
bull vSphere 2016
bull ESXi 60 U1 or newer
bull Virtual Distributed Switch only
ndash No support for Standard Switch
bull Port Group must be configured for Static Port Binding amp Fixed Port Allocation
ndash No support for Dynamic or Ephemeral
Tested Limits
bull No multi-VLAN provisioning with IPv6
bull Single IC pool of 2K VMs
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Multi-VLAN with Horizon Instant Clones
37
Troubleshooting
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Performance
bull Common Issues
ndash Storage IO bottleneck
ndash Memory contention
ndash CPU contention
ndash Network issues
bull Where to look
ndash vCenter Server
ndash VCOPs
ndash ESXTOP
ndash 3rd Party Tools
ABV1592BE CONFIDENTIAL 38
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
The 3 Pillars of Performance
What to look for
bull CPU
ndash ClusterHost utilization lt 90
ndash VM utilization - USED (ESXTOP)
ndash VM RDY Time (ESXTOP) lt 10
bull Memory
ndash Host utilization lt 85
ndash VM utilization
ndash Swapping Ballooning SWCUR gt 1 MCTLSZ gt 1 (ESXTOP)
bull Storage
ndash Disk Read Latency lt 25ms
ndash ESXTOP DAVG or KAVG lt 25ms (ESXTOP)
ABV1592BE CONFIDENTIAL 39
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Optimize Your Images
bull httpslabsvmwarecomflingsvmware-os-optimization-tool
ABV1592BE CONFIDENTIAL 40
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
User Environment ManagerCommon Issues
41
VMworld 2017 Content Not fo
r publication or distri
bution
FlexEngine Appears Not To Run
FlexEngine Client
bull Requires use of Regeditexeor Regexe to modify user-based registry keys
bull Must not be disabled via Local or Group Policy
ADMX Settings
bull Minimum settings to enable FlexEngine Client
bull Check path
ABV1592BE CONFIDENTIAL 42
VMworld 2017 Content Not fo
r publication or distri
bution
Path-Based Import Runs Slow
43
bull Be careful not to run FlexEngine as a logon script and a Group Policy client-side extension
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Application Incompatibility with Hook Drivers
44
User Environment Manager
DirectFlex Blacklist
bull Create ltFlexRepositorygtDirectFlexBlackListXML
bull Populate as follows
ltxml version=10 encoding=utf-8gt
ltuserEnvironmentSettingsgt
ltsetting type=blacklist list=rdquo1exe|2exe|3exe gt
ltuserEnvironmentSettingsgt
bull Example httpskbvmwarecomkb2145287
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
App VolumesCommon Issues
45
VMworld 2017 Content Not fo
r publication or distri
bution
Slow User Logon
46
bull Check Logon Segments in Horizon to determine where the delay is
bull Optimize clockyml
ndash If performance decreases as deployment scales
ndash Increasing servers workers and thread_poolrequires additional CPU and RAM
ndash Involve GSS to ensure optimal settings
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
AppStack Not Attaching at Logon
47
bull One host in vSphere cluster does not have access to the shared datastore where the AppStack resides
ndash Common oversight especially with Storage Groups
bull Conflicting Minifilter driver
ndash DLP software
ndash Be aware of app altitude
ndash More info from Microsoft
bull httpbitly2tSCdG5
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
ADSI Edit ndash Static Configuration Editing
50
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
ADSI Edit ndash Common Key Values to Inspect
bull pae-DisplayName
ndash VM name as displayed in View Admin
bull pae-DirtyForNewSessions
ndash Indicates whether the VM is ldquoDirtyrdquo and can be re-used in a non-persistent pool
bull pae-SVIVMSnapshot
ndash Indicates the current Snapshot that is in use
bull pae-VmPath
ndash Indicates the full Path to the VM in vCenter
bull pae-VmState
ndash Indicates the current state of the Desktop ndash some states are a combination of this valueand other values
51
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
ADSI Edit ndash Searching for a Desktop
bull Find VMs with a Snapshot
ndash (amp(objectClass=pae-VM)(pae-SVIVmSnapshot=BaselineSnapshot1Snapshot2))
bull Find VMs with a Name
ndash (amp(objectClass=pae-VM)(pae-DisplayName=Desktop-234))
ABV1592BE CONFIDENTIAL 52
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon View Event Notifier
bull On the VMware Fling site - labsvmwarecomflings (chrishalstead)
ABV1592BE CONFIDENTIAL 53
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
What to look forhellip (walk through successful connection)
bull Client requests desktop
ndash Event Database BROKER_DESKTOP_REQUEST
bull Broker allocates session to user
ndash [FarmImp] (SESSION7072--a79c) cn=3f974017-409f-4912-83bc-2ee794f22fabou=serversdc=vdidc=vmwaredc=int total session count 0
ndash [FarmImp] (SESSION7072--a79c) allocateNewSession - identified server for application CN=GOLD-NPOU=ApplicationsDC=vdiDC=vmwareDC=int
ndash Event Database BROKER_MACHINE_ALLOCATED
bull Broker attempts SSO
ndash [FarmImp] (SESSION7072--a79c) Using domain for SSO FUTUREOFFICE
ndash User wonrsquot be logged on to the VM without this
ABV1592BE CONFIDENTIAL 54
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
What to look forhellip Pool Provisioning
bull Desktops not available due to provisioning error
ndash Check View Administrator for Pool status check datastore capacity
ndash Check Event Database - BROKER_PROVISIONING_ERROR_
ndash Check View Composer has network access to ESX hosts
bull Desktop not available due to customization
ndash Check Desktop status ndash AGENT UNAVAILABLE
ndash Check View Dashboard
bull Desktop Status gt Preparing Desktops OR Problem Desktops
ndash Check Desktop connectivity to DNSADConnection Server
ABV1592BE CONFIDENTIAL 55
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
bull Desktop not available due to VM resetcrash
ndash Check Desktop status ndash ALREADY USED
ndash Typical on refresh-on-logoff or delete-on-use desktops
ndash Broker never received an explicit logout message from the agent
ndash Missing AGENT_ENDED event in DB for VM
bull View Composer Issues associated with incorrect domain credentials
bull CProgramDataVMwareView ComposerLogs
bull FATAL CSvmGaService - [svmGaServicecpp 116] Domain join failed Error 5 (0x5) Access is denied
ABV1592BE CONFIDENTIAL 56
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
What to look forhellip
bull Broker starts session on VM
ndash [DesktopSessionImp] (SESSION7072--a79c) startSession ndashsending StartSession message
bull Agent respondshellip
ndash DesktopManager got a StartSession messagerdquo
ndash Client Info should be in Agent Log along with PCoIP launch
bull Event Database AGENT_PENDING
bull Client connects to VM (Agent)
ndash ldquoPCoIPCnxOnConnectionComplete Begin (PCOIP)rdquo
ndash ldquoWTS_SESSION_LOGONrdquo
ndash Event Database AGENT_CONNECTED
ABV1592BE CONFIDENTIAL 57
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Source Not Available
58
Common Issues
bull No Desktop Available
bull Pool provisioning issues ndashcustomization
bull Agent not communicatingwith broker
bull Stuck at desktop loginscreen (SSO)
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Source Not Available
59
Where to look
bull Event Database
bull Connection Server logs
What to look for
[SessionLaunchContext] (SESSION40a7__6cbd) VMWEUCbsimpson Desktop=vmworld Session request failed
(SESSION40a7__6cbd) [VMWEUCbsimpson Desktop=vmworld] (5ms) The following servers were blocked for new sessions [cn=5162cf76-8d8a-4ac0-9185-845a540d24e5ou=serversdc=vdidc=vmwaredc=int]
(SESSION40a7__6cbd) [VMWEUCbsimpson Desktop=vmworld] (5ms) Application launch failed exception was The desktop sources for this desktop are not responding Please try again later
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and vCenter Server Connection
Accept vCenter Certificate
By default certificate validation is required between App Volumes Manager and vSphere
Accept vCenter cert (self-signed or CA-signed) while creating the Machine Manager in App Volumes Manager
No custom certificate work required
App Volumes
ABV1592BE CONFIDENTIAL 60
VMworld 2017 Content Not fo
r publication or distri
bution
Certificate Options for ProductionEnable Certificate Validation on the App Volumes Agent
HKLMSystemCurrentControlSetServicessvservicesParametersbull EnforceSSLCertificateValidation = 1bull SSL = 1
Options to Enable SSL
SSL is enabled by default
Donrsquot disable certificate validation during Agent installation
Enable SSL in the registry after App Volumes Agent install
App Volumes
61
VMworld 2017 Content Not fo
r publication or distri
bution
Certificate Options for a POCDisable SSL Certificate Validation on the Agent
HKLMSystemCurrentControlSetServicessvservicesParametersbull EnforceSSLCertificateValidation = 0
Options to Disable SSL
Disable Certificate Validation with App Volumes Manager during App Volumes Agent install
EnforceSSLCertificateValidation in the registry after App Volumes Agent install
App Volumes
62
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and SQL Server CommunicationSecuring Communications Between App Volumes Manager and SQL Server
bull 212 User Guide references MS Support
bull Note the differences for a SQL Server clustered installation
bull Encryption is configured on the SQL Server instance so alldatabases on a shared SQL Server will be affected
bull From the SQL Server use SQL Server Configuration Manager to configure Force Encryption and specify the SQL certificate
SQL Server service account must have Read permissions to the Private Key of the SQL Server SSL certificate
ndash Check SQL Server Configuration Manager gt SQL Server Services gt SQL Server (SQL) gt Log On
ndash Default is NT ServiceMSSQL$SQL which does not have the necessary permissions
App Volumes
ABV1592BE CONFIDENTIAL 63
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and SQL Server CommunicationSetting Custom Private Key Permissions for SQL Service Account
bull Start on the SQL Server
bull MMC gt Certificates
App Volumes
ABV1592BE CONFIDENTIAL 64
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and Load Balancers
Typical Deployment
SSL is terminated at load balancer
HTTP between LB and AV Manager
SSL between AV Agents and LB
If trusted CA-signed cert is used for LB be
sure all agents trust the CA
App Volumes Agent VMs
Load Balancer
App Volumes Manager VMs
Alternative Deployment
To keep SSL between LB and AV
Manager signed AV Manager
certificate(s) should be added to trust list
of the LB
SQLView Infrastructure
Now Secured with SSL
Certificates
App Volumes
ABV1592BE CONFIDENTIAL 65
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
Multi-VLAN support for Instant Clone pools
36
Tips to Avoid Deployment Issues
Support
bull vSphere 2016
bull ESXi 60 U1 or newer
bull Virtual Distributed Switch only
ndash No support for Standard Switch
bull Port Group must be configured for Static Port Binding amp Fixed Port Allocation
ndash No support for Dynamic or Ephemeral
Tested Limits
bull No multi-VLAN provisioning with IPv6
bull Single IC pool of 2K VMs
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Multi-VLAN with Horizon Instant Clones
37
Troubleshooting
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Performance
bull Common Issues
ndash Storage IO bottleneck
ndash Memory contention
ndash CPU contention
ndash Network issues
bull Where to look
ndash vCenter Server
ndash VCOPs
ndash ESXTOP
ndash 3rd Party Tools
ABV1592BE CONFIDENTIAL 38
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
The 3 Pillars of Performance
What to look for
bull CPU
ndash ClusterHost utilization lt 90
ndash VM utilization - USED (ESXTOP)
ndash VM RDY Time (ESXTOP) lt 10
bull Memory
ndash Host utilization lt 85
ndash VM utilization
ndash Swapping Ballooning SWCUR gt 1 MCTLSZ gt 1 (ESXTOP)
bull Storage
ndash Disk Read Latency lt 25ms
ndash ESXTOP DAVG or KAVG lt 25ms (ESXTOP)
ABV1592BE CONFIDENTIAL 39
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Optimize Your Images
bull httpslabsvmwarecomflingsvmware-os-optimization-tool
ABV1592BE CONFIDENTIAL 40
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
User Environment ManagerCommon Issues
41
VMworld 2017 Content Not fo
r publication or distri
bution
FlexEngine Appears Not To Run
FlexEngine Client
bull Requires use of Regeditexeor Regexe to modify user-based registry keys
bull Must not be disabled via Local or Group Policy
ADMX Settings
bull Minimum settings to enable FlexEngine Client
bull Check path
ABV1592BE CONFIDENTIAL 42
VMworld 2017 Content Not fo
r publication or distri
bution
Path-Based Import Runs Slow
43
bull Be careful not to run FlexEngine as a logon script and a Group Policy client-side extension
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Application Incompatibility with Hook Drivers
44
User Environment Manager
DirectFlex Blacklist
bull Create ltFlexRepositorygtDirectFlexBlackListXML
bull Populate as follows
ltxml version=10 encoding=utf-8gt
ltuserEnvironmentSettingsgt
ltsetting type=blacklist list=rdquo1exe|2exe|3exe gt
ltuserEnvironmentSettingsgt
bull Example httpskbvmwarecomkb2145287
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
App VolumesCommon Issues
45
VMworld 2017 Content Not fo
r publication or distri
bution
Slow User Logon
46
bull Check Logon Segments in Horizon to determine where the delay is
bull Optimize clockyml
ndash If performance decreases as deployment scales
ndash Increasing servers workers and thread_poolrequires additional CPU and RAM
ndash Involve GSS to ensure optimal settings
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
AppStack Not Attaching at Logon
47
bull One host in vSphere cluster does not have access to the shared datastore where the AppStack resides
ndash Common oversight especially with Storage Groups
bull Conflicting Minifilter driver
ndash DLP software
ndash Be aware of app altitude
ndash More info from Microsoft
bull httpbitly2tSCdG5
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
ADSI Edit ndash Static Configuration Editing
50
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
ADSI Edit ndash Common Key Values to Inspect
bull pae-DisplayName
ndash VM name as displayed in View Admin
bull pae-DirtyForNewSessions
ndash Indicates whether the VM is ldquoDirtyrdquo and can be re-used in a non-persistent pool
bull pae-SVIVMSnapshot
ndash Indicates the current Snapshot that is in use
bull pae-VmPath
ndash Indicates the full Path to the VM in vCenter
bull pae-VmState
ndash Indicates the current state of the Desktop ndash some states are a combination of this valueand other values
51
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
ADSI Edit ndash Searching for a Desktop
bull Find VMs with a Snapshot
ndash (amp(objectClass=pae-VM)(pae-SVIVmSnapshot=BaselineSnapshot1Snapshot2))
bull Find VMs with a Name
ndash (amp(objectClass=pae-VM)(pae-DisplayName=Desktop-234))
ABV1592BE CONFIDENTIAL 52
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon View Event Notifier
bull On the VMware Fling site - labsvmwarecomflings (chrishalstead)
ABV1592BE CONFIDENTIAL 53
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
What to look forhellip (walk through successful connection)
bull Client requests desktop
ndash Event Database BROKER_DESKTOP_REQUEST
bull Broker allocates session to user
ndash [FarmImp] (SESSION7072--a79c) cn=3f974017-409f-4912-83bc-2ee794f22fabou=serversdc=vdidc=vmwaredc=int total session count 0
ndash [FarmImp] (SESSION7072--a79c) allocateNewSession - identified server for application CN=GOLD-NPOU=ApplicationsDC=vdiDC=vmwareDC=int
ndash Event Database BROKER_MACHINE_ALLOCATED
bull Broker attempts SSO
ndash [FarmImp] (SESSION7072--a79c) Using domain for SSO FUTUREOFFICE
ndash User wonrsquot be logged on to the VM without this
ABV1592BE CONFIDENTIAL 54
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
What to look forhellip Pool Provisioning
bull Desktops not available due to provisioning error
ndash Check View Administrator for Pool status check datastore capacity
ndash Check Event Database - BROKER_PROVISIONING_ERROR_
ndash Check View Composer has network access to ESX hosts
bull Desktop not available due to customization
ndash Check Desktop status ndash AGENT UNAVAILABLE
ndash Check View Dashboard
bull Desktop Status gt Preparing Desktops OR Problem Desktops
ndash Check Desktop connectivity to DNSADConnection Server
ABV1592BE CONFIDENTIAL 55
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
bull Desktop not available due to VM resetcrash
ndash Check Desktop status ndash ALREADY USED
ndash Typical on refresh-on-logoff or delete-on-use desktops
ndash Broker never received an explicit logout message from the agent
ndash Missing AGENT_ENDED event in DB for VM
bull View Composer Issues associated with incorrect domain credentials
bull CProgramDataVMwareView ComposerLogs
bull FATAL CSvmGaService - [svmGaServicecpp 116] Domain join failed Error 5 (0x5) Access is denied
ABV1592BE CONFIDENTIAL 56
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
What to look forhellip
bull Broker starts session on VM
ndash [DesktopSessionImp] (SESSION7072--a79c) startSession ndashsending StartSession message
bull Agent respondshellip
ndash DesktopManager got a StartSession messagerdquo
ndash Client Info should be in Agent Log along with PCoIP launch
bull Event Database AGENT_PENDING
bull Client connects to VM (Agent)
ndash ldquoPCoIPCnxOnConnectionComplete Begin (PCOIP)rdquo
ndash ldquoWTS_SESSION_LOGONrdquo
ndash Event Database AGENT_CONNECTED
ABV1592BE CONFIDENTIAL 57
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Source Not Available
58
Common Issues
bull No Desktop Available
bull Pool provisioning issues ndashcustomization
bull Agent not communicatingwith broker
bull Stuck at desktop loginscreen (SSO)
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Source Not Available
59
Where to look
bull Event Database
bull Connection Server logs
What to look for
[SessionLaunchContext] (SESSION40a7__6cbd) VMWEUCbsimpson Desktop=vmworld Session request failed
(SESSION40a7__6cbd) [VMWEUCbsimpson Desktop=vmworld] (5ms) The following servers were blocked for new sessions [cn=5162cf76-8d8a-4ac0-9185-845a540d24e5ou=serversdc=vdidc=vmwaredc=int]
(SESSION40a7__6cbd) [VMWEUCbsimpson Desktop=vmworld] (5ms) Application launch failed exception was The desktop sources for this desktop are not responding Please try again later
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and vCenter Server Connection
Accept vCenter Certificate
By default certificate validation is required between App Volumes Manager and vSphere
Accept vCenter cert (self-signed or CA-signed) while creating the Machine Manager in App Volumes Manager
No custom certificate work required
App Volumes
ABV1592BE CONFIDENTIAL 60
VMworld 2017 Content Not fo
r publication or distri
bution
Certificate Options for ProductionEnable Certificate Validation on the App Volumes Agent
HKLMSystemCurrentControlSetServicessvservicesParametersbull EnforceSSLCertificateValidation = 1bull SSL = 1
Options to Enable SSL
SSL is enabled by default
Donrsquot disable certificate validation during Agent installation
Enable SSL in the registry after App Volumes Agent install
App Volumes
61
VMworld 2017 Content Not fo
r publication or distri
bution
Certificate Options for a POCDisable SSL Certificate Validation on the Agent
HKLMSystemCurrentControlSetServicessvservicesParametersbull EnforceSSLCertificateValidation = 0
Options to Disable SSL
Disable Certificate Validation with App Volumes Manager during App Volumes Agent install
EnforceSSLCertificateValidation in the registry after App Volumes Agent install
App Volumes
62
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and SQL Server CommunicationSecuring Communications Between App Volumes Manager and SQL Server
bull 212 User Guide references MS Support
bull Note the differences for a SQL Server clustered installation
bull Encryption is configured on the SQL Server instance so alldatabases on a shared SQL Server will be affected
bull From the SQL Server use SQL Server Configuration Manager to configure Force Encryption and specify the SQL certificate
SQL Server service account must have Read permissions to the Private Key of the SQL Server SSL certificate
ndash Check SQL Server Configuration Manager gt SQL Server Services gt SQL Server (SQL) gt Log On
ndash Default is NT ServiceMSSQL$SQL which does not have the necessary permissions
App Volumes
ABV1592BE CONFIDENTIAL 63
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and SQL Server CommunicationSetting Custom Private Key Permissions for SQL Service Account
bull Start on the SQL Server
bull MMC gt Certificates
App Volumes
ABV1592BE CONFIDENTIAL 64
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and Load Balancers
Typical Deployment
SSL is terminated at load balancer
HTTP between LB and AV Manager
SSL between AV Agents and LB
If trusted CA-signed cert is used for LB be
sure all agents trust the CA
App Volumes Agent VMs
Load Balancer
App Volumes Manager VMs
Alternative Deployment
To keep SSL between LB and AV
Manager signed AV Manager
certificate(s) should be added to trust list
of the LB
SQLView Infrastructure
Now Secured with SSL
Certificates
App Volumes
ABV1592BE CONFIDENTIAL 65
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
Multi-VLAN with Horizon Instant Clones
37
Troubleshooting
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Performance
bull Common Issues
ndash Storage IO bottleneck
ndash Memory contention
ndash CPU contention
ndash Network issues
bull Where to look
ndash vCenter Server
ndash VCOPs
ndash ESXTOP
ndash 3rd Party Tools
ABV1592BE CONFIDENTIAL 38
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
The 3 Pillars of Performance
What to look for
bull CPU
ndash ClusterHost utilization lt 90
ndash VM utilization - USED (ESXTOP)
ndash VM RDY Time (ESXTOP) lt 10
bull Memory
ndash Host utilization lt 85
ndash VM utilization
ndash Swapping Ballooning SWCUR gt 1 MCTLSZ gt 1 (ESXTOP)
bull Storage
ndash Disk Read Latency lt 25ms
ndash ESXTOP DAVG or KAVG lt 25ms (ESXTOP)
ABV1592BE CONFIDENTIAL 39
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Optimize Your Images
bull httpslabsvmwarecomflingsvmware-os-optimization-tool
ABV1592BE CONFIDENTIAL 40
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
User Environment ManagerCommon Issues
41
VMworld 2017 Content Not fo
r publication or distri
bution
FlexEngine Appears Not To Run
FlexEngine Client
bull Requires use of Regeditexeor Regexe to modify user-based registry keys
bull Must not be disabled via Local or Group Policy
ADMX Settings
bull Minimum settings to enable FlexEngine Client
bull Check path
ABV1592BE CONFIDENTIAL 42
VMworld 2017 Content Not fo
r publication or distri
bution
Path-Based Import Runs Slow
43
bull Be careful not to run FlexEngine as a logon script and a Group Policy client-side extension
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Application Incompatibility with Hook Drivers
44
User Environment Manager
DirectFlex Blacklist
bull Create ltFlexRepositorygtDirectFlexBlackListXML
bull Populate as follows
ltxml version=10 encoding=utf-8gt
ltuserEnvironmentSettingsgt
ltsetting type=blacklist list=rdquo1exe|2exe|3exe gt
ltuserEnvironmentSettingsgt
bull Example httpskbvmwarecomkb2145287
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
App VolumesCommon Issues
45
VMworld 2017 Content Not fo
r publication or distri
bution
Slow User Logon
46
bull Check Logon Segments in Horizon to determine where the delay is
bull Optimize clockyml
ndash If performance decreases as deployment scales
ndash Increasing servers workers and thread_poolrequires additional CPU and RAM
ndash Involve GSS to ensure optimal settings
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
AppStack Not Attaching at Logon
47
bull One host in vSphere cluster does not have access to the shared datastore where the AppStack resides
ndash Common oversight especially with Storage Groups
bull Conflicting Minifilter driver
ndash DLP software
ndash Be aware of app altitude
ndash More info from Microsoft
bull httpbitly2tSCdG5
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
ADSI Edit ndash Static Configuration Editing
50
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
ADSI Edit ndash Common Key Values to Inspect
bull pae-DisplayName
ndash VM name as displayed in View Admin
bull pae-DirtyForNewSessions
ndash Indicates whether the VM is ldquoDirtyrdquo and can be re-used in a non-persistent pool
bull pae-SVIVMSnapshot
ndash Indicates the current Snapshot that is in use
bull pae-VmPath
ndash Indicates the full Path to the VM in vCenter
bull pae-VmState
ndash Indicates the current state of the Desktop ndash some states are a combination of this valueand other values
51
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
ADSI Edit ndash Searching for a Desktop
bull Find VMs with a Snapshot
ndash (amp(objectClass=pae-VM)(pae-SVIVmSnapshot=BaselineSnapshot1Snapshot2))
bull Find VMs with a Name
ndash (amp(objectClass=pae-VM)(pae-DisplayName=Desktop-234))
ABV1592BE CONFIDENTIAL 52
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon View Event Notifier
bull On the VMware Fling site - labsvmwarecomflings (chrishalstead)
ABV1592BE CONFIDENTIAL 53
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
What to look forhellip (walk through successful connection)
bull Client requests desktop
ndash Event Database BROKER_DESKTOP_REQUEST
bull Broker allocates session to user
ndash [FarmImp] (SESSION7072--a79c) cn=3f974017-409f-4912-83bc-2ee794f22fabou=serversdc=vdidc=vmwaredc=int total session count 0
ndash [FarmImp] (SESSION7072--a79c) allocateNewSession - identified server for application CN=GOLD-NPOU=ApplicationsDC=vdiDC=vmwareDC=int
ndash Event Database BROKER_MACHINE_ALLOCATED
bull Broker attempts SSO
ndash [FarmImp] (SESSION7072--a79c) Using domain for SSO FUTUREOFFICE
ndash User wonrsquot be logged on to the VM without this
ABV1592BE CONFIDENTIAL 54
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
What to look forhellip Pool Provisioning
bull Desktops not available due to provisioning error
ndash Check View Administrator for Pool status check datastore capacity
ndash Check Event Database - BROKER_PROVISIONING_ERROR_
ndash Check View Composer has network access to ESX hosts
bull Desktop not available due to customization
ndash Check Desktop status ndash AGENT UNAVAILABLE
ndash Check View Dashboard
bull Desktop Status gt Preparing Desktops OR Problem Desktops
ndash Check Desktop connectivity to DNSADConnection Server
ABV1592BE CONFIDENTIAL 55
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
bull Desktop not available due to VM resetcrash
ndash Check Desktop status ndash ALREADY USED
ndash Typical on refresh-on-logoff or delete-on-use desktops
ndash Broker never received an explicit logout message from the agent
ndash Missing AGENT_ENDED event in DB for VM
bull View Composer Issues associated with incorrect domain credentials
bull CProgramDataVMwareView ComposerLogs
bull FATAL CSvmGaService - [svmGaServicecpp 116] Domain join failed Error 5 (0x5) Access is denied
ABV1592BE CONFIDENTIAL 56
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
What to look forhellip
bull Broker starts session on VM
ndash [DesktopSessionImp] (SESSION7072--a79c) startSession ndashsending StartSession message
bull Agent respondshellip
ndash DesktopManager got a StartSession messagerdquo
ndash Client Info should be in Agent Log along with PCoIP launch
bull Event Database AGENT_PENDING
bull Client connects to VM (Agent)
ndash ldquoPCoIPCnxOnConnectionComplete Begin (PCOIP)rdquo
ndash ldquoWTS_SESSION_LOGONrdquo
ndash Event Database AGENT_CONNECTED
ABV1592BE CONFIDENTIAL 57
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Source Not Available
58
Common Issues
bull No Desktop Available
bull Pool provisioning issues ndashcustomization
bull Agent not communicatingwith broker
bull Stuck at desktop loginscreen (SSO)
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Source Not Available
59
Where to look
bull Event Database
bull Connection Server logs
What to look for
[SessionLaunchContext] (SESSION40a7__6cbd) VMWEUCbsimpson Desktop=vmworld Session request failed
(SESSION40a7__6cbd) [VMWEUCbsimpson Desktop=vmworld] (5ms) The following servers were blocked for new sessions [cn=5162cf76-8d8a-4ac0-9185-845a540d24e5ou=serversdc=vdidc=vmwaredc=int]
(SESSION40a7__6cbd) [VMWEUCbsimpson Desktop=vmworld] (5ms) Application launch failed exception was The desktop sources for this desktop are not responding Please try again later
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and vCenter Server Connection
Accept vCenter Certificate
By default certificate validation is required between App Volumes Manager and vSphere
Accept vCenter cert (self-signed or CA-signed) while creating the Machine Manager in App Volumes Manager
No custom certificate work required
App Volumes
ABV1592BE CONFIDENTIAL 60
VMworld 2017 Content Not fo
r publication or distri
bution
Certificate Options for ProductionEnable Certificate Validation on the App Volumes Agent
HKLMSystemCurrentControlSetServicessvservicesParametersbull EnforceSSLCertificateValidation = 1bull SSL = 1
Options to Enable SSL
SSL is enabled by default
Donrsquot disable certificate validation during Agent installation
Enable SSL in the registry after App Volumes Agent install
App Volumes
61
VMworld 2017 Content Not fo
r publication or distri
bution
Certificate Options for a POCDisable SSL Certificate Validation on the Agent
HKLMSystemCurrentControlSetServicessvservicesParametersbull EnforceSSLCertificateValidation = 0
Options to Disable SSL
Disable Certificate Validation with App Volumes Manager during App Volumes Agent install
EnforceSSLCertificateValidation in the registry after App Volumes Agent install
App Volumes
62
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and SQL Server CommunicationSecuring Communications Between App Volumes Manager and SQL Server
bull 212 User Guide references MS Support
bull Note the differences for a SQL Server clustered installation
bull Encryption is configured on the SQL Server instance so alldatabases on a shared SQL Server will be affected
bull From the SQL Server use SQL Server Configuration Manager to configure Force Encryption and specify the SQL certificate
SQL Server service account must have Read permissions to the Private Key of the SQL Server SSL certificate
ndash Check SQL Server Configuration Manager gt SQL Server Services gt SQL Server (SQL) gt Log On
ndash Default is NT ServiceMSSQL$SQL which does not have the necessary permissions
App Volumes
ABV1592BE CONFIDENTIAL 63
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and SQL Server CommunicationSetting Custom Private Key Permissions for SQL Service Account
bull Start on the SQL Server
bull MMC gt Certificates
App Volumes
ABV1592BE CONFIDENTIAL 64
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and Load Balancers
Typical Deployment
SSL is terminated at load balancer
HTTP between LB and AV Manager
SSL between AV Agents and LB
If trusted CA-signed cert is used for LB be
sure all agents trust the CA
App Volumes Agent VMs
Load Balancer
App Volumes Manager VMs
Alternative Deployment
To keep SSL between LB and AV
Manager signed AV Manager
certificate(s) should be added to trust list
of the LB
SQLView Infrastructure
Now Secured with SSL
Certificates
App Volumes
ABV1592BE CONFIDENTIAL 65
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Performance
bull Common Issues
ndash Storage IO bottleneck
ndash Memory contention
ndash CPU contention
ndash Network issues
bull Where to look
ndash vCenter Server
ndash VCOPs
ndash ESXTOP
ndash 3rd Party Tools
ABV1592BE CONFIDENTIAL 38
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
The 3 Pillars of Performance
What to look for
bull CPU
ndash ClusterHost utilization lt 90
ndash VM utilization - USED (ESXTOP)
ndash VM RDY Time (ESXTOP) lt 10
bull Memory
ndash Host utilization lt 85
ndash VM utilization
ndash Swapping Ballooning SWCUR gt 1 MCTLSZ gt 1 (ESXTOP)
bull Storage
ndash Disk Read Latency lt 25ms
ndash ESXTOP DAVG or KAVG lt 25ms (ESXTOP)
ABV1592BE CONFIDENTIAL 39
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Optimize Your Images
bull httpslabsvmwarecomflingsvmware-os-optimization-tool
ABV1592BE CONFIDENTIAL 40
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
User Environment ManagerCommon Issues
41
VMworld 2017 Content Not fo
r publication or distri
bution
FlexEngine Appears Not To Run
FlexEngine Client
bull Requires use of Regeditexeor Regexe to modify user-based registry keys
bull Must not be disabled via Local or Group Policy
ADMX Settings
bull Minimum settings to enable FlexEngine Client
bull Check path
ABV1592BE CONFIDENTIAL 42
VMworld 2017 Content Not fo
r publication or distri
bution
Path-Based Import Runs Slow
43
bull Be careful not to run FlexEngine as a logon script and a Group Policy client-side extension
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Application Incompatibility with Hook Drivers
44
User Environment Manager
DirectFlex Blacklist
bull Create ltFlexRepositorygtDirectFlexBlackListXML
bull Populate as follows
ltxml version=10 encoding=utf-8gt
ltuserEnvironmentSettingsgt
ltsetting type=blacklist list=rdquo1exe|2exe|3exe gt
ltuserEnvironmentSettingsgt
bull Example httpskbvmwarecomkb2145287
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
App VolumesCommon Issues
45
VMworld 2017 Content Not fo
r publication or distri
bution
Slow User Logon
46
bull Check Logon Segments in Horizon to determine where the delay is
bull Optimize clockyml
ndash If performance decreases as deployment scales
ndash Increasing servers workers and thread_poolrequires additional CPU and RAM
ndash Involve GSS to ensure optimal settings
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
AppStack Not Attaching at Logon
47
bull One host in vSphere cluster does not have access to the shared datastore where the AppStack resides
ndash Common oversight especially with Storage Groups
bull Conflicting Minifilter driver
ndash DLP software
ndash Be aware of app altitude
ndash More info from Microsoft
bull httpbitly2tSCdG5
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
ADSI Edit ndash Static Configuration Editing
50
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
ADSI Edit ndash Common Key Values to Inspect
bull pae-DisplayName
ndash VM name as displayed in View Admin
bull pae-DirtyForNewSessions
ndash Indicates whether the VM is ldquoDirtyrdquo and can be re-used in a non-persistent pool
bull pae-SVIVMSnapshot
ndash Indicates the current Snapshot that is in use
bull pae-VmPath
ndash Indicates the full Path to the VM in vCenter
bull pae-VmState
ndash Indicates the current state of the Desktop ndash some states are a combination of this valueand other values
51
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
ADSI Edit ndash Searching for a Desktop
bull Find VMs with a Snapshot
ndash (amp(objectClass=pae-VM)(pae-SVIVmSnapshot=BaselineSnapshot1Snapshot2))
bull Find VMs with a Name
ndash (amp(objectClass=pae-VM)(pae-DisplayName=Desktop-234))
ABV1592BE CONFIDENTIAL 52
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon View Event Notifier
bull On the VMware Fling site - labsvmwarecomflings (chrishalstead)
ABV1592BE CONFIDENTIAL 53
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
What to look forhellip (walk through successful connection)
bull Client requests desktop
ndash Event Database BROKER_DESKTOP_REQUEST
bull Broker allocates session to user
ndash [FarmImp] (SESSION7072--a79c) cn=3f974017-409f-4912-83bc-2ee794f22fabou=serversdc=vdidc=vmwaredc=int total session count 0
ndash [FarmImp] (SESSION7072--a79c) allocateNewSession - identified server for application CN=GOLD-NPOU=ApplicationsDC=vdiDC=vmwareDC=int
ndash Event Database BROKER_MACHINE_ALLOCATED
bull Broker attempts SSO
ndash [FarmImp] (SESSION7072--a79c) Using domain for SSO FUTUREOFFICE
ndash User wonrsquot be logged on to the VM without this
ABV1592BE CONFIDENTIAL 54
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
What to look forhellip Pool Provisioning
bull Desktops not available due to provisioning error
ndash Check View Administrator for Pool status check datastore capacity
ndash Check Event Database - BROKER_PROVISIONING_ERROR_
ndash Check View Composer has network access to ESX hosts
bull Desktop not available due to customization
ndash Check Desktop status ndash AGENT UNAVAILABLE
ndash Check View Dashboard
bull Desktop Status gt Preparing Desktops OR Problem Desktops
ndash Check Desktop connectivity to DNSADConnection Server
ABV1592BE CONFIDENTIAL 55
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
bull Desktop not available due to VM resetcrash
ndash Check Desktop status ndash ALREADY USED
ndash Typical on refresh-on-logoff or delete-on-use desktops
ndash Broker never received an explicit logout message from the agent
ndash Missing AGENT_ENDED event in DB for VM
bull View Composer Issues associated with incorrect domain credentials
bull CProgramDataVMwareView ComposerLogs
bull FATAL CSvmGaService - [svmGaServicecpp 116] Domain join failed Error 5 (0x5) Access is denied
ABV1592BE CONFIDENTIAL 56
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
What to look forhellip
bull Broker starts session on VM
ndash [DesktopSessionImp] (SESSION7072--a79c) startSession ndashsending StartSession message
bull Agent respondshellip
ndash DesktopManager got a StartSession messagerdquo
ndash Client Info should be in Agent Log along with PCoIP launch
bull Event Database AGENT_PENDING
bull Client connects to VM (Agent)
ndash ldquoPCoIPCnxOnConnectionComplete Begin (PCOIP)rdquo
ndash ldquoWTS_SESSION_LOGONrdquo
ndash Event Database AGENT_CONNECTED
ABV1592BE CONFIDENTIAL 57
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Source Not Available
58
Common Issues
bull No Desktop Available
bull Pool provisioning issues ndashcustomization
bull Agent not communicatingwith broker
bull Stuck at desktop loginscreen (SSO)
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Source Not Available
59
Where to look
bull Event Database
bull Connection Server logs
What to look for
[SessionLaunchContext] (SESSION40a7__6cbd) VMWEUCbsimpson Desktop=vmworld Session request failed
(SESSION40a7__6cbd) [VMWEUCbsimpson Desktop=vmworld] (5ms) The following servers were blocked for new sessions [cn=5162cf76-8d8a-4ac0-9185-845a540d24e5ou=serversdc=vdidc=vmwaredc=int]
(SESSION40a7__6cbd) [VMWEUCbsimpson Desktop=vmworld] (5ms) Application launch failed exception was The desktop sources for this desktop are not responding Please try again later
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and vCenter Server Connection
Accept vCenter Certificate
By default certificate validation is required between App Volumes Manager and vSphere
Accept vCenter cert (self-signed or CA-signed) while creating the Machine Manager in App Volumes Manager
No custom certificate work required
App Volumes
ABV1592BE CONFIDENTIAL 60
VMworld 2017 Content Not fo
r publication or distri
bution
Certificate Options for ProductionEnable Certificate Validation on the App Volumes Agent
HKLMSystemCurrentControlSetServicessvservicesParametersbull EnforceSSLCertificateValidation = 1bull SSL = 1
Options to Enable SSL
SSL is enabled by default
Donrsquot disable certificate validation during Agent installation
Enable SSL in the registry after App Volumes Agent install
App Volumes
61
VMworld 2017 Content Not fo
r publication or distri
bution
Certificate Options for a POCDisable SSL Certificate Validation on the Agent
HKLMSystemCurrentControlSetServicessvservicesParametersbull EnforceSSLCertificateValidation = 0
Options to Disable SSL
Disable Certificate Validation with App Volumes Manager during App Volumes Agent install
EnforceSSLCertificateValidation in the registry after App Volumes Agent install
App Volumes
62
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and SQL Server CommunicationSecuring Communications Between App Volumes Manager and SQL Server
bull 212 User Guide references MS Support
bull Note the differences for a SQL Server clustered installation
bull Encryption is configured on the SQL Server instance so alldatabases on a shared SQL Server will be affected
bull From the SQL Server use SQL Server Configuration Manager to configure Force Encryption and specify the SQL certificate
SQL Server service account must have Read permissions to the Private Key of the SQL Server SSL certificate
ndash Check SQL Server Configuration Manager gt SQL Server Services gt SQL Server (SQL) gt Log On
ndash Default is NT ServiceMSSQL$SQL which does not have the necessary permissions
App Volumes
ABV1592BE CONFIDENTIAL 63
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and SQL Server CommunicationSetting Custom Private Key Permissions for SQL Service Account
bull Start on the SQL Server
bull MMC gt Certificates
App Volumes
ABV1592BE CONFIDENTIAL 64
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and Load Balancers
Typical Deployment
SSL is terminated at load balancer
HTTP between LB and AV Manager
SSL between AV Agents and LB
If trusted CA-signed cert is used for LB be
sure all agents trust the CA
App Volumes Agent VMs
Load Balancer
App Volumes Manager VMs
Alternative Deployment
To keep SSL between LB and AV
Manager signed AV Manager
certificate(s) should be added to trust list
of the LB
SQLView Infrastructure
Now Secured with SSL
Certificates
App Volumes
ABV1592BE CONFIDENTIAL 65
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
The 3 Pillars of Performance
What to look for
bull CPU
ndash ClusterHost utilization lt 90
ndash VM utilization - USED (ESXTOP)
ndash VM RDY Time (ESXTOP) lt 10
bull Memory
ndash Host utilization lt 85
ndash VM utilization
ndash Swapping Ballooning SWCUR gt 1 MCTLSZ gt 1 (ESXTOP)
bull Storage
ndash Disk Read Latency lt 25ms
ndash ESXTOP DAVG or KAVG lt 25ms (ESXTOP)
ABV1592BE CONFIDENTIAL 39
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Optimize Your Images
bull httpslabsvmwarecomflingsvmware-os-optimization-tool
ABV1592BE CONFIDENTIAL 40
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
User Environment ManagerCommon Issues
41
VMworld 2017 Content Not fo
r publication or distri
bution
FlexEngine Appears Not To Run
FlexEngine Client
bull Requires use of Regeditexeor Regexe to modify user-based registry keys
bull Must not be disabled via Local or Group Policy
ADMX Settings
bull Minimum settings to enable FlexEngine Client
bull Check path
ABV1592BE CONFIDENTIAL 42
VMworld 2017 Content Not fo
r publication or distri
bution
Path-Based Import Runs Slow
43
bull Be careful not to run FlexEngine as a logon script and a Group Policy client-side extension
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Application Incompatibility with Hook Drivers
44
User Environment Manager
DirectFlex Blacklist
bull Create ltFlexRepositorygtDirectFlexBlackListXML
bull Populate as follows
ltxml version=10 encoding=utf-8gt
ltuserEnvironmentSettingsgt
ltsetting type=blacklist list=rdquo1exe|2exe|3exe gt
ltuserEnvironmentSettingsgt
bull Example httpskbvmwarecomkb2145287
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
App VolumesCommon Issues
45
VMworld 2017 Content Not fo
r publication or distri
bution
Slow User Logon
46
bull Check Logon Segments in Horizon to determine where the delay is
bull Optimize clockyml
ndash If performance decreases as deployment scales
ndash Increasing servers workers and thread_poolrequires additional CPU and RAM
ndash Involve GSS to ensure optimal settings
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
AppStack Not Attaching at Logon
47
bull One host in vSphere cluster does not have access to the shared datastore where the AppStack resides
ndash Common oversight especially with Storage Groups
bull Conflicting Minifilter driver
ndash DLP software
ndash Be aware of app altitude
ndash More info from Microsoft
bull httpbitly2tSCdG5
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
ADSI Edit ndash Static Configuration Editing
50
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
ADSI Edit ndash Common Key Values to Inspect
bull pae-DisplayName
ndash VM name as displayed in View Admin
bull pae-DirtyForNewSessions
ndash Indicates whether the VM is ldquoDirtyrdquo and can be re-used in a non-persistent pool
bull pae-SVIVMSnapshot
ndash Indicates the current Snapshot that is in use
bull pae-VmPath
ndash Indicates the full Path to the VM in vCenter
bull pae-VmState
ndash Indicates the current state of the Desktop ndash some states are a combination of this valueand other values
51
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
ADSI Edit ndash Searching for a Desktop
bull Find VMs with a Snapshot
ndash (amp(objectClass=pae-VM)(pae-SVIVmSnapshot=BaselineSnapshot1Snapshot2))
bull Find VMs with a Name
ndash (amp(objectClass=pae-VM)(pae-DisplayName=Desktop-234))
ABV1592BE CONFIDENTIAL 52
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon View Event Notifier
bull On the VMware Fling site - labsvmwarecomflings (chrishalstead)
ABV1592BE CONFIDENTIAL 53
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
What to look forhellip (walk through successful connection)
bull Client requests desktop
ndash Event Database BROKER_DESKTOP_REQUEST
bull Broker allocates session to user
ndash [FarmImp] (SESSION7072--a79c) cn=3f974017-409f-4912-83bc-2ee794f22fabou=serversdc=vdidc=vmwaredc=int total session count 0
ndash [FarmImp] (SESSION7072--a79c) allocateNewSession - identified server for application CN=GOLD-NPOU=ApplicationsDC=vdiDC=vmwareDC=int
ndash Event Database BROKER_MACHINE_ALLOCATED
bull Broker attempts SSO
ndash [FarmImp] (SESSION7072--a79c) Using domain for SSO FUTUREOFFICE
ndash User wonrsquot be logged on to the VM without this
ABV1592BE CONFIDENTIAL 54
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
What to look forhellip Pool Provisioning
bull Desktops not available due to provisioning error
ndash Check View Administrator for Pool status check datastore capacity
ndash Check Event Database - BROKER_PROVISIONING_ERROR_
ndash Check View Composer has network access to ESX hosts
bull Desktop not available due to customization
ndash Check Desktop status ndash AGENT UNAVAILABLE
ndash Check View Dashboard
bull Desktop Status gt Preparing Desktops OR Problem Desktops
ndash Check Desktop connectivity to DNSADConnection Server
ABV1592BE CONFIDENTIAL 55
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
bull Desktop not available due to VM resetcrash
ndash Check Desktop status ndash ALREADY USED
ndash Typical on refresh-on-logoff or delete-on-use desktops
ndash Broker never received an explicit logout message from the agent
ndash Missing AGENT_ENDED event in DB for VM
bull View Composer Issues associated with incorrect domain credentials
bull CProgramDataVMwareView ComposerLogs
bull FATAL CSvmGaService - [svmGaServicecpp 116] Domain join failed Error 5 (0x5) Access is denied
ABV1592BE CONFIDENTIAL 56
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
What to look forhellip
bull Broker starts session on VM
ndash [DesktopSessionImp] (SESSION7072--a79c) startSession ndashsending StartSession message
bull Agent respondshellip
ndash DesktopManager got a StartSession messagerdquo
ndash Client Info should be in Agent Log along with PCoIP launch
bull Event Database AGENT_PENDING
bull Client connects to VM (Agent)
ndash ldquoPCoIPCnxOnConnectionComplete Begin (PCOIP)rdquo
ndash ldquoWTS_SESSION_LOGONrdquo
ndash Event Database AGENT_CONNECTED
ABV1592BE CONFIDENTIAL 57
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Source Not Available
58
Common Issues
bull No Desktop Available
bull Pool provisioning issues ndashcustomization
bull Agent not communicatingwith broker
bull Stuck at desktop loginscreen (SSO)
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Source Not Available
59
Where to look
bull Event Database
bull Connection Server logs
What to look for
[SessionLaunchContext] (SESSION40a7__6cbd) VMWEUCbsimpson Desktop=vmworld Session request failed
(SESSION40a7__6cbd) [VMWEUCbsimpson Desktop=vmworld] (5ms) The following servers were blocked for new sessions [cn=5162cf76-8d8a-4ac0-9185-845a540d24e5ou=serversdc=vdidc=vmwaredc=int]
(SESSION40a7__6cbd) [VMWEUCbsimpson Desktop=vmworld] (5ms) Application launch failed exception was The desktop sources for this desktop are not responding Please try again later
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and vCenter Server Connection
Accept vCenter Certificate
By default certificate validation is required between App Volumes Manager and vSphere
Accept vCenter cert (self-signed or CA-signed) while creating the Machine Manager in App Volumes Manager
No custom certificate work required
App Volumes
ABV1592BE CONFIDENTIAL 60
VMworld 2017 Content Not fo
r publication or distri
bution
Certificate Options for ProductionEnable Certificate Validation on the App Volumes Agent
HKLMSystemCurrentControlSetServicessvservicesParametersbull EnforceSSLCertificateValidation = 1bull SSL = 1
Options to Enable SSL
SSL is enabled by default
Donrsquot disable certificate validation during Agent installation
Enable SSL in the registry after App Volumes Agent install
App Volumes
61
VMworld 2017 Content Not fo
r publication or distri
bution
Certificate Options for a POCDisable SSL Certificate Validation on the Agent
HKLMSystemCurrentControlSetServicessvservicesParametersbull EnforceSSLCertificateValidation = 0
Options to Disable SSL
Disable Certificate Validation with App Volumes Manager during App Volumes Agent install
EnforceSSLCertificateValidation in the registry after App Volumes Agent install
App Volumes
62
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and SQL Server CommunicationSecuring Communications Between App Volumes Manager and SQL Server
bull 212 User Guide references MS Support
bull Note the differences for a SQL Server clustered installation
bull Encryption is configured on the SQL Server instance so alldatabases on a shared SQL Server will be affected
bull From the SQL Server use SQL Server Configuration Manager to configure Force Encryption and specify the SQL certificate
SQL Server service account must have Read permissions to the Private Key of the SQL Server SSL certificate
ndash Check SQL Server Configuration Manager gt SQL Server Services gt SQL Server (SQL) gt Log On
ndash Default is NT ServiceMSSQL$SQL which does not have the necessary permissions
App Volumes
ABV1592BE CONFIDENTIAL 63
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and SQL Server CommunicationSetting Custom Private Key Permissions for SQL Service Account
bull Start on the SQL Server
bull MMC gt Certificates
App Volumes
ABV1592BE CONFIDENTIAL 64
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and Load Balancers
Typical Deployment
SSL is terminated at load balancer
HTTP between LB and AV Manager
SSL between AV Agents and LB
If trusted CA-signed cert is used for LB be
sure all agents trust the CA
App Volumes Agent VMs
Load Balancer
App Volumes Manager VMs
Alternative Deployment
To keep SSL between LB and AV
Manager signed AV Manager
certificate(s) should be added to trust list
of the LB
SQLView Infrastructure
Now Secured with SSL
Certificates
App Volumes
ABV1592BE CONFIDENTIAL 65
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
Optimize Your Images
bull httpslabsvmwarecomflingsvmware-os-optimization-tool
ABV1592BE CONFIDENTIAL 40
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
User Environment ManagerCommon Issues
41
VMworld 2017 Content Not fo
r publication or distri
bution
FlexEngine Appears Not To Run
FlexEngine Client
bull Requires use of Regeditexeor Regexe to modify user-based registry keys
bull Must not be disabled via Local or Group Policy
ADMX Settings
bull Minimum settings to enable FlexEngine Client
bull Check path
ABV1592BE CONFIDENTIAL 42
VMworld 2017 Content Not fo
r publication or distri
bution
Path-Based Import Runs Slow
43
bull Be careful not to run FlexEngine as a logon script and a Group Policy client-side extension
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Application Incompatibility with Hook Drivers
44
User Environment Manager
DirectFlex Blacklist
bull Create ltFlexRepositorygtDirectFlexBlackListXML
bull Populate as follows
ltxml version=10 encoding=utf-8gt
ltuserEnvironmentSettingsgt
ltsetting type=blacklist list=rdquo1exe|2exe|3exe gt
ltuserEnvironmentSettingsgt
bull Example httpskbvmwarecomkb2145287
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
App VolumesCommon Issues
45
VMworld 2017 Content Not fo
r publication or distri
bution
Slow User Logon
46
bull Check Logon Segments in Horizon to determine where the delay is
bull Optimize clockyml
ndash If performance decreases as deployment scales
ndash Increasing servers workers and thread_poolrequires additional CPU and RAM
ndash Involve GSS to ensure optimal settings
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
AppStack Not Attaching at Logon
47
bull One host in vSphere cluster does not have access to the shared datastore where the AppStack resides
ndash Common oversight especially with Storage Groups
bull Conflicting Minifilter driver
ndash DLP software
ndash Be aware of app altitude
ndash More info from Microsoft
bull httpbitly2tSCdG5
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
ADSI Edit ndash Static Configuration Editing
50
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
ADSI Edit ndash Common Key Values to Inspect
bull pae-DisplayName
ndash VM name as displayed in View Admin
bull pae-DirtyForNewSessions
ndash Indicates whether the VM is ldquoDirtyrdquo and can be re-used in a non-persistent pool
bull pae-SVIVMSnapshot
ndash Indicates the current Snapshot that is in use
bull pae-VmPath
ndash Indicates the full Path to the VM in vCenter
bull pae-VmState
ndash Indicates the current state of the Desktop ndash some states are a combination of this valueand other values
51
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
ADSI Edit ndash Searching for a Desktop
bull Find VMs with a Snapshot
ndash (amp(objectClass=pae-VM)(pae-SVIVmSnapshot=BaselineSnapshot1Snapshot2))
bull Find VMs with a Name
ndash (amp(objectClass=pae-VM)(pae-DisplayName=Desktop-234))
ABV1592BE CONFIDENTIAL 52
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon View Event Notifier
bull On the VMware Fling site - labsvmwarecomflings (chrishalstead)
ABV1592BE CONFIDENTIAL 53
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
What to look forhellip (walk through successful connection)
bull Client requests desktop
ndash Event Database BROKER_DESKTOP_REQUEST
bull Broker allocates session to user
ndash [FarmImp] (SESSION7072--a79c) cn=3f974017-409f-4912-83bc-2ee794f22fabou=serversdc=vdidc=vmwaredc=int total session count 0
ndash [FarmImp] (SESSION7072--a79c) allocateNewSession - identified server for application CN=GOLD-NPOU=ApplicationsDC=vdiDC=vmwareDC=int
ndash Event Database BROKER_MACHINE_ALLOCATED
bull Broker attempts SSO
ndash [FarmImp] (SESSION7072--a79c) Using domain for SSO FUTUREOFFICE
ndash User wonrsquot be logged on to the VM without this
ABV1592BE CONFIDENTIAL 54
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
What to look forhellip Pool Provisioning
bull Desktops not available due to provisioning error
ndash Check View Administrator for Pool status check datastore capacity
ndash Check Event Database - BROKER_PROVISIONING_ERROR_
ndash Check View Composer has network access to ESX hosts
bull Desktop not available due to customization
ndash Check Desktop status ndash AGENT UNAVAILABLE
ndash Check View Dashboard
bull Desktop Status gt Preparing Desktops OR Problem Desktops
ndash Check Desktop connectivity to DNSADConnection Server
ABV1592BE CONFIDENTIAL 55
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
bull Desktop not available due to VM resetcrash
ndash Check Desktop status ndash ALREADY USED
ndash Typical on refresh-on-logoff or delete-on-use desktops
ndash Broker never received an explicit logout message from the agent
ndash Missing AGENT_ENDED event in DB for VM
bull View Composer Issues associated with incorrect domain credentials
bull CProgramDataVMwareView ComposerLogs
bull FATAL CSvmGaService - [svmGaServicecpp 116] Domain join failed Error 5 (0x5) Access is denied
ABV1592BE CONFIDENTIAL 56
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
What to look forhellip
bull Broker starts session on VM
ndash [DesktopSessionImp] (SESSION7072--a79c) startSession ndashsending StartSession message
bull Agent respondshellip
ndash DesktopManager got a StartSession messagerdquo
ndash Client Info should be in Agent Log along with PCoIP launch
bull Event Database AGENT_PENDING
bull Client connects to VM (Agent)
ndash ldquoPCoIPCnxOnConnectionComplete Begin (PCOIP)rdquo
ndash ldquoWTS_SESSION_LOGONrdquo
ndash Event Database AGENT_CONNECTED
ABV1592BE CONFIDENTIAL 57
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Source Not Available
58
Common Issues
bull No Desktop Available
bull Pool provisioning issues ndashcustomization
bull Agent not communicatingwith broker
bull Stuck at desktop loginscreen (SSO)
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Source Not Available
59
Where to look
bull Event Database
bull Connection Server logs
What to look for
[SessionLaunchContext] (SESSION40a7__6cbd) VMWEUCbsimpson Desktop=vmworld Session request failed
(SESSION40a7__6cbd) [VMWEUCbsimpson Desktop=vmworld] (5ms) The following servers were blocked for new sessions [cn=5162cf76-8d8a-4ac0-9185-845a540d24e5ou=serversdc=vdidc=vmwaredc=int]
(SESSION40a7__6cbd) [VMWEUCbsimpson Desktop=vmworld] (5ms) Application launch failed exception was The desktop sources for this desktop are not responding Please try again later
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and vCenter Server Connection
Accept vCenter Certificate
By default certificate validation is required between App Volumes Manager and vSphere
Accept vCenter cert (self-signed or CA-signed) while creating the Machine Manager in App Volumes Manager
No custom certificate work required
App Volumes
ABV1592BE CONFIDENTIAL 60
VMworld 2017 Content Not fo
r publication or distri
bution
Certificate Options for ProductionEnable Certificate Validation on the App Volumes Agent
HKLMSystemCurrentControlSetServicessvservicesParametersbull EnforceSSLCertificateValidation = 1bull SSL = 1
Options to Enable SSL
SSL is enabled by default
Donrsquot disable certificate validation during Agent installation
Enable SSL in the registry after App Volumes Agent install
App Volumes
61
VMworld 2017 Content Not fo
r publication or distri
bution
Certificate Options for a POCDisable SSL Certificate Validation on the Agent
HKLMSystemCurrentControlSetServicessvservicesParametersbull EnforceSSLCertificateValidation = 0
Options to Disable SSL
Disable Certificate Validation with App Volumes Manager during App Volumes Agent install
EnforceSSLCertificateValidation in the registry after App Volumes Agent install
App Volumes
62
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and SQL Server CommunicationSecuring Communications Between App Volumes Manager and SQL Server
bull 212 User Guide references MS Support
bull Note the differences for a SQL Server clustered installation
bull Encryption is configured on the SQL Server instance so alldatabases on a shared SQL Server will be affected
bull From the SQL Server use SQL Server Configuration Manager to configure Force Encryption and specify the SQL certificate
SQL Server service account must have Read permissions to the Private Key of the SQL Server SSL certificate
ndash Check SQL Server Configuration Manager gt SQL Server Services gt SQL Server (SQL) gt Log On
ndash Default is NT ServiceMSSQL$SQL which does not have the necessary permissions
App Volumes
ABV1592BE CONFIDENTIAL 63
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and SQL Server CommunicationSetting Custom Private Key Permissions for SQL Service Account
bull Start on the SQL Server
bull MMC gt Certificates
App Volumes
ABV1592BE CONFIDENTIAL 64
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and Load Balancers
Typical Deployment
SSL is terminated at load balancer
HTTP between LB and AV Manager
SSL between AV Agents and LB
If trusted CA-signed cert is used for LB be
sure all agents trust the CA
App Volumes Agent VMs
Load Balancer
App Volumes Manager VMs
Alternative Deployment
To keep SSL between LB and AV
Manager signed AV Manager
certificate(s) should be added to trust list
of the LB
SQLView Infrastructure
Now Secured with SSL
Certificates
App Volumes
ABV1592BE CONFIDENTIAL 65
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
User Environment ManagerCommon Issues
41
VMworld 2017 Content Not fo
r publication or distri
bution
FlexEngine Appears Not To Run
FlexEngine Client
bull Requires use of Regeditexeor Regexe to modify user-based registry keys
bull Must not be disabled via Local or Group Policy
ADMX Settings
bull Minimum settings to enable FlexEngine Client
bull Check path
ABV1592BE CONFIDENTIAL 42
VMworld 2017 Content Not fo
r publication or distri
bution
Path-Based Import Runs Slow
43
bull Be careful not to run FlexEngine as a logon script and a Group Policy client-side extension
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Application Incompatibility with Hook Drivers
44
User Environment Manager
DirectFlex Blacklist
bull Create ltFlexRepositorygtDirectFlexBlackListXML
bull Populate as follows
ltxml version=10 encoding=utf-8gt
ltuserEnvironmentSettingsgt
ltsetting type=blacklist list=rdquo1exe|2exe|3exe gt
ltuserEnvironmentSettingsgt
bull Example httpskbvmwarecomkb2145287
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
App VolumesCommon Issues
45
VMworld 2017 Content Not fo
r publication or distri
bution
Slow User Logon
46
bull Check Logon Segments in Horizon to determine where the delay is
bull Optimize clockyml
ndash If performance decreases as deployment scales
ndash Increasing servers workers and thread_poolrequires additional CPU and RAM
ndash Involve GSS to ensure optimal settings
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
AppStack Not Attaching at Logon
47
bull One host in vSphere cluster does not have access to the shared datastore where the AppStack resides
ndash Common oversight especially with Storage Groups
bull Conflicting Minifilter driver
ndash DLP software
ndash Be aware of app altitude
ndash More info from Microsoft
bull httpbitly2tSCdG5
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
ADSI Edit ndash Static Configuration Editing
50
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
ADSI Edit ndash Common Key Values to Inspect
bull pae-DisplayName
ndash VM name as displayed in View Admin
bull pae-DirtyForNewSessions
ndash Indicates whether the VM is ldquoDirtyrdquo and can be re-used in a non-persistent pool
bull pae-SVIVMSnapshot
ndash Indicates the current Snapshot that is in use
bull pae-VmPath
ndash Indicates the full Path to the VM in vCenter
bull pae-VmState
ndash Indicates the current state of the Desktop ndash some states are a combination of this valueand other values
51
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
ADSI Edit ndash Searching for a Desktop
bull Find VMs with a Snapshot
ndash (amp(objectClass=pae-VM)(pae-SVIVmSnapshot=BaselineSnapshot1Snapshot2))
bull Find VMs with a Name
ndash (amp(objectClass=pae-VM)(pae-DisplayName=Desktop-234))
ABV1592BE CONFIDENTIAL 52
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon View Event Notifier
bull On the VMware Fling site - labsvmwarecomflings (chrishalstead)
ABV1592BE CONFIDENTIAL 53
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
What to look forhellip (walk through successful connection)
bull Client requests desktop
ndash Event Database BROKER_DESKTOP_REQUEST
bull Broker allocates session to user
ndash [FarmImp] (SESSION7072--a79c) cn=3f974017-409f-4912-83bc-2ee794f22fabou=serversdc=vdidc=vmwaredc=int total session count 0
ndash [FarmImp] (SESSION7072--a79c) allocateNewSession - identified server for application CN=GOLD-NPOU=ApplicationsDC=vdiDC=vmwareDC=int
ndash Event Database BROKER_MACHINE_ALLOCATED
bull Broker attempts SSO
ndash [FarmImp] (SESSION7072--a79c) Using domain for SSO FUTUREOFFICE
ndash User wonrsquot be logged on to the VM without this
ABV1592BE CONFIDENTIAL 54
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
What to look forhellip Pool Provisioning
bull Desktops not available due to provisioning error
ndash Check View Administrator for Pool status check datastore capacity
ndash Check Event Database - BROKER_PROVISIONING_ERROR_
ndash Check View Composer has network access to ESX hosts
bull Desktop not available due to customization
ndash Check Desktop status ndash AGENT UNAVAILABLE
ndash Check View Dashboard
bull Desktop Status gt Preparing Desktops OR Problem Desktops
ndash Check Desktop connectivity to DNSADConnection Server
ABV1592BE CONFIDENTIAL 55
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
bull Desktop not available due to VM resetcrash
ndash Check Desktop status ndash ALREADY USED
ndash Typical on refresh-on-logoff or delete-on-use desktops
ndash Broker never received an explicit logout message from the agent
ndash Missing AGENT_ENDED event in DB for VM
bull View Composer Issues associated with incorrect domain credentials
bull CProgramDataVMwareView ComposerLogs
bull FATAL CSvmGaService - [svmGaServicecpp 116] Domain join failed Error 5 (0x5) Access is denied
ABV1592BE CONFIDENTIAL 56
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
What to look forhellip
bull Broker starts session on VM
ndash [DesktopSessionImp] (SESSION7072--a79c) startSession ndashsending StartSession message
bull Agent respondshellip
ndash DesktopManager got a StartSession messagerdquo
ndash Client Info should be in Agent Log along with PCoIP launch
bull Event Database AGENT_PENDING
bull Client connects to VM (Agent)
ndash ldquoPCoIPCnxOnConnectionComplete Begin (PCOIP)rdquo
ndash ldquoWTS_SESSION_LOGONrdquo
ndash Event Database AGENT_CONNECTED
ABV1592BE CONFIDENTIAL 57
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Source Not Available
58
Common Issues
bull No Desktop Available
bull Pool provisioning issues ndashcustomization
bull Agent not communicatingwith broker
bull Stuck at desktop loginscreen (SSO)
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Source Not Available
59
Where to look
bull Event Database
bull Connection Server logs
What to look for
[SessionLaunchContext] (SESSION40a7__6cbd) VMWEUCbsimpson Desktop=vmworld Session request failed
(SESSION40a7__6cbd) [VMWEUCbsimpson Desktop=vmworld] (5ms) The following servers were blocked for new sessions [cn=5162cf76-8d8a-4ac0-9185-845a540d24e5ou=serversdc=vdidc=vmwaredc=int]
(SESSION40a7__6cbd) [VMWEUCbsimpson Desktop=vmworld] (5ms) Application launch failed exception was The desktop sources for this desktop are not responding Please try again later
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and vCenter Server Connection
Accept vCenter Certificate
By default certificate validation is required between App Volumes Manager and vSphere
Accept vCenter cert (self-signed or CA-signed) while creating the Machine Manager in App Volumes Manager
No custom certificate work required
App Volumes
ABV1592BE CONFIDENTIAL 60
VMworld 2017 Content Not fo
r publication or distri
bution
Certificate Options for ProductionEnable Certificate Validation on the App Volumes Agent
HKLMSystemCurrentControlSetServicessvservicesParametersbull EnforceSSLCertificateValidation = 1bull SSL = 1
Options to Enable SSL
SSL is enabled by default
Donrsquot disable certificate validation during Agent installation
Enable SSL in the registry after App Volumes Agent install
App Volumes
61
VMworld 2017 Content Not fo
r publication or distri
bution
Certificate Options for a POCDisable SSL Certificate Validation on the Agent
HKLMSystemCurrentControlSetServicessvservicesParametersbull EnforceSSLCertificateValidation = 0
Options to Disable SSL
Disable Certificate Validation with App Volumes Manager during App Volumes Agent install
EnforceSSLCertificateValidation in the registry after App Volumes Agent install
App Volumes
62
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and SQL Server CommunicationSecuring Communications Between App Volumes Manager and SQL Server
bull 212 User Guide references MS Support
bull Note the differences for a SQL Server clustered installation
bull Encryption is configured on the SQL Server instance so alldatabases on a shared SQL Server will be affected
bull From the SQL Server use SQL Server Configuration Manager to configure Force Encryption and specify the SQL certificate
SQL Server service account must have Read permissions to the Private Key of the SQL Server SSL certificate
ndash Check SQL Server Configuration Manager gt SQL Server Services gt SQL Server (SQL) gt Log On
ndash Default is NT ServiceMSSQL$SQL which does not have the necessary permissions
App Volumes
ABV1592BE CONFIDENTIAL 63
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and SQL Server CommunicationSetting Custom Private Key Permissions for SQL Service Account
bull Start on the SQL Server
bull MMC gt Certificates
App Volumes
ABV1592BE CONFIDENTIAL 64
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and Load Balancers
Typical Deployment
SSL is terminated at load balancer
HTTP between LB and AV Manager
SSL between AV Agents and LB
If trusted CA-signed cert is used for LB be
sure all agents trust the CA
App Volumes Agent VMs
Load Balancer
App Volumes Manager VMs
Alternative Deployment
To keep SSL between LB and AV
Manager signed AV Manager
certificate(s) should be added to trust list
of the LB
SQLView Infrastructure
Now Secured with SSL
Certificates
App Volumes
ABV1592BE CONFIDENTIAL 65
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
FlexEngine Appears Not To Run
FlexEngine Client
bull Requires use of Regeditexeor Regexe to modify user-based registry keys
bull Must not be disabled via Local or Group Policy
ADMX Settings
bull Minimum settings to enable FlexEngine Client
bull Check path
ABV1592BE CONFIDENTIAL 42
VMworld 2017 Content Not fo
r publication or distri
bution
Path-Based Import Runs Slow
43
bull Be careful not to run FlexEngine as a logon script and a Group Policy client-side extension
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Application Incompatibility with Hook Drivers
44
User Environment Manager
DirectFlex Blacklist
bull Create ltFlexRepositorygtDirectFlexBlackListXML
bull Populate as follows
ltxml version=10 encoding=utf-8gt
ltuserEnvironmentSettingsgt
ltsetting type=blacklist list=rdquo1exe|2exe|3exe gt
ltuserEnvironmentSettingsgt
bull Example httpskbvmwarecomkb2145287
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
App VolumesCommon Issues
45
VMworld 2017 Content Not fo
r publication or distri
bution
Slow User Logon
46
bull Check Logon Segments in Horizon to determine where the delay is
bull Optimize clockyml
ndash If performance decreases as deployment scales
ndash Increasing servers workers and thread_poolrequires additional CPU and RAM
ndash Involve GSS to ensure optimal settings
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
AppStack Not Attaching at Logon
47
bull One host in vSphere cluster does not have access to the shared datastore where the AppStack resides
ndash Common oversight especially with Storage Groups
bull Conflicting Minifilter driver
ndash DLP software
ndash Be aware of app altitude
ndash More info from Microsoft
bull httpbitly2tSCdG5
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
ADSI Edit ndash Static Configuration Editing
50
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
ADSI Edit ndash Common Key Values to Inspect
bull pae-DisplayName
ndash VM name as displayed in View Admin
bull pae-DirtyForNewSessions
ndash Indicates whether the VM is ldquoDirtyrdquo and can be re-used in a non-persistent pool
bull pae-SVIVMSnapshot
ndash Indicates the current Snapshot that is in use
bull pae-VmPath
ndash Indicates the full Path to the VM in vCenter
bull pae-VmState
ndash Indicates the current state of the Desktop ndash some states are a combination of this valueand other values
51
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
ADSI Edit ndash Searching for a Desktop
bull Find VMs with a Snapshot
ndash (amp(objectClass=pae-VM)(pae-SVIVmSnapshot=BaselineSnapshot1Snapshot2))
bull Find VMs with a Name
ndash (amp(objectClass=pae-VM)(pae-DisplayName=Desktop-234))
ABV1592BE CONFIDENTIAL 52
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon View Event Notifier
bull On the VMware Fling site - labsvmwarecomflings (chrishalstead)
ABV1592BE CONFIDENTIAL 53
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
What to look forhellip (walk through successful connection)
bull Client requests desktop
ndash Event Database BROKER_DESKTOP_REQUEST
bull Broker allocates session to user
ndash [FarmImp] (SESSION7072--a79c) cn=3f974017-409f-4912-83bc-2ee794f22fabou=serversdc=vdidc=vmwaredc=int total session count 0
ndash [FarmImp] (SESSION7072--a79c) allocateNewSession - identified server for application CN=GOLD-NPOU=ApplicationsDC=vdiDC=vmwareDC=int
ndash Event Database BROKER_MACHINE_ALLOCATED
bull Broker attempts SSO
ndash [FarmImp] (SESSION7072--a79c) Using domain for SSO FUTUREOFFICE
ndash User wonrsquot be logged on to the VM without this
ABV1592BE CONFIDENTIAL 54
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
What to look forhellip Pool Provisioning
bull Desktops not available due to provisioning error
ndash Check View Administrator for Pool status check datastore capacity
ndash Check Event Database - BROKER_PROVISIONING_ERROR_
ndash Check View Composer has network access to ESX hosts
bull Desktop not available due to customization
ndash Check Desktop status ndash AGENT UNAVAILABLE
ndash Check View Dashboard
bull Desktop Status gt Preparing Desktops OR Problem Desktops
ndash Check Desktop connectivity to DNSADConnection Server
ABV1592BE CONFIDENTIAL 55
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
bull Desktop not available due to VM resetcrash
ndash Check Desktop status ndash ALREADY USED
ndash Typical on refresh-on-logoff or delete-on-use desktops
ndash Broker never received an explicit logout message from the agent
ndash Missing AGENT_ENDED event in DB for VM
bull View Composer Issues associated with incorrect domain credentials
bull CProgramDataVMwareView ComposerLogs
bull FATAL CSvmGaService - [svmGaServicecpp 116] Domain join failed Error 5 (0x5) Access is denied
ABV1592BE CONFIDENTIAL 56
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
What to look forhellip
bull Broker starts session on VM
ndash [DesktopSessionImp] (SESSION7072--a79c) startSession ndashsending StartSession message
bull Agent respondshellip
ndash DesktopManager got a StartSession messagerdquo
ndash Client Info should be in Agent Log along with PCoIP launch
bull Event Database AGENT_PENDING
bull Client connects to VM (Agent)
ndash ldquoPCoIPCnxOnConnectionComplete Begin (PCOIP)rdquo
ndash ldquoWTS_SESSION_LOGONrdquo
ndash Event Database AGENT_CONNECTED
ABV1592BE CONFIDENTIAL 57
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Source Not Available
58
Common Issues
bull No Desktop Available
bull Pool provisioning issues ndashcustomization
bull Agent not communicatingwith broker
bull Stuck at desktop loginscreen (SSO)
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Source Not Available
59
Where to look
bull Event Database
bull Connection Server logs
What to look for
[SessionLaunchContext] (SESSION40a7__6cbd) VMWEUCbsimpson Desktop=vmworld Session request failed
(SESSION40a7__6cbd) [VMWEUCbsimpson Desktop=vmworld] (5ms) The following servers were blocked for new sessions [cn=5162cf76-8d8a-4ac0-9185-845a540d24e5ou=serversdc=vdidc=vmwaredc=int]
(SESSION40a7__6cbd) [VMWEUCbsimpson Desktop=vmworld] (5ms) Application launch failed exception was The desktop sources for this desktop are not responding Please try again later
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and vCenter Server Connection
Accept vCenter Certificate
By default certificate validation is required between App Volumes Manager and vSphere
Accept vCenter cert (self-signed or CA-signed) while creating the Machine Manager in App Volumes Manager
No custom certificate work required
App Volumes
ABV1592BE CONFIDENTIAL 60
VMworld 2017 Content Not fo
r publication or distri
bution
Certificate Options for ProductionEnable Certificate Validation on the App Volumes Agent
HKLMSystemCurrentControlSetServicessvservicesParametersbull EnforceSSLCertificateValidation = 1bull SSL = 1
Options to Enable SSL
SSL is enabled by default
Donrsquot disable certificate validation during Agent installation
Enable SSL in the registry after App Volumes Agent install
App Volumes
61
VMworld 2017 Content Not fo
r publication or distri
bution
Certificate Options for a POCDisable SSL Certificate Validation on the Agent
HKLMSystemCurrentControlSetServicessvservicesParametersbull EnforceSSLCertificateValidation = 0
Options to Disable SSL
Disable Certificate Validation with App Volumes Manager during App Volumes Agent install
EnforceSSLCertificateValidation in the registry after App Volumes Agent install
App Volumes
62
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and SQL Server CommunicationSecuring Communications Between App Volumes Manager and SQL Server
bull 212 User Guide references MS Support
bull Note the differences for a SQL Server clustered installation
bull Encryption is configured on the SQL Server instance so alldatabases on a shared SQL Server will be affected
bull From the SQL Server use SQL Server Configuration Manager to configure Force Encryption and specify the SQL certificate
SQL Server service account must have Read permissions to the Private Key of the SQL Server SSL certificate
ndash Check SQL Server Configuration Manager gt SQL Server Services gt SQL Server (SQL) gt Log On
ndash Default is NT ServiceMSSQL$SQL which does not have the necessary permissions
App Volumes
ABV1592BE CONFIDENTIAL 63
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and SQL Server CommunicationSetting Custom Private Key Permissions for SQL Service Account
bull Start on the SQL Server
bull MMC gt Certificates
App Volumes
ABV1592BE CONFIDENTIAL 64
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and Load Balancers
Typical Deployment
SSL is terminated at load balancer
HTTP between LB and AV Manager
SSL between AV Agents and LB
If trusted CA-signed cert is used for LB be
sure all agents trust the CA
App Volumes Agent VMs
Load Balancer
App Volumes Manager VMs
Alternative Deployment
To keep SSL between LB and AV
Manager signed AV Manager
certificate(s) should be added to trust list
of the LB
SQLView Infrastructure
Now Secured with SSL
Certificates
App Volumes
ABV1592BE CONFIDENTIAL 65
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
Path-Based Import Runs Slow
43
bull Be careful not to run FlexEngine as a logon script and a Group Policy client-side extension
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Application Incompatibility with Hook Drivers
44
User Environment Manager
DirectFlex Blacklist
bull Create ltFlexRepositorygtDirectFlexBlackListXML
bull Populate as follows
ltxml version=10 encoding=utf-8gt
ltuserEnvironmentSettingsgt
ltsetting type=blacklist list=rdquo1exe|2exe|3exe gt
ltuserEnvironmentSettingsgt
bull Example httpskbvmwarecomkb2145287
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
App VolumesCommon Issues
45
VMworld 2017 Content Not fo
r publication or distri
bution
Slow User Logon
46
bull Check Logon Segments in Horizon to determine where the delay is
bull Optimize clockyml
ndash If performance decreases as deployment scales
ndash Increasing servers workers and thread_poolrequires additional CPU and RAM
ndash Involve GSS to ensure optimal settings
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
AppStack Not Attaching at Logon
47
bull One host in vSphere cluster does not have access to the shared datastore where the AppStack resides
ndash Common oversight especially with Storage Groups
bull Conflicting Minifilter driver
ndash DLP software
ndash Be aware of app altitude
ndash More info from Microsoft
bull httpbitly2tSCdG5
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
ADSI Edit ndash Static Configuration Editing
50
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
ADSI Edit ndash Common Key Values to Inspect
bull pae-DisplayName
ndash VM name as displayed in View Admin
bull pae-DirtyForNewSessions
ndash Indicates whether the VM is ldquoDirtyrdquo and can be re-used in a non-persistent pool
bull pae-SVIVMSnapshot
ndash Indicates the current Snapshot that is in use
bull pae-VmPath
ndash Indicates the full Path to the VM in vCenter
bull pae-VmState
ndash Indicates the current state of the Desktop ndash some states are a combination of this valueand other values
51
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
ADSI Edit ndash Searching for a Desktop
bull Find VMs with a Snapshot
ndash (amp(objectClass=pae-VM)(pae-SVIVmSnapshot=BaselineSnapshot1Snapshot2))
bull Find VMs with a Name
ndash (amp(objectClass=pae-VM)(pae-DisplayName=Desktop-234))
ABV1592BE CONFIDENTIAL 52
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon View Event Notifier
bull On the VMware Fling site - labsvmwarecomflings (chrishalstead)
ABV1592BE CONFIDENTIAL 53
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
What to look forhellip (walk through successful connection)
bull Client requests desktop
ndash Event Database BROKER_DESKTOP_REQUEST
bull Broker allocates session to user
ndash [FarmImp] (SESSION7072--a79c) cn=3f974017-409f-4912-83bc-2ee794f22fabou=serversdc=vdidc=vmwaredc=int total session count 0
ndash [FarmImp] (SESSION7072--a79c) allocateNewSession - identified server for application CN=GOLD-NPOU=ApplicationsDC=vdiDC=vmwareDC=int
ndash Event Database BROKER_MACHINE_ALLOCATED
bull Broker attempts SSO
ndash [FarmImp] (SESSION7072--a79c) Using domain for SSO FUTUREOFFICE
ndash User wonrsquot be logged on to the VM without this
ABV1592BE CONFIDENTIAL 54
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
What to look forhellip Pool Provisioning
bull Desktops not available due to provisioning error
ndash Check View Administrator for Pool status check datastore capacity
ndash Check Event Database - BROKER_PROVISIONING_ERROR_
ndash Check View Composer has network access to ESX hosts
bull Desktop not available due to customization
ndash Check Desktop status ndash AGENT UNAVAILABLE
ndash Check View Dashboard
bull Desktop Status gt Preparing Desktops OR Problem Desktops
ndash Check Desktop connectivity to DNSADConnection Server
ABV1592BE CONFIDENTIAL 55
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
bull Desktop not available due to VM resetcrash
ndash Check Desktop status ndash ALREADY USED
ndash Typical on refresh-on-logoff or delete-on-use desktops
ndash Broker never received an explicit logout message from the agent
ndash Missing AGENT_ENDED event in DB for VM
bull View Composer Issues associated with incorrect domain credentials
bull CProgramDataVMwareView ComposerLogs
bull FATAL CSvmGaService - [svmGaServicecpp 116] Domain join failed Error 5 (0x5) Access is denied
ABV1592BE CONFIDENTIAL 56
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
What to look forhellip
bull Broker starts session on VM
ndash [DesktopSessionImp] (SESSION7072--a79c) startSession ndashsending StartSession message
bull Agent respondshellip
ndash DesktopManager got a StartSession messagerdquo
ndash Client Info should be in Agent Log along with PCoIP launch
bull Event Database AGENT_PENDING
bull Client connects to VM (Agent)
ndash ldquoPCoIPCnxOnConnectionComplete Begin (PCOIP)rdquo
ndash ldquoWTS_SESSION_LOGONrdquo
ndash Event Database AGENT_CONNECTED
ABV1592BE CONFIDENTIAL 57
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Source Not Available
58
Common Issues
bull No Desktop Available
bull Pool provisioning issues ndashcustomization
bull Agent not communicatingwith broker
bull Stuck at desktop loginscreen (SSO)
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Source Not Available
59
Where to look
bull Event Database
bull Connection Server logs
What to look for
[SessionLaunchContext] (SESSION40a7__6cbd) VMWEUCbsimpson Desktop=vmworld Session request failed
(SESSION40a7__6cbd) [VMWEUCbsimpson Desktop=vmworld] (5ms) The following servers were blocked for new sessions [cn=5162cf76-8d8a-4ac0-9185-845a540d24e5ou=serversdc=vdidc=vmwaredc=int]
(SESSION40a7__6cbd) [VMWEUCbsimpson Desktop=vmworld] (5ms) Application launch failed exception was The desktop sources for this desktop are not responding Please try again later
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and vCenter Server Connection
Accept vCenter Certificate
By default certificate validation is required between App Volumes Manager and vSphere
Accept vCenter cert (self-signed or CA-signed) while creating the Machine Manager in App Volumes Manager
No custom certificate work required
App Volumes
ABV1592BE CONFIDENTIAL 60
VMworld 2017 Content Not fo
r publication or distri
bution
Certificate Options for ProductionEnable Certificate Validation on the App Volumes Agent
HKLMSystemCurrentControlSetServicessvservicesParametersbull EnforceSSLCertificateValidation = 1bull SSL = 1
Options to Enable SSL
SSL is enabled by default
Donrsquot disable certificate validation during Agent installation
Enable SSL in the registry after App Volumes Agent install
App Volumes
61
VMworld 2017 Content Not fo
r publication or distri
bution
Certificate Options for a POCDisable SSL Certificate Validation on the Agent
HKLMSystemCurrentControlSetServicessvservicesParametersbull EnforceSSLCertificateValidation = 0
Options to Disable SSL
Disable Certificate Validation with App Volumes Manager during App Volumes Agent install
EnforceSSLCertificateValidation in the registry after App Volumes Agent install
App Volumes
62
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and SQL Server CommunicationSecuring Communications Between App Volumes Manager and SQL Server
bull 212 User Guide references MS Support
bull Note the differences for a SQL Server clustered installation
bull Encryption is configured on the SQL Server instance so alldatabases on a shared SQL Server will be affected
bull From the SQL Server use SQL Server Configuration Manager to configure Force Encryption and specify the SQL certificate
SQL Server service account must have Read permissions to the Private Key of the SQL Server SSL certificate
ndash Check SQL Server Configuration Manager gt SQL Server Services gt SQL Server (SQL) gt Log On
ndash Default is NT ServiceMSSQL$SQL which does not have the necessary permissions
App Volumes
ABV1592BE CONFIDENTIAL 63
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and SQL Server CommunicationSetting Custom Private Key Permissions for SQL Service Account
bull Start on the SQL Server
bull MMC gt Certificates
App Volumes
ABV1592BE CONFIDENTIAL 64
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and Load Balancers
Typical Deployment
SSL is terminated at load balancer
HTTP between LB and AV Manager
SSL between AV Agents and LB
If trusted CA-signed cert is used for LB be
sure all agents trust the CA
App Volumes Agent VMs
Load Balancer
App Volumes Manager VMs
Alternative Deployment
To keep SSL between LB and AV
Manager signed AV Manager
certificate(s) should be added to trust list
of the LB
SQLView Infrastructure
Now Secured with SSL
Certificates
App Volumes
ABV1592BE CONFIDENTIAL 65
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
Application Incompatibility with Hook Drivers
44
User Environment Manager
DirectFlex Blacklist
bull Create ltFlexRepositorygtDirectFlexBlackListXML
bull Populate as follows
ltxml version=10 encoding=utf-8gt
ltuserEnvironmentSettingsgt
ltsetting type=blacklist list=rdquo1exe|2exe|3exe gt
ltuserEnvironmentSettingsgt
bull Example httpskbvmwarecomkb2145287
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
App VolumesCommon Issues
45
VMworld 2017 Content Not fo
r publication or distri
bution
Slow User Logon
46
bull Check Logon Segments in Horizon to determine where the delay is
bull Optimize clockyml
ndash If performance decreases as deployment scales
ndash Increasing servers workers and thread_poolrequires additional CPU and RAM
ndash Involve GSS to ensure optimal settings
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
AppStack Not Attaching at Logon
47
bull One host in vSphere cluster does not have access to the shared datastore where the AppStack resides
ndash Common oversight especially with Storage Groups
bull Conflicting Minifilter driver
ndash DLP software
ndash Be aware of app altitude
ndash More info from Microsoft
bull httpbitly2tSCdG5
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
ADSI Edit ndash Static Configuration Editing
50
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
ADSI Edit ndash Common Key Values to Inspect
bull pae-DisplayName
ndash VM name as displayed in View Admin
bull pae-DirtyForNewSessions
ndash Indicates whether the VM is ldquoDirtyrdquo and can be re-used in a non-persistent pool
bull pae-SVIVMSnapshot
ndash Indicates the current Snapshot that is in use
bull pae-VmPath
ndash Indicates the full Path to the VM in vCenter
bull pae-VmState
ndash Indicates the current state of the Desktop ndash some states are a combination of this valueand other values
51
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
ADSI Edit ndash Searching for a Desktop
bull Find VMs with a Snapshot
ndash (amp(objectClass=pae-VM)(pae-SVIVmSnapshot=BaselineSnapshot1Snapshot2))
bull Find VMs with a Name
ndash (amp(objectClass=pae-VM)(pae-DisplayName=Desktop-234))
ABV1592BE CONFIDENTIAL 52
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon View Event Notifier
bull On the VMware Fling site - labsvmwarecomflings (chrishalstead)
ABV1592BE CONFIDENTIAL 53
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
What to look forhellip (walk through successful connection)
bull Client requests desktop
ndash Event Database BROKER_DESKTOP_REQUEST
bull Broker allocates session to user
ndash [FarmImp] (SESSION7072--a79c) cn=3f974017-409f-4912-83bc-2ee794f22fabou=serversdc=vdidc=vmwaredc=int total session count 0
ndash [FarmImp] (SESSION7072--a79c) allocateNewSession - identified server for application CN=GOLD-NPOU=ApplicationsDC=vdiDC=vmwareDC=int
ndash Event Database BROKER_MACHINE_ALLOCATED
bull Broker attempts SSO
ndash [FarmImp] (SESSION7072--a79c) Using domain for SSO FUTUREOFFICE
ndash User wonrsquot be logged on to the VM without this
ABV1592BE CONFIDENTIAL 54
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
What to look forhellip Pool Provisioning
bull Desktops not available due to provisioning error
ndash Check View Administrator for Pool status check datastore capacity
ndash Check Event Database - BROKER_PROVISIONING_ERROR_
ndash Check View Composer has network access to ESX hosts
bull Desktop not available due to customization
ndash Check Desktop status ndash AGENT UNAVAILABLE
ndash Check View Dashboard
bull Desktop Status gt Preparing Desktops OR Problem Desktops
ndash Check Desktop connectivity to DNSADConnection Server
ABV1592BE CONFIDENTIAL 55
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
bull Desktop not available due to VM resetcrash
ndash Check Desktop status ndash ALREADY USED
ndash Typical on refresh-on-logoff or delete-on-use desktops
ndash Broker never received an explicit logout message from the agent
ndash Missing AGENT_ENDED event in DB for VM
bull View Composer Issues associated with incorrect domain credentials
bull CProgramDataVMwareView ComposerLogs
bull FATAL CSvmGaService - [svmGaServicecpp 116] Domain join failed Error 5 (0x5) Access is denied
ABV1592BE CONFIDENTIAL 56
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
What to look forhellip
bull Broker starts session on VM
ndash [DesktopSessionImp] (SESSION7072--a79c) startSession ndashsending StartSession message
bull Agent respondshellip
ndash DesktopManager got a StartSession messagerdquo
ndash Client Info should be in Agent Log along with PCoIP launch
bull Event Database AGENT_PENDING
bull Client connects to VM (Agent)
ndash ldquoPCoIPCnxOnConnectionComplete Begin (PCOIP)rdquo
ndash ldquoWTS_SESSION_LOGONrdquo
ndash Event Database AGENT_CONNECTED
ABV1592BE CONFIDENTIAL 57
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Source Not Available
58
Common Issues
bull No Desktop Available
bull Pool provisioning issues ndashcustomization
bull Agent not communicatingwith broker
bull Stuck at desktop loginscreen (SSO)
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Source Not Available
59
Where to look
bull Event Database
bull Connection Server logs
What to look for
[SessionLaunchContext] (SESSION40a7__6cbd) VMWEUCbsimpson Desktop=vmworld Session request failed
(SESSION40a7__6cbd) [VMWEUCbsimpson Desktop=vmworld] (5ms) The following servers were blocked for new sessions [cn=5162cf76-8d8a-4ac0-9185-845a540d24e5ou=serversdc=vdidc=vmwaredc=int]
(SESSION40a7__6cbd) [VMWEUCbsimpson Desktop=vmworld] (5ms) Application launch failed exception was The desktop sources for this desktop are not responding Please try again later
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and vCenter Server Connection
Accept vCenter Certificate
By default certificate validation is required between App Volumes Manager and vSphere
Accept vCenter cert (self-signed or CA-signed) while creating the Machine Manager in App Volumes Manager
No custom certificate work required
App Volumes
ABV1592BE CONFIDENTIAL 60
VMworld 2017 Content Not fo
r publication or distri
bution
Certificate Options for ProductionEnable Certificate Validation on the App Volumes Agent
HKLMSystemCurrentControlSetServicessvservicesParametersbull EnforceSSLCertificateValidation = 1bull SSL = 1
Options to Enable SSL
SSL is enabled by default
Donrsquot disable certificate validation during Agent installation
Enable SSL in the registry after App Volumes Agent install
App Volumes
61
VMworld 2017 Content Not fo
r publication or distri
bution
Certificate Options for a POCDisable SSL Certificate Validation on the Agent
HKLMSystemCurrentControlSetServicessvservicesParametersbull EnforceSSLCertificateValidation = 0
Options to Disable SSL
Disable Certificate Validation with App Volumes Manager during App Volumes Agent install
EnforceSSLCertificateValidation in the registry after App Volumes Agent install
App Volumes
62
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and SQL Server CommunicationSecuring Communications Between App Volumes Manager and SQL Server
bull 212 User Guide references MS Support
bull Note the differences for a SQL Server clustered installation
bull Encryption is configured on the SQL Server instance so alldatabases on a shared SQL Server will be affected
bull From the SQL Server use SQL Server Configuration Manager to configure Force Encryption and specify the SQL certificate
SQL Server service account must have Read permissions to the Private Key of the SQL Server SSL certificate
ndash Check SQL Server Configuration Manager gt SQL Server Services gt SQL Server (SQL) gt Log On
ndash Default is NT ServiceMSSQL$SQL which does not have the necessary permissions
App Volumes
ABV1592BE CONFIDENTIAL 63
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and SQL Server CommunicationSetting Custom Private Key Permissions for SQL Service Account
bull Start on the SQL Server
bull MMC gt Certificates
App Volumes
ABV1592BE CONFIDENTIAL 64
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and Load Balancers
Typical Deployment
SSL is terminated at load balancer
HTTP between LB and AV Manager
SSL between AV Agents and LB
If trusted CA-signed cert is used for LB be
sure all agents trust the CA
App Volumes Agent VMs
Load Balancer
App Volumes Manager VMs
Alternative Deployment
To keep SSL between LB and AV
Manager signed AV Manager
certificate(s) should be added to trust list
of the LB
SQLView Infrastructure
Now Secured with SSL
Certificates
App Volumes
ABV1592BE CONFIDENTIAL 65
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
App VolumesCommon Issues
45
VMworld 2017 Content Not fo
r publication or distri
bution
Slow User Logon
46
bull Check Logon Segments in Horizon to determine where the delay is
bull Optimize clockyml
ndash If performance decreases as deployment scales
ndash Increasing servers workers and thread_poolrequires additional CPU and RAM
ndash Involve GSS to ensure optimal settings
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
AppStack Not Attaching at Logon
47
bull One host in vSphere cluster does not have access to the shared datastore where the AppStack resides
ndash Common oversight especially with Storage Groups
bull Conflicting Minifilter driver
ndash DLP software
ndash Be aware of app altitude
ndash More info from Microsoft
bull httpbitly2tSCdG5
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
ADSI Edit ndash Static Configuration Editing
50
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
ADSI Edit ndash Common Key Values to Inspect
bull pae-DisplayName
ndash VM name as displayed in View Admin
bull pae-DirtyForNewSessions
ndash Indicates whether the VM is ldquoDirtyrdquo and can be re-used in a non-persistent pool
bull pae-SVIVMSnapshot
ndash Indicates the current Snapshot that is in use
bull pae-VmPath
ndash Indicates the full Path to the VM in vCenter
bull pae-VmState
ndash Indicates the current state of the Desktop ndash some states are a combination of this valueand other values
51
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
ADSI Edit ndash Searching for a Desktop
bull Find VMs with a Snapshot
ndash (amp(objectClass=pae-VM)(pae-SVIVmSnapshot=BaselineSnapshot1Snapshot2))
bull Find VMs with a Name
ndash (amp(objectClass=pae-VM)(pae-DisplayName=Desktop-234))
ABV1592BE CONFIDENTIAL 52
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon View Event Notifier
bull On the VMware Fling site - labsvmwarecomflings (chrishalstead)
ABV1592BE CONFIDENTIAL 53
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
What to look forhellip (walk through successful connection)
bull Client requests desktop
ndash Event Database BROKER_DESKTOP_REQUEST
bull Broker allocates session to user
ndash [FarmImp] (SESSION7072--a79c) cn=3f974017-409f-4912-83bc-2ee794f22fabou=serversdc=vdidc=vmwaredc=int total session count 0
ndash [FarmImp] (SESSION7072--a79c) allocateNewSession - identified server for application CN=GOLD-NPOU=ApplicationsDC=vdiDC=vmwareDC=int
ndash Event Database BROKER_MACHINE_ALLOCATED
bull Broker attempts SSO
ndash [FarmImp] (SESSION7072--a79c) Using domain for SSO FUTUREOFFICE
ndash User wonrsquot be logged on to the VM without this
ABV1592BE CONFIDENTIAL 54
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
What to look forhellip Pool Provisioning
bull Desktops not available due to provisioning error
ndash Check View Administrator for Pool status check datastore capacity
ndash Check Event Database - BROKER_PROVISIONING_ERROR_
ndash Check View Composer has network access to ESX hosts
bull Desktop not available due to customization
ndash Check Desktop status ndash AGENT UNAVAILABLE
ndash Check View Dashboard
bull Desktop Status gt Preparing Desktops OR Problem Desktops
ndash Check Desktop connectivity to DNSADConnection Server
ABV1592BE CONFIDENTIAL 55
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
bull Desktop not available due to VM resetcrash
ndash Check Desktop status ndash ALREADY USED
ndash Typical on refresh-on-logoff or delete-on-use desktops
ndash Broker never received an explicit logout message from the agent
ndash Missing AGENT_ENDED event in DB for VM
bull View Composer Issues associated with incorrect domain credentials
bull CProgramDataVMwareView ComposerLogs
bull FATAL CSvmGaService - [svmGaServicecpp 116] Domain join failed Error 5 (0x5) Access is denied
ABV1592BE CONFIDENTIAL 56
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
What to look forhellip
bull Broker starts session on VM
ndash [DesktopSessionImp] (SESSION7072--a79c) startSession ndashsending StartSession message
bull Agent respondshellip
ndash DesktopManager got a StartSession messagerdquo
ndash Client Info should be in Agent Log along with PCoIP launch
bull Event Database AGENT_PENDING
bull Client connects to VM (Agent)
ndash ldquoPCoIPCnxOnConnectionComplete Begin (PCOIP)rdquo
ndash ldquoWTS_SESSION_LOGONrdquo
ndash Event Database AGENT_CONNECTED
ABV1592BE CONFIDENTIAL 57
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Source Not Available
58
Common Issues
bull No Desktop Available
bull Pool provisioning issues ndashcustomization
bull Agent not communicatingwith broker
bull Stuck at desktop loginscreen (SSO)
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Source Not Available
59
Where to look
bull Event Database
bull Connection Server logs
What to look for
[SessionLaunchContext] (SESSION40a7__6cbd) VMWEUCbsimpson Desktop=vmworld Session request failed
(SESSION40a7__6cbd) [VMWEUCbsimpson Desktop=vmworld] (5ms) The following servers were blocked for new sessions [cn=5162cf76-8d8a-4ac0-9185-845a540d24e5ou=serversdc=vdidc=vmwaredc=int]
(SESSION40a7__6cbd) [VMWEUCbsimpson Desktop=vmworld] (5ms) Application launch failed exception was The desktop sources for this desktop are not responding Please try again later
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and vCenter Server Connection
Accept vCenter Certificate
By default certificate validation is required between App Volumes Manager and vSphere
Accept vCenter cert (self-signed or CA-signed) while creating the Machine Manager in App Volumes Manager
No custom certificate work required
App Volumes
ABV1592BE CONFIDENTIAL 60
VMworld 2017 Content Not fo
r publication or distri
bution
Certificate Options for ProductionEnable Certificate Validation on the App Volumes Agent
HKLMSystemCurrentControlSetServicessvservicesParametersbull EnforceSSLCertificateValidation = 1bull SSL = 1
Options to Enable SSL
SSL is enabled by default
Donrsquot disable certificate validation during Agent installation
Enable SSL in the registry after App Volumes Agent install
App Volumes
61
VMworld 2017 Content Not fo
r publication or distri
bution
Certificate Options for a POCDisable SSL Certificate Validation on the Agent
HKLMSystemCurrentControlSetServicessvservicesParametersbull EnforceSSLCertificateValidation = 0
Options to Disable SSL
Disable Certificate Validation with App Volumes Manager during App Volumes Agent install
EnforceSSLCertificateValidation in the registry after App Volumes Agent install
App Volumes
62
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and SQL Server CommunicationSecuring Communications Between App Volumes Manager and SQL Server
bull 212 User Guide references MS Support
bull Note the differences for a SQL Server clustered installation
bull Encryption is configured on the SQL Server instance so alldatabases on a shared SQL Server will be affected
bull From the SQL Server use SQL Server Configuration Manager to configure Force Encryption and specify the SQL certificate
SQL Server service account must have Read permissions to the Private Key of the SQL Server SSL certificate
ndash Check SQL Server Configuration Manager gt SQL Server Services gt SQL Server (SQL) gt Log On
ndash Default is NT ServiceMSSQL$SQL which does not have the necessary permissions
App Volumes
ABV1592BE CONFIDENTIAL 63
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and SQL Server CommunicationSetting Custom Private Key Permissions for SQL Service Account
bull Start on the SQL Server
bull MMC gt Certificates
App Volumes
ABV1592BE CONFIDENTIAL 64
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and Load Balancers
Typical Deployment
SSL is terminated at load balancer
HTTP between LB and AV Manager
SSL between AV Agents and LB
If trusted CA-signed cert is used for LB be
sure all agents trust the CA
App Volumes Agent VMs
Load Balancer
App Volumes Manager VMs
Alternative Deployment
To keep SSL between LB and AV
Manager signed AV Manager
certificate(s) should be added to trust list
of the LB
SQLView Infrastructure
Now Secured with SSL
Certificates
App Volumes
ABV1592BE CONFIDENTIAL 65
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
Slow User Logon
46
bull Check Logon Segments in Horizon to determine where the delay is
bull Optimize clockyml
ndash If performance decreases as deployment scales
ndash Increasing servers workers and thread_poolrequires additional CPU and RAM
ndash Involve GSS to ensure optimal settings
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
AppStack Not Attaching at Logon
47
bull One host in vSphere cluster does not have access to the shared datastore where the AppStack resides
ndash Common oversight especially with Storage Groups
bull Conflicting Minifilter driver
ndash DLP software
ndash Be aware of app altitude
ndash More info from Microsoft
bull httpbitly2tSCdG5
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
ADSI Edit ndash Static Configuration Editing
50
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
ADSI Edit ndash Common Key Values to Inspect
bull pae-DisplayName
ndash VM name as displayed in View Admin
bull pae-DirtyForNewSessions
ndash Indicates whether the VM is ldquoDirtyrdquo and can be re-used in a non-persistent pool
bull pae-SVIVMSnapshot
ndash Indicates the current Snapshot that is in use
bull pae-VmPath
ndash Indicates the full Path to the VM in vCenter
bull pae-VmState
ndash Indicates the current state of the Desktop ndash some states are a combination of this valueand other values
51
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
ADSI Edit ndash Searching for a Desktop
bull Find VMs with a Snapshot
ndash (amp(objectClass=pae-VM)(pae-SVIVmSnapshot=BaselineSnapshot1Snapshot2))
bull Find VMs with a Name
ndash (amp(objectClass=pae-VM)(pae-DisplayName=Desktop-234))
ABV1592BE CONFIDENTIAL 52
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon View Event Notifier
bull On the VMware Fling site - labsvmwarecomflings (chrishalstead)
ABV1592BE CONFIDENTIAL 53
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
What to look forhellip (walk through successful connection)
bull Client requests desktop
ndash Event Database BROKER_DESKTOP_REQUEST
bull Broker allocates session to user
ndash [FarmImp] (SESSION7072--a79c) cn=3f974017-409f-4912-83bc-2ee794f22fabou=serversdc=vdidc=vmwaredc=int total session count 0
ndash [FarmImp] (SESSION7072--a79c) allocateNewSession - identified server for application CN=GOLD-NPOU=ApplicationsDC=vdiDC=vmwareDC=int
ndash Event Database BROKER_MACHINE_ALLOCATED
bull Broker attempts SSO
ndash [FarmImp] (SESSION7072--a79c) Using domain for SSO FUTUREOFFICE
ndash User wonrsquot be logged on to the VM without this
ABV1592BE CONFIDENTIAL 54
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
What to look forhellip Pool Provisioning
bull Desktops not available due to provisioning error
ndash Check View Administrator for Pool status check datastore capacity
ndash Check Event Database - BROKER_PROVISIONING_ERROR_
ndash Check View Composer has network access to ESX hosts
bull Desktop not available due to customization
ndash Check Desktop status ndash AGENT UNAVAILABLE
ndash Check View Dashboard
bull Desktop Status gt Preparing Desktops OR Problem Desktops
ndash Check Desktop connectivity to DNSADConnection Server
ABV1592BE CONFIDENTIAL 55
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
bull Desktop not available due to VM resetcrash
ndash Check Desktop status ndash ALREADY USED
ndash Typical on refresh-on-logoff or delete-on-use desktops
ndash Broker never received an explicit logout message from the agent
ndash Missing AGENT_ENDED event in DB for VM
bull View Composer Issues associated with incorrect domain credentials
bull CProgramDataVMwareView ComposerLogs
bull FATAL CSvmGaService - [svmGaServicecpp 116] Domain join failed Error 5 (0x5) Access is denied
ABV1592BE CONFIDENTIAL 56
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
What to look forhellip
bull Broker starts session on VM
ndash [DesktopSessionImp] (SESSION7072--a79c) startSession ndashsending StartSession message
bull Agent respondshellip
ndash DesktopManager got a StartSession messagerdquo
ndash Client Info should be in Agent Log along with PCoIP launch
bull Event Database AGENT_PENDING
bull Client connects to VM (Agent)
ndash ldquoPCoIPCnxOnConnectionComplete Begin (PCOIP)rdquo
ndash ldquoWTS_SESSION_LOGONrdquo
ndash Event Database AGENT_CONNECTED
ABV1592BE CONFIDENTIAL 57
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Source Not Available
58
Common Issues
bull No Desktop Available
bull Pool provisioning issues ndashcustomization
bull Agent not communicatingwith broker
bull Stuck at desktop loginscreen (SSO)
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Source Not Available
59
Where to look
bull Event Database
bull Connection Server logs
What to look for
[SessionLaunchContext] (SESSION40a7__6cbd) VMWEUCbsimpson Desktop=vmworld Session request failed
(SESSION40a7__6cbd) [VMWEUCbsimpson Desktop=vmworld] (5ms) The following servers were blocked for new sessions [cn=5162cf76-8d8a-4ac0-9185-845a540d24e5ou=serversdc=vdidc=vmwaredc=int]
(SESSION40a7__6cbd) [VMWEUCbsimpson Desktop=vmworld] (5ms) Application launch failed exception was The desktop sources for this desktop are not responding Please try again later
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and vCenter Server Connection
Accept vCenter Certificate
By default certificate validation is required between App Volumes Manager and vSphere
Accept vCenter cert (self-signed or CA-signed) while creating the Machine Manager in App Volumes Manager
No custom certificate work required
App Volumes
ABV1592BE CONFIDENTIAL 60
VMworld 2017 Content Not fo
r publication or distri
bution
Certificate Options for ProductionEnable Certificate Validation on the App Volumes Agent
HKLMSystemCurrentControlSetServicessvservicesParametersbull EnforceSSLCertificateValidation = 1bull SSL = 1
Options to Enable SSL
SSL is enabled by default
Donrsquot disable certificate validation during Agent installation
Enable SSL in the registry after App Volumes Agent install
App Volumes
61
VMworld 2017 Content Not fo
r publication or distri
bution
Certificate Options for a POCDisable SSL Certificate Validation on the Agent
HKLMSystemCurrentControlSetServicessvservicesParametersbull EnforceSSLCertificateValidation = 0
Options to Disable SSL
Disable Certificate Validation with App Volumes Manager during App Volumes Agent install
EnforceSSLCertificateValidation in the registry after App Volumes Agent install
App Volumes
62
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and SQL Server CommunicationSecuring Communications Between App Volumes Manager and SQL Server
bull 212 User Guide references MS Support
bull Note the differences for a SQL Server clustered installation
bull Encryption is configured on the SQL Server instance so alldatabases on a shared SQL Server will be affected
bull From the SQL Server use SQL Server Configuration Manager to configure Force Encryption and specify the SQL certificate
SQL Server service account must have Read permissions to the Private Key of the SQL Server SSL certificate
ndash Check SQL Server Configuration Manager gt SQL Server Services gt SQL Server (SQL) gt Log On
ndash Default is NT ServiceMSSQL$SQL which does not have the necessary permissions
App Volumes
ABV1592BE CONFIDENTIAL 63
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and SQL Server CommunicationSetting Custom Private Key Permissions for SQL Service Account
bull Start on the SQL Server
bull MMC gt Certificates
App Volumes
ABV1592BE CONFIDENTIAL 64
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and Load Balancers
Typical Deployment
SSL is terminated at load balancer
HTTP between LB and AV Manager
SSL between AV Agents and LB
If trusted CA-signed cert is used for LB be
sure all agents trust the CA
App Volumes Agent VMs
Load Balancer
App Volumes Manager VMs
Alternative Deployment
To keep SSL between LB and AV
Manager signed AV Manager
certificate(s) should be added to trust list
of the LB
SQLView Infrastructure
Now Secured with SSL
Certificates
App Volumes
ABV1592BE CONFIDENTIAL 65
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
AppStack Not Attaching at Logon
47
bull One host in vSphere cluster does not have access to the shared datastore where the AppStack resides
ndash Common oversight especially with Storage Groups
bull Conflicting Minifilter driver
ndash DLP software
ndash Be aware of app altitude
ndash More info from Microsoft
bull httpbitly2tSCdG5
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
ADSI Edit ndash Static Configuration Editing
50
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
ADSI Edit ndash Common Key Values to Inspect
bull pae-DisplayName
ndash VM name as displayed in View Admin
bull pae-DirtyForNewSessions
ndash Indicates whether the VM is ldquoDirtyrdquo and can be re-used in a non-persistent pool
bull pae-SVIVMSnapshot
ndash Indicates the current Snapshot that is in use
bull pae-VmPath
ndash Indicates the full Path to the VM in vCenter
bull pae-VmState
ndash Indicates the current state of the Desktop ndash some states are a combination of this valueand other values
51
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
ADSI Edit ndash Searching for a Desktop
bull Find VMs with a Snapshot
ndash (amp(objectClass=pae-VM)(pae-SVIVmSnapshot=BaselineSnapshot1Snapshot2))
bull Find VMs with a Name
ndash (amp(objectClass=pae-VM)(pae-DisplayName=Desktop-234))
ABV1592BE CONFIDENTIAL 52
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon View Event Notifier
bull On the VMware Fling site - labsvmwarecomflings (chrishalstead)
ABV1592BE CONFIDENTIAL 53
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
What to look forhellip (walk through successful connection)
bull Client requests desktop
ndash Event Database BROKER_DESKTOP_REQUEST
bull Broker allocates session to user
ndash [FarmImp] (SESSION7072--a79c) cn=3f974017-409f-4912-83bc-2ee794f22fabou=serversdc=vdidc=vmwaredc=int total session count 0
ndash [FarmImp] (SESSION7072--a79c) allocateNewSession - identified server for application CN=GOLD-NPOU=ApplicationsDC=vdiDC=vmwareDC=int
ndash Event Database BROKER_MACHINE_ALLOCATED
bull Broker attempts SSO
ndash [FarmImp] (SESSION7072--a79c) Using domain for SSO FUTUREOFFICE
ndash User wonrsquot be logged on to the VM without this
ABV1592BE CONFIDENTIAL 54
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
What to look forhellip Pool Provisioning
bull Desktops not available due to provisioning error
ndash Check View Administrator for Pool status check datastore capacity
ndash Check Event Database - BROKER_PROVISIONING_ERROR_
ndash Check View Composer has network access to ESX hosts
bull Desktop not available due to customization
ndash Check Desktop status ndash AGENT UNAVAILABLE
ndash Check View Dashboard
bull Desktop Status gt Preparing Desktops OR Problem Desktops
ndash Check Desktop connectivity to DNSADConnection Server
ABV1592BE CONFIDENTIAL 55
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
bull Desktop not available due to VM resetcrash
ndash Check Desktop status ndash ALREADY USED
ndash Typical on refresh-on-logoff or delete-on-use desktops
ndash Broker never received an explicit logout message from the agent
ndash Missing AGENT_ENDED event in DB for VM
bull View Composer Issues associated with incorrect domain credentials
bull CProgramDataVMwareView ComposerLogs
bull FATAL CSvmGaService - [svmGaServicecpp 116] Domain join failed Error 5 (0x5) Access is denied
ABV1592BE CONFIDENTIAL 56
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
What to look forhellip
bull Broker starts session on VM
ndash [DesktopSessionImp] (SESSION7072--a79c) startSession ndashsending StartSession message
bull Agent respondshellip
ndash DesktopManager got a StartSession messagerdquo
ndash Client Info should be in Agent Log along with PCoIP launch
bull Event Database AGENT_PENDING
bull Client connects to VM (Agent)
ndash ldquoPCoIPCnxOnConnectionComplete Begin (PCOIP)rdquo
ndash ldquoWTS_SESSION_LOGONrdquo
ndash Event Database AGENT_CONNECTED
ABV1592BE CONFIDENTIAL 57
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Source Not Available
58
Common Issues
bull No Desktop Available
bull Pool provisioning issues ndashcustomization
bull Agent not communicatingwith broker
bull Stuck at desktop loginscreen (SSO)
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Source Not Available
59
Where to look
bull Event Database
bull Connection Server logs
What to look for
[SessionLaunchContext] (SESSION40a7__6cbd) VMWEUCbsimpson Desktop=vmworld Session request failed
(SESSION40a7__6cbd) [VMWEUCbsimpson Desktop=vmworld] (5ms) The following servers were blocked for new sessions [cn=5162cf76-8d8a-4ac0-9185-845a540d24e5ou=serversdc=vdidc=vmwaredc=int]
(SESSION40a7__6cbd) [VMWEUCbsimpson Desktop=vmworld] (5ms) Application launch failed exception was The desktop sources for this desktop are not responding Please try again later
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and vCenter Server Connection
Accept vCenter Certificate
By default certificate validation is required between App Volumes Manager and vSphere
Accept vCenter cert (self-signed or CA-signed) while creating the Machine Manager in App Volumes Manager
No custom certificate work required
App Volumes
ABV1592BE CONFIDENTIAL 60
VMworld 2017 Content Not fo
r publication or distri
bution
Certificate Options for ProductionEnable Certificate Validation on the App Volumes Agent
HKLMSystemCurrentControlSetServicessvservicesParametersbull EnforceSSLCertificateValidation = 1bull SSL = 1
Options to Enable SSL
SSL is enabled by default
Donrsquot disable certificate validation during Agent installation
Enable SSL in the registry after App Volumes Agent install
App Volumes
61
VMworld 2017 Content Not fo
r publication or distri
bution
Certificate Options for a POCDisable SSL Certificate Validation on the Agent
HKLMSystemCurrentControlSetServicessvservicesParametersbull EnforceSSLCertificateValidation = 0
Options to Disable SSL
Disable Certificate Validation with App Volumes Manager during App Volumes Agent install
EnforceSSLCertificateValidation in the registry after App Volumes Agent install
App Volumes
62
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and SQL Server CommunicationSecuring Communications Between App Volumes Manager and SQL Server
bull 212 User Guide references MS Support
bull Note the differences for a SQL Server clustered installation
bull Encryption is configured on the SQL Server instance so alldatabases on a shared SQL Server will be affected
bull From the SQL Server use SQL Server Configuration Manager to configure Force Encryption and specify the SQL certificate
SQL Server service account must have Read permissions to the Private Key of the SQL Server SSL certificate
ndash Check SQL Server Configuration Manager gt SQL Server Services gt SQL Server (SQL) gt Log On
ndash Default is NT ServiceMSSQL$SQL which does not have the necessary permissions
App Volumes
ABV1592BE CONFIDENTIAL 63
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and SQL Server CommunicationSetting Custom Private Key Permissions for SQL Service Account
bull Start on the SQL Server
bull MMC gt Certificates
App Volumes
ABV1592BE CONFIDENTIAL 64
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and Load Balancers
Typical Deployment
SSL is terminated at load balancer
HTTP between LB and AV Manager
SSL between AV Agents and LB
If trusted CA-signed cert is used for LB be
sure all agents trust the CA
App Volumes Agent VMs
Load Balancer
App Volumes Manager VMs
Alternative Deployment
To keep SSL between LB and AV
Manager signed AV Manager
certificate(s) should be added to trust list
of the LB
SQLView Infrastructure
Now Secured with SSL
Certificates
App Volumes
ABV1592BE CONFIDENTIAL 65
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
ADSI Edit ndash Static Configuration Editing
50
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
ADSI Edit ndash Common Key Values to Inspect
bull pae-DisplayName
ndash VM name as displayed in View Admin
bull pae-DirtyForNewSessions
ndash Indicates whether the VM is ldquoDirtyrdquo and can be re-used in a non-persistent pool
bull pae-SVIVMSnapshot
ndash Indicates the current Snapshot that is in use
bull pae-VmPath
ndash Indicates the full Path to the VM in vCenter
bull pae-VmState
ndash Indicates the current state of the Desktop ndash some states are a combination of this valueand other values
51
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
ADSI Edit ndash Searching for a Desktop
bull Find VMs with a Snapshot
ndash (amp(objectClass=pae-VM)(pae-SVIVmSnapshot=BaselineSnapshot1Snapshot2))
bull Find VMs with a Name
ndash (amp(objectClass=pae-VM)(pae-DisplayName=Desktop-234))
ABV1592BE CONFIDENTIAL 52
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon View Event Notifier
bull On the VMware Fling site - labsvmwarecomflings (chrishalstead)
ABV1592BE CONFIDENTIAL 53
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
What to look forhellip (walk through successful connection)
bull Client requests desktop
ndash Event Database BROKER_DESKTOP_REQUEST
bull Broker allocates session to user
ndash [FarmImp] (SESSION7072--a79c) cn=3f974017-409f-4912-83bc-2ee794f22fabou=serversdc=vdidc=vmwaredc=int total session count 0
ndash [FarmImp] (SESSION7072--a79c) allocateNewSession - identified server for application CN=GOLD-NPOU=ApplicationsDC=vdiDC=vmwareDC=int
ndash Event Database BROKER_MACHINE_ALLOCATED
bull Broker attempts SSO
ndash [FarmImp] (SESSION7072--a79c) Using domain for SSO FUTUREOFFICE
ndash User wonrsquot be logged on to the VM without this
ABV1592BE CONFIDENTIAL 54
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
What to look forhellip Pool Provisioning
bull Desktops not available due to provisioning error
ndash Check View Administrator for Pool status check datastore capacity
ndash Check Event Database - BROKER_PROVISIONING_ERROR_
ndash Check View Composer has network access to ESX hosts
bull Desktop not available due to customization
ndash Check Desktop status ndash AGENT UNAVAILABLE
ndash Check View Dashboard
bull Desktop Status gt Preparing Desktops OR Problem Desktops
ndash Check Desktop connectivity to DNSADConnection Server
ABV1592BE CONFIDENTIAL 55
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
bull Desktop not available due to VM resetcrash
ndash Check Desktop status ndash ALREADY USED
ndash Typical on refresh-on-logoff or delete-on-use desktops
ndash Broker never received an explicit logout message from the agent
ndash Missing AGENT_ENDED event in DB for VM
bull View Composer Issues associated with incorrect domain credentials
bull CProgramDataVMwareView ComposerLogs
bull FATAL CSvmGaService - [svmGaServicecpp 116] Domain join failed Error 5 (0x5) Access is denied
ABV1592BE CONFIDENTIAL 56
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
What to look forhellip
bull Broker starts session on VM
ndash [DesktopSessionImp] (SESSION7072--a79c) startSession ndashsending StartSession message
bull Agent respondshellip
ndash DesktopManager got a StartSession messagerdquo
ndash Client Info should be in Agent Log along with PCoIP launch
bull Event Database AGENT_PENDING
bull Client connects to VM (Agent)
ndash ldquoPCoIPCnxOnConnectionComplete Begin (PCOIP)rdquo
ndash ldquoWTS_SESSION_LOGONrdquo
ndash Event Database AGENT_CONNECTED
ABV1592BE CONFIDENTIAL 57
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Source Not Available
58
Common Issues
bull No Desktop Available
bull Pool provisioning issues ndashcustomization
bull Agent not communicatingwith broker
bull Stuck at desktop loginscreen (SSO)
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Source Not Available
59
Where to look
bull Event Database
bull Connection Server logs
What to look for
[SessionLaunchContext] (SESSION40a7__6cbd) VMWEUCbsimpson Desktop=vmworld Session request failed
(SESSION40a7__6cbd) [VMWEUCbsimpson Desktop=vmworld] (5ms) The following servers were blocked for new sessions [cn=5162cf76-8d8a-4ac0-9185-845a540d24e5ou=serversdc=vdidc=vmwaredc=int]
(SESSION40a7__6cbd) [VMWEUCbsimpson Desktop=vmworld] (5ms) Application launch failed exception was The desktop sources for this desktop are not responding Please try again later
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and vCenter Server Connection
Accept vCenter Certificate
By default certificate validation is required between App Volumes Manager and vSphere
Accept vCenter cert (self-signed or CA-signed) while creating the Machine Manager in App Volumes Manager
No custom certificate work required
App Volumes
ABV1592BE CONFIDENTIAL 60
VMworld 2017 Content Not fo
r publication or distri
bution
Certificate Options for ProductionEnable Certificate Validation on the App Volumes Agent
HKLMSystemCurrentControlSetServicessvservicesParametersbull EnforceSSLCertificateValidation = 1bull SSL = 1
Options to Enable SSL
SSL is enabled by default
Donrsquot disable certificate validation during Agent installation
Enable SSL in the registry after App Volumes Agent install
App Volumes
61
VMworld 2017 Content Not fo
r publication or distri
bution
Certificate Options for a POCDisable SSL Certificate Validation on the Agent
HKLMSystemCurrentControlSetServicessvservicesParametersbull EnforceSSLCertificateValidation = 0
Options to Disable SSL
Disable Certificate Validation with App Volumes Manager during App Volumes Agent install
EnforceSSLCertificateValidation in the registry after App Volumes Agent install
App Volumes
62
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and SQL Server CommunicationSecuring Communications Between App Volumes Manager and SQL Server
bull 212 User Guide references MS Support
bull Note the differences for a SQL Server clustered installation
bull Encryption is configured on the SQL Server instance so alldatabases on a shared SQL Server will be affected
bull From the SQL Server use SQL Server Configuration Manager to configure Force Encryption and specify the SQL certificate
SQL Server service account must have Read permissions to the Private Key of the SQL Server SSL certificate
ndash Check SQL Server Configuration Manager gt SQL Server Services gt SQL Server (SQL) gt Log On
ndash Default is NT ServiceMSSQL$SQL which does not have the necessary permissions
App Volumes
ABV1592BE CONFIDENTIAL 63
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and SQL Server CommunicationSetting Custom Private Key Permissions for SQL Service Account
bull Start on the SQL Server
bull MMC gt Certificates
App Volumes
ABV1592BE CONFIDENTIAL 64
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and Load Balancers
Typical Deployment
SSL is terminated at load balancer
HTTP between LB and AV Manager
SSL between AV Agents and LB
If trusted CA-signed cert is used for LB be
sure all agents trust the CA
App Volumes Agent VMs
Load Balancer
App Volumes Manager VMs
Alternative Deployment
To keep SSL between LB and AV
Manager signed AV Manager
certificate(s) should be added to trust list
of the LB
SQLView Infrastructure
Now Secured with SSL
Certificates
App Volumes
ABV1592BE CONFIDENTIAL 65
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
ADSI Edit ndash Static Configuration Editing
50
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
ADSI Edit ndash Common Key Values to Inspect
bull pae-DisplayName
ndash VM name as displayed in View Admin
bull pae-DirtyForNewSessions
ndash Indicates whether the VM is ldquoDirtyrdquo and can be re-used in a non-persistent pool
bull pae-SVIVMSnapshot
ndash Indicates the current Snapshot that is in use
bull pae-VmPath
ndash Indicates the full Path to the VM in vCenter
bull pae-VmState
ndash Indicates the current state of the Desktop ndash some states are a combination of this valueand other values
51
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
ADSI Edit ndash Searching for a Desktop
bull Find VMs with a Snapshot
ndash (amp(objectClass=pae-VM)(pae-SVIVmSnapshot=BaselineSnapshot1Snapshot2))
bull Find VMs with a Name
ndash (amp(objectClass=pae-VM)(pae-DisplayName=Desktop-234))
ABV1592BE CONFIDENTIAL 52
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon View Event Notifier
bull On the VMware Fling site - labsvmwarecomflings (chrishalstead)
ABV1592BE CONFIDENTIAL 53
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
What to look forhellip (walk through successful connection)
bull Client requests desktop
ndash Event Database BROKER_DESKTOP_REQUEST
bull Broker allocates session to user
ndash [FarmImp] (SESSION7072--a79c) cn=3f974017-409f-4912-83bc-2ee794f22fabou=serversdc=vdidc=vmwaredc=int total session count 0
ndash [FarmImp] (SESSION7072--a79c) allocateNewSession - identified server for application CN=GOLD-NPOU=ApplicationsDC=vdiDC=vmwareDC=int
ndash Event Database BROKER_MACHINE_ALLOCATED
bull Broker attempts SSO
ndash [FarmImp] (SESSION7072--a79c) Using domain for SSO FUTUREOFFICE
ndash User wonrsquot be logged on to the VM without this
ABV1592BE CONFIDENTIAL 54
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
What to look forhellip Pool Provisioning
bull Desktops not available due to provisioning error
ndash Check View Administrator for Pool status check datastore capacity
ndash Check Event Database - BROKER_PROVISIONING_ERROR_
ndash Check View Composer has network access to ESX hosts
bull Desktop not available due to customization
ndash Check Desktop status ndash AGENT UNAVAILABLE
ndash Check View Dashboard
bull Desktop Status gt Preparing Desktops OR Problem Desktops
ndash Check Desktop connectivity to DNSADConnection Server
ABV1592BE CONFIDENTIAL 55
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
bull Desktop not available due to VM resetcrash
ndash Check Desktop status ndash ALREADY USED
ndash Typical on refresh-on-logoff or delete-on-use desktops
ndash Broker never received an explicit logout message from the agent
ndash Missing AGENT_ENDED event in DB for VM
bull View Composer Issues associated with incorrect domain credentials
bull CProgramDataVMwareView ComposerLogs
bull FATAL CSvmGaService - [svmGaServicecpp 116] Domain join failed Error 5 (0x5) Access is denied
ABV1592BE CONFIDENTIAL 56
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
What to look forhellip
bull Broker starts session on VM
ndash [DesktopSessionImp] (SESSION7072--a79c) startSession ndashsending StartSession message
bull Agent respondshellip
ndash DesktopManager got a StartSession messagerdquo
ndash Client Info should be in Agent Log along with PCoIP launch
bull Event Database AGENT_PENDING
bull Client connects to VM (Agent)
ndash ldquoPCoIPCnxOnConnectionComplete Begin (PCOIP)rdquo
ndash ldquoWTS_SESSION_LOGONrdquo
ndash Event Database AGENT_CONNECTED
ABV1592BE CONFIDENTIAL 57
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Source Not Available
58
Common Issues
bull No Desktop Available
bull Pool provisioning issues ndashcustomization
bull Agent not communicatingwith broker
bull Stuck at desktop loginscreen (SSO)
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Source Not Available
59
Where to look
bull Event Database
bull Connection Server logs
What to look for
[SessionLaunchContext] (SESSION40a7__6cbd) VMWEUCbsimpson Desktop=vmworld Session request failed
(SESSION40a7__6cbd) [VMWEUCbsimpson Desktop=vmworld] (5ms) The following servers were blocked for new sessions [cn=5162cf76-8d8a-4ac0-9185-845a540d24e5ou=serversdc=vdidc=vmwaredc=int]
(SESSION40a7__6cbd) [VMWEUCbsimpson Desktop=vmworld] (5ms) Application launch failed exception was The desktop sources for this desktop are not responding Please try again later
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and vCenter Server Connection
Accept vCenter Certificate
By default certificate validation is required between App Volumes Manager and vSphere
Accept vCenter cert (self-signed or CA-signed) while creating the Machine Manager in App Volumes Manager
No custom certificate work required
App Volumes
ABV1592BE CONFIDENTIAL 60
VMworld 2017 Content Not fo
r publication or distri
bution
Certificate Options for ProductionEnable Certificate Validation on the App Volumes Agent
HKLMSystemCurrentControlSetServicessvservicesParametersbull EnforceSSLCertificateValidation = 1bull SSL = 1
Options to Enable SSL
SSL is enabled by default
Donrsquot disable certificate validation during Agent installation
Enable SSL in the registry after App Volumes Agent install
App Volumes
61
VMworld 2017 Content Not fo
r publication or distri
bution
Certificate Options for a POCDisable SSL Certificate Validation on the Agent
HKLMSystemCurrentControlSetServicessvservicesParametersbull EnforceSSLCertificateValidation = 0
Options to Disable SSL
Disable Certificate Validation with App Volumes Manager during App Volumes Agent install
EnforceSSLCertificateValidation in the registry after App Volumes Agent install
App Volumes
62
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and SQL Server CommunicationSecuring Communications Between App Volumes Manager and SQL Server
bull 212 User Guide references MS Support
bull Note the differences for a SQL Server clustered installation
bull Encryption is configured on the SQL Server instance so alldatabases on a shared SQL Server will be affected
bull From the SQL Server use SQL Server Configuration Manager to configure Force Encryption and specify the SQL certificate
SQL Server service account must have Read permissions to the Private Key of the SQL Server SSL certificate
ndash Check SQL Server Configuration Manager gt SQL Server Services gt SQL Server (SQL) gt Log On
ndash Default is NT ServiceMSSQL$SQL which does not have the necessary permissions
App Volumes
ABV1592BE CONFIDENTIAL 63
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and SQL Server CommunicationSetting Custom Private Key Permissions for SQL Service Account
bull Start on the SQL Server
bull MMC gt Certificates
App Volumes
ABV1592BE CONFIDENTIAL 64
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and Load Balancers
Typical Deployment
SSL is terminated at load balancer
HTTP between LB and AV Manager
SSL between AV Agents and LB
If trusted CA-signed cert is used for LB be
sure all agents trust the CA
App Volumes Agent VMs
Load Balancer
App Volumes Manager VMs
Alternative Deployment
To keep SSL between LB and AV
Manager signed AV Manager
certificate(s) should be added to trust list
of the LB
SQLView Infrastructure
Now Secured with SSL
Certificates
App Volumes
ABV1592BE CONFIDENTIAL 65
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
ADSI Edit ndash Static Configuration Editing
50
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
ADSI Edit ndash Common Key Values to Inspect
bull pae-DisplayName
ndash VM name as displayed in View Admin
bull pae-DirtyForNewSessions
ndash Indicates whether the VM is ldquoDirtyrdquo and can be re-used in a non-persistent pool
bull pae-SVIVMSnapshot
ndash Indicates the current Snapshot that is in use
bull pae-VmPath
ndash Indicates the full Path to the VM in vCenter
bull pae-VmState
ndash Indicates the current state of the Desktop ndash some states are a combination of this valueand other values
51
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
ADSI Edit ndash Searching for a Desktop
bull Find VMs with a Snapshot
ndash (amp(objectClass=pae-VM)(pae-SVIVmSnapshot=BaselineSnapshot1Snapshot2))
bull Find VMs with a Name
ndash (amp(objectClass=pae-VM)(pae-DisplayName=Desktop-234))
ABV1592BE CONFIDENTIAL 52
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon View Event Notifier
bull On the VMware Fling site - labsvmwarecomflings (chrishalstead)
ABV1592BE CONFIDENTIAL 53
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
What to look forhellip (walk through successful connection)
bull Client requests desktop
ndash Event Database BROKER_DESKTOP_REQUEST
bull Broker allocates session to user
ndash [FarmImp] (SESSION7072--a79c) cn=3f974017-409f-4912-83bc-2ee794f22fabou=serversdc=vdidc=vmwaredc=int total session count 0
ndash [FarmImp] (SESSION7072--a79c) allocateNewSession - identified server for application CN=GOLD-NPOU=ApplicationsDC=vdiDC=vmwareDC=int
ndash Event Database BROKER_MACHINE_ALLOCATED
bull Broker attempts SSO
ndash [FarmImp] (SESSION7072--a79c) Using domain for SSO FUTUREOFFICE
ndash User wonrsquot be logged on to the VM without this
ABV1592BE CONFIDENTIAL 54
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
What to look forhellip Pool Provisioning
bull Desktops not available due to provisioning error
ndash Check View Administrator for Pool status check datastore capacity
ndash Check Event Database - BROKER_PROVISIONING_ERROR_
ndash Check View Composer has network access to ESX hosts
bull Desktop not available due to customization
ndash Check Desktop status ndash AGENT UNAVAILABLE
ndash Check View Dashboard
bull Desktop Status gt Preparing Desktops OR Problem Desktops
ndash Check Desktop connectivity to DNSADConnection Server
ABV1592BE CONFIDENTIAL 55
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
bull Desktop not available due to VM resetcrash
ndash Check Desktop status ndash ALREADY USED
ndash Typical on refresh-on-logoff or delete-on-use desktops
ndash Broker never received an explicit logout message from the agent
ndash Missing AGENT_ENDED event in DB for VM
bull View Composer Issues associated with incorrect domain credentials
bull CProgramDataVMwareView ComposerLogs
bull FATAL CSvmGaService - [svmGaServicecpp 116] Domain join failed Error 5 (0x5) Access is denied
ABV1592BE CONFIDENTIAL 56
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
What to look forhellip
bull Broker starts session on VM
ndash [DesktopSessionImp] (SESSION7072--a79c) startSession ndashsending StartSession message
bull Agent respondshellip
ndash DesktopManager got a StartSession messagerdquo
ndash Client Info should be in Agent Log along with PCoIP launch
bull Event Database AGENT_PENDING
bull Client connects to VM (Agent)
ndash ldquoPCoIPCnxOnConnectionComplete Begin (PCOIP)rdquo
ndash ldquoWTS_SESSION_LOGONrdquo
ndash Event Database AGENT_CONNECTED
ABV1592BE CONFIDENTIAL 57
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Source Not Available
58
Common Issues
bull No Desktop Available
bull Pool provisioning issues ndashcustomization
bull Agent not communicatingwith broker
bull Stuck at desktop loginscreen (SSO)
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Source Not Available
59
Where to look
bull Event Database
bull Connection Server logs
What to look for
[SessionLaunchContext] (SESSION40a7__6cbd) VMWEUCbsimpson Desktop=vmworld Session request failed
(SESSION40a7__6cbd) [VMWEUCbsimpson Desktop=vmworld] (5ms) The following servers were blocked for new sessions [cn=5162cf76-8d8a-4ac0-9185-845a540d24e5ou=serversdc=vdidc=vmwaredc=int]
(SESSION40a7__6cbd) [VMWEUCbsimpson Desktop=vmworld] (5ms) Application launch failed exception was The desktop sources for this desktop are not responding Please try again later
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and vCenter Server Connection
Accept vCenter Certificate
By default certificate validation is required between App Volumes Manager and vSphere
Accept vCenter cert (self-signed or CA-signed) while creating the Machine Manager in App Volumes Manager
No custom certificate work required
App Volumes
ABV1592BE CONFIDENTIAL 60
VMworld 2017 Content Not fo
r publication or distri
bution
Certificate Options for ProductionEnable Certificate Validation on the App Volumes Agent
HKLMSystemCurrentControlSetServicessvservicesParametersbull EnforceSSLCertificateValidation = 1bull SSL = 1
Options to Enable SSL
SSL is enabled by default
Donrsquot disable certificate validation during Agent installation
Enable SSL in the registry after App Volumes Agent install
App Volumes
61
VMworld 2017 Content Not fo
r publication or distri
bution
Certificate Options for a POCDisable SSL Certificate Validation on the Agent
HKLMSystemCurrentControlSetServicessvservicesParametersbull EnforceSSLCertificateValidation = 0
Options to Disable SSL
Disable Certificate Validation with App Volumes Manager during App Volumes Agent install
EnforceSSLCertificateValidation in the registry after App Volumes Agent install
App Volumes
62
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and SQL Server CommunicationSecuring Communications Between App Volumes Manager and SQL Server
bull 212 User Guide references MS Support
bull Note the differences for a SQL Server clustered installation
bull Encryption is configured on the SQL Server instance so alldatabases on a shared SQL Server will be affected
bull From the SQL Server use SQL Server Configuration Manager to configure Force Encryption and specify the SQL certificate
SQL Server service account must have Read permissions to the Private Key of the SQL Server SSL certificate
ndash Check SQL Server Configuration Manager gt SQL Server Services gt SQL Server (SQL) gt Log On
ndash Default is NT ServiceMSSQL$SQL which does not have the necessary permissions
App Volumes
ABV1592BE CONFIDENTIAL 63
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and SQL Server CommunicationSetting Custom Private Key Permissions for SQL Service Account
bull Start on the SQL Server
bull MMC gt Certificates
App Volumes
ABV1592BE CONFIDENTIAL 64
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and Load Balancers
Typical Deployment
SSL is terminated at load balancer
HTTP between LB and AV Manager
SSL between AV Agents and LB
If trusted CA-signed cert is used for LB be
sure all agents trust the CA
App Volumes Agent VMs
Load Balancer
App Volumes Manager VMs
Alternative Deployment
To keep SSL between LB and AV
Manager signed AV Manager
certificate(s) should be added to trust list
of the LB
SQLView Infrastructure
Now Secured with SSL
Certificates
App Volumes
ABV1592BE CONFIDENTIAL 65
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
ADSI Edit ndash Common Key Values to Inspect
bull pae-DisplayName
ndash VM name as displayed in View Admin
bull pae-DirtyForNewSessions
ndash Indicates whether the VM is ldquoDirtyrdquo and can be re-used in a non-persistent pool
bull pae-SVIVMSnapshot
ndash Indicates the current Snapshot that is in use
bull pae-VmPath
ndash Indicates the full Path to the VM in vCenter
bull pae-VmState
ndash Indicates the current state of the Desktop ndash some states are a combination of this valueand other values
51
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
ADSI Edit ndash Searching for a Desktop
bull Find VMs with a Snapshot
ndash (amp(objectClass=pae-VM)(pae-SVIVmSnapshot=BaselineSnapshot1Snapshot2))
bull Find VMs with a Name
ndash (amp(objectClass=pae-VM)(pae-DisplayName=Desktop-234))
ABV1592BE CONFIDENTIAL 52
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon View Event Notifier
bull On the VMware Fling site - labsvmwarecomflings (chrishalstead)
ABV1592BE CONFIDENTIAL 53
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
What to look forhellip (walk through successful connection)
bull Client requests desktop
ndash Event Database BROKER_DESKTOP_REQUEST
bull Broker allocates session to user
ndash [FarmImp] (SESSION7072--a79c) cn=3f974017-409f-4912-83bc-2ee794f22fabou=serversdc=vdidc=vmwaredc=int total session count 0
ndash [FarmImp] (SESSION7072--a79c) allocateNewSession - identified server for application CN=GOLD-NPOU=ApplicationsDC=vdiDC=vmwareDC=int
ndash Event Database BROKER_MACHINE_ALLOCATED
bull Broker attempts SSO
ndash [FarmImp] (SESSION7072--a79c) Using domain for SSO FUTUREOFFICE
ndash User wonrsquot be logged on to the VM without this
ABV1592BE CONFIDENTIAL 54
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
What to look forhellip Pool Provisioning
bull Desktops not available due to provisioning error
ndash Check View Administrator for Pool status check datastore capacity
ndash Check Event Database - BROKER_PROVISIONING_ERROR_
ndash Check View Composer has network access to ESX hosts
bull Desktop not available due to customization
ndash Check Desktop status ndash AGENT UNAVAILABLE
ndash Check View Dashboard
bull Desktop Status gt Preparing Desktops OR Problem Desktops
ndash Check Desktop connectivity to DNSADConnection Server
ABV1592BE CONFIDENTIAL 55
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
bull Desktop not available due to VM resetcrash
ndash Check Desktop status ndash ALREADY USED
ndash Typical on refresh-on-logoff or delete-on-use desktops
ndash Broker never received an explicit logout message from the agent
ndash Missing AGENT_ENDED event in DB for VM
bull View Composer Issues associated with incorrect domain credentials
bull CProgramDataVMwareView ComposerLogs
bull FATAL CSvmGaService - [svmGaServicecpp 116] Domain join failed Error 5 (0x5) Access is denied
ABV1592BE CONFIDENTIAL 56
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
What to look forhellip
bull Broker starts session on VM
ndash [DesktopSessionImp] (SESSION7072--a79c) startSession ndashsending StartSession message
bull Agent respondshellip
ndash DesktopManager got a StartSession messagerdquo
ndash Client Info should be in Agent Log along with PCoIP launch
bull Event Database AGENT_PENDING
bull Client connects to VM (Agent)
ndash ldquoPCoIPCnxOnConnectionComplete Begin (PCOIP)rdquo
ndash ldquoWTS_SESSION_LOGONrdquo
ndash Event Database AGENT_CONNECTED
ABV1592BE CONFIDENTIAL 57
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Source Not Available
58
Common Issues
bull No Desktop Available
bull Pool provisioning issues ndashcustomization
bull Agent not communicatingwith broker
bull Stuck at desktop loginscreen (SSO)
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Source Not Available
59
Where to look
bull Event Database
bull Connection Server logs
What to look for
[SessionLaunchContext] (SESSION40a7__6cbd) VMWEUCbsimpson Desktop=vmworld Session request failed
(SESSION40a7__6cbd) [VMWEUCbsimpson Desktop=vmworld] (5ms) The following servers were blocked for new sessions [cn=5162cf76-8d8a-4ac0-9185-845a540d24e5ou=serversdc=vdidc=vmwaredc=int]
(SESSION40a7__6cbd) [VMWEUCbsimpson Desktop=vmworld] (5ms) Application launch failed exception was The desktop sources for this desktop are not responding Please try again later
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and vCenter Server Connection
Accept vCenter Certificate
By default certificate validation is required between App Volumes Manager and vSphere
Accept vCenter cert (self-signed or CA-signed) while creating the Machine Manager in App Volumes Manager
No custom certificate work required
App Volumes
ABV1592BE CONFIDENTIAL 60
VMworld 2017 Content Not fo
r publication or distri
bution
Certificate Options for ProductionEnable Certificate Validation on the App Volumes Agent
HKLMSystemCurrentControlSetServicessvservicesParametersbull EnforceSSLCertificateValidation = 1bull SSL = 1
Options to Enable SSL
SSL is enabled by default
Donrsquot disable certificate validation during Agent installation
Enable SSL in the registry after App Volumes Agent install
App Volumes
61
VMworld 2017 Content Not fo
r publication or distri
bution
Certificate Options for a POCDisable SSL Certificate Validation on the Agent
HKLMSystemCurrentControlSetServicessvservicesParametersbull EnforceSSLCertificateValidation = 0
Options to Disable SSL
Disable Certificate Validation with App Volumes Manager during App Volumes Agent install
EnforceSSLCertificateValidation in the registry after App Volumes Agent install
App Volumes
62
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and SQL Server CommunicationSecuring Communications Between App Volumes Manager and SQL Server
bull 212 User Guide references MS Support
bull Note the differences for a SQL Server clustered installation
bull Encryption is configured on the SQL Server instance so alldatabases on a shared SQL Server will be affected
bull From the SQL Server use SQL Server Configuration Manager to configure Force Encryption and specify the SQL certificate
SQL Server service account must have Read permissions to the Private Key of the SQL Server SSL certificate
ndash Check SQL Server Configuration Manager gt SQL Server Services gt SQL Server (SQL) gt Log On
ndash Default is NT ServiceMSSQL$SQL which does not have the necessary permissions
App Volumes
ABV1592BE CONFIDENTIAL 63
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and SQL Server CommunicationSetting Custom Private Key Permissions for SQL Service Account
bull Start on the SQL Server
bull MMC gt Certificates
App Volumes
ABV1592BE CONFIDENTIAL 64
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and Load Balancers
Typical Deployment
SSL is terminated at load balancer
HTTP between LB and AV Manager
SSL between AV Agents and LB
If trusted CA-signed cert is used for LB be
sure all agents trust the CA
App Volumes Agent VMs
Load Balancer
App Volumes Manager VMs
Alternative Deployment
To keep SSL between LB and AV
Manager signed AV Manager
certificate(s) should be added to trust list
of the LB
SQLView Infrastructure
Now Secured with SSL
Certificates
App Volumes
ABV1592BE CONFIDENTIAL 65
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
ADSI Edit ndash Searching for a Desktop
bull Find VMs with a Snapshot
ndash (amp(objectClass=pae-VM)(pae-SVIVmSnapshot=BaselineSnapshot1Snapshot2))
bull Find VMs with a Name
ndash (amp(objectClass=pae-VM)(pae-DisplayName=Desktop-234))
ABV1592BE CONFIDENTIAL 52
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon View Event Notifier
bull On the VMware Fling site - labsvmwarecomflings (chrishalstead)
ABV1592BE CONFIDENTIAL 53
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
What to look forhellip (walk through successful connection)
bull Client requests desktop
ndash Event Database BROKER_DESKTOP_REQUEST
bull Broker allocates session to user
ndash [FarmImp] (SESSION7072--a79c) cn=3f974017-409f-4912-83bc-2ee794f22fabou=serversdc=vdidc=vmwaredc=int total session count 0
ndash [FarmImp] (SESSION7072--a79c) allocateNewSession - identified server for application CN=GOLD-NPOU=ApplicationsDC=vdiDC=vmwareDC=int
ndash Event Database BROKER_MACHINE_ALLOCATED
bull Broker attempts SSO
ndash [FarmImp] (SESSION7072--a79c) Using domain for SSO FUTUREOFFICE
ndash User wonrsquot be logged on to the VM without this
ABV1592BE CONFIDENTIAL 54
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
What to look forhellip Pool Provisioning
bull Desktops not available due to provisioning error
ndash Check View Administrator for Pool status check datastore capacity
ndash Check Event Database - BROKER_PROVISIONING_ERROR_
ndash Check View Composer has network access to ESX hosts
bull Desktop not available due to customization
ndash Check Desktop status ndash AGENT UNAVAILABLE
ndash Check View Dashboard
bull Desktop Status gt Preparing Desktops OR Problem Desktops
ndash Check Desktop connectivity to DNSADConnection Server
ABV1592BE CONFIDENTIAL 55
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
bull Desktop not available due to VM resetcrash
ndash Check Desktop status ndash ALREADY USED
ndash Typical on refresh-on-logoff or delete-on-use desktops
ndash Broker never received an explicit logout message from the agent
ndash Missing AGENT_ENDED event in DB for VM
bull View Composer Issues associated with incorrect domain credentials
bull CProgramDataVMwareView ComposerLogs
bull FATAL CSvmGaService - [svmGaServicecpp 116] Domain join failed Error 5 (0x5) Access is denied
ABV1592BE CONFIDENTIAL 56
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
What to look forhellip
bull Broker starts session on VM
ndash [DesktopSessionImp] (SESSION7072--a79c) startSession ndashsending StartSession message
bull Agent respondshellip
ndash DesktopManager got a StartSession messagerdquo
ndash Client Info should be in Agent Log along with PCoIP launch
bull Event Database AGENT_PENDING
bull Client connects to VM (Agent)
ndash ldquoPCoIPCnxOnConnectionComplete Begin (PCOIP)rdquo
ndash ldquoWTS_SESSION_LOGONrdquo
ndash Event Database AGENT_CONNECTED
ABV1592BE CONFIDENTIAL 57
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Source Not Available
58
Common Issues
bull No Desktop Available
bull Pool provisioning issues ndashcustomization
bull Agent not communicatingwith broker
bull Stuck at desktop loginscreen (SSO)
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Source Not Available
59
Where to look
bull Event Database
bull Connection Server logs
What to look for
[SessionLaunchContext] (SESSION40a7__6cbd) VMWEUCbsimpson Desktop=vmworld Session request failed
(SESSION40a7__6cbd) [VMWEUCbsimpson Desktop=vmworld] (5ms) The following servers were blocked for new sessions [cn=5162cf76-8d8a-4ac0-9185-845a540d24e5ou=serversdc=vdidc=vmwaredc=int]
(SESSION40a7__6cbd) [VMWEUCbsimpson Desktop=vmworld] (5ms) Application launch failed exception was The desktop sources for this desktop are not responding Please try again later
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and vCenter Server Connection
Accept vCenter Certificate
By default certificate validation is required between App Volumes Manager and vSphere
Accept vCenter cert (self-signed or CA-signed) while creating the Machine Manager in App Volumes Manager
No custom certificate work required
App Volumes
ABV1592BE CONFIDENTIAL 60
VMworld 2017 Content Not fo
r publication or distri
bution
Certificate Options for ProductionEnable Certificate Validation on the App Volumes Agent
HKLMSystemCurrentControlSetServicessvservicesParametersbull EnforceSSLCertificateValidation = 1bull SSL = 1
Options to Enable SSL
SSL is enabled by default
Donrsquot disable certificate validation during Agent installation
Enable SSL in the registry after App Volumes Agent install
App Volumes
61
VMworld 2017 Content Not fo
r publication or distri
bution
Certificate Options for a POCDisable SSL Certificate Validation on the Agent
HKLMSystemCurrentControlSetServicessvservicesParametersbull EnforceSSLCertificateValidation = 0
Options to Disable SSL
Disable Certificate Validation with App Volumes Manager during App Volumes Agent install
EnforceSSLCertificateValidation in the registry after App Volumes Agent install
App Volumes
62
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and SQL Server CommunicationSecuring Communications Between App Volumes Manager and SQL Server
bull 212 User Guide references MS Support
bull Note the differences for a SQL Server clustered installation
bull Encryption is configured on the SQL Server instance so alldatabases on a shared SQL Server will be affected
bull From the SQL Server use SQL Server Configuration Manager to configure Force Encryption and specify the SQL certificate
SQL Server service account must have Read permissions to the Private Key of the SQL Server SSL certificate
ndash Check SQL Server Configuration Manager gt SQL Server Services gt SQL Server (SQL) gt Log On
ndash Default is NT ServiceMSSQL$SQL which does not have the necessary permissions
App Volumes
ABV1592BE CONFIDENTIAL 63
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and SQL Server CommunicationSetting Custom Private Key Permissions for SQL Service Account
bull Start on the SQL Server
bull MMC gt Certificates
App Volumes
ABV1592BE CONFIDENTIAL 64
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and Load Balancers
Typical Deployment
SSL is terminated at load balancer
HTTP between LB and AV Manager
SSL between AV Agents and LB
If trusted CA-signed cert is used for LB be
sure all agents trust the CA
App Volumes Agent VMs
Load Balancer
App Volumes Manager VMs
Alternative Deployment
To keep SSL between LB and AV
Manager signed AV Manager
certificate(s) should be added to trust list
of the LB
SQLView Infrastructure
Now Secured with SSL
Certificates
App Volumes
ABV1592BE CONFIDENTIAL 65
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
Horizon View Event Notifier
bull On the VMware Fling site - labsvmwarecomflings (chrishalstead)
ABV1592BE CONFIDENTIAL 53
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
What to look forhellip (walk through successful connection)
bull Client requests desktop
ndash Event Database BROKER_DESKTOP_REQUEST
bull Broker allocates session to user
ndash [FarmImp] (SESSION7072--a79c) cn=3f974017-409f-4912-83bc-2ee794f22fabou=serversdc=vdidc=vmwaredc=int total session count 0
ndash [FarmImp] (SESSION7072--a79c) allocateNewSession - identified server for application CN=GOLD-NPOU=ApplicationsDC=vdiDC=vmwareDC=int
ndash Event Database BROKER_MACHINE_ALLOCATED
bull Broker attempts SSO
ndash [FarmImp] (SESSION7072--a79c) Using domain for SSO FUTUREOFFICE
ndash User wonrsquot be logged on to the VM without this
ABV1592BE CONFIDENTIAL 54
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
What to look forhellip Pool Provisioning
bull Desktops not available due to provisioning error
ndash Check View Administrator for Pool status check datastore capacity
ndash Check Event Database - BROKER_PROVISIONING_ERROR_
ndash Check View Composer has network access to ESX hosts
bull Desktop not available due to customization
ndash Check Desktop status ndash AGENT UNAVAILABLE
ndash Check View Dashboard
bull Desktop Status gt Preparing Desktops OR Problem Desktops
ndash Check Desktop connectivity to DNSADConnection Server
ABV1592BE CONFIDENTIAL 55
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
bull Desktop not available due to VM resetcrash
ndash Check Desktop status ndash ALREADY USED
ndash Typical on refresh-on-logoff or delete-on-use desktops
ndash Broker never received an explicit logout message from the agent
ndash Missing AGENT_ENDED event in DB for VM
bull View Composer Issues associated with incorrect domain credentials
bull CProgramDataVMwareView ComposerLogs
bull FATAL CSvmGaService - [svmGaServicecpp 116] Domain join failed Error 5 (0x5) Access is denied
ABV1592BE CONFIDENTIAL 56
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
What to look forhellip
bull Broker starts session on VM
ndash [DesktopSessionImp] (SESSION7072--a79c) startSession ndashsending StartSession message
bull Agent respondshellip
ndash DesktopManager got a StartSession messagerdquo
ndash Client Info should be in Agent Log along with PCoIP launch
bull Event Database AGENT_PENDING
bull Client connects to VM (Agent)
ndash ldquoPCoIPCnxOnConnectionComplete Begin (PCOIP)rdquo
ndash ldquoWTS_SESSION_LOGONrdquo
ndash Event Database AGENT_CONNECTED
ABV1592BE CONFIDENTIAL 57
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Source Not Available
58
Common Issues
bull No Desktop Available
bull Pool provisioning issues ndashcustomization
bull Agent not communicatingwith broker
bull Stuck at desktop loginscreen (SSO)
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Source Not Available
59
Where to look
bull Event Database
bull Connection Server logs
What to look for
[SessionLaunchContext] (SESSION40a7__6cbd) VMWEUCbsimpson Desktop=vmworld Session request failed
(SESSION40a7__6cbd) [VMWEUCbsimpson Desktop=vmworld] (5ms) The following servers were blocked for new sessions [cn=5162cf76-8d8a-4ac0-9185-845a540d24e5ou=serversdc=vdidc=vmwaredc=int]
(SESSION40a7__6cbd) [VMWEUCbsimpson Desktop=vmworld] (5ms) Application launch failed exception was The desktop sources for this desktop are not responding Please try again later
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and vCenter Server Connection
Accept vCenter Certificate
By default certificate validation is required between App Volumes Manager and vSphere
Accept vCenter cert (self-signed or CA-signed) while creating the Machine Manager in App Volumes Manager
No custom certificate work required
App Volumes
ABV1592BE CONFIDENTIAL 60
VMworld 2017 Content Not fo
r publication or distri
bution
Certificate Options for ProductionEnable Certificate Validation on the App Volumes Agent
HKLMSystemCurrentControlSetServicessvservicesParametersbull EnforceSSLCertificateValidation = 1bull SSL = 1
Options to Enable SSL
SSL is enabled by default
Donrsquot disable certificate validation during Agent installation
Enable SSL in the registry after App Volumes Agent install
App Volumes
61
VMworld 2017 Content Not fo
r publication or distri
bution
Certificate Options for a POCDisable SSL Certificate Validation on the Agent
HKLMSystemCurrentControlSetServicessvservicesParametersbull EnforceSSLCertificateValidation = 0
Options to Disable SSL
Disable Certificate Validation with App Volumes Manager during App Volumes Agent install
EnforceSSLCertificateValidation in the registry after App Volumes Agent install
App Volumes
62
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and SQL Server CommunicationSecuring Communications Between App Volumes Manager and SQL Server
bull 212 User Guide references MS Support
bull Note the differences for a SQL Server clustered installation
bull Encryption is configured on the SQL Server instance so alldatabases on a shared SQL Server will be affected
bull From the SQL Server use SQL Server Configuration Manager to configure Force Encryption and specify the SQL certificate
SQL Server service account must have Read permissions to the Private Key of the SQL Server SSL certificate
ndash Check SQL Server Configuration Manager gt SQL Server Services gt SQL Server (SQL) gt Log On
ndash Default is NT ServiceMSSQL$SQL which does not have the necessary permissions
App Volumes
ABV1592BE CONFIDENTIAL 63
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and SQL Server CommunicationSetting Custom Private Key Permissions for SQL Service Account
bull Start on the SQL Server
bull MMC gt Certificates
App Volumes
ABV1592BE CONFIDENTIAL 64
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and Load Balancers
Typical Deployment
SSL is terminated at load balancer
HTTP between LB and AV Manager
SSL between AV Agents and LB
If trusted CA-signed cert is used for LB be
sure all agents trust the CA
App Volumes Agent VMs
Load Balancer
App Volumes Manager VMs
Alternative Deployment
To keep SSL between LB and AV
Manager signed AV Manager
certificate(s) should be added to trust list
of the LB
SQLView Infrastructure
Now Secured with SSL
Certificates
App Volumes
ABV1592BE CONFIDENTIAL 65
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
What to look forhellip (walk through successful connection)
bull Client requests desktop
ndash Event Database BROKER_DESKTOP_REQUEST
bull Broker allocates session to user
ndash [FarmImp] (SESSION7072--a79c) cn=3f974017-409f-4912-83bc-2ee794f22fabou=serversdc=vdidc=vmwaredc=int total session count 0
ndash [FarmImp] (SESSION7072--a79c) allocateNewSession - identified server for application CN=GOLD-NPOU=ApplicationsDC=vdiDC=vmwareDC=int
ndash Event Database BROKER_MACHINE_ALLOCATED
bull Broker attempts SSO
ndash [FarmImp] (SESSION7072--a79c) Using domain for SSO FUTUREOFFICE
ndash User wonrsquot be logged on to the VM without this
ABV1592BE CONFIDENTIAL 54
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
What to look forhellip Pool Provisioning
bull Desktops not available due to provisioning error
ndash Check View Administrator for Pool status check datastore capacity
ndash Check Event Database - BROKER_PROVISIONING_ERROR_
ndash Check View Composer has network access to ESX hosts
bull Desktop not available due to customization
ndash Check Desktop status ndash AGENT UNAVAILABLE
ndash Check View Dashboard
bull Desktop Status gt Preparing Desktops OR Problem Desktops
ndash Check Desktop connectivity to DNSADConnection Server
ABV1592BE CONFIDENTIAL 55
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
bull Desktop not available due to VM resetcrash
ndash Check Desktop status ndash ALREADY USED
ndash Typical on refresh-on-logoff or delete-on-use desktops
ndash Broker never received an explicit logout message from the agent
ndash Missing AGENT_ENDED event in DB for VM
bull View Composer Issues associated with incorrect domain credentials
bull CProgramDataVMwareView ComposerLogs
bull FATAL CSvmGaService - [svmGaServicecpp 116] Domain join failed Error 5 (0x5) Access is denied
ABV1592BE CONFIDENTIAL 56
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
What to look forhellip
bull Broker starts session on VM
ndash [DesktopSessionImp] (SESSION7072--a79c) startSession ndashsending StartSession message
bull Agent respondshellip
ndash DesktopManager got a StartSession messagerdquo
ndash Client Info should be in Agent Log along with PCoIP launch
bull Event Database AGENT_PENDING
bull Client connects to VM (Agent)
ndash ldquoPCoIPCnxOnConnectionComplete Begin (PCOIP)rdquo
ndash ldquoWTS_SESSION_LOGONrdquo
ndash Event Database AGENT_CONNECTED
ABV1592BE CONFIDENTIAL 57
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Source Not Available
58
Common Issues
bull No Desktop Available
bull Pool provisioning issues ndashcustomization
bull Agent not communicatingwith broker
bull Stuck at desktop loginscreen (SSO)
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Source Not Available
59
Where to look
bull Event Database
bull Connection Server logs
What to look for
[SessionLaunchContext] (SESSION40a7__6cbd) VMWEUCbsimpson Desktop=vmworld Session request failed
(SESSION40a7__6cbd) [VMWEUCbsimpson Desktop=vmworld] (5ms) The following servers were blocked for new sessions [cn=5162cf76-8d8a-4ac0-9185-845a540d24e5ou=serversdc=vdidc=vmwaredc=int]
(SESSION40a7__6cbd) [VMWEUCbsimpson Desktop=vmworld] (5ms) Application launch failed exception was The desktop sources for this desktop are not responding Please try again later
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and vCenter Server Connection
Accept vCenter Certificate
By default certificate validation is required between App Volumes Manager and vSphere
Accept vCenter cert (self-signed or CA-signed) while creating the Machine Manager in App Volumes Manager
No custom certificate work required
App Volumes
ABV1592BE CONFIDENTIAL 60
VMworld 2017 Content Not fo
r publication or distri
bution
Certificate Options for ProductionEnable Certificate Validation on the App Volumes Agent
HKLMSystemCurrentControlSetServicessvservicesParametersbull EnforceSSLCertificateValidation = 1bull SSL = 1
Options to Enable SSL
SSL is enabled by default
Donrsquot disable certificate validation during Agent installation
Enable SSL in the registry after App Volumes Agent install
App Volumes
61
VMworld 2017 Content Not fo
r publication or distri
bution
Certificate Options for a POCDisable SSL Certificate Validation on the Agent
HKLMSystemCurrentControlSetServicessvservicesParametersbull EnforceSSLCertificateValidation = 0
Options to Disable SSL
Disable Certificate Validation with App Volumes Manager during App Volumes Agent install
EnforceSSLCertificateValidation in the registry after App Volumes Agent install
App Volumes
62
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and SQL Server CommunicationSecuring Communications Between App Volumes Manager and SQL Server
bull 212 User Guide references MS Support
bull Note the differences for a SQL Server clustered installation
bull Encryption is configured on the SQL Server instance so alldatabases on a shared SQL Server will be affected
bull From the SQL Server use SQL Server Configuration Manager to configure Force Encryption and specify the SQL certificate
SQL Server service account must have Read permissions to the Private Key of the SQL Server SSL certificate
ndash Check SQL Server Configuration Manager gt SQL Server Services gt SQL Server (SQL) gt Log On
ndash Default is NT ServiceMSSQL$SQL which does not have the necessary permissions
App Volumes
ABV1592BE CONFIDENTIAL 63
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and SQL Server CommunicationSetting Custom Private Key Permissions for SQL Service Account
bull Start on the SQL Server
bull MMC gt Certificates
App Volumes
ABV1592BE CONFIDENTIAL 64
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and Load Balancers
Typical Deployment
SSL is terminated at load balancer
HTTP between LB and AV Manager
SSL between AV Agents and LB
If trusted CA-signed cert is used for LB be
sure all agents trust the CA
App Volumes Agent VMs
Load Balancer
App Volumes Manager VMs
Alternative Deployment
To keep SSL between LB and AV
Manager signed AV Manager
certificate(s) should be added to trust list
of the LB
SQLView Infrastructure
Now Secured with SSL
Certificates
App Volumes
ABV1592BE CONFIDENTIAL 65
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
What to look forhellip Pool Provisioning
bull Desktops not available due to provisioning error
ndash Check View Administrator for Pool status check datastore capacity
ndash Check Event Database - BROKER_PROVISIONING_ERROR_
ndash Check View Composer has network access to ESX hosts
bull Desktop not available due to customization
ndash Check Desktop status ndash AGENT UNAVAILABLE
ndash Check View Dashboard
bull Desktop Status gt Preparing Desktops OR Problem Desktops
ndash Check Desktop connectivity to DNSADConnection Server
ABV1592BE CONFIDENTIAL 55
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
bull Desktop not available due to VM resetcrash
ndash Check Desktop status ndash ALREADY USED
ndash Typical on refresh-on-logoff or delete-on-use desktops
ndash Broker never received an explicit logout message from the agent
ndash Missing AGENT_ENDED event in DB for VM
bull View Composer Issues associated with incorrect domain credentials
bull CProgramDataVMwareView ComposerLogs
bull FATAL CSvmGaService - [svmGaServicecpp 116] Domain join failed Error 5 (0x5) Access is denied
ABV1592BE CONFIDENTIAL 56
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
What to look forhellip
bull Broker starts session on VM
ndash [DesktopSessionImp] (SESSION7072--a79c) startSession ndashsending StartSession message
bull Agent respondshellip
ndash DesktopManager got a StartSession messagerdquo
ndash Client Info should be in Agent Log along with PCoIP launch
bull Event Database AGENT_PENDING
bull Client connects to VM (Agent)
ndash ldquoPCoIPCnxOnConnectionComplete Begin (PCOIP)rdquo
ndash ldquoWTS_SESSION_LOGONrdquo
ndash Event Database AGENT_CONNECTED
ABV1592BE CONFIDENTIAL 57
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Source Not Available
58
Common Issues
bull No Desktop Available
bull Pool provisioning issues ndashcustomization
bull Agent not communicatingwith broker
bull Stuck at desktop loginscreen (SSO)
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Source Not Available
59
Where to look
bull Event Database
bull Connection Server logs
What to look for
[SessionLaunchContext] (SESSION40a7__6cbd) VMWEUCbsimpson Desktop=vmworld Session request failed
(SESSION40a7__6cbd) [VMWEUCbsimpson Desktop=vmworld] (5ms) The following servers were blocked for new sessions [cn=5162cf76-8d8a-4ac0-9185-845a540d24e5ou=serversdc=vdidc=vmwaredc=int]
(SESSION40a7__6cbd) [VMWEUCbsimpson Desktop=vmworld] (5ms) Application launch failed exception was The desktop sources for this desktop are not responding Please try again later
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and vCenter Server Connection
Accept vCenter Certificate
By default certificate validation is required between App Volumes Manager and vSphere
Accept vCenter cert (self-signed or CA-signed) while creating the Machine Manager in App Volumes Manager
No custom certificate work required
App Volumes
ABV1592BE CONFIDENTIAL 60
VMworld 2017 Content Not fo
r publication or distri
bution
Certificate Options for ProductionEnable Certificate Validation on the App Volumes Agent
HKLMSystemCurrentControlSetServicessvservicesParametersbull EnforceSSLCertificateValidation = 1bull SSL = 1
Options to Enable SSL
SSL is enabled by default
Donrsquot disable certificate validation during Agent installation
Enable SSL in the registry after App Volumes Agent install
App Volumes
61
VMworld 2017 Content Not fo
r publication or distri
bution
Certificate Options for a POCDisable SSL Certificate Validation on the Agent
HKLMSystemCurrentControlSetServicessvservicesParametersbull EnforceSSLCertificateValidation = 0
Options to Disable SSL
Disable Certificate Validation with App Volumes Manager during App Volumes Agent install
EnforceSSLCertificateValidation in the registry after App Volumes Agent install
App Volumes
62
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and SQL Server CommunicationSecuring Communications Between App Volumes Manager and SQL Server
bull 212 User Guide references MS Support
bull Note the differences for a SQL Server clustered installation
bull Encryption is configured on the SQL Server instance so alldatabases on a shared SQL Server will be affected
bull From the SQL Server use SQL Server Configuration Manager to configure Force Encryption and specify the SQL certificate
SQL Server service account must have Read permissions to the Private Key of the SQL Server SSL certificate
ndash Check SQL Server Configuration Manager gt SQL Server Services gt SQL Server (SQL) gt Log On
ndash Default is NT ServiceMSSQL$SQL which does not have the necessary permissions
App Volumes
ABV1592BE CONFIDENTIAL 63
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and SQL Server CommunicationSetting Custom Private Key Permissions for SQL Service Account
bull Start on the SQL Server
bull MMC gt Certificates
App Volumes
ABV1592BE CONFIDENTIAL 64
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and Load Balancers
Typical Deployment
SSL is terminated at load balancer
HTTP between LB and AV Manager
SSL between AV Agents and LB
If trusted CA-signed cert is used for LB be
sure all agents trust the CA
App Volumes Agent VMs
Load Balancer
App Volumes Manager VMs
Alternative Deployment
To keep SSL between LB and AV
Manager signed AV Manager
certificate(s) should be added to trust list
of the LB
SQLView Infrastructure
Now Secured with SSL
Certificates
App Volumes
ABV1592BE CONFIDENTIAL 65
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
bull Desktop not available due to VM resetcrash
ndash Check Desktop status ndash ALREADY USED
ndash Typical on refresh-on-logoff or delete-on-use desktops
ndash Broker never received an explicit logout message from the agent
ndash Missing AGENT_ENDED event in DB for VM
bull View Composer Issues associated with incorrect domain credentials
bull CProgramDataVMwareView ComposerLogs
bull FATAL CSvmGaService - [svmGaServicecpp 116] Domain join failed Error 5 (0x5) Access is denied
ABV1592BE CONFIDENTIAL 56
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
What to look forhellip
bull Broker starts session on VM
ndash [DesktopSessionImp] (SESSION7072--a79c) startSession ndashsending StartSession message
bull Agent respondshellip
ndash DesktopManager got a StartSession messagerdquo
ndash Client Info should be in Agent Log along with PCoIP launch
bull Event Database AGENT_PENDING
bull Client connects to VM (Agent)
ndash ldquoPCoIPCnxOnConnectionComplete Begin (PCOIP)rdquo
ndash ldquoWTS_SESSION_LOGONrdquo
ndash Event Database AGENT_CONNECTED
ABV1592BE CONFIDENTIAL 57
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Source Not Available
58
Common Issues
bull No Desktop Available
bull Pool provisioning issues ndashcustomization
bull Agent not communicatingwith broker
bull Stuck at desktop loginscreen (SSO)
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Source Not Available
59
Where to look
bull Event Database
bull Connection Server logs
What to look for
[SessionLaunchContext] (SESSION40a7__6cbd) VMWEUCbsimpson Desktop=vmworld Session request failed
(SESSION40a7__6cbd) [VMWEUCbsimpson Desktop=vmworld] (5ms) The following servers were blocked for new sessions [cn=5162cf76-8d8a-4ac0-9185-845a540d24e5ou=serversdc=vdidc=vmwaredc=int]
(SESSION40a7__6cbd) [VMWEUCbsimpson Desktop=vmworld] (5ms) Application launch failed exception was The desktop sources for this desktop are not responding Please try again later
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and vCenter Server Connection
Accept vCenter Certificate
By default certificate validation is required between App Volumes Manager and vSphere
Accept vCenter cert (self-signed or CA-signed) while creating the Machine Manager in App Volumes Manager
No custom certificate work required
App Volumes
ABV1592BE CONFIDENTIAL 60
VMworld 2017 Content Not fo
r publication or distri
bution
Certificate Options for ProductionEnable Certificate Validation on the App Volumes Agent
HKLMSystemCurrentControlSetServicessvservicesParametersbull EnforceSSLCertificateValidation = 1bull SSL = 1
Options to Enable SSL
SSL is enabled by default
Donrsquot disable certificate validation during Agent installation
Enable SSL in the registry after App Volumes Agent install
App Volumes
61
VMworld 2017 Content Not fo
r publication or distri
bution
Certificate Options for a POCDisable SSL Certificate Validation on the Agent
HKLMSystemCurrentControlSetServicessvservicesParametersbull EnforceSSLCertificateValidation = 0
Options to Disable SSL
Disable Certificate Validation with App Volumes Manager during App Volumes Agent install
EnforceSSLCertificateValidation in the registry after App Volumes Agent install
App Volumes
62
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and SQL Server CommunicationSecuring Communications Between App Volumes Manager and SQL Server
bull 212 User Guide references MS Support
bull Note the differences for a SQL Server clustered installation
bull Encryption is configured on the SQL Server instance so alldatabases on a shared SQL Server will be affected
bull From the SQL Server use SQL Server Configuration Manager to configure Force Encryption and specify the SQL certificate
SQL Server service account must have Read permissions to the Private Key of the SQL Server SSL certificate
ndash Check SQL Server Configuration Manager gt SQL Server Services gt SQL Server (SQL) gt Log On
ndash Default is NT ServiceMSSQL$SQL which does not have the necessary permissions
App Volumes
ABV1592BE CONFIDENTIAL 63
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and SQL Server CommunicationSetting Custom Private Key Permissions for SQL Service Account
bull Start on the SQL Server
bull MMC gt Certificates
App Volumes
ABV1592BE CONFIDENTIAL 64
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and Load Balancers
Typical Deployment
SSL is terminated at load balancer
HTTP between LB and AV Manager
SSL between AV Agents and LB
If trusted CA-signed cert is used for LB be
sure all agents trust the CA
App Volumes Agent VMs
Load Balancer
App Volumes Manager VMs
Alternative Deployment
To keep SSL between LB and AV
Manager signed AV Manager
certificate(s) should be added to trust list
of the LB
SQLView Infrastructure
Now Secured with SSL
Certificates
App Volumes
ABV1592BE CONFIDENTIAL 65
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Not Available
What to look forhellip
bull Broker starts session on VM
ndash [DesktopSessionImp] (SESSION7072--a79c) startSession ndashsending StartSession message
bull Agent respondshellip
ndash DesktopManager got a StartSession messagerdquo
ndash Client Info should be in Agent Log along with PCoIP launch
bull Event Database AGENT_PENDING
bull Client connects to VM (Agent)
ndash ldquoPCoIPCnxOnConnectionComplete Begin (PCOIP)rdquo
ndash ldquoWTS_SESSION_LOGONrdquo
ndash Event Database AGENT_CONNECTED
ABV1592BE CONFIDENTIAL 57
Horizon
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Source Not Available
58
Common Issues
bull No Desktop Available
bull Pool provisioning issues ndashcustomization
bull Agent not communicatingwith broker
bull Stuck at desktop loginscreen (SSO)
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Source Not Available
59
Where to look
bull Event Database
bull Connection Server logs
What to look for
[SessionLaunchContext] (SESSION40a7__6cbd) VMWEUCbsimpson Desktop=vmworld Session request failed
(SESSION40a7__6cbd) [VMWEUCbsimpson Desktop=vmworld] (5ms) The following servers were blocked for new sessions [cn=5162cf76-8d8a-4ac0-9185-845a540d24e5ou=serversdc=vdidc=vmwaredc=int]
(SESSION40a7__6cbd) [VMWEUCbsimpson Desktop=vmworld] (5ms) Application launch failed exception was The desktop sources for this desktop are not responding Please try again later
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and vCenter Server Connection
Accept vCenter Certificate
By default certificate validation is required between App Volumes Manager and vSphere
Accept vCenter cert (self-signed or CA-signed) while creating the Machine Manager in App Volumes Manager
No custom certificate work required
App Volumes
ABV1592BE CONFIDENTIAL 60
VMworld 2017 Content Not fo
r publication or distri
bution
Certificate Options for ProductionEnable Certificate Validation on the App Volumes Agent
HKLMSystemCurrentControlSetServicessvservicesParametersbull EnforceSSLCertificateValidation = 1bull SSL = 1
Options to Enable SSL
SSL is enabled by default
Donrsquot disable certificate validation during Agent installation
Enable SSL in the registry after App Volumes Agent install
App Volumes
61
VMworld 2017 Content Not fo
r publication or distri
bution
Certificate Options for a POCDisable SSL Certificate Validation on the Agent
HKLMSystemCurrentControlSetServicessvservicesParametersbull EnforceSSLCertificateValidation = 0
Options to Disable SSL
Disable Certificate Validation with App Volumes Manager during App Volumes Agent install
EnforceSSLCertificateValidation in the registry after App Volumes Agent install
App Volumes
62
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and SQL Server CommunicationSecuring Communications Between App Volumes Manager and SQL Server
bull 212 User Guide references MS Support
bull Note the differences for a SQL Server clustered installation
bull Encryption is configured on the SQL Server instance so alldatabases on a shared SQL Server will be affected
bull From the SQL Server use SQL Server Configuration Manager to configure Force Encryption and specify the SQL certificate
SQL Server service account must have Read permissions to the Private Key of the SQL Server SSL certificate
ndash Check SQL Server Configuration Manager gt SQL Server Services gt SQL Server (SQL) gt Log On
ndash Default is NT ServiceMSSQL$SQL which does not have the necessary permissions
App Volumes
ABV1592BE CONFIDENTIAL 63
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and SQL Server CommunicationSetting Custom Private Key Permissions for SQL Service Account
bull Start on the SQL Server
bull MMC gt Certificates
App Volumes
ABV1592BE CONFIDENTIAL 64
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and Load Balancers
Typical Deployment
SSL is terminated at load balancer
HTTP between LB and AV Manager
SSL between AV Agents and LB
If trusted CA-signed cert is used for LB be
sure all agents trust the CA
App Volumes Agent VMs
Load Balancer
App Volumes Manager VMs
Alternative Deployment
To keep SSL between LB and AV
Manager signed AV Manager
certificate(s) should be added to trust list
of the LB
SQLView Infrastructure
Now Secured with SSL
Certificates
App Volumes
ABV1592BE CONFIDENTIAL 65
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Source Not Available
58
Common Issues
bull No Desktop Available
bull Pool provisioning issues ndashcustomization
bull Agent not communicatingwith broker
bull Stuck at desktop loginscreen (SSO)
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Source Not Available
59
Where to look
bull Event Database
bull Connection Server logs
What to look for
[SessionLaunchContext] (SESSION40a7__6cbd) VMWEUCbsimpson Desktop=vmworld Session request failed
(SESSION40a7__6cbd) [VMWEUCbsimpson Desktop=vmworld] (5ms) The following servers were blocked for new sessions [cn=5162cf76-8d8a-4ac0-9185-845a540d24e5ou=serversdc=vdidc=vmwaredc=int]
(SESSION40a7__6cbd) [VMWEUCbsimpson Desktop=vmworld] (5ms) Application launch failed exception was The desktop sources for this desktop are not responding Please try again later
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and vCenter Server Connection
Accept vCenter Certificate
By default certificate validation is required between App Volumes Manager and vSphere
Accept vCenter cert (self-signed or CA-signed) while creating the Machine Manager in App Volumes Manager
No custom certificate work required
App Volumes
ABV1592BE CONFIDENTIAL 60
VMworld 2017 Content Not fo
r publication or distri
bution
Certificate Options for ProductionEnable Certificate Validation on the App Volumes Agent
HKLMSystemCurrentControlSetServicessvservicesParametersbull EnforceSSLCertificateValidation = 1bull SSL = 1
Options to Enable SSL
SSL is enabled by default
Donrsquot disable certificate validation during Agent installation
Enable SSL in the registry after App Volumes Agent install
App Volumes
61
VMworld 2017 Content Not fo
r publication or distri
bution
Certificate Options for a POCDisable SSL Certificate Validation on the Agent
HKLMSystemCurrentControlSetServicessvservicesParametersbull EnforceSSLCertificateValidation = 0
Options to Disable SSL
Disable Certificate Validation with App Volumes Manager during App Volumes Agent install
EnforceSSLCertificateValidation in the registry after App Volumes Agent install
App Volumes
62
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and SQL Server CommunicationSecuring Communications Between App Volumes Manager and SQL Server
bull 212 User Guide references MS Support
bull Note the differences for a SQL Server clustered installation
bull Encryption is configured on the SQL Server instance so alldatabases on a shared SQL Server will be affected
bull From the SQL Server use SQL Server Configuration Manager to configure Force Encryption and specify the SQL certificate
SQL Server service account must have Read permissions to the Private Key of the SQL Server SSL certificate
ndash Check SQL Server Configuration Manager gt SQL Server Services gt SQL Server (SQL) gt Log On
ndash Default is NT ServiceMSSQL$SQL which does not have the necessary permissions
App Volumes
ABV1592BE CONFIDENTIAL 63
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and SQL Server CommunicationSetting Custom Private Key Permissions for SQL Service Account
bull Start on the SQL Server
bull MMC gt Certificates
App Volumes
ABV1592BE CONFIDENTIAL 64
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and Load Balancers
Typical Deployment
SSL is terminated at load balancer
HTTP between LB and AV Manager
SSL between AV Agents and LB
If trusted CA-signed cert is used for LB be
sure all agents trust the CA
App Volumes Agent VMs
Load Balancer
App Volumes Manager VMs
Alternative Deployment
To keep SSL between LB and AV
Manager signed AV Manager
certificate(s) should be added to trust list
of the LB
SQLView Infrastructure
Now Secured with SSL
Certificates
App Volumes
ABV1592BE CONFIDENTIAL 65
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
Desktop Source Not Available
59
Where to look
bull Event Database
bull Connection Server logs
What to look for
[SessionLaunchContext] (SESSION40a7__6cbd) VMWEUCbsimpson Desktop=vmworld Session request failed
(SESSION40a7__6cbd) [VMWEUCbsimpson Desktop=vmworld] (5ms) The following servers were blocked for new sessions [cn=5162cf76-8d8a-4ac0-9185-845a540d24e5ou=serversdc=vdidc=vmwaredc=int]
(SESSION40a7__6cbd) [VMWEUCbsimpson Desktop=vmworld] (5ms) Application launch failed exception was The desktop sources for this desktop are not responding Please try again later
Horizon
ABV1592BE CONFIDENTIAL
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and vCenter Server Connection
Accept vCenter Certificate
By default certificate validation is required between App Volumes Manager and vSphere
Accept vCenter cert (self-signed or CA-signed) while creating the Machine Manager in App Volumes Manager
No custom certificate work required
App Volumes
ABV1592BE CONFIDENTIAL 60
VMworld 2017 Content Not fo
r publication or distri
bution
Certificate Options for ProductionEnable Certificate Validation on the App Volumes Agent
HKLMSystemCurrentControlSetServicessvservicesParametersbull EnforceSSLCertificateValidation = 1bull SSL = 1
Options to Enable SSL
SSL is enabled by default
Donrsquot disable certificate validation during Agent installation
Enable SSL in the registry after App Volumes Agent install
App Volumes
61
VMworld 2017 Content Not fo
r publication or distri
bution
Certificate Options for a POCDisable SSL Certificate Validation on the Agent
HKLMSystemCurrentControlSetServicessvservicesParametersbull EnforceSSLCertificateValidation = 0
Options to Disable SSL
Disable Certificate Validation with App Volumes Manager during App Volumes Agent install
EnforceSSLCertificateValidation in the registry after App Volumes Agent install
App Volumes
62
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and SQL Server CommunicationSecuring Communications Between App Volumes Manager and SQL Server
bull 212 User Guide references MS Support
bull Note the differences for a SQL Server clustered installation
bull Encryption is configured on the SQL Server instance so alldatabases on a shared SQL Server will be affected
bull From the SQL Server use SQL Server Configuration Manager to configure Force Encryption and specify the SQL certificate
SQL Server service account must have Read permissions to the Private Key of the SQL Server SSL certificate
ndash Check SQL Server Configuration Manager gt SQL Server Services gt SQL Server (SQL) gt Log On
ndash Default is NT ServiceMSSQL$SQL which does not have the necessary permissions
App Volumes
ABV1592BE CONFIDENTIAL 63
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and SQL Server CommunicationSetting Custom Private Key Permissions for SQL Service Account
bull Start on the SQL Server
bull MMC gt Certificates
App Volumes
ABV1592BE CONFIDENTIAL 64
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and Load Balancers
Typical Deployment
SSL is terminated at load balancer
HTTP between LB and AV Manager
SSL between AV Agents and LB
If trusted CA-signed cert is used for LB be
sure all agents trust the CA
App Volumes Agent VMs
Load Balancer
App Volumes Manager VMs
Alternative Deployment
To keep SSL between LB and AV
Manager signed AV Manager
certificate(s) should be added to trust list
of the LB
SQLView Infrastructure
Now Secured with SSL
Certificates
App Volumes
ABV1592BE CONFIDENTIAL 65
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and vCenter Server Connection
Accept vCenter Certificate
By default certificate validation is required between App Volumes Manager and vSphere
Accept vCenter cert (self-signed or CA-signed) while creating the Machine Manager in App Volumes Manager
No custom certificate work required
App Volumes
ABV1592BE CONFIDENTIAL 60
VMworld 2017 Content Not fo
r publication or distri
bution
Certificate Options for ProductionEnable Certificate Validation on the App Volumes Agent
HKLMSystemCurrentControlSetServicessvservicesParametersbull EnforceSSLCertificateValidation = 1bull SSL = 1
Options to Enable SSL
SSL is enabled by default
Donrsquot disable certificate validation during Agent installation
Enable SSL in the registry after App Volumes Agent install
App Volumes
61
VMworld 2017 Content Not fo
r publication or distri
bution
Certificate Options for a POCDisable SSL Certificate Validation on the Agent
HKLMSystemCurrentControlSetServicessvservicesParametersbull EnforceSSLCertificateValidation = 0
Options to Disable SSL
Disable Certificate Validation with App Volumes Manager during App Volumes Agent install
EnforceSSLCertificateValidation in the registry after App Volumes Agent install
App Volumes
62
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and SQL Server CommunicationSecuring Communications Between App Volumes Manager and SQL Server
bull 212 User Guide references MS Support
bull Note the differences for a SQL Server clustered installation
bull Encryption is configured on the SQL Server instance so alldatabases on a shared SQL Server will be affected
bull From the SQL Server use SQL Server Configuration Manager to configure Force Encryption and specify the SQL certificate
SQL Server service account must have Read permissions to the Private Key of the SQL Server SSL certificate
ndash Check SQL Server Configuration Manager gt SQL Server Services gt SQL Server (SQL) gt Log On
ndash Default is NT ServiceMSSQL$SQL which does not have the necessary permissions
App Volumes
ABV1592BE CONFIDENTIAL 63
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and SQL Server CommunicationSetting Custom Private Key Permissions for SQL Service Account
bull Start on the SQL Server
bull MMC gt Certificates
App Volumes
ABV1592BE CONFIDENTIAL 64
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and Load Balancers
Typical Deployment
SSL is terminated at load balancer
HTTP between LB and AV Manager
SSL between AV Agents and LB
If trusted CA-signed cert is used for LB be
sure all agents trust the CA
App Volumes Agent VMs
Load Balancer
App Volumes Manager VMs
Alternative Deployment
To keep SSL between LB and AV
Manager signed AV Manager
certificate(s) should be added to trust list
of the LB
SQLView Infrastructure
Now Secured with SSL
Certificates
App Volumes
ABV1592BE CONFIDENTIAL 65
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
Certificate Options for ProductionEnable Certificate Validation on the App Volumes Agent
HKLMSystemCurrentControlSetServicessvservicesParametersbull EnforceSSLCertificateValidation = 1bull SSL = 1
Options to Enable SSL
SSL is enabled by default
Donrsquot disable certificate validation during Agent installation
Enable SSL in the registry after App Volumes Agent install
App Volumes
61
VMworld 2017 Content Not fo
r publication or distri
bution
Certificate Options for a POCDisable SSL Certificate Validation on the Agent
HKLMSystemCurrentControlSetServicessvservicesParametersbull EnforceSSLCertificateValidation = 0
Options to Disable SSL
Disable Certificate Validation with App Volumes Manager during App Volumes Agent install
EnforceSSLCertificateValidation in the registry after App Volumes Agent install
App Volumes
62
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and SQL Server CommunicationSecuring Communications Between App Volumes Manager and SQL Server
bull 212 User Guide references MS Support
bull Note the differences for a SQL Server clustered installation
bull Encryption is configured on the SQL Server instance so alldatabases on a shared SQL Server will be affected
bull From the SQL Server use SQL Server Configuration Manager to configure Force Encryption and specify the SQL certificate
SQL Server service account must have Read permissions to the Private Key of the SQL Server SSL certificate
ndash Check SQL Server Configuration Manager gt SQL Server Services gt SQL Server (SQL) gt Log On
ndash Default is NT ServiceMSSQL$SQL which does not have the necessary permissions
App Volumes
ABV1592BE CONFIDENTIAL 63
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and SQL Server CommunicationSetting Custom Private Key Permissions for SQL Service Account
bull Start on the SQL Server
bull MMC gt Certificates
App Volumes
ABV1592BE CONFIDENTIAL 64
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and Load Balancers
Typical Deployment
SSL is terminated at load balancer
HTTP between LB and AV Manager
SSL between AV Agents and LB
If trusted CA-signed cert is used for LB be
sure all agents trust the CA
App Volumes Agent VMs
Load Balancer
App Volumes Manager VMs
Alternative Deployment
To keep SSL between LB and AV
Manager signed AV Manager
certificate(s) should be added to trust list
of the LB
SQLView Infrastructure
Now Secured with SSL
Certificates
App Volumes
ABV1592BE CONFIDENTIAL 65
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
Certificate Options for a POCDisable SSL Certificate Validation on the Agent
HKLMSystemCurrentControlSetServicessvservicesParametersbull EnforceSSLCertificateValidation = 0
Options to Disable SSL
Disable Certificate Validation with App Volumes Manager during App Volumes Agent install
EnforceSSLCertificateValidation in the registry after App Volumes Agent install
App Volumes
62
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and SQL Server CommunicationSecuring Communications Between App Volumes Manager and SQL Server
bull 212 User Guide references MS Support
bull Note the differences for a SQL Server clustered installation
bull Encryption is configured on the SQL Server instance so alldatabases on a shared SQL Server will be affected
bull From the SQL Server use SQL Server Configuration Manager to configure Force Encryption and specify the SQL certificate
SQL Server service account must have Read permissions to the Private Key of the SQL Server SSL certificate
ndash Check SQL Server Configuration Manager gt SQL Server Services gt SQL Server (SQL) gt Log On
ndash Default is NT ServiceMSSQL$SQL which does not have the necessary permissions
App Volumes
ABV1592BE CONFIDENTIAL 63
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and SQL Server CommunicationSetting Custom Private Key Permissions for SQL Service Account
bull Start on the SQL Server
bull MMC gt Certificates
App Volumes
ABV1592BE CONFIDENTIAL 64
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and Load Balancers
Typical Deployment
SSL is terminated at load balancer
HTTP between LB and AV Manager
SSL between AV Agents and LB
If trusted CA-signed cert is used for LB be
sure all agents trust the CA
App Volumes Agent VMs
Load Balancer
App Volumes Manager VMs
Alternative Deployment
To keep SSL between LB and AV
Manager signed AV Manager
certificate(s) should be added to trust list
of the LB
SQLView Infrastructure
Now Secured with SSL
Certificates
App Volumes
ABV1592BE CONFIDENTIAL 65
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and SQL Server CommunicationSecuring Communications Between App Volumes Manager and SQL Server
bull 212 User Guide references MS Support
bull Note the differences for a SQL Server clustered installation
bull Encryption is configured on the SQL Server instance so alldatabases on a shared SQL Server will be affected
bull From the SQL Server use SQL Server Configuration Manager to configure Force Encryption and specify the SQL certificate
SQL Server service account must have Read permissions to the Private Key of the SQL Server SSL certificate
ndash Check SQL Server Configuration Manager gt SQL Server Services gt SQL Server (SQL) gt Log On
ndash Default is NT ServiceMSSQL$SQL which does not have the necessary permissions
App Volumes
ABV1592BE CONFIDENTIAL 63
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and SQL Server CommunicationSetting Custom Private Key Permissions for SQL Service Account
bull Start on the SQL Server
bull MMC gt Certificates
App Volumes
ABV1592BE CONFIDENTIAL 64
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and Load Balancers
Typical Deployment
SSL is terminated at load balancer
HTTP between LB and AV Manager
SSL between AV Agents and LB
If trusted CA-signed cert is used for LB be
sure all agents trust the CA
App Volumes Agent VMs
Load Balancer
App Volumes Manager VMs
Alternative Deployment
To keep SSL between LB and AV
Manager signed AV Manager
certificate(s) should be added to trust list
of the LB
SQLView Infrastructure
Now Secured with SSL
Certificates
App Volumes
ABV1592BE CONFIDENTIAL 65
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and SQL Server CommunicationSetting Custom Private Key Permissions for SQL Service Account
bull Start on the SQL Server
bull MMC gt Certificates
App Volumes
ABV1592BE CONFIDENTIAL 64
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and Load Balancers
Typical Deployment
SSL is terminated at load balancer
HTTP between LB and AV Manager
SSL between AV Agents and LB
If trusted CA-signed cert is used for LB be
sure all agents trust the CA
App Volumes Agent VMs
Load Balancer
App Volumes Manager VMs
Alternative Deployment
To keep SSL between LB and AV
Manager signed AV Manager
certificate(s) should be added to trust list
of the LB
SQLView Infrastructure
Now Secured with SSL
Certificates
App Volumes
ABV1592BE CONFIDENTIAL 65
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
SSL Certificates and Load Balancers
Typical Deployment
SSL is terminated at load balancer
HTTP between LB and AV Manager
SSL between AV Agents and LB
If trusted CA-signed cert is used for LB be
sure all agents trust the CA
App Volumes Agent VMs
Load Balancer
App Volumes Manager VMs
Alternative Deployment
To keep SSL between LB and AV
Manager signed AV Manager
certificate(s) should be added to trust list
of the LB
SQLView Infrastructure
Now Secured with SSL
Certificates
App Volumes
ABV1592BE CONFIDENTIAL 65
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution
VMworld 2017 Content Not fo
r publication or distri
bution