Troubleshooting Your Horizon 7 Deployment

ADV1592BU #VMworld #ADV1592BU

Jack McMichael, Sr. Systems Engineer, VMware
Joshua Spencer, Technical Marketing Architect - EUC, VMware

VMworld 2017 Content: Not for publication or distribution

Disclaimer
• This presentation may contain product features that are currently under development
• This overview of new technology represents no commitment from VMware to deliver these features in any generally available product
• Features are subject to change and must not be included in contracts, purchase orders, or sales agreements of any kind
• Technical feasibility and market demand will affect final delivery
• Pricing and packaging for any new technologies or features discussed or presented have not been determined

Top 6 Global Support Tickets
• SSL Certificates / CAs
• Persona/UEM
• App Volumes
• Parent VM issues
• PCoIP/Blast Extreme Black Screens
• Log Analysis

#1 Support Ticket to GSS: Certificates

Configuring Certificates for Horizon
• Read the updated certificates guide: http://bit.ly/2uMhcRA
• Replace self-signed certs on CS, SS, UAG, Composer, and vCenter
  – Internal communications
    • Use SVIconfig for Composer server
    • Use Certificate Automation Tool for vCenter (vSphere 5.5)
    • Rename the self-signed generated certificate

Troubleshooting Certificates for Horizon
• Key issues when creating certs from 3rd parties or CA
  – Make sure compatibility level is Windows 2003
  – Make sure key is exportable
• Key issues when using your own Microsoft CA
  – Make sure the Subject name is your DNS name
  – Set DNS SubjectAltNames for DNS name, including IP and localhost
• Common symptoms of certificate issues
  – Services fail to start after certificate replacement
  – Default 404 page after certificate replacement
• Most referenced KB articles for successful troubleshooting
  – https://kb.vmware.com/kb/2032400
  – https://kb.vmware.com/kb/2068666

Setting Subject Names and SANs with Microsoft Certificate Templates

Configuring Certificates for Unified Access Gateway
• Replace the default self-signed certificate
• Certificates that you import into the Unified Access Gateway appliance must be trusted by client machines
• Must also be applicable to all instances of Unified Access Gateway and any load balancer
  – Use either wildcards or Subject Alternative Name (SAN) certificates
• Detailed instructions: http://bit.ly/2gN17VE

Unified Access Gateway Certificate Deployment: Simplifying and Troubleshooting
• Automate UAG deployment, including trusted certificate
  – Use OVF Tool or PowerShell
  – Production-ready deployment in ~1 minute
  – No longer requires PEM-formatted certificates
    • UAG 3.0 and above accepts PKCS#12 (.p12 or .pfx) formatted certificates
  – Guide to scripted deployment: https://communities.vmware.com/docs/DOC-30835
    • Includes sample INI and PS1 files
    • Includes troubleshooting examples

Certificates with App Volumes Manager: Replace Self-Signed Cert with a CA-Signed Cert Trusted by the App Volumes Agent
Options to Enable SSL
• Replace self-signed certificate on App Volumes Manager server with a cert trusted by App Volumes Agent VMs
• User guide: http://bit.ly/2vlzgxX
• Step-by-step blog with video: http://bit.ly/2ung7yE
Recommended for SSL
• Use SSL for SQL Server Communication
• Accept a CA-signed certificate from vCenter

App Volumes Certificates: Additional Considerations
• Certificate validation between App Volumes Manager and vCenter
• Certificate validation for App Volumes Agent
  – POC versus Production implementation
• Secure communications between App Volumes and Microsoft SQL server
• Applying certificates in load balanced configurations

Avoiding Certificate Issues: Be Consistent with App Volumes Manager Name

VMware Horizon Log Locations
Logs can be collected from…
[Diagram: Core Infrastructure (Active Directory, vCenter Server, vRealize Operations Manager for Horizon, Database (SQL), vSphere, vSAN); SaaS/Mobile Apps; Applications (App Volumes); VMware Identity Manager; User Workspace; User Environment (IT Settings, User Profile); End-Point Clients; VMware Horizon (RDS Desktops & Apps, Virtual Desktop Pools, Unified Access Gateway, Connection Server, View Composer)]
Use KB1017939 for log locations and KB1025887 to change log levels

VMware Unified Access Gateway (UAG) Logs
Log Files
• Default log level is INFO
• Adjust log level for debugging information
  – Details of log levels and collecting log files: http://bit.ly/2ufqdAY
Monitoring
• Monitor UAG services from the Admin UI

App Volumes Logs
• "DJ" indicates Manager background job
• "R" indicates dynamic Ruby job
• Log files are now created daily
• Use Notepad++ to quickly group log entries by task

User Environment Manager Logs: Global and Individual Debug Logs
• Configure debug logging for individual user
  – https://kb.vmware.com/kb/2113514

Application Personalization & DirectFlex
[Diagram: timeline of a user session against the Base Profile and the Profile Data Store (File Share)]
• UEM Logon: import of keyboard, mouse, wallpaper, Windows settings
• Application Launch: import of application settings
• Application Shutdown: export of application settings
• UEM Logoff: export of keyboard, mouse, wallpaper, Windows settings

DirectFlex Logging

DirectFlex Import

DirectFlex Export

Tracking Sessions
• Use Tail/Grep utilities or Trace32 (SCCM Toolkit)

Demo – Log Monitoring with BareTail/BareGrep

Horizon: Common Issues

Troubleshooting Keys
• Check Admin Dashboard or HelpDesk Tool
• Understand client connection paths
• Set the appropriate Logging Level
• Check Logs and understand DCT Tool
• Use kb.vmware.com or communities

Horizon Helpdesk Tool

Horizon Helpdesk Tool: Session Details
Access
• Installed by default on CS
• https://[CS FQDN]/helpdesk
• Launch from Horizon Console
Provides
• Metrics
• Send Message
• Remote Assistance
• Quick Resolution
  – Restart
  – Logoff
  – Reset
  – Disconnect

Horizon Helpdesk Tool: Measuring Impact of AppStacks
• No AppStacks
• Three AppStacks – VLC, Notepad++, 7-Zip

Identifying the Problem Domain
[Diagram: Client(s), Identity Manager, HTML, SaaS/Mobile/Other Apps; Remoting Protocol; Pool (Master VM, Instant Clone); Profile (User Environment Manager File Shares, Persona, Home File Shares, Folder Redirection); Apps (ThinApp Shares, Streamed Apps, App Volumes AppStacks, Writable Volume, Disk Attachments); vSphere, Virtual SAN, Instant Clone; Environment (AD, DNS, DHCP, Group Policy, Certs); vRealize Operations for Horizon – (Monitoring & Mgt)]

Horizon Connectivity Issues
• Common challenges
  – Horizon Client can't connect
  – Logon failure
  – Black screen
  – Poor quality display
  – Randomly disconnected session

Blast Extreme Adaptive Transport: ADMX Template Settings
Computer > Policies > Admin Templates > VMware Blast > UDP Protocol
• Requires restart of Blast service or reboot of guest OS to take effect

Blast Extreme Adaptive Transport

Computer > Policies > Admin Templates > VMware Blast > UDP Protocol – Not Configured or Enabled
HKLM\SOFTWARE\Policies\VMware, Inc.\VMware Blast\Config – UdpEnabled = 1

| Client Settings | Agent Settings (UDP) | Blast Desktop Connection | Broker Connection |
| Excellent | Not configured or Enabled | TCP | TCP |
| Typical | Not configured or Enabled | UDP | TCP |
| Poor | Not configured or Enabled | UDP | UDP |

Computer > Policies > Admin Templates > VMware Blast > UDP Protocol – Disabled
HKLM\SOFTWARE\Policies\VMware, Inc.\VMware Blast\Config – UdpEnabled = 0

| Client Settings | Agent Settings (UDP) | Blast Desktop Connection | Broker Connection |
| Excellent | Disabled | TCP | TCP |
| Typical | Disabled | TCP | TCP |
| Poor | Disabled | TCP | UDP |

Horizon Connectivity Issues
• Where to look
  – Connection Broker logs
    • C:\ProgramData\VMware\VDM\logs
  – Event Database
  – DCT Tool
• What to look for
  – (Client connects) [SimpleAJPService] (ajpbrokerRequest9) Request from 19216821 POST brokerxml
  – (Broker authentication) [WinAuthFilter] (SESSION7072--a79c mattc) Attempting to authenticate user mattc in domain FUTUREOFFICE'
  – (User has authenticated to Broker) [AuthorizationFilter] (SESSION7072--a79c) User FUTUREOFFICEmattc has successfully authenticated to VDM
  – (Audit Entry) [Audit] (SESSION7072--a79c) BROKER_LOGONUSERFUTUREOFFICEmattcUSERSIDS-1-5-21-326850759-2560684469-1780228732-1113USERDNCN=S-1-5-21-326850759-2560684469-1780228732-1113CN=ForeignSecurityPrincipalsDC=vdiDC=vmwareDC=int
  – Event Database: BROKER_USERLOGGEDIN

User Experience Issues
• Black screen of death instead of desktop
  – PCoIP port blocked (TCP and UDP 4172) or SVGA Driver issue
  – pcoip_server/client logs - C:\Users\All Users\VMware\VDM\logs
    • Error attaching to SVGADevTap error 4000 EscapeFailed
    • MGMT_SCHAN scnet_client_open tera_sock_connect returned error 10060 - Connection timed out
  – Incorrect PCoIP External URL configured for Security/Connection Servers

User Experience Issues
• Poor quality display
  – Bandwidth, latency, or QoS
  – Pcoip_server logs report
    • VGMAC Stat frms Loss=045021 (RT)
    • MGMT_PCOIP_DATA BW Decrease (loss) old = 2349982 new = 1768438
• Randomly disconnected session
  – 15 min after established - wssm process hasn't started on desktop
  – View Agent logs (<DriveLetter>:\ProgramData\VMware\VDM\logs)
  – PENDING_EXPIRED
  – Sometimes caused by daisy-chaining the GINA (WinXP)

Multi-VLAN support for Instant Clone pools: Tips to Avoid Deployment Issues
Support
• vSphere 2016
• ESXi 6.0 U1 or newer
• Virtual Distributed Switch only
  – No support for Standard Switch
• Port Group must be configured for Static Port Binding & Fixed Port Allocation
  – No support for Dynamic or Ephemeral
Tested Limits
• No multi-VLAN provisioning with IPv6
• Single IC pool of 2K VMs

Multi-VLAN with Horizon Instant Clones: Troubleshooting

Desktop Performance
• Common Issues
  – Storage I/O bottleneck
  – Memory contention
  – CPU contention
  – Network issues
• Where to look
  – vCenter Server
  – VCOPs
  – ESXTOP
  – 3rd Party Tools

The 3 Pillars of Performance
What to look for
• CPU
  – Cluster/Host utilization < 90
  – VM utilization - USED (ESXTOP)
  – VM RDY Time (ESXTOP) < 10
• Memory
  – Host utilization < 85
  – VM utilization
  – Swapping, Ballooning: SWCUR > 1, MCTLSZ > 1 (ESXTOP)
• Storage
  – Disk Read Latency < 25ms
  – ESXTOP DAVG or KAVG < 25ms (ESXTOP)

Optimize Your Images
• https://labs.vmware.com/flings/vmware-os-optimization-tool

User Environment Manager: Common Issues

FlexEngine Appears Not To Run
FlexEngine Client
• Requires use of Regedit.exe or Reg.exe to modify user-based registry keys
• Must not be disabled via Local or Group Policy
ADMX Settings
• Minimum settings to enable FlexEngine Client
• Check path

Path-Based Import Runs Slow
• Be careful not to run FlexEngine as a logon script and a Group Policy client-side extension

Application Incompatibility with Hook Drivers
DirectFlex Blacklist
• Create <FlexRepository>\DirectFlexBlackList.XML
• Populate as follows:

    <?xml version="1.0" encoding="utf-8"?>
    <userEnvironmentSettings>
      <setting type="blacklist" list="1.exe|2.exe|3.exe" />
    </userEnvironmentSettings>

• Example: https://kb.vmware.com/kb/2145287

App Volumes: Common Issues

Slow User Logon
• Check Logon Segments in Horizon to determine where the delay is
• Optimize clock.yml
  – If performance decreases as deployment scales
  – Increasing servers, workers, and thread_pool requires additional CPU and RAM
  – Involve GSS to ensure optimal settings

AppStack Not Attaching at Logon
• One host in vSphere cluster does not have access to the shared datastore where the AppStack resides
  – Common oversight, especially with Storage Groups
• Conflicting Minifilter driver
  – DLP software
  – Be aware of app altitude
  – More info from Microsoft
    • http://bit.ly/2tSCdG5

ADSI Edit – Static Configuration Editing

ADSI Edit – Common Key Values to Inspect
• pae-DisplayName
  – VM name as displayed in View Admin
• pae-DirtyForNewSessions
  – Indicates whether the VM is "Dirty" and can be re-used in a non-persistent pool
• pae-SVIVMSnapshot
  – Indicates the current Snapshot that is in use
• pae-VmPath
  – Indicates the full Path to the VM in vCenter
• pae-VmState
  – Indicates the current state of the Desktop – some states are a combination of this value and other values

ADSI Edit – Searching for a Desktop
• Find VMs with a Snapshot
  – (&(objectClass=pae-VM)(pae-SVIVmSnapshot=BaselineSnapshot1Snapshot2))
• Find VMs with a Name
  – (&(objectClass=pae-VM)(pae-DisplayName=Desktop-234))

Horizon View Event Notifier
• On the VMware Fling site - labs.vmware.com/flings (chrishalstead)

SSL Certificates and vCenter Server Connection
Accept vCenter Certificate
• By default, certificate validation is required between App Volumes Manager and vSphere
• Accept vCenter cert (self-signed or CA-signed) while creating the Machine Manager in App Volumes Manager
• No custom certificate work required

Certificate Options for Production: Enable Certificate Validation on the App Volumes Agent
Options to Enable SSL
• SSL is enabled by default
• Don't disable certificate validation during Agent installation
• Enable SSL in the registry after App Volumes Agent install
HKLM\System\CurrentControlSet\Services\svservices\Parameters
• EnforceSSLCertificateValidation = 1
• SSL = 1

Certificate Options for a POC: Disable SSL Certificate Validation on the Agent
• Options to Disable SSL
• Disable Certificate Validation with App Volumes Manager during App Volumes Agent install
• EnforceSSLCertificateValidation in the registry after App Volumes Agent install
HKLM\System\CurrentControlSet\Services\svservices\Parameters
• EnforceSSLCertificateValidation = 0
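The two slides above differ only in registry values, so a POC agent image promoted to production keeps certificate validation off unless someone checks. The following is an added example (not from the presentation or from VMware) that audits saved `reg query` output from agent VMs for the production values the slides give; the sample outputs are constructed, the key path is written as it appears on the slide, and the function names are hypothetical.

```python
import re

# One value line of `reg query` output: indent, name, type, hex data.
VALUE_RE = re.compile(
    r"^\s+(?P<name>\S+)\s+REG_DWORD\s+(?P<data>0x[0-9a-fA-F]+)\s*$"
)

# Values the "Certificate Options for Production" slide expects on the agent.
PRODUCTION_VALUES = ("SSL", "EnforceSSLCertificateValidation")


def parse_reg_query(text):
    """Return {value_name: int} for every REG_DWORD line in reg query output."""
    values = {}
    for line in text.splitlines():
        match = VALUE_RE.match(line)
        if match:
            values[match.group("name")] = int(match.group("data"), 16)
    return values


def audit_agent(text):
    """List findings for one agent; an empty list means both values are 1."""
    values = parse_reg_query(text)
    findings = []
    for name in PRODUCTION_VALUES:
        if name not in values:
            # Absent is reported, not assumed safe: the effective default
            # depends on how the agent was installed.
            findings.append(f"{name}: not set, confirm the effective default")
        elif values[name] != 1:
            findings.append(
                f"{name} = {values[name]}: POC setting, production expects 1"
            )
    return findings


# Constructed sample outputs (not captured from real systems).
KEY = r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\svservices\Parameters"

PRODUCTION_AGENT = KEY + r"""
    EnforceSSLCertificateValidation    REG_DWORD    0x1
    SSL    REG_DWORD    0x1
"""

POC_AGENT = KEY + r"""
    EnforceSSLCertificateValidation    REG_DWORD    0x0
    SSL    REG_DWORD    0x1
"""

PARTIAL_AGENT = KEY + r"""
    SSL    REG_DWORD    0x1
"""

if __name__ == "__main__":
    samples = {
        "prod-01": PRODUCTION_AGENT,
        "poc-01": POC_AGENT,
        "partial-01": PARTIAL_AGENT,
    }
    for host, output in samples.items():
        findings = audit_agent(output)
        print(host, "OK" if not findings else findings)
```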

SSL Certificates and SQL Server Communication: Securing Communications Between App Volumes Manager and SQL Server
• 2.12 User Guide references MS Support
• Note the differences for a SQL Server clustered installation
• Encryption is configured on the SQL Server instance, so all databases on a shared SQL Server will be affected
• From the SQL Server, use SQL Server Configuration Manager to configure Force Encryption and specify the SQL certificate
SQL Server service account must have Read permissions to the Private Key of the SQL Server SSL certificate
  – Check SQL Server Configuration Manager > SQL Server Services > SQL Server (SQL) > Log On
  – Default is NT Service\MSSQL$SQL, which does not have the necessary permissions

SSL Certificates and SQL Server Communication: Setting Custom Private Key Permissions for SQL Service Account
• Start on the SQL Server
• MMC > Certificates

SSL Certificates and Load Balancers
[Diagram: App Volumes Agent VMs, Load Balancer, App Volumes Manager VMs, SQL, View Infrastructure; now secured with SSL certificates]
Typical Deployment
  – SSL is terminated at load balancer
  – HTTP between LB and AV Manager
  – SSL between AV Agents and LB
  – If trusted CA-signed cert is used for LB, be sure all agents trust the CA
Alternative Deployment
  – To keep SSL between LB and AV Manager, signed AV Manager certificate(s) should be added to trust list of the LB

Desktop Not Available
What to look for… (walk through successful connection)
• Client requests desktop
  – Event Database: BROKER_DESKTOP_REQUEST
• Broker allocates session to user
  – [FarmImp] (SESSION7072--a79c) cn=3f974017-409f-4912-83bc-2ee794f22fabou=serversdc=vdidc=vmwaredc=int total session count 0
  – [FarmImp] (SESSION7072--a79c) allocateNewSession - identified server for application CN=GOLD-NPOU=ApplicationsDC=vdiDC=vmwareDC=int
  – Event Database: BROKER_MACHINE_ALLOCATED
• Broker attempts SSO
  – [FarmImp] (SESSION7072--a79c) Using domain for SSO FUTUREOFFICE
  – User won't be logged on to the VM without this

Desktop Not Available
What to look for… Pool Provisioning
• Desktops not available due to provisioning error
  – Check View Administrator for Pool status, check datastore capacity
  – Check Event Database - BROKER_PROVISIONING_ERROR_
  – Check View Composer has network access to ESX hosts
• Desktop not available due to customization
  – Check Desktop status – AGENT UNAVAILABLE
  – Check View Dashboard
    • Desktop Status > Preparing Desktops OR Problem Desktops
  – Check Desktop connectivity to DNS/AD/Connection Server

Desktop Not Available
• Desktop not available due to VM reset/crash
  – Check Desktop status – ALREADY USED
  – Typical on refresh-on-logoff or delete-on-use desktops
  – Broker never received an explicit logout message from the agent
  – Missing AGENT_ENDED event in DB for VM
• View Composer issues associated with incorrect domain credentials
  – C:\ProgramData\VMware\View Composer\Logs
  – FATAL CSvmGaService - [svmGaServicecpp 116] Domain join failed Error 5 (0x5) Access is denied

Desktop Not Available
What to look for…
• Broker starts session on VM
  – [DesktopSessionImp] (SESSION7072--a79c) startSession – sending StartSession message
• Agent responds…
  – "DesktopManager got a StartSession message"
  – Client Info should be in Agent Log along with PCoIP launch
• Event Database: AGENT_PENDING
• Client connects to VM (Agent)
  – "PCoIPCnxOnConnectionComplete Begin (PCOIP)"
  – "WTS_SESSION_LOGON"
  – Event Database: AGENT_CONNECTED

Desktop Source Not Available
Common Issues
• No Desktop Available
• Pool provisioning issues – customization
• Agent not communicating with broker
• Stuck at desktop login screen (SSO)

Desktop Source Not Available
Where to look
• Event Database
• Connection Server logs
What to look for
  [SessionLaunchContext] (SESSION40a7__6cbd) VMWEUCbsimpson Desktop=vmworld Session request failed
  (SESSION40a7__6cbd) [VMWEUCbsimpson Desktop=vmworld] (5ms) The following servers were blocked for new sessions [cn=5162cf76-8d8a-4ac0-9185-845a540d24e5ou=serversdc=vdidc=vmwaredc=int]
  (SESSION40a7__6cbd) [VMWEUCbsimpson Desktop=vmworld] (5ms) Application launch failed exception was The desktop sources for this desktop are not responding Please try again later
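The "what to look for" slides trace one launch through the Connection Server log by its session token, from broker authentication to the StartSession message, and list the messages that mark a failed launch. The following is an added example (not from the presentation or from VMware) that groups log lines by that token and reports how far each session got; the sample lines, their timestamps and punctuation, and the stage names are constructed assumptions, while the matched message fragments are the ones quoted on the slides.

```python
import re
from collections import OrderedDict

# Stages of a successful launch, in order, keyed by message text from the slides.
STAGES = [
    ("auth_attempt", re.compile(r"Attempting to authenticate user")),
    ("authenticated", re.compile(r"has successfully authenticated")),
    ("allocated", re.compile(r"allocateNewSession")),
    ("sso", re.compile(r"Using domain for SSO")),
    ("start_session", re.compile(r"sending StartSession message")),
]

# Messages the "Desktop Source Not Available" slide lists for a failed launch.
FAILURES = [
    re.compile(r"Session request failed"),
    re.compile(r"blocked for new sessions"),
    re.compile(r"Application launch failed"),
]

# Session token; the separator after SESSION is optional because the
# punctuation of real log lines is an assumption here.
SESSION_RE = re.compile(r"\(SESSION:?(?P<sid>[^\s)]+)")


def trace_sessions(lines):
    """Group lines by session token and work out how far each launch got."""
    sessions = OrderedDict()
    for line in lines:
        match = SESSION_RE.search(line)
        if not match:
            continue  # lines without a session token are not attributable
        record = sessions.setdefault(
            match.group("sid"), {"stages": [], "failures": []}
        )
        for name, pattern in STAGES:
            if pattern.search(line) and name not in record["stages"]:
                record["stages"].append(name)
        for pattern in FAILURES:
            if pattern.search(line):
                record["failures"].append(line.strip())
    for record in sessions.values():
        record["missing"] = [n for n, _ in STAGES if n not in record["stages"]]
        if record["failures"]:
            record["verdict"] = "failed"
        elif not record["missing"]:
            record["verdict"] = "complete"
        else:
            record["verdict"] = "stalled before " + record["missing"][0]
    return sessions


# Constructed sample log (not captured from a real Connection Server).
SAMPLE_LOG = r"""
2017-08-29T10:15:01.100 DEBUG [SimpleAJPService] (ajp:broker:Request9) Request from 192.0.2.10: POST /broker/xml
2017-08-29T10:15:01.350 DEBUG [WinAuthFilter] (SESSION:aaaa_***_0001 alice) Attempting to authenticate user 'alice' in domain 'EXAMPLE'
2017-08-29T10:15:01.410 DEBUG [WinAuthFilter] (SESSION:bbbb_***_0002 bob) Attempting to authenticate user 'bob' in domain 'EXAMPLE'
2017-08-29T10:15:01.600 INFO [AuthorizationFilter] (SESSION:aaaa_***_0001) User EXAMPLE\alice has successfully authenticated to VDM
2017-08-29T10:15:01.640 INFO [AuthorizationFilter] (SESSION:bbbb_***_0002) User EXAMPLE\bob has successfully authenticated to VDM
2017-08-29T10:15:02.100 DEBUG [FarmImp] (SESSION:aaaa_***_0001) allocateNewSession - identified server for application CN=POOL-A,OU=Applications,DC=example,DC=int
2017-08-29T10:15:02.150 DEBUG [FarmImp] (SESSION:aaaa_***_0001) Using domain for SSO: EXAMPLE
2017-08-29T10:15:02.300 DEBUG [DesktopSessionImp] (SESSION:aaaa_***_0001) startSession - sending StartSession message
2017-08-29T10:15:02.400 INFO [SessionLaunchContext] (SESSION:bbbb_***_0002) EXAMPLE\bob Desktop=pool-b Session request failed
2017-08-29T10:15:02.405 DEBUG (SESSION:bbbb_***_0002) [EXAMPLE\bob Desktop=pool-b] (5ms) The following servers were blocked for new sessions: [cn=example,ou=servers,dc=example,dc=int]
2017-08-29T10:15:02.410 DEBUG (SESSION:bbbb_***_0002) [EXAMPLE\bob Desktop=pool-b] (5ms) Application launch failed, exception was: The desktop sources for this desktop are not responding.
2017-08-29T10:16:10.000 DEBUG [WinAuthFilter] (SESSION:cccc_***_0003 carol) Attempting to authenticate user 'carol' in domain 'EXAMPLE'
2017-08-29T10:16:10.200 INFO [AuthorizationFilter] (SESSION:cccc_***_0003) User EXAMPLE\carol has successfully authenticated to VDM
2017-08-29T10:16:10.900 DEBUG [FarmImp] (SESSION:cccc_***_0003) allocateNewSession - identified server for application CN=POOL-A,OU=Applications,DC=example,DC=int
"""

if __name__ == "__main__":
    for sid, record in trace_sessions(SAMPLE_LOG.splitlines()).items():
        print(sid, record["verdict"], record["stages"])
```

A session that stalls before `sso` is the case the walk-through slide calls out: without the SSO line the user is not logged on to the VM.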

Page 2: ADV1592BU Troubleshooting Your Horizon 7 Deployment … · Troubleshooting Your Horizon 7 Deployment VMworld 2017 ... (SCCM Toolkit) Horizon ... Troubleshooting Horizon

bull This presentation may contain product features that are currently under development

bull This overview of new technology represents no commitment from VMware to deliver these features in any generally available product

bull Features are subject to change and must not be included in contracts purchase orders or sales agreements of any kind

bull Technical feasibility and market demand will affect final delivery

bull Pricing and packaging for any new technologies or features discussed or presented have not been determined

Disclaimer

ADV1592BU CONFIDENTIAL 2

VMworld 2017 Content Not fo

r publication or distri

bution

Top 6 Global Support Tickets

SSL Certificates CAs

PersonaUEM

App Volumes

Parent VM issues

PCoIPBlast Extreme Black Screens

Log Analysis

ADV1592BU CONFIDENTIAL 3

VMworld 2017 Content Not fo

r publication or distri

bution

1 Support Ticket to GSSCertificates

VMworld 2017 Content Not fo

r publication or distri

bution

Configuring Certificates for Horizon

bull Read the updated certificates guide httpbitly2uMhcRA

bull Replace self-signed certs on CS SS UAG Composer and vCenter

ndash Internal communications

bull Use SVIconfig for Composer server

bull Use Certificate Automation Tool for vCenter (vSphere 55)

bull Rename the self-signed generated certificate

Horizon

ADV1592BU CONFIDENTIAL 5

VMworld 2017 Content Not fo

r publication or distri

bution

Troubleshooting Certificates for Horizon

bull Key issues when creating certs from 3rd parties or CA

ndash Make sure compatibility level is Windows 2003

ndash Make sure key is exportable

bull Key issues when using your own Microsoft CA

ndash Make sure the Subject name is your DNS name

ndash Set DNS SubjectAltNames for DNS name including IP and localhost

bull Common symptoms of certificate issues

ndash Services fail to start after certificate replacement

ndash Default 404 page after certificate replacement

bull Most referenced KB articles for successful troubleshooting

ndash httpskbvmwarecomkb2032400

ndash httpskbvmwarecomkb2068666

Horizon

ADV1592BU CONFIDENTIAL 6

VMworld 2017 Content Not fo

r publication or distri

bution

Setting Subject Names and SANswith Microsoft Certificate Templates

Horizon

ADV1592BU CONFIDENTIAL 7

VMworld 2017 Content Not fo

r publication or distri

bution

Configuring Certificates for Unified Access Gateway

bull Replace the default self-signed certificate

bull Certificates that you import into the Unified Access Gateway appliance must be trusted by client machines

bull Must also be applicable to all instances of Unified Access Gateway and any load balancer

ndash Use either wildcards or Subject Alternative Name (SAN) certificates

bull Detailed instructions httpbitly2gN17VE

UnifiedAccess

Gateway

Unified Access Gateway

ADV1592BU CONFIDENTIAL 8

VMworld 2017 Content Not fo

r publication or distri

bution

Unified Access Gateway Certificate Deployment

bull Automate UAG deployment including trusted certificate

ndash Use OVF Tool or PowerShell

ndash Production-ready deployment in ~1 minute

ndash No longer requires PEM-formatted certificates

bull UAG 30 and above accepts PKCS12 (p12 or pfx) formatted certificates

ndash Guide to scripted deployment httpscommunitiesvmwarecomdocsDOC-30835

bull Includes sample INI and PS1 files

bull Includes troubleshooting examples

Simplifying and Troubleshooting

Unified Access Gateway

ADV1592BU CONFIDENTIAL 9

VMworld 2017 Content Not fo

r publication or distri

bution

Certificates with App Volumes Manager

Options to Enable SSL

bull Replace self-signed certificate on App Volumes Manager server with a cert trusted by App Volumes Agent VMs

bull User guide httpbitly2vlzgxX

bull Step-by-step blog with video httpbitly2ung7yE

Recommended for SSL

bull Use SSL for SQL Server Communication

bull Accept a CA-signed certificate from vCenter

Replace Self-Signed Cert with a CA-Signed Cert Trusted by the App Volumes Agent

App Volumes

ADV1592BU CONFIDENTIAL 10

VMworld 2017 Content Not fo

r publication or distri

bution

App Volumes Certificates

bull Certificate validation between App Volumes Manager and vCenter

bull Certificate validation for App Volumes Agent

ndash POC versus Production implementation

bull Secure communications between App Volumes and Microsoft SQL server

bull Applying certificates in load balanced configurations

11

Additional Considerations

App Volumes

VMworld 2017 Content Not fo

r publication or distri

bution

Avoiding Certificate Issues

ADV1592BU CONFIDENTIAL 12

Be Consistent with App Volumes Manager Name

VMworld 2017 Content Not fo

r publication or distri

bution

VMware Horizon Log Locations

Core

Infrastructure

Active

Directory

vCenter

Server

vRealize

Operations

Manager for

Horizon

Database

(SQL)

vSphere

vSAN

SaaS Mobile

Apps

Applications

(App Volumes)

VMware

Identity

Manager

User

Workspace

User

Environment

IT

Settings

User

Profile

End-Point Clients

VMware Horizon

RDS

Desktops amp Apps

Virtual Desktop Pools

Unified

Access

Gateway

Connection

Server

View

Composer

Logs can be collected fromhellip

Use KB1017939 for log locations and KB1025887 to change log levels

ADV1592BU CONFIDENTIAL 13

VMworld 2017 Content Not fo

r publication or distri

bution

VMware Unified Access Gateway (UAG) Logs

Log Files

bull Default log level is INFO

bull Adjust log level for debugging information

ndash Details of log levels and collecting log files httpbitly2ufqdAY

Monitoring

bull Monitor UAG services from the Admin UI

Unified Access Gateway

ADV1592BU CONFIDENTIAL 14

VMworld 2017 Content Not fo

r publication or distri

bution

App Volumes Logs

rdquoDJrdquo indicates

Manager

background

job

ldquoRrdquo indicates

dynamic Ruby

job

Log files are

now created

daily

bull Use Notepad++ to quickly group log entries by task

ADV1592BU CONFIDENTIAL 15

VMworld 2017 Content Not fo

r publication or distri

bution

User Environment Manager Logs

bull Configure debug logging for individual user

ndash httpskbvmwarecomkb2113514

Global and Individual Debug Logs

User Environment Manager

ADV1592BU CONFIDENTIAL 16

VMworld 2017 Content Not fo

r publication or distri

bution

Application Personalization & DirectFlex
[Timeline diagram: User Session, Profile Data Store (File Share), Base Profile, Time]
• UEM Logon: Import of Keyboard, Mouse, Wallpaper, Windows Settings
• Application Launch: Import of application settings
• Application Shutdown: Export of application settings
• UEM Logoff: Export of Keyboard, Mouse, Wallpaper, Windows Settings

DirectFlex Logging

DirectFlex Import

DirectFlex Export

Tracking Sessions
• Use Tail/Grep Utilities or Trace32 (SCCM Toolkit)

Demo – Log Monitoring with BareTail/BareGrep

Horizon: Common Issues

Troubleshooting Keys
• Check Admin Dashboard or HelpDesk Tool
• Understand client connection paths
• Set the appropriate Logging Level
• Check Logs and understand DCT Tool
• Use kb.vmware.com or communities

Horizon Helpdesk Tool

Horizon Helpdesk Tool Session Details
Access
• Installed by default on CS
• https://[CS FQDN]/helpdesk
• Launch from Horizon Console
Provides
• Metrics
• Send Message
• Remote Assistance
• Quick Resolution
  – Restart
  – Logoff
  – Reset
  – Disconnect

Horizon Helpdesk Tool
Measuring Impact of AppStacks
• No AppStacks
• Three AppStacks – VLC, Notepad++, 7-Zip

Identifying the Problem Domain
[Diagram labels: Pool, Profile, Service, Apps, User, Remoting Protocol, User Environment Manager, File Shares, Persona, ThinApp Shares, Streamed Apps, Master VM, Instant Clone, Home File Shares, Folder Redirection, App Volumes, AppStacks, Writable Volume, Disk Attachments, vSphere, Virtual SAN, Instant Clone, SaaS Mobile Other Apps, Client(s), Identity Manager, HTML, APPS, Environment, AD, DNS, DHCP, Group Policy, Certs, vRealize Operations for Horizon – (Monitoring & Mgt)]

Horizon Connectivity Issues
• Common challenges
  – Horizon Client can't connect
  – Logon failure
  – Black screen
  – Poor quality display
  – Randomly disconnected session

Blast Extreme Adaptive Transport: ADMX Template Settings
Computer > Policies > Admin Templates > VMware Blast > UDP Protocol
• Requires restart of Blast service or reboot of guest OS to take effect

Blast Extreme Adaptive Transport

Client Settings   Agent Settings (UDP)        Blast Desktop Connection   Broker Connection
Excellent         Not configured or Enabled   TCP                        TCP
Typical           Not configured or Enabled   UDP                        TCP
Poor              Not configured or Enabled   UDP                        UDP

Computer > Policies > Admin Templates > VMware Blast > UDP Protocol – Not Configured or Enabled
HKLM\SOFTWARE\Policies\VMware, Inc.\VMware Blast\Config – UdpEnabled = 1

Client Settings   Agent Settings (UDP)   Blast Desktop Connection   Broker Connection
Excellent         Disabled               TCP                        TCP
Typical           Disabled               TCP                        TCP
Poor              Disabled               TCP                        UDP

Computer > Policies > Admin Templates > VMware Blast > UDP Protocol – Disabled
HKLM\SOFTWARE\Policies\VMware, Inc.\VMware Blast\Config – UdpEnabled = 0

Horizon Connectivity Issues
• Where to look
  – Connection Broker logs
    • C:\ProgramData\VMware\VDM\logs
  – Event Database
  – DCT Tool
• What to look for
  • (Client connects) [SimpleAJPService] (ajpbrokerRequest9) Request from 19216821 POST /broker/xml
  • (Broker authentication) [WinAuthFilter] (SESSION7072--a79c mattc) Attempting to authenticate user 'mattc' in domain 'FUTUREOFFICE'
  • (User has authenticated to Broker) [AuthorizationFilter] (SESSION7072--a79c) User FUTUREOFFICE\mattc has successfully authenticated to VDM
  • (Audit Entry) [Audit] (SESSION7072--a79c) BROKER_LOGON:USER:FUTUREOFFICE\mattc;USERSID:S-1-5-21-326850759-2560684469-1780228732-1113;USERDN:CN=S-1-5-21-326850759-2560684469-1780228732-1113,CN=ForeignSecurityPrincipals,DC=vdi,DC=vmware,DC=int
  • Event Database: BROKER_USERLOGGEDIN

User Experience Issues
• Black screen of death instead of desktop
  – PCoIP port blocked (TCP and UDP 4172) or SVGA Driver issue
  – pcoip_server/client logs - C:\Users\All Users\VMware\VDM\logs
    • Error attaching to SVGADevTap error 4000 EscapeFailed
    • MGMT_SCHAN scnet_client_open tera_sock_connect returned error 10060 - Connection timed out
  – Incorrect PCoIP External URL configured for Security/Connection Servers

User Experience Issues
• Poor quality display
  – Bandwidth, latency or QoS
  – Pcoip_server logs report
    • VGMAC Stat frms Loss=045021 (RT)
    • MGMT_PCOIP_DATA BW Decrease (loss) old = 2349982 new = 1768438
• Randomly disconnected session
  – 15 min after established - wssm process hasn't started on desktop
  – View Agent logs (<DriveLetter>:\ProgramData\VMware\VDM\logs)
  – PENDING_EXPIRED
  – Sometimes caused by daisy-chaining the GINA (WinXP)

Multi-VLAN support for Instant Clone pools: Tips to Avoid Deployment Issues
Support
• vSphere 2016
• ESXi 6.0 U1 or newer
• Virtual Distributed Switch only
  – No support for Standard Switch
• Port Group must be configured for Static Port Binding & Fixed Port Allocation
  – No support for Dynamic or Ephemeral
Tested Limits
• No multi-VLAN provisioning with IPv6
• Single IC pool of 2K VMs

Multi-VLAN with Horizon Instant Clones: Troubleshooting

Desktop Performance
• Common Issues
  – Storage I/O bottleneck
  – Memory contention
  – CPU contention
  – Network issues
• Where to look
  – vCenter Server
  – VCOPs
  – ESXTOP
  – 3rd Party Tools

The 3 Pillars of Performance
What to look for
• CPU
  – Cluster/Host utilization < 90%
  – VM utilization - %USED (ESXTOP)
  – VM RDY Time (ESXTOP) < 10%
• Memory
  – Host utilization < 85%
  – VM utilization
  – Swapping, Ballooning: SWCUR > 1, MCTLSZ > 1 (ESXTOP)
• Storage
  – Disk Read Latency < 25ms
  – ESXTOP DAVG or KAVG < 25ms (ESXTOP)

Optimize Your Images
• https://labs.vmware.com/flings/vmware-os-optimization-tool

User Environment Manager: Common Issues

FlexEngine Appears Not To Run
FlexEngine Client
• Requires use of Regedit.exe or Reg.exe to modify user-based registry keys
• Must not be disabled via Local or Group Policy
ADMX Settings
• Minimum settings to enable FlexEngine Client
• Check path

Path-Based Import Runs Slow
• Be careful not to run FlexEngine as a logon script and a Group Policy client-side extension

Application Incompatibility with Hook Drivers
DirectFlex Blacklist
• Create <FlexRepository>\DirectFlex\BlackList.XML
• Populate as follows

    <?xml version="1.0" encoding="utf-8"?>
    <userEnvironmentSettings>
      <setting type="blacklist" list="1.exe|2.exe|3.exe" />
    </userEnvironmentSettings>

• Example: https://kb.vmware.com/kb/2145287

App Volumes: Common Issues

Slow User Logon
• Check Logon Segments in Horizon to determine where the delay is
• Optimize clock.yml
  – If performance decreases as deployment scales
  – Increasing servers, workers and thread_pool requires additional CPU and RAM
  – Involve GSS to ensure optimal settings

AppStack Not Attaching at Logon
• One host in vSphere cluster does not have access to the shared datastore where the AppStack resides
  – Common oversight, especially with Storage Groups
• Conflicting Minifilter driver
  – DLP software
  – Be aware of app altitude
  – More info from Microsoft
    • http://bit.ly/2tSCdG5

ADSI Edit – Static Configuration Editing

ADSI Edit – Common Key Values to Inspect
• pae-DisplayName
  – VM name as displayed in View Admin
• pae-DirtyForNewSessions
  – Indicates whether the VM is "Dirty" and can be re-used in a non-persistent pool
• pae-SVIVMSnapshot
  – Indicates the current Snapshot that is in use
• pae-VmPath
  – Indicates the full Path to the VM in vCenter
• pae-VmState
  – Indicates the current state of the Desktop – some states are a combination of this value and other values

ADSI Edit – Searching for a Desktop
• Find VMs with a Snapshot
  – (&(objectClass=pae-VM)(pae-SVIVmSnapshot=BaselineSnapshot1Snapshot2))
• Find VMs with a Name
  – (&(objectClass=pae-VM)(pae-DisplayName=Desktop-234))

Horizon View Event Notifier
• On the VMware Fling site - labs.vmware.com/flings (chrishalstead)

SSL Certificates and vCenter Server Connection
Accept vCenter Certificate
• By default, certificate validation is required between App Volumes Manager and vSphere
• Accept vCenter cert (self-signed or CA-signed) while creating the Machine Manager in App Volumes Manager
• No custom certificate work required

Certificate Options for Production
Options to Enable SSL
• SSL is enabled by default
• Don't disable certificate validation during Agent installation
• Enable SSL in the registry after App Volumes Agent install
Enable Certificate Validation on the App Volumes Agent
HKLM\System\CurrentControlSet\Services\svservices\Parameters
• EnforceSSLCertificateValidation = 1
• SSL = 1

Certificate Options for a POC
• Options to Disable SSL
• Disable Certificate Validation with App Volumes Manager during App Volumes Agent install
• EnforceSSLCertificateValidation in the registry after App Volumes Agent install
Disable SSL Certificate Validation on the Agent
HKLM\System\CurrentControlSet\Services\svservices\Parameters
• EnforceSSLCertificateValidation = 0

SSL Certificates and SQL Server Communication
Securing Communications Between App Volumes Manager and SQL Server
• 2.12 User Guide references MS Support
• Note the differences for a SQL Server clustered installation
• Encryption is configured on the SQL Server instance, so all databases on a shared SQL Server will be affected
• From the SQL Server, use SQL Server Configuration Manager to configure Force Encryption and specify the SQL certificate
• SQL Server service account must have Read permissions to the Private Key of the SQL Server SSL certificate
  – Check SQL Server Configuration Manager > SQL Server Services > SQL Server (SQL) > Log On
  – Default is NT Service\MSSQL$SQL, which does not have the necessary permissions

SSL Certificates and SQL Server Communication
Setting Custom Private Key Permissions for SQL Service Account
• Start on the SQL Server
• MMC > Certificates

SSL Certificates and Load Balancers
Typical Deployment
  – SSL is terminated at load balancer
  – HTTP between LB and AV Manager
  – SSL between AV Agents and LB
  – If trusted CA-signed cert is used for LB, be sure all agents trust the CA
Alternative Deployment
  – To keep SSL between LB and AV Manager, signed AV Manager certificate(s) should be added to trust list of the LB
[Diagram labels: App Volumes Agent VMs, Load Balancer, App Volumes Manager VMs, SQL, View Infrastructure, "Now Secured with SSL Certificates"]

Desktop Not Available
What to look for… (walk through successful connection)
• Client requests desktop
  – Event Database: BROKER_DESKTOP_REQUEST
• Broker allocates session to user
  – [FarmImp] (SESSION7072--a79c) cn=3f974017-409f-4912-83bc-2ee794f22fab,ou=servers,dc=vdi,dc=vmware,dc=int total session count 0
  – [FarmImp] (SESSION7072--a79c) allocateNewSession - identified server for application CN=GOLD-NP,OU=Applications,DC=vdi,DC=vmware,DC=int
  – Event Database: BROKER_MACHINE_ALLOCATED
• Broker attempts SSO
  – [FarmImp] (SESSION7072--a79c) Using domain for SSO FUTUREOFFICE
  – User won't be logged on to the VM without this

Desktop Not Available
What to look for… Pool Provisioning
• Desktops not available due to provisioning error
  – Check View Administrator for Pool status, check datastore capacity
  – Check Event Database - BROKER_PROVISIONING_ERROR_
  – Check View Composer has network access to ESX hosts
• Desktop not available due to customization
  – Check Desktop status – AGENT UNAVAILABLE
  – Check View Dashboard
    • Desktop Status > Preparing Desktops OR Problem Desktops
  – Check Desktop connectivity to DNS/AD/Connection Server

Desktop Not Available
• Desktop not available due to VM reset/crash
  – Check Desktop status – ALREADY USED
  – Typical on refresh-on-logoff or delete-on-use desktops
  – Broker never received an explicit logout message from the agent
  – Missing AGENT_ENDED event in DB for VM
• View Composer Issues associated with incorrect domain credentials
  • C:\ProgramData\VMware\View Composer\Logs
  • FATAL CSvmGaService - [svmGaService.cpp 116] Domain join failed Error 5 (0x5) Access is denied

Desktop Not Available
What to look for…
• Broker starts session on VM
  – [DesktopSessionImp] (SESSION7072--a79c) startSession - sending StartSession message
• Agent responds…
  – "DesktopManager got a StartSession message"
  – Client Info should be in Agent Log along with PCoIP launch
• Event Database: AGENT_PENDING
• Client connects to VM (Agent)
  – "PCoIPCnxOnConnectionComplete Begin (PCOIP)"
  – "WTS_SESSION_LOGON"
  – Event Database: AGENT_CONNECTED

Desktop Source Not Available
Common Issues
• No Desktop Available
• Pool provisioning issues – customization
• Agent not communicating with broker
• Stuck at desktop login screen (SSO)

Desktop Source Not Available
Where to look
• Event Database
• Connection Server logs
What to look for
[SessionLaunchContext] (SESSION40a7__6cbd) VMWEUC\bsimpson Desktop=vmworld Session request failed
(SESSION40a7__6cbd) [VMWEUC\bsimpson Desktop=vmworld] (5ms) The following servers were blocked for new sessions [cn=5162cf76-8d8a-4ac0-9185-845a540d24e5,ou=servers,dc=vdi,dc=vmware,dc=int]
(SESSION40a7__6cbd) [VMWEUC\bsimpson Desktop=vmworld] (5ms) Application launch failed exception was The desktop sources for this desktop are not responding Please try again later
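The "what to look for" walk-throughs on the Horizon Connectivity Issues, Desktop Not Available and Desktop Source Not Available slides can be automated. The following is an added example, not code from the presenters or from VMware: a Python tracer that groups Connection Server log lines by session token and reports the last stage each session reached and any failure message. The sample lines are constructed, and the timestamp prefix and the `(SESSION:xxxx_***_yyyy)` token layout are assumptions modelled on the excerpts above.

```python
import re
from collections import OrderedDict

# Stages of a successful logon and desktop launch, in order. The component
# tags and message fragments are the ones quoted on the slides.
STAGES = [
    ("auth_attempt",  "WinAuthFilter",       "Attempting to authenticate"),
    ("authenticated", "AuthorizationFilter", "successfully authenticated"),
    ("allocated",     "FarmImp",             "allocateNewSession"),
    ("sso",           "FarmImp",             "Using domain for SSO"),
    ("start_session", "DesktopSessionImp",   "startSession"),
]
# Failure messages quoted on the "Desktop Source Not Available" slide.
FAILURES = [
    "Session request failed",
    "blocked for new sessions",
    "desktop sources for this desktop are not responding",
]
# Assumed token layout "(SESSION:xxxx_***_yyyy)". The optional colon and the
# "-" in the character class also accept the forms printed on the slides.
SESSION_RE = re.compile(r"\(SESSION:?(?P<sid>[0-9A-Fa-f_*\-]+)")

# Constructed sample lines (not taken from a real Connection Server).
SAMPLE_LOG = r"""
2017-08-28T10:00:01.100 DEBUG [SimpleAJPService] (ajp:broker:Request9) Request from /192.0.2.10: POST /broker/xml
2017-08-28T10:00:01.200 DEBUG [WinAuthFilter] (SESSION:a1b2_***_0001 alice) Attempting to authenticate user 'alice' in domain 'EXAMPLE'
2017-08-28T10:00:01.400 INFO  [AuthorizationFilter] (SESSION:a1b2_***_0001) User EXAMPLE\alice has successfully authenticated to VDM
2017-08-28T10:00:02.000 DEBUG [WinAuthFilter] (SESSION:c3d4_***_0002 bob) Attempting to authenticate user 'bob' in domain 'EXAMPLE'
2017-08-28T10:00:03.100 DEBUG [FarmImp] (SESSION:a1b2_***_0001) allocateNewSession - identified server for application CN=pool1,OU=Applications,DC=example,DC=int
2017-08-28T10:00:03.200 DEBUG [FarmImp] (SESSION:a1b2_***_0001) Using domain for SSO: EXAMPLE
2017-08-28T10:00:03.300 DEBUG [DesktopSessionImp] (SESSION:a1b2_***_0001) startSession - sending StartSession message
2017-08-28T10:00:04.000 DEBUG [WinAuthFilter] (SESSION:e5f6_***_0003 carol) Attempting to authenticate user 'carol' in domain 'EXAMPLE'
2017-08-28T10:00:04.100 INFO  [AuthorizationFilter] (SESSION:e5f6_***_0003) User EXAMPLE\carol has successfully authenticated to VDM
2017-08-28T10:00:05.000 INFO  [SessionLaunchContext] (SESSION:e5f6_***_0003) EXAMPLE\carol, Desktop=pool1: Session request failed
2017-08-28T10:00:05.005 DEBUG (SESSION:e5f6_***_0003) [EXAMPLE\carol, Desktop=pool1] (5ms) The following servers were blocked for new sessions: [cn=example-server,ou=servers,dc=example,dc=int]
2017-08-28T10:00:05.006 DEBUG (SESSION:e5f6_***_0003) [EXAMPLE\carol, Desktop=pool1] (5ms) Application launch failed, exception was: The desktop sources for this desktop are not responding. Please try again later.
""".strip()


def trace_sessions(lines):
    """Group log lines by session token; record stages seen and failure messages."""
    sessions = OrderedDict()
    for line in lines:
        match = SESSION_RE.search(line)
        if not match:
            continue  # e.g. the [SimpleAJPService] request line has no session token
        rec = sessions.setdefault(match.group("sid"), {"stages": [], "failures": []})
        for name, component, fragment in STAGES:
            if f"[{component}]" in line and fragment in line and name not in rec["stages"]:
                rec["stages"].append(name)
        for fragment in FAILURES:
            if fragment in line:
                rec["failures"].append(fragment)
    return sessions


def summarize(sessions):
    """Per session: status, last stage reached, and the first expected stage never seen."""
    order = [name for name, _, _ in STAGES]
    report = {}
    for sid, rec in sessions.items():
        reached = [name for name in order if name in rec["stages"]]
        missing = next((name for name in order if name not in rec["stages"]), None)
        if rec["failures"]:
            status = "failed"
        elif missing is None:
            status = "complete"
        else:
            status = "incomplete"
        report[sid] = {
            "status": status,
            "last_stage": reached[-1] if reached else None,
            "next_missing": missing,
            "failures": rec["failures"],
        }
    return report


if __name__ == "__main__":
    for sid, info in summarize(trace_sessions(SAMPLE_LOG.splitlines())).items():
        print(sid, info)
```

A session that stops at `auth_attempt` points to a logon failure at the broker; one that is `failed` after `authenticated` points to the desktop source, as on the last slide.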

Horizon

ADV1592BU CONFIDENTIAL 65

VMworld 2017 Content Not fo

r publication or distri

bution

Page 3: ADV1592BU Troubleshooting Your Horizon 7 Deployment … · Troubleshooting Your Horizon 7 Deployment VMworld 2017 ... (SCCM Toolkit) Horizon ... Troubleshooting Horizon

Top 6 Global Support Tickets

SSL Certificates CAs

PersonaUEM

App Volumes

Parent VM issues

PCoIPBlast Extreme Black Screens

Log Analysis

ADV1592BU CONFIDENTIAL 3

VMworld 2017 Content Not fo

r publication or distri

bution

1 Support Ticket to GSSCertificates

VMworld 2017 Content Not fo

r publication or distri

bution

Configuring Certificates for Horizon

bull Read the updated certificates guide httpbitly2uMhcRA

bull Replace self-signed certs on CS SS UAG Composer and vCenter

ndash Internal communications

bull Use SVIconfig for Composer server

bull Use Certificate Automation Tool for vCenter (vSphere 55)

bull Rename the self-signed generated certificate

Horizon

ADV1592BU CONFIDENTIAL 5

VMworld 2017 Content Not fo

r publication or distri

bution

Troubleshooting Certificates for Horizon

bull Key issues when creating certs from 3rd parties or CA

ndash Make sure compatibility level is Windows 2003

ndash Make sure key is exportable

bull Key issues when using your own Microsoft CA

ndash Make sure the Subject name is your DNS name

ndash Set DNS SubjectAltNames for DNS name including IP and localhost

bull Common symptoms of certificate issues

ndash Services fail to start after certificate replacement

ndash Default 404 page after certificate replacement

bull Most referenced KB articles for successful troubleshooting

ndash httpskbvmwarecomkb2032400

ndash httpskbvmwarecomkb2068666

Horizon

ADV1592BU CONFIDENTIAL 6

VMworld 2017 Content Not fo

r publication or distri

bution

Setting Subject Names and SANswith Microsoft Certificate Templates

Horizon

ADV1592BU CONFIDENTIAL 7

VMworld 2017 Content Not fo

r publication or distri

bution

Configuring Certificates for Unified Access Gateway

bull Replace the default self-signed certificate

bull Certificates that you import into the Unified Access Gateway appliance must be trusted by client machines

bull Must also be applicable to all instances of Unified Access Gateway and any load balancer

ndash Use either wildcards or Subject Alternative Name (SAN) certificates

bull Detailed instructions httpbitly2gN17VE

UnifiedAccess

Gateway

Unified Access Gateway

ADV1592BU CONFIDENTIAL 8

VMworld 2017 Content Not fo

r publication or distri

bution

Unified Access Gateway Certificate Deployment

bull Automate UAG deployment including trusted certificate

ndash Use OVF Tool or PowerShell

ndash Production-ready deployment in ~1 minute

ndash No longer requires PEM-formatted certificates

bull UAG 30 and above accepts PKCS12 (p12 or pfx) formatted certificates

ndash Guide to scripted deployment httpscommunitiesvmwarecomdocsDOC-30835

bull Includes sample INI and PS1 files

bull Includes troubleshooting examples

Simplifying and Troubleshooting

Unified Access Gateway

ADV1592BU CONFIDENTIAL 9

VMworld 2017 Content Not fo

r publication or distri

bution

Certificates with App Volumes Manager

Options to Enable SSL

bull Replace self-signed certificate on App Volumes Manager server with a cert trusted by App Volumes Agent VMs

bull User guide httpbitly2vlzgxX

bull Step-by-step blog with video httpbitly2ung7yE

Recommended for SSL

bull Use SSL for SQL Server Communication

bull Accept a CA-signed certificate from vCenter

Replace Self-Signed Cert with a CA-Signed Cert Trusted by the App Volumes Agent

App Volumes

ADV1592BU CONFIDENTIAL 10

VMworld 2017 Content Not fo

r publication or distri

bution

App Volumes Certificates

bull Certificate validation between App Volumes Manager and vCenter

bull Certificate validation for App Volumes Agent

ndash POC versus Production implementation

bull Secure communications between App Volumes and Microsoft SQL server

bull Applying certificates in load balanced configurations

11

Additional Considerations

App Volumes

VMworld 2017 Content Not fo

r publication or distri

bution

Avoiding Certificate Issues

ADV1592BU CONFIDENTIAL 12

Be Consistent with App Volumes Manager Name

VMworld 2017 Content Not fo

r publication or distri

bution

VMware Horizon Log Locations

Core

Infrastructure

Active

Directory

vCenter

Server

vRealize

Operations

Manager for

Horizon

Database

(SQL)

vSphere

vSAN

SaaS Mobile

Apps

Applications

(App Volumes)

VMware

Identity

Manager

User

Workspace

User

Environment

IT

Settings

User

Profile

End-Point Clients

VMware Horizon

RDS

Desktops amp Apps

Virtual Desktop Pools

Unified

Access

Gateway

Connection

Server

View

Composer

Logs can be collected fromhellip

Use KB1017939 for log locations and KB1025887 to change log levels

ADV1592BU CONFIDENTIAL 13

VMworld 2017 Content Not fo

r publication or distri

bution

VMware Unified Access Gateway (UAG) Logs

Log Files

bull Default log level is INFO

bull Adjust log level for debugging information

ndash Details of log levels and collecting log files httpbitly2ufqdAY

Monitoring

bull Monitor UAG services from the Admin UI

Unified Access Gateway

ADV1592BU CONFIDENTIAL 14

VMworld 2017 Content Not fo

r publication or distri

bution

App Volumes Logs

rdquoDJrdquo indicates

Manager

background

job

ldquoRrdquo indicates

dynamic Ruby

job

Log files are

now created

daily

bull Use Notepad++ to quickly group log entries by task

ADV1592BU CONFIDENTIAL 15

VMworld 2017 Content Not fo

r publication or distri

bution

User Environment Manager Logs

bull Configure debug logging for individual user

ndash httpskbvmwarecomkb2113514

Global and Individual Debug Logs

User Environment Manager

ADV1592BU CONFIDENTIAL 16

VMworld 2017 Content Not fo

r publication or distri

bution

Application Personalization amp DirectFlex

User Session

Profile Data Store (File Share)

Base

Profile

UEM

LogonImport of Keyboard

Mouse Wallpaper

Windows Settings

Application

LaunchImport of application

settings

Application

ShutdownExport of application

settings

UEM

LogoffExport of Keyboard

Mouse Wallpaper

Windows Settings

Time

User Environment Manager

CONFIDENTIAL

VMworld 2017 Content Not fo

r publication or distri

bution

DirectFlex LoggingUser Environment

Manager

ADV1592BU CONFIDENTIAL 18

VMworld 2017 Content Not fo

r publication or distri

bution

DirectFlex Import

Directflex Import

User Environment Manager

ADV1592BU CONFIDENTIAL 19

VMworld 2017 Content Not fo

r publication or distri

bution

DirectFlex Export

Directflex Export

User Environment Manager

ADV1592BU CONFIDENTIAL 20

VMworld 2017 Content Not fo

r publication or distri

bution

Tracking Sessions

bull Use TailGrep Utilities or Trace32 (SCCM Toolkit)

Horizon

ADV1592BU CONFIDENTIAL 21

VMworld 2017 Content Not fo

r publication or distri

bution

Demo ndash Log Monitoring with BareTailBareGrep

ADV1592BU CONFIDENTIAL 22

Horizon

VMworld 2017 Content Not fo

r publication or distri

bution

HorizonCommon Issues

VMworld 2017 Content Not fo

r publication or distri

bution

Troubleshooting Keys

bull Check Admin Dashboard or HelpDesk Tool

bull Understand client connection paths

bull Set the appropriate Logging Level

bull Check Logs and understand DCT Tool

bull Use kbvmwarecom or communities

ADV1592BU CONFIDENTIAL 24

Horizon

VMworld 2017 Content Not fo

r publication or distri

bution

Horizon Helpdesk ToolHorizon

ADV1592BU CONFIDENTIAL 25

VMworld 2017 Content Not fo

r publication or distri

bution

Horizon Helpdesk Tool Session Details

Access

bull Installed by default on CS

bull https[CS FQDN]helpdesk

bull Launch from Horizon Console

Provides

bull Metrics

bull Send Message

bull Remote Assistance

bull Quick Resolutionndash Restart

ndash Logoff

ndash Reset

ndash Disconnect

Horizon

ADV1592BU CONFIDENTIAL 26

VMworld 2017 Content Not fo

r publication or distri

bution

Horizon Helpdesk Tool

ADV1592BU CONFIDENTIAL 27

Measuring Impact of AppStacks

No AppStacks

Three AppStacks ndash VLC Notepad++ 7-Zip

Horizon

VMworld 2017 Content Not fo

r publication or distri

bution

Pool

Profile

Service AppsUser

Remoting

ProtocolUser Environment

Manager

File SharesPersona

ThinApp SharesStreamed

Apps

Master VMInstant

Clone

Home File SharesFolder

Redirection

App Volumes

AppStacks

Writable Volume

Disk

Attachments

vSphere

Virtual SAN

Instant Clone

SaaS Mobile Other Apps

Client(s)

Identity Manager

HTML

APPS

En

viro

nm

en

t

AD

DNS

DHCP

Group

Policy

Certs

vRealize Operations for Horizon ndash (Monitoring amp Mgt)

Identifying the Problem Domain

VMworld 2017 Content Not fo

r publication or distri

bution

Horizon Connectivity Issues

bull Common challenges

ndash Horizon Client canrsquot connect

ndash Logon failure

ndash Black screen

ndash Poor quality display

ndash Randomly disconnected session

Horizon

ADV1592BU CONFIDENTIAL 29

VMworld 2017 Content Not fo

r publication or distri

bution

Horizon

VMworld 2017 Content Not fo

r publication or distri

bution

Blast Extreme Adaptive TransportADMX Template Settings

Computer gt Policies gt Admin Templates gt VMware Blast gt UDP Protocol

bull Requires restart of Blast service or reboot of guest OS to take effect

BlastExtreme

ADV1592BU CONFIDENTIAL 31

VMworld 2017 Content Not fo

r publication or distri

bution

Blast Extreme Adaptive Transport

Client Settings Agent Settings (UDP) Blast Desktop Connection Broker Connection

Excellent Not configured or Enabled TCP TCP

Typical Not configured or Enabled UDP TCP

Poor Not configured or Enabled UDP UDP

Computer gt Policies gt Admin Templates gt VMware Blast gt UDP Protocol ndash Not Configured or Enabled

HKLMSOFTWAREPoliciesVMware IncVMware BlastConfig ndash UdpEnabled = 1

Client Settings Agent Settings (UDP) Blast Desktop Connection Broker Connection

Excellent Disabled TCP TCP

Typical Disabled TCP TCP

Poor Disabled TCP UDP

Computer gt Policies gt Admin Templates gt VMware Blast gt UDP Protocol ndash Disabled

HKLMSOFTWAREPoliciesVMware IncVMware BlastConfig ndash UdpEnabled = 0

BlastExtreme

ADV1592BU CONFIDENTIAL 32

VMworld 2017 Content Not fo

r publication or distri

bution

Horizon Connectivity Issues

bull Where to look

ndash Connection Broker logs

bull CProgramDataVMwareVDMlogs

ndash Event Database

ndash DCT Tool

bull What to look for ndash

bull (Client connects) [SimpleAJPService] (ajpbrokerRequest9) Request from 19216821 POST brokerxml

bull (Broker authentication) [WinAuthFilter] (SESSION7072--a79c mattc) Attempting to authenticate user mattc in domain FUTUREOFFICErsquo

bull (User has authenticated to Broker) [AuthorizationFilter] (SESSION7072--a79c) User FUTUREOFFICEmattc has successfully authenticated to VDM

bull (Audit Entry) [Audit] (SESSION7072--a79c) BROKER_LOGONUSERFUTUREOFFICEmattcUSERSIDS-1-5-21-326850759-2560684469-1780228732-1113USERDNCN=S-1-5-21-326850759-2560684469-1780228732-1113CN=ForeignSecurityPrincipalsDC=vdiDC=vmwareDC=int

bull Event Database BROKER_USERLOGGEDIN

Horizon

ADV1592BU CONFIDENTIAL 33

VMworld 2017 Content Not fo

r publication or distri

bution

User Experience Issues

bull Black screen of deathmdashinstead of desktop

ndash PCoIP port blocked (TCP and UDP 4172) or SVGA Driver issue

ndash pcoip_serverclient logs - CUsersAll UsersVMwareVDMlogs

bull Error attaching to SVGADevTap error 4000 EscapeFailed

bull MGMT_SCHAN scnet_client_open tera_sock_connect returned error 10060 - Connection timed out

ndash Incorrect PCoIP External URL configured for SecurityConnection Servers

Horizon

ADV1592BU CONFIDENTIAL 34

VMworld 2017 Content Not fo

r publication or distri

bution

User Experience Issues

bull Poor quality display

ndash Bandwidth latency or QoS

ndash Pcoip_server logs report

bull VGMAC Stat frms Loss=045021 (RT)

bull MGMT_PCOIP_DATA BW Decrease (loss) old = 2349982 new = 1768438

bull Randomly disconnected session

ndash 15 min after established - wssm process hasnt started on desktop

ndash View Agent logs (ltDriveLettergtProgramDataVMwareVDMlogs)

ndash PENDING_EXPIRED

ndash Sometimes caused by daisy-chaining the GINA (WinXP)

Horizon

ADV1592BU CONFIDENTIAL 35

VMworld 2017 Content Not fo

r publication or distri

bution

Multi-VLAN support for Instant Clone poolsTips to Avoid Deployment Issues

Support

bull vSphere 2016

bull ESXi 60 U1 or newer

bull Virtual Distributed Switch only

ndash No support for Standard Switch

bull Port Group must be configured for Static Port Binding amp Fixed Port Allocation

ndash No support for Dynamic or Ephemeral

Tested Limits

bull No multi-VLAN provisioning with IPv6

bull Single IC pool of 2K VMs

Horizon

ADV1592BU CONFIDENTIAL 36

VMworld 2017 Content Not fo

r publication or distri

bution

Multi-VLAN with Horizon Instant ClonesTroubleshooting

Horizon

ADV1592BU CONFIDENTIAL 37

VMworld 2017 Content Not fo

r publication or distri

bution

Desktop Performance

bull Common Issues

ndash Storage IO bottleneck

ndash Memory contention

ndash CPU contention

ndash Network issues

bull Where to look

ndash vCenter Server

ndash VCOPs

ndash ESXTOP

ndash 3rd Party Tools

Horizon

ADV1592BU CONFIDENTIAL 38

VMworld 2017 Content Not fo

r publication or distri

bution

The 3 Pillars of Performance

What to look for

bull CPU

ndash ClusterHost utilization lt 90

ndash VM utilization - USED (ESXTOP)

ndash VM RDY Time (ESXTOP) lt 10

bull Memory

ndash Host utilization lt 85

ndash VM utilization

ndash Swapping Ballooning SWCUR gt 1 MCTLSZ gt 1 (ESXTOP)

bull Storage

ndash Disk Read Latency lt 25ms

ndash ESXTOP DAVG or KAVG lt 25ms (ESXTOP)

Horizon

ADV1592BU CONFIDENTIAL 39

VMworld 2017 Content Not fo

r publication or distri

bution

Optimize Your Images

• https://labs.vmware.com/flings/vmware-os-optimization-tool


User Environment Manager: Common Issues


FlexEngine Appears Not To Run

FlexEngine Client

• Requires use of Regedit.exe or Reg.exe to modify user-based registry keys
• Must not be disabled via Local or Group Policy

ADMX Settings
• Minimum settings to enable FlexEngine Client
• Check path


Path-Based Import Runs Slow

• Be careful not to run FlexEngine as both a logon script and a Group Policy client-side extension


Application Incompatibility with Hook Drivers (User Environment Manager)

DirectFlex Blacklist
• Create <FlexRepository>\DirectFlexBlackList.XML
• Populate as follows:

    <?xml version="1.0" encoding="utf-8"?>
    <userEnvironmentSettings>
      <setting type="blacklist" list="1.exe|2.exe|3.exe" />
    </userEnvironmentSettings>

• Example: https://kb.vmware.com/kb/2145287


App Volumes: Common Issues


Slow User Logon

• Check Logon Segments in Horizon to determine where the delay is
• Optimize clock.yml
  – If performance decreases as deployment scales
  – Increasing servers, workers and thread_pool requires additional CPU and RAM
  – Involve GSS to ensure optimal settings


AppStack Not Attaching at Logon


• One host in vSphere cluster does not have access to the shared datastore where the AppStack resides
  – Common oversight, especially with Storage Groups
• Conflicting Minifilter driver
  – DLP software
  – Be aware of app altitude
  – More info from Microsoft
    • http://bit.ly/2tSCdG5

ADSI Edit – Static Configuration Editing


ADSI Edit – Common Key Values to Inspect

• pae-DisplayName
  – VM name as displayed in View Admin
• pae-DirtyForNewSessions
  – Indicates whether the VM is “Dirty” and can be re-used in a non-persistent pool
• pae-SVIVMSnapshot
  – Indicates the current Snapshot that is in use
• pae-VmPath
  – Indicates the full Path to the VM in vCenter
• pae-VmState
  – Indicates the current state of the Desktop – some states are a combination of this value and other values


ADSI Edit – Searching for a Desktop

• Find VMs with a Snapshot
  – (&(objectClass=pae-VM)(pae-SVIVmSnapshot=BaselineSnapshot1Snapshot2))
• Find VMs with a Name
  – (&(objectClass=pae-VM)(pae-DisplayName=Desktop-234))


Horizon View Event Notifier

• On the VMware Fling site - labs.vmware.com/flings (chrishalstead)


SSL Certificates and vCenter Server Connection

Accept vCenter Certificate

• By default, certificate validation is required between App Volumes Manager and vSphere
• Accept vCenter cert (self-signed or CA-signed) while creating the Machine Manager in App Volumes Manager
• No custom certificate work required


Certificate Options for Production

Options to Enable SSL

• SSL is enabled by default
• Don't disable certificate validation during Agent installation
• Enable SSL in the registry after App Volumes Agent install


Enable Certificate Validation on the App Volumes Agent

HKLM\System\CurrentControlSet\Services\svservice\Parameters
• EnforceSSLCertificateValidation = 1
• SSL = 1


Certificate Options for a POC

• Options to Disable SSL
• Disable Certificate Validation with App Volumes Manager during App Volumes Agent install
• EnforceSSLCertificateValidation in the registry after App Volumes Agent install


Disable SSL Certificate Validation on the Agent

HKLM\System\CurrentControlSet\Services\svservice\Parameters
• EnforceSSLCertificateValidation = 0
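A POC agent image that is promoted to production keeps the relaxed setting, so it is worth auditing the two registry values named on the production and POC slides. The following is an added example, not part of the presentation or of App Volumes: it parses `reg query` output collected from agent VMs and reports every machine that deviates from the production values. The host names, the sample output and the REG_DWORD type are constructed assumptions.

```python
import re

# Value names as shown on the slides; production agents should have both set to 1.
EXPECTED = {"EnforceSSLCertificateValidation": 1, "SSL": 1}

# A value line in `reg query` output: indented name, type, single-token data.
VALUE_RE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s+(\S+)\s*$")


def parse_reg_query(text):
    """Return {value_name: int} for every REG_DWORD value in `reg query` output."""
    values = {}
    for line in text.splitlines():
        match = VALUE_RE.match(line)
        if match and match.group(2) == "REG_DWORD":
            values[match.group(1)] = int(match.group(3), 16)  # data looks like 0x1
    return values


def audit_agent(text):
    """Return the findings for one agent; an empty list means it matches EXPECTED."""
    values = parse_reg_query(text)
    findings = []
    for name, wanted in EXPECTED.items():
        if name not in values:
            # Absent value: the installer choice applies, so it needs a manual check.
            findings.append(f"{name} not set")
        elif values[name] != wanted:
            findings.append(f"{name} = {values[name]}, expected {wanted}")
    return findings


def audit_fleet(outputs):
    """Map host name -> findings, listing only the hosts that have findings."""
    report = {}
    for host, text in outputs.items():
        findings = audit_agent(text)
        if findings:
            report[host] = findings
    return report


# Constructed sample: `reg query` output as it could be collected from three agents.
SAMPLE_OUTPUTS = {
    "vdi-prod-01": r"""
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\svservice\Parameters
    EnforceSSLCertificateValidation    REG_DWORD    0x1
    SSL    REG_DWORD    0x1
""",
    "vdi-poc-07": r"""
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\svservice\Parameters
    EnforceSSLCertificateValidation    REG_DWORD    0x0
    SSL    REG_DWORD    0x1
""",
    "vdi-prod-02": r"""
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\svservice\Parameters
    SomeOtherValue    REG_SZ    placeholder
""",
}

if __name__ == "__main__":
    for host, findings in audit_fleet(SAMPLE_OUTPUTS).items():
        print(host, "->", "; ".join(findings))
```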


SSL Certificates and SQL Server Communication
Securing Communications Between App Volumes Manager and SQL Server

• 2.12 User Guide references MS Support
• Note the differences for a SQL Server clustered installation
• Encryption is configured on the SQL Server instance, so all databases on a shared SQL Server will be affected
• From the SQL Server, use SQL Server Configuration Manager to configure Force Encryption and specify the SQL certificate

SQL Server service account must have Read permissions to the Private Key of the SQL Server SSL certificate
  – Check SQL Server Configuration Manager > SQL Server Services > SQL Server (SQL) > Log On
  – Default is NT Service\MSSQL$SQL, which does not have the necessary permissions


SSL Certificates and SQL Server Communication

• Start on the SQL Server
• MMC > Certificates


Setting Custom Private Key Permissions for SQL Service Account


SSL Certificates and Load Balancers


Typical Deployment
  – SSL is terminated at load balancer
  – HTTP between LB and AV Manager
  – SSL between AV Agents and LB
  – If trusted CA-signed cert is used for LB, be sure all agents trust the CA

Alternative Deployment
  – To keep SSL between LB and AV Manager, signed AV Manager certificate(s) should be added to trust list of the LB

[Diagram labels: App Volumes Agent VMs, Load Balancer, App Volumes Manager VMs, SQL, View Infrastructure, “Now Secured with SSL Certificates”]


Desktop Not Available

What to look for… (walk through successful connection)

• Client requests desktop
  – Event Database: BROKER_DESKTOP_REQUEST
• Broker allocates session to user
  – [FarmImp] (SESSION7072--a79c) cn=3f974017-409f-4912-83bc-2ee794f22fab,ou=servers,dc=vdi,dc=vmware,dc=int total session count 0
  – [FarmImp] (SESSION7072--a79c) allocateNewSession - identified server for application CN=GOLD-NP,OU=Applications,DC=vdi,DC=vmware,DC=int
  – Event Database: BROKER_MACHINE_ALLOCATED
• Broker attempts SSO
  – [FarmImp] (SESSION7072--a79c) Using domain for SSO FUTUREOFFICE
  – User won't be logged on to the VM without this


Desktop Not Available

What to look for… Pool Provisioning

• Desktops not available due to provisioning error
  – Check View Administrator for Pool status, check datastore capacity
  – Check Event Database - BROKER_PROVISIONING_ERROR_
  – Check View Composer has network access to ESX hosts
• Desktop not available due to customization
  – Check Desktop status – AGENT UNAVAILABLE
  – Check View Dashboard
    • Desktop Status > Preparing Desktops OR Problem Desktops
  – Check Desktop connectivity to DNS/AD/Connection Server


Desktop Not Available

• Desktop not available due to VM reset/crash
  – Check Desktop status – ALREADY USED
  – Typical on refresh-on-logoff or delete-on-use desktops
  – Broker never received an explicit logout message from the agent
  – Missing AGENT_ENDED event in DB for VM
• View Composer issues associated with incorrect domain credentials
  • C:\ProgramData\VMware\View Composer\Logs
  • FATAL CSvmGaService - [svmGaService.cpp 116] Domain join failed Error 5 (0x5) Access is denied


Desktop Not Available

What to look for…

• Broker starts session on VM
  – [DesktopSessionImp] (SESSION7072--a79c) startSession – sending StartSession message
• Agent responds…
  – “DesktopManager got a StartSession message”
  – Client Info should be in Agent Log along with PCoIP launch
• Event Database: AGENT_PENDING
• Client connects to VM (Agent)
  – “PCoIPCnxOnConnectionComplete Begin (PCOIP)”
  – “WTS_SESSION_LOGON”
  – Event Database: AGENT_CONNECTED
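The successful-connection walk-through on the "Desktop Not Available" slides can be turned into a check that reports how far a given attempt got. The following is an added example, not part of the presentation or of Horizon: it looks for the markers the slides list, in order, and names the furthest milestone reached and the next one expected. The `(SESSION:<id>)` tag format and all sample lines are constructed assumptions; agent-log and Event Database lines must already be scoped to the desktop and time window in question.

```python
import re

# Milestones of a successful connection, in order, each with the log or
# Event Database markers the slides give for it.
STAGES = [
    ("client requests desktop", ("BROKER_DESKTOP_REQUEST",)),
    ("broker allocates session", ("allocateNewSession", "BROKER_MACHINE_ALLOCATED")),
    ("broker attempts SSO", ("Using domain for SSO",)),
    ("broker starts session on VM", ("sending StartSession message",)),
    ("agent responds", ("got a StartSession message", "AGENT_PENDING")),
    ("client connects to VM",
     ("PCoIPCnxOnConnectionComplete", "WTS_SESSION_LOGON", "AGENT_CONNECTED")),
]

# Assumed tag format; the extracted slides show it without punctuation.
SESSION_RE = re.compile(r"\(SESSION:([^)]+)\)")


def trace_connection(broker_lines, session, scoped_lines=()):
    """Report the furthest milestone seen for one session.

    broker_lines: Connection Server log lines, possibly from many sessions;
                  only lines tagged with `session` are considered.
    scoped_lines: agent-log / Event Database lines already limited to the
                  desktop and time window of this attempt (they carry no tag).
    """
    own = []
    for line in broker_lines:
        match = SESSION_RE.search(line)
        if match and match.group(1) == session:
            own.append(line)

    seen = set()
    for line in own + list(scoped_lines):
        for index, (_, markers) in enumerate(STAGES):
            if any(marker in line for marker in markers):
                seen.add(index)

    if not seen:
        return {"furthest": None, "next_expected": STAGES[0][0], "gaps": []}
    last = max(seen)
    return {
        "furthest": STAGES[last][0],
        "next_expected": STAGES[last + 1][0] if last + 1 < len(STAGES) else None,
        # Earlier milestones with no evidence, e.g. because a source is missing.
        "gaps": [STAGES[i][0] for i in range(last) if i not in seen],
    }


# Constructed sample: two sessions interleaved in the broker log.
BROKER_LOG = [
    "[FarmImp] (SESSION:7072_a79c) allocateNewSession - identified server for application CN=GOLD-NP",
    "[FarmImp] (SESSION:40a7_6cbd) allocateNewSession - identified server for application CN=vmworld",
    "[FarmImp] (SESSION:7072_a79c) Using domain for SSO FUTUREOFFICE",
    "[DesktopSessionImp] (SESSION:7072_a79c) startSession - sending StartSession message",
    "[SessionLaunchContext] (SESSION:40a7_6cbd) Session request failed",
]
# Constructed sample: agent log and Event Database rows for session 7072_a79c only.
SCOPED = [
    "Event Database: BROKER_DESKTOP_REQUEST",
    "Event Database: BROKER_MACHINE_ALLOCATED",
    "DesktopManager got a StartSession message",
    "Event Database: AGENT_PENDING",
]

if __name__ == "__main__":
    print(trace_connection(BROKER_LOG, "7072_a79c", SCOPED))
    print(trace_connection(BROKER_LOG, "40a7_6cbd"))
```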


Desktop Source Not Available

Common Issues

• No Desktop Available
• Pool provisioning issues – customization
• Agent not communicating with broker
• Stuck at desktop login screen (SSO)


Desktop Source Not Available

Where to look

• Event Database
• Connection Server logs

What to look for

[SessionLaunchContext] (SESSION40a7__6cbd) VMWEUC\bsimpson Desktop=vmworld Session request failed

(SESSION40a7__6cbd) [VMWEUC\bsimpson Desktop=vmworld] (5ms) The following servers were blocked for new sessions [cn=5162cf76-8d8a-4ac0-9185-845a540d24e5,ou=servers,dc=vdi,dc=vmware,dc=int]

(SESSION40a7__6cbd) [VMWEUC\bsimpson Desktop=vmworld] (5ms) Application launch failed exception was The desktop sources for this desktop are not responding Please try again later


#1 Support Ticket to GSS: Certificates


Configuring Certificates for Horizon

• Read the updated certificates guide: http://bit.ly/2uMhcRA
• Replace self-signed certs on CS, SS, UAG, Composer and vCenter
  – Internal communications
• Use SVIconfig for Composer server
• Use Certificate Automation Tool for vCenter (vSphere 5.5)
• Rename the self-signed generated certificate


Troubleshooting Certificates for Horizon

• Key issues when creating certs from 3rd parties or CA
  – Make sure compatibility level is Windows 2003
  – Make sure key is exportable
• Key issues when using your own Microsoft CA
  – Make sure the Subject name is your DNS name
  – Set DNS SubjectAltNames for DNS name, including IP and localhost
• Common symptoms of certificate issues
  – Services fail to start after certificate replacement
  – Default 404 page after certificate replacement
• Most referenced KB articles for successful troubleshooting
  – https://kb.vmware.com/kb/2032400
  – https://kb.vmware.com/kb/2068666


Setting Subject Names and SANs with Microsoft Certificate Templates


Configuring Certificates for Unified Access Gateway

• Replace the default self-signed certificate
• Certificates that you import into the Unified Access Gateway appliance must be trusted by client machines
• Must also be applicable to all instances of Unified Access Gateway and any load balancer
  – Use either wildcards or Subject Alternative Name (SAN) certificates
• Detailed instructions: http://bit.ly/2gN17VE


Unified Access Gateway Certificate Deployment
Simplifying and Troubleshooting

• Automate UAG deployment including trusted certificate
  – Use OVF Tool or PowerShell
  – Production-ready deployment in ~1 minute
  – No longer requires PEM-formatted certificates
    • UAG 3.0 and above accepts PKCS12 (.p12 or .pfx) formatted certificates
  – Guide to scripted deployment: https://communities.vmware.com/docs/DOC-30835
    • Includes sample INI and PS1 files
    • Includes troubleshooting examples


Certificates with App Volumes Manager
Replace Self-Signed Cert with a CA-Signed Cert Trusted by the App Volumes Agent

Options to Enable SSL
• Replace self-signed certificate on App Volumes Manager server with a cert trusted by App Volumes Agent VMs
• User guide: http://bit.ly/2vlzgxX
• Step-by-step blog with video: http://bit.ly/2ung7yE

Recommended for SSL
• Use SSL for SQL Server Communication
• Accept a CA-signed certificate from vCenter


App Volumes Certificates
Additional Considerations

• Certificate validation between App Volumes Manager and vCenter
• Certificate validation for App Volumes Agent
  – POC versus Production implementation
• Secure communications between App Volumes and Microsoft SQL server
• Applying certificates in load balanced configurations


Avoiding Certificate Issues


Be Consistent with App Volumes Manager Name


VMware Horizon Log Locations

Logs can be collected from…

[Architecture diagram labels: Core Infrastructure; Active Directory; vCenter Server; vRealize Operations Manager for Horizon; Database (SQL); vSphere; vSAN; SaaS Mobile Apps; Applications (App Volumes); VMware Identity Manager; User Workspace; User Environment; IT Settings; User Profile; End-Point Clients; VMware Horizon; RDS Desktops & Apps; Virtual Desktop Pools; Unified Access Gateway; Connection Server; View Composer]

Use KB1017939 for log locations and KB1025887 to change log levels


VMware Unified Access Gateway (UAG) Logs

Log Files

• Default log level is INFO
• Adjust log level for debugging information
  – Details of log levels and collecting log files: http://bit.ly/2ufqdAY

Monitoring
• Monitor UAG services from the Admin UI


App Volumes Logs

• “DJ” indicates Manager background job
• “R” indicates dynamic Ruby job
• Log files are now created daily
• Use Notepad++ to quickly group log entries by task


User Environment Manager Logs

Global and Individual Debug Logs
• Configure debug logging for individual user
  – https://kb.vmware.com/kb/2113514


Application Personalization & DirectFlex

[Timeline diagram labels: User Session; Profile Data Store (File Share); Base Profile; UEM Logon: import of keyboard, mouse, wallpaper and Windows settings; Application Launch: import of application settings; Application Shutdown: export of application settings; UEM Logoff: export of keyboard, mouse, wallpaper and Windows settings; Time]


DirectFlex Logging (User Environment Manager)


DirectFlex Import


DirectFlex Export


Tracking Sessions

• Use Tail/Grep Utilities or Trace32 (SCCM Toolkit)


Demo – Log Monitoring with BareTail/BareGrep


Horizon: Common Issues


Troubleshooting Keys

• Check Admin Dashboard or HelpDesk Tool
• Understand client connection paths
• Set the appropriate Logging Level
• Check Logs and understand DCT Tool
• Use kb.vmware.com or communities


Horizon Helpdesk Tool


Horizon Helpdesk Tool Session Details

Access

• Installed by default on CS
• https://[CS FQDN]/helpdesk
• Launch from Horizon Console

Provides
• Metrics
• Send Message
• Remote Assistance
• Quick Resolution
  – Restart
  – Logoff
  – Reset
  – Disconnect


Horizon Helpdesk Tool


Measuring Impact of AppStacks

No AppStacks

Three AppStacks – VLC, Notepad++, 7-Zip


Identifying the Problem Domain

[Diagram labels: Pool; Profile; Service; Apps; User; Remoting Protocol; User Environment Manager; File Shares; Persona; ThinApp Shares; Streamed Apps; Master VM; Instant Clone; Home File Shares; Folder Redirection; App Volumes; AppStacks; Writable Volume; Disk Attachments; vSphere; Virtual SAN; SaaS Mobile Other Apps; Client(s); Identity Manager; HTML Apps; Environment: AD, DNS, DHCP, Group Policy, Certs; vRealize Operations for Horizon – (Monitoring & Mgt)]


Horizon Connectivity Issues

• Common challenges
  – Horizon Client can't connect
  – Logon failure
  – Black screen
  – Poor quality display
  – Randomly disconnected session


Blast Extreme Adaptive Transport: ADMX Template Settings

Computer > Policies > Admin Templates > VMware Blast > UDP Protocol
• Requires restart of Blast service or reboot of guest OS to take effect


Blast Extreme Adaptive Transport

Client Settings | Agent Settings (UDP)      | Blast Desktop Connection | Broker Connection
Excellent       | Not configured or Enabled | TCP                      | TCP
Typical         | Not configured or Enabled | UDP                      | TCP
Poor            | Not configured or Enabled | UDP                      | UDP

Computer > Policies > Admin Templates > VMware Blast > UDP Protocol – Not Configured or Enabled
HKLM\SOFTWARE\Policies\VMware, Inc.\VMware Blast\Config – UdpEnabled = 1

Client Settings | Agent Settings (UDP) | Blast Desktop Connection | Broker Connection
Excellent       | Disabled             | TCP                      | TCP
Typical         | Disabled             | TCP                      | TCP
Poor            | Disabled             | TCP                      | UDP

Computer > Policies > Admin Templates > VMware Blast > UDP Protocol – Disabled
HKLM\SOFTWARE\Policies\VMware, Inc.\VMware Blast\Config – UdpEnabled = 0


Horizon Connectivity Issues

• Where to look
  – Connection Broker logs
    • C:\ProgramData\VMware\VDM\logs
  – Event Database
  – DCT Tool
• What to look for
  • (Client connects) [SimpleAJPService] (ajpbrokerRequest9) Request from 19216821 POST brokerxml
  • (Broker authentication) [WinAuthFilter] (SESSION7072--a79c mattc) Attempting to authenticate user mattc in domain FUTUREOFFICE
  • (User has authenticated to Broker) [AuthorizationFilter] (SESSION7072--a79c) User FUTUREOFFICE\mattc has successfully authenticated to VDM
  • (Audit Entry) [Audit] (SESSION7072--a79c) BROKER_LOGON:USER:FUTUREOFFICE\mattc;USERSID:S-1-5-21-326850759-2560684469-1780228732-1113;USERDN:CN=S-1-5-21-326850759-2560684469-1780228732-1113,CN=ForeignSecurityPrincipals,DC=vdi,DC=vmware,DC=int
  • Event Database: BROKER_USERLOGGEDIN


User Experience Issues

• Black screen of death – instead of desktop
  – PCoIP port blocked (TCP and UDP 4172) or SVGA Driver issue
  – pcoip_server/client logs - C:\Users\All Users\VMware\VDM\logs
    • Error attaching to SVGADevTap error 4000 EscapeFailed
    • MGMT_SCHAN scnet_client_open tera_sock_connect returned error 10060 - Connection timed out
  – Incorrect PCoIP External URL configured for Security/Connection Servers


User Experience Issues

bull Poor quality display

ndash Bandwidth latency or QoS

ndash Pcoip_server logs report

bull VGMAC Stat frms Loss=045021 (RT)

bull MGMT_PCOIP_DATA BW Decrease (loss) old = 2349982 new = 1768438

bull Randomly disconnected session

ndash 15 min after established - wssm process hasnt started on desktop

ndash View Agent logs (ltDriveLettergtProgramDataVMwareVDMlogs)

ndash PENDING_EXPIRED

ndash Sometimes caused by daisy-chaining the GINA (WinXP)

Horizon

ADV1592BU CONFIDENTIAL 35

VMworld 2017 Content Not fo

r publication or distri

bution

Multi-VLAN support for Instant Clone poolsTips to Avoid Deployment Issues

Support

bull vSphere 2016

bull ESXi 60 U1 or newer

bull Virtual Distributed Switch only

ndash No support for Standard Switch

bull Port Group must be configured for Static Port Binding amp Fixed Port Allocation

ndash No support for Dynamic or Ephemeral

Tested Limits

bull No multi-VLAN provisioning with IPv6

bull Single IC pool of 2K VMs

Horizon

ADV1592BU CONFIDENTIAL 36

VMworld 2017 Content Not fo

r publication or distri

bution

Multi-VLAN with Horizon Instant ClonesTroubleshooting

Horizon

ADV1592BU CONFIDENTIAL 37

VMworld 2017 Content Not fo

r publication or distri

bution

Desktop Performance

bull Common Issues

ndash Storage IO bottleneck

ndash Memory contention

ndash CPU contention

ndash Network issues

bull Where to look

ndash vCenter Server

ndash VCOPs

ndash ESXTOP

ndash 3rd Party Tools

Horizon

ADV1592BU CONFIDENTIAL 38

VMworld 2017 Content Not fo

r publication or distri

bution

The 3 Pillars of Performance

What to look for

bull CPU

ndash ClusterHost utilization lt 90

ndash VM utilization - USED (ESXTOP)

ndash VM RDY Time (ESXTOP) lt 10

bull Memory

ndash Host utilization lt 85

ndash VM utilization

ndash Swapping Ballooning SWCUR gt 1 MCTLSZ gt 1 (ESXTOP)

bull Storage

ndash Disk Read Latency lt 25ms

ndash ESXTOP DAVG or KAVG lt 25ms (ESXTOP)

Horizon

ADV1592BU CONFIDENTIAL 39

VMworld 2017 Content Not fo

r publication or distri

bution

Optimize Your Images

bull httpslabsvmwarecomflingsvmware-os-optimization-tool

Horizon

ADV1592BU CONFIDENTIAL 40

VMworld 2017 Content Not fo

r publication or distri

bution

User Environment ManagerCommon Issues

VMworld 2017 Content Not fo

r publication or distri

bution

FlexEngine Appears Not To Run

FlexEngine Client

bull Requires use of Regeditexeor Regexe to modify user-based registry keys

bull Must not be disabled via Local or Group Policy

ADMX Settings

bull Minimum settings to enable FlexEngine Client

bull Check path

ADV1592BU CONFIDENTIAL 42

VMworld 2017 Content Not fo

r publication or distri

bution

Path-Based Import Runs Slow

bull Be careful not to run FlexEngine as a logon script and a Group Policy client-side extension

ADV1592BU CONFIDENTIAL 43

VMworld 2017 Content Not fo

r publication or distri

bution

Application Incompatibility with Hook DriversUser Environment

Manager

DirectFlex Blacklist

bull Create ltFlexRepositorygtDirectFlexBlackListXML

bull Populate as follows

ltxml version=10 encoding=utf-8gt

ltuserEnvironmentSettingsgt

ltsetting type=blacklist list=rdquo1exe|2exe|3exe gt

ltuserEnvironmentSettingsgt

bull Example httpskbvmwarecomkb2145287

ADV1592BU CONFIDENTIAL 44

VMworld 2017 Content Not fo

r publication or distri

bution

App VolumesCommon Issues

VMworld 2017 Content Not fo

r publication or distri

bution

Slow User Logon

bull Check Logon Segments in Horizon to determine where the delay is

bull Optimize clockyml

ndash If performance decreases as deployment scales

ndash Increasing servers workers and thread_poolrequires additional CPU and RAM

ndash Involve GSS to ensure optimal settings

ADV1592BU CONFIDENTIAL 46

VMworld 2017 Content Not fo

r publication or distri

bution

AppStack Not Attaching at Logon

ADV1592BU CONFIDENTIAL 47

bull One host in vSphere cluster does not have access to the shared datastore where the AppStack resides

ndash Common oversight especially with Storage Groups

bull Conflicting Minifilter driver

ndash DLP software

ndash Be aware of app altitude

ndash More info from Microsoft

bull httpbitly2tSCdG5VMworld 2017 Content Not fo

r publication or distri

bution

VMworld 2017 Content Not fo

r publication or distri

bution

VMworld 2017 Content Not fo

r publication or distri

bution

ADSI Edit ndash Static Configuration Editing

ADV1592BU CONFIDENTIAL 50

Horizon

VMworld 2017 Content Not fo

r publication or distri

bution

ADSI Edit ndash Common Key Values to Inspect

bull pae-DisplayName

ndash VM name as displayed in View Admin

bull pae-DirtyForNewSessions

ndash Indicates whether the VM is ldquoDirtyrdquo and can be re-used in a non-persistent pool

bull pae-SVIVMSnapshot

ndash Indicates the current Snapshot that is in use

bull pae-VmPath

ndash Indicates the full Path to the VM in vCenter

bull pae-VmState

ndash Indicates the current state of the Desktop ndash some states are a combination of this valueand other values

ADV1592BU CONFIDENTIAL 51

Horizon

VMworld 2017 Content Not fo

r publication or distri

bution

ADSI Edit ndash Searching for a Desktop

bull Find VMs with a Snapshot

ndash (amp(objectClass=pae-VM)(pae-SVIVmSnapshot=BaselineSnapshot1Snapshot2))

bull Find VMs with a Name

ndash (amp(objectClass=pae-VM)(pae-DisplayName=Desktop-234))

Horizon

ADV1592BU CONFIDENTIAL 52

VMworld 2017 Content Not fo

r publication or distri

bution

Horizon View Event Notifier

bull On the VMware Fling site - labsvmwarecomflings (chrishalstead)

Horizon

ADV1592BU CONFIDENTIAL 53

VMworld 2017 Content Not fo

r publication or distri

bution

SSL Certificates and vCenter Server Connection

Accept vCenter Certificate

bull By default certificate validation is required between App Volumes Manager and vSphere

bull Accept vCenter cert (self-signed or CA-signed) while creating the Machine Manager in App Volumes Manager

bull No custom certificate work required

App Volumes

ADV1592BU CONFIDENTIAL 54

VMworld 2017 Content Not fo

r publication or distri

bution

Certificate Options for Production

Options to Enable SSL

bull SSL is enabled by default

bull Donrsquot disable certificate validation during Agent installation

bull Enable SSL in the registry after App Volumes Agent install

ADV1592BU CONFIDENTIAL 55

Enable Certificate Validation on the App Volumes Agent

HKLMSystemCurrentControlSetServicessvservicesParametersbull EnforceSSLCertificateValidation = 1bull SSL = 1

App Volumes

VMworld 2017 Content Not fo

r publication or distri

bution

Certificate Options for a POC

bull Options to Disable SSL

bull Disable Certificate Validation with App Volumes Manager during App Volumes Agent install

bull EnforceSSLCertificateValidation in the registry after App Volumes Agent install

ADV1592BU CONFIDENTIAL 56

Disable SSL Certificate Validation on the Agent

HKLMSystemCurrentControlSetServicessvservicesParametersbull EnforceSSLCertificateValidation = 0

App Volumes

VMworld 2017 Content Not fo

r publication or distri

bution

SSL Certificates and SQL Server CommunicationSecuring Communications Between App Volumes Manager and SQL Server

bull 212 User Guide references MS Support

bull Note the differences for a SQL Server clustered installation

bull Encryption is configured on the SQL Server instance so alldatabases on a shared SQL Server will be affected

bull From the SQL Server use SQL Server Configuration Manager to configure Force Encryption and specify the SQL certificate

SQL Server service account must have Read permissions to the Private Key of the SQL Server SSL certificate

ndash Check SQL Server Configuration Manager gt SQL Server Services gt SQL Server (SQL) gt Log On

ndash Default is NT ServiceMSSQL$SQL which does not have the necessary permissions

App Volumes

ADV1592BU CONFIDENTIAL 57

VMworld 2017 Content Not fo

r publication or distri

bution

SSL Certificates and SQL Server Communication

bull Start on the SQL Server

bull MMC gt Certificates

ADV1592BU CONFIDENTIAL 58

Setting Custom Private Key Permissions for SQL Service Account

App Volumes

VMworld 2017 Content Not fo

r publication or distri

bution

SSL Certificates and Load Balancers

ADV1592BU CONFIDENTIAL 59

Typical Deployment

ndash SSL is terminated at load balancer

ndash HTTP between LB and AV Manager

ndash SSL between AV Agents and LB

ndash If trusted CA-signed cert is used for LB be sure all agents trust the CA

App Volumes Agent VMs

Load Balancer

App Volumes Manager VMs

Alternative Deployment

ndash To keep SSL between LB and AV Manager signed AV Manager certificate(s) should be added to trust list of the LB

SQLView Infrastructure

Now Secured withSSL Certificates

App Volumes

VMworld 2017 Content Not fo

r publication or distri

bution

Desktop Not Available

What to look forhellip (walk through successful connection)

bull Client requests desktop

ndash Event Database BROKER_DESKTOP_REQUEST

bull Broker allocates session to user

ndash [FarmImp] (SESSION7072--a79c) cn=3f974017-409f-4912-83bc-2ee794f22fabou=serversdc=vdidc=vmwaredc=int total session count 0

ndash [FarmImp] (SESSION7072--a79c) allocateNewSession - identified server for application CN=GOLD-NPOU=ApplicationsDC=vdiDC=vmwareDC=int

ndash Event Database BROKER_MACHINE_ALLOCATED

bull Broker attempts SSO

ndash [FarmImp] (SESSION7072--a79c) Using domain for SSO FUTUREOFFICE

ndash User wonrsquot be logged on to the VM without this

Horizon

ADV1592BU CONFIDENTIAL 60

VMworld 2017 Content Not fo

r publication or distri

bution

Desktop Not Available

What to look forhellip Pool Provisioning

bull Desktops not available due to provisioning error

ndash Check View Administrator for Pool status check datastore capacity

ndash Check Event Database - BROKER_PROVISIONING_ERROR_

ndash Check View Composer has network access to ESX hosts

bull Desktop not available due to customization

ndash Check Desktop status ndash AGENT UNAVAILABLE

ndash Check View Dashboard

bull Desktop Status gt Preparing Desktops OR Problem Desktops

ndash Check Desktop connectivity to DNSADConnection Server

Horizon


Desktop Not Available

• Desktop not available due to VM reset/crash
– Check Desktop status – ALREADY USED
– Typical on refresh-on-logoff or delete-on-use desktops
– Broker never received an explicit logout message from the agent
– Missing AGENT_ENDED event in DB for VM
• View Composer Issues associated with incorrect domain credentials
• C:\ProgramData\VMware\View Composer\Logs
• FATAL CSvmGaService - [svmGaService.cpp 116] Domain join failed Error 5 (0x5) Access is denied

Horizon


Desktop Not Available

What to look for…

• Broker starts session on VM
– [DesktopSessionImp] (SESSION7072--a79c) startSession – sending StartSession message
• Agent responds…
– "DesktopManager got a StartSession message"
– Client Info should be in Agent Log along with PCoIP launch
• Event Database: AGENT_PENDING
• Client connects to VM (Agent)
– "PCoIPCnxOnConnectionComplete Begin (PCOIP)"
– "WTS_SESSION_LOGON"
– Event Database: AGENT_CONNECTED

Horizon


Desktop Source Not Available

Common Issues

• No Desktop Available
• Pool provisioning issues – customization
• Agent not communicating with broker
• Stuck at desktop login screen (SSO)

Horizon


Desktop Source Not Available

Where to look

• Event Database
• Connection Server logs

What to look for

[SessionLaunchContext] (SESSION40a7__6cbd) VMWEUC\bsimpson Desktop=vmworld Session request failed

(SESSION40a7__6cbd) [VMWEUC\bsimpson Desktop=vmworld] (5ms) The following servers were blocked for new sessions [cn=5162cf76-8d8a-4ac0-9185-845a540d24e5,ou=servers,dc=vdi,dc=vmware,dc=int]

(SESSION40a7__6cbd) [VMWEUC\bsimpson Desktop=vmworld] (5ms) Application launch failed exception was The desktop sources for this desktop are not responding. Please try again later
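The log walk-through on these slides (broker authentication, allocation, SSO, StartSession, and the "desktop sources not responding" failure) can be scripted. The following is an added example, not part of the presentation: it groups Connection Server log lines by session tag and reports how far each launch got. The timestamps, session tags, third session and exact line layout in the sample are constructed assumptions; only the component names and message fragments come from the slides.

```python
import re

# Stages of a successful launch, in order, as (name, component tag, message fragment).
# Component tags and fragments are the ones quoted on the slides.
STAGES = [
    ("auth_attempt", "[WinAuthFilter]", "Attempting to authenticate user"),
    ("authenticated", "[AuthorizationFilter]", "has successfully authenticated"),
    ("allocated", "[FarmImp]", "allocateNewSession"),
    ("sso", "[FarmImp]", "Using domain for SSO"),
    ("start_session", "[DesktopSessionImp]", "startSession"),
]

# Failure signatures from the "Desktop Source Not Available" slide.
FAILURES = [
    "Session request failed",
    "were blocked for new sessions",
    "desktop sources for this desktop are not responding",
]

# Session tag inside parentheses; a user name may follow it after a space.
SESSION_RE = re.compile(r"\((SESSION[^\s)]*)")

# Constructed sample: one good launch, one failed launch, one that never reaches SSO.
SAMPLE_LOG = r"""
2017-08-28T10:00:00 DEBUG [SimpleAJPService] (ajp:broker:Request9) Request: POST /broker/xml
2017-08-28T10:00:01 DEBUG [WinAuthFilter] (SESSION:7072_a79c mattc) Attempting to authenticate user 'mattc' in domain 'FUTUREOFFICE'
2017-08-28T10:00:01 INFO [AuthorizationFilter] (SESSION:7072_a79c) User FUTUREOFFICE\mattc has successfully authenticated to VDM
2017-08-28T10:00:03 DEBUG [FarmImp] (SESSION:7072_a79c) allocateNewSession - identified server for application CN=GOLD-NP,OU=Applications,DC=vdi,DC=vmware,DC=int
2017-08-28T10:00:03 DEBUG [FarmImp] (SESSION:7072_a79c) Using domain for SSO FUTUREOFFICE
2017-08-28T10:00:04 DEBUG [DesktopSessionImp] (SESSION:7072_a79c) startSession - sending StartSession message
2017-08-28T10:05:00 DEBUG [WinAuthFilter] (SESSION:40a7_6cbd bsimpson) Attempting to authenticate user 'bsimpson' in domain 'VMWEUC'
2017-08-28T10:05:00 INFO [AuthorizationFilter] (SESSION:40a7_6cbd) User VMWEUC\bsimpson has successfully authenticated to VDM
2017-08-28T10:05:02 INFO [SessionLaunchContext] (SESSION:40a7_6cbd) VMWEUC\bsimpson Desktop=vmworld Session request failed
2017-08-28T10:05:02 DEBUG (SESSION:40a7_6cbd) [VMWEUC\bsimpson Desktop=vmworld] (5ms) The following servers were blocked for new sessions [cn=5162cf76-8d8a-4ac0-9185-845a540d24e5,ou=servers,dc=vdi,dc=vmware,dc=int]
2017-08-28T10:05:02 DEBUG (SESSION:40a7_6cbd) [VMWEUC\bsimpson Desktop=vmworld] (5ms) Application launch failed exception was The desktop sources for this desktop are not responding
2017-08-28T10:09:00 DEBUG [WinAuthFilter] (SESSION:9f11_c0de jdoe) Attempting to authenticate user 'jdoe' in domain 'FUTUREOFFICE'
2017-08-28T10:09:00 INFO [AuthorizationFilter] (SESSION:9f11_c0de) User FUTUREOFFICE\jdoe has successfully authenticated to VDM
2017-08-28T10:09:02 DEBUG [FarmImp] (SESSION:9f11_c0de) allocateNewSession - identified server for application CN=GOLD-NP,OU=Applications,DC=vdi,DC=vmware,DC=int
"""


def summarise(info):
    """Turn the raw per-session observations into a verdict."""
    order = [name for name, _, _ in STAGES]
    reached = [name for name in order if name in info["seen"]]
    first_missing = next((n for n in order if n not in info["seen"]), None)
    if info["failures"]:
        verdict = "failed"
    elif first_missing is None:
        verdict = "complete"
    else:
        verdict = "incomplete"
    return {
        "verdict": verdict,
        "last_stage": reached[-1] if reached else None,
        "first_missing": first_missing,
        "failures": info["failures"],
    }


def trace_sessions(lines):
    """Group log lines by session tag and report the stage each session reached."""
    sessions = {}
    for line in lines:
        match = SESSION_RE.search(line)
        if not match:
            continue  # e.g. the SimpleAJPService request line has no session tag
        info = sessions.setdefault(match.group(1), {"seen": set(), "failures": []})
        for name, component, fragment in STAGES:
            if component in line and fragment in line:
                info["seen"].add(name)
        for fragment in FAILURES:
            if fragment in line:
                info["failures"].append(fragment)
    return {sid: summarise(info) for sid, info in sessions.items()}


if __name__ == "__main__":
    for sid, result in trace_sessions(SAMPLE_LOG.strip().splitlines()).items():
        print(sid, result)
```

A session that stops before the SSO stage matches the slide's note that the user will not be logged on to the VM without it; Event Database events such as BROKER_MACHINE_ALLOCATED are stored separately and are not covered by this sketch.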

Horizon


Configuring Certificates for Horizon

• Read the updated certificates guide: http://bit.ly/2uMhcRA
• Replace self-signed certs on CS, SS, UAG, Composer, and vCenter
– Internal communications
• Use SVIconfig for Composer server
• Use Certificate Automation Tool for vCenter (vSphere 5.5)
• Rename the self-signed generated certificate

Horizon


Troubleshooting Certificates for Horizon

• Key issues when creating certs from 3rd parties or CA
– Make sure compatibility level is Windows 2003
– Make sure key is exportable
• Key issues when using your own Microsoft CA
– Make sure the Subject name is your DNS name
– Set DNS SubjectAltNames for DNS name including IP and localhost
• Common symptoms of certificate issues
– Services fail to start after certificate replacement
– Default 404 page after certificate replacement
• Most referenced KB articles for successful troubleshooting
– https://kb.vmware.com/kb/2032400
– https://kb.vmware.com/kb/2068666

Horizon


Setting Subject Names and SANs with Microsoft Certificate Templates

Horizon


Configuring Certificates for Unified Access Gateway

• Replace the default self-signed certificate
• Certificates that you import into the Unified Access Gateway appliance must be trusted by client machines
• Must also be applicable to all instances of Unified Access Gateway and any load balancer
– Use either wildcards or Subject Alternative Name (SAN) certificates
• Detailed instructions: http://bit.ly/2gN17VE

Unified Access Gateway


Unified Access Gateway Certificate Deployment

• Automate UAG deployment including trusted certificate
– Use OVF Tool or PowerShell
– Production-ready deployment in ~1 minute
– No longer requires PEM-formatted certificates
• UAG 3.0 and above accepts PKCS12 (.p12 or .pfx) formatted certificates
– Guide to scripted deployment: https://communities.vmware.com/docs/DOC-30835
• Includes sample INI and PS1 files
• Includes troubleshooting examples

Simplifying and Troubleshooting

Unified Access Gateway


Certificates with App Volumes Manager

Options to Enable SSL

• Replace self-signed certificate on App Volumes Manager server with a cert trusted by App Volumes Agent VMs
• User guide: http://bit.ly/2vlzgxX
• Step-by-step blog with video: http://bit.ly/2ung7yE

Recommended for SSL

• Use SSL for SQL Server Communication
• Accept a CA-signed certificate from vCenter

Replace Self-Signed Cert with a CA-Signed Cert Trusted by the App Volumes Agent

App Volumes


App Volumes Certificates

• Certificate validation between App Volumes Manager and vCenter
• Certificate validation for App Volumes Agent
– POC versus Production implementation
• Secure communications between App Volumes and Microsoft SQL server
• Applying certificates in load balanced configurations

Additional Considerations

App Volumes


Avoiding Certificate Issues


Be Consistent with App Volumes Manager Name


VMware Horizon Log Locations

[Diagram labels: Core Infrastructure (Active Directory, vCenter Server, vRealize Operations Manager for Horizon, Database (SQL), vSphere, vSAN); SaaS / Mobile Apps; Applications (App Volumes); VMware Identity Manager; User Workspace; User Environment (IT Settings, User Profile); End-Point Clients; VMware Horizon (RDS Desktops & Apps, Virtual Desktop Pools); Unified Access Gateway; Connection Server; View Composer]

Logs can be collected from…

Use KB1017939 for log locations and KB1025887 to change log levels


VMware Unified Access Gateway (UAG) Logs

Log Files

• Default log level is INFO
• Adjust log level for debugging information
– Details of log levels and collecting log files: http://bit.ly/2ufqdAY

Monitoring

• Monitor UAG services from the Admin UI

Unified Access Gateway


App Volumes Logs

"DJ" indicates Manager background job

"R" indicates dynamic Ruby job

Log files are now created daily

• Use Notepad++ to quickly group log entries by task


User Environment Manager Logs

• Configure debug logging for individual user
– https://kb.vmware.com/kb/2113514

Global and Individual Debug Logs

User Environment Manager


Application Personalization & DirectFlex

[Diagram: timeline of a user session against the Profile Data Store (file share) and base profile. UEM Logon: import of keyboard, mouse, wallpaper, Windows settings. Application Launch: import of application settings. Application Shutdown: export of application settings. UEM Logoff: export of keyboard, mouse, wallpaper, Windows settings.]

User Environment Manager


DirectFlex Logging

User Environment Manager


DirectFlex Import

Directflex Import

User Environment Manager


DirectFlex Export

Directflex Export

User Environment Manager


Tracking Sessions

• Use Tail/Grep Utilities or Trace32 (SCCM Toolkit)

Horizon


Demo – Log Monitoring with BareTail/BareGrep


Horizon


Horizon Common Issues


Troubleshooting Keys

• Check Admin Dashboard or HelpDesk Tool
• Understand client connection paths
• Set the appropriate Logging Level
• Check Logs and understand DCT Tool
• Use kb.vmware.com or communities


Horizon


Horizon Helpdesk Tool

Horizon


Horizon Helpdesk Tool Session Details

Access

• Installed by default on CS
• https://[CS FQDN]/helpdesk
• Launch from Horizon Console

Provides

• Metrics
• Send Message
• Remote Assistance
• Quick Resolution
– Restart
– Logoff
– Reset
– Disconnect

Horizon


Horizon Helpdesk Tool


Measuring Impact of AppStacks

No AppStacks

Three AppStacks – VLC, Notepad++, 7-Zip

Horizon


[Diagram labels: Pool; Profile; Service Apps; User; Remoting Protocol; User Environment Manager; File Shares (Persona); ThinApp Shares (Streamed Apps); Master VM (Instant Clone); Home File Shares (Folder Redirection); App Volumes AppStacks; Writable Volume; Disk Attachments; vSphere; Virtual SAN; Instant Clone; SaaS / Mobile / Other Apps; Client(s); Identity Manager; HTML Apps; Environment (AD, DNS, DHCP, Group Policy, Certs); vRealize Operations for Horizon – (Monitoring & Mgt)]

Identifying the Problem Domain


Horizon Connectivity Issues

• Common challenges
– Horizon Client can't connect
– Logon failure
– Black screen
– Poor quality display
– Randomly disconnected session

Horizon


Horizon


Blast Extreme Adaptive Transport

ADMX Template Settings

Computer > Policies > Admin Templates > VMware Blast > UDP Protocol

• Requires restart of Blast service or reboot of guest OS to take effect

Blast Extreme


Blast Extreme Adaptive Transport

Client Settings | Agent Settings (UDP) | Blast Desktop Connection | Broker Connection
Excellent | Not configured or Enabled | TCP | TCP
Typical | Not configured or Enabled | UDP | TCP
Poor | Not configured or Enabled | UDP | UDP

Computer > Policies > Admin Templates > VMware Blast > UDP Protocol – Not Configured or Enabled

HKLM\SOFTWARE\Policies\VMware, Inc.\VMware Blast\Config – UdpEnabled = 1

Client Settings | Agent Settings (UDP) | Blast Desktop Connection | Broker Connection
Excellent | Disabled | TCP | TCP
Typical | Disabled | TCP | TCP
Poor | Disabled | TCP | UDP

Computer > Policies > Admin Templates > VMware Blast > UDP Protocol – Disabled

HKLM\SOFTWARE\Policies\VMware, Inc.\VMware Blast\Config – UdpEnabled = 0

Blast Extreme


Horizon Connectivity Issues

• Where to look
– Connection Broker logs
• C:\ProgramData\VMware\VDM\logs
– Event Database
– DCT Tool
• What to look for –
• (Client connects) [SimpleAJPService] (ajpbrokerRequest9) Request from 19216821 POST brokerxml
• (Broker authentication) [WinAuthFilter] (SESSION7072--a79c mattc) Attempting to authenticate user 'mattc' in domain 'FUTUREOFFICE'
• (User has authenticated to Broker) [AuthorizationFilter] (SESSION7072--a79c) User FUTUREOFFICE\mattc has successfully authenticated to VDM
• (Audit Entry) [Audit] (SESSION7072--a79c) BROKER_LOGON:USER:FUTUREOFFICE\mattc;USERSID:S-1-5-21-326850759-2560684469-1780228732-1113;USERDN:CN=S-1-5-21-326850759-2560684469-1780228732-1113,CN=ForeignSecurityPrincipals,DC=vdi,DC=vmware,DC=int
• Event Database: BROKER_USERLOGGEDIN

Horizon


User Experience Issues

• Black screen of death - instead of desktop
– PCoIP port blocked (TCP and UDP 4172) or SVGA Driver issue
– pcoip_server/client logs - C:\Users\All Users\VMware\VDM\logs
• Error attaching to SVGADevTap error 4000 EscapeFailed
• MGMT_SCHAN scnet_client_open tera_sock_connect returned error 10060 - Connection timed out
– Incorrect PCoIP External URL configured for Security/Connection Servers

Horizon


User Experience Issues

• Poor quality display
– Bandwidth, latency, or QoS
– Pcoip_server logs report
• VGMAC Stat frms Loss=045021 (RT)
• MGMT_PCOIP_DATA BW Decrease (loss) old = 2349982 new = 1768438
• Randomly disconnected session
– 15 min after established - wssm process hasn't started on desktop
– View Agent logs (<DriveLetter>:\ProgramData\VMware\VDM\logs)
– PENDING_EXPIRED
– Sometimes caused by daisy-chaining the GINA (WinXP)

Horizon


Multi-VLAN support for Instant Clone pools

Tips to Avoid Deployment Issues

Support

• vSphere 2016
• ESXi 6.0 U1 or newer
• Virtual Distributed Switch only
– No support for Standard Switch
• Port Group must be configured for Static Port Binding & Fixed Port Allocation
– No support for Dynamic or Ephemeral

Tested Limits

• No multi-VLAN provisioning with IPv6
• Single IC pool of 2K VMs

Horizon


Multi-VLAN with Horizon Instant Clones

Troubleshooting

Horizon


Desktop Performance

• Common Issues
– Storage I/O bottleneck
– Memory contention
– CPU contention
– Network issues
• Where to look
– vCenter Server
– VCOPs
– ESXTOP
– 3rd Party Tools

Horizon


The 3 Pillars of Performance

What to look for

• CPU
– Cluster/Host utilization < 90
– VM utilization - USED (ESXTOP)
– VM RDY Time (ESXTOP) < 10
• Memory
– Host utilization < 85
– VM utilization
– Swapping, Ballooning: SWCUR > 1, MCTLSZ > 1 (ESXTOP)
• Storage
– Disk Read Latency < 25ms
– ESXTOP DAVG or KAVG < 25ms (ESXTOP)

Horizon


Optimize Your Images

• https://labs.vmware.com/flings/vmware-os-optimization-tool

Horizon


User Environment Manager Common Issues


FlexEngine Appears Not To Run

FlexEngine Client

• Requires use of Regedit.exe or Reg.exe to modify user-based registry keys
• Must not be disabled via Local or Group Policy

ADMX Settings

• Minimum settings to enable FlexEngine Client
• Check path


Path-Based Import Runs Slow

• Be careful not to run FlexEngine as a logon script and a Group Policy client-side extension


Application Incompatibility with Hook Drivers

User Environment Manager

DirectFlex Blacklist

• Create <FlexRepository>\DirectFlexBlackList.XML
• Populate as follows

<?xml version="1.0" encoding="utf-8"?>
<userEnvironmentSettings>
<setting type="blacklist" list="1.exe|2.exe|3.exe" />
</userEnvironmentSettings>

• Example: https://kb.vmware.com/kb/2145287


App Volumes Common Issues


Slow User Logon

• Check Logon Segments in Horizon to determine where the delay is
• Optimize clock.yml
– If performance decreases as deployment scales
– Increasing servers, workers, and thread_pool requires additional CPU and RAM
– Involve GSS to ensure optimal settings


AppStack Not Attaching at Logon


• One host in vSphere cluster does not have access to the shared datastore where the AppStack resides
– Common oversight, especially with Storage Groups
• Conflicting Minifilter driver
– DLP software
– Be aware of app altitude
– More info from Microsoft
• http://bit.ly/2tSCdG5


ADSI Edit – Static Configuration Editing

Horizon


ADSI Edit – Common Key Values to Inspect

• pae-DisplayName
– VM name as displayed in View Admin
• pae-DirtyForNewSessions
– Indicates whether the VM is "Dirty" and can be re-used in a non-persistent pool
• pae-SVIVMSnapshot
– Indicates the current Snapshot that is in use
• pae-VmPath
– Indicates the full Path to the VM in vCenter
• pae-VmState
– Indicates the current state of the Desktop – some states are a combination of this value and other values

Horizon


ADSI Edit – Searching for a Desktop

• Find VMs with a Snapshot
– (&(objectClass=pae-VM)(pae-SVIVmSnapshot=BaselineSnapshot1Snapshot2))
• Find VMs with a Name
– (&(objectClass=pae-VM)(pae-DisplayName=Desktop-234))

Horizon


Horizon View Event Notifier

• On the VMware Fling site - labs.vmware.com/flings (chrishalstead)

Horizon


SSL Certificates and vCenter Server Connection

Accept vCenter Certificate

• By default, certificate validation is required between App Volumes Manager and vSphere
• Accept vCenter cert (self-signed or CA-signed) while creating the Machine Manager in App Volumes Manager
• No custom certificate work required

App Volumes


Certificate Options for Production

Options to Enable SSL

• SSL is enabled by default
• Don't disable certificate validation during Agent installation
• Enable SSL in the registry after App Volumes Agent install

Enable Certificate Validation on the App Volumes Agent

HKLM\System\CurrentControlSet\Services\svservices\Parameters
• EnforceSSLCertificateValidation = 1
• SSL = 1

App Volumes


Certificate Options for a POC

• Options to Disable SSL
• Disable Certificate Validation with App Volumes Manager during App Volumes Agent install
• EnforceSSLCertificateValidation in the registry after App Volumes Agent install

Disable SSL Certificate Validation on the Agent

HKLM\System\CurrentControlSet\Services\svservices\Parameters
• EnforceSSLCertificateValidation = 0

App Volumes


SSL Certificates and SQL Server Communication

Securing Communications Between App Volumes Manager and SQL Server

• 2.12 User Guide references MS Support
• Note the differences for a SQL Server clustered installation
• Encryption is configured on the SQL Server instance, so all databases on a shared SQL Server will be affected
• From the SQL Server, use SQL Server Configuration Manager to configure Force Encryption and specify the SQL certificate

SQL Server service account must have Read permissions to the Private Key of the SQL Server SSL certificate

– Check SQL Server Configuration Manager > SQL Server Services > SQL Server (SQL) > Log On
– Default is NT Service\MSSQL$SQL, which does not have the necessary permissions

App Volumes


SSL Certificates and SQL Server Communication

• Start on the SQL Server
• MMC > Certificates

Setting Custom Private Key Permissions for SQL Service Account

App Volumes


Page 6: ADV1592BU Troubleshooting Your Horizon 7 Deployment … · Troubleshooting Your Horizon 7 Deployment VMworld 2017 ... (SCCM Toolkit) Horizon ... Troubleshooting Horizon

Troubleshooting Certificates for Horizon

bull Key issues when creating certs from 3rd parties or CA

ndash Make sure compatibility level is Windows 2003

ndash Make sure key is exportable

bull Key issues when using your own Microsoft CA

ndash Make sure the Subject name is your DNS name

ndash Set DNS SubjectAltNames for DNS name including IP and localhost

bull Common symptoms of certificate issues

ndash Services fail to start after certificate replacement

ndash Default 404 page after certificate replacement

bull Most referenced KB articles for successful troubleshooting

ndash httpskbvmwarecomkb2032400

ndash httpskbvmwarecomkb2068666

Horizon

ADV1592BU CONFIDENTIAL 6

VMworld 2017 Content Not fo

r publication or distri

bution

Setting Subject Names and SANswith Microsoft Certificate Templates

Horizon

ADV1592BU CONFIDENTIAL 7

VMworld 2017 Content Not fo

r publication or distri

bution

Configuring Certificates for Unified Access Gateway

bull Replace the default self-signed certificate

bull Certificates that you import into the Unified Access Gateway appliance must be trusted by client machines

bull Must also be applicable to all instances of Unified Access Gateway and any load balancer

ndash Use either wildcards or Subject Alternative Name (SAN) certificates

bull Detailed instructions httpbitly2gN17VE

UnifiedAccess

Gateway

Unified Access Gateway

ADV1592BU CONFIDENTIAL 8

VMworld 2017 Content Not fo

r publication or distri

bution

Unified Access Gateway Certificate Deployment

bull Automate UAG deployment including trusted certificate

ndash Use OVF Tool or PowerShell

ndash Production-ready deployment in ~1 minute

ndash No longer requires PEM-formatted certificates

bull UAG 30 and above accepts PKCS12 (p12 or pfx) formatted certificates

ndash Guide to scripted deployment httpscommunitiesvmwarecomdocsDOC-30835

bull Includes sample INI and PS1 files

bull Includes troubleshooting examples

Simplifying and Troubleshooting

Unified Access Gateway

ADV1592BU CONFIDENTIAL 9

VMworld 2017 Content Not fo

r publication or distri

bution

Certificates with App Volumes Manager

Options to Enable SSL

bull Replace self-signed certificate on App Volumes Manager server with a cert trusted by App Volumes Agent VMs

bull User guide httpbitly2vlzgxX

bull Step-by-step blog with video httpbitly2ung7yE

Recommended for SSL

bull Use SSL for SQL Server Communication

bull Accept a CA-signed certificate from vCenter

Replace Self-Signed Cert with a CA-Signed Cert Trusted by the App Volumes Agent

App Volumes

ADV1592BU CONFIDENTIAL 10

VMworld 2017 Content Not fo

r publication or distri

bution

App Volumes Certificates

bull Certificate validation between App Volumes Manager and vCenter

bull Certificate validation for App Volumes Agent

ndash POC versus Production implementation

bull Secure communications between App Volumes and Microsoft SQL server

bull Applying certificates in load balanced configurations

11

Additional Considerations

App Volumes

VMworld 2017 Content Not fo

r publication or distri

bution

Avoiding Certificate Issues

ADV1592BU CONFIDENTIAL 12

Be Consistent with App Volumes Manager Name

VMworld 2017 Content Not fo

r publication or distri

bution

VMware Horizon Log Locations

Core

Infrastructure

Active

Directory

vCenter

Server

vRealize

Operations

Manager for

Horizon

Database

(SQL)

vSphere

vSAN

SaaS Mobile

Apps

Applications

(App Volumes)

VMware

Identity

Manager

User

Workspace

User

Environment

IT

Settings

User

Profile

End-Point Clients

VMware Horizon

RDS

Desktops amp Apps

Virtual Desktop Pools

Unified

Access

Gateway

Connection

Server

View

Composer

Logs can be collected fromhellip

Use KB1017939 for log locations and KB1025887 to change log levels

ADV1592BU CONFIDENTIAL 13

VMworld 2017 Content Not fo

r publication or distri

bution

VMware Unified Access Gateway (UAG) Logs

Log Files

bull Default log level is INFO

bull Adjust log level for debugging information

ndash Details of log levels and collecting log files httpbitly2ufqdAY

Monitoring

bull Monitor UAG services from the Admin UI

Unified Access Gateway

ADV1592BU CONFIDENTIAL 14

VMworld 2017 Content Not fo

r publication or distri

bution

App Volumes Logs

rdquoDJrdquo indicates

Manager

background

job

ldquoRrdquo indicates

dynamic Ruby

job

Log files are

now created

daily

bull Use Notepad++ to quickly group log entries by task

ADV1592BU CONFIDENTIAL 15

VMworld 2017 Content Not fo

r publication or distri

bution

User Environment Manager Logs

bull Configure debug logging for individual user

ndash httpskbvmwarecomkb2113514

Global and Individual Debug Logs

User Environment Manager

ADV1592BU CONFIDENTIAL 16

VMworld 2017 Content Not fo

r publication or distri

bution

Application Personalization amp DirectFlex

User Session

Profile Data Store (File Share)

Base

Profile

UEM

LogonImport of Keyboard

Mouse Wallpaper

Windows Settings

Application

LaunchImport of application

settings

Application

ShutdownExport of application

settings

UEM

LogoffExport of Keyboard

Mouse Wallpaper

Windows Settings

Time

User Environment Manager

CONFIDENTIAL

VMworld 2017 Content Not fo

r publication or distri

bution

DirectFlex LoggingUser Environment

Manager

ADV1592BU CONFIDENTIAL 18

VMworld 2017 Content Not fo

r publication or distri

bution

DirectFlex Import

Directflex Import

User Environment Manager

ADV1592BU CONFIDENTIAL 19

VMworld 2017 Content Not fo

r publication or distri

bution

DirectFlex Export

Directflex Export

User Environment Manager

ADV1592BU CONFIDENTIAL 20

VMworld 2017 Content Not fo

r publication or distri

bution

Tracking Sessions

bull Use TailGrep Utilities or Trace32 (SCCM Toolkit)


Demo – Log Monitoring with BareTail/BareGrep


Horizon: Common Issues


Troubleshooting Keys

• Check Admin Dashboard or HelpDesk Tool
• Understand client connection paths
• Set the appropriate Logging Level
• Check Logs and understand DCT Tool
• Use kb.vmware.com or communities


Horizon Helpdesk Tool


Horizon Helpdesk Tool Session Details

Access
• Installed by default on CS
• https://[CS FQDN]/helpdesk
• Launch from Horizon Console

Provides
• Metrics
• Send Message
• Remote Assistance
• Quick Resolution
  – Restart
  – Logoff
  – Reset
  – Disconnect


Horizon Helpdesk Tool


Measuring Impact of AppStacks

No AppStacks

Three AppStacks – VLC, Notepad++, 7-Zip


Identifying the Problem Domain

[Diagram of the components of a Horizon deployment: Client(s); Identity Manager (SaaS, Mobile, HTML, Other Apps); Remoting Protocol; Pool (Master VM, Instant Clone); User Profile (User Environment Manager, Persona); File Shares (ThinApp Shares, Home File Shares, Folder Redirection); Streamed Apps; App Volumes (AppStacks, Writable Volume, Disk Attachments); vSphere, Virtual SAN, Instant Clone; Environment (AD, DNS, DHCP, Group Policy, Certs); vRealize Operations for Horizon – (Monitoring & Mgt)]


Horizon Connectivity Issues

• Common challenges
  – Horizon Client can't connect
  – Logon failure
  – Black screen
  – Poor quality display
  – Randomly disconnected session


Blast Extreme Adaptive Transport: ADMX Template Settings

Computer > Policies > Admin Templates > VMware Blast > UDP Protocol
• Requires restart of Blast service or reboot of guest OS to take effect


Blast Extreme Adaptive Transport

Client Settings    Agent Settings (UDP)         Blast Desktop Connection    Broker Connection
Excellent          Not configured or Enabled    TCP                         TCP
Typical            Not configured or Enabled    UDP                         TCP
Poor               Not configured or Enabled    UDP                         UDP

Computer > Policies > Admin Templates > VMware Blast > UDP Protocol – Not Configured or Enabled
HKLM\SOFTWARE\Policies\VMware, Inc.\VMware Blast\Config – UdpEnabled = 1

Client Settings    Agent Settings (UDP)    Blast Desktop Connection    Broker Connection
Excellent          Disabled                TCP                         TCP
Typical            Disabled                TCP                         TCP
Poor               Disabled                TCP                         UDP

Computer > Policies > Admin Templates > VMware Blast > UDP Protocol – Disabled
HKLM\SOFTWARE\Policies\VMware, Inc.\VMware Blast\Config – UdpEnabled = 0


Horizon Connectivity Issues

• Where to look
  – Connection Broker logs
    • C:\ProgramData\VMware\VDM\logs
  – Event Database
  – DCT Tool
• What to look for
  – (Client connects) [SimpleAJPService] (ajpbrokerRequest9) Request from 19216821 POST brokerxml
  – (Broker authentication) [WinAuthFilter] (SESSION7072--a79c mattc) Attempting to authenticate user mattc in domain FUTUREOFFICE'
  – (User has authenticated to Broker) [AuthorizationFilter] (SESSION7072--a79c) User FUTUREOFFICE\mattc has successfully authenticated to VDM
  – (Audit Entry) [Audit] (SESSION7072--a79c) BROKER_LOGON:USER:FUTUREOFFICE\mattc;USERSID:S-1-5-21-326850759-2560684469-1780228732-1113;USERDN:CN=S-1-5-21-326850759-2560684469-1780228732-1113,CN=ForeignSecurityPrincipals,DC=vdi,DC=vmware,DC=int
  – Event Database: BROKER_USERLOGGEDIN


User Experience Issues

• Black screen of death - instead of desktop
  – PCoIP port blocked (TCP and UDP 4172) or SVGA Driver issue
  – pcoip_server/client logs - C:\Users\All Users\VMware\VDM\logs
    • Error attaching to SVGADevTap, error 4000: EscapeFailed
    • MGMT_SCHAN scnet_client_open tera_sock_connect returned error 10060 - Connection timed out
  – Incorrect PCoIP External URL configured for Security/Connection Servers


User Experience Issues

• Poor quality display
  – Bandwidth, latency, or QoS
  – Pcoip_server logs report
    • VGMAC Stat frms Loss=045021 (RT)
    • MGMT_PCOIP_DATA BW Decrease (loss) old = 2349982 new = 1768438
• Randomly disconnected session
  – 15 min after established - wssm process hasn't started on desktop
  – View Agent logs (<DriveLetter>:\ProgramData\VMware\VDM\logs)
  – PENDING_EXPIRED
  – Sometimes caused by daisy-chaining the GINA (WinXP)


Multi-VLAN Support for Instant Clone Pools: Tips to Avoid Deployment Issues

Support
• vSphere 2016
• ESXi 6.0 U1 or newer
• Virtual Distributed Switch only
  – No support for Standard Switch
• Port Group must be configured for Static Port Binding & Fixed Port Allocation
  – No support for Dynamic or Ephemeral

Tested Limits
• No multi-VLAN provisioning with IPv6
• Single IC pool of 2K VMs


Multi-VLAN with Horizon Instant Clones: Troubleshooting


Desktop Performance

• Common Issues
  – Storage I/O bottleneck
  – Memory contention
  – CPU contention
  – Network issues
• Where to look
  – vCenter Server
  – VCOPs
  – ESXTOP
  – 3rd Party Tools


The 3 Pillars of Performance

What to look for

• CPU
  – Cluster/Host utilization < 90
  – VM utilization - USED (ESXTOP)
  – VM RDY Time (ESXTOP) < 10
• Memory
  – Host utilization < 85
  – VM utilization
  – Swapping, Ballooning: SWCUR > 1, MCTLSZ > 1 (ESXTOP)
• Storage
  – Disk Read Latency < 25ms
  – ESXTOP DAVG or KAVG < 25ms (ESXTOP)


Optimize Your Images

• https://labs.vmware.com/flings/vmware-os-optimization-tool


User Environment Manager: Common Issues


FlexEngine Appears Not To Run

FlexEngine Client

• Requires use of Regedit.exe or Reg.exe to modify user-based registry keys
• Must not be disabled via Local or Group Policy

ADMX Settings
• Minimum settings to enable FlexEngine Client
• Check path


Path-Based Import Runs Slow

• Be careful not to run FlexEngine as both a logon script and a Group Policy client-side extension


Application Incompatibility with Hook Drivers

DirectFlex Blacklist
• Create <FlexRepository>\DirectFlex\BlackList.XML
• Populate as follows

    <?xml version="1.0" encoding="utf-8"?>
    <userEnvironmentSettings>
        <setting type="blacklist" list="1.exe|2.exe|3.exe" />
    </userEnvironmentSettings>

• Example: https://kb.vmware.com/kb/2145287


App Volumes: Common Issues


Slow User Logon

• Check Logon Segments in Horizon to determine where the delay is
• Optimize clock.yml
  – If performance decreases as deployment scales
  – Increasing servers, workers, and thread_pool requires additional CPU and RAM
  – Involve GSS to ensure optimal settings


AppStack Not Attaching at Logon

• One host in vSphere cluster does not have access to the shared datastore where the AppStack resides
  – Common oversight, especially with Storage Groups
• Conflicting Minifilter driver
  – DLP software
  – Be aware of app altitude
  – More info from Microsoft
    • http://bit.ly/2tSCdG5

ADSI Edit – Static Configuration Editing


ADSI Edit – Common Key Values to Inspect

• pae-DisplayName
  – VM name as displayed in View Admin
• pae-DirtyForNewSessions
  – Indicates whether the VM is "Dirty" and can be re-used in a non-persistent pool
• pae-SVIVMSnapshot
  – Indicates the current Snapshot that is in use
• pae-VmPath
  – Indicates the full Path to the VM in vCenter
• pae-VmState
  – Indicates the current state of the Desktop – some states are a combination of this value and other values


ADSI Edit – Searching for a Desktop

• Find VMs with a Snapshot
  – (&(objectClass=pae-VM)(pae-SVIVmSnapshot=BaselineSnapshot1Snapshot2))
• Find VMs with a Name
  – (&(objectClass=pae-VM)(pae-DisplayName=Desktop-234))


Horizon View Event Notifier

• On the VMware Fling site - labs.vmware.com/flings (chrishalstead)


SSL Certificates and vCenter Server Connection

Accept vCenter Certificate

• By default, certificate validation is required between App Volumes Manager and vSphere
• Accept vCenter cert (self-signed or CA-signed) while creating the Machine Manager in App Volumes Manager
• No custom certificate work required


Certificate Options for Production

Options to Enable SSL
• SSL is enabled by default
• Don't disable certificate validation during Agent installation
• Enable SSL in the registry after App Volumes Agent install

Enable Certificate Validation on the App Volumes Agent
HKLM\System\CurrentControlSet\Services\svservices\Parameters
• EnforceSSLCertificateValidation = 1
• SSL = 1


Certificate Options for a POC

Options to Disable SSL
• Disable Certificate Validation with App Volumes Manager during App Volumes Agent install
• EnforceSSLCertificateValidation in the registry after App Volumes Agent install

Disable SSL Certificate Validation on the Agent
HKLM\System\CurrentControlSet\Services\svservices\Parameters
• EnforceSSLCertificateValidation = 0


SSL Certificates and SQL Server Communication

Securing Communications Between App Volumes Manager and SQL Server
• 2.12 User Guide references MS Support
• Note the differences for a SQL Server clustered installation
• Encryption is configured on the SQL Server instance, so all databases on a shared SQL Server will be affected
• From the SQL Server, use SQL Server Configuration Manager to configure Force Encryption and specify the SQL certificate

SQL Server service account must have Read permissions to the Private Key of the SQL Server SSL certificate
  – Check SQL Server Configuration Manager > SQL Server Services > SQL Server (SQL) > Log On
  – Default is NT Service\MSSQL$SQL, which does not have the necessary permissions


SSL Certificates and SQL Server Communication

Setting Custom Private Key Permissions for SQL Service Account
• Start on the SQL Server
• MMC > Certificates


SSL Certificates and Load Balancers

Typical Deployment
  – SSL is terminated at load balancer
  – HTTP between LB and AV Manager
  – SSL between AV Agents and LB
  – If trusted CA-signed cert is used for LB, be sure all agents trust the CA

Alternative Deployment
  – To keep SSL between LB and AV Manager, signed AV Manager certificate(s) should be added to trust list of the LB

[Diagram: App Volumes Agent VMs, Load Balancer, App Volumes Manager VMs, SQL, View Infrastructure – Now Secured with SSL Certificates]


Desktop Not Available

What to look for… (walk through successful connection)

• Client requests desktop
  – Event Database: BROKER_DESKTOP_REQUEST
• Broker allocates session to user
  – [FarmImp] (SESSION7072--a79c) cn=3f974017-409f-4912-83bc-2ee794f22fab,ou=servers,dc=vdi,dc=vmware,dc=int total session count 0
  – [FarmImp] (SESSION7072--a79c) allocateNewSession - identified server for application CN=GOLD-NP,OU=Applications,DC=vdi,DC=vmware,DC=int
  – Event Database: BROKER_MACHINE_ALLOCATED
• Broker attempts SSO
  – [FarmImp] (SESSION7072--a79c) Using domain for SSO FUTUREOFFICE
  – User won't be logged on to the VM without this


Desktop Not Available

What to look for… Pool Provisioning

• Desktops not available due to provisioning error
  – Check View Administrator for Pool status, check datastore capacity
  – Check Event Database - BROKER_PROVISIONING_ERROR_
  – Check View Composer has network access to ESX hosts
• Desktop not available due to customization
  – Check Desktop status – AGENT UNAVAILABLE
  – Check View Dashboard
    • Desktop Status > Preparing Desktops OR Problem Desktops
  – Check Desktop connectivity to DNS/AD/Connection Server


Desktop Not Available

• Desktop not available due to VM reset/crash
  – Check Desktop status – ALREADY USED
  – Typical on refresh-on-logoff or delete-on-use desktops
  – Broker never received an explicit logout message from the agent
  – Missing AGENT_ENDED event in DB for VM
• View Composer Issues associated with incorrect domain credentials
  – C:\ProgramData\VMware\View Composer\Logs
  – FATAL CSvmGaService - [svmGaService.cpp 116] Domain join failed Error 5 (0x5) Access is denied


Desktop Not Available

What to look for…

• Broker starts session on VM
  – [DesktopSessionImp] (SESSION7072--a79c) startSession – sending StartSession message
• Agent responds…
  – "DesktopManager got a StartSession message"
  – Client Info should be in Agent Log along with PCoIP launch
  – Event Database: AGENT_PENDING
• Client connects to VM (Agent)
  – "PCoIPCnxOnConnectionComplete Begin (PCOIP)"
  – "WTS_SESSION_LOGON"
  – Event Database: AGENT_CONNECTED


Desktop Source Not Available

Common Issues

• No Desktop Available
• Pool provisioning issues – customization
• Agent not communicating with broker
• Stuck at desktop login screen (SSO)


Desktop Source Not Available

Where to look

• Event Database
• Connection Server logs

What to look for

[SessionLaunchContext] (SESSION40a7__6cbd) VMWEUC\bsimpson Desktop=vmworld Session request failed

(SESSION40a7__6cbd) [VMWEUC\bsimpson Desktop=vmworld] (5ms) The following servers were blocked for new sessions [cn=5162cf76-8d8a-4ac0-9185-845a540d24e5,ou=servers,dc=vdi,dc=vmware,dc=int]

(SESSION40a7__6cbd) [VMWEUC\bsimpson Desktop=vmworld] (5ms) Application launch failed, exception was: The desktop sources for this desktop are not responding. Please try again later
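The broker-side milestones from the connectivity and "Desktop Not Available" slides, together with the failure messages listed above, can be followed per session by grouping Connection Server log lines on their session token. The Python below is an added example, not code from the presentation or from VMware; the sample lines, their timestamp prefix and the `SESSION:xxxx_***_yyyy` token format are constructed assumptions.

```python
import re
from collections import OrderedDict

# Milestones of a successful broker logon and desktop launch, in the order the
# slides walk through them: (stage name, logger tag, message substring).
STAGES = [
    ("auth_attempt",  "WinAuthFilter",       "Attempting to authenticate user"),
    ("authenticated", "AuthorizationFilter", "has successfully authenticated"),
    ("audit_logon",   "Audit",               "BROKER_LOGON"),
    ("allocated",     "FarmImp",             "allocateNewSession"),
    ("sso_domain",    "FarmImp",             "Using domain for SSO"),
    ("start_session", "DesktopSessionImp",   "startSession"),
]
# Messages the slides list under "Desktop Source Not Available".
FAILURES = [
    "Session request failed",
    "were blocked for new sessions",
    "Application launch failed",
]

# Optional "[Logger]" tag, then "(SESSION<token> [user])", then the message.
LINE_RE = re.compile(
    r"(?:\[(?P<logger>\w+)\]\s*)?\((?P<session>SESSION[^\s)]+)[^)]*\)\s*(?P<msg>.*)"
)
USER_RE = re.compile(r"authenticate user (?P<user>\S+) in domain (?P<domain>[\w.-]+)")

# Constructed sample lines (assumed prefix and token format; real Connection
# Server lines carry more fields). Three sessions are interleaved on purpose.
SAMPLE_LOG = r"""
09:00:01 DEBUG [WinAuthFilter] (SESSION:aaaa_***_1111 alice) Attempting to authenticate user alice in domain EXAMPLE
09:00:01 DEBUG [WinAuthFilter] (SESSION:bbbb_***_2222 bob) Attempting to authenticate user bob in domain EXAMPLE
09:00:02 INFO  [AuthorizationFilter] (SESSION:aaaa_***_1111) User EXAMPLE\alice has successfully authenticated to VDM
09:00:02 INFO  [Audit] (SESSION:aaaa_***_1111) BROKER_LOGON:USER:EXAMPLE\alice
09:00:03 DEBUG [WinAuthFilter] (SESSION:cccc_***_3333 carol) Attempting to authenticate user carol in domain EXAMPLE
09:00:03 INFO  [AuthorizationFilter] (SESSION:cccc_***_3333) User EXAMPLE\carol has successfully authenticated to VDM
09:00:03 INFO  [Audit] (SESSION:cccc_***_3333) BROKER_LOGON:USER:EXAMPLE\carol
09:00:04 DEBUG [FarmImp] (SESSION:aaaa_***_1111) allocateNewSession - identified server for application CN=pool1,OU=Applications,DC=example,DC=int
09:00:04 DEBUG [FarmImp] (SESSION:aaaa_***_1111) Using domain for SSO EXAMPLE
09:00:05 DEBUG [DesktopSessionImp] (SESSION:aaaa_***_1111) startSession - sending StartSession message
09:00:06 ERROR [SessionLaunchContext] (SESSION:cccc_***_3333) EXAMPLE\carol Desktop=vmworld Session request failed
09:00:06 DEBUG (SESSION:cccc_***_3333) [EXAMPLE\carol Desktop=vmworld] (5ms) The following servers were blocked for new sessions [cn=constructed,ou=servers,dc=example,dc=int]
09:00:06 DEBUG (SESSION:cccc_***_3333) [EXAMPLE\carol Desktop=vmworld] (5ms) Application launch failed, exception was: The desktop sources for this desktop are not responding
"""


def trace_sessions(lines):
    """Group log lines by session token and record how far each session got."""
    sessions = OrderedDict()
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # not a session-scoped line
        s = sessions.setdefault(
            m["session"], {"user": None, "reached": [], "failures": []}
        )
        logger, msg = m["logger"], m["msg"]
        u = USER_RE.search(msg)
        if u and s["user"] is None:
            s["user"] = u["domain"] + "\\" + u["user"]
        for name, tag, needle in STAGES:
            if logger == tag and needle in msg and name not in s["reached"]:
                s["reached"].append(name)
        for needle in FAILURES:
            if needle in msg:
                s["failures"].append(needle)
    for s in sessions.values():
        # First expected milestone that never appeared, or None if all did.
        s["stopped_before"] = next(
            (name for name, _, _ in STAGES if name not in s["reached"]), None
        )
    return sessions


def report(sessions):
    """One summary line per session, in order of first appearance."""
    out = []
    for token, s in sessions.items():
        if s["failures"]:
            state = "FAILED: " + "; ".join(s["failures"])
        elif s["stopped_before"]:
            state = "stalled before " + s["stopped_before"]
        else:
            state = "launch sequence complete"
        out.append(f"{token} {s['user'] or '?'}: {state}")
    return out


if __name__ == "__main__":
    for summary in report(trace_sessions(SAMPLE_LOG.splitlines())):
        print(summary)
```

A session that shows `auth_attempt` but never `authenticated` is a failed broker logon; many of those for one user or source in a short window are worth correlating with the Event Database.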


Setting Subject Names and SANs with Microsoft Certificate Templates


Configuring Certificates for Unified Access Gateway

• Replace the default self-signed certificate
• Certificates that you import into the Unified Access Gateway appliance must be trusted by client machines
• Must also be applicable to all instances of Unified Access Gateway and any load balancer
  – Use either wildcards or Subject Alternative Name (SAN) certificates
• Detailed instructions: http://bit.ly/2gN17VE


Unified Access Gateway Certificate Deployment

Simplifying and Troubleshooting
• Automate UAG deployment, including trusted certificate
  – Use OVF Tool or PowerShell
  – Production-ready deployment in ~1 minute
  – No longer requires PEM-formatted certificates
    • UAG 3.0 and above accepts PKCS#12 (.p12 or .pfx) formatted certificates
  – Guide to scripted deployment: https://communities.vmware.com/docs/DOC-30835
    • Includes sample INI and PS1 files
    • Includes troubleshooting examples


Certificates with App Volumes Manager

Options to Enable SSL

• Replace self-signed certificate on App Volumes Manager server with a cert trusted by App Volumes Agent VMs
• User guide: http://bit.ly/2vlzgxX
• Step-by-step blog with video: http://bit.ly/2ung7yE

Recommended for SSL
• Use SSL for SQL Server Communication
• Accept a CA-signed certificate from vCenter

Replace Self-Signed Cert with a CA-Signed Cert Trusted by the App Volumes Agent


App Volumes Certificates

Additional Considerations
• Certificate validation between App Volumes Manager and vCenter
• Certificate validation for App Volumes Agent
  – POC versus Production implementation
• Secure communications between App Volumes and Microsoft SQL Server
• Applying certificates in load-balanced configurations


Avoiding Certificate Issues


Be Consistent with App Volumes Manager Name


VMware Horizon Log Locations

Logs can be collected from…

[Diagram: Core Infrastructure (Active Directory, vCenter Server, vRealize Operations Manager for Horizon, Database (SQL), vSphere, vSAN); SaaS, Mobile Apps; Applications (App Volumes); VMware Identity Manager; User Workspace; User Environment (IT Settings, User Profile); End-Point Clients; VMware Horizon (RDS Desktops & Apps, Virtual Desktop Pools); Unified Access Gateway; Connection Server; View Composer]

• Use KB1017939 for log locations and KB1025887 to change log levels

ADV1592BU CONFIDENTIAL 13

VMworld 2017 Content Not fo

r publication or distri

bution

VMware Unified Access Gateway (UAG) Logs

Log Files

bull Default log level is INFO

bull Adjust log level for debugging information

ndash Details of log levels and collecting log files httpbitly2ufqdAY

Monitoring

bull Monitor UAG services from the Admin UI

Unified Access Gateway

ADV1592BU CONFIDENTIAL 14

VMworld 2017 Content Not fo

r publication or distri

bution

App Volumes Logs

rdquoDJrdquo indicates

Manager

background

job

ldquoRrdquo indicates

dynamic Ruby

job

Log files are

now created

daily

bull Use Notepad++ to quickly group log entries by task

ADV1592BU CONFIDENTIAL 15

VMworld 2017 Content Not fo

r publication or distri

bution

User Environment Manager Logs

bull Configure debug logging for individual user

ndash httpskbvmwarecomkb2113514

Global and Individual Debug Logs

User Environment Manager

ADV1592BU CONFIDENTIAL 16

VMworld 2017 Content Not fo

r publication or distri

bution

Application Personalization amp DirectFlex

User Session

Profile Data Store (File Share)

Base

Profile

UEM

LogonImport of Keyboard

Mouse Wallpaper

Windows Settings

Application

LaunchImport of application

settings

Application

ShutdownExport of application

settings

UEM

LogoffExport of Keyboard

Mouse Wallpaper

Windows Settings

Time

User Environment Manager

CONFIDENTIAL

VMworld 2017 Content Not fo

r publication or distri

bution

DirectFlex LoggingUser Environment

Manager

ADV1592BU CONFIDENTIAL 18

VMworld 2017 Content Not fo

r publication or distri

bution

DirectFlex Import

Directflex Import

User Environment Manager

ADV1592BU CONFIDENTIAL 19

VMworld 2017 Content Not fo

r publication or distri

bution

DirectFlex Export

Directflex Export

User Environment Manager

ADV1592BU CONFIDENTIAL 20

VMworld 2017 Content Not fo

r publication or distri

bution

Tracking Sessions

bull Use TailGrep Utilities or Trace32 (SCCM Toolkit)

Horizon

ADV1592BU CONFIDENTIAL 21

VMworld 2017 Content Not fo

r publication or distri

bution

Demo ndash Log Monitoring with BareTailBareGrep

ADV1592BU CONFIDENTIAL 22

Horizon

VMworld 2017 Content Not fo

r publication or distri

bution

HorizonCommon Issues

VMworld 2017 Content Not fo

r publication or distri

bution

Troubleshooting Keys

bull Check Admin Dashboard or HelpDesk Tool

bull Understand client connection paths

bull Set the appropriate Logging Level

bull Check Logs and understand DCT Tool

bull Use kbvmwarecom or communities

ADV1592BU CONFIDENTIAL 24

Horizon

VMworld 2017 Content Not fo

r publication or distri

bution

Horizon Helpdesk ToolHorizon

ADV1592BU CONFIDENTIAL 25

VMworld 2017 Content Not fo

r publication or distri

bution

Horizon Helpdesk Tool Session Details

Access

bull Installed by default on CS

bull https[CS FQDN]helpdesk

bull Launch from Horizon Console

Provides

bull Metrics

bull Send Message

bull Remote Assistance

bull Quick Resolutionndash Restart

ndash Logoff

ndash Reset

ndash Disconnect

Horizon

ADV1592BU CONFIDENTIAL 26

VMworld 2017 Content Not fo

r publication or distri

bution

Horizon Helpdesk Tool

ADV1592BU CONFIDENTIAL 27

Measuring Impact of AppStacks

No AppStacks

Three AppStacks ndash VLC Notepad++ 7-Zip

Horizon

VMworld 2017 Content Not fo

r publication or distri

bution

Pool

Profile

Service AppsUser

Remoting

ProtocolUser Environment

Manager

File SharesPersona

ThinApp SharesStreamed

Apps

Master VMInstant

Clone

Home File SharesFolder

Redirection

App Volumes

AppStacks

Writable Volume

Disk

Attachments

vSphere

Virtual SAN

Instant Clone

SaaS Mobile Other Apps

Client(s)

Identity Manager

HTML

APPS

En

viro

nm

en

t

AD

DNS

DHCP

Group

Policy

Certs

vRealize Operations for Horizon ndash (Monitoring amp Mgt)

Identifying the Problem Domain

VMworld 2017 Content Not fo

r publication or distri

bution

Horizon Connectivity Issues

bull Common challenges

ndash Horizon Client canrsquot connect

ndash Logon failure

ndash Black screen

ndash Poor quality display

ndash Randomly disconnected session

Horizon

ADV1592BU CONFIDENTIAL 29

VMworld 2017 Content Not fo

r publication or distri

bution

Horizon

VMworld 2017 Content Not fo

r publication or distri

bution

Blast Extreme Adaptive TransportADMX Template Settings

Computer gt Policies gt Admin Templates gt VMware Blast gt UDP Protocol

bull Requires restart of Blast service or reboot of guest OS to take effect

BlastExtreme

ADV1592BU CONFIDENTIAL 31

VMworld 2017 Content Not fo

r publication or distri

bution

Blast Extreme Adaptive Transport

Client Settings Agent Settings (UDP) Blast Desktop Connection Broker Connection

Excellent Not configured or Enabled TCP TCP

Typical Not configured or Enabled UDP TCP

Poor Not configured or Enabled UDP UDP

Computer gt Policies gt Admin Templates gt VMware Blast gt UDP Protocol ndash Not Configured or Enabled

HKLMSOFTWAREPoliciesVMware IncVMware BlastConfig ndash UdpEnabled = 1

Client Settings Agent Settings (UDP) Blast Desktop Connection Broker Connection

Excellent Disabled TCP TCP

Typical Disabled TCP TCP

Poor Disabled TCP UDP

Computer gt Policies gt Admin Templates gt VMware Blast gt UDP Protocol ndash Disabled

HKLMSOFTWAREPoliciesVMware IncVMware BlastConfig ndash UdpEnabled = 0

BlastExtreme

ADV1592BU CONFIDENTIAL 32

VMworld 2017 Content Not fo

r publication or distri

bution

Horizon Connectivity Issues

bull Where to look

ndash Connection Broker logs

bull CProgramDataVMwareVDMlogs

ndash Event Database

ndash DCT Tool

bull What to look for ndash

bull (Client connects) [SimpleAJPService] (ajpbrokerRequest9) Request from 19216821 POST brokerxml

bull (Broker authentication) [WinAuthFilter] (SESSION7072--a79c mattc) Attempting to authenticate user mattc in domain FUTUREOFFICErsquo

bull (User has authenticated to Broker) [AuthorizationFilter] (SESSION7072--a79c) User FUTUREOFFICEmattc has successfully authenticated to VDM

bull (Audit Entry) [Audit] (SESSION7072--a79c) BROKER_LOGONUSERFUTUREOFFICEmattcUSERSIDS-1-5-21-326850759-2560684469-1780228732-1113USERDNCN=S-1-5-21-326850759-2560684469-1780228732-1113CN=ForeignSecurityPrincipalsDC=vdiDC=vmwareDC=int

bull Event Database BROKER_USERLOGGEDIN

Horizon

ADV1592BU CONFIDENTIAL 33

VMworld 2017 Content Not fo

r publication or distri

bution

User Experience Issues

bull Black screen of deathmdashinstead of desktop

ndash PCoIP port blocked (TCP and UDP 4172) or SVGA Driver issue

ndash pcoip_serverclient logs - CUsersAll UsersVMwareVDMlogs

bull Error attaching to SVGADevTap error 4000 EscapeFailed

bull MGMT_SCHAN scnet_client_open tera_sock_connect returned error 10060 - Connection timed out

ndash Incorrect PCoIP External URL configured for SecurityConnection Servers

Horizon

ADV1592BU CONFIDENTIAL 34

VMworld 2017 Content Not fo

r publication or distri

bution

User Experience Issues

bull Poor quality display

ndash Bandwidth latency or QoS

ndash Pcoip_server logs report

bull VGMAC Stat frms Loss=045021 (RT)

bull MGMT_PCOIP_DATA BW Decrease (loss) old = 2349982 new = 1768438

bull Randomly disconnected session

ndash 15 min after established - wssm process hasnt started on desktop

ndash View Agent logs (ltDriveLettergtProgramDataVMwareVDMlogs)

ndash PENDING_EXPIRED

ndash Sometimes caused by daisy-chaining the GINA (WinXP)

Horizon

ADV1592BU CONFIDENTIAL 35

VMworld 2017 Content Not fo

r publication or distri

bution

Multi-VLAN support for Instant Clone poolsTips to Avoid Deployment Issues

Support

bull vSphere 2016

bull ESXi 60 U1 or newer

bull Virtual Distributed Switch only

ndash No support for Standard Switch

bull Port Group must be configured for Static Port Binding amp Fixed Port Allocation

ndash No support for Dynamic or Ephemeral

Tested Limits

bull No multi-VLAN provisioning with IPv6

bull Single IC pool of 2K VMs

Horizon

ADV1592BU CONFIDENTIAL 36

VMworld 2017 Content Not fo

r publication or distri

bution

Multi-VLAN with Horizon Instant ClonesTroubleshooting

Horizon

ADV1592BU CONFIDENTIAL 37

VMworld 2017 Content Not fo

r publication or distri

bution

Desktop Performance

bull Common Issues

ndash Storage IO bottleneck

ndash Memory contention

ndash CPU contention

ndash Network issues

bull Where to look

ndash vCenter Server

ndash VCOPs

ndash ESXTOP

ndash 3rd Party Tools

Horizon

ADV1592BU CONFIDENTIAL 38

VMworld 2017 Content Not fo

r publication or distri

bution

The 3 Pillars of Performance

What to look for

bull CPU

ndash ClusterHost utilization lt 90

ndash VM utilization - USED (ESXTOP)

ndash VM RDY Time (ESXTOP) lt 10

bull Memory

ndash Host utilization lt 85

ndash VM utilization

ndash Swapping Ballooning SWCUR gt 1 MCTLSZ gt 1 (ESXTOP)

bull Storage

ndash Disk Read Latency lt 25ms

ndash ESXTOP DAVG or KAVG lt 25ms (ESXTOP)

Horizon

ADV1592BU CONFIDENTIAL 39

VMworld 2017 Content Not fo

r publication or distri

bution

Optimize Your Images

bull httpslabsvmwarecomflingsvmware-os-optimization-tool

Horizon

ADV1592BU CONFIDENTIAL 40

VMworld 2017 Content Not fo

r publication or distri

bution

User Environment ManagerCommon Issues

VMworld 2017 Content Not fo

r publication or distri

bution

FlexEngine Appears Not To Run

FlexEngine Client

bull Requires use of Regeditexeor Regexe to modify user-based registry keys

bull Must not be disabled via Local or Group Policy

ADMX Settings

bull Minimum settings to enable FlexEngine Client

bull Check path

ADV1592BU CONFIDENTIAL 42

VMworld 2017 Content Not fo

r publication or distri

bution

Path-Based Import Runs Slow

bull Be careful not to run FlexEngine as a logon script and a Group Policy client-side extension

ADV1592BU CONFIDENTIAL 43

VMworld 2017 Content Not fo

r publication or distri

bution

Application Incompatibility with Hook DriversUser Environment

Manager

DirectFlex Blacklist

bull Create ltFlexRepositorygtDirectFlexBlackListXML

bull Populate as follows

ltxml version=10 encoding=utf-8gt

ltuserEnvironmentSettingsgt

ltsetting type=blacklist list=rdquo1exe|2exe|3exe gt

ltuserEnvironmentSettingsgt

bull Example httpskbvmwarecomkb2145287

ADV1592BU CONFIDENTIAL 44

VMworld 2017 Content Not fo

r publication or distri

bution

App VolumesCommon Issues

VMworld 2017 Content Not fo

r publication or distri

bution

Slow User Logon

bull Check Logon Segments in Horizon to determine where the delay is

bull Optimize clockyml

ndash If performance decreases as deployment scales

ndash Increasing servers workers and thread_poolrequires additional CPU and RAM

ndash Involve GSS to ensure optimal settings

ADV1592BU CONFIDENTIAL 46

VMworld 2017 Content Not fo

r publication or distri

bution

AppStack Not Attaching at Logon

ADV1592BU CONFIDENTIAL 47

bull One host in vSphere cluster does not have access to the shared datastore where the AppStack resides

ndash Common oversight especially with Storage Groups

bull Conflicting Minifilter driver

ndash DLP software

ndash Be aware of app altitude

ndash More info from Microsoft

bull httpbitly2tSCdG5VMworld 2017 Content Not fo

r publication or distri

bution

VMworld 2017 Content Not fo

r publication or distri

bution

VMworld 2017 Content Not fo

r publication or distri

bution

ADSI Edit ndash Static Configuration Editing

ADV1592BU CONFIDENTIAL 50

Horizon

VMworld 2017 Content Not fo

r publication or distri

bution

ADSI Edit – Common Key Values to Inspect

• pae-DisplayName
  – VM name as displayed in View Admin
• pae-DirtyForNewSessions
  – Indicates whether the VM is “Dirty” and can be re-used in a non-persistent pool
• pae-SVIVMSnapshot
  – Indicates the current Snapshot that is in use
• pae-VmPath
  – Indicates the full Path to the VM in vCenter
• pae-VmState
  – Indicates the current state of the Desktop – some states are a combination of this value and other values

ADSI Edit – Searching for a Desktop

• Find VMs with a Snapshot
  – (&(objectClass=pae-VM)(pae-SVIVmSnapshot=BaselineSnapshot1Snapshot2))
• Find VMs with a Name
  – (&(objectClass=pae-VM)(pae-DisplayName=Desktop-234))

Horizon View Event Notifier

• On the VMware Fling site - labs.vmware.com/flings (chrishalstead)

SSL Certificates and vCenter Server Connection

Accept vCenter Certificate

• By default, certificate validation is required between App Volumes Manager and vSphere
• Accept vCenter cert (self-signed or CA-signed) while creating the Machine Manager in App Volumes Manager
• No custom certificate work required

Certificate Options for Production

Options to Enable SSL

• SSL is enabled by default
• Don’t disable certificate validation during Agent installation
• Enable SSL in the registry after App Volumes Agent install

Enable Certificate Validation on the App Volumes Agent

HKLM\System\CurrentControlSet\Services\svservices\Parameters
• EnforceSSLCertificateValidation = 1
• SSL = 1

Certificate Options for a POC

• Options to Disable SSL
• Disable Certificate Validation with App Volumes Manager during App Volumes Agent install
• Set EnforceSSLCertificateValidation to 0 in the registry after App Volumes Agent install

Disable SSL Certificate Validation on the Agent

HKLM\System\CurrentControlSet\Services\svservices\Parameters
• EnforceSSLCertificateValidation = 0

SSL Certificates and SQL Server Communication

Securing Communications Between App Volumes Manager and SQL Server

• 2.12 User Guide references MS Support
• Note the differences for a SQL Server clustered installation
• Encryption is configured on the SQL Server instance, so all databases on a shared SQL Server will be affected
• From the SQL Server, use SQL Server Configuration Manager to configure Force Encryption and specify the SQL certificate
• SQL Server service account must have Read permissions to the Private Key of the SQL Server SSL certificate
  – Check SQL Server Configuration Manager > SQL Server Services > SQL Server (SQL) > Log On
  – Default is NT Service\MSSQL$SQL, which does not have the necessary permissions

SSL Certificates and SQL Server Communication

Setting Custom Private Key Permissions for SQL Service Account

• Start on the SQL Server
• MMC > Certificates

SSL Certificates and Load Balancers

Typical Deployment
  – SSL is terminated at load balancer
  – HTTP between LB and AV Manager
  – SSL between AV Agents and LB
  – If trusted CA-signed cert is used for LB, be sure all agents trust the CA

Alternative Deployment
  – To keep SSL between LB and AV Manager, signed AV Manager certificate(s) should be added to trust list of the LB

[Diagram labels: App Volumes Agent VMs, Load Balancer, App Volumes Manager VMs, SQL, View Infrastructure; caption “Now Secured with SSL Certificates”]

Desktop Not Available

What to look for… (walk through successful connection)

• Client requests desktop
  – Event Database: BROKER_DESKTOP_REQUEST
• Broker allocates session to user
  – [FarmImp] (SESSION7072--a79c) cn=3f974017-409f-4912-83bc-2ee794f22fab,ou=servers,dc=vdi,dc=vmware,dc=int total session count 0
  – [FarmImp] (SESSION7072--a79c) allocateNewSession - identified server for application CN=GOLD-NP,OU=Applications,DC=vdi,DC=vmware,DC=int
  – Event Database: BROKER_MACHINE_ALLOCATED
• Broker attempts SSO
  – [FarmImp] (SESSION7072--a79c) Using domain for SSO FUTUREOFFICE
  – User won’t be logged on to the VM without this

Desktop Not Available

What to look for… Pool Provisioning

• Desktops not available due to provisioning error
  – Check View Administrator for Pool status, check datastore capacity
  – Check Event Database - BROKER_PROVISIONING_ERROR_
  – Check View Composer has network access to ESX hosts
• Desktop not available due to customization
  – Check Desktop status – AGENT UNAVAILABLE
  – Check View Dashboard
    • Desktop Status > Preparing Desktops OR Problem Desktops
  – Check Desktop connectivity to DNS/AD/Connection Server

Desktop Not Available

• Desktop not available due to VM reset/crash
  – Check Desktop status – ALREADY USED
  – Typical on refresh-on-logoff or delete-on-use desktops
  – Broker never received an explicit logout message from the agent
  – Missing AGENT_ENDED event in DB for VM
• View Composer issues associated with incorrect domain credentials
• C:\ProgramData\VMware\View Composer\Logs
• FATAL CSvmGaService - [svmGaService.cpp 116] Domain join failed Error 5 (0x5) Access is denied

Desktop Not Available

What to look for…

• Broker starts session on VM
  – [DesktopSessionImp] (SESSION7072--a79c) startSession – sending StartSession message
• Agent responds…
  – “DesktopManager got a StartSession message”
  – Client Info should be in Agent Log along with PCoIP launch
• Event Database: AGENT_PENDING
• Client connects to VM (Agent)
  – “PCoIPCnxOnConnectionComplete Begin (PCOIP)”
  – “WTS_SESSION_LOGON”
  – Event Database: AGENT_CONNECTED

Desktop Source Not Available

Common Issues

• No Desktop Available
• Pool provisioning issues – customization
• Agent not communicating with broker
• Stuck at desktop login screen (SSO)

Desktop Source Not Available

Where to look

• Event Database
• Connection Server logs

What to look for

[SessionLaunchContext] (SESSION40a7__6cbd) VMWEUC\bsimpson Desktop=vmworld Session request failed

(SESSION40a7__6cbd) [VMWEUC\bsimpson Desktop=vmworld] (5ms) The following servers were blocked for new sessions [cn=5162cf76-8d8a-4ac0-9185-845a540d24e5,ou=servers,dc=vdi,dc=vmware,dc=int]

(SESSION40a7__6cbd) [VMWEUC\bsimpson Desktop=vmworld] (5ms) Application launch failed exception was The desktop sources for this desktop are not responding. Please try again later


Configuring Certificates for Unified Access Gateway

• Replace the default self-signed certificate
• Certificates that you import into the Unified Access Gateway appliance must be trusted by client machines
• Must also be applicable to all instances of Unified Access Gateway and any load balancer
  – Use either wildcards or Subject Alternative Name (SAN) certificates
• Detailed instructions: http://bit.ly/2gN17VE

Unified Access Gateway Certificate Deployment

Simplifying and Troubleshooting

• Automate UAG deployment including trusted certificate
  – Use OVF Tool or PowerShell
  – Production-ready deployment in ~1 minute
  – No longer requires PEM-formatted certificates
    • UAG 3.0 and above accepts PKCS#12 (.p12 or .pfx) formatted certificates
  – Guide to scripted deployment: https://communities.vmware.com/docs/DOC-30835
    • Includes sample INI and PS1 files
    • Includes troubleshooting examples

Certificates with App Volumes Manager

Replace Self-Signed Cert with a CA-Signed Cert Trusted by the App Volumes Agent

Options to Enable SSL
• Replace self-signed certificate on App Volumes Manager server with a cert trusted by App Volumes Agent VMs
• User guide: http://bit.ly/2vlzgxX
• Step-by-step blog with video: http://bit.ly/2ung7yE

Recommended for SSL
• Use SSL for SQL Server Communication
• Accept a CA-signed certificate from vCenter

App Volumes Certificates

Additional Considerations

• Certificate validation between App Volumes Manager and vCenter
• Certificate validation for App Volumes Agent
  – POC versus Production implementation
• Secure communications between App Volumes and Microsoft SQL server
• Applying certificates in load balanced configurations

Avoiding Certificate Issues

Be Consistent with App Volumes Manager Name

VMware Horizon Log Locations

Logs can be collected from…

[Diagram labels: Core Infrastructure, Active Directory, vCenter Server, vRealize Operations Manager for Horizon, Database (SQL), vSphere, vSAN, SaaS Mobile Apps, Applications (App Volumes), VMware Identity Manager, User Workspace, User Environment, IT Settings, User Profile, End-Point Clients, VMware Horizon, RDS Desktops & Apps, Virtual Desktop Pools, Unified Access Gateway, Connection Server, View Composer]

Use KB1017939 for log locations and KB1025887 to change log levels

VMware Unified Access Gateway (UAG) Logs

Log Files

• Default log level is INFO
• Adjust log level for debugging information
  – Details of log levels and collecting log files: http://bit.ly/2ufqdAY

Monitoring

• Monitor UAG services from the Admin UI

App Volumes Logs

“DJ” indicates Manager background job
“R” indicates dynamic Ruby job
Log files are now created daily

• Use Notepad++ to quickly group log entries by task

User Environment Manager Logs

Global and Individual Debug Logs

• Configure debug logging for individual user
  – https://kb.vmware.com/kb/2113514

Application Personalization & DirectFlex

[Timeline diagram of a User Session against the Profile Data Store (File Share) and Base Profile: UEM Logon – import of Keyboard, Mouse, Wallpaper, Windows Settings; Application Launch – import of application settings; Application Shutdown – export of application settings; UEM Logoff – export of Keyboard, Mouse, Wallpaper, Windows Settings]

DirectFlex Logging

DirectFlex Import

DirectFlex Export

Tracking Sessions

• Use Tail/Grep Utilities or Trace32 (SCCM Toolkit)

Demo – Log Monitoring with BareTail/BareGrep

Horizon – Common Issues

Troubleshooting Keys

• Check Admin Dashboard or HelpDesk Tool
• Understand client connection paths
• Set the appropriate Logging Level
• Check Logs and understand DCT Tool
• Use kb.vmware.com or communities

Horizon Helpdesk Tool

Horizon Helpdesk Tool Session Details

Access

• Installed by default on CS
• https://[CS FQDN]/helpdesk
• Launch from Horizon Console

Provides

• Metrics
• Send Message
• Remote Assistance
• Quick Resolution
  – Restart
  – Logoff
  – Reset
  – Disconnect

Horizon Helpdesk Tool

Measuring Impact of AppStacks

No AppStacks

Three AppStacks – VLC, Notepad++, 7-Zip

Identifying the Problem Domain

[Diagram labels: Pool, Profile, Service, Apps, User, Remoting Protocol, User Environment Manager, File Shares, Persona, ThinApp Shares, Streamed Apps, Master VM, Instant Clone, Home File Shares, Folder Redirection, App Volumes AppStacks, Writable Volume, Disk Attachments, vSphere, Virtual SAN, Instant Clone, SaaS Mobile Other Apps, Client(s), Identity Manager, HTML APPS, Environment, AD, DNS, DHCP, Group Policy, Certs, vRealize Operations for Horizon – (Monitoring & Mgt)]

Horizon Connectivity Issues

• Common challenges
  – Horizon Client can’t connect
  – Logon failure
  – Black screen
  – Poor quality display
  – Randomly disconnected session


Blast Extreme Adaptive Transport

ADMX Template Settings

Computer > Policies > Admin Templates > VMware Blast > UDP Protocol

• Requires restart of Blast service or reboot of guest OS to take effect

Blast Extreme Adaptive Transport

Client Settings | Agent Settings (UDP)      | Blast Desktop Connection | Broker Connection
Excellent       | Not configured or Enabled | TCP                      | TCP
Typical         | Not configured or Enabled | UDP                      | TCP
Poor            | Not configured or Enabled | UDP                      | UDP

Computer > Policies > Admin Templates > VMware Blast > UDP Protocol – Not Configured or Enabled
HKLM\SOFTWARE\Policies\VMware, Inc.\VMware Blast\Config – UdpEnabled = 1

Client Settings | Agent Settings (UDP) | Blast Desktop Connection | Broker Connection
Excellent       | Disabled             | TCP                      | TCP
Typical         | Disabled             | TCP                      | TCP
Poor            | Disabled             | TCP                      | UDP

Computer > Policies > Admin Templates > VMware Blast > UDP Protocol – Disabled
HKLM\SOFTWARE\Policies\VMware, Inc.\VMware Blast\Config – UdpEnabled = 0

Horizon Connectivity Issues

• Where to look
  – Connection Broker logs
    • C:\ProgramData\VMware\VDM\logs
  – Event Database
  – DCT Tool
• What to look for
  – (Client connects) [SimpleAJPService] (ajpbrokerRequest9) Request from 19216821 POST brokerxml
  – (Broker authentication) [WinAuthFilter] (SESSION7072--a79c mattc) Attempting to authenticate user mattc in domain FUTUREOFFICE’
  – (User has authenticated to Broker) [AuthorizationFilter] (SESSION7072--a79c) User FUTUREOFFICE\mattc has successfully authenticated to VDM
  – (Audit Entry) [Audit] (SESSION7072--a79c) BROKER_LOGON:USER:FUTUREOFFICE\mattc;USERSID:S-1-5-21-326850759-2560684469-1780228732-1113;USERDN:CN=S-1-5-21-326850759-2560684469-1780228732-1113,CN=ForeignSecurityPrincipals,DC=vdi,DC=vmware,DC=int
  – Event Database: BROKER_USERLOGGEDIN
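The log lines quoted on the "Horizon Connectivity Issues", "Desktop Not Available" and "Desktop Source Not Available" slides all carry a session tag, which is what lets one launch be followed through the Connection Server log. The script below is an added example, not code from the presentation or from VMware: it groups lines by that tag and reports how far each session got. The stage names, the third session id and the sample log are constructed for illustration, and the tag format is assumed to match the way it is rendered on this page.

```python
import re
from dataclasses import dataclass, field

# Milestones of a successful launch, in order, keyed by message text quoted
# on the slides. Stage names are labels chosen for this example.
STAGES = [
    ("auth_attempt", "Attempting to authenticate user"),
    ("authenticated", "has successfully authenticated to VDM"),
    ("allocated", "allocateNewSession"),
    ("sso_domain", "Using domain for SSO"),
    ("start_session", "sending StartSession message"),
]
# Messages quoted on the "Desktop Source Not Available" slide.
FAILURES = [
    "Session request failed",
    "blocked for new sessions",
    "Application launch failed",
]
# Assumption: the session tag looks the way it is rendered on this page,
# e.g. "(SESSION7072--a79c)" or "(SESSION7072--a79c mattc)".
SESSION_RE = re.compile(r"\((SESSION[^)\s]+)")
ORDER = [name for name, _ in STAGES]


@dataclass
class Trace:
    reached: set = field(default_factory=set)
    failures: list = field(default_factory=list)


def trace_sessions(lines):
    """Group log lines by session tag and record which markers each hit."""
    traces = {}
    for line in lines:
        match = SESSION_RE.search(line)
        if not match:
            continue  # lines without a session tag cannot be correlated
        trace = traces.setdefault(match.group(1), Trace())
        for name, marker in STAGES:
            if marker in line:
                trace.reached.add(name)
        for marker in FAILURES:
            if marker in line and marker not in trace.failures:
                trace.failures.append(marker)
    return traces


def diagnose(trace):
    """Summarise how far a session got and which earlier stages are missing."""
    seen = [name for name in ORDER if name in trace.reached]
    last = seen[-1] if seen else None
    upto = ORDER.index(last) if last else 0
    skipped = [name for name in ORDER[:upto] if name not in trace.reached]
    if trace.failures:
        status = "failed"
    elif skipped:
        status = "gap"        # e.g. StartSession sent but no SSO domain line
    elif last == ORDER[-1]:
        status = "complete"
    else:
        status = "stalled"
    return {"status": status, "last_stage": last,
            "skipped": skipped, "failures": trace.failures}


# Constructed sample: message texts come from the slides; the interleaving,
# the third session id and its lines are made up for illustration.
SAMPLE_LOG = r"""
[WinAuthFilter] (SESSION7072--a79c mattc) Attempting to authenticate user mattc in domain FUTUREOFFICE
[WinAuthFilter] (SESSION40a7__6cbd bsimpson) Attempting to authenticate user bsimpson in domain VMWEUC
[AuthorizationFilter] (SESSION7072--a79c) User FUTUREOFFICE\mattc has successfully authenticated to VDM
[AuthorizationFilter] (SESSION40a7__6cbd) User VMWEUC\bsimpson has successfully authenticated to VDM
[FarmImp] (SESSION7072--a79c) allocateNewSession - identified server for application CN=GOLD-NP
[SessionLaunchContext] (SESSION40a7__6cbd) VMWEUC\bsimpson Desktop=vmworld Session request failed
(SESSION40a7__6cbd) [VMWEUC\bsimpson Desktop=vmworld] (5ms) The following servers were blocked for new sessions
[FarmImp] (SESSION7072--a79c) Using domain for SSO FUTUREOFFICE
[WinAuthFilter] (SESSIONc0de--0001 demo) Attempting to authenticate user demo in domain EXAMPLE
[AuthorizationFilter] (SESSIONc0de--0001) User EXAMPLE\demo has successfully authenticated to VDM
[FarmImp] (SESSIONc0de--0001) allocateNewSession - identified server for application CN=GOLD-NP
[DesktopSessionImp] (SESSION7072--a79c) startSession - sending StartSession message
[DesktopSessionImp] (SESSIONc0de--0001) startSession - sending StartSession message
(SESSION40a7__6cbd) [VMWEUC\bsimpson Desktop=vmworld] (5ms) Application launch failed
"""

if __name__ == "__main__":
    for session, trace in trace_sessions(SAMPLE_LOG.splitlines()).items():
        print(session, diagnose(trace))
```

A "gap" result with sso_domain skipped corresponds to the slide's note that the user won't be logged on to the VM without the SSO line.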

User Experience Issues

• Black screen of death – instead of desktop
  – PCoIP port blocked (TCP and UDP 4172) or SVGA Driver issue
  – pcoip_server/client logs - C:\Users\All Users\VMware\VDM\logs
    • Error attaching to SVGADevTap error 4000 EscapeFailed
    • MGMT_SCHAN scnet_client_open tera_sock_connect returned error 10060 - Connection timed out
  – Incorrect PCoIP External URL configured for Security/Connection Servers

User Experience Issues

• Poor quality display
  – Bandwidth, latency or QoS
  – pcoip_server logs report
    • VGMAC Stat frms Loss=045021 (RT)
    • MGMT_PCOIP_DATA BW Decrease (loss) old = 2349982 new = 1768438
• Randomly disconnected session
  – 15 min after established - wssm process hasn’t started on desktop
  – View Agent logs (<DriveLetter>:\ProgramData\VMware\VDM\logs)
  – PENDING_EXPIRED
  – Sometimes caused by daisy-chaining the GINA (WinXP)

Multi-VLAN support for Instant Clone pools

Tips to Avoid Deployment Issues

Support

• vSphere 2016
• ESXi 6.0 U1 or newer
• Virtual Distributed Switch only
  – No support for Standard Switch
• Port Group must be configured for Static Port Binding & Fixed Port Allocation
  – No support for Dynamic or Ephemeral

Tested Limits

• No multi-VLAN provisioning with IPv6
• Single IC pool of 2K VMs

Multi-VLAN with Horizon Instant Clones – Troubleshooting

Desktop Performance

• Common Issues
  – Storage I/O bottleneck
  – Memory contention
  – CPU contention
  – Network issues
• Where to look
  – vCenter Server
  – VCOPs
  – ESXTOP
  – 3rd Party Tools

The 3 Pillars of Performance

What to look for

• CPU
  – Cluster/Host utilization < 90%
  – VM utilization - %USED (ESXTOP)
  – VM %RDY Time (ESXTOP) < 10%
• Memory
  – Host utilization < 85%
  – VM utilization
  – Swapping, Ballooning: SWCUR > 1, MCTLSZ > 1 (ESXTOP)
• Storage
  – Disk Read Latency < 25ms
  – ESXTOP DAVG or KAVG < 25ms (ESXTOP)

Optimize Your Images

• https://labs.vmware.com/flings/vmware-os-optimization-tool

User Environment Manager – Common Issues

FlexEngine Appears Not To Run

FlexEngine Client

• Requires use of Regedit.exe or Reg.exe to modify user-based registry keys
• Must not be disabled via Local or Group Policy

ADMX Settings

• Minimum settings to enable FlexEngine Client
• Check path

ADV1592BU CONFIDENTIAL 42

VMworld 2017 Content Not fo

r publication or distri

bution

Path-Based Import Runs Slow

bull Be careful not to run FlexEngine as a logon script and a Group Policy client-side extension

ADV1592BU CONFIDENTIAL 43

VMworld 2017 Content Not fo

r publication or distri

bution

Application Incompatibility with Hook DriversUser Environment

Manager

DirectFlex Blacklist

bull Create ltFlexRepositorygtDirectFlexBlackListXML

bull Populate as follows

ltxml version=10 encoding=utf-8gt

ltuserEnvironmentSettingsgt

ltsetting type=blacklist list=rdquo1exe|2exe|3exe gt

ltuserEnvironmentSettingsgt

bull Example httpskbvmwarecomkb2145287

ADV1592BU CONFIDENTIAL 44

VMworld 2017 Content Not fo

r publication or distri

bution

App VolumesCommon Issues

VMworld 2017 Content Not fo

r publication or distri

bution

Slow User Logon

bull Check Logon Segments in Horizon to determine where the delay is

bull Optimize clockyml

ndash If performance decreases as deployment scales

ndash Increasing servers workers and thread_poolrequires additional CPU and RAM

ndash Involve GSS to ensure optimal settings

ADV1592BU CONFIDENTIAL 46

VMworld 2017 Content Not fo

r publication or distri

bution

AppStack Not Attaching at Logon

ADV1592BU CONFIDENTIAL 47

bull One host in vSphere cluster does not have access to the shared datastore where the AppStack resides

ndash Common oversight especially with Storage Groups

bull Conflicting Minifilter driver

ndash DLP software

ndash Be aware of app altitude

ndash More info from Microsoft

bull httpbitly2tSCdG5VMworld 2017 Content Not fo

r publication or distri

bution

VMworld 2017 Content Not fo

r publication or distri

bution

VMworld 2017 Content Not fo

r publication or distri

bution

ADSI Edit ndash Static Configuration Editing

ADV1592BU CONFIDENTIAL 50

Horizon

VMworld 2017 Content Not fo

r publication or distri

bution

ADSI Edit ndash Common Key Values to Inspect

bull pae-DisplayName

ndash VM name as displayed in View Admin

bull pae-DirtyForNewSessions

ndash Indicates whether the VM is ldquoDirtyrdquo and can be re-used in a non-persistent pool

bull pae-SVIVMSnapshot

ndash Indicates the current Snapshot that is in use

bull pae-VmPath

ndash Indicates the full Path to the VM in vCenter

bull pae-VmState

ndash Indicates the current state of the Desktop ndash some states are a combination of this valueand other values

ADV1592BU CONFIDENTIAL 51

Horizon

VMworld 2017 Content Not fo

r publication or distri

bution

ADSI Edit ndash Searching for a Desktop

bull Find VMs with a Snapshot

ndash (amp(objectClass=pae-VM)(pae-SVIVmSnapshot=BaselineSnapshot1Snapshot2))

bull Find VMs with a Name

ndash (amp(objectClass=pae-VM)(pae-DisplayName=Desktop-234))

Horizon

ADV1592BU CONFIDENTIAL 52

VMworld 2017 Content Not fo

r publication or distri

bution

Horizon View Event Notifier

bull On the VMware Fling site - labsvmwarecomflings (chrishalstead)

Horizon

ADV1592BU CONFIDENTIAL 53

VMworld 2017 Content Not fo

r publication or distri

bution

SSL Certificates and vCenter Server Connection

Accept vCenter Certificate

bull By default certificate validation is required between App Volumes Manager and vSphere

bull Accept vCenter cert (self-signed or CA-signed) while creating the Machine Manager in App Volumes Manager

bull No custom certificate work required

App Volumes

ADV1592BU CONFIDENTIAL 54

VMworld 2017 Content Not fo

r publication or distri

bution

Certificate Options for Production

Options to Enable SSL

bull SSL is enabled by default

bull Donrsquot disable certificate validation during Agent installation

bull Enable SSL in the registry after App Volumes Agent install

ADV1592BU CONFIDENTIAL 55

Enable Certificate Validation on the App Volumes Agent

HKLMSystemCurrentControlSetServicessvservicesParametersbull EnforceSSLCertificateValidation = 1bull SSL = 1

App Volumes

VMworld 2017 Content Not fo

r publication or distri

bution

Certificate Options for a POC

bull Options to Disable SSL

bull Disable Certificate Validation with App Volumes Manager during App Volumes Agent install

bull EnforceSSLCertificateValidation in the registry after App Volumes Agent install

ADV1592BU CONFIDENTIAL 56

Disable SSL Certificate Validation on the Agent

HKLMSystemCurrentControlSetServicessvservicesParametersbull EnforceSSLCertificateValidation = 0

App Volumes

VMworld 2017 Content Not fo

r publication or distri

bution

SSL Certificates and SQL Server CommunicationSecuring Communications Between App Volumes Manager and SQL Server

bull 212 User Guide references MS Support

bull Note the differences for a SQL Server clustered installation

bull Encryption is configured on the SQL Server instance so alldatabases on a shared SQL Server will be affected

bull From the SQL Server use SQL Server Configuration Manager to configure Force Encryption and specify the SQL certificate

SQL Server service account must have Read permissions to the Private Key of the SQL Server SSL certificate

ndash Check SQL Server Configuration Manager gt SQL Server Services gt SQL Server (SQL) gt Log On

ndash Default is NT ServiceMSSQL$SQL which does not have the necessary permissions

App Volumes

ADV1592BU CONFIDENTIAL 57

VMworld 2017 Content Not fo

r publication or distri

bution

SSL Certificates and SQL Server Communication

bull Start on the SQL Server

bull MMC gt Certificates

ADV1592BU CONFIDENTIAL 58

Setting Custom Private Key Permissions for SQL Service Account

App Volumes

VMworld 2017 Content Not fo

r publication or distri

bution

SSL Certificates and Load Balancers

ADV1592BU CONFIDENTIAL 59

Typical Deployment

ndash SSL is terminated at load balancer

ndash HTTP between LB and AV Manager

ndash SSL between AV Agents and LB

ndash If trusted CA-signed cert is used for LB be sure all agents trust the CA

App Volumes Agent VMs

Load Balancer

App Volumes Manager VMs

Alternative Deployment

ndash To keep SSL between LB and AV Manager signed AV Manager certificate(s) should be added to trust list of the LB

SQLView Infrastructure

Now Secured withSSL Certificates

App Volumes

VMworld 2017 Content Not fo

r publication or distri

bution

Desktop Not Available

What to look forhellip (walk through successful connection)

bull Client requests desktop

ndash Event Database BROKER_DESKTOP_REQUEST

bull Broker allocates session to user

ndash [FarmImp] (SESSION7072--a79c) cn=3f974017-409f-4912-83bc-2ee794f22fabou=serversdc=vdidc=vmwaredc=int total session count 0

ndash [FarmImp] (SESSION7072--a79c) allocateNewSession - identified server for application CN=GOLD-NPOU=ApplicationsDC=vdiDC=vmwareDC=int

ndash Event Database BROKER_MACHINE_ALLOCATED

bull Broker attempts SSO

ndash [FarmImp] (SESSION7072--a79c) Using domain for SSO FUTUREOFFICE

ndash User wonrsquot be logged on to the VM without this

Horizon

ADV1592BU CONFIDENTIAL 60

VMworld 2017 Content Not fo

r publication or distri

bution

Desktop Not Available

What to look forhellip Pool Provisioning

bull Desktops not available due to provisioning error

ndash Check View Administrator for Pool status check datastore capacity

ndash Check Event Database - BROKER_PROVISIONING_ERROR_

ndash Check View Composer has network access to ESX hosts

bull Desktop not available due to customization

ndash Check Desktop status ndash AGENT UNAVAILABLE

ndash Check View Dashboard

bull Desktop Status gt Preparing Desktops OR Problem Desktops

ndash Check Desktop connectivity to DNSADConnection Server

Horizon

ADV1592BU CONFIDENTIAL 61

VMworld 2017 Content Not fo

r publication or distri

bution

Desktop Not Available

bull Desktop not available due to VM resetcrash

ndash Check Desktop status ndash ALREADY USED

ndash Typical on refresh-on-logoff or delete-on-use desktops

ndash Broker never received an explicit logout message from the agent

ndash Missing AGENT_ENDED event in DB for VM

bull View Composer Issues associated with incorrect domain credentials

bull CProgramDataVMwareView ComposerLogs

bull FATAL CSvmGaService - [svmGaServicecpp 116] Domain join failed Error 5 (0x5) Access is denied

Horizon

ADV1592BU CONFIDENTIAL 62

VMworld 2017 Content Not fo

r publication or distri

bution

Desktop Not Available

What to look forhellip

bull Broker starts session on VM

ndash [DesktopSessionImp] (SESSION7072--a79c) startSession ndashsending StartSession message

bull Agent respondshellip

ndash DesktopManager got a StartSession messagerdquo

ndash Client Info should be in Agent Log along with PCoIP launch

bull Event Database AGENT_PENDING

bull Client connects to VM (Agent)

ndash ldquoPCoIPCnxOnConnectionComplete Begin (PCOIP)rdquo

ndash ldquoWTS_SESSION_LOGONrdquo

ndash Event Database AGENT_CONNECTED

Horizon

ADV1592BU CONFIDENTIAL 63

VMworld 2017 Content Not fo

r publication or distri

bution

Desktop Source Not Available

Common Issues

bull No Desktop Available

bull Pool provisioning issues ndashcustomization

bull Agent not communicatingwith broker

bull Stuck at desktop loginscreen (SSO)

Horizon

ADV1592BU CONFIDENTIAL 64

VMworld 2017 Content Not fo

r publication or distri

bution

Desktop Source Not Available

Where to look

bull Event Database

bull Connection Server logs

What to look for

[SessionLaunchContext] (SESSION40a7__6cbd) VMWEUCbsimpson Desktop=vmworld Session request failed

(SESSION40a7__6cbd) [VMWEUCbsimpson Desktop=vmworld] (5ms) The following servers were blocked for new sessions [cn=5162cf76-8d8a-4ac0-9185-845a540d24e5ou=serversdc=vdidc=vmwaredc=int]

(SESSION40a7__6cbd) [VMWEUCbsimpson Desktop=vmworld] (5ms) Application launch failed exception was The desktop sources for this desktop are not responding Please try again later

Horizon

ADV1592BU CONFIDENTIAL 65

VMworld 2017 Content Not fo

r publication or distri

bution

Page 9: ADV1592BU Troubleshooting Your Horizon 7 Deployment … · Troubleshooting Your Horizon 7 Deployment VMworld 2017 ... (SCCM Toolkit) Horizon ... Troubleshooting Horizon

Unified Access Gateway Certificate Deployment

bull Automate UAG deployment including trusted certificate

ndash Use OVF Tool or PowerShell

ndash Production-ready deployment in ~1 minute

ndash No longer requires PEM-formatted certificates

bull UAG 30 and above accepts PKCS12 (p12 or pfx) formatted certificates

ndash Guide to scripted deployment httpscommunitiesvmwarecomdocsDOC-30835

bull Includes sample INI and PS1 files

bull Includes troubleshooting examples

Simplifying and Troubleshooting

Unified Access Gateway

ADV1592BU CONFIDENTIAL 9

VMworld 2017 Content Not fo

r publication or distri

bution

Certificates with App Volumes Manager

Replace Self-Signed Cert with a CA-Signed Cert Trusted by the App Volumes Agent

Options to Enable SSL
• Replace self-signed certificate on App Volumes Manager server with a cert trusted by App Volumes Agent VMs
• User guide: http://bit.ly/2vlzgxX
• Step-by-step blog with video: http://bit.ly/2ung7yE

Recommended for SSL
• Use SSL for SQL Server communication
• Accept a CA-signed certificate from vCenter

App Volumes Certificates

Additional Considerations

• Certificate validation between App Volumes Manager and vCenter
• Certificate validation for App Volumes Agent
  – POC versus Production implementation
• Secure communications between App Volumes and Microsoft SQL Server
• Applying certificates in load-balanced configurations

Avoiding Certificate Issues

Be Consistent with App Volumes Manager Name

VMware Horizon Log Locations

Logs can be collected from…

[Diagram: Horizon components. Core Infrastructure (Active Directory, vCenter Server, vRealize Operations Manager for Horizon, Database (SQL), vSphere, vSAN); SaaS, Mobile Apps; Applications (App Volumes); VMware Identity Manager; User Workspace; User Environment (IT Settings, User Profile); End-Point Clients; VMware Horizon (RDS Desktops & Apps, Virtual Desktop Pools); Unified Access Gateway; Connection Server; View Composer]

Use KB1017939 for log locations and KB1025887 to change log levels

VMware Unified Access Gateway (UAG) Logs

Log Files
• Default log level is INFO
• Adjust log level for debugging information
  – Details of log levels and collecting log files: http://bit.ly/2ufqdAY

Monitoring
• Monitor UAG services from the Admin UI

App Volumes Logs

• “DJ” indicates Manager background job
• “R” indicates dynamic Ruby job
• Log files are now created daily
• Use Notepad++ to quickly group log entries by task

User Environment Manager Logs

Global and Individual Debug Logs

• Configure debug logging for individual user
  – https://kb.vmware.com/kb/2113514

Application Personalization & DirectFlex

[Diagram: timeline of a user session between the Base Profile and the Profile Data Store (File Share)]
• UEM Logon: import of Keyboard, Mouse, Wallpaper, Windows Settings
• Application Launch: import of application settings
• Application Shutdown: export of application settings
• UEM Logoff: export of Keyboard, Mouse, Wallpaper, Windows Settings

DirectFlex Logging

DirectFlex Import

DirectFlex Export

Tracking Sessions

• Use Tail/Grep utilities or Trace32 (SCCM Toolkit)

Demo – Log Monitoring with BareTail/BareGrep

Horizon Common Issues

Troubleshooting Keys

• Check Admin Dashboard or HelpDesk Tool
• Understand client connection paths
• Set the appropriate Logging Level
• Check Logs and understand DCT Tool
• Use kb.vmware.com or communities

Horizon Helpdesk Tool

Horizon Helpdesk Tool Session Details

Access
• Installed by default on CS
• https://[CS FQDN]/helpdesk
• Launch from Horizon Console

Provides
• Metrics
• Send Message
• Remote Assistance
• Quick Resolution
  – Restart
  – Logoff
  – Reset
  – Disconnect

Horizon Helpdesk Tool

Measuring Impact of AppStacks

• No AppStacks
• Three AppStacks – VLC, Notepad++, 7-Zip

Identifying the Problem Domain

[Diagram: layers of a Horizon deployment. Pool; Profile; Service; Apps; User; Remoting Protocol; User Environment Manager; File Shares; Persona; ThinApp Shares; Streamed Apps; Master VM; Instant Clone; Home File Shares; Folder Redirection; App Volumes; AppStacks; Writable Volume; Disk Attachments; vSphere; Virtual SAN; Instant Clone; SaaS, Mobile, Other Apps; Client(s); Identity Manager; HTML; APPS; Environment (AD, DNS, DHCP, Group Policy, Certs); vRealize Operations for Horizon – (Monitoring & Mgt)]

Horizon Connectivity Issues

• Common challenges
  – Horizon Client can’t connect
  – Logon failure
  – Black screen
  – Poor quality display
  – Randomly disconnected session

Blast Extreme Adaptive Transport

ADMX Template Settings

Computer > Policies > Admin Templates > VMware Blast > UDP Protocol
• Requires restart of Blast service or reboot of guest OS to take effect

Blast Extreme Adaptive Transport

Client Settings   Agent Settings (UDP)        Blast Desktop Connection   Broker Connection
Excellent         Not configured or Enabled   TCP                        TCP
Typical           Not configured or Enabled   UDP                        TCP
Poor              Not configured or Enabled   UDP                        UDP

Computer > Policies > Admin Templates > VMware Blast > UDP Protocol – Not Configured or Enabled
HKLM\SOFTWARE\Policies\VMware, Inc.\VMware Blast\Config – UdpEnabled = 1

Client Settings   Agent Settings (UDP)   Blast Desktop Connection   Broker Connection
Excellent         Disabled               TCP                        TCP
Typical           Disabled               TCP                        TCP
Poor              Disabled               TCP                        UDP

Computer > Policies > Admin Templates > VMware Blast > UDP Protocol – Disabled
HKLM\SOFTWARE\Policies\VMware, Inc.\VMware Blast\Config – UdpEnabled = 0

Horizon Connectivity Issues

• Where to look
  – Connection Broker logs
    • C:\ProgramData\VMware\VDM\logs
  – Event Database
  – DCT Tool
• What to look for
  • (Client connects) [SimpleAJPService] (ajpbrokerRequest9) Request from 19216821 POST brokerxml
  • (Broker authentication) [WinAuthFilter] (SESSION7072--a79c mattc) Attempting to authenticate user mattc in domain 'FUTUREOFFICE'
  • (User has authenticated to Broker) [AuthorizationFilter] (SESSION7072--a79c) User FUTUREOFFICEmattc has successfully authenticated to VDM
  • (Audit Entry) [Audit] (SESSION7072--a79c) BROKER_LOGONUSERFUTUREOFFICEmattcUSERSIDS-1-5-21-326850759-2560684469-1780228732-1113USERDNCN=S-1-5-21-326850759-2560684469-1780228732-1113CN=ForeignSecurityPrincipalsDC=vdiDC=vmwareDC=int
  • Event Database: BROKER_USERLOGGEDIN

User Experience Issues

• Black screen of death (instead of desktop)
  – PCoIP port blocked (TCP and UDP 4172) or SVGA driver issue
  – pcoip_server/client logs - C:\Users\All Users\VMware\VDM\logs
    • Error attaching to SVGADevTap error 4000 EscapeFailed
    • MGMT_SCHAN scnet_client_open tera_sock_connect returned error 10060 - Connection timed out
  – Incorrect PCoIP External URL configured for Security/Connection Servers

User Experience Issues

• Poor quality display
  – Bandwidth, latency or QoS
  – pcoip_server logs report
    • VGMAC Stat frms Loss=045021 (RT)
    • MGMT_PCOIP_DATA BW Decrease (loss) old = 2349982 new = 1768438
• Randomly disconnected session
  – 15 min after established - wssm process hasn't started on desktop
  – View Agent logs (<DriveLetter>:\ProgramData\VMware\VDM\logs)
  – PENDING_EXPIRED
  – Sometimes caused by daisy-chaining the GINA (WinXP)

Multi-VLAN Support for Instant Clone Pools

Tips to Avoid Deployment Issues

Support
• vSphere 2016
• ESXi 6.0 U1 or newer
• Virtual Distributed Switch only
  – No support for Standard Switch
• Port Group must be configured for Static Port Binding & Fixed Port Allocation
  – No support for Dynamic or Ephemeral

Tested Limits
• No multi-VLAN provisioning with IPv6
• Single IC pool of 2K VMs

Multi-VLAN with Horizon Instant Clones

Troubleshooting

Desktop Performance

• Common Issues
  – Storage I/O bottleneck
  – Memory contention
  – CPU contention
  – Network issues
• Where to look
  – vCenter Server
  – VCOPs
  – ESXTOP
  – 3rd Party Tools

The 3 Pillars of Performance

What to look for
• CPU
  – Cluster/Host utilization < 90%
  – VM utilization - %USED (ESXTOP)
  – VM %RDY Time (ESXTOP) < 10%
• Memory
  – Host utilization < 85%
  – VM utilization
  – Swapping, Ballooning: SWCUR > 1, MCTLSZ > 1 (ESXTOP)
• Storage
  – Disk Read Latency < 25 ms
  – ESXTOP DAVG or KAVG < 25 ms (ESXTOP)

Optimize Your Images

• https://labs.vmware.com/flings/vmware-os-optimization-tool

User Environment Manager Common Issues

FlexEngine Appears Not To Run

FlexEngine Client
• Requires use of Regedit.exe or Reg.exe to modify user-based registry keys
• Must not be disabled via Local or Group Policy

ADMX Settings
• Minimum settings to enable FlexEngine Client
• Check path

Path-Based Import Runs Slow

• Be careful not to run FlexEngine as a logon script and a Group Policy client-side extension

Application Incompatibility with Hook Drivers

DirectFlex Blacklist
• Create <FlexRepository>DirectFlexBlackListXML
• Populate as follows:

    <?xml version="1.0" encoding="utf-8"?>
    <userEnvironmentSettings>
        <setting type="blacklist" list="1.exe|2.exe|3.exe" />
    </userEnvironmentSettings>

• Example: https://kb.vmware.com/kb/2145287

App Volumes Common Issues

Slow User Logon

• Check Logon Segments in Horizon to determine where the delay is
• Optimize clock.yml
  – If performance decreases as deployment scales
  – Increasing servers, workers and thread_pool requires additional CPU and RAM
  – Involve GSS to ensure optimal settings

AppStack Not Attaching at Logon

• One host in vSphere cluster does not have access to the shared datastore where the AppStack resides
  – Common oversight, especially with Storage Groups
• Conflicting Minifilter driver
  – DLP software
  – Be aware of app altitude
  – More info from Microsoft
    • http://bit.ly/2tSCdG5

ADSI Edit – Static Configuration Editing

ADSI Edit – Common Key Values to Inspect

• pae-DisplayName
  – VM name as displayed in View Admin
• pae-DirtyForNewSessions
  – Indicates whether the VM is “Dirty” and can be re-used in a non-persistent pool
• pae-SVIVMSnapshot
  – Indicates the current Snapshot that is in use
• pae-VmPath
  – Indicates the full Path to the VM in vCenter
• pae-VmState
  – Indicates the current state of the Desktop – some states are a combination of this value and other values

ADSI Edit – Searching for a Desktop

• Find VMs with a Snapshot
  – (&(objectClass=pae-VM)(pae-SVIVmSnapshot=BaselineSnapshot1Snapshot2))
• Find VMs with a Name
  – (&(objectClass=pae-VM)(pae-DisplayName=Desktop-234))

Horizon View Event Notifier

• On the VMware Fling site - labs.vmware.com/flings (chrishalstead)

SSL Certificates and vCenter Server Connection

Accept vCenter Certificate
• By default, certificate validation is required between App Volumes Manager and vSphere
• Accept vCenter cert (self-signed or CA-signed) while creating the Machine Manager in App Volumes Manager
• No custom certificate work required

Certificate Options for Production

Enable Certificate Validation on the App Volumes Agent

Options to Enable SSL
• SSL is enabled by default
• Don’t disable certificate validation during Agent installation
• Enable SSL in the registry after App Volumes Agent install

HKLM\System\CurrentControlSet\Services\svservices\Parameters
• EnforceSSLCertificateValidation = 1
• SSL = 1

Certificate Options for a POC

Disable SSL Certificate Validation on the Agent

• Options to Disable SSL
• Disable Certificate Validation with App Volumes Manager during App Volumes Agent install
• EnforceSSLCertificateValidation in the registry after App Volumes Agent install

HKLM\System\CurrentControlSet\Services\svservices\Parameters
• EnforceSSLCertificateValidation = 0

SSL Certificates and SQL Server Communication

Securing Communications Between App Volumes Manager and SQL Server

• 2.12 User Guide references MS Support
• Note the differences for a SQL Server clustered installation
• Encryption is configured on the SQL Server instance, so all databases on a shared SQL Server will be affected
• From the SQL Server, use SQL Server Configuration Manager to configure Force Encryption and specify the SQL certificate

SQL Server service account must have Read permissions to the Private Key of the SQL Server SSL certificate
  – Check SQL Server Configuration Manager > SQL Server Services > SQL Server (SQL) > Log On
  – Default is NT Service\MSSQL$SQL, which does not have the necessary permissions

SSL Certificates and SQL Server Communication

Setting Custom Private Key Permissions for SQL Service Account

• Start on the SQL Server
• MMC > Certificates

SSL Certificates and Load Balancers

Typical Deployment
  – SSL is terminated at load balancer
  – HTTP between LB and AV Manager
  – SSL between AV Agents and LB
  – If trusted CA-signed cert is used for LB, be sure all agents trust the CA

Alternative Deployment
  – To keep SSL between LB and AV Manager, signed AV Manager certificate(s) should be added to trust list of the LB

[Diagram: App Volumes Agent VMs; Load Balancer; App Volumes Manager VMs; SQL; View Infrastructure. Now Secured with SSL Certificates]

Desktop Not Available

What to look for… (walk through successful connection)

• Client requests desktop
  – Event Database: BROKER_DESKTOP_REQUEST
• Broker allocates session to user
  – [FarmImp] (SESSION7072--a79c) cn=3f974017-409f-4912-83bc-2ee794f22fabou=serversdc=vdidc=vmwaredc=int total session count 0
  – [FarmImp] (SESSION7072--a79c) allocateNewSession - identified server for application CN=GOLD-NPOU=ApplicationsDC=vdiDC=vmwareDC=int
  – Event Database: BROKER_MACHINE_ALLOCATED
• Broker attempts SSO
  – [FarmImp] (SESSION7072--a79c) Using domain for SSO FUTUREOFFICE
  – User won’t be logged on to the VM without this

Desktop Not Available

What to look for… Pool Provisioning

• Desktops not available due to provisioning error
  – Check View Administrator for Pool status; check datastore capacity
  – Check Event Database - BROKER_PROVISIONING_ERROR_
  – Check View Composer has network access to ESX hosts
• Desktop not available due to customization
  – Check Desktop status – AGENT UNAVAILABLE
  – Check View Dashboard
    • Desktop Status > Preparing Desktops OR Problem Desktops
  – Check Desktop connectivity to DNS/AD/Connection Server

Desktop Not Available

• Desktop not available due to VM reset/crash
  – Check Desktop status – ALREADY USED
  – Typical on refresh-on-logoff or delete-on-use desktops
  – Broker never received an explicit logout message from the agent
  – Missing AGENT_ENDED event in DB for VM
• View Composer issues associated with incorrect domain credentials
  • C:\ProgramData\VMware\View Composer\Logs
  • FATAL CSvmGaService - [svmGaServicecpp 116] Domain join failed Error 5 (0x5) Access is denied

Desktop Not Available

What to look for…

• Broker starts session on VM
  – [DesktopSessionImp] (SESSION7072--a79c) startSession – sending StartSession message
• Agent responds…
  – “DesktopManager got a StartSession message”
  – Client Info should be in Agent Log along with PCoIP launch
• Event Database: AGENT_PENDING
• Client connects to VM (Agent)
  – “PCoIPCnxOnConnectionComplete Begin (PCOIP)”
  – “WTS_SESSION_LOGON”
  – Event Database: AGENT_CONNECTED

Desktop Source Not Available

Common Issues
• No Desktop Available
• Pool provisioning issues – customization
• Agent not communicating with broker
• Stuck at desktop login screen (SSO)

Desktop Source Not Available

Where to look
• Event Database
• Connection Server logs

What to look for

[SessionLaunchContext] (SESSION40a7__6cbd) VMWEUCbsimpson Desktop=vmworld Session request failed

(SESSION40a7__6cbd) [VMWEUCbsimpson Desktop=vmworld] (5ms) The following servers were blocked for new sessions [cn=5162cf76-8d8a-4ac0-9185-845a540d24e5ou=serversdc=vdidc=vmwaredc=int]

(SESSION40a7__6cbd) [VMWEUCbsimpson Desktop=vmworld] (5ms) Application launch failed exception was The desktop sources for this desktop are not responding Please try again later
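The session walk-through on the "Desktop Not Available" and "Desktop Source Not Available" slides, as an added example that is not part of the original deck: a Python script that groups Connection Server log lines by session token and reports the furthest launch stage each session reached and what the slides say to check next. The marker strings are the ones quoted on the slides; the timestamp layout, the colon in the session token, the hint wording and all sample lines are assumptions constructed for illustration.

```python
import re

# Launch stages in order, with the log/event markers the slides quote for each.
STAGES = [
    ("requested", ("BROKER_DESKTOP_REQUEST",)),
    ("allocated", ("allocateNewSession", "BROKER_MACHINE_ALLOCATED")),
    ("sso", ("Using domain for SSO",)),
    ("start_sent", ("sending StartSession message",)),
    ("agent_pending", ("AGENT_PENDING",)),
    ("agent_connected", ("AGENT_CONNECTED",)),
]
ORDER = [name for name, _ in STAGES]

# What the slides say to check when the trail stops before the named stage.
STALL_HINTS = {
    "requested": "check client connection path and broker authentication",
    "allocated": "check pool status, provisioning errors and datastore capacity",
    "sso": "no SSO domain logged; user will not be logged on to the VM",
    "start_sent": "check Connection Server logs for the session request",
    "agent_pending": "check desktop connectivity to DNS/AD/Connection Server",
    "agent_connected": "check TCP/UDP 4172 and the PCoIP External URL",
}

# Failure markers quoted on the slides and the check each one points to.
FAILURE_HINTS = {
    "Session request failed": "session request failed; read the lines that follow",
    "blocked for new sessions": "agent not communicating with broker, or customization unfinished",
    "desktop sources for this desktop are not responding": "desktop source not available",
    "PENDING_EXPIRED": "pending session expired; check View Agent logs on the desktop",
}

# Assumption: a token is "(SESSION", an optional colon, then text up to ")" or a space.
SESSION_RE = re.compile(r"\(SESSION:?([^)\s]+)")


def has_marker(line, marker):
    """True if marker occurs as a whole name (AGENT_PENDING_EXPIRED is not AGENT_PENDING)."""
    return re.search(re.escape(marker) + r"(?![A-Z_])", line) is not None


def trace_sessions(lines):
    """Group lines by session token; record stages reached and failure markers seen."""
    sessions = {}
    for line in lines:
        match = SESSION_RE.search(line)
        if not match:
            continue  # lines without a session token cannot be attributed
        rec = sessions.setdefault(match.group(1), {"stages": [], "failures": []})
        for name, markers in STAGES:
            if name not in rec["stages"] and any(has_marker(line, m) for m in markers):
                rec["stages"].append(name)
        for marker in FAILURE_HINTS:
            if marker in line and marker not in rec["failures"]:
                rec["failures"].append(marker)
    return sessions


def diagnose(rec):
    """Summarise one session: status, furthest stage reached, and what to check next."""
    last = max((ORDER.index(s) for s in rec["stages"]), default=-1)
    hints = [FAILURE_HINTS[m] for m in rec["failures"]]
    if rec["failures"]:
        status = "failed"
    elif last == len(ORDER) - 1:
        status = "ok"
    else:
        status = "stalled"
        hints.append(STALL_HINTS[ORDER[last + 1]])
    return {"status": status, "last_stage": ORDER[last] if last >= 0 else None, "hints": hints}


def report(lines):
    """Map each session token to its diagnosis, in order of first appearance."""
    return {token: diagnose(rec) for token, rec in trace_sessions(lines).items()}


# Constructed sample lines (not from a real system); timestamps and tokens are made up.
SAMPLE_LOG = """\
2017-08-28T10:00:01 DEBUG [Audit] (SESSION:7072_a79c) BROKER_DESKTOP_REQUEST
2017-08-28T10:00:01 DEBUG [FarmImp] (SESSION:7072_a79c) allocateNewSession - identified server
2017-08-28T10:00:01 DEBUG [FarmImp] (SESSION:7072_a79c) Using domain for SSO FUTUREOFFICE
2017-08-28T10:00:02 DEBUG [DesktopSessionImp] (SESSION:7072_a79c) startSession - sending StartSession message
2017-08-28T10:00:03 DEBUG [Audit] (SESSION:7072_a79c) AGENT_PENDING
2017-08-28T10:00:05 DEBUG [Audit] (SESSION:7072_a79c) AGENT_CONNECTED
2017-08-28T10:05:00 DEBUG [FarmImp] (SESSION:11aa_22bb) allocateNewSession - identified server
2017-08-28T10:05:01 DEBUG [DesktopSessionImp] (SESSION:11aa_22bb) startSession - sending StartSession message
2017-08-28T10:05:02 DEBUG [Audit] (SESSION:11aa_22bb) AGENT_PENDING
2017-08-28T10:20:02 DEBUG [Audit] (SESSION:11aa_22bb) AGENT_PENDING_EXPIRED
2017-08-28T10:30:00 DEBUG [SessionLaunchContext] (SESSION:40a7_6cbd) Session request failed
2017-08-28T10:30:00 DEBUG (SESSION:40a7_6cbd) The following servers were blocked for new sessions
2017-08-28T10:40:00 DEBUG [FarmImp] (SESSION:5c5c_9d9d) allocateNewSession - identified server
2017-08-28T10:41:00 INFO  housekeeping line with no session token
"""

if __name__ == "__main__":
    for token, result in report(SAMPLE_LOG.splitlines()).items():
        print(token, result["status"], result["last_stage"], "; ".join(result["hints"]))
```

On a real Connection Server, adjust SESSION_RE to the token layout in your own debug log before relying on the grouping.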

Horizon

ADV1592BU CONFIDENTIAL 65

VMworld 2017 Content Not fo

r publication or distri

bution

Page 10: ADV1592BU Troubleshooting Your Horizon 7 Deployment … · Troubleshooting Your Horizon 7 Deployment VMworld 2017 ... (SCCM Toolkit) Horizon ... Troubleshooting Horizon

Certificates with App Volumes Manager

Options to Enable SSL

bull Replace self-signed certificate on App Volumes Manager server with a cert trusted by App Volumes Agent VMs

bull User guide httpbitly2vlzgxX

bull Step-by-step blog with video httpbitly2ung7yE

Recommended for SSL

bull Use SSL for SQL Server Communication

bull Accept a CA-signed certificate from vCenter

Replace Self-Signed Cert with a CA-Signed Cert Trusted by the App Volumes Agent

App Volumes

ADV1592BU CONFIDENTIAL 10

VMworld 2017 Content Not fo

r publication or distri

bution

App Volumes Certificates

bull Certificate validation between App Volumes Manager and vCenter

bull Certificate validation for App Volumes Agent

ndash POC versus Production implementation

bull Secure communications between App Volumes and Microsoft SQL server

bull Applying certificates in load balanced configurations

11

Additional Considerations

App Volumes

VMworld 2017 Content Not fo

r publication or distri

bution

Avoiding Certificate Issues

ADV1592BU CONFIDENTIAL 12

Be Consistent with App Volumes Manager Name

VMworld 2017 Content Not fo

r publication or distri

bution

VMware Horizon Log Locations

Core

Infrastructure

Active

Directory

vCenter

Server

vRealize

Operations

Manager for

Horizon

Database

(SQL)

vSphere

vSAN

SaaS Mobile

Apps

Applications

(App Volumes)

VMware

Identity

Manager

User

Workspace

User

Environment

IT

Settings

User

Profile

End-Point Clients

VMware Horizon

RDS

Desktops amp Apps

Virtual Desktop Pools

Unified

Access

Gateway

Connection

Server

View

Composer

Logs can be collected fromhellip

Use KB1017939 for log locations and KB1025887 to change log levels

ADV1592BU CONFIDENTIAL 13

VMworld 2017 Content Not fo

r publication or distri

bution

VMware Unified Access Gateway (UAG) Logs

Log Files

bull Default log level is INFO

bull Adjust log level for debugging information

ndash Details of log levels and collecting log files httpbitly2ufqdAY

Monitoring

bull Monitor UAG services from the Admin UI

Unified Access Gateway

ADV1592BU CONFIDENTIAL 14

VMworld 2017 Content Not fo

r publication or distri

bution

App Volumes Logs

rdquoDJrdquo indicates

Manager

background

job

ldquoRrdquo indicates

dynamic Ruby

job

Log files are

now created

daily

bull Use Notepad++ to quickly group log entries by task

ADV1592BU CONFIDENTIAL 15

VMworld 2017 Content Not fo

r publication or distri

bution

User Environment Manager Logs

bull Configure debug logging for individual user

ndash httpskbvmwarecomkb2113514

Global and Individual Debug Logs

User Environment Manager

ADV1592BU CONFIDENTIAL 16

VMworld 2017 Content Not fo

r publication or distri

bution

Application Personalization amp DirectFlex

User Session

Profile Data Store (File Share)

Base

Profile

UEM

LogonImport of Keyboard

Mouse Wallpaper

Windows Settings

Application

LaunchImport of application

settings

Application

ShutdownExport of application

settings

UEM

LogoffExport of Keyboard

Mouse Wallpaper

Windows Settings

Time

User Environment Manager

CONFIDENTIAL

VMworld 2017 Content Not fo

r publication or distri

bution

DirectFlex LoggingUser Environment

Manager

ADV1592BU CONFIDENTIAL 18

VMworld 2017 Content Not fo

r publication or distri

bution

DirectFlex Import

Directflex Import

User Environment Manager

ADV1592BU CONFIDENTIAL 19

VMworld 2017 Content Not fo

r publication or distri

bution

DirectFlex Export

Directflex Export

User Environment Manager

ADV1592BU CONFIDENTIAL 20

VMworld 2017 Content Not fo

r publication or distri

bution

Tracking Sessions

bull Use TailGrep Utilities or Trace32 (SCCM Toolkit)

Horizon

ADV1592BU CONFIDENTIAL 21

VMworld 2017 Content Not fo

r publication or distri

bution

Demo ndash Log Monitoring with BareTailBareGrep

ADV1592BU CONFIDENTIAL 22

Horizon

VMworld 2017 Content Not fo

r publication or distri

bution

HorizonCommon Issues

VMworld 2017 Content Not fo

r publication or distri

bution

Troubleshooting Keys

bull Check Admin Dashboard or HelpDesk Tool

bull Understand client connection paths

bull Set the appropriate Logging Level

bull Check Logs and understand DCT Tool

bull Use kbvmwarecom or communities

ADV1592BU CONFIDENTIAL 24

Horizon

VMworld 2017 Content Not fo

r publication or distri

bution

Horizon Helpdesk ToolHorizon

ADV1592BU CONFIDENTIAL 25

VMworld 2017 Content Not fo

r publication or distri

bution

Horizon Helpdesk Tool Session Details

Access

bull Installed by default on CS

bull https[CS FQDN]helpdesk

bull Launch from Horizon Console

Provides

bull Metrics

bull Send Message

bull Remote Assistance

bull Quick Resolutionndash Restart

ndash Logoff

ndash Reset

ndash Disconnect

Horizon

ADV1592BU CONFIDENTIAL 26

VMworld 2017 Content Not fo

r publication or distri

bution

Horizon Helpdesk Tool

ADV1592BU CONFIDENTIAL 27

Measuring Impact of AppStacks

No AppStacks

Three AppStacks ndash VLC Notepad++ 7-Zip

Horizon

VMworld 2017 Content Not fo

r publication or distri

bution

Pool

Profile

Service AppsUser

Remoting

ProtocolUser Environment

Manager

File SharesPersona

ThinApp SharesStreamed

Apps

Master VMInstant

Clone

Home File SharesFolder

Redirection

App Volumes

AppStacks

Writable Volume

Disk

Attachments

vSphere

Virtual SAN

Instant Clone

SaaS Mobile Other Apps

Client(s)

Identity Manager

HTML

APPS

En

viro

nm

en

t

AD

DNS

DHCP

Group

Policy

Certs

vRealize Operations for Horizon ndash (Monitoring amp Mgt)

Identifying the Problem Domain

VMworld 2017 Content Not fo

r publication or distri

bution

Horizon Connectivity Issues

bull Common challenges

ndash Horizon Client canrsquot connect

ndash Logon failure

ndash Black screen

ndash Poor quality display

ndash Randomly disconnected session

Horizon

ADV1592BU CONFIDENTIAL 29

VMworld 2017 Content Not fo

r publication or distri

bution

Horizon

VMworld 2017 Content Not fo

r publication or distri

bution

Blast Extreme Adaptive TransportADMX Template Settings

Computer gt Policies gt Admin Templates gt VMware Blast gt UDP Protocol

bull Requires restart of Blast service or reboot of guest OS to take effect

BlastExtreme

ADV1592BU CONFIDENTIAL 31

VMworld 2017 Content Not fo

r publication or distri

bution

Blast Extreme Adaptive Transport

Client Settings Agent Settings (UDP) Blast Desktop Connection Broker Connection

Excellent Not configured or Enabled TCP TCP

Typical Not configured or Enabled UDP TCP

Poor Not configured or Enabled UDP UDP

Computer gt Policies gt Admin Templates gt VMware Blast gt UDP Protocol ndash Not Configured or Enabled

HKLMSOFTWAREPoliciesVMware IncVMware BlastConfig ndash UdpEnabled = 1

Client Settings Agent Settings (UDP) Blast Desktop Connection Broker Connection

Excellent Disabled TCP TCP

Typical Disabled TCP TCP

Poor Disabled TCP UDP

Computer gt Policies gt Admin Templates gt VMware Blast gt UDP Protocol ndash Disabled

HKLMSOFTWAREPoliciesVMware IncVMware BlastConfig ndash UdpEnabled = 0

BlastExtreme

ADV1592BU CONFIDENTIAL 32

VMworld 2017 Content Not fo

r publication or distri

bution

Horizon Connectivity Issues

bull Where to look

ndash Connection Broker logs

bull CProgramDataVMwareVDMlogs

ndash Event Database

ndash DCT Tool

bull What to look for ndash

bull (Client connects) [SimpleAJPService] (ajpbrokerRequest9) Request from 19216821 POST brokerxml

bull (Broker authentication) [WinAuthFilter] (SESSION7072--a79c mattc) Attempting to authenticate user mattc in domain FUTUREOFFICErsquo

bull (User has authenticated to Broker) [AuthorizationFilter] (SESSION7072--a79c) User FUTUREOFFICEmattc has successfully authenticated to VDM

bull (Audit Entry) [Audit] (SESSION7072--a79c) BROKER_LOGONUSERFUTUREOFFICEmattcUSERSIDS-1-5-21-326850759-2560684469-1780228732-1113USERDNCN=S-1-5-21-326850759-2560684469-1780228732-1113CN=ForeignSecurityPrincipalsDC=vdiDC=vmwareDC=int

bull Event Database BROKER_USERLOGGEDIN

Horizon

ADV1592BU CONFIDENTIAL 33

VMworld 2017 Content Not fo

r publication or distri

bution

User Experience Issues

bull Black screen of deathmdashinstead of desktop

ndash PCoIP port blocked (TCP and UDP 4172) or SVGA Driver issue

ndash pcoip_serverclient logs - CUsersAll UsersVMwareVDMlogs

bull Error attaching to SVGADevTap error 4000 EscapeFailed

bull MGMT_SCHAN scnet_client_open tera_sock_connect returned error 10060 - Connection timed out

ndash Incorrect PCoIP External URL configured for SecurityConnection Servers

Horizon

ADV1592BU CONFIDENTIAL 34

VMworld 2017 Content Not fo

r publication or distri

bution

User Experience Issues

bull Poor quality display

ndash Bandwidth latency or QoS

ndash Pcoip_server logs report

bull VGMAC Stat frms Loss=045021 (RT)

bull MGMT_PCOIP_DATA BW Decrease (loss) old = 2349982 new = 1768438

bull Randomly disconnected session

ndash 15 min after established - wssm process hasnt started on desktop

ndash View Agent logs (ltDriveLettergtProgramDataVMwareVDMlogs)

ndash PENDING_EXPIRED

ndash Sometimes caused by daisy-chaining the GINA (WinXP)

Horizon

ADV1592BU CONFIDENTIAL 35

VMworld 2017 Content Not fo

r publication or distri

bution

Multi-VLAN support for Instant Clone poolsTips to Avoid Deployment Issues

Support

bull vSphere 2016

bull ESXi 60 U1 or newer

bull Virtual Distributed Switch only

ndash No support for Standard Switch

bull Port Group must be configured for Static Port Binding amp Fixed Port Allocation

ndash No support for Dynamic or Ephemeral

Tested Limits

bull No multi-VLAN provisioning with IPv6

bull Single IC pool of 2K VMs

Horizon

ADV1592BU CONFIDENTIAL 36

VMworld 2017 Content Not fo

r publication or distri

bution

Multi-VLAN with Horizon Instant ClonesTroubleshooting

Horizon

ADV1592BU CONFIDENTIAL 37

VMworld 2017 Content Not fo

r publication or distri

bution

Desktop Performance

bull Common Issues

ndash Storage IO bottleneck

ndash Memory contention

ndash CPU contention

ndash Network issues

bull Where to look

ndash vCenter Server

ndash VCOPs

ndash ESXTOP

ndash 3rd Party Tools

Horizon

ADV1592BU CONFIDENTIAL 38

VMworld 2017 Content Not fo

r publication or distri

bution

The 3 Pillars of Performance

What to look for

bull CPU

ndash ClusterHost utilization lt 90

ndash VM utilization - USED (ESXTOP)

ndash VM RDY Time (ESXTOP) lt 10

bull Memory

ndash Host utilization lt 85

ndash VM utilization

ndash Swapping Ballooning SWCUR gt 1 MCTLSZ gt 1 (ESXTOP)

bull Storage

ndash Disk Read Latency lt 25ms

ndash ESXTOP DAVG or KAVG lt 25ms (ESXTOP)

Horizon

ADV1592BU CONFIDENTIAL 39

VMworld 2017 Content Not fo

r publication or distri

bution

Optimize Your Images

bull httpslabsvmwarecomflingsvmware-os-optimization-tool

Horizon

ADV1592BU CONFIDENTIAL 40

VMworld 2017 Content Not fo

r publication or distri

bution

User Environment ManagerCommon Issues

VMworld 2017 Content Not fo

r publication or distri

bution

FlexEngine Appears Not To Run

FlexEngine Client

bull Requires use of Regeditexeor Regexe to modify user-based registry keys

bull Must not be disabled via Local or Group Policy

ADMX Settings

bull Minimum settings to enable FlexEngine Client

bull Check path

ADV1592BU CONFIDENTIAL 42

VMworld 2017 Content Not fo

r publication or distri

bution

Path-Based Import Runs Slow

bull Be careful not to run FlexEngine as a logon script and a Group Policy client-side extension

ADV1592BU CONFIDENTIAL 43

VMworld 2017 Content Not fo

r publication or distri

bution

Application Incompatibility with Hook Drivers

DirectFlex Blacklist
• Create <FlexRepository>\DirectFlexBlackList.XML
• Populate as follows:

    <?xml version="1.0" encoding="utf-8"?>
    <userEnvironmentSettings>
      <setting type="blacklist" list="1.exe|2.exe|3.exe" />
    </userEnvironmentSettings>

• Example: https://kb.vmware.com/kb/2145287

App Volumes: Common Issues

Slow User Logon

• Check Logon Segments in Horizon to determine where the delay is
• Optimize clock.yml
  – If performance decreases as deployment scales
  – Increasing servers, workers and thread_pool requires additional CPU and RAM
  – Involve GSS to ensure optimal settings

AppStack Not Attaching at Logon

• One host in vSphere cluster does not have access to the shared datastore where the AppStack resides
  – Common oversight, especially with Storage Groups
• Conflicting Minifilter driver
  – DLP software
  – Be aware of app altitude
  – More info from Microsoft
    • http://bit.ly/2tSCdG5

ADSI Edit – Static Configuration Editing

ADSI Edit – Common Key Values to Inspect

• pae-DisplayName
  – VM name as displayed in View Admin
• pae-DirtyForNewSessions
  – Indicates whether the VM is “Dirty” and can be re-used in a non-persistent pool
• pae-SVIVMSnapshot
  – Indicates the current Snapshot that is in use
• pae-VmPath
  – Indicates the full Path to the VM in vCenter
• pae-VmState
  – Indicates the current state of the Desktop – some states are a combination of this value and other values

ADSI Edit – Searching for a Desktop

• Find VMs with a Snapshot
  – (&(objectClass=pae-VM)(pae-SVIVmSnapshot=BaselineSnapshot1Snapshot2))
• Find VMs with a Name
  – (&(objectClass=pae-VM)(pae-DisplayName=Desktop-234))
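The two ADSI Edit searches above can also be run read-only from PowerShell on a Connection Server, which avoids opening an editor on the live configuration. This is an added example, not part of the original deck: the function names Find-HorizonVm and ConvertTo-LdapFilterValue are hypothetical, and the localhost:389 endpoint and DC=vdi,DC=vmware,DC=int base DN (the base that appears in this deck's log excerpts) are assumptions.

```powershell
# Added example: read-only lookup of pae-VM objects in the Horizon (View) LDAP
# instance, using the filters and attribute names from the ADSI Edit slides.
# Assumptions: run on a Connection Server under an account allowed to read the
# View LDAP instance; endpoint localhost:389, base DN DC=vdi,DC=vmware,DC=int.

function ConvertTo-LdapFilterValue {
    # Escape LDAP filter metacharacters (RFC 4515) so a VM or snapshot name
    # copied from a ticket or script argument cannot change the search filter.
    param([Parameter(Mandatory)][AllowEmptyString()][string]$Value)
    # Backslash first, so the escapes added afterwards are not escaped again.
    $Value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29').Replace("`0", '\00')
}

function Find-HorizonVm {
    [CmdletBinding(DefaultParameterSetName = 'ByName')]
    param(
        [Parameter(Mandatory, ParameterSetName = 'ByName')]
        [string]$DisplayName,

        [Parameter(Mandatory, ParameterSetName = 'BySnapshot')]
        [string]$Snapshot,

        [string]$Server = 'localhost:389',            # assumption
        [string]$BaseDn = 'DC=vdi,DC=vmware,DC=int'   # assumption
    )

    # Build the same two filters the slide shows, with the value escaped.
    if ($PSCmdlet.ParameterSetName -eq 'ByName') {
        $clause = '(pae-DisplayName={0})' -f (ConvertTo-LdapFilterValue $DisplayName)
    }
    else {
        $clause = '(pae-SVIVmSnapshot={0})' -f (ConvertTo-LdapFilterValue $Snapshot)
    }

    # Attributes listed on the "Common Key Values to Inspect" slide.
    $attributes = 'pae-DisplayName', 'pae-VmState', 'pae-DirtyForNewSessions',
                  'pae-SVIVmSnapshot', 'pae-VmPath'

    $root     = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Server/$BaseDn")
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.Filter      = "(&(objectClass=pae-VM)$clause)"
    $searcher.SearchScope = [System.DirectoryServices.SearchScope]::Subtree
    $searcher.PageSize    = 500
    foreach ($name in $attributes) { [void]$searcher.PropertiesToLoad.Add($name) }

    $results = $searcher.FindAll()
    try {
        foreach ($entry in $results) {
            $row = [ordered]@{ AdsPath = $entry.Path }
            foreach ($name in $attributes) {
                # Result property names are lower-cased; a missing attribute
                # comes back as an empty collection rather than an error.
                $values = $entry.Properties[$name.ToLowerInvariant()]
                $row[$name] = if ($values.Count -gt 0) { $values[0] } else { $null }
            }
            [pscustomobject]$row
        }
    }
    finally {
        # FindAll() holds unmanaged resources until disposed.
        $results.Dispose()
        $searcher.Dispose()
        $root.Dispose()
    }
}

# Usage, with the desktop name from the slide:
# Find-HorizonVm -DisplayName 'Desktop-234' | Format-List
```

Because the function only searches and never calls CommitChanges(), it cannot modify the View LDAP data.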

Horizon View Event Notifier

• On the VMware Fling site - labs.vmware.com/flings (chrishalstead)

SSL Certificates and vCenter Server Connection

Accept vCenter Certificate
• By default, certificate validation is required between App Volumes Manager and vSphere
• Accept vCenter cert (self-signed or CA-signed) while creating the Machine Manager in App Volumes Manager
• No custom certificate work required

Certificate Options for Production

Options to Enable SSL
• SSL is enabled by default
• Don’t disable certificate validation during Agent installation
• Enable SSL in the registry after App Volumes Agent install

Enable Certificate Validation on the App Volumes Agent
HKLM\System\CurrentControlSet\Services\svservices\Parameters
• EnforceSSLCertificateValidation = 1
• SSL = 1

Certificate Options for a POC

• Options to Disable SSL
• Disable Certificate Validation with App Volumes Manager during App Volumes Agent install
• EnforceSSLCertificateValidation in the registry after App Volumes Agent install

Disable SSL Certificate Validation on the Agent
HKLM\System\CurrentControlSet\Services\svservices\Parameters
• EnforceSSLCertificateValidation = 0

SSL Certificates and SQL Server Communication
Securing Communications Between App Volumes Manager and SQL Server

• 2.12 User Guide references MS Support
• Note the differences for a SQL Server clustered installation
• Encryption is configured on the SQL Server instance, so all databases on a shared SQL Server will be affected
• From the SQL Server, use SQL Server Configuration Manager to configure Force Encryption and specify the SQL certificate

SQL Server service account must have Read permissions to the Private Key of the SQL Server SSL certificate
  – Check SQL Server Configuration Manager > SQL Server Services > SQL Server (SQL) > Log On
  – Default is NT Service\MSSQL$SQL, which does not have the necessary permissions

SSL Certificates and SQL Server Communication

Setting Custom Private Key Permissions for SQL Service Account
• Start on the SQL Server
• MMC > Certificates

SSL Certificates and Load Balancers

Typical Deployment
  – SSL is terminated at load balancer
  – HTTP between LB and AV Manager
  – SSL between AV Agents and LB
  – If trusted CA-signed cert is used for LB, be sure all agents trust the CA

Alternative Deployment
  – To keep SSL between LB and AV Manager, signed AV Manager certificate(s) should be added to trust list of the LB

[Diagram labels: App Volumes Agent VMs; Load Balancer; App Volumes Manager VMs; SQL; View Infrastructure; Now Secured with SSL Certificates]

Desktop Not Available

What to look for… (walk through successful connection)

• Client requests desktop
  – Event Database: BROKER_DESKTOP_REQUEST
• Broker allocates session to user
  – [FarmImp] (SESSION7072--a79c) cn=3f974017-409f-4912-83bc-2ee794f22fab,ou=servers,dc=vdi,dc=vmware,dc=int total session count 0
  – [FarmImp] (SESSION7072--a79c) allocateNewSession - identified server for application CN=GOLD-NP,OU=Applications,DC=vdi,DC=vmware,DC=int
  – Event Database: BROKER_MACHINE_ALLOCATED
• Broker attempts SSO
  – [FarmImp] (SESSION7072--a79c) Using domain for SSO FUTUREOFFICE
  – User won’t be logged on to the VM without this

Desktop Not Available

What to look for… Pool Provisioning

• Desktops not available due to provisioning error
  – Check View Administrator for Pool status, check datastore capacity
  – Check Event Database - BROKER_PROVISIONING_ERROR_
  – Check View Composer has network access to ESX hosts
• Desktop not available due to customization
  – Check Desktop status – AGENT UNAVAILABLE
  – Check View Dashboard
    • Desktop Status > Preparing Desktops OR Problem Desktops
  – Check Desktop connectivity to DNS/AD/Connection Server

Desktop Not Available

• Desktop not available due to VM reset/crash
  – Check Desktop status – ALREADY USED
  – Typical on refresh-on-logoff or delete-on-use desktops
  – Broker never received an explicit logout message from the agent
  – Missing AGENT_ENDED event in DB for VM
• View Composer Issues associated with incorrect domain credentials
  • C:\ProgramData\VMware\View Composer\Logs
  • FATAL CSvmGaService - [svmGaService.cpp 116] Domain join failed Error 5 (0x5) Access is denied

Desktop Not Available

What to look for…

• Broker starts session on VM
  – [DesktopSessionImp] (SESSION7072--a79c) startSession – sending StartSession message
• Agent responds…
  – “DesktopManager got a StartSession message”
  – Client Info should be in Agent Log along with PCoIP launch
• Event Database: AGENT_PENDING
• Client connects to VM (Agent)
  – “PCoIPCnxOnConnectionComplete Begin (PCOIP)”
  – “WTS_SESSION_LOGON”
  – Event Database: AGENT_CONNECTED

Desktop Source Not Available

Common Issues
• No Desktop Available
• Pool provisioning issues – customization
• Agent not communicating with broker
• Stuck at desktop login screen (SSO)

Desktop Source Not Available

Where to look
• Event Database
• Connection Server logs

What to look for

[SessionLaunchContext] (SESSION40a7__6cbd) VMWEUCbsimpson Desktop=vmworld Session request failed

(SESSION40a7__6cbd) [VMWEUCbsimpson Desktop=vmworld] (5ms) The following servers were blocked for new sessions [cn=5162cf76-8d8a-4ac0-9185-845a540d24e5,ou=servers,dc=vdi,dc=vmware,dc=int]

(SESSION40a7__6cbd) [VMWEUCbsimpson Desktop=vmworld] (5ms) Application launch failed exception was The desktop sources for this desktop are not responding Please try again later


App Volumes Certificates
Additional Considerations

• Certificate validation between App Volumes Manager and vCenter
• Certificate validation for App Volumes Agent
  – POC versus Production implementation
• Secure communications between App Volumes and Microsoft SQL server
• Applying certificates in load balanced configurations

Avoiding Certificate Issues

Be Consistent with App Volumes Manager Name

VMware Horizon Log Locations

Logs can be collected from…

[Diagram labels: Core Infrastructure; Active Directory; vCenter Server; vRealize Operations Manager for Horizon; Database (SQL); vSphere; vSAN; SaaS / Mobile Apps; Applications (App Volumes); VMware Identity Manager; User Workspace; User Environment; IT Settings; User Profile; End-Point Clients; VMware Horizon; RDS Desktops & Apps; Virtual Desktop Pools; Unified Access Gateway; Connection Server; View Composer]

Use KB1017939 for log locations and KB1025887 to change log levels

VMware Unified Access Gateway (UAG) Logs

Log Files
• Default log level is INFO
• Adjust log level for debugging information
  – Details of log levels and collecting log files: http://bit.ly/2ufqdAY

Monitoring
• Monitor UAG services from the Admin UI

App Volumes Logs

“DJ” indicates Manager background job
“R” indicates dynamic Ruby job
Log files are now created daily

• Use Notepad++ to quickly group log entries by task

User Environment Manager Logs

Global and Individual Debug Logs
• Configure debug logging for individual user
  – https://kb.vmware.com/kb/2113514

Application Personalization & DirectFlex

[Timeline diagram: User Session over Time, with the Profile Data Store (File Share) and Base Profile. UEM Logon: import of Keyboard, Mouse, Wallpaper, Windows Settings. Application Launch: import of application settings. Application Shutdown: export of application settings. UEM Logoff: export of Keyboard, Mouse, Wallpaper, Windows Settings.]

DirectFlex Logging

DirectFlex Import

DirectFlex Export

Tracking Sessions

• Use Tail/Grep Utilities or Trace32 (SCCM Toolkit)

Demo – Log Monitoring with BareTail/BareGrep

Horizon: Common Issues

Troubleshooting Keys

• Check Admin Dashboard or HelpDesk Tool
• Understand client connection paths
• Set the appropriate Logging Level
• Check Logs and understand DCT Tool
• Use kb.vmware.com or communities

Horizon Helpdesk Tool

Horizon Helpdesk Tool Session Details

Access
• Installed by default on CS
• https://[CS FQDN]/helpdesk
• Launch from Horizon Console

Provides
• Metrics
• Send Message
• Remote Assistance
• Quick Resolution
  – Restart
  – Logoff
  – Reset
  – Disconnect

Horizon Helpdesk Tool

Measuring Impact of AppStacks

No AppStacks
Three AppStacks – VLC, Notepad++, 7-Zip

Identifying the Problem Domain

[Diagram labels: Pool; Profile; Service; Apps; User; Remoting Protocol; User Environment Manager; File Shares; Persona; ThinApp Shares; Streamed Apps; Master VM; Instant Clone; Home File Shares; Folder Redirection; App Volumes; AppStacks; Writable Volume; Disk Attachments; vSphere; Virtual SAN; Instant Clone; SaaS, Mobile, Other Apps; Client(s); Identity Manager; HTML; APPS; Environment: AD, DNS, DHCP, Group Policy, Certs; vRealize Operations for Horizon – (Monitoring & Mgt)]

Horizon Connectivity Issues

• Common challenges
  – Horizon Client can’t connect
  – Logon failure
  – Black screen
  – Poor quality display
  – Randomly disconnected session

Blast Extreme Adaptive Transport
ADMX Template Settings

Computer > Policies > Admin Templates > VMware Blast > UDP Protocol

• Requires restart of Blast service or reboot of guest OS to take effect

Blast Extreme Adaptive Transport

Computer > Policies > Admin Templates > VMware Blast > UDP Protocol – Not Configured or Enabled
HKLM\SOFTWARE\Policies\VMware, Inc.\VMware Blast\Config – UdpEnabled = 1

| Client Settings | Agent Settings (UDP)      | Blast Desktop Connection | Broker Connection |
|-----------------|---------------------------|--------------------------|-------------------|
| Excellent       | Not configured or Enabled | TCP                      | TCP               |
| Typical         | Not configured or Enabled | UDP                      | TCP               |
| Poor            | Not configured or Enabled | UDP                      | UDP               |

Computer > Policies > Admin Templates > VMware Blast > UDP Protocol – Disabled
HKLM\SOFTWARE\Policies\VMware, Inc.\VMware Blast\Config – UdpEnabled = 0

| Client Settings | Agent Settings (UDP) | Blast Desktop Connection | Broker Connection |
|-----------------|----------------------|--------------------------|-------------------|
| Excellent       | Disabled             | TCP                      | TCP               |
| Typical         | Disabled             | TCP                      | TCP               |
| Poor            | Disabled             | TCP                      | UDP               |

Horizon Connectivity Issues

• Where to look
  – Connection Broker logs
    • C:\ProgramData\VMware\VDM\logs
  – Event Database
  – DCT Tool
• What to look for
  • (Client connects) [SimpleAJPService] (ajpbrokerRequest9) Request from 19216821 POST /broker/xml
  • (Broker authentication) [WinAuthFilter] (SESSION7072--a79c mattc) Attempting to authenticate user mattc in domain ‘FUTUREOFFICE’
  • (User has authenticated to Broker) [AuthorizationFilter] (SESSION7072--a79c) User FUTUREOFFICE\mattc has successfully authenticated to VDM
  • (Audit Entry) [Audit] (SESSION7072--a79c) BROKER_LOGON:USER:FUTUREOFFICE\mattc;USERSID:S-1-5-21-326850759-2560684469-1780228732-1113;USERDN:CN=S-1-5-21-326850759-2560684469-1780228732-1113,CN=ForeignSecurityPrincipals,DC=vdi,DC=vmware,DC=int
  • Event Database: BROKER_USERLOGGEDIN

User Experience Issues

• Black screen of death – instead of desktop
  – PCoIP port blocked (TCP and UDP 4172) or SVGA Driver issue
  – pcoip_server/client logs - C:\Users\All Users\VMware\VDM\logs
    • Error attaching to SVGADevTap error 4000 EscapeFailed
    • MGMT_SCHAN scnet_client_open tera_sock_connect returned error 10060 - Connection timed out
  – Incorrect PCoIP External URL configured for Security/Connection Servers

User Experience Issues

• Poor quality display
  – Bandwidth, latency or QoS
  – Pcoip_server logs report
    • VGMAC Stat frms Loss=045021 (RT)
    • MGMT_PCOIP_DATA BW Decrease (loss) old = 2349982 new = 1768438
• Randomly disconnected session
  – 15 min after established - wssm process hasn’t started on desktop
  – View Agent logs (<DriveLetter>:\ProgramData\VMware\VDM\logs)
  – PENDING_EXPIRED
  – Sometimes caused by daisy-chaining the GINA (WinXP)

Multi-VLAN support for Instant Clone pools
Tips to Avoid Deployment Issues

Support
• vSphere 2016
• ESXi 6.0 U1 or newer
• Virtual Distributed Switch only
  – No support for Standard Switch
• Port Group must be configured for Static Port Binding & Fixed Port Allocation
  – No support for Dynamic or Ephemeral

Tested Limits
• No multi-VLAN provisioning with IPv6
• Single IC pool of 2K VMs


Page 12: ADV1592BU Troubleshooting Your Horizon 7 Deployment … · Troubleshooting Your Horizon 7 Deployment VMworld 2017 ... (SCCM Toolkit) Horizon ... Troubleshooting Horizon

Avoiding Certificate Issues

ADV1592BU CONFIDENTIAL 12

Be Consistent with App Volumes Manager Name

VMworld 2017 Content Not fo

r publication or distri

bution

VMware Horizon Log Locations

Core

Infrastructure

Active

Directory

vCenter

Server

vRealize

Operations

Manager for

Horizon

Database

(SQL)

vSphere

vSAN

SaaS Mobile

Apps

Applications

(App Volumes)

VMware

Identity

Manager

User

Workspace

User

Environment

IT

Settings

User

Profile

End-Point Clients

VMware Horizon

RDS

Desktops amp Apps

Virtual Desktop Pools

Unified

Access

Gateway

Connection

Server

View

Composer

Logs can be collected fromhellip

Use KB1017939 for log locations and KB1025887 to change log levels

ADV1592BU CONFIDENTIAL 13

VMworld 2017 Content Not fo

r publication or distri

bution

VMware Unified Access Gateway (UAG) Logs

Log Files

bull Default log level is INFO

bull Adjust log level for debugging information

ndash Details of log levels and collecting log files httpbitly2ufqdAY

Monitoring

bull Monitor UAG services from the Admin UI

Unified Access Gateway

ADV1592BU CONFIDENTIAL 14

VMworld 2017 Content Not fo

r publication or distri

bution

App Volumes Logs

rdquoDJrdquo indicates

Manager

background

job

ldquoRrdquo indicates

dynamic Ruby

job

Log files are

now created

daily

bull Use Notepad++ to quickly group log entries by task

ADV1592BU CONFIDENTIAL 15

VMworld 2017 Content Not fo

r publication or distri

bution

User Environment Manager Logs

bull Configure debug logging for individual user

ndash httpskbvmwarecomkb2113514

Global and Individual Debug Logs

User Environment Manager

ADV1592BU CONFIDENTIAL 16

VMworld 2017 Content Not fo

r publication or distri

bution

Application Personalization & DirectFlex

[Timeline diagram labels: User Session; Profile Data Store (File Share); Base Profile; Time]
• UEM Logon: Import of Keyboard, Mouse, Wallpaper, Windows Settings
• Application Launch: Import of application settings
• Application Shutdown: Export of application settings
• UEM Logoff: Export of Keyboard, Mouse, Wallpaper, Windows Settings

DirectFlex Logging

DirectFlex Import

DirectFlex Export

Tracking Sessions

• Use Tail/Grep Utilities or Trace32 (SCCM Toolkit)

Demo – Log Monitoring with BareTail/BareGrep

Horizon: Common Issues

Troubleshooting Keys

• Check Admin Dashboard or HelpDesk Tool
• Understand client connection paths
• Set the appropriate Logging Level
• Check Logs and understand DCT Tool
• Use kb.vmware.com or communities

Horizon Helpdesk Tool

Horizon Helpdesk Tool Session Details

Access
• Installed by default on CS
• https://[CS FQDN]/helpdesk
• Launch from Horizon Console

Provides
• Metrics
• Send Message
• Remote Assistance
• Quick Resolution
  – Restart
  – Logoff
  – Reset
  – Disconnect

Horizon Helpdesk Tool

Measuring Impact of AppStacks
• No AppStacks
• Three AppStacks – VLC, Notepad++, 7-Zip

Identifying the Problem Domain

[Diagram labels: Pool; Profile; Service Apps; User; Remoting Protocol; User Environment Manager; File Shares; Persona; ThinApp Shares; Streamed Apps; Master VM; Instant Clone; Home File Shares; Folder Redirection; App Volumes; AppStacks; Writable Volume; Disk Attachments; vSphere; Virtual SAN; Instant Clone; SaaS, Mobile, Other Apps; Client(s); Identity Manager; HTML APPS; Environment; AD; DNS; DHCP; Group Policy; Certs; vRealize Operations for Horizon – (Monitoring & Mgt)]

Horizon Connectivity Issues

• Common challenges
  – Horizon Client can’t connect
  – Logon failure
  – Black screen
  – Poor quality display
  – Randomly disconnected session

Blast Extreme Adaptive Transport: ADMX Template Settings

Computer > Policies > Admin Templates > VMware Blast > UDP Protocol
• Requires restart of Blast service or reboot of guest OS to take effect

Blast Extreme Adaptive Transport

Client Settings   Agent Settings (UDP)        Blast Desktop Connection   Broker Connection
Excellent         Not configured or Enabled   TCP                        TCP
Typical           Not configured or Enabled   UDP                        TCP
Poor              Not configured or Enabled   UDP                        UDP

Computer > Policies > Admin Templates > VMware Blast > UDP Protocol – Not Configured or Enabled
HKLM\SOFTWARE\Policies\VMware, Inc.\VMware Blast\Config – UdpEnabled = 1

Client Settings   Agent Settings (UDP)   Blast Desktop Connection   Broker Connection
Excellent         Disabled               TCP                        TCP
Typical           Disabled               TCP                        TCP
Poor              Disabled               TCP                        UDP

Computer > Policies > Admin Templates > VMware Blast > UDP Protocol – Disabled
HKLM\SOFTWARE\Policies\VMware, Inc.\VMware Blast\Config – UdpEnabled = 0

Horizon Connectivity Issues

• Where to look
  – Connection Broker logs
    • C:\ProgramData\VMware\VDM\logs
  – Event Database
  – DCT Tool
• What to look for –
  • (Client connects) [SimpleAJPService] (ajpbrokerRequest9) Request from 19216821 POST brokerxml
  • (Broker authentication) [WinAuthFilter] (SESSION7072--a79c mattc) Attempting to authenticate user mattc in domain FUTUREOFFICE’
  • (User has authenticated to Broker) [AuthorizationFilter] (SESSION7072--a79c) User FUTUREOFFICEmattc has successfully authenticated to VDM
  • (Audit Entry) [Audit] (SESSION7072--a79c) BROKER_LOGONUSERFUTUREOFFICEmattcUSERSIDS-1-5-21-326850759-2560684469-1780228732-1113USERDNCN=S-1-5-21-326850759-2560684469-1780228732-1113CN=ForeignSecurityPrincipalsDC=vdiDC=vmwareDC=int
  • Event Database: BROKER_USERLOGGEDIN

User Experience Issues

• Black screen of death - instead of desktop
  – PCoIP port blocked (TCP and UDP 4172) or SVGA Driver issue
  – pcoip_server/client logs - C:\Users\All Users\VMware\VDM\logs
    • Error attaching to SVGADevTap error 4000 EscapeFailed
    • MGMT_SCHAN scnet_client_open tera_sock_connect returned error 10060 - Connection timed out
  – Incorrect PCoIP External URL configured for Security/Connection Servers

User Experience Issues

• Poor quality display
  – Bandwidth, latency, or QoS
  – pcoip_server logs report
    • VGMAC Stat frms Loss=045021 (RT)
    • MGMT_PCOIP_DATA BW Decrease (loss) old = 2349982 new = 1768438
• Randomly disconnected session
  – 15 min after established - wssm process hasn't started on desktop
  – View Agent logs (<DriveLetter>:\ProgramData\VMware\VDM\logs)
  – PENDING_EXPIRED
  – Sometimes caused by daisy-chaining the GINA (WinXP)

Multi-VLAN support for Instant Clone pools: Tips to Avoid Deployment Issues

Support
• vSphere 2016
• ESXi 6.0 U1 or newer
• Virtual Distributed Switch only
  – No support for Standard Switch
• Port Group must be configured for Static Port Binding & Fixed Port Allocation
  – No support for Dynamic or Ephemeral

Tested Limits
• No multi-VLAN provisioning with IPv6
• Single IC pool of 2K VMs

Multi-VLAN with Horizon Instant Clones: Troubleshooting

Desktop Performance

• Common Issues
  – Storage I/O bottleneck
  – Memory contention
  – CPU contention
  – Network issues
• Where to look
  – vCenter Server
  – VCOPs
  – ESXTOP
  – 3rd Party Tools

The 3 Pillars of Performance

What to look for
• CPU
  – Cluster/Host utilization < 90%
  – VM utilization - %USED (ESXTOP)
  – VM %RDY Time (ESXTOP) < 10%
• Memory
  – Host utilization < 85%
  – VM utilization
  – Swapping, Ballooning – SWCUR > 1, MCTLSZ > 1 (ESXTOP)
• Storage
  – Disk Read Latency < 25ms
  – ESXTOP DAVG or KAVG < 25ms (ESXTOP)

Optimize Your Images

• https://labs.vmware.com/flings/vmware-os-optimization-tool

User Environment Manager: Common Issues

FlexEngine Appears Not To Run

FlexEngine Client
• Requires use of Regedit.exe or Reg.exe to modify user-based registry keys
• Must not be disabled via Local or Group Policy

ADMX Settings
• Minimum settings to enable FlexEngine Client
• Check path

Path-Based Import Runs Slow

• Be careful not to run FlexEngine as a logon script and a Group Policy client-side extension

Application Incompatibility with Hook Drivers

DirectFlex Blacklist
• Create <FlexRepository>\DirectFlex\BlackList.XML
• Populate as follows

<?xml version="1.0" encoding="utf-8"?>
<userEnvironmentSettings>
  <setting type="blacklist" list="1.exe|2.exe|3.exe" />
</userEnvironmentSettings>

• Example: https://kb.vmware.com/kb/2145287

App Volumes: Common Issues

Slow User Logon

• Check Logon Segments in Horizon to determine where the delay is
• Optimize clock.yml
  – If performance decreases as deployment scales
  – Increasing servers, workers and thread_pool requires additional CPU and RAM
  – Involve GSS to ensure optimal settings

AppStack Not Attaching at Logon

• One host in vSphere cluster does not have access to the shared datastore where the AppStack resides
  – Common oversight, especially with Storage Groups
• Conflicting Minifilter driver
  – DLP software
  – Be aware of app altitude
  – More info from Microsoft
    • http://bit.ly/2tSCdG5

ADSI Edit – Static Configuration Editing

ADSI Edit – Common Key Values to Inspect

• pae-DisplayName
  – VM name as displayed in View Admin
• pae-DirtyForNewSessions
  – Indicates whether the VM is “Dirty” and can be re-used in a non-persistent pool
• pae-SVIVMSnapshot
  – Indicates the current Snapshot that is in use
• pae-VmPath
  – Indicates the full Path to the VM in vCenter
• pae-VmState
  – Indicates the current state of the Desktop – some states are a combination of this value and other values

ADSI Edit – Searching for a Desktop

• Find VMs with a Snapshot
  – (&(objectClass=pae-VM)(pae-SVIVmSnapshot=BaselineSnapshot1Snapshot2))
• Find VMs with a Name
  – (&(objectClass=pae-VM)(pae-DisplayName=Desktop-234))

Horizon View Event Notifier

• On the VMware Fling site - labs.vmware.com/flings (chrishalstead)

SSL Certificates and vCenter Server Connection

Accept vCenter Certificate
• By default, certificate validation is required between App Volumes Manager and vSphere
• Accept vCenter cert (self-signed or CA-signed) while creating the Machine Manager in App Volumes Manager
• No custom certificate work required

Certificate Options for Production

Options to Enable SSL
• SSL is enabled by default
• Don’t disable certificate validation during Agent installation
• Enable SSL in the registry after App Volumes Agent install

Enable Certificate Validation on the App Volumes Agent
HKLM\System\CurrentControlSet\Services\svservices\Parameters
• EnforceSSLCertificateValidation = 1
• SSL = 1

Certificate Options for a POC

• Options to Disable SSL
• Disable Certificate Validation with App Volumes Manager during App Volumes Agent install
• EnforceSSLCertificateValidation in the registry after App Volumes Agent install

Disable SSL Certificate Validation on the Agent
HKLM\System\CurrentControlSet\Services\svservices\Parameters
• EnforceSSLCertificateValidation = 0

SSL Certificates and SQL Server Communication: Securing Communications Between App Volumes Manager and SQL Server

• 2.12 User Guide references MS Support
• Note the differences for a SQL Server clustered installation
• Encryption is configured on the SQL Server instance, so all databases on a shared SQL Server will be affected
• From the SQL Server, use SQL Server Configuration Manager to configure Force Encryption and specify the SQL certificate

SQL Server service account must have Read permissions to the Private Key of the SQL Server SSL certificate
  – Check SQL Server Configuration Manager > SQL Server Services > SQL Server (SQL) > Log On
  – Default is NT Service\MSSQL$SQL, which does not have the necessary permissions

SSL Certificates and SQL Server Communication

Setting Custom Private Key Permissions for SQL Service Account
• Start on the SQL Server
• MMC > Certificates

SSL Certificates and Load Balancers

Typical Deployment
  – SSL is terminated at load balancer
  – HTTP between LB and AV Manager
  – SSL between AV Agents and LB
  – If trusted CA-signed cert is used for LB, be sure all agents trust the CA

Alternative Deployment
  – To keep SSL between LB and AV Manager, signed AV Manager certificate(s) should be added to trust list of the LB

[Diagram labels: App Volumes Agent VMs; Load Balancer; App Volumes Manager VMs; SQL; View Infrastructure; Now Secured with SSL Certificates]

Desktop Not Available

What to look for… (walk through successful connection)
• Client requests desktop
  – Event Database: BROKER_DESKTOP_REQUEST
• Broker allocates session to user
  – [FarmImp] (SESSION7072--a79c) cn=3f974017-409f-4912-83bc-2ee794f22fabou=serversdc=vdidc=vmwaredc=int total session count 0
  – [FarmImp] (SESSION7072--a79c) allocateNewSession - identified server for application CN=GOLD-NPOU=ApplicationsDC=vdiDC=vmwareDC=int
  – Event Database: BROKER_MACHINE_ALLOCATED
• Broker attempts SSO
  – [FarmImp] (SESSION7072--a79c) Using domain for SSO FUTUREOFFICE
  – User won’t be logged on to the VM without this

Desktop Not Available

What to look for… Pool Provisioning
• Desktops not available due to provisioning error
  – Check View Administrator for Pool status, check datastore capacity
  – Check Event Database - BROKER_PROVISIONING_ERROR_
  – Check View Composer has network access to ESX hosts
• Desktop not available due to customization
  – Check Desktop status – AGENT UNAVAILABLE
  – Check View Dashboard
    • Desktop Status > Preparing Desktops OR Problem Desktops
  – Check Desktop connectivity to DNS/AD/Connection Server

Desktop Not Available

• Desktop not available due to VM reset/crash
  – Check Desktop status – ALREADY USED
  – Typical on refresh-on-logoff or delete-on-use desktops
  – Broker never received an explicit logout message from the agent
  – Missing AGENT_ENDED event in DB for VM
• View Composer Issues associated with incorrect domain credentials
  • C:\ProgramData\VMware\View Composer\Logs
  • FATAL CSvmGaService - [svmGaServicecpp 116] Domain join failed Error 5 (0x5) Access is denied

Desktop Not Available

What to look for…
• Broker starts session on VM
  – [DesktopSessionImp] (SESSION7072--a79c) startSession – sending StartSession message
• Agent responds…
  – “DesktopManager got a StartSession message”
  – Client Info should be in Agent Log along with PCoIP launch
• Event Database: AGENT_PENDING
• Client connects to VM (Agent)
  – “PCoIPCnxOnConnectionComplete Begin (PCOIP)”
  – “WTS_SESSION_LOGON”
  – Event Database: AGENT_CONNECTED

Desktop Source Not Available

Common Issues
• No Desktop Available
• Pool provisioning issues – customization
• Agent not communicating with broker
• Stuck at desktop login screen (SSO)

Desktop Source Not Available

Where to look
• Event Database
• Connection Server logs

What to look for
[SessionLaunchContext] (SESSION40a7__6cbd) VMWEUCbsimpson Desktop=vmworld Session request failed
(SESSION40a7__6cbd) [VMWEUCbsimpson Desktop=vmworld] (5ms) The following servers were blocked for new sessions [cn=5162cf76-8d8a-4ac0-9185-845a540d24e5ou=serversdc=vdidc=vmwaredc=int]
(SESSION40a7__6cbd) [VMWEUCbsimpson Desktop=vmworld] (5ms) Application launch failed exception was The desktop sources for this desktop are not responding Please try again later
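The broker-side walkthrough on the "Horizon Connectivity Issues", "Desktop Not Available" and "Desktop Source Not Available" slides can be followed per session with a short script. This Python example is added here and is not part of the original deck: it groups Connection Server log lines by session token, reports the last milestone each session reached, and lists sessions that attempted authentication without ever succeeding. The sample lines, their timestamp layout and the `SESSION:<token>` form are constructed assumptions; only the marker strings come from the slides.

```python
import re

# Broker-side milestones in the order the slides walk through a successful
# launch. Each marker is a substring quoted on the slides.
STAGES = [
    ("auth_attempt", "Attempting to authenticate user"),
    ("authenticated", "has successfully authenticated to VDM"),
    ("allocated", "allocateNewSession"),
    ("sso", "Using domain for SSO"),
    ("start_session", "sending StartSession message"),
]

# Failure strings from the "Desktop Source Not Available" slide.
FAILURES = [
    "Session request failed",
    "The following servers were blocked for new sessions",
    "The desktop sources for this desktop are not responding",
]

# Where the slides say to look when a session stops after a given milestone.
NEXT_CHECK = {
    None: "no authentication line: check the client connection path",
    "auth_attempt": "logon failure: authentication never succeeded",
    "authenticated": "no allocation: check pool status and provisioning errors",
    "allocated": "no SSO line: user will not be logged on to the VM",
    "sso": "no StartSession sent: check desktop status in the dashboard",
    "start_session": "broker side complete: continue in the Agent log",
}

# Assumption: the session token follows "(SESSION" with an optional colon.
SESSION_RE = re.compile(r"\(SESSION:?([^\s)]+)")
USER_RE = re.compile(r"Attempting to authenticate user (\S+) in domain '?([^'\s]+)")

# Constructed sample lines (not captured from a real Connection Server).
SAMPLE_LOG = r"""
2017-08-28T10:00:01 DEBUG [WinAuthFilter] (SESSION:7072_a79c mattc) Attempting to authenticate user mattc in domain 'FUTUREOFFICE'
2017-08-28T10:00:01 INFO  [AuthorizationFilter] (SESSION:7072_a79c) User FUTUREOFFICE\mattc has successfully authenticated to VDM
2017-08-28T10:00:03 DEBUG [FarmImp] (SESSION:7072_a79c) allocateNewSession - identified server for application CN=GOLD-NP
2017-08-28T10:00:03 DEBUG [FarmImp] (SESSION:7072_a79c) Using domain for SSO: FUTUREOFFICE
2017-08-28T10:00:04 DEBUG [DesktopSessionImp] (SESSION:7072_a79c) startSession - sending StartSession message
2017-08-28T10:05:10 DEBUG [WinAuthFilter] (SESSION:40a7_6cbd bsimpson) Attempting to authenticate user bsimpson in domain 'VMWEUC'
2017-08-28T10:05:10 INFO  [AuthorizationFilter] (SESSION:40a7_6cbd) User VMWEUC\bsimpson has successfully authenticated to VDM
2017-08-28T10:05:12 INFO  [SessionLaunchContext] (SESSION:40a7_6cbd) VMWEUC\bsimpson Desktop=vmworld Session request failed
2017-08-28T10:05:12 DEBUG (SESSION:40a7_6cbd) [VMWEUC\bsimpson Desktop=vmworld] The following servers were blocked for new sessions: [cn=example]
2017-08-28T10:05:12 DEBUG (SESSION:40a7_6cbd) [VMWEUC\bsimpson Desktop=vmworld] Application launch failed, exception was: The desktop sources for this desktop are not responding
2017-08-28T10:07:30 DEBUG [WinAuthFilter] (SESSION:9f10_00aa jdoe) Attempting to authenticate user jdoe in domain 'VMWEUC'
"""


def trace_sessions(lines):
    """Group broker log lines by session token and record milestones seen."""
    traces = {}
    for line in lines:
        match = SESSION_RE.search(line)
        if not match:
            continue
        trace = traces.setdefault(
            match.group(1), {"user": "?", "stages": [], "failures": []}
        )
        user = USER_RE.search(line)
        if user:
            trace["user"] = f"{user.group(2)}\\{user.group(1)}"
        for name, marker in STAGES:
            if marker in line and name not in trace["stages"]:
                trace["stages"].append(name)
        for marker in FAILURES:
            if marker in line and marker not in trace["failures"]:
                trace["failures"].append(marker)
    return traces


def diagnose(trace):
    """Return (last_milestone, hint) for one traced session."""
    if trace["failures"]:
        return ("failed", "desktop source not responding: check Event Database and agent status")
    last = None
    for name, _marker in STAGES:
        if name in trace["stages"]:
            last = name
    return (last, NEXT_CHECK[last])


def unauthenticated(traces):
    """Sessions that attempted authentication but never logged a success."""
    return sorted(
        (t["user"], sid)
        for sid, t in traces.items()
        if "auth_attempt" in t["stages"] and "authenticated" not in t["stages"]
    )


if __name__ == "__main__":
    sample = trace_sessions(SAMPLE_LOG.splitlines())
    for sid, t in sample.items():
        print(sid, t["user"], *diagnose(t), sep=" | ")
    print("unauthenticated:", unauthenticated(sample))
```

Repeated entries in the unauthenticated list for one account are worth correlating with the Event Database, since the broker log alone does not say why authentication failed.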


Page 13: ADV1592BU Troubleshooting Your Horizon 7 Deployment … · Troubleshooting Your Horizon 7 Deployment VMworld 2017 ... (SCCM Toolkit) Horizon ... Troubleshooting Horizon

VMware Horizon Log Locations

Core

Infrastructure

Active

Directory

vCenter

Server

vRealize

Operations

Manager for

Horizon

Database

(SQL)

vSphere

vSAN

SaaS Mobile

Apps

Applications

(App Volumes)

VMware

Identity

Manager

User

Workspace

User

Environment

IT

Settings

User

Profile

End-Point Clients

VMware Horizon

RDS

Desktops amp Apps

Virtual Desktop Pools

Unified

Access

Gateway

Connection

Server

View

Composer

Logs can be collected fromhellip

Use KB1017939 for log locations and KB1025887 to change log levels

ADV1592BU CONFIDENTIAL 13

VMworld 2017 Content Not fo

r publication or distri

bution

VMware Unified Access Gateway (UAG) Logs

Log Files

bull Default log level is INFO

bull Adjust log level for debugging information

ndash Details of log levels and collecting log files httpbitly2ufqdAY

Monitoring

bull Monitor UAG services from the Admin UI

Unified Access Gateway

ADV1592BU CONFIDENTIAL 14

VMworld 2017 Content Not fo

r publication or distri

bution

App Volumes Logs

rdquoDJrdquo indicates

Manager

background

job

ldquoRrdquo indicates

dynamic Ruby

job

Log files are

now created

daily

bull Use Notepad++ to quickly group log entries by task

ADV1592BU CONFIDENTIAL 15

VMworld 2017 Content Not fo

r publication or distri

bution

User Environment Manager Logs

bull Configure debug logging for individual user

ndash httpskbvmwarecomkb2113514

Global and Individual Debug Logs

User Environment Manager

ADV1592BU CONFIDENTIAL 16

VMworld 2017 Content Not fo

r publication or distri

bution

Application Personalization amp DirectFlex

User Session

Profile Data Store (File Share)

Base

Profile

UEM

LogonImport of Keyboard

Mouse Wallpaper

Windows Settings

Application

LaunchImport of application

settings

Application

ShutdownExport of application

settings

UEM

LogoffExport of Keyboard

Mouse Wallpaper

Windows Settings

Time

User Environment Manager

CONFIDENTIAL

VMworld 2017 Content Not fo

r publication or distri

bution

DirectFlex LoggingUser Environment

Manager

ADV1592BU CONFIDENTIAL 18

VMworld 2017 Content Not fo

r publication or distri

bution

DirectFlex Import

Directflex Import

User Environment Manager

ADV1592BU CONFIDENTIAL 19

VMworld 2017 Content Not fo

r publication or distri

bution

DirectFlex Export

Directflex Export

User Environment Manager

ADV1592BU CONFIDENTIAL 20

VMworld 2017 Content Not fo

r publication or distri

bution

Tracking Sessions

bull Use TailGrep Utilities or Trace32 (SCCM Toolkit)

Horizon

ADV1592BU CONFIDENTIAL 21

VMworld 2017 Content Not fo

r publication or distri

bution

Demo ndash Log Monitoring with BareTailBareGrep

ADV1592BU CONFIDENTIAL 22

Horizon

VMworld 2017 Content Not fo

r publication or distri

bution

HorizonCommon Issues

VMworld 2017 Content Not fo

r publication or distri

bution

Troubleshooting Keys

bull Check Admin Dashboard or HelpDesk Tool

bull Understand client connection paths

bull Set the appropriate Logging Level

bull Check Logs and understand DCT Tool

bull Use kbvmwarecom or communities

ADV1592BU CONFIDENTIAL 24

Horizon

VMworld 2017 Content Not fo

r publication or distri

bution

Horizon Helpdesk ToolHorizon

ADV1592BU CONFIDENTIAL 25

VMworld 2017 Content Not fo

r publication or distri

bution

Horizon Helpdesk Tool Session Details

Access

bull Installed by default on CS

bull https[CS FQDN]helpdesk

bull Launch from Horizon Console

Provides

bull Metrics

bull Send Message

bull Remote Assistance

bull Quick Resolutionndash Restart

ndash Logoff

ndash Reset

ndash Disconnect

Horizon

ADV1592BU CONFIDENTIAL 26

VMworld 2017 Content Not fo

r publication or distri

bution

Horizon Helpdesk Tool

ADV1592BU CONFIDENTIAL 27

Measuring Impact of AppStacks

No AppStacks

Three AppStacks ndash VLC Notepad++ 7-Zip

Horizon

VMworld 2017 Content Not fo

r publication or distri

bution

Pool

Profile

Service AppsUser

Remoting

ProtocolUser Environment

Manager

File SharesPersona

ThinApp SharesStreamed

Apps

Master VMInstant

Clone

Home File SharesFolder

Redirection

App Volumes

AppStacks

Writable Volume

Disk

Attachments

vSphere

Virtual SAN

Instant Clone

SaaS Mobile Other Apps

Client(s)

Identity Manager

HTML

APPS

En

viro

nm

en

t

AD

DNS

DHCP

Group

Policy

Certs

vRealize Operations for Horizon ndash (Monitoring amp Mgt)

Identifying the Problem Domain

VMworld 2017 Content Not fo

r publication or distri

bution

Horizon Connectivity Issues

bull Common challenges

ndash Horizon Client canrsquot connect

ndash Logon failure

ndash Black screen

ndash Poor quality display

ndash Randomly disconnected session

Horizon

ADV1592BU CONFIDENTIAL 29

VMworld 2017 Content Not fo

r publication or distri

bution

Horizon

VMworld 2017 Content Not fo

r publication or distri

bution

Blast Extreme Adaptive TransportADMX Template Settings

Computer gt Policies gt Admin Templates gt VMware Blast gt UDP Protocol

bull Requires restart of Blast service or reboot of guest OS to take effect

BlastExtreme

ADV1592BU CONFIDENTIAL 31

VMworld 2017 Content Not fo

r publication or distri

bution

Blast Extreme Adaptive Transport

Client Settings Agent Settings (UDP) Blast Desktop Connection Broker Connection

Excellent Not configured or Enabled TCP TCP

Typical Not configured or Enabled UDP TCP

Poor Not configured or Enabled UDP UDP

Computer gt Policies gt Admin Templates gt VMware Blast gt UDP Protocol ndash Not Configured or Enabled

HKLMSOFTWAREPoliciesVMware IncVMware BlastConfig ndash UdpEnabled = 1

Client Settings Agent Settings (UDP) Blast Desktop Connection Broker Connection

Excellent Disabled TCP TCP

Typical Disabled TCP TCP

Poor Disabled TCP UDP

Computer gt Policies gt Admin Templates gt VMware Blast gt UDP Protocol ndash Disabled

HKLMSOFTWAREPoliciesVMware IncVMware BlastConfig ndash UdpEnabled = 0

BlastExtreme

ADV1592BU CONFIDENTIAL 32

VMworld 2017 Content Not fo

r publication or distri

bution

Horizon Connectivity Issues

bull Where to look

ndash Connection Broker logs

bull CProgramDataVMwareVDMlogs

ndash Event Database

ndash DCT Tool

bull What to look for ndash

bull (Client connects) [SimpleAJPService] (ajpbrokerRequest9) Request from 19216821 POST brokerxml

bull (Broker authentication) [WinAuthFilter] (SESSION7072--a79c mattc) Attempting to authenticate user mattc in domain FUTUREOFFICErsquo

bull (User has authenticated to Broker) [AuthorizationFilter] (SESSION7072--a79c) User FUTUREOFFICEmattc has successfully authenticated to VDM

bull (Audit Entry) [Audit] (SESSION7072--a79c) BROKER_LOGONUSERFUTUREOFFICEmattcUSERSIDS-1-5-21-326850759-2560684469-1780228732-1113USERDNCN=S-1-5-21-326850759-2560684469-1780228732-1113CN=ForeignSecurityPrincipalsDC=vdiDC=vmwareDC=int

bull Event Database BROKER_USERLOGGEDIN

Horizon

ADV1592BU CONFIDENTIAL 33

VMworld 2017 Content Not fo

r publication or distri

bution

User Experience Issues

bull Black screen of deathmdashinstead of desktop

ndash PCoIP port blocked (TCP and UDP 4172) or SVGA Driver issue

ndash pcoip_serverclient logs - CUsersAll UsersVMwareVDMlogs

bull Error attaching to SVGADevTap error 4000 EscapeFailed

bull MGMT_SCHAN scnet_client_open tera_sock_connect returned error 10060 - Connection timed out

ndash Incorrect PCoIP External URL configured for SecurityConnection Servers

Horizon

ADV1592BU CONFIDENTIAL 34

VMworld 2017 Content Not fo

r publication or distri

bution

User Experience Issues

bull Poor quality display

ndash Bandwidth latency or QoS

ndash Pcoip_server logs report

bull VGMAC Stat frms Loss=045021 (RT)

bull MGMT_PCOIP_DATA BW Decrease (loss) old = 2349982 new = 1768438

bull Randomly disconnected session

ndash 15 min after established - wssm process hasnt started on desktop

ndash View Agent logs (ltDriveLettergtProgramDataVMwareVDMlogs)

ndash PENDING_EXPIRED

ndash Sometimes caused by daisy-chaining the GINA (WinXP)

Horizon

ADV1592BU CONFIDENTIAL 35

VMworld 2017 Content Not fo

r publication or distri

bution

Multi-VLAN support for Instant Clone poolsTips to Avoid Deployment Issues

Support

bull vSphere 2016

bull ESXi 60 U1 or newer

bull Virtual Distributed Switch only

ndash No support for Standard Switch

bull Port Group must be configured for Static Port Binding amp Fixed Port Allocation

ndash No support for Dynamic or Ephemeral

Tested Limits

bull No multi-VLAN provisioning with IPv6

bull Single IC pool of 2K VMs

Horizon

ADV1592BU CONFIDENTIAL 36

VMworld 2017 Content Not fo

r publication or distri

bution

Multi-VLAN with Horizon Instant ClonesTroubleshooting

Horizon

ADV1592BU CONFIDENTIAL 37

VMworld 2017 Content Not fo

r publication or distri

bution

Desktop Performance

bull Common Issues

ndash Storage IO bottleneck

ndash Memory contention

ndash CPU contention

ndash Network issues

bull Where to look

ndash vCenter Server

ndash VCOPs

ndash ESXTOP

ndash 3rd Party Tools

Horizon

ADV1592BU CONFIDENTIAL 38

VMworld 2017 Content Not fo

r publication or distri

bution

The 3 Pillars of Performance

What to look for

bull CPU

ndash ClusterHost utilization lt 90

ndash VM utilization - USED (ESXTOP)

ndash VM RDY Time (ESXTOP) lt 10

bull Memory

ndash Host utilization lt 85

ndash VM utilization

ndash Swapping Ballooning SWCUR gt 1 MCTLSZ gt 1 (ESXTOP)

bull Storage

ndash Disk Read Latency lt 25ms

ndash ESXTOP DAVG or KAVG lt 25ms (ESXTOP)

Horizon

ADV1592BU CONFIDENTIAL 39

VMworld 2017 Content Not fo

r publication or distri

bution

Optimize Your Images

bull httpslabsvmwarecomflingsvmware-os-optimization-tool

Horizon

ADV1592BU CONFIDENTIAL 40

VMworld 2017 Content Not fo

r publication or distri

bution

User Environment ManagerCommon Issues

VMworld 2017 Content Not fo

r publication or distri

bution

FlexEngine Appears Not To Run

FlexEngine Client

bull Requires use of Regeditexeor Regexe to modify user-based registry keys

bull Must not be disabled via Local or Group Policy

ADMX Settings

bull Minimum settings to enable FlexEngine Client

bull Check path

ADV1592BU CONFIDENTIAL 42

VMworld 2017 Content Not fo

r publication or distri

bution

Path-Based Import Runs Slow

bull Be careful not to run FlexEngine as a logon script and a Group Policy client-side extension

ADV1592BU CONFIDENTIAL 43

VMworld 2017 Content Not fo

r publication or distri

bution

Application Incompatibility with Hook DriversUser Environment

Manager

DirectFlex Blacklist

bull Create ltFlexRepositorygtDirectFlexBlackListXML

bull Populate as follows

ltxml version=10 encoding=utf-8gt

ltuserEnvironmentSettingsgt

ltsetting type=blacklist list=rdquo1exe|2exe|3exe gt

ltuserEnvironmentSettingsgt

bull Example httpskbvmwarecomkb2145287

ADV1592BU CONFIDENTIAL 44

VMworld 2017 Content Not fo

r publication or distri

bution

App VolumesCommon Issues

VMworld 2017 Content Not fo

r publication or distri

bution

Slow User Logon

bull Check Logon Segments in Horizon to determine where the delay is

bull Optimize clockyml

ndash If performance decreases as deployment scales

ndash Increasing servers workers and thread_poolrequires additional CPU and RAM

ndash Involve GSS to ensure optimal settings

ADV1592BU CONFIDENTIAL 46

VMworld 2017 Content Not fo

r publication or distri

bution

AppStack Not Attaching at Logon

ADV1592BU CONFIDENTIAL 47

bull One host in vSphere cluster does not have access to the shared datastore where the AppStack resides

ndash Common oversight especially with Storage Groups

bull Conflicting Minifilter driver

ndash DLP software

ndash Be aware of app altitude

ndash More info from Microsoft

bull httpbitly2tSCdG5VMworld 2017 Content Not fo

r publication or distri

bution

VMworld 2017 Content Not fo

r publication or distri

bution

VMworld 2017 Content Not fo

r publication or distri

bution

ADSI Edit ndash Static Configuration Editing

ADV1592BU CONFIDENTIAL 50

Horizon

VMworld 2017 Content Not fo

r publication or distri

bution

ADSI Edit ndash Common Key Values to Inspect

bull pae-DisplayName

ndash VM name as displayed in View Admin

bull pae-DirtyForNewSessions

ndash Indicates whether the VM is ldquoDirtyrdquo and can be re-used in a non-persistent pool

bull pae-SVIVMSnapshot

ndash Indicates the current Snapshot that is in use

bull pae-VmPath

ndash Indicates the full Path to the VM in vCenter

bull pae-VmState

ndash Indicates the current state of the Desktop ndash some states are a combination of this valueand other values

ADV1592BU CONFIDENTIAL 51

Horizon

VMworld 2017 Content Not fo

r publication or distri

bution

ADSI Edit ndash Searching for a Desktop

bull Find VMs with a Snapshot

ndash (amp(objectClass=pae-VM)(pae-SVIVmSnapshot=BaselineSnapshot1Snapshot2))

bull Find VMs with a Name

ndash (amp(objectClass=pae-VM)(pae-DisplayName=Desktop-234))

Horizon

ADV1592BU CONFIDENTIAL 52

VMworld 2017 Content Not fo

r publication or distri

bution

Horizon View Event Notifier

bull On the VMware Fling site - labsvmwarecomflings (chrishalstead)

Horizon

ADV1592BU CONFIDENTIAL 53

VMworld 2017 Content Not fo

r publication or distri

bution

SSL Certificates and vCenter Server Connection

Accept vCenter Certificate

bull By default certificate validation is required between App Volumes Manager and vSphere

bull Accept vCenter cert (self-signed or CA-signed) while creating the Machine Manager in App Volumes Manager

bull No custom certificate work required

App Volumes

ADV1592BU CONFIDENTIAL 54

VMworld 2017 Content Not fo

r publication or distri

bution

Certificate Options for Production
Options to Enable SSL
• SSL is enabled by default
• Don’t disable certificate validation during Agent installation
• Enable SSL in the registry after App Volumes Agent install
Enable Certificate Validation on the App Volumes Agent
HKLM\System\CurrentControlSet\Services\svservices\Parameters
• EnforceSSLCertificateValidation = 1
• SSL = 1
App Volumes

Certificate Options for a POC
• Options to Disable SSL
• Disable Certificate Validation with App Volumes Manager during App Volumes Agent install
• EnforceSSLCertificateValidation in the registry after App Volumes Agent install
Disable SSL Certificate Validation on the Agent
HKLM\System\CurrentControlSet\Services\svservices\Parameters
• EnforceSSLCertificateValidation = 0
App Volumes

SSL Certificates and SQL Server Communication
Securing Communications Between App Volumes Manager and SQL Server
• 2.12 User Guide references MS Support
• Note the differences for a SQL Server clustered installation
• Encryption is configured on the SQL Server instance, so all databases on a shared SQL Server will be affected
• From the SQL Server, use SQL Server Configuration Manager to configure Force Encryption and specify the SQL certificate
SQL Server service account must have Read permissions to the Private Key of the SQL Server SSL certificate
  – Check SQL Server Configuration Manager > SQL Server Services > SQL Server (SQL) > Log On
  – Default is NT Service\MSSQL$SQL, which does not have the necessary permissions
App Volumes

SSL Certificates and SQL Server Communication
Setting Custom Private Key Permissions for SQL Service Account
• Start on the SQL Server
• MMC > Certificates
App Volumes

SSL Certificates and Load Balancers
Typical Deployment
  – SSL is terminated at load balancer
  – HTTP between LB and AV Manager
  – SSL between AV Agents and LB
  – If trusted CA-signed cert is used for LB, be sure all agents trust the CA
Alternative Deployment
  – To keep SSL between LB and AV Manager, signed AV Manager certificate(s) should be added to trust list of the LB
[Diagram labels: App Volumes Agent VMs; Load Balancer; App Volumes Manager VMs; SQL; View Infrastructure; Now Secured with SSL Certificates]
App Volumes

Desktop Not Available
What to look for… (walk through successful connection)
• Client requests desktop
  – Event Database: BROKER_DESKTOP_REQUEST
• Broker allocates session to user
  – [FarmImp] (SESSION7072--a79c) cn=3f974017-409f-4912-83bc-2ee794f22fab,ou=servers,dc=vdi,dc=vmware,dc=int total session count 0
  – [FarmImp] (SESSION7072--a79c) allocateNewSession - identified server for application CN=GOLD-NP,OU=Applications,DC=vdi,DC=vmware,DC=int
  – Event Database: BROKER_MACHINE_ALLOCATED
• Broker attempts SSO
  – [FarmImp] (SESSION7072--a79c) Using domain for SSO FUTUREOFFICE
  – User won’t be logged on to the VM without this
Horizon

Desktop Not Available
What to look for… Pool Provisioning
• Desktops not available due to provisioning error
  – Check View Administrator for Pool status, check datastore capacity
  – Check Event Database - BROKER_PROVISIONING_ERROR_
  – Check View Composer has network access to ESX hosts
• Desktop not available due to customization
  – Check Desktop status – AGENT UNAVAILABLE
  – Check View Dashboard
    • Desktop Status > Preparing Desktops OR Problem Desktops
  – Check Desktop connectivity to DNS/AD/Connection Server
Horizon

Desktop Not Available
• Desktop not available due to VM reset/crash
  – Check Desktop status – ALREADY USED
  – Typical on refresh-on-logoff or delete-on-use desktops
  – Broker never received an explicit logout message from the agent
  – Missing AGENT_ENDED event in DB for VM
• View Composer Issues associated with incorrect domain credentials
  • C:\ProgramData\VMware\View Composer\Logs
  • FATAL CSvmGaService - [svmGaService.cpp 116] Domain join failed Error 5 (0x5) Access is denied
Horizon

Desktop Not Available
What to look for…
• Broker starts session on VM
  – [DesktopSessionImp] (SESSION7072--a79c) startSession – sending StartSession message
• Agent responds…
  – “DesktopManager got a StartSession message”
  – Client Info should be in Agent Log along with PCoIP launch
• Event Database: AGENT_PENDING
• Client connects to VM (Agent)
  – “PCoIPCnxOnConnectionComplete Begin (PCOIP)”
  – “WTS_SESSION_LOGON”
  – Event Database: AGENT_CONNECTED
Horizon

Desktop Source Not Available
Common Issues
• No Desktop Available
• Pool provisioning issues – customization
• Agent not communicating with broker
• Stuck at desktop login screen (SSO)
Horizon

Desktop Source Not Available
Where to look
• Event Database
• Connection Server logs
What to look for
[SessionLaunchContext] (SESSION40a7__6cbd) VMWEUC\bsimpson Desktop=vmworld Session request failed
(SESSION40a7__6cbd) [VMWEUC\bsimpson Desktop=vmworld] (5ms) The following servers were blocked for new sessions [cn=5162cf76-8d8a-4ac0-9185-845a540d24e5,ou=servers,dc=vdi,dc=vmware,dc=int]
(SESSION40a7__6cbd) [VMWEUC\bsimpson Desktop=vmworld] (5ms) Application launch failed exception was The desktop sources for this desktop are not responding Please try again later
Horizon

Page 14: ADV1592BU Troubleshooting Your Horizon 7 Deployment … · Troubleshooting Your Horizon 7 Deployment VMworld 2017 ... (SCCM Toolkit) Horizon ... Troubleshooting Horizon

VMware Unified Access Gateway (UAG) Logs
Log Files
• Default log level is INFO
• Adjust log level for debugging information
  – Details of log levels and collecting log files: http://bit.ly/2ufqdAY
Monitoring
• Monitor UAG services from the Admin UI
Unified Access Gateway

App Volumes Logs
“DJ” indicates Manager background job
“R” indicates dynamic Ruby job
Log files are now created daily
• Use Notepad++ to quickly group log entries by task

User Environment Manager Logs
Global and Individual Debug Logs
• Configure debug logging for individual user
  – https://kb.vmware.com/kb/2113514
User Environment Manager

Application Personalization & DirectFlex
[Timeline diagram labels: User Session; Profile Data Store (File Share); Base Profile; Time]
• UEM Logon: Import of Keyboard, Mouse, Wallpaper, Windows Settings
• Application Launch: Import of application settings
• Application Shutdown: Export of application settings
• UEM Logoff: Export of Keyboard, Mouse, Wallpaper, Windows Settings
User Environment Manager

DirectFlex Logging
User Environment Manager

DirectFlex Import
User Environment Manager

DirectFlex Export
User Environment Manager

Tracking Sessions
• Use Tail/Grep Utilities or Trace32 (SCCM Toolkit)
Horizon

Demo – Log Monitoring with BareTail/BareGrep
Horizon

Horizon
Common Issues

Troubleshooting Keys
• Check Admin Dashboard or HelpDesk Tool
• Understand client connection paths
• Set the appropriate Logging Level
• Check Logs and understand DCT Tool
• Use kb.vmware.com or communities
Horizon

Horizon Helpdesk Tool
Horizon

Horizon Helpdesk Tool Session Details
Access
• Installed by default on CS
• https://[CS FQDN]/helpdesk
• Launch from Horizon Console
Provides
• Metrics
• Send Message
• Remote Assistance
• Quick Resolution
  – Restart
  – Logoff
  – Reset
  – Disconnect
Horizon

Horizon Helpdesk Tool
Measuring Impact of AppStacks
No AppStacks
Three AppStacks – VLC, Notepad++, 7-Zip
Horizon

Identifying the Problem Domain
[Diagram labels: Pool; Profile; Service; Apps; User; Remoting Protocol; User Environment Manager; File Shares; Persona; ThinApp Shares; Streamed Apps; Master VM; Instant Clone; Home File Shares; Folder Redirection; App Volumes; AppStacks; Writable Volume; Disk Attachments; vSphere; Virtual SAN; Instant Clone; SaaS, Mobile, Other Apps; Client(s); Identity Manager; HTML; APPS; Environment; AD; DNS; DHCP; Group Policy; Certs; vRealize Operations for Horizon – (Monitoring & Mgt)]

Horizon Connectivity Issues
• Common challenges
  – Horizon Client can’t connect
  – Logon failure
  – Black screen
  – Poor quality display
  – Randomly disconnected session
Horizon

Horizon


Blast Extreme Adaptive Transport
ADMX Template Settings
Computer > Policies > Admin Templates > VMware Blast > UDP Protocol
• Requires restart of Blast service or reboot of guest OS to take effect
Blast Extreme

Blast Extreme Adaptive Transport

Client Settings | Agent Settings (UDP)      | Blast Desktop Connection | Broker Connection
Excellent       | Not configured or Enabled | TCP                      | TCP
Typical         | Not configured or Enabled | UDP                      | TCP
Poor            | Not configured or Enabled | UDP                      | UDP

Computer > Policies > Admin Templates > VMware Blast > UDP Protocol – Not Configured or Enabled
HKLM\SOFTWARE\Policies\VMware, Inc.\VMware Blast\Config – UdpEnabled = 1

Client Settings | Agent Settings (UDP) | Blast Desktop Connection | Broker Connection
Excellent       | Disabled             | TCP                      | TCP
Typical         | Disabled             | TCP                      | TCP
Poor            | Disabled             | TCP                      | UDP

Computer > Policies > Admin Templates > VMware Blast > UDP Protocol – Disabled
HKLM\SOFTWARE\Policies\VMware, Inc.\VMware Blast\Config – UdpEnabled = 0
Blast Extreme

Horizon Connectivity Issues
• Where to look
  – Connection Broker logs
    • C:\ProgramData\VMware\VDM\logs
  – Event Database
  – DCT Tool
• What to look for –
  • (Client connects) [SimpleAJPService] (ajpbrokerRequest9) Request from 19216821 POST /broker/xml
  • (Broker authentication) [WinAuthFilter] (SESSION7072--a79c mattc) Attempting to authenticate user mattc in domain FUTUREOFFICE
  • (User has authenticated to Broker) [AuthorizationFilter] (SESSION7072--a79c) User FUTUREOFFICE\mattc has successfully authenticated to VDM
  • (Audit Entry) [Audit] (SESSION7072--a79c) BROKER_LOGON:USER:FUTUREOFFICE\mattc;USERSID:S-1-5-21-326850759-2560684469-1780228732-1113;USERDN:CN=S-1-5-21-326850759-2560684469-1780228732-1113,CN=ForeignSecurityPrincipals,DC=vdi,DC=vmware,DC=int
  • Event Database: BROKER_USERLOGGEDIN
Horizon
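The broker log lines quoted on this slide and on the Desktop Not Available / Desktop Source Not Available slides all carry a (SESSION…) tag, so a single launch can be followed from authentication to StartSession. The script below is an added example, not part of the presentation or any VMware tool: it groups Connection Server log lines by that tag and reports the last stage each session reached and any failure messages. The timestamp and level prefix, the third session and the stage names are assumptions made for the example.

```python
import re
from dataclasses import dataclass, field

# Launch stages in the order the slides walk through them:
# (stage name used in this example, logging component, text that marks the stage).
STAGES = [
    ("authenticating", "WinAuthFilter", "Attempting to authenticate user"),
    ("authenticated", "AuthorizationFilter", "has successfully authenticated"),
    ("allocated", "FarmImp", "allocateNewSession"),
    ("sso", "FarmImp", "Using domain for SSO"),
    ("start_session", "DesktopSessionImp", "startSession"),
]
STAGE_ORDER = [name for name, _, _ in STAGES]

# Messages the slides list for a launch that did not complete.
FAILURES = (
    "Session request failed",
    "were blocked for new sessions",
    "Application launch failed",
)

# Optional "[Component]" followed by "(SESSION<id>[ user])" and the message.
LINE = re.compile(
    r"(?:\[(?P<comp>\w+)\]\s+)?\((?P<sid>SESSION[^\s)]*)[^)]*\)\s*(?P<msg>.*)"
)


@dataclass
class SessionTrace:
    session_id: str
    stages: list = field(default_factory=list)    # stage names, in log order
    failures: list = field(default_factory=list)  # failure messages as logged

    @property
    def furthest(self):
        """Latest walkthrough stage seen, or None if none was logged."""
        seen = [s for s in STAGE_ORDER if s in self.stages]
        return seen[-1] if seen else None

    @property
    def next_expected(self):
        """Stage that should have come next; None once StartSession was sent."""
        if self.furthest is None:
            return STAGE_ORDER[0]
        nxt = STAGE_ORDER.index(self.furthest) + 1
        return STAGE_ORDER[nxt] if nxt < len(STAGE_ORDER) else None

    @property
    def status(self):
        if self.failures:
            return "failed"
        return "launched" if self.next_expected is None else "incomplete"


def trace_sessions(lines):
    """Group log lines by session tag and record stages and failures."""
    traces = {}
    for line in lines:
        m = LINE.search(line)
        if m is None:
            continue  # no session tag, e.g. the SimpleAJPService request line
        trace = traces.setdefault(m["sid"], SessionTrace(m["sid"]))
        for name, component, marker in STAGES:
            if m["comp"] == component and marker in m["msg"] and name not in trace.stages:
                trace.stages.append(name)
        if any(text in m["msg"] for text in FAILURES):
            trace.failures.append(m["msg"].strip())
    return traces


# Constructed sample: timestamps, levels, the IP address and the third session are
# invented; message texts and the first two session tags follow the slides.
SAMPLE_LOG = r"""
2017-08-29T10:15:01 DEBUG [SimpleAJPService] (ajpbrokerRequest9) Request from 192.0.2.10 POST /broker/xml
2017-08-29T10:15:01 DEBUG [WinAuthFilter] (SESSION7072--a79c mattc) Attempting to authenticate user mattc in domain FUTUREOFFICE
2017-08-29T10:15:02 DEBUG [AuthorizationFilter] (SESSION7072--a79c) User FUTUREOFFICE\mattc has successfully authenticated to VDM
2017-08-29T10:15:03 DEBUG [FarmImp] (SESSION7072--a79c) allocateNewSession - identified server for application CN=GOLD-NP
2017-08-29T10:15:03 DEBUG [FarmImp] (SESSION7072--a79c) Using domain for SSO FUTUREOFFICE
2017-08-29T10:15:04 DEBUG [DesktopSessionImp] (SESSION7072--a79c) startSession - sending StartSession message
2017-08-29T10:20:10 DEBUG [WinAuthFilter] (SESSION40a7__6cbd bsimpson) Attempting to authenticate user bsimpson in domain VMWEUC
2017-08-29T10:20:11 DEBUG [AuthorizationFilter] (SESSION40a7__6cbd) User VMWEUC\bsimpson has successfully authenticated to VDM
2017-08-29T10:20:12 INFO  [SessionLaunchContext] (SESSION40a7__6cbd) VMWEUC\bsimpson Desktop=vmworld Session request failed
2017-08-29T10:20:12 DEBUG (SESSION40a7__6cbd) [VMWEUC\bsimpson Desktop=vmworld] (5ms) The following servers were blocked for new sessions
2017-08-29T10:20:12 DEBUG (SESSION40a7__6cbd) [VMWEUC\bsimpson Desktop=vmworld] (5ms) Application launch failed
2017-08-29T10:31:40 DEBUG [WinAuthFilter] (SESSION9b11--0c2e jdoe) Attempting to authenticate user jdoe in domain FUTUREOFFICE
2017-08-29T10:31:41 DEBUG [AuthorizationFilter] (SESSION9b11--0c2e) User FUTUREOFFICE\jdoe has successfully authenticated to VDM
2017-08-29T10:31:42 DEBUG [FarmImp] (SESSION9b11--0c2e) allocateNewSession - identified server for application CN=GOLD-NP
"""

if __name__ == "__main__":
    for t in trace_sessions(SAMPLE_LOG.splitlines()).values():
        print(t.session_id, t.status, "reached:", t.furthest, "next:", t.next_expected)
```

A session that stops before the "sso" stage matches the "Stuck at desktop login screen (SSO)" symptom listed under Desktop Source Not Available; the Event Database entries named on the slides are not in the log file and are not covered here.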

User Experience Issues
• Black screen of death – instead of desktop
  – PCoIP port blocked (TCP and UDP 4172) or SVGA Driver issue
  – pcoip_server/client logs - C:\Users\All Users\VMware\VDM\logs
    • Error attaching to SVGADevTap error 4000 EscapeFailed
    • MGMT_SCHAN scnet_client_open tera_sock_connect returned error 10060 - Connection timed out
  – Incorrect PCoIP External URL configured for Security/Connection Servers
Horizon

User Experience Issues
• Poor quality display
  – Bandwidth, latency or QoS
  – Pcoip_server logs report
    • VGMAC Stat frms Loss=045021 (RT)
    • MGMT_PCOIP_DATA BW Decrease (loss) old = 2349982 new = 1768438
• Randomly disconnected session
  – 15 min after established - wssm process hasn't started on desktop
  – View Agent logs (<DriveLetter>:\ProgramData\VMware\VDM\logs)
  – PENDING_EXPIRED
  – Sometimes caused by daisy-chaining the GINA (WinXP)
Horizon

Multi-VLAN support for Instant Clone pools
Tips to Avoid Deployment Issues
Support
• vSphere 2016
• ESXi 6.0 U1 or newer
• Virtual Distributed Switch only
  – No support for Standard Switch
• Port Group must be configured for Static Port Binding & Fixed Port Allocation
  – No support for Dynamic or Ephemeral
Tested Limits
• No multi-VLAN provisioning with IPv6
• Single IC pool of 2K VMs
Horizon

Multi-VLAN with Horizon Instant Clones
Troubleshooting
Horizon

Desktop Performance
• Common Issues
  – Storage IO bottleneck
  – Memory contention
  – CPU contention
  – Network issues
• Where to look
  – vCenter Server
  – VCOPs
  – ESXTOP
  – 3rd Party Tools
Horizon

The 3 Pillars of Performance
What to look for
• CPU
  – Cluster/Host utilization < 90
  – VM utilization - USED (ESXTOP)
  – VM RDY Time (ESXTOP) < 10
• Memory
  – Host utilization < 85
  – VM utilization
  – Swapping, Ballooning: SWCUR > 1, MCTLSZ > 1 (ESXTOP)
• Storage
  – Disk Read Latency < 25ms
  – ESXTOP DAVG or KAVG < 25ms (ESXTOP)
Horizon

Optimize Your Images
• https://labs.vmware.com/flings/vmware-os-optimization-tool
Horizon

User Environment Manager
Common Issues

FlexEngine Appears Not To Run
FlexEngine Client
• Requires use of Regedit.exe or Reg.exe to modify user-based registry keys
• Must not be disabled via Local or Group Policy
ADMX Settings
• Minimum settings to enable FlexEngine Client
• Check path

Path-Based Import Runs Slow
• Be careful not to run FlexEngine as a logon script and a Group Policy client-side extension

Application Incompatibility with Hook Drivers
DirectFlex Blacklist
• Create <FlexRepository>\DirectFlex\BlackList.XML
• Populate as follows
    <?xml version="1.0" encoding="utf-8"?>
    <userEnvironmentSettings>
        <setting type="blacklist" list="1.exe|2.exe|3.exe" />
    </userEnvironmentSettings>
• Example: https://kb.vmware.com/kb/2145287
User Environment Manager

App Volumes
Common Issues

Slow User Logon
• Check Logon Segments in Horizon to determine where the delay is
• Optimize clock.yml
  – If performance decreases as deployment scales
  – Increasing servers, workers and thread_pool requires additional CPU and RAM
  – Involve GSS to ensure optimal settings

AppStack Not Attaching at Logon
• One host in vSphere cluster does not have access to the shared datastore where the AppStack resides
  – Common oversight, especially with Storage Groups
• Conflicting Minifilter driver
  – DLP software
  – Be aware of app altitude
  – More info from Microsoft
    • http://bit.ly/2tSCdG5

Page 15: ADV1592BU Troubleshooting Your Horizon 7 Deployment … · Troubleshooting Your Horizon 7 Deployment VMworld 2017 ... (SCCM Toolkit) Horizon ... Troubleshooting Horizon

App Volumes Logs

rdquoDJrdquo indicates

Manager

background

job

ldquoRrdquo indicates

dynamic Ruby

job

Log files are

now created

daily

bull Use Notepad++ to quickly group log entries by task

ADV1592BU CONFIDENTIAL 15

VMworld 2017 Content Not fo

r publication or distri

bution

User Environment Manager Logs

bull Configure debug logging for individual user

ndash httpskbvmwarecomkb2113514

Global and Individual Debug Logs

User Environment Manager

ADV1592BU CONFIDENTIAL 16

VMworld 2017 Content Not fo

r publication or distri

bution

Application Personalization amp DirectFlex

User Session

Profile Data Store (File Share)

Base

Profile

UEM

LogonImport of Keyboard

Mouse Wallpaper

Windows Settings

Application

LaunchImport of application

settings

Application

ShutdownExport of application

settings

UEM

LogoffExport of Keyboard

Mouse Wallpaper

Windows Settings

Time

User Environment Manager

CONFIDENTIAL

VMworld 2017 Content Not fo

r publication or distri

bution

DirectFlex LoggingUser Environment

Manager

ADV1592BU CONFIDENTIAL 18

VMworld 2017 Content Not fo

r publication or distri

bution

DirectFlex Import

Directflex Import

User Environment Manager

ADV1592BU CONFIDENTIAL 19

VMworld 2017 Content Not fo

r publication or distri

bution

DirectFlex Export

Directflex Export

User Environment Manager

ADV1592BU CONFIDENTIAL 20

VMworld 2017 Content Not fo

r publication or distri

bution

Tracking Sessions

bull Use TailGrep Utilities or Trace32 (SCCM Toolkit)

Horizon

ADV1592BU CONFIDENTIAL 21

VMworld 2017 Content Not fo

r publication or distri

bution

Demo ndash Log Monitoring with BareTailBareGrep

ADV1592BU CONFIDENTIAL 22

Horizon

VMworld 2017 Content Not fo

r publication or distri

bution

HorizonCommon Issues

VMworld 2017 Content Not fo

r publication or distri

bution

Troubleshooting Keys

bull Check Admin Dashboard or HelpDesk Tool

bull Understand client connection paths

bull Set the appropriate Logging Level

bull Check Logs and understand DCT Tool

bull Use kbvmwarecom or communities

ADV1592BU CONFIDENTIAL 24

Horizon

VMworld 2017 Content Not fo

r publication or distri

bution

Horizon Helpdesk ToolHorizon

ADV1592BU CONFIDENTIAL 25

VMworld 2017 Content Not fo

r publication or distri

bution

Horizon Helpdesk Tool Session Details

Access

bull Installed by default on CS

bull https[CS FQDN]helpdesk

bull Launch from Horizon Console

Provides

bull Metrics

bull Send Message

bull Remote Assistance

bull Quick Resolutionndash Restart

ndash Logoff

ndash Reset

ndash Disconnect

Horizon

ADV1592BU CONFIDENTIAL 26

VMworld 2017 Content Not fo

r publication or distri

bution

Horizon Helpdesk Tool

ADV1592BU CONFIDENTIAL 27

Measuring Impact of AppStacks

No AppStacks

Three AppStacks ndash VLC Notepad++ 7-Zip

Horizon

VMworld 2017 Content Not fo

r publication or distri

bution

Pool

Profile

Service AppsUser

Remoting

ProtocolUser Environment

Manager

File SharesPersona

ThinApp SharesStreamed

Apps

Master VMInstant

Clone

Home File SharesFolder

Redirection

App Volumes

AppStacks

Writable Volume

Disk

Attachments

vSphere

Virtual SAN

Instant Clone

SaaS Mobile Other Apps

Client(s)

Identity Manager

HTML

APPS

En

viro

nm

en

t

AD

DNS

DHCP

Group

Policy

Certs

vRealize Operations for Horizon ndash (Monitoring amp Mgt)

Identifying the Problem Domain

VMworld 2017 Content Not fo

r publication or distri

bution

Horizon Connectivity Issues

bull Common challenges

ndash Horizon Client canrsquot connect

ndash Logon failure

ndash Black screen

ndash Poor quality display

ndash Randomly disconnected session

Horizon

ADV1592BU CONFIDENTIAL 29

VMworld 2017 Content Not fo

r publication or distri

bution

Horizon

VMworld 2017 Content Not fo

r publication or distri

bution

Blast Extreme Adaptive TransportADMX Template Settings

Computer gt Policies gt Admin Templates gt VMware Blast gt UDP Protocol

bull Requires restart of Blast service or reboot of guest OS to take effect

BlastExtreme

ADV1592BU CONFIDENTIAL 31

VMworld 2017 Content Not fo

r publication or distri

bution

Blast Extreme Adaptive Transport

Client Settings Agent Settings (UDP) Blast Desktop Connection Broker Connection

Excellent Not configured or Enabled TCP TCP

Typical Not configured or Enabled UDP TCP

Poor Not configured or Enabled UDP UDP

Computer gt Policies gt Admin Templates gt VMware Blast gt UDP Protocol ndash Not Configured or Enabled

HKLMSOFTWAREPoliciesVMware IncVMware BlastConfig ndash UdpEnabled = 1

Client Settings Agent Settings (UDP) Blast Desktop Connection Broker Connection

Excellent Disabled TCP TCP

Typical Disabled TCP TCP

Poor Disabled TCP UDP

Computer gt Policies gt Admin Templates gt VMware Blast gt UDP Protocol ndash Disabled

HKLMSOFTWAREPoliciesVMware IncVMware BlastConfig ndash UdpEnabled = 0

BlastExtreme

ADV1592BU CONFIDENTIAL 32

VMworld 2017 Content Not fo

r publication or distri

bution

Horizon Connectivity Issues

bull Where to look

ndash Connection Broker logs

bull CProgramDataVMwareVDMlogs

ndash Event Database

ndash DCT Tool

bull What to look for ndash

bull (Client connects) [SimpleAJPService] (ajpbrokerRequest9) Request from 19216821 POST brokerxml

bull (Broker authentication) [WinAuthFilter] (SESSION7072--a79c mattc) Attempting to authenticate user mattc in domain FUTUREOFFICErsquo

bull (User has authenticated to Broker) [AuthorizationFilter] (SESSION7072--a79c) User FUTUREOFFICEmattc has successfully authenticated to VDM

bull (Audit Entry) [Audit] (SESSION7072--a79c) BROKER_LOGONUSERFUTUREOFFICEmattcUSERSIDS-1-5-21-326850759-2560684469-1780228732-1113USERDNCN=S-1-5-21-326850759-2560684469-1780228732-1113CN=ForeignSecurityPrincipalsDC=vdiDC=vmwareDC=int

bull Event Database BROKER_USERLOGGEDIN

Horizon

ADV1592BU CONFIDENTIAL 33

VMworld 2017 Content Not fo

r publication or distri

bution

User Experience Issues

• Black screen of death – instead of desktop
  – PCoIP port blocked (TCP and UDP 4172) or SVGA Driver issue
  – pcoip_server/client logs - C:\Users\All Users\VMware\VDM\logs
    • Error attaching to SVGADevTap error 4000 EscapeFailed
    • MGMT_SCHAN scnet_client_open tera_sock_connect returned error 10060 - Connection timed out
  – Incorrect PCoIP External URL configured for Security/Connection Servers

User Experience Issues

• Poor quality display
  – Bandwidth, latency or QoS
  – Pcoip_server logs report
    • VGMAC Stat frms Loss=045021 (RT)
    • MGMT_PCOIP_DATA BW Decrease (loss) old = 2349982 new = 1768438
• Randomly disconnected session
  – 15 min after established - wssm process hasn't started on desktop
  – View Agent logs (<DriveLetter>:\ProgramData\VMware\VDM\logs)
  – PENDING_EXPIRED
  – Sometimes caused by daisy-chaining the GINA (WinXP)

Multi-VLAN support for Instant Clone pools
Tips to Avoid Deployment Issues

Support
• vSphere 2016
• ESXi 6.0 U1 or newer
• Virtual Distributed Switch only
  – No support for Standard Switch
• Port Group must be configured for Static Port Binding & Fixed Port Allocation
  – No support for Dynamic or Ephemeral

Tested Limits
• No multi-VLAN provisioning with IPv6
• Single IC pool of 2K VMs

Multi-VLAN with Horizon Instant Clones
Troubleshooting

Desktop Performance

• Common Issues
  – Storage I/O bottleneck
  – Memory contention
  – CPU contention
  – Network issues
• Where to look
  – vCenter Server
  – VCOPs
  – ESXTOP
  – 3rd Party Tools

The 3 Pillars of Performance

What to look for
• CPU
  – Cluster/Host utilization < 90%
  – VM utilization - %USED (ESXTOP)
  – VM %RDY Time (ESXTOP) < 10%
• Memory
  – Host utilization < 85%
  – VM utilization
  – Swapping, Ballooning: SWCUR > 1, MCTLSZ > 1 (ESXTOP)
• Storage
  – Disk Read Latency < 25ms
  – ESXTOP DAVG or KAVG < 25ms (ESXTOP)

Optimize Your Images

• https://labs.vmware.com/flings/vmware-os-optimization-tool

User Environment Manager
Common Issues

FlexEngine Appears Not To Run

FlexEngine Client
• Requires use of Regedit.exe or Reg.exe to modify user-based registry keys
• Must not be disabled via Local or Group Policy

ADMX Settings
• Minimum settings to enable FlexEngine Client
• Check path

Path-Based Import Runs Slow

• Be careful not to run FlexEngine as a logon script and a Group Policy client-side extension

Application Incompatibility with Hook Drivers

DirectFlex Blacklist
• Create <FlexRepository>\DirectFlex\BlackList.XML
• Populate as follows

    <?xml version="1.0" encoding="utf-8"?>
    <userEnvironmentSettings>
      <setting type="blacklist" list="1.exe|2.exe|3.exe" />
    </userEnvironmentSettings>

• Example: https://kb.vmware.com/kb/2145287

App Volumes
Common Issues

Slow User Logon

• Check Logon Segments in Horizon to determine where the delay is
• Optimize clock.yml
  – If performance decreases as deployment scales
  – Increasing servers, workers and thread_pool requires additional CPU and RAM
  – Involve GSS to ensure optimal settings

AppStack Not Attaching at Logon

• One host in vSphere cluster does not have access to the shared datastore where the AppStack resides
  – Common oversight, especially with Storage Groups
• Conflicting Minifilter driver
  – DLP software
  – Be aware of app altitude
  – More info from Microsoft
    • http://bit.ly/2tSCdG5

ADSI Edit – Static Configuration Editing

ADSI Edit – Common Key Values to Inspect

• pae-DisplayName
  – VM name as displayed in View Admin
• pae-DirtyForNewSessions
  – Indicates whether the VM is “Dirty” and can be re-used in a non-persistent pool
• pae-SVIVMSnapshot
  – Indicates the current Snapshot that is in use
• pae-VmPath
  – Indicates the full Path to the VM in vCenter
• pae-VmState
  – Indicates the current state of the Desktop – some states are a combination of this value and other values

ADSI Edit – Searching for a Desktop

• Find VMs with a Snapshot
  – (&(objectClass=pae-VM)(pae-SVIVmSnapshot=BaselineSnapshot1Snapshot2))
• Find VMs with a Name
  – (&(objectClass=pae-VM)(pae-DisplayName=Desktop-234))

Horizon View Event Notifier

• On the VMware Fling site - labs.vmware.com/flings (chrishalstead)

SSL Certificates and vCenter Server Connection

Accept vCenter Certificate
• By default, certificate validation is required between App Volumes Manager and vSphere
• Accept vCenter cert (self-signed or CA-signed) while creating the Machine Manager in App Volumes Manager
• No custom certificate work required

Certificate Options for Production

Options to Enable SSL
• SSL is enabled by default
• Don’t disable certificate validation during Agent installation
• Enable SSL in the registry after App Volumes Agent install

Enable Certificate Validation on the App Volumes Agent
HKLM\System\CurrentControlSet\Services\svservice\Parameters
• EnforceSSLCertificateValidation = 1
• SSL = 1

Certificate Options for a POC

Options to Disable SSL
• Disable Certificate Validation with App Volumes Manager during App Volumes Agent install
• EnforceSSLCertificateValidation in the registry after App Volumes Agent install

Disable SSL Certificate Validation on the Agent
HKLM\System\CurrentControlSet\Services\svservice\Parameters
• EnforceSSLCertificateValidation = 0
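To find machines that still carry the POC setting, the added Python example below (not VMware code and not part of the presentation) parses collected `reg query` output for the agent's Parameters key and flags values that differ from the production settings on the slides. The machine names and sample output are constructed, and reporting an absent value for manual review is an assumption.

```python
import re

# Production values from the slides; EnforceSSLCertificateValidation = 0 is the POC setting.
PRODUCTION = {"EnforceSSLCertificateValidation": 1, "SSL": 1}

# `reg query` prints each value as: <indent>Name    REG_DWORD    0x<hex>
DWORD_RE = re.compile(r"^\s+(?P<name>\S+)\s+REG_DWORD\s+(?P<data>0x[0-9A-Fa-f]+)\s*$")


def parse_reg_query(text):
    """Return {value name: int} for every REG_DWORD line in `reg query` output."""
    values = {}
    for line in text.splitlines():
        match = DWORD_RE.match(line)
        if match:
            values[match.group("name")] = int(match.group("data"), 16)
    return values


def audit_agent(text):
    """List deviations from the production settings for one machine."""
    values = parse_reg_query(text)
    findings = []
    for name, wanted in PRODUCTION.items():
        if name not in values:
            # Assumption: an absent value is reported for manual review, not judged.
            findings.append(f"{name} is not set; verify how the agent was installed")
        elif values[name] != wanted:
            findings.append(f"{name} = {values[name]}, production setting is {wanted}")
    return findings


def audit_fleet(outputs):
    """Map machine name -> findings, keeping only machines with deviations."""
    report = {}
    for machine, text in outputs.items():
        findings = audit_agent(text)
        if findings:
            report[machine] = findings
    return report


# Constructed sample: `reg query` output for the agent's Parameters key,
# as it might be collected from three hypothetical machines.
KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\svservice\Parameters"
SAMPLE_OUTPUTS = {
    "gold-image": (
        f"\n{KEY}\n"
        "    EnforceSSLCertificateValidation    REG_DWORD    0x1\n"
        "    SSL    REG_DWORD    0x1\n"
    ),
    "poc-pool": (
        f"\n{KEY}\n"
        "    EnforceSSLCertificateValidation    REG_DWORD    0x0\n"
        "    SSL    REG_DWORD    0x1\n"
    ),
    "legacy-pool": (
        f"\n{KEY}\n"
        "    SSL    REG_DWORD    0x0\n"
    ),
}

if __name__ == "__main__":
    for machine, findings in audit_fleet(SAMPLE_OUTPUTS).items():
        for finding in findings:
            print(f"{machine}: {finding}")
```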

SSL Certificates and SQL Server Communication
Securing Communications Between App Volumes Manager and SQL Server

• 2.12 User Guide references MS Support
• Note the differences for a SQL Server clustered installation
• Encryption is configured on the SQL Server instance, so all databases on a shared SQL Server will be affected
• From the SQL Server, use SQL Server Configuration Manager to configure Force Encryption and specify the SQL certificate

SQL Server service account must have Read permissions to the Private Key of the SQL Server SSL certificate
  – Check SQL Server Configuration Manager > SQL Server Services > SQL Server (SQL) > Log On
  – Default is NT Service\MSSQL$SQL, which does not have the necessary permissions

SSL Certificates and SQL Server Communication
Setting Custom Private Key Permissions for SQL Service Account

• Start on the SQL Server
• MMC > Certificates

SSL Certificates and Load Balancers

Typical Deployment
  – SSL is terminated at load balancer
  – HTTP between LB and AV Manager
  – SSL between AV Agents and LB
  – If trusted CA-signed cert is used for LB, be sure all agents trust the CA

Alternative Deployment
  – To keep SSL between LB and AV Manager, signed AV Manager certificate(s) should be added to trust list of the LB

[Diagram labels: App Volumes Agent VMs; Load Balancer; App Volumes Manager VMs; SQL, View Infrastructure; Now Secured with SSL Certificates]

Desktop Not Available

What to look for… (walk through successful connection)

• Client requests desktop
  – Event Database: BROKER_DESKTOP_REQUEST
• Broker allocates session to user
  – [FarmImp] (SESSION7072--a79c) cn=3f974017-409f-4912-83bc-2ee794f22fab,ou=servers,dc=vdi,dc=vmware,dc=int total session count 0
  – [FarmImp] (SESSION7072--a79c) allocateNewSession - identified server for application CN=GOLD-NP,OU=Applications,DC=vdi,DC=vmware,DC=int
  – Event Database: BROKER_MACHINE_ALLOCATED
• Broker attempts SSO
  – [FarmImp] (SESSION7072--a79c) Using domain for SSO FUTUREOFFICE
  – User won’t be logged on to the VM without this

Desktop Not Available

What to look for… Pool Provisioning

• Desktops not available due to provisioning error
  – Check View Administrator for Pool status, check datastore capacity
  – Check Event Database - BROKER_PROVISIONING_ERROR_
  – Check View Composer has network access to ESX hosts
• Desktop not available due to customization
  – Check Desktop status – AGENT UNAVAILABLE
  – Check View Dashboard
    • Desktop Status > Preparing Desktops OR Problem Desktops
  – Check Desktop connectivity to DNS/AD/Connection Server

Desktop Not Available

• Desktop not available due to VM reset/crash
  – Check Desktop status – ALREADY USED
  – Typical on refresh-on-logoff or delete-on-use desktops
  – Broker never received an explicit logout message from the agent
  – Missing AGENT_ENDED event in DB for VM
• View Composer Issues associated with incorrect domain credentials
  • C:\ProgramData\VMware\View Composer\Logs
  • FATAL CSvmGaService - [svmGaServicecpp 116] Domain join failed Error 5 (0x5) Access is denied

Desktop Not Available

What to look for…

• Broker starts session on VM
  – [DesktopSessionImp] (SESSION7072--a79c) startSession – sending StartSession message
• Agent responds…
  – “DesktopManager got a StartSession message”
  – Client Info should be in Agent Log along with PCoIP launch
• Event Database: AGENT_PENDING
• Client connects to VM (Agent)
  – “PCoIPCnxOnConnectionComplete Begin (PCOIP)”
  – “WTS_SESSION_LOGON”
  – Event Database: AGENT_CONNECTED

Desktop Source Not Available

Common Issues
• No Desktop Available
• Pool provisioning issues – customization
• Agent not communicating with broker
• Stuck at desktop login screen (SSO)

Desktop Source Not Available

Where to look
• Event Database
• Connection Server logs

What to look for
[SessionLaunchContext] (SESSION40a7__6cbd) VMWEUC\bsimpson Desktop=vmworld Session request failed
(SESSION40a7__6cbd) [VMWEUC\bsimpson Desktop=vmworld] (5ms) The following servers were blocked for new sessions [cn=5162cf76-8d8a-4ac0-9185-845a540d24e5,ou=servers,dc=vdi,dc=vmware,dc=int]
(SESSION40a7__6cbd) [VMWEUC\bsimpson Desktop=vmworld] (5ms) Application launch failed exception was The desktop sources for this desktop are not responding Please try again later
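The broker-side markers from the "What to look for" slides (authentication, allocation, SSO, StartSession, and the "Desktop Source Not Available" failures) can be followed per session instead of by eye. The Python below is an added example, not part of the presentation or any VMware tool: it groups Connection Server log lines by session token and reports the last stage each session reached. The sample lines are constructed from the fragments quoted on the slides, and the stage and function names are hypothetical.

```python
import re

# Broker-side stages of a successful launch, in order:
# (stage name, bracketed component tag, substring of the message)
STAGES = [
    ("auth_attempt", "WinAuthFilter", "Attempting to authenticate user"),
    ("authenticated", "AuthorizationFilter", "successfully authenticated"),
    ("machine_allocated", "FarmImp", "allocateNewSession"),
    ("sso_domain", "FarmImp", "Using domain for SSO"),
    ("start_session_sent", "DesktopSessionImp", "sending StartSession message"),
]

FAILURE_MARKERS = (
    "Session request failed",
    "blocked for new sessions",
    "Application launch failed",
)

# Matches "(SESSION7072--a79c)" and "(SESSION7072--a79c mattc)". An optional ":"
# after SESSION is tolerated because the slide text has lost its punctuation.
SESSION_RE = re.compile(r"\(SESSION:?(?P<sid>[^\s)]+)[^)]*\)")
COMPONENT_RE = re.compile(r"\[(?P<component>\w+)\]\s*\(SESSION")


def trace_sessions(lines):
    """Group log lines by session token; record stages reached and failures."""
    sessions = {}
    for line in lines:
        match = SESSION_RE.search(line)
        if not match:
            continue  # e.g. the SimpleAJPService request line carries no session
        entry = sessions.setdefault(match.group("sid"), {"stages": [], "failures": []})
        comp = COMPONENT_RE.search(line)
        component = comp.group("component") if comp else None
        message = line[match.end():].strip()
        for name, wanted_component, needle in STAGES:
            if (component == wanted_component and needle in message
                    and name not in entry["stages"]):
                entry["stages"].append(name)
        if any(marker in message for marker in FAILURE_MARKERS):
            entry["failures"].append(message)
    return sessions


def diagnose(entry):
    """Summarise one session: complete, failed, or stalled before a stage."""
    order = [name for name, _, _ in STAGES]
    last = entry["stages"][-1] if entry["stages"] else "no stage"
    if entry["failures"]:
        return f"failed after {last}: {entry['failures'][0]}"
    missing = [name for name in order if name not in entry["stages"]]
    if not missing:
        return "complete: StartSession sent, continue in the agent log"
    return f"stalled after {last}; next expected {missing[0]}"


# Constructed sample built from the log fragments quoted on the slides.
SAMPLE_LOG = """\
[SimpleAJPService] (ajpbrokerRequest9) Request from 19216821 POST brokerxml
[WinAuthFilter] (SESSION7072--a79c mattc) Attempting to authenticate user mattc in domain FUTUREOFFICE
[AuthorizationFilter] (SESSION7072--a79c) User FUTUREOFFICE\\mattc has successfully authenticated to VDM
[WinAuthFilter] (SESSION40a7__6cbd bsimpson) Attempting to authenticate user bsimpson in domain VMWEUC
[FarmImp] (SESSION7072--a79c) allocateNewSession - identified server for application CN=GOLD-NP
[AuthorizationFilter] (SESSION40a7__6cbd) User VMWEUC\\bsimpson has successfully authenticated to VDM
[FarmImp] (SESSION7072--a79c) Using domain for SSO FUTUREOFFICE
[DesktopSessionImp] (SESSION7072--a79c) startSession - sending StartSession message
[SessionLaunchContext] (SESSION40a7__6cbd) VMWEUC\\bsimpson Desktop=vmworld Session request failed
(SESSION40a7__6cbd) [VMWEUC\\bsimpson Desktop=vmworld] (5ms) The following servers were blocked for new sessions
(SESSION40a7__6cbd) [VMWEUC\\bsimpson Desktop=vmworld] (5ms) Application launch failed
"""

if __name__ == "__main__":
    for sid, entry in trace_sessions(SAMPLE_LOG.splitlines()).items():
        print(sid, "->", diagnose(entry))
```

A session that stops at `start_session_sent` without a failure marker is the point to switch to the agent log and the AGENT_PENDING / AGENT_CONNECTED events.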

Page 16: ADV1592BU Troubleshooting Your Horizon 7 Deployment … · Troubleshooting Your Horizon 7 Deployment VMworld 2017 ... (SCCM Toolkit) Horizon ... Troubleshooting Horizon

User Environment Manager Logs

• Configure debug logging for individual user
  – https://kb.vmware.com/kb/2113514

Global and Individual Debug Logs

Application Personalization & DirectFlex

[Timeline diagram: User Session over Time, with a Profile Data Store (File Share) and a Base Profile. UEM Logon: import of Keyboard, Mouse, Wallpaper, Windows Settings. Application Launch: import of application settings. Application Shutdown: export of application settings. UEM Logoff: export of Keyboard, Mouse, Wallpaper, Windows Settings.]

DirectFlex Logging

DirectFlex Import

DirectFlex Export

Tracking Sessions

• Use Tail/Grep Utilities or Trace32 (SCCM Toolkit)

Demo – Log Monitoring with BareTail/BareGrep

Horizon
Common Issues

Troubleshooting Keys

• Check Admin Dashboard or HelpDesk Tool
• Understand client connection paths
• Set the appropriate Logging Level
• Check Logs and understand DCT Tool
• Use kb.vmware.com or communities

Horizon Helpdesk Tool

Horizon Helpdesk Tool Session Details

Access
• Installed by default on CS
• https://[CS FQDN]/helpdesk
• Launch from Horizon Console

Provides
• Metrics
• Send Message
• Remote Assistance
• Quick Resolution
  – Restart
  – Logoff
  – Reset
  – Disconnect

Horizon Helpdesk Tool
Measuring Impact of AppStacks

No AppStacks
Three AppStacks – VLC, Notepad++, 7-Zip

Identifying the Problem Domain

[Architecture diagram. Labels: Client(s); Identity Manager; HTML; Apps; SaaS, Mobile, Other Apps; Remoting Protocol; Pool; Profile; Service Apps; User; User Environment Manager; Persona (File Shares); Streamed Apps (ThinApp Shares); Instant Clone (Master VM); Folder Redirection (Home File Shares); App Volumes: AppStacks, Writable Volume, Disk Attachments; vSphere; Virtual SAN; Instant Clone; Environment: AD, DNS, DHCP, Group Policy, Certs; vRealize Operations for Horizon – (Monitoring & Mgt)]

Horizon Connectivity Issues

• Common challenges
  – Horizon Client can’t connect
  – Logon failure
  – Black screen
  – Poor quality display
  – Randomly disconnected session

Blast Extreme Adaptive Transport
ADMX Template Settings

Computer > Policies > Admin Templates > VMware Blast > UDP Protocol
• Requires restart of Blast service or reboot of guest OS to take effect

Blast Extreme Adaptive Transport

Client Settings Agent Settings (UDP) Blast Desktop Connection Broker Connection

Excellent Not configured or Enabled TCP TCP

Typical Not configured or Enabled UDP TCP

Poor Not configured or Enabled UDP UDP

Computer gt Policies gt Admin Templates gt VMware Blast gt UDP Protocol ndash Not Configured or Enabled

HKLMSOFTWAREPoliciesVMware IncVMware BlastConfig ndash UdpEnabled = 1

Client Settings Agent Settings (UDP) Blast Desktop Connection Broker Connection

Excellent Disabled TCP TCP

Typical Disabled TCP TCP

Poor Disabled TCP UDP

Computer gt Policies gt Admin Templates gt VMware Blast gt UDP Protocol ndash Disabled

HKLMSOFTWAREPoliciesVMware IncVMware BlastConfig ndash UdpEnabled = 0

BlastExtreme

ADV1592BU CONFIDENTIAL 32

VMworld 2017 Content Not fo

r publication or distri

bution

Horizon Connectivity Issues

bull Where to look

ndash Connection Broker logs

bull CProgramDataVMwareVDMlogs

ndash Event Database

ndash DCT Tool

bull What to look for ndash

bull (Client connects) [SimpleAJPService] (ajpbrokerRequest9) Request from 19216821 POST brokerxml

bull (Broker authentication) [WinAuthFilter] (SESSION7072--a79c mattc) Attempting to authenticate user mattc in domain FUTUREOFFICErsquo

bull (User has authenticated to Broker) [AuthorizationFilter] (SESSION7072--a79c) User FUTUREOFFICEmattc has successfully authenticated to VDM

bull (Audit Entry) [Audit] (SESSION7072--a79c) BROKER_LOGONUSERFUTUREOFFICEmattcUSERSIDS-1-5-21-326850759-2560684469-1780228732-1113USERDNCN=S-1-5-21-326850759-2560684469-1780228732-1113CN=ForeignSecurityPrincipalsDC=vdiDC=vmwareDC=int

bull Event Database BROKER_USERLOGGEDIN

Horizon

ADV1592BU CONFIDENTIAL 33

VMworld 2017 Content Not fo

r publication or distri

bution

User Experience Issues

bull Black screen of deathmdashinstead of desktop

ndash PCoIP port blocked (TCP and UDP 4172) or SVGA Driver issue

ndash pcoip_serverclient logs - CUsersAll UsersVMwareVDMlogs

bull Error attaching to SVGADevTap error 4000 EscapeFailed

bull MGMT_SCHAN scnet_client_open tera_sock_connect returned error 10060 - Connection timed out

ndash Incorrect PCoIP External URL configured for SecurityConnection Servers

Horizon

ADV1592BU CONFIDENTIAL 34

VMworld 2017 Content Not fo

r publication or distri

bution

User Experience Issues

bull Poor quality display

ndash Bandwidth latency or QoS

ndash Pcoip_server logs report

bull VGMAC Stat frms Loss=045021 (RT)

bull MGMT_PCOIP_DATA BW Decrease (loss) old = 2349982 new = 1768438

bull Randomly disconnected session

ndash 15 min after established - wssm process hasnt started on desktop

ndash View Agent logs (ltDriveLettergtProgramDataVMwareVDMlogs)

ndash PENDING_EXPIRED

ndash Sometimes caused by daisy-chaining the GINA (WinXP)

Horizon

ADV1592BU CONFIDENTIAL 35

VMworld 2017 Content Not fo

r publication or distri

bution

Multi-VLAN support for Instant Clone poolsTips to Avoid Deployment Issues

Support

bull vSphere 2016

bull ESXi 60 U1 or newer

bull Virtual Distributed Switch only

ndash No support for Standard Switch

bull Port Group must be configured for Static Port Binding amp Fixed Port Allocation

ndash No support for Dynamic or Ephemeral

Tested Limits

bull No multi-VLAN provisioning with IPv6

bull Single IC pool of 2K VMs

Horizon

ADV1592BU CONFIDENTIAL 36

VMworld 2017 Content Not fo

r publication or distri

bution

Multi-VLAN with Horizon Instant ClonesTroubleshooting

Horizon

ADV1592BU CONFIDENTIAL 37

VMworld 2017 Content Not fo

r publication or distri

bution

Desktop Performance

bull Common Issues

ndash Storage IO bottleneck

ndash Memory contention

ndash CPU contention

ndash Network issues

bull Where to look

ndash vCenter Server

ndash VCOPs

ndash ESXTOP

ndash 3rd Party Tools

Horizon

ADV1592BU CONFIDENTIAL 38

VMworld 2017 Content Not fo

r publication or distri

bution

The 3 Pillars of Performance

What to look for

bull CPU

ndash ClusterHost utilization lt 90

ndash VM utilization - USED (ESXTOP)

ndash VM RDY Time (ESXTOP) lt 10

bull Memory

ndash Host utilization lt 85

ndash VM utilization

ndash Swapping Ballooning SWCUR gt 1 MCTLSZ gt 1 (ESXTOP)

bull Storage

ndash Disk Read Latency lt 25ms

ndash ESXTOP DAVG or KAVG lt 25ms (ESXTOP)

Horizon

ADV1592BU CONFIDENTIAL 39

VMworld 2017 Content Not fo

r publication or distri

bution

Optimize Your Images

bull httpslabsvmwarecomflingsvmware-os-optimization-tool

Horizon

ADV1592BU CONFIDENTIAL 40

VMworld 2017 Content Not fo

r publication or distri

bution

User Environment ManagerCommon Issues

VMworld 2017 Content Not fo

r publication or distri

bution

FlexEngine Appears Not To Run

FlexEngine Client

bull Requires use of Regeditexeor Regexe to modify user-based registry keys

bull Must not be disabled via Local or Group Policy

ADMX Settings

bull Minimum settings to enable FlexEngine Client

bull Check path

ADV1592BU CONFIDENTIAL 42

VMworld 2017 Content Not fo

r publication or distri

bution

Path-Based Import Runs Slow

bull Be careful not to run FlexEngine as a logon script and a Group Policy client-side extension

ADV1592BU CONFIDENTIAL 43

VMworld 2017 Content Not fo

r publication or distri

bution

Application Incompatibility with Hook DriversUser Environment

Manager

DirectFlex Blacklist

bull Create ltFlexRepositorygtDirectFlexBlackListXML

bull Populate as follows

ltxml version=10 encoding=utf-8gt

ltuserEnvironmentSettingsgt

ltsetting type=blacklist list=rdquo1exe|2exe|3exe gt

ltuserEnvironmentSettingsgt

bull Example httpskbvmwarecomkb2145287

ADV1592BU CONFIDENTIAL 44

VMworld 2017 Content Not fo

r publication or distri

bution

App VolumesCommon Issues

VMworld 2017 Content Not fo

r publication or distri

bution

Slow User Logon

bull Check Logon Segments in Horizon to determine where the delay is

bull Optimize clockyml

ndash If performance decreases as deployment scales

ndash Increasing servers workers and thread_poolrequires additional CPU and RAM

ndash Involve GSS to ensure optimal settings

ADV1592BU CONFIDENTIAL 46

VMworld 2017 Content Not fo

r publication or distri

bution

AppStack Not Attaching at Logon

ADV1592BU CONFIDENTIAL 47

bull One host in vSphere cluster does not have access to the shared datastore where the AppStack resides

ndash Common oversight especially with Storage Groups

bull Conflicting Minifilter driver

ndash DLP software

ndash Be aware of app altitude

ndash More info from Microsoft

bull httpbitly2tSCdG5VMworld 2017 Content Not fo

r publication or distri

bution

VMworld 2017 Content Not fo

r publication or distri

bution

VMworld 2017 Content Not fo

r publication or distri

bution

ADSI Edit ndash Static Configuration Editing

ADV1592BU CONFIDENTIAL 50

Horizon

VMworld 2017 Content Not fo

r publication or distri

bution

ADSI Edit ndash Common Key Values to Inspect

bull pae-DisplayName

ndash VM name as displayed in View Admin

bull pae-DirtyForNewSessions

ndash Indicates whether the VM is ldquoDirtyrdquo and can be re-used in a non-persistent pool

bull pae-SVIVMSnapshot

ndash Indicates the current Snapshot that is in use

bull pae-VmPath

ndash Indicates the full Path to the VM in vCenter

bull pae-VmState

ndash Indicates the current state of the Desktop ndash some states are a combination of this valueand other values

ADV1592BU CONFIDENTIAL 51

Horizon

VMworld 2017 Content Not fo

r publication or distri

bution

ADSI Edit ndash Searching for a Desktop

bull Find VMs with a Snapshot

ndash (amp(objectClass=pae-VM)(pae-SVIVmSnapshot=BaselineSnapshot1Snapshot2))

bull Find VMs with a Name

ndash (amp(objectClass=pae-VM)(pae-DisplayName=Desktop-234))

Horizon

ADV1592BU CONFIDENTIAL 52

VMworld 2017 Content Not fo

r publication or distri

bution

Horizon View Event Notifier

bull On the VMware Fling site - labsvmwarecomflings (chrishalstead)

Horizon

ADV1592BU CONFIDENTIAL 53

VMworld 2017 Content Not fo

r publication or distri

bution

SSL Certificates and vCenter Server Connection

Accept vCenter Certificate

bull By default certificate validation is required between App Volumes Manager and vSphere

bull Accept vCenter cert (self-signed or CA-signed) while creating the Machine Manager in App Volumes Manager

bull No custom certificate work required

App Volumes

ADV1592BU CONFIDENTIAL 54

VMworld 2017 Content Not fo

r publication or distri

bution

Certificate Options for Production

Options to Enable SSL

bull SSL is enabled by default

bull Donrsquot disable certificate validation during Agent installation

bull Enable SSL in the registry after App Volumes Agent install

ADV1592BU CONFIDENTIAL 55

Enable Certificate Validation on the App Volumes Agent

HKLMSystemCurrentControlSetServicessvservicesParametersbull EnforceSSLCertificateValidation = 1bull SSL = 1

App Volumes

VMworld 2017 Content Not fo

r publication or distri

bution

Certificate Options for a POC

bull Options to Disable SSL

bull Disable Certificate Validation with App Volumes Manager during App Volumes Agent install

bull EnforceSSLCertificateValidation in the registry after App Volumes Agent install

ADV1592BU CONFIDENTIAL 56

Disable SSL Certificate Validation on the Agent

HKLMSystemCurrentControlSetServicessvservicesParametersbull EnforceSSLCertificateValidation = 0

App Volumes

VMworld 2017 Content Not fo

r publication or distri

bution

SSL Certificates and SQL Server CommunicationSecuring Communications Between App Volumes Manager and SQL Server

bull 212 User Guide references MS Support

bull Note the differences for a SQL Server clustered installation

bull Encryption is configured on the SQL Server instance so alldatabases on a shared SQL Server will be affected

bull From the SQL Server use SQL Server Configuration Manager to configure Force Encryption and specify the SQL certificate

SQL Server service account must have Read permissions to the Private Key of the SQL Server SSL certificate

ndash Check SQL Server Configuration Manager gt SQL Server Services gt SQL Server (SQL) gt Log On

ndash Default is NT ServiceMSSQL$SQL which does not have the necessary permissions

App Volumes

ADV1592BU CONFIDENTIAL 57

VMworld 2017 Content Not fo

r publication or distri

bution

SSL Certificates and SQL Server Communication

bull Start on the SQL Server

bull MMC gt Certificates

ADV1592BU CONFIDENTIAL 58

Setting Custom Private Key Permissions for SQL Service Account

App Volumes

VMworld 2017 Content Not fo

r publication or distri

bution

SSL Certificates and Load Balancers

ADV1592BU CONFIDENTIAL 59

Typical Deployment

ndash SSL is terminated at load balancer

ndash HTTP between LB and AV Manager

ndash SSL between AV Agents and LB

ndash If trusted CA-signed cert is used for LB be sure all agents trust the CA

App Volumes Agent VMs

Load Balancer

App Volumes Manager VMs

Alternative Deployment

ndash To keep SSL between LB and AV Manager signed AV Manager certificate(s) should be added to trust list of the LB

SQLView Infrastructure

Now Secured withSSL Certificates

App Volumes

VMworld 2017 Content Not fo

r publication or distri

bution

Desktop Not Available

What to look forhellip (walk through successful connection)

bull Client requests desktop

ndash Event Database BROKER_DESKTOP_REQUEST

bull Broker allocates session to user

ndash [FarmImp] (SESSION7072--a79c) cn=3f974017-409f-4912-83bc-2ee794f22fabou=serversdc=vdidc=vmwaredc=int total session count 0

ndash [FarmImp] (SESSION7072--a79c) allocateNewSession - identified server for application CN=GOLD-NPOU=ApplicationsDC=vdiDC=vmwareDC=int

ndash Event Database BROKER_MACHINE_ALLOCATED

bull Broker attempts SSO

ndash [FarmImp] (SESSION7072--a79c) Using domain for SSO FUTUREOFFICE

ndash User wonrsquot be logged on to the VM without this

Horizon

ADV1592BU CONFIDENTIAL 60

VMworld 2017 Content Not fo

r publication or distri

bution

Desktop Not Available

What to look forhellip Pool Provisioning

bull Desktops not available due to provisioning error

ndash Check View Administrator for Pool status check datastore capacity

ndash Check Event Database - BROKER_PROVISIONING_ERROR_

ndash Check View Composer has network access to ESX hosts

bull Desktop not available due to customization

ndash Check Desktop status ndash AGENT UNAVAILABLE

ndash Check View Dashboard

bull Desktop Status gt Preparing Desktops OR Problem Desktops

ndash Check Desktop connectivity to DNSADConnection Server

Horizon

ADV1592BU CONFIDENTIAL 61

VMworld 2017 Content Not fo

r publication or distri

bution

Desktop Not Available

bull Desktop not available due to VM resetcrash

ndash Check Desktop status ndash ALREADY USED

ndash Typical on refresh-on-logoff or delete-on-use desktops

ndash Broker never received an explicit logout message from the agent

ndash Missing AGENT_ENDED event in DB for VM

bull View Composer Issues associated with incorrect domain credentials

bull CProgramDataVMwareView ComposerLogs

bull FATAL CSvmGaService - [svmGaServicecpp 116] Domain join failed Error 5 (0x5) Access is denied

Horizon

ADV1592BU CONFIDENTIAL 62

VMworld 2017 Content Not fo

r publication or distri

bution

Desktop Not Available

What to look forhellip

bull Broker starts session on VM

ndash [DesktopSessionImp] (SESSION7072--a79c) startSession ndashsending StartSession message

bull Agent respondshellip

ndash DesktopManager got a StartSession messagerdquo

ndash Client Info should be in Agent Log along with PCoIP launch

bull Event Database AGENT_PENDING

bull Client connects to VM (Agent)

ndash ldquoPCoIPCnxOnConnectionComplete Begin (PCOIP)rdquo

ndash ldquoWTS_SESSION_LOGONrdquo

ndash Event Database AGENT_CONNECTED

Horizon

ADV1592BU CONFIDENTIAL 63

VMworld 2017 Content Not fo

r publication or distri

bution

Desktop Source Not Available

Common Issues

bull No Desktop Available

bull Pool provisioning issues ndashcustomization

bull Agent not communicatingwith broker

bull Stuck at desktop loginscreen (SSO)

Horizon

ADV1592BU CONFIDENTIAL 64

VMworld 2017 Content Not fo

r publication or distri

bution

Desktop Source Not Available

Where to look

bull Event Database

bull Connection Server logs

What to look for

[SessionLaunchContext] (SESSION40a7__6cbd) VMWEUCbsimpson Desktop=vmworld Session request failed

(SESSION40a7__6cbd) [VMWEUCbsimpson Desktop=vmworld] (5ms) The following servers were blocked for new sessions [cn=5162cf76-8d8a-4ac0-9185-845a540d24e5ou=serversdc=vdidc=vmwaredc=int]

(SESSION40a7__6cbd) [VMWEUCbsimpson Desktop=vmworld] (5ms) Application launch failed exception was The desktop sources for this desktop are not responding Please try again later

Horizon

ADV1592BU CONFIDENTIAL 65

VMworld 2017 Content Not fo

r publication or distri

bution

Page 17: ADV1592BU Troubleshooting Your Horizon 7 Deployment … · Troubleshooting Your Horizon 7 Deployment VMworld 2017 ... (SCCM Toolkit) Horizon ... Troubleshooting Horizon

Application Personalization & DirectFlex

[Diagram: timeline of a user session against the base profile and the Profile Data Store (file share)]

• UEM logon: import of keyboard, mouse, wallpaper and Windows settings
• Application launch: import of application settings
• Application shutdown: export of application settings
• UEM logoff: export of keyboard, mouse, wallpaper and Windows settings

DirectFlex Logging

DirectFlex Import

DirectFlex Export

Tracking Sessions

• Use Tail/Grep utilities or Trace32 (SCCM Toolkit)

Demo – Log Monitoring with BareTail/BareGrep

Horizon Common Issues

Troubleshooting Keys

• Check Admin Dashboard or HelpDesk Tool
• Understand client connection paths
• Set the appropriate Logging Level
• Check Logs and understand DCT Tool
• Use kb.vmware.com or communities

Horizon Helpdesk Tool

Horizon Helpdesk Tool: Session Details

Access

• Installed by default on CS
• https://[CS FQDN]/helpdesk
• Launch from Horizon Console

Provides

• Metrics
• Send Message
• Remote Assistance
• Quick Resolution
  – Restart
  – Logoff
  – Reset
  – Disconnect

Horizon Helpdesk Tool: Measuring Impact of AppStacks

• No AppStacks
• Three AppStacks – VLC, Notepad++, 7-Zip

Identifying the Problem Domain

[Diagram: components of a Horizon deployment. Labels: Client(s); Identity Manager (SaaS, Mobile, HTML, Other Apps); Pool, Profile, Service, Apps, User; Remoting Protocol; User Environment Manager; File Shares (Persona); ThinApp Shares (Streamed Apps); Master VM (Instant Clone); Home File Shares (Folder Redirection); App Volumes (AppStacks, Writable Volume, Disk Attachments); vSphere, Virtual SAN, Instant Clone; Environment (AD, DNS, DHCP, Group Policy, Certs); vRealize Operations for Horizon (Monitoring & Mgt)]

Horizon Connectivity Issues

• Common challenges
  – Horizon Client can't connect
  – Logon failure
  – Black screen
  – Poor quality display
  – Randomly disconnected session

Blast Extreme Adaptive Transport: ADMX Template Settings

Computer > Policies > Admin Templates > VMware Blast > UDP Protocol

• Requires restart of Blast service or reboot of guest OS to take effect

Blast Extreme Adaptive Transport

Computer > Policies > Admin Templates > VMware Blast > UDP Protocol – Not Configured or Enabled
HKLM\SOFTWARE\Policies\VMware, Inc.\VMware Blast\Config – UdpEnabled = 1

Client Settings   Agent Settings (UDP)        Blast Desktop Connection   Broker Connection
Excellent         Not configured or Enabled   TCP                        TCP
Typical           Not configured or Enabled   UDP                        TCP
Poor              Not configured or Enabled   UDP                        UDP

Computer > Policies > Admin Templates > VMware Blast > UDP Protocol – Disabled
HKLM\SOFTWARE\Policies\VMware, Inc.\VMware Blast\Config – UdpEnabled = 0

Client Settings   Agent Settings (UDP)   Blast Desktop Connection   Broker Connection
Excellent         Disabled               TCP                        TCP
Typical           Disabled               TCP                        TCP
Poor              Disabled               TCP                        UDP

Horizon Connectivity Issues

• Where to look
  – Connection Broker logs
    • C:\ProgramData\VMware\VDM\logs
  – Event Database
  – DCT Tool

• What to look for
  – (Client connects) [SimpleAJPService] (ajpbrokerRequest9) Request from 19216821 POST brokerxml
  – (Broker authentication) [WinAuthFilter] (SESSION7072--a79c mattc) Attempting to authenticate user mattc in domain 'FUTUREOFFICE'
  – (User has authenticated to Broker) [AuthorizationFilter] (SESSION7072--a79c) User FUTUREOFFICE\mattc has successfully authenticated to VDM
  – (Audit Entry) [Audit] (SESSION7072--a79c) BROKER_LOGONUSERFUTUREOFFICEmattcUSERSIDS-1-5-21-326850759-2560684469-1780228732-1113USERDNCN=S-1-5-21-326850759-2560684469-1780228732-1113,CN=ForeignSecurityPrincipals,DC=vdi,DC=vmware,DC=int
  – Event Database: BROKER_USERLOGGEDIN

User Experience Issues

• Black screen of death instead of desktop
  – PCoIP port blocked (TCP and UDP 4172) or SVGA Driver issue
  – pcoip_server/client logs - C:\Users\All Users\VMware\VDM\logs
    • Error attaching to SVGADevTap error 4000 EscapeFailed
    • MGMT_SCHAN scnet_client_open tera_sock_connect returned error 10060 - Connection timed out
  – Incorrect PCoIP External URL configured for Security/Connection Servers

User Experience Issues

• Poor quality display
  – Bandwidth, latency or QoS
  – pcoip_server logs report
    • VGMAC Stat frms Loss=045021 (RT)
    • MGMT_PCOIP_DATA BW Decrease (loss) old = 2349982 new = 1768438

• Randomly disconnected session
  – 15 min after established - wssm process hasn't started on desktop
  – View Agent logs (<DriveLetter>:\ProgramData\VMware\VDM\logs)
  – PENDING_EXPIRED
  – Sometimes caused by daisy-chaining the GINA (WinXP)

Multi-VLAN Support for Instant Clone Pools: Tips to Avoid Deployment Issues

Support

• vSphere 2016
• ESXi 6.0 U1 or newer
• Virtual Distributed Switch only
  – No support for Standard Switch
• Port Group must be configured for Static Port Binding & Fixed Port Allocation
  – No support for Dynamic or Ephemeral

Tested Limits

• No multi-VLAN provisioning with IPv6
• Single IC pool of 2K VMs

Multi-VLAN with Horizon Instant Clones: Troubleshooting

Desktop Performance

• Common Issues
  – Storage I/O bottleneck
  – Memory contention
  – CPU contention
  – Network issues

• Where to look
  – vCenter Server
  – VCOPs
  – ESXTOP
  – 3rd Party Tools

The 3 Pillars of Performance

What to look for

• CPU
  – Cluster/Host utilization < 90%
  – VM utilization - %USED (ESXTOP)
  – VM %RDY Time (ESXTOP) < 10%

• Memory
  – Host utilization < 85%
  – VM utilization
  – Swapping, Ballooning: SWCUR > 1, MCTLSZ > 1 (ESXTOP)

• Storage
  – Disk Read Latency < 25ms
  – ESXTOP DAVG or KAVG < 25ms (ESXTOP)

Optimize Your Images

• https://labs.vmware.com/flings/vmware-os-optimization-tool

User Environment Manager Common Issues

FlexEngine Appears Not To Run

FlexEngine Client

• Requires use of Regedit.exe or Reg.exe to modify user-based registry keys
• Must not be disabled via Local or Group Policy

ADMX Settings

• Minimum settings to enable FlexEngine Client
• Check path

Path-Based Import Runs Slow

• Be careful not to run FlexEngine as both a logon script and a Group Policy client-side extension

Application Incompatibility with Hook Drivers

DirectFlex Blacklist

• Create <FlexRepository>\DirectFlex\BlackList.XML
• Populate as follows

    <?xml version="1.0" encoding="utf-8"?>
    <userEnvironmentSettings>
        <setting type="blacklist" list="1.exe|2.exe|3.exe" />
    </userEnvironmentSettings>

• Example: https://kb.vmware.com/kb/2145287

App Volumes Common Issues

Slow User Logon

• Check Logon Segments in Horizon to determine where the delay is
• Optimize clock.yml
  – If performance decreases as deployment scales
  – Increasing servers, workers and thread_pool requires additional CPU and RAM
  – Involve GSS to ensure optimal settings

AppStack Not Attaching at Logon

• One host in vSphere cluster does not have access to the shared datastore where the AppStack resides
  – Common oversight, especially with Storage Groups
• Conflicting Minifilter driver
  – DLP software
  – Be aware of app altitude
  – More info from Microsoft
    • http://bit.ly/2tSCdG5

ADSI Edit – Static Configuration Editing

ADSI Edit – Common Key Values to Inspect

• pae-DisplayName
  – VM name as displayed in View Admin
• pae-DirtyForNewSessions
  – Indicates whether the VM is "Dirty" and can be re-used in a non-persistent pool
• pae-SVIVMSnapshot
  – Indicates the current Snapshot that is in use
• pae-VmPath
  – Indicates the full Path to the VM in vCenter
• pae-VmState
  – Indicates the current state of the Desktop – some states are a combination of this value and other values

ADSI Edit – Searching for a Desktop

• Find VMs with a Snapshot
  – (&(objectClass=pae-VM)(pae-SVIVmSnapshot=BaselineSnapshot1Snapshot2))
• Find VMs with a Name
  – (&(objectClass=pae-VM)(pae-DisplayName=Desktop-234))

Horizon View Event Notifier

• On the VMware Fling site - labs.vmware.com/flings (chrishalstead)

SSL Certificates and vCenter Server Connection

Accept vCenter Certificate

• By default, certificate validation is required between App Volumes Manager and vSphere
• Accept vCenter cert (self-signed or CA-signed) while creating the Machine Manager in App Volumes Manager
• No custom certificate work required

Certificate Options for Production

Options to Enable SSL

• SSL is enabled by default
• Don't disable certificate validation during Agent installation
• Enable SSL in the registry after App Volumes Agent install

Enable Certificate Validation on the App Volumes Agent

HKLM\System\CurrentControlSet\Services\svservices\Parameters
• EnforceSSLCertificateValidation = 1
• SSL = 1

Certificate Options for a POC

Options to Disable SSL

• Disable Certificate Validation with App Volumes Manager during App Volumes Agent install
• EnforceSSLCertificateValidation in the registry after App Volumes Agent install

Disable SSL Certificate Validation on the Agent

HKLM\System\CurrentControlSet\Services\svservices\Parameters
• EnforceSSLCertificateValidation = 0

SSL Certificates and SQL Server Communication: Securing Communications Between App Volumes Manager and SQL Server

• 2.12 User Guide references MS Support
• Note the differences for a SQL Server clustered installation
• Encryption is configured on the SQL Server instance, so all databases on a shared SQL Server will be affected
• From the SQL Server, use SQL Server Configuration Manager to configure Force Encryption and specify the SQL certificate
• SQL Server service account must have Read permissions to the Private Key of the SQL Server SSL certificate
  – Check SQL Server Configuration Manager > SQL Server Services > SQL Server (SQL) > Log On
  – Default is NT Service\MSSQL$SQL, which does not have the necessary permissions

SSL Certificates and SQL Server Communication: Setting Custom Private Key Permissions for SQL Service Account

• Start on the SQL Server
• MMC > Certificates

SSL Certificates and Load Balancers

Typical Deployment

  – SSL is terminated at load balancer
  – HTTP between LB and AV Manager
  – SSL between AV Agents and LB
  – If trusted CA-signed cert is used for LB, be sure all agents trust the CA

Alternative Deployment

  – To keep SSL between LB and AV Manager, signed AV Manager certificate(s) should be added to trust list of the LB

[Diagram: App Volumes Agent VMs, Load Balancer, App Volumes Manager VMs, SQL/View Infrastructure; labelled "Now Secured with SSL Certificates"]

Desktop Not Available

What to look for… (walk through successful connection)

• Client requests desktop
  – Event Database: BROKER_DESKTOP_REQUEST
• Broker allocates session to user
  – [FarmImp] (SESSION7072--a79c) cn=3f974017-409f-4912-83bc-2ee794f22fab,ou=servers,dc=vdi,dc=vmware,dc=int total session count 0
  – [FarmImp] (SESSION7072--a79c) allocateNewSession - identified server for application CN=GOLD-NP,OU=Applications,DC=vdi,DC=vmware,DC=int
  – Event Database: BROKER_MACHINE_ALLOCATED
• Broker attempts SSO
  – [FarmImp] (SESSION7072--a79c) Using domain for SSO FUTUREOFFICE
  – User won't be logged on to the VM without this

Desktop Not Available

What to look for… Pool Provisioning

• Desktops not available due to provisioning error
  – Check View Administrator for Pool status, check datastore capacity
  – Check Event Database - BROKER_PROVISIONING_ERROR_
  – Check View Composer has network access to ESX hosts
• Desktop not available due to customization
  – Check Desktop status – AGENT UNAVAILABLE
  – Check View Dashboard
    • Desktop Status > Preparing Desktops OR Problem Desktops
  – Check Desktop connectivity to DNS/AD/Connection Server

Desktop Not Available

• Desktop not available due to VM reset/crash
  – Check Desktop status – ALREADY USED
  – Typical on refresh-on-logoff or delete-on-use desktops
  – Broker never received an explicit logout message from the agent
  – Missing AGENT_ENDED event in DB for VM
• View Composer issues associated with incorrect domain credentials
  – C:\ProgramData\VMware\View Composer\Logs
  – FATAL CSvmGaService - [svmGaServicecpp 116] Domain join failed Error 5 (0x5) Access is denied

Desktop Not Available

What to look for…

• Broker starts session on VM
  – [DesktopSessionImp] (SESSION7072--a79c) startSession – sending StartSession message
• Agent responds…
  – "DesktopManager got a StartSession message"
  – Client Info should be in Agent Log along with PCoIP launch
• Event Database: AGENT_PENDING
• Client connects to VM (Agent)
  – "PCoIPCnxOnConnectionComplete Begin (PCOIP)"
  – "WTS_SESSION_LOGON"
  – Event Database: AGENT_CONNECTED

Desktop Source Not Available

Common Issues

• No Desktop Available
• Pool provisioning issues – customization
• Agent not communicating with broker
• Stuck at desktop login screen (SSO)

Desktop Source Not Available

Where to look

• Event Database
• Connection Server logs

What to look for

[SessionLaunchContext] (SESSION40a7__6cbd) VMWEUC\bsimpson Desktop=vmworld Session request failed

(SESSION40a7__6cbd) [VMWEUC\bsimpson Desktop=vmworld] (5ms) The following servers were blocked for new sessions [cn=5162cf76-8d8a-4ac0-9185-845a540d24e5,ou=servers,dc=vdi,dc=vmware,dc=int]

(SESSION40a7__6cbd) [VMWEUC\bsimpson Desktop=vmworld] (5ms) Application launch failed exception was The desktop sources for this desktop are not responding. Please try again later
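The broker-side checkpoints from the successful-connection walk-through and the "Desktop Source Not Available" messages can be checked per session in one pass over a Connection Server log. This is an added example, not code from the presentation; the timestamps, the `SESSION:xxxx_xxxx` id layout, session `51c3_09de`, user `jdoe` and all function names are constructed for illustration.

```python
import re

# Broker-side checkpoints in the order the walk-through lists them.
# Each fragment is a message quoted on the slides.
STAGES = [
    ("authenticated", "has successfully authenticated to VDM"),
    ("machine_allocated", "allocateNewSession - identified server"),
    ("sso_domain_selected", "Using domain for SSO"),
    ("start_session_sent", "sending StartSession message"),
]

# Failure messages quoted on the "Desktop Source Not Available" slide.
FAILURES = [
    "Session request failed",
    "were blocked for new sessions",
    "desktop sources for this desktop are not responding",
]

# Session token in parentheses; stops at whitespace, ';' or ')' so that
# "(SESSION:7072_a79c;mattc)" and "(SESSION:7072_a79c)" give the same id.
SESSION_RE = re.compile(r"\((SESSION[^\s;)]+)")

# Constructed sample lines (assumed layout: timestamp, level, component, session).
SAMPLE_LOG = [
    r"2017-08-28T09:14:02 DEBUG [WinAuthFilter] (SESSION:7072_a79c;mattc) Attempting to authenticate user 'mattc' in domain 'FUTUREOFFICE'",
    r"2017-08-28T09:14:02 INFO [AuthorizationFilter] (SESSION:7072_a79c) User FUTUREOFFICE\mattc has successfully authenticated to VDM",
    r"2017-08-28T09:14:05 DEBUG [FarmImp] (SESSION:7072_a79c) allocateNewSession - identified server for application CN=GOLD-NP,OU=Applications,DC=vdi,DC=vmware,DC=int",
    r"2017-08-28T09:14:05 DEBUG [FarmImp] (SESSION:7072_a79c) Using domain for SSO: FUTUREOFFICE",
    r"2017-08-28T09:14:06 DEBUG [DesktopSessionImp] (SESSION:7072_a79c) startSession - sending StartSession message",
    r"2017-08-28T09:20:11 INFO [AuthorizationFilter] (SESSION:40a7_6cbd) User VMWEUC\bsimpson has successfully authenticated to VDM",
    r"2017-08-28T09:20:14 INFO [SessionLaunchContext] (SESSION:40a7_6cbd) VMWEUC\bsimpson Desktop=vmworld Session request failed",
    r"2017-08-28T09:20:14 DEBUG (SESSION:40a7_6cbd) [VMWEUC\bsimpson Desktop=vmworld] (5ms) The following servers were blocked for new sessions: [cn=5162cf76-8d8a-4ac0-9185-845a540d24e5,ou=servers,dc=vdi,dc=vmware,dc=int]",
    r"2017-08-28T09:20:14 DEBUG (SESSION:40a7_6cbd) [VMWEUC\bsimpson Desktop=vmworld] (5ms) Application launch failed, exception was: The desktop sources for this desktop are not responding. Please try again later.",
    r"2017-08-28T09:31:40 INFO [AuthorizationFilter] (SESSION:51c3_09de) User FUTUREOFFICE\jdoe has successfully authenticated to VDM",
    r"2017-08-28T09:31:43 DEBUG [FarmImp] (SESSION:51c3_09de) allocateNewSession - identified server for application CN=GOLD-NP,OU=Applications,DC=vdi,DC=vmware,DC=int",
]


def trace_sessions(lines):
    """Group log lines by session id and record checkpoints and failures seen."""
    sessions = {}
    for line in lines:
        match = SESSION_RE.search(line)
        if not match:
            continue
        rec = sessions.setdefault(match.group(1), {"stages": [], "failures": []})
        for name, fragment in STAGES:
            if fragment in line and name not in rec["stages"]:
                rec["stages"].append(name)
        for fragment in FAILURES:
            if fragment in line and fragment not in rec["failures"]:
                rec["failures"].append(fragment)
    return sessions


def first_missing_stage(rec):
    """Return the first checkpoint that never appeared, or None if all did."""
    for name, _ in STAGES:
        if name not in rec["stages"]:
            return name
    return None


def summarize(lines):
    """Classify each session: handed_to_agent, failed, or stalled."""
    report = {}
    for sid, rec in trace_sessions(lines).items():
        missing = first_missing_stage(rec)
        if rec["failures"]:
            status = "failed"
        elif missing is None:
            status = "handed_to_agent"
        else:
            status = "stalled"
        report[sid] = {
            "status": status,
            "stopped_before": missing,
            "failures": rec["failures"],
        }
    return report


if __name__ == "__main__":
    for sid, result in summarize(SAMPLE_LOG).items():
        print(sid, result)
```

A session reported as `handed_to_agent` has passed every broker-side checkpoint, so the next place to look is the agent log and the AGENT_PENDING / AGENT_CONNECTED events.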

Page 18: ADV1592BU Troubleshooting Your Horizon 7 Deployment … · Troubleshooting Your Horizon 7 Deployment VMworld 2017 ... (SCCM Toolkit) Horizon ... Troubleshooting Horizon

DirectFlex LoggingUser Environment

Manager

ADV1592BU CONFIDENTIAL 18

VMworld 2017 Content Not fo

r publication or distri

bution

DirectFlex Import

Directflex Import

User Environment Manager

ADV1592BU CONFIDENTIAL 19

VMworld 2017 Content Not fo

r publication or distri

bution

DirectFlex Export

Directflex Export

User Environment Manager

ADV1592BU CONFIDENTIAL 20

VMworld 2017 Content Not fo

r publication or distri

bution

Tracking Sessions

bull Use TailGrep Utilities or Trace32 (SCCM Toolkit)

Horizon

ADV1592BU CONFIDENTIAL 21

VMworld 2017 Content Not fo

r publication or distri

bution

Demo ndash Log Monitoring with BareTailBareGrep

ADV1592BU CONFIDENTIAL 22

Horizon

VMworld 2017 Content Not fo

r publication or distri

bution

HorizonCommon Issues

VMworld 2017 Content Not fo

r publication or distri

bution

Troubleshooting Keys

bull Check Admin Dashboard or HelpDesk Tool

bull Understand client connection paths

bull Set the appropriate Logging Level

bull Check Logs and understand DCT Tool

bull Use kbvmwarecom or communities

ADV1592BU CONFIDENTIAL 24

Horizon

VMworld 2017 Content Not fo

r publication or distri

bution

Horizon Helpdesk ToolHorizon

ADV1592BU CONFIDENTIAL 25

VMworld 2017 Content Not fo

r publication or distri

bution

Horizon Helpdesk Tool Session Details

Access

bull Installed by default on CS

bull https[CS FQDN]helpdesk

bull Launch from Horizon Console

Provides

bull Metrics

bull Send Message

bull Remote Assistance

bull Quick Resolutionndash Restart

ndash Logoff

ndash Reset

ndash Disconnect

Horizon

ADV1592BU CONFIDENTIAL 26

VMworld 2017 Content Not fo

r publication or distri

bution

Horizon Helpdesk Tool

ADV1592BU CONFIDENTIAL 27

Measuring Impact of AppStacks

No AppStacks

Three AppStacks ndash VLC Notepad++ 7-Zip

Horizon

VMworld 2017 Content Not fo

r publication or distri

bution

Pool

Profile

Service AppsUser

Remoting

ProtocolUser Environment

Manager

File SharesPersona

ThinApp SharesStreamed

Apps

Master VMInstant

Clone

Home File SharesFolder

Redirection

App Volumes

AppStacks

Writable Volume

Disk

Attachments

vSphere

Virtual SAN

Instant Clone

SaaS Mobile Other Apps

Client(s)

Identity Manager

HTML

APPS

En

viro

nm

en

t

AD

DNS

DHCP

Group

Policy

Certs

vRealize Operations for Horizon ndash (Monitoring amp Mgt)

Identifying the Problem Domain

VMworld 2017 Content Not fo

r publication or distri

bution

Horizon Connectivity Issues

bull Common challenges

ndash Horizon Client canrsquot connect

ndash Logon failure

ndash Black screen

ndash Poor quality display

ndash Randomly disconnected session

Horizon

ADV1592BU CONFIDENTIAL 29

VMworld 2017 Content Not fo

r publication or distri

bution

Horizon

VMworld 2017 Content Not fo

r publication or distri

bution

Blast Extreme Adaptive TransportADMX Template Settings

Computer gt Policies gt Admin Templates gt VMware Blast gt UDP Protocol

bull Requires restart of Blast service or reboot of guest OS to take effect

BlastExtreme

ADV1592BU CONFIDENTIAL 31

VMworld 2017 Content Not fo

r publication or distri

bution

Blast Extreme Adaptive Transport

Client Settings Agent Settings (UDP) Blast Desktop Connection Broker Connection

Excellent Not configured or Enabled TCP TCP

Typical Not configured or Enabled UDP TCP

Poor Not configured or Enabled UDP UDP

Computer gt Policies gt Admin Templates gt VMware Blast gt UDP Protocol ndash Not Configured or Enabled

HKLMSOFTWAREPoliciesVMware IncVMware BlastConfig ndash UdpEnabled = 1

Client Settings Agent Settings (UDP) Blast Desktop Connection Broker Connection

Excellent Disabled TCP TCP

Typical Disabled TCP TCP

Poor Disabled TCP UDP

Computer gt Policies gt Admin Templates gt VMware Blast gt UDP Protocol ndash Disabled

HKLMSOFTWAREPoliciesVMware IncVMware BlastConfig ndash UdpEnabled = 0

BlastExtreme

ADV1592BU CONFIDENTIAL 32

VMworld 2017 Content Not fo

r publication or distri

bution

Horizon Connectivity Issues

bull Where to look

ndash Connection Broker logs

bull CProgramDataVMwareVDMlogs

ndash Event Database

ndash DCT Tool

bull What to look for ndash

bull (Client connects) [SimpleAJPService] (ajpbrokerRequest9) Request from 19216821 POST brokerxml

bull (Broker authentication) [WinAuthFilter] (SESSION7072--a79c mattc) Attempting to authenticate user mattc in domain FUTUREOFFICErsquo

bull (User has authenticated to Broker) [AuthorizationFilter] (SESSION7072--a79c) User FUTUREOFFICEmattc has successfully authenticated to VDM

bull (Audit Entry) [Audit] (SESSION7072--a79c) BROKER_LOGONUSERFUTUREOFFICEmattcUSERSIDS-1-5-21-326850759-2560684469-1780228732-1113USERDNCN=S-1-5-21-326850759-2560684469-1780228732-1113CN=ForeignSecurityPrincipalsDC=vdiDC=vmwareDC=int

bull Event Database BROKER_USERLOGGEDIN

Horizon

ADV1592BU CONFIDENTIAL 33

VMworld 2017 Content Not fo

r publication or distri

bution

User Experience Issues

bull Black screen of deathmdashinstead of desktop

ndash PCoIP port blocked (TCP and UDP 4172) or SVGA Driver issue

ndash pcoip_serverclient logs - CUsersAll UsersVMwareVDMlogs

bull Error attaching to SVGADevTap error 4000 EscapeFailed

bull MGMT_SCHAN scnet_client_open tera_sock_connect returned error 10060 - Connection timed out

ndash Incorrect PCoIP External URL configured for SecurityConnection Servers

Horizon

ADV1592BU CONFIDENTIAL 34

VMworld 2017 Content Not fo

r publication or distri

bution

User Experience Issues

bull Poor quality display

ndash Bandwidth latency or QoS

ndash Pcoip_server logs report

bull VGMAC Stat frms Loss=045021 (RT)

bull MGMT_PCOIP_DATA BW Decrease (loss) old = 2349982 new = 1768438

bull Randomly disconnected session

ndash 15 min after established - wssm process hasnt started on desktop

ndash View Agent logs (ltDriveLettergtProgramDataVMwareVDMlogs)

ndash PENDING_EXPIRED

ndash Sometimes caused by daisy-chaining the GINA (WinXP)

Horizon

ADV1592BU CONFIDENTIAL 35

VMworld 2017 Content Not fo

r publication or distri

bution

Multi-VLAN support for Instant Clone poolsTips to Avoid Deployment Issues

Support

bull vSphere 2016

bull ESXi 60 U1 or newer

bull Virtual Distributed Switch only

ndash No support for Standard Switch

bull Port Group must be configured for Static Port Binding amp Fixed Port Allocation

ndash No support for Dynamic or Ephemeral

Tested Limits

bull No multi-VLAN provisioning with IPv6

bull Single IC pool of 2K VMs

Horizon

ADV1592BU CONFIDENTIAL 36

VMworld 2017 Content Not fo

r publication or distri

bution

Multi-VLAN with Horizon Instant ClonesTroubleshooting

Horizon

ADV1592BU CONFIDENTIAL 37

VMworld 2017 Content Not fo

r publication or distri

bution

Desktop Performance

bull Common Issues

ndash Storage IO bottleneck

ndash Memory contention

ndash CPU contention

ndash Network issues

bull Where to look

ndash vCenter Server

ndash VCOPs

ndash ESXTOP

ndash 3rd Party Tools

Horizon

ADV1592BU CONFIDENTIAL 38

VMworld 2017 Content Not fo

r publication or distri

bution

The 3 Pillars of Performance

What to look for

bull CPU

ndash ClusterHost utilization lt 90

ndash VM utilization - USED (ESXTOP)

ndash VM RDY Time (ESXTOP) lt 10

bull Memory

ndash Host utilization lt 85

ndash VM utilization

ndash Swapping Ballooning SWCUR gt 1 MCTLSZ gt 1 (ESXTOP)

bull Storage

ndash Disk Read Latency lt 25ms

ndash ESXTOP DAVG or KAVG lt 25ms (ESXTOP)

Horizon

ADV1592BU CONFIDENTIAL 39

VMworld 2017 Content Not fo

r publication or distri

bution

Optimize Your Images

bull httpslabsvmwarecomflingsvmware-os-optimization-tool

Horizon

ADV1592BU CONFIDENTIAL 40

VMworld 2017 Content Not fo

r publication or distri

bution

User Environment ManagerCommon Issues

VMworld 2017 Content Not fo

r publication or distri

bution

FlexEngine Appears Not To Run

FlexEngine Client

bull Requires use of Regeditexeor Regexe to modify user-based registry keys

bull Must not be disabled via Local or Group Policy

ADMX Settings

bull Minimum settings to enable FlexEngine Client

bull Check path

ADV1592BU CONFIDENTIAL 42

VMworld 2017 Content Not fo

r publication or distri

bution

Path-Based Import Runs Slow

bull Be careful not to run FlexEngine as a logon script and a Group Policy client-side extension

ADV1592BU CONFIDENTIAL 43

VMworld 2017 Content Not fo

r publication or distri

bution

Application Incompatibility with Hook DriversUser Environment

Manager

DirectFlex Blacklist

bull Create ltFlexRepositorygtDirectFlexBlackListXML

bull Populate as follows

ltxml version=10 encoding=utf-8gt

ltuserEnvironmentSettingsgt

ltsetting type=blacklist list=rdquo1exe|2exe|3exe gt

ltuserEnvironmentSettingsgt

bull Example httpskbvmwarecomkb2145287

ADV1592BU CONFIDENTIAL 44

VMworld 2017 Content Not fo

r publication or distri

bution

App VolumesCommon Issues

VMworld 2017 Content Not fo

r publication or distri

bution

Slow User Logon

bull Check Logon Segments in Horizon to determine where the delay is

bull Optimize clockyml

ndash If performance decreases as deployment scales

ndash Increasing servers workers and thread_poolrequires additional CPU and RAM

ndash Involve GSS to ensure optimal settings

ADV1592BU CONFIDENTIAL 46

VMworld 2017 Content Not fo

r publication or distri

bution

AppStack Not Attaching at Logon

ADV1592BU CONFIDENTIAL 47

bull One host in vSphere cluster does not have access to the shared datastore where the AppStack resides

ndash Common oversight especially with Storage Groups

bull Conflicting Minifilter driver

ndash DLP software

ndash Be aware of app altitude

ndash More info from Microsoft

bull httpbitly2tSCdG5VMworld 2017 Content Not fo

r publication or distri

bution

VMworld 2017 Content Not fo

r publication or distri

bution

VMworld 2017 Content Not fo

r publication or distri

bution

ADSI Edit ndash Static Configuration Editing

ADV1592BU CONFIDENTIAL 50

Horizon

VMworld 2017 Content Not fo

r publication or distri

bution

ADSI Edit ndash Common Key Values to Inspect

bull pae-DisplayName

ndash VM name as displayed in View Admin

bull pae-DirtyForNewSessions

ndash Indicates whether the VM is ldquoDirtyrdquo and can be re-used in a non-persistent pool

bull pae-SVIVMSnapshot

ndash Indicates the current Snapshot that is in use

bull pae-VmPath

ndash Indicates the full Path to the VM in vCenter

bull pae-VmState

ndash Indicates the current state of the Desktop ndash some states are a combination of this valueand other values

ADV1592BU CONFIDENTIAL 51

Horizon

VMworld 2017 Content Not fo

r publication or distri

bution

ADSI Edit ndash Searching for a Desktop

bull Find VMs with a Snapshot

ndash (amp(objectClass=pae-VM)(pae-SVIVmSnapshot=BaselineSnapshot1Snapshot2))

bull Find VMs with a Name

ndash (amp(objectClass=pae-VM)(pae-DisplayName=Desktop-234))

Horizon

ADV1592BU CONFIDENTIAL 52

VMworld 2017 Content Not fo

r publication or distri

bution

Horizon View Event Notifier

bull On the VMware Fling site - labsvmwarecomflings (chrishalstead)

Horizon

ADV1592BU CONFIDENTIAL 53

VMworld 2017 Content Not fo

r publication or distri

bution

SSL Certificates and vCenter Server Connection

Accept vCenter Certificate

bull By default certificate validation is required between App Volumes Manager and vSphere

bull Accept vCenter cert (self-signed or CA-signed) while creating the Machine Manager in App Volumes Manager

bull No custom certificate work required

App Volumes

ADV1592BU CONFIDENTIAL 54

VMworld 2017 Content Not fo

r publication or distri

bution

Certificate Options for Production

Options to Enable SSL

bull SSL is enabled by default

bull Donrsquot disable certificate validation during Agent installation

bull Enable SSL in the registry after App Volumes Agent install

ADV1592BU CONFIDENTIAL 55

Enable Certificate Validation on the App Volumes Agent

HKLMSystemCurrentControlSetServicessvservicesParametersbull EnforceSSLCertificateValidation = 1bull SSL = 1

App Volumes

VMworld 2017 Content Not fo

r publication or distri

bution

Certificate Options for a POC

bull Options to Disable SSL

bull Disable Certificate Validation with App Volumes Manager during App Volumes Agent install

bull EnforceSSLCertificateValidation in the registry after App Volumes Agent install

ADV1592BU CONFIDENTIAL 56

Disable SSL Certificate Validation on the Agent

HKLMSystemCurrentControlSetServicessvservicesParametersbull EnforceSSLCertificateValidation = 0

App Volumes

VMworld 2017 Content Not fo

r publication or distri

bution

SSL Certificates and SQL Server CommunicationSecuring Communications Between App Volumes Manager and SQL Server

bull 212 User Guide references MS Support

bull Note the differences for a SQL Server clustered installation

bull Encryption is configured on the SQL Server instance so alldatabases on a shared SQL Server will be affected

bull From the SQL Server use SQL Server Configuration Manager to configure Force Encryption and specify the SQL certificate

SQL Server service account must have Read permissions to the Private Key of the SQL Server SSL certificate

ndash Check SQL Server Configuration Manager gt SQL Server Services gt SQL Server (SQL) gt Log On

ndash Default is NT ServiceMSSQL$SQL which does not have the necessary permissions

App Volumes

ADV1592BU CONFIDENTIAL 57

VMworld 2017 Content Not fo

r publication or distri

bution

SSL Certificates and SQL Server Communication

bull Start on the SQL Server

bull MMC gt Certificates

ADV1592BU CONFIDENTIAL 58

Setting Custom Private Key Permissions for SQL Service Account

App Volumes

VMworld 2017 Content Not fo

r publication or distri

bution

SSL Certificates and Load Balancers

Typical Deployment
  – SSL is terminated at load balancer
  – HTTP between LB and AV Manager
  – SSL between AV Agents and LB
  – If trusted CA-signed cert is used for LB, be sure all agents trust the CA

Alternative Deployment
  – To keep SSL between LB and AV Manager, signed AV Manager certificate(s) should be added to trust list of the LB

[Diagram labels: App Volumes Agent VMs, Load Balancer, App Volumes Manager VMs, SQL, View Infrastructure, "Now Secured with SSL Certificates"]

Desktop Not Available

What to look for… (walk through successful connection)

• Client requests desktop
  – Event Database: BROKER_DESKTOP_REQUEST
• Broker allocates session to user
  – [FarmImp] (SESSION7072--a79c) cn=3f974017-409f-4912-83bc-2ee794f22fab,ou=servers,dc=vdi,dc=vmware,dc=int total session count 0
  – [FarmImp] (SESSION7072--a79c) allocateNewSession - identified server for application CN=GOLD-NP,OU=Applications,DC=vdi,DC=vmware,DC=int
  – Event Database: BROKER_MACHINE_ALLOCATED
• Broker attempts SSO
  – [FarmImp] (SESSION7072--a79c) Using domain for SSO FUTUREOFFICE
  – User won't be logged on to the VM without this

Desktop Not Available

What to look for… Pool Provisioning

• Desktops not available due to provisioning error
  – Check View Administrator for Pool status, check datastore capacity
  – Check Event Database - BROKER_PROVISIONING_ERROR_
  – Check View Composer has network access to ESX hosts
• Desktop not available due to customization
  – Check Desktop status – AGENT UNAVAILABLE
  – Check View Dashboard
    • Desktop Status > Preparing Desktops OR Problem Desktops
  – Check Desktop connectivity to DNS/AD/Connection Server

Desktop Not Available

• Desktop not available due to VM reset/crash
  – Check Desktop status – ALREADY USED
  – Typical on refresh-on-logoff or delete-on-use desktops
  – Broker never received an explicit logout message from the agent
  – Missing AGENT_ENDED event in DB for VM
• View Composer Issues associated with incorrect domain credentials
  • C:\ProgramData\VMware\View Composer\Logs
  • FATAL CSvmGaService - [svmGaService.cpp 116] Domain join failed Error 5 (0x5) Access is denied

Desktop Not Available

What to look for…

• Broker starts session on VM
  – [DesktopSessionImp] (SESSION7072--a79c) startSession – sending StartSession message
• Agent responds…
  – "DesktopManager got a StartSession message"
  – Client Info should be in Agent Log along with PCoIP launch
• Event Database: AGENT_PENDING
• Client connects to VM (Agent)
  – "PCoIPCnxOnConnectionComplete Begin (PCOIP)"
  – "WTS_SESSION_LOGON"
  – Event Database: AGENT_CONNECTED
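The "Desktop Not Available" slides imply an ordered chain of Event Database entries for a healthy launch. As an added example (not part of the presentation), the script below replays event rows against that chain and reports, per launch attempt, the last stage reached and where the slides say to look next. Only the event names come from the slides; the row layout (time, type, user, machine), the per-user grouping and all sample rows are constructed assumptions.

```python
"""Added example: replay Event Database rows against the launch chain on the slides.

Event names come from the slides. The row layout (time, type, user, machine),
the per-user grouping and every sample row are constructed assumptions.
"""
from collections import defaultdict

# Stages of a successful launch, in the order the slides walk through them.
STAGES = [
    "BROKER_USERLOGGEDIN",
    "BROKER_DESKTOP_REQUEST",
    "BROKER_MACHINE_ALLOCATED",
    "AGENT_PENDING",
    "AGENT_CONNECTED",
]

# Where the slides say to look when a given stage never appears.
NEXT_CHECK = {
    "BROKER_USERLOGGEDIN": "broker authentication in the Connection Server logs",
    "BROKER_DESKTOP_REQUEST": "client connection path to the Connection Server",
    "BROKER_MACHINE_ALLOCATED": "pool status, datastore capacity, BROKER_PROVISIONING_ERROR_ events",
    "AGENT_PENDING": "agent-to-broker communication (StartSession in the agent log)",
    "AGENT_CONNECTED": "PCoIP TCP/UDP 4172 and the PCoIP External URL",
}

# Constructed sample rows: (ISO time, event type, user, machine).
SAMPLE_ROWS = [
    ("2017-08-28T09:00:01", "BROKER_USERLOGGEDIN", "alice", None),
    ("2017-08-28T09:00:03", "BROKER_DESKTOP_REQUEST", "alice", None),
    ("2017-08-28T09:00:04", "BROKER_MACHINE_ALLOCATED", "alice", "desk-01"),
    ("2017-08-28T09:00:05", "AGENT_PENDING", "alice", "desk-01"),
    ("2017-08-28T09:00:09", "AGENT_CONNECTED", "alice", "desk-01"),
    ("2017-08-28T17:30:00", "AGENT_ENDED", "alice", "desk-01"),
    ("2017-08-28T09:05:00", "BROKER_USERLOGGEDIN", "bob", None),
    ("2017-08-28T09:05:02", "BROKER_DESKTOP_REQUEST", "bob", None),
    ("2017-08-28T09:10:00", "BROKER_USERLOGGEDIN", "carol", None),
    ("2017-08-28T09:10:02", "BROKER_DESKTOP_REQUEST", "carol", None),
    ("2017-08-28T09:10:03", "BROKER_MACHINE_ALLOCATED", "carol", "desk-03"),
    ("2017-08-28T09:10:04", "AGENT_PENDING", "carol", "desk-03"),
    ("2017-08-28T09:25:04", "PENDING_EXPIRED", "carol", "desk-03"),
    ("2017-08-28T09:20:00", "BROKER_USERLOGGEDIN", "dave", None),
    ("2017-08-28T09:20:02", "BROKER_DESKTOP_REQUEST", "dave", None),
    ("2017-08-28T09:20:03", "BROKER_MACHINE_ALLOCATED", "dave", "desk-04"),
    ("2017-08-28T09:20:04", "AGENT_PENDING", "dave", "desk-04"),
    ("2017-08-28T09:20:08", "AGENT_CONNECTED", "dave", "desk-04"),
]


def split_attempts(rows):
    """Group rows per user; each BROKER_USERLOGGEDIN starts a new attempt."""
    per_user = defaultdict(list)
    for row in sorted(rows, key=lambda r: r[0]):  # ISO timestamps sort as text
        if row[2]:
            per_user[row[2]].append(row)
    attempts = []
    for user, events in per_user.items():
        current = []
        for event in events:
            if event[1] == STAGES[0] and current:
                attempts.append((user, current))
                current = []
            current.append(event)
        attempts.append((user, current))
    return attempts


def diagnose(user, events):
    """Walk one attempt through STAGES in order and report where it stopped."""
    idx = 0
    expired = False
    for _, etype, _, _ in events:
        if idx < len(STAGES) and etype == STAGES[idx]:
            idx += 1
        # The slide names the event PENDING_EXPIRED; match on the suffix.
        if etype.endswith("PENDING_EXPIRED"):
            expired = True
    missing = STAGES[idx] if idx < len(STAGES) else None
    return {
        "user": user,
        "reached": STAGES[idx - 1] if idx else None,
        "missing": missing,
        "check": NEXT_CHECK[missing] if missing else None,
        "pending_expired": expired,
    }


def trace(rows):
    """Diagnose every launch attempt found in the rows."""
    return [diagnose(user, events) for user, events in split_attempts(rows)]


def machines_missing_agent_ended(rows):
    """Machines whose latest AGENT_CONNECTED has no later AGENT_ENDED.

    These are candidates for the ALREADY USED status described on the slides;
    a session that is still active looks the same, so compare with the pool.
    """
    open_sessions = {}
    for time, etype, _, machine in sorted(rows, key=lambda r: r[0]):
        if etype == "AGENT_CONNECTED":
            open_sessions[machine] = time
        elif etype == "AGENT_ENDED":
            open_sessions.pop(machine, None)
    return sorted(open_sessions)


if __name__ == "__main__":
    for result in trace(SAMPLE_ROWS):
        print(result)
    print("No AGENT_ENDED yet:", machines_missing_agent_ended(SAMPLE_ROWS))
```
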


Desktop Source Not Available

Common Issues
• No Desktop Available
• Pool provisioning issues – customization
• Agent not communicating with broker
• Stuck at desktop login screen (SSO)

Desktop Source Not Available

Where to look
• Event Database
• Connection Server logs

What to look for

[SessionLaunchContext] (SESSION40a7__6cbd) VMWEUC\bsimpson Desktop=vmworld Session request failed

(SESSION40a7__6cbd) [VMWEUC\bsimpson Desktop=vmworld] (5ms) The following servers were blocked for new sessions [cn=5162cf76-8d8a-4ac0-9185-845a540d24e5,ou=servers,dc=vdi,dc=vmware,dc=int]

(SESSION40a7__6cbd) [VMWEUC\bsimpson Desktop=vmworld] (5ms) Application launch failed exception was The desktop sources for this desktop are not responding Please try again later

Page 19: ADV1592BU Troubleshooting Your Horizon 7 Deployment … · Troubleshooting Your Horizon 7 Deployment VMworld 2017 ... (SCCM Toolkit) Horizon ... Troubleshooting Horizon

DirectFlex Import (User Environment Manager)

DirectFlex Export (User Environment Manager)

Tracking Sessions

• Use Tail/Grep Utilities or Trace32 (SCCM Toolkit)

Demo – Log Monitoring with BareTail/BareGrep

Horizon
Common Issues

Troubleshooting Keys

• Check Admin Dashboard or HelpDesk Tool
• Understand client connection paths
• Set the appropriate Logging Level
• Check Logs and understand DCT Tool
• Use kb.vmware.com or communities

Horizon Helpdesk Tool

Horizon Helpdesk Tool Session Details

Access
• Installed by default on CS
• https://[CS FQDN]/helpdesk
• Launch from Horizon Console

Provides
• Metrics
• Send Message
• Remote Assistance
• Quick Resolution
  – Restart
  – Logoff
  – Reset
  – Disconnect

Horizon Helpdesk Tool
Measuring Impact of AppStacks

No AppStacks

Three AppStacks – VLC, Notepad++, 7-Zip

Identifying the Problem Domain

[Diagram labels: Pool, Profile, Service Apps, User, Remoting Protocol, User Environment Manager, File Shares, Persona, ThinApp Shares, Streamed Apps, Master VM, Instant Clone, Home File Shares, Folder Redirection, App Volumes, AppStacks, Writable Volume, Disk Attachments, vSphere, Virtual SAN, Instant Clone, SaaS, Mobile, Other Apps, Client(s), Identity Manager, HTML, APPS, Environment (AD, DNS, DHCP, Group Policy, Certs), vRealize Operations for Horizon – (Monitoring & Mgt)]

Horizon Connectivity Issues

• Common challenges
  – Horizon Client can't connect
  – Logon failure
  – Black screen
  – Poor quality display
  – Randomly disconnected session

Blast Extreme Adaptive Transport
ADMX Template Settings

Computer > Policies > Admin Templates > VMware Blast > UDP Protocol

• Requires restart of Blast service or reboot of guest OS to take effect

Blast Extreme Adaptive Transport

Computer > Policies > Admin Templates > VMware Blast > UDP Protocol – Not Configured or Enabled
HKLM\SOFTWARE\Policies\VMware, Inc.\VMware Blast\Config – UdpEnabled = 1

Client Settings | Agent Settings (UDP)      | Blast Desktop Connection | Broker Connection
Excellent       | Not configured or Enabled | TCP                      | TCP
Typical         | Not configured or Enabled | UDP                      | TCP
Poor            | Not configured or Enabled | UDP                      | UDP

Computer > Policies > Admin Templates > VMware Blast > UDP Protocol – Disabled
HKLM\SOFTWARE\Policies\VMware, Inc.\VMware Blast\Config – UdpEnabled = 0

Client Settings | Agent Settings (UDP) | Blast Desktop Connection | Broker Connection
Excellent       | Disabled             | TCP                      | TCP
Typical         | Disabled             | TCP                      | TCP
Poor            | Disabled             | TCP                      | UDP

Horizon Connectivity Issues

• Where to look
  – Connection Broker logs
    • C:\ProgramData\VMware\VDM\logs
  – Event Database
  – DCT Tool
• What to look for –
  • (Client connects) [SimpleAJPService] (ajpbrokerRequest9) Request from 19216821 POST brokerxml
  • (Broker authentication) [WinAuthFilter] (SESSION7072--a79c mattc) Attempting to authenticate user mattc in domain FUTUREOFFICE
  • (User has authenticated to Broker) [AuthorizationFilter] (SESSION7072--a79c) User FUTUREOFFICE\mattc has successfully authenticated to VDM
  • (Audit Entry) [Audit] (SESSION7072--a79c) BROKER_LOGON:USER:FUTUREOFFICE\mattc;USERSID:S-1-5-21-326850759-2560684469-1780228732-1113;USERDN:CN=S-1-5-21-326850759-2560684469-1780228732-1113,CN=ForeignSecurityPrincipals,DC=vdi,DC=vmware,DC=int
  • Event Database: BROKER_USERLOGGEDIN

User Experience Issues

• Black screen of death - instead of desktop
  – PCoIP port blocked (TCP and UDP 4172) or SVGA Driver issue
  – pcoip_server/client logs - C:\Users\All Users\VMware\VDM\logs
    • Error attaching to SVGADevTap error 4000 EscapeFailed
    • MGMT_SCHAN scnet_client_open tera_sock_connect returned error 10060 - Connection timed out
  – Incorrect PCoIP External URL configured for Security/Connection Servers

User Experience Issues

• Poor quality display
  – Bandwidth, latency or QoS
  – Pcoip_server logs report
    • VGMAC Stat frms Loss=045021 (RT)
    • MGMT_PCOIP_DATA BW Decrease (loss) old = 2349982 new = 1768438
• Randomly disconnected session
  – 15 min after established - wssm process hasn't started on desktop
  – View Agent logs (<DriveLetter>:\ProgramData\VMware\VDM\logs)
  – PENDING_EXPIRED
  – Sometimes caused by daisy-chaining the GINA (WinXP)

Multi-VLAN support for Instant Clone pools
Tips to Avoid Deployment Issues

Support
• vSphere 2016
• ESXi 6.0 U1 or newer
• Virtual Distributed Switch only
  – No support for Standard Switch
• Port Group must be configured for Static Port Binding & Fixed Port Allocation
  – No support for Dynamic or Ephemeral

Tested Limits
• No multi-VLAN provisioning with IPv6
• Single IC pool of 2K VMs

Multi-VLAN with Horizon Instant Clones
Troubleshooting

Desktop Performance

• Common Issues
  – Storage I/O bottleneck
  – Memory contention
  – CPU contention
  – Network issues
• Where to look
  – vCenter Server
  – VCOPs
  – ESXTOP
  – 3rd Party Tools

The 3 Pillars of Performance

What to look for

• CPU
  – Cluster/Host utilization < 90%
  – VM utilization - %USED (ESXTOP)
  – VM %RDY Time (ESXTOP) < 10%
• Memory
  – Host utilization < 85%
  – VM utilization
  – Swapping, Ballooning: SWCUR > 1, MCTLSZ > 1 (ESXTOP)
• Storage
  – Disk Read Latency < 25ms
  – ESXTOP DAVG or KAVG < 25ms (ESXTOP)

Optimize Your Images

• https://labs.vmware.com/flings/vmware-os-optimization-tool

User Environment Manager
Common Issues

FlexEngine Appears Not To Run

FlexEngine Client
• Requires use of Regedit.exe or Reg.exe to modify user-based registry keys
• Must not be disabled via Local or Group Policy

ADMX Settings
• Minimum settings to enable FlexEngine Client
• Check path

Path-Based Import Runs Slow

• Be careful not to run FlexEngine as a logon script and a Group Policy client-side extension

Application Incompatibility with Hook Drivers (User Environment Manager)

DirectFlex Blacklist
• Create <FlexRepository>\DirectFlex\BlackList.XML
• Populate as follows

    <?xml version="1.0" encoding="utf-8"?>
    <userEnvironmentSettings>
      <setting type="blacklist" list="1.exe|2.exe|3.exe" />
    </userEnvironmentSettings>

• Example: https://kb.vmware.com/kb/2145287

App Volumes
Common Issues

Slow User Logon

• Check Logon Segments in Horizon to determine where the delay is
• Optimize clock.yml
  – If performance decreases as deployment scales
  – Increasing servers, workers and thread_pool requires additional CPU and RAM
  – Involve GSS to ensure optimal settings

AppStack Not Attaching at Logon

• One host in vSphere cluster does not have access to the shared datastore where the AppStack resides
  – Common oversight, especially with Storage Groups
• Conflicting Minifilter driver
  – DLP software
  – Be aware of app altitude
  – More info from Microsoft
    • http://bit.ly/2tSCdG5

ADSI Edit – Static Configuration Editing

ADSI Edit – Common Key Values to Inspect

• pae-DisplayName
  – VM name as displayed in View Admin
• pae-DirtyForNewSessions
  – Indicates whether the VM is "Dirty" and can be re-used in a non-persistent pool
• pae-SVIVMSnapshot
  – Indicates the current Snapshot that is in use
• pae-VmPath
  – Indicates the full Path to the VM in vCenter
• pae-VmState
  – Indicates the current state of the Desktop – some states are a combination of this value and other values

ADSI Edit – Searching for a Desktop

• Find VMs with a Snapshot
  – (&(objectClass=pae-VM)(pae-SVIVmSnapshot=BaselineSnapshot1Snapshot2))
• Find VMs with a Name
  – (&(objectClass=pae-VM)(pae-DisplayName=Desktop-234))

Horizon View Event Notifier

• On the VMware Fling site - labs.vmware.com/flings (chrishalstead)

SSL Certificates and vCenter Server Connection

Accept vCenter Certificate
• By default, certificate validation is required between App Volumes Manager and vSphere
• Accept vCenter cert (self-signed or CA-signed) while creating the Machine Manager in App Volumes Manager
• No custom certificate work required

Certificate Options for Production

Options to Enable SSL
• SSL is enabled by default
• Don't disable certificate validation during Agent installation
• Enable SSL in the registry after App Volumes Agent install

Enable Certificate Validation on the App Volumes Agent

HKLM\System\CurrentControlSet\Services\svservices\Parameters
• EnforceSSLCertificateValidation = 1
• SSL = 1


Page 20: ADV1592BU Troubleshooting Your Horizon 7 Deployment … · Troubleshooting Your Horizon 7 Deployment VMworld 2017 ... (SCCM Toolkit) Horizon ... Troubleshooting Horizon

DirectFlex Export

Directflex Export

User Environment Manager

ADV1592BU CONFIDENTIAL 20

VMworld 2017 Content Not fo

r publication or distri

bution

Tracking Sessions

bull Use TailGrep Utilities or Trace32 (SCCM Toolkit)

Horizon

ADV1592BU CONFIDENTIAL 21

VMworld 2017 Content Not fo

r publication or distri

bution

Demo ndash Log Monitoring with BareTailBareGrep

ADV1592BU CONFIDENTIAL 22

Horizon

VMworld 2017 Content Not fo

r publication or distri

bution

HorizonCommon Issues

VMworld 2017 Content Not fo

r publication or distri

bution

Troubleshooting Keys

bull Check Admin Dashboard or HelpDesk Tool

bull Understand client connection paths

bull Set the appropriate Logging Level

bull Check Logs and understand DCT Tool

bull Use kbvmwarecom or communities

ADV1592BU CONFIDENTIAL 24

Horizon

VMworld 2017 Content Not fo

r publication or distri

bution

Horizon Helpdesk ToolHorizon

ADV1592BU CONFIDENTIAL 25

VMworld 2017 Content Not fo

r publication or distri

bution

Horizon Helpdesk Tool Session Details

Access

bull Installed by default on CS

bull https[CS FQDN]helpdesk

bull Launch from Horizon Console

Provides

bull Metrics

bull Send Message

bull Remote Assistance

bull Quick Resolutionndash Restart

ndash Logoff

ndash Reset

ndash Disconnect

Horizon

ADV1592BU CONFIDENTIAL 26

VMworld 2017 Content Not fo

r publication or distri

bution

Horizon Helpdesk Tool

ADV1592BU CONFIDENTIAL 27

Measuring Impact of AppStacks

No AppStacks

Three AppStacks ndash VLC Notepad++ 7-Zip

Horizon

VMworld 2017 Content Not fo

r publication or distri

bution

Pool

Profile

Service AppsUser

Remoting

ProtocolUser Environment

Manager

File SharesPersona

ThinApp SharesStreamed

Apps

Master VMInstant

Clone

Home File SharesFolder

Redirection

App Volumes

AppStacks

Writable Volume

Disk

Attachments

vSphere

Virtual SAN

Instant Clone

SaaS Mobile Other Apps

Client(s)

Identity Manager

HTML

APPS

En

viro

nm

en

t

AD

DNS

DHCP

Group

Policy

Certs

vRealize Operations for Horizon ndash (Monitoring amp Mgt)

Identifying the Problem Domain

VMworld 2017 Content Not fo

r publication or distri

bution

Horizon Connectivity Issues

bull Common challenges

ndash Horizon Client canrsquot connect

ndash Logon failure

ndash Black screen

ndash Poor quality display

ndash Randomly disconnected session

Horizon

ADV1592BU CONFIDENTIAL 29

VMworld 2017 Content Not fo

r publication or distri

bution

Horizon

VMworld 2017 Content Not fo

r publication or distri

bution

Blast Extreme Adaptive TransportADMX Template Settings

Computer gt Policies gt Admin Templates gt VMware Blast gt UDP Protocol

bull Requires restart of Blast service or reboot of guest OS to take effect

BlastExtreme

ADV1592BU CONFIDENTIAL 31

VMworld 2017 Content Not fo

r publication or distri

bution

Blast Extreme Adaptive Transport

Client Settings Agent Settings (UDP) Blast Desktop Connection Broker Connection

Excellent Not configured or Enabled TCP TCP

Typical Not configured or Enabled UDP TCP

Poor Not configured or Enabled UDP UDP

Computer gt Policies gt Admin Templates gt VMware Blast gt UDP Protocol ndash Not Configured or Enabled

HKLMSOFTWAREPoliciesVMware IncVMware BlastConfig ndash UdpEnabled = 1

Client Settings Agent Settings (UDP) Blast Desktop Connection Broker Connection

Excellent Disabled TCP TCP

Typical Disabled TCP TCP

Poor Disabled TCP UDP

Computer gt Policies gt Admin Templates gt VMware Blast gt UDP Protocol ndash Disabled

HKLMSOFTWAREPoliciesVMware IncVMware BlastConfig ndash UdpEnabled = 0

BlastExtreme

ADV1592BU CONFIDENTIAL 32

VMworld 2017 Content Not fo

r publication or distri

bution

Horizon Connectivity Issues

bull Where to look

ndash Connection Broker logs

bull CProgramDataVMwareVDMlogs

ndash Event Database

ndash DCT Tool

bull What to look for ndash

bull (Client connects) [SimpleAJPService] (ajpbrokerRequest9) Request from 19216821 POST brokerxml

bull (Broker authentication) [WinAuthFilter] (SESSION7072--a79c mattc) Attempting to authenticate user mattc in domain FUTUREOFFICErsquo

bull (User has authenticated to Broker) [AuthorizationFilter] (SESSION7072--a79c) User FUTUREOFFICEmattc has successfully authenticated to VDM

bull (Audit Entry) [Audit] (SESSION7072--a79c) BROKER_LOGONUSERFUTUREOFFICEmattcUSERSIDS-1-5-21-326850759-2560684469-1780228732-1113USERDNCN=S-1-5-21-326850759-2560684469-1780228732-1113CN=ForeignSecurityPrincipalsDC=vdiDC=vmwareDC=int

bull Event Database BROKER_USERLOGGEDIN

Horizon

ADV1592BU CONFIDENTIAL 33

VMworld 2017 Content Not fo

r publication or distri

bution

User Experience Issues

bull Black screen of deathmdashinstead of desktop

ndash PCoIP port blocked (TCP and UDP 4172) or SVGA Driver issue

ndash pcoip_serverclient logs - CUsersAll UsersVMwareVDMlogs

bull Error attaching to SVGADevTap error 4000 EscapeFailed

bull MGMT_SCHAN scnet_client_open tera_sock_connect returned error 10060 - Connection timed out

ndash Incorrect PCoIP External URL configured for SecurityConnection Servers

Horizon

ADV1592BU CONFIDENTIAL 34

VMworld 2017 Content Not fo

r publication or distri

bution

User Experience Issues

bull Poor quality display

ndash Bandwidth latency or QoS

ndash Pcoip_server logs report

bull VGMAC Stat frms Loss=045021 (RT)

bull MGMT_PCOIP_DATA BW Decrease (loss) old = 2349982 new = 1768438

bull Randomly disconnected session

ndash 15 min after established - wssm process hasnt started on desktop

ndash View Agent logs (ltDriveLettergtProgramDataVMwareVDMlogs)

ndash PENDING_EXPIRED

ndash Sometimes caused by daisy-chaining the GINA (WinXP)

Horizon

ADV1592BU CONFIDENTIAL 35

VMworld 2017 Content Not fo

r publication or distri

bution

Multi-VLAN support for Instant Clone poolsTips to Avoid Deployment Issues

Support

bull vSphere 2016

bull ESXi 60 U1 or newer

bull Virtual Distributed Switch only

ndash No support for Standard Switch

bull Port Group must be configured for Static Port Binding amp Fixed Port Allocation

ndash No support for Dynamic or Ephemeral

Tested Limits

bull No multi-VLAN provisioning with IPv6

bull Single IC pool of 2K VMs

Horizon

ADV1592BU CONFIDENTIAL 36

VMworld 2017 Content Not fo

r publication or distri

bution

Multi-VLAN with Horizon Instant ClonesTroubleshooting

Horizon

ADV1592BU CONFIDENTIAL 37

VMworld 2017 Content Not fo

r publication or distri

bution

Desktop Performance

bull Common Issues

ndash Storage IO bottleneck

ndash Memory contention

ndash CPU contention

ndash Network issues

bull Where to look

ndash vCenter Server

ndash VCOPs

ndash ESXTOP

ndash 3rd Party Tools

Horizon

ADV1592BU CONFIDENTIAL 38

VMworld 2017 Content Not fo

r publication or distri

bution

The 3 Pillars of Performance

What to look for

bull CPU

ndash ClusterHost utilization lt 90

ndash VM utilization - USED (ESXTOP)

ndash VM RDY Time (ESXTOP) lt 10

bull Memory

ndash Host utilization lt 85

ndash VM utilization

ndash Swapping Ballooning SWCUR gt 1 MCTLSZ gt 1 (ESXTOP)

bull Storage

ndash Disk Read Latency lt 25ms

ndash ESXTOP DAVG or KAVG lt 25ms (ESXTOP)

Horizon

ADV1592BU CONFIDENTIAL 39

VMworld 2017 Content Not fo

r publication or distri

bution

Optimize Your Images

bull httpslabsvmwarecomflingsvmware-os-optimization-tool

Horizon

ADV1592BU CONFIDENTIAL 40

VMworld 2017 Content Not fo

r publication or distri

bution

User Environment ManagerCommon Issues

VMworld 2017 Content Not fo

r publication or distri

bution

FlexEngine Appears Not To Run

FlexEngine Client

bull Requires use of Regeditexeor Regexe to modify user-based registry keys

bull Must not be disabled via Local or Group Policy

ADMX Settings

bull Minimum settings to enable FlexEngine Client

bull Check path

ADV1592BU CONFIDENTIAL 42

VMworld 2017 Content Not fo

r publication or distri

bution

Path-Based Import Runs Slow

bull Be careful not to run FlexEngine as a logon script and a Group Policy client-side extension

ADV1592BU CONFIDENTIAL 43

VMworld 2017 Content Not fo

r publication or distri

bution

Application Incompatibility with Hook DriversUser Environment

Manager

DirectFlex Blacklist

bull Create ltFlexRepositorygtDirectFlexBlackListXML

bull Populate as follows

ltxml version=10 encoding=utf-8gt

ltuserEnvironmentSettingsgt

ltsetting type=blacklist list=rdquo1exe|2exe|3exe gt

ltuserEnvironmentSettingsgt

bull Example httpskbvmwarecomkb2145287

ADV1592BU CONFIDENTIAL 44

VMworld 2017 Content Not fo

r publication or distri

bution

App VolumesCommon Issues

VMworld 2017 Content Not fo

r publication or distri

bution

Slow User Logon

bull Check Logon Segments in Horizon to determine where the delay is

bull Optimize clockyml

ndash If performance decreases as deployment scales

ndash Increasing servers workers and thread_poolrequires additional CPU and RAM

ndash Involve GSS to ensure optimal settings

ADV1592BU CONFIDENTIAL 46

VMworld 2017 Content Not fo

r publication or distri

bution

AppStack Not Attaching at Logon

ADV1592BU CONFIDENTIAL 47

bull One host in vSphere cluster does not have access to the shared datastore where the AppStack resides

ndash Common oversight especially with Storage Groups

bull Conflicting Minifilter driver

ndash DLP software

ndash Be aware of app altitude

ndash More info from Microsoft

bull httpbitly2tSCdG5VMworld 2017 Content Not fo

r publication or distri

bution

VMworld 2017 Content Not fo

r publication or distri

bution

VMworld 2017 Content Not fo

r publication or distri

bution

ADSI Edit – Static Configuration Editing

ADSI Edit – Common Key Values to Inspect

• pae-DisplayName
  – VM name as displayed in View Admin
• pae-DirtyForNewSessions
  – Indicates whether the VM is "Dirty" and can be re-used in a non-persistent pool
• pae-SVIVMSnapshot
  – Indicates the current Snapshot that is in use
• pae-VmPath
  – Indicates the full Path to the VM in vCenter
• pae-VmState
  – Indicates the current state of the Desktop – some states are a combination of this value and other values

ADSI Edit – Searching for a Desktop

• Find VMs with a Snapshot
  – (&(objectClass=pae-VM)(pae-SVIVmSnapshot=BaselineSnapshot1Snapshot2))
• Find VMs with a Name
  – (&(objectClass=pae-VM)(pae-DisplayName=Desktop-234))

Horizon View Event Notifier

• On the VMware Fling site - labs.vmware.com/flings (chrishalstead)

SSL Certificates and vCenter Server Connection

Accept vCenter Certificate

• By default, certificate validation is required between App Volumes Manager and vSphere
• Accept vCenter cert (self-signed or CA-signed) while creating the Machine Manager in App Volumes Manager
• No custom certificate work required

Certificate Options for Production

Options to Enable SSL

• SSL is enabled by default
• Don't disable certificate validation during Agent installation
• Enable SSL in the registry after App Volumes Agent install

Enable Certificate Validation on the App Volumes Agent

HKLM\System\CurrentControlSet\Services\svservices\Parameters
• EnforceSSLCertificateValidation = 1
• SSL = 1

Certificate Options for a POC

• Options to Disable SSL
• Disable Certificate Validation with App Volumes Manager during App Volumes Agent install
• EnforceSSLCertificateValidation in the registry after App Volumes Agent install

Disable SSL Certificate Validation on the Agent

HKLM\System\CurrentControlSet\Services\svservices\Parameters
• EnforceSSLCertificateValidation = 0
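An added example (not from the slides) that audits saved `reg query` output from agents so a POC setting left behind in production is caught. The key path is copied as printed on the slides; the host names and sample outputs are constructed, and how the output is collected is left to the reader.

```python
import re

# Values the "Certificate Options for Production" slide sets on the agent.
REQUIRED = {"EnforceSSLCertificateValidation": 1, "SSL": 1}

# A value line in `reg query` output: indented name, type, hex data.
VALUE_LINE = re.compile(
    r"^\s+(?P<name>\S+)\s+REG_DWORD\s+(?P<data>0x[0-9a-fA-F]+)\s*$"
)


def parse_reg_query(text):
    """Return {value_name: int} for every REG_DWORD line in the output."""
    values = {}
    for line in text.splitlines():
        match = VALUE_LINE.match(line)
        if match:
            values[match.group("name")] = int(match.group("data"), 16)
    return values


def audit_agent(text):
    """Findings for one agent; an empty list matches the production slide."""
    values = parse_reg_query(text)
    findings = []
    for name, wanted in REQUIRED.items():
        if name not in values:
            findings.append(f"{name}: not set, confirm the installer default by hand")
        elif values[name] != wanted:
            findings.append(f"{name} = {values[name]}, production slide sets {wanted}")
    return findings


def audit_fleet(outputs):
    """Map host -> findings, keeping only hosts that have at least one finding."""
    report = {}
    for host, text in outputs.items():
        findings = audit_agent(text)
        if findings:
            report[host] = findings
    return report


# Constructed sample outputs; host names are hypothetical.
KEY = r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\svservices\Parameters"
SAMPLE_OUTPUTS = {
    "vdi-prod-01": KEY + "\n"
    "    EnforceSSLCertificateValidation    REG_DWORD    0x1\n"
    "    SSL    REG_DWORD    0x1\n",
    "vdi-poc-07": KEY + "\n"
    "    EnforceSSLCertificateValidation    REG_DWORD    0x0\n"
    "    SSL    REG_DWORD    0x1\n",
    "vdi-prod-02": KEY + "\n"
    "    EnforceSSLCertificateValidation    REG_DWORD    0x1\n",
}

if __name__ == "__main__":
    for host, findings in audit_fleet(SAMPLE_OUTPUTS).items():
        for finding in findings:
            print(f"{host}: {finding}")
```
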

SSL Certificates and SQL Server Communication

Securing Communications Between App Volumes Manager and SQL Server

• 2.12 User Guide references MS Support
• Note the differences for a SQL Server clustered installation
• Encryption is configured on the SQL Server instance, so all databases on a shared SQL Server will be affected
• From the SQL Server, use SQL Server Configuration Manager to configure Force Encryption and specify the SQL certificate

SQL Server service account must have Read permissions to the Private Key of the SQL Server SSL certificate

  – Check SQL Server Configuration Manager > SQL Server Services > SQL Server (SQL) > Log On
  – Default is NT Service\MSSQL$SQL, which does not have the necessary permissions

SSL Certificates and SQL Server Communication

Setting Custom Private Key Permissions for SQL Service Account

• Start on the SQL Server
• MMC > Certificates

SSL Certificates and Load Balancers

Typical Deployment

  – SSL is terminated at load balancer
  – HTTP between LB and AV Manager
  – SSL between AV Agents and LB
  – If trusted CA-signed cert is used for LB, be sure all agents trust the CA

Alternative Deployment

  – To keep SSL between LB and AV Manager, signed AV Manager certificate(s) should be added to trust list of the LB

[Diagram: App Volumes Agent VMs, Load Balancer, App Volumes Manager VMs, SQL, View Infrastructure; caption: Now Secured with SSL Certificates]

Desktop Not Available

What to look for… (walk through successful connection)

• Client requests desktop
  – Event Database: BROKER_DESKTOP_REQUEST
• Broker allocates session to user
  – [FarmImp] (SESSION7072--a79c) cn=3f974017-409f-4912-83bc-2ee794f22fab,ou=servers,dc=vdi,dc=vmware,dc=int total session count 0
  – [FarmImp] (SESSION7072--a79c) allocateNewSession - identified server for application CN=GOLD-NP,OU=Applications,DC=vdi,DC=vmware,DC=int
  – Event Database: BROKER_MACHINE_ALLOCATED
• Broker attempts SSO
  – [FarmImp] (SESSION7072--a79c) Using domain for SSO FUTUREOFFICE
  – User won't be logged on to the VM without this

Desktop Not Available

What to look for… Pool Provisioning

• Desktops not available due to provisioning error
  – Check View Administrator for Pool status, check datastore capacity
  – Check Event Database - BROKER_PROVISIONING_ERROR_
  – Check View Composer has network access to ESX hosts
• Desktop not available due to customization
  – Check Desktop status – AGENT UNAVAILABLE
  – Check View Dashboard
    • Desktop Status > Preparing Desktops OR Problem Desktops
  – Check Desktop connectivity to DNS/AD/Connection Server

Desktop Not Available

• Desktop not available due to VM reset/crash
  – Check Desktop status – ALREADY USED
  – Typical on refresh-on-logoff or delete-on-use desktops
  – Broker never received an explicit logout message from the agent
  – Missing AGENT_ENDED event in DB for VM
• View Composer issues associated with incorrect domain credentials
  • C:\ProgramData\VMware\View Composer\Logs
  • FATAL CSvmGaService - [svmGaService.cpp 116] Domain join failed Error 5 (0x5) Access is denied

Desktop Not Available

What to look for…

• Broker starts session on VM
  – [DesktopSessionImp] (SESSION7072--a79c) startSession – sending StartSession message
• Agent responds…
  – "DesktopManager got a StartSession message"
  – Client Info should be in Agent Log along with PCoIP launch
• Event Database: AGENT_PENDING
• Client connects to VM (Agent)
  – "PCoIPCnxOnConnectionComplete Begin (PCOIP)"
  – "WTS_SESSION_LOGON"
  – Event Database: AGENT_CONNECTED

Desktop Source Not Available

Common Issues

• No Desktop Available
• Pool provisioning issues – customization
• Agent not communicating with broker
• Stuck at desktop login screen (SSO)

Desktop Source Not Available

Where to look

• Event Database
• Connection Server logs

What to look for

[SessionLaunchContext] (SESSION40a7__6cbd) VMWEUC\bsimpson Desktop=vmworld Session request failed

(SESSION40a7__6cbd) [VMWEUC\bsimpson Desktop=vmworld] (5ms) The following servers were blocked for new sessions [cn=5162cf76-8d8a-4ac0-9185-845a540d24e5,ou=servers,dc=vdi,dc=vmware,dc=int]

(SESSION40a7__6cbd) [VMWEUC\bsimpson Desktop=vmworld] (5ms) Application launch failed exception was The desktop sources for this desktop are not responding Please try again later

Tracking Sessions

• Use Tail/Grep Utilities or Trace32 (SCCM Toolkit)

Demo – Log Monitoring with BareTail/BareGrep

Horizon: Common Issues

Troubleshooting Keys

• Check Admin Dashboard or HelpDesk Tool
• Understand client connection paths
• Set the appropriate Logging Level
• Check Logs and understand DCT Tool
• Use kb.vmware.com or communities

Horizon Helpdesk Tool

Session Details

Access

• Installed by default on CS
• https://[CS FQDN]/helpdesk
• Launch from Horizon Console

Provides

• Metrics
• Send Message
• Remote Assistance
• Quick Resolution
  – Restart
  – Logoff
  – Reset
  – Disconnect

Horizon Helpdesk Tool

Measuring Impact of AppStacks

[Screenshots compared: No AppStacks; Three AppStacks – VLC, Notepad++, 7-Zip]

Identifying the Problem Domain

[Diagram of the Horizon stack: Client(s); Identity Manager (SaaS, Mobile, HTML and other apps); Remoting Protocol; Pool; User Environment Manager (Profile, File Shares, Persona, Folder Redirection, Home File Shares); ThinApp Shares (Streamed Apps); App Volumes (AppStacks, Writable Volume, Disk Attachments); Master VM / Instant Clone; vSphere, Virtual SAN; Environment (AD, DNS, DHCP, Group Policy, Certs); vRealize Operations for Horizon – (Monitoring & Mgt)]

Horizon Connectivity Issues

• Common challenges
  – Horizon Client can't connect
  – Logon failure
  – Black screen
  – Poor quality display
  – Randomly disconnected session

Blast Extreme Adaptive Transport

ADMX Template Settings

Computer > Policies > Admin Templates > VMware Blast > UDP Protocol

• Requires restart of Blast service or reboot of guest OS to take effect

Blast Extreme Adaptive Transport

Computer > Policies > Admin Templates > VMware Blast > UDP Protocol – Not Configured or Enabled
HKLM\SOFTWARE\Policies\VMware, Inc.\VMware Blast\Config – UdpEnabled = 1

Client Settings   Agent Settings (UDP)        Blast Desktop Connection   Broker Connection
Excellent         Not configured or Enabled   TCP                        TCP
Typical           Not configured or Enabled   UDP                        TCP
Poor              Not configured or Enabled   UDP                        UDP

Computer > Policies > Admin Templates > VMware Blast > UDP Protocol – Disabled
HKLM\SOFTWARE\Policies\VMware, Inc.\VMware Blast\Config – UdpEnabled = 0

Client Settings   Agent Settings (UDP)        Blast Desktop Connection   Broker Connection
Excellent         Disabled                    TCP                        TCP
Typical           Disabled                    TCP                        TCP
Poor              Disabled                    TCP                        UDP

Horizon Connectivity Issues

• Where to look
  – Connection Broker logs
    • C:\ProgramData\VMware\VDM\logs
  – Event Database
  – DCT Tool
• What to look for –
  • (Client connects) [SimpleAJPService] (ajpbrokerRequest9) Request from 19216821 POST brokerxml
  • (Broker authentication) [WinAuthFilter] (SESSION7072--a79c mattc) Attempting to authenticate user mattc in domain FUTUREOFFICE
  • (User has authenticated to Broker) [AuthorizationFilter] (SESSION7072--a79c) User FUTUREOFFICE\mattc has successfully authenticated to VDM
  • (Audit Entry) [Audit] (SESSION7072--a79c) BROKER_LOGON:USER:FUTUREOFFICE\mattc;USERSID:S-1-5-21-326850759-2560684469-1780228732-1113;USERDN:CN=S-1-5-21-326850759-2560684469-1780228732-1113,CN=ForeignSecurityPrincipals,DC=vdi,DC=vmware,DC=int
  • Event Database: BROKER_USERLOGGEDIN

User Experience Issues

• Black screen of death – instead of desktop
  – PCoIP port blocked (TCP and UDP 4172) or SVGA Driver issue
  – pcoip_server/client logs - C:\Users\All Users\VMware\VDM\logs
    • Error attaching to SVGADevTap error 4000 EscapeFailed
    • MGMT_SCHAN scnet_client_open tera_sock_connect returned error 10060 - Connection timed out
  – Incorrect PCoIP External URL configured for Security/Connection Servers

User Experience Issues

• Poor quality display
  – Bandwidth, latency or QoS
  – Pcoip_server logs report
    • VGMAC Stat frms Loss=045021 (RT)
    • MGMT_PCOIP_DATA BW Decrease (loss) old = 2349982 new = 1768438
• Randomly disconnected session
  – 15 min after established - wssm process hasn't started on desktop
  – View Agent logs (<DriveLetter>:\ProgramData\VMware\VDM\logs)
  – PENDING_EXPIRED
  – Sometimes caused by daisy-chaining the GINA (WinXP)
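The Desktop Not Available, Horizon Connectivity Issues and User Experience Issues slides name the Event Database entries a connection produces; the following added example (not code from the presentation) replays a list of such events and reports, per launch attempt, the last stage reached and what the slides say to check next. The dictionary field names, timestamps and the `demo1` user are constructed for illustration and are not the Event Database schema.

```python
from collections import defaultdict

# Event types in the order the slides walk through a successful connection.
STAGES = [
    "BROKER_USERLOGGEDIN",
    "BROKER_DESKTOP_REQUEST",
    "BROKER_MACHINE_ALLOCATED",
    "AGENT_PENDING",
    "AGENT_CONNECTED",
]

# What to check when the event after a stage never arrives (from the slides).
STALL_HINTS = {
    "BROKER_USERLOGGEDIN": "user authenticated but no desktop request recorded",
    "BROKER_DESKTOP_REQUEST": "no machine allocated: check pool status, "
                              "provisioning errors and datastore capacity",
    "BROKER_MACHINE_ALLOCATED": "agent never reported pending: check agent status "
                                "and connectivity to DNS/AD/Connection Server",
    "AGENT_PENDING": "client never reached the agent: check protocol ports and "
                     "the External URL on Security/Connection Servers",
}


def split_attempts(events):
    """Group events per user; cut a new attempt at a logon or a repeated request."""
    per_user = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        per_user[ev["user"]].append(ev)
    attempts = []
    for user, evs in per_user.items():
        current = None
        for ev in evs:
            new_logon = ev["type"] == "BROKER_USERLOGGEDIN"
            repeat = (ev["type"] == "BROKER_DESKTOP_REQUEST" and current is not None
                      and "BROKER_DESKTOP_REQUEST" in current["types"])
            if current is None or new_logon or repeat:
                current = {"user": user, "types": [], "machine": None}
                attempts.append(current)
            current["types"].append(ev["type"])
            current["machine"] = ev.get("machine") or current["machine"]
    return attempts


def classify(attempt):
    """Return the last stage reached, a status and the matching hint."""
    types = attempt["types"]
    reached = max((STAGES.index(t) for t in types if t in STAGES), default=-1)
    last = STAGES[reached] if reached >= 0 else None
    if any("PENDING_EXPIRED" in t for t in types):
        status, hint = "error", "PENDING_EXPIRED: check View Agent logs (wssm not started)"
    elif any(t.startswith("BROKER_PROVISIONING_ERROR_") for t in types):
        status, hint = "error", "provisioning error: check View Composer access to ESX hosts"
    elif last == "AGENT_CONNECTED" and "AGENT_ENDED" in types:
        status, hint = "completed", ""
    elif last == "AGENT_CONNECTED":
        status = "connected"
        hint = "no AGENT_ENDED yet: if the session is over, expect ALREADY USED"
    else:
        status, hint = "stalled", STALL_HINTS.get(last, "no broker events recorded")
    return {"user": attempt["user"], "machine": attempt["machine"],
            "last_stage": last, "status": status, "hint": hint}


def trace(events):
    return [classify(a) for a in split_attempts(events)]


def _ev(time, etype, user, machine=None):
    return {"time": "2017-08-28T" + time, "type": etype, "user": user, "machine": machine}


# Constructed sample events; user names reuse those shown in the slide logs.
SAMPLE_EVENTS = [
    _ev("09:00:00", "BROKER_USERLOGGEDIN", "mattc"),
    _ev("09:00:05", "BROKER_DESKTOP_REQUEST", "mattc"),
    _ev("09:00:06", "BROKER_MACHINE_ALLOCATED", "mattc", "Desktop-234"),
    _ev("09:00:08", "AGENT_PENDING", "mattc", "Desktop-234"),
    _ev("09:00:15", "AGENT_CONNECTED", "mattc", "Desktop-234"),
    _ev("17:00:00", "AGENT_ENDED", "mattc", "Desktop-234"),
    _ev("09:10:00", "BROKER_USERLOGGEDIN", "bsimpson"),
    _ev("09:10:04", "BROKER_DESKTOP_REQUEST", "bsimpson"),
    _ev("09:12:00", "BROKER_DESKTOP_REQUEST", "bsimpson"),
    _ev("09:12:01", "BROKER_MACHINE_ALLOCATED", "bsimpson", "Desktop-235"),
    _ev("09:12:03", "AGENT_PENDING", "bsimpson", "Desktop-235"),
    _ev("09:27:03", "PENDING_EXPIRED", "bsimpson", "Desktop-235"),
    _ev("09:30:00", "BROKER_USERLOGGEDIN", "demo1"),
    _ev("09:30:02", "BROKER_DESKTOP_REQUEST", "demo1"),
    _ev("09:30:03", "BROKER_MACHINE_ALLOCATED", "demo1", "Desktop-236"),
    _ev("09:30:05", "AGENT_PENDING", "demo1", "Desktop-236"),
    _ev("09:30:11", "AGENT_CONNECTED", "demo1", "Desktop-236"),
]

if __name__ == "__main__":
    for row in trace(SAMPLE_EVENTS):
        print(row)
```

A session that is still active also has no AGENT_ENDED, so the "connected" status only points to an ALREADY USED desktop once the user is known to have left.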

Multi-VLAN support for Instant Clone pools

Tips to Avoid Deployment Issues

Support

• vSphere 2016
• ESXi 6.0 U1 or newer
• Virtual Distributed Switch only
  – No support for Standard Switch
• Port Group must be configured for Static Port Binding & Fixed Port Allocation
  – No support for Dynamic or Ephemeral

Tested Limits

• No multi-VLAN provisioning with IPv6
• Single IC pool of 2K VMs

Multi-VLAN with Horizon Instant Clones: Troubleshooting

Desktop Performance

• Common Issues
  – Storage I/O bottleneck
  – Memory contention
  – CPU contention
  – Network issues
• Where to look
  – vCenter Server
  – VCOPs
  – ESXTOP
  – 3rd Party Tools

The 3 Pillars of Performance

What to look for

• CPU
  – Cluster/Host utilization < 90
  – VM utilization - USED (ESXTOP)
  – VM RDY Time (ESXTOP) < 10
• Memory
  – Host utilization < 85
  – VM utilization
  – Swapping, Ballooning – SWCUR > 1, MCTLSZ > 1 (ESXTOP)
• Storage
  – Disk Read Latency < 25ms
  – ESXTOP DAVG or KAVG < 25ms (ESXTOP)

Optimize Your Images

• https://labs.vmware.com/flings/vmware-os-optimization-tool

User Environment Manager: Common Issues

FlexEngine Appears Not To Run

FlexEngine Client

• Requires use of Regedit.exe or Reg.exe to modify user-based registry keys
• Must not be disabled via Local or Group Policy

ADMX Settings

• Minimum settings to enable FlexEngine Client
• Check path

Path-Based Import Runs Slow

• Be careful not to run FlexEngine as a logon script and a Group Policy client-side extension

ADV1592BU CONFIDENTIAL 43

VMworld 2017 Content Not fo

r publication or distri

bution

Application Incompatibility with Hook DriversUser Environment

Manager

DirectFlex Blacklist

bull Create ltFlexRepositorygtDirectFlexBlackListXML

bull Populate as follows

ltxml version=10 encoding=utf-8gt

ltuserEnvironmentSettingsgt

ltsetting type=blacklist list=rdquo1exe|2exe|3exe gt

ltuserEnvironmentSettingsgt

bull Example httpskbvmwarecomkb2145287

ADV1592BU CONFIDENTIAL 44

VMworld 2017 Content Not fo

r publication or distri

bution

App VolumesCommon Issues

VMworld 2017 Content Not fo

r publication or distri

bution

Slow User Logon

bull Check Logon Segments in Horizon to determine where the delay is

bull Optimize clockyml

ndash If performance decreases as deployment scales

ndash Increasing servers workers and thread_poolrequires additional CPU and RAM

ndash Involve GSS to ensure optimal settings

ADV1592BU CONFIDENTIAL 46

VMworld 2017 Content Not fo

r publication or distri

bution

AppStack Not Attaching at Logon

ADV1592BU CONFIDENTIAL 47

bull One host in vSphere cluster does not have access to the shared datastore where the AppStack resides

ndash Common oversight especially with Storage Groups

bull Conflicting Minifilter driver

ndash DLP software

ndash Be aware of app altitude

ndash More info from Microsoft

bull httpbitly2tSCdG5VMworld 2017 Content Not fo

r publication or distri

bution

VMworld 2017 Content Not fo

r publication or distri

bution

VMworld 2017 Content Not fo

r publication or distri

bution

ADSI Edit ndash Static Configuration Editing

ADV1592BU CONFIDENTIAL 50

Horizon

VMworld 2017 Content Not fo

r publication or distri

bution

ADSI Edit ndash Common Key Values to Inspect

bull pae-DisplayName

ndash VM name as displayed in View Admin

bull pae-DirtyForNewSessions

ndash Indicates whether the VM is ldquoDirtyrdquo and can be re-used in a non-persistent pool

bull pae-SVIVMSnapshot

ndash Indicates the current Snapshot that is in use

bull pae-VmPath

ndash Indicates the full Path to the VM in vCenter

bull pae-VmState

ndash Indicates the current state of the Desktop ndash some states are a combination of this valueand other values

ADV1592BU CONFIDENTIAL 51

Horizon

VMworld 2017 Content Not fo

r publication or distri

bution

ADSI Edit ndash Searching for a Desktop

bull Find VMs with a Snapshot

ndash (amp(objectClass=pae-VM)(pae-SVIVmSnapshot=BaselineSnapshot1Snapshot2))

bull Find VMs with a Name

ndash (amp(objectClass=pae-VM)(pae-DisplayName=Desktop-234))

Horizon

ADV1592BU CONFIDENTIAL 52

VMworld 2017 Content Not fo

r publication or distri

bution

Horizon View Event Notifier

bull On the VMware Fling site - labsvmwarecomflings (chrishalstead)

Horizon

ADV1592BU CONFIDENTIAL 53

VMworld 2017 Content Not fo

r publication or distri

bution

SSL Certificates and vCenter Server Connection

Accept vCenter Certificate

bull By default certificate validation is required between App Volumes Manager and vSphere

bull Accept vCenter cert (self-signed or CA-signed) while creating the Machine Manager in App Volumes Manager

bull No custom certificate work required

App Volumes

ADV1592BU CONFIDENTIAL 54

VMworld 2017 Content Not fo

r publication or distri

bution

Certificate Options for Production

Options to Enable SSL

bull SSL is enabled by default

bull Donrsquot disable certificate validation during Agent installation

bull Enable SSL in the registry after App Volumes Agent install

ADV1592BU CONFIDENTIAL 55

Enable Certificate Validation on the App Volumes Agent

HKLMSystemCurrentControlSetServicessvservicesParametersbull EnforceSSLCertificateValidation = 1bull SSL = 1

App Volumes

VMworld 2017 Content Not fo

r publication or distri

bution

Certificate Options for a POC

bull Options to Disable SSL

bull Disable Certificate Validation with App Volumes Manager during App Volumes Agent install

bull EnforceSSLCertificateValidation in the registry after App Volumes Agent install

ADV1592BU CONFIDENTIAL 56

Disable SSL Certificate Validation on the Agent

HKLMSystemCurrentControlSetServicessvservicesParametersbull EnforceSSLCertificateValidation = 0

App Volumes

VMworld 2017 Content Not fo

r publication or distri

bution

SSL Certificates and SQL Server CommunicationSecuring Communications Between App Volumes Manager and SQL Server

bull 212 User Guide references MS Support

bull Note the differences for a SQL Server clustered installation

bull Encryption is configured on the SQL Server instance so alldatabases on a shared SQL Server will be affected

bull From the SQL Server use SQL Server Configuration Manager to configure Force Encryption and specify the SQL certificate

SQL Server service account must have Read permissions to the Private Key of the SQL Server SSL certificate

ndash Check SQL Server Configuration Manager gt SQL Server Services gt SQL Server (SQL) gt Log On

ndash Default is NT ServiceMSSQL$SQL which does not have the necessary permissions

App Volumes

ADV1592BU CONFIDENTIAL 57

VMworld 2017 Content Not fo

r publication or distri

bution

SSL Certificates and SQL Server Communication

bull Start on the SQL Server

bull MMC gt Certificates

ADV1592BU CONFIDENTIAL 58

Setting Custom Private Key Permissions for SQL Service Account

App Volumes

VMworld 2017 Content Not fo

r publication or distri

bution

SSL Certificates and Load Balancers

ADV1592BU CONFIDENTIAL 59

Typical Deployment

ndash SSL is terminated at load balancer

ndash HTTP between LB and AV Manager

ndash SSL between AV Agents and LB

ndash If trusted CA-signed cert is used for LB be sure all agents trust the CA

App Volumes Agent VMs

Load Balancer

App Volumes Manager VMs

Alternative Deployment

ndash To keep SSL between LB and AV Manager signed AV Manager certificate(s) should be added to trust list of the LB

SQLView Infrastructure

Now Secured withSSL Certificates

App Volumes

VMworld 2017 Content Not fo

r publication or distri

bution

Desktop Not Available

What to look forhellip (walk through successful connection)

bull Client requests desktop

ndash Event Database BROKER_DESKTOP_REQUEST

bull Broker allocates session to user

ndash [FarmImp] (SESSION7072--a79c) cn=3f974017-409f-4912-83bc-2ee794f22fabou=serversdc=vdidc=vmwaredc=int total session count 0

ndash [FarmImp] (SESSION7072--a79c) allocateNewSession - identified server for application CN=GOLD-NPOU=ApplicationsDC=vdiDC=vmwareDC=int

ndash Event Database BROKER_MACHINE_ALLOCATED

bull Broker attempts SSO

ndash [FarmImp] (SESSION7072--a79c) Using domain for SSO FUTUREOFFICE

ndash User wonrsquot be logged on to the VM without this

Horizon

ADV1592BU CONFIDENTIAL 60

VMworld 2017 Content Not fo

r publication or distri

bution

Desktop Not Available

What to look forhellip Pool Provisioning

bull Desktops not available due to provisioning error

ndash Check View Administrator for Pool status check datastore capacity

ndash Check Event Database - BROKER_PROVISIONING_ERROR_

ndash Check View Composer has network access to ESX hosts

bull Desktop not available due to customization

ndash Check Desktop status ndash AGENT UNAVAILABLE

ndash Check View Dashboard

bull Desktop Status gt Preparing Desktops OR Problem Desktops

ndash Check Desktop connectivity to DNSADConnection Server

Horizon

ADV1592BU CONFIDENTIAL 61

VMworld 2017 Content Not fo

r publication or distri

bution

Desktop Not Available

bull Desktop not available due to VM resetcrash

ndash Check Desktop status ndash ALREADY USED

ndash Typical on refresh-on-logoff or delete-on-use desktops

ndash Broker never received an explicit logout message from the agent

ndash Missing AGENT_ENDED event in DB for VM

bull View Composer Issues associated with incorrect domain credentials

bull CProgramDataVMwareView ComposerLogs

bull FATAL CSvmGaService - [svmGaServicecpp 116] Domain join failed Error 5 (0x5) Access is denied

Horizon

ADV1592BU CONFIDENTIAL 62

VMworld 2017 Content Not fo

r publication or distri

bution

Desktop Not Available

What to look forhellip

bull Broker starts session on VM

ndash [DesktopSessionImp] (SESSION7072--a79c) startSession ndashsending StartSession message

bull Agent respondshellip

ndash DesktopManager got a StartSession messagerdquo

ndash Client Info should be in Agent Log along with PCoIP launch

bull Event Database AGENT_PENDING

bull Client connects to VM (Agent)

ndash ldquoPCoIPCnxOnConnectionComplete Begin (PCOIP)rdquo

ndash ldquoWTS_SESSION_LOGONrdquo

ndash Event Database AGENT_CONNECTED

Horizon

ADV1592BU CONFIDENTIAL 63

VMworld 2017 Content Not fo

r publication or distri

bution

Desktop Source Not Available

Common Issues

bull No Desktop Available

bull Pool provisioning issues ndashcustomization

bull Agent not communicatingwith broker

bull Stuck at desktop loginscreen (SSO)

Horizon

ADV1592BU CONFIDENTIAL 64

VMworld 2017 Content Not fo

r publication or distri

bution

Desktop Source Not Available

Where to look

bull Event Database

bull Connection Server logs

What to look for

[SessionLaunchContext] (SESSION40a7__6cbd) VMWEUCbsimpson Desktop=vmworld Session request failed

(SESSION40a7__6cbd) [VMWEUCbsimpson Desktop=vmworld] (5ms) The following servers were blocked for new sessions [cn=5162cf76-8d8a-4ac0-9185-845a540d24e5ou=serversdc=vdidc=vmwaredc=int]

(SESSION40a7__6cbd) [VMWEUCbsimpson Desktop=vmworld] (5ms) Application launch failed exception was The desktop sources for this desktop are not responding Please try again later

Horizon

ADV1592BU CONFIDENTIAL 65

VMworld 2017 Content Not fo

r publication or distri

bution

Page 22: ADV1592BU Troubleshooting Your Horizon 7 Deployment … · Troubleshooting Your Horizon 7 Deployment VMworld 2017 ... (SCCM Toolkit) Horizon ... Troubleshooting Horizon

Demo ndash Log Monitoring with BareTailBareGrep

ADV1592BU CONFIDENTIAL 22

Horizon

VMworld 2017 Content Not fo

r publication or distri

bution

HorizonCommon Issues

VMworld 2017 Content Not fo

r publication or distri

bution

Troubleshooting Keys

bull Check Admin Dashboard or HelpDesk Tool

bull Understand client connection paths

bull Set the appropriate Logging Level

bull Check Logs and understand DCT Tool

bull Use kbvmwarecom or communities

ADV1592BU CONFIDENTIAL 24

Horizon

VMworld 2017 Content Not fo

r publication or distri

bution

Horizon Helpdesk ToolHorizon

ADV1592BU CONFIDENTIAL 25

VMworld 2017 Content Not fo

r publication or distri

bution

Horizon Helpdesk Tool Session Details

Access

bull Installed by default on CS

bull https[CS FQDN]helpdesk

bull Launch from Horizon Console

Provides

bull Metrics

bull Send Message

bull Remote Assistance

bull Quick Resolutionndash Restart

ndash Logoff

ndash Reset

ndash Disconnect

Horizon

ADV1592BU CONFIDENTIAL 26

VMworld 2017 Content Not fo

r publication or distri

bution

Horizon Helpdesk Tool

ADV1592BU CONFIDENTIAL 27

Measuring Impact of AppStacks

No AppStacks

Three AppStacks ndash VLC Notepad++ 7-Zip

Horizon

VMworld 2017 Content Not fo

r publication or distri

bution

Pool

Profile

Service AppsUser

Remoting

ProtocolUser Environment

Manager

File SharesPersona

ThinApp SharesStreamed

Apps

Master VMInstant

Clone

Home File SharesFolder

Redirection

App Volumes

AppStacks

Writable Volume

Disk

Attachments

vSphere

Virtual SAN

Instant Clone

SaaS Mobile Other Apps

Client(s)

Identity Manager

HTML

APPS

En

viro

nm

en

t

AD

DNS

DHCP

Group

Policy

Certs

vRealize Operations for Horizon ndash (Monitoring amp Mgt)

Identifying the Problem Domain

VMworld 2017 Content Not fo

r publication or distri

bution

Horizon Connectivity Issues

bull Common challenges

ndash Horizon Client canrsquot connect

ndash Logon failure

ndash Black screen

ndash Poor quality display

ndash Randomly disconnected session

Horizon

ADV1592BU CONFIDENTIAL 29

VMworld 2017 Content Not fo

r publication or distri

bution

Horizon

VMworld 2017 Content Not fo

r publication or distri

bution

Blast Extreme Adaptive TransportADMX Template Settings

Computer gt Policies gt Admin Templates gt VMware Blast gt UDP Protocol

bull Requires restart of Blast service or reboot of guest OS to take effect

BlastExtreme

ADV1592BU CONFIDENTIAL 31

VMworld 2017 Content Not fo

r publication or distri

bution

Blast Extreme Adaptive Transport

Client Settings Agent Settings (UDP) Blast Desktop Connection Broker Connection

Excellent Not configured or Enabled TCP TCP

Typical Not configured or Enabled UDP TCP

Poor Not configured or Enabled UDP UDP

Computer gt Policies gt Admin Templates gt VMware Blast gt UDP Protocol ndash Not Configured or Enabled

HKLMSOFTWAREPoliciesVMware IncVMware BlastConfig ndash UdpEnabled = 1

Client Settings Agent Settings (UDP) Blast Desktop Connection Broker Connection

Excellent Disabled TCP TCP

Typical Disabled TCP TCP

Poor Disabled TCP UDP

Computer gt Policies gt Admin Templates gt VMware Blast gt UDP Protocol ndash Disabled

HKLMSOFTWAREPoliciesVMware IncVMware BlastConfig ndash UdpEnabled = 0

BlastExtreme

ADV1592BU CONFIDENTIAL 32

VMworld 2017 Content Not fo

r publication or distri

bution

Horizon Connectivity Issues

bull Where to look

ndash Connection Broker logs

bull CProgramDataVMwareVDMlogs

ndash Event Database

ndash DCT Tool

bull What to look for ndash

bull (Client connects) [SimpleAJPService] (ajpbrokerRequest9) Request from 19216821 POST brokerxml

bull (Broker authentication) [WinAuthFilter] (SESSION7072--a79c mattc) Attempting to authenticate user mattc in domain FUTUREOFFICErsquo

bull (User has authenticated to Broker) [AuthorizationFilter] (SESSION7072--a79c) User FUTUREOFFICEmattc has successfully authenticated to VDM

bull (Audit Entry) [Audit] (SESSION7072--a79c) BROKER_LOGONUSERFUTUREOFFICEmattcUSERSIDS-1-5-21-326850759-2560684469-1780228732-1113USERDNCN=S-1-5-21-326850759-2560684469-1780228732-1113CN=ForeignSecurityPrincipalsDC=vdiDC=vmwareDC=int

bull Event Database BROKER_USERLOGGEDIN

Horizon

ADV1592BU CONFIDENTIAL 33

VMworld 2017 Content Not fo

r publication or distri

bution

User Experience Issues

bull Black screen of deathmdashinstead of desktop

ndash PCoIP port blocked (TCP and UDP 4172) or SVGA Driver issue

ndash pcoip_serverclient logs - CUsersAll UsersVMwareVDMlogs

bull Error attaching to SVGADevTap error 4000 EscapeFailed

bull MGMT_SCHAN scnet_client_open tera_sock_connect returned error 10060 - Connection timed out

ndash Incorrect PCoIP External URL configured for SecurityConnection Servers

Horizon

ADV1592BU CONFIDENTIAL 34

VMworld 2017 Content Not fo

r publication or distri

bution

User Experience Issues

bull Poor quality display

ndash Bandwidth latency or QoS

ndash Pcoip_server logs report

bull VGMAC Stat frms Loss=045021 (RT)

bull MGMT_PCOIP_DATA BW Decrease (loss) old = 2349982 new = 1768438

bull Randomly disconnected session

ndash 15 min after established - wssm process hasnt started on desktop

ndash View Agent logs (ltDriveLettergtProgramDataVMwareVDMlogs)

ndash PENDING_EXPIRED

ndash Sometimes caused by daisy-chaining the GINA (WinXP)

Horizon

ADV1592BU CONFIDENTIAL 35

VMworld 2017 Content Not fo

r publication or distri

bution

Multi-VLAN support for Instant Clone poolsTips to Avoid Deployment Issues

Support

bull vSphere 2016

bull ESXi 60 U1 or newer

bull Virtual Distributed Switch only

ndash No support for Standard Switch

bull Port Group must be configured for Static Port Binding amp Fixed Port Allocation

ndash No support for Dynamic or Ephemeral

Tested Limits

bull No multi-VLAN provisioning with IPv6

bull Single IC pool of 2K VMs

Horizon

ADV1592BU CONFIDENTIAL 36

VMworld 2017 Content Not fo

r publication or distri

bution

Multi-VLAN with Horizon Instant ClonesTroubleshooting

Horizon

ADV1592BU CONFIDENTIAL 37

VMworld 2017 Content Not fo

r publication or distri

bution

Desktop Performance

bull Common Issues

ndash Storage IO bottleneck

ndash Memory contention

ndash CPU contention

ndash Network issues

bull Where to look

ndash vCenter Server

ndash VCOPs

ndash ESXTOP

ndash 3rd Party Tools

Horizon

ADV1592BU CONFIDENTIAL 38

VMworld 2017 Content Not fo

r publication or distri

bution

The 3 Pillars of Performance

What to look for

• CPU
  – Cluster/Host utilization < 90%
  – VM utilization - USED (ESXTOP)
  – VM RDY Time (ESXTOP) < 10%
• Memory
  – Host utilization < 85%
  – VM utilization
  – Swapping, Ballooning: SWCUR > 1, MCTLSZ > 1 (ESXTOP)
• Storage
  – Disk Read Latency < 25ms
  – ESXTOP DAVG or KAVG < 25ms (ESXTOP)

Optimize Your Images

• https://labs.vmware.com/flings/vmware-os-optimization-tool

User Environment Manager
Common Issues

FlexEngine Appears Not To Run

FlexEngine Client
• Requires use of Regedit.exe or Reg.exe to modify user-based registry keys
• Must not be disabled via Local or Group Policy

ADMX Settings
• Minimum settings to enable FlexEngine Client
• Check path

Path-Based Import Runs Slow

• Be careful not to run FlexEngine as a logon script and a Group Policy client-side extension

Application Incompatibility with Hook Drivers

DirectFlex Blacklist
• Create <FlexRepository>\DirectFlexBlackList.XML
• Populate as follows:

    <?xml version="1.0" encoding="utf-8"?>
    <userEnvironmentSettings>
        <setting type="blacklist" list="1.exe|2.exe|3.exe" />
    </userEnvironmentSettings>

• Example: https://kb.vmware.com/kb/2145287

App Volumes
Common Issues

Slow User Logon

• Check Logon Segments in Horizon to determine where the delay is
• Optimize clock.yml
  – If performance decreases as deployment scales
  – Increasing servers, workers and thread_pool requires additional CPU and RAM
  – Involve GSS to ensure optimal settings

AppStack Not Attaching at Logon

• One host in vSphere cluster does not have access to the shared datastore where the AppStack resides
  – Common oversight, especially with Storage Groups
• Conflicting Minifilter driver
  – DLP software
  – Be aware of app altitude
  – More info from Microsoft
    • http://bit.ly/2tSCdG5

ADSI Edit – Static Configuration Editing

ADSI Edit – Common Key Values to Inspect

• pae-DisplayName
  – VM name as displayed in View Admin
• pae-DirtyForNewSessions
  – Indicates whether the VM is “Dirty” and can be re-used in a non-persistent pool
• pae-SVIVMSnapshot
  – Indicates the current Snapshot that is in use
• pae-VmPath
  – Indicates the full Path to the VM in vCenter
• pae-VmState
  – Indicates the current state of the Desktop – some states are a combination of this value and other values

ADSI Edit – Searching for a Desktop

• Find VMs with a Snapshot
  – (&(objectClass=pae-VM)(pae-SVIVmSnapshot=BaselineSnapshot1Snapshot2))
• Find VMs with a Name
  – (&(objectClass=pae-VM)(pae-DisplayName=Desktop-234))

Horizon View Event Notifier

• On the VMware Fling site - labs.vmware.com/flings (chrishalstead)

SSL Certificates and vCenter Server Connection

Accept vCenter Certificate
• By default, certificate validation is required between App Volumes Manager and vSphere
• Accept vCenter cert (self-signed or CA-signed) while creating the Machine Manager in App Volumes Manager
• No custom certificate work required

Certificate Options for Production

Options to Enable SSL
• SSL is enabled by default
• Don't disable certificate validation during Agent installation
• Enable SSL in the registry after App Volumes Agent install

Enable Certificate Validation on the App Volumes Agent

HKLM\System\CurrentControlSet\Services\svservices\Parameters
• EnforceSSLCertificateValidation = 1
• SSL = 1

Certificate Options for a POC

Options to Disable SSL
• Disable Certificate Validation with App Volumes Manager during App Volumes Agent install
• EnforceSSLCertificateValidation in the registry after App Volumes Agent install

Disable SSL Certificate Validation on the Agent

HKLM\System\CurrentControlSet\Services\svservices\Parameters
• EnforceSSLCertificateValidation = 0

SSL Certificates and SQL Server Communication
Securing Communications Between App Volumes Manager and SQL Server

• 2.12 User Guide references MS Support
• Note the differences for a SQL Server clustered installation
• Encryption is configured on the SQL Server instance, so all databases on a shared SQL Server will be affected
• From the SQL Server, use SQL Server Configuration Manager to configure Force Encryption and specify the SQL certificate

SQL Server service account must have Read permissions to the Private Key of the SQL Server SSL certificate
  – Check SQL Server Configuration Manager > SQL Server Services > SQL Server (SQL) > Log On
  – Default is NT Service\MSSQL$SQL, which does not have the necessary permissions

SSL Certificates and SQL Server Communication
Setting Custom Private Key Permissions for SQL Service Account

• Start on the SQL Server
• MMC > Certificates

SSL Certificates and Load Balancers

Typical Deployment
  – SSL is terminated at load balancer
  – HTTP between LB and AV Manager
  – SSL between AV Agents and LB
  – If trusted CA-signed cert is used for LB, be sure all agents trust the CA

Alternative Deployment
  – To keep SSL between LB and AV Manager, signed AV Manager certificate(s) should be added to trust list of the LB

[Diagram labels: App Volumes Agent VMs, Load Balancer, App Volumes Manager VMs, SQL, View Infrastructure, "Now Secured with SSL Certificates"]

Desktop Not Available

What to look for… (walk through successful connection)

• Client requests desktop
  – Event Database: BROKER_DESKTOP_REQUEST
• Broker allocates session to user
  – [FarmImp] (SESSION7072--a79c) cn=3f974017-409f-4912-83bc-2ee794f22fab,ou=servers,dc=vdi,dc=vmware,dc=int total session count 0
  – [FarmImp] (SESSION7072--a79c) allocateNewSession - identified server for application CN=GOLD-NP,OU=Applications,DC=vdi,DC=vmware,DC=int
  – Event Database: BROKER_MACHINE_ALLOCATED
• Broker attempts SSO
  – [FarmImp] (SESSION7072--a79c) Using domain for SSO FUTUREOFFICE
  – User won't be logged on to the VM without this

Desktop Not Available

What to look for… Pool Provisioning

• Desktops not available due to provisioning error
  – Check View Administrator for Pool status, check datastore capacity
  – Check Event Database - BROKER_PROVISIONING_ERROR_
  – Check View Composer has network access to ESX hosts
• Desktop not available due to customization
  – Check Desktop status – AGENT UNAVAILABLE
  – Check View Dashboard
    • Desktop Status > Preparing Desktops OR Problem Desktops
  – Check Desktop connectivity to DNS/AD/Connection Server

Desktop Not Available

• Desktop not available due to VM reset/crash
  – Check Desktop status – ALREADY USED
  – Typical on refresh-on-logoff or delete-on-use desktops
  – Broker never received an explicit logout message from the agent
  – Missing AGENT_ENDED event in DB for VM
• View Composer Issues associated with incorrect domain credentials
  • C:\ProgramData\VMware\View Composer\Logs
  • FATAL CSvmGaService - [svmGaService.cpp 116] Domain join failed Error 5 (0x5) Access is denied

Desktop Not Available

What to look for…

• Broker starts session on VM
  – [DesktopSessionImp] (SESSION7072--a79c) startSession – sending StartSession message
• Agent responds…
  – “DesktopManager got a StartSession message”
  – Client Info should be in Agent Log along with PCoIP launch
• Event Database: AGENT_PENDING
• Client connects to VM (Agent)
  – “PCoIPCnxOnConnectionComplete Begin (PCOIP)”
  – “WTS_SESSION_LOGON”
  – Event Database: AGENT_CONNECTED

Desktop Source Not Available

Common Issues
• No Desktop Available
• Pool provisioning issues – customization
• Agent not communicating with broker
• Stuck at desktop login screen (SSO)

Desktop Source Not Available

Where to look
• Event Database
• Connection Server logs

What to look for

[SessionLaunchContext] (SESSION40a7__6cbd) VMWEUC\bsimpson Desktop=vmworld Session request failed

(SESSION40a7__6cbd) [VMWEUC\bsimpson Desktop=vmworld] (5ms) The following servers were blocked for new sessions [cn=5162cf76-8d8a-4ac0-9185-845a540d24e5,ou=servers,dc=vdi,dc=vmware,dc=int]

(SESSION40a7__6cbd) [VMWEUC\bsimpson Desktop=vmworld] (5ms) Application launch failed exception was The desktop sources for this desktop are not responding Please try again later
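The launch walkthrough and the failure markers from the "Desktop Not Available" and "Desktop Source Not Available" slides, turned into a small triage script. This is an added example, not VMware code: the sample lines, their timestamps and the `(SESSION:...)` token shape are constructed, and it assumes Connection Server log lines and Event Database rows have already been merged into one text timeline tagged per session.

```python
import re

# Assumed session-token shape for the constructed sample; adjust to your logs.
SESSION_RE = re.compile(r"\(SESSION:([0-9A-Za-z_*-]+)")

# Ordered evidence of a successful launch, using the markers named on the slides.
# \b stops AGENT_PENDING from matching inside a longer event name.
STAGES = [
    ("desktop_requested", re.compile(r"\bBROKER_DESKTOP_REQUEST\b"), "Event Database"),
    ("machine_allocated", re.compile(r"\bBROKER_MACHINE_ALLOCATED\b"), "Event Database"),
    ("start_session_sent", re.compile(r"sending StartSession message"), "Connection Server log"),
    ("agent_pending", re.compile(r"\bAGENT_PENDING\b"), "Event Database"),
    ("agent_connected", re.compile(r"\bAGENT_CONNECTED\b"), "Event Database"),
]

# Failure markers from the slides, mapped to the checks the slides suggest.
FAILURES = {
    "BROKER_PROVISIONING_ERROR_": "pool status, datastore capacity, View Composer access to ESX hosts",
    "PENDING_EXPIRED": "View Agent logs; wssm process not started on the desktop",
    "Session request failed": "read the next lines for this session for the reason",
    "blocked for new sessions": "agent not communicating with broker",
    "desktop sources for this desktop are not responding": "desktop status and connectivity to DNS/AD/Connection Server",
    "Domain join failed": "View Composer domain credentials",
}


def trace_sessions(lines):
    """Return, per session, the stages reached, the first missing one and failures seen."""
    sessions = {}
    for line in lines:
        match = SESSION_RE.search(line)
        if not match:
            continue  # line cannot be attributed to a session
        rec = sessions.setdefault(match.group(1), {"seen": set(), "failures": []})
        for name, pattern, _source in STAGES:
            if pattern.search(line):
                rec["seen"].add(name)
        for marker in FAILURES:
            if marker in line and marker not in rec["failures"]:
                rec["failures"].append(marker)

    report = {}
    for sid, rec in sessions.items():
        missing = next(((n, src) for n, _p, src in STAGES if n not in rec["seen"]), None)
        report[sid] = {
            "reached": [n for n, _p, _s in STAGES if n in rec["seen"]],
            "first_missing": missing[0] if missing else None,
            "look_in": missing[1] if missing else None,
            "failures": rec["failures"],
        }
    return report


# Constructed sample timeline: one good launch, one rejected, one that expired.
SAMPLE = """\
2017-08-28T10:00:01 INFO [Events] (SESSION:7072_***_a79c) BROKER_DESKTOP_REQUEST
2017-08-28T10:00:01 DEBUG [FarmImp] (SESSION:7072_***_a79c) allocateNewSession - identified server
2017-08-28T10:00:02 INFO [Events] (SESSION:7072_***_a79c) BROKER_MACHINE_ALLOCATED
2017-08-28T10:00:02 DEBUG [DesktopSessionImp] (SESSION:7072_***_a79c) startSession - sending StartSession message
2017-08-28T10:00:03 INFO [Events] (SESSION:7072_***_a79c) AGENT_PENDING
2017-08-28T10:00:05 INFO [Events] (SESSION:7072_***_a79c) AGENT_CONNECTED
2017-08-28T10:02:10 INFO [Events] (SESSION:40a7_***_6cbd) BROKER_DESKTOP_REQUEST
2017-08-28T10:02:10 DEBUG [SessionLaunchContext] (SESSION:40a7_***_6cbd) Session request failed
2017-08-28T10:02:10 DEBUG (SESSION:40a7_***_6cbd) The following servers were blocked for new sessions
2017-08-28T10:02:10 DEBUG (SESSION:40a7_***_6cbd) The desktop sources for this desktop are not responding
2017-08-28T10:05:00 INFO [Events] (SESSION:51b2_***_0c1e) BROKER_DESKTOP_REQUEST
2017-08-28T10:05:01 INFO [Events] (SESSION:51b2_***_0c1e) BROKER_MACHINE_ALLOCATED
2017-08-28T10:05:01 DEBUG [DesktopSessionImp] (SESSION:51b2_***_0c1e) startSession - sending StartSession message
2017-08-28T10:05:02 INFO [Events] (SESSION:51b2_***_0c1e) AGENT_PENDING
2017-08-28T10:20:02 INFO [Events] (SESSION:51b2_***_0c1e) PENDING_EXPIRED
"""

if __name__ == "__main__":
    for sid, info in trace_sessions(SAMPLE.splitlines()).items():
        if info["first_missing"] is None and not info["failures"]:
            print(f"{sid}: launch completed")
            continue
        print(f"{sid}: stopped before {info['first_missing']} (look in {info['look_in']})")
        for marker in info["failures"]:
            print(f"  {marker}: check {FAILURES[marker]}")
```

A session whose first missing stage is `agent_connected` reached the agent but the client never connected, which is where the slides point to the agent log and the PCoIP launch.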

Horizon
Common Issues

Troubleshooting Keys

• Check Admin Dashboard or HelpDesk Tool
• Understand client connection paths
• Set the appropriate Logging Level
• Check Logs and understand DCT Tool
• Use kb.vmware.com or communities

Horizon Helpdesk Tool

Horizon Helpdesk Tool Session Details

Access
• Installed by default on CS
• https://[CS FQDN]/helpdesk
• Launch from Horizon Console

Provides
• Metrics
• Send Message
• Remote Assistance
• Quick Resolution
  – Restart
  – Logoff
  – Reset
  – Disconnect

Horizon Helpdesk Tool
Measuring Impact of AppStacks

No AppStacks

Three AppStacks – VLC, Notepad++, 7-Zip

Identifying the Problem Domain

[Architecture diagram. Labels: Client(s); Identity Manager; HTML; Apps; SaaS, Mobile, Other Apps; Remoting Protocol; Pool; Profile; Service Apps; User Environment Manager; Persona; File Shares; ThinApp Shares; Streamed Apps; Master VM; Instant Clone; Home File Shares; Folder Redirection; App Volumes (AppStacks, Writable Volume, Disk Attachments); vSphere; Virtual SAN; Environment (AD, DNS, DHCP, Group Policy, Certs); vRealize Operations for Horizon – (Monitoring & Mgt)]

Horizon Connectivity Issues

• Common challenges
  – Horizon Client can't connect
  – Logon failure
  – Black screen
  – Poor quality display
  – Randomly disconnected session


Blast Extreme Adaptive Transport
ADMX Template Settings

Computer > Policies > Admin Templates > VMware Blast > UDP Protocol
• Requires restart of Blast service or reboot of guest OS to take effect

Blast Extreme Adaptive Transport

Client Settings | Agent Settings (UDP)      | Blast Desktop Connection | Broker Connection
Excellent       | Not configured or Enabled | TCP                      | TCP
Typical         | Not configured or Enabled | UDP                      | TCP
Poor            | Not configured or Enabled | UDP                      | UDP

Computer > Policies > Admin Templates > VMware Blast > UDP Protocol – Not Configured or Enabled
HKLM\SOFTWARE\Policies\VMware, Inc.\VMware Blast\Config – UdpEnabled = 1

Client Settings | Agent Settings (UDP) | Blast Desktop Connection | Broker Connection
Excellent       | Disabled             | TCP                      | TCP
Typical         | Disabled             | TCP                      | TCP
Poor            | Disabled             | TCP                      | UDP

Computer > Policies > Admin Templates > VMware Blast > UDP Protocol – Disabled
HKLM\SOFTWARE\Policies\VMware, Inc.\VMware Blast\Config – UdpEnabled = 0

Horizon Connectivity Issues

• Where to look
  – Connection Broker logs
    • C:\ProgramData\VMware\VDM\logs
  – Event Database
  – DCT Tool
• What to look for
  • (Client connects) [SimpleAJPService] (ajpbrokerRequest9) Request from 19216821 POST /broker/xml
  • (Broker authentication) [WinAuthFilter] (SESSION7072--a79c mattc) Attempting to authenticate user mattc in domain ‘FUTUREOFFICE’
  • (User has authenticated to Broker) [AuthorizationFilter] (SESSION7072--a79c) User FUTUREOFFICE\mattc has successfully authenticated to VDM
  • (Audit Entry) [Audit] (SESSION7072--a79c) BROKER_LOGON:USER:FUTUREOFFICE\mattc;USERSID:S-1-5-21-326850759-2560684469-1780228732-1113;USERDN:CN=S-1-5-21-326850759-2560684469-1780228732-1113,CN=ForeignSecurityPrincipals,DC=vdi,DC=vmware,DC=int
  • Event Database: BROKER_USERLOGGEDIN

User Experience Issues

• Black screen of death - instead of desktop
  – PCoIP port blocked (TCP and UDP 4172) or SVGA Driver issue
  – pcoip_server/client logs - C:\Users\All Users\VMware\VDM\logs
    • Error attaching to SVGADevTap error 4000 EscapeFailed
    • MGMT_SCHAN scnet_client_open tera_sock_connect returned error 10060 - Connection timed out
  – Incorrect PCoIP External URL configured for Security/Connection Servers


Page 24: ADV1592BU Troubleshooting Your Horizon 7 Deployment … · Troubleshooting Your Horizon 7 Deployment VMworld 2017 ... (SCCM Toolkit) Horizon ... Troubleshooting Horizon

Troubleshooting Keys

bull Check Admin Dashboard or HelpDesk Tool

bull Understand client connection paths

bull Set the appropriate Logging Level

bull Check Logs and understand DCT Tool

bull Use kbvmwarecom or communities

ADV1592BU CONFIDENTIAL 24

Horizon

VMworld 2017 Content Not fo

r publication or distri

bution

Horizon Helpdesk ToolHorizon

ADV1592BU CONFIDENTIAL 25

VMworld 2017 Content Not fo

r publication or distri

bution

Horizon Helpdesk Tool Session Details

Access

bull Installed by default on CS

bull https[CS FQDN]helpdesk

bull Launch from Horizon Console

Provides

bull Metrics

bull Send Message

bull Remote Assistance

bull Quick Resolutionndash Restart

ndash Logoff

ndash Reset

ndash Disconnect

Horizon

ADV1592BU CONFIDENTIAL 26

VMworld 2017 Content Not fo

r publication or distri

bution

Horizon Helpdesk Tool

ADV1592BU CONFIDENTIAL 27

Measuring Impact of AppStacks

No AppStacks

Three AppStacks ndash VLC Notepad++ 7-Zip

Horizon

VMworld 2017 Content Not fo

r publication or distri

bution

Pool

Profile

Service AppsUser

Remoting

ProtocolUser Environment

Manager

File SharesPersona

ThinApp SharesStreamed

Apps

Master VMInstant

Clone

Home File SharesFolder

Redirection

App Volumes

AppStacks

Writable Volume

Disk

Attachments

vSphere

Virtual SAN

Instant Clone

SaaS Mobile Other Apps

Client(s)

Identity Manager

HTML

APPS

En

viro

nm

en

t

AD

DNS

DHCP

Group

Policy

Certs

vRealize Operations for Horizon ndash (Monitoring amp Mgt)

Identifying the Problem Domain

VMworld 2017 Content Not fo

r publication or distri

bution

Horizon Connectivity Issues

bull Common challenges

ndash Horizon Client canrsquot connect

ndash Logon failure

ndash Black screen

ndash Poor quality display

ndash Randomly disconnected session

Horizon

ADV1592BU CONFIDENTIAL 29

VMworld 2017 Content Not fo

r publication or distri

bution

Horizon

VMworld 2017 Content Not fo

r publication or distri

bution

Blast Extreme Adaptive TransportADMX Template Settings

Computer gt Policies gt Admin Templates gt VMware Blast gt UDP Protocol

bull Requires restart of Blast service or reboot of guest OS to take effect

BlastExtreme

ADV1592BU CONFIDENTIAL 31

VMworld 2017 Content Not fo

r publication or distri

bution

Blast Extreme Adaptive Transport

Client Settings Agent Settings (UDP) Blast Desktop Connection Broker Connection

Excellent Not configured or Enabled TCP TCP

Typical Not configured or Enabled UDP TCP

Poor Not configured or Enabled UDP UDP

Computer gt Policies gt Admin Templates gt VMware Blast gt UDP Protocol ndash Not Configured or Enabled

HKLMSOFTWAREPoliciesVMware IncVMware BlastConfig ndash UdpEnabled = 1

Client Settings Agent Settings (UDP) Blast Desktop Connection Broker Connection

Excellent Disabled TCP TCP

Typical Disabled TCP TCP

Poor Disabled TCP UDP

Computer gt Policies gt Admin Templates gt VMware Blast gt UDP Protocol ndash Disabled

HKLMSOFTWAREPoliciesVMware IncVMware BlastConfig ndash UdpEnabled = 0

BlastExtreme

ADV1592BU CONFIDENTIAL 32

VMworld 2017 Content Not fo

r publication or distri

bution

Horizon Connectivity Issues

• Where to look
  – Connection Broker logs
    • C:\ProgramData\VMware\VDM\logs
  – Event Database
  – DCT Tool
• What to look for
  • (Client connects) [SimpleAJPService] (ajpbrokerRequest9) Request from 19216821 POST brokerxml
  • (Broker authentication) [WinAuthFilter] (SESSION7072--a79c mattc) Attempting to authenticate user mattc in domain FUTUREOFFICE’
  • (User has authenticated to Broker) [AuthorizationFilter] (SESSION7072--a79c) User FUTUREOFFICEmattc has successfully authenticated to VDM
  • (Audit Entry) [Audit] (SESSION7072--a79c) BROKER_LOGONUSERFUTUREOFFICEmattcUSERSIDS-1-5-21-326850759-2560684469-1780228732-1113USERDNCN=S-1-5-21-326850759-2560684469-1780228732-1113CN=ForeignSecurityPrincipalsDC=vdiDC=vmwareDC=int
  • Event Database: BROKER_USERLOGGEDIN

User Experience Issues

• Black screen of death – instead of desktop
  – PCoIP port blocked (TCP and UDP 4172) or SVGA driver issue
  – pcoip_server/client logs - C:\Users\All Users\VMware\VDM\logs
    • Error attaching to SVGADevTap error 4000 EscapeFailed
    • MGMT_SCHAN scnet_client_open tera_sock_connect returned error 10060 - Connection timed out
  – Incorrect PCoIP External URL configured for Security/Connection Servers

User Experience Issues

• Poor quality display
  – Bandwidth, latency, or QoS
  – pcoip_server logs report
    • VGMAC Stat frms Loss=045021 (RT)
    • MGMT_PCOIP_DATA BW Decrease (loss) old = 2349982 new = 1768438
• Randomly disconnected session
  – 15 min after established - wssm process hasn’t started on desktop
  – View Agent logs (<DriveLetter>:\ProgramData\VMware\VDM\logs)
  – PENDING_EXPIRED
  – Sometimes caused by daisy-chaining the GINA (WinXP)

Multi-VLAN support for Instant Clone pools: Tips to Avoid Deployment Issues

Support
• vSphere 2016
• ESXi 6.0 U1 or newer
• Virtual Distributed Switch only
  – No support for Standard Switch
• Port Group must be configured for Static Port Binding & Fixed Port Allocation
  – No support for Dynamic or Ephemeral

Tested Limits
• No multi-VLAN provisioning with IPv6
• Single IC pool of 2K VMs

Multi-VLAN with Horizon Instant Clones: Troubleshooting

Desktop Performance

• Common Issues
  – Storage I/O bottleneck
  – Memory contention
  – CPU contention
  – Network issues
• Where to look
  – vCenter Server
  – VCOPs
  – ESXTOP
  – 3rd Party Tools

The 3 Pillars of Performance

What to look for
• CPU
  – Cluster/Host utilization < 90%
  – VM utilization - %USED (ESXTOP)
  – VM %RDY Time (ESXTOP) < 10%
• Memory
  – Host utilization < 85%
  – VM utilization
  – Swapping, ballooning: SWCUR > 1, MCTLSZ > 1 (ESXTOP)
• Storage
  – Disk Read Latency < 25ms
  – ESXTOP DAVG or KAVG < 25ms (ESXTOP)

Optimize Your Images

• https://labs.vmware.com/flings/vmware-os-optimization-tool

User Environment Manager: Common Issues

FlexEngine Appears Not To Run

FlexEngine Client
• Requires use of Regedit.exe or Reg.exe to modify user-based registry keys
• Must not be disabled via Local or Group Policy

ADMX Settings
• Minimum settings to enable FlexEngine Client
• Check path

Path-Based Import Runs Slow

• Be careful not to run FlexEngine as a logon script and a Group Policy client-side extension

Application Incompatibility with Hook Drivers

DirectFlex Blacklist
• Create <FlexRepository>\DirectFlex\BlackList.XML
• Populate as follows

    <?xml version="1.0" encoding="utf-8"?>
    <userEnvironmentSettings>
        <setting type="blacklist" list="1.exe|2.exe|3.exe" />
    </userEnvironmentSettings>

• Example: https://kb.vmware.com/kb/2145287

App Volumes: Common Issues

Slow User Logon

• Check Logon Segments in Horizon to determine where the delay is
• Optimize clock.yml
  – If performance decreases as deployment scales
  – Increasing servers, workers, and thread_pool requires additional CPU and RAM
  – Involve GSS to ensure optimal settings

AppStack Not Attaching at Logon

• One host in vSphere cluster does not have access to the shared datastore where the AppStack resides
  – Common oversight, especially with Storage Groups
• Conflicting Minifilter driver
  – DLP software
  – Be aware of app altitude
  – More info from Microsoft
    • http://bit.ly/2tSCdG5

ADSI Edit – Static Configuration Editing

ADSI Edit – Common Key Values to Inspect

• pae-DisplayName
  – VM name as displayed in View Admin
• pae-DirtyForNewSessions
  – Indicates whether the VM is “Dirty” and can be re-used in a non-persistent pool
• pae-SVIVMSnapshot
  – Indicates the current Snapshot that is in use
• pae-VmPath
  – Indicates the full Path to the VM in vCenter
• pae-VmState
  – Indicates the current state of the Desktop – some states are a combination of this value and other values

ADSI Edit – Searching for a Desktop

• Find VMs with a Snapshot
  – (&(objectClass=pae-VM)(pae-SVIVmSnapshot=BaselineSnapshot1Snapshot2))
• Find VMs with a Name
  – (&(objectClass=pae-VM)(pae-DisplayName=Desktop-234))

Horizon View Event Notifier

• On the VMware Fling site - labs.vmware.com/flings (chrishalstead)

SSL Certificates and vCenter Server Connection

Accept vCenter Certificate
• By default, certificate validation is required between App Volumes Manager and vSphere
• Accept vCenter cert (self-signed or CA-signed) while creating the Machine Manager in App Volumes Manager
• No custom certificate work required

Certificate Options for Production

Options to Enable SSL
• SSL is enabled by default
• Don’t disable certificate validation during Agent installation
• Enable SSL in the registry after App Volumes Agent install

Enable Certificate Validation on the App Volumes Agent
HKLM\System\CurrentControlSet\Services\svservices\Parameters
• EnforceSSLCertificateValidation = 1
• SSL = 1

Certificate Options for a POC

Options to Disable SSL
• Disable Certificate Validation with App Volumes Manager during App Volumes Agent install
• EnforceSSLCertificateValidation in the registry after App Volumes Agent install

Disable SSL Certificate Validation on the Agent
HKLM\System\CurrentControlSet\Services\svservices\Parameters
• EnforceSSLCertificateValidation = 0
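
A POC agent image that keeps EnforceSSLCertificateValidation = 0 is easy to carry into production unnoticed. The following audit script is an added example, not part of the presentation or VMware's tooling; the key path and value names are used as transcribed from the two slides above, and the function name, finding labels and -KeyPath parameter are assumptions of this sketch.

```powershell
# Added example: report whether App Volumes Agents enforce certificate validation.
# Key path and value names are as transcribed from the slides; pass -KeyPath if
# the agent's service key is named differently on your build.
function Test-AppVolumesAgentTls {
    [CmdletBinding()]
    param(
        [string[]]$ComputerName = @($env:COMPUTERNAME),
        [string]$KeyPath = 'HKLM:\System\CurrentControlSet\Services\svservices\Parameters'
    )

    # Runs on the target machine: read both values, leaving $null when absent.
    $probe = {
        param([string]$Path)
        $state = [ordered]@{
            KeyPresent                      = Test-Path -LiteralPath $Path
            EnforceSSLCertificateValidation = $null
            SSL                             = $null
        }
        if ($state.KeyPresent) {
            $props = Get-ItemProperty -LiteralPath $Path
            foreach ($name in 'EnforceSSLCertificateValidation', 'SSL') {
                if ($props.PSObject.Properties.Name -contains $name) {
                    $state[$name] = [int]$props.$name
                }
            }
        }
        [pscustomobject]$state
    }

    foreach ($computer in $ComputerName) {
        try {
            $state = if ($computer -eq $env:COMPUTERNAME) {
                & $probe $KeyPath
            } else {
                Invoke-Command -ComputerName $computer -ScriptBlock $probe `
                    -ArgumentList $KeyPath -ErrorAction Stop
            }
        } catch {
            [pscustomobject]@{
                Computer = $computer; Finding = 'Unreachable'
                EnforceSSLCertificateValidation = $null; SSL = $null
                Detail = $_.Exception.Message
            }
            continue
        }

        # Explicit 0 is the POC setting from the slide; a missing value means
        # the installer default applies and is reported separately.
        $finding = if (-not $state.KeyPresent) {
            'KeyNotFound'
        } elseif ($state.EnforceSSLCertificateValidation -eq 0) {
            'ValidationDisabled'
        } elseif ($state.SSL -eq 0) {
            'SslDisabled'
        } elseif ($null -eq $state.EnforceSSLCertificateValidation -or $null -eq $state.SSL) {
            'ValueNotSet'
        } else {
            'Enforced'
        }

        [pscustomobject]@{
            Computer = $computer; Finding = $finding
            EnforceSSLCertificateValidation = $state.EnforceSSLCertificateValidation
            SSL = $state.SSL
            Detail = $KeyPath
        }
    }
}

# Local check; pass -ComputerName with a list of agent VMs (requires PowerShell remoting).
Test-AppVolumesAgentTls | Format-Table Computer, Finding, EnforceSSLCertificateValidation, SSL -AutoSize
```

Run it against the parent VM before each image push so a ValidationDisabled result is caught before clones are provisioned.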

SSL Certificates and SQL Server Communication: Securing Communications Between App Volumes Manager and SQL Server

• 2.12 User Guide references MS Support
• Note the differences for a SQL Server clustered installation
• Encryption is configured on the SQL Server instance, so all databases on a shared SQL Server will be affected
• From the SQL Server, use SQL Server Configuration Manager to configure Force Encryption and specify the SQL certificate

SQL Server service account must have Read permissions to the Private Key of the SQL Server SSL certificate
  – Check SQL Server Configuration Manager > SQL Server Services > SQL Server (SQL) > Log On
  – Default is NT Service\MSSQL$SQL, which does not have the necessary permissions

SSL Certificates and SQL Server Communication

Setting Custom Private Key Permissions for SQL Service Account
• Start on the SQL Server
• MMC > Certificates

SSL Certificates and Load Balancers

Typical Deployment
  – SSL is terminated at load balancer
  – HTTP between LB and AV Manager
  – SSL between AV Agents and LB
  – If trusted CA-signed cert is used for LB, be sure all agents trust the CA

Alternative Deployment
  – To keep SSL between LB and AV Manager, signed AV Manager certificate(s) should be added to trust list of the LB

[Diagram labels: App Volumes Agent VMs; Load Balancer; App Volumes Manager VMs; SQL, View Infrastructure; Now Secured with SSL Certificates]

Desktop Not Available

What to look for… (walk through successful connection)

• Client requests desktop
  – Event Database: BROKER_DESKTOP_REQUEST
• Broker allocates session to user
  – [FarmImp] (SESSION7072--a79c) cn=3f974017-409f-4912-83bc-2ee794f22fabou=serversdc=vdidc=vmwaredc=int total session count 0
  – [FarmImp] (SESSION7072--a79c) allocateNewSession - identified server for application CN=GOLD-NPOU=ApplicationsDC=vdiDC=vmwareDC=int
  – Event Database: BROKER_MACHINE_ALLOCATED
• Broker attempts SSO
  – [FarmImp] (SESSION7072--a79c) Using domain for SSO FUTUREOFFICE
  – User won’t be logged on to the VM without this

Desktop Not Available

What to look for… Pool Provisioning

• Desktops not available due to provisioning error
  – Check View Administrator for Pool status, check datastore capacity
  – Check Event Database - BROKER_PROVISIONING_ERROR_
  – Check View Composer has network access to ESX hosts
• Desktop not available due to customization
  – Check Desktop status – AGENT UNAVAILABLE
  – Check View Dashboard
    • Desktop Status > Preparing Desktops OR Problem Desktops
  – Check Desktop connectivity to DNS/AD/Connection Server

Desktop Not Available

• Desktop not available due to VM reset/crash
  – Check Desktop status – ALREADY USED
  – Typical on refresh-on-logoff or delete-on-use desktops
  – Broker never received an explicit logout message from the agent
  – Missing AGENT_ENDED event in DB for VM
• View Composer issues associated with incorrect domain credentials
  • C:\ProgramData\VMware\View Composer\Logs
  • FATAL CSvmGaService - [svmGaServicecpp 116] Domain join failed Error 5 (0x5) Access is denied

Desktop Not Available

What to look for…

• Broker starts session on VM
  – [DesktopSessionImp] (SESSION7072--a79c) startSession – sending StartSession message
• Agent responds…
  – “DesktopManager got a StartSession message”
  – Client Info should be in Agent Log along with PCoIP launch
• Event Database: AGENT_PENDING
• Client connects to VM (Agent)
  – “PCoIPCnxOnConnectionComplete Begin (PCOIP)”
  – “WTS_SESSION_LOGON”
  – Event Database: AGENT_CONNECTED
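
The Event Database types named in the walk-through slides (BROKER_USERLOGGEDIN, BROKER_DESKTOP_REQUEST, BROKER_MACHINE_ALLOCATED, AGENT_PENDING, AGENT_CONNECTED) form an ordered chain, so the first missing type shows which stage to investigate. The script below is an added example, not code from the presentation; the CSV column names (Time, EventType, User), the sample rows and the function name are constructed for illustration and do not reflect the real Event Database schema.

```powershell
# Added example: find the stage at which each user's session stopped progressing.
# Stage order is taken from the walk-through slides.
$ExpectedStages = @(
    'BROKER_USERLOGGEDIN',
    'BROKER_DESKTOP_REQUEST',
    'BROKER_MACHINE_ALLOCATED',
    'AGENT_PENDING',
    'AGENT_CONNECTED'
)

# Constructed sample export; column names are assumptions of this example.
$SampleEvents = @'
Time,EventType,User
2017-08-28T09:00:01,BROKER_USERLOGGEDIN,FUTUREOFFICE\mattc
2017-08-28T09:00:03,BROKER_DESKTOP_REQUEST,FUTUREOFFICE\mattc
2017-08-28T09:00:04,BROKER_MACHINE_ALLOCATED,FUTUREOFFICE\mattc
2017-08-28T09:00:06,AGENT_PENDING,FUTUREOFFICE\mattc
2017-08-28T09:00:11,AGENT_CONNECTED,FUTUREOFFICE\mattc
2017-08-28T09:05:00,BROKER_USERLOGGEDIN,VMWEUC\bsimpson
2017-08-28T09:05:02,BROKER_DESKTOP_REQUEST,VMWEUC\bsimpson
'@ | ConvertFrom-Csv

function Get-SessionStall {
    param(
        [Parameter(Mandatory)][object[]]$Events,
        [string[]]$Stages = $ExpectedStages
    )

    foreach ($group in ($Events | Group-Object -Property User)) {
        # Walk the user's events in time order and advance only when the next
        # expected stage appears; unrelated event types are ignored.
        $ordered = $group.Group | Sort-Object -Property { [datetime]$_.Time }
        $next = 0
        $lastTime = $null
        foreach ($evt in $ordered) {
            if ($next -lt $Stages.Count -and $evt.EventType -eq $Stages[$next]) {
                $next++
                $lastTime = $evt.Time
            }
        }

        [pscustomobject]@{
            User         = $group.Name
            Completed    = ($next -eq $Stages.Count)
            LastStage    = if ($next -gt 0) { $Stages[$next - 1] } else { '(none)' }
            LastStageAt  = $lastTime
            MissingStage = if ($next -lt $Stages.Count) { $Stages[$next] } else { $null }
        }
    }
}

# mattc completes all five stages; bsimpson stops before BROKER_MACHINE_ALLOCATED.
Get-SessionStall -Events $SampleEvents | Format-Table -AutoSize
```

A session that stops before BROKER_MACHINE_ALLOCATED points at the pool and provisioning checks, while one that reaches AGENT_PENDING but not AGENT_CONNECTED points at the agent and display-protocol checks listed on the earlier slides.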

Desktop Source Not Available

Common Issues
• No Desktop Available
• Pool provisioning issues – customization
• Agent not communicating with broker
• Stuck at desktop login screen (SSO)

Desktop Source Not Available

Where to look
• Event Database
• Connection Server logs

What to look for

[SessionLaunchContext] (SESSION40a7__6cbd) VMWEUCbsimpson Desktop=vmworld Session request failed

(SESSION40a7__6cbd) [VMWEUCbsimpson Desktop=vmworld] (5ms) The following servers were blocked for new sessions [cn=5162cf76-8d8a-4ac0-9185-845a540d24e5ou=serversdc=vdidc=vmwaredc=int]

(SESSION40a7__6cbd) [VMWEUCbsimpson Desktop=vmworld] (5ms) Application launch failed exception was The desktop sources for this desktop are not responding Please try again later

Page 25: ADV1592BU Troubleshooting Your Horizon 7 Deployment … · Troubleshooting Your Horizon 7 Deployment VMworld 2017 ... (SCCM Toolkit) Horizon ... Troubleshooting Horizon

Horizon Helpdesk Tool

Horizon Helpdesk Tool: Session Details

Access
• Installed by default on CS
• https://[CS FQDN]/helpdesk
• Launch from Horizon Console

Provides
• Metrics
• Send Message
• Remote Assistance
• Quick Resolution
  – Restart
  – Logoff
  – Reset
  – Disconnect

Horizon Helpdesk Tool

Measuring Impact of AppStacks
• No AppStacks
• Three AppStacks – VLC, Notepad++, 7-Zip

Identifying the Problem Domain

[Diagram labels: Client(s); Identity Manager (SaaS, Mobile, Other Apps, HTML apps); Remoting Protocol; Pool (Master VM, Instant Clone); Profile (User Environment Manager, Persona, Folder Redirection, File Shares); User Apps (ThinApp Shares, Streamed Apps); Service Apps (App Volumes AppStacks, Writable Volume, Disk Attachments); vSphere, Virtual SAN, Instant Clone; Environment (AD, DNS, DHCP, Group Policy, Certs); vRealize Operations for Horizon – (Monitoring & Mgt)]

Horizon Connectivity Issues

• Common challenges
  – Horizon Client can’t connect
  – Logon failure
  – Black screen
  – Poor quality display
  – Randomly disconnected session


Page 26: ADV1592BU Troubleshooting Your Horizon 7 Deployment … · Troubleshooting Your Horizon 7 Deployment VMworld 2017 ... (SCCM Toolkit) Horizon ... Troubleshooting Horizon

Horizon Helpdesk Tool Session Details

Access

bull Installed by default on CS

bull https[CS FQDN]helpdesk

bull Launch from Horizon Console

Provides

bull Metrics

bull Send Message

bull Remote Assistance

bull Quick Resolutionndash Restart

ndash Logoff

ndash Reset

ndash Disconnect

Horizon

ADV1592BU CONFIDENTIAL 26

VMworld 2017 Content Not fo

r publication or distri

bution

Horizon Helpdesk Tool

ADV1592BU CONFIDENTIAL 27

Measuring Impact of AppStacks

No AppStacks

Three AppStacks ndash VLC Notepad++ 7-Zip

Horizon

VMworld 2017 Content Not fo

r publication or distri

bution

Pool

Profile

Service AppsUser

Remoting

ProtocolUser Environment

Manager

File SharesPersona

ThinApp SharesStreamed

Apps

Master VMInstant

Clone

Home File SharesFolder

Redirection

App Volumes

AppStacks

Writable Volume

Disk

Attachments

vSphere

Virtual SAN

Instant Clone

SaaS Mobile Other Apps

Client(s)

Identity Manager

HTML

APPS

En

viro

nm

en

t

AD

DNS

DHCP

Group

Policy

Certs

vRealize Operations for Horizon ndash (Monitoring amp Mgt)

Identifying the Problem Domain

VMworld 2017 Content Not fo

r publication or distri

bution

Horizon Connectivity Issues

bull Common challenges

ndash Horizon Client canrsquot connect

ndash Logon failure

ndash Black screen

ndash Poor quality display

ndash Randomly disconnected session

Horizon

ADV1592BU CONFIDENTIAL 29

VMworld 2017 Content Not fo

r publication or distri

bution

Horizon

VMworld 2017 Content Not fo

r publication or distri

bution

Blast Extreme Adaptive Transport: ADMX Template Settings

Computer > Policies > Admin Templates > VMware Blast > UDP Protocol
• Requires restart of Blast service or reboot of guest OS to take effect

Blast Extreme Adaptive Transport

| Client Settings | Agent Settings (UDP) | Blast Desktop Connection | Broker Connection |
|---|---|---|---|
| Excellent | Not configured or Enabled | TCP | TCP |
| Typical | Not configured or Enabled | UDP | TCP |
| Poor | Not configured or Enabled | UDP | UDP |

Computer > Policies > Admin Templates > VMware Blast > UDP Protocol – Not Configured or Enabled
HKLM\SOFTWARE\Policies\VMware, Inc.\VMware Blast\Config – UdpEnabled = 1

| Client Settings | Agent Settings (UDP) | Blast Desktop Connection | Broker Connection |
|---|---|---|---|
| Excellent | Disabled | TCP | TCP |
| Typical | Disabled | TCP | TCP |
| Poor | Disabled | TCP | UDP |

Computer > Policies > Admin Templates > VMware Blast > UDP Protocol – Disabled
HKLM\SOFTWARE\Policies\VMware, Inc.\VMware Blast\Config – UdpEnabled = 0

Horizon Connectivity Issues
• Where to look
  – Connection Broker logs
    • C:\ProgramData\VMware\VDM\logs
  – Event Database
  – DCT Tool
• What to look for
  – (Client connects) [SimpleAJPService] (ajp:broker:Request9) Request from /192.168.2.1: POST /broker/xml
  – (Broker authentication) [WinAuthFilter] (SESSION7072--a79c mattc) Attempting to authenticate user 'mattc' in domain 'FUTUREOFFICE'
  – (User has authenticated to Broker) [AuthorizationFilter] (SESSION7072--a79c) User FUTUREOFFICE\mattc has successfully authenticated to VDM
  – (Audit Entry) [Audit] (SESSION7072--a79c) BROKER_LOGON:USER:FUTUREOFFICE\mattc;USERSID:S-1-5-21-326850759-2560684469-1780228732-1113;USERDN:CN=S-1-5-21-326850759-2560684469-1780228732-1113,CN=ForeignSecurityPrincipals,DC=vdi,DC=vmware,DC=int
  – Event Database: BROKER_USERLOGGEDIN
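The stages listed above can be checked mechanically by grouping Connection Server log lines per session token and flagging sessions that reach the [WinAuthFilter] attempt but never the [AuthorizationFilter] success. This is an added example, not code from the presentation; the timestamps, session tokens, the user jdoe and the exact line layout of the sample are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample. Component tags and message texts follow the slide;
# timestamps, session tokens, the user jdoe and the line layout are assumptions.
SAMPLE_LOG = r"""
2017-08-28T09:00:01 DEBUG [SimpleAJPService] (ajp:broker:Request9) Request from /192.168.2.1: POST /broker/xml
2017-08-28T09:00:02 DEBUG [WinAuthFilter] (SESSION:7072_a79c mattc) Attempting to authenticate user 'mattc' in domain 'FUTUREOFFICE'
2017-08-28T09:00:02 DEBUG [AuthorizationFilter] (SESSION:7072_a79c) User FUTUREOFFICE\mattc has successfully authenticated to VDM
2017-08-28T09:00:02 INFO [Audit] (SESSION:7072_a79c) BROKER_LOGON:USER:FUTUREOFFICE\mattc
2017-08-28T09:01:10 DEBUG [WinAuthFilter] (SESSION:11aa_22bb jdoe) Attempting to authenticate user 'jdoe' in domain 'FUTUREOFFICE'
2017-08-28T09:01:40 DEBUG [WinAuthFilter] (SESSION:33cc_44dd jdoe) Attempting to authenticate user 'jdoe' in domain 'FUTUREOFFICE'
"""

# "[Component] (context) message" anywhere in the line.
LINE_RE = re.compile(r"\[(?P<component>\w+)\]\s+\((?P<ctx>[^)]*)\)\s+(?P<msg>.*)$")
AUTH_RE = re.compile(
    r"Attempting to authenticate user '?([^'\s]+)'? in domain '?([^'\s]+)'?"
)


def trace_sessions(log_text):
    """Return {session_token: {"user": DOMAIN\\user or None, "stages": [...]}}."""
    sessions = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or not m["ctx"].startswith("SESSION"):
            continue  # not tied to a broker session (e.g. the AJP request line)
        token = m["ctx"].split()[0].rstrip(";")
        rec = sessions.setdefault(token, {"user": None, "stages": []})
        component, msg = m["component"], m["msg"]
        if component == "WinAuthFilter":
            auth = AUTH_RE.search(msg)
            if auth:
                rec["user"] = f"{auth[2]}\\{auth[1]}"
                rec["stages"].append("auth_attempt")
        elif component == "AuthorizationFilter" and "successfully authenticated" in msg:
            rec["stages"].append("auth_ok")
        elif component == "Audit" and "BROKER_LOGON" in msg:
            rec["stages"].append("audit_logon")
    return sessions


def incomplete_logons(log_text):
    """Sessions with an authentication attempt but no recorded success.

    A missing success line can also mean the log rolled over mid-session,
    so treat each hit as a lead to confirm in the Event Database.
    """
    return [
        (token, rec["user"])
        for token, rec in trace_sessions(log_text).items()
        if "auth_attempt" in rec["stages"] and "auth_ok" not in rec["stages"]
    ]


def unresolved_attempts_by_user(log_text):
    """Count incomplete logons per account to surface repeated failures."""
    return dict(Counter(user for _, user in incomplete_logons(log_text)))


if __name__ == "__main__":
    for token, user in incomplete_logons(SAMPLE_LOG):
        print(f"{token}: {user} attempted logon, no success recorded")
    print(unresolved_attempts_by_user(SAMPLE_LOG))
```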


User Experience Issues
• Black screen of death instead of desktop
  – PCoIP port blocked (TCP and UDP 4172) or SVGA Driver issue
  – pcoip_server/client logs - C:\Users\All Users\VMware\VDM\logs
    • Error attaching to SVGADevTap, error 4000: EscapeFailed
    • MGMT_SCHAN: scnet_client_open: tera_sock_connect returned error 10060 - Connection timed out
  – Incorrect PCoIP External URL configured for Security/Connection Servers

User Experience Issues
• Poor quality display
  – Bandwidth, latency or QoS
  – pcoip_server logs report
    • VGMAC Stat frms Loss=0.45%/0.21% (R/T)
    • MGMT_PCOIP_DATA BW Decrease (loss) old = 2349982 new = 1768438
• Randomly disconnected session
  – 15 min after established - wssm process hasn't started on desktop
  – View Agent logs (<DriveLetter>:\ProgramData\VMware\VDM\logs)
  – PENDING_EXPIRED
  – Sometimes caused by daisy-chaining the GINA (WinXP)

Multi-VLAN support for Instant Clone pools: Tips to Avoid Deployment Issues

Support
• vSphere 2016
• ESXi 6.0 U1 or newer
• Virtual Distributed Switch only
  – No support for Standard Switch
• Port Group must be configured for Static Port Binding & Fixed Port Allocation
  – No support for Dynamic or Ephemeral

Tested Limits
• No multi-VLAN provisioning with IPv6
• Single IC pool of 2K VMs

Multi-VLAN with Horizon Instant Clones: Troubleshooting

Desktop Performance
• Common Issues
  – Storage I/O bottleneck
  – Memory contention
  – CPU contention
  – Network issues
• Where to look
  – vCenter Server
  – VCOPs
  – ESXTOP
  – 3rd Party Tools

The 3 Pillars of Performance

What to look for
• CPU
  – Cluster/Host utilization < 90%
  – VM utilization - USED (ESXTOP)
  – VM RDY Time (ESXTOP) < 10%
• Memory
  – Host utilization < 85%
  – VM utilization
  – Swapping, Ballooning: SWCUR > 1, MCTLSZ > 1 (ESXTOP)
• Storage
  – Disk Read Latency < 25ms
  – ESXTOP DAVG or KAVG < 25ms (ESXTOP)

Optimize Your Images
• https://labs.vmware.com/flings/vmware-os-optimization-tool

User Environment Manager: Common Issues

FlexEngine Appears Not To Run

FlexEngine Client
• Requires use of Regedit.exe or Reg.exe to modify user-based registry keys
• Must not be disabled via Local or Group Policy

ADMX Settings
• Minimum settings to enable FlexEngine Client
• Check path

Path-Based Import Runs Slow
• Be careful not to run FlexEngine as a logon script and a Group Policy client-side extension

Application Incompatibility with Hook Drivers

DirectFlex Blacklist
• Create <FlexRepository>DirectFlexBlackListXML
• Populate as follows

  <?xml version="1.0" encoding="utf-8"?>
  <userEnvironmentSettings>
    <setting type="blacklist" list="1.exe|2.exe|3.exe" />
  </userEnvironmentSettings>

• Example: https://kb.vmware.com/kb/2145287

App Volumes: Common Issues

Slow User Logon
• Check Logon Segments in Horizon to determine where the delay is
• Optimize clock.yml
  – If performance decreases as deployment scales
  – Increasing servers, workers, and thread_pool requires additional CPU and RAM
  – Involve GSS to ensure optimal settings

AppStack Not Attaching at Logon
• One host in vSphere cluster does not have access to the shared datastore where the AppStack resides
  – Common oversight, especially with Storage Groups
• Conflicting Minifilter driver
  – DLP software
  – Be aware of app altitude
  – More info from Microsoft
    • http://bit.ly/2tSCdG5

ADSI Edit – Static Configuration Editing

ADSI Edit – Common Key Values to Inspect
• pae-DisplayName
  – VM name as displayed in View Admin
• pae-DirtyForNewSessions
  – Indicates whether the VM is “Dirty” and can be re-used in a non-persistent pool
• pae-SVIVMSnapshot
  – Indicates the current Snapshot that is in use
• pae-VmPath
  – Indicates the full Path to the VM in vCenter
• pae-VmState
  – Indicates the current state of the Desktop – some states are a combination of this value and other values

ADSI Edit – Searching for a Desktop
• Find VMs with a Snapshot
  – (&(objectClass=pae-VM)(pae-SVIVmSnapshot=BaselineSnapshot1Snapshot2))
• Find VMs with a Name
  – (&(objectClass=pae-VM)(pae-DisplayName=Desktop-234))

Horizon View Event Notifier
• On the VMware Fling site - labs.vmware.com/flings (chrishalstead)

SSL Certificates and vCenter Server Connection

Accept vCenter Certificate
• By default, certificate validation is required between App Volumes Manager and vSphere
• Accept vCenter cert (self-signed or CA-signed) while creating the Machine Manager in App Volumes Manager
• No custom certificate work required

Certificate Options for Production

Options to Enable SSL
• SSL is enabled by default
• Don't disable certificate validation during Agent installation
• Enable SSL in the registry after App Volumes Agent install

Enable Certificate Validation on the App Volumes Agent
HKLM\System\CurrentControlSet\Services\svservices\Parameters
• EnforceSSLCertificateValidation = 1
• SSL = 1

Certificate Options for a POC
• Options to Disable SSL
  – Disable Certificate Validation with App Volumes Manager during App Volumes Agent install
  – EnforceSSLCertificateValidation in the registry after App Volumes Agent install

Disable SSL Certificate Validation on the Agent
HKLM\System\CurrentControlSet\Services\svservices\Parameters
• EnforceSSLCertificateValidation = 0
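Because the POC option is a single registry value, it can easily carry over into a production image. The following added example (not from the presentation or from VMware) audits `reg query` output collected from agent desktops against the production values given above; the host names and sample output are constructed, the key path is written as it appears on the slide, and treating a missing EnforceSSLCertificateValidation value as "needs review" is an assumption.

```python
import re

# Key path as written on the slide; host names and output below are constructed.
KEY = r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\svservices\Parameters"
COLLECTED = {
    "vdi-prod-01": KEY + "\n"
    "    EnforceSSLCertificateValidation    REG_DWORD    0x1\n"
    "    SSL    REG_DWORD    0x1\n",
    "vdi-poc-07": KEY + "\n"
    "    EnforceSSLCertificateValidation    REG_DWORD    0x0\n"
    "    SSL    REG_DWORD    0x1\n",
    "vdi-old-03": KEY + "\n"
    "    SSL    REG_DWORD    0x0\n",
}

# Value lines in `reg query` output are indented: name, type, data.
VALUE_RE = re.compile(r"^\s+(?P<name>\S+)\s+(?P<type>REG_\w+)\s+(?P<data>\S.*)$")


def parse_reg_query(text):
    """Parse `reg query` output into {value_name: int or str}."""
    values = {}
    for line in text.splitlines():
        m = VALUE_RE.match(line)
        if not m:
            continue  # key header or blank line
        data = m["data"].strip()
        values[m["name"]] = int(data, 16) if m["type"] == "REG_DWORD" else data
    return values


def audit_agent(values):
    """Compare one agent's values with the production settings on the slide."""
    findings = []
    # The slide states SSL is enabled by default, so only an explicit 0 is flagged.
    if values.get("SSL", 1) == 0:
        findings.append("SSL=0: SSL is disabled for this agent")
    enforce = values.get("EnforceSSLCertificateValidation")
    if enforce == 0:
        findings.append(
            "EnforceSSLCertificateValidation=0: POC setting, certificate not validated"
        )
    elif enforce is None:
        # Assumption: the default is not stated on the slide, so ask for review.
        findings.append(
            "EnforceSSLCertificateValidation not set: confirm the effective default"
        )
    return findings


def audit_fleet(collected):
    """Return {host: findings} for every host with at least one finding."""
    report = {}
    for host, output in collected.items():
        findings = audit_agent(parse_reg_query(output))
        if findings:
            report[host] = findings
    return report


if __name__ == "__main__":
    for host, findings in audit_fleet(COLLECTED).items():
        for finding in findings:
            print(f"{host}: {finding}")
```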


SSL Certificates and SQL Server Communication: Securing Communications Between App Volumes Manager and SQL Server
• 2.12 User Guide references MS Support
• Note the differences for a SQL Server clustered installation
• Encryption is configured on the SQL Server instance, so all databases on a shared SQL Server will be affected
• From the SQL Server, use SQL Server Configuration Manager to configure Force Encryption and specify the SQL certificate

SQL Server service account must have Read permissions to the Private Key of the SQL Server SSL certificate
  – Check SQL Server Configuration Manager > SQL Server Services > SQL Server (SQL) > Log On
  – Default is NT Service\MSSQL$SQL, which does not have the necessary permissions

SSL Certificates and SQL Server Communication

Setting Custom Private Key Permissions for SQL Service Account
• Start on the SQL Server
• MMC > Certificates

SSL Certificates and Load Balancers

Typical Deployment
  – SSL is terminated at load balancer
  – HTTP between LB and AV Manager
  – SSL between AV Agents and LB
  – If trusted CA-signed cert is used for LB, be sure all agents trust the CA

Alternative Deployment
  – To keep SSL between LB and AV Manager, signed AV Manager certificate(s) should be added to trust list of the LB

[Diagram labels: App Volumes Agent VMs; Load Balancer; App Volumes Manager VMs; SQL, View Infrastructure; "Now Secured with SSL Certificates"]

Desktop Not Available

What to look for… (walk through successful connection)
• Client requests desktop
  – Event Database: BROKER_DESKTOP_REQUEST
• Broker allocates session to user
  – [FarmImp] (SESSION7072--a79c) cn=3f974017-409f-4912-83bc-2ee794f22fab,ou=servers,dc=vdi,dc=vmware,dc=int total session count 0
  – [FarmImp] (SESSION7072--a79c) allocateNewSession - identified server for application CN=GOLD-NP,OU=Applications,DC=vdi,DC=vmware,DC=int
  – Event Database: BROKER_MACHINE_ALLOCATED
• Broker attempts SSO
  – [FarmImp] (SESSION7072--a79c) Using domain for SSO: FUTUREOFFICE
  – User won't be logged on to the VM without this

Desktop Not Available

What to look for… Pool Provisioning
• Desktops not available due to provisioning error
  – Check View Administrator for Pool status, check datastore capacity
  – Check Event Database - BROKER_PROVISIONING_ERROR_
  – Check View Composer has network access to ESX hosts
• Desktop not available due to customization
  – Check Desktop status – AGENT UNAVAILABLE
  – Check View Dashboard
    • Desktop Status > Preparing Desktops OR Problem Desktops
  – Check Desktop connectivity to DNS/AD/Connection Server

Desktop Not Available
• Desktop not available due to VM reset/crash
  – Check Desktop status – ALREADY USED
  – Typical on refresh-on-logoff or delete-on-use desktops
  – Broker never received an explicit logout message from the agent
  – Missing AGENT_ENDED event in DB for VM
• View Composer issues associated with incorrect domain credentials
  – C:\ProgramData\VMware\View Composer\Logs
  – FATAL CSvmGaService - [svmGaService.cpp, 116] Domain join failed. Error 5 (0x5): Access is denied

Desktop Not Available

What to look for…
• Broker starts session on VM
  – [DesktopSessionImp] (SESSION7072--a79c) startSession – sending StartSession message
• Agent responds…
  – “DesktopManager got a StartSession message”
  – Client Info should be in Agent Log along with PCoIP launch
• Event Database: AGENT_PENDING
• Client connects to VM (Agent)
  – “PCoIPCnxOnConnectionComplete Begin (PCOIP)”
  – “WTS_SESSION_LOGON”
  – Event Database: AGENT_CONNECTED

Desktop Source Not Available

Common Issues
• No Desktop Available
• Pool provisioning issues – customization
• Agent not communicating with broker
• Stuck at desktop login screen (SSO)

Desktop Source Not Available

Where to look
• Event Database
• Connection Server logs

What to look for

[SessionLaunchContext] (SESSION40a7__6cbd) VMWEUC\bsimpson Desktop=vmworld Session request failed

(SESSION40a7__6cbd) [VMWEUC\bsimpson Desktop=vmworld] (5ms) The following servers were blocked for new sessions: [cn=5162cf76-8d8a-4ac0-9185-845a540d24e5,ou=servers,dc=vdi,dc=vmware,dc=int]

(SESSION40a7__6cbd) [VMWEUC\bsimpson Desktop=vmworld] (5ms) Application launch failed, exception was: The desktop sources for this desktop are not responding. Please try again later.


Page 28: ADV1592BU Troubleshooting Your Horizon 7 Deployment … · Troubleshooting Your Horizon 7 Deployment VMworld 2017 ... (SCCM Toolkit) Horizon ... Troubleshooting Horizon

Pool

Profile

Service AppsUser

Remoting

ProtocolUser Environment

Manager

File SharesPersona

ThinApp SharesStreamed

Apps

Master VMInstant

Clone

Home File SharesFolder

Redirection

App Volumes

AppStacks

Writable Volume

Disk

Attachments

vSphere

Virtual SAN

Instant Clone

SaaS Mobile Other Apps

Client(s)

Identity Manager

HTML

APPS

En

viro

nm

en

t

AD

DNS

DHCP

Group

Policy

Certs

vRealize Operations for Horizon ndash (Monitoring amp Mgt)

Identifying the Problem Domain

VMworld 2017 Content Not fo

r publication or distri

bution

Horizon Connectivity Issues

• Common challenges
  – Horizon Client can't connect
  – Logon failure
  – Black screen
  – Poor quality display
  – Randomly disconnected session

Blast Extreme Adaptive Transport: ADMX Template Settings

Computer > Policies > Admin Templates > VMware Blast > UDP Protocol

• Requires restart of Blast service or reboot of guest OS to take effect

Blast Extreme Adaptive Transport

Client Settings | Agent Settings (UDP) | Blast Desktop Connection | Broker Connection
Excellent | Not configured or Enabled | TCP | TCP
Typical | Not configured or Enabled | UDP | TCP
Poor | Not configured or Enabled | UDP | UDP

Computer > Policies > Admin Templates > VMware Blast > UDP Protocol – Not Configured or Enabled
HKLM\SOFTWARE\Policies\VMware, Inc.\VMware Blast\Config – UdpEnabled = 1

Client Settings | Agent Settings (UDP) | Blast Desktop Connection | Broker Connection
Excellent | Disabled | TCP | TCP
Typical | Disabled | TCP | TCP
Poor | Disabled | TCP | UDP

Computer > Policies > Admin Templates > VMware Blast > UDP Protocol – Disabled
HKLM\SOFTWARE\Policies\VMware, Inc.\VMware Blast\Config – UdpEnabled = 0

Horizon Connectivity Issues

• Where to look
  – Connection Broker logs
    • C:\ProgramData\VMware\VDM\logs
  – Event Database
  – DCT Tool
• What to look for
  • (Client connects) [SimpleAJPService] (ajpbrokerRequest9) Request from 19216821 POST brokerxml
  • (Broker authentication) [WinAuthFilter] (SESSION7072--a79c mattc) Attempting to authenticate user mattc in domain 'FUTUREOFFICE'
  • (User has authenticated to Broker) [AuthorizationFilter] (SESSION7072--a79c) User FUTUREOFFICE\mattc has successfully authenticated to VDM
  • (Audit Entry) [Audit] (SESSION7072--a79c) BROKER_LOGON:USER:FUTUREOFFICE\mattc;USERSID:S-1-5-21-326850759-2560684469-1780228732-1113;USERDN:CN=S-1-5-21-326850759-2560684469-1780228732-1113,CN=ForeignSecurityPrincipals,DC=vdi,DC=vmware,DC=int
  • Event Database: BROKER_USERLOGGEDIN

User Experience Issues

• Black screen of death—instead of desktop
  – PCoIP port blocked (TCP and UDP 4172) or SVGA driver issue
  – pcoip_server/client logs - C:\Users\All Users\VMware\VDM\logs
    • Error attaching to SVGADevTap error 4000 EscapeFailed
    • MGMT_SCHAN scnet_client_open tera_sock_connect returned error 10060 - Connection timed out
  – Incorrect PCoIP External URL configured for Security/Connection Servers

User Experience Issues

• Poor quality display
  – Bandwidth, latency, or QoS
  – pcoip_server logs report
    • VGMAC Stat frms Loss=045021 (RT)
    • MGMT_PCOIP_DATA BW Decrease (loss) old = 2349982 new = 1768438
• Randomly disconnected session
  – 15 min after established - wssm process hasn't started on desktop
  – View Agent logs (<DriveLetter>:\ProgramData\VMware\VDM\logs)
  – PENDING_EXPIRED
  – Sometimes caused by daisy-chaining the GINA (WinXP)

Multi-VLAN Support for Instant Clone Pools: Tips to Avoid Deployment Issues

Support
• vSphere 2016
• ESXi 6.0 U1 or newer
• Virtual Distributed Switch only
  – No support for Standard Switch
• Port Group must be configured for Static Port Binding & Fixed Port Allocation
  – No support for Dynamic or Ephemeral

Tested Limits
• No multi-VLAN provisioning with IPv6
• Single IC pool of 2K VMs

Multi-VLAN with Horizon Instant Clones: Troubleshooting

Desktop Performance

• Common Issues
  – Storage I/O bottleneck
  – Memory contention
  – CPU contention
  – Network issues
• Where to look
  – vCenter Server
  – VCOPs
  – ESXTOP
  – 3rd Party Tools

The 3 Pillars of Performance

What to look for
• CPU
  – Cluster/Host utilization < 90%
  – VM utilization - %USED (ESXTOP)
  – VM %RDY Time (ESXTOP) < 10%
• Memory
  – Host utilization < 85%
  – VM utilization
  – Swapping, Ballooning: SWCUR > 1, MCTLSZ > 1 (ESXTOP)
• Storage
  – Disk Read Latency < 25ms
  – ESXTOP DAVG or KAVG < 25ms (ESXTOP)

Optimize Your Images

• https://labs.vmware.com/flings/vmware-os-optimization-tool

User Environment Manager: Common Issues

FlexEngine Appears Not To Run

FlexEngine Client
• Requires use of Regedit.exe or Reg.exe to modify user-based registry keys
• Must not be disabled via Local or Group Policy

ADMX Settings
• Minimum settings to enable FlexEngine Client
• Check path

Path-Based Import Runs Slow

• Be careful not to run FlexEngine as a logon script and a Group Policy client-side extension

Application Incompatibility with Hook Drivers

DirectFlex Blacklist
• Create <FlexRepository>\DirectFlex\BlackList.XML
• Populate as follows

  <?xml version="1.0" encoding="utf-8"?>
  <userEnvironmentSettings>
    <setting type="blacklist" list="1.exe|2.exe|3.exe" />
  </userEnvironmentSettings>

• Example: https://kb.vmware.com/kb/2145287

App Volumes: Common Issues

Slow User Logon

• Check Logon Segments in Horizon to determine where the delay is
• Optimize clock.yml
  – If performance decreases as deployment scales
  – Increasing servers, workers, and thread_pool requires additional CPU and RAM
  – Involve GSS to ensure optimal settings

AppStack Not Attaching at Logon

• One host in vSphere cluster does not have access to the shared datastore where the AppStack resides
  – Common oversight, especially with Storage Groups
• Conflicting Minifilter driver
  – DLP software
  – Be aware of app altitude
  – More info from Microsoft
    • http://bit.ly/2tSCdG5

ADSI Edit – Static Configuration Editing

ADSI Edit – Common Key Values to Inspect

• pae-DisplayName
  – VM name as displayed in View Admin
• pae-DirtyForNewSessions
  – Indicates whether the VM is “Dirty” and can be re-used in a non-persistent pool
• pae-SVIVMSnapshot
  – Indicates the current Snapshot that is in use
• pae-VmPath
  – Indicates the full Path to the VM in vCenter
• pae-VmState
  – Indicates the current state of the Desktop – some states are a combination of this value and other values

ADSI Edit – Searching for a Desktop

• Find VMs with a Snapshot
  – (&(objectClass=pae-VM)(pae-SVIVmSnapshot=BaselineSnapshot1Snapshot2))
• Find VMs with a Name
  – (&(objectClass=pae-VM)(pae-DisplayName=Desktop-234))

Horizon View Event Notifier

• On the VMware Fling site - labs.vmware.com/flings (chrishalstead)

SSL Certificates and vCenter Server Connection

Accept vCenter Certificate
• By default, certificate validation is required between App Volumes Manager and vSphere
• Accept vCenter cert (self-signed or CA-signed) while creating the Machine Manager in App Volumes Manager
• No custom certificate work required

Certificate Options for Production

Options to Enable SSL
• SSL is enabled by default
• Don't disable certificate validation during Agent installation
• Enable SSL in the registry after App Volumes Agent install

Enable Certificate Validation on the App Volumes Agent
HKLM\System\CurrentControlSet\Services\svservices\Parameters
• EnforceSSLCertificateValidation = 1
• SSL = 1

Certificate Options for a POC

• Options to Disable SSL
• Disable Certificate Validation with App Volumes Manager during App Volumes Agent install
• EnforceSSLCertificateValidation in the registry after App Volumes Agent install

Disable SSL Certificate Validation on the Agent
HKLM\System\CurrentControlSet\Services\svservices\Parameters
• EnforceSSLCertificateValidation = 0
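A POC agent setting that survives into a production image is easy to miss, so the production and POC values on the two slides above can be checked against a `reg export` of the agent key. This is an added example, not part of the deck or of VMware's tooling; the key path is copied as the slide prints it (confirm it on your agent build), and the three exports are constructed.

```python
import re

# Key path as printed on the slide; confirm it against your agent build.
AGENT_KEY = r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\svservices\Parameters"
# Production values from the "Certificate Options for Production" slide.
REQUIRED = {"EnforceSSLCertificateValidation": 1, "SSL": 1}

SECTION = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
DWORD = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9a-fA-F]{8})\s*$')


def parse_reg_export(text):
    """Return {key_path_lower: {value_name_lower: int}} for DWORD values."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        section = SECTION.match(line)
        if section:
            current = keys.setdefault(section.group("key").lower(), {})
            continue
        value = DWORD.match(line)
        if value and current is not None:
            current[value.group("name").lower()] = int(value.group("hex"), 16)
    return keys


def audit_agent(text, key=AGENT_KEY):
    """Compare one export with the production values; registry names are case-insensitive."""
    values = parse_reg_export(text).get(key.lower())
    if values is None:
        return {"status": "key-missing", "findings": [key + " not in export"]}
    findings = []
    for name, want in REQUIRED.items():
        got = values.get(name.lower())
        if got is None:
            # The slides do not state the agent default, so report it rather than guess.
            findings.append(name + " not set")
        elif got != want:
            findings.append("%s = %d, production value is %d" % (name, got, want))
    return {"status": "ok" if not findings else "review", "findings": findings}


# Constructed exports (what `reg export` writes for DWORD values).
PROD_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\svservices\Parameters]
"EnforceSSLCertificateValidation"=dword:00000001
"SSL"=dword:00000001
"""

POC_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\svservices\Parameters]
"EnforceSSLCertificateValidation"=dword:00000000
"SSL"=dword:00000001
"""

UNSET_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\svservices\Parameters]
"SSL"=dword:00000001
"""

if __name__ == "__main__":
    for label, export in (("prod", PROD_EXPORT), ("poc", POC_EXPORT), ("unset", UNSET_EXPORT)):
        print(label, audit_agent(export))
```

Run it over an export taken from each golden image before the image is promoted from POC to production.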

SSL Certificates and SQL Server Communication: Securing Communications Between App Volumes Manager and SQL Server

• 2.12 User Guide references MS Support
• Note the differences for a SQL Server clustered installation
• Encryption is configured on the SQL Server instance, so all databases on a shared SQL Server will be affected
• From the SQL Server, use SQL Server Configuration Manager to configure Force Encryption and specify the SQL certificate

SQL Server service account must have Read permissions to the Private Key of the SQL Server SSL certificate
  – Check SQL Server Configuration Manager > SQL Server Services > SQL Server (SQL) > Log On
  – Default is NT Service\MSSQL$SQL, which does not have the necessary permissions

SSL Certificates and SQL Server Communication: Setting Custom Private Key Permissions for SQL Service Account

• Start on the SQL Server
• MMC > Certificates

SSL Certificates and Load Balancers

Typical Deployment
  – SSL is terminated at load balancer
  – HTTP between LB and AV Manager
  – SSL between AV Agents and LB
  – If trusted CA-signed cert is used for LB, be sure all agents trust the CA

Alternative Deployment
  – To keep SSL between LB and AV Manager, signed AV Manager certificate(s) should be added to trust list of the LB

[Diagram labels: App Volumes Agent VMs; Load Balancer; App Volumes Manager VMs; SQL; View Infrastructure; "Now Secured with SSL Certificates"]

Desktop Not Available

What to look for… (walk through successful connection)
• Client requests desktop
  – Event Database: BROKER_DESKTOP_REQUEST
• Broker allocates session to user
  – [FarmImp] (SESSION7072--a79c) cn=3f974017-409f-4912-83bc-2ee794f22fab,ou=servers,dc=vdi,dc=vmware,dc=int total session count 0
  – [FarmImp] (SESSION7072--a79c) allocateNewSession - identified server for application CN=GOLD-NP,OU=Applications,DC=vdi,DC=vmware,DC=int
  – Event Database: BROKER_MACHINE_ALLOCATED
• Broker attempts SSO
  – [FarmImp] (SESSION7072--a79c) Using domain for SSO FUTUREOFFICE
  – User won't be logged on to the VM without this

Desktop Not Available

What to look for… Pool Provisioning
• Desktops not available due to provisioning error
  – Check View Administrator for Pool status, check datastore capacity
  – Check Event Database - BROKER_PROVISIONING_ERROR_
  – Check View Composer has network access to ESX hosts
• Desktop not available due to customization
  – Check Desktop status – AGENT UNAVAILABLE
  – Check View Dashboard
    • Desktop Status > Preparing Desktops OR Problem Desktops
  – Check Desktop connectivity to DNS/AD/Connection Server

Desktop Not Available

• Desktop not available due to VM reset/crash
  – Check Desktop status – ALREADY USED
  – Typical on refresh-on-logoff or delete-on-use desktops
  – Broker never received an explicit logout message from the agent
  – Missing AGENT_ENDED event in DB for VM
• View Composer Issues associated with incorrect domain credentials
  • C:\ProgramData\VMware\View Composer\Logs
  • FATAL CSvmGaService - [svmGaService.cpp 116] Domain join failed Error 5 (0x5) Access is denied

Desktop Not Available

What to look for…
• Broker starts session on VM
  – [DesktopSessionImp] (SESSION7072--a79c) startSession – sending StartSession message
• Agent responds…
  – “DesktopManager got a StartSession message”
  – Client Info should be in Agent Log along with PCoIP launch
• Event Database: AGENT_PENDING
• Client connects to VM (Agent)
  – “PCoIPCnxOnConnectionComplete Begin (PCOIP)”
  – “WTS_SESSION_LOGON”
  – Event Database: AGENT_CONNECTED
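The successful-connection walk-through above, together with the broker logon marker on the connectivity slide, gives an ordered list of Event Database events, so a stalled launch can be placed at the first stage that never appears. This is an added example, not part of the deck or of Horizon's tooling; the row fields (time, type, user, machine), the users jdoe and asmith, and the suffix on the provisioning-error event are constructed for illustration.

```python
from collections import defaultdict

# Order of a successful launch, using the event names quoted on the slides.
STAGES = ["BROKER_USERLOGGEDIN", "BROKER_DESKTOP_REQUEST",
          "BROKER_MACHINE_ALLOCATED", "AGENT_PENDING", "AGENT_CONNECTED"]

# Where the slides point when a stage never appears.
NEXT_CHECK = {
    "BROKER_USERLOGGEDIN": "Connection Server log: WinAuthFilter / AuthorizationFilter lines",
    "BROKER_DESKTOP_REQUEST": "client never requested a desktop: client-to-broker connectivity",
    "BROKER_MACHINE_ALLOCATED": "pool status, datastore capacity, BROKER_PROVISIONING_ERROR_ events",
    "AGENT_PENDING": "agent log: StartSession message; desktop reachability of DNS/AD/Connection Server",
    "AGENT_CONNECTED": "PCoIP TCP/UDP 4172, PCoIP External URL, pcoip_server logs",
}


def ev(time, type_, user=None, machine=None):
    """Build one constructed row; the field names are assumptions, not the real schema."""
    return {"time": time, "type": type_, "user": user, "machine": machine}


SAMPLE_EVENTS = [
    ev("09:00:01", "BROKER_USERLOGGEDIN", "mattc"),
    ev("09:00:02", "BROKER_DESKTOP_REQUEST", "mattc"),
    ev("09:00:03", "BROKER_MACHINE_ALLOCATED", "mattc", "Desktop-234"),
    ev("09:00:04", "AGENT_PENDING", "mattc", "Desktop-234"),
    ev("09:00:09", "AGENT_CONNECTED", "mattc", "Desktop-234"),
    ev("09:45:00", "AGENT_ENDED", "mattc", "Desktop-234"),
    ev("09:10:00", "BROKER_USERLOGGEDIN", "bsimpson"),
    ev("09:10:01", "BROKER_DESKTOP_REQUEST", "bsimpson"),
    ev("09:10:01", "BROKER_PROVISIONING_ERROR_SAMPLE"),  # constructed suffix
    ev("09:20:00", "BROKER_USERLOGGEDIN", "jdoe"),
    ev("09:20:01", "BROKER_DESKTOP_REQUEST", "jdoe"),
    ev("09:20:02", "BROKER_MACHINE_ALLOCATED", "jdoe", "Desktop-235"),
    ev("09:20:03", "AGENT_PENDING", "jdoe", "Desktop-235"),
    ev("09:35:03", "PENDING_EXPIRED", "jdoe", "Desktop-235"),
    ev("09:30:00", "BROKER_USERLOGGEDIN", "asmith"),
    ev("09:30:01", "BROKER_DESKTOP_REQUEST", "asmith"),
    ev("09:30:02", "BROKER_MACHINE_ALLOCATED", "asmith", "Desktop-236"),
    ev("09:30:03", "AGENT_PENDING", "asmith", "Desktop-236"),
    ev("09:30:08", "AGENT_CONNECTED", "asmith", "Desktop-236"),
]


def triage(events):
    """Per user: first stage with no event, the slide's next check, and PENDING_EXPIRED."""
    by_user = defaultdict(list)
    for row in sorted(events, key=lambda r: r["time"]):
        if row.get("user"):
            by_user[row["user"]].append(row["type"])
    report = {}
    for user, types in by_user.items():
        seen = set(types)
        missing = next((s for s in STAGES if s not in seen), None)
        report[user] = {"missing": missing,
                        "check": NEXT_CHECK.get(missing),
                        "pending_expired": "PENDING_EXPIRED" in seen}
    return report


def provisioning_errors(events):
    """Pool-level errors carry no user, so they are listed separately."""
    return [r for r in events if r["type"].startswith("BROKER_PROVISIONING_ERROR")]


def machines_without_agent_ended(events):
    """Machines whose last AGENT_CONNECTED has no later AGENT_ENDED.
    A live session looks the same, so cross-check the ALREADY USED desktop status."""
    open_sessions = {}
    for row in sorted(events, key=lambda r: r["time"]):
        machine = row.get("machine")
        if not machine:
            continue
        if row["type"] == "AGENT_CONNECTED":
            open_sessions[machine] = row["time"]
        elif row["type"] == "AGENT_ENDED":
            open_sessions.pop(machine, None)
    return sorted(open_sessions)


if __name__ == "__main__":
    for user, result in sorted(triage(SAMPLE_EVENTS).items()):
        print(user, result)
    print("no AGENT_ENDED:", machines_without_agent_ended(SAMPLE_EVENTS))
```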

Desktop Source Not Available

Common Issues
• No Desktop Available
• Pool provisioning issues – customization
• Agent not communicating with broker
• Stuck at desktop login screen (SSO)

Desktop Source Not Available

Where to look
• Event Database
• Connection Server logs

What to look for
[SessionLaunchContext] (SESSION40a7__6cbd) VMWEUC\bsimpson Desktop=vmworld Session request failed
(SESSION40a7__6cbd) [VMWEUC\bsimpson Desktop=vmworld] (5ms) The following servers were blocked for new sessions [cn=5162cf76-8d8a-4ac0-9185-845a540d24e5,ou=servers,dc=vdi,dc=vmware,dc=int]
(SESSION40a7__6cbd) [VMWEUC\bsimpson Desktop=vmworld] (5ms) Application launch failed exception was The desktop sources for this desktop are not responding Please try again later

Page 29: ADV1592BU Troubleshooting Your Horizon 7 Deployment … · Troubleshooting Your Horizon 7 Deployment VMworld 2017 ... (SCCM Toolkit) Horizon ... Troubleshooting Horizon

Horizon Connectivity Issues

bull Common challenges

ndash Horizon Client canrsquot connect

ndash Logon failure

ndash Black screen

ndash Poor quality display

ndash Randomly disconnected session

Horizon

ADV1592BU CONFIDENTIAL 29

VMworld 2017 Content Not fo

r publication or distri

bution

Horizon

VMworld 2017 Content Not fo

r publication or distri

bution

Blast Extreme Adaptive TransportADMX Template Settings

Computer gt Policies gt Admin Templates gt VMware Blast gt UDP Protocol

bull Requires restart of Blast service or reboot of guest OS to take effect

BlastExtreme

ADV1592BU CONFIDENTIAL 31

VMworld 2017 Content Not fo

r publication or distri

bution

Blast Extreme Adaptive Transport

Client Settings Agent Settings (UDP) Blast Desktop Connection Broker Connection

Excellent Not configured or Enabled TCP TCP

Typical Not configured or Enabled UDP TCP

Poor Not configured or Enabled UDP UDP

Computer gt Policies gt Admin Templates gt VMware Blast gt UDP Protocol ndash Not Configured or Enabled

HKLMSOFTWAREPoliciesVMware IncVMware BlastConfig ndash UdpEnabled = 1

Client Settings Agent Settings (UDP) Blast Desktop Connection Broker Connection

Excellent Disabled TCP TCP

Typical Disabled TCP TCP

Poor Disabled TCP UDP

Computer gt Policies gt Admin Templates gt VMware Blast gt UDP Protocol ndash Disabled

HKLMSOFTWAREPoliciesVMware IncVMware BlastConfig ndash UdpEnabled = 0

BlastExtreme

ADV1592BU CONFIDENTIAL 32

VMworld 2017 Content Not fo

r publication or distri

bution

Horizon Connectivity Issues

bull Where to look

ndash Connection Broker logs

bull CProgramDataVMwareVDMlogs

ndash Event Database

ndash DCT Tool

bull What to look for ndash

bull (Client connects) [SimpleAJPService] (ajpbrokerRequest9) Request from 19216821 POST brokerxml

bull (Broker authentication) [WinAuthFilter] (SESSION7072--a79c mattc) Attempting to authenticate user mattc in domain FUTUREOFFICErsquo

bull (User has authenticated to Broker) [AuthorizationFilter] (SESSION7072--a79c) User FUTUREOFFICEmattc has successfully authenticated to VDM

bull (Audit Entry) [Audit] (SESSION7072--a79c) BROKER_LOGONUSERFUTUREOFFICEmattcUSERSIDS-1-5-21-326850759-2560684469-1780228732-1113USERDNCN=S-1-5-21-326850759-2560684469-1780228732-1113CN=ForeignSecurityPrincipalsDC=vdiDC=vmwareDC=int

bull Event Database BROKER_USERLOGGEDIN

Horizon

ADV1592BU CONFIDENTIAL 33

VMworld 2017 Content Not fo

r publication or distri

bution

User Experience Issues

bull Black screen of deathmdashinstead of desktop

ndash PCoIP port blocked (TCP and UDP 4172) or SVGA Driver issue

ndash pcoip_serverclient logs - CUsersAll UsersVMwareVDMlogs

bull Error attaching to SVGADevTap error 4000 EscapeFailed

bull MGMT_SCHAN scnet_client_open tera_sock_connect returned error 10060 - Connection timed out

ndash Incorrect PCoIP External URL configured for SecurityConnection Servers

Horizon

ADV1592BU CONFIDENTIAL 34

VMworld 2017 Content Not fo

r publication or distri

bution

User Experience Issues

bull Poor quality display

ndash Bandwidth latency or QoS

ndash Pcoip_server logs report

bull VGMAC Stat frms Loss=045021 (RT)

bull MGMT_PCOIP_DATA BW Decrease (loss) old = 2349982 new = 1768438

bull Randomly disconnected session

ndash 15 min after established - wssm process hasnt started on desktop

ndash View Agent logs (ltDriveLettergtProgramDataVMwareVDMlogs)

ndash PENDING_EXPIRED

ndash Sometimes caused by daisy-chaining the GINA (WinXP)

Horizon

ADV1592BU CONFIDENTIAL 35

VMworld 2017 Content Not fo

r publication or distri

bution

Multi-VLAN support for Instant Clone poolsTips to Avoid Deployment Issues

Support

bull vSphere 2016

bull ESXi 60 U1 or newer

bull Virtual Distributed Switch only

ndash No support for Standard Switch

bull Port Group must be configured for Static Port Binding amp Fixed Port Allocation

ndash No support for Dynamic or Ephemeral

Tested Limits

bull No multi-VLAN provisioning with IPv6

bull Single IC pool of 2K VMs

Horizon

ADV1592BU CONFIDENTIAL 36

VMworld 2017 Content Not fo

r publication or distri

bution

Multi-VLAN with Horizon Instant ClonesTroubleshooting

Horizon

ADV1592BU CONFIDENTIAL 37

VMworld 2017 Content Not fo

r publication or distri

bution

Desktop Performance

bull Common Issues

ndash Storage IO bottleneck

ndash Memory contention

ndash CPU contention

ndash Network issues

bull Where to look

ndash vCenter Server

ndash VCOPs

ndash ESXTOP

ndash 3rd Party Tools

Horizon

ADV1592BU CONFIDENTIAL 38

VMworld 2017 Content Not fo

r publication or distri

bution

The 3 Pillars of Performance

What to look for

bull CPU

ndash ClusterHost utilization lt 90

ndash VM utilization - USED (ESXTOP)

ndash VM RDY Time (ESXTOP) lt 10

bull Memory

ndash Host utilization lt 85

ndash VM utilization

ndash Swapping Ballooning SWCUR gt 1 MCTLSZ gt 1 (ESXTOP)

bull Storage

ndash Disk Read Latency lt 25ms

ndash ESXTOP DAVG or KAVG lt 25ms (ESXTOP)

Horizon

ADV1592BU CONFIDENTIAL 39

VMworld 2017 Content Not fo

r publication or distri

bution

Optimize Your Images

bull httpslabsvmwarecomflingsvmware-os-optimization-tool

Horizon

ADV1592BU CONFIDENTIAL 40

VMworld 2017 Content Not fo

r publication or distri

bution

User Environment ManagerCommon Issues

VMworld 2017 Content Not fo

r publication or distri

bution

FlexEngine Appears Not To Run

FlexEngine Client

bull Requires use of Regeditexeor Regexe to modify user-based registry keys

bull Must not be disabled via Local or Group Policy

ADMX Settings

bull Minimum settings to enable FlexEngine Client

bull Check path

ADV1592BU CONFIDENTIAL 42

VMworld 2017 Content Not fo

r publication or distri

bution

Path-Based Import Runs Slow

bull Be careful not to run FlexEngine as a logon script and a Group Policy client-side extension

ADV1592BU CONFIDENTIAL 43

VMworld 2017 Content Not fo

r publication or distri

bution

Application Incompatibility with Hook DriversUser Environment

Manager

DirectFlex Blacklist

bull Create ltFlexRepositorygtDirectFlexBlackListXML

bull Populate as follows

ltxml version=10 encoding=utf-8gt

ltuserEnvironmentSettingsgt

ltsetting type=blacklist list=rdquo1exe|2exe|3exe gt

ltuserEnvironmentSettingsgt

bull Example httpskbvmwarecomkb2145287

ADV1592BU CONFIDENTIAL 44

VMworld 2017 Content Not fo

r publication or distri

bution

App VolumesCommon Issues

VMworld 2017 Content Not fo

r publication or distri

bution

Slow User Logon

bull Check Logon Segments in Horizon to determine where the delay is

bull Optimize clockyml

ndash If performance decreases as deployment scales

ndash Increasing servers workers and thread_poolrequires additional CPU and RAM

ndash Involve GSS to ensure optimal settings

ADV1592BU CONFIDENTIAL 46

VMworld 2017 Content Not fo

r publication or distri

bution

AppStack Not Attaching at Logon

ADV1592BU CONFIDENTIAL 47

bull One host in vSphere cluster does not have access to the shared datastore where the AppStack resides

ndash Common oversight especially with Storage Groups

bull Conflicting Minifilter driver

ndash DLP software

ndash Be aware of app altitude

ndash More info from Microsoft

bull httpbitly2tSCdG5VMworld 2017 Content Not fo

r publication or distri

bution

VMworld 2017 Content Not fo

r publication or distri

bution

VMworld 2017 Content Not fo

r publication or distri

bution

ADSI Edit ndash Static Configuration Editing

ADV1592BU CONFIDENTIAL 50

Horizon

VMworld 2017 Content Not fo

r publication or distri

bution

ADSI Edit ndash Common Key Values to Inspect

bull pae-DisplayName

ndash VM name as displayed in View Admin

bull pae-DirtyForNewSessions

ndash Indicates whether the VM is ldquoDirtyrdquo and can be re-used in a non-persistent pool

bull pae-SVIVMSnapshot

ndash Indicates the current Snapshot that is in use

bull pae-VmPath

ndash Indicates the full Path to the VM in vCenter

bull pae-VmState

ndash Indicates the current state of the Desktop ndash some states are a combination of this valueand other values

ADV1592BU CONFIDENTIAL 51

Horizon

VMworld 2017 Content Not fo

r publication or distri

bution

ADSI Edit ndash Searching for a Desktop

bull Find VMs with a Snapshot

ndash (amp(objectClass=pae-VM)(pae-SVIVmSnapshot=BaselineSnapshot1Snapshot2))

bull Find VMs with a Name

ndash (amp(objectClass=pae-VM)(pae-DisplayName=Desktop-234))

Horizon

ADV1592BU CONFIDENTIAL 52

VMworld 2017 Content Not fo

r publication or distri

bution

Horizon View Event Notifier

bull On the VMware Fling site - labsvmwarecomflings (chrishalstead)

Horizon

ADV1592BU CONFIDENTIAL 53

VMworld 2017 Content Not fo

r publication or distri

bution

SSL Certificates and vCenter Server Connection

Accept vCenter Certificate

bull By default certificate validation is required between App Volumes Manager and vSphere

bull Accept vCenter cert (self-signed or CA-signed) while creating the Machine Manager in App Volumes Manager

bull No custom certificate work required

App Volumes

ADV1592BU CONFIDENTIAL 54

VMworld 2017 Content Not fo

r publication or distri

bution

Certificate Options for Production

Options to Enable SSL

bull SSL is enabled by default

bull Donrsquot disable certificate validation during Agent installation

bull Enable SSL in the registry after App Volumes Agent install

ADV1592BU CONFIDENTIAL 55

Enable Certificate Validation on the App Volumes Agent

HKLMSystemCurrentControlSetServicessvservicesParametersbull EnforceSSLCertificateValidation = 1bull SSL = 1

App Volumes

VMworld 2017 Content Not fo

r publication or distri

bution

Certificate Options for a POC

bull Options to Disable SSL

bull Disable Certificate Validation with App Volumes Manager during App Volumes Agent install

bull EnforceSSLCertificateValidation in the registry after App Volumes Agent install

ADV1592BU CONFIDENTIAL 56

Disable SSL Certificate Validation on the Agent

HKLMSystemCurrentControlSetServicessvservicesParametersbull EnforceSSLCertificateValidation = 0

App Volumes

VMworld 2017 Content Not fo

r publication or distri

bution

SSL Certificates and SQL Server CommunicationSecuring Communications Between App Volumes Manager and SQL Server

bull 212 User Guide references MS Support

bull Note the differences for a SQL Server clustered installation

bull Encryption is configured on the SQL Server instance so alldatabases on a shared SQL Server will be affected

bull From the SQL Server use SQL Server Configuration Manager to configure Force Encryption and specify the SQL certificate

SQL Server service account must have Read permissions to the Private Key of the SQL Server SSL certificate

ndash Check SQL Server Configuration Manager gt SQL Server Services gt SQL Server (SQL) gt Log On

ndash Default is NT ServiceMSSQL$SQL which does not have the necessary permissions

App Volumes

ADV1592BU CONFIDENTIAL 57

VMworld 2017 Content Not fo

r publication or distri

bution

SSL Certificates and SQL Server Communication

bull Start on the SQL Server

bull MMC gt Certificates

ADV1592BU CONFIDENTIAL 58

Setting Custom Private Key Permissions for SQL Service Account

App Volumes

VMworld 2017 Content Not fo

r publication or distri

bution

SSL Certificates and Load Balancers

ADV1592BU CONFIDENTIAL 59

Typical Deployment

ndash SSL is terminated at load balancer

ndash HTTP between LB and AV Manager

ndash SSL between AV Agents and LB

ndash If trusted CA-signed cert is used for LB be sure all agents trust the CA

App Volumes Agent VMs

Load Balancer

App Volumes Manager VMs

Alternative Deployment

ndash To keep SSL between LB and AV Manager signed AV Manager certificate(s) should be added to trust list of the LB

SQLView Infrastructure

Now Secured withSSL Certificates

App Volumes

VMworld 2017 Content Not fo

r publication or distri

bution

Desktop Not Available

What to look forhellip (walk through successful connection)

bull Client requests desktop

ndash Event Database BROKER_DESKTOP_REQUEST

bull Broker allocates session to user

ndash [FarmImp] (SESSION7072--a79c) cn=3f974017-409f-4912-83bc-2ee794f22fabou=serversdc=vdidc=vmwaredc=int total session count 0

ndash [FarmImp] (SESSION7072--a79c) allocateNewSession - identified server for application CN=GOLD-NPOU=ApplicationsDC=vdiDC=vmwareDC=int

ndash Event Database BROKER_MACHINE_ALLOCATED

bull Broker attempts SSO

ndash [FarmImp] (SESSION7072--a79c) Using domain for SSO FUTUREOFFICE

ndash User wonrsquot be logged on to the VM without this

Horizon

ADV1592BU CONFIDENTIAL 60

VMworld 2017 Content Not fo

r publication or distri

bution

Desktop Not Available

What to look forhellip Pool Provisioning

bull Desktops not available due to provisioning error

ndash Check View Administrator for Pool status check datastore capacity

ndash Check Event Database - BROKER_PROVISIONING_ERROR_

ndash Check View Composer has network access to ESX hosts

bull Desktop not available due to customization

ndash Check Desktop status ndash AGENT UNAVAILABLE

ndash Check View Dashboard

bull Desktop Status gt Preparing Desktops OR Problem Desktops

ndash Check Desktop connectivity to DNSADConnection Server

Horizon

ADV1592BU CONFIDENTIAL 61

VMworld 2017 Content Not fo

r publication or distri

bution

Desktop Not Available

bull Desktop not available due to VM resetcrash

ndash Check Desktop status ndash ALREADY USED

ndash Typical on refresh-on-logoff or delete-on-use desktops

ndash Broker never received an explicit logout message from the agent

ndash Missing AGENT_ENDED event in DB for VM

bull View Composer Issues associated with incorrect domain credentials

bull CProgramDataVMwareView ComposerLogs

bull FATAL CSvmGaService - [svmGaServicecpp 116] Domain join failed Error 5 (0x5) Access is denied

Horizon

ADV1592BU CONFIDENTIAL 62

VMworld 2017 Content Not fo

r publication or distri

bution

Desktop Not Available

What to look forhellip

bull Broker starts session on VM

ndash [DesktopSessionImp] (SESSION7072--a79c) startSession ndashsending StartSession message

bull Agent respondshellip

ndash DesktopManager got a StartSession messagerdquo

ndash Client Info should be in Agent Log along with PCoIP launch

bull Event Database AGENT_PENDING

bull Client connects to VM (Agent)

ndash ldquoPCoIPCnxOnConnectionComplete Begin (PCOIP)rdquo

ndash ldquoWTS_SESSION_LOGONrdquo

ndash Event Database AGENT_CONNECTED

Horizon

ADV1592BU CONFIDENTIAL 63

VMworld 2017 Content Not fo

r publication or distri

bution

Desktop Source Not Available

Common Issues

bull No Desktop Available

bull Pool provisioning issues ndashcustomization

bull Agent not communicatingwith broker

bull Stuck at desktop loginscreen (SSO)

Horizon

ADV1592BU CONFIDENTIAL 64

VMworld 2017 Content Not fo

r publication or distri

bution

Desktop Source Not Available

Where to look

bull Event Database

bull Connection Server logs

What to look for

[SessionLaunchContext] (SESSION40a7__6cbd) VMWEUCbsimpson Desktop=vmworld Session request failed

(SESSION40a7__6cbd) [VMWEUCbsimpson Desktop=vmworld] (5ms) The following servers were blocked for new sessions [cn=5162cf76-8d8a-4ac0-9185-845a540d24e5ou=serversdc=vdidc=vmwaredc=int]

(SESSION40a7__6cbd) [VMWEUCbsimpson Desktop=vmworld] (5ms) Application launch failed exception was The desktop sources for this desktop are not responding Please try again later

Horizon

ADV1592BU CONFIDENTIAL 65

VMworld 2017 Content Not fo

r publication or distri

bution

Page 30: ADV1592BU Troubleshooting Your Horizon 7 Deployment … · Troubleshooting Your Horizon 7 Deployment VMworld 2017 ... (SCCM Toolkit) Horizon ... Troubleshooting Horizon

Horizon

VMworld 2017 Content Not fo

r publication or distri

bution

Blast Extreme Adaptive TransportADMX Template Settings

Computer gt Policies gt Admin Templates gt VMware Blast gt UDP Protocol

bull Requires restart of Blast service or reboot of guest OS to take effect

BlastExtreme

ADV1592BU CONFIDENTIAL 31

VMworld 2017 Content Not fo

r publication or distri

bution

Blast Extreme Adaptive Transport

Client Settings | Agent Settings (UDP)      | Blast Desktop Connection | Broker Connection
Excellent       | Not configured or Enabled | TCP                      | TCP
Typical         | Not configured or Enabled | UDP                      | TCP
Poor            | Not configured or Enabled | UDP                      | UDP

Computer > Policies > Admin Templates > VMware Blast > UDP Protocol – Not Configured or Enabled
HKLM\SOFTWARE\Policies\VMware, Inc.\VMware Blast\Config – UdpEnabled = 1

Client Settings | Agent Settings (UDP) | Blast Desktop Connection | Broker Connection
Excellent       | Disabled             | TCP                      | TCP
Typical         | Disabled             | TCP                      | TCP
Poor            | Disabled             | TCP                      | UDP

Computer > Policies > Admin Templates > VMware Blast > UDP Protocol – Disabled
HKLM\SOFTWARE\Policies\VMware, Inc.\VMware Blast\Config – UdpEnabled = 0


Horizon Connectivity Issues

• Where to look
  – Connection Broker logs
    • C:\ProgramData\VMware\VDM\logs
  – Event Database
  – DCT Tool
• What to look for –
  • (Client connects) [SimpleAJPService] (ajpbrokerRequest9) Request from 19216821 POST /broker/xml
  • (Broker authentication) [WinAuthFilter] (SESSION7072--a79c mattc) Attempting to authenticate user mattc in domain 'FUTUREOFFICE'
  • (User has authenticated to Broker) [AuthorizationFilter] (SESSION7072--a79c) User FUTUREOFFICE\mattc has successfully authenticated to VDM
  • (Audit Entry) [Audit] (SESSION7072--a79c) BROKER_LOGON:USER:FUTUREOFFICE\mattc;USERSID:S-1-5-21-326850759-2560684469-1780228732-1113;USERDN:CN=S-1-5-21-326850759-2560684469-1780228732-1113,CN=ForeignSecurityPrincipals,DC=vdi,DC=vmware,DC=int
  • Event Database: BROKER_USERLOGGEDIN


User Experience Issues

• Black screen of death—instead of desktop
  – PCoIP port blocked (TCP and UDP 4172) or SVGA Driver issue
  – pcoip_server/client logs - C:\Users\All Users\VMware\VDM\logs
    • Error attaching to SVGADevTap error 4000 EscapeFailed
    • MGMT_SCHAN scnet_client_open tera_sock_connect returned error 10060 - Connection timed out
  – Incorrect PCoIP External URL configured for Security/Connection Servers


User Experience Issues

• Poor quality display
  – Bandwidth, latency or QoS
  – Pcoip_server logs report
    • VGMAC Stat frms Loss=045021 (RT)
    • MGMT_PCOIP_DATA BW Decrease (loss) old = 2349982 new = 1768438
• Randomly disconnected session
  – 15 min after established - wssm process hasn't started on desktop
  – View Agent logs (<DriveLetter>:\ProgramData\VMware\VDM\logs)
  – PENDING_EXPIRED
  – Sometimes caused by daisy-chaining the GINA (WinXP)


Multi-VLAN support for Instant Clone pools: Tips to Avoid Deployment Issues

Support
• vSphere 2016
• ESXi 6.0 U1 or newer
• Virtual Distributed Switch only
  – No support for Standard Switch
• Port Group must be configured for Static Port Binding & Fixed Port Allocation
  – No support for Dynamic or Ephemeral

Tested Limits
• No multi-VLAN provisioning with IPv6
• Single IC pool of 2K VMs


Multi-VLAN with Horizon Instant Clones: Troubleshooting


Desktop Performance

• Common Issues
  – Storage I/O bottleneck
  – Memory contention
  – CPU contention
  – Network issues
• Where to look
  – vCenter Server
  – VCOPs
  – ESXTOP
  – 3rd Party Tools


The 3 Pillars of Performance

What to look for
• CPU
  – Cluster/Host utilization < 90%
  – VM utilization - %USED (ESXTOP)
  – VM %RDY Time (ESXTOP) < 10%
• Memory
  – Host utilization < 85%
  – VM utilization
  – Swapping, ballooning: SWCUR > 1, MCTLSZ > 1 (ESXTOP)
• Storage
  – Disk Read Latency < 25ms
  – ESXTOP DAVG or KAVG < 25ms (ESXTOP)


Optimize Your Images

• https://labs.vmware.com/flings/vmware-os-optimization-tool


User Environment Manager: Common Issues


FlexEngine Appears Not To Run

FlexEngine Client
• Requires use of Regedit.exe or Reg.exe to modify user-based registry keys
• Must not be disabled via Local or Group Policy

ADMX Settings
• Minimum settings to enable FlexEngine Client
• Check path


Path-Based Import Runs Slow

• Be careful not to run FlexEngine as a logon script and a Group Policy client-side extension


Application Incompatibility with Hook Drivers

DirectFlex Blacklist

• Create <FlexRepository>\DirectFlex\BlackList.XML
• Populate as follows

<?xml version="1.0" encoding="utf-8"?>
<userEnvironmentSettings>
  <setting type="blacklist" list="1.exe|2.exe|3.exe" />
</userEnvironmentSettings>

• Example: https://kb.vmware.com/kb/2145287


App Volumes: Common Issues


Slow User Logon

• Check Logon Segments in Horizon to determine where the delay is
• Optimize clock.yml
  – If performance decreases as deployment scales
  – Increasing servers, workers and thread_pool requires additional CPU and RAM
  – Involve GSS to ensure optimal settings


AppStack Not Attaching at Logon

• One host in vSphere cluster does not have access to the shared datastore where the AppStack resides
  – Common oversight, especially with Storage Groups
• Conflicting Minifilter driver
  – DLP software
  – Be aware of app altitude
  – More info from Microsoft
    • http://bit.ly/2tSCdG5


ADSI Edit – Static Configuration Editing


ADSI Edit – Common Key Values to Inspect

• pae-DisplayName
  – VM name as displayed in View Admin
• pae-DirtyForNewSessions
  – Indicates whether the VM is “Dirty” and can be re-used in a non-persistent pool
• pae-SVIVMSnapshot
  – Indicates the current Snapshot that is in use
• pae-VmPath
  – Indicates the full Path to the VM in vCenter
• pae-VmState
  – Indicates the current state of the Desktop – some states are a combination of this value and other values


ADSI Edit – Searching for a Desktop

• Find VMs with a Snapshot
  – (&(objectClass=pae-VM)(pae-SVIVmSnapshot=BaselineSnapshot1Snapshot2))
• Find VMs with a Name
  – (&(objectClass=pae-VM)(pae-DisplayName=Desktop-234))


Horizon View Event Notifier

• On the VMware Fling site - labs.vmware.com/flings (chrishalstead)


SSL Certificates and vCenter Server Connection

Accept vCenter Certificate
• By default, certificate validation is required between App Volumes Manager and vSphere
• Accept vCenter cert (self-signed or CA-signed) while creating the Machine Manager in App Volumes Manager
• No custom certificate work required


Certificate Options for Production

Options to Enable SSL
• SSL is enabled by default
• Don’t disable certificate validation during Agent installation
• Enable SSL in the registry after App Volumes Agent install

Enable Certificate Validation on the App Volumes Agent
HKLM\System\CurrentControlSet\Services\svservices\Parameters
• EnforceSSLCertificateValidation = 1
• SSL = 1


Certificate Options for a POC

• Options to Disable SSL
• Disable Certificate Validation with App Volumes Manager during App Volumes Agent install
• EnforceSSLCertificateValidation in the registry after App Volumes Agent install

Disable SSL Certificate Validation on the Agent
HKLM\System\CurrentControlSet\Services\svservices\Parameters
• EnforceSSLCertificateValidation = 0


SSL Certificates and SQL Server Communication: Securing Communications Between App Volumes Manager and SQL Server

• 2.12 User Guide references MS Support
• Note the differences for a SQL Server clustered installation
• Encryption is configured on the SQL Server instance, so all databases on a shared SQL Server will be affected
• From the SQL Server, use SQL Server Configuration Manager to configure Force Encryption and specify the SQL certificate

SQL Server service account must have Read permissions to the Private Key of the SQL Server SSL certificate
  – Check SQL Server Configuration Manager > SQL Server Services > SQL Server (SQL) > Log On
  – Default is NT Service\MSSQL$SQL, which does not have the necessary permissions


SSL Certificates and SQL Server Communication

Setting Custom Private Key Permissions for SQL Service Account
• Start on the SQL Server
• MMC > Certificates


SSL Certificates and Load Balancers

Typical Deployment
  – SSL is terminated at load balancer
  – HTTP between LB and AV Manager
  – SSL between AV Agents and LB
  – If trusted CA-signed cert is used for LB, be sure all agents trust the CA

Alternative Deployment
  – To keep SSL between LB and AV Manager, signed AV Manager certificate(s) should be added to trust list of the LB

[Diagram labels: App Volumes Agent VMs; Load Balancer; App Volumes Manager VMs; SQL / View Infrastructure; Now Secured with SSL Certificates]


Desktop Not Available

What to look for… (walk through successful connection)
• Client requests desktop
  – Event Database: BROKER_DESKTOP_REQUEST
• Broker allocates session to user
  – [FarmImp] (SESSION7072--a79c) cn=3f974017-409f-4912-83bc-2ee794f22fab,ou=servers,dc=vdi,dc=vmware,dc=int total session count 0
  – [FarmImp] (SESSION7072--a79c) allocateNewSession - identified server for application CN=GOLD-NP,OU=Applications,DC=vdi,DC=vmware,DC=int
  – Event Database: BROKER_MACHINE_ALLOCATED
• Broker attempts SSO
  – [FarmImp] (SESSION7072--a79c) Using domain for SSO FUTUREOFFICE
  – User won’t be logged on to the VM without this


Desktop Not Available

What to look for… Pool Provisioning
• Desktops not available due to provisioning error
  – Check View Administrator for Pool status, check datastore capacity
  – Check Event Database - BROKER_PROVISIONING_ERROR_
  – Check View Composer has network access to ESX hosts
• Desktop not available due to customization
  – Check Desktop status – AGENT UNAVAILABLE
  – Check View Dashboard
    • Desktop Status > Preparing Desktops OR Problem Desktops
  – Check Desktop connectivity to DNS/AD/Connection Server


Desktop Not Available

• Desktop not available due to VM reset/crash
  – Check Desktop status – ALREADY USED
  – Typical on refresh-on-logoff or delete-on-use desktops
  – Broker never received an explicit logout message from the agent
  – Missing AGENT_ENDED event in DB for VM
• View Composer Issues associated with incorrect domain credentials
• C:\ProgramData\VMware\View Composer\Logs
• FATAL CSvmGaService - [svmGaService.cpp 116] Domain join failed Error 5 (0x5) Access is denied


Desktop Not Available

What to look for…
• Broker starts session on VM
  – [DesktopSessionImp] (SESSION7072--a79c) startSession – sending StartSession message
• Agent responds…
  – “DesktopManager got a StartSession message”
  – Client Info should be in Agent Log along with PCoIP launch
• Event Database: AGENT_PENDING
• Client connects to VM (Agent)
  – “PCoIPCnxOnConnectionComplete Begin (PCOIP)”
  – “WTS_SESSION_LOGON”
  – Event Database: AGENT_CONNECTED
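The connection walk-through on the preceding slides can be applied mechanically: group Connection Server log lines by session tag and report the last stage each session reached. This is an added example, not VMware tooling or code from the slides; the component tags and message fragments are taken from the slides, while the line layout (level prefix, placeholder DN) in the sample is constructed.

```python
import re

# Session tag as it appears in the slide excerpts, e.g. "(SESSION7072--a79c mattc)".
SESSION_RE = re.compile(r"\(SESSION:?(?P<sid>[^\s;)]+)")
# Component tag such as "[FarmImp]"; user-context brackets contain spaces and do not match.
COMPONENT_RE = re.compile(r"\[(?P<comp>[A-Za-z]+)\]")

# (stage, component tag, message fragment) in the order the slides walk through them.
STAGES = [
    ("auth_attempt", "WinAuthFilter", "Attempting to authenticate user"),
    ("authenticated", "AuthorizationFilter", "has successfully authenticated"),
    ("machine_allocated", "FarmImp", "allocateNewSession"),
    ("sso_domain_chosen", "FarmImp", "Using domain for SSO"),
    ("start_session_sent", "DesktopSessionImp", "sending StartSession message"),
]
FAILURE_FRAGMENTS = [
    "Session request failed",
    "servers were blocked for new sessions",
    "desktop sources for this desktop are not responding",
]
# Where the slides say to look next when a session stops after a given stage.
NEXT_CHECK = {
    None: "no authentication entry: confirm the client request reached the broker",
    "auth_attempt": "authentication incomplete: look for BROKER_USERLOGGEDIN in the Event Database",
    "authenticated": "no machine allocated: check pool status and BROKER_PROVISIONING_ERROR events",
    "machine_allocated": "no SSO domain logged: user will not be logged on to the VM",
    "sso_domain_chosen": "StartSession not sent: check desktop status in View Administrator",
    "start_session_sent": "broker side complete: check the agent log and AGENT_CONNECTED",
}


def trace_sessions(lines):
    """Group log lines by session tag and record stages and failure messages."""
    sessions = {}
    for line in lines:
        tag = SESSION_RE.search(line)
        if not tag:
            continue  # lines without a session tag cannot be correlated
        record = sessions.setdefault(tag.group("sid"), {"stages": [], "failures": []})
        comp = COMPONENT_RE.search(line)
        comp = comp.group("comp") if comp else None
        for stage, wanted_comp, fragment in STAGES:
            if comp == wanted_comp and fragment in line and stage not in record["stages"]:
                record["stages"].append(stage)
        for fragment in FAILURE_FRAGMENTS:
            if fragment in line:
                record["failures"].append(fragment)
    return sessions


def diagnose(record):
    """Return the furthest stage reached, whether a failure was logged, and the next check."""
    reached = [stage for stage, _, _ in STAGES if stage in record["stages"]]
    last = reached[-1] if reached else None
    return {"last_stage": last, "failed": bool(record["failures"]), "next_check": NEXT_CHECK[last]}


# Constructed sample: one successful launch and one that fails after authentication.
SAMPLE_LOG = [
    "DEBUG [SimpleAJPService] (ajp-1) Request from client POST /broker/xml",
    "DEBUG [WinAuthFilter] (SESSION7072--a79c mattc) Attempting to authenticate user mattc in domain FUTUREOFFICE",
    "INFO [AuthorizationFilter] (SESSION7072--a79c) User FUTUREOFFICE\\mattc has successfully authenticated to VDM",
    "DEBUG [FarmImp] (SESSION7072--a79c) allocateNewSession - identified server for application CN=GOLD-NP",
    "DEBUG [FarmImp] (SESSION7072--a79c) Using domain for SSO FUTUREOFFICE",
    "DEBUG [DesktopSessionImp] (SESSION7072--a79c) startSession - sending StartSession message",
    "DEBUG [WinAuthFilter] (SESSION40a7__6cbd bsimpson) Attempting to authenticate user bsimpson in domain VMWEUC",
    "INFO [AuthorizationFilter] (SESSION40a7__6cbd) User VMWEUC\\bsimpson has successfully authenticated to VDM",
    "INFO [SessionLaunchContext] (SESSION40a7__6cbd) VMWEUC\\bsimpson Desktop=vmworld Session request failed",
    "DEBUG (SESSION40a7__6cbd) [VMWEUC\\bsimpson Desktop=vmworld] (5ms) The following servers were blocked for new sessions [cn=example-server]",
]

if __name__ == "__main__":
    for sid, record in trace_sessions(SAMPLE_LOG).items():
        print(sid, diagnose(record))
```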


Page 31: ADV1592BU Troubleshooting Your Horizon 7 Deployment … · Troubleshooting Your Horizon 7 Deployment VMworld 2017 ... (SCCM Toolkit) Horizon ... Troubleshooting Horizon

Blast Extreme Adaptive TransportADMX Template Settings

Computer gt Policies gt Admin Templates gt VMware Blast gt UDP Protocol

bull Requires restart of Blast service or reboot of guest OS to take effect

BlastExtreme

ADV1592BU CONFIDENTIAL 31

VMworld 2017 Content Not fo

r publication or distri

bution

Blast Extreme Adaptive Transport

Client Settings Agent Settings (UDP) Blast Desktop Connection Broker Connection

Excellent Not configured or Enabled TCP TCP

Typical Not configured or Enabled UDP TCP

Poor Not configured or Enabled UDP UDP

Computer gt Policies gt Admin Templates gt VMware Blast gt UDP Protocol ndash Not Configured or Enabled

HKLMSOFTWAREPoliciesVMware IncVMware BlastConfig ndash UdpEnabled = 1

Client Settings Agent Settings (UDP) Blast Desktop Connection Broker Connection

Excellent Disabled TCP TCP

Typical Disabled TCP TCP

Poor Disabled TCP UDP

Computer gt Policies gt Admin Templates gt VMware Blast gt UDP Protocol ndash Disabled

HKLMSOFTWAREPoliciesVMware IncVMware BlastConfig ndash UdpEnabled = 0

BlastExtreme

ADV1592BU CONFIDENTIAL 32

VMworld 2017 Content Not fo

r publication or distri

bution

Horizon Connectivity Issues

bull Where to look

ndash Connection Broker logs

bull CProgramDataVMwareVDMlogs

ndash Event Database

ndash DCT Tool

bull What to look for ndash

bull (Client connects) [SimpleAJPService] (ajpbrokerRequest9) Request from 19216821 POST brokerxml

bull (Broker authentication) [WinAuthFilter] (SESSION7072--a79c mattc) Attempting to authenticate user mattc in domain FUTUREOFFICErsquo

bull (User has authenticated to Broker) [AuthorizationFilter] (SESSION7072--a79c) User FUTUREOFFICEmattc has successfully authenticated to VDM

bull (Audit Entry) [Audit] (SESSION7072--a79c) BROKER_LOGONUSERFUTUREOFFICEmattcUSERSIDS-1-5-21-326850759-2560684469-1780228732-1113USERDNCN=S-1-5-21-326850759-2560684469-1780228732-1113CN=ForeignSecurityPrincipalsDC=vdiDC=vmwareDC=int

bull Event Database BROKER_USERLOGGEDIN

Horizon

ADV1592BU CONFIDENTIAL 33

VMworld 2017 Content Not fo

r publication or distri

bution

User Experience Issues

bull Black screen of deathmdashinstead of desktop

ndash PCoIP port blocked (TCP and UDP 4172) or SVGA Driver issue

ndash pcoip_serverclient logs - CUsersAll UsersVMwareVDMlogs

bull Error attaching to SVGADevTap error 4000 EscapeFailed

bull MGMT_SCHAN scnet_client_open tera_sock_connect returned error 10060 - Connection timed out

ndash Incorrect PCoIP External URL configured for SecurityConnection Servers

Horizon

ADV1592BU CONFIDENTIAL 34

VMworld 2017 Content Not fo

r publication or distri

bution

User Experience Issues

bull Poor quality display

ndash Bandwidth latency or QoS

ndash Pcoip_server logs report

bull VGMAC Stat frms Loss=045021 (RT)

bull MGMT_PCOIP_DATA BW Decrease (loss) old = 2349982 new = 1768438

bull Randomly disconnected session

ndash 15 min after established - wssm process hasnt started on desktop

ndash View Agent logs (ltDriveLettergtProgramDataVMwareVDMlogs)

ndash PENDING_EXPIRED

ndash Sometimes caused by daisy-chaining the GINA (WinXP)

Horizon

ADV1592BU CONFIDENTIAL 35

VMworld 2017 Content Not fo

r publication or distri

bution

Multi-VLAN support for Instant Clone poolsTips to Avoid Deployment Issues

Support

bull vSphere 2016

bull ESXi 60 U1 or newer

bull Virtual Distributed Switch only

ndash No support for Standard Switch

bull Port Group must be configured for Static Port Binding amp Fixed Port Allocation

ndash No support for Dynamic or Ephemeral

Tested Limits

bull No multi-VLAN provisioning with IPv6

bull Single IC pool of 2K VMs

Horizon

ADV1592BU CONFIDENTIAL 36

VMworld 2017 Content Not fo

r publication or distri

bution

Multi-VLAN with Horizon Instant ClonesTroubleshooting

Horizon

ADV1592BU CONFIDENTIAL 37

VMworld 2017 Content Not fo

r publication or distri

bution

Desktop Performance

bull Common Issues

ndash Storage IO bottleneck

ndash Memory contention

ndash CPU contention

ndash Network issues

bull Where to look

ndash vCenter Server

ndash VCOPs

ndash ESXTOP

ndash 3rd Party Tools

Horizon

ADV1592BU CONFIDENTIAL 38

VMworld 2017 Content Not fo

r publication or distri

bution

The 3 Pillars of Performance

What to look for

bull CPU

ndash ClusterHost utilization lt 90

ndash VM utilization - USED (ESXTOP)

ndash VM RDY Time (ESXTOP) lt 10

bull Memory

ndash Host utilization lt 85

ndash VM utilization

ndash Swapping Ballooning SWCUR gt 1 MCTLSZ gt 1 (ESXTOP)

bull Storage

ndash Disk Read Latency lt 25ms

ndash ESXTOP DAVG or KAVG lt 25ms (ESXTOP)

Horizon

ADV1592BU CONFIDENTIAL 39

VMworld 2017 Content Not fo

r publication or distri

bution

Optimize Your Images

bull httpslabsvmwarecomflingsvmware-os-optimization-tool

Horizon

ADV1592BU CONFIDENTIAL 40

VMworld 2017 Content Not fo

r publication or distri

bution

User Environment ManagerCommon Issues

VMworld 2017 Content Not fo

r publication or distri

bution

FlexEngine Appears Not To Run

FlexEngine Client

bull Requires use of Regeditexeor Regexe to modify user-based registry keys

bull Must not be disabled via Local or Group Policy

ADMX Settings

bull Minimum settings to enable FlexEngine Client

bull Check path

ADV1592BU CONFIDENTIAL 42

VMworld 2017 Content Not fo

r publication or distri

bution

Path-Based Import Runs Slow

bull Be careful not to run FlexEngine as a logon script and a Group Policy client-side extension

ADV1592BU CONFIDENTIAL 43

VMworld 2017 Content Not fo

r publication or distri

bution

Application Incompatibility with Hook DriversUser Environment

Manager

DirectFlex Blacklist

bull Create ltFlexRepositorygtDirectFlexBlackListXML

bull Populate as follows

ltxml version=10 encoding=utf-8gt

ltuserEnvironmentSettingsgt

ltsetting type=blacklist list=rdquo1exe|2exe|3exe gt

ltuserEnvironmentSettingsgt

bull Example httpskbvmwarecomkb2145287

ADV1592BU CONFIDENTIAL 44

VMworld 2017 Content Not fo

r publication or distri

bution

App VolumesCommon Issues

VMworld 2017 Content Not fo

r publication or distri

bution

Slow User Logon

bull Check Logon Segments in Horizon to determine where the delay is

bull Optimize clockyml

ndash If performance decreases as deployment scales

ndash Increasing servers workers and thread_poolrequires additional CPU and RAM

ndash Involve GSS to ensure optimal settings

ADV1592BU CONFIDENTIAL 46

VMworld 2017 Content Not fo

r publication or distri

bution

AppStack Not Attaching at Logon

ADV1592BU CONFIDENTIAL 47

bull One host in vSphere cluster does not have access to the shared datastore where the AppStack resides

ndash Common oversight especially with Storage Groups

bull Conflicting Minifilter driver

ndash DLP software

ndash Be aware of app altitude

ndash More info from Microsoft

bull httpbitly2tSCdG5VMworld 2017 Content Not fo

r publication or distri

bution

VMworld 2017 Content Not fo

r publication or distri

bution

VMworld 2017 Content Not fo

r publication or distri

bution

ADSI Edit ndash Static Configuration Editing

ADV1592BU CONFIDENTIAL 50

Horizon

VMworld 2017 Content Not fo

r publication or distri

bution

ADSI Edit ndash Common Key Values to Inspect

bull pae-DisplayName

ndash VM name as displayed in View Admin

bull pae-DirtyForNewSessions

ndash Indicates whether the VM is ldquoDirtyrdquo and can be re-used in a non-persistent pool

bull pae-SVIVMSnapshot

ndash Indicates the current Snapshot that is in use

bull pae-VmPath

ndash Indicates the full Path to the VM in vCenter

bull pae-VmState

ndash Indicates the current state of the Desktop ndash some states are a combination of this valueand other values

ADV1592BU CONFIDENTIAL 51

Horizon

VMworld 2017 Content Not fo

r publication or distri

bution

ADSI Edit ndash Searching for a Desktop

bull Find VMs with a Snapshot

ndash (amp(objectClass=pae-VM)(pae-SVIVmSnapshot=BaselineSnapshot1Snapshot2))

bull Find VMs with a Name

ndash (amp(objectClass=pae-VM)(pae-DisplayName=Desktop-234))

Horizon

ADV1592BU CONFIDENTIAL 52

VMworld 2017 Content Not fo

r publication or distri

bution

Horizon View Event Notifier

bull On the VMware Fling site - labsvmwarecomflings (chrishalstead)

Horizon

ADV1592BU CONFIDENTIAL 53

VMworld 2017 Content Not fo

r publication or distri

bution

SSL Certificates and vCenter Server Connection

Accept vCenter Certificate

bull By default certificate validation is required between App Volumes Manager and vSphere

bull Accept vCenter cert (self-signed or CA-signed) while creating the Machine Manager in App Volumes Manager

bull No custom certificate work required

App Volumes

ADV1592BU CONFIDENTIAL 54

VMworld 2017 Content Not fo

r publication or distri

bution

Certificate Options for Production

Options to Enable SSL

bull SSL is enabled by default

bull Donrsquot disable certificate validation during Agent installation

bull Enable SSL in the registry after App Volumes Agent install

ADV1592BU CONFIDENTIAL 55

Enable Certificate Validation on the App Volumes Agent

HKLMSystemCurrentControlSetServicessvservicesParametersbull EnforceSSLCertificateValidation = 1bull SSL = 1

App Volumes

VMworld 2017 Content Not fo

r publication or distri

bution

Certificate Options for a POC

bull Options to Disable SSL

bull Disable Certificate Validation with App Volumes Manager during App Volumes Agent install

bull EnforceSSLCertificateValidation in the registry after App Volumes Agent install

ADV1592BU CONFIDENTIAL 56

Disable SSL Certificate Validation on the Agent

HKLMSystemCurrentControlSetServicessvservicesParametersbull EnforceSSLCertificateValidation = 0

App Volumes

VMworld 2017 Content Not fo

r publication or distri

bution

SSL Certificates and SQL Server CommunicationSecuring Communications Between App Volumes Manager and SQL Server

bull 212 User Guide references MS Support

bull Note the differences for a SQL Server clustered installation

bull Encryption is configured on the SQL Server instance so alldatabases on a shared SQL Server will be affected

bull From the SQL Server use SQL Server Configuration Manager to configure Force Encryption and specify the SQL certificate

SQL Server service account must have Read permissions to the Private Key of the SQL Server SSL certificate

ndash Check SQL Server Configuration Manager gt SQL Server Services gt SQL Server (SQL) gt Log On

ndash Default is NT ServiceMSSQL$SQL which does not have the necessary permissions

App Volumes

ADV1592BU CONFIDENTIAL 57

VMworld 2017 Content Not fo

r publication or distri

bution

SSL Certificates and SQL Server Communication

bull Start on the SQL Server

bull MMC gt Certificates

ADV1592BU CONFIDENTIAL 58

Setting Custom Private Key Permissions for SQL Service Account

App Volumes

VMworld 2017 Content Not fo

r publication or distri

bution

SSL Certificates and Load Balancers

ADV1592BU CONFIDENTIAL 59

Typical Deployment

ndash SSL is terminated at load balancer

ndash HTTP between LB and AV Manager

ndash SSL between AV Agents and LB

ndash If trusted CA-signed cert is used for LB be sure all agents trust the CA

App Volumes Agent VMs

Load Balancer

App Volumes Manager VMs

Alternative Deployment

ndash To keep SSL between LB and AV Manager signed AV Manager certificate(s) should be added to trust list of the LB

SQLView Infrastructure

Now Secured withSSL Certificates

App Volumes

VMworld 2017 Content Not fo

r publication or distri

bution

Desktop Not Available

What to look forhellip (walk through successful connection)

bull Client requests desktop

ndash Event Database BROKER_DESKTOP_REQUEST

bull Broker allocates session to user

ndash [FarmImp] (SESSION7072--a79c) cn=3f974017-409f-4912-83bc-2ee794f22fabou=serversdc=vdidc=vmwaredc=int total session count 0

ndash [FarmImp] (SESSION7072--a79c) allocateNewSession - identified server for application CN=GOLD-NPOU=ApplicationsDC=vdiDC=vmwareDC=int

ndash Event Database BROKER_MACHINE_ALLOCATED

bull Broker attempts SSO

ndash [FarmImp] (SESSION7072--a79c) Using domain for SSO FUTUREOFFICE

ndash User wonrsquot be logged on to the VM without this

Horizon

ADV1592BU CONFIDENTIAL 60

VMworld 2017 Content Not fo

r publication or distri

bution

Desktop Not Available

What to look forhellip Pool Provisioning

bull Desktops not available due to provisioning error

ndash Check View Administrator for Pool status check datastore capacity

ndash Check Event Database - BROKER_PROVISIONING_ERROR_

ndash Check View Composer has network access to ESX hosts

bull Desktop not available due to customization

ndash Check Desktop status ndash AGENT UNAVAILABLE

ndash Check View Dashboard

bull Desktop Status gt Preparing Desktops OR Problem Desktops

ndash Check Desktop connectivity to DNSADConnection Server

Horizon

ADV1592BU CONFIDENTIAL 61

VMworld 2017 Content Not fo

r publication or distri

bution

Desktop Not Available

bull Desktop not available due to VM resetcrash

ndash Check Desktop status ndash ALREADY USED

ndash Typical on refresh-on-logoff or delete-on-use desktops

ndash Broker never received an explicit logout message from the agent

ndash Missing AGENT_ENDED event in DB for VM

bull View Composer Issues associated with incorrect domain credentials

bull CProgramDataVMwareView ComposerLogs

bull FATAL CSvmGaService - [svmGaServicecpp 116] Domain join failed Error 5 (0x5) Access is denied

Horizon

ADV1592BU CONFIDENTIAL 62

VMworld 2017 Content Not fo

r publication or distri

bution

Desktop Not Available

What to look forhellip

bull Broker starts session on VM

ndash [DesktopSessionImp] (SESSION7072--a79c) startSession ndashsending StartSession message

bull Agent respondshellip

ndash DesktopManager got a StartSession messagerdquo

ndash Client Info should be in Agent Log along with PCoIP launch

bull Event Database AGENT_PENDING

bull Client connects to VM (Agent)

ndash ldquoPCoIPCnxOnConnectionComplete Begin (PCOIP)rdquo

ndash ldquoWTS_SESSION_LOGONrdquo

ndash Event Database AGENT_CONNECTED

Horizon

ADV1592BU CONFIDENTIAL 63

VMworld 2017 Content Not fo

r publication or distri

bution

Desktop Source Not Available

Common Issues

bull No Desktop Available

bull Pool provisioning issues ndashcustomization

bull Agent not communicatingwith broker

bull Stuck at desktop loginscreen (SSO)

Horizon

ADV1592BU CONFIDENTIAL 64

VMworld 2017 Content Not fo

r publication or distri

bution

Desktop Source Not Available

Where to look

bull Event Database

bull Connection Server logs

What to look for

[SessionLaunchContext] (SESSION40a7__6cbd) VMWEUCbsimpson Desktop=vmworld Session request failed

(SESSION40a7__6cbd) [VMWEUCbsimpson Desktop=vmworld] (5ms) The following servers were blocked for new sessions [cn=5162cf76-8d8a-4ac0-9185-845a540d24e5ou=serversdc=vdidc=vmwaredc=int]

(SESSION40a7__6cbd) [VMWEUCbsimpson Desktop=vmworld] (5ms) Application launch failed exception was The desktop sources for this desktop are not responding Please try again later

Horizon

ADV1592BU CONFIDENTIAL 65

VMworld 2017 Content Not fo

r publication or distri

bution

Page 32: ADV1592BU Troubleshooting Your Horizon 7 Deployment … · Troubleshooting Your Horizon 7 Deployment VMworld 2017 ... (SCCM Toolkit) Horizon ... Troubleshooting Horizon

Blast Extreme Adaptive Transport

Client Settings Agent Settings (UDP) Blast Desktop Connection Broker Connection

Excellent Not configured or Enabled TCP TCP

Typical Not configured or Enabled UDP TCP

Poor Not configured or Enabled UDP UDP

Computer gt Policies gt Admin Templates gt VMware Blast gt UDP Protocol ndash Not Configured or Enabled

HKLMSOFTWAREPoliciesVMware IncVMware BlastConfig ndash UdpEnabled = 1

Client Settings Agent Settings (UDP) Blast Desktop Connection Broker Connection

Excellent Disabled TCP TCP

Typical Disabled TCP TCP

Poor Disabled TCP UDP

Computer gt Policies gt Admin Templates gt VMware Blast gt UDP Protocol ndash Disabled

HKLMSOFTWAREPoliciesVMware IncVMware BlastConfig ndash UdpEnabled = 0

BlastExtreme

ADV1592BU CONFIDENTIAL 32

VMworld 2017 Content Not fo

r publication or distri

bution

Horizon Connectivity Issues

bull Where to look

ndash Connection Broker logs

bull CProgramDataVMwareVDMlogs

ndash Event Database

ndash DCT Tool

bull What to look for ndash

bull (Client connects) [SimpleAJPService] (ajpbrokerRequest9) Request from 19216821 POST brokerxml

bull (Broker authentication) [WinAuthFilter] (SESSION7072--a79c mattc) Attempting to authenticate user mattc in domain FUTUREOFFICErsquo

bull (User has authenticated to Broker) [AuthorizationFilter] (SESSION7072--a79c) User FUTUREOFFICEmattc has successfully authenticated to VDM

bull (Audit Entry) [Audit] (SESSION7072--a79c) BROKER_LOGONUSERFUTUREOFFICEmattcUSERSIDS-1-5-21-326850759-2560684469-1780228732-1113USERDNCN=S-1-5-21-326850759-2560684469-1780228732-1113CN=ForeignSecurityPrincipalsDC=vdiDC=vmwareDC=int

bull Event Database BROKER_USERLOGGEDIN

Horizon

ADV1592BU CONFIDENTIAL 33

VMworld 2017 Content Not fo

r publication or distri

bution

User Experience Issues

bull Black screen of deathmdashinstead of desktop

ndash PCoIP port blocked (TCP and UDP 4172) or SVGA Driver issue

ndash pcoip_serverclient logs - CUsersAll UsersVMwareVDMlogs

bull Error attaching to SVGADevTap error 4000 EscapeFailed

bull MGMT_SCHAN scnet_client_open tera_sock_connect returned error 10060 - Connection timed out

ndash Incorrect PCoIP External URL configured for SecurityConnection Servers

Horizon

ADV1592BU CONFIDENTIAL 34

VMworld 2017 Content Not fo

r publication or distri

bution

User Experience Issues

• Poor quality display
  – Bandwidth, latency or QoS
  – pcoip_server logs report
    • VGMAC: Stat frms: Loss=0.45%/0.21% (R/T)
    • MGMT_PCOIP_DATA: BW: Decrease (loss) old = 2349982 new = 1768438
• Randomly disconnected session
  – 15 min after established - wssm process hasn't started on desktop
  – View Agent logs (<DriveLetter>:\ProgramData\VMware\VDM\logs)
  – PENDING_EXPIRED
  – Sometimes caused by daisy-chaining the GINA (WinXP)


Multi-VLAN support for Instant Clone pools
Tips to Avoid Deployment Issues

Support
• vSphere 2016
• ESXi 6.0 U1 or newer
• Virtual Distributed Switch only
  – No support for Standard Switch
• Port Group must be configured for Static Port Binding & Fixed Port Allocation
  – No support for Dynamic or Ephemeral

Tested Limits
• No multi-VLAN provisioning with IPv6
• Single IC pool of 2K VMs


Multi-VLAN with Horizon Instant Clones
Troubleshooting


Desktop Performance

• Common Issues
  – Storage I/O bottleneck
  – Memory contention
  – CPU contention
  – Network issues
• Where to look
  – vCenter Server
  – VCOPs
  – ESXTOP
  – 3rd Party Tools


The 3 Pillars of Performance

What to look for
• CPU
  – Cluster/Host utilization < 90%
  – VM utilization - %USED (ESXTOP)
  – VM %RDY Time (ESXTOP) < 10%
• Memory
  – Host utilization < 85%
  – VM utilization
  – Swapping / Ballooning: SWCUR > 1, MCTLSZ > 1 (ESXTOP)
• Storage
  – Disk Read Latency < 25ms
  – ESXTOP DAVG or KAVG < 25ms (ESXTOP)


Optimize Your Images

• https://labs.vmware.com/flings/vmware-os-optimization-tool


User Environment Manager
Common Issues


FlexEngine Appears Not To Run

FlexEngine Client
• Requires use of Regedit.exe or Reg.exe to modify user-based registry keys
• Must not be disabled via Local or Group Policy

ADMX Settings
• Minimum settings to enable FlexEngine Client
• Check path


Path-Based Import Runs Slow

• Be careful not to run FlexEngine as both a logon script and a Group Policy client-side extension


Application Incompatibility with Hook Drivers

DirectFlex Blacklist
• Create <FlexRepository>DirectFlexBlackListXML
• Populate as follows:

<?xml version="1.0" encoding="utf-8"?>
<userEnvironmentSettings>
    <setting type="blacklist" list="1.exe|2.exe|3.exe" />
</userEnvironmentSettings>

• Example: https://kb.vmware.com/kb/2145287


App Volumes
Common Issues


Slow User Logon

• Check Logon Segments in Horizon to determine where the delay is
• Optimize clock.yml
  – If performance decreases as deployment scales
  – Increasing servers, workers and thread_pool requires additional CPU and RAM
  – Involve GSS to ensure optimal settings


AppStack Not Attaching at Logon


• One host in vSphere cluster does not have access to the shared datastore where the AppStack resides
  – Common oversight, especially with Storage Groups
• Conflicting Minifilter driver
  – DLP software
  – Be aware of app altitude
  – More info from Microsoft
    • http://bit.ly/2tSCdG5


ADSI Edit – Static Configuration Editing


ADSI Edit – Common Key Values to Inspect

• pae-DisplayName
  – VM name as displayed in View Admin
• pae-DirtyForNewSessions
  – Indicates whether the VM is "Dirty" and can be re-used in a non-persistent pool
• pae-SVIVMSnapshot
  – Indicates the current Snapshot that is in use
• pae-VmPath
  – Indicates the full Path to the VM in vCenter
• pae-VmState
  – Indicates the current state of the Desktop – some states are a combination of this value and other values


ADSI Edit – Searching for a Desktop

• Find VMs with a Snapshot
  – (&(objectClass=pae-VM)(pae-SVIVmSnapshot=/Baseline/Snapshot1/Snapshot2))
• Find VMs with a Name
  – (&(objectClass=pae-VM)(pae-DisplayName=Desktop-234))


Horizon View Event Notifier

• On the VMware Fling site - labs.vmware.com/flings (chrishalstead)


SSL Certificates and vCenter Server Connection

Accept vCenter Certificate
• By default, certificate validation is required between App Volumes Manager and vSphere
• Accept vCenter cert (self-signed or CA-signed) while creating the Machine Manager in App Volumes Manager
• No custom certificate work required


Certificate Options for Production

Options to Enable SSL
• SSL is enabled by default
• Don't disable certificate validation during Agent installation
• Enable SSL in the registry after App Volumes Agent install

Enable Certificate Validation on the App Volumes Agent
HKLM\System\CurrentControlSet\Services\svservices\Parameters
• EnforceSSLCertificateValidation = 1
• SSL = 1


Certificate Options for a POC

• Options to Disable SSL
  • Disable Certificate Validation with App Volumes Manager during App Volumes Agent install
  • EnforceSSLCertificateValidation in the registry after App Volumes Agent install

Disable SSL Certificate Validation on the Agent
HKLM\System\CurrentControlSet\Services\svservices\Parameters
• EnforceSSLCertificateValidation = 0
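An added audit example (not VMware tooling and not from the presentation) for the two agent values on the production and POC slides: it parses `reg query` output collected from each desktop and flags agents still carrying the POC settings. Host names and sample output are constructed, the key path is as printed on the slide, and an absent value is treated as the default because the slides state that SSL and certificate validation are enabled by default.

```python
import re

# One value line of `reg query` output: indent, value name, type, data.
VALUE_RE = re.compile(r"^\s+(\S+)\s+(REG_[A-Z_]+)\s+(.*)$")

# Production values from the slide.
EXPECTED = {"EnforceSSLCertificateValidation": 1, "SSL": 1}

# Key path as printed on the slide; the parser does not depend on it.
KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\svservices\Parameters"


def parse_reg_query(text):
    """Return {value_name: raw_data} from `reg query <key>` output."""
    values = {}
    for line in text.splitlines():
        m = VALUE_RE.match(line)   # key header and blank lines do not match
        if m:
            values[m.group(1)] = m.group(3).strip()
    return values


def parse_number(data):
    """Accept 0x1 (REG_DWORD as printed by reg.exe) as well as plain 1 or 01."""
    for base in (0, 10):
        try:
            return int(data, base)
        except ValueError:
            continue
    return None


def audit_agent(text):
    """Classify each expected value as ok, insecure, default or unparseable."""
    values = parse_reg_query(text)
    result = {}
    for name, want in EXPECTED.items():
        if name not in values:
            result[name] = "default"       # assumption: default is enabled
            continue
        got = parse_number(values[name])
        if got is None:
            result[name] = "unparseable"
        else:
            result[name] = "ok" if got == want else "insecure"
    return result


def non_compliant(fleet):
    """Hosts where any value is insecure or could not be read."""
    bad = []
    for host, text in fleet.items():
        states = audit_agent(text).values()
        if "insecure" in states or "unparseable" in states:
            bad.append(host)
    return sorted(bad)


def sample(**dwords):
    """Build constructed `reg query` output for the example fleet."""
    lines = ["", KEY]
    lines += [f"    {name}    REG_DWORD    {hex(value)}" for name, value in dwords.items()]
    return "\n".join(lines) + "\n"


# Constructed fleet: one hardened agent, one left in POC mode, one with SSL off.
FLEET = {
    "vdi-001": sample(EnforceSSLCertificateValidation=1, SSL=1),
    "vdi-002": sample(EnforceSSLCertificateValidation=0, SSL=1),
    "vdi-003": sample(SSL=0),
}

if __name__ == "__main__":
    for host in sorted(FLEET):
        print(host, audit_agent(FLEET[host]))
    print("needs remediation:", non_compliant(FLEET))
```
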


SSL Certificates and SQL Server Communication
Securing Communications Between App Volumes Manager and SQL Server

• 2.12 User Guide references MS Support
• Note the differences for a SQL Server clustered installation
• Encryption is configured on the SQL Server instance, so all databases on a shared SQL Server will be affected
• From the SQL Server, use SQL Server Configuration Manager to configure Force Encryption and specify the SQL certificate

SQL Server service account must have Read permissions to the Private Key of the SQL Server SSL certificate
  – Check SQL Server Configuration Manager > SQL Server Services > SQL Server (SQL) > Log On
  – Default is NT Service\MSSQL$SQL, which does not have the necessary permissions


SSL Certificates and SQL Server Communication
Setting Custom Private Key Permissions for SQL Service Account

• Start on the SQL Server
• MMC > Certificates


SSL Certificates and Load Balancers

Typical Deployment
  – SSL is terminated at load balancer
  – HTTP between LB and AV Manager
  – SSL between AV Agents and LB
  – If trusted CA-signed cert is used for LB, be sure all agents trust the CA

Alternative Deployment
  – To keep SSL between LB and AV Manager, signed AV Manager certificate(s) should be added to trust list of the LB

[Diagram: App Volumes Agent VMs, Load Balancer, App Volumes Manager VMs, SQL, View Infrastructure; now secured with SSL certificates]


Desktop Not Available

What to look for… (walk through successful connection)
• Client requests desktop
  – Event Database: BROKER_DESKTOP_REQUEST
• Broker allocates session to user
  – [FarmImp] (SESSION7072--a79c) cn=3f974017-409f-4912-83bc-2ee794f22fab,ou=servers,dc=vdi,dc=vmware,dc=int total session count 0
  – [FarmImp] (SESSION7072--a79c) allocateNewSession - identified server for application CN=GOLD-NP,OU=Applications,DC=vdi,DC=vmware,DC=int
  – Event Database: BROKER_MACHINE_ALLOCATED
• Broker attempts SSO
  – [FarmImp] (SESSION7072--a79c) Using domain for SSO FUTUREOFFICE
  – User won't be logged on to the VM without this


Desktop Not Available

What to look for… Pool Provisioning
• Desktops not available due to provisioning error
  – Check View Administrator for Pool status, check datastore capacity
  – Check Event Database - BROKER_PROVISIONING_ERROR_
  – Check View Composer has network access to ESX hosts
• Desktop not available due to customization
  – Check Desktop status – AGENT UNAVAILABLE
  – Check View Dashboard
    • Desktop Status > Preparing Desktops OR Problem Desktops
  – Check Desktop connectivity to DNS/AD/Connection Server


Desktop Not Available

• Desktop not available due to VM reset/crash
  – Check Desktop status – ALREADY USED
  – Typical on refresh-on-logoff or delete-on-use desktops
  – Broker never received an explicit logout message from the agent
  – Missing AGENT_ENDED event in DB for VM
• View Composer issues associated with incorrect domain credentials
  • C:\ProgramData\VMware\View Composer\Logs
  • FATAL CSvmGaService - [svmGaService.cpp, 116] Domain join failed. Error 5 (0x5): Access is denied


Desktop Not Available

What to look for…
• Broker starts session on VM
  – [DesktopSessionImp] (SESSION7072--a79c) startSession - sending StartSession message
• Agent responds…
  – "DesktopManager got a StartSession message"
  – Client Info should be in Agent Log along with PCoIP launch
• Event Database: AGENT_PENDING
• Client connects to VM (Agent)
  – "PCoIPCnxOnConnectionComplete: Begin (PCOIP)"
  – "WTS_SESSION_LOGON"
  – Event Database: AGENT_CONNECTED


Desktop Source Not Available

Common Issues
• No Desktop Available
• Pool provisioning issues – customization
• Agent not communicating with broker
• Stuck at desktop login screen (SSO)


Desktop Source Not Available

Where to look
• Event Database
• Connection Server logs

What to look for

[SessionLaunchContext] (SESSION40a7__6cbd) VMWEUC\bsimpson Desktop=vmworld Session request failed

(SESSION40a7__6cbd) [VMWEUC\bsimpson Desktop=vmworld] (5ms) The following servers were blocked for new sessions [cn=5162cf76-8d8a-4ac0-9185-845a540d24e5,ou=servers,dc=vdi,dc=vmware,dc=int]

(SESSION40a7__6cbd) [VMWEUC\bsimpson Desktop=vmworld] (5ms) Application launch failed, exception was: The desktop sources for this desktop are not responding. Please try again later.
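The broker-side sequence from the "Horizon Connectivity Issues", "Desktop Not Available" and "Desktop Source Not Available" slides, as an added example (not from the presentation or VMware): a Python tracer that groups Connection Server log lines by session token and reports the last stage each session reached. Component tags and message fragments come from the slides; the timestamps, session tokens, users and sample lines are constructed.

```python
import re
from collections import OrderedDict

# (stage name, log component, message fragment), in the order the slides
# walk through a successful launch on the Connection Server.
STAGES = [
    ("auth_attempt", "WinAuthFilter", "Attempting to authenticate user"),
    ("authenticated", "AuthorizationFilter", "has successfully authenticated"),
    ("audit_logon", "Audit", "BROKER_LOGON"),
    ("allocated", "FarmImp", "allocateNewSession"),
    ("sso_domain", "FarmImp", "Using domain for SSO"),
    ("start_session", "DesktopSessionImp", "startSession"),
]
# Message fragments from the "Desktop Source Not Available" slide.
FAILURES = [
    "Session request failed",
    "were blocked for new sessions",
    "Application launch failed",
]

SESSION_RE = re.compile(r"\((SESSION[^\s)]*)")   # token ends at a space or ')'
COMPONENT_RE = re.compile(r"\[([A-Za-z]+)\]")    # e.g. [FarmImp]

# Constructed sample: prefix, token format, users and addresses are made up.
SAMPLE_LOG = r"""
2017-08-01T09:00:00.950 DEBUG [SimpleAJPService] (ajp:broker:Request9) Request from /192.0.2.10: POST /broker/xml
2017-08-01T09:00:01.101 DEBUG [WinAuthFilter] (SESSION:7072_a79c mattc) Attempting to authenticate user 'mattc' in domain 'FUTUREOFFICE'
2017-08-01T09:00:01.240 DEBUG [AuthorizationFilter] (SESSION:7072_a79c) User FUTUREOFFICE\mattc has successfully authenticated to VDM
2017-08-01T09:00:01.245 INFO [Audit] (SESSION:7072_a79c) BROKER_LOGON:USER:FUTUREOFFICE\mattc;USERSID:<sid>;USERDN:<dn>
2017-08-01T09:00:03.310 DEBUG [FarmImp] (SESSION:7072_a79c) allocateNewSession - identified server for application CN=GOLD-NP,OU=Applications,DC=vdi,DC=vmware,DC=int
2017-08-01T09:00:03.315 DEBUG [FarmImp] (SESSION:7072_a79c) Using domain for SSO FUTUREOFFICE
2017-08-01T09:00:03.402 DEBUG [DesktopSessionImp] (SESSION:7072_a79c) startSession - sending StartSession message
2017-08-01T09:05:10.010 DEBUG [WinAuthFilter] (SESSION:40a7_6cbd bsimpson) Attempting to authenticate user 'bsimpson' in domain 'VMWEUC'
2017-08-01T09:05:10.120 DEBUG [AuthorizationFilter] (SESSION:40a7_6cbd) User VMWEUC\bsimpson has successfully authenticated to VDM
2017-08-01T09:05:12.500 INFO [SessionLaunchContext] (SESSION:40a7_6cbd) VMWEUC\bsimpson Desktop=vmworld Session request failed
2017-08-01T09:05:12.505 DEBUG (SESSION:40a7_6cbd) [VMWEUC\bsimpson Desktop=vmworld] (5ms) The following servers were blocked for new sessions [cn=<server-guid>,ou=servers,dc=vdi,dc=vmware,dc=int]
2017-08-01T09:05:12.506 DEBUG (SESSION:40a7_6cbd) [VMWEUC\bsimpson Desktop=vmworld] (5ms) Application launch failed, exception was: The desktop sources for this desktop are not responding.
2017-08-01T09:07:44.000 DEBUG [WinAuthFilter] (SESSION:19c2_0e4f jdoe) Attempting to authenticate user 'jdoe' in domain 'FUTUREOFFICE'
"""


def trace_sessions(lines):
    """Group log lines by session token; record stages reached and failures."""
    sessions = OrderedDict()
    for line in lines:
        token = SESSION_RE.search(line)
        if not token:
            continue  # e.g. the initial [SimpleAJPService] request has no session
        rec = sessions.setdefault(token.group(1), {"stages": [], "failures": []})
        comp = COMPONENT_RE.search(line)
        comp = comp.group(1) if comp else ""
        for name, component, fragment in STAGES:
            if comp == component and fragment in line and name not in rec["stages"]:
                rec["stages"].append(name)
        for fragment in FAILURES:
            if fragment in line:
                rec["failures"].append(fragment)
    return sessions


def summarize(rec):
    """Return (status, last stage reached, failure text or next expected stage)."""
    order = [name for name, _, _ in STAGES]
    reached = [s for s in order if s in rec["stages"]]
    missing = [s for s in order if s not in rec["stages"]]
    last = reached[-1] if reached else None
    if rec["failures"]:
        return ("failed", last, rec["failures"][-1])
    if not missing:
        return ("broker_complete", last, None)   # continue in the agent log
    return ("stalled", last, missing[0])


def report(text):
    return {tok: summarize(rec) for tok, rec in trace_sessions(text.splitlines()).items()}


if __name__ == "__main__":
    for token, result in report(SAMPLE_LOG).items():
        print(token, result)
```

A session that stops at `auth_attempt` never authenticated to the broker, and one that is `broker_complete` should be followed into the View Agent log for the StartSession and AGENT_CONNECTED steps.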



Page 34: ADV1592BU Troubleshooting Your Horizon 7 Deployment … · Troubleshooting Your Horizon 7 Deployment VMworld 2017 ... (SCCM Toolkit) Horizon ... Troubleshooting Horizon

User Experience Issues

bull Black screen of deathmdashinstead of desktop

ndash PCoIP port blocked (TCP and UDP 4172) or SVGA Driver issue

ndash pcoip_serverclient logs - CUsersAll UsersVMwareVDMlogs

bull Error attaching to SVGADevTap error 4000 EscapeFailed

bull MGMT_SCHAN scnet_client_open tera_sock_connect returned error 10060 - Connection timed out

ndash Incorrect PCoIP External URL configured for SecurityConnection Servers

Horizon

ADV1592BU CONFIDENTIAL 34

VMworld 2017 Content Not fo

r publication or distri

bution

User Experience Issues

bull Poor quality display

ndash Bandwidth latency or QoS

ndash Pcoip_server logs report

bull VGMAC Stat frms Loss=045021 (RT)

bull MGMT_PCOIP_DATA BW Decrease (loss) old = 2349982 new = 1768438

bull Randomly disconnected session

ndash 15 min after established - wssm process hasnt started on desktop

ndash View Agent logs (ltDriveLettergtProgramDataVMwareVDMlogs)

ndash PENDING_EXPIRED

ndash Sometimes caused by daisy-chaining the GINA (WinXP)

Horizon

ADV1592BU CONFIDENTIAL 35

VMworld 2017 Content Not fo

r publication or distri

bution

Multi-VLAN support for Instant Clone poolsTips to Avoid Deployment Issues

Support

bull vSphere 2016

bull ESXi 60 U1 or newer

bull Virtual Distributed Switch only

ndash No support for Standard Switch

bull Port Group must be configured for Static Port Binding amp Fixed Port Allocation

ndash No support for Dynamic or Ephemeral

Tested Limits

bull No multi-VLAN provisioning with IPv6

bull Single IC pool of 2K VMs

Horizon

ADV1592BU CONFIDENTIAL 36

VMworld 2017 Content Not fo

r publication or distri

bution

Multi-VLAN with Horizon Instant ClonesTroubleshooting

Horizon

ADV1592BU CONFIDENTIAL 37

VMworld 2017 Content Not fo

r publication or distri

bution

Desktop Performance

bull Common Issues

ndash Storage IO bottleneck

ndash Memory contention

ndash CPU contention

ndash Network issues

bull Where to look

ndash vCenter Server

ndash VCOPs

ndash ESXTOP

ndash 3rd Party Tools

Horizon

ADV1592BU CONFIDENTIAL 38

VMworld 2017 Content Not fo

r publication or distri

bution

The 3 Pillars of Performance

What to look for

bull CPU

ndash ClusterHost utilization lt 90

ndash VM utilization - USED (ESXTOP)

ndash VM RDY Time (ESXTOP) lt 10

bull Memory

ndash Host utilization lt 85

ndash VM utilization

ndash Swapping Ballooning SWCUR gt 1 MCTLSZ gt 1 (ESXTOP)

bull Storage

ndash Disk Read Latency lt 25ms

ndash ESXTOP DAVG or KAVG lt 25ms (ESXTOP)

Horizon

ADV1592BU CONFIDENTIAL 39

VMworld 2017 Content Not fo

r publication or distri

bution

Optimize Your Images

bull httpslabsvmwarecomflingsvmware-os-optimization-tool

Horizon

ADV1592BU CONFIDENTIAL 40

VMworld 2017 Content Not fo

r publication or distri

bution

User Environment ManagerCommon Issues

VMworld 2017 Content Not fo

r publication or distri

bution

FlexEngine Appears Not To Run

FlexEngine Client

bull Requires use of Regeditexeor Regexe to modify user-based registry keys

bull Must not be disabled via Local or Group Policy

ADMX Settings

bull Minimum settings to enable FlexEngine Client

bull Check path

ADV1592BU CONFIDENTIAL 42

VMworld 2017 Content Not fo

r publication or distri

bution

Path-Based Import Runs Slow

bull Be careful not to run FlexEngine as a logon script and a Group Policy client-side extension

ADV1592BU CONFIDENTIAL 43

VMworld 2017 Content Not fo

r publication or distri

bution

Application Incompatibility with Hook DriversUser Environment

Manager

DirectFlex Blacklist

bull Create ltFlexRepositorygtDirectFlexBlackListXML

bull Populate as follows

ltxml version=10 encoding=utf-8gt

ltuserEnvironmentSettingsgt

ltsetting type=blacklist list=rdquo1exe|2exe|3exe gt

ltuserEnvironmentSettingsgt

bull Example httpskbvmwarecomkb2145287

ADV1592BU CONFIDENTIAL 44

VMworld 2017 Content Not fo

r publication or distri

bution

App VolumesCommon Issues

VMworld 2017 Content Not fo

r publication or distri

bution

Slow User Logon

bull Check Logon Segments in Horizon to determine where the delay is

bull Optimize clockyml

ndash If performance decreases as deployment scales

ndash Increasing servers workers and thread_poolrequires additional CPU and RAM

ndash Involve GSS to ensure optimal settings

ADV1592BU CONFIDENTIAL 46

VMworld 2017 Content Not fo

r publication or distri

bution

AppStack Not Attaching at Logon

ADV1592BU CONFIDENTIAL 47

bull One host in vSphere cluster does not have access to the shared datastore where the AppStack resides

ndash Common oversight especially with Storage Groups

bull Conflicting Minifilter driver

ndash DLP software

ndash Be aware of app altitude

ndash More info from Microsoft

bull httpbitly2tSCdG5VMworld 2017 Content Not fo

r publication or distri

bution

VMworld 2017 Content Not fo

r publication or distri

bution

VMworld 2017 Content Not fo

r publication or distri

bution

ADSI Edit ndash Static Configuration Editing

ADV1592BU CONFIDENTIAL 50

Horizon

VMworld 2017 Content Not fo

r publication or distri

bution

ADSI Edit – Common Key Values to Inspect

• pae-DisplayName
  – VM name as displayed in View Admin
• pae-DirtyForNewSessions
  – Indicates whether the VM is “Dirty” and can be re-used in a non-persistent pool
• pae-SVIVMSnapshot
  – Indicates the current Snapshot that is in use
• pae-VmPath
  – Indicates the full Path to the VM in vCenter
• pae-VmState
  – Indicates the current state of the Desktop – some states are a combination of this value and other values

Horizon

ADSI Edit – Searching for a Desktop

• Find VMs with a Snapshot
  – (&(objectClass=pae-VM)(pae-SVIVmSnapshot=/Baseline/Snapshot1/Snapshot2))
• Find VMs with a Name
  – (&(objectClass=pae-VM)(pae-DisplayName=Desktop-234))

Horizon
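The name search from this slide as a read-only PowerShell query, added here as an example and not part of the original deck. It assumes it runs on a Connection Server with the View LDAP instance on localhost:389 and the OU=Servers,DC=vdi,DC=vmware,DC=int base seen in the deck's log lines; the function name is this example's own.

```powershell
# Added example: read-only lookup of pae-VM objects by display name.
# Assumptions: View LDAP on localhost:389, base DN taken from the deck's log
# lines, and the current account is allowed to read the directory.
[CmdletBinding()]
param(
    [Parameter(Mandatory)][string]$DisplayName,
    [string]$Server = 'localhost:389',
    [string]$BaseDn = 'OU=Servers,DC=vdi,DC=vmware,DC=int'
)

function ConvertTo-LdapFilterValue {
    # Escape the RFC 4515 special characters so the name is always treated
    # as a literal value and can never change the shape of the filter.
    param([Parameter(Mandatory)][string]$Value)
    $escape = @{ '\' = '\5c'; '*' = '\2a'; '(' = '\28'; ')' = '\29'; "`0" = '\00' }
    -join ($Value.ToCharArray() | ForEach-Object {
        $c = [string]$_
        if ($escape.ContainsKey($c)) { $escape[$c] } else { $c }
    })
}

# Attributes from the "Common Key Values to Inspect" slide.
[string[]]$attrs = 'pae-DisplayName', 'pae-DirtyForNewSessions',
                   'pae-SVIVmSnapshot', 'pae-VmPath', 'pae-VmState'

$filter = '(&(objectClass=pae-VM)(pae-DisplayName={0}))' -f (ConvertTo-LdapFilterValue -Value $DisplayName)

$root     = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Server/$BaseDn")
$searcher = New-Object System.DirectoryServices.DirectorySearcher($root, $filter)
$searcher.SearchScope = [System.DirectoryServices.SearchScope]::Subtree
$searcher.PropertiesToLoad.AddRange($attrs)

$results = $null
try {
    $results = $searcher.FindAll()
    foreach ($hit in $results) {
        $row = [ordered]@{ Path = $hit.Path }
        foreach ($a in $attrs) {
            # Result property names are stored in lower case.
            $vals = $hit.Properties[$a.ToLower()]
            $row[$a] = if ($null -ne $vals -and $vals.Count -gt 0) { $vals[0] } else { $null }
        }
        [pscustomobject]$row
    }
}
finally {
    if ($null -ne $results) { $results.Dispose() }
    $searcher.Dispose()
    $root.Dispose()
}
```

Nothing is written back to the directory, so the lookup can be run before deciding whether an edit in ADSI Edit is needed at all.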

Horizon View Event Notifier

• On the VMware Fling site - labs.vmware.com/flings (chrishalstead)

Horizon

SSL Certificates and vCenter Server Connection

Accept vCenter Certificate

• By default, certificate validation is required between App Volumes Manager and vSphere
• Accept vCenter cert (self-signed or CA-signed) while creating the Machine Manager in App Volumes Manager
• No custom certificate work required

App Volumes

Certificate Options for Production

Options to Enable SSL

• SSL is enabled by default
• Don’t disable certificate validation during Agent installation
• Enable SSL in the registry after App Volumes Agent install

Enable Certificate Validation on the App Volumes Agent

HKLM\System\CurrentControlSet\Services\svservices\Parameters
• EnforceSSLCertificateValidation = 1
• SSL = 1

App Volumes

Certificate Options for a POC

• Options to Disable SSL
• Disable Certificate Validation with App Volumes Manager during App Volumes Agent install
• EnforceSSLCertificateValidation in the registry after App Volumes Agent install

Disable SSL Certificate Validation on the Agent

HKLM\System\CurrentControlSet\Services\svservices\Parameters
• EnforceSSLCertificateValidation = 0

App Volumes
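An added example (not from the slides or from VMware tooling) that audits an agent VM for the two registry values shown on the production and POC slides, so a POC setting left behind in production shows up. The key path is reconstructed from the slide text, and the function and parameter names are this example's own.

```powershell
# Added example: report the App Volumes Agent SSL settings on this machine.
[CmdletBinding()]
param(
    # Key path as reconstructed from the slide; confirm the service key name
    # on your own agent build before trusting a "key not found" result.
    [string]$KeyPath = 'HKLM:\System\CurrentControlSet\Services\svservices\Parameters'
)

function Get-AgentSslPosture {
    param([Parameter(Mandatory)][string]$Path)

    $report = [ordered]@{
        Computer                        = $env:COMPUTERNAME
        KeyPath                         = $Path
        SSL                             = 'key not found'
        EnforceSSLCertificateValidation = 'key not found'
        MatchesProductionSlide          = $false
    }
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]$report
    }

    $key = Get-Item -LiteralPath $Path
    foreach ($name in 'SSL', 'EnforceSSLCertificateValidation') {
        # A missing value is reported separately from an explicit 0, because
        # the slide only states what 1 and 0 mean.
        $value = $key.GetValue($name, $null)
        if ($null -eq $value) {
            $report[$name] = 'not set'
        } elseif ("$value" -eq '1') {
            $report[$name] = 'enabled (1)'
        } else {
            $report[$name] = "other ($value)"
        }
    }

    # Production slide: EnforceSSLCertificateValidation = 1 and SSL = 1.
    $report.MatchesProductionSlide =
        ($report.SSL -eq 'enabled (1)') -and
        ($report.EnforceSSLCertificateValidation -eq 'enabled (1)')

    [pscustomobject]$report
}

$posture = Get-AgentSslPosture -Path $KeyPath
$posture

# Non-zero exit code lets a scheduled task or compliance job flag the VM.
if (-not $posture.MatchesProductionSlide) { exit 1 }
```

Run it inside the parent VM before the pool is published, so every clone inherits the checked setting.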

SSL Certificates and SQL Server Communication

Securing Communications Between App Volumes Manager and SQL Server

• 2.12 User Guide references MS Support
• Note the differences for a SQL Server clustered installation
• Encryption is configured on the SQL Server instance, so all databases on a shared SQL Server will be affected
• From the SQL Server, use SQL Server Configuration Manager to configure Force Encryption and specify the SQL certificate

SQL Server service account must have Read permissions to the Private Key of the SQL Server SSL certificate
  – Check SQL Server Configuration Manager > SQL Server Services > SQL Server (SQL) > Log On
  – Default is NT Service\MSSQL$SQL, which does not have the necessary permissions

App Volumes

SSL Certificates and SQL Server Communication

• Start on the SQL Server
• MMC > Certificates

Setting Custom Private Key Permissions for SQL Service Account

App Volumes

SSL Certificates and Load Balancers

Typical Deployment
  – SSL is terminated at load balancer
  – HTTP between LB and AV Manager
  – SSL between AV Agents and LB
  – If trusted CA-signed cert is used for LB, be sure all agents trust the CA

[Diagram: App Volumes Agent VMs, Load Balancer, App Volumes Manager VMs]

Alternative Deployment
  – To keep SSL between LB and AV Manager, signed AV Manager certificate(s) should be added to trust list of the LB

[Diagram: SQL, View Infrastructure; "Now Secured with SSL Certificates"]

App Volumes

Desktop Not Available

What to look for… (walk through successful connection)

• Client requests desktop
  – Event Database: BROKER_DESKTOP_REQUEST
• Broker allocates session to user
  – [FarmImp] (SESSION7072--a79c) cn=3f974017-409f-4912-83bc-2ee794f22fab,ou=servers,dc=vdi,dc=vmware,dc=int total session count 0
  – [FarmImp] (SESSION7072--a79c) allocateNewSession - identified server for application CN=GOLD-NP,OU=Applications,DC=vdi,DC=vmware,DC=int
  – Event Database: BROKER_MACHINE_ALLOCATED
• Broker attempts SSO
  – [FarmImp] (SESSION7072--a79c) Using domain for SSO FUTUREOFFICE
  – User won’t be logged on to the VM without this

Horizon

Desktop Not Available

What to look for… Pool Provisioning

• Desktops not available due to provisioning error
  – Check View Administrator for Pool status, check datastore capacity
  – Check Event Database - BROKER_PROVISIONING_ERROR_
  – Check View Composer has network access to ESX hosts
• Desktop not available due to customization
  – Check Desktop status – AGENT UNAVAILABLE
  – Check View Dashboard
    • Desktop Status > Preparing Desktops OR Problem Desktops
  – Check Desktop connectivity to DNS/AD/Connection Server

Horizon

Desktop Not Available

• Desktop not available due to VM reset/crash
  – Check Desktop status – ALREADY USED
  – Typical on refresh-on-logoff or delete-on-use desktops
  – Broker never received an explicit logout message from the agent
  – Missing AGENT_ENDED event in DB for VM
• View Composer Issues associated with incorrect domain credentials
• C:\ProgramData\VMware\View Composer\Logs
• FATAL CSvmGaService - [svmGaService.cpp 116] Domain join failed Error 5 (0x5) Access is denied

Horizon

Desktop Not Available

What to look for…

• Broker starts session on VM
  – [DesktopSessionImp] (SESSION7072--a79c) startSession – sending StartSession message
• Agent responds…
  – “DesktopManager got a StartSession message”
  – Client Info should be in Agent Log along with PCoIP launch
• Event Database: AGENT_PENDING
• Client connects to VM (Agent)
  – “PCoIPCnxOnConnectionComplete Begin (PCOIP)”
  – “WTS_SESSION_LOGON”
  – Event Database: AGENT_CONNECTED

Horizon
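An added example, not from the deck: it walks exported Event Database rows through the four events of the successful-connection walkthrough and reports where each launch stalled. The rows are constructed, and the column names (Time, EventType, User, Machine) and function name are hypothetical.

```powershell
# Added example: find the first walkthrough event a desktop launch never reached.

# Event order from the walkthrough slides, with the deck's follow-up checks
# for a launch that stops before that event.
$Stages = @(
    [pscustomobject]@{ Event = 'BROKER_DESKTOP_REQUEST'
                       IfMissing = 'Client request never reached the broker' }
    [pscustomobject]@{ Event = 'BROKER_MACHINE_ALLOCATED'
                       IfMissing = 'Pool provisioning: pool status, datastore capacity, BROKER_PROVISIONING_ERROR_ events' }
    [pscustomobject]@{ Event = 'AGENT_PENDING'
                       IfMissing = 'Agent not communicating with broker: desktop status, DNS/AD/Connection Server connectivity' }
    [pscustomobject]@{ Event = 'AGENT_CONNECTED'
                       IfMissing = 'Agent log: PCoIP connection complete, WTS_SESSION_LOGON, PENDING_EXPIRED' }
)

function Get-LaunchAttempt {
    param([Parameter(Mandatory)][object[]]$Events)

    $open     = @{}   # user -> attempt currently being built
    $attempts = New-Object 'System.Collections.Generic.List[object]'

    foreach ($e in ($Events | Sort-Object { [datetime]$_.Time })) {
        if ($e.EventType -eq 'BROKER_DESKTOP_REQUEST') {
            # Each request opens a new attempt for that user.
            $open[$e.User] = [pscustomobject]@{
                User    = $e.User
                Started = $e.Time
                Seen    = (New-Object 'System.Collections.Generic.List[string]')
            }
            $attempts.Add($open[$e.User])
        }
        # Events with no preceding request in the export are ignored.
        if ($open.ContainsKey($e.User)) { $open[$e.User].Seen.Add($e.EventType) }
    }

    foreach ($a in $attempts) {
        $missing = $Stages |
            Where-Object { -not $a.Seen.Contains($_.Event) } |
            Select-Object -First 1
        [pscustomobject]@{
            User          = $a.User
            Started       = $a.Started
            LastEvent     = $a.Seen[$a.Seen.Count - 1]
            StalledBefore = if ($missing) { $missing.Event } else { '' }
            CheckNext     = if ($missing) { $missing.IfMissing } else { 'Launch completed' }
        }
    }
}

# Constructed sample rows: the first launch never reaches AGENT_CONNECTED,
# the second completes.
$sample = @'
Time,EventType,User,Machine
2017-08-01T09:00:01,BROKER_DESKTOP_REQUEST,VMWEUC\bsimpson,
2017-08-01T09:00:02,BROKER_MACHINE_ALLOCATED,VMWEUC\bsimpson,Desktop-234
2017-08-01T09:00:03,AGENT_PENDING,VMWEUC\bsimpson,Desktop-234
2017-08-01T09:05:00,BROKER_DESKTOP_REQUEST,VMWEUC\jdoe,
2017-08-01T09:05:01,BROKER_MACHINE_ALLOCATED,VMWEUC\jdoe,Desktop-235
2017-08-01T09:05:02,AGENT_PENDING,VMWEUC\jdoe,Desktop-235
2017-08-01T09:05:09,AGENT_CONNECTED,VMWEUC\jdoe,Desktop-235
'@ | ConvertFrom-Csv

Get-LaunchAttempt -Events $sample | Format-List
```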

Desktop Source Not Available

Common Issues

• No Desktop Available
• Pool provisioning issues – customization
• Agent not communicating with broker
• Stuck at desktop login screen (SSO)

Horizon

Desktop Source Not Available

Where to look

• Event Database
• Connection Server logs

What to look for

[SessionLaunchContext] (SESSION40a7__6cbd) VMWEUC\bsimpson Desktop=vmworld Session request failed

(SESSION40a7__6cbd) [VMWEUC\bsimpson Desktop=vmworld] (5ms) The following servers were blocked for new sessions [cn=5162cf76-8d8a-4ac0-9185-845a540d24e5,ou=servers,dc=vdi,dc=vmware,dc=int]

(SESSION40a7__6cbd) [VMWEUC\bsimpson Desktop=vmworld] (5ms) Application launch failed exception was The desktop sources for this desktop are not responding Please try again later

Horizon

Page 35: ADV1592BU Troubleshooting Your Horizon 7 Deployment … · Troubleshooting Your Horizon 7 Deployment VMworld 2017 ... (SCCM Toolkit) Horizon ... Troubleshooting Horizon

User Experience Issues

• Poor quality display
  – Bandwidth, latency or QoS
  – Pcoip_server logs report
    • VGMAC Stat frms Loss=045021 (RT)
    • MGMT_PCOIP_DATA BW Decrease (loss) old = 2349982 new = 1768438
• Randomly disconnected session
  – 15 min after established - wssm process hasn’t started on desktop
  – View Agent logs (<DriveLetter>:\ProgramData\VMware\VDM\logs)
  – PENDING_EXPIRED
  – Sometimes caused by daisy-chaining the GINA (WinXP)

Horizon

Multi-VLAN support for Instant Clone pools

Tips to Avoid Deployment Issues

Support

• vSphere 2016
• ESXi 6.0 U1 or newer
• Virtual Distributed Switch only
  – No support for Standard Switch
• Port Group must be configured for Static Port Binding & Fixed Port Allocation
  – No support for Dynamic or Ephemeral

Tested Limits

• No multi-VLAN provisioning with IPv6
• Single IC pool of 2K VMs

Horizon

Multi-VLAN with Horizon Instant Clones

Troubleshooting

Horizon

Desktop Performance

• Common Issues
  – Storage I/O bottleneck
  – Memory contention
  – CPU contention
  – Network issues
• Where to look
  – vCenter Server
  – VCOPs
  – ESXTOP
  – 3rd Party Tools

Horizon

The 3 Pillars of Performance

What to look for

• CPU
  – Cluster/Host utilization < 90%
  – VM utilization - %USED (ESXTOP)
  – VM %RDY Time (ESXTOP) < 10%
• Memory
  – Host utilization < 85%
  – VM utilization
  – Swapping, Ballooning: SWCUR > 1, MCTLSZ > 1 (ESXTOP)
• Storage
  – Disk Read Latency < 25ms
  – ESXTOP DAVG or KAVG < 25ms (ESXTOP)

Horizon

Optimize Your Images

• https://labs.vmware.com/flings/vmware-os-optimization-tool

Horizon

User Environment Manager

Common Issues

FlexEngine Appears Not To Run

FlexEngine Client

• Requires use of Regedit.exe or Reg.exe to modify user-based registry keys
• Must not be disabled via Local or Group Policy

ADMX Settings

• Minimum settings to enable FlexEngine Client
• Check path

Path-Based Import Runs Slow

• Be careful not to run FlexEngine as a logon script and a Group Policy client-side extension



Page 37: ADV1592BU Troubleshooting Your Horizon 7 Deployment … · Troubleshooting Your Horizon 7 Deployment VMworld 2017 ... (SCCM Toolkit) Horizon ... Troubleshooting Horizon

Multi-VLAN with Horizon Instant Clones

Troubleshooting

Desktop Performance

• Common Issues
  – Storage I/O bottleneck
  – Memory contention
  – CPU contention
  – Network issues
• Where to look
  – vCenter Server
  – VCOPs
  – ESXTOP
  – 3rd Party Tools

The 3 Pillars of Performance

What to look for

• CPU
  – Cluster/Host utilization < 90%
  – VM utilization - USED (ESXTOP)
  – VM RDY Time (ESXTOP) < 10%
• Memory
  – Host utilization < 85%
  – VM utilization
  – Swapping, Ballooning: SWCUR > 1, MCTLSZ > 1 (ESXTOP)
• Storage
  – Disk Read Latency < 25ms
  – ESXTOP DAVG or KAVG < 25ms (ESXTOP)

Optimize Your Images

• https://labs.vmware.com/flings/vmware-os-optimization-tool

User Environment Manager

Common Issues

FlexEngine Appears Not To Run

FlexEngine Client
• Requires use of Regedit.exe or Reg.exe to modify user-based registry keys
• Must not be disabled via Local or Group Policy

ADMX Settings
• Minimum settings to enable FlexEngine Client
• Check path

Path-Based Import Runs Slow

• Be careful not to run FlexEngine as a logon script and a Group Policy client-side extension

Application Incompatibility with Hook Drivers

DirectFlex Blacklist
• Create <FlexRepository>\DirectFlex\BlackList.XML
• Populate as follows

    <?xml version="1.0" encoding="utf-8"?>
    <userEnvironmentSettings>
        <setting type="blacklist" list="1.exe|2.exe|3.exe" />
    </userEnvironmentSettings>

• Example: https://kb.vmware.com/kb/2145287

App Volumes

Common Issues

Slow User Logon

• Check Logon Segments in Horizon to determine where the delay is
• Optimize clock.yml
  – If performance decreases as deployment scales
  – Increasing servers, workers and thread_pool requires additional CPU and RAM
  – Involve GSS to ensure optimal settings

AppStack Not Attaching at Logon

• One host in vSphere cluster does not have access to the shared datastore where the AppStack resides
  – Common oversight, especially with Storage Groups
• Conflicting Minifilter driver
  – DLP software
  – Be aware of app altitude
  – More info from Microsoft
    • http://bit.ly/2tSCdG5

ADSI Edit – Static Configuration Editing

ADSI Edit – Common Key Values to Inspect

• pae-DisplayName
  – VM name as displayed in View Admin
• pae-DirtyForNewSessions
  – Indicates whether the VM is “Dirty” and can be re-used in a non-persistent pool
• pae-SVIVMSnapshot
  – Indicates the current Snapshot that is in use
• pae-VmPath
  – Indicates the full Path to the VM in vCenter
• pae-VmState
  – Indicates the current state of the Desktop – some states are a combination of this value and other values

ADSI Edit – Searching for a Desktop

• Find VMs with a Snapshot
  – (&(objectClass=pae-VM)(pae-SVIVmSnapshot=/Baseline/Snapshot1/Snapshot2))
• Find VMs with a Name
  – (&(objectClass=pae-VM)(pae-DisplayName=Desktop-234))

Horizon View Event Notifier

• On the VMware Fling site - labs.vmware.com/flings (chrishalstead)

SSL Certificates and vCenter Server Connection

Accept vCenter Certificate
• By default, certificate validation is required between App Volumes Manager and vSphere
• Accept vCenter cert (self-signed or CA-signed) while creating the Machine Manager in App Volumes Manager
• No custom certificate work required

Certificate Options for Production

Options to Enable SSL
• SSL is enabled by default
• Don't disable certificate validation during Agent installation
• Enable SSL in the registry after App Volumes Agent install

Enable Certificate Validation on the App Volumes Agent

HKLM\System\CurrentControlSet\Services\svservices\Parameters
• EnforceSSLCertificateValidation = 1
• SSL = 1

Certificate Options for a POC

• Options to Disable SSL
• Disable Certificate Validation with App Volumes Manager during App Volumes Agent install
• EnforceSSLCertificateValidation in the registry after App Volumes Agent install

Disable SSL Certificate Validation on the Agent

HKLM\System\CurrentControlSet\Services\svservices\Parameters
• EnforceSSLCertificateValidation = 0
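One way to confirm that the POC setting has not carried over to production agents, added here as an example and not taken from the presentation or from VMware: it parses `reg query` output collected from each agent VM's Parameters key. The host names and sample output are constructed, the REG_DWORD type is assumed, and treating a missing SSL value as enabled is an assumption based on the slide's statement that SSL is enabled by default.

```python
import re

# One value line of `reg query` output: indented name, type, data.
VALUE_LINE = re.compile(r"^\s+(?P<name>\S+)\s+(?P<type>REG_\w+)\s+(?P<data>.*)$")

# Constructed sample output, one entry per agent VM (hypothetical host names).
# The key header is elided on purpose; the parser only reads the value lines.
SAMPLE_EXPORTS = {
    "vdi-prod-01": r"""
HKEY_LOCAL_MACHINE\...\Parameters
    EnforceSSLCertificateValidation    REG_DWORD    0x1
    SSL    REG_DWORD    0x1
""",
    "vdi-poc-07": r"""
HKEY_LOCAL_MACHINE\...\Parameters
    EnforceSSLCertificateValidation    REG_DWORD    0x0
    SSL    REG_DWORD    0x1
""",
    "vdi-old-03": r"""
HKEY_LOCAL_MACHINE\...\Parameters
    SSL    REG_DWORD    0x0
""",
}


def parse_reg_query(text):
    """Return {value name: data} from `reg query` output; DWORDs become ints."""
    values = {}
    for line in text.splitlines():
        match = VALUE_LINE.match(line)
        if not match:
            continue  # key header or blank line
        data = match.group("data").strip()
        if match.group("type") == "REG_DWORD":
            data = int(data, 16)  # reg.exe prints DWORDs as 0x...
        values[match.group("name")] = data
    return values


def audit_agent(values):
    """Return finding codes for one agent; an empty list means production settings."""
    findings = []
    enforce = values.get("EnforceSSLCertificateValidation")
    if enforce == 0:
        findings.append("CERT_VALIDATION_DISABLED")   # the POC setting
    elif enforce is None:
        findings.append("CERT_VALIDATION_UNSET")      # confirm the installer choice
    elif enforce != 1:
        findings.append("CERT_VALIDATION_UNEXPECTED_VALUE")
    # Assumption: an absent SSL value means the default (enabled).
    if values.get("SSL", 1) != 1:
        findings.append("SSL_DISABLED")
    return findings


def audit_fleet(exports):
    """Map each host to its findings."""
    return {host: audit_agent(parse_reg_query(text)) for host, text in exports.items()}


if __name__ == "__main__":
    for host, findings in sorted(audit_fleet(SAMPLE_EXPORTS).items()):
        print(host, "OK" if not findings else ", ".join(findings))
```
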

SSL Certificates and SQL Server Communication

Securing Communications Between App Volumes Manager and SQL Server

• 2.12 User Guide references MS Support
• Note the differences for a SQL Server clustered installation
• Encryption is configured on the SQL Server instance, so all databases on a shared SQL Server will be affected
• From the SQL Server, use SQL Server Configuration Manager to configure Force Encryption and specify the SQL certificate
• SQL Server service account must have Read permissions to the Private Key of the SQL Server SSL certificate
  – Check SQL Server Configuration Manager > SQL Server Services > SQL Server (SQL) > Log On
  – Default is NT Service\MSSQL$SQL, which does not have the necessary permissions

SSL Certificates and SQL Server Communication

Setting Custom Private Key Permissions for SQL Service Account

• Start on the SQL Server
• MMC > Certificates

SSL Certificates and Load Balancers

Typical Deployment
  – SSL is terminated at load balancer
  – HTTP between LB and AV Manager
  – SSL between AV Agents and LB
  – If trusted CA-signed cert is used for LB, be sure all agents trust the CA

Alternative Deployment
  – To keep SSL between LB and AV Manager, signed AV Manager certificate(s) should be added to trust list of the LB

[Diagram labels: App Volumes Agent VMs; Load Balancer; App Volumes Manager VMs; SQL View Infrastructure; Now Secured with SSL Certificates]

Desktop Not Available

What to look for… (walk through successful connection)

• Client requests desktop
  – Event Database: BROKER_DESKTOP_REQUEST
• Broker allocates session to user
  – [FarmImp] (SESSION7072--a79c) cn=3f974017-409f-4912-83bc-2ee794f22fab,ou=servers,dc=vdi,dc=vmware,dc=int total session count 0
  – [FarmImp] (SESSION7072--a79c) allocateNewSession - identified server for application CN=GOLD-NP,OU=Applications,DC=vdi,DC=vmware,DC=int
  – Event Database: BROKER_MACHINE_ALLOCATED
• Broker attempts SSO
  – [FarmImp] (SESSION7072--a79c) Using domain for SSO FUTUREOFFICE
  – User won't be logged on to the VM without this

Desktop Not Available

What to look for… Pool Provisioning

• Desktops not available due to provisioning error
  – Check View Administrator for Pool status, check datastore capacity
  – Check Event Database - BROKER_PROVISIONING_ERROR_
  – Check View Composer has network access to ESX hosts
• Desktop not available due to customization
  – Check Desktop status – AGENT UNAVAILABLE
  – Check View Dashboard
    • Desktop Status > Preparing Desktops OR Problem Desktops
  – Check Desktop connectivity to DNS/AD/Connection Server

Desktop Not Available

• Desktop not available due to VM reset/crash
  – Check Desktop status – ALREADY USED
  – Typical on refresh-on-logoff or delete-on-use desktops
  – Broker never received an explicit logout message from the agent
  – Missing AGENT_ENDED event in DB for VM
• View Composer Issues associated with incorrect domain credentials
• C:\ProgramData\VMware\View Composer\Logs
• FATAL CSvmGaService - [svmGaService.cpp 116] Domain join failed Error 5 (0x5) Access is denied

Desktop Not Available

What to look for…

• Broker starts session on VM
  – [DesktopSessionImp] (SESSION7072--a79c) startSession – sending StartSession message
• Agent responds…
  – “DesktopManager got a StartSession message”
  – Client Info should be in Agent Log along with PCoIP launch
• Event Database: AGENT_PENDING
• Client connects to VM (Agent)
  – “PCoIPCnxOnConnectionComplete Begin (PCOIP)”
  – “WTS_SESSION_LOGON”
  – Event Database: AGENT_CONNECTED
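The successful-connection walk-through above, turned into a check over Event Database rows that reports the last stage each launch reached; this is an added example, not code from the presentation or from VMware. The pipe-separated export layout and the user and machine fields are assumptions, and the sample rows are constructed.

```python
from datetime import datetime

# Event order for a successful launch, as listed in the walk-through above.
LAUNCH_SEQUENCE = (
    "BROKER_DESKTOP_REQUEST",
    "BROKER_MACHINE_ALLOCATED",
    "AGENT_PENDING",
    "AGENT_CONNECTED",
)

# Where to look next when a launch stops after the given event.
NEXT_CHECK = {
    "BROKER_DESKTOP_REQUEST": "no machine allocated: check pool status, "
                              "provisioning errors and datastore capacity",
    "BROKER_MACHINE_ALLOCATED": "agent never acknowledged StartSession: check "
                                "agent-to-broker communication and the agent log",
    "AGENT_PENDING": "client never connected to the agent: look for the PCoIP "
                     "launch and WTS_SESSION_LOGON in the agent log",
    "AGENT_CONNECTED": "launch completed",
}

# Constructed sample rows: time|event|user|machine (assumed export layout).
SAMPLE_ROWS = [
    "2017-08-28T09:00:00|BROKER_DESKTOP_REQUEST|alice|",
    "2017-08-28T09:00:01|BROKER_MACHINE_ALLOCATED|alice|Desktop-234",
    "2017-08-28T09:00:02|AGENT_PENDING|alice|Desktop-234",
    "2017-08-28T09:00:09|AGENT_CONNECTED|alice|Desktop-234",
    "2017-08-28T09:05:00|BROKER_DESKTOP_REQUEST|bob|",
    "2017-08-28T09:05:01|BROKER_MACHINE_ALLOCATED|bob|Desktop-235",
    "2017-08-28T09:10:00|BROKER_DESKTOP_REQUEST|carol|",
    "2017-08-28T09:10:01|BROKER_MACHINE_ALLOCATED|carol|Desktop-236",
    "2017-08-28T09:10:02|AGENT_PENDING|carol|Desktop-236",
    "2017-08-28T09:10:08|AGENT_CONNECTED|carol|Desktop-236",
    "2017-08-28T09:40:00|AGENT_ENDED|carol|Desktop-236",
]


def parse_rows(rows):
    """Parse 'time|event|user|machine' rows into dicts sorted by time."""
    events = []
    for row in rows:
        ts, etype, user, machine = (field.strip() for field in row.split("|"))
        events.append({"time": datetime.fromisoformat(ts), "type": etype,
                       "user": user or None, "machine": machine or None})
    return sorted(events, key=lambda ev: ev["time"])


def launch_attempts(events):
    """One record per BROKER_DESKTOP_REQUEST with the last stage it reached."""
    attempts, current = [], {}
    for ev in events:
        if ev["type"] == "BROKER_DESKTOP_REQUEST":
            attempt = {"user": ev["user"], "started": ev["time"],
                       "reached": ev["type"], "machine": None}
            attempts.append(attempt)
            current[ev["user"]] = attempt
            continue
        attempt = current.get(ev["user"])
        if attempt is None or ev["type"] not in LAUNCH_SEQUENCE:
            continue
        # Advance only to the event that directly follows the stage reached.
        nxt = LAUNCH_SEQUENCE.index(attempt["reached"]) + 1
        if nxt < len(LAUNCH_SEQUENCE) and ev["type"] == LAUNCH_SEQUENCE[nxt]:
            attempt["reached"] = ev["type"]
            attempt["machine"] = ev["machine"] or attempt["machine"]
    for attempt in attempts:
        attempt["next_check"] = NEXT_CHECK[attempt["reached"]]
    return attempts


def sessions_without_agent_ended(events):
    """Machines whose latest AGENT_CONNECTED has no later AGENT_ENDED.

    Normal while the user is still connected; for a VM that shows
    ALREADY USED it confirms the broker never saw the logout.
    """
    open_since = {}
    for ev in events:
        if ev["machine"] is None:
            continue
        if ev["type"] == "AGENT_CONNECTED":
            open_since[ev["machine"]] = ev["time"]
        elif ev["type"] == "AGENT_ENDED":
            open_since.pop(ev["machine"], None)
    return open_since


if __name__ == "__main__":
    parsed = parse_rows(SAMPLE_ROWS)
    for a in launch_attempts(parsed):
        print(a["user"], a["machine"], a["reached"], "->", a["next_check"])
    for machine, since in sessions_without_agent_ended(parsed).items():
        print(machine, "connected at", since, "with no AGENT_ENDED")
```
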

Desktop Source Not Available

Common Issues

• No Desktop Available
• Pool provisioning issues – customization
• Agent not communicating with broker
• Stuck at desktop login screen (SSO)

Desktop Source Not Available

Where to look

• Event Database
• Connection Server logs

What to look for

[SessionLaunchContext] (SESSION40a7__6cbd) VMWEUC\bsimpson Desktop=vmworld Session request failed

(SESSION40a7__6cbd) [VMWEUC\bsimpson Desktop=vmworld] (5ms) The following servers were blocked for new sessions [cn=5162cf76-8d8a-4ac0-9185-845a540d24e5,ou=servers,dc=vdi,dc=vmware,dc=int]

(SESSION40a7__6cbd) [VMWEUC\bsimpson Desktop=vmworld] (5ms) Application launch failed exception was The desktop sources for this desktop are not responding. Please try again later


Page 39: ADV1592BU Troubleshooting Your Horizon 7 Deployment … · Troubleshooting Your Horizon 7 Deployment VMworld 2017 ... (SCCM Toolkit) Horizon ... Troubleshooting Horizon

The 3 Pillars of Performance

What to look for

bull CPU

ndash ClusterHost utilization lt 90

ndash VM utilization - USED (ESXTOP)

ndash VM RDY Time (ESXTOP) lt 10

bull Memory

ndash Host utilization lt 85

ndash VM utilization

ndash Swapping Ballooning SWCUR gt 1 MCTLSZ gt 1 (ESXTOP)

bull Storage

ndash Disk Read Latency lt 25ms

ndash ESXTOP DAVG or KAVG lt 25ms (ESXTOP)

Horizon

ADV1592BU CONFIDENTIAL 39

VMworld 2017 Content Not fo

r publication or distri

bution

Optimize Your Images

bull httpslabsvmwarecomflingsvmware-os-optimization-tool

Horizon

ADV1592BU CONFIDENTIAL 40

VMworld 2017 Content Not fo

r publication or distri

bution

User Environment ManagerCommon Issues

VMworld 2017 Content Not fo

r publication or distri

bution

FlexEngine Appears Not To Run

FlexEngine Client

bull Requires use of Regeditexeor Regexe to modify user-based registry keys

bull Must not be disabled via Local or Group Policy

ADMX Settings

bull Minimum settings to enable FlexEngine Client

bull Check path

ADV1592BU CONFIDENTIAL 42

VMworld 2017 Content Not fo

r publication or distri

bution

Path-Based Import Runs Slow

bull Be careful not to run FlexEngine as a logon script and a Group Policy client-side extension

ADV1592BU CONFIDENTIAL 43

VMworld 2017 Content Not fo

r publication or distri

bution

Application Incompatibility with Hook DriversUser Environment

Manager

DirectFlex Blacklist

bull Create ltFlexRepositorygtDirectFlexBlackListXML

bull Populate as follows

ltxml version=10 encoding=utf-8gt

ltuserEnvironmentSettingsgt

ltsetting type=blacklist list=rdquo1exe|2exe|3exe gt

ltuserEnvironmentSettingsgt

bull Example httpskbvmwarecomkb2145287

ADV1592BU CONFIDENTIAL 44

VMworld 2017 Content Not fo

r publication or distri

bution

App VolumesCommon Issues

VMworld 2017 Content Not fo

r publication or distri

bution

Slow User Logon

bull Check Logon Segments in Horizon to determine where the delay is

bull Optimize clockyml

ndash If performance decreases as deployment scales

ndash Increasing servers workers and thread_poolrequires additional CPU and RAM

ndash Involve GSS to ensure optimal settings

ADV1592BU CONFIDENTIAL 46

VMworld 2017 Content Not fo

r publication or distri

bution

AppStack Not Attaching at Logon

ADV1592BU CONFIDENTIAL 47

bull One host in vSphere cluster does not have access to the shared datastore where the AppStack resides

ndash Common oversight especially with Storage Groups

bull Conflicting Minifilter driver

ndash DLP software

ndash Be aware of app altitude

ndash More info from Microsoft

bull httpbitly2tSCdG5VMworld 2017 Content Not fo

r publication or distri

bution

VMworld 2017 Content Not fo

r publication or distri

bution

VMworld 2017 Content Not fo

r publication or distri

bution

ADSI Edit ndash Static Configuration Editing

ADV1592BU CONFIDENTIAL 50

Horizon

VMworld 2017 Content Not fo

r publication or distri

bution

ADSI Edit ndash Common Key Values to Inspect

bull pae-DisplayName

ndash VM name as displayed in View Admin

bull pae-DirtyForNewSessions

ndash Indicates whether the VM is ldquoDirtyrdquo and can be re-used in a non-persistent pool

bull pae-SVIVMSnapshot

ndash Indicates the current Snapshot that is in use

bull pae-VmPath

ndash Indicates the full Path to the VM in vCenter

bull pae-VmState

ndash Indicates the current state of the Desktop ndash some states are a combination of this valueand other values

ADV1592BU CONFIDENTIAL 51

Horizon

VMworld 2017 Content Not fo

r publication or distri

bution

ADSI Edit ndash Searching for a Desktop

bull Find VMs with a Snapshot

ndash (amp(objectClass=pae-VM)(pae-SVIVmSnapshot=BaselineSnapshot1Snapshot2))

bull Find VMs with a Name

ndash (amp(objectClass=pae-VM)(pae-DisplayName=Desktop-234))

Horizon

ADV1592BU CONFIDENTIAL 52

VMworld 2017 Content Not fo

r publication or distri

bution

Horizon View Event Notifier

bull On the VMware Fling site - labsvmwarecomflings (chrishalstead)

Horizon

ADV1592BU CONFIDENTIAL 53

VMworld 2017 Content Not fo

r publication or distri

bution

SSL Certificates and vCenter Server Connection

Accept vCenter Certificate

bull By default certificate validation is required between App Volumes Manager and vSphere

bull Accept vCenter cert (self-signed or CA-signed) while creating the Machine Manager in App Volumes Manager

bull No custom certificate work required

App Volumes

ADV1592BU CONFIDENTIAL 54

VMworld 2017 Content Not fo

r publication or distri

bution

Certificate Options for Production

Options to Enable SSL

bull SSL is enabled by default

bull Donrsquot disable certificate validation during Agent installation

bull Enable SSL in the registry after App Volumes Agent install

ADV1592BU CONFIDENTIAL 55

Enable Certificate Validation on the App Volumes Agent

HKLMSystemCurrentControlSetServicessvservicesParametersbull EnforceSSLCertificateValidation = 1bull SSL = 1

App Volumes

VMworld 2017 Content Not fo

r publication or distri

bution

Certificate Options for a POC

bull Options to Disable SSL

bull Disable Certificate Validation with App Volumes Manager during App Volumes Agent install

bull EnforceSSLCertificateValidation in the registry after App Volumes Agent install

ADV1592BU CONFIDENTIAL 56

Disable SSL Certificate Validation on the Agent

HKLMSystemCurrentControlSetServicessvservicesParametersbull EnforceSSLCertificateValidation = 0

App Volumes

VMworld 2017 Content Not fo

r publication or distri

bution

SSL Certificates and SQL Server CommunicationSecuring Communications Between App Volumes Manager and SQL Server

bull 212 User Guide references MS Support

bull Note the differences for a SQL Server clustered installation

bull Encryption is configured on the SQL Server instance so alldatabases on a shared SQL Server will be affected

bull From the SQL Server use SQL Server Configuration Manager to configure Force Encryption and specify the SQL certificate

SQL Server service account must have Read permissions to the Private Key of the SQL Server SSL certificate

ndash Check SQL Server Configuration Manager gt SQL Server Services gt SQL Server (SQL) gt Log On

ndash Default is NT ServiceMSSQL$SQL which does not have the necessary permissions

App Volumes

ADV1592BU CONFIDENTIAL 57

VMworld 2017 Content Not fo

r publication or distri

bution

SSL Certificates and SQL Server Communication

bull Start on the SQL Server

bull MMC gt Certificates

ADV1592BU CONFIDENTIAL 58

Setting Custom Private Key Permissions for SQL Service Account

App Volumes

VMworld 2017 Content Not fo

r publication or distri

bution

SSL Certificates and Load Balancers

ADV1592BU CONFIDENTIAL 59

Typical Deployment

ndash SSL is terminated at load balancer

ndash HTTP between LB and AV Manager

ndash SSL between AV Agents and LB

ndash If trusted CA-signed cert is used for LB be sure all agents trust the CA

App Volumes Agent VMs

Load Balancer

App Volumes Manager VMs

Alternative Deployment

ndash To keep SSL between LB and AV Manager signed AV Manager certificate(s) should be added to trust list of the LB

SQLView Infrastructure

Now Secured withSSL Certificates

App Volumes

VMworld 2017 Content Not fo

r publication or distri

bution

Desktop Not Available

What to look forhellip (walk through successful connection)

bull Client requests desktop

ndash Event Database BROKER_DESKTOP_REQUEST

bull Broker allocates session to user

ndash [FarmImp] (SESSION7072--a79c) cn=3f974017-409f-4912-83bc-2ee794f22fabou=serversdc=vdidc=vmwaredc=int total session count 0

ndash [FarmImp] (SESSION7072--a79c) allocateNewSession - identified server for application CN=GOLD-NPOU=ApplicationsDC=vdiDC=vmwareDC=int

ndash Event Database BROKER_MACHINE_ALLOCATED

bull Broker attempts SSO

ndash [FarmImp] (SESSION7072--a79c) Using domain for SSO FUTUREOFFICE

ndash User wonrsquot be logged on to the VM without this

Horizon

ADV1592BU CONFIDENTIAL 60

VMworld 2017 Content Not fo

r publication or distri

bution

Desktop Not Available

What to look forhellip Pool Provisioning

bull Desktops not available due to provisioning error

ndash Check View Administrator for Pool status check datastore capacity

ndash Check Event Database - BROKER_PROVISIONING_ERROR_

ndash Check View Composer has network access to ESX hosts

bull Desktop not available due to customization

ndash Check Desktop status ndash AGENT UNAVAILABLE

ndash Check View Dashboard

bull Desktop Status gt Preparing Desktops OR Problem Desktops

ndash Check Desktop connectivity to DNSADConnection Server


Desktop Not Available

• Desktop not available due to VM reset/crash
  – Check Desktop status – ALREADY USED
  – Typical on refresh-on-logoff or delete-on-use desktops
  – Broker never received an explicit logout message from the agent
  – Missing AGENT_ENDED event in DB for VM
• View Composer Issues associated with incorrect domain credentials
  • C:\ProgramData\VMware\View Composer\Logs
  • FATAL CSvmGaService - [svmGaService.cpp, 116] Domain join failed. Error 5 (0x5): Access is denied.


Desktop Not Available

What to look for…

• Broker starts session on VM
  – [DesktopSessionImp] (SESSION7072--a79c) startSession – sending StartSession message
• Agent responds…
  – "DesktopManager got a StartSession message"
  – Client Info should be in Agent Log along with PCoIP launch
• Event Database: AGENT_PENDING
• Client connects to VM (Agent)
  – "PCoIPCnxOnConnectionComplete Begin (PCOIP)"
  – "WTS_SESSION_LOGON"
  – Event Database: AGENT_CONNECTED
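The launch sequence walked through on these slides, as an added example (not code from the presentation): given event-database rows, it reports the last stage each launch reached and the check the slides suggest next, and lists machines with an AGENT_CONNECTED but no later AGENT_ENDED. The row layout, user names and machine names are constructed for the example.

```python
"""Locate where a Horizon desktop launch stalled, using event types from the slides."""

# Event types in the order a successful launch writes them to the event database.
LAUNCH_STAGES = [
    "BROKER_DESKTOP_REQUEST",
    "BROKER_MACHINE_ALLOCATED",
    "AGENT_PENDING",
    "AGENT_CONNECTED",
]

# Last stage reached -> the check the slides suggest for the missing next stage.
NEXT_CHECK = {
    "BROKER_DESKTOP_REQUEST": "no machine allocated: check pool status, datastore "
                              "capacity and BROKER_PROVISIONING_ERROR_ events",
    "BROKER_MACHINE_ALLOCATED": "no AGENT_PENDING: check the agent log for the StartSession "
                                "message and desktop connectivity to DNS/AD/Connection Server",
    "AGENT_PENDING": "no AGENT_CONNECTED: look in the agent log for the PCoIP "
                     "connection and WTS_SESSION_LOGON lines",
    "AGENT_CONNECTED": "launch completed",
}

# Constructed sample rows: (time, event type, user, machine). This tuple layout
# is an assumption for the example, not the event database schema.
SAMPLE_EVENTS = [
    ("09:00:01", "BROKER_DESKTOP_REQUEST", "alice", None),
    ("09:00:02", "BROKER_MACHINE_ALLOCATED", "alice", "vdi-01"),
    ("09:00:03", "AGENT_PENDING", "alice", "vdi-01"),
    ("09:00:09", "AGENT_CONNECTED", "alice", "vdi-01"),
    ("09:05:00", "BROKER_DESKTOP_REQUEST", "bob", None),
    ("09:05:01", "BROKER_MACHINE_ALLOCATED", "bob", "vdi-02"),
    ("09:05:02", "AGENT_PENDING", "bob", "vdi-02"),
    ("09:10:00", "BROKER_DESKTOP_REQUEST", "carol", None),
    ("09:12:00", "BROKER_DESKTOP_REQUEST", "dave", None),
    ("09:12:01", "BROKER_MACHINE_ALLOCATED", "dave", "vdi-03"),
    ("09:12:02", "AGENT_PENDING", "dave", "vdi-03"),
    ("09:12:08", "AGENT_CONNECTED", "dave", "vdi-03"),
    ("17:30:00", "AGENT_ENDED", "alice", "vdi-01"),
]


def by_time(events):
    """Sort rows by their HH:MM:SS string (sample rows are all from one day)."""
    return sorted(events, key=lambda row: row[0])


def launch_attempts(events):
    """Split rows into per-user launch attempts; each desktop request opens one."""
    attempts, latest = [], {}
    for time, etype, user, machine in by_time(events):
        if etype == "BROKER_DESKTOP_REQUEST":
            latest[user] = {"user": user, "start": time, "machine": None, "seen": {etype}}
            attempts.append(latest[user])
        elif etype in LAUNCH_STAGES and user in latest:
            latest[user]["seen"].add(etype)
            latest[user]["machine"] = latest[user]["machine"] or machine
    return attempts


def diagnose(attempt):
    """Return (last stage reached without a gap, what to check next)."""
    reached = LAUNCH_STAGES[0]
    for stage in LAUNCH_STAGES:
        if stage not in attempt["seen"]:
            break
        reached = stage
    return reached, NEXT_CHECK[reached]


def sessions_without_logout(events):
    """Machines whose latest AGENT_CONNECTED has no later AGENT_ENDED.

    A session that is still active looks the same, so compare the result with
    the desktop status (ALREADY USED) before acting on it.
    """
    open_since = {}
    for time, etype, _user, machine in by_time(events):
        if etype == "AGENT_CONNECTED":
            open_since[machine] = time
        elif etype == "AGENT_ENDED":
            open_since.pop(machine, None)
    return open_since


if __name__ == "__main__":
    for attempt in launch_attempts(SAMPLE_EVENTS):
        stage, hint = diagnose(attempt)
        print(f"{attempt['start']} {attempt['user']:<6} {attempt['machine'] or '-':<7} {stage}: {hint}")
    for machine, since in sessions_without_logout(SAMPLE_EVENTS).items():
        print(f"{machine}: connected at {since}, no AGENT_ENDED recorded")
```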


Desktop Source Not Available

Common Issues

• No Desktop Available
• Pool provisioning issues – customization
• Agent not communicating with broker
• Stuck at desktop login screen (SSO)


Desktop Source Not Available

Where to look

• Event Database
• Connection Server logs

What to look for

[SessionLaunchContext] (SESSION40a7__6cbd) VMWEUC\bsimpson Desktop=vmworld Session request failed

(SESSION40a7__6cbd) [VMWEUC\bsimpson Desktop=vmworld] (5ms) The following servers were blocked for new sessions [cn=5162cf76-8d8a-4ac0-9185-845a540d24e5,ou=servers,dc=vdi,dc=vmware,dc=int]

(SESSION40a7__6cbd) [VMWEUC\bsimpson Desktop=vmworld] (5ms) Application launch failed exception was The desktop sources for this desktop are not responding Please try again later


Optimize Your Images

• https://labs.vmware.com/flings/vmware-os-optimization-tool


User Environment Manager – Common Issues


FlexEngine Appears Not To Run

FlexEngine Client

• Requires use of Regedit.exe or Reg.exe to modify user-based registry keys
• Must not be disabled via Local or Group Policy

ADMX Settings

• Minimum settings to enable FlexEngine Client
• Check path


Path-Based Import Runs Slow

• Be careful not to run FlexEngine as both a logon script and a Group Policy client-side extension


Application Incompatibility with Hook Drivers

DirectFlex Blacklist

• Create <FlexRepository>\DirectFlex\BlackList.XML
• Populate as follows

<?xml version="1.0" encoding="utf-8"?>
<userEnvironmentSettings>
    <setting type="blacklist" list="1.exe|2.exe|3.exe" />
</userEnvironmentSettings>

• Example: https://kb.vmware.com/kb/2145287


App Volumes – Common Issues


Slow User Logon

• Check Logon Segments in Horizon to determine where the delay is
• Optimize clock.yml
  – If performance decreases as deployment scales
  – Increasing servers, workers, and thread_pool requires additional CPU and RAM
  – Involve GSS to ensure optimal settings


AppStack Not Attaching at Logon

• One host in vSphere cluster does not have access to the shared datastore where the AppStack resides
  – Common oversight, especially with Storage Groups
• Conflicting Minifilter driver
  – DLP software
  – Be aware of app altitude
  – More info from Microsoft
    • http://bit.ly/2tSCdG5


ADSI Edit – Static Configuration Editing


ADSI Edit – Common Key Values to Inspect

• pae-DisplayName
  – VM name as displayed in View Admin
• pae-DirtyForNewSessions
  – Indicates whether the VM is "Dirty" and can be re-used in a non-persistent pool
• pae-SVIVMSnapshot
  – Indicates the current Snapshot that is in use
• pae-VmPath
  – Indicates the full Path to the VM in vCenter
• pae-VmState
  – Indicates the current state of the Desktop – some states are a combination of this value and other values


ADSI Edit – Searching for a Desktop

• Find VMs with a Snapshot
  – (&(objectClass=pae-VM)(pae-SVIVmSnapshot=/Baseline/Snapshot1/Snapshot2))
• Find VMs with a Name
  – (&(objectClass=pae-VM)(pae-DisplayName=Desktop-234))


Horizon View Event Notifier

• On the VMware Fling site - labs.vmware.com/flings (chrishalstead)


SSL Certificates and vCenter Server Connection

Accept vCenter Certificate

• By default, certificate validation is required between App Volumes Manager and vSphere
• Accept vCenter cert (self-signed or CA-signed) while creating the Machine Manager in App Volumes Manager
• No custom certificate work required


Certificate Options for Production

Options to Enable SSL

• SSL is enabled by default
• Don't disable certificate validation during Agent installation
• Enable SSL in the registry after App Volumes Agent install

Enable Certificate Validation on the App Volumes Agent

HKLM\System\CurrentControlSet\Services\svservices\Parameters
• EnforceSSLCertificateValidation = 1
• SSL = 1


Certificate Options for a POC

• Options to Disable SSL
• Disable Certificate Validation with App Volumes Manager during App Volumes Agent install
• EnforceSSLCertificateValidation in the registry after App Volumes Agent install

Disable SSL Certificate Validation on the Agent

HKLM\System\CurrentControlSet\Services\svservices\Parameters
• EnforceSSLCertificateValidation = 0


SSL Certificates and SQL Server Communication

Securing Communications Between App Volumes Manager and SQL Server

• 2.12 User Guide references MS Support
• Note the differences for a SQL Server clustered installation
• Encryption is configured on the SQL Server instance, so all databases on a shared SQL Server will be affected
• From the SQL Server, use SQL Server Configuration Manager to configure Force Encryption and specify the SQL certificate

SQL Server service account must have Read permissions to the Private Key of the SQL Server SSL certificate

– Check SQL Server Configuration Manager > SQL Server Services > SQL Server (SQL) > Log On
– Default is NT Service\MSSQL$SQL, which does not have the necessary permissions


SSL Certificates and SQL Server Communication

Setting Custom Private Key Permissions for SQL Service Account

• Start on the SQL Server
• MMC > Certificates




Page 42: ADV1592BU Troubleshooting Your Horizon 7 Deployment … · Troubleshooting Your Horizon 7 Deployment VMworld 2017 ... (SCCM Toolkit) Horizon ... Troubleshooting Horizon

FlexEngine Appears Not To Run

FlexEngine Client

bull Requires use of Regeditexeor Regexe to modify user-based registry keys

bull Must not be disabled via Local or Group Policy

ADMX Settings

bull Minimum settings to enable FlexEngine Client

bull Check path

ADV1592BU CONFIDENTIAL 42

VMworld 2017 Content Not fo

r publication or distri

bution

Path-Based Import Runs Slow

bull Be careful not to run FlexEngine as a logon script and a Group Policy client-side extension

ADV1592BU CONFIDENTIAL 43

VMworld 2017 Content Not fo

r publication or distri

bution

Application Incompatibility with Hook DriversUser Environment

Manager

DirectFlex Blacklist

bull Create ltFlexRepositorygtDirectFlexBlackListXML

bull Populate as follows

ltxml version=10 encoding=utf-8gt

ltuserEnvironmentSettingsgt

ltsetting type=blacklist list=rdquo1exe|2exe|3exe gt

ltuserEnvironmentSettingsgt

bull Example httpskbvmwarecomkb2145287

ADV1592BU CONFIDENTIAL 44

VMworld 2017 Content Not fo

r publication or distri

bution

App VolumesCommon Issues

VMworld 2017 Content Not fo

r publication or distri

bution

Slow User Logon

bull Check Logon Segments in Horizon to determine where the delay is

bull Optimize clockyml

ndash If performance decreases as deployment scales

ndash Increasing servers workers and thread_poolrequires additional CPU and RAM

ndash Involve GSS to ensure optimal settings

ADV1592BU CONFIDENTIAL 46

VMworld 2017 Content Not fo

r publication or distri

bution

AppStack Not Attaching at Logon

ADV1592BU CONFIDENTIAL 47

bull One host in vSphere cluster does not have access to the shared datastore where the AppStack resides

ndash Common oversight especially with Storage Groups

bull Conflicting Minifilter driver

ndash DLP software

ndash Be aware of app altitude

ndash More info from Microsoft

bull httpbitly2tSCdG5VMworld 2017 Content Not fo

r publication or distri

bution

VMworld 2017 Content Not fo

r publication or distri

bution

VMworld 2017 Content Not fo

r publication or distri

bution

ADSI Edit ndash Static Configuration Editing

ADV1592BU CONFIDENTIAL 50

Horizon

VMworld 2017 Content Not fo

r publication or distri

bution

ADSI Edit ndash Common Key Values to Inspect

bull pae-DisplayName

ndash VM name as displayed in View Admin

bull pae-DirtyForNewSessions

ndash Indicates whether the VM is ldquoDirtyrdquo and can be re-used in a non-persistent pool

bull pae-SVIVMSnapshot

ndash Indicates the current Snapshot that is in use

bull pae-VmPath

ndash Indicates the full Path to the VM in vCenter

bull pae-VmState

ndash Indicates the current state of the Desktop ndash some states are a combination of this valueand other values

ADV1592BU CONFIDENTIAL 51

Horizon

VMworld 2017 Content Not fo

r publication or distri

bution

ADSI Edit ndash Searching for a Desktop

bull Find VMs with a Snapshot

ndash (amp(objectClass=pae-VM)(pae-SVIVmSnapshot=BaselineSnapshot1Snapshot2))

bull Find VMs with a Name

ndash (amp(objectClass=pae-VM)(pae-DisplayName=Desktop-234))

Horizon

ADV1592BU CONFIDENTIAL 52

VMworld 2017 Content Not fo

r publication or distri

bution

Horizon View Event Notifier

bull On the VMware Fling site - labsvmwarecomflings (chrishalstead)

Horizon

ADV1592BU CONFIDENTIAL 53

VMworld 2017 Content Not fo

r publication or distri

bution

SSL Certificates and vCenter Server Connection

Accept vCenter Certificate

bull By default certificate validation is required between App Volumes Manager and vSphere

bull Accept vCenter cert (self-signed or CA-signed) while creating the Machine Manager in App Volumes Manager

bull No custom certificate work required

App Volumes

ADV1592BU CONFIDENTIAL 54

VMworld 2017 Content Not fo

r publication or distri

bution

Certificate Options for Production

Options to Enable SSL

bull SSL is enabled by default

bull Donrsquot disable certificate validation during Agent installation

bull Enable SSL in the registry after App Volumes Agent install

ADV1592BU CONFIDENTIAL 55

Enable Certificate Validation on the App Volumes Agent

HKLMSystemCurrentControlSetServicessvservicesParametersbull EnforceSSLCertificateValidation = 1bull SSL = 1

App Volumes

VMworld 2017 Content Not fo

r publication or distri

bution

Certificate Options for a POC

bull Options to Disable SSL

bull Disable Certificate Validation with App Volumes Manager during App Volumes Agent install

bull EnforceSSLCertificateValidation in the registry after App Volumes Agent install

ADV1592BU CONFIDENTIAL 56

Disable SSL Certificate Validation on the Agent

HKLMSystemCurrentControlSetServicessvservicesParametersbull EnforceSSLCertificateValidation = 0

App Volumes

VMworld 2017 Content Not fo

r publication or distri

bution

SSL Certificates and SQL Server CommunicationSecuring Communications Between App Volumes Manager and SQL Server

bull 212 User Guide references MS Support

bull Note the differences for a SQL Server clustered installation

bull Encryption is configured on the SQL Server instance so alldatabases on a shared SQL Server will be affected

bull From the SQL Server use SQL Server Configuration Manager to configure Force Encryption and specify the SQL certificate

SQL Server service account must have Read permissions to the Private Key of the SQL Server SSL certificate

ndash Check SQL Server Configuration Manager gt SQL Server Services gt SQL Server (SQL) gt Log On

ndash Default is NT ServiceMSSQL$SQL which does not have the necessary permissions

App Volumes

ADV1592BU CONFIDENTIAL 57

VMworld 2017 Content Not fo

r publication or distri

bution

SSL Certificates and SQL Server Communication

bull Start on the SQL Server

bull MMC gt Certificates

ADV1592BU CONFIDENTIAL 58

Setting Custom Private Key Permissions for SQL Service Account

App Volumes

VMworld 2017 Content Not fo

r publication or distri

bution

SSL Certificates and Load Balancers

ADV1592BU CONFIDENTIAL 59

Typical Deployment

ndash SSL is terminated at load balancer

ndash HTTP between LB and AV Manager

ndash SSL between AV Agents and LB

ndash If trusted CA-signed cert is used for LB be sure all agents trust the CA

App Volumes Agent VMs

Load Balancer

App Volumes Manager VMs

Alternative Deployment

ndash To keep SSL between LB and AV Manager signed AV Manager certificate(s) should be added to trust list of the LB

SQLView Infrastructure

Now Secured withSSL Certificates

App Volumes

VMworld 2017 Content Not fo

r publication or distri

bution

Desktop Not Available

What to look forhellip (walk through successful connection)

bull Client requests desktop

ndash Event Database BROKER_DESKTOP_REQUEST

bull Broker allocates session to user

ndash [FarmImp] (SESSION7072--a79c) cn=3f974017-409f-4912-83bc-2ee794f22fabou=serversdc=vdidc=vmwaredc=int total session count 0

ndash [FarmImp] (SESSION7072--a79c) allocateNewSession - identified server for application CN=GOLD-NPOU=ApplicationsDC=vdiDC=vmwareDC=int

ndash Event Database BROKER_MACHINE_ALLOCATED

bull Broker attempts SSO

ndash [FarmImp] (SESSION7072--a79c) Using domain for SSO FUTUREOFFICE

ndash User wonrsquot be logged on to the VM without this

Horizon

ADV1592BU CONFIDENTIAL 60

VMworld 2017 Content Not fo

r publication or distri

bution

Desktop Not Available

What to look forhellip Pool Provisioning

bull Desktops not available due to provisioning error

ndash Check View Administrator for Pool status check datastore capacity

ndash Check Event Database - BROKER_PROVISIONING_ERROR_

ndash Check View Composer has network access to ESX hosts

bull Desktop not available due to customization

ndash Check Desktop status ndash AGENT UNAVAILABLE

ndash Check View Dashboard

bull Desktop Status gt Preparing Desktops OR Problem Desktops

ndash Check Desktop connectivity to DNSADConnection Server

Horizon

ADV1592BU CONFIDENTIAL 61

VMworld 2017 Content Not fo

r publication or distri

bution

Desktop Not Available

bull Desktop not available due to VM resetcrash

ndash Check Desktop status ndash ALREADY USED

ndash Typical on refresh-on-logoff or delete-on-use desktops

ndash Broker never received an explicit logout message from the agent

ndash Missing AGENT_ENDED event in DB for VM

bull View Composer Issues associated with incorrect domain credentials

bull CProgramDataVMwareView ComposerLogs

bull FATAL CSvmGaService - [svmGaServicecpp 116] Domain join failed Error 5 (0x5) Access is denied

Horizon

ADV1592BU CONFIDENTIAL 62

VMworld 2017 Content Not fo

r publication or distri

bution

Desktop Not Available
What to look for…
• Broker starts session on VM
  – [DesktopSessionImp] (SESSION7072--a79c) startSession – sending StartSession message
• Agent responds…
  – “DesktopManager got a StartSession message”
  – Client Info should be in Agent Log along with PCoIP launch
• Event Database: AGENT_PENDING
• Client connects to VM (Agent)
  – “PCoIPCnxOnConnectionComplete Begin (PCOIP)”
  – “WTS_SESSION_LOGON”
  – Event Database: AGENT_CONNECTED
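Added example (not part of the original presentation): the successful-connection sequence from these slides (BROKER_DESKTOP_REQUEST, BROKER_MACHINE_ALLOCATED, AGENT_PENDING, AGENT_CONNECTED) applied to exported Event Database rows, reporting where each launch stalled and which machines show the missing-AGENT_ENDED pattern. The (time, event type, user, machine) row shape, the function names and the sample rows are assumptions constructed for illustration, not the Event Database schema.

```python
"""Locate where a Horizon desktop launch stalled, from Event Database rows.

Row shape (time, event_type, user, machine) and all sample rows are
constructed for illustration; they are not the real Event Database schema.
"""

# Launch stages in the order the slides walk through a successful connection.
STAGES = (
    "BROKER_DESKTOP_REQUEST",
    "BROKER_MACHINE_ALLOCATED",
    "AGENT_PENDING",
    "AGENT_CONNECTED",
)

# What the slides say to check when a launch never reaches the given stage.
NEXT_CHECK = {
    "BROKER_MACHINE_ALLOCATED": "pool status, datastore capacity, "
                                "BROKER_PROVISIONING_ERROR_ events",
    "AGENT_PENDING": "agent never answered StartSession: desktop status, "
                     "connectivity to DNS/AD/Connection Server",
    "AGENT_CONNECTED": "agent log: PCoIP launch and WTS_SESSION_LOGON",
}


def split_attempts(events):
    """Group time-ordered rows into launch attempts, one per desktop request."""
    in_progress = {}  # user -> attempt currently being built
    attempts = []
    for ts, etype, user, machine in sorted(events, key=lambda e: e[0]):
        if etype == STAGES[0]:
            in_progress[user] = {"user": user, "start": ts,
                                 "machine": None, "seen": set()}
            attempts.append(in_progress[user])
        attempt = in_progress.get(user)
        if attempt is None or etype not in STAGES:
            continue  # row outside any attempt, or not a launch stage
        attempt["seen"].add(etype)
        attempt["machine"] = machine or attempt["machine"]
    return attempts


def diagnose(events):
    """Return (user, start, last stage reached, what to check) per stalled launch."""
    report = []
    for attempt in split_attempts(events):
        last = None
        for stage in STAGES:
            if stage not in attempt["seen"]:
                report.append((attempt["user"], attempt["start"],
                               last, NEXT_CHECK[stage]))
                break
            last = stage
    return report


def unended_sessions(events):
    """Machines with AGENT_CONNECTED but no later AGENT_ENDED (ALREADY USED pattern)."""
    open_since = {}
    for ts, etype, _user, machine in sorted(events, key=lambda e: e[0]):
        if etype == "AGENT_CONNECTED":
            open_since[machine] = ts
        elif etype == "AGENT_ENDED":
            open_since.pop(machine, None)
    return open_since


# Constructed sample rows (users and machine names are made up).
EVENTS = [
    ("2017-08-28T09:00:01", "BROKER_DESKTOP_REQUEST", "user-a", None),
    ("2017-08-28T09:00:02", "BROKER_MACHINE_ALLOCATED", "user-a", "vdi-001"),
    ("2017-08-28T09:00:03", "AGENT_PENDING", "user-a", "vdi-001"),
    ("2017-08-28T09:00:09", "AGENT_CONNECTED", "user-a", "vdi-001"),
    ("2017-08-28T09:40:00", "AGENT_ENDED", "user-a", "vdi-001"),
    # user-b: machine allocated, agent never reports AGENT_PENDING
    ("2017-08-28T09:05:00", "BROKER_DESKTOP_REQUEST", "user-b", None),
    ("2017-08-28T09:05:01", "BROKER_MACHINE_ALLOCATED", "user-b", "vdi-002"),
    # user-c: request only, nothing allocated
    ("2017-08-28T09:10:00", "BROKER_DESKTOP_REQUEST", "user-c", None),
    # user-d: connected, but the broker never sees AGENT_ENDED for vdi-003
    ("2017-08-28T08:00:00", "BROKER_DESKTOP_REQUEST", "user-d", None),
    ("2017-08-28T08:00:01", "BROKER_MACHINE_ALLOCATED", "user-d", "vdi-003"),
    ("2017-08-28T08:00:02", "AGENT_PENDING", "user-d", "vdi-003"),
    ("2017-08-28T08:00:08", "AGENT_CONNECTED", "user-d", "vdi-003"),
]

if __name__ == "__main__":
    for row in diagnose(EVENTS):
        print("stalled:", row)
    for machine, since in unended_sessions(EVENTS).items():
        print("no AGENT_ENDED:", machine, "connected since", since)
```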

Desktop Source Not Available
Common Issues
• No Desktop Available
• Pool provisioning issues – customization
• Agent not communicating with broker
• Stuck at desktop login screen (SSO)

Desktop Source Not Available
Where to look
• Event Database
• Connection Server logs
What to look for
[SessionLaunchContext] (SESSION40a7__6cbd) VMWEUC\bsimpson Desktop=vmworld Session request failed
(SESSION40a7__6cbd) [VMWEUC\bsimpson Desktop=vmworld] (5ms) The following servers were blocked for new sessions [cn=5162cf76-8d8a-4ac0-9185-845a540d24e5,ou=servers,dc=vdi,dc=vmware,dc=int]
(SESSION40a7__6cbd) [VMWEUC\bsimpson Desktop=vmworld] (5ms) Application launch failed exception was The desktop sources for this desktop are not responding Please try again later

Path-Based Import Runs Slow
• Be careful not to run FlexEngine as a logon script and a Group Policy client-side extension

Application Incompatibility with Hook Drivers
User Environment Manager
DirectFlex Blacklist
• Create <FlexRepository>\DirectFlexBlackList.XML
• Populate as follows
<?xml version="1.0" encoding="utf-8"?>
<userEnvironmentSettings>
    <setting type="blacklist" list="1.exe|2.exe|3.exe" />
</userEnvironmentSettings>
• Example: https://kb.vmware.com/kb/2145287

App Volumes Common Issues

Slow User Logon
• Check Logon Segments in Horizon to determine where the delay is
• Optimize clock.yml
  – If performance decreases as deployment scales
  – Increasing servers, workers, and thread_pool requires additional CPU and RAM
  – Involve GSS to ensure optimal settings

AppStack Not Attaching at Logon
• One host in vSphere cluster does not have access to the shared datastore where the AppStack resides
  – Common oversight, especially with Storage Groups
• Conflicting Minifilter driver
  – DLP software
  – Be aware of app altitude
  – More info from Microsoft
    • http://bit.ly/2tSCdG5

ADSI Edit – Static Configuration Editing

ADSI Edit – Common Key Values to Inspect
• pae-DisplayName
  – VM name as displayed in View Admin
• pae-DirtyForNewSessions
  – Indicates whether the VM is “Dirty” and can be re-used in a non-persistent pool
• pae-SVIVMSnapshot
  – Indicates the current Snapshot that is in use
• pae-VmPath
  – Indicates the full Path to the VM in vCenter
• pae-VmState
  – Indicates the current state of the Desktop – some states are a combination of this value and other values

ADSI Edit – Searching for a Desktop
• Find VMs with a Snapshot
  – (&(objectClass=pae-VM)(pae-SVIVmSnapshot=BaselineSnapshot1Snapshot2))
• Find VMs with a Name
  – (&(objectClass=pae-VM)(pae-DisplayName=Desktop-234))

Horizon View Event Notifier
• On the VMware Fling site - labs.vmware.com/flings (chrishalstead)

SSL Certificates and vCenter Server Connection
Accept vCenter Certificate
• By default, certificate validation is required between App Volumes Manager and vSphere
• Accept vCenter cert (self-signed or CA-signed) while creating the Machine Manager in App Volumes Manager
• No custom certificate work required

Certificate Options for Production
Options to Enable SSL
• SSL is enabled by default
• Don’t disable certificate validation during Agent installation
• Enable SSL in the registry after App Volumes Agent install
Enable Certificate Validation on the App Volumes Agent
HKLM\System\CurrentControlSet\Services\svservices\Parameters
• EnforceSSLCertificateValidation = 1
• SSL = 1

Certificate Options for a POC
• Options to Disable SSL
• Disable Certificate Validation with App Volumes Manager during App Volumes Agent install
• EnforceSSLCertificateValidation in the registry after App Volumes Agent install
Disable SSL Certificate Validation on the Agent
HKLM\System\CurrentControlSet\Services\svservices\Parameters
• EnforceSSLCertificateValidation = 0

SSL Certificates and SQL Server Communication
Securing Communications Between App Volumes Manager and SQL Server
• 2.12 User Guide references MS Support
• Note the differences for a SQL Server clustered installation
• Encryption is configured on the SQL Server instance, so all databases on a shared SQL Server will be affected
• From the SQL Server, use SQL Server Configuration Manager to configure Force Encryption and specify the SQL certificate
SQL Server service account must have Read permissions to the Private Key of the SQL Server SSL certificate
  – Check SQL Server Configuration Manager > SQL Server Services > SQL Server (SQL) > Log On
  – Default is NT Service\MSSQL$SQL, which does not have the necessary permissions

SSL Certificates and SQL Server Communication
• Start on the SQL Server
• MMC > Certificates
Setting Custom Private Key Permissions for SQL Service Account

SSL Certificates and Load Balancers
Typical Deployment
  – SSL is terminated at load balancer
  – HTTP between LB and AV Manager
  – SSL between AV Agents and LB
  – If trusted CA-signed cert is used for LB, be sure all agents trust the CA
Alternative Deployment
  – To keep SSL between LB and AV Manager, signed AV Manager certificate(s) should be added to trust list of the LB
[Diagram labels: App Volumes Agent VMs; Load Balancer; App Volumes Manager VMs; SQL / View Infrastructure; Now Secured with SSL Certificates]

Page 46: ADV1592BU Troubleshooting Your Horizon 7 Deployment … · Troubleshooting Your Horizon 7 Deployment VMworld 2017 ... (SCCM Toolkit) Horizon ... Troubleshooting Horizon

Slow User Logon

bull Check Logon Segments in Horizon to determine where the delay is

bull Optimize clockyml

ndash If performance decreases as deployment scales

ndash Increasing servers workers and thread_poolrequires additional CPU and RAM

ndash Involve GSS to ensure optimal settings

ADV1592BU CONFIDENTIAL 46

VMworld 2017 Content Not fo

r publication or distri

bution

AppStack Not Attaching at Logon

ADV1592BU CONFIDENTIAL 47

bull One host in vSphere cluster does not have access to the shared datastore where the AppStack resides

ndash Common oversight especially with Storage Groups

bull Conflicting Minifilter driver

ndash DLP software

ndash Be aware of app altitude

ndash More info from Microsoft

bull httpbitly2tSCdG5VMworld 2017 Content Not fo

r publication or distri

bution

VMworld 2017 Content Not fo

r publication or distri

bution

VMworld 2017 Content Not fo

r publication or distri

bution

ADSI Edit ndash Static Configuration Editing

ADV1592BU CONFIDENTIAL 50

Horizon

VMworld 2017 Content Not fo

r publication or distri

bution

ADSI Edit – Common Key Values to Inspect

• pae-DisplayName

– VM name as displayed in View Admin

• pae-DirtyForNewSessions

– Indicates whether the VM is “Dirty” and can be re-used in a non-persistent pool

• pae-SVIVMSnapshot

– Indicates the current Snapshot that is in use

• pae-VmPath

– Indicates the full Path to the VM in vCenter

• pae-VmState

– Indicates the current state of the Desktop – some states are a combination of this value and other values

Horizon

ADSI Edit – Searching for a Desktop

• Find VMs with a Snapshot

– (&(objectClass=pae-VM)(pae-SVIVmSnapshot=BaselineSnapshot1Snapshot2))

• Find VMs with a Name

– (&(objectClass=pae-VM)(pae-DisplayName=Desktop-234))

Horizon

Horizon View Event Notifier

• On the VMware Fling site - labs.vmware.com/flings (chrishalstead)

Horizon

SSL Certificates and vCenter Server Connection

Accept vCenter Certificate

• By default, certificate validation is required between App Volumes Manager and vSphere

• Accept vCenter cert (self-signed or CA-signed) while creating the Machine Manager in App Volumes Manager

• No custom certificate work required

App Volumes

Certificate Options for Production

Options to Enable SSL

• SSL is enabled by default

• Don’t disable certificate validation during Agent installation

• Enable SSL in the registry after App Volumes Agent install

Enable Certificate Validation on the App Volumes Agent

HKLM\System\CurrentControlSet\Services\svservices\Parameters

• EnforceSSLCertificateValidation = 1

• SSL = 1

App Volumes

Certificate Options for a POC

• Options to Disable SSL

• Disable Certificate Validation with App Volumes Manager during App Volumes Agent install

• EnforceSSLCertificateValidation in the registry after App Volumes Agent install

Disable SSL Certificate Validation on the Agent

HKLM\System\CurrentControlSet\Services\svservices\Parameters

• EnforceSSLCertificateValidation = 0

App Volumes

SSL Certificates and SQL Server Communication

Securing Communications Between App Volumes Manager and SQL Server

• 2.12 User Guide references MS Support

• Note the differences for a SQL Server clustered installation

• Encryption is configured on the SQL Server instance, so all databases on a shared SQL Server will be affected

• From the SQL Server, use SQL Server Configuration Manager to configure Force Encryption and specify the SQL certificate

SQL Server service account must have Read permissions to the Private Key of the SQL Server SSL certificate

– Check SQL Server Configuration Manager > SQL Server Services > SQL Server (SQL) > Log On

– Default is NT Service\MSSQL$SQL, which does not have the necessary permissions

App Volumes

SSL Certificates and SQL Server Communication

• Start on the SQL Server

• MMC > Certificates

Setting Custom Private Key Permissions for SQL Service Account

App Volumes

SSL Certificates and Load Balancers

Typical Deployment

– SSL is terminated at load balancer

– HTTP between LB and AV Manager

– SSL between AV Agents and LB

– If trusted CA-signed cert is used for LB, be sure all agents trust the CA

Alternative Deployment

– To keep SSL between LB and AV Manager, signed AV Manager certificate(s) should be added to trust list of the LB

[Diagram labels: App Volumes Agent VMs, Load Balancer, App Volumes Manager VMs, SQL, View Infrastructure; "Now Secured with SSL Certificates"]

App Volumes

Desktop Not Available

What to look for… (walk through successful connection)

• Client requests desktop

– Event Database: BROKER_DESKTOP_REQUEST

• Broker allocates session to user

– [FarmImp] (SESSION7072--a79c) cn=3f974017-409f-4912-83bc-2ee794f22fab,ou=servers,dc=vdi,dc=vmware,dc=int total session count 0

– [FarmImp] (SESSION7072--a79c) allocateNewSession - identified server for application CN=GOLD-NP,OU=Applications,DC=vdi,DC=vmware,DC=int

– Event Database: BROKER_MACHINE_ALLOCATED

• Broker attempts SSO

– [FarmImp] (SESSION7072--a79c) Using domain for SSO FUTUREOFFICE

– User won’t be logged on to the VM without this

Horizon

Desktop Not Available

What to look for… Pool Provisioning

• Desktops not available due to provisioning error

– Check View Administrator for Pool status, check datastore capacity

– Check Event Database - BROKER_PROVISIONING_ERROR_

– Check View Composer has network access to ESX hosts

• Desktop not available due to customization

– Check Desktop status – AGENT UNAVAILABLE

– Check View Dashboard

• Desktop Status > Preparing Desktops OR Problem Desktops

– Check Desktop connectivity to DNS/AD/Connection Server

Horizon

Desktop Not Available

• Desktop not available due to VM reset/crash

– Check Desktop status – ALREADY USED

– Typical on refresh-on-logoff or delete-on-use desktops

– Broker never received an explicit logout message from the agent

– Missing AGENT_ENDED event in DB for VM

• View Composer Issues associated with incorrect domain credentials

• C:\ProgramData\VMware\View Composer\Logs

• FATAL CSvmGaService - [svmGaService.cpp 116] Domain join failed Error 5 (0x5) Access is denied

Horizon

Desktop Not Available

What to look for…

• Broker starts session on VM

– [DesktopSessionImp] (SESSION7072--a79c) startSession – sending StartSession message

• Agent responds…

– “DesktopManager got a StartSession message”

– Client Info should be in Agent Log along with PCoIP launch

• Event Database: AGENT_PENDING

• Client connects to VM (Agent)

– “PCoIPCnxOnConnectionComplete Begin (PCOIP)”

– “WTS_SESSION_LOGON”

– Event Database: AGENT_CONNECTED

Horizon

Desktop Source Not Available

Common Issues

• No Desktop Available

• Pool provisioning issues – customization

• Agent not communicating with broker

• Stuck at desktop login screen (SSO)

Horizon

Desktop Source Not Available

Where to look

• Event Database

• Connection Server logs

What to look for

[SessionLaunchContext] (SESSION40a7__6cbd) VMWEUCbsimpson Desktop=vmworld Session request failed

(SESSION40a7__6cbd) [VMWEUCbsimpson Desktop=vmworld] (5ms) The following servers were blocked for new sessions [cn=5162cf76-8d8a-4ac0-9185-845a540d24e5,ou=servers,dc=vdi,dc=vmware,dc=int]

(SESSION40a7__6cbd) [VMWEUCbsimpson Desktop=vmworld] (5ms) Application launch failed exception was The desktop sources for this desktop are not responding Please try again later
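The broker-side walk-through and the failure lines on these slides can be checked per session with a short script. This is an added example, not code from the presentation or from VMware: the phrases are the ones quoted on the slides, while the third session token, the verdict names and the sample lines (which lack the timestamps and punctuation of real logs) are constructed for illustration.

```python
import re

# Milestones of a successful launch, in order, keyed by the broker log
# phrases quoted on the slides.
STAGES = [
    ("allocated", "allocateNewSession"),
    ("sso", "Using domain for SSO"),
    ("start_sent", "sending StartSession message"),
]
# Failure phrases from the "Desktop Source Not Available" slide,
# most specific cause first.
FAILURES = [
    ("servers_blocked", "blocked for new sessions"),
    ("sources_not_responding", "desktop sources for this desktop are not responding"),
    ("request_failed", "Session request failed"),
]
SESSION_RE = re.compile(r"\((SESSION[^)\s]+)\)")     # per-session correlation token
SERVER_DN_RE = re.compile(r"\[(cn=[^\]]+)\]", re.I)  # bracketed server DN

# Constructed sample. The first two sessions reuse the slide text as it
# survives in this transcript; the third (SESSION9b1e--c0de) is made up to
# show a launch that never logged the SSO line.
SAMPLE = """\
[FarmImp] (SESSION7072--a79c) cn=3f974017-409f-4912-83bc-2ee794f22fab,ou=servers,dc=vdi,dc=vmware,dc=int total session count 0
[FarmImp] (SESSION7072--a79c) allocateNewSession - identified server for application CN=GOLD-NP,OU=Applications,DC=vdi,DC=vmware,DC=int
[FarmImp] (SESSION7072--a79c) Using domain for SSO FUTUREOFFICE
[DesktopSessionImp] (SESSION7072--a79c) startSession - sending StartSession message
[SessionLaunchContext] (SESSION40a7__6cbd) VMWEUCbsimpson Desktop=vmworld Session request failed
(SESSION40a7__6cbd) [VMWEUCbsimpson Desktop=vmworld] (5ms) The following servers were blocked for new sessions [cn=5162cf76-8d8a-4ac0-9185-845a540d24e5,ou=servers,dc=vdi,dc=vmware,dc=int]
(SESSION40a7__6cbd) [VMWEUCbsimpson Desktop=vmworld] (5ms) Application launch failed exception was The desktop sources for this desktop are not responding Please try again later
[FarmImp] (SESSION9b1e--c0de) allocateNewSession - identified server for application CN=GOLD-NP,OU=Applications,DC=vdi,DC=vmware,DC=int
[DesktopSessionImp] (SESSION9b1e--c0de) startSession - sending StartSession message
"""


def verdict(state):
    """Summarise one session from the stages and failures seen for it."""
    if state["failures"]:
        # Report the most specific cause that was logged.
        cause = next(name for name, _ in FAILURES if name in state["failures"])
        return "failed:" + cause
    if "start_sent" in state["reached"]:
        # Per the slides, the user is not logged on to the VM without the SSO step.
        if "sso" not in state["reached"]:
            return "started_without_sso"
        return "handed_to_agent"
    return "incomplete"


def triage(lines):
    """Group broker log lines by session token and classify each session."""
    sessions = {}
    for line in lines:
        match = SESSION_RE.search(line)
        if not match:
            continue  # not a per-session broker line
        state = sessions.setdefault(
            match.group(1), {"reached": [], "failures": [], "blocked": []}
        )
        for name, phrase in STAGES:
            if phrase in line and name not in state["reached"]:
                state["reached"].append(name)
        for name, phrase in FAILURES:
            if phrase in line and name not in state["failures"]:
                state["failures"].append(name)
        if "blocked for new sessions" in line:
            state["blocked"].extend(SERVER_DN_RE.findall(line))
    for state in sessions.values():
        state["verdict"] = verdict(state)
    return sessions


if __name__ == "__main__":
    for token, state in triage(SAMPLE.splitlines()).items():
        print(token, state["verdict"], state["blocked"])
```

A handed_to_agent verdict covers the broker side only; the AGENT_PENDING and AGENT_CONNECTED events in the Event Database confirm the rest of the connection.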

Horizon


Page 47: ADV1592BU Troubleshooting Your Horizon 7 Deployment … · Troubleshooting Your Horizon 7 Deployment VMworld 2017 ... (SCCM Toolkit) Horizon ... Troubleshooting Horizon


Page 48: ADV1592BU Troubleshooting Your Horizon 7 Deployment … · Troubleshooting Your Horizon 7 Deployment VMworld 2017 ... (SCCM Toolkit) Horizon ... Troubleshooting Horizon


Page 49: ADV1592BU Troubleshooting Your Horizon 7 Deployment … · Troubleshooting Your Horizon 7 Deployment VMworld 2017 ... (SCCM Toolkit) Horizon ... Troubleshooting Horizon


Page 50: ADV1592BU Troubleshooting Your Horizon 7 Deployment … · Troubleshooting Your Horizon 7 Deployment VMworld 2017 ... (SCCM Toolkit) Horizon ... Troubleshooting Horizon

ADSI Edit – Static Configuration Editing


ADSI Edit – Common Key Values to Inspect

• pae-DisplayName

– VM name as displayed in View Admin

• pae-DirtyForNewSessions

– Indicates whether the VM is “Dirty” and can be re-used in a non-persistent pool

• pae-SVIVMSnapshot

– Indicates the current Snapshot that is in use

• pae-VmPath

– Indicates the full Path to the VM in vCenter

• pae-VmState

– Indicates the current state of the Desktop – some states are a combination of this value and other values


ADSI Edit – Searching for a Desktop

• Find VMs with a Snapshot

– (&(objectClass=pae-VM)(pae-SVIVmSnapshot=BaselineSnapshot1Snapshot2))

• Find VMs with a Name

– (&(objectClass=pae-VM)(pae-DisplayName=Desktop-234))


Horizon View Event Notifier

• On the VMware Fling site - labs.vmware.com/flings (chrishalstead)


SSL Certificates and vCenter Server Connection

Accept vCenter Certificate

• By default, certificate validation is required between App Volumes Manager and vSphere

• Accept vCenter cert (self-signed or CA-signed) while creating the Machine Manager in App Volumes Manager

• No custom certificate work required


Certificate Options for Production

Options to Enable SSL

• SSL is enabled by default

• Don’t disable certificate validation during Agent installation

• Enable SSL in the registry after App Volumes Agent install


Enable Certificate Validation on the App Volumes Agent

HKLM\System\CurrentControlSet\Services\svservices\Parameters

• EnforceSSLCertificateValidation = 1

• SSL = 1


Certificate Options for a POC

• Options to Disable SSL

• Disable Certificate Validation with App Volumes Manager during App Volumes Agent install

• EnforceSSLCertificateValidation in the registry after App Volumes Agent install


Disable SSL Certificate Validation on the Agent

HKLM\System\CurrentControlSet\Services\svservices\Parameters

• EnforceSSLCertificateValidation = 0
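An added example (not from the slides and not VMware code): a Python check that reads `reg query` output collected from agent VMs and reports any machine where the POC values above are still in place or the values are missing. The host names and sample output are constructed, and the REG_DWORD value type is an assumption.

```python
import re

# Value names from the slides; registry value names are case-insensitive.
CHECKED = ("EnforceSSLCertificateValidation", "SSL")

# One value row of `reg query` output: indent, name, REG_* type, data.
VALUE_ROW = re.compile(r"^\s+(?P<name>\S+)\s+(?P<type>REG_\w+)\s*(?P<data>.*)$")

# Constructed sample output. The key path is spelled as written on the slide;
# the parser below does not depend on it.
PRODUCTION_HOST = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\svservices\Parameters
    EnforceSSLCertificateValidation    REG_DWORD    0x1
    SSL    REG_DWORD    0x1
"""

POC_HOST = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\svservices\Parameters
    EnforceSSLCertificateValidation    REG_DWORD    0x0
    SSL    REG_DWORD    0x1
"""

MISSING_VALUE_HOST = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\svservices\Parameters
    SSL    REG_DWORD    0x1
"""


def parse_reg_query(text):
    """Return {lower-cased value name: raw data string} for every value row."""
    values = {}
    for line in text.splitlines():
        row = VALUE_ROW.match(line)
        if row:
            values[row["name"].lower()] = row["data"].strip()
    return values


def classify(data):
    """Map raw registry data to a status; the slides only define 1 and 0."""
    if data is None:
        return "not set"
    try:
        number = int(data, 0)  # accepts 0x1 as well as 1
    except ValueError:
        return "unreadable"
    if number == 1:
        return "enabled"
    if number == 0:
        return "disabled"
    return "unexpected"


def audit_host(text):
    """Status of each checked value for one host's `reg query` output."""
    values = parse_reg_query(text)
    return {name: classify(values.get(name.lower())) for name in CHECKED}


def fleet_findings(outputs):
    """Return {host: {value: status}} for every value that is not enabled."""
    findings = {}
    for host, text in outputs.items():
        bad = {n: s for n, s in audit_host(text).items() if s != "enabled"}
        if bad:
            findings[host] = bad
    return findings


if __name__ == "__main__":
    fleet = {
        "agent-prod-01": PRODUCTION_HOST,
        "agent-poc-07": POC_HOST,
        "agent-img-03": MISSING_VALUE_HOST,
    }
    for host, bad in fleet_findings(fleet).items():
        print(host, bad)
```

A value reported as "not set" is listed for review rather than treated as a failure, since the slides only say what the value should be in production.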


SSL Certificates and SQL Server Communication

Securing Communications Between App Volumes Manager and SQL Server

• 2.12 User Guide references MS Support

• Note the differences for a SQL Server clustered installation

• Encryption is configured on the SQL Server instance, so all databases on a shared SQL Server will be affected

• From the SQL Server, use SQL Server Configuration Manager to configure Force Encryption and specify the SQL certificate

SQL Server service account must have Read permissions to the Private Key of the SQL Server SSL certificate

– Check SQL Server Configuration Manager > SQL Server Services > SQL Server (SQL) > Log On

– Default is NT Service\MSSQL$SQL, which does not have the necessary permissions


SSL Certificates and SQL Server Communication

• Start on the SQL Server

• MMC > Certificates


Setting Custom Private Key Permissions for SQL Service Account


SSL Certificates and Load Balancers


Typical Deployment

– SSL is terminated at load balancer

– HTTP between LB and AV Manager

– SSL between AV Agents and LB

– If trusted CA-signed cert is used for LB, be sure all agents trust the CA

Alternative Deployment

– To keep SSL between LB and AV Manager, signed AV Manager certificate(s) should be added to trust list of the LB

[Diagram labels: App Volumes Agent VMs; Load Balancer; App Volumes Manager VMs; SQL/View Infrastructure; “Now Secured with SSL Certificates”]


Desktop Not Available

What to look for… (walk through successful connection)

• Client requests desktop

– Event Database BROKER_DESKTOP_REQUEST

• Broker allocates session to user

– [FarmImp] (SESSION7072--a79c) cn=3f974017-409f-4912-83bc-2ee794f22fab,ou=servers,dc=vdi,dc=vmware,dc=int total session count 0

– [FarmImp] (SESSION7072--a79c) allocateNewSession - identified server for application CN=GOLD-NP,OU=Applications,DC=vdi,DC=vmware,DC=int

– Event Database BROKER_MACHINE_ALLOCATED

• Broker attempts SSO

– [FarmImp] (SESSION7072--a79c) Using domain for SSO FUTUREOFFICE

– User won’t be logged on to the VM without this


Desktop Not Available

What to look for… Pool Provisioning

• Desktops not available due to provisioning error

– Check View Administrator for Pool status, check datastore capacity

– Check Event Database - BROKER_PROVISIONING_ERROR_

– Check View Composer has network access to ESX hosts

• Desktop not available due to customization

– Check Desktop status – AGENT UNAVAILABLE

– Check View Dashboard

• Desktop Status > Preparing Desktops OR Problem Desktops

– Check Desktop connectivity to DNS/AD/Connection Server


Desktop Not Available

• Desktop not available due to VM reset/crash

– Check Desktop status – ALREADY USED

– Typical on refresh-on-logoff or delete-on-use desktops

– Broker never received an explicit logout message from the agent

– Missing AGENT_ENDED event in DB for VM

• View Composer Issues associated with incorrect domain credentials

• C:\ProgramData\VMware\View Composer\Logs

• FATAL CSvmGaService - [svmGaService.cpp, 116] Domain join failed: Error 5 (0x5): Access is denied


Desktop Not Available

What to look for…

• Broker starts session on VM

– [DesktopSessionImp] (SESSION7072--a79c) startSession – sending StartSession message

• Agent responds…

– “DesktopManager got a StartSession message”

– Client Info should be in Agent Log along with PCoIP launch

• Event Database AGENT_PENDING

• Client connects to VM (Agent)

– “PCoIPCnxOnConnectionComplete Begin (PCOIP)”

– “WTS_SESSION_LOGON”

– Event Database AGENT_CONNECTED
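The event sequence from the walk-through slides, turned into a triage script over exported event rows; this is an added example, not VMware code. The row layout (time, event type, user, machine), the user names, the machine names other than Desktop-234, the BROKER_PROVISIONING_ERROR_EXAMPLE suffix and the hint wording are assumptions made for illustration.

```python
from datetime import datetime

# Event order for a successful launch, as listed in the walk-through slides.
STAGES = (
    "BROKER_DESKTOP_REQUEST",
    "BROKER_MACHINE_ALLOCATED",
    "AGENT_PENDING",
    "AGENT_CONNECTED",
)

# What to check when a stage never appears (this example's reading of the slides).
HINTS = {
    "BROKER_MACHINE_ALLOCATED": "no machine allocated: check pool status, datastore "
                                "capacity and BROKER_PROVISIONING_ERROR_ events",
    "AGENT_PENDING": "agent not communicating with broker: check desktop "
                     "connectivity to DNS/AD/Connection Server",
    "AGENT_CONNECTED": "client never connected to the agent: check the agent log "
                       "for client info and the PCoIP launch",
}

# Constructed sample rows; not the real Event Database schema.
SAMPLE_EVENTS = [
    # alice: complete launch followed by a clean logoff
    ("2017-08-28T09:00:00", "BROKER_DESKTOP_REQUEST", "alice", None),
    ("2017-08-28T09:00:01", "BROKER_MACHINE_ALLOCATED", "alice", "Desktop-234"),
    ("2017-08-28T09:00:02", "AGENT_PENDING", "alice", "Desktop-234"),
    ("2017-08-28T09:00:05", "AGENT_CONNECTED", "alice", "Desktop-234"),
    ("2017-08-28T09:30:00", "AGENT_ENDED", "alice", "Desktop-234"),
    # bob: request made while the pool was failing to provision
    ("2017-08-28T09:01:00", "BROKER_PROVISIONING_ERROR_EXAMPLE", None, None),
    ("2017-08-28T09:01:10", "BROKER_DESKTOP_REQUEST", "bob", None),
    # carol: machine allocated, agent never answered
    ("2017-08-28T09:02:00", "BROKER_DESKTOP_REQUEST", "carol", None),
    ("2017-08-28T09:02:01", "BROKER_MACHINE_ALLOCATED", "carol", "Desktop-235"),
    # dave: connected, no AGENT_ENDED recorded (first row deliberately out of order)
    ("2017-08-28T09:03:05", "AGENT_CONNECTED", "dave", "Desktop-236"),
    ("2017-08-28T09:03:00", "BROKER_DESKTOP_REQUEST", "dave", None),
    ("2017-08-28T09:03:01", "BROKER_MACHINE_ALLOCATED", "dave", "Desktop-236"),
    ("2017-08-28T09:03:02", "AGENT_PENDING", "dave", "Desktop-236"),
]


def parse(rows):
    """Return rows as dicts sorted by time, so out-of-order exports still work."""
    events = [
        {"time": datetime.fromisoformat(t), "type": e, "user": u, "machine": m}
        for t, e, u, m in rows
    ]
    return sorted(events, key=lambda ev: ev["time"])


def launch_attempts(events):
    """Group stage events per user; each BROKER_DESKTOP_REQUEST opens an attempt."""
    attempts, current = [], {}
    for ev in events:
        if ev["type"] == "BROKER_DESKTOP_REQUEST":
            current[ev["user"]] = {"user": ev["user"], "machine": None, "seen": set()}
            attempts.append(current[ev["user"]])
        attempt = current.get(ev["user"])
        if attempt is None or ev["type"] not in STAGES:
            continue
        attempt["seen"].add(ev["type"])
        attempt["machine"] = attempt["machine"] or ev["machine"]
    return attempts


def triage(rows):
    """Return (user, machine, first missing stage or None, hint) per attempt."""
    report = []
    for attempt in launch_attempts(parse(rows)):
        missing = next((s for s in STAGES[1:] if s not in attempt["seen"]), None)
        hint = HINTS[missing] if missing else "connected"
        report.append((attempt["user"], attempt["machine"], missing, hint))
    return report


def machines_without_agent_ended(events):
    """Machines whose latest AGENT_CONNECTED has no later AGENT_ENDED.

    The session may still be open; on refresh-on-logoff or delete-on-use pools
    it is also the sign the slides give for desktops stuck in ALREADY USED.
    """
    open_sessions = {}
    for ev in events:
        if ev["type"] == "AGENT_CONNECTED":
            open_sessions[ev["machine"]] = ev["time"]
        elif ev["type"] == "AGENT_ENDED":
            open_sessions.pop(ev["machine"], None)
    return sorted(open_sessions)


def provisioning_errors(events):
    """Event types that start with the prefix named on the provisioning slide."""
    return [ev["type"] for ev in events
            if ev["type"].startswith("BROKER_PROVISIONING_ERROR_")]


if __name__ == "__main__":
    for row in triage(SAMPLE_EVENTS):
        print(row)
    print(machines_without_agent_ended(parse(SAMPLE_EVENTS)))
```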


Desktop Source Not Available

Common Issues

• No Desktop Available

• Pool provisioning issues – customization

• Agent not communicating with broker

• Stuck at desktop login screen (SSO)


Desktop Source Not Available

Where to look

• Event Database

• Connection Server logs

What to look for

[SessionLaunchContext] (SESSION40a7__6cbd) VMWEUC\bsimpson Desktop=vmworld Session request failed

(SESSION40a7__6cbd) [VMWEUC\bsimpson Desktop=vmworld] (5ms) The following servers were blocked for new sessions [cn=5162cf76-8d8a-4ac0-9185-845a540d24e5,ou=servers,dc=vdi,dc=vmware,dc=int]

(SESSION40a7__6cbd) [VMWEUC\bsimpson Desktop=vmworld] (5ms) Application launch failed exception was The desktop sources for this desktop are not responding Please try again later




Page 54: ADV1592BU Troubleshooting Your Horizon 7 Deployment … · Troubleshooting Your Horizon 7 Deployment VMworld 2017 ... (SCCM Toolkit) Horizon ... Troubleshooting Horizon

SSL Certificates and vCenter Server Connection

Accept vCenter Certificate

• By default, certificate validation is required between App Volumes Manager and vSphere
• Accept vCenter cert (self-signed or CA-signed) while creating the Machine Manager in App Volumes Manager
• No custom certificate work required


Certificate Options for Production

Options to Enable SSL

• SSL is enabled by default
• Don’t disable certificate validation during Agent installation
• Enable SSL in the registry after App Volumes Agent install

Enable Certificate Validation on the App Volumes Agent

HKLM\System\CurrentControlSet\Services\svservices\Parameters
• EnforceSSLCertificateValidation = 1
• SSL = 1


Certificate Options for a POC

• Options to Disable SSL
• Disable Certificate Validation with App Volumes Manager during App Volumes Agent install
• EnforceSSLCertificateValidation in the registry after App Volumes Agent install

Disable SSL Certificate Validation on the Agent

HKLM\System\CurrentControlSet\Services\svservices\Parameters
• EnforceSSLCertificateValidation = 0
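The production and POC registry values above differ by a single DWORD, so a POC setting left on a production agent is easy to miss. The following added example (not part of the original deck and not VMware code) audits `reg export` text from agent VMs against the production values; the host names, exports and function names are constructed for illustration, and the key path is copied as written on the slide.

```python
"""Audit App Volumes Agent certificate settings from `reg export` text.

Assumptions: each input is the decoded text of a .reg export of the agent's
Parameters key. Host names and exports are constructed; the value names and
the key path are as written on the slides.
"""
import re

# Values the slides give for production.
PRODUCTION = {"EnforceSSLCertificateValidation": 1, "SSL": 1}

# A REG_DWORD line in a .reg export looks like: "Name"=dword:00000001
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')

KEY = r"[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\svservices\Parameters]"
HEADER = "Windows Registry Editor Version 5.00\n\n" + KEY + "\n"

# Constructed exports from three hypothetical agent VMs.
EXPORTS = {
    "agent-prod-01": HEADER
    + '"EnforceSSLCertificateValidation"=dword:00000001\n"SSL"=dword:00000001\n',
    "agent-poc-07": HEADER
    + '"EnforceSSLCertificateValidation"=dword:00000000\n"SSL"=dword:00000001\n',
    "agent-new-12": HEADER + '"SSL"=dword:00000001\n',
}


def read_dwords(reg_text):
    """Return {value_name: int} for every REG_DWORD line in the export."""
    found = {}
    for line in reg_text.splitlines():
        match = DWORD_RE.match(line.strip())
        if match:
            found[match.group(1)] = int(match.group(2), 16)
    return found


def audit_agent(reg_text):
    """List findings for one agent; an empty list means production values."""
    values = read_dwords(reg_text)
    findings = []
    for name, wanted in PRODUCTION.items():
        if name not in values:
            # Absent is not the same as enabled: report it for follow-up.
            findings.append(f"{name} not set (confirm the installer default)")
        elif values[name] != wanted:
            findings.append(f"{name} = {values[name]}, expected {wanted}")
    return findings


def audit_fleet(exports):
    """Return {host: findings} for hosts that deviate from production."""
    report = {}
    for host, reg_text in exports.items():
        findings = audit_agent(reg_text)
        if findings:
            report[host] = findings
    return report


if __name__ == "__main__":
    for host, findings in sorted(audit_fleet(EXPORTS).items()):
        print(host, "->", "; ".join(findings))
```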


SSL Certificates and SQL Server Communication

Securing Communications Between App Volumes Manager and SQL Server

• 212 User Guide references MS Support
• Note the differences for a SQL Server clustered installation
• Encryption is configured on the SQL Server instance, so all databases on a shared SQL Server will be affected
• From the SQL Server, use SQL Server Configuration Manager to configure Force Encryption and specify the SQL certificate

SQL Server service account must have Read permissions to the Private Key of the SQL Server SSL certificate
  – Check SQL Server Configuration Manager > SQL Server Services > SQL Server (SQL) > Log On
  – Default is NT Service\MSSQL$SQL, which does not have the necessary permissions


SSL Certificates and SQL Server Communication

• Start on the SQL Server
• MMC > Certificates

Setting Custom Private Key Permissions for SQL Service Account


SSL Certificates and Load Balancers

Typical Deployment
  – SSL is terminated at load balancer
  – HTTP between LB and AV Manager
  – SSL between AV Agents and LB
  – If trusted CA-signed cert is used for LB, be sure all agents trust the CA

[Diagram: App Volumes Agent VMs, Load Balancer, App Volumes Manager VMs]

Alternative Deployment
  – To keep SSL between LB and AV Manager, signed AV Manager certificate(s) should be added to trust list of the LB

[Diagram: SQL, View Infrastructure]

Now Secured with SSL Certificates


Desktop Not Available

What to look for… (walk through successful connection)

• Client requests desktop
  – Event Database: BROKER_DESKTOP_REQUEST
• Broker allocates session to user
  – [FarmImp] (SESSION7072--a79c) cn=3f974017-409f-4912-83bc-2ee794f22fab,ou=servers,dc=vdi,dc=vmware,dc=int total session count 0
  – [FarmImp] (SESSION7072--a79c) allocateNewSession - identified server for application CN=GOLD-NP,OU=Applications,DC=vdi,DC=vmware,DC=int
  – Event Database: BROKER_MACHINE_ALLOCATED
• Broker attempts SSO
  – [FarmImp] (SESSION7072--a79c) Using domain for SSO FUTUREOFFICE
  – User won’t be logged on to the VM without this


Desktop Not Available

What to look for… Pool Provisioning

• Desktops not available due to provisioning error
  – Check View Administrator for Pool status, check datastore capacity
  – Check Event Database - BROKER_PROVISIONING_ERROR_
  – Check View Composer has network access to ESX hosts
• Desktop not available due to customization
  – Check Desktop status – AGENT UNAVAILABLE
  – Check View Dashboard
    • Desktop Status > Preparing Desktops OR Problem Desktops
  – Check Desktop connectivity to DNS/AD/Connection Server


Desktop Not Available

• Desktop not available due to VM reset/crash
  – Check Desktop status – ALREADY USED
  – Typical on refresh-on-logoff or delete-on-use desktops
  – Broker never received an explicit logout message from the agent
  – Missing AGENT_ENDED event in DB for VM
• View Composer Issues associated with incorrect domain credentials
• C:\ProgramData\VMware\View Composer\Logs
• FATAL CSvmGaService - [svmGaService.cpp 116] Domain join failed Error 5 (0x5) Access is denied
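The Event Database sequence these slides walk through (BROKER_DESKTOP_REQUEST, BROKER_MACHINE_ALLOCATED, AGENT_PENDING, AGENT_CONNECTED, and the AGENT_ENDED event whose absence goes with an ALREADY USED desktop) can be checked mechanically. The following added example (not part of the original deck and not VMware code) reports the last stage each launch reached and lists machines with no AGENT_ENDED; the row layout, sample rows, function names and the `_EXAMPLE` event suffix are constructed, and only the event type names come from the slides.

```python
"""Triage Horizon session launches from exported Event Database rows.

Assumption: rows are "timestamp,event_type,user,machine"; that layout and the
sample rows are constructed here. Only the event type names are from the slides.
"""
import csv
from datetime import datetime
from io import StringIO

# Order of events for a successful connection, as walked through on the slides.
LAUNCH_STAGES = ["BROKER_DESKTOP_REQUEST", "BROKER_MACHINE_ALLOCATED",
                 "AGENT_PENDING", "AGENT_CONNECTED"]

# Where the slides say to look when a launch stops after a given stage.
NEXT_CHECK = {
    "BROKER_DESKTOP_REQUEST": "no machine allocated: check pool and provisioning",
    "BROKER_MACHINE_ALLOCATED": "agent not pending: check agent log for StartSession",
    "AGENT_PENDING": "client not connected: check agent log for PCoIP launch",
}

# Constructed sample export; the _EXAMPLE suffix is a placeholder.
SAMPLE_ROWS = """\
2017-08-28T09:00:00,BROKER_DESKTOP_REQUEST,alice,
2017-08-28T09:00:01,BROKER_MACHINE_ALLOCATED,alice,vdi-001
2017-08-28T09:00:02,AGENT_PENDING,alice,vdi-001
2017-08-28T09:00:09,AGENT_CONNECTED,alice,vdi-001
2017-08-28T09:05:00,BROKER_DESKTOP_REQUEST,bob,
2017-08-28T09:05:01,BROKER_MACHINE_ALLOCATED,bob,vdi-002
2017-08-28T09:05:02,AGENT_PENDING,bob,vdi-002
2017-08-28T09:05:08,AGENT_CONNECTED,bob,vdi-002
2017-08-28T09:10:00,BROKER_DESKTOP_REQUEST,carol,
2017-08-28T09:10:01,BROKER_MACHINE_ALLOCATED,carol,vdi-003
2017-08-28T09:12:00,BROKER_DESKTOP_REQUEST,dave,
2017-08-28T09:13:00,BROKER_PROVISIONING_ERROR_EXAMPLE,,vdi-005
2017-08-28T09:15:00,BROKER_DESKTOP_REQUEST,erin,
2017-08-28T09:15:01,BROKER_MACHINE_ALLOCATED,erin,vdi-004
2017-08-28T09:15:02,AGENT_PENDING,erin,vdi-004
2017-08-28T17:00:00,AGENT_ENDED,alice,vdi-001
"""


def parse_rows(text):
    """Parse the CSV text into (datetime, event, user, machine), oldest first."""
    rows = []
    for fields in csv.reader(StringIO(text)):
        if len(fields) != 4:
            continue  # skip blank or malformed lines
        when, event, user, machine = fields
        rows.append((datetime.fromisoformat(when), event, user, machine))
    return sorted(rows, key=lambda row: row[0])


def triage_launches(rows):
    """Return one record per launch attempt with the last stage it reached."""
    launches, current = [], {}  # current: user -> launch still being tracked
    for when, event, user, machine in rows:
        if event == LAUNCH_STAGES[0]:
            current[user] = {"user": user, "started": when,
                             "machine": None, "stage": 0}
            launches.append(current[user])
        elif user in current and event in LAUNCH_STAGES:
            launch = current[user]
            # Advance only to the next expected stage; repeats do not count.
            if LAUNCH_STAGES.index(event) == launch["stage"] + 1:
                launch["stage"] += 1
                launch["machine"] = machine or launch["machine"]
    for launch in launches:
        launch["last_stage"] = LAUNCH_STAGES[launch.pop("stage")]
        launch["complete"] = launch["last_stage"] == LAUNCH_STAGES[-1]
        launch["check"] = NEXT_CHECK.get(launch["last_stage"])
    return launches


def machines_missing_agent_ended(rows):
    """Machines whose latest AGENT_CONNECTED has no later AGENT_ENDED."""
    # A session that is still open looks the same, so these are candidates
    # to compare against desktops showing ALREADY USED.
    connected = {}
    for when, event, _user, machine in rows:
        if event == "AGENT_CONNECTED":
            connected[machine] = when
        elif event == "AGENT_ENDED":
            connected.pop(machine, None)
    return sorted(connected)


def provisioning_errors(rows):
    """Rows whose event type starts with BROKER_PROVISIONING_ERROR_."""
    return [row for row in rows
            if row[1].startswith("BROKER_PROVISIONING_ERROR_")]


if __name__ == "__main__":
    rows = parse_rows(SAMPLE_ROWS)
    for launch in triage_launches(rows):
        print(launch["user"], launch["last_stage"], launch["check"] or "ok")
    print("no AGENT_ENDED:", machines_missing_agent_ended(rows))
    print("provisioning errors:", len(provisioning_errors(rows)))
```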






Page 59: ADV1592BU Troubleshooting Your Horizon 7 Deployment … · Troubleshooting Your Horizon 7 Deployment VMworld 2017 ... (SCCM Toolkit) Horizon ... Troubleshooting Horizon

SSL Certificates and Load Balancers

ADV1592BU CONFIDENTIAL 59

Typical Deployment

ndash SSL is terminated at load balancer

ndash HTTP between LB and AV Manager

ndash SSL between AV Agents and LB

ndash If trusted CA-signed cert is used for LB be sure all agents trust the CA

App Volumes Agent VMs

Load Balancer

App Volumes Manager VMs

Alternative Deployment

ndash To keep SSL between LB and AV Manager signed AV Manager certificate(s) should be added to trust list of the LB

SQLView Infrastructure

Now Secured withSSL Certificates

App Volumes

VMworld 2017 Content Not fo

r publication or distri

bution

Desktop Not Available

What to look forhellip (walk through successful connection)

bull Client requests desktop

ndash Event Database BROKER_DESKTOP_REQUEST

bull Broker allocates session to user

ndash [FarmImp] (SESSION7072--a79c) cn=3f974017-409f-4912-83bc-2ee794f22fabou=serversdc=vdidc=vmwaredc=int total session count 0

ndash [FarmImp] (SESSION7072--a79c) allocateNewSession - identified server for application CN=GOLD-NPOU=ApplicationsDC=vdiDC=vmwareDC=int

ndash Event Database BROKER_MACHINE_ALLOCATED

bull Broker attempts SSO

ndash [FarmImp] (SESSION7072--a79c) Using domain for SSO FUTUREOFFICE

ndash User wonrsquot be logged on to the VM without this

Horizon

ADV1592BU CONFIDENTIAL 60

VMworld 2017 Content Not fo

r publication or distri

bution

Desktop Not Available

What to look forhellip Pool Provisioning

bull Desktops not available due to provisioning error

ndash Check View Administrator for Pool status check datastore capacity

ndash Check Event Database - BROKER_PROVISIONING_ERROR_

ndash Check View Composer has network access to ESX hosts

bull Desktop not available due to customization

ndash Check Desktop status ndash AGENT UNAVAILABLE

ndash Check View Dashboard

bull Desktop Status gt Preparing Desktops OR Problem Desktops

ndash Check Desktop connectivity to DNSADConnection Server

Horizon

ADV1592BU CONFIDENTIAL 61

VMworld 2017 Content Not fo

r publication or distri

bution

Desktop Not Available

• Desktop not available due to VM reset/crash
  - Check Desktop status - ALREADY USED
  - Typical on refresh-on-logoff or delete-on-use desktops
  - Broker never received an explicit logout message from the agent
  - Missing AGENT_ENDED event in DB for VM

• View Composer: issues associated with incorrect domain credentials

• C:\ProgramData\VMware\View Composer\Logs

• FATAL CSvmGaService - [svmGaService.cpp, 116] Domain join failed. Error 5 (0x5): Access is denied.

Desktop Not Available

What to look for...

• Broker starts session on VM
  - [DesktopSessionImp] (SESSION7072--a79c) startSession - sending StartSession message

• Agent responds...
  - "DesktopManager got a StartSession message"
  - Client Info should be in Agent Log along with PCoIP launch

• Event Database: AGENT_PENDING

• Client connects to VM (Agent)
  - "PCoIPCnxOnConnectionComplete Begin (PCOIP)"
  - "WTS_SESSION_LOGON"
  - Event Database: AGENT_CONNECTED
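The walk-through above names the Event Database events in the order a successful launch produces them. As an added example (not part of the presentation), this Python code reports the stage at which each desktop request stopped and lists machines that never logged AGENT_ENDED; the record fields and sample data are assumptions, not the Event Database schema.

```python
# Added example. Event names are the ones on the slides; the record fields
# (time, type, user, machine) are assumed and are not the Event Database schema.
FLOW = ["BROKER_DESKTOP_REQUEST", "BROKER_MACHINE_ALLOCATED",
        "AGENT_PENDING", "AGENT_CONNECTED"]
HINT = {  # what the slides say to check when the flow stops after a stage
    FLOW[0]: "no machine allocated: check pool status and BROKER_PROVISIONING_ERROR_ events",
    FLOW[1]: "agent not pending: look for the StartSession message in the agent log",
    FLOW[2]: "client never connected: look for PCoIP launch and WTS_SESSION_LOGON in the agent log",
    FLOW[3]: "connection completed",
}

def triage(events):
    """Walk events in time order and report how far each desktop request got."""
    attempts, current, connected, prov_errors = [], {}, set(), []
    for ev in sorted(events, key=lambda e: e["time"]):
        kind, user, machine = ev["type"], ev.get("user"), ev.get("machine")
        if kind == FLOW[0]:
            current[user] = {"user": user, "machine": None, "stage": kind}
            attempts.append(current[user])
        elif kind in FLOW and user in current:
            att = current[user]
            # Advance only to the next expected stage, never skip one.
            if FLOW.index(kind) == FLOW.index(att["stage"]) + 1:
                att["stage"], att["machine"] = kind, machine
        elif kind.startswith("BROKER_PROVISIONING_ERROR_"):
            prov_errors.append(ev)
        if kind == "AGENT_CONNECTED" and machine:
            connected.add(machine)
        elif kind == "AGENT_ENDED":
            connected.discard(machine)
    for att in attempts:
        att["hint"] = HINT[att["stage"]]
    # Machines left in `connected` never logged AGENT_ENDED (ALREADY USED candidates).
    return {"attempts": attempts, "no_agent_ended": sorted(connected),
            "provisioning_errors": len(prov_errors)}

def rec(time, kind, user=None, machine=None):
    return {"time": time, "type": kind, "user": user, "machine": machine}

# Constructed sample records: users, machines and the error suffix are made up.
SAMPLE = [
    rec("09:00:00", FLOW[0], "alice"), rec("09:00:01", FLOW[1], "alice", "vdi-01"),
    rec("09:00:03", FLOW[2], "alice", "vdi-01"), rec("09:00:09", FLOW[3], "alice", "vdi-01"),
    rec("09:30:00", "AGENT_ENDED", "alice", "vdi-01"),
    rec("09:05:00", FLOW[0], "bob"), rec("09:05:01", FLOW[1], "bob", "vdi-02"),
    rec("09:05:02", FLOW[2], "bob", "vdi-02"),
    rec("09:10:00", FLOW[0], "carol"), rec("09:10:01", FLOW[1], "carol", "vdi-03"),
    rec("09:10:02", FLOW[2], "carol", "vdi-03"), rec("09:10:08", FLOW[3], "carol", "vdi-03"),
    rec("09:12:00", FLOW[0], "dave"), rec("09:12:01", "BROKER_PROVISIONING_ERROR_EXAMPLE"),
]
```

On the sample, bob's request stops at AGENT_PENDING, and vdi-03 is reported as connected without a matching AGENT_ENDED.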

Desktop Source Not Available

Common Issues

• No Desktop Available

• Pool provisioning issues - customization

• Agent not communicating with broker

• Stuck at desktop login screen (SSO)

Desktop Source Not Available

Where to look

• Event Database

• Connection Server logs

What to look for

[SessionLaunchContext] (SESSION40a7__6cbd) VMWEUC\bsimpson Desktop=vmworld Session request failed

(SESSION40a7__6cbd) [VMWEUC\bsimpson Desktop=vmworld] (5ms) The following servers were blocked for new sessions [cn=5162cf76-8d8a-4ac0-9185-845a540d24e5,ou=servers,dc=vdi,dc=vmware,dc=int]

(SESSION40a7__6cbd) [VMWEUC\bsimpson Desktop=vmworld] (5ms) Application launch failed exception was The desktop sources for this desktop are not responding. Please try again later
