Notes from the lab: Bye Bye VMware View Composer

I was upgrading my lab to VMware Horizon 2012 and yes shame on me I still had an composer in my setup. It was already mentioned that VMware Composer is deprecated from the 2006 release but now in 2012 it will block your upgrade when you still have it enabled. Only after disabling composer on your vcenter the upgrade will succeed and afterwards composer will be gone as an configuration item.

See the following screenshots for detailed information:

Notes from the field: Citrix StoreFront forcing connections through Citrix Gateway

On a recent customer project there was the need to migrate off of VDA TLS encryption and migrate the connections from StoreFront to Citrix Gateway.

The customer previously had StoreFront direct connections and used the VDA TLS encryption setup to provide a TLS encrypted session to the desktop or applications.

The VDA TLS encryption setup was too much engineering labor for the day 2 day operations and therefore they asked for a alternate solution but still provide the client>desktop as an TLS encrypted session.

Here we have two options, the first is to use Citrix Gateway and StoreFront as authentication but this introduces the users with a new logon screen and then delegates the credentials with json to StoreFront.

The second is forcing the connections from StoreFront through the Citrix Gateway by the means of optimal gateway routing, and we don’t have any user experience changes because the logon point is still StoreFront.

Option two was chosen and after a quick and simple deployment a seamless migration with optimal gateway routing is in place.

First all the preparation in place is creating a new Citrix Gateway DNS record and a new StoreFront load-balancer IP into the current setup will be migrated, afterwards configure the CVAD wizard on the NetScaler for a simple Citrix Gateway deployment and unbind any authentication policies because these will not be used. Afterwards configure all the necessary settings for a standard Citrix Gateway deployment and propagate these changes across the cluster. When all this is done edit the web.config file of the store that got configured under the primary StoreFront servers IIS inetpub directory and search for: optimalGatewayForFarmsCollection and make sure there is an entry with optimalGatewayForFarms enabledOnDirectAccess=”true” and save the file. Propagate the changes and after that migrate the old DNS entry to the new StoreFront ip. You will see that after logon the desktop brokering is force through Citrix Gateway.

The following reference articles where used for configuration and testing:

How to Force Connections Through NetScaler Gateway Using Optimal Gateway Feature of StoreFront (citrix.com)

How to Configure Authentication at StoreFront using NetScaler Gateway – NetScaler Configuration (citrix.com)

FAQ: Configuring Authentication at StoreFront using NetScaler Gateway (citrix.com)

SSL configuration on VDA (citrix.com)

Notes from the field: VMware Horizon Instant Clone and Imprivata OneSign

On a recent project consisting of an VMware Horizon instant clone setup and Imprivata OneSign in the desktop for SSO capabilities I’ve encountered some strange timing issues.

Normal logins through the horizon client via connection server would be ok with the OneSign agent online, logins through the UAG without TrueSSO would also be okay. (so it seemed)

TrueSSO enabled because the total solution is a Workspace ONE deployment and we want to use one login of course regarding credentials introduced a problem. The login process would work just fine but the agent of Imprivata would stay offline only to be online after a reconnect to the desktop.

A long troubleshooting process started with the team and also a support case opened with Imprivata pointed us in the direction that there was an issue all along with the base setup as well.

Logging in to the VMware console of an desktop without the UAG or TrueSSO in place would provide the same result, an offline OneSign agent and the second logon or disconnect/reconnect even in the console would resolve it.

Long story short after that finding we did an test to restart the OneSign agent before logon of any user (tested this through Ivanti AM) and then let the user logon and presto no more issue.

We then created a script to be used in ClonePrep so that we don’t have to rely on Ivanti AM and after that issue is also resolved.

But now comes the kicker. The solution at the time was an Horizon 7.10.x ESB release and for customer requirements and lifecycle management to be future ready we needed to go to the 7.13 release of Horizon (not perfectly documented but this is the new ESB release as well and last significant release of Horizon 7)

After this update to the connection servers the ClonePrep scripts would time-out and not function correctly anymore. Removing that from the pool did blow my mind because after that the complete issue was gone and the OneSign agent would be online all the time no matter what.

Tested this with an old image and the 7.10.x release of Horizon installed with the 7.13 connection server as backend and indeed no more issues and everything fine. The root cause seems to be “something” in instant clones that got fixed/changed in 7.13

To summarize, the fix for an 7.10.x release is to use any means of restarting the OneSign service before any user will logon and for the 7.13 release it’s no issue at all. (I’m betting this will also be the case for Horizon 8 but haven’t tested that with Imprivata)

Some reference articles:
The Imprivata URL’s you will need an active account at Imprivata to view them

How to enable Imprivata Agent trace

Does Imprivata support VmWare Instant Clone for VM Desktops?

Configuring Kerberos Authentication (imprivata.com)

Configuring Support for VMware True SSO (imprivata.com)

Information on Horizon 7 Extended Service Branch (ESB) (52845) (vmware.com)

VMware Horizon 7 version 7.13 Support Plan (81189)

ClonePrep Guest Customization (vmware.com)