With all the Fabric configuration done we can test our setup.
I’m creating two overlay segments in NSX connected to a Tier-1 gateway, and after that we’ll create a Tier-0 gateway and connect the T1 gateway to it to get North/South connectivity to the overlay resources
Two VMs will be deployed, one VM in each of the two overlay segments
Create a Tier-1 Gateway
The Tier-1 Gateway will initially not be connected to a Tier-0 Gateway (I haven’t configured a T0 gw yet) or an Edge Cluster.
Tier-1 Gateway
Create Logical segments
We need two logical segments, both using the Overlay Transport Zone. I’m defining different subnets on them, 10.0.1.0/24 and 10.0.2.0/24.
Segments
Add VMs to Logical segments
We have two Photon VMs which should be added to the logical segments.
Two Photon VMs
Test connectivity
Now let’s verify that the two VMs can ping each other
Don’t forget to enable the echo rule on the Windows Firewall….
Connectivity test
This shows that the overlay is working, and note again that the Edge VMs are not in use here.
External connectivity
Traffic is flowing between VMs running on Logical segments inside the NSX-T environment, but what if we want to reach something outside, or reach a VM inside a NSX-T overlay?
Then we need to bring a Tier-0 Gateway in to the mix.
The T-0 gateway can be configured with Uplinks that are connected to the physical network. This is done through a segment which can reach the physical network, normally through a VLAN.
To configure the uplink interfaces we need to have Edge VMs so finally we get to bring those into play as well.
Create segment for uplinks
First I’ll create a segment mapped to VLAN 99 in my lab. Note that I select the VLAN transport zone, and I do not connect the segment to a gateway
Create Uplink VLAN segment
Create Tier-0 gateway
Now we’ll create a Tier-0 gateway, note that I now also select my Edge cluster.
Create T0 gateway
Static route
To be able to forward traffic out of the NSX-T environment the T0 gateway needs to know where to send queries for IPs it doesn’t control. Normally you would want to configure a routing protocol like BGP or OSPF so that the T0 gateway could exchange routes with the physical router(s) in your network.
I’ve not set up BGP or any other routing protocol on my physical router, so I’ve just configured a default static route that forwards to my physical router. The next hop is set to the gateway address for the Uplink VLAN 99, 192.168.99.1
Static route
Link T1 gateway to T0 gateway
We’ve done a lot of configuring now, but still we’ve not got connectivity in or out for our VMs. The final step is to connect the Tier-1 gateway to the Tier-0 gateway, and we’ll also activate Route Advertisement of Connected Segments and Service Ports
Tier-1 Gateway
Test connectivity
Verify North/South connectivity
Yes!
Test Distributed Firewall
Let’s also do a quick test of the Distributed Firewall feature in NSX-T.
First we’ll create a rule blocking ICMP (ping) from any to my test vm and publish the rule
ICMP firewall rule
Now let’s test pinging from from my pc to nested Windows 2016 server. With the rule not enabled en enabled.
Ping blocked
Summary
Hopefully this post can help someone, if not it has at least helped me.
Now we have working environment so we can go testing some things.
Also scripting/automation against a nsx environment I will look in to!
I’m doing a mini-series on my NSX-T home lab setup. It’s only for testing en knowledge about NXS-T.
With newer versions of NSX-T 3.1 and later a couple of enhancements have been made that makes the setup a lot easier, like the move to a single N-VDS with the ability to run NSX on a Virtual Distributed Switch (VDS) in vCenter with VDS version 7.0.
The NSX manager appliance has been downloaded and imported the OVF to the cluster. I won’t go into details about this, I just followed the deployment wizard.
In my lab I’ve selected to deploy a small appliance which requires 4 vCPUs, 16 GB RAM and 300 GB disk space. For more details about the NSX Manager requirements look at the official documentation
Note that I’ll not be deploying a NSX Manager cluster in my setup. In a production environment you should naturally follow best practices and configure a cluster of NSX Managers
NSX-T deployment
Now let’s get rocking with our NSX-T setup!
We’ll start the NSX manager and prepare it for configuring NSX in the environment
Initial Manager config
After first login I’ll accept the EULA and optionally enable the CEIP
License
Next I’ll add the license.
Add license
Import certificate
IP Pools
Our Endpoints will need IP addresses and I’ve set aside a subnet for this as mentioned. In NSX Manager we’ll add an IP pool with addresses from this subnet. (The IP pool I’m using is probably way larger than needed in a lab setup like this)
TEP pool
Compute Manager
With all that sorted we’ll connect the NSX manager to our vCenter server so we can configure our ESXi hosts and deploy our edge nodes.
Best is a specific service account for the connection
Compute Manager added
Fabric configuration
Now we’re ready for building out our network fabric which will consist of the following:
Transport Zones
Overlay
VLAN
Transport Nodes
ESXi Hosts
Edge VMs
Edge clusters
Take a look at this summary of the Key concepts in NSX-T to learn more about them.
Transport Zone
The first thing we’ll create are the Transport Zones. These will be used later on multiple occasions later on. A Transport Zone is used as a collection of hypervisor hosts that makes up the span of logical switches.
The defaults could be used, but I like to create my own.
Transport Zones
Uplink Profiles
Uplink profiles will be used when we configure our Transport Nodes, both Hosts and Edge VMs. The profile defines how a Host Transport node (hypervisor) or an Edge Transport node (VM) will connect to the physical network.
Again I’m creating my own profile and leave the default profiles be as they are.
Uplink profile
In my environment I have only one Uplink to use. Note that I’ve set the Transport VLAN to 0 which also corresponds with the TEP VLAN mentioned previously.
Transport Node Profile
Although not strictly needed, I’m creating a Transport Node profile which will let me configure an entire cluster of hosts with the same settings instead of having to configure each and every host
In the Transport Node profile we first select the type of Host switch. In my case I’m selecting the VDS option, which will let me select a specific switch in vCenter.
We’ll also add in our newly created Transport Zones
Creating Transport Node profile
We’ll select our Uplink profile and our IP Pool which we created earlier, finally we can set the mapping between the Uplinks
vCenter View
Creating Transport Node profile
Configure NSX on hosts
With our Transport Node profile we can go ahead and configure our ESXi hosts for NSX
Configure cluster for NSX
Select profile
After selecting the profile NSX Manager will go ahead and configure our ESXi hosts.
Hosts configuring
After a few minutes our hosts should be configured and ready for NSX
Hosts configured
Trunk segment
Next up is to create our Edge VMs which we will need for our Gateways and Services (NAT, DHCP, Load Balancer).
But before we deploy those we’ll have to create a segment for the uplink of the Edge VMs. This will be a Trunk segment which we create in NSX. Initially I created a Trunk portgroup on the VDS in vSphere, but that doesn’t work. The Trunk needs to be configured as a logical segment in NSX-T when using the same VLAN for both the Hypervisor TEPs and the Edge VM TEPs
Trunk segment
Edge VM
Now we can deploy our Edge VM(s). I’m using Medium sized VMs in my environment. Note that the Edge VMs is not strictly necessary for the test we’ll perform later on with connecting two VMs, but if we want to use some services later on, like DHCP, Load balancing and so on we’ll need them.
Deploy edge VM
Note the NSX config, where we set the switch name, the Transport Zones we created, the Uplink profile, the IP pool and finally we use the newly created Trunk segment for the Edge uplink
NSX Edge config
Edge cluster
We’ll also create an Edge cluster and add the Edge VM to it
Edge cluster
Summary
Wow, this was a lot of configuring, but that was also the whole point of doing this blog post. Stuff like this is learnt best while getting your hands dirty and do some actual work. And I learn even better when I’m writing and documenting it as well.
In the next blog post we’ll test the fabric to see if what we’ve done is working. We’ll also try to get some external connectivity to our environment.
Hopefully this post can help someone, if not it has at least helped me.
Issue The host goes into an un-responsive state due to: “Bootbank cannot be found at path ‘/bootbank” and boot device is in an APD state.
This issue is seen due to the boot device failing to respond & enter APD state (All paths down). Some cases, Host goes to non-responsive state & shows disconnected from vCenter.
As of 7.0 Update 1, the format of the ESX-OSData boot data partition has been changed. Instead of using FAT it is using a new format called VMFS-L. This new format allows much more and faster I/O to the partition. The level of read and write traffic is overwhelming and corrupting many less capable SD cards.
The action plan for future resolution would be to replace the SD card/s with a capable device/disk. Per the best practices mentioned on Installation guide.
The version 7.0 Update 2 VMware ESXi Installation and Setup Guide, page 19, specifically says “As even read-only workloads can cause problems on low-end flash devices, you should install ESXi only on high-endurance flash media“.
I must also move al lot of VM’s from different datacenters to other datacenters. I use the script from Michael Wilmsen to move the VM’s. But along the way I counter some problems with this script. So I begon tweaking and tweaking and tweaking this script to create for me the ultimate Cross vCenter PowerCLI Script.
Coolfeatures: – Info through Whattsapp (Default not enabled) – Dryrun (Test Run) – Logging – Selection through GUI – Multiple Nic support maximum of 4. – Datastore en Host selection based on Free space en Free Memory – Check of Destination Host or Datastore in Maintance – Destination Store exist in Destination Cluster
MoveVM.ps1: #Filename: MoveVM.ps1
#Author: M. Wilmsen / W. Vissers
#Source: http://virtual-hike.com/nlvmug-2018/
#Version: 2.0
#Date: 21-10-2018
#ChangeLog:
# V0.9 – M. Wilmsen First Version
# V1.0 – Fixed Multiple Nics to maximium of 4 nics
# – Logfile name VM name
# V1.1 – Destination Cluster not the first Host
# V1.2 – Selected Destination host based on memory used
# V1.3 – Fixed folder location and VirtualPortGroup
# V1.4 – Fixed Datastore in Maintance
# V1.5 – Using Get-VICredentialStoreItem + Logpath Fixt
# V1.6 – Fixed Log in Hours in 24 uurs
# V1.7 – Fixed Using DatastoreCluster name based on Cluster name!
# V1.8 – Check if Destination has the same datastore
# – Ask know for input
# – VM selection with VMhost
# – Fixed Ping Check
# v1.9 – Added Destination Store exist in Destination Cluster
# v2.0 – Fixed Destination Store exist in Destination Cluster
<#
.SYNOPSIS
Script to migrate a virtual machine
.DESCRIPTION
Script to migrate compute and storage from cluster to cluster. Log will be in current dir [VM]-[-timestamp].log
.EXAMPLE
MoveVM.ps1
#>
################################## INIT #################################################
#Set WebOperation timeout
# set-PowerCLIConfiguration -WebOperationTimeoutSeconds 3600
#Define Global variables
$location = “D:\xmovewhattsapp”
$LogPath = “.\”
$DataStoreClusterPrefix = “SAN-“
$SourceVC = Read-Host “Give Source vCenter”
$DestinationVC = Read-Host “Give Destination vCenter”
$DRSRecommendation = $true
$Dryrun = $false
$SendWhatsApp = $false
$WhatsAppNumbers = “0123456789”
$WhatsAppGroup = “Namehireyourwhattsgroup”
$instanceId = “23” #chang this line
$clientId = “demo@demo.nl” #change this line
$clientSecret = “Puthiersecretid” #change this line
################################## PASSWORD STORE ##############################################
#Username
# Check if credentials exist in credential store if not ask for credentials and put them in credential store
if ($DatastoreExistinOthervCenter ) { LogWrite “Datastore exsist $DestinationCluster in destination vCenter $DestinationVC “ $destinationDatastore = $DatastoreExistinOthervCenter } Else { LogWrite “Datastore does not exsist in $DestinationCluster destination vCenter $DestinationVC” # Select DataStore with the most free space and not in maintance $DatastoreCluster = “$DataStoreClusterPrefix”+”$DestinationCluster” $destinationDatastore = Get-DatastoreCluster $DatastoreCluster | Get-Datastore | Where {$_.State -ne “Maintenance”} | Sort-Object -Property FreeSpaceGB -Descending | Select-Object -First 1 }
LogWrite “Start move: $vm” Logwrite “VM IP: $vmip” Logwrite “VM Disk Used (GB): $VMHDDSize” Logwrite “VM Folder: $vmfolder” Logwrite “Source vCenter: $SourceVC” Logwrite “VM Source Cluster: $SourceCluster” Logwrite “Destination vCenter: $DestinationVC” Logwrite “VM Destination Cluster: $DestinationCluster” Logwrite “Destination host: $DestinationHost” LogWrite “VM Source PortGroup: $SourceVMPortGroup” LogWrite “VM Destination Portgroup: $DestinationVMPortgroup” Logwrite “VM Destination Datastore: $destinationDatastore” LogWrite “Destination Datastore FreeSpace GB: $destinationDatastoreFreeSpace “ if ( $Dryrun ) { $FreespaceAfterMigration = $destinationDatastoreFreeSpace – $VMHDDSize if ( $FreespaceAfterMigration -lt 0 ) { Logwrite “ERROR: Datastore $destinationDatastore does not have sufficient freespace! Virtual Machine needs $VMHDDSize. Only $destinationDatastoreFreeSpace available.” } else { Logwrite “Virtual Machine will fit on datastore $destinationDatastore. Freespace after migration is: $FreespaceAfterMigration GB” } } #Test if VM responsed to ping if ($vmip -eq $null) { LogWrite “Virtual Machine ip address not known” Logwrite “No ping check will be performed after moving the Virtual Machine” } else { Test-Connection -comp $vmip -quiet LogWrite “Virtual Machine $vm response to ping before being moved. Virtual machine will be checked after being moved” $PingVM = $true }
#if ( $VMHDDSize -eq if ( -NOT $Dryrun) { #Migrate VM to cluster LogWrite “Move $vm to vCenter $DestinationVC and datastore $DestinationDatastore” Try { $Result = Move-VM -VM $vm ` -Destination $DestinationHost ` -Datastore $DestinationDatastore ` -NetworkAdapter $NetworkAdapter ` -PortGroup $DestinationVMPortgroup ` -ErrorAction Stop } Catch { $ErrorMessage = $_.Exception.Message LogWrite “ERROR: Move of $vm to cluster $DestinationHost failed!!!” Logwrite “ERROR: Move Status Code: $ErrorMessage” SendWhatsApp “ERROR: Move of $vm failed!!! $ErrorMessage” $MigError = $true } #Migrate VM to folder LogWrite “Move $vm to vCenter $vmfolder” Try { $VMtemp = get-vm $vm $Result = Move-VM -VM $vmtemp -InventoryLocation $vmfolder -ErrorAction Stop } Catch { $ErrorMessage = $_.Exception.Message LogWrite “ERROR: Move of $vm to folder $vmfolder failed!!!” Logwrite “ERROR: Move Status Code: $ErrorMessage” SendWhatsApp “ERROR: Move of $vm failed!!! $ErrorMessage” $MigError = $true } }
$MigError = $false #Test if VM is running on destination cluster if ( -NOT $MigError -AND -NOT $Dryrun ) { LogWrite “Check $vm is registered in $DestinationVC” try { $CheckVM = get-vm -name $vm -server $DestinationVC -ErrorAction Stop
if ( $CheckVM ) { Logwrite “$vm registered in $DestinationVC” } else { Logwrite “ERROR: $vm not found in $DestinationVC” } } catch { $ErrorMessage = $_.Exception.Message Logwrite “ERROR: $vm not found in $DestinationVC” Logwrite “ERROR: $ErrorMessage” SendWhatsApp “ERROR move: $vm not found in $DestinationVC” } } #Test is VM response to ping, if $PingVM = $True if ($PingVM) { if (Test-Connection -comp $vmip -quiet) { LogWrite “Virtual Machine $vm response to ping after move” SendWhatsApp “Virtual Machine $vm response to ping after move” } } sleep 1 SendWhatsApp “Finished move action: $vm from $SourceVC to $DestinationVC” Logwrite “Finished move action: $vm from $SourceVC to $DestinationVC”
I love powershell. I created a little script to deploy multi VM based on a Windows Template throug CSV file.
It’s create a computer account at the specfified ou. He greates also a Domain Local Group for management. (It used in the customization not specified here)
Many new items have been introduced, such as HTML5 video redirection support for the Chrome browser and the ability to configure Windows Start menu shortcuts for desktop and application pools using the Horizon Administrator console. As always, you can count on increased operating system support for virtual desktops and clients.
Here is an overview of the new features:
VMware Horizon 7.3 Server Enhancements
Horizon Help Desk Tool
Displays application process resources with reset control
Role-based access control for help desk staff
Activity logging for help desk staff
Displays Horizon Client information
Granular logon time metrics
Blast Extreme display protocol metrics
Instant Clone Technology
Instant-clone desktops can now use dedicated assignment to preserve the hostname, IP address and MAC address of a user’s desktop
Windows Server OS is now supported for desktop use
Instant clones are now compatible with Storage DRS (sDRS)
If there are no internal VMs in all four internal folders created in vSphere Web Client, these folders are unprotected, and you can delete them
IcUnprotect.cmd utility can now unprotect or delete template, replica or parent VMs or folders from vSphere hosts
Windows Start Menu Shortcuts Created Using the Admin Console
Create shortcuts to Horizon 7 resources:
Published applications
Desktops
Global entitlements
Cloud Pod Architecture Scale
Total session limit is increased to 140,000
The site limit is now seven
VMware Horizon Apps
This update makes Horizon Apps easier to use and allows the administrator to restrict entitlements
Restrict access to desktop and application pools from specific client machines
Resiliency for Monitoring
If the event database shuts down, Horizon administrator maintains an audit trail of the events that occur before and after the event database shutdown
Database Support
Always-On Availability Groups feature for Microsoft SQL Server 2014
ADMX Templates
Additional GPO settings for ThinPrint printer filtering, HTML5 redirection and enforcement of desktop wallpaper settings
Remote Experience
Horizon Virtualization Pack for Skype for Business
Multiparty audio and video conferencing
Horizon 7 RDSH support
Windows Server 2008 R2
Windows Server 2012 R2
Forward Error Correction (FEC)
Quality of Experience (QOE) metrics
Customized ringtones
Call park and pickup
E911 (Enhanced 911) support, to allow the location of the mobile caller to be known to the call receiver
USB desktop-tethering support
Horizon Client for Linux support for the following Linux distributions:
Ubuntu 12.04 (32-bit)
Ubuntu 14.04 (32 & 64-bit)
Ubuntu 16.04 (64-bit)
RHEL 6.9/CentOS 6.x (64-bit)
RHEL 7.3 (64-bit)
SLED12 SP2 (64-bit)
Additional NVIDIA GRID vGPU Support
Support for the Tesla P40 graphics card from NVIDIA
HTML5 Video Redirection
View HTML 5 video from a Chrome browser and have video redirected to the client endpoint for smoother and more efficient video playback
Performance Counter Improvements
Windows agent PerfMon counters improvements for Blast Extreme sessions: imaging, audio, client-drive redirection (CDR), USB and virtual printing
Linux Virtual Desktops
KDE support: Besides RHEL/CentOS 6.x, the KDE GUI is now supported on RHEL/CentOS 7.x, Ubuntu 14.04/16.04 and SUSE Linux Enterprise Desktop 11 SP4
MATE interface is now supported on Ubuntu 14.04 and Ubuntu 16.04
Blast Extreme Adaptive Transport is now supported for Linux desktops
vGPU hardware H.264 encoder support has been added
USB Redirection
USB redirection is supported in nested mode
ThinPrint Filtering
Administrators can filter out printers that should not be redirected
Horizon Client 4.6 Updates
Security Update
All clients have been updated to use SHA-2 to prevent SHA-1 collision attacks
Session Pre-launch
Session pre-launch is now extended to both Horizon Client for macOS and Horizon Client for Windows
Apteligent
Integration of Apteligent crash log
Blast Extreme
Improvements in Blast Extreme Adaptive Transport mode for iOS and macOS
User can change Blast Extreme settings without having to disconnect
Horizon Client 4.6 for Windows
Support for UNC path with CDR
Horizon Client 4.6 for macOS
Support for macOS Sierra and macOS High Sierra
Selective monitor support
Norwegian keyboard support
Horizon Client 4.6 for iOS
CDR support with drag and drop of files in split view
iOS split keyboard enhancement
iOS UI updates
Horizon Client 4.6 for Android
Android Oreo support
Manage the Horizon server list with VMware AirWatch
Simple shortcuts
External mouse enhancements
Real-Time Audio-Video (RTAV) support for Android and Chrome OS
Horizon Client 4.6 for Linux
Blast Extreme Adaptive Transport support
Horizon Client 4.6 for Windows 10 UWP
Network recovery improvements
Horizon HTML Access 4.6
HTML Access for Android with a revised UI
Customization of HTML Access page
Horizon Help Desk Tool
The Horizon Help Desk Tool provides a troubleshooting interface for the help desk that is installed by default on Connection Servers. To access the Horizon Help Desk Tool, navigate to https://<CS_FQDN>/helpdesk, where <CS_FQDN> is the fully qualified domain name of the Connection Server, or click the Help Desk button in the Horizon Administrator console.
The Help Desk Tool was introduced in Horizon 7.2 and has been greatly expanded upon in the Horizon 7.3 release.
Help Desktop Tool features with Horizon 7.2:
Virtual machine metrics
Remote assistance
Session control (restart, logoff, reset, and disconnect)
Sending messages
Additional features with Horizon 7.3:
Display application process resources with reset control
Role-based access control for help desk staff
Activity logging for help desk staff
Granular login time metrics
Display Horizon Client information
User Session Details
The user session details appear on the Details tab when you click a user name in the Computer Name option on the Sessions tab. You can view details for Horizon Client, the VDI desktop or RDSH-published desktop, CPU and memory stats, and many other details.
Client version
Unified Access Gateway name and IP address
Logon breakdown (client to broker):
Brokering
GPO load
Profile load
Interactive
Authentication
Blast Extreme Metrics
Blast extreme metrics that have been added include estimated bandwidth (uplink), packet loss, and transmitted and received traffic counters for imaging, audio, and CDR.
Note the following behavior:
The text-based counters do not auto-update in the dashboard. Close and reopen the session details to refresh the information.
The counters for transmitted and received traffic counters are accumulative from the point the session is queried/polled.
Blast Extreme Metrics for a Windows 10 Virtual Desktop Session
Display and Reset Application Processes and Resources
This new feature provides help desk staff with a granular option to resolve problematic processes without affecting the entire user session, similar to Windows Task Manager. The session processes appear on the Processes tab when you click a user name in the Computer Name option on the Sessions tab. For each user session, you can view additional details about CPU- and memory-related processes to diagnose issues.
Role-based Access Control and Custom Roles
You can assign the following predefined administrator roles to Horizon Help Desk Tool administrators to delegate the troubleshooting tasks between administrator users:
Help Desk Administrator
Help Desk Administrator (Read Only)
You can also create custom roles by assigning the Manage Help Desk (Read Only) privilege along with any other privileges based on the Help Desk Administrator role or Help Desk Administrator (Read Only) role.
Members of the Help Desk Administrators (Read Only) role do not have access to following controls; in fact, functions such as Log Off and Reset are not presented in the user interface.
Watch this brief demonstration video of the Horizon Help Desk Tool to see it in action:
Horizon Virtualization Pack for Skype for Business
You can now make optimized audio and video calls with Skype for Business inside a virtual desktop without negatively affecting the virtual infrastructure and overloading the network.
All media processing takes place on the client machine instead of in the virtual desktop during a Skype audio and video call.
Horizon Virtualization Pack for Skype for Business offers the following supported features:
System Requirements
The following table outlines the system requirements for the new release:
Supported Clients
The following table provides the list of support Horizon clients:
Start Menu Shortcuts Configured Through the Admin Console
This feature improves the user experience by adding desktop and application shortcuts to the Start menu of Windows client devices.
You can use Horizon Administrator to create shortcuts for the following types of Horizon 7 resources:
Published applications
Desktops
Global entitlements
Shortcuts appear in the Windows Start menu and are configured by IT. Shortcuts can be categorized into folders.
Users can choose at login whether to have shortcuts added to the Start menu on their Windows endpoint device.
Watch this brief demonstration video of the new Desktop and Apps Shortcuts feature to see it in action:
Dedicated Desktop Support for Instant Clones
Upon the initial release of instant clones in Horizon 7, we supported floating desktop pools and assignments only. Further investments have been made to Instant Clone Technology that add support for dedicated desktop pools. Fixed assignments and entitlements of users to instant-clone machines is now provided as part of Horizon 7.3.
Dedicated instant-clone desktop assignment means that there is a 1:1 relationship between users and desktops. Once an end user is assigned to a desktop, they will consistently receive access to the same desktop and corresponding virtual machine. This feature is important for apps that require a consistent hostname, IP address, or MAC address to function properly.
Note: Persistent disks are not supported. Fixed assignments to desktops does not mean persistence for changes. Any changes that the user makes to the desktop while in-session will not be preserved after logoff, which is similar to how a floating desktop pool works. With dedicated assignment, when the user logs out, a resync operation on the master image retains the VM name, IP address, and MAC address.
Support for the Tesla P40 Graphics Card from NVIDIA
VMware has expanded NVIDIA GRID support with Tesla P40 GPU cards in Horizon 7.3.
HTML5 Video Redirection
This feature provides the ability to take the HTML5 video from a Chrome (version 58 or higher) browser inside a Windows VDI or RDSH system and redirect it to Windows clients. This feature uses Blast Extreme or PCoIP side channels along with a Chrome extension.
The redirected video is overlaid on the client and is enabled as well as managed using GPO settings.
Benefits include:
Supports generic sites such as YouTube, without requiring a server-side plugin.
Provides smooth video playback comparable to the native experience of playing video inside a browser on the local client system.
Reduces data center network traffic and CPU utilization on the vSphere infrastructure hosts.
Improved USB Redirection with User Environment Manager
The default User Environment Manager timeout value has been increased. This change ensures that the USB redirection Smart Policy takes effect even when the login process takes longer than expected.
With Horizon Client 4.6, the User Environment Manager timeout value is configured only on the agent and is sent from the agent to the client.
You can now bypass User Environment Manager control of USB redirection by setting a registry key on the agent machine (VDI desktop or RDSH server). This change ensures that smart card SSO works on Teradici zero clients. Note: Requires a restart.
The Windows Agent PerfMon counters for the Blast Extreme protocol have been improved to update at a constant rate and to be even more accurate.
Counters include:
Imaging
Audio
CDR
USB
Virtual printing
Linux Virtual Desktops
Features and functions for Horizon 7 for Linux virtual desktops have been expanded:
KDE support – Besides RHEL/CentOS 6.x, the KDE GUI is now supported on RHEL/CentOS 7.x, Ubuntu 14.04/16.04, SUSE Linux Enterprise Desktop 11 SP4.
Support for the MATE interface on Ubuntu 14.04, Ubuntu 16.04.
Blast Extreme Adaptive Transport support.
vGPU hardware H.264 encoder support.
USB Redirection Support in Nested Mode
The USB redirection feature is now supported when you use Horizon Client in nested mode. When using nesting–for example, when opening RDSH applications from a VDI desktop–you can now redirect USB devices from the client device to the first virtualization layer and then redirect the same USB device to the second virtualization layer (that is, nested session).
Filtering Redirected Printers
You can now create a filter to specify the printers that should not be redirected with ThinPrint. A new GPO ADMX template (vmd_printing_agent.admx) has been added to enable this functionality.
By default, the rule permits all client printers to be redirected.
Supported attributes:
PrinterName
DriverName
VendorName
Supported operators:
AND
OR
NOT
Supported searching pattern is a regular expression.
Blast Extreme Improvements in CPU Usage
Now even lower CPU usage is achieved with adaptive Forward Error Correction algorithms. This clever mechanism decides how to handle error correction, lowering CPU usage within virtual desktop machines as well as on client endpoint devices.
Blast Extreme Adaptive Transport Side Channel
New support has been added for Blast Extreme Adaptive Transport side channels for USB and CDR communications. Once enabled, TCP port 32111 for USB traffic does not need to be opened, and USB traffic uses a side channel. This feature is supported for both virtual desktops and RDS hosts.
Feature is turned off by default.
Enable the feature through a registry key: HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware Blast\Config\UdpAuxiliaryFlowsEnabled 1
Entitlement Restrictions Based on Machine Name
This feature allows IT administrators to restrict access to published applications and desktops based on both client computer and user. With client restrictions for RDSH, it is now possible to check AD security groups for specific computer names. Users only have access to desktops and apps when both the user and the client machine are entitled. For this release, the feature is supported only for Windows clients and works with global entitlements.
Pre-Launch Improvements
Pre-launch provides the ability to launch an empty (application-less) session when connecting to the Connection Server. The feature is now also available to Windows clients, in addition to macOS.
Also, it is no longer necessary to manually make changes to the client settings. You can configure automatic reconnection.
Blast Extreme Adaptive Transport Mode for iOS and macOS
With prior client releases, users were required to configure their Blast Extreme settings before they connected to the Connection Server. After a connection was established, the options to change the Blast Extreme setting—which included H.264, Poor, Typical, and Excellent—were unavailable.
With this release, users can change the network condition setting from Excellent to Typical or the reverse while inflight to sessions. Doing so also changes the protocol connection type between TCP (for Excellent) and UDP (for Typical).
Note: End users will not be able to change the network condition setting if Poor is selected before establishing a session connection.
Horizon Client for Windows
Horizon Client 4.6 updates include:
Additional command-line options for the new client installer – When silently installing the Windows client, using the /s flag, you can now also set:
REMOVE-SerialPort,Scanner – Removes the serial port, scanner, or both.
DESKTOP_SHORTCUT-0 – Installs without a desktop shortcut.
STARTMENU_SHORTCUT-0 – Installs without a Start menu shortcut.
Support for UNC paths with client drive redirection (CDR):
Allows remote applications to access files from a network location on the client machine. Each location gets its own drive letter inside the remote application or VDI desktop.
Folders residing on UNC paths can now be redirected with CDR, and get their own drive letter inside the session, just as any other shared folder.
Horizon Client for macOS
Horizon Client 4.6 updates include:
Apple macOS High Sierra day 0 support.
Users can select which monitors to use for VDI sessions and which to use for the local system.
Norwegian keyboard support and mappings are now available
Horizon Client for iOS
Horizon Client 4.6 updates include:
iOS 11 support
iOS split keyboard update – Removes the middle area in the split keyboard for a better view of the desktop
New dialog box for easy connection to a Swiftpoint Mouse
Horizon Client for Android
Horizon Client 4.6 updates include:
Android 8.0 Oreo support.
Server URL configuration – Allows administrators to configure a list of Connection Servers and a default Connection Server on Android devices managed by VMware AirWatch.
Android and Chrome OS Client Updates
Horizon Client 4.6 for Android and Horizon Client 4.6 for Chrome OS updates include:
Simple shortcuts – Users can right-click any application or desktop to add a shortcut to the home screen.
Webcam redirection – Integrated webcams on an Android device or a Chromebook are now available for redirection using the Real-Time Audio-Video (RTAV) feature.
HTML Access
HTML Access 4.6 updates include:
HTML Access on Android devices – Though HTML Access has fewer features than the native Horizon Client, it allows you to use remote desktops and published applications without installing software.
HTML Access page customization – Administrators can customize graphics and text and have those customizations persist through future upgrades.
Horizon Client for Linux
Horizon Client 4.6 updates include:
Support for Raspberry Pi 3 Model B devices:
ThinLinx operating system (TLXOS) or Stratodesk NoTouch operating system
Supported Horizon Client features include:
Blast Extreme
USB redirection
264 decoding
8000Hz and 16000Hz audio-in sample rate
RHEL/CentOS 7.4 support
Horizon Client for Windows 10 UWP
Horizon Client 4.6 updates include:
Network recovery improvements – Clients can recover from temporary network loss (up to 2 minutes). This feature was already available for Windows, macOS, Linux, iOS, and Android, and is now available for Windows 10 UWP.
Automatically reconnects Blast Extreme sessions
Reduces re-authentication prompts
We are excited about these new features in Horizon 7.3.1 and the Horizon Client 4.6. We hope that you will give them a try.
The [ADD Connect version 1.1.553.0] update addresses a vulnerability that could allow elevation of privilege if Azure AD Connect Password writeback is misconfigured during enablement. An attacker who successfully exploited this vulnerability could reset passwords and gain unauthorized access to arbitrary on-premises AD privileged user accounts. The issue is addressed in the latest version (1.1.553.0) of Azure AD Connect by not allowing arbitrary password reset to on-premises AD privileged user accounts.
Microsoft highly recommends all customers update to version 1.1.553.0 or later to mitigate this vulnerability, even if you don’t use the optional password writeback feature. If you are unable to update immediately, the article above describes mitigation steps you can consider.
If the AD DS account is a member of one or more on-premises AD privileged groups, consider removing the AD DS account from the groups.
If an on-premises AD administrator has previously created Control Access Rights on the adminSDHolder object for the AD DS account which permits Reset Password operation, consider removing it.
It may not always be possible to remove existing permissions granted to the AD DS account (for example, the AD DS account relies on the group membership for permissions required for other features such as Password synchronization or Exchange hybrid writeback). Consider creating a DENY ACE on the adminSDHolder object which disallows the AD DS account with Reset Password permission using Windows DSACLS tool.
On June 27, 2017 Microsoft has released its quarterly updates for Exchange 2013 and Exchange 2016. The current version is now at Exchange 2013 CU17 (15.0.1320.4) and Exchange 2016 CU6(15.1.1034.26) . But this time there are some interesting things I’d like to point out.
A couple of days before the release of Exchange 2016 CU6 (15.1.1034.26) Microsoft blogged about Sent Items Behavior Control and Original Folder Item Recovery. With the Sent Items Behavior Control, a message that’s sent using the Send As or Send on behalf of permission is not only stored in the mailbox of the user that actually sent the message, but a copy is also stored in the delegator mailbox sent items. This was already possible for shared mailboxes, but now it’s also possible for regular mailboxes (like manager/assistant scenarios).
The Original Folder Item Recovery feature is I guess on of the most requested features. In the past (before Exchange 2010) when items were restored after they were deleted, they were restored to their original location. With the Dumpster 2.0 that was introduced with Exchange 2010 this was no longer possible, and items were restored to the deleted items folder. In this case the items had to be moved manually to their original location. With the introduction of the Original Folder Item Recovery the restore of deleted items again takes place in the original folder.
Unfortunately, both Sent Items Behavior Control and Original Folder Item Recovery are only available in Exchange 2016 CU6 (and NOT in Exchange 2013 CU17).
When it comes to security TLS 1.2 is a hot topic. Microsoft is aware of this and working hard towards an Exchange environment that only uses TLS 1.2 (so that TLS 1.1 and TLS 1.0 can be disabled). We are not yet at that stage. Exchange 2016 CU6 does have improved support for TLS 1.2, but Microsoft is not encouraging customers to move to a TLS 1.2 environment only.
.NET Framework and Exchange server continues to be a difficult scenario. This is understandable, Exchange is just a consumer of Windows and .NET so the Exchange Product Group does not have much influence on the .NET (and Windows) Product Group.
Exchange 2016 CU6 does NOT support.NET Framework 4.7 at this moment, and you should NOT install .NET Framework on a server running Exchange 2016. Not before and not after the installation of Exchange 2016 CU6. This is also true for Exchange Server 2013 CU17. More information regarding .NET Framework and Exchange server can be found here: https://blogs.technet.microsoft.com/exchange/2017/06/13/net-framework-4-7-and-exchange-server/.
The .NET Framework 4.6.2 is supported by Exchange 2016 CU3 and higher and Exchange 2013 CU15 and higher. For a complete overview of which scenarios are supported, navigate to the Exchange Server Supportability Matrix on https://technet.microsoft.com/en-us/library/ff728623(v=exchg.150).aspx.
KB articles that describe the fixes, features and information in each release are available as follows:
Microsoft Remote Desktop Team get customer enquiries asking which RDS updates are available for a particular Windows Server platform; or when providing support we need to verify if certain hotfixes and servicing rollups are installed on the customers’ servers. To make it easier for customers and ourselves, we regularly revise KB articles that list all of the available updates specific to Remote Desktop services for each Windows Server release:
You must be logged in to post a comment.