VMware View Connection Server antivirus exceptions
An internal connection is one where the Horizon client connects directly to the Connection Server and then directly to the Horizon agent. Normally, this is for connections that are internal to the corporate network. In the initial authentication phase, the connection is from the Horizon Client to the Connection Server. The secondary protocol session then normally connects directly from the Horizon Client to the Horizon Agent.
The tunneled configuration, in which the secondary protocol session is routed through the Blast Secure Gateway or PCoIP Secure Gateway on the Connection Server instead of going directly to the Horizon Agent, is less common, because the protocol session is then carried through the Connection Servers for the whole duration of the session. Although the above diagram shows three separate network zones, it is also supported to have all internal components on the same network with no firewalls between components. When load balancing Connection Servers, only the initial XML-API connection (authentication, authorization, and session management) needs to be load balanced.
Because the secondary protocol connections go directly from the Horizon Client to the Horizon Agent, they are not load balanced. To ensure successful connections and correct communication between the components, it is important to understand the network port requirements for connectivity in a Horizon deployment. The diagrams below show an internal connection using each of the possible display protocols and the destination network ports.
The following diagram shows the ports required to allow an internal Blast Extreme connection. The following diagram shows the ports required to allow an internal PCoIP connection. The Network Ports in VMware Horizon guide has more detail, along with diagrams illustrating the traffic. It even has specific sections and diagrams on internal, external, and tunneled connections.
To see more detail on the network ports required for an internal connection, see Network Ports in VMware Horizon: Internal Connection and the Internal Connection diagram.
If the connection is external, communication is typically through a VMware Unified Access Gateway appliance. The initial authentication phase of a connection is from the Horizon Client to a Unified Access Gateway appliance and then to a Connection Server.
Unified Access Gateway provides its own Blast Secure Gateway and PCoIP Secure Gateway for external sessions, so ensure that these gateways are not also enabled on the Connection Server: that would cause a double-hop attempt of the protocol traffic, which is not supported and results in failed connections. When load balancing Horizon traffic to multiple Unified Access Gateway appliances, the initial XML-API connection (authentication, authorization, and session management) needs to be load balanced.
This allows the Unified Access Gateway to authorize the secondary protocols based on the authenticated user session. If the secondary protocol session is misrouted to a different Unified Access Gateway appliance from the primary protocol one, the session will not be authorized. The connection would therefore be dropped in the DMZ, and the protocol connection would fail. Misrouting secondary protocol sessions is a common problem if the load balancer is not configured correctly.
The load balancer affinity must ensure that XML-API connections made for the whole duration of a session (default maximum 10 hours) continue to be routed to the same Unified Access Gateway appliance.
Although the secondary protocol session must be routed to the same Unified Access Gateway appliance as was used for the primary XML-API connection, there is a choice about whether the secondary protocol session is routed through the load balancer or not. This normally depends on the capabilities of the load balancer. Routing the secondary protocol session through the load balancer, with source IP affinity keeping it on the same appliance as the XML-API session, has the advantage of needing only a single public IP address.
Where the load balancer does not have this capability, or where source IP affinity cannot be used, another option is to dedicate additional IP addresses for each Unified Access Gateway appliance so that the secondary protocol session can bypass the load balancer. To ensure successful external connections, and correct communication between the components, it is important to understand the network port requirements for connectivity in a Horizon deployment.
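The two load balancing choices above, as an added configuration example that is not part of the original page and is not a VMware-supplied configuration: an HAProxy fragment in front of two Unified Access Gateway appliances. The IP addresses, backend names and appliance names are placeholders; the 10-hour affinity expiry is the figure from the text. The weak setting (a short expiry) is shown in a comment beside the corrected one.

```haproxy
# Added example (not from the page or from VMware): HAProxy in front of two UAG
# appliances. All addresses and names are placeholders.
defaults
    mode tcp
    timeout connect 5s
    timeout client  1h      # idle timeouts must not cut long-lived Blast sessions
    timeout server  1h

# Primary protocol: XML-API over TCP 443, TLS passthrough (UAG terminates TLS).
frontend horizon_xmlapi
    bind 203.0.113.10:443
    default_backend uag_xmlapi

backend uag_xmlapi
    balance source
    # Affinity must outlive a Horizon session (default maximum 10 hours).
    # WEAK: "stick-table type ip size 100k expire 30m" lets a session that runs
    # longer than 30 minutes of idle XML-API traffic re-balance to the other
    # appliance, where its secondary protocol session is not authorized and is
    # dropped in the DMZ.
    stick-table type ip size 100k expire 10h
    stick on src
    server uag1 10.0.1.11:443 id 1 check
    server uag2 10.0.1.12:443 id 2 check

# Secondary protocol: Blast Extreme over TCP 8443 on the same public IP,
# pinned to the appliance chosen for the XML-API session by reusing its table.
# Server ids must match across backends for the shared table to resolve.
frontend horizon_blast
    bind 203.0.113.10:8443
    default_backend uag_blast

backend uag_blast
    balance source
    stick on src table uag_xmlapi
    server uag1 10.0.1.11:8443 id 1 check
    server uag2 10.0.1.12:8443 id 2 check
```

This fragment load balances TCP only: Blast over UDP 8443 and PCoIP over UDP 4172 are not carried by it, which is exactly the situation in which you dedicate an additional public IP address per appliance so that the secondary protocol bypasses the load balancer. Source IP affinity also breaks down when many clients share one NAT address, so check how your client population reaches the DMZ before relying on it.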
The diagrams below show an external connection using each of the possible display protocols and the destination network ports. The following diagram shows the ports required to allow an external Blast Extreme connection through Unified Access Gateway.
To see more detail on the network ports required for an external connection, see Network Ports in VMware Horizon: External Connection and the External Connection diagram.
When using Unified Access Gateway to provide external access to Horizon, the same Connection Servers can be used for both external and internal connections. Although the above diagram does not show a load balancer between the Unified Access Gateway appliances and Connection Servers, it is also supported to have a load balancer inline.
Knowing what is meant to happen during a successful connection helps you understand and troubleshoot when things do not work. This guide focuses on troubleshooting an external connection, as this shows all possible components and communication flows. The troubleshooting steps can also be applied to internal connections. The diagram below illustrates an external connection, and the numbers indicate the communication flow.
Note: While not part of the connection communication flow, it is important to note that the Horizon Agent communicates with the Connection Servers to report its state. To troubleshoot a Horizon connection, first determine which phase is failing: authentication or protocol.
Is the user able to authenticate or not? Are they able to log in, select a Horizon resource and launch it? Does the Horizon resource fail to connect for the user? If a user is unable to authenticate, we can limit the initial investigation to the first four steps listed above. Most problems are not related to the Horizon components themselves.
More commonly, they are issues with a misconfigured firewall blocking ports, a misconfigured load balancer misrouting connections, or network routing not allowing traffic to reach the destination Connection Server, Agent or authentication server. In the primary authentication phase, the Horizon Client connects to one of the Unified Access Gateway appliances.
For the secondary protocol phase, the ports required depend on the display protocol being used and, with Blast, on which ports have been configured for use on the Unified Access Gateway. When the Blast connection fails between the Horizon Client and the Unified Access Gateway, a timeout entry appears in bsg.log on the Unified Access Gateway.
Ensure that the firewall between the Horizon Client and the Unified Access Gateway is not blocking the port configured for Blast Extreme on the Unified Access Gateway (TCP and UDP 8443 by default).
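The port requirements for the internal, tunneled and external hops described above, and the firewall check this troubleshooting step calls for, as an added example that is not part of the original page and is not a VMware tool. It encodes the default Horizon destination ports per hop (the hop names such as `client`, `uag`, `cs-tunneled` are this example's own, and the UAG Blast port is configurable, so adjust `PORTS` to your environment) and proves TCP reachability with a plain connect. UDP ports are listed but reported as not testable, because a UDP connect proves nothing.

```python
"""Added example (not from the page or from VMware): TCP reachability check for the
Horizon connection hops. Ports are Horizon defaults; hop names are this example's own."""
import socket
from collections import namedtuple

Port = namedtuple("Port", "proto port display purpose")  # display: any | blast | pcoip

_AGENT_PORTS = [
    Port("tcp", 22443, "blast", "Blast Extreme"),
    Port("udp", 22443, "blast", "Blast Extreme (UDP transport)"),
    Port("tcp", 4172, "pcoip", "PCoIP"),
    Port("udp", 4172, "pcoip", "PCoIP (UDP transport)"),
    Port("tcp", 32111, "any", "USB redirection"),
    Port("tcp", 9427, "any", "CDR / MMR"),
]

# (source, destination) -> destination ports for that hop.
PORTS = {
    ("client", "cs"): [Port("tcp", 443, "any", "XML-API / HTTPS (primary protocol)")],
    ("client", "cs-tunneled"): [
        Port("tcp", 443, "any", "XML-API / HTTPS"),
        Port("tcp", 8443, "blast", "Blast Secure Gateway"),
        Port("udp", 8443, "blast", "Blast Secure Gateway (UDP transport)"),
        Port("tcp", 4172, "pcoip", "PCoIP Secure Gateway"),
        Port("udp", 4172, "pcoip", "PCoIP Secure Gateway (UDP transport)"),
    ],
    ("client", "agent"): _AGENT_PORTS,  # internal direct connection
    ("client", "uag"): [
        Port("tcp", 443, "any", "XML-API / HTTPS"),
        Port("tcp", 8443, "blast", "Blast Extreme via UAG (default, configurable)"),
        Port("udp", 8443, "blast", "Blast Extreme via UAG (UDP transport)"),
        Port("tcp", 4172, "pcoip", "PCoIP via UAG"),
        Port("udp", 4172, "pcoip", "PCoIP via UAG (UDP transport)"),
    ],
    ("uag", "cs"): [Port("tcp", 443, "any", "XML-API / HTTPS")],
    ("uag", "agent"): _AGENT_PORTS,
    ("agent", "cs"): [Port("tcp", 4001, "any", "JMS"), Port("tcp", 4002, "any", "JMS (enhanced, SSL)")],
}

def expected_ports(src, dst, protocol=None):
    """Ports for a hop, optionally narrowed to the display protocol in use ("blast"/"pcoip")."""
    if (src, dst) not in PORTS:
        raise ValueError(f"unknown hop {src}->{dst}; known: {sorted(PORTS)}")
    return [p for p in PORTS[(src, dst)] if protocol is None or p.display in ("any", protocol)]

def check_tcp(host, port, timeout=3.0):
    """True if a TCP handshake to host:port completes within timeout, else False."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def check_hop(host, src, dst, protocol=None, timeout=3.0):
    """Map (proto, port) -> True/False for TCP, None for UDP (cannot be proven by connect)."""
    results = {}
    for p in expected_ports(src, dst, protocol):
        results[(p.proto, p.port)] = check_tcp(host, p.port, timeout) if p.proto == "tcp" else None
    return results

def demo_local_check():
    """Offline self-check: a listening loopback port reads open, the same port closed reads blocked."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    while_open = check_tcp("127.0.0.1", port, timeout=1.0)
    srv.close()
    after_close = check_tcp("127.0.0.1", port, timeout=1.0)
    return while_open, after_close

if __name__ == "__main__":
    import sys
    labels = {True: "open", False: "BLOCKED", None: "udp: not testable by connect"}
    if len(sys.argv) >= 4:  # usage: script.py <src> <dst> <host> [blast|pcoip]
        src, dst, host = sys.argv[1:4]
        proto = sys.argv[4] if len(sys.argv) > 4 else None
        for (p, port), ok in sorted(check_hop(host, src, dst, proto).items()):
            print(f"{src}->{dst} {p}/{port}: {labels[ok]}")
    else:
        print("loopback self-check (open, closed):", demo_local_check())
```

Run it from the host that originates each hop (for example from a client machine against the UAG address, then from the UAG against an agent), because a firewall between two other points tells you nothing about the path the session actually takes. A port that reads open here but still fails in bsg.log points at the load balancer or the UAG configuration rather than the firewall.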
If the secondary Blast session is misrouted by the load balancer to a different Unified Access Gateway appliance from the one that handled the XML-API authentication, it is not authorized, the connection is dropped in the DMZ, and the Blast connection fails. For Blast connections this shows in bsg.log. The load balancer affinity must ensure that connections made for the whole duration of a session (default maximum 10 hours) continue to be routed to the same Unified Access Gateway appliance that was used for authentication.
Check that the affinity and timeout are configured correctly on the load balancer. Blast Extreme uses WebSockets, so a load balancer that terminates or rewrites HTTP must also be configured to pass WebSocket upgrades through unchanged.
Areas of Consideration
When looking at adjustments to all-inclusive antivirus scanning to increase performance, there are several areas to consider.
These apply to both single-user virtual desktops and session-based desktops and applications provided by RDSH. Important: Any low-risk files and folders excluded from real-time scans should still be scanned on a regular schedule. Review the Microsoft support article "Virus scanning recommendations for Enterprise computers that are running currently supported versions of Windows" for general guidance on service exclusions.
Caution: Exclusions can present a security risk. Seek guidance from your security team and your antivirus vendor to ensure that any restrictions are appropriate for you. VMware App Volumes makes it easy to deliver, update, manage, and monitor applications, and users of those applications, across virtual desktop and published application environments. When working with App Volumes, consider the following when planning antivirus scanning. The packaging machine should use a snapshot that is known to be virus free but has no antivirus software installed.
The presence of antivirus software can interfere with the proper creation of a package or AppStack. You can make sure the machine is virus free by installing the required operating system and base software programs while it is disconnected from the network, and then taking the snapshot. Alternatively, you can install antivirus software on it, scan it, uninstall the antivirus software, and take the snapshot. If possible, disconnect the provisioning machine from the network when creating a package or AppStack.
VMware Dynamic Environment Manager delivers personalization and centrally managed policy configurations across virtual, physical, and cloud-based Windows desktop environments. Dynamic Environment Manager allows IT to control which settings users are allowed to personalize, and also maps environmental settings such as networks and location-specific printers.
Additionally, in nonpersistent desktop pools that have a clean golden image, you can exclude the Dynamic Environment Manager executables from real-time scans because they are known to be virus free.
VMware ThinApp is a virtualization technology that isolates and encapsulates pre-installed applications. Virtualized applications are isolated from all other applications as well as from the underlying operating system. These packages can run on virtual or physical desktops, stream from a file share, or be placed in App Volumes 4 packages or App Volumes 2.x AppStacks. This section lists third-party antivirus software vendors and a Microsoft guide.
Antivirus Software Vendors
Note: VMware does not endorse or recommend any particular third-party antivirus software vendor, nor is this list meant to be exhaustive.
Restarted the Connection Server service and the servers themselves but still receive the same error.
It is working only with the IE browser. I need to use modern browsers, as it was working before the upgrade. Same here. After upgrading, the HAProxy in front of CS stopped working. Does someone have a fix?
We had the same issue upgrading to and Chrome users; we needed to add the portalHost property: We are using something like: Is it possible to build a new set of servers connected to the same vCenter? Horizon 7. Thank you for your reply. If older agent 7. You mean from 7. So I am thinking how to do the upgrade without disturbing users, as it is a production environment.
Yes, upgrade Connection Servers to 7. Then rebuild your pools with Win10 and Horizon Agent 7. Then you can upgrade everything to Horizon 8. Which one do you think will be the better way in terms of time, maintenance windows and any other issues? Building a new environment is certainly cleaner. Cutovers are risky. Thank you, Carl.
I am using Horizon 7. I also use App Volumes 2. What do you recommend for upgrading from 2.? How do I migrate AppStacks to 4.?
This post applies to all VMware Horizon 8 versions. Notes regarding upgrades: For supported upgrade paths (which version can be upgraded to which other version), see the VMware Interoperability Matrix. A Horizon 7 license key does not work in Horizon 8. Upgrade all Connection Servers during the same maintenance window.
Horizon Agents cannot be upgraded until the Connection Servers are upgraded. Security Server is removed in Horizon 8; the replacement is Unified Access Gateway. Composer is deprecated in early Horizon 8 releases and was removed in a later Horizon 8 release. All editions of Horizon 8.
Downgrades are not permitted. You can snapshot your Connection Servers before beginning the upgrade; to revert, shut down all Connection Servers, then revert to the snapshots. All Connection Servers in the pod must be online before starting the upgrade. Just run the Connection Server installer and click Next a couple of times. Once the first Connection Server is upgraded, Horizon 8. But upgrade all of them as soon as possible.
After upgrading all Connection Servers to Horizon 8, upgrade the Horizon Group Policy template, then upgrade the Horizon Agents. Persona is no longer supported. Persistent Disks are no longer supported.
Use a profile management solution such as Dynamic Environment Manager or Microsoft FSLogix instead. Otherwise, Horizon Agent is an in-place upgrade: just run the installer on your gold images and full clones. Upgrade the Horizon Agents when time permits. Upgrade the Horizon Clients. Horizon Clients can be upgraded anytime before the rest of the infrastructure is upgraded. Download Horizon Connection Server. In the License Agreement page, select I accept the terms, and click Next. In the Destination Folder page, click Next.
In Horizon 8. In the Data Recovery page, enter a password, and click Next. In the Firewall Configuration page, click Next. In the Operational Data Collection page, click Next. In the Ready to Install the Program page, click Install.
In the Installer Completed page, uncheck the box next to Show the readme file, and click Finish. Download Horizon 8. Then click Next. In the Installer Completed page, click Finish. Load balance your multiple Horizon Connection Servers.
Horizon Connection Server Certificate
Run certlm.msc.
Request a new certificate with a common name that matches the FQDN of the Connection Server, or import a wildcard certificate. Note: the private key must be exportable. If using the Computer template, click Details, and then click Properties. On the Private Key tab, click Key options to expand it, and check the box next to Mark private key as exportable. In the list of certificates, look for the one that is self-signed.
The Issuer will be the local computer name instead of a Certificate Authority. Right-click it, and click Properties. On the General tab, clear the Friendly name field, and click OK. Right-click your Certificate Authority-signed certificate, and try to export it. On the Export Private Key page, make sure Yes, export the private key is selectable.
If the option to export the private key is grayed out, then this certificate will not work. Click Cancel. Right-click your Certificate Authority-signed certificate, and click Properties.
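A way to confirm from any client that the Connection Server is now serving the Certificate Authority-signed certificate rather than the self-signed one, as an added example that is not part of the original page and is not VMware code. Horizon serves the certificate in the machine store whose friendly name is `vdm`, which is why the steps above clear the friendly name on the self-signed certificate; the check below fetches whatever the server presents, reports whether the issuer equals the subject (self-signed), and whether the SAN or CN matches the FQDN users connect to, including the one-label wildcard case. The sample certificates in `getpeercert()` format are constructed, and the hostnames are placeholders.

```python
"""Added example (not from the page or from VMware): inspect the certificate a
Connection Server presents. Sample certificate dicts below are constructed."""
import socket
import ssl

def _name_values(name, key):
    """Values of one attribute (e.g. commonName) in a getpeercert() subject/issuer tuple."""
    return [v for rdn in name for k, v in rdn if k == key]

def is_self_signed(cert):
    """True when issuer equals subject, as for the certificate Horizon generates at install time."""
    return cert.get("subject") == cert.get("issuer")

def _label_match(pattern, hostname):
    """Case-insensitive DNS match; a leading '*' covers exactly one label (RFC 6125 style)."""
    p = pattern.lower().split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return h[0] != "" and p[1:] == h[1:]
    return p == h

def cert_matches_fqdn(cert, fqdn):
    """Match against SAN dNSName entries; fall back to the CN only when no SAN is present."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        names = _name_values(cert.get("subject", ()), "commonName")
    return any(_label_match(n, fqdn) for n in names)

def fetch_peer_cert(host, port=443, timeout=5.0):
    """Fetch the server certificate, validating the chain against the system trust store
    but not the hostname (so a name mismatch is reported by cert_matches_fqdn instead).
    Raises ssl.SSLCertVerificationError for a self-signed or untrusted certificate."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # verify_mode stays CERT_REQUIRED
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def diagnose(cert, fqdn):
    """Findings for a certificate dict in getpeercert() format."""
    return {
        "self_signed": is_self_signed(cert),
        "name_matches": cert_matches_fqdn(cert, fqdn),
        "issuer": ", ".join(_name_values(cert.get("issuer", ()), "commonName")),
    }

# Constructed samples (placeholder names, not real certificates).
SELF_SIGNED_CERT = {
    "subject": ((("commonName", "CS01"),),),
    "issuer": ((("commonName", "CS01"),),),
}
CA_CERT = {
    "subject": ((("commonName", "cs01.corp.example"),),),
    "issuer": ((("commonName", "Corp Issuing CA"),),),
    "subjectAltName": (("DNS", "cs01.corp.example"), ("DNS", "horizon.corp.example")),
}
WILDCARD_CERT = {
    "subject": ((("commonName", "*.corp.example"),),),
    "issuer": ((("commonName", "Corp Issuing CA"),),),
    "subjectAltName": (("DNS", "*.corp.example"),),
}

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 2:  # usage: script.py <connection-server-fqdn>
        try:
            print(diagnose(fetch_peer_cert(sys.argv[1]), sys.argv[1]))
        except ssl.SSLCertVerificationError as exc:
            print("chain validation failed (self-signed or untrusted issuer):", exc)
    else:
        print("self-signed sample:", diagnose(SELF_SIGNED_CERT, "cs01.corp.example"))
        print("CA-signed sample:  ", diagnose(CA_CERT, "cs01.corp.example"))
```

Run it against the name users actually type (the load-balanced name, where one exists), not the server's own hostname: a certificate that carries only the machine FQDN passes on the server but still produces client warnings through the load balancer, which is the case the wildcard or multi-SAN certificate in the steps above is meant to cover.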