Can’t connect to VDI – thanks again f5.

f5 have the marketing reputation as the de facto load balancer for Horizon View. In my own experience of using the virtual appliance with View 6.2.2 (and using it for other services) I have to say I wouldn’t want to touch one or recommend one again.

Aside from the many woes that I’ve experienced and at the expense of everyone’s precious time, I saw a new issue the other day that could help anyone else troubleshooting View/f5 issues.

After a host appliance went down and then everything was resolved, none of the View connections that were being brokered by the f5 would work. Traffic would flow through to Security Servers and UAGs, Connection servers were accessible internally, but any connections that were reliant on the f5 (via the View iApp) were terminating with ‘network error’, then ‘authentication error’. TCP dumps showed traffic, everything was up and there was also the possibility of storage and/or networking issues due to the host failure.

But…

Everything else seemed fine. The qkview/iHealth of the f5 looked fine and everything else worked. After engaging f5 support, they suggested that they’d seen this before and noticed that for a few seconds, the f5 had gone from Active to Standby and back again. He simply suggested restarting the VDI APM daemon.

Voila! Connections working again!

What was most annoying was that nothing said the service hadn’t started or had got stuck; it was only because f5 had seen the issue before that they pointed us towards it.

So, emergency over and I’m sharing the various services/daemons in case you encounter a similar issue.

 

| Daemon | Description | Impact if not running | Relevant log file |
|---|---|---|---|
| acctd | The RADIUS accounting daemon used by BIG-IP APM to send RADIUS accounting start and stop messages to external RADIUS servers. | RADIUS accounting messages are not sent to external RADIUS servers | /var/log/apm |
| aced | The aced process provides RSA SecurID authentication functionality for BIG-IP APM’s access policy engine. | RSA SecurID authentication fails | /var/log/apm |
| apmd | The apmd process executes access policy for a user session; this includes Authentication, Authorization, hosting Accounting, and Audit. It also provides an MPI interface, as well as support for access control protocol. | No access policy enforcement for user session or any MPI-reliant processes, such as rewrite and websso | /var/log/apm |
| antserver | The antserver process allows Secure Web Gateway (SWG) to dynamically filter web content. | No dynamic web content filtering | /var/log/apm |
| dnscached | The dnscached process provides DNS cache functionality to BIG-IP APM subsystems. | BIG-IP APM DNS performance is impaired | /var/log/apm |
| eam | The eam process provides external access management for 3rd party identity integration, such as Oracle Access Manager (OAM) single sign-on (SSO). | OAM SSO authentication fails | /var/log/apm |
| eca | The eca process provides the client-side NT LAN Manager (NTLM) authentication mechanism. | BIG-IP APM is unable to authenticate using NTLM | /var/log/apm |
| mdmsyncmgr | The mdmsyncmgr process fetches the MDM-managed endpoint list from MDM servers and stores it in a local MySQL database. | BIG-IP APM is unable to fetch MDM-managed endpoint list. | /var/log/apm |
| nlad | The nlad process establishes communication channels to the Domain Controller (DC) for NTLM authentication. | No NTLM communication to backend DC | /var/log/apm |
| omapd | The omapd process provides the IF-MAP server implementation for SWG and AFM user identification. | No user identification for SWG | /var/log/omapd |
| rba | The rba process provides support for client-side Kerberos authentication. | No Kerberos authentication | /var/log/apm |
| rewrite | The rewrite process rewrites links in web content for Portal Access. | Portal Access web links are not rewritten | /var/log/rewrite |
| samlidpd | The samlidpd process interacts with the mcpd process to automate SAML IdP connector creation. | SAML IdP connector creation fails | /var/log/saml_automation.log |
| urldb | The urldb process categorizes incoming URLs for SWG. | No SWG URL categorization | /var/log/apm, /var/log/urldb-trace.log |
| urldbmgrd | The urldbmgrd process downloads and indexes the URL categorization database for use by the urldb process. | URL categorization for SWG is impaired | /var/log/apm, /var/log/urldbmgr-trace.log |
| vdi | The vdi process handles communication for XML-based clients and back-end systems such as Citrix and VMware View. | Citrix integration and RDP access fails | /var/log/apm |
| websso | The websso process provides Single Sign-On (SSO) functionality for the BIG-IP APM system. | SSO fails | /var/log/apm |

You can manage the services by using the TMSH utility – get putty’ed in (or similar) and follow this through:

  1. Log in to the tmsh utility by typing the following command:

    tmsh

  2. To stop, start, or restart a BIG-IP APM process, use the following syntax:

    <action> /sys service <process>

    In this command syntax, note the following:

    • <action> is the action to be performed, such as stop, start, or restart
    • <process> is the name of the BIG-IP APM process

    For example, to restart the eam process, type the following command:

    restart /sys service eam
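
Since nothing on the box flagged the stuck vdi daemon, the only clue was the brief Active to Standby to Active flap f5 support spotted. The script below is an added example (not from the original post or from f5) that scans a failover log for such short flaps so you know when to check the APM daemons. It assumes the failover daemon `sod` logs state changes in syslog format with the state name in the message; the sample lines are constructed, and the log path you pass in (commonly /var/log/ltm, also an assumption) depends on your unit.

```shell
#!/bin/bash
# Added example, not from the original post or from f5.
# Assumption: failover state changes are logged by the "sod" daemon in syslog
# format, with the new state ("Standby" / "Active") in the message text.

# find_flaps FILE [MAX_SECONDS]
# Prints "<standby time> <active time> <seconds>" for every Standby -> Active
# pair on the same day that lasted MAX_SECONDS (default 60) or less.
find_flaps() {
    awk -v max="${2:-60}" '
        function secs(t,   p) { split(t, p, ":"); return p[1]*3600 + p[2]*60 + p[3] }
        $0 !~ / sod\[/ { next }              # ignore everything but sod lines
        / Standby/ { day = $1 " " $2; t0 = secs($3); stamp = $3; standby = 1; next }
        / Active/ && standby {
            standby = 0
            d = secs($3) - t0
            if (day == ($1 " " $2) && d >= 0 && d <= max) print stamp, $3, d
        }
    ' "$1"
}

# Constructed, simplified sample lines (real entries also carry message IDs).
sample_log() {
    cat <<'EOF'
Mar  3 10:15:02 bigip1 notice sod[5855]: Standby
Mar  3 10:15:05 bigip1 err apmd[9999]: constructed non-sod line mentioning Active
Mar  3 10:15:09 bigip1 notice sod[5855]: Active
Mar  3 14:00:00 bigip1 notice sod[5855]: Standby
Mar  3 16:30:00 bigip1 notice sod[5855]: Active
EOF
}

log=$(mktemp)
sample_log > "$log"
find_flaps "$log" 60 | while read -r down up secs; do
    echo "flap: standby $down, active $up (${secs}s) - check APM daemons, e.g. restart /sys service vdi"
done
rm -f "$log"
```

Only the 7-second flap is reported; the planned-looking 2.5-hour standby period is ignored at the default threshold.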

Horizon View 7 Network ports/diagram

I always find this document to be really helpful when deploying not only View, but when other components start getting involved:

vRealize Operations for Horizon
VMware Horizon Client
VMware Identity Manager
VMware Unified Access Gateway
VMware App Volumes
VMware User Environment Manager
VMware vCenter Server
VMware ESXi
VMware AirWatch

And you either need a checklist of ports or need to precisely and politely inform the Network team/Firewall admin that you need some ports opening up.

Me: Can you not just open all the ports I just told you from that IP?

FW Bloke: No, I need some documentation to prove those are the ports I need to change for my change request.

Me: But…I sent you it weeks ago?

FW Bloke: I know, but I didn’t make the change so need to raise a new CR.

Me: So… Just add the document I sent across…Please?

FW Bloke: I can’t, I need a new one.

Me:… I hate you.

FW Bloke: I don’t care.

Horizon 7 Network Ports

 

 

vRealize For Operations – Unable to pair the broker agent for Horizon

I actually wrote some documentation on this for my team, when I encountered the issue. Then I lost it. Hence setting up a website to store everything I come across, on!

I hit this issue myself after I upgraded the version of vROps I had installed, and I couldn’t for the life of me understand why the agent simply refused to connect. So after much messing around, I found the following VMware KB:

VMware vRealize Operations Manager for Horizon 6.2 Broker Agent fails to pair with the Horizon adapter (2140844)

Yep, they decided to leave out the necessary ports allowed through the firewall on the appliance. Thanks VMware!

If you aren’t comfortable using vi (which, for the uninitiated, can be a nightmare), you can take a copy of the file (download it/FTP it off etc.), make the changes, then re-upload it.

Don’t forget to restart the firewall service – also when I rebooted the vROps server once, it lost the settings, so rookie mistake or something more…sinister… Not sure, don’t care, just had to do this again! 😉

 

Windows update KB3177467 – Causing crashing and boot loop

Oh those were the days. MS updates smashing their way into your infrastructure, leaving Exchange a gibbering wreck, W7 desktops not booting, WSUS not wanting to remove the updates… So glad those days are…gone… Oh wait, no, still happening!

In a physical environment, an update causing an issue with a desktop is a pain in the backside – you have multiple options and ways to mitigate this. In a VDI environment… Well, you can imagine the carnage (Like Carmageddon without cars? Desktopgeddon? VDIGeddon? Ok, I’ll stop now.)

After trying multiple solutions, I finally stumbled on someone else who had the problem way back in October 2016 and got it sorted out:

Update KB3177467 causing boot loop

Horizon View Client Install – Windows

And now for something completely different.

I mean, now for the Horizon View Windows Install!

Download the Horizon View Client from the following site:

https://my.vmware.com/web/vmware/details?downloadGroup=CART17Q1_WIN_440&productId=578&rPId=15156


Now, you may not want USB redirection (or it may not work) and also it’s environment dependent whether you want to Log in as current user.


Enter your Default connection server


Continuing on from if you chose to log in as current user


Run the app, log in and go forth!

Horizon View Client Install – iOS

Next part of client installs – iOS

Search for and install the client from the App store


Press ‘Add Server’ and type in the server name

 


Tap the Cloud icon for your server and if necessary, choose your appropriate desktop pool and then enter your given username and password. Domain should auto-populate, but add it if required.


You can make changes to various settings, such as the resolution (if required) from the settings menu.


Enter username and password


You’ll either go straight in, or have options if you are entitled to more than one pool. Choose what you’re due and you’re in.


Horizon View Client – Android Install

For most of us, it’s easy installing any kind of client app, or app on our phones. For others, it can be a little bit more challenging. I snipped (Love the snipping tool and PSR, but that’s another story) and borrowed some screenshots to build up a few documents for the client installs for View – as I couldn’t find anything official and I needed them for a project. Without further ado, here’s Android – iOS and Windows follow later.

Search for and install the client from the App store


Add the View Connection Server address you need

 


Enter your given username and password


Choose the appropriate Desktop pool if given the option


Profit!