Preparation of Horizon Scripts

    Important

    The maintenance of the VMware Horizon sync script has been discontinued. If you're using ControlUp version 8.6.5 or later, we recommend using the Universal sync script instead.

    Introduction

    ControlUp can monitor and manage VMware Horizon. ControlUp has created a number of PowerShell scripts that can run either manually or automatically. However, some preliminary steps must be taken before using these scripts. This article guides you through preparing your environment to use our Horizon scripts.

    Using Script Based Actions for VMware Horizon

    To use Script Based Actions (SBAs) for VMware Horizon, certain elements must be in place. Every user of Horizon-based SBAs needs a credentials file created on the system in use. This includes the monitor if it is used for automated actions.

    Creating a Credentials File

    To create a credentials file, you must invoke the SBA Create credentials for Horizon View scripts.

    To create a credentials file:

    1. Right-click the machine on which you want to create the credentials, click Script Actions > More… and select the correct SBA, Create credentials for Horizon View scripts. The Create credentials for Horizon View scripts popup appears.
    2. From the Credentials section, enter or select the user to be granted permission to run the scripts.
    3. Create a new username and password and click OK, and the script is executed.
    Note:

    The username field is in Domain\UserName format.


    After you create a credentials file, we recommend that you test it.

    To test the credentials file:

    1. Open a PowerShell prompt on the same machine used to create the shared credentials, as the same user.
    2. Run the command $env:username. The output should be the correct username.
    3. Run the following command with the same username:
    $creds = Import-Clixml C:\ProgramData\ControlUp\ScriptSupport\[<UserName>]_HorizonView_Cred.xml

    4. Run the following command with the correct domain:
    Connect-HVServer -Server hzn8pod1cs1.[<Domain>].io -Credential $creds

    5. Run the command $creds.username. The output should be Domain\UserName.

    VMware PowerCLI Installation and Configuration

    Installation

    VMware PowerCLI can be installed with the Install and Configure VMware PowerCLI SBA. When this SBA is used, PowerCLI is installed for all users on the system. This SBA installs PowerCLI from the PowerShell Gallery, so it can also be installed manually if needed.

    Installing PowerCLI requires the latest version of the NuGet package provider, which the SBA installs as well.

    Configuration

    There are two main configurations that can be set for VMware PowerCLI:

    • Choosing whether you want to join the VMware Customer Experience Improvement Program (CEIP). More information about this program can be found here.
    • What action should be taken if the certificates for your various VMware components are not trusted. By default, PowerCLI will stop working when the certificates are not signed properly, so it is recommended to set it to ‘warn’ to receive a warning or ‘ignore’ to ignore the fact that these certificates haven’t been signed.

    Both configuration items are also handled by the Install and Configure VMware PowerCLI SBA. To ensure maximum security, by default, the CEIP program is not set. The Invalid Certificate action is set to warn, because many certificates in use in Horizon environments have been signed for the URLs that the users connect to and not for the various URLs of the connection servers themselves.
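
    The two settings above can be inspected and set with PowerCLI's own configuration cmdlets. This is an added example, not the code of the ControlUp SBA; the AllUsers scope is an assumption.

```powershell
# Added illustration; requires the VMware PowerCLI module that the SBA installs.
# Effective settings per scope (Session, User, AllUsers).
$config = Get-PowerCLIConfiguration
$config | Format-Table Scope, InvalidCertificateAction, ParticipateInCEIP -AutoSize

# 'Ignore' suppresses every certificate problem, so an untrusted or wrong
# certificate on a connection server would go unnoticed. Report where it is set.
$config | Where-Object { "$($_.InvalidCertificateAction)" -eq 'Ignore' } | ForEach-Object {
    Write-Warning "InvalidCertificateAction is Ignore at scope $($_.Scope)"
}

# The defaults this article describes: CEIP not joined, certificate problems warn.
# The AllUsers scope is an assumption; use the scope that matches your deployment.
Set-PowerCLIConfiguration -Scope AllUsers -ParticipateInCEIP $false `
    -InvalidCertificateAction Warn -Confirm:$false
```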

    To install and configure the VMware PowerCLI:

    1. Right-click the system where you want to install PowerCLI and select Script Actions > More… > Install and configure VMware PowerCLI. The Install and configure VMware PowerCLI popup appears.
    2. Select True or False for the CEIP configuration and Warn, Fail or Ignore for Invalid Certificate Action, and click OK. A confirmation screen appears to verify that the configuration is updated.
    Note

    This may take a while depending on available resources. You can check how busy the system is by looking at the PowerShell process.


    Credentials

    It is important to note that you can't use automatic pass-through authentication for your Windows credentials. Every time a connection is made with the Horizon Connection Server, you must explicitly pass credentials. To address this, ControlUp provides a solution using PSCredential objects.

    A PSCredential object can be used to store the credentials for the user by creating the object and setting it to work only on the machine that the object was created on. Horizon View scripts look for a PSCredential object for running the scripts in the %PROGRAMDATA%\ControlUp\ScriptSupport folder. The object itself uses the following naming convention: %USERNAME%_HorizonView_Cred.xml

    Important

    The PSCredential object is stored as an encrypted XML file. It can only be decrypted and used by the user that created it, on the system where it was created.
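
    What that binding means in practice is shown below with a throwaway credential. This is an added example, not ControlUp's script; the account name, password and scratch file name are constructed sample values.

```powershell
# Added illustration; account name and password are constructed sample values.
$secure = ConvertTo-SecureString 'Constructed-Sample-Passw0rd!' -AsPlainText -Force
$sample = New-Object System.Management.Automation.PSCredential ('EXAMPLE\HorizonViewAccount', $secure)

# Write to a scratch file, not to the ScriptSupport folder the real scripts read.
$tmp = Join-Path $env:TEMP 'Sample_HorizonView_Cred.xml'
$sample | Export-Clixml -LiteralPath $tmp

try {
    $xml = Get-Content -LiteralPath $tmp -Raw

    # The user name is stored in clear text in the XML.
    'User name readable in file : {0}' -f $xml.Contains('EXAMPLE\HorizonViewAccount')

    # The password is not: on Windows, Export-Clixml writes the SecureString as a
    # DPAPI-protected blob tied to the current user profile on this machine.
    'Password readable in file  : {0}' -f $xml.Contains('Constructed-Sample-Passw0rd!')

    # Importing as the same user on the same machine decrypts it again. Run from
    # another account or another machine, this call fails instead of returning
    # a usable credential.
    $back = Import-Clixml -LiteralPath $tmp
    'Round trip user name       : {0}' -f $back.UserName

    # Anything running as this user can recover the plain-text password, which is
    # why the account stored here should hold only the Horizon permissions it needs.
    'Password recoverable       : {0}' -f ($back.GetNetworkCredential().Password -eq 'Constructed-Sample-Passw0rd!')
}
finally {
    Remove-Item -LiteralPath $tmp -ErrorAction SilentlyContinue
}
```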

    To create this PSCredential object on all the machines running Horizon scripts, ControlUp created the script: Create credentials for Horizon View scripts.

    Using the Create credentials for Horizon View scripts

    Before preparing the machines with the PSCredential object, you must determine what the PSCredential object is to be used for because, as mentioned above, the object has a major dependency: it can only be used by the Windows account in whose context it was created. If you run the scripts yourself (manually, or with automation where the monitor uses your stored credentials), simply open the console and follow the instructions below.

    However, to keep things simple, it is recommended that the monitor uses a dedicated service account. With a service account, you can use an extremely complicated password that can be set to never expire.

    You can also lock down the account so it only has permission to perform very specific tasks. For example, if you use the service account to run automation scripts for Horizon, this account will not need a mailbox, home drive, etc. Once everything you don’t need is removed, except for the appropriate VMware permission, you can create a stored credential for this account in the console to be used for the monitors (https://controlup97.document360.io/v1/docs/credentials-store).

    Note:

    With either approach, the script must run using stored credentials. It is therefore recommended to ensure that the set of credentials you want to use is in the store before running the script. You can use your own credentials or service account credentials.

    To run the Create credentials for Horizon View scripts:

    1. Open the Scripts pane from the Home tab in the console and find Create credentials for Horizon View scripts. Select the script and download it.
    Note

    You can close the Scripts pane while the script is downloading. The download should only take a few minutes.

    2. In the console, select all the machines you wish to be prepared for the Horizon scripts.
    3. Right-click and navigate to Scripts > More > Create credentials for Horizon View scripts, and the Create credentials for Horizon View scripts popup appears.
    4. From the Credentials dropdown, select the stored credentials you wish to use and enter the username and password to be used to run the script. Click OK and the script runs.
    Note:

    In this example, the account used to run the script and the account used to authenticate to Horizon are not the same. Therefore, the script is run by the automation account (in this case the ‘general’ service account MyAutomationAccount) but will authenticate to Horizon using the dedicated HorizonViewAccount.

    You can also give your automation account the required permissions in Horizon and use this account for Horizon authentication.

    Each approach has its pros and cons. Using two separate accounts increases security, because the automation account does not become a very powerful account with permissions on every system, but maintaining two accounts does increase administration. The reverse also holds: using only one account is less secure but requires less administration.

    When running a Horizon script on these machines the script will look for the PSCredential object in the %PROGRAMDATA%\ControlUp\ScriptSupport folder and use it to authenticate to the Horizon Connection Server.

    Note

    If the password of the account stored in the PSCredential object is changed, you must run the ‘Create…’ script again, as the password in the object is no longer valid. This is another reason why it’s recommended to have a service account with a very complicated password that never changes.

    As always, if you have any questions, please do not hesitate to reach out to our support team at support@ControlUp.com

