Preparation of Horizon Scripts

Introduction

ControlUp 8.1 has the ability to monitor and manage VMware Horizon.

We have created a number of Powershell scripts that can run either manually or automatically. However, some preliminary steps must be taken prior to using these scripts. This post will guide you through the environment preparation process to use our Horizon scripts.

In order to use the Horizon scripts you must complete the following:

VMware PowerCLI

To make the initial connection to the Horizon Connection Server, you will need to have PowerCLI installed. If you don’t, you can find it here: https://code.vmware.com/web/tool/11.5.0/vmware-powercli

The Hv.Helper Module

ControlUp’s Horizon scripts use the Hv.Helper Powershell module. This needs to be available on every machine running the ControlUp Console or Monitor and the Horizon scripts. As a shortcut, we offer a script that has the module embedded so you can simply install it on the required targets. You do NOT need to have the module installed on your Horizon View VMs.

To install the Hv.Helper module:

  • Select the machine(s) you would like to install the module on, right click and enter ‘Install Hv.Helper’ in the Search box.
  • Navigate to Script Actions > More > Install Hv.Helper module for Horizon View Scripts and select it.
    (If the script has not been downloaded yet, you will get an interface prompting you to download it right then and there. This may take a while as the entire Hv.Helper module is embedded in the script so it is a bit large.)
  • You will receive a dialog box where you can choose if you would like to overwrite an existing Hv.Helper module if one is already installed. The default is False, so the script will not overwrite.

The module will now be installed on the machine.

If you prefer to download the Hv.Helper module, you can do so from Github: https://github.com/vmware/PowerCLI-Example-Scripts/tree/master/Modules/VMware.Hv.Helper

Credentials

It is important to note that automatic pass-through authentication with your Windows credentials is not possible. Every time a connection is made with the Horizon Connection Server you must explicitly pass credentials. When you’re running scripts manually, this is simply annoying. Worse, automation is impossible unless you ‘hardcode’ a username and password in the scripts, which is of course unwanted. We have come up with a solution using PSCredential objects.

A PSCredential object can be used to store the credentials for the user by creating the object, and will only work on the machine that the object was created on. The Horizon View scripts will look for a PSCredential object for running the scripts in the %PROGRAMDATA%\ControlUp\ScriptSupport folder. The object itself uses the following naming convention: %USERNAME%_HorizonView_Cred.xml

To clarify, the object is stored as an encrypted XML file. It can only be decrypted and used by the user that created it on the system where it was created.

So how do you create this object on all the machines you will use for running Horizon scripts?
We have made a script for this as well; ‘Create credentials for Horizon View scripts’. This script will create the PSCredential object for you and optionally install the Vmware.Hv.Helper module as well.

Here’s how to use it:

Before preparing the machines with the PSCredential Object, you must determine what you’ll use the PSCredential object for, because the object has a major dependency; it can only be used by the Windows account under which context it was created. If you are going to run the scripts yourself, (manually OR with automation, where the monitor is using YOUR stored credentials) you simply open the console and follow the instructions below.

However, to keep things simple, we recommend that the monitor use a dedicated service account. With a service account you can use an extremely complicated password that can be set to never expire. (Some companies allow this, some don’t, we will leave this up to you.) You can also lock down the account so it will only have permission to perform very specific tasks. For example, if you use the service account to run automation scripts for Horizon, this account will not need a mailbox, home drive, etc. Once you remove everything you don’t need, except for the appropriate VMware permission, you can now create a stored credential for this account in the console to be used for the monitors. (https://support.controlup.com/hc/en-us/articles/207203265-Credentials-Store)

With either approach, the script will have to run using stored credentials, so make sure you have the set of credentials you want to use in the store before running the script. You can use your own credentials or service account credentials.

  1. Open the Scripts pane on the Home tab in the console and find Create credentials for Horizon View scripts. Select the script and download it.
    You can close the Scripts pane while the script is downloading. The download should only take a few minutes.
  2. In the console, select all the machines you wish to be prepared for the Horizon scripts.
  3. Right click and navigate to Scripts > More > Create credentials for Horizon View scripts.
  4. From the the Credentials dropdown, first select the stored credentials you wish to use.
    image001.png
  5. Enter the username and password that will be used to run the script and confirm the password.
    image002.png
    Please Note: In this example the account used to run the script and the account used to authenticate to Horizon are not the same. Therefore, the script will be run by the automation account (in this case the ‘general’ service account MyAutomationAccount) but will authenticate to Horizon using the dedicated HorizonViewAccount
    You may also give your automation account the required permissions in Horizon and use this account for Horizon authentication. Either approach has its pros and cons: By using two separate accounts you increase security, that is you are not making the automation account a very powerful account that has permissions on every system, but maintaining two accounts does increase administration. This works the other way, too, using only one account is less secure but requires less administration.
  6. The script runs, and you’re done.

Now when you run a Horizon script on these machines the script will look for the PSCredential object in the %PROGRAMDATA%\ControlUp\ScriptSupport folder and use it to authenticate to the Horizon Connection server.

Remember, if the account password stored in the PSCredential object is changed, you will have to run the ‘Create…’ script again as the password in the object is no longer valid. This is another example why it’s convenient to have a service account with a very complicated password that never changes.

As always, if you have any questions, please do not hesitate to reach out to our support team.  We’ll be glad to guide you through the process.

Powered by Zendesk