Installing and configuring the Horizon Workspace vApp (five virtual appliances) was no walk in the park. Hopefully these notes will help someone down the road, namely me, since I will probably have to do it again in two months.
- Create an IP Pool at the Datacenter level in vSphere and assign it to the dVS port group that will connect the vApp. I didn’t enable the pool; it just needs to be available.
- Horizon only supports one DNS server. This will bite you in the ass if you put multiple DNS servers in the assigned IP Pool. If you list more than one, the configurator-va appliance will tell you to fix it and then shut down. It’s moody.
- Reverse DNS must be in place for all 5 VAs. Have the static IPs for all 5 VAs in DNS and ensure you have a reverse lookup zone in place. If not, the configurator-va will give you the virtual finger and, yep, shut down.
- Choose an external FQDN for external access and assign it an IP in DNS. You’ll be asked for this during setup. The configurator-va will try to resolve it via DNS. If it can’t find it, you’ll get yelled at with a “Bad Gateway!” message and then: Shut. Down.
Errors and Fixes
- In the Configurator Web GUI
I. Error Creating Admin User – This occurs because the gateway was changed to a more familiar FQDN during the original configurator setup. Now the certificates are wrong and the gateway has two hostnames (DNS entries for the gateway-va and the alternate FQDN).
FIX: Access the configurator-va console. Log in as root and run the following commands:
./wizardssl.hzn --makesslcert gateway-va <FQDN>
Line 2 creates a new certificate for the customized FQDN
Line 3 generates the new certificate and adds it to the store
II. Binding to Active Directory
Error Message: Unable to bind to the directory: The specified Bind DN and password could not be used to successfully authenticate against the directory. This can be caused by a plethora of things, none of them good.
FIX: Run through the following checklist:
1. Verify port 3268 is open on the AD server. If the AD server is also a Global Catalog, then the default port listed in the setup (389) won’t work. If you’re validating against an AD/GC server, change the port to 3268, or 3269 if you’re using SSL.
2. Use the IP of the AD server, not the FQDN. I used the same server as the solo one I listed in the IP Pool assignment.
3. Choose sAMAccountName as the search attribute.
4. Keep the Base DN at root level (DC=domain, DC=com).
5. Use the Advanced Settings in AD or ADSI edit to get the exact distinguishedName attribute of the account you’re going to use to validate against AD. Copy the distinguishedName and paste it into the Bind DN field.
***If you’re going to use a service account for this, make sure it has an email address in the E-Mail field of its properties. Horizon requires this account to have a first name, last name and email address.***
6. Make sure the AD user password has no special characters. Special characters in the password interfere with the Tomcat configuration and may cause the problem.
Note: Underneath the Bind DN field there is some fine print explaining that the user designated here becomes the Administrator of your Horizon deployment. If this is an account with rotating passwords, it may cause a problem. The one that I used has a rotating password, so if the Horizon lab blows up, I’ll have a good idea why.
***Update: The password does not get changed automatically. Fix a bad password here.***
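Most of the shutdowns and bind failures above come from inputs that can be checked before the vApp is powered on. The following pre-flight checker is an added example written for this post, not part of Horizon Workspace; it encodes the rules from the IP Pool notes and the AD bind checklist (one DNS server, matching forward/reverse DNS for each appliance, GC ports, root-level Base DN, alphanumeric bind password). Appliance names, domain, and addresses in the sample data are constructed.

```python
import re
import socket

# Constructed sample: the appliances this post names, in a made-up lab domain.
APPLIANCES = ["configurator-va.lab.local", "gateway-va.lab.local", "connector-va.lab.local"]

def check_dns_servers(pool_dns):
    """Horizon accepts exactly one DNS server in the vSphere IP Pool."""
    return len(pool_dns) == 1

def check_forward_reverse(hostnames, forward, reverse):
    """Return appliances whose A record or PTR is missing or does not round-trip.
    forward maps name -> IP, reverse maps IP -> name (dicts, so this runs offline)."""
    bad = []
    for host in hostnames:
        ip = forward.get(host)
        name = reverse.get(ip) if ip else None
        if name is None or name.lower().rstrip(".") != host.lower():
            bad.append(host)
    return bad

def live_dns_tables(hostnames):
    """Build the forward/reverse dicts from real DNS (network call, not used in tests)."""
    forward, reverse = {}, {}
    for host in hostnames:
        try:
            ip = socket.gethostbyname(host)
            forward[host] = ip
            reverse[ip] = socket.gethostbyaddr(ip)[0]
        except OSError:
            pass  # missing records surface as failures in check_forward_reverse
    return forward, reverse

def ldap_port_for(is_global_catalog, use_ssl):
    """Per the checklist: a GC needs 3268/3269; the setup default is 389 (636 for LDAPS)."""
    if is_global_catalog:
        return 3269 if use_ssl else 3268
    return 636 if use_ssl else 389

def check_base_dn(base_dn):
    """Base DN stays at the domain root: every RDN must be a DC= component."""
    parts = [p.strip() for p in base_dn.split(",") if p.strip()]
    return bool(parts) and all(p.upper().startswith("DC=") for p in parts)

def check_bind_password(password):
    """Special characters reportedly break the Tomcat config; require letters and digits only."""
    return re.fullmatch(r"[A-Za-z0-9]+", password) is not None

def port_open(host, port, timeout=3.0):
    """TCP reachability test for the chosen LDAP port (real network call)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False
```

Feed `check_forward_reverse` the tables from `live_dns_tables(APPLIANCES)` to test a real zone; an empty result means every appliance resolves both ways.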
III. Error trying to enable the View Module – This one could have been avoided in the initial setup, but I don’t RTFM. If this is covered in the manual, then I’m sorry VMware Empire. If not, then this is really lame, and it pissed me off.
Error Message: Error while saving view pool sync configuration.
FIX: To enable View pools, verify that the userPrincipalName is a required attribute and perform a directory synchronization.
1. Log into the connector-va web GUI. https://connector-va.yourdomain.yoursuffix:8443/hc/admin/
2. Navigate to User Attributes.
3. Check the REQUIRED box next to userPrincipalName.