All TKB Articles in Digital Workspace

I've created a DEM personalisation for the Zoom VDI client (optimized Zoom client to run inside Horizon)   It basically stores it's information in the %appdata%\ZoomVDI folder. However, it also saves a folder with emojis inside that folder. Size it not that big (about 9MB), but it contains over 2.500 files which does has a performance impact when (un)zipping the profile archive so I excluded that folder and it's related json files. The emojis folder gets recreated automatically in the background when starting the Zoom client.   It also contains the registry run key for Zoom to allow it to start automatically with Windows. Of course, you'll have to set "processing at logon/logoff for this to work" instead of using directFlex.    

By Mark Benson, Senior Architect and Senior Staff Engineer, End-User-Computing CTO Office, VMware Introduction For more information on Unified Access Gateway (UAG) deployment and configuration covering UAG 3.9, also see the tutorial in this VMware Knowledge Base article. In September 2015, I posted the article https://blogs.vmware.com/euc/2015/09/what-is-vmware-unified-access-gateway-secure-remote-access.html. Unified Access Gateway (UAG) is a VMware virtual appliance which is used with several VMware End-User Computing products for VMware Horizon, VMware Identity Manager and VMware AirWatch. In that article I mentioned the ability to perform a scripted deployment of a UAG virtual appliance to perform a repeatable deployment where all settings can be applied in a way that allows UAG to be production ready on first boot.   It is possible to deploy UAG in a vSphere environment using the VMware OVF Tool command. Whilst it is great to be able to specify all configuration settings in one go at deployment time, the downside of this is that the OVF Tool command line can become very long and complex. It is also easy to introduce errors on the command line as the command syntax for OVF Tool used in this way can be difficult to get right. Also, it is not possible to validate the settings with OVF Tool and it is therefore very easy to make configuration errors such as setting an admin REST API password that doesn't meet the required complexity rules.   Many Windows administrators managing a VMware End-User Computing product environment need an automated way to deploy UAG in a secure, reliable and repeatable way and to have complete control over the settings. For these reasons, we have developed a PowerShell script that can be used to deploy UAG and which overcomes the main difficulties of using OVF Tool directly on the command line. As this PowerShell script is delivered as a sample script, you can also adapt it as required for your specific needs although in most cases you won't need to modify it at all. The script calls the OVF Tool command but validates the settings and automatically constructs the correct command line syntax. The settings are taken from a simple .INI file. This script runs OVF Tool in a fully supported way for UAG deployment. Note that no password values or private key values are stored within the .INI configuration files.   The PowerShell script sets all configuration settings for OVF Tool at deployment time. This includes setting up the CA issued SSL Server certificate and all other possible settings. After UAG has been deployed by this script, there is no need to make configuration changes after deployment. UAG will be ready for production use on first boot. Using PowerShell and mastering configuration settings in a simple .ini file also simplifies the task or repeat deployments such as when upgrading UAG from one version to the next. You modify the .ova file reference in the .ini and re-run the PowerShell command. This automatically deletes the existing UAG appliance and replaces it with the upgraded image and automatically re-applies all of the initial settings from the .ini file.   What are the requirements for deploying UAG appliances using this script? For UAG itself, a vSphere ESXi host and a vCenter Server is needed. Decide on the vSphere datastore to be used and the Network name to be used. If you are deploying a pre 3.3 version of UAG then a vSphere Network Protocol Profile (or IP Pool) must be associated with every referenced network name. This Network Protocol Profile specifies network settings such as IPv4 subnet mask, gateway etc. The deployment of pre 3.3 UAG appliances uses these values so make sure the values are correct. Note: In order to improve vSphere deployment flexibility, UAG 3.3 no longer uses NPPs or IP Pools. This means UAG can be deployed in environments where these are not set up. Instead, settings of IPv4 netmask, IPv6 prefix and defaultGateway (as required) must be specified in the .ini file instead. Refer to the network settings section below for details of the configuration of each UAG NIC for IPv4 and IPv6 combinations supported. The PowerShell script runs on a machine running Windows 8.1 (or newer) or Windows Server 2008 R2 (or newer). This can be the vCenter Server itself if it is running on Windows, or can be a separate Windows machine. The Windows machine running the script must also have the VMware OVF Tool command installed. Install OVF Tool 4.2.0 or newer. You can download it from here OVF Tool Software and Documentation. Note that if you are running OVFTool version 4.4.0 and possibly newer versions, you must omit the :PASSWORD part in the target= value in the PowerShell .ini file otherwise the vCenter password entered while running uagdeploy.ps1 will not be accepted. e.g. instead use the form target=vi://administrator@vsphere.local@192.168.0.21/DC1/host/esx1.example.int. :PASSWORD in the target line works with OVFTool version 4.2.0.   How do I run the script? Download a version of UAG virtual appliance image from VMware onto your Windows machine. This is an OVA file. e.g. euc-unified-access-gateway-3.3.0.0-8539135_OVF10.ova. Refer to VMware Product Interoperability Matrixes to determine the latest version to download. Download the correct uagdeploy or apdeploy ZIP file attached below and extract the files into a folder on your Windows machine. Note that recent uagdeploy zip files are downloaded from VMware from the same location as the UAG images are downloaded. They are no longer attached to this page. On your Windows machine, open a PowerShell console and change directory to the location of your script. Create a .INI configuration file for your UAG virtual appliance. In this example, I am going deploy a new UAG appliance called UAG1. I have created a .INI file called uag1.ini which contains all the configuration settings for UAG1. You can use the sample .INI files contained within the uagdeploy ZIP file to create your .INI file and then modify the settings to the values you want. Make sure script execution is unrestricted for the current user. You can do this by running the command: set-executionpolicy -scope currentuser unrestricted You only need to run this once and only if it is currently restricted. If you get a warning about running this script, you can unblock that warning by running the command: unblock-file -path .\uagdeploy.ps1 or unblock-file -path .\apdeploy.ps1 Run the command .\uagdeploy.ps1 -iniFile uag1.ini as shown in the screenshot below. If you don't specify the -iniFile option, the script will default to uag.ini (or ap.ini with older Access Point versions). You will be prompted to set a root password for the appliance and an optional password for the admin REST API. You will also be prompted for the vCenter password. Deployment takes around a minute depending on your host and storage performance. If you are prompted to add the fingerprint for the target machine, enter yes.     When the script completes, the UAG appliance is ready to use. No further configuration steps are required.   .INI File Contents   The uagdeploy ZIP file attached at the bottom of this post contains four example .INI files. uag1-basic.ini is a minimal .INI file which just contains the minimum settings needed. uag2-advanced.ini is a more complex configuration file showing additional settings available. uag3-securid.ini is an example of a configuration including RSA SecurID authentication. uag4-radius.ini is an example of a configuration including RADIUS authentication. You should start with just a basic .INI file to ensure that this deployment method works in your environment. You can then add more advanced settings in your .INI file and repeat the deployment. If you have already deployed the named UAG appliance, then running the script again will power off the appliance, delete it, and will redeploy it with the current .INI settings. This is a useful capability to use when either upgrading the appliance to a newer version, or just to change any of the settings.   Basic .INI File Example   ############################################## [General] name=UAG1 source=C:\APs\euc-unified-access-gateway-3.1.0.0-6645767_OVF10.ova target=vi://administrator@vsphere.local@192.168.0.21/Datacenter1/host/esx1.myco.int ds=Local Disk 1 netInternet=VM Network netManagementNetwork=VM Network netBackendNetwork=VM Network honorCipherOrder=true   [Horizon] proxyDestinationUrl=https://192.168.0.209 ##############################################   The following table describes each configuration setting. These must be arranged in the .INI file under the appropriate Group Name shown in the first column and as shown in the sample .INI files.   Configuring UAG as a Web Reverse Proxy for VMware Identified Manager UAG (or Access Point) 2.6 and newer can be used as a Web Reverse Proxy in front of VMware Identity Manager version 2.6 (and newer). Make sure you use a 2.6 (or newer) version of UAG or Access Point e.g.   source=euc-unified-access-gateway-3.1.0.0-6645767_OVF10.ova For exact up to date information on UAG and Access Point compatibility, refer to the VMware Product Interoperability Matrixes.   For this setup, remove the entire [Horizon] section from the .ini file and replace it with a new [WebReverseProxy] section. Use the values shown in the sample uag10-vidm.ini file in uagdeploy ZIP file below. Set the proxyDestinationUrl to the URL of the Identity Manager server. If that service does not use a trusted CA signed SSL server certificate then you will also need to add the proxyDestinationUrlThumbprints value. Leave all other values in [WebReverseProxy] exactly as shown in the sample uag10-vidm.ini.   The setup requires "split DNS" to be setup where the URL hostname for an external user resolved to the address of UAG, and the same URL hostname for an internal user resolves to the address of the Identity Manager server.     Configuration Settings   Group Name Value UAG or AP Version Required (if applicable) Example Description [CertificateAuth] pemCerts   pemCerts=C:\Users\Administrator\SSL\north-ca-256.cer Used for certificate authentication to specify the public CA cert file (in PEM base64 format) that was used to issue the required client certificates. See notes below on Client Device certificate authentication.   crlLocation   crlLocation=http://crl.myca.com CRL Location   enableCertCRL   enableCertCRL=true Use CRL from Certificates   enableCertRevocation   enableCertRevocation=true Enable Cert revocation   enableOCSP 3.9+ enableOCSP=true Enable OCSP   ocspURL 3.9+ ocspURL=https://ocsp.example.com OCSP server [General] adminDisclaimerText 3.10+ adminDisclaimerText=x y z Specifies a text message to be shown to an admin when logging on to the UAG Admin UI.   adminPasswordExpirationDays 3.2+ adminPasswordExpirationDays=100 Number of days after which the admin user password will expire.   cipherSuites 3.3 cipherSuites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 List of cipher setting for HTTPS/TLS. The list is comma separated and all on one line.   defaultGateway 3.0+ defaultGateway=192.168.0.1 Specifies the default gateway address for the UAG appliance. Used in cases where the Network Protocol Profiles in vSphere do not contain a default gateway. Also used to avoid ambiguity in cases where multiple Network Protocol Profiles are used each specifying a different gateway. An appliance can only have one default gateway and so this value can be used to explicitly specify it.   In addition to the defaultGateway, routes for other gateways can be added using the routes0, routes1 and routes2 setting for each NIC.   deploymentOption   deploymentOption=onenic UAG can be created with either one, two or three network interface cards (NICs). Either specify onenic, twonic or threenic. The default is onenic. This is for the standard 2 vCPU 4GB RAM deployment.   It is also possible to specify onenic-large, twonic-large, threenic-large, onenic-XL, twonic-XL, threenic-XL. The large options deploy UAG as 4 vCPU 8GB RAM and the extra-large (XL) options deploy UAG as 8 vCPU and 32 GB RAM.   diskMode 2.8+ diskMode=thin OVF Tool vSphere Disk Mode. Sets the disk provision mode. Refer to the OVF Tool documentation for further options. Default is thick.   dns   dns=192.168.0.1 dns=192.168.0.1 192.168.0.2 Optional DNS server address. Default is none. Multiple addresses must be space separated.   dnsSearch 3.6+ dnsSearch=localdomain.com dnsSearch=domain1.com domain2.com domain3.com Optional list of DNS search domains added to resolv.conf.   ds   ds=Local Disk 1 Datastore name which the appliance will be deployed to.   fallbackNtpServers 3.6+ fallbackNtpServers=ntp3.myco.in ntp4.myco.int Optional list of fallback NTP servers.   folder   folder=My VM Folder/My Sub Folder Deploys the appliance in the named VMs and Templates folder. Folders in vCenter are shown under VMs and Templates. The folder specified must exist before deployment.   forwardrules 2.8+ forwardrules=tcp/5262/10.20.30.40:5262, tcp/88/10.20.30.40:88, udp/88/10.20.30.40:88 A comma separated set of TCP or UDP forwarding rules. It is used as a generic protocol forwarding mechanism.   Each item in the list is of the following format.   tcp|udp/listen-port-number/destination-ip-address:destination-port-number   The first part is tcp or udp   listen-port number is the destination port number of a TCP connection or UDP datagram received by UAG. The number must not be one of the port numbers already in use on UAG.   The TCP or UDP protocol will be forwarded by UAG iptables to the destination-ip-address and destination-port number.   honorCipherOrder 2.7.2+ honorCipherOrder=true Default value is false. When set to true, the cipher list order for the SSL/TLS 443 listener is determined by the server. This allows forward secrecy ciphers to be presented first in the cipher list to improve security. With UAG 2.7.2 and newer it is recommended that this is set to true.   ip0   ip0=192.168.0.10 IPv4 address for NIC0 (onenic, twonic or threenic)   ip1   ip1=192.168.0.11 IPv4 address for NIC1 (twonic or threenic)   ip2   ip2=192.168.0.12 IPv4 address for NIC2 (threenic)   licenseEdition 3.4 only licenseEdition=Standard licenseEdition=Advanced licenseEdition=Enterprise Specifies the licenseEdition. Advanced and Enterprise will enable additional features. Refer to the documentation for details. Not used in versions prior to 3.4 and not used in 3.5 onward. With UAG 3.5 all features are available.   name   name=UAG1 Name of the virtual appliance as shown in vCenter. It must be between 1 and 32 characters long. If name is omitted, the PowerShell script will prompt for it.   netInternet   netInternet=VM Network The name of the vSphere Network for the UAG primary network   netManagementNetwork   netManagementNetwork=VM Network The name of the vSphere Network for the UAG management interface network.   netmask0 Mandatory in 3.3+ netmask0=255.255.255.0 IPv4 netmask for NIC0 (onenic, twonic or threenic)   netmask1 Mandatory in 3.3+ netmask1=255.255.255.0 IPv4 netmask for NIC1 (twonic or threenic)   netmask2 Mandatory in 3.3+ netmask2=255.255.255.0 IPv4 netmask for NIC2 (threenic)   netBackendNetwork   netBackendNetwork=VM Network The name of the vSphere Network for the UAG backend network.   ntpServers 3.6+ ntpServers=ntp1.myco.in ntp2.myco.int Optional. Sets a list of non default NTP servers for UAG time synchronization. Normally this doesn't need to be set as UAG uses default Internet time servers.   routes0 2.7.2+ routes0=192.168.1.0/24 192.168.0.1, 192.168.2.0/24 192.168.0.2 List of static routes for NIC0. Comma separated list of static routes in the form of: network in CIDR format followed by a space followed by the gateway IP address. A network with addresses 192.168.1.0 to 192.168.1.255 and a subnet mask of 255.255.255.0 is represented in CIDR format as 192.168.1.0/24.   routes1 2.7.2+   List of static routes for NIC1.   routes2 2.7.2+   List of static routes for NIC2.   sessionTimeout 2.7.2+ sessionTimeout=39600000 Maximum session time in milliseconds allowed for a logged on user. Default is 36000000 (10 hours). User is automatically logged off after this timeout and is required to log in again.   snmpEnabled 3.6+ snmpEnabled=true Enables SNMP GET and GETNEXT support on UDP port 161. This is to provide basic information and monitoring data such as sysDescr, sysName, sysUptimeInstance and CPU and memory information using the SNMP protocol.   e.g. run the following command on the UAG console (on a single line) to list the information.   snmpwalk -v 2c -c public 127.0.0.1 1.3.6   source   source=C:\Temp\euc-access-point-2.9.0.0-5178136_OVF10.ova Full path filename of the UAG .ova virtual machine image. The file can be downloaded from VMware.   sshEnabled 3.5+ sshEnabled=true Default is false. Enables console ssh access on TCP port 22. This is not recommended for production deployments. On vSphere deployments it is better to use vCenter console access instead of ssh.   sshKeyAccessEnabled 3.9+ sshKeyAccessEnabled=true Enables ssh key access login.   sshPasswordAccessEnabled 3.9+ sshPasswordAccessEnabled=false Allows password access for ssh to be disabled when sshEnabled=true. This is for cases where ssh key access only is required.   sshPublicKey1 ... sshPublicKey99 3.9+ sshPublicKey1=c:\temp\myssh_public.key ssh public keys to be configured on UAG when sshEnabled=true and sshKeyAccessEnabled=true   ssl30Enabled 3.3 ssl30Enabled=false Enables SSL 3.0. Not recommended. Default is false.   syslogUrl   syslogUrl=syslog://server.example.com:514 Optional syslog server URL. This allows syslog events to be forward to a syslog management server.   target   target=vi://administrator@vsphere.local@ 192.168.0.21/DC1/host/esx1.myco.int   target=vi://administrator@vsphere.local@ 192.168.0.21/DC1/host/my folder/esx1.myco.int   target=vi://administrator@vsphere.local@ 192.168.0.21/DC1/host/Cluster1/   target=vi://administrator@vsphere.local@ 192.168.0.21/DC1/host/my folder/Cluster1/   target=vi://administrator@vsphere.local@ 192.168.0.21/DC1/host/esx1.myco.int/Resources/my_resou rcepool Specifies the vCenter Server information and target ESX host. Refer to the OVF Tool documentation for details of the syntax of target.   Note that target must reference a vCenter host or cluste. Deploying direct to a vSphere host is not supported. In this example, 192.168.0.21 is the IP address of the vCenter host and administrator@vsphere.local is the vCenter administrator username.   Note that folder names, host names and cluster names used in the target value are case sensitive.   If you are unsure of the value to use for target, you can omit folder names etc. and OVF Tool will then provide a list of possible values for the next level. This allows you to accurately build up the full target specification one level at a time.   tls10Enabled 3.3 tls10Enabled=false Enables TLS 1.0. Set to true or false. Default is   tls11Enabled 3.3 tls11Enabled=false Enables TLS 1.1. Set to true or false.   tls12Enabled 3.3 tls12Enabled=true Enables TLS 1.2. Set to true or false.   tls13Enabled 3.10+ tls13Enabled=true Enables TLS 1.3. Set to true or false.   tlsPortSharingEnabled 3.1 tlsPortSharingEnabled=true Enables the TLS port sharing feature for AirWatch services.   uagName 3.6+ uagName=uag1 Optional. Sets hostname of appliance. Normally UAG appliance will perform a DNS reverse lookup on the eth0 IP address to determine the name, or if that is not available, will set it to a default hostname. uagName allows it to be explicitly set at deployments time.   v6ip0 3.3+ v6ip0=fe80::250:56ff:feb1:d01a IPv6 address for NIC0 (onenic, twonic or threenic)   Refer to "Network Setting for each NIC" section below.   v6ip1 3.3+ v6ip1=fe80::250:56ff:feb1:d01a IPv6 address for NIC1 (twonic or threenic)   Refer to "Network Setting for each NIC" section below.   v6ip2 3.3+ v6ip2=fe80::250:56ff:feb1:d01a IPv6 address for NIC2 (threenic)   Refer to "Network Setting for each NIC" section below.   v6Prefix0 3.3+ v6ipPrefix0=64 IPv6 prefix for NIC0 (onenic, twonic or threenic)   Refer to "Network Setting for each NIC" section below.   v6Prefix1 3.3+ v6ipPrefix1=64 IPv6 prefix for NIC1 (twonic or threenic)   Refer to "Network Setting for each NIC" section below.   v6Prefix2 3.3+ v6ipPrefix2=64 IPv6 prefix for NIC2 (threenic)   Refer to "Network Setting for each NIC" section below. [HighAvailability] virtualIPAddress 3.4+ virtualIPAddress=192.168.0.10 "Floating" virtual IP address for a group of UAG appliances. Used for the High Availability feature. A group of UAG appliances with used with high availability must have NIC 1 (eth0) on the same subnet, and they must all be configured with the same groupID value.   groupID 3.4+ groupID=1 Used to group a set of UAG appliances that are on the same subnet. e.g. if UAG1, UAG2 and UAG3 are on the same subnet and all have a groupID value of 1, then high availability feature will work across all 3. A second group could use groupID=2 and a different floating IP address. [Horizon] authMethods 2.5+ authMethods=securid-auth authMethods=radius-auth   authMethods=radius-auth authMethods=certificate-auth   authMethods=saml-auth && sp-auth authMethods=saml-auth Default when not specified is for pass-through authentication.   e.g. for RSA SecurID authentication specify: authMethods=securid-auth   saml-auth is supported from UAG 3.8+.   blastExternalUrl   blastExternalUrl=https://uag1.horizon.myco.com:443 URL used by Horizon native clients and HTML Access clients to connect Blast to this UAG appliance.   hostEntry1 ... hostEntry99 2.8+ hostEntry1=192.168.0.125 radius-server1.myorg.int hostEntry2=192.168.0.126 rsa-am1.myorg.int hostEntry3=192.168.0.127 s1 s1-alias A list of 1 or more /etc/hosts file entries to be added to UAG. This is useful if there is a requirement for host name resolution on UAG and DNS is not accessible from UAG. The hosEntry list must start at 1 and the list must be incremental and consecutive.   idpEntityID 3.8+ idpEntityID=http://www.example.com Used when authMethods contains saml-auth. This is the entityID of the 3rd party SAML IdP.   matchWindowsUserName 2.5+ matchWindowsUserName=true Forces subsequent username to be the same username as specified for RADIUS or RSA SecurID authentication.   pcoipDisableLegacyCertificate 3.5+ pcoipDisableLegacyCertificate=true A self signed legacy certificate is normally available on TCP port 4172 to allow legacy PCoIP clients to connect. Newer clients use the trusted CA signed certificate when installed on UAG for TCP port 443. Setting this to true disables the presentation of the legacy self-signed certificate. If legacy PCoIP clients do not need to connect then this should be set to true. Scanners that find a self-signed certificate on TCP port 4172 may report a security vulnerability if this is not set to true.   pcoipExternalUrl   pcoipExternalUrl=10.20.30.40:4172 URL used by Horizon Clients to connect using PCoIP to this UAG appliance. This must include a valid IPv4 address.   proxyDestinationUrl   proxyDestinationUrl=https://cs1.view.myorg.int URL representing the Horizon backend server such as an individual View Connection Server or a load balnced alias URL representing a group of View Connection Servers.   proxyDestinationUrl Thumbprints   proxyDestinationUrlThumbprints=sha1:3e ef ed c6 86 75 a6 15 ff c8 96 27 5a 4c ee 8e 16 fd 6e d3 An optional comma separated list of certificate thumbprints of the certificates on each backend View Connection Server. If the Horizon View environment is using trusted CA signed certificates, this setting can be ignored. For self signed or otherwise untrusted certificates enter the thumbprint values preceded by sha1:.   proxyPattern     Normally not required for Horizon as the default value is usually what is required. Allows an alternative URL pattern to be specified to control the URLs that can be passed to the proxy destination.   radiusClassAttributeList 3.6+ radiusClassAttributeList=group1 radiusClassAttributeList=group1,group2 Optional list of RADIUS classes used for authorization within Horizon RADIUS 2FA. If a list is specified, then access will be denied unless the RADIUS server returns a Class Attribute in the Access-Accept with a value that is specified in this list.   securityHeaders   securityHeaders={"Cache-Control":"no-cache,no-store,must-revalidate,pre-check=0,post-check=0,max-age=0,s-maxage=0","Pragma":"no-cache"} Adds optional HTTP response headers in cases where they are not present in responses from the proxyDestinationUrl server.   trustedCert1 ... trustedCert99   trustedCert1=c:\temp\CA-Cert-A.pem trustedCert2=c:\temp\CA-Cert-B.pem Certificates in PEM format to be added to the certificate trust store for trusting certificates issued by the CAs presented on outgoing SSL/TLS connections. e.g. to Connection Server.   tunnelExternalUrl   tunnelExternalUrl=https://uag1.horizon.myco.com:443 URL used by Horizon Clients to connect the secure tunnel to this UAG appliance.   windowsSSOEnabled 2.7.2+ windowsSSOEnabled=true Used in conjunction with Horizon RADIUS authentication in cases when the RADIUS passcode is the same as the Windows domain user password. This then skips the subsequent domain password prompt to allow single sign-on. [IDPExternalMetadata1] ...[IDPExternalMetadata99] metadataXmlFile 3.8+ metadataXmlFile=c:\temp\myIDP.xml SAML 2.0 Identity Provider (IdP) Metadata file obtained from the 3rd party IdP.   forceAuthN 3.8+ forceAuthN=true Used with 3rd party SAML IdP to add forceAuthN to the SAML request to the IdP. This forces authentication to occur by the IdP even if the previous authentication session is still valid. Default is false. [OCSPSigningCertificates] ocspSigningCert1 ... ocspSigningCert99 3.9+ ocspSigningCert=c:\temp\mysigningcert.pem Issuer certificate for OCSP URL trust. [RADIUSAuth] accountingPort 2.5+ accountingPort=1813 Optional destination UDP port used for sending RADIUS accounting records to the primary RADIUS server.   accountingPort_2 2.5+   For optional secondary server.   authPort 2.5+ authPort=1812 Destination UDP port used for sending RADIUS authentication requests to the primary and secondary RADIUS server.   authPort_2 2.5+   For optional secondary server.   authType 2.5+ authType=PAP Specify one of PAP, CHAP, MSCHAPv1, or MSCHAPv2. This must match the configuration of the RADIUS server.   authType_2 2.5+   For optional secondary server.   hostName 2.5+ hostName=192.168.0.100 Hostname or IP address of the primary RADIUS server.   hostname_2 2.5+   For optional secondary server.   numAttempts 2.5+ numAttempts=5 The number of times a RADIUS request will be sent if there was no reply. Default is 3 times.   numAttempts_2 2.5+   For optional secondary server.   radiusDisplayHint 2.5+ radiusDisplayHint=XXX Token radiusDisplayHint is a short string that will be included in the client prompt. In this example, the user prompt will be "Enter your XXX Token username and passcode".   realmPrefix 2.5+ realmPrefix=NorthDomain\ Optional text inserted ahead of the username before it is passed to the RADIUS server.   realmPrefix_2 2.5+   For optional secondary server.   realmSuffix 2.5+ realmSuffix=@north.com Optional text inserted after the username before it is passed to the RADIUS server.   realmSuffix_2 2.5+   For optional secondary server.   serverTimeout 2.5+ serverTimeout=10 Timeout in seconds after which a RADIUS request will be resent if there was no reply. Default is 5 seconds.   serverTimeout_2 2.5+   For optional secondary server. [SSLCert] pemCerts   pemCerts=C:\Users\admin\My Certs\mycaservercert.pem Optional SSL Server certificate filename for the user port (TCP 443). This should reference a .PEM format file containing the SSL Server certificate to be deployed onto UAG. The  PEM file should contain the SSL Server certifacte and any intermediate and root certificates. If this is omitted, UAG will generate a self-signed SSL server certificate instead.   pemPrivKey   pemPrivKey=C:\Users\admin\My Certs\mycacertrsakey.pem Filename of the .PEM file containg the RSA private key for the SSL server certificate referenced in pemCerts above. If pemCerts is specified, then pemPrivKey must also be specified.   pfxCertAlias 3.0+ pfxCertAlias=myalias1 Optional alias specification used in cases where pfxCerts file contains multiple certificates with private key. It allows specification of which one to use. If there is only one certificate with private key, this setting is not required.   pfxCerts 3.0+ pfxCerts=C:\Users\admin\My Certs\mycacerts.pfx If pfxCerts is specified, pemCerts and pemPrivKey are not needed and will be ignored. Specifies a PKCS#12 certificate file normally with .p12 or .pfx extension. The file should contain the SSL server certificate and private key plus any required intermediate certificates. During deployment, the script will prompt for the file password. If the file contains multiple certificates with private key, then pfxCertAlias must be used to specify the alias or friendly name of the certificate required. [SSLCertAdmin]   3.2+   All the same values as in the [SSLCert] section but specifies the certificate for the Admin UI port (TCP 9443). [SecurIDAuth] externalHostName 2.5+ externalHostName=192.168.0.10 Set this to the IPv4 address of UAG   internalHostName 2.5+ internalHostName=192.168.0.10 Set this to the IPv4 address of UAG   serverConfigFile 2.5+ serverConfigFile=C:\temp\sdconf.rec Specifies the sdconf.rec file obtained from RSA Authentication Manager Server. [WebReverseProxy] authCookie 2.6+ authCookie=HZN Cookie value to track authorized requests.   hostEntry1 ... hostEntry99 2.8+   Refer to the hostEntry description in the Horizon section.   instanceId 2.8+ instanceId=vIDM An optional instanceId to name individual WebReverseProxy instances when multiple instances are used. It is not necessary to specify this as this is assigned automatically.   loginRedirectURL 2.6+ loginRedirectURL=/SAAS/auth/login?dest=%s URL to redirect request for user login.   proxyDestinationUrl 2.6+ proxyDestinationUrl=https://vidmserver.example.com URL representing the backend Web server.   proxyDestinationUrl Thumbprints 2.6+ proxyDestinationUrlThumbprints=sha1:3e ef ed c6 86 75 a6 15 ff c8 96 27 5a 4c ee 8e 16 fd 6e d3 An optional comma separated list of certificate thumbprints of the certificates on each backend Web Server. If the Web servers are using trusted CA signed certificates, this setting can be ignored. For self signed or otherwise untrusted certificates enter the thumbprint values preceded by sha1:   proxyHostPattern 3.0+ proxyHostPattern=airwatch.myco.com Match on URL FQDN. Used in cases where multiple Web Reverse Proxy instances are used.   proxyPattern 2.6+ Refer to sample uag10-vidm.ini in the uagdeploy ZIP file below. Specifies the regular expression that matches URIs that should be forwarded to the proxyDestinationUrl.   securityHeaders   securityHeaders={"Cache-Control":"no-cache,no-store,must-revalidate,pre-check=0,post-check=0,max-age=0,s-maxage=0","Pragma":"no-cache"} Adds optional HTTP response headers in cases where they are not present in responses from the proxyDestinationUrl server.   trustedCert1 ... trustedCert99   trustedCert1=c:\temp\CA-Cert-A.pem trustedCert2=c:\temp\CA-Cert-B.pem Certificates in PEM format to be added to the certificate trust store for trusting certificates issued by the CAs presented on outgoing SSL/TLS connections.   unSecurePattern 2.6+ Refer to sample uag10-vidm.ini in the uagdeploy ZIP file below. Specifies the regular expression that matches URIs that should be forwarded to the proxyDestinationUrl that don't require an authenticated session. [WebReverseProxy1] ...[WebReverseProxy99]   2.8+   With UAG and Access Point 2.8 and newer you can add multiple [WebReverseProxy] sections. The Group Name must have a number appended in the range 1-99 and must be unique. The same values as [WebReverseProxy] are repeated for each additional group. e.g.   [WebReverseProxy] ... [WebReverseProxy1] ... [WebReverseProxy99] ...                                     Managing SSL Server Certificate Files   Deploying a trusted certificate authority (CA) signed SSL server certificate on UAG gives users the assurance that they are connecting to a trusted environment. It also significantly reduces the security risk of a so called man-in-the-middle attack between the user and the service.   If you don't specify a certificate in the [SSLCert] section of the .ini file, UAG will generate a self-signed SSL server certificate. This will work, and can be useful for initial testing, but a self-signed certificate will not be trusted by Horizon  and other clients and therefore users will receive a warning when connecting via UAG.   For production environments, it is best to obtain an SSL server certificate from a trusted CA for use on each UAG appliance.   If you have the PEM format files for the SSL server certificate (including any intermediate CA certificates and root CA certificate) you can reference the files in the pemCerts and pemPrivKey values as described later in this section.   From UAG version 3.0, the deployment of the SSL server certificate became much simpler for customers who have their trusted CA certificate and private key in PKCS#12 (.p12 or .pfx) format. From UAG version 3.0, it is no longer necessary to convert the .p12 or .pfx file to PEM format using openssl commands as described below. Instead, you can now just reference the .p12 or .pfx file directly from within the .ini file. In the .INI file, add the following lines.   [SSLCert] pfxCerts=mycaservercert.pfx   When the script is run, these certificates and private key will be automatically deployed to the new UAG appliance. The referenced pfxCerts file should contain the SSL server certificate with private key, and any intermediate certificates required. During deployment you enter the password associated with the .p12/.pfx file.   If there are multiple certificates with private key, then you can specify which one to use with the pfxCertAlias keyword.   If you have a certificate file with private key and certificate trust chain all in one PKCS#12 format file with either a .p12 or .pfx file extension, then with UAG 3.0 and newer you can use it use it directly without conversion as described above. For UAG and Access Point versions below 3.0 you must convert the PKCS#12 format file into the two PEM format files. PEM format is still supported for UAG 3.0 and newer and can still be needed if you have PEM format files. You can convert from PKCS#12 to the two PEM files with openssl (which you can download from Shining Light Productions - Win32 OpenSSL) by running the following example openssl commands which start with a PKCS#12 file called mycaservercert.pfx.   openssl pkcs12 -in mycaservercert.pfx -nokeys -out mycaservercert.pem openssl pkcs12 -in mycaservercert.pfx -nodes -nocerts -out mycaservercertkey.pem openssl rsa -in mycaservercertkey.pem -check -out mycaservercertkeyrsa.pem   Edit mycaservercert.pem and remove any unnecessary certificate entries. It should contain the one SSL server certificate followed by any necessary intermediate CA certificates and root CA certificate.   The pem file may contain text between the certificates such as "Bag Attributes". These lines are not necessary and can be removed. Make sure the .pem file does not contain any single-quote/apostrophe characters. These must be removed.   In the .INI file, add the following lines.   [SSLCert] pemCerts=mycaservercert.pem pemPrivKey=mycaservercertkeyrsa.pem   When the script is run, these certificates and private key will be automatically deployed to the new UAG appliance. The private key PEM file should be deleted from the Windows machine once UAG has been deployed.   If you find that the deployment of UAG works when you don't specify the PEM files (i.e. for UAG to use a self-signed SSL server certificate) but fails when you supply your own certificate as described above, then follow these steps. It could be caused by a missing intermediate or root certificate in your specified PEM file.   Log into the console of UAG as user root and enter the root password you chose when you ran the uagdeploy.ps1 script. Using an editor such as vi, look at the log file /opt/vmware/gateway/logs/admin.log If you see entries saying "Unable to build the certification path" and "No issuer certificate for certificate in certification path found" it means that you having missing intermediate or root certificate entries in the PEM or .p12/.pfx file specified for.     To correct this, you must make sure that any required intermediate certificates and/or root certificate are present in the PEM file and then re-run the uagdeploy.ps1 script.   Network Setting for each NIC (UAG 3.3 and newer)   Case IPv4 IPv6 ipMode0 ip0 netmask0 v6ip0 v6Prefix0 PowerShell [General] Settings 1 :smileycheck: :smileyx: DHCPV4         ipMode0=DHCPV4 2 :smileycheck: :smileycheck: DHCPV4+DHCPV6         None required as this is the default. 3 :smileycheck: :smileycheck: DHCPV4+AUTOV6         ipMode0=DHCPV4+AUTOV6 4 :smileycheck: :smileycheck: DHCPV4+STATICV6     fe80::250:56ff:feb1:e800 64 ipMode0=DHCPV4+STATICV6 v6ip0=fe80::250:56ff:feb1:d01a v6ipprefix0=64 5 :smileycheck: :smileyx: STATICV4 192.168.0.128 255.255.255.0     ip0=192.168.0.128 netmask0=255.255.255.0 6 :smileycheck: :smileycheck: STATICV4+DHCPV6 192.168.0.128 255.255.255.0     ipMode0=STATICV4+DHCPV6 ip0=192.168.0.128 netmask0=255.255.255.0 7 :smileycheck: :smileycheck: STATICV4+AUTOV6 192.168.0.128 255.255.255.0     ipMode0=STATICV4+AUTOV6 ip0=192.168.0.128 netmask0=255.255.255.0 8 :smileycheck: :smileycheck: STATICV4+STATICV6 192.168.0.128 255.255.255.0 fe80::250:56ff:feb1:e800 64 ip0=192.168.0.128 netmask0=255.255.255.0 v6ip0=fe80::250:56ff:feb1:d01a v6ipprefix0=64 9 :smileyx: :smileycheck: DHCPV6         ipMode0=DHCPV6 10 :smileyx: :smileycheck: AUTOV6         ipMode0=AUTOV6 11 :smileyx: :smileycheck: STATICV6     fe80::250:56ff:feb1:e800 64 v6ip0=fe80::250:56ff:feb1:d01a v6ipprefix0=64   The table above shows the 11 IPv4 and IPv6 combination modes supported in UAG 3.3 and newer for each NIC with examples for the first NIC (eth0). The same settings can be applied to the second (eth1) and third (eth2) NICs as required.   NIC0 - eth0 - ipMode0, ip0, netmask0, vcip0, v6Prefix0. NIC1 - eth1 - ipMode1, ip1, netmask1, vcip1, v6Prefix1. NIC2 - eth2 - ipMode2, ip2, netmask2, vcip2, v6Prefix2.   Troubleshooting Deployment Problems   1. I get a security warning about running scripts downloaded from the Internet   Verify that the PowerShell script is the script you intend to run, and then from the PowerShell console, run the command:   unblock-file .\uagdeploy.ps1   2. I get an error saying "ovftool command not found".   Make sure you have installed the OVF Tool software on your Windows machine and that it is installed in the location expected by the script. OVF Tool Download.   3. I get an error saying "Invalid Network in property netmask0" or "Cannot initialize property 'netmask0'. Network 'VM Network' has no associated network protocol profile"   The message may state netmask0, netmask1 or netmask2, Check that a value has been set in the .INI file for each of the three networks (netInternet, netManagementNetwork and netBackendNetwork),Also check that a vSphere Network Protocol Profile has been associated with every referenced network name. This specifies network settings such as IPv4 subnet mask, gateway etc. so make sure the associated Network Protocol Profile has correct values for each of the settings.   4. I get a warning message about the operating system identifier being not supported (id: 85)   The full message is: The specified operating system identifier 'SUSE Linux Enterprise Server 12.0 64bit' (id:85) is not supported on the selected host. It will be mapped to the following OS identifier: 'Other Linux (64-bit)'. This can be ignored. It is mapped to a supported operating system automatically.   5. How do I configure UAG for RSA SecurID authentication?   Add the following two lines to the [Horizon] section of your .ini file:   authMethods=securid-auth matchWindowsUserName=true   Add a new section at the bottom of your .ini file containing:   [SecurIDAuth] serverConfigFile=C:\temp\sdconf.rec externalHostName=192.168.0.90 internalHostName=192.168.0.90   The IP addresses should both be set to the IP address of UAG. The sdconf.rec file is obtained from RSA Authentication Manager (RSA-AM) which should be fully configured according to RSA documentation.   Make sure you are using UAG 2.5 or newer and that the RSA-AM server is accessible on the network from UAG.   If there is a firewall between UAG and your RSA Authentication Manager server, make sure it isn't blocking the communication. This is normally UDP 5500 from UAG to RSA-AM and the reply traffic.   Rerun uagdeploy PowerShell command to redeploy your UAG configured for RSA SecurID. Refer to VMware UAG RSA SecurID Authentication Setup Video for a full step-by-step description of this setup. Also Refer to the RSA Ready Certification Document for VMware UAG.   Note that when RSA SecurID is configured in the .INI file, then after deployment when UAG first starts up, it performs a check against RSA-AM. If RSA-AM is not available, or if DNS cannot resolve the hostname of RSA-AM referenced in the sdconf.rec file, or if a firewall is blocking the UDP port for this communication, this startup will fail. When this initial handshake fails, the RSA SecurID component on UAG remains disabled. You can open up the sdconf.rec file with a text editor and although it is a binary file, you can see the RSA-AM hostname(s). If you suspect a communication failure, you can log in to the console of UAG as root and run nslookup with that hostname to verify that it can be resolved. Once you have resolved any environment issues, just rerun the PowerShell command to redeploy UAG.   If you need to redeploy UAG with the PowerShell command when it was previously configured for RSA SecurID, then you must first "clear node secret" on RSA-AM so that trust can be re-established.   6. How do I configure UAG for RADIUS authentication?   Add the following two lines to the [Horizon] section of your .ini file:   authMethods=radius-auth matchWindowsUserName=true   Add a new section at the bottom of your .ini file containing:   [RADIUSAuth] hostName=192.168.0.100 authType=PAP authPort=1812 radiusDisplayHint=XXX Token   For more information on these and other settings, refer to the sample uag4-radius.ini file in the latest uagdeploy ZIP file below. Also refer to the [RADIUSAuth] descriptions in the table above.   Make sure you are using UAG 2.5 or newer and that the RADIUS server is accessible on the network from UAG.   If there is a firewall between UAG and your RADIUS server, make sure it isn't blocking the communication. This is normally UDP 1812 from UAG to to the RADIUS server and the reply traffic.   Rerun uagdeploy PowerShell command to redeploy your UAG configured for RADIUS.   Note that when RADIUS is configured in the .INI file, then after deployment when UAG first starts up, it performs a check against the configured RADIUS server. If the server is not available or if a firewall is blocking communication, this startup will fail.   7. How do I configure UAG for Client Device certificate authentication?   Add the following line to the [Horizon] section of your .ini file:   authMethods=certificate-auth && sp-auth   Add a new section at the bottom of your .ini file containing:   [CertificateAuth] pemCerts=C:\Users\Administrator\Documents\SSL\CA Certs\north-ca-256.cer   The .cer file is the public certificate authority (CA) certificate that was used to issue required client device certificates.   A client device certificate must be installed in the user or computer certificate store on the system where the Windows Horizon Client is installed. This proves the identity of the client computer. Unless the client supplies a valid certificate issued by this CA, then UAG will reject the connection with an error as shown below.   Client devices that do supply a valid certificate will get the normal user authentication prompt.   This feature is typically used to ensure that only Windows domain joined client computers can connect to desktops and applications via UAG. The client device certificates can be managed automatically as part of a Windows client machine enrolment policy.   For the Cryptographic Service Provider (CSP) specified in the certificate issuing template, use the "Microsoft Enhanced RSA and AES Cryptographic Provider". This supports SHA256 certificates and TLS 1.2. SHA1 is generally now considered too weak for authentication purposes so you should use SHA256.     For Windows to be able to use the certificate for client authentication purposes, the user on the client computer must have read access to the certificate private key. It is not necessary or desirable to make the private key exportable. The Key Usage of the certificate must include "Digital Signature" and "Key Encipherment (a0)".   8. I get an error saying "Locator does not refer to an object"   This means that the target= value (used by vSphere OVF Tool) is not correct for your vCenter environment. Refer to the table above for examples of the target format used to refer to a vCenter host or cluster. If you are not sure of the names to use, you can start with the top level object, e.g. by specifying:   target=vi://administrator@vsphere.local@192.168.0.21/   This will then show a list of possible names to use at the next level. You can then expand it, one level at a time based on this list.   target=vi://administrator@vsphere.local@192.168.0.21/Datacenter1/ target=vi://administrator@vsphere.local@192.168.0.21/Datacenter1/host target=vi://administrator@vsphere.local@192.168.0.21/Datacenter1/host/Cluster1/ or target=vi://administrator@vsphere.local@192.168.0.21/Datacenter1/host/esxhost1 or target=vi://administrator@vsphere.local@192.168.0.21/Datacenter1/host/my folder/esxhost1     Note that folder names, host names and cluster names used in the target value are case sensitive.     9. I get an error saying "Transfer failed and Error: failed to send http data"       This will happen if your target entry references an ESXi hostname that cannot be resolved by your local computer.   This will also happen if you are using a version of vSphere OVF Tool that is not compatible with the version of vSphere and vCenter you are using. I have seen this error after upgrading vSphere to version 6.5 where I was using an older 4.1.0 version of OVF Tool which is not compatible. In this case, the solution was to upgrade to OVF Tool version 4.2.0 or newer - see OVF Tool Software and Documentation.   For any questions on UAG, post a message on the discussion section of the Horizon community forum.

This PowerShell script will accomplish the following: 1. Install DEM Management Console 2. Create File share 3. Set all of the required permissions on file share ……………………………………………………………………………….. Param(   [string]$Parameter1 ) ## v.01 ## Script to create the base folders for DEM install ## - Script needs to be run in the root of the Drive you will to install the folders ## -- # Check if script is running as Adminstrator and if not use RunAs Write-Host "Checking if the script is running as Administrator" $IsAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]"Administrator") if (-not $IsAdmin){     $Parameter1 = (Get-Location).ToString()     Write-Host "The script is NOT running as Administrator, restarting PowerShell as Administrator..."     $cmd = $MyInvocation.MyCommand.Path + " -Parameter1 '$Parameter1' -Parameter2 $Parameter2 -Parameter3 $Parameter3"     $arguments = "-NoProfile -Command ""& {$cmd} """     Get-Location     $cmd     $arguments     Start-Process "$psHome\powershell.exe" -Verb Runas -ArgumentList "$arguments" -WorkingDirectory (Get-Location).path -ErrorAction 'stop'     Break              } else{     Write-Host "The script is already running as Administrator" } Set-ExecutionPolicy RemoteSigned #Install DEM Management Console #ADDLOCAL options ALL,FlexEngine,FlexMigrate,FlexProfilesSelfSupport,FlexManagementConsole $dir1 = """C:\Temp\VMware-DEM-9.11-GA\VMware Dynamic Environment Manager 9.11 x64.msi""" $dir2 = """C:\Program Files\VMware DEM""" $argument = " /i $dir1 /qn+ INSTALLDIR=$dir2 ADDLOCAL=FlexManagementConsole" $install = (start-process msiexec.exe -argumentlist $argument -passthru -wait).exitcode #param($dir) cd $Parameter1 #echo $dir > d:\dir.txt $dir = $Parameter1 $dir3 = "$dir\DEM" #pause ## DEM New-Item -ItemType Directory -Name DEM $acltmp = Get-Acl DEM $acltmp.SetAccessRuleProtection($true, $false) $own = New-Object System.Security.Principal.NTAccount("Builtin","Administrators") $acltmp.SetOwner($own) $DEMPerm = 'Domain Admins', 'FullControl', 'none, none', 'None', 'Allow' $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $DEMPerm $acltmp.SetAccessRule($rule) $DEMPerm = [Environment]::UserName, 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow' $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $DEMPerm $acltmp.SetAccessRule($rule) $DEMPerm = 'SYSTEM', 'FullControl', 'none, none', 'None', 'Allow' $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $DEMPerm $acltmp.SetAccessRule($rule) $DEMPerm = 'Domain Users', 'FullControl', 'none, none', 'None', 'Allow' $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $DEMPerm $acltmp.SetAccessRule($rule) Set-Acl DEM -AclObject $acltmp ## DEMConfig New-Item -ItemType Directory -Path "$dir\DEM\DEMConfig" $acltmp = Get-Acl -Path "$($DIR)DEM\DEMConfig" $acltmp.SetAccessRuleProtection($true, $false) $own = New-Object System.Security.Principal.NTAccount("Builtin","Administrators") $acltmp.SetOwner($own) $DEMPerm = 'Domain Admins', 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow' $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $DEMPerm $acltmp.SetAccessRule($rule) $DEMPerm = [Environment]::UserName, 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow' $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $DEMPerm $acltmp.SetAccessRule($rule) $DEMPerm = 'SYSTEM', 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow' $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $DEMPerm $acltmp.SetAccessRule($rule) $DEMPerm = 'Domain Users', 'AppendData,CreateDirectories,Read,ReadExtendedAttributes', 'ContainerInherit, ObjectInherit', 'None', 'Allow' $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $DEMPerm $acltmp.SetAccessRule($rule) Set-Acl -Path "$($DIR)DEM\DEMConfig" -AclObject $acltmp New-SmbShare –Name DEMConfig$ –Path "$($DIR)DEM\DEMConfig" -FullAccess Everyone -CachingMode None ## /DEMConfig ## DEM Users New-Item -ItemType Directory -Path "$dir\DEM\DEMUsers" $acltmp = Get-Acl -Path "$($DIR)DEM\DEMUsers" $acltmp.SetAccessRuleProtection($true, $false) $own = New-Object System.Security.Principal.NTAccount("Builtin","Administrators") $acltmp.SetOwner($own) $DEMPerm = 'Domain Admins', 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow' $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $DEMPerm $acltmp.SetAccessRule($rule) $DEMPerm = [Environment]::UserName, 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow' $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $DEMPerm $acltmp.SetAccessRule($rule) $DEMPerm = 'SYSTEM', 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow' $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $DEMPerm $acltmp.SetAccessRule($rule) $DEMPerm = 'Everyone', 'AppendData,CreateDirectories,Read,ReadExtendedAttributes', 'none, none', 'None', 'Allow' $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $DEMPerm $acltmp.SetAccessRule($rule) $DEMPerm = 'CREATOR OWNER', 'FullControl', 'ContainerInherit, ObjectInherit', 'InheritOnly', 'Allow' $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $DEMPerm $acltmp.SetAccessRule($rule) Set-Acl "$($DIR)DEM\DEMUsers" -AclObject $acltmp New-SmbShare –Name DEMUsers$ –Path "$($DIR)DEM\DEMUsers" -FullAccess Everyone ## /DEMUsers ## HDaaS Redirected Profiles New-Item -ItemType Directory -Name TSREDIRECT $acltmp = Get-Acl TSREDIRECT $acltmp.SetAccessRuleProtection($true, $false) $own = New-Object System.Security.Principal.NTAccount("Builtin","Administrators") $acltmp.SetOwner($own) $DEMPerm = 'Domain Admins', 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow' $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $DEMPerm $acltmp.SetAccessRule($rule) $DEMPerm = [Environment]::UserName, 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow' $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $DEMPerm $acltmp.SetAccessRule($rule) $DEMPerm = 'SYSTEM', 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow' $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $DEMPerm $acltmp.SetAccessRule($rule) $DEMPerm = 'Everyone', 'Traverse,ExecuteFile,ReadData,CreateDirectories,AppendData', 'none, none', 'None', 'Allow' $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $DEMPerm $acltmp.SetAccessRule($rule) $DEMPerm = 'CREATOR OWNER', 'Read,Delete,WriteExtendedAttributes,WriteAttributes,CreateDirectories,AppendData,CreateFiles,WriteData,ReadExtendedAttributes,ReadAttributes,ListDirectory,Traverse,ExecuteFile', 'ContainerInherit, ObjectInherit', 'None', 'Allow' $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $DEMPerm $acltmp.SetAccessRule($rule) Set-Acl TSREDIRECT -AclObject $acltmp New-SmbShare –Name TSREDIRECT$ –Path "$($DIR)TSREDIRECT" -FullAccess Everyone -CachingMode None ## /DEMProfiles ## Audit Logs New-Item -ItemType Directory -Name AuditLogs $acltmp = Get-Acl AuditLogs $acltmp.SetAccessRuleProtection($true, $false) $own = New-Object System.Security.Principal.NTAccount("Builtin","Administrators") $acltmp.SetOwner($own) $DEMPerm = 'Domain Admins', 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow' $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $DEMPerm $acltmp.SetAccessRule($rule) $DEMPerm = [Environment]::UserName, 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow' $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $DEMPerm $acltmp.SetAccessRule($rule) $DEMPerm = 'SYSTEM', 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow' $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $DEMPerm $acltmp.SetAccessRule($rule) $DEMPerm = 'Everyone', 'Traverse,ExecuteFile,ReadData,CreateDirectories,AppendData', 'none, none', 'None', 'Allow' $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $DEMPerm $acltmp.SetAccessRule($rule) $DEMPerm = 'CREATOR OWNER', 'Read,Delete,WriteExtendedAttributes,WriteAttributes,CreateDirectories,AppendData,CreateFiles,WriteData,ReadExtendedAttributes,ReadAttributes,ListDirectory,Traverse,ExecuteFile', 'ContainerInherit, ObjectInherit', 'None', 'Allow' $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $DEMPerm $acltmp.SetAccessRule($rule) Set-Acl AuditLogs -AclObject $acltmp New-SmbShare –Name Logs$ –Path "$($DIR)AuditLogs" -FullAccess Everyone -CachingMode None ## /Auditlogs pause

Hello. I was in need of enabling the status bar and removing the home button in the Android launcher. This was especially true for us with elderly patients and research individuals. There might be many reasons you need this. But this little snippet does a fantastic job: XML: <characteristic type="com.airwatch.android.androidwork.launcher" uuid="568bc89d-1df8-4ce9-a041-e5a24acdb7ec"> <parm name="SkipCosuSetup" value="True"/> </characteristic> Information can be found here: VMware Launcher on Android Enterprise – nuances – Arsen Bandurian: Technical Blog​ So grateful for Arsen. I hope this helps others as It took me a few Googles to get this one and I am excited. Xavier Vasquez Rush University

DEM configuration file for Microsoft Windows Sticky Notes/AppX package (Windows Store / Universal app) Adapted for Windows 10 using the comments from Sticky Notes.zip Verified on Windows 10 1909

INSTANT CLONE PROVISIONING IN VMWARE HORIZON CREATING MASTER IMAGE A master Image also known as a base image or a golden image is the most important part of the VDI deployment scenarios. Create one VM as a master image, and Horizon 7 can generate a pool of virtual desktops from that image. You can Use VMware optimization tool to optimize the golden image. If the image is not optimized, you will run into performance issues.The VMware OS Optimization Tool helps in preparing and optimizing Windows 10/8/7 and Windows Server 2019/2016/2012/2008 systems for use with VMware Horizon The OS Optimization Tool includes customizable templates to enable or disable Windows system services and features, per VMware recommendations and best practices. Now that the optimized Golden Image is ready, take a snapshot of the optimized Golden Image.  We will use that snapshot while creating Desktop Pools. For more information about creating and managing snapshots in vSphere Web Client, please refer to this link: https://kb.vmware.com/s/article/2032907 CREATING DESKTOP POOL A desktop pool is a collection of desktops that users select when they log in using the View client There are two main types of virtual desktop pools: automated and manual. Automated desktop pools use a vCenter Server virtual machine template or snapshot to create a pool of identical virtual machines. Manual desktop pools are a collection of Server virtual machines, physical computers, or third-party virtual machines. In automated or manual pools, each machine is available for one user to access remotely at a time For more information on creating Instant-Clone Desktop Pools visit: https://docs.vmware.com/en/VMware-Horizon-7/7.9/horizon-console-administration/GUID-C450DD3D-AB0B-4B24-8981-ED6C4D1B9148.html As soon as we create the desktop pools and enable provisioning, the process of creating the template from the associated snapshot starts. Once the template is created, it remains in the powered off state and resides in the same cluster as the Golden VM. The nomenclature of the Template is defined and the name of the template will be cp-template*followed by digits* The next step after the creation of template is creation of a Replica VM. Replica VM also remains in power off state. Each replica is created per Datastore basis that means there will be one replica VM per Datastore. Similar to Template, the nomenclature of the Replica VM is defined and the name of the template will be cp-replica*followed by digits* The last part of the PRIMING stage is marked by the creation of parent VM starts. It is important to remember that the parent VM is in powered ON state and single parent VM is created per ESXI host per Datastore. Parents VM loads the OS in the memory and sets up the shared area. Since the parent is powered ON, it will create a shared memory location. Immediately after that if forks off itself to create Instant Clone. This ends the PRIMING stage in the instant clone provisioning process. The PRMING stage starts with the template creation up to the point when the Parent forks off itself to create the Instant Clone. Priming is the most time consuming part. It takes around 20-30 minutes. The instant clone will then read from the shared memory and replica VM. Instant clone becomes a unique memory location with unique identity of its own, including a MAC address, UUID, and other system information. Instant clones require less storage and less expense to manage and update because the desktop is deleted when the user logs out, and a new desktop is created using the latest master image.

I created a small script that allows you to select a folder that contains existing shortcuts (LNK files) and export them to a folder, where they are saved as DEM XML (shortcut) files. 05/27/2020 - Version 0.4 Changes Important notice about VMware support is added Comment from shortcuts (if present) is automatically converted to DEM XML Additional SOURCE and TARGET path checking Getting started Open PowerShell and run the following script. .\Convert-LNK2DEMXML.ps1 -- or -- Right-click the script in Windows Explorer and click Run with PowerShell. Select the source folder that contains the shortcuts (LNK files) you want to convert. Select the target folder where you want to save the DEM XML files. Copy the XML files to your DEM configuration share (one by one, or all in one). The location you want to copy the DEM XML files to is typically something like \\server\demconfigshare$\general\FlexRepository\Shortcut. I recommend to test the shortcuts in a test or acceptance environment first, before putting in them in production. Background and introduction can be found here: https://www.ivandemes.com/bulk-convert-shortcuts-to-dynamic-environment-manager/ The script can be found on GitHub: https://github.com/ivandemes/Convert-LNK2DEMXML

Problem description: With Appstack 4.0 attached in the remote desktop, if the user tries to configure any network printer it fails with an error "Windows Cannot connect to the printer. Operation failed with error 0x00000006" On the same remote desktop, if the no appstack is attached, user is able to configure the network printer. Product: VMware AppVolumes 4.0 Workaround: Note: First implement the action plan on a test pool or test machine before moving it to production. Power on master VM. Navigate to C:\Program Files(x86)\CloudVolumes\Agent\Config. Create a new folder called "Custom" Then create a folder called "app" inside "Custom" folder. Create a notepad file, open the file and below lines: exclude_registry=\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\Providers\Client Side Rendering Print Provider exclude_path=%SystemRoot%\System32\DriverStore\FileRepository exclude_path=%SystemRoot%\INF exclude_registry=\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Control\Print\Printers exclude_registry=\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Printers Save the file as snapvol.cfg. Make sure file extension is correctly set to '.cfg' not '.cfg.txt'. Reboot the VM, Shutdown the VM and take a snapshot and recompose/publish the pool with this snapshot. Login to the VM and you should be able to map network printers now. PS: For further details or information please contact VMware App Volumes support team.

Upgrade failed: SQL Server Agent Jobs If you are upgrading your Workspace ONE UEM and then installer fails with the below errors, it might be caused by the SQL Server Agent jobs. In the installer logs you might see an error as shown below: "an error occurred while the batch was being executed": To solve the problem, check the properties of all SQL Server Agent jobs, and make sure that the job owner is assigned to the SQL user that runs the installer. Restore your DB from the Backup and re-run the installer.

The Purpose of this document is to provide documented steps on successful troubleshooting measures when supporting Chrome OS managed devices within your Workspace One UEM environment. The document covers useful resources on Chrome OS integration into Workspace One UEM, differences between profile options and how to do some device side troubleshooting techniques that may help investigating challenges within an environment.

Below are some important links for admins and end-users on installing the Horizon Client on various devices. For Admins https://docs.vmware.com/en/VMware-Horizon-Client/index.html For End-Users Download the VMware Horizon Clients for Windows, Mac, iOS, Linux, Chrome and Android Instructions for Installing the Horizon Client on Windows Instructions for Installing the Horizon Client on Mac After installing Horizon Client on your device and launching it, you will need to provide organization-specific information in order to connect to a remote desktop or application. This information (name of server and your organization credentials) can only be provided by your organization.

This post will walk you through the very basics of using Postman to use the VMware Identity Manager REST APIs to either GET or POST data. This post assumes either VMware Identity Manager 2.8.x on-premises tenant or newer or a VMware Identity Manager SaaS tenant. NOTE: Some additional API calls may ONLY exist for on-premises tenants (e.g. node health status, etc.) which may not be accessible for VMware Identity Manager SaaS tenants. The Basics: On some occasions, customers may need to have a resource send a command to VMware Identity Manager but then redirect back. By default, VMware Identity Manager does not do redirects (this is by design), however, it can support them with a slight modification to trusts.  The changes are a one-time change per VMware Identity Manager tenant and remain from that point forward unless removed by an administrator. In this example, we are showing the settings to both GET and POST updates to the "Allow Redirects" API, which tells the VMware Identity Manager what 3rd party sites the vIDM tenant is allowed to safely redirect a user to. Warning/Notice! Download 3rd party software at your own risk!  VMware does not assume responsibility or liability for your actions on any system or your use of 3rd party software or any damages which may be caused through the use of third party software. Prerequisites: Postman - If you search for Postman, you'll likely come to the Download Postman App web page (This is the primary source as far as I can tell). A VMware Identity Manager tenant.  Preferably a test tenant (DO NOT TEST ON A PRODUCTION TENANT!). Admin credentials to the VMware Identity Manager (TEST) tenant Getting the Bearer Token from the HZN Cookie in the Browser The following are the instructions for grabbing the bearer token from the HZN cookie and then applying using Postman to access the APIs to update the settings for allowing redirects. NOTE: Most modern browsers have an inspection mode.  Usually this is accessed by right-clicking on the web page and selecting INSPECT. Open a browser such as Chrome and authenticate as admin account to your Workspace ONE tenant (Note: Make sure you have the option to view the Administrator console). Open INSPECT mode in the browser by right-clicking on the page and selecting INSPECT from the context menu. Select APPLICATION from the inspection window. Select your Workspace ONE / VMware Identity Manager portal under cookies. Find HZN under the name column and copy the value data to your clipboard. In step 5.) of the below instructions, paste the token in for authentication as a Bearer Token. Using PostMan to access Workspace ONE APIs to GET Values When you define the parameters in PostMan, make sure the following are set. Start with GET command to test URL. URL to the API with correct FQDN of VMware Identity Manager tenant.  In this case, to read the “allowedredirects” value from the Workspace ONE tenant, use the below URL. https://<FQDN>/SAAS/jersey/manager/api/authsettings/allowedredirects Open Authorization tab… Set authentication type to BEARER TOKEN. Paste in token from HZN cookie from browser (see above procedure to get token from HZN cookie). When you press SEND, the Body value should appear as shown in the image below. Using PostMan to access Workspace ONE APIs to POST Values When you define the parameters in PostMan, make sure the following are set. Start with POST command to test URL. URL to the API with correct FQDN of VMware Identity Manager tenant.  In this case, to update the “allowedredirects” value from the Workspace ONE tenant, use the below URL. https://<FQDN>/SAAS/jersey/manager/api/authsettings/allowedredirects To note: Allowed redirects are per tenant (not per node within a tenant) so they only need to be set using the LB FQDN (e.g. portal.flaming.ws or workspace.mydomain.com). Open Authorization tab… Set authentication type to BEARER TOKEN. Paste in token from HZN cookie from browser (see above procedure to get token from HZN cookie). Switch to the HEADERS tab in Postman. For updating the allowedredirects value we need to add in the “Accept” header with the following value: application/vnd.vmware.horizon.manager.authsettings.allowedredirects+json For updating the allowedredirects value we need to add in the “Content-Type” header with the following value: application/vnd.vmware.horizon.manager.authsettings.allowedredirects+json NOTE: If you do not see the above image, you are likely in Bulk Edit mode.  If you’d like, you can just paste in the text per the next image, or shift to the Key-Value Edit mode in postman to see the above screen. Within Postman, switch to the Body tab. Select “raw” for the entry type. This allows you to type in whatever code you wish. Select the code type.  This is optional as TEXT or TEXT PLAIN will also work.  The code we are entering is JSON so either TEXT/TEXT PLAIN or JSON will work. Enter the following code.  PUT YOUR CAREGATE LOGOUT/LOGIN PAGE AND ANY OTHER PAGES IN COMMA SEPARATED FORMAT BETWEEN THE DOUBLE QUOTES.  ENSURE YOU ADD THE ASTERISK AT THE END OF EACH TO BE ABLE TO POINT TO ANY SUBPAGE. Single Site Code Example: { "allowedRedirects":["https://www.flaming.ws*"] } Multi-Site Code Example: { "allowedRedirects":["https://www.google.com*,https://www.flaming.ws*"] } When you press SEND, the pages you define will show up under “allowedRedirects” within the Body outcome. NOTE:  If you make an error, just correct it and repost the update. If you wish to remove all redirects, simply delete all web sites between the quotes and POST the update. Remove All Redirects Code Example: { "allowedRedirects":[""] } Conclusion: This should get you started with using Postman to use the REST APIs within VMware Identity Manager / Workspace ONE to help with better administering and programmatically calling for information and updates to/from Workspace ONE. For a list of VMware Identity Manager APIs, see the VMware Identity Manager API explorer on code.vmware.com.

Bonjour, j’observe que mon curseur de souris dans un contexte de saisie est parfois remplacé par deux petits points assez microscopiques. auriez-vous déjà observé ce phénomène et surtout avez solution a me proposer. merci

UEM configuration file for SuperTuxKart 1.0.0 DirectFlex is enabled Import/Exports user config from <AppData>\supertuxkart\ Works on Windows 10 1803 and below SuperTuxKart 1.0.0 must be installed in C:\Program Files (x86)\SuperTuxKart 1.0.0\supertuxkart.exe