VMware Horizon 8 2212 Release Notes

Microsoft Internet Explorer no longer supported for Horizon Console from Horizon 2111 onwards

As Horizon Console is migrating to VMware clarity widgets which do not support Internet Explorer, we have removed Internet Explorer from the list of supported browsers for Horizon Console.

Important note about installing VMware Tools

If you plan to install a version of VMware Tools downloaded from VMware Product Downloads, rather than the default version provided with vSphere, make sure that the VMware Tools version is supported. To determine which VMware Tools versions are supported, go to the VMware Product Interoperability Matrix. (Supported versions: 11.1.0, 11.0.6, 10.3.22, 10.3.21). There are also performance issues with the 11.x versions of VMware Tools. For more information, see VMware Knowledge Base article 78434.

If you intend to upgrade a pre-6.2 installation of VMware Horizon and the Connection Server uses the self-signed certificate that was installed by default, you must remove the existing self-signed certificate before you perform the upgrade. Connections might not work if the existing self-signed certificates remain in place. During an upgrade, the installer does not replace any existing certificate. Removing the old self-signed certificate ensures that a new certificate is installed. The self-signed certificate in this release has a longer RSA key (2048 bits instead of 1024) and a stronger signature (SHA-256 with RSA instead of SHA-1 with RSA) than in pre-6.2 releases. Note that self-signed certificates are insecure and should be replaced by CA-signed certificates as soon as possible, and that SHA-1 certificates are no longer considered secure and should be replaced by SHA-2 certificates.

Do not remove CA-signed certificates that were installed for production use, as recommended by VMware. CA-signed certificates will continue to work after you upgrade to this release.

Downgrading Connection Server instances is not supported. To revert to a previous version after an upgrade, restore from backup. For more information, see Create a Replicated Group After Reverting Connection Server to a Snapshot.

VMware Horizon 8 uses only TLSv1.1 and TLSv1.2. TLSv1.1 is disabled by default. In FIPS mode, it uses only TLSv1.2. You might not be able to connect to vSphere unless you apply vSphere patches.

It is possible that the ordering of cipher suites can be enforced by Connection Server. For more information, see Horizon Security.

Connection Server must be able to communicate on port 32111 with other Connection Servers in the same pod. If this traffic is blocked during installation or upgrade, installation will not succeed.

TLS handshakes on port 443 must complete within 10 seconds, or within 100 seconds if smart card authentication is enabled. In previous releases of VMware Horizon, TLS handshakes on port 443 were allowed 100 seconds to complete in all situations. You can adjust the time for TLS handshakes on port 443 by setting the configuration property handshakeLifetime. Optionally, the client that is responsible for an over-running TLS handshake can be automatically added to a blacklist. New connections from blacklisted clients are delayed for a configurable period before being processed so that connections from other clients take priority. You can enable this feature by setting the configuration property secureHandshakeDelay. For more information about setting configuration properties, see Horizon Security.

If you have FIPS mode enabled, you cannot mix Horizon 7.10.3 pods and any Horizon 8.x pods in a single CPA federation.  In addition, you cannot upgrade the original Horizon 7.10.3 version directly to a Horizon 8.x pod.  You will first need to upgrade to a patched 7.10.3. Contact VMware Customer Connect on how to obtain the patch.

When you deploy an instant clone as a RDS host, do not reboot the RDS host directly from within the Windows Server OS. Instead, refresh the instant clone VM using the push image workflow.

In VMware Horizon 8, internal validation checks determine if the instant clone and internal template have valid IP addresses and a network connection. If a virtual machine has a NIC that cannot be assigned an IP address during provisioning, instant-clone provisioning fails.

The forwarding rules for HTTP requests received by Connection Server instances have changed at this release. If you have defined custom frontMapping entries in locked.properties, you should remove them before upgrading. If you wish to disallow administrator connections to certain Connection Server instances, then instead of defining custom frontMapping entries, add this entry to locked.properties:

frontServiceWhitelist = tunnel|ajp:broker|ajp:portal|ajp:misc|moved:*|file:docroot

In VMware Horizon 8, the viewDBChk tool will not have access to vCenter credentials and will prompt for this information when needed.

Microsoft Windows Server requires a dynamic range of ports to be open between all Connection Servers in the VMware Horizon 8 environment. These ports are required by Microsoft Windows for the normal operation of Remote Procedure Call (RPC) and Active Directory replication. For more information about the dynamic range of ports, see the Microsoft Windows Server documentation.

Screen DMA is disabled by default in virtual machines that are created in vSphere 6.0 and later. VMware Horizon 8 requires screen DMA to be enabled. If screen DMA is disabled, users see a black screen when they connect to the remote desktop. When VMware Horizon 8 provisions a desktop pool, it automatically enables screen DMA for all vCenter Server-managed virtual machines in the pool. However, if Horizon Agent is installed in a virtual machine in unmanaged mode (VDM_VC_MANAGED_AGENT=0), screen DMA is not enabled. For information about manually enabling screen DMA, see VMware Knowledge Base (KB) article 2144475.

To use View Storage Accelerator in a vSphere environment, a desktop virtual machine must be 512GB or smaller. View Storage Accelerator is disabled on virtual machines that are larger than 512GB. Virtual machine size is defined by the total VMDK capacity. For example, one VMDK file might be 512GB or a set of VMDK files might total 512GB. This requirement also applies to virtual machines that were created in an earlier vSphere release and upgraded to vSphere 5.5.

The Global Policy, Multimedia redirection (MMR), defaults to Deny. To use MMR, you must open Horizon Console, edit Global Policies, and explicitly set this value to Allow. To control access to MMR, you can enable or disable the Multimedia redirection (MMR) policy globally or for an individual pool or user. Multimedia Redirection (MMR) data is sent across the network without application-based encryption and might contain sensitive data, depending on the content being redirected. To ensure that this data cannot be monitored on the network, use MMR only on a secure network.

The USB Redirection setup option in the Horizon Agent installer is deselected by default. You must select this option to install the USB redirection feature. For guidance on using USB redirection securely, see Deploying USB Devices in a Secure VMware Horizon Environment.

For information on security considerations and disallowing inter-virtual machine transparent page sharing, see VMware KB article 2080735.

If a PCoIP Secure Gateway (PSG) has been deployed for PCoIP connections, zero client firmware must be version 4.0 or later.

RC4, SSLv3, TLSv1.0 and TLSv1.1 are disabled by default in VMware Horizon 8 components, in accordance with RFC 7465, "Prohibiting RC4 Cipher Suites," RFC 7568, "Deprecating Secure Sockets Layer Version 3.0," PCI-DSS 3.1, "Payment Card Industry (PCI) Data Security Standard", and SP800-52r1, "Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations." If you need to re-enable RC4, SSLv3, TLSv1.0 or TLSv1.1 on a Connection Server or Horizon Agent machine, see Older Protocols and Ciphers Disabled in View.

VMware Horizon 8 uses version m86 of Microsoft WebRTC source code.

Ensure message security mode is set to ON or ENHANCED and all components are up and running to ensure this change is successful. See VMWare KB article 90251 for details.