Horizon Release Notes

Horizon Application Manager | 3 FEB 2012

Horizon Connector | 15 DEC 2011 | Build 556349

Last Document Update: 3 FEB 2012

What's in the Release Notes

The release notes cover the following topics:

What's New
Before You Begin
Documentation
Known Issues
Resolved Issues

What's New

More applications
Horizon Application Manager already includes a number of pre-configured applications, but now you can add even more. Application Manager makes it simple to add any application that uses either the SAML 1.1 or SAML 2.0 protocol to the list of SAML applications in your application catalog.

Before You Begin

Compatibility

Browser Compatibility
Platform and browser compatibility for Horizon Application Manager (except for Kerberos and NTLMv2-based authentication in Connector Authentication mode):

• Windows XP - Internet Explorer 8; Firefox 6 and 7; Safari 5; Chrome
• Windows Vista - Internet Explorer 8 and 9; Firefox 6 and 7;
• Windows 7 – Internet Explorer 8 and 9; Firefox 6 and 7; Safari 5; Chrome
• Mac OS X through 10.7 – Firefox 6 and 7; Safari 5; Chrome

Currently, only Windows platforms support Horizon Application Manager for Kerberos and NTLMv2-based authentication in Connector Authentication mode:

• Windows XP - Internet Explorer 8; Firefox 6 and 7; Chrome
• Windows Vista - Internet Explorer 8 and 9; Firefox 6 and 7;
• Windows 7 – Internet Explorer 8 and 9; Firefox 6 and 7; Chrome

Hypervisor Compatibility
Horizon Connector virtual machine is supported on ESXi 4.0 and later.

Installation Notes

The functionality of the service depends on Horizon Connector. Therefore, you must first install the connector. To install the connector, you need a Horizon account, which includes the URL and activation instructions. Follow the connector instructions as indicated.

Documentation

The Horizon documentation is applicable for Horizon Connector and the service, including Horizon Application Manager. See the following documentation pages:

Known Issues

The Known Issues section includes known issues for both Horizon Application Manager and Horizon Connector.

Horizon Application Manager Known Issues

The known Horizon Application Manager issues added in the most recent release are marked with the * symbol. Other known issues have been carried forward from previous releases.

Cannot disable option Remember this username*

If users select Remember this username when they log in to Application Manager, future login screens will display a Not this user? option. Clicking that option should allow a user to log in with a different username. Instead, clicking that option displays an error message.

Workaround: Close the error message and log in as the remembered user.

For some existing customers, reports may display the annual cost per license instead of the monthly cost, or vice versa

Due to a recently-fixed bug, reports for some customers may display the annual cost per license instead of the monthly cost, or the monthly cost instead of the annual cost. You should review your "cost per license" figures to make sure that the monthly and annual values are not reversed.

Workaround: In Horizon Administration, click the Reports tab, then select the Application usage report. Verify that the values for the License Cost and Pricing fields appear correctly for each application. If the values appear incorrectly, click the Applications tab, select the application, and then click Edit in the License Tracking section to edit the License Pricing and Cost per License fields.

Horizon Connector Known Issues

The known Horizon Connector issues added in the most recent release are marked with the * symbol. Other known issues have been carried forward from previous releases.

When you use the hostname in the Connector Address text box of the SecurID page, the information is not saved*
The RSA authentication agent, which in this situation is the connector, relies on InetAdress.getLocalHost() in Java. If that call returns 127.0.0.1 or another dummy or loopback address, what transpires between the connector and the RSA SecurID server is unclear. This issue is due to an RSA agent known issue (see RSA release notes), and can occur even when DNS works properly and hostnames are resolved.

Workaround: Use an IP address in the Connector Address text box instead of a hostname. If you want to use the hostname, you must override the IP address on the connector in the /etc/hosts file, and then clear the node secret.

When users abort the setup of an RSA SecurID token but try again soon after, their PIN can be set inaccurately
While setting up their RSA SecurID token, if users cancel the attempt or allow it to time out, upon return they can complete the token setup. However, the passcode the user entered on the previous page might be set as the new PIN.

Workaround: Inform users not to abort the RSA SecurID token setup.

On the Directory page in the Horizon connector Web Interface, using non-ascii characters in the Server Host text box might fail
The use of non-ascii characters for the Active Directory hostname might result in an error message about not resolving DNS.

Workaround: Use ascii characters in the Server Host text box.

The connector does not warn you when a new Active Directory group has the same name as an existing Horizon group
When you create an Active Directory group with a name that exactly matches an existing Horizon group name, the new group does not get pushed to Horizon. To not override the existing group is appropriate behavior. However, no alert is sent to explain the situation.

Workaround: Ensure that you do not create duplicate group names.

The Join Domain page in the Horizon connector Web Interface implies that the password is stored
After you click Join Domain, the AD Password text box remains populated with what appears to be a hidden password. However, the password is not stored on the connector.

Workaround: Ignore the fact that the AD Password text box remains populated after you have joined the domain.

The connector allows you to remove the Bind DN user account that has administrative access to the service
Initially, only the user associated with the Bind DN user account has administrative access to the service.

The following actions can result in you unintentionally removing the Bind DN user account from the service:
- You can filter out the Bind DN user account in the connector when you select users
- You can make the Bind DN user account invalid for directory synchronization by making a user attribute a required attribute while the Bind DN user account does not have that attribute
At the next directory synchronization, following one of the preceding actions, the service receives changes from Active Directory, which includes the removal of the Bind DN user account. At this point, you can no longer log in to the service as an administrator. While you can add the Bind DN user account back, the account will no longer have administrative privileges.

Workaround: Prevent the removal of the Bind DN user account by cautiously selecting users and mapping user attributes. Also, accessing the service as soon as possible to assign several delegated administrators access to the connector reduces the chance of this issue occurring in the future.

If the Bind DN user account is unintentionally removed from the service, contact Horizon customer support.

On the Join Domain page in the Horizon connector Web Interface, using non-ascii characters in the AD Username text box might fail
The use of non-ascii characters for the Active Directory username might result in an error message about failing to join the domain

Workaround: Use ascii characters in the AD Username text box.

On the Join Domain page in the Horizon connector Web Interface, using non-ascii characters in the AD FQDN text box might fail
The use of non-ascii characters for the Active Directory domain name might result in an error message about failing to join the domain

Workaround: Use ascii characters in the AD FQDN text box.

Sync Safeguards: Next button to either Ignore/Update safeguard is not shown when the browser is in maximized view
This issue occurs when you access the connector Web Interface with the browser window maximized. If safeguard alerts are triggered, a dialog box appears displaying the alerts. When several alerts are displayed, the Next button can be pushed off the page and become inaccessible while the browser window remains maximized.

Workaround: Resize the browser window to make the next button accessible.

Resetting the connector on the Configuration page in the connector Web Interface might fail when join domain is configured
After you have configured the Join Domain page, when you click Reset on the Configuration page, the reset might fail causing an error message to appear.

Workaround: Reload the page.

On the Select Users page in the connector Web Interface, error message might reverse first and last names
When a required attribute for a user is missing, the users name appears in the View Errors tab of the Select Users page. However, the user's last name and first name are displayed in reverse order.

Workaround: This issue does not affect functionality. Supply the missing attribute in Active Directory to complete the synchronization of the user's record.

On the Windows Apps page in the Horizon connector Web Interface, using non-ascii characters in the path text box might fail
If you use non-ascii characters in the Applications Share Path text area, the attempt might fail with an ERROR_PATH_NOT_FOUND error.

Workaround: Use ascii characters in the Applications Share Path text area.

On Internet Explorer 8 in the connector Web interface, some application icons might not appear on the Windows Apps page
The name of the application appears correctly, but in specific cases the icon does not.

Workaround: This issue is only visible to administrators. It does not affect functionality and can be ignored.

Cannot access the connector Web interface using Internet Explorer 8 on Windows XP
Attempts to reach the connector login page result in an error explaining that Internet Explorer cannot display the Web page.

Workaround: Use Firefox browser on Windows XP.

The "Domain Users" and "Domain Guests" built-in Active Directory groups do not properly synchronize to the service

Workaround: Create dynamic service-based groups, configured directly in the service, which can use rules to replicate the behavior of the Domain Users or Domain Guests groups.

LDAP queries to AD from the root of the tree (in other words, with DC only or without any OU or CN elements) are not working in the Directory Sync wizard

Workaround:
Use OU or CN instead of DN or DC only to sync AD users and groups. You can specify as many OUs or CNs as necessary.

Special characters in the Horizon Connector Bind password interfere with TomCat configuration and may result in authentication errors

Workaround:
Use only alphanumeric characters in your Bind passwords.

In the Horizon Connector setup wizard, on the Select Users page, View Results tab, users are listed twice (or multiple times) in Active Directory sub-branches

Workaround:
The user appears twice (or multiple times) because the user is a member of the main branch and the sub-branch (or sub-branches) specified as your listing criteria. After pushing, each user will appear only once and your user count will be correct.

Filtering users by givenName (first name) and sn (last name) does not omit them from the Select Admin page

Workaround:
Use mail (email) or sAMAccountName (username) for filtering users on the Select Admin page.

Resolved Issues

The Resolved Issues section includes resolved issues for Horizon Connector.

Horizon Connector Resolved Issues

The following issues were resolved in the most recent Horizon Connector release.

Uploading a wildcard SSL certificate to the Horizon Connector generates a warning

Example: CN=*.orgname.certifcatename.com hostname=hc. orgname.certifcatename.comAn error message appears warning that the SSL certificate does not match the hostname.

Workaround:
Ignore the warning or do not use wildcard characters in SSL certificate name.