VMware

Horizon Application Manager 1.5 Release Notes

Application Manager 1.5 | 13 JUN 2012 | Build 734000

Connector 1.5.1 | 17 AUG 2012 | Build 800560

Horizon Agent 1.5 | 13 JUN 2012 | Build 736755

Last Document Update: 4 OCT 2012

What's in the Release Notes

The release notes cover the following topics:

What's New

Horizon Application Manager Appliance

Now offered as a VMware vSphere-based virtual appliance for on-premise, private cloud configurations. This deployment model allows for a faster time to value with both reduced deployment time and costs. This deployment model includes access to a cloud-based update service, which enables non-disruptive patching and updates.

Operator
The Operator Web interface provides management capabilities across multiple organizations/tenants. Operators are able to create, manage, and report across all organizations within the system while creating delegated, role based administrators within organizations.
Administrator
The Administrator Web interface is a single integrated, Web-based platform for user and application management, policy definition, and reporting.
User
By providing one user workspace available across all platforms, Horizon Workspace, also referred to as the User Web interface, delivers a consistent end-user experience with single sign-on across all devices to access applications. The device-aware workspace takes the guesswork out of the end-user experience, while providing federated identity management across public and private cloud applications.

On-Premise Features:

  • Provided as a virtual appliance with an installation and configuration wizard
  • Multi-Tenant support
  • Easy update and patching
  • Operator and Administrator Web interfaces to manage your Application Manager deployment
  • Clustering for scalability and reliability
  • Debugging tools
  • Internationalization support (UTF-8)

Feature Details

Scalability and High Availability
  • Supports a cluster model for scalability and failover

    • Multiple Application Manager virtual appliance instances supported in a cluster
    • Customers manage external database scale and failover
    • External database supports PostgreSQL 9.1

  • The Operator Web interface provides Application Manager virtual appliance versions and status
  • The Application Manager virtual appliance contains an embedded database for the proof-of-concept phase of deployment
Security
  • Separate administration ports and administrative controls to lock down administrative access
  • Encryption key required to attach a new Application Manager instance to the cluster
  • SSL support, and non-SSL mode available for quick trials, with console alerts to indicate that non-SSL mode is in use

Updates to On-Premise Components

Application Manager Updates

  • The Application Manager virtual appliance polls VMware updates service for updates
    • Alerts appear in the Operator Web interface when updates are available
    • Administrator downloads updates from the VMware update service

Application Manager Web Interfaces

  • The Operator Web interface provides information and management capabilities across all organizations
    • Number of users, applications, and organizations under management.
    • Ability to create and manage organizations.
    • Ability to create delegated operators to manage specific actions across Application Manager instances, such as create new tenants, etc.
    • VMware licensing which requires a valid Horizon license. License upgrades for additional license counts.
  • The Administrator Web interface provides information and management capabilities across a single organization.
    • Manage users and applications within a single organization.
    • Create Application Manager entitlement groups using rules. For example: create a sales manager group with a rule indicating that Active Directory group=Sales and user title = manager.
    • Ability to create delegated administrators that can manage specific actions within the organization. For example: created a delegated administrator who is only able to entitle new applications to a certain group of users.
    • Audit events that capture all user and administrative activity in accessing applications and managing users and groups.
    • Report around user entitlements, access, and license metering.

Debugging tool

  • Collects logs and diagnostic information and bundles the information into a tarball to be uploaded to VMware technical support

Horizon Connector

The Connector supports end-user authentication and single-sign on through Application Manager to existing directory services, profiles, and policies without making changes or disrupting existing directory architectures.

New Features

  • New Inclusion Filter for Directory Sync
  • Enabled synchronization of groups greater than 1,500 users

New Inclusion Filter for Directory Sync

The Connector now has new functionality for including specific users in the directory synchronization. Administrators can append LDAP filters that include specific user attributes in the user fetch query.

To setup the Inclusion filter, the administrator must complete these steps:

  1. Open Horizon Connector.
  2. Click Advanced > Directory Sync > Edit Directory Sync Rules > Filter Users.
  3. Edit the DN information for users, and specify an Inclusion filter.
  4. Append a semicolon to the user base DN you want to filter.

Example: The Base DN for all users in Acme Company’s Active Directory is ou=Users,DC=testDC,DC=acme,DC=com.

In this use case, the administrator wants to synchronize users in the Sales department to the Connector. The administrator edits the DN information to include the following attributes:

ou=Users,DC=testDC,DC=acme,DC=com;
(&(objectClass=user)(objectCategory=person)( department=Sales))

If an inclusion filter is not needed, the default user filter is (&(objectClass=user)(objectCategory=person)) and does not need to be used in the DN string.

The Connector administrator now has the flexibility to enable inclusion filters without having to provide numerous exclusion filters to attain the same results. Excluding users is less desirable since user exclusion occurs on the Connector.

Enabled synchronization of groups greater than 1,500 users

Retrieving the contents of a multi-valued attribute from an LDAP group, such as a distribution list, can produce a large number of returned values. LDAP servers often limit the maximum number of attribute values that you can retrieve in a single query. For example, the maximum number of attribute values for Windows 2003 AD Server is 1,500. Connector 1.5.1 implements a range of retrievals that enable you to synchronize AD groups with more than 1,500 users.

Horizon Policy Manager

In this release, Policy Manager has several new enhancements. Now, administrators can easily define policies and enable secure, controlled access for bring-your-own-device (BYOD) initiatives for end-user access by using device information.

Extension Services
Delivering APIs to enable the integration of Application Manager data into existing systems and processes enable Application Manager to extend the value of existing investments.  Easily integrate into existing workflow or reporting systems and bring the added insight from Application Manager into the organization.

New Features

  • Integration with your enterprises's licensing workflow system
    • Users request applications from the User application catalog. The request is sent for approval.
  • Users can request applications and check status in User Portal (self-service)
    • In the User catalog, application labels indicate success/denial/reason code and allow for resubmission.
  • Enforcement of per-device licensing
    • Device information, such as computer name, provided to Application Manager to check for application launch/entitlement on a specific device. Application Manager passes this to the external licensing workflow and returns with approval or denial.

User Application Catalog

In this release, the User application catalog has several new enhancements. The unified User application catalog in the User Web interface delivers a single IT view of all entitled Windows, SaaS, and Web applications across the public and private cloud. The catalog comes with an inventory of industry leading SaaS applications to streamline deployment. In addition, your IT department is able to customize the catalog to support existing enterprise, Web, and ThinApp applications by adding the new applications. Expanded support of VMware ThinApp virtualized Windows applications enables your IT department to gain control of leases and patch updates to end-users.

  • Ships with SaaS templates for major SaaS applications like Salesforce.com
    • SaaS templates provided to make it easy to set up federation (SSO).
  • Add your own SaaS App
    • Administrators can add their own SaaS applications using federation standards. UI based for easy setup and testing.
  • Application management bundles
    • SaaS applications can be exported/imported using bundles (Zip file with JSON). Helps manage applications across multiple Application Manager instances. For example, for proof-of-concept, test, and production phases of deployment.
    • Versioning support, which facilitates upgrades to new SaaS application versions.
  • SaaS provisioning adapter SDK
    • Java SDK for Partners/Integrators to create provisioning adapters.
    • Adapters are uploaded by operators.

Horizon Agent for Windows

Provides support for ThinApp Windows application delivery and synchronizing to Windows based client devices.

New Features

  • Application activate/deactivate
  • Support for application updates
  • Support domain/non-domain authentication to Horizon Agent
  • Support for streamed ThinApp packages (Non-persistent desktops)

Before You Begin

Compatibility

Browser Compatibility
Platform and browser compatibility for Application Manager (except for Kerberos-based authentication in Connector Authentication mode):

• Windows XP - Internet Explorer 8; Firefox; Safari 5; Chrome
• Windows Vista - Internet Explorer 8 and 9; Firefox
• Windows 7 – Internet Explorer 8 and 9; Firefox; Safari 5; Chrome
• Mac OS X through 10.7 – Firefox; Safari 5; Chrome
  
Currently, only Windows platforms support Application Manager for Kerberos-based authentication in Connector Authentication mode:

• Windows XP - Internet Explorer 8; Firefox; Chrome
• Windows Vista - Internet Explorer 8 and 9; Firefox
• Windows 7 – Internet Explorer 8 and 9; Firefox; Chrome

Hypervisor Compatibility
The Connector virtual appliance and the Application Manager on-premise virtual appliances are supported on vSphere 4.0 and later.

Upgrading Connector 1.3/1.5 to 1.5.1

You can upgrade to Connector 1.5.1 from version 1.3/1.5.

  1. Login to the existing Connector 1.3/1.5, and export the connector configuration file.
    1. Click Advanced > Configuration > Export.
    2. Download the exported configuration file.
  2. Capture the network configuration of the existing Connector 1.3/1.5, including the following information:
    1. IP address
    2. Hostname
    3. DNS server entry details
  3. Download and deploy the new Connector 1.5.1 virtual appliance on your vSphere system.
  4. Shut down the existing Connector 1.3/1.5.
  5. From Connector 1.5.1, click Configure > Configure Network.
  6. Type the IP address, hostname, and DNS server entries you used in step 2.
  7. After you configure the network, open the Configuration page for Connector 1.5.1 using the URL: https://<your-1.5.1-connector>:8443/admin/config.
  8. Import the configuration file for Connector 1.3/1.5 by clicking Import.
  9. Open Connector 1.5.1.
  10. Click Advanced > External Access.
  11. Click Generate new SSL Certificate,  and click Save.
  12. If needed, include intermediate SSL certificates signed by a trusted certificate authority on Connector. See instructions in the Horizon Connector Administrator’s Guide to install an intermediate certificate authority.
  13. Restart Connector 1.5.1, and verify that the authentication, application launch, and basic end-to-end flow is functioning.

Upgrading Horizon Agent 1.0 to 1.5

You can upgrade Horizon Agent 1.0 to 1.5.

  1. Uninstall Horizon Agent 1.0.
  2. On the Agent host, delete the ThinAgentLease.db file.
    The ThinAgentLease.db file is a hidden file. Therefore you might need to adjust your Windows system to view hidden files.
    The location of the ThinAgentLease.db file differs according to the Windows version as follows:
    • Windows XP: C:\Documents and Settings\LocalService\ThinAgentLease.db
    • Windows 7 32-bit: %windir%\System32\config\systemprofile\ThinAgentLease.db
    • Win 7 64-bit: %windir%\SysWOW64\config\systemprofile\ThinAgentLease.db
  3. Install Horizon Agent 1.5.
  4. Restart the Horizon Agent.

Deleting a ThinApp Package from Application Manager

If you want to permanently remove a ThinApp package from Application Manager, implement the steps that follow.

  1. Delete the ThinApp package subfolder from the Windows application network file share.
  2. Delete the application from Application Manager.
    1. Log in to Application Manager as an administrator and navigate to Admin > Applications.
    2. Click the icon of the application (ThinApp package) you want to delete.
    3. Click Edit in the Application Info section.
    4. Click Delete this Application and verify that you want to delete the application.
  3. Use the Connector virtual appliance interface to issue commands to remove the ThinApp database.
    1. Select Login and Log in to the underlying Linux operating system of the Connector virtual appliance.
    2. Issue the following command to stop the ThinApp service:
      /opt/likewise/bin/lwsm stop thinapprepo
    3. Issue the following command to delete the ThinApp database:
      rm /var/lib/vmware/tam/repo/repodb
    4. Issue the following command to restart the ThinApp service:
      /opt/likewise/bin/lwsm start thinapprepo

Documentation

Application Manager documentation is applicable for the Connector, Application Manager, and Horizon Agent. See the Application Manager Landing Page.

Known Issues

The Known Issues section includes known issues for Application Manager, the Connector, and Horizon Agent.

Application Manager Known Issues

The known Application Manager issues added in the most recent release are marked with the * symbol. Other known issues have been carried forward from previous releases.

  • When the Application Manager virtual appliance reboots, all Application Manager Web pages are blank*

    This behavior has occasionally been observed after reboot. Regardless of the Application Manager URLs you use, the Web pages appear with no content and the Web server log file: /opt/vmware/horizon/horizoninstance/logs/horizon.log contains an error message similar to the following:

    13 Jun 2012 18:01:32,181 [com.vmware.horizon.startup.ContextListener] (main) (ContextListener:1) ERROR: caught exception while configuring application: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'liquibase' defined in class path resource [spring/datastore-wireup.xml]: Invocation of init method failed; nested exception is liquibase.exception.DatabaseException: org.postgresql.util.PSQLException: Connection refused. Check that the hostname and port are correct and that the postmaster is accepting TCP/IP connections.
    org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'liquibase' defined in class path resource [spring/datastore-wireup.xml]: Invocation of init method failed; nested exception is liquibase.exception.DatabaseException: org.postgresql.util.PSQLException: Connection refused. Check that the hostname and port are correct and that the postmaster is accepting TCP/IP connections.


    Workaround: Restart the Apache Tomcat server.
    1. In the Application Manager virtual appliance interface, select Configure.
    2. Type the number to Manage Web Server.
    3. Type the number to Restart Tomcat.
  • Extended attributes might not appear on some Administrator Web interface pages*
    Although you create extended attributes in the Connector Web interface, they might not appear in the various drop-down menus in the Administrator Web interface that should list the attributes.

    Workaround: If you do not see a previously added extended attribute on an Administrator Web interface page, manually enter the name of the attribute.
  • Application Manager Web interfaces might display content improperly with Internet Explorer 8 and 9*
    The Operator, Administrator, and User Web interfaces of Application Manager improperly display content when the Browser Mode and Document Mode settings of Internet Explorer do not match the Internet Explorer version.

    Workaround: In Internet Explorer 8 or 9, go to Tools > Developer Tools to change the applicable settings, if necessary.
    • For Internet Explorer 8, confirm that Browser Mode and Document Mode are both set to IE8.
    • For Internet Explorer 9, confirm that Browser Mode and Document Mode are both set to IE9.
  • Denying a request for license deactivation fails and Application Manager throws an exception*
    If a request to deactivate a license is denied during your external license workflow process, Application Manager throws an exception and continues to deactivate the license.

    Workaround: As part of your external license workflow, always allow requests for deactivation of a license.
  • You cannot add applications to the temporary administrator on the Applications tab*
    You cannot use the Application tab to add an application to the temporary administrator because the temporary administrator does not appear in that specific list.

    Workaround: Use the Users & Groups tab to select the temporary administrator. Then, add applications.
  • In the Operator Web interface, the Return to Operator Dashboard tab link sometimes redirects you to the wrong page*
    Clicking the Return to Operator Dashboard tab link sometimes redirects you to the Settings tab instead of the Dashboard tab.

    Workaround: Click Operator in the upper left corner to be redirected to the dashboard.
  • Renaming an application in Application Manager does not always take effect
    After you rename an application, the former application name might appear instead of the new name.

    Workaround: Be aware of this issue and search for the former application name if necessary.
  • On the Edit Group Rules page, the autocomplete function does not work consistently with non-ascii characters*

    Workaround: Continue typing the entry with non-ascii characters until the autocomplete function responds or you have finished typing the entry.

Connector Known Issues

The known Connector issues added in the most recent release are marked with the * symbol. Other known issues have been carried forward from previous releases.

  • The Connector cannot reach the Internet if an outbound HTTP proxy server exists on the path*

    Workaround: If you want to allow outbound Internet access from the Connector, do not allow a proxy server to be installed on the path between the Connector and the Internet.
  • When you use the hostname in the Connector Address text box of the SecurID page, the information is not saved
    The RSA authentication agent, which in this situation is the Connector, relies on InetAdress.getLocalHost() in Java. If that call returns 127.0.0.1 or another dummy or loopback address, what transpires between the Connector and the RSA SecurID server is unclear. This issue is due to an RSA agent known issue (see RSA release notes), and can occur even when DNS works properly and hostnames are resolved.

    Workaround: Use an IP address in the Connector Address text box instead of a hostname. If you want to use the hostname, you must override the IP address on the Connector in the /etc/hosts file, and then clear the node secret.
  • When users abort the setup of an RSA SecurID token but try again soon after, their PIN can be set inaccurately
    While setting up their RSA SecurID token, if users cancel the attempt or allow it to time out, upon return they can complete the token setup. However, the passcode the user entered on the previous page might be set as the new PIN.

    Workaround: Inform users not to abort the RSA SecurID token setup.
  • On the Directory page in the Connector Web Interface, using non-ascii characters in the Server Host text box might fail
    The use of non-ascii characters for the Active Directory hostname might result in an error message about not resolving DNS.

    Workaround: Use ascii characters in the Server Host text box.
  • The Connector does not warn you when a new Active Directory group has the same name as an existing Horizon group
    When you create an Active Directory group with a name that exactly matches an existing Horizon group name, the new group does not get pushed to Application Manager. To not override the existing group is appropriate behavior. However, no alert is sent to explain the situation.

    Workaround: Ensure that you do not create duplicate group names.
  • The Join Domain page in the Connector Web Interface implies that the password is stored
    After you click Join Domain, the AD Password text box remains populated with what appears to be a hidden password. However, the password is not stored on the Connector.

    Workaround: Ignore the fact that the AD Password text box remains populated after you have joined the domain.
  • The Connector allows you to remove the Bind DN user account that has administrative access to Application Manager
    Initially, only the user associated with the Bind DN user account has administrative access to Application Manager.

    The following actions can result in you unintentionally removing the Bind DN user account from Application Manager:
    • You can filter out the Bind DN user account in the Connector when you select users
    • You can make the Bind DN user account invalid for directory synchronization by making a user attribute a required attribute while the Bind DN user account does not have that attribute

    At the next directory synchronization, following one of the preceding actions, Application Manager receives changes from Active Directory, which includes the removal of the Bind DN user account. At this point, you can no longer log in to Application Manager as an administrator. While you can add the Bind DN user account back, the account will no longer have administrative privileges.

    Workaround: Prevent the removal of the Bind DN user account by cautiously selecting users and mapping user attributes. Also, accessing Application Manager as soon as possible to assign several delegated administrators access to the Connector reduces the chance of this issue occurring in the future.

    If the Bind DN user account is unintentionally removed from Application Manager, contact Horizon customer support.
  • On the Join Domain page in the Connector Web Interface, using non-ascii characters in the AD Username text box might fail
    The use of non-ascii characters for the Active Directory username might result in an error message about failing to join the domain

    Workaround: Use ascii characters in the AD Username text box.
  • On the Join Domain page in the Connector Web Interface, using non-ascii characters in the AD FQDN text box might fail
    The use of non-ascii characters for the Active Directory domain name might result in an error message about failing to join the domain

    Workaround: Use ascii characters in the AD FQDN text box.
  • Sync Safeguards: Next button to either Ignore/Update safeguard is not shown when the browser is in maximized view
    This issue occurs when you access the Connector Web Interface with the browser window maximized. If safeguard alerts are triggered, a dialog box appears displaying the alerts. When several alerts are displayed, the Next button can be pushed off the page and become inaccessible while the browser window remains maximized.

    Workaround: Resize the browser window to make the next button accessible.
  • Resetting the Connector on the Configuration page in the Connector Web Interface might fail when join domain is configured
    After you have configured the Join Domain page, when you click Reset on the Configuration page, the reset might fail causing an error message to appear.

    Workaround: Reload the page.
  • On the Select Users page in the Connector Web Interface, error message might reverse first and last names
    When a required attribute for a user is missing, the users name appears in the View Errors tab of the Select Users page. However, the user's last name and first name are displayed in reverse order.

    Workaround: This issue does not affect functionality. Supply the missing attribute in Active Directory to complete the synchronization of the user's record.
  • On the Windows Apps page in the Connector Web Interface, using non-ascii characters in the path text box might fail
    If you use non-ascii characters in the Applications Share Path text area, the attempt might fail with an ERROR_PATH_NOT_FOUND error.

    Workaround: Use ascii characters in the Applications Share Path text area.
  • On Internet Explorer 8 in the Connector Web interface, some application icons might not appear on the Windows Apps page
    The name of the application appears correctly, but in specific cases the icon does not.

    Workaround: This issue is only visible to administrators. It does not affect functionality and can be ignored.
  • Cannot access the Connector Web interface using Internet Explorer 8 on Windows XP
    Attempts to reach the Connector login page result in an error explaining that Internet Explorer cannot display the Web page.

    Workaround: Use Firefox browser on Windows XP.
  • The "Domain Users" and "Domain Guests" built-in Active Directory groups do not properly synchronize to Application Manager

    Workaround: Create dynamic Application Manager-based groups, configured directly in Application Manager, which can use rules to replicate the behavior of the Domain Users or Domain Guests groups.
  • LDAP queries to AD from the root of the tree (in other words, with DC only or without any OU or CN elements) are not working in the Directory Sync wizard

    Workaround:
    Use OU or CN instead of DN or DC only to sync AD users and groups. You can specify as many OUs or CNs as necessary.
  • In the Connector setup wizard, on the Select Users page, View Results tab, users are listed twice (or multiple times) in Active Directory sub-branches

    Workaround:
    The user appears twice (or multiple times) because the user is a member of the main branch and the sub-branch (or sub-branches) specified as your listing criteria. After pushing, each user will appear only once and your user count will be correct.
  • Filtering users by givenName (first name) and sn (last name) does not omit them from the Select Admin page

    Workaround:
    Use mail (email) or sAMAccountName (username) for filtering users on the Select Admin page.

Horizon Agent Known Issues

  • The Horizon Agent uninstaller does not uninstall the ThinApp shortcuts or the Horizon folder from the desktop

    Workaround:
    Manually delete the folder and shortcuts.