VMware Horizon 8 2209

Print Friendly, PDF & Email

What’s New

VMware Horizon 8 version 2209 includes the following new features and enhancements. This information is grouped by installable component.

Security improvements were made in the following components to enable Horizon 8 2209 to be Common Criteria certified. Note that Horizon 2209 is currently going through certification testing and should not be considered certified until the process is completed. The Common Criteria certification is an evaluation of Commercial Off-The-Shelf (COTS) Information Technology (IT) products for conformance to the international Common Criteria. 

  • Windows Agent (must be in FIPS mode)
  • Linux Agent (must be in FIPS mode)
  • Windows Client (must be in FIPS mode)
  • Android Client (must be in Common Criteria mode)
  • Blast Secure Gateway (must be in FIPS mode)
  • Horizon Server (must be in FIPS mode)

Version numbering is based on the planned year and the month of the release. The actual release date can vary based on business needs and engineering schedule changes to address critical customer requirements.

  • Horizon Agent for Linux
    • This release adds support for the following Linux distributions.
      • Red Hat Enterprise Linux (RHEL) Workstation 9.0
      • Red Hat Enterprise Linux (RHEL) Server 9.0 and 8.4
    • Beginning with this release, the following Linux distributions are no longer supported.
      • RHEL Server 8.5
    • You can now install Horizon Agent on Linux virtual machines deployed in a vSphere 8.0 environment.
    • This release supports the use of Linux desktops and multi-session hosts in an IPv6 environment. Use the --ipv6 command-line option to install Horizon Agent with IPv6 support. The Subnet6 option in the /etc/vmware/viewagent-custom.conf configuration file lets you specify the IPv6 subnet of the Linux machine.
    • Linux desktops use the new VMware display manager and VMware greeter, instead of Gnome Display Manager (GDM) and X Display Manager Control Protocol (XDMCP), to control the login and launch of user sessions. The VMware display manager improves launch performance and eliminates problems with SSO that occurred previously from the dependency on GDM.
    • Smart card redirection now works with all versions of PC/SC Lite. The /etc/vmware/config file includes two new options, pcscd.maxReaderContext and pcscd.readBody, that let you configure reader context and message reading settings if you use a custom-built PC/SC Lite library.
    • This release supports smart card single sign-on (SSO). Smart card SSO enables users to launch desktop sessions automatically without entering their smart card credentials.
    • A new configuration file, /etc/vmware/viewagent-greeter.conf, allows you to configure the behavior of the VMware greeter in cases where True SSO or smart card SSO fails. The file also contains the PKCS #11 settings required for smart card SSO.
  • Virtual Desktops
    • Horizon 8 VDI use cases are now supported on Amazon WorkSpaces.
    • The Refresh Interval GPO setting allows you to specify the interval, in seconds, that the watermark is refreshed. This makes the time shown in the watermark more accurate.
    • Depending on how you want your golden image to be managed, you can change the source of the virtual machine template by editing the pool.  You can edit an instant-clone desktop pool to change the virtual machine template source from vCenter to Image Catalog or reverse. You can edit a full-clone desktop pool or farm to change the golden image and snapshot from vCenter to Image Catalog or reverse.
  • Horizon Connection Server
    • Alert mechanism for Forensics Select Hold feature The hold and release APIs for the forensics select hold feature have been enhanced to include the machine state for all desktops assigned to a held user. In addition, a new environment variable has been added to identify whether the user is a held user so that an administrator can trigger data collection scripts when a held user logs on to a desktop.
    • Network enhancements for instant clone pools and farms Networks displayed during the create instant clone pool or farm workflow are now filtered based on the network type of the network configured in the snapshot’s preferred network adapter (Network Adapter 1 while the snapshot was taken).
    • TrueSSO Trigger Mode has been added to the SAML 2.0 tab under Other Components in the System Health dashboard (Monitor > Dashboard).
    • The new Enable Host Redirection setting sets the load balancer name and enable HTTP host redirection capability. When an HTTP request from a load balancer host reaches the Connection Server, the Connection Server responds with an external HTTP redirection URL. For subsequent requests, the Horizon Client directly connects to the Connection Server using the external URL, thereby minimizing misroutes that might occur at the load balancer.
    • Pre-login message now requires administrator to acknowledge the message before proceeding to login.
    • Encoder Name has been added to User Experience Metrics dashboard.
    • View Unrecognized Session Count was added to the Connection Servers and Gateway Servers tabs in the System Health dashboard (Monitor > Dashboard) in the Admin Console. This allows administrators to troubleshoot random disconnections of end user sessions due to unrecognized requests received either at UAG or at the Connection Server.
  • Horizon Agent
    • Firewall logs are now included in the Horizon Agent log bundle that you generate on the Horizon Console.
    • Microsoft Teams Optimization is now supported on M1-based Macs in addition to Intel processors.
    • You can now install Horizon Agent on Windows virtual machines deployed in a vSphere 8.0 environment.
    • The UNC Path Redirection feature supports redirection from a remote desktop or published application to a client, and from a client to a remote desktop or published application.
  • Horizon ClientFor information about new features in a Horizon client, including HTML Access, see the release notes for that Horizon client.
  • General
    • vSphere 6.5/6.7 reached End of Support on 15th October 2022. Horizon 2209 is therefore not generally supported on vSphere 6.5/6.7. Support is limited to Horizon 2209 Connection Server running on and managing workloads on vSphere 6.5/6.7 during an upgrade window. After upgrading to Horizon 2209 Connection Server, upgrade vSphere 6.5/6.7 to a supported vSphere version before upgrading other Horizon components. See Horizon Installation and Upgrade for details.

Horizon API

For the latest set of Horizon APIs, see the VMware Horizon API and navigate to the current release in the drop down.  Click on the Documentation tab for more details and examples on how to use the API.

Horizon Cloud Connector

Applicable to customers with VMware Horizon Universal Subscription, Horizon Enterprise Plus Subscription, Horizon Standard Plus Subscription, Horizon Apps Universal Subscription, or Horizon Apps Standard Subscription.

The Horizon Cloud Connector virtual appliance is a required component for VMware Horizon to support the management of Horizon pods using Horizon Cloud Service.

Horizon Deployed on VMware Cloud on AWS

For a list of VMware Horizon features supported on VMware Cloud on AWS, see VMware Knowledge Base article 58539.

Horizon Deployed on Azure VMware Solution

You can select Azure as an installation option to deploy Horizon on Azure VMware Solution (AVS). See Deploying VMware Horizon 8 on Azure VMware Solution.

Horizon Deployed on Google Cloud VMware Engine

For a list of VMware Horizon 8 features supported on GCVE, see VMware Knowledge Base article 81922.

Horizon Deployed on Oracle Cloud VMware Solution

For a list of VMware Horizon 8 features supported on OCVS, see VMware Knowledge Base article 88202.

Before You Begin

  • Microsoft Internet Explorer no longer supported for Horizon Console As Horizon Console is migrating to VMware clarity widgets which do not support Internet Explorer, we have removed Internet Explorer from the list of supported browsers for Horizon Console.
  • Important note about installing VMware Tools If you plan to install a version of VMware Tools downloaded from VMware Product Downloads, rather than the default version provided with vSphere, make sure that the VMware Tools version is supported. To determine which VMware Tools versions are supported, go to the VMware Product Interoperability Matrix. (Supported versions: 11.1.0, 11.0.6, 10.3.22, 10.3.21). There are also performance issues with the 11.x versions of VMware Tools. For more information, see VMware Knowledge Base article 78434.
  • For supported upgrade paths, see the VMware Product Interoperability Matrix.
  • If you intend to upgrade a pre-6.2 installation of VMware Horizon and the Connection Server uses the self-signed certificate that was installed by default, you must remove the existing self-signed certificate before you perform the upgrade. Connections might not work if the existing self-signed certificates remain in place. During an upgrade, the installer does not replace any existing certificate. Removing the old self-signed certificate ensures that a new certificate is installed. The self-signed certificate in this release has a longer RSA key (2048 bits instead of 1024) and a stronger signature (SHA-256 with RSA instead of SHA-1 with RSA) than in pre-6.2 releases. Note that self-signed certificates are insecure and should be replaced by CA-signed certificates as soon as possible, and that SHA-1 certificates are no longer considered secure and should be replaced by SHA-2 certificates. Do not remove CA-signed certificates that were installed for production use, as recommended by VMware. CA-signed certificates will continue to work after you upgrade to this release.
  • Downgrading Connection Server instances is not supported. To revert to a previous version after an upgrade, restore from backup. For more information, see Create a Replicated Group After Reverting Connection Server to a Snapshot.
  • VMware Horizon uses only TLSv1.1 and TLSv1.2. TLSv1.1 is disabled by default. In FIPS mode, it uses only TLSv1.2. You might not be able to connect to vSphere unless you apply vSphere patches.
  • It is possible that the ordering of cipher suites can be enforced by Connection Server. For more information, see Horizon Security.
  • Connection Server must be able to communicate on port 32111 with other Connection Servers in the same pod. If this traffic is blocked during installation or upgrade, installation will not succeed.
  • TLS handshakes on port 443 must complete within 10 seconds, or within 100 seconds if smart card authentication is enabled. In previous releases of VMware Horizon, TLS handshakes on port 443 were allowed 100 seconds to complete in all situations. You can adjust the time for TLS handshakes on port 443 by setting the configuration property handshakeLifetime. Optionally, the client that is responsible for an over-running TLS handshake can be automatically added to a blacklist. New connections from blacklisted clients are delayed for a configurable period before being processed so that connections from other clients take priority. You can enable this feature by setting the configuration property secureHandshakeDelay. For more information about setting configuration properties, see Horizon Security.
  • If you have FIPS mode enabled in a cloud pod architecture consisting of non-homogenous pods, that is, pods at different versions, Horizon 7.10.3 pods do not work with a pod running Horizon 7.12 or later. To upgrade 7.10.3 to a later version, first upgrade to a patched 7.10.3 that is fully backward and forward compatible with other versions. Contact VMware Customer Connect on how to obtain the patch.
  • When you deploy an instant clone as a RDS host, do not reboot the RDS host directly from within the Windows Server OS. Instead, refresh the instant clone VM using the push image workflow.
  • In VMware Horizon, internal validation checks determine if the instant clone and internal template have valid IP addresses and a network connection. If a virtual machine has a NIC that cannot be assigned an IP address during provisioning, instant-clone provisioning fails. The forwarding rules for HTTP requests received by Connection Server instances have changed at this release. If you have defined custom frontMapping entries in locked.properties, you should remove them before upgrading. If you wish to disallow administrator connections to certain Connection Server instances, then instead of defining custom frontMapping entries, add this entry to locked.properties: frontServiceWhitelist = tunnel|ajp:broker|ajp:portal|ajp:misc|moved:*|file:docroot
  • In VMware Horizon, the viewDBChk tool will not have access to vCenter credentials and will prompt for this information when needed.
  • Microsoft Windows Server requires a dynamic range of ports to be open between all Connection Servers in the VMware Horizon environment. These ports are required by Microsoft Windows for the normal operation of Remote Procedure Call (RPC) and Active Directory replication. For more information about the dynamic range of ports, see the Microsoft Windows Server documentation.
  • Screen DMA is disabled by default in virtual machines that are created in vSphere 6.0 and later. VMware Horizon requires screen DMA to be enabled. If screen DMA is disabled, users see a black screen when they connect to the remote desktop. When VMware Horizon provisions a desktop pool, it automatically enables screen DMA for all vCenter Server-managed virtual machines in the pool. However, if Horizon Agent is installed in a virtual machine in unmanaged mode (VDM_VC_MANAGED_AGENT=0), screen DMA is not enabled. For information about manually enabling screen DMA, see VMware Knowledge Base (KB) article 2144475.
  • To use View Storage Accelerator in a vSphere environment, a desktop virtual machine must be 512GB or smaller. View Storage Accelerator is disabled on virtual machines that are larger than 512GB. Virtual machine size is defined by the total VMDK capacity. For example, one VMDK file might be 512GB or a set of VMDK files might total 512GB. This requirement also applies to virtual machines that were created in an earlier vSphere release and upgraded to vSphere 5.5.
  • The Global Policy, Multimedia redirection (MMR), defaults to Deny. To use MMR, you must open Horizon Console, edit Global Policies, and explicitly set this value to Allow. To control access to MMR, you can enable or disable the Multimedia redirection (MMR) policy globally or for an individual pool or user. Multimedia Redirection (MMR) data is sent across the network without application-based encryption and might contain sensitive data, depending on the content being redirected. To ensure that this data cannot be monitored on the network, use MMR only on a secure network.
  • The USB Redirection setup option in the Horizon Agent installer is deselected by default. You must select this option to install the USB redirection feature. For guidance on using USB redirection securely, see Deploying USB Devices in a Secure VMware Horizon Environment.
  • For information on security considerations and disallowing inter-virtual machine transparent page sharing, see VMware KB article 2080735.
  • If a PCoIP Secure Gateway (PSG) has been deployed for PCoIP connections, zero client firmware must be version 4.0 or later.
  • RC4, SSLv3, TLSv1.0 and TLSv1.1 are disabled by default in VMware Horizon components, in accordance with RFC 7465, “Prohibiting RC4 Cipher Suites,” RFC 7568, “Deprecating Secure Sockets Layer Version 3.0,” PCI-DSS 3.1, “Payment Card Industry (PCI) Data Security Standard”, and SP800-52r1, “Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations.” If you need to re-enable RC4, SSLv3, TLSv1.0 or TLSv1.1 on a Connection Server or Horizon Agent machine, see Older Protocols and Ciphers Disabled in View.
  • VMware Horizon uses version m86 of Microsoft WebRTC source code.