2. Choose the Windows authentication radio button.
3. Select the Default database for App Volumes Manager if it was already created. You can assign it later after creating the database if needed.
4. Select the Default language
Do not click OK!
On the Server Roles page, choose the sysadmin checkbox to grant the role to the user. Don’t click OK, yet.
On the User Mapping page, Choose the checkbox next to the database being mapped to the user (computer) account (assuming the database has already been created).
Click OK.
Verify the computer account is added to the list of logins.
I will start out this post to mention that if you try to install App Volumes 4 and are stuck on the SQL database portion trying to get Windows Integrated Authentication (WIA) working, you are not alone. I have spent countless hours troubleshooting this and looking for documentation. Documentation seems to be almost non-existent regarding the database requirements, besides which version to use, but nothing specific on database settings or user/computer/other authentication settings. It is very frustrating.
I am going to assume that you have some level of technical proficiency if you are this far along in your journey and will not add mundane details like how to mount an ISO or what buttons to click unless following a particular workflow and feel the details are absolutely necessary. Let’s get started…
Check the I accept the terms in the License Agreement checkbox (you did read all that, right?) and Click Next.
Choose the Install App Volumes Manager radio button since we are installing the App Volumes Manager. Click Next.
Not Shown! – You may be presented with a Windows User Account Control (UAC) prompt. Move past this accordingly. The installation up to this point has been a bootstrap of sorts. The next screens will do the actual Manager installation.
Déjà vu? Groundhog Day? Now we proceed with the actual installation of App Volumes Manager. Click Next.
Choose the Connect to an existing SQL Server Database radio button. Click Next.
There is a lot going on at this step. If you read the beginning of this post and followed the two additional articles provided, you should not have any trouble using Windows Integrated Authentication here. To quickly recap:
Your MS SQL server and App Volumes Manager servers can resolve DNS forward and reverse lookup records
Your MS SQL server has a TLS certificate in the local machine certificate store
The user running your MS SQL service has been provided access to the MS SQL server’s private key
The MS SQL server has been configured to use the machine’s TLS certificate
Choose the Windows Integrated Authentication radio button.
Click the Browse… button. If your authentication works properly, this is a good test as it will either show you the databases or it will present you an error.
Choose the database specified for use with App Volumes and click Next.
4. Check the Enable SQL Server certificate validation checkbox.
Click Next.
Almost there, if you are to this point, the hardest part of the installation is over! Leave the default ports unless you like to complicate your life. Click Next.
Optional: Change the installation location if necessary.
Click Next.
Click Install. Take a break! The installer will need a few minutes to install the software.
Confirm that the Wizard completed successfully. See Troubleshooting section below if you did not have a successful installation.
Click Finish.
You have completed the install, but there are some prerequisite steps to take to make the configuration easier and work the first time. Check out the article here: Installing VMware App Volumes 4 Manager – Part 2.
Troubleshooting
Be sure to read the finished dialog! You may receive the following, reporting that the Wizard ended prematurely. You will have to open up the logs and investigate; navigate to your installation directory and look at the logs. The issue that generated the following screenshot for me was either a self-signed certificate issue or a SQL Server issue because I didn’t add the App Volumes Manager server login to the MS SQL server and assign it to the App Volumes database (see below for specific error message and how to fix). Delete the Cloud Volumes directory and try the installation again.
From the inst_ruby_script.log file, you see the following:
E, [2020-11-19T11:43:30.666302 #3196] ERROR -- : ERROR: 28000 (18456) [Microsoft][ODBC Driver 17 for SQL Server][SQL Server]Login failed for user 'AARONROMBAUT\APP-001V$'.
E, [2020-11-19T11:43:30.666571 #3196] ERROR -- : ["script/odbc_driver_validator.rb:145:in drvconnect'", "script/odbc_driver_validator.rb:145:inconnect_using_conn_string'", "script/odbc_driver_validator.rb:34:in odbc_connection'", "script/odbc_driver_validator.rb:76:invalidate_conn_and_version'", "script/odbc_driver_validator.rb:183:in <encoded>'", "script/odbc_driver_validator.rb:2:inRGLoader_load'", "script/odbc_driver_validator.rb:2:in `
'"]
Unable to connect to SQLServer. Exiting with status -1.
$VIRoleName = "View Manager Role"
$VIRolePrivileges = @(`
# Folder
'Create Folder', 'Delete Folder',`
# Datastore
'Allocate space',`
# Virtual Machine - Configuration
'Add or remove device', 'Advanced configuration', 'Modify device settings',`
# Virtual Machine - Interaction
'Power off', 'Power on', 'Reset', 'Suspend', 'Perform wipe or shrink operations',`
# Virtual Machine - Inventory
'Create new', 'Create from existing', 'Remove',`
# Virtual Machine - Provisioning
'Customize guest', 'Deploy template', 'Read customization specifications', 'Clone template', 'Clone Virtual Machine',`
# Resource
'Assign virtual machine to resource pool',`
# Global
'Act as vCenter Server',`
# Host
'Advanced settings',`
# Profile-driven Storage
'Profile-driven storage view', 'Profile-driven storage update'
)
try {
# Get list of current Roles
$VIRoles = Get-VIRole
# Check if Role exists
foreach($VIRole in $VIRoles) {
if ($VIRole.Name -like $VIRoleName) {
# Role exists
exit
}
}
# Assume the Role does not exist
# Create the new Role
New-VIRole -Name $VIRoleName
# Add the Privileges to the Role
foreach($VIRolePrivilege in $VIRolePrivileges) {
Set-VIRole -Role $VIRoleName -AddPrivilege $VIRolePrivilege
}
} catch {
}
Copy and paste the contents above to a new PowerShell file. This script will check if the given Role exists and exit or it will create the Role and add the Privileges. This script will not check the current assigned Privileges if the Role exists.
4. Open Sql Server Configuration Manager. Right-click Protocols for <INSTANCE-NAME>, choose Properties.
5. Click on the Certificate tab.
6. Choose the machine certificate you added earlier, click OK.
7. Back on the Sql Server Configuration Manager window, double-click TCP/IP.
8. Ensure the following settings:
9. Check the Active, Enabled, IP Address, and TCP Port settings. Modify as necessary and click OK. If you do make any modifications, be sure to restart the SQL service.
Creating the VMware Horizon Database and User
Open Microsoft SQL Server Management Studio.
Ensure the SQL server authentication is set to SQL Server and Windows Authentication mode. VMware Horizon does not use Integrated Windows Authentication. (https://docs.vmware.com/en/VMware-Horizon-7/7.12/horizon-installation/GUID-1360BFDF-9F90-47FD-8B6C-E842CF951A53.html)
3. Right-click Databases and choose New Database…
4. Fill in the Database name with a meaningful name. Click OK.
5. Expand Security and Right-click Logins.
6. On the General page, fill in the Login name with a meaningful name. Also choose a password and uncheckEnforce password policy unless you use a strong password. Change the Default database and Default language accordingly.
7. On the Server Roles page, check the sysadmin role.
8. On the User Mapping page, check the database name you created earlier. Click OK.
Configure the Event Database on Horizon View Connection Server
You are also going to need the ovftool that can be downloaded from https://code.vmware.com/web/tool/4.4.0/ovf. In this post, we are going to need the newest version, 4.4.1. Make sure you have installed the ovftool on your Windows machine you are going to deploy from. Also, ensure you can access ovftool from the command line. You may have to add this to the System PATH.
Optionally, you can use an Integrated Development Environment (IDE) of your choice. For this post, I am going to use Visual Studio Code, available at https://code.visualstudio.com/download.
I have TLS certificates from Let’s Encrypt, so I am going to deploy with them as well. For me, this is how I have created my directory structure.
certs – contains all of my TLS certificates needed
ova – contains the ova I am going to deploy
uag-001v_setting.ini – this is the settings file I use for one of my Unified Access Gateways (UAG). You would need one per UAG you want to deploy.
uagdeploy.ps1 – PowerShell script included in the PowerShell scripts zip
uagdeploy.psm1 – PowerShell module included in the PowerShell scripts zip
The following is my uag-001v_settings.ini file. You can get the “barebones” file after deploying and configuring at least one UAG in vSphere. Then you can export the settings and modify as necessary.
[General]
eth0ErrorMsg={"netmask":"SUCCESS","ip":"SUCCESS","defaultGateway":"SUCCESS"}
#netInternet: Portgroup used in vSphere for Internet/DMZ facing interface
netInternet=DMZ
#ip0: IP address for the netInternet interface
ip0=10.10.10.30
diskMode=
#source: The location of the OVA to deploy
source=.\ova\euc-unified-access-gateway-fips-20.09.0.0-16949983_OVF10.ova
#ip1: IP address for the internal interface
ip1=192.168.92.30
#defaultGateway: IP address for the gateway on the netInternet interface
defaultGateway=10.10.10.1
#target: User ([email protected]),
#target: vCenter(vcenter.aaronrombaut.com),
#target: host location (/Datacenter/host/Cluster/vmh-001p.aaronrombaut.com)
target=vi://[email protected]:[email protected]/Datacenter/host/Cluster/vmh-001p.aaronrombaut.com
#ds: Datastore to install to
ds=Synology-LUN01
netmask0=255.255.255.0
#netManagementNetwork= Portgroup used in vSphere
netManagementNetwork=LAN
#netBackendNetwork: Portgroup used in vSphere
netBackendNetwork=LAN
ip0AllocationMode=STATICV4
#name: Name of the Unified Access Gateway appliance
name=uag-001v
deploymentOption=twonic
ip1AllocationMode=STATICV4
netmask1=255.255.255.0
authenticationTimeout=300000
fipsEnabled=true
sysLogType=UDP
uagName=uag-001v
clockSkewTolerance=600
locale=en_US
tls12Enabled=true
tls13Enabled=false
ipMode=STATICV4
requestTimeoutMsec=10000
ipModeforNIC2=STATICV4
tls11Enabled=false
clientConnectionIdleTimeout=360
tls10Enabled=false
adminCertRolledBack=false
cookiesToBeCached=none
enableHTTPHealthMonitor=false
snmpEnabled=false
maxSystemCPUAllowed=100
healthCheckUrl=/favicon.ico
quiesceMode=false
#dns: The Domain Name System server in use
dns=192.168.92.10
isTLS13SetByUser=false
isCiphersSetByUser=false
tlsPortSharingEnabled=true
ceipEnabled=false
bodyReceiveTimeoutMsec=15000
monitorInterval=60
maxConnectionsAllowedPerSession=16
cipherSuites=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
adminPasswordExpirationDays=90
httpConnectionTimeout=120
#dnsSearch: The domain name to use in queries
dnsSearch=aaronrombaut.com
isTLS11SetByUser=false
sessionTimeout=36000000
syslogSystemMessagesEnabled=false
ssl30Enabled=false
#ntpServers: Servers for providing time in the infrastructure
ntpServers=time.cloudflare.com
#sshEnabled: Leave this blank to NOT enable ssh which is recommended in Production
sshEnabled=
[Horizon]
#proxyDestinationUrl: URL for the VMware Horizon Connection Server
proxyDestinationUrl=https://hzn7cs-001v.aaronrombaut.com
disableHtmlAccess=false
rewriteOriginHeader=false
healthCheckUrl=/favicon.ico
proxyDestinationIPSupport=IPV4
queryBrokerInterval=300
matchWindowsUserName=false
windowsSSOEnabled=false
pcoipDisableLegacyCertificate=false
gatewayLocation=External
securityHeaders={"X-Frame-Options":"SAMEORIGIN","Strict-Transport-Security":"max-age=63072000; includeSubdomains; preload","X-Content-Type-Options":"nosniff","Content-Security-Policy":"default-src 'self';font-src 'self' data:;script-src 'self' 'unsafe-inline' 'unsafe-eval' data:;style-src 'self' 'unsafe-inline';img-src 'self' blob: data:","X-XSS-Protection":"1; mode=block"}
proxyDestinationUrlThumbprints=
tunnelExternalUrl=https://myhorizon.aaronrombaut.com:443
blastExternalUrl=https://myhorizon.aaronrombaut.com:8443
radiusClassAttributeList=
smartCardHintPrompt=false
logoutOnCertRemoval=false
redirectHostMappingList=
proxyPattern=(/|/view-client(.*)|/portal(.*)|/appblast(.*))
pcoipExternalUrl=72.225.4.11:4172
[SSLCert] #External facing
pemPrivKey=
pemCerts=
#pfxCerts: The location where the certificates are located
pfxCerts=.\certs\myhorizon-prod.p12
pfxCertAlias=
[SSLCertAdmin] #Internal facing
pemPrivKey=
pemCerts=
#pfxCerts: The location where the certificates are located
pfxCerts=.\certs\myhorizon-prod.p12
pfxCertAlias=
[PackageUpdates]
packageUpdatesScheme=OFF
Open an elevated PowerShell window and navigate to the working directory. You will want to type the following to start the deployment:
.\uagdeploy.ps1 .\uag-001v_settings.ini
Enter and re-enter the root password and admin password.
Enter Yes or No if you want to join the VMware Customer Experience Improvement Program (CEIP).
Enter the password for the vCenter you specified in the settings.ini file above.
You should receive a “deployed successfully” message at the end. From here, you should be able to navigate to the appliance in a web browser and if you used certificates, your page should be accessible, securely. For me, I access the UAG at https://uag-001v.aaronrombaut.com:9443.
If you have other Unified Access Gateways to deploy, just modify the settings.ini file and deploy. Make sure you have records for each UAG added to your DNS forward and reverse lookup zones.
I wanted to update vCenter Server Appliance update 1 (vCenter Appliance 6.7 U1 (6.7.0.20000)) to the most current patch level which at the time of this post is Update 3k.
I navigated to VMware’s patch repository, https://my.vmware.com/group/vmware/patch#search, and selected VC and 6.7.0. I already have the appliance, so I downloaded the Appliance-Patch file as highlighted below.
Once downloaded, I added the .iso file to the VCSA virtual machine’s CD/DVD drive using the VMware Remote Console window. (It’s my personal preference to not add ISO files to datastores as I feel it is a waste of space and unnecessary)
I logged into the VMware Appliance Interface (VAMI), https://fqdn:5480, and chose Update > CHECK UPDATES > Check CD ROM. I was presented with a screen stating, “No applicable update found.” I was a little concerned and thought maybe I added the wrong ISO file, so I double checked.
After a little digging and documentation reading, I found that this upgrade path is not supported. I first have to patch to the base appliance level, in this case vCenter Appliance 6.7.0 update 3, before I can apply the security patch. The following is an excerpt from the document, Patching the vCenter Server Appliance and Platform Services Controller Appliance.
VMware makes patches available on a monthly basis. These patches can only be applied in between major releases of vCenter Server Appliance. For example, patches released for the initial release of vCenter Server Appliance 6.7, are not applicable to vCenter Server Appliance 6.7 Update 1, as any patches previously made available will be included with the Update 1 release.
So now that I have RTFM, I can try again in the correct order. I downloaded the vCenter Appliance Update 3 (VMware-vCenter-Server-Appliance-6.7.0.40000-14367737-patch-FP.iso) ISO from the patches repository and loaded it into the vCenter Server Appliance’s CD ROM. I went back to the VAMI and checked for updates again, this time with a positive result!
To update:
Click on the STAGE AND INSTALL link above the Available updates table
Click to check the checkbox labeled, “I accept the terms of the license agreement“
Click NEXT button
Click to uncheck the checkbox labeled, “Join the VMware’s Customer Experience Improvement Program (CEIP)” [Note: this is a lab environment, follow your organization’s policy regarding this program]
Click NEXT button
Click to check the checkbox labeled, “I have backed up vCenter Server and its associated databases.” [Note: Make sure that you actually do have a backup to be safe]
Click FINISH button
Ref: Patching the vCenter Server Appliance by Using the Appliance Management Interface (https://docs.vmware.com/en/VMware-vSphere/6.7/com.vmware.vcenter.upgrade.doc/GUID-E2E359B1-5834-4BFF-AEFE-6CEBFC8CC3D5.html) and subsequently, Install vCenter Server Appliance Patches (https://docs.vmware.com/en/VMware-vSphere/6.7/com.vmware.vcenter.upgrade.doc/GUID-E5E78149-4AC8-4DD7-BBA8-19CC17711D40.html).
Wait for the server to install the update and show Installation succeeded. Click the Close button.
Depending on how long the process took, you may need to log into the VAMI again. Verify the Version is updated from the previous.
This time you can load up the most recent patch and follow the update procedure again.
At the end, you should have an updated appliance with the most recent patch.
I was configuring VMware App Volumes and ran into an issue where the installer reported a MS SQL security alert. Since I am trying to get this to work in a production-like environment, I did not want to just “Trust server certificate” and move along. I wanted this to be installed appropriately. A couple minutes Googling and this post is a record of my findings for the future. Hopefully, it may help you as well if you stumbled here. Here is a screenshot of the security alert.
First of all, make sure you have a CA-signed certificate loaded in the Personal store on the server hosting your MS SQL Server. You can quickly check your machine certificates by clicking the Start button or opening Run and typing certlm.msc. If you don’t have that, stop here and go get one. I used Let’s Encrypt for my certificate.
The next thing you want to do is verify the service account that is running your MS SQL Server. In my case, I am using the default NT Service\MSSQLSERVER.
Right-click on your machine certificate and point to All Tasks, and choose Manage Private Keys…
The Permissions window opens up.
Add the account you verified as the Log On As user when checking the Services.msc management console. (You may need to change the location to the local server name from the Locations… button on the side of the SelectUsers or Groups window.) Ensure the user has Full Control on the certificate.
Go back to the Services.msc console and restart the SQL Server service and you should no longer have authentication or trust issues with connecting services.
