Enabling use of the VMware Horizon View 5.2 HTML5 Portal

Today I tried upgrading VMware's View Connection and Security servers from 5.1 to 5.2.  All went well, but when I browsed out to our security server, I noticed that the web client did not exist.

Solution:
It turns out that VMware View 5.2 itself doesn't include the HTML5 interface for controlling your desktop through the browser.  To enable this feature, you must install the VMware Horizon View Feature Pack on the Connection Server and install the Remote Experience Agent with the HTML Access component on the virtual desktops.  Both can be obtained from the "My VMware" download center.

First, I navigated to the VMware Horizon View 5.2 Feature Pack downloads on the VMware download portal and downloaded VMware-Horizon-View-HTML-Access_x64-1.0.0-1049726.exe.  Once downloaded, I installed this on my Connection Servers.  This can be installed while the Connection Server is running; no downtime is necessary.

Next, I downloaded the Remote Experience Agent for 64-bit desktops (VMware-Horizon-View-5.2-Remote-Experience-Agent-x64-1.0-1046150.msi) from the same download portal and installed it on the client machines I wanted to be accessible via the HTML5 page.

Next, I opened the VMware Horizon View Administrator web GUI and navigated to View Configuration -> Servers -> Connection Servers.  Right-click the Connection Server and ensure the Blast Server URL has been configured properly.

Next, still inside of the VMware Horizon View Administrator web GUI, I navigated to Pools, selected the Pool I wanted to allow HTML5 Web Access to, hit Edit..., selected the Pools Settings tab, and checked HTML Access.

VMware Horizon View - VM Pool - HTML Access

Last, you need to open port 8443 (or whatever External Blast URL port number you used) on your Security Server.  When installing the Security Server, the rules are added to Windows Firewall by default but are not enabled.  To enable them, remote to your Security Server, open your firewall (in my example, Windows Firewall with Advanced Security), and enable the VMware View Connection Server (Blast-In) rules.

VMware Horizon View - Security Server - Windows Firewall
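As an added example (not from the original post), here is a PowerShell equivalent of that last step: it enables the Blast-In rules and then checks that the port the rule allows actually matches your External Blast URL port and that something is listening on it. It assumes the rule name shown above, port 8443, an elevated prompt on the Security Server, and English netsh output; it uses netsh and netstat rather than the NetSecurity cmdlets so it also runs on Windows Server 2008 R2.

```powershell
# Added example, not part of the original post: enable the Blast-In rules on the Security Server and
# verify that the External Blast URL port is both allowed and listening. Uses netsh/netstat so it
# also works on Windows Server 2008 R2. Assumes the rule name shown in the post, port 8443, an
# elevated PowerShell prompt on the Security Server, and English (non-localized) netsh output.

$ruleName  = "VMware View Connection Server (Blast-In)"
$blastPort = 8443   # change if you used a different External Blast URL port

# Enable every rule with that display name (there is usually one per profile/protocol).
netsh advfirewall firewall set rule name="$ruleName" new enable=yes | Out-Null

# Read the rules back and check that they are enabled and that LocalPort matches the Blast port.
$ruleText = netsh advfirewall firewall show rule name="$ruleName"
$enabled  = @($ruleText | Select-String -Pattern '^Enabled:\s+Yes').Count
$ports    = $ruleText | Select-String -Pattern '^LocalPort:\s+(\S+)' |
            ForEach-Object { $_.Matches[0].Groups[1].Value } | Sort-Object -Unique
if ($enabled -eq 0) { Write-Warning "No enabled rule named '$ruleName' was found" }
if ($ports -notcontains "$blastPort") {
    Write-Warning "Rule allows port(s) $($ports -join ',') but the Blast port is $blastPort; adjust one of them"
}

# An allowed port is useless if nothing is bound to it. netstat columns: Proto, Local, Foreign, State, PID.
$listening = netstat -ano | Select-String -Pattern ":$blastPort\s+\S+\s+LISTENING"
if ($listening) {
    Write-Host "TCP $blastPort is listening on this server:"
    $listening | ForEach-Object { $_.Line.Trim() }
} else {
    Write-Warning "Nothing is listening on TCP $blastPort; check the HTML Access install and the Blast URL port"
}
```

If the rule reports a different LocalPort than the External Blast URL you configured in View Administrator, the 404 described further down is the usual symptom; fix whichever side is wrong rather than opening a second port.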


Some errors you may come across

Problem: When you try to login to your desktop via the HTML5 GUI, you receive the following error:

You are not entitled to use the system.

Solution: You need to make sure you entitle the user to the pool or make sure you have checked the HTML Access checkbox for the pool as mentioned above.

-------------------------------------------------------------------------------------------------------------------------

Problem: When connecting to the View Desktop you receive the following error message:

The display protocol for this desktop is currently not available.  Please contact your system administrator.

Solution: Make sure the VMware Blast service is running on your virtual desktop/you have installed the Remote Experience Agent as mentioned above.

-------------------------------------------------------------------------------------------------------------------------

Problem: When connecting to the View Desktop you receive the following error message:

All available desktop sources for this desktop are currently busy. Please try connecting to this desktop again later, contact your system administrator.

Solution: Log out of the Web GUI and log back in.

-------------------------------------------------------------------------------------------------------------------------

Problem: When connecting to the View Desktop you receive the following error message:

Unable to connect to desktop: There is no available gateway for the display protocol. Try again, or contact your administrator if this problem persists.

Solution: Log out of the Web GUI and log back in.

-------------------------------------------------------------------------------------------------------------------------

Problem: When connecting to the View Desktop, you are redirected to a page and are given a 404 page cannot be displayed.

Solution: Make sure you have enabled the ports on your external firewall for the Security Servers as well as the firewall on the host running the security server (Windows Firewall as mentioned above).

-------------------------------------------------------------------------------------------------------------------------

Known Issues

Please note that VMware publishes a list of Known Issues.  I would recommend reading the following article to familiarize yourself with them: http://www.vmware.com/support/viewclients/doc/horizon-view-html-access-release-notes.html


Tutorial: 802.1X Authentication via WiFi - Active Directory + Network Policy Server + Cisco WLAN + Group Policy

Here is how to implement 802.1X authentication in a Windows Server 2008 R2 domain environment using Protected EAP (PEAP) authentication.  I have designed the tutorial to be worked through in this specific order to prevent downtime if it is deployed during the day.  By creating the Network Policy Server first, it will immediately start processing requests and allowing domain machines on as soon as we switch the authentication type from the current method to 802.1X via RADIUS.  If the Cisco Wireless LAN Controller or Group Policy were configured first, clients would try connecting to a RADIUS server that doesn't exist yet or would present invalid credentials.  If you have any suggestions on how to improve the implementation I demonstrate here, please drop a comment below so we can improve the security/stability of these types of deployments. 🙂

Active Directory

First, we need to create a security group in Active Directory that lists the specific users and computers allowed to authenticate.  In this example, we will allow any authenticated user or machine on the domain to authenticate successfully to the RADIUS server.  In the screenshot below, you can see I have added both Domain Users and Domain Computers to a security group called WirelessAccess.

802.1X - AD Security Group

Network Policy Server

  1. Create a new Windows Server 2008 R2 or Windows Server 2012 machine
  2. Add the machine to the domain
  3. Give the machine a static IP (I'll use 10.10.10.15 throughout this document to refer to this server)
  4. Open up Server Manager, click Add Roles, click Next on the Before You Begin screen, check Network Policy and Access Services and click Next, click Next on the Introduction screen, check Network Policy Server (leave the rest unchecked) and click Next, click Install.
  5. Once Network Policy Server is installed, launch the Network Policy Server snap-in (via MMC or Administrative Tools)
  6. Inside of Network Policy Server, on NPS (Local), select RADIUS server for 802.1X Wireless or Wired Connections from the dropdown and click Configure 802.1X
    1. On the Select 802.1X Connections Type page, select Secure Wireless Connections, and enter My Company's Wireless.  Click Next.
    2. Click on the Add... button.  Enter the following settings:
      1. Friendly name: Cisco WLAN Controller
      2. Address: 10.10.10.10 (Enter your WLAN Controller's IP address)
      3. Select Generate, click the Generate button, and then copy down the Shared Secret the wizard generated (we will use this later to get the WLAN Controller to talk to the RADIUS server).  Click OK.
    3. Click Next.
    4. On the Configure an Authentication Method page, select Microsoft: Protected EAP (PEAP). Click Next.
    5. Click Next on the Specify User Groups page (we will come back to this).
    6. Click Next on the Configure Traffic Controls page.
    7. Click Finish
  7. Click on NPS (Local) -> Policies -> Network Policies. Right click Secure Wireless Connections and click Properties.
  8. Click on the Conditions tab, select NAS Port Type, and click Remove.
  9. Still on the Conditions tab, click Add..., select Windows Groups and click Add..., click Add Groups..., search for WirelessAccess and click OK.  Click OK on the Windows Groups dialog box, click Apply on the Secure Wireless Connections Properties box.  You should now have something like the image below:
    802.1X - Secure Wireless Connections Conditions
  10. Click on the Constraints tab.
    1. Uncheck all options under Less secure authentication methods like the image below:
      802.1X - Secure Wireless Connections Constraints
    2. Click Apply
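As an added example (not part of the original tutorial), here is the scripted equivalent of the role install and the RADIUS-client "Add..." step above, with the shared secret generated locally from the OS CSPRNG instead of typed by hand. It assumes Windows Server 2012 or later (the NPS PowerShell module is not available on 2008 R2), an elevated prompt, and the controller address 10.10.10.10 from the tutorial.

```powershell
# Added example, not part of the original tutorial: scripted equivalent of the NPS role install and
# the RADIUS-client "Add..." step, plus a locally generated shared secret. Assumes Windows Server
# 2012 or later (the NPS PowerShell module is not available on 2008 R2), an elevated prompt, and the
# controller address from the tutorial (10.10.10.10).

# 1. Install the Network Policy Server role service (harmless if it is already present).
Install-WindowsFeature -Name NPAS-Policy-Server -IncludeManagementTools | Out-Null

# 2. Generate a long random shared secret. Printable ASCII only, because the controller is set to
#    "Shared Secret Format: ASCII"; rejection sampling (only bytes < 248 = 4*62) avoids modulo bias.
function New-RadiusSharedSecret {
    param([int]$Length = 32)
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789'
    $rng      = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    $buf      = New-Object byte[] 1
    $sb       = New-Object System.Text.StringBuilder
    while ($sb.Length -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt 248) { [void]$sb.Append($alphabet[$buf[0] % 62]) }
    }
    $sb.ToString()
}
$secret = New-RadiusSharedSecret

# 3. Register the WLAN controller as a RADIUS client (what the wizard's Add... dialog does).
#    NPS will only accept RADIUS traffic for this secret from this exact source address.
New-NpsRadiusClient -Name "Cisco WLAN Controller" -Address "10.10.10.10" -SharedSecret $secret | Out-Null

# 4. Confirm the client exists.
Get-NpsRadiusClient | Where-Object { $_.Name -eq "Cisco WLAN Controller" } | Format-List Name, Address

# 5. Show the secret once for entry on the controller (store it in a password vault, not in a
#    script), then drop it from the session.
Write-Host "Shared secret for the controller:" $secret
Remove-Variable secret
```

The 32-character alphanumeric secret is considerably stronger than a hand-typed one and still fits the controller's ASCII secret field; if you later rotate it, Set-NpsRadiusClient takes the same -SharedSecret parameter.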

Cisco WLAN

  1. Login to your Cisco Wireless Lan Controller
  2. Add a RADIUS server to your controller
    1. Click on the Security tab
    2. Select AAA -> Radius -> Authentication on the left side
    3. Click the New... button in the top right
      1. Server IP Address: 10.10.10.15 (The IP address of your NPS server we setup earlier)
      2. Shared Secret Format: ASCII
      3. Shared Secret: The long generated password you wrote down when setting up the Network Policy Server
      4. Confirm Shared Secret: Same password in previous step
      5. Key Wrap: unchecked
      6. Port Number: 1812
      7. Server Status: Enabled
      8. Support for RFC 3576: Enabled
      9. Server Timeout: 2
      10. Network User: Checked
      11. Management: Checked
      12. IP Sec: Unchecked
      13. Here is a screenshot with the above settings
        802.1X - Cisco WLAN - RADIUS
  3. Create or modify a wireless network to use 802.1X
    1. Click on the WLANs tab
    2. Create a new wireless network or select an existing WLAN ID to edit
    3. On the "WLANs > Add/Edit 'My SSID'" page, use the following settings
      1. Security Tab
        1. Layer 2 Tab
          1. Layer 2 Security: WPA+WPA2
          2. MAC Filtering: Unchecked
          3. WPA+WPA2 Parameters
            1. WPA Policy: Unchecked
            2. WPA2 Policy: Checked
            3. WPA2 Encryption: AES checked, TKIP unchecked
            4. Auth Key Mgmt: 802.1X
          4. Here is a screenshot of the above settings
            802.1X - Cisco WLAN - Security
        2. Layer 3 Tab
          1. Layer 3 Security: none
          2. Web Policy: unchecked
        3. AAA Servers Tab
          1. Authentication Servers: checked Enabled
          2. Server 1: Select your RADIUS server from the dropdown
          3. Local EAP Authentication: Unchecked
          4. Authentication priority order for web-auth user: Move RADIUS over to the right
          5. Here is a screenshot of the above settings
            802.1X - Cisco WLAN - AAA Servers
        4. Click Apply

Group Policy

  1. Go to your domain controller and open up the Group Policy Management console.
  2. Right click the Organizational Unit you want to apply the policy to and select Create a GPO in this domain, and Link it here...
    1. Note: the policy must be linked to the OU containing the machines you want to have WiFi access, or to a parent of that OU.
  3. Enter in 802.1X WiFi Policy for the Name and click OK
  4. Right click your new GPO and click Edit
  5. Navigate to Computer Configuration->Policies->Windows Settings->Security Settings->Wireless Network (IEEE 802.11) Policies
  6. Right click and select Create A New Wireless Network Policy for Windows Vista and Later Releases
  7. Ensure the following settings are set for your Windows Vista and Later Releases policy
    1. General Tab
      1. Policy Name: My Wireless Policy for Vista and Later Clients
      2. Description: Vista and later wireless network for my company.
      3. Check Use Windows WLAN AutoConfig service for clients
      4. Here is a screenshot with the above settings
        802.1X - General
      5. Click the Add... button and select Infrastructure
        1. Connection Tab
          1. Profile Name: My Network
          2. Enter in your SSID (Wireless network name that gets broadcasted) and click the Add... button
          3. Check Connect Automatically when this network is in range
          4. Here is a screenshot of the above settings
            802.1X - Properties
        2. Security Tab
          1. Authentication: WPA2-Enterprise
          2. Encryption: AES
          3. Select a network authentication method: Microsoft Protected EAP (PEAP)
          4. Authentication Mode: User or Computer authentication
          5. Max Authentication Failures: 1
          6. Check Cache user information for subsequent connections to this network
          7. Here is a screenshot of the above settings with the Advanced tab open as well
            802.1X - Security Settings
        3. Click OK
    2. Network Permissions Tab
      1. Enter your network into Define permissions for viewing and connection to wireless networks if it hasn't been added already.
      2. Uncheck Prevent connections to ad-hoc networks
      3. Uncheck Prevent connections to infrastructure networks
      4. Check Allow user to view denied networks
      5. Check Allow everyone to create all user profiles
      6. Uncheck Only use Group Policy profiles for allowed networks
      7. Leave all Windows 7 policy settings unchecked
      8. Here is a screenshot with the above settings (note, you may change the settings above to be in accordance to your policy.  Just ensure you don't check Prevent connections to infrastructure networks).
        802.1x - Network Permissions
      9. Click OK
  8. Right click and select Create A New Windows XP Policy
  9. Ensure the following settings are set for your Windows XP Policy
    1. General Tab
      1. XP Policy Name: My Wireless Policy for XP Machines
      2. Description: My wireless policy for XP machines.
      3. Networks to access: Any available network (access point preferred)
      4. Check Use Windows WLAN AutoConfig service for clients
      5. Uncheck Automatically connect to non-preferred networks
      6. Here is a screenshot of the above settings.
        802.1X - XP General
    2. Preferred Networks Tab
      1. Click the Add... button and select Infrastructure
        1. Network Properties Tab
          1. Network name (SSID): My SSID
          2. Description: My wireless network
          3. Uncheck Connect even if network is not broadcasting
          4. Authentication: WPA2
          5. Encryption: AES
          6. Check Enable Pairwise Master Key (PMK) Caching
          7. Uncheck This network uses pre-authentication
          8. Here is a picture of the above settings
            802.1X - XP Network Properties
        2. IEEE 802.1X Tab
          1. EAP Type: Microsoft: Protected EAP (PEAP)
          2. Eapol-Start Message: Transmit
          3. Authentication Mode: User or Computer Authentication
          4. Check Authenticate as computer when computer information is available
          5. Uncheck Authenticate as guest when user or computer information is unavailable
          6. Screenshot of above settings
            802.1X - XP IEEE
        3. Click OK
    3. Click OK
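As an added example (not from the original tutorial), here is a check to run on a domain-joined Windows 7 or later client after gpupdate, to confirm the Group Policy wireless profile arrived and to read back its 802.1X/PEAP settings, including whether the client validates the NPS server certificate (the part of the Security tab's Advanced settings the tutorial only shows in a screenshot). It assumes the profile name "My Network" from the steps above and that netsh can export the Group Policy profile; the exported XML never contains key material.

```powershell
# Added example, not part of the original tutorial: run on a domain-joined Windows 7+ client after
# "gpupdate /force" to confirm the GPO-delivered wireless profile arrived and to read back its
# 802.1X/PEAP settings. Assumes the profile name "My Network" from the Group Policy steps and that
# netsh can export the Group Policy profile; without key=clear the export contains no secrets.

$profileName = "My Network"
$exportDir   = Join-Path $env:TEMP "wlan-profile-check"
New-Item -ItemType Directory -Path $exportDir -Force | Out-Null
Remove-Item -Path (Join-Path $exportDir "*.xml") -ErrorAction SilentlyContinue

# Profiles pushed by Group Policy are listed under "Group policy profiles (read only)".
netsh wlan show profiles

# Export the profile and load it as XML.
netsh wlan export profile name="$profileName" folder="$exportDir" | Out-Null
$xmlFile = Get-ChildItem -Path $exportDir -Filter "*.xml" | Select-Object -First 1
if (-not $xmlFile) { throw "Profile '$profileName' is not present on this client" }
[xml]$doc = Get-Content -Path $xmlFile.FullName

# The profile mixes several WLAN/EAP schemas, so match on local element names, not namespaces.
function Get-ProfileValue([xml]$Xml, [string]$Element) {
    $node = $Xml.SelectSingleNode("//*[local-name()='$Element']")
    if ($node) { $node.InnerText.Trim() } else { "<absent>" }
}

[pscustomobject]@{
    Authentication          = Get-ProfileValue $doc 'authentication'          # expect WPA2
    Encryption              = Get-ProfileValue $doc 'encryption'              # expect AES
    EapMethodType           = Get-ProfileValue $doc 'Type'                    # 25 = PEAP
    AuthMode                = Get-ProfileValue $doc 'authMode'                # machineOrUser
    PerformServerValidation = Get-ProfileValue $doc 'PerformServerValidation'
    TrustedRootCA           = Get-ProfileValue $doc 'TrustedRootCA'           # pinned CA thumbprint(s)
    ServerNames             = Get-ProfileValue $doc 'ServerNames'             # expected NPS name(s)
    DisableUserPrompt       = Get-ProfileValue $doc 'DisableUserPromptForServerValidation'
} | Format-List

# If PerformServerValidation is false or TrustedRootCA/ServerNames are empty, the client will
# complete PEAP with any access point broadcasting this SSID; tighten the GPO's Advanced settings.
```

Run it on one pilot machine before linking the GPO to a wide OU: the exported values are exactly what the WLAN AutoConfig service will use, so mismatches with the NPS certificate (wrong issuing CA, wrong server name) show up here instead of as failed logons in the NPS event log.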

Removing last Lync 2010 Front End – Unassigned Number Error

Symptom:
You receive the following error when trying to publish your new Lync Topology, after removing the last Lync 2010 Front End Server.

Result: Call orbit depends on an application server that is being removed.
ServiceInUse: The new topology XML removes services that will create stale configuration settings.
ServiceInUseResolution: Consult your Lync Server documentation to learn how to to disassociate the service of the settings using it.

Error: Cannot publish topology changes. Unassigned number still exists on one or more deleted application servers.
▼ Details
└ Type: InvalidOperationException
└ ▼ Stack Trace
└ at Microsoft.Rtc.Management.Deployment.Tasks.PublishTopologyTask.CheckIfVacantNumberRangesInUse(DeletedServices deletedServices) at Microsoft.Rtc.Management.Deployment.Tasks.PublishTopologyTask.VerifyServiceDependentSettings(DeletedServices deleteServices) at Microsoft.Rtc.Management.Internal.Utilities.LogWriter.InvokeAndLog[T](Action`1 action, T arg)

Error: An error occurred: "System.InvalidOperationException" "Cannot publish topology changes. Unassigned number still exists on one or more deleted application servers."

Solution:
Open up the Lync Server Management Shell as an Administrator on a different Front End server that you aren't retiring and execute the following command:

Get-CsUnassignedNumber

For each of the returned results with the AnnouncementServerFqdn matching the server you are trying to retire, execute the following command:

Set-CsUnassignedNumber -Identity IdentityFromPreviousCommand -AnnouncementService newlyncpoolorfrontend.mydomain.local

Alternately, you can change the Front End server these numbers are on through the Lync Web GUI (Cscp).  To do so, navigate to the Lync Server 2013 Control Panel, click on Voice Features->Unassigned Number, and then double click every entry that has a destination with the old Front End.  When the Edit Unassigned Number Range dialog shows up, type in the FQDN to the new Front End Pool/Server and then click OK. Repeat for each number.

Lastly, if you want to clean up your Lync server, you can remove all instances of the old Announcements using the following command:

Remove-CsAnnouncement -Identity "ApplicationServer:myoldfrontend.mydomain.local"

Alternately, if you have already published the topology, you may have to remove the Announcements individually by entering the command below with the entire Identity value or the old ApplicationServer's name (in my case it was 1-ApplicationServer-1, as shown below):

Remove-CsAnnouncement -Identity "ApplicationServer:probablysays1-ApplicationServer-1/1951f734-c80f-4fb2-965d-51807c792b90"

Once all Unassigned Numbers have been moved to the new Front End server or pool, you should be able to successfully publish your topology.

Removing last Lync 2010 Front End - Conference Error

Symptom:
You receive the following error when trying to publish your new Lync Topology, after removing the last Lync 2010 Front End Server.

ConferencingPoolInUse: The new topology XML removes services that will orphan existing conference directories.

Error: Cannot publish topology changes. Conference directories still exist on a pool that would be deleted. Remove the conference directories before continuing.
▼ Details
└ Type: InvalidOperationException
└ ▼ Stack Trace
└ at Microsoft.Rtc.Management.Deployment.Tasks.PublishTopologyTask.VerifyOrphanedDirectories()
at Microsoft.Rtc.Management.Internal.Utilities.LogWriter.InvokeAndLog(Action action)

Error: An error occurred: "System.InvalidOperationException" "Cannot publish topology changes. Conference directories still exist on a pool that would be deleted. Remove the conference directories before continuing."

Solution:
On one of your front end lync servers, open up the Lync Server Management Shell as an Administrator.  Once open, execute the following command:

Get-CsConferenceDirectory

For each of the items that have a ServiceID referencing the Front End server you are trying to retire, execute the following command (replacing the appropriate values with the output found from the previous command):

Move-CsConferenceDirectory -Identity X -TargetPool poolorfrontendserver.mydomain.local

After all conferences have been moved off of your Lync 2010 Front End server, you should be able to successfully publish the topology.
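As an added example covering both this post and the Unassigned Number one above (it is not from the original posts), here is a Lync Server Management Shell script that finds every unassigned-number range and conference directory still tied to the Front End being retired, moves them, and re-checks before you publish. The FQDNs are placeholders; it assumes an announcement with the same name already exists on the new pool, that Move-CsConferenceDirectory honours -WhatIf like the other Lync cmdlets, and it stays in dry-run mode until you set $dryRun to $false.

```powershell
# Added example, not part of the original posts: move every unassigned-number range and conference
# directory off the Lync 2010 Front End being retired before rerunning Publish-CsTopology.
# Assumptions: run in the Lync Server Management Shell as an administrator on a surviving Front End;
# the FQDNs below are placeholders; an announcement with the same name already exists on the new
# pool; -WhatIf is honoured by both Set-/Move- cmdlets. Nothing changes until $dryRun = $false.

$oldFrontEnd = "oldlync2010fe.mydomain.local"   # placeholder: server being removed from the topology
$newPool     = "newlyncpool.mydomain.local"     # placeholder: surviving pool or Front End
$dryRun      = $true                            # set to $false to apply the changes

# --- Unassigned numbers: each range points at an announcement service on a specific server.
$ranges = @(Get-CsUnassignedNumber | Where-Object { $_.AnnouncementServerFqdn -eq $oldFrontEnd })
Write-Host ("{0} unassigned-number range(s) still reference {1}" -f $ranges.Count, $oldFrontEnd)
foreach ($r in $ranges) {
    # Announcements belong to a service, so the range is re-pointed at the announcement of the same
    # name on the new pool (create it with New-CsAnnouncement first if it does not exist there yet).
    Set-CsUnassignedNumber -Identity $r.Identity `
        -AnnouncementService "ApplicationServer:$newPool" `
        -AnnouncementName $r.AnnouncementName `
        -WhatIf:$dryRun
}

# --- Conference directories: ServiceId looks like "UserServer:oldfe.mydomain.local".
$dirs = @(Get-CsConferenceDirectory | Where-Object { $_.ServiceId -like "*:$oldFrontEnd" })
Write-Host ("{0} conference director(y/ies) still on {1}" -f $dirs.Count, $oldFrontEnd)
foreach ($d in $dirs) {
    Move-CsConferenceDirectory -Identity $d.Identity -TargetPool $newPool -WhatIf:$dryRun
}

# --- Re-check: both counts must be zero before Publish-CsTopology will succeed.
$left = @(Get-CsUnassignedNumber   | Where-Object { $_.AnnouncementServerFqdn -eq $oldFrontEnd }).Count +
        @(Get-CsConferenceDirectory | Where-Object { $_.ServiceId -like "*:$oldFrontEnd" }).Count
if ($dryRun) {
    Write-Host "Dry run only; set `$dryRun = `$false to apply."
} elseif ($left -eq 0) {
    Write-Host "Nothing references $oldFrontEnd any more; publish the topology."
} else {
    Write-Warning "$left object(s) still reference $oldFrontEnd; review the output above."
}
```

Keep the first run as a dry run and compare its counts with what Topology Builder complains about; if a range cannot be re-pointed because the new pool has no announcement of that name, create the announcement first rather than dropping the range, or callers to those numbers will get no treatment at all.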

Lync meetings drop dial-in (PSTN) calls after 30 seconds to a minute

Symptom: When using Lync 2013 meetings, I noticed that PSTN callers were being dropped from dial-in meetings.  The drop happened approximately 30 seconds to a minute into the call.  After finally pulling the plug and calling Microsoft for support on why this was happening, we found that our Session Border Controller was not sending responses back to Lync telling Lync that a person was still a part of the call.

Solution: Execute Get-CsTrunkConfiguration and look for the RTCPActiveCalls and RTCPCallsOnHold values. If both of these values are true, try setting them to false via the following command:

Set-CsTrunkConfiguration -RTCPActiveCalls $false -RTCPCallsOnHold $false

This should tell Lync to not drop the user's call even if it doesn't receive any media packets from the SBC.  If this does work, then I highly recommend you enable the Session Timer to ensure dropped calls do not continue forever in your Lync meeting.  To enable that option, execute the following command:

Set-CsTrunkConfiguration -EnableSessionTimer $true

Just for reference, here are some more in-depth notes on what the RTCPActiveCalls, RTCPCallsOnHold, and EnableSessionTimer variables do.

RTCPActiveCalls -This parameter determines whether RTCP packets are sent from the PSTN gateway, IP-PBX, or SBC at the service provider for active calls. An active call in this context is a call where media is allowed to flow in at least one direction. If RTCPActiveCalls is set to True, the Mediation Server or Lync Server client can terminate a call if it does not receive RTCP packets for a period exceeding 30 seconds. Note that disabling the checks for received RTCP media for active calls in Lync Server elements removes an important safeguard for detecting a dropped peer and should be done only if necessary.

RTCPCallsOnHold - This parameter determines whether RTCP packets continue to be sent across the trunk for calls that have been placed on hold and no media packets are expected to flow in either direction. If Music on Hold is enabled at either the Lync Server client or the trunk, the call will be considered to be active and this property will be ignored. In these circumstances use the RTCPActiveCalls parameter. Note that disabling the checks for received RTCP media for active calls in Lync Server elements removes an important safeguard for detecting a dropped peer and should be done only if necessary.

EnableSessionTimer - This parameter specifies whether the session timer is enabled. Session timers are used to determine whether a particular session is still active. Note that even if this parameter is set to False, session timers can be applicable if the remote connection has session timer enabled. In such a case, the Mediation Server will reply to session timer probes from the remote entity. The default is False.

Polycom Lync Phone - An account matching this phone number cannot be found

Symptom:

When you try to sign in to a Polycom Lync Enabled phone (CX600, CX3000, etc.), you receive the following error:

An account matching this phone number cannot be found. Please contact your support team.

Solution:

I found that this appeared to be caused by a change made to the Lync front-end server.  There are two things that need to happen.

  1. Make sure the ports for 80 and 443 have been opened on the server's firewall.
  2. Try running the following command in the Lync Management Shell on the front-end server.
    1. Test-CsPhoneBootstrap -PhoneOrExt 15555551234 -PIN 5678 -verbose
    2. The verbose output should give you all the information needed to figure out where things are going wrong.  In my case, I had an issue with the phone being able to pull down a certificate (the verbose output revealed the following: "Could not download certificate chain from web service.").  After restarting IIS, I was able to authenticate via the phone to Lync.
    3. Just as an FYI, once you see Result: Success, you will be able to login to the phone.  Prior to seeing that, I was seeing a Result: Failed when the phone could not connect.

Attempt to configure DHCP server failed with error code 0x8007005. Access is denied.

Symptoms:

When trying to deploy DHCP on a member server (not a DC), you receive the following error:

Attempt to configure DHCP server failed with error code 0x8007005. Access is denied.

DHCP Error 0x8007005

When you go to Authorize the server you receive "Access Denied" as well.

Solution:

This is caused by permission issues on the user's account.  To fix this, first right click on IPv4 and then select Properties.  Click on the Advanced tab and then click on Credentials.  Inside of here, enter in the credentials you want to use as the service account to run DHCP.

DHCP Credentials

Next, open up Server Manager, expand Configuration, expand Local Users and Groups.  Click on DHCPAdministrators, and then add your service account.

DHCP Administrators group

Next, restart the DHCP Server service.  Inside of Server Manager, right click on the DHCP server and click Authorize.  Restart the service one last time, and each of your DHCP scopes should now be up (with green checkmarks).


Lync 2013 Logging Tool

After installing Lync 2013 RTM, I noticed that the Lync Logging Tool doesn't exist.  As you can see below, when you search for the tool under Server 2012, it is missing from the list of Apps.

Lync Logging

Solution:

You can manually grab a copy of the Microsoft Lync Server 2013 Debugging Tools (this includes both OCSLogger.exe and Snooper.exe) from here: http://www.microsoft.com/en-us/download/details.aspx?id=35453

Once installed, you can access the tool by browsing to: C:\Program Files\Microsoft Lync Server 2013\Debugging Tools\OCSLogger.exe

Lync Debugging Tools 2013

Lync 2012 Creating CommonAreaPhone - Filter failed to return unique result

Symptom:

You receive the following error when executing the New-CsCommonAreaPhone command via PowerShell.

New-CsCommonAreaPhone : Filter failed to return unique result, "[LineURI : tel:+15555555555] [PrivateLine : tel:+15555555555] "
At line:1 char:1
+ New-CsCommonAreaPhone -LineUri "tel:+15555555555" -RegistrarPool "lync.mydomain ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo          : NotSpecified: (:) [New-CsCommonAreaPhone], InvalidOperationException
+ FullyQualifiedErrorId : System.InvalidOperationException,Microsoft.Rtc.Management.AD.Cmdlets.NewOcsCommonAreaPhoneCmdlet

Solution:
This means that the phone number has been assigned to either another user or response group. Make sure the number is not in use by Lync.
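As an added example (not from the original post), here is a Lync Server Management Shell function that checks every object type that can hold a number, so you can see exactly who owns the LineURI before retrying New-CsCommonAreaPhone. The number is the placeholder from the error above; it assumes the -Filter syntax the Get-Cs* cmdlets accept and compares client-side for the cmdlets that have no LineUri filter.

```powershell
# Added example, not part of the original post: find which Lync object already holds a LineURI.
# Run in the Lync Server Management Shell. Checks users (main and private line), common area
# phones, analog devices, Exchange UM contacts, response groups and dial-in access numbers.

function Find-CsLineUri {
    param([Parameter(Mandatory = $true)][string]$LineUri)   # e.g. "tel:+15555555555"

    $filter  = "LineURI -eq '$LineUri'"
    $sources = @(
        @{ Type = 'User (LineURI)';        Items = { Get-CsUser -Filter $filter } },
        @{ Type = 'User (PrivateLine)';    Items = { Get-CsUser -Filter "PrivateLine -eq '$LineUri'" } },
        @{ Type = 'Common area phone';     Items = { Get-CsCommonAreaPhone -Filter $filter } },
        @{ Type = 'Analog device';         Items = { Get-CsAnalogDevice -Filter $filter } },
        @{ Type = 'Exchange UM contact';   Items = { Get-CsExUmContact -Filter $filter } },
        # These two cmdlets have no server-side LineUri filter, so compare client-side.
        @{ Type = 'Response group';        Items = { Get-CsRgsWorkflow | Where-Object { $_.LineUri -eq $LineUri } } },
        @{ Type = 'Dial-in access number'; Items = { Get-CsDialInConferencingAccessNumber | Where-Object { $_.LineUri -eq $LineUri } } }
    )

    foreach ($s in $sources) {
        foreach ($obj in @(& $s.Items)) {
            if ($obj) {
                [pscustomobject]@{ Type = $s.Type; Identity = $obj.Identity; LineUri = $LineUri }
            }
        }
    }
}

# Usage: the placeholder number from the error message in the post.
$inUse = @(Find-CsLineUri -LineUri "tel:+15555555555")
if ($inUse.Count -eq 0) {
    Write-Host "No Lync object holds that LineURI; New-CsCommonAreaPhone should now succeed."
} else {
    $inUse | Format-Table -AutoSize
}
```

The error text quotes both LineURI and PrivateLine, which is why the function checks a user's private line as well as the main one: a private line never shows up in the address book, so it is the collision people most often miss.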

VMware View Composer agent initialization state error (16)

Symptom:

When trying to deploy a desktop using VMware View (Horizon), you receive the following error in your connection server:

Mar 31, 2013 1:41:45 PM CDT: View Composer agent initialization state error (16): Failed to activate license (waited 1215 seconds)
View Composer Agent Error 16

Solution:

This error is caused by Windows not being activated.  To solve it, make sure Windows is activated or that Windows can properly reach your KMS server to activate.  Once the OS is activated, simply restart the VMware Agent service or reboot the machine to have your Connection Server set the desktop to Available.
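As an added example (not from the original post), here is a check to run inside the parent VM, or on a desktop that failed with error 16, that reports the Windows activation state from WMI, tests whether the guest can reach the KMS host on TCP 1688, and only then asks Windows to activate. The KMS host name is a placeholder you replace with your own; the Windows ApplicationId GUID is the standard one WMI uses for the OS product.

```powershell
# Added example, not part of the original post: check Windows activation status and KMS reachability
# inside the guest, the two causes named above. The KMS host name is a placeholder; 1688 is the
# default KMS port. Works on Windows 7 / Server 2008 R2 guests (no Test-NetConnection required).

$kmsHost = "kms.example.local"   # placeholder: your KMS host (slmgr /dlv shows the one Windows uses)
$kmsPort = 1688

# Activation state from WMI. LicenseStatus 1 = Licensed; anything else stalls View Composer.
$windowsAppId = "55c92734-d682-4d71-983e-d6ec3f16059f"   # ApplicationId of the Windows OS product
$status = @{ 0 = 'Unlicensed'; 1 = 'Licensed'; 2 = 'OOB grace'; 3 = 'OOT grace'
             4 = 'Non-genuine grace'; 5 = 'Notification'; 6 = 'Extended grace' }
Get-WmiObject -Class SoftwareLicensingProduct |
    Where-Object { $_.PartialProductKey -and $_.ApplicationId -eq $windowsAppId } |
    ForEach-Object {
        "{0}: {1} (KMS host used: {2})" -f $_.Name, $status[[int]$_.LicenseStatus], $_.KeyManagementServiceMachine
    }

# Can the guest open TCP 1688 to the KMS host? A bounded TcpClient connect keeps this portable.
function Test-KmsReachable([string]$HostName, [int]$Port = 1688, [int]$TimeoutMs = 3000) {
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch { return $false } finally { $client.Close() }
}

if (Test-KmsReachable -HostName $kmsHost -Port $kmsPort) {
    # Ask Windows to activate now, then show the detailed licence state.
    cscript //nologo "$env:SystemRoot\System32\slmgr.vbs" /ato
    cscript //nologo "$env:SystemRoot\System32\slmgr.vbs" /dlv
} else {
    Write-Warning "Cannot reach $kmsHost on TCP $kmsPort from this guest; fix DNS/routing/firewall first"
}

# Once LicenseStatus is 1, restart the View agent service (or reboot) as the post describes.
Get-Service -DisplayName "VMware*" | Select-Object Name, DisplayName, Status
```

Running this on the parent VM before you take the snapshot for the pool saves a 1215-second wait per desktop: if the parent shows anything other than Licensed, or cannot reach the KMS host, every linked clone will hit the same error.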