diegoasf182 / VMwareHorizonScripts

Repo with some Azure scripts to prepare your Azure environment for a VMware Horizon deployment

Disclaimer: All scripts provided here are AS-IS and should be used with caution. We DO NOT offer any warranties.

Prepare Azure for VMware Horizon Cloud Deployment

This repo contains scripts to prepare your Azure environment for a VMware Horizon deployment. All steps, commands and scripts presented here were created to address the requirements of the VMware Horizon Cloud on Azure checklist.

Note: Run the following commands in Azure Cloud Shell, PowerShell mode.

The following Azure regions are not supported for a Horizon Cloud on Azure deployment:

  • France South
  • UAE Central
  • Azure Government (US Gov Iowa)
  • Azure Germany (Germany Central, Germany Northeast)

Check Azure Resource Provider Status and register required Providers

The PowerShell script Register-Providers.ps1 checks all Azure resource providers required by VMware Horizon and registers the ones that are missing. First change the $location variable to the Azure region where you want to deploy VMware Horizon, then run the script in Azure Cloud Shell.

The following Azure resource providers are required by VMware Horizon:

  • Microsoft.Compute
  • microsoft.insights
  • Microsoft.Network
  • Microsoft.Storage
  • Microsoft.KeyVault
  • Microsoft.Authorization
  • Microsoft.Resources
  • Microsoft.ResourceHealth
  • Microsoft.ResourceGraph
  • Microsoft.Security
  • Microsoft.DBforPostgreSQL
  • Microsoft.Sql
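The check-and-register loop described above, written out as an added example (this is not the repository's Register-Providers.ps1). It uses only the Az.Resources cmdlets Get-AzResourceProvider and Register-AzResourceProvider; the provider list is the one from this page, and the timeout value is an assumption. Registering a provider needs Contributor or Owner rights on the subscription, so run it with the account you will use for the deployment.

```powershell
# Added example (not the repo's Register-Providers.ps1): report the registration
# state of every provider listed above, register the missing ones, then wait for
# the asynchronous registration to complete.
$RequiredProviders = @(
    'Microsoft.Compute', 'microsoft.insights', 'Microsoft.Network', 'Microsoft.Storage',
    'Microsoft.KeyVault', 'Microsoft.Authorization', 'Microsoft.Resources', 'Microsoft.ResourceHealth',
    'Microsoft.ResourceGraph', 'Microsoft.Security', 'Microsoft.DBforPostgreSQL', 'Microsoft.Sql'
)

function Get-ProviderState {
    # Get-AzResourceProvider returns one entry per resource type of the namespace;
    # RegistrationState is the same on all of them, so the first one is enough.
    param([string]$Namespace)
    $entry = Get-AzResourceProvider -ProviderNamespace $Namespace -ErrorAction Stop | Select-Object -First 1
    return $entry.RegistrationState
}

function Register-MissingProviders {
    param([string[]]$Namespaces, [int]$TimeoutSeconds = 600)   # timeout is an assumption

    $missing = @(foreach ($ns in $Namespaces) {
        $state = Get-ProviderState -Namespace $ns
        Write-Host ('{0,-28} {1}' -f $ns, $state)
        if ($state -ne 'Registered') { $ns }
    })
    if ($missing.Count -eq 0) { Write-Host 'All required providers are registered.'; return @() }

    foreach ($ns in $missing) { Register-AzResourceProvider -ProviderNamespace $ns | Out-Null }

    # Registration is asynchronous: poll until every namespace reports Registered or we time out.
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        Start-Sleep -Seconds 15
        $pending = @($missing | Where-Object { (Get-ProviderState -Namespace $_) -ne 'Registered' })
        if ($pending.Count -gt 0) { Write-Host "Still registering: $($pending -join ', ')" }
    } while ($pending.Count -gt 0 -and (Get-Date) -lt $deadline)
    return $pending   # empty when everything registered in time
}

$stillPending = Register-MissingProviders -Namespaces $RequiredProviders
if ($stillPending.Count -gt 0) { Write-Warning "Timed out waiting for: $($stillPending -join ', ')" }
```

Run it once before the deployment and again after any subscription change; a provider that is still in the Registering state when Horizon tries to create resources produces errors that look like permission problems.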

Check your Azure Subscription Available Quota

The PowerShell script Available-Quota.ps1 checks every Azure resource quota required by VMware Horizon and reports whether you have enough quota available. First change the $location variable to the Azure region where you want to deploy VMware Horizon, then run the script in Azure Cloud Shell.

This is a sample script output that shows quota is available to proceed with the Horizon deployment:

[screenshot: Checking-quota]
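The quota comparison, as an added example that is not the repository's Available-Quota.ps1. It reads regional usage with Get-AzVMUsage and Get-AzNetworkUsage and compares the free quota (limit minus current usage) with a required minimum per item. The numbers in $Required are placeholders: take the real minimums for your pod size and VM families from the Horizon Cloud on Azure checklist.

```powershell
# Added example (not the repo's Available-Quota.ps1): compare free quota in a
# region with the minimum a Horizon pod needs. $Required values are placeholders.
$Location = 'eastus'   # placeholder: change to your target region

$Required = @{
    # keys are Name.LocalizedValue as reported by Get-AzVMUsage / Get-AzNetworkUsage
    'Total Regional vCPUs'        = 60   # placeholder
    'Standard DSv2 Family vCPUs'  = 40   # placeholder
    'Public IP Addresses'         = 5    # placeholder
    'Load Balancers'              = 3    # placeholder
}

function Get-RegionalUsage {
    # Both cmdlets return objects with Name (Value/LocalizedValue), CurrentValue and Limit.
    param([string]$Location)
    $usage = @(Get-AzVMUsage -Location $Location) + @(Get-AzNetworkUsage -Location $Location)
    $table = @{}
    foreach ($u in $usage) { $table[$u.Name.LocalizedValue] = $u }
    return $table
}

function Test-HorizonQuota {
    # Returns $true only when every required item has enough free quota.
    param([string]$Location, [hashtable]$Required)
    $usage = Get-RegionalUsage -Location $Location
    $ok = $true
    foreach ($name in $Required.Keys) {
        $u = $usage[$name]
        if (-not $u) { Write-Warning "No usage entry named '$name' in $Location"; $ok = $false; continue }
        $available = $u.Limit - $u.CurrentValue
        $status = if ($available -ge $Required[$name]) { 'OK' } else { $ok = $false; 'INSUFFICIENT' }
        Write-Host ('{0,-30} limit={1,6} used={2,6} free={3,6} need={4,6}  {5}' -f `
            $name, $u.Limit, $u.CurrentValue, $available, $Required[$name], $status)
    }
    return $ok
}

if (Test-HorizonQuota -Location $Location -Required $Required) {
    Write-Host 'Quota is available to proceed with the Horizon deployment.'
} else {
    Write-Host 'Request a quota increase for the items marked INSUFFICIENT before deploying.'
}
```

Keeping the comparison in a function that returns a single boolean (and writes the table with Write-Host rather than to the pipeline) matters in PowerShell: if the formatted lines were emitted to the pipeline, the function would return an array and the final if would always be true.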

Get Azure Subscription ID

Get your Azure Subscription ID with the following command:

Get-AzSubscription

Take note of the output and copy your Subscription ID. [screenshot: SubscriptionID]

Create Service Principal

Create an Azure Service Principal with the Contributor role at the subscription level for the VMware Horizon Cloud connection:

az ad sp create-for-rbac -n "VmwareHorizon" --role Contributor --scopes /subscriptions/{Your_SubscriptionID}

Take note of the output; you will need the following information to add your Azure subscription to Horizon Cloud:

"appId": "YOUR-APPLICATION-ID",
"displayName": "VmwareHorizon",
"name": "hexadecimal-name-code-wont-be-used",
"password": "YOUR-APPLICATION-SECRET",
"tenant": "YOUR-AZURE-AD-TENANT-ID"

In the VMware Horizon Universal Console, add a new subscription and paste the information into the appropriate fields. [screenshot: HorizonConfig]

Create VNET and Subnets for VMware Horizon

The script Create-Network.ps1 helps you create a VNET with all subnets required to support a VMware Horizon deployment, plus a site-to-site VPN connection, using the minimum requirements. The diagram below shows the network design and some details: [screenshot: NetworkDesign]

NOTE: You MUST configure the script variables with an address space for the VNET and subnets that does not overlap with the customer's on-premises address space.

NOTE: You should define the custom DNS IP addresses for name resolution on the Azure VNET. Usually these are the IP addresses of your Active Directory servers, which may run on Azure as virtual machines or on-premises (domain controllers); another option is Azure AD Domain Services as a managed directory service.

The script creates a VNET with four non-overlapping address ranges (CIDR format) reserved for the pod's subnets:

  • Management subnet: /27 minimum. The SQL service endpoint (Microsoft.Sql) must be enabled on this subnet.
  • VM subnet, primary (tenant): /27 minimum, /24 to /22 preferred, based on the number of desktops and RDS servers.
  • DMZ subnet: /28 minimum, when Unified Access Gateway is deployed in the pod's VNet (optional).
  • Gateway subnet: /28 minimum, needed for the VPN Gateway that provides site-to-site connectivity.
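The VNET and the four subnets above, as an added example that is not the repository's Create-Network.ps1. Before calling New-AzVirtualNetwork it checks the address plan the two NOTEs warn about: every subnet must sit inside the VNET prefix, no subnet may overlap another, and nothing may overlap the on-premises ranges. All names, prefixes and DNS addresses are placeholders; the VPN gateway itself is not created here.

```powershell
# Added example (not the repo's Create-Network.ps1): validate the address plan,
# then build the VNet with the four subnets. Every value below is a placeholder.
$ResourceGroup = 'rg-horizon'                          # placeholder
$Location      = 'eastus'                              # placeholder
$VnetName      = 'vnet-horizon'                        # placeholder
$VnetPrefix    = '10.50.0.0/16'                        # placeholder
$DnsServers    = @('10.0.0.4', '10.0.0.5')             # placeholder: your domain controllers
$OnPremRanges  = @('10.0.0.0/16', '192.168.0.0/16')    # placeholder: customer on-premises space

$Subnets = @(
    @{ Name = 'snet-management'; Prefix = '10.50.0.0/27';   Endpoint = 'Microsoft.Sql' }  # /27 minimum
    @{ Name = 'snet-tenant';     Prefix = '10.50.4.0/22';   Endpoint = $null }            # /22 preferred
    @{ Name = 'snet-dmz';        Prefix = '10.50.1.0/28';   Endpoint = $null }            # /28 minimum
    @{ Name = 'GatewaySubnet';   Prefix = '10.50.255.0/28'; Endpoint = $null }            # name fixed by Azure
)

function ConvertTo-AddressRange {
    # Returns the first and last address of a CIDR block as unsigned integers.
    param([string]$Cidr)
    $ip, $bits = $Cidr.Split('/')
    $bytes = [System.Net.IPAddress]::Parse($ip).GetAddressBytes()
    [Array]::Reverse($bytes)                                   # network byte order -> little-endian
    $addr  = [uint64][BitConverter]::ToUInt32($bytes, 0)
    $size  = [uint64][Math]::Pow(2, 32 - [int]$bits)
    $start = [uint64][Math]::Floor($addr / $size) * $size      # align to the network boundary
    [pscustomobject]@{ Cidr = $Cidr; Start = $start; End = $start + $size - 1 }
}

function Test-RangeOverlap {
    param($A, $B)
    return ($A.Start -le $B.End) -and ($B.Start -le $A.End)
}

$vnet     = ConvertTo-AddressRange $VnetPrefix
$onPrem   = @($OnPremRanges | ForEach-Object { ConvertTo-AddressRange $_ })
$ranges   = @($Subnets | ForEach-Object { ConvertTo-AddressRange $_.Prefix })
$problems = @()

foreach ($o in $onPrem) {
    if (Test-RangeOverlap $vnet $o) { $problems += "$VnetPrefix overlaps on-premises $($o.Cidr)" }
}
foreach ($r in $ranges) {
    if ($r.Start -lt $vnet.Start -or $r.End -gt $vnet.End) { $problems += "$($r.Cidr) is outside $VnetPrefix" }
    foreach ($o in $onPrem) {
        if (Test-RangeOverlap $r $o) { $problems += "$($r.Cidr) overlaps on-premises $($o.Cidr)" }
    }
}
for ($i = 0; $i -lt $ranges.Count; $i++) {
    for ($j = $i + 1; $j -lt $ranges.Count; $j++) {
        if (Test-RangeOverlap $ranges[$i] $ranges[$j]) { $problems += "$($ranges[$i].Cidr) overlaps $($ranges[$j].Cidr)" }
    }
}
if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Error $_ }
    throw 'Fix the address plan before creating the VNet.'
}

# Subnet configs; the management subnet gets the Microsoft.Sql service endpoint
$subnetConfigs = foreach ($s in $Subnets) {
    $params = @{ Name = $s.Name; AddressPrefix = $s.Prefix }
    if ($s.Endpoint) { $params['ServiceEndpoint'] = $s.Endpoint }
    New-AzVirtualNetworkSubnetConfig @params
}

New-AzVirtualNetwork -Name $VnetName -ResourceGroupName $ResourceGroup -Location $Location `
    -AddressPrefix $VnetPrefix -Subnet $subnetConfigs -DnsServer $DnsServers
```

The overlap test is the standard interval check (A starts before B ends and B starts before A ends); doing it locally before any Azure call is cheaper than discovering the conflict when the site-to-site tunnel comes up and routes collide.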

Creating the VPN Gateway takes around 45 minutes. Afterwards, you must configure both the customer's on-premises gateway and the Azure VPN Gateway to establish the network connectivity. Please check this documentation for more information:

Create Azure App Service Certificate to be used by External Gateway

Azure lets you buy an SSL certificate that you can export and use for the Horizon Cloud External Gateway configuration. Unfortunately, this procedure cannot be completely automated with scripts, so we provide a how-to for creating the certificate, converting it to PEM format and adding it to your Horizon Cloud setup.

  1. Go to the Azure Portal, click Create a resource and type "App Service Certificate"
  2. Select App Service Certificate and click Create
  3. Complete the wizard with the following information:
  • Select the resource group where you will deploy Horizon Cloud on Azure
  • Select the certificate type:
    • Standard gives you a single-FQDN certificate such as "MyVDI.contoso.com"
    • Wildcard gives you more freedom to choose your hostname, since you get a "*.contoso.com" certificate
  • Type your domain hostname:
    • If using Standard: MyVDI.contoso.com
    • If using Wildcard: *.contoso.com
  • Type your certificate name: Mycertificate
  • Select Autorenewal so your certificate is renewed every year.

[screenshot: Certcreation]

  4. Click Review and Create, and then click Create.
  5. After the certificate is created, you need to complete some validation steps before it is issued and available for download.
  6. Open your newly created certificate and go to "Certificate Configuration" on the left-side menu.
  7. Configure your certificate store with Azure Key Vault.
  • If you don't have an Azure Key Vault, you can create one with the following PowerShell command:

New-AzKeyVault -VaultName 'Your-KeyVault-Name' -ResourceGroupName 'Your-ResourceGroup-Name' -Location 'East US'

  8. Verify your domain name using one of the methods recommended on the portal. Creating a TXT record in your public DNS zone is probably the easiest way to do it.
  9. Once you complete all validation steps, your certificate will be issued and ready to be used.

[screenshot: Certcreation]

  10. Now you need to download the certificate in PFX format with its private key.
  11. Go to your Azure Key Vault and select Secrets on the left-side menu.
  12. Click the secret whose name starts with the certificate name you defined in step 3. [screenshot: keyvault1]
  13. Click the hexadecimal code under Current Version. [screenshot: keyvault2]
  14. Click Download as a certificate at the bottom of the page. [screenshot: keyvault3]
  15. Your certificate has now been downloaded to your computer in PFX format; it must be converted to PEM format, which is the format VMware Horizon Cloud supports.
  16. Go to your downloaded certificate and click Install PFX.
  17. Select Local Machine and click Next.

[screenshot: certimport1]

  18. Click Next on File to Import.
  19. On Private Key Protection, leave the password field empty and check the option "Mark this key as exportable".

[screenshot: certimport2]

  20. Click Next and then Finish to complete the certificate import.
  21. Now open the Command Prompt (CMD) and run this command: certlm.msc
  22. It opens the local machine certificate manager snap-in.
  23. Go to Personal, Certificates, and you will be able to locate a certificate with the same FQDN you defined in step 3.

[screenshot: certimport3]

  24. Double-click the certificate, go to the Certification Path tab and make sure you can see both the root and the intermediate certificates, as in the image below:

[screenshot: certimport4]

  25. Now go to the Details tab and click Copy to File.
  26. Click Next on the Certificate Export Wizard.
  27. Select "Yes, export the private key" and click Next.

[screenshot: certimport5]

  28. Make sure "Include all certificates in the certification path if possible" is selected and click Next.

[screenshot: certimport6]

  29. Type a password to protect your exported certificate and click Next. Take note of this password; you will need it later.

[screenshot: certimport7]

  30. Type the path and name of the certificate to be exported, click Next and then click Finish.

[screenshot: certimport8]

  31. Now that your certificate is exported with its private key and the full certificate chain inside it, you can convert it to PEM format.
  32. Open your Command Prompt (CMD) and run the following command.

Note: To complete this step you need to have the OpenSSL command line installed on your computer. If you don't have it, use this link to install OpenSSL

openssl pkcs12 -in <Your-Certificate-Name.PFX> -out <New-Certificate-Name.PEM> -nodes

[screenshot: certimport9]

  33. Now your certificate is ready to upload in the Horizon Cloud pod wizard. Select your .PEM certificate file and upload it.

certimport10
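Before uploading, it is worth checking that the PEM really contains what the earlier steps were meant to produce: the leaf certificate, the intermediate and root (step 24 and step 28), and the private key. The function below is an added example, not part of the repository; it parses the PEM with .NET's X509Certificate2 and walks the chain by matching each certificate's Issuer to another's Subject. Note that -nodes writes the private key unencrypted, so treat the PEM as a secret and delete it from the workstation once the upload has succeeded.

```powershell
# Added example, not part of the repository: inspect the PEM produced by the
# openssl command above before uploading it.
# Usage:  Test-HorizonPem -Path .\New-Certificate-Name.PEM
function Test-HorizonPem {
    param([Parameter(Mandatory)][string]$Path)

    $text = Get-Content -Path $Path -Raw

    # Parse each certificate block into an X509Certificate2 (Windows PowerShell and PowerShell 7)
    $pattern = '-----BEGIN CERTIFICATE-----([A-Za-z0-9+/=\r\n]+)-----END CERTIFICATE-----'
    $certs = @(foreach ($m in [regex]::Matches($text, $pattern)) {
        $der = [Convert]::FromBase64String(($m.Groups[1].Value -replace '\s', ''))
        [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
    })

    # openssl -nodes writes an unencrypted key ("BEGIN PRIVATE KEY" or "BEGIN RSA PRIVATE KEY")
    $hasPrivateKey = $text -match '-----BEGIN (RSA |EC )?PRIVATE KEY-----'
    $keyEncrypted  = $text -match 'BEGIN ENCRYPTED PRIVATE KEY|Proc-Type: 4,ENCRYPTED'

    # The leaf is the certificate that issued none of the others; then walk
    # issuer -> subject until a self-signed root is reached.
    $issuers = @($certs | ForEach-Object { $_.Issuer })
    $leaf    = $certs | Where-Object { $issuers -notcontains $_.Subject } | Select-Object -First 1
    $chain   = @()
    $current = $leaf
    while ($current) {
        $chain += $current
        if ($current.Subject -eq $current.Issuer) { break }   # self-signed root reached
        $current = $certs |
            Where-Object { $_.Subject -eq $current.Issuer -and $chain -notcontains $_ } |
            Select-Object -First 1
    }
    $reachesRoot = ($chain.Count -gt 0) -and ($chain[-1].Subject -eq $chain[-1].Issuer)

    foreach ($c in $chain) {
        Write-Host ('{0}  (issued by {1}, expires {2:yyyy-MM-dd})' -f $c.Subject, $c.Issuer, $c.NotAfter)
    }

    [pscustomobject]@{
        CertificateCount = $certs.Count
        LeafSubject      = if ($leaf) { $leaf.Subject } else { $null }
        LeafExpires      = if ($leaf) { $leaf.NotAfter } else { $null }
        ChainLength      = $chain.Count
        ReachesRoot      = $reachesRoot
        HasPrivateKey    = $hasPrivateKey
        KeyIsEncrypted   = $keyEncrypted
        # ready when key present, chain complete (leaf + intermediate + root) and leaf not expired
        ReadyToUpload    = $hasPrivateKey -and $reachesRoot -and ($chain.Count -ge 3) -and
                           ($null -ne $leaf) -and ($leaf.NotAfter -gt (Get-Date))
    }
}
```

If ReachesRoot is false or ChainLength is below 3, go back to step 24: the chain was not present in the local store when the PFX was exported, and the External Gateway will present an incomplete chain to clients.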

Configure your Active Directory Domain Services with appropriate permissions

The PowerShell script Config-AD.ps1 helps you configure your Active Directory Domain Services environment with the permissions required to complete a Horizon on Azure deployment. Your domain controllers can be on-premises or in Azure; the script works for both scenarios. If you use on-premises domain controllers, the VNET where you deploy Horizon must have connectivity (VPN or ExpressRoute) to the on-premises network where your DNS servers and domain controllers are. You MUST configure the script variables with the user names, group name, OU and password you want to set. The script performs the following actions:

  • Create two bind users with a password defined by you
  • Create a group and add the bind users to it
  • Create an organizational unit where the users, the group and the Horizon VMs will reside
  • Delegate the permissions the users need to join VMs to the OU

It's important that you run the PowerShell script directly on a domain controller, with Domain Admin rights and with the Active Directory PowerShell module installed.

The expected script output is:

[screenshot: output]

Take note of the OU path, bind user names and password; you will need them during your Horizon Cloud deployment.
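The four actions above, as an added example that is not the repository's Config-AD.ps1. It uses the ActiveDirectory module on a domain controller, reads the bind password interactively instead of storing it in the script, and delegates rights through an ACL on the OU. The names are placeholders, and the specific set of rights (create/delete computer objects, plus reset password, account restrictions and the validated DNS-host-name and SPN writes on those computer objects) is the usual domain-join delegation and is an assumption of this example, not a statement of what Config-AD.ps1 grants; the schema GUIDs are the well-known Active Directory values.

```powershell
# Added example (not the repo's Config-AD.ps1): run on a domain controller with
# the ActiveDirectory module. Names are placeholders; the delegated rights are
# the usual domain-join set, an assumption of this example.
Import-Module ActiveDirectory

$OuName    = 'Horizon'                                    # placeholder
$GroupName = 'Horizon-Bind-Users'                         # placeholder
$BindUsers = @('svc-horizon-bind1', 'svc-horizon-bind2')  # placeholder

$domain   = Get-ADDomain
$password = Read-Host -Prompt 'Password for the bind accounts' -AsSecureString   # never hard-code it

# Organizational unit (created once, protected from accidental deletion)
$ou = Get-ADOrganizationalUnit -Filter "Name -eq '$OuName'" -SearchBase $domain.DistinguishedName -SearchScope OneLevel
if (-not $ou) {
    $ou = New-ADOrganizationalUnit -Name $OuName -Path $domain.DistinguishedName `
        -ProtectedFromAccidentalDeletion $true -PassThru
}

# Security group that receives the delegation
$group = Get-ADGroup -Filter "Name -eq '$GroupName'"
if (-not $group) {
    $group = New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security `
        -Path $ou.DistinguishedName -PassThru
}

# Bind users, created inside the OU and added to the group
foreach ($name in $BindUsers) {
    if (-not (Get-ADUser -Filter "SamAccountName -eq '$name'")) {
        New-ADUser -Name $name -SamAccountName $name -UserPrincipalName "$name@$($domain.DNSRoot)" `
            -Path $ou.DistinguishedName -AccountPassword $password -Enabled $true
    }
    Add-ADGroupMember -Identity $group -Members $name
}

# Well-known Active Directory schema GUIDs used in the delegation
$ComputerClass   = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'   # computer object class
$ResetPassword   = [guid]'00299570-246d-11d0-a768-00aa006e0529'   # Reset Password extended right
$AccountRestrict = [guid]'4c164200-20c0-11d0-a768-00aa006e0529'   # Account Restrictions property set
$ValidatedDns    = [guid]'72e39547-7b18-11d1-adef-00c04fd8d5cd'   # validated write to DNS host name
$ValidatedSpn    = [guid]'f3a64788-5306-11d1-a9c5-0000f80367c1'   # validated write to service principal name

$Rule  = [System.DirectoryServices.ActiveDirectoryAccessRule]
$R     = [System.DirectoryServices.ActiveDirectoryRights]
$sid   = [System.Security.Principal.SecurityIdentifier]$group.SID
$allow = [System.Security.AccessControl.AccessControlType]::Allow
$all   = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
$desc  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents

$rules = @(
    # create and delete computer objects in the OU and below
    $Rule::new($sid, ($R::CreateChild -bor $R::DeleteChild), $allow, $ComputerClass, $all)
    # on the computer objects themselves: reset password, account restrictions, validated writes
    $Rule::new($sid, $R::ExtendedRight, $allow, $ResetPassword,   $desc, $ComputerClass)
    $Rule::new($sid, $R::WriteProperty, $allow, $AccountRestrict, $desc, $ComputerClass)
    $Rule::new($sid, $R::Self,          $allow, $ValidatedDns,    $desc, $ComputerClass)
    $Rule::new($sid, $R::Self,          $allow, $ValidatedSpn,    $desc, $ComputerClass)
)

$aclPath = "AD:\$($ou.DistinguishedName)"
$acl = Get-Acl -Path $aclPath
foreach ($rule in $rules) { $acl.AddAccessRule($rule) }
Set-Acl -Path $aclPath -AclObject $acl

# What the Horizon Cloud deployment wizard will ask for
[pscustomobject]@{ OuPath = $ou.DistinguishedName; Group = $group.Name; BindUsers = ($BindUsers -join ', ') }
```

Granting the rights to the group rather than to each user keeps the ACL on the OU stable when a bind account is rotated, and scoping them to computer objects under this one OU (rather than to the domain) is what keeps the bind accounts from becoming a broad domain-join credential.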

Configure DNS CNAME for your Horizon external Gateway

NOTE: Here we assume that your public DNS zone is hosted in Azure. If you host it elsewhere, follow your provider's instructions to create the DNS record; the script prints the CNAME value you should register.

The PowerShell script Config-DNSexternal.ps1 helps you add a CNAME record for your Horizon External Gateway to your Azure public DNS zone, pointing to the UAG load balancer resource. The DNS name must be the same as the certificate domain name you defined in step 3 of the section "Create Azure App Service Certificate to be used by External Gateway". You MUST configure the script variables with the correct DNS zone name, DNS record name, resource group and location before running it.

With this script you can:

  • Create a new Azure DNS zone, if you don't have one created in Azure or registered with another DNS provider
  • Display the CNAME value to use when creating the record with another DNS provider, if you do not host the zone in Azure
  • Add a CNAME record to the Azure DNS zone that maps to the UAG (Horizon external load balancer) DNS name
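The three actions above, as an added example that is not the repository's Config-DNSexternal.ps1. The CNAME target is the DNS label Azure assigned to the public IP of the UAG external load balancer (DnsSettings.Fqdn), which is also the value to hand to an external DNS provider. All resource names are placeholders, including the name and resource group of the pod's public IP.

```powershell
# Added example (not the repo's Config-DNSexternal.ps1): publish the external
# gateway name as a CNAME in an Azure DNS zone. All names are placeholders.
$ResourceGroup    = 'rg-horizon'         # placeholder: resource group of the DNS zone
$ZoneName         = 'contoso.com'        # placeholder: public zone hosted in Azure DNS
$RecordName       = 'MyVDI'              # placeholder: host part of the certificate name
$PipResourceGroup = 'rg-horizon-pod'     # placeholder: resource group holding the pod's public IP
$UagPublicIp      = 'pip-uag-external'   # placeholder: public IP of the UAG external load balancer

function Get-UagCnameTarget {
    # The CNAME target is the Azure-assigned DNS label (FQDN) of the load balancer's public IP.
    param([string]$ResourceGroupName, [string]$Name)
    $pip = Get-AzPublicIpAddress -ResourceGroupName $ResourceGroupName -Name $Name
    if (-not $pip.DnsSettings -or -not $pip.DnsSettings.Fqdn) {
        throw "Public IP '$Name' has no DNS label; assign one before creating the CNAME."
    }
    return $pip.DnsSettings.Fqdn
}

function Set-UagCname {
    # Creates the zone if needed, then creates or updates the CNAME record set. Returns the zone.
    param([string]$ZoneName, [string]$ResourceGroupName, [string]$RecordName, [string]$Target)

    $zone = try { Get-AzDnsZone -Name $ZoneName -ResourceGroupName $ResourceGroupName -ErrorAction Stop } catch { $null }
    if (-not $zone) { $zone = New-AzDnsZone -Name $ZoneName -ResourceGroupName $ResourceGroupName }

    $set = try {
        Get-AzDnsRecordSet -Name $RecordName -RecordType CNAME -ZoneName $ZoneName `
            -ResourceGroupName $ResourceGroupName -ErrorAction Stop
    } catch { $null }

    if ($set) {
        $set.Records.Clear()                                      # a CNAME set holds exactly one target
        Add-AzDnsRecordConfig -RecordSet $set -Cname $Target | Out-Null
        Set-AzDnsRecordSet -RecordSet $set | Out-Null
    } else {
        New-AzDnsRecordSet -Name $RecordName -RecordType CNAME -ZoneName $ZoneName `
            -ResourceGroupName $ResourceGroupName -Ttl 300 `
            -DnsRecords (New-AzDnsRecordConfig -Cname $Target) | Out-Null
    }
    return $zone
}

$target = Get-UagCnameTarget -ResourceGroupName $PipResourceGroup -Name $UagPublicIp
Write-Host "CNAME value to register (use this if your zone is hosted outside Azure): $target"

$zone = Set-UagCname -ZoneName $ZoneName -ResourceGroupName $ResourceGroup -RecordName $RecordName -Target $target
Write-Host "$RecordName.$ZoneName -> $target"

# The record resolves publicly only once these name servers are delegated at your registrar.
$zone.NameServers
```

The name part must match the certificate from the earlier section exactly (MyVDI.contoso.com for a Standard certificate, any host under contoso.com for a Wildcard one); a CNAME that resolves but does not match the certificate's subject makes clients reject the External Gateway.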

License: The Unlicense

