Complete each prerequisite in this section before creating a Horizon domain.

Horizon 7 License

You must have a valid Horizon 7 license key, purchased separately from the VMware Cloud Foundation license. You must add this license key to VMware Cloud Foundation. See Add License Keys for the Software in Your VMware Cloud Foundation System.

Horizon 7 Install Bundle

Download the Horizon 7 install bundle. See Downloading an Install Bundle.


The following networks must be configured.
  • DMZ network

    The DMZ network is the intermediate network between the corporate network and the internet. The incoming interface of the Unified Access Gateway appliances and the DMZ load balancer are connected here.

  • Interconnect network

    This is an optional network for high security environments. The outgoing interface of the Unified Access Gateway appliances are connected with the management network here. This network must be routable to the Horizon management network.

    Instead of having an interconnect network, you can also connect Unified Access Gateway appliances directly to the Horizon management network.

  • Horizon management network

    The Horizon management is the network dedicated to the Horizon components. All Horizon VMs (except Unified Access Gateway) must be on this network. All Connection Servers, Composer Servers, App Volumes, User Environment Manager and management interface of the Unified Access Gateway appliances must have IP addresses from this network. In addition, the load balancers deployed by Horizon domain in front of the Connection Servers and App Volumes must be in this network as well.

Unified Access Gateway has three interfaces - internal, external, and management:
  • The internal interface can be either in the Horizon management or interconnect network. If it is on the interconnect network, it must be routable to the Horizon management network.
  • External interface must be in the DMZ network.
  • Management interface must be in the Horizon Management network.

Load Balancers and IP Addresses

External IP addresses must be available for all VMs and load balancers. The following components need load balancers:
  • Connection Servers
  • App Volumes (optional component)
  • Unified Access Gateway appliances (optional component)

Load balancers must in the same network as the VMs they serve (Connection Servers and App Volumes load balancers in the Horizon management network and Unified Access Gateway load balancer in the DMZ network).

VXLAN Port Groups

VXLAN port groups must be created for the following:

  • Horizon VMs in the Horizon management network
  • Incoming interface (DMZ network)
  • Outgoing interface (Interconnect network)

DNS Records

DNS records for load balancers must be pre-created such that the DNS names assigned to the entry points for load balancers are resolvable to the IP addresses being assigned to the load balancers. This is validated during the Horizon domain creation.

If Secure Dynamic Update is enabled within your Active Directory, a DNS record for each deployed Windows server is added automatically. If Secure Dynamic Update is turned off, you must create a DNS record for each Windows server you are planning to deploy. User Environment Manager, Connection Servers, App Volumes, and Composer Servers are Windows servers.

Custom Windows Image

You must provide a Windows Server image in OVA format for use with the Windows server components. This allows you to configure those server images according to your corporate guidelines.VMware Cloud Foundation supports Windows 2016 and Windows 2012r2 images with the latest VMware tools installed and Windows Remote Management (WinRM) enabled. The template must have an administrator user account enabled.

Active Directory

You need two groups in your Active Directory for a Horizon domain. During the Horizon domain creation, one group is assigned administrative privileges for the Connection Servers and the other group is assigned administrative privileges for App Volumes. You can use a single group with privileges for both. Note that you cannot use groups of Builtin Local type.

You also need two service accounts in your Active Directory. The first account is required for Composer Servers. You can either have a dedicated account for each Composer Server, or one account for all Composer Servers. The second service account must have read-write permissions for the Organizational Unit. This account is used to join the servers that are deployed by Horizon.

A Horizon administrator account is also required for logging in to Horizon and App Volumes. This user must be a member of both the Horizon and App Volumes groups.

All users must be added with the following syntax:


where the domain name is the FQDN of the domain and user name matches the user logon name in AD Users and Computers console (pre-Windows 2000). For example horizon-1.local\vdiadmin.

SQL Servers

You may either use one SQL Server for your entire environment, or use one SQL Server per deployed component. A user account with permissions to create databases is required for each SQL Server to be used. One account can be used for all SQL servers, or you can have a dedicated account per server. Each user account must be an SQL user.

Connection Servers, Composer Servers, and App Volumes require SQL databases. A dedicated SQL database is required for each Composer Server. All Connection Servers share one database, and all App Volumes can share one database. As an example, if you have five Composer Servers and an App Volumes in your environment, you will need seven SQL databases - five for the Composer Servers and one each for App Volumes and Connection Servers. All seven SQL databases can be inside a single SQL Server instance.

VI Workload Domains

You must pre-create the required VI workload domains, which are then associated with the Horizon domain. The end user desktops are placed on the VI workload domains.