Use this procedure if the View Connection Server instance that you plan to upgrade is paired with a security server.

About this task

This procedure is designed to upgrade one security server and its paired View Connection Server instance before moving on to upgrade the next security server and its paired View connection Server instance. This strategy allows for zero down time. If the instance is not paired with a security server, use the procedure Upgrade View Connection Servers in a Replicated Group.

The first few steps of this procedure involve upgrading the View Connection Server instance. After the View Connection Server upgrade, but before the security server upgrade, one of the steps describes removing the IPsec rules for the security server. When you remove the IPsec rules for an active security server, all communication with the security server is lost until you upgrade or reinstall the security server.

By default, communication between a security server and its paired View Connection Server instance is governed by IPsec rules. If the existing IPsec rules are not removed before you upgrade or reinstall, the pairing between the security server and View Connection Server fails, and a new set of IPsec rules cannot be established after the upgrade.

Prerequisites

  • Determine when to perform this procedure. Choose an available desktop maintenance window. Budget 15 to 30 minutes for each security server and its paired View Connection Server instance.

  • If you use View Composer, verify that View Composer has been upgraded. See Upgrade View Composer. After you upgrade View Connection Server, you must add View Composer using View Administrator.

  • Familiarize yourself with the security-related requirements of View, and verify that these requirements are met. See Upgrade Requirements for View Connection Server. You might need to obtain and install a CA-signed SSL server certificate that includes certificate revocation information, verify that Windows Firewall with Advanced Security is set to on, and configure any back-end firewalls to support IPsec.

  • Verify that the virtual or physical machines on which the current security server and View Connection Server instances are installed meet the system requirements.

    See View Connection Server Requirements.

  • Complete the tasks listed in Preparing View Connection Server for an Upgrade.

    Important:

    If any Local Mode desktops are checked out at the time you run the View Connection Server installer to install the upgrade, the upgrade will fail.

  • Verify that you have a license for the new version.

  • Verify that you have a user account with administrative privileges on the hosts that you will use to run the installer and perform the upgrade.

  • If you have not configured a security server pairing password, use the latest version of View Administrator to do so. The installation program will prompt you for this password during installation. See the topic called "Configure a Security Server Pairing Password" in the View Installation document.

Procedure

  1. If you are using a load balancer to manage security servers that are paired with View Connection Server instances, disable the security server that is paired with the View Connection Server instance you are about to upgrade.
  2. Upgrade the View Connection Server instance that is paired with this security server.

    Follow steps 2 through 6 of Upgrade View Connection Servers in a Replicated Group.

  3. Remove IPsec rules for the security server paired with the View Connection Server instance that you just upgraded.
    1. In View Administrator, click View Configuration > Servers.
    2. In the Security Servers tab, select a security server and click More Commands > Prepare for Upgrade or Reinstallation.

      If you disabled IPsec rules before you installed the security server, this setting is inactive. In this case, you do not have to remove IPsec rules before you reinstall or upgrade.

    3. Click OK.

    The IPsec rules are removed and the Prepare for Upgrade or Reinstallation setting becomes inactive, indicating that you can reinstall or upgrade the security server.

  4. On the host of the security server, download and run the installer for the latest version of View Connection Server.

    The installer filename is VMware-viewconnectionserver-x86_64-y.y.y-xxxxxx.exe, where xxxxxx is the build number and y.y.y is the version number. The installer determines that an older version is already installed and performs an upgrade. The installer displays fewer installation options than during a fresh installation.

    You will be prompted to supply the security server pairing password.

    You might be prompted to dismiss a message box notifying you that the Security Server service was stopped. The installer stops the service in preparation for the upgrade.

  5. After the installer wizard is finished, verify that the VMware Horizon View Security Server service is started.
  6. If you are using a load balancer for managing this security server, add this server back to the load-balanced group.
  7. Log in to View Administrator, select the security server in the Dashboard, and verify that the security server is now at the latest version.
  8. Verify that you can log in to a remote desktop.
  9. In View Administrator, go to View Configuration > Servers > Security Servers tab and remove any duplicate security servers from the list.

    The automated security server pairing mechanism can produce duplicate entries in the Security Servers list if the full system name does not match the name that was assigned when the security server was originally created.

  10. Use the vdmexport.exe utility to back up the newly upgraded View LDAP database.

    If you have multiple instances of View Connection Server in a replicated group, you need only export the data from one instance.

  11. Log in to View Administrator and examine the dashboard to verify that the vCenter Server and View Composer icons are green.

    If either of these icons is red and an Invalid Certificate Detected dialog box appears, you must click Verify and either accept the thumbprint of the untrusted certificate, as described in "What to Do Next," or install a valid CA-signed SSL certificate.

    For information about replacing the default certificate for vCenter Server, see the VMware vSphere Examples and Scenarios document.

What to do next

To use a default or self-signed certificate from vCenter Server or View Composer, see Accept the Thumbprint of a Default SSL Certificate.

If the upgrade fails on one or more of the View Connection Server instances, see Create a Replicated Group After Reverting View Connection Server to a Snapshot.

Important:

If you plan to use enhanced message security mode for JMS messages, make sure that firewalls allow View Connection Server instances to receive incoming JMS traffic on port 4002 from desktops and security servers. Also open port 4101 to accept connections from other View Connection Server instances.

If you ever reinstall View Connection Server on a server that has a data collector set configured to monitor performance data, stop the data collector set and start it again.