Use this procedure if the Connection Server instance that you plan to upgrade is paired with a security server.

This procedure is designed to upgrade one security server and its paired Connection Server instance before moving on to upgrade the next security server and its paired Connection Server instance. This strategy allows for zero down time. If the instance is not paired with a security server, use the procedure Upgrade Connection Servers in a Replicated Group.

The first few steps of this procedure involve upgrading the Connection Server instance. After the Connection Server upgrade, but before the security server upgrade, one of the steps describes removing the IPsec rules for the security server. When you remove the IPsec rules for an active security server, all communication with the security server is lost until you upgrade or reinstall the security server.

By default, communication between a security server and its paired Connection Server instance is governed by IPsec rules. If the existing IPsec rules are not removed before you upgrade or reinstall, the pairing between the security server and Connection Server fails, and a new set of IPsec rules cannot be established after the upgrade.


  • Determine when to perform this procedure. Choose an available desktop maintenance window. Budget 15 to 30 minutes for each security server and its paired Connection Server instance.
  • If you use View Composer, verify that View Composer has been upgraded. See Upgrade View Composer. After you upgrade Connection Server, you must add View Composer using Horizon Administrator.
  • Familiarize yourself with the security-related requirements of Horizon 7, and verify that these requirements are met. See Upgrade Requirements for Horizon Connection Server. You might need to obtain and install a CA-signed TLS server certificate that includes certificate revocation information, verify that Windows Firewall with Advanced Security is set to on, and configure any back-end firewalls to support IPsec.
  • Verify that the virtual or physical machines on which the current security server and Connection Server instances are installed meet the system requirements.

    See Horizon Connection Server Requirements.

  • Complete the tasks listed in Preparing Connection Server for an Upgrade.
  • Verify that you have a license for the new version.
  • Verify that you have a user account with administrative privileges on the hosts that you will use to run the installer and perform the upgrade.
  • Verify that the Connection Server instance to be paired with the security server is accessible to the computer on which you plan to install the security server.
    Note: After a Connection Server upgrade to Horizon 7 version 7.5, security servers with IPsec disabled must be reinstalled. If the IP address of a security server changes it must be reinstalled. Security server pairing does not work correctly if the security server is behind Dynamic NAT.


  1. If you are using a load balancer to manage security servers that are paired with Connection Server instances, disable the security server that is paired with the Connection Server instance you are about to upgrade.
  2. Upgrade the Connection Server instance that is paired with this security server.
  3. Remove IPsec rules for the security server paired with the Connection Server instance that you just upgraded.
    1. In Horizon Administrator, click View Configuration > Servers.
    2. In the Security Servers tab, select a security server and click More Commands > Prepare for Upgrade or Reinstallation.
      If you disabled IPsec rules before you installed the security server, this setting is inactive. In this case, you do not have to remove IPsec rules before you reinstall or upgrade.
    3. Click OK.
    The IPsec rules are removed and the Prepare for Upgrade or Reinstallation setting becomes inactive, indicating that you can reinstall or upgrade the security server.
  4. Configure a security server pairing password using the latest version of Horizon Administrator. See, "Configure a Security Server Pairing Password" in the Horizon 7 Installation document.
  5. On the host of the security server, download and run the installer for the latest version of Connection Server.
    The installer filename is VMware-viewconnectionserver-x86_64-y.y.y-xxxxxx.exe, where xxxxxx is the build number and y.y.y is the version number. The installer determines that an older version is already installed and performs an upgrade. The installer displays fewer installation options than during a fresh installation.

    You will be prompted to supply the security server pairing password.

    You might be prompted to dismiss a message box notifying you that the Security Server service was stopped. The installer stops the service in preparation for the upgrade.

  6. After the installer wizard is finished, verify that the VMware Horizon View Security Server service is started.
  7. If you are using a load balancer for managing this security server, add this server back to the load-balanced group.
  8. Log in to Horizon Administrator, select the security server in the Dashboard, and verify that the security server is now at the latest version.
  9. Verify that you can log in to a remote desktop.
  10. In Horizon Administrator, go to View Configuration > Servers > Security Servers tab and remove any duplicate security servers from the list.
    The automated security server pairing mechanism can produce duplicate entries in the Security Servers list if the full system name does not match the name that was assigned when the security server was originally created.
  11. Use the vdmexport.exe utility to back up the newly upgraded View LDAP database.
    If you have multiple instances of Connection Server in a replicated group, you need only export the data from one instance.
  12. Log in to Horizon Administrator and examine the dashboard to verify that the vCenter Server and View Composer icons are green.
    If either of these icons is red and an Invalid Certificate Detected dialog box appears, you must click Verify and either accept the thumbprint of the untrusted certificate, as described in "What to Do Next," or install a valid CA-signed SSL certificate.

    For information about replacing the default certificate for vCenter Server, see the VMware vSphere Examples and Scenarios document.

  13. Verify that the dashboard icons for the connection server instances are also are green.
    If any instances have red icons, click the instance to determine the replication status. Replication might be impaired for any of the following reasons:
    • A firewall might be blocking communication
    • The VMware VDMDS service might be stopped on a Connection Server instance
    • The VMware VDMS DSA options might be blocking the replications
    • A network problem has occurred

What to do next

To use a default or self-signed certificate from vCenter Server or View Composer, see Accept the Thumbprint of a Default TLS Certificate.

If the upgrade fails on one or more of the Connection Server instances, see Create a Replicated Group After Reverting Connection Server to a Snapshot.

Important: If you plan to use enhanced message security mode for JMS messages, make sure that firewalls allow Connection Server instances to receive incoming JMS traffic on port 4002 from desktops and security servers. Also open port 4101 to accept connections from other Connection Server instances.

If you ever reinstall Connection Server on a server that has a data collector set configured to monitor performance data, stop the data collector set and start it again.