The Horizon Connection Server upgrade process has specific requirements and limitations.

  • Connection Server requires a valid license key for this latest release.

  • The domain user account that you use to install the new version of Connection Server must have administrative privileges on the Connection Server host. The Connection Server administrator must have administrative credentials for vCenter Server.

  • When you run the installer, you authorize an Administrators account. You can specify the local Administrators group or a domain user or group account. Horizon 7 assigns full Horizon Administration rights, including the right to install replicated Connection Server instances, to this account only. If you specify a domain user or group, you must create the account in Active Directory before you run the installer.

  • When you back up Connection Server, the View LDAP configuration is exported as encrypted LDIF data. To restore the encrypted backup Horizon 7 configuration, you must provide the data recovery password. The password must contain between 1 and 128 characters.

Security-Related Requirements

  • Connection Server requires a TLS certificate that is signed by a CA (certificate authority) and that your clients can validate. Although a default self-signed certificate is generated in the absence of a CA-signed certificate when you install Connection Server, you must replace the default self-signed certificate as soon as possible. Self-signed certificates are shown as invalid in Horizon Administrator.

    Also, updated clients expect information about the server's certificate to be communicated as part of the TLS handshake between client and server. Often updated clients do not trust self-signed certificates.

    For complete information about security certificate requirements, see "Configuring TLS Certificates for Horizon 7 Servers" in the Horizon 7 Installation guide. Also see the Scenarios for Setting Up TLS Certificates for Horizon 7 document, which describes setting up intermediate servers that perform tasks such as load balancing and off-loading SSL connections.


    If your original servers already have TLS certificates signed by a CA, during the upgrade, Horizon 7 imports your existing CA-signed certificate into the Windows Server certificate store.

  • Certificates for vCenter Server, View Composer, and Horizon 7 servers must include certificate revocation lists (CRLs). For more information, see "Configuring Certificate Revocation Checking on Server Certificates" in the Horizon 7 Installation document.


    If your company uses proxy settings for Internet access, you might have to configure your Connection Server hosts to use the proxy. This step ensures that servers can access certificate revocation checking sites on the Internet. You can use Microsoft Netshell commands to import the proxy settings to Connection Server. For more information, see "Troubleshooting Horizon 7 Server Certificate Revocation Checking" in the Horizon 7 Administration document.

  • If you plan to pair a security server with this Connection Server instance, verify that Windows Firewall with Advanced Security is set to on in the active profiles. It is recommended that you turn this setting to on for all profiles. By default, IPsec rules govern connections between security server and Connection Server and require Windows Firewall with Advanced Security to be enabled.

  • If your network topology includes a firewall between a security server and a Connection Server instance, you must configure the firewall to support IPsec. See the Horizon 7 Installation document.

  • You might need to make security protocol configuration changes to continue to be compatible with vSphere. If possible, apply patches to ESXi and vCenter Server to support TLSv1.1 and TLSv1.2 before upgrading Connection Server. If you cannot apply patches, reenable TLSv1.0 on Connection Server before upgrading. For more information, see Enable TLSv1.0 on vCenter Connections from Connection Server.

  • If you use Horizon 7 servers with a version of View Agent older than 6.2, you will need to enable TLSv1.0 for PCoIP connections. View Agent versions that are older than 6.2 support the security protocol TLSv1.0 only for PCoIP. Horizon 7 servers, including connection servers and security servers, have TLSv1.0 disabled by default. You can enable TLSv1.0 for PCoIP connections on these servers by following the instructions in the VMware Knowledge Base, at

If you plan to perform fresh installations of Connection Server instances on additional physical or virtual machines, see the complete list of installation requirements in the Horizon 7 Installation document.