To use Universal Broker for the brokering of resources from end-user assignments, you must first configure certain settings. This article provides detailed, step-by-step instructions for configuring the Universal Broker settings, including the connection FQDN or URL, two-factor authentication, session timeouts, and Horizon feature policies.

The configuration wizard for Universal Broker opens automatically after you first select Universal Broker as your tenant-wide connection broker. You can also open the configuration wizard manually.

Prerequisites

Prepare the required system components according to your pod type.

Horizon pods on a VMware SDDC-based platform:

Horizon Cloud pods in Microsoft Azure:

Important: Ensure that all your Horizon Cloud pods in Microsoft Azure are online and in a healthy, ready state. The Universal Broker service must communicate with the pods and perform some configuration steps on the pods to complete the setup process. If any of the pods are offline or unavailable, the Universal Broker setup fails.

Procedure

  1. If needed, open the configuration wizard for setting up Universal Broker.
    • In the Getting Started page, go to General Setup > Broker and click Go. Then click Set Up to specify a new configuration, or click the pencil icon to edit a configuration.
    • Select Settings > Broker. Then click Set Up to specify a new configuration, or click the pencil icon to edit a configuration.
    The configuration wizard for Universal Broker appears.
  2. In the FQDN page of the wizard, configure the settings for the fully qualified domain name (FQDN) of the Universal Broker service. These settings define the dedicated connection address or URL that your end users will use to access resources brokered by Universal Broker.
    Note: When you modify a subdomain or FQDN setting, it might take some time for the change to take effect across all your DNS servers.
    1. For Type, select either a VMware Provided or Custom fully qualified domain name (FQDN).
    2. Specify additional settings for the selected FQDN type.
      • If you selected the VMware Provided type, specify settings as follows.
        Setting Description
        Sub Domain Enter the unique DNS name of a valid subdomain in your network configuration that represents your company or organization. This subdomain is prefixed to the VMware-provided domain to form the brokering FQDN.
        Note: Some strings are disallowed or reserved by the system. This category of strings includes generic words like book, well-known company-owned terms like gmail, and protocol, coding, and open-source terms like php and sql. The system also disallows a category of patterns of those strings such as mail0, mail1, mail2, and so on.

        However, when you type a disallowed name into this field, the system does not validate the entry at that time. Only when you reach the wizard's final summary step does the system validate the name you typed here and display an error if your entry matches one of the disallowed names. If that happens, enter a different and more unique name here.

        Brokering FQDN This read-only field displays the configured FQDN. The FQDN uses the format https://<your sub-domain>.vmwarehorizon.com.

        Provide this FQDN to your end users to allow them to connect to the Universal Broker service using Horizon Client.

        Universal Broker manages the DNS and SSL validation of this FQDN.

        The following screenshot shows an example of the configuration wizard with the settings for a VMware-provided FQDN filled in.

        Universal Broker configuration wizard with VMware-provided FQDN settings filled in.
      • If you selected the Custom type, specify settings as follows.
        Setting Description
        Brokering FQDN Enter the custom FQDN that your end users will use to access the Universal Broker service. Your custom FQDN functions as an alias to the automatically generated VMware-provided FQDN that completes the connection to the service.

        You must be the owner of the domain name specified in your custom FQDN and provide a certificate that can validate that domain.

        Note: Your custom FQDN, also known as the connection URL, represents your company or organization. Ensure that you have the proper authorization to use this custom FQDN.
        Note: Your custom FQDN must be unique and distinct from the FQDNs of all Unified Access Gateway instances within your pods.
        Important: You must create a CNAME record on your DNS server that maps your custom FQDN to the VMware-provided FQDN representing the internal connection address of the Universal Broker service. For example, the record might map vdi.examplecompany.com to <auto-generated string>.vmwarehorizon.com.
        Certificate Click Browse and upload the certificate (in password-protected PFX format) that validates your brokering FQDN. The certificate must be signed by a trusted CA, either the certificate's Common Name (CN) or any of its Subject Alternative Names (SANs) must match the FQDN, and the certificate's content must conform to standard X.509 format.

        The PFX file must contain the entire certificate chain and the private key: domain certificate, intermediate certificates, root CA certificate, private key.

        The Universal Broker service uses this certificate to establish trusted connection sessions with clients.

        Password Enter the password for the PFX certificate file.
        VMware Provided FQDN This read-only field displays the VMware-provided FQDN that is automatically generated for the brokering service. The FQDN takes the format https://<auto-generated string>.vmwarehorizon.com.

        The VMware-provided FQDN is not visible to end users and represents the internal connection address of the Universal Broker service. Your custom FQDN functions as an alias to the VMware-provided FQDN.

        Important: You must set up an alias association by creating a CNAME record on your DNS server that maps your custom FQDN to the VMware-provided FQDN. For example, the record might map vdi.examplecompany.com to <auto-generated string>.vmwarehorizon.com.

        The following screenshot shows an example of the configuration wizard with the settings for a custom FQDN filled in.

        Universal Broker configuration wizard with custom FQDN settings filled in.
    3. When you are finished configuring the FQDN settings, click Next to proceed to the next page of the wizard.
  3. (Optional) In the Authentication page of the wizard, configure two-factor authentication.
    By default, Universal Broker authenticates users solely through their Active Directory user name and password. You can implement two-factor authentication by specifying an additional authentication method. For more information, see Best Practices When Implementing Two-Factor Authentication in a Universal Broker Environment.
    Important: To use two-factor authentication for Universal Broker, you must first configure the appropriate authentication service on each external Unified Access Gateway instance within every participating pod. The configurations of external Unified Access Gateway instances must be identical within and across participating pods.

    For example, if you want to use RADIUS authentication, you must configure the RADIUS service on each external Unified Access Gateway instance across all participating Horizon pods and pods in Microsoft Azure.

    Do not delete any Unified Access Gateway instances within the participating pods. Since Universal Broker relies on Unified Access Gateway for the protocol traffic between Horizon Client and virtual resources, users cannot access provisioned resources from a participating pod if you delete the Unified Access Gateway instance on that pod.

    Setting Description
    2 Factor Authentication To use two-factor authentication, enable this toggle. When you enable the toggle, you are presented with additional options for configuring two-factor authentication.

    Maintain User Name Enable this toggle to maintain the user's Active Directory user name during authentication to Universal Broker. When enabled:
    • The user must have the same user name credentials for the additional authentication method as for their Active Directory authentication to Universal Broker.
    • The user cannot change the user name in the client login screen.

    If this toggle is turned off, the user is allowed to type a different user name in the login screen.

    Type Specify the authentication method that you want to use in addition to the Active Directory user name and password.

    • To use two-factor authentication across both your Horizon pods and pods in Microsoft Azure, select RADIUS.
    • To use two-factor authentication for your Horizon pods only, select RSA SecurID.
    Note: In this release, RSA SecurID is supported on Horizon pods but not on pods in Microsoft Azure. If you select RSA SecurID, users' RSA authentication requests are attempted through the Unified Access Gateway instances of your Horizon pods only. Active Directory user name and password authentication requests are attempted through the Unified Access Gateway instances of either Horizon pods or pods in Microsoft Azure.
    Show Hint Text Enable this toggle to configure a text string that displays in the client login screen to help prompt the user for their credentials to the additional authentication method.
    Custom Hint Text Enter the text string that you want to display in the client login screen. The specified hint appears to the end user as Enter your DisplayHint user name and password, where DisplayHint is the text string you enter in this text box.

    Note: Universal Broker does not allow the following characters in the custom hint text: & < > ' "

    If you include any of these disallowed characters in the hint text, user connections to the Universal Broker FQDN will fail.

    This hint can help guide users to enter the correct credentials. For example, entering the phrase Company user name and domain password below for results in a prompt to the end user that states: Enter your Company user name and domain password below for user name and password.

    Skip Two-Factor Authentication Enable this toggle to bypass two-factor authentication for internal network users connecting to the Universal Broker service. Ensure that you have specified the public IP ranges belonging to your internal network, as described in Define Internal Network Ranges for Universal Broker.

    • When this toggle is enabled, internal users must enter only their Active Directory credentials to authenticate to the Universal Broker service. External users must enter both their Active Directory credentials and their credentials for the additional authentication service.
    • When this toggle is turned off, both internal and external users must enter their Active Directory credentials and their credentials for the additional authentication service.
    Public IP Ranges This read-only field lists the public IP ranges that represent your internal network. Universal Broker considers any user connecting from an IP address within one of these ranges to be an internal user.

    For more information, see Define Internal Network Ranges for Universal Broker.

    The following screenshot shows an example of the configuration wizard with two-factor authentication settings filled in.

    Universal Broker configuration wizard with two-factor authentication settings filled in
    When you are finished configuring two-factor authentication, click Next to proceed to the next page of the wizard.
  4. In the Settings page of the configuration wizard, configure Durations settings for Horizon Client.
    These timeout settings apply to the connection session between Horizon Client and the assigned desktop allocated by Universal Broker. These settings do not apply to the user's login session to the guest operating system of the assigned desktop. When Universal Broker detects the timeout conditions specified by these settings, it closes the user's Horizon Client connection session.
    Setting Description
    Client Heartbeat Interval Controls the interval, in minutes, between the heartbeats that Horizon Client sends to report the state of the user's connection to Universal Broker. These heartbeats report to Universal Broker how much idle time has passed during the Horizon Client connection session.

    Idle time is measured when no interaction occurs with the end-point device running Horizon Client. This idle time is not affected by inactivity in the login session to the guest operating system that underlies the user's assigned desktop.

    In large desktop deployments, increasing the Client Heartbeat Interval might reduce network traffic and improve performance.

    Client Idle User Maximum idle time, in minutes, allowed during a connection session between Horizon Client and Universal Broker.

    When the maximum time is reached, the user's authentication period expires, and Universal Broker closes all active Horizon Client sessions. To reopen a connection session, the user must reenter their authentication credentials on the Universal Broker login screen.

    Note: To avoid disconnecting users unexpectedly from their assigned desktops, set the Client Idle User timeout to a value that is at least double that of the Client Heartbeat Interval.
    Client Broker Session Maximum time, in minutes, allowed for a Horizon Client connection session before the user's authentication expires. The time starts when the user authenticates to Universal Broker. When the session timeout occurs, the user can continue to work in their assigned desktop. However, if they perform an action (such as changing settings) that requires communication with Universal Broker, Horizon Client prompts them to reenter their Universal Broker credentials.
    Note: The Client Broker Session timeout must be greater than or equal to the sum of the Client Heartbeat Interval value and the Client Idle User timeout.
    Client Credential Cache Controls whether to store user login credentials in the client system cache. Enter 1 to store user credentials in the cache. Enter 0 if you do not want to store user credentials in the cache.
  5. In the Settings page of the configuration wizard, configure Policy Details.
    Policy Details control whether end users can access certain Horizon features, if the features are available on the desktop and client.
    Setting Description
    Multimedia Redirection (MMR) Enable this toggle to allow your end users access to the Multimedia Redirection feature, if the feature is available on the desktop and client.
    USB Access Enable this toggle to allow your end users access to the USB Redirection feature, if the feature is available on the desktop and client.
    Clean Up HTML Access Credentials When Tab is Closed Enabling this setting removes a user's credentials from cache when a user closes a tab that connects to a remote desktop, or closes a tab that connects to the desktop selection page, in the HTML Access client.

    When this setting is enabled, credentials are also removed from cache in the following HTML Access client scenarios:

    • A user refreshes the desktop selection page or the remote session page.
    • The server presents a self-signed certificate, a user starts a remote desktop, and the user accepts the certificate when the security warning appears.
    • A user runs a URI command in the tab that contains the remote session.

    When this setting is switched off, the credentials remain in cache.

    Allow Client to Wait for Powered-Off VM Enabling this setting allows Horizon Client to retry connection requests to a remote desktop that is currently unavailable.

    For example, a client user might request a desktop that is currently powered off. With this setting enabled, Horizon Client can resend its connection request and establish a connection session when the desktop is powered on and available.

    When you are finished configuring Policy Details, click Next to proceed to the next step of the wizard.
  6. Review your settings in the Summary page, and then click Finish to save and apply the configuration.
    Depending on your system and network conditions, it typically takes at least a few minutes and up to half an hour for the configuration settings to take full effect in the Universal Broker service, as DNS records are propagated across the DNS servers in all global regions. During this time, the Universal Broker service is unavailable. When the setup is completed successfully, the Broker section on the Getting Started page shows the Complete status and the Settings > Broker page shows the Enabled status with a green dot.

    Broker page with Universal Broker enabled
    Important: If the Universal Broker setup fails, the Settings > Broker page shows the Error status with a red alert icon. To remediate the configuration failure and set up the Universal Broker service, contact VMware Support as described in VMware Knowledge Base (KB) article 2006985.
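The wizard reports a bad certificate bundle only when you upload it in step 2, so it is worth checking the PFX locally first. The script below is an added example, not part of this documentation or of VMware's tooling, and it assumes the openssl command line tool is installed. check_broker_pfx confirms that the bundle opens with the given password, contains the private key, carries the leaf plus intermediate and root certificates, that the leaf's Common Name or one of its DNS Subject Alternative Names matches the brokering FQDN (a single-label wildcard such as *.examplecompany.com is accepted), and that the leaf verifies against the chain bundled with it. make_sample_pfx builds a throwaway chain for the page's example name vdi.examplecompany.com so the checks can be exercised offline. All function names, file names and the sample chain are this example's own.

```shell
#!/bin/sh
# Added example (not VMware tooling): local pre-flight checks for the PFX that
# step 2 asks you to upload for a custom brokering FQDN. Requires openssl.

# Split a PEM bundle into $2/cert1.pem, $2/cert2.pem, ... (one certificate each).
split_certs() {
  awk -v dir="$2" '/BEGIN CERTIFICATE/{n++; f=1} f{print > (dir "/cert" n ".pem")} /END CERTIFICATE/{f=0}' "$1"
}

# Does a certificate name (exact, or a single-label wildcard such as *.example.com)
# match the brokering FQDN? Case-insensitive, as DNS names are.
name_matches() {
  n=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
  h=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
  case "$n" in
    "*."*) [ "${h%%.*}" != "$h" ] && [ "${h#*.}" = "${n#\*.}" ] ;;
    *)     [ "$n" = "$h" ] ;;
  esac
}

# Print the leaf's Common Name and every DNS Subject Alternative Name, one per line.
leaf_names() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
  openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null | grep -o 'DNS:[^,]*' | sed 's/^DNS://'
}

# check_broker_pfx <file.pfx> <password> <brokering-fqdn>
# Returns 0 when every requirement holds; each failure is reported on stderr.
check_broker_pfx() {
  pfx=$1; pass=$2; fqdn=$3; rc=0
  work=$(mktemp -d) || return 1
  # 1. The password must open the bundle.
  if ! openssl pkcs12 -in "$pfx" -passin "pass:$pass" -nokeys -out "$work/certs.pem" 2>/dev/null; then
    echo "FAIL: cannot open $pfx with the supplied password" >&2; rm -rf "$work"; return 1
  fi
  # 2. The bundle must carry the private key.
  openssl pkcs12 -in "$pfx" -passin "pass:$pass" -nocerts -nodes -out "$work/key.pem" 2>/dev/null || true
  keypub=$(openssl pkey -in "$work/key.pem" -pubout 2>/dev/null || true)
  [ -n "$keypub" ] || { echo "FAIL: PFX contains no private key" >&2; rc=1; }
  # 3. Leaf + intermediate(s) + root: at least three certificates.
  count=$(grep -c 'BEGIN CERTIFICATE' "$work/certs.pem" || true)
  [ "$count" -ge 3 ] || { echo "FAIL: expected leaf, intermediate and root certificates, found $count" >&2; rc=1; }
  # 4. The leaf is the certificate whose public key matches the private key; the rest form the chain.
  split_certs "$work/certs.pem" "$work"
  leaf=
  for c in "$work"/cert*.pem; do
    [ -f "$c" ] || continue
    if [ -n "$keypub" ] && [ "$(openssl x509 -in "$c" -noout -pubkey 2>/dev/null)" = "$keypub" ]; then
      leaf=$c
    else
      cat "$c" >> "$work/others.pem"
    fi
  done
  if [ -z "$leaf" ]; then
    echo "FAIL: no certificate in the bundle matches the private key" >&2; rm -rf "$work"; return 1
  fi
  # 5. The CN or a DNS SAN of the leaf must match the brokering FQDN.
  matched=0
  leaf_names "$leaf" > "$work/names.txt"
  while IFS= read -r n; do
    name_matches "$n" "$fqdn" && matched=1
  done < "$work/names.txt"
  [ "$matched" -eq 1 ] || { echo "FAIL: neither the CN nor any DNS SAN of the leaf matches $fqdn" >&2; rc=1; }
  # 6. The leaf must verify against the intermediate and root that travel with it.
  if [ ! -s "$work/others.pem" ] || ! openssl verify -CAfile "$work/others.pem" "$leaf" >/dev/null 2>&1; then
    echo "FAIL: leaf does not chain to the bundled intermediate/root certificates" >&2; rc=1
  fi
  rm -rf "$work"
  return $rc
}

# Constructed sample: a throwaway root -> intermediate -> leaf chain for the page's
# example name, exported as $1/broker.pfx so the checks can be exercised offline.
make_sample_pfx() {
  d=$1; fqdn=$2; pass=$3
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Example Root CA" \
    -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
  printf 'basicConstraints=CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > "$d/ca.ext"
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Example Issuing CA" \
    -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
  openssl x509 -req -days 30 -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null
  printf 'subjectAltName=DNS:%s\n' "$fqdn" > "$d/leaf.ext"
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$fqdn" \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -days 30 -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
    -CAcreateserial -extfile "$d/leaf.ext" -out "$d/leaf.pem" 2>/dev/null
  cat "$d/int.pem" "$d/root.pem" > "$d/chain.pem"
  openssl pkcs12 -export -inkey "$d/leaf.key" -in "$d/leaf.pem" -certfile "$d/chain.pem" \
    -passout "pass:$pass" -out "$d/broker.pfx" 2>/dev/null
}

# Usage: sh check_pfx.sh broker.pfx 'pfx-password' vdi.examplecompany.com
if [ "$#" -eq 3 ]; then
  check_broker_pfx "$1" "$2" "$3" && echo "OK: $1 meets the Universal Broker certificate requirements for $3"
fi
```

Run it against your real bundle before uploading; a failure here is a reason not to upload, while a pass only covers what the page lists (the service may still reject a certificate from a CA it does not trust). The CNAME alias from the custom FQDN to the VMware-provided FQDN is a separate check that needs network access, for example dig +short vdi.examplecompany.com CNAME, and it can only succeed once the wizard has shown you the auto-generated name.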

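Two of the values entered in steps 3 and 4 are easy to get wrong and the page says what happens when they are: a disallowed character in the Custom Hint Text breaks every user connection to the broker FQDN, and Durations that violate the stated relations disconnect users unexpectedly. The script below is an added example, not part of this documentation or of VMware's tooling; it encodes those rules as checks you can run before typing the values into the wizard. The function names and the sample values are this example's own.

```shell
#!/bin/sh
# Added example (not VMware tooling): sanity checks for values from step 3
# (Custom Hint Text) and step 4 (Durations) before they are typed into the wizard.

# Universal Broker rejects & < > ' " in the custom hint text, and the page warns
# that connections to the broker FQDN fail if they get through. Returns 0 when clean.
check_hint_text() {
  case "$1" in
    *'&'*|*'<'*|*'>'*|*"'"*|*'"'*) return 1 ;;
  esac
  return 0
}

# check_durations <heartbeat> <idle-user> <broker-session>, all in minutes.
# Enforces the two relations the page states:
#   Client Idle User      >= 2 * Client Heartbeat Interval
#   Client Broker Session >= Client Heartbeat Interval + Client Idle User
# Returns 0 when consistent; each violation is reported on stderr.
check_durations() {
  hb=$1; idle=$2; sess=$3; ok=0
  for v in "$hb" "$idle" "$sess"; do
    case "$v" in
      ''|*[!0-9]*) echo "durations must be whole numbers of minutes (got '$v')" >&2; return 1 ;;
    esac
  done
  if [ "$idle" -lt $((2 * hb)) ]; then
    echo "Client Idle User ($idle) is below 2 x Client Heartbeat Interval ($hb); users may be disconnected unexpectedly" >&2
    ok=1
  fi
  if [ "$sess" -lt $((hb + idle)) ]; then
    echo "Client Broker Session ($sess) is below Heartbeat + Idle User ($((hb + idle)))" >&2
    ok=1
  fi
  return $ok
}

# validate_broker_settings <heartbeat> <idle-user> <broker-session> <hint-text>
# Runs both checks and returns 0 only if every value is acceptable.
validate_broker_settings() {
  rc=0
  check_durations "$1" "$2" "$3" || rc=1
  check_hint_text "$4" || { echo "hint text contains one of & < > ' \"" >&2; rc=1; }
  return $rc
}

# Usage: sh check_settings.sh 5 10 15 'Company token'
if [ "$#" -eq 4 ]; then
  validate_broker_settings "$1" "$2" "$3" "$4" && echo "OK: settings are consistent"
fi
```

The integer check in check_durations is there because the wizard fields take minutes; the script does not know the service's own upper or lower limits, so it only enforces the relations this page states.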
What to do next