This article describes the detailed system requirements that your Horizon Cloud tenant environment must meet to support the use of Universal Broker. The requirements differ slightly depending on whether you are configuring Universal Broker for Horizon pods on a VMware SDDC-based platform or for Horizon Cloud pods in Microsoft Azure.

Requirements for Horizon Pods That Are Connected to Horizon Cloud by Horizon Cloud Connector

To support the use of Universal Broker for Horizon pods that are connected to the cloud service by Horizon Cloud Connector, your system environment must meet the following requirements.

  • Each pod must be running Horizon Connection Server version 7.11 or later, with a valid license and the Universal Broker plugin installed, as described in Horizon Pods - Install the Universal Broker Plugin on the Connection Server.
  • Each pod must be configured according to the VMware Horizon documentation or the VMware Horizon 7 documentation. See the "Configuring VMware Horizon for the First Time" topic in the Horizon Installation document, or the "Configuring Horizon 7 for the First Time" topic in the Horizon 7 Installation document.
  • Each pod must be cloud-connected to Horizon Cloud using Horizon Cloud Connector version 1.6 or later.
    Note: If your Horizon pod is cloud-connected using Horizon Cloud Connector 1.8 or later, Universal Broker is supported if you deployed Horizon Cloud Connector with the Full Feature profile or if you deployed with the Basic Feature profile and then manually activated the Cloud Broker Client Service. For more information, see Manually Activate Horizon Cloud Services for Horizon Cloud Connector 1.8 or Later.
  • Each pod must be configured with the required ports and protocols as described in Horizon Pods - DNS, Ports, and Protocol Requirements for Universal Broker.
  • The security server in each pod must be replaced with a Unified Access Gateway appliance, version 3.8 or later. Each pod must be configured with either an internal or external Unified Access Gateway instance, or with both. Unified Access Gateway is required for both internal and external network access. Direct connect mode is not supported.
    Note: Configure each Unified Access Gateway instance as the proxy server for connection requests to its paired Connection Server. Ensure that each Unified Access Gateway instance is paired with only one pod.

    To support specific use cases, the pod must meet additional requirements:

    • To route internal and external network traffic from Universal Broker to their respective internal and external DNS servers, the pod must be configured with both internal and external Unified Access Gateway instances. The internal and external Unified Access Gateway instances can be configured with different FQDNs, or they can be configured with the same FQDN and the pod's load balancer configured with split DNS zones.
    • To use two-factor authentication for Universal Broker, the pod must have at least one external Unified Access Gateway instance configured with the appropriate two-factor authentication service (either RADIUS or RSA SecurID). The configurations of all external Unified Access Gateway instances within a pod must match each other and must be identical to the configurations of external Unified Access Gateway instances across every other participating pod.

    For more information, see the Unified Access Gateway documentation, the VMware Horizon documentation, and the VMware Horizon 7 documentation.

  • Desktop pools must be configured on the participating pods and based on virtual machines running the Windows operating system. In addition, the pool configuration settings must meet the requirements of Universal Broker, as described in Horizon Pods - Prepare an Existing Desktop Pool for Use in a Multi-Cloud Assignment.

Requirements for Pods in Microsoft Azure

To support the use of Universal Broker, each participating pod in Microsoft Azure must be:

  • Deployed new in Microsoft Azure at the July 2020 release's manifest (2298.0) or later
    Note: Universal Broker is available only if you have deployed all your pods in Microsoft Azure at manifest 2298.0 or later. If you deployed any of your pods in Microsoft Azure at earlier than manifest 2298.0, Universal Broker is not an available brokering option for your pods in Microsoft Azure.
  • Configured with either an internal or external Unified Access Gateway instance, or with both. Unified Access Gateway 3.8 or later is required for both internal and external network access. Direct connect mode is not supported.
    Note: Ensure that each Unified Access Gateway instance is paired with only one pod.

    To support specific use cases, the pod must meet additional requirements:

    • To route internal and external network traffic from Universal Broker to their respective internal and external DNS servers, each pod must be configured with both internal and external Unified Access Gateway instances. The internal and external Unified Access Gateway instances can be configured with different FQDNs, or they can be configured with the same FQDN and the pod's load balancer configured with split DNS zones.
    • To use two-factor authentication for Universal Broker, the pod must have at least one external Unified Access Gateway instance configured with the appropriate RADIUS authentication service. The configurations of all external Unified Access Gateway instances within a pod must match each other and must be identical to the configurations of external Unified Access Gateway instances across every other participating pod.
    For more information, see Specify the Horizon Cloud Pod's Gateway Configuration.
  • Configured such that the required DNS names for your regional Universal Broker instance are resolvable and reachable. See the "Pod Deployment and Operations DNS Requirements" table in DNS Requirements for a Horizon Cloud Pod in Microsoft Azure.
  • Configured with the required ports and protocols, as described in the "Ports and Protocols Required by Universal Broker" section in Ports and Protocols Requirements for a Horizon Cloud Pod at the September 2019 Release's Manifest or Later.
  • In a healthy state. On the Capacity page, a healthy pod shows a green dot under the Status column, indicating that the pod is online and ready.
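
A preflight check for the Unified Access Gateway rules that both requirement lists above share (version 3.8 or later, one pod per instance, identical external two-factor settings), as an added example that is not VMware code. The inventory records, their field names, and the `check_uags` helper are assumptions for illustration.

```python
# Added example: the inventory and its field names are constructed for
# illustration; this is not a Horizon Cloud or Unified Access Gateway export format.
import hashlib
import json

MIN_UAG = (3, 8)  # Unified Access Gateway 3.8 or later


def ver(text):
    """Parse a dotted numeric version so that 3.10 sorts above 3.8."""
    return tuple(int(part) for part in text.split("."))


def fingerprint(config):
    """Hash a settings dict independent of key order."""
    return hashlib.sha256(json.dumps(config, sort_keys=True).encode()).hexdigest()


def check_uags(pods, uags, two_factor=False):
    """Return findings for the gateway rules shared by both pod types."""
    findings = []
    for u in uags:
        if ver(u["version"]) < MIN_UAG:
            findings.append(f"{u['name']}: version {u['version']} is below 3.8")
        if len(set(u["pods"])) != 1:
            findings.append(f"{u['name']}: paired with {len(set(u['pods']))} pods, expected 1")
    external = [u for u in uags if u["type"] == "external"]
    for pod in pods:
        if not any(pod in u["pods"] for u in uags):
            findings.append(f"{pod}: no Unified Access Gateway instance")
        elif two_factor and not any(pod in u["pods"] for u in external):
            findings.append(f"{pod}: two-factor authentication needs an external instance")
    if two_factor and len({fingerprint(u.get("two_factor")) for u in external}) > 1:
        findings.append("external two-factor configurations are not identical")
    return findings


SAMPLE_UAGS = [  # constructed inventory
    {"name": "uag-ext-1", "type": "external", "version": "3.10", "pods": ["pod-a"],
     "two_factor": {"method": "radius", "server": "radius.example.test"}},
    {"name": "uag-ext-2", "type": "external", "version": "3.8", "pods": ["pod-b"],
     "two_factor": {"server": "radius2.example.test", "method": "radius"}},
    {"name": "uag-int-1", "type": "internal", "version": "3.7", "pods": ["pod-a", "pod-b"]},
]

if __name__ == "__main__":
    for line in check_uags(["pod-a", "pod-b", "pod-c"], SAMPLE_UAGS, two_factor=True):
        print(line)
```

Versions are compared as integer tuples because a plain string comparison would rank 3.10 below 3.8 and wrongly reject a compliant appliance.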

Client Requirements

To access remote resources brokered by Universal Broker, an end user must be running one of the following client applications:

  • Horizon Client 5.4 or later for their operating system. Windows users can run Horizon Client for Windows 5.3 or later.

    End users can also connect to the Universal Broker service through a web browser using Horizon HTML Access.

    Note: When using Horizon HTML Access, the user's browser displays the standard browser 'unsafe' message when the user starts a brokered desktop, unless the SSL certificate configured on the load balancer of your Unified Access Gateway setup has a common name that precisely matches that load balancer's name and is signed by a well-known Certificate Authority (CA). (For information about the relationship between a certificate's common name and the hostname of where the certificate is installed, see https://support.dnsimple.com/articles/what-is-common-name/.)

For more information about client releases, see the VMware Horizon Clients documentation page.

You must provide your end users with the connection FQDN for Universal Broker. For instructions on how to configure the connection FQDN, see Configure the Universal Broker Settings.