VMware Horizon Pods with Horizon Cloud - Requirements Checklist - Updated as Appropriate for Connecting Pods Starting from the March 2021 Service Release

Complete the following tasks to prepare your Horizon pod's components for connecting with Horizon Cloud. Ensure that every step is completed as described in the following sections to complete a successful deployment.

The sections in this documentation topic are:

Horizon Cloud Control Plane Requirements
Active Directory Requirements
Horizon Pod and Horizon Cloud Connector Requirements
DNS, Ports, and Protocols Requirements
Universal Broker Requirements
Licensing for the Microsoft Windows Operating Systems

This checklist is primarily for Horizon Cloud customer accounts that have never had a pod deployed from or cloud-connected to their tenant environment prior to the March 2021 service release date. Such environments might be referred to as clean-slate environments or greenfield environments.

Some of the requirements listed in the following sections are the ones needed for successfully onboarding a Horizon pod to Horizon Cloud. Some requirements are those needed for the key tasks that are performed after onboarding the Horizon pod to get a productive tenant environment, able to provide multi-cloud assignments to your end users.

Horizon Cloud Control Plane Requirements


☐	Active My VMware account to log in to the Horizon Cloud control plane.
☐	Valid Horizon Universal License. For more information, see the Horizon Universal License page.

Active Directory Requirements


☐	Supported Microsoft Windows Active Directory Domain Services (AD DS) domain functional levels: Microsoft Windows Server 2008 R2 Microsoft Windows Server 2012 R2 Microsoft Windows Server 2016
☐	All cloud-connected pods in the same Horizon Cloud customer account must have line-of-sight to the same set of Active Directory domains at the time you deploy those pods. This requirement applies not only to additional Horizon pods that you subsequently cloud connect using the Horizon Cloud Connector after the first pod, but also to pods deployed into Microsoft Azure using the same customer account. You can see the checklist for Microsoft Azure pods at VMware Horizon Cloud Service on Microsoft Azure Requirements Checklist For New Pod Deployments - Updated As Appropriate for Pods That Deploy Starting From the March 2021 Service Release.
☐	Domain bind account Active Directory domain bind account (a standard user with read access) that has the following permissions: List Contents Read All Properties Read Permissions Read tokenGroupsGlobalAndUniversal (implied by Read All Properties) Note: If you are familiar with the VMware Horizon on-premises offering, the above permissions are the same set that is required for the Horizon on-premises offering's secondary credential accounts, stated in this Horizon on-premises documentation topic. Generally speaking, the domain bind accounts should be granted the default out-of-the-box read-access-related permissions typically granted to Authenticated Users in a Microsoft Active Directory deployment. However, if your organization's AD administrators have chosen to lock down read-access-related permissions for regular users, you must request that those AD administrators preserve the Authenticated Users standard defaults for the domain bind accounts you will use for Horizon Cloud. You should also set the account password to Never Expire to ensure continued access to log in to your Horizon Cloud environment. For additional details and requirements, see Service Accounts That Horizon Cloud Requires for Its Operations
☐	Auxiliary domain bind account — cannot use the same account as above Active Directory domain bind account (a standard user with read access) that has the following permissions: List Contents Read All Properties Read Permissions Read tokenGroupsGlobalAndUniversal (implied by Read All Properties) Note: If you are familiar with the VMware Horizon on-premises offering, the above permissions are the same set that is required for the Horizon on-premises offering's secondary credential accounts, stated in this Horizon on-premises documentation topic. Generally speaking, the domain bind accounts should be granted the default out-of-the-box read-access-related permissions typically granted to Authenticated Users in a Microsoft Active Directory deployment. However, if your organization's AD administrators have chosen to lock down read-access-related permissions for regular users, you must request that those AD administrators preserve the Authenticated Users standard defaults for the domain bind accounts you will use for Horizon Cloud. You should also set the account password to Never Expire to ensure continued access to log in to your Horizon Cloud environment. For additional details and requirements, see Service Accounts That Horizon Cloud Requires for Its Operations
☐	Domain join account Active Directory domain join account which can be used by the system to perform Sysprep operations and join computers to the domain, typically a new account (domain join user account) Set account password to Never Expire This account requires the following Active Directory permissions: List Contents, Read All Properties, Read Permissions, Reset Password, Create Computer Objects, Delete Computer Objects. This account also requires the Active Directory permission named Write All Properties on the OU descendant objects of the target Organizational Unit (OU) that you plan to use for farms and VDI desktop assignments which you create using the Horizon Universal Console. For additional details and requirements, see Service Accounts That Horizon Cloud Requires for Its Operations Note: The use of white spaces in the domain join account's logon name is not supported. If the domain join account's logon name contains a white space, unexpected results will occur in the system operations that rely on that account. In Microsoft Active Directory, when you create a new OU, the system might automatically set the `Prevent Accidental Deletion` attribute which applies a `Deny` to the Delete All Child Objects permission for the newly created OU and all descendant objects. As a result, if you explicitly assigned the Delete Computer Objects permission to the domain join account, in the case of a newly created OU, Active Directory might have applied an override to that explicitly assigned Delete Computer Objects permission. Because clearing the Prevent Accidental Deletion flag might not automatically clear the `Deny` that Active Directory applied to the Delete All Child Objects permission, in the case of a newly added OU, you might have to verify and manually clear the `Deny` permission set for Delete All Child Objects in the OU and all child OUs before using the domain join account in the Horizon Cloud console. Prior to manifest 1600.0, this account required the permissions of the system's Super Administrator role. If your tenant environment has any Horizon Cloud pods in Microsoft Azure running manifests older than manifest 1600.0, the domain join account must be in the described Horizon Cloud Administrators group. The system uses this domain join account with all of your tenant's Horizon Cloud pods in Microsoft Azure. When your tenant has existing pods of manifests older than 1600.0, the domain join account must meet this requirement. For details, see Service Accounts That Horizon Cloud Requires for Its Operations.
☐	Auxiliary domain join account (Optional, cannot use the same account as above) Active Directory domain join account which can be used by the system to perform Sysprep operations and join computers to the domain, typically a new account (domain join user account) Set account password to Never Expire This account requires the following Active Directory permissions: List Contents, Read All Properties, Read Permissions, Reset Password, Create Computer Objects, Delete Computer Objects. This account also requires the Active Directory permission named Write All Properties on the OU descendant objects of the target Organizational Unit (OU) that you plan to use for farms and VDI desktop assignments which you create using the Horizon Universal Console. For additional details and requirements, see Service Accounts That Horizon Cloud Requires for Its Operations Note: The use of white spaces in the domain join account's logon name is not supported. If the domain join account's logon name contains a white space, unexpected results will occur in the system operations that rely on that account. In Microsoft Active Directory, when you create a new OU, the system might automatically set the `Prevent Accidental Deletion` attribute which applies a `Deny` to the Delete All Child Objects permission for the newly created OU and all descendant objects. As a result, if you explicitly assigned the Delete Computer Objects permission to the domain join account, in the case of a newly created OU, Active Directory might have applied an override to that explicitly assigned Delete Computer Objects permission. Because clearing the Prevent Accidental Deletion flag might not automatically clear the `Deny` that Active Directory applied to the Delete All Child Objects permission, in the case of a newly added OU, you might have to verify and manually clear the `Deny` permission set for Delete All Child Objects in the OU and all child OUs before using the domain join account in the Horizon Cloud console. Prior to manifest 1600.0, this account required the permissions of the system's Super Administrator role. If your tenant environment has any Horizon Cloud pods in Microsoft Azure running manifests older than manifest 1600.0, the domain join account must be in the described Horizon Cloud Administrators group. The system uses this domain join account with all of your tenant's Horizon Cloud pods in Microsoft Azure. When your tenant has existing pods of manifests older than 1600.0, the domain join account must meet this requirement. For details, see Service Accounts That Horizon Cloud Requires for Its Operations.
☐	Active Directory groups Horizon Cloud Administrators — Active Directory security group for Horizon Cloud administrators. Contains the Horizon Cloud administrative users and domain join account. This group is granted the Super Administrator role in Horizon Cloud. Horizon Cloud Users — Active Directory security group for the users which will have access to virtual desktops and RDS session-based desktops and published applications in Horizon Cloud. Note: If your tenant environment has any Horizon Cloud pods in Microsoft Azure running manifests older than manifest 1600.0, the domain join account and any auxiliary domain join accounts must also be in Horizon Cloud Administrators group — or in an Active Directory group which is granted the Super Administrator role in Horizon Cloud.

Horizon Pod and Horizon Cloud Connector Requirements


☐	Horizon pod running a minimum of version 7.10 or later. To obtain use of the latest cloud services and features with the cloud-connected pod, it must be running the most currently available version of the Horizon pod software.
☐	Horizon Cloud Connector virtual appliance, a minimum of version 1.8 or later. To obtain use of the latest cloud services and features with the cloud-connected pod, it must be running the most current version, Horizon Cloud Connector version 1.10. Static IP DNS forward and reverse lookup records
☐	Resource requirements for the Horizon Cloud Connector virtual appliance: For version 1.8: Full Feature profile: 8 vCPUs, 8 GB memory (RAM), 40 GB datastore Basic Feature profile: 4 vCPUs, 6 GB memory (RAM), 40 GB datastore For version 1.9: Full Feature profile: 8 vCPUs, 8 GB memory (RAM), 40 GB datastore Basic Feature profile: 4 vCPUs, 6 GB memory (RAM), 40 GB datastore For version 1.10: 8 vCPUs, 8 GB memory (RAM), 40 GB datastore Important: Along with reserving capacity for the Horizon management components such as the Connection Server VMs, Unified Access Gateway VMs, and other components, you should plan on reserving capacity for the Horizon Cloud Connector component. The Horizon Cloud Connector is an infrastructure component that is deployed into your Horizon pod environment to connect a Horizon pod to Horizon Cloud for the use cases of using Horizon subscription licenses and cloud-hosted services with that pod.
☐	Active Directory user used in the pod-onboarding process, when pairing the Horizon Cloud Connector with the pod's Connection Server. This Active Directory user must have the pod's predefined Administrators role on the root access group, as displayed in the pod's Horizon Console in Global Administrators View > Role Permissions > Administrators. In other words, the Active Directory user specified for the pod-onboarding process is a super user for that pod, as described in the Horizon documentation's Horizon Administration guide or Horizon Console Administration guide that is applicable for your pod's software version.

DNS, Ports, and Protocols Requirements


☐	Specific ports and protocols are required both for onboarding a Horizon pod to Horizon Cloud and for ongoing operations of the pod, the Horizon Cloud Connector paired with that pod, and your Horizon Cloud tenant environment. See DNS, Ports, and Protocols Requirements When Using Horizon Cloud Connector and a Horizon Pod.

Universal Broker Requirements

After you complete onboarding your first pod, you can set up use of Universal Broker as the brokering method for your Horizon Cloud environment. When you choose to configure Universal Broker for your environment, at a high level, the following items are needed. For additional specifics, Configure Universal Broker and System Requirements for Universal Broker.


☐	To use Universal Broker with a cloud-connected Horizon pod, the pod must have Unified Access Gateway configured.
☐	Universal Broker has specific DNS, port, and protocol requirements to work with participating Horizon pods. See Horizon Pods - Port and Protocol Requirements for Universal Broker.
☐	Optional: Configure your pod's gateways for two-factor authentication to a RADIUS authentication server, if you want Universal Broker to use two-factor authentication for the pod. DNS Addresses for Unified Access Gateway to resolve the name of the authentication server Routes for Unified Access Gateway to resolve network routing to the authentication server
☐	Optional: A custom FQDN that your end users will use to access the Universal Broker service and the certificate based on that FQDN (optional)

Licensing for the Microsoft Windows Operating Systems

Horizon Cloud does not provide any guest operating system licensing required for use of Microsoft Windows operating systems that you use in the course of using the Horizon Cloud workflows. You, the customer, have the responsibility to have valid and eligible Microsoft licenses that entitle you to create, perform workflows on, and operate the Windows-based desktop VMs and RDSH VMs that you choose to use in your Horizon Cloud tenant environment. The required licensing depends on your intended use.


☐	Licensing for one or more of the following types: Microsoft Windows 7, Microsoft Windows 10
☐	Licensing for one or more of the following types: Microsoft Windows Server 2012 R2, Microsoft Server 2016, Microsoft Server 2019
☐	Microsoft Windows RDS Licensing Servers — for high availability, redundant licensing servers are recommended
☐	Microsoft RDS User or Device CALs or both