You run the Connection Server installer and select the Horizon Enrollment Server option to install an enrollment server. The enrollment server requests short-lived certificates on behalf of the users you specify. These short-term certificates are the mechanism True SSO uses for authentication to avoid prompting users for Active Directory credentials.

You must install and set up at least one enrollment server, and the enrollment server cannot be installed on the same host as Connection Server. VMware recommends that you have two enrollment servers for purposes of failover and load balancing. If you have two enrollment servers, by default one is preferred and the other is used for failover. You can change this default, however, so that the connection server alternates sending certificate requests to both enrollment servers.

If you install the enrollment server on the same machine that hosts the enterprise CA, you can configure the enrollment server to prefer using the local CA. For best performance, VMware recommends combining the configuration to prefer using the local CA with the configuration to load balance the enrollment servers. As a result, when certificate requests arrive, the connection server will use alternate enrollment servers, and each enrollment server will service the requests using the local CA. For information about the configuration settings to use, see Enrollment Server Configuration Settings and Connection Server Configuration Settings.

Prerequisites

  • Create a Windows Server 2012 R2, Windows server 2016, or Windows Server 2019 virtual machine with at least 4GB of memory, or use the virtual machine that hosts the enterprise CA. Do not use a machine that is a domain controller.
  • Verify that no other Horizon component, including Connection Server, Horizon Client, or Horizon Agent is installed on the virtual machine.
  • Verify that the virtual machine is part of the Active Directory domain for the Horizon deployment.
  • Verify that you are using an IPv4 environment. This feature is currently not supported in an IPv6 environment
  • VMware recommends that the system must have a static IP address.
  • Verify that you can log in to the operating system as a domain user with Administrator privileges. You must log in as an administrator to run the installer.

Procedure

  1. On the machine that you plan to use for the enrollment server, add the Certificate snap-in to MMC:
    1. Open the MMC console and select File > Add/Remove Snap-in
    2. Under Available snap-ins, select Certificates and click Add.
    3. In the Certificates snap-in window, select Computer account, click Next, and click Finish.
    4. In the Add or Remove Snap-in window, click OK.
  2. Issue an enrollment agent certificate:
    1. In the Certificates console, expand the console root tree, right-click the Personal folder, and select All Tasks > Request New Certificate.
    2. In the Certificate Enrollment wizard, accept the defaults until you get to the Request Certificates page.
    3. On the Request Certificates page, select the Enrollment Agent (Computer) check box and click Enroll.
    4. Accept the defaults on the other wizard pages, and click Finish on the last page.
    In the MMC console, if you expand the Personal folder and select Certificates in the left pane, you will see a new certificate listed in the right pane.
  3. Install the enrollment server:
    1. Download the Horizon Connection Server installer file from the VMware download site at https://my.vmware.com/web/vmware/downloads.
      Under Desktop & End-User Computing, select the VMware Horizon download, which includes Connection Server.
    2. Double-click the installer file to start the wizard, and follow the prompts until you get to the Installation Options page.
    3. On the Installation Options page, select Horizon Enrollment Server and choose an authentication mode for the enrollment server instance, then click Next.
      Option Description
      Horizon Configures the authentication mode for a Horizon environment.
      Horizon Cloud Configures the authentication mode for a Horizon Cloud environment.
    4. Follow the prompts to finish the installation.
    You must enable the incoming connections on Port 32111 (TCP) for enrollment server to be functional. The installer opens the port by default during installation.

What to do next