The Horizon Connection Server upgrade process has specific requirements and limitations.
- Connection Server requires a valid license for this latest release. If you have a perpetual license, you will need to download the new key specific for VMware Horizon 2006 or later releases. If you have a subscription license, no additional action is required.
- The domain user account that you use to install the new version of Connection Server must have administrative privileges on the Connection Server host. The Connection Server administrator must have administrative credentials for vCenter Server.
- When you run the installer, you authorize an Administrators account. You can specify the local Administrators group or a domain user or group account. VMware Horizon assigns full Horizon Administration rights, including the right to install replicated Connection Server instances, to this account only. If you specify a domain user or group, you must create the account in Active Directory before you run the installer.
- When you back up Connection Server, the Horizon Directory configuration is exported as encrypted LDIF data. To restore the encrypted backup VMware Horizon configuration, you must provide the data recovery password. The password must contain between 1 and 128 characters.
Security-Related Requirements
- Connection Server requires a TLS certificate that is signed by a CA (certificate authority) and that your clients can validate. Although a default self-signed certificate is generated in the absence of a CA-signed certificate when you install Connection Server, you must replace the default self-signed certificate as soon as possible. Self-signed certificates are shown as invalid in Horizon Console.
Also, updated clients expect information about the server's certificate to be communicated as part of the TLS handshake between client and server. Often updated clients do not trust self-signed certificates.
For complete information about security certificate requirements, see "Configuring TLS Certificates for Horizon Servers" in the Horizon Installation guide. Also see the Scenarios for Setting Up TLS Certificates for Horizon document, which describes setting up intermediate servers that perform tasks such as load balancing and off-loading SSL connections.
Note: If your original servers already have TLS certificates signed by a CA, during the upgrade, VMware Horizon imports your existing CA-signed certificate into the Windows Server certificate store. - Certificates for vCenter Server and VMware Horizon servers must include certificate revocation lists (CRLs). For more information, see "Configuring Certificate Revocation Checking on Server Certificates" in the Horizon Installation document.
Important: If your company uses proxy settings for Internet access, you might have to configure your Connection Server hosts to use the proxy. This step ensures that servers can access certificate revocation checking sites on the Internet. You can use Microsoft Netshell commands to import the proxy settings to Connection Server. For more information, see "Troubleshooting Horizon Server Certificate Revocation Checking" in the Horizon Installation document.
- You might need to make security protocol configuration changes to continue to be compatible with vSphere. If possible, apply patches to ESXi and vCenter Server to support TLSv1.1 and TLSv1.2 before upgrading Connection Server.
If you plan to perform fresh installations of Connection Server instances on additional physical or virtual machines, see the complete list of installation requirements in the Horizon Installation document.