To install Horizon Agent for Linux, you must meet certain requirements for the Linux operating system, Linux virtual machine, VMware Horizon system components, and vSphere platform.

Supported Linux Versions for Horizon Agent

The following table lists the Linux operating systems that are supported for Horizon Agent.

Table 1. Supported Linux Operating Systems for Horizon Agent
Linux Distribution Architecture
Ubuntu 20.04 and 18.04 x64
Red Hat Enterprise Linux (RHEL) Workstation 7.2, 7.3, 7.4, 7.5, 7.6, 7.7, 7.8, 7.9, 8.0, 8.1, 8.2, and 8.3 x64
Red Hat Enterprise Linux (RHEL) Server 7.8, 7.9, 8.2, and 8.3 x64
CentOS 7.2, 7.3, 7.4, 7.5, 7.6, 7.7, 7.8, 7.9, 8.0, 8.1, 8.2, and 8.3 x64
SUSE Linux Enterprise Desktop (SLED) 12 SP3, 15 SP1, and 15 SP2 x64
SUSE Linux Enterprise Server (SLES) 12 SP3, 12 SP5, 15 SP1, and 15 SP2 x64
Note: Horizon Agent has dependency packages on some Linux distributions. See Install Dependency Packages for Horizon Agent for more information.

Required Platform and Software Versions

To install and use Horizon Agent for Linux, your deployment must meet certain requirements for the vSphere platform, Horizon Connection Server, and Horizon Client software.

Table 2. Required Platform and VMware Horizon Software Versions
Platform and Software Supported Versions
vSphere platform version
  • vSphere 6.0 U2 or a later release
  • vSphere 6.5 U1 or a later release
  • vSphere 6.7 or a later release
Horizon environment
  • Horizon Connection Server 2103
Horizon Client software
  • Horizon Client for Android 2103
  • Horizon Client for Windows 2103
  • Horizon Client for Linux 2103
  • Horizon Client for Mac 2103
  • Horizon Client for iOS 2103
  • HTML Access 2103 on Chrome and Firefox
  • Zero clients that support the VMware Blast protocol
    Note: Teradici PCoIP zero clients are not supported.

TCP/UDP Ports Used by Linux Virtual Machines

Horizon Agent and Horizon Clients use TCP or UDP ports for network access between each other and various Horizon server components.

Table 3. TCP/UDP Ports Used by Linux Virtual Machines
Source | Port | Target | Port | Protocol | Description
Horizon Client | * | Linux Agent | 22443 | TCP/UDP | Blast if Blast Security Gateway is used
Horizon Connection Server or Unified Access Gateway appliance | * | Linux Agent | 22443 | TCP/UDP | Blast if Blast Security Gateway is used
Horizon Agent | * | Horizon Connection Server | 4001, 4002 | TCP | JMS SSL traffic
Note: For more information on TCP and UDP ports used by clients, see the Horizon Security document and the Network Ports in VMware Horizon guide.

To allow users to connect to their Linux desktops, the desktops must be able to accept incoming TCP connections from Horizon Client devices, Unified Access Gateway, and Horizon Connection Server.

On Ubuntu distributions, the iptables firewall is configured by default with an input policy of ACCEPT.

On RHEL and CentOS distributions, where possible, the Horizon Agent installer script configures the iptables firewall with an input policy of ACCEPT.

Make sure that iptables on an RHEL or CentOS guest operating system has an input policy of ACCEPT for new connections to the Blast port, 22443.
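An ACCEPT input policy only decides packets that no rule in the chain matches, so a ruleset can have that policy and still reject new connections to 22443. The following added example (not VMware's code; the function name and sample rulesets are constructed here) evaluates `iptables -S INPUT` output for TCP and UDP, assuming a flat INPUT chain.

```shell
#!/bin/sh
# Added example: reads `iptables -S INPUT` output on stdin and prints ALLOW, BLOCK or
# UNKNOWN for a NEW inbound connection to the Blast port. Assumes a flat INPUT chain:
# a jump to another chain gives UNKNOWN; interface/address-limited rules are skipped.
blast_input_verdict() {   # $1 = tcp or udp
    awk -v proto="$1" -v port=22443 '
    function port_in(spec,   parts, r, n, k) {   # single port, comma list, or lo:hi range
        n = split(spec, parts, ",")
        for (k = 1; k <= n; k++)
            if (split(parts[k], r, ":") == 1 ? r[1] + 0 == port : (port >= r[1] + 0 && port <= r[2] + 0)) return 1
        return 0
    }
    $1 == "-P" && $2 == "INPUT" { policy = $3; next }
    $1 != "-A" || $2 != "INPUT" { next }
    {
        target = ""; applies = 1
        for (i = 3; i <= NF; i++) {
            if ($i == "-j") target = $(i + 1)
            else if ($i == "-p" && $(i + 1) != proto && $(i + 1) != "all") applies = 0
            else if (($i == "--dport" || $i == "--dports") && !port_in($(i + 1))) applies = 0
            else if (($i == "--state" || $i == "--ctstate") && ("," $(i + 1) ",") !~ /,NEW,/) applies = 0
            else if ($i ~ /^(-i|-s|-d|--sport|!)$/) applies = 0
        }
        if (!applies || target == "LOG") next      # LOG does not end chain traversal
        verdict = (target == "ACCEPT") ? "ALLOW" : (target ~ /^(DROP|REJECT)$/) ? "BLOCK" : "UNKNOWN"
        exit
    }
    END { if (verdict == "") verdict = (policy == "ACCEPT") ? "ALLOW" : "BLOCK"; print verdict }'
}

# Constructed sample: ACCEPT policy, but a trailing REJECT rule and no rule for 22443.
SAMPLE_CLOSED='-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited'
# Constructed sample: similar ruleset with a TCP-only rule for the Blast port.
SAMPLE_TCP_ONLY='-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22443 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited'

for p in tcp udp; do
    printf '%s closed=%s tcp_only=%s\n' "$p" \
        "$(printf '%s\n' "$SAMPLE_CLOSED" | blast_input_verdict "$p")" \
        "$(printf '%s\n' "$SAMPLE_TCP_ONLY" | blast_input_verdict "$p")"
done
```

On a desktop, run `iptables -S INPUT | blast_input_verdict tcp` as root, and again with `udp`, because Blast can use either transport.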

When the BSG is enabled, client connections are directed from a Horizon Client device through the BSG on the Horizon Connection Server to the Linux desktop. When the BSG is not enabled, connections are made directly from the Horizon Client device to the Linux desktop.

Verify the Linux Account Used by Linux Virtual Machines

The following table lists the account name and account type used by Linux virtual machines.

Table 4. Account Name and Account Type
Account Name | Account Type | Used By
root | Linux OS built-in | Java Standalone Agent, mksvchanserver, shell scripts
vmwblast | Created by Linux Agent installer | VMwareBlastServer
<current login user> | Linux OS built-in or AD user or LDAP user | Python script

Desktop Environment

Horizon Agent for Linux supports multiple desktop environments on different Linux distributions. The following table lists the default desktop environments for each Linux distribution and the additional desktop environments supported by Horizon Agent for Linux.
Table 5. Supported Desktop Environments
Linux Distribution | Default Desktop Environment | Desktop Environments Supported by Horizon Agent for Linux
Ubuntu 20.04/18.04 | Gnome | Gnome Ubuntu, K Desktop Environment (KDE), MATE
RHEL/CentOS 7.x | Gnome | Gnome, KDE
RHEL/CentOS 8.x | Gnome | Gnome
SLED/SLES | Gnome | Gnome
To change the default desktop environment used on one of the supported Linux distributions, you must use the following steps and commands appropriate for your Linux desktop.
Note: Single sign-on (SSO) for KDE and the MATE Desktop Environment only works when your Linux desktop is using the GDM3 greeter (login screen). You must install KDE and MATE using the commands listed in Commands to Install Desktop Environments.

When using RHEL/CentOS 7.x and Ubuntu distributions, SSO fails to unlock a locked KDE session. You must manually enter your password to unlock the locked session.

  1. Install the supported Linux distribution's operating system with the default desktop environment setting.
  2. Run the appropriate commands described in the following table for your specific Linux distribution.
    Table 6. Commands to Install Desktop Environments
    Linux Distribution New Default Desktop Environment Commands to Change the Default Desktop Environment
    RHEL/CentOS 7.x KDE
    # yum groupinstall "KDE Plasma Workspaces"
    Ubuntu 20.04/18.04 KDE
    # apt install plasma-desktop
    Ubuntu 20.04/18.04 MATE 1.225
    # apt install ubuntu-mate-desktop
  3. To begin using the new default desktop environment, restart the desktop.
If you enabled SSO on a Linux desktop that has multiple desktop environments installed, use the following information to select the desktop environment to use in an SSO session.
  • For Ubuntu 20.04/18.04 and RHEL/CentOS 7.x, use the information in the following table to set the SSODesktopType option in the /etc/vmware/viewagent-custom.conf file to specify the desktop environment to use with SSO.
    Table 7. SSODesktopType Option
    Desktop Type SSODesktopType Option Setting
    MATE SSODesktopType=UseMATE
    GnomeUbuntu SSODesktopType=UseGnomeUbuntu
    GnomeFlashback SSODesktopType=UseGnomeFlashback
    KDE SSODesktopType=UseKdePlasma
    GnomeClassic SSODesktopType=UseGnomeClassic
  • For RHEL/CentOS 8.x, for the SSO login session to use Gnome Classic, remove all the desktop startup files, except for the Gnome Classic startup file, from the /usr/share/xsessions directory. Use the following set of commands as an example.
    # cd /usr/share/xsessions
    # mkdir backup
    # mv *.desktop backup
    # mv backup/gnome-classic.desktop ./
    After the initial setup, the end user must log out or reboot their Linux desktop to use Gnome Classic as the default desktop in their next SSO session.

If you disabled SSO on a Linux desktop that has multiple desktop environments installed, you do not need to perform any of the previously described steps. The end users have to select their desired desktop environment when they log in to that Linux desktop.

Network Requirements

VMware Blast Extreme supports both User Datagram Protocol (UDP) and Transmission Control Protocol (TCP). Network conditions affect the performance of UDP and TCP. To get the best user experience, select UDP or TCP based on the network condition.
  • Select TCP if the network condition is good, such as in a local area network (LAN) environment.
  • Select UDP if the network condition is poor, such as in a wide area network (WAN) environment with packet loss and time delay.
Use a network analyzer tool, such as Wireshark, to determine whether VMware Blast Extreme is using TCP or UDP. Use the following set of steps, which use Wireshark, as a reference example.
  1. Download and install Wireshark on your Linux VM.
    For RHEL/CentOS:
    sudo yum install wireshark
    For Ubuntu:
    sudo apt install tshark
  2. Connect to the Linux desktop using VMware Horizon Client.
  3. Open a terminal window and run the following command, which displays the TCP or UDP packets used by VMware Blast Extreme.
    sudo tshark -i any | grep 22443
USB Redirection and Client Drive Redirection (CDR) features are sensitive to network conditions. If the network condition is bad, such as limited bandwidth with time delay and packet loss, the user experience becomes poor. In such conditions, the end user might experience one of the following.
  • Copying remote files can be slow. In this situation, transmit smaller sized files instead.
  • USB device does not appear in the remote Linux desktop.
  • USB data does not transfer completely. For example, if you copy a large file, you might get a file smaller in size than the original file.

VHCI Driver for USB Redirection

The USB redirection feature has a dependency on the USB Virtual Host Controller Interface (VHCI) kernel driver. To support USB 3.0 and the USB redirection feature, you must perform the following steps:

  1. Download the USB VHCI source code from https://sourceforge.net/projects/usb-vhci/files/linux%20kernel%20module/.
  2. To compile the VHCI driver source code and install the resulting binary on your Linux system, use the commands listed in the following table.
    For example, if you unpack the installation file VMware-horizonagent-linux-x86_64-YYMM-y.y.y-xxxxxxx.tar.gz under the /install_tmp/ directory, the full-path_to_patch-file is /install_tmp/VMware-horizonagent-linux-x86_64-YYMM-y.y.y-xxxxxxx/resources/vhci/patch/vhci.patch and the patch command to use is:
    # patch -p1 < /install_tmp/VMware-horizonagent-linux-x86_64-YYMM-y.y.y-xxxxxxx/resources/vhci/patch/vhci.patch
Note: The VHCI driver installation must be done before the installation of Horizon for Linux.
Table 8. Compile and Install the USB VHCI Driver
Linux Distribution Steps to Compile and Install USB VHCI Driver
Ubuntu 20.04/18.04
  1. Install the dependency packages.
    # apt-get install make
    # apt-get install gcc
    # apt-get install libelf-dev
  2. Compile and install the VHCI drivers.
    # tar -xzvf vhci-hcd-1.15.tar.gz
    # cd vhci-hcd-1.15
    # patch -p1 < full-path_to_patch-file
    # make clean && make && make install

RHEL/CentOS 7.x

RHEL/CentOS 8.x

  1. Install the dependency packages.
    # yum install gcc-c++
    # yum install kernel-devel-$(uname -r)
    # yum install kernel-headers-$(uname -r)
    # yum install patch
    # yum install elfutils-libelf-devel
  2. Compile and install the VHCI drivers.
    # tar -xzvf vhci-hcd-1.15.tar.gz
    # cd vhci-hcd-1.15
    # patch -p1 < full-path_to_patch-file
    # make clean && make && make install
  3. (RHEL/CentOS 8.x) To ensure that the VHCI drivers work properly with USB redirection, configure signing settings for the USB driver.
    1. Create an SSL key pair for the USB driver.
      openssl req -new -x509 -newkey rsa:2048 -keyout MOK.priv -outform DER -out MOK.der -nodes -days 36500 -subj "/CN=Descriptive name/" -addext extendedKeyUsage=1.3.6.1.5.5.7.3.3
    2. Sign the USB driver.
      sudo /usr/src/kernels/$(uname -r)/scripts/sign-file sha256 ./MOK.priv ./MOK.der /lib/modules/$(uname -r)/kernel/drivers/usb/host/usb-vhci-iocifc.ko
      sudo /usr/src/kernels/$(uname -r)/scripts/sign-file sha256 ./MOK.priv ./MOK.der /lib/modules/$(uname -r)/kernel/drivers/usb/host/usb-vhci-hcd.ko
    3. Register the key for UEFI Secure Boot.
      sudo mokutil --import MOK.der
      Note: This command issues a request to set a Machine Owner Key (MOK) password for UEFI Secure Boot.
    4. To set up UEFI Secure Boot in the vSphere console, reboot the system. For more information, see https://sourceware.org/systemtap/wiki/SecureBoot.

SLED/SLES 12.x

SLED/SLES 15.x

  1. Find the version of the current kernel package.
    # rpm -qa | grep kernel-default-$(echo $(uname -r) | cut -d '-' -f 1,2)

    The output is the name of the kernel package currently installed. If, for example, the package name is kernel-default-3.0.101-63.1, then the current kernel package version is 3.0.101-63.1.

  2. Install the kernel-devel, kernel-default-devel, kernel-macros, and the patch packages.
    # zypper install --oldpackage kernel-devel-<kernel-package-version> \
    kernel-default-devel-<kernel-package-version> kernel-macros-<kernel-package-version> patch
    For example:
    # zypper install --oldpackage kernel-devel-4.4.21-90.1 kernel-default-devel-4.4.21-90.1 kernel-macros-4.4.21-90.1 patch
  3. Compile and install the VHCI drivers.
    # tar -xzvf vhci-hcd-1.15.tar.gz
    # cd vhci-hcd-1.15
    # patch -p1 < full-path_to_patch-file
    # mkdir -p linux/$(echo $(uname -r) | cut -d '-' -f 1)/drivers/usb/core
    # cp /lib/modules/$(uname -r)/source/include/linux/usb/hcd.h linux/$(echo $(uname -r) | cut -d '-' -f 1)/drivers/usb/core
    # make clean && make && make install
  4. (SLED/SLES 15.x) To ensure that the VHCI drivers work properly with USB redirection, configure signing settings for the USB driver.
    1. Create an SSL key pair for the USB driver.
      openssl req -new -x509 -newkey rsa:2048 -keyout MOK.priv -outform DER -out MOK.der -nodes -days 36500 -subj "/CN=Descriptive name/" -addext extendedKeyUsage=1.3.6.1.5.5.7.3.3
    2. Find the path to the signing file for the USB driver.
      find / -name sign-file

      This command returns the paths to all the signing files located on the system. The signing file path for the USB driver resembles the following example.

      /usr/src/linux-5.3.18-24.9-obj/x86_64/default/scripts/
    3. Sign the USB driver. In the following commands, <sign-file-path> is the path to the signing file that you found earlier in step 4b.
      # sudo /<sign-file-path>/sign-file sha256 ./MOK.priv ./MOK.der /lib/modules/$(uname -r)/kernel/drivers/usb/host/usb-vhci-iocifc.ko
      # sudo /<sign-file-path>/sign-file sha256 ./MOK.priv ./MOK.der /lib/modules/$(uname -r)/kernel/drivers/usb/host/usb-vhci-hcd.ko
    4. Register the key for UEFI Secure Boot.
      # sudo mokutil --import MOK.der
      Note: This command issues a request to set a Machine Owner Key (MOK) password for UEFI Secure Boot.
    5. To set up UEFI Secure Boot in the vSphere console, reboot the system. For more information, see https://sourceware.org/systemtap/wiki/SecureBoot.
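
To confirm the result of the signing steps above for RHEL/CentOS 8.x and SLED/SLES 15.x, the following added example (not part of the VMware procedure; function names and sample output are constructed here) checks that a module's signature names the expected certificate and that MOK.priv, which -nodes leaves unencrypted, is accessible only to its owner. It assumes that modinfo on the system prints the signer and sig_hashalgo fields.

```shell
#!/bin/sh
# Added example: post-signing checks for the VHCI modules (not VMware's tooling).
# Assumption: `modinfo` on the system prints signer and sig_hashalgo fields.

# Reads `modinfo <module>.ko` output on stdin; succeeds only if the module carries a
# signature made by the expected certificate CN with the expected hash algorithm.
module_signed_by() {   # $1 = expected signer CN, $2 = expected hash (e.g. sha256)
    awk -v cn="$1" -v hash="$2" '
        /^signer:/       { sub(/^signer:[ \t]*/, "");       signer = $0 }
        /^sig_hashalgo:/ { sub(/^sig_hashalgo:[ \t]*/, ""); algo = $0 }
        END { exit !(signer == cn && algo == hash) }'
}

# Succeeds only if the private key file grants nothing to group or others.
# MOK.priv is created with -nodes, so file permissions are its only protection.
key_is_owner_only() {   # $1 = path to private key
    mode=$(stat -c '%a' "$1") || return 2
    case "$mode" in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# Constructed modinfo output for a module signed with the key from the steps above.
SAMPLE_SIGNED='filename:       /lib/modules/KVER/kernel/drivers/usb/host/usb-vhci-hcd.ko
license:        GPL
sig_id:         PKCS#7
signer:         Descriptive name
sig_hashalgo:   sha256'
# Constructed modinfo output for a freshly built, unsigned module.
SAMPLE_UNSIGNED='filename:       /lib/modules/KVER/kernel/drivers/usb/host/usb-vhci-iocifc.ko
license:        GPL'

printf '%s\n' "$SAMPLE_SIGNED" | module_signed_by "Descriptive name" sha256 && echo "hcd: signed"
printf '%s\n' "$SAMPLE_UNSIGNED" | module_signed_by "Descriptive name" sha256 || echo "iocifc: NOT signed"
```

On the desktop, pipe `modinfo /lib/modules/$(uname -r)/kernel/drivers/usb/host/usb-vhci-hcd.ko` into `module_signed_by`, and after the reboot use `mokutil --test-key MOK.der` to confirm that the key is enrolled.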

In addition, follow these guidelines:

  • If your Linux kernel changes to a new version, you must recompile and reinstall the VHCI driver, but you do not need to reinstall Horizon for Linux.
  • You can also add Dynamic Kernel Module Support (DKMS) to the VHCI driver using steps similar to the following example for an Ubuntu system.
    1. Install the kernel headers.
      # apt install linux-headers-`uname -r`
    2. Install dkms using the following command.
      # apt install dkms
    3. Extract and patch the VHCI TAR file.
      # tar xzvf vhci-hcd-1.15.tar.gz
      # cd vhci-hcd-1.15
      # patch -p1 < full-path_to_patch-file
      # cd ..
    4. Copy the extracted VHCI source files to the /usr/src directory.
      # cp -r vhci-hcd-1.15 /usr/src/usb-vhci-hcd-1.15
    5. Create a file named dkms.conf and place it in the /usr/src/usb-vhci-hcd-1.15 directory.
      # touch /usr/src/usb-vhci-hcd-1.15/dkms.conf
    6. Add the following contents to the dkms.conf file.
      PACKAGE_NAME="usb-vhci-hcd"
      PACKAGE_VERSION=1.15
      MAKE_CMD_TMPL="make KVERSION=$kernelver"
      
      CLEAN="$MAKE_CMD_TMPL clean"
      
      BUILT_MODULE_NAME[0]="usb-vhci-iocifc"
      DEST_MODULE_LOCATION[0]="/kernel/drivers/usb/host"
      MAKE[0]="$MAKE_CMD_TMPL"
      
      BUILT_MODULE_NAME[1]="usb-vhci-hcd"
      DEST_MODULE_LOCATION[1]="/kernel/drivers/usb/host"
      MAKE[1]="$MAKE_CMD_TMPL"
      
      AUTOINSTALL="YES"
    7. Add this VHCI driver in dkms.
      # dkms add usb-vhci-hcd/1.15
    8. Build the VHCI driver.
      # dkms build usb-vhci-hcd/1.15
    9. Install the VHCI driver.
      # dkms install usb-vhci-hcd/1.15