To install Horizon Agent for Linux, you must meet certain requirements for the Linux operating system, Linux virtual machine, VMware Horizon 8 system components, and VMware vSphere platform.

Supported Linux Distributions for Horizon Agent

The following table lists the Linux operating systems that have been tested and are supported for Horizon Agent.

Table 1. Supported Linux Operating Systems for Horizon Agent
Linux Distribution Architecture
Ubuntu 20.04 and 22.04 x64
Debian 10.13, 11.5, 11.6, and 11.7 x64
Red Hat Enterprise Linux (RHEL) Workstation 7.9, 8.6, 8.7, 8.8, 9.0, 9.1, and 9.2 x64
Red Hat Enterprise Linux (RHEL) Server 7.9, 8.6, 8.7, 8.8, 9.0, 9.1, and 9.2 x64
Rocky Linux 8.8 and 9.2 x64
CentOS 7.9 x64
SUSE Linux Enterprise Desktop (SLED) 15 SP3 and 15 SP4 x64
SUSE Linux Enterprise Server (SLES) 15 SP3 and 15 SP4 x64
Note: Horizon Agent has dependency packages on some Linux distributions. See Install Dependency Packages for Horizon Agent for more information.

Some features are supported on a limited subset of Linux operating systems. For more information, see the section of this document that discusses the specific feature.

The install_viewagent.sh installation script provides a --force parameter that forces the installation of Horizon Agent on Linux distributions not listed in the test support matrix. See Command-line Options for Installing Horizon Agent for Linux.

Required Platform and Software Versions

To install and use Horizon Agent for Linux, your deployment must meet certain requirements for the vSphere platform, Horizon Connection Server, and Horizon Client software.

Table 2. Required Platform and VMware Horizon Software Versions
Platform and Software Supported Versions
vSphere platform version
  • vSphere 8.0 or later release
  • vSphere 7.0 or later release
  • vSphere 6.7 or later release
  • vSphere 6.5 U1 or later release
VMware Horizon 8 environment
  • Horizon Connection Server 2306
Horizon Client software
  • Horizon Client for Android 2306
  • Horizon Client for Windows 2306
  • Horizon Client for Linux 2306
  • Horizon Client for Mac 2306
  • Horizon Client for iOS 2306
  • HTML Access 2306 on Chrome and Firefox
  • Zero clients that support the VMware Blast protocol
    Note: Teradici PCoIP zero clients are not supported.

Ports Used by Linux Desktops

To enable connection sessions, Linux desktops must support incoming TCP connections from Horizon Client devices, Unified Access Gateway, and Horizon Connection Server.

On Ubuntu and Debian distributions, the iptables firewall is configured by default with an input policy of ACCEPT.

On RHEL, Rocky Linux, and CentOS distributions, where possible, the Horizon Agent installer script configures the iptables firewall with an input policy of ACCEPT. To ensure support of incoming connections, verify that iptables has an input policy of ACCEPT for new connections through the Blast port, 22443.
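
The following check is an added example, not part of the VMware documentation. It reads the output of iptables -S INPUT and reports whether a new TCP connection to port 22443 would be accepted, which an ACCEPT policy alone does not guarantee when a catch-all REJECT or DROP rule ends the chain. The function names and the sample rule sets are constructed for illustration, and only rules in the INPUT chain itself are evaluated.

```sh
#!/bin/sh
# Added example (not VMware code): reads `iptables -S INPUT` output on stdin
# and prints "accept" or "blocked" for a NEW TCP connection to the Blast port.
# Assumption: user-chain jumps and source/interface-limited rules do not match.
BLAST_PORT=22443

blast_port_verdict() {
    policy=ACCEPT verdict=
    set -f                                  # no globbing while word-splitting
    while read -r line; do
        set -- $line
        case "$1" in
            -P) [ "$2" = INPUT ] && policy=$3; continue ;;
            -A) [ "$2" = INPUT ] || continue ;;
            *)  continue ;;
        esac
        shift 2
        target= applies=yes
        while [ $# -gt 0 ]; do
            case "$1" in
                -p) [ "$2" = tcp ] || [ "$2" = all ] || applies=no; shift ;;
                -m) shift ;;                # skip the match-module name
                --dport) [ "$2" = "$BLAST_PORT" ] || applies=no; shift ;;
                --state|--ctstate)
                    case ",$2," in *,NEW,*) ;; *) applies=no ;; esac; shift ;;
                -j) target=$2; break ;;     # target options follow; stop here
                *)  applies=no ;;           # -s, -i, ! ...: conditional rule
            esac
            shift
        done
        [ "$applies" = yes ] || continue
        case "$target" in                   # first terminating match wins
            ACCEPT)      verdict=accept;  break ;;
            DROP|REJECT) verdict=blocked; break ;;
        esac
    done
    set +f
    [ -n "$verdict" ] || { [ "$policy" = ACCEPT ] && verdict=accept || verdict=blocked; }
    echo "$verdict"
}

# Constructed sample: policy ACCEPT, but a catch-all REJECT ends the chain.
sample_rhel() {
cat <<'EOF'
-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
EOF
}
# Same sample with the NEW-connection rule pointed at the Blast port instead.
sample_rhel_blast() { sample_rhel | sed 's/--dport 22 /--dport 22443 /'; }
echo "sample_rhel:       $(sample_rhel | blast_port_verdict)"
echo "sample_rhel_blast: $(sample_rhel_blast | blast_port_verdict)"
```

On a Linux desktop, feed it the live rules with: sudo iptables -S INPUT | blast_port_verdict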

When you enable Blast Secure Gateway (BSG), client connections are directed from a Horizon Client device through the BSG on the Horizon Connection Server to the Linux desktop. When you do not enable BSG, connections are made directly from the Horizon Client device to the Linux desktop.

For detailed information on the ports used by Horizon Agent on Linux desktops, see the Horizon Security document and the Network Ports in VMware Horizon guide.

Verify the Linux Account Used by Linux Virtual Machines

The following table lists the account name and account type used by Linux virtual machines.

Table 3. Account Name and Account Type
Account Name | Account Type | Used By
root | Linux OS built-in | Java Standalone Agent, mksvchanserver, shell scripts
vmwblast | Created by Linux Agent installer | VMwareBlastServer
<current login user> | Linux OS built-in or AD user or LDAP user | Python script

Desktop Environment

Horizon Agent for Linux supports multiple desktop environments on different Linux distributions. The following table lists the default desktop environments for each Linux distribution and the other desktop environments supported by Horizon Agent for Linux.
Table 4. Supported Desktop Environments
Linux Distribution | Default Desktop Environment | Desktop Environments Supported by Horizon Agent for Linux
Ubuntu | Gnome | Gnome Ubuntu, K Desktop Environment (KDE), MATE
Debian | Gnome | Gnome, KDE, MATE
RHEL and Rocky Linux 8.x/9.x | Gnome | Gnome
RHEL 7.9 | Gnome | Gnome, KDE, MATE
CentOS 7.9 | Gnome | Gnome, KDE
SLED/SLES | Gnome | Gnome
Note: When using RHEL/CentOS 7.x and Ubuntu distributions, SSO fails to unlock a locked KDE session. You must manually enter your password to unlock the locked session.

To change the default desktop environment used on one of the supported Linux distributions, you must use the following steps and commands appropriate for your Linux desktop.

  1. Install the supported Linux distribution's operating system with the default desktop environment setting.
  2. Run the appropriate commands described in the following table for your specific Linux distribution.
    Table 5. Commands to Install Desktop Environments
    Linux Distribution New Default Desktop Environment Commands to Change the Default Desktop Environment
    RHEL/CentOS 7.9 KDE
    yum groupinstall "KDE Plasma Workspaces"
    RHEL 7.9 MATE
    rpm -ivh https://dl.fedoraproject.org/pub/epel/7/x86_64/Packages/e/epel-release-7-14.noarch.rpm
    
    yum groupinstall -y "MATE Desktop"
    Ubuntu KDE
    apt install plasma-desktop
    Ubuntu MATE
    apt install ubuntu-mate-desktop
  3. To begin using the new default desktop environment, restart the desktop.
If you enabled SSO on a Linux desktop that has multiple desktop environments installed, use the following information to select the desktop environment to use in an SSO session.
  • For Ubuntu and RHEL/CentOS 7.x, use the information in the following table to set the SSODesktopType option in the /etc/vmware/viewagent-custom.conf file to specify the desktop environment to use with SSO.
    Table 6. SSODesktopType Option
    Desktop Type SSODesktopType Option Setting
    MATE SSODesktopType=UseMATE
    GnomeUbuntu SSODesktopType=UseGnomeUbuntu
    GnomeFlashback SSODesktopType=UseGnomeFlashback
    KDE SSODesktopType=UseKdePlasma
    GnomeClassic SSODesktopType=UseGnomeClassic
  • For RHEL and Rocky Linux 9.x/8.x, for the SSO login session to use Gnome Classic, remove all the desktop startup files, except for the Gnome Classic startup file, from the /usr/share/xsessions directory. For example, run the following set of commands as the root user:
    cd /usr/share/xsessions
    mkdir backup
    mv *.desktop backup
    mv backup/gnome-classic.desktop ./
    After the initial setup, the end user must log out or reboot their Linux desktop to use Gnome Classic as the default desktop in their next SSO session.

If you deactivated SSO on a Linux desktop that has multiple desktop environments installed, you do not need to perform any of the previously described steps. The end users have to select their desired desktop environment when they log in to that Linux desktop.

Network Requirements

VMware Blast Extreme supports both User Datagram Protocol (UDP) and Transmission Control Protocol (TCP). Network conditions affect the performance of UDP and TCP. For the best user experience, select UDP or TCP based on the network conditions.
  • Select TCP if the network condition is good, such as in a local area network (LAN) environment.
  • Select UDP if the network condition is poor, such as in a wide area network (WAN) environment with packet loss and time delay.
Use a network analyzer tool, such as Wireshark, to determine whether VMware Blast Extreme is using TCP or UDP. Use the following set of steps, which use Wireshark, as a reference example.
  1. Download and install Wireshark on your Linux VM.
    For RHEL/CentOS and Rocky Linux:
    sudo yum install wireshark
    For Ubuntu:
    sudo apt install tshark
  2. Connect to the Linux desktop using VMware Horizon Client.
  3. Open a terminal window and run the following command, which displays the TCP or UDP packets used by VMware Blast Extreme.
    sudo tshark -i any | grep 22443
USB Redirection and Client Drive Redirection (CDR) features are sensitive to network conditions. If the network condition is bad, such as limited bandwidth with time delay and packet loss, the user experience becomes poor. In such conditions, the end user might experience one of the following.
  • Copying remote files can be slow. In this situation, transmit smaller sized files instead.
  • USB device does not appear in the remote Linux desktop.
  • USB data does not transfer completely. For example, if you copy a large file, you might get a file smaller in size than the original file.

VHCI Driver for USB Redirection

Note: To determine the correct installation sequence for the VHCI driver, use the following guidelines:
  • If you intend to install Horizon Agent using the .tar.gz tarball installer, you must first download and unpack the tarball installer, then install the VHCI driver, and then install Horizon Agent with the installation parameter for the USB redirection feature.
  • If you intend to install Horizon Agent using the .rpm RPM installer, you must first install Horizon Agent, then install the VHCI driver, and then add the USB redirection feature to the Horizon Agent configuration.

For more information, see Install Horizon Agent on a Linux Virtual Machine.

The USB redirection feature has a dependency on the USB Virtual Host Controller Interface (VHCI) kernel driver. To support USB 3.0 and the USB redirection feature, you must install the VHCI driver by performing the following steps:

  1. Download the USB VHCI source code from https://sourceforge.net/projects/usb-vhci/files/linux%20kernel%20module/.
  2. Identify the full path to the VHCI patch file, depending on the Horizon Agent installer format. For guidelines, see the following examples.
    • (Tarball installer) If you download and unpack the tarball installer VMware-horizonagent-linux-x86_64-YYMM-y.y.y-xxxxxxx.tar.gz under the /install_tmp/ directory, the full-path_to_patch-file is /install_tmp/VMware-horizonagent-linux-x86_64-YYMM-y.y.y-xxxxxxx/resources/vhci/patch/vhci.patch.
    • (RPM installer) If you download the RPM installer VMware-horizonagent-linux-YYMM-y.y.y-xxxxxxx.el8.x86_64.rpm and use it to install Horizon Agent, the full-path_to_patch-file is /usr/lib/vmware/viewagent/resources/vhci/patch/vhci.patch.
  3. To compile the VHCI driver source code and install the resulting binary on your Linux system, use the commands listed in the following table. Replace full-path_to_patch-file in the commands with the file path that you identified in the previous step.
    For example, if the file path is /install_tmp/VMware-horizonagent-linux-x86_64-YYMM-y.y.y-xxxxxxx/resources/vhci/patch/vhci.patch, the patch command becomes:
    patch -p1 < /install_tmp/VMware-horizonagent-linux-x86_64-YYMM-y.y.y-xxxxxxx/resources/vhci/patch/vhci.patch
Table 7. Compile and Install the USB VHCI Driver
Linux Distribution Steps to Compile and Install USB VHCI Driver
Ubuntu
  1. Install the dependency packages.
    sudo apt-get install make
    sudo apt-get install gcc
    sudo apt-get install libelf-dev
  2. (Ubuntu 22.04) Install the kernel header files.
    sudo apt-get install linux-headers-$(uname -r)
  3. Compile and install the VHCI driver.
    tar -xzvf vhci-hcd-1.15.tar.gz
    cd vhci-hcd-1.15
    patch -p1 < full-path_to_patch-file
    make clean && make && sudo make install
  4. If you have enabled the Extensible Firmware Interface (EFI) and UEFI Secure Boot on the virtual machine, configure signing settings for the VHCI driver.
    1. Create an SSL key pair for the VHCI driver.
      openssl req -new -x509 -newkey rsa:2048 -keyout MOK.priv -outform DER -out MOK.der -nodes -days 36500 -subj "/CN=Descriptive name/" -addext extendedKeyUsage=1.3.6.1.5.5.7.3.3
    2. Sign the VHCI driver.
      sudo /usr/src/linux-headers-$(uname -r)/scripts/sign-file sha256 ./MOK.priv ./MOK.der /lib/modules/$(uname -r)/kernel/drivers/usb/host/usb-vhci-iocifc.ko
      
      sudo /usr/src/linux-headers-$(uname -r)/scripts/sign-file sha256 ./MOK.priv ./MOK.der /lib/modules/$(uname -r)/kernel/drivers/usb/host/usb-vhci-hcd.ko
    3. Register the key for UEFI Secure Boot.
      sudo mokutil --import MOK.der
      Note: This command issues a request to set a Machine Owner Key (MOK) password for UEFI Secure Boot.
    4. To set up UEFI Secure Boot in the vSphere console, reboot the system. For more information, see https://sourceware.org/systemtap/wiki/SecureBoot.
Debian
  1. Install the dependency packages.
    sudo apt install -y patch g++ make linux-headers-$(uname -r)
  2. Compile and install the VHCI driver.
    tar -xzvf vhci-hcd-1.15.tar.gz
    cd vhci-hcd-1.15
    patch -p1 < full-path_to_patch-file
    mkdir -p linux/$(echo $(uname -r) | cut -d '-' -f 1)/drivers/usb/core
    cp /lib/modules/$(uname -r)/source/include/linux/usb/hcd.h linux/$(echo $(uname -r) | cut -d '-' -f 1)/drivers/usb/core
    
    make clean && make && sudo make install

RHEL/CentOS 7.x, RHEL 8.x/9.x, and Rocky Linux 8.x/9.x
  1. Install the dependency packages.
    sudo yum install gcc-c++
    sudo yum install kernel-devel-$(uname -r)
    sudo yum install kernel-headers-$(uname -r)
    sudo yum install patch
    sudo yum install elfutils-libelf-devel
  2. Compile and install the VHCI driver.
    tar -xzvf vhci-hcd-1.15.tar.gz
    cd vhci-hcd-1.15
    patch -p1 < full-path_to_patch-file
    make clean && make && sudo make install
  3. (RHEL and Rocky Linux 9.x/8.x) To ensure that the VHCI driver works properly with USB redirection, configure signing settings for the driver.
    1. Create an SSL key pair for the VHCI driver.
      openssl req -new -x509 -newkey rsa:2048 -keyout MOK.priv -outform DER -out MOK.der -nodes -days 36500 -subj "/CN=Descriptive name/" -addext extendedKeyUsage=1.3.6.1.5.5.7.3.3
    2. Sign the VHCI driver.
      sudo /usr/src/kernels/$(uname -r)/scripts/sign-file sha256 ./MOK.priv ./MOK.der /lib/modules/$(uname -r)/kernel/drivers/usb/host/usb-vhci-iocifc.ko
      sudo /usr/src/kernels/$(uname -r)/scripts/sign-file sha256 ./MOK.priv ./MOK.der /lib/modules/$(uname -r)/kernel/drivers/usb/host/usb-vhci-hcd.ko
    3. Register the key for UEFI Secure Boot.
      sudo mokutil --import MOK.der
      Note: This command issues a request to set a Machine Owner Key (MOK) password for UEFI Secure Boot.
    4. To set up UEFI Secure Boot in the vSphere console, reboot the system. For more information, see https://sourceware.org/systemtap/wiki/SecureBoot.

SLED/SLES

  1. Find the version of the current kernel package.
    rpm -qa | grep kernel-default-$(echo $(uname -r) | cut -d '-' -f 1,2)

    The output is the name of the kernel package currently installed. If, for example, the package name is kernel-default-3.0.101-63.1, then the current kernel package version is 3.0.101-63.1.

  2. Install the kernel-devel, kernel-default-devel, kernel-macros, and the patch packages.
    sudo zypper install --oldpackage kernel-devel-<kernel-package-version> \
    kernel-default-devel-<kernel-package-version> kernel-macros-<kernel-package-version> patch
    For example:
    sudo zypper install --oldpackage kernel-devel-4.4.21-90.1 kernel-default-devel-4.4.21-90.1 kernel-macros-4.4.21-90.1 patch
  3. Compile and install the VHCI driver.
    tar -xzvf vhci-hcd-1.15.tar.gz
    cd vhci-hcd-1.15
    patch -p1 < full-path_to_patch-file
    mkdir -p linux/$(echo $(uname -r) | cut -d '-' -f 1)/drivers/usb/core
    cp /lib/modules/$(uname -r)/source/include/linux/usb/hcd.h linux/$(echo $(uname -r) | cut -d '-' -f 1)/drivers/usb/core
    make clean && make && sudo make install
  4. To ensure that the VHCI driver works properly with USB redirection, configure signing settings for the driver.
    1. Create an SSL key pair for the VHCI driver.
      openssl req -new -x509 -newkey rsa:2048 -keyout MOK.priv -outform DER -out MOK.der -nodes -days 36500 -subj "/CN=Descriptive name/" -addext extendedKeyUsage=1.3.6.1.5.5.7.3.3
    2. Find the path to the signing file for the VHCI driver.
      sudo find / -name sign-file

      This command returns the paths to all the signing files located on the system. The signing file path for the VHCI driver resembles the following example.

      /usr/src/linux-5.3.18-24.9-obj/x86_64/default/scripts/
    3. Sign the VHCI driver. In the following commands, <sign-file-path> is the path to the signing file that you found earlier in step 4b.
      sudo /<sign-file-path>/sign-file sha256 ./MOK.priv ./MOK.der /lib/modules/$(uname -r)/kernel/drivers/usb/host/usb-vhci-iocifc.ko
      sudo /<sign-file-path>/sign-file sha256 ./MOK.priv ./MOK.der /lib/modules/$(uname -r)/kernel/drivers/usb/host/usb-vhci-hcd.ko
    4. Register the key for UEFI Secure Boot.
      sudo mokutil --import MOK.der
      Note: This command issues a request to set a Machine Owner Key (MOK) password for UEFI Secure Boot.
    5. To set up UEFI Secure Boot in the vSphere console, reboot the system. For more information, see https://sourceware.org/systemtap/wiki/SecureBoot.
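
The signing steps in Table 7 can be checked before the reboot. The following script is an added example, not part of the VMware documentation; it assumes the modules were installed as uncompressed .ko files under the path used in the sign-file commands and that modinfo on the system reports a signer field. The function names are illustrative.

```sh
#!/bin/sh
# Added example (not VMware code): check that sign-file signed both VHCI
# modules and that the signer is the CN passed to `openssl req -subj`.
MODDIR="/lib/modules/$(uname -r)/kernel/drivers/usb/host"
EXPECTED_CN="Descriptive name"          # replace with the CN you actually used
SIG_MARKER='~Module signature appended~'

# True if the file ends with the marker that follows an appended module
# signature (the marker plus its trailing newline is 28 bytes).
has_appended_signature() {
    [ "$(tail -c 28 "$1" | tr -d '\000\n')" = "$SIG_MARKER" ]
}

# Prints the signer from `modinfo` output on stdin; empty when unsigned.
signer_of() {
    sed -n 's/^signer:[[:space:]]*//p'
}

# $1 = path to a .ko file, $2 = expected signer CN. Non-zero on failure.
check_module() {
    if ! has_appended_signature "$1"; then
        echo "UNSIGNED      $1"; return 1
    fi
    signer=$(modinfo "$1" | signer_of)
    if [ "$signer" != "$2" ]; then
        echo "OTHER SIGNER  $1 (signer: ${signer:-none reported})"; return 1
    fi
    echo "OK            $1 (signer: $signer)"
}

# Check the two modules named on this page, if they are installed here.
for mod in usb-vhci-iocifc usb-vhci-hcd; do
    if [ -f "$MODDIR/$mod.ko" ]; then
        check_module "$MODDIR/$mod.ko" "$EXPECTED_CN" || :
    fi
done
```

After the reboot and MOK enrollment, mokutil --test-key MOK.der reports whether the key is enrolled, and mokutil --sb-state reports whether Secure Boot is active.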

In addition, follow these guidelines:

  • If your Linux kernel changes to a new version, you must recompile and reinstall the VHCI driver, but you do not need to reinstall Horizon Agent for Linux.
  • You can also add Dynamic Kernel Module Support (DKMS) to the VHCI driver using steps similar to the following example for an Ubuntu system.
    1. Install the kernel headers.
      sudo apt install linux-headers-`uname -r`
    2. Install dkms using the following command.
      sudo apt install dkms
    3. Extract and patch the VHCI TAR file.
      tar xzvf vhci-hcd-1.15.tar.gz
      cd vhci-hcd-1.15
      patch -p1 < full-path_to_patch-file
      cd ..
    4. Copy the extracted VHCI source files to the /usr/src directory.
      sudo cp -r vhci-hcd-1.15 /usr/src/usb-vhci-hcd-1.15
    5. Create a file named dkms.conf and place it in the /usr/src/usb-vhci-hcd-1.15 directory.
      sudo touch /usr/src/usb-vhci-hcd-1.15/dkms.conf
    6. Add the following contents to the dkms.conf file.
      PACKAGE_NAME="usb-vhci-hcd"
      PACKAGE_VERSION=1.15
      MAKE_CMD_TMPL="make KVERSION=$kernelver"
      
      CLEAN="$MAKE_CMD_TMPL clean"
      
      BUILT_MODULE_NAME[0]="usb-vhci-iocifc"
      DEST_MODULE_LOCATION[0]="/kernel/drivers/usb/host"
      MAKE[0]="$MAKE_CMD_TMPL"
      
      BUILT_MODULE_NAME[1]="usb-vhci-hcd"
      DEST_MODULE_LOCATION[1]="/kernel/drivers/usb/host"
      MAKE[1]="$MAKE_CMD_TMPL"
      
      AUTOINSTALL="YES"
    7. Add this VHCI driver in dkms.
      sudo dkms add usb-vhci-hcd/1.15
    8. Build the VHCI driver.
      sudo dkms build usb-vhci-hcd/1.15
    9. Install the VHCI driver.
      sudo dkms install usb-vhci-hcd/1.15