Configure Horizon pods and pod federations in the Workspace ONE Access console to sync resources and assignments to the Workspace ONE Access service.

To configure the pods and pod federations, you create one or more virtual apps collections in the Catalog > Virtual Apps Collections page and enter configuration information such as the Horizon Connection Servers from which to sync resources and entitlements, pod federation details, the Workspace ONE Access Virtual App service to use for sync, and administrator settings such as the default launch client.

After you add the pods and pod federations, you configure client access FQDNs for specific network ranges so that end users connect to the correct servers when they launch apps and desktops.

You can add all the Horizon pods and pod federations in one collection or you can create multiple collections, based on your needs. For example, you might choose to create separate collections for each pod federation or each pod for easier management and to distribute the sync load across multiple connectors. Or you may choose to include all pods and pod federations in one collection for test purposes and have another identical collection for your production environment.

Important: If you change any settings or the SAML configuration on the Horizon server after setting up the integration, and you want to propagate the changes to the Workspace ONE Access service immediately, edit the virtual apps collection page in the Workspace ONE Access console and click Save. Otherwise, updates are propagated at the next sync.

Prerequisites

Procedure

  1. Log in to the Workspace ONE Access console.
  2. Select the Catalog > Virtual Apps Collections tab.
  3. If an information page appears, review the information and click Get Started, otherwise click New.
  4. Select Horizon as the source type.
  5. In the New Horizon Collection wizard, enter the following information in the Connector page.
    Option Description
    Name Enter a unique name for the Horizon virtual apps collection.
    Connector Select the connectors to use to sync this collection. You can add multiple connectors and arrange them in failover order. Only connectors that have the Virtual App service installed appear in the list.
  6. Click Next.
  7. In the Pod and Federation page, click Add a Pod and enter the pod information.
    If the pod has multiple Horizon Connection Server instances, enter the information for any of the instances.
    Option Description
    Horizon Connection Server Enter the fully qualified host name of any one of the Horizon Connection Server instances within the pod. For example, connectionserver.horizondomain.com. The domain name must match the domain name to which the Horizon Connection Server instance is joined.
    Important: If the pod has multiple Horizon Connection Server instances, you need to add only one of the instances. VMware Workspace ONE Access pulls the information for all the instances within the pod.
    Username Enter the Horizon Connection Server administrator user name. The user must have the Administrators role in Horizon.
    Password Enter the Horizon Connection Server administrator password.
    Smart Card Authentication Select this option if users will use smart card authentication instead of passwords to sign in to the Horizon Connection Server.
    True SSO

    Select this option only if True SSO is enabled for the Horizon Connection Server. This option only applies to Horizon versions that support the True SSO feature.

    When this option is enabled, users logged into the Workspace ONE app or portal with a non-password authentication method such as SecurID will not be prompted for a password when they launch their Windows desktops.

    Sync Local Assignments Select this option to sync local entitlements from the Horizon Connection Server, in addition to global assignments.
    For example:
    In the Add Pod form, the Horizon Connection Server field has the value pod2.example.com, Username has the value admin, and a password is entered.
  8. Click Add.
  9. To add more pods, click Add a Pod and enter the information for each pod.
  10. If the Cloud Pod Architecture option is enabled in Horizon for any of the pods that you added, follow these steps to add the pod federation information.
    1. Set the Have you enabled Cloud Pod Architecture for any of the pods added above option to Yes.
    2. Click Add a federation.
    3. Enter the pod federation information, then click Add.
      Option Description
      Federation Name The name of the pod federation.
      Default Client Access FQDN The fully qualified domain name (FQDN) of the server to which to direct clients accessing global entitlements on this pod federation. This value is typically the global load balancer of the pod federation deployment.

      For example, federationA.example.com.

      The Default Client Access FQDN is used to set an intial, default value for the View CPA Federation - Client Access FQDN text box for all network ranges that are currently configured. After creating the collection, go to the collection's Network Ranges tab to customize the View CPA Federation - Client Access FQDN value for each network range.

      After creating the collection, if you want to update the pod federation's Client Access FQDN, go to the Network Ranges tab and edit the Client Access FQDN value in the View CPA Federation section for each network range. Editing the Default Client Access FQDN value in the Edit Horizon Collection wizard does not update the value in the network ranges.

      Note: If you create a network range after creating the collection, make sure that you go to the collection's Network Ranges tab, select the new network range, and add a Client Access FQDN value in the View CPA Federation section. Otherwise, clients using that network range will not be able to access their Horizon desktops and apps.
      Horizon Pods Select all the pods that belong to the pod federation. The Available Pods column displays the pods that you added to the collection. When you select a pod, it is added to the Selected Pods column. You can arrange the pods in the Selected Pods column in failover order.
      Important: You must add all the pods that belong to the pod federation to the virtual apps collection and select them here.
      For example:
      In the Add a Federation form, the Federation Name field has the value Horizon Pod Federation A, the Client Access FQDN field has the value federationA.example.com. The Horizon Pods section has two columns, Available Pods and Selected Pods. pod2.example.com is selected.
    4. To add another pod federation, click Add a federation and enter the pod federation information.
  11. In the Configuration page, enter the following information.
    Option Description
    Sync Frequency Select how often you want to sync applications, desktops, and assignments from the Horizon servers to Workspace ONE Access.

    You can set up an automatic sync schedule or choose to sync manually. To set a schedule, select the interval such as daily or weekly and select the time of day to run the sync. If you select Manual, you must click Sync > Sync with safeguards or Sync > Sync without safeguards on the virtual apps collection page after you create the collection and whenever there is a change in the Horizon resources or assignments.

    For more information about sync, see Syncing Virtual Apps Collections in Workspace ONE Access.
    Sync Duplicate Apps Set to No if you want to prevent duplicate applications from being synced from multiple servers.

    When Workspace ONE Access is deployed in multiple data centers, the same resources are set up in the multiple data centers. Setting this option to No prevents duplication of the desktop or application pools in the Intelligent Hub catalog.
    Safeguard Thresholds Limits Configure sync safeguard thresholds if you want to limit the number of changes that can be made to applications, desktops, and assignments when the virtual apps collection syncs. If any of the thresholds is met, sync is cancelled.

    By default, Workspace ONE Access sets the threshold for all categories to 10%.

    Sync safeguards are ignored the first time a collection syncs and are applied to all subsequent syncs.

    For more information about sync safeguards, see Syncing Virtual Apps Collections in Workspace ONE Access.
    Activation Policy Select how you want to make resources in this collection available to users in the Workspace ONE Intelligent Hub app and portal. If you intend to set up an approval flow, select User-Activated, otherwise select Automatic.

    With both the User-Activated and Automatic options, the resources are added to the Apps tab. Users can run the resources from the Apps tab or mark them as favorites and run them from the Favorites tab. However, to set up an approval flow for any of the apps, you must select User Activated for that app.

    The activation policy applies to all user assignments for all the resources in the collection. You can modify the activation policy for individual users or groups per resource, from the user or group page in the Users & Groups tab.

    Default Launch Client Select the default client for end users accessing Horizon desktops and applications from the Intelligent Hub app or portal.

    None: No default preference is set at the administrator level. If this option is set to None and the end user does not set a preference either, the Horizon Default display protocol setting is used to determine how to launch the desktop or application.

    Browser: Horizon desktops and applications are launched in a web browser by default. End user preferences, if set, override this setting.

    Native: Horizon desktops and applications are launched in the Horizon Client by default. End user preferences, if set, override this setting.

    This setting applies to all users for all resources in this collection.

    The following order of precedence, listed from highest to lowest, applies to the default launch client settings:

    1. End user preference setting, set in Intelligent Hub.
    2. Administrator Default Launch Client setting for the collection, set in the Workspace ONE Access console.
    3. Horizon Remote Display Protocol > Default display protocol setting for the desktop or application pool, set in Horizon Console. For example, when the display protocol is set to PCoIP, the application or desktop is launched in the Horizon Client.
    Important: If you integrate Horizon 7.13 or later versions with Workspace ONE Access, end users always see the option in Intelligent Hub to launch applications and desktops in a browser. However, if HTML Access is not installed on the Horizon Connection servers, browser launch fails. For Horizon 7.13 and later versions, you must install HTML Access on the Horizon Connection servers. See the VMware Horizon HTML Access documentation for information.
  12. In the Summary page, review your selections, then click Save & Configure.
    The Network Ranges tab appears.
  13. In the Network Ranges tab, edit each network range and specify Client Access FQDNs for Horizon pods and pod federations so that end users accessing Horizon applications and desktops from that network range connect to the correct server.
    See Setting Client Access FQDNs for Horizon Virtual Apps in Workspace ONE Access for more information on configuring network ranges.

What to do next

The Horizon collection is created and appears in the Catalog > Virtual Apps Collections page. Resources in the collection are not yet synced. You can either wait for the next scheduled sync or sync the collection manually from the Catalog > Virtual Apps Collections page.