Configure Horizon pods and pod federations in the Workspace ONE Access console to sync resources and entitlements to the Workspace ONE Access service.

To configure the pods and pod federations, you create one or more virtual apps collections in the Catalog > Virtual Apps Collections page and enter configuration information such as the Horizon Connection Servers from which to sync resources and entitlements, pod federation details, the Workspace ONE Access connector to use for sync, and administrator settings such as the default launch client.

After you add the pods and pod federations, you configure client access FQDNs for specific network ranges so that end users connect to the correct servers when they access resources.

You can add all the Horizon pods and pod federations in one collection or you can create multiple collections, based on your needs. For example, you might choose to create separate collections for each pod federation or each pod for easier management and to distribute the sync load across multiple connectors. Or you may choose to include all pods and pod federations in one collection for test purposes and have another identical collection for your production environment.

Important: If you change any settings or SAML configuration on the Horizon server, make sure you edit the Virtual Apps Collection page in the Workspace ONE Access console and click Save to update the latest Horizon settings in the Workspace ONE Access service.

Prerequisites

  • Set up Horizon according to Requirements for Integrating Horizon Pods and Requirements for Integrating Horizon Pod Federations.
  • Set up Workspace ONE Access according to Set up Your Workspace ONE Access Environment.
  • For each Horizon pod that you want to configure in Workspace ONE Access, ensure that you have the credentials of a user with the administrators role.
  • To perform this procedure in Workspace ONE Access, you must use an administrator role that includes the Manage Desktop Apps action in the Catalog service.
  • At the end of this procedure, you are redirected to the Network Ranges page to configure Client Access FQDNs. To edit and save the Network Ranges page, you require a Super Admin role. You can choose to perform that step separately.

Procedure

  1. Log in to the Workspace ONE Access console.
  2. Select the Catalog > Virtual Apps Collections tab.
  3. Click New.
  4. Select Horizon as the source type.
  5. In the New Horizon Virtual Apps Collection wizard, enter the following information in the Connector page.
    Option | Description
    Name | Enter a unique name for the Horizon collection.
    Connector | Select the connector that you want to use to sync this collection. To select the connector, select the directory that is associated with it. If you have set up a cluster of connectors, all the connector instances appear in the Host list and you can arrange them in failover order for this collection.
    Important: After you create the collection, you cannot select a different directory.
  6. Click Next.
  7. In the Pod and Federation page, click Add a Pod and enter the pod information.
    If the pod has multiple Horizon Connection Server instances, enter the information for any of the instances.
    Option | Description
    Connection Server | Enter the fully qualified host name of any one of the Horizon Connection Server instances within the pod. For example, connectionserver.horizondomain.com. The domain name must match the domain name to which the Horizon Connection Server instance is joined.
    Important: If the pod has multiple Horizon Connection Server instances, you need to add only one of the instances. VMware Workspace ONE Access pulls the information for all the instances within the pod.
    Username | Enter the Horizon Connection Server administrator user name. The user must have the Administrators role in Horizon.
    Password | Enter the Horizon Connection Server administrator password.
    Smart Card Authentication | Enable this option if users will use smart card authentication instead of passwords to sign in to the Horizon Connection Server.
    True SSO | Enable this option only if True SSO is enabled for the Horizon Connection Server. This option only applies to Horizon versions that support the True SSO feature.

    When this option is enabled, users logged into Workspace ONE with a non-password authentication method such as SecurID will not be prompted for a password when they launch their Windows desktops.

    Sync Local Assignments | Enable this option to sync local entitlements from the Horizon Connection Server, in addition to global assignments.
  8. To add more pods, click Add a Pod and enter the information for each pod.
  9. If the Cloud Pod Architecture option is enabled in Horizon for any of the pods that you added, follow these steps to add the pod federation information.
    1. Set the Have you enabled Cloud Pod Architecture for any of the pods added above option to Yes.
    2. Click Add a federation.
    3. Enter the pod federation information.
      Option | Description
      Federation Name | The name of the pod federation.
      Client Access FQDN | The fully qualified domain name (FQDN) of the server to which to direct clients accessing global entitlements on this pod federation. This value is typically the global load balancer of the pod federation deployment.

      For example, federationA.example.com.

      You can customize the Client Access FQDN for specific network ranges later in the configuration process.

      Horizon Pods | Select the pods that belong to the pod federation. The Available Pods column displays all the pods that you added to the collection. When you select a pod, it is added to the Selected Pods column. You can arrange the pods in the Selected Pods column in failover order.
    4. To add another pod federation, click Add a federation and enter the pod federation information.
  10. Click Next.
  11. In the Configuration page, enter the following information.
    Option | Description
    Sync Frequency | Select how often you want to sync the resources in the collection.

    You can set up an automatic sync schedule or choose to sync manually. To set a schedule, select the interval such as daily or weekly and select the time of day to run the sync. If you select Manual, you must click Sync on the Virtual Apps Collections page after you set up the collection and whenever there is a change in your Horizon Cloud resources or entitlements.

    Sync Duplicate Apps | Set to No if you want to prevent duplicate applications from being synced from multiple servers.

    When Workspace ONE Access is deployed in multiple data centers, the same resources are set up in the multiple data centers. Setting this option to No prevents duplication of the desktop or application pools in your Intelligent Hub catalog.

    Activation Policy | Select how you want to make resources in this collection available to users in the Intelligent Hub app and portal. If you intend to set up an approval flow, select User-Activated, otherwise select Automatic.

    With both the User-Activated and Automatic options, the resources are added to the Apps tab. Users can use the resources from the Apps tab or mark them as favorites and run them from the Favorites tab. However, to set up an approval flow for any of the apps, you must select User-Activated for that app.

    The activation policy applies to all user entitlements for all the resources in the collection. You can modify the activation policy for individual users or groups per resource, from the user or group page in the Users & Groups tab.

    Default Launch Client | Select the default client for end users accessing Horizon desktops and apps from the Intelligent Hub app or portal.

    None: No default preference is set at the administrator level. If this option is set to None and the end user does not set a preference either, the Horizon Default display protocol setting is used to determine how to launch the desktop or application.

    Browser: Horizon desktops and applications are launched in a web browser by default. End user preferences, if set, override this setting.

    Native: Horizon desktops and applications are launched in the Horizon Client by default. End user preferences, if set, override this setting.

    This setting applies to all users for all resources in this collection.

    The following order of precedence, listed from highest to lowest, applies to the default launch client settings:

    1. End user preference setting, set in Intelligent Hub.
    2. Administrator Default Launch Client setting for the collection, set in the Workspace ONE Access console.
    3. Horizon Remote Display Protocol > Default display protocol setting for the desktop or application pool, set in Horizon Administrator. For example, when the display protocol is set to PCoIP, the application or desktop is launched in the Horizon Client.
  12. Click Next.
  13. In the Summary page, review your selections, then click Save & Configure Network Range.
    The Network Ranges page appears.
  14. In the Network Ranges page, edit each network range and specify the Client Access FQDNs for the Horizon pods and pod federations so that end users accessing Horizon applications and desktops connect to the correct server.
    1. Click the network range to edit or click Create Network Range to create a new network range, if necessary.
    2. If you are creating a new network range, enter a name, optional description, and the IP address range.
    3. Scroll to the Pod and View CPA Federation sections.
      The Pod section lists all the Horizon pods that you added to the collection that have the Sync Local Assignments option enabled. The View CPA Federation section lists all the pod federations that you added.
    4. Edit the Pod section for each pod and enter the appropriate values for this network range.
      Option | Description
      Client Access FQDN | Specify the fully qualified domain name (FQDN) of the server to which to direct clients accessing local entitlements on this pod, when the requests come from this network range. This can be a Horizon Connection Server, security server, load balancer, or reverse proxy FQDN.

      For example: internallb.example.com

      The Client Access FQDN for a pod is used to launch locally-entitled resources from the pod.

      Port | The server port.
      Wrap Artifact in JWT | See Launching Horizon Resources Through Validating Gateways.
      Audience in JWT | See Launching Horizon Resources Through Validating Gateways.
    5. Edit the View CPA Federation section for each pod federation and enter the appropriate values for this network range.
      Option | Description
      Client Access FQDN | Specify the fully qualified domain name (FQDN) of the server to which to direct clients accessing global entitlements on this pod federation, when the requests come from this network range. This is typically the global load balancer of the pod federation deployment.

      For example: globallb.example.com

      The Client Access FQDN for a pod federation is used to launch globally-entitled resources.

      Port | The server port.
      Wrap Artifact in JWT | When the Workspace ONE Access service is integrated with a validating gateway, such as F5, this option must be enabled to authenticate Horizon resources assigned to users. See Launching Horizon Resources Through Validating Gateways.
      Audience in JWT | See Launching Horizon Resources Through Validating Gateways.
    6. Click Save.
    7. Repeat these steps to edit the other network ranges.
    8. Click Finish in the Network Ranges page.
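
Added example (not VMware code): a Python check of a planning worksheet against the rules in this procedure, flagging Connection Server names that are not fully qualified or are outside the joined domain, federation members missing from the collection, and network ranges lacking a Client Access FQDN for a federation or for a pod with Sync Local Assignments enabled. The dictionary layout, the joined_domain field, and every pod, federation, and host name are assumptions for illustration.

```python
import ipaddress
import re

FQDN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)
def is_fqdn(name):
    return bool(FQDN_RE.match(name or ""))

def validate_plan(plan):
    """Return findings for a planned Horizon collection; an empty list means no issues."""
    findings = []
    pods = plan["pods"]
    for name, pod in pods.items():
        host, domain = pod["connection_server"], pod["joined_domain"]
        if not is_fqdn(host):
            findings.append(f"pod {name}: Connection Server '{host}' is not fully qualified")
        elif not host.lower().endswith("." + domain.lower()):
            findings.append(f"pod {name}: '{host}' is outside joined domain {domain}")
    for fed, members in plan["federations"].items():
        for member in members:
            if member not in pods:
                findings.append(f"federation {fed}: pod {member} is not in the collection")
    # The Pod section of a network range lists only pods with Sync Local Assignments on.
    local_pods = [n for n, p in pods.items() if p["sync_local"]]
    for rname, rng in plan["network_ranges"].items():
        if ipaddress.ip_address(rng["start"]) > ipaddress.ip_address(rng["end"]):
            findings.append(f"range {rname}: start address is after end address")
        for kind, names, table in (("pod", local_pods, rng["pod_fqdn"]),
                                   ("federation", plan["federations"], rng["federation_fqdn"])):
            for n in names:
                if not is_fqdn(table.get(n)):
                    findings.append(f"range {rname}: {kind} {n} has no valid Client Access FQDN")
    return findings

SAMPLE_PLAN = {  # constructed sample: every name and address below is made up
    "pods": {
        "pod-a": {"connection_server": "cs1.corp.example.com", "joined_domain": "corp.example.com", "sync_local": True},
        "pod-b": {"connection_server": "cs2", "joined_domain": "corp.example.com", "sync_local": False},
    },
    "federations": {"fed-1": ["pod-a", "pod-c"]},
    "network_ranges": {
        "internal": {"start": "10.0.0.1", "end": "10.255.255.254",
                     "pod_fqdn": {"pod-a": "internallb.example.com"}, "federation_fqdn": {"fed-1": "globallb.example.com"}},
        "external": {"start": "0.0.0.0", "end": "255.255.255.255",
                     "pod_fqdn": {}, "federation_fqdn": {"fed-1": "globallb.example.com"}},
    },
}

if __name__ == "__main__":
    print("\n".join(validate_plan(SAMPLE_PLAN)))
```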

What to do next

The Horizon collection is created and appears in the Catalog > Virtual Apps Collections page. Resources in the collection are not yet synced. You can either wait for the next scheduled sync or sync the collection manually from the Catalog > Virtual Apps Collections page.