Upgrading VMware Horizon is going to be a fun task for the weekend. It means upgrading 3 connection servers, a security server, the vcenter server and the composer server. This is all so we can disable SSLv3 on the ESXi hosts they all run on.
Migration was originally planned from 5.3 to 6.2, as this is the earliest version that resolves the SSLv3 problem. But if we’re going to have to upgrade, why not go all the way to v7?
There’s lot’s of help and instruction to be had on the net on how to plan and deploy, but the plan we’re aiming for gives us an easy backout plan that then resolves all of the version upgrades required by Windows and MSSQL on the current infrastructure.
The plan is simply to turn off the old systems, reinstall new ones and migrate data. This way if we need to chicken out we turn off all the new and turn on all the old. So all the new servers will have the same IP addresses and names as the ones they are replacing. This way we have no concerns about the various firewalls and rules that relate to Horizon.
Plan of attack
- Install 6 new virtual servers with Windows 2012R2
- Install a new v7 connection server as a replica server to be able to manage Horizon from
- Turn off the Windows 2008 security server
- Turn off the Windows 2008 connection servers
- Check composer server by managing Horizon using the “new” connection server
- Stop composer and database services on composer server*
- Take a snap shot of the composer server
- Restart the composer and database services on composer server
- Run the v7 upgrade of composer services on the composer server
- Test the new composer services using the connection server
- Stop the composer services (leave database running)
- Backup the composer database putting it somewhere safe
- Turn off the composer server
- Bring up a new Windows server for composer
- Install MSSQL 2012 onto “new” composer server
- Install v7 composer services
- Restore composer database backup to new server
- Test the new composer server and services using the connection server
- Use the VMware migration tool to migrate the Windows vcenter server to a vcenter appliance
- Turn off the Windows vcenter server
- Install the remaining connection servers
- Install the security server
All being well everything should be pretty much live. Now all that needs taking care of is VMware tools on the gold images and the Group Policy ADM updates.
Notes
The certificate on the security server needs to be an external certificate with a friendly name of “vdm”
The certificate on the composer server can be an internal certificate and has a friendly name of “vrm”
- We’ve decided that as we only operate 4 pools from 4 “gold” images that we’re just going to drop the existing composer server from the configuration and install a new v7 one. Then just recreate the pools based on the settings we have from the existing pools.
References
Update sequence for vSphere 6.0 https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2109760
Migrating composer database https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2051921
Upgrading to Horizon 6.0 https://elgwhoppo.com/2014/09/07/upgrading-to-horizon-6-part-1-prepwork/
Things went pretty well on the day. Everything worked as expected. Test a few clients internally and externally and all was well.
That was until Monday morning when we discovered what seemed like a random pattern of some users being able to logon and other not. The error we were seeing was “The view connection server connection failed. The handle is in the wrong state for the requested response.”
Turns out this is because the new Connection Servers no longer support SSLv3 (which is what we’re trying to get rid of anyhow). But the Horizon View client on a large number of older re-purposed machines was too old and required SSL support!
The long and the short of it is that we needed to ensure that the Horizon View client was at least version 3.3 to be able to connect.
Be aware that the versioning of the client is screwed up. VMware released version 5.2 and 5.3, but they are older than the version 3.3 client. So in order of oldest to newest version it goes 5.2, 5.3, 3.2, 3.3, 4.2, 4.3.
LikeLike
This post is amazing!!! I have a single question regarding View Composer:
I am following your steps since I will be replacing the servers with the same name and IP address. However,
I am just concern about View Composer. Do I need to export and import the SSL certs?
My scenario:
View composer 5.3 separate server from vCenter, and we are hosting the database on a SQL 2008 R2. In this case I would:
5.Check composer server by managing Horizon using the “new” connection server
6.Stop composer (database is hosted on separate server)
7.Take a snap shot of the composer server
8.Restart the composer and database services on composer server
9.Run the v7 upgrade of composer services on the composer server
10.Test the new composer services using the connection server
11.Stop the composer services (leave database running)
12.Backup the composer database putting it somewhere safe
13.Turn off the composer server
Do I need to worry about Backing up the folder containing the SSL certificates on View Composer server. folder: %ALLUSERSPROFILE%\Application Data\VMware\VMware VirtualCenter.
Again, thank you for taking the time to create the post :).
LikeLike
Glad you found it useful. I pretty much do this just as a memory jogger for myself and a few guys in my team.
For the composer certificate we requested a new “Computer” one from our own CA and then simply gave it the friendly name “vrm”, but after just checking it actually doesn’t have a friendly name at all. So maybe we missed that, but everything works as expected and shows all green in the VDI admin console.
LikeLike
0 Pingbacks