Chathura Ariyadasa (He/Him) - ❤️Father | 💻Infrastructure and Cybersecurity Architect

Horizon DaaS hotfix management is a very straightforward process. Those Hotfixes and updates are being applied using the HVM (Horizon Version Manager). This process consists of several steps.

Upload hotfixes/updates to the HVM
Refresh hotfix list
Detect hotfixes on DaaS appliances
Apply hotfix on DaaS appliances
Verifying the hotfixes on DaaS appliances

In our example, we will look at DaaS 9.1.x version (21.1.0). Will look at the entire process in 5 sub-steps.

Upload hotfixes/updates to the HVM

First, download WinSCP and the DaaS hotfixes/updates from VMWare downloads, and then make an SCP connection to the HVM. You need to upload those hotfixes to the /opt/vmware/hvm/hotfixes directory.

Refresh hotfix list

Once you are done with the hotfix upload, you need to refresh the list of hotfixes that are on the HVM. Projects > Horizon-DaaS-HotFix-Management

and then Jobs > Refresh Hotfix List and then Run Job Now

Detect hotfixes on DaaS appliances

This is not mandatory. But it is always advisable to check whether the DaaS appliances are patched or not. So, you can simply access the Sub menu and select Step 4, which is Detect Hotfixes on DaaS Appliances. If the appliances are not patched, you may proceed to the next steps. If the appliances are already patched with the latest build, you may hold the patch process.

Under the Org-IDs tab, you need to enter the relevant tenant ID (keep in mind that tenant ID 1000 is reserved for the SP [Service Provider] appliances).

Continue reading “How to patch Horizon DaaS appliances from a Windows computer”

Apply hotfix on DaaS appliances

When you are ready to apply the hotfixes to the appliances, always make sure to start with the SP appliances. Otherwise, there can be incompatibilities with the tenant appliance operations. On the menu, you will see an option called “Pre-Migrated“.

As you can see in the above image, option 2 (Pre-Migrated) is for newly upgraded appliances that are yet to be migrated. If you have already migrated the appliances and are in production, you need to select option 3.

In our example, we have used DaaS 9.1.x. which is version (21.1.0). Once you select the version, you will be presented with the relevant hotfixes which are being uploaded to the HVM hotfixes directory. Over there, you can see 2 different hotfixes.

[SP-RM] – This is for Service Provider appliances and Resource Managers
[TA-DM] – This is for Tenant Appliances and Desktop Managers

Based on your need, you may pick the correct hotfix and run the job. If you are going to patch the Service Provider appliances, it would be the [SP-RM] filename

Jobs > Apply Hotfix to DaaS Appliances

Verifying the hotfixes on DaaS appliances

Once you are done with the patching, you could verify the patches by executing the Detect Hotfixes on DaaS Appliances job.

As you can see, we have successfully applied the hotfixes to the tenant appliances.

Due to the cybersecurity compliance requirements, we had to disable insecure SSL and TLS protocol versions. Our infrastructure consists of VMware multi-tenants and F5 LTM as the ADC (Application Delivery Controller). Since the UAGs (Unified Access Gateway) sit behind the F5 LTM, the configuration changes need to be done at the F5 ADC.

There was no proper article written specifically for this purpose. So, I thought of sharing this with the community. Let’s look at the steps involved in the configuration change.

From the configuration utility, navigate to Local Traffic > Profiles > SSL > Client
Select the Client SSL profile used in the virtual server, and then change to Advanced

We need to change 2 fields (Cipers and Enabled Options)
Under the Ciphers, select Cipher Suites
In Cipher Suites, you need to change the value to DEFAULT:!RC4:!MEDIUM:@STRENGTH
Then, under the Enabled Options select only No TLSv1.3, No TLSv1.1, and No TLSv1 (refer to the below image)

Once you confirm the values, you may save the changes and test the access.
If you need to confirm the security settings and collect evidence, you can simply test the URL with ssllabs

Cookie	Duration	Description
cookielawinfo-checbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
__cfduid	1 month	The cookie is used by cdn services like CloudFare to identify individual clients behind a shared IP address and apply security settings on a per-client basis. It does not correspond to any user ID in the web application and does not store any personally identifiable information.

Cookie	Duration	Description
IDE	1 year 24 days	Used by Google DoubleClick and stores information about how the user uses the website and any other advertisement before visiting the website. This is used to present users with ads that are relevant to them according to the user profile.
test_cookie	15 minutes	This cookie is set by doubleclick.net. The purpose of the cookie is to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	5 months 27 days	This cookie is set by Youtube. Used to track the information of the embedded YouTube videos on a website.