WinHorizon Configuration

Prerequisites

Before configuring WinHorizon, ensure that you have published your trust chain as described in the Publishing the Trust Chain section.

Updating the local built-in 'Distributed COM Users' group

For Domain Controllers and computers to be able to enroll (i.e. contact the DCOM service on the WinHorizon server), they need to be members of the built-in local group 'Distributed COM Users'.

1. Access the WinHorizon server (local console or Terminal Services) using a local administrator account;

2. Launch the 'Local Users and Groups' management console using lusrmgr.msc;

3. Edit the built-in group 'Distributed COM Users';

4. Add the groups that should be able to enroll/auto enroll:

  • For Domain Controllers: Domain Controllers;

  • For workstations: Domain Computers.

Based on the security group(s) that you assigned to your template (for example, "Domain Users"), add the same security group(s) to the "Distributed COM Users" local group on the machine.

Don’t forget to configure Microsoft Defender Firewall on the WinHorizon server so that enrolling machines can reach the DCOM service.

EverTrust WinHorizon Configurator

Authentication Tab

1. Search for and start the EverTrust WinHorizon configurator application using a Domain Administrator account.

2. Go to the Authentication tab.

3. Click the Generate CSR button and fill in the fields you need. Leave a field blank if it is not needed (it will not appear in the CSR).

We recommend leaving the options as default.

4. When you have completed all the necessary fields, click the Generate button and then use the Save CSR button to save the CSR somewhere you can find it.

5. Submit this CSR to your PKI / CA to have the certificate signed, then download the newly created certificate in PEM format.

6. After downloading the certificate, go back to the Authentication tab, click the Import Certificate button and choose the certificate.

Check that you are in the "Windows store" authentication mode.

7. After a successful import, you should see a confirmation message, and the serial number is filled in in the corresponding field.

Connection Tab

Fill the following fields in the Connection tab:

  • Horizon URL: Enter the Horizon instance URL to connect to. It should end with /api/v1. Example: https://horizon.evertrust.fr/api/v1

  • Proxy URL (if needed): If you need a proxy to reach Horizon, fill in the proxy URL as well.

CA Settings Tab

WinHorizon is registered as an Enrollment Service in Active Directory. CA Name and WinHorizon Hostname are used to create the Enrollment Service entry.

Fill the following fields:

  • CA Name: CA Name will be used as cn.

  • WinHorizon Hostname: WinHorizon Hostname will be used as dNSHostName.

It is not recommended to edit the hostname since it is already based on your machine FQDN.

1. Click on Add ES Entry and import the certificate file of the CA that signed the WinHorizon Certificate, most likely the Technical CA.

To add the Enrollment Service entry to Active Directory, you need permission to manage Enrollment Service entries.

2. Click on Templates to add the templates your WinHorizon will serve.

3. Enter the name of each template managed by the WinHorizon instance, separated by ;. Click OK. Example: EverTrustDomainController;EverTrustIIS;EverTrustUser;EverTrustServer.

Internet Ports Configuration

WinHorizon uses port 135 as its management port and then assigns a port to each client. By default, that port is chosen randomly between 1024 and 65535, but if the option is turned on, the port range can be restricted.

To restrict this range to specific ports, additional DCOM configuration may be required.
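The 'Distributed COM Users' membership and the firewall opening for port 135 and a restricted client port range can be scripted and reviewed together. The following PowerShell is an added example, not part of the EverTrust documentation; the domain name EXAMPLE, the range 50000-50100 and the firewall rule names are assumptions to replace with your own values.

```powershell
#Requires -RunAsAdministrator
# Added example. EXAMPLE, the port range and the rule names are placeholders.

$Domain      = 'EXAMPLE'          # assumption: NetBIOS name of your AD domain
$Groups      = 'Domain Controllers', 'Domain Computers'  # add your template groups
$ClientPorts = '50000-50100'      # assumption: the restricted range you configured
# Well-known SID of BUILTIN\Distributed COM Users (works on localized Windows too)
$DcomUsers   = [System.Security.Principal.SecurityIdentifier]'S-1-5-32-562'

# 1. Add each enrolling group, skipping the ones that are already members.
$current = (Get-LocalGroupMember -SID $DcomUsers).Name
foreach ($g in $Groups) {
    $member = "$Domain\$g"
    if ($current -notcontains $member) {
        Add-LocalGroupMember -SID $DcomUsers -Member $member
    }
}

# 2. Allow inbound DCOM on the Domain firewall profile only:
#    the management port (TCP 135) and the per-client port range.
$rules = @{
    'WinHorizon DCOM management port' = '135'
    'WinHorizon DCOM client ports'    = $ClientPorts
}
foreach ($name in $rules.Keys) {
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Action Allow `
            -Protocol TCP -LocalPort $rules[$name] -Profile Domain | Out-Null
    }
}

# 3. Print the resulting state so it can be reviewed.
Get-LocalGroupMember -SID $DcomUsers |
    Select-Object Name, ObjectClass, PrincipalSource
Get-NetFirewallRule -DisplayName 'WinHorizon DCOM*' |
    Get-NetFirewallPortFilter | Select-Object Protocol, LocalPort
```

Limiting the rules to the Domain profile keeps the DCOM ports closed when the server's network is classified as Public or Private.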

Logging Tab

Configure the service logs in the Logging tab according to your organization’s requirements.

Saving Configuration

1. After the complete configuration is done, click Save.

If you want to keep a copy of this configuration, you can export this registry key: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\EverTrust\WinHorizon

WinHorizon service restart

1. Access the Services Management Console (services.msc).

2. Restart the WinHorizon service.