VMware Horizon 7.3.2

Just over a month after the 7.3.1 release, VMware has released a minor version update, Horizon 7.3.2, which appears to primarily fix a 7.3.1 issue related to Instant Clones where the operations were failing in 7.3.x versions. Operations are now handled gracefully, according to the release notes. VMware appears to strongly recommend that customers running 7.3.x upgrade to 7.3.2.

What’s New

Only the updates to Instant Clones and references to version 7.3.2 have changed. The rest of the updates appear to be identical to 7.3.1.

Resolved Issues

Just the clones. If you haven’t already updated to the 7.3 release, 7.3 also upgrades 7-Zip version incorporated into the Horizon Agent and Horizon Connection Server to 16.04 to resolve a security issue in 16.02 and earlier, CVE-2016-7804. The issue was an untrusted search path vulnerability in 7 Zip for Windows 16.02 and earlier allows remote attackers to gain privileges via a Trojan horse DLL in an unspecified directory.

It is also worth noting that if you plan on installing VMware View Composer you must upgrade the Microsoft .NET framework to version 4.6.1, otherwise the installation will fail. Also, VMware Tools interoperability Matrix should be referenced when installing a version other than the default provided with vSphere.

Known Issues

If upgrading from a prior release to 7.3.2, there are several issues and workarounds for 7.3 related to the following components: Horizon Persona Management, View Composer, Horizon Connection Server, Horizon Agent for Linux, Horizon Agent, Horizon GPO Bundle, Horizon Client. The list is environment dependent and too lengthy to summarize. It is advisable to refer to the release notes linked below.

Of the items to note, if you plan on migrating directly to 7.3.2, with the updates to Global Policy Objects, Computer-based  Global Policy Objects that require a reboot to take effect are not applied on instant clones. If you are attempting to use computer-based policy settings on instant clones, you will want to make note of this shift and move to user-based GPO settings or follow the guidance in VMware KB article 2150495.

Relevant Links

Horizon 7.3.2 Download Page
Horizon 7.3.2 Release Notes

NSX 6.3.5 Release

VMware recently made NSX 6.3.5 (Build 7119875) available for download. This is a full maintenance release including a number of fixes.

There are numerous fixes in this release that will be of interest. Most notably, are the fixes related to Guest Introspection – a feature leveraged by several third party AV and security products and the NSX Identity Firewall.  There are several enhancements to GI: Deployment naming, network event filtering, and CPU utilization fixes in the form of threshold modifications via API.   There is also a fix for issue number 1897878, outlined in VMware KB 2151235 that sometimes caused a “Lost communication with ESX module” message.

What’s New in 6.3.5

Anyone using Guest Introspection should definitely consider upgrading

“For vCenter 6.5 and later, Guest Introspection VM’s, on deployment, will be named Guest Introspection (XX.XX.XX.XX), where XX.XX.XX.XX is the IPv4 address of the host on which the GI machine resides.”
In larger NSX deployments using GI, the associated guest configuration should be easier to identify.

“Guest Introspection service VM will now ignore network events sent by guest VMs unless Identify Firewall or Endpoint Monitoring is enabled”
According to some reports, this is a feature that was occasionally disabled in very large deployments to improve 3rd party A/V scalability. The vast majority don’t use ‘Network Introspection’ services, so it’s good to see that it’s now off by default.  It will more readily allow for adoption of these services and can be implemented if needed.

Also, it is worth noting, under serviceability enhancements for L2VPN, that changing or enabling logging no longer requires a process restart.  There is some additional log detail available also.

Resolved Issues

In short, Lots.

In addition to the Guest Introspection memory consumption issue, several migration and upgrade problems were also addressed.  The controller disconnect issue and password expiry issues are also resolved in this release.  Of the logical networking and edge components, fixes to the Edge IPsec VPN and failures related to service certificates are most notable.  For the Manager and Controller issues related to reliability, accessibility, and CPU utilization were addressed.  Also, in prior editions, upgrading the VIB retained the password file of the vShield firewall causing delays and occasional packet loss related to the time it takes to update the password by connecting to the NSX manager in an automated DRS cluster.

Known Issues

Should you deploy 6.3.5? I don’t see a  reason why you would not jump to 6.3.5 in a new deployment, but paying close attention to known issues and workarounds in an upgrade is key.   I only see one issue related to sslvpn service using a local authentication server which doesn’t post a workaround.  The issue may generate support calls from end users or administrators logging in during a password change.

Relevant Links

NSX 6.3.5 Download Page
NSX 6.3.5 Release Notes