This information describes how to install Application Manager, the on-premise appliance as opposed to the hosted version of Application Manager. When you host Application Manager, you control the operator and administrator pages that allow you to manage end-user access to your Windows, SaaS, and Web applications. The Connector is a required software piece that you must install separately.

This information is intended for organization administrators. The information is written for experienced Windows and Linux system administrators who are familiar with VMware virtual machine technology, identity management, entitlement, and directory services. SUSE Linux is the underlying operating system of the Application Manager virtual appliance. Knowledge of Linux is essential to configure the Application Manager directly and to perform system-level functions, such as configuring network settings, time settings, and log files. Knowledge of other technologies, such as VMware ThinApp and RSA SecurID, is helpful if you plan to implement those features.

This process involves a variety of tasks and you can deploy the Application Manager in several different ways. A key distinction in deployments is in the mode of authentication you choose. See Introduction to Application Manager. An important deployment factor depends on if you choose to provide Application Manager users with access to Windows applications captured as ThinApp packages. See Installing and Configuring the Connector for more information.

Application Manager Installation and Configuration Flowchart provides a broad overview of the installation and configuration tasks involved in an on-premise Application Manager deployment. The summary that follows reiterates the main steps.

Application Manager Installation and Configuration Flowchart
Flowchart of installation and configuration tasks involved in an Application Manager deployment including the on-premise Application Manager.
1

Prepare your environment:

Create DNS records for Application Manager and the Connector.

Ensure hardware and software requirements are met.

Prepare the optional features that apply. For example, create the ThinApp repository for ThinApp integration and configure KDC for Kerberos authentication.

Prepare vSphere for Connector Authentication mode.

2

Obtain virtual appliances:

Obtain the Application Manager and Connector virtual appliances.

3

Install and configure the Application Manager virtual appliance:

Provide network information, including:

IP/subnet/gateway info

DNS servers

Hostname

A Network Time Protocol server

Time zone

SSL connectivity to Application Manager

4

Configure Application Manager as an operator:

Use a browser to log in to the Operator Web interface.

Run the setup wizard to create your first organization.

Copy and save the URL for Application Manager and the activation code for the Connector.

5

Install and configure the Connector:

Configure the Connector using the virtual appliance interface and the applicable wizards of the Web interface. If you are providing users with access to Windows Applications captured as ThinApp packages, configure Windows Apps in the Connector setup wizard. You can also perform additional configuration such as setting up RSA SecurID.

In the Web interface, you can enable SSL for end user authentication.

6

Return to Application Manager as an operator of your first organization:

Create delegated operators, add applications, additional organizations, etc.

7

Configure Application Manager as an administrator:

Using a browser, return to Application Manager for further configuration. For example, you can add ThinApp packages, configure IdP Discovery for ThinApp integration, add applications, create groups, set entitlements, and define roles for delegated administration.

8

Configure logging:

Configure logging for Application Manager. Return to the Connector virtual appliance interface to configure logging for the Connector.

9

Provide users with URLs to access applications:

Distribute URLs to users to provide access to the User Web interface and directly to individual applications

To reduce the complexity of the deployment process, you might want to deploy Application Manager in phases.

SSL connectivity, load balancing, and high availability add layers of complexity to your deployment that can be avoided during the proof-of-concept phase.

By default, secure ports are disabled for the Connector and Application Manager. For the proof-of-concept phase, you can install the Connector and Application Manager using the default insecure ports. This frees you during this phase from managing SSL certificates.

Also, by default, Application Manager uses an internal database server. To support load balancing or high availability you must install and configure a supported external database server and point multiple Application Manager instances to that external database server. For the proof-of-concept phase, you can use the default internal database server. This frees you from installing an external database server and configuring clustering.

Recommended Phases of Deployment

Phase

Recommended Actions

Trial (Proof-of-Concept)

SSL Connectivity (Do not configure)

For Application Manager, keep the insecure ports enabled and the secure ports disabled. These settings are accessible with the Application Manager virtual appliance interface, on the Configure Web Server screen.

For the Connector, accept the default insecure mode. This setting is accessible with the Connector virtual appliance interface, on the Configure Web Server screen.

Note

You can test ThinApp integration in Insecure mode.

Load Balancing and High Availability (Do not configure)

For Application Manager, keep the internal database server configuration. This setting is accessible with the Application Manager virtual appliance interface, on the Configure Database Connection screen.

Test (Pre-Production)

SSL Connectivity

For Application Manager, disable the insecure ports and enable the secure ports.

For the Connector, enable secure mode, which requires you to reset and reconfigure the Connector.

Generate both an Application Manager SSL certificate and a Connector SSL certificate.

If you are using self-signed SSL certificates, deploy the certificates to user machines. In addition, distribute the Application Manager certificate to each Connector instance.

Reconfigure SAML applications to use HTTPS instead of HTTP.

Reinstall the Horizon Agent on user machines to use HTTPS instead of HTTP.

Load Balancing and High Availability

For Application Manager, install a supported external database server and point multiple Application Manager instances to that external database server.

Production

SSL Connectivity

Replace your self-signed SSL certificates with signed third-party CA certificates.

For Application Manager, verify that insecure ports are disabled and secure ports are enabled.

For the Connector, verify that secure mode is enabled.

Verify that SAML applications are configured for HTTPS.

Verify that the Horizon Agent has been reinstalled on user machines to use HTTPS.

Load Balancing and High Availability

For Application Manager, install a supported external database server and point multiple Application Manager instances to that external database server.