Select Page
Know Your Options with Citrix and VMware

Know Your Options with Citrix and VMware

No, this is not an article about Citrix vs. Horizon and which product is better. And I think that you should not compare Citrix and VMware anymore. If you are still reading and haven’t closed the tab in your browser yet, you made the right decision. The intent of this article is to help you better understand when the usage of Citrix Virtual Apps and Desktops (CVAD) makes sense, which VMware products could complement a CVAD infrastructure and the different options you have with VMware Horizon.

I think it is a very big plus that I worked for Citrix before and still have some technical knowledge. This gives me more credibility in front of the customer and I am not just someone from a vendor, who tries to blame or downplay the other competitor to sell his on stuff. In fact, I always tell my customers how good Citrix is – there is no doubt about that.

But people are still stuck in the past and have the knowledge from four or six years ago. VMware Horizon has evolved into a very mature virtual apps and desktops solution and at the same time VMware’s products evolved as well and the story and product portfolio are better than ever.

Would have asked me a few years ago, no matter if I would be still with Citrix or already with VMware, VMware Horizon had some (feature) gaps and differences (e.g. display protocol) compared to Citrix. But Horizon has transformed into a equal player in the market and can do the same as CVAD (formerly XenDesktop and XenApp).

Let’s see which enhancements or new features have been released in the last 18 months for Horizon:

  • A lot of enhancements and closed feature gaps for the Horizon HTML5 console (now default)
  • RDS Drain Mode and RDSH Load Balancing configurable from UI
  • Improved CDR (Client Drive Redirection) performance
  • Increased CPA (Cloud Pod Architecture) scale up to 250k sessions
  • Session “pre-launch”
  • Two-Factor Re-Authentication
  • Client UI redesign
  • vGPU vMotion (came with vSphere 6.7 U1)
  • VM hosted apps (published applications from Win10 desktop pools)
  • Longer Lived Instant Clones
  • Horizon Cloud Services Enhancements & WVD support for Horizon Cloud on Azure
  • VMware Skyline Log Assist
  • App Volumes 4
  • New REST APIs
  • Bandwidth savings in Blast (with Blast Codec)
  • CPU utilization by Blast has been reduced
  • Blast Extreme HEVC High Color Accuracy support
  • Automatic codec switching based on screen content
  • NSX Advanced Load Balancer (Avi LB) support

As you can see, a lot work has been done and a lot of time has been invested to make Horizon better! These improvements are one of many why I think it’s useless to compare Citrix vs. Horizon, because both can basically do the same if you ask me.

Note: Horizon 8.0 is coming very soon and the beta program for it starts in a few weeks! Stay tuned for more enhancements and innovation. 🙂

Citrix and VMware – Four Options

When I think about Citrix and VMware, there are four options which come up in my mind how a customer could move forward at any given time:

  1. Replace Citrix with Horizon
  2. Integrate Citrix with Workspace ONE
  3. Enhance Citrix with Horizon or Workspace ONE components
  4. Enhance Citrix with other VMware components
  5. Use Citrix and VMware Horizon (yes, there are customers with both!)

Replace Citrix with Horizon

The first option is the most obvious one and can happen from time to time due to various reasons. Sometimes the customer is just not happy anymore (technical or commercial) or wants to try something new because of one or more of the other listed options (integration and enhancements in place already).

A migration would be very easy. StoreFront could be replaced by Workspace ONE Access (formerly vIDM), the VDA installed on RDS hosts or virtual desktops need to be replaced with the Horizon agent and on the client side the Citrix Workspace App (Citrix Receiver) gets replaced by a Horizon Client (including HTML5 client).

VMware and Citrix Partnership

A replacement could also be done in parallel where you install a Horizon infrastructure beside the current Citrix environment and move the users over whenever you are ready.

If you are running your desktops on Azure together with Citrix Cloud, then the Citrix Cloud piece can be replaced with the Horizon Cloud Service on Azure. Citrix and VMware Horizon are both supported if you are looking for a connection broker for your Windows Virtual Desktops (WVD).

Integrate Citrix with Workspace ONE

The second option doesn’t come up very often. If a Citrix customer is using CVAD only and no Citrix Endpoint Management (formerly known as XenMobile) or Microsoft Intune (or MobileIron) and is considering Workspace ONE for their unified endpoint management of iOS, Android, macOS or Windows 10 clients, then mutual customers could use Workspace ONE (WS1) Access as the web portal or application catalog and single point of access for any application.

As just mentioned already, Workspace ONE users and devices access Citrix-published resources by integrating their Citrix deployment with Workspace ONE Access, which offers an application portal, single-sign on capabilities, conditional access and many other features. Citrix-published resources include applications and desktops from any CVAD infrastructure starting from XenApp 6.0.

All entitlements are still configured in Citrix Studio and you just have to sync these users and groups to the WS1 Access services from Active Directory first.

Beside WS1 Access you need one additional component called the Integration Broker, which can be installed on a Windows Server. The Integration Broker is responsible for the communication with all Citrix farms/sites. The WS1 Access connectors then communicate with the Integration Broker.

Workspace ONE Integration Broker

More information can be found here. That’s all what is needed for the integration with Workspace ONE.

Enhance Citrix with Horizon or Workspace ONE components

VMware has customers with a large Citrix footprint of several thousand users. And some of these customers are using Horizon components together with their Citrix infrastructure. The two most used Horizon components in a Citrix infrastructure are:

I am not up to date anymore what Citrix App Layering, Profile Management (UPM) and Workspace Environment Management (WEM) can do for you today. But App Volumes would replace App Layering and Dynamic User Environment (DEM) would replace UPM and WEM in a Citrix environment.

Don’t know if this still is the case, but a few years ago App Layering had very limited features, didn’t perform and the handling of layers was a pain. And WEM just didn’t scale in larger Citrix environment. Probably Citrix UPM still is doing its awesome job but is leveraging FSLogix for profile and O365 container management and I assume that WEM is also installed more nowadays.

If Citrix App Layering is in use, then probably the FSLogix Application Masking feature could be used as well to hide some components in the image, which also allows the admin to manage fewer golden images. This is something you also can do with Dynamic Environment Manager in combination with App Volumes.

Before FSLogix was available to almost every joint Citrix/VMware and Microsoft customer, it totally made sense to use something like DEM for the user environment management, as DEM has similar features as FSLogix.

To understand the integration of FSLogix and AV and DEM better, this article from VMware’s Digital Workspace TechZone is for you. 

Maybe you ask yourself now how you could get App Volumes and Dynamic Environment Manager for your Citrix environment? Well, there are a few ways and options:

  • Buy the “Horizon Enterprise” or “Horizon Apps Advanced” edition which includes AV and DEM (yes, can happen)
  • Buy the “Workspace ONE Enterprise” edition which includes “Horizon Apps Advanced”
  • Buy the “Workspace ONE Enterprise for VDI” edition which includes “Horizon Enterprise”

You have to buy another license from another vendor, yes. But, let me explain why this could make sense.

Scenario 1 – Citrix customer is buying Workspace ONE Enterprise

Let’s assume you are a Citrix customer and use CVAD to publish applications to your users, but want to manage your iOS, Android, macOS and Windows 10, IoT devices with one solution or platform. That’s the moment when you go for Workspace ONE as your Unified Endpoint Management (UEM) platform. Here’s what you get with Workspace ONE Enterprise:

  • iOS, Android, macOS, Windows 10 and IoT device management (MDM/UEM)
  • Workspace ONE Access
  • Application delivery and management (mobile and desktop)
  • Mobile SSO
  • Workspace ONE productivity apps (email, tasks, notes, content/file repository, web, card scanner)
  • Multi-Factor Authentication (MFA) with “Workspace ONE Verify” mobile application
  • Workspace ONE Intelligence (SaaS-based intelligence and automation engine including reporting)
  • Add-on: Remote Management of any device based on Workspace ONE Assist
  • Add-on: Workspace Security (Carbon Black offerings)
  • Horizon Apps Advanced

The Horizon Apps Advanced edition includes the following:

  • RDS published apps (no desktop OS, only server OS) and session-based desktops
  • ThinApp (not included with WS1 Enterprise)
  • App Volumes
  • Dynamic Environment Management
  • vSphere Desktop

As you can see, you are removing silos in your digital workspace and can use App Volumes and Dynamic Environment Management at the same time to enhance your Citrix infrastructure.

Scenario 2 – Citrix customer is buying Workspace ONE Enterprise for VDI

The difference between scenario 1 and scenario 2 is the Workspace ONE Enterprise for VDI license, which includes the following components:

  • Published desktops and apps (server OS and desktop OS incl. Linux)
  • App Volumes
  • ThinApp (not included with WS1 Enterprise for VDI)
  • Dynamic Environment Management
  • vRealize Operations for Horizon (not included with WS1 Enterprise for VDI)
  • vSphere Desktop
  • vSAN Advanced for Desktop with All-Flash

WS1 Enterprise for VDI makes it possible to have VDI based on the Windows desktop operating system (e.g. Windows 10) as well and adds the infrastructure capability to run your desktop workloads on vSAN enabled clusters! The only thing which differs from the regular standalone Horizon editions, is, that ThinApp and vRealize Operations are not part of the suite. If you have a lot of legacy apps or you need application virtualization or isolation, then take a look at ThinApp.

Applications installers such as MSI files can be packaged into a portable EXE file and can then be run on any physical or virtual Windows PC and delivered with App Volumes (RDS/VDI) or with Workspace ONE (persistent VDI desktop or physical desktop).

And you get the “vSphere for Desktop” edition in both cases which is another killer argument why you could buy Workspace ONE Enterprise (for VDI) licenses as a Citrix customer.

vSphere Desktop

I don’t have any confirmed number, but I assume that 70% of the Citrix customers are using VMware vSphere as their hypervisor. Each regular Horizon edition has vSphere Desktop included which many people are not aware of.

vSphere for Desktop is a special edition, which provides the full range of features of the vSphere Enterprise Plus edition:

  • The new image management feature to patch, update or upgrade ESXi clusters (vSphere 7.0)
  • vCenter Server profiles and update planner (vSphere 7.0)
  • Distributed vSwitch
  • Secure access and account management with ADFS (vSphere 7.0)
  • Distributed Resource Scheduler (DRS)
  • Storage DRS
  • Nvidia GRID vGPU

vSphere Desktop is licensed based on the total number of powered-on VMs and has no processor limitation. It’s available in a pack size of 100 desktop VMs with up to 100 users per pack. VERY IMPORTANT: vSphere Desktop can be used for a VDI environment only and a vCenter license is not included in vSphere for Desktop.

This is the only restriction mentioned in the vSphere Desktop FAQ:

vSphere Desktop can be used only to host a desktop
virtualization environment or desktop management and
monitoring tools. Each pack of 100 VMs can be used for
up to 100 users. You can use vSphere Desktop for desktop
management and monitoring tools in a VDI environment
only. Desktop licenses covered by this provision, however,
may not be managed by the same instance of VMware
vCenter that is being used to manage non-desktop
OS virtual machines.

So, what is considered as a “desktop virtualization environment” including monitoring tools? Normally you would separate your Citrix or Horizon infrastructure servers from the virtual machines which provide the virtual desktops and applications. But this design is more a leading practice and recommended by reference architectures and therefore it is technically possible to mix the RDS and VDI virtual machines with the infrastructure servers like:

  • Connection Server / Delivery Controller
  • Workspace ONE Access / StoreFront
  • Unified Access Gateway / NetScaler
  • Active Directory
  • Monitoring Tools (vRealize Operations / Director)
  • any “other infrastructure directly related to and exclusive to the VDI environment”

In a Citrix Virtual Apps and Desktop environment you can use vSphere Desktop to provide the virtual machines (desktops) and the underlying infrastructure. In this use case, you are licensed per virtual machine and virtual machines used to host the infrastructure servers. These two numbers will be counted against your “total powered-on VM” count. If your Citrix environment has a 100-pack of vSphere Desktop licenses and you host 85 VDI desktops and 15 VMs that host the Citrix VDI environment, then you have used up all the 100 vSphere Desktop licenses.

vSAN Advanced for Desktop

vSAN Advanced for Desktop is shipped together with Horizon Advanced, Horizon Enterprise and Workspace ONE Enterprise for VDI. This license is available for customers using vSAN exclusively for a VDI infrastructure.

Horizon Universal License

The Horizon Universal License is a single subscription-based license, which is included in the Workspace ONE Enterprise edition and serves as an entitlement for all Horizon products, namely Horizon Cloud (including Horizon Cloud Apps) and Horizon on-premises (including Horizon Apps). Thus, the universal license entitles you for the following solutions:

This universal license gives customers the choice to start with an on-premises Horizon deployment and to move to the cloud (or vice versa) without requiring a new license.

Note: Because it’s the universal license and not a regular Horizon license, which is included in the WS1 editions, vRealize Operations (vROps) is not part of this subscription bundle. If needed, vROps can be bought as a standalone license.

Thin Client Management

I thought it is worth mention it here. Keep in mind that you could use a platform like Workspace ONE to manage your thin clients. If your environment is heavily using thin clients you could “build” your own thin client based on Windows 10 IoT Enterprise and manage it via Workspace ONE.

E.g. Workspace ONE can manage Dell Wyse 5070 thin clients with Windows 10 IoT Enterprise. If needed, WS1 can configure the Unified Write Filter (UWF) feature to protect your thin client drives for any changes (saved data, setting changes or app installations). This is also helpful for increasing security for kiosk PCs in hotels, public spots, internet cafés etc. or for devices where it’s not expected to have new application frequently added.

WS1 Unified Write Filter

Enhance Citrix with other VMware components

We know that you could make your Citrix environment “better” with Horizon components like App Volumes or Dynamic Environment Manager and vSphere components like vSphere and vSAN. But there are other products and components which could make sense in a Citrix environment.

I believe, today, VMware has something which you could call a partnership and both CTOs are clearly leading the way:

Citrix Partnership VMware

 

I don’t know if it ever happened before that Citrix mentioned VMware on stage at Synergy, but the announcement from the above picture brings me to my first solution which you could use for your Citrix deployment.

VMware Cloud on AWS

What has been announced at Citrix Synergy 2019? The intent to officially support CVAD running on VMware-based clouds, starting with VMware Cloud on AWS. Many organizations are evaluating or even using a hybrid cloud approach already. This announcement should help Citrix customers, who are running their workloads on vSphere already, to seamlessly move to the cloud to experience a consistent infrastructure with consistent operations.

Because you are using the same technology stack on-prem and in the cloud, this allows you to easily bring your RDS and VDI golden images to the cloud without any a conversion.

I see two deployments options here. Either you leverage the Citrix Cloud services (use VMC as a resource location) or manually install your Citrix infrastructure like you would normally do in your on-premises environment.

VMC on AWS is Citrix-Ready

Note: VMC on AWS is citrix-ready since Q4 2018!

CVAD on VMC on AWS

If you would like to know more about running Citrix Virtual Apps and Desktops with VMC on AWS, please watch the VMworld 2019 recording of the session “Building Global Citrix Virtual Apps and Desktops with VMware Cloud on AWS (HBI2247BU)“. There’s also a recording of the US 2019 session “Building Global Citrix Virtual Apps and Desktops with VMware Cloud on AWS“, presented by Andrew Morgan and James Hsu.

Interesting facts:

  • It takes about 60-70min in average to deploy a new SDDC on VMC on AWS
  • 12min is the average time to add a new host
  • Stretched clusters give you a guaranteed SLA of 99.99%
  • Sync your VM templates with your Content Library
  • Andrew and James deployed 100 Win10 desktops in 5min only
  • PVS and MCS both work on VMC on AWS

NSX – Software-Defined Networking

Digital transformations are nothing new, but get more complex with newer technologies we have today. One very important topic which came up in 2019 and is one of the most important trends for 2020 is “cyber security” or “zero trust security”. VMware and Citrix are both pointing to a zero trust approach to protect the workforce, any app and data. VMware has defined 5 pillars of zero trust for a digital workspace and “transport/session trust” is one of them with these parameters:

  • Micro-Segmentation
  • Transport Encryption
  • Session Protection

For secure transport of a user’s session you would use appliances like the Unified Access Gateway (UAG) or Citrix NetScaler. To achieve a trusted network access within the data center and between workloads, you’ll need something like NSX and micro-segmentation. Citrix has only a SD-WAN solution to protect branch offices and branch users, but no solution for micro-segmentation. What is micro-segmentation and why is it important?

Imagine that network policies can be bound to a virtual machine or in our case to a virtual desktop and dynamically follow a virtual desktop. This is very helpful in the case of VMC on AWS for example. You can easily move the workload to the cloud and move the networking policies together with the VM, because the underlying stack on VMC on AWS (based on VMware Cloud Foundation) includes NSX and the vSphere hypervisor.

How would you secure the communication and access between desktops in the same VLAN? All desktops on a VLAN can communicate freely and one compromised desktop allows lateral movement. With NSX we can provide granular control of desktops and user/group based access control. This is micro-segmentation.

NSX Micro-Segmentation

Here are two articles about Citrix and NSX from VMware and Citrix:

If you are interested in 100% software-defined networking and are thinking to replace an existing hardware or virtual ADCs (application delivery controllers), take a look at NSX Advanced Load Balancer (formerly Load Balancer from Avi Networks).

NSX Advanced Load Balancer Architecture

Where VMware Horizon differs from Citrix

Now you know the four options you have as a Citrix customer when considering VMware products for your current and future environment. Let me explain you why you shouldn’t compare Citrix and VMware Horizon anymore. To get started, you need to understand all the different options you have and how and where you could consume VMware Horizon:

  • Horizon on-premises
  • Horizon Cloud
  • Horizon DaaS

And with the different desktop virtualization offerings there are also different management responsibilities for the customer, partner and VMware:

VMware Horizon Responisibilities

Customers have the flexibility to choose the level of control they want to have over the Horizon and data center infrastructure. If full control of the solution is needed, then you would probably implement Horizon with vSphere on-premises. For use cases where you only would like to maintain the desktop and apps only without concerning yourself about managing any infrastructure, Horizon Cloud on Azure could be one option.

Horizon On-Premises

The biggest difference for me, if you really want to compare Citrix and VMware in a better way, is to see the big picture. People need to understand that it is totally normal that one vendor sometimes is ahead or behind the competitor. The feature set from both vendors, only considering desktop virtualization, is pretty much the same.

When you start a desktop virtualization project and design the solution, you also have to think about the data center part. I’m am not only talking about Horizon and the storage or network requirements here. It’s important to understand the general strategy and vision of VMware and your employer/customer.

Today, automation is a design requirement and you ideally build your on-premises infrastructure based on public cloud principles. Companies don’t start anymore by buying hardware and think about automation later. They want to buy and build something that can be automated from day 1 like it’s done in the public cloud. Everything needs to be agile and elastic and should be able to change when any kind of change occurs.

Because of that it is essential to understand the cloud infrastructure part very well and this is the big difference between Citrix and VMware. We shouldn’t only talk about EUC (End-User Computing) only, but even consider other projects or domains of the infrastructure:

  • Does it fit in my cloud operating model?
  • Can I use an existing solution to automate it (software and hardware)?
  • How would I move my workloads to the cloud tomorrow?
  • Can I integrate existing solutions in my ecosystem (e.g. security, IPAM etc.)?
  • Can it be integrated in our existing or new platform for modern applications based on containers?
  • What about day 2 operations if I need to expand?
  • Can I reduce my silos and reduce the number of vendors and licenses somehow?

The installation of a complete Horizon (or Citrix) infrastructure can be done in a few days, normally, but larger environments require a lot of automation and integrations into the existing infrastructure. Then we talk about several months and not days or weeks anymore.

Horizon on VMware Cloud Foundation

VMware Cloud Foundation (VCF) is made for any workload and is a hybrid cloud platform which provides a set of software-defined components for compute, storage, networking, security and cloud management. VCF is an engineered solution that integrates the entire VMware stack without the need you dealing with complex interoperability matrixes.

VMware Cloud Foundation Overview

The architecture is built on VMware’s Validated Designs (VVD) to reduce the risk of misconfigurations or design failures. The VCF stack is also used with VMC on AWS or Azure VMware Solutions (AVS) for example. This is another reason that clearly shows that this technology stack is the right for any (VMware) infrastructure. If workload mobility is part of your IT strategy, then only VMware can offer this at the moment.

VCF 4.0 Bill of Materials

VMware Cloud Foundation has a “siloed” approach when it comes to the deployment. Based on different hardware resource pools you can create different so-called workload domains (WLD). Each WLD is a different SDDC instance which is managed by software-defined policies. The Horizon deployment can form one or more VDI WLDs.

VCF WLD Overview

Because it’s a standardized approach, VCF makes it very easy to scale on-demand depending on your needs. To get started you’ll need a management workload domain, which is a special-purpose workload domain dedicated for infrastructure and management components like the SDDC Manager, vCenter Servers, vRealize Suite and NSX. The SDDC Manager is responsible for the creation, update or deletion of a workload domain.

Using the regular standard architecture model for VCF, an environment starts with at least 4 physical servers for the management domain, 3 servers for the VI workload domain (Active Directory, SQL servers, any general infrastructure VM) and 3 servers for a Horizon VDI workload domain. This gives us a starting point of 10 physical servers if you build a complete IT infrastructure from scratch. Otherwise you just need the management domain and VDI workload domain with a total minimum of 7 physical servers.

There is also the option available of a consolidated architecture design for smaller environments. In this design the management and workloads run together on a shared management domain. But the consolidated architecture doesn’t support the automated deployment of Horizon yet.

For the automated deployment of Horizon on VCF you would use the SDDC Manager to deploy Connection Servers, App Volumes, Dynamic Environment Manager and Unified Access Gateways. Let me show you some part of the wizard to create a VDI WLD:

You don’t have to install the components by hand, but still need to do your homework before you can deploy the WLD.

I skipped a few steps. You need to upload the Windows server template, convert an existing VI WLD to a Horizon VDI WLD, configure the Horizon AD service account, provide a SQL server and provide information for the load balancers before you reach the step where you enter the details for the connection servers:

One more App Volumes Manager can be added as well:

If you reached the end, you’ll see a review page to do a final check and after that you can run a validation of all your inputs. The deployment of at least one Connection Server is required, but Horizon Composer Servers, UAGs, App Volumes and DEM are optional components and could be skipped.

To expand a current VDI WLD to install UAGs or just to expand the Horizon Pod (add ESXi hosts or Connection Servers) VCF gives you the option to start small and expand later. In the future it should also be possible to shrink a VDI WLD.

The lifecycle management with VCF is very easy. Available updates for all components are tested for interoperability and then bundled with the necessary logic for the proper installation order. VCF offers automated lifecycle management on a per-cluster basis (one WLD can have one or more clusters). This allows admin to target specific workloads or environments for updates independently of the rest of the environment.

VCF Lifecycle Management

For a VDI workload domain VCF delivers a nice view to see the allocated servers/resources and each component related to this workload domain. 

VCF Horizon Deployment WLD

Horizon on VCF on VxRail

So, we know now that VMware Cloud Foundation is the “easy button” for the deployment of the full vSphere stack including vSAN, NSX, vRealize Operations, vRealize Automation, vRealize Log Insight and so on. VCF on VxRail goes one step further and provides you the “one-click upgrade button” for your vSphere stack including the server hardware and firmware. VxRail bundles are pre-configured and pre-tested and therefore validated by Dell EMC and VMware.

VxRail SDDC Manager

The cool thing with VxRail is, that it gives you flexibility for your workloads and that you can choose between different series based on Dell EMC PowerEdge servers. You have multiple compute, memory, storage, network and graphics (M10, P40, T4) options available to cover your workloads and applications with the right server specifications.

VxRail Server Series

Citrix (on VCF) on VxRail

Since VxRail is an HCI appliance, it can run everything on top. I know some larger Citrix customers who are running their Citrix infrastructure on VxRail. It is also possible to run your Citrix infrastructure on VCF on VxRail on a VI workload domain. The only difference with Horizon is the missing automation and integration into the whole (VCF) stack.

Intrinsic Security

In case you missed it, VMware bought Carbon Black and has a new security business unit now. And this is one very important differentiator in this virtual cloud computing space. If VMware’s software-defined data center is your platform of choice already, it makes sense to use a security solution which can be fully integrated and provided by the same vendor.

VMware Security Solutions with Carbon Black

Imagine, that the endpoint protection agent is already integrated in the Horizon Agent and that you could deliver security from your mobile endpoints (Windows, Mac, Linux) to your workloads (VMs or container) in your data center or any cloud (AWS, Azure, GCP). Sounds too good to be true? No, this where the VMware products are heading, especially with Workspace ONE and Horizon (next-gen AV, behavioral EDR, audit and remediation)! 

Workspace ONE for Horizon

I mentioned it already, Horizon is included in the Workspace ONE Enterprise editions. I haven’t covered the case yet where you could combine Horizon and Workspace ONE. If you provide your users persistent virtual desktops based on Windows 10, then it is also possible to manage those with Workspace ONE as well. This will help if you want to move away from a traditional PC lifecycle management (PCLM) solution and move to a modern management approach. So far this only supported with Horizon on-premises installation. Take a look at the product interoperability matrix:

Workspace ONE for Horizon

For which other use cases could this be useful?

  • Physical desktops with Horizon Agent installed (Remote PC access)
  • Physical servers with Windows 10 installed (e.g. HP Moonshot)

I don’t know if the last option has been tested but Windows 10 is a supported operating system for HP Moonshot cartridges.

Horizon Cloud

The Horizon (Cloud) Service is a group of cloud-based services that deliver features for Horizon deployments. This includes the Windows Virtual Desktop (WVD) on Azure as well since the 17th March 2020. Any customer who is using a Horizon subscription license, such as the universal license, can use the Horizon Service.

Horizon Cloud Service Overview

The goal of Horizon Cloud is to provide a single-pane management UI for the delivery and management of your desktops and applications. This is the overview dashboard which shows some information about the health and capacity of all your Horizon deployments.

Horizon Cloud Dashboard

The Cloud Monitoring Service (CMS), which is one of the central services of the Horizon Service, provides data about the user’s session and issues. It can show you how many users and their user experience are impacted related to issues (latency, protocol, slow logon).

In the administration console you can configure the role-based access (RBAC) for your helpdesk admins. It allows them to log in to the admin console and use the search feature to look up users. The help desk administrator can then look up the user’s sessions and perform troubleshooting or desktop maintenance operations. 

Horizon Cloud Helpdesk

The Image Management Service (IMS) is one of the coolest feature of the Horizon Service. As the name suggests it already, it allows you to manage Horizon images from the cloud. You can create, customize, publish and even version all your different images for your Horizon pods. IMS provides a centralized catalog for your images and these can be automatically replicated across the cloud-connected Horizon pods.

Important note: The current release of Horizon Cloud only supports Windows operating systems and on-premises Horizon pods.

Universal Broker

When I joined VMware in May 2018 I was waiting for a feature like this and tried to explain some product managers (PM) that we need something like the Universal Broker. I was looking for a solution that we can avoid E/W traffic in a Horizon multi-pod deployment. I think I tried to explain it to some of our PMs using Citrix’ Optimal Gateway Routing for
Storefront & NetScaler capability. Nobody understood me, but at least we have it now. 😀

Horizon Universal Broker is the cloud-based brokering technology used to manage and allocate virtual resources from multi-cloud assignments to your end users.

These are the listed key features in the VMware Horizon Cloud Service documentation:

  • Single FQDN for all multi-cloud assignments
  • Global pod connectivity and awareness for optimal performance (no longer need for GSLB and no more E/W traffic)
  • Smart brokering (awareness of geographical sites and pod topology)

This diagram shows the Universal Broker components and how the traffic flow works:

  1. From Horizon Client, the end user requests a virtual desktop by connecting to the Horizon Universal Broker service through the brokering FQDN. The service uses the XML-API protocol to authenticate the Horizon Client user and manage the connection session.
  2. After determining that Pod 1 in Site 1 is the best available source for the desktop, the Horizon Universal Broker service sends a message to the Horizon Universal Broker client, which runs on the Horizon 7 Cloud Connector paired with Pod 1.
  3. The Horizon Universal Broker client forwards the message to the Horizon Universal Broker plugin, which runs on one of the Connection Server instances within Pod 1.
  4. The Horizon Universal Broker plugin identifies the best available desktop to deliver to the end user.
  5. The Horizon Universal Broker service returns a response to Horizon Client which includes the unique FQDN of Pod 1 (typically the FQDN of the Pod 1 load balancer). Horizon Client establishes a connection with the load balancer to request a protocol session with the desktop.
  6. After passing through the local load balancer, the request goes to the Unified Access Gateway for Pod 1. The Unified Access Gateway validates that the request is trusted and prepares the Blast Secure Gateway, PCoIP Secure Gateway, and tunnel server.
  7. The Horizon Client user receives the specified desktop and establishes a session based on the configured secondary protocol (Blast Extreme or PCoIP).

Horizon DaaS

In 2013 VMware acquired Desktone. A company that was specialized in delivering desktops and applications as a cloud service. The product got renamed during the years and kept the name “Horizon DaaS“. This is the reason that Horizon DaaS is not just another version of the classic “Horizon” or “Horizon View” since it was a different product which VMware bought. It’s important to know that there are technical differences/characteristics between Horizon and Horizon DaaS because of this history.

Horizon DaaS is the Horizon Desktop-as-a-Service platform for service providers. Not many people understand and know this specific product and you won’t find a lot of content on blogs about it.

The most recent information, beside the official Horizon DaaS documentation, can now be found here 😉 or on Johan’s blog, where he published a lightboard series about Horizon DaaS.

As a service provider you have different options to provide a “managed desktop” or “DaaS” offering:

  • Dedicated Horizon deployment hosted in your data center (licenses through VCPP rental)
  • Horizon Cloud Service (DaaS offering licensed through VCPP MSP)
  • Horizon DaaS – multi-tenant Horizon deployment hosted in your data center (VCPP rental)

Again, Horizon DaaS should be seen as something different than Horizon, it’s really just not Horizon. But the future strategy and look of the user interface will be aligned with Horizon Cloud, because VMware’s Horizon Cloud Service is powered by Horizon DaaS already.

If multi-tenancy is a key requirement for your business, you’ll have to go with Horizon DaaS. Otherwise the regular Horizon edition or the combination with Horizon Cloud are the right fit. Horizon DaaS and Horizon have common components like vCenter, Agents, UAGs etc., but there are also different appliances with Horizon DaaS which replace components of a regular Horizon deployment.

Horizon DaaS Architecture

With Horizon DaaS you are going to have “Service Provider” appliances, “Tenant” appliances and “Tenant Resource Manager” appliances, which form the DaaS back-end.

The Service Provider Appliance is the first appliance installed in a data center and provides the foundation to install the remainder of the Horizon DaaS application.

The Resource Manager abstracts the specifics about the desktop infrastructure from the tenant appliances and allows multiple Desktop Managers to communicate with their respective virtualization resources. A Resource Manager appliance integrates with the hypervisor and storage infrastructure in a given data center. A single Resource Manager appliance can be shared across multiple tenants.

The Tenant Appliance provides the tenant with both end user and administrative access to their virtual desktops. End users access and manage their individual virtual desktops via the Desktop Portal. Administrators create and manage their virtual desktops via the Enterprise Center. The Tenant Appliance includes the Desktop Manager, a per-tenant resource that manages each tenant’s virtualization resources and communicates with a tenant’s hosts (hypervisors). You associate the desktop manager with a resource manager and one or more host managers.

It’s not 100% clear from the Horizon DaaS 8.0.0 Service Center guide, but a Tenant Appliance replaces the Connection Server you would know from a regular Horizon deployment (one of the differences I was already referring to).

Use what makes sense

For me it is very important that you understand how VMware products can help and that people are aware of all the different options they would have with VMware and Horizon.

You must form your own view and opinion and I hope this article was useful to get facts from both worlds (based on my best knowledge and experience). If you understand Horizon better now, this is already fine for me.

There was no intention to lead the path to a way where you would replace Citrix. The new information should help you to make the right decision for your company, your environment, your needs and use cases. Use the products which make sense for you and make sure you understood all options.

Azure VMware Solutions

Azure VMware Solutions

Since Dell Technologies World 2019 it’s clear: VMware and Microsoft are not frenemies anymore!

Dell Technologies and Microsoft announced an expanded partnership which should help customers and provide them more choice and flexibility for their future digital workspace projects or cloud integrations.

One result and announcement of this new partnership is the still pretty new offering called “Azure VMware Solutions” (AVS). Other people and websites may also call it “Azure VMware Solutions by Virtustream” or “Azure VMware Solutions by CloudSimple”.

AVS is a Microsoft first-party offering. Meaning, that it’s sold and supported by Microsoft, NOT VMware. This is one very important difference if you compare it with VMC on AWS. The operation, development and delivery are done by a VMware Cloud Verified and Metal-as-a-Service VCPP (VMware Cloud Provider Program) partner; CloudSimple or Virtustream (subsidiary of Dell Technologies). AVS is fully supported and verified by VMware.

VMware Metal-as-a-Service Authorized partners Virtustream and CloudSimple run the latest VMware software-defined data center technology, ensuring customers enjoy the same benefits of a consistent infrastructure and consistent operations in the cloud as they achieve in their own physical data center, while allowing customers to also access the capabilities of Microsoft Azure.

So, why would someone like Microsoft run VMware’s Cloud Foundation (VCF) stack on Azure? The answer is quite simple. VMware has over 500’000 customers and an estimated number of 70mio VMs which are mostly running on-premises. Microsoft’s doesn’t care if virtual machines (VMs) are running on vSphere, they care about Azure and the consumption in the end. AVS is just another form of Azure, Microsoft says. I would say it’s very unlikely that a customer moves on to Azure native once they are onboarded via Azure VMware Solutions.

Microsoft would like to see some of the 70mio running on their platform, no matter if it’s VCF on top of their Azure servers. Customers should get the option to move to the Azure cloud, using Azure native services (e.g. Azure NetApp Files, Azure databases etc.), but give them the choice and flexibility to use their existing technology stack, ecosystem and tools (e.g. automation or operation) they are familiar with – the whole or some part of the VCF coupled with products from the vRealize Suite. Plus, other VMware 3rd party integrations they might have for data protection or backup. This is one unique specialty – Microsoft says – that there is no restricted functionality as you may experience in other VMware clouds.

Azure VMware Solutions Components

From VMware’s perspective most of our customers are already Microsoft customers as well. In addition to that VMware’s vision is to provide the freedom of choice and flexibility, same like Microsoft, but it one small difference: to be cloud and infrastructure agnostic. This vision says that VMware doesn’t care if you run your workloads on-prem, on AWS, Azure or GCP (or even at a VCPP partner’s cloud) as long it’s running on the VCF stack. Cloud is not a choice or destination anymore, it has become an operation model.

And to keep it an operation model without having a new silo and the vendor lock-in, it makes totally sense to use VMware’s VCF on top of AWS, Azure, GCP, Oracle, Alibaba or any other VCPP partners. This ensures that customers have the choice and flexibility they are looking for, coupled with the new and maybe still surprising “new” or “special” public cloud. If your vision is also about workload mobility on any cloud, then VMware is the right choice and partner!

Use Cases

What are the reasons to move to Azure and use Azure VMware solutions?

If you don’t want to scale up or scale out your own infrastructure and would like to get additional capacity almost instantly, then speed is definitely one reason. Microsoft can spin up a new AVS SDDC under 60min, which is impressive. How is this possible? With automation! This proves that VMware Cloud Foundation is the new data center operating system of the future and that automation is a key design requirement. If you would like to experience nearly the same speed and work with the same principles as public cloud provider do, then VCF is the way to go.

The rest of the use cases or reasons are in general the same if we talk about cloud. If it’s not only speed, then agility, (burstable) capacity, expansion in a new geography, DRaaS or for app modernization reasons using cloud native services.

Microsoft Licenses

What I have learned from this MS Ignite recording, is, that you can bring your existing MS licenses to AVS and that you don’t have to buy them AGAIN. In any other cloud this is not the case.

This information can be found here as well:

Beginning October 1, 2019, on-premises licenses purchased without Software Assurance and mobility rights cannot be deployed with dedicated hosted cloud services offered by the following public cloud providers: Microsoft, Alibaba, Amazon (including VMware Cloud on AWS), and Google. They will be referred to as “Listed Providers”.

Regions

If you check the Azure documentation, you’ll see that AVS is only available in US East and West Azure regions, but should be available in Western Europe “in the near future”. In the YouTube video above Microsoft was showing this slide which shows their global rollout strategy and the planned availability for Q2 2020:

Azure VMware Solutions Regions 2020

According to the Azure regions website Azure VMware Solutions is available at the following locations and countries in Europe:

Azure VMware Solutions by Azure RegionSo, North Europe (UK) is expected for H2 2020 and AVS is already available in the West Europe Azure region. Since no information available about the Swiss regions, even the slide from the MS Ignite recording may suggest the availability until May 2020, it’s very unlikely that AVS will be available in Zurich or Geneva before 2021.

Azure VMware Solutions Components

You need at least three hosts to get started with the AVS service and you can scale up to 16 hosts per cluster with a SLA of 99.9%. More information about the available node specifications for your region can be found here. At the moment CloudSimple offers the following host types:

  • CS28 node: CPU:2x 2.2 GHz, total 28 cores, 48 HT. RAM: 256 GB. Storage: 1600 GB NVMe cache, 5760 GB data (All-Flash). Network: 4x25Gbe NIC
  • CS36 node: CPU 2x 2.3 GHz, total 36 cores, 72 HT. RAM: 512 GB. Storage: 3200 GB NVMe cache 11520 GB data (All-Flash). Network: 4x25Gbe NIC
  • CS36m node (only option for West Europe): CPU 2x 2.3 GHz, total 36 cores, 72 HT. RAM: 576 GB. Storage: 3200 GB NVMe cache 13360 GB data (All-Flash). Network: 4x25Gbe NIC

I think it’s clear that the used hypervisor is vSphere and that it’s maintained by Microsoft and not by VMware. There is no host-level access, but Microsoft gives you the possibility of a special “just in time” privileges access (root access) feature, which allows to install necessary software bits you might need – for example for 3rd party software integrations.

The storage infrastructure is based on vSAN with an all-flash persistent storage and a NVMe cache storage. More capacity can be made available by adding additional nodes or use Azure offerings which can be added to VMs directly.

Networking and security are based on NSX-T which fully supports micro segmentation.

To offer choice, Microsoft gives you the option to manage and see your AVS VMware infrastructure via vCenter or Azure Resource Manager (ARM). The ARM integration will allow you to create, start, stop and delete virtual machines and is not meant to replace existing VMware tools.

Microsoft support is your single point of contact and CloudSimple contacts VMware if needed.

Connectivity Options

CloudSimple provides the following connectivity options to connect to your AVS region network:

Depending on the connectivity option you have different ways to bring your VMs to your AVS private cloud:

How do I get started?

You have to contact your Microsoft account manager or business development manager if would like to know more. But VMware account representatives are also available to support you. If you want to learn more, check https://aka.ms/startavs.

Can I burn my existing Azure Credits?

Yes. Customers with Azure credits can use them through Azure VMware Solutions.

VMware’s Tanzu Kubernetes Grid

Since the announcement of Tanzu and Project Pacific at VMworld US 2019 a lot happened and people want to know more what VMware is doing with Kubernetes. This article is a summary about the past announcements in the cloud native space. As you already may know at this point, when we talk about Kubernetes, VMware made very important acquisitions regarding this open-source project.

VMware Kubernetes Acquisitions

It all started with the acquisition of Heptio, a leader in the open Kubernetes ecosystem. With two of the creators of Kubernetes (K8s), namely Joe Beda and Craig McLuckie, Heptio should help to drive the cloud native technologies within VMware forward and help customers and the open source community to accelerate the enterprise adoption of K8s on-premises and in multi-cloud environments.

The second important milestone was in May 2019, where the intent to acquire Bitnami, a leader in application packaging solutions for Kubernetes environments, has been made public. At VMworld US 2019 VMware announced Project Galleon to bring Bitnami capabilities to the enterprise to offer customized application stacks to their developers.

One week before VMworld US 2019 the third milestone has been communicated, the agreement to acquire Pivotal. The solutions from Pivotal have helped customers learn how to adopt modern techniques to build and run software and they are the provider of the most popular developer framework for Java, Spring and Spring Boot.

On the 26th August 2019, VMware gave those strategic acquisitions the name VMware Tanzu. Tanzu should help customers to BUILD modern applications, RUN Kubernetes consistently in any cloud and MANAGE all Kubernetes environments from a single point of control (single console).

VMware Tanzu

Tanzu Mission Control (Tanzu MC) is the cornerstone of the Tanzu portfolio and should help to relieve the problems we have or going to have with a lof of Kubernetes clusters (fragmentation) within organizations. Multiple teams in the same company are creating and deploying applications on their own K8s clusters – on-premises or in any cloud (e.g. AWS, Azure or GCP). There are many valid reasons why different teams choose different clouds for different applications, but is causing fragmentation and management overhead because you are faced with different management consoles and silo’d infrastructures. And what about visibility into app/cluster health, cost, security requirements, IAM, networking policies and so on? Tanzu MC let customers manage all their K8s clusters across vSphere, VMware PKS, public cloud, managed services or even DIY – from a single console.

Tanzu Mission Control

It lets you provision K8s clusters in any environment and configure policies which establish guardrails. Those guardrails are configured by IT operations and they will apply policies for access, security, backup or quotas.

Tanzu Mission Control

As you can see, Mission Control has a lot of capabilities. If you look at the last two images you can see that you not only can create clusters directly from Tanzu MC, but also have the ability to attach existing K8s clusters. This can be done by installing an agent in the remote K8s cluster, which then provides a secure connection back to Tanzu MC.

We focused on the BUILD and MANAGE layers now. Let’s take a look at the RUN layer which should help us to run Kubernetes consistently across clouds. Without consistency across cloud environments (this includes on-prem) enterprises will struggle to manage their hundred or even thousands of modern apps. It’s just getting too complex.

VMware’s goal in general is to abstract complexity and to make your life easier and for this case VMware has announced the so-called Tanzu Kubernetes Grid (TKG) to provide us a common Kubernetes distribution across all the different environments.

Tanzu Kubernetes Grid

In my understanding TKG means VMware’s Kubernetes distribution, will include Project Pacific as soon as it’s GA and is based on three principles:

  • Open Source Kubernetes – tested and secured
  • Cluster Lifecycle management – fully integrated
  • 24×7 support

Meaning, that TKG is based on open source technologies, packaged for enterprises and supported by VMware’s Global Support Services (GSS). Based on these facts you could say, that today your Kubernetes journey with VMware starts with VMware PKS. PKS is the way VMware deliver the principles of Tanzu today – across vSphere, VCF, VMC on AWS, public clouds and edge.

Project Pacific

Project Pacific, which has been announced at VMworld US 2019 as well, is a complement to VMware PKS and will be available in a future release. If you are not familiar with Pacific yet, then read the introduction of Project Pacific. Otherwise, it’s sufficient to say, that Project Pacific means the re-architecture of vSphere to natively integrate Kubernetes. There is no nesting or any kind of it and it’s not Kubernetes in vSphere. It’s more like vSphere on top of Kubernetes since the idea of this project is to use Kubernetes to steer vSphere.

Project Pacific

Pacific will embed Kubernetes into the control plane of vSphere and converge VMs and containers on the same underlying platform. This will give the IT operators the possibility to see and manage Kubernetes from the vSphere client and provide developers the interfaces and tools they are already familiar with.

Project Pacific Console

If you are interested in the Project Pacific Beta Program, you’ll find all information here.

I would have access to download the vSphere build which includes Project Pacific, but I haven’t got time at the moment and my home lab is also not ready yet. We hear customers asking about the requirements for Pacific. If you watch all the different recordings from the VMworld sessions about Project Pacific and the Supervisor Cluster, then we could predict, that only NSX-T is a prerequisite to deploy and enable Project Pacific. This slide shows why NSX-T is part of Pacific:

Project Pacific Supervisor ClusterFrom this slide (from session HBI1452BE) we learn that a load balancer built on NSX Edge is sitting in front of the three K8s Control Plane VMs and that you’ll find a Distributed Load Balancer spanned across all hosts to enable the pod-to-pod or east-west communication.

Nobody of the speakers ever mentioned vSAN as a requirement and I also doubt that vSAN is going to be a prerequisite for Pacific.

You may ask yourself now which Kubernetes version will be shipped with ESXi and how you upgrade your K8s distribution? And what about if this setup with Pacific is too “static” for you? Well, for the Supervisor Clusters VMware releases patches with vSphere and you apply them with the known tools like VUM. For your own built K8s clusters, or if you need to deploy Guest Clusters, then the upgrades are easy as well. You just have to download the new distribution and specify the new version/distribution in the (Guest Cluster Manager) YAML file.

Conclusion

Rumos say that Pacific will be shipped with the upcoming vSphere 7.0 release, which even should include NSX-T 3.0. For now we don’t know when Pacific will be shipped with vSphere and if it really will be included with the next major version. I would be impressed if that would be the case, because you need a stable hypervisor version, then a new NSX-T version is also coming into play and in the end Pacific relies on these stable components. Our experience has shown that the first release normally is never perfect and stable and that we need to wait for the next cycle or quarter. With that in mind I would say that Pacific could be GA in Q3 2020 or Q4 2020. And beside that the beta program for Project Pacific just has started!

Nevertheless I think that Pacific and the whole Kubernetes Grid from VMware will help customers to run their (modern) apps on any Kubernetes infrastructure. We just need to be aware that there are some limitations when K8s is embedded in the hypervisor, but for these use cases Guest Clusters could be deployed anyway.

In my opinion Tanzu and Pacific alone don’t make “the” big difference. It’s getting more interesting if you talk about multi-cloud management with vRA 8.0 (or vRA Cloud), use Tanzu MC for the management of all your K8s clusters, networking with NSX-T (and NSX Cloud), create a container host with a container image (via vRA’s Service Broker) for AI- and ML-based workloads and provide the GPU over the network with Bitfusion.

Bitfusion Architecture

Looking forward to such conversations! 😀

Introduction to Workspace ONE Express and Express+

Introduction to Workspace ONE Express and Express+

With the release of Workspace ONE UEM 1907 AirWatch Express has been renamed to Workspace ONE Express and a few months later VMware announced Workspace ONE Express+ which is the result of a partnership with Dell.

Workspace ONE Express (WS1 Express) is a SaaS-only solution which is perfectly made for startups and the small- and mid-market in general. It is a simple mobile device management (MDM) solution designed to get your mobile devices up and running quickly without requiring extensive knowledge or an on-premises infrastructure.

The main features are the configuration of WiFi, apps, e-mail and security – basic MDM. WS1 Express requires a minimum of 10 devices and can be used for up to 500 devices, whereas the regular Workspace ONE UEM editions require at least 25 devices/users and have an unlimited licensing scale.

So, which edition is the right one for you? It depends on your types of mobile devices, use cases and requirements.

If you are a small company for example with 50 iOS and Android devices and would like to configure the native e-mail client, WiFi access, deploy some apps and set a passcode, then the Workspace ONE Express is the edition you are looking for.

If you are a company with around 250 users and would like to manage your macOS and Windows 10 clients, then we have to take a closer look what your requirements are.

IMPORTANT: WS1 Express has some policies for macOS, but Windows 10 can only be managed with Workspace ONE Express+ !

This means that you have to go for the Workspace ONE UEM Standard edition, if you need an acceptable feature set for these operating systems.

What is the big difference between Workspace ONE Express and Workspace ONE UEM Standard?

As just mentioned before, the biggest difference is the limited feature set of WS1 Express and that you cannot configure payloads, but have to use the “blueprint setup”.

WS1Express-Blueprints_Create

Upon the initial login, a step-by-step wizard will help and guide you through the process of configuring WS1 and your devices.

WS1Express-Getting Started _Setup

During the creation of a blueprint you can select the policies for each operating system and you quickly realize that Workspace ONE Express is really offers basic MDM capabilities.

WS1Express-Blueprints_Policies

Apple DEP and Android Zero-Touch Enrollment are fully supported with the Express edition.

Can you start with Express and upgrade later to Standard or Advanced? Yes, you can! This is the great thing about Workspace ONE. If your company is small and would like to start small, then choose Express. If your company, the employee number and your requirements grow, upgrade to a regular Workspace ONE UEM Edition like Standard or Advanced. That’s the most recent Workspace ONE Edition Comparison Guide about Express, Express+ and Standard:

Workspace ONE Standard for macOS and Windows 10 Management

I doubt that a customer would start with Express if they have macOS and Windows clients. Even smaller companies have probably 80% of the same requirements when it comes to macOS and Windows 10 modern management.

But which features and configurations does VMware support with Workspace ONE Standard for Windows 10 management? Please find here an unofficial listing of the supported features:

OS Lifecycle

  • OOBE and Factory Provisioning (Device Onboarding)
  • Co-Management with SCCM and Workspace ONE AirLift
  • MDM profiles (passcode, WiFi, restrictions etc.)
  • OS Updates via WSUS or Windows Updates for Business

App Lifecycle

Security

  • Device Restrictions
  • Remote and Enterprise Wipe
  • GPS Tracking
  • DLP (Windows Information Protection, AppLocker)
  • AV and Firewall (Windows Defender, 3rd party AV deployment, Windows Firewall)
  • Conditional Access Management
  • Enforce BitLocker Encryption

WS1_MDM_capabilities

That is a lot you can do already with our Standard edition, right? What are the reasons that you would need the next higher Workspace ONE Advanced edition? Most probably if you need one or more features like:

  • Application Delivery and Application Lifecycle (win32 – MSI, EXE, MST, MSP, PS1, BAT, ZIP)
  • Peer-to-Peer Distribution (WS1 uses Windows BranchCache feature!)
  • Advanced BitLocker Encryption Management (key rotation, maintenance windows etc.)
  • Per-App VPN Tunneling with VMware Tunnel

What are the capabilities when it comes to macOS management? Well, also here, VMware’s approach is to have a modern imageless management over the air from the same management console. New devices can be enrolled with DEP and the Bootstrap Enrollment method, but existing users and devices have the choice of a web-based or staged enrollment.

WS1_MDM_macOS

Please find here an unofficial listing of the supported features and configuration for macOS payloads which are included in Workspace ONE Standard.

Via MDM interface

  • Passcode
  • Network
  • VPN
  • Certificates
  • SCEP
  • Dock
  • Restrictions
  • Parental Controls
  • Directory Binding
  • Security & Privacy
  • Disk Encryption
  • Login Items
  • Login Window
  • Time Machine
  • Finder
  • Printing
  • Content Filter
  • Device & Enterprise Wipe
  • Token Enrollment
  • User Management (unlock user account, logout current user, delete user)

Via our Intelligent Hub (Agent)

  • Enforce Encryption
  • Firewall
  • Firmware Password
  • VMware Fusion
  • Microsoft Outlook
  • Notifications
  • Custom Attributes

How can I deliver 3rd party apps like MS Office, Adobe Creative Suite etc.? VMware use the open source “Munki” framework for that.

Workspace ONE Assist (formerly known as Advanced Remote Management)

There is also an add-on called Workspace ONE Assist which enables you to remotely access and troubleshoot a device. 

At the moment of writing WS1 Assist only supports iOS, Android, Windows Mobile and Windows 10 devices, but the support for macOS is coming until the end of this year (2019). 

Via the WS1 Admin Console WS1 Assist let’s you to capture images and videos of the remote device and you can view and export audit logs of the sessions and even manage files and folders on the Windows 10 remote device for example.

Final Words

If you would like to get a TestDrive access for Workspace ONE Express or Workspace ONE UEM, don’t hesitate to contact your partner or VMware account executive.

If you are a partner and would like to sell Workspace ONE, VMware has a MSP (Managed Service Provider) model for you! In this case contact your VCPP representative.

And I hope that you found valuable information here to better decide which Workspace ONE edition is the right one for you! 🙂

VMware Horizon – Raspberry Pi 4 with Stratodesk NoTouch OS

After I wrote the article “Raspberry Pi 4 – The Ultimate Thin Client?” I have been asked on Twitter to write about the Raspi in combination with Stratodesk’s NoTouch OS. I have no hands-on experience with this operating system, but am currently helping a partner who is doing a proof of concept with a customer. The customer uses AMD-based thin clients for their tests and one important criteron is Skype for Business. As you maybe know from my previous article, Skype for Business (SfB) is not running with the Horizon Client on TLXOS. The supported Horizon Client features include Blast Extreme, USB redirection, and H.264 decoding.

And I think I know now why. It’s not the Horizon Client on TLXOS, but the Raspi’s CPU architecture. In the VMware Docs for the Horizon Client for Linux 5.1 (most recent at the time of writing) it’s clearly stated that:

Real-Time Audio-Video is supported on x86 and x64 devices. This feature is not supported on ARM processors. The client system must meet the following minimum hardware requirements.

So, if I want to test all features of the Horizon Client, then I have to use my Intel NUC Skull Canyon. I’m still going to test the user experience with NoTouch OS, but the RTAV with SfB is off the table with this device.

Horizon Test Environment

I’m going to use VMware’s TestDrive to access a vGPU enabled Windows 10 desktop from the EMEA region. Such a Windows 10 1709 desktop is equipped with a Xeon Gold 6140 CPU and a Nvidia Tesla V100 card.

Raspberry Pi 4 Setup

There is no special manual needed to set up a Raspberry Pi. Just unbox and install it in a case, if you ordered one. Here are some general instructions: https://projects.raspberrypi.org/en/projects/raspberry-pi-setting-up

Install NoTouch OS on the Raspberry Pi 4

Format the SD card because TLXOS is installed. On Windows open the “Disk Management” tool to delete the volumes on the SD card.

After the deletion it should look like this.

Register for a free trial to download the  installer “Stratodesk-NoTouchOS-DiskImage-2.40.5587-EEs-k419-armhf-190808.zip – NoTouch OS – Standard Edition k419 (Raspberry Pi 3 and 4) – Disk Image Installer”

Uncompress the ZIP archive

Double-click on “FlashSDcard.cmd” and check in the appearing “Win32 Disk Imager” that the drive letter points to your SD card (in my case “F”). When you are sure click “Write” and wait for the operation to complete.

After the write has been successful, remove the SD card and put it into the Raspberry Pi. Boot and let’s see.

Wizard Step 1 – Location and Keyboard

Wizard Step 2 – Create a connection (for Horizon View)

Wizard Step 3 – Admin Password and EULA

Wizard – Configuration stored and Horizon Destop icon appears.

After a reboot, try to connect to your Horizon environment by double-clicking the icon on the desktop.

Works fine – my TestDrive desktop appears

I wanted quickly to test audio and video, but the video was very laggy and no audio at all. I couldn’t find a way, same with TLXOS, to minimize the Horizon session to get back to my NoTouch desktop. After checking the Blast settings in the Horizon Client I could see, that the H.264 decoding is not allowed by default.

Before we connect back to the desktop we need to fix the audio problem as well. In the start menu you can access the system configuration where you have to enter a password first.

After access the “Audio” settings I had to change the “Standard audio device” to “Analog” and allow the other settings marked with “On” now.

Tried to save the config change but this resulted in an error. I decided to reboot the OS.

Checked the settings again – yes, they were saved. Finally, I could move on to the first test with YouTube.

Testing

 

1) User Experience with YouTube

As a first test I’m using the same Avengers 4K trailer on YouTube.

AVENGERS 4 ENDGAME: 8 Minute Trailers (4K ULTRA HD) NEW 2019: https://www.youtube.com/watch?v=FVFPRstvlvk

Result: Video good, audio unusable

2) TestDrive – Nvidia Faceworks

Result: Good performance (same like TLXOS)

3) TestDrive – eDrawings Racecar Animation

Result: Good performance (same like TLXOS)

4) TestDrive – Nvidia “A New Dawn”

Result: Video animation good, audio unusable

5) FishGL

Result: Good performance (same like TLXOS)

NoTouch OS – VMware Horizon Audio Problems

The good thing about the NoTouch OS is, that it gives you more configuration and diagnostic options. And one of them is  “play test sound”:

This tells us that the problem only exists in the Horizon VDI session. What happens if I change my analog speakers to USB and test it again?

Result: Good performance (same like TLXOS)

NoTouch OS – Configuration Options for the Horizon View

I have to admit that Stratodesk’s NoTouch OS is way more mature than a TLXOS. With TLXOS I had the feeling that the configuration options are very limited and the big advantage there was, that you could only configure one application or connection. Meaning you could only use Horizon or a web browser for example.

With NoTouch OS this is really different. You can configure Horizon, Citrix, RDP, Chromium etc. and place all the icons on the desktop or in the start menu.

Maybe I was not familiar enough with TLXOS or it’s not very intuitive, but the NoTouch OS gives me a rich set of options to configure the Horizon Client or my Horizon session.

Conclusion

Compared to the TLXOS I have to admit that Stratodesk’s NoTouch OS is the better option. You have way more options to configure the thin client (the operating system in the end) and the Horizon Client. In addition to that you are also allowed to configure more than one application or connection, which is limited to only one with ThinLinx (TLXOS).

And according to a current customer, who is performing a Horizon PoC, the management software from Stratodesk is also awesome.

If you look for an enterprise-ready operating system for thin clients, then NoTouch OS is the better choice for sure. I can confirm that Stratodesk is correctly installing our Horizon Client for Linux in their image including all the necessary libraries and dependencies!

The only thing which you have to keep in mind is the limited feature set with a Raspberry Pi. Skype for Business with the optimized mode currently is not supported. This means you have to go with a thin client which is based on a Intel or AMD-based CPU architecture.

Raspberry Pi 4 – The Ultimate Thin Client?

Everyone is talking about the new Raspberry Pi 4 and ask themselves if it’s the new ultimate and cheap thin client. So far, I haven’t seen any customer here in Switzerland using a Pi with VMware Horizon. And to be honest, I have no hands-on experience with Raspberry Pis yet and want to know if someone in pre-sales like me easily could order, install, configure and use it as a thin client. My questions were:

  • How much would it cost me in CHF to have a nice thin client?
  • What kind of operating system (OS) is or needs to be installed?
  • Is this OS supported for the VMware Horizon Client?
  • If not, do I need to get something like the Stratodesk NoTouch OS?
  • If yes, how easy is it to install the Horizon Client for Linux?
  • How would the user experience be for a normal office worker?
  • Is it possible to use graphics and play YouTube videos?

First, let’s check what I ordered on pi-shop.ch:

  • Raspberry Pi 4 Model B/4GB – CHF 62.90
  • KKSB Raspberry Pi 4 Case – CHF 22.90
  • 32GB MicroSD Card (Class10) – CHF 16.90
  • Micro-HDMI to Standard HDMI (A/M) 1m cable – CHF 10.90
  • Power: Official Power Supply 15W – CHF 19.40
  • Keyboard/Mouse: Already available in my home lab

Total cost in CHF: 133.00

Raspberry Pi 4 Model B Specs

I ordered the Raspberry Pi 4 Model B/4GB with the following hardware specifications:

  • CPU – Broadcom BCM2711, quad-core Cortex-A72 (ARM v8) 64-bit SoC @ 1.5GHz
  • RAM – 4GB LPDDR4
  • WLAN – 2.4 GHz and 5.0 GHz IEEE 802.11b/g/n/ac wireless
  • Gigabit Ethernet
  • USB – 2x USB 3.0, 2x USB 2.0
  • Video – 2 × micro HDMI ports (up to 4Kp60 supported)
  • Multimedia – H.265 (4Kp60 decode), H.264 (1080p60 decode, 1080p30 encode)

With this powerful hardware I expect no problems and would assume that even playing videos and using graphics is not an issue. But let’s figure that out later.

Horizon Client for Linux

The support for the Raspberry Pi came with Horizon Client 4.6 for Linux:

Horizon Client for Linux now supports the Raspberry Pi 3 Model B devices that are installed with ThinLinx Operating System (TLXOS) or Stratodesk NoTouch Operating System. The supported Horizon Client features include Blast Extreme, USB redirection, and H.264 decoding.

And the current Horizon Client 5.1 still only mentions the support for Raspberry Pi 3 with the same supported feature set:

Horizon Client for Linux 5.1 is supported on Raspberry Pi 3 Model B devices that are installed with ThinLinx Operating System (TLXOS) or Stratodesk NoTouch Operating System. The supported Horizon Client features include Blast Extreme, USB redirection, and H.264 decoding.

Hm, nothing has changed so far. During the time of writing this article I’ll try to figure out if the official support for a Pi 4 is coming soon and why ThinLinX is the only supported OS so far. Because I saw on Twitter and on the Forbes website that people are waiting for Ubuntu MATE for their Raspis

And I found a tweet from August 6, 2019, from the ThinLinX account with the following information:

ThinLinX has just released TLXOS 4.7.0 for the Raspberry Pi 4 with dual screen support. The same image runs on the entire Raspberry Pi range from the RPi2 onward TLXOS 4.7.0 supports VMware Horizon Blast, Citrix HDX, RDP/RemoteFX, Digital Signage and IoT

Raspberry Pi and Horizon Client 4.6 for Linux

The next question came up – are there already any people around who tested the ThinLinX OS with a Raspberry Pi 3/4?

Probably a few people tried it already, but only one guy from UK so far blogged about this combination on his blog vMustard.

He wrote a guide about how to install TLXOS and the TMS management software, the configuration of TLXOS and how the Horizon Client for Linux needs to be installed. For sure his information helps me to get started.

Horizon Test Environment

I’m going to use VMware’s TestDrive to access a vGPU enabled Windows 10 desktop from the EMEA region. Such a Windows 10 1709 desktop is equipped with a Xeon Gold 6140 CPU and a Nvidia Tesla V100 card. I tried to get a card from Nvidia to perform the tests in my home lab, but they already gave away all the cards they had. So, the test in my home lab has to wait for a few weeks or months. 🙂 

Workspace ONE UEM and TLXOS

And when I finally have installed TLXOS and can connect to a Horizon desktop, would it be possible to install Intelligent Hub and enroll the device in my Workspace ONE UEM sandbox environment? Is this also possible and supported?

Checking our VMware Docs and the Workspace ONE UEM product documentation the following information can be found:

The flexibility of the Linux operating system makes it a preferred platform for a wide range of uses, including notebooks, Raspberry Pi devices, and other IoT-capable devices. With Workspace ONE UEM, you can build on the flexibility and ubiquity of Linux devices and integrate them with your other mobile platforms in a central location for mobile device management.

Hm, would my new thin client be supported or not? The only requirements mentioned, are:

  • You can enroll devices running any version and any configuration of Linux running on either x86_64 or ARM7 architecture into Workspace ONE UEM
  • You can enroll Linux devices in any Workspace ONE UEM version from 1903 onward
  • You must deploy the Workspace ONE Intelligent Hub for Linux v1.0

As you can see above the new Raspberry Pi 4 is based on ARM8. I asked our product management if the RPi4 and TLXOS is supported and received the following answer:

As for WS1 UEM support for Linux, we do support ARM and won’t have a problem running on a Pi4, but we are still early stages for the product

As the Linux management capabilities with Workspace ONE UEM are very limited, I’m going to wait another four to six months to perform some tests. But TLXOS is anyway coming with its on management software. And customers would probably prefer another Linux Distribution like Ubuntu MATE.

Raspberry Pi 4 Setup

There is no special manual needed to set up a Raspberry Pi. Just unbox and install it in a case, if you ordered one. Here are some general instructions: https://projects.raspberrypi.org/en/projects/raspberry-pi-setting-up

Install ThinLinX OS on the Raspberry Pi 4

Download the most recent installer for ThinLinX OS (TLXOS) for a Raspberry Pi: http://thinlinx.com/download/

1_TLXOS_RaspberryPi4_SDcard_Installer

Insert your microSD card into your PC and launch the “TLXOS Raspberry Pi SD Card Installer” (in my case tlxos_rpi-4.7.0.exe” and press “Yes” if you are prepared to write the image to the SD card.

3_TLXOS 4.7.0 for Raspberry Pi (v2 and v3)

After the image extraction a “Win32 Disk Imager” window will appear. Make sure the to choose the correct drive letter for the SD card (in my case “G”). Click “Write”

4_Win32_Disk_Imager

If everything went fine you should get a notification that the write was successful.

5_TLXOS-Complete

Now put the SD card into the Pi, connect the USB-C power cable, mirco-HDMI cable, keyboard and mouse.

And then let’s see if the Pi can boot from the SD card.

5_TLXOS-Complete

It seems that the TLXOS just booted up fine and that we have “30 Day Free Trial” included.

8_TLXOS_30d_FreeTrial

A few minutes later TLXOS was writing something to the disk and did a reboot. The Chromium browser appears. This means we don’t need to install the TMS for our tests, except you would like to test the management of a TLXOS device.

I couldn’t find any menu on TLXOS, so I closed the browser and got access to a menu where I apparently can configure stuff.

10_Chromium_closed_menu_appears

Install Horizon Client for Linux on TLXOS

After I clicked on “Configure” before I browsed through the tabs (Application) and found the option to configure the Horizon Client. It seems that the client is included now in TLXOS which was not the case in the past. Nice! 

11_TLXOS_Configure_VMwareBlast

Note:

When a TLXOS device boots, if configured correctly it will automatically connect to a Remote
Server using the specified connection Mode. Up to 16 different connection Modes can be
configured

I just entered the “Server” before and clicked on “Save Settings” which opened the Horizon Client automatically where I just have to enter my username and password (because I didn’t configure “Auto Login” before).

Voila, my vGPU powered Windows 10 desktop from VMware TestDrive appeared.

As first step I opened the VMware Horizon Performance Tracker and the Remote Desktop Analyzer (RD Analyzer) which both confirmed that the active encoder is “NVIDIA NvEnc H264“. This means that the non-CPU encoding (H.264) on the server and the H.264 decoding on TLXOS with the Horizon Client (with Blast) should work fine.

To confirm this, I logged out from the desktop and checked the Horizon Client settings. Yes, H.264 decoding was allowed (default).

15_TLXOS_HorizonClient_H264_allowed

After disallowing the H.264 decoding I could see the difference in the Horizon Performance Tracker.

The active encoder changed to “adaptive”. Let’s allow H.264 again for my tests!

Testing

 

1) User Experience with YouTube

As a first test the user experience with the Raspberry Pi 4 as a thin client and to check how the H.264 decoding performs I decided to watch this trailer:

AVENGERS 4 ENDGAME: 8 Minute Trailers (4K ULTRA HD) NEW 2019: https://www.youtube.com/watch?v=FVFPRstvlvk

I had to compress the video to be able to upload and embed it here. Important to see is that I was watching the 4K trailer in full screen mode and the video and audio were not choppy, but smooth I would say! I had around 21 to 23 fps. But that’s very impressive, isn’t it?

For the next few tests I’m going to use what TestDrive offers me:

2) TestDrive – Nvidia Faceworks

3) TestDrive – eDrawings Racecar Animation

4) TestDrive – Nvidia “A New Dawn”

5) TestDrive – Google Earth

6) FishGL

Conclusion

Well, what are the important criteria which a thin client needs to fullfil? Is it

  • (Very) small form factor
  • Management software – easy to manage
  • Secure (Patching/Updating, Two Factor Authentication, Smartcard Authentication)
  • Longevity – future proof
  • Enough ports for peripherals (e.g. Dualview Support)
  • Low price
  • Low power consumption

It always depends on the use cases, right? If Unified Communications is important to you or your customer, then you need to go with the Stratodesk’s NoTouch OS or have to buy another device and use a different OS. But if you are looking for a good and cheap device like the Raspberry Pi 4, then multimedia, (ultra) HD video streaming and office applications use cases are no problem.

My opinion? There are a lot of use cases for these small devices. Not only in end-user computing, but it’s easy for me to say that the Raspi has a bright future!

With the current TLXOS and the supported Horizon Client features so far I wouldn’t call this setup “enterprise ready” because the installation of TLXOS needs to be done manually except you can get it pre-installed on a SD card? Most customers rely on Unified Communications today and are using Skype for Business and other collaboration tools which is not possible yet according to the Horizon Client release notes. But as soon as the Horizon Client (for Linux) in TLXOS gets more features, the Raspberry Pi is going to take some pieces of the cake and the current thin client market has to live in fear. 😀

The biggest plus of a Raspberry Pi as a thin client is definitely the very small form factor combined with the available ports and the cheap money (TLXOS license not included). You can connect two high resolution monitors, a network cable, keyboard, mouse and a headset without any problem. If you buy the Pi in bulk as customer then I claim that the price is very, very hard to beat. And if a Pi has a hardware defect then plug the SD card into another Pi and your user can work again within a few minutes. If VESA mount is mandatory for you then buy a VESA case. By the way, this is my KKSB case:

What is missing in the end? Some Horizon Client features and the manual initial OS deployment method maybe. I imagine that IT teams of smaller and medium-sized companies could be very interested in a solution like this, because a Raspberry Pi 4 as a thin client already ROCKS!

    Horizon and Workspace ONE Architecture for 250k Users Part 1

    Disclaimer: This article is based on my own thoughts and experience and may not reflect a real-world design for a Horizon/Workspace ONE architecture of this size. The blog series focuses only on the Horizon or Workspace ONE infrastructure part and does not consider other criteria like CPU/RAM usage, IOPS, amount of applications, use cases and so on. Please contact your partner or VMware’s Professional Services Organization (PSO) for a consulting engagement.

    To my knowledge there is no Horizon implementation of this size at the moment of writing. This topic, the architecture and the necessary amount of VMs in the data center, was always important to me since I moved from Citrix Consulting to a VMware pre-sales role. I always asked myself how VMware Horizon scales when there are more than only 10’000 users.

    250’000 users are the current maximum for VMware Horizon 7.8 and the goal is to figure out how many Horizon infrastructure servers like Connection Servers, App Volumes Managers (AVM), vCenter servers and Unified Access Gateway (UAG) appliances are needed and how many pods should be configured and federated with the Cloud Pod Architecture (CPA) feature.

    I will create my own architecture, meaning that I use the sizing and recommendation guides and design a Horizon 7 environment based on my current knowledge, experience and assumption.

    After that I’ll feed the Digital Workspace Designer tool with the necessary information and let this tool create an architecture, which I then compare with my design.

    Scenario

    This is the scenario I defined and will use for the sizing:  

    Users: 250’000
    Data Centers: 1 (to keep it simple)
    Internal Users: 248’000
    Remote Users: 2’000
    Concurrency Internal Users: 80% (198’400 users)
    Concurrency Remote Users: 50% (1’000 users)

    Horizon Sizing Limits & Recommendations

    This article is based on the current release of VMware Horizon 7 with the following sizing limits and recommendations:

    Horizon version: 7.8
    Max. number of active sessions in a Cloud Pod Architecture pod federation: 250’000
    Active connections per pod: 10’000 VMs max for VDI (8’000 tested for instant clones)
    Max. number of Connection Servers per pod: 7
    Active sessions per Connection Server: 2’000
    Max. number of VMs per vCenter: 10’000
    Max. connections per UAG: 2’000 

    The Digital Workspace Designer lists the following Horizon Maximums:

     

    Horizon Maximums Digital Workspace Designer

    Please read my short article if you are not familiar with the Horizon Block and Pod Architecture.

    Note: The App Volumes sizing limits and recommendations have been updated recently and don’t follow this rule of thumb anymore that an App Volumes Manager only can handle 1’000 sessions. The new recommendations are based on “concurrent logins per second” login rate:

    New App Volumes Limits Recommendations

     

    Architecture Comparison VDI

    Please find below my decisions and the one made by the Digital Workspace Designer (DWD) tool:

    Horizon ItemMy DecisionDWD ToolNotes
    Number of Users (concurrent)199'400199'400
    Number of Pods required2020
    Number of Desktop Blocks (one per vCenter)100100
    Number of Management Blocks (one per pod)2020
    Connection Servers required100100
    App Volumes Manager Servers802024+1 AVMs for every 2,500 users
    vRealize Operations for Horizonn/a22I have no experience with vROps sizing
    Unified Access Gateway required22
    vCenter servers (to manage clusters)20100Since Horizon 7.7 there is support for spanning vCenters across multiple pods (bound to the limits of vCenter)

    Architecture Comparison RDSH

    Please find below my decisions* and the one made by the Digital Workspace Designer (DWD) tool:

    Horizon ItemMy DecisionDWD ToolNotes
    Number of Users (concurrent)199'400199'400
    Number of Pods required2020
    Number of Desktop Blocks (one per vCenter)20401 block per pod since we are limited by 10k sessions per pod, but only have 333 RDSH per pod
    Number of Management Blocks (one per pod)2020
    Connection Servers required100100
    App Volumes Manager Servers142024+1 AVMs for every 2,500 users/logins (in this case RDSH VMs (6'647 RDSH totally))
    vRealize Operations for Horizonn/a22I have no experience with vROps sizing
    Unified Access Gateway required22
    vCenter servers (to manage resource clusters)440Since Horizon 7.7 there is support for spanning vCenters across multiple pods (bound to the limits of vCenter)

    *Max. 30 users per RDSH

    Conclusion

    VDI

    You can see in the table for VDI that I have different numbers for “App Volumes Manager Servers” and “vCenter servers (to manage clusters)”. For the amount of AVM servers I have used the new recommendations which you already saw above. Before Horizon 7.7 the block and pod architecture consisted of one vCenter server per block:

    Horizon Pod vCenter tradtitional

    That’s why, I assume, the DWD recommends 100 vCenter servers for the resource cluster. In my case I would only use 20 vCenter servers (yes, it increases the failure domain), because Horizon 7.7 and above allows to span one vCenter across multiple pods while respecting the limit of 10’000 VMs per vCenter. So, my assumption is here, even the image below is not showing it, that it should be possible and supported to use one vCenter server per pod:

    Horizon Pod Single vCenter

    RDSH

    If you consult the reference architecture and the recommendation for VMware Horizon you could think that one important information is missing:

    The details for a correct sizing and the required architecture for RDSH!

    We know that each Horizon pod could handle 10’000 sessions which are 10’000 VDI desktops (VMs) if you use VDI. But for RDSH we need less VMs – in this case only 6’647.

    So, the number of pods is not changing because of the limitation “sessions per pod”. But there is no official limitation when it comes to resource blocks per pod and having one connection server for every 2’000 VMs or sessions for VDI, to minimize the impact of a resource block failure. This is not needed here I think. Otherwise you would bloat up the needed Horizon infrastructure servers and this increases operational and maintenance efforts, which obviously also increases the costs.

    But, where are the 40 resource blocks of the DWD tool coming from? Is it because the recommendation is to have at least two blocks per pod to minimize the impact of a resource block failure? If yes, then it would make sense, because in my calculation you would have 9’971 RDSH users sessions per pod/block and with the DWD calculation only 4’986 (half) per resource block.

    *Update 28/07/2019*
    I have been informed by Graeme Gordon from technical marketing that the 40 resources blocks and vCenters are coming from here:

    App Volumes vCenters per Pod

    I didn’t see that because I expect that we can go higher if it’s a RDSH-only implementation.

    App Volumes and RDSH

    The biggest difference when we compare the needed architecture for VDI and RDSH is the number of recommended App Volumes Manager servers. Because “concurrent logins at a one per second login rate” for the AVM sizing was not clear to me I asked our technical marketing for clarification and received the following answer:

    With RDSH we assign AppStacks to the computer objects rather than to the user. This means the AppStack attachment and filter drive virtualization process happends when the VM is booted. There is still a bit of activity when a user authenticates to the RDS host (assignment validation), but it’s considerably less than the attachment process for a typical VDI user assignment.

    Because of this difference, the 1/second/AVM doesn’t really apply for RDSH only implementations.

    With this background I’m doing the math with 6’647 logins and neglect the assignment validation activity and this brings me to a number of 4 AVMs only to serve the 6’647 RDS hosts.

    Disclaimer

    Please be reminded again that these are only calculations to get an idea how many servers/VMs of each Horizon component are needed for a 250k user (~200k CCU) installation. I didn’t consider any disaster recovery requirements and this means that the calculation I have made recommend the least amount of servers required for a VDI- or RDSH-based Horizon implementation.

    Workspace ONE UEM – Data Security, Data Privacy and Data Collection

    A lot of businesses are getting more and more interested in a Unified Endpoint Management solution like Workspace ONE UEM. While EMM is pretty clear to everyone, UEM is far away from this status. During the meetings with customers about Workspace ONE there are often concerns about “cloud” and the data which is being sent to the cloud.

    Since this information about data privacy, data security or data collection regarding Workspace ONE is not easy to gather, I decided to make this information available here.

    This topic is very important, because more businesses are open now to talk about cloud and hybrid solutions like Workspace ONE where the management backend is managed by VMware and only a few components need to be installed on-premises in your own data center:

    Workspace ONE UEM SaaS Architecture

    With the release of Workspace ONE UEM 1904 VMware started to publish “SaaS only releases“. Before this announcement an on-premises customer would get the on-prem installers three to four weeks after a new SaaS release has been made available. That’s why it’s clear that a lot more customers are having the same questions and requests when it comes to a cloud-based solution.

    Of course, as we strive to bring you more cloud services at a faster pace, we will continue to add value with innovations in both our On-Premises and cloud offerings.

    As a result, we are making a change to how we deliver Workspace ONE UEM beginning with Workspace ONE UEM Console 1904, which will be SaaS only release.

    Which data are collected from users and devices? Who has access to this data?

    • By default, the solution only collects information necessary to manage the device, such as the device status, compliance information, OS, etc.; our solution may collect (if configured by administrator) or users may input data considered to be sensitive
    • The solution collects a limited personal data which includes user first and last name, username, email address, and phone number for user activation and management. These fields can be encrypted at rest in the solution database (AES 256). Customers may collect additional data points in the following matrix (as configured by the customer administrator): https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/1904/UEM_Managing_Devices/GUID-AWT-DATA-COLLECT-MATRIX.html
      • VMware automatically collects certain information when you use or access Online Properties (“VMware websites, online advertisements or marketing emails “) or mobile apps. This information does not necessarily reveal your identity directly but may include information about the specific device you are using, such as the hardware model, operating system version, web-browser software (such as Firefox, Safari, or Internet Explorer) and your Internet Protocol (IP) address/MAC address/device identifier. We also automatically collect and store certain information in server logs such as: statistics on your activities on the Online Properties or mobile apps; information about how you came to and used the Online Property or mobile app; your IP address; device type and unique device identification numbers, device event information (such as crashes, system activity and hardware settings, browser type, browser language, the date and time of your request and referral URL), broad geographic location (e.g. country or city-level location) and other technical data collected through cookies, pixel tags and other similar technologies that uniquely identify your browser. Please refer to the VMware Privacy Notice for additional information.
    • VMware manages access to the SaaS environment while customers manage administrative and end-user access through the solution console
      • Access to the SaaS environment is technically enforced according to role, the principle of least privileges and separation of duties
      • Customers manage access entitlements for administrative and end users
    • VMware defines customer data related to the solution and/or hosted service in the VMware Data Processing Addendum
    • Data Sub-Processors can be found here

    Is it possible to prevent data collection of specific information?

    • Customer administrators use granular controls to configure what data is collected from users and what collected data is viewable by admins within the Workspace ONE console. Use granular role-based access controls to restrict the depth of device management information and features available to each administrative console user.
    • For Workspace ONE UEM configure Collect and Display, Collect Do Not Display, and Do Not Collect settings for user data:
      • GPS Data
      • Carrier/Country Code
      • Roaming Status
      • Cellular Data Usage
      • Call Usage
      • SMS Usage
      • Device Phone Number
      • Personal Application
      • Unmanaged Profiles
      • Public IP Address
    • Customer administrators can choose whether to display or to do not display the following user information:
      https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/1904/UEM_Managing_Devices/GUID-AWT-CONFIGUREPRIVACYSETTINGS.html
      • First Name
      • Last Name
      • Phone Number
      • Email Accounts
      • Username

     Is the data in the cloud encrypted?

    • Yes – Certificate private keys, client cookie data and tokens are encrypted in the solution database with a derived AES 256-bit symmetric encryption with an IV.
      • Customers can enable encryption at rest for user first name, last name, email and phone number
      • We do not store AD/LDAP passwords in our database
    • VMware Content Locker, VMware Boxer and VMware AirWatch App Wrapping solutions use AES 256-bit encryption to secure data on mobile devices
    • Data between the web console (management console and Self Service Portal) and device is encrypted using HTTPS and is not decrypted at any point along the path
      • VMware leverages a 2048-bit key in the SaaS environment
      • An application server controls communication between the web console and the database to limit the potential for malicious actions through SQL injection or invalid input: No direct calls are made to the database
    • All sensitive interactions between AirWatch nodes (AirWatch hosting servers and the VMware Enterprise Systems Connector), between VMware AirWatch Agent and the AirWatch solution are accomplished using message level encryption. For these message level interactions, the AirWatch Cloud uses 2048-bit RSA asymmetric key encryption using digital certificates.
    • We encrypt AD/LDAP credentials on the device via AES 256-bit and store them in the device keychain (internal memory)

    I hope this short article helps everyone to get the information they require for a Workspace ONE UEM SaaS project. I shared the same information with several customers from different businesses and so far all legal departments accepted the statements and moved forward with their project with Workspace ONE UEM. 🙂

    Horizon on VMC on AWS Basics

    VMC on AWS

    In Switzerland where VMware has a lot of smaller to medium sized companies, the demand for a  cloud solution is increasing. The customers are not yet ready to put all their servers and data into to the cloud, so they go for a hybrid cloud strategy.

    And now it makes even more sense and got easier since VMware’s offering VMware Cloud on AWS (VMC on AWS) exists. This service, powered by VMware Cloud Foundation (VCF), brings VMware’s SDDC stack to the AWS cloud and runs the compute, storage and network products (vSphere, vSAN, NSX) on dedicated bare-metal AWS hardware. 

    VMC on AWS

    If you would like to try this offering you have the option for a Single Host SDDC which is the time-bound starter configuration and comes with the limitation of 30 days. After 30 days your Single Host SDDC will be deleted and all data will be lost as well. If you plan to scale up into a 3-host SDDC you retain all your data and you SDDC is not time bound anymore.

    Availability

    This pretty new service is already available in 13 global regions and already had 200+ released features since its launch. VMC on AWS is available almost everywhere – in US and Asia Pacific for example – and in Europe you find the service hosted in Frankfurt, London, Paris and Ireland. 

    Use Cases

    It’s not hard to guess what the use cases are for a service like this. If you are building up a new IT infrastructure, don’t want to have your own data center and purchase any server, then you might want to consider VMC on AWS. Another project could be to expand your market into a new geography and extend your footprint into the cloud based on a VMware-consistent and enterprise-grade environment in the AWS cloud.

    A few customers are also finding a new way to easily deliver business continuity with VMware Site Recovery and take advantage of VMC on AWS which delivers a robust Disaster Recovery as a Service (DRaaS) possibility.

    Another reason could be that your on-premises data center is in danger because of bad weather and you want to migrate all your workloads to another region.

    Or you just want to quickly build a dev/test environment or do a PoC of a specific solution or application (e.g. VMware Horizon).

    Elastic DRS

    In my opinion EDRS is one of best reasons to go for VMC on AWS. EDRS allows you to get the capacity you need in minutes to meet temporary or unplanned demand. You have the possibility to scale-out and scale-in depending on the generated recommendation.

    A scale-out recommendation is generated when any of CPU, memory, or storage utilization remains consistently above thresholds. For example, if storage utilization goes above 75% but memory and CPU utilization remain below their respective thresholds, a scale-out recommendation is generated.

     

     A scale-in recommendation is generated when CPU, memory, and storage utilization all remain consistently below thresholds.

    This is interesting if your dekstop pool is creating more instant clones and the defined value of RAM for example is above the threshold. But there is also a safety check included in the algorithm, which runs every 5 minutes, to provide time to the cluster to cool off with changes. 

    If you check the EDRS settings you have the option for the “Best Performance” or “Lowest Cost” policy. More information can be found here.

    Horizon on VMC on AWS

    For customers who are already familiar with a Horizon 7 on-premises deployment, Horizon on VMC on AWS lets you leverage the same architecture and the familiar tools. The only difference now is the vSphere outsourcing.

    Use Cases

    Horizon can be deployed on VMware Cloud on AWS for different scenarios. You could have the same reasons like before – data center expansion or to have a disaster recovery site in the cloud. But the most reason why a customer goes for Horizon on VMC on AWS is flexibility combined with application locality.

    Horizon 7 on VMC on AWS

    There are customers who were operating an on-premises infrastructure for years and suddenly they are open to a cloud infrastructure. Because the SDDC stack in the cloud is the same like in the private cloud the migration can be done very easily. You can even use the same management tools like before.

    Minimum SDDC Size

    The minimum number of hosts required per SDDC on VMware Cloud on AWS for production use is 3 nodes (hosts). For testing purpose, a 1-node SDDC is also available. However, since a single node does not support HA, it’s not recommended for production use.

    Cloud Pod Architecture for Hybrid Cloud

    If you are familiar with the pod and block architecture you can start to create your architecture design. This hasn’t changed for the offering on VMC on AWS but there is a slight difference:

    • Each pod consists of a single SDDC
    • Each SDDC only has a single vCenter server
    • A Horizon pod consists of a single block Horizon7Pod on VMC on AWS

    Each SDDC only has one compute gateway which limits the connections to ~2’000 VMs or user sessions. This means that the actual limit per pod on VMC on AWS is ~2’000 sessions as well. When the number of compute gateways per SDDC can be increased, Horizon 7 on VMC on AWS will definitely have a comparable scalability with the on-premises installation.

    You can deploy a hybrid cloud environment when you use the Cloud Pod Architecture to interconnect your on-premises and Horizon pods on VMC on AWS. You can also stretch CPA across pods in two or more VMware Cloud on AWS data centers with the same flexibility to entitle your users to one or multiple pods as desired.

    Supported Features

    The deployment of Horizon 7 on VMC on AWS started with Horizon 7.5 but there was no feature parity at this time. With the release of Horizon 7.7 and App Volumes 2.15 we finally had the requested feature parity. This means since Horizon 7.7 we can use Instant Clones, App Volumes and UEM. At the time of writing the vGPU feature is not available yet but VMware is working with Amazon on it. With the release of Horizon 7.8 a pool with VMware Cloud on AWS is now capable of using multiple network segments, allowing you to use less pools and/or smaller scopes. Please consult this KB for the currently supported features. 

    Use AWS Native Services

    When you set up the Horizon 7 environment in VMware Cloud on AWS you have to install and configure the following components:

    • Active Directory
    • DNS 
    • Horizon Connection Servers
    • DHCP
    • etc.

    If you are deploying Horizon 7 in a hybrid cloud environment by linking the on-premises pod with the
    VMC on AWS pod, you must prepare the on-premises Microsoft Active Directory (AD) to access
    the AD on VMware Cloud on AWS.

    My recommendation: Use the AWS native services if possible 🙂

    AWS Directory Services

    AWS Managed Microsoft AD is built on actual Microsoft Active Directory and does not require you to synchronize or replicate data from your existing Active Directory to the cloud. You can use standard Active Directory administration tools and take advantage of built-in Active Directory features, such as Group Policy and single sign-on (SSO).

    Amazon Relational Database Service

    Amazon RDS is available on several database instance types – optimized for memory, performance or I/O – and provides you with six familiar database engines to choose from, including Amazon Aurora, PostgreSQL, MySQL, MariaDB, Oracle Database, and SQL Server. You can use the AWS Database Migration Service to easily migrate or replicate your existing databases to Amazon RDS.

    This service allows you to quickly setup a SQL Express (not recommended for production) or regular SQL Server which can be used for the Horizon Event DB or App Volumes. 

    Amazon FSx for Windows File Server

    Amazon FSx for Windows File Server provides a fully managed native Microsoft Windows file system so you can easily move your Windows-based applications that require file storage to AWS. Built on Windows Server, Amazon FSx provides shared file storage with the compatibility and features that your Windows-based applications rely on, including full support for the SMB protocol and Windows NTFS, Active Directory (AD) integration, and Distributed File System (DFS).

    At the time of writing I have to mention that the FSx service has not yet officially been tested and qualified for User Environment Manager (UEM), but that’s no problem. Technically it’s working totally fine.

    Amazon Route 53

    The connectivity to data centers in the cloud can be a challenge. You need to manage the external namespace to give users access to their desktop in the cloud (or on-prem). For a multi-site architecture the solution is always Global Server Load Balancing (GSLB), but how is this done when you cannot install your physical appliance anymore (in your VMC on AWS SDDC)?

    The answer is easy: Leverage Amazon Route 53!

    Amazon Route 53 effectively connects user requests to infrastructure running in AWS – such as Amazon EC2 instances, Elastic Load Balancing load balancers, or Amazon S3 buckets – and can also be used to route users to infrastructure outside of AWS. You can use Amazon Route 53 to configure DNS health checks to route traffic to healthy endpoints or to independently monitor the health of your application and its endpoints. 

    Check Andrew Morgans blog article if you need more information about Route 53.

    Horizon on VMC on AWS rocks! 🙂

     

    vSAN Basics for a Virtual Desktop Infrastructure with VMware Horizon

    As an EUC architect you need fundamental knowledge about VMware’s SDDC stack and this time I would like to share some more basics about VMware vSAN for VMware Horizon.

    In part 5 of my VCAP7-DTM Design exam series I already posted some YouTube videos about vSAN in case you prefer videos instead of reading. To further proof my vSAN knowledge I decided to take the vSAN Specialist exam which focuses on the version 6.6.

    To extend my vSAN skills and to prep myself for this certification I have bought the VMware vSAN 6.7 U1 Deep Dive book which is available on Amazon.

    vSAN 6.7 U1 Deep Dive

    vSAN Basics – Facts and Requirements

    Out in the field not every EUC guy has enough sic knowledge about vSAN and I want to provide some facts about this technology here. This is no article about all the background information and detailed stuff you can do with vSAN, but it should help you to get a basic understanding. If you need more details about vSAN I highly recommend the vSAN 6.7 U1 Deep Dive book and the content available on storagehub.vmware.com.

    • The vSAN cluster requires at least one flash device and capacity device (magnetic or flash)
    • A minimum of three hosts is required except you go for a two-node configuration (requires a witness appliance)
    • Each host participating in the vSAN cluster requires a vSAN enabled VMkernel port
    • Hybrid configurations require a minimum of one 1GbE NIC, 10GbE is recommended by VMware
    • All-Flash configurations require a minimum of one 10GbE NIC
    • vSAN can use RAID-1 (mirroring) and RAID5-/6 (erasure coding) for the VM storage policies
    • RAID-1 is used for performance reasons, erasure coding is used for capacity reasons
    • Disk groups require one flash device for the cache tier and one or more flash/magnetic device for the capacity tier
    • There can be only one cache device per disk group
    • Hybrid configuration – The SSD cache is used for read and write (70/30)
    • All-Flash configuration – The SSD cache is used 100% as a write cache
    • Since version 6.6 there is no multicast requirement anymore
    • vSAN supports IPv4 and IPv6
    • vSphere HA needs to be disabled before vSAN can be enabled and configured
    • The raw capacity of a vSAN datastore is calculated by the number of capacity devices multiplied by the number of ESXi hosts (e.g. 5 x 2TB x 6 hosts = 60 TB raw)
    • Deduplication and compression are only available in all-flash configurations
    • vSAN stores VM data in objects (VM home, swap, VMDK, snapshots)
    • The witness does not store any VM specific data, only metadata
    • vSAN provides data at rest encryption which is a cluster-wide feature
    • vSAN integrates with CBRC (host memory read cache) which is mostly used for VMware Horizon
    • By default, the default VM storage policy is assigned to a VM
    • Each stretched cluster must have its own witness host (no additional vSAN license needed)
    • Fault domains are mostly described with the term “rack awareness”

    vSAN for VMware Horizon

    The following information can be found in the VMware Docs for Horizon:

    When you use vSAN, Horizon 7 defines virtual machine storage requirements, such as capacity, performance, and availability, in the form of default storage policy profiles, which you can modify. Storage is provisioned and automatically configured according to the assigned policies. The default policies that are created during desktop pool creation depend on the type of pool you create.

    This means that Horizon will create storage policies when a desktop pool get created. To get more information I will provision a floating Windows 10 instant clone desktop pool. Before I’m doing that, let’s have a look first at the policies which will appear in vCenter depending on the pool type:

    Since I’m going to create a floating instant clone desktop pool I assume that I should see some the storage policies marked in yellow. 

    Instant Clones

    First of all we need to take a quick look again at instant clones. I only cover instant clones since it’s the recommended provisioning method by VMware. As you can learn from this VMware blog post, you can maissvely reduce the time for a desktop to be provisioned (compared to View Composer Linked Clones).

    VMware Instant Clones

    The big advantage of the instant clone technology (vmFork) is the in-memory cloning technique of a running parent VM.

    The following table summarizes the types of VMs used or created during the instant-cloning process:

    Instant Cloning VMs
    Source: VMWARE HORIZON 7 INSTANT-CLONE DESKTOPS AND RDSH SERVERS 

    Horizon Default Storage Policies

    To add a desktop pool I have created my master image first and took a snapshot of it. In my case the VM is called “dummyVM_blog” and has the “vSAN Default Storage Policy” assigned.

    How does it go from here when I create the floating Windows 10 instant clone desktop pool?

    Instant Clone Technology

    The second step in the process is where the instant-clone engine uses the master VM snapshot to create one template VM. This template VM is linked to the master VM. My template VM automatically got the following storage policy assigned:

    The third step is where the replica VM gets created with the usage of the template VM. The replica VM is a thinprovisioned full clone of the internal template VM. The replica VM shares a read disk with the instantclone VMs after they are created. I only have the vSAN datastore available and one replica VM is created per datastore. The replica VM automatically got the following storage policy assigned:

    The fourth step involves the snapshot of the replica VM which is used to create one running parent VM per ESXi host per datastore. The parent VM automatically got the following storage policies assigned:

    After, the running parent VM is used to create the instant clone, but the instant clone will be linked to the replica VM and not the running parent VM. This means a parent VM can be deleted without affecting the instant clone. The instant clone automatically got the following storage policies assigned:

    And the complete stack of VMs with the two-node vSAN cluster in my home lab, without any further datastores, looks like this:

    vCenter Resource Pool 

    Now we know the workflow from a master VM to the instant clone and which default storage policies got created and assigned by VMware Horizon. We only know from the VMware Docs that FTT=1 and one stripe per object is configured and that there isn’t any difference except for the name. I checked all storage policies in the GUI again and indeed they are all exactly the same. Note this:

    Once these policies are created for the virtual machines, they will never be changed by Horizon 7

    Even I didn’t use linked clones with a persistent disk the storage policy PERSISTENT_DISK_<guid> gets created. With instant clones there is no option for a persistent disk yet (you have to use App Volumes with writable volumes), but I think that this will come in the future for instant clones and then we also don’t need View Composer anymore. 🙂

    App Volumes Caveat

    Don’t forget this caveat for App Volumes when using a vSAN stretched cluster.