VMware’s Tanzu Kubernetes Grid

Dec 12, 2019 | cloud native apps, ESXi, networking, project pacific, tanzu, vsan

Since the announcement of Tanzu and Project Pacific at VMworld US 2019 a lot happened and people want to know more what VMware is doing with Kubernetes. This article is a summary about the past announcements in the cloud native space. As you already may know at this point, when we talk about Kubernetes, VMware made very important acquisitions regarding this open-source project.

VMware Kubernetes Acquisitions

It all started with the acquisition of Heptio, a leader in the open Kubernetes ecosystem. With two of the creators of Kubernetes (K8s), namely Joe Beda and Craig McLuckie, Heptio should help to drive the cloud native technologies within VMware forward and help customers and the open source community to accelerate the enterprise adoption of K8s on-premises and in multi-cloud environments.

The second important milestone was in May 2019, where the intent to acquire Bitnami, a leader in application packaging solutions for Kubernetes environments, has been made public. At VMworld US 2019 VMware announced Project Galleon to bring Bitnami capabilities to the enterprise to offer customized application stacks to their developers.

One week before VMworld US 2019 the third milestone has been communicated, the agreement to acquire Pivotal. The solutions from Pivotal have helped customers learn how to adopt modern techniques to build and run software and they are the provider of the most popular developer framework for Java, Spring and Spring Boot.

On the 26th August 2019, VMware gave those strategic acquisitions the name VMware Tanzu. Tanzu should help customers to BUILD modern applications, RUN Kubernetes consistently in any cloud and MANAGE all Kubernetes environments from a single point of control (single console).

VMware Tanzu

Tanzu Mission Control (Tanzu MC) is the cornerstone of the Tanzu portfolio and should help to relieve the problems we have or going to have with a lof of Kubernetes clusters (fragmentation) within organizations. Multiple teams in the same company are creating and deploying applications on their own K8s clusters – on-premises or in any cloud (e.g. AWS, Azure or GCP). There are many valid reasons why different teams choose different clouds for different applications, but is causing fragmentation and management overhead because you are faced with different management consoles and silo’d infrastructures. And what about visibility into app/cluster health, cost, security requirements, IAM, networking policies and so on? Tanzu MC let customers manage all their K8s clusters across vSphere, VMware PKS, public cloud, managed services or even DIY – from a single console.

Tanzu Mission Control

It lets you provision K8s clusters in any environment and configure policies which establish guardrails. Those guardrails are configured by IT operations and they will apply policies for access, security, backup or quotas.

Tanzu Mission Control

As you can see, Mission Control has a lot of capabilities. If you look at the last two images you can see that you not only can create clusters directly from Tanzu MC, but also have the ability to attach existing K8s clusters. This can be done by installing an agent in the remote K8s cluster, which then provides a secure connection back to Tanzu MC.

We focused on the BUILD and MANAGE layers now. Let’s take a look at the RUN layer which should help us to run Kubernetes consistently across clouds. Without consistency across cloud environments (this includes on-prem) enterprises will struggle to manage their hundred or even thousands of modern apps. It’s just getting too complex.

VMware’s goal in general is to abstract complexity and to make your life easier and for this case VMware has announced the so-called Tanzu Kubernetes Grid (TKG) to provide us a common Kubernetes distribution across all the different environments.

Tanzu Kubernetes Grid

In my understanding TKG means VMware’s Kubernetes distribution, will include Project Pacific as soon as it’s GA and is based on three principles:

  • Open Source Kubernetes – tested and secured
  • Cluster Lifecycle management – fully integrated
  • 24x7 support

Meaning, that TKG is based on open source technologies, packaged for enterprises and supported by VMware’s Global Support Services (GSS). Based on these facts we can say, that today your Kubernetes journey with VMware starts with VMware PKS. PKS is the way we deliver the principles of Tanzu today – across vSphere, VCF, VMC on AWS, public clouds and edge.

Project Pacific

Project Pacific, which has been announced at VMworld US 2019 as well, is a complement to VMware PKS and will be available in a future release. If you are not familiar with Pacific yet, then read the introduction of Project Pacific. Otherwise, it’s sufficient to say, that Project Pacific means the re-architecture of vSphere to natively integrate Kubernetes. There is no nesting or any kind of it and it’s not Kubernetes in vSphere. It’s more like vSphere on top of Kubernetes since the idea of this project is to use Kubernetes to steer vSphere.

Project Pacific

Pacific will embed Kubernetes into the control plane of vSphere and converge VMs and containers on the same underlying platform. This will give the IT operators the possibility to see and manage Kubernetes from the vSphere client and provide developers the interfaces and tools they are already familiar with.

Project Pacific Console

If you are interested in the Project Pacific Beta Program, you’ll find all information here.

I would have access to download the vSphere build which includes Project Pacific, but I haven’t got time at the moment and my home lab is also not ready yet. We hear customers asking about the requirements for Pacific. If you watch all the different recordings from the VMworld sessions about Project Pacific and the Supervisor Cluster, then we could predict, that only NSX-T is a prerequisite to deploy and enable Project Pacific. This slide shows why NSX-T is part of Pacific:

Project Pacific Supervisor ClusterFrom this slide (from session HBI1452BE) we learn that a load balancer built on NSX Edge is sitting in front of the three K8s Control Plane VMs and that we’ll find a Distributed Load Balancer spanned across all hosts to enable the pod-to-pod or east-west communication.

Nobody of the speakers ever mentioned vSAN as a requirement and I also doubt that vSAN is going to be a prerequisite for Pacific.

You may ask yourself now which Kubernetes version will be shipped with ESXi and how you upgrade your K8s distribution? And what about if this setup with Pacific is too “static” for you? Well, for the Supervisor Clusters VMware releases patches with vSphere and you apply them with the known tools like VUM. For your own built K8s clusters, or if you need to deploy Guest Clusters, then the upgrades are easy as well. You just have to download the new distribution and specify the new version/distribution in the (Guest Cluster Manager) YAML file.

Conclusion

We hear rumors that Pacific will be shipped with the upcoming vSphere 7.0 release, which even should include NSX-T 3.0. For now we don’t know when Pacific will be shipped with vSphere and if it really will be included with the next major version. I would be impressed if that would be the case, because you need a stable hypervisor version, then a new NSX-T version is also coming into play and in the end Pacific relies on these stable components. Our experience has shown that the first release normally is never perfect and stable and that we need to wait for the next cycle or quarter. With that in mind I would say that Pacific could be GA in Q3 2020 or Q4 2020. And beside that the beta program for Project Pacific just has started!

Nevertheless I think that Pacific and the whole Kubernetes Grid from VMware will help customers to run their (modern) apps on any Kubernetes infrastructure. We just need to be aware that there are some limitations when K8s is embedded in the hypervisor, but for these use cases we can deploy Guest Clusters anyway.

In my opinion Tanzu and Pacific alone don’t make “the” big difference. It’s getting more interesting if you talk about multi-cloud management with vRA 8.0 (or vRA Cloud), use Tanzu MC for the management of all your K8s clusters, networking with NSX-T (and NSX Cloud), create a container host with a container image (via vRA’s Service Broker) for AI- and ML-based workloads and provide the GPU over the network with Bitfusion.

Bitfusion Architecture

Looking forward to such conversations! 😀

Introduction to Workspace ONE Express and Express+

Introduction to Workspace ONE Express and Express+

Oct 18, 2019 | emm, workspaceone, workspaceone uem

With the release of Workspace ONE UEM 1907 AirWatch Express has been renamed to Workspace ONE Express and a few months later we announced Workspace ONE Express+ which is the result of a partnership with Dell.

Workspace ONE Express (WS1 Express) is a SaaS-only solution which is perfectly made for startups and the small- and mid-market in general. It is a simple mobile device management (MDM) solution designed to get your mobile devices up and running quickly without requiring extensive knowledge or an on-premises infrastructure.

The main features are the configuration of WiFi, apps, e-mail and security – basic MDM. WS1 Express requires a minimum of 10 devices and can be used for up to 500 devices, whereas the regular Workspace ONE UEM editions require at least 25 devices/users and have an unlimited licensing scale.

So, which edition is the right one for you? It depends on your types of mobile devices, use cases and requirements.

If you are a small company for example with 50 iOS and Android devices and would like to configure the native e-mail client, WiFi access, deploy some apps and set a passcode, then the Workspace ONE Express is the edition you are looking for.

If you are a company with around 250 users and would like to manage your macOS and Windows 10 clients, then we have to take a closer look what your requirements are.

IMPORTANT: WS1 Express has some policies for macOS, but Windows 10 can only be managed with Workspace ONE Express+ !

This means that you have to go for the Workspace ONE UEM Standard edition, if you need an acceptable feature set for these operating systems.

What is the big difference between Workspace ONE Express and Workspace ONE UEM Standard?

As just mentioned before, the biggest difference is the limited feature set of WS1 Express and that you cannot configure payloads, but have to use the “blueprint setup”.

WS1Express-Blueprints_Create

Upon the initial login, a step-by-step wizard will help and guide you through the process of configuring WS1 and your devices.

WS1Express-Getting Started _Setup

During the creation of a blueprint you can select the policies for each operating system and you quickly realize that Workspace ONE Express is really offers basic MDM capabilities.

WS1Express-Blueprints_Policies

Apple DEP and Android Zero-Touch Enrollment are fully supported with the Express edition.

Can you start with Express and upgrade later to Standard or Advanced? Yes, you can! This is the great thing about Workspace ONE. If your company is small and would like to start small, then choose Express. If your company, the employee number and your requirements grow, upgrade to a regular Workspace ONE UEM Edition like Standard or Advanced. That’s the most recent Workspace ONE Edition Comparison Guide about Express, Express+ and Standard:

Workspace ONE Standard for macOS and Windows 10 Management

I doubt that a customer would start with Express if they have macOS and Windows clients. Even smaller companies have probably 80% of the same requirements when it comes to macOS and Windows 10 modern management.

But which features and configurations do we support with Workspace ONE Standard for Windows 10 management? Please find here an unofficial listing of the supported features:

OS Lifecycle

  • OOBE and Factory Provisioning (Device Onboarding)
  • Co-Management with SCCM and Workspace ONE AirLift
  • MDM profiles (passcode, WiFi, restrictions etc.)
  • OS Updates via WSUS or Windows Updates for Business

App Lifecycle

Security

  • Device Restrictions
  • Remote and Enterprise Wipe
  • GPS Tracking
  • DLP (Windows Information Protection, AppLocker)
  • AV and Firewall (Windows Defender, 3rd party AV deployment, Windows Firewall)
  • Conditional Access Management
  • Enforce BitLocker Encryption

WS1_MDM_capabilities

That is a lot you can do already with our Standard edition, right? What are the reasons that you would need the next higher Workspace ONE Advanced edition? Most probably if you need one or more features like:

  • Application Delivery and Application Lifecycle (win32 – MSI, EXE, MST, MSP, PS1, BAT, ZIP)
  • Peer-to-Peer Distribution (WS1 uses Windows BranchCache feature!)
  • Advanced BitLocker Encryption Management (key rotation, maintenance windows etc.)
  • Per-App VPN Tunneling with VMware Tunnel

What are our capabilities when it comes to macOS management? Well, also here our approach is to have a modern imageless management over the air from the same management console. We support new devices with DEP and Bootstrap Enrollment, but give existing users and devices the choice of a web-based or staged enrollment.

WS1_MDM_macOS

Please find here an unofficial listing of the supported features and configuration for macOS payloads which are included in Workspace ONE Standard.

Via MDM interface

  • Passcode
  • Network
  • VPN
  • Certificates
  • SCEP
  • Dock
  • Restrictions
  • Parental Controls
  • Directory Binding
  • Security & Privacy
  • Disk Encryption
  • Login Items
  • Login Window
  • Time Machine
  • Finder
  • Printing
  • Content Filter
  • Device & Enterprise Wipe
  • Token Enrollment
  • User Management (unlock user account, logout current user, delete user)

Via our Intelligent Hub (Agent)

  • Enforce Encryption
  • Firewall
  • Firmware Password
  • VMware Fusion
  • Microsoft Outlook
  • Notifications
  • Custom Attributes

How can I deliver 3rd party apps like MS Office, Adobe Creative Suite etc.? We use the open source “Munki” framework for that.

Workspace ONE Assist (formerly known as Advanced Remote Management)

We also have an add-on called Workspace ONE Assist which enables you to remotely access and troubleshoot a device. 

At the moment of writing WS1 Assist only supports iOS, Android, Windows Mobile and Windows 10 devices, but the support for macOS is coming until the end of this year (2019). 

Via the WS1 Admin Console WS1 Assist let’s you to capture images and videos of the remote device and you can view and export audit logs of the sessions and even manage files and folders on the Windows 10 remote device for example.

Final Words

If you would like to get a TestDrive access for Workspace ONE Express or Workspace ONE UEM, don’t hesitate to contact your partner or VMware account executive.

If you are a partner and would like to sell Workspace ONE, we also have a MSP (Managed Service Provider) model for you! In this case contact your VCPP representative.

And I hope that you found valuable information here to better decide which Workspace ONE edition is the right one for you! 🙂

VMware Horizon – Raspberry Pi 4 with Stratodesk NoTouch OS

Aug 27, 2019 | homelab, horizon, thinclient

After I wrote the article “Raspberry Pi 4 – The Ultimate Thin Client?” I have been asked on Twitter to write about the Raspi in combination with Stratodesk’s NoTouch OS. I have no hands-on experience with this operating system, but am currently helping a partner who is doing a proof of concept with a customer. The customer uses AMD-based thin clients for their tests and one important criteron is Skype for Business. As you maybe know from my previous article, Skype for Business (SfB) is not running with the Horizon Client on TLXOS. The supported Horizon Client features include Blast Extreme, USB redirection, and H.264 decoding.

And I think I know now why. It’s not the Horizon Client on TLXOS, but the Raspi’s CPU architecture. In the VMware Docs for the Horizon Client for Linux 5.1 (most recent at the time of writing) it’s clearly stated that:

Real-Time Audio-Video is supported on x86 and x64 devices. This feature is not supported on ARM processors. The client system must meet the following minimum hardware requirements.

So, if I want to test all features of the Horizon Client, then I have to use my Intel NUC Skull Canyon. I’m still going to test the user experience with NoTouch OS, but the RTAV with SfB is off the table with this device.

Horizon Test Environment

I’m going to use VMware’s TestDrive to access a vGPU enabled Windows 10 desktop from the EMEA region. Such a Windows 10 1709 desktop is equipped with a Xeon Gold 6140 CPU and a Nvidia Tesla V100 card.

Raspberry Pi 4 Setup

There is no special manual needed to set up a Raspberry Pi. Just unbox and install it in a case, if you ordered one. Here are some general instructions: https://projects.raspberrypi.org/en/projects/raspberry-pi-setting-up

Install NoTouch OS on the Raspberry Pi 4

Format the SD card because TLXOS is installed. On Windows open the “Disk Management” tool to delete the volumes on the SD card.

After the deletion it should look like this.

Register for a free trial to download the  installer “Stratodesk-NoTouchOS-DiskImage-2.40.5587-EEs-k419-armhf-190808.zip – NoTouch OS – Standard Edition k419 (Raspberry Pi 3 and 4) – Disk Image Installer”

Uncompress the ZIP archive

Double-click on “FlashSDcard.cmd” and check in the appearing “Win32 Disk Imager” that the drive letter points to your SD card (in my case “F”). When you are sure click “Write” and wait for the operation to complete.

After the write has been successful, remove the SD card and put it into the Raspberry Pi. Boot and let’s see.

Wizard Step 1 – Location and Keyboard

Wizard Step 2 – Create a connection (for Horizon View)

Wizard Step 3 – Admin Password and EULA

Wizard – Configuration stored and Horizon Destop icon appears.

After a reboot, try to connect to your Horizon environment by double-clicking the icon on the desktop.

Works fine – my TestDrive desktop appears

I wanted quickly to test audio and video, but the video was very laggy and no audio at all. I couldn’t find a way, same with TLXOS, to minimize the Horizon session to get back to my NoTouch desktop. After checking the Blast settings in the Horizon Client I could see, that the H.264 decoding is not allowed by default.

Before we connect back to the desktop we need to fix the audio problem as well. In the start menu you can access the system configuration where you have to enter a password first.

After access the “Audio” settings I had to change the “Standard audio device” to “Analog” and allow the other settings marked with “On” now.

Tried to save the config change but this resulted in an error. I decided to reboot the OS.

Checked the settings again – yes, they were saved. Finally, I could move on to the first test with YouTube.

Testing

 

1) User Experience with YouTube

As a first test I’m using the same Avengers 4K trailer on YouTube.

AVENGERS 4 ENDGAME: 8 Minute Trailers (4K ULTRA HD) NEW 2019: https://www.youtube.com/watch?v=FVFPRstvlvk

Result: Video good, audio unusable

2) TestDrive – Nvidia Faceworks

Result: Good performance (same like TLXOS)

3) TestDrive – eDrawings Racecar Animation

Result: Good performance (same like TLXOS)

4) TestDrive – Nvidia “A New Dawn”

Result: Video animation good, audio unusable

5) FishGL

Result: Good performance (same like TLXOS)

NoTouch OS – VMware Horizon Audio Problems

The good thing about the NoTouch OS is, that it gives you more configuration and diagnostic options. And one of them is  “play test sound”:

This tells us that the problem only exists in the Horizon VDI session. What happens if I change my analog speakers to USB and test it again?

Result: Good performance (same like TLXOS)

NoTouch OS – Configuration Options for the Horizon View

I have to admit that Stratodesk’s NoTouch OS is way more mature than a TLXOS. With TLXOS I had the feeling that the configuration options are very limited and the big advantage there was, that you could only configure one application or connection. Meaning you could only use Horizon or a web browser for example.

With NoTouch OS this is really different. You can configure Horizon, Citrix, RDP, Chromium etc. and place all the icons on the desktop or in the start menu.

Maybe I was not familiar enough with TLXOS or it’s not very intuitive, but the NoTouch OS gives me a rich set of options to configure the Horizon Client or my Horizon session.

Conclusion

Compared to the TLXOS I have to admit that Stratodesk’s NoTouch OS is the better option. You have way more options to configure the thin client (the operating system in the end) and the Horizon Client. In addition to that you are also allowed to configure more than one application or connection, which is limited to only one with ThinLinx (TLXOS).

And according to a current customer, who is performing a Horizon PoC, the management software from Stratodesk is also awesome.

If you look for an enterprise-ready operating system for thin clients, then NoTouch OS is the better choice for sure. I can confirm that Stratodesk is correctly installing our Horizon Client for Linux in their image including all the necessary libraries and dependencies!

The only thing which you have to keep in mind is the limited feature set with a Raspberry Pi. Skype for Business with the optimized mode currently is not supported. This means you have to go with a thin client which is based on a Intel or AMD-based CPU architecture.

Raspberry Pi 4 – The Ultimate Thin Client?

Aug 15, 2019 | homelab, horizon, thinclient, workspaceone uem

Everyone is talking about the new Raspberry Pi 4 and ask themselves if it’s the new ultimate and cheap thin client. So far, I haven’t seen any customer here in Switzerland using a Pi with VMware Horizon. And to be honest, I have no hands-on experience with Raspberry Pis yet and want to know if someone in pre-sales like me easily could order, install, configure and use it as a thin client. My questions were:

  • How much would it cost me in CHF to have a nice thin client?
  • What kind of operating system (OS) is or needs to be installed?
  • Is this OS supported for the VMware Horizon Client?
  • If not, do I need to get something like the Stratodesk NoTouch OS?
  • If yes, how easy is it to install the Horizon Client for Linux?
  • How would the user experience be for a normal office worker?
  • Is it possible to use graphics and play YouTube videos?

First, let’s check what I ordered on pi-shop.ch:

  • Raspberry Pi 4 Model B/4GB – CHF 62.90
  • KKSB Raspberry Pi 4 Case – CHF 22.90
  • 32GB MicroSD Card (Class10) – CHF 16.90
  • Micro-HDMI to Standard HDMI (A/M) 1m cable – CHF 10.90
  • Power: Official Power Supply 15W – CHF 19.40
  • Keyboard/Mouse: Already available in my home lab

Total cost in CHF: 133.00

Raspberry Pi 4 Model B Specs

I ordered the Raspberry Pi 4 Model B/4GB with the following hardware specifications:

  • CPU – Broadcom BCM2711, quad-core Cortex-A72 (ARM v8) 64-bit SoC @ 1.5GHz
  • RAM – 4GB LPDDR4
  • WLAN – 2.4 GHz and 5.0 GHz IEEE 802.11b/g/n/ac wireless
  • Gigabit Ethernet
  • USB – 2x USB 3.0, 2x USB 2.0
  • Video – 2 × micro HDMI ports (up to 4Kp60 supported)
  • Multimedia – H.265 (4Kp60 decode), H.264 (1080p60 decode, 1080p30 encode)

With this powerful hardware I expect no problems and would assume that even playing videos and using graphics is not an issue. But let’s figure that out later.

Horizon Client for Linux

The support for the Raspberry Pi came with Horizon Client 4.6 for Linux:

Horizon Client for Linux now supports the Raspberry Pi 3 Model B devices that are installed with ThinLinx Operating System (TLXOS) or Stratodesk NoTouch Operating System. The supported Horizon Client features include Blast Extreme, USB redirection, and H.264 decoding.

And the current Horizon Client 5.1 still only mentions the support for Raspberry Pi 3 with the same supported feature set:

Horizon Client for Linux 5.1 is supported on Raspberry Pi 3 Model B devices that are installed with ThinLinx Operating System (TLXOS) or Stratodesk NoTouch Operating System. The supported Horizon Client features include Blast Extreme, USB redirection, and H.264 decoding.

Hm, nothing has changed so far. During the time of writing this article I’ll try to figure out if the official support for a Pi 4 is coming soon and why ThinLinX is the only supported OS so far. Because I saw on Twitter and on the Forbes website that people are waiting for Ubuntu MATE for their Raspis

And I found a tweet from August 6, 2019, from the ThinLinX account with the following information:

ThinLinX has just released TLXOS 4.7.0 for the Raspberry Pi 4 with dual screen support. The same image runs on the entire Raspberry Pi range from the RPi2 onward TLXOS 4.7.0 supports VMware Horizon Blast, Citrix HDX, RDP/RemoteFX, Digital Signage and IoT

Raspberry Pi and Horizon Client 4.6 for Linux

The next question came up – are there already any people around who tested the ThinLinX OS with a Raspberry Pi 3/4?

Probably a few people tried it already, but only one guy from UK so far blogged about this combination on his blog vMustard.

He wrote a guide about how to install TLXOS and the TMS management software, the configuration of TLXOS and how the Horizon Client for Linux needs to be installed. For sure his information helps me to get started.

Horizon Test Environment

I’m going to use VMware’s TestDrive to access a vGPU enabled Windows 10 desktop from the EMEA region. Such a Windows 10 1709 desktop is equipped with a Xeon Gold 6140 CPU and a Nvidia Tesla V100 card. I tried to get a card from Nvidia to perform the tests in my home lab, but they already gave away all the cards they had. So, the test in my home lab has to wait for a few weeks or months. 🙂 

Workspace ONE UEM and TLXOS

And when I finally have installed TLXOS and can connect to a Horizon desktop, would it be possible to install Intelligent Hub and enroll the device in my Workspace ONE UEM sandbox environment? Is this also possible and supported?

Checking our VMware Docs and the Workspace ONE UEM product documentation the following information can be found:

The flexibility of the Linux operating system makes it a preferred platform for a wide range of uses, including notebooks, Raspberry Pi devices, and other IoT-capable devices. With Workspace ONE UEM, you can build on the flexibility and ubiquity of Linux devices and integrate them with your other mobile platforms in a central location for mobile device management.

Hm, would my new thin client be supported or not? The only requirements mentioned, are:

  • You can enroll devices running any version and any configuration of Linux running on either x86_64 or ARM7 architecture into Workspace ONE UEM
  • You can enroll Linux devices in any Workspace ONE UEM version from 1903 onward
  • You must deploy the Workspace ONE Intelligent Hub for Linux v1.0

As you can see above the new Raspberry Pi 4 is based on ARM8. I asked our product management if the RPi4 and TLXOS is supported and received the following answer:

As for WS1 UEM support for Linux, we do support ARM and won’t have a problem running on a Pi4, but we are still early stages for the product

As the Linux management capabilities with Workspace ONE UEM are very limited, I’m going to wait another four to six months to perform some tests. But TLXOS is anyway coming with its on management software. And customers would probably prefer another Linux Distribution like Ubuntu MATE.

Raspberry Pi 4 Setup

There is no special manual needed to set up a Raspberry Pi. Just unbox and install it in a case, if you ordered one. Here are some general instructions: https://projects.raspberrypi.org/en/projects/raspberry-pi-setting-up

Install ThinLinX OS on the Raspberry Pi 4

Download the most recent installer for ThinLinX OS (TLXOS) for a Raspberry Pi: http://thinlinx.com/download/

1_TLXOS_RaspberryPi4_SDcard_Installer

Insert your microSD card into your PC and launch the “TLXOS Raspberry Pi SD Card Installer” (in my case tlxos_rpi-4.7.0.exe” and press “Yes” if you are prepared to write the image to the SD card.

3_TLXOS 4.7.0 for Raspberry Pi (v2 and v3)

After the image extraction a “Win32 Disk Imager” window will appear. Make sure the to choose the correct drive letter for the SD card (in my case “G”). Click “Write”

4_Win32_Disk_Imager

If everything went fine you should get a notification that the write was successful.

5_TLXOS-Complete

Now put the SD card into the Pi, connect the USB-C power cable, mirco-HDMI cable, keyboard and mouse.

And then let’s see if the Pi can boot from the SD card.

5_TLXOS-Complete

It seems that the TLXOS just booted up fine and that we have “30 Day Free Trial” included.

8_TLXOS_30d_FreeTrial

A few minutes later TLXOS was writing something to the disk and did a reboot. The Chromium browser appears. This means we don’t need to install the TMS for our tests, except you would like to test the management of a TLXOS device.

I couldn’t find any menu on TLXOS, so I closed the browser and got access to a menu where I apparently can configure stuff.

10_Chromium_closed_menu_appears

Install Horizon Client for Linux on TLXOS

After I clicked on “Configure” before I browsed through the tabs (Application) and found the option to configure the Horizon Client. It seems that the client is included now in TLXOS which was not the case in the past. Nice! 

11_TLXOS_Configure_VMwareBlast

Note:

When a TLXOS device boots, if configured correctly it will automatically connect to a Remote
Server using the specified connection Mode. Up to 16 different connection Modes can be
configured

I just entered the “Server” before and clicked on “Save Settings” which opened the Horizon Client automatically where I just have to enter my username and password (because I didn’t configure “Auto Login” before).

Voila, my vGPU powered Windows 10 desktop from VMware TestDrive appeared.

As first step I opened the VMware Horizon Performance Tracker and the Remote Desktop Analyzer (RD Analyzer) which both confirmed that the active encoder is “NVIDIA NvEnc H264“. This means that the non-CPU encoding (H.264) on the server and the H.264 decoding on TLXOS with the Horizon Client (with Blast) should work fine.

To confirm this, I logged out from the desktop and checked the Horizon Client settings. Yes, H.264 decoding was allowed (default).

15_TLXOS_HorizonClient_H264_allowed

After disallowing the H.264 decoding I could see the difference in the Horizon Performance Tracker.

The active encoder changed to “adaptive”. Let’s allow H.264 again for my tests!

Testing

 

1) User Experience with YouTube

As a first test the user experience with the Raspberry Pi 4 as a thin client and to check how the H.264 decoding performs I decided to watch this trailer:

AVENGERS 4 ENDGAME: 8 Minute Trailers (4K ULTRA HD) NEW 2019: https://www.youtube.com/watch?v=FVFPRstvlvk

I had to compress the video to be able to upload and embed it here. Important to see is that I was watching the 4K trailer in full screen mode and the video and audio were not choppy, but smooth I would say! I had around 21 to 23 fps. But that’s very impressive, isn’t it?

For the next few tests I’m going to use what TestDrive offers me:

2) TestDrive – Nvidia Faceworks

3) TestDrive – eDrawings Racecar Animation

4) TestDrive – Nvidia “A New Dawn”

5) TestDrive – Google Earth

6) FishGL

Conclusion

Well, what are the important criteria which a thin client needs to fullfil? Is it

  • (Very) small form factor
  • Management software – easy to manage
  • Secure (Patching/Updating, Two Factor Authentication, Smartcard Authentication)
  • Longevity – future proof
  • Enough ports for peripherals (e.g. Dualview Support)
  • Low price
  • Low power consumption

It always depends on the use cases, right? If Unified Communications is important to you or your customer, then you need to go with the Stratodesk’s NoTouch OS or have to buy another device and use a different OS. But if you are looking for a good and cheap device like the Raspberry Pi 4, then multimedia, (ultra) HD video streaming and office applications use cases are no problem.

My opinion? There are a lot of use cases for these small devices. Not only in end-user computing, but it’s easy for me to say that the Raspi has a bright future!

With the current TLXOS and the supported Horizon Client features so far I wouldn’t call this setup “enterprise ready” because the installation of TLXOS needs to be done manually except you can get it pre-installed on a SD card? Most customers rely on Unified Communications today and are using Skype for Business and other collaboration tools which is not possible yet according to the Horizon Client release notes. But as soon as the Horizon Client (for Linux) in TLXOS gets more features, the Raspberry Pi is going to take some pieces of the cake and the current thin client market has to live in fear. 😀

The biggest plus of a Raspberry Pi as a thin client is definitely the very small form factor combined with the available ports and the cheap money (TLXOS license not included). You can connect two high resolution monitors, a network cable, keyboard, mouse and a headset without any problem. If you buy the Pi in bulk as customer then I claim that the price is very, very hard to beat. And if a Pi has a hardware defect then plug the SD card into another Pi and your user can work again within a few minutes. If VESA mount is mandatory for you then buy a VESA case. By the way, this is my KKSB case:

What is missing in the end? Some Horizon Client features and the manual initial OS deployment method maybe. I imagine that IT teams of smaller and medium-sized companies could be very interested in a solution like this, because a Raspberry Pi 4 as a thin client already ROCKS!

    Horizon and Workspace ONE Architecture for 250k Users Part 1

    May 23, 2019 | appvolumes, cpa, horizon, uem, vsan, vSphere, workspaceone

    Disclaimer: This article is based on my own thoughts and experience and may not reflect a real-world design for a Horizon/Workspace ONE architecture of this size. The blog series focuses only on the Horizon or Workspace ONE infrastructure part and does not consider other criteria like CPU/RAM usage, IOPS, amount of applications, use cases and so on. Please contact your partner or VMware’s Professional Services Organization (PSO) for a consulting engagement.

    To my knowledge there is no Horizon implementation of this size at the moment of writing. This topic, the architecture and the necessary amount of VMs in the data center, was always important to me since I moved from Citrix Consulting to a VMware pre-sales role. I always asked myself how VMware Horizon scales when there are more than only 10’000 users.

    250’000 users are the current maximum for VMware Horizon 7.8 and the goal is to figure out how many Horizon infrastructure servers like Connection Servers, App Volumes Managers (AVM), vCenter servers and Unified Access Gateway (UAG) appliances are needed and how many pods should be configured and federated with the Cloud Pod Architecture (CPA) feature.

    I will create my own architecture, meaning that I use the sizing and recommendation guides and design a Horizon 7 environment based on my current knowledge, experience and assumption.

    After that I’ll feed the Digital Workspace Designer tool with the necessary information and let this tool create an architecture, which I then compare with my design.

    Scenario

    This is the scenario I defined and will use for the sizing:  

    Users: 250’000
    Data Centers: 1 (to keep it simple)
    Internal Users: 248’000
    Remote Users: 2’000
    Concurrency Internal Users: 80% (198’400 users)
    Concurrency Remote Users: 50% (1’000 users)

    Horizon Sizing Limits & Recommendations

    This article is based on the current release of VMware Horizon 7 with the following sizing limits and recommendations:

    Horizon version: 7.8
    Max. number of active sessions in a Cloud Pod Architecture pod federation: 250’000
    Active connections per pod: 10’000 VMs max for VDI (8’000 tested for instant clones)
    Max. number of Connection Servers per pod: 7
    Active sessions per Connection Server: 2’000
    Max. number of VMs per vCenter: 10’000
    Max. connections per UAG: 2’000 

    The Digital Workspace Designer lists the following Horizon Maximums:

     

    Horizon Maximums Digital Workspace Designer

    Please read my short article if you are not familiar with the Horizon Block and Pod Architecture.

    Note: The App Volumes sizing limits and recommendations have been updated recently and don’t follow this rule of thumb anymore that an App Volumes Manager only can handle 1’000 sessions. The new recommendations are based on “concurrent logins per second” login rate:

    New App Volumes Limits Recommendations

     

    Architecture Comparison VDI

    Please find below my decisions and the one made by the Digital Workspace Designer (DWD) tool:

    Horizon ItemMy DecisionDWD ToolNotes
    Number of Users (concurrent)199'400199'400
    Number of Pods required2020
    Number of Desktop Blocks (one per vCenter)100100
    Number of Management Blocks (one per pod)2020
    Connection Servers required100100
    App Volumes Manager Servers802024+1 AVMs for every 2,500 users
    vRealize Operations for Horizonn/a22I have no experience with vROps sizing
    Unified Access Gateway required22
    vCenter servers (to manage clusters)20100Since Horizon 7.7 there is support for spanning vCenters across multiple pods (bound to the limits of vCenter)

    Architecture Comparison RDSH

    Please find below my decisions* and the one made by the Digital Workspace Designer (DWD) tool:

    Horizon ItemMy DecisionDWD ToolNotes
    Number of Users (concurrent)199'400199'400
    Number of Pods required2020
    Number of Desktop Blocks (one per vCenter)20401 block per pod since we are limited by 10k sessions per pod, but only have 333 RDSH per pod
    Number of Management Blocks (one per pod)2020
    Connection Servers required100100
    App Volumes Manager Servers142024+1 AVMs for every 2,500 users/logins (in this case RDSH VMs (6'647 RDSH totally))
    vRealize Operations for Horizonn/a22I have no experience with vROps sizing
    Unified Access Gateway required22
    vCenter servers (to manage resource clusters)440Since Horizon 7.7 there is support for spanning vCenters across multiple pods (bound to the limits of vCenter)

    *Max. 30 users per RDSH

    Conclusion

    VDI

    You can see in the table for VDI that I have different numbers for “App Volumes Manager Servers” and “vCenter servers (to manage clusters)”. For the amount of AVM servers I have used the new recommendations which you already saw above. Before Horizon 7.7 the block and pod architecture consisted of one vCenter server per block:

    Horizon Pod vCenter tradtitional

    That’s why, I assume, the DWD recommends 100 vCenter servers for the resource cluster. In my case I would only use 20 vCenter servers (yes, it increases the failure domain), because Horizon 7.7 and above allows to span one vCenter across multiple pods while respecting the limit of 10’000 VMs per vCenter. So, my assumption is here, even the image below is not showing it, that it should be possible and supported to use one vCenter server per pod:

    Horizon Pod Single vCenter

    RDSH

    If you consult the reference architecture and the recommendation for VMware Horizon you could think that one important information is missing:

    The details for a correct sizing and the required architecture for RDSH!

    We know that each Horizon pod could handle 10’000 sessions which are 10’000 VDI desktops (VMs) if you use VDI. But for RDSH we need less VMs – in this case only 6’647.

    So, the number of pods is not changing because of the limitation “sessions per pod”. But there is no official limitation when it comes to resource blocks per pod and having one connection server for every 2’000 VMs or sessions for VDI, to minimize the impact of a resource block failure. This is not needed here I think. Otherwise you would bloat up the needed Horizon infrastructure servers and this increases operational and maintenance efforts, which obviously also increases the costs.

    But, where are the 40 resource blocks of the DWD tool coming from? Is it because the recommendation is to have at least two blocks per pod to minimize the impact of a resource block failure? If yes, then it would make sense, because in my calculation you would have 9’971 RDSH users sessions per pod/block and with the DWD calculation only 4’986 (half) per resource block.

    *Update 28/07/2019*
    I have been informed by Graeme Gordon from technical marketing that the 40 resources blocks and vCenters are coming from here:

    App Volumes vCenters per Pod

    I didn’t see that because I expect that we can go higher if it’s a RDSH-only implementation.

    App Volumes and RDSH

    The biggest difference when we compare the needed architecture for VDI and RDSH is the number of recommended App Volumes Manager servers. Because “concurrent logins at a one per second login rate” for the AVM sizing was not clear to me I asked our technical marketing for clarification and received the following answer:

    With RDSH we assign AppStacks to the computer objects rather than to the user. This means the AppStack attachment and filter drive virtualization process happends when the VM is booted. There is still a bit of activity when a user authenticates to the RDS host (assignment validation), but it’s considerably less than the attachment process for a typical VDI user assignment.

    Because of this difference, the 1/second/AVM doesn’t really apply for RDSH only implementations.

    With this background I’m doing the math with 6’647 logins and neglect the assignment validation activity and this brings me to a number of 4 AVMs only to serve the 6’647 RDS hosts.

    Disclaimer

    Please be reminded again that these are only calculations to get an idea how many servers/VMs of each Horizon component are needed for a 250k user (~200k CCU) installation. I didn’t consider any disaster recovery requirements and this means that the calculation I have made recommend the least amount of servers required for a VDI- or RDSH-based Horizon implementation.

    Workspace ONE UEM – Data Security, Data Privacy and Data Collection

    May 22, 2019 | aws, emm, workspaceone, workspaceone uem

    A lot of businesses are getting more and more interested in a Unified Endpoint Management solution like Workspace ONE UEM. While EMM is pretty clear to everyone, UEM is far away from this status. During the meetings with customers about Workspace ONE we often hear concerns about “cloud” and the data which is being sent to the cloud.

    Since this information about data privacy, data security or data collection regarding Workspace ONE is not easy to gather, I decided to make this information available here.

    This topic is very important, because more businesses are open now to talk about cloud and hybrid solutions like Workspace ONE where the management backend is managed by VMware and only a few components need to be installed on-premises in your own data center:

    Workspace ONE UEM SaaS Architecture

    With the release of Workspace ONE UEM 1904 VMware started to publish “SaaS only releases“. Before this announcement an on-premises customer would get the on-prem installers three to four weeks after a new SaaS release has been made available. That’s why it’s clear that a lot more customers are having the same questions and requests when it comes to a cloud-based solution.

    Of course, as we strive to bring you more cloud services at a faster pace, we will continue to add value with innovations in both our On-Premises and cloud offerings.

    As a result, we are making a change to how we deliver Workspace ONE UEM beginning with Workspace ONE UEM Console 1904, which will be SaaS only release.

    Which data are collected from users and devices? Who has access to this data?

    • By default, the solution only collects information necessary to manage the device, such as the device status, compliance information, OS, etc.; our solution may collect (if configured by administrator) or users may input data considered to be sensitive
    • The solution collects a limited personal data which includes user first and last name, username, email address, and phone number for user activation and management. These fields can be encrypted at rest in the solution database (AES 256). Customers may collect additional data points in the following matrix (as configured by the customer administrator): https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/1904/UEM_Managing_Devices/GUID-AWT-DATA-COLLECT-MATRIX.html
      • VMware automatically collects certain information when you use or access Online Properties (“VMware websites, online advertisements or marketing emails “) or mobile apps. This information does not necessarily reveal your identity directly but may include information about the specific device you are using, such as the hardware model, operating system version, web-browser software (such as Firefox, Safari, or Internet Explorer) and your Internet Protocol (IP) address/MAC address/device identifier. We also automatically collect and store certain information in server logs such as: statistics on your activities on the Online Properties or mobile apps; information about how you came to and used the Online Property or mobile app; your IP address; device type and unique device identification numbers, device event information (such as crashes, system activity and hardware settings, browser type, browser language, the date and time of your request and referral URL), broad geographic location (e.g. country or city-level location) and other technical data collected through cookies, pixel tags and other similar technologies that uniquely identify your browser. Please refer to the VMware Privacy Notice for additional information.
    • VMware manages access to the SaaS environment while customers manage administrative and end-user access through the solution console
      • Access to the SaaS environment is technically enforced according to role, the principle of least privileges and separation of duties
      • Customers manage access entitlements for administrative and end users
    • VMware defines customer data related to the solution and/or hosted service in the VMware Data Processing Addendum
    • Data Sub-Processors can be found here

    Is it possible to prevent data collection of specific information?

    • Customer administrators use granular controls to configure what data is collected from users and what collected data is viewable by admins within the Workspace ONE console. Use granular role-based access controls to restrict the depth of device management information and features available to each administrative console user.
    • For Workspace ONE UEM configure Collect and Display, Collect Do Not Display, and Do Not Collect settings for user data:
      • GPS Data
      • Carrier/Country Code
      • Roaming Status
      • Cellular Data Usage
      • Call Usage
      • SMS Usage
      • Device Phone Number
      • Personal Application
      • Unmanaged Profiles
      • Public IP Address
    • Customer administrators can choose whether to display or to do not display the following user information:
      https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/1904/UEM_Managing_Devices/GUID-AWT-CONFIGUREPRIVACYSETTINGS.html
      • First Name
      • Last Name
      • Phone Number
      • Email Accounts
      • Username

     Is the data in the cloud encrypted?

    • Yes – Certificate private keys, client cookie data and tokens are encrypted in the solution database with a derived AES 256-bit symmetric encryption with an IV.
      • Customers can enable encryption at rest for user first name, last name, email and phone number
      • We do not store AD/LDAP passwords in our database
    • VMware Content Locker, VMware Boxer and VMware AirWatch App Wrapping solutions use AES 256-bit encryption to secure data on mobile devices
    • Data between the web console (management console and Self Service Portal) and device is encrypted using HTTPS and is not decrypted at any point along the path
      • VMware leverages a 2048-bit key in the SaaS environment
      • An application server controls communication between the web console and the database to limit the potential for malicious actions through SQL injection or invalid input: No direct calls are made to the database
    • All sensitive interactions between AirWatch nodes (AirWatch hosting servers and the VMware Enterprise Systems Connector), between VMware AirWatch Agent and the AirWatch solution are accomplished using message level encryption. For these message level interactions, the AirWatch Cloud uses 2048-bit RSA asymmetric key encryption using digital certificates.
    • We encrypt AD/LDAP credentials on the device via AES 256-bit and store them in the device keychain (internal memory)

    I hope this short article helps everyone to get the information they require for a Workspace ONE UEM SaaS project. I shared the same information with several customers from different businesses and so far all legal departments accepted the statements and moved forward with their project with Workspace ONE UEM. 🙂

    Horizon on VMC on AWS Basics

    Apr 13, 2019 | aws, cpa, horizon, vmc

    VMC on AWS

    In Switzerland where we have a lot of smaller to medium sized companies the demand for a  cloud solution is increasing. The customers are not yet ready to put all their servers and data into to the cloud, so they go for a hybrid cloud strategy.

    And now it makes even more sense and got easier since VMware’s offering VMware Cloud on AWS (VMC on AWS) exists. This service, powered by VMware Cloud Foundation (VCF), brings VMware’s SDDC stack to the AWS cloud and runs the compute, storage and network products (vSphere, vSAN, NSX) on dedicated bare-metal AWS hardware. 

    VMC on AWS

    If you would like to try this offering you have the option for a Single Host SDDC which is the time-bound starter configuration and comes with the limitation of 30 days. After 30 days your Single Host SDDC will be deleted and all data will be lost as well. If you plan to scale up into a 3-host SDDC you retain all your data and you SDDC is not time bound anymore.

    Availability

    This pretty new service is already available in 13 global regions and already had 200+ released features since its launch. VMC on AWS is available almost everywhere – in US and Asia Pacific for example – and in Europe we find the service hosted in Frankfurt, London, Paris and Ireland. 

    Use Cases

    It’s not hard to guess what the use cases are for a service like this. If you are building up a new IT infrastructure, don’t want to have your own data center and purchase any server, then you might want to consider VMC on AWS. Another project could be to expand your market into a new geography and extend your footprint into the cloud based on a VMware-consistent and enterprise-grade environment in the AWS cloud.

    A few customers are also finding a new way to easily deliver business continuity with VMware Site Recovery and take advantage of VMC on AWS which delivers a robust Disaster Recovery as a Service (DRaaS) possibility.

    Another reason could be that your on-premises data center is in danger because of bad weather and you want to migrate all your workloads to another region.

    Or you just want to quickly build a dev/test environment or do a PoC of a specific solution or application (e.g. VMware Horizon).

    Elastic DRS

    In my opinion EDRS is one of best reasons to go for VMC on AWS. EDRS allows you to get the capacity you need in minutes to meet temporary or unplanned demand. You have the possibility to scale-out and scale-in depending on the generated recommendation.

    A scale-out recommendation is generated when any of CPU, memory, or storage utilization remains consistently above thresholds. For example, if storage utilization goes above 75% but memory and CPU utilization remain below their respective thresholds, a scale-out recommendation is generated.

     

     A scale-in recommendation is generated when CPU, memory, and storage utilization all remain consistently below thresholds.

    This is interesting if your dekstop pool is creating more instant clones and the defined value of RAM for example is above the threshold. But there is also a safety check included in the algorithm, which runs every 5 minutes, to provide time to the cluster to cool off with changes. 

    If you check the EDRS settings you have the option for the “Best Performance” or “Lowest Cost” policy. More information can be found here.

    Horizon on VMC on AWS

    For customers who are already familiar with a Horizon 7 on-premises deployment, Horizon on VMC on AWS lets you leverage the same architecture and the familiar tools. The only difference now is the vSphere outsourcing.

    Use Cases

    Horizon can be deployed on VMware Cloud on AWS for different scenarios. You could have the same reasons like before – data center expansion or to have a disaster recovery site in the cloud. But the most reason why a customer goes for Horizon on VMC on AWS is flexibility combined with application locality.

    Horizon 7 on VMC on AWS

    We have customers who were operating an on-premises infrastructure for years and suddenly they are open to a cloud infrastructure. Because the SDDC stack in the cloud is the same like in the private cloud the migration can be done very easily. You can even use the same management tools like before.

    Minimum SDDC Size

    The minimum number of hosts required per SDDC on VMware Cloud on AWS for production use is 3 nodes (hosts). For testing purpose, a 1-node SDDC is also available. However, since a single node does not support HA, it’s not recommended for production use.

    Cloud Pod Architecture for Hybrid Cloud

    If you are familiar with the pod and block architecture you can start to create your architecture design. This hasn’t changed for the offering on VMC on AWS but there is a slight difference:

    • Each pod consists of a single SDDC
    • Each SDDC only has a single vCenter server
    • A Horizon pod consists of a single block Horizon7Pod on VMC on AWS

    Each SDDC only has one compute gateway which limits the connections to ~2’000 VMs or user sessions. This means that the actual limit per pod on VMC on AWS is ~2’000 sessions as well. When the number of compute gateways per SDDC can be increased, Horizon 7 on VMC on AWS will definitely have a comparable scalability with the on-premises installation.

    You can deploy a hybrid cloud environment when you use the Cloud Pod Architecture to interconnect your on-premises and Horizon pods on VMC on AWS. You can also stretch CPA across pods in two or more VMware Cloud on AWS data centers with the same flexibility to entitle your users to one or multiple pods as desired.

    Supported Features

    The deployment of Horizon 7 on VMC on AWS started with Horizon 7.5 but there was no feature parity at this time. With the release of Horizon 7.7 and App Volumes 2.15 we finally had the requested feature parity. This means since Horizon 7.7 we can use Instant Clones, App Volumes and UEM. At the time of writing the vGPU feature is not available yet but VMware is working with Amazon on it. With the release of Horizon 7.8 a pool with VMware Cloud on AWS is now capable of using multiple network segments, allowing you to use less pools and/or smaller scopes. Please consult this KB for the currently supported features. 

    Use AWS Native Services

    When you set up the Horizon 7 environment in VMware Cloud on AWS you have to install and configure the following components:

    • Active Directory
    • DNS 
    • Horizon Connection Servers
    • DHCP
    • etc.

    If you are deploying Horizon 7 in a hybrid cloud environment by linking the on-premises pod with the
    VMC on AWS pod, you must prepare the on-premises Microsoft Active Directory (AD) to access
    the AD on VMware Cloud on AWS.

    My recommendation: Use the AWS native services if possible 🙂

    AWS Directory Services

    AWS Managed Microsoft AD is built on actual Microsoft Active Directory and does not require you to synchronize or replicate data from your existing Active Directory to the cloud. You can use standard Active Directory administration tools and take advantage of built-in Active Directory features, such as Group Policy and single sign-on (SSO).

    Amazon Relational Database Service

    Amazon RDS is available on several database instance types – optimized for memory, performance or I/O – and provides you with six familiar database engines to choose from, including Amazon Aurora, PostgreSQL, MySQL, MariaDB, Oracle Database, and SQL Server. You can use the AWS Database Migration Service to easily migrate or replicate your existing databases to Amazon RDS.

    This service allows you to quickly setup a SQL Express (not recommended for production) or regular SQL Server which can be used for the Horizon Event DB or App Volumes. 

    Amazon FSx for Windows File Server

    Amazon FSx for Windows File Server provides a fully managed native Microsoft Windows file system so you can easily move your Windows-based applications that require file storage to AWS. Built on Windows Server, Amazon FSx provides shared file storage with the compatibility and features that your Windows-based applications rely on, including full support for the SMB protocol and Windows NTFS, Active Directory (AD) integration, and Distributed File System (DFS).

    At the time of writing I have to mention that the FSx service has not yet officially been tested and qualified for User Environment Manager (UEM), but that’s no problem. Technically it’s working totally fine.

    Amazon Route 53

    The connectivity to data centers in the cloud can be a challenge. You need to manage the external namespace to give users access to their desktop in the cloud (or on-prem). For a multi-site architecture the solution is always Global Server Load Balancing (GSLB), but how is this done when you cannot install your physical appliance anymore (in your VMC on AWS SDDC)?

    The answer is easy: Leverage Amazon Route 53!

    Amazon Route 53 effectively connects user requests to infrastructure running in AWS – such as Amazon EC2 instances, Elastic Load Balancing load balancers, or Amazon S3 buckets – and can also be used to route users to infrastructure outside of AWS. You can use Amazon Route 53 to configure DNS health checks to route traffic to healthy endpoints or to independently monitor the health of your application and its endpoints. 

    Check Andrew Morgans blog article if you need more information about Route 53.

    Horizon on VMC on AWS rocks! 🙂

     

    vSAN Basics for a Virtual Desktop Infrastructure with VMware Horizon

    Jan 28, 2019 | ESXi, horizon, vsan, vSphere

    As an EUC architect you need fundamental knowledge about VMware’s SDDC stack and this time I would like to share some more basics about VMware vSAN for VMware Horizon.

    In part 5 of my VCAP7-DTM Design exam series I already posted some YouTube videos about vSAN in case you prefer videos instead of reading. To further proof my vSAN knowledge I decided to take the vSAN Specialist exam which focuses on the version 6.6.

    To extend my vSAN skills and to prep myself for this certification I have bought the VMware vSAN 6.7 U1 Deep Dive book which is available on Amazon.

    vSAN 6.7 U1 Deep Dive

    vSAN Basics – Facts and Requirements

    Out in the field not every EUC guy has enough sic knowledge about vSAN and I want to provide some facts about this technology here. This is no article about all the background information and detailed stuff you can do with vSAN, but it should help you to get a basic understanding. If you need more details about vSAN I highly recommend the vSAN 6.7 U1 Deep Dive book and the content available on storagehub.vmware.com.

    • The vSAN cluster requires at least one flash device and capacity device (magnetic or flash)
    • A minimum of three hosts is required except you go for a two-node configuration (requires a witness appliance)
    • Each host participating in the vSAN cluster requires a vSAN enabled VMkernel port
    • Hybrid configurations require a minimum of one 1GbE NIC, 10GbE is recommended by VMware
    • All-Flash configurations require a minimum of one 10GbE NIC
    • vSAN can use RAID-1 (mirroring) and RAID5-/6 (erasure coding) for the VM storage policies
    • RAID-1 is used for performance reasons, erasure coding is used for capacity reasons
    • Disk groups require one flash device for the cache tier and one or more flash/magnetic device for the capacity tier
    • There can be only one cache device per disk group
    • Hybrid configuration – The SSD cache is used for read and write (70/30)
    • All-Flash configuration – The SSD cache is used 100% as a write cache
    • Since version 6.6 there is no multicast requirement anymore
    • vSAN supports IPv4 and IPv6
    • vSphere HA needs to be disabled before vSAN can be enabled and configured
    • The raw capacity of a vSAN datastore is calculated by the number of capacity devices multiplied by the number of ESXi hosts (e.g. 5 x 2TB x 6 hosts = 60 TB raw)
    • Deduplication and compression are only available in all-flash configurations
    • vSAN stores VM data in objects (VM home, swap, VMDK, snapshots)
    • The witness does not store any VM specific data, only metadata
    • vSAN provides data at rest encryption which is a cluster-wide feature
    • vSAN integrates with CBRC (host memory read cache) which is mostly used for VMware Horizon
    • By default, the default VM storage policy is assigned to a VM
    • Each stretched cluster must have its own witness host (no additional vSAN license needed)
    • Fault domains are mostly described with the term “rack awareness”

    vSAN for VMware Horizon

    The following information can be found in the VMware Docs for Horizon:

    When you use vSAN, Horizon 7 defines virtual machine storage requirements, such as capacity, performance, and availability, in the form of default storage policy profiles, which you can modify. Storage is provisioned and automatically configured according to the assigned policies. The default policies that are created during desktop pool creation depend on the type of pool you create.

    This means that Horizon will create storage policies when a desktop pool get created. To get more information I will provision a floating Windows 10 instant clone desktop pool. Before I’m doing that, let’s have a look first at the policies which will appear in vCenter depending on the pool type:

    Since I’m going to create a floating instant clone desktop pool I assume that I should see some the storage policies marked in yellow. 

    Instant Clones

    First of all we need to take a quick look again at instant clones. I only cover instant clones since it’s the recommended provisioning method by VMware. As we can learn from this VMware blog post, you can maissvely reduce the time for a desktop to be provisioned (compared to View Composer Linked Clones).

    VMware Instant Clones

    The big advantage of the instant clone technology (vmFork) is the in-memory cloning technique of a running parent VM.

    The following table summarizes the types of VMs used or created during the instant-cloning process:

    Instant Cloning VMs
    Source: VMWARE HORIZON 7 INSTANT-CLONE DESKTOPS AND RDSH SERVERS 

    Horizon Default Storage Policies

    To add a desktop pool I have created my master image first and took a snapshot of it. In my case the VM is called “dummyVM_blog” and has the “vSAN Default Storage Policy” assigned.

    How does it go from here when I create the floating Windows 10 instant clone desktop pool?

    Instant Clone Technology

    The second step in the process is where the instant-clone engine uses the master VM snapshot to create one template VM. This template VM is linked to the master VM. My template VM automatically got the following storage policy assigned:

    The third step is where the replica VM gets created with the usage of the template VM. The replica VM is a thinprovisioned full clone of the internal template VM. The replica VM shares a read disk with the instantclone VMs after they are created. I only have the vSAN datastore available and one replica VM is created per datastore. The replica VM automatically got the following storage policy assigned:

    The fourth step involves the snapshot of the replica VM which is used to create one running parent VM per ESXi host per datastore. The parent VM automatically got the following storage policies assigned:

    After, the running parent VM is used to create the instant clone, but the instant clone will be linked to the replica VM and not the running parent VM. This means a parent VM can be deleted without affecting the instant clone. The instant clone automatically got the following storage policies assigned:

    And the complete stack of VMs with the two-node vSAN cluster in my home lab, without any further datastores, looks like this:

    vCenter Resource Pool 

    Now we know the workflow from a master VM to the instant clone and which default storage policies got created and assigned by VMware Horizon. We only know from the VMware Docs that FTT=1 and one stripe per object is configured and that there isn’t any difference except for the name. I checked all storage policies in the GUI again and indeed they are all exactly the same. Note this:

    Once these policies are created for the virtual machines, they will never be changed by Horizon 7

    Even I didn’t use linked clones with a persistent disk the storage policy PERSISTENT_DISK_<guid> gets created. With instant clones there is no option for a persistent disk yet (you have to use App Volumes with writable volumes), but I think that this will come in the future for instant clones and then we also don’t need View Composer anymore. 🙂

    App Volumes Caveat

    Don’t forget this caveat for App Volumes when using a vSAN stretched cluster.

    VMware Mirage – Alternatives

    Jan 12, 2019 | horizon, mirage, uem, workspaceone uem

    As some of you know Mirage was (and still is) a revolutionary technology at the time Wanova released it in 2011 and in 2012 Mirage became part of VMware.

    VMware Mirage is used by customers for their desktop image management and for backup and recovery requirements.

    VMware Mirage provides next-generation desktop image management for physical desktops and POS devices across distributed environments. Automate backup and recovery and simplify Windows migrations.

    Mirage is and was the solution for certain use cases and solved common desktop challenges. Therefore not all customers are happy that Mirage reaches end of support (EOS) on June 30, 2019. 🙁

    But why is VMware Mirage being removed from support?

    Well, the answer is very simple. Today, the market is heading in two directions – it’s all about the applications and end-user devices (called the Digital Workspace). That’s why customers should move or are somehow forced to move to a Unified Endpoint Management solution which is considered to be “the” Windows desktop management solution of the future. The future of Windows is apparently cloud based and Mirage has not been designed or architected for this.

    What are the alternatives?

    VMware has no successor or product which can replace all of the features and functions Mirage provided, but Workspace ONE is the official alternative solution when it comes to Windows desktop management.

    There are really a lot of use cases and reasons why customers in the past decided to choose Mirage:

    • Reduce Management Complexity (e.g. single management console)
    • Desktop Backup and Recovery (automated and continuous system or user data backup)
    • Image Management (image layering)
    • Patch Management
    • Security & Compliance (auditing and encrypted connections)
    • Simple Desktop OS Migrations (e.g. Windows 7 to Windows 10 migrations)

    VMware Mirage really simplified desktop management and provides a layered approach when it comes to OS and applications rollouts. Customers also had the use case where the physical desktop not always was connected to the corporate network and this is a common challenge IT department were facing.

    The desktop images are stored in your own data center with secure encrypted access from all endpoints. You can also customize access rights to data and apps.  Even auditing capabilities are available for compliance requirements.
    And the best and most loved feature was the possibility for a full system backup and recovery!

    IT people love Mirage because it was so simple to restore any damaged and lost device to the most recent state (snapshot).

    For branch offices where no IT was onsite Mirage was also the perfect fit. An administrator just can distribute updates or Windows images to all remote laptops and PCs without any user interaction – maybe a reboot was now and then required. But that’s all!

    In case of bandwidth problems you could also take advantage of the Branch Reflector technology which ensured that one endpoint downloads images update and then distribute it locally to other computers (peers), which saved relieved the WAN connection drastically.

    Can WorkspaceONE UEM replace Mirage?

    From a technical perspective my opinion is definitely NO. WorkspaceONE has not the complete feature set compared to Mirage when it is about Windows 10 desktop management, but both are almost congruent I have to say.

    I agree that WorkspaceONE (WS1) is the logical step or way to “replace” Mirage, but this you have to know:

    • WS1 cannot manage desktop images for OS deployments. Nowadays, it is expected that a desktop is delivered pre-staged with a Windows 10 OS from the vendor or that your IT department is doing the staging for example with WDS/MDT.
    • WS1 has no backup and recovery function. If you use Dell Factory Provisioning then you can go back to a “restore point” where all of your pre-installed and manually installed applications get restored after a device wipe let’s say for example. But if the local hard disk has a failure and this restore partition is gone, then you have to get your device or hard disk replaced. Without Dell Factory Provisioning this means that IT has, again, still to deploy the desktop image with WDS/MDT.

    For some special use cases it is even necessary to implement VMware Horizon, User Environment Manager, OneDrive for Business etc, but even then WS1 is a good complement since it can also be used for persistent virtual desktops!

    As you can see a transition from Mirage to WS1 is not so easy and the few but most important differences are the reasons why customers and IT admins are not so amused about the EOS announcement of VMware Mirage.

    VCP-DW 2018 Exam Experience

    Jan 8, 2019 | horizon, workspaceone, workspaceone uem

    On the 30th November 2018 I passed my VCAP7-DTM Design exam and now I would like to share my VCP-DW 2018 (2V0-761) exam experience with you guys.

    I’m happy to share that I also passed this exam today and I thought it might be helpful, even a new VCP-DW 2019 exam will be released on 28th February 2019, to share my exam experience since it’s still a pretty new certification and not that much information can be found in the vCommunity.

    How did I prepare myself? To be honest, I almost had no hands-on experience and therefore I had to get the most out of the available VMware Workspace ONE documentation. I already had basic knowledge for my daily work as a solution architect, but it was obvious that this is not enough to pass. The most of my basic knowledge I gained from the VMware Workspace ONE: Deploy and Manage [V9.x] course which was really helpful in this case.

    If you check the exam prep guide you can see that you have to study tons of PDFs and parts of the online documentation. 

    Didn’t check all the links and documents in the exam prep guide but I can recommend to read these additional docs:

    In my opinion you’ll get a very good understanding of Workspace ONE (UEM and IDM) if you read all the documents above. In additional to the papers I recommend to get some hands-on experience with the Workspace ONE UEM and IDM console.

    As VMware employee I have access to VMware TestDrive where I have a dedicated Workspace ONE UEM sandbox environment. I enrolled an Android, iOS and two Windows 10 devices and configured a few profiles (payloads). I also deployed the Identity Manager Connector in my homelab to sync my Active Directory accounts with my Identity Manager instance which enables also the synchronization of my future Horizon resources like applications and desktops.

    I think that I spent around two weeks for preparation including the classroom training at the AirWatch Training Facility Milton Keynes, UK.

    The exam (version 2018) itself consists of 65 multiple choice and drag & drop questions and I had 135 minutes time to answer all questions. If you are prepared and know your stuff then I doubt that you will need more than one hour, but this could change with the new VCP-DW 2019. 🙂

    I’m just happy that I have a second VCP exam in my pocket and now I have to think about the next certification. My scope as solution architect will change a little. In the future I’m also covering SDDC (software defined data center) topics like vSphere, vSAN, NSX, VMware Cloud Foundation, Cloud Assembly and VMC on AWS. That’s why I’m thinking to earn the VCP-DCV 2019 or the TOGAF certification.