Google Cloud VMware Engine (GCVE)

In June 2020 VMware and Google made the announcement that Google Cloud VMware Engine (GCVE) is generally available. Almost exactly one year ago, the market received the information that VMware’s Cloud Foundation (vSphere, vSAN and NSX) stack will come to Google Cloud.

With this milestone VMware is now present on top of all the so-called “big three” hyperscalers.

GCVE has the same goals as similar offerings such as VMware Cloud on AWS or Azure VMware Solution and belongs to the VMware multi-cloud strategy – to seamlessly migrate and run applications in the public cloud. In this case in Google Cloud! Run your applications in the public cloud exactly the same way as you already do now with your on-premises VMware environment, with the very important addition that you have high-speed access to Google Cloud services like Cloud SQL, Cloud Storage, big data or AI/ML services.

To be able to run VMware workloads on top of the Google Cloud global infrastructure, Google acquired CloudSimple (with which they had already partnered) in November 2019.

At the moment of writing, the VMware hybrid cloud experience on Google Cloud is sold, operated and supported by Google and their partners.

Many customers are already looking at this very interesting offer, which is going to be available in more regions by the end of 2020. But there are also already a few customers using the joint offering. Google just published a customer reference story about the “Deutsche Börse Group”, a large and international financial organization, which extended their on-premises environment to Google Cloud with Google Cloud VMware Engine. One of the reasons why Deutsche Börse went for this vSphere-based cloud approach was to keep migrations to the cloud easy. I expect we can hear more about this success story at VMworld 2020.

Cloud Migration and Workload Mobility

A lot of customers underestimate the amount of work, time and costs involved in refactoring or re-platforming applications and the overall challenges when it comes to migrations from on-prem to the cloud. To build this secure hybrid cloud extension with GCVE, you’ll need VMware HCX, which is included in the GCVE offering.

There are different options available to connect both worlds:

GCVE Connectivity Options

  • VPN Gateway for point-to-point connections, used for the secure admin access to vCenter. Useful for the initial setup of the GCVE environment.
  • Cloud VPN for site-to-site connections, a secure layer 3 connection over the internet. This is one of the lower-cost options for use cases that don’t require high bandwidth.
  • Dedicated Cloud Interconnect with a direct traffic flow to Google with 10 Gbps or 100 Gbps circuits with 50 Mbps to 50 Gbps connection capacities. This direct connection is required for HCX and is the preferable connectivity option for customers requiring high speed and low latency.
  • Partner (Cloud) Interconnect is another option of a Cloud Interconnect, where your traffic flows through one of the supported service providers (e.g. Colt, Equinix, BT, e-shelter, Verizon, InterCloud, Interxion, Megaport)

Note: One unique feature of GCVE is the ability to route between different GCVE environments in the same region, without the need for additional configuration. 

Use Cases

If you have already made yourself familiar with a hybrid cloud approach, these use cases shouldn’t be new to you.

Data Center extension or retirement. You can scale the data center capacity in the cloud on-demand, if you for example don’t want to invest anymore in your on-premises environment. In case you just refreshed your current hardware, another use case would be the extension of your on-premises vSphere cloud to Google Cloud.

Disaster Recovery and data protection. Here we’ll find different scenarios like recovery (replication) or backup/archive (data protection) use cases. You can also still use your existing 3rd party tools from Zerto or Veeam to replace or complement existing DR locations and leverage the Cloud Storage service. You can also use your GCVE private clouds as a disaster recovery (DR) site for your on-premises workloads. This DR solution would be based on VMware Site Recovery Manager (SRM) which can be also used together with HCX.

Cloud migrations or consolidation. If you want to start with a lift & shift approach to migrate specific applications to the cloud, then GCVE is definitely right for you. Maybe you want to refresh your current infrastructure and need to relocate or migrate your workloads in an easy and secure way? Another perfect scenario would be the consolidation of different vSphere-based clouds.

Application modernization. Re-architecting or refactoring applications is not that easy. Most customers start with a partial approach to modernize their applications and leverage cloud-native services (e.g. databases, AI/ML engines).

Interesting: Did you know that Google’s on-prem GKE (Google Anthos) is running on vSphere?

VMware Horizon on VMware Engine

The advantages of a public cloud like Google Cloud are the “endless” capacity, agility and high-bandwidth connections. These items are very important for a virtual desktop infrastructure (VDI), especially during disaster scenarios, when onboardings have to happen fast or if you look for on-demand growth.

Another regular example could be a merger & acquisition use case, where the main infrastructure doesn’t have the necessary physical resources to onboard the new company and their employees.

Something like this always has to happen as easily and quickly as possible, and running virtual desktops in Google Cloud VMware Engine can help in such situations. Together with VMware Horizon, organizations could install a VDI environment in GCVE and connect it to their Horizon on-premises infrastructure using the Cloud Pod Architecture (CPA).

Note: When migrating applications to the cloud (GCVE), it is a best practice to keep the virtual desktop close to the application, which is a general use case we see when talking about application locality.

Horizon Global Pod GCVE

With the release of Horizon 2006 (aka Horizon 8) it is also possible to choose “Google Cloud” as deployment option during the connection server installation.

In case you need a load balancer (for your Horizon components and in general) for your on-premises environment and the public cloud, have a look at NSX Advanced Load Balancer.

GCVE Node Specs

When planning your GCVE resource needs, be aware of the following specifications and limits:

CPU: Intel Xeon Gold 6240 (Cascade Lake) 2.6 GHz (x2), 36 Cores, 72 Hyper-Threads

Memory: 768 GB

Storage (vSAN): 2 × 1.6 TB (3.2 TB) NVMe (Cache), 6 × 3.2 TB (19.2 TB) NVMe (Data)

Number of nodes required to create a private cloud: 3 (up to 64 hosts per private cloud)

Number of nodes allowed in a cluster on a private cloud: 16

3rd party tools compatibility: Yes, you can use existing tools (elevated privileges allow you to install 3rd party software)

Interesting facts: It only takes about a half hour to spin up your private cloud with three nodes! The addition of a new node takes approximately 15 minutes.

GCVE Elevated Privileges

Software License and Versions

Please find the current software versions and licenses below used for the GCVE offering (purchased with a 1- or 3- year commitment). The listed software versions are fixed and all updates are managed by Google. Google is responsible for the lifecycle management of the VMware software, which includes ESXi, vCenter and NSX.

Component               | Version | License
------------------------|---------|-----------------
vCenter                 | 6.7 U3  | vCenter Standard
ESXi                    | 6.7 U3  | Enterprise Plus
vSAN                    | 6.7 U3  | Enterprise
NSX Data Center (NSX-T) | 2.5.1   | Advanced
HCX                     | 3.5.3   | Advanced

Shared Responsibilities

Google Cloud VMware Engine comes with all the components you need to securely run VMware natively in a dedicated private cloud. Google takes care of the infrastructure (service) and their native service integrations. As a customer you only need to take care of your virtual machines or containers with your applications and data. Besides that, you also need to make sure that your configurations, policies, network portgroups, authentication and capacity management are properly configured.

GCVE Shared Responsibilities

If you want to know and learn more about Google Cloud VMware Engine, have a look at the following resources: 

Multi-Cloud Load Balancing and Autoscaling with NSX Advanced Load Balancer (formerly Avi Networks)

Do you want to build your private cloud like a hyperscaler is doing it? You know that VMware Cloud Foundation is becoming the new vSphere, but still wonder how you can implement software-defined load balancing (LB) or application services and features like autoscaling or predictive scaling? Then this article about multi-cloud load balancing and autoscaling with NSX Advanced Load Balancer aka Avi Networks is for you!

My Experience with a Legacy ADC

A few years ago, I was working on the customer side for an insurance company in Switzerland as a Citrix System Engineer. My daily tasks included the maintenance and operation of the Citrix environment, which included physical and virtual Citrix NetScaler Application Delivery Controller (ADC) appliances. The networking team owned a few hardware-based appliances (NetScaler SDX) with integrated virtualization capability (XenServer as hypervisor) to host multiple virtual NetScaler (VPX) instances.

The networking team had their dedicated NetScaler VPX instances (for LDAP and HTTP load balancing mostly) and deployed my appliances after I filed a change request. Today, you would call this multi-tenancy. For a Citrix architecture it was best practice to have one high availability (HA) pair for the internal and one HA pair for the external (DMZ) network access. An HA pair was running in an active/passive mode and I had to maintain the same setup for the test environment as well.

Since my virtual VPX appliances were hosted on the physical SDX appliance, I always relied on the network engineers if I needed more resources (CPU, RAM, SSL chips, throughput) allocated to my virtual instances. Before I could upgrade to a specific firmware version, I also had to wait until they upgraded the physical NetScaler appliances and approved my change request. This meant we had to plan changes and maintenance windows together and had to cross our fingers that their upgrade went well, so that we could upgrade all our appliances afterwards.

NetScaler SDX

It was also possible to download a VPX appliance, which could run on top of VMware vSphere. To be more independent, I decided to install four new VPX appliances (for the production and test environment) on vSphere and migrated the configuration from the appliances running on the physical SDX appliance.

Another experience I had with load balancers was when I started to work for Citrix as a consultant in Central Europe and had to perform a migration of physical NetScaler MPX appliances, which had no integrated virtualization capability. I believe I had two sites, each with two of these powerful MPX appliances for tens of thousands of users. Besides the regular load balancing configuration for some of the Citrix components, I also had to configure Global Server Load Balancing (GSLB) in active/passive mode for the two sites.

NetScaler GSLB Active Passive

There were so many more features available (e.g. Web Application Firewall, Content Switching, Caching, Intrusion Detection), but I never used anything other than the NetScaler Universal Gateway for the remote access to the virtual desktop infrastructure (VDI), load balancing, HTTP to HTTPS redirections and GSLB. In all scenarios I had an HA pair where one instance was idling and doing nothing. And the active unit was on average not utilized more than 15-20%. It was common to install/buy too large or powerful instances/licenses, because you wanted to be on the safe side and have enough capacity to terminate all your SSL sessions and so on.

It (load balancing) was about distributing network traffic across multiple servers by spreading the requests and work evenly, and about adding some intelligence (health monitoring) in case an application server or a service would fail or be unavailable for any reason. If one more application server was needed, I ordered a new Windows Server, installed and configured the Citrix components and added the necessary load balancing configuration on the NetScaler. These were all manual tasks. The same work was done by the network engineers when the application team requested a new application server, which then had to be added to the load balancing configuration on their NetScaler appliances.

This was my personal experience from 2017. Since then applications have become more complex and distributed. The analysts and market are focusing on containerized and portable apps running more and more in multiple clouds. The prediction is also that the future is multi-cloud.

Multiple Clouds vs. Multi-Cloud

There are different definitions and understandings out there of what multi-cloud means. In my understanding, using a private cloud, AWS, Microsoft Office 365 and Azure is a typical setup with multiple clouds. There are simple scenarios where you migrate workloads from the private to the public cloud (e.g. Azure) or have applications with services lying on the private and on the public cloud. The latter would be an example of a hybrid cloud architecture.

The reasons for which services and resources are needed or distributed on multiple clouds (on-prem, Azure, AWS, GCP etc.) are various:

  • Avoid dependence on only one cloud provider
  • Consume different specific services that are not provided elsewhere
  • Optimize costs for different workloads and services
  • React to price changes by the providers

That is why we are also seeing the trend to break up big legacy applications (monoliths) into smaller pieces (segments), which is a best practice and design principle today. The goal is to move to a loosely coupled and more service-oriented architecture. This provides greater agility, more flexibility and easier scalability, because of fewer inter-dependencies.

And, if we take the second example from the list before, a segmented application is much easier to run in different clouds (portability). Running one application over multiple clouds is in my understanding the right definition of multi-cloud.

Multiple Clouds versus Multi-Cloud

Let’s assume that most probably all the four reasons above apply to larger enterprises. If we take another angle, we can define some business and technical requirements for multi-cloud:

  • Application or services need to be cloud vendor-agnostic
  • Provide or abstract control and management interface of multiple clouds
  • Support application portability/relocation between clouds
  • Combine IaaS and services from different clouds
  • Possibility to deploy components of applications in multiple clouds
  • (Cloud) Broker service needed
  • Policy and governance over multiple clouds
  • Network connectivity for migration scenarios with partially modernized applications
  • Automated procedures for deployments
  • Application monitoring over different clouds
  • Costs management
  • Lifecycle management of deployed applications in multiple clouds
  • Self-adaption and auto scaling features
  • Large team with varied expertise needed

How can you deliver and manage the different application services like load balancing, web application firewalling, analytics, automation and security over multiple clouds?

Another important question would be, how you want to manage the deployment on the various clouds. But cloud management or a cloud management platform is something for another article. 🙂

The requirements for the developers, operations and the business are very complex and it’s a long list (see above).

It is important that you understand, based on the requirements for multi-cloud, that it is mandatory to implement a modern solution for your modernized application architectures. Enterprises have become more application-centric and everyone is talking about continuous integration, continuous delivery and DevOps practices to automate operation and deployment tasks. A modern solution implies a software-defined approach. Otherwise you won’t be able to be agile, adapt to changes and meet future requirements.

My past experience with Citrix’ NetScaler is a typical example that “virtualized” and “software-defined” are not the same thing. And this is very important if we want to have a future-ready solution. If we look at VMware’s software-defined data center (SDDC), it includes, besides the virtual compute, also software-defined storage and networking. Part of the software-defined networking portfolio is “NSX Advanced Load Balancer”, the software-defined application services platform, which was also known as “Avi Networks” before VMware bought them in June 2019.

Unlike a virtualized load-balancing appliance, a software-defined application services platform separates the data and control planes to deliver application services beyond load balancing, real-time application analytics, security and monitoring, predictive autoscaling, and end-to-end automation for Transport (Layer 4) to Application (Layer 7) layer services. The platform supports multicloud environments and provides software-defined application services with infrastructure-agnostic deployments on bare metal servers, virtual machines (VMs), and containers, in on-premises data centers and private/public clouds.

Autoscaling became famous with AWS as it monitors your applications and automatically adjusts capacity to maintain availability and performance at the lowest possible costs. It automatically adds or removes application servers (e.g. EC2 instances), load balancers, applies the right network configuration and so on.

Can you achieve the same for your on-premises infrastructure with VMware? Yes.

Is there even a solution which can serve both worlds – on-prem and cloud? Yes.

And what about predictive scaling with real-time insights? Yes.

NSX Advanced Load Balancer (NSX ALB)

Why did VMware buy Avi? Because it follows the same architecture principles as NSX: A distributed platform with a separate control and data plane built on software-defined principles for any cloud.

Avi High Level Architecture

Traditional ADCs or load balancers are mostly configured in active/standby pairs, no matter if physical or virtual. Typically you would see around 15% utilization on the active node where the secondary standby node is just idling and doing nothing. Each pair is its own island of static capacity which shares the management, control and data plane.

You have to decide where to place the virtual IP (VIP) and how much you want to overprovision the physical or virtual appliances, because there is no capacity pooling available. This leads to operational complexity, especially when you have hundreds of such HA pairs running in different clouds. Therefore, legacy and virtualized ADCs are not the ideal choice for a multi-cloud architecture. Let’s check NSX ALB’s architecture:

Control Plane – This is the brain (single point of management) of the whole platform that can be spun up in your on-prem environment or in the cloud (also available as a managed SaaS offering), typically as a three-node cluster. All configuration is done within this cluster; this is also where the policies reside and the decisions are made. It is the controller’s duty to place virtual services on SEs to load balance new applications or increase the capacity of running applications.

The control plane comprises the three pillars that deliver the key capabilities of the Avi platform:

  • Multi-Cloud – Consistent experience for any cloud, no lock-in
  • Intelligence – The machine learning based analytics engine enables application performance monitoring, troubleshooting, and operational insights (gathered by the SEs)
  • Automation – Elastic and predictive auto scaling & self-service without over-provisioning through a complete set of REST APIs

Data Plane – The Service Engines (SEs) handle all data plane operations by receiving and executing instructions from the controller. The SEs perform load balancing and all client- and server-facing network interactions. They also collect real-time application telemetry from application traffic flows.

As already mentioned, NSX ALB can be deployed in multiple cloud environments like VMware vCenter, Amazon Web Services, Microsoft Azure, Google Cloud Platform, Oracle Cloud, IBM Cloud, VMC on AWS, Nutanix, OpenStack or bare-metal.

Use Cases

Most customers deploy Avi because of:

  • Load Balancer refresh
  • Multi-Cloud initiatives
  • Security including WAF, DDoS attack mitigation, achieve compliance (GDPR, PCI, HIPAA)
  • Container ingress (integrates via REST APIs with K8s ecosystems like GKE, PKS (TKGI), OpenShift, EKS, AKS, TKG)
  • Virtual Desktop Infrastructure (Citrix, VMware Horizon)

Advanced Kubernetes Ingress Controller Avi Networks

Consistent Application Services Platform (Features)

Avi/NSX ALB is an enterprise-grade solution. So, everything you would expect from a traditional ADC (e.g. F5), layer 4 to layer 7 services, SSL, DDoS, WAF etc. is built-in without the need for a special license edition. There is also no NSX license requirement, even though the product name would suggest it. It can be deployed as a standalone load balancer or as an integrated solution with other VMware products (e.g. VCF, vRA/vRO, Horizon, Tanzu etc.).

Avi Networks Features

Below is a list with the core features:

  • Enterprise-class load balancing – SSL termination, default gateway, GSLB, DNS, and other L4-L7 services
  • Multi-cloud load balancing – Intelligent traffic routing across multiple sites and across private or public clouds
  • Application performance monitoring – Monitor performance and record and replay network events like a Network DVR
  • Predictive autoscaling – Application and load balancer scaling based on real-time traffic patterns
  • Self-service – For app developers with REST APIs to build services into applications
  • Cloud connectors – VMware Cloud on AWS, SDN/NFV controllers, OpenStack, AWS, GCP, Azure, Linux Server Cloud, OpenShift/Kubernetes
  • Distributed application security fabric – Granular app insights from distributed service proxies to secure web apps in real time
  • SSO / Client Authentication – SAML 2.0 authentication for back-end HTTP applications
  • Automation and programmability – REST API based solution for accelerated application delivery; extending automation from networking to developers
  • Application Analytics – Real-time telemetry from a distributed load balancing fabric that delivers millions of data points in real time

Load Balancing for VMware Horizon

NSX ALB can be configured for load balancing in VMware Horizon deployments, where you place SEs in front of Unified Access Gateways (UAG) or Connection Servers (CS) as required.

Avi Horizon High Level Architecture

For a multi-site architecture you can also configure GSLB if needed. With GSLB, access to resources is controlled with DNS queries and health checking.

Note: If you are using the Horizon Universal Broker, the cloud-based brokering service, there is no need for GSLB, because the Universal Broker can orchestrate connections from a higher level based on different policies.
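The DNS-and-health-check decision described above, sketched as an added example (not Avi/NSX ALB code or configuration, and not from the original article): an active/passive GSLB responder that answers with the highest-priority healthy site and applies hysteresis to probe results. The site names, documentation-range addresses, thresholds, TTL and the choice to return SERVFAIL when every site is down are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass
class Site:
    """One GSLB member site; every value used below is constructed."""
    name: str
    vip: str                 # address handed out in the DNS answer
    priority: int            # lowest number = active site, others = passive
    fail_threshold: int = 3  # consecutive failed probes before marking down
    rise_threshold: int = 2  # consecutive good probes before marking up again
    healthy: bool = True
    fails: int = 0
    passes: int = 0

    def record_probe(self, ok: bool) -> None:
        """Update health with hysteresis so one lost probe does not flap DNS."""
        if ok:
            self.passes, self.fails = self.passes + 1, 0
            if not self.healthy and self.passes >= self.rise_threshold:
                self.healthy = True
        else:
            self.fails, self.passes = self.fails + 1, 0
            if self.healthy and self.fails >= self.fail_threshold:
                self.healthy = False


class ActivePassiveGslb:
    """Answers queries for one name with the best healthy site's VIP."""

    def __init__(self, fqdn, sites, ttl=30):
        self.fqdn = fqdn.rstrip(".").lower()
        self.sites = sites
        self.ttl = ttl  # short TTL so resolvers pick up a failover quickly

    def resolve(self, qname):
        """Return (rcode, vip_or_None, ttl) for a queried name."""
        if qname.rstrip(".").lower() != self.fqdn:
            return ("NXDOMAIN", None, 0)
        up = [s for s in self.sites if s.healthy]
        if not up:
            # Assumption: fail visibly rather than hand out a dead address.
            return ("SERVFAIL", None, 0)
        active = min(up, key=lambda s: s.priority)
        return ("NOERROR", active.vip, self.ttl)


# Constructed probe results per tick: (primary_ok, secondary_ok).
PROBE_TIMELINE = [
    (True, True),    # both sites fine
    (False, True),   # primary starts failing probes...
    (False, True),
    (False, True),   # ...third consecutive failure marks it down
    (True, True),    # primary recovering, not yet trusted
    (True, True),    # second good probe: fail back to primary
    (False, False),  # both sites start failing
    (False, False),
    (False, False),  # both marked down
]


def simulate():
    """Replay the timeline and return the DNS answer given at each tick."""
    primary = Site("dc-primary", "192.0.2.10", priority=1)
    secondary = Site("dc-secondary", "198.51.100.10", priority=2)
    gslb = ActivePassiveGslb("desktop.example.com", [primary, secondary])
    answers = []
    for primary_ok, secondary_ok in PROBE_TIMELINE:
        primary.record_probe(primary_ok)
        secondary.record_probe(secondary_ok)
        rcode, vip, _ttl = gslb.resolve("desktop.example.com.")
        answers.append(vip if rcode == "NOERROR" else rcode)
    return answers


if __name__ == "__main__":
    for tick, answer in enumerate(simulate()):
        print(tick, answer)
```

The thresholds and the TTL together bound how long clients keep being sent to a failed site, which is the number to check against the recovery time you have promised for the service.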

Automation

With NSX Advanced Load Balancer there are two parts when we talk about automation. One part is about infrastructure automation, where the controller talks to the ecosystem like a vCenter, AWS or Azure to orchestrate the Service Engine. So, when you configure a new VIP, the controller would talk to vCenter to spin up a VM, put it in the right portgroup, connect the front and the back-end, download the policy and service engine, and start receiving traffic.

The second piece of automation focuses more on the operational automation, which is done through the REST API (the UI and CLI don’t offer all of the configuration, while 100% can be done via the REST API). But, on top of that you can also run Ansible playbooks, Terraform templates, Go and Python SDKs, and have integrations with Splunk or other tools like vRealize Automation. This is the built-in automation in the product.

Avi Networks Automation

VMworld 2020 Sessions

This year VMworld is going to be free and virtual. Take this chance to register and learn more about Avi aka NSX ALB:

  1. Making Your Private Cloud Network Run Like a Public Cloud – Part 2 [VCNC2918]
  2. Modern Apps and Containers: Networking and Security [VCNC2920]
  3. Prepare for the New Normal of Work from Anywhere [VCNC2919]

Expectations and Current Approaches

There is a general understanding of and need for hybrid or multi-cloud architectures. Different people will tell different stories and give different advice. The results are different architectures and different approaches. Some people will tell you that you can use a cloud serially, so moving from one cloud to another. Or, simultaneously, when using different services from different clouds.

My last article focused on hybrid cloud, the architecture with some services lying on the private infrastructure, while other services are hosted on a public cloud. A public cloud provider tells you that you can buy all services from them and tries to give you a better discount than the competition (to avoid multiple clouds). Enterprises see the need for multiple (public) clouds to avoid a vendor lock-in instead of going all-in with just one of them.

VMware is about multi-cloud and workload mobility, with the vision that their VCF stack is running everywhere in the future. Now, some people would say that this is also a vendor lock-in. Depending on your strategy and technology choices and preferences (e.g. databases, AI/ML services, virtual desktops), you have to decide at some point which (cloud) vendor, approach and operation model is the right one for you.

It may not be true for every large environment, but if you go for multiple clouds, multiple technologies, management and security consoles, architecture and so on, you’ll spend a lot of time and money on engineering and keeping your environment “integrated” and functional.

VMware offers you choice. The choice to run your workloads today and tomorrow wherever you want.

If you have the same vision and strategy as VMware, then you are looking for solutions which run in or on top of every cloud. Because of that it’s very important to understand the difference between multiple clouds and multi-cloud.

In this case, NSX ALB brings you multi-cloud load balancing and auto scaling features for any cloud and for multi-cloud enabled applications and services.

Don’t forget: Some people are also saying that multi-cloud is not needed and doesn’t exist in reality. Nobody is saying multi-cloud is a piece of cake, but VMware can definitely help you to abstract this complexity. And part of this abstraction can be handled with vRealize Automation for example, which can act as a cloud broker to deploy your application and services.

 

Mobile-First with Samsung DeX and VMware Horizon

Currently, most people must work from home because of COVID-19. When the global lockdown started, companies were challenged to provide continuity of business with:

  • Remote PC access (physical access to computers with VMware Horizon or Citrix)
  • Remote access via VPN
  • Published desktops and apps hosted on-premises
  • Published desktops and apps hosted in the Cloud (e.g. Azure or AWS)
  • Shipping of new laptops
  • Shipping of new thin clients (don’t forget the Raspberry Pi 4)
  • Shipping of new mobile devices like smartphones and tablets

The options look clear but the execution of these actions wasn’t that easy. Nobody was prepared for a pandemic and its consequence of shipping problems and delays of servers, PCs and mobile devices. On the other side, some of the companies already had the necessary infrastructure but not enough licenses for their virtual desktop infrastructure (VDI) or unified endpoint management (UEM) platform.

In Switzerland we are lucky to have modern and stable internet connections where 1 Gigabit over fiber is not the exception anymore. I don’t know how VMware’s internal IT was challenged at the beginning of this crisis but I could always access my applications and data from my laptop with Workspace ONE (I don’t need Horizon for work). 

After a few weeks I was asking myself if the employers know all their options to enable their employees for remote working. For sure the most increased numbers are related to digital workspace products. That’s why people on Twitter and LinkedIn are shouting out that it’s “the year of VDI”. 

As long as not every virtual desktop or remote desktop session host is equipped with a vGPU, or until GPUs are affordable for everyone and become a commodity, in my opinion, we cannot talk about the year of VDI. But that’s another topic.

When I heard that PC and smartphone shipments are delayed for weeks, I looked for alternatives which don’t rely on shipping of new devices:  

  • I assume the employee has a private PC or laptop at home
  • I assume the employee possesses at least one smartphone or tablet
  • I assume the employee has a stable internet connection at home
  • I assume the employee has 4G/5G reception

To access a virtual desktop brokered via VMware Horizon you would only need a PC or laptop with an HTML5-capable browser to access the virtual environment. The installation of the Horizon Agent is not mandatory but would give you a much richer user experience.

Working directly on a smartphone or tablet only makes sense and is fun when:

  • You don’t have to access a virtual desktop or virtual app on a tiny display
  • You can use mobile apps
  • You can use SaaS apps
  • You can connect your phone or tablet to an external display – ideally with a keyboard and mouse

I have an iPad Pro at home but decided to test a mobile-first approach with a Samsung S20+, because it is more common that employers provide a smartphone instead of a tablet. I am not aware of any mobile-only company that solely works with smartphones or tablets. But I think it’s important to understand how a mobile-first or mobile-only approach affects the user experience and if it’s possible to replace PCs, laptops or thin clients.

Why is this thought interesting and important? The employee experience (EX) is the number one priority for a digital workspace and with today’s UEM platforms you can manage almost every formfactor and operating system (iOS, Android, macOS, Windows 10, Linux).

What if we can provide the same user experience and reduce costs with a mobile-first strategy coupled with Horizon for VDI use cases? Don’t ignore that there’s an ongoing shift towards 5G and it’s becoming more and more accessible. 

The most famous telco provider in Switzerland is “Swisscom” who already offers a pretty wide 5G (up to 1Gbit/s) and 5G+ (up to 2Gbit/s) coverage:

Swisscom 5G Coverage

My vision here is, that every employee is only equipped with a smartphone which they can use in the office and at home to securely connect to the corporate network to access internal apps or data and SaaS applications.

Here is what I would like to test:

  • Can the Samsung S20+ replace my Dell laptop?
  • How can I connect peripherals like an external display, keyboard, mouse, headset, webcam, printer etc.?
  • Which internal and external (mobile/SaaS) applications can be used with a good user experience?
  • Which applications should better be accessed via a virtual desktop or published app delivered with Horizon?
  • How is the user experience with Samsung DeX?
  • Which 3rd party applications are supported with Samsung DeX?
  • Can Samsung DeX transform a Samsung smartphone into a Windows thin client?
  • How is my daily work affected?
  • How do Samsung DeX and VMware Horizon work together?

Preparation of my Mobile-First Workplace

The first thing I did, after I installed all necessary Android updates, was to enroll my S20+ in VMware’s Workspace ONE. 

I enrolled my phone as a dedicated corporate device and could access my company’s applications within the next five minutes. The following applications are the most important ones for my daily work at VMware:

  • Microsoft Outlook / VMware Boxer
  • Microsoft PowerPoint
  • Microsoft Word
  • Microsoft Excel
  • OneDrive
  • Microsoft Teams
  • Slack
  • Zoom
  • Salesforce (SaaS version)
  • Different web links (Confluence, Jira, intranet, technical marketing website etc.)

Workspace ONE Application Catalog

My phone is enrolled, remote access to the corporate network can be established and all the necessary mobile applications are installed. Internal web links and SaaS applications can be accessed through the secure per-app VPN tunnel (micro VPN tunnel) and the Workspace ONE application catalog (image above) with SSO (Single Sign-On).

So, how do I transform this smartphone into PC-mode? 

Samsung DeX

I believe Samsung first included the “Desktop eXperience” (DeX) feature on Galaxy S8 smartphones and the original version even required the use of a DeX docking station. For a few months now, DeX can also be launched via a direct cable connection to an external display or to a Windows or Mac client. This means that no multiport adapter and no HDMI cable is needed if your display has a USB-C port.

Samsung DeX is not hardware — it’s a software platform that extends your smartphone or tablet into a desktop computing experience.

To use DeX desktop on Windows or macOS you’ll need the downloadable app, but this is not something I’m going to explore further.

Lucky me, my Dell display at home has a lot of regular USB ports and one USB-C port. This allowed me to connect the S20+ smartphone with the USB-C cable and connect peripherals like my headset (or speakers), keyboard and mouse. Another option, if you have a Bluetooth keyboard and mouse, would be to connect them directly to the S20. The only thing I haven’t done yet, because it has no priority, is to connect my network printer to the phone.

Samsung DeX Home Office Setup

In the image above you can see the DeX desktop with some application shortcuts I created.

Samsung DeX Keyboard Settings Samsung DeX Audio Settings 

The configuration of my keyboard and headset as the primary audio device was also very simple. So far, I am very impressed! 

Adapters

All you need to get started using DeX are a display, an HDMI adapter and peripherals. The HDMI adapter is only needed if your monitor has no integrated USB-C port. And not every monitor has a lot of USB ports. That’s why Samsung offers three different adapters:

 

 

 

Samsung DeX Adapters

The DeX cable is a simple 1.4m long HDMI-to-USB-C cable which you plug into your monitor.

The compact HDMI adapter allows you to connect your phone to an HDMI cable on your monitor. As no additional ports are available with the DeX cable and HDMI adapter, you’ll need to use Bluetooth peripherals.

The third option is a multiport adapter, which gives you a USB 3.0 port, a GigE port for a wired internet connection and a USB-C port to connect the phone’s charging cable (beside the HDMI port).

If you have no mouse, then you could use your phone as a touchpad. A notification on your phone will show you this option.

Samsung Core Applications & 3rd party apps

In Samsung’s “Beginner’s Guide to Samsung DeX” you’ll find the following information about supported mobile apps:

All of Samsung’s core applications are optimized for DeX, meaning you can resize and maximize the apps. You can also use right-click functionality and keyboard shortcuts. There are dozens of third-party apps that are fully optimized for DeX, including the Microsoft Office suite, Adobe Acrobat Reader, Photoshop Lightroom, Photoshop Sketch, Gmail, Chrome, BlueJeans, GoToMeeting and all the leading VDI clients, to name just a few. For those that aren’t optimized for DeX, read on for the next tip.

Samsung DeX Support Apps

Here’s the next tip about the DeX Labs activation:

DeX Labs offers access to “experimental” features that aren’t officially supported. Two current features include allowing DeX to force apps to resize and auto-open the last used app. To activate, click the DeX logo on the bottom right of your screen, open DeX Labs and toggle the features on. Now, when you open an app that is not DeX optimized, you’ll be given the opportunity to force resizing. This will allow you to view it in a larger window or even in fully maximized view.

Samsung and VMware have had a partnership for a while now and because of that the VMware Horizon Client and some other VMware apps are on the list of supported 3rd party apps:

Samsung DeX 3rd party apps

I tested Zoom already and it worked perfectly. First tests of Boxer and Slack also looked promising. The only apps which are not on the list of “apps in DeX mode” are:

  • MS Teams
  • Salesforce
  • Slack (seems to work)

Samsung DeX Team Crash Samsung DeX Salesforce crash

When I try to open MS Teams in DeX mode, nothing happens, and I see on the smartphone that the app is immediately crashing. DeX Labs, which attempts to resize apps that aren’t officially supported by Samsung DeX, didn’t make any difference.

Mobile Apps vs. Desktop Apps

Since MS Teams is not working in DeX mode, I’m going to check if DeX Labs helps. Otherwise I have to mirror my phone’s screen to use MS Teams or start this on a virtual desktop provided with Horizon.

Launching VMware Horizon desktops when working within DeX gives you both. You’re now working on a virtual desktop with full desktop apps. You’re viewing content on a full-sized monitor, and using the keyboard and mouse to get work done. And it’s all powered by your Galaxy smartphone. That is the digital workplace, powered by mobile.

Accessing a virtual desktop is very easy. You just need to download the Horizon Client from the Workspace ONE catalog (Intelligent Hub) or install the available one from the Google Play Store.

Samsung DeX VMware Horizon Client

For my tests I’m going to use the VMware TestDrive environment again, as I did for my testing with the Raspberry Pi 4. In the Horizon Client for Android User Guide you will find more information about using the Horizon Client with Samsung DeX:

If the Android device supports Samsung DeX, you can use Horizon Client in DeX desktop mode.

When the device is in DeX desktop mode, Horizon Client treats the device as a thin client and Thin Client
mode is enabled. For more information, see Using Horizon Client on a Thin Client.

The following features are supported when you use Horizon Client in Horizon DeX desktop mode.

  • You can configure Horizon Client to start automatically when you switch to DeX desktop mode. See
    Enable the DeX Mode Auto Launch Feature.
  • Remote desktop and published application sessions continue to run after you enter or exit DeX
    desktop mode.
  • If Horizon Client is maximized, remote desktops enter full-screen mode after you switch to DeX
    desktop mode.
  • To switch the language input method in a remote desktop, you can use the language switch key on a
    Samsung physical keyboard.
  • You can connect to multiple remote desktops and published applications at the same time. Smart
    card authentication is not supported for multiple sessions

Use Cases for DeX and VDI

Let’s give you a few examples of classic use cases. 

Healthcare

When we think about hospitals and healthcare in general, data security and mobility are very important topics. Mobility can help to improve productivity and almost every healthcare customer uses VDI for security and mobility purposes, e.g. shift workers and doctors need (VDI desktop) session roaming.

My experience shows that doctors often have a phone, tablet and a desktop/laptop.

Instead of having:

  • a computer in the office
  • a computer or thin client in the examination room
  • and a tablet for patient data (electronic health record) or medical images

you could do it all with one device and have the same user experience everywhere and in any case. I will cover the support of various authentication methods (smart card, biometric) later.

Please find here the VMware Horizon 7 Deployment Guide for Healthcare. 

Finance

The finance vertical also has different pillars and specific use cases. With banking or wealth management customers you probably have to talk more about thin clients and VDI. And with insurance companies, which have a lot of road warriors, you need to consider scenarios where the agents/consultants are working in the car or directly at their customer’s site.

For road warriors you could also propose a Samsung tablet and/or a mounted display and a dedicated keyboard which acts like a standalone computer.

Public Sector

Public sector customers have requirements that combine those of the healthcare and finance industries. Obviously, security is one of the most important topics. Data leakage prevention, encryption, data locality (an argument for VDI) etc. are just a few of the requirements. Multi-factor authentication with smart cards is also very common.

Security with Samsung DeX and Horizon

In this section I want to summarize what Samsung and VMware are offering for a secure mobile-first or mobile-only workplace. Samsung provides security with their phone and additional security features (Knox) for personal and enterprise use.

VMware refers to its intrinsic security strategy with a Zero Trust security approach.

Samsung and VMware

Samsung DeX and Samsung Knox

Using DeX also brings security benefits. Samsung smartphones and tablets are protected by advanced biometric security and Samsung Knox, a defense-grade security platform that’s designed from the chip up to protect devices from the minute they’re powered on — so you can be sure your information is safe.

Workspace ONE Unified Endpoint Management (UEM)

Workspace ONE UEM handles device management and compliance (OS updates, security patches etc.) of Android-based phones before any access is allowed.

With Workspace ONE Access you can grant access to your applications based on a combination of conditions (which is also known as the conditional access engine). The policy framework for conditional access consists of:

  • User (employee, contractor, customer)
  • Device (iOS, Android, Win10, macOS, BYOD, corp device, unmanaged)
  • Application (web, mobile, virtual, low or high security, internal, external)
  • Location (network range, 3G/4G/5G, geo)

For secure remote access to the corporate network, Workspace ONE offers an application tunnel and proxy. The app tunnel is established with Workspace ONE Tunnel, and the Unified Access Gateway (UAG) offers edge services so that you can securely access your on-prem Horizon virtual apps or desktops.

With Workspace ONE Intelligence you’ll get automated remediation and orchestration. Based on different conditions or triggers you can define actions or workflows like ticketing or notifications. You could also automate the blocking of VPN access if a phone or tablet doesn’t meet the required patch level.
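The four policy dimensions listed above (user, device, application, location) and the patch-level block can be modelled as a first-match rule set with default deny. The following Python example is added here for illustration and is not Workspace ONE code or its API; the class names, rule names, network ranges and patch dates are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple


@dataclass(frozen=True)
class AccessRequest:
    user_group: str       # "employee", "contractor", "customer"
    platform: str         # "android", "ios", "win10", "macos"
    managed: bool         # True if the device is enrolled in UEM
    patch_level: str      # security patch level as an ISO date, e.g. "2020-07-01"
    app_sensitivity: str  # "low" or "high"
    source_ip: str        # address the request arrives from


@dataclass(frozen=True)
class Rule:
    name: str
    user_groups: frozenset
    platforms: frozenset
    app_sensitivity: str
    networks: Tuple[str, ...]       # CIDR ranges this rule applies to
    require_managed: bool
    min_patch_level: Optional[str]  # None means no patch requirement
    action: str                     # "allow" or "allow_mfa"


def _in_scope(req, rule, addr):
    """A rule is in scope when user, device, application and location all match."""
    return (req.user_group in rule.user_groups
            and req.platform in rule.platforms
            and req.app_sensitivity == rule.app_sensitivity
            and any(addr in ip_network(n) for n in rule.networks))


def evaluate(req, rules):
    """Return (action, reason). The first rule in scope decides; default is deny."""
    try:
        addr = ip_address(req.source_ip)
        patch = date.fromisoformat(req.patch_level)
    except ValueError:
        # Unparseable input is never given the benefit of the doubt.
        return ("deny", "malformed source address or patch level")
    for rule in rules:
        if not _in_scope(req, rule, addr):
            continue
        # Posture checks: a failed check blocks access instead of falling
        # through to a weaker rule further down the list.
        if rule.require_managed and not req.managed:
            return ("deny", f"{rule.name}: device is not managed")
        if rule.min_patch_level and patch < date.fromisoformat(rule.min_patch_level):
            return ("deny", f"{rule.name}: patch level {req.patch_level} "
                            f"is below {rule.min_patch_level}")
        return (rule.action, rule.name)
    return ("deny", "no rule matches this request")


# Constructed sample policy: values are illustrative, not recommendations.
MOBILE = frozenset({"android", "ios"})
SAMPLE_RULES = (
    Rule("high-sec-corp-network", frozenset({"employee"}), MOBILE, "high",
         ("10.0.0.0/8",), True, "2020-06-01", "allow"),
    Rule("high-sec-remote", frozenset({"employee"}), MOBILE, "high",
         ("0.0.0.0/0",), True, "2020-06-01", "allow_mfa"),
    Rule("low-sec-anywhere", frozenset({"employee", "contractor"}), MOBILE, "low",
         ("0.0.0.0/0",), False, None, "allow_mfa"),
)

if __name__ == "__main__":
    # Constructed requests: same phone, different location and patch level.
    for ip, patch in (("10.1.2.3", "2020-07-01"),
                      ("203.0.113.5", "2020-07-01"),
                      ("10.1.2.3", "2020-03-01")):
        req = AccessRequest("employee", "android", True, patch, "high", ip)
        print(ip, patch, evaluate(req, SAMPLE_RULES))
```

Rule order matters in this model: a managed phone that falls below the patch baseline is denied by the first rule in scope, even though a later rule would otherwise have matched.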

If you want to go one step further, you could leverage the Workspace ONE Trust Network, which combines the insights from Workspace ONE with verified security partners (current partners are Carbon Black, Zscaler, Lookout, Netskope, Wandera and Zimperium) via APIs to deliver predictive and automated security for your mobile clients or the digital workspace in general.

VMware Zero Trust Security Workspace ONE

You can also add VMware NSX to enhance security with micro-segmentation and secure east-west traffic for applications and desktops in the data center and the cloud.

Workspace ONE Intelligent Hub is the portal for users to access their different applications and provides the same user experience on any device. The look and feel in your browser are the same as on your Samsung phone or tablet. In DeX mode I opened the Intelligent Hub app (left) and accessed the portal in Chrome as well (right):

Workspace ONE Intelligent Hub

Smart Cards

Customers know smart cards as plastic cards with an embedded digital certificate, which allows them to authenticate themselves to their desktops and applications. Some larger enterprises use the same plastic card or badge to access buildings or to digitally sign documents.

To get access to the digital certificate on the card, you would traditionally insert the card into an internal or externally connected smart card reader and then enter your PIN. For mobile workers and a mobile-centric platform, this way of working doesn’t offer the best user experience.

And besides that, physical smart cards are also considered old-fashioned, right?

For these reasons VMware introduced support for derived credentials a couple of years ago for Horizon Clients for Android, iOS and Windows. This eliminated the need for physical smart cards and smart card readers. All you need is the PIV-D Manager mobile app which comes with Workspace ONE:

VMware PIV-D Manager is a mobile application that integrates with various Derived Credential solution providers enabling the use of Derived Credentials with Workspace ONE UEM. The available vendors currently supported with the PIV-D Manager app are DISA Purebred, Entrust IdentityGuard, Intercede MyID, XTec, and Workspace ONE UEM.

Remote Support

What if your mobile workers have problems with their phones or tablets? Workspace ONE Assist is the last piece to complete the puzzle and it enables you to access and troubleshoot devices remotely in real time from the Workspace ONE console.

Here are the current supported features separated by platform:

WS1 Assist Capabilities Platform

In April 2020, VMware announced the expansion of their remote support solution offerings with VMware RemoteHelp.

The difference between RemoteHelp and Workspace ONE Assist is that you don’t need Workspace ONE UEM with RemoteHelp. You can look at RemoteHelp like Bomgar or TeamViewer, but with the addition that support engineers can launch remote support sessions for Android (and iOS) devices directly from their CRM platform. RemoteHelp is sold as a standalone product and has its own console and end-user mobile application.

You would use RemoteHelp where customers are using DeX with Horizon but are not managing the device with Workspace ONE.

Samsung Galaxy S20+ as Thin Client

I have already mentioned once or twice that I wrote articles about the Raspberry Pi 4 (RPi) and how it performs as a thin client for VMware Horizon. From a price perspective you cannot compare an S20+ and an RPi, because a smartphone has so many more features and is used for a lot more than connecting to a virtual desktop or web browsing. But let us have a look at the specs of both devices:

| Specifications | Samsung S20+ | Raspberry Pi 4 B/4GB |
| --- | --- | --- |
| Formfactor | Smartphone | Small Single-Board Computer |
| Dimensions & Weight | 161.9 x 73.7 x 7.8mm, 188g | 88 x 58 x 19.5mm, 46g (board only) |
| Operating System(s) | Android 10 | Raspbian, Stratodesk NoTouch OS, ThinLinX, Ubuntu (MATE, Core, Server), RISC OS, Win 10 IoT Core |
| Processor (CPU) | 64-bit 8-Core 2.70 GHz | 4-Core Cortex-A72 (ARM v8) 64-bit SoC @ 1.5GHz |
| Memory (RAM) | 8GB | 4GB |
| Network & Connectivity | 5G, LTE, Wi-Fi, 1 GigE (with adapter) | Wi-Fi, 1 GigE |
| Display Connectivity | USB-C, HDMI (with adapter) | 2x micro-HDMI |
| Power Connectivity | USB-C, Wireless Charging, Wireless PowerShare | Power Supply, USB-C Connector |

Based on the specifications of the Galaxy S20+, we should expect the same user experience as with a Raspberry Pi 4 Model B with 4GB RAM.

Horizon Test Environment

I’m going to use the same vGPU enabled Windows 10 from VMware TestDrive in the EMEA region. The Win10 desktop is equipped with four vCPUs from a Xeon Gold 6140 CPU, 8GB RAM and a Nvidia Tesla V100 GPU (V100-2Q profile).

VMware TestDrive

As you can see in the Remote Desktop Analyzer screenshot above, I’m connected with the Blast protocol and the active encoder is NVIDIA NvEnc H264. This tells us that the non-CPU encoding (H.264) on the virtual desktop and the H.264 decoding on the Samsung smartphone are supported and working.

Performance Testing

As usual, I have tested a YouTube HD trailer and graphics-intensive applications. All my uploaded videos have been compressed to a more web-friendly format and size.

1) YouTube

Here is the link for the Avengers 4 Endgame Trailer.

2) Nvidia Faceworks

3) eDrawings Racecar Animation

4) Nvidia “A New Dawn”

5) FishGL

Can a Samsung Galaxy S20+ replace my laptop?

A Samsung smartphone (or tablet) can definitely replace a fat client like a PC or laptop. The videos above are clearly showing that accessing and working with a virtual desktop is no problem at all and that the user experience is very good.

Working in DeX mode was a little strange at the beginning, but I think I and people in general could get used to it over time.

The 3rd party apps which are not working in DeX mode need to be accessed from a virtual desktop delivered with VMware Horizon or directly on the phone. You can switch to screen mirroring quickly and go back to DeX mode after. That’s just how it is.

When I joined VMware two years ago, I chose the Galaxy S8 as my corporate device and a Dell Precision laptop. For my role as a pre-sales solution architect who has to work a lot offline while travelling, a laptop is probably a better fit. Otherwise, at home or in the office, I could easily work with my S8 or S20+ only.

And as companies are giving you a phone and laptop as well, the price for a S20+ is very acceptable if you can replace at least one device like a PC or thin client.

Mobile computing is already transforming productivity across many industries. I believe that Samsung’s key features and VMware’s digital workspace offering make it possible to provide a secure mobile-first workplace.

Know Your Options with Citrix and VMware


No, this is not an article about Citrix vs. Horizon and which product is better. And I think that you should not compare Citrix and VMware anymore. If you are still reading and haven’t closed the tab in your browser yet, you made the right decision. The intent of this article is to help you better understand when the usage of Citrix Virtual Apps and Desktops (CVAD) makes sense, which VMware products could complement a CVAD infrastructure and the different options you have with VMware Horizon.

I think it is a very big plus that I worked for Citrix before and still have some technical knowledge. This gives me more credibility in front of the customer and I am not just someone from a vendor who tries to blame or downplay the other competitor to sell his own stuff. In fact, I always tell my customers how good Citrix is – there is no doubt about that.

But people are still stuck in the past and have the knowledge from four or six years ago. VMware Horizon has evolved into a very mature virtual apps and desktops solution and at the same time VMware’s products evolved as well and the story and product portfolio are better than ever.

If you had asked me a few years ago, no matter whether I was still with Citrix or already with VMware, I would have said that VMware Horizon had some serious (feature) gaps and differences (e.g. display protocol) compared to Citrix. But Horizon has transformed into an equal player in the market and can do almost the same as CVAD (formerly XenDesktop and XenApp).

Note: I’m not saying that VMware Horizon has reached feature parity compared to Citrix.

Let’s see which enhancements or new features have been released in the last 18 months for Horizon:

  • A lot of enhancements and closed feature gaps for the Horizon HTML5 console (now default)
  • RDS Drain Mode and RDSH Load Balancing configurable from UI
  • Improved CDR (Client Drive Redirection) performance
  • Increased CPA (Cloud Pod Architecture) scale up to 250k sessions
  • Session “pre-launch”
  • Two-Factor Re-Authentication
  • Client UI redesign
  • vGPU vMotion (came with vSphere 6.7 U1)
  • VM hosted apps (published applications from Win10 desktop pools)
  • Longer Lived Instant Clones
  • Horizon Cloud Services Enhancements & WVD support for Horizon Cloud on Azure
  • VMware Skyline Log Assist
  • App Volumes 4
  • New REST APIs
  • Bandwidth savings in Blast (with Blast Codec)
  • CPU utilization by Blast has been reduced
  • Blast Extreme HEVC High Color Accuracy support
  • Automatic codec switching based on screen content
  • NSX Advanced Load Balancer (Avi LB) support

As you can see, a lot of work has been done and a lot of time has been invested to make Horizon better! These improvements are one of many reasons why I think it’s useless to compare Citrix vs. Horizon, because both can basically do the same if you ask me.

Note: Horizon 8.0 is coming very soon and the beta program for it starts in a few weeks! Stay tuned for more enhancements and innovation. 🙂

Citrix and VMware – Four Options

When I think about Citrix and VMware, there are four options that come to mind for how a customer could move forward at any given time:

  1. Replace Citrix with Horizon
  2. Integrate Citrix with Workspace ONE
  3. Enhance Citrix with Horizon or Workspace ONE components
  4. Enhance Citrix with other VMware components
  5. Use Citrix and VMware Horizon (yes, there are customers with both!)

Replace Citrix with Horizon

The first option is the most obvious one and can happen from time to time due to various reasons. Sometimes the customer is just not happy anymore (technical or commercial) or wants to try something new because of one or more of the other listed options (integration and enhancements in place already).

A migration would be very easy on paper. StoreFront could be replaced by Workspace ONE Access (formerly vIDM), the VDA installed on RDS hosts or virtual desktops need to be replaced with the Horizon agent and on the client side the Citrix Workspace App (Citrix Receiver) gets replaced by a Horizon Client (including HTML5 client).

Caution: Even if it’s technically possible to uninstall the Citrix Virtual Desktop Agent (VDA) and install the Horizon Agent afterwards, this is not something a good consultant would normally recommend. Do it right: rebuild a clean image and test it before going into production.

VMware and Citrix Partnership

A replacement could also be done in parallel where you install a Horizon infrastructure beside the current Citrix environment and move the users over whenever you are ready.

If you are running your desktops on Azure together with Citrix Cloud, then the Citrix Cloud piece can be replaced with the Horizon Cloud Service on Azure. Citrix and VMware Horizon are both supported if you are looking for a connection broker for your Windows Virtual Desktops (WVD).

Integrate Citrix with Workspace ONE

The second option doesn’t come up very often. If a Citrix customer is using CVAD only and no Citrix Endpoint Management (formerly known as XenMobile) or Microsoft Intune (or MobileIron) and is considering Workspace ONE for their unified endpoint management of iOS, Android, macOS or Windows 10 clients, then mutual customers could use Workspace ONE (WS1) Access as the web portal or application catalog and single point of access for any application.

As just mentioned, Workspace ONE users and devices access Citrix-published resources by integrating their Citrix deployment with Workspace ONE Access, which offers an application portal, single sign-on capabilities, conditional access and many other features. Citrix-published resources include applications and desktops from any CVAD infrastructure starting from XenApp 6.0.

All entitlements are still configured in Citrix Studio and you just have to sync these users and groups to the WS1 Access services from Active Directory first.

Beside WS1 Access you need one additional component called the Integration Broker, which can be installed on a Windows Server. The Integration Broker is responsible for the communication with all Citrix farms/sites. The WS1 Access connectors then communicate with the Integration Broker.

Workspace ONE Integration Broker

More information can be found here. That’s all that is needed for the integration with Workspace ONE.

Enhance Citrix with Horizon or Workspace ONE components

VMware has customers with a large Citrix footprint of several thousand users. And some of these customers are using Horizon components together with their Citrix infrastructure. The two most used Horizon components in a Citrix infrastructure are:

I am no longer up to date on what Citrix App Layering, Profile Management (UPM) and Workspace Environment Management (WEM) can do for you today. But App Volumes would replace App Layering and Dynamic Environment Manager (DEM) would replace UPM and WEM in a Citrix environment.

I don’t know if this is still the case, but a few years ago App Layering had very limited features, didn’t perform and the handling of layers was a pain. And WEM just didn’t scale in larger Citrix environments. Citrix UPM is probably still doing its awesome job but is leveraging FSLogix for profile and O365 container management, and I assume that WEM is also installed more often nowadays.

If Citrix App Layering is in use, then probably the FSLogix Application Masking feature could be used as well to hide some components in the image, which also allows the admin to manage fewer golden images. This is something you also can do with Dynamic Environment Manager in combination with App Volumes.

Before FSLogix was available to almost every joint Citrix/VMware and Microsoft customer, it totally made sense to use something like DEM for the user environment management, as DEM has similar features as FSLogix.

To understand the integration of FSLogix and AV and DEM better, this article from VMware’s Digital Workspace TechZone is for you. 

Maybe you ask yourself now how you could get App Volumes and Dynamic Environment Manager for your Citrix environment? Well, there are a few ways and options:

  • Buy the “Horizon Enterprise” or “Horizon Apps Advanced” edition which includes AV and DEM (yes, can happen)
  • Buy the “Workspace ONE Enterprise” edition which includes “Horizon Apps Advanced”
  • Buy the “Workspace ONE Enterprise for VDI” edition which includes “Horizon Enterprise”

You have to buy another license from another vendor, yes. But, let me explain why this could make sense.

Scenario 1 – Citrix customer is buying Workspace ONE Enterprise

Let’s assume you are a Citrix customer and use CVAD to publish applications to your users, but want to manage your iOS, Android, macOS and Windows 10, IoT devices with one solution or platform. That’s the moment when you go for Workspace ONE as your Unified Endpoint Management (UEM) platform. Here’s what you get with Workspace ONE Enterprise:

  • iOS, Android, macOS, Windows 10 and IoT device management (MDM/UEM)
  • Workspace ONE Access
  • Application delivery and management (mobile and desktop)
  • Mobile SSO
  • Workspace ONE productivity apps (email, tasks, notes, content/file repository, web, card scanner)
  • Multi-Factor Authentication (MFA) with “Workspace ONE Verify” mobile application
  • Workspace ONE Intelligence (SaaS-based intelligence and automation engine including reporting)
  • Add-on: Remote Management of any device based on Workspace ONE Assist
  • Add-on: Workspace Security (Carbon Black offerings)
  • Horizon Apps Advanced

The Horizon Apps Advanced edition includes the following:

  • RDS published apps (no desktop OS, only server OS) and session-based desktops
  • ThinApp (not included with WS1 Enterprise)
  • App Volumes
  • Dynamic Environment Manager
  • vSphere Desktop

As you can see, you are removing silos in your digital workspace and can use App Volumes and Dynamic Environment Manager at the same time to enhance your Citrix infrastructure.

Scenario 2 – Citrix customer is buying Workspace ONE Enterprise for VDI

The difference between scenario 1 and scenario 2 is the Workspace ONE Enterprise for VDI license, which includes the following components:

  • Published desktops and apps (server OS and desktop OS incl. Linux)
  • App Volumes
  • ThinApp (not included with WS1 Enterprise for VDI)
  • Dynamic Environment Manager
  • vRealize Operations for Horizon (not included with WS1 Enterprise for VDI)
  • vSphere Desktop
  • vSAN Advanced for Desktop with All-Flash

WS1 Enterprise for VDI makes it possible to have VDI based on the Windows desktop operating system (e.g. Windows 10) as well and adds the infrastructure capability to run your desktop workloads on vSAN enabled clusters! The only difference from the regular standalone Horizon editions is that ThinApp and vRealize Operations are not part of the suite. If you have a lot of legacy apps or you need application virtualization or isolation, then take a look at ThinApp.

Application installers such as MSI files can be packaged into a portable EXE file and can then be run on any physical or virtual Windows PC and delivered with App Volumes (RDS/VDI) or with Workspace ONE (persistent VDI desktop or physical desktop).

And you get the “vSphere for Desktop” edition in both cases which is another killer argument why you could buy Workspace ONE Enterprise (for VDI) licenses as a Citrix customer.

vSphere Desktop

I don’t have any confirmed number, but I assume that 70% of the Citrix customers are using VMware vSphere as their hypervisor. Each regular Horizon edition has vSphere Desktop included which many people are not aware of.

vSphere for Desktop is a special edition, which provides the full range of features of the vSphere Enterprise Plus edition:

  • The new image management feature to patch, update or upgrade ESXi clusters (vSphere 7.0)
  • vCenter Server profiles and update planner (vSphere 7.0)
  • Distributed vSwitch
  • Secure access and account management with ADFS (vSphere 7.0)
  • Distributed Resource Scheduler (DRS)
  • Storage DRS
  • Nvidia GRID vGPU

vSphere Desktop is licensed based on the total number of powered-on VMs and has no processor limitation. It’s available in a pack size of 100 desktop VMs with up to 100 users per pack. VERY IMPORTANT: vSphere Desktop can be used for a VDI environment only and a vCenter license is not included in vSphere for Desktop.

This is the only restriction mentioned in the vSphere Desktop FAQ:

vSphere Desktop can be used only to host a desktop
virtualization environment or desktop management and
monitoring tools. Each pack of 100 VMs can be used for
up to 100 users. You can use vSphere Desktop for desktop
management and monitoring tools in a VDI environment
only. Desktop licenses covered by this provision, however,
may not be managed by the same instance of VMware
vCenter that is being used to manage non-desktop
OS virtual machines.

So, what is considered as a “desktop virtualization environment” including monitoring tools? Normally you would separate your Citrix or Horizon infrastructure servers from the virtual machines which provide the virtual desktops and applications. But this design is more a leading practice and recommended by reference architectures and therefore it is technically possible to mix the RDS and VDI virtual machines with the infrastructure servers like:

  • Connection Server / Delivery Controller
  • Workspace ONE Access / StoreFront
  • Unified Access Gateway / NetScaler
  • Active Directory
  • Monitoring Tools (vRealize Operations / Director)
  • any “other infrastructure directly related to and exclusive to the VDI environment”

In a Citrix Virtual Apps and Desktops environment you can use vSphere Desktop to provide the virtual machines (desktops) and the underlying infrastructure. In this use case, you are licensed per desktop virtual machine and per virtual machine used to host the infrastructure servers. These two numbers will be counted against your “total powered-on VM” count. If your Citrix environment has a 100-pack of vSphere Desktop licenses and you host 85 VDI desktops and 15 VMs that host the Citrix VDI environment, then you have used up all the 100 vSphere Desktop licenses.

vSAN Advanced for Desktop

vSAN Advanced for Desktop is shipped together with Horizon Advanced, Horizon Enterprise and Workspace ONE Enterprise for VDI. This license is available for customers using vSAN exclusively for a VDI infrastructure.

Horizon Universal License

The Horizon Universal License is a single subscription-based license, which is included in the Workspace ONE Enterprise edition and serves as an entitlement for all Horizon products, namely Horizon Cloud (including Horizon Cloud Apps) and Horizon on-premises (including Horizon Apps). Thus, the universal license entitles you to the following solutions:

This universal license gives customers the choice to start with an on-premises Horizon deployment and to move to the cloud (or vice versa) without requiring a new license.

Note: Because it’s the universal license and not a regular Horizon license, which is included in the WS1 editions, vRealize Operations (vROps) is not part of this subscription bundle. If needed, vROps can be bought as a standalone license.

Thin Client Management

I thought it was worth mentioning here. Keep in mind that you could use a platform like Workspace ONE to manage your thin clients. If your environment is heavily using thin clients you could “build” your own thin client based on Windows 10 IoT Enterprise and manage it via Workspace ONE.

E.g. Workspace ONE can manage Dell Wyse 5070 thin clients with Windows 10 IoT Enterprise. If needed, WS1 can configure the Unified Write Filter (UWF) feature to protect your thin client drives against any changes (saved data, setting changes or app installations). This is also helpful for increasing security for kiosk PCs in hotels, public spots, internet cafés etc. or for devices where new applications are not expected to be added frequently.

WS1 Unified Write Filter

Enhance Citrix with other VMware components

We know that you could make your Citrix environment “better” with Horizon components like App Volumes or Dynamic Environment Manager and vSphere components like vSphere and vSAN. But there are other products and components which could make sense in a Citrix environment.

I believe, today, VMware has something which you could call a partnership and both CTOs are clearly leading the way:

Citrix Partnership VMware

 

I don’t know if it ever happened before that Citrix mentioned VMware on stage at Synergy, but the announcement from the above picture brings me to my first solution which you could use for your Citrix deployment.

VMware Cloud on AWS

What has been announced at Citrix Synergy 2019? The intent to officially support CVAD running on VMware-based clouds, starting with VMware Cloud on AWS. Many organizations are evaluating or even using a hybrid cloud approach already. This announcement should help Citrix customers, who are running their workloads on vSphere already, to seamlessly move to the cloud to experience a consistent infrastructure with consistent operations.

Because you are using the same technology stack on-prem and in the cloud, this allows you to easily bring your RDS and VDI golden images to the cloud without any conversion.

I see two deployment options here. Either you leverage the Citrix Cloud services (use VMC as a resource location) or manually install your Citrix infrastructure like you would normally do in your on-premises environment.

VMC on AWS is Citrix-Ready

Note: VMC on AWS has been Citrix-Ready since Q4 2018!

CVAD on VMC on AWS

If you would like to know more about running Citrix Virtual Apps and Desktops with VMC on AWS, please watch the VMworld 2019 recording of the session “Building Global Citrix Virtual Apps and Desktops with VMware Cloud on AWS (HBI2247BU)“. There’s also a recording of the US 2019 session “Building Global Citrix Virtual Apps and Desktops with VMware Cloud on AWS“, presented by Andrew Morgan and James Hsu.

Interesting facts:

  • It takes about 60-70min on average to deploy a new SDDC on VMC on AWS
  • 12min is the average time to add a new host
  • Stretched clusters give you a guaranteed SLA of 99.99%
  • Sync your VM templates with your Content Library
  • Andrew and James deployed 100 Win10 desktops in 5min only
  • PVS and MCS both work on VMC on AWS

NSX – Software-Defined Networking

Digital transformations are nothing new, but get more complex with newer technologies we have today. One very important topic which came up in 2019 and is one of the most important trends for 2020 is “cyber security” or “zero trust security”. VMware and Citrix are both pointing to a zero trust approach to protect the workforce, any app and data. VMware has defined 5 pillars of zero trust for a digital workspace and “transport/session trust” is one of them with these parameters:

  • Micro-Segmentation
  • Transport Encryption
  • Session Protection

For secure transport of a user’s session you would use appliances like the Unified Access Gateway (UAG) or Citrix NetScaler. To achieve trusted network access within the data center and between workloads, you’ll need something like NSX and micro-segmentation. Citrix has only an SD-WAN solution to protect branch offices and branch users, but no solution for micro-segmentation. What is micro-segmentation and why is it important?

Imagine that network policies can be bound to a virtual machine or in our case to a virtual desktop and dynamically follow a virtual desktop. This is very helpful in the case of VMC on AWS for example. You can easily move the workload to the cloud and move the networking policies together with the VM, because the underlying stack on VMC on AWS (based on VMware Cloud Foundation) includes NSX and the vSphere hypervisor.

How would you secure the communication and access between desktops in the same VLAN? All desktops on a VLAN can communicate freely and one compromised desktop allows lateral movement. With NSX we can provide granular control of desktops and user/group based access control. This is micro-segmentation.

NSX Micro-Segmentation
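The lateral-movement argument above, as an added example (not part of the original post, and not NSX's API or rule syntax): a small Python model that compares what one desktop can reach on a flat VLAN with what it can reach under default-deny, group-based rules. The VM names, addresses, groups, ports and policy are all constructed for illustration.

```python
"""Constructed model: flat VLAN reachability vs. group-based micro-segmentation."""
from dataclasses import dataclass, replace
from functools import partial
from ipaddress import ip_address, ip_network

ANY = 0  # sentinel port meaning "all ports" in a rule


@dataclass(frozen=True)
class VM:
    name: str
    ip: str
    groups: frozenset  # security-group membership travels with the VM, not with its IP


@dataclass(frozen=True)
class Rule:
    src_group: str
    dst_group: str
    port: int
    action: str  # "allow" or "drop"


# Constructed inventory: every VM sits in the same VLAN (10.10.0.0/24).
DESKTOP_01 = VM("desktop-01", "10.10.0.11", frozenset({"vdi-desktops", "grp-finance"}))
DESKTOP_02 = VM("desktop-02", "10.10.0.12", frozenset({"vdi-desktops"}))
BROKER_01 = VM("broker-01", "10.10.0.5", frozenset({"vdi-brokers"}))
FIN_APP_01 = VM("fin-app-01", "10.10.0.50", frozenset({"finance-app"}))
INVENTORY = [DESKTOP_01, DESKTOP_02, BROKER_01, FIN_APP_01]
PORTS = [443, 445, 3389, 8443]

# Constructed policy, evaluated top-down with the first match winning.
POLICY = [
    Rule("vdi-desktops", "vdi-desktops", ANY, "drop"),   # no desktop-to-desktop traffic
    Rule("vdi-desktops", "vdi-brokers", 443, "allow"),   # desktops may reach the broker
    Rule("grp-finance", "finance-app", 8443, "allow"),   # group-based application access
]


def flat_vlan_allows(src, dst, port, vlan="10.10.0.0/24"):
    """Perimeter-only model: traffic between two hosts in the same VLAN is never filtered."""
    net = ip_network(vlan)
    return ip_address(src.ip) in net and ip_address(dst.ip) in net


def microseg_allows(src, dst, port, rules):
    """Per-VM enforcement on group membership; anything unmatched is denied."""
    for rule in rules:
        if (rule.src_group in src.groups and rule.dst_group in dst.groups
                and rule.port in (ANY, port)):
            return rule.action == "allow"
    return False  # default deny


def reach(src, inventory, ports, allows):
    """Every (VM, port) pair that `src` could open a connection to."""
    return {(dst.name, p) for dst in inventory if dst.name != src.name
            for p in ports if allows(src, dst, p)}


def compare(src):
    """Return (flat VLAN reach, micro-segmented reach) for one desktop."""
    flat = reach(src, INVENTORY, PORTS, flat_vlan_allows)
    seg = reach(src, INVENTORY, PORTS, partial(microseg_allows, rules=POLICY))
    return flat, seg


if __name__ == "__main__":
    for vm in (DESKTOP_01, DESKTOP_02):
        flat, seg = compare(vm)
        print(f"{vm.name}: flat VLAN exposes {len(flat)} (VM, port) pairs, "
              f"micro-segmentation leaves {sorted(seg)}")
    # Moving the desktop to another network changes its IP, not its groups.
    moved = replace(DESKTOP_02, ip="172.16.5.20")
    print("after move:", sorted(compare(moved)[1]))
```

Because the rules key on group membership rather than on addresses, the decision for a desktop stays the same after its IP changes, which is the "policy follows the VM" property described for workloads moved to VMC on AWS.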

Here are two articles about Citrix and NSX from VMware and Citrix:

If you are interested in 100% software-defined networking and are thinking about replacing existing hardware or virtual ADCs (application delivery controllers), take a look at NSX Advanced Load Balancer (formerly Load Balancer from Avi Networks).

NSX Advanced Load Balancer Architecture

Where VMware Horizon differs from Citrix

Now you know the four options you have as a Citrix customer when considering VMware products for your current and future environment. Let me explain why you shouldn’t compare Citrix and VMware Horizon anymore. To get started, you need to understand all the different options you have and how and where you could consume VMware Horizon:

  • Horizon on-premises
  • Horizon Cloud
  • Horizon DaaS

And with the different desktop virtualization offerings there are also different management responsibilities for the customer, partner and VMware:

VMware Horizon Responsibilities

Customers have the flexibility to choose the level of control they want to have over the Horizon and data center infrastructure. If full control of the solution is needed, then you would probably implement Horizon with vSphere on-premises. For use cases where you would like to maintain only the desktops and apps without concerning yourself with managing any infrastructure, Horizon Cloud on Azure could be one option.

Horizon On-Premises

The biggest difference for me, if you really want to compare Citrix and VMware in a better way, is to see the big picture. People need to understand that it is totally normal that one vendor sometimes is ahead or behind the competitor. The feature set from both vendors, only considering desktop virtualization, is pretty much the same.

When you start a desktop virtualization project and design the solution, you also have to think about the data center part. I am not only talking about Horizon and the storage or network requirements here. It’s important to understand the general strategy and vision of VMware and your employer/customer.

Today, automation is a design requirement and you ideally build your on-premises infrastructure based on public cloud principles. Companies don’t start anymore by buying hardware and think about automation later. They want to buy and build something that can be automated from day 1 like it’s done in the public cloud. Everything needs to be agile and elastic and should be able to change when any kind of change occurs.

Because of that it is essential to understand the cloud infrastructure part very well and this is the big difference between Citrix and VMware. We shouldn’t talk about EUC (End-User Computing) only, but also consider other projects or domains of the infrastructure:

  • Does it fit in my cloud operating model?
  • Can I use an existing solution to automate it (software and hardware)?
  • How would I move my workloads to the cloud tomorrow?
  • Can I integrate existing solutions in my ecosystem (e.g. security, IPAM etc.)?
  • Can it be integrated in our existing or new platform for modern applications based on containers?
  • What about day 2 operations if I need to expand?
  • Can I reduce my silos and reduce the number of vendors and licenses somehow?

The installation of a complete Horizon (or Citrix) infrastructure can be done in a few days, normally, but larger environments require a lot of automation and integrations into the existing infrastructure. Then we talk about several months and not days or weeks anymore.

Horizon on VMware Cloud Foundation

VMware Cloud Foundation (VCF) is made for any workload and is a hybrid cloud platform which provides a set of software-defined components for compute, storage, networking, security and cloud management. VCF is an engineered solution that integrates the entire VMware stack without you needing to deal with complex interoperability matrices.

VMware Cloud Foundation Overview

The architecture is built on VMware’s Validated Designs (VVD) to reduce the risk of misconfigurations or design failures. The VCF stack is also used with VMC on AWS or Azure VMware Solution (AVS) for example. This is another reason that clearly shows that this technology stack is the right one for any (VMware) infrastructure. If workload mobility is part of your IT strategy, then only VMware can offer this at the moment.

VCF 4.0 Bill of Materials

VMware Cloud Foundation has a “siloed” approach when it comes to the deployment. Based on different hardware resource pools you can create different so-called workload domains (WLD). Each WLD is a different SDDC instance which is managed by software-defined policies. The Horizon deployment can form one or more VDI WLDs.

VCF WLD Overview

Because it’s a standardized approach, VCF makes it very easy to scale on-demand depending on your needs. To get started you’ll need a management workload domain, which is a special-purpose workload domain dedicated for infrastructure and management components like the SDDC Manager, vCenter Servers, vRealize Suite and NSX. The SDDC Manager is responsible for the creation, update or deletion of a workload domain.

Using the regular standard architecture model for VCF, an environment starts with at least 4 physical servers for the management domain, 3 servers for the VI workload domain (Active Directory, SQL servers, any general infrastructure VM) and 3 servers for a Horizon VDI workload domain. This gives us a starting point of 10 physical servers if you build a complete IT infrastructure from scratch. Otherwise you just need the management domain and VDI workload domain with a total minimum of 7 physical servers.

There is also the option available of a consolidated architecture design for smaller environments. In this design the management and workloads run together on a shared management domain. But the consolidated architecture doesn’t support the automated deployment of Horizon yet.

For the automated deployment of Horizon on VCF you would use the SDDC Manager to deploy Connection Servers, App Volumes, Dynamic Environment Manager and Unified Access Gateways. Let me show you some part of the wizard to create a VDI WLD:

You don’t have to install the components by hand, but still need to do your homework before you can deploy the WLD.

I skipped a few steps. You need to upload the Windows server template, convert an existing VI WLD to a Horizon VDI WLD, configure the Horizon AD service account, provide a SQL server and provide information for the load balancers before you reach the step where you enter the details for the connection servers:

One more App Volumes Manager can be added as well:

If you reached the end, you’ll see a review page to do a final check and after that you can run a validation of all your inputs. The deployment of at least one Connection Server is required, but Horizon Composer Servers, UAGs, App Volumes and DEM are optional components and could be skipped.

To expand a current VDI WLD to install UAGs or just to expand the Horizon Pod (add ESXi hosts or Connection Servers) VCF gives you the option to start small and expand later. In the future it should also be possible to shrink a VDI WLD.

The lifecycle management with VCF is very easy. Available updates for all components are tested for interoperability and then bundled with the necessary logic for the proper installation order. VCF offers automated lifecycle management on a per-cluster basis (one WLD can have one or more clusters). This allows admins to target specific workloads or environments for updates independently of the rest of the environment.

VCF Lifecycle Management

For a VDI workload domain VCF delivers a nice view to see the allocated servers/resources and each component related to this workload domain. 

VCF Horizon Deployment WLD

Horizon on VCF on VxRail

So, we know now that VMware Cloud Foundation is the “easy button” for the deployment of the full vSphere stack including vSAN, NSX, vRealize Operations, vRealize Automation, vRealize Log Insight and so on. VCF on VxRail goes one step further and provides you the “one-click upgrade button” for your vSphere stack including the server hardware and firmware. VxRail bundles are pre-configured and pre-tested and therefore validated by Dell EMC and VMware.

VxRail SDDC Manager

The cool thing with VxRail is, that it gives you flexibility for your workloads and that you can choose between different series based on Dell EMC PowerEdge servers. You have multiple compute, memory, storage, network and graphics (M10, P40, T4) options available to cover your workloads and applications with the right server specifications.

VxRail Server Series

Citrix (on VCF) on VxRail

Since VxRail is an HCI appliance, it can run everything on top. I know some larger Citrix customers who are running their Citrix infrastructure on VxRail. It is also possible to run your Citrix infrastructure on VCF on VxRail on a VI workload domain. The only difference with Horizon is the missing automation and integration into the whole (VCF) stack.

Intrinsic Security

In case you missed it, VMware bought Carbon Black and has a new security business unit now. And this is one very important differentiator in this virtual cloud computing space. If VMware’s software-defined data center is your platform of choice already, it makes sense to use a security solution which can be fully integrated and provided by the same vendor.

VMware Security Solutions with Carbon Black

Imagine that the endpoint protection agent is already integrated in the Horizon Agent and that you could deliver security from your mobile endpoints (Windows, Mac, Linux) to your workloads (VMs or containers) in your data center or any cloud (AWS, Azure, GCP). Sounds too good to be true? No, this is where the VMware products are heading, especially with Workspace ONE and Horizon (next-gen AV, behavioral EDR, audit and remediation)!

Workspace ONE for Horizon

I mentioned it already, Horizon is included in the Workspace ONE Enterprise editions. I haven’t covered the case yet where you could combine Horizon and Workspace ONE. If you provide your users persistent virtual desktops based on Windows 10, then it is also possible to manage those with Workspace ONE. This will help if you want to move away from a traditional PC lifecycle management (PCLM) solution and move to a modern management approach. So far this is only supported with Horizon on-premises installations. Take a look at the product interoperability matrix:

Workspace ONE for Horizon

For which other use cases could this be useful?

  • Physical desktops with Horizon Agent installed (Remote PC access)
  • Physical servers with Windows 10 installed (e.g. HP Moonshot)

I don’t know if the last option has been tested but Windows 10 is a supported operating system for HP Moonshot cartridges.

Horizon Cloud

The Horizon (Cloud) Service is a group of cloud-based services that deliver features for Horizon deployments. This includes the Windows Virtual Desktop (WVD) on Azure as well since the 17th March 2020. Any customer who is using a Horizon subscription license, such as the universal license, can use the Horizon Service.

Horizon Cloud Service Overview

The goal of Horizon Cloud is to provide a single-pane management UI for the delivery and management of your desktops and applications. This is the overview dashboard which shows some information about the health and capacity of all your Horizon deployments.

Horizon Cloud Dashboard

The Cloud Monitoring Service (CMS), which is one of the central services of the Horizon Service, provides data about the user’s session and issues. It can show you how many users are affected by issues (latency, protocol, slow logon) and how their user experience is impacted.

In the administration console you can configure the role-based access (RBAC) for your helpdesk admins. It allows them to log in to the admin console and use the search feature to look up users. The help desk administrator can then look up the user’s sessions and perform troubleshooting or desktop maintenance operations. 

Horizon Cloud Helpdesk

The Image Management Service (IMS) is one of the coolest features of the Horizon Service. As the name already suggests, it allows you to manage Horizon images from the cloud. You can create, customize, publish and even version all your different images for your Horizon pods. IMS provides a centralized catalog for your images and these can be automatically replicated across the cloud-connected Horizon pods.

Important note: The current release of Horizon Cloud only supports Windows operating systems and on-premises Horizon pods.

Universal Broker

When I joined VMware in May 2018 I was waiting for a feature like this and tried to explain to some product managers (PM) that we need something like the Universal Broker. I was looking for a solution to avoid E/W traffic in a Horizon multi-pod deployment. I think I tried to explain it to some of our PMs using Citrix’ Optimal Gateway Routing for Storefront & NetScaler capability. Nobody understood me, but at least we have it now. 😀

Horizon Universal Broker is the cloud-based brokering technology used to manage and allocate virtual resources from multi-cloud assignments to your end users.

These are the listed key features in the VMware Horizon Cloud Service documentation:

  • Single FQDN for all multi-cloud assignments
  • Global pod connectivity and awareness for optimal performance (no longer need for GSLB and no more E/W traffic)
  • Smart brokering (awareness of geographical sites and pod topology)

This diagram shows the Universal Broker components and how the traffic flow works:

  1. From Horizon Client, the end user requests a virtual desktop by connecting to the Horizon Universal Broker service through the brokering FQDN. The service uses the XML-API protocol to authenticate the Horizon Client user and manage the connection session.
  2. After determining that Pod 1 in Site 1 is the best available source for the desktop, the Horizon Universal Broker service sends a message to the Horizon Universal Broker client, which runs on the Horizon 7 Cloud Connector paired with Pod 1.
  3. The Horizon Universal Broker client forwards the message to the Horizon Universal Broker plugin, which runs on one of the Connection Server instances within Pod 1.
  4. The Horizon Universal Broker plugin identifies the best available desktop to deliver to the end user.
  5. The Horizon Universal Broker service returns a response to Horizon Client which includes the unique FQDN of Pod 1 (typically the FQDN of the Pod 1 load balancer). Horizon Client establishes a connection with the load balancer to request a protocol session with the desktop.
  6. After passing through the local load balancer, the request goes to the Unified Access Gateway for Pod 1. The Unified Access Gateway validates that the request is trusted and prepares the Blast Secure Gateway, PCoIP Secure Gateway, and tunnel server.
  7. The Horizon Client user receives the specified desktop and establishes a session based on the configured secondary protocol (Blast Extreme or PCoIP).

Horizon DaaS

In 2013 VMware acquired Desktone, a company that specialized in delivering desktops and applications as a cloud service. The product was renamed over the years and kept the name “Horizon DaaS“. This is the reason that Horizon DaaS is not just another version of the classic “Horizon” or “Horizon View”, since it was a different product which VMware bought. It’s important to know that there are technical differences/characteristics between Horizon and Horizon DaaS because of this history.

Horizon DaaS is the Horizon Desktop-as-a-Service platform for service providers. Not many people understand and know this specific product and you won’t find a lot of content on blogs about it.

The most recent information, beside the official Horizon DaaS documentation, can now be found here 😉 or on Johan’s blog, where he published a lightboard series about Horizon DaaS.

As a service provider you have different options to provide a “managed desktop” or “DaaS” offering:

  • Dedicated Horizon deployment hosted in your data center (licenses through VCPP rental)
  • Horizon Cloud Service (DaaS offering licensed through VCPP MSP)
  • Horizon DaaS – multi-tenant Horizon deployment hosted in your data center (VCPP rental)

Again, Horizon DaaS should be seen as something different than Horizon, it’s really just not Horizon. But the future strategy and look of the user interface will be aligned with Horizon Cloud, because VMware’s Horizon Cloud Service is powered by Horizon DaaS already.

If multi-tenancy is a key requirement for your business, you’ll have to go with Horizon DaaS. Otherwise the regular Horizon edition or the combination with Horizon Cloud are the right fit. Horizon DaaS and Horizon have common components like vCenter, Agents, UAGs etc., but there are also different appliances with Horizon DaaS which replace components of a regular Horizon deployment.

Horizon DaaS Architecture

With Horizon DaaS you are going to have “Service Provider” appliances, “Tenant” appliances and “Tenant Resource Manager” appliances, which form the DaaS back-end.

The Service Provider Appliance is the first appliance installed in a data center and provides the foundation to install the remainder of the Horizon DaaS application.

The Resource Manager abstracts the specifics about the desktop infrastructure from the tenant appliances and allows multiple Desktop Managers to communicate with their respective virtualization resources. A Resource Manager appliance integrates with the hypervisor and storage infrastructure in a given data center. A single Resource Manager appliance can be shared across multiple tenants.

The Tenant Appliance provides the tenant with both end user and administrative access to their virtual desktops. End users access and manage their individual virtual desktops via the Desktop Portal. Administrators create and manage their virtual desktops via the Enterprise Center. The Tenant Appliance includes the Desktop Manager, a per-tenant resource that manages each tenant’s virtualization resources and communicates with a tenant’s hosts (hypervisors). You associate the desktop manager with a resource manager and one or more host managers.

It’s not 100% clear from the Horizon DaaS 8.0.0 Service Center guide, but a Tenant Appliance replaces the Connection Server you would know from a regular Horizon deployment (one of the differences I was already referring to).

Use what makes sense

For me it is very important that you understand how VMware products can help and that people are aware of all the different options they would have with VMware and Horizon.

You must form your own view and opinion and I hope this article was useful to get facts from both worlds (based on my best knowledge and experience). If you understand Horizon better now, this is already fine for me.

There was no intention to lead the path to a way where you would replace Citrix. The new information should help you to make the right decision for your company, your environment, your needs and use cases. Use the products which make sense for you and make sure you understood all options.

VMware Horizon – Raspberry Pi 4 with Stratodesk NoTouch OS

After I wrote the article “Raspberry Pi 4 – The Ultimate Thin Client?” I have been asked on Twitter to write about the Raspi in combination with Stratodesk’s NoTouch OS. I have no hands-on experience with this operating system, but am currently helping a partner who is doing a proof of concept with a customer. The customer uses AMD-based thin clients for their tests and one important criterion is Skype for Business. As you may know from my previous article, Skype for Business (SfB) is not running with the Horizon Client on TLXOS. The supported Horizon Client features include Blast Extreme, USB redirection, and H.264 decoding.

And I think I know now why. It’s not the Horizon Client on TLXOS, but the Raspi’s CPU architecture. In the VMware Docs for the Horizon Client for Linux 5.1 (most recent at the time of writing) it’s clearly stated that:

Real-Time Audio-Video is supported on x86 and x64 devices. This feature is not supported on ARM processors. The client system must meet the following minimum hardware requirements.

So, if I want to test all features of the Horizon Client, then I have to use my Intel NUC Skull Canyon. I’m still going to test the user experience with NoTouch OS, but the RTAV with SfB is off the table with this device.

Horizon Test Environment

I’m going to use VMware’s TestDrive to access a vGPU enabled Windows 10 desktop from the EMEA region. Such a Windows 10 1709 desktop is equipped with a Xeon Gold 6140 CPU and a Nvidia Tesla V100 card.

Raspberry Pi 4 Setup

There is no special manual needed to set up a Raspberry Pi. Just unbox and install it in a case, if you ordered one. Here are some general instructions: https://projects.raspberrypi.org/en/projects/raspberry-pi-setting-up

Install NoTouch OS on the Raspberry Pi 4

Format the SD card because TLXOS is installed. On Windows open the “Disk Management” tool to delete the volumes on the SD card.

After the deletion it should look like this.

Register for a free trial to download the installer “Stratodesk-NoTouchOS-DiskImage-2.40.5587-EEs-k419-armhf-190808.zip – NoTouch OS – Standard Edition k419 (Raspberry Pi 3 and 4) – Disk Image Installer”

Uncompress the ZIP archive

Double-click on “FlashSDcard.cmd” and check in the appearing “Win32 Disk Imager” that the drive letter points to your SD card (in my case “F”). When you are sure click “Write” and wait for the operation to complete.

After the write has been successful, remove the SD card and put it into the Raspberry Pi. Boot and let’s see.

Wizard Step 1 – Location and Keyboard

Wizard Step 2 – Create a connection (for Horizon View)

Wizard Step 3 – Admin Password and EULA

Wizard – Configuration stored and Horizon Desktop icon appears.

After a reboot, try to connect to your Horizon environment by double-clicking the icon on the desktop.

Works fine – my TestDrive desktop appears

I wanted to quickly test audio and video, but the video was very laggy and there was no audio at all. I couldn’t find a way, same with TLXOS, to minimize the Horizon session to get back to my NoTouch desktop. After checking the Blast settings in the Horizon Client I could see that the H.264 decoding is not allowed by default.

Before we connect back to the desktop we need to fix the audio problem as well. In the start menu you can access the system configuration where you have to enter a password first.

After accessing the “Audio” settings I had to change the “Standard audio device” to “Analog” and allow the other settings marked with “On” now.

Tried to save the config change but this resulted in an error. I decided to reboot the OS.

Checked the settings again – yes, they were saved. Finally, I could move on to the first test with YouTube.

Testing

 

1) User Experience with YouTube

As a first test I’m using the same Avengers 4K trailer on YouTube.

AVENGERS 4 ENDGAME: 8 Minute Trailers (4K ULTRA HD) NEW 2019: https://www.youtube.com/watch?v=FVFPRstvlvk

Result: Video good, audio unusable

2) TestDrive – Nvidia Faceworks

Result: Good performance (same as TLXOS)

3) TestDrive – eDrawings Racecar Animation

Result: Good performance (same as TLXOS)

4) TestDrive – Nvidia “A New Dawn”

Result: Video animation good, audio unusable

5) FishGL

Result: Good performance (same as TLXOS)

NoTouch OS – VMware Horizon Audio Problems

The good thing about the NoTouch OS is that it gives you more configuration and diagnostic options. And one of them is “play test sound”:

This tells us that the problem only exists in the Horizon VDI session. What happens if I change my analog speakers to USB and test it again?

Result: Good performance (same as TLXOS)

NoTouch OS – Configuration Options for the Horizon View

I have to admit that Stratodesk’s NoTouch OS is way more mature than a TLXOS. With TLXOS I had the feeling that the configuration options are very limited and the big advantage there was, that you could only configure one application or connection. Meaning you could only use Horizon or a web browser for example.

With NoTouch OS this is really different. You can configure Horizon, Citrix, RDP, Chromium etc. and place all the icons on the desktop or in the start menu.

Maybe I was not familiar enough with TLXOS or it’s not very intuitive, but the NoTouch OS gives me a rich set of options to configure the Horizon Client or my Horizon session.

Conclusion

Compared to the TLXOS I have to admit that Stratodesk’s NoTouch OS is the better option. You have way more options to configure the thin client (the operating system in the end) and the Horizon Client. In addition to that you are also allowed to configure more than one application or connection, which is limited to only one with ThinLinx (TLXOS).

And according to a current customer, who is performing a Horizon PoC, the management software from Stratodesk is also awesome.

If you look for an enterprise-ready operating system for thin clients, then NoTouch OS is the better choice for sure. I can confirm that Stratodesk is correctly installing our Horizon Client for Linux in their image including all the necessary libraries and dependencies!

The only thing which you have to keep in mind is the limited feature set with a Raspberry Pi. Skype for Business with the optimized mode currently is not supported. This means you have to go with a thin client which is based on an Intel- or AMD-based CPU architecture.

Raspberry Pi 4 – The Ultimate Thin Client?

Everyone is talking about the new Raspberry Pi 4 and asking themselves if it’s the new ultimate and cheap thin client. So far, I haven’t seen any customer here in Switzerland using a Pi with VMware Horizon. And to be honest, I have no hands-on experience with Raspberry Pis yet and want to know if someone in pre-sales like me could easily order, install, configure and use it as a thin client. My questions were:

  • How much would it cost me in CHF to have a nice thin client?
  • What kind of operating system (OS) is or needs to be installed?
  • Is this OS supported for the VMware Horizon Client?
  • If not, do I need to get something like the Stratodesk NoTouch OS?
  • If yes, how easy is it to install the Horizon Client for Linux?
  • How would the user experience be for a normal office worker?
  • Is it possible to use graphics and play YouTube videos?

First, let’s check what I ordered on pi-shop.ch:

  • Raspberry Pi 4 Model B/4GB – CHF 62.90
  • KKSB Raspberry Pi 4 Case – CHF 22.90
  • 32GB MicroSD Card (Class10) – CHF 16.90
  • Micro-HDMI to Standard HDMI (A/M) 1m cable – CHF 10.90
  • Power: Official Power Supply 15W – CHF 19.40
  • Keyboard/Mouse: Already available in my home lab

Total cost in CHF: 133.00

Raspberry Pi 4 Model B Specs

I ordered the Raspberry Pi 4 Model B/4GB with the following hardware specifications:

  • CPU – Broadcom BCM2711, quad-core Cortex-A72 (ARM v8) 64-bit SoC @ 1.5GHz
  • RAM – 4GB LPDDR4
  • WLAN – 2.4 GHz and 5.0 GHz IEEE 802.11b/g/n/ac wireless
  • Gigabit Ethernet
  • USB – 2x USB 3.0, 2x USB 2.0
  • Video – 2 × micro HDMI ports (up to 4Kp60 supported)
  • Multimedia – H.265 (4Kp60 decode), H.264 (1080p60 decode, 1080p30 encode)

With this powerful hardware I expect no problems and would assume that even playing videos and using graphics is not an issue. But let’s figure that out later.

Horizon Client for Linux

The support for the Raspberry Pi came with Horizon Client 4.6 for Linux:

Horizon Client for Linux now supports the Raspberry Pi 3 Model B devices that are installed with ThinLinx Operating System (TLXOS) or Stratodesk NoTouch Operating System. The supported Horizon Client features include Blast Extreme, USB redirection, and H.264 decoding.

And the current Horizon Client 5.1 still only mentions the support for Raspberry Pi 3 with the same supported feature set:

Horizon Client for Linux 5.1 is supported on Raspberry Pi 3 Model B devices that are installed with ThinLinx Operating System (TLXOS) or Stratodesk NoTouch Operating System. The supported Horizon Client features include Blast Extreme, USB redirection, and H.264 decoding.

Hm, nothing has changed so far. During the time of writing this article I’ll try to figure out if the official support for a Pi 4 is coming soon and why ThinLinX is the only supported OS so far. Because I saw on Twitter and on the Forbes website that people are waiting for Ubuntu MATE for their Raspis.

And I found a tweet from August 6, 2019, from the ThinLinX account with the following information:

ThinLinX has just released TLXOS 4.7.0 for the Raspberry Pi 4 with dual screen support. The same image runs on the entire Raspberry Pi range from the RPi2 onward. TLXOS 4.7.0 supports VMware Horizon Blast, Citrix HDX, RDP/RemoteFX, Digital Signage and IoT.

Raspberry Pi and Horizon Client 4.6 for Linux

The next question came up – are there already any people around who tested the ThinLinX OS with a Raspberry Pi 3/4?

Probably a few people tried it already, but only one guy from the UK has so far blogged about this combination on his blog vMustard.

He wrote a guide about how to install TLXOS and the TMS management software, the configuration of TLXOS and how the Horizon Client for Linux needs to be installed. For sure his information helps me to get started.

Horizon Test Environment

I’m going to use VMware’s TestDrive to access a vGPU enabled Windows 10 desktop from the EMEA region. Such a Windows 10 1709 desktop is equipped with a Xeon Gold 6140 CPU and a Nvidia Tesla V100 card. I tried to get a card from Nvidia to perform the tests in my home lab, but they already gave away all the cards they had. So, the test in my home lab has to wait for a few weeks or months. 🙂 

Workspace ONE UEM and TLXOS

And when I finally have installed TLXOS and can connect to a Horizon desktop, would it be possible to install Intelligent Hub and enroll the device in my Workspace ONE UEM sandbox environment? Is this also possible and supported?

Checking our VMware Docs and the Workspace ONE UEM product documentation the following information can be found:

The flexibility of the Linux operating system makes it a preferred platform for a wide range of uses, including notebooks, Raspberry Pi devices, and other IoT-capable devices. With Workspace ONE UEM, you can build on the flexibility and ubiquity of Linux devices and integrate them with your other mobile platforms in a central location for mobile device management.

Hm, would my new thin client be supported or not? The only requirements mentioned, are:

  • You can enroll devices running any version and any configuration of Linux running on either x86_64 or ARM7 architecture into Workspace ONE UEM
  • You can enroll Linux devices in any Workspace ONE UEM version from 1903 onward
  • You must deploy the Workspace ONE Intelligent Hub for Linux v1.0

As you can see above, the new Raspberry Pi 4 is based on ARM8. I asked our product management if the RPi4 and TLXOS are supported and received the following answer:

As for WS1 UEM support for Linux, we do support ARM and won’t have a problem running on a Pi4, but we are still early stages for the product

As the Linux management capabilities with Workspace ONE UEM are very limited, I’m going to wait another four to six months to perform some tests. But TLXOS is anyway coming with its own management software. And customers would probably prefer another Linux distribution like Ubuntu MATE.

Raspberry Pi 4 Setup

There is no special manual needed to set up a Raspberry Pi. Just unbox and install it in a case, if you ordered one. Here are some general instructions: https://projects.raspberrypi.org/en/projects/raspberry-pi-setting-up

Install ThinLinX OS on the Raspberry Pi 4

Download the most recent installer for ThinLinX OS (TLXOS) for a Raspberry Pi: http://thinlinx.com/download/

Insert your microSD card into your PC and launch the “TLXOS Raspberry Pi SD Card Installer” (in my case “tlxos_rpi-4.7.0.exe”) and press “Yes” if you are prepared to write the image to the SD card.

After the image extraction a “Win32 Disk Imager” window will appear. Make sure to choose the correct drive letter for the SD card (in my case “G”). Click “Write”.

If everything went fine you should get a notification that the write was successful.

Now put the SD card into the Pi, connect the USB-C power cable, micro-HDMI cable, keyboard and mouse.

And then let’s see if the Pi can boot from the SD card.

It seems that TLXOS just booted up fine and that we have a “30 Day Free Trial” included.

A few minutes later TLXOS was writing something to the disk and did a reboot. The Chromium browser appears. This means we don’t need to install the TMS for our tests, unless you would like to test the management of a TLXOS device.

I couldn’t find any menu on TLXOS, so I closed the browser and got access to a menu where I apparently can configure stuff.

Install Horizon Client for Linux on TLXOS

After I clicked on “Configure”, I browsed through the tabs (Application) and found the option to configure the Horizon Client. It seems that the client is included now in TLXOS which was not the case in the past. Nice!

Note:

When a TLXOS device boots, if configured correctly it will automatically connect to a Remote Server using the specified connection Mode. Up to 16 different connection Modes can be configured.

I just entered the “Server” and clicked on “Save Settings”, which opened the Horizon Client automatically, where I just had to enter my username and password (because I didn’t configure “Auto Login” before).

Voila, my vGPU powered Windows 10 desktop from VMware TestDrive appeared.

As a first step I opened the VMware Horizon Performance Tracker and the Remote Desktop Analyzer (RD Analyzer), which both confirmed that the active encoder is “NVIDIA NvEnc H264”. This means that the non-CPU encoding (H.264) on the server and the H.264 decoding on TLXOS with the Horizon Client (with Blast) should work fine.

To confirm this, I logged out from the desktop and checked the Horizon Client settings. Yes, H.264 decoding was allowed (default).

After disallowing the H.264 decoding I could see the difference in the Horizon Performance Tracker.

The active encoder changed to “adaptive”. Let’s allow H.264 again for my tests!

Testing

1) User Experience with YouTube

As a first test of the user experience with the Raspberry Pi 4 as a thin client, and to check how the H.264 decoding performs, I decided to watch this trailer:

AVENGERS 4 ENDGAME: 8 Minute Trailers (4K ULTRA HD) NEW 2019: https://www.youtube.com/watch?v=FVFPRstvlvk

I had to compress the video to be able to upload and embed it here. Important to see is that I was watching the 4K trailer in full screen mode and the video and audio were not choppy, but smooth I would say! I had around 21 to 23 fps. But that’s very impressive, isn’t it?

For the next few tests I’m going to use what TestDrive offers me:

2) TestDrive – Nvidia Faceworks

3) TestDrive – eDrawings Racecar Animation

4) TestDrive – Nvidia “A New Dawn”

5) TestDrive – Google Earth

6) FishGL

Conclusion

Well, what are the important criteria which a thin client needs to fulfil? Is it

  • (Very) small form factor
  • Management software – easy to manage
  • Secure (Patching/Updating, Two Factor Authentication, Smartcard Authentication)
  • Longevity – future proof
  • Enough ports for peripherals (e.g. Dualview Support)
  • Low price
  • Low power consumption

It always depends on the use cases, right? If Unified Communications is important to you or your customer, then you need to go with Stratodesk’s NoTouch OS or have to buy another device and use a different OS. But if you are looking for a good and cheap device like the Raspberry Pi 4, then multimedia, (ultra) HD video streaming and office applications use cases are no problem.

My opinion? There are a lot of use cases for these small devices. Not only in end-user computing, but it’s easy for me to say that the Raspi has a bright future!

With the current TLXOS and the supported Horizon Client features so far I wouldn’t call this setup “enterprise ready”, because the installation of TLXOS needs to be done manually (unless you can get it pre-installed on an SD card?). Most customers rely on Unified Communications today and are using Skype for Business and other collaboration tools, which is not possible yet according to the Horizon Client release notes. But as soon as the Horizon Client (for Linux) in TLXOS gets more features, the Raspberry Pi is going to take some pieces of the cake and the current thin client market has to live in fear. 😀

The biggest plus of a Raspberry Pi as a thin client is definitely the very small form factor combined with the available ports and the low price (TLXOS license not included). You can connect two high resolution monitors, a network cable, keyboard, mouse and a headset without any problem. If you buy the Pi in bulk as a customer, then I claim that the price is very, very hard to beat. And if a Pi has a hardware defect, then plug the SD card into another Pi and your user can work again within a few minutes. If VESA mount is mandatory for you, then buy a VESA case. By the way, this is my KKSB case:

What is missing in the end? Some Horizon Client features and the manual initial OS deployment method maybe. I imagine that IT teams of smaller and medium-sized companies could be very interested in a solution like this, because a Raspberry Pi 4 as a thin client already ROCKS!