How becoming a VMware vExpert changed my life

Most people think they are just like everyone else – I was also one of them. Let me share my story about becoming a vExpert and tell you, that this perception of “like everyone else” is wrong. I had to learn that as well.

In 2012, I started to work for a small VMware Cloud Provider Partner (VCPP) in Switzerland, was the 7th employee and the second one in the cloud engineering team. My role included the administration and operation of a data center environment which consisted of:

  • vCloud Director 5.x
  • vSphere 5.x
  • Citrix XenApp/XenDesktop
  • Cisco UCS
  • Cisco Switches and Routers
  • Dell EMC Storage and Backup

Back then I designed and deployed Windows environments, mostly on terminal servers, so customers could connect to their IaaS-hosted offerings via RDP. After a while we improved this service offering with Citrix on top, because we suddenly had new, larger customers with different requirements, and the company I worked for had to be innovative and think about new offerings and services.

Besides that, I also configured several Cisco routers and switches at the customer sites, not only for the in-house connections but also for the VPN connection to the data center where their infrastructure was hosted.

I didn’t realize until a few months ago that I had already built some cool hybrid clouds in 2012!

As you can imagine, since there were only two of us maintaining a lot of customer environments and our own infrastructure at the same time, we had a lot of knowledge and responsibility! But it was fun, and it was also the employer where I gained the most knowledge and experience.

I would say that this employer and the experience I gained during my 3.5 years there were such an important part of my career that I was able to work for Citrix a few years later, then join VMware and become a vExpert as well.

I remember saying, while still working for the VCPP partner, that I wanted to work for VMware one day, but that it was most probably just going to remain a dream.

Fun fact: I held several Cisco certifications (CCNA and CCNP) at the time, but was so afraid of failing the VCP5-DCV exam.

And today I’m going for my triple VCP badge and hope to get my first VCIX at the end of January 2021! 😀

Ever since I worked at this small VCPP partner, I had wanted to blog about the stuff I was doing or had to build for customers, about the special use cases or configurations I had fulfilled.

Decision to become a VMware vExpert

I joined VMware in May 2018 as a pre-sales solution architect focusing on EUC (end-user computing) topics, because I came from Citrix. This role included helping to grow the business of VMware Horizon and Workspace ONE.

But when the management in Switzerland hired me, I had no VMware EUC knowledge – only Citrix, Cisco and a strong VMware data center background.

So I was very ambitious, hungry for new knowledge, and decided that I could try to earn the VCDX-DTM certification sometime in the next few years. This idea led me to the decision to start blogging three months after I got hired.

I thought “let’s give it a try and if nobody is reading my stuff, I just delete everything one year later”.

Anyway, why should anyone read (or even find) my stuff? There are already so many great bloggers with awesome content out there.

My first articles were about the preparation for my first VCAP (desktop and mobility track) design exam. I wrote about it because I had to gain a lot of Horizon knowledge and realized that not many people had written about this topic so far, and most of the content available at that time was outdated.

By January 2019 I had passed the VCP-DTM, VCAP7-DTM Design and VCP-DW exams. In the meantime, I also tried to get familiar with Twitter and to be active there, and started to follow the well-known people from the VMware community, including some vExperts.

I had around 200 unique visitors hitting my blog per month and saw that other people were interested in my simple VCAP7-DTM study guide. At the same time I got notified on Twitter that the vExpert applications were open again.

At the end of January 2019, five months after I started blogging, I submitted my vExpert application with the expectation that I wouldn’t get accepted. Why did I think this? Because I was just someone who had started blogging recently, had written a few okayish articles, and nobody knew me. But in March 2019 I had the following email in my inbox:

[Image: vExpert 2019 notification email: You are in]

Benefits of being a VMware vExpert

YES! I couldn’t believe it, but this gave me motivation to write more and better articles. And now I felt the pressure that I had to deliver new content to keep this status for upcoming years, since I would have to re-apply every year. 🙂

I told myself that I needed to write about stuff nobody had covered yet – unique content. What did my visitor counter look like before and after I became a vExpert? The numbers just kept going up (from March on), even though I didn’t write that much after joining the program:

[Image: cloud13 2019 unique visitors chart]

Benefit 1: Becoming a VMware vExpert helps you get visibility and more people find your blog!

Why did my numbers go up starting in August 2019?

I had a customer looking at VMware Horizon who was evaluating different thin clients. While troubleshooting something in their POC (proof of concept) environment, they asked me whether they had other options, like Igel, Dell or Fujitsu thin clients. Was there a better and even cheaper option?

This question and some research made me order a Raspberry Pi 4, which I wanted to test. I wanted to figure out, and write about, whether the Raspberry Pi 4 could become the ultimate thin client.

It was one simple question, which resulted in an idea for a blog article, which in turn resulted in more visitors coming to my blog.

To this day this article is by far the most successful article, with the most hits per month! Suddenly I had pingbacks from other vExperts, and people were talking about this article on Twitter and VMware forums as well!

Benefit 2: People recognize your vExpert status (and credibility) and start to mention you on social media

I now had the confidence that I could write articles people would read. I had proof now.

An unexpected change leads to success

In December 2019 my focus as a solution architect expanded. I got promoted to “senior” solution architect and moved into a generalist role. This meant that I now focused on all VMware topics and products and got the responsibility for some of the largest and most strategic enterprise accounts VMware has in Switzerland.

This also meant that I had to learn a lot of new stuff if I wanted to survive in front of my customers and hold my own presentations and meetings, which in the end should also lead to business growth. Some of the new topics and technologies were:

  • VMware Cloud Foundation
  • Cloud Management Platform and the vRealize Suite
  • Software-Defined Networking with NSX and SD-WAN (Velocloud)
  • Kubernetes and app modernization with VMware Tanzu
  • Multi-Cloud Architectures and Cloud Migrations
  • Security with Carbon Black

The first three months were very challenging. I wanted to learn everything very fast to become a trusted advisor and to prove that I was worthy and that the promotion and role change were no mistake.

In my opinion, the best way to demonstrate or prove something is to write or talk about it. So, in 2020 I started to write about new technologies, adding my own words and new angles when publishing or pitching something:

The role change and my new focus made it possible for me to write about topics that were relevant for more people: not only technical people anymore, but also decision makers and generally less technical readers.

Why do I mention these articles? Because I consider them a huge personal success. Three of the four articles above were shared on the official VMware social media accounts on Twitter, Facebook and LinkedIn. I got a decent number of likes and re-posts (between 70 and 300)! These are two examples from LinkedIn:

Benefit 3: Your articles or posts get shared on social media by VMware. Suddenly you reach a whole new level of people, which also brings a lot of visibility for you!

You can imagine how I felt after this happened. I was surprised and impressed that there was interest in my content. I received a lot of great feedback on Twitter, LinkedIn and via e-mail.

Did I mention that I was even invited to the VMware Community Podcast? You can do that too! 🙂

It’s not about bragging, but I realized something very important, which is another benefit as well:

Benefit 4: You can have an impact on people’s lives and decisions.

It may be a VMware partner who now has a better understanding of how to explain some topics to their prospects or customers in a different way. There are customers who understand the huge VMware portfolio and the strategy behind it a lot better. And there are colleagues within VMware who contact me from different places on this planet and thank me for my contributions.

Benefit 5: People are thankful for your content and the information you share with others.

Apply for the vExpert Program

I worked in a small company, which became the most important milestone in my career before I joined VMware and became a vExpert.

I never believed that I could be successful and that other people would listen to me or read what I have to say. My story should be proof enough that anyone can contribute and make a mark. And what was between me and where I stand today as a vExpert?

Benefit 6: Higher confidence and believing more in myself.

The decision to start a blog to share information.

If you already share or want to share your knowledge and views which are related to VMware, then please apply for the vExpert program. If you are a current vExpert, please don’t forget to reapply.

Don’t miss out on the opportunity; be sure to apply before January 9th, 2021. The vExpert awards will be announced on February 19th, so be a part of the announcement!

Benefit 7: It is fun to share, and it gives you a great feeling.

Other vExpert benefits can be found here.

How are my website stats looking today after two years and the help of social media?

Contact me on Twitter or LinkedIn, if you need help with your vExpert application!

PS: I had the idea to write this article three weeks ago and removed it from my to-do list on Monday because I thought nobody would be interested. I woke up a little bit earlier than expected today and said to myself:

If my story results in at least one more person who wants to start blogging or even become a vExpert, it was already worth it. And I truly believe that after what I experienced over the last two years! 🙂

Again, it was only the decision that stood between me and writing this story.

VCAP7-DTM Design Exam Passed

On 21 October I took my first shot at the VCAP7-DTM Design exam and failed, as you already know from this article. Today I am happy to share that I finally passed the exam! 🙂

What did I do with the information and notes about my weaknesses from the last exam score report? I read a lot of additional VMware documents and guides about:

  • Integrating Airwatch and VMware Identity Manager (vIDM)
  • Cloud Pod Architecture
  • PCoIP/Blast Display Protocol
  • VMware Identity Manager
  • vSAN 6.2 Essentials from Cormac Hogan and Duncan Epping
  • Horizon Apps (RDSH Pools)
  • Database Requirements
  • Firewall Ports
  • vRealize Operations for Horizon
  • Composer
  • Horizon Security
  • App Volumes & ThinApp
  • Workspace ONE Architecture (SaaS & on-premises)
  • Unified Access Gateway
  • VDI Design Guide from Johan van Amersfoort

Today I had a few different questions during the exam, but reading more PDFs about the topics mentioned above helped me to pass, as it seems. In addition, I attended a Digital Workspace Livefire Architecture & Design training, which is available for VMware employees and partners. The focus of this training was not only on designing a Horizon architecture, but also on VMware’s EUC design methodology.

If you have the option to attend classroom trainings, then I would recommend the following:

There were two things I struggled with during the exam. Sometimes the questions were not clear enough and I had to make assumptions about what they could mean, and the exam is based on Horizon 7.2 and other old product versions of the Horizon suite:

  • VMware Identity Manager 2.8
  • App Volumes 2.12
  • User Environment Manager 9.1
  • ThinApp 5.1
  • Unified Access Gateway 2.9
  • vSAN 6.2
  • vSphere 6.5
  • vRealize Operations 6.4
  • Mirage 5.x

But maybe it’s only me, since I have almost no hands-on experience with Horizon, none with Workspace ONE, and in addition to that I have only been with VMware for 7 months now. 🙂

It is time for an update, and VMware has already announced that they are publishing a new version of the design exam, called VCAP7-DTM 2019, next year.

What about VCIX7-DTM?

In part 2 of my VCAP7-DTM Design exam blog series I mentioned this:

Since no VCAP7-DTM Deploy exam is available and it’s not clear yet when this exam will be published, you only need the VCAP7-DTM Design certification to earn the VCIX7-DTM status. I have got this information from VMware certification.

This information is not correct, sorry. VMware certification retracted their statement and provided the information that you need to pass the VCAP6-DTM Deploy exam, as long as no VCAP7-DTM Deploy is available, to earn the VCIX7-DTM badge.

I don’t know yet if I want to pursue the VCIX7-DTM certification and will think about it when the deploy exam for Horizon 7 is available.

What’s next?

Hm… I am going to spend more time with my family again and will use some of my 3 weeks of vacation to assemble and install my new home lab.

Then I also have a few ideas for topics to write about, like:

  • Multi-Domain and Trust with Horizon 7.x
  • Linux VDI Basics with Horizon 7.x
  • SD-WAN for Horizon 7.x
  • NSX Load Balancing for Horizon 7.x

These are only a few from my list, but let’s see if I really find the time to write a few articles.

In regards to certification I think I will continue with these exams:

This has no priority for now and can wait until next year! Or… I could try the VDP-DW 2018 since I have vacation. Let’s see 😀

VCAP7-DTM Design Exam, Part 12

I failed the VCAP7-DTM Design exam, but I expected it, and the first try showed me what I need to learn better and where my weaknesses are. Let me tell you about my exam experience.

I arrived on time at the Pearson VUE test center, but they had PC problems, so I first had to wait 30 minutes until I could start the exam. The timer showed that I had two hours for the 60 questions. Most of the time I was guessing and eliminating the obviously wrong answers, and so I was through 50% of the questions in 50% of the time. If you know a little bit more than I do and you work or have worked with all the products on a daily basis, I would say the exam is a piece of cake!

Nevertheless, I answered all 60 questions 15 minutes before the timer ended, but I didn’t review any of them, because I knew I still wouldn’t have better or correct answers. This may sound like I failed with a score of 0, but no: I had 252 of the 300 points needed, and this is a sign for me that I just need to improve my weak spots and the topics I didn’t check during my preparation time.

Today I’m going to travel to VMware AirWatch in Milton Keynes (UK) for my VMware Workspace ONE: Deploy and Manage [V9.x] training, which starts tomorrow. And I have to prepare a presentation for a roadshow with five events where I will be the speaker of a 30-minute slot. This means no time for studying yet.

But I’m lucky that I still got a seat at the Digital Workspace Livefire Architecture & Design training taking place in three weeks. This will be the last part of my preparation for the retake, which I have planned for 23rd November 2018. But first I have to wait for my new exam voucher. 🙂

I cannot tell you which topics, technologies or questions were asked during the exam, but I can assure you that I didn’t expect some of the questions – they were just craaaaazy or about veeeery old stuff.

This is also one of my problems. You have to study things which are no longer valid for today’s product version or implementation. In a few cases the configuration limits or some parts of an architecture have changed.

So I read the exam blueprint again and checked some of the attached URLs and document links again. In my opinion, you should know the following products and versions for the exam:

  • Horizon 7.2
  • VMware Identity Manager 2.8
  • App Volumes 2.12
  • User Environment Manager 9.1
  • ThinApp 5.1
  • Unified Access Gateway 2.9
  • vSAN 6.2
  • vSphere 6.5
  • vRealize Operations 6.4
  • Mirage 5.x

So, this was my exam experience of the VCAP7-DTM Design exam and my advice afterwards. It is totally okay to fail, because it will only help you if you are not prepared well enough or just went too early for your first shot.

My last advice: Use the note board for the difficult answers and topics you have no clue about. If you have enough time, have reviewed your answers and are ready to end the exam, memorize all your notes. Just in case you didn’t pass, you now have the notes in your mind and can transfer them to your personal notebook. This is totally legal and really helpful! 🙂

Good luck to you if you take the exam. I now have another four weeks to fill the gaps. 🙂 See if I passed or not.

VCAP7-DTM Design Exam, Part 11

My last article was about the Horizon reference architecture, and four weeks have already passed since then. My VCAP7-DTM Design exam is scheduled for October 18 – that’s in five days! I haven’t opened my books in the last three weeks, because I think it’s important to take a break and get some distance from your books and documents, which allows you to understand things better and faster and to see connections between things you haven’t seen before. And another reason was my pregnant wife, who delivered our beautiful daughter on October 4! 🙂 I then started from scratch and re-read all my training material and PDF documents.

Infrastructure Assessment

To design a Horizon 7 environment you have to follow a process to work out a VMware EUC solution that meets the customer’s requirements, follows the VMware design guidelines and uses the reference architectures while considering customer constraints. It is very important that all customer business drivers and objectives are clearly defined. Then you start to gather and analyze the business and application requirements and document the design requirements, assumptions, risks and constraints. For example, if you talk about technical requirements with your customer, the following categories should be covered:
  • Virtualization infrastructure and data center hardware
  • Storage
  • Networking
  • Security
  • Application
  • Directory services and GPOs
  • Monitoring and performance
  • Management
  • Profile management
  • Peripherals
  • Printing
  • Backup and recovery (business continuity)
  • Endpoints
  • Users/use cases (correlation between hardware, software and user requirements)
  • High availability
  • Licensing
With the information from the assessment phase, the design work can begin: you create the conceptual design before you head over to create a logical design. Advice: Minimize risks and keep things simple!

Horizon Logical Design

The logical design (high-level design) follows the conceptual design and defines how to arrange components and features. It is also useful for understanding and evaluating the infrastructure design. The easiest and most common way to create a logical design is the use of architecture layers. Each layer contains one or more components and has functional and technical inter-dependencies:
  • User Layer
    • Self-Service portal
    • Authentication
  • Application Layer
    • Application deployment and type (cloud-based, locally installed, enterprise apps etc.)
  • Desktop Layer
    • Use cases and type of user
    • Scalability and multi-site
    • Desktop types and OS
  • Virtualization Layer
    • Hypervisor
    • Compute, network and storage
    • Graphics
  • Hardware Layer
    • Server
    • Network and storage
  • Management Layer
    • Patching
    • Monitoring
    • Cluster and resources
    • Capacity
    • Backup
  • Security Layer
    • Internal and external
    • Authentication and authorization
    • Policies
    • Antivirus etc.
A Horizon logical design could look like this:

[Image: Horizon Logical Architecture]

If you need to write down use cases and their attributes, here is an example:

  Attribute             Definition
  Business Unit         Finance
  User Classification   Task Worker
  Time of use           07:00-18:00, Mon-Fri
  User device           Thin Client
  Peripherals           None
  Connectivity          LAN
  Persistency           Non-persistent desktop
  Data center           Basel DC1
  Authentication        Windows Login

Horizon Block and Pod Design

In part 4 I covered how to use a repeatable and scalable approach to design a large-scale Horizon environment.

Horizon Component Design

To have a complete design you must define the number and the configuration of Horizon components required for your environment. You have to include certain design recommendations and design the configuration of the Horizon components for your use cases. These are some of the required infrastructure components:
  • VMware Identity Manager
    • Load Balancing for resiliency and scale
    • Database required
    • Connection to Active Directory
    • SaaS-based implementation recommended
    • Approx. 100’000 users per virtual appliance
  • vCenter Server
    • Up to 10’000 virtual machines per vCenter
      • Recommendation: 2’000 desktops per vCenter
    • Dedicated vCenter Server instance per resource block
    • Database required
  • Connection Server
    • Up to 2’000 sessions per Connection Server (4’000 tested limit)
    • Database required
    • Install at least one Replica Server for redundancy
    • Max. 7 Connection Servers per pod
      • Load-balanced
    • Max. 10’000 sessions per pod recommended
    • Cloud Pod Architecture
      • Max. 175 Connection Servers
      • Max. 120’000 sessions
      • Max. 5 sites
    • View Composer needed?
      • Database required
  • Security Server (not recommended anymore, use UAG)
    • Should not be member of AD domain
    • Load Balancing
    • Should be hardened Windows server (placed in DMZ)
    • 1:1 mapping with Connection Servers
  • Unified Access Gateway (UAG)
    • Virtual appliance (placed in DMZ) based on Linux (Photon OS)
    • Scale-out is independent of Connection Server
    • Does not need to be paired with a single Connection Server
    • Load Balancing

Pool and Desktop Configuration

  • Desktop Configuration
    • Specification (OS, apps, RAM, disk, network)
    • Operating System Builds (master images)
      • Image Optimization (use OSOT)
    • Application Deployment
  • Pool Configuration
    • Map use cases to pools
    • Pool Design
      • Type
      • User Assignment
      • User Experience Settings
      • Pool Size
      • Performance
      • AD Groups
    • Pool Types
      • Automated Desktop Pool
      • Manual Desktop Pool
      • RDS Desktop Pool
    • Desktop Persistence
      • Dedicated
      • Floating
    • Desktop Pool Definition
      • Full Clones
      • Linked Clones (Composer)
      • Instant Clones
    • Remote Display Protocol
      • Blast (H.264 capable, TCP/UDP)
      • PCoIP (UDP)
      • RDP (TCP)
    • 3D Rendering (Horizon 7.2)
      • Nvidia GRID vCPU (shared GPU hardware acceleration)
      • Hardware
      • Virtual Shared Graphics Acceleration (vSGA)
      • Virtual Dedicated Graphics Acceleration (vDGA)
      • Soft 3D (Software-accelerated graphics)
      • AMD Multiuser GPU using vDGA
      • Pool must use PCoIP or Blast
      • (Live vMotion of vGPU VMs is supported since Horizon 7.6)

VMware Infrastructure Design

You need to map the Horizon desktop building block and the Horizon management building block to vSphere and identify the factors and design decisions needed to figure out the sizing of the VMware infrastructure.
  • ESXi Hosts
    • ESXi Host Specifications
    • CPU requirements
    • Memory requirements
    • Storage requirements (especially if using vSAN)
    • Host density (max. VMs/desktops per ESXi host)
    • vSphere cluster requirements (HA and DRS)
  • Storage
    • Storage performance and desktop I/O requirements
      • Types of disks (SSD, SAS, SATA)
      • Dedicated array for VDI
      • FC/Network connectivity
    • Shared Storage recommended
      • vSAN recommended for Horizon desktops
      • Datastore sizing
    • Storage requirements depending on pool configuration
      • E.g. Instant Clones use significantly less storage

Network and Security Design

The network design should be simple, scalable and secure. More security does not always mean a worse user experience; it does mean fewer risks and does not have to imply more complexity.
  • Network
    • UAG appliance load-balanced in DMZ
    • Connection Servers load-balanced inside corporate firewall
      • Security Server would be placed in DMZ if no UAG
    • Know the key firewall considerations for Horizon 7
    • Bandwidth requirements for different types of users
    • LAN considerations
    • WAN considerations (e.g. latency, WAN optimization)
    • Optimization/Policies for display protocols (LAN/WAN)
    • vSphere networking requirements
      • Separate networks for management, VMs, vMotion etc.
      • Physical redundancy
      • Use vSphere Distributed Switch
  • Security
    • Secure your desktops (lockdown, GPOs, UEM)
    • Use secure client connections (secure gateways/tunnel)
    • Use Unified Access Gateway for remote access (use three NICs)
      • View Security Server (if needed)
    • User authentication method from internal and external
      • Two Factor Authentication for external connections
    • Restrict access (tags, AD groups)
    • Use NSX for micro segmentation
    • Install signed SSL certificates

Session Management

The objective of a Horizon implementation is to provide better support to users than the physical solution. Session management is one aspect of this. Configuration and the different settings on the sessions or client devices are essential for a smooth user experience.
  • Personalization
    • Profile Management (mandatory profiles recommended)
      • Use folder redirection
    • Use User Environment Manager (UEM) for Windows and application settings
      • Personalization
      • Application Configuration Management
      • User Environment Settings
      • Application Migration
      • Dynamic Configuration
  • Just-in-Time Management (JMP) Platform
    • App Volumes (real-time application delivery)
    • Instant Clones (rapid desktop provisioning)
    • User Environment Management (contextual policy management)
  • End-User Desktop Maintenance
    • Maintaining linked-clone desktops with Composer
      • Recompose – Patch and update desktop
      • Refresh – Revert OS disk to the base image snapshot
      • Rebalance – Management of datastore capacity
    • Manage Instant Clones by pushing an image
  • User Authentication Method
    • Smartcard
    • Two Factor Authentication (RSA, RADIUS, SAML, vIDM)
    • True SSO (short-lived certificate for Windows login process)
      • Enrollment Server required
  • ADMX template files for secure remote desktops
  • Client Devices
    • Thin clients, zero clients, fat clients, tablet and smartphones
    • Different Horizon Clients
    • Printing

Delivering Applications

The last topic I quickly repeat is about delivering and managing applications. Horizon has different methods of application delivery, and the choice of method depends on many factors.
  • Applications in general
    • New or existing applications
    • App Lifecycle
    • Dependencies and conflicts
    • Performance and stability
  • Application delivery methods
    • RDS-hosted apps
    • ThinApp package (containerized applications, isolated from OS)
    • Natively installed Windows apps (in master image)
    • Citrix published apps
    • SaaS
    • App Volumes (real-time application delivery with LCM)
  • ThinApp
    • Isolation modes
      • Merged mode (full write access)
      • WriteCopy mode (restricted write access)
      • Full mode (no read/write access)
    • Package format
      • EXE
      • DAT (when EXE is larger than 200MB)
      • MSI
These are the topics you should cover when you prepare for the VCAP7-DTM Design exam. In addition, I also read the following documents:

This is my recommendation. Within the last 8 weeks I have effectively studied 5 weeks for the exam. I have worked with Horizon products for approx. 4 months in a pre-sales role, not as a consultant. I will update you after the exam on whether the experience combined with learning was enough to pass! 🙂 Did I forget anything? Let me know!

Jump to part 12

VCAP7-DTM Design Exam, Part 10

In part 10 of my VCAP7-DTM Design exam series we take a look at the Horizon 7 Enterprise Reference Architecture.

To be honest, I didn’t study that much in the last two weeks, but I checked a few documents about App Volumes, Mirage, ThinApp and User Environment Manager.

This time I would like to summarize what I have learned from the reference architecture and the VMworld 2018 session called Architecting Horizon 7 Enterprise: The Official Reference Architecture (WIN3451BUR).

I only focus on the component design part since I already covered topics like use cases, business drivers, design methodology etc.

Horizon 7

A successful deployment depends on good planning and a very good understanding of the platform. The core elements include Connection Server, Composer, Horizon Agent and Horizon Client. Part 4 to part 9 cover the Horizon 7 component design and also provide more information on the following components.

[Image: Horizon 7 Logical Architecture]

Identity Manager

VMware Identity Manager (VIDM) can be implemented on-premises or in the cloud, a SaaS-based implementation. If you decide to go with the SaaS implementation, a VIDM connector needs to be installed on-prem to synchronize accounts from Active Directory to the VIDM service in the cloud.

If cloud is not an option for you, you still have the possibility of an on-prem deployment using the Linux-based virtual appliance. There is also a Windows-based installer available, which is included in the VMware Enterprise Systems Connector. VMware’s reference architecture is based on the Linux appliance.

[Image: VMware Identity Manager Architecture]

Syncing resources such as Active Directory and Horizon 7 can be done either by using a separate VMware Identity Manager Connector or by using the built-in connector of an on-premises VMware Identity Manager VM. The separate connector can run inside the LAN in outbound-only connection mode, meaning the connector receives no incoming connections from the DMZ.

VIDM comes with an embedded PostgreSQL database, but it’s recommended to use an external database server for production deployments.

For high availability, depending on your requirements, at least two VIDM appliances should be deployed behind a load balancer. After you have deployed your first appliance, you simply clone it and assign a new hostname and a new IP address.

App Volumes

As you still may know from part 8, App Volumes has two functions. The first is the delivery of applications for VDI and RDSH. The second is the provision of writable volumes to capture user-installed applications and the user profile.

app volumes architecture

For high availability, always use at least two App Volumes Managers which are load-balanced.

AppStacks are very read-intensive, so you should place them on storage that is optimized for read operations. Writable volumes should be placed on storage sized for random IOPS (50/50 read/write). The reference architecture uses vSAN to provide a single highly available datastore.

For the SQL database, it is recommended to use an AlwaysOn Availability Group.

User Environment Manager

When User Environment Manager design decisions need to be made, you have to think about user profiles (mandatory, roaming, local) and folder redirection. As already described in part 9, VMware recommendation is to use mandatory profiles and folder redirection. Use appendix B if you need help configuring the mandatory profile.

vmware user environment manager

The first key design consideration is using DFS-R to provide high availability for the configuration and user shares. Note: Connect the management console only to the hub member when making changes. DFS-R will replicate those changes to the spoke members.

The second consideration is using GPO loopback processing.

Unified Access Gateway

In part 6 I mentioned that a UAG is typically deployed within the DMZ.

VMware Unified Access Gateway

UAG appliances are deployed in front of the Horizon 7 Connection Servers and sit behind a load balancer. The Unified Access Gateway also runs the Content Gateway as part of the AirWatch (WorkspaceONE UEM) service.

You have two sizing options during the appliance deployment:

  • Standard (2 vCPU, 4GB RAM, 2’000 Horizon server connections, 10’000 AirWatch service connections)
  • Large (4 vCPU, 16GB RAM, 2’000 Horizon server connections, 50’000 AirWatch service connections)

As you can see, the big difference here is the estimated number of AirWatch service connections per appliance. In production you would deploy dedicated UAG appliances for each service. Example:

  • 2 standard size UAG appliances for 2’000 Horizon 7 sessions (n+1)
  • 3 large size UAG appliances for 50’000 devices using Content Gateway and per-App Tunnel, which gives a total of 100’000 sessions. The third appliance is for high availability (n+1)

vSphere and Physical Environment

The software-defined data center (SDDC) is the foundation that runs all infrastructure servers and components. The products and the licensing for the foundation are outside of the Horizon 7 product (except vSAN), but are required to deliver a complete solution.

And in my opinion this is what makes the whole solution so brilliant. Even though I work for VMware, I would never say from the beginning that Horizon is better than XA/XD. This was also the case when I worked as a consultant for Citrix before I joined VMware in May 2018.
It depends on the requirements and use cases which need to be satisfied. Those are the most important things when you choose a vendor or a specific technology. Our goal is to make the customer happy! 🙂

But I would say that VMware Horizon including WorkspaceONE is very hard to beat if you use the complete stack! But that’s another topic.

The vSphere infrastructure in the reference architecture includes vSAN and NSX. In part 5 I covered the basics of vSAN, but I think I may need to write a short overview about NSX and how you can use it with Horizon.

vSAN provides hyper-converged storage optimized for virtual machines without the need for an external SAN or NAS. This means that the physical server not only provides the compute and memory resources, but also storage, in a modular fashion. You can use vSAN for both the management and the resource block, following a hybrid approach for the management resources and using all-flash vSAN for the Horizon resources.

VMware vSAN

I will not cover the vSphere design, but it’s important to understand that all components are operating redundantly and that you have enough physical resources to meet the requirements.

vSphere Networking

A general recommendation is to use at least 10 GbE connections, to separate each traffic type (management, VM traffic, vSAN, vMotion) and to make sure that each of them has sufficient bandwidth.

NSX for vSphere

NSX provides several network-based services and performs several security functions within a Horizon 7 implementation:

  • Protects VDI infrastructure
  • Protects desktop pool VM communication with applications
  • Provides user-based access control (user-level identity-based micro-segmentation)

VMware NSX for vSphere

If you want to use NSX, you have to think about an NSX infrastructure design, as the NSX platform adds new components (e.g. NSX Manager) and new possibilities (distributed firewall and identity firewall).

The most important design consideration for Horizon 7 is the concept of micro-segmentation. In the case of Horizon 7, NSX can block desktop-to-desktop communication, which is normally neither needed nor recommended. Each VM can now be its own perimeter, and this desktop isolation prevents threats from spreading:

NSX isolation
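As an added illustration (not NSX code, and not the author's), the following Python sketch models first-match distributed-firewall evaluation over constructed security groups and shows how a desktop-isolation rule removes the lateral desktop-to-desktop paths that a perimeter-only policy leaves open; the group names, subnets and ports are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed security groups: which subnet belongs to which segment.
GROUPS = {
    "horizon-desktops": ip_network("10.10.0.0/16"),
    "connection-servers": ip_network("10.0.1.0/24"),
    "app-servers": ip_network("10.0.2.0/24"),
}

@dataclass(frozen=True)
class Rule:
    name: str
    src: str            # security group name, or "any"
    dst: str
    ports: frozenset    # empty means any destination port
    action: str         # "allow" or "block"

# Micro-segmented rule set: ordered, first match wins; ports are illustrative.
ISOLATED = (
    Rule("desktops-to-brokers", "horizon-desktops", "connection-servers", frozenset({443}), "allow"),
    Rule("brokers-to-desktops", "connection-servers", "horizon-desktops", frozenset({4172, 22443}), "allow"),
    Rule("desktops-to-apps", "horizon-desktops", "app-servers", frozenset({443}), "allow"),
    Rule("desktop-isolation", "horizon-desktops", "horizon-desktops", frozenset(), "block"),
    Rule("default-block", "any", "any", frozenset(), "block"),
)
# Perimeter-only model for comparison: anything inside the desktop segment may talk to anything.
PERIMETER_ONLY = (
    Rule("inside-perimeter", "horizon-desktops", "any", frozenset(), "allow"),
    Rule("default-block", "any", "any", frozenset(), "block"),
)

def in_group(ip: str, group: str) -> bool:
    return group == "any" or ip_address(ip) in GROUPS[group]

def evaluate(rules, src_ip: str, dst_ip: str, port: int):
    """Return (action, rule name) of the first rule matching the flow."""
    for r in rules:
        if in_group(src_ip, r.src) and in_group(dst_ip, r.dst) and (not r.ports or port in r.ports):
            return r.action, r.name
    return "block", "implicit-block"

def lateral_paths_allowed(rules, desktops, port: int = 445) -> int:
    """Count ordered desktop pairs that can still reach each other on the given port."""
    return sum(evaluate(rules, a, b, port)[0] == "allow"
               for a in desktops for b in desktops if a != b)
```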

The Horizon 7 reference architecture is probably the best document to prepare yourself for the VCAP7-DTM exam. What do the current VCAP7-DTM certified people say? What else needs to be covered? Jump to part 11

VCAP7-DTM Design Exam, Part 9

This is the 9th part of my VCAP7-DTM Design exam series. In part 8 I covered the creation of an application architecture design for Horizon 7. Let’s have a look at the last part of the exam blueprint, which is about session management and client devices:

Section 8 – Incorporate Endpoints into a Horizon Design
Objective 8.1 – Incorporate Session Connectivity Requirements in a Horizon End Point Design
Objective 8.2 – Incorporate Management Requirements in a Horizon End Point Client Design
Objective 8.3 – Incorporate Security Requirements in a Horizon End Point Design

User Personalization

In a Windows environment several types of user profiles are available:

  • Local Profile
  • Roaming Profile
  • Mandatory Profile

The user profile includes user-specific data and application settings, which allows users to have a persistent appearance regardless of which desktop they log in to.

As a general leading practice, it is recommended to redirect as much user data as possible to a network share. But in a Windows environment, administrators have often experienced issues with roaming profiles. From my experience, a smaller profile causes less trouble, and it’s worth spending time on a proper profile management strategy and configuration.

VMware User Environment Manager

VMware’s solution for profile management is called User Environment Manager (UEM) which is part of the Just-in-Time Management (JMP) platform. JMP is composed of the Instant Clone technology for fast desktop provisioning, App Volumes for real-time application delivery and User Environment Manager for the profile and session management.

vmware uem architecture

When I worked with Citrix products, the recommendation was to use Citrix UPM (roaming profile) and configure folder redirections via GPO.

One of the things I learned when I joined VMware is the different approach when it comes to profile management. VMware recommends mandatory profiles and the dynamic configuration capability of UEM:

User Environment Manager manages user and Windows settings and dynamically configures the desktop. For example, it can create drive and printer mappings, file type associations, and shortcuts. User Environment Manager can also manage and provide shortcuts to applications such as ThinApp to users.

This is Microsoft’s definition of a mandatory user profile:

A mandatory user profile is a special type of pre-configured roaming user profile that administrators can use to specify settings for users. With mandatory user profiles, a user can modify his or her desktop, but the changes are not saved when the user logs off. The next time the user logs on, the mandatory user profile created by the administrator is downloaded.

If you need to know how you create a mandatory user profile, check Microsoft’s article for Windows 10.

Very important to know when using UEM with mandatory profiles: only the settings you have defined in UEM are kept across your sessions. Settings that you didn’t configure with UEM are not preserved and are discarded at logout. This is called personalization.

Once you have configured your mandatory profile, the following configuration is done in UEM:

  • Personalization (e.g. configuration files for Windows settings)
  • Application Configuration Management (initial settings for applications)
  • User Environment Settings (printer/drive mappings, environment variables, shortcuts etc.)
  • Dynamic configuration based on conditions (user, location, client device etc.)

If you need to know more about UEM, read the blog VMware User Environment Manager, Part 1: Easier, Faster Windows Logins with Mandatory Profiles, where you find information about installing and configuring VMware User Environment Manager.

Client Devices

Identify the customer’s client device characteristics and compare them with the requirements. Depending on the requirements, you have the following client device options:

  • Chromebook
  • Tablets and Smartphone
  • Fat Clients (the traditional PCs or laptops including Mac)
  • Thin Clients
  • Zero Clients

For each device a different Horizon Client (depending on the OS) is available for download.

As already mentioned earlier in this series, Blast should be the primary protocol for your Horizon sessions. If you have endpoints where a Horizon Client cannot be used or installed, you still have the HTML access option.

Smart Policies

Configuration for Smart Policies is done in the UEM console. Some of the settings you configured via Group Policies before can now be done in UEM. I’m talking about configuration based on conditions like client location, launch tag or pool name. But it’s also possible to fill in your own personal View client properties:

With Smart Policies, administrators have granular control of a user’s desktop experience. A number of key Horizon 7 features can be dynamically enabled, disabled, or controlled based not only on who the user is, but on the many different variables available through Horizon 7: client device, IP address, pool name, and so on.

horizon smart policies

Example: Based on the client device used you can set different settings for USB redirection, clipboard and bandwidth profile.

Smart Policies can be enforced and evaluated at login/logout, at reconnect/disconnect and at defined refresh intervals. This allows IT to maintain endpoint and session security even if the user changes the network, the endpoint or both.
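To make the condition-based model concrete, here is an added Python sketch (not UEM code, and not the author's) that resolves a session’s USB redirection, clipboard and bandwidth-profile settings from constructed conditions on client location, pool name and client type, and re-evaluates them on reconnect; the setting values, policy names and network ranges are assumptions, and the override order is a simplification of how UEM actually resolves policies.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable

# Constructed: address ranges that count as "internal" client locations.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

@dataclass
class Session:
    user: str
    pool: str          # Horizon desktop pool name
    client_ip: str     # where the Horizon Client connects from
    client_type: str   # e.g. "windows", "mac", "ios", "android", "html"

def is_internal(s: Session) -> bool:
    return any(ip_address(s.client_ip) in net for net in INTERNAL_NETS)

# Most restrictive baseline; the policies below can relax or tighten it.
BASELINE = {"usb_redirection": "disabled", "clipboard": "disabled", "bandwidth_profile": "WAN"}

@dataclass
class SmartPolicy:
    name: str
    condition: Callable[[Session], bool]
    settings: dict     # overrides applied when the condition holds

# Constructed policies, evaluated in order; later matches override earlier ones.
POLICIES = [
    SmartPolicy("internal-lan", is_internal,
                {"usb_redirection": "enabled", "clipboard": "both", "bandwidth_profile": "LAN"}),
    SmartPolicy("finance-pool-lockdown", lambda s: s.pool == "finance-vdi",
                {"usb_redirection": "disabled", "clipboard": "agent-to-client"}),
    SmartPolicy("mobile-client", lambda s: s.client_type in {"ios", "android"},
                {"usb_redirection": "disabled"}),
]

def evaluate(session: Session) -> dict:
    """Resolve the effective settings from the baseline plus every matching policy."""
    settings = dict(BASELINE)
    for policy in POLICIES:
        if policy.condition(session):
            settings.update(policy.settings)
    return settings

def reconnect(session: Session, new_ip: str, new_client_type: str) -> dict:
    """Model a reconnect from another network/endpoint: policies are evaluated again."""
    session.client_ip = new_ip
    session.client_type = new_client_type
    return evaluate(session)
```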

These are the basics about session management and client devices. We have now covered all sections of the exam blueprint:

Section 1 – Create a Horizon Conceptual Design
Section 2 – Create a Horizon Logical Design
Section 3 – Create a Physical Design for vSphere and Horizon Components
Section 4 – Create a Physical Design for Horizon Storage
Section 5 – Create a Physical Design for Horizon Networking
Section 6 – Create a Physical Design for Horizon Desktops and Pools
Section 7 – Incorporate Application Services into a Horizon Physical Design
Section 8 – Incorporate Endpoints into a Horizon Design

What’s Next?

I know the basics about a Horizon 7 implementation, but I need to gain more technical knowledge about each product. As a Solution Architect I have a customer-facing pre-sales role and in general have no hands-on experience. As a consultant who works with the Horizon suite on a daily basis, I’m sure the VCAP-DTM Design exam would be a piece of cake. 🙂

In the next weeks I will read a lot of the PDFs (reference architecture and admin guides) mentioned in the exam blueprint, which are about:

  • Horizon 7.2 (including Mirage, ThinApp, UAG)
  • App Volumes 2.12
  • IDM 2.9
  • UEM 9.2
  • vROps 6.4
  • vSAN 6.2
  • vSphere 6.5

Because I have a quite big home office and love whiteboards, I decided to order whiteboard papers which stick to the walls by static charge. This should help me to note important stuff down. 😀

whiteboard paper

I have six weeks left to prepare! Let’s do this! 🙂 Jump to part 10