My last article was about the Horizon reference architecture and four weeks have already passed since then. My VCAP7-DTM Design exam is scheduled for October 18 – that’s in five days!
I haven’t opened my books the last three weeks, because I think it’s important to take a break and get some distance of your books and documents, which allows you to understand things better and faster and see connections between things you haven’t seen before. And another reason was my pregnant wife who delivered our beautiful daughter on October 4! 🙂
I started from scratch and repeated reading all my training material and PDF documents.
Infrastructure Assessment
To design a Horizon 7 environment you have to follow a process to work out a VMware EUC solution that meets the customer’s requirements and follow the VMware design guidelines and use the reference architectures while considering customer constraints. It is very important that all customer business drivers and objectives are clearly defined. Then you will start to gather and analyze the business and application requirements and document the design requirements, assumptions, risks and constraints. For example, if you talk about technical requirements with your customer, the following categories should be covered:
Virtualization infrastructure and data center hardware
With the information from the assessment phase, the design work can begin and you create the conceptual design before you head over to create a logical design. Advice: Minimize risks and keep things simple!
Horizon Logical Design
The logical design (high level design) follows the conceptual design and defines how to arrange components and features. It is also useful to understand and evaluate the infrastructure design. The easiest and most common way to create a logical design is the use of architecture layers. Each layer contains one or more components and has functional and technical inter-dependencies:
User Layer
Self-Service portal
Authentication
Application Layer
Application deployment and type (cloud-based, locally installed, enterprise apps etc.)
Desktop Layer
Use cases and type of user
Scalability and multi-site
Desktop types and OS
Virtualization Layer
Hypervisor
Compute, network and storage
Graphics
Hardware Layer
Server
Network and storage
Management Layer
Patching
Monitoring
Cluster and resources
Capacity
Backup
Security Layer
Internal and external
Authentication and authorization
Policies
Antivirus etc.
A Horizon logical design could look like this:
If you need to write down use cases and their attributes, here an example:
Attribute
Definition
Business Unit
Finance
User Classification
Task Worker
Time of use
07:00-18:00, mo-fr
User device
Thin Client
Peripherals
None
Connectivity
LAN
Persistency
Non-persistent desktop
Data center
Basel DC1
Authentication
Windows Login
Horizon Block and Pod Design
In part 4 I covered this topic how to use a repeatable and scalable approach to design a large scale Horizon environment.
Horizon Component Design
To have a complete design you must define the amount and the configuration of Horizon components required for your environment. You have to include certain design recommendations and design the configuration for Horizon components for your use cases. These are some required infrastructure components:
VMware Identity Manager
Load Balancing for resiliency and scale
Database required
Connection to Active Directory
SaaS-based implementation recommended
Approx. 100’000 users per virtual appliance
vCenter Server
Up to 10’000 virtual machines per vCenter
Recommendation: 2’000 desktops per vCenter
Dedicated vCenter Server instance per resource block
Database required
 Connection Server
Up to 2’000 sessions per Connection Server (4’000 tested limit)
Database required
Install at least one Replica Server for redundancy
Max. 7 Connection Servers per pod
Load-balanced
Max. 10’000 sessions per pod recommended
Cloud Pod Architecture
Max. 175 Connection Servers
Max. 120’000 sessions
Max. 5 sites
View Composer needed?
Database required
Security Server (not recommended anymore, use UAG)
Should not be member of AD domain
Load Balancing
Should be hardened Windows server (placed in DMZ)
1:1 mapping with Connection Servers
Unified Access Gateway (UAG)
Virtual appliance (placed in DMZ) based on linux (Photon OS)
Scale-out is independent of Connection Server
Does not need to be paired with a single Connection Server
(Live vMotion of vGPU VMs is supported since Horizon 7.6)
VMware Infrastructure Design
You need to map the Horizon desktop building block and the Horizon management building block to vSphere and identify factors and design decisions to figure out the sizing of the VMware infrastructure.
ESXi Hosts
ESXi Host Specifications
CPU requirements
Memory requirements
Storage requirements (specially if using vSAN)
Host density (max. VMs/desktops per ESXi host)
vSphere cluster requirements (HA and DRS)
Storage
Storage performance and desktop I/O requirements
Types of disks (SSD, SAS, SATA)
Dedicated array for VDI
FC/Network connectivity
Shared Storage recommended
vSAN recommended for Horizon desktops
Datastore sizing
Storage requirements depending on pool configuration
E.g. Instant Clones use significantly less storage
Network and Security Design
The network design should be simple, scalable and secure. More secure does not always mean less “user simple” (user experience), but it does less risks and does not imply more complexity.
Know the key firewall considerations for Horizon 7
Bandwidth requirements for different types of users
LAN considerations
WAN considerations (e.g. latency, WAN optimization)
Optimization/Policies for display protocols (LAN/WAN)
vSphere networking requirements
Separate networks for management, VMs, vMotion etc.
Physical redundancy
Use vSphere Distributed Switch
Security
Secure your desktops (lockdown, GPOs, UEM)
Use secure client connections (secure gateways/tunnel)
Use Unified Access Gateway for remote access (use three NICs)
View Security Server (if needed)
User authentication method from internal and external
Two Factor Authentication for external connections
Restrict access (tags, AD groups)
Use NSX for micro segmentation
Install signed SSL certificates
Session Management
Our objective of a Horizon implementation is to provide better support to users than the physical solution. Session management is an aspect of this. Configuration and different settings on the sessions or client device are essential for a smooth user experience.
User User Environment Manager (UEM) for Windows and application settings
Personalization
Application Configuration Management
User Environment Settings
Application Migration
Dynamic Configuration
Just-in-Time Management (JMP) Platform
App Volumes (real-time application delivery)
Instant Clones (rapid desktop provisioning)
User Environment Management (contextual policy management)
End-User Desktop Maintenance
Maintaining linked-clone desktops with Composer
Recompose – Patch and update desktop
Refresh – Revert OS disk to the base image snapshot
Rebalance – Management of datastore capacity
Manage Instant Clones by pushing an image
User Authentication Method
Smartcard
Two Factor Authentication (RSA, RADIUS, SAML, vIDM)
True SSO (short-lived certificate for Windows login process)
Enrollment Server required
ADMX template files for secure remote desktops
Client Devices
Thin clients, zero clients, fat clients, tablet and smartphones
Different Horizon Clients
Printing
Delivering Applications
The last topic I quickly repeat is about delivering and managing applications. Horizon has different methods of application delivery and the method of application delivery depends on many factors.
Applications in general
New or existing applications
App Lifecycle
Dependencies and conflicts
Performance and stability
Application delivery methods
RDS-hosted apps
ThinApp package (containerized applications, isolated from OS)
Natively installed Windows apps (in master image)
Citrix published apps
SaaS
App Volumes (real-time application delivery with LCM)
ThinApp
Isolation modes
Merged mode (full write access)
WriteCopy mode (restricted write access)
Full mode (no read/write access)
Package format
EXE
DAT (when EXE is larger than 200MB)
MSI
These are the topics you should cover when you prepare for the VCAP7-DTM Design exam. In addition I also read the following documents:
This is my recommendation. Within the last 8 weeks I’ve effectively studied 5 weeks for the exam. I work approx. since 4 months with Horizon products in a pre-sales role, not as a consultant. I will update you after the exam if the experience combined with learning was enough to pass! 🙂
Did I forget anything? Let me know! Jump to part 12
To be honest, I didn’t study that much the last two weeks but I checked a few documents about App Volumes, Mirage, ThinApp and User Environment Manager.
I only focus on the component design part since I already covered topics like use cases, business drivers, design methodology etc.
Horizon 7
A successful deployment depends on good planning and a very good understanding of the platform. The core elements include Connection Server, Composer, Horizon Agent and Horizon Client. Part 4 to part 9 cover the Horizon 7 component design and also provide more information on the following components.
Identity Manager
VMware Identity Manager (VIDM) can be implemented on-premises or in the cloud, a SaaS-based implementation. If you decide to go with the SaaS implementation, a VIDM connector needs to be installed on-prem to synchronize accounts from Active Directory to the VIDM service in the cloud.
If cloud is no option for you, you still have the possibility for the on-prem deployment and use the Linux-based virtual appliance. There is also a Windows-based installer available which is included in the VMware Enterprise Systems Connector. VMware’s reference architecture is based on the Linux appliance.
Syncing resources such as Active Directory and Horizon 7 and can be done either by using a separate VMware Identity Manager Connector or by using the built-in connector of an on-premises VMware Identity Manager VM. The separate connector can run inside the LAN in outbound-only connection mode, meaning the connector receives no incoming connections from the DMZ.
VIDM comes with an embedded PostgreSQL database, but it’s recommended to use an external database server for production deployments.
For high availability, based on your requirements, at least two VIDM appliances should be deployed behind a load balancer. After you have deployed your first appliance, you simply clone it and assign a new hostname and a new IP address.
App Volumes
As you still may know from part 8, App Volumes has two functions. The first is the delivery of applications for VDI and RDSH. The second is the provision of writable volumes to capture user-installed applications and the user profile.
For high availability, always use at least two App Volumes Managers which are load-balanced.
AppStacks are very read intensive, hence, you should place AppStacks on storage that is optimized for read operations. Writable volumes should be placed on storage for random IOPS (50/50). There reference architecture uses vSAN to provide a single highly available datastore.
For the SQL database it is recommended using an AlwaysOn Availability Group.
User Environment Manager
When User Environment Manager design decisions need to be made, you have to think about user profiles (mandatory, roaming, local) and folder redirection. As already described in part 9, VMware recommendation is to use mandatory profiles and folder redirection. Use appendix B if you need help configuring the mandatory profile.
The first key design consideration is using DFS-R to provide high availability for the configuration and user shares. Note: Connect the management console only to the hub member when making changes. DFS-R will replicated those changes to the spoke members.
In part 6 I mentioned that a UAG is typically deployed within the DMZ.
UAG appliances are deployed in front of the Horizon 7 Connection Servers and sit behind a load balancer. The Unified Access Gateway also runs the Content Gateway as part the AirWatch (WorkspaceONE UEM) service.
You have two sizing options during the appliance deployment:
Standard (2 vCPU, 4GB RAM, 2’000 Horizon server connections, 10’000 AirWatch service connections)
Large (4 vCPU, 16GB RAM, 2’000 Horizon server connections, 50’000 AirWatch service connections)
As you can see, the big difference here are the estimated AirWatch service connections per appliance. In production you would deploy dedicated UAG appliances for each service. Example:
2 standard size UAGs appliances for 2’000 Horizon 7 sessions (n+1)
3 large size UAG appliances for 50’000 devices using Content Gateway and per-App Tunnel which gives us a total of 100’000 sessions. The third appliance is for high availability (n+1)
vSphere and Physical Environment
The software-defined data center (SDDC) is the foundation that runs all infrastructure servers and components. The products and the licensing for the foundation are outside of the Horizon 7 product (except vSAN), but are required to deliver a complete solution.
And in my opinion this is what makes the whole solution so brilliant. Even I work for VMware, I would never say from the beginning that Horizon is better than XA/XD. This was also the case when I worked as a consultant for Citrix before I joined VMware in May 2018.
It depends on the requirements and use cases which need to be satisfied. That are the most important things if you choose a vendor or a specific technology. Our goal is to make the customer happy! 🙂
But I would say that VMware Horizon including WorkspaceONE is very hard to beat if you use the complete stack! But that’s another topic.
The vSphere infrastructure in the reference architecture includes vSAN and NSX. In part 5 I covered the basics of vSAN, but I think I maybe need to write a short overview about NSX and how you can use it with Horizon.
vSAN provides a hyper-converged storage optimized for virtual machines without the need for an external SAN or NAS. This means that the physical server not only provides the compute and memory resources, but also storage in a modular fashion. You can use vSAN for the management and resource block and follow a hybrid approach for the management resources and use all-flash vSAN for the Horizon resources.
I will not cover the vSphere design, but it’s important to understand that all components are operating redundantly and that you have enough physical resources to meet the requirements.
A general recommendation is to use at least 10 GbE connections, to separate each traffic (mgmt, VM traffic, vSAN, vMotion) and make sure that each of them has sufficient bandwidth.
NSX for vSphere
NSX provides several network-based services and performs several security functions within a Horizon 7 implementation:
Protects VDI infrastructure
Protects desktop pool VM communication with applications
Provides user-based access control (user-level identity-based micro-segmentation)
If you want to use NSX you have to think about a NSX infrastructure design as the NSX platform adds new components (e.g. NSX manager) and new possibilities (distributed firewall and identity firewall).
The most important design consideration for Horizon 7 is the concept of micro-segmentation. In the case of Horizon 7, NSX can block desktop-to-desktop communications, which are normally not needed or recommended. Each VM can now be its own perimeter and this desktop isolation prevents threats from spreading:
The Horizon 7 reference architecture of probably the best document to prepare yourself for the VCAP7-DTM exam. What do the current VCAP7-DTM certified people say? What else needs to be covered? Jump to part 11
This is the fifth part of my VCAP7-DTM Design exam series. In part 4 I covered the creation of a physical design for vSphere and Horizon components. This time we take a look at section 4 of the blueprint, the creation of a physical design for horizon storage:
Section 4 – Create a Physical Design for Horizon Storage
Objective 4.1 – Create and Optimize a Physical Design for Horizon Infrastructure Storage
Objective 4.2 – Create and Optimize a Physical Design for View Pool Storage
Objective 4.3 – Create and Optimize a Physical Storage Design for Applications
Objective 4.4 – Create and Optimize a Tiered Physical Horizon Storage Design
Objective 4.5 – Integrate Virtual SAN into a Horizon Design
This article is not a comparison between HCI and traditional storage architecture and if you build hosts by yourself or buy Dell EMC’s VxRail or any other vSAN ReadyNode.
Since it is VMware’s strategy to push vSAN and get away from traditional storage, I only cover vSAN. For my VCDX design I will also move away from traditional storage and use vSAN – it’s also my customer’s strategy. The price for flash storage is decreasing constantly and makes a hybrid vSAN architecture less attractive – at least for our use cases.
In general the storage design of a Horizon implementation is very critical. You have to think about capacity, growth capacity, data/object placement, disaster recovery, kind of SSD disks and so on. But in my opinion, HCI or vSAN makes your life a lot easier and simplifies the storage deployment.
If you fail to correctly size the storage and I/O capacity, your customer’s user experience will suffer or the deployment of new desktops is not possible anymore. So, storage performance and sizing is vital for the satisfactory of your customers and their users!
All-Flash or Hybrid Architecture
The first thing you have to figure out and define is the vSAN platform you are going to deploy – All-Flash or hybrid architecture. A All-Flash vSAN configuration aims at delivering very high IOPS with low latencies. Also in a All-Flash configuration you use two different grades of (flash) disks: lower capacity and higher endurance device for the capacity tier and more cost-effective and higher capacity disks for the capacity tier
There is no read cache available in a All-Flash configuration as all data is directly read from the capacity tier. Because you aim for extremely high IOPS, make sure you provide a dedicated 10Gb network for the vSAN traffic.
You can enable the deduplication and compression setting (not available when using a hybrid vSAN) in the vSAN cluster to reduce redundant copies of blocks within the same disk group to one copy and to compress the blocks after they have been deduplicated.
Erasure Coding (RAID 5/6 is only available with All-Flash) provides the same level of redundancy as mirroring, but with a reduced capacity requirement. In general, erasure coding means breaking data into multiple pieces and spread them across multiple devices, while adding parity data in the event data gets corrupted or lost. This is a good and short video about this feature:
When using vSAN without further adjustments, your virtual desktops and infrastructure servers are using the default vSAN storage policy. For infrastructure servers this might be okay, but for our desktops we need to create a new policies. Cormac Hogan has very good material about Horizon and vSAN Storage Policies:
The Number of Failures to Tolerate defines the number of host, disk or network failures a storage object can tolerate. This number of Failures to Tolerate (FTT) has the greatest impact on your capacity in a vSAN cluster. Based on your configured availability requirements for a VM, the settings in the policy can lead to a higher consumption on the vSAN datastore (more copies of your data). For “n” failures tolerated, n+1 copies of the object are created and 2n+1 hosts are required.
Consider to configure FTT = 0 for the OS disk for linked-clone floating pools or if you use full-clone non-persistent desktops. If vSAN should experience a failure, only non-persistent data will be lost.
I hope this information was helpful even we didn’t go to deep. If you need to know more about vSAN, then you’ll find tons of documents and other blogs about this technology.
In part 6 I’ll try to give you more information about the design for a Horizon network.
In Switzerland sites are often located in the same data center building and two separate rooms represent these sites. To keep management and the architecture simple, some customers or partners would like to take advantage of a vSAN Stretched Cluster.
This question came up several times already at the product management: “Are Instant Clone desktops supported in combination with vSAN Stretched Clusters? And can we use App Volumes?“
The short answer of our product management was that Horizon 7.x (all clones) and a vSAN Stretched Cluster are supported, but that we advise customers to follow the reference architecture design and to test the scalability of the combination of Horizon 7 and a vSAN Stretched Cluster. The caveat is that App Volumes is not supported in this scenario.
But it was not 100% clear if it’s supported to use non-persistent desktops together with a vSAN Stretched Cluster. This gap has been closed with the appendix H:
This new appendix is saying that a stretched active/active architecture is not supported and the use case described in the RA is for full clones only. So, please carefully read our guidelines when working with vSAN Stretched Clusters and Horizon 7.
App Volumes Caveat: There is no support for App Volumes at this time when using a vSAN Stretched Cluster.
My name is Michael Rebmann. I am a cloud strategist at Oracle, helping public sector organizations and enterprise customers design sovereign and compliant cloud architectures using OCI. I focus on sovereign cloud, hybrid cloud infrastructure, and data privacy in regulated industries.
The views and opinions expressed here are entirely my own, reflecting my journey and insights.
If you need to write down use cases and their attributes, here an example:
