I failed the VCAP7-DTM Design exam, but expected it and the first try of the exam showed me what stuff I need to learn better and where my weaknesses are. Let me tell you about my exam experience.
I arrived on time at the PearsonVUE test center, but they had PC problems and so I had to wait first for 30min until I could start the exam. The timer showed me that I have two hours for the 60 questions. The most of the time I was guessing and eliminating the obviously wrong answers and so I was through 50% of the questions of 50% of the time. If you would know a little bit more than I do and you work/worked with all the products on a daily basis, I would say that the exam is a piece of cake!
Nevertheless, I answered all 60 questions 15 minutes before the timer ended, but I didn’t review any of them, because I knew that I still wouldn’t have the better or correct answers. This may sound to you like I failed with a score of 0, but no. I had 252 of the 300 needed points and this is a sign for me that I just need to improve my weak spots and the topics I didn’t check during my preparation time.
Today I’m going to travel to VMware Airwatch in Milton Keynes (UK) for my VMware Workspace ONE: Deploy and Manage [V9.x] training which starts tomorrow. And I have to prepare a presentation for a roadshow with five events where I will be the speaker of a 30min slot. This means no time for studying yet.
But I’m lucky that I still got a seat at the Digital Workspace Livefire Architecture & Design training taking place in three weeks. This will be last part of my preparation for the retake which I planned for 23rd November 2018. But first I have to wait for my new exam voucher. 🙂
I cannot tell you which topics/technologies or questions were asked during the exam, but I can assure you that I didn’t expect some of the questions – they were just craaaaazy or about veeeery old stuff.
This is also one of my problems. You have to study things which are not valid anymore for the today’s product version or implementation. In a few cases the configuration limits or some parts of an architecture have changed.
So, I read the exam blueprint again and checked some of the attached URLs and document links again. In my opinion the following products and versions you should know for the exam:
VMware Identity Manager 2.8
App Volumes 2.12
User Environment Manager 9.1
Unified Access Gateway 2.9
vRealize Operations 6.4
So, this was my exam experience of the VCAP7-DTM Design exam and my advices after. It is totally okay to fail, because it will just help you if you are not prepared well enough or just went to early for your first shot.
My last advice: Use the note board for the difficult answers and topics you have no clue of. If you have enough time, reviewed your answers and you are ready to end the exam, memorize all your notes. Just in case you didn’t pass, you now have the notess in your mind and could transfer themto your personal notebook. This is totally legal and really helpful! 🙂
Good luck to you if you take the exam. I have another four weeks now to fill the gaps. 🙂 See if I passed or not.
My last article was about the Horizon reference architecture and four weeks have already passed since then. My VCAP7-DTM Design exam is scheduled for October 18 – that’s in five days!
I haven’t opened my books the last three weeks, because I think it’s important to take a break and get some distance of your books and documents, which allows you to understand things better and faster and see connections between things you haven’t seen before. And another reason was my pregnant wife who delivered our beautiful daughter on October 4! 🙂
I started from scratch and repeated reading all my training material and PDF documents.
To design a Horizon 7 environment you have to follow a process to work out a VMware EUC solution that meets the customer’s requirements and follow the VMware design guidelines and use the reference architectures while considering customer constraints. It is very important that all customer business drivers and objectives are clearly defined. Then you will start to gather and analyze the business and application requirements and document the design requirements, assumptions, risks and constraints. For example, if you talk about technical requirements with your customer, the following categories should be covered:
Virtualization infrastructure and data center hardware
With the information from the assessment phase, the design work can begin and you create the conceptual design before you head over to create a logical design. Advice: Minimize risks and keep things simple!
Horizon Logical Design
The logical design (high level design) follows the conceptual design and defines how to arrange components and features. It is also useful to understand and evaluate the infrastructure design. The easiest and most common way to create a logical design is the use of architecture layers. Each layer contains one or more components and has functional and technical inter-dependencies:
Application deployment and type (cloud-based, locally installed, enterprise apps etc.)
Use cases and type of user
Scalability and multi-site
Desktop types and OS
Compute, network and storage
Network and storage
Cluster and resources
Internal and external
Authentication and authorization
A Horizon logical design could look like this:
If you need to write down use cases and their attributes, here an example:
Time of use
Horizon Block and Pod Design
In part 4 I covered this topic how to use a repeatable and scalable approach to design a large scale Horizon environment.
Horizon Component Design
To have a complete design you must define the amount and the configuration of Horizon components required for your environment. You have to include certain design recommendations and design the configuration for Horizon components for your use cases. These are some required infrastructure components:
VMware Identity Manager
Load Balancing for resiliency and scale
Connection to Active Directory
SaaS-based implementation recommended
Approx. 100’000 users per virtual appliance
Up to 10’000 virtual machines per vCenter
Recommendation: 2’000 desktops per vCenter
Dedicated vCenter Server instance per resource block
Up to 2’000 sessions per Connection Server (4’000 tested limit)
Install at least one Replica Server for redundancy
Max. 7 Connection Servers per pod
Max. 10’000 sessions per pod recommended
Cloud Pod Architecture
Max. 175 Connection Servers
Max. 120’000 sessions
Max. 5 sites
View Composer needed?
Security Server (not recommended anymore, use UAG)
Should not be member of AD domain
Should be hardened Windows server (placed in DMZ)
1:1 mapping with Connection Servers
Unified Access Gateway (UAG)
Virtual appliance (placed in DMZ) based on linux (Photon OS)
Scale-out is independent of Connection Server
Does not need to be paired with a single Connection Server
Know the key firewall considerations for Horizon 7
Bandwidth requirements for different types of users
WAN considerations (e.g. latency, WAN optimization)
Optimization/Policies for display protocols (LAN/WAN)
vSphere networking requirements
Separate networks for management, VMs, vMotion etc.
Use vSphere Distributed Switch
Secure your desktops (lockdown, GPOs, UEM)
Use secure client connections (secure gateways/tunnel)
Use Unified Access Gateway for remote access (use three NICs)
View Security Server (if needed)
User authentication method from internal and external
Two Factor Authentication for external connections
Restrict access (tags, AD groups)
Use NSX for micro segmentation
Install signed SSL certificates
Our objective of a Horizon implementation is to provide better support to users than the physical solution. Session management is an aspect of this. Configuration and different settings on the sessions or client device are essential for a smooth user experience.
This is my recommendation. Within the last 8 weeks I’ve effectively studied 5 weeks for the exam. I work approx. since 4 months with Horizon products in a pre-sales role, not as a consultant. I will update you after the exam if the experience combined with learning was enough to pass! 🙂
Did I forget anything? Let me know! Jump to part 12
I only focus on the component design part since I already covered topics like use cases, business drivers, design methodology etc.
A successful deployment depends on good planning and a very good understanding of the platform. The core elements include Connection Server, Composer, Horizon Agent and Horizon Client. Part 4 to part 9 cover the Horizon 7 component design and also provide more information on the following components.
VMware Identity Manager (VIDM) can be implemented on-premises or in the cloud, a SaaS-based implementation. If you decide to go with the SaaS implementation, a VIDM connector needs to be installed on-prem to synchronize accounts from Active Directory to the VIDM service in the cloud.
If cloud is no option for you, you still have the possibility for the on-prem deployment and use the Linux-based virtual appliance. There is also a Windows-based installer available which is included in the VMware Enterprise Systems Connector. VMware’s reference architecture is based on the Linux appliance.
Syncing resources such as Active Directory and Horizon 7 and can be done either by using a separate VMware Identity Manager Connector or by using the built-in connector of an on-premises VMware Identity Manager VM. The separate connector can run inside the LAN in outbound-only connection mode, meaning the connector receives no incoming connections from the DMZ.
VIDM comes with an embedded PostgreSQL database, but it’s recommended to use an external database server for production deployments.
For high availability, based on your requirements, at least two VIDM appliances should be deployed behind a load balancer. After you have deployed your first appliance, you simply clone it and assign a new hostname and a new IP address.
As you still may know from part 8, App Volumes has two functions. The first is the delivery of applications for VDI and RDSH. The second is the provision of writable volumes to capture user-installed applications and the user profile.
For high availability, always use at least two App Volumes Managers which are load-balanced.
AppStacks are very read intensive, hence, you should place AppStacks on storage that is optimized for read operations. Writable volumes should be placed on storage for random IOPS (50/50). There reference architecture uses vSAN to provide a single highly available datastore.
For the SQL database it is recommended using an AlwaysOn Availability Group.
User Environment Manager
When User Environment Manager design decisions need to be made, you have to think about user profiles (mandatory, roaming, local) and folder redirection. As already described in part 9, VMware recommendation is to use mandatory profiles and folder redirection. Use appendix B if you need help configuring the mandatory profile.
The first key design consideration is using DFS-R to provide high availability for the configuration and user shares. Note: Connect the management console only to the hub member when making changes. DFS-R will replicated those changes to the spoke members.
In part 6 I mentioned that a UAG is typically deployed within the DMZ.
UAG appliances are deployed in front of the Horizon 7 Connection Servers and sit behind a load balancer. The Unified Access Gateway also runs the Content Gateway as part the AirWatch (WorkspaceONE UEM) service.
You have two sizing options during the appliance deployment:
Standard (2 vCPU, 4GB RAM, 2’000 Horizon server connections, 10’000 AirWatch service connections)
Large (4 vCPU, 16GB RAM, 2’000 Horizon server connections, 50’000 AirWatch service connections)
As you can see, the big difference here are the estimated AirWatch service connections per appliance. In production you would deploy dedicated UAG appliances for each service. Example:
2 standard size UAGs appliances for 2’000 Horizon 7 sessions (n+1)
3 large size UAG appliances for 50’000 devices using Content Gateway and per-App Tunnel which gives us a total of 100’000 sessions. The third appliance is for high availability (n+1)
vSphere and Physical Environment
The software-defined data center (SDDC) is the foundation that runs all infrastructure servers and components. The products and the licensing for the foundation are outside of the Horizon 7 product (except vSAN), but are required to deliver a complete solution.
And in my opinion this is what makes the whole solution so brilliant. Even I work for VMware, I would never say from the beginning that Horizon is better than XA/XD. This was also the case when I worked as a consultant for Citrix before I joined VMware in May 2018.
It depends on the requirements and use cases which need to be satisfied. That are the most important things if you choose a vendor or a specific technology. Our goal is to make the customer happy! 🙂
But I would say that VMware Horizon including WorkspaceONE is very hard to beat if you use the complete stack! But that’s another topic.
The vSphere infrastructure in the reference architecture includes vSAN and NSX. In part 5 I covered the basics of vSAN, but I think I maybe need to write a short overview about NSX and how you can use it with Horizon.
vSAN provides a hyper-converged storage optimized for virtual machines without the need for an external SAN or NAS. This means that the physical server not only provides the compute and memory resources, but also storage in a modular fashion. You can use vSAN for the management and resource block and follow a hybrid approach for the management resources and use all-flash vSAN for the Horizon resources.
I will not cover the vSphere design, but it’s important to understand that all components are operating redundantly and that you have enough physical resources to meet the requirements.
A general recommendation is to use at least 10 GbE connections, to separate each traffic (mgmt, VM traffic, vSAN, vMotion) and make sure that each of them has sufficient bandwidth.
NSX for vSphere
NSX provides several network-based services and performs several security functions within a Horizon 7 implementation:
Protects VDI infrastructure
Protects desktop pool VM communication with applications
Provides user-based access control (user-level identity-based micro-segmentation)
If you want to use NSX you have to think about a NSX infrastructure design as the NSX platform adds new components (e.g. NSX manager) and new possibilities (distributed firewall and identity firewall).
The most important design consideration for Horizon 7 is the concept of micro-segmentation. In the case of Horizon 7, NSX can block desktop-to-desktop communications, which are normally not needed or recommended. Each VM can now be its own perimeter and this desktop isolation prevents threats from spreading:
The Horizon 7 reference architecture of probably the best document to prepare yourself for the VCAP7-DTM exam. What do the current VCAP7-DTM certified people say? What else needs to be covered? Jump to part 11
This is the 8th part of my VCAP7-DTM Design exam series. In part 7 I covered the creation of a physical design for Horizon desktop and pools. Now we take a look at section 7 of the blueprint, the creation of an application architecture design for Horizon 7:
Section 7 – Incorporate Application Services into a Horizon Physical Design
Objective 7.1: Design Application Integration and/or Delivery System(s) using Horizon Application Tools
Objective 7.2: Design Active Directory to Facilitate Application Assignment Objective 7.3: Design and Size RDS Application Pools and Farms
Objective 7.4: Create Application Architecture Design
Objective 7.5: Design Application Integration and/or Delivery System(s) using Horizon Workspace One
The purpose of implementing VMware Horizon 7 is to deliver virtualized applications and/or desktop for end users. You have different methods of application delivery and the delivery depends on many factors. The delivery method can have major impacts on the user experience.
End users want the “fat client experience” – they want speed and performance and ease of use. IT has to define and find a balance between user experience and security and these opposing goals of IT and end users could be a challenge.
Today, people don’t want to wait for anything. They want to use, consume, be independent and have all the permissions they need to download and/or install applications – they just want to do their job. In this case, for example, a self-service portal with workflows could provide the necessary flexibility and security. But what about application performance and delivery?
One of the biggest challenges during a VDI project are legacy applications and IT still has to manage them in 2018. And sometimes, the customer is making the money with legacy applications. If the performance suffers or these applications don’t work anymore, neither does the business.
With Horizon 7 you have different options for app delivery:
Manually installed applications in the master image or in the virtual desktop
Delivery using ThinApp, App Volumes or RDSH (RDS application pool)
Each method has advantages, disadvantages and a different way of management. In most of the cases you will find a mix of these application delivery methods, but it depends on your use cases which ones you are going to choose.
I expect you know the features and technology of ThinApp and App Volumes and therefore I don’t explain them further. Just think about flexibility and management. I assume you don’t want to end up with 10 different master images which you have to maintain separately and modify once or twice a week. In general, Office applications and Adobe Reader are installed in the base image and the other applications can be delivered by App Volumes. If you need a “secure browser” (sandboxed browser) environment, then ThinApp is the right solution for this. Maybe you have the same application but with different versions? Then, it depends on the use case and requirement – your options are the manual installation, the delivery with App Volumes and ThinApp. Make yourself familiar with all those methods and also study the multi-site reference guide of each product.
Note: Sometimes it’s hard to know all features of a specific product, but reading and understanding the release notes can save your life sometimes. Example: ThinApp 5.2.3 only supports Firefox version 50.1 and nothing else. Maybe you can install and deploy Firefox 52.9 which is working, but is not officially supported by VMware. And then, when you want to upgrade to 60.1, suddenly the compilation with ThinApp is not working anymore even it was with 52.9, which was also not supported.
If you have read and understood this requirement before, you or your customer wouldn’t have a problem now.
Just think about if you provide secure browsing with Firefox delivered by ThinApp and you have a high security environment. When a new Firefox version gets published which is more secure and is supported by Mozilla, you cannot deliver this browser anymore. What are you doing now? Do you have enough time to find, design and test another solution?
ThinApp, App Volumes and RDSH have unique characteristics that allow them to increase the user experience and decrease resource utilization. Evaluate each solution and use the appropriate one for your design.
This is all I have to say about application delivery without going too deep. Make your homework and know what you need! Next time we take a look at section 8 which is about session management and client devices.
I give myself two months to study and prepare for the exam. If I fail to pass in October then at least I know my weak spots. 🙂
Kyran Brophy has also written down how he prepared himself for the VCAP7-DTM exam and was so kind to bundle all the PDF documents mentioned in the exam blueprint.
VMware Certified Professional – Digital Workspace 2018 (VCP-DW 2018)
Since WorkspaceONE is also listed in the exam prep guide, I decided to earn the VCP-DW 2018 certification before I would go ahead and prepare for the VCAP7-DTM Deploy exam next year. Anyway, it seems that the VCAP7-DTM Deploy exam still has not been published yet.
In the next article I will cover first section of the exam blueprint:
Section 1 – Create a Horizon Conceptual Design
Objective 1.1 – Gather and analyze requirements Objective 1.2 – Gather and analyze application requirements Objective 1.3 – Differentiate requirements, risks, constraints and assumptions Objective 1.4 – Evaluate existing business practices against established use cases