My last article was about the Horizon reference architecture and four weeks have already passed since then. My VCAP7-DTM Design exam is scheduled for October 18 – that’s in five days!
I haven’t opened my books the last three weeks, because I think it’s important to take a break and get some distance of your books and documents, which allows you to understand things better and faster and see connections between things you haven’t seen before. And another reason was my pregnant wife who delivered our beautiful daughter on October 4! 🙂
I started from scratch and repeated reading all my training material and PDF documents.
To design a Horizon 7 environment you have to follow a process to work out a VMware EUC solution that meets the customer’s requirements and follow the VMware design guidelines and use the reference architectures while considering customer constraints. It is very important that all customer business drivers and objectives are clearly defined. Then you will start to gather and analyze the business and application requirements and document the design requirements, assumptions, risks and constraints. For example, if you talk about technical requirements with your customer, the following categories should be covered:
Virtualization infrastructure and data center hardware
With the information from the assessment phase, the design work can begin and you create the conceptual design before you head over to create a logical design. Advice: Minimize risks and keep things simple!
Horizon Logical Design
The logical design (high level design) follows the conceptual design and defines how to arrange components and features. It is also useful to understand and evaluate the infrastructure design. The easiest and most common way to create a logical design is the use of architecture layers. Each layer contains one or more components and has functional and technical inter-dependencies:
Application deployment and type (cloud-based, locally installed, enterprise apps etc.)
Use cases and type of user
Scalability and multi-site
Desktop types and OS
Compute, network and storage
Network and storage
Cluster and resources
Internal and external
Authentication and authorization
A Horizon logical design could look like this:
If you need to write down use cases and their attributes, here an example:
Time of use
Horizon Block and Pod Design
In part 4 I covered this topic how to use a repeatable and scalable approach to design a large scale Horizon environment.
Horizon Component Design
To have a complete design you must define the amount and the configuration of Horizon components required for your environment. You have to include certain design recommendations and design the configuration for Horizon components for your use cases. These are some required infrastructure components:
VMware Identity Manager
Load Balancing for resiliency and scale
Connection to Active Directory
SaaS-based implementation recommended
Approx. 100’000 users per virtual appliance
Up to 10’000 virtual machines per vCenter
Recommendation: 2’000 desktops per vCenter
Dedicated vCenter Server instance per resource block
Up to 2’000 sessions per Connection Server (4’000 tested limit)
Install at least one Replica Server for redundancy
Max. 7 Connection Servers per pod
Max. 10’000 sessions per pod recommended
Cloud Pod Architecture
Max. 175 Connection Servers
Max. 120’000 sessions
Max. 5 sites
View Composer needed?
Security Server (not recommended anymore, use UAG)
Should not be member of AD domain
Should be hardened Windows server (placed in DMZ)
1:1 mapping with Connection Servers
Unified Access Gateway (UAG)
Virtual appliance (placed in DMZ) based on linux (Photon OS)
Scale-out is independent of Connection Server
Does not need to be paired with a single Connection Server
Know the key firewall considerations for Horizon 7
Bandwidth requirements for different types of users
WAN considerations (e.g. latency, WAN optimization)
Optimization/Policies for display protocols (LAN/WAN)
vSphere networking requirements
Separate networks for management, VMs, vMotion etc.
Use vSphere Distributed Switch
Secure your desktops (lockdown, GPOs, UEM)
Use secure client connections (secure gateways/tunnel)
Use Unified Access Gateway for remote access (use three NICs)
View Security Server (if needed)
User authentication method from internal and external
Two Factor Authentication for external connections
Restrict access (tags, AD groups)
Use NSX for micro segmentation
Install signed SSL certificates
Our objective of a Horizon implementation is to provide better support to users than the physical solution. Session management is an aspect of this. Configuration and different settings on the sessions or client device are essential for a smooth user experience.
This is my recommendation. Within the last 8 weeks I’ve effectively studied 5 weeks for the exam. I work approx. since 4 months with Horizon products in a pre-sales role, not as a consultant. I will update you after the exam if the experience combined with learning was enough to pass! 🙂
Did I forget anything? Let me know! Jump to part 12
I only focus on the component design part since I already covered topics like use cases, business drivers, design methodology etc.
A successful deployment depends on good planning and a very good understanding of the platform. The core elements include Connection Server, Composer, Horizon Agent and Horizon Client. Part 4 to part 9 cover the Horizon 7 component design and also provide more information on the following components.
VMware Identity Manager (VIDM) can be implemented on-premises or in the cloud, a SaaS-based implementation. If you decide to go with the SaaS implementation, a VIDM connector needs to be installed on-prem to synchronize accounts from Active Directory to the VIDM service in the cloud.
If cloud is no option for you, you still have the possibility for the on-prem deployment and use the Linux-based virtual appliance. There is also a Windows-based installer available which is included in the VMware Enterprise Systems Connector. VMware’s reference architecture is based on the Linux appliance.
Syncing resources such as Active Directory and Horizon 7 and can be done either by using a separate VMware Identity Manager Connector or by using the built-in connector of an on-premises VMware Identity Manager VM. The separate connector can run inside the LAN in outbound-only connection mode, meaning the connector receives no incoming connections from the DMZ.
VIDM comes with an embedded PostgreSQL database, but it’s recommended to use an external database server for production deployments.
For high availability, based on your requirements, at least two VIDM appliances should be deployed behind a load balancer. After you have deployed your first appliance, you simply clone it and assign a new hostname and a new IP address.
As you still may know from part 8, App Volumes has two functions. The first is the delivery of applications for VDI and RDSH. The second is the provision of writable volumes to capture user-installed applications and the user profile.
For high availability, always use at least two App Volumes Managers which are load-balanced.
AppStacks are very read intensive, hence, you should place AppStacks on storage that is optimized for read operations. Writable volumes should be placed on storage for random IOPS (50/50). There reference architecture uses vSAN to provide a single highly available datastore.
For the SQL database it is recommended using an AlwaysOn Availability Group.
User Environment Manager
When User Environment Manager design decisions need to be made, you have to think about user profiles (mandatory, roaming, local) and folder redirection. As already described in part 9, VMware recommendation is to use mandatory profiles and folder redirection. Use appendix B if you need help configuring the mandatory profile.
The first key design consideration is using DFS-R to provide high availability for the configuration and user shares. Note: Connect the management console only to the hub member when making changes. DFS-R will replicated those changes to the spoke members.
In part 6 I mentioned that a UAG is typically deployed within the DMZ.
UAG appliances are deployed in front of the Horizon 7 Connection Servers and sit behind a load balancer. The Unified Access Gateway also runs the Content Gateway as part the AirWatch (WorkspaceONE UEM) service.
You have two sizing options during the appliance deployment:
Standard (2 vCPU, 4GB RAM, 2’000 Horizon server connections, 10’000 AirWatch service connections)
Large (4 vCPU, 16GB RAM, 2’000 Horizon server connections, 50’000 AirWatch service connections)
As you can see, the big difference here are the estimated AirWatch service connections per appliance. In production you would deploy dedicated UAG appliances for each service. Example:
2 standard size UAGs appliances for 2’000 Horizon 7 sessions (n+1)
3 large size UAG appliances for 50’000 devices using Content Gateway and per-App Tunnel which gives us a total of 100’000 sessions. The third appliance is for high availability (n+1)
vSphere and Physical Environment
The software-defined data center (SDDC) is the foundation that runs all infrastructure servers and components. The products and the licensing for the foundation are outside of the Horizon 7 product (except vSAN), but are required to deliver a complete solution.
And in my opinion this is what makes the whole solution so brilliant. Even I work for VMware, I would never say from the beginning that Horizon is better than XA/XD. This was also the case when I worked as a consultant for Citrix before I joined VMware in May 2018.
It depends on the requirements and use cases which need to be satisfied. That are the most important things if you choose a vendor or a specific technology. Our goal is to make the customer happy! 🙂
But I would say that VMware Horizon including WorkspaceONE is very hard to beat if you use the complete stack! But that’s another topic.
The vSphere infrastructure in the reference architecture includes vSAN and NSX. In part 5 I covered the basics of vSAN, but I think I maybe need to write a short overview about NSX and how you can use it with Horizon.
vSAN provides a hyper-converged storage optimized for virtual machines without the need for an external SAN or NAS. This means that the physical server not only provides the compute and memory resources, but also storage in a modular fashion. You can use vSAN for the management and resource block and follow a hybrid approach for the management resources and use all-flash vSAN for the Horizon resources.
I will not cover the vSphere design, but it’s important to understand that all components are operating redundantly and that you have enough physical resources to meet the requirements.
A general recommendation is to use at least 10 GbE connections, to separate each traffic (mgmt, VM traffic, vSAN, vMotion) and make sure that each of them has sufficient bandwidth.
NSX for vSphere
NSX provides several network-based services and performs several security functions within a Horizon 7 implementation:
Protects VDI infrastructure
Protects desktop pool VM communication with applications
Provides user-based access control (user-level identity-based micro-segmentation)
If you want to use NSX you have to think about a NSX infrastructure design as the NSX platform adds new components (e.g. NSX manager) and new possibilities (distributed firewall and identity firewall).
The most important design consideration for Horizon 7 is the concept of micro-segmentation. In the case of Horizon 7, NSX can block desktop-to-desktop communications, which are normally not needed or recommended. Each VM can now be its own perimeter and this desktop isolation prevents threats from spreading:
The Horizon 7 reference architecture of probably the best document to prepare yourself for the VCAP7-DTM exam. What do the current VCAP7-DTM certified people say? What else needs to be covered? Jump to part 11
This is the 9th part of my VCAP7-DTM Design exam series. In part 8 I covered the creation of an application architecture design for Horizon 7. Let’s have a look at the last part of the exam blueprint, which is about session management and client devices:
Section 8 – Incorporate Endpoints into a Horizon Design
Objective 8.1 – Incorporate Session Connectivity Requirements in a Horizon End Point Design
Objective 8.2 – Incorporate Management Requirements in a Horizon End Point Client Design
Objective 8.3 – Incorporate Security Requirements in a Horizon End Point Design
In a Windows environment several types of user profiles are available:
The user profile include user-specific data and application settings which allows the users to have a persistent appearance regardless which desktops a user logs in to.
As a general leading practice, it is recommended to redirect as much user data as possible to a network share. But in a Windows environment, administrators have often experienced issues with roaming profiles. From my experience, a smaller profile causes less trouble and it’s worth to spend time to have a proper profile management strategy configuration.
VMware User Environment Manager
VMware’s solution for profile management is called User Environment Manager (UEM) which is part of the Just-in-Time Management (JMP) platform. JMP is composed of the Instant Clone technology for fast desktop provisioning, App Volumes for real-time application delivery and User Environment Manager for the profile and session management.
When I worked with Citrix products, the recommendation was to use Citrix UPM (roaming profile) and configure folder redirections via GPO.
One of the things I have learned when I joined VMware, is the different approach when it comes to profile management. VMware recommends mandatory profiles and the dynamic configuration capability of UEM:
User Environment Manager manages user and Windows settings and dynamically configures the desktop. For example, it can create drive and printer mappings, file type associations, and shortcuts. User Environment Manager can also manage and provide shortcuts to applications such as ThinApp to users.
This is Microsoft’s definition of a mandatory user profile:
A mandatory user profile is a special type of pre-configured roaming user profile that administrators can use to specify settings for users. With mandatory user profiles, a user can modify his or her desktop, but the changes are not saved when the user logs off. The next time the user logs on, the mandatory user profile created by the administrator is downloaded.
Very important to know when using UEM with mandatory profiles: Only the settings you have defined in UEM are kept for your sessions. Settings that you didn’t configure with UEM are not preserved and are discarded after a logout. This is called personalization.
Once you have configured your mandatory profile, the configuration in UEM is waiting:
Personalization (e.g. configuration files for Windows settings)
Application Configuration Management (initial settings for applications)
User Environment Settings (printer/drive mappings, environment variables, shortcuts etc.)
Dynamic configuration based on conditions (user, location, client device etc.)
Identify the customer’s client device characteristics and compare it with the requirements. Depending on the requirements you have the following client device options:
Tablets and Smartphone
Fat Clients (the traditional PCs or laptops including Mac)
For each device a different Horizon Client (depending on the OS) is available for download.
As already mentioned earlier in this series, Blast should be the primary protocol for your Horizon sessions. If you have endpoints where a Horizon Client cannot be used or installed, you still have the HTML access option.
Configuration for Smart Policies are done in the UEM console. Some of the settings you have configured via Group Policies before can now be done in UEM. I’m talking about configuration based on conditions like client location, launch tag or pool name. But it’s also possible to fill in your own personal View client properties:
With Smart Policies, administrators have granular control of a user’s desktop experience. A number of key Horizon 7 features can be dynamically enabled, disabled, or controlled based not only on who the user is, but on the many different variables available through Horizon 7: client device, IP address, pool name, and so on.
Example: Based on the client device used you can set different settings for USB redirection, clipboard and bandwidth profile.
Smart Policies can be enforced and evaluated at login/logout and reconnect/disconnect and at defined refresh intervals. This allows IT to maintain endpoint and session security even the user changes the network, the endpoint or both.
These are the basics about session management and client devices. We have now covered all sections of the exam blueprint:
I know the basics about a Horizon 7 implementation but I need to gain more technical knowledge about each product. As a Solution Architect I have a customer-facing pre-sales role and in general have no hands-on experience. As a consultant, who works with the Horizon suite on a daily basis, I’m sure that the VCAP-DTM Design exam would a piece of cake. 🙂
The next weeks I will read a lot of the PDFs (reference architecture and admin guides) mentioned in the exam blueprint and they are about:
Horizon 7.2 (including Mirage, ThinApp, UAG)
App Volumes 2.12
Because I have a quite big home office and love whiteboards, I decided to order whiteboard papers which hold to the walls by static charge. This should help me to note important stuff down. 😀
I have left six weeks to prepare! Let’s do this! 🙂 Jump to part 10
This is the 8th part of my VCAP7-DTM Design exam series. In part 7 I covered the creation of a physical design for Horizon desktop and pools. Now we take a look at section 7 of the blueprint, the creation of an application architecture design for Horizon 7:
Section 7 – Incorporate Application Services into a Horizon Physical Design
Objective 7.1: Design Application Integration and/or Delivery System(s) using Horizon Application Tools
Objective 7.2: Design Active Directory to Facilitate Application Assignment Objective 7.3: Design and Size RDS Application Pools and Farms
Objective 7.4: Create Application Architecture Design
Objective 7.5: Design Application Integration and/or Delivery System(s) using Horizon Workspace One
The purpose of implementing VMware Horizon 7 is to deliver virtualized applications and/or desktop for end users. You have different methods of application delivery and the delivery depends on many factors. The delivery method can have major impacts on the user experience.
End users want the “fat client experience” – they want speed and performance and ease of use. IT has to define and find a balance between user experience and security and these opposing goals of IT and end users could be a challenge.
Today, people don’t want to wait for anything. They want to use, consume, be independent and have all the permissions they need to download and/or install applications – they just want to do their job. In this case, for example, a self-service portal with workflows could provide the necessary flexibility and security. But what about application performance and delivery?
One of the biggest challenges during a VDI project are legacy applications and IT still has to manage them in 2018. And sometimes, the customer is making the money with legacy applications. If the performance suffers or these applications don’t work anymore, neither does the business.
With Horizon 7 you have different options for app delivery:
Manually installed applications in the master image or in the virtual desktop
Delivery using ThinApp, App Volumes or RDSH (RDS application pool)
Each method has advantages, disadvantages and a different way of management. In most of the cases you will find a mix of these application delivery methods, but it depends on your use cases which ones you are going to choose.
I expect you know the features and technology of ThinApp and App Volumes and therefore I don’t explain them further. Just think about flexibility and management. I assume you don’t want to end up with 10 different master images which you have to maintain separately and modify once or twice a week. In general, Office applications and Adobe Reader are installed in the base image and the other applications can be delivered by App Volumes. If you need a “secure browser” (sandboxed browser) environment, then ThinApp is the right solution for this. Maybe you have the same application but with different versions? Then, it depends on the use case and requirement – your options are the manual installation, the delivery with App Volumes and ThinApp. Make yourself familiar with all those methods and also study the multi-site reference guide of each product.
Note: Sometimes it’s hard to know all features of a specific product, but reading and understanding the release notes can save your life sometimes. Example: ThinApp 5.2.3 only supports Firefox version 50.1 and nothing else. Maybe you can install and deploy Firefox 52.9 which is working, but is not officially supported by VMware. And then, when you want to upgrade to 60.1, suddenly the compilation with ThinApp is not working anymore even it was with 52.9, which was also not supported.
If you have read and understood this requirement before, you or your customer wouldn’t have a problem now.
Just think about if you provide secure browsing with Firefox delivered by ThinApp and you have a high security environment. When a new Firefox version gets published which is more secure and is supported by Mozilla, you cannot deliver this browser anymore. What are you doing now? Do you have enough time to find, design and test another solution?
ThinApp, App Volumes and RDSH have unique characteristics that allow them to increase the user experience and decrease resource utilization. Evaluate each solution and use the appropriate one for your design.
This is all I have to say about application delivery without going too deep. Make your homework and know what you need! Next time we take a look at section 8 which is about session management and client devices.
This is the 7th part of my VCAP7-DTM Design exam series. In part 6 I covered the creation of a physical network design for Horizon 7. This time we take a look at section 6 of the blueprint, the creation of a physical design for Horizon desktop and pools:
Section 6 – Create a Physical Design for Horizon Desktops and Pools
Objective 6.1 – Design Virtual and Physical Image Masters
Objective 6.2 – Optimize Desktop Images, OS Services and Applications for a Horizon Design
Objective 6.3 – Incorporate Desktop Pools into a Horizon Design
Objective 6.4 – Incorporate RDS Pools into a Horizon Design
The desktops your customer provides must satisfy the use case requirements to ensure a good user experience and user acceptance. To provide desktops with Horizon you have to create so called desktop pools. VMware has a few recommendations and leading practices for the configuration and optimization of a Horizon desktop. These things will help you to enhance the overall scalability and performance of a Horizon implemenation.
The desktop build process would look like this:
You will start with the creation of the target VM
Installation of guest OS
Installation of VMware Tools
Perform image optimization
Installation of globally used applications and Horizon Agent
Creation of VM template
If you understand the customer’s use cases, you will understand what kind of desktops are needed to meet the requirements. The configuration of the desktop VM varies for each pool. The differences between them are often resource allocations like disk size, installed applications, memory or even the operating system.
For the most use cases VMware recommends only assigning two vCPUs unless it’s proven and really a requirement to have more CPU power.
Consider RAM reservation settings and keep in mind that high memory settings require more disk space as the VM swap file and the Windows pagefile sizes are related to these settings.
Globally used applications like MS Office or Adobe Reader should be installed within the desktop image. All other applications are delivered with App Volumes, if possible.
VMware recommends optimizing the guest operating system of a desktop image to positively affect the performance of a Horizon desktop.
Use VMware OS Optimization Tool (OSOT) to optimize your Windows desktops and server images. It is a great tool and will help you to disable OS components you don’t need and could help to enhance the overall scalability and performance. Make sure you know the optimizations you apply and what settings are changed to avoid any bad user experience or unexpected behaviour of your desktops.
If you are using Windows 10 for example, also make sure that you remove all unneeded native apps.
You can create desktop pools to give users remote access to virtual machine-based desktops. You can also choose VMware PC-over-IP (PCoIP), or VMware Blast to provide remote access to users.
There are two main types of virtual desktop pools. Automated desktop pools use a vCenter Server virtual machine template or snapshot to create a pool of identical virtual machines. Manual desktop pools are a collection of existing vCenter Server virtual machines, physical computers, or third-party virtual machines. In automated or manual pools, each machine is available for one user to access remotely at a time.
With Horizon 7.5 a instance is limited to 10’000 desktops and if the planned deployment exceeds this limit, then you must use the Cloud Pod Architecture (CPA) feature. With CPA you can link together 25 pods to provide one big desktop environment for ten geographically distant sites and provide apps and desktops for up to 200’000 sessions. See VMware Horizon 7 sizing limits and recommendations.
In a Horizon design you must state the use cases and use desktop pools which are the logical containers that represent each use case (desktop type, application set, access mode etc.).
With VMware Horizon it is also possible to provide hosted applications with the integration or Remote Desktop Services Hosts (RDSH) based on Microsoft Remote Desktop Services (RDS).
A RDS desktop pool is associated with a farm, which is nothing more than group of RDS hosts. Each RDS host is a Windows Server that can host multiple RDS desktop sessions.
The Horizon 7.5 handbook is a really great source for this part and I will allow myself to copy and past some part of it. 🙂
There are two options for a desktop assignment:
Each user is assigned a particular remote desktop and returns to the same desktop at each login. Dedicated assignment pools require a one-to-one desktop-to-user relationship. For example, a pool of 100 desktops are needed for a group of 100 users.
Using floating-assignment pools also allows you to create a pool of
desktops that can be used by shifts of users. For example, a pool of 100 desktops could be used by 300 users if they worked in shifts of 100 users at a time. The remote desktop is optionally deleted and re-created after each use, offering a highly controlled environment.
This means that a floating assignment is recommended because it decouples the user from a specific desktop and provides management and resource efficiency. This obviously could also reduce the licensing costs.
Dedicated desktop assignments are useful or required where users have applications or data that they install and keep on a specific desktop. A dedicated desktop can be assigned (fixed) to a specific user or also during the first logon where the next unused desktop will be assigned automatically.
Full Clones, Linked Clones or Instant Clones?
One of the most important questions for your design is whether users need a stateful or stateless desktop to work with. If the user has a stateful desktop, you have to think about the data which needs to be included in a backup (e.g. user profile or application data).
If you provide stateless desktop images you face other challenges. What happens to a user’s profile or data? Should it be saved and be available in the next session?
Stateless desktop images
Also known as nonpersistent desktops, stateless architectures have many advantages, such as being easier to support and having lower storage costs. Other benefits include a limited need to back up the virtual machines and easier, less expensive disaster recovery and business continuity options.
Stateful desktop images
Also known as persistent desktops, these images might require traditional image management techniques. Stateful images can have low storage costs in conjunction with certain storage system technologies. Backup and recovery technologies such as VMware Site Recovery Manager are important when considering strategies for backup, disaster recovery, and business continuity.
There are two ways to create stateless (non-persistent) desktop images in Horizon 7:
You can create floating assignment pools or dedicated assignment pools of instant clone virtual machines. Folder redirection and roaming profiles can optionally be used to store user data.
You can use View Composer to create floating or dedicated assignment pools of linked clone virtual machines. Folder redirection and roaming profiles can optionally be used to store user data or configure persistent disks to persist user data.
There are several ways to create stateful (persistent) desktop images in Horizon 7:
You can create full clones or full virtual machines. Some storage vendors have cost-effective storage solutions for full clones. These vendors often have their own best practices and provisioning utilities. Using one of these vendors might require that you create a manual dedicated-assignment pool.
You can create pools of instant-clone or linked-clone virtual machines and use App Volumes user writable volumes to attach user data and user-installed apps.
Whether you use stateless or stateful desktops depends on the specific type of worker.
There could be a lot more to tell you about when creating desktop pools, but those details can be found on Tech Zone and the available PDFs and Youtube videos.
The next time we take a look at “Section 7 – Incorporate Application Services into a Horizon Physical Design”.
This is the sixth part of my VCAP7-DTM Design exam series. In part 5 I covered the creation of a physical design for horizon storage. This time we take a look at section 5 of the blueprint, the creation of a physical network design for Horizon:
Section 5 – Create a Physical Design for Horizon Networking
Objective 5.1 – Plan and Design Network Requirements for Horizon solutions (including Mirage and Workspace One)
Objective 5.2 – Design Network and Security Components Based on Capacity and Availability Requirements
Objective 5.3 – Evaluate GPO and Display Protocol Tuning Options Based on Bandwidth and Connection Limits
Networking is also a very important and exciting when creating a Horizon architecture and a lot of questions are coming up when I think about Horizon and network access and devices:
How does the ISP infrastructure look like?
Do we have redundant internet uplinks?
Bandwidth in the data center?
How is the connection between Horizon client and agent?
ESXi host network interfaces?
Do we have mobile workers using WLAN?
I once had a customer who had a really nice and modern data center infrastructure, but their firewalls didn’t provide enough throughput. Make your homework and know how the routing and switching looks like and check every component’s limit.
Beside our VDI traffic, what about management, vMotion and vSAN traffic? Do we have enough network interfaces and bandwidth? If you think about management traffic, then 1Gbit interfaces are normally sufficient. But vMotion and vSAN traffic should have redundant 10Gbit connections and be on different subnets/VLANs.
Overview of the Network Architecture
In most network architectures two firewalls exist to create the DMZ.
The Unified Access Gateway (UAG) appliances are placed in the DMZ. UAG can perform authentication or pass a connection to the Connection Server for AD authentication.
Notauthenticated sessions are dropped at the Unified Access Gateway appliance and only authenticated sessions are allowed to connect to the internal resources.
UAG appliances in the DMZ communicate with the Connection Server instances inside the corporate firewalls and ensure that only the desired remote apps and desktop sessions can enter the corporate data center on behalf of this strongly authenticated user.
Inside the corporate firewall you install and configure at least two Connection Server instances. Their configuration data is stored in an embedded LDAP directory (AD LDS) and is replicated among all members of the group.
The used session bandwidth between the Horizon client and agent depends highly on the session configuration. For display traffic, many elements can affect network bandwidth, such as the used protocol, monitor resolution, frames per second, graphically intense applications or videos, image and video quality settings.
Because the effects of each configuration can vary widely, it’s recommended to monitor the session bandwidth consumption as part of a pilot. Try to figure out the bandwidth requirements for each use case.
I would say that Blast Extreme is the way to go, because it has been optimized for mobile devices and can intelligently switch between UDP and TCP (Adaptive Transport). PCoIP has been developed by Teradici, but Blast is VMware’s own creation and that’s why I think that Blast will be “the future” and that RDP still can be used as fallback for some special scenarios.
Display Protocol Tuning Options
I will not cover this topic and explain you how you can configure the maximum bandwidth for PCoIP via GPO. There are several options to decrease and increase the used session bandwidth:
Nowadays, every client device is connected with 1Gbps. LAN connections and the user experience are most of the time perfect. How is it with WAN connections where you will have latencies that could be between 50 and 200ms? Do you apply Quality of Services (Qos) policies to prioritize Horizon traffic?
WAN optimization is one of the keywords when talking about WAN connections and is valuable for TCP-based protocols which require many handshakes between client and server, such as RDP.
PCoIP is UDP-based and this was the reason why everyone in the past said, that you should prefer this protocol for connections with higher latencies and then no WAN optimization or acceleration would be needed.
Then inside the corporate network you would use RDP because your network is stable or did you leave this choice to the user?
With Blast Extreme, Adaptive Transport will automatically detect higher latencies and automatically switches between TCP and UDP if needed. Higher latencies could also occur with mobile devices working of WiFi networks.
In my opinion there are almost no reasons anymore to use anything else than Blast because it’s also more network efficient than PCoIP.
Use separate networks for vSphere management, VM connectivity, vMotion and vSAN traffic. Make sure you have redundancy across different physical adapters (NIC, PCI slot) and devices (switches, router, firewall). Consider the use of a vSphere Distributed Switch (vDS) to reduce management overhead and provide a richer feature set. Maybe NSX could be interesting for micro segmentation.
Load balancing is a very important component of a Horizon architecture. The primary purpose of load balancing is to optimize performance by evenly distributing client sessions across all available Connection Server instances. The same is valid for UAG appliances, Identity Manager or App Volumes Manager. NSX comes with a virtual load balancer, but F5 and NetScaler are also fine.
Depending on your customer’s requirements and needs, the network design is another key part to remove single point of failures.
In part 7 we will figure out how we have to design Horizon desktops and pools.
This is the fifth part of my VCAP7-DTM Design exam series. In part 4 I covered the creation of a physical design for vSphere and Horizon components. This time we take a look at section 4 of the blueprint, the creation of a physical design for horizon storage:
Section 4 – Create a Physical Design for Horizon Storage
Objective 4.1 – Create and Optimize a Physical Design for Horizon Infrastructure Storage
Objective 4.2 – Create and Optimize a Physical Design for View Pool Storage
Objective 4.3 – Create and Optimize a Physical Storage Design for Applications
Objective 4.4 – Create and Optimize a Tiered Physical Horizon Storage Design
Objective 4.5 – Integrate Virtual SAN into a Horizon Design
This article is not a comparison between HCI and traditional storage architecture and if you build hosts by yourself or buy Dell EMC’s VxRail or any other vSAN ReadyNode.
Since it is VMware’s strategy to push vSAN and get away from traditional storage, I only cover vSAN. For my VCDX design I will also move away from traditional storage and use vSAN – it’s also my customer’s strategy. The price for flash storage is decreasing constantly and makes a hybrid vSAN architecture less attractive – at least for our use cases.
In general the storage design of a Horizon implementation is very critical. You have to think about capacity, growth capacity, data/object placement, disaster recovery, kind of SSD disks and so on. But in my opinion, HCI or vSAN makes your life a lot easier and simplifies the storage deployment.
If you fail to correctly size the storage and I/O capacity, your customer’s user experience will suffer or the deployment of new desktops is not possible anymore. So, storage performance and sizing is vital for the satisfactory of your customers and their users!
All-Flash or Hybrid Architecture
The first thing you have to figure out and define is the vSAN platform you are going to deploy – All-Flash or hybrid architecture. A All-Flash vSAN configuration aims at delivering very high IOPS with low latencies. Also in a All-Flash configuration you use two different grades of (flash) disks: lower capacity and higher endurance device for the capacity tier and more cost-effective and higher capacity disks for the capacity tier
There is no read cache available in a All-Flash configuration as all data is directly read from the capacity tier. Because you aim for extremely high IOPS, make sure you provide a dedicated 10Gb network for the vSAN traffic.
You can enable the deduplication and compression setting (not available when using a hybrid vSAN) in the vSAN cluster to reduce redundant copies of blocks within the same disk group to one copy and to compress the blocks after they have been deduplicated.
Erasure Coding (RAID 5/6 is only available with All-Flash) provides the same level of redundancy as mirroring, but with a reduced capacity requirement. In general, erasure coding means breaking data into multiple pieces and spread them across multiple devices, while adding parity data in the event data gets corrupted or lost. This is a good and short video about this feature:
When using vSAN without further adjustments, your virtual desktops and infrastructure servers are using the default vSAN storage policy. For infrastructure servers this might be okay, but for our desktops we need to create a new policies. Cormac Hogan has very good material about Horizon and vSAN Storage Policies:
The Number of Failures to Tolerate defines the number of host, disk or network failures a storage object can tolerate. This number of Failures to Tolerate (FTT) has the greatest impact on your capacity in a vSAN cluster. Based on your configured availability requirements for a VM, the settings in the policy can lead to a higher consumption on the vSAN datastore (more copies of your data). For “n” failures tolerated, n+1 copies of the object are created and 2n+1 hosts are required.
Consider to configure FTT = 0 for the OS disk for linked-clone floating pools or if you use full-clone non-persistent desktops. If vSAN should experience a failure, only non-persistent data will be lost.
I hope this information was helpful even we didn’t go to deep. If you need to know more about vSAN, then you’ll find tons of documents and other blogs about this technology.
In part 6 I’ll try to give you more information about the design for a Horizon network.
This is the fourth part of my VCAP7-DTM Design exam series. In part 3 I covered the creation of a logical design for Horizon 7. This time we take a look at section 3 of the blueprint, the creation of a physical design:
Section 3 – Create a Physical Design for vSphere and Horizon Components Objective 3.1 – Create a Horizon Pod and Block Architecture Design Objective 3.2 – Extend Horizon Architecture Design to Support Additional Horizon Suite Components Objective 3.3 – Design vSphere Infrastructure to Support a Horizon Implementation Objective 3.4 – Add Required Services to Support a Given vSphere Design
Physical diagrams contain more details than the logical architecture and could can brand names or models of storage arrays, network switches and so on. In the physical design we will describe individual parameters or settings for each component.
VMware Horizon Block and Pod Design
A VMware Horizon solution includes one or more Horizon instances, where a Horizon instance is a pod that includes one or more building blocks.
A building block consists of physical servers, a vSphere infrastructure, Horizon 7 servers, shared storage, and virtual machine desktops for end users. A building block is a logical construct and should not be sized for more than 2’000 Horizon desktops. Customers usually include up to five building blocks in a Horizon 7 pod, although in theory you can use more blocks than that, as long as the pod does not go above 10’000 sessions and 7 Horizon Connection Server instances.
The Cloud Pod Architecture (CPA) feature allows you to link multiple Horizon pods together (using the View Inter-Pod API (VAPI) protocol) to provide cross-data center administration and to perform local or global user-to-desktop mappings (entitlements). In a traditional Horizon implementation you manage each pod independently.
There are two different kind of building blocks, the management block (only one) and the resource block (up to 5 in a Horizon pod)
VMware recommends about 2’000 sessions or desktops in a Horizon resource block which includes at least one Horizon Connection Server (CS). In addition to the CS other components like ESXi hosts, vSphere clusters, desktop and application pools and storage form a VMware Horizon resource block.
One Horizon pod can contain up to 10’000 sessions or desktops and 7 Connection Server instances. For environments exceeding the 10’000 users, you have to leverage the Cloud Pod Architecture feature with the usage of load balancers.
In the image above each Horizon 7 resource block has its own vCenter Server. Since View 5.2 and later customers have the ability to use a single vCenter Server instance to manage a 10’000 desktop environment. Although using one vCenter Server for 10’000 desktops is possible and supported, doing so is not recommended because this design creates a single point of failure. The loss of that single vCenter Server prevents any desktop power management, provisioning and other operations.
The Horizon 7 management block consists of the VMs that are supporting the block and pod infrastructure:
vCenter Server instances, Horizon infrastructure servers, Connection Servers, database servers, Composer, UAG, Active Directory, DNS, DHCP, Certification Authorities etc.
Horizon Component Design
To be able to deliver the Horizon 7 services, we first need to design and build the required infrastructure components.
VMware Identity Manager (vIDM) provides the optional WorkspaceONE portal which provides access to different types of applications (Horizon desktop & apps, SaaS-based web apps, ThinApp packaged applications and even Citrix-based application an desktops). Even vIDM is available from on-premises installation, VMware recommends a SaaS-based implementation.
Following VMware’s recommendations, you will need at least three vCenter Server instances:
– 1 vCenter Server for every 2’000 desktops – 1 vCenter Server for the Horizon management block – 1 vCenter Server for the vCenter Server Management cluster (with all vCenter Servers including networking and security instances)
Each Horizon Connection Server provisioned with the minimum supported system specifications should be able to manage the connectivity for up to 2’000 users. If you are using Blast Secure Gateway connections to desktops using HTML access, the Connection Server only can have a maximum of 800 connections. A minimum of two Connection Servers is recommended for failover and redundancy reasons. VMware supports a maximum of seven active Connection Servers per replication group because of Java Message Services (JMS) performance limitations.
Connection servers are active only if they are enabled in Horizon Administrator to accept connections. A disabled connection server communicates with other connection servers in the group and replicates the LDAP directory.
This means that, if you have deployed the maximum of 7 Connection Servers, five have to be enabled and two disabled.
Although View Composer can be installed on the same server as the Windows vCenter Server, for larger environments VMware recommends that you install View Composer on a standalone server. Each Composer server requires a unique Composer database. However, multiple Composer databases can be placed on a single SQL instance. A View Composer server is always paired with a vCenter Server for each Horizon block. If possible, VMware recommends using the Instant Clone technology which doesn’t need additional infrastructure servers.
The Unified Access Gateway (UAG) is the new way to allow remote connections and has the same features like the old View Security Server. The UAG appliance (VM based on Linux) is normally installed in the DMZ and enables secure access from outside the corporate network to the internally hosted desktop and application servers. Unlike a Security Server, the UAG appliance doesn’t need to be paired with a specific Connection Server. VMware recommends the usage of a UAG than Security Server.
This is it. 🙂 The next article focuses on section 4 where the design for Horizon storage is the topic.
This is the third part of my VCAP7-DTM Design exam series. In part 2 I covered the creation of a conceptual design for Horizon 7. This time we take a look at section 2 of the blueprint, the creation of a logical design.
As you already know, the conceptual design or architecture is the one you begin with and is driven by the most essential requirements (the ones you gathered during the assessment). Typically you do not mention any specific solution or product in the conceptual design. To provide more details you will create a logical design of the Horizon solution.
The logical architecture should provide a high-level overview of the proposed architecture for the customer’s Horizon environment and helps all involved people in the early phases of planning, designing and deploying the solution.
As you can see, it now contains components like connection servers, Identity Managers, Composer Servers, database servers etc. The logical diagram shows you more details than before but the more specific (technical) details for each component will be described in the physical design which is part of section 3 of the exam blueprint. Example: Amount of App Volumes Managers Permissions of UEM shares Applied GPOs Load balancing solution
As you may know from the first article, I successfully passed my VCP7-DTM exam and now I’m studying for the VCAP7-DTM Design certification.
Before we take a closer look at the different objectives or requirements, there is one important information about the VCIX7-DTM track. Since no VCAP7-DTM Deploy exam is available and it’s not clear yet when this exam will be published, you only need the VCAP7-DTM Design certification to earn the VCIX7-DTM status. I have got this information from VMware certification.
Section 1 – Create a Horizon Conceptual Design
Let’s have a look at the different objectives from section 1 and see what they mean for me using my learning resources.
Objective 1.1 – Gather and analyze requirements Objective 1.2 – Gather and analyze application requirements Objective 1.3 – Differentiate requirements, risks, constraints and assumptions Objective 1.4 – Evaluate existing business practices against established use cases
The gathering of requirements (functional and nonfunctional) is an essential part of the whole design and deploy process.
A functional requirement describes what the solution must do or accomplish. Example: Limit access to a specific user group
A nonfunctional requirement describes the characteristics of a solution. Example: Horizon service uptime of 99.99%
To have a good and valid design you also have to define goals, requirements, risks, constraints and assumptions.
Normally, defining goals is one of the easier parts when it comes to a design. When you interview the different key stakeholders and use the right questions, you already have the business objectives or goals. The goals are the business drivers and it’s important for you as architect to understand all the objectives to fulfill the customer’s needs.
What are the company’s business needs? Do they want to increase user mobility? Lower the operational costs with a faster deployment method? Is remote access needed?
If your design process is based on the VMware Delivery Excellence Methodology, then you know that the assessment phase focuses on the scope of the project and the data-gathering for the design. You need to understand the customer’s requirements and for that you need to interview different key stakeholders to create a design which meets all the needs. After you have gathered all the requirements, you must document them and write down the constraints, assumptions and risks.
With all the information about the current state, the business requirements and the application requirements, you are able to create an enterprise infrastructure design based on a three-step model. The conceptual design is the first one to begin with: