View Architecture Planning
VMware Horizon 7 7.2

This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent editions of this document, see http://www.vmware.com/support/pubs.
You can find the most up-to-date technical documentation on the VMware Web site at: http://www.vmware.com/support/ The VMware Web site also provides the latest product updates. If you have comments about this documentation, submit your feedback to: docfeedback@vmware.com
Copyright © 2009–2017 VMware, Inc. All rights reserved. Copyright and trademark information.
VMware, Inc. 3401 Hillview Ave. Palo Alto, CA 94304 www.vmware.com
Contents

Horizon 7 Architecture Planning 5
1 Introduction to Horizon 7 7
  Advantages of Using Horizon 7 7
  Horizon 7 Features 10
  How the Components Fit Together 11
  Integrating and Customizing Horizon 7 15
2 Planning a Rich User Experience 21
  Feature Support Matrix for Horizon Agent 21
  Choosing a Display Protocol 22
  Using Published Applications 26
  Using Horizon Persona Management to Retain User Data and Settings 27
  Using USB Devices with Remote Desktops and Applications 28
  Using the Real-Time Audio-Vide
  Advantages of Using Multiple vCenter Servers in a Pod 74
5 Planning for Security Features 77
  Understanding Client Connections 77
  Choosing a User Authentication Method 80
  Restricting Remote Desktop Access 82
  Using Group Policy Settings to Secure Remote Desktops and Applications 84
  Using Smart Policies 84
  Implementing Best Practices to Secure Client Systems 84
  Assigning Administrator Roles 85
  Preparing to Use a Security Server 85
  Understanding Horizon 7 Communications Protocols
Horizon 7 Architecture Planning

Horizon 7 Architecture Planning provides an introduction to VMware Horizon™ 7, including a description of its major features and deployment options and an overview of how the components are typically set up in a production environment.
1 Introduction to Horizon 7

With Horizon 7, IT departments can run remote desktops and applications in the datacenter and deliver these desktops and applications to employees as a managed service. End users gain a familiar, personalized environment that they can access from any number of devices anywhere throughout the enterprise or from home. Administrators gain centralized control, efficiency, and security by having desktop data in the datacenter.
- Remote desktops and applications that are hosted in a data center experience little or no downtime. Virtual machines can reside on high-availability clusters of VMware servers. Virtual desktops can also connect to back-end physical systems and Microsoft Remote Desktop Services (RDS) hosts.
Convenience: The unified management console is built for scalability so that even the largest Horizon 7 deployments can be efficiently managed from a single management interface.
- Integration with VMware Identity Manager means that IT managers can use the Web-based VMware Identity Manager administration interface to monitor user and group entitlements to remote desktops.
- Integration with VMware App Volumes, a real-time application delivery system, enables enterprises to deliver and manage applications at scale. Use App Volumes to attach applications to users, groups, or target computers, even when users are logged into their desktop.

Horizon 7 Features

Features included in Horizon 7 support usability, security, centralized control, and scalability. The following features provide a familiar experience for the end user:
- On certain client devices, print from a virtual desktop to any local or networked printer that is defined on the client device. This virtual printer feature solves compatibility issues and does not require you to install additional print drivers in a virtual machine.
- Use View Composer to quickly create desktop images that share virtual disks with a master image. Using linked clones in this way conserves disk space and simplifies the management of patches and updates to the operating system.
- Use the Instant Clone feature, introduced in Horizon 7, to quickly create desktop images that share virtual disks and memory with a parent image.
Horizon Connection Server: This software service acts as a broker for client connections. Horizon Connection Server authenticates users through Windows Active Directory and directs the request to the appropriate virtual machine, physical PC, or Microsoft RDS host.
- Details about the HTML Access Web client, which allows you to open a remote desktop inside a browser. No Horizon Client application is installed on the client system or device. See the Horizon Client documentation at https://www.vmware.com/support/viewclients/doc/viewclients_pubs.html.
- Various third-party thin clients and zero clients, available only through certified partners.
- View Open Client, which supports the VMware partner certification program.
You can also use View Composer to create automated farms of linked-clone Microsoft RDS hosts, which provide published applications to end users. Although you can install View Composer on its own server host, a View Composer service can operate with only one vCenter Server instance. Similarly, a vCenter Server instance can be associated with only one View Composer service.
Important: View Composer is an optional component.
- VMware Mirage and Horizon FLEX: IT managers can use the browser-based administration console of VMware Identity Manager to monitor user and group entitlements to remote desktops. You can use Mirage and Horizon FLEX to deploy and update applications on dedicated full-clone remote desktops without overwriting user-installed applications or data. Mirage provides a better offline virtual desktop solution than the Local Mode feature that was previously included with Horizon 7.

Integrating with Popular Video Conferencing Software

Flash URL Redirection

Streaming Flash content directly from Adobe Media Server to client endpoints lowers the load on the datacenter ESXi host, removes the extra routing through the datacenter, and reduces the bandwidth required to simultaneously stream live video events to multiple client endpoints. The Flash URL redirection feature uses JavaScript that is embedded inside a Web page by the Web page administrator.
Integrating Horizon 7 with Business Intelligence Software

You can configure Horizon Connection Server to record events to a Microsoft SQL Server or Oracle database.
- End-user actions such as logging in and starting a desktop session.
- Administrator actions such as adding entitlements and creating desktop pools.
- Alerts that report system failures and errors.
- Statistical sampling such as recording the maximum number of users over a 24-hour period.
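As an added example (not VMware's code, and not the real Horizon 7 event database schema), the following Python script sorts constructed event records into the four categories listed above and derives the 24-hour maximum-concurrent-users statistic from the logon and logoff events with a sweep over the records. The event type names and the (timestamp, type, actor, detail) record layout are assumptions made for this illustration.

```python
"""Classify constructed Horizon-style event records and compute the maximum
number of concurrently logged-in users over a 24-hour window.

Added example: the event type names and the (timestamp, type, actor, detail)
layout are assumptions for this illustration, not the real event database schema.
"""
from datetime import datetime, timedelta

# Constructed sample events (not from a real deployment).
SAMPLE_EVENTS = [
    ("2017-06-01T08:00:00", "USER_LOGGED_IN", "alice", "pool-a"),
    ("2017-06-01T08:05:00", "USER_LOGGED_IN", "bob", "pool-a"),
    ("2017-06-01T08:06:00", "DESKTOP_SESSION_STARTED", "bob", "desktop-01"),
    ("2017-06-01T08:10:00", "USER_LOGGED_IN", "carol", "pool-b"),
    ("2017-06-01T09:00:00", "USER_LOGGED_OUT", "alice", "pool-a"),
    ("2017-06-01T09:30:00", "USER_LOGGED_IN", "dave", "pool-b"),
    ("2017-06-01T09:40:00", "USER_LOGGED_IN", "erin", "pool-a"),
    ("2017-06-01T10:00:00", "USER_LOGGED_OUT", "bob", "pool-a"),
    ("2017-06-01T11:00:00", "ADMIN_ENTITLEMENT_ADDED", "admin1", "pool-b"),
    ("2017-06-01T12:00:00", "ALERT_SYSTEM_FAILURE", "system", "composer unreachable"),
    ("2017-06-02T08:30:00", "USER_LOGGED_IN", "frank", "pool-a"),  # next day, outside window
]

# Assumed event types mapped onto the four categories the document lists.
CATEGORY_BY_TYPE = {
    "USER_LOGGED_IN": "end-user action",
    "USER_LOGGED_OUT": "end-user action",
    "DESKTOP_SESSION_STARTED": "end-user action",
    "ADMIN_ENTITLEMENT_ADDED": "administrator action",
    "ADMIN_POOL_CREATED": "administrator action",
    "ALERT_SYSTEM_FAILURE": "alert",
}


def categorize(events):
    """Count events per category; unknown types are reported, not dropped."""
    counts = {}
    for _ts, etype, _actor, _detail in events:
        category = CATEGORY_BY_TYPE.get(etype, "unknown")
        counts[category] = counts.get(category, 0) + 1
    return counts


def max_concurrent_users(events, window_start, hours=24):
    """Sweep over logon/logoff events inside [window_start, window_start + hours)
    and return the peak number of distinct users logged in at once."""
    start = datetime.fromisoformat(window_start)
    end = start + timedelta(hours=hours)
    logged_in = set()
    peak = 0
    for ts, etype, user, _detail in sorted(events, key=lambda e: e[0]):
        when = datetime.fromisoformat(ts)
        if when < start or when >= end:
            continue
        if etype == "USER_LOGGED_IN":
            logged_in.add(user)
            peak = max(peak, len(logged_in))
        elif etype == "USER_LOGGED_OUT":
            logged_in.discard(user)
    return peak


if __name__ == "__main__":
    print(categorize(SAMPLE_EVENTS))
    print("peak users:", max_concurrent_users(SAMPLE_EVENTS, "2017-06-01T00:00:00"))
```

The sweep only sees logons that fall inside the window, so a user who logged in before the window opened and never logged out is not counted; a production report would seed the logged-in set from the session state at the window start.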
You can use LDIF files to perform a number of tasks.
- Transfer configuration data between Connection Server instances.
- Define a large number of Horizon 7 objects, such as desktop pools, and add these to your Connection Server instances without using Horizon Administrator or Horizon PowerCLI.
- Back up a configuration so that you can restore the state of a Connection Server instance.
For more information, see the View Integration document.
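As an added example (not VMware's tooling), the following Python reader parses LDIF exports, handling comment lines, folded continuation lines and base64 values, and reports which objects one Connection Server export contains that another lacks, the kind of check to run before transferring or restoring configuration. The DNs, object classes and attribute names in the sample are constructed and are not Horizon 7's real LDAP schema.

```python
"""Read LDIF exports and report which objects the source instance has that the
target instance lacks.

Added example, not VMware's tooling: the DNs, object classes and attribute
names below are constructed for the illustration, not Horizon 7's LDAP schema.
"""
import base64

SOURCE_LDIF = """\
# constructed export from the source instance
dn: CN=pool-example,OU=Pools,DC=example,DC=local
objectClass: top
objectClass: x-examplePool
cn: pool-example
x-displayName:: RXhhbXBsZSBQb29s
description: constructed sample entry, split across
  two physical lines

dn: CN=pool-two,OU=Pools,DC=example,DC=local
objectClass: top
objectClass: x-examplePool
cn: pool-two
"""

TARGET_LDIF = """\
# constructed export from the target instance
dn: CN=pool-two,OU=Pools,DC=example,DC=local
objectClass: top
objectClass: x-examplePool
cn: pool-two
"""


def parse_ldif(text):
    """Return a list of {"dn": ..., "attrs": {name: [values]}} entries."""
    # Unfold continuation lines: a line starting with one space continues
    # the previous logical line (the leading space is dropped).
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        else:
            logical.append(raw)

    entries = []
    current = None
    for line in logical + [""]:  # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if line.strip() == "":
            if current is not None:
                entries.append(current)
                current = None
            continue
        name, sep, rest = line.partition(":")
        if not sep:
            raise ValueError("malformed LDIF line: %r" % line)
        if rest.startswith(":"):
            # "attr:: <base64>" carries a base64-encoded value
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        if name == "dn":
            current = {"dn": value, "attrs": {}}
        elif current is None:
            raise ValueError("attribute %r appears before any dn" % name)
        else:
            current["attrs"].setdefault(name, []).append(value)
    return entries


def missing_entries(source_entries, target_entries):
    """DNs present in the source export but absent from the target export."""
    target_dns = {e["dn"] for e in target_entries}
    return [e["dn"] for e in source_entries if e["dn"] not in target_dns]


if __name__ == "__main__":
    source = parse_ldif(SOURCE_LDIF)
    target = parse_ldif(TARGET_LDIF)
    for entry in source:
        print(entry["dn"], entry["attrs"])
    print("missing on target:", missing_entries(source, target))
```

Treating the parsed entries as data rather than text is what makes a backup usable for restore checks: comparing DNs after parsing is insensitive to line folding and base64 encoding differences between two exports.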
2 Planning a Rich User Experience

Horizon 7 provides the familiar, personalized desktop environment that end users expect. For example, on some client systems, end users can access USB and other devices connected to their local computer, send documents to any printer that their local computer can detect, authenticate with smart cards, and use multiple display monitors. Horizon 7 includes many features that you might want to make available to your end users.
To see a list of specific remote experience features supported on Windows operating systems where Horizon Agent is installed, see the VMware Knowledge Base (KB) article http://kb.vmware.com/kb/2150305.
Note: For information about which features are supported on the various types of client devices, see the Horizon Client documentation at https://www.vmware.com/support/viewclients/doc/viewclients_pubs.html.
- Copy and paste of text and, on some clients, images between the client operating system and a remote application or desktop. For other client types, only copy and paste of plain text is supported. You cannot copy and paste system objects such as folders and files between systems.
- Multiple monitors are supported for some client types.
1080p-formatted video: If the remote desktop has a dual virtual CPU, you can play 1080p-formatted video, although the media player might need to be adjusted to a smaller window size.
3D rendering: You can configure remote desktops to use software- or hardware-accelerated graphics. The software-accelerated graphics feature enables you to run DirectX 9 and OpenGL 2.1 applications without requiring a physical graphics processing unit (GPU).
- Multiple monitors are supported for some client types. On some clients, you can use up to 4 monitors with a resolution of up to 2560 x 1600 per display or up to 3 monitors with a resolution of 4K (3840 x 2160) for Windows 7 remote desktops with Aero disabled. Pivot display and autofit are also supported. When the 3D feature is enabled, up to 2 monitors are supported with a resolution of up to 1920 x 1200, or one monitor with a resolution of 4K (3840 x 2160).

Hardware Requirements for Client Systems

For information about processor and memory requirements, see the "Using VMware Horizon Client" document for the specific type of desktop or mobile client device. Go to https://www.vmware.com/support/viewclients/doc/viewclients_pubs.html.
Microsoft RDP: Remote Desktop Protocol is the same multichannel protocol many people already use to access their work computer from their home computer.
Deploying published applications in this way might be preferable to deploying complete remote desktops under the following conditions:
- If an application is set up with a multi-tiered architecture, where the components work better if they are located geographically near each other, using published applications is a good solution.
As with Windows roaming profiles, you can configure folder redirection. You can redirect the following folders to a network share.

Using the Real-Time Audio-Video Feature for Webcams and Microphones

With the Real-Time Audio-Video feature, you can use your local computer's webcam or microphone on your remote desktop. Real-Time Audio-Video is compatible with standard conferencing applications and browser-based video applications, and supports standard webcams, audio USB devices, and analog audio input.
Virtual Shared Graphics Acceleration (vSGA): Available with vSphere 5.1 and later, this feature allows multiple virtual machines to share the physical GPUs on ESXi hosts. You can use 3D applications for design, modeling, and multimedia.
Soft 3D: Software-accelerated graphics, available with vSphere 5.0 and later, allows you to run DirectX 9 and OpenGL 2.1 applications without requiring a physical GPU.
Location-based printing allows IT organizations to map remote desktops to the printer that is closest to the endpoint client device. For example, as a doctor moves from room to room in a hospital, each time the doctor prints a document, the print job is sent to the nearest printer. Using this feature does require that the correct printer drivers be installed in the remote desktop.
Note: These printing features are available only on some types of clients.
Horizon Client supports the following monitor configurations:
- If you use two monitors, the monitors are not required to be in the same mode. For example, if you are using a laptop connected to an external monitor, the external monitor can be in portrait mode or landscape mode.
- Monitors can be placed side by side, stacked two by two, or vertically stacked only if you are using two monitors and the total height is less than 4096 pixels.
3 Managing Desktop and Application Pools from a Central Location

You can create pools that include one, hundreds, or thousands of remote desktops. As a desktop source, you can use virtual machines, physical machines, and Windows Remote Desktop Services (RDS) hosts. Create one virtual machine as a base image, and Horizon 7 can generate a pool of remote desktops from that image. You can also create pools of applications that give users remote access to applications.
- For View Composer linked-clone virtual machines, you can specify whether to use a Microsoft Sysprep customization specification or QuickPrep from VMware. Sysprep generates a unique SID and GUID for each virtual machine in the pool. Instant clones require a different customization specification, called ClonePrep, from VMware.
You can also specify how users are assigned desktops in a pool.

Reducing and Managing Storage Requirements

Deploying desktops on virtual machines that are managed by vCenter Server provides all the storage efficiencies that were previously available only for virtualized servers. Using instant clones or View Composer linked clones as desktop machines increases the storage savings because all virtual machines in a pool share a virtual disk with a base image.
- Replica disks must be stored on VMFS5 or later datastores or NFS datastores. If you store replicas on a VMFS version earlier than VMFS5, a cluster can have at most eight hosts. OS disks and persistent disks can be stored on NFS or VMFS datastores.

Compatible vSphere 5.5 Update 1 or Later Features

With vSphere 5.

Using Virtual SAN for High-Performance Storage and Policy-Based Management

VMware Virtual SAN is a software-defined storage tier, available with vSphere 5.5 Update 1 or a later release, that virtualizes the local physical storage disks available on a cluster of vSphere hosts.
- A cluster of at least three ESXi hosts. You need enough ESXi hosts to accommodate your setup even if you use two ESXi hosts with a Virtual SAN stretched cluster. For more information, see the vSphere Configuration Maximums document.
- SSD capacity that is at least 10 percent of HDD capacity.
- Enough HDDs to accommodate your setup. Do not exceed more than 75% utilization on a magnetic disk.
- Virtual Volumes datastores are not supported for instant clone desktop pools.
Note: Virtual Volumes is compatible with the View Storage Accelerator feature. Virtual SAN provides a caching layer on SSD disks, and the View Storage Accelerator feature provides a content-based cache that reduces IOPS and improves performance during boot storms.
The Virtual Volumes feature has the following requirements:
- vSphere 6.
Disposable Disks for Paging and Temp Files

When you create a linked-clone pool or farm, you can also optionally configure a separate, disposable virtual disk to store the guest operating system's paging and temp files that are generated during user sessions. When the virtual machine is powered off, the disposable disk is deleted. Using disposable disks can save storage space by slowing the growth of linked clones and reducing the space used by powered off virtual machines.

Reducing Storage Requirements with Instant Clones

The instant clones feature leverages vSphere vmFork technology (available with vSphere 6.0U1 and later) to quiesce a running base image, or parent virtual machine, and rapidly create and customize a pool of virtual desktops. Not only do instant clones share the virtual disks with the parent virtual machine at the time of creation, instant clones also share the memory of the parent.
However, you must consider the restrictions that using local datastores imposes on your Horizon 7 desktop or farm deployment:
- You cannot use VMotion to manage Virtual Volumes.
- You cannot use VMware High Availability.
- You cannot use the vSphere Distributed Resource Scheduler (DRS).
If you are deploying instant clones on a single ESXi host with a local datastore, you must configure a cluster containing that single ESXi host.
- Deploying Applications and System Updates with View Composer on page 43
  Because linked-clone desktop pools share a base image, you can quickly deploy updates and patches by updating the parent virtual machine.
- Deploying Applications and System Updates with Instant Clones on page 44
  Because instant clone desktop pools share a base image, you can quickly deploy updates and patches by updating the parent virtual machine.
- Changing other virtual machine settings, such as available memory
Note: Because you can also use View Composer to create farms of linked-clone Microsoft RDS hosts, the recompose feature lets you update the guest operating system and applications on RDS hosts.
You can create a View Composer persistent disk that contains user settings and other user-generated data. This persistent disk is not affected by a recompose operation.
If you assign a ThinApp package so that it is installed on a virtual desktop, the architectural considerations are similar to those that you address when you use traditional MSI-based software provisioning. Storage configuration for the application repository is a consideration both for streamed applications and for ThinApp packages installed in remote desktops.
- All users regardless of the system they log in to
- Connection Server configuration
- Horizon Client configuration
- Horizon Agent configuration
After a GPO is applied, properties are stored in the local Windows registry of the specified component. You can use GPOs to set all the policies that are available from the Horizon Administrator user interface (UI). You can also use GPOs to set policies that are not available from the UI.
4 Architecture Design Elements and Planning Guidelines for Remote Desktop Deployments

A typical Horizon 7 architecture design uses a pod strategy. Pod definitions can vary, based on hardware configuration, Horizon 7 and vSphere software versions used, and other environment-specific design factors. The examples in this document illustrate a scalable design that you can adapt to your enterprise environment and special requirements.

Virtual Machine Requirements for Remote Desktops

When you plan the specifications for remote desktops, the choices that you make regarding RAM, CPU, and disk space have a significant effect on your choices for server and storage hardware and expenditures.

Estimating Memory Requirements for Virtual Machine Desktops

RAM costs more for servers than it does for PCs. Because the cost of RAM is a high percentage of overall server hardware costs and total storage capacity needed, determining the correct memory allocation is crucial to planning your desktop deployment.
ESXi swap file: This file, which has a .vswp extension, is created if you reserve less than 100 percent of a virtual machine's RAM. The size of the swap file is equal to the unreserved portion of guest RAM. For example, if 50 percent of guest RAM is reserved and guest RAM is 2GB, the ESXi swap file is 1GB. This file can be stored on the local data store on the ESXi host or cluster.
ESXi suspend file: This file, which has a .

Estimating CPU Requirements for Virtual Machine Desktops

When estimating CPU, you must gather information about the average CPU utilization for various types of workers in your enterprise. CPU requirements vary by worker type.
- If you are using vSphere 5.1 or later, enable space reclamation for vCenter Server and for the linked-clone desktop pools. If virtual machine desktops use the space-efficient disk format available with vSphere 5.1 or later, stale or deleted data within a guest operating system is automatically reclaimed with a wipe and shrink process.
- Finally, consider cluster requirements and any failover requirements. For more information, see “Determining Requirements for High Availability,” on page 62. For information about specifications of ESXi hosts in vSphere, see the VMware vSphere Configuration Maximums document.
- Pools for Kiosk Users on page 56
  Kiosk users might include customers at airline check-in stations, students in classrooms or libraries, medical personnel at medical data entry workstations, or customers at self-service points. Accounts associated with client devices rather than users are entitled to use these desktop pools because users do not need to log in to use the client device or the remote desktop.
- Create instant-clone or View Composer linked-clone desktops so that desktops share the same base image and use less storage space in the datacenter than full virtual machines.

Pools for Knowledge Workers and Power Users

Knowledge workers must be able to create complex documents and have them persist on the desktop. Power users must be able to install their own applications and have them persist.

Pools for Kiosk Users

Kiosk users might include customers at airline check-in stations, students in classrooms or libraries, medical personnel at medical data entry workstations, or customers at self-service points. Accounts associated with client devices rather than users are entitled to use these desktop pools because users do not need to log in to use the client device or the remote desktop.

Desktop Virtual Machine Configuration

The example settings for items such as memory, number of virtual processors, and disk space are specific to Horizon 7. The amount of system disk space required depends on the number of applications required in the base image. VMware has validated a setup that included 8GB of disk space.
For more information about RDS host configuration and tested workloads, see the VMware Horizon 6 Reference Architecture white paper at http://www.vmware.com/files/pdf/techpaper/VMware-Reference-Architecture-Horizon-6-View-MirageWorkspace.pdf.

vCenter Server and View Composer Virtual Machine Configuration

You can install vCenter Server and View Composer on the same virtual machine or on separate servers.
Connection Server Cluster Design Considerations

You can deploy multiple replicated Connection Server instances in a group to support load balancing and high availability. Groups of replicated instances are designed to support clustering within a LAN-connected single-datacenter environment.
The number of connections per Unified Access Gateway appliance is similar to the number for security servers. For more information about Unified Access Gateway appliances, see Deploying and Configuring Unified Access Gateway.
If you store View Composer replicas on a VMFS version earlier than VMFS5, a cluster can have at most eight hosts. OS disks and persistent disks can be stored on NFS or VMFS datastores. For more information, see the chapter about creating desktop pools, in the Setting Up Virtual Desktops in Horizon 7 document. Networking requirements depend on the type of server, the number of network adapters, and the way in which VMotion is configured.

Table 4‑10. Virtual Machine Desktop Cluster Example
Item: Example
Number of clusters: 5
Number of desktops and pools per cluster: 1 pool of 2,000 desktops (virtual machines) per cluster
Nodes (ESXi hosts): Following are examples of various servers that could be used for each cluster:
  - 12 Dell PowerEdge R720 (16 cores * 2 GHz; and 192GB RAM on each host)
  - 16 Dell PowerEdge R710 (12 cores * 2.

Shared Storage Example

For a View 5.2 test environment, View Composer replica virtual machines were placed on high-read-performance solid-state drives (SSD), which support tens of thousands of I/Os per second (IOPS). Linked clones were placed on traditional, lower-performance spinning media-backed datastores, which are less expensive and provide higher storage capacity.
This storage strategy is illustrated in the following figure.
Figure 4‑1. Tiered Storage Example for a Large Desktop Pool (figure: Parent 1 through Parent 5 on a PARENT SSD, shared across all clusters; Replica 1 on an ESX cluster, consisting of 192 Intel cores and 2.
You can also reduce operating system disk space by using View Composer persistent disks or a shared file server as the primary repository for the user profile and user documents. Because View Composer lets you separate user data from the operating system, you might find that only the persistent disk needs to be backed up or replicated, which further reduces storage requirements. For more information, see “Reducing Storage Requirements with View Composer,” on page 39.
With the PCoIP or Blast Extreme display protocol, if you have an enterprise LAN with 100Mb or a 1Gb switched network, your end users can expect excellent performance under the following conditions:
- Two monitors (1920 x 1080)
- Heavy use of Microsoft Office applications
- Heavy use of Flash-embedded Web browsing
- Frequent use of multimedia with limited use of full screen mode
- Frequent use of USB-based
Virtual switches: VMotion-dvswitch (1 uplink per host), Infra-dvswitch (2 uplinks per host), Desktop-dvswitch (2 uplinks per host)
- One 1Gb vLAN for the management network
- One 1Gb vLAN for the VMotion network
- One 10Gb vLAN for the infrastructure network. This switch was used by the ESXi hosts of infrastructure, parent, and desktop virtual machines.
- Jumbo Frame (9000 MTU)
- 1 Ephemeral Distributed Port Group
- Private VLAN and 192.168.x.
Capacity for an Hour-Long Logon Storm of 10,000 Users

Note: This example was used in a View 5.2 setup, which was carried out prior to the release of VMware Virtual SAN. For guidance on sizing and designing the key components of View virtual desktop infrastructures for VMware Virtual SAN, see the white paper at http://www.vmware.com/files/pdf/products/vsan/VMW-TMD-Virt-SAN-Dsn-Szing-Guid-Horizon-View.pdf.

Time Required for Rebalancing a Pool

A desktop rebalance operation evenly redistributes linked-clone desktops among available logical drives. A rebalance operation saves storage space on overloaded drives and ensures that no drives are underused. You can also use a rebalance operation to migrate all virtual machines in a desktop pool to or from a Virtual SAN datastore.
- 2Mbps per simultaneous user running 480p video, depending upon the configured frame rate limit and the video type.
Note: The estimate of 50 to 150Kbps per typical user is based on the assumption that all users are operating continuously and performing similar tasks over an 8- to 10-hour day. The 50Kbps bandwidth usage figure is from View Planner testing on a LAN with the Build-to-Lossless feature disabled.

Table 4‑11. Example of a LAN-Based Horizon Building Block for 2,000 Virtual Machine Desktops (Continued)
Item: Example
Database: MS SQL Server or Oracle database server (can be run in the block itself)
VLANs: 3 (a 1Gbit Ethernet network for each: management network, storage network, and VMotion network)

Each vCenter Server can support up to 10,000 virtual machines. This support enables you to have building blocks that contain more than 2,000 virtual machine desktops.
Figure 4‑2. Pod Diagram for 10,000 Virtual Machine Desktops (figure: View building blocks, switched networks, View Connection Servers, load balancing, and network core; each switched network connects to each View Connection Server)

Pod Example Using One vCenter Server

In the previous section, the Horizon 7 pod consisted of multiple building blocks. Each building block supported 2,000 virtual machines with a single vCenter Server.

Cloud Pod Architecture Overview

To use a group of replicated Connection Server instances across a WAN, MAN (metropolitan area network), or other non-LAN, in scenarios where a Horizon deployment needs to span datacenters, you must use the Cloud Pod Architecture feature. This feature uses standard Horizon components to provide cross-datacenter administration, global and flexible user-to-desktop mapping, high-availability desktops, and disaster recovery capabilities.
Pod designs with one vCenter Server instance: Concurrency settings determine how many operations can be queued up for an entire Horizon 7 pod at one time. For example, if you set concurrent provisioning operations to 20 and you have only one vCenter Server instance in a pod, a desktop pool larger than 20 will cause provisioning operations to be serialized.
If your Horizon 7 design does not require user-triggered power and refit operations, a single vCenter Server instance can probably suit your needs. Without a high frequency of user-triggered power and refit operations, no long queue of operations can accumulate that might cause Horizon Connection Server to time-out waiting for vCenter Server to complete the requested operations within the defined concurrency setting limits.
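As an added example (not part of the original document and not Horizon code), the following Python simulation shows the queueing behavior described above: a pool larger than the concurrency setting is provisioned in serialized waves, and operations whose queue wait exceeds a Connection Server timeout are flagged. The operation durations, the timeout value and the assumption that each vCenter Server instance in a pod contributes its own set of concurrency slots are constructed for this illustration.

```python
"""Simulate how a pod-wide concurrency limit serializes vCenter Server
operations and which queued operations exceed a wait timeout.

Added example, not Horizon code: the durations, the timeout, and the assumption
that each vCenter Server instance contributes its own concurrency slots are
constructed for this illustration.
"""
import heapq


def simulate_queue(num_ops, concurrency_per_vcenter, vcenters, op_seconds, timeout_seconds):
    """All num_ops identical operations are submitted at t=0.

    Returns each operation's start and finish time, the indexes of operations
    whose wait in the queue exceeded timeout_seconds, and the total makespan."""
    # Assumption for this example: slots add up across vCenter Server instances.
    slots = concurrency_per_vcenter * vcenters
    in_flight = []           # min-heap of finish times of running operations
    starts, finishes = [], []
    for _ in range(num_ops):
        if len(in_flight) < slots:
            start = 0.0      # a free slot: the operation starts immediately
        else:
            start = heapq.heappop(in_flight)  # wait for the earliest finish
        finish = start + op_seconds
        heapq.heappush(in_flight, finish)
        starts.append(start)
        finishes.append(finish)
    # An operation "times out" when it waited in the queue longer than the limit.
    timed_out = [i for i, start in enumerate(starts) if start > timeout_seconds]
    return {
        "starts": starts,
        "finishes": finishes,
        "timed_out": timed_out,
        "makespan": max(finishes) if finishes else 0.0,
    }


def describe(result):
    """Summarize the waves of a simulation run for a planning discussion."""
    waves = sorted(set(result["starts"]))
    return "%d waves starting at %s; %d operation(s) exceeded the wait timeout; done at %.0fs" % (
        len(waves), waves, len(result["timed_out"]), result["makespan"])


if __name__ == "__main__":
    # Constructed scenario: a 60-desktop pool, limit of 20 concurrent
    # provisioning operations, 30 s per operation, 45 s wait tolerance.
    print("one vCenter:", describe(simulate_queue(60, 20, 1, 30.0, 45.0)))
    print("two vCenters:", describe(simulate_queue(60, 20, 2, 30.0, 45.0)))
```

With one vCenter Server instance the 60 operations run in three waves of 20, and the last wave waits 60 seconds, past the constructed 45-second tolerance; doubling the slots removes the third wave and the timeouts, which is the effect the document attributes to using multiple vCenter Server instances in a pod.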
Planning for Security Features 5 Horizon 7 offers strong network security to protect sensitive corporate data. For added security, you can integrate Horizon 7 with certain third-party user-authentication solutions, use a security server, and implement the restricted entitlements feature. Important Horizon 6 version 6.2 and later releases can perform cryptographic operations using FIPS (Federal Information Processing Standard) 140-2 compliant algorithms.
- Client Connections Using the PCoIP and Blast Secure Gateways on page 78
When clients connect to a remote desktop or application with the PCoIP or Blast Extreme display protocol from VMware, Horizon Client can make a second connection to the applicable Secure Gateway component on a Horizon Connection Server instance, security server, or Unified Access Gateway appliance.
Chapter 5 Planning for Security Features
Tunneled Client Connections with Microsoft RDP
When users connect to a remote desktop with the Microsoft RDP display protocol, Horizon Client can make a second HTTPS connection to the Horizon Connection Server host. This connection is called the tunnel connection because it provides a tunnel for carrying RDP data. The tunnel connection offers the following advantages:
- RDP data is tunneled through HTTPS and is encrypted using SSL.
Choosing a User Authentication Method
Horizon 7 uses your existing Active Directory infrastructure for user authentication and management. For added security, you can integrate Horizon 7 with two-factor authentication solutions, such as RSA SecurID and RADIUS, and smart card authentication solutions.
Administrators can use the vdmadmin command-line interface to configure domain filtering, which limits the domains that a Connection Server instance searches and that it displays to users. See the View Administration document for more information. Policies, such as restricting permitted hours to log in and setting the expiration date for passwords, are also handled through existing Active Directory operational procedures.
Using the Log In as Current User Feature Available with Windows-Based Horizon Client
With Horizon Client for Windows, when users select the Log in as current user check box, the credentials that they provided when logging in to the client system are used to authenticate to the Horizon Connection Server instance and to the remote desktop. No further user authentication is required.
For example, your Horizon 7 deployment might include two Connection Server instances. The first instance supports your internal users. The second instance is paired with a security server and supports your external users. To prevent external users from accessing certain desktops, you could set up restricted entitlements as follows:
- Assign the tag "Internal" to the Connection Server instance that supports your internal users.
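The two-Connection-Server layout above, worked through as an added example (not VMware code). The matching rule it encodes is an assumption that this page does not spell out: an untagged pool is reachable from every Connection Server, an untagged Connection Server reaches only untagged pools, and a tagged server reaches a tagged pool only when they share at least one tag. Server and pool names are constructed samples.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ConnectionServer:
    name: str
    tags: frozenset = frozenset()


@dataclass(frozen=True)
class DesktopPool:
    name: str
    tags: frozenset = frozenset()


def pool_reachable(server: ConnectionServer, pool: DesktopPool) -> bool:
    """Return True when a session brokered by `server` may reach `pool`.

    Assumed tag-matching rule (see lead-in); not taken from this page.
    """
    if not pool.tags:
        return True            # untagged pool: offered from every Connection Server
    if not server.tags:
        return False           # untagged server: sees only untagged pools
    return bool(server.tags & pool.tags)


def visible_pools(server: ConnectionServer, pools) -> list[str]:
    """Names of the pools that users brokered by `server` can be offered."""
    return [p.name for p in pools if pool_reachable(server, p)]


# Constructed deployment: an internal instance and an external instance that
# is paired with a security server, as in the text above.
INTERNAL_CS = ConnectionServer("cs-internal", frozenset({"Internal"}))
EXTERNAL_CS = ConnectionServer("cs-external", frozenset({"External"}))
POOLS = [
    DesktopPool("finance-desktops", frozenset({"Internal"})),   # internal users only
    DesktopPool("contractor-desktops", frozenset({"External"})),
    DesktopPool("kiosk-desktops"),                              # untagged: everyone
]

if __name__ == "__main__":
    for cs in (INTERNAL_CS, EXTERNAL_CS):
        print(cs.name, "->", visible_pools(cs, POOLS))
```

Pools whose tags match neither server are offered through neither, so an external user brokered by cs-external never sees finance-desktops.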
Using Group Policy Settings to Secure Remote Desktops and Applications
Horizon 7 includes Group Policy administrative ADMX templates that contain security-related group policy settings that you can use to secure your remote desktops and applications. For example, you can use group policy settings to perform the following tasks.
Assigning Administrator Roles
A key management task in a Horizon 7 environment is to determine who can use Horizon Administrator and what tasks those users are authorized to perform. The authorization to perform tasks in Horizon Administrator is governed by an access control system that consists of administrator roles and privileges. A role is a collection of privileges.
Best Practices for Security Server Deployments
Follow these best practice security policies and procedures when operating a security server in a DMZ. The DMZ Virtualization with VMware Infrastructure white paper includes examples of best practices for a virtualized DMZ. Many of the recommendations in this white paper also apply to a physical DMZ.
When users outside the corporate network connect to a security server, they must successfully authenticate before they can access remote desktops and applications. With appropriate firewall rules on both sides of the DMZ, this topology is suitable for accessing remote desktops and applications from client devices located on the Internet. You can connect multiple security servers to each instance of Connection Server.
- A back-end firewall, between the DMZ and the internal network, is required to provide a second tier of security. You configure this firewall to accept only traffic that originates from the services within the DMZ. Firewall policy strictly controls inbound communications from DMZ services, which greatly reduces the risk of compromising your internal network.
Figure 5-4 shows an example of a configuration that includes front-end and back-end firewalls.
Figure 5‑4.
Table 5‑1. Front-End Firewall Rules
Source | Default Port | Protocol | Destination | Default Port | Notes
Horizon Client | TCP Any | HTTP | Security Server | TCP 80 | (Optional) External client devices connect to a security server within the DMZ on TCP port 80 and are automatically directed to HTTPS. For information about the security considerations related to letting users connect with HTTP rather than HTTPS, see the View Security guide.
Table 5‑2. Back-End Firewall Rules (Continued)
Source | Default Port | Protocol | Destination | Default Port | Notes
Security server | TCP Any | JMS | Connection Server | TCP 4002 | Security servers connect to Connection Server instances on TCP port 4002 to exchange secure Java Message Service (JMS) traffic.
Security server | TCP Any | RDP | Remote desktop | TCP 3389 | Security servers connect to remote desktops on TCP port 3389 to exchange RDP traffic.
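A default-deny evaluator for the back-end firewall described above, as an added example (not VMware code or configuration). It encodes only the two Table 5‑2 rows visible on this page (JMS on TCP 4002 and RDP on TCP 3389, both originating from the DMZ) and drops everything else; the address ranges and sample flows are constructed.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network

# Constructed sample ranges: security servers live in the DMZ, Connection
# Servers and remote desktops on the internal network.
DMZ = ip_network("192.0.2.0/24")
INTERNAL = ip_network("10.10.0.0/16")
SECURITY_SERVER = ip_address("192.0.2.10")
CONNECTION_SERVER = ip_address("10.10.1.5")
DESKTOP = ip_address("10.10.20.7")
INTERNET_CLIENT = ip_address("203.0.113.44")


@dataclass(frozen=True)
class Rule:
    name: str
    src_net: IPv4Network     # the flow must originate inside this network
    dst_net: IPv4Network
    proto: str
    dst_port: int


# The back-end rules shown in Table 5-2 (continued) on this page.
BACKEND_RULES = [
    Rule("JMS to Connection Server", DMZ, INTERNAL, "tcp", 4002),
    Rule("RDP to remote desktop", DMZ, INTERNAL, "tcp", 3389),
]


def backend_allows(src, dst, proto: str, dst_port: int) -> bool:
    """First matching allow rule wins; any other flow is dropped (default deny)."""
    src, dst = ip_address(src), ip_address(dst)
    return any(
        src in r.src_net and dst in r.dst_net
        and r.proto == proto.lower() and r.dst_port == dst_port
        for r in BACKEND_RULES
    )


def audit(flows):
    """Return the flows the back-end firewall would drop, for review."""
    return [f for f in flows if not backend_allows(*f)]


# Constructed sample flows: (source, destination, protocol, destination port).
SAMPLE_FLOWS = [
    (SECURITY_SERVER, CONNECTION_SERVER, "tcp", 4002),   # JMS: permitted
    (SECURITY_SERVER, DESKTOP, "tcp", 3389),             # tunneled RDP: permitted
    (INTERNET_CLIENT, DESKTOP, "tcp", 3389),             # bypasses the DMZ: dropped
    (SECURITY_SERVER, CONNECTION_SERVER, "tcp", 22),     # not a listed service: dropped
]

if __name__ == "__main__":
    for flow in audit(SAMPLE_FLOWS):
        print("DROP", flow)
```

The third flow is the case the back-end firewall exists for: an RDP connection to a desktop that did not originate from a DMZ service is refused regardless of port.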
Figure 5‑5. View Components and Protocols Without a Security Server (diagram: a client device running the RDP Client and Horizon Client connects over PCoIP, RDP and HTTP(S) to the View Secure GW Server and PCoIP Secure GW on the View Connection Server, which also hosts View Messaging and the View Broker & Admin Server; View Administrator connects over HTTP(S); the Connection Server uses SOAP to vCenter Server, LDAP for View Manager, and JMS, RDP and PCoIP to the View Agent on the View desktop virtual machine)
Note: This figure shows direct connections for clients using either PCoIP or RDP.
Figure 5‑6. View Components and Protocols with a Security Server (diagram: client devices running the RDP Client and Horizon Client connect over HTTP(S), Blast and PCoIP to the View Security Server, which hosts a View Secure GW Server & PCoIP Secure GW; the security server passes Blast, PCoIP and RDP, Framework, MMR, CDR... traffic toward the desktops and uses AJP13 and JMS to the View Connection Server, which hosts its own View Secure GW Server & PCoIP Secure GW, the View Broker & Admin Server and View Messaging; View Administrator connects over HTTP(S); the Connection Server uses SOAP to vCenter Server, LDAP for View Manager, and JMS, PCoIP and RDP, Framework, MMR, CDR... toward the agent)
Table 5‑3. Default Ports (Continued)
Protocol | Port
HTTP | TCP port 80
HTTPS | TCP port 443
MMR/CDR | For multimedia redirection and client drive redirection, TCP port 9427
RDP | TCP port 3389
Note: If the Connection Server instance is configured for direct client connections, these protocols connect directly from the client to the remote desktop and are not tunneled through the View Secure GW Server component.
Blast Secure Gateway
Security servers and Access Point appliances include a Blast Secure Gateway component. When the Blast Secure Gateway is enabled, after authentication, clients that use Blast Extreme or HTML Access can make another secure connection to a security server or Access Point appliance. This connection allows clients to access remote desktops and applications from the Internet.
Intercomponent message validation uses DSA keys. The key size is 512 bits by default, except in FIPS mode, where the key size is 2048 bits.
Note: When the message security mode is set to Enhanced, SSL/TLS is used to secure JMS connections rather than using per-message encryption. In enhanced message security mode, validation applies to only one message type. For enhanced message mode, VMware recommends increasing the key size to 2048 bits.
Firewall Rules for Horizon Agent
The Horizon Agent installation program optionally configures Windows Firewall rules on remote desktops and RDS hosts to open the default network ports. Ports are incoming unless otherwise noted. The agent installation program configures the local firewall rule for inbound RDP connections to match the current RDP port of the host operating system, which is typically 3389.
6 Overview of Steps to Setting Up a Horizon 7 Environment
Complete these high-level tasks to install Horizon 7 and configure an initial deployment.
Table 6‑1. View Installation and Setup Check List
Step | Task
1 | Set up the required administrator users and groups in Active Directory. Instructions: View Installation and vSphere documentation.
2 | If you have not yet done so, install and set up ESXi hosts and vCenter Server. Instructions: VMware vSphere documentation.
Table 6‑1. View Installation and Setup Check List (Continued)
Step | Task
12 | (Optional) Configure Horizon Persona Management, which gives users access to personalized data and settings whenever they log in to a desktop. Instructions: Setting Up Virtual Desktops in Horizon 7.
13 | (Optional) For added security, integrate smart card authentication or a RADIUS two-factor authentication solution. Instructions: View Administration document.