View Architecture Planning
Modified for Horizon 7 7.3.2
VMware Horizon 7 7.
You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/
If you have comments about this documentation, submit your feedback to docfeedback@vmware.com
VMware, Inc., 3401 Hillview Ave., Palo Alto, CA 94304, www.vmware.com
Copyright © 2009–2017 VMware, Inc. All rights reserved. Copyright and trademark information.
Contents

Horizon 7 Architecture Planning
1 Introduction to Horizon 7
  Advantages of Using Horizon 7
  Horizon 7 Features
  How the Components Fit Together
  Integrating and Customizing Horizon 7
2 Planning a Rich User Experience
  Feature Support Matrix for Horizon Agent
  Choosing a Display Protocol
  Using Published Applications
  Using Horizon Persona Management to Retain User Data and Settings
  Using USB Devices with Remote Desktops and Applications
  Using the Real-Time Aud
  Storage and Bandwidth Requirements
  Horizon 7 Building Blocks
  Horizon 7 Pods
  Advantages of Using Multiple vCenter Servers in a Pod
5 Planning for Security Features
  Understanding Client Connections
  Choosing a User Authentication Method
  Restricting Remote Desktop Access
  Using Group Policy Settings to Secure Remote Desktops and Applications
  Using Smart Policies
  Implementing Best Practices to Secure Client Systems
  Assigning Administrator Rol
Horizon 7 Architecture Planning

Horizon 7 Architecture Planning provides an introduction to VMware Horizon™ 7, including a description of its major features and deployment options and an overview of how the components are typically set up in a production environment.
1 Introduction to Horizon 7

With Horizon 7, IT departments can run remote desktops and applications in the datacenter and deliver these desktops and applications to employees as a managed service. End users gain a familiar, personalized environment that they can access from any number of devices anywhere throughout the enterprise or from home. Administrators gain centralized control, efficiency, and security by having desktop data in the datacenter.
- The ability to provision remote desktops with pre-created Active Directory accounts addresses the requirements of locked-down Active Directory environments that have read-only access policies.
- Data backups can be scheduled without considering when end users' systems might be turned off.
- Remote desktops and applications that are hosted in a data center experience little or no downtime. Virtual machines can reside on high-availability clusters of VMware servers.
Manageability

Provisioning desktops and applications for end users is a quick process. No one is required to install applications one by one on each end user's physical PC. End users connect to a remote application or a remote desktop complete with applications. End users can access their same remote desktop or application from various devices at various locations.
- If remote desktops use the space-efficient disk format available with vSphere 5.1 and later, stale or deleted data within a guest operating system is automatically reclaimed with a wipe and shrink process.

Hardware Independence

Remote desktops and applications are hardware-independent.
- Use Horizon Persona Management to retain user settings and data between sessions even after the desktop has been refreshed or recomposed. Persona Management has the ability to replicate user profiles to a remote profile store (CIFS share) at configurable intervals. You can also use a standalone version of Persona Management on physical computers and virtual machines that are not managed by Horizon 7.
- Send updates and patches to virtual desktops without affecting user settings, data, or preferences.
- Integrate with VMware Identity Manager so that end users can access remote desktops through the user portal on the Web, as well as use VMware Identity Manager from a browser inside a remote desktop.
Figure 1‑2.
Horizon Connection Server

This software service acts as a broker for client connections. Horizon Connection Server authenticates users through Windows Active Directory and directs the request to the appropriate virtual machine, physical PC, or Microsoft RDS host.
Horizon Client

The client software for accessing remote desktops and applications can run on a tablet, a phone, a Windows, Linux, or Mac PC or laptop, a thin client, and more. After logging in, users select from a list of remote desktops and applications that they are authorized to use. Authorization can require Active Directory credentials, a UPN, a smart card PIN, or an RSA SecurID or other two-factor authentication token.
Horizon Agent

You install the Horizon Agent service on all virtual machines, physical systems, and Microsoft RDS hosts that you use as sources for remote desktops and applications. On virtual machines, this agent communicates with Horizon Client to provide features such as connection monitoring, virtual printing, Horizon Persona Management, and access to locally connected USB devices.
vCenter Server

This service acts as a central administrator for VMware ESXi servers that are connected on a network. vCenter Server provides the central point for configuring, provisioning, and managing virtual machines in the datacenter.
- VMware Mirage and Horizon FLEX

IT managers can use the browser-based administration console of VMware Identity Manager to monitor user and group entitlements to remote desktops. You can use Mirage and Horizon FLEX to deploy and update applications on dedicated full-clone remote desktops without overwriting user-installed applications or data. Mirage provides a better offline virtual desktop solution than the Local Mode feature that was previously included with Horizon 7.
can create policies that take effect only if certain conditions are met. For example, you can configure a policy that disables the client drive redirection feature if a user connects to a remote desktop from outside your corporate network.

VMware Unified Access Gateway

Unified Access Gateway functions as a secure gateway for users who want to access remote desktops and applications from outside the corporate firewall.
This feature is available only on some types of clients. To find out whether this feature is supported on a particular type of client, see the feature support matrix included in the "Using VMware Horizon Client" document for the specific type of desktop or mobile client device. Go to https://www.vmware.com/support/viewclients/doc/viewclients_pubs.html.
You can alternatively generate Horizon 7 events in Syslog format so that the event data can be accessible to analytics software. If you enable file-based logging of events, events are accumulated in a local log file. If you specify a file share, the log files are moved to that share. For more information, see the View Installation document.
- Back up a configuration so that you can restore the state of a Connection Server instance. For more information, see the View Integration document.

Using SCOM to Monitor Horizon 7 Components

You can use Microsoft System Center Operations Manager (SCOM) to monitor the state and performance of Horizon 7 components, including Connection Server instances and security servers and the services running on these hosts. For more information, see the View Integration document.
2 Planning a Rich User Experience

Horizon 7 provides the familiar, personalized desktop environment that end users expect. For example, on some client systems, end users can access USB and other devices connected to their local computer, send documents to any printer that their local computer can detect, authenticate with smart cards, and use multiple display monitors. Horizon 7 includes many features that you might want to make available to your end users.
To see a list of specific remote experience features supported on Windows operating systems where Horizon Agent is installed, see the VMware Knowledge Base (KB) article http://kb.vmware.com/kb/2150305.

Note: For information about which features are supported on the various types of client devices, see the Horizon Client documentation at https://www.vmware.com/support/viewclients/doc/viewclients_pubs.html.
- Advanced Encryption Standard (AES) 128-bit encryption is supported and is turned on by default. You can, however, change the encryption key cipher to AES-256.
- Connections from all types of client devices.
- Optimization controls for reducing bandwidth usage on the LAN and WAN.
Recommended Guest Operating System Settings

1 GB of RAM or more and a dual CPU is recommended for playing in high-definition, full screen mode, or 720p or higher formatted video. To use Virtual Dedicated Graphics Acceleration for graphics-intensive applications such as CAD applications, 4 GB of RAM is required.

Video Quality Requirements

480p-formatted video: You can play video at 480p or lower at native resolutions when the remote desktop has a single virtual CPU.
PCoIP

PCoIP (PC over IP) provides an optimized desktop experience for the delivery of a remote application or an entire remote desktop environment, including applications, images, audio, and video content for a wide range of users on the LAN or across the WAN. PCoIP can compensate for an increase in latency or a reduction in bandwidth, to ensure that end users can remain productive regardless of network conditions.
For information about which desktop operating systems support specific PCoIP features, see Feature Support Matrix for Horizon Agent. For information about which client devices support specific PCoIP features, go to https://www.vmware.com/support/viewclients/doc/viewclients_pubs.html.

Recommended Guest Operating System Settings

1 GB of RAM or more and a dual CPU is recommended for playing in high-definition, full screen mode, or 720p or higher formatted video.
Microsoft RDP

Remote Desktop Protocol is the same multichannel protocol many people already use to access their work computer from their home computer. Microsoft Remote Desktop Connection (RDC) uses RDP to transmit data. Microsoft RDP is a supported display protocol for remote desktops that use virtual machines, physical machines, or shared session desktops on an RDS host.
Deploying published applications in this way might be preferable to deploying complete remote desktops under the following conditions:
- If an application is set up with a multi-tiered architecture, where the components work better if they are located geographically near each other, using published applications is a good solution. For example, when a user must access a database remotely, if large amounts of data must be transmitted over the WAN, performance is usually affected.
With Persona Management, if you provision desktops with VMware ThinApp applications, the ThinApp sandbox data can also be stored in the user profile. This data can roam with the user but does not significantly affect logon times. This strategy provides better protection against data loss or corruption.

Configuration Options

You can configure Horizon 7 personas at several levels: a single remote desktop, a desktop pool, an OU, or all remote desktops in your deployment.
Using USB Devices with Remote Desktops and Applications

Administrators can configure the ability to use USB devices, such as thumb flash drives, cameras, VoIP (voice-over-IP) devices, and printers, from a remote desktop. This feature is called USB redirection, and it supports using the Blast Extreme, PCoIP, or Microsoft RDP display protocol. A remote desktop can accommodate up to 128 USB devices.
Using the Real-Time Audio-Video Feature for Webcams and Microphones

With the Real-Time Audio-Video feature, you can use the local client system's webcam or microphone on a remote desktop. Real-Time Audio-Video is compatible with standard conferencing applications and browser-based video applications, and supports standard webcams, audio USB devices, and analog audio input.
Virtual Dedicated Graphics Acceleration (vDGA)

Available with vSphere 5.5 and later, this feature dedicates a single physical GPU on an ESXi host to a single virtual machine. Use this feature if you require high-end, hardware-accelerated workstation graphics.

Note: Some Intel vDGA cards require a certain vSphere 6 version. See the VMware Hardware Compatibility List at http://www.vmware.com/resources/compatibility/search.php.
Printing from a Remote Desktop

The virtual printing feature allows end users on some client systems to use local or network printers from a remote desktop without requiring that additional print drivers be installed in the remote desktop operating system. The location-based printing feature allows you to map remote desktops to the printer that is closest to the endpoint client device.
True SSO

With the True SSO feature, introduced with Horizon 7 and VMware Identity Manager 2.6, users are no longer required to supply Active Directory credentials at all. After users log in to VMware Identity Manager using any non-AD method (for example, RSA SecurID or RADIUS authentication), users are not prompted to also enter Active Directory credentials in order to use a remote desktop or application.
- With the VMware Blast display protocol or the PCoIP display protocol, a remote desktop screen resolution of 4K (3840 x 2160) is supported. The number of 4K displays that are supported depends on the hardware version of the desktop virtual machine and the Windows version.

Hardware Version             Windows Version   Number of 4K Displays Supported
10 (ESXi 5.5.x compatible)   7, 8, 8.x, 10     1
11 (ESXi 6.
3 Managing Desktop and Application Pools from a Central Location

You can create pools that include one or hundreds or thousands of remote desktops. As a desktop source, you can use virtual machines, physical machines, and Windows Remote Desktop Services (RDS) hosts. Create one virtual machine as a base image, and Horizon 7 can generate a pool of remote desktops from that image. You can also create pools of applications that give users remote access to applications.
Using pools to manage desktops allows you to apply settings or deploy applications to all remote desktops in a pool. The following examples show some of the settings available:
- Specify which remote display protocol to use as the default for the remote desktop and whether to let end users override the default.
- Accelerated deployment: With application pools, deploying applications can be accelerated because you only deploy applications on servers in a data center and each server can support multiple users.
- Manageability: Managing software that is deployed on client computers and devices typically requires significant resources. Management tasks include deployment, configuration, maintenance, support, and upgrades.
- Reducing Storage Requirements with View Composer: Because View Composer creates desktop images that share virtual disks with a base image, you can reduce the required storage capacity by 50 to 90 percent.
- Reducing Storage Requirements with Instant Clones: The instant clones feature leverages vSphere vmFork technology (available with vSphere 6.
Virtual SAN also lets you manage virtual machine storage and performance by using storage policy profiles. If the policy becomes noncompliant because of a host, disk, or network failure, or workload changes, Virtual SAN reconfigures the data of the affected virtual machines and optimizes the use of resources across the cluster. You can deploy a desktop pool on a cluster that contains up to 20 ESXi hosts.
Using Virtual SAN for High-Performance Storage and Policy-Based Management

VMware Virtual SAN is a software-defined storage tier, available with vSphere 5.5 Update 1 or a later release, that virtualizes the local physical storage disks available on a cluster of vSphere hosts.
- Virtual SAN does not support the View Composer Array Integration (VCAI) feature because Virtual SAN does not use NAS devices.

Note: Virtual SAN is compatible with the View Storage Accelerator feature. Virtual SAN provides a caching layer on SSD disks, and the View Storage Accelerator feature provides a content-based cache that reduces IOPS and improves performance during boot storms.

The Virtual SAN feature has the following requirements:
- vSphere 5.
Virtual Volumes has the following benefits:
- Virtual Volumes supports offloading a number of operations to storage hardware. These operations include snapshotting, cloning, and Storage DRS.
- With Virtual Volumes, you can use advanced storage services that include replication, encryption, deduplication, and compression on individual virtual disks.
Replica and Linked Clones on the Same Datastore

When you create a linked-clone desktop pool or farm of Microsoft RDS hosts, a full clone is first made from the parent virtual machine. The full clone, or replica, and the clones linked to it can be placed on the same datastore, or LUN (logical unit number).
Local Datastores for Floating, Stateless Desktops

Linked-clone desktops can be stored on local datastores, which are internal spare disks on ESXi hosts. Local storage offers advantages such as inexpensive hardware, fast virtual-machine provisioning, high-performance power operations, and simple management. However, using local storage limits the vSphere infrastructure configuration options that are available to you.
Replica and Instant Clones on the Same Datastore

When you create an instant clone desktop pool, a full clone is first made from the master virtual machine. The full clone, or replica, and the clones linked to it can be placed on the same datastore, or LUN (logical unit number).

Replica and Instant Clones on Different Datastores

Alternatively, you can place instant clone replicas and instant clones on separate datastores with different performance characteristics.
- You cannot use the vSphere Distributed Resource Scheduler (DRS).

If you are deploying instant clones on a single ESXi host with a local datastore, you must configure a cluster containing that single ESXi host. If you have a cluster of two or more ESXi hosts with local datastores, select the local datastore from each of the hosts in the cluster. Otherwise, instant clone creation fails. This behavior differs from the behavior of local datastores with View Composer linked clones.
Application Provisioning

With Horizon 7, you have several options regarding application provisioning: You can use traditional application provisioning techniques, you can provide remote applications rather than a remote desktop, you can distribute application packages created with VMware ThinApp, you can deploy applications as part of a View Composer or instant clone base image, or you can attach applications using App Volumes.
Using this strategy simplifies adding, removing, and updating applications; adding or removing user entitlements to applications; and providing access from any device or network to centrally or distributed application farms.

Deploying Applications and System Updates with View Composer

Because linked-clone desktop pools share a base image, you can quickly deploy updates and patches by updating the parent virtual machine.
- Adding applications
- Adding virtual devices
- Changing other virtual machine settings, such as available memory

Managing VMware ThinApp Applications in View Administrator

VMware ThinApp™ lets you package an application into a single file that runs in a virtualized application sandbox. This strategy results in flexible, conflict-free application provisioning.
Deploying and Managing Applications Using App Volumes

VMware App Volumes offers an alternative way to manage applications by virtualizing applications above the operating system. By using this strategy, applications, data files, settings, middleware, and configurations act as separate, layered containers. These containers are called application stacks (AppStacks) when in read-only mode or writable volumes when in read-write mode.
Using Active Directory GPOs to Manage Users and Desktops

Horizon 7 includes many Group Policy administrative ADMX templates for centralizing the management and configuration of Horizon 7 components and remote desktops.
4 Architecture Design Elements and Planning Guidelines for Remote Desktop Deployments

A typical Horizon 7 architecture design uses a pod strategy. Pod definitions can vary, based on hardware configuration, Horizon 7 and vSphere software versions used, and other environment-specific design factors. The examples in this document illustrate a scalable design that you can adapt to your enterprise environment and special requirements.
- Advantages of Using Multiple vCenter Servers in a Pod

Virtual Machine Requirements for Remote Desktops

When you plan the specifications for remote desktops, the choices that you make regarding RAM, CPU, and disk space have a significant effect on your choices for server and storage hardware and expenditures.
Power users: Power users include application developers and people who use graphics-intensive applications.

Kiosk users: These users need to share a desktop that is located in a public place. Examples of kiosk users include students using a shared computer in a classroom, nurses at nursing stations, and computers used for job placement and recruiting. These desktops require automatic login. Authentication can be done through certain applications if necessary.
RAM Sizing Impact on Storage

The amount of RAM that you allocate to a virtual machine is directly related to the size of certain files that the virtual machine uses. To access the files in the following list, use the Windows guest operating system to locate the Windows page and hibernate files, and use the ESXi host's file system to locate the ESXi swap and suspend files.

Windows page file: By default, this file is sized at 150 percent of guest RAM.
Table 4‑1. PCoIP or Blast Extreme Client Display Overhead

Display Resolution Standard   Width, in Pixels   Height, in Pixels   1-Monitor Overhead   2-Monitor Overhead   3-Monitor Overhead   4-Monitor Overhead
VGA                           640                480                 1.20MB               3.20MB               4.80MB               5.60MB
WXGA                          1280               800                 4.00MB               12.50MB              18.75MB              25.00MB
1080p                         1920               1080                8.00MB               25.40MB              38.00MB              50.60MB
WQXGA                         2560               1600                16.00MB              60.00MB              84.80MB              109.60MB
UHD (4K)                      3840               2160                32.00MB              78.00MB              124.
Estimating CPU Requirements for Virtual Machine Desktops

When estimating CPU, you must gather information about the average CPU utilization for various types of workers in your enterprise. CPU requirements vary by worker type. During your pilot phase, use a performance monitoring tool, such as Perfmon in the virtual machine, esxtop in ESXi, or vCenter Server performance monitoring tools, to understand both the average and peak CPU use levels for these groups of workers.
Choosing the Appropriate System Disk Size

When allocating disk space, provide only enough space for the operating system, applications, and additional content that users might install or generate. Usually this amount is smaller than the size of the disk that is included on a physical PC. Because datacenter disk space usually costs more per gigabyte than desktop or laptop disk space in a traditional PC deployment, optimize the operating system image size.
If you use instant clones, the .vmdk files grow over time within a login session. Whenever a user logs out, the instant clone desktop is automatically deleted and a new instant clone is created and ready for the next user to log in. With this process, the desktop is effectively refreshed and returned to its original size. You can also add 15 percent to this estimate to be sure that users do not run out of disk space.
Desktop Pools for Specific Types of Workers

Horizon 7 provides many features to help you conserve storage and reduce the amount of processing power required for various use cases. Many of these features are available as pool settings. The most fundamental question to consider is whether a certain type of user needs a stateful desktop image or a stateless desktop image.
- Pools for Knowledge Workers and Power Users

Knowledge workers must be able to create complex documents and have them persist on the desktop. Power users must be able to install their own applications and have them persist. Depending on the nature and amount of personal data that must be retained, the desktop can be stateful or stateless.
- Use the Persona Management feature so that users always have their preferred desktop appearance and application settings, as with Windows user profiles. If you do not have the desktops set to be refreshed or deleted at logoff, you can configure the persona to be removed at logoff.

Important: Persona Management facilitates implementing a floating-assignment pool for those users who want to retain settings between sessions.
- If you use View Composer linked-clone desktops, implement Persona Management, roaming profiles, or another profile management solution. You can also configure persistent disks so that you can refresh and recompose the linked-clone OS disks while keeping a copy of the user profile on the persistent disks.
- Use the Persona Management feature so that users always have their preferred desktop appearance and application settings, as with Windows user profiles.
As part of this setup, you can use the following instant-clone desktop pool settings.
- If you are using instant clone desktop pools, Horizon 7 automatically deletes the instant clone whenever a user logs out. A new instant clone is created and ready for the next user to log in, thus effectively refreshing the desktop on every log out.

As part of this setup, you can use the following View Composer linked-clone desktop pool settings.
Table 4‑2.
vCenter Server and View Composer Virtual Machine Configuration

You can install vCenter Server and View Composer on the same virtual machine or on separate servers. These servers require much more memory and processing power than a desktop virtual machine. VMware tested having View Composer create and provision 2,000 desktops per pool using vSphere 5.1 or later. VMware also tested having View Composer perform a recompose operation on 2,000 desktops at a time.
Table 4‑4. vCenter Server Virtual Machine Example (Continued)

Item                                                 Example for a vCenter Server That Manages 10,000 Desktops   Example for a vCenter Server That Manages 2,000 Desktops
Maximum concurrent vCenter provisioning operations   20                                                          20
Maximum concurrent power operations                  50                                                          50

Table 4‑5.
Table 4‑6.
PCoIP Secure Gateway connections are required if you use security servers or Unified Access Gateway appliances for PCoIP connections from outside the corporate network. Blast Secure Gateway connections are required if you use security servers or Unified Access Gateway appliances for Blast Extreme or HTML Access connections from outside the corporate network.
Table 4‑8. Hardware Requirements for Unified Access Gateway (Continued)

Item                      Example
Virtual network adapter   VMXNET 3
Network adapter           1Gbps NIC
Network Mapping           Single NIC option

vSphere Clusters

Horizon 7 deployments can use VMware HA clusters to guard against physical server failures. Depending on your setup, clusters can contain up to 32 nodes. vSphere and vCenter Server provide a rich set of features for managing clusters of servers that host virtual machine desktops.
In cases where availability requirements are high, proper configuration of VMware HA is essential. If you use VMware HA and are planning for a fixed number of desktops per server, run each server at a reduced capacity. If a server fails, the capacity of desktops per server is not exceeded when the desktops are restarted on a different host.
Table 4‑10. Virtual Machine Desktop Cluster Example (Continued)

Item                 Example
Nodes (ESXi hosts)   Following are examples of various servers that could be used for each cluster:
                     - 12 Dell PowerEdge R720 (16 cores * 2 GHz; and 192GB RAM on each host)
                     - 16 Dell PowerEdge R710 (12 cores * 2.
Shared Storage Example

For a View 5.2 test environment, View Composer replica virtual machines were placed on high-read-performance solid-state drives (SSD), which support tens of thousands of I/Os per second (IOPS). Linked clones were placed on traditional, lower-performance spinning media-backed datastores, which are less expensive and provide higher storage capacity.
For pool 1:
- 360 15K 300GB HDD (47TB usable)
- 97 450GB LUNs for desktops

For pool 2:
- 296 15K 300GB HDD (39TB usable)
- 7 450GB LUNs for infrastructure
- 85 450GB LUNs for desktops

This storage strategy is illustrated in the following figure.

Figure 4‑1.
If you use View Composer with vSphere 5.1 or later virtual machine desktops, you can use the space reclamation feature. With this feature, stale or deleted data within a guest operating system is automatically reclaimed with a wipe and shrink process when the amount of unused disk space reaches a certain threshold. Note that the space reclamation feature is not supported if you use a Virtual SAN datastore.
In addition to determining best practices, VMware recommends that you provide bandwidth of 1Gbps per 100 virtual machines, even though average bandwidth might be 10 times less than that. Such conservative planning guarantees sufficient storage connectivity for peak loads.

Network Bandwidth Considerations

Certain virtual and physical networking components are required to accommodate a typical workload.
You can also configure a lower limit, in kilobits per second, for the bandwidth that is reserved for the session, so that a user does not have to wait for bandwidth to become available. You can specify the Maximum Transmission Unit (MTU) size for UDP packets for a session, from 500 to 1500 bytes. For more information, see the "PCoIP General Settings" and the "VMware Blast Policy Settings" sections in Configuring Remote Desktop Features in Horizon 7.
- Desktop-dvswitch (2 uplink per host)
Infrastructure VLAN /24 (256 addresses). This switch was used by the ESXi hosts of parent and desktop virtual machines.
- Jumbo frame (9000 MTU)
- 6 Ephemeral distributed port groups
- 5 Desktop port groups (1 per pool)
- Each network was /21, 2048 addresses

View Composer Performance Test Results

These test results describe a View 5.2 setup with 10,000 desktops, in which one vCenter Server 5.
For 10,000 desktops the logon storm occurred over a 60-minute period, using a normal distribution of logon times. The virtual machines were powered on and were available before the logon storm began. After logon, a workload started, which included the following applications: Adobe Reader, Microsoft Outlook, Internet Explorer, Microsoft Word, and Notepad.
In a test pod that contained 5 pools of 2,000 virtual machines in each pool, 2 datastores were added to the pod for one test. For another test, 2 datastores were removed from the pod. After the datastores were added or removed, a rebalance operation was performed on one of the pools. A rebalance of one pool of 2,000 virtual machines took 9 hours. All virtual machines were powered on and available before the rebalance operation began.
- 2Mbps per simultaneous user running 480p video, depending upon the configured frame rate limit and the video type.

Note: The estimate of 50 to 150Kbps per typical user is based on the assumption that all users are operating continuously and performing similar tasks over an 8- to 10-hour day. The 50Kbps bandwidth usage figure is from View Planner testing on a LAN with the Build-to-Lossless feature disabled.
Horizon 7 Building Blocks

A building block consists of physical servers, a vSphere infrastructure, Horizon 7 servers, shared storage, and virtual machine desktops for end users. A building block is a logical construct and should not be sized for more than 2,000 Horizon desktops.
Table 4‑12. Example of a LAN-Based Horizon 7 Pod Constructed of 5 Building Blocks (Continued)

Item                        Number
10Gb Ethernet module        1
Modular networking switch   1

Each vCenter Server can support up to 10,000 virtual machines. This support enables you to have building blocks that contain more than 2,000 virtual machine desktops. However, the actual block size is also subject to other Horizon 7-specific limitations.
Although using one vCenter Server and one View Composer for 10,000 desktops is possible, doing so creates a situation where there is a single point of failure. The loss of that single vCenter Server renders the entire desktop deployment unavailable for power, provisioning, and refit operations. For this reason, choose a deployment architecture that meets your requirements for overall component resiliency.
In the example topology, two previously standalone pods in different datacenters are joined together to form a single pod federation. An end user in this environment can connect to a Connection Server instance in the New York datacenter and receive a desktop or application in the London datacenter. The Cloud Pod Architecture feature is not supported in an IPv6 environment. For more information, see Administering Cloud Pod Architecture in Horizon 7.
Because each vSphere cluster must be managed by a single vCenter Server instance, this server represents a single point of failure in every Horizon 7 design. This risk is also true for each View Composer instance. (There is a one-to-one mapping between each View Composer instance and vCenter Server instance.)
Some customers are reducing electricity usage by configuring Horizon 7 to power off desktops not in use so that vSphere DRS (Distributed Resource Scheduler) can consolidate the running virtual machines onto a minimum number of ESXi hosts. VMware Distributed Power Management then powers off the idle hosts. In scenarios such as these, multiple vCenter Server instances can better accommodate the higher frequency of power and refit operations required to avoid operation time-outs.
5 Planning for Security Features

Horizon 7 offers strong network security to protect sensitive corporate data. For added security, you can integrate Horizon 7 with certain third-party user-authentication solutions, use a security server, and implement the restricted entitlements feature.

Important: Horizon 6 version 6.2 and later releases can perform cryptographic operations using FIPS (Federal Information Processing Standard) 140-2 compliant algorithms.
A default SSL server certificate is generated during Connection Server installation. By default, SSL clients are presented with this certificate when they visit a secure page such as Horizon Administrator. You can use the default certificate for testing, but you should replace it with your own certificate as soon as possible. The default certificate is not signed by a commercial Certificate Authority (CA).
- No VPN is required, as long as the display protocol is not blocked by any networking component. For example, someone trying to access a remote desktop or application from a hotel room might find that the hotel's proxy is not configured to pass UDP packets. For more information, see Firewall Rules for DMZ-Based Security Servers.
Direct Client Connections

Administrators can configure Horizon Connection Server settings so that remote desktop and application sessions are established directly between the client system and the remote application or desktop virtual machine, bypassing the Connection Server host. This type of connection is called a direct client connection.
Active Directory Authentication

Each Horizon Connection Server instance is joined to an Active Directory domain, and users are authenticated against Active Directory for the joined domain. Users are also authenticated against any additional user domains with which a trust agreement exists.
Because two-factor authentication solutions such as RSA SecurID and RADIUS work with authentication managers, installed on separate servers, you must have those servers configured and accessible to the Connection Server host. For example, if you use RSA SecurID, the authentication manager would be RSA Authentication Manager. If you have RADIUS, the authentication manager would be a RADIUS server.
Using the Log In as Current User Feature Available with Windows-Based Horizon Client

With Horizon Client for Windows, when users select the Log in as current user check box, the credentials that they provided when logging in to the client system are used to authenticate to the Horizon Connection Server instance and to the remote desktop. No further user authentication is required.
- The client machine must be able to communicate with the corporate Active Directory server and must not use cached credentials for authentication. For example, if users log in to their client machines from outside the corporate network, cached credentials are used for authentication, so the Log in as current user feature cannot be used in that case.
Figure 5‑1. Restricted Entitlements Example (figure: a client device on the external network connects through a View Security Server in the DMZ to a View Connection Server tagged "External"; a second client device connects directly to a View Connection Server tagged "Internal"; desktop pool A is tagged "External" and desktop pool B is tagged "Internal")

You can also use restricted entitlements to control desktop access based on the user-authentication method that you configure for a particular Connection Server instance.
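The tag matching that Figure 5‑1 relies on is worth checking mechanically, because the one case the figure does not show (a pool with no tags) is the one that leaks: an untagged pool is reachable through every Connection Server instance, including the one behind the security server. The following is an added example, not VMware code or tooling. It encodes the documented rule (an untagged pool is reachable from any Connection Server; an untagged Connection Server reaches only untagged pools; when both carry tags at least one tag must match) and audits which pools the externally facing server can reach. The server and pool names, and the untagged server and pool C, are constructed for the example.

```python
"""Restricted-entitlement tag matching for Horizon 7 Connection Server instances.

Added example; this is not VMware code. It encodes the documented matching
rule and audits which pools an externally facing Connection Server can reach.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List


@dataclass(frozen=True)
class ConnectionServer:
    name: str
    tags: FrozenSet[str] = frozenset()


@dataclass(frozen=True)
class DesktopPool:
    name: str
    tags: FrozenSet[str] = frozenset()


def pool_reachable(server: ConnectionServer, pool: DesktopPool) -> bool:
    """Can a session brokered by `server` be entitled to `pool`?

    - pool without tags: reachable through every Connection Server instance
    - server without tags: reaches only pools without tags
    - both tagged: reachable only if at least one tag is shared
    """
    if not pool.tags:
        return True
    if not server.tags:
        return False
    return bool(server.tags & pool.tags)


def reachable_pools(server: ConnectionServer, pools: Iterable[DesktopPool]) -> List[str]:
    """Names of the pools reachable through `server`, sorted for stable output."""
    return sorted(p.name for p in pools if pool_reachable(server, p))


def externally_exposed_pools(servers: Iterable[ConnectionServer],
                             pools: Iterable[DesktopPool],
                             external_tag: str = "External") -> List[str]:
    """Pools reachable through any Connection Server carrying `external_tag`.

    Untagged pools show up here too: leaving a pool untagged makes it reachable
    from the DMZ-facing server, which is usually not what the designer intended.
    """
    pools = list(pools)
    exposed = set()
    for server in servers:
        if external_tag in server.tags:
            exposed.update(reachable_pools(server, pools))
    return sorted(exposed)


# Constructed sample matching Figure 5-1, plus an untagged pool C to show the pitfall.
SAMPLE_SERVERS = [
    ConnectionServer("cs-external", frozenset({"External"})),  # fronted by the security server
    ConnectionServer("cs-internal", frozenset({"Internal"})),
    ConnectionServer("cs-untagged"),                           # hypothetical, no tags
]
SAMPLE_POOLS = [
    DesktopPool("desktop pool A", frozenset({"External"})),
    DesktopPool("desktop pool B", frozenset({"Internal"})),
    DesktopPool("desktop pool C"),                             # hypothetical, no tags
]


def reachability_matrix(servers=SAMPLE_SERVERS, pools=SAMPLE_POOLS) -> Dict[str, List[str]]:
    """Server name -> names of the pools it can broker."""
    return {s.name: reachable_pools(s, pools) for s in servers}


if __name__ == "__main__":
    for name, reachable in reachability_matrix().items():
        print(f"{name}: {reachable}")
    print("exposed to external clients:",
          externally_exposed_pools(SAMPLE_SERVERS, SAMPLE_POOLS))
```

Run against a real environment, the input would be the tag lists from Horizon Administrator; the point of `externally_exposed_pools` is that pool C appears in its output even though nobody tagged it "External", so every pool that must stay internal needs an explicit "Internal" tag.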
- Prevent non-Horizon Client systems from using RDP to connect to remote desktops. You can set this policy so that connections must be Horizon Client-managed, which means that users must use Horizon 7 to connect to remote desktops. See the Configuring Remote Desktop Features in Horizon 7 document for information on using remote desktop and Horizon Client group policy settings.
An administrator can create folders to subdivide desktop pools and delegate the administration of specific desktop pools to different administrators in Horizon Administrator. An administrator configures administrator access to the resources in a folder by assigning a role to a user on that folder. Administrators can only access the resources that reside in folders for which they have assigned roles.
Best Practices for Security Server Deployments

Follow these best practice security policies and procedures when operating a security server in a DMZ. The DMZ Virtualization with VMware Infrastructure white paper includes examples of best practices for a virtualized DMZ. Many of the recommendations in this white paper also apply to a physical DMZ.
Figure 5‑2. Load-Balanced Security Servers in a DMZ (figure: client devices on the external network reach load-balanced View Security Servers in the DMZ; behind them are the View Connection Servers, Microsoft Active Directory, the vCenter management server, and ESX hosts running virtual desktop virtual machines)

When users outside the corporate network connect to a security server, they must successfully authenticate before they can access remote desktops and applications.
Figure 5‑3. Multiple Security Servers (figure: client devices on the external network reach load-balanced View Security Servers in the DMZ; a second load-balancing tier on the internal network fronts the View Connection Servers, behind which are Microsoft Active Directory, the vCenter management server, and ESXi hosts running virtual desktop virtual machines)

You must implement a hardware or software load balancing solution if you install more than one security server. Connection Server does not provide its own load balancing functionality.
Figure 5‑4.
Table 5‑1. Front-End Firewall Rules

Source           Default Port   Protocol   Destination       Default Port
Horizon Client   TCP Any        HTTP       Security Server   TCP 80

Notes: (Optional) External client devices connect to a security server within the DMZ on TCP port 80 and are automatically redirected to HTTPS. For information about the security considerations related to letting users connect with HTTP rather than HTTPS, see the View Security guide.
Table 5‑2. Back-End Firewall Rules (Continued)

Source            Default Port   Protocol   Destination         Default Port
Security server   TCP Any        AJP13      Connection Server   TCP 8009

Notes: Security servers connect to Connection Server instances on TCP port 8009 to forward Web traffic from external client devices. If you enable IPsec, AJP13 traffic does not use TCP port 8009 after pairing. Instead it flows over either NAT-T (UDP port 4500) or ESP, so in that configuration the back-end firewall must permit the IPsec traffic rather than TCP 8009.
Understanding Communications Protocols

Horizon 6 and Horizon 7 components exchange messages by using several different protocols. Figure 5‑5 illustrates the protocols that each component uses for communication when a security server is not configured. That is, the secure tunnel for RDP, the Blast Secure Gateway, and the PCoIP Secure Gateway are not turned on. This configuration might be used in a typical LAN deployment.

Figure 5‑5.
Figure 5‑6. Horizon 6 and Horizon 7 Components and Protocols with a Security Server (figure: client devices (RDP Client, Horizon Client) connect over HTTP(S), Blast and PCoIP to the View Security Server, which hosts the View Secure Gateway Server and the PCoIP Secure Gateway; from there Blast, PCoIP, and RDP, Framework, MMR, CDR... traffic continues to the back end)
Table 5‑3. Default Ports

Protocol   Port
JMS        TCP port 4001
           TCP port 4002
AJP13      TCP port 8009

Note: AJP13 is used in a security server configuration only.
View Secure Gateway Server

View Secure Gateway Server is the server-side component for the secure HTTPS connection between client systems and a security server, Access Point appliance, or View Connection Server instance. When you configure the tunnel connection for View Connection Server, RDP, USB, and Multimedia Redirection (MMR) traffic is tunneled through the View Secure Gateway component.
PCoIP Secure Gateway

Security servers and Access Point appliances include a PCoIP Secure Gateway component. When the PCoIP Secure Gateway is enabled, after authentication, clients that use PCoIP can make another secure connection to a security server or Access Point appliance. This connection allows clients to access remote desktops and applications from the Internet.
If you want all keys to be 1024 bits, the RSA key size must be changed immediately after the first View Connection Server instance is installed and before additional servers and desktops are created. See VMware Knowledge Base (KB) article 1024431 for more information. Treat a 1024-bit key size as a legacy compatibility setting only: NIST SP 800-131A disallows 1024-bit RSA for generating digital signatures, so prefer 2048-bit keys unless a specific legacy client requires the smaller key.

Firewall Rules for Horizon Connection Server

Certain ports must be opened on the firewall for Connection Server instances and security servers.
Firewall Rules for View Agent or Horizon Agent

The View Agent and Horizon Agent installers optionally configure Windows firewall rules on remote desktops and RDS hosts to open the default network ports. Ports are incoming unless otherwise noted. The View Agent and Horizon Agent installers configure the local firewall rule for inbound RDP connections to match the current RDP port of the host operating system, which is typically 3389.
Firewall Rules for Active Directory

If you have a firewall between your View environment and your Active Directory server, you must make sure that all of the necessary ports are opened. For example, View Connection Server must be able to access the Active Directory Global Catalog and Lightweight Directory Access Protocol (LDAP) servers. If the Global Catalog and LDAP ports are blocked by your firewall software, administrators will have problems configuring user entitlements.
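The firewall rule tables in this chapter (Tables 5‑1, 5‑2 and 5‑3 and the agent rules above) are usually checked by eye against the DMZ design in Figures 5‑2 and 5‑3. The following is an added example, not VMware tooling, that does the check mechanically for a security-server deployment: it lists the flows the design needs, reports which ones a candidate policy fails to permit, and flags any rule that lets Internet clients past the security server to a Connection Server or desktop, which would defeat the requirement that external users authenticate at the security server first. It also models the IPsec case from Table 5‑2, where AJP13 stops using TCP 8009 after pairing and either NAT-T (UDP 4500) or ESP must be permitted instead. The ports that appear on this page (80, 8009, 4001/4002, 3389, 4500/ESP) are taken from it; HTTPS 443, PCoIP 4172 and Blast 8443 (client side) and 22443 (agent side) are the Horizon defaults as I know them and are assumptions to confirm against the full tables for your release. The zone names and the sample policy are constructed for the example.

```python
"""Check a DMZ firewall policy against the flows a Horizon 7 security-server
deployment needs. Added example; this is not VMware tooling.

Ports from this page: HTTP 80 (optional), AJP13 8009, JMS 4001/4002, RDP 3389,
IPsec NAT-T UDP 4500 or ESP after pairing. HTTPS 443, PCoIP 4172 and Blast
8443 (client side) / 22443 (agent side) are Horizon defaults as I know them and
are assumptions here; confirm them against Tables 5-1 and 5-2 for your release.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple, Union

ANY = "any"
# Zones used by the model: internet, security_server, connection_server, desktop
DMZ_BYPASS_TARGETS = {"connection_server", "desktop"}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "esp"
    port: Optional[int]   # None for protocols without ports (ESP)
    purpose: str

    def describe(self) -> str:
        port = "" if self.port is None else f"/{self.port}"
        return f"{self.src}->{self.dst} {self.proto}{port} ({self.purpose})"


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    proto: str = ANY
    port: Union[int, str] = ANY

    def permits(self, flow: Flow) -> bool:
        return (self.src in (flow.src, ANY) and self.dst in (flow.dst, ANY)
                and self.proto in (flow.proto, ANY)
                and (self.port == ANY or self.port == flow.port))


Requirement = Tuple[Flow, ...]   # alternatives: any one permitted flow satisfies it


def required_flows(ipsec_paired: bool, allow_http_redirect: bool) -> List[Requirement]:
    ss, cs = "security_server", "connection_server"
    reqs = [
        (Flow("internet", ss, "tcp", 443, "HTTPS logon and secure tunnel"),),
        (Flow("internet", ss, "tcp", 4172, "PCoIP Secure Gateway"),),
        (Flow("internet", ss, "udp", 4172, "PCoIP Secure Gateway"),),
        (Flow("internet", ss, "tcp", 8443, "Blast Secure Gateway"),),
        (Flow(ss, cs, "tcp", 4001, "JMS"),),
        (Flow(ss, cs, "tcp", 4002, "JMS SSL"),),
        (Flow(ss, "desktop", "tcp", 3389, "RDP through the secure tunnel"),),
        (Flow(ss, "desktop", "tcp", 4172, "PCoIP to the agent"),),
        (Flow(ss, "desktop", "udp", 4172, "PCoIP to the agent"),),
        (Flow(ss, "desktop", "tcp", 22443, "Blast to the agent"),),
    ]
    if allow_http_redirect:
        reqs.append((Flow("internet", ss, "tcp", 80, "HTTP redirect to HTTPS"),))
    if ipsec_paired:
        # After IPsec pairing AJP13 leaves TCP 8009 and rides inside NAT-T or ESP.
        reqs.append((Flow(ss, cs, "udp", 4500, "IPsec NAT-T carrying AJP13"),
                     Flow(ss, cs, "esp", None, "IPsec ESP carrying AJP13")))
    else:
        reqs.append((Flow(ss, cs, "tcp", 8009, "AJP13 web traffic"),))
    return reqs


def missing_flows(policy: Iterable[Rule], requirements: Iterable[Requirement]) -> List[str]:
    """Requirements for which no alternative is permitted by any rule."""
    rules = list(policy)
    return [" | ".join(f.describe() for f in alts) for alts in requirements
            if not any(rule.permits(f) for f in alts for rule in rules)]


def dmz_bypass_rules(policy: Iterable[Rule]) -> List[Rule]:
    """Rules that let Internet clients past the security server (where they must
    authenticate first) straight to a Connection Server or a desktop."""
    return [r for r in policy
            if r.src in ("internet", ANY) and (r.dst == ANY or r.dst in DMZ_BYPASS_TARGETS)]


def audit(policy: Iterable[Rule], ipsec_paired: bool = False,
          allow_http_redirect: bool = False) -> Dict[str, list]:
    policy = list(policy)
    return {"missing": missing_flows(policy, required_flows(ipsec_paired, allow_http_redirect)),
            "dmz_bypass": dmz_bypass_rules(policy)}


# Constructed sample policy: forgets UDP 4172 on the front end and has a stray RDP rule.
SAMPLE_POLICY = [
    Rule("internet", "security_server", "tcp", 443),
    Rule("internet", "security_server", "tcp", 4172),
    Rule("internet", "security_server", "tcp", 8443),
    Rule("security_server", "connection_server", "tcp", 8009),
    Rule("security_server", "connection_server", "tcp", 4001),
    Rule("security_server", "connection_server", "tcp", 4002),
    Rule("security_server", "desktop", "tcp", 3389),
    Rule("security_server", "desktop", "tcp", 4172),
    Rule("security_server", "desktop", "udp", 4172),
    Rule("security_server", "desktop", "tcp", 22443),
    Rule("internet", "desktop", "tcp", 3389),   # mistake: RDP straight from the Internet
]

if __name__ == "__main__":
    for key, items in audit(SAMPLE_POLICY, ipsec_paired=True).items():
        print(key, items)
```

With the sample policy, `audit` reports the missing UDP 4172 flow (PCoIP would fail for external users while the TCP rule alone looks complete) and the Internet-to-desktop RDP rule; with `ipsec_paired=True` it additionally reports that neither NAT-T nor ESP is permitted between the security server and the Connection Server, which is the condition Table 5‑2 warns about.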
6 Overview of Steps to Setting Up a Horizon 7 Environment

Complete these high-level tasks to install Horizon 7 and configure an initial deployment.

Table 6‑1. View Installation and Setup Check List

Step   Task
1      Set up the required administrator users and groups in Active Directory. Instructions: View Installation and vSphere documentation.
2      If you have not yet done so, install and set up ESXi hosts and vCenter Server. Instructions: VMware vSphere documentation.
Table 6‑1. View Installation and Setup Check List (Continued)

Step   Task
12     (Optional) Configure Horizon Persona Management, which gives users access to personalized data and settings whenever they log in to a desktop. Instructions: Setting Up Virtual Desktops in Horizon 7.
13     (Optional) For added security, integrate smart card authentication or a RADIUS two-factor authentication solution. Instructions: View Administration document.