View Architecture Planning
Modified on 4 JAN 2018
VMware Horizon 7 7.

You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/
If you have comments about this documentation, submit your feedback to docfeedback@vmware.com
VMware, Inc.
3401 Hillview Ave.
Palo Alto, CA 94304
www.vmware.com
Copyright © 2009–2018 VMware, Inc. All rights reserved. Copyright and trademark information.
Contents
Horizon 7 Architecture Planning 5
1 Introduction to Horizon 7 6
  Advantages of Using Horizon 7 6
  Horizon 7 Features 9
  How the Components Fit Together 11
  Integrating and Customizing Horizon 7 16
2 Planning a Rich User Experience 21
  Feature Support Matrix for Horizon Agent 21
  Choosing a Display Protocol 22
  Using Published Applications 28
  Using Horizon Persona Management to Retain User Data and Settings 29
  Using USB Devices with Remote Desktops and Applications 30
  Using the Real-Time Aud
  Storage and Bandwidth Requirements 73
  Horizon 7 Building Blocks 83
  Horizon 7 Pods 84
  Advantages of Using Multiple vCenter Servers in a Pod 86
5 Planning for Security Features 90
  Understanding Client Connections 90
  Choosing a User Authentication Method 93
  Restricting Remote Desktop Access 96
  Using Group Policy Settings to Secure Remote Desktops and Applications 98
  Using Smart Policies 98
  Implementing Best Practices to Secure Client Systems
  Assigning Administrator Rol
Horizon 7 Architecture Planning Horizon 7 Architecture Planning provides an introduction to VMware Horizon™ 7, including a description of its major features and deployment options and an overview of how the components are typically set up in a production environment.
1 Introduction to Horizon 7
With Horizon 7, IT departments can run remote desktops and applications in the datacenter and deliver these desktops and applications to employees as a managed service. End users gain a familiar, personalized environment that they can access from any number of devices anywhere throughout the enterprise or from home. Administrators gain centralized control, efficiency, and security by having desktop data in the datacenter.
- The ability to provision remote desktops with pre-created Active Directory accounts addresses the requirements of locked-down Active Directory environments that have read-only access policies.
- Data backups can be scheduled without considering when end users' systems might be turned off.
- Remote desktops and applications that are hosted in a data center experience little or no downtime. Virtual machines can reside on high-availability clusters of VMware servers.
Manageability
Provisioning desktops and applications for end users is a quick process. No one is required to install applications one by one on each end user's physical PC. End users connect to a remote application or a remote desktop complete with applications. End users can access their same remote desktop or application from various devices at various locations.
- If remote desktops use the space-efficient disk format available with vSphere 5.1 and later, stale or deleted data within a guest operating system is automatically reclaimed with a wipe and shrink process.
Hardware Independence
Remote desktops and applications are hardware-independent.
- Use Horizon Persona Management to retain user settings and data between sessions even after the desktop has been refreshed or recomposed. Persona Management has the ability to replicate user profiles to a remote profile store (CIFS share) at configurable intervals. You can also use a standalone version of Persona Management on physical computers and virtual machines that are not managed by Horizon 7.
- Send updates and patches to virtual desktops without affecting user settings, data, or preferences.
- Integrate with VMware Identity Manager so that end users can access remote desktops through the user portal on the Web, as well as use VMware Identity Manager from a browser inside a remote desktop.
Figure 1‑2.
Horizon Connection Server
This software service acts as a broker for client connections. Horizon Connection Server authenticates users through Windows Active Directory and directs the request to the appropriate virtual machine, physical PC, or Microsoft RDS host.
After logging in, users select from a list of remote desktops and applications that they are authorized to use. Authorization can require Active Directory credentials, a UPN, a smart card PIN, or an RSA SecurID or other two-factor authentication token. An administrator can configure Horizon Client to allow end users to select a display protocol. Protocols include PCoIP, Blast Extreme, and Microsoft RDP for remote desktops.
If the desktop source is a virtual machine, you first install the Horizon Agent service on that virtual machine and then use the virtual machine as a template or as a parent of linked clones or instant clones. When you create a pool from this virtual machine, the agent is automatically installed on every remote desktop. You can install the agent with an option for single sign-on.
You can install View Composer on the same server as vCenter Server or on a different server. vCenter Server then manages the assignment of the virtual machines to physical servers and storage and manages the assignment of CPU and memory resources to virtual machines. You can install vCenter Server either as a VMware virtual appliance or install vCenter Server in a Windows Server 2008 R2 server or a Windows Server 2012 R2 server, preferably on a VMware virtual machine.
Mirage provides a better offline virtual desktop solution than the Local Mode feature that was previously included with Horizon 7. Mirage includes the following security and management features for offline desktops:
- Encrypts the locally installed virtual machine and prevents a user from modifying virtual machine settings that affect the integrity of the secure container.
only traffic entering the corporate data center is traffic on behalf of a strongly authenticated remote user. You can use Unified Access Gateway appliances instead of Horizon 7 security servers. For more information, see the Unified Access Gateway documentation.
Whenever a Lync VoIP or video chat call occurs, the Lync VDI plug-in offloads all the media processing from the datacenter server to the client endpoint, and encodes all media into Lync-optimized audio and video codecs. This optimized architecture is highly scalable, results in lower network bandwidth used, and provides point-to-point media delivery with support for high-quality real-time VoIP and video.
- Add datacenter resources to a full virtual machine or linked-clone pool.
- Perform rebalance, refresh, or recompose operations on linked-clone desktops.
- Sample the usage of specific desktops or desktop pools over time.
- Query the event database.
- Query the state of services.
You can use the cmdlets in conjunction with the vSphere PowerCLI cmdlets, which provide an administrative interface to the VMware vSphere product.
2 Planning a Rich User Experience
Horizon 7 provides the familiar, personalized desktop environment that end users expect. For example, on some client systems, end users can access USB and other devices connected to their local computer, send documents to any printer that their local computer can detect, authenticate with smart cards, and use multiple display monitors. Horizon 7 includes many features that you might want to make available to your end users.
To see a list of specific remote experience features supported on Windows operating systems where Horizon Agent is installed, see the VMware Knowledge Base (KB) article http://kb.vmware.com/kb/2150305.
Note For information about which features are supported on the various types of client devices, see the Horizon Client documentation at https://www.vmware.com/support/viewclients/doc/viewclients_pubs.html.
- Advanced Encryption Standard (AES) 128-bit encryption is supported and is turned on by default. You can, however, change the encryption key cipher to AES-256.
- Connections from all types of client devices.
- Optimization controls for reducing bandwidth usage on the LAN and WAN.
- USB redirection is supported for some client types.
- MMR redirection is supported for some Windows client operating systems and some remote desktop operating systems (with Horizon Agent installed).
- Connections to physical machines that have no monitors attached are supported with NVIDIA graphics cards. For best performance, use a graphics card that supports H.264 encoding. This is a technical preview feature for Horizon 7 version 7.1.
1080p-formatted video: If the remote desktop has a dual virtual CPU, you can play 1080p-formatted video, although the media player might need to be adjusted to a smaller window size.
3D rendering: You can configure remote desktops to use software- or hardware-accelerated graphics. The software-accelerated graphics feature enables you to run DirectX 9 and OpenGL 2.1 applications without requiring a physical graphics processing unit (GPU).
- 32-bit color is supported for virtual displays.
- ClearType fonts are supported.
- Audio redirection with dynamic audio quality adjustment for LAN and WAN.
- Real-Time Audio-Video for using webcams and microphones on some client types.
- Copy and paste of text and, on some clients, images between the client operating system and a remote application or desktop. For other client types, only copy and paste of plain text is supported.
Hardware Requirements for Client Systems
For information about processor and memory requirements, see the "Using VMware Horizon Client" document for the specific type of client system. Go to https://www.vmware.com/support/viewclients/doc/viewclients_pubs.html.
Note Mobile client 3.x devices use only the PCoIP display protocol. Mobile client 4.x clients use only the PCoIP display protocol or the VMware Blast display protocol.
Using Horizon Persona Management to Retain User Data and Settings
You can use Horizon Persona Management with remote desktops and with physical computers and virtual machines that are not managed by Horizon 7. Persona Management retains changes that users make to their profiles. User profiles comprise a variety of user-generated information.
- Contacts
- Cookies
- Desktop
- Downloads
- Favorites
- History
- Links
- My Documents
- My Music
- My Pictures
- My Videos
- Network Neighborhood
- Printer Neighborhood
- Recent Items
- Save Games
- Searches
- Start Menu
- Startup Items
- Templates
- Temporary Internet Files
Limitations
Persona Management has the following limitations and restrictions:
- This feature is not supported on instant clone desktop pools.
Administrators can specify which types of USB devices end users are allowed to connect to. For composite devices that contain multiple types of devices, such as a video input device and a storage device, on some client systems, administrators can split the device so that one device (for example, the video input device) is allowed but the other device (for example, the storage device) is not. The USB redirection feature is available only on some types of clients.
Using 3D Graphics Applications
The software- and hardware-accelerated graphics features available with the Blast Extreme or PCoIP display protocol enable remote desktop users to run 3D applications ranging from Google Earth to CAD and other graphics-intensive applications.
NVIDIA GRID vGPU (shared GPU hardware acceleration): Available with vSphere 6.0 and later, this feature allows a physical GPU (graphical processing unit) on an ESXi host to be shared among virtual machines.
Streaming Multimedia to a Remote Desktop
The Windows Media MMR (multimedia redirection) feature, for Windows 7 and Windows 8/8.1 desktops and clients, enables full-fidelity playback on Windows client computers when multimedia files are streamed to a remote desktop. With MMR, the multimedia stream is processed, that is, decoded, on the Windows client system. The client system plays the media content, thereby offloading the demand on the ESXi host.
Using Single Sign-On for Logging In
The single-sign-on (SSO) feature allows end users to supply Active Directory login credentials only once. If you do not use the single-sign-on feature, end users must log in twice. They are first prompted for Active Directory credentials to log in to Horizon Connection Server and then are prompted to log in to their remote desktop.
Horizon Client supports the following monitor configurations:
- If you use two monitors, the monitors are not required to be in the same mode. For example, if you are using a laptop connected to an external monitor, the external monitor can be in portrait mode or landscape mode.
- Monitors can be placed side by side, stacked two by two, or vertically stacked only if you are using two monitors and the total height is less than 4096 pixels.
3 Managing Desktop and Application Pools from a Central Location
You can create pools that include one, hundreds, or thousands of remote desktops. As a desktop source, you can use virtual machines, physical machines, and Windows Remote Desktop Services (RDS) hosts. Create one virtual machine as a base image, and Horizon 7 can generate a pool of remote desktops from that image. You can also create pools of applications that give users remote access to applications.
Using pools to manage desktops allows you to apply settings or deploy applications to all remote desktops in a pool. The following examples show some of the settings available:
- Specify which remote display protocol to use as the default for the remote desktop and whether to let end users override the default.
- Accelerated deployment: With application pools, deploying applications can be accelerated because you only deploy applications on servers in a data center and each server can support multiple users.
- Manageability: Managing software that is deployed on client computers and devices typically requires significant resources. Management tasks include deployment, configuration, maintenance, support, and upgrades.
- Reducing Storage Requirements with View Composer: Because View Composer creates desktop images that share virtual disks with a base image, you can reduce the required storage capacity by 50 to 90 percent.
- Reducing Storage Requirements with Instant Clones: The instant clones feature leverages vSphere vmFork technology (available with vSphere 6.
Virtual SAN also lets you manage virtual machine storage and performance by using storage policy profiles. If the policy becomes noncompliant because of a host, disk, or network failure, or workload changes, Virtual SAN reconfigures the data of the affected virtual machines and optimizes the use of resources across the cluster. You can deploy a desktop pool on a cluster that contains up to 20 ESXi hosts.
Virtual SAN implements a policy-based approach to storage management. When you use Virtual SAN, Horizon 7 defines virtual machine storage requirements, such as capacity, performance, and availability, in the form of default storage policy profiles and automatically deploys them for virtual desktops onto vCenter Server. The policies are automatically and individually applied per disk (Virtual SAN objects) and maintained throughout the life cycle of the virtual desktop.
- A cluster of at least three ESXi hosts. You need enough ESXi hosts to accommodate your setup even if you use two ESXi hosts with a Virtual SAN stretched cluster. For more information, see the vSphere Configuration Maximums document.
- SSD capacity that is at least 10 percent of HDD capacity.
- Enough HDDs to accommodate your setup. Do not exceed 75% utilization on a magnetic disk.
Requirements and Limitations
The Virtual Volumes feature has the following limitations when used in a Horizon 7 deployment:
- This release does not support using the Horizon 7 space-efficient disk format feature, which reclaims disk space by wiping and shrinking disks.
- Virtual Volumes does not support using View Composer Array Integration (VCAI).
- Virtual Volumes datastores are not supported for instant clone desktop pools.
Replica and Linked Clones on Different Datastores
Alternatively, you can place View Composer replicas and linked clones on separate datastores with different performance characteristics. For example, you can store the replica virtual machines on a solid-state drive (SSD). Solid-state drives have low storage capacity and high read performance, typically supporting tens of thousands of I/Os per second (IOPS).
Using local datastores is most likely to work well if the remote desktops in your environment are stateless. For example, you might use local datastores if you deploy stateless kiosks or classroom and training stations. If you intend to take advantage of the benefits of local storage, you must carefully consider the following limitations:
- You cannot use VMotion, VMware High Availability (HA), or vSphere Distributed Resource Scheduler (DRS).
You can store instant clones on traditional, spinning media-backed datastores. These disks provide lower performance, but are less expensive and provide higher storage capacity, which makes them suited for storing the many instant clones in a large pool. Tiered storage configurations can be used to cost-effectively handle intensive I/O scenarios such as simultaneously running scheduled antivirus scans.
- If you select local spinning-disk drives, performance might not match that of a commercially available storage array. Local spinning-disk drives and a storage array might have similar capacity, but local spinning-disk drives do not have the same throughput as a storage array. Throughput increases as the number of spindles grows. If you select direct attached solid-state disks (SSDs), performance is likely to exceed that of many storage arrays.
- Deploying Applications and System Updates with View Composer: Because linked-clone desktop pools share a base image, you can quickly deploy updates and patches by updating the parent virtual machine.
- Deploying Applications and System Updates with Instant Clones: Because instant clone desktop pools share a base image, you can quickly deploy updates and patches by updating the parent virtual machine.
The recompose feature allows you to make changes to the parent virtual machine, take a snapshot of the new state, and push the new version of the image to all, or a subset of, users and desktops.
Managing VMware ThinApp Applications in View Administrator
VMware ThinApp™ lets you package an application into a single file that runs in a virtualized application sandbox. This strategy results in flexible, conflict-free application provisioning.
Using Existing Processes or VMware Mirage for Application Provisioning
With Horizon 7, you can continue to use the application provisioning techniques that your company currently uses, and you can use Mirage. Two additional considerations include managing server CPU usage and storage I/O and determining whether users are permitted to install applications.
You can use GPOs to set all the policies that are available from the Horizon Administrator user interface (UI). You can also use GPOs to set policies that are not available from the UI. For a complete list and description of the settings available through ADMX templates, see Configuring Remote Desktop Features in Horizon 7.
4 Architecture Design Elements and Planning Guidelines for Remote Desktop Deployments
A typical Horizon 7 architecture design uses a pod strategy. Pod definitions can vary, based on hardware configuration, Horizon 7 and vSphere software versions used, and other environment-specific design factors. The examples in this document illustrate a scalable design that you can adapt to your enterprise environment and special requirements.
- Advantages of Using Multiple vCenter Servers in a Pod
Virtual Machine Requirements for Remote Desktops
When you plan the specifications for remote desktops, the choices that you make regarding RAM, CPU, and disk space have a significant effect on your choices for server and storage hardware and expenditures.
Power users: Power users include application developers and people who use graphics-intensive applications.
Kiosk users: These users need to share a desktop that is located in a public place. Examples of kiosk users include students using a shared computer in a classroom, nurses at nursing stations, and computers used for job placement and recruiting. These desktops require automatic login. Authentication can be done through certain applications if necessary.
RAM Sizing Impact on Storage
The amount of RAM that you allocate to a virtual machine is directly related to the size of certain files that the virtual machine uses. To access the files in the following list, use the Windows guest operating system to locate the Windows page and hibernate files, and use the ESXi host's file system to locate the ESXi swap and suspend files.
Windows page file: By default, this file is sized at 150 percent of guest RAM.
Table 4‑1. PCoIP or Blast Extreme Client Display Overhead

Display Resolution Standard | Width, in Pixels | Height, in Pixels | 1-Monitor Overhead | 2-Monitor Overhead | 3-Monitor Overhead | 4-Monitor Overhead
VGA      | 640  | 480  | 1.20MB  | 3.20MB  | 4.80MB  | 5.60MB
WXGA     | 1280 | 800  | 4.00MB  | 12.50MB | 18.75MB | 25.00MB
1080p    | 1920 | 1080 | 8.00MB  | 25.40MB | 38.00MB | 50.60MB
WQXGA    | 2560 | 1600 | 16.00MB | 60.00MB | 84.80MB | 109.60MB
UHD (4K) | 3840 | 2160 | 32.00MB | 78.00MB | 124.
CPU requirements vary by worker type. During your pilot phase, use a performance monitoring tool, such as Perfmon in the virtual machine, esxtop in ESXi, or vCenter Server performance monitoring tools, to understand both the average and peak CPU use levels for these groups of workers. Also use the following guidelines:
- Software developers or other power users with high-performance needs might have much higher CPU requirements than knowledge workers and task workers.
- Turn off Windows services such as the indexer service, the defragmenter service, and restore points. For details, see the topics "Optimize Windows Guest Operating System Performance," "Optimize Windows 7 and Windows 8 Guest Operating System Performance," and "Overview of Windows 7 and Windows 8 Services and Tasks That Cause Linked-Clone Growth," in Setting Up Virtual Desktops in Horizon 7.
There is no substitute for measuring performance under actual, real world scenarios, such as in a pilot, to determine an appropriate consolidation ratio for your environment and hardware configuration. Consolidation ratios can vary significantly, based on usage patterns and environmental factors. Use the following guidelines:
- As a general framework, consider compute capacity in terms of 8 to 10 virtual desktops per CPU core.
The most fundamental question to consider is whether a certain type of user needs a stateful desktop image or a stateless desktop image. Users who need a stateful desktop image have data in the operating system image itself that must be preserved, maintained, and backed up. For example, these users install some of their own applications or have data that cannot be saved outside of the virtual machine itself, such as on a file server or in an application database.
- Pools for Kiosk Users: Kiosk users might include customers at airline check-in stations, students in classrooms or libraries, medical personnel at medical data entry workstations, or customers at self-service points. Accounts associated with client devices rather than users are entitled to use these desktop pools because users do not need to log in to use the client device or the remote desktop.
- Use the Persona Management feature so that users always have their preferred desktop appearance and application settings, as with Windows user profiles. If you do not have the desktops set to be refreshed or deleted at logoff, you can configure the persona to be removed at logoff.
Important Persona Management facilitates implementing a floating-assignment pool for those users who want to retain settings between sessions.
- If you use View Composer linked-clone desktops, implement Persona Management, roaming profiles, or another profile management solution. You can also configure persistent disks so that you can refresh and recompose the linked-clone OS disks while keeping a copy of the user profile on the persistent disks.
- Use the Persona Management feature so that users always have their preferred desktop appearance and application settings, as with Windows user profiles.
As part of this setup, you can use the following instant-clone desktop pool settings.
- If you are using instant clone desktop pools, Horizon 7 automatically deletes the instant clone whenever a user logs out. A new instant clone is created and ready for the next user to log in, thus effectively refreshing the desktop on every log out.
As part of this setup, you can use the following View Composer linked-clone desktop pool settings.
Table 4‑2.
vCenter Server and View Composer Virtual Machine Configuration
You can install vCenter Server and View Composer on the same virtual machine or on separate servers. These servers require much more memory and processing power than a desktop virtual machine. VMware tested having View Composer create and provision 2,000 desktops per pool using vSphere 5.1 or later. VMware also tested having View Composer perform a recompose operation on 2,000 desktops at a time.
Table 4‑4. vCenter Server Virtual Machine Example (Continued)

Item | Example for a vCenter Server That Manages 10,000 Desktops | Example for a vCenter Server That Manages 2,000 Desktops
Maximum concurrent vCenter provisioning operations | 20 | 20
Maximum concurrent power operations | 50 | 50

Table 4‑5.
Table 4‑6. Connection Server Virtual Machine Example

Item | Example
Operating system | See supported operating systems in the View Installation document.
Table 4‑7. Remote Desktop Connections (Continued)

Connection Servers per Deployment | Connection Type | Maximum Simultaneous Connections
1 Connection Server | Unified Access to RDS hosts | 2,000 (tested configuration)
7 Connection Servers | Direct connection, RDP, Blast Extreme, or PCoIP | 20,000 (tested configuration)

Note Tested configurations are fully supported.
Hardware Requirements for Unified Access Gateway with Horizon 7
VMware recommends using 4 vCPUs and 10 GB of RAM for Unified Access Gateway appliances to support the maximum number of connections when used with Horizon 7.
Table 4‑8.
For more information, see the chapter about creating desktop pools, in the Setting Up Virtual Desktops in Horizon 7 document. Networking requirements depend on the type of server, the number of network adapters, and the way in which VMotion is configured.
Determining Requirements for High Availability
vSphere, through its efficiency and resource management, lets you achieve industry-leading levels of virtual machines per server.
Table 4‑9. Horizon 7 Infrastructure Cluster Example (Continued)

Item | Example
SSD storage | Virtual machines for vCenter Server, View Composer, SQL database server, and the parent virtual machines
Non-SSD storage | Virtual machines for Active Directory, Connection Server, and security server
Cluster type | DRS (Distributed Resource Scheduler)/HA

Table 4‑10.
- View Composer Performance Test Results
View Composer Performance Test Results
These test results describe a View 5.2 setup with 10,000 desktops, in which one vCenter Server 5.1 instance managed 5 pools of 2,000 virtual machine desktops each. Only one maintenance period was required for provisioning a new pool or for recomposing, refreshing, or rebalancing an existing pool of 2,000 virtual machines. A logon storm of 10,000 users was also tested.
- SSD storage tier
- Virtual machine desktop storage tier: Eight 10Gbit FCoE front end connections (4 per controller).
Figure 4‑1. Tiered Storage Example for a Large Desktop Pool
[Figure: Parent 1 through Parent 5 on a parent SSD shared across all clusters; Replica 1; ESX cluster, consisting of 192 Intel cores and 2.]
You can also reduce operating system disk space by using View Composer persistent disks or a shared file server as the primary repository for the user profile and user documents. Because View Composer lets you separate user data from the operating system, you might find that only the persistent disk needs to be backed up or replicated, which further reduces storage requirements. For more information, see Reducing Storage Requirements with View Composer.
Network Bandwidth Considerations
Certain virtual and physical networking components are required to accommodate a typical workload. For display traffic, many elements can affect network bandwidth, such as protocol used, monitor resolution and configuration, and the amount of multimedia content in the workload. Concurrent launches of streamed applications can also cause usage spikes.
Network Configuration Example
In a View 5.2 test pod in which one vCenter Server 5.1 instance managed 5 pools of 2,000 virtual machines in each pool, each ESXi host had the following hardware and software for networking requirements.
Note This example was used in a View 5.2 setup, which was carried out prior to the release of VMware Virtual SAN.
- Each network was /21, 2048 addresses
Time Required for Provisioning a Pool
Pools are provisioned either up front, when you create the pool, or on demand, as users are assigned to them. Provisioning means creating the virtual machine and configuring it to use the correct operating system image and network settings. In a test setup already containing 4 pools of 2,000 virtual machines in each pool, provisioning a fifth pool that contained 2,000 virtual machines took 4 hours.
If you use the RDP display protocol, you must have a WAN optimization product to accelerate applications for users in branch offices or small offices. With PCoIP and Blast Extreme, many WAN optimization techniques are built into the base protocol.
- WAN optimization is valuable for TCP-based protocols such as RDP because these protocols require many handshakes between client and server. The latency of these handshakes can be quite large.
Branch or Remote Office Scenario
- Users have basic Microsoft Office productivity applications, no video, no 3D graphics, and USB keyboards and mouse devices.
- The bandwidth required per typical office user on Horizon 7 is 50-150 Kbps.
- The T1 network capacity is 1.5 Mbps.
- Bandwidth utilization is 80 percent (.8 utilization factor).

Formula for Determining the Number of Users Supported
- In the worst case, users require 150 Kbps: (1.5Mbps*.8)/150Kbps = (1500*.
Each vCenter Server can support up to 10,000 virtual machines. This support enables you to have building blocks that contain more than 2,000 virtual machine desktops. However, the actual block size is also subject to other Horizon 7-specific limitations. If you have only one building block in a pod, use two Connection Server instances for redundancy.

Horizon 7 Pods
A pod is a unit of organization determined by Horizon 7 scalability limits.
Figure 4‑2. Pod Diagram for 10,000 Virtual Machine Desktops
[Figure: View building blocks attached to switched networks; each switched network connects to each View Connection Server; the View Connection Servers sit behind load balancing on the network core.]

Pod Example Using One vCenter Server
In the previous section, the Horizon 7 pod consisted of multiple building blocks. Each building block supported 2,000 virtual machines with a single vCenter Server.
Cloud Pod Architecture Overview
To use a group of replicated Connection Server instances across a WAN, MAN (metropolitan area network), or other non-LAN, in scenarios where a Horizon deployment needs to span datacenters, you must use the Cloud Pod Architecture feature. This feature uses standard Horizon components to provide cross-datacenter administration, global and flexible user-to-desktop mapping, high-availability desktops, and disaster recovery capabilities.
Duration of Maintenance Windows
Concurrency settings for virtual machine power, provisioning, and maintenance operations are determined per vCenter Server instance.
Pod designs with one vCenter Server instance: concurrency settings determine how many operations can be queued up for an entire Horizon 7 pod at one time.
Risk tolerance is an important factor in determining whether to use one or multiple vCenter Server instances in your pod design. If your operations require the ability to perform desktop management tasks such as power and refit of all desktops simultaneously, you should spread the impact of an outage across fewer desktops at a time by deploying multiple vCenter Server instances.
Your design might benefit from a hybrid approach. You can choose to have very large and relatively static pools managed by one vCenter Server instance and have several smaller, more dynamic desktop pools managed by multiple vCenter Server instances.

The best strategy for upgrading existing large-scale pods is to first upgrade the VMware software components of your existing pod.
5 Planning for Security Features
Horizon 7 offers strong network security to protect sensitive corporate data. For added security, you can integrate Horizon 7 with certain third-party user-authentication solutions, use a security server, and implement the restricted entitlements feature.
Important: Horizon 6 version 6.2 and later releases can perform cryptographic operations using FIPS (Federal Information Processing Standard) 140-2 compliant algorithms.
A default SSL server certificate is generated during Connection Server installation. By default, SSL clients are presented with this certificate when they visit a secure page such as Horizon Administrator. You can use the default certificate for testing, but you should replace it with your own certificate as soon as possible. The default certificate is not signed by a commercial Certificate Authority (CA), so clients cannot chain it to a trusted root and have no way to distinguish it from a certificate presented by an attacker masquerading as the server.
- No VPN is required, as long as the display protocol is not blocked by any networking component. For example, someone trying to access their remote desktop or application from a hotel room might find that the hotel's proxy is not configured to pass UDP packets. For more information, see Firewall Rules for DMZ-Based Security Servers.
Direct Client Connections
Administrators can configure Horizon Connection Server settings so that remote desktop and application sessions are established directly between the client system and the remote application or desktop virtual machine, bypassing the Connection Server host. This type of connection is called a direct client connection.
Active Directory Authentication
Each Horizon Connection Server instance is joined to an Active Directory domain, and users are authenticated against Active Directory for the joined domain. Users are also authenticated against any additional user domains with which a trust agreement exists.
Because two-factor authentication solutions such as RSA SecurID and RADIUS work with authentication managers, installed on separate servers, you must have those servers configured and accessible to the Connection Server host. For example, if you use RSA SecurID, the authentication manager would be RSA Authentication Manager. If you have RADIUS, the authentication manager would be a RADIUS server.
To support this feature, user credentials are stored on both the Connection Server instance and on the client system.
- On the Connection Server instance, user credentials are encrypted and stored in the user session along with the username, domain, and optional UPN. The credentials are added when authentication occurs and are purged when the session object is destroyed. The session object is destroyed when the user logs out, the session times out, or authentication fails.
With restricted entitlements, you assign one or more tags to a Connection Server instance. Then, when configuring a desktop pool, you select the tags of the Connection Server instances that you want to be able to access the desktop pool. When users log in through a tagged Connection Server instance, they can access only those desktop pools that have at least one matching tag or no tags. For example, your Horizon 7 deployment might include two Connection Server instances.
You can also use restricted entitlements to control desktop access based on the user-authentication method that you configure for a particular Connection Server instance. For example, you can make certain desktop pools available only to users who have authenticated with a smart card. The restricted entitlements feature only enforces tag matching. You must design your network topology to force certain clients to connect through a particular Connection Server instance.
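The tag-matching rule stated above is easy to get wrong in a design review, in particular the behaviour of pools and servers that carry no tags. The following is an added example, not Horizon code, that models the rule and adds the review check a practitioner wants: which pools end up reachable through the externally facing Connection Server instances. The server names, tags and pools are constructed for the example.

```python
"""Restricted-entitlement tag matching, modelled on the rule in the text.
Added example, not Horizon code; servers, tags and pools are constructed."""

from typing import Dict, FrozenSet, List

# Constructed: Connection Server instances and the tags assigned to each.
CONNECTION_SERVERS: Dict[str, FrozenSet[str]] = {
    "cs-internal-1": frozenset({"Internal"}),
    "cs-external-1": frozenset({"External"}),   # reached through the DMZ
    "cs-legacy":     frozenset(),                # no tags assigned
}

# Constructed: desktop pools and the Connection Server tags selected on each.
DESKTOP_POOLS: Dict[str, FrozenSet[str]] = {
    "Finance":    frozenset({"Internal"}),
    "Contractor": frozenset({"External"}),
    "SmartCard":  frozenset({"Internal", "SmartCard"}),
    "General":    frozenset(),                   # no tags: matches every server
}


def pool_visible(server_tags: FrozenSet[str], pool_tags: FrozenSet[str]) -> bool:
    """The rule from the text: through a given server a user sees pools that
    have no tags at all, or that share at least one tag with the server.
    A server with no tags shares nothing, so it only sees untagged pools."""
    return not pool_tags or bool(server_tags & pool_tags)


def visible_pools(server: str) -> List[str]:
    """Pools a user could be offered after logging in through `server`,
    before that user's ordinary entitlements narrow the list further."""
    tags = CONNECTION_SERVERS[server]
    return sorted(p for p, pt in DESKTOP_POOLS.items() if pool_visible(tags, pt))


def pools_exposed_externally(external_tag: str = "External") -> List[str]:
    """Review check: every pool reachable through any server that carries the
    external tag. Untagged pools appear here even if nobody meant to publish
    them to the DMZ, because 'no tags' matches every server."""
    exposed = set()
    for server, tags in CONNECTION_SERVERS.items():
        if external_tag in tags:
            exposed.update(visible_pools(server))
    return sorted(exposed)


if __name__ == "__main__":
    for server in CONNECTION_SERVERS:
        print(f"{server:14} -> {visible_pools(server)}")
    print("reachable via External servers:", pools_exposed_externally())
```

Note what the check surfaces: the untagged "General" pool is reachable through the External-tagged server. If a pool must never be offered to DMZ logins, give it a tag; and, as the text says, tag matching does nothing to stop a client from reaching the internal Connection Server directly, so the network design has to enforce which server each client population can reach.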
- Require users to enter a username and password when starting client systems. Do not configure client systems to allow automatic logins.
- For Mac client systems, consider setting different passwords for the Keychain and the user account. When the passwords are different, users are prompted before the system enters any passwords on their behalf. Also consider turning on FileVault protection.
A DMZ-based security server deployment requires a few ports to be opened on the firewall to allow clients to connect with security servers inside the DMZ. You must also configure ports for communication between security servers and the Connection Server instances in the internal network. See Firewall Rules for DMZ-Based Security Servers for information on specific ports.
Figure 5‑2. Load-Balanced Security Servers in a DMZ
[Figure: a client device on the external network reaches load-balanced View Security Servers in the DMZ; the security servers connect to the View Connection Servers on the internal network, alongside Microsoft Active Directory, the vCenter management server, and the ESX hosts running the virtual desktop virtual machines.]
When users outside the corporate network connect to a security server, they must successfully authenticate before they can access remote desktops and applications.
Figure 5‑3. Multiple Security Servers
[Figure: client devices on the external network reach load-balanced View Security Servers in the DMZ; a second load-balancing tier on the internal network fronts the View Connection Servers, alongside Microsoft Active Directory, the vCenter management server, and the ESXi hosts running the virtual desktop virtual machines.]
You must implement a hardware or software load balancing solution if you install more than one security server. Connection Server does not provide its own load balancing functionality.
Figure 5‑4.
Table 5‑1. Front-End Firewall Rules
Source          Default Port   Protocol   Destination       Default Port
Horizon Client  TCP Any        HTTP       Security Server   TCP 80
Notes: (Optional) External client devices connect to a security server within the DMZ on TCP port 80 and are automatically directed to HTTPS. For information about the security considerations related to letting users connect with HTTP rather than HTTPS, see the View Security guide.
Table 5‑2. Back-End Firewall Rules (Continued)
Source           Default Port   Protocol   Destination         Default Port
Security server  TCP Any        AJP13      Connection Server   TCP 8009
Notes: Security servers connect to Connection Server instances on TCP port 8009 to forward Web traffic from external client devices. If you enable IPsec, AJP13 traffic does not use TCP port 8009 after pairing. Instead it flows over either NAT-T (UDP port 4500) or ESP.
Understanding Communications Protocols
Horizon 6 and Horizon 7 components exchange messages by using several different protocols. Figure 5‑5 illustrates the protocols that each component uses for communication when a security server is not configured. That is, the secure tunnel for RDP, the Blast Secure Gateway, and the PCoIP Secure Gateway are not turned on. This configuration might be used in a typical LAN deployment.
Figure 5‑5.
Figure 5‑6. Horizon 6 and Horizon 7 Components and Protocols with a Security Server
[Figure: client devices (RDP Client, Horizon Client) reach the View Security Server, which hosts the View Secure GW Server and the PCoIP Secure GW, over HTTP(S), Blast and PCoIP; from the security server, Blast, PCoIP, RDP, Framework, MMR, CDR and other traffic continue inward...]
Table 5‑3. Default Ports
Protocol   Port
JMS        TCP port 4001
           TCP port 4002
AJP13      TCP port 8009
Note: AJP13 is used in a security server configuration only.
When you configure the tunnel connection for View Connection Server, RDP, USB, and Multimedia Redirection (MMR) traffic is tunneled through the View Secure Gateway component. When you configure direct client connections, these protocols connect directly from the client to the remote desktop and are not tunneled through the View Secure Gateway Server component.
When you configure direct client connections, PCoIP traffic and other traffic goes directly from a client to a remote desktop or application. When end users such as home or mobile workers access desktops from the Internet, security servers or Access Point appliances provide the required level of security and connectivity so that a VPN connection is not necessary.
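A firewall review of a Horizon deployment comes down to deriving the set of flows the chosen topology needs (Tables 5‑1 and 5‑2, and the tunnel versus direct-connection behaviour just described) and questioning every rule that is not on that list. The following is an added example, not VMware code, that does that derivation for a constructed set of topology choices. Ports 80, 8009 and UDP 4500 come from the tables above; 443 (HTTPS), 3389 (RDP), 4172 (PCoIP), 8443 (Blast Secure Gateway) and 22443 (Blast to the agent) are the usual Horizon defaults, not quoted in this excerpt, and are assumed here.

```python
"""Expected allowed flows for a Horizon 7 deployment, derived from the
firewall-rule tables and the tunnel/direct behaviour in this chapter.
Added example, not VMware code. Ports 80, 8009, UDP 4500 come from the
tables; 443, 3389, 4172, 8443, 22443 are assumed Horizon defaults."""

from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # "TCP", "UDP" or "ESP"
    port: int    # destination port; 0 for ESP, which carries no port
    purpose: str


def expected_flows(security_server: bool, ipsec_paired: bool,
                   rdp_tunnel: bool, pcoip_gateway: bool,
                   blast_gateway: bool, http_redirect: bool) -> List[Flow]:
    """Flows a reviewer should expect to see permitted. Anything else that
    reaches the DMZ or the desktop network is a rule to question."""
    flows: List[Flow] = []
    # Clients terminate on the security server when one sits in the DMZ,
    # otherwise directly on the Connection Server (Figures 5-5 and 5-6).
    gw = "security-server" if security_server else "connection-server"

    # Front end (Table 5-1): HTTPS always; TCP 80 only as an optional redirect.
    flows.append(Flow("client", gw, "TCP", 443, "HTTPS"))
    if http_redirect:
        flows.append(Flow("client", gw, "TCP", 80, "HTTP redirect to HTTPS"))

    # Back end (Table 5-2): the security server forwards web traffic to the
    # Connection Server over AJP13/8009. Once IPsec pairing is enabled, 8009
    # is no longer used; AJP13 rides inside NAT-T (UDP 4500) or ESP instead.
    if security_server:
        if ipsec_paired:
            flows.append(Flow(gw, "connection-server", "UDP", 4500, "IPsec NAT-T"))
            flows.append(Flow(gw, "connection-server", "ESP", 0, "IPsec ESP"))
        else:
            flows.append(Flow(gw, "connection-server", "TCP", 8009, "AJP13"))

    # Display protocols: tunneled means client -> gateway -> desktop; a direct
    # client connection means client -> desktop, bypassing the gateway.
    def display(name: str, proto: str, gw_port: int, agent_port: int, gated: bool) -> None:
        if gated:
            if gw_port != 443:   # RDP/USB/MMR ride the HTTPS tunnel already listed
                flows.append(Flow("client", gw, proto, gw_port, f"{name} via gateway"))
            flows.append(Flow(gw, "desktop", proto, agent_port, f"{name} gateway to agent"))
        else:
            flows.append(Flow("client", "desktop", proto, agent_port, f"{name} direct"))

    display("RDP/USB/MMR", "TCP", 443, 3389, rdp_tunnel)
    display("PCoIP", "TCP", 4172, 4172, pcoip_gateway)
    display("PCoIP", "UDP", 4172, 4172, pcoip_gateway)
    display("Blast", "TCP", 8443, 22443, blast_gateway)
    return flows


def unjustified_rules(rules: List[Flow], expected: List[Flow]) -> List[Flow]:
    """Firewall rules (expressed as Flow records) that no expected flow
    justifies, e.g. a TCP 8009 allow left behind after IPsec pairing."""
    allowed = {(f.src, f.dst, f.proto, f.port) for f in expected}
    return [r for r in rules if (r.src, r.dst, r.proto, r.port) not in allowed]


if __name__ == "__main__":
    for f in expected_flows(security_server=True, ipsec_paired=True, rdp_tunnel=True,
                            pcoip_gateway=True, blast_gateway=True, http_redirect=False):
        print(f"{f.src:18} -> {f.dst:18} {f.proto:4} {f.port:6} {f.purpose}")
```

The useful output is the negative one: with IPsec pairing on, any rule still permitting TCP 8009 from the DMZ is surplus and should be removed, and with the tunnel and both secure gateways enabled there must be no client-to-desktop flow at all, since every such rule would let an external client bypass authentication at the gateway.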
The following table lists the default ports that can be opened automatically during installation. Ports are incoming unless otherwise noted.
Table 5‑4.
Windows firewall rules for View Agent or Horizon Agent on RDS hosts show a block of 256 contiguous UDP ports as open for inbound traffic. This block of ports is for VMware Blast internal use in View Agent or Horizon Agent. A special Microsoft-signed driver on RDS hosts blocks inbound traffic to these ports from external sources. This driver causes the Windows firewall to treat the ports as closed.
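Anyone auditing RDS hosts with a firewall-rule dump will trip over that 256-port block and needs to tell it apart from a genuinely wide UDP exposure. The following is an added example, not VMware tooling, that parses the output format of `netsh advfirewall firewall show rule name=all` and classifies enabled inbound UDP allow rules by the size of their port range. The sample output is constructed: the rule names and the 50000-50255 range are illustrative (the excerpt above gives only the block size, 256, not the actual range), and only the field layout matches netsh.

```python
"""Classify inbound UDP allow rules from netsh advfirewall output, flagging
the documented 256-port Blast block as expected and any other multi-port
range for review. Added example, not VMware tooling; sample is constructed."""

from typing import Dict, List, Tuple

# Constructed netsh output: three rules, one of them the Blast block.
SAMPLE_NETSH_OUTPUT = """\

Rule Name:                            Constructed Horizon Agent (Blast-In-UDP)
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Profiles:                             Domain,Private,Public
Grouping:
LocalIP:                              Any
RemoteIP:                             Any
Protocol:                             UDP
LocalPort:                            50000-50255
RemotePort:                           Any
Edge traversal:                       No
Action:                               Allow

Rule Name:                            Remote Desktop - User Mode (UDP-In)
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Profiles:                             Domain,Private,Public
Grouping:                             Remote Desktop
LocalIP:                              Any
RemoteIP:                             Any
Protocol:                             UDP
LocalPort:                            3389
RemotePort:                           Any
Edge traversal:                       No
Action:                               Allow

Rule Name:                            Constructed legacy media relay
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Profiles:                             Domain,Private,Public
Grouping:
LocalIP:                              Any
RemoteIP:                             Any
Protocol:                             UDP
LocalPort:                            40000-41023
RemotePort:                           Any
Edge traversal:                       No
Action:                               Allow
"""


def parse_rules(text: str) -> List[Dict[str, str]]:
    """Split netsh output into one dict per rule, keyed by field label."""
    rules: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for line in text.splitlines():
        if line.startswith("Rule Name:"):
            if current:
                rules.append(current)
            current = {}
        if ":" in line and not line.startswith("-"):
            key, _, value = line.partition(":")
            current[key.strip()] = value.strip()
    if current:
        rules.append(current)
    return rules


def port_span(spec: str) -> int:
    """Number of ports covered by a LocalPort value such as '3389' or '50000-50255'."""
    if spec.lower() == "any":
        return 65536
    lo, _, hi = spec.partition("-")
    return int(hi or lo) - int(lo) + 1


def audit_inbound_udp(text: str, blast_span: int = 256) -> List[Tuple[str, str, str]]:
    """(rule name, LocalPort, verdict) for every enabled inbound UDP allow rule.
    A contiguous block of exactly 256 ports is the documented Blast-internal
    range, which the signed driver closes to outside traffic; any other
    multi-port range needs an owner and a reason."""
    findings = []
    for r in parse_rules(text):
        if (r.get("Direction") != "In" or r.get("Protocol") != "UDP"
                or r.get("Action") != "Allow" or r.get("Enabled") != "Yes"):
            continue
        span = port_span(r["LocalPort"])
        if span == blast_span:
            verdict = "expected: Blast internal range (externally blocked by driver)"
        elif span > 1:
            verdict = "review: wide inbound UDP range"
        else:
            verdict = "single port"
        findings.append((r["Rule Name"], r["LocalPort"], verdict))
    return findings


if __name__ == "__main__":
    for name, ports, verdict in audit_inbound_udp(SAMPLE_NETSH_OUTPUT):
        print(f"{name:45} {ports:14} {verdict}")
```

The rule table only shows intent. Because the text says the driver, not the firewall rule, is what keeps the Blast range closed, the confirming check is a UDP probe of that range from outside the host, which a rule dump cannot substitute for.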
6 Overview of Steps to Setting Up a Horizon 7 Environment
Complete these high-level tasks to install Horizon 7 and configure an initial deployment.
Table 6‑1. View Installation and Setup Check List
Step 1: Set up the required administrator users and groups in Active Directory. Instructions: View Installation and vSphere documentation.
Step 2: If you have not yet done so, install and set up ESXi hosts and vCenter Server. Instructions: VMware vSphere documentation.
Table 6‑1. View Installation and Setup Check List (Continued)
Step 12: (Optional) Configure Horizon Persona Management, which gives users access to personalized data and settings whenever they log in to a desktop. Instructions: Setting Up Virtual Desktops in Horizon 7.
Step 13: (Optional) For added security, integrate smart card authentication or a RADIUS two-factor authentication solution. Instructions: View Administration document.