VMware Horizon components
VMware Horizon is a family of desktop and application virtualization solutions designed to deliver end user computing services from any cloud. The following section will provide a high-level overview of those components of the Horizon family of products that we will cover in this book, which includes:
- VMware Horizon Connection Server, Security Server, and Access Point
- VMware Horizon Composer
- VMware Horizon Agent
- VMware Horizon Client
- VMware vSphere including vCenter Server
- VMware App Volumes
- VMware User Environment Manager
- VMware ThinApp
The following figure shows where each of the components of a typical Horizon installation resides within the IT infrastructure. The only components not shown that are discussed in this book are the VMware App Volumes servers and Windows-based file servers used for hosting VMware User Environment Manager data. If shown, both of these components would be located on the internal network along with the Horizon Connection Server, vCenter Server, and virtual desktops and Microsoft Windows Remote Desktop Session (RDS) Servers.
Horizon Connection Server
VMware Horizon Connection Server is a software service that serves as the broker for Horizon client connections. In this role, it authenticates user connection requests, verifies the desktops or Microsoft Windows RDS Servers that the user is entitled to access, and then directs the connection to the appropriate resource. Horizon Connection Server is installed on a dedicated server that is required to be a member of an Active Directory (AD) domain that is trusted by all Horizon clients. Horizon Connection Server also hosts the Horizon Administrator console, an Adobe Flex-based web application that is used to manage the Horizon environment and perform tasks, such as:
- Deploying virtual desktops
- Creating desktop or Microsoft Windows RDS-based pools
- Controlling access to desktop pools
- Creating and managing Horizon Cloud Pods
- Examining Horizon system events
The Horizon Connection Server is one component that is required in every Horizon environment owing to the role it plays as the connection broker and management console. Chapter 2, Implementing Horizon Connection Server, provides the information needed to install and configure a VMware Horizon Connection Server. Chapter 6, Implementing a Horizon Cloud Pod, provides information about the configuration of the Cloud Pod feature that is used to provide Horizon clients access to desktops across multiple Horizon Pods, each Pod representing a standalone installation of VMware Horizon. The following chapters provide information about the deployment of Horizon desktops and management of desktop pools:
Horizon Security Server
VMware Horizon Security Server is a custom instance of the Horizon Connection Server that is designed to be installed in a datacenter demilitarized zone (DMZ), to provide strong authentication and secure access for Horizon clients connecting from outside the organization's private network. Multiple Security Servers may be installed to provide load balancing and high availability to these external clients. The following figure shows the placement of a Horizon Security Server, or Access Point (described next), within a DMZ.
Horizon Security Server is installed on top of a supported version of Microsoft Windows Server using the same installation package used for Horizon Connection Servers. Horizon Security Server is only required if providing access to Horizon clients residing outside of the company network. Chapter 4, Implementing Horizon Security Server, provides the information needed to install and configure a VMware Horizon Security Server.
Horizon Access Point
VMware Horizon Access Point was first introduced in VMware Horizon 6.2, although it was previously used with the VMware Horizon Air cloud-hosted desktop and application offering. Like Horizon Security Server, Access Point is designed to provide strong authentication and secure access for Horizon clients connecting from outside the organization's private network. The figure in the previous section shows the placement of a Horizon Access Point within a DMZ environment, as is typical, since it performs similar functions to Horizon Security Server.
Access Point is packaged in Open Virtualization Format (OVF) and is deployed on vSphere as a hardened, pre-configured Linux-based virtual appliance. Horizon Access Point is provided as an alternative to Horizon Security Server. Like Security Server, it is only required if providing access for external clients, it is designed to be installed in a DMZ, and multiple appliances may be installed to ensure high availability and load balancing. Chapter 5, Implementing VMware Horizon Access Point, provides the information needed to install and configure a VMware Horizon Access Point.
Tip
VMware recommends that customers using Security Server today should continue to do so, but they have also indicated that Access Point is their primary focus moving forward. New deployments may wish to future-proof their Horizon installation by selecting Access Point, as VMware has indicated that Security Server will be deprecated or possibly even phased out in a future Horizon release. I recommend at least trying Access Point, if for no other reason than it can work with multiple connection servers at once, while Security Servers can only be paired with one connection server at a time. Additionally, Access Point can be deployed or redeployed very quickly and with minimal effort.
Horizon Enrollment Server
VMware Horizon Enrollment Server is new to version 7. It is installed as a standalone service and integrates with VMware Identity Manager to enable true Single Sign-On (SSO) for Horizon clients that are using non-AD-based authentication methods such as RSA SecurID. SSO means that, when using non-AD-based authentication methods, users will only need to log into Horizon once to reach their desktop or streamed application. The VMware blog post Introducing True SSO (Single Sign-On) in VMware Horizon 7 (http://blogs.vmware.com/euc/2016/03/true-sso-single-sign-on-view-identity-manager-authenticate.html) provides an overview of this new Horizon feature.
This feature is only used when Horizon clients use non-AD-based methods for authentication. Implementing solutions such as SecurID and VMware Identity Manager is outside the scope of this book, which is why the Enrollment Server will not be covered. Consult the Horizon documentation (https://www.vmware.com/support/pubs/view_pubs.html) for additional information about the deployment and configuration of Horizon Enrollment Server.
VMware vSphere
VMware vSphere, also referred to as ESXi or even ESX for earlier versions, is a Type 1 hypervisor that is the virtualization platform used for the vSphere suite of products. Type 1 hypervisors are designed to run directly on the host hardware, whereas Type 2 hypervisors run within a conventional operating system environment.
ESXi is the only hypervisor that is fully supported by VMware for hosting Horizon virtual desktops, as it fully integrates with Horizon for full desktop lifecycle management. All of the primary desktop provisioning and maintenance tasks are performed using the Horizon Administrator console; the vSphere Client is not used. Horizon supports multiple versions of vSphere, but vSphere 6.0 Update 1 and newer are required to leverage many of the latest features of the platform, and vSphere 6.0 Update 2 is required when you want to use the latest version of Virtual SAN (VSAN). Refer to the VMware vCenter Server requirements section for examples of some Horizon features that require a specific version of both vSphere and vCenter Server.
VMware vSphere also includes the VSAN feature that uses local ESXi server storage to build a highly resilient virtual storage area network (SAN) to provide storage for virtual machines. VMware Horizon supports using VSAN, and we will review how to do so in Chapter 7, Using VMware Virtual SAN with Horizon.
VMware vCenter Server
VMware vCenter Server is a software service that provides a central administration point for VMware ESXi servers as well as other components of the vSphere suite. vCenter Server performs the actual creation and management of virtual desktops, based on instructions received from the Horizon Connection Server and the Horizon Composer Server.
Tip
This book includes some information that applies only to the Windows-based version of VMware vCenter, but rest assured that you are free to use the Linux-based vCenter Server Appliance (vCSA) for your VMware Horizon deployment if you wish. The vCSA supports up to the Horizon single Pod maximum of 10,000 desktops, so there are no concerns about scalability. The most significant difference you will encounter (aside from the fact that you will not need to create a separate database for vCenter) is that when you use the vCSA you will be required to deploy a standalone Horizon Composer server, which is what will be demonstrated in Chapter 3, Implementing Horizon Composer.
Horizon Composer
VMware Horizon Composer is a software service that works alongside the VMware vCenter and Horizon Connection Servers to deploy and manage linked clone desktops. Horizon Composer can be installed directly on the vCenter Server, or on a dedicated server.
Horizon Composer is only required if linked clone desktops will be deployed. Chapter 3, Implementing Horizon Composer, provides the information needed to install and configure Horizon Composer.
Tip
Horizon Composer is not required when using Instant Clone desktops; it is only required if you are using linked clone desktops. Linked clone and Instant Clone desktops are similar in how they operate when deployed, but the deployment process itself is quite different.
Horizon Agent
VMware Horizon Agent is a software service that is installed on the systems that will be managed by Horizon. This includes not only a virtual desktop image that will be deployed using Horizon, but any physical desktops or Microsoft RDS Servers as well.
The Horizon Agent provides services including, but not limited to, support for connecting USB devices attached to the Horizon client to the virtual desktop, client connection monitoring, Virtual Printing, and single sign-on.
Horizon Client
VMware Horizon Client is a software application that is used to communicate with a Horizon Connection Server and initiate connections to desktops and Microsoft Windows RDS servers.
The Horizon Client is available for multiple software platforms, including Microsoft Windows, Apple OS X and iOS, Android, and Ubuntu Linux. In addition, there are a number of Thin and Zero clients that come preloaded with Horizon-compatible clients.
VMware App Volumes
VMware App Volumes is an optional component of VMware Horizon that provides multiple capabilities, particularly in environments where floating assignment desktops are used or changes to a virtual desktop are discarded after every session (also known as non-persistent desktops). The deployment and configuration of VMware App Volumes is discussed in detail in Chapter 9, Implementing VMware App Volumes.
The primary features of VMware App Volumes include:
- The ability for applications to be delivered to Horizon desktops, or Microsoft Windows RDS servers, immediately and dynamically, in a manner that is transparent to the end user. This feature works both with Horizon desktops and Microsoft Windows RDS servers, and is called an App Volumes AppStack.
- The ability to roam user-installed applications across Horizon client sessions, even if a different desktop virtual machine is assigned during the next logon. This feature is designed for use with Horizon desktops only, and is called Writable Volumes.
The following diagram shows the logical layering of multiple AppStacks and a Writable Volume on top of the host operating system. Each of the items is attached to the host virtual machine individually when a user logs in, can be removed individually if changes are required, and will follow a user from one login to the next.
App Volumes AppStacks are packaged as a Virtual Machine Disk (VMDK) file and attached to one or more virtual machines as needed. The App Volumes agent seamlessly integrates this VMDK into the virtual machine's OS; no actual installation is performed. App Volumes can even capture an application packaged using VMware ThinApp, which provides organizations that rely on ThinApp with an additional method for distributing their virtualized application packages.
App Volumes creates a unique Writable Volume for each user, using a VMDK that is also seamlessly integrated into their current virtual machine. The Writable Volume is attached to the Horizon desktop when the user logs in, and detached upon logoff.
The combination of VMware App Volumes, and VMware User Environment Manager (discussed next), provides organizations with a way to leverage the efficiencies of floating assignment non-persistent desktops (described in Chapter 10, Creating Horizon Desktop Pools), while still providing users a highly personalized desktop experience.
VMware User Environment Manager
VMware User Environment Manager (UEM) is an optional component of VMware Horizon that provides the ability to roam end user Windows profile and persona configuration data, including application settings, across different Windows operating system (OS) versions, or even between physical desktops and virtual desktops or Windows RDS servers.
VMware UEM works with all three Microsoft Windows profile types: mandatory, roaming, and local. UEM is not a replacement for any of these profile types as it does not roam user data across sessions or devices, only the profile and persona configuration. User data should be saved using techniques such as roaming profiles, or even folder redirection.
Highlights of the benefits of UEM include:
- A consistent and personalized end user experience, regardless of where a user logs in or which Windows OS they are using.
- Implementation of various settings that previously required AD group policies, such as Windows user profile redirection, and some Horizon agent settings.
- Customization of user settings, such as printers, based on logon location.
- Elimination of the need to perform user profile migrations when moving to a newer version of Windows that has a new profile type (such as from Windows 8.1 to Windows 10).
- Robust design that scales to support over a hundred thousand end users.
- Simple design that requires no scripting knowledge, can be implemented rapidly, and requires minimal infrastructure to begin using.
Chapter 8, Implementing VMware User Environment Manager, provides information about how to implement and administer UEM.
VMware ThinApp
VMware ThinApp is an application virtualization platform that integrates with Horizon to provide users with rapid access to new or upgraded applications without having to perform any changes to the virtual desktops. Applications that have been packaged with ThinApp are delivered as a single executable file that runs in complete isolation from both other ThinApp-packaged applications and applications that are installed on the desktop itself.
ThinApp provides Horizon customers with a number of powerful capabilities. The following list details two popular scenarios where ThinApp can benefit an organization:
- Eliminate application conflicts that can occur when specific programs are installed together within the desktop image
- Virtualize legacy applications to ensure that they will continue to function regardless of the underlying Windows OS
This book does not have a dedicated chapter concerning VMware ThinApp; consult the VMware ThinApp documentation page for details about how it is used (https://www.vmware.com/support/pubs/thinapp_pubs.html).
Tip
In Chapter 9, Implementing VMware App Volumes, I will provide an overview of how you can use ThinApp virtualization within an AppStack.