Xtravirt — Single Sign On: The VDI Challenge

By Curtis Brown

Introduction

VMware PowerCLI has been in existence for quite some time and over the last 2 years it has been moving at quite a rapid pace.  It has traditionally been used to provide PowerShell based command and control functionality within VMware vSphere environments, with particular focus on the ability to create scripted functions for automation purposes.  Used in conjunction with automation and orchestration tooling, a great many bespoke capabilities are available.

During 2018, there has been a release around every 2 months, the current release, version 11 was released in October and provides support for the following:

• vSphere 6.7U1
  
• VMware Horizon 7.6
  
• NSX-T 2.3
  
• VMware Cloud on AWS
  

Being based on PowerShell, it is also compatible with third party modules, such as those administering Active Directory, to provide an integrated solution across a wide range of products.

In this blog, I look at PowerCLI’s ability to support VMware Horizon.

Installing VMware PowerCLI

Installing PowerCLI was once a case of downloading an installer from the VMware Portal and installing the components.  However, PowerCLI is now published from the PowerShell Gallery on the internet (https://www.powershellgallery.com/packages/VMware.PowerCLI/11.0.0.10380590) permitting installation on a connected PC straight from the PowerShell interface, simply by running:

Install-Module -Name VMware.PowerCLI

You might get something like this (accept the default):

Then it’ll install…

To allow execution of local scripts:

Set-ExecutionPolicy RemoteSigned

Then, run the following to confirm it’s all installed successfully.

Once installed, it’s worth configuring the Customer Experience Program participation by Enabling or Disabling this (It stops nag messages).

Set-PowerCLIConfiguration -Scope User -ParticipateInCEIP $true $false

After that, the basic PowerCLI is ready to go.

What can we do for Horizon?

‘Out of the box’, PowerCLI only provides  the ability to connect or disconnect to the Connection Server, so providing a conduit for accessing the Horizon APIs.  To connect to Horizon Connection Server:

Connect-HVServer -Server connectionserverFQDN -user adminuser@domain -Password XXXX

However, VMware maintain example scripts at https://github.com/vmware/PowerCLI-Example-Scripts that can be used as a basis for automation of Horizon and the other supported components.  

By downloading the scripts as a ZIP file, it is possible to install them.  First, check $env:PSModulePath to locate the modules directory paths (usually, there’s the user specific path, plus system ones)

For Horizon, we extract VMware.hv.helper from the ZIP and drop this into C:\Program Files\WindowsPowerShell\Modules.

In PowerShell, we then unblock the newly exported folder by running

dir ‘C:\Program Files\WindowsPowerShell\Modules\VMware.Hv.Helper\’ | Unblock-File

With this in place, we can now use a whole raft of useful PowerShell commands (they can be listed by using Get-Command -Module ‘VMware.Hv.Helper’). These can be used for automation of tasks and generating reports.

For example, Get-HVPoolSummary will list configured pools, including their type, assignment type and status:

And we can see how many VMs are available:

Get-HVHealth shows a basic status:

By leveraging the ‘New‘ and ‘Remove’ commands, it is possible to provision and destroy new Pools (desktops and applications), entitlements, RDS Farms and Cloud Pod objects such as Sites and Entitlements.  For Example, setting up Shared Desktop pool ‘Teachers 1’:

Closing Thoughts

What we have here is a set of powerful tools that are not just capable of managing the VMware vSphere infrastructure, but can also expand into the realm of delivering desktop pools – all from scripting and automation.  For example, it would be possible to create a script that would leverage PowerShell to create an Active Directory Group and populate it, then create a desktop pool and grant the members of the group access to it.  Further, this could be used in concert with vRealize Automation and Orchestration to provide a portal for self service requests for generating desktop pools and services.

Given that the current release supports VMware Cloud on AWS as well as VMware Horizon, this offers the tantalizing prospect of being able to programmatically manage a federated on-prem and AWS hosted Horizon Cloud Pod Architecture.  The sky is the limit!

If you’re planning to deploy a Virtual Desktop solution, we can help. Xtravirt provide design and implementation services to create the right solution for your organisation. Contact us and we’d be happy to use our wealth of knowledge and experience to assist you.  

About the Author

Curtis Brown joined the Xtravirt consulting team in October 2012. His specialist areas include End User Compute solutions and Virtual Infrastructure design and implementation with particular strength in VDI, storage integration, backup and Disaster Recovery design/implementation. He was awarded VMware vExpert 2018 and is a graduate of the VMware Advanced Architecture Course 2018.

About Xtravirt

Xtravirt are an experienced consulting firm dedicated to delivering outcomes to help customers solve their IT challenges. We design and build strategies to help customers unlock the full potential of cloud, datacentre and workspace technology.

We are the VMware Global and EMEA Professional Services partner of the year.

www.xtravirt.com

by Curtis Brown

Once upon a time (in the mid 2000s), VMware decided to delve into the End User Compute market space, taking on the juggernauts of Citrix and Microsoft by releasing VMware Virtual Desktop Manager (VDM). This evolved into VMware View in 2008, and over the following eight years a further re-branding exercise resulted in the release of the VMware Horizon Suite. Our plucky VDI software evolved into VMWare Horizon (with View) then Horizon View with the release of version 6.0, and finally in version 7 ‘Horizon 7’, with the name ‘View’ reserved as a hangover legacy name for the VDM components.

So, as a customer, you’ve decided to invest in VMware Horizon.  These days, Horizon is much more than simply a means to deliver a desktop to a user.  With the modern realisation that the user isn’t really after a desktop (they just want their applications), Horizon is now, more than ever, a suite of products that allow you to deliver applications in a multitude of ways.

This article aims to provide you with a quick primer on these products and how they fit together.  For the sake of simplicity, it will stick to the on-premises offerings, largely as these are still the most common ‘in the wild’, though Cloud based elements, such as AirWatch, are gaining ground.

The Shopping List

Let’s start by exploring the suite from a component level.  The suite comprises the following products*:

Product License Level What does this do

VMware Horizon (

the View component)

Standard

Advanced

Enterprise

Delivers Virtual Desktops as either dedicated VMs or via Remote Desktop Session Hosts (RDSH).

The latter ability is also used to deliver Published Applications (Not in Standard though).

VMware ThinApp Standard

Advanced

Enterprise

This is what is known as Application Virtualisation.  An application is re-packaged in a self-contained executable that can be run on a Windows PC (physical or virtual).  The self-contained nature means that it is essentially sand-boxed – with minimal dependency on the surrounding operating system (required DLLs, configuration etc. are self-contained)

VMware Identity Manager Standard Advanced

Enterprise

This provides user facing authentication and single sign-on (SSO) capabilities as well as an application portal for presenting Virtual Desktops, Remote Applications, ThinApp packages and web-based applications.

The SSO element can be used to provide immediate access to Web based applications if these are capable of SAML-based authentication.

_Beyond Horizon, Identity Manager is available in an Advanced version and as part of AirWatch.  These provide additional features, notably in Mobile Device management including device configuration, remote wipe etc. _

VMware App Volumes Enterprise This product provides the means to deliver defined stacks of applications (AppStacks) to virtual desktops or RDSH servers instantaneously using shared Virtual Disks.

This is quite agnostic – and can be purchased and deployed with other VDI solutions such as Citrix XenDesktop.

VMware User Environment Manager Enterprise This is used to manage user’s Windows Profile – the users environmental and application settings.  The Windows profile is notoriously large and unreliable, especially in a roaming context.  UEM provides a means to streamline and centrally manage the Windows profile, so improving log on times and reliability.

As with App Volumes, this too can be purchased and used outside of Horizon – including with physical devices.  In this context, its central management of settings is particularly useful.

If you’re using Standard or Advanced, the View part of Horizon includes the older Persona Manager product.  This uses a compressed version of the Windows Profile to speed up the delivery of Roaming Profiles to virtual desktops.

VMware Mirage AdvancedEnterprise This provides a layered-image based desktop management solution. Although it can be used in Virtual Machines, it is primarily aimed at the management of physical Windows PCs in a corporate environment.

Its abilities include in place operating system upgrades and the delivery of sets of applications that are layered on top of the base image.  This makes it quite attractive for Windows XP/Vista migrations for example.

VMware FLEX is based on VMware Mirage, combining its technology with that of VMware’s desktop hypervisors – Workstation (for PC) and Fusion (for Apple Mac) – to deliver centrally managed, encrypted offline Virtual Desktops.  This is predominantly intended for BYOD or field staff who require a corporate desktop in a roaming context where connectivity to Horizon might be difficult.  It’s not part of the Horizon Suite and is sold separately.

*the components you’re entitled to depends on the level of licensing you’ve purchased

The Horizon Suite also includes VMware vSphere for Desktops.  This is functionally equivalent to Enterprise Plus in terms of features, but is licensed per desktop.  The idea is that this is used to host the published desktops while the Horizon infrastructure servers are hosted in the corporate server estate.

How it all hangs together…

The following diagram shows how the platform holds together as a single site solution.  This is a somewhat simplified example with no resilient components, firewalls and load balancers and concentrates on Internet based access.

We can see how our user initially connects from their device to Identity Manager.  The user’s device and location can define how they authenticate – for example, access from the outside might need Two Factor Authentication, whereas an internal user might just need an Active Directory Used ID or password.

Once authenticated, the user can see the applications they are entitled to.  Let’s first look at a Cloud based application such as SalesForce.  If the user selects this, Identity Manager (having already been configured with a SAML relationship to Salesforce), passes the user authentication as a token to the user’s browser accessing the Salesforce application – without them needing to log on a second time.

When considering an application or desktop presented by Horizon View, the request is passed to the Connection Servers.  These will initiate a session to an available desktop (either VDI or RDSH, depending on what is requested) – in the case of VDI desktops, these can be provisioned as Linked Clones using Composer.

As the VDI session is logged on, the App Volumes Agent detects the credentials and App Volumes mounts an entitled AppStack containing the application required.  The user’s Windows Profile is provided via UEM.  For internet-based users, the View session is tunnelled out via the Security Server/Appliance in the DMZ.  Internal users connect directly to their session (though this can be configured to tunnel via the Connection server).

ThinApp packaged applications may well be deployed to the Horizon desktop (possibly inside the App Volumes AppStack), but as an alternative, if the Workspace ONE client is installed, Identity Manager can stream a selected entitled package directly to the user’s Windows laptop/desktop, straight from the Identity Manager Portal (this isn’t shown above).

Alternatively, VMware Horizon Mirage can be used to manage and protect our PCs, whether within the network or outside (via the security gateway in the DMZ).

Closing Thoughts

The Horizon suite has quite a few elements, each delivering different pieces of the puzzle – even in a basic configuration.  However, in concert, the solution is quite seamless to the end user.  The single point of access and authentication becomes Identity Manager, with this presenting all the entitlements desired through a single pane of glass.

If you’d like to learn more about VMware Horizon and how to use it to deliver applications to end users, please contact us and we’d be happy to use our wealth of knowledge and experience to assist you.

About the Author

Curtis Brown joined the Xtravirt consulting team in October 2012. His specialist areas include End User Compute solutions and Virtual Infrastructure design and implementation with particular strength in VDI, storage integration, backup and Disaster Recovery design/implementation. He is a VMware vExpert 2017.

By Curtis Brown

Introduction

As VMware Horizon® 7 has developed, we’re starting to see the product evolve from the existing Horizon Admin Console based on Flash to a new Horizon Console based on HTML5. It’s a steady evolution, in much the same light as VMware® vCenter HTML5 console evolved through releases of VMware vSphere® 6.5 and 6.7.

The 7.8 release of VMware Horizon is the most feature-rich to date and adds much in the way of configuration settings as well as provisioning.

A Quick Guided Tour

So how do we access this new console?  VMware have been particularly imaginative with the URL.  While the old console had the URL of HTTPS://(Connection Server)/admin, we now have HTTPS://(Connection Server)/newadmin for the new console. Which at least allows us to access both consoles.

At the logon page, we can enter our admin credentials.

Once logged in, we see the nice, clean HTML5 interface.

On the left a navigation pane; at the top, we have a dashboard view – this has a splash screen at the moment, so it appears to be more of a placeholder.

Users & Groups covers entitlements while the Inventory section covers the resources to be published, much in the same way as the old console.

JMP is new – this refers to the Just-In-Time Management Platform.  This will be covered in a future post, but it provides a means to integrate Horizon View, User Environment Manager and App Volumes for assigning and controlling resources.

The last section, Settings, is a new area in the Console.  It provides the direct replacement for the Settings in the old admin console, allowing the admin to configure Servers, Cloud Pod Architecture and other settings.

Notice in the vCenter Servers page, it still includes Composer.  Although there’s a push to move to Instant Clones, Composer based Linked Clones are still alive and well.

If we add a vCenter, we get presented with a cleaned up, but familiar wizard.

One significant difference is the non-appearance of the Security Server tab.  However, as is common in the later 7.x iterations admin console, it is possible to register Unified Access Gateway appliances.

Closing Thoughts

There are a few areas where it’s still a work in progress, some of which are a little odd.  While you can configure Cloud Pod Architecture, you can’t control the basic global settings or the Events database, let alone add a Horizon license key.  Remember though, it’s a work in progress and for day-to-day admin, it’s pretty good.

About the author

Curtis Brown joined the Xtravirt consulting team in October 2012. His specialist areas include End User Compute solutions and Virtual Infrastructure design and implementation with particular strengths in VDI, storage integration, backup and disaster recovery design/implementation. He was awarded VMware vExpert 2019.

About Xtravirt

If you’re embarking on either an upgrade or a new VMware Horizon implementation, Xtravirt have the expertise and experience in the End User Compute space and can provide advisory, design and implementation services to create the right solution for your organisation. Contact us and we’ll be happy to assist you.

by Curtis Brown

Introduction

What is GRID?

New Hardware - M6 & M60

Onto the PoC…

Installing the infrastructure

Laying out the GRID

• The Nvidia GPU Mode Switch tool
• NVidia GRID 2.0 software package
• Nvidia GRID 2.0 License server.

GPU Mode Switch

• To check the current mode run gpumodeswitch --listgpumodes
• If the mode needs to be changed to graphics, run gpumodeswitch --gpumode graphics

Installing the VIB

Prep the Nvidia License Server

Configuring the VM for View and 3D acceleration.

Closing thoughts

About the Author

By Curtis Brown

A brief update

Following my visit to VMworld Europe in 2017 I wrote a blog post on VMware Horizon Cloud on Azure. Much has changed in a year, so it seems rather timely, given that VMworld Europe 2018 has just concluded, that I update the blog.

Where we were….

Going back a year to 2017, VMware Horizon Cloud on Azure had only just launched and at the time, it was capable of publishing full clones of Remote Desktop Session Host servers for publishing Shared Desktops and applications.  A pretty good start, all things considered, albeit slightly functionally limited compared to the VMware Hosted offering that could also offer dedicated VDI desktops.

A year on, where are we now?

Things have definitely moved on in the last year.  Not only is feature-parity between Azure and VMware Hosted offerings somewhat closer, but in one area, graphics, the Azure offering is actually superior!

Deployment

The deployment model has remained the same – you bring your own Azure subscription rather than lean on VMware for the hosting.  In this sense, it is still the case that a cost/benefit analysis needs to be undertaken

The cost of deploying Horizon VMs on Azure can be more expensive when compared to the VMware hosted offering.  To be fair, Azure is more oriented towards a server offering than desktops, so perhaps this shouldn’t be too much of a surprise.  To counterbalance this however, one must also consider connectivity in the equation.  If you already have an established Azure tenant with backhaul connectivity to on-site, then deploying VMware Hosted with its own connectivity overhead may counter the VM costs to a degree – certainly, the operational upkeep of additional environments and connectivity is a consideration.

An additional point to consider may be functionality.  From a deployment perspective, Horizon Cloud on Azure is now starting to offer dedicated and floating full desktops, not just shared.  However, at present, Instant Clones are not supported so deployment is limited to essentially persistent desktops.

Features

There is, as yet, no support for VMware App Volumes AppStacks in Horizon Cloud, so legacy deployment mechanisms will need to be considered.  As desktops are currently persistent in nature, legacy tooling such as Microsoft System Center Configuration Manager remain viable in this sense, though streaming application virtualisation tools such as VMware ThinApp and Microsoft App-V would be attractive too.

One feature that stands out over Hosted Horizon Cloud is that Azure offers enhanced graphics using Nvidia vGPU technology.  So, if you have a need for graphically intensive workloads in the Cloud, then Azure is currently the better choice.

Otherwise, with respect to connectivity protocols, management interfaces and other functionality such as the Skype for Business Virtualization Pack, the two offerings are now aligned.

What about VMware Cloud on AWS with Horizon?

VMware and Amazon Web Services have joined up to offer their VMware Cloud on AWS solution.  This allows customers to deploy a full VMware vSphere infrastructure in AWS data centers.  On top of that, it is possible to deploy VMware Horizon, so in a sense there is now a third Cloud desktop offering.

VMware consider this as an IaaS solution with desktops on, rather than a Desktop-as-a-Service offering as the customer has to look after the management tier of Horizon here, as opposed to Horizon Cloud.

The million-dollar question is - which is best? Well, there’s no easy answer to that.  Functionality wise, Horizon View has been around longer, has far greater scalability and the ability to federate multiple instances for greater resilience.  In an on-prem capacity, vGPU is supported, however this has yet to reach AWS.  The economics are more complex too given the different acquisition model involved.

There are a considerable number of use-cases where Horizon on VMware Cloud on AWS makes much more sense. For example, you have an on-prem VDI (and other services) that you wish to provide an instantaneous Cloud based DR or scaling offering, this is much more seamless and flexible than Horizon Cloud.

Closing Thoughts….

While the choice between on premises and then several cloud offerings is undoubtedly great, never has it been more apparent that an analysis prior to deciding is not just a ‘nice to have’ but a necessity.  The wrong decision can have expensive repercussions.  Such an analysis needs to consider:

• The business needs:
  

1. How does the business function currently and what are the issues to address?
   
2. How will a given solution benefit the business?
   

• Technology needs:
  

1. Compatibility with the existing environment
   
2. What connectivity do I have, and what will I need?
   
3. What resilience and security features are required?
   

• User needs:
  

1. Where are the users working?
   
2. What devices do they use and how do we manage them?
   
3. What and where are application services that users need?
   

For some customers, on-premises will remain the best approach to VDI, while others may benefit from the VMware Cloud on AWS approach offering both hybridity and flexibility and yet more may find a Desktop-as-a-Service the suitable answer.

Horizon Cloud on Azure has evolved rapidly and offers a convincing use case for customers who can gain a tangible benefit from it, but it’s not suitable in all cases.  If you need a DaaS solution and have Azure already or have graphical requirements that can’t be met in Horizon Cloud Hosted, then this might be your answer. But consider all possibilities and use cases before committing.

If you’re considering a VDI solution or digital workspace transformation, whether Cloud or On-Premises, we can help. We provide advisory, design and implementation services to create the right solution for your organisation. Contact us and we’d be happy to use our wealth of knowledge and experience to assist you.  

About the Author

Curtis Brown joined the Xtravirt consulting team in October 2012. His specialist areas include End User Compute solutions and Virtual Infrastructure design and implementation with particular strength in VDI, storage integration, backup and Disaster Recovery design/implementation. He was awarded VMware vExpert 2018 and is a graduate of the VMware Advanced Architecture Course 2018.

About Xtravirt

Xtravirt are an experienced consulting firm dedicated to delivering outcomes to help customers solve their IT challenges. We design and build strategies to help customers unlock the full potential of cloud, datacentre and workspace technology.

We are the VMware Global and EMEA Professional Services partner of the year.

www.xtravirt.com

By Curtis Brown

There are a considerable number of blog posts and articles that have looked at the individual components of the VMware® End User Compute stacks, so I thought I’d take a high-level look at some of what’s possible when we take the whole solution in its entirety.

The Moving Parts

In the early days of VMware’s End User Compute efforts, we were looking at a relatively simple stack of VMware vCenter, ESX and Virtual Desktop Manager (or, to you young folks, Horizon View 1.0 or 2.0 back in 2007/8).  These days, things are somewhat more powerful, offering a wider array of capabilities, but these capabilities also require more moving parts.

The diagram below shows the VMware components that could be deployed in a solution.  

 Now, let’s look a little deeper…

For Virtual Desktop delivery, we have the underlying infrastructure of VMware vSphere with vCenter and ESXi.  However, we can enhance this further in two ways. Firstly, we can leverage local storage by implementing VMware vSAN rather than rely on a SAN/NAS based solution. Secondly, we could deploy VMware NSX to provide enhanced security in the form of micro-segmentation of the network as well as anti-malware protection using Guest Introspection.

For publishing desktops, we have VMware Horizon View. The connection servers provide the brains, managing entitlements and provisioning of desktop and application pools. For secure access from untrusted or external networks, we deploy either Security Servers, or, more recently, Unified Access Gateway appliances to serve as a proxy into the solution.  VMware Horizon View Composer is used to manage and deploy non-persistent Linked Clone desktops.  Although this approach is in decline as Instant Clone technology replaces it.

We then need to consider the management and delivery of applications and user settings.  For the latter, we can integrate VMware User Environment Manager.  This can manage both environmental settings (including delivery of application shortcuts, drive mappings etc) as well as eliminating the issues related to Windows Roaming Profiles.  For application delivery, we can use App Volumes within the virtual estate or leverage the estate itself to publish Remote Desktop Session Host based remote applications.  ThinApp, although somewhat out of favour these days, remains an option for direct delivery to Windows Endpoints (via VMware Workspace ONE Identity Manager) or within Horizon View desktops.

When it comes to monitoring the estate, we can use VMware vRealize Operations Manager with the VMware Horizon Management Pack.  It’s possible to expand further still by leveraging more of the vRealize suite, notably VMware vRealize Log Insight for capturing logs from both the solution as well as the environment.

We then move out into two topics – The Endpoint and the User. These are somewhat integrated topics these days as they do overlap.  

VMware Workspace ONE comprises two key elements:  

• Unified Endpoint Management can provide control, configuration and administration to endpoints, be they mobile devices or traditional desktops.  
• Identity Manager provides the user authentication layer into the solution as a whole, while also providing a unified catalogue of applications and services, whether publish via VMware Horizon or whether through single sign-on to cloud services.  

Another offering that is often overlooked, but still a part of the VMware Horizon licensing (at the Advanced and Enterprise level) is VMware Mirage.  This can provide image level management of Windows based client desktop/laptops. FLEX leverages the Mirage infrastructure in conjunction with VMware Workstation and VMware Fusion to provide an offline VDI capability.

What parts are available is largely defined by what is purchased.  Some parts are included in the various VMware Horizon editions, while some, notably VMware vSAN, VMware NSX and VMware Horizon FLEX are separate products.  In the case of Workspace ONE, VMware Horizon Advanced and above includes just Workspace ONE Identity Manager Standard.  To get the full Workspace ONE suite requires purchase of Workspace ONE as a specific product.

VMware Horizon editions can be compared at:

https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/products/horizon/vmware-horizon-editions-compare-chart.pdf.

The Art of the Possible

For the purposes of looking at what is possible, let us assume that an Alien Space Bat has deemed it fit to leave an unlimited budget for us to acquire all these tools.  Here’s a few ideas of what we could achieve:

• By integrating the full VMware Workspace ONE with Horizon, we can fully manage security between a user, a managed endpoint and access to Virtual Desktops.  By managing the device using VMware Workspace ONE Unified Endpoint Management and establishing Compliance checking, we can define an Identity Manager policy that allows access only to users with valid credentials who are using compliant devices to the Workspace ONE catalogue. In turn, users can then access a VDI desktop from the relevant icon in Workspace ONE.

• It is possible to provide a single portal to a geographically spread VMware Horizon VDI offering that will connect users seamlessly to the nearest desktop instance. Workspace ONE Identity Manager can provide location awareness based on client IP address.  By defining IP ranges, and relating these to the public DNS name for the local Horizon site, Workspace ONE will direct users to the nearest VMware Horizon site for optimum performance.  This leverages VMware Horizon Cloud Pod Architecture to present a common entitlement across all instances.

• App Volumes, User Environment Manager and NSX Distributed Firewall Rules can be tied to Active Directory groups.  We can therefore deploy an application in an App Volumes App Stack, with a standard configuration provided by UEM and permit traffic from the application to a specific server all tied to a single Active Directory Group.

And these are but a few options.  When you consider that a number of these offerings are now available in a cloud-based form, the options broaden still.  Workspace ONE components both offer cloud and on-premises variants, while VMware Horizon now includes not only the on-premises offering, but also the ability to deploy on top of VMware Cloud on AWS or the full Desktop-as-a-Service offering of Horizon Cloud.

Closing Thoughts…

As a range of products that can be built in an array of different configurations, it is possible to design and deploy solutions that fit a broad variety of use cases, from simple to very specific.

If you are looking to deploy a new Digital Workspace solution or wish to enhance or upgrade what you currently have, then Xtravirt can help. We have a long track record of successful digital workspace projects and can provide advisory, design and implementation services to create the right solution for your organisation. Contact us and we’d be happy to use our wealth of knowledge and experience to assist you.  

About the author

Curtis Brown is a Lead Consultant at Xtravirt.   His specialist areas include End User Compute solutions and Virtual Infrastructure design and implementation with particular strength in VDI, storage integration, backup and Disaster Recovery design/implementation. He was awarded VMware vExpert 2018 and is a graduate of the VMware Advanced Architecture Course 2018.

About Xtravirt

Xtravirt is an independent cloud consulting business. We believe in empowering enterprises to innovate and thrive in an ever-changing digital world. We are experts in digital transformation and our portfolio of services cover digital infrastructure, digital workspace, automation, networking and security.

by Curtis Brown

VMware’s virtual desktop and application publishing portfolio has gotten increasingly complex of late, with a mix of cloud and on-premises offerings, and this is even before you consider the components that make up the supporting pieces, such as User Environment Manager, App Volumes and integration with Workspace ONE.

In this article I hope to provide you with a (little) clearer view as to which Horizon to look out onto (pun intended).

 The On-Prem option – Horizon 7

This is the ‘great original flavour’ of VMware’s desktop virtualization offering.  The customer provides the tin to host it all on, builds a VMware vSphere estate (with VMware vSphere for Desktops included in the suite) and then layers on the VMware Horizon components for delivery of either Virtual Desktops or Remote Application publishing.

It does have several pro’s and cons –

• You have flexibility on the scale and architecture, including geographic locations.
• Scaling from very small to incredibly large, through the ability to leverage Cloud Pod Architecture.
• Proximity to on-premises services and corporate network users can be an advantage, particularly for client/server resources.
• Scaling down is expensive as you own the tin it’s hosted on.
• It can generate VDI desktops, RDS Desktops and applications, using a number of delivery methods (Linked, Instant and full clones) of whatever specification you’ll need.

Being the most developed product, in combination with being in a customer-owned environment, it has a greater range of integration points with third party products, for example, there are numerous application delivery tools available.

When On-Prem is also Cloudy – Horizon View on VMware Cloud on AWS

This next offering is also the newest.  VMware Cloud on Amazon Web Services (VMC on AWS) is an Infrastructure as a Service (IaaS) offering that allows a customer to purchase VMware vSphere environments on AWS. As an IaaS solution, the customer has more control over the estate than would be the case in most XaaS offerings, to the point that it is possible to deliver VMware Horizon View on the platform.

Functionally, this is the same as the on-premises Horizon View, right down to the point that you build your own servers for hosting the otherwise identical components, however, there are a small number of caveats.  The biggest one of these is that you can’t use Linked Clones for delivering desktops – only full or instant clones are supported.  Although given that Instant Clones are rapidly superseding Linked clones, this is not that much of a loss.

As this is a Cloud solution, there are still questions to answer with respect to connectivity to on-premises resources, though if application services are moved to AWS, this is less of an issue.

By leveraging multiple tenants and AWS connectivity, it is possible to scale outwards for geographical and resilience reasons.  It is even possible to run a Cloud Pod federation that includes both on-premises and VMware Cloud on AWS-hosted Horizon Pods.  It’s a little more elastic than an on-premises solution in that you can scale down the VMware Cloud on AWS tenant.

Going Full Cloud – Horizon Cloud

The next option is VMware’s true Desktop-as-a-Service (DaaS) offering, Horizon Cloud.  Currently, this is available in two flavours – Horizon Cloud on IBM Cloud and Horizon Cloud on Microsoft Azure.   Each of these have slightly different attributes that affect use cases, however as both use a common management backplane, they’re similar to administer.

The key thing that separates the Horizon Cloud flavour is that because it’s a DaaS offering, the buyer is literally just an administrator of desktops – all the broker components and (in the case of the IBM Cloud hosted) infrastructure is controlled and maintained by VMware.  If you require elasticity in scaling both up and down, this is the most dynamic offering as it is purchased in desktop capacity units as a subscription service.

Horizon Cloud on IBM Cloud

This is hosted on an IBM platform based on VMware vSphere technology.  This option is comparatively cheap and is intended to be the ‘all in one’ greenfield solution as the license includes the compute capacity as well as Horizon licensing.

It can provide full VDI desktops, or Remote Desktop Session Host (RDSH) based desktops and published applications.  For VDI, it can produce non-persistent desktops using Linked Clone technology. There are several Nvidia GPU offerings for graphic intensive desktops, but only for full VDI.

While this solution offers VMware App Volumes for application delivery to the desktops (no user assigned disks), it does not support the use of App Volumes with RDSH servers, unlike the Horizon View offerings.

As a DaaS offering, rather than IaaS, integration is limited – for example, little ability to leverage virtualisation-based app delivery tools outside App Volumes and no agentless anti-virus.

Horizon Cloud on Microsoft Azure

By leveraging the same broker technology and management portal as Horizon Cloud on IBM Hosted, it is now possible to deploy on your own Microsoft Azure tenant.  In this case, an appliance is used to automate the cloning process for deploying full clones in Azure – there is no Instant Clone capability here currently.

This is largely intended for those who want to do desktop virtualisation and already have Azure. It’s not particularly cheap as you must pay both VMware (for Horizon licensing) and Microsoft for the Azure VMs. While it has no App Volumes support at all, it does, however, have enhanced 3D graphics support through Microsoft Azure GPU-enabled infrastructure for RDS workloads.

Closing Thoughts

The choice is quite broad, but must be considered with care, leaning heavily on the use case.  The discovery process is more critical than ever and should be embarked upon before signing on the dotted line for a product to ensure that not only is the solution sized and designed correctly, but that the correct platform is selected in the first place.

The Horizon Cloud DaaS offerings are compelling, but they aren’t a panacea – you still need to design and administer the solution.  You’ve only eliminated the infrastructure support and moved your desktops further away from your users and their data.

Horizon View remains the most flexible product and, with the VMware Cloud on AWS support, even offers a cloud presence and better scaling options than previously.  An interesting option here is a hybrid approach of Horizon View on-premises, but federated with an AWS hosted tenant for DR.  The disadvantage is that you need to keep the platform running rather than throwing infrastructure issues over the fence to VMware and that infrastructure will be costly.

Ultimately, it’s a ‘choose your poison’ decision, which re-emphasises the point above – don’t rush in and buy first/design later – carry out a proper investigation into the options and decide based upon business requirements and use cases.

Xtravirt have been involved in End User Compute virtualisation projects of all sizes for many years, bringing a broad range of skills and experience to the table. If you are looking to deploy a new digital workspace solution or wish to enhance or upgrade what you currently have, we can help. We have a long track record of successful workspace projects and can provide advisory, design and implementation services to create the right solution for your organisation. Contact us and we’ll be happy to assist you.

by Curtis Brown

As those of you who have the joy of supporting end-users will know (and this old techie has worn that badge of honour!), any tool that can make getting to grips with an issue easier is always welcome, particularly if it means getting your hands on the user’s desktop to see the problem in action.

So it’s welcome news that the latest release of VMware Horizon® 7.2 brings into play a fully integrated helpdesk tool, specifically for supporting VMware Horizon desktop sessions. It provides session information, as well as several remote operational abilities such as resetting sessions, remote control, logging off users etc.

Setting up Helpdesk

You don’t need to do anything fancy to install it as it’s a part of the Connection Server installation, however there are several recommended additional steps to get best use from it.

You will need to configure the Events database – this provides session information to the HelpDesk console, so it’s pretty important. To track logon events properly, a further command should be run on each Connection Server:

vdmadmin -I -timingProfiler -enable

Oh, and ensure that the VMware Horizon Agent installed in the desktop templates is also a 7.2 release – otherwise you’ll miss desktop side session information.

Getting into the Help Desk Tool

There are two ways of accessing the Helpdesk tool.  In either case, a user will require Admin access to Horizon – Inventory Admins should be sufficient for most operations.

The first option is to log into the Admin console for horizon (HTTPS://(ConnectionServer URL)/admin). Once logged in, there is a new Help Desk button in the top bar of the console – click on this to access the helpdesk tool – the credentials pass through, all Single Sign-On style!

Alternatively, you can access the console directly (via HTTPS://(ConnectionServer URL)/helpdesk) and then log on with the right credentials.

Doing Help Desk stuff.

So, once you’re all set up and logged in, you can use the tool to do all sorts of heroic Help Desk stuff. The front page offers a search function.

Punch in the name of the user, for example, “Curtis” and it’ll pull in the Active Directory credentials of the user – if the Active Directory E-mail and phone number fields are filled in, these are also displayed.

If you click on the user, you’ll get a new page with a summary of running sessions and entitlements.

Under ‘Sessions’, you’ll see the highlights of all running sessions - the green ones are connected sessions.  It’s even Cloud Pod aware – the L status refers to a session in the local Pod, and the G status refers to a session in the global Cloud Pod environment. If you then click on the Computer name, you can drill down further.

If the Agent is 7.2+, you get detailed session info, including CPU performance, memory usage and more.  Further, you can do some active tasks on the session.

You can send messages to the specific session or offer Remote Assistance.  The latter plugs into Microsoft’s Remote Assistance functionality, so this will need to be enabled and configured in the VM.

On VDI sessions (not RDS Published Desktops or Application Sessions), you can issue a restart command to the desktop – this will reboot the VM.  You can also disconnect or log off users.  The Reset function differs from Restart in that the latter is a graceful shutdown and restart – Reset should only be used if the VM has hung.

Closing Thoughts….

So, a welcome set of useful capabilities has been added to this point release – and one that focusses on supportability rather than the usual performance or user-centric capabilities.

If you’re in need of assistance with a troublesome Horizon solution or perhaps want some support upgrading or implementing a new one, please contact Xtravirt, and we’d be happy to use our wealth of knowledge and experience to assist you.

About the Author

Curtis Brown joined the Xtravirt consulting team in October 2012. His specialist areas include End User Compute solutions and Virtual Infrastructure design and implementation with particular strength in VDI, storage integration, backup and Disaster Recovery design/implementation. He is a VMware vExpert 2017.

by Curtis Brown

VMware NSX® network virtualisation platform has been around for a little while now delivering an operational model for networking that forms the foundation of the Software-Defined-Data-Centre.  It’s often associated more with server virtualisation or as a component within a Cloud Automation solution and with good reason; it’s readily able to deliver a scaled, secure environment, while providing several mechanisms to deliver advanced network functionality such as firewalling, load balancing and anti-malware protection.  However, one area where its application is frequently overlooked is in the world of End User Compute – more specifically virtual desktop infrastructure.

Wouldn’t it be nice if…

Consider a full-on Horizon deployment (though, to be fair, these components could be replaced in the most part for an element of your choice) –

•  Horizon View – This will publish Virtual Desktops in Pools, with these pools assigned to Active Directory based Groups/Users.
• App Volumes – This gives you a mechanism for delivering defined stacks of applications to the Virtual Desktops.Again, you can assign using Groups or users.
• User Environment Manager – You use this to manage environmental and application settings.

 So, you have the mechanisms in place to deliver Virtual Desktops, complete with some granular application and settings delivery.  This is all pretty good, but wouldn’t it be nice if you could provide some intelligent network capabilities too?

Finetuned Firewalling.

Now take VMware NSX - this has some nice features that you can leverage in a VDI estate.

One of the key areas of concern is hardening the estate.  There’s been a pretty big play in the NSX world around using NSX to provide segmentation – both at a macro level, separating workloads into different VXLANs on virtual switches – and at the micro level using the Distributed Firewall to provide firewall rules at the Vmnic. Both strategies can be used here.

You can also separate Pools at a macro level or a micro level if you wish to, with the latter being particularly interesting.

The Distributed Firewall can provide a great deal of flexibility when defining firewall rules and can leverage several different identifiers, including vSphere entities and Active Directory objects.  Using these, you can generate a rule bases to lock down traffic quite tightly, in conjunction with the VDI solution and application delivery mechanism.  Take this example:

You can set up a standard DFW ruleset that applies to your desktops that will prevent traffic between the virtual desktops, while still providing the core services and application support for anything required for the desktop. This means you can control LDAP traffic between the desktops and Domain Controllers or PCoIP between the desktops, the Connection Servers or direct to physical endpoints if you wish.

 With App Volumes, you can define an AppStack with several applications which may well have discrete client/server network traffic requirements.  The DFW can apply rules based upon the user logged into the desktop, so you can create and apply rules specific for these client server applications and tie them to the same Active Directory object that applies the AppStack.

 The net result is that you end up with a combined ruleset applied to a desktop that is not just tied to a broad pool, but also to discrete needs for users within the pool. This provides strict granular access based upon the needs of the desktop and the application set for the user.  And let’s remember that this is applied at the desktop’s connection to the network – not at any perimeter level.

Malware Protection

NSX also provides the ability to integrate a compatible antivirus/antimalware solution into the mix. This is not, however, limited to the more publicised Guest Introspection where virus scanning is offloaded at the hypervisor level.  NSX can also integrate with both virtual and physical appliances such as Fortigate for intrusion detection, perimeter firewalling and more.

At the Infrastructure Level

As with any VDI estate, you have the upstream infrastructure to consider, several services can be provided here too.  

Using VMware NSX Edge Gateway appliances, you can provide perimeter firewalling between networks.

For Horizon View, both Connection Servers as well as Access Gateways/Security Servers require Load Balancers, as do App Volumes Managers.  The NSX Edge appliances are capable of being configured to provide load balancing services.

Perimeter firewalling using NSX Edge can also be provided, so you can have a DMZ layer for the Security Servers/Access Gateways as well.

Generally speaking, you could deploy something like this for the Horizon View management environment:

Our external traffic accesses the estate via a pair of NSX Edge Gateways, serving as firewall and load balancer for a pair of VMware User Access Gateways.  These are configured as two-legged, tunnelling into the vSwitch beneath, where you have a dedicated NSX Edge appliance load balancing the Connection servers.  This internal load balancer is also used by internal users who connect in via an L2 bridge or NSX Edge as appropriate.

 You then deploy NSX for the Desktop blocks as well, in order to provide the previously mentioned firewalling and malware protection for a secure end-to-end solution.

Closing Thoughts…

With NSX, it’s possible to turbo-charge the security for a VDI desktop environment in a manner that can be applied regardless of the choice of broker solution – the above would work just as well in a third party VDI solution such as Citrix XenApp or, perhaps more importantly, XenDesktop, not just VMware Horizon.  The ability to dynamically set and operate firewalling on egress outside of the guest Operating System means that such firewalling cannot be tampered with from within the VDI desktop, which might be useful in environments where desktops are used with untrusted users (public kiosks for example).

If you’re interested in exploring the combination of VMware NSX network virtualisation in a VDI estate, please contact Xtravirt, and we’d be happy to use our wealth of knowledge and experience to assist you.

About the Author

Curtis Brown joined the Xtravirt consulting team in October 2012. His specialist areas include End User Compute solutions and Virtual Infrastructure design and implementation with particular strength in VDI, storage integration, backup and Disaster Recovery design/implementation. He is a VMware vExpert 2017.

by Michal Grzeszczak

My name is Michal Grzeszczak and I am a senior consultant at Xtravirt (www.xtravirt.com), an independent cloud consulting business and VMware Master Services Competent Partner.  In this blog, I’d like to share with you my experience of L2 bridging with VMware® NSX-T Data Center and help you to understand some of the differences between NSX-T and NSX-V, as well as cover some NSX use cases.  

Customer background:

The customer is one of the leading organisations in the betting and gambling industry and have been using NSX-V for some time now. When it came to their new greenfield environment, they decided to deploy NSX-T 2.4 Data Center. This decision was largely based on the fact that NSX-T Data Center provides bridging firewalls natively for L2 software bridging, which was their main requirement. Also, given that NSX-T will be the de facto network and security virtualisation platform offered by VMware going forward, by specifying it for this environment the customer is able to future proof the deployment. 

Future upgrades are also accounted for as upgrading from NSX-T 2.4 to future NSX-T releases is simpler than performing upgrades from a previous version of V or T.

NSX-T 2.4 was a major update and brought many changes to the architecture of the product, the main ones being:

• The NSX Manager and NSX Controllers were merged into one appliance deployed in a Cluster of 3 Nodes therefore minimising the footprint of the solution and operational complexity. 
• The other major change was the introduction of the new Simplified UI which “requires just the bare minimum of user input, offering strong default values with prescriptive guidance for ease of use. This means fewer clicks and page hops are required to complete configuration tasks.”

NOTE: In NSX 2.4 two UIs are presented - one is the new Simplified UI, the other one is Advanced. The latter is taken from NSX-T 2.3. The future plan is to remove the Advanced UI and provide all of the functionality via the Simplified UI.

 What are the key benefits of choosing NSX-T over NSX-V?

 There are many benefits of NSX-T over NSX-V, to name a few:

• NSX-T doesn’t require vCenter, however it can be added to NSX-T as a Compute Manager and allows for up to 16 Compute Managers per NSX 2.4 solution . There is no longer a 1:1 requirement like there was with NSX-V. 
• KVM Hypervisor support
• Bare Metal Edges provide sub-second failover 
• Data Plane Development Kit (DPDK) Optimising Forwarding - DPDK is a set of data plane libraries and network interface controller drivers for fast packet processing
• New, more flexible Overlay technology - Geneve replaces     VXLAN  https://docs.vmware.com/en/VMware-Validated-Design/4.3/com.vmware.vvd.sddc-nsxt-design.doc/GUID-CF3C47CA-9BEB-4213-8F08-1494261BF3EC.html 
• Bi-directional Forwarding Detection support
• BGP (Border Gateway Protocol) expanded functionality with features like Route Maps
• Much clearer User Interface (UI)

What were the specific use cases for this case customer and the design considerations?

USE CASE 1 - NSX-T Edge L2 Bridging - Integration of physical, non-virtualised database servers that require L2 connectivity to the virtualised environment. 

Design considerations:

• In NSX-T 2.4 two options are possible to bridge L2 workloads - using ESXi Bridge Clusters or Edge Bridge Profiles. The latter is recommended to use as the former will be deprecated in future. 
• Ideally the use of dedicated Bare Metal Edges, however this is not a requirement. 
• The possibility to deploy Edge Bridges in collapsed vSphere Clusters >     Management + Edge or Compute + Edge
• Consider having active and standby Edge Nodes on different hosts to avoid throughput drop, because VLAN traffic needs to be forwarded to both Edge Nodes in promiscuous mode.
• Overlay traffic can be tagged on a Distributed Port Group or Uplink Profile, but please avoid double tagging. 
• VLAN traffic should not be tagged on the Uplink Profile.
• Distributed Port Group for VLAN traffic connecting to the Edge Node should be in a Trunk Mode. The reason for this is due to the fact that Edge doing Bridging adds 802.1Q tag when transposing Overlay traffic to VLAN. 
• Consider having the same MTU value across your environment - if you can, choose MTU of 9000 for better performance. 
• Several Bridge Profiles can be configured, and a given Edge can belong to several Bridge Profiles. By creating two separate Bridge Profiles, alternating active and backup Edge in the configuration, the user can easily make sure that two Edge nodes simultaneously bridge traffic between Overlay and VLAN

Constraints:

• Edge Cluster with minimum 2 Edge Nodes in Active/Standby mode is needed.
• Standby uplinks are not supported on the Edge Node.
• Source Based Load Based Teaming is not supported on the Edge Node.
• The port group on the VSS/VDS sending and receiving traffic on the VLAN side should be in promiscuous mode, allowing MAC Address changes and Forge Transmits.

Deployment:

• Follow the deployment guide here - https://youtu.be/IwpujflzJhY 
• Or here https://docs.vmware.com/en/VMware-NSX-T-Data-Center/2.3/com.vmware.nsxt.admin.doc/GUID-7B21DF3D-C9DB-4C10-A32F-B16642266538.html 

Validation:

• Log in to the Edge Node with your credentials.
• Type “nsxcli”.
• “Get l2bridge-ports-config” will show the Bridge Port State (Active Edge will have Forwarding, Standby will have Stopped), VLAN ID configured and Bridge UUID which can be copied and used to do a packet capture on the Edge Node.
• To do the packet capture type “start capture interface “copied Bridge UUID” and hit enter, ping from VM to Physical Server to see the flows. 

USE CASE 2 - NSX bridging firewall - Secure communication between physical database servers and Overlay workloads.

• The configuration of the bridging firewall can be done currently only on the Advanced UI.
• Security rules are configured per Logical Switch aka Segment in Simplified UI. 
• NSX-T grouping objects like NSGroups can be used to provide abstraction from the IP based approach.

USE CASE 3 - vRealize Network Insight - Monitoring tool that can provide visibility into both Physical and Virtual environments. 

• NSX-T 2.4 is fully supported with the latest vRealize Network Insight version 4.1.
• Make sure you are allowing ports for communication between vRNI and other devices after the deployment. For example, ESXi Hosts to vRNI Collector on UDP 2055. The full list of ports needed can be found here - https://docs.vmware.com/en/VMware-vRealize-Network-Insight/3.9/com.vmware.vrni.install.doc/GUID-FDDA5F2F-7C3B-472A-A17D-39582FBD5996.html 
• There is a new website that provides in-depth information about new features in vRNI, definitely worth visiting - https://vrealize.vmware.com/t/vmware-network-management/  

What were the outcomes?

Overall, this deployment was a complete success as we were able to satisfy all of the requirements that the customer had. All the production physical databases were able to communicate on the same L2 segments, virtualised and connected to NSX-T segments workloads. On top of that, communication between those workloads was secured by NSX-T Bridging Firewall. vRealize Network Insight was used to provide visibility into the environment. Its ability to quickly troubleshoot network and firewall related issues in both virtual and physical realms allows admins to take a breath in the never-ending battle of making the networks stable.

I hope you enjoyed my blog, if you’d like to talk to Xtravirt about your business’s networking and security requirements, then please send an email to info@xtravirt.com

Some Useful links:

You can read more about the NSX-T 2.4 release here: https://blogs.vmware.com/networkvirtualization/2019/02/introducing-nsx-t-2-4-a-landmark-release-in-the-history-of-nsx.html/