Change Log
10 December 2021 - Updated Figure 1: VMware Horizon Timeline with the latest releases of Horizon.
23 October 2021 - Updated Figure 1: VMware Horizon Timeline with the latest releases of Horizon.
Over the course of the next few weeks, I will be bringing to you a series of blog posts, white papers and videos on how to get the most out of VMware Horizon. The aim of this series is for me to share with you my experience with Horizon designs and deployments as I guide you through the different levels of knowledge.
The series will take you along a path of the following competencies:
Basic
- Introduction to VDI and VMware's take on this
- Basic VMware Horizon architecture principles
- Initial installation and configuration steps of VMware Horizon
Intermediate
- Walkthrough of the features and settings of the Horizon Administrator Console
Advance
- Understanding the business and technical requirements for VDI projects
- How to define and map use-cases for VDI
- Deep dive look into the VMware Horizon architecture based on the business outcomes
and goals
- Create desktop and application pools in VMware Horizon based on the captured use-
cases
Expert
- How VMware Horizon integrates with other solutions
- Troubleshooting VMware Horizon
The Basics
Introduction to VDI and VMware's Take On This
The acronym VDI stands for Virtual Desktop Infrastructure. The history of desktop virtualisation goes back to the late 1990s, early 2000s, with companies like Propero and Leostream setting the early trend for VDI.
There are many different definitions of VDI, the following is my take on it; VDI is running a desktop operating system, complete with all its resources on top of a virtualisation layer and accessing it remotely using a client and a display protocol.
As you can see in Figure 1 below, VMware entered the VDI arena in 2007 and in the same year acquired Propero to strengthen its VDI solution. The solution was called VDM (Virtual Desktop Manager), and a year later was rebranded to View, which introduced the PCoIP (Teradici) display protocol.
Another rename occurred in 2016, and the product was called Horizon 7. This naming has continued to date with the latest release of 7.13 in 2020. In parallel to this release, VMware also released Horizon version 2006, also referred to as Horizon 8. This follows the new naming standard of YYMM format at the end of the name, which represents when the product was scheduled for GA.
Figure 1: VMware Horizon Timeline
The above timeline also displays that every year, since 2007, VMware has made enhancements to the Horizon product, and today it is genuinely an enterprise-grade solution used within all industry sectors. Horizon goes beyond offering traditional virtual desktops, as you can publish Horizon applications (running on Microsoft RDS hosts) and has comprehensive integration with other solutions, more on this in the expert competency.
Basic Horizon Architecture Principles
To get started with Horizon, various building blocks need to be in place to provide the users with the best user experience.
Figure 2: Horizon Conceptual Design
As shown in Figure 2 above, the block starts with the physical layer; this is your server hardware, external storage array and physical networking components.
The next block is the virtualisation layer; this is responsible for providing the physical resources in a virtual format that is distributed across the virtual workloads. Virtual CPU, virtual Memory, datastores, virtual networking, etc. are examples of this layer.
On top of the virtualisation layer is the End User Computing block, and it is where this series will focus the most on. This block is responsible for providing the virtual desktops and virtual application resources to the end-users as well as providing access to application persona and user data.
The next block is User Access and describes how the user accesses their VDI environment.
Wrapped around all of the above blocks are Security, Management and Operations. Regardless of which block you are looking at, it requires these three strategies to provide a successful implementation.
Now we will look at the components, in more detail and explain what their functions are. Remember, this is the basic competency so I won't go deep into the architecture at this stage, that will come in a later blog.
Figure 3: Horizon Logical Design (Basic)
Client Devices. Horizon supports a wide range of clients that can run the Horizon Client application, which gives users the flexibility on the device they use when they need to connect to their Horizon resources, and also supports any organisation wanting to move to a BYOD environment. Clients that are unable to install the Horizon Client software can alternatively access their virtual desktops resources using a supported Web Browser.
Depending on the use-case, to provide secure access to users connecting from untrusted networks, they authenticate against VMware Unified Access Gateway (UAG). The UAG sits within the DMZ network and communicates with the back end infrastructure, protecting the internal networks from direct exposure to these untrusted source networks. More on UAG in the Advanced competency of this series.
Horizon Connection Server is the brains of the VMware VDI solution. It acts as a connection broker for the clients. It is responsible for authenticating users against Microsoft Windows Active Directory, can integrate with MFA solutions and provide the relevant mapping to the authorised virtual desktop or virtual application.
Horizon Agent. The Horizon Agent is installed on all systems that will be access to provide desktop and application resources. The Horizon Agent is integral to communicating with the Horizon Client to provide functionality such as USB redirection, printing, audio-video redirection.
VMware vSphere. Horizon requires VMware vSphere hypervisor to operate due to tight integration in providing virtual resources (vCPU, vMemory, vGPU, etc.) to the desktops and applications.
VMware vCenter Server. All provisioning activities from Horizon are sent to vCenter Server to run. vCenter Server is responsible for providing information such as Cluster, datastore, virtual networks, etc. to the Horizon Console so that desktops will be configured with the correct configuration during creation.
Microsoft Windows Active Directory is required to successfully authenticate users and map them to the correct virtual desktop resource. AD is also a requirement for the Horizon Connection Server as the underlying operating system has to be domain-joined before the installation of Horizon can occur.
Database Server. The only component that Horizon requires a database for is the Events database. This database stores records of all events and auditing information regarding Horizon. Horizon supports Microsoft SQL as well as Oracle databases.
The above components are the bare minimum you require to get started with Horizon, and as we move along this series and start building up the use-cases and the requirements, you will see how this design will scale out and integrate with other solutions.
Initial installation and configuration steps of Horizon
Now that you understand the basic architecture of VMware Horizon, I will show you the steps required to install your first Horizon Connection Server, but before that, I want to go through some prerequisites that are necessary before we can complete the installation and configuration of VMware Horizon.
The following steps can be viewed as a PDF document and downloaded by clicking 🔗.
Horizon Connection Server Hardware and Software Requirements
The following hardware and software requirements apply to any type of Horizon Connection Server role, whether it is the standard, replica, security or the enrollment server.
In most organisations, the Horizon Connection Server is deployed as a virtual machine rather than on a physical server. Having this component running as a virtual machine means that it can benefit from all the high-availability and the ease-of-manageability that you get from a virtual infrastructure.
Hardware Sizing
Table 1 below shows the recommended server sizing for running Horizon Connection Server.
Table 1: Horizon Connection Server Sizing
Horizon Connection Server Operating System
The Horizon Connection Server is installed on top of Microsoft Windows Server operating system.
Table 2 below shows the supported Microsoft versions.
Table 2: Horizon Connection Server Supported Operating System
Microsoft Active Directory Requirements and Domain Requirements
Domain Functional Level
As previously stated, Horizon uses Microsoft AD for authenticating users and providing other domain functionality. Table 3 below lists the supported AD domain functional levels with Horizon.
Table 3: Supported Microsoft AD Functional Levels
Domain Trusts
Horizon supports a number of different domain configurations as shown below.
Figure 3: Same Domain
In Figure 3 above, the Horizon Connection Server is installed in the same domain as the AD users and groups as well as where the Horizon Agent machines are located.
Figure 4: Different Domain (One-way Trust Relationship)
In Figure 4 above, the Horizon Connection Server and the users and Horizon Agent machines are in different domains. In this scenario, there is a one-way trust from the Horizon Connection Server domain to the domain where the users and computers are.
In this configuration, you are required to provide secondary credentials to the Horizon Connection Server in order to access the trusted domain.
Figure 5: Different Domain (Two-way Trust Relationship)
In this configuration, there is a two-way trust relationship between the two domains that link the Horizon Connection Server to the users and computers. There is no requirement to enter any secondary credentials in this set up.
Figure 6: Different Forest (One-way External or Realm Trust Relationship)
Figure 6 shows the one-way trust relationship between two forests. Once again you are required to provide secondary credentials for the forest root domain to the Horizon Connection Server in order to access the trusted domain and child domains.
Figure 7: Different Forest (One-way or Two-way Transitive Trust Relationship)
Lastly, as shown in Figure 7, you can have a one-way or a two-way transitive trust relationship between forests
Domain Accounts
When we install the Horizon Connection Server, you must be logged on as a domain user that has local Administrator privilege. During installation, you need to specify the Horizon Administrator user or group, which will be granted full administrative permissions on Horizon Console. It is recommended to create a new AD security group beforehand that contains the user accounts of those users who will manage the Horizon environment.
Before we can create Instant Clone desktop pools, you must create an instant clone domain administrator account in AD first that will be configured in the Horizon Console after the installation. This account allows for the Instant Clone virtual desktops to automatically join the domain during provisioning tasks.
The following account permissions need to be applied to the OU that the Instant Clone virtual desktops will be created in and all child OUs. The permissions are as follows:
Create Computer Objects
Delete Computer Objects
Write All Properties
List Contents
Read All Properties
Read Permissions
Reset Password
This account should be treated as a service account, and the password should be set not to expire.
Installation of Horizon Connection Server (Standard Server) - Horizon version 2006
Below are the steps to install the first Horizon Connection Server after the Windows Server has been domain-joined, updated with Windows Updates and assigned a static IP address.
1. Ensure you are logged onto the server as a domain user but with administrator privileges to run the installer.
2. Double-click on the Horizon Connection Server installer.
3. On the Welcome to the Installation Wizard for VMware Horizon Connection Server screen, click Next.
4. On the License Agreement screen, select I accept the terms in the license agreement and click Next.
5. On the Destination Folder screen, click the Change...tab to specify an installation folder location or leave the default location and click Next.
6. On the Installation Options screen, as this is the first Horizon Connection Server to be installed, ensure that Horizon Standard Server is selected (default).
If you are not planning to allow HTML Access (web-based access without the need of the Horizon Client, remove the check against Install HTML Access. This is checked by default.
Select the IP protocol based on your environment. IPv4 is selected by default. Click Next.
7. On the Data Recovery screen, enter a data recovery password. This is password is required during a restoration of the Horizon configuration.Click Next.
8. On the Firewall Configuration screen, select Configure Windows Firewall automatically (default) and click Next.
9. On the Initial Horizon Administrators screen, either select Authorize the local Administrators group (not recommended if there are other users in the Administrators group that will not be part of the Horizon administration) or select Authorize a specific domain user or domain group (recommended) and enter the domain user or domain group that will be the Horizon administrator. Click Next.
10. On the User Experience Improvement Program screen, either leave the Join the VMware Customer Experience Improvement Program checkbox selected (default) or uncheck it to opt out. Click Next.
11. On the Ready to Install the Program screen, depending on the platform you are installing onto, select from the following options:
General - selected by default, when conducting a Horizon 2006 on-premises installation or when installing on a platform not listed in the options
AWS - select this option when installing Horizon 8 2006 onto VMC on AWS
Dell EMC - select this option when installing Horizon 8 2006 onto VMC on Dell EMC
Azure - select this option when installing Horizon 8 2006 on Azure or on Azure VMware Solution (AVS)
Google Cloud - select this option when installing Horizon 8 2006 on Google Cloud or on Google VMware Cloud Engine (GCVE)
Oracle Cloud - select this option when installing Horizon 8 2006 on Oracle Cloud or on Oracle VMware Cloud Solution (OCVS)
Click Install once you have made your selection.
12. Once the installation completes, uncheck Show the documentation if you do not wish to review the documentation (checked by default). Click Finish.
This concludes the installation of the first Horizon Connection Server. Next we will look at the initial configuration.
Initial Configuration of Horizon Console - Horizon version 2006
Licensing Horizon
Now that the installation has completed, let's log onto the Horizon Console.
1. Open a Web Browser and enter the following URL format:
https://<connection_server_fqdn>adminWhen prompted, enter the username and password for the account that has been granted access to the Horizon Console and click Sign in.
2. As soon as you log into the Horizon Console, you are prompted to add a license key. Click on Edit License.
3. Enter a valid license key and click OK.
4. Confirm that the license key has correctly been applied.
Before adding vCenter Server to the Horizon Console, Horizon requires permissions on the vCenter Server to carry out provisioning activities.It is strongly recommended to create a service account in AD, which is added to vCenter Server with the privileges detailed in Table 4 below.
Table 4: vCenter Server Privileges
5. Under Settings, click on Servers. Ensure vCenter Servers is selected and click Add.
6. Enter the FQDN of your vCenter Server that will be managing the virtual desktop resources. Enter the username and password for the account with permissions to connect to vCenter Server. Typically, the advanced settings are left as defaults in most deployments, however below is an explanation as to each option:
Max concurrent vCenter provisioning operations - this is only applicable for automated, full clone virtual machines, and does not affect any other clone type. This setting limits the maximum number of concurrent requests for provisioning and deleting full clone virtual machines that Horizon Connection Server can make. The default is 20.
Max concurrent power operations - This setting also only applies to full clone virtual machines. This sets the maximum concurrent power operations that vCenter Server can execute when instructed by Horizon Connection Server. This would include, powering on, powering off, reset, shutdown, etc. The default is 50.
Max concurrent maintenance operations - this applies to Instant Clone virtual machines and it sets the maximum number of concurrent maintenance operations that vCenter Server can carry out on this type of clone. The default is 12.
Max concurrent View Composer provisioning operations - this applies only to Linked Clone virtual machines. This sets the maximum number of concurrent tasks, such as create and delete that vCenter Server can conduct when instructed by the View Composer instance. The default is 8. This feature is depreciated in Horizon 8 2006.
Max concurrent Instant Clone Engine operations - this applies only to Instant Clone virtual machines. This sets the maximum number of concurrent tasks, such as create and delete that vCenter Server can conduct. The default is 20.
Review your requirements and click Next.
7. Select whether you are planning to use View Composer. Take a moment to read the information banner that View Composer will longer be available in future releases of Horizon 8. Take this into consideration when planning your use-cases. Make the required settings and click Next.
8. The next page is where you can configure Storage Settings. The Reclaim VM disk space option allows you to reclaim disk space that has grown over time. When using this with Instant Clone floating pools, this option is not used, it is only required when using dedicated Instant Clone virtual machines that have been configured to refresh the OS disk after a specified settings, such as At, Every or Never.
When you enable View Storage Accelerator, this option uses the Content Based Read Cache (CBRC) feature in ESXi. The cache is created on the ESXi hosts memory to store common data blocks, which in turn improves performance as there is less storage I/O read requests for the same data. This setting can be set at this global level or be overridden at the individual pool level. When you are planning your ESXi sizing, take this cache size into consideration.
Review the settings can click Next.
9. Review your settings and click Submit.
Configure Events Database
The final part of the initial configuration is configuring Horizon with the Events database.
10. Under Settings, click on Event Configuration and then click Edit.
11. Enter the FQDN of your database server. Select the Database Type from the drop-down list.
If required, change the Port to communicate with the database server. Enter the username and password to the database. Enter a Table Prefix and click OK.
This concludes the basic requirements for getting Horizon up and running. The next part of this series is the Intermediate level where I will go through each feature and function of the Horizon Console, which will be coming very soon.
Comentários