IBM SoftLayer with VMware Horizon VDI DEPLOYMENT ARCHITECTURE APPROACH


Table of Contents

1. EUC Architecture Overview
2. VMware Horizon 7 Architecture
   2.1 VMware Horizon 7 Architectural Overview
   2.2 VMware Horizon 7 Management Block
   2.3 Multiple Site and Pod Design
       2.3.1 Cloud Pod Architecture Overview
   2.4 VMware Horizon 7 Pool Overview
       2.4.1 Virtual Desktop Pool Types
       2.4.2 RDSH Pools
   2.5 Virtual Desktop Block Design
       2.5.1 Desktop Pool Settings
   2.6 RDS Hosted Desktops and Applications Block Design
   2.7 Cloud Pod Architecture Design
3. Access Layer Architecture
   3.1 Access Options
   3.2 Internal Connections
   3.3 Connections from Untrusted Networks
   3.4 VMware Horizon 7 Agent Direct Connections Overview
       3.4.1 Design
4. Integration of Supporting Infrastructure
   4.1 File Shares
   4.2 Active Directory
       4.2.1 Active Directory Standards
   4.3 Databases
5. vSphere Integration
   5.1 Management Block Integration
   5.2 Desktop Block Integration
   5.3 RDS Block Integration
6. Storage
   6.1 Overview
   6.2 VMware Horizon 7 Disk Types
   6.3 RDSH Application Farm – Linked-Clone Space Requirements
7. Networking
   7.1 Overview
   7.2 DNS, DHCP, and Subnet Configuration
   7.3 Bandwidth and Latency Considerations
   7.4 Network Circuit Requirements
   7.5 Optimal Configuration of WANs for Remote Protocols
   7.6 Load Balancing and Traffic Management
   7.7 VMware Horizon 7 Network Ports and Protocols
8. Operating System Security
   8.1 Overview
   8.2 Antivirus and Anti-Malware
       8.2.1 Guest Agent Based Antivirus
       8.2.2 View Connection Server Antivirus Considerations
   8.3 VMware NSX with vShield Endpoint
9. Management of User Environment
   9.1 Overview
   9.2 Smart Policies
10. Graphics Acceleration
   10.1 Overview
11. Multimedia Enhancements
   11.1 Overview
   11.2 Real-Time Audio-Video
12. Availability, Business Continuity, and Recovery
   12.1 Overview
   12.2 Disaster Recovery
Appendix A: Resources

Tables

Table 1. VMware Horizon 7 Disk Types
Table 2. Storage Sizing Formula for Linked Clone Disks on Selected Datastore
Table 3. Storage Sizing Formula for Linked-Clone When the Pool Is Edited or Replica Is Stored on Different Datastore
Table 4. Load Balancer Requirements
Table 5. External Horizon Smart Policies
Table 6. Internal Horizon Smart Policies
Table 7. 3D Graphics Options
Table 8. 3D Rendering Options
Table 9. Disaster Recovery Design Decisions

Figures

Figure 1. EUC High-Level Architectural Components
Figure 2. VMware Horizon 7 Conceptual Architecture
Figure 3. View Pod and Block Overview
Figure 4. VMware Horizon 7 Management Block
Figure 5. VMware Horizon 7 Pod Logical Design
Figure 6. VMware Horizon 7 Desktop Block – Logical Infrastructure
Figure 7. VMware Horizon 7 RDS Host Block – Logical Infrastructure Design
Figure 8. Cloud Pod Architecture Conceptual Diagram
Figure 8. Internal Connections
Figure 9. VMware Horizon 7 Architecture – External/Remote Untrusted Connections
Figure 11. VMware View Architecture – Direct-Connection Access Branch Office
Figure 12. Virtual Desktop Domain Structure
Figure 13. Desktop Block Cluster Design
Figure 14. RDS Block Cluster Design
Figure 15. RDSH Application Farm Linked-Clone Storage Diagram
Figure 16. VMware Horizon 7 Network Ports and Protocols
Figure 17. VMware NSX Data Security Integration


Introduction

This deployment guide is intended to facilitate VMware Horizon Virtual Desktop Infrastructure workloads on IBM SoftLayer hosted bare metal servers running VMware vSphere. It covers the use case, the toolset required and the technology elements needed to deliver this solution at a high level. Low-level design and detailed configuration options will still be required for deployment.

About the authors

Andrew Haschka is a Regional Technical Alliance Manager across Asia Pacific and Japan in the VMware Centre of Excellence. He has a long history of working with customers and partners as a lead architect developing technical solutions to business requirements.

Prashant Pandey is an EUC Solution Architect across Asia Pacific and Japan in the VMware Centre of Excellence. He has led multiple engagements with customers and partners on EUC and Data Centre architecture solutions over the period of his professional tenure.

Version Control

Date        Version  Author           Comment                               Reviewers
02/09/2016  0.1      Andrew Haschka   Draft                                 Prashant Pandey
03/10/2016  0.2      Prashant Pandey  Draft updates                         Andrew Haschka
12/10/2016  0.3      Andrew Haschka   Pre-release review and minor updates
14/10/2016  0.4      Andrew Haschka   Review for inconsistencies            Prashant Pandey
20/10/2016  0.5      Prashant Pandey  Review for inconsistencies            Andrew Haschka
21/10/2016  0.6      Andrew Haschka   Final review                          Prashant Pandey
26/10/2016  1.0      Andrew Haschka   Version 1.0 release


Audience

This document is intended to assist enterprise architects, solution architects, sales engineers, field consultants, advanced services specialists, and customers responsible for infrastructure services. It can be used as a guide to build a capability to deploy VMware Virtual Desktop workloads on a hosted IBM SoftLayer environment running VMware vSphere. This document assumes the implementer has prior knowledge of VMware vSphere, VMware Horizon and IBM SoftLayer/VMware on IBM Cloud. Architecture details for the baseline VMware and IBM SoftLayer platform hosting this solution are documented here:

https://developer.ibm.com/architecture/virtualization

https://developer.ibm.com/architecture/pdfs/VMware_on_IBM_Cloud-Standard.pdf


1. EUC Architecture Overview

This section describes the high-level components that form the EUC target architecture necessary to meet business objectives as defined by the customer.

Figure 1. EUC High-Level Architectural Components

The components of this EUC architecture, as shown in the figure, and the latest available features are summarized below:

• VMware vSphere® with VMware vCenter® – Hypervisor and management framework that will provide foundational virtual machine infrastructure.

• VMware Horizon® 7 – Virtual desktop and application provisioning and management infrastructure that will deliver virtualized desktops and applications to users using robust communications protocols for an optimized, superior end-user experience to any device on any network.

• Just-in-Time Desktops: The pioneering instant clone technology coupled with App Volumes accelerates the delivery of user-customized and fully personalized desktops. Along with the enhanced security benefit, the benefits of this feature are:
  o Reap the economic benefits of stateless, non-persistent virtual desktops served up to date on each login.
  o Deliver pristine, high-performance personalized desktops to end users every time they log in.
  o Improve security by destroying desktops every time users log out.

• VMware App Volumes™ – Provides real-time application delivery and management without the need to package or sequence applications.
  o Quickly provision applications at scale.
  o Dynamically attach applications to users, groups or devices, even when the users are logged in to their desktops.
  o Provision, deliver and update applications in real time.
  o Provide a user-writable volume allowing users to install applications that follow them across.

• VMware User Environment Manager™ – Offers personalization and dynamic policy configuration across any virtual, physical and cloud-based environment.
  o Provides end users with quick access to their Windows workspace and applications, with a personalized and consistent experience across devices and locations.
  o Simplifies end-user profile management by providing organisations with a single, scalable solution that leverages existing infrastructure.
  o Speeds up the login process by applying configuration and environment settings asynchronously.
  o Provides dynamic environment configuration, such as drive and printer mappings, when a user launches an application.

• VMware Identity Manager – Streamlines the end-user experience and reduces costs with a single workspace for centralized application access, delivered securely on any device.

• VMware vRealize® Operations Manager for Horizon – Monitors and optimizes the health, performance, and efficiency of the entire EUC stack.

• Blast Extreme – Purpose-built additional display technology built on industry-standard H.264, delivering a high-performance graphics experience accessible on billions of devices including ultra-low-cost PCs.
  o Multi-codec – Blast Extreme supports the JPG/PNG and H.264 codecs.
  o Multi-protocol – Supports both TCP and UDP transport protocols.

This document describes the VMware Horizon 7 components of this solution. Other components of the solution, such as App Volumes, are described in detail in separate documentation. Shared infrastructure, management, automation, vSphere, underlying hardware, client access devices, and so on are referenced throughout this design document in order to understand how this design integrates with the infrastructure.


2. VMware Horizon 7 Architecture

The following diagram provides a high-level overview of the proposed architecture for VMware Horizon 7. This architecture is designed to address the use cases described in the Solution Requirements document and can serve as a design blueprint for extending capacity in the future.

Figure 2. VMware Horizon 7 Conceptual Architecture

The design is based upon both new components and existing infrastructure. The key technologies used in this design and their primary purposes are summarized below:

View Connection Server instances provide the core management capabilities, such as brokering access to user resources, pool creation, user entitlements, authentication, runtime management, and policy configuration.

Cloud Pod Architecture will be used to scale the design blueprint to multiple VMware Horizon View™ instances.

View security servers or Access Point servers will proxy external client connections.

Microsoft Windows 10 or Windows 2012 will be used as the centrally hosted client operating system accessed through VMware Horizon 7. Windows 10 provides single user/VM sessions. Windows 2012 RDS hosts provide access for multiple users. Integration with the View Connection Server instances and user access is provided through the VMware View Agent® that is installed within each VM.

Virtual desktops will be provisioned using either VMware View Composer or Instant Clone, depending on the use case that the pool addresses.

This architecture allows applications to be delivered to users in the way that best suits each use case. Application deployment can be a combination of the customer’s existing SCCM for golden images with App Volumes and ThinApp for dynamic application deployment.

A combination of dedicated vSphere instances and VMware ESXi™ clusters will be used for the purpose of workload separation of client operating system instances and management infrastructure.

Internal connections will be made directly from the client access device to the centrally hosted resources.

Blast Extreme will be the preferred communication protocol used for desktop and application access. RDP can be used for virtual or RDS hosted desktop access if necessary. PCoIP protocol will also be available through a compatible browser for clientless endpoints.

User settings will be managed using standard Microsoft Windows user profiles.

VMware Identity Manager shall be used to provide a common portal for user access to VMware Horizon 7 resources. Single sign-on for VMware Identity Manager can be implemented through True SSO with enrollment servers.


2.1 VMware Horizon 7 Architectural Overview

Figure 3. View Pod and Block Overview

The VMware Horizon 7 architecture is designed, built, managed, and scaled using logical constructs known as pods (item 1 in Figure 3). A VMware Horizon pod is demarcated by View Connection Server instances that manage up to 10,000 active sessions. VMware Horizon pods can contain multiple instances of VMware vCenter Server®, RDS hosts delivering shared virtual desktops and seamless applications, View Connection Server instances and security servers, and shared storage that can span multiple clusters. The pod is comprised of the following components:

VMware Horizon 7 View Connection Server instances – A minimum of two and a maximum of seven View Connection Server instances are present in a single View pod. All View Connection Server instances replicate inventory and configuration data among their partners. View Connection Server instances operate in an active configuration and should be placed behind a load balancer. Any View Connection Server instance can perform administrative functions and connection brokering.

VMware Horizon 7 security servers or Access Point servers – These servers can be used for remote access connections by proxying connections to desktops. A minimum of two are required for redundancy. Additional servers can be added for capacity.

VMware Horizon 7 blocks – This design will contain multiple blocks. Details about the logical design of each block are provided in the following section.

The VMware Horizon 7 block (items 2 and 3 in Figure 3) is a logical component of a pod. VMware Horizon 7 blocks are demarcated by vSphere instances. A VMware Horizon 7 block is comprised of the following components:

View Connection Server – In this design, there are at least two View Connection Server instances per VMware Horizon 7 block.

ESXi hosts – A VMware Horizon 7 block always has at least one ESXi host to run the user operating systems.

vSphere clusters – vSphere clusters that contain the ESXi hosts. A pool cannot extend beyond the boundary of a vSphere cluster.


Pools – Every VMware Horizon 7 block contains at least one pool of user operating system instances, either desktops or RDSH servers.

Shared and local storage – Shared datastore(s) accessible to all ESXi hosts in the block.

A VMware Horizon 7 management block (item 4 in Figure 3) is demarcated by the vSphere cluster that hosts only the management server components for the pod, such as View Connection Server instances, View security servers, and vCenter Server instances supporting desktop/RDSH blocks. User workloads do not sit within the management block.

2.2 VMware Horizon 7 Management Block

Figure 4. VMware Horizon 7 Management Block

The Horizon 7 management block hosts the View desktop block vCenter Server instances, View Connection Server instances, View security servers, App Volumes/UEM servers, vROps for Horizon and Access Point servers. The VMware Horizon 7 Architectural Overview provides a description of the purpose and function of the management block.

The View management hosts must be in the same data center as the View desktop hosts. The Java Message Service (JMS) used by the View Connection Server instances is not tolerant of network latency between View Connection Server instances. Furthermore, spanning View instances across Wide Area Networks (WANs) or Metropolitan Area Networks (MANs) is not supported, and will result in the failure of View Active Directory Lightweight Directory Service (ADLDS) database replication. The vCenter that manages the management block is placed on the customer’s existing infrastructure.

This design has the following components in the management block:

ESXi hosts and clusters – A dedicated cluster of ESXi hosts to run the VMware Horizon 7 server components.

vCenter Server instances for managing desktop blocks, together with associated VMware Update Manager servers.

View Connection Server instances – Multiple View Connection Server instances are required for the design. A load balancer should be utilized to balance user connections between the View Connection Server instances. A maximum of seven View Connection Server instances can be implemented in a VMware Horizon 7 pod.


View security servers/Access Point servers – Multiple View security servers are required for the design. A load balancer should be utilized to balance user connections between the security servers/Access Point servers.

2.3 Multiple Site and Pod Design

Figure 5. VMware Horizon 7 Pod Logical Design

This architecture will have multiple View pods across different sites. For the implementation to be transparent to users, the scalable and manageable Cloud Pod Architecture (CPA), together with the customer’s network load-balancing solution, can be used. CPA greatly enhances the scaling and manageability of the customer’s VMware Horizon 7 solution, but it does not provide full multi-site resiliency by itself.

2.3.1 Cloud Pod Architecture Overview

For the reasons stated in the previous section, this architecture will use CPA to link pods across WANs or between other non-LAN connected sites. For ease of management, CPA will also be used to link pods in the same data center. In such an environment, an end user can connect to a View Connection Server in one pod and receive a desktop or hosted application from another pod.

2.3.1.1. Cloud Pod Architecture Components

The components and concepts used with Cloud Pod Architecture are as follows:

Sites – In a CPA environment, a site is a collection of well-connected pods in the same physical location. These are treated equally by CPA. CPA assumes that pods within the same site are on the same LAN, and that pods in different sites are on different LANs. To reduce the impact of network performance, CPA gives preference to resources that are in the local pod or site when it allocates desktops to users.

Global entitlements – In a CPA environment, global entitlements are created to entitle users or groups to multiple desktops/applications across multiple pods in the pod federation. Global entitlements obviate the need to configure and manage local entitlements, simplifying administration. VMware Horizon 7 stores global entitlements in the global data layer, which is available on all pods.

Scope – On creation of global entitlements, the scope policy must be specified. The scope policy determines the scope of the search when View enumerates requests from users contained within global entitlements. Valid options are: o All sites – VMware Horizon 7 looks for desktops on any pod in the pod federation. o Within site – VMware Horizon 7 looks for desktops only on pods in the same site as the pod to which the user is connected. o Within pod – VMware Horizon 7 looks for desktops only in the pod to which the user is connected. o Home site – With home sites, View begins searching for desktops and applications from a specific site rather than searching for desktops and applications based on the user's current location.

If the home site is unavailable or does not have resources to satisfy the user's request, View continues searching other sites according to the scope policy set for the global entitlement. For global desktop entitlements that contain dedicated pools, the home site affects where View looks for desktops the first time a user requests a dedicated desktop. After View allocates a dedicated desktop, it returns the user directly to the same desktop.

There are two types of home site assignments:

Global home site – A home site assigned to a user or group. A user’s group takes precedence.

Per-global-entitlement home site – A home site associated with a global entitlement. This overrides global home sites.

The customer should be aware that CPA currently has a limit of 50 sessions, 25 pods, 5 data centers and 50 View Connection Server instances.

2.4 VMware Horizon 7 Pool Overview

VMware Horizon 7 makes use of pools to simplify the management of resources that users can access by providing a single way of managing like resources, such as those that might have a common set of applications.

2.4.1 Virtual Desktop Pool Types

There are two types of desktop pools, as follows:

Manual – Virtual desktops available through View Connection Server. The VMware Horizon 7 administrator can control the power state of these virtual desktops. Manual desktop pools can be made up of VMs managed by vCenter, VMs hosted on non-vSphere platforms, or physical machines.

Automated – An automated desktop pool consists of desktop sources that are managed by the VMware Horizon 7 administrator. They can be made up of the following sources:

o Linked-clone virtual machines created automatically in vCenter using VMware View Composer.

o Full-clone virtual machines created automatically in vCenter using a virtual machine template.

o Instant-clone virtual machines created automatically in vCenter using VMfork technology (no VMware View Composer required).

Pool assignments can be either dedicated (automatic or manual assignment) or floating.

Dedicated assignment – Dedicated virtual desktops are assigned to their user on first use, so the user returns to the same virtual desktop on each login. This type of pool should be used when users want to customize their desktops by installing additional applications and storing local data.

Floating assignment – A pool of virtual desktops where virtual desktops are not permanently assigned to users. When a session is finished, the virtual desktop is returned to the pool and made available for other users. By optionally refreshing or deleting the virtual desktop after each use, this type of pool can verify that each user receives a newly provisioned virtual desktop on each login. This type of pool should be used when a clean machine is needed for each user session or in highly controlled environments where there is no requirement for customization to be stored on the virtual desktop.

2.4.2 RDSH Pools

RDSH farms are collections of RDS-enabled Windows Server operating systems. They can be either physical or virtual machines. RDS pools use RDS farms to deliver hosted desktops and applications to multiple instances of supported access devices and/or users. RDS farms can be used to silo applications for effective application performance and load management. The RDS hosts in the farm provide desktop and application sessions to users.

RDS farms can be one of two types, manual or automated. RDS hosts in manual farms are made up of existing machines, physical or virtual. Automated farms are linked clones created by VMware View Composer.

There are two types of RDS desktop pools:

RDSH desktop pool – An RDS desktop pool is associated with an RDS farm. Each RDS host is a Windows Server that can host multiple RDS desktops supporting PCoIP or RDP. An RDS desktop is based on a session running on an RDS host.

Application pool – Application pools can be used to entitle users to applications that run on servers in a data center instead of on their personal computers or devices. Applications are delivered seamlessly to the client and appear as if they are running locally. Application pools offer several important benefits such as accessibility, device independence, access control, accelerated application deployment, ease of managing applications, security and compliance, and reduced costs.

2.5 Virtual Desktop Block Design

Sizing the VMware Horizon 7 block architecture will vary depending on customer requirements. Cloud pod architecture with Horizon 7 scales to 5 sites, with 25 Pods and 50,000 connections. Although vCenter can support up to 10,000 sessions, VMware recommends having each instance support approximately 2,000 sessions. This number was chosen because it provides a more manageable number for virtual machine maintenance and better scalability. This number can be increased with careful consideration. Some things to consider when sizing the VMware Horizon 7 block include, but are not limited to, the following:

Risk of single point of failure – Increasing the number of virtual desktops managed by a single vCenter Server in a large VMware Horizon 7 environment can create a single point of failure. Keeping the number of desktops lower can lessen the impact on the architecture as a whole in the event of a vCenter failure.

Scalability – Most customers will experience growth in their VMware Horizon 7 environment on a smaller scale, and expansion of the VMware Horizon 7 environment can be more cost effective when building out the environment in smaller, customer-defined building blocks than for 10,000 PCoIP sessions.

Ease of management – The suggested number of 2,000 makes it easy to perform operations, maintenance, and accounting on the set of users/desktops that are entitled to that pool.

Figure 6. VMware Horizon 7 Desktop Block – Logical Infrastructure

Each View block consists of clusters for housing desktops. Each cluster will support approximately 2,000 virtual desktops using the provided virtual machine configuration. A dedicated vCenter instance will manage the clusters for each desktop block. If additional virtual machine configurations are established, VMware recommends grouping only similarly configured virtual machines within the same cluster.

2.5.1 Desktop Pool Settings

This architecture will use two types of pools. For most user groups, the floating/automated desktop pool with linked clones or instant clones will be used. Images will be deployed from a parent image, updates will be made to the parent image when needed, and linked clones will be recomposed through predetermined maintenance windows, or on demand, as needed. Instant clones will use the master and the parent VM’s availability on each host and datastore to spawn desktops when the user logs in.

The other pool type is a dedicated desktop pool with full/traditional virtual machines. This pool type will be used for those users who require custom desktops or require local application installations. The View manager will deploy these desktops, and the desktops are maintained individually as if they were physical desktops (using SCCM).

The detailed configuration of all desktop pools is described in the accompanying Configuration Workbook.

2.6 RDS Hosted Desktops and Applications Block Design

The goal of this sizing is to consolidate as many sessions as possible on a particular infrastructure without sacrificing quality. The fundamentals of VDI pool design apply equally to RDSH block design. This VMware Horizon 7 architecture design has multiple VMware Horizon 7 RDS host blocks. Each block will be configured to support either RDS hosted applications or RDS hosted desktops. This represents a modular implementation based on recommended hardware configurations provided by VMware. This implementation will require at least one View Connection Server for every 2,000 active RDS sessions.

Figure 7. VMware Horizon 7 RDS Host Block – Logical Infrastructure Design

2.7 Cloud Pod Architecture Design

For this architecture, two VMware Horizon 7 pods will be deployed, one in each data center. Each data center will represent a CPA site. Through global entitlements, the customer will assign pools that span RDS desktops and virtual desktops between both data centers. Users will not be assigned a home site. Entitlements will be through Active Directory groups assigned to the global entitlement.

The Cloud Pod Architecture design configuration shall cater to one of the following specific options:

Global roaming desktop – This is a use case where the end user needs access to a desktop only to access their Windows-based applications. An end user can be located in either Location 1 or Location 2, with an entitlement to a nonpersistent desktop pool. The end user gets a desktop in their connected pod, that is, close to their client location: if they connect from Location 1, they get a desktop in Location 1.

Global home desktop – This is the typical case where the end user wants to get the same persistent desktop every time they request access, irrespective of their location. To accomplish this, persistent desktop pools in all pods need to be set up. The FromHome policy can be used to direct the user back to their home site. The end user gets the same desktop machine irrespective of which pod they are connected to.

Local scale desktop – In this use case, each site has multiple pods, each offering a standard nonpersistent desktop pool. A global entitlement layer provided by Cloud Pod Architecture joins all these pools together. Using the site’s Scope policy, one can control and limit access to a desktop that is available within the site.

The following diagram provides an overview of the Cloud Pod Architecture.

Figure 8. Cloud Pod Architecture Conceptual Diagram

3. Access Layer Architecture

3.1 Access Options

The different types of components that the architecture will use to access the VMware Horizon 7 infrastructure are described in the following table in terms of access device, protocol, location, use case, authentication, and client.

PCoIP, RDP, Blast Extreme, and Blast HTML access are the remote/display protocols that clients can use to access VMware Horizon 7 resources. This architecture plans to use the native Windows client on the existing Windows 7 devices and the mobile Android and iOS clients; on employee-owned devices, the HTML 5 Web client will be used.

This architecture will use the following combinations of protocols, access devices, and locations to address the access requirements of all their use cases.

3.2 Internal Connections

Internally, users will connect using the VMware Horizon Client™ installed on their existing desktops, using HTTPS to connect to the load-balanced View Connection Server pool. Next, users will select their entitled desktop or applications and launch a PCoIP or Blast Extreme connection to it.

Figure 9. Internal Connections

3.3 Connections from Untrusted Networks

Users connecting to the network from an untrusted location, such as a guest network or Internet, connect to their VMware Horizon 7 resources using the Horizon Client. Initial connections are made over HTTPS through a load balancer to the View security server. PCoIP or Blast Extreme connections are then made to the desktop or RDS server through the security server gateway.

In this scenario, when connecting through a browser using the Web client, the client connects to the security server initially on port 443, and then the HTML Blast connection is established on port 8443, both using HTTPS.

Connections are not made directly to the desktop or RDS server in this external scenario. They are proxied through the security server.

Figure 10. VMware Horizon 7 Architecture – External/Remote Untrusted Connections
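One way to check the Section 3.3 rule that untrusted clients never reach desktops or RDS hosts directly, shown as an added example that is not part of the original design document: the script audits a constructed firewall rule list. The zone names, addresses, and rule format are assumptions; only ports 443 and 8443 for the Web client come from the text, so the ports for other display protocols must be added to the allow list for a real deployment.

```python
"""Audit firewall rules against the Section 3.3 access model (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed addressing, constructed for this example (not from the design).
SECURITY_SERVERS = {ip_address("192.0.2.10"), ip_address("192.0.2.11")}
DESKTOP_AND_RDS_NETS = [ip_network("10.20.0.0/16"), ip_network("10.30.0.0/16")]

# Ports the text names for the Web client path: HTTPS 443, HTML Blast 8443.
ALLOWED_TO_SECURITY_SERVER = {("tcp", 443), ("tcp", 8443)}


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str   # "untrusted" = guest network or Internet (assumed label)
    dst: str        # single IP address or CIDR block
    proto: str
    port: int
    action: str = "allow"


def audit(rules):
    """Return (rule name, finding) pairs for rules that break the access model."""
    findings = []
    for rule in rules:
        # Only allow-rules sourced from the untrusted side are in scope.
        if rule.src_zone != "untrusted" or rule.action != "allow":
            continue
        dst = ip_network(rule.dst, strict=False)
        if any(dst.overlaps(net) for net in DESKTOP_AND_RDS_NETS):
            # Sessions must be proxied; no rule may reach the desktops directly.
            findings.append((rule.name, "direct path to desktop/RDS network"))
        elif not (dst.num_addresses == 1
                  and dst.network_address in SECURITY_SERVERS):
            findings.append((rule.name, "destination is not a security server"))
        elif (rule.proto, rule.port) not in ALLOWED_TO_SECURITY_SERVER:
            findings.append((rule.name, "unexpected port to security server"))
    return findings


# Constructed sample rule set.
SAMPLE_RULES = [
    Rule("web-https", "untrusted", "192.0.2.10", "tcp", 443),
    Rule("web-blast", "untrusted", "192.0.2.11", "tcp", 8443),
    Rule("legacy-rdp", "untrusted", "10.20.0.0/16", "tcp", 3389),
    Rule("any-https", "untrusted", "0.0.0.0/0", "tcp", 443),
    Rule("mgmt-ssh", "untrusted", "192.0.2.10", "tcp", 22),
    Rule("stray-host", "untrusted", "192.0.2.50", "tcp", 443),
    Rule("internal-pcoip", "trusted", "10.20.0.0/16", "udp", 4172),
    Rule("blocked-rdp", "untrusted", "10.30.0.0/16", "tcp", 3389, "deny"),
]

if __name__ == "__main__":
    for name, finding in audit(SAMPLE_RULES):
        print(f"{name}: {finding}")
```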

3.4 VMware Horizon 7 Agent Direct Connections Overview

To support the direct-connection capability without a View Connection Server, a VMware Horizon 7 software component called View Agent Direct-Connection (VADC) Plug-In can be installed on each VMware Horizon 7 desktop, alongside VMware Horizon 7 Agent. This component provides a subset of View Connection Server functionality, including PCoIP, RDP, USB redirection, sound, 3D, RTAV, Unity Touch, single sign-on, session management, and so on.

All configuration settings for VMware Horizon 7 Agent Direct-Connection Plug-In are stored in the local registry on each VMware Horizon 7 desktop. The configuration settings can be managed through Group Policy.

3.4.1 Design

To achieve good user experience, this architecture will place a two-node ESXi cluster in each of the three branch offices, and configure the virtual desktops to use VMware Horizon 7 Agent Direct-Connection Plug-In. Users in these branch offices will be configured to connect directly to these local virtual desktops. The virtual desktops in the branch offices will be centrally provisioned and managed by View Connection Server instances in the data center.

Figure 11. VMware View Architecture – Direct-Connection Access Branch Office

4. Integration of Supporting Infrastructure

This section explains the integration points with existing and shared infrastructure that is required for this solution.

4.1 File Shares

SMB shares are used for shared drives, home drives, and roaming profiles. The design and implementation of these shares are out of scope for this design; however, they are available for extensibility.

4.2 Active Directory

Many components of this design will be required to integrate with Active Directory for establishing user entitlements, authentication/authorization, and to make use of centrally managed Group Policy settings.

View Connection Server includes administrative templates for managing VMware Horizon 7 virtual machines. Administrators can import these templates and apply policy settings to the respective Organizational Units (OUs) using a Group Policy Object (GPO). This provides a straightforward and consistent way to manage policies specific to VMware Horizon 7 virtual machines and users.

4.2.1 Active Directory Standards

The following diagram outlines the domain structure that will be used for this virtual desktop deployment.

In this design, user accounts are managed through the customer’s domain. This domain will serve as the authentication domain for virtual desktop users and house virtual desktop computer accounts.

Virtual desktops delivered through VMware Horizon 7 will be added to the appropriate OUs. GPOs will be applied at the virtual desktop OU level. Additional OUs and GPOs will be developed if needed (on an exception basis).

Figure 12. Virtual Desktop Domain Structure

4.3 Databases

The following databases are required for the VMware Horizon 7 components of this design:

Database server – A dedicated database server is utilized for this design. One database server is required for the management block, and one database server is required for each desktop block. The database server should be highly available.

Database – A database is required for the following VMware Horizon 7 components:

o One database per pod for the View events logging.

o One database for each desktop block's VMware View Composer server.

The specifications of databases that are not accessed directly by VMware Horizon 7 components, such as vCenter and VMware vSphere Update Manager, are not described because their design is out of scope.

The availability, backup, and restore of these databases are handled by the customer’s DBA team in a similar way to their other business-critical, highly available databases.

5. vSphere Integration

This section describes the vSphere integration for each VMware Horizon 7 block within this design.

Underlying vSphere elements, such as vSphere Update Manager, SAN Fabric, physical networking, power, and cooling, are not specific to this VMware Horizon 7 design and are not included in this document.

5.1 Management Block Integration

The management block will be hosted in the customer’s existing production vSphere environment.

It is assumed that there are adequate spare resources in the existing vSphere environment to host the management block Server VMs.

The customer will ensure that current capacity exists, or will expand the existing vSphere environment to support the server virtual machines required for this design.

5.2 Desktop Block Integration

The desktop block will be hosted in a dedicated vSphere environment.

The vSphere design settings for the desktop block are outlined in this section.

Assessment tools utilized during the engagement calculated the host count and resource requirements for each use case.

Figure 13. Desktop Block Cluster Design

5.3 RDS Block Integration

The RDS block will be hosted in a dedicated vSphere environment.

The vSphere design settings for the RDS block are outlined in this section.

Assessment tools utilized during the engagement calculated the host count and resource requirements for each RDS use-case.

Figure 14. RDS Block Cluster Design

6. Storage

6.1 Overview

The following section outlines the storage configurations for the VMware Horizon 7 environment. Ancillary storage, such as ThinApp repositories, user home drive shares, and third-party user environment management systems, is not included in this section.

The storage design requirements presented in this section remain the same regardless of the underlying storage technology. The configuration of the storage platform is out of scope for the VMware Horizon 7 design.

6.2 VMware Horizon 7 Disk Types

The shared storage will provide a number of separate datastores for each specific VMware Horizon 7 requirement, such as virtual machine OS disk, user data, and template VMs. The different disks and possible datastores are shown in the following table.

Table 1. VMware Horizon 7 Disk Types

| Disk Type | Locations and limitations |
| --- | --- |
| Full Clone VM Disk (.vmdk) | Typically hosted on a shared datastore; Up to 128 for traditional VMFS5-based datastores; Up to 256 for traditional NFS-based datastores; One per full-clone desktop |
| Linked-Clone OS Disk (.vmdk) | Typically hosted on a shared datastore; Up to 128 for traditional VMFS5-based datastores; Up to 256 for traditional NFS-based datastores; One per linked-clone desktop |
| Linked-Clone Replica Disk (replica-GUID.vmdk) | Typically hosted on a shared SSD datastore; Up to 128 for traditional VMFS5-based datastores; Up to 256 for traditional NFS-based datastores; One per pool if replica is placed on separate shared datastore as that of the linked-clone OS disk; One per datastore if replica is placed on same datastore as that of the linked-clone OS disk |
| Linked-Clone Swap File (.vswp) | Same datastore as linked-clone OS disk; Can be configured to use local datastore; ESX VM memory swap file; Same size as virtual memory, minus reservation |
| Linked-Clone Persistent Data Disk (.vmdk) | Datastore selected during configuration; Virtual disk for user profile; Attaches to linked-clone OS disk at logon for dedicated assignment pools only |
| Linked-Clone Disposable Data Disk (vdm-disposable-GUID.vmdk) | Datastore selected during configuration; Virtual disk deleted when the desktop is powered off |
| vCenter Gold Master Template (.vmdk) | Typically hosted on a shared (low-tier) datastore; Used by administrator as a common provisioning source for any pool parent |
| Pool Parent (.vmdk) | Typically hosted on a shared (low-tier) datastore; Used by administrator as provisioning source for a desktop pool |
| Instant-Clone Template Disk (cp-template-GUID.vmdk) | Typically hosted on a shared datastore; One copy per pool |
| Instant-Clone Replica Disk (cp-replica-GUID.vmdk) | Typically hosted on a shared datastore; One copy on each datastore accessible by a particular pool |
| Instant-Clone Parent Disk (cp-parent-GUID.vmdk) | Typically hosted on a shared datastore; One copy for every host present on each datastore |
| Instant-Clone Swap File (cp-parent-GUID.vswp) | Same datastore as instant-clone OS disk; ESX VM memory swap file; Same size as virtual memory less reservation |

6.3 RDSH Application Farm – Linked-Clone Space Requirements

Figure 15. RDSH Application Farm Linked-Clone Storage Diagram

The following table provides the main parameters for sizing the RDSH application farm datastores for VMware Horizon 7.

The following formulas estimate the sizes of linked-clone disks when you create a pool and as the linked-clone machines grow over time. These formulas include the space for replica disks that are stored with the clones on the datastore.

Table 2. Storage Sizing Formula for linked clone disks on Selected Datastore

| Data Type | Selected Free Space (GB) | Min Recommended (GB) | 50% Utilization (GB) | Max Recommended (GB) |
| --- | --- | --- | --- | --- |
| OS disks | Free Space on the selected datastores | Number of VMs * (2 * memory of VM) + (2 * replica disk) | Number of VMs * (50% of replica disk + memory of VM) + (2 * replica disk) | Number of VMs * (100% of replica disk + memory of VM) + (2 * replica disk) |
| Persistent disks | Free Space on the selected datastores | Number of VMs * 20% of persistent disk | Number of VMs * 50% of persistent disk | Number of VMs * 100% of persistent disk |

However, if you edit the existing pool or store replicas on a separate datastore, View Composer creates new clones on the selected datastores. The new clones are anchored to the existing snapshot and use the existing replica disk. No new replicas are created. View estimates the sizing requirements of new clones that are added to the desktop pool. View does not include the existing clones in the calculation.

If you store replicas on a separate datastore, the other selected datastores are dedicated to linked-clone disks. In these cases, View does not include space for replicas when it calculates storage recommendations for linked-clone disks. The sizing guidance for storage in these cases is as follows:

Table 3. Storage Sizing Formula for linked-clone when the pool is edited or replica is stored on different datastore

| Data Type | Selected Free Space (GB) | Min Recommended (GB) | 50% Utilization (GB) | Max Recommended (GB) |
| --- | --- | --- | --- | --- |
| OS disks | Free Space on the selected datastores | Number of new VMs * (2 * memory of VM) | Number of new VMs * (50% of replica disk + memory of VM) | Number of new VMs * (100% of replica disk + memory of VM) |
| Persistent disks | Free Space on the selected datastores | Number of new VMs * 20% of persistent disk | Number of new VMs * 50% of persistent disk | Number of new VMs * 100% of persistent disk |
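The formulas of Tables 2 and 3 as a small calculator, added here as an example and not taken from the original document or from VMware tooling. The function and field names are assumptions; the sample pool figures are constructed.

```python
"""Linked-clone datastore sizing from Tables 2 and 3 (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Sizing:
    minimum_gb: float
    half_gb: float      # the "50% Utilization" column
    maximum_gb: float

    def levels_met(self, free_gb):
        """Names of the recommendation levels the selected free space covers."""
        levels = (("minimum", self.minimum_gb),
                  ("50% utilization", self.half_gb),
                  ("maximum", self.maximum_gb))
        return tuple(name for name, need in levels if free_gb >= need)


def _check(**values):
    for name, value in values.items():
        if value < 0:
            raise ValueError(f"{name} must not be negative")


def os_disk_sizing(vms, vm_memory_gb, replica_gb, replicas_with_clones=True):
    """OS disk row.

    replicas_with_clones=True  -> Table 2 (replica stored with the clones).
    replicas_with_clones=False -> Table 3 (pool edited, or replica on a
    separate datastore); pass the number of NEW VMs as `vms`.
    """
    _check(vms=vms, vm_memory_gb=vm_memory_gb, replica_gb=replica_gb)
    replica_overhead = 2 * replica_gb if replicas_with_clones else 0
    return Sizing(
        minimum_gb=vms * (2 * vm_memory_gb) + replica_overhead,
        half_gb=vms * (0.5 * replica_gb + vm_memory_gb) + replica_overhead,
        maximum_gb=vms * (replica_gb + vm_memory_gb) + replica_overhead,
    )


def persistent_disk_sizing(vms, persistent_gb):
    """Persistent disk row (identical in both tables): 20%, 50%, 100%."""
    _check(vms=vms, persistent_gb=persistent_gb)
    total = vms * persistent_gb
    return Sizing(total * 20 / 100, total * 50 / 100, float(total))


if __name__ == "__main__":
    # Constructed pool: 200 clones, 4 GB memory each, 30 GB replica disk.
    print("Table 2:", os_disk_sizing(200, 4, 30))
    # 50 clones added later to the same pool (Table 3, no replica term).
    print("Table 3:", os_disk_sizing(50, 4, 30, replicas_with_clones=False))
    print("Persistent:", persistent_disk_sizing(200, 10))
    # When VM memory exceeds half the replica size, the "minimum" figure is
    # larger than the 50% figure, so check every level, not just the first.
    rdsh = os_disk_sizing(10, 32, 40)
    print(rdsh, rdsh.levels_met(650))
```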

7. Networking

7.1 Overview

This section provides an overview of the network services and configuration required to implement this VMware Horizon 7 design. Items such as DNS, DHCP, load balancing, firewall configuration, network links and so on, are described in this section.

7.2 DNS, DHCP, and Subnet Configuration

VMware Horizon 7 desktops require DHCP services. The customer will use existing DHCP services available on their client VLANs. The lease time of these client scopes will be reduced to a level so that sufficient addresses are available during recompose and instant clone operations.

RDS servers will use static addresses for manual pools.

DNS should be fully functional for resolution of forward and reverse queries. The View Connection Server infrastructure requires a DNS alias to enable load balancing of VMware Horizon 7 desktop connections across View Connection Server instances. Dynamic DNS is required for virtual desktops.

7.3 Bandwidth and Latency Considerations

To deliver a productive user experience, it is essential that latency, bandwidth, and jitter are within acceptable limits for the specific use cases.

There are a number of variables that must be considered to accurately estimate bandwidth between remote sites and the central VMware Horizon 7 resources. These include:

The number of idle sessions

File transfers through client drive mappings and remote USB connections

URL and Flash redirection

3D use

Video and audio consumption

In addition, each of these factors would need to be considered in terms of concurrent use and frequency across the end-user population. When you consider your network bandwidth, plan with the following estimates:

• 100 to 150Kbps average bandwidth for a basic office productivity desktop: typical office applications with no video, no 3D graphics, and the default Windows and VMware View settings

• 50 to 100Kbps average bandwidth for an optimized office productivity desktop: typical office applications with no video, no 3D graphics, with Windows desktop settings optimized and VMware View optimized

• 400 to 600Kbps average bandwidth for virtual desktops utilizing multiple monitors, 3D, Aero, and Office 2010

• 500Kbps to 1Mbps minimum peak bandwidth to provide headroom for bursts of display changes. In general, size your network using the average bandwidth, but consider peak bandwidth to accommodate bursts of imaging traffic associated with large screen changes.

• The percentage of users who will use 3D graphics. You might balance users who will use 3D with other users who will not use 3D graphics. Those using 3D will have higher bandwidth utilization.

• 2Mbps per simultaneous user running 480p video, depending upon the configured frame rate limit and the video type

• Less than 80% network utilization

Note: 50 to 150Kbps per typical user is based on the assumption that all users are operating continuously and performing similar tasks over an 8- to 10-hour day. The 50Kbps bandwidth usage figure is from View Planner testing on a LAN with the Build-to-Lossless feature disabled. Situations may vary in that some users may be fairly inactive and consuming almost no bandwidth, allowing more users per link. Therefore, these guidelines are intended to provide a starting point for more detailed bandwidth planning and testing. After you know the real bandwidth requirements of your typical users, substitute in those values.
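A link check built from the planning estimates above, added as an example and not part of the original document. Reserving the upper 1 Mbps burst figure as fixed headroom and the profile names are assumptions; replace the per-session figures with measured values once they are known, as the note recommends.

```python
"""WAN link check using the Section 7.3 planning estimates (added example)."""

# Average Kbps per session as (low, high), taken from the estimates in the text.
PROFILES_KBPS = {
    "basic_office": (100, 150),
    "optimized_office": (50, 100),
    "multimonitor_3d": (400, 600),
    "video_480p": (2000, 2000),
}
MAX_UTILIZATION_PCT = 80      # "less than 80% network utilization"
BURST_HEADROOM_KBPS = 1000    # assumption: reserve the upper peak figure


def demand_kbps(sessions):
    """Return (low, high) average demand for {profile: concurrent sessions}."""
    low = high = 0
    for profile, count in sessions.items():
        if profile not in PROFILES_KBPS:
            raise KeyError(f"unknown profile: {profile}")
        if count < 0:
            raise ValueError("session counts must not be negative")
        p_low, p_high = PROFILES_KBPS[profile]
        low += count * p_low
        high += count * p_high
    return low, high


def check_link(link_kbps, sessions):
    """Classify a link as 'fits', 'marginal' or 'over' for a session mix.

    fits     - under the ceiling even at the high estimate
    marginal - under the ceiling only at the low estimate
    over     - at or above the ceiling even at the low estimate
    """
    low, high = demand_kbps(sessions)
    ceiling = link_kbps * MAX_UTILIZATION_PCT / 100
    if high + BURST_HEADROOM_KBPS < ceiling:
        verdict = "fits"
    elif low + BURST_HEADROOM_KBPS < ceiling:
        verdict = "marginal"
    else:
        verdict = "over"
    return {"low_kbps": low, "high_kbps": high,
            "ceiling_kbps": ceiling, "verdict": verdict}


def max_sessions(link_kbps, profile):
    """Sessions of one profile that stay strictly under the ceiling (high estimate)."""
    _, p_high = PROFILES_KBPS[profile]
    budget = link_kbps * MAX_UTILIZATION_PCT // 100 - BURST_HEADROOM_KBPS
    if budget <= 0:
        return 0
    count = budget // p_high
    if count * p_high == budget:   # exactly on the ceiling is not "less than"
        count -= 1
    return count


if __name__ == "__main__":
    # Constructed branch office: 10 Mbps link, 35 office users, one video viewer.
    print(check_link(10_000, {"basic_office": 35, "video_480p": 1}))
    print(max_sessions(10_000, "basic_office"))
```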

For an example of a network bandwidth calculation, refer to Network Optimization (Page 20).

To get the best performance with Blast Extreme in low-bandwidth, high-latency situations, VMware recommends the following configuration settings:

Use the H.264 codec whenever possible. The H.264 codec provides the best performance and experience. If end users connect with a device that does not support H.264, or if users have multiple monitors, the JPG/PNG codec is used automatically.

Use TCP rather than UDP for the transport protocol. You can use a GPO setting or Horizon Client to disable UDP. The only situation in which UDP performs slightly better than TCP is when there is packet loss. The H.264 codec, when used with TCP, can handle up to 20 percent packet loss, whereas H.264 when used with UDP can handle up to 25 percent packet loss. (PCoIP can handle up to 15 percent packet loss.)

Classify Blast Extreme network traffic as interactive real-time traffic, just below VoIP, but above all other TCP-based traffic. That is, prioritize Blast Extreme in the same way that you prioritized PCoIP if you previously used PCoIP.

If your end users do not require client drive redirection (CDR), do not enable this feature.

Windows-specific optimizations include the following:
– Use the VMware OS Optimization Tool Fling default template to disable a number of items.
– Use the OS Optimization Tool to also disable the following Windows features: Dynamic Windows Preview, Taskbar Animation, and Windows Peek.
– Use Group Policy to prohibit Desktop Wallpaper.

VMware recommends monitoring bandwidth usage, especially during the early weeks of the deployment so that these figures can be adjusted if necessary.

7.4 Network Circuit Requirements

The following factors should be considered during the planning and implementation of the links between sites:

Because these links are not dedicated to the VMware Horizon 7 infrastructure, the customer will need to make sure there is sufficient bandwidth available and that latency is kept at an acceptable level.

User OS network requirements for non-remote protocol traffic, for example, applications, OS agents, file transfers, and so on, are not accounted for here, but assumptions around LAN-based traffic are addressed in Section 5, vSphere Integration.

Any discussion around the type of circuit, the SLA, or existing utilization is out of scope for this design.

Latency is assumed to be:

o Less than 150 ms from all sites to DC A and DC B

o Less than 25 ms from Site A and Site B to either data center

Quality of Service (QoS) is implemented on the WAN. Voice over IP (VoIP) services receive the highest priority, and all other services and protocols are prioritized equally. Protocols do not receive any guaranteed bandwidth. The following table provides information on current networking capabilities and current usage and latency levels across the customer network.

It is assumed all circuits are synchronous.

7.5 Optimal Configuration of WANs for Remote Protocols

It is important that the customer’s WAN is optimally configured to carry the VMware Horizon 7 remote protocols (PCoIP, Blast Extreme, and HTML Blast). The main considerations are as follows:

The customer will not implement any WAN optimizations for PCoIP due to the UDP nature of PCoIP, and the fact that PCoIP is already compressed.

Neither HTML Blast nor Blast Extreme will be compressed using WAN optimizers because they already make use of compression.


The customer’s existing VPNs will not be used because they do not support UDP traffic.

The customer will tag and classify PCoIP as interactive real-time traffic just below VoIP, but above all other TCP-based traffic. While this recommendation is likely to have a far larger impact in a WAN scenario, consider it a best practice for LAN environments.

These considerations should be discussed during the knowledge transfer sessions with the customer’s networking team, but for full details of other essential PCoIP optimizations consult the VMware View 5 with PCoIP Network Optimization Guide (http://www.vmware.com/files/pdf/view/VMware-View-5-PCoIP-Network-Optimization-Guide.pdf).

7.6 Load Balancing and Traffic Management

This design will require network load balancers. They will be used by various components of the design and will help achieve the required levels of usability, performance, availability, and scalability. See Section 3, Access Layer Architecture, for a view of where the load balancers will be positioned as part of the client access layer.

The design and implementation of third-party load balancers are out of scope of this design. However, any load-balancing infrastructure should support the features shown in the following table to fully meet the requirements of this design.

Table 4. Load Balancer Requirements

| Feature | Specification | Justification/Comments |
|---|---|---|
| Support Virtual IP/DNS for VMware Identity Manager | Yes | The VIP represents the group of load balanced servers, for example, View connection servers, App Volumes managers, and so on. |
| Support Session Affinity | Yes | |
| Session Affinity Method | Cookie – JSESSIONID. | Some load balancers do not support session affinity based on JSESSIONID |
| Load-Balancing Basis | Fewest connections | |
| Ports Monitoring | Configurable port monitoring, for example, 443 (HTTPS) and 80 (HTTP). | |
| Health Monitoring | Yes | |
| Connections per Endpoint | Must support 2 connections per endpoint | Mirage specific requirement. |
| Configurable Timeout | Yes | |
| Connection Routing | X-forwarding for settings to determine source IP. | |


7.7 VMware Horizon 7 Network Ports and Protocols

Figure 16. VMware Horizon 7 Network Ports and Protocols


8. Operating System Security

8.1 Overview

The security requirements for this VMware Horizon 7 platform were discussed during the design workshop and captured in the Solution Requirements document. The goal of meeting these security requirements is addressed throughout this design, for example, firewalls and authentication mechanisms. This section describes design elements that enhance the security of the VMware Horizon 7 platform that are not addressed elsewhere in the design. This section does not describe existing policies that are already applied to the customer’s operating system through organization-wide Group Policies, application settings, User Environment Manager smart policies, and so on.

8.2 Antivirus and Anti-malware

8.2.1 Guest Agent Based Antivirus

A key challenge in virtual desktop infrastructure deployments is the deployment of antivirus updates, scheduling of scans, and on-access agent configuration. In a physical deployment, PCs do not share compute or storage resources and they can run updates and scans at the same time without issues. In a shared infrastructure, such as a virtual desktop infrastructure, resources are shared, so care needs to be taken with how antivirus is implemented.

The following provides general recommendations for antivirus configurations if traditional antivirus/endpoint protection is required, although antivirus vendor specific documentation should be reviewed.

For the virtual guests:

Scan on write/inbound activity only

Exclude print spool directory

o Exclude %systemroot%\SoftwareDistribution\Datastore, %allusersprofile%\NTUser.pol, %allusersprofile%\NTUser.pol, *.pst files (if used), and any local databases that might be used

App Volumes exclusions:

o C:\Program Files (x86)\CloudVolumes

o C:\SnapVolumesTemp

o C:\SVROOT

Scan local drives only

Consider disabling heuristics, as this is resource intensive

Exclude the page file

Limit the installation to only the antivirus scanner (no firewall, spyware, and so on) if possible

Set your nightly scheduled scanning processes to be random or scattered, if possible. This will prevent the hosts from scanning all at one time

Scheduled scans should be conducted on the primary/master replica image before it is sealed

VMware recommends that large updates for antivirus (engine updates) be applied to the parent virtual machine only. Scanning on updates should be avoided

Scanning of View logs should be avoided
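Every exclusion above is a location the scanner no longer inspects, so the configured list should match this section and contain nothing broader. The Python below is an added example, not part of the original design or of any VMware or antivirus vendor tooling: it compares an exported exclusion list with the paths named in this section. The `ENV` defaults, the function names, and the sample export are assumptions constructed for illustration.

```python
import ntpath
import re

# Exclusions that section 8.2.1 spells out. The print spool and page file
# paths are not given on the page, so they are left for the reader to add.
RECOMMENDED = [
    r"%systemroot%\SoftwareDistribution\Datastore",
    r"%allusersprofile%\NTUser.pol",
    "*.pst",
    r"C:\Program Files (x86)\CloudVolumes",
    r"C:\SnapVolumesTemp",
    r"C:\SVROOT",
]

# Assumption: default Windows locations for the variables used above.
ENV = {"systemroot": r"C:\Windows", "allusersprofile": r"C:\ProgramData"}


def normalize(entry, env=ENV):
    """Expand %VAR% (case-insensitive), unify slashes and case, drop trailing separators."""
    expanded = re.sub(
        r"%([^%\\/]+)%",
        lambda m: env.get(m.group(1).lower(), m.group(0)),
        entry.strip().strip('"'),
    )
    return ntpath.normcase(ntpath.normpath(expanded))


def is_ancestor(parent, child):
    """True when `parent` is a directory strictly above `child`."""
    return parent != child and child.startswith(parent.rstrip("\\") + "\\")


def too_broad(norm, recommended):
    """Drive roots, wildcards in a directory component, and parents of a
    recommended path all hide more from the scanner than the design intends."""
    if re.fullmatch(r"[a-z]:\\?", norm):
        return True
    if re.search(r"[*?]", ntpath.dirname(norm)):
        return True
    return any(is_ancestor(norm, rec) for rec in recommended)


def audit(configured, recommended=RECOMMENDED):
    """Compare an exported exclusion list with the recommended one."""
    rec = {normalize(r): r for r in recommended}
    seen, broad, unapproved = set(), [], []
    for raw in configured:
        norm = normalize(raw)
        if norm in rec:
            seen.add(norm)
        elif too_broad(norm, rec):
            broad.append(raw)
        else:
            unapproved.append(raw)
    missing = [orig for norm, orig in rec.items() if norm not in seen]
    return {"missing": missing, "too_broad": broad, "unapproved": unapproved}


# Constructed export of a scanner's exclusion list (not real data).
SAMPLE_EXPORT = [
    r"C:\WINDOWS\SoftwareDistribution\Datastore",
    r"%ALLUSERSPROFILE%\NTUser.pol",
    "*.PST",
    "C:/Program Files (x86)/CloudVolumes/",
    r"C:\SnapVolumesTemp",
    "C:\\",
    r"C:\Users\*\Downloads",
    r"D:\Tools",
]

if __name__ == "__main__":
    for finding, entries in audit(SAMPLE_EXPORT).items():
        print(f"{finding}: {entries}")
```

An entry reported as too broad is not counted as satisfying a recommended exclusion, so the fix it points to is replacing the broad entry with the specific path.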

8.2.2 View Connection Server Antivirus Considerations

For the View Connection Server and security server configurations, it is important to verify that the Java Message Bus directory is excluded from real-time scanning. View components actively log to the corresponding operating system. It is recommended that antivirus software be configured to avoid scanning View logs.

8.3 VMware NSX with vShield Endpoint

This reference architecture has determined that the best approach for desktop and application performance, as well as security and scalability is to leverage a VMware NSX® Data Security (VMware vShield Endpoint™) based solution that can provide endpoint protection at the hypervisor level. Various vShield Endpoint partner solutions are being evaluated as the preferred antivirus solution for the virtual desktop environment.

The following diagram provides an overview of the architecture required for antivirus vendor and VMware NSX Data Security (vShield Endpoint). vCenter instances will be associated with a VMware NSX Manager, which will provide the installation and management capabilities for VMware NSX Data Security (vShield Endpoint drivers are installed on each host in the cluster).

Figure 17. VMware NSX Data Security Integration

In addition, there is a Security Virtual Appliance (SVA) on each host that receives requests from the VMware NSX Data Security API (and the virtual machines) and provides the scanning and protection for the VMs. All scanning policies are managed through the antivirus vendor’s management consoles, and communicate with the SVA (and not the actual VMs themselves) for enforcement.

Scanning is done at the hypervisor level. Therefore, there is no requirement to have traditional antivirus agents inside of the virtual machine, unless other products are used within the virtual desktop. VMware best practices for scanning and protecting virtual desktops should also be implemented.


9. Management of User Environment

9.1 Overview

Whether a user is accessing a virtual desktop or a hosted application, the requirement for a consistent experience for users across all VMware Horizon 7 resources is one of the essential requirements described in the Solution Requirements document. This section describes the design of the infrastructure components that will be used to provide a consistent and manageable user environment.

The user-specific settings that the customer will define, for example, drive mappings, default browsers, and languages, are not discussed here, only the framework to implement such settings.

9.2 Smart Policies

Below are some simple sample Horizon policies. The following policies are defined in the User Environment Manager console and shall be leveraged based on use case. Examples of a few policy settings for internal and external users are given below.

Table 5. External Horizon Smart Policies

Horizon Policy - External

| Horizon Policy Setting | Value |
|---|---|
| USB redirection | Disable |
| Printing | Disable |
| Clipboard | Disable |
| Client Drive Redirection | Disable |
| PCoIP Profile Set | Not set |
| Conditions | Horizon Client property “Client Location” is equal to “External” |

Table 6. Internal Horizon Smart Policies

Horizon Policy - Internal

| Horizon Policy Setting | Value |
|---|---|
| USB redirection | Enable |
| Printing | Enable |
| Clipboard | Enable |
| Client Drive Redirection | Enable |
| PCoIP Profile Set | Not Set |
| Conditions | Horizon Client property “Client Location” is equal to “Internal” |


10. Graphics Acceleration

10.1 Overview

The graphics acceleration capabilities of the underlying host system can be utilized by desktop virtual machines. Configure the desktop pool appropriately, taking into consideration the GPU hardware available on the host and the use case's 3D performance needs.

The following tables explain the 3D graphics options available. Refer to the VMware Horizon 7 Documentation (https://www.vmware.com/support/pubs/view_pubs.html) for detailed explanations of these options.

Table 7. 3D Graphics Options

| Name | Description |
|---|---|
| NVIDIA GRID vGPU | This feature allows a physical Nvidia GPU on an ESXi host to be shared amongst virtual machines. This feature offers flexible hardware-accelerated 3D profiles for lightweight to high-end graphics needs. |
| AMD Multiuser GPU using vDGA | This feature allows multiple virtual machines to share an AMD GPU by making the GPU appear as multiple PCI pass-through devices. This feature offers flexible hardware-accelerated 3D profiles for lightweight to high-end graphics needs. |
| Virtual Dedicated Graphics Acceleration (vDGA) | This feature dedicates a single physical GPU on an ESXi host to a single virtual machine. Use this feature if you require high-end, hardware-accelerated workstation graphics. |
| Virtual Shared Graphics Acceleration (vSGA) | This feature allows multiple virtual machines to share the physical GPUs on ESXi hosts. This feature is suitable for mid-range 3D design, modeling, and multimedia applications. |
| Soft 3D | This feature allows you to run DirectX 9 and OpenGL 2.1 applications without requiring a physical GPU. |

Table 8. 3D Rendering Options

| Name | Description |
|---|---|
| Manage using VMware vSphere Client™ | View does not control 3D rendering. The type of 3D graphics rendering is controlled by the VMware vSphere Web Client. |
| Automatic | 3D rendering is enabled. The ESXi host controls the type of 3D rendering that takes place. |
| Software | 3D rendering is enabled. The ESXi host uses software 3D graphics rendering. If a GPU graphics card is installed on the ESXi host, this pool will not use it. |
| Hardware | 3D rendering is enabled. The ESXi host reserves GPU hardware resources on a first come, first served basis as virtual machines are powered on. |
| Nvidia Grid GPU | 3D rendering is enabled for NVIDIA GRID vGPU. The ESXi host reserves GPU hardware resources on a first come, first served basis as virtual machines are powered on. For more information, see the NVIDIA GRID vGPU Deployment Guide (https://www.vmware.com/files/pdf/products/horizon/grid-vgpu-deployment-guide.pdf). |
| Disabled | 3D rendering is disabled. |


11. Multimedia Enhancements

11.1 Overview

There are a number of VMware Horizon 7 features that can be implemented to provide an enhanced user experience when connecting to centralized desktop and application resources. These include Real-Time Audio-Video, Adobe Flash optimizations, optimizations for Microsoft Lync, and so on. As part of this VMware Horizon 7 design, this reference architecture has chosen to implement these enhancements for some of their use cases. These are described in the following section.

11.2 Real-Time Audio-Video

Real-Time Audio-Video (RTAV) redirects video and audio data to the hosted desktop/server with significantly lower bandwidth than redirecting the native USB device. RTAV is compatible with standard conferencing applications, such as Skype, and supports standard webcams, audio USB devices, and analog audio input.

If the customer uses Google Hangouts for video conferencing between employees and customers, they will use RTAV to reduce the bandwidth requirements when using Google Hangouts with their virtual desktops.

12. Availability, Business Continuity, and Recovery

12.1 Overview

The availability requirements for this VMware Horizon 7 platform were discussed during the design workshop and captured in the Solution Requirements document. These requirements for a resilient system are addressed throughout this design in the appropriate sections. For example, the number of ESXi hosts required is discussed in Section 5, vSphere Integration.

In addition to the provisioning of a resilient system, it is important for business and technology to continue functioning in the event of natural and man-made disasters or other potential events that might interrupt critical business functions. Therefore, as the customer plans to use VMware Horizon 7 to deliver business critical applications, they should review their business continuity and disaster recovery (BCDR) plan to confirm that VMware Horizon 7 is fully integrated with it. Any applications or systems accessed through VMware Horizon 7 must be considered separately and as part of a broader BCDR plan. Any capacity required for alternate working plans during a disaster should also be addressed during any refinement of use cases using the framework provided in the Solution Requirements document.

12.2 Disaster Recovery

It is essential to verify that recovery procedures are tested and validated, and have procedures and mechanisms in place to verify that critical data (images, software media, data backup, and so on) is ready and housed in an alternate location to provide an efficient and timely recovery.

The following table provides the backup decisions for this reference architecture.

Table 9. Disaster Recovery Design Decisions

| Standard | Decision | Frequency | Justification |
|---|---|---|---|
| App Stacks | Tape or long-term backup; Replicated to alternate data center | Weekly backups | App stacks do not change frequently. Applications are replicated to the alternate datacenter. |
| User Writeable Volumes | No backup | N/A | User writeable volumes contain user-installed applications. These are not backed up because users can reinstall applications if required. |
| Linked Clone Desktops | No backup | N/A | Linked-clone desktops are volatile and do not require backups. |
| User Environment Manager Repository | Tape or long-term backup; Replicated to alternate data center | Daily incremental; Weekly full | The User Environment Manager repository contains user profile data and should be backed up daily. |
| User Data Repository | Tape or long-term backup; Replicated to alternate data center | Daily incremental; Weekly full | This repository is used for folder redirection and contains user data. It should be backed up daily. This service is already in place and managed by the customer. |
| ThinApp Repositories | Tape or long-term backup | Daily | This includes packaging work in progress and live production share. |
| View Connection Server Instances | Tape or long-term backup | Weekly incremental; Monthly full | VDI Brokers do not change often and can be rebuilt if required. |
| Databases | Tape backup | Daily incremental; Weekly full | Database servers are highly available, but will be backed up to protect against data corruption. Existing database backups are fully managed by the customer’s DBA team. |
| VMware View Connection Server LDAP Backup | Integrated View LDAP backup | Daily incremental; Weekly full | The default backup configuration within View will be used to back up the LDAP Database. |
| Parent Images | Template on tape or long-term backup | Weekly backups | Parent images do not change often. |
| vRealize Operations Manager | Tape or long-term backup | Daily incremental; Weekly full | These will be backed up to retain historical data. |


Appendix A: Resources

IBM SoftLayer: https://www.softlayer.com

VMware: https://www.vmware.com

VMware Horizon 7 Documentation: https://www.vmware.com/support/pubs/view_pubs.html

VMware Horizon 7 Reference Architecture: http://www.vmware.com/files/pdf/techpaper/vmware-horizon-7-enterprise-validated-integration-design-reference-architecture.pdf

Antivirus considerations in Horizon 7 environment: http://www.vmware.com/files/pdf/techpaper/horizon-7-antivirus-view-app-volumes-thinapp-user-environment-manager.pdf

VMware Appvolume Reference Architecture: https://www.vmware.com/files/pdf/techpaper/vmware-app-volumes-reference-architecture.pdf

VMware Instant Clone Desktops: http://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/techpaper/vmware-horizon-view-instant-clone-technology.pdf

VMware Horizon View and vSAN reference architecture: http://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/techpaper/vmware-horizon-view-virtual-san-reference-architecture-white-paper.pdf

VMware Horizon View and All-Flash vSAN reference architecture: http://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/whitepaper/vmware-horizon-view-and-all-flash-virtual-san-reference-architecture-white-paper.pdf

VMware View 5 with PCoIP, Network Optimization Guide: http://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/whitepaper/view/vmware-view-5-pcoip-network-optimization-guide-white-paper.pdf

Blast Extreme Display Protocol: http://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/techpaper/vmware-horizon-7-view-blast-extreme-display-protocol.pdf