
Solution

  • Horizon

Type

  • Document

Level

  • Intermediate

Category

  • Deployment Considerations

Product

  • Horizon

Phase

  • Design
  • Deploy

Use-Case

  • Windows Delivery

VMware Blast Extreme Display Protocol in Horizon 7

VMware Horizon 7 version 7.10 and later

Introduction

Display communication protocols provide end users with a graphical interface to a remote desktop or published application. Blast Extreme is a display protocol built by VMware to deliver an immersive, feature-rich experience for end users across devices, locations, media, and network connections. Blast Extreme is included with VMware Horizon®, the latest generation of VMware desktop virtualization and remote application-delivery software.

This guide provides a technical description of the Blast Extreme display protocol, including its benefits, limitations, and deployment options, for administrators who are considering using Blast Extreme in their organization today.

This guide is intended for IT administrators and evaluators who are familiar with VMware Horizon and VMware vSphere®. Readers should also have a solid understanding of desktop and application virtualization, as well as a good working knowledge of networking and supporting infrastructure, covering topics such as Active Directory, Group Policy, and supporting technologies.

Blast Extreme Benefits

Blast Extreme provides

  • End users with access to their personalized virtual desktops or remote applications from company laptops, their home PCs, thin client devices, Macs, tablets, or smartphones.

  • A consistent user experience across devices and locations while keeping corporate data compliant and securely stored in the data center.

  • Ability to meet performance requirements for visually demanding applications when used with NVIDIA Tesla GPU–based hardware acceleration in the host.

  • Broad client support, including Windows, Linux, Mac, Android, iOS, Chrome, and web (HTML Access) clients.

  • Ability to use either the TCP or the UDP network transport.

  • Intelligence to determine and accommodate varying network conditions.

  • Feature parity with the VMware PCoIP display protocol.

  • Flexibility with regard to configuration methods, which include using Windows Group Policy or Horizon 7 Smart Policies included with VMware Dynamic Environment Manager™.

  • Option to simplify setup, including opening only one port (TCP 443) on front-end firewalls when VMware Unified Access Gateway™ is used as the secure gateway.

For a detailed list of Blast Extreme features, see the VMware Blast Extreme topic in the VMware Horizon 7 Architecture Planning guide.

Security Features

Blast Extreme includes the following security features to support Horizon 7:

  • AES (Advanced Encryption Standard) encryption – All TCP connections use TLS-protected web sockets to encrypt communication. TLS 1.1 and 1.2 are supported; because TLS 1.1 is deprecated (RFC 8996), configure agents and gateways to negotiate TLS 1.2 wherever your clients support it. All UDP connections are encrypted with DTLS. Encryption applies regardless of the codec in use (H.264, H.265, or JPG/PNG).

  • Security certificates – For external connections, Blast Extreme can use the security certificate on the Unified Access Gateway appliance. Blast Extreme can also use the certificate thumbprint of the Blast Secure Gateway or virtual desktop. A certificate thumbprint is a cryptographic hash of the certificate; the client compares it against the certificate actually presented on the Blast connection, so an agent or gateway certificate that is not issued by a trusted CA can still be verified.

  • SHA-256 signatures – Blast Extreme uses current cryptographic algorithms, including SHA-256 signatures.

  • Dual IPv4/IPv6 support – When using Blast Extreme, Unified Access Gateway can bridge between IPv6 VMware Horizon® Clients and an IPv4 back end (Connection Servers and agents). Horizon Clients can use either IP version 4 or 6. In this configuration, Blast Extreme must use TCP 443 only (see Port sharing, below).

  • FIPS support – FIPS-ready libraries are available for Unified Access Gateway 2.9 or later appliances.

  • Common Criteria – The evaluation process has been initiated. For more information, see Common Criteria Certification Report for VMware Horizon 7.

  • Port sharing – If you use a Unified Access Gateway virtual appliance for connections from outside the corporate network, by default the connection uses TCP port 8443 and optionally UDP port 8443. It is possible to configure the Blast External URL on the Unified Access Gateway appliance to use port sharing on TCP port 443 so that no additional ports need to be opened on the front-end firewall.
    Note: Because port sharing incurs some performance overhead on Unified Access Gateway, port sharing is not the preferred configuration.
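The following Python script is an added example, not part of this paper or of the Horizon Client code, showing what the thumbprint and TLS points above amount to in practice: a client that trusts a Blast endpoint by comparing a hash of the certificate it is presented against a pinned thumbprint, and that refuses anything below TLS 1.2. It assumes the expected thumbprint is hex SHA-256 or SHA-1 of the DER-encoded certificate and was obtained over a trusted channel (in Horizon, the authenticated Connection Server session); the sample bytes, host name, port, and pin value are constructed placeholders.

```python
import hashlib
import hmac
import socket
import ssl

# Constructed stand-in for the DER bytes of a Blast Secure Gateway or agent
# certificate; a real check uses the bytes returned by getpeercert(binary_form=True).
SAMPLE_DER = b"\x30\x82\x01\x00-constructed-stand-in-for-a-DER-encoded-certificate"


def normalize_thumbprint(thumbprint: str) -> str:
    """Reduce 'AB:CD:...', 'ab cd ...' or 'abcd...' to lowercase hex with no separators."""
    return "".join(ch for ch in thumbprint.lower() if ch in "0123456789abcdef")


def thumbprint(der: bytes, algo: str = "sha256") -> str:
    """Thumbprint = hash of the DER certificate; SHA-256 preferred, SHA-1 for legacy pins."""
    return hashlib.new(algo, der).hexdigest()


def thumbprint_matches(der: bytes, expected: str) -> bool:
    """Pin check: hash the presented certificate and compare in constant time."""
    expected_hex = normalize_thumbprint(expected)
    algo = {40: "sha1", 64: "sha256"}.get(len(expected_hex))
    if algo is None:  # malformed or unsupported pin length: fail closed
        return False
    return hmac.compare_digest(thumbprint(der, algo), expected_hex)


def pinned_context() -> ssl.SSLContext:
    """TLS client context for a pinned endpoint: TLS 1.2 floor, CA-chain validation off.

    The Blast certificate is often self-signed, so the CA chain cannot be the
    trust anchor; the pin learned over the authenticated broker session is.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse TLS 1.1, which is deprecated
    ctx.check_hostname = False  # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def check_blast_endpoint(host: str, port: int, expected: str, timeout: float = 5.0):
    """Connect to a Blast TCP listener (22443 on an agent, 8443 or 443 on a gateway)
    and return (pin_ok, negotiated_tls_version, presented_sha256_thumbprint).

    Needs network access; the pure helpers above are what an offline test exercises.
    """
    ctx = pinned_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            return thumbprint_matches(der, expected), tls.version(), thumbprint(der)


if __name__ == "__main__":
    # Placeholder host, port and pin (assumptions); substitute your own values.
    ok, version, seen = check_blast_endpoint("desktop.example.internal", 22443, "00" * 32)
    print(f"pin ok={ok} tls={version} presented sha256={seen}")
```

Disabling chain validation is only acceptable because the thumbprint comparison replaces it; a script that sets CERT_NONE without a pin check is not a verification at all. Comparing with hmac.compare_digest rather than == avoids leaking how many leading bytes of the pin matched through timing.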

Components of Blast Extreme

Display protocols must be able to efficiently provide the best user experience for various types of screen content, including text, still images, streaming video, 3D rendering, and audio. VMware built Blast Extreme to handle even the most demanding graphical workloads, including medical imaging and geographic information system (GIS) applications used for analyzing large data sets, creating maps, and visualizing real-world scenarios in both 2D and 3D.

Configurable Components

Various components of a display protocol can be configured to address the different types of screen content and differing network speeds that end users are likely to encounter. These components include the transport protocol and display protocol codec:

  • Transport protocol – Blast Extreme supports two transport protocols to carry the display traffic between clients and the Horizon infrastructure: TCP (Transmission Control Protocol) and UDP (User Datagram Protocol).

  • Display protocol codec – A codec is used to encode and decode the screen content transferred by Blast Extreme. Blast Extreme supports four codecs: JPG/PNG, H.264, HEVC (H.265), and the new Blast Codec. The image formats used by these codecs employ compression to reduce the size of the content before it is transferred across the network.

For details about the various transport protocols, codecs, image formats, and types of compression that Blast Extreme uses, depending on the type of screen content, see Blast Extreme Technology, in the VMware Blast Extreme Optimization Guide.

VMware Blast Extreme uses VMware client-side components, installed with VMware Horizon Client, as well as agent-side components, installed on virtual desktops, physical desktops, and RDSH servers that host published applications and desktops.

Client-Side Components

Optimized for the mobile cloud, VMware Blast Extreme supports a broad range of client devices, including Windows, Linux, Mac, Android, iOS, Chrome, and web (HTML Access) clients. On the client side, you can configure which codec or codecs to use for encoding and decoding the screen content transferred by Blast Extreme.


Figure 1: Blast Extreme Settings on Horizon Client for Windows

Horizon Client supports hardware-accelerated H.264 decoding on the following types of client devices:

  • Most Macs, laptops, and Windows PCs manufactured in 2013 or later.

  • Chromebooks.

  • iOS and Android devices.

  • Windows tablets and phones.

  • For VMware Horizon® HTML Access™, this feature is supported on Chrome browsers (version 45 or later) if the device supports H.264 decoding. For other browsers, the JPG/PNG codec is used.

Horizon Client also supports High Efficiency Video Coding, or HEVC for short. HEVC is also known as H.265 and is the industry successor to H.264. HEVC provides up to 50 percent better compression with the same quality as H.264 and can also provide higher quality at similar compression ratios as H.264.

However, because H.265 requires substantially more processing power than H.264 to encode and decode, the ESXi hosts for desktops and server farms must have NVIDIA Tesla GPUs to offload encoding. HEVC will not work with CPU encoding alone. HEVC also requires clients to have graphics cards with H.265 decode support, but fortunately, as with H.264, most client devices manufactured since 2015 have them.

Note: Different types of client devices support different Blast Extreme settings. To find out which Blast Extreme settings are available for a specific client platform, see the Horizon Client user guide for that platform, available from the VMware Horizon Client Documentation page.

Agent-Side Components

The client-side settings work in conjunction with the agent-side settings, which administrators can configure, as described in How to Configure Blast Extreme, in the VMware Blast Extreme Optimization Guide.

Three Blast Extreme components are built into the Horizon Agent, which administrators install in virtual desktops and Microsoft RDSH servers:

  • The VMware Blast service (VMBlastS.exe) manages user sessions, proxies incoming TCP connections, and prepares the Blast Worker process.

  • The Blast Worker process (VMBlastW.exe) captures the screen and handles everything within the session.

  • If you use UDP, the Blast Proxy process (VMBlastP.exe) brokers UDP connections.

Log File Locations for Client and Agent Components

Log files related to Blast Extreme can be found in the following locations:

  • Windows client: C:\Users\<username>\AppData\Local\Temp\vmware-<username>\vmware-mks-<#>.log

  • Mac client: /Users/<username>/Library/Logs/VMware/vmware-mks-<#>.log

    To collect logs on a Mac, you can use the Horizon Collector for Mac Fling (which, like all VMware flings, is not officially supported).

  • Horizon Agent: <Drive>:\ProgramData\VMware\VMware Blast\

    This directory contains logs for the three Blast Extreme components:

    • Blast-Service.log

    • Blast-Worker-SessionId<#>.txt

    • Blast-Proxy.log

For more information about the entries in these log files, see How to Verify Configuration in the VMware Blast Extreme Optimization Guide.

The next section describes the workflow of connections made between the client and agent components.

Blast Extreme Network Connections

This section details the workflow of connections that are made so that Blast Extreme can provide the best remote display experience, regardless of whether the user is inside or outside of the corporate network. Diagrams show which ports are used at which locations, and the numbered lists that follow the diagrams show what is happening at each connection.

The descriptions mention various remote experience features. For details about the remote experience features, see Configuring Remote Desktop Features, in the guide Configuring Remote Desktop Features in VMware Horizon 7.

The connection workflow descriptions in this section also include information about the configurable components of Blast Extreme and the various Blast Extreme services and processes that are built into the virtual desktop agent.

Internal Connection

With an internal connection, the client, the server, and the virtual desktop or RDSH server are all inside the corporate network. The following diagram shows the ports used for an internal connection, and the list that follows describes the order in which the connections are made.

Note: For more information about internal client connections, see Network Ports in VMware Horizon 7.


Figure 2: Internal Connection from Client to Agent Using Blast Extreme

  1. Horizon Client, installed on the client device, connects to a Connection Server on TCP port 443 for authentication and to request a desktop or application.
  2. The Connection Server returns connection information for the virtual desktop or RDSH server that provides remote applications (on TCP port 443).
  3. A TCP web socket connection is made on port 22443 between the client and the virtual desktop or RDSH server.

    Note: At this point, the VMware Blast service on the agent side (Horizon Agent on the virtual desktop or RDSH server) proxies the incoming TCP connection. The Blast Worker process determines whether UDP is enabled on the agent and allowed on the client.

  4. If UDP is enabled on the agent (the default), the Blast Proxy process (in Horizon Agent) attempts to make a UDP connection to the client on port 22443.
    • If UDP is not enabled or is blocked, the initial TCP connection (Step 3) is used instead.

    • If LAN network conditions are detected, the initial TCP connection (Step 3) is used instead of UDP.

  5. When client-drive redirection (CDR) is enabled by the administrator, the traffic is by default side-channeled on the Blast Extreme channel. If desired, the traffic between Horizon Client and Horizon Agent can be configured to use a separate port (TCP 9427).

  6. If multimedia redirection (MMR) is enabled, this traffic uses TCP port 9427 between the client and agent.

  7. If USB redirection is enabled, this traffic uses TCP port 32111 between the client and agent. USB redirection traffic can also be side-channeled on the Blast Extreme port. See Enabling the USB Over Session Enhancement SDK Feature.

Internal Tunneled Connection

With an internal tunneled connection, the client, the server, and the virtual desktop or RDSH server are also all inside the corporate network, but the clients might be on a different subnet from that of the virtual desktops or RDSH servers (where the agent is installed), and you do not want to open ports between the clients and agents directly. Tunneling traffic through the Connection Server means that ports need to be open only between the Connection Server and the client, and between the Connection Server and the agent, but not between the client and the agent.

The following diagram shows the ports used for an internal tunneled connection, and the list that follows describes the order in which the connections are made.

Note: For more information about tunneled connections, see Network Ports in VMware Horizon 7.


Figure 3: Tunneled Connection from Client to Agent Through the Connection Server

  1. Horizon Client, on the client device, connects to a Connection Server on TCP port 443 for authentication and to request a desktop or application.

  2. The Connection Server returns the connection information for the virtual desktop or RDSH server that provides remote applications (on TCP port 443).

  3. A TCP web socket connection is made from the client to the Blast Secure Gateway on the Connection Server (TCP port 8443 by default; the port can be customized), and then from the Blast Secure Gateway to the virtual desktop or RDSH server on port 22443.

  4. When multimedia redirection (MMR), client-drive redirection (CDR), USB redirection, or some combination of these are enabled by the administrator, this traffic goes through the HTTPS Secure Tunnel on the Connection Server.

    TCP 443 is used between the client and the Connection Server. The traffic uses the native port for each of the remote experience features between the Connection Server and the agent:

    • Multimedia redirection traffic uses TCP 9427.

    • Client-drive redirection traffic uses TCP 9427.

    • USB redirection traffic uses TCP 32111.

External Connection

With an external connection, the client is connecting from outside the corporate network to the Unified Access Gateway. This gateway then directs the traffic to the correct port and location on the Connection Server and agent. The following diagram shows the ports used for an external connection, and the list that follows describes the order in which the connections are made.

Note: For more information about external client connections, see Network Ports in VMware Horizon 7.


Figure 4: External Connection from Client to Agent Through the Unified Access Gateway

  1. Horizon Client, on the client device, authenticates and requests a desktop or application. The connection travels from the client to a Unified Access Gateway virtual appliance on TCP port 443, and then from the Unified Access Gateway to the Connection Server on TCP port 443.

  2. The Connection Server returns the connection information for the virtual desktop or RDSH server to the client.

  3. A web socket connection is made from the client to the Blast Secure Gateway (on the Unified Access Gateway) on TCP port 8443, and then from the Blast Secure Gateway to the virtual desktop or RDSH server on TCP port 22443.

    The port used by the Blast Secure Gateway on the Unified Access Gateway can be customized (for example, it can use TCP 443).

    Note: At this point, the VMware Blast service on the agent side (Horizon Agent on the virtual desktop or RDSH server) proxies the incoming connection. The Blast Worker process determines whether UDP is enabled on the agent and allowed on the client.

  4. If UDP is enabled on the agent (the default), the Blast Proxy process (in Horizon Agent) attempts to make a UDP connection. If UDP is not enabled or is blocked, the initial TCP connection (Step 3) is used instead.

    If LAN network conditions are detected, the initial TCP connection (Step 3) is used instead of UDP.

    • The UDP connection uses UDP port 8443 from the client to the UDP Tunnel on the Unified Access Gateway.

    • The connection continues on UDP port 22443 from the Unified Access Gateway to the agent.

  5. The VMware Virtual Channel is opened between the agent (virtual desktop or RDSH server) and the Blast Secure Gateway on port 22443, and between the Blast Secure Gateway and the client on port 8443 using TCP or UDP as determined in Step 4. The remote experience traffic runs on this channel, including traffic related to USB redirection and client drive-redirection (CDR), if these features are enabled by the administrator.

  6. When client-drive redirection (CDR) is enabled by the administrator, this traffic goes through the Horizon Tunnel on the Unified Access Gateway appliance. TCP 443 is used between the client and the Unified Access Gateway.

    By default, the traffic is then side-channeled on the Blast Extreme channel to the agent. If desired, the traffic between the Unified Access Gateway and Horizon Agent can be configured to use a separate port (TCP 9427).

  7. If multimedia redirection (MMR) is enabled, this traffic uses TCP port 443 from the client to the Horizon Tunnel on the Unified Access Gateway. TCP port 9427 is then used from the Unified Access Gateway to the agent.

  8. If USB redirection is enabled, this traffic uses TCP port 443 from the client to the Horizon Tunnel on the Unified Access Gateway. TCP port 32111 is then used between the Unified Access Gateway and the agent.

    USB redirection traffic can also be side-channeled in the Blast Extreme port between the Unified Access Gateway and agent. See Enabling the USB Over Session Enhancement SDK Feature.
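The three workflows above (internal, internal tunneled, and external through Unified Access Gateway) describe one port set from different vantage points. The following Python script is an added example, not VMware code, that encodes those numbered lists as a rule generator so that the minimal firewall allow-list for a given deployment can be derived and reviewed rather than transcribed by hand. Port numbers are the ones stated on this page; the bsg_port default of 8443 for the Blast Secure Gateway, the endpoint names, and the option names are assumptions for illustration. With port sharing the generator emits TCP 443 only, matching the statement that no additional front-end ports are needed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    src: str        # "client", "uag" or "connection-server" (placeholder names)
    dst: str        # "connection-server", "uag" or "agent"
    proto: str      # "TCP" or "UDP"
    port: int
    purpose: str


@dataclass
class Deployment:
    mode: str                         # "internal", "tunneled" or "external"
    udp: bool = True                  # UDP enabled on the agent (the default)
    bsg_port: int = 8443              # Blast Secure Gateway listener; assumption: default 8443
    port_sharing: bool = False        # external only: Blast External URL on TCP 443
    cdr: bool = False                 # client-drive redirection
    cdr_separate_port: bool = False   # CDR on TCP 9427 instead of the Blast side channel
    mmr: bool = False                 # multimedia redirection
    usb: bool = False                 # USB redirection
    usb_side_channel: bool = False    # USB over Session Enhancement SDK


def blast_rules(d: Deployment) -> list[Rule]:
    """Return the allow rules a workflow needs, merged when two features share a port."""
    r: list[Rule] = []
    if d.mode == "internal":
        r.append(Rule("client", "connection-server", "TCP", 443, "authentication and brokering"))
        r.append(Rule("client", "agent", "TCP", 22443, "Blast TCP web socket"))
        if d.udp:
            r.append(Rule("client", "agent", "UDP", 22443, "Blast UDP"))
        if d.cdr and d.cdr_separate_port:
            r.append(Rule("client", "agent", "TCP", 9427, "client-drive redirection"))
        if d.mmr:
            r.append(Rule("client", "agent", "TCP", 9427, "multimedia redirection"))
        if d.usb and not d.usb_side_channel:
            r.append(Rule("client", "agent", "TCP", 32111, "USB redirection"))
    elif d.mode == "tunneled":
        # Only the Connection Server talks to the agent; this workflow is TCP only.
        r.append(Rule("client", "connection-server", "TCP", 443, "authentication, brokering, HTTPS Secure Tunnel"))
        r.append(Rule("client", "connection-server", "TCP", d.bsg_port, "Blast Secure Gateway"))
        r.append(Rule("connection-server", "agent", "TCP", 22443, "Blast TCP web socket"))
        if d.mmr:
            r.append(Rule("connection-server", "agent", "TCP", 9427, "multimedia redirection"))
        if d.cdr:
            r.append(Rule("connection-server", "agent", "TCP", 9427, "client-drive redirection"))
        if d.usb:
            r.append(Rule("connection-server", "agent", "TCP", 32111, "USB redirection"))
    elif d.mode == "external":
        r.append(Rule("client", "uag", "TCP", 443, "authentication, brokering, Horizon Tunnel"))
        r.append(Rule("client", "uag", "TCP", 443 if d.port_sharing else d.bsg_port, "Blast Secure Gateway"))
        r.append(Rule("uag", "connection-server", "TCP", 443, "brokering"))
        r.append(Rule("uag", "agent", "TCP", 22443, "Blast TCP web socket"))
        if d.udp and not d.port_sharing:  # port sharing means TCP 443 only
            r.append(Rule("client", "uag", "UDP", d.bsg_port, "Blast UDP Tunnel"))
            r.append(Rule("uag", "agent", "UDP", 22443, "Blast UDP"))
        if d.cdr and d.cdr_separate_port:
            r.append(Rule("uag", "agent", "TCP", 9427, "client-drive redirection"))
        if d.mmr:
            r.append(Rule("uag", "agent", "TCP", 9427, "multimedia redirection"))
        if d.usb and not d.usb_side_channel:
            r.append(Rule("uag", "agent", "TCP", 32111, "USB redirection"))
    else:
        raise ValueError(f"unknown mode {d.mode!r}")

    merged: dict[tuple, Rule] = {}
    for rule in r:
        key = (rule.src, rule.dst, rule.proto, rule.port)
        if key in merged:
            merged[key] = Rule(*key, merged[key].purpose + "; " + rule.purpose)
        else:
            merged[key] = rule
    return list(merged.values())


def front_end_ports(d: Deployment) -> list[tuple[str, int]]:
    """(proto, port) pairs the client-facing firewall must allow for this deployment."""
    return sorted({(x.proto, x.port) for x in blast_rules(d) if x.src == "client"})


if __name__ == "__main__":
    for dep in (Deployment("internal"), Deployment("tunneled", cdr=True, usb=True),
                Deployment("external"), Deployment("external", port_sharing=True)):
        print(f"== {dep.mode} (udp={dep.udp}, port_sharing={dep.port_sharing})")
        for rule in blast_rules(dep):
            print(f"  {rule.src:>17} -> {rule.dst:<17} {rule.proto} {rule.port:<6} {rule.purpose}")
        print("  front-end:", front_end_ports(dep))
```

Run the script to print each workflow's rule table; the front_end_ports output is the list to compare against what is actually open on the perimeter, and any extra listener there is attack surface the deployment does not need.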

Deployment

To set up the Horizon 7 environment for Blast Extreme, administrators open the required firewall ports and select Blast Extreme as the default display protocol or as a possible protocol choice for end users.

VMware Horizon Software Requirements

Use the correct version of Horizon 7 and related components:

  • Connection Server 7.1 or later is required; Connection Server 7.10 or later is recommended.

  • For external connections: Unified Access Gateway 2.9 or later.

  • Horizon Client 4.8 or later is required; Horizon Client 5.2 or later is recommended.

  • Horizon Agent 7.5 or later is required; Horizon Agent 7.10 or later is recommended.

  • For Linux desktops: Horizon for Linux version 7.5 or later is required; Horizon for Linux version 7.10 or later is recommended.

Software Requirements for Physical Desktop Machines

With Horizon 7 version 7.7, VMware introduced the ability to broker physical desktop machines running Windows 10 version 1803 and 1809 Enterprise Edition, via the Blast Extreme display protocol.

With Horizon 7 version 7.12, support for using Blast Extreme with physical desktop machines running Windows 10 versions 1903 and later was added.

Port Requirements

For details about port requirements for connectivity between the various components and servers in a Horizon 7 deployment, see Network Ports in VMware Horizon 7.

Configuration and Optimization

For information about administrator settings, end-user settings, and various optimization strategies, see the VMware Blast Optimization Guide.

Summary and Additional Resources

Now that you have learned about the benefits and features of Blast Extreme, and seen how easy it is to configure in your Horizon 7 environment, we hope that you will take advantage of this adaptive and purpose-built display protocol.

Additional Resources

VMware Blast Extreme Optimization Guide

Horizon 7 Console Administration

Configuring Remote Desktop Features in Horizon 7

VMware Horizon Client documentation

Network Ports in VMware Horizon 7

NVIDIA vGPU Deployment Guide for VMware Horizon 7.5 on VMware vSphere 6.7

VMware Horizon Blast Extreme Acceleration with NVIDIA GRID blog post

3D Graphics like never before with VMware Horizon and NVIDIA T4 GPUs blog post

Authors and Contributors

Graeme Gordon is a Senior Staff End-User-Computing Architect, EUC Technical Marketing, VMware.

Caroline Arakelian is a Senior Technical Marketing Manager, End-User-Computing Technical Marketing, VMware.

Chris Halstead co-authored the original version of this white paper. Chris is EUC Staff Architect, End-User-Computing Technical Marketing, VMware.

Mark Ewert is a Senior Product Line Manager, EUC Desktop Products, VMware.

The authors wish to thank the following people for their contributions to this paper:

Frank Anderson, EUC Architect, EUC Technical Marketing, VMware

Josh Spencer, EUC Architect, EUC Technical Marketing, VMware

Ramu Panayappan, Director, Virtual Workspace R&D, VMware

Mike Oliver, Staff Engineer, Virtual Workspace R&D, VMware

Salil Kanitkar, Senior Member of the Technical Staff, Virtual Workspace R&D, VMware

Mark Ewert, Lead Technologist, EUC Competitive Marketing, VMware

Matt Coppinger, Director, Technical Marketing and Enablement, EUC Technical Marketing, VMware

To comment on this paper, contact VMware End-User-Computing Technical Marketing at euc_tech_content_feedback@vmware.com
