Business Continuity with VMware Horizon

Providing Business Continuity with VMware Horizon

Disruptions can take many forms, many scopes, and can impact organizations of any size, in any location. Unplanned events such as natural disasters, severe weather, illness, and travel restrictions make it nearly impossible to continue “business as usual.” Every organization should have or develop a business continuity plan to ensure its operations can continue, no matter what the disruption. Business continuity can be achieved and remote workers supported with  AnchorVMware Horizon®, and AnchorVMware Horizon® Cloud Service™, as well as with the VMware Workspace ONE® platform and the solutions it includes.


This guide is intended for security architects, engineers, and administrators who are interested in a VMware Horizon or Horizon Cloud Service infrastructure. This guide is intended for those who want to familiarize themselves with Horizon, are in the process of implementing Horizon for the first time, or have an existing Horizon implementation that they want to expand. Not all sections of this guide are necessarily applicable to your particular deployment, but are clearly marked so you can find what you need to get started.

It is assumed that you have some familiarity with Windows data center technologies such as Active Directory, as well as with virtualization technology, cloud computing, network routing, and firewall security architecture.

Purpose of This Guide

This guide covers how business continuity challenges are changing with a remote-first requirement. It gives technical detail on how VMware Horizon can help you meet these challenges.

Organizations may have a variety of starting states, from being new to Horizon or already using one of the deployment options for Horizon 7 or Horizon Cloud. No matter what state your organization is starting from, you should consider the following four steps, which are covered in this guide:

  1. Reflect - Health check and solidify any existing environment.
  2. Expand - Understand the options available for new environments or expansion of existing ones.
  3. Deploy – Get deployment considerations for Horizon, including guidance on best practices.
  4. Enhance and Evolve - Understand how to enhance and evolve the solution to add more security, improve user experience, and drive digital transformation.

Figure 1: Business Continuity Journey

Current Challenges

Many business continuity plans have traditionally focused on the datacenter elements when it comes to planning IT systems. These include ensuring data is replicated from primary to secondary data centers in case of a disaster, and making key systems redundant and able to failover to run in alternate locations. A secondary consideration was ensuring users could access those systems during a period of disruption. However, this consideration was often based on the assumption that the users could work from another office location, either owned or leased, that had been primed for them.

Times and challenges have changed, and the assumption that users can access an office location no longer holds true. The focus is now on how to provide both continuity for the user, as well as business continuity for the IT systems. When planning for user access, a remote-first approach must now be taken.

While building a business and a user continuity plan, a critical element is to provide continuing access to IT systems and corporate resources, to ensure that users remain productive no matter where they are. This has to be done while maintaining proper security and control over users’ access to corporate applications, data, and resources.

How can organizations plan, maintain, and support users that are no longer necessarily based in the office? While initially this requirement is driven by recent events when users cannot get to an office location, you should consider beyond these immediate needs. When evaluating business continuity options, you should strive for solutions that can be used as part of the user’s everyday system. In that way, this can be seen as more than just something to be used during an outage or disruptive event.

When the solution is based on a remote-first approach, you have the ability to offer options to work from home, either full-time or part-time. Many organizations are also exploring this for other reasons, such as to reduce daily travel to the office as part of a green initiative, or to allow more flexible work schedules.

The challenge facing IT is: How do we give users secure access to the software and IT systems that they use in their daily work, from locations and over networks that are not managed by our organization?

In the past, organizations have used VPN solutions to provide remote access into systems in data. These typically assume trust in the endpoint device, which becomes difficult to enforce in a remote-first scenario. These approaches are often coupled with the distribution of laptops that are taken home by the users. These present challenges in management with a distributed device estate, and entail risk, as data often resides on those devices.

Meeting the Challenge

VMware Horizon provides remote delivery and comprehensive lifecycle management of desktops and published applications. Providing seamless, familiar, and secure access to these resources from any device, any location, and at any time, is a foundational tenet of Horizon. Users are presented with a familiar desktop or set of published applications that they can remotely access to allow them to work from home, from other locations, or from anywhere that they can get an internet connection.

Organizations may be new to VMware Horizon, or already using one of the deployment models to deploy virtual desktops and published applications to their users. Some may be using Horizon for only a portion of their workforce and are now looking to expand it, in order to address an increase in demand for both business continuity and remote-first working. Many organizations either rapidly adopted Horizon or expanded their usage to cope with the sudden increase in demand during recent events. Some organizations have used Horizon to allow their users to connect securely and remotely from home to their physical Windows machine located back at the user’s usual office.

These environments should be revisited to ensure that things were done correctly and that security is implemented properly. In addition, you should verify that the environments are designed and built to be robust enough to serve in the future, with the ability to be scaled to service the entire workforce.

IT Benefits of Using VMware Horizon

VMware Horizon provides many benefits to the IT administrator. For example, you can quickly deploy Horizon to solve the demand for remote-first working. You can also implement it as a highly available desktop and application service to help meet your business continuity needs.

Security is inherent in Horizon. With the user remoting into a Horizon resource to run their applications, the data stays centralized. The endpoint is not on the corporate network, no data resides it, and no VPN software is necessary. Since all applications and data stay on the servers in the datacenter or the cloud, you don’t have to worry about what might be saved on a user’s home device, which means you don’t have to worry about it being lost, stolen, and so on. All traffic between the endpoint and the Horizon desktop or application is encrypted to secure communication.

Policies can be implemented to control the copying of data, including completing restricting the ability to copy any data between the endpoint and the internal resource. This is useful when protecting data that is under compliance regulations.

User are entitled to the desktops or published applications that they need, and the multi-factor authentication options available allow for additional security to prove a user’s identity before granting them access.

User Benefits of Using VMware Horizon

VMware Horizon provides many benefits to the end users being managed by the IT administrator. Horizon provides a consistent user experience that gives users access to a familiar environment every time.

It does not matter what type of device the user has, as long as it has a screen, keyboard, and often a mouse, because Horizon can be accessed from many different types of devices, including Windows, Mac, Linux, iOS, Android, and ChromeOS. This flexibility allows the user to use the device they prefer, or is most available, and even to swap between endpoint devices if they want to.

Getting connected to Horizon desktops and published applications does not require any IT expertise at the user’s house. All the user has to do is go to a web page, where they can optionally install the Horizon Client, or simply log in to use the browser as the client. Once authenticated, they can access their full corporate desktop or individual published applications, giving them access to all of their familiar applications and data, as if they were sitting in the office.

Once connected, users work as they would normally, with the option to access redirected peripherals attached to the endpoint and to print to local printers. Of course, all of this can be controlled by policies to enforce security as appropriate.

Starting States

Organizations may be new to VMware Horizon, or already familiar and using one of the deployment models. Some organizations may be using Horizon for only a portion of their workforce, and are now looking to expand, to address an increase in demand for business continuity and remote-first working.

Horizon can be deployed on-premises, in the cloud, or in a hybrid model. The Horizon universal license gives you the flexibility to deploy and expand on your platform or platforms of choice.

No matter what your starting state, there are a variety of options that you can consider, in order to expand remote working capabilities to a larger portion of your workforce.

Figure 2: Starting states and deployment options

New to VMware Horizon

VMware Horizon is a family of desktop and application virtualization solutions that enables organizations to deliver virtualized desktop services and applications to end users. Horizon can be used as a cornerstone for Business Continuity planning, and as an important function to make sure users have access to the applications they need on a platform that is familiar to them, such as Windows 10.

Horizon has advantages for both end users and IT administrators. End users are no longer restricted to one specific machine, and can access their system and files across supported devices and locations. As an IT administrator, you can use Horizon to simplify and automate the management of desktops and applications, and you can securely deliver desktops as a service to users from a central location. You can quickly create virtual desktops on demand, based on location and profile.

A single cloud control plane is available, from which you can choose multiple deployment options. At any time, you can dynamically switch options to adjust to changes in use cases, employee moves, economic shifts, and so on. These options consist of Horizon pods using:

  • Microsoft Azure capacity - Public cloud infrastructure from Microsoft Azure, an Infrastructure-as-a-Service (IaaS) provider
  • VMware Cloud on AWS capacity - Cloud-hosted capacity managed by VMware
  • Partner solutions

Considering Deployment Options

VMware Horizon has several deployment options.

  • The most common option, for many customers, is to deploy Horizon 7 in on-premises datacenters.
  • Horizon 7 can also be deployed on VMware Cloud on AWS.
  • Horizon is also available as a service with Horizon Cloud on Microsoft Azure.
  • There are also partner solutions leveraging Horizon technologies as mentioned in the preceding section.

Some organizations choose a hybrid approach that includes on-premises and cloud-based desktop and application resources. The Horizon Control Plane section provides common management services.

Consult the Deployment Considerations section for more detail on these deployment options and on the considerations that should be taken into account.

Horizon goes beyond brokering virtual machines. Although best known for its myriad benefits when implementing virtual desktops and application servers, Horizon also offers the option to broker access to physical Windows desktop machines. This provides an excellent and familiar experience for employees.

Brokering to physical machines can be implemented either with an existing Horizon 7 environment or with a new one. With minimal components required, this solution can be implemented quickly. See Using Horizon 7 to Access Physical Windows Machines for more information.

Exploring Hands-On Labs and TestDrive

For those completely new to Horizon, there are a couple of options for taking a look at the solutions without setting them up in your environment.

VMware Hands-On Labs provides an on-demand hands-on experience for some of the Horizon product line. You can access the current catalog, and search for “VMware Horizon” to see what is available. Signing up for an account is free.

VMware TestDrive is also available for additional use-case based, hands-on interactions. TestDrive provides a pre-configured, optimized environment with comprehensive step-by-step videos, walkthroughs, and guides for a quick learning experience. It is available to VMware partners and anyone with an invitation code. Contact your VMware EUC sales team to get an invitation code. You can access TestDrive here.

Conducting a Proof of Concept

It is a common practice to set up an initial proof of concept in order to get hands-on experience with Horizon technologies that includes testing your specific use cases and how the solution works in your environment. We have Quick-Start Tutorials that provide installation guidance, as well as walkthroughs of initial basic tasks such as setting up a desktop pool. There are guides for both Horizon 7 and Horizon Cloud Service on Azure:

Running a Pilot

The next logical step in testing whether a Horizon solution is suitable for your everyday production or business continuity needs, is to deploy a pilot with one or more user groups to test the full functionality that your users require. A pilot typically includes testing the full range of user experience requirements such as printing, device redirection, and overall performance. This is typically done with users who are willing to participate in initial testing and provide objective, detailed feedback.

Pilots are often done with a VMware Partner or VMware Professional Services to leverage their expertise in having conducted previous pilots. Contact your VMware EUC Sales Team for help in finding a partner or PSO resource.

Next Steps

This document provides more things to consider as you are looking at Horizon to provide business continuity and remote first capabilities for your organization, and it is worth reading further. There is more detail on design, architecture, sizing, external access and other important topics in the Deployment Considerations section.

Existing Horizon 7

If you already have an existing Horizon 7 deployment, there are many options available for expansion and for addressing an increase in demand for remote working. This section outlines an approach and main options, along with the considerations for each.

Conducting a Health Check

The first step in building business continuity, and any potential expansion, should be to check that any existing Horizon 7 environment is healthy, has been properly deployed, and is sufficiently sized to cope with the number of users to support. This is especially important before expanding, to ensure that any new capacity or capability is being built on solid foundations. If environments have been rapidly stood up or expanded to cope with a sudden increase in demand for remote working, these should be checked and amended, as necessary, to make sure they follow sizing, security, and other best practice recommendations.

Review the following sections of this guide and update any current environment, as necessary.

  • Release versions – Review the versions of software used in the environment to make sure that the Infrastructure is running supported versions and also taking advantage of all the fixes, features, and performance improvements in recent releases of Horizon.
    See the Release Versions section of this guide for more details.
  • Sizing - The environment should be sized correctly to cope with the current demand and also any increase that is expected during a business continuity event. Review the Horizon 7 sizing guidance, limits, and information to ensure that the current and any future environment is designed and sized correctly.
    See the Horizon 7 sizing section below, and the design guidelines in the Horizon Reference Architecture.
  • Security – Review Horizon communication, the network ports used, and firewall rules to ensure only required traffic is allowed.
    See the Security section of this guide for more details.
  • Authentication - Review how user authentication is handled and evaluate if this should be enhanced.
    See the Authentication section of this guide for more details.
  • Golden Images - Ensure that best practices have been followed for creating images to be used for virtual desktops and for Windows RDS Hosts used for published applications. If the golden image is not properly optimized, the virtual desktop or RDS Host that is cloned from it, for end user consumption, will consume more resources and adversely affect user experience.
  • Review the Golden Image Best Practices section of this guide for more details.

A health check service is available from VMware Professional Services. Inquire with your VMware team for more details.

Considering Expansion Options

VMware Horizon has several deployment options that can be used to expand an existing Horizon 7 deployment to support additional remote workers:

Expanding Existing Horizon 7 Environments

Deploying or expanding existing Horizon 7 deployments is a relatively straightforward process with flexible deployment options. Horizon 7 can be deployed on-premises or in the cloud. Horizon 7 can be deployed in a single site, across multiple sites, in VMware Cloud, or all of these.

Cloud Pod Architecture (CPA) or the Horizon Universal Broker can be used to federate multiple locations together, and can be used between both on-premises deployments and cloud-based deployments.

CPA introduces the concept of a global entitlement (GE) through joining multiple pods together into a federation. This feature allows us to provide users and groups with a global entitlement that can contain desktop pools or published applications from multiple different pods that are members of this federation construct. This feature provides a solution for many different use cases, even though they might have different requirements in terms of accessing the Horizon resources.

The following figure shows a logical overview of a basic two-site CPA implementation.

Figure 3: Cloud Pod Architecture

The Horizon Universal Broker is the cloud-based brokering technology used to manage and allocate virtual resources from multi-cloud assignments to end users. End users can access multi-cloud assignments in your environment by connecting to a fully qualified domain name (FQDN), which is defined in the Horizon Universal Broker configuration settings. Through the single Horizon Universal Broker FQDN, users can access assignments from any participating Horizon 7 pod in any site. No internal networking between pods is required.

Architecture diagram of Horizon Universal Broker system components

Figure 4: Horizon Universal Broker

VMware Horizon 7 on VMware Cloud on AWS delivers a seamlessly integrated hybrid cloud for virtual desktops and applications. It combines the enterprise capabilities of VMware’s Software-Defined Data Center (delivered as a service on AWS) with VMware Horizon’s capabilities. See Rapidly Build and Scale Horizon 7 Desktops and Applications with VMware Cloud on AWS.

Figure 5: Horizon 7 options for deployment on-premises and on VMware Cloud on AWS

Follow the Horizon 7 Deployment Considerations section and the relevant common considerations as detailed in this guide.

Considering Hybrid Deployment Options

If you want to expand your Horizon 7 environment, you can expand onto other VMware Cloud Verified IaaS and vSphere infrastructures, or to a native Microsoft Azure infrastructure with Horizon Cloud on Microsoft Azure. See the section on Horizon Cloud on Microsoft Azure deployment considerations.

Adding a Horizon 7 Cloud Connector to your Horizon 7 deployment enables you to access all of the features of the Horizon Control Plane, including the ability to deploy Horizon nodes onto a native Microsoft Azure infrastructure. By doing so, you retain a single-pane management UI for all Horizon pods, and gain access to features like the Image Management Service, Cloud Monitoring Service, Helpdesk and the Universal Broker.

You can also use Horizon 7 on IBM Cloud as burst capacity to supplement your on-premises Horizon 7 environment, and if you need help, IBM services can help you get up and running quickly. For more information, see the reference architecture that IBM released at VMworld 2019.

Consult the Deployment Considerations section below for more detail on these deployment options and the considerations that should be taken into account.

Next Steps

There is more detail on design, architecture, sizing, external access and other important topics in the Deployment Considerations section.

Existing Horizon Cloud on Microsoft Azure

If you already have Horizon Cloud on Microsoft Azure, there are a few ways to expand your deployment.

Conducting a Health Check

Now that you have a stable Horizon Cloud on Microsoft Azure deployment, there are several things you can do to check to make sure that the implementation is configured properly.

Review the following sections of this guide and update any current environment as necessary.

  • Release versions – Review the versions of software used in the environment to make sure that the Infrastructure is running supported versions and also taking advantage of all the fixes, features and performance improvements in recent releases of Horizon.
    See the Release Versions section of this guide for more details.
  • Sizing - Right sizing your environment is another important step in reducing costs on cloud-based infrastructure. One place to look for optimizing costs is with the network connection to cloud infrastructure. Another thing you can do is implement Power management and scaling features included in Horizon Cloud on Microsoft Azure.
  • Security – Some customers reduced networking and security requirements to get Horizon Cloud on Microsoft Azure stood up as quickly as possible. One of the first things you should do is go back and check to make sure that you have secured your deployment properly.
  • Authentication - Review how user authentication is handled and evaluate if this should be enhanced.
    See the Authentication section of this guide for more details.
  • Authentication – Review how user authentication is handled and evaluate if this should be enhanced. See the Authentication section of this guide for more details.
  • Golden Images – Often, a shortcut is taken to use an image created from a physical desktop or from a vSphere VM to use as an image. Best practices on creating images to be used for virtual desktops and for Windows RDS Hosts used for published applications, should be followed. If the golden image is not properly optimized, the virtual desktop or RDS Host that is cloned from it, for end user consumption, will consume more resources and adversely affect user experience.
    Review the Golden Image Best Practices section of this guide for more details.

Expanding Existing Horizon Cloud on Microsoft Azure

If you need less than 2000 users, you just add them to your existing Horizon Cloud on Microsoft Azure deployment.

If you need to support more than 2000 users, then the simplest way is to deploy another Horizon Cloud on Microsoft Azure pod into another Azure subscription. Microsoft allows customers to create multiple subscriptions for each Microsoft Azure account. Doing so allows organizations to separate workloads and provides a simple method for organizational billing. However, Microsoft also uses subscriptions to define resource allocation and constraints. Microsoft sets resource limitations on each subscription that will keep you from expanding a single subscription to serve more than 2000 users with Horizon.

For more information, see the Sizing section of the Horizon Cloud on Microsoft Azure section below.

Considering Hybrid Deployment Options

You can expand your Horizon deployment onto other IaaS or vSphere infrastructures if you do not want to continue to expand in native Microsoft Azure infrastructure.

VMware Horizon 7 can be deployed on any vSphere or VMware Cloud Certified partner platform. Once you have completed the deployment, you can connect it to the Horizon Control Plane using the Horizon 7 Cloud Connector. Doing so gives you the ability to manage your hybrid environment from the Horizon user-interface,

Consult the Deployment Considerations section below for more detail on these deployment options and the considerations that should be taken into account

Deployment Considerations

Whether checking an existing environment or planning for a new deployment, there are important considerations that should be checked and reviewed. The following section covers the main considerations for Horizon 7, Horizon Cloud and those that are common across all environments.

Release Versions

The versions of software used in the environment should be reviewed to make sure that the Infrastructure is running supported versions and also taking advantage of all the fixes, features, and performance improvements in recent releases of Horizon. Horizon 7 is updated on a quarterly basis, and fixes, features, and performance benefits are included in the new versions.

Check the interoperability matrix to make sure the Horizon 7 and vSphere/vCenter versions are supported together.

  • Infrastructure - Connection Servers, Unified Access Gateways, vSphere and vCenter, App Volumes Managers should be running the latest build or a recent build to benefit from the new features, enhancements, and bug fixes.
  • Horizon Agent - The version of Horizon Agents used in the virtual desktops should be reviewed and updated where necessary. Ideally these should match the Horizon release version. Newer versions of agents will include both new features and also have performance improvements.
  • Horizon Client - The Horizon Client on the users end devices should also be updated to make sure they have the latest version. Newer versions of the client will include both new features and also performance improvements. By default, the Horizon Client for Windows and Mac is configured to automatically check for an update online. Android and iOS devices will receive updates through the app store used for installation.

Horizon 7

A successful deployment of Horizon 7 depends on good planning and a robust understanding of the platform. The following figure shows the high-level logical architecture of the Horizon 7 components with other Horizon 7 Enterprise Edition components shown for illustrative purposes.

Figure 6: Horizon 7 Enterprise Edition Logical Components

Use the following list of resources to get started, or to quickly scale.

Both checking an existing Horizon infrastructure or building new infrastructure necessitates having a good understanding of the building blocks that are used and how those building blocks scale. Use the Workspace ONE and Horizon Reference Architecture as a guide for how to architect an environment that scales to your requirements and uses the recommended practices. The Reference Architecture has a dedicated chapter for Horizon Architecture.


Whether deployed on-premises or on VMware Cloud on AWS, Horizon 7 is deployed using a block and pod architecture. Horizon pod federations can be used to scale up within a datacenter or scale out across global datacenters. Refer to these sections of the Reference Architecture:

For more details on pod and block, multi-site deployments of Horizon 7, and more, see Component Design: Horizon 7 Architecture in the VMware Workspace ONE and VMware Horizon Reference Architecture guide.**italics*

Horizon 7 on VMWare Cloud on AWS uses Horizon 7 as the platform. The architectural components are the same as used with Horizon 7 on-premises with pod and block designs. See the Deploying Horizon 7 on VMware Cloud on AWS guide or contact your VMware sales team.

This section of the Reference Architecture provides guidance on the recommended sizing and load for each of the required components. For the most current numbers, limits, and recommendations, see the VMware Knowledge Base article VMware Horizon 7 Sizing Limits and Recommendations (2150348).

Connection Server

A single Connection Server supports a maximum of 4,000 sessions, although 2,000 is recommended as a best practice. To ensure that the environment includes redundancy and is able to handle failure, deploy one more server than is required for the number of connections (n+1).

One key concept in a Horizon 7 environment design is the use of pods and blocks, which gives us a repeatable and scalable approach. When we are brokering connections only to physical desktops, we need to focus only on the pod construct, and can ignore the block construct. A pod is made up of a group of interconnected Connection Servers that broker connections to desktops or published applications. A pod can broker up to 20,000 sessions (12,000 recommended), including desktop and RDSH sessions.

Up to seven Connection Servers are supported per pod with a recommendation of 12,000 desktop sessions in total per pod. Multiple pods can be interconnected using Cloud Pod Architecture (CPA).

For complete design guidance, see the Horizon Architecture chapter of the VMware Workspace ONE and VMware Horizon Reference Architecture guide.**ii*

Unified Access Gateway

Unified Access Gateway gives three sizing options during deployment: standard, large, and extra-large. When deploying to provide secure edge services for Horizon, the standard size should be used.

A standard-sized Unified Access Gateway supports 2,000 Horizon sessions.

For complete design guidance, see the Unified Access Gateway Architecture chapter of the VMware Workspace ONE and VMware Horizon Reference Architecture.**ii*

Load Balancing

When scaling for size and also to ensure availability, you deploy multiple server components such as the Connection Server and Unified Access Gateway, following the guidelines given above. It is strongly recommended that end users connect to these servers using a load-balanced virtual IP (VIP). This ensures that user load is evenly distributed across all available servers. Using a load balancer also facilitates greater flexibility by enabling IT administrators to perform maintenance, upgrades, and configuration changes while minimizing impact to users.

Figure 7: Load Balancing Connection Servers and Unified Access Gateways

An existing load balancer can be used, or a new one such as the VMware NSX Advanced Load Balancer (formerly Avi Vantage by Avi Networks) can be deployed.

The VMware NSX Advanced load balancer is a software-only ADC which offers enterprise grade load balancing, web application firewall, and other application services in multi-cloud environments. The VMware NSX Advanced load balancer offers a distributed architecture with separate control plane and data plane.

The VMware NSX Advanced load balancer can be deployed for load balancing Horizon deployed on-premises in vCenter or VMware Cloud on AWS. The VMware NSX Advanced load balancer provides a full feature load balancing for Horizon for multiple deployment scenarios, including GSLB for multi-site deployments.

See Load Balancing Horizon View using Avi Vantage for more details.

For more detail on load balancing of Unified Access Gateway appliances, see:

Ensuring Security

Secure external access for Horizon 7 sessions is provided through the integration of Unified Access Gateway appliances.

Review how a Horizon Connection works to understand the communication flow and what traffic goes between which components. See Understand and Troubleshoot Horizon Connections for more information.

Figure 8: External Connection Communication Flow

Review the required network ports between the components and adjust any firewalls present to allow the necessary traffic, while blocking those not required. See Network Ports in VMware Horizon 7 for more detail.

Ensuring Authentication

Horizon connections are encrypted, and multiple authentication options are supported, including SAML, RADIUS, RSA SecurID, and certificates, including smart cards, and active directory username and password.

With Horizon 7 internal users are normally authenticated when they connect to a Connection Server.

Horizon 7 external users can be authenticated in the DMZ at the Unified Access Gateway, before allowing the authenticated traffic through to the internal resource. Unified Access Gateway supports multiple authentication options; for example, pass-through, RSA SecurID, RADIUS, SAML, and certificates, including smart cards. Pass-through authentication forwards the request to the internal Connection Server or broker. Other authentication types enable authentication at the Unified Access Gateway, before passing authenticated traffic through to the internal resource.

The following diagram depicts the pass-through authentication option.

Figure 9: Unified Access Gateway Pass-Through Authentication

The following diagram depicts the two-factor authentication option.

Figure 10: Unified Access Gateway Two-Factor Authentication

You can also use SAML to authenticate Horizon users against a third-party identity provider (IdP), leveraging Unified Access Gateway as the service provider (SP). This new capability requires Horizon Connection Server 7.11 or later, and user authentication must go through Unified Access Gateway.

The authentication sequence can be configured as SAML and Passthrough or as just SAML:

  • When Auth Methods is set to SAML and Passthrough, the SAML assertion is validated by Unified Access Gateway, and Connection Server authenticates the user against Active Directory when launching remote desktops and applications.
  • When Auth Methods is set to SAML, the SAML assertion is validated by Unified Access Gateway and passed to the backend. Users single sign-on, leveraging the Horizon True SSO feature, to the remote desktops and applications.

In both authentication methods, the user will be redirected to the IdP for SAML authentication. Both SP- and IdP-initiated flows are supported.

Figure 11: Unified Access Gateway SAML Authentication

For general information and configuration of SAML and Unified Access Gateway support for Horizon, see Configuring Horizon for Unified Access Gateway and Third-Party Identity Provider Integration.

For detailed information and step-by-step guidance on how to integrate Okta and Unified Access Gateway for Horizon authentication, see the VMware Tech Zone Operational Tutorial Enabling SAML 2.0 Authentication for Horizon with Unified Access Gateway and Okta.

For guidance on how to set up authentication in the DMZ, see Configuring Authentication in DMZ.

Deploying Horizon 7 on VMware Cloud on AWS

You can implement Horizon 7 on VMware Cloud on AWS. With this solution, you can provision an entire SDDC, including the Horizon management components, in a matter of hours. Watch this brief VMware Cloud on AWS – Feature Walk-through video to see how easy it is to deploy Horizon on AWS. If you are new to Horizon, this solution enables you to get the infrastructure up and running quickly. For existing Horizon on-premises administrators, quickly expanding your Horizon deployment is easy. Simply consume cloud resources to build a hybrid deployment.

Figure 12: Horizon on VMware Cloud on AWS

Horizon Cloud Pod Architecture can be used to connect Horizon PODs deployed on-premises and on VMC.

Horizon Cloud on Microsoft Azure

Deploying a Horizon Cloud pod on Azure infrastructure is straightforward. If your organization does not already have access to Azure resources, Microsoft provides you details on how to acquire Azure capacity on their Azure portal.

If you already have an MSDN subscription or an enterprise agreement with Microsoft for Azure capacity, you’re in luck. You can leverage that agreement to set up a subscription to deploy a Horizon Cloud on Microsoft pod into.

Figure 13: Horizon Cloud Service on Microsoft Azure Logical Architecture

VMware Horizon Cloud delivers virtual desktops and apps using a cloud platform that is scalable across multiple deployment options. Want to deploy a pod in just a couple of hours? Get access to Horizon Cloud on Microsoft Azure, and use the resources below:

Each Horizon Cloud on Microsoft Azure pod can support up to 2,000 concurrent users or 2,000 VMs. Deploying an additional Horizon Cloud on Microsoft Azure pod into another Azure subscription or region is very straightforward. If you deploy two or more Horizon Cloud on Microsoft Azure pods, you can manage all of them from the same Horizon user interface.

For more details on building out a multi-pod deployment of Horizon Cloud on Microsoft Azure, see the Horizon Cloud on Microsoft Azure Architecture chapter of the VMware Workspace ONE and VMware Horizon Reference Architecture.


Horizon Cloud Service on Microsoft Azure is a Horizon platform running on Microsoft Azure that leverages a different set of building blocks than Horizon 7 to achieve the same goal of delivering virtual desktops and applications. It is important to understand the components that are deployed, how it scales, and how it is designed for multiple sites. Refer to these sections of the Reference Architecture:

Horizon Cloud on Microsoft Azure has certain configuration maximums you must consider when making design decisions:

  • Up to 2,000 concurrent active connections are supported per Horizon Cloud pod
  • Up to 2,000 desktop and RDSH server VMs are supported per Horizon Cloud pod
  • Up to 2,000 desktop and RDSH server VMs are supported per Microsoft Azure region or subscription

To handle larger user environments, you can deploy multiple Horizon Cloud pods, but take care to follow the accepted guidelines for separating the pods from each other. For example, under some circumstances, you might deploy a single pod in two different Microsoft Azure regions, or you might be able to deploy two pods in the same subscription in the same region as long as the IP address space is large enough to handle multiple deployments.

For more details on scaling up Horizon Cloud on Microsoft Azure please see the Horizon Cloud on Microsoft Azure Architecture chapter of the Workspace ONE and Horizon Reference Architecture.

Ensuring Security and Authentication

You can reduce the number of permissions that you allow your administrative accounts used in Horizon Cloud on Microsoft Azure. Granting prohibitive privileges to the Domain Join, Auxiliary Domain Join, Domain Bind, and Auxiliary Domain Bind accounts is a good first step to locking down your deployment.

Use the Active Directory Requirements section of the Horizon Cloud on Microsoft Azure Requirements Checklist to accomplish this task.

There are other methods to secure your environment, including checking to make sure that you are only allowing the necessary ports and DNS configurations for your deployment and possibly using encrypted disks for your RDSH Farms and VDI Desktops.

With Horizon Cloud on Microsoft Azure, typically all users are authenticated by the Unified Access Gateway(s) deployed as a part of the service. Internal users can also be connected by authenticating to a Pod Manager. Horizon Cloud on Microsoft Azure can be integrated with Workspace ONE Access to provide optional authentication mechanisms like two-factor authentication and RADIUS integration. You can also configure True SSO to work with Horizon Cloud on Microsoft Azure.

Acquiring and Connecting to Cloud Capacity from Microsoft Azure

You can implement Horizon Cloud on Microsoft Azure in one or multiple Microsoft Azure regions. Horizon Cloud on Microsoft Azure leverages Azure infrastructure. The fastest way to get up and running on Horizon Cloud on Microsoft Azure is to follow the steps in the Quick Start Guide for Horizon Cloud on Microsoft Azure. If you want to practice deploying the solution before you do it, you can use the Hands-On Lab to develop familiarity with the process of setting up the prerequisites and deploying Horizon Cloud on Microsoft Azure in cloud capacity.

If you have never used cloud infrastructure before and want a little background on connecting your own infrastructure to a cloud infrastructure, we have summarized the basics for you. There are three primary deployment methods of leveraging cloud infrastructure for expanding a Horizon solution.



Figure 14: Example of connection options for Microsoft Azure


A point-to-point VPN is the simplest way to connect your datacenter to a cloud infrastructure provider. A VPN gateway provides an encrypted tunnel between your on-premises environment and the infrastructure you are renting from a cloud provider. This connection works best for hybrid environments where traffic between infrastructures is light, or tolerant of longer latency times.

Dedicated Connection

A dedicated connection is a private, dedicated connection between your datacenter and the cloud provider located in a co-location environment. This type of connection does not leverage the Internet and typically allows for more bandwidth and reliability than a point-to-point VPN connection. You acquire these connections through cloud exchange provider or from the cloud platform provider itself.

Island configuration

In an Island configuration, you acquire cloud capacity, and then build out all necessary infrastructure and services from scratch. You do not rely on, or have minimal reliance on, your current (on-premises) services and resources for anything. You re-build everything you need in the cloud for your remote users from scratch. Users and administrators access the infrastructure via the Internet. This is typically the fastest method of setting up cloud capacity, but it can be an onerous task to undertake, as you must build from scratch. Furthermore, if you deploy Horizon into an island, that island will still need to provide remote access to internal applications and data in your corporate datacenter.

Right-Sizing Your Connectivity to Microsoft Azure

There are multiple methods to connect your on-premises or customer-owned datacenter to a Microsoft Azure region. There are typically three factors in determining which option best fits your organization.

  • Proximity of User-Applications - Your Horizon deployment should always be located as close as possible to the location of the applications that the users will be using.
  • Cost – Each method of connectivity has a different cost associated with it, depending on a number of factors including data transmitted, and SLA requirement.
  • Need for redundancy – Based on your RTO / RPO expectations, you may need to set up multiple network connections to multiple Azure regions and leverage Azure networking to build a more resilient connection.

Microsoft compares these methods in their product documentation.

Reducing Cloud Infrastructure Costs with Power Management Features

Cloud-based infrastructure is convenient, but that convenience comes at a financial cost. Horizon Cloud on Microsoft Azure has built-in power management features to help you be more efficient with your cloud infrastructure spend.

You can set up power management policies for any type of user assignment:


Golden Image Best Practices

It is strongly recommended that you create an optimized primary VM for cloning and creating desktop pools or RDSH server farms. Do not clone or repurpose an existing image that has been created for another use, such as physical machines.

Windows was designed for physical hardware, specifically desktops, and for that hardware to be accessed by just one user at a time. Windows uses many resources to present a responsive desktop, but many of its settings are unnecessary or even detrimental when applied to a virtual environment. These actions include, for example, animating windows as the user opens them. Performing this animation takes significant CPU resources, which decreases the number of desktops that you can host per physical server. Consequently, this nonessential function in a virtual machine (VM) environment increases the amount of system hardware that you need. Even if hardware is plentiful, Windows animations do not perform well when accessed remotely, especially when connecting over a slow WAN or Internet connection. As a result, keeping animations enabled (in addition to other features unnecessary for VMs) impairs the end-user experience.

Another example of desktop optimization in a virtual machine environment is to disable Windows Update so that control of the service is isolated to administrators. Administrators can run Windows Update in batch mode for the VMs as opposed to users performing this task.

Note: You can also optimize physical machines by removing nonessential functions in a similar manner.

Considering the Benefits of Optimizing

By optimizing Windows, you are maximizing the efficiency and performance of your virtual desktops and RDS Host servers.

Optimizing virtual desktops:

  • Increases their performance
  • Increases their density, boosting the number of virtual desktops that can be hosted per server, thereby reducing infrastructure costs
  • Improves end-user experience
  • Reduces end-user support incidents

Optimizing RDS Host servers:

  • Increases hosted desktop and application performance
  • Reduces the amount of system resources that each RDS Host server requires
  • Increases the density and the number of RDS Host servers that can be hosted
  • Increases the number of users that can be supported per RDS Host server
  • Improves the end-user hosted desktop and application experience
  • Reduces system support incidents

Optimizing Windows

The free OS Optimization Tool makes it easy to apply configuration settings to desktops and servers. It includes settings to optimize the following Windows operating systems for both desktops and servers for deployment and use either on-premises or in the Cloud.

  • Windows 10
  • Windows 8.1
  • Windows 8
  • Windows 7
  • Windows Server 2019
  • Windows Server 2016
  • Windows Server 2012 R2

Creating an Optimized Golden Image for Horizon 7

The high-level steps to create an optimized golden image for use on Horizon 7 are:

  1. Create the primary VM (Windows 10 or Windows Server).
  2. Install Windows, and enter audit mode.
  3. Install VMware Tools.
  4. Install common Microsoft runtimes, features, and applications that you want in the golden image.
  5. Install Microsoft updates.
  6. Optimize Windows with the VMware OS Optimization Tool.
  7. Generalize Windows with the OS Optimization Tool.
  8. Finalize Windows with the OS Optimization Tool.
  9. Export the image.

For step-by-step instructions, see Creating an Optimized Windows Image for a VMware Horizon Virtual Desktop.

Creating an Optimized Golden Image for Horizon Cloud

The high-level steps to create an optimized golden image for use on Horizon Cloud on Microsoft Azure are:

  1. Create a virtual machine manually or via Azure Marketplace for Horizon Cloud on Microsoft Azure and install an operating system, if appropriate.
  2. Install VMware Tools (installed automatically if done from Azure Marketplace).
  3. Customize the image with Windows applications and features as required.
  4. Install Microsoft Updates.
  5. Optimize Windows with the VMware OS Optimization Tool.
  6. Generalize Windows with the OS Optimization Tool.
  7. Finalize Windows with the OS Optimization Tool.
  8. Export or publish the image.

For step-by-step instructions, see Creating an Optimized Windows Image for a VMware Horizon Virtual Desktop.

Desktop Pools

Desktop pools are required to allow management, entitlement, and user assignment to the desktop objects within Horizon. There are two main types of virtual desktop pools: automated and manual.

  • Manual desktop pools are a collection of existing virtual machines, physical computers, or third-party virtual machines.
  • Automated desktop pools use a primary virtual machine, which is cloned to create the individual desktop virtual machines.

Using Horizon 7

An individual Horizon 7 pool should contain no more than 2,000 desktops. For the most current numbers, limits, and recommendations, see the VMware Knowledge Base article VMware Horizon 7 Sizing Limits and Recommendations (2150348).

Depending on the types of desktop pools, review the relevant section of Setting Up Virtual Desktops in Horizon 7.

With Instant Clone and Linked Clone Pools, consider priming and publishing the image for pools that are only designed for use in a business continuity event. This can be done by deploying smaller minimal sized pools that will then be increased when required. This allows for the testing of the pool and avoids the process of image publishing having to be done at business continuity initiation.

Using Horizon Cloud

For a Horizon pod deployed in Microsoft Azure, you can create:

  • Dedicated and floating VDI desktop assignments to provide VDI desktops to your end users
  • Session desktop assignments

See Creating Desktop Assignments in Horizon Cloud for more detail and instruction.

Published Applications

With Horizon 7, you can deliver virtualized published applications to the user on their device without delivering a full virtual desktop to the user.

Before you can assign published applications or session-based desktops to end users, you must create the farms to serve those desktops and applications. A farm is a collection of Microsoft Remote Desktop Services (RDS) hosts that provide multiple users with published applications and session-based desktops. Farms simplify the management of the RDS hosts. You can create farms to serve groups of users that vary in size or have different desktop or application requirements.

Horizon 7.9 introduced a feature called VM Hosted Applications, which allows floating instant-clone desktop pools to be used as a source for published application pools. With VM Hosted Applications, published applications do not run on a server OS, but rather on a desktop OS, Windows 10.

The benefits include:

  • This strategy uses the same deployment and configuration process as a normal desktop.
  • Administrators can publish UWP apps as well as any Win32 applications.
  • This setup offers better security than the one-to-many-session relationship used with RDSH servers.
  • One-to-one user-to-machine assignment also prevents one user from impacting performance for another user, which can happen in the one-to-many relationship with RDSH servers.
  • RDS CALs are not needed.

See the Best Practices for Published Applications and Desktops in VMware Horizon and VMware Horizon Apps guide for more detail and guidance.


With a remote-first solution, steps should be taken to ensure that network links and especially Internet connections have sufficient bandwidth to cope with both normal demand, but also with any increase if a larger than normal portion of the workforce has to work remotely.

If bandwidth is constrained or limited, configuration can be made to disable or limit functionality that may be seen as a large consumer of bandwidth. Features to consider limiting or disabling, include sound redirection, USB redirection, and client drive redirection.

Content redirection features in Horizon help direct certain types of traffic directly to the endpoint, minimizing the amount of traffic that enters the datacenter. This is useful when the traffic is coming from an external or internet source and is destined for a user who is also located externally. Redirection features include HTML, Flash, and URL redirection. See Configuring Remote Desktop Features in Horizon 7.

When using Blast Extreme as a display protocol, tuning can be done to balance the bandwidth consumption and the user experience. The Blast Extreme Optimization Guide gives detail on how to tune the protocol traffic if necessary.

Horizon Control Plane

The Horizon Control Plane is a cloud-based service that hosts features that can be implemented with Horizon deployments. The service is based on a multi-tenant, cloud scale architecture that enables you to choose where your virtual desktops and applications reside.

Example features enabled by the Horizon Control Plane include:

  • Cloud Monitoring Service – Monitor user sessions and virtual desktops
  • Helpdesk – Detailed real-time information about a user’s session(s) and functionality to troubleshoot issues with their experience.
  • Image Management Service – Manage golden images for virtual desktops and session or application hosts
  • Universal Broker – Provide a single URL for users to access virtual desktops or applications from

The capabilities or the ability to access each feature may be different, based on the version of Horizon that you are using. Refer to the product documentation for each feature listed above for details on the platforms each feature serves.

Figure 15: Management Services from On-Premises to Cloud

Access to the Horizon Control Plane requires the use of a subscription license in your Horizon Deployment. The Horizon universal license entitles you to any version of Horizon that you want via a single subscription entitlement. Details about the Horizon universal license can be found on VMware’s website. You can acquire Horizon universal licenses from VMware or partner resellers. Once you have acquired the Horizon Universal licenses, you will receive an email that will begin your onboarding process for the Horizon Control Plane.

Anyone who is currently using Horizon Cloud on Microsoft Azure is already using a subscription license. Each Horizon Cloud on Microsoft Azure pod is automatically connected to and leverages the Horizon Control Plane for functionality.

If you want to connect your Horizon 7 pod to the Horizon Control Plane, you need to leverage the Horizon 7 Cloud Connector. The Horizon 7 Cloud connector is a virtual machine that certifies your entitlement to the Horizon Control Plane and enables the service to integrate with your Horizon 7 pods. You must run a Horizon 7 Cloud Connector for each Horizon 7 pod that you plan on using Horizon subscription licenses with. Details on the service along with the Service Description can be found on the VMware EULA site.


Any Horizon environment needs to be properly licensed. With Horizon 7, you have a choice of using perpetual licenses or Horizon Universal Licensing. The Horizon universal license provides a single subscription license for all Horizon products and gives you the flexibility to deploy and expand on your platform or platforms of choice.

The universal license entitles you to:

Horizon Cloud

  • Horizon Cloud on Microsoft Azure
  • Horizon Cloud on IBM Cloud

Horizon 7 Subscription

  • Horizon 7 subscription on-premises
  • Horizon 7 subscription on VMware Cloud on AWS
  • Horizon 7 subscription on Google Cloud VMware Engine
  • Horizon 7 subscription on Azure VMware Solutions
  • VMware Verified Cloud Providers

See Horizon Universal License and the Horizon Pricing, Purchasing and Licensing Guide.

Enhance and Evolve for Better Business Continuity

Once you have implemented or expanded your Horizon solution as part of a business continuity initiative, there are many ways that you can build on and enhance your environment. There are a variety of business drivers and user experience reasons that can compel these.

This section provides an overview of common steps taken to enhance and transform Horizon environments into full digital workspaces.

Micro-segmentation with NSX-T

The principle of least privilege can be achieved by using VMware NSX-T. The distributed firewall feature allows for the definition of network security policies and firewall rules that can be applied granularly based on context. This allows for:

  • Micro-segmentation – Enables micro-segmentation to protect virtual machines from the lateral spread of threats. The security policy is defined based on context and is enforced individually. Each VM can have individual firewalls and individual security policies.
  • Identity-based firewall – Applies micro-segmentation and applies the network security policy based on who the user is and which Active Directory groups they belong to.

Figure 16: Micro-segmentation Enforcing Network Security Policy at the Individual VM Level

The use of micro-segmentation allows for the definition of network policies that will be applied around every resource in the data center.

  • Servers can be secured so that only required sources are allowed to communicate and only over the necessary network ports.
  • Desktops can have policies applied to prohibit unnecessary lateral communication. For example, rules can block desktop-to-desktop communication.

Dynamically Applied Identity-Based Firewall Rules

The use of identity-based firewalls takes this strategy to the next level in a Horizon environment. The network policy can be dynamically applied, based on who the user is. This allows for the policy-based lockdown of the environment to the least privilege required for that user.

With VDI, each user is presented with an entire desktop VM. Firewall rules are based on giving a single user access to their entitled desktop VM on a per-NIC basis.

With RDSH-published applications, each user is presented with an application or session inside a shared server VM. Features include:

  • Context-aware support for virtual user sessions running on RDSH
  • Application of firewall-rule-based multi-user and multi-session identification, on a per-NIC basis
  • Micro-segmentation by NSX-T of each session for Horizon RDSH based on user ID
  • Granular application access to simultaneously logged-in users

Security with VMware Carbon Black

Organizations are dealing with significant challenges from suddenly having an influx of remote workers accessing business applications and data from their home offices and devices. Teams are dealing with a significant loss of visibility and weakened security tools at a time that our research shows attackers are increasing their activity to take advantage of the chaotic situation. Once a remote working solution is planned or has been deployed, security teams have to focus on how to best secure those remote endpoints on a long-term basis.

VMware Carbon Black Cloud is a cloud-native endpoint protection platform that carries unique value for those organizations who are struggling to maintain a strong security posture on remote endpoints by providing greater visibility, up-to-date prevention policies, and reduced operational complexities.

Carbon Black Cloud consolidates multiple endpoint security capabilities using one agent and console, helping you operate faster and more effectively. As part of VMware’s intrinsic security approach, Carbon Black Cloud spans the system hardening and threat prevention workflow to accelerate responses and defend against a variety of threats.

Our cloud-native platform and lightweight agent eliminate many of the time- and resource-consuming barriers that often slow down deployments, allowing your team to optimize time-to-value. The platform also provides your team with the full visibility and control required to consistently prevent, detect, and respond to threats to all protected endpoints, regardless of their location.

  • Roll out our lightweight sensor remotely without the need to stand up any additional hardware.
  • Update prevention policies in minutes without the need to VPN into the corporate network.
  • Get full visibility into endpoint activity to Investigate and triage threats from anywhere.
  • Audit and fix unwanted changes to configuration settings and security controls.

To learn more, see VMware Carbon Black.

Networking with VMware SD-WAN

With a move to support remote working and a more distributed workforce, WAN networking links and their resiliency is increasingly important. With a user’s location becoming more fluid, the potential for more, localized branch offices, where the workforce is distributed away from the larger centralized offices becomes attractive.

VMware SD-WAN enables enterprises to support application growth, network agility, and simplified branch implementations while delivering optimized access to cloud services, private data centers and enterprise applications simultaneously over both ordinary broadband Internet and private links.

WAN technologies used in most branch offices today have changed little, if at all in the last couple of decades. Traditional wide area networks utilize rigid architectures which are optimized around private data center applications. These architectures are unable to seamlessly integrate cloud computing, SaaS, virtualization, and other industry advances. Branch offices with only private-circuit connections rely on backhauling of all cloud applications, SaaS, and Internet traffic through the enterprise data center, adding latency, degrading application performance, and driving up network bandwidth costs.

MPLS typically provides high quality of service, but with the tradeoff of limited capacity, higher cost, and long deployment lead times. Broadband provides fast deployments and greater capacity, but with the tradeoff of reliability. These factors can have the following negative impacts:

  • Branch network deployments delayed due to IT complexity or lack of wireline service
  • New applications inhibited by bandwidth or the lack of assured performance
  • Cloud migration not supported by traditional hub and spoke wide area network architecture

SD-WAN enables enterprises to incorporate both private MPLS and broadband Internet links, which can reduce costs and increase agility and performance, while reducing complexity.

SD-WAN helps in solving challenges with:

  • Providing optimal connectivity
  • Enabling bandwidth expansion
  • Automating branch deployments
  • Supporting virtual services

To learn more, see VMware SD-WAN by VeloCloud.

Unified Digital Workspace with Workspace ONE

A unified digital hub is essentially a single digital space where everything an employee needs to perform their normal daily tasks is located. A digital hub is accessible from every device type on the planet (whether personal or corporate) and acts as an experiential platform for every interaction an employee could need. A digital hub includes:

  • A location to download or launch every single application and app type via SSO
  • An embedded VDI platform to make even challenging workloads available anywhere
  • A place to receive informational, urgent, or critical notifications including the ability to respond and to give corporate communications the ability to track responses
  • An ability to surface common business flows such as onboarding, approvals, orders, and re-orders
  • A place to access current intranets (with embedded per app VPN) with a single click
  • A chat bot that responds to a myriad of employee requests using natural language and integrates into other systems such as ITSM
  • A directory of every co-worker with contact information
  • Embedded support for one-click access to helpdesk resources

What is described above is what is currently available in VMware’s Workspace ONE platform. It is a single platform upon which to build a comprehensive and compelling employee experience. And the current national trial has demonstrated the immense value in providing such a platform for employees.

Workspace ONE has proven highly effective for building culture and productivity. More importantly, it provides a total workforce with the ability to look to this “single digital space” for everything in a time of crisis, because they have habitually gone to this “single digital space” for everything. In a crisis, we don’t rely on email; we interact with urgency through our hub. We can still leverage intranet since one-click access to it is embedded in our hub. We don’t need employees’ personal mobile numbers, as they have the hub on every personal and corporate device, or simply via any browser on any device.

Zero Trust

Securing enterprise is a lot easier when all the endpoints (laptops, mobile devices, and so on), applications, and users are within the network perimeter, than when they are outside. Traditionally, securing the network perimeter has been the recommended go-to approach for most enterprises, but with the changes to a remote-first workforce and workstyles have become flexible, and technologies such as mobile and cloud have matured, a Zero Trust model for security is gaining traction.

At VMware, our Zero Trust solution is based on developing five pillars of trust. These pillars are device trust, user trust, transport/session trust, application trust, and data trust. A full implementation requires all five pillars. Zero Trust does not implicitly trust any one of these pillars and instead continuously verifies trust across all before granting access to resources. Such a security model offers greater flexibility and choice to employees to work from anywhere and from any device while ensuring optimal security at all times.

Figure 17: Five Pillars of Zero Trust

Another key component of Zero Trust is the concept of least-privilege access. The idea is that a user or system should have access to only those resources that are specifically required to perform the task at hand. No more, no less.

The Zero Trust methodology can be applied to protect any application, but the implementation might look different, depending on the use case. One use is to enhance the secure access to Horizon desktops and published applications.

Any employee irrespective of where (home, office, coffee shop, and so on), will almost certainly use a device (mobile, laptop, and so on) to access email, attend meetings, or find enterprise information on any regular day.

  • Using its Unified Endpoint Management capabilities, Workspace ONE is able to quickly verify if it’s a trusted device.
  • Additionally, as the user inputs their credentials, Workspace ONE’s Access technology seamlessly brokers between a variety of identity stores and providers, and offers a single sign-on (SSO) access to mobile, SaaS, web and virtual applications.
  • As needed, it is also able to invoke native MFA or other third-party MFA solutions to add an additional layer of security before granting access to the corporate information.
  • Tying together the device compliance and user credentials is the analytics and automation engine we call Workspace ONE Intelligence.
  • Leveraging machine learning, Workspace ONE Intelligence works on data it gathers from the Workspace ONE platform, Carbon Black’s Endpoint Solutions, and our Trust Network partners to give IT and the security teams complete visibility into the IT infrastructure.
  • Further, using its automation engine and orchestration capabilities, Intelligence orchestrates various ITSM tools (Service Now, Slack, and so on) and even automates remediation efforts (push software updates and security patches, quarantine device, block access to an app, deny access to data, and more).

When the risk is deemed low and the user and device are considered trustworthy, Workspace ONE then allows access to Enterprise applications that may reside either in the cloud or the datacenter. When accessing data behind a firewall, Workspace ONE can allow only per-app VPN access to the datacenter, thereby further reducing the attack surface for any threat. Encryption is checked both at rest and in-motion to ensure the integrity of the data is maintained throughout the session, giving an added level of confidence.

The following diagram shows how the various Workspace ONE and Horizon components interact to build an end-to-end solution that incorporates the following Zero Trust elements:

  • Verification of device compliance
  • Conditional, least-privilege access
  • Certificate-based and multi-factor authentication
  • Single sign-on
  • Micro-segmentation of networks
  • Automated real-time threat detection and remediation
  • Encryption
  • Session protection
  • Protection of data at rest

Figure 18: Trust Enforcement Points

Depending on the use-case, using virtual applications and desktops may be most useful for an enterprise which gives customers another level of security. But by integrating it with Workspace ONE, your company can ensure consistent user experience, Zero Trust security, continuous communications via Workspace ONE Intelligent Hub, and––most importantly––uninterrupted productivity.

See the Zero Trust Secure Access to Traditional Applications with VMware guide for more details.

Summary and Additional Resources

Whether you were new to Horizon 7 or Horizon Cloud, or were an experienced user, this guide provided a start to exploring ways to meet the challenges of today’s events, as well as to be better prepared for business continuity and disaster recovery in the future. We started by reflecting on the current state of your deployment, and conducted a health check to solidify your existing enterprise. Next, we explored a variety of expansion options available for both new environments and existing ones. Then, we covered the deployment considerations to be aware of, including best practices guidance. And we ended by discussing how to enhance and transform your deployment to add security, improve user experience, drive digital transformation, and achieve your business continuity goals.

Additional Resources

To learn more about VMware End User Computing solutions, visit the Digital Workspace Tech Zone, your fastest path to understanding, evaluating and deploying VMware EUC products.

Change Log

The following updates were made to this guide:


Description of Changes


  • Initial version

Authors and Contributors

This guide was written by:

  • Graeme Gordon, Senior Staff EUC Staff Architect, EUC Technical Marketing, VMware
  • Jim Yanik, Senior Manager, EUC Technical Marketing, VMware
  • Rick Terlep, EUC Staff Architect, EUC Technical Marketing, VMware
  • Chris Halstead, EUC Staff Architect, EUC Technical Marketing, VMware


The purpose of this guide is to assist you, and your feedback about this is valuable. To comment on this paper, contact VMware End-User-Computing Technical Marketing at






Filter Tags

Horizon Carbon Black Cloud Horizon Horizon Cloud Service NSX for Horizon Unified Access Gateway Document Technical Overview Overview Design Business Continuity