Business Continuity with VMware Solutions for Remote Work
Providing Business Continuity with Solutions for Remote Work
Disruptions can take many forms, many scopes, and can impact organizations of any size, in any location. Unplanned events such as natural disasters, power outages, and sudden staff departure make it nearly impossible to continue “business as usual”. Every organization should have or develop a business continuity plan to ensure its operations can continue, no matter what the disruption. Business continuity can be achieved and remote workers supported with the platform and the solutions it includes, such as , , and , as well as with , and .
This guide is intended for security architects, engineers, and administrators who are interested in a VMware Horizon, Horizon Cloud Service, and a VMware Workspace ONE infrastructure. This guide is intended for those who want to familiarize themselves with Horizon and Workspace ONE, are in the process of implementing Horizon and Workspace ONE for the first time or have an existing Horizon or Workspace ONE implementation that they want to expand. Not all sections of this guide are necessarily applicable to your particular deployment but are clearly marked so you can find what you need to get started.
It is assumed that you have some familiarity with Windows data center technologies such as Active Directory, as well as with virtualization technology, cloud computing, network routing, and firewall security architecture.
Purpose of This Guide
This guide covers how business continuity challenges are changing with a remote-first requirement. It gives technical detail on how Horizon and Workspace ONE can help you meet these challenges.
Organizations may have a variety of starting states, from being new to Horizon and Workspace ONE or already using one of the deployment options for Horizon 7, . No matter what state your organization is starting from, you should consider the following four steps, which are covered in this guide:
- Reflect – Health check and solidify any existing environment.
- Expand – Understand the options available for new environments or expansion of existing ones.
- Deploy – Get deployment considerations for Horizon, including guidance on best practices.
- Enhance and Transform – Understand how to enhance and transform the solution to add more security, improve user experience, and drive digital transformation.
Figure 1: Business Continuity Journey
Many business continuity plans have traditionally focused on the datacenter elements when it comes to planning IT systems. These include ensuring data is replicated from primary to secondary data centers in case of a disaster and making key systems redundant and able to failover to run in alternate locations. A secondary consideration was ensuring users could access those systems during a period of disruption. However, this consideration was often based on the assumption that the users could work from another office location, either owned or leased, that had been primed for them.
Times and challenges have changed, and the assumption that users can access an office location no longer holds true. The focus is now on how to provide both continuity for the user, as well as business continuity for the IT systems. When planning for user access, a remote-first approach must now be taken.
While building a business and a user continuity plan, a critical element is to provide continuing access to IT systems and corporate resources, to ensure that users remain productive no matter where they are. This must be done while maintaining proper security and control over users’ access to corporate applications, data, and resources.
How can organizations plan, maintain, and support users that are no longer necessarily based in the office? When evaluating business continuity options, you should strive for solutions that can be used as part of the user’s everyday system. In that way, this can be seen as more than just something to be used during an outage or disruptive event.
When the solution is based on a remote-first approach, you can offer options to work from home, either full-time or part-time. Many organizations are also exploring this for other reasons, such as to reduce daily travel to the office as part of a green initiative, or to allow more flexible work schedules.
The challenge facing IT is: How do we give users secure access to the software and IT systems that they use in their daily work, from locations and over networks that are not managed by our organization?
In the past, organizations have used VPN solutions to provide remote access into systems in data centers. These typically assume trust in the endpoint device, which becomes difficult to enforce in a remote-first scenario. These approaches are often coupled with the distribution of laptops that users take home. A distributed device estate presents management challenges and entails risk, because data often resides on those devices.
Meeting the Challenge
These challenges can be met with VMware Workspace ONE and VMware Horizon.
Workspace ONE combines powerful integration across digital workspace solutions, including access management, unified endpoint management (UEM), analytics, desktop and application virtualization, and endpoint security. These are key solutions that enable remote work without compromising security and provide an incredible user experience. The Workspace ONE platform includes four core solutions (which are described in this guide):
- Workspace ONE UEM – Enables Unified Endpoint Management across Windows, Mac, iOS, and Android devices, protecting corporate applications and data
- Workspace ONE Access – Enables a unified application catalog, providing a single place to secure access to all applications and single sign-on, in addition to streamlining communication with all users through Hub Services
- VMware Horizon – Enables access to remote applications and desktops, keeping all data in the datacenter
- Carbon Black Cloud – Provides a cloud-native endpoint protection platform (EPP) that combines the intelligent system hardening and behavioral prevention needed to keep emerging threats at bay, using a single lightweight agent and an easy-to-use console
VMware Horizon provides remote delivery and comprehensive lifecycle management of desktops and published applications. Providing seamless, familiar, and secure access to these resources from any device, any location, and at any time, is a foundational tenet of Horizon. Users are presented with a familiar desktop or set of published applications that they can remotely access to allow them to work from home, from other locations, or from anywhere that they can get an internet connection.
Organizations may be new to VMware Horizon, or already using one of the deployment models to deploy virtual desktops and published applications to their users. Some may be using Horizon for only a portion of their workforce and are now looking to expand it, in order to address an increase in demand for both business continuity and remote-first working. Many organizations either rapidly adopted Horizon or expanded their usage to cope with the sudden increase in demand during recent events. Some organizations have used Horizon to allow their users to connect securely and remotely from home to their physical Windows machine located back at the user’s usual office.
These environments should be revisited to ensure that things were done correctly, and that security is implemented properly. In addition, you should verify that the environments are designed and built to be robust enough to serve in the future, with the ability to be scaled to service the entire workforce.
VMware Horizon provides many benefits to the IT administrator. For example, you can quickly deploy Horizon to solve the demand for remote-first working. You can also implement it as a highly available desktop and application service to help meet your business continuity needs.
Security is inherent in Horizon. With the user remoting into a Horizon resource to run their applications, the data stays centralized. The endpoint is not on the corporate network, no data resides on it, and no VPN software is necessary. Since all applications and data stay on the servers in the datacenter or the cloud, you don’t have to worry about what might be saved on a user’s home device, which means you don’t have to worry about it being lost, stolen, and so on. All traffic between the endpoint and the Horizon desktop or application is encrypted to secure communication.
Policies can be implemented to control the copying of data, including completely restricting the ability to copy any data between the endpoint and the internal resource. This is useful when protecting data that is under compliance regulations.
Users are entitled to the desktops or published applications that they need, and the multi-factor authentication options available allow for additional security to prove a user’s identity before granting them access.
VMware Horizon provides many benefits to the end users being managed by the IT administrator. Horizon provides a consistent user experience that gives users access to a familiar environment every time.
It does not matter what type of device the user has, as long as it has a screen, keyboard, and often a mouse, because Horizon can be accessed from many different types of devices, including Windows, Mac, Linux, iOS, Android, and ChromeOS. This flexibility allows the user to use the device they prefer, or is most available, and even to swap between endpoint devices if they want to.
Getting connected to Horizon desktops and published applications does not require any IT expertise at the user’s house. All the user must do is go to a web page, where they can optionally install the Horizon Client, or simply log in to use the browser as the client. After authentication, they can access their full corporate desktop or individual published applications, giving them access to all of their familiar applications and data, as if they were sitting in the office.
After users have connected, they work as they would normally, with the option to access redirected peripherals attached to the endpoint and to print to local printers. Of course, all of this can be controlled by policies to enforce security as appropriate.
The Workspace ONE platform helps organizations quickly react to situations, providing the tools users need to adapt to unexpected changes in the workplace. By combining the ability to manage, secure, and deliver any app on any device, Workspace ONE enables all kinds of workforces to work from anywhere, instantly, while maintaining a consistent user experience.
With Workspace ONE, end users have a unified catalog that provides access to virtually any corporate application. This includes mobile apps, SaaS, internal, virtual, and Windows apps. Once signed in, end users can select the applications they need through self-service, with no IT intervention, which reduces helpdesk calls from end users seeking access to applications and services.
- Workspace ONE provides easy access to all the apps end users need to do their job either through a catalog available through a browser or the Intelligent Hub native application.
- Transform employee onboarding by enabling self-service access to the apps and resources end-users need.
- One-touch single sign-on means end users don't have to remember multiple credentials, or type in the same password every time they access an app. Through the use of certificates, Workspace ONE provides a secure and easy way to deliver a password-less single sign-on experience.
Organizations may be new to VMware Horizon and Workspace ONE, or already familiar and using one of the deployment models. Some organizations may be using Horizon and Workspace ONE for only a portion of their workforce, and are now looking to expand, to address an increase in demand for business continuity and remote-first working.
No matter what your starting state, there are a variety of options that you can consider, in order to expand remote working capabilities to a larger portion of your workforce.
Figure 2: Starting states and deployment options
Many organizations either rapidly adopted Workspace ONE or expanded their usage to cope with the sudden increase in demand during recent times. If this is true of your organization, your environment should be revisited to ensure that your organization is realizing all the benefits of Workspace ONE, that security has been implemented properly, and that the deployment is designed to scale and support the entire workforce.
After the health of any existing deployments is verified, there are various options that your organization should consider when looking to expand capabilities of a mobile or remote workforce and provide a robust digital workspace for all employees. The following sections detail this journey to a fully digital workspace from four different starting states: No Workspace ONE deployment, an existing deployment with no additional components, an existing deployment with some additional components, and an existing deployment with all components.
Figure 3: Workspace ONE Starting States and Deployment Journey
Enabling Remote Work for New VMware Customers
New to VMware Horizon
VMware Horizon is a family of desktop and application virtualization solutions that enables organizations to deliver virtualized desktop services and applications to end users. Horizon can be used as a cornerstone for Business Continuity planning, and as an important function to make sure users have access to the applications they need on a platform that is familiar to them, such as Windows 10.
Horizon has advantages for both end users and IT administrators. End users are no longer restricted to one specific machine, and can access their system and files across supported devices and locations. As an IT administrator, you can use Horizon to simplify and automate the management of desktops and applications, and you can securely deliver desktops as a service to users from a central location. You can quickly create virtual desktops on demand, based on location and profile.
A single cloud control plane is available, from which you can choose multiple deployment options. At any time, you can dynamically switch options to adjust to changes in use cases, employee moves, economic shifts, and so on. These options consist of Horizon pods using:
- Microsoft Azure capacity - Public cloud infrastructure from Microsoft Azure, an Infrastructure-as-a-Service (IaaS) provider
- VMware Cloud on AWS capacity - Cloud-hosted capacity managed by VMware
- Partner solutions
- The most common option, for many customers, is to deploy Horizon 7 in on-premises datacenters.
- Horizon 7 can also be deployed on VMware Cloud on AWS.
- Horizon is also available as a service with Horizon Cloud on Microsoft Azure.
- There are also partner solutions leveraging Horizon technologies as mentioned in the preceding section.
Horizon goes beyond brokering virtual machines. Although best known for its myriad benefits when implementing virtual desktops and application servers, Horizon also offers the option to broker access to physical Windows desktop machines. This provides an excellent and familiar experience for employees.
Brokering to physical machines can be implemented either with an existing Horizon 7 environment or with a new one. With minimal components required, this solution can be implemented quickly. See for more information.
For those completely new to Horizon, there are a couple of options for taking a look at the solutions without setting them up in your environment.
VMware TestDrive is also available for additional use-case based, hands-on interactions. TestDrive provides a pre-configured, optimized environment with comprehensive step-by-step videos, walkthroughs, and guides for a quick learning experience. It is available to VMware partners and anyone with an invitation code. Contact your VMware EUC sales team to get an invitation code. You can access TestDrive.
It is a common practice to set up an initial proof of concept in order to get hands-on experience with Horizon technologies that includes testing your specific use cases and how the solution works in your environment. We have Quick-Start Tutorials that provide installation guidance, as well as walkthroughs of initial basic tasks such as setting up a desktop pool. There are guides for both Horizon 7 and Horizon Cloud Service on Azure:
The next logical step in testing, whether a Horizon Solution is suitable for your everyday production or business continuity needs, is to do a pilot with one or more user groups to test the full functionality that your users require. This typically includes testing the full range of user experience requirements such as printing, device redirection, and overall performance. This is typically done with users who are willing to participate in initial testing and provide feedback.
This document provides more things to consider as you are looking at Horizon to provide business continuity and remote-first capabilities for your organization, and it is worth reading further. There is more detail on design, architecture, sizing, external access, and other important topics in the section.
New to VMware Workspace ONE
If you are new to the Workspace ONE platform, there are a variety of ways you can explore it, test it, and conduct trial runs, to help you determine the best solution for your organization.
VMware Workspace ONE is an intelligence-driven digital workspace platform that easily and securely delivers and manages any app on any device by integrating access control, application management, and multi-platform endpoint management. It is available as an annual cloud subscription or a perpetual on-premises license. Workspace ONE combines unified endpoint management technology (formerly VMware AirWatch®) with virtual application delivery (VMware Horizon) on a shared access management framework. With Workspace ONE, organizations can now evolve siloed cloud and mobile investments, enabling all employees, devices, and applications across the organization to accelerate their digital transformation journey with a platform-based approach.
Workspace ONE enables you to drastically improve experiences and tasks that were previously costly, time-consuming, and resource intensive. With Workspace ONE, your IT organizations can:
- Onboard a new employee with all apps and devices in under an hour without tickets and help-desk calls
- Set and enforce access and data policies across all apps, devices, and locations in one place
- Complete business processes from a mobile device, similar to consumer experiences
- Provision a new corporate laptop out of the box, anywhere in the world from the cloud, within minutes
- Get insights and automation capabilities across your entire digital workspace environment
If you are new to the Workspace ONE platform, you can consider your deployment options, explore using Hands-On Labs, deploy a proof of concept, or conduct a pilot:
- Choose a Software-as-a-Service (SaaS) hosted and managed Workspace ONE instance. Note: Some components require deployment within your network or on-premises datacenter to integrate the platform with internal systems.
- Deploy Workspace ONE components in your on-premises datacenter as an alternative to SaaS-hosted.
- Purchase a solution leveraging Workspace ONE technologies from a partner within the VMware Partner network, including mobile device carriers, desktop/laptop hardware vendors, and more, or leverage the expertise of .
For those completely new to Workspace ONE, there are a couple of options to experience the solution before setting it up in your environment.
VMware Hands-On Labs provides an on-demand hands-on experience for some of the Horizon product line. You can access the current HOL catalog, and search for "UEM" or "Workspace ONE" to see what is available. Signing up for an account is free.
VMware TestDrive is also available for additional use-case based, hands-on interactions. TestDrive provides a pre-configured, optimized environment with comprehensive step-by-step videos, walkthroughs, and guides for a quick learning experience. It is available to VMware partners and anyone with an invitation code. Contact your VMware EUC sales team to get an invitation code. You can access TestDrive here.
It is a common practice to stand up an initial proof of concept to get hands-on experience with Workspace ONE technologies. A proof of concept includes testing specific use cases (such as employee-owned, corporate-owned, and rugged or kiosk devices), and how the solution works in your environment. The Quick-Start tutorial for Workspace ONE can be found on TechZone at . After concluding a proof of concept, but before running a pilot, revisit the deployment type decision (on-premises versus dedicated or shared SaaS) and verify that it meets your business needs. Work with your VMware EUC Sales Team if concerned about the deployment type selected.
The next logical step in testing whether a Workspace ONE solution is suitable for your everyday production or business continuity needs, is to deploy a pilot with one or more user groups to test the full functionality that your users require. A pilot typically includes testing the full range of device management and user experience capabilities. This is typically done with users who are willing to participate in initial testing and provide objective, detailed feedback.
Pilots are often done with VMware Partners or VMware Professional Services to leverage their expertise in having conducted previous pilots. Contact your VMware EUC Sales Team for help in finding a partner or Professional Services resource.
After a successful pilot, organizations typically begin to bring more devices under management with Workspace ONE. In the past, handheld mobile devices (from Apple, Google, Zebra, and more) were typically the first targets for management. Current desktop operating systems (Windows 10, macOS, and Chrome OS) support modern management via Workspace ONE. As such, you have the flexibility to onboard your end-user computing platforms to Workspace ONE management in a method that fits your business.
Some suggested next steps would include the following:
- Identify opportunities or projects involving new device purchases, such as kiosk projects or device refresh. Plan to have these devices implemented with Workspace ONE as the management platform. By making Workspace ONE the standard for new devices, you can avoid migrations or on-site configuration changes later.
- Identify small device groupings, or non-critical devices, to migrate with little or no business impact. Ask for feedback and use these smaller migrations to iterate improvements for onboarding or migration processes.
- Consider whether to force-migrate users immediately or to migrate them at their next device refresh interval.
- If currently managing devices with another MDM vendor, consider using a partner tool (such as Exodus or EBF Onboarder) to migrate mobile devices to Workspace ONE.
- Consider Workspace ONE Access if an improved user-experience for employees (via catalog, single sign-on, and more) is a focus for the business.
This guide provides more options to consider as you are looking at Workspace ONE to provide business continuity and remote-first capabilities for your organization, and it is worth reading further. For more detail on design, architecture, sizing, external access, and other essential topics, see .
Enabling Remote Work for Existing VMware Customers
Existing Horizon 7
If you already have an existing Horizon 7 deployment, there are many options available for expansion and for addressing an increase in demand for remote working. This section outlines an approach and main options, along with the considerations for each.
The first step in building business continuity, and any potential expansion, should be to check that any existing Horizon 7 environment is healthy, has been properly deployed, and is sufficiently sized to cope with the number of users to support. This is especially important before expanding, to ensure that any new capacity or capability is being built on solid foundations. If environments have been rapidly stood up or expanded to cope with a sudden increase in demand for remote working, these should be checked and amended, as necessary, to make sure they follow sizing, security, and other best practice recommendations.
Review the following sections of this guide and update any current environment, as necessary.
- Release versions – Review the versions of software used in the environment to make sure that the infrastructure is running supported versions and also taking advantage of all the fixes, features, and performance improvements in recent releases of Horizon.
- Sizing - The environment should be sized correctly to cope with the current demand and also any increase that is expected during a business continuity event. Review the Horizon 7 sizing guidance, limits, and information to ensure that the current and any future environment is designed and sized correctly.
- Security – Review Horizon communication, the network ports used, and firewall rules to ensure only required traffic is allowed.
- Authentication - Review how user authentication is handled and evaluate if this should be enhanced.
- Master Images – Ensure that best practices have been followed for creating images to be used for virtual desktops and for Windows RDS Hosts used for published applications. If the master image is not properly optimized, every virtual desktop or RDS Host cloned from it for end-user consumption will consume more resources and adversely affect user experience.
VMware Horizon has several deployment options that can be used to expand an existing Horizon 7 deployment to support additional remote workers:
- Expand the existing deployment, while ensuring that scaling is considered properly.
- Deploy Horizon 7 on-premises deployment, either in the same datacenter or across multiple locations.
- Deploy Horizon 7 on .
- Deploy Horizon 7 on .
- Deploy Horizon 7 on .
Deploying or expanding existing Horizon 7 deployments is a relatively straightforward process with flexible deployment options. Horizon 7 can be deployed on-premises or in the cloud. Horizon 7 can be deployed in a single site, across multiple sites, in VMware Cloud, or all of these.
Cloud Pod Architecture (CPA) or the Horizon Universal Broker can be used to federate multiple locations together, and can be used between both on-premises deployments and cloud-based deployments.
CPA introduces the concept of a global entitlement (GE) by joining multiple pods together into a federation. This feature allows you to provide users and groups with a global entitlement that can contain desktop pools or published applications from multiple pods that are members of the federation. This provides a solution for many different use cases, even where they have different requirements for accessing Horizon resources.
The following figure shows a logical overview of a basic two-site CPA implementation.
Figure 4: Cloud Pod Architecture
The Horizon Universal Broker is the cloud-based brokering technology used to manage and allocate virtual resources from multi-cloud assignments to end users. End users can access multi-cloud assignments in your environment by connecting to a fully qualified domain name (FQDN), which is defined in the Horizon Universal Broker configuration settings. Through the single Horizon Universal Broker FQDN, users can access assignments from any participating Horizon 7 pod in any site. No internal networking between pods is required.
Figure 5: Horizon Universal Broker
VMware Horizon 7 on VMware Cloud on AWS delivers a seamlessly integrated hybrid cloud for virtual desktops and applications. It combines the enterprise capabilities of VMware’s Software-Defined Data Center (delivered as a service on AWS) with VMware Horizon’s capabilities. See .
Figure 6: Horizon 7 options for deployment on-premises and on VMware Cloud on AWS
If you want to expand your Horizon 7 environment, you can expand onto other VMware Cloud Verified IaaS and vSphere infrastructures, or to a native Microsoft Azure infrastructure with Horizon Cloud on Microsoft Azure. See the section on .
Adding a Horizon 7 Cloud Connector to your Horizon 7 deployment enables you to access all of the features of the , including the ability to deploy Horizon nodes onto a native Microsoft Azure infrastructure. By doing so, you retain a single-pane management UI for all Horizon pods, and gain access to features like the Image Management Service, Cloud Monitoring Service, Helpdesk and the Universal Broker.
You can also use Horizon 7 on IBM Cloud as burst capacity to supplement your on-premises Horizon 7 environment, and if you need help, IBM services can help you get up and running quickly. For more information, see the that IBM released at VMworld 2019.
Existing Horizon Cloud on Microsoft Azure
If you already have Horizon Cloud on Microsoft Azure, there are a few ways to expand your deployment.
Now that you have a stable Horizon Cloud on Microsoft Azure deployment, there are several things you can do to check to make sure that the implementation is configured properly.
Review the following sections of this guide and update any current environment as necessary.
- Release versions – Review the versions of software used in the environment to make sure that the infrastructure is running supported versions and also taking advantage of all the fixes, features, and performance improvements in recent releases of Horizon.
- Sizing – Right-sizing your environment is another important step in reducing costs on cloud-based infrastructure. One place to look for . Another thing you can do is implement included in Horizon Cloud on Microsoft Azure.
- Security – Some customers reduced networking and security requirements to get Horizon Cloud on Microsoft Azure stood up as quickly as possible. One of the first things you should do is go back and check to make sure that you have .
- Authentication - Review how user authentication is handled and evaluate if this should be enhanced.
- Master Images – Often, a shortcut is taken by reusing an image created from a physical desktop or from an existing vSphere VM. Best practices for creating images to be used for virtual desktops and for Windows RDS Hosts used for published applications should be followed. If the master image is not properly optimized, every virtual desktop or RDS Host cloned from it for end-user consumption will consume more resources and adversely affect user experience.
If you need to support fewer than 2000 users, you can simply add them to your existing Horizon Cloud on Microsoft Azure deployment.
If you need to support more than 2000 users, then the simplest way is to deploy another Horizon Cloud on Microsoft Azure pod into another Azure subscription. Microsoft allows customers to create multiple subscriptions for each Microsoft Azure account. Doing so allows organizations to separate workloads and provides a simple method for organizational billing. However, Microsoft also uses subscriptions to define resource allocation and constraints. Microsoft sets resource limitations on each subscription that will keep you from expanding a single subscription to serve more than 2000 users with Horizon.
You can expand your Horizon deployment onto other IaaS or vSphere infrastructures if you do not want to continue to expand in native Microsoft Azure infrastructure.
VMware Horizon 7 can be deployed on any vSphere or VMware Cloud Certified partner platform. Once you have completed the deployment, you can connect it to the Horizon Control Plane using the Horizon 7 Cloud Connector. Doing so gives you the ability to manage your hybrid environment from the Horizon user interface.
Existing Workspace ONE MDM Only
If you currently leverage only Workspace ONE UEM, this is the time to conduct a health check of your current state, consider expansion and deployment options, and start enhancements.
Before expanding an existing Workspace ONE UEM solution, the first step is to ensure that your organization is taking full advantage of current Workspace ONE capabilities and following best practices.
VMware provides a Health Check program to help. The program includes a technical review of system health, as well as a functional review of the usage of the VMware solution. The service applies to both on-premises and cloud deployment models, and is conducted remotely via teleconference by the VMware Professional Service team. VMware recommends that you schedule health checks annually to optimize usage and proactively detect vulnerabilities in a rapidly evolving digital workspace ecosystem.
For more information on VMware's professional services offering, contact your EUC Sales representative.
Workspace ONE UEM has several deployment options that you can use to expand an existing Workspace ONE deployment to support additional remote workers:
VMware Workspace ONE Access (formerly called VMware Identity Manager) is a key component of the VMware Workspace ONE platform. Among the capabilities of Workspace ONE Access are:
- Simple application access for end users – Provides access to different types of applications, including internal web applications, SaaS-based web applications (such as Salesforce, Dropbox, Concur, and more), native mobile apps, native Windows and macOS apps, VMware ThinApp® packaged applications, VMware Horizon-based applications and desktops, and Citrix-based applications and desktops, all through a unified application catalog.
- Self-service app store – Allows end users to search for and select entitled applications in a simple way, while providing enterprise security and compliance controls to ensure that the right users have access to the right applications. Users can customize the Favorites tab for fast, easy access to frequently used applications, and place the apps in a preferred order. IT can optionally push entries onto the Favorites tab using automated application entitlements.
- Enterprise single sign-on (SSO) – Simplifies business mobility with an included Identity Provider (IdP) or integration with existing on-premises identity providers so that you can aggregate SaaS, native mobile, macOS, and Windows 10 apps into a single catalog. Users have a single sign-on experience regardless of whether they log in to an internal, external, or virtual-based application.
- Conditional access – Includes a comprehensive policy engine that allows you, as the administrator, to set different access policies based on the risk profile of the application. You can use criteria such as network range, user group, application type, method of authentication, or device operating system to determine if the user should have access or not.
- Productivity tools – Enables the Hub Services suite of productivity tools such as People Search, Notifications, Mobile Flow, Assistant, and more.
- Enterprise identity management with adaptive access – Establishes trust between users, devices, and applications for a seamless user experience and powerful conditional access controls that leverage Workspace ONE UEM device enrollment and SSO adapters.
- Workspace ONE native mobile apps – Includes native apps for iOS, Android, macOS, and Windows 10 that simplify finding and installing enterprise apps and provide an SSO experience across resource types.
- VMware Horizon / Citrix – Workspace ONE Access can also be integrated with VMware Horizon, VMware Horizon Cloud Service, and Citrix published applications and desktops. Workspace ONE Access handles authentication and provides SSO services to those applications and desktops.
In addition, Workspace ONE Access has the ability to validate the compliance status of the device in Workspace ONE UEM. Failure to meet the compliance standards blocks a user from signing into an application or accessing applications in the catalog until the device becomes compliant. By integrating Workspace ONE Access and VMware Workspace ONE Intelligence, you can add user behavior and risk scoring into the access decision. For more information on Workspace ONE Intelligence, see the starting state.
Workspace ONE combines complete cloud-based, modern management with intelligent automation to empower users, harden security, and simplify IT. Workspace ONE also co-exists with your Windows 10 traditional client management tools across any workload and features automation to speed transition to full modern management.
VMware Workspace ONE AirLift is a server-side connector that simplifies and speeds your journey to Windows 10 modern management. Workspace ONE AirLift bridges administrative frameworks between Microsoft Endpoint Configuration Manager (ConfigMgr), Active Directory, and Workspace ONE UEM. Some of the key features and benefits include:
- Provides dashboards to monitor automated enrollment progress and modern management activity
- Enables mapping between ConfigMgr device collections and Workspace ONE UEM smart groups
- Facilitates application rationalization and migration from ConfigMgr to Workspace ONE
- Facilitates Windows 10 Group Policy rationalization and migration from Active Directory to Workspace ONE UEM
In migrating macOS management, you must consider the current management tool and macOS version. Not all macOS management tools manage the OS in the same way. Some manage macOS using custom agents, while others leverage the MDM protocol (or a combination of both). Additionally, as macOS continues to mature, the capabilities of the MDM protocol change, along with underlying requirements for successful onboarding. As such, use the following questions to guide your in-house professional services- or partner-engaged migration:
- What version of macOS requires migration to Workspace ONE?
- Should the Workspace ONE enrollment be automated, user-approved, or automated via Apple Business Manager or Apple School Manager?
- Are currently deployed devices MDM-enrolled? If so, are they enrolled via Apple Business Manager (or Apple School Manager) automated enrollment?
- If devices were MDM-enrolled via Apple Business Manager, was the automated enrollment profile set to prevent profile removal? If so, does the current management tool (and the migration tool) support API-driven profile removal?
For more information regarding macOS migration, see the following resources:
VMware enables IT to leverage cloud-first modern management capabilities to ensure all employees, including decentralized workers, remain productive without disruption. Modern management is critical in supporting remote and distributed workforces as it leverages a cloud-based native framework unlike traditional PC lifecycle management solutions. Modern management allows IT to fully manage and configure devices over-the-air compared to legacy PC lifecycle management solutions which require line of sight to the domain. Workspace ONE offers cloud-based infrastructure for deploying policies, apps, updates, and enabling real-time communication, all over-the-air. Moving to modern management reduces the total cost of ownership per device per year by two-thirds when compared to traditional management solutions which require high IT-touch for deployment and configurations of devices. (For more information, see and .) By leveraging new technologies in Windows 10 and macOS, as well as strong hardware OEM partnerships, Workspace ONE enables modern management across five main areas:
- Device onboarding – Simplified end-user onboarding with Windows 10 Out-of-Box Experience (OOBE) and Windows Autopilot for Windows 10. Drop ship Windows 10 devices to end users with Factory Provisioning or automate enrollment via command-line. For macOS, streamline deployment using Apple Business Manager or Apple School Manager. See the and Operational Tutorials for more details.
- Configuration management – Apply MDM-based policies to Windows and macOS endpoints and apply specific configuration settings over-the-air from the management console. Workspace ONE also supports scripting capabilities for both platforms. In addition to the standard MDM policies, you can leverage industry-standard policy baselines to deploy cloud-based policies (GPOs) to Windows devices.
- OS Update management – Leverage the Windows and Apple update sources and choose when and how updates are applied to devices over-the-air. Updates can be scheduled, forced, or allow the end user to choose the best time for installation within a configured grace period set by IT. Windows Updates can also leverage Delivery Optimization to decrease the potential impacts on the corporate network.
- Software distribution – Deliver applications from different sources to users via the Workspace ONE catalog. For both Windows 10 and macOS, applications are optionally delivered from a global CDN. With Windows 10, you can optionally leverage P2P capabilities in Windows 10. You can deliver EXE, MSI, or scripted install (ZIP) applications to Windows and third-party DMG and PKG installers to macOS. In addition, Workspace ONE integrates with Apple Business Manager, Apple School Manager, or the Microsoft Store for Business to deliver volume-licensed app store apps to devices.
- Client health and security – Enable IT to enforce and manage the full lifecycle of BitLocker and FileVault encryption and set security policies on the endpoint. You will also have access to setting policies related to Windows Information Protection (WIP), Windows Hello for Windows, and various security, privacy, firewall, and firmware passwords for macOS, along with other OS security features for both platforms.
Your organization will have to determine the appropriate aspects of modern management that can be implemented in order to enable cloud-based modern management with intelligent automation to empower users, harden security, and simplify IT. To help with this process, see .
Existing Workspace ONE UEM and Access
If you currently leverage Workspace ONE UEM and Workspace ONE Access, you are ready to conduct a health check, consider expansion and deployment options, and start enhancements.
Depending on your industry or current situation, your employees may or may not have a dedicated corporate device. First, you want to consider which device platforms or form factors each working group requires to be productive on their first days of working remotely. Your highly mobile users (those who already work from home or own a corporate device) will likely not require anything else, other than an added management layer to reap some of the benefits of device management.
Unifying the user experience across different device types and operating systems simplifies the user experience, leading to improved productivity and satisfaction. Workspace ONE Access provides identity-related components, including authentication using username and password, two-factor authentication, certificate, Kerberos, mobile SSO, and inbound SAML from third-party Workspace ONE Access systems. Workspace ONE Access also provides SSO to entitled web apps, Windows apps, and desktops delivered through either VMware Horizon or Citrix.
Before expanding with VMware solutions, the first step is to ensure your organization is taking full advantage of current Workspace ONE capabilities and following best practices.
VMware provides a Health Check program to help. The program includes a technical review of system health, as well as a functional review of the usage of the VMware solution. The service applies to both on-premises and cloud deployment models and is conducted remotely via teleconference by the VMware Professional Service team. VMware recommends that you schedule health checks annually to optimize usage and proactively detect vulnerabilities in a rapidly evolving digital workspace ecosystem.
For more information on VMware's professional services offering, contact your EUC Sales representative.
Figure 7: Workspace ONE Access Federated Authentication
If, like so many others, your enterprise IT environment has evolved through merger and acquisition (M&A) activity or business unit expansion, it likely includes a mix of new and legacy identity stores from a host of providers. While not uncommon, it is cumbersome for a company to be using Active Directory Federation Services, Azure Active Directory, Okta, Ping, and Active Directory across disparate locations.
Workspace ONE Access acts as an identity broker and can integrate with your existing third-party identity solutions. Take this time to federate Workspace ONE Access with your existing solutions to provide a seamless SSO experience to your end-users.
Employees want seamless access to all their information and apps without administrative hassles. Yet protecting corporate data in a perimeter-less environment is not only challenging, but costly when you must deploy and manage a variety of disconnected solutions.
The Workspace ONE Intelligent Hub user interface works similarly on phones, tablets, desktops, and browsers. The Catalog page in Workspace ONE Intelligent Hub displays resources that have been pushed to Workspace ONE. Users can tap or click to search, add, bookmark, and update applications. They can right-click on an app to remove it from the Bookmarked page and go to the Catalog page to add entitled resources.
To create seamless access to all corporate information and applications, we recommend these steps:
- The Intelligent Hub web browser displays the Favorites and App tabs. In the App tab, users see the Promotions, New Apps, and the Categories list. People, Notifications, and Support display as separate tabs, if enabled.
- Cloud, Mobile, and Windows applications can be accessed from the catalog. Native applications that are internally developed or publicly available in app stores can be made available to your end users from the Workspace ONE portal.
- Workspace ONE Access can be configured to check the Workspace ONE UEM server for device compliance status when users sign on from the device. The compliance check ensures that users are blocked from signing into an application or using single sign-on to the Workspace ONE portal if the device goes out of compliance. When the device is compliant again, the ability to sign on is restored.
- For iOS device authentication, Workspace ONE Access uses an identity provider that is built into the Workspace ONE Access service to provide mobile SSO authentication.
- Mobile single sign-on (SSO) for Android is an implementation of the certificate authentication method for Workspace ONE UEM-managed Android devices. Mobile SSO allows users to sign on to their device and securely access their Workspace ONE apps without re-entering a password.
Figure 8: Workspace ONE Access Provides Policy-Based Conditional Access into Applications
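The conditional-access decision described above (policy criteria such as network range, user group, device OS and authentication method, combined with the Workspace ONE UEM compliance check) can be modelled as an ordered rule set with a default-deny outcome. The following is an added, constructed illustration of that decision logic, not Workspace ONE Access code; the rule names, CIDR ranges, group names and authentication-method labels are assumptions chosen for the example.

```python
"""Constructed model of a conditional-access policy evaluation.

This is an illustration of the decision flow this guide describes, not
Workspace ONE Access's own engine. Rules are evaluated in order; the first
rule whose scope matches the request decides the outcome. A request that
matches no rule, or whose device compliance status is unknown, is denied.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple


@dataclass(frozen=True)
class AccessRequest:
    user: str
    groups: frozenset            # directory groups the user belongs to
    source_ip: str               # client address seen by the service
    device_os: str               # "ios", "android", "windows", "macos", ...
    auth_method: str             # method the session actually used
    app_type: str                # "web", "native" or "horizon"
    device_compliant: Optional[bool]  # UEM status; None means unknown


@dataclass(frozen=True)
class PolicyRule:
    name: str
    network_ranges: tuple = ()                 # () means any source network
    groups: frozenset = frozenset()            # empty means any group
    device_os: frozenset = frozenset()         # empty means any OS
    app_types: frozenset = frozenset()         # empty means any app type
    accepted_auth: frozenset = frozenset()     # methods that satisfy the rule
    require_compliant_device: bool = True


def rule_applies(rule: PolicyRule, req: AccessRequest) -> bool:
    """Scope check: does this rule govern the request at all?"""
    ip = ip_address(req.source_ip)
    if rule.network_ranges and not any(ip in ip_network(r) for r in rule.network_ranges):
        return False
    if rule.groups and not (rule.groups & req.groups):
        return False
    if rule.device_os and req.device_os not in rule.device_os:
        return False
    if rule.app_types and req.app_type not in rule.app_types:
        return False
    return True


def evaluate(rules: Tuple[PolicyRule, ...], req: AccessRequest) -> Tuple[str, str]:
    """Return (decision, reason); decision is allow, step_up or deny."""
    for rule in rules:
        if not rule_applies(rule, req):
            continue
        # Fail closed: an unknown compliance status is treated as non-compliant.
        if rule.require_compliant_device and req.device_compliant is not True:
            return ("deny", f"{rule.name}: device not compliant in Workspace ONE UEM")
        if req.auth_method not in rule.accepted_auth:
            # The session is not strong enough for this rule; ask for step-up.
            return ("step_up", f"{rule.name}: requires one of {sorted(rule.accepted_auth)}")
        return ("allow", rule.name)
    return ("deny", "no matching policy rule (default deny)")


# Constructed rule set, most specific first (all values are assumptions).
RULES = (
    PolicyRule("finance-web-apps", groups=frozenset({"finance"}),
               app_types=frozenset({"web"}),
               accepted_auth=frozenset({"password+radius", "certificate"})),
    PolicyRule("internal-network", network_ranges=("10.0.0.0/8", "192.168.0.0/16"),
               accepted_auth=frozenset({"password", "kerberos", "certificate", "mobile_sso"})),
    PolicyRule("external-mobile", device_os=frozenset({"ios", "android"}),
               accepted_auth=frozenset({"mobile_sso", "certificate"})),
    PolicyRule("external-desktop", device_os=frozenset({"windows", "macos"}),
               accepted_auth=frozenset({"certificate", "password+radius"})),
)


if __name__ == "__main__":
    req = AccessRequest("alice", frozenset({"sales"}), "203.0.113.5", "windows",
                        "password", "web", True)
    print(evaluate(RULES, req))  # external desktop with password only -> step_up
```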
Workspace ONE Hub Services offers a unified catalog, actionable notifications, a virtual assistance chatbot, and a people directory for a full digital workspace experience. Employees install the Workspace ONE Intelligent Hub app on their devices or use their web browser for a single destination to access, discover, and connect with a company's corporate resources, teams, and workflows. Consider deploying the full suite of Hub Services to create a complete digital workspace and elegant employee experience:
- When Hub Services is fully integrated with Workspace ONE Access, you can enable access to the People service to let users search for their colleagues and view user details and organization charts directly from the Intelligent Hub app.
- Through Workspace ONE Intelligent Hub notifications, organizations can generate and serve actionable, real-time notifications across employees or to select employee groups. This flexible, cloud-hosted service sends notifications to users in both the Intelligent Hub portal in a browser and through the Intelligent Hub app on their mobile device.
- The Workspace ONE mobile flows service processes the notification workflow from other business apps such as Salesforce and delivers them to apps that integrate with Workspace ONE mobile flows. You must enable mobile flows in the Hub console to display notifications from mobile flows-configured business systems within Intelligent Hub.
- In the Hub Services console Help & Support page, you can customize the type of self-service support features that are available in the Workspace ONE Intelligent Hub web browser view. You can add helpful links to the Support tab to empower and educate users about how to perform basic device management tasks, investigate issues, and fix problems. These links can reduce the number of help-desk tickets and support issues.
Figure 9: Workspace ONE Intelligent Hub
Workspace ONE UEM has several deployment options that can be used to expand an existing Workspace ONE deployment to support additional remote workers:
Figure 10: VMware Unified Access Gateway
VMware Unified Access Gateway is a security platform that provides edge services and access to defined resources that reside in the internal network. It acts as the security gateway for VMware Workspace ONE and VMware Horizon deployments, enabling secure remote access from an external network to a variety of internal resources. Unified Access Gateway supports multiple use cases.
- Per-App Tunneling of native and web apps on Android, iOS, macOS, and Windows 10 desktop platforms to secure access to internal resources through the VMware Tunnel service. For more technical details on getting started with Per-App Tunneling refer to .
- Secure on-premises email infrastructure that grants access only to authorized devices, users, and email applications based on managed policies. This capability leverages the Secure Email Gateway service integrated with . For more technical details on getting started with Secure Email Gateway refer to .
- Access from VMware Workspace ONE® Content to internal file shares or SharePoint repositories by running the Content Gateway service. For more technical details on getting started with Content Gateway service refer to .
- Reverse proxying of web applications and Identity bridging for authentication to on-premises legacy applications that use Kerberos or header-based authentication. For more technical details on getting started with Reverse proxying and Identity bridging refer to the .
- Secure external access to desktops and applications, utilizing , and VMware Horizon® 7 on-premises. For more technical details on getting started with Secure external Access to desktops refer to the .
For more technical details on getting started with Unified Access Gateway, see the Product Activity Path on Tech Zone. Select the Edge Services tab to jump to resources to walk you through configuring various Edge Services in Unified Access Gateway.
Figure 11: Workspace ONE Intelligence Overview
VMware Workspace ONE Intelligence is a cloud service built for the VMware Workspace ONE platform that provides deep insights, analytics, and automation for the entire digital workspace. Together, these capabilities enhance digital user experience and strengthen security across the entire digital workspace environment.
- Insights - By aggregating, correlating, and analyzing data from multiple internal and external sources, Workspace ONE Intelligence delivers out-of-the-box as well as advanced custom dashboards and reports to help organizations visualize the state of the digital workspace. It provides insights into the security posture, the impact of new security threats, in-context risk analytics, device and OS compliance, and the state of the digital employee experience.
- Analytics - Workspace ONE Intelligence delivers a rich set of device and mobile app analytics. Built for the Workspace ONE Platform, Workspace ONE Intelligence aggregates data from Workspace ONE Access and Workspace ONE Unified Endpoint Management, enabling unique correlations and analytics for the digital workspace. With the Workspace ONE Intelligence SDK that collects mobile app analytics, your organization can track app performance and engagement. By leveraging machine learning techniques, Workspace ONE Intelligence takes the management of the digital workspace to the next level.
- Automation and Orchestration - After the information has been surfaced by Workspace ONE Intelligence, you can leverage the built-in automation and orchestration engine to orchestrate workflows and automate actions based on pre-defined policies and a rich set of parameters. Automation can extend to third-party tools such as ServiceNow for ticketing and Slack for communications, and other tools that support REST APIs.
Existing Workspace ONE, Access, Intelligence, and Unified Access Gateway
If your organization is currently leveraging the Workspace ONE platform, along with the core components listed below, you are well on the way to achieving business continuity. Now is the time to conduct a health check, verify that your organization is taking full advantage of current capabilities and following best practices, and consider additional expansion and deployment options.
There is still room to enhance and evolve the use of VMware solutions as business continuity scenarios continue to add new requirements, pushing organizations to enable and efficiently manage a remote workforce.
- Workspace ONE UEM
- Workspace ONE Access
- Workspace ONE Intelligence
- VMware Unified Access Gateway
Before expanding, the first step is to ensure that your organization is taking full advantage of current Workspace ONE capabilities and following best practices.
VMware provides a Health Check program to help. The program includes a technical review of system health, as well as a functional review of the usage of the VMware solution. The service applies to both on-premises and cloud deployment models and is conducted remotely via teleconference by the VMware Professional Service team. VMware recommends that you schedule health checks annually to optimize usage and proactively detect vulnerabilities in a rapidly evolving digital workspace ecosystem.
For more information on VMware's professional services offering, contact your EUC Sales representative.
Deployment Considerations to Support Remote Work
Whether checking an existing environment or planning for a new deployment, there are important considerations that should be checked and reviewed. The following section covers the main considerations for Horizon 7, for Horizon Cloud, and those that are common across all environments.
The versions of software used in the environment should be reviewed to make sure that the infrastructure is running supported versions and is taking advantage of all the fixes, features, and performance improvements in recent releases of Horizon. Horizon 7 is updated on a quarterly basis, and fixes, features, and performance benefits are included in the new versions.
- Infrastructure - Connection Servers, Unified Access Gateways, vSphere and vCenter, and App Volumes Managers should be running the latest build or a recent build to benefit from the new features, enhancements, and bug fixes.
- Horizon Agent - The version of Horizon Agents used in the virtual desktops should be reviewed and updated where necessary. Ideally these should match the Horizon release version. Newer versions of agents will include both new features and also have performance improvements.
- Horizon Client - The Horizon Client on users' end devices should also be updated to make sure they have the latest version. Newer versions of the client include both new features and performance improvements. By default, the Horizon Client for and is configured to automatically check for an update online. Android and iOS devices will receive updates through the app store used for installation.
A successful deployment of Horizon 7 depends on good planning and a robust understanding of the platform. The following figure shows the high-level logical architecture of the Horizon 7 components with other Horizon 7 Enterprise Edition components shown for illustrative purposes.
Figure 12: Horizon 7 Enterprise Edition Logical Components
Use the following list of resources to get started, or to quickly scale.
Whether you are checking an existing Horizon infrastructure or building a new one, you need a good understanding of the building blocks that are used and how those building blocks scale. Use the as a guide for how to architect an environment that scales to your requirements and uses the recommended practices. The Reference Architecture has a dedicated chapter for .
Whether deployed on-premises or on VMware Cloud on AWS, Horizon 7 is deployed using a block and pod architecture. Horizon pod federations can be used to scale up within a datacenter or scale out across global datacenters. Refer to these sections of the Reference Architecture:
Horizon 7 on VMware Cloud on AWS uses Horizon 7 as the platform. The architectural components are the same as those used with Horizon 7 on-premises, with pod and block designs. See the or contact your VMware sales team.
This Reference Architecture provides guidance on the recommended sizing and load for each of the required components. For the most current numbers, limits, and recommendations, see the VMware Knowledge Base article .
A single Connection Server supports a maximum of 4,000 sessions, although 2,000 is recommended as a best practice. To ensure that the environment includes redundancy and is able to handle failure, deploy one more server than is required for the number of connections (n+1).
One key concept in a Horizon 7 environment design is the use of pods and blocks, which gives us a repeatable and scalable approach. When we are brokering connections only to physical desktops, we need to focus only on the pod construct, and can ignore the block construct. A pod is made up of a group of interconnected Connection Servers that broker connections to desktops or published applications. A pod can broker up to 20,000 sessions (12,000 recommended), including desktop and RDSH sessions.
Up to seven Connection Servers are supported per pod with a recommendation of 12,000 desktop sessions in total per pod. Multiple pods can be interconnected using Cloud Pod Architecture (CPA).
Unified Access Gateway gives three sizing options during deployment: standard, large, and extra-large. When deploying to provide secure edge services for Horizon, the standard size should be used.
A standard-sized Unified Access Gateway supports 2,000 Horizon sessions.
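The sizing rules above (2,000 recommended sessions per Connection Server with a hard limit of 4,000, up to seven Connection Servers per pod, 12,000 recommended sessions per pod, n+1 redundancy, and 2,000 Horizon sessions per standard-sized Unified Access Gateway) can be turned into a small planning calculation. The following is an added, constructed example written for this guide, not a VMware tool; the function and field names are assumptions, and the limits are the figures quoted in the text.

```python
"""Horizon 7 pod sizing from the limits stated in this guide (constructed example).

Given a concurrent session count, the planner spreads sessions across the
minimum number of pods, sizes Connection Servers per pod with n+1 (or more)
redundancy, and sizes standard Unified Access Gateways for the external
share. Pods are then interconnected with Cloud Pod Architecture.
"""
import math
from dataclasses import dataclass

# Limits as quoted in the guide.
CS_RECOMMENDED_SESSIONS = 2000   # best-practice sessions per Connection Server
CS_MAX_SESSIONS = 4000           # hard maximum per Connection Server
CS_PER_POD_MAX = 7               # Connection Servers supported per pod
POD_RECOMMENDED_SESSIONS = 12000 # recommended sessions per pod
POD_MAX_SESSIONS = 20000         # hard maximum per pod
UAG_STANDARD_SESSIONS = 2000     # sessions per standard-sized Unified Access Gateway


@dataclass(frozen=True)
class PodPlan:
    pods: int
    sessions_per_pod: int
    connection_servers_per_pod: int
    unified_access_gateways: int   # total across the environment


def size_horizon7(concurrent_sessions: int, external_sessions: int = 0,
                  redundancy: int = 1) -> PodPlan:
    """Plan pods, Connection Servers and UAGs for the given session counts.

    redundancy is the number of spare servers per tier (1 gives n+1).
    """
    if concurrent_sessions <= 0:
        raise ValueError("concurrent_sessions must be positive")
    if not 0 <= external_sessions <= concurrent_sessions:
        raise ValueError("external_sessions must be between 0 and concurrent_sessions")
    if redundancy < 0:
        raise ValueError("redundancy cannot be negative")

    pods = math.ceil(concurrent_sessions / POD_RECOMMENDED_SESSIONS)
    while True:
        sessions_per_pod = math.ceil(concurrent_sessions / pods)
        # Servers needed at the recommended per-server load, plus spares.
        cs_per_pod = math.ceil(sessions_per_pod / CS_RECOMMENDED_SESSIONS) + redundancy
        if cs_per_pod <= CS_PER_POD_MAX:
            break
        # Too many servers for one pod: add a pod and re-spread the load.
        pods += 1

    assert sessions_per_pod <= POD_MAX_SESSIONS  # always true given the recommended cap

    if external_sessions == 0:
        uags = 0
    else:
        uags = math.ceil(external_sessions / UAG_STANDARD_SESSIONS) + redundancy

    return PodPlan(pods, sessions_per_pod, cs_per_pod, uags)


def survives_server_loss(plan: PodPlan, lost_servers: int) -> bool:
    """Can each pod still carry its sessions within the hard limit after losing servers?"""
    remaining = plan.connection_servers_per_pod - lost_servers
    return remaining > 0 and remaining * CS_MAX_SESSIONS >= plan.sessions_per_pod


if __name__ == "__main__":
    plan = size_horizon7(25000, external_sessions=6000)
    print(plan)                          # 3 pods, 6 Connection Servers each, 4 UAGs
    print(survives_server_loss(plan, 1)) # True
```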
When scaling for size and also to ensure availability, you deploy multiple server components such as the Connection Server and Unified Access Gateway, following the guidelines given above. It is strongly recommended that end users connect to these servers using a load-balanced virtual IP (VIP). This ensures that user load is evenly distributed across all available servers. Using a load balancer also facilitates greater flexibility by enabling IT administrators to perform maintenance, upgrades, and configuration changes while minimizing impact to users.
Figure 13: Load Balancing Connection Servers and Unified Access Gateways
An existing load balancer can be used, or a new one such as the VMware NSX Advanced Load Balancer (formerly Avi Vantage by Avi Networks) can be deployed.
The VMware NSX Advanced Load Balancer is a software-only ADC that offers enterprise-grade load balancing, web application firewall, and other application services in multi-cloud environments. The VMware NSX Advanced Load Balancer offers a distributed architecture with separate control plane and data plane.
The VMware NSX Advanced Load Balancer can be deployed for load balancing Horizon deployed on-premises in vCenter or on VMware Cloud on AWS. The VMware NSX Advanced Load Balancer provides full-featured load balancing for Horizon for multiple deployment scenarios, including GSLB for multi-site deployments.
For more detail on load balancing of Unified Access Gateway appliances, see:
Secure external access for Horizon 7 sessions is provided through the integration of Unified Access Gateway appliances.
Figure 14: External Connection Communication Flow
Horizon connections are encrypted, and multiple authentication options are supported, including SAML, RADIUS, RSA SecurID, certificates (including smart cards), and Active Directory username and password.
With Horizon 7, internal users are normally authenticated when they connect to a Connection Server.
Horizon 7 external users can be authenticated in the DMZ at the Unified Access Gateway, before allowing the authenticated traffic through to the internal resource. Unified Access Gateway supports multiple authentication options; for example, pass-through, RSA SecurID, RADIUS, SAML, and certificates, including smart cards. Pass-through authentication forwards the request to the internal Connection Server or broker. Other authentication types enable authentication at the Unified Access Gateway, before passing authenticated traffic through to the internal resource.
The following diagram depicts the pass-through authentication option.
Figure 15: Unified Access Gateway Pass-Through Authentication
The following diagram depicts the two-factor authentication option.
Figure 16: Unified Access Gateway Two-Factor Authentication
You can also use SAML to authenticate Horizon users against a third-party identity provider (IdP), leveraging Unified Access Gateway as the service provider (SP). This new capability requires Horizon Connection Server 7.11 or later, and user authentication must go through Unified Access Gateway.
The authentication sequence can be configured as SAML and Passthrough or as just SAML:
- When Auth Methods is set to SAML and Passthrough, the SAML assertion is validated by Unified Access Gateway, and Connection Server authenticates the user against Active Directory when launching remote desktops and applications.
- When Auth Methods is set to SAML, the SAML assertion is validated by Unified Access Gateway and passed to the backend. Users single sign on to the remote desktops and applications, leveraging the Horizon True SSO feature.
In both authentication methods, the user will be redirected to the IdP for SAML authentication. Both SP- and IdP-initiated flows are supported.
Figure 17: Unified Access Gateway SAML Authentication
You can implement Horizon 7 on VMware Cloud on AWS. With this solution, you can provision an entire SDDC, including the Horizon management components, in a matter of hours. Watch this brief video to see how easy it is to deploy Horizon on AWS. If you are new to Horizon, this solution enables you to get the infrastructure up and running quickly. For existing Horizon on-premises administrators, quickly expanding your Horizon deployment is easy. Simply consume cloud resources to build a hybrid deployment.
Figure 18: Horizon on VMware Cloud on AWS
Horizon Cloud on Microsoft Azure
Deploying a Horizon Cloud pod on Azure infrastructure is straightforward. If your organization does not already have access to Azure resources, Microsoft provides details on their Azure portal.
If you already have an MSDN subscription or an enterprise agreement with Microsoft for Azure capacity, you're in luck. You can leverage that agreement to set up a subscription into which to deploy a Horizon Cloud on Microsoft Azure pod.
Figure 19: Horizon Cloud Service on Microsoft Azure Logical Architecture
VMware Horizon Cloud delivers virtual desktops and apps using a cloud platform that is scalable across multiple deployment options. Want to deploy a pod in just a couple of hours? Get access to Horizon Cloud on Microsoft Azure, and use the resources below:
Each Horizon Cloud on Microsoft Azure pod can support up to 2,000 concurrent users or 2,000 VMs. Deploying an additional Horizon Cloud on Microsoft Azure pod into another Azure subscription or region is very straightforward. If you deploy two or more Horizon Cloud on Microsoft Azure pods, you can manage all of them from the same Horizon user interface.
Horizon Cloud on Microsoft Azure is a Horizon platform running on Microsoft Azure that leverages a different set of building blocks than Horizon 7 to achieve the same goal of delivering virtual desktops and applications. It is important to understand the components that are deployed, how it scales, and how it is designed for multiple sites. Refer to these sections of the Reference Architecture:
Horizon Cloud on Microsoft Azure has certain configuration maximums you must consider when making design decisions:
- Up to 2,000 concurrent active connections are supported per Horizon Cloud pod
- Up to 2,000 desktop and RDSH server VMs are supported per Horizon Cloud pod
- Up to 2,000 desktop and RDSH server VMs are supported per Microsoft Azure region or subscription
To handle larger user environments, you can deploy multiple Horizon Cloud pods, but take care to follow the accepted guidelines for segregating the pods from each other. For example, under some circumstances you might deploy one pod in each of two different Microsoft Azure regions, or you might be able to deploy two pods in the same subscription and the same region, as long as the IP address space is large enough to accommodate multiple deployments.
You can reduce the permissions granted to the administrative accounts used by Horizon Cloud on Microsoft Azure. Granting only the minimum required privileges to the Domain Join, Auxiliary Domain Join, Domain Bind, and Auxiliary Domain Bind accounts is a good first step to locking down your deployment.
With Horizon Cloud on Microsoft Azure, all users are typically authenticated by the Unified Access Gateway appliances deployed as part of the service. Internal users can also connect by authenticating directly to a Pod Manager. Horizon Cloud on Microsoft Azure can also be configured to provide optional authentication mechanisms such as two-factor authentication and RADIUS integration. You can also .
You can implement Horizon Cloud on Microsoft Azure in one or multiple Microsoft Azure regions. Horizon Cloud on Microsoft Azure leverages Azure infrastructure. The fastest way to get up and running on Horizon Cloud on Microsoft Azure is to follow the steps in the . If you want to practice deploying the solution before you do it, you can use the Hands-On Lab to develop familiarity with the process of setting up the prerequisites and deploying Horizon Cloud on Microsoft Azure in cloud capacity.
If you have never used cloud infrastructure before and want a little background on connecting your own infrastructure to a cloud infrastructure, we have summarized the basics for you. There are three primary deployment methods of leveraging cloud infrastructure for expanding a Horizon solution.
Figure 20: Example of connection options for Microsoft Azure
A point-to-point VPN is the simplest way to connect your datacenter to a cloud infrastructure provider. A VPN gateway provides an encrypted tunnel between your on-premises environment and the infrastructure you are renting from a cloud provider. This connection works best for hybrid environments where traffic between infrastructures is light, or tolerant of longer latency times.
A dedicated connection is a private, dedicated link between your datacenter and the cloud provider, terminated in a co-location facility. This type of connection does not traverse the Internet and typically allows for more bandwidth and reliability than a point-to-point VPN connection. You acquire these connections through a cloud exchange provider or from the cloud platform provider itself.
In an Island configuration, you acquire cloud capacity, and then build out all necessary infrastructure and services from scratch. You do not rely on, or have minimal reliance on, your current (on-premises) services and resources for anything. You re-build everything you need in the cloud for your remote users from scratch. Users and administrators access the infrastructure via the Internet. This is typically the fastest method of setting up cloud capacity, but it can be an onerous task to undertake, as you must build from scratch. Furthermore, if you deploy Horizon into an island, that island will still need to provide remote access to internal applications and data in your corporate datacenter.
There are multiple methods to connect your on-premises or customer-owned datacenter to a Microsoft Azure region. There are typically three factors in determining which option best fits your organization.
- Proximity of user applications – Your Horizon deployment should always be located as close as possible to the applications that the users will be using.
- Cost – Each method of connectivity has a different cost associated with it, depending on a number of factors including data transmitted, and SLA requirement.
- Need for redundancy – Based on your RTO / RPO expectations, you may need to set up multiple network connections to multiple Azure regions and leverage Azure networking to build a more resilient connection.
Cloud-based infrastructure is convenient, but that convenience comes at a financial cost. Horizon Cloud on Microsoft Azure has built-in power management features to help you be more efficient with your cloud infrastructure spend.
You can set up power management policies for any type of user assignment:
Master Image Best Practices
It is strongly recommended that you create an optimized master VM for cloning and creating desktop pools or RDSH server farms. Do not clone or repurpose an existing image that has been created for another use, such as physical machines.
Windows was designed for physical hardware, specifically desktops, and for that hardware to be accessed by just one user at a time. Windows uses many resources to present a responsive desktop, but many of its settings are unnecessary or even detrimental when applied to a virtual environment. These actions include, for example, animating windows as the user opens them. Performing this animation takes significant CPU resources, which decreases the number of desktops that you can host per physical server. Consequently, this nonessential function in a virtual machine (VM) environment increases the amount of system hardware that you need. Even if hardware is plentiful, Windows animations do not perform well when accessed remotely, especially when connecting over a slow WAN or Internet connection. As a result, keeping animations enabled (in addition to other features unnecessary for VMs) impairs the end-user experience.
Another example of desktop optimization in a virtual machine environment is to disable Windows Update so that control of the service is isolated to administrators. Administrators can run Windows Update in batch mode for the VMs as opposed to users performing this task.
Note: You can also optimize physical machines by removing nonessential functions in a similar manner.
By optimizing Windows, you are maximizing the efficiency and performance of your virtual desktops and RDS Host servers.
Optimizing virtual desktops:
- Increases their performance
- Increases their density, boosting the number of virtual desktops that can be hosted per server, thereby reducing infrastructure costs
- Improves end-user experience
- Reduces end-user support incidents
Optimizing RDS Host servers:
- Increases hosted desktop and application performance
- Reduces the amount of system resources that each RDS Host server requires
- Increases the density and the number of RDS Host servers that can be hosted
- Increases the number of users that can be supported per RDS Host server
- Improves the end-user hosted desktop and application experience
- Reduces system support incidents
The free VMware OS Optimization Tool makes it easy to apply configuration settings to desktops and servers. It includes settings to optimize the following Windows operating systems, for both desktops and servers, for deployment and use either on-premises or in the cloud.
- Windows 10
- Windows 8.1
- Windows 8
- Windows 7
- Windows Server 2019
- Windows Server 2016
- Windows Server 2012 R2
The high-level steps to create an optimized master image for use on Horizon 7 are:
- Create the master VM (Windows 10 or Windows Server).
- Install Windows, and enter audit mode.
- Install VMware Tools.
- Install common Microsoft runtimes, features, and applications that you want in the master image.
- Install Microsoft updates.
- Optimize Windows with the VMware OS Optimization Tool.
- Generalize Windows with the OS Optimization Tool.
- Finalize Windows with the OS Optimization Tool.
- Export the image.
The high-level steps to create an optimized master image for use on Horizon Cloud on Microsoft Azure are:
- Create a virtual machine manually or via Azure Marketplace for Horizon Cloud on Microsoft Azure and install an operating system, if appropriate.
- Install VMware Tools (installed automatically if done from Azure Marketplace).
- Customize the image with Windows applications and features as required.
- Install Microsoft Updates.
- Optimize Windows with the VMware OS Optimization Tool.
- Generalize Windows with the OS Optimization Tool.
- Finalize Windows with the OS Optimization Tool.
- Export or publish the image.
Desktop pools are required to allow management, entitlement, and user assignment to the desktop objects within Horizon. There are two main types of virtual desktop pools: automated and manual.
- Manual desktop pools are a collection of existing virtual machines, physical computers, or third-party virtual machines.
- Automated desktop pools use a master virtual machine, which is cloned to create the individual desktop virtual machines.
With instant-clone and linked-clone pools, consider priming and publishing the image for pools that are designed only for use in a business continuity event. This can be done by deploying smaller, minimally sized pools that are then expanded when required. This allows the pool to be tested in advance and avoids having to publish the image at the moment business continuity is initiated.
For a Horizon pod deployed in Microsoft Azure, you can create:
- Dedicated and floating VDI desktop assignments to provide VDI desktops to your end users
- Session desktop assignments
With Horizon 7, you can deliver virtualized published applications to the user on their device without delivering a full virtual desktop to the user.
Before you can assign published applications or session-based desktops to end users, you must create the farms to serve those desktops and applications. A farm is a collection of Microsoft Remote Desktop Services (RDS) hosts that provide multiple users with published applications and session-based desktops. Farms simplify the management of the RDS hosts. You can create farms to serve groups of users that vary in size or have different desktop or application requirements.
Horizon 7.9 introduced a feature called VM Hosted Applications, which allows floating instant-clone desktop pools to be used as a source for published application pools. With VM Hosted Applications, published applications do not run on a server OS, but rather on a desktop OS, Windows 10.
The benefits include:
- This strategy uses the same deployment and configuration process as a normal desktop.
- Administrators can publish UWP apps as well as any Win32 applications.
- This setup offers better security than the one-to-many-session relationship used with RDSH servers.
- One-to-one user-to-machine assignment also prevents one user from impacting performance for another user, which can happen in the one-to-many relationship with RDSH servers.
- RDS CALs are not needed.
With a remote-first solution, steps should be taken to ensure that network links, and especially Internet connections, have sufficient bandwidth to cope both with normal demand and with any increase when a larger than normal portion of the workforce has to work remotely.
If bandwidth is constrained or limited, you can configure Horizon to disable or limit functionality that is a large consumer of bandwidth. Features to consider limiting or disabling include audio redirection, USB redirection, and client drive redirection.
Content redirection features in Horizon help direct certain types of traffic directly to the endpoint, minimizing the amount of traffic that enters the datacenter. This is useful when the traffic is coming from an external or internet source and is destined for a user who is also located externally. Redirection features include HTML, Flash, and URL redirection. See .
Horizon Control Plane
The Horizon Control Plane is a cloud-based service that hosts features that can be implemented with Horizon deployments. The service is based on a multi-tenant, cloud scale architecture that enables you to choose where your virtual desktops and applications reside.
Example features enabled by the Horizon Control Plane include:
- – Monitor user sessions and virtual desktops
- – Detailed real-time information about a user’s session(s) and functionality to troubleshoot issues with their experience.
- – Manage golden images for virtual desktops and session or application hosts
- – Provide a single URL for users to access virtual desktops or applications from
The capabilities or the ability to access each feature may be different, based on the version of Horizon that you are using. Refer to the product documentation for each feature listed above for details on the platforms each feature serves.
Figure 21: Management Services from On-Premises to Cloud
Access to the Horizon Control Plane requires the use of a subscription license in your Horizon Deployment. The Horizon universal license entitles you to any version of Horizon that you want via a single subscription entitlement. You can acquire Horizon universal licenses from VMware or partner resellers. After you have acquired the Horizon Universal licenses, you will receive an email that will begin your .
Anyone who is currently using Horizon Cloud on Microsoft Azure is already using a subscription license. Each Horizon Cloud on Microsoft Azure pod is automatically connected to and leverages the Horizon Control Plane for functionality.
If you want to connect your Horizon 7 pod to the Horizon Control Plane, you need to leverage the Horizon 7 Cloud Connector. The is a virtual machine that certifies your entitlement to the Horizon Control Plane and enables the service to integrate with your Horizon 7 pods. You must run a Horizon 7 Cloud Connector for each Horizon 7 pod that you plan on using Horizon subscription licenses with. along with the can be found on the VMware EULA site.
Any Horizon environment needs to be properly licensed. With Horizon 7, you have a choice of using perpetual licenses or Horizon Universal Licensing. The Horizon universal license provides a single subscription license for all Horizon products and gives you the flexibility to deploy and expand on your platform or platforms of choice.
The universal license entitles you to:
- Horizon Cloud on Microsoft Azure
- Horizon Cloud on IBM Cloud
- Horizon 7 subscription:
  - Horizon 7 subscription on-premises
  - Horizon 7 subscription on VMware Cloud on AWS
  - Horizon 7 subscription on Google Cloud VMware Engine
  - Horizon 7 subscription on Azure VMware Solutions
- VMware Verified Cloud Providers
Whether expanding an existing environment or planning for a new deployment, you should review and evaluate the deployment considerations covered in the . This resource is available on to help you get started planning your next step into the digital workspace. It is a key tool that provides a framework and guidance for architecting Workspace ONE and Horizon environments, whether using cloud-based deployments or installing on-premises deployments. Design guidance is given for each product—with a corresponding component design chapter devoted to each product—followed by chapters that provide best practices for integrating the components into a complete platform.
Enhance and Transform
After you have implemented or expanded your Horizon and Workspace ONE solution as part of a business continuity initiative, there are many ways that you can build on and enhance your environment. There are a variety of business drivers and user experience reasons that can compel these.
This section provides an overview of common steps taken to enhance and transform Horizon and Workspace ONE environments into full digital workspaces.
Micro-segmentation with NSX-T
The principle of least privilege can be achieved by using VMware NSX-T. The distributed firewall feature allows for the definition of network security policies and firewall rules that can be applied granularly based on context. This allows for:
- Micro-segmentation – Enables micro-segmentation to protect virtual machines from the lateral spread of threats. The security policy is defined based on context and is enforced individually. Each VM can have individual firewalls and individual security policies.
- Identity-based firewall – Applies micro-segmentation and applies the network security policy based on who the user is and which Active Directory groups they belong to.
Figure 22: Micro-segmentation Enforcing Network Security Policy at the Individual VM Level
The use of micro-segmentation allows for the definition of network policies that will be applied around every resource in the data center.
- Servers can be secured so that only required sources are allowed to communicate and only over the necessary network ports.
- Desktops can have policies applied to prohibit unnecessary lateral communication. For example, rules can block desktop-to-desktop communication.
The use of identity-based firewalls takes this strategy to the next level in a Horizon environment. The network policy can be dynamically applied, based on who the user is. This allows for the policy-based lockdown of the environment to the least privilege required for that user.
With VDI, each user is presented with an entire desktop VM. Firewall rules are based on giving a single user access to their entitled desktop VM on a per-NIC basis.
With RDSH-published applications, each user is presented with an application or session inside a shared server VM. Features include:
- Context-aware support for virtual user sessions running on RDSH
- Application of firewall-rule-based multi-user and multi-session identification, on a per-NIC basis
- Micro-segmentation by NSX-T of each session for Horizon RDSH based on user ID
- Granular application access to simultaneously logged-in users
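The rule behaviour described above (per-VM enforcement with a default deny, desktop-to-desktop traffic blocked, servers reachable only from required sources on required ports, and identity-based rules keyed to the session user's Active Directory groups) as an added, simplified model. This is example code written for this guide, not NSX-T's API or rule syntax; the VM inventory, group names and flows are constructed for illustration.

```python
"""Simplified model of identity-aware micro-segmentation (added example, not NSX-T code)."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

@dataclass(frozen=True)
class Flow:
    src_vm: str
    dst_vm: str
    dst_port: int
    # AD groups of the user who owns the source session (empty for an unattended VM).
    # Two RDSH sessions on the same host can therefore get different decisions.
    user_groups: FrozenSet[str] = frozenset()

@dataclass(frozen=True)
class Rule:
    name: str
    src: str                      # security group of the source VM, or "any"
    dst: str                      # security group of the destination VM, or "any"
    ports: FrozenSet[int]         # permitted destination ports; empty means any port
    action: str                   # "allow" or "drop"
    user_group: Optional[str] = None   # identity condition: AD group the session user must hold

# Constructed inventory: VM name -> security groups (NSX would derive these from tags).
INVENTORY = {
    "vdi-desk-01": {"vdi-desktops"},
    "vdi-desk-02": {"vdi-desktops"},
    "rdsh-01": {"rdsh-hosts"},
    "fileserver-01": {"file-servers"},
    "hr-app-01": {"hr-app-servers"},
    "dc-01": {"domain-controllers"},
}

# Constructed policy, evaluated top to bottom; anything unmatched is dropped.
POLICY = [
    # Identity-based rule: only members of the HR group reach the HR application,
    # regardless of which desktop or RDSH session they are working from.
    Rule("hr-users-to-hr-app", "any", "hr-app-servers", frozenset({443}), "allow", user_group="HR"),
    # Servers: only the required sources, only the required ports.
    Rule("desktops-to-dc", "vdi-desktops", "domain-controllers", frozenset({88, 389, 445}), "allow"),
    Rule("desktops-to-fileshares", "vdi-desktops", "file-servers", frozenset({445}), "allow"),
    Rule("rdsh-to-fileshares", "rdsh-hosts", "file-servers", frozenset({445}), "allow"),
    # Explicitly block lateral desktop-to-desktop traffic so it is logged under a named rule.
    Rule("block-desktop-lateral", "vdi-desktops", "vdi-desktops", frozenset(), "drop"),
]

def _in_group(vm: str, group: str) -> bool:
    return group == "any" or group in INVENTORY.get(vm, set())

def evaluate(flow: Flow, rules: List[Rule]) -> Tuple[str, str]:
    """Return (action, rule_name) for the first matching rule; default deny."""
    for rule in rules:
        if not _in_group(flow.src_vm, rule.src) or not _in_group(flow.dst_vm, rule.dst):
            continue
        if rule.ports and flow.dst_port not in rule.ports:
            continue
        if rule.user_group is not None and rule.user_group not in flow.user_groups:
            continue
        return rule.action, rule.name
    return "drop", "default-deny"

def denied(flows: List[Flow], rules: List[Rule]) -> List[Tuple[Flow, str]]:
    """Flows the policy would drop, with the rule responsible; useful for a dry run before enforcement."""
    results = [(flow, evaluate(flow, rules)) for flow in flows]
    return [(flow, name) for flow, (action, name) in results if action == "drop"]

if __name__ == "__main__":
    sample = [
        Flow("vdi-desk-01", "vdi-desk-02", 445),
        Flow("vdi-desk-01", "fileserver-01", 445),
        Flow("rdsh-01", "hr-app-01", 443, frozenset({"HR"})),
        Flow("rdsh-01", "hr-app-01", 443, frozenset({"Finance"})),
    ]
    for flow, name in denied(sample, POLICY):
        print(f"DROP {flow.src_vm} -> {flow.dst_vm}:{flow.dst_port} by {name}")
```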
Security with VMware Carbon Black
Organizations are dealing with significant challenges from suddenly having an influx of remote workers accessing business applications and data from their home offices and devices. Teams are dealing with a significant loss of visibility and weakened security tools at a time that our research shows attackers are increasing their activity to take advantage of the chaotic situation. Once a remote working solution is planned or has been deployed, security teams have to focus on how to best secure those remote endpoints on a long-term basis.
is a cloud-native endpoint protection platform that carries unique value for those organizations who are struggling to maintain a strong security posture on remote endpoints by providing greater visibility, up-to-date prevention policies, and reduced operational complexities.
Carbon Black Cloud consolidates multiple endpoint security capabilities using one agent and console, helping you operate faster and more effectively. As part of VMware’s intrinsic security approach, Carbon Black Cloud spans the system hardening and threat prevention workflow to accelerate responses and defend against a variety of threats.
Our cloud-native platform and lightweight agent eliminate many of the time- and resource-consuming barriers that often slow down deployments, allowing your team to optimize time-to-value. The platform also provides your team with the full visibility and control required to consistently prevent, detect, and respond to threats to all protected endpoints, regardless of their location.
- Roll out our lightweight sensor remotely without the need to stand up any additional hardware.
- Update prevention policies in minutes without the need to VPN into the corporate network.
- Get full visibility into endpoint activity to investigate and triage threats from anywhere.
- Audit and fix unwanted changes to configuration settings and security controls.
Figure 23: Security orchestration flow integrating Workspace ONE UEM, Intelligence and VMware Carbon Black.
Networking with VMware SD-WAN
With a move to support remote working and a more distributed workforce, WAN links and their resiliency become increasingly important. As users’ locations become more fluid, a larger number of smaller, localized branch offices, with the workforce distributed away from large centralized offices, becomes an attractive option.
VMware SD-WAN enables enterprises to support application growth, network agility, and simplified branch implementations while delivering optimized access to cloud services, private data centers and enterprise applications simultaneously over both ordinary broadband Internet and private links.
WAN technologies used in most branch offices today have changed little, if at all, in the last couple of decades. Traditional wide area networks use rigid architectures that are optimized around private data center applications. These architectures are unable to seamlessly integrate cloud computing, SaaS, virtualization, and other industry advances. Branch offices with only private-circuit connections rely on backhauling all cloud application, SaaS, and Internet traffic through the enterprise data center, adding latency, degrading application performance, and driving up network bandwidth costs.
MPLS typically provides high quality of service, but with the tradeoff of limited capacity, higher cost, and long deployment lead times. Broadband provides fast deployments and greater capacity, but with the tradeoff of reliability. These factors can have the following negative impacts:
- Branch network deployments delayed due to IT complexity or lack of wireline service
- New applications inhibited by bandwidth or the lack of assured performance
- Cloud migration not supported by traditional hub and spoke wide area network architecture
SD-WAN enables enterprises to incorporate both private MPLS and broadband Internet links, which can reduce costs and increase agility and performance, while reducing complexity.
SD-WAN helps in solving challenges with:
- Providing optimal connectivity
- Enabling bandwidth expansion
- Automating branch deployments
- Supporting virtual services
Unified Digital Workspace with Workspace ONE
A unified digital hub is essentially a single digital space where everything an employee needs to perform their normal daily tasks is located. A digital hub is accessible from every device type on the planet (whether personal or corporate) and acts as an experiential platform for every interaction an employee could need. A digital hub includes:
- A location to download or launch every single application and app type via SSO
- An embedded VDI platform to make even challenging workloads available anywhere
- A place to receive informational, urgent, or critical notifications including the ability to respond and to give corporate communications the ability to track responses
- An ability to surface common business flows such as onboarding, approvals, orders, and re-orders
- A place to access current intranets (with embedded per app VPN) with a single click
- A chat bot that responds to a myriad of employee requests using natural language and integrates into other systems such as ITSM
- A directory of every co-worker with contact information
- Embedded support for one-click access to helpdesk resources
What is described above is what is currently available in VMware’s Workspace ONE platform. It is a single platform upon which to build a comprehensive and compelling employee experience. And the current national trial has demonstrated the immense value in providing such a platform for employees.
Workspace ONE has proven highly effective for building culture and productivity. More importantly, it provides a total workforce with the ability to look to this “single digital space” for everything in a time of crisis, because they have habitually gone to this “single digital space” for everything. In a crisis, we don’t rely on email; we interact with urgency through our hub. We can still leverage intranet since one-click access to it is embedded in our hub. We don’t need employees’ personal mobile numbers, as they have the hub on every personal and corporate device, or simply via any browser on any device.
Securing the enterprise is a lot easier when all the endpoints (laptops, mobile devices, and so on), applications, and users are within the network perimeter than when they are outside it. Traditionally, securing the network perimeter has been the recommended approach for most enterprises, but as workforces become remote-first, workstyles become flexible, and technologies such as mobile and cloud mature, a Zero Trust model for security is gaining traction.
At VMware, our Zero Trust solution is based on developing five pillars of trust. These pillars are device trust, user trust, transport/session trust, application trust, and data trust. A full implementation requires all five pillars. Zero Trust does not implicitly trust any one of these pillars and instead continuously verifies trust across all before granting access to resources. Such a security model offers greater flexibility and choice to employees to work from anywhere and from any device while ensuring optimal security at all times.
Figure 24: Five Pillars of Zero Trust
Another key component of Zero Trust is the concept of least-privilege access. The idea is that a user or system should have access to only those resources that are specifically required to perform the task at hand. No more, no less.
The Zero Trust methodology can be applied to protect any application, but the implementation might look different, depending on the use case. One use is to enhance the secure access to Horizon desktops and published applications.
Any employee irrespective of where (home, office, coffee shop, and so on), will almost certainly use a device (mobile, laptop, and so on) to access email, attend meetings, or find enterprise information on any regular day.
- Using its Unified Endpoint Management capabilities, Workspace ONE is able to quickly verify if it’s a trusted device.
- Additionally, as the user inputs their credentials, Workspace ONE’s Access technology seamlessly brokers between a variety of identity stores and providers, and offers a single sign-on (SSO) access to mobile, SaaS, web and virtual applications.
- As needed, it is also able to invoke native MFA or other third-party MFA solutions to add an additional layer of security before granting access to the corporate information.
- Tying together the device compliance and user credentials is the analytics and automation engine we call Workspace ONE Intelligence.
- Leveraging machine learning, Workspace ONE Intelligence works on data it gathers from the Workspace ONE platform, Carbon Black’s Endpoint Solutions, and our Trust Network partners to give IT and the security teams complete visibility into the IT infrastructure.
- Further, using its automation engine and orchestration capabilities, Intelligence orchestrates various ITSM tools (ServiceNow, Slack, and so on) and even automates remediation efforts (push software updates and security patches, quarantine the device, block access to an app, deny access to data, and more).
When the risk is deemed low and the user and device are considered trustworthy, Workspace ONE then allows access to Enterprise applications that may reside either in the cloud or the datacenter. When accessing data behind a firewall, Workspace ONE can allow only per-app VPN access to the datacenter, thereby further reducing the attack surface for any threat. Encryption is checked both at rest and in-motion to ensure the integrity of the data is maintained throughout the session, giving an added level of confidence.
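The access decision described in the steps above (device compliance, user credentials, step-up to MFA, a risk signal from analytics driving remediation, and least-privilege per-app VPN to datacenter apps) as an added, simplified model. This is example code written for this guide, not Workspace ONE Access or Intelligence policy syntax; the field names, the 0 to 100 risk scale and the thresholds are assumptions for illustration.

```python
"""Simplified Zero Trust access decision across the five trust pillars (added example)."""
from dataclasses import dataclass
from typing import Dict, List

@dataclass(frozen=True)
class Device:
    managed: bool      # enrolled in unified endpoint management
    compliant: bool    # passes the compliance policy (encryption, passcode, not rooted, ...)
    patched: bool      # OS security updates are current

@dataclass(frozen=True)
class User:
    authenticated: bool
    auth_method: str   # "password", "certificate" or "mfa"

@dataclass(frozen=True)
class AccessRequest:
    app: str
    sensitivity: str       # "low", "medium" or "high" (assumed classification)
    location: str          # "cloud" or "datacenter"
    device: Device
    user: User
    risk_score: int        # 0 (clean) to 100 (compromised); assumed analytics scale
    session_encrypted: bool

STRONG_AUTH = {"certificate", "mfa"}
RISK_BLOCK = 80        # assumed threshold: block the app and raise a remediation action
RISK_STEP_UP = 50      # assumed threshold: require strong authentication

def decide(req: AccessRequest) -> Dict[str, object]:
    """Evaluate every pillar on each request; nothing is trusted implicitly."""
    actions: List[str] = []   # remediation actions an automation engine would trigger

    def deny(reason: str) -> Dict[str, object]:
        return {"decision": "deny", "reason": reason, "actions": actions}

    # Transport/session trust: refuse anything not protected in motion.
    if not req.session_encrypted:
        return deny("unprotected session")
    # User trust: the identity broker must have verified the user.
    if not req.user.authenticated:
        return deny("user not authenticated")
    # Device trust: managed devices are checked for compliance; unmanaged ones
    # are limited to low-sensitivity apps.
    if req.device.managed:
        if not req.device.compliant:
            actions.append("quarantine_device")
            return deny("device out of compliance")
        if not req.device.patched:
            actions.append("push_security_patches")   # remediate without blocking
    elif req.sensitivity != "low":
        return deny("unmanaged device")
    # Risk from analytics: block at high risk, step up authentication at elevated
    # risk or for high-sensitivity apps when only a password was presented.
    if req.risk_score >= RISK_BLOCK:
        actions.append("block_app_access")
        return deny("high risk score")
    needs_strong = req.risk_score >= RISK_STEP_UP or req.sensitivity == "high"
    if needs_strong and req.user.auth_method not in STRONG_AUTH:
        return {"decision": "step_up", "reason": "strong authentication required", "actions": actions}
    # Application/data trust: SSO to the app, and for datacenter apps a per-app
    # VPN that exposes only that application rather than the whole network.
    controls = ["sso"]
    if req.location == "datacenter":
        controls.append("per_app_vpn")
    return {"decision": "allow", "controls": controls, "actions": actions}

if __name__ == "__main__":
    good = Device(managed=True, compliant=True, patched=True)
    pw = User(authenticated=True, auth_method="password")
    print(decide(AccessRequest("intranet", "medium", "datacenter", good, pw, 10, True)))
    print(decide(AccessRequest("payroll", "high", "cloud", good, pw, 10, True)))
```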
The following diagram shows how the various Workspace ONE and Horizon components interact to build an end-to-end solution that incorporates the following Zero Trust elements:
- Verification of device compliance
- Conditional, least-privilege access
- Certificate-based and multi-factor authentication
- Single sign-on
- Micro-segmentation of networks
- Automated real-time threat detection and remediation
- Session protection
- Protection of data at rest
Figure 25: Trust Enforcement Points
Depending on the use case, virtual applications and desktops may be the most useful option for an enterprise, as they give customers another level of security. By integrating them with Workspace ONE, your company can ensure a consistent user experience, Zero Trust security, continuous communications via Workspace ONE Intelligent Hub and, most importantly, uninterrupted productivity.
Workspace ONE Assist
VMware Workspace ONE® Assist allows VMware Workspace ONE UEM administrators to remotely access and troubleshoot devices in real time while respecting end-user privacy. It provides cross-platform support, including Windows 10, macOS, iOS, and Android.
Figure 26: Remote Access to Android Device with Workspace ONE Assist
The ability to remotely troubleshoot devices allows IT to quickly resolve issues impacting end user experience and productivity. To learn more about the features of Workspace ONE Assist, see . For comprehensive deployment details, consult the .
Workspace ONE Trust Network
With the removal of local office boundaries and security as the top priority, endpoint and data protection is a major concern. VMware Workspace ONE® Trust Network allows verified security partner solutions to integrate with Workspace ONE Intelligence to deliver predictive and automated security in the digital workspace. Workspace ONE Trust Network is rapidly expanding; the released integrations and their respective categories are:
- VMware Carbon Black (Endpoint Protection Platform)
- Lookout for Work (Mobile Threat Defense)
- Netskope (Cloud Access Security Broker)
- Wandera (Mobile Threat Defense)
- Zimperium (Mobile Threat Defense)
Integrating Workspace ONE Trust Network with Workspace ONE Intelligence provides insight into threats detected by each of the Trust Network components configured in the environment. With this information, you can gain insights through predefined dashboards, customize them as you need, and create automations based on threat events. The automation capability allows remediation actions to be initiated immediately, brings the InfoSec teams up to speed with key information about the threat and the device under attack, enables communication across teams through integration with third-party collaboration tools, and more.
Figure 27: Consolidated Threat View Reported by Trust Network Solutions Over Time in Workspace ONE Intelligence
Summary and Additional Resources
Whether you were new to Horizon 7, Horizon Cloud, and Workspace ONE or were an experienced user, this guide provided a start to exploring ways to meet the challenges of today’s events, as well as to be better prepared for business continuity and disaster recovery in the future. We started by reflecting on the current state of your deployment and conducted a health check to solidify your existing enterprise. Next, we explored a variety of expansion options available for both new environments and existing ones. Next, we covered the deployment considerations to be aware of, including best practices guidance. And we ended by discussing how to enhance and transform your deployment to add security, improve user experience, drive digital transformation, and achieve your business continuity goals.
Authors and Contributors
This guide was written by:
- , Senior Staff EUC Staff Architect, EUC Technical Marketing, VMware
- , Senior Manager, EUC Technical Marketing, VMware
- , EUC Staff Architect, EUC Technical Marketing, VMware
- , EUC Staff Architect, EUC Technical Marketing, VMware
- , Staff Architect, EUC Technical Marketing, VMware
- , Senior Architect, EUC Technical Marketing, VMware
- , Senior Architect, EUC Technical Marketing, VMware
- , Staff Architect, EUC Technical Marketing, VMware
- , Senior Technical Marketing Manager, EUC Technical Marketing, VMware
- , Senior Architect, EUC Technical Marketing, VMware