Evaluation Guide for VMware Horizon Cloud Service – Next-Gen
This evaluation guide introduces you to VMware Horizon® Cloud Service™ - next-gen. This solution combines the management functionality of the Horizon Cloud Service control plane with the cost-saving capacities of scalable cloud platforms.
Use Horizon Cloud to manage VDI machines and published applications that are hosted in a cloud platform, such as a Microsoft Azure infrastructure, on RDSH servers or Windows 10 or Windows 11 Enterprise multi-session desktops. You have the flexibility to choose the deployment option that best meets the needs of your organization or use cases.
This guide describes the process of deploying Horizon Cloud Service components into a Microsoft Azure capacity. (At the time of this writing, Microsoft Azure is the first supported resource capacity provider.) With Horizon Cloud – next-gen, the VDI infrastructure services, app-packaging services, connection brokering service, edge gateways, databases, and so on are managed by VMware in the Horizon Control Plane. The components you will be managing have to do with the virtual desktop images and applications you want to deploy. You can also leverage automation to perform basic agent updates to VDI and RDSH server VMs.
Purpose of This Guide
The tutorials in this guide help you evaluate this product through a series of practical exercises. You will deploy a Horizon Edge that connects your cloud capacity provider to the Horizon Control Plane and your identity provider, and then explore core capabilities and key features.
Important: The exercises in this guide are for evaluation purposes, based on minimum required resources for a basic deployment, and do not explore all possible features. The resulting environment should not be used as a template for deploying a production environment. To deploy a production environment, see the .
This guide is intended for security architects, engineers, and administrators who want to familiarize themselves with, or are in the process of implementing, a Horizon Cloud Service – next-gen deployment.
It is assumed that you have familiarity with Windows data center technologies such as Microsoft Azure and Active Directory, and knowledge of VMware Horizon® and VMware Unified Access Gateway™. For a basic description, see
You should also be familiar with virtualization technology, cloud computing, network routing, and firewall security architecture. Knowledge of compatibility is also useful when using VMware Horizon Cloud Service on Microsoft Azure (see ).
Technical Introduction and Features
Horizon Cloud Service delivers virtual desktops and applications using a DaaS (desktop-as-a-service) platform that is scalable across multiple deployment options. The overall Horizon Cloud tenant environment consists of the VMware-hosted cloud service, your designated resource capacity, on a cloud platform, and the VMware software you deploy into that capacity.
Horizon Cloud Service provides a single cloud control plane, run by VMware, that enables the central orchestration and management of remote desktops and applications in your cloud platform resource capacity. The cloud control plane also hosts the common cloud- and web-based management user interface called the Horizon Universal Console, or console, for short.
- You first log into VMware Cloud Services, and then into VMware Workspace ONE services, which include Horizon Cloud Service as well as Workspace ONE Access, an identity provider, and other services.
- When you launch the Horizon Cloud Service, you are taken to the Horizon Universal Console, so that you can connect to machine and user identity providers and deploy a Horizon Edge to connect these to your capacity provider and to the Horizon Control Plane.
- From there you can create virtual desktops, multi-session desktop VMs and RDSH servers, as well as published apps and app packages, and then entitle these to your end users.
- You also have access to all the , which can expand your control across multiple Horizon cloud environments.
Features and Benefits
Key features of Horizon Cloud Service – next-gen include:
- Application and desktop delivery: Dedicated and floating desktops are available with virtual desktop infrastructure (VDI). If Microsoft Azure is used as the resource capacity provider, Azure Virtual Desktop is used, and you get the associated advantages of built-in licensing, special Azure instance pricing, and the Windows 10 or Windows 11 Enterprise multi-session desktop operating system.
- Low-cost hourly billing and power management options: You benefit from consumption-based pricing for capacity, as well as no upfront costs or termination fees. Horizon Cloud has built-in features that automatically allocate and deallocate RD Session Hosts based on demand. For VDI machines, you can schedule powering off for weekends, holidays, and non-working hours.
- Simplified deployment and management: Depending on the complexity of your configuration, it can take as little as 60 minutes to deploy the service to your own capacity provider instance. Even when you have deployments in multiple regions, you still use the same cloud-based management UI to configure and manage all your Horizon Cloud environments.
- Advanced automation: Horizon Cloud - next-gen is built entirely using APIs, so that anything you can do from the management interface is accessible through APIs. This public API platform supports third-party ticketing or monitoring solutions, partner-built managed service offerings, and customer-built integrations and automations that leverage existing workflows.
- Cloud monitoring and image management: You can avoid needing a third party or additional tool to monitor or manage your Horizon Cloud Service deployment. Our new cloud-based monitoring feature allows you to keep an eye on your deployment from a single UI.
- Certified Azure Virtual Desktop Solution - VMware is an approved , which means that customers can leverage the Azure Virtual Desktop benefits from their Microsoft 365 subscription or Enterprise Agreement in Horizon Cloud Service. This includes Windows 10 and 11 Enterprise multi-session, which is exclusive to Azure Virtual Desktop.
Components and Architecture
The core elements of Horizon Cloud Service include:
- Horizon Cloud control plane, which also hosts the Horizon Universal Console UI
- VMware Horizon Edge Gateway
- VMware Unified Access Gateway
- Horizon Agent
- VMware Horizon® Client
- VMware App Volumes™
- VMware Dynamic Environment Manager™
Packaging and Licensing
Two licensing models are available:
- Per named user: For virtual environments with end users that require dedicated access to VMs throughout the day
- Per concurrent connection: For virtual environments with a high number of users who share machines throughout the day, such as students or shift workers
The following types of subscription license are available:
- Universal subscription for Horizon apps only or Horizon apps and desktops
- Standard subscription for Horizon apps only
Prerequisites for Completing the Exercises in This Guide
Tip: If you do not have a Microsoft Azure subscription, you might be able to sign up for a free Microsoft Azure account.
Although some of the exercises in guide walk you through performing some of the prerequisite tasks in Microsoft Azure, there are some networking prerequisites that are not included in the exercises. See the following product documentation links and make sure your environment satisfies these requirements before you proceed:
Horizon Cloud Onboarding and Domain Registration
Most of the setup and administration tasks for Horizon Cloud Service are accomplished by using the Horizon Universal Console. The exercises in this chapter walk you through signing up for a free trial and registering an Active Directory domain to be used for machine identity.
Exercise: Sign Up for a Free Trial and Onboard to Horizon Cloud
This exercise covers the process of:
- Creating an account on the VMware Customer Connect website
- Registering for a 60-day free trial of Horizon Cloud – next-gen
- Onboarding—activating VMware Workspace ONE services, which include Horizon Cloud – next-gen
- Launching the Horizon Cloud Service and logging in to the Horizon Universal Console
Exercise: Register the Active Directory Domain to Be Used for Machines
In this exercise, you bind an Active Directory domain to Horizon Cloud Service so that machine objects can be created in Active Directory. These machine accounts are for virtual desktops and app servers of published apps.
This exercise covers:
- Verifying that the on-premises Active Directory is connected to the vNet that will be used in Microsoft Azure
- Making sure the domain bind and domain join AD user accounts have been created and have the required permissions
- Specifying the DNS domain name and the organizational unit (OU) to use for storing the computer accounts that get automatically created for virtual desktops and RDSH app servers
Setting Up Workspace ONE Access as the User Identity Provider
The exercises in this chapter walk you through setting up VMware Workspace ONE Access to be the identity provider that authenticates end users, authorizes their access to desktops and apps, and provides single sign-on. This setup integrates with Horizon Cloud Services, as well as other Workspace ONE services such as Workspace ONE UEM.
Exercise: Install the VMware Workspace ONE Access Connector
In this exercise, you perform a default installation, which installs the Directory Sync, User Auth, Kerberos Auth, and Virtual App services. For information about a custom installation, see the production documentation topic .
Server host requirements: In the video demonstration, we used a Windows Server 2019 Desktop Experience virtual machine, with 4 CPU cores, 12 GB of RAM, and 100 GB of disk space. For complete system requirements, see the product documentation topic .
This exercise covers:
- Checking to see if the .NET Framework 4.8 is installed on the server that is to host the Workspace ONE Access Connector
- Downloading the connector installer and configuration file
- Running the installer
- Specifying the service account to be used for running the services that get installed
Exercise: Sync Active Directory User Groups with Workspace ONE Access
Now that you have installed the Directory Sync service, which is a component of the Workspace ONE Access Connector, you can create a directory in Workspace ONE Access and sync it to Active Directory users and groups in your enterprise. Although it is possible to use various types of directories, for this exercise, we use Active Directory over Integrated Windows Authentication.
A limited number of user and group attributes, which you, the administrator, specify, are synced to the Workspace ONE Access service. User passwords and any attributes other than the ones specified by the administrator are not synced.
Important: Before you start this exercise, you must have an Active Directory security group whose members include the user accounts you want to add to Horizon Cloud. If necessary, create the group in Active Directory Users & Groups and add the accounts as members.
This exercise covers:
- Adding a directory to Workspace ONE Access
- Specifying the AD user account that has permission to query users and groups for the required domains
For information about what permissions that user needs, see the product documentation topic called .
- Specifying the user and group distinguished names (DNs) from AD, as described in the Microsoft documentation topic
- Setting a schedule that specifies how frequently synchronization will be performed
Exercise: Add Custom User Attributes and Configure People Search
When you sync user groups between Workspace ONE Access and an on-prem Active Directory server, some user attributes get mapped from one system to the other. In this exercise, you map the additional custom attributes that are required for Horizon Cloud. You also map custom attributes that are required for the people search component of the Intelligent Hub, which is required if you plan to use Workspace ONE Access as the user identity provider.
Employees use the VMware Workspace ONE Intelligent Hub app, or the browser-based Hub portal, to access, discover, and connect with corporate resources, teams, and workflows within a company.
This exercise covers:
- Adding and mapping the
netBioscustom attributes for integration with Horizon Cloud – next-gen
- Manually syncing the directory to add the custom attributes to the group
- Adding and mapping the
businessUnitpeople search custom attributes for integration with Horizon Cloud – next-gen
Exercise: Connect Workspace ONE Access as the User Identity Provider for Horizon Cloud
Separating machine identity from user identity offers flexibility. For user identity, you can use either Azure Active Directory, soon to be renamed Microsoft Entra ID, or VMware Workspace ONE Access. For information about the various choices, see the documentation topic called .
Earlier exercises showed how to connect Workspace ONE Access to an on-premises Active Directory and synchronize user directories. In this exercise, you connect Workspace ONE Access to Horizon Cloud Service.
This video covers:
- Determining the FQDN of the Workspace ONE Access tenant
- Completing the Identity Provider wizard
Exercise: Create a Single Sign-On Configuration
With single sign-on, or SSO, users log in to Horizon Cloud once, and then they can access their virtual desktops and apps without having to log in again. In this exercise, you configure a VMware certificate authority to issue short-lived certificates for authentication to accomplish SSO.
This exercise covers:
- Setting the certificate authority mode to root
For information about the other modes, see the documentation topic called .
- Specifying an SSO configuration name and SSO configuration domain name
- Downloading the certificate authority (CA) bundle, which includes a PowerShell script, on the domain controller
- Running the PowerShell script that:
- Publishes the root certificate and the various certificate revocation lists, and adds them to the DS store
- Adds the certificate to the Enterprise NTAuth store
- Updates the computer policy
Deploying a Horizon Edge
The Horizon Edge is the “thin edge” part of the Horizon Cloud – next-gen architecture. It securely connects end users to their virtual desktops and apps in a cloud platform, such as Microsoft Azure. It also connects to the Horizon Control Plane, so that administrators can create, manage, and assign those virtual desktops and apps.
Each Horizon Edge can support up to 20,000 end users. Scaling beyond that number is straightforward by adding additional Horizon Edges.
This chapter incudes an exercise about running the deployment wizard for a Horizon Edge and also an exercise that walks you through three prerequisite tasks that must be completed in Microsoft Azure prior to deploying an edge.
Exercise: Create a Service Principal and Managed Identity, and Register Required Resource Providers
In this exercise, you create accounts and configure resources that are required for integrating with Microsoft Azure resources:
- Service principal – A service principal is similar to a service account in an on-prem Active Directory. The service principal is for enterprise apps that need to access Azure resources.
Important: When creating the service principal, you are strongly advised to copy the client secret and paste it into a document so that you can copy and paste it into the Edge Deployment wizard later. Also make note of the expiration date you specify for the service principal.
- Azure resource providers – There are 11 resources that the service principal will access. The providers of these resources must be registered.
- User-managed identity – A user-managed identity is just like a service principal except that it is linked to an Azure resource rather than to an app. For Horizon Cloud, the Azure resource linked to the user-managed identity is the Azure Kubernetes Service.
Exercise: Deploy a Horizon Edge
A Horizon Edge consists of one or more Horizon Edge Gateways and one or more pairs of load-balanced Unified Access Gateway virtual appliances; there are no connection servers and no cloud connectors. If more capacity is needed, you need only deploy a new Horizon Edge.
Because the exercises in this guide build on one another, before you attempt this exercise, be sure you have completed all the preceding exercises.
Besides the networking tasks, you must determine the fully qualified domain name (FQDN) you want to use for the load balancer that will front the pair of Unified Access Gateways that the deployment wizard creates. Before you run the wizard, you must also acquire a security certificate that corresponds to that FQDN, as described in the documentation topic .
Deploying Desktops and Apps to End Users
The exercises in this chapter walk you through creating and publishing a Windows OS image and then using that image to create a desktop and app pool. To assign the desktops and apps to end users, you add the pool to a pool group and then entitle users.
Exercise: Import and Publish a Windows OS Image
Creating a Windows OS image that you can use for VDI desktops or session-based desktops and published applications involves importing an OS image, making any changes or additions to the image, and then publishing the image. In this exercise, you also auto-scan the multi-session VM for applications that you want to publish.
Exercise: Create a Pool and Group and Assign Desktops and Apps
In this exercise, you first create a pool from the multi-session Windows VM that you published in the previous exercise. You then add that pool to a pool group, select which apps to publish, and then entitle the pool group to end users and groups.
Summary and Additional Resources
Now that you have completed the exercises in this guide, you should have a basic setup of Horizon Cloud – next-gen. First, you completed Horizon Cloud Service onboarding and registered the Active Directory domain to use for machine identity. Then you set up Workspace ONE Access as the user identity provider and configured single sign-on for end users. Finally, you deployed a Horizon Edge to connect end users to their virtual desktop and app resources residing in a cloud platform, and to connect these to the Horizon Control Plane for centralized management and monitoring.
Although the basic environment you just set up is for evaluation purposes only, you can now explore further on your own as you evaluate this offering. When you are ready to deploy a production environment, see the .
Next Steps and Additional Resources
This guide addressed the one-time setup tasks required to deploy Horizon Cloud – next-gen. For day-2, operational tasks, such as creating Windows VM images and managing published apps and virtual desktops, see the following documents and videos.
VMware Digital Workspace Tech Zone Resources
The following updates were made to this guide:
Description of Changes
Added the chapter “Deploying Desktops and Apps to End Users.”
Original publication date.
About the Author and Contributors
This guide was written by , Senior Technical Marketing Manager, End-User-Computing Technical Marketing. Important contributions were provided by , Staff Technical Marketing Architect, End-User Computing, VMware. Some videos in this series were narrated by , Technical Marketing Manager, End-User-Computing Technical Marketing, Vmware.
Your feedback is valuable.