Evaluation Guide for VMware Horizon Cloud Service – Next-Gen
Overview
This evaluation guide introduces you to VMware Horizon® Cloud Service™ - next-gen. This solution combines the management functionality of the Horizon Cloud Service control plane with the cost-saving capacities of scalable cloud platforms.
Use Horizon Cloud to manage VDI machines and published applications that are hosted in a cloud platform, such as a Microsoft Azure infrastructure, on RDSH servers or Windows 10 or Windows 11 Enterprise multi-session desktops. You have the flexibility to choose the deployment option that best meets the needs of your organization or use cases.
This guide describes the process of deploying Horizon Cloud Service components into a Microsoft Azure capacity. (At the time of this writing, Microsoft Azure is the first supported resource capacity provider.) With Horizon Cloud – next-gen, the VDI infrastructure services, app-packaging services, connection brokering service, edge gateways, databases, and so on are managed by VMware in the Horizon Control Plane. The components you will be managing have to do with the virtual desktop images and applications you want to deploy. You can also leverage automation to perform basic agent updates to VDI and RDSH server VMs.
Purpose of This Guide
The tutorials in this guide help you evaluate this product through a series of practical exercises. You will deploy a Horizon Edge that connects your cloud capacity provider to the Horizon Control Plane and your identity provider, and then explore core capabilities and key features.
Important: The exercises in this guide are for evaluation purposes, based on minimum required resources for a basic deployment, and do not explore all possible features. The resulting environment should not be used as a template for deploying a production environment. To deploy a production environment, see the Horizon Cloud Service documentation.
Audience
This guide is intended for security architects, engineers, and administrators who want to familiarize themselves with, or are in the process of implementing, a Horizon Cloud Service – next-gen deployment.
It is assumed that you have familiarity with Windows data center technologies such as Microsoft Azure and Active Directory, and knowledge of VMware Horizon® and VMware Unified Access Gateway™. For a basic description, see What Is VMware Horizon Cloud Service - next-gen?
You should also be familiar with virtualization technology, cloud computing, network routing, and firewall security architecture. Knowledge of product compatibility is also useful when using VMware Horizon Cloud Service on Microsoft Azure (see VMware Product Interoperability Matrices).
Technical Introduction and Features
Horizon Cloud Service provides a single cloud control plane, run by VMware, that enables the central orchestration and management of remote desktops and applications in your cloud platform resource capacity. The cloud control plane also hosts the common cloud- and web-based management user interface called the Horizon Universal Console, or console, for short.
- You first log into VMware Cloud Services, and then into VMware Workspace ONE services, which include Horizon Cloud Service as well as Workspace ONE Access, an identity provider, and other services.
- When you launch the Horizon Cloud Service, you are taken to the Horizon Universal Console, so that you can connect to machine and user identity providers and deploy a Horizon Edge to connect these to your capacity provider and to the Horizon Control Plane.
- From there you can create virtual desktops, multi-session desktop VMs and RDSH servers, as well as published apps and app packages, and then entitle these to your end users.
- You also have access to all the Horizon Control Plane services, which can expand your control across multiple Horizon cloud environments.
Features and Benefits
Key features of Horizon Cloud Service – next-gen include:
- Application and desktop delivery: Dedicated and floating desktops are available with virtual desktop infrastructure (VDI). If Microsoft Azure is used as the resource capacity provider, Azure Virtual Desktop is used, and you get the associated advantages of built-in licensing, special Azure instance pricing, and the Windows 10 or Windows 11 Enterprise multi-session desktop operating system.
- Low-cost hourly billing and power management options: You benefit from consumption-based pricing for capacity, as well as no upfront costs or termination fees. Horizon Cloud has built-in features that automatically allocate and deallocate RD Session Hosts based on demand. For VDI machines, you can schedule powering off for weekends, holidays, and non-working hours.
- Simplified deployment and management: Depending on the complexity of your configuration, it can take as little as 60 minutes to deploy the service to your own capacity provider instance. Even when you have deployments in multiple regions, you still use the same cloud-based management UI to configure and manage all your Horizon Cloud environments.
- Advanced automation: Horizon Cloud - next-gen is built entirely using APIs, so that anything you can do from the management interface is accessible through APIs. This public API platform supports third-party ticketing or monitoring solutions, partner-built managed service offerings, and customer-built integrations and automations that leverage existing workflows.
- Cloud monitoring and image management: You can avoid needing a third party or additional tool to monitor or manage your Horizon Cloud Service deployment. Our new cloud-based monitoring feature allows you to keep an eye on your deployment from a single UI.
- Certified Azure Virtual Desktop Solution - VMware is an approved Azure Virtual Desktop provider, which means that customers can leverage the Azure Virtual Desktop benefits from their Microsoft 365 subscription or Enterprise Agreement in Horizon Cloud Service. This includes Windows 10 and 11 Enterprise multi-session, which is exclusive to Azure Virtual Desktop.
Components and Architecture
The core elements of Horizon Cloud Service include:
- Horizon Cloud control plane, which also hosts the Horizon Universal Console UI
- VMware Horizon Edge Gateway
- VMware Unified Access Gateway
- Horizon Agent
- VMware Horizon® Client
- VMware App Volumes™
- VMware Dynamic Environment Manager™
For a description of how these components work together, along with a logical architecture diagram, see the Architectural Overview section of the Horizon Cloud Service – next-gen Architecture document.
Packaging and Licensing
Two licensing models are available:
- Per named user: For virtual environments with end users that require dedicated access to VMs throughout the day
- Per concurrent connection: For virtual environments with a high number of users who share machines throughout the day, such as students or shift workers
The following types of subscription license are available:
- Universal subscription for Horizon apps only or Horizon apps and desktops
- Standard subscription for Horizon apps only
Prerequisites for Completing the Exercises in This Guide
Before starting the exercises in this guide, you must provide your own Microsoft Azure IaaS capacity. See the documentation topic Microsoft Azure Capacity Requirements.
Tip: If you do not have a Microsoft Azure subscription, you might be able to sign up for a free Microsoft Azure account.
Although some of the exercises in this guide walk you through performing some of the prerequisite tasks in Microsoft Azure, there are some networking prerequisites that are not included in the exercises. See the following product documentation links and make sure your environment satisfies these requirements before you proceed:
- Network Requirements and Configure the Network Requirements
- Port and Protocol Requirements for Your Horizon Cloud Deployment in Microsoft Azure and Make Appropriate Destination URLs Reachable to Deploy a Horizon Edge Gateway in a Microsoft Azure Environment
- Unified Access Gateway Requirements
- Obtain Licensing for the Microsoft Windows Operating Systems
For a complete list of all the requirements, see the documentation topic called Requirements Checklist for Deploying a Microsoft Azure Edge and also see the topic called Microsoft Azure Deployments, Horizon Edge - Preparing to Deploy.
Horizon Cloud Onboarding and Domain Registration
Most of the setup and administration tasks for Horizon Cloud Service are accomplished by using the Horizon Universal Console. The exercises in this chapter walk you through signing up for a free trial and registering an Active Directory domain to be used for machine identity.
Exercise: Sign Up for a Free Trial and Onboard to Horizon Cloud
This exercise walks you through signing up for a free trial and directs you to the Horizon Cloud product page, available at https://www.vmware.com/products/horizon-cloud.html.
This exercise covers the process of:
- Creating an account on the VMware Customer Connect website
- Registering for a 60-day free trial of Horizon Cloud – next-gen
- Onboarding—activating VMware Workspace ONE services, which include Horizon Cloud – next-gen
- Launching the Horizon Cloud Service and logging in to the Horizon Universal Console
Note: The following video, Starting a Free Trial of VMware Horizon Cloud Service Next-Gen, demonstrates how to perform this procedure.
Exercise: Register the Active Directory Domain to Be Used for Machines
In this exercise, you bind an Active Directory domain to Horizon Cloud Service so that machine objects can be created in Active Directory. These machine accounts are for virtual desktops and app servers of published apps.
There are several options for Active Directory configurations, as described in the documentation topic Active Directory Requirements. The configuration used in this exercise is for an on-premises Active Directory.
This exercise covers:
- Verifying that the on-premises Active Directory is connected to the vNet that will be used in Microsoft Azure
- Making sure the domain bind and domain join AD user accounts have been created and have the required permissions
- Specifying the DNS domain name and the organizational unit (OU) to use for storing the computer accounts that get automatically created for virtual desktops and RDSH app servers
Note: The following video, Registering the Domain to Be Used with VMware Horizon Cloud – Next-Gen, demonstrates how to perform this procedure.
Setting Up Workspace ONE Access as the User Identity Provider
The exercises in this chapter walk you through setting up VMware Workspace ONE Access to be the identity provider that authenticates end users, authorizes their access to desktops and apps, and provides single sign-on. This setup integrates with Horizon Cloud Services, as well as other Workspace ONE services such as Workspace ONE UEM.
Exercise: Install the VMware Workspace ONE Access Connector
In this exercise, you perform a default installation, which installs the Directory Sync, User Auth, Kerberos Auth, and Virtual App services. For information about a custom installation, see the production documentation topic Installing the Workspace ONE Access Connector.
Server host requirements: In the video demonstration, we used a Windows Server 2019 Desktop Experience virtual machine, with 4 CPU cores, 12 GB of RAM, and 100 GB of disk space. For complete system requirements, see the product documentation topic Workspace ONE Access Connector 22.09 Systems Requirements.
This exercise covers:
- Checking to see if the .NET Framework 4.8 is installed on the server that is to host the Workspace ONE Access Connector
- Downloading the connector installer and configuration file
- Running the installer
- Specifying the service account to be used for running the services that get installed
Note: The following video, Installing the VMware Workspace ONE Access Connector, demonstrates how to perform this procedure.
Exercise: Sync Active Directory User Groups with Workspace ONE Access
Now that you have installed the Directory Sync service, which is a component of the Workspace ONE Access Connector, you can create a directory in Workspace ONE Access and sync it to Active Directory users and groups in your enterprise. Although it is possible to use various types of directories, for this exercise, we use Active Directory over Integrated Windows Authentication.
A limited number of user and group attributes, which you, the administrator, specify, are synced to the Workspace ONE Access service. User passwords and any attributes other than the ones specified by the administrator are not synced.
Important: Before you start this exercise, you must have an Active Directory security group whose members include the user accounts you want to add to Horizon Cloud. If necessary, create the group in Active Directory Users & Groups and add the accounts as members.
This exercise covers:
- Adding a directory to Workspace ONE Access
- Specifying the AD user account that has permission to query users and groups for the required domains
For information about what permissions that user needs, see the product documentation topic called Configuring Active Directory Connection to the Workspace ONE Access Service.
- Specifying the user and group distinguished names (DNs) from AD, as described in the Microsoft documentation topic Distinguished Names
- Setting a schedule that specifies how frequently synchronization will be performed
Note: The following video, Syncing Active Directory User Groups in VMware Workspace ONE Access, demonstrates how to perform this procedure.
Exercise: Add Custom User Attributes and Configure People Search
When you sync user groups between Workspace ONE Access and an on-prem Active Directory server, some user attributes get mapped from one system to the other. In this exercise, you map the additional custom attributes that are required for Horizon Cloud. You also map custom attributes that are required for the people search component of the Intelligent Hub, which is required if you plan to use Workspace ONE Access as the user identity provider.
Employees use the VMware Workspace ONE Intelligent Hub app, or the browser-based Hub portal, to access, discover, and connect with corporate resources, teams, and workflows within a company.
This exercise covers:
- Adding and mapping the ObjectGuid, sid, and netBios custom attributes for integration with Horizon Cloud – next-gen
- Manually syncing the directory to add the custom attributes to the group
- Adding and mapping the managerDN and businessUnit people search custom attributes for integration with Horizon Cloud – next-gen
Note: The following video, Adding Custom User Attributes and Turning On People Search in Workspace ONE Access, demonstrates how to perform this procedure.
Exercise: Connect Workspace ONE Access as the User Identity Provider for Horizon Cloud
Separating machine identity from user identity offers flexibility. For user identity, you can use either Azure Active Directory, soon to be renamed Microsoft Entra ID, or VMware Workspace ONE Access. For information about the various choices, see the documentation topic called Connecting Your Identity Provider.
Earlier exercises showed how to connect Workspace ONE Access to an on-premises Active Directory and synchronize user directories. In this exercise, you connect Workspace ONE Access to Horizon Cloud Service.
This exercise covers:
- Determining the FQDN of the Workspace ONE Access tenant
- Completing the Identity Provider wizard
Note: The following video, Connecting Workspace ONE Access as an Identity Provider in Horizon Cloud – Next-Gen, demonstrates how to perform this procedure.
Exercise: Create a Single Sign-On Configuration
With single sign-on, or SSO, users log in to Horizon Cloud once, and then they can access their virtual desktops and apps without having to log in again. In this exercise, you configure a VMware certificate authority to issue short-lived certificates for authentication to accomplish SSO.
This exercise covers:
- Setting the certificate authority mode to root
For information about the other modes, see the documentation topic called About Using a VMware CA for SSO with Horizon Cloud Service - next-gen.
- Specifying an SSO configuration name and SSO configuration domain name
- Downloading the certificate authority (CA) bundle, which includes a PowerShell script, on the domain controller
- Running the PowerShell script that:
- Publishes the root certificate and the various certificate revocation lists, and adds them to the DS store
- Adds the certificate to the Enterprise NTAuth store
- Updates the computer policy
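The bundle script described above publishes the root certificate to the directory, adds it to the Enterprise NTAuth store and refreshes computer policy; SSO fails silently at logon if any of those steps did not take. The following PowerShell is an added verification written for this guide, not VMware's CA bundle script. It assumes it is run on a domain controller with the RSAT ActiveDirectory module after the bundle script and gpupdate have completed, and the thumbprint is a placeholder to be replaced with the SHA-1 thumbprint of the root certificate in the downloaded bundle.

```powershell
# Added verification for the SSO exercise; not VMware's CA bundle script.
# Run on a domain controller after the bundle script and gpupdate. Assumes the
# RSAT ActiveDirectory module. The thumbprint is a placeholder: take the real
# SHA-1 thumbprint from the root certificate in the bundle you downloaded.
Import-Module ActiveDirectory
$Thumbprint = '0000000000000000000000000000000000000000'.ToUpper()   # placeholder

# Decode the DER certificates held in an AD cACertificate attribute and
# return their SHA-1 thumbprints.
function Get-AttributeThumbprints($values) {
    foreach ($der in $values) {
        ([System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$der)).Thumbprint
    }
}

$configNc = (Get-ADRootDSE).configurationNamingContext
$pkiBase  = "CN=Public Key Services,CN=Services,$configNc"
$checks   = [ordered]@{}

# 1. DS store: the root must be published under Certification Authorities.
$caObjects = Get-ADObject -SearchBase "CN=Certification Authorities,$pkiBase" `
    -Filter 'objectClass -eq "certificationAuthority"' -Properties cACertificate
$checks['DS Certification Authorities'] =
    @($caObjects | ForEach-Object { Get-AttributeThumbprints $_.cACertificate }) -contains $Thumbprint

# 2. DS store: the root must be in the NTAuthCertificates object so that
#    certificates it issues are accepted for domain logon.
$ntAuthObj = Get-ADObject -Identity "CN=NTAuthCertificates,$pkiBase" -Properties cACertificate
$checks['DS NTAuthCertificates'] =
    @(Get-AttributeThumbprints $ntAuthObj.cACertificate) -contains $Thumbprint

# 3. Local enterprise NTAuth store. certutil prints "Cert Hash(sha1)" lines;
#    whitespace is stripped because older versions separate the bytes.
$ntAuthLocal = (certutil -enterprise -store NTAuth | Out-String) -replace '\s', ''
$checks['Local NTAuth store'] = [bool]($ntAuthLocal -match $Thumbprint)

# 4. Local Trusted Root store, populated from the DS store by computer policy.
$checks['Local Root store'] =
    [bool](Get-ChildItem Cert:\LocalMachine\Root | Where-Object Thumbprint -eq $Thumbprint)

$checks.GetEnumerator() | ForEach-Object {
    '{0,-30} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'MISSING' })
}
if ($checks.Values -contains $false) { exit 1 }
```

A MISSING result for the two DS store checks points at the publication step; a MISSING result for only the local stores usually means computer policy has not refreshed on this host yet, so re-run the check after gpupdate or on another domain controller.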
Note: The following video, Creating a Single Sign-On Configuration in VMware Horizon Cloud – Next-Gen, demonstrates how to perform this procedure.
Deploying a Horizon Edge
The Horizon Edge is the “thin edge” part of the Horizon Cloud – next-gen architecture. It securely connects end users to their virtual desktops and apps in a cloud platform, such as Microsoft Azure. It also connects to the Horizon Control Plane, so that administrators can create, manage, and assign those virtual desktops and apps.
Each Horizon Edge can support up to 20,000 end users. Scaling beyond that number is straightforward by adding additional Horizon Edges.
This chapter includes an exercise about running the deployment wizard for a Horizon Edge and also an exercise that walks you through three prerequisite tasks that must be completed in Microsoft Azure prior to deploying an edge.
Exercise: Create a Service Principal and Managed Identity, and Register Required Resource Providers
In this exercise, you create accounts and configure resources that are required for integrating with Microsoft Azure resources:
- Service principal – A service principal is similar to a service account in an on-prem Active Directory. The service principal is for enterprise apps that need to access Azure resources.
Important: When creating the service principal, you are strongly advised to copy the client secret and paste it into a document so that you can copy and paste it into the Edge Deployment wizard later. Also make note of the expiration date you specify for the service principal.
- Azure resource providers – There are 11 resources that the service principal will access. The providers of these resources must be registered.
- User-managed identity – A user-managed identity is just like a service principal except that it is linked to an Azure resource rather than to an app. For Horizon Cloud, the Azure resource linked to the user-managed identity is the Azure Kubernetes Service.
For information about the permissions required to perform these tasks in Microsoft Azure, see Permissions required for registering an app, Register resource provider, and Create a user-assigned managed identity.
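Before running the Edge deployment wizard it is worth confirming the three Azure prerequisites above in one place: that the resource providers are actually in the Registered state (registration is asynchronous), that the service principal's client secret has not quietly reached the expiration date you chose, and that the user-assigned managed identity exists. The following PowerShell is an added pre-flight check written for this guide, not VMware code. It assumes the Az PowerShell module (Az.Resources and Az.ManagedServiceIdentity) and an authenticated session; the application ID, resource group and identity name are placeholders, and the provider namespaces are illustrative only, since the guide states that 11 are needed but does not list them.

```powershell
# Added pre-flight check for the Horizon Edge Azure prerequisites; not VMware
# code. Assumes the Az PowerShell module (Az.Resources, Az.ManagedServiceIdentity)
# and an authenticated session (Connect-AzAccount / Set-AzContext). The provider
# namespaces below are illustrative: the guide says 11 are needed but does not
# list them, so take the real list from the VMware documentation.
$AppId               = '00000000-0000-0000-0000-000000000000'   # placeholder: service principal application (client) ID
$ResourceGroup       = 'rg-horizon-edge'                        # placeholder
$ManagedIdentityName = 'id-horizon-edge'                        # placeholder
$SecretWarningDays   = 30
$Providers = @('Microsoft.Compute', 'Microsoft.Network', 'Microsoft.Storage',
               'Microsoft.ContainerService', 'Microsoft.ManagedIdentity')   # illustrative

$problems = @()

# 1. Resource providers: registration is asynchronous, so check the state
#    rather than assuming Register-AzResourceProvider has completed.
foreach ($ns in $Providers) {
    $state = (Get-AzResourceProvider -ProviderNamespace $ns | Select-Object -First 1).RegistrationState
    if ($state -ne 'Registered') {
        $problems += "$ns is '$state'; run: Register-AzResourceProvider -ProviderNamespace $ns"
    }
}

# 2. Service principal secret: the wizard stores the client secret, so record
#    its expiry and rotate it before it lapses.
$creds = @(Get-AzADAppCredential -ApplicationId $AppId)
if ($creds.Count -eq 0) {
    $problems += "No credential found for application $AppId."
} else {
    $soonest = ($creds | Sort-Object EndDateTime | Select-Object -First 1).EndDateTime
    if ($soonest -lt (Get-Date).AddDays($SecretWarningDays)) {
        $problems += "A credential for $AppId expires on $soonest (within $SecretWarningDays days)."
    }
}

# 3. User-assigned managed identity: must exist in the resource group the
#    Edge will use.
$identity = Get-AzUserAssignedIdentity -ResourceGroupName $ResourceGroup `
    -Name $ManagedIdentityName -ErrorAction SilentlyContinue
if (-not $identity) {
    $problems += "User-assigned identity $ManagedIdentityName not found in $ResourceGroup."
}

if ($problems) { $problems | ForEach-Object { Write-Warning $_ }; exit 1 }
Write-Host 'Azure prerequisites look ready for the Horizon Edge deployment wizard.'
```

Keep the secret expiry check in a scheduled job after the Edge is deployed as well: the wizard holds a copy of the client secret, and the expiration date you recorded is the date by which it must be rotated in both Azure and the Edge configuration.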
Note: The following video, Creating a Service Principal & Managed Identity, and Registering Resource Providers in Horizon Cloud, demonstrates how to perform this procedure.
Exercise: Deploy a Horizon Edge
A Horizon Edge consists of one or more Horizon Edge Gateways and one or more pairs of load-balanced Unified Access Gateway virtual appliances; there are no connection servers and no cloud connectors. If more capacity is needed, you need only deploy a new Horizon Edge.
Because the exercises in this guide build on one another, before you attempt this exercise, be sure you have completed all the preceding exercises.
Not all of the prerequisites are covered in the exercises in this guide. Therefore, be sure to read and complete the tasks listed in the earlier section Prerequisites for Completing the Exercises in This Guide.
Besides the networking tasks, you must determine the fully qualified domain name (FQDN) you want to use for the load balancer that will front the pair of Unified Access Gateways that the deployment wizard creates. Before you run the wizard, you must also acquire a security certificate that corresponds to that FQDN, as described in the documentation topic Unified Access Gateway Requirements.
Note: The following video, Deploying a Horizon Edge Using VMware Horizon Cloud – Next-Gen, demonstrates how to perform this procedure.
Deploying Desktops and Apps to End Users
The exercises in this chapter walk you through creating and publishing a Windows OS image and then using that image to create a desktop and app pool. To assign the desktops and apps to end users, you add the pool to a pool group and then entitle users.
Exercise: Import and Publish a Windows OS Image
Creating a Windows OS image that you can use for VDI desktops or session-based desktops and published applications involves importing an OS image, making any changes or additions to the image, and then publishing the image. In this exercise, you also auto-scan the multi-session VM for applications that you want to publish.
Note: The following video, Creating and Publishing a Windows OS Image in Horizon Cloud – Next-Gen, demonstrates how to perform this procedure.
Exercise: Create a Pool and Group and Assign Desktops and Apps
In this exercise, you first create a pool from the multi-session Windows VM that you published in the previous exercise. You then add that pool to a pool group, select which apps to publish, and then entitle the pool group to end users and groups.
Note: The following video, Creating Pools and Pool Groups and Assigning Them in Horizon Cloud – Next-Gen, demonstrates how to perform this procedure.
Summary and Additional Resources
Now that you have completed the exercises in this guide, you should have a basic setup of Horizon Cloud – next-gen. First, you completed Horizon Cloud Service onboarding and registered the Active Directory domain to use for machine identity. Then you set up Workspace ONE Access as the user identity provider and configured single sign-on for end users. Finally, you deployed a Horizon Edge to connect end users to their virtual desktop and app resources residing in a cloud platform, and to connect these to the Horizon Control Plane for centralized management and monitoring.
Although the basic environment you just set up is for evaluation purposes only, you can now explore further on your own as you evaluate this offering. When you are ready to deploy a production environment, see the Horizon Cloud Service documentation.
Next Steps and Additional Resources
This guide addressed the one-time setup tasks required to deploy Horizon Cloud – next-gen. For day-2, operational tasks, such as creating Windows VM images and managing published apps and virtual desktops, see the following documents and videos.
VMware Digital Workspace Tech Zone Resources
Getting Started with Horizon Cloud Service - next-gen Supported REST APIs with PowerShell (Blog Post)
Horizon Cloud Service - Next-Gen Evaluation Guide (YouTube playlist of videos from this document)
Product Documentation Resources
VMware Horizon Cloud Service - next-gen Release Notes
Managing Horizon Images from the Cloud
Using VMware Horizon Cloud Service - Next-Gen
Changelog
The following updates were made to this guide:
| Date | Description of Changes |
| --- | --- |
| 2023/09/20 | Added the chapter “Deploying Desktops and Apps to End Users.” |
| 2023/09/09 | Original publication date. |
About the Author and Contributors
This guide was written by Caroline Arakelian, Senior Technical Marketing Manager, End-User-Computing Technical Marketing. Important contributions were provided by Rick Terlep, Staff Technical Marketing Architect, End-User Computing, VMware. Some videos in this series were narrated by Gina Daly, Technical Marketing Manager, End-User-Computing Technical Marketing, VMware.
Feedback
Your feedback is valuable.
To comment on this paper, contact VMware End-User-Computing Technical Marketing at euc_tech_content_feedback@vmware.com.