Evaluation Guide for VMware Horizon Cloud Service – Next-Gen

Overview

This evaluation guide introduces you to VMware Horizon® Cloud Service™ - next-gen. This solution combines the management functionality of the Horizon Cloud Service control plane with the cost-saving capacities of scalable cloud platforms.

Use Horizon Cloud to manage VDI machines and published applications that are hosted in a cloud platform, such as Microsoft Azure, on RDSH servers or on Windows 10 or Windows 11 Enterprise multi-session desktops. You have the flexibility to choose the deployment option that best meets the needs of your organization or use cases.

This guide describes the process of deploying Horizon Cloud Service components into a Microsoft Azure capacity. (At the time of this writing, Microsoft Azure is the first supported resource capacity provider.) With Horizon Cloud – next-gen, the VDI infrastructure services, app-packaging services, connection brokering service, edge gateways, databases, and so on are managed by VMware in the Horizon Control Plane. The components you manage are the virtual desktop images and applications you want to deploy. You can also leverage automation to perform basic agent updates to VDI and RDSH server VMs.

Purpose of This Guide

The tutorials in this guide help you evaluate this product through a series of practical exercises. You will deploy a Horizon Edge that connects your cloud capacity provider to the Horizon Control Plane and your identity provider, and then explore core capabilities and key features.

Important: The exercises in this guide are for evaluation purposes, based on minimum required resources for a basic deployment, and do not explore all possible features. The resulting environment should not be used as a template for deploying a production environment. To deploy a production environment, see the Horizon Cloud Service documentation.

Audience

This guide is intended for security architects, engineers, and administrators who want to familiarize themselves with, or are in the process of implementing, a Horizon Cloud Service – next-gen deployment.

It is assumed that you have familiarity with Windows data center technologies such as Microsoft Azure and Active Directory, and knowledge of VMware Horizon® and VMware Unified Access Gateway™. For a basic description, see What Is VMware Horizon Cloud Service - next-gen?

You should also be familiar with virtualization technology, cloud computing, network routing, and firewall security architecture. Knowledge of product compatibility is also useful when using VMware Horizon Cloud Service on Microsoft Azure (see VMware Product Interoperability Matrices).

Technical Introduction and Features

Horizon Cloud Service delivers virtual desktops and applications using a DaaS (desktop-as-a-service) platform that is scalable across multiple deployment options. The overall Horizon Cloud tenant environment consists of the VMware-hosted cloud service, your designated resource capacity on a cloud platform, and the VMware software you deploy into that capacity.

Horizon Cloud Service provides a single cloud control plane, run by VMware, that enables the central orchestration and management of remote desktops and applications in your cloud platform resource capacity. The cloud control plane also hosts the common cloud- and web-based management user interface called the Horizon Universal Console, or console, for short.

  1. You first log into VMware Cloud Services, and then into VMware Workspace ONE services, which include Horizon Cloud Service as well as Workspace ONE Access, an identity provider, and other services.
  2. When you launch the Horizon Cloud Service, you are taken to the Horizon Universal Console, so that you can connect to machine and user identity providers and deploy a Horizon Edge to connect these to your capacity provider and to the Horizon Control Plane.
  3. From there you can create virtual desktops, multi-session desktop VMs and RDSH servers, as well as published apps and app packages, and then entitle these to your end users.
  4. You also have access to all the Horizon Control Plane services, which can expand your control across multiple Horizon cloud environments.

Features and Benefits

Key features of Horizon Cloud Service – next-gen include:

  • Application and desktop delivery: Dedicated and floating desktops are available with virtual desktop infrastructure (VDI). If Microsoft Azure is used as the resource capacity provider, Azure Virtual Desktop is used, and you get the associated advantages of built-in licensing, special Azure instance pricing, and the Windows 10 or Windows 11 Enterprise multi-session desktop operating system.
  • Low-cost hourly billing and power management options: You benefit from consumption-based pricing for capacity, as well as no upfront costs or termination fees. Horizon Cloud has built-in features that automatically allocate and deallocate RD Session Hosts based on demand. For VDI machines, you can schedule powering off for weekends, holidays, and non-working hours.
  • Simplified deployment and management: Depending on the complexity of your configuration, it can take as little as 60 minutes to deploy the service to your own capacity provider instance. Even when you have deployments in multiple regions, you still use the same cloud-based management UI to configure and manage all your Horizon Cloud environments.
  • Advanced automation: Horizon Cloud - next-gen is built entirely using APIs, so that anything you can do from the management interface is accessible through APIs. This public API platform supports third-party ticketing or monitoring solutions, partner-built managed service offerings, and customer-built integrations and automations that leverage existing workflows.
  • Cloud monitoring and image management: You can avoid needing a third party or additional tool to monitor or manage your Horizon Cloud Service deployment. Our new cloud-based monitoring feature allows you to keep an eye on your deployment from a single UI.
  • Certified Azure Virtual Desktop solution: VMware is an approved Azure Virtual Desktop provider, which means that customers can leverage the Azure Virtual Desktop benefits from their Microsoft 365 subscription or Enterprise Agreement in Horizon Cloud Service. This includes Windows 10 and 11 Enterprise multi-session, which is exclusive to Azure Virtual Desktop.

Components and Architecture

The core elements of Horizon Cloud Service include:

  • Horizon Cloud control plane, which also hosts the Horizon Universal Console UI
  • VMware Horizon Edge Gateway
  • VMware Unified Access Gateway
  • Horizon Agent
  • VMware Horizon® Client
  • VMware App Volumes™
  • VMware Dynamic Environment Manager™

For a description of how these components work together, along with a logical architecture diagram, see the Architectural Overview section of the Horizon Cloud Service – next-gen Architecture document.

Packaging and Licensing

Two licensing models are available:

  • Per named user: For virtual environments with end users that require dedicated access to VMs throughout the day
  • Per concurrent connection: For virtual environments with a high number of users who share machines throughout the day, such as students or shift workers

The following types of subscription license are available:

  • Universal subscription for Horizon apps only or Horizon apps and desktops
  • Standard subscription for Horizon apps only

See the VMware Horizon Subscription Feature Comparison.

Prerequisites for Completing the Exercises in This Guide

Before starting the exercises in this guide, you must provide your own Microsoft Azure IaaS capacity. See the documentation topic Microsoft Azure Capacity Requirements.

Tip: If you do not have a Microsoft Azure subscription, you might be able to sign up for a free Microsoft Azure account.

Although some of the exercises in this guide walk you through performing some of the prerequisite tasks in Microsoft Azure, there are some networking prerequisites that are not included in the exercises. See the following product documentation links and make sure your environment satisfies these requirements before you proceed:

For a complete list of all the requirements, see the documentation topic called Requirements Checklist for Deploying a Microsoft Azure Edge and also see the topic called Microsoft Azure Deployments, Horizon Edge - Preparing to Deploy.

Horizon Cloud Onboarding and Domain Registration

Most of the setup and administration tasks for Horizon Cloud Service are accomplished by using the Horizon Universal Console. The exercises in this chapter walk you through signing up for a free trial and registering an Active Directory domain to be used for machine identity.

Exercise: Sign Up for a Free Trial and Onboard to Horizon Cloud

This exercise walks you through signing up for a free trial and directs you to the Horizon Cloud product page, available at https://www.vmware.com/products/horizon-cloud.html.

This exercise covers the process of:

  • Creating an account on the VMware Customer Connect website
  • Registering for a 60-day free trial of Horizon Cloud – next-gen
  • Onboarding—activating VMware Workspace ONE services, which include Horizon Cloud – next-gen
  • Launching the Horizon Cloud Service and logging in to the Horizon Universal Console

Note: The following video, Starting a Free Trial of VMware Horizon Cloud Service Next-Gen, demonstrates how to perform this procedure.


Exercise: Register the Active Directory Domain to Be Used for Machines

In this exercise, you bind an Active Directory domain to Horizon Cloud Service so that machine objects can be created in Active Directory. These machine accounts are for virtual desktops and app servers of published apps.

There are several options for Active Directory configurations, as described in the documentation topic Active Directory Requirements. The configuration used in this exercise is for an on-premises Active Directory.

This exercise covers:

  • Verifying that the on-premises Active Directory is connected to the vNet that will be used in Microsoft Azure
  • Making sure the domain bind and domain join AD user accounts have been created and have the required permissions
  • Specifying the DNS domain name and the organizational unit (OU) to use for storing the computer accounts that get automatically created for virtual desktops and RDSH app servers

Note: The following video, Registering the Domain to Be Used with VMware Horizon Cloud – Next-Gen, demonstrates how to perform this procedure.

Setting Up Workspace ONE Access as the User Identity Provider

The exercises in this chapter walk you through setting up VMware Workspace ONE Access to be the identity provider that authenticates end users, authorizes their access to desktops and apps, and provides single sign-on. This setup integrates with Horizon Cloud Service, as well as other Workspace ONE services such as Workspace ONE UEM.

Exercise: Install the VMware Workspace ONE Access Connector

In this exercise, you perform a default installation, which installs the Directory Sync, User Auth, Kerberos Auth, and Virtual App services. For information about a custom installation, see the product documentation topic Installing the Workspace ONE Access Connector.

Server host requirements: In the video demonstration, we used a Windows Server 2019 Desktop Experience virtual machine, with 4 CPU cores, 12 GB of RAM, and 100 GB of disk space. For complete system requirements, see the product documentation topic Workspace ONE Access Connector 22.09 System Requirements.

This exercise covers:

  • Checking to see if the .NET Framework 4.8 is installed on the server that is to host the Workspace ONE Access Connector
  • Downloading the connector installer and configuration file
  • Running the installer
  • Specifying the service account to be used for running the services that get installed

Note: The following video, Installing the VMware Workspace ONE Access Connector, demonstrates how to perform this procedure.

Exercise: Sync Active Directory User Groups with Workspace ONE Access

Now that you have installed the Directory Sync service, which is a component of the Workspace ONE Access Connector, you can create a directory in Workspace ONE Access and sync it to Active Directory users and groups in your enterprise. Although it is possible to use various types of directories, for this exercise, we use Active Directory over Integrated Windows Authentication.

A limited number of user and group attributes, which you, the administrator, specify, are synced to the Workspace ONE Access service. User passwords and any attributes other than the ones specified by the administrator are not synced.

Important: Before you start this exercise, you must have an Active Directory security group whose members include the user accounts you want to add to Horizon Cloud. If necessary, create the group in Active Directory Users & Groups and add the accounts as members.

This exercise covers:

  • Adding a directory to Workspace ONE Access
  • Specifying the AD user account that has permission to query users and groups for the required domains
    For information about what permissions that user needs, see the product documentation topic called Configuring Active Directory Connection to the Workspace ONE Access Service.
  • Specifying the user and group distinguished names (DNs) from AD, as described in the Microsoft documentation topic Distinguished Names
  • Setting a schedule that specifies how frequently synchronization will be performed

Note: The following video, Syncing Active Directory User Groups in VMware Workspace ONE Access, demonstrates how to perform this procedure.

Exercise: Add Custom User Attributes and Turn On People Search

When you sync user groups between Workspace ONE Access and an on-prem Active Directory server, some user attributes get mapped from one system to the other. In this exercise, you map the additional custom attributes that are required for Horizon Cloud. You also map custom attributes that are required for the people search component of the Intelligent Hub, which is required if you plan to use Workspace ONE Access as the user identity provider.

Employees use the VMware Workspace ONE Intelligent Hub app, or the browser-based Hub portal, to access, discover, and connect with corporate resources, teams, and workflows within a company.

This exercise covers:

  • Adding and mapping the ObjectGuid, sid, and netBios custom attributes for integration with Horizon Cloud – next-gen
  • Manually syncing the directory to add the custom attributes to the group
  • Adding and mapping the managerDN and businessUnit people search custom attributes for integration with Horizon Cloud – next-gen

Note: The following video, Adding Custom User Attributes and Turning On People Search in Workspace ONE Access, demonstrates how to perform this procedure.

Exercise: Connect Workspace ONE Access as the User Identity Provider for Horizon Cloud

Separating machine identity from user identity offers flexibility. For user identity, you can use either Azure Active Directory, soon to be renamed Microsoft Entra ID, or VMware Workspace ONE Access. For information about the various choices, see the documentation topic called Connecting Your Identity Provider.

Earlier exercises showed how to connect Workspace ONE Access to an on-premises Active Directory and synchronize user directories. In this exercise, you connect Workspace ONE Access to Horizon Cloud Service.

This exercise covers:

  • Determining the FQDN of the Workspace ONE Access tenant
  • Completing the Identity Provider wizard

Note: The following video, Connecting Workspace ONE Access as an Identity Provider in Horizon Cloud – Next-Gen, demonstrates how to perform this procedure.

Exercise: Create a Single Sign-On Configuration

With single sign-on, or SSO, users log in to Horizon Cloud once, and then they can access their virtual desktops and apps without having to log in again. In this exercise, you configure a VMware certificate authority to issue short-lived certificates for authentication to accomplish SSO.

This exercise covers:

  • Setting the certificate authority mode to root
    For information about the other modes, see the documentation topic called About Using a VMware CA for SSO with Horizon Cloud Service - next-gen.
  • Specifying an SSO configuration name and SSO configuration domain name
  • Downloading the certificate authority (CA) bundle, which includes a PowerShell script, on the domain controller
  • Running the PowerShell script that:
    • Publishes the root certificate and the various certificate revocation lists, and adds them to the DS store
    • Adds the certificate to the Enterprise NTAuth store
    • Updates the computer policy
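A check to run on the domain controller after the bundle script finishes, added here as an example for this guide rather than VMware's own script: it confirms the SSO root CA landed in the directory's NTAuth store, in the local NTAuth cache, and in the local Trusted Root store, which is where certificate logon looks for it. It assumes the root CA certificate from the downloaded bundle has been exported to the placeholder path below and that the ActiveDirectory PowerShell module is installed.

```powershell
# Added verification example (not VMware's CA bundle script). Run on the domain
# controller after the bundle script finishes, to confirm the SSO root CA is
# trusted everywhere certificate-based logon requires it.
# Assumption: the root CA certificate from the downloaded bundle has been
# exported to the placeholder path below (DER or Base64 .cer both work).
param(
    [string]$CaCertPath = 'C:\Temp\horizon-sso-root-ca.cer'   # placeholder path
)

Import-Module ActiveDirectory

$caCert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CaCertPath)
$thumb  = $caCert.Thumbprint
Write-Host "Checking CA '$($caCert.Subject)' (thumbprint $thumb)"

# 1. Enterprise NTAuth store in the directory: the NTAuthCertificates object in the
#    configuration partition lists the CAs allowed to issue logon certificates.
#    This is what the script's "Enterprise NTAuth store" step writes.
$configNC = (Get-ADRootDSE).configurationNamingContext
$ntAuthDN = "CN=NTAuthCertificates,CN=Public Key Services,CN=Services,$configNC"
$ntAuth   = Get-ADObject -Identity $ntAuthDN -Properties cACertificate
$inDirectoryNtAuth = $false
foreach ($der in $ntAuth.cACertificate) {
    $published = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$der)
    if ($published.Thumbprint -eq $thumb) { $inDirectoryNtAuth = $true }
}

# 2. Local NTAuth cache on this machine, populated by the computer policy update
#    that the bundle script triggers (equivalent to running gpupdate).
$localNtAuthKey = "HKLM:\SOFTWARE\Microsoft\EnterpriseCertificates\NTAuth\Certificates\$thumb"
$inLocalNtAuth  = Test-Path $localNtAuthKey

# 3. Local Trusted Root store: the short-lived logon certificates must also
#    chain to a trusted root on the machine that validates them.
$inLocalRoot = [bool](Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Thumbprint -eq $thumb })

$result = [pscustomobject]@{
    Subject            = $caCert.Subject
    NotAfter           = $caCert.NotAfter
    InDirectoryNTAuth  = $inDirectoryNtAuth
    InLocalNTAuthCache = $inLocalNtAuth
    InLocalRootStore   = $inLocalRoot
}
$result | Format-List

if (-not ($inDirectoryNtAuth -and $inLocalNtAuth -and $inLocalRoot)) {
    Write-Warning 'SSO CA trust is incomplete; re-run the bundle script or run gpupdate /force, then check again.'
    exit 1
}
```

A False in any of the three fields means certificate logon will fail for that reason even though the console shows the SSO configuration as created.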

Note: The following video, Creating a Single Sign-On Configuration in VMware Horizon Cloud – Next-Gen, demonstrates how to perform this procedure.

Deploying a Horizon Edge

The Horizon Edge is the “thin edge” part of the Horizon Cloud – next-gen architecture. It securely connects end users to their virtual desktops and apps in a cloud platform, such as Microsoft Azure. It also connects to the Horizon Control Plane, so that administrators can create, manage, and assign those virtual desktops and apps.

Each Horizon Edge can support up to 20,000 end users. Scaling beyond that number is straightforward by adding additional Horizon Edges.

This chapter includes an exercise about running the deployment wizard for a Horizon Edge and also an exercise that walks you through three prerequisite tasks that must be completed in Microsoft Azure prior to deploying an edge.

Exercise: Create a Service Principal and Managed Identity, and Register Required Resource Providers

In this exercise, you create accounts and configure resources that are required for integrating with Microsoft Azure resources:

  • Service principal – A service principal is similar to a service account in an on-prem Active Directory. The service principal is for enterprise apps that need to access Azure resources.

    Important: When creating the service principal, you are strongly advised to copy the client secret and paste it into a document so that you can copy and paste it into the Edge Deployment wizard later. Also make note of the expiration date you specify for the service principal.
  • Azure resource providers – There are 11 resources that the service principal will access. The providers of these resources must be registered.
  • User-assigned managed identity – A user-assigned managed identity is like a service principal, except that it is linked to an Azure resource rather than to an app. For Horizon Cloud, the Azure resource linked to the user-assigned managed identity is the Azure Kubernetes Service.

For information about the permissions required to perform these tasks in Microsoft Azure, see Permissions required for registering an app, Register resource provider, and Create a user-assigned managed identity.

Note: The following video, Creating a Service Principal & Managed Identity, and Registering Resource Providers in Horizon Cloud, demonstrates how to perform this procedure.

Exercise: Deploy a Horizon Edge

A Horizon Edge consists of one or more Horizon Edge Gateways and one or more pairs of load-balanced Unified Access Gateway virtual appliances; there are no connection servers and no cloud connectors. If more capacity is needed, you need only deploy a new Horizon Edge.

Because the exercises in this guide build on one another, before you attempt this exercise, be sure you have completed all the preceding exercises.

Not all of the prerequisites are covered in the exercises in this guide. Therefore, be sure to read and complete the tasks listed in the earlier section Prerequisites for Completing the Exercises in This Guide.

Besides the networking tasks, you must determine the fully qualified domain name (FQDN) you want to use for the load balancer that will front the pair of Unified Access Gateways that the deployment wizard creates. Before you run the wizard, you must also acquire a security certificate that corresponds to that FQDN, as described in the documentation topic Unified Access Gateway Requirements.

Note: The following video, Deploying a Horizon Edge Using VMware Horizon Cloud – Next-Gen, demonstrates how to perform this procedure.

Deploying Desktops and Apps to End Users

The exercises in this chapter walk you through creating and publishing a Windows OS image and then using that image to create a desktop and app pool. To assign the desktops and apps to end users, you add the pool to a pool group and then entitle users.

Exercise: Import and Publish a Windows OS Image

Creating a Windows OS image that you can use for VDI desktops or session-based desktops and published applications involves importing an OS image, making any changes or additions to the image, and then publishing the image. In this exercise, you also auto-scan the multi-session VM for applications that you want to publish.

Note: The following video, Creating and Publishing a Windows OS Image in Horizon Cloud – Next-Gen, demonstrates how to perform this procedure.

Exercise: Create a Pool and Group and Assign Desktops and Apps

In this exercise, you first create a pool from the multi-session Windows VM that you published in the previous exercise. You then add that pool to a pool group, select which apps to publish, and then entitle the pool group to end users and groups.

Note: The following video, Creating Pools and Pool Groups and Assigning Them in Horizon Cloud – Next-Gen, demonstrates how to perform this procedure.

Exercise: Log in to a Horizon Cloud – Next-Gen Desktop or App as an End User

In this exercise, you first log in to a virtual desktop and published app using Horizon Client and take a tour of the user interface. You then log in using a browser and explore that user interface.

Also included in this exercise is a task for administrators: Configuring a custom URL for client access to desktops and apps.

Important: Before you start this exercise, on the client device you plan to use—preferably a desktop or laptop—navigate to the Download VMware Horizon Clients page and download the appropriate client installer for that OS type.

Note: The following video, Logging in to a Horizon Cloud – Next-Gen Desktop or App as an End User, demonstrates how to perform this procedure.

Exercise: Monitor VMware Horizon Cloud Components

With the Horizon Universal Console, you can monitor user, pool, pool group, and infrastructure information and events. There is even a help-desk feature.

With the intelligence and analytics information available from the Workspace ONE Admin Hub, you can create dashboards and reports to monitor the health of your deployment over time. In this exercise, you take a brief tour of the dashboards of both administrative interfaces.

Note: The following video, Monitoring VMware Horizon Cloud Components, demonstrates how to perform this procedure.

Summary and Additional Resources

Now that you have completed the exercises in this guide, you should have a basic setup of Horizon Cloud – next-gen. First, you completed Horizon Cloud Service onboarding and set up a machine identity provider and a user identity provider, as well as a single sign-on configuration. As a final step in setting up your environment, you deployed a Horizon Edge to connect end users to their virtual desktop and app resources.

With initial setup complete, you then imported a Windows image from the Azure Marketplace, published the image to Horizon Cloud, and used it to create desktop and app pools and pool groups for entitling end users. Finally, you connected to a virtual desktop and app as an end user and then took a tour of the admin UIs for monitoring the environment, analyzing the health of the deployment, and using the help-desk feature.

Additional Resources

Although the basic environment you just set up is for evaluation purposes only, you can now explore further on your own as you evaluate this offering. When you are ready to deploy a production environment, see the following resources.

VMware Digital Workspace Tech Zone Resources

Getting Started with Horizon Cloud Service - next-gen Supported REST APIs with PowerShell (Blog Post)

Horizon Cloud Service - Next-Gen Evaluation Guide (YouTube playlist of videos from this document)

Product Documentation Resources

VMware Horizon Cloud Service - next-gen Release Notes

Managing Horizon Images from the Cloud

Using VMware Horizon Cloud Service - Next-Gen

Changelog

The following updates were made to this guide:

Date         Description of Changes
2023/10/10   Added exercises for accessing virtual apps and desktops as an end user and for monitoring the Horizon Cloud environment.
2023/09/20   Added the chapter “Deploying Desktops and Apps to End Users.”
2023/09/09   Original publication date.

About the Author and Contributors

This guide was written by Caroline Arakelian, Senior Technical Marketing Manager, End-User-Computing Technical Marketing. Important contributions were provided by Rick Terlep, Staff Technical Marketing Architect, End-User Computing, VMware. Some videos in this series were narrated by Gina Daly, Technical Marketing Manager, End-User-Computing Technical Marketing, VMware.

Feedback

Your feedback is valuable.

To comment on this paper, contact VMware End-User-Computing Technical Marketing at euc_tech_content_feedback@vmware.com.
