Horizon Cloud Service - next-gen Configuration
This chapter is one of a series that make up the VMware Workspace ONE and VMware Horizon Reference Architecture, a framework that provides guidance on the architecture, design considerations, and deployment of Workspace ONE and Horizon solutions. This chapter provides information about common configuration and deployment tasks for Horizon Cloud Service - next-gen. It is not intended to replace the product documentation but to reference and supplement it with additional guidance. A companion chapter, Horizon Cloud Service - next-gen Architecture, provides information about architecture and design.
Identity and Access Management
You need to configure machine identity by defining the domain information to use for virtual machines. You also need to configure user identity by establishing a trust relationship with an Identity Provider (IdP) to provide user authentication services. You can optionally set up single sign-on to allow users to access virtual desktops and applications, without having to enter credentials a second time.
Configuring Machine and User Identity
As a part of the onboarding process, Horizon Cloud Service – next-gen requires you to configure a trust with an Identity Provider (IdP) to provide authentication services for that customer tenant. You can choose to leverage Workspace ONE Access or Microsoft Azure Active Directory as your IdP. More IdP options may be available in future releases.
Figure 1: Identity Management Setup
To configure Identity Management:
- Define at least one Active Directory domain and the associated domain bind and join account information.
- Add Single Sign-on (SSO) configuration (optional) – See Configuring Single Sign-on.
- Connect to the chosen identity provider. See Connecting your Identity Provider.
Table 1: Identity Management Strategy
Decision | Workspace ONE Access was used as the identity provider. |
Justification | Workspace ONE Access was already in place, used for other Horizon deployments with Workspace ONE Access connectors already connecting to Active Directory. |
Configuring Single Sign-On
To enable a single sign-on experience for your users, you can add SSO configuration to be deployed on the Horizon Edge Gateway. This process sets up the required trust relationship to allow users to authenticate once in the Horizon Cloud service and then get automatically logged into their desktop or applications without having to enter their credentials a second time at the resource.
To set up SSO, complete the following steps:
- Create an SSO Configuration. See Adding SSO Configuration for more information.
- Ensure that the Active Directory domains that you intend to use for desktops are defined in the Universal Console and have the SSO configuration selected.
- Install and configure the Certificate Authority (CA) role on a Domain Controller. See Install the Certification Authority for more information.
- Download the CA bundle for the SSO Configuration and install it on the domain controller by running the included PowerShell script.
- Add an internal DNS record for the management interface of the Horizon Edge Gateway service and ensure that desktops can resolve this FQDN to the correct IP address. See DNS for more information.
- When defining a pool group, select the option to use SSO.
Table 9: SSO Strategy
Decision | Single sign-on was configured. |
Justification | Using SSO prevents users from being challenged for their credentials again when they launch a desktop or application. |
Deploying a Horizon Edge
The Universal Console in the Horizon Control Plane can be used to define, deploy, and manage Horizon Edges to supported cloud-native provider capacity. Before deploying your first Horizon Edge, complete the onboarding tasks to assign roles, launch Horizon Cloud for the first time, and select a region for Horizon Cloud services metadata. See VMware Horizon Cloud Service - next-gen Deployment and Onboarding for more information.
Figure 2: Deploying a Horizon Edge
To deploy a new Horizon Edge:
1. Prepare the capacity provider.
   - For Azure, see Preparing Microsoft Azure.
2. Register a new capacity provider to use.
3. Define a site (if not using an existing site).
4. Deploy the Horizon Edge.
Steps 2 and 3 can also be done as part of the Horizon Edge deployment wizard.
Note: Before deploying a Horizon Edge, you should configure identity management, including domain information and single sign-on configuration (if being used). See Configuring Machine and User Identity for an overview of the process.
Certificates
When deploying a Horizon Edge, you need to supply a TLS/SSL certificate. The certificate is applied to the Unified Access Gateways when the Horizon Edge deploys them.
The certificate can be in either PEM or PFX format. The certificate should match the FQDN of the Unified Access Gateway as defined when deploying the Horizon Edge.
DNS
Two DNS records are required as part of the Horizon Edge deployment. One facilitates user connections and a second is used as part of the single sign-on configuration.
Load Balancer for Unified Access Gateways
To allow user connections to resources, you need a DNS record for the load-balanced FQDN of the Unified Access Gateways.
Create a DNS record for the load-balanced address of the Unified Access Gateways:
- The name should match Unified Access Gateway FQDN.
- The IP address is the load balancer IP in the Unified Access Gateway section.
- Create the DNS record in your external DNS. If you use split DNS (where the internal domain name matches the external domain name), also create a record in your internal DNS system.
The Unified Access Gateway FQDN and load balancer IP address are listed in the Horizon Edge detail, which you can find by navigating to Resources > Capacity, clicking the name of the Horizon Edge, and then looking in the Unified Access Gateway section.
Horizon Edge Gateway
As part of the single sign-on (SSO) configuration, you must set up a DNS record for the Horizon Edge gateway service. Desktops should be able to resolve the FQDN of the Horizon Edge Gateway to the IP address allocated to it in the Management subnet used for deployment.
Create a DNS record for the Horizon Edge Gateway service.
- The name should match the Horizon Edge Services FQDN.
- The IP address is the load balancer IP in the Horizon Edge Gateway section.
- Create this DNS record in your internal DNS or the DNS system the desktops use for their DNS lookups.
The Horizon Edge Services FQDN and load balancer IP address are listed in the Horizon Edge detail, which you can find by navigating to Resources > Capacity, clicking the name of the Horizon Edge, and then looking in the Horizon Edge Gateway section.
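A pre-flight check for the two DNS records described above, written here as an added example rather than code from the documentation or the product: it takes the values shown in the Horizon Edge detail, derives which record must exist in which DNS system (including the extra internal UAG record that split DNS requires), and reports anything that does not resolve to the expected load balancer IP. The FQDNs, addresses and stub resolvers are constructed placeholders.

```python
"""Pre-flight check for the two DNS records a Horizon Edge needs.

Added example, not from the VMware documentation or the product. Record
values come from the Horizon Edge detail (Resources > Capacity); those
used here are constructed placeholders.
"""
from dataclasses import dataclass


@dataclass
class EdgeDetail:
    uag_fqdn: str    # Unified Access Gateway FQDN
    uag_lb_ip: str   # load balancer IP, Unified Access Gateway section
    edge_fqdn: str   # Horizon Edge Services FQDN
    edge_lb_ip: str  # load balancer IP, Horizon Edge Gateway section


def required_records(edge: EdgeDetail, split_dns: bool) -> list:
    """(dns_system, fqdn, expected_ip) tuples. The UAG record belongs in
    external DNS and, with split DNS (same zone name inside and outside),
    in internal DNS too; the Edge Gateway record is internal only."""
    records = [("external", edge.uag_fqdn, edge.uag_lb_ip),
               ("internal", edge.edge_fqdn, edge.edge_lb_ip)]
    if split_dns:
        records.append(("internal", edge.uag_fqdn, edge.uag_lb_ip))
    return records


def check_records(edge: EdgeDetail, resolvers: dict, split_dns: bool) -> list:
    """Resolve every required record and describe each mismatch.

    resolvers maps "external" / "internal" to a callable FQDN -> set of
    IPv4 addresses (empty set = no record). They are injected so the check
    runs offline; in production, point them at the external DNS and at the
    DNS that desktops use, respectively.
    """
    problems = []
    for system, fqdn, expected in required_records(edge, split_dns):
        answers = resolvers[system](fqdn)
        if not answers:
            problems.append(f"{system}: {fqdn} does not resolve")
        elif answers != {expected}:
            problems.append(f"{system}: {fqdn} -> {sorted(answers)}, expected {expected}")
    return problems


# Constructed sample: internal DNS lacks the UAG record, so the check
# passes without split DNS but fails once split DNS is in use.
SAMPLE_EDGE = EdgeDetail("uag.example.com", "203.0.113.10",
                         "edge.example.com", "10.10.1.20")
SAMPLE_RESOLVERS = {
    "external": lambda n: {"203.0.113.10"} if n == "uag.example.com" else set(),
    "internal": lambda n: {"10.10.1.20"} if n == "edge.example.com" else set(),
}
```

Run `check_records(SAMPLE_EDGE, SAMPLE_RESOLVERS, split_dns=True)` from a desktop and from outside the network to see the two views; an empty list means every required record resolves as expected.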
Preparing Microsoft Azure
To deploy a Horizon Edge to a Microsoft Azure IaaS provider, the Azure subscription must first be prepared.
Figure 3: Preparing Azure for a Horizon Edge Deployment
To prepare an Azure subscription for a new Horizon Edge deployment:
- Obtain an Azure subscription with suitable capacity.
- Set up an identity provider, either Microsoft Azure Active Directory or VMware Workspace ONE Access – See Setting Up Your Identity Provider.
  - Microsoft Azure Active Directory (Azure AD): Install Azure AD Connect on an on-premises Active Directory server to link to Microsoft Azure AD. See Integrate on-premises AD domains with Azure AD for more information.
  - VMware Workspace ONE Access: Configure user attributes and enable the people search feature in Workspace ONE Access.
- Create Active Directory domain bind and domain join accounts. A primary account and an auxiliary account are required for each.
- Create a Resource Group in the target Azure region – See Manage Azure resource groups by using the Azure portal for more information.
- Configure Networking – See the Networking Requirements section of Requirements Checklist for Deploying a Microsoft Azure Edge and Configure the Network Requirements for more information.
  - Set up a new VNet or configure an existing VNet to be used for the Horizon Edge deployment.
  - Define subnets for DMZ, management, and desktop VMs.
  - Add a NAT Gateway to the management subnet. The Horizon Edge Gateway needs a NAT Gateway for outbound connectivity. For guidance on creating an Azure NAT Gateway, see Quickstart: Create a NAT gateway using the Azure portal.
  - Configure any required virtual network peering between VNets, for example between the target VNet and other VNets that contain supporting infrastructure such as Active Directory domain controllers or DNS servers.
- Create a Service Principal and a User-assigned Managed Identity:
  - Add a Service Principal for the Azure subscription – Service Principals can be defined in the Azure Portal under Azure Active Directory > App registrations. See Azure Service Principals and Create a Service Principal for the Microsoft Azure Subscription for more information and the process.
  - Add a User-assigned Managed Identity to the Azure subscription. See Azure Managed Identities and Manage user-assigned managed identities for more information and the process.
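The networking steps above are easy to get partly right, so the following added example (not code from the documentation or the product) validates a proposed plan before anything is deployed: the three subnets must sit inside the VNet address space without overlapping, the management subnet must have a NAT Gateway, and every VNet that hosts domain controllers or DNS must be peered. VNet names and CIDRs are constructed placeholders.

```python
"""Validate an Azure network plan for a Horizon Edge before deployment.

Added example, not from the VMware documentation or the product: it checks a
plan against the chapter's requirements (DMZ, management and desktop subnets
in one VNet, a NAT Gateway on the management subnet, peering to VNets hosting
Active Directory or DNS). Names and addresses are constructed placeholders.
"""
from dataclasses import dataclass, field
from ipaddress import ip_network


@dataclass
class VNetPlan:
    address_space: str                   # VNet CIDR
    subnets: dict                        # role -> CIDR; roles: dmz, management, desktop
    nat_gateway_subnets: set = field(default_factory=set)  # roles with a NAT Gateway
    peered_vnets: set = field(default_factory=set)         # VNets peered to this one
    infra_vnets: set = field(default_factory=set)          # VNets hosting AD / DNS


def validate_plan(plan: VNetPlan) -> list:
    """Return findings in a fixed order; an empty list means the plan passes."""
    findings = []
    vnet = ip_network(plan.address_space)
    for role in ("dmz", "management", "desktop"):
        if role not in plan.subnets:
            findings.append(f"missing {role} subnet")
    nets = {role: ip_network(cidr) for role, cidr in plan.subnets.items()}
    for role, net in nets.items():
        if not net.subnet_of(vnet):
            findings.append(f"{role} subnet {net} is outside VNet {vnet}")
    roles = list(nets)
    for i, a in enumerate(roles):
        for b in roles[i + 1:]:
            if nets[a].overlaps(nets[b]):
                findings.append(f"{a} and {b} subnets overlap")
    # The Horizon Edge Gateway relies on a NAT Gateway on the management subnet.
    if "management" not in plan.nat_gateway_subnets:
        findings.append("no NAT Gateway on the management subnet")
    # Domain controllers / DNS in other VNets are reachable only via peering.
    for infra in sorted(plan.infra_vnets - plan.peered_vnets):
        findings.append(f"VNet {infra} hosts AD/DNS but is not peered")
    return findings


# Constructed sample with two deliberate gaps: no NAT Gateway, and an
# identity VNet that is not peered.
SAMPLE_PLAN = VNetPlan(
    address_space="10.10.0.0/16",
    subnets={"dmz": "10.10.0.0/24", "management": "10.10.1.0/24",
             "desktop": "10.10.16.0/20"},
    peered_vnets={"vnet-shared-services"},
    infra_vnets={"vnet-shared-services", "vnet-identity"},
)

if __name__ == "__main__":
    for finding in validate_plan(SAMPLE_PLAN):
        print("FINDING:", finding)
```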
Creating Desktops and Apps on Cloud-native Deployments
After a Horizon Edge has been deployed to a cloud-native provider, such as Microsoft Azure, you can import images, use them to create pools and pool groups, and entitle users to desktops and applications.
Figure 4: Import Images, Add Pools, Add Pool Groups, and Entitle Users
The process involves the following steps:
- Import a virtual machine (VM) image. This image becomes a golden virtual machine image that is used to create individual VM clones.
- Publish the image to the Horizon Edges that you want to use it on.
- Create a pool to use the published image.
- Create a pool group to apply policy to the consumption of one or more pools.
- Entitle users to allow access to the resources.
Golden Image
With Horizon Edge deployments on a cloud-native provider, such as Microsoft Azure, you can import, customize, and prepare a suitable golden image. You can then publish the image to the Horizon Edges where this is to be used. See Image Management Service for more information.
Pool
A pool uses a published image to create a collection of virtual machines within the selected Azure provider.
Table 2: Cloud-native Deployment Pool Settings
Component | Settings |
Destination |
- Site – Select the site that you want this pool to be associated with.
- Horizon Edge – Select the Horizon Edge. This list is populated with the Horizon Edges associated with the chosen site.
- Provider – Select the provider to use. |
Image |
- Azure VM Generation type – V1 or V2.
- Image – Select an image that has previously been published to the Horizon Edge being used. The capabilities of the image must match the type of pool being created (for example, single-session or multi-session).
- Marker – Select which marker on the image to use.
- Version – Select the version of the published image to use.
- Windows license – Confirm that you have eligible Windows licensing. |
VM Details |
- Model – Choose the VM model to use.
- Disk type – Select a supported disk type from the available options. The options depend on the VM model selected and on the Microsoft Azure subscription and region.
- Disk size – Size of the disk in GB.
- Encrypt disks – Choose whether the hard disks should be encrypted. |
Domain |
- Domain – Select the Active Directory domain to use.
- Computer OU – Define the Active Directory organizational unit (OU) where the computer objects should be created. This is the distinguished name of the target OU. |
Provisioning |
- Provision VMs on-demand or all at once – Choose whether all of the defined VMs should be created when the wizard completes, or on demand as users need them.
- Minimum provisioned VMs – The minimum number of spare VMs. Must be less than or equal to the maximum VMs to avoid frequent capacity updates. Only applicable when provisioning VMs on demand.
- Maximum provisioned VMs – The maximum number of spare VMs. Must be greater than or equal to the minimum VMs to avoid frequent capacity updates. Only applicable when provisioning VMs on demand.
- Total VMs – The maximum number of VMs that can be provisioned.
- Sessions per VM – For multi-session pools, set the total number of sessions to allow per virtual machine. |
Properties |
- VM name prefix – Define a prefix for the VMs and the computer objects that will be created.
- Desktop admin username – Create a username for the local admin account used to access the image's operating system and during the image conversion process.
- Desktop admin password – Define the password to set for the desktop admin account.
- Outbound proxy – Choose whether to route outbound requests to the Internet through a proxy server. If selected, define the proxy host, port, and any IP addresses that should bypass the proxy. |
Networks | Select which VNets and subnets to create this pool in. Note that after the pool is saved, the networks cannot be edited or changed. |
VMware Dynamic Environment Manager | When defining a pool, you can optionally select a VMware Dynamic Environment Manager configuration that you have previously defined. See Dynamic Environment Manager. |
For more information, see Create a Pool.
Pool Group
A pool group collects together one or more pools. The pools consumed by a pool group can be from any Azure provider.
A Pool Group allows:
- A common set of policies to be applied to the pools that define how users will consume the resources of the pools.
- Users to be entitled to resources in the pool group and therefore consume resources from the pools that are members of that pool group.
The policies that you define on a pool group include the following.
Table 17: Pool Group Policies
Component | Policies |
Client |
- Default protocol – Select the default protocol for end-user sessions. Currently, only Blast Extreme is supported.
- Allow users to select protocol – Optionally allow end users to choose the protocol themselves.
- Preferred client type – Select whether to launch assignments in Horizon Client or a browser. |
Brokering |
- Scope – Select whether to search for available desktops on any site or only within the end user's site.
- Site connection affinity – Select the default site that end users connect to. Options are Nearest Site or Home Site.
- Home site restriction – Restrict users to accessing the assignment only through the assignment home site override, or through the user's home site if no override is designated. If not selected, the nearest site is used. Only selectable when site connection affinity is set to Home Site. |
SSO (Single sign-on) |
- Use SSO – Defines whether to use SSO for the pool. To enable SSO for the pool, SSO must be enabled on the Horizon Edge Gateway and the SSO configuration set up as detailed in Configuring Single Sign-On. |
Power Management |
- Minimum VMs – The minimum percentage of VMs to keep powered on, relative to the total VMs in a pool, at any point in time.
- Power management mode – Select the threshold of virtual machine utilization at which a new virtual machine is spun up or drained for this assignment. Choose from Optimized for performance, Balanced, or Optimized for cost. This setting is only available for a multi-session pool.
- Power off protect time – Enter the number of minutes (from 1 to 60) that a VM is protected from powering off after it was powered on due to a headroom error. The default is 30.
- Power management schedule – Optionally, set up a schedule for power management. |
For more information, see Create a Single-Session Pool Group and Create a Multi-Session Pool Group.
Dynamic Environment Manager
Dynamic Environment Manager offers personalization and dynamic policy configuration for end-user desktops and applications. For Azure-based Horizon Edge deployments:
- Install and configure Dynamic Environment Manager to a file share – See the deployment guidance in the Dynamic Environment Manager Activity Path.
- Add a Dynamic Environment Manager Configuration – See Configuring VMware Dynamic Environment Manager for more information.
- Select the Dynamic Environment Manager Configuration when defining the Pool – See Create a Pool for more information.
For more guidance on architecting Dynamic Environment Manager, see Dynamic Environment Manager Architecture. For guidance on configuring Dynamic Environment Manager, see Dynamic Environment Manager Configuration.
Summary and Additional Resources
Now that you have come to the end of this design chapter on Horizon Cloud Service – next-gen, you can return to the landing page and use the tabs, search, or scroll to select your next chapter in one of the following sections:
- Overview chapters provide understanding of business drivers, use cases, and service definitions.
- Architecture chapters give design guidance on the products you are interested in including in your platform, including Workspace ONE UEM, Workspace ONE Access, Workspace ONE Assist, Workspace ONE Intelligence, Horizon Cloud Service, Horizon, App Volumes, Dynamic Environment Manager, and Unified Access Gateway.
- Integration chapters cover the integration of products, components, and services you need to create the platform capable of delivering the services that you want to deliver to your users.
- Configuration chapters provide reference for specific tasks as you build your platform, such as installation, deployment, and configuration processes for Workspace ONE, Horizon Cloud Service, Horizon, App Volumes, Dynamic Environment Management, and more.
Additional Resources
For more information about VMware Horizon Cloud Service – next-gen, you can explore the following resources:
- VMware Horizon Cloud Service – next-gen product page
- VMware Horizon Cloud Service – next-gen documentation
Changelog
The following updates were made to this guide:
Date | Description of Changes |
2023-07-24 | |
2023-06-27 | |
Author and Contributors
This chapter was written by:
- Graeme Gordon, Senior Staff End-User-Computing (EUC) Architect in End-User-Computing Technical Marketing, VMware.
- Rick Terlep, Staff Technical Marketing Architect in End-User-Computing Technical Marketing, VMware.
Feedback
Your feedback is valuable.
To comment on this paper, contact VMware End-User-Computing Technical Marketing at euc_tech_content_feedback@vmware.com.