Horizon on Azure VMware Solution Configuration

This chapter is one of a series that make up the VMware Workspace ONE and VMware Horizon Reference Architecture, a framework that provides guidance on the architecture, design considerations, and deployment of VMware Workspace ONE® and VMware Horizon® solutions. This chapter provides information about common configuration and deployment tasks for VMware Horizon on Azure VMware® Solution.

Deploying Horizon with Azure VMware Solution

This section covers specific information for deploying Horizon on Azure VMware Solution.

Configuring Azure VMware Solution for Horizon Deployment

At a high-level, the following steps are required to deploy Horizon with Azure VMware Solution:

  1. Create a Private Cloud. See the Azure VMware Solution documentation. The recommendation for a production environment is to use a minimum of three hosts in a cluster.
  2. Deploy Horizon 8 on the Azure VMware Solution, following the architecture described in Scaling Deployments.
  3. Set up the Horizon environment on Azure VMware Solution.

Horizon Installation on Azure VMware Solution

When you set up the Horizon environment on Azure VMware Solution, you must install and configure the following components:

  1. Install Active Directory, DNS, DHCP, and KMS servers.
  2. Optionally, install RDS license servers.
  3. Install one or more Horizon Connector Servers.
  4. Install a Horizon Cloud Connector.
  5. Install one or more Unified Access Gateways.

Preparation

First gather the VMware vCenter® and VMware NSX® URLs and credentials.

  • In the Azure Portal, go to Azure VMware Solution.
  • Go to your AVS Private cloud, then select Identity under the Manage section of the middle menu.
  • Copy the vCenter Web Client URL, vCenter admin user, vCenter admin password, VMware NSX-T™ Data Center Manager URL, NSX-T Manager admin user, NSX-T Manager admin password.

Instance Types

The following table lists the Azure instances used based on a 2,000-desktop deployment example. Different Azure instance sizes can be used, although consideration should be given to the vCPU, memory and expected network bandwidth available on the different instance sizes. This can have an impact on the number of sessions a management component can support. See https://docs.microsoft.com/en-us/azure/virtual-machines/dv4-dsv4-series#dsv4-series for details on other Azure instance sizes.

Table 1: Horizon Component Instance Types on Azure (Example)

Horizon Infrastructure

Instance

vCPU

Memory

Amount

Connection Server

D4s_v4

4

16

1 per 2,000 sessions, +1

Unified Access Gateway

D4s_v4

4

16

1 per 2,000* sessions, +1

App Volumes Manager

D4s_v4

4

16

1 per 2,000 sessions, +1

Horizon Cloud Connector

D4s_v4

4

16

1

Domain Controller*

D4s_v4

4

16

Minimum 2

MS-SQL Database*

D4s_v4

4

16

Minimum 2

Windows file share*

D4s_v4

4

16

Minimum 2

*Size according to your environment

Connection Server Deployment

Deploy a Horizon Connection Server and select Azure VMware Solution to indicate that the platform that this Horizon Pod is being deployed on. This choice is only made on the first Connection Server in a pod.

Figure 1: Horizon Connection Server Installation Platform Choice

  • Version 8 2006 or later should be used.
  • Deploy a load balancer if you are using two or more Connection Servers.
  • Optionally, install a Horizon event database on a Microsoft SQL Server.

Horizon Cloud Connector Deployment

One Horizon Cloud Connector is deployed per Horizon Pod. For more information, see High-Level Workflow When You are Onboarding an Existing Manually Deployed Horizon Pod as Your First Pod to Your Horizon Cloud Tenant Environment.

Unified Access Gateway Deployment

Deploy a Unified Access Gateway appliance and connect it to the Connection Server if your deployment supports remote users.

  • Use Unified Access Gateway version 20.06 or later.
  • Use the PowerShell script to include the password and encode special characters in the .ini configuration file. For more information, see the Unified Access Gateway documentation.
  • Specify static routes for the NIC connected to the Internal DMZ and specify all RFC1918 networks with the Internal DMZ gateway.
    • For example: routes1=10.0.0.0/8 10.6.4.1,172.16.0.0/12 10.6.4.1,192.168.0.0/16 10.6.4.1
    • Where: 10.6.4.1 is the Internal DMZ gateway.

Deploying Horizon over Hybrid Cloud

You might already have Horizon environments on-premises or on another cloud platform. The Horizon pod on-premises and your Horizon pod with Azure VMware Solution can be managed separately. Alternatively, you can extend your other Horizon environments by linking them with your Horizon with Azure VMware Solution environment using Cloud Pod Architecture (CPA). Deploying your Horizon over hybrid cloud enables you to manage your on-premises deployment and your cloud deployment in a single federated space.

For hybrid cloud deployment, follow these steps.

  1. Configure ExpressRoute and firewall rules to enable the Connection Server instance with Azure VMware Solution to communicate with the Connection Server instance on-premises.
  2. Prepare Microsoft Active Directory (AD) and choose to set up a one-way trust or a two-way trust.
  3. Ensure that your on-premises Horizon version is 7.5 or later.
    Note: The Horizon version deployed on-premises does not have to match the Horizon version deployed on Azure VMware Solution. However, you cannot mix a Horizon 7.4 pod (or lower) with a Horizon 8 or 7 pod within the same CPA.
  4. Use Cloud Pod Architecture to connect the other Horizon pods against the Horizon pod with Azure VMware Solution.
  5. For easy sharing of VM images and ISO images, you can use the vCenter Content Library on each vCenter Server.
  6. For outbound Internet access on the AVS Private Cloud (SDDC), go to AVS SDDC from Azure Portal > Connectivity > Settings > Internet Enabled and set this to Enabled:

Afbeelding met tekst

Automatisch gegenereerde beschrijving

Figure 2: Enable Internet Access for the SDDC

Connection, Firewall and Load Balancer Configuration

To set up a successful hybrid cloud deployment, you must follow these connection and firewall rules.

Connection Rules

Use the Azure portal to create an ExpressRoute in the vNet to connect to your on-premises management network. Finally, specify DNS server addresses for the management network.

Firewall Rules

The following table describes firewall rules for the Azure vNet.

Table 2: Management Inbound Security Rules

Rule Name

Port

Protocol

Source

Destination

Action

Allow-UAG-CS-XML_API

443

TCP

Unified Access Gateway Internal - Application Security Group

Connection Servers - Application Security Group

Allow

Allow_443-CS

443,8443

Any

Any

Connection Servers - Application Security Group

Allow

Allow_AVSDesktop-AVM

443

TCP

VDI Subnet

AppVolumes Managers - Application Security Group

Allow

Allow_DomainControllerInbound

Any

Any

Horizon Management Subnet,

VDI Subnet,

On-premises Management Subnet

Domain Controllers - Application Security Group

Allow

Allow_AVM-MGMT-DC

443

TCP

Horizon Management Subnet

AppVolumes Managers - Application Security Group

Allow

Allow_LDAP_Replication-CS-CS

22389,

22636,

49152-65535,

389,

135,

32111,

4100,

4101

TCP

Connection Servers - Application Security Group

Connection Servers - Application Security Group

Allow

Allow_InterPODCommunication

8472,

22389,

22636,

49152-65535,

135

TCP

On-premises Management Subnet

Connection Servers - Application Security Group

Allow

Allow_CloudConnector-CS

443,4002

TCP

Cloud Connector - Application Security Group

Connection Servers - Application Security Group

Allow

Allow_WorkspaceONEConnector-CS

443,389

TCP

WS ONE Access Connector - Application Security Group

Connection Servers - Application Security Group

Allow

Allow_AVM-DB

1433

TCP

AppVolumes Managers - Application Security Group

SQL Database - Application Security Group

Allow

Allow_AVSDesktop-CS

4001,

4002,

389

TCP

VDI Subnet

Connection Servers - Application Security Group

Allow

Allow_DFS_FileServerAccess

135,

137,

138,

139,

445,

5445,

5722

Any

Horizon Management Subnet,

VDI Subnet,

On-premises Management Subnet

File Server - Application Security Group

Allow

Allow_UAG-DNSonDC

53

Any

Unified Access Gateway Internal - Application Security Group

Domain Controllers - Application Security Group

Allow

Allow_CloudConnectorMgmt

443

TCP

Horizon Management Subnet

Cloud Connector - Application Security Group

Allow

Allow_ALB-AVM

443

TCP

AzureLoadBalancer

AppVolumes Managers - Application Security Group

Allow

Allow_ALB-CS

443,

8443

TCP

AzureLoadBalancer

Connection Servers - Application Security Group

Allow

Deny_All

Any

Any

Any

Any

Deny

AllowVnetInBound

Any

Any

VirtualNetwork

VirtualNetwork

Allow

AllowAzureLoadBalancerInBound

Any

Any

AzureLoadBalancer

Any

Allow

DenyAllInBound

Any

Any

Any

Any

Deny

Table 3: Management and Internal DMZ Outbound Security Rules

Rule Name

Port

Protocol

Source

Destination

Action

AllowVnetOutBound

Any

Any

VirtualNetwork

VirtualNetwork

Allow

AllowInternetOutBound

Any

Any

Any

Internet

Allow

DenyAllOutBound

Any

Any

Any

Any

Deny

 

Table 4: Internal DMZ Inbound Security Rules

Rule Name

Port

Protocol

Source

Destination

Action

Allow_UAG-Management

9443

TCP

Horizon Management Subnet

Unified Access Gateway Internal - Application Security Group

Allow

Deny_All

Any

Any

Any

Any

Deny

AllowVnetInBound

Any

Any

VirtualNetwork

VirtualNetwork

Allow

AllowAzureLoadBalancerInBound

Any

Any

AzureLoadBalancer

Any

Allow

DenyAllInBound

Any

Any

Any

Any

Deny

 

Table 5: External Inbound Security Rules

Rule Name

Port

Protocol

Source

Destination

Action

Port_443

443

TCP

Any

Unified Access Gateway External - Application Security Group

Allow

BLAST_TCP

8443

TCP

Any

Unified Access Gateway External - Application Security Group

Allow

BLAST_UDP

8443

UDP

Any

Unified Access Gateway External - Application Security Group

Allow

UDP_Tunnel

443

UDP

Any

Unified Access Gateway External - Application Security Group

Allow

PCoIP_TCP

4172

TCP

Any

Unified Access Gateway External - Application Security Group

Allow

PCoIP_UDP

4172

UDP

Any

Unified Access Gateway External - Application Security Group

Allow

Allow_ALB-UAG-EXT

443

TCP

AzureLoadBalancer

Unified Access Gateway External - Application Security Group

Allow

AllowVnetInBound

Any

Any

VirtualNetwork

VirtualNetwork

Allow

AllowAzureLoadBalancerInBound

Any

Any

AzureLoadBalancer

Any

Allow

DenyAllInBound

Any

Any

Any

Any

Deny

 

Table 6: External DMZ Outbound Security Rules

Rule Name

Port

Protocol

Source

Destination

Action

AllowInternetOutBound

Any

Any

Any

Internet

Allow

DenyAllOutBound

Any

Any

Any

Any

Deny

 

Load Balancers

For redundancy, load balancers are used for Unified Access Gateways, Connection Servers, and App Volumes Managers. In Azure, when adding a load balancer outbound NAT is no longer working for internal load balancers, as such every component behind a load balancer also gets connected to an outbound only load balancer for Internet access. Internet access is useful for certificate revocation list checking and updates.

Table 7: Load Balancers

Name

UAG

CS

AVM

Outbound Internet

SKU

Public Standard

Internal Standard

Internal Standard

Public Standard

Protocol

TCP

TCP

TCP

All

Port

443

443

443

na

Backend port

443

443

443

na

Backend Pool

Unified Access Gateways

Connection Servers

App Volumes Managers

Connection Servers, App Volumes Managers

Health Probe

HTTPS:443/favicon.ico

HTTPS:443/favicon.ico

HTTPS:443/health_check

na

Session Persistence

Client IP

Client IP

Client IP

na

Floating IP

Disabled

Disabled

Disabled

na

TCP reset

Disabled

Disabled

Disabled

na

SNAT

Use outbound rules

Use outbound rules

Use outbound rules

na

What’s Next?

Now that you have come to the end of this chapter, you can return to the landing page and search or scroll to select your next chapter in one of the following sections:

  • Overview chapters provide understanding of business drivers, use cases, and service definitions.
  • Architecture chapters explore the products you are interested in including in your platform, including Workspace ONE UEM, Workspace ONE Access, Workspace ONE Assist, Workspace ONE Intelligence, Horizon, App Volumes, Dynamic Environment Manager, and Unified Access Gateway.
  • Integration chapters cover the integration of components and services you need to create the platform capable of delivering what you want.
  • Configuration chapters provide reference for specific tasks as you build your platform, such as installation, deployment, and configuration processes for Horizon, App Volumes, Dynamic Environment Management, and more.

 

Filter Tags

Horizon Horizon Document Reference Architecture Advanced Deploy Windows Delivery