How Does VMware Horizon Work?
As you learned in our What Is VMware Horizon? article, VMware Horizon® is the leading platform for Windows desktop and application virtualization, providing a consistent user experience across devices and locations while keeping corporate data secure and compliant. In this article, we’ll discuss how it works, including the various components and how they fit together.
Horizon Hybrid and Multi-Cloud Architecture
In a hybrid architecture, organizations might start out with the VMware Horizon and vSphere infrastructure servers, as well as the virtual desktops and Microsoft RDSH server farms, residing on-premises, while the management control plane is a cloud service. This strategy is especially useful for many of today’s most urgent use cases, including work from home, business continuity, real-time bursting, disaster recovery, and high availability.
From this starting point, organizations can deploy and scale up Horizon pods of desktops and apps in one or more private or public clouds while retaining their on-premises Horizon pods. This way, organizations can migrate from on-premises to running completely in the cloud when they are ready.
In a multi-cloud architecture, organizations can place pods of Horizon desktops and apps in one or more public or private clouds. Cloud options include using either a public cloud infrastructure or a VMware vSphere infrastructure on the cloud platform. Horizon Cloud Service is a VMware-managed virtual desktop and application solution that provides desktops as a service using a Microsoft Azure or IBM Cloud public cloud infrastructure:
- Horizon Cloud Service on Microsoft Azure
- Horizon Cloud Service on IBM Cloud
Other cloud options include cloud platform support for the native (VMware vSphere) stack, including:
- Horizon on VMware Cloud™ on AWS
- Horizon on Azure VMware Solution (AVS)
- Horizon on Google Cloud VMware Engine (GCVE)
- Horizon on VMware Cloud™ on Dell EMC
- Horizon on Oracle Cloud VMware Solution
The following diagram shows the logical architecture of a typical Horizon implementation.
Following are descriptions of the elements in this diagram.
Horizon Control Plane is a cloud-based service that unifies and simplifies management across pods, providing monitoring as well as image, application, and lifecycle management.
In addition, a global entitlement layer connects Horizon pods, letting end users access their desktop in any connected pod or cloud.
Horizon Cloud Connector is a virtual appliance that you pair with a Connection Server in an on-premises pod so that the pod can be connected to the Horizon Control Plane. This pairing also enables the use of subscription licensing.
Horizon Connection Server manages sessions between users and their virtual desktops or published applications. These published applications are hosted on Microsoft Windows Remote Desktop Session Host (RDSH) virtual machines (VMs). The Connection Server also includes the instant-clone engine, which provides single-image management with automation capabilities.
Unified Access Gateway virtual appliances provide a secure gateway so that users who are outside the corporate network can access their virtual desktops and published applications through the secure gateway rather than a VPN.
VMware App Volumes™ software can also optionally be used for packaging applications that are virtually attached rather than natively installed on the virtual desktop or RDSH server.
VMware Dynamic Environment Manager™ (formerly User Environment Manager) lets you configure user-specific Windows desktop and application settings that are applied in the context of the client device, location, or other conditions. Policies are enforced when users log in, launch an app, reconnect, or when some other triggering event occurs.
You can also configure folder redirection for storing personal user data, including documents, pictures, and so on.
Instant Clone Technology is preferred for cloning desktops and RDSH servers. The virtual desktop can contain either a Windows or a Linux operating system.
RDSH server farms and virtual desktop pools are created from the golden image. The Horizon Agent software on the VMs communicates with the Horizon servers and the clients to determine which applications and desktops to provide to which groups of users.
VMware vSphere® servers can host all of these components: the various server VMs, desktop VMs, and RDSH server VMs.
VMware Horizon Client™ software, used on client devices, can be downloaded for free from app stores or from VMware to install on iOS, Android, Chromebook, Windows, macOS, or Linux clients, or users can open a browser and enter the server URL to use the HTML Access web client.
Just-in-Time Desktops and Apps
VMware just-in-time technologies are able to decouple each aspect of a desktop to allow it to be managed on a per-user or per-group basis. Each component of the desktop is virtualized and managed centrally rather than separately, as is done in a traditional distributed per-VM approach.
As illustrated in the following figure, application-management containers are managed separately from the desktop OS. Similarly, user data files and OS- and application-specific configurations are decoupled from the OS and kept on separate file shares.
The following components of JIT desktops and apps work together to compose a just-in-time personalized desktop:
- VMware Dynamic Environment Manager™ share – A file share that stores user-specific desktop and application settings, making them available across multiple devices, Windows versions, and application instances. Application settings are imported and applied at application launch. Windows settings (such as the desktop background, desktop screensaver, and keyboard settings) are imported at login. When a user quits an application or logs out of the OS, settings are exported and saved on the file share.
- User data share – A file share that stores personal user data, documents, pictures, and so on that are redirected from specific folders inside the VM. This strategy minimizes the number of files that must be copied to the VM when the user logs in.
- VMware App Volumes™ Packages – Read-only containers for one-to-many delivery of IT-managed applications.
  - For virtual desktops, App Volumes packages are assigned to an Active Directory user or group, and assigned packages are attached to the desktop when a user logs in.
  - For RDSH servers, which provide published applications and shared session-based desktops, App Volumes packages are assigned to the group object in Active Directory that contains the computer objects for the servers. Assigned packages are attached to the RDSH server at boot time.
- Writable volume – A one-to-one, user-specific, read-and-write container for user-installed applications or for applications that require a local cache, since a writable volume appears as part of the local C: drive. Users must ordinarily have administrator permissions to install applications in a virtual desktop, just as they would for a physical desktop. However, Dynamic Environment Manager has a Permission Elevation feature that administrators can now use so that users can install applications without having full administrator permissions.
  Important: In companies that require tight control over virtual desktops and apps, you need not provide users with a writable volume. In this case, when users log out, they lose any changes they might have made to the OS, as well as any data they might have saved to a folder location that is not redirected.
- Instant clone – A VM that is created by rapidly cloning a golden VM image.
With all these components working together, Horizon desktops and apps are delivered to end users through the Blast Extreme display protocol. Blast Extreme provides the responsiveness and high-fidelity display end users are accustomed to, even when those users require graphically intensive, 3D applications or high-definition (up to 8K) displays.
VMware Horizon Client software is available from app stores or from VMware for iOS, Android, Chrome, Windows, Linux, and macOS so that users can access published applications and VDI desktops from any device.
An HTML Access web client is also available, and it does not require installing any software on client devices.
Optional Workspace ONE End-User Components
Workspace ONE leverages VMware Workspace ONE® Access (formerly VMware Identity Manager), which provides application provisioning, a self-service catalog, conditional access controls, and single sign-on for SaaS, web, cloud, and native mobile applications. In addition, Workspace ONE Access provides single-sign-on access to Horizon virtual desktops and published applications. Users can access the Workspace ONE app catalog from their browsers.
When Workspace ONE is integrated with Horizon, users can also access the app catalog through the Workspace ONE Intelligent Hub app, either from a browser or from a tablet or smartphone.
With one click in the Workspace ONE catalog, the selected published app or virtual desktop is launched in Horizon Client.