What Is VMware Horizon and How Does It Work?
VMware Horizon 8
What Is VMware Horizon?
Virtual desktop infrastructure (VDI) products, such as VMware Horizon®, enable IT departments to run virtual machine (VM) desktops and applications in the data center or cloud and remotely deliver these desktops and applications to employees as a managed service. This computer-within-a-computer strategy enables multiple VMs to be run per physical server core.
For administrators, this means desktop and application management can be simplified, automated, and made more secure. Admins can quickly create virtual desktops on demand based on location and profile, and securely deliver desktops as a service from a single control plane. VMware Horizon supports hybrid (on-premises but managed in the cloud) as well as multi-cloud architectures, to enable global entitlement and management.
End users can access their personalized virtual desktops or remote RDSH-published applications from company laptops, their home PCs, thin client devices, Macs, tablets, or smartphones. Horizon is the leading platform for Windows desktop and application virtualization, providing a consistent user experience across devices, locations, and networks. All of this is accomplished while keeping corporate data compliant and securely stored in the data center on premises or in a private or public cloud, such as Microsoft Azure, VMware Cloud™ on AWS, Google Cloud, IBM Cloud, or other partner clouds.
When VDI solutions first started appearing, about a decade ago, the strategy was to take a Windows desktop system, install applications, virtualize the whole thing, and place it in the data center. Unlike this traditional VDI, Horizon is built on technologies that allow components of a desktop or application to be decoupled and managed independently in a centralized manner, yet reconstituted on demand to deliver a personalized user workspace.
For example, when the user logs in, a virtual desktop can assemble itself on the fly by combining an instant clone of a golden image (VM) with a user environment profile and one or more containerized applications that attach themselves to (but are not installed in) the VM.
Besides improving on traditional VDI, Horizon allows the same strategy to be used with Microsoft Remote Desktop Session Host (RDSH) server farms, which provide published applications and desktops.
In addition, Horizon integrates with VMware Workspace ONE® on a common identity framework to provide a single catalog for accessing Windows applications and desktops, as well as software-as-a-service (SaaS), web, cloud, and native mobile applications.
What Are the Key Capabilities / Features of VMware Horizon?
Horizon features can be broadly grouped into two categories, those that benefit IT admins and those that primarily benefit end users. Because this article is written for IT admins, let’s begin with the management and administration benefits.
Note: For cloud-based Horizon deployments, organizations have a choice between using a cloud-native infrastructure, such as a Microsoft Azure data center, or a VMware software-defined data center, which uses a VMware vSphere® infrastructure. For example, Horizon Cloud® on Microsoft Azure uses a Microsoft Azure data center, whereas the Azure VMware® Solution uses a vSphere data center delivered by Microsoft on Azure. In the sections that follow, mentions of vSphere-enabled features, such as Instant Clone Technology, do not apply to Horizon Cloud on Microsoft Azure.
Deliver applications and desktops automatically and in real-time.
With VMware just-in-time desktops and applications, the necessary systems are provisioned in real time. Horizon uses the following components to deploy desktop and application services to specific groups of users at the time and location the IT admin chooses:
- VMware vSphere Instant Clone Technology leverages the VMware virtualization infrastructure for ultra-fast desktop provisioning. Cloning a VM takes only a second or two.
- VMware Dynamic Environment Manager™ (formerly User Environment Manager) enables admins to personalize user and application settings and configure user environments dynamically based on conditions such as the user’s location, type of device, and user group.
- VMware App Volumes™ is a container-style technology that attaches applications to a VM at login time. App Volumes eliminates the pain in application packaging and can reduce the number of images admins must manage by up to 70 percent.
These technologies, used together, rapidly create desktops that seem persistent. They maintain user customizations, user-installed applications, and more, from session to session, even though the desktop itself is destroyed on logout. New desktops are automatically recreated and ready for the user’s next login.
Simplify management and maintenance tasks.
Horizon gives you the benefits of VDI, which include security, reliability, and access from all types of client devices, while removing the usual obstacles. For example, instead of each user having a dedicated VM that requires as much maintenance effort as a physical desktop, only a few golden VM images are required.
Other VMware technologies provide personalization and the seeming experience of a dedicated, persistent desktop. Users no longer need to equate the VDI experience with a locked-down, restricted, vanilla desktop:
- Instant Clone Technology allows administrators to quickly create virtual desktops that share virtual disks with a golden image, conserving disk space and simplifying the management of OS patches and updates—no separate server or database required.
- Horizon Control Plane is a feature-rich, cloud-based service that uses a multi-tenant, cloud-scale architecture and enables administrators to choose where virtual desktops and applications reside. For more information, see the section of the VMware Workspace ONE and VMware Horizon Reference Architecture.
- VMware Advanced Monitoring powered by ControlUp can be purchased and added for monitoring, reporting, deep in-guest troubleshooting, and root cause analysis.
Keep sensitive data safe and enforce endpoint compliance.
Horizon includes security features across all product areas, from the data center and network to the endpoint, including mobile devices.
- Communication among server components, client devices, and, optionally, virtual desktops uses TLS/SSL.
- With Dynamic Environment Manager, you can easily configure fine-grained policies for application blocking and disabling features such as copying, pasting, and printing based on user device, location, and other defined security conditions.
- VMware NSX can provide micro-segmentation for network data separation. NSX advantages include providing security within the hypervisor—no additional hardware required. Note that NSX is not bundled in perpetual Horizon editions. You can purchase it as a standalone license per user. NSX is typically included in VMware-based infrastructure-as-a-service solutions, such as VMware Cloud on AWS, Google Cloud VMware Engine, and Azure VMware Solution.
- For endpoint protection of virtual desktops, ™ provides support for persistent Horizon desktops and previews nonpersistent clones to detect and prevent malware and fileless non-malware attacks. Carbon Black also has audit and remediation features, using a system-centric, cloud-based approach.
Give end users a rich, personalized experience from any device and any location.
When integrated with Workspace ONE, end users can sign on once, through the Workspace ONE Intelligent Hub, and access all their personalized virtual desktops and applications from company laptops, their home PCs, thin client devices, Macs, tablets, or smartphones.
- Blast Extreme is the VMware user-interface remoting technology. With the Blast Extreme display protocol, end users can enjoy the responsiveness and high-fidelity display they are accustomed to, even those users that require graphically intensive, 3D applications or high-definition (up to 8K) displays.
- Optimization packs are available to provide an enhanced audio and video experience and support for Zoom, Cisco WebEx, and Microsoft Teams.
- Horizon virtual desktops and applications can connect to most commonly used peripherals, including printers, scanners and imaging devices, smart cards, and USB storage devices.
- In addition to Windows virtual desktops and apps, you can provide virtualized Linux desktops to developers, CAD/CAM developers, government workers, and organizations who want to take advantage of the cost savings, security, and customizations available with Linux.
Give your users a desktop that can never die.
Physical hardware can have accidents, get lost, get stolen, or just die. Restoring from a backup is a pain, takes time, and might or might not bring back your most recent work. In contrast, virtualized desktops and applications are, by design, highly available and accessible from whatever device is appropriate for the user at any given time and location.
- For example, a user starts writing a report on the branch office PC, and suddenly the power goes out in their building. The user can pick up where they left off at home on their MacBook or iPad because their virtual desktop does not reside on that office PC.
- In fact, if a user does not happen to have a device of their own at the moment, they can borrow one and use the Horizon HTML Access web client. The web client does not require installing any software on the client device.
- VMs can reside on high-availability clusters of VMware vSphere servers.
These are just a few of the remote experience features available. For more detail and a longer list, see the blog post The Evolution of VMware Horizon for Hybrid and Multi-Cloud Deployments of Virtual Desktops and Applications.
Horizon Hybrid and Multi-Cloud Architecture
In a hybrid architecture, organizations might start out with the VMware Horizon and vSphere infrastructure servers, as well as the virtual desktops and Microsoft RDSH server farms, residing on-premises, while the management control plane is a cloud service. This strategy is especially useful for many of today’s most urgent use cases, including work from home, business continuity, real-time bursting, disaster recovery, and high availability.
From this starting point, organizations can deploy and scale up Horizon pods of desktops and apps in one or more private or public clouds while retaining their on-premises Horizon pods. This way, organizations can migrate from on-premises to completely in the cloud when they are ready.
In a multi-cloud architecture, organizations can place pods of Horizon desktops and apps in one or more public or private clouds. Cloud options include using either a public cloud infrastructure or a VMware vSphere infrastructure on the cloud platform. Horizon Cloud Service is a VMware-managed virtual desktop and application solution that provides desktops as a service using a Microsoft Azure or IBM Cloud public cloud infrastructure:
- Horizon Cloud Service on Microsoft Azure
- Horizon Cloud Service on IBM Cloud
Other cloud options include cloud platform support for the native (VMware vSphere) stack, including:
- Horizon on VMware Cloud™ on AWS
- Horizon on Azure VMware Solution (AVS)
- Horizon on Google Cloud VMware Engine (GCVE)
- Horizon on VMware Cloud™ on Dell EMC
- Horizon on Oracle Cloud VMware Solution
The following diagram shows the logical architecture of a typical Horizon implementation.
Following are descriptions of the elements in this diagram.
Horizon Control Plane is a cloud-based service that unifies and simplifies management across pods, providing monitoring as well as image, application, and lifecycle management.
In addition, a global entitlement layer connects Horizon pods, letting end users access their desktop in any connected pod or cloud.
Horizon Cloud Connector is a virtual appliance that you pair with a Connection Server in an on-premises pod so that the pod can be connected to the Horizon Control Plane. This pairing also enables the use of subscription licensing.
Horizon Connection Server manages sessions between users and their virtual desktops or published applications. These published applications are hosted on Microsoft Windows Remote Desktop Session Host (RDSH) virtual machines (VMs). The Connection Server also includes the instant-clone engine, which provides single-image management with automation capabilities.
Unified Access Gateway virtual appliances provide a secure gateway so that users who are outside the corporate network can access their virtual desktops and published applications through the secure gateway rather than a VPN.
VMware App Volumes™ software can also optionally be used for packaging applications that are virtually attached rather than natively installed on the virtual desktop or RDSH server.
VMware Dynamic Environment Manager™ (formerly User Environment Manager) lets you configure user-specific Windows desktop and application settings that are applied in the context of the client device, location, or other conditions. Policies are enforced when users log in, launch an app, reconnect, or when some other triggering event occurs. You can also configure folder redirection for storing personal user data, including documents, pictures, and so on.
Instant Clone Technology is preferred for cloning desktops and RDSH servers. The virtual desktop can contain either a Windows or a Linux operating system.
RDSH server farms and virtual desktop pools are created from the golden image. The Horizon Agent software on the VMs communicates with the Horizon servers and the clients to determine which applications and desktops to provide to which groups of users.
VMware vSphere® servers can host all of these components—the various server VMs, desktop VMs, RDSH server VMs.
VMware Horizon Client™ software, used on client devices, can be downloaded for free from app stores or from VMware to install on iOS, Android, Chromebook, Windows, macOS, or Linux clients, or users can open a browser and enter the server URL to use the HTML Access web client.
Just-in-Time Desktops and Apps
VMware just-in-time technologies are able to decouple each aspect of a desktop to allow it to be managed on a per-user or per-group basis. Each component of the desktop is virtualized and managed centrally rather than separately, as is done in a traditional distributed per-VM approach.
As illustrated in the following figure, application-management containers are managed separately from the desktop OS. Similarly, user data files and OS- and application-specific configurations are decoupled from the OS and kept on separate file shares.
The following components of JIT desktops and apps work together to compose a just-in-time personalized desktop:
- VMware Dynamic Environment Manager™ share – A file share that stores user-specific desktop and application settings, making them available across multiple devices, Windows versions, and application instances. Application settings are imported and applied at application launch. Windows settings (such as the desktop background, desktop screensaver, keyboard settings) are imported at login. When a user quits an application, or logs out of the OS, settings are exported and saved on a file share.
- User data share – A file share that stores personal user data, documents, pictures, and so on that are redirected from specific folders inside the VM. This strategy minimizes the number of files that must be copied to the VM when the user logs in.
- VMware App Volumes™ Packages – Read-only containers for one-to-many delivery of IT-managed applications.
  - For virtual desktops, App Volumes packages are assigned to an Active Directory user or group, and assigned packages are attached to the desktop when a user logs in.
  - For RDSH servers, which provide published applications and shared session-based desktops, App Volumes packages are assigned to the group object in Active Directory that contains the computer objects for the servers. Assigned packages are attached to the RDSH server at boot time.
- Writable volume – A one-to-one, user-specific, read-and-write container for user-installed applications or for applications that require a local cache, since a writable volume appears as part of the local C: drive. Users must ordinarily have administrator permissions to install applications in a virtual desktop, just as they would for a physical desktop. However, Dynamic Environment Manager has a Permission Elevation feature that administrators can now use so that users can install applications without full administrator permissions.
Important: In companies that require tight control over virtual desktops and apps, you need not provide users with a writable volume. In this case, when users log out, they lose any changes they might have made to the OS, as well as any data they might have saved to a folder location that is not redirected.
- Instant clone – A VM that is created by rapidly cloning a golden VM image.
With all these components working together, Horizon desktops and apps are delivered to end users through the Blast Extreme display protocol. Blast Extreme provides the responsiveness and high-fidelity display end users are accustomed to, even when those users require graphically intensive, 3D applications or high-definition (up to 8K) displays.
VMware Horizon Client – What is VMware Horizon Client? It is the app you can use on client devices to access published applications and VDI desktops from anywhere, anytime. The Horizon Client app is available from app stores or from VMware and can be installed on iOS, Android, Chrome, Windows, Linux, and macOS devices.
An HTML Access web client is also available, and it does not require installing any software on client devices.
Optional Workspace ONE End-User Components
Workspace ONE Access (formerly VMware Identity Manager) is included with Horizon and enables you to deliver Horizon, web, and SaaS apps. You can also integrate Workspace ONE, which enables you to deliver native mobile and desktop apps, ensure device compliance, and more.
Workspace ONE Access – Is an identity and access management solution that provides end users with a self-service app catalog to access Horizon desktops and apps, plus SaaS and web applications via a supported browser. It is included with all versions of Horizon as either a VMware-managed SaaS solution or a user-managed, on-premises deployment.
Workspace ONE Access can integrate with a variety of identity providers and supports modern authentication methods. It features single sign-on, conditional access policies, and built-in multi-factor authentication functionality.
Using Workspace ONE Access that is licensed with Horizon, end users have the option of accessing the app catalog through a web browser only:
Workspace ONE integration – Includes all the advantages of Workspace ONE Access, as well as support for delivering desktop and native mobile applications in the self-service catalog, utilizing to deliver the applications to devices over the air.
Using Workspace ONE integrated with Horizon, end users can access the app catalog either from a browser, as shown above, or through the Workspace ONE Intelligent Hub app on a desktop client:
Or from a tablet or smartphone:
With one click in the Workspace ONE catalog, the selected published app or virtual desktop is launched in Horizon Client.
Why Consider VMware Horizon?
Horizon is a complete solution that delivers, manages, and protects virtual desktops, RDSH-published desktops, and applications across devices and locations. From provisioning to management and monitoring, Horizon offers an integrated stack of enterprise-class technologies that can deploy hundreds of customized desktops and RDSH servers in a few minutes from centralized single images.
Horizon can be integrated with Workspace ONE through Workspace ONE Access (formerly VMware Identity Manager) either on-premises or as part of the Workspace ONE service. Workspace ONE Access is provided with Horizon Enterprise Edition or Workspace ONE when purchased.