By Curtis Brown
I’ll be honest – I like VDI. It’s a great way of delivering a slick, consistent managed desktop experience, not to mention applications, to users from practically any device or location. However, it does have a somewhat serious Achilles’ heel – you can access a desktop or application from any device or location only so long as you can connect to the VDI platform. So if your connection is poor or non-existent, well, it’s normally back to traditional corporate laptops and all the management overhead that this entails.
Once upon a time, VMware attempted to answer this problem by providing an offline mode for VMware View (back in the pre-Horizon days). Even VMware themselves accepted that this was less than successful – the capability was later dropped. The issue was that the mechanism for checking desktops in and out essentially meant downloading and uploading entire VMs regularly – obviously not a tenable position, particularly as internet connections a few years ago were even worse than now. However, VMware has revisited the requirement for offline desktops by looking in the kit bag and coming up with a new solution. As with all corporates, they had to give it a publicity-friendly name – introducing Horizon FLEX.
So what is FLEX?
FLEX takes the back-end web services of Horizon Mirage and combines them with the desktop hypervisor products VMware Fusion Pro (for Apple Mac clients) and VMware Workstation Player (for Windows PCs).
Horizon FLEX is installed in the datacenter. In Mirage, you have a management server and Mirage servers, with the latter providing the capacity for the solution. Here, for FLEX, it’s the management part that’s important. Using the Mirage features (backup and recovery, app layers etc.) is actually optional – if you don’t plan to use them, the Mirage server role can simply be co-hosted on the management server. The FLEX solution is very dependent on certificates – publicly trusted certificates are strongly recommended, particularly in a BYOD context, though private certificates are workable too. On the client side, we have an installation of VMware Fusion Pro or VMware Workstation Player. Note that VMware Workstation Pro includes Player – but it is Player, not Pro, that acts as the FLEX client on Windows.
So how does it work?
We create a template VM using VMware Fusion, configuring it to serve as an image in FLEX (this includes enabling VM encryption and pointing the image at the FLEX server for management). The VM is exported as a compressed TAR file and then uploaded to a simple HTTP server. The image is then registered by an admin in the FLEX admin console. With the image registered in FLEX, it can now be entitled to Active Directory based users (or groups). The entitlement defines aspects such as VM naming, expiration of the image and Active Directory joining. For the domain join, it is possible to inject Microsoft DirectAccess VPN configuration into a Windows 10 image. This permits a secure Active Directory join and access from within the VM over the internet. We can also define policies such as locking down USB access to the VM. Our user opens the client software (Workstation Player, as shown in the example below) and selects the option to connect to the VMware Horizon FLEX server.
After entering server details and credentials, if the user is entitled to a desktop, it can be selected for download. The client pulls the image from the HTTP server, with the relevant policy and configuration settings from FLEX. When the VM is first started, the user must enter an unlock passphrase (configured when the image is created and published) in order to access the encrypted image. The VM is then configured (naming and so on) prior to allowing the user to log into the VM and hey presto, our user has a secure, offline desktop based on a corporate image. A VM image can be supplied on a USB stick, copied to the device and used where downloading an image is unattractive. Even in this context, an initial connection to the FLEX server is required in order to authenticate, acquire policy and configuration and decrypt the VM.
Putting the flexibility in FLEX
One of the key things about FLEX is its flexibility. Here are a few useful pointers:
- The VM within the image needn’t be Windows. You don’t even have to use all of the native features of FLEX such as Active Directory domain join. Officially, Windows XP upwards plus Ubuntu are supported as guests.
- If you go down the Windows route, you could include the Horizon Mirage agent within the VM and manage the OS and applications this way, or include other solutions such as SCCM.
- For publishing over the internet, consideration will need to be given to securing FLEX itself, but more importantly to access from the VM back to the corporate environment, particularly for reaching LAN-based resources. Joining Active Directory is an important aspect here; the options include the use of Read Only Domain Controllers, an endpoint-based VPN, or even an in-guest VPN.
- One clever idea a customer used was hosting the images on a geographically replicated Cloud provider. The cloud provider’s DNS entry for the storage would direct users to the nearest copy of the VM image, so automatically optimising the download for globally remote users.
- The client should really be deployed with a corporate license key. There are ways of packaging both the Windows and Apple Mac clients to deploy in a consistent manner. In the case of VMware Fusion, the downloaded Fusion Package can be edited to include a specific license key. VMware Workstation Player’s installer can be configured using command line switches to specify the license key, installation path etc. Using 7-Zip or similar to create a self-extracting archive that then launches this command line automates this further.
- Another clever customer solution was to build a website to publish the client packages and on-line help. This ensures that the user can access the configured client package, company specific guidance as well as connect and download a desktop with minimal intervention by support staff.
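Packaging the Windows client as described in the pointers above, as an added example that is not from the article or from VMware’s own tooling: a PowerShell wrapper that checks the downloaded installer’s Authenticode signature and then runs the silent install with the corporate license key. The `/s /v"/qn …"` switch syntax and the `EULAS_AGREED`, `SERIALNUMBER`, `INSTALLDIR` and `AUTOSOFTWAREUPDATE` properties are assumptions taken from VMware’s silent-install documentation; `$InstallerPath`, `$LicenseKey` and the paths are placeholders for your own packaging.

```powershell
# Added example (not the article's code): signed-installer check + silent,
# licensed install of VMware Workstation Player as the FLEX client.
# Switch/property names are assumed from VMware's silent-install docs;
# confirm them against the release notes of the Player build you package.
param(
    [Parameter(Mandatory)] [string] $InstallerPath,  # placeholder: downloaded Player installer
    [Parameter(Mandatory)] [string] $LicenseKey,     # placeholder: corporate license key
    [string] $InstallDir = 'C:\Program Files (x86)\VMware\VMware Player',
    [string] $LogPath    = "$env:ProgramData\FlexClient\install.log"
)

$ErrorActionPreference = 'Stop'
New-Item -ItemType Directory -Force -Path (Split-Path $LogPath) | Out-Null

# 1. Refuse to launch an installer that is unsigned, tampered with, or not
#    signed by the vendor. This is the check a packaged deployment should
#    make before anything runs with admin rights.
$sig = Get-AuthenticodeSignature -FilePath $InstallerPath
if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'VMware') {
    throw "Installer signature check failed: status=$($sig.Status) subject=$($sig.SignerCertificate.Subject)"
}

# 2. Silent install. MSI-style properties are passed through /v, so the
#    license key and install path are set without any user interaction.
$msiProps = "/qn EULAS_AGREED=1 SERIALNUMBER=`"$LicenseKey`" INSTALLDIR=`"$InstallDir`" AUTOSOFTWAREUPDATE=0 /l*v `"$LogPath`""
$proc = Start-Process -FilePath $InstallerPath -ArgumentList '/s', "/v`"$msiProps`"" -Wait -PassThru
if ($proc.ExitCode -notin 0, 3010) {   # 3010 = success, reboot required
    throw "Installer exited with code $($proc.ExitCode); see $LogPath"
}

# 3. Confirm the client actually landed where the user guidance says it is.
$exe = Join-Path $InstallDir 'vmplayer.exe'
if (-not (Test-Path $exe)) { throw "vmplayer.exe not found under $InstallDir" }
$ver = (Get-Item $exe).VersionInfo.ProductVersion
Write-Output "VMware Workstation Player $ver installed; reboot required: $($proc.ExitCode -eq 3010)"
```

Wrap this script and the installer in the self-extracting archive mentioned above so the license key never has to be typed by the user.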