
Endless options with VMware Horizon and VMware Workspace ONE

Curtis Brown

There are a considerable number of blog posts and articles that have looked at the individual components of the VMware® End User Compute stacks, so I thought I’d take a high-level look at some of what’s possible when we take VMware Horizon and VMware Workspace ONE on in their entirety.

The Moving Parts

In the early days of VMware’s End User Compute efforts, we were looking at a relatively simple stack of VMware vCenter, ESX and Virtual Desktop Manager (or, to you young folks, Horizon View 1.0 or 2.0 back in 2007/8).  These days, things are somewhat more powerful, offering a wider array of capabilities, but these capabilities also require more moving parts.

The diagram below shows the VMware components that could be deployed in a solution. 

VMware Components that can be deployed in a solution

Now, let’s look a little deeper…

VMware NSX - VMware vCenter, ESXi & vSAN - VMware Horizon Connection Servers, Security Servers/UAG, Composer Server

For Virtual Desktop delivery, we have the underlying infrastructure of VMware vSphere with vCenter and ESXi.  However, we can enhance this further in two ways.  Firstly, we can leverage local storage by implementing VMware vSAN rather than relying on a SAN/NAS based solution.  Secondly, we could deploy VMware NSX to provide enhanced security in the form of micro-segmentation of the network as well as anti-malware protection using Guest Introspection.

For publishing desktops, we have VMware Horizon View.  The connection servers provide the brains, managing entitlements and provisioning of desktop and application pools.  This includes the provisioning of Instant Clone desktop pools (and Remote Desktop Session Hosts).  For secure access from untrusted or external networks, we deploy Unified Access Gateway appliances to serve as a proxy into the solution.

With the move from VMware Horizon 7 to 8, the old Linked Clones method of delivering desktops has been retired, so no more Horizon View Composer.

VMware App Volumes - VMware ThinApp - VMware Dynamic Environment Manager

We then need to consider the management and delivery of applications and user settings.  For the latter, we can integrate VMware Dynamic Environment Manager.  This can manage environmental settings (including delivery of application shortcuts, drive mappings etc.) as well as eliminate the issues related to Windows Roaming Profiles.  For application delivery, we can use App Volumes within the virtual estate or leverage the estate itself to publish Remote Desktop Session Host based remote applications.  ThinApp, although somewhat out of favour these days, remains an option for direct delivery to Windows Endpoints (via VMware Workspace ONE Identity Manager) or within Horizon View desktops.

VMware vRealize Operations Manager - VMware Horizon Control Plane Services

When it comes to monitoring the estate, while Horizon 7 can still use VMware vRealize Operations Manager, with the retirement of the VMware Horizon Management Pack, Horizon 8 is no longer covered (refer to VMware KB 80146).  VMware recommend third party tools, notably ControlUp, for those on a perpetual license, though the primary replacement is intended to be the VMware Horizon Cloud Monitoring Service.

VMware Workspace ONE Unified Endpoint Management - VMware Workspace ONE Access

We then move out into two topics – The Endpoint and The User.  These are somewhat integrated topics these days as they do overlap. 

VMware Workspace ONE comprises two key elements: 

  • Unified Endpoint Management can provide control, configuration and administration to endpoints, be they mobile devices or traditional desktops. 
  • Access provides the user authentication layer into the solution as a whole, while also providing a unified catalogue of applications and services, whether published via VMware Horizon or through single-sign-on to cloud services. 

What parts are available is largely defined by what is purchased.  Some parts are included in the various VMware Horizon editions, while some, notably VMware vSAN and VMware NSX, are additional licenses.  In the case of Workspace ONE, VMware Horizon Advanced and above includes just Workspace ONE Identity Manager Standard.  Getting the full Workspace ONE suite requires purchasing Workspace ONE as a specific product.

VMware Horizon 8 editions can be compared at:

Perpetual licensed

Subscription licensed

The Art of the Possible

For the purposes of looking at what is possible, let us assume that an Alien Space Bat has deemed it fit to leave an unlimited budget for us to acquire all these tools.  Here are a few ideas of what we could achieve:

  • By integrating the full VMware Workspace ONE with Horizon, we can fully manage security between a user, a managed endpoint and access to Virtual Desktops.  By managing the device using VMware Workspace ONE Unified Endpoint Management and establishing Compliance checking, we can define an Access policy that allows access to the Workspace ONE catalogue only for users who have valid credentials and are using compliant devices.  In turn, users can then access a VDI desktop from the relevant icon in Workspace ONE.
Mapping user flow using the entire horizon suite
  • App Volumes, Dynamic Environment Manager (DEM) and NSX Distributed Firewall Rules can be tied to Active Directory groups.  We can therefore deploy an application in an App Volumes App Package, with a standard configuration provided by DEM and permit traffic from the application to a specific server all tied to a single Active Directory Group.
Active Directory Group Entitlement
  • It is possible to provide a single portal to a geographically spread VMware Horizon VDI offering that will connect users seamlessly to the nearest desktop instance.  Workspace ONE Access can provide location awareness based on client IP address.  By defining IP ranges, and relating these to the public DNS name for the local Horizon site, Workspace ONE will direct users to the nearest VMware Horizon site for optimum performance.  This leverages VMware Horizon Cloud Pod Architecture to present a common entitlement across all instances.
Use VMware Horizon Cloud Pod Architecture for common entitlement across regions
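
The range-to-site mapping described in the last bullet can be sanity-checked before it is configured. The sketch below is an added example, not code from the original post or from Workspace ONE: it models a planning table with hypothetical ranges and example.com host names, flags overlapping ranges, and resolves a client address to a site, falling back to an assumed default site.

```python
import ipaddress

# Constructed planning table: client network range -> public DNS name of the local Horizon site.
# All ranges and host names are hypothetical (documentation address space, example.com).
SITE_RANGES = [
    ("198.51.100.0", "198.51.100.255", "horizon-lon.example.com"),
    ("203.0.113.0", "203.0.113.127", "horizon-nyc.example.com"),
    ("203.0.113.128", "203.0.113.255", "horizon-sgp.example.com"),
]
DEFAULT_SITE = "horizon-lon.example.com"  # assumed catch-all for unlisted client addresses


def parse_ranges(table):
    """Convert start/end strings to integer bounds, rejecting malformed or reversed ranges."""
    parsed = []
    for start, end, fqdn in table:
        lo, hi = ipaddress.ip_address(start), ipaddress.ip_address(end)
        if lo.version != hi.version or int(lo) > int(hi):
            raise ValueError(f"bad range {start}-{end} for {fqdn}")
        parsed.append((lo.version, int(lo), int(hi), fqdn))
    return sorted(parsed)


def find_overlaps(parsed):
    """Report each range that overlaps an earlier one, as (earlier_site, later_site)."""
    overlaps, widest = [], None
    for cur in parsed:
        if widest and widest[0] == cur[0] and cur[1] <= widest[2]:
            overlaps.append((widest[3], cur[3]))
        if widest is None or widest[0] != cur[0] or cur[2] > widest[2]:
            widest = cur  # remember the range reaching furthest so far
    return overlaps


def resolve_site(client_ip, parsed, default=DEFAULT_SITE):
    """Return the site whose range contains client_ip, or the default site."""
    addr = ipaddress.ip_address(client_ip)
    for version, lo, hi, fqdn in parsed:
        if version == addr.version and lo <= int(addr) <= hi:
            return fqdn
    return default
```

An overlap means one client address could match two sites, so a plan that returns anything from `find_overlaps` is worth fixing before the ranges are entered.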

And these are but a few options.  When you consider that a number of these offerings are now available in a cloud-based form, the options broaden still further.  Both Workspace ONE components offer cloud and on-premises variants, while VMware Horizon now includes not only the on-premises offering, but also the ability to deploy on top of VMware Cloud on AWS or the full Desktop-as-a-Service offering of Horizon Cloud.

Closing Thoughts…

As a range of products that can be built in an array of different configurations, it is possible to design and deploy solutions that fit a broad variety of use cases, from simple to very specific. This can be seen in action in the Xtravirt Customer Experience Centre which features the complete VMware Horizon 8 Enterprise stack as a means to both access the estate and as a solution demonstration.


If you are looking to deploy a new Digital Workspace solution or wish to enhance or upgrade what you currently have, then Xtravirt can help. We have a long track record of successful digital workspace projects and can provide advisory, design and implementation services to create the right solution for your organisation. Our Customer Experience Centre also includes a fully featured modern digital workspace based on VMware Horizon and Workspace ONE in a fully immersive demo environment which can enable you to bring your plans to life.   Contact us and we’d be happy to use our wealth of knowledge and experience to assist you.  
