Endless options with VMware Horizon and VMware Workspace ONE

Curtis Brown

There are a considerable number of blog posts and articles that have looked at the individual components of the VMware® End User Compute stacks, so I thought I’d take a high-level look at some of what’s possible when we take the whole solution in its entirety.

The Moving Parts

In the early days of VMware’s End User Compute efforts, we were looking at a relatively simple stack of VMware vCenter, ESX and Virtual Desktop Manager (or, to you young folks, Horizon View 1.0 or 2.0 back in 2007/8).  These days, things are somewhat more powerful, offering a wider array of capabilities, but these capabilities also require more moving parts.

The diagram below shows the VMware components that could be deployed in a solution.

[Figure: VMware components that could be deployed]

Now, let’s look a little deeper…

[Figure: NSX, vCenter, Horizon]

For Virtual Desktop delivery, we have the underlying infrastructure of VMware vSphere with vCenter and ESXi.  However, we can enhance this further in two ways. Firstly, we can leverage local storage by implementing VMware vSAN rather than relying on a SAN/NAS-based solution. Secondly, we could deploy VMware NSX to provide enhanced security in the form of micro-segmentation of the network as well as anti-malware protection using Guest Introspection.

For publishing desktops, we have VMware Horizon View. The connection servers provide the brains, managing entitlements and provisioning of desktop and application pools. For secure access from untrusted or external networks, we deploy either Security Servers or, more recently, Unified Access Gateway appliances to serve as a proxy into the solution.  VMware Horizon View Composer is used to manage and deploy non-persistent Linked Clone desktops, although this approach is in decline as Instant Clone technology replaces it.

[Figure: App Volumes, ThinApp, UEM]

We then need to consider the management and delivery of applications and user settings.  For the latter, we can integrate VMware User Environment Manager.  This can manage both environmental settings (including delivery of application shortcuts, drive mappings etc) as well as eliminating the issues related to Windows Roaming Profiles.  For application delivery, we can use App Volumes within the virtual estate or leverage the estate itself to publish Remote Desktop Session Host based remote applications.  ThinApp, although somewhat out of favour these days, remains an option for direct delivery to Windows Endpoints (via VMware Workspace ONE Identity Manager) or within Horizon View desktops.

[Figure: vRO Manager]

When it comes to monitoring the estate, we can use VMware vRealize Operations Manager with the VMware Horizon Management Pack.  It’s possible to expand further still by leveraging more of the vRealize suite, notably VMware vRealize Log Insight for capturing logs from both the solution as well as the environment.

[Figure: Workspace ONE Unified Endpoint Management, Horizon FLEX, Identity Manager]

We then move out into two topics – The Endpoint and the User. These are somewhat integrated topics these days as they do overlap.

VMware Workspace ONE comprises two key elements:

  • Unified Endpoint Management can provide control, configuration and administration to endpoints, be they mobile devices or traditional desktops.
  • Identity Manager provides the user authentication layer into the solution as a whole, while also providing a unified catalogue of applications and services, whether published via VMware Horizon or reached through single sign-on to cloud services.

Another offering that is often overlooked, but still a part of the VMware Horizon licensing (at the Advanced and Enterprise level) is VMware Mirage.  This can provide image level management of Windows based client desktop/laptops. FLEX leverages the Mirage infrastructure in conjunction with VMware Workstation and VMware Fusion to provide an offline VDI capability.

Which parts are available is largely defined by what is purchased.  Some parts are included in the various VMware Horizon editions, while some, notably VMware vSAN, VMware NSX and VMware Horizon FLEX, are separate products.  In the case of Workspace ONE, VMware Horizon Advanced and above includes just Workspace ONE Identity Manager Standard.  Getting the full Workspace ONE suite requires purchasing Workspace ONE as a specific product.

VMware Horizon editions can be compared at:

The Art of the Possible

For the purposes of looking at what is possible, let us assume that an Alien Space Bat has deemed it fit to leave an unlimited budget for us to acquire all these tools.  Here are a few ideas of what we could achieve:

  • By integrating the full VMware Workspace ONE with Horizon, we can fully manage security between a user, a managed endpoint and access to Virtual Desktops.  By managing the device using VMware Workspace ONE Unified Endpoint Management and establishing Compliance checking, we can define an Identity Manager policy that allows access to the Workspace ONE catalogue only to users with valid credentials who are using compliant devices. In turn, users can then access a VDI desktop from the relevant icon in Workspace ONE.

[Figure: User access diagram]

  • It is possible to provide a single portal to a geographically spread VMware Horizon VDI offering that will connect users seamlessly to the nearest desktop instance. Workspace ONE Identity Manager can provide location awareness based on client IP address.  By defining IP ranges, and relating these to the public DNS name for the local Horizon site, Workspace ONE will direct users to the nearest VMware Horizon site for optimum performance.  This leverages VMware Horizon Cloud Pod Architecture to present a common entitlement across all instances.

[Figure: Single portal]

  • App Volumes, User Environment Manager and NSX Distributed Firewall Rules can be tied to Active Directory groups.  We can therefore deploy an application in an App Volumes App Stack, with a standard configuration provided by UEM and permit traffic from the application to a specific server all tied to a single Active Directory Group.

[Figure: Active Directory groups]
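
The first two ideas above, compliance-gated access and IP-range site selection, modelled as decision logic in an added Python example. It is not from the original post and is not Workspace ONE's API or configuration format; the ranges, hostnames and field names are constructed, and the fall-back site and most-specific-range rule are assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed policy data: private ranges and placeholder public DNS names.
SITE_RANGES = {
    "10.10.0.0/16": "horizon-london.example.com",
    "10.20.0.0/16": "horizon-newyork.example.com",
    "10.20.5.0/24": "horizon-newyork-b.example.com",  # overlaps the /16 above
}
DEFAULT_SITE = "horizon-global.example.com"  # assumption: fall-back entry point

@dataclass
class AccessRequest:
    user: str
    credentials_valid: bool   # result of the authentication step
    device_managed: bool      # enrolled in endpoint management
    device_compliant: bool    # passed the compliance check
    client_ip: str

def nearest_site(client_ip, ranges=SITE_RANGES, default=DEFAULT_SITE):
    """Pick the site whose range contains the client; most specific range wins."""
    addr = ipaddress.ip_address(client_ip)  # raises ValueError on bad input
    best = None
    for cidr, fqdn in ranges.items():
        net = ipaddress.ip_network(cidr)
        if addr.version == net.version and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, fqdn)
    return best[1] if best else default

def evaluate(req):
    """Return (decision, site, reason). Deny unless every condition holds."""
    if not req.credentials_valid:
        return ("deny", None, "invalid credentials")
    if not req.device_managed:
        return ("deny", None, "device not managed")
    if not req.device_compliant:
        return ("deny", None, "device not compliant")
    try:
        site = nearest_site(req.client_ip)
    except ValueError:
        # Fail closed: an unparseable address never reaches a site.
        return ("deny", None, "unparseable client address")
    return ("allow", site, "valid credentials on a compliant device")
```

Overlapping ranges are the case worth checking when defining such a policy: without a most-specific-wins rule, the order of the entries would decide which site a client reaches.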

And these are but a few options.  When you consider that a number of these offerings are now available in a cloud-based form, the options broaden still.  Both Workspace ONE components offer cloud and on-premises variants, while VMware Horizon now includes not only the on-premises offering, but also the ability to deploy on top of VMware Cloud on AWS or the full Desktop-as-a-Service offering of Horizon Cloud.

Closing Thoughts…

As a range of products that can be built in an array of different configurations, it is possible to design and deploy solutions that fit a broad variety of use cases, from simple to very specific.

If you are looking to deploy a new Digital Workspace solution or wish to enhance or upgrade what you currently have, then Xtravirt can help. We have a long track record of successful digital workspace projects and can provide advisory, design and implementation services to create the right solution for your organisation. Contact us and we’d be happy to use our wealth of knowledge and experience to assist you.
