What do you get with Print?

Instant access to your digital eBook copy whilst your Print order is Shipped

Black & white paperback book shipped to your address

Download this book in EPUB and PDF formats

Access this title in our online reader with advanced features

DRM FREE - Read whenever, wherever and however you want

Buy Now

VMWare Horizon Workspace Essentials

Chapter 1. Getting Started with VMware Horizon Workspace

In this chapter, we will introduce you to VMware Horizon Workspace, where it is positioned in the market, and then give you an overview of all the components you need before starting to deploy the technology.

We will also cover where you can download the software from, outline the time requirements to install and configure a successful deployment, and give tips on what to think about for a full production environment. This book is primarily geared towards a test environment, as that's where most projects start. However, we will provide hints, tips, and best practices on building, delivering, and administering a full production environment as well.

Introduction to VMware Horizon Workspace

Horizon Workspace is a new type of solution that is commonly referred to as Workspace Aggregator. A solution that provides end users with a single point of access to their corporate data, applications, and other IT resources, as well as providing IT administrators with a single point of administration.

Let's first discuss the background and challenges that exist in most corporations today.

There are some ongoing technology trends that will affect us all and how we deliver IT services to our end users. A few of these are as follows:

BYOD
Software-as-a-Service
Mobile applications
Mobile/tablet devices
Always on network connectivity
Consumerization

In the last few years, the market has exploded with new devices, applications, and services that have been focused on being easy to pick up and consume with little technical knowledge.

Companies such as Google, Apple, Facebook, Twitter, and Dropbox have had enormous adoption with consumers; all of these services offer a great user experience and is easy to use.

For a long time, corporate IT companies have been able to withstand the pressure from these trends by locking environments down and mandating what users can access by way of applying policies, but we have reached a point where users are starting to circumnavigate these policies and utilize these services directly and not involving the corporate IT department and its policies. This is commonly referred to as shadow IT.

The traditional approach has been to deploy Windows on physical machines, and use some form of a distribution system for deploying applications and securing data. Users typically work between 8 a.m. and 5 p.m., usually from the office, and as the computers are physically attached to the desk, it's been considered secure.

Corporate IT risks turning into a slow moving dinosaur that does not contribute, but rather hinders innovation and users' ability to be productive. Users are starting to avoid involving IT since it takes a long time and is slow moving. There is now a real threat that corporate IT becomes irrelevant thanks to the competition from these outside trends.

Some real examples we have seen is when a business unit goes out and buys a solution somewhere from the Internet and is not even involving corporate IT since it would make the process slower and less productive.

Another common example is when users are using consumer-based file sharing applications to be able to share information or collaborate with partners, internal or external, to their organization.

When exposed to these threats, the following are the three common typical reactions:

Ignore it!
Pretending that your users are not using these services and devices is a sure way of getting a false sense of security and comfort
Lock it down!
Tightening the control even more usually forces people to find ways around the systems and will make the users unhappy
Implement a point solution
Just solving one of the challenges might buy you some time, but in the end will actually increase the complexity since there will be many point solutions to solve all the challenges

Another approach is to embrace the advances in technology and to listen to the users' requests. This is where VMware Horizon Workspace can help.

Horizon Workspace addresses these new challenges, such as delivering web applications, mobile applications, and data collaboration to any device. The key point to highlight is that you can give the users the tools and the modern approach that they have become used to as a consumer, but still retain security and control.

Horizon Workspace 1.5 provides the following functionalities:

A single workspace for apps and data
Anywhere, anytime access
Data synchronization
Separate personal and corporate data
A virtualized container for Android devices
Native application support
Detailed policy management
Simple user and application management
Share files seamlessly and securely
Enterprise-grade security
Complete on-premise solutions
Access controls

So what is the business value for a customer when they deploy this solution? We can divide this into two aspects: one for end users and one for corporate IT.

For end users:
- Easy access to applications, files, and virtual desktops
- Single Sign-On to internal and external web-based applications
- One place to access all services
- A service catalog where the users can quickly get access to new services
- Own choice of device and networks to work from
- Use multiple devices without complex configurations or VPN
- Sanctioned way to share files and collaborate with internal and external parties
For corporate IT:
- Common model on how to entitle and disentitle users to services
- Faster time to market for new services
- Stop worrying about devices and start managing users
- Extensible platform that can be integrated into existing services
- Common reporting for all types of applications

Ease of deployment

Horizon Workspace comes packaged as a vApp, which means that it's a number of preconfigured virtual machines in a container with the extension .ova. Open Virtual Appliance (OVA) is a standard way of packaging a vApp.

It needs to be deployed using VMware vCenter Server on to a VMware vSphere virtualization platform. We will cover the prerequisites later in this chapter.

The benefits with this type of deployment is many, since the vApp is preinstalled with the operating system (Horizon Workspace is based on Suse Linux Enterprise Server) and all components that make up Horizon Workspace. The only thing you need to do is to configure the unique settings for your environment. There is no complicated operating system to install and configure, and no installer to run.

Just download and deploy.

Another benefit of being deployed within a virtual environment is that we can take advantage of all the features that the virtual infrastructure platform provides for, which are high availability, load balancing, backup, and disaster recovery.

Proving the technology

Before embarking on a Proof of Concept (POC) or Pilot of Horizon Workspace, the following are a few things that we have learned from our experience in working with the technology:

Do not run a POC/Pilot on production systems
- This could possibly interfere with your running systems
Do not run a POC/Pilot using production applications.
- Horizon Workspace can take over the authentication for web-based applications that it integrates with and can disable other ways of authenticating, potentially locking out other users
Make sure that you have clearly defined the success criteria. It's hard to know whether you have succeeded if there are no clear goals or objectives defined

Now that we have introduced you to VMware Horizon Workspace, we are going to cover what you need to get your environment up and running in the following sections.

Prerequisites

The first thing we are going to cover are the prerequisites in more details. We will start with the test environment first.

Infrastructure requirements for an initial test setup

You will need the following hardware and virtual infrastructure components:

1 vCenter Server
1 ESXi host server with:
- A minimum of 8 cores
- 14 GB RAM
- 412 GB of local disk or SAN attached storage

The installation and configuration of vCenter and ESXi is beyond the scope of this book and therefore we assume that you already will have this in place.

Note

Using VMware Workstation or VMware Fusion natively does not work since the vApp requires a vCenter to be able to deploy. As an alternative, you could use something known as nested hypervisors. This means that you can use VMware Workstation or Fusion and create a virtual vCenter and virtual instance of ESXi. Be aware though that this will cause considerable overhead and require a powerful CPU, plenty of memory, and a fast disk system.

Infrastructure requirements for production deployment

For production environments, you will need the following minimum hardware and virtual infrastructure components:

1 vCenter-server, redundant
2 ESXi-hosts (3 ESXi hosts are recommended)
500 GB of SAN storage
Network Load balancer
NFS-storage for Horizon Files

Horizon Workspace supports a number of VMware vSphere versions listed as follows:

vCenter: 5.0 U2, 5.1, and 5.5
ESXi: 5.0 U2, 5.1, and 5.5

When setting up your ESXi hosts, ensure that you configure them to use the Network Time Protocol (NTP). Correct time synchronization is critical for a successful installation since the SAML-based authentication is based on short-lived assertions of 60 seconds. If there is a time difference, logins will fail.

Network, DNS, and Active Directory requirements

The initial deployment of Horizon Workspace will require 5 IP addresses. If you need redundancy and external access, you will need additional IP addresses. Each of the IP's need a static DNS host record as well as reverse pointer-records (PTR record).

DNS name resolution needs to be fully implemented for both forward and reverse lookups. Horizon Workspace will not function without reverse lookups configured.

For this book, we have used Windows Server 2008 R2 Active Directory and DNS; however, Horizon Workspace supports Windows 2003 Active Directory or later. Using Bind DNS will work just as well as using Microsoft DNS.

As we go through the setup of the Active Directory (AD) infrastructure to support our installation, it's worth making a note of some of the key information that you will be prompted for during the actual configuration process. Make a note of the following information:

Name of the Active Directory controller
Fully qualified domain name (FQDN) of the Active Directory controller
Base DN— the container from where to start searching for users; in our example, this would be something like ou=horizon, dc=domain_name, or dc=local
The Bind DN username and password
Administrator account or an account with rights to add computers to the domain

Note

The Bind DN username is an account that will be used to communicate with Active Directory to read user information and their attributes. The Bind DN will become the first administrator in your Horizon Workspace installation. In our examples, we have set up a Horizon Administrator account to do this. You need to enter the details in the following format:

cn=horizonadmin,ou=horizon,dc=domain_name,dc=local

vCenter Server requirements

Before installing the vApp, you need to configure an IP pool for the Horizon Workspace vApp that contains the correct IP address range along with details of your DNS server (you can only specify one DNS server). You also need the name of the domain into which you will deploy your VMs.

Note

IP pools are used by vCenter to provide a network identity to vApps. The IP pool itself is a network configuration that you assign to a network used by the vApp. Once set up, the vApp can use vCenter to provide the IP configuration to the virtual machines it contains.

External access

For users to log on to their Workspace, you will need to make sure certain network ports are open. For external access, you will need to ensure that the TCP port 443 is open for the connector-va appliance to communicate. For a production environment with a demilitarized zone (DMZ)—a term for a network between internal and external networks—and connection to external services such as Active Directory and RSA SecureID, additional ports may need to be opened. If you are also integrating with Horizon View, you will need to make sure that those ports are also open.

Certificates

For a production environment, you will need publicly signed certificates from a trusted certificate provider. For a test environment, you can use a self-signed certificate. The certificate must have the FQDN of your Horizon Workspace installation as the Subject Alternative Name (SAN) of the certificate or you can use a Wildcard certificate.

Horizon Workspace vApp

Horizon Workspace comes packaged as a vApp, which means that it's a number of preconfigured virtual machines in a single file with the extension OVA. (The OVA extension is a standard way of packaging a vApp).

There are many benefits with this type of deployment. The vApp is preinstalled with the operating system (Horizon Workspace is based on SUSE Enterprise Linux (SLES)) along with all the components that make up Horizon Workspace. The only thing you need to do is to configure the unique settings in your environment. There is no operating system to install and no installer to run.

Use a naming convention that makes sense to you and is consistent throughout your environment. For a test environment you can keep the default appliance names, but for production, it would make sense to name them, so that they are meaningful to your environment and also as one of the appliances will be the address that your users will use to connect.

Choose your hostnames and enter them into your DNS server along with the associated IP addresses. During the installation process, the appliances will perform a reverse lookup in DNS to determine (resolve) what their hostname is.

An overview of vApp

As we previously discussed, Horizon Workspace is comprised of five virtual appliances as shown in the following diagram:

The five virtual appliances (va) are described in the following list:

gateway-va
The Horizon Workspace Gateway is the single entity for all end user communication. All user requests hit the gateway-va virtual machine, which then routes the request to the appropriate virtual appliance. The Gateway appliance offers a single namespace for accessing the Horizon Workspace implementation.
configurator-va
Horizon Workspace is configured using this virtual appliance, so this appliance configures all the other appliances. It has both a console and a web interface. Any configuration changes you make with the configurator are then distributed to the other virtual appliances within the vApp automatically, for example, SSL-certificates and root passwords.
service-va
Horizon Workspace uses a standard named SAML for authentication of users and to extend the identities, which is explained in more detail in Chapter 4, Integrating SaaS Applications. The service-va controls this function and also provides the frontend for the Administrator Web interface.
connector-va
The Horizon Workspace Connector provides the following services: user authentication (identity provider), directory synchronization, ThinApp synchronization, and View pool synchronization.
data-va
This virtual appliance controls file storage and sharing service, stores users' files and folders, and synchronizes them across multiple devices. The data-va also hosts the end user web portal. We will cover the functionality of this appliance in Chapter 3, Horizon Files.