This recipe will outline a number of different reasons why organizations might opt to implement a virtual desktop solution using VMware Horizon with View.
VMware Horizon with View can provide us with a number of different capabilities that can complement, extend, or replace our existing end user computing (EUC) platforms. Identifying which of these apply in our organization is important, as they can influence all phases of our project, starting with the design and ending with the rollout itself.
Migrating to a newer version of Microsoft Windows is a difficult project for reasons that include:
Hardware compatibility or capability issues that might require hardware upgrade or replacement
Application compatibility testing
Application support for a newer operating system (OS)
User training for the new OS
User downtime
User data and desktop configuration migration
Labor costs
What makes things even more difficult is if we are running an unsupported OS such as Windows XP and require official support from Microsoft. In some cases, we are paying at least $200 per desktop for this service (http://software.dell.com/products/changebase/calculate.aspx).
While VMware Horizon with View and its VMware ThinApp (http://www.vmware.com/products/thinapp/) application virtualization platform cannot by themselves solve issues related to the support of legacy applications or operating systems, they can provide organizations with a way to improve their end user computing environment with little or no changes to their existing legacy desktops. Horizon View provides users with a more relaxed desktop migration than is typically possible with a traditional reimage or replacement of an existing physical computer, where rolling back the migration is difficult or, sometimes, impossible. When migrating the users to Horizon View virtual desktops, any existing physical desktops need not be immediately removed or changed, usually enabling a less disruptive upgrade with the potential to move back to the physical desktop, if required.
Providing a more relaxed OS migration to the end users is not the only benefit of using Horizon View; the information technology (IT) staff will also benefit. While tools such as VMware Horizon Mirage (http://www.vmware.com/products/horizon-mirage) and Microsoft System Center Configuration Manager (http://www.microsoft.com/en-us/server-cloud/products/system-center-2012-r2-configuration-manager) can assist organizations with OS and software upgrades on their existing physical machines, if those machines lack the resources required, the hardware itself will still need replacement. Additionally, tools such as these often carry additional costs that must be factored into the cost of the migration.
Note
Implementing Horizon View will not necessarily eliminate the need for tools to assist with our desktop migration. If we determine that these tools will provide some benefit, we must research whether the costs and resource requirements outweigh whatever that benefit that might be.
While many organizations might select to replace their existing physical computers with a thin or zero client tailored for use specifically with Horizon View or to rebuild the existing computer with just an OS and the Horizon View client software, there is no immediate need to do either of these unless we wish to prevent the user from continuing to use any existing applications on their physical desktop.
VMware Horizon View 6 introduced the capability to stream individual applications directly to the Horizon View client, a feature that is also known as application remoting. Using a Microsoft Windows Remote Desktop Session Host (RDSH) server, Horizon View can now deliver access to individual applications in addition to traditional virtual desktops.
VMware Horizon View 6 also offers the capability to directly deliver other applications, including those packaged with VMware ThinApp, streamed using Citrix XenApp (http://www.citrix.com/products/xenapp/overview.html) and even Web or SaaS applications using the included Horizon Workspace Portal (http://www.vmware.com/products/workspace-portal).
Application remoting enables organizations to distill the end user computing experience down to the smallest unit possible: individual applications. One scenario where application remoting can provide the most benefit is when a user uses only one or two applications; rather than providing them with their own virtual desktop, it might be more efficient to have them stream just these applications from a shared RDSH server.
Additionally, VMware created its own protocol provider for the RDSH servers so that application remoting clients can leverage the same PC over Internet Protocol (PCoIP) protocol used with virtual desktops; this is one of the key differentiating features of the Horizon View platform, offering high levels of performance using the minimum bandwidth required.
Chapter 11, Implementing Application Streaming Using Windows Remote Desktop Services, provides us with an overview on how to use VMware Horizon View and Microsoft Windows RDSH servers to enable the Microsoft Windows RDSH application remoting and streamed ThinApp applications.
VMware Horizon View supports the VMware Virtual SAN (VSAN) hypervisor-converged storage platform. VMware Virtual SAN provides organizations that do not wish to invest in a traditional shared storage array for their Horizon View desktops with an additional option that can meet the capacity and performance needs that the desktops require.
With VMware VSAN, organizations need to only deploy vSphere servers that include additional dedicated local storage. This storage can be all flash disks or a combination of flash and spinning disks. The combination of flash and spinning disks, along with the automated data-tiering capabilities or VSAN, allows it to meet both the performance and capacity needs of almost any Horizon View environment. VMware VSAN can also be used to provide the storage required for the Horizon View infrastructure servers, if desired.
One advantage of using VMware VSAN is that it reduces the complexity of a VMware Horizon View deployment by reducing the overall number of infrastructure components required while also simplifying the management, as VSAN is managed using the VMware vSphere Web Client.
Chapter 10, Implementing VMware Virtual SAN for Horizon View, provides us with an overview on how to use VMware VSAN to provide storage for Horizon View.
For many organizations, desktop mobility means providing users with a laptop and a virtual private network (VPN) connection that they can use to access company resources remotely. While this method of office mobility has worked, and continues to work, for many, managing these remote clients and their data can be challenging if organizations lack tools that are specifically designed to manage clients who are infrequently connected to an organization's private network. Organizations that cannot address these challenges might find themselves exposed to significant risks when it comes to the security of these remote physical endpoints, whether keeping them up-to-date with critical security patches or protecting and backing their data.
VMware Horizon View provides organizations with a number of different ways to rethink how they provide users with a mobile office:
A VMware Horizon View Connection Server deployed as a specialized gateway, commonly referred to as a View Security Server, can be deployed in a perimeter network, also known as the demilitarized zone (DMZ), in order to provide secure access to Horizon View without needing to deploy a VPN. To further secure the user authentication process, Horizon View supports multifactor authentication platforms, such as RSA SecurID and others, that are supported by RADIUS, which is a network protocol that is most commonly used for authentication.
When paired with VMware Horizon Workspace and VMware AirWatch Secure Content Locker (http://www.air-watch.com/solutions/mobile-content-management), Horizon View clients gain access to a single portal that they can use to access desktops, streamed applications, applications packaged using ThinApp, and user data stored in AirWatch Secure Content Locker. AirWatch Secure Content Locker is a separate VMware product that integrates with the VMware Horizon Workspace portal and mobile devices in order to provide access to secure file storage.
Using Blast Adaptive UX, a HTML5-compliant web browser is all that is required for Horizon View clients to access their desktops and applications. The software-based Horizon View client is also available for remote users, enabling greater flexibility.
For organizations that wish to leverage VMware Horizon View in order to manage desktop images deployed to traditional physical desktops—beginning with Horizon View 6—you can manage images used by physical machines running VMware Horizon Mirage or as virtual machines running on VMware Fusion Professional (http://www.vmware.com/products/fusion-professional) or VMware Player Plus (http://www.vmware.com/products/player). Chapter 9, Using VMware Mirage with Horizon View, provides us with an overview on how to use VMware Horizon Mirage with Horizon View full clone desktops.
In summary, VMware Horizon View enables organizations to offer new virtual desktop mobility offerings without the need to provide additional mobile devices for remote access; train users on how to properly protect their mobile devices and their data; or explain to users how their experience differs when they are logging in remotely.
Virtual desktops offer many potential benefits for enhancing end user computing security; however, but similar to traditional desktops, organizations must commit to the changes required for them to be effective. With the exception of remote desktops managed by VMware Horizon Mirage, Horizon View desktops are hosted in a data center where it is assumed that they will be more secure than traditional physical computers. In reality, with virtual desktops, there is no longer any physical hardware to steal, but securing the desktop OS and its applications is the same regardless of where it is located. The fact that a desktop is virtual does not automatically prevent the flow of data from that desktop to elsewhere, unless an organization takes steps to prevent it from using methods such as Active Directory (AD) group policies or various software tools.
Note
Simply migrating desktops to VMware Horizon View or managing them using VMware Horizon Mirage does not mean that we do not need data loss prevention (DLP) platforms or organizational policies that are designed to protect our data. Horizon View and Horizon Mirage merely provide us with a tool that we can use to enhance or extend our data-protection goals.
VMware Horizon View supports a variety of options for controlling how USB devices access virtual desktops. The devices can be controlled based on a specific device (such as a USB Ethernet adapter), the type of device (such as the storage device), or even on the vendor product model. This feature is controlled using AD group policies and enables advanced control over how the desktop can be accessed.
The most common benefit of using Horizon View to provide virtual desktops is that their data remains in the data center, where we can protect it using whatever data center capabilities or protections are at our disposal. This includes tools such as vSphere-based backups of virtual desktop data, common storage array features such as snapshots and Redundant Array of Inexpensive Disk (RAID) protection, and even VMware vShield Endpoint, which provides antivirus (AV) protection at the hypervisor level rather than within each individual desktop.
Note
VMware vShield also requires third-party scanning plugins to provide antivirus scanning capabilities. These plugins are currently offered by a number of different vendors including Trend Micro (http://www.trendmicro.com/us/enterprise/cloud-solutions/deep-security/) and McAfee (http://www.mcafee.com/us/products/move-anti-virus.aspx).
Each of these capabilities provides a more efficient means of protecting virtual desktops and their content than is possible with physical desktops. If physical desktops are still required, VMware Horizon Mirage can be used to provide similar levels of protection, namely the desktop contents and configuration.
Note
VMware Horizon Mirage is discussed in greater detail in Chapter 9, Using VMware Mirage with Horizon View, but primarily, within the context of using it with Horizon View full clone virtual desktops. Consult the VMware Mirage website (http://www.vmware.com/products/horizon-mirage) for information on how Mirage can be used with physical desktops.
One benefit of using virtual desktops is that they can dramatically change how an organization provides support to its end users. In scenarios where we are replacing our existing physical desktops with dedicated devices whose only purpose is to act as a client for Horizon View, with the exception of hardware failure, there is less of a need to provide support in person. The following is a list of key features and characteristics of VMware Horizon View:
Horizon View application remoting using Microsoft Windows RDSH servers enables organizations to provide access to critical applications directly rather than deploying a physical or virtual desktop. Since the RDSH servers support multiple concurrent users, while a virtual desktop can only support one, fewer infrastructure resources might be needed.
The VMware ThinApp application virtualization platform enables us to package and distribute applications independent of the desktop operating system. Horizon View and Horizon Workspace can also be used to provide access to ThinApp applications without the need to install them on each desktop.
VMware Horizon View Persona Management enables us to centrally manage and protect the user profile data while delivering a personalized desktop experience regardless of where our users log in.
Linked clone Horizon View desktops require far less storage capacity than physical or full clone desktops and can also be rapidly refreshed, thus discarding any changes that were made since the desktop was deployed or last recomposed.
These features are just a partial list of what Horizon View can offer, yet they alone offer us the opportunity to rethink how support is provided. With Horizon View, we don't have to expend resources that support individual desktops, as everything that makes these desktops unique can be abstracted or stored elsewhere. If everything that makes a desktop unique can be maintained in another location, such as custom applications and user persona data, our IT support staff can simply discard the problematic machine and provide the user with a fresh desktop free of any underlying issues.
With Horizon View, we can greatly reduce the support our desktops require and focus more on supporting the users. With linked clone desktops, when desktops need to be changed, these changes are applied to the desktop master image and rolled out to all users at our convenience.
Note
In this section, we referred to linked clone desktops that share a common master disk and write any changes to a dedicated delta disk. If we choose to use full clone desktops, we cannot use features such as a Horizon View desktop Refresh or Recompose. Due to this, full clone desktops are often managed using the same techniques as physical desktops; this also includes VMware Horizon Mirage.
The concept of having users use their own devices to access company resources is becoming more common as organizations move towards new ways of providing users access to their applications and data. With Horizon View, users can use their own endpoint as a client to access desktops, applications, or data hosted by Horizon View or other components of the VMware Horizon Suite.
Bring Your Own Device (BYOD) does not necessarily mean that users are spending their own money to purchase these devices. In some organizations, users are provided with a stipend to purchase whatever device they wish, preferably with some guidance from their IT department in terms of required client features or specifications. In some cases, by providing users with access to a wider variety of devices, they are more likely to end up with a device they are comfortable with, which might help make them more productive.
The concept of BYOD is most commonly seen with smartphones where employees use their own mobile device to access e-mail and other company resources, in many cases without being required to or without reimbursement.