0% found this document useful (0 votes)

113 views84 pages

Horizon Architecture Planning

Uploaded by

salah al-hakimi

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

113 views84 pages

Horizon Architecture Planning

Uploaded by

salah al-hakimi

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

You are on page 1/ 84

Horizon Overview and

Deployment Planning
VMware Horizon
Horizon Overview and Deployment Planning

You can find the most up-to-date technical documentation on the VMware by Broadcom website at:

https://docs.vmware.com/

VMware by Broadcom
3401 Hillview Ave.
Palo Alto, CA 94304
www.vmware.com

©
Copyright 2024 Broadcom. All Rights Reserved. The term “Broadcom” refers to Broadcom Inc. and/or
its subsidiaries. For more information, go to https://www.broadcom.com. All trademarks, trade names,
service marks, and logos referenced herein belong to their respective companies. Copyright and trademark
information.

VMware by Broadcom 2
Contents

Horizon Overview and Deployment Planning 6

1 Introduction to the VMware Horizon Portfolio 7

2 About VMware Horizon 8 8

Advantages of Using VMware Horizon 8 8
Get Started with VMware Horizon 8 12
How the VMware Horizon 8 Components Fit Together 14
Client Devices 15
Horizon Client 15
VMware Horizon User Web Portal 16
Horizon Connection Server 16
Horizon Agent 17
Horizon Console 18
vCenter Server 18
Integrating VMware Horizon 8 18

3 About Horizon Cloud Service and Horizon Control Plane 20

Horizon Edge 22
Horizon Universal Broker 22
Horizon Client and Client Devices 23
Horizon User Web Portal 23
Horizon Universal Console 24

4 Planning a Rich User Experience 26

Feature Support Matrix for Horizon Agent 27
Choosing a Display Protocol 27
VMware Blast Extreme 27
PCoIP 32
Types of Desktop Pools 34
Using Published Applications 34
Using USB Devices with Remote Desktops and Applications 34
Using Webcams, Microphones, and Speakers 35
Using 3D Graphics Applications 36
Streaming Multimedia to a Remote Desktop 37
Printing from a Remote Desktop 37
Using Single Sign-On for Logging In 38
Monitors and Screen Resolution 38

VMware by Broadcom 3
Horizon Overview and Deployment Planning

5 Managing Desktop and Application Pools from a Central Location with VMware
Horizon 8 41
Desktop Pools 41
Application Pools 42
Application Provisioning 43
Deploying Published Applications Using an RDS Host 43
Deploying Published Applications That Run On Desktop Pools With VM Hosted Applications
44
Deploying Applications Within Virtual Desktops 44
Using Active Directory GPOs to Manage Users and Desktops 45

6 Horizon 8 Architecture Design Elements and Planning Guidelines for Remote

Desktop Deployments 46
Guest Operating System Requirements for Remote Desktops 47
Planning Based on Types of Workers 47
Desktop Types 48
Estimating Memory Requirements for Virtual Machine Desktops 50
Estimating CPU Requirements for Virtual Machine Desktops 52
Choosing the Appropriate System Disk Size 53
Desktop Virtual Machine Configuration 54
RDS Host Virtual Machine Configuration 55
ESXi Node 56
vCenter Server Virtual Machine Configuration 57
Horizon Connection Server Maximums and Configuration 57
vSphere Clusters 59
Storage and Bandwidth Design Considerations 60
Shared Storage Considerations 61
Storage Bandwidth Considerations 61
Network Bandwidth Considerations 62
VMware Horizon 8 Building Blocks 63
Horizon 8 Pods 63
Advantages of Using Multiple vCenter Servers in a Pod 65
Cloud Pod Architecture Overview 68

7 Planning for Horizon 8 Security Features 69

Understanding Client Connections 69
Client Connections Using the PCoIP and Blast Secure Gateways 70
Tunneled Client Connections with Microsoft Remote Desktop Protocol 71
Direct Client Connections 71
Choosing a User Authentication Method for a Horizon Environment 72
Active Directory Authentication 73
Using Two-Factor Authentication 73

VMware by Broadcom 4
Horizon Overview and Deployment Planning

Smart Card Authentication 74

Using the Log In as Current User Feature Available with Windows-Based Horizon Client 74
Restricting Remote Desktop Access in Horizon 8 Environments 76
Using Group Policy Settings to Secure Remote Desktops and Applications 77
Using Smart Policies 78
Implementing Best Practices to Secure Client Systems 78
Assigning Administrator Roles 78
Understanding Communications Protocols 79
VMware Horizon Security Gateway 80
Blast Secure Gateway 80
PCoIP Secure Gateway 81
Horizon LDAP 82
Horizon Messaging 82
Firewall Rules for Horizon Connection Server 82
Firewall Rules for Horizon Agent 83
Firewall Rules for Active Directory 84

VMware by Broadcom 5
Horizon Overview and Deployment
Planning

This guide provides an introduction to the VMware Horizon™ portfolio, including a description of
the key platforms in the portfolio, the major features and deployment options, and an overview
of how the components are typically set up in a production environment.

The features and capabilities of VMware Horizon depend on license editions. For a comparison of
feature sets in each edition, see https://www.vmware.com/products/horizon.html.

Intended Audience
This information is for IT decision makers, architects, administrators, and others who need to
familiarize themselves with the components and capabilities of this product. With this information,
architects and planners can determine whether VMware Horizon satisfies the requirements of
their enterprise for efficiently and securely delivering virtual desktops and applications to their
end users.

VMware by Broadcom 6
Introduction to the VMware
Horizon Portfolio 1
The VMware Horizon portfolio consists of two main virtual desktop and application platforms
with additional management products that can be used in conjunction with these platforms
to efficiently and securely deliver virtual desktops and applications to end users across many
different deployment scenarios.

The two main virtual desktop and application platforms are VMware Horizon 8 and VMware
Horizon Cloud Service:

n VMware Horizon 8

This platform, formerly known as "View", "Horizon 7" or sometimes referred to as "Horizon
Enterprise" or "Horizon", primarily focuses on delivering virtual desktops and applications
in a vSphere-based environment, whether deployed on-premises or in public clouds. While
Horizon 8 can be used by service providers to build their own DaaS service, it is primarily a
customer-managed desktop and application platform.

n VMware Horizon Cloud Service

This DaaS (desktop-as-a-service) platform focuses on delivering virtual desktops and

applications in a native cloud environment. It currently supports the Microsoft Azure native
cloud environment.

In addition to and in conjunction with these two platforms, VMware offers a cloud-based control
plane (Horizon Control Plane) and its associated SaaS services (Horizon Control Plane SaaS
Services). Horizon Control Plane and Horizon Control Plane SaaS Services support both Horizon
8 as well as Horizon Cloud Service platforms. For Horizon 8 deployments, Horizon Control Plane
and associated optional SaaS services can be unlocked by SaaS licenses. For Horizon Cloud
Service deployments, Horizon Control Plane is the default GUI for administrators to manage their
environment.

Horizon Agent and Horizon Clients are common or shared across the two platforms. Additional
products in the Horizon portfolio such as VMware App Volumes, VMware Dynamic Environment
Manager, and VMware Workspace ONE Access support both platforms in similar ways.

For a visual depiction of the various deployment scenarios that are achievable with our platforms,
see https://docs.vmware.com/en/VMware-Horizon/index.html

The remainder of this document will introduce each platform, the control plane and associated
SaaS services, as well as the key elements that are common to both platforms.

VMware by Broadcom 7
About VMware Horizon 8
2
With VMware Horizon 8, IT departments can run remote desktops and applications in the
data center and deliver these desktops and applications to employees. End users gain a
familiar, personalized environment that they can access from any number of devices anywhere
throughout the enterprise or from home. Administrators gain centralized control, efficiency, and
security by having desktop data in the data center.

Read the following topics next:

n Advantages of Using VMware Horizon 8

n Get Started with VMware Horizon 8

n How the VMware Horizon 8 Components Fit Together

n Integrating VMware Horizon 8

Advantages of Using VMware Horizon 8

The benefits of VMware Horizon 8 include simplicity, security, speed, and scale for delivering
virtual desktops and applications with cloud-like economics and elasticity.

Flexible Horizon 8 Deployments

Horizon 8 offers the flexibility of deploying virtual desktops and applications on premises, in a
cloud-hosted environment, or a hybrid mix of both. License requirements vary based on the
deployment environment.

You can deploy Horizon 8 in the following environments.

On-premises Deployment

Horizon 8 can be deployed on-premises or in a private cloud. You can use a perpetual,
term or SaaS subscription license for an on-premises deployment. With a SaaS subscription
license, you will have access to the Horizon Control Plane and associated services. Internet
connectivity is optional so you can deploy Horizon 8 in an air-gapped environment or a
sovereign cloud.

Cloud-hosted Deployment

VMware by Broadcom 8
Horizon Overview and Deployment Planning

Horizon 8 can be deployed in a public cloud such as VMware Cloud on AWS or Azure
VMware Solutions. You are required to use a SaaS subscription license for deployment in a
public cloud. With the SaaS subscription license, you have the option to leverage the SaaS
services provided by the Horizon Control Plane.

Hybrid Deployment

You can deploy Horizon 8 on-premises and in cloud-hosted environments. You can link these
deployments in a federation. In this hybrid deployment scenario, you can use the following
licenses:

n Use perpetual or term license for your on-premises deployments and use SaaS
subscription license for your cloud-hosted deployments.

n Use SaaS subscription license for both your on-premises deployments and your cloud-
hosted deployments.

Connecting Horizon 8 Deployments to Horizon Control Plane

With the SaaS subscription license, you can connect Horizon 8 pods to the control plane for
additional SaaS services.

Horizon Control Plane (enabled by the SaaS subscription license) provides the following benefits
when connected to a Horizon 8 deployment.

n The Horizon Universal Console provides a single unified console that provides additional SaaS
features across on-premises and multi-cloud deployments for working with your tenant's fleet
of cloud-connected pods.

n The single pane dashboard and Workspace One Intelligence console gives you the ability to
monitor capacity, usage, and health within and across your fleet of cloud-connected pods,
regardless of the deployment environments in which those individual pods reside.

Additional SaaS services are enabled on an ongoing basis. For information on available services,
see the Horizon Cloud Service documentation.

Just-in-Time Management Platform (JMP)

JMP represents VMware Horizon 8 capabilities for delivering just-in-time virtual desktops and
applications that are flexible, fast, and personalized. JMP includes the following VMware
technologies.

Instant Clones

Instant clone is a vSphere-based cloning technology that is used to provision thousands of

non-persistent virtual desktops from a single golden image. Instant-clone desktops offer the
following advantages:

n Rapid provisioning speed that takes 1-2 seconds on average to create a new desktop.

n Delivers a pristine, high performance desktop every time a user logs in.

n Improves security by destroying the desktop every time a user logs out.

VMware by Broadcom 9
Horizon Overview and Deployment Planning

n Eliminates the need to have a dedicated desktop for every single user.

n Zero downtime for patching a pool of desktops.

n You can couple instant clones with VMware App Volumes and VMware Dynamic
Environment Manager to deliver fully personalized desktops.

VMware App Volumes

VMware App Volumes is an integrated and unified application delivery and user management
system for Horizon 8 and other virtual environments. VMware App Volumes offers the
following advantages:

n Quickly provision applications at scale.

n Dynamically attach applications to users, groups, or devices, even when users are already
logged in to their desktop.

n Provision, deliver, update, and retire applications in real time.

n Provide a user-writable volume, allowing users to install applications that follow across
desktops.

VMware Dynamic Environment Manager

VMware Dynamic Environment Manager offers personalization and dynamic policy

configuration across any virtual, physical, and cloud-based environment. VMware Dynamic
Environment Manager offers the following advantages:

n Provide end users with quick access to a Windows workspace and applications, with a
personalized and consistent experience across devices and locations.

n Simplify end user profile management by providing organizations with a single and
scalable solution that leverages the existing infrastructure.

n Speed up the login process by applying configuration and environment settings in an

asynchronous process instead of all at login.

n Provide a dynamic environment configuration, such as drive or printer mappings, when a

user launches an application.

Reliability and Security

Horizon 8, along with the underlying vSphere platform, provides the following reliability and
security advantages to your virtual desktop and app deployment:

n Access to data can easily be restricted. Sensitive data can be prevented from being copied
onto a remote employee's home computer.

n RADIUS support provides flexibility when choosing among two-factor authentication vendors.
Supported vendors include RSA SecureID, VASCO DIGIPASS, SMS Passcode, and SafeNet,
among others.

VMware by Broadcom 10
Horizon Overview and Deployment Planning

n Integration with VMware Workspace ONE Access means that end users have on-demand
access to remote desktops through the same web-based application catalog they use to
access SaaS, Web, and Windows applications. Users can also use this custom app store
to access applications inside a remote desktop,. With the True SSO feature, users who
authenticate using smart cards or two-factor authentication can access their remote desktops
and applications without supplying Active Directory credentials.

n Unified Access Gateway functions as a secure gateway for users who want to access remote
desktops and applications from outside the corporate firewall. Unified Access Gateway is
an appliance that is installed in a demilitarized zone (DMZ). Use Unified Access Gateway to
ensure that the only traffic entering the corporate data center is traffic on behalf of a strongly
authenticated remote user.

n The ability to provision remote desktops with pre-created Active Directory accounts
addresses the requirements of locked-down Active Directory environments that have read-
only access policies.

n Data backups can be scheduled without considering when end users' systems might be
turned off.

n Remote desktops and applications that are hosted in a data center experience little or no
downtime. Virtual machines can reside on high-availability clusters of VMware servers.

n Virtual desktops can also connect to back-end physical systems and Microsoft Remote
Desktop Services (RDS) hosts.

Tight Integration with the VMware Ecosystem

You can use Horizon 8 with VMware vSphere, vSAN, and NSX to extend the power of
virtualization with virtual compute, virtual storage, and virtual networking and security to drive
down costs, enhance user experience, and deliver greater business agility. You can take your
deployment onto a public cloud such as VMware Cloud on AWS or VMware Azure Solutions.

VMware Aria Operations (formerly vRealize Operations) is a unified, AI-powered self-driving IT

operations management platform for private, hybrid and multi-cloud environments.

VMware Aria Operations Management Pack for Horizon customizes the power of Aria Operations
for Horizon environment and enables you to monitor the performance and capacity of the
remote desktops and applications in the data center and managed services of Horizon 8.

For more information, see "VMware Aria Operations Management Pack for Horizon" in the
VMware Aria Operations for Integrations Documentation.
You can also leverage additional management software such as Avi Networks and Carbon Black.

Rich User Experience

Horizon 8 provides the familiar, personalized desktop environment that end users expect,
including the following features:

n A rich selection of display protocols

VMware by Broadcom 11
Horizon Overview and Deployment Planning

n Ability to access USB and other devices connected to their local computer

n Send documents to any printer their local computer can detect

n Real-time audio/video features

n Authentication with smart cards

n Use of multiple display monitors

n 3D graphics support

RESTful APIs
Horizon 8 RESTful APIs automate the deployment, operation, management, monitoring,
reporting, and analytics for the Horizon 8 infrastructure, workloads, and integration with third-
party products. You can use these APIs to perform the following functions:

n Desktop pool management

n Virtual machine and farm management

n Publishing applications

n Entitling published applications

n Infrastructure discovery

n Monitoring and troubleshooting

To get the latest documentation for the Horizon RESTful APIs:

1 Install or Upgrade to the latest released version of Connection Server.

2 Navigate to https://<CS-IP//FQDN>rest/swagger-ui.html from any browser.

3 Click Select a spec from the top right of the browser. Select Latest to see the latest version of
APIs. Select Default to view all versions of all APIs.

For more information about Horizon 8 RESTful APIs, see the RESTful APIs available at https://
code.vmware.com/apis/1122/view-rest-api. For a list of VMware Horizon 8 RESTful API for each
release, see KB 84155.

Get Started with VMware Horizon 8

Complete these high-level tasks to install VMware Horizon 8 and configure an initial deployment.

Prerequisites

Review the system requirements for all of the Horizon 8 components that you plan to install.
For more information, see "System Requirements for Server Components" in the Horizon 8
Installation and Upgrade guide.

VMware by Broadcom 12
Horizon Overview and Deployment Planning

Procedure

1 Set up the required administrator users and groups in Active Directory.

See "Preparing Active Directory" in the Horizon 8 Installation and Upgrade guide.

2 If you have not yet done so, install and set up VMware ESXi servers and vCenter Server.

See the VMware vSphere documentation on the VMware Documentation website.

3 Install and set up the connection broker. Install the Events database.

See "Installing Horizon Connection Server" in the Horizon 8 Installation and Upgrade guide.

4 Configure SSL certificates for Horizon 8 servers. See "Configuring TLS Certificates for VMware
Horizon 8 Servers" in the Horizon 8 Installation and Upgrade guide.

5 Complete the initial setup of your Horizon 8 environment. See "Configuring VMware Horizon
for the First Time" in the Horizon 8 Installation and Upgrade guide.

6 Create desktop pools that run on virtual desktop machines.

a Create one or more virtual machines that can be used as a template VM for full-clone
desktop pools.

See "Creating and Preparing a Virtual Machine for Cloning" in the Desktops and
Applications in Horizon 8 guide.
b To create an instant-clone desktop pool, see "Creating and Managing Instant-Clone
Desktop Pools" in the Desktops and Applications in Horizon 8.

c To create a full-clone desktop pool, see "Creating and Managing Automated Full-Clone
Desktop Pools" in the Desktops and Applications in Horizon 8 guide.

d To create a manual desktop pool, "Creating and Managing Manual Desktop Pools" in the
Desktops and Applications in Horizon 8 guide.
7 Create desktop and application pools that run on session-based Remote Desktop Services
(RDS) hosts.

a Prepare RDS hosts to support desktop and application sessions. See "Setting Up Remote
Desktop Services Hosts" in the Desktops and Applications in Horizon 8 guide.

b Create one or more farms. See "Creating and Managing Farms" in the Desktops and
Applications in Horizon 8 guide.
c Create application pools. See "Creating Application Pools" in the Desktops and
Applications in Horizon 8 guide.
d Create published desktop pools. See "Creating Published Desktop Pools" in the Desktops
and Applications in Horizon 8 guide.
8 Control user access to desktops and applications.

See "Entitling Users and Groups" in the Horizon 8 Administration guide.

VMware by Broadcom 13
Horizon Overview and Deployment Planning

9 Install Horizon Client on end users' machines and mobile devices and have end users access
their remote desktops and applications.

See the VMware Horizon Clients documentation on the VMware Horizon documentation
landing page.

Results

Your initial configuration of Horizon 8 is completed.

What to do next

After you have successfully installed and configured your Horizon 8 environment, you can
perform the following additional configuration tasks.

n Create and configure additional administrators to allow different levels of access to specific
inventory objects and settings. See "Configuring Role-Based Delegated Administration" in the
Horizon 8 Administration guide.
n Configure policies to control the behavior of Horizon 8 components, desktop and application
pools, Remote Desktop Services, and users. See "Configuring Policies for Desktop and
Application Pools" in the Horizon Remote Desktop Features and GPOs guide.

n For added security, integrate smart card authentication and two-factor authentication
solutions such as RSA SecurID and RADIUS. See "Setting Up Other Types of User
Authentication" in the Horizon 8 Administration guide.

How the VMware Horizon 8 Components Fit Together

End users start Horizon Client to log in to a connection broker.

n In a typical Horizon 8 deployment, the connection broker is the Horizon Connection Server,
which integrates with Windows Active Directory and provides access to remote desktops
hosted on a VMware vSphere server, a physical PC, or a multi-session host such as Microsoft
RDS. Horizon Connection Server also provides access to published applications on a multi-
session host.

The high-level example of a Horizon 8 environment below shows the relationships between the
major components.

VMware by Broadcom 14
Horizon Overview and Deployment Planning

Figure 2-1. High-level Example of a VMware Horizon 8 Environment

End users

Horizon Control Horizon Clients Workspace ONE

Plane Access

Integration
Unified Access
Gateway
Microsoft Horizon Console vCenter VMware Dynamic
(UAG with load
Active Directory (web browser) Server Environment Manager
balancer)
(user profiling, IT settings,
and configuration
Horizon for enviroment
Connection Server Virtual Desktops
Horizon Edge and Applications

VMware App Volumes

RDS Hosts (application deployment)
Non-vCenter
-Physical RDS Hosts
Server VMs
- Virtualized RDS Hosts
VMware vSphere
(vCenter or non-vCenter)
(Infrastructure platform)
Physical PCs
Horizon Agent
Horizon Agent VMware vSAN
(Storage platform)
vCenter Server
Published Desktops VMs (on ESXi Hosts)
and Applications (Server OS) VMware NSX (Networking
and security platform)

Virtual Desktops
and Applications

Client Devices
A major advantage of using the VMware Horizon portfolio is that remote desktops and
applications follow the end user regardless of device or location. Users can access their
personalized virtual desktop or remote application from a company laptop, their home PC, a
thin client device, a Mac, or a tablet or phone.

End users open Horizon Client to display their remote desktops and applications. Thin client
devices use VMware Horizon thin client software and can be configured so that the only
application that users can launch directly on the device is VMware Horizon Thin Client.
Repurposing a legacy PC into a thin client desktop can extend the life of the hardware by three
to five years. For example, by using VMware Horizon on a thin desktop, you can use a newer
operating system such as Windows 10 on older desktop hardware.

With the HTML Access feature, end users can open a remote desktop inside a browser, without
having to install any client application on the client system or device.

Horizon Client
The client software for accessing remote desktops and applications can run on a tablet, a phone,
a Windows, Linux, or Mac PC or laptop, a thin client, and more.

VMware by Broadcom 15
Horizon Overview and Deployment Planning

After logging in, users select from a list of remote desktops and applications that they are
authorized to use. Authorization can require Active Directory credentials, a UPN, a smart card
PIN, or an RSA SecurID or other two-factor authentication token.

An administrator can configure Horizon Client to allow end users to select a display protocol.
Protocols include PCoIP, Blast Extreme, and Microsoft RDP for remote desktops. The speed and
display quality of PCoIP and Blast Extreme rival that of a physical PC.

Features differ according to which Horizon Client you use. This guide focuses on Horizon Client
for Windows. The following types of clients are not described in detail in this guide:

n Details about Horizon Client for tablets, Linux clients, and Mac clients. See the Horizon Client
documentation at https://docs.vmware.com/en/VMware-Horizon/index.html.

n Details about the HTML Access Web client, which allows you to open a remote desktop
inside a browser. No Horizon Client application is installed on the client system or device.
See the Horizon Client documentation at https://docs.vmware.com/en/VMware-Horizon/
index.html.

n Various third-party thin clients and zero clients, available only through certified partners.

Horizon Clients can be used with Horizon 8 or Horizon Cloud on Microsoft Azure.

VMware Horizon User Web Portal

From a web browser on a client device, end users in Horizon 8 or Horizon Cloud on
Azure environments can connect to remote desktops and applications through the browser,
automatically start Horizon Client if it is installed, or download the Horizon Client installer.

When you open a browser and enter the URL of the connection broker, the web page that
appears contains links to the VMware Downloads site for downloading Horizon Client. The links
on the Web page are configurable, however. For example, you can configure the links to point
to an internal Web server, or you can limit which client versions are available on your own
connection broker.

If you use the HTML Access feature, the Web page also displays a link for accessing remote
desktops and applications inside a supported browser. With this feature, no Horizon Client
application is installed on the client system or device. For more information, see the Horizon
Client documentation at https://docs.vmware.com/en/VMware-Horizon/index.html.

Horizon Connection Server

This software service acts as a broker for client connections in Horizon 8 environments. Horizon
Connection Server authenticates users through Windows Active Directory and directs the
request to the appropriate virtual machine, physical PC, or Microsoft RDS host.

Connection Server provides the following management capabilities:

n Authenticating users

n Entitling users to specific desktops and pools

VMware by Broadcom 16
Horizon Overview and Deployment Planning

n Managing remote desktop and application sessions

n Establishing secure connections between users and remote desktops and applications

n Enabling single sign-on

n Setting and applying policies

Inside the corporate firewall, you install and configure a group of two or more Connection Server
instances. Their configuration data is stored in an embedded LDAP directory and is replicated
among members of the group.

Outside the corporate firewall, you can install a Unified Access Gateway appliance in the DMZ.
Unified Access Gateway appliances in the DMZ communicate with Connection Servers inside
the corporate firewall. Unified Access Gateway appliances ensure that the only remote desktop
and application traffic that can enter the corporate data center is traffic on behalf of a strongly
authenticated user. Users can access only the resources that they are authorized to access.

For more information about Unified Access Gateway appliances, see the Unified Access Gateway
documentation at https://docs.vmware.com/en/Unified-Access-Gateway/index.html.

Important It is possible to create a VMware Horizon setup that does not use Connection
Server. If you install the Horizon Agent Direct-Connection Plug-In (formerly View Agent Direct-
Connection Plug-In) in a remote virtual machine desktop, the client can connect directly to
the virtual machine. All the remote desktop features, including PCoIP, HTML Access, RDP, USB
redirection, and session management work in the same way, as if the user had connected
through Connection Server. For more information, see the Horizon Agent Direct-Connection
Plugin document.

Horizon Agent
The Horizon Agent can be used either with the Horizon 8 platform or the Horizon Cloud on
Microsoft Azure platform. Each platform has its own version of Horizon Agent. Depending on
which platform is used, Horizon Agent features may be different.

You install the Horizon Agent service on all virtual machines, physical systems, and Microsoft
RDS hosts that you use as sources for remote desktops and applications. On virtual machines,
this agent communicates with Horizon Client to provide features such as connection monitoring,
integrated printing, and access to locally connected USB devices.

If the desktop source is a virtual machine, you first install the Horizon Agent service on that virtual
machine and then use the virtual machine as a template or as a golden image of instant clones.
When you create a pool from this virtual machine, the agent is automatically installed on every
remote desktop.

You can install the agent with an option for single sign-on. With single sign-on, users are
prompted to log in only when they connect to the connection broker and are not prompted
a second time to connect to a remote desktop or application.

VMware by Broadcom 17
Horizon Overview and Deployment Planning

Horizon Console
Horizon Console is the main user interface for the Horizon 8 platform. This web-based application
allows administrators to configure the connection broker, deploy and manage remote desktops
and applications, control user authentication, and troubleshoot end user issues.

When you install a connection broker instance, you also get the URL for the console web
interface. This web interface allows administrators to manage connection broker instances from
anywhere without having to install an application on their local computer.

vCenter Server
If you are deploying Horizon 8 on vSphere, vCenter Server acts as a central administrator for
VMware ESXi servers that are connected on a network. vCenter Server provides the central point
for configuring, provisioning, and managing virtual machines in the data center.

You can share a single vCenter Server across multiple Horizon 8 pods. For limitations, see
Knowledge Base Article 80673.

In addition to using these virtual machines as sources for virtual machine desktop pools, you can
use virtual machines to host the server components of VMware Horizon 8, including connection
brokers, Active Directory servers, Microsoft RDS hosts, and vCenter Server instances.

Integrating VMware Horizon 8

To enhance the effectiveness of VMware Horizon 8 in your organization, you can use several
interfaces to integrate VMware Horizon 8 with external applications or to create administration
scripts that you can run from the command line or in batch mode.

Integrating VMware Horizon 8 with Business Intelligence Software

You can configure Horizon Connection Server to record events to a Microsoft SQL Server, Oracle,
or PostgreSQL database.

n End-user actions such as logging in and starting a desktop session.

n Administrator actions such as adding entitlements and creating desktop pools.

n Alerts that report system failures and errors.

n Statistical sampling such as recording the maximum number of users over a 24-hour period.

You can use business intelligence reporting engines such as Crystal Reports, IBM Cognos,
MicroStrategy 9, and Oracle Enterprise Performance Management System to access and analyze
the event database.

For more information, see Horizon 8 Administration.

You can alternatively generate VMware Horizon 8 events in Syslog format so that the event
data can be accessible to analytics software. If you enable file-based logging of events, events
accumulate in a local log file. If you specify a file share, the log files move to that share. For more
information, see the Horizon 8 Installation and Upgrade document.

VMware by Broadcom 18
Horizon Overview and Deployment Planning

Using Horizon PowerCLI Cmdlets to Create Administration Scripts

You can use Horizon PowerCLI cmdlets with VMware PowerCLI. Use Horizon PowerCLI cmdlets
to perform various administration tasks on Horizon 8 components. For more information about
Horizon PowerCLI cmdlets, read the VMware PowerCLI Cmdlets Reference available at https://
code.vmware.com/docs/6978/cmdlet-reference.

For information on the API specifications to create advanced functions and scripts to use with
Horizon PowerCLI, see the Horizon API Reference at the VMware Developer Center.

For more information on sample scripts that you can use to create your own Horizon PowerCLI
scripts, see the Horizon PowerCLI community on GitHub.

Modifying LDAP Configuration Data in VMware Horizon 8

When you use Horizon Console to modify the configuration of VMware Horizon 8, the
appropriate LDAP data in the repository is updated. Horizon Connection Server stores its
configuration information in an LDAP compatible repository. For example, if you add a desktop
pool, Connection Server stores information about users, user groups, and entitlements in LDAP.

You can use VMware and Microsoft command-line tools to export and import LDAP configuration
data in LDAP Data Interchange Format (LDIF) files from and into VMware Horizon 8. These
commands are for advanced administrators who want to use scripts to update configuration data
without using Horizon Console or Horizon PowerCLI.

You can use LDIF files to perform a number of tasks.

n Transfer configuration data between Connection Server instances.

n Define a large number of VMware Horizon 8 objects, such as desktop pools, and add these to
your Connection Server instances without using Horizon Console or Horizon PowerCLI.

n Back up a configuration so that you can restore the state of a Connection Server instance.

For more information, see the Horizon 8 Administration document.

Using the vdmadmin Command

You can use the vdmadmin command line interface to perform a variety of administration tasks
on a Connection Server instance. You can use vdmadmin to perform administration tasks that are
not possible from within the Horizon Console user interface or that need to run automatically
from scripts.

For more information, see the Horizon 8 Administration document.

VMware by Broadcom 19
About Horizon Cloud Service and
Horizon Control Plane 3
This documentation page introduces the VMware Horizon Cloud Service and Horizon Control
Plane and provides pointers to additional documentation about how you can get started.

Introduction
Note There are two generations of the Horizon Cloud Service and Horizon Control Plane.
Next-gen is the modern evolution from the initial generation's architecture.

Since the first-gen Horizon Cloud Service and Horizon Control Plane are no longer available,
this document will specifically address the capability of the next-gen Horizon Cloud Service and
Horizon Control Plane.

Horizon Control Plane is a modern, cloud-based platform that provides you with a global
view of your desktops and applications spanning across on-premises and cloud environments.
Regardless of the location of your desktop and application deployments, Horizon Control Plane
enables you to consistently manage and monitor them.

There are two main use cases for Horizon Control Plane:

n Platform for deploying Horizon Cloud Service (DaaS). Currently only Horizon Cloud Service on
Azure is available.

n Control plane for connecting to Horizon 8 pods and providing optional common SaaS services

Horizon 8 pods deployed on-premises and on public cloud SDDCs can be connected to the
Horizon Control Plane and consume additional SaaS services.

The remainder of this chapter will primarily focus on Horizon Cloud Service on Azure.

Compared to Horizon Cloud Service on Azure initial generation, the next-gen service has several
benefits to improve the experience. These are listed below.

Lower costs

"Pod-less" infrastructure results in lower operational costs, faster time to value, and reduced
maintenance.

Improved visibility and troubleshooting

VMware by Broadcom 20
Horizon Overview and Deployment Planning

Using the same model across all platforms improves visibility and troubleshooting capabilities
with proactive alerting and advanced reporting.

Advanced automation

API-driven platform supports advanced automation and integration with third-party apps and
services or Day 2 management processes.

Unprecedented scalability

"Thin edge" architecture and a cloud-native architecture increases scalability across all
platforms.

To get started, see the Horizon Cloud Service - next-gen documentation:

n Horizon Cloud next-gen Release Notes

n Using Horizon Cloud - next-gen

For more details about the architecture, read Tech Zone's Horizon Cloud Service next-gen
Architecture chapter. For more details about the system components, see the sub-articles listed
under this documentation page.

Note For details about the agent service that enables virtual machines to be used as Horizon
remote desktops, see Horizon Agent.

With Horizon Cloud Service on Azure many of the infrastructural components and functionality
that were traditionally deployed into an on-premises site are now provided by the Horizon Cloud
and lets you limit the footprint of the infrastructural component to the thin edge of a Horizon
Edge and the distributed services it runs.

The Horizon Cloud Service on Azure enables administrators to do the following:

n Perform administrative and policy management tasks.

n Manage virtual desktops and multi-session server farms.

n Assign applications and desktops to users and groups using a browser on any machine with
an Internet connection.

n Implement end-user services, such as identity management and session brokering.

Read the following topics next:

n Horizon Edge

n Horizon Universal Broker

n Horizon Client and Client Devices

n Horizon User Web Portal

n Horizon Universal Console

VMware by Broadcom 21
Horizon Overview and Deployment Planning

Horizon Edge
This article describes the Horizon Edge component of a Horizon Cloud Service on Azure
deployment.

Horizon Edge is a thin-edge infrastructure that you deploy into your resource capacity in a
specified primary provider in a specific site. When you deploy the Horizon Cloud Service on
Azure the thin Horizon Edge is in your Azure subscription. Although the Horizon Edge is based in
a single physical location or region, you can divide it into multiple blocks to employ scalability.

A Horizon Edge consists of the following:

n A Horizon Edge deployment consisting of the following components:

n A Horizon Edge Gateway instance, which enables the management and monitoring of
the Unified Access Gateway instances, handles end-user authentication services for single
sign-on (SSO) capabilities, and monitors end-user resources such as virtual desktops and
farms.

n Unified Access Gateway instances, which enable secure remote access from an
external network to internal end-user resources such as virtual desktops and published
applications.

n A load balancer, which distributes network traffic across the Unified Access Gateway
instances. If you are deploying Horizon Cloud Service - next-gen in Microsoft Azure, the
Azure load balancer is used.

n User capacity for hosting image templates, desktop pools, and published applications. This
capacity can be provided by the same primary provider that you used for the Horizon
Edge deployment. Or, you can scale end-user resources by using capacity from secondary
providers.

n Networking functionality within the provider that enables proper communication between
components. If you use Microsoft Azure as your provider, networking is provided by
Microsoft Azure VNet.

For more information, see Deploying Horizon Edge into Your Resource Capacity Provider.

Horizon Universal Broker

This topic describes the Universal Broker component of a Horizon Cloud Service on Azure.

The Universal Broker is a cloud-based service that enables the brokering of end-user resources
that span multiple sites regardless of the infrastructure they are running on. The service also
makes intelligent brokering decisions based on the geographic sites of users and resources.

You can create a pool group containing one or more resource pools and then configure
brokering policies for the pool group.

VMware by Broadcom 22
Horizon Overview and Deployment Planning

For example, you can configure a policy that restricts the Universal Broker to delivering only
those resources hosted in the end-user's home site, or a policy that allows the Universal Broker
to give preference to resources in the site physically closest to the user instead of the user's
home site.

For information about configuring brokering policies, see Create a Single-Session Pool Group or
Create a Multi-Session Pool Group.

Horizon Client and Client Devices

A major advantage of using Horizon Cloud Service on Azure is that remote desktops and
applications follow the end user regardless of device or location. Users can access their
personalized virtual desktop or remote application from a company laptop, their home PC, a
Mac, a tablet, or a phone.

With the HTML Access feature, also known as the web client, end users can open a remote
desktop or application inside a browser running on any device with an Internet connection. Users
do not have to install any client application on their device to use the web client.

End users can also open remote resources using a Horizon Client application that is installed
natively on the client device. For a list of supported Horizon Client applications, see the "Client
Support" section in the VMware Horizon Cloud Service - next-gen Release Notes.

The client login process supports user authentication methods such as single sign-on (SSO). After
logging in, users can select from a list of remote desktops and applications that they are entitled
to use.

For detailed instructions on how to open remote resources from a client, see Desktops and
Applications.

Horizon User Web Portal

The Horizon User Web Portal for Horizon Cloud Service, also known as the Horizon portal, serves
as the initial point of entry for client users to access their Horizon Cloud desktop and application
resources.

To launch the Horizon portal, use a web browser on the client device to visit this address:
https://cloud.vmwarehorizon.com/

VMware by Broadcom 23
Horizon Overview and Deployment Planning

By default, the Horizon portal provides two selection tiles.

n Install Horizon Native Client allows users to download and install the native Horizon Client
for their client device. They can then use Horizon Client to launch a desktop or application
resource.

n Browser allows users to launch a desktop or application using HTML Access, also known as
the web client.

For more information, see Desktops and Applications in the Horizon Cloud Service - next-gen
documentation.

Horizon Universal Console

Horizon Universal Console is the main administration interface for Horizon Cloud Service on
Azure. As a web application based in the Horizon Control Plane, the Horizon Universal Console
allows administrators to perform deployment, confliguration, provisioning, monitoring, and
management tasks in a Horizon Cloud Service on Azure.

The Horizon Universal Console provides full life-cycle administration of remote desktop and
application resources through a single, easy-to-use web-based interface. The console displays
elements for features based on your VMware Horizon subscription. You will not see elements in
the Horizon Universal Console for features that your subscription does not support.

VMware by Broadcom 24
Horizon Overview and Deployment Planning

The Horizon Universal Console allows administrators to perform a range of tasks, including the
following:

n Register resource providers

n Deploy Horizon Edge instances

n Manage virtual machine images

n Provision and manage Horizon desktops, applications, and resource entitlements

For more information, see Tips for Using the Horizon Universal Console and Your Horizon Cloud
next-gen Tenant.

VMware by Broadcom 25
Planning a Rich User Experience
4
VMware Horizon portfolio provides the familiar, personalized desktop environment that end users
expect. For example, on some client systems, end users can access USB and other devices
connected to their local computer, send documents to any printer that their local computer can
detect, authenticate with smart cards, and use multiple display monitors.

VMware Horizon portfolio includes many features that you might want to make available to your
end users. Before you decide which features to use, you must understand the limitations and
restrictions of each feature.

Note The user experience features listed in this section are available for Horizon 8 and the
configuration steps are written specifically for Horizon 8. The majority of these features are also
applicable for Horizon Cloud on Azure. For an up-to-date list of remote experience features, refer
to the Horizon Cloud on Azure documentation.

Read the following topics next:

n Feature Support Matrix for Horizon Agent

n Choosing a Display Protocol

n Types of Desktop Pools

n Using Published Applications

n Using USB Devices with Remote Desktops and Applications

n Using Webcams, Microphones, and Speakers

n Using 3D Graphics Applications

n Streaming Multimedia to a Remote Desktop

n Printing from a Remote Desktop

n Using Single Sign-On for Logging In

n Monitors and Screen Resolution

VMware by Broadcom 26
Horizon Overview and Deployment Planning

Feature Support Matrix for Horizon Agent

When planning which display protocol and features to make available to your end users, use
the following information to determine which agent (remote desktop and application) operating
systems support the feature.

The types and editions of the supported guest operating system depend on the Windows
version.

For a list of Windows 10 guest operating systems, see the VMware Knowledge Base (KB) article
https://kb.vmware.com/s/article/78714.

For Windows operating systems, other than Windows 10, see the VMware Knowledge Base (KB)
article https://kb.vmware.com/s/article/78715.

Note For information about which features are supported on the various types of client
devices, see the Horizon Client documentation at https://docs.vmware.com/en/VMware-Horizon/
index.html.

In addition, several VMware partners offer thin and zero client devices for VMware Horizon
deployments. The features that are available for each thin or zero client device are determined
by the vendor and model and the configuration that an enterprise chooses to use. For
information about the vendors and models for thin and zero client devices, see the VMware
Compatibility Guide, available on the VMware Web site.

Choosing a Display Protocol

A display protocol provides end users with a graphical interface to a remote desktop or
application that resides in the data center. Depending on which type of client device you have,
you can choose from among Blast Extreme and PCoIP (PC-over-IP), which VMware provides, or
Microsoft RDP (Remote Desktop Protocol).

You can set policies to control which protocol is used or to allow end users to choose the
protocol when they log in to a desktop.

Note For some types of clients, neither the PCoIP nor the RDP remote display protocol is used.
For example, if you use the HTML Access client, available with the HTML Access feature, the
Blast Extreme protocol is used, rather than PCoIP or RDP. Similarly, if you use a remote Linux
desktop, Blast Extreme is used.

VMware Blast Extreme

Optimized for the mobile cloud, VMware Blast Extreme supports the broadest range of client
devices that are H.264, HEVC, JPEG, PNG, and proprietary Blast codec capable. Of the display
protocols, VMware Blast Extreme offers the lowest CPU consumption for longer battery life on
mobile devices. VMware Blast Extreme can compensate for an increase in latency or a reduction
in bandwidth and can leverage both TCP and UDP network transports.

VMware by Broadcom 27
Horizon Overview and Deployment Planning

The VMware Blast Extreme display protocol can be used for published applications and for
remote desktops that use virtual machines or shared-session desktops on an RDS host. The RDS
host can be a physical machine or a virtual machine. The VMware Blast display protocol does not
operate on a single-user physical computer, except for the enterprise edition of Windows 10 RS4
and later builds.

Note Movies & TV applications are not supported for physical computers running Windows 10
RS4.

VMware Blast Extreme Features

Key features of VMware Blast Extreme include the following:

n Users outside the corporate firewall can use this protocol with the corporate virtual private
network (VPN), or users can make secure, encrypted connections to the Unified Access
Gateway appliance in the corporate DMZ.

Note It is not recommended to use VPN since Blast connections are already encrypted. For
a better user experience, use the Unified Access Gateway appliance instead.

n Advanced Encryption Standard (AES) 128-bit encryption is supported and is turned on by

default. You can, however, change the encryption key cipher to AES-256.

n Connections from all types of client devices.

n Optimization controls for reducing bandwidth usage on the LAN and WAN.

n Performance counters displayed using PerfMon on Windows agents provide an accurate

representation of the current state of the system that also updates at a constant rate for the
following:

n Blast session

n Imaging

n Audio

n CDR

n USB: USB counters displayed using PerfMon on Windows agents are valid if USB traffic is
configured to use VMware Virtual Channel (VVC).

n Skype for Business: counters are for control traffic only.

n Clipboard

n RTAV

n Serial port and scanner redirection features

n Virtual printing

n HTML5 MMR

VMware by Broadcom 28
Horizon Overview and Deployment Planning

n Windows Media MMR: Performance counters appear only if you configured this feature to
use VMware Virtual Channel (VVC).

n Network continuity during momentary network loss on Windows clients.

n 32-bit color is supported for virtual displays.

n ClearType fonts are supported.

n Audio redirection with dynamic audio quality adjustment for LAN and WAN.

n Real-Time Audio-Video for using webcams and microphones on some client types.

n Copy and paste of text and, on some clients, images between the client operating system
and a remote desktop or published application. For other client types, only copy and paste of
plain text is supported. You cannot copy and paste system objects such as folders and files
between systems.

n Multiple monitors are supported for some client types. On some clients, you can use up to
four monitors with a resolution of up to 2560 x 1600 per display or up to three monitors with
a resolution of 4K (3840 x 2160) for Windows desktops. Pivot display and autofit are also
supported.

When the 3D feature is enabled, up to two monitors are supported with a resolution of up to
1920 x 1200, or one monitor with a resolution of 4K (3840 x 2160).

n USB redirection is supported for some client types.

n MMR redirection is supported for some Windows client operating systems and some remote
desktop operating systems (with Horizon Agent installed).

n Connections to physical machines that have no monitors attached are supported with NVIDIA
graphics cards. For best performance, use a graphics card that supports H.264 encoding.

If you have an add-in discrete GPU and an embedded GPU, the operating system might
default to the embedded GPU. To fix this problem, you can disable or remove the device in
Device Manager. If the problem persists, you can install the WDDM graphics driver for the
embedded GPU, or disable the embedded GPU in the system BIOS. Refer to your system
documentation on how disable the embedded GPU.

Caution Disabling the embedded GPU might cause future loss of access to functionality such
as console access to BIOS setup or NT Boot Loader.

n The Blast Codec improves on Adaptive and on H.264 encoders in desktop usage by
delivering sharper images and fonts and operates like a video codec with motion
detection, motion vectors, and inter-predicted macroblocks. It is supported on the following
environments and is enabled by default.

n Windows and Linux agents

n Disable H.264 and HEVC on Windows, Linux, and MacOS client settings. This feature is
not supported on mobile clients and the Web client.

VMware by Broadcom 29
Horizon Overview and Deployment Planning

n Blast Extreme implements High Dynamic Range (HDR) encoding, which expands the range of
brightness in a digital image to provide a more realistic depiction of a scene. HDR is enabled
by default on the agent. You can add these optional registry keys REG_SZ (string value) on a
Windows agent:

n PixelProviderHDRReferenceWhite: an integer greater than 0 that controls the relative

brightness of the paper white level. The default value is 80.

n TopologyHDREnabled = 1 to enable HDR. The default value is 1.

n TopologyHDREnabled = 0 to disable HDR.

On the client, set the optional registry key REG_SZ (string value) HKLM\SOFTWARE\VMware,
Inc.\VMware VDM\Client\AllowClientHDR to True or False for HDR topology requests. The
default value is True.

In the client VMware Blast settings, turn on Allow High Efficiency Video Decoding (HEVC)
and Allow High Dynamic Range Decoding (HDR).

n VMware Blast detects the presence of a vGPU system and applies higher quality default
settings. There is a unified image quality configuration setting that controls the remote
display image quality level across all Blast encoders. For more information, see "VMware
Blast Policy Settings" in the Horizon Remote Desktop Features and GPOs document.

For information about which client devices support specific VMware Blast Extreme features, go
to https://docs.vmware.com/en/VMware-Horizon-Client/index.html.

Wake-on-LAN
In Horizon environments, Wake-on-LAN is supported for physical machines with the Enterprise
edition of Windows 10 RS4 and later. With this feature, users can wake up physical machines
when connecting with the connection broker. The Wake-on-LAN feature has these prerequisites:

n Wake-on-LAN (WoL) is only supported on IPv4 environments.

n The physical machine must be configured to wake up on receiving Wake-on-LAN packets

when Wake-on-LAN is enabled in the BIOS settings as well as network card settings.

n Destination port 9 is used for WoL packets from the connection broker.

n WoL packets are IP-directed broadcast packets that must be able to reach Horizon Agent
when sent from the connection broker. Wake-on-LAN functions in these scenarios:

n Connection broker and Horizon Agent on the physical machine are on the same subnet in
a LAN environment.

VMware by Broadcom 30
Horizon Overview and Deployment Planning

n All routers between the connection broker and Horizon Agent are configured to allow the
IP-directed broadcast packet for the target subnet of the physical machine you want to
wake up.

Note The Wake-on-LAN feature does not support floating-assignment pools of a physical
Windows 10 agent. The WoL packet is only sent to dedicated assignment pools entitled with a
particular user.

Recommended Guest Operating System Settings

1 GB of RAM or more and a dual CPU is recommended for playing in high-definition, full screen
mode, or 720p or higher formatted video. To use Virtual Dedicated Graphics Acceleration for
graphics-intensive applications such as CAD applications, 4 GB of RAM is required.

Video Quality Requirements

480p-formatted video

You can play video at 480p or lower at native resolutions when the remote desktop has
a single virtual CPU. If you want to play the video in high-definition Flash or in full screen
mode, the desktop requires a dual virtual CPU. Even with a dual virtual CPU desktop, as low
as 360p-formatted video played in full screen mode can lag behind audio, particularly on
Windows clients.

720p-formatted video

You can play video at 720p at native resolutions if the remote desktop has a dual virtual CPU.
Performance might be affected if you play videos at 720p in high definition or in full screen
mode.

1080p-formatted video

If the remote desktop has a dual virtual CPU, you can play 1080p formatted video, although
the media player might need to be adjusted to a smaller window size.

3D rendering

You can configure remote desktops to use software- or hardware-accelerated graphics.

The software-accelerated graphics feature enables you to run DirectX 9 and OpenGL 2.1
applications without requiring a physical graphics processing unit (GPU). The hardware-
accelerated graphics features enable virtual machines to either share the physical GPUs
(graphical processing unit) on a vSphere host or dedicate a physical GPU to a single virtual
desktop.

For 3D applications, up to two monitors are supported, and the maximum screen resolution is
1920 x 1200.

For more information about 3D features, see Using 3D Graphics Applications.

VMware by Broadcom 31
Horizon Overview and Deployment Planning

Hardware Requirements for Client Systems

For information about processor and memory requirements for the specific type of desktop or
mobile client device, go to https://docs.vmware.com/en/VMware-Horizon/index.html.

PCoIP
PCoIP (PC over IP) provides an optimized desktop experience for the delivery of a published
application or an entire remote desktop environment, including applications, images, audio, and
video content for a wide range of users on the LAN or across the WAN. PCoIP can compensate
for an increase in latency or a reduction in bandwidth, to ensure that end users can remain
productive regardless of network conditions.

The PCoIP display protocol can be used for published applications and for remote desktops
that use virtual machines, physical machines that contain Teradici host cards, or shared session
desktops on an RDS host.

PCoIP Features
Key features of PCoIP include the following:

n Users outside the corporate firewall can use this protocol with your company's virtual private
network (VPN), or users can make secure, encrypted connections to the Unified Access
Gateway appliance in the corporate DMZ.

n Advanced Encryption Standard (AES) 128-bit encryption is supported and is turned on by

default. You can, however, change the encryption key cipher to AES-256.

n Connections from all types of client devices.

n Optimization controls for reducing bandwidth usage on the LAN and WAN.

n 32-bit color is supported for virtual displays.

n ClearType fonts are supported.

n Audio redirection with dynamic audio quality adjustment for LAN and WAN.

n Real-Time Audio-Video for using webcams and microphones on some client types.

n Multiple monitors are supported for some client types. On some clients, you can use up to
4 monitors with a resolution of up to 2560 x 1600 per display or up to 3 monitors with a
resolution of 4K (3840 x 2160). Pivot display and autofit are also supported.

When the 3D feature is enabled, up to 2 monitors are supported with a resolution of up to

1920 x 1200, or one monitor with a resolution of 4K (3840 x 2160).

n USB redirection is supported for some client types.

VMware by Broadcom 32
Horizon Overview and Deployment Planning

n MMR redirection is supported for some Windows client operating systems and some remote
desktop operating systems (with Horizon Agent installed).

For information about which desktop operating systems support specific PCoIP features, see
Feature Support Matrix for Horizon Agent.

For information about which client devices support specific PCoIP features, go to https://
docs.vmware.com/en/VMware-Horizon-Client/index.html.

Recommended Guest Operating System Settings

1GB of RAM or more and a dual CPU is recommended for playing in high-definition, full screen
mode, or 720p or higher formatted video. To use Virtual Dedicated Graphics Acceleration for
graphics-intensive applications such as CAD applications, 4GB of RAM is required.

Video Quality Requirements

480p-formatted video

720p-formatted video

You can play video at 720p at native resolutions if the remote desktop has a dual virtual CPU.
Performance might be affected if you play videos at 720p in high definition or in full screen
mode.

1080p-formatted video

If the remote desktop has a dual virtual CPU, you can play 1080p formatted video, although
the media player might need to be adjusted to a smaller window size.

3D rendering

You can configure remote desktops to use software- or hardware-accelerated graphics.

For more information about 3D features, see Using 3D Graphics Applications.

Hardware Requirements for Client Systems

For information about processor and memory requirements, see the "Using VMware Horizon
Client" document for the specific type of desktop or mobile client device. Go to https://
docs.vmware.com/en/VMware-Horizon-Client/index.html.

VMware by Broadcom 33
Horizon Overview and Deployment Planning

Types of Desktop Pools

Using Published Applications

You can use Horizon Client to securely access published Windows-based applications, in addition
to remote desktops.

With this feature, after launching Horizon Client and logging in to a connection broker, users see
all the published applications they are entitled to use, in addition to remote desktops. Selecting
an application opens a window for that application on the local client device, and the application
looks and behaves as if it were locally installed.

For example, on a Windows client computer, if you minimize the application window, an item for
that application remains in the Taskbar and looks identical to the way it would look if it were
installed on the local Windows computer. You can also create a shortcut for the application that
will appear on your client desktop, just like shortcuts for locally installed applications.

Deploying published applications in this way might be preferable to deploying complete remote
desktops under the following conditions:

n If an application is set up with a multi-tiered architecture, where the components work better
if they are located geographically near each other, using published applications is a good
solution.

For example, when a user must access a database remotely, if large amounts of data must
be transmitted over the WAN, performance is usually affected. With published applications,
all parts of the application can be located in the same data center as the database, so that
traffic is isolated and only the screen updates are sent across the WAN.

n From a mobile device, accessing an individual application is easier than opening a remote
Windows desktop and then navigating to the application.

To use this feature, you install applications on a Microsoft RDS host. In this respect, VMware
Horizon published applications work similarly to other application remoting solutions. VMware
Horizon published applications are delivered using either the Blast Extreme display protocol or
the PCoIP display protocol, for an optimized user experience.

Using USB Devices with Remote Desktops and Applications

Administrators can configure the ability to use USB devices, such as thumb flash drives, cameras,
VoIP (voice-over-IP) devices, and printers, from a virtual desktop. This feature is called USB
redirection. A virtual desktop can accommodate up to 255 USB devices.

You can also redirect certain locally connected USB devices for use in published desktops and
applications. For information about the specific types of devices that are supported, see the
Horizon Remote Desktop Features and GPOs document.

VMware by Broadcom 34
Horizon Overview and Deployment Planning

When you use this feature in desktop pools that are deployed on single-user machines, most
USB devices that are attached to the local client system become available in the remote desktop.
You can even connect to and manage an iPad from a remote desktop. For example, you can
sync your iPad with iTunes installed in your remote desktop. On some client devices, such as
Windows and Mac computers, the USB devices are listed in a menu in Horizon Client. You use the
menu to connect and disconnect the devices.

In most cases, you cannot use a USB device in your client system and in your remote desktop at
the same time. Only a few types of USB devices can be shared between a remote desktop and
the local computer. These devices include smart card readers and human interface devices, such
as keyboards and pointing devices.

Administrators can specify the types of USB devices to which end users are allowed to connect.
For composite devices that contain multiple types of devices, such as a video input device and
a storage device, on some client systems, administrators can split the device so that one device
(for example, the video input device) is allowed but the other device (for example, the storage
device) is not.

The USB redirection feature is available only on certain types of clients. To find out whether this
feature is supported on a particular client, see the feature support matrix included in the Horizon
Client installation and setup document for that client.

Using Webcams, Microphones, and Speakers

With the Real-Time Audio-Video feature, you can use the local client system's webcam or
microphone in a remote desktop or published application. Real-Time Audio-Video is compatible
with standard conferencing applications and browser-based video applications. It supports
standard webcams, audio USB devices, and analog audio input.

For information about setting up the Real-Time Audio-Video feature on the agent machine,
including configuring the frame rate and image resolution, see the Horizon Remote Desktop
Features and GPOs document.
End users can run Skype, Webex, Google Hangouts, and other online conferencing applications
in their remote desktops. This feature redirects video and audio data to the agent machine with
a lower bandwidth than can be achieved by using USB redirection. With Real-Time Audio-Video,
webcam images and audio input are encoded on the client system and then sent to the agent
machine. On the agent machine, a virtual webcam and virtual microphone can decode and play
the stream, which the third-party application can use.

No special configuration is necessary, although administrators can set agent-side group policies
and registry keys to configure frame rate and image resolution, or to turn off the feature. By
default, the resolution is 320 by 240 pixels at 15 frames per second. If needed, administrators can
also use client-side configuration settings to set a preferred webcam or audio device.

Note This feature is available only on some types of clients. To find out whether this feature is
supported on a particular type of client, see the feature support matrix included in the installation
and setup document for the specific type of desktop or mobile client device.

VMware by Broadcom 35
Horizon Overview and Deployment Planning

Using 3D Graphics Applications

The software- and hardware-accelerated graphics features available with the Blast Extreme or
PCoIP display protocol enable remote desktop users to run 3D applications ranging from Google
Earth to CAD and other graphics-intensive applications.

NVIDIA GRID vGPU (shared GPU hardware acceleration)

Available with vSphere, this feature allows a physical GPU (graphical processing unit) on an
ESXi host to be shared among virtual machines. Use this feature if you require high-end,
hardware-accelerated workstation graphics.

AMD MxGPU

Available with vSphere, this feature allows multiple virtual machines to share an AMD GPU
by making the GPU appear as multiple PCI passthrough devices. This feature offers flexible
hardware-accelerated 3D profiles, ranging from lightweight 3D task workers to high-end
workstation graphics power users.

Virtual Dedicated Graphics Acceleration (vDGA)

Available with vSphere, this feature dedicates a single physical GPU on an ESXi host to
a single virtual machine. Use this feature if you require high-end, hardware-accelerated
workstation graphics.

Note See the VMware Hardware Compatibility List at http://www.vmware.com/resources/

compatibility/search.php. For Intel vDGA, the Intel integrated GPU is used rather than discrete
GPUs, as is the case with other vendors.

Virtual Shared Graphics Acceleration (vSGA)

Available with vSphere, this feature allows multiple virtual machines to share the physical
GPUs on ESXi hosts. You can use 3D applications for design, modeling, and multimedia.

Soft 3D

Software-accelerated graphics, available with vSphere, allows you to run DirectX 9 and
OpenGL 2.1 applications without requiring a physical GPU. Use this feature for less demanding
3D applications such as Windows Aero themes, Microsoft Office 2010, and Google Earth.

Important See the VMware resource Deploying Hardware-Accelerated Graphics with VMware
Horizon. The rendering options differ by environment (vSphere, non-vSphere, and physical PC)
and use cases (virtual desktops versus published desktops). See the Desktops and Applications
in Horizon 8 document for the 3D options available specific to your environment and use case.
For more information on the choices for 3D rendering, see NVIDIA GRID Virtual GPU User Guide.

VMware by Broadcom 36
Horizon Overview and Deployment Planning

Streaming Multimedia to a Remote Desktop

The Windows Media MMR (multimedia redirection) feature, for desktops and clients, enables full-
fidelity playback on client computers when multimedia files are streamed to a remote desktop.

With MMR, the multimedia stream is processed, that is, decoded, on the client system. The client
system plays the media content, thereby offloading the demand on the ESXi host. Media formats
that are supported on Windows Media Player are supported; for example: M4V; MOV; MP4;
WMP; MPEG-4 Part 2; WMV 7, 8, and 9; WMA; AVI; ACE; MP3; WAV.

Note You must add the MMR port as an exception to your firewall software. The default port for
MMR is 9427 for a PCoIP connection.

Printing from a Remote Desktop

The virtual printing feature allows end users on some client systems to use local or network
printers from a remote desktop without requiring that additional print drivers be installed in the
remote desktop operating system. The location-based printing feature allows you to map remote
desktops to the printer that is closest to the endpoint client device.

With virtual printing, after a printer is added on a local client computer, that printer is
automatically added to the list of available printers on the remote desktop. No further
configuration is required. For each printer available through this feature, you can set preferences
for data compression, print quality, double-sided printing, color, and so on. Users who have
administrator privileges can still install printer drivers on the remote desktop without creating a
conflict with the virtual printing component.

Local printer redirection is designed for the following use cases:

n Printers directly connected to USB or serial ports on the client device

n Specialized printers such as bar code printers and label printers connected to the client

n Network printers on a remote network that are not addressable from the virtual session.

To send print jobs to a USB printer, you can either use the USB redirection feature or use the
virtual printing feature.

Location-based printing allows IT organizations to map remote desktops to the printer that is
closest to the endpoint client device. For example, as a doctor moves from room to room in
a hospital, each time the doctor prints a document, the print job is sent to the nearest printer.
Using this feature does require that the correct printer drivers be installed in the remote desktop.

Note These printing features are available only on some types of clients. To find out whether
a printing feature is supported on a particular type of client, see the feature support matrix
included in the installation and setup guide for the specific type of desktop or mobile client
device. Go to https://docs.vmware.com/en/VMware-Horizon/index.html.

VMware by Broadcom 37
Horizon Overview and Deployment Planning

Using Single Sign-On for Logging In

The single-sign-on (SSO) feature allows end users to supply Active Directory login credentials
only once.

If you do not use the single-sign-on feature, end users must log in twice. They are first prompted
for Active Directory credentials to log in to the connection broker and then prompted to log in
to their remote desktop. If smart cards are also used, end users must sign in three times because
users must also log in when the smart card reader prompts them for a PIN.

For remote desktops, this feature includes a credential provider dynamic-link library.

True SSO
With the True SSO feature, users in Horizon environments are no longer required to supply
Active Directory credentials at all. After users log in to VMware Identity Manager using any
non-AD method (for example, RSA SecurID or RADIUS authentication), users are not prompted to
also enter Active Directory credentials to use a remote desktop or application.

If a user authenticates by using smart cards or Active Directory credentials, the True SSO feature
is not necessary, but you can configure True SSO to be used even in this case. Then any AD
credentials that the user provides are ignored and True SSO is used.

True SSO works by generating a unique, short-lived certificate for the Windows logon process.
You must set up a Certificate Authority, if you do not already have one, and a certificate
Enrollment Server to generate short-lived certificates on behalf of the user. For VMware Horizon
8 environments, you install the Enrollment Server by running the Connection Server installer and
selecting the Enrollment Server option.

True SSO separates authentication (validating a user's identity) from access (such as to a
Windows desktop or application). User credentials are secured by a digital certificate. No
passwords are vaulted or transferred within the data center. For more information, see the
Horizon 8 Administration document.

Monitors and Screen Resolution

You can extend a remote desktop to multiple monitors. If you have a high-resolution monitor, you
can see the remote desktop or application in full resolution.

You can select the All Monitors display mode to display a remote desktop on multiple monitors. If
you are using All Monitors mode and click the Minimize button, if you then maximize the window,
the window goes back to All Monitors mode. Similarly, if you are using Fullscreen mode and
minimize the window, when you maximize the window, the window goes back to Fullscreen
mode on one monitor.

VMware by Broadcom 38
Horizon Overview and Deployment Planning

Using All Monitors in a Multiple-Monitor Setup

Regardless of the display protocol, you can use multiple monitors with a remote desktop. If you
have Horizon Client use all monitors, if you maximize an application window, the window expands
to the full screen of only the monitor that contains it.

Horizon Client supports the following monitor configurations:

n If you use two monitors, the monitors are not required to be in the same mode. For example,
if you are using a laptop connected to an external monitor, the external monitor can be in
portrait mode or landscape mode.

n Monitors can be placed side by side, stacked two by two, or vertically stacked only if you are
using two monitors and the total height is less than 4096 pixels.

n To use the 3D rendering feature, you must use the VMware Blast display protocol or the
PCoIP display protocol. You can use up to two monitors, with a resolution of up to 1920 x
1200. For a resolution of 4K (3840 x 2160), only one monitor is supported.

Note Windows 7 and Windows 8.x virtual desktops are not supported with Horizon Agent
2006 and later.

n With the VMware Blast display protocol, a remote desktop screen resolution of 8K (7680 x
4320) is supported. Two 8K displays are supported. The hardware version of the desktop
virtual machine must be 14 (ESXi 6.7 or later). You must allocate sufficient system resources
in the virtual machine to support an 8K display. For information about supported monitor
configurations for GRID-based desktops, and for NVIDIA vGPU profiles, see the Virtual GPU
Software User Guide on the NVIDIA website. This feature is supported only with the Windows
client.

With the VMware Blast display protocol, a remote desktop screen resolution of 8K (7680 x
4320) is supported. Two 8K displays are supported. The hardware version of the desktop
virtual machine must be 14 (ESXi 6.7 or later). You must allocate sufficient system resources
in the virtual machine to support an 8K display. For information about supported monitor
configurations for GRID-based desktops, and for NVIDIA vGPU profiles, see the Virtual GPU
Software User Guide on the NVIDIA website. This feature is supported only with the Windows
client.

n With the VMware Blast display protocol or the PCoIP display protocol, a remote desktop
screen resolution of 4K (3840 x 2160) is supported. The number of 4K displays that
are supported depends on the hardware version of the desktop virtual machine and the
Windows 10 version.

Hardware Version Number of 4K Displays Supported

10 (ESXi 5.5.x compatible) 1

11 (ESXi 6.0 compatible) 3

VMware by Broadcom 39
Horizon Overview and Deployment Planning

Hardware Version Number of 4K Displays Supported

11 1

13, 14, or later 1 (3D rendering feature enabled)

4 (3D rendering feature disabled)

For the best performance, the virtual machine should have at least 2 GB of RAM and 2 vCPUs.
This feature might require good network conditions, such as a bandwidth of 1000 Mbps with
low network latency and a low package loss rate.

Note When the remote desktop screen resolution is set to 3840 x 2160 (4K), items on the
screen might appear smaller, and you might not be able to use the Screen Resolution dialog
box in the remote desktop to make text and other items larger. On a Windows client, you can
set the client machine's DPI to the proper setting and enable the DPI Synchronization feature
to redirect the client machine's DPI setting to the remote desktop.

n If you use Microsoft RDP 7, the maximum number of monitors that you can use to display a
remote desktop is 16.

n If you use Microsoft RDP display protocol, you must have Microsoft Remote Desktop
Connection (RDC) 6.0 or later installed in the remote desktop.

Using One Monitor in a Multiple-Monitor Setup

If you have multiple monitors but want Horizon Client to use only one monitor, you can select
to have a remote desktop window open in any mode other than All Monitors. By default, the
window is opened on the primary monitor. For more information, see the Horizon Client for
Windows Guide document.

Using High-Resolution Mode

On some types of clients, when you use the VMware Blast display protocol or the PCoIP display
protocol, Horizon Client also supports very high resolutions for those client systems with high-
resolution displays. The option to enable High-Resolution Mode appears only if the client system
supports high-resolution displays.

Hardware encoding is enabled by default after you have vGPU configured in the virtual machine.
Hardware encoding is enabled for all supported multiple-monitor configurations, except vGPU
profiles that use less than 1 GB of video memory will use the software decoder due to
NVENC memory restrictions. See NVENC requires at least 1 Gbyte of frame buffer in https://
docs.nvidia.com/grid/4.3/grid-vgpu-release-notes-vmware-vsphere/index.html

VMware by Broadcom 40
Managing Desktop and
Application Pools from a Central
Location with VMware Horizon 8
5
You can create pools that include one or thousands of remote desktops. As a desktop source,
you can use virtual machines, physical machines, and Windows Remote Desktop Services (RDS)
hosts. Create one virtual machine as a base image, and VMware Horizon 8 can generate a pool
of remote desktops from that image. You can also create pools of applications that give users
remote access to applications.

Read the following topics next:

n Desktop Pools

n Application Pools

n Application Provisioning

n Using Active Directory GPOs to Manage Users and Desktops

Desktop Pools
VMware Horizon 8 offers the ability to create and provision pools of desktops as its basis of
centralized management.

You create a desktop pool from one of the following sources:

n A virtual machine that is hosted on an ESXi host and managed by vCenter Server.

n A session-based desktop on an RDS host. For more information about creating desktop pools
from an RDS host, see the Desktops and Applications in Horizon 8 in Horizon document.

n A non-vSphere machine such as a physical desktop PC.

n A virtual machine that runs on a virtualization platform other than vCenter Server that
supports Horizon Agent.

If you use a vSphere virtual machine as a desktop source, you can automate the process of
making as many identical virtual desktops as you need. You can set a minimum and maximum
number of virtual desktops to be generated for the pool. Setting these parameters ensures that
you always have enough remote desktops available for immediate use but not so many that you
overuse available resources.

VMware by Broadcom 41
Horizon Overview and Deployment Planning

Using pools to manage desktops allows you to apply settings or deploy applications to all
remote desktops in a pool. For more information about desktop pools, see the Desktops and
Applications in Horizon 8 document.

Application Pools
With application pools that run on a farm of RDS hosts, you give users access to published
applications that run on servers in a data center instead of on their personal computers or
devices.

Application pools offer several important benefits:

n Accessibility

Users can access applications from anywhere on the network. You can also configure secure
network access.

n Device independence

With application pools, you can support a range of client devices, such as smart phones,
tablets, laptops, thin clients, and personal computers. The client devices can run various
operating systems, such as Windows, iOS, Mac OS, or Android.

n Access control

You can easily and quickly grant or remove access to applications for one user or a group of
users.

n Accelerated deployment

With application pools, deploying applications can be accelerated because you only deploy
applications on servers in a data center and each server can support multiple users.

n Manageability

Managing software that is deployed on client computers and devices typically requires
significant resources. Management tasks include deployment, configuration, maintenance,
support, and upgrades. With application pools, you can simplify software management in
an enterprise because the software runs on servers in a data center, which requires fewer
installed copies.

n Security and regulatory compliance

With application pools, you can improve security because applications and their associated
data are centrally located in a data center. Centralized data can address security concerns
and regulatory compliance issues.

n Reduced cost

Depending on software license agreements, hosting applications in a data center can

be more cost-effective. Other factors, including accelerated deployment and improved
manageability, can also reduce the cost of software in an enterprise.

VMware by Broadcom 42
Horizon Overview and Deployment Planning

Application Provisioning
With VMware Horizon 8, you have several options regarding application provisioning.

n Deploy published applications using RDS hosts. See Deploying Published Applications Using
an RDS Host.s

n Deploy published applications that run on desktop pools with VM Hosted Applications. See
Deploying Published Applications That Run On Desktop Pools With VM Hosted Applications.

n Deploy applications within virtual desktops. See Deploying Applications Within Virtual
Desktops.

n Deploy applications using VMware App Volumes. You can package applications and
deliver them to your users using VMware App Volumes. As your users log into their
remote desktops, their apps will be attached to their desktops, Fore more information,
see the VMware App Volumes documentation at https://docs.vmware.com/en/VMware-App-
Volumes/index.html.

n Distribute application packages created with VMware ThinApp. For more information about
distributing application packages created with VMware ThinApp, see the VMware ThinApp
documentation at https://docs.vmware.com/en/VMware-ThinApp/index.html.

n Deploying Published Applications Using an RDS Host

You might choose to provide end users with published applications rather than remote
desktops. Individual published applications might be easier to navigate on a small mobile
device.

n Deploying Published Applications That Run On Desktop Pools With VM Hosted Applications
You can deliver one or multiple published applications to end users without creating a farm
of RDS hosts. You can create a pool of virtual machine desktops to host the applications and
then expose end users to only the published applications.

n Deploying Applications Within Virtual Desktops

You can deploy applications into the golden image, and create a pool of identical desktops
each with the exact same copy of applications.

Deploying Published Applications Using an RDS Host

You might choose to provide end users with published applications rather than remote desktops.
Individual published applications might be easier to navigate on a small mobile device.

End users can access published Windows-based applications by using the same Horizon Client
that they previously used for accessing remote desktops, and they use the same Blast Extreme
or PCoIP display protocol.

VMware by Broadcom 43
Horizon Overview and Deployment Planning

To provide a published application, you install the application on a Microsoft Remote Desktop
Session (RDS) host. One or more RDS hosts make up a farm, and from that farm administrators
create application pools in a similar manner to creating desktop pools. For farm sizing
recommendations see VMware Configuration Maximums.

Using this strategy simplifies adding, removing, and updating applications; adding or removing
user entitlements to applications; and providing access from any device or network to centrally
or distributed application farms.

Deploying Published Applications That Run On Desktop Pools With

VM Hosted Applications
You can deliver one or multiple published applications to end users without creating a farm of
RDS hosts. You can create a pool of virtual machine desktops to host the applications and then
expose end users to only the published applications.

This approach benefits the following applications types.

This strategy simplifies the use of the following application types.

n Applications that require .NET framework version compatibility.

n Applications that require special device support, where drivers may not run or be supported
on RDS Hosts.

n Applications that are only tested and certified on Windows 10.

n Applications that require an install license and usage reporting by independent software
vendors.

For more information, see the "Best Practices for Published Applications and
Desktops in VMware Horizon and VMware Horizon Apps" document available at https://
techzone.vmware.com.

Deploying Applications Within Virtual Desktops

You can deploy applications into the golden image, and create a pool of identical desktops each
with the exact same copy of applications.

If you are deploying an instant-clone desktop pool, when the time comes to patch the
applications across all the desktops, you can simply update the golden image and use the push
image feature to quickly propagate the changes across all the desktops in the pool on a rolling
basis. When a user logs off an instant-clone virtual desktop, VMware Horizon 8 deletes the
instant clone and creates a fresh new instant clone from the latest version of the golden image.
This new clone is ready for the next user to log in. With rolling updates, the downtime associated
with pool maintenance can be minimized.

You can use this feature for the following tasks:

n Applying operating system and software patches and upgrades

n Applying service packs

VMware by Broadcom 44
Horizon Overview and Deployment Planning

n Adding applications

n Adding virtual devices

n Changing other virtual machine settings, such as available memory

Using Active Directory GPOs to Manage Users and Desktops

VMware Horizon 8 includes many Group Policy administrative ADMX templates for centralizing
the management and configuration of VMware Horizon 8 components and remote desktops.

After you import these templates into Active Directory, you can use them to set policies that
apply to the following groups and components:

n All systems regardless of which user logs in

n All users regardless of the system they log in to

n Connection Server configuration

n Horizon Client configuration

n Horizon Agent configuration

After a GPO is applied, properties are stored in the local Windows registry of the specified
component.

You can use GPOs to set all the policies that are available from the console web interface. You
can also use GPOs to set policies that are not available from the UI. For a complete list and
description of the settings available through ADMX templates, see the Horizon Remote Desktop
Features and GPOs document.

Using Smart Policies with Dynamic Environment Manager

You can also use Smart Policies to create policies that control the behavior of the USB
redirection, virtual printing, clipboard redirection, client drive redirection, and PCoIP display
protocol features on specific remote desktops. This feature requires Dynamic Environment
Manager.

With Smart Policies, you can create policies that take effect only if certain conditions are met.
For example, you can configure a policy that disables the client drive redirection feature if a user
connects to a remote desktop from outside your corporate network.

In general, Horizon 8 policy settings that you configure for remote desktop features in Dynamic
Environment Manager override any equivalent registry key and group policy settings.

VMware by Broadcom 45
Horizon 8 Architecture Design
Elements and Planning Guidelines
for Remote Desktop Deployments
6
This chapter discusses architecture design elements and planning guidelines that includes key
details about requirements for memory, CPU, storage capacity, network components, and
hardware to give IT architects and planners a practical understanding of what is involved in
deploying a VMware Horizon 8 solution.

For details on how to architect a VMware Horizon 8 deployment, see the "VMware
Workspace ONE and VMware Horizon Reference Architecture" document available at https://
techzone.vmware.com.

Important This chapter does not cover the following topics:

Architecture design A VMware Horizon 8 pod can support farms of Microsoft RDS hosts, where each farm contains
for hosted RDS hosts. For more information, see the Desktops and Applications in Horizon 8 document. If
applications you plan to use virtual machines for RDS hosts, also see RDS Host Virtual Machine Configuration.

Architecture design With this plugin running on a remote virtual machine desktop, the client can connect directly
for View Agent Direct- to the virtual machine. All the remote desktop features, including PCoIP, HTML Access, RDP,
Connection Plugin USB redirection, and session management work in the same way, as if the user had connected
through the connection broker. For more information, see the Horizon Agent Direct-Connection
Plug-In document.

Read the following topics next:

n Guest Operating System Requirements for Remote Desktops

n ESXi Node

n vCenter Server Virtual Machine Configuration

n Horizon Connection Server Maximums and Configuration

n vSphere Clusters

n Storage and Bandwidth Design Considerations

n VMware Horizon 8 Building Blocks

n Horizon 8 Pods

n Advantages of Using Multiple vCenter Servers in a Pod

n Cloud Pod Architecture Overview

VMware by Broadcom 46
Horizon Overview and Deployment Planning

Guest Operating System Requirements for Remote Desktops

When you plan the specifications for remote desktops, the choices that you make regarding
RAM, CPU, and disk space have a significant effect on your choices for server and storage
hardware and expenditures.

n Planning Based on Types of Workers

For many configuration elements, including RAM, CPU, and storage sizing, requirements
depend largely on the type of worker who uses the virtual desktop and on the applications
that must be installed.

n Desktop Types
The most fundamental question to consider is whether a certain type of user needs a
stateful desktop image or a stateless desktop image. Whether you use persistent or non-
persistent desktops depends on the specific type of worker.

n Estimating Memory Requirements for Virtual Machine Desktops

RAM costs more for servers than it does for PCs. Because the cost of RAM is a high
percentage of overall server hardware costs and total storage capacity needed, determining
the correct memory allocation is crucial to planning your desktop deployment.

n Estimating CPU Requirements for Virtual Machine Desktops

When estimating CPU, you must gather information about the average CPU utilization for
various types of workers in your enterprise.

n Choosing the Appropriate System Disk Size

When allocating disk space, provide only enough space for the operating system,
applications, and additional content that users might install or generate. Usually this amount
is smaller than the size of the disk that is included on a physical PC.

n Desktop Virtual Machine Configuration

The example settings for items such as memory, number of virtual processors, and disk
space are specific to VMware Horizon 8.

n RDS Host Virtual Machine Configuration

Use RDS (Remote Desktop Services) hosts for providing published applications and session-
based remote desktops to end users.

Planning Based on Types of Workers

For many configuration elements, including RAM, CPU, and storage sizing, requirements depend
largely on the type of worker who uses the virtual desktop and on the applications that must be
installed.

For architecture planning, workers can be categorized into several types.

Task workers

VMware by Broadcom 47
Horizon Overview and Deployment Planning

Task workers and administrative workers perform repetitive tasks within a small set of
applications, usually at a stationary computer. The applications are usually not as CPU- and
memory-intensive as the applications used by knowledge workers. Task workers who work
specific shifts might all log in to their virtual desktops at the same time. Task workers include
call center analysts, retail employees, warehouse workers, and so on.

Knowledge workers

Knowledge workers' daily tasks include accessing the Internet, using email, and
creating complex documents, presentations, and spreadsheets. Knowledge workers include
accountants, sales managers, marketing research analysts, and so on.

Power users

Power users include application developers and people who use graphics-intensive
applications. These users and applications tend to be CPU and memory intensive and
therefore these considerations should be made in the architecture process.

Kiosk users

These users need to share a desktop that is located in a public place. Examples of kiosk users
include students using a shared computer in a classroom, nurses at nursing stations, and
computers used for job placement and recruiting. These desktops require automatic login.
Authentication can be done through certain applications if necessary.

Desktop Types
The most fundamental question to consider is whether a certain type of user needs a stateful
desktop image or a stateless desktop image. Whether you use persistent or non-persistent
desktops depends on the specific type of worker.

Persistent Desktop

Persistent desktops have data in the operating system image itself that must be preserved,
maintained, and backed up. For example, users who need to install some of their own
applications or have data that cannot be saved outside of the virtual machine itself (such
as on a file server or in an application database) require a persistent desktop.

There are several ways to create persistent desktops in VMware Horizon 8:

You can create automated pools of full-clone virtual machines.

If you already have virtual desktops or physical desktops created (vCenter virtual machines,
non-vCenter virtual machines, or physical PCs), you can import them into VMware Horizon 8
as persistent desktops using the manual desktop pool with a dedicated-assignment.

VMware by Broadcom 48
Horizon Overview and Deployment Planning

Persistent desktops give users the highest degree of flexibility and control over their own
desktops. However, they consume more compute resources and are more difficult to manage
by IT. These desktops might require traditional image management techniques. Persistent
desktops can have low storage costs in conjunction with certain storage system technologies.
Since each persistent desktop is unique and must be preserved, backup and recovery
technologies are important when considering strategies for business continuity.

Non-persistent Desktop

Non-persistent desktops are stateless images that are identical to one another. They are
primarily used by users who do not need to install or preserve their own applications. Non-
persistent desktops have many advantages, such as being easier to support and having
lower storage costs. Other benefits include a limited need to back up the virtual machines
and easier, less expensive disaster recovery and business continuity options. The virtual
desktops themselves do not need to be protected as there is no unique user data stored. In
the event that the virtual desktops are destroyed, you can simply re-create them from the
golden image. Folder redirection and various profile technologies can optionally be used to
storage user profile and user data.

In VMware Horizon 8, you can create non-persistent desktops by leveraging instant clones.
For more information on instant clones, see the Desktops and Applications in Horizon 8
document.

Desktops for Task Workers

Since task workers perform repetitive tasks within a small set of applications, you can utilize
non-persistent desktops, which saves on storage an compute costs and make desktop
management easier.

Desktops for Knowledge Workers and Power Users

Knowledge workers are usually required to create complex documents and have them
persist. Power users often need to install their own applications and have them persist.
Depending on the nature and amount of personal data that must be retained, they require
either a non-persistent desktop or a persistent desktop.

For workers who must install their own applications, which adds data to the operating system
disk, the best option is to create a persistent desktop using full clone virtual machines.

Desktops for Kiosk Users

Kiosk users might include customers at airline check-in stations, students in classrooms
or libraries, medical personnel at medical data entry workstations, or customers at self-
service points. Accounts associated with client devices rather than users are entitled to use
these desktop pools because users do not need to log in to use the client device or the
remote desktop. Users can still be required to provide authentication credentials for some
applications.

VMware by Broadcom 49
Horizon Overview and Deployment Planning

Virtual machine desktops that are set to run in kiosk mode use non-persistent desktops
because user data does not need to be preserved in the operating system disk. Kiosk mode
desktops are used with thin client devices or locked-down PCs. You must ensure that the
desktop application implements authentication mechanisms for secure transactions, that the
physical network is secure against tampering and snooping, and that all devices connected to
the network are trusted.

To set up kiosk mode, you must use the vdmadmin command-line interface and perform
several procedures documented in the topics about kiosk mode in the Horizon 8
Administration document.
For more information creating desktop pools for specific types of workers, see the Desktops and
Applications in Horizon 8 document.

Estimating Memory Requirements for Virtual Machine Desktops

RAM costs more for servers than it does for PCs. Because the cost of RAM is a high percentage
of overall server hardware costs and total storage capacity needed, determining the correct
memory allocation is crucial to planning your desktop deployment.

If the RAM allocation is too low, it can affect storage I/O because too much Windows paging
occurs. If the RAM allocation is too high, it can affect storage capacity because the paging file in
the guest operating system and the swap and suspend files for each virtual machine become too
large.

RAM Sizing Impact on Performance

When allocating RAM, avoid selecting an overly conservative setting. Consider the following:

n Insufficient RAM allocations can cause excessive Windows paging, which can generate I/O
that causes significant performance degradations and increases storage I/O load.

n Because virtual desktop performance is sensitive to response times, VMware recommends

reserving all the memory.

RAM Sizing Impact on Storage

The amount of RAM that you allocate to a virtual machine is directly related to the size of
the certain files that the virtual machine uses. To access the files in the following list, use the
Windows guest operating system to locate the Windows page and hibernate files, and use the
ESXi host's file system to locate the ESXi swap and suspend files.

Windows page file

By default, this the size of this file is 150 percent of guest RAM. This file, which is by
default located at C:\pagefile.sys, causes thin-provisioned storage to expand because
it is accessed frequently.

VMware by Broadcom 50
Horizon Overview and Deployment Planning

For instant clones, any guest operating systems paging and temp files are automatically
deleted during the logoff operation and so do not have time to grow very large. Each time
a user logs out of an instant clone desktop, Horizon 8 deletes the clone, and provisions and
powers on another instant clone based on the latest OS image available for the pool.

Windows hibernate file for laptops

This file can equal 100 percent of guest RAM. You can safely delete this file because it is not
needed in Horizon 8 deployments.

ESXi swap file

This file, which has a .vswp extension, is created if you reserve less than 100 percent of a
virtual machine's RAM. The size of the swap file is equal to the unreserved portion of guest
RAM. For example, if 50 percent of guest RAM is reserved and guest RAM is 2 GB, the ESXi
swap file is 1 GB. This file can be stored on the local datastore on the ESXi host or cluster.

ESXi suspend file

This file, which has a .vmss extension, is created if you set the desktop pool logoff policy so
that the virtual desktop is suspended when the end user logs off. The size of this file is equal
to the size of guest RAM.

RAM Sizing for Specific Monitor Configurations When Using PCoIP or Blast
Extreme

In addition to system memory, a virtual machine also requires a small amount of RAM on the ESXi
host for video overhead. This VRAM size requirement depends in on the display resolution and
number of monitors configured for end users. Table 6-1. PCoIP or Blast Extreme Client Display
Overhead lists the amount of overhead RAM required for various configurations. The amounts of
memory listed in the columns are in addition to the amount of memory required for other PCoIP
or Blast Extreme functionality.

Note 5K and 8K UHD resolutions are only available when using the Blast protocol and only for
1-monitor or 2-monitor configurations. If you attempt to launch a PCoIP session with a 5K or 8K
monitor configured on the client, the session fails.

Table 6-1. PCoIP or Blast Extreme Client Display Overhead

Display 2-Monitor 3-Monitor
Resolution Width Height 1-Monitor Overhead Overhead 4-Monitor
Standard (Pixels) (Pixels) Overhead (MB) (MB) (MB) Overhead (MB)

VGA 640 480 1.20 3.20 4.80 5.60

WXGA 1280 800 4.00 12.50 18.75 25.00

1080p 1920 1080 8.00 25.40 38.00 50.60

WQXGA 2560 1600 16.00 60.00 84.80 109.60

UHD (4K) 3840 2160 32.00 78.00 124.00 170.00

VMware by Broadcom 51
Horizon Overview and Deployment Planning

Table 6-1. PCoIP or Blast Extreme Client Display Overhead (continued)

Display 2-Monitor 3-Monitor
Resolution Width Height 1-Monitor Overhead Overhead 4-Monitor
Standard (Pixels) (Pixels) Overhead (MB) (MB) (MB) Overhead (MB)

5K 5120 2880 64.00 128.00 NA NA

Blast only

UHD (8K) 7680 4320 128.00 256.00 NA NA

Blast only

For calculating system requirements, the VRAM values are in addition to the base system RAM
for the virtual machine. The system automatically calculates and configures overhead memory
when you specify the maximum number of monitors and select the display resolution in the
console.

Note If the RAM size exceeds the maximum value supported for number of monitors, the
maximum supported resolution value is returned.

If you use the 3D rendering feature and select Soft3D or vSGA, you can recalculate using the
additional VRAM values in a console control for configuring VRAM for 3D guests. Alternatively,
and for other types of graphics acceleration besides Soft3D and vSGA, you can specify the exact
amount of VRAM if you elect to manage VRAM by using vSphere Client.

By default, the multiple-monitor configuration matches the host topology. There is extra
overhead pre-calculated for more than two monitors to accommodate additional topology
schemes. If you encounter a black screen when starting a remote desktop session, verify that
the values for the number of monitors and the display resolution, which are set in the console,
match the host system, or manually adjust the amount of memory by using selecting Manage
using vSphere Client in the console and then set the total video memory value to maximum of
128 MB.

RAM Sizing for Specific Workloads and Operating Systems

Because the amount of RAM required can vary widely, depending on the type of worker, many
companies conduct a pilot phase to determine the correct setting for various pools of workers in
their enterprise.

A good starting point is to allocate 2 GB for Windows 10 or later desktops. If you want to use
one of the hardware accelerated graphics features for 3D workloads, VMware recommends two
virtual CPUs and 4 GB of RAM. During a pilot, monitor the performance and disk space used with
various types of workers and make adjustments until you find the optimal setting for each pool of
workers.

Estimating CPU Requirements for Virtual Machine Desktops

When estimating CPU, you must gather information about the average CPU utilization for various
types of workers in your enterprise.

VMware by Broadcom 52
Horizon Overview and Deployment Planning

CPU requirements vary by worker type. During your pilot phase, use a performance monitoring
tool, such as Perfmon in the virtual machine, esxtop in ESXi, or vCenter Server performance
monitoring tools, to understand both the average and peak CPU use levels for these groups of
workers. Also use the following guidelines:

n Software developers or other power uses with high-performance needs might have much
higher CPU requirements than knowledge workers and task workers. Dual or Quad virtual
CPUs are recommended for 64-bit Windows virtual machines running compute-intensive
tasks such as using CAD applications, playing HD videos, or driving 4K display resolutions.

n Two virtual CPUs are generally recommended for other cases.

Because many virtual machines run on one server, CPU can spike if agents such as antivirus
agents all check for updates at exactly the same time. Determine which agents and how many
agents could cause performance issues and adopt a strategy for addressing these issues. For
example, the following strategies might be helpful in your enterprise:

n Use instant-clone desktop pools instead of desktop pools of full virtual machines for your
virtual desktops. With instant clones, you can patch the golden image and then use push
image to propagate the patch on a rolling basis across your pool of desktops. This eliminates
the software update bottleneck typically associated with traditional patch management
software that downloads and updates patch directly on each individual virtual desktop.

n Schedule antivirus and software updates to run at non-peak hours, when few users are likely
to be logged in.

n Stagger or randomize when updates occur.

n Use agent-less antivirus software that is compatible with the VMware NSX Guest
Introspection capabilities.

As an informal initial sizing approach, to start, assume that each virtual machine requires 1/8 to
1/10 of a CPU core as the minimum guaranteed compute power. That is, plan a pilot that uses 8
to 10 virtual machines per core. For example, if you assume 8 virtual machines per core and have
a 2-socket 8-core ESXi host, you can host 128 virtual machines on the server during the pilot.
Monitor the overall CPU usage on the host during this period and ensure that it rarely exceeds a
safety margin such as 80 percent to give enough headroom for spikes.

Choosing the Appropriate System Disk Size

When allocating disk space, provide only enough space for the operating system, applications,
and additional content that users might install or generate. Usually this amount is smaller than the
size of the disk that is included on a physical PC.

Because data center disk space usually costs more per gigabyte than desktop or laptop disk
space in a traditional PC deployment, optimize the operating system image size. The following
suggestions might help optimize image size:

n Remove unnecessary files. For example, reduce the quotas on temporary internet files.

VMware by Broadcom 53
Horizon Overview and Deployment Planning

n Turn off Windows services such as the indexer service, the defragmenter service, and restore
points. For details, see the Desktops and Applications in Horizon 8 document.

n Choose a virtual disk size that is sufficient to allow for future growth, but is not unrealistically
large.

n Use centralized file shares or App Volumes for user-generated content and user-installed
applications.

n Enable space reclamation for vCenter Server to automatically reclaim space used by stale or
deleted data within a guest operating system.

The amount of storage space required must take into account the following files for each virtual
desktop:

n The ESXi suspend file is equivalent to the amount of RAM allocated to the virtual machine.

n By default, the Windows page file is equivalent to 150 percent of RAM.

n Log files can take up as much as 100MB for each virtual machine.

n The virtual disk, or .vmdk file, must accommodate the operating system, applications, and
future applications and software updates. The virtual disk must also accommodate local user
data and user-installed applications if they are located on the virtual desktop rather than on
file shares.

If you use instant clones, the .vmdk files grow over time within a login session. Whenever a
user logs out, the instant clone desktop is automatically deleted and a new instant clone is
created and ready for the next user to log in. With this process, the desktop is effectively
refreshed and returned to its original size.

You can also add 15 percent to this estimate to be sure that users do not run out of disk space.

Desktop Virtual Machine Configuration

The example settings for items such as memory, number of virtual processors, and disk space are
specific to VMware Horizon 8.

The amount of system disk space required depends on the number of applications required in
the base image. VMware has validated a setup that included 8GB of disk space. Applications
included Microsoft Word, Excel, PowerPoint, Adobe Reader, Internet Explorer, McAfee Antivirus,
and PKZIP.

The amount of disk space required for user data depends on the role of the end user and
organizational policies for data storage.

The guidelines listed in the following table are for a standard Windows 10 virtual machine
desktop.

VMware by Broadcom 54
Horizon Overview and Deployment Planning

Table 6-2. Desktop Virtual Machine Example for Windows 10

Item Example

Operating system Windows 10 (with the latest service pack)

RAM 4GB

Virtual CPU 2

System disk capacity 24GB (slightly less than standard)

Virtual SCSI adapter type Select VMware Paravirtual (PVSCSI).

PVSCSI is recommended, but may require additional steps depending
on the version of Windows to be installed. For more information,
see https://techzone.vmware.com/resource/manually-creating-optimized-windows-
images-vmware-horizon-vms.

Virtual network adapter VMXNET 3

RDS Host Virtual Machine Configuration

Use RDS (Remote Desktop Services) hosts for providing published applications and session-
based remote desktops to end users.

An RDS host can be a physical machine or a virtual machine. This example uses a virtual machine
with the specifications listed in the following table. The ESXi host for this virtual machine can be
part of a VMware HA cluster to guard against physical server failures.

Table 6-3. RDS Host Virtual Machine Example

Item Example

Operating system Windows Server 2016

RAM 24GB

Virtual CPU 4

System disk capacity 40GB

Virtual SCSI adapter type Select either LSI Logic SAS or VMware Paravirtual (PVSCSI).
Using PVSCSI may require additional steps depending on the
version of Windows to be installed. For more information, see the
VMware Knowledge Base article Configuring disks to use VMware
Paravirtual SCSI (PVSCSI) controllers (1010398).

Virtual network adapter VMXNET 3

VMware by Broadcom 55
Horizon Overview and Deployment Planning

Table 6-3. RDS Host Virtual Machine Example (continued)

Item Example

1 NIC 1 Gigabit

Maximum number of client connections total 50

(including session-based remote desktop
connections and published application
connections)

Note If you configure RDS hosts at the lower end of the resource specifications, you might
encounter resource constraints when using all features instead of the default installation.

ESXi Node
A node is a single VMware ESXi host that hosts virtual machine desktops in a VMware Horizon 8
deployment.

VMware Horizon 8 is most cost-effective when you maximize the consolidation ratio, which is the
number of virtual machines (either used as desktops or RDS hosts) hosted on an ESXi host. The
consolidation ratio is generally determined by how much CPU, RAM, and storage is available for
the ESXi host, and how much is required per virtual machine while accounting for the overhead
resources required for infrastructure components. Although many factors affect server selection,
if you are optimizing strictly for acquisition price, you must find server configurations that have
an appropriate balance of processing power, memory and storage. Use the following guidelines:

n As a general framework, consider compute capacity in terms of 8 to 10 virtual desktops per

CPU core. For information about calculating CPU requirements for each virtual machine, see
Estimating CPU Requirements for Virtual Machine Desktops.

n Think of memory capacity in terms of virtual desktop RAM and host RAM. For information
about calculating the amount of RAM required per virtual machine, see Estimating Memory
Requirements for Virtual Machine Desktops.

Note that physical RAM costs are not linear and that in some situations, it can be cost-
effective to purchase more smaller servers that do not use expensive DIMM chips. In other
cases, rack density, storage connectivity, manageability and other considerations can make
minimizing the number of servers in a deployment a better choice.

n In VMware Horizon 8, the View Storage Accelerator feature is turned on by default, which
allows ESXi hosts to cache common virtual machine disk data. View Storage Accelerator can
improve performance and reduce the need for extra storage I/O bandwidth to manage boot
storms and anti-virus scanning I/O storms. This feature requires up to 32GB of RAM per ESXi
host. For more information about View Storage Accelerator, see "Configuring View Storage
Accelerator for vCenter Server" in the Horizon 8 Installation and Upgrade document.

n Finally, consider cluster requirements and any failover requirements. For more information
about determining requirements for high availability on vSphere clusters, see Determining
Requirements for High Availability.

VMware by Broadcom 56
Horizon Overview and Deployment Planning

There is no substitute for measuring performance under actual, real world scenarios, such
as in a pilot, to determine an appropriate consolidation ratio for your environment and
hardware configuration. Consolidation ratios can vary significantly, based on usage patterns and
environmental factors. For information about specifications of ESXi hosts in vSphere, see the
VMware vSphere Configuration Maximums document.

vCenter Server Virtual Machine Configuration

When you deploy VMware Horizon in a vSphere environment, you will need to deploy and
configure vCenter Server.

You can install vCenter Server on the same cluster of ESXi hosts that your Horizon infrastructure
and workloads will run on, or on a different cluster. For information on sizing the vCenter Server
based on the expected number of virtual machines it will manage, see Hardware Requirements
for the vCenter Server Appliance.

Horizon Connection Server Maximums and Configuration

You can install Horizon Connection Server either on a physical server or in a virtual machine.

Connection Server Configuration Example

This example uses a virtual machine with the specifications listed in Connection Server Virtual
Machine Example. The ESXi host for this virtual machine can be part of a VMware HA cluster to
guard against physical server failures.

Table 6-4. Connection Server Virtual Machine Example

Item Example

Operating system See supported operating systems in the Horizon 8

Installation and Upgrade document.

RAM 10 GB

Virtual CPU 4

System disk capacity 70 GB

Virtual SCSI adapter type Select either LSI Logic SAS or VMware Paravirtual
(PVSCSI).
Using PVSCSI may require more steps depending on
the version of Windows you are installing. For more
information, see the VMware Knowledge Base article
Configuring disks to use VMware Paravirtual SCSI
(PVSCSI) controllers (1010398).

Virtual network adapter VMXNET 3

Network adapter 1 Gbps NIC

VMware by Broadcom 57
Horizon Overview and Deployment Planning

Connection Server Cluster Design Considerations

You can deploy multiple replicated Connection Server instances in a group to support load
balancing and high availability. Groups of replicated instances support clustering within a LAN-
connected single-data-center environment.

Important To use a group of replicated Connection Server instances across a WAN, MAN
(metropolitan area network), or other non-LAN, in scenarios where a Horizon 8 deployment
needs to span data centers, you must use the Cloud Pod Architecture feature. For more
information, see the Cloud Pod Architecture in Horizon 8 document.

Maximum Connections for Connection Server

VMware Configuration Maximums provides information about the tested limits regarding the
number of simultaneous connections that a Horizon 8 deployment can accommodate.

PCoIP Secure Gateway connections are required if you use Unified Access Gateway appliances
for PCoIP connections from outside the corporate network. Blast Secure Gateway connections
are required if you use Unified Access Gateway appliances for Blast Extreme or HTML Access
connections from outside the corporate network. Tunneled connections are required if you use
Unified Access Gateway appliances for RDP connections from outside the corporate network and
for USB and multimedia redirection (MMR) acceleration with a PCoIP or Blast Secure Gateway
connection.

Although the Unified Access Gateway appliance can support a maximum of 2,000 simultaneous
connections, you might decide to use 2 or 4. The required amount of memory and CPU usage
might dictate that you add more Unified Access Gateway appliances per Connection Server
instance to spread the load.

Although five Connection Server instances (suitably configured) can handle 20,000 connections,
you might want to consider using six or seven Connection Servers for availability planning
purposes, and to accommodate connections coming from both inside and outside of the
corporate network.

For example, if you have 20,000 users, with 16,000 of them inside the corporate network, you
need five Connection Server instances inside the corporate network. That way, if one of the
instances became unavailable, the four remaining instances can handle the load. Similarly, for the
4,000 connections coming from outside the corporate network, you can use two Connection
Server instances so if one becomes unavailable, you still have one instance left that can handle
the load.

These numbers assume that external connections are presented through a gateway. In this
example, each of the Connection Server instances handling external connections is paired
with three Unified Access Gateway appliances, load balanced across both Connection Server
instances, so that if one becomes unavailable, the two remaining appliances can handle the load.

In all cases, users need to reconnect if they are using a Connection Server or gateway that
became unavailable.

VMware by Broadcom 58
Horizon Overview and Deployment Planning

Hardware Requirements for Unified Access Gateway with VMware

Horizon 8
VMware recommends to use 2 vCPUs and 4 GB RAM for Unified Access Gateway appliances to
support maximum number of connections when used with VMware Horizon 8.

Table 6-5. Hardware Requirements for Unified Access Gateway

Item Example

Operating system OVA

RAM 4 GB

Virtual CPU 2

System disk capacity 20 GB (Changing the default log level requires more
space.)

Virtual SCSI adapter type LSI Logic Parallel (the default for OVA)

Virtual network adapter VMXNET 3

Network adapter 1 Gbps NIC

Network Mapping Single NIC option

vSphere Clusters
VMware Horizon 8 deployments can use VMware HA clusters to guard against physical server
failures.

vSphere and vCenter Server provide a rich set of features for managing clusters of servers that
host virtual machine desktops. The cluster configuration is also important because each virtual
machine desktop pool must be associated with a vCenter Server resource pool. Therefore, the
maximum number of desktops per pool is related to the number of servers and virtual machines
that you plan to run per cluster.

In very large VMware Horizon 8 deployments, vCenter Server performance and responsiveness
can be improved by having only one cluster object per data center object, which is not the
default behavior. By default, vCenter Server creates new clusters within the same data center
object.

Note For the latest updates to the VMware Horizon 8 sizing limits and recommendations, see
VMware Configuration Maximums.

For more information, see the chapter about creating desktop pools, in the Desktops and
Applications in Horizon 8 document. Networking requirements depend on the type of server,
the number of network adapters, and the way in which VMotion is configured.

VMware by Broadcom 59
Horizon Overview and Deployment Planning

Determining Requirements for High Availability

vSphere, through its efficiency and resource management, lets you achieve industry-leading
levels of virtual machines per server. But achieving a higher density of virtual machines per server
means that more users are affected if a server fails.

Requirements for high availability can differ substantially based on the purpose of the desktop
pool. For example, a non-persistent desktop pool might have different recovery point objective
(RPO) requirements than a persistent desktop pool. For a non-persistent pool, we recommend to
have users log in to a different desktop if the desktop they are using becomes unavailable.

In cases where availability requirements are high, proper configuration of VMware HA is essential.
If you use VMware HA and are planning for a fixed number of desktops per server, run each
server at a reduced capacity. If a server fails, the capacity of desktops per server is not exceeded
when the desktops are restarted on a different host.

For example, in an 8-host cluster, where each host is capable of running 128 desktops, and the
goal is to tolerate a single server failure, make sure that no more than 128 * (8 - 1) = 896 desktops
are running on that cluster. You can also use VMware DRS (Distributed Resource Scheduler) to
help balance the desktops among all 8 hosts. You get full use of the extra server capacity without
letting any hot-spare resources sit idle. Additionally, DRS can help rebalance the cluster after a
failed server is restored to service.

You must also make sure that storage is properly configured to support the I/O load that results
from many virtual machines restarting at once in response to a server failure. Storage IOPS has
the most effect on how quickly desktops recover from a server failure.

Storage and Bandwidth Design Considerations

Several considerations go into planning for shared storage of virtual machine desktops, planning
for storage bandwidth requirements with regard to I/O storms, and planning network bandwidth
needs.

n Shared Storage Considerations

Storage design considerations are one of the most important elements of a successful
VMware Horizon 8 architecture.

n Storage Bandwidth Considerations

In a VMware Horizon 8 environment, logon storms are the main consideration when
determining bandwidth requirements.

n Network Bandwidth Considerations

Certain virtual and physical networking components are required to accommodate a typical
workload.

VMware by Broadcom 60
Horizon Overview and Deployment Planning

Shared Storage Considerations

Storage design considerations are one of the most important elements of a successful VMware
Horizon 8 architecture.

vSphere lets you virtualize disk volumes and file systems so that you can manage and configure
storage without having to consider where the data is physically stored.

Fibre Channel SAN arrays, iSCSI SAN arrays, and NAS arrays are widely used storage
technologies supported by vSphere to meet different data center storage needs. The storage
arrays are connected to and shared between groups of servers through storage area networks.
This arrangement allows aggregation of the storage resources and provides more flexibility in
provisioning them to virtual machines.

You can use VMware vSAN, which virtualizes the local physical solid-state disks and hard disk
drives available on ESXi hosts into a single datastore shared by all hosts in a cluster. vSAN
provides high-performance storage with policy-based management, so that you specify only one
datastore when creating a desktop pool, and the various components, such as virtual machine
files, replicas, user data, and operating system files, are placed on the appropriate solid-state
drive (SSD) disks or direct-attached hard disks (HDDs). For more information about vSAN, see
the vSphere documentation at https://docs.vmware.com/en/VMware-vSphere/index.html. For
information on best practices, see the technical white paper VMware Horizon on VMware vSAN
Best Practices.

For more details on storage configuration for Horizon 8, see "Managing Storage for Virtual
Desktops" in the Desktops and Applications in Horizon 8 document.

Storage Bandwidth Considerations

In a VMware Horizon 8 environment, logon storms are the main consideration when determining
bandwidth requirements.

Although many elements are important to designing a storage system that supports a VMware
Horizon 8 environment, from a server configuration perspective, planning for proper storage
bandwidth is essential. You must also consider the effects of port consolidation hardware.

VMware Horizon 8 environments can occasionally experience I/O storm loads, during which
all virtual machines undertake an activity at the same time. I/O storms can be triggered by
guest-based agents such as antivirus software or software-update agents. I/O storms can also be
triggered by human behavior, such as when all employees log in at nearly the same time in the
morning.

You can minimize these storm workloads through operational best practices, such as staggering
updates to different virtual machines. You can also test various log-off policies during a pilot
phase to determine whether suspending or powering off virtual machines when users log off
causes an I/O storm.

In addition to determining best practices, VMware recommends that you provide bandwidth of
1Gbps per 100 virtual machines, even though average bandwidth might be 10 times less than that.
Such conservative planning guarantees sufficient storage connectivity for peak loads.

VMware by Broadcom 61
Horizon Overview and Deployment Planning

Network Bandwidth Considerations

Certain virtual and physical networking components are required to accommodate a typical
workload.

For Wide-Area networks (WANs), you must consider bandwidth constraints and latency issues.
The PCoIP and Blast Extreme display protocols provided by VMware adapt to varying latency
and bandwidth conditions.

For display traffic, many elements can affect network bandwidth, such as protocol used, monitor
resolution and configuration, and the amount of multimedia content in the workload. Concurrent
launches of streamed applications can also cause usage spikes.

Because the effects of these issues can vary widely, many companies monitor bandwidth
consumption as part of a pilot project. As a starting point for a pilot, plan for 150 to 200Kbps
of capacity for a typical knowledge worker.

With the PCoIP or Blast Extreme display protocol, if you have an enterprise LAN with 100Mb or
a 1Gb switched network, your end users can expect excellent performance under the following
conditions:

n Two monitors (1920 x 1080)

n Heavy use of Microsoft Office applications

n Heavy use of Flash-embedded Web browsing

n Frequent use of multimedia with limited use of full screen mode

n Frequent use of USB-based peripherals

n Network-based printing

Optimization Controls Available with PCoIP and Blast Extreme

If you use the PCoIP or the Blast Extreme display protocol from VMware, you can adjust several
elements that affect bandwidth usage.

n You can configure the image quality level and frame rate used during periods of network
congestion. The quality level setting allows you to limit the initial quality of the changed
regions of the display image. You can also adjust the frame rate.

This control works well for static screen content that does not need to be updated or in
situations where only a portion needs to be refreshed.

n With regard to session bandwidth, you can configure the maximum bandwidth, in kilobits
per second, to correspond to the type of network connection, such as a 4Mbit/s Internet
connection. The bandwidth includes all imaging, audio, virtual channel, USB, and PCoIP or
Blast control traffic.

You can also configure a lower limit, in kilobits per second, for the bandwidth that is reserved
for the session, so that a user does not have to wait for bandwidth to become available. You
can specify the Maximum Transmission Unit (MTU) size for UDP packets for a session, from
500 to 1500 bytes.

VMware by Broadcom 62
Horizon Overview and Deployment Planning

For more information, see the "PCoIP General Settings" and the "VMware Blast Policy Settings"
sections in the Horizon Remote Desktop Features and GPOs document.

VMware Horizon 8 Building Blocks

A building block is a logical construct and can contain a certain number of virtual machines. A
building block consists of physical servers, a vSphere infrastructure, VMware Horizon servers,
shared storage, and virtual machine desktops for end users. The scalability of each block
depends on how many virtual machines you deploy per vCenter Server.

Table 6-6. Example of a LAN-Based Horizon 8 Building Block for 4,000 Virtual Machine
Desktops

Item Example

vSphere clusters 1

80-port network switch 1

Shared storage system 1

vCenter Server 1 (can be run in the block itself)

Database MS SQL Server, Oracle, or PostgreSQL database server (can be run in the
block itself)

VLANs 3 (a 1 Gbit Ethernet network for each: management network, storage

network, and VMotion network)

If you have only one building block in a pod, use two connection broker instances for
redundancy.

Horizon 8 Pods
A Horizon 8 pod is a unit of organization determined by VMware Horizon scalability limits. You
can create a Horizon 8 pod with a number of building blocks. Each Horizon 8 pod is a unit of
management and has a separate console management user interface.

Pod Example Using Two Building Blocks

Table 6-7. Example of a LAN-Based Horizon 8 Pod Constructed of Two Building Blocks

Item Number

Building blocks for a Horizon 8 pod 2

vCenter Server 2

Database server 2 (1 standalone database server in each building block) MS SQL

Server, Oracle, or PostgreSQL database server

Connection Servers 7 (5 for connections from inside the corporate network and 2 for
connections from outside)

VMware by Broadcom 63
Horizon Overview and Deployment Planning

Table 6-7. Example of a LAN-Based Horizon 8 Pod Constructed of Two Building Blocks
(continued)

Item Number

vLANs See Table 6-6. Example of a LAN-Based Horizon 8 Building Block

for 4,000 Virtual Machine Desktops.

10Gb Ethernet module 1

Modular networking switch 1

Depending on the specific configuration, each vCenter Server can support up a large number
of virtual machines. This support enables you to have large building blocks of virtual machine
desktops. However, the actual block size is also subject to other VMware Horizon-specific
limitations.

For both examples described here, a network core can load balance incoming requests across
Connection Server instances. Support for a redundancy and failover mechanism, usually at
the network level, can prevent the load balancer from becoming a single point of failure. For
example, the Virtual Router Redundancy Protocol (VRRP) can communicate with a load balancer
to add redundancy and failover capability.

If a Connection Server instance fails or becomes unresponsive during an active session, users
do not lose data. Desktop states are preserved in the virtual machine desktop so that users can
connect to a different Connection Server instance and their desktop session resumes from where
it was when the failure occurred.

Figure 6-1. Pod Diagram for Virtual Machine Desktops

Building Building Building Building Building

blocks blocks blocks blocks blocks

Switched
networks

Each Switched network

connects to each
Horizon Connection Server
HorizonConnection
Server

Load Balancer

Network core

Pod Example Using One vCenter Server

In the previous section, the Horizon 8 pod consisted of multiple building blocks. Each building
block supported 5,000 virtual machines with a single vCenter Server. This topic illustrates an
architecture based on using a single vCenter Server to manage 10,000 desktops.

VMware by Broadcom 64
Horizon Overview and Deployment Planning

Although using one vCenter Server for 10,000 desktops is possible, doing so creates a situation
where there is a single point of failure. The loss of that single vCenter Server renders the
entire desktop deployment unavailable for power, provisioning, and refit operations. For this
reason, choose a deployment architecture that meets your requirements for overall component
resiliency.

For this example, a 10,000-user pod consists of physical servers, a vSphere infrastructure,
VMware Horizon servers, shared storage, and 5 clusters of 2,000 virtual desktops per cluster.

Table 6-8. Example of a LAN-Based Horizon 8 Pod with One vCenter Server

Item Example

vSphere clusters 6 (5 clusters with one instant-clone pool per cluster, and 1
infrastructure cluster)

vCenter Server 1

Database server 1 (standalone) MS SQL Server, Oracle, or PostgreSQL

database server

Active Directory server 1 or 2

Connection Server instances 5

Unified Access Gateway appliances 5

vLANs 8 (5 for the desktop pool clusters, and 1 each for

management, VMotion, and the infrastructure cluster)

Advantages of Using Multiple vCenter Servers in a Pod

Before you attempt to manage many virtual machines with a single vCenter Server instance, you
must take the following considerations into account.

n Duration of your company's maintenance windows

n Capacity for tolerating VMware Horizon component failures

n Frequency of power, provisioning, and refit operations

n Simplicity of infrastructure

Duration of Maintenance Windows

Concurrency settings for virtual machine power, provisioning, and maintenance operations are
determined per vCenter Server instance.

VMware by Broadcom 65
Horizon Overview and Deployment Planning

Pod designs with one Concurrency settings determine how many operations can be queued up for an entire Horizon
vCenter Server instance 8 pod at one time.
For example, if you set concurrent provisioning operations to 20 and you have only one
vCenter Server instance in a pod, a desktop pool larger than 20 will cause provisioning
operations to be serialized. After queuing 20 concurrent operations simultaneously, one
operation must complete before the next begins. In large-scale Horizon 8 deployments, this
provisioning operation can take a long time.

Pod designs with Each instance can provision 20 virtual machines concurrently.
multiple vCenter Server
instances

To ensure more operations are completed simultaneously within one maintenance window, you
can add multiple vCenter Server instances (up to five) to your pod, and deploy multiple desktop
pools in vSphere clusters managed by separate vCenter Server instances. A vSphere cluster can
be managed by only one vCenter Server instance at one time. To achieve concurrency across
vCenter Server instances, you must deploy your desktop pools accordingly.

Capacity for Tolerating Component Failures

The role of vCenter Server in Horizon 8 pods is to provide power, provisioning, and refit (refresh,
recompose, and rebalance) operations. After a virtual machine desktop is deployed and powered
on, Horizon 8 does not rely on vCenter Server for the normal course of operations.

Because each vSphere cluster must be managed by a single vCenter Server instance, this server
represents a single point of failure in every VMware Horizon design.

Important To use one of these failover strategies, the vCenter Server instance must not be
installed in a virtual machine that is part of the cluster that the vCenter Server instance manages.

In addition to these automated options for vCenter Server failover, you can also choose to
rebuild the failed server on a new virtual machine or physical server. Most key information is
stored in the vCenter Server database.

Risk tolerance is an important factor in determining whether to use one or multiple vCenter
Server instances in your pod design. If your operations require the ability to perform desktop
management tasks such as power and refit of all desktops simultaneously, you should spread
the impact of an outage across fewer desktops at a time by deploying multiple vCenter Server
instances. If you can tolerate your desktop environment being unavailable for management or
provisioning operations for a long period, or if you choose to use a manual rebuild process, you
can deploy a single vCenter Server instance for your pod.

VMware by Broadcom 66
Horizon Overview and Deployment Planning

Frequency of Power, Provisioning, and Refit Operations

Certain virtual machine desktop power, provisioning, and refit operations are initiated only
by administrator actions, are usually predictable and controllable, and can be confined to
established maintenance windows. Other virtual machine desktop power and refit operations are
triggered by user behavior, such as using the Refresh on Logoff or Suspend on Logoff settings,
or by scripted action, such as using Distributed Power Management (DPM) during windows of
user inactivity to power off idle ESXi hosts.

If your VMware Horizon 8 design does not require user-triggered power and refit operations,
a single vCenter Server instance can probably suit your needs. Without a high frequency of user-
triggered power and refit operations, no long queue of operations can accumulate that might
cause the connection broker to time-out waiting for vCenter Server to complete the requested
operations within the defined concurrency setting limits.

Many customers elect to deploy floating pools and use the Refresh on Logoff setting to
consistently deliver desktops that are free of stale data from previous sessions. Examples of
stale data include unclaimed memory pages in pagefile.sys or Windows temp files. Floating
pools can also minimize the impact of malware by frequently resetting desktops to a known clean
state.

Some customers are reducing electricity usage by configuring VMware Horizon 8 to power off
desktops not in use so that vSphere DRS (Distributed Resources Scheduler) can consolidate
the running virtual machines onto a minimum number of ESXi hosts. VMware Distributed Power
Management then powers off the idle hosts. In scenarios such as these, multiple vCenter Server
instances can better accommodate the higher frequency of power and refit operations required
to avoid operations time-outs.

Simplicity of Infrastructure
A single vCenter Server instance in a large-scale VMware Horizon 8 design offers some
compelling benefits, such as a single place to manage golden image virtual machines, a single
vCenter Server view to match the console view, and fewer production back-end databases and
database servers. Disaster Recovery planning is simpler for one vCenter Server than it is for
multiple instances. Make sure you weigh the advantages of multiple vCenter Server instances,
such as duration of maintenance windows and frequency of power and refit operations, against
the disadvantages, such as the additional administrative overhead of managing golden image
virtual machine images and the increased number of infrastructure components required.

Your design might benefit from a hybrid approach. You can choose to have very large and
relatively static pools managed by one vCenter Server instance and have several smaller, more
dynamic desktop pools managed by multiple vCenter Server instances. The best strategy for
upgrading existing large-scale pods is to first upgrade the VMware software components of your
existing pod. Before changing your pod design, gauge the impact of the improvements of the
latest version's power, provisioning, and refit operations, and later experiment with increasing
the size of your desktop pools to find the right balance of more large desktop pools on fewer
vCenter Server instances.

VMware by Broadcom 67
Horizon Overview and Deployment Planning

Cloud Pod Architecture Overview

To use a group of replicated connection broker instances across a WAN, MAN (metropolitan
area network), or other non-LAN, in scenarios where a Horizon 8 deployment needs to span data
centers, you must use the Cloud Pod Architecture feature.

This feature uses standard Horizon 8 components to provide cross-data-center administration,

global and flexible user-to-desktop mapping, high-availability desktops, and disaster recovery
capabilities.

A typical Cloud Pod Architecture topology consists of two or more pods, which are linked
together in a pod federation. Pod federations are subject to certain limits. The Cloud Pod
Architecture feature can be used to connect pods running on-premises, on a public cloud, or
a mix of both. For more information, see the Cloud Pod Architecture in Horizon 8 document.

VMware by Broadcom 68
Planning for Horizon 8 Security
Features 7
VMware Horizon 8 offers strong network security to protect sensitive corporate data. For
added security, you can integrate VMware Horizon 8 with certain third-party user-authentication
solutions and implement the restricted entitlements feature.

Important VMware Horizon 8 can perform cryptographic operations using FIPS (Federal
Information Processing Standard) 140-2 compliant algorithms. You can enable the use of these
algorithms by installing VMware Horizon 8 in FIPS mode. Not all features are supported in FIPS
mode. For more information, see the Horizon 8 Installation and Upgrade document.

Read the following topics next:

n Understanding Client Connections

n Choosing a User Authentication Method for a Horizon Environment

n Restricting Remote Desktop Access in Horizon 8 Environments

n Using Group Policy Settings to Secure Remote Desktops and Applications

n Using Smart Policies

n Implementing Best Practices to Secure Client Systems

n Assigning Administrator Roles

n Understanding Communications Protocols

Understanding Client Connections

Horizon Client and the Horizon console communicate with a connection broker over secure
HTTPS connections. Information about the server certificate on the connection broker is
communicated to the client as part of the TLS handshake between client and server.

The initial Horizon Client connection, which is used for user authentication and remote desktop
and application selection, is created when a user opens Horizon Client and provides a fully
qualified domain name for the connection broker or Unified Access Gateway host. The console
connection is created when an administrator enters the console URL into a web browser.

In VMware Horizon 8 environments a default TLS server certificate is generated during

Connection Server installation. By default, TLS clients are presented with this certificate when
they visit a secure page such as the Horizon console.

VMware by Broadcom 69
Horizon Overview and Deployment Planning

You can use the default certificate for testing, but you should replace it with your own
certificate as soon as possible. The default certificate is not signed by a commercial Certificate
Authority (CA). Use of non-certified certificates can allow untrusted parties to intercept traffic by
masquerading as your server.

n Client Connections Using the PCoIP and Blast Secure Gateways

When clients connect to a remote desktop or application with the PCoIP or Blast Extreme
display protocol from VMware, Horizon Client can make a second connection to the
applicable Secure Gateway component on a connection broker instance or Unified Access
Gateway appliance. This connection provides the required level of security and connectivity
when accessing remote desktops and applications from the Internet.

n Tunneled Client Connections with Microsoft Remote Desktop Protocol

When users connect to a remote desktop with the Microsoft Remote Desktop Protocol
(RDP) display protocol, Horizon Client can make a second HTTPS connection to the
connection broker. This connection is called the tunnel connection because it provides a
tunnel for carrying RDP data.

n Direct Client Connections

Administrators can configure connection broker settings so that remote desktop and
published application sessions are established directly between the client system and the
published application or desktop virtual machine, bypassing the connection broker host. This
type of connection is called a direct client connection.

Client Connections Using the PCoIP and Blast Secure Gateways

When clients connect to a remote desktop or application with the PCoIP or Blast Extreme display
protocol from VMware, Horizon Client can make a second connection to the applicable Secure
Gateway component on a connection broker instance or Unified Access Gateway appliance.
This connection provides the required level of security and connectivity when accessing remote
desktops and applications from the Internet.

Unified Access Gateway appliances include a PCoIP Secure Gateway component and a Blast
Secure Gateway component, which offers the following advantages:

n The only remote desktop and application traffic that can enter the corporate data center is
traffic on behalf of a strongly authenticated user.

n Users can access only the resources that they are authorized to access.

n The PCoIP Secure Gateway connection supports PCoIP, and the Blast Secure Gateway
connection supports Blast Extreme. Both are advanced remote display protocols that make
more efficient use of the network by encapsulating video display packets in UDP instead of
TCP.

n PCoIP and Blast Extreme are secured by AES-128 encryption by default. You can, however,
change the encryption cipher to AES-256.

VMware by Broadcom 70
Horizon Overview and Deployment Planning

n No VPN is required if the display protocol is not blocked by any networking component. For
example, someone trying to access their remote desktop or application from inside a hotel
room might find that the proxy the hotel uses is not configured to pass UDP packets.

For more information about Unified Access Gateway virtual appliances, see Deploying and
Configuring VMware Unified Access Gateway.

Tunneled Client Connections with Microsoft Remote Desktop

Protocol
When users connect to a remote desktop with the Microsoft Remote Desktop Protocol (RDP)
display protocol, Horizon Client can make a second HTTPS connection to the connection broker.
This connection is called the tunnel connection because it provides a tunnel for carrying RDP
data.

The tunnel connection offers the following advantages:

n RDP data is tunneled through HTTPS and is encrypted using SSL. This powerful security
protocol is consistent with the security provided by other secure Web sites, such as sites
used for online banking and credit card payments.

n A client can access multiple desktops over a single HTTPS connection, which reduces the
overall protocol overhead.

n Because VMware Horizon 8 manages the HTTPS connection, the reliability of the underlying
protocols is significantly improved. If a user temporarily loses a network connection, the HTTP
connection is reestablished after the network connection is restored and the RDP connection
automatically resumes without requiring the user to reconnect and log in again.

In a standard deployment of connection broker instances, the HTTPS secure connection

terminates at the connection broker. In a DMZ deployment, the HTTPS secure connection
terminates at a Unified Access Gateway appliance.

Clients that use the PCoIP or Blast Extreme display protocol can use the tunnel connection for
USB redirection and multimedia redirection (MMR) acceleration, but for all other data, PCoIP uses
the PCoIP Secure Gateway, and Blast Extreme uses the Blast Secure Gateway, on a Unified
Access Gateway appliance. For more information, see Client Connections Using the PCoIP and
Blast Secure Gateways .

For more information about Unified Access Gateway virtual appliances, see Deploying and
Configuring VMware Unified Access Gateway.

Direct Client Connections

Administrators can configure connection broker settings so that remote desktop and published
application sessions are established directly between the client system and the published
application or desktop virtual machine, bypassing the connection broker host. This type of
connection is called a direct client connection.

VMware by Broadcom 71
Horizon Overview and Deployment Planning

With direct client connections, an HTTPS connection is still made between the client and the
connection broker host for users to authenticate and select remote desktops and published
applications, but the second HTTPS connection (the tunnel connection) is not used.

Direct PCoIP and Blast Extreme connections include the following built-in security features:

n Support for Advanced Encryption Standard (AES) encryption, which is turned on by default,
and IP Security (IPsec)

n Support for third-party VPN clients

For clients that use the Microsoft RDP display protocol, direct client connections to remote
desktops are appropriate only if your deployment is inside a corporate network. With direct
client connections, RDP traffic is sent unencrypted over the connection between the client and
the desktop virtual machine.

Choosing a User Authentication Method for a Horizon

Environment
VMware Horizon 8 uses your existing Active Directory infrastructure for user authentication
and management. For added security, you can integrate VMware Horizon 8 with two-factor
authentication solutions, such as RSA SecurID and RADIUS, and smart card authentication
solutions.

n Active Directory Authentication

Each connection broker instance is joined to an Active Directory domain, and users are
authenticated against Active Directory for the joined domain. Users are also authenticated
against any additional user domains with which a trust agreement exists.

n Using Two-Factor Authentication

You can configure a connection broker instance so that users are required to use
RSA SecurID authentication or RADIUS (Remote Authentication Dial-In User Service)
authentication.

n Smart Card Authentication

A smart card is a small plastic card that is embedded with a computer chip. Many
government agencies and large enterprises use smart cards to authenticate users who
access their computer networks. One type of smart card used by the United States
Department of Defense is called a Common Access Card (CAC).

n Using the Log In as Current User Feature Available with Windows-Based Horizon Client
With Horizon Client for Windows, when users select Log in as current user in the Options
menu, the credentials that they provided when logging in to the client system are used to
authenticate to the connection broker instance and to the remote desktop using Kerberos.
No further user authentication is required.

VMware by Broadcom 72
Horizon Overview and Deployment Planning

Active Directory Authentication

For example, if a connection broker instance is a member of Domain A and a trust agreement
exists between Domain A and Domain B, users from both Domain A and Domain B can connect
to the connection broker instance with Horizon Client.

Similarly, if a trust agreement exists between Domain A and an MIT Kerberos realm in a mixed
domain environment, users from the Kerberos realm can select the Kerberos realm name when
connecting to the connection broker instance with Horizon Client.

You can place users and groups in the following Active Directory domains:

n The connection broker domain

n A different domain that has a two-way trust relationship with the connection broker domain

n A domain in a different forest than the connection broker domain that is trusted by the
connection broker domain in a one-way external or realm trust relationship

n A domain in a different forest than the connection broker domain that is trusted by the
connection broker domain in a one-way or two-way transitive forest trust relationship

The connection broker determines which domains are accessible by traversing trust relationships,
starting with the domain in which the host resides. For a small, well-connected set of domains,
the connection broker can quickly determine a full list of domains, but the time that it takes
increases as the number of domains increases or as the connectivity between the domains
decreases. The list might also include domains that you would prefer not to offer to users when
they log in to their remote desktops and applications.

Administrators can use the vdmadmin command-line interface to configure domain filtering, which
limits the domains that a connection broker instance searches and that it displays to users. See
the Horizon 8 Administration document for more information.

Policies, such as restricting permitted hours to log in and setting the expiration date for
passwords, are also handled through existing Active Directory operational procedures.

Using Two-Factor Authentication

You can configure a connection broker instance so that users are required to use RSA SecurID
authentication or RADIUS (Remote Authentication Dial-In User Service) authentication.

n RADIUS support offers a wide range of alternative two-factor token-based authentication

options.

n VMware Horizon 8 also provides an open standard extension interface to allow third-party
solution providers to integrate advanced authentication extensions into VMware Horizon 8.

VMware by Broadcom 73
Horizon Overview and Deployment Planning

Because two-factor authentication solutions such as RSA SecurID and RADIUS work with
authentication managers, installed on separate servers, you must have those servers configured
and accessible to the connection broker host. For example, if you use RSA SecurID, the
authentication manager would be RSA Authentication Manager. If you have RADIUS, the
authentication manager would be a RADIUS server.

To use two-factor authentication, each user must have a token, such as an RSA SecurID
token, that is registered with its authentication manager. A two-factor authentication token is
a piece of hardware or software that generates an authentication code at fixed intervals. Often
authentication requires knowledge of both a PIN and an authentication code.

If you have multiple connection broker instances, you can configure two-factor authentication
on some instances and a different user authentication method on others. For example, you can
configure two-factor authentication only for users who access remote desktops and applications
from outside the corporate network, over the Internet.

VMware Horizon 8 is certified through the RSA SecurID Ready program and supports the
full range of SecurID capabilities, including New PIN Mode, Next Token Code Mode, RSA
Authentication Manager, and load balancing.

Smart Card Authentication

A smart card is a small plastic card that is embedded with a computer chip. Many government
agencies and large enterprises use smart cards to authenticate users who access their computer
networks. One type of smart card used by the United States Department of Defense is called a
Common Access Card (CAC).

Administrators can enable individual connection broker instances for smart card authentication.
Enabling a connection broker instance to use smart card authentication typically involves adding
your root certificate to a truststore file and then modifying connection broker settings.

All client connections, including client connections that use smart card authentication, are
TLS/SSL enabled.

To use smart cards, client machines must have smart card middleware and a smart card reader.
To install certificates on smart cards, you must set up a computer to act as an enrollment station.
For information about whether a particular type of Horizon Client supports smart cards, see the
Horizon Client documentation at https://docs.vmware.com/en/VMware-Horizon/index.html.

Using the Log In as Current User Feature Available with Windows-

Based Horizon Client
With Horizon Client for Windows, when users select Log in as current user in the Options menu,
the credentials that they provided when logging in to the client system are used to authenticate
to the connection broker instance and to the remote desktop using Kerberos. No further user
authentication is required.

VMware by Broadcom 74
Horizon Overview and Deployment Planning

If you are enrolled with Windows Hello for Business with certificate trust on the client system,
Windows Hello for Business issued user logon certificate is used for single sign-on to the Horizon
Agent system. For more information, see "Authentication with Windows Hello for Business" in the
Horizon 8 Administration document.
To support this feature, user credentials are stored on both the connection broker instance and
on the client system.

n On the connection broker instance, user credentials are encrypted and stored in the user
session along with the username, domain, and optional UPN. The credentials are added when
authentication occurs and are purged when the session object is destroyed. The session
object is destroyed when the user logs out, the session times out, or authentication fails. The
session object resides in volatile memory and is not stored in Horizon LDAP or in a disk file.

n On the connection broker instance, enable the Accept logon as current user setting to allow
the connection broker instance to accept the user identity and credential information that is
passed when users select Log in as current user in the Options menu in Horizon Client.

Important You must understand the security risks before enabling this setting. See,
"Security-Related Server Settings for User Authentication" in the Horizon Security document.

n On the client system, user credentials are encrypted and stored in a table in the
Authentication Package, which is a component of Horizon Client. The credentials are added
to the table when the user logs in and are removed from the table when the user logs out.
The table resides in volatile memory.

When you select Accept logon as current user, you can enable the following user settings:

n Allow Legacy Clients: Support for older clients. Horizon Client versions 2006 and 5.4 and
earlier versions are considered older clients.

n Allow NTLM Fallback: Uses NTLM authentication instead of Kerberos when there is no
access to the domain controller. The NTLM group policy settings must be enabled in
Horizon Client configuration.

n Disable Channel Bindings: An additional security layer to secure NTLM authentication. By

default, channel bindings are enabled on the client.

Note If channel binding is enabled, confirm that NTLMv2 is turned on using

the LMCompatibilityLevel switch and that the security level 3 or higher in the user
environment. For more information, see the Microsoft documentation here.

n True SSO Integration: Enable this setting on the connection broker to allow SSO to the
desktop using True SSO. For example, in a nested mode, True SSO is used to log on to
a nested client and then a secondary desktop logon was performed. For information on
nested mode, see the Horizon Client for Windows Guide.

n Disabled: The user has to enter login information if the client did not receive logon
credentials.

VMware by Broadcom 75
Horizon Overview and Deployment Planning

n Optional: Client credentials are used, if available; otherwise True SSO are used. This is
the recommended setting if both True SSO and Log in as current user are enabled.

n Enabled: True SSO is used to log on to the desktop.

Administrators can use Horizon Client group policy settings to control the availability of the Log
in as current user setting in the Options menu and to specify its default value. Administrators can
also use group policy to specify which connection broker instances accept the user identity and
credential information that is passed when users select Log in as current user in Horizon Client.

The Recursive Unlock feature is enabled after a user logs in to the connection broker with the
Log in as current user feature. The Recursive Unlock feature unlocks all remote sessions after the
client machine has been unlocked. Administrators can control the Recursive Unlock feature with
the Unlock remote sessions when the client machine is unlocked global policy setting in Horizon
Client. For more information about global policy settings for Horizon Client, see the Horizon Client
documentation at the VMware Horizon Clients documentation Web page.

Note The Recursive Unlock feature can be slow when you use Log in as current user with
NTLM authentication if Horizon Client is unable to access the domain controllers. To mitigate
this issue, enable the group policy setting Always use NTLM for servers in the VMware Horizon
Client Configuration > Security Settings > NTLM Settings folder in the Group Policy Management
Editor.

The Log in as current user feature has the following limitations and requirements:

n When smart card authentication is set to Required on a connection broker instance,

authentication fails for users who select Log in as current user when they connect to the
connection broker instance. These users must reauthenticate with their smart card and PIN
when they log in to connection broker.

n The time on the system where the client logs in and the time on the connection broker host
must be synchronized.

n If the default Access this computer from the network user-right assignments are modified
on the client system, they must be modified as described in VMware Knowledge Base (KB)
article 1025691.

Restricting Remote Desktop Access in Horizon 8

Environments
You can use the restricted entitlements feature to restrict remote desktop access based on the
connection broker instance that a user connects to.

With restricted entitlements, you assign one or more tags to a connection broker instance. Then,
when configuring a desktop pool, you select the tags of the connection broker instances that
you want to be able to access the desktop pool. When users log in through a tagged connection
broker instance, they can access only those desktop pools that have at least one matching tag or
no tags.

VMware by Broadcom 76
Horizon Overview and Deployment Planning

For example, your Horizon 8 deployment might include two connection broker instances. The
first instance supports your internal users. The second instance is paired with an Unified Access
Gateway appliance and supports your external users. To prevent external users from accessing
certain desktops, you could set up restricted entitlements as follows:

n Assign the tag "Internal" to the connection broker instance that supports your internal users.

n Assign the tag "External" to the connection broker instance that is paired with the Unified
Access Gateway appliance and supports your external users.

n Assign the "Internal" tag to the desktop pools that should be accessible only to internal users.

n Assign the "External" tag to the desktop pools that should be accessible only to external
users.

External users cannot see the desktop pools tagged as Internal because they log in through the
connection broker tagged as External, and internal users cannot see the desktop pools tagged as
External because they log in through the connection broker tagged as Internal.

You can also use restricted entitlements to control desktop access based on the user-
authentication method that you configure for a particular connection broker instance. For
example, you can make certain desktop pools available only to users who have authenticated
with a smart card.

The restricted entitlements feature only enforces tag matching. You must design your network
topology to force certain clients to connect through a particular connection broker instance.

Using Group Policy Settings to Secure Remote Desktops and

Applications
VMware Horizon 8 includes Group Policy administrative ADMX templates that contain security-
related group policy settings that you can use to secure your remote desktops and applications.

For example, you can use group policy settings to perform the following tasks.

n Specify the connection broker instances that can accept user identity and credential
information that is passed when a user selects the Log in as current user check box in
Horizon Client for Windows.

n Enable single sign-on for smart card authentication in Horizon Client.

n Configure server TLS certificate checking in Horizon Client.

n Prevent users from providing credential information with Horizon Client command line
options.

n Prevent non-Horizon Client systems from using RDP to connect to remote desktops. You can
set this policy so that connections must be Horizon Client-managed, which means that users
must use VMware Horizon 8 to connect to remote desktops.

See the Horizon Remote Desktop Features and GPOs document for information on using remote
desktop and Horizon Client group policy settings.

VMware by Broadcom 77
Horizon Overview and Deployment Planning

Using Smart Policies

You can use Smart Policies for user environment settings in a published desktop or application
and also for computer environment settings that apply during computer boot or session
reconnection.

You can create policies for user environment settings that control a range of behaviors. Horizon 8
Smart Policies for user environment settings are applied during login and can be refreshed during
reconnect of a session. To reapply Horizon 8 Smart Policies when a user reconnects to a session,
you can configure a triggered task.

You can create policies for computer environment settings that Dynamic Environment Manager
applies while end users' computers boot. Horizon 8 Smart Policies for computer environment
settings are applied during computer boot and can be refreshed during the reconnection of a
session.

With Smart Policies, you can create policies that take effect only if certain conditions are met. For
example, you can configure a policy that deactivates the client drive redirection feature if a user
connects to a remote desktop from outside your corporate network.

The Smart Policies feature requires Dynamic Environment Manager. For more information, see
the topics about Smart Policies in Horizon Remote Desktop Features and GPOs.

For information about using Smart Policies to control the behavior of features on a remote Linux
desktop, see Desktops and Applications in Horizon 8.

Implementing Best Practices to Secure Client Systems

Implement these best practices to secure client systems.

n Configure client systems to go to sleep after a period of inactivity and require users to enter
a password before the computer awakens.

n Require users to enter a username and password when starting client systems. Do not
configure client systems to allow automatic logins.

n For Mac client systems, consider setting different passwords for the Keychain and the user
account. When the passwords are different, users are prompted before the system enters
any passwords on their behalf. Also consider turning on FileVault protection.

For a reference to all the security features VMware Horizon provides, see the Horizon Security
document.

Assigning Administrator Roles

A key management task in a VMware Horizon 8 environment is to determine who can use the
Horizon console and what tasks those users are authorized to perform.

VMware by Broadcom 78
Horizon Overview and Deployment Planning

The authorization to perform tasks in the console is governed by an access control system that
consists of administrator roles and privileges. A role is a collection of privileges. Privileges grant
the ability to perform specific actions, such as entitling a user to a desktop pool or changing a
configuration setting. Privileges also control what an administrator can see in the console.

An administrator can create folders to subdivide desktop pools and delegate the administration
of specific desktop pools to different administrators in the console. An administrator configures
administrator access to the resources in a folder by assigning a role to a user on that folder.
Administrators can only access the resources that reside in folders for which they have assigned
roles. The role that an administrator has on a folder determines the level of access that the
administrator has to the resources in that folder.

The Horizon console includes a set of predefined roles. Administrators can also create custom
roles by combining selected privileges.

Understanding Communications Protocols

VMware Horizon components use several different protocols to exchange messages.

The following table lists the default ports that each protocol uses. You can change the port
numbers. For example, you might need to change the port numbers to comply with organization
policies, or to avoid contention.

Table 7-1. Default Ports

Protocol Port

JMS TCP port 4001

TCP port 4002

HTTP TCP port 80

HTTPS TCP port 443

MMR/CDR TCP port 9427

The following features use this port.
n Windows multimedia redirection
n Client drive redirection
n Microsoft Teams optimization
n HTML multimedia redirection
n VMware printer redirection
n USB redirection

RDP TCP port 3389

Note If the connection broker instance is configured for direct client connections, these protocols
connect directly from the client to the remote desktop and are not tunneled through the Horizon
Secure Gateway Server component.

SOAP TCP port 80 or 443

PCoIP TCP port 4172

UDP ports 4172, 50002, 55000

VMware by Broadcom 79
Horizon Overview and Deployment Planning

Table 7-1. Default Ports (continued)

Protocol Port

USB TCP port 32111. This port is also used for time zone synchronization.
redirection

VMware Blast TCP ports 8443, 22443

Extreme UDP ports 443, 8443, 22443

HTML Access TCP ports 8443, 22443

TCP Ports for Connection Broker Intercommunication

Connection broker instances in a group use additional TCP ports to communicate with each
other. For example, connection broker instances use port 4100 or 4101 to transmit JMS inter-
router (JMSIR) traffic to each other. Firewalls are typically not used between the connection
broker instances in a group.

VMware Horizon Security Gateway

Horizon Security Gateway is the server-side component for the secure HTTPS connection
between client systems and an Unified Access Gateway appliance, or connection broker
instance.

When you configure the tunnel connection for the connection broker, RDP, USB, and Multimedia
Redirection (MMR) traffic is tunneled through the Horizon Security Gateway component. When
you configure direct client connections, these protocols connect directly from the client to the
remote desktop and are not tunneled through the Horizon Security Gateway component.

Note Clients that use the PCoIP or Blast Extreme display protocol can use the tunnel connection
for USB redirection and multimedia redirection (MMR) acceleration, but for all other data, PCoIP
uses the PCoIP Secure Gateway, and Blast Extreme uses the Blast Secure Gateway, on an Unified
Access Gateway appliance.

Horizon Security Gateway is also responsible for forwarding other web traffic, including user
authentication and desktop and application selection traffic, from clients to the connection
broker. Horizon Security Gateway also passes Horizon console client web traffic to the Horizon
Administration component.

Blast Secure Gateway

Unified Access Gateway appliances include a Blast Secure Gateway component. When the Blast
Secure Gateway is enabled, after authentication, clients that use Blast Extreme or HTML Access
can make another secure connection to an Unified Access Gateway appliance. This connection
allows clients to access remote desktops and applications from the Internet.

VMware by Broadcom 80
Horizon Overview and Deployment Planning

When you enable the Blast Secure Gateway component, Blast Extreme traffic is forwarded by an
Unified Access Gateway appliance to remote desktops and applications. If clients that use Blast
Extreme also use the USB redirection feature or multimedia redirection (MMR) acceleration, you
can enable the View Secure Gateway component to forward that data.

When you configure direct client connections, Blast Extreme traffic and other traffic goes directly
from a client to a remote desktop or application.

When end users such as home or mobile workers access desktops from the internet, Unified
Access Gateway appliances provide the required level of security and connectivity so that a VPN
connection is not necessary. The Blast Secure Gateway component ensures that the only remote
traffic that can enter the corporate data center is traffic on behalf of a strongly authenticated
user. End users can access only the resources that they are authorized to access.

A Blast native client that operates through a Blast Secure Gateway expects to have its Blast
session TLS connection authenticated by the TLS certificate that is configured on the Blast
Secure Gateway. If the client's Blast connection sees some other TLS certificate then the
connection will be dropped and the client will report a certificate thumbprint mismatch.

If you choose to have the client make its connection to a TLS-terminating proxy placed between
the client and the Blast Secure Gateway, you may satisfy the client's certificate requirement and
avoid a thumbprint mismatch error by arranging for the proxy to present a copy of the Blast
Secure Gateway's certificate (and private key), thereby allowing the Blast connection from the
client to succeed.

An alternative to copying the Blast Secure Gateway's certificate to the proxy is to provide
the proxy with its own TLS certificate, and then configure the Blast Secure Gateway to advise
the client to expect and accept the proxy's certificate rather than the Blast Secure Gateway's
certificate.

You can configure the Blast Secure Gateway in a Unified Access Gateway by uploading the
proxy's certificate in Blast Proxy Certificate in the Unified Access Gateway Horizon settings.
See the Deploying and Configuring VMware Unified Access Gateway document in https://
docs.vmware.com/en/Unified-Access-Gateway/index.html.

Note Only the proxy certificate is uploaded. The corresponding private key is not disclosed to
the Unified Access Gateway.

PCoIP Secure Gateway

Unified Access Gateway appliances include a PCoIP Secure Gateway component. When the
PCoIP Secure Gateway is enabled, after authentication, clients that use PCoIP can make another
secure connection to an Unified Access Gateway appliance. This connection allows clients to
access remote desktops and applications from the internet.

When you enable the PCoIP Secure Gateway component, PCoIP traffic is forwarded by an
Unified Access Gateway appliance to remote desktops and applications. If clients that use PCoIP
also use the USB redirection feature or multimedia redirection (MMR) acceleration, you can
enable the Horizon Security Gateway component in order to forward that data.

VMware by Broadcom 81
Horizon Overview and Deployment Planning

When you configure direct client connections, PCoIP traffic and other traffic goes directly from a
client to a remote desktop or application.

When end users such as home or mobile workers access desktops from the internet, Unified
Access Gateway appliances provide the required level of security and connectivity so that a
VPN connection is not necessary. The PCoIP Secure Gateway component ensures that the
only remote traffic that can enter the corporate data center is traffic on behalf of a strongly
authenticated user. End users can access only the resources that they are authorized to access.

Horizon LDAP
Horizon LDAP is an embedded LDAP directory in the connection broker and is the configuration
repository for all VMware Horizon 8 configuration data.

Horizon LDAP contains entries that represent each remote desktop and application, each
accessible remote desktop, multiple remote desktops that are managed together, and VMware
Horizon component configuration settings.

Horizon LDAP also includes a set of VMware Horizon plug-in DLLs to provide automation and
notification services for other VMware Horizon 8 components.

Horizon Messaging
The Horizon Messaging component provides the messaging router for communication between
the connection broker components and between Horizon Agent and the connection broker.

This component supports the Java Message Service (JMS) API, which is used for messaging in
Horizon 8.

Inter-component message validation uses DSA keys. The key size is 512 bits by default, except in
FIPS mode, where the key size is 2048 bits.

Firewall Rules for Horizon Connection Server

Certain ports must be opened on the firewall for Connection Server instances.

When you install Connection Server, the installation application can optionally configure the
required Windows Firewall rules for you. These rules open the ports that are used by default. If
you change the default ports after installation, you must manually configure Windows Firewall to
allow Horizon Client devices to connect to VMware Horizon 8 through the updated ports.

The following table lists the default ports that can be opened automatically during installation.
Ports are incoming unless otherwise noted.

Table 7-2. Ports Opened During Horizon Connection Server Installation

Protocol Ports Horizon Connection Server Instance Type

JMS TCP 4001 Standard and replica

JMS TCP 4002 Standard and replica

JMSIR TCP 4100 Standard and replica

VMware by Broadcom 82
Horizon Overview and Deployment Planning

Table 7-2. Ports Opened During Horizon Connection Server Installation (continued)

Protocol Ports Horizon Connection Server Instance Type

JMSIR TCP 4101 Standard and replica

AJP13 TCP 8009 Standard and replica

HTTP TCP 80 Standard, replica

HTTPS TCP 443 Standard, replica

PCoIP TCP 4172 in; Standard, replica

UDP 4172 both
directions

HTTPS TCP 8443 Standard, replica

UDP 8443 After the initial connection to VMware Horizon 8 is made, the Web browser or
client device connects to the Blast Secure Gateway on TCP port 8443. The Blast
Secure Gateway must be enabled on a Connection Server instance to allow this
second connection to take place.

HTTPS TCP 8472 Standard and replica

For the Cloud Pod Architecture feature: used for inter-pod communication.

HTTP TCP 22389 Standard and replica

For the Cloud Pod Architecture feature: used for global LDAP replication.

HTTPS TCP 22636 Standard and replica

For the Cloud Pod Architecture feature: used for secure global LDAP replication.

Firewall Rules for Horizon Agent

To open the default network ports, the Horizon Agent installer optionally configures Windows
firewall rules on virtual desktops and RDS hosts.

The Horizon Agent installer configures the local firewall rule for inbound RDP connections to
match the current RDP port of the host operating system, which is typically 3389.

If you instruct the Horizon Agent installer not to enable Remote Desktop support, it does not
open ports 3389 and 32111 and you must open these ports manually.

If you change the RDP port number after installation, you must change the associated firewall
rules. If you change a default port after installation, you must manually reconfigure the firewall
rules to allow access on the updated port. For more information, see the Horizon 8 Installation
and Upgrade document.
On RDS hosts, the Windows firewall rules for Horizon Agent show a block of 256 contiguous UDP
ports as open for inbound traffic. This block of ports is for VMware Blast internal use in Horizon
Agent. A special Microsoft-signed driver on RDS hosts blocks inbound traffic to these ports from
external sources. This driver causes the Windows firewall to treat the ports as closed.

VMware by Broadcom 83
Horizon Overview and Deployment Planning

If you use a virtual machine template as a desktop source, firewall exceptions carry over to
deployed desktops only if the template is a member of the desktop domain. You can use
Microsoft group policy settings to manage local firewall exceptions. For more information, see
Microsoft Knowledge Base (KB) article 875357.

The following table lists the TCP and UDP ports that are opened during Horizon Agent
installation. Ports are incoming unless otherwise noted.

Table 7-3. TCP and UDP Ports Opened During Horizon Agent Installation

Protocol Ports

RDP TCP port 3389

USB redirection and time zone synchronization TCP port 32111

Multimedia redirection (MMR) and client drive redirection TCP port 9427
(CDR) The following features use this port:
n Windows multimedia redirection
n Client drive redirection
n Microsoft Teams optimization
n HTML multimedia redirection
n VMware printer redirection
n USB redirection

PCoIP For RDS hosts, PCoIP uses TCP port 4172 and UDP port
4172 (bidirectional).
For virtual desktops, PCoIP uses port numbers selected
from a configurable range. By default, PCoIP uses TCP
ports 4172 to 4173 and UDP ports 4172 to 4182. The
firewall rules do not specify port numbers. Instead, they
dynamically follow the ports opened by each PCoIP
server. The selected port numbers are communicated to
the client through the connection broker instance.

VMware Blast TCP port 22443

UDP port 22443 (bidirectional)

HTML Access TCP port 22443

Firewall Rules for Active Directory

If you have a firewall between your VMware Horizon 8 environment and your Active Directory
server, you must make sure that all of the necessary ports are opened.

For example, the connection broker must be able to access the Active Directory Global Catalog
and Lightweight Directory Access Protocol (LDAP) servers. If the Global Catalog and LDAP
ports are blocked by your firewall software, administrators will have problems configuring user
entitlements.

See the Microsoft documentation for your Active Directory server version for information about
the ports that must be opened for Active Directory to function correctly through a firewall.

VMware by Broadcom 84

Horizon Architecture Planning
No ratings yet
Horizon Architecture Planning
79 pages
Horizon Architecture Planning PDF
No ratings yet
Horizon Architecture Planning PDF
113 pages
Horizon Architecture Planning
No ratings yet
Horizon Architecture Planning
113 pages
Horizon Arch Planning
No ratings yet
Horizon Arch Planning
114 pages
VMware Horizon Customer Presentation
No ratings yet
VMware Horizon Customer Presentation
39 pages
VMware Horizon: Secure VDI & App Delivery
No ratings yet
VMware Horizon: Secure VDI & App Delivery
15 pages
Quick Start Tutorial For VMware Horizon 8 0
No ratings yet
Quick Start Tutorial For VMware Horizon 8 0
63 pages
View Architecture Planning: Vmware Horizon 7
No ratings yet
View Architecture Planning: Vmware Horizon 7
104 pages
VMW Horizon6 Whatsnew Solution Brief
No ratings yet
VMW Horizon6 Whatsnew Solution Brief
3 pages
EDU - DATASHEET Horizon 8 Deploy and Manage7
No ratings yet
EDU - DATASHEET Horizon 8 Deploy and Manage7
4 pages
Vmware Horizon Cloud With On Premises Infra Datasheet
No ratings yet
Vmware Horizon Cloud With On Premises Infra Datasheet
3 pages
Vmware Horizon 7 What'S New: Desktop and App Virtualization Reimagined
No ratings yet
Vmware Horizon 7 What'S New: Desktop and App Virtualization Reimagined
4 pages
2025-01-23 VMware Horizon Pricing, Packaging, and Licensing - Licenseware
No ratings yet
2025-01-23 VMware Horizon Pricing, Packaging, and Licensing - Licenseware
4 pages
Vmware Horizon Perpetual Feature Comparison
No ratings yet
Vmware Horizon Perpetual Feature Comparison
3 pages
Vmware Horizon 7 Datasheet
No ratings yet
Vmware Horizon 7 Datasheet
7 pages
ADV1084BU
No ratings yet
ADV1084BU
39 pages
VMWare Horizon
No ratings yet
VMWare Horizon
7 pages
VMware Horizon DaaS Datasheet
100% (1)
VMware Horizon DaaS Datasheet
2 pages
VMware Cloud Horizon
No ratings yet
VMware Cloud Horizon
50 pages
Datasheet Horizon 7
No ratings yet
Datasheet Horizon 7
6 pages
VMware Horizon Client
No ratings yet
VMware Horizon Client
98 pages
VMware View Pricing Licensing and Upgrading White Paper
No ratings yet
VMware View Pricing Licensing and Upgrading White Paper
10 pages
ADV1045BU
No ratings yet
ADV1045BU
43 pages
ADV1111BU
No ratings yet
ADV1111BU
67 pages
VMware Horizon 8 Lab Guide
No ratings yet
VMware Horizon 8 Lab Guide
497 pages
Horizon View 60 Architecture Planning
No ratings yet
Horizon View 60 Architecture Planning
96 pages
Horizon Installation Upgrade - 2303
0% (1)
Horizon Installation Upgrade - 2303
177 pages
Horizon Client Windows User
No ratings yet
Horizon Client Windows User
61 pages
Vmware Horizon Pricing Packaging Guide
No ratings yet
Vmware Horizon Pricing Packaging Guide
32 pages
Vmware Horizon 6 Desktop Virtualization Solutions Second Edition Ryan Cartwright Download
No ratings yet
Vmware Horizon 6 Desktop Virtualization Solutions Second Edition Ryan Cartwright Download
85 pages
VMware Horizon 8 Cheat Sheet EN
No ratings yet
VMware Horizon 8 Cheat Sheet EN
6 pages
VMW Horizon On Microsoft Azure Vmware Solution
No ratings yet
VMW Horizon On Microsoft Azure Vmware Solution
2 pages
Virtual Desktops
No ratings yet
Virtual Desktops
297 pages
Vmware Horizon 6 Desktop Virtualization Solutions Second Edition Ryan Cartwright - Downloadable PDF 2025
No ratings yet
Vmware Horizon 6 Desktop Virtualization Solutions Second Edition Ryan Cartwright - Downloadable PDF 2025
52 pages
Horizon Security
No ratings yet
Horizon Security
92 pages
Horizon Client Windows Installation
No ratings yet
Horizon Client Windows Installation
154 pages
VMware Horizon - Deploy and Manage (V8.8) - Lecture Manual Publication PDF
100% (1)
VMware Horizon - Deploy and Manage (V8.8) - Lecture Manual Publication PDF
891 pages
VMware Horizon 7 Tech Deep Dive - PDF en
100% (2)
VMware Horizon 7 Tech Deep Dive - PDF en
73 pages
VMware View Pricing Licensing and Upgrading White Paper
No ratings yet
VMware View Pricing Licensing and Upgrading White Paper
10 pages
Vrealize Operations For Horizon Datasheet
No ratings yet
Vrealize Operations For Horizon Datasheet
2 pages
Desktop Infrastructure
No ratings yet
Desktop Infrastructure
7 pages
VMW VCP DTM Exam Guide
No ratings yet
VMW VCP DTM Exam Guide
5 pages
Step by Step Installing HorizonWP01
No ratings yet
Step by Step Installing HorizonWP01
18 pages
Horizon-Upgrades 2006
No ratings yet
Horizon-Upgrades 2006
43 pages
IE-Lab-VMware VDI V.01
No ratings yet
IE-Lab-VMware VDI V.01
82 pages
VMW Horizon Subscription Feature Comparison
No ratings yet
VMW Horizon Subscription Feature Comparison
4 pages
VMware Horizon Suite Vs Citrix Datasheet
No ratings yet
VMware Horizon Suite Vs Citrix Datasheet
2 pages
Horizon Installation
No ratings yet
Horizon Installation
169 pages
Citrix Virtual Apps & Desktops Vs VMware Horizon - Battlecard
No ratings yet
Citrix Virtual Apps & Desktops Vs VMware Horizon - Battlecard
4 pages
End-User-Computing - Apr 2014
No ratings yet
End-User-Computing - Apr 2014
20 pages
AST-0136206 VMware Dhawan
No ratings yet
AST-0136206 VMware Dhawan
1 page
Omnissa HZ Saas Matrix
No ratings yet
Omnissa HZ Saas Matrix
4 pages
Horizon Architecture Noindex
No ratings yet
Horizon Architecture Noindex
47 pages
Edu en HVDB8 Le4044
No ratings yet
Edu en HVDB8 Le4044
457 pages
VMware Horizon - Deploy and Manage (V8.8) - Lab Manual PDF
No ratings yet
VMware Horizon - Deploy and Manage (V8.8) - Lab Manual PDF
96 pages
Vmware Product Guide February 2024
No ratings yet
Vmware Product Guide February 2024
115 pages
Vmware Product Guide 15 Aug
No ratings yet
Vmware Product Guide 15 Aug
88 pages
Horizon Integration
No ratings yet
Horizon Integration
54 pages
Vsan 80 Planning Deployment Guide
No ratings yet
Vsan 80 Planning Deployment Guide
87 pages
Yemen Mikroubnt IP Address List
No ratings yet
Yemen Mikroubnt IP Address List
7 pages
RouterOS Log Alert Script
0% (1)
RouterOS Log Alert Script
1 page
Automated Backup
No ratings yet
Automated Backup
2 pages
Beep in Mikrotik
No ratings yet
Beep in Mikrotik
1 page
Informatica Admin Interview Questions
100% (5)
Informatica Admin Interview Questions
7 pages
Axxon Next SDK
No ratings yet
Axxon Next SDK
220 pages
Tib Amx BPM Install
No ratings yet
Tib Amx BPM Install
66 pages
Tenable Security Center-User Guide
No ratings yet
Tenable Security Center-User Guide
849 pages
SRX Juniper SEC
No ratings yet
SRX Juniper SEC
12 pages
Serv-U 15.1.5 Release Notes: Last Updated: 2/7/17
No ratings yet
Serv-U 15.1.5 Release Notes: Last Updated: 2/7/17
5 pages
How To Integrate Blackboard and Campus Solutions Using Oracle's SAIP
No ratings yet
How To Integrate Blackboard and Campus Solutions Using Oracle's SAIP
23 pages
Nexus Book PDF
100% (2)
Nexus Book PDF
446 pages
CloudByte ElastiStor Guide
No ratings yet
CloudByte ElastiStor Guide
313 pages
Number: C9510-418 Passing Score: 800 Time Limit: 120 Min File Version: 1
No ratings yet
Number: C9510-418 Passing Score: 800 Time Limit: 120 Min File Version: 1
39 pages
Dell Powerstore 500 DC Spec Sheet
No ratings yet
Dell Powerstore 500 DC Spec Sheet
8 pages
Iib 10
No ratings yet
Iib 10
2 pages
Infosphere Information Server Datastage: Troubleshoot Connection Error 80011
No ratings yet
Infosphere Information Server Datastage: Troubleshoot Connection Error 80011
17 pages
OpenText Directory Services 22.2.0 - Release Notes
No ratings yet
OpenText Directory Services 22.2.0 - Release Notes
35 pages
React LDAP
No ratings yet
React LDAP
4 pages
Bluecoat SGOSAdmin6.77 PDF
0% (1)
Bluecoat SGOSAdmin6.77 PDF
1,642 pages
CLCOR+v1.1+ (350 801) +Practice+Exam
No ratings yet
CLCOR+v1.1+ (350 801) +Practice+Exam
44 pages
Automation Commands for Admins
No ratings yet
Automation Commands for Admins
37 pages
Diff Between 10g and 11g
No ratings yet
Diff Between 10g and 11g
12 pages
86A186FS03-Getting Started
No ratings yet
86A186FS03-Getting Started
62 pages
WorksoftCertifyDeveloper CertificationExam StudyGuide 12-16
No ratings yet
WorksoftCertifyDeveloper CertificationExam StudyGuide 12-16
108 pages
GitHub Provider Resource Guide
No ratings yet
GitHub Provider Resource Guide
35 pages
SAP IdM Strategy for GSK ERP
No ratings yet
SAP IdM Strategy for GSK ERP
26 pages
3573 Im 20221221
No ratings yet
3573 Im 20221221
146 pages
BPM v4 EN
No ratings yet
BPM v4 EN
32 pages
Stoneos Webui Guide - Cloudedge: Version 5.5R8
No ratings yet
Stoneos Webui Guide - Cloudedge: Version 5.5R8
1,175 pages
Information About The Identity Firewall
No ratings yet
Information About The Identity Firewall
28 pages
QUEST Training for SLB Personnel
33% (3)
QUEST Training for SLB Personnel
78 pages
FortiMail Email Filtering Course
No ratings yet
FortiMail Email Filtering Course
7 pages
Nutanix Files User Guide
No ratings yet
Nutanix Files User Guide
70 pages