How the VMware Horizon Architecture has changed

Vembu's blog already has an article describing the VMware Horizon architecture. It does a solid job of explaining everything, but products change, and so has VMware Horizon. This post covers two significant changes in the VMware Horizon architecture and their pros and cons.


Linked Clones are gone, and so is the Composer

Organizations have used Linked Clones for many years as their automated desktop pool format. Instant Clones have been around for quite some time too, and essential features, like vGPU support, were implemented years ago, while others, like maintenance mode for desktops, have only been implemented recently.

Horizon 8.0 (2006) acts as a transition release: legacy components can still be used, but they must be migrated to their modern replacements before any future upgrade. In Horizon 8.1 (2012) they have been removed entirely, and upgrading to that version (or anything newer) is not possible while legacy components like the Composer or persistent disks are still present in your environment.


If you are still using Linked Clones and would like to know what your options are for a future-state environment, check out this guide by VMware, which outlines the different scenarios and their migration paths.

What are the benefits?

Instant Clones are now part of all license editions of VMware Horizon – In the past, this feature was only available to organizations with the Horizon Enterprise edition. Now every customer can make use of Instant Clones.

No more Composer server – The Composer was a single point of failure: it had to run on a dedicated Windows machine, with no option of making it highly available. Removing it also saves you resources, a SQL database, and (multiple) Windows licenses.

Instant Clones deploy faster – This does not apply to the initial deployment, but once the Template, Replica, and Parent (the Parent only when not using Smart Provisioning) have been created, subsequent virtual desktops are created a lot faster.

The downside is that customers need to adapt to using Instant Clones, which may require them to update their processes, and that takes time.

Goodbye Security Server, hello Unified Access Gateway!

Another component VMware said goodbye to is the Security Server, which was used to connect to virtual desktops from the “outside”. A Security Server would generally sit in the DMZ, as it was internet-facing, with only specific firewall ports open towards a Connection Server. It would tunnel connections to the virtual desktop after authentication and authorization had been handled by the Connection Server.

So does that mean we cannot offer secure connections to our end users anymore? No!

VMware introduced the Unified Access Gateway (UAG) a couple of years ago; you might know it by its original name, Access Point. The UAG is a hardened appliance based on VMware’s Photon OS, purpose-built to run several of VMware’s EUC solutions. For VMware Horizon, the UAG acts as a front for the Connection Server, but it can also be used for several Workspace ONE solutions, like VMware Tunnel.

The UAG is distributed as an OVF/OVA appliance and can be deployed manually through the vSphere client or with VMware’s PowerShell deployment script, which reads all appliance settings from an INI file (the admin UI can also export and import its settings as JSON). Keeping the configuration in a file gets an appliance up and running within minutes and, just as importantly, makes maintenance and upgrades repeatable: the same file redeploys a fresh appliance with identical settings.

Another important but sometimes unnoticed change is that things like MFA or SAML can be configured on the UAG itself. This adds security controls to your arsenal before traffic actually enters your internal network: a client that fails the second factor on the DMZ appliance never reaches a Connection Server at all.
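The scripted deployment and the MFA-on-the-edge point above, as an added example (this is not code from the original post or from VMware): a PowerShell wrapper that writes a deployment INI for one Horizon-facing UAG and hands it to VMware's uagdeploy.ps1, which ships alongside the UAG OVA. Every hostname, IP address, network, datastore, and thumbprint is a placeholder, and the INI key names are the ones I know from the UAG deployment documentation; verify them against the documentation for the UAG version you deploy.

```powershell
# Added example, not code from the original post or from VMware.
# Writes a deployment INI for a two-NIC Horizon UAG and runs VMware's
# uagdeploy.ps1 against it. All names, addresses and the thumbprint are
# placeholders; check INI key names against the docs for your UAG version.

$iniPath = Join-Path (Get-Location) 'uag-horizon-01.ini'

# Security-relevant choices captured in the INI:
#  - twonic: the Internet-facing NIC sits on the DMZ network, management and
#    backend traffic on an internal segment, so the admin UI (TCP 9443) is
#    never reachable from the Internet.
#  - sshEnabled=false and honorCipherOrder=true harden the appliance itself.
#  - proxyDestinationUrlThumbprints pins the Connection Server certificate, so
#    the UAG refuses to forward sessions to anything else answering on that URL.
#  - authMethods=radius-auth makes the UAG demand RADIUS two-factor auth before
#    any traffic is proxied to the Connection Server; matchWindowsUserName
#    forces the RADIUS user name to match the AD user name used afterwards.
#  - The literal PASSWORD in the target URI makes uagdeploy.ps1 prompt for the
#    vCenter password instead of storing it in the file.
$ini = @'
[General]
name=uag-horizon-01
source=C:\UAG\euc-unified-access-gateway.ova
target=vi://administrator@vsphere.local:PASSWORD@vcenter.example.internal/Datacenter/host/DMZ-Cluster
ds=DMZ-Datastore01
diskMode=thin
deploymentOption=twonic
netInternet=DMZ-External
netManagementNetwork=DMZ-Internal
netBackendNetwork=DMZ-Internal
ipMode0=STATICV4
ip0=203.0.113.10
netmask0=255.255.255.0
ipMode1=STATICV4
ip1=192.0.2.10
netmask1=255.255.255.0
defaultGateway=203.0.113.1
dns=192.0.2.53
sshEnabled=false
honorCipherOrder=true

[Horizon]
proxyDestinationUrl=https://horizon-cs.example.internal
proxyDestinationUrlThumbprints=sha1=00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33
blastEnabled=true
blastExternalUrl=https://desktops.example.com:8443
pcoipEnabled=true
pcoipExternalUrl=203.0.113.10:4172
tunnelEnabled=true
tunnelExternalUrl=https://desktops.example.com:443
authMethods=radius-auth
matchWindowsUserName=true

[RADIUSAuth]
hostName=radius.example.internal
authPort=1812
authType=PAP
displayName=RADIUS
numAttempts=3
serverTimeout=5
'@

Set-Content -Path $iniPath -Value $ini -Encoding ASCII

# The root password, admin UI password and RADIUS shared secret are deliberately
# absent from the INI; uagdeploy.ps1 prompts for the secrets it needs when they
# are not passed as parameters, so nothing sensitive lands in version control.
& .\uagdeploy.ps1 -iniFile $iniPath
```

Run the same INI against a newer OVA to upgrade: uagdeploy.ps1 powers off and removes the existing VM with that name before deploying the replacement, which is what makes "destroy and redeploy" a five-minute operation instead of a Windows patch cycle. On the DMZ firewall, only TCP 443, TCP 8443 and TCP/UDP 4172 need to reach 203.0.113.10 from the Internet, and the UAG itself only needs TCP 443 to the Connection Server plus the Blast (22443) and PCoIP (4172) ports to the desktops.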

Why should I care?

No more 1-to-1 pairing between Security Servers and Connection Servers – Each Security Server had to be paired with exactly one Connection Server, and that 1-to-1 relationship drastically increased the number of servers needed.

One (or more) Windows-based server(s) fewer in your DMZ – The Security Server was an internet-facing Windows server, which increased the attack surface of your Horizon infrastructure and of the entire environment.

The UAG is easier to maintain – The UAG doesn’t need a lot of maintenance. With a deployment strategy in place, upgrading is a matter of destroying and redeploying the VM, which shouldn’t take more than 5 minutes, whereas patching a Windows-based OS can take a lot longer.

As you can see in the image below, there is a separate Connection Server for external and internal users. This increases the number of components needed, which in turn increases resource and license consumption. In an environment at scale that incorporates something like N+1 to meet its availability requirements, the number of components adds up quickly.

[Image: VMware Horizon architecture with Security Servers paired to dedicated Connection Servers]

In the image below, a single Connection Server is fronted by a Unified Access Gateway. End users use the same Connection Server regardless of whether they are located externally or internally, allowing for a much simpler architecture.

[Image: VMware Horizon architecture with a Unified Access Gateway fronting a single Connection Server]

In closing

These are just two of my favorite changes VMware has made to VMware Horizon in the past years, making it a better, more scalable, and more secure solution than it was. Removing both the Composer and the Security Server allows environments to be more agile and makes it easier to design highly available infrastructures.

If you’d like to know more about these or other changes, check VMware’s TechZone for more information!
