Read on:
VMware Horizon Series: Introduction to VMware Horizon: Part 1
As we learned in the last post, VMware Horizon is a virtual desktop infrastructure platform that provides secure access to virtualized desktops and applications from any device.
A basic setup consists of only a few components to be installed. However, as with any solution you put in place, it is very important to prepare your environment before you start building. The better the preparation, the easier it will be to build on top.
These preparational steps are what will be discussed in this post.
General
In this article I will discuss the different components you should have prepared to install and configure a basic on-prem VMware Horizon environment.
The basic on-prem VMware Horizon environment I will discuss in this series consists of:
- 1 VMware vSphere Environment (vCenter Server + ESXi hosts)
- 1 VMware Unified Access Gateway Server
- 1 VMware Horizon Connection Server
- 1 File Server to store User profile information and Dynamic Environment Manager configuration
- 1 VMware App Volumes Server
Preparation Steps
VMware vSphere environment
VMware Horizon requires a VMware vSphere environment:
- VMware vCenter server is used to create and manage Instant Clone Virtual Desktop pools or Full Virtual Machine desktop pools
- VMware ESXi servers are used to host the Virtual Desktops and/or RDS hosts.
The VMware vSphere environment can be dedicated for the VDI environment or can be mixed with your normal (non-VDI related) server workloads.
If you use a dedicated VMware vSphere environment for the VDI environment, it is not required to buy separate licenses for VMware vCenter and ESXi hosts. The VMware Horizon license includes the necessary licenses for VMware vCenter and ESXi hosts, but these can only be used to manage and host VDI related Virtual Machines.
Whether a dedicated VMware vCenter Server and dedicated ESXi hosts for the VDI environment are advisable depends on the size of your environment and the server hardware you have available.
VMware Horizon License
Ensure that you have a VMware Horizon License key available as you will need this license key when you are configuring VMware Horizon. Sixty (60)-day evaluation licenses can be requested from https://customerconnect.vmware.com/en/evalcenter?p=horizon-eval-8
Naming Conventions
It is best practice to define a good naming convention for User/Service accounts, Security Groups, Virtual Machines, Horizon Desktop Pools etc.
The naming conventions I will use in this series are the following:
- VMware UAG Servers
- HZN-UAG-01
- HZN-UAG-02
- VMware Horizon Connection Servers
- HZN-CON-01
- HZN-CON-02
- VMware App Volumes Manager Server
- HZN-HAV-01
- HZN-HAV-02
- VMware Horizon Pool IDs
- HZN-Pool-01
- HZN-Pool-02
- VMware Horizon Virtual Desktops
- HZN-Pool-01-xxx
- The name must be 15 characters or fewer because of the NetBIOS computer-name limit
- xxx = a sequential numbering
- HZN-Pool-02-xxx
- VMware App Volumes Appstacks
- HAV_xxx
- xxx = a description of the applications contained in the Appstack
- Active Directory Service Accounts related to Horizon View and VMware App Volumes
- SVC_HZN
- SVC_HAV
- Active Directory Security Groups related to Horizon
- G_Admins_VMwareHorizon
- contains all user accounts with VMware Horizon administrator rights
- G_Admins_VMwareAppVolumes
- contains all user accounts with VMware App Volumes administrator rights
- G_HZN_VDI_Pool-01
- contains all users that are entitled to pool VDI_Pool-01
- G_HAV_xxx
- contains all users that will be assigned VMware Appstack HAV_xxx
Active Directory Service Accounts
Active Directory Service accounts are needed for both Horizon and VMware App Volumes. The required rights are the following:
VMware Horizon Service Account: SVC_HZN
- Add the Horizon Service Account to the Security Group “G_Admins_VMwareHorizon”
- Create a new role in VMware vCenter with the name “VMware Horizon Administrators” with the following permissions
- Cryptographic operations
- Clone
- Decrypt
- Direct Access
- Encrypt
- Manage KMS
- Migrate
- Register Host
- Datastore
- Allocate space
- Browse datastore
- Folder
- Create folder
- Delete folder
- Global
- Act as vCenter Server
- Disable methods
- Enable methods
- Manage custom attributes
- Set custom attribute
- Host
- In Configuration
- Advanced settings – Required to exchange initial pairing information with agents.
- In Inventory
- Modify Cluster – Required to tie Instant Clone parent VMs to specific hosts.
- Network
- Assign network
- Profile Driven Storage
- All – required if you are using vSAN datastores or Virtual Volumes
- Resource
- Assign virtual machine to resource pool
- Migrate powered on virtual machine
- Storage views
- Not required
- Virtual machine
- In Change Configuration (all)
- Acquire disk lease
- Add existing disk
- Add new disk
- Add or remove device
- Advanced configuration
- Change CPU count
- Change memory
- Change resource
- Change settings
- Change swapfile placement
- Configure Host USB device
- Configure managedBy
- Configure Raw device
- Display connection settings
- Extend virtual disk
- Modify device settings
- Query Fault Tolerance compatibility
- Query unowned files
- Reload from path
- Remove disk
- Rename
- Reset guest information
- Set annotation
- Toggle disk change tracking
- Toggle fork parent
- Upgrade virtual machine compatibility
- In Edit Inventory
- Create from existing
- Create new
- Move
- Register
- Remove
- Unregister
- In Interaction
- Connect devices
- Perform wipe or shrink operations
- Power off
- Power on
- Reset
- Suspend
- In Provisioning
- Allow disk access
- Clone template
- Clone Virtual Machine
- Customize
- Deploy template
- Read customization specifications
- In Snapshot management
- Create snapshot
- Remove snapshot
- Rename snapshot
- Revert snapshot
- Add the Active Directory Security group G_Admins_VMwareHorizon to the global vCenter role “VMware Horizon Administrators”
VMware App Volumes Service Account: SVC_HAV
- The VMware App Volumes Manager connects to Active Directory using the VMware App Volumes Service Account. The VMware App Volumes Service Account requires read-only access to Active Directory.
- Access to the VMware App Volumes Manager is restricted to the VMware App Volumes Administrators group. When you perform the initial configuration, you need to provide the name of the Active Directory security group that will have access to the VMware App Volumes Manager. For this purpose, add the VMware App Volumes Service Account to the Security Group “G_Admins_VMwareAppVolumes”
- To integrate VMware App Volumes with VMware vCenter, you need a service account within VMware vCenter with specific privileges. To do so, create a new role in VMware vCenter with the name “VMware App Volumes Administrators” with the following permissions.
- Cryptographic Operations
- Direct Access
- Note: This permission is required only when the virtual machine’s storage has encryption policies.
- Datastore
- Allocate space
- Browse datastore
- Low-level file operations
- Remove file
- Update virtual machine files
- Folder
- Create folder
- Delete folder
- Global
- Cancel task
- Host
- Create virtual machine
- Delete virtual machine
- Reconfigure virtual machine
- Resource
- Assign virtual machine to resource pool
- Sessions
- View and stop sessions
- Tasks
- Create task
- Virtual machine > Configuration
- Add existing disk
- Add new disk
- Add or remove device
- Change resource
- Query unowned files
- Remove disk
- Settings
- Advanced
- Interaction
- Power Off
- Power On
- Suspend
- Inventory
- Create from existing
- Create new
- Move
- Register
- Remove
- Unregister
- Provisioning
- Clone template
- Clone virtual machine
- Create template from virtual machine
- Customize
- Deploy template
- Remove
- Mark as template
- Mark as virtual machine
- Modify customization specifications
- Promote disks
- Read customization specifications
- Add the Active Directory Security group “G_Admins_VMwareAppVolumes” to the global vCenter role “VMware App Volumes Administrators”
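The two vCenter roles described above (the “VMware Horizon Administrators” role for SVC_HZN and the “VMware App Volumes Administrators” role for SVC_HAV) can be created from the privilege lists with VMware PowerCLI. The following script is an added example and is not code from the original post or from VMware. It assumes PowerCLI is installed and `Connect-VIServer` has already been run, and that the privilege display names are the ones quoted in the post; these names vary slightly between vSphere versions (the post's “Settings” and “Advanced” for App Volumes are the older names of “Change settings” and “Advanced configuration”, and the “Remove” the post lists under Provisioning has no counterpart in that group, so only the Inventory “Remove” is used), which is why an unresolved name only produces a warning that you can check against `Get-VIPrivilege`. The group prefixes (`Cryptographer`, `VirtualMachine.Config`, and so on) are the leading part of the vSphere privilege Ids, used here to disambiguate names such as “Remove” or “Rename”. The `CONTOSO\` domain prefix is a placeholder.

```powershell
# Added example (not from the original post): build the two least-privilege vCenter roles
# with PowerCLI and bind each to its AD admin group as a global (root, propagating) permission.
$AllPrivileges = Get-VIPrivilege   # fetched once; the full list is large

# Normalise a display name so "Power Off"/"Power off" and "Low-level"/"Low level" compare equal.
function ConvertTo-PrivilegeKey { param([string]$Name) ($Name -replace '[^A-Za-z0-9]', '').ToLowerInvariant() }

# Resolve one display name within one privilege-Id group ('*' = every privilege in the group).
function Resolve-HznPrivilege {
    param([string]$GroupId, [string]$Name)
    $inGroup = @($AllPrivileges | Where-Object { $_.Id -like "$GroupId.*" })
    if ($Name -eq '*') { return $inGroup }
    $key   = ConvertTo-PrivilegeKey $Name
    $found = @($inGroup | Where-Object { (ConvertTo-PrivilegeKey $_.Name) -eq $key })
    if ($found.Count -eq 0) { Write-Warning "No privilege '$Name' found under $GroupId (check Get-VIPrivilege)"; return @() }
    if ($found.Count -gt 1) { throw "Privilege name '$Name' is ambiguous under $GroupId" }
    $found
}

# Create (or extend) the role and grant it to the AD group at the vCenter root folder.
function New-HznVIRole {
    param([string]$RoleName, [hashtable]$PrivilegeMap, [string]$AdminGroup)
    $privs = foreach ($group in $PrivilegeMap.Keys) {
        foreach ($name in $PrivilegeMap[$group]) { Resolve-HznPrivilege -GroupId $group -Name $name }
    }
    $role = Get-VIRole -Name $RoleName -ErrorAction SilentlyContinue
    if ($role) { $role = Set-VIRole -Role $role -AddPrivilege $privs }
    else       { $role = New-VIRole -Name $RoleName -Privilege $privs }
    New-VIPermission -Entity (Get-Folder -NoRecursion) -Principal $AdminGroup -Role $role -Propagate:$true | Out-Null
    $role
}

# Privileges for SVC_HZN, as listed in the post (group prefix -> display names).
$HorizonPrivileges = @{
    'Cryptographer'               = 'Clone','Decrypt','Direct Access','Encrypt','Manage KMS','Migrate','Register Host'
    'Datastore'                   = 'Allocate space','Browse datastore'
    'Folder'                      = 'Create folder','Delete folder'
    'Global'                      = 'Act as vCenter Server','Disable methods','Enable methods','Manage custom attributes','Set custom attribute'
    'Host.Config'                 = 'Advanced settings'
    'Host.Inventory'              = 'Modify cluster'
    'Network'                     = 'Assign network'
    'StorageProfile'              = '*'   # Profile Driven Storage: only needed for vSAN or Virtual Volumes
    'Resource'                    = 'Assign virtual machine to resource pool','Migrate powered on virtual machine'
    'VirtualMachine.Config'       = @('Acquire disk lease','Add existing disk','Add new disk','Add or remove device',
        'Advanced configuration','Change CPU count','Change memory','Change resource','Change settings',
        'Change swapfile placement','Configure Host USB device','Configure managedBy','Configure Raw device',
        'Display connection settings','Extend virtual disk','Modify device settings','Query Fault Tolerance compatibility',
        'Query unowned files','Reload from path','Remove disk','Rename','Reset guest information','Set annotation',
        'Toggle disk change tracking','Toggle fork parent','Upgrade virtual machine compatibility')
    'VirtualMachine.Inventory'    = 'Create from existing','Create new','Move','Register','Remove','Unregister'
    'VirtualMachine.Interact'     = 'Connect devices','Perform wipe or shrink operations','Power off','Power on','Reset','Suspend'
    'VirtualMachine.Provisioning' = 'Allow disk access','Clone template','Clone virtual machine','Customize','Deploy template','Read customization specifications'
    'VirtualMachine.State'        = 'Create snapshot','Remove snapshot','Rename snapshot','Revert snapshot'
}

# Privileges for SVC_HAV, as listed in the post.
$AppVolumesPrivileges = @{
    'Cryptographer'               = 'Direct Access'   # only when the VM storage has encryption policies
    'Datastore'                   = 'Allocate space','Browse datastore','Low level file operations','Remove file','Update virtual machine files'
    'Folder'                      = 'Create folder','Delete folder'
    'Global'                      = 'Cancel task'
    'Host.Local'                  = 'Create virtual machine','Delete virtual machine','Reconfigure virtual machine'
    'Resource'                    = 'Assign virtual machine to resource pool'
    'Sessions'                    = 'View and stop sessions'
    'Task'                        = 'Create task'
    'VirtualMachine.Config'       = 'Add existing disk','Add new disk','Add or remove device','Change resource','Query unowned files','Remove disk','Change settings','Advanced configuration'
    'VirtualMachine.Interact'     = 'Power off','Power on','Suspend'
    'VirtualMachine.Inventory'    = 'Create from existing','Create new','Move','Register','Remove','Unregister'
    'VirtualMachine.Provisioning' = @('Clone template','Clone virtual machine','Create template from virtual machine','Customize',
        'Deploy template','Mark as template','Mark as virtual machine','Modify customization specifications',
        'Promote disks','Read customization specifications')
}

$hzn = New-HznVIRole -RoleName 'VMware Horizon Administrators'     -PrivilegeMap $HorizonPrivileges    -AdminGroup 'CONTOSO\G_Admins_VMwareHorizon'
$hav = New-HznVIRole -RoleName 'VMware App Volumes Administrators' -PrivilegeMap $AppVolumesPrivileges -AdminGroup 'CONTOSO\G_Admins_VMwareAppVolumes'
"{0}: {1} privileges" -f $hzn.Name, $hzn.PrivilegeList.Count
"{0}: {1} privileges" -f $hav.Name, $hav.PrivilegeList.Count
```

Resolving by group prefix rather than by bare display name matters because names like “Remove”, “Move” and “Rename” exist in several privilege groups; a bare `Get-VIPrivilege -Name 'Remove'` would pull all of them into the role and silently widen it beyond what the post specifies.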
Active Directory Organizational Units
You should create an organizational unit (OU) specifically for your VDIs.
This OU lets you apply group policies that control the VMware Horizon VDI-specific settings.
You should also create an organizational unit (OU) specifically for your end-user devices.
This OU lets you apply group policies that control the VMware Horizon View client settings.
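The Active Directory objects from the preceding sections (the SVC_HZN and SVC_HAV service accounts, the G_* security groups, the two OUs) can be created in one pass with the RSAT ActiveDirectory module, which also makes the naming convention easy to enforce. The script below is an added example, not code from the original post. It assumes the placeholder domain `contoso.local`, and the OU paths used for the service accounts and groups are placeholders to adapt to your own directory layout; the `Test-HznVmName` helper is mine and checks the post's `HZN-Pool-NN-xxx` desktop naming pattern against the 15-character NetBIOS limit.

```powershell
# Added example (not from the original post): create the Horizon/App Volumes AD objects
# with the post's naming convention. Placeholder domain and OU paths; adapt before use.
Import-Module ActiveDirectory

$DomainDN = 'DC=contoso,DC=local'                       # placeholder domain
$Paths = @{
    Vdi     = "OU=HZN-VDI,$DomainDN"                    # virtual desktops: target for the VDI GPOs
    Clients = "OU=HZN-Clients,$DomainDN"                # end-user devices: target for the Horizon Client GPOs
    Service = "OU=ServiceAccounts,$DomainDN"            # placeholder location for the SVC_* accounts
    Groups  = "OU=Groups,$DomainDN"                     # placeholder location for the G_* groups
}

# Desktop names follow HZN-Pool-NN-xxx: a two-digit pool number plus a three-digit
# sequence fills the 15-character NetBIOS computer-name limit exactly.
function Test-HznVmName {
    param([string]$Name)
    ($Name -match '^HZN-Pool-\d{2}-\d{3}$') -and ($Name.Length -le 15)
}

function New-HznOU {
    param([string]$DistinguishedName)
    if (-not (Get-ADOrganizationalUnit -Filter "DistinguishedName -eq '$DistinguishedName'")) {
        $name   = ($DistinguishedName -split ',', 2)[0] -replace '^OU='
        $parent = ($DistinguishedName -split ',', 2)[1]
        New-ADOrganizationalUnit -Name $name -Path $parent -ProtectedFromAccidentalDeletion $true
    }
}

function New-HznGroup {
    param([string]$Name, [string]$Description)
    if (-not (Get-ADGroup -Filter "Name -eq '$Name'")) {
        New-ADGroup -Name $Name -SamAccountName $Name -GroupScope Global -GroupCategory Security `
                    -Path $Paths.Groups -Description $Description
    }
}

function New-HznServiceAccount {
    param([string]$Name, [string]$Description, [string]$AdminGroup)
    if (-not (Get-ADUser -Filter "SamAccountName -eq '$Name'")) {
        $secret = Read-Host -AsSecureString "Initial password for $Name"
        New-ADUser -Name $Name -SamAccountName $Name -Path $Paths.Service -Description $Description `
                   -AccountPassword $secret -Enabled $true
    }
    # Membership in the admin group is the only right granted here.
    Add-ADGroupMember -Identity $AdminGroup -Members $Name
}

New-HznOU $Paths.Vdi
New-HznOU $Paths.Clients

New-HznGroup 'G_Admins_VMwareHorizon'    'Users with VMware Horizon administrator rights'
New-HznGroup 'G_Admins_VMwareAppVolumes' 'Users with VMware App Volumes administrator rights'
New-HznGroup 'G_HZN_VDI_Pool-01'         'Users entitled to desktop pool Pool-01'

# SVC_HAV only needs the read access a plain domain user already has in AD, so neither
# account receives anything beyond its admin-group membership.
New-HznServiceAccount 'SVC_HZN' 'VMware Horizon service account'     'G_Admins_VMwareHorizon'
New-HznServiceAccount 'SVC_HAV' 'VMware App Volumes service account' 'G_Admins_VMwareAppVolumes'

Test-HznVmName 'HZN-Pool-01-001'    # exactly 15 characters
Test-HznVmName 'HZN-Pool-01-1000'   # a four-digit sequence pushes the name to 16 characters
```

Every creation step is guarded by a lookup, so the script can be re-run safely after partial failures, and the service-account password is prompted for rather than embedded in the script.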
Active Directory Group Policies
Specific .admx and .adml files are available in the download sections of VMware Horizon, VMware App Volumes and VMware Dynamic Environment Manager on the VMware website. These should be downloaded and copied to the %systemroot%\policyDefinitions folder of your Active Directory Server. In later blog articles in this series, these will be discussed in more detail.
Firewall Configuration
The firewall requirements are very well documented on the VMware website in the following locations:
https://techzone.vmware.com/resource/network-ports-vmware-horizon
The easiest way to know which firewall ports should be opened is to look at the table in https://ports.esp.vmware.com/home/Horizon. Download the table as an MS Excel sheet and filter out the rows that do not apply to your environment.
Applying the following filters gives me an excellent overview of the required ports:
- Release column
- contains “8 2209”
- Note: the latest version 8 2212 is not yet available in the table, but the port requirements are the same as for version 8 2209
- Source
- filter out “Enrollment Server”, “Horizon Cloud Connector”, “Horizon Recording Agent”, “Horizon Recording Server” as these will not be used in this environment.
- Destination
- filter out “Active Directory”, “AD Certificate Services”, “AD Domain Controllers”, “Enrollment Server”, “Horizon Cloud Connector”, “Horizon Recording Server”, “PostgreSQL database”, “Radius”, “RSA SecurID Authentication Manager”, “VMware Cloud Services”
- Service Description
- Does not begin with: PCoIP
- Reason: Blast Extreme will be used as remoting protocol
- Does not begin with: RDP
- Reason: Blast Extreme will be used as remoting protocol
- Does not begin with “vRealize Operations for Horizon”
- Does not begin with “Cloud Pod Architecture”
- Does not contain “Oracle”
The above filtering gives you a smaller list of firewall ports to be opened.
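The same filters can be applied in PowerShell once the table has been exported as CSV, which makes the rule set repeatable when a new release column appears. The script below is an added example and not code from the original post. It assumes the export carries the column headers quoted above (Release, Source, Destination, Service Description); the Port and Protocol column names and the sample rows are constructed for the demonstration and may differ from the real export, so in practice replace the here-string with `Import-Csv .\horizon-ports.csv`.

```powershell
# Added example (not from the original post): apply the post's port-table filters to a CSV export.
function Select-HznPortRule {
    param([Parameter(ValueFromPipeline)]$Row)
    begin {
        $excludedSources      = 'Enrollment Server','Horizon Cloud Connector','Horizon Recording Agent','Horizon Recording Server'
        $excludedDestinations = 'Active Directory','AD Certificate Services','AD Domain Controllers','Enrollment Server',
                                'Horizon Cloud Connector','Horizon Recording Server','PostgreSQL database','Radius',
                                'RSA SecurID Authentication Manager','VMware Cloud Services'
        # Blast Extreme is the only remoting protocol in this design, so PCoIP and RDP rules are dropped.
        $excludedPrefixes     = 'PCoIP','RDP','vRealize Operations for Horizon','Cloud Pod Architecture'
    }
    process {
        $desc = [string]$Row.'Service Description'
        $startsExcluded = $excludedPrefixes | Where-Object { $desc.StartsWith($_, 'OrdinalIgnoreCase') }
        if ($Row.Release -like '*8 2209*' -and
            $Row.Source -notin $excludedSources -and
            $Row.Destination -notin $excludedDestinations -and
            -not $startsExcluded -and
            $desc -notlike '*Oracle*') { $Row }
    }
}

# Constructed sample rows standing in for the exported sheet; only the first and last survive the filters.
$sample = @'
Release,Source,Destination,Port,Protocol,Service Description
8 2209,Horizon Client,Unified Access Gateway,443,TCP,Blast Extreme via Unified Access Gateway
8 2209,Horizon Client,Unified Access Gateway,4172,TCP,PCoIP via Unified Access Gateway
8 2209,Enrollment Server,Connection Server,443,TCP,Enrollment Server to Connection Server
8 2209,Connection Server,Active Directory,389,TCP,LDAP lookups
8 2206,Horizon Client,Connection Server,443,TCP,Blast Extreme login
8 2209,Connection Server,App Volumes Manager,443,TCP,App Volumes Manager API
'@ | ConvertFrom-Csv

$sample | Select-HznPortRule | Format-Table Source, Destination, Port, Protocol, 'Service Description'
```

Keeping the exclusion lists in one function means the reviewed port list can be regenerated from a fresh export after each Horizon release instead of being re-filtered by hand in Excel.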
Microsoft KMS licenses
To activate Windows with volume activation, you use a Key Management Service (KMS), which requires a KMS license key.
However, since VMware Horizon 8 2212, Microsoft MAK licenses are supported with Instant Clones according to the release notes. I, however, did not find any VMware documentation on how this actually works or how it should be configured.
Microsoft SQL Server
Both the VMware Horizon Connection Server and the VMware App Volumes Manager require a database. This will be discussed in further detail in the upcoming posts.
SSL Certificate
An SSL certificate is advised to be used for VMware Unified Access Gateway, VMware Horizon Connection Server and VMware App Volumes. This will be discussed in further detail in the upcoming blog posts.
Wrapping up
Having all the above in place puts you in a comfortable position to start the next steps in building a basic VMware Horizon Virtual Infrastructure Environment. Stay tuned for the next article in this series which will discuss the installation and initial configuration of a VMware Horizon Connection Server.