adv1591be delivering virtual desktops and apps via or distribution · 2017-10-12 · johan van...
Post on 11-Jun-2020
Johan van Amersfoort & Stephane Padique
ADV1591BE
#VMWORLD #ADV1591BE
Delivering Virtual Desktops and Apps via the Digital Workspace with Workspace ONE and VMware Horizon
VMworld 2017 Content: Not for publication or distribution
Disclaimer
• This presentation may contain product features that are currently under development.
• This overview of new technology represents no commitment from VMware to deliver these features in any generally available product.
• Features are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind.
• Technical feasibility and market demand will affect final delivery.
• Pricing and packaging for any new technologies or features discussed or presented have not been determined.
2#ADV1591BE CONFIDENTIAL
Agenda
1 What is Workspace ONE?
2 Setting up Horizon with Workspace ONE
3 User experience and Demo
IT/it used to be simple..
Bridging Two Worlds
Client-Server Era
• Domain joined
• Network based security
• Managing devices
• OPEX heavy 1:150 ratio
• Slow
• Migration Projects
Mobile-Cloud Era
• Enrollment
• Identity based security
• Managing policies
• Massive scale 1:15 000 ratio
• Fast
• Continuous Delivery
Applications in the Enterprise
Universal Windows Apps
Bridging Two Worlds
Mobile-Cloud Era
Client-Server Era
[Diagram labels: Mirage, Horizon PCoIP, ThinApp, Horizon BLAST, UEM, App Volumes, Flex, Unified Access Gateway, Workspace ONE, AirWatch, VMware Identity Manager, Horizon Cloud]
VMware Empowers the Digital Workspace
You can’t transform business without a great user experience
You don’t need to compromise security to get there
Simple App Delivery Through a Unified Catalog
Web-based Mobile app
Better overall mobile user experience
Any app to any device
Agenda
1 What is Workspace ONE?
2 Setting up Horizon with Workspace ONE
3 User Experience and Demo
Simple Access to Apps & Desktops
Access to Horizon 7 and Horizon Cloud desktops from Workspace ONE / IDM
• Full support for Horizon 7.x
– Virtual Desktops
– Published Applications
– Horizon Cloud Pod Architecture
– Single Sign On & True SSO
• Support for Horizon Air / Cloud
– Horizon Cloud Hosted with WS1
– Horizon Cloud On-premises with IDM
– SSO to virtual desktops and apps
• Support for Citrix
– XenApp 5/6
– XenDesktop 7.x
Horizon Deployment Options
On Premises (Horizon 7)
• CAPEX Model
• Greater flexibility in desktop options
• Scalable to customer requirements
• Feature rich management
Horizon Cloud with On-premises Infrastructure
• Hybrid OPEX/CAPEX model
• Management infrastructure in the cloud
• On-premises virtual desktops & apps on hyper-converged infrastructure
• Minimal internal expertise required and easily scalable
Horizon Cloud with Hosted Infrastructure
• OPEX model of utility based pricing
• Scalability on demand
• Minimal internal expertise required
• Remote locations where building data center capacity is impossible
[Diagram labels: load balancers, connection brokers, Active Directory, management servers, compute servers running virtual desktops, SAN storage, customer IT environment, cloud provider, access points, virtual desktops & apps on hyper-converged infrastructure, control plane, mobile users, remote users, user app data, corp user devices, secure VPN]
Hosted Applications
[Diagram labels: RDS Farm, Connection Server, VMware Identity Manager, Horizon Client; flow label: Get Resources, Entitlements]
Horizon 7 Integration
End to End SSO with TrueSSO
Streamlined single sign on to Horizon via Workspace ONE
Horizon TrueSSO
• Users authenticate to VMware Identity Manager using a variety of credential options
• Once authenticated, users select Horizon desktop or hosted application
• No need to enter AD credentials or SmartCard
• Uses SAML to connect the Identity Provider’s (IdP) authentication with user’s UPN for access to AD credentials
• True SSO generates unique, short-lived certificate to manage Windows logon process
Horizon TrueSSO Benefits
• Separates Authentication (validating a user’s identity) from Access (user can use a Windows desktop or application)
• Enhanced security. User credentials are secured by digital certificate, no passwords are vaulted or transferred within the datacenter
• Supports a wide range of authentication methods – enterprises can select or change authentication protocols with limited impact to the infrastructure
Horizon TrueSSO Workflow
[Diagram with numbered steps 1 to 7; labels: VMware Identity Manager, Horizon Client, Horizon Broker, Virtual Desktop, AD, VMware Enrollment Service, Microsoft Certificate Authority]
Horizon TrueSSO Support & Requirements
• Horizon 7+ or Horizon Cloud (latest version)
• Horizon Enrollment Server
• Recent Horizon Client (v4+)
• Identity Manager
• On-Premises or SaaS (v2.9+)
• Joined to Active Directory Domain
• Enterprise Microsoft CA
• Custom CA templates for short lived certs
Horizon Client SP Init Flow – Access Policy Support in Horizon
Access Policy support for Horizon Applications
• Previously, SP Init launch was supported only for web applications like Socialcast, Salesforce, Office 365, Slack, etc.
• User experience was confusing or launch resulted in errors from Horizon client, file type association or other shortcuts
• Horizon Administrator enables “Workspace ONE mode” with server hostname
• Supported use cases:
– Users launch Horizon client and click on login (a.k.a. SP-Init workflow)
– Handling file type association (FTA) by Horizon View client
– Application Shortcut or URL launch
Limitations/Known Issues
• Supported as of Horizon 7.2
• Currently supports only browser-based flows; the Workspace ONE native client flow is not supported
• For any change in Workspace ONE mode configuration, the customer needs to remove the connection server from the server selector and clear the cache to see the change
Gotchas!
Horizon Metadata Expired
• https://kb.vmware.com/kb/2144331
– Change metadata expire period to 4-5 days
– Make sure VMware Identity Manager syncs Horizon Entitlements once per day
– Also mentioned in manual: http://pubs.vmware.com/horizon-7-view/index.jsp?topic=%2Fcom.vmware.horizon-view.administration.doc%2FGUID-3E170C23-097F-46D0-82BD-7CACFF04FC9A.html
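An added example (not from the presentation or from VMware documentation) of the check behind this gotcha: it reads the `validUntil` attribute of a SAML 2.0 metadata document and flags a validity window that would not survive missed Identity Manager syncs. The sample metadata, the one-day sync interval, the two-missed-syncs margin and the function names are constructed assumptions, as is the premise that the exported metadata carries `validUntil`.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed sample: a minimal SAML 2.0 EntityDescriptor, not real Horizon output.
SAMPLE_METADATA = """<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://horizon.example.test/broker"
    validUntil="2017-10-13T09:00:00Z">
  <md:SPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</md:EntityDescriptor>"""


def metadata_valid_until(xml_text):
    """Return validUntil of the root EntityDescriptor as an aware UTC datetime."""
    # Only parse metadata exported from your own server; for untrusted XML
    # use a hardened parser such as defusedxml instead of ElementTree.
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        raise ValueError("root element is not a SAML 2.0 EntityDescriptor")
    raw = root.get("validUntil")
    if raw is None:
        raise ValueError("metadata has no validUntil attribute")
    # Accept the UTC 'Z' form, with or without fractional seconds.
    raw = raw.rstrip("Z").split(".")[0]
    return datetime.strptime(raw, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def check_expiry(xml_text, now, sync_interval=timedelta(days=1), missed_syncs=2):
    """Return (status, remaining): 'expired', 'at-risk' or 'ok'.

    'at-risk' means the metadata would expire if `missed_syncs`
    consecutive syncs failed to refresh it.
    """
    remaining = metadata_valid_until(xml_text) - now
    if remaining <= timedelta(0):
        return "expired", remaining
    if remaining <= sync_interval * missed_syncs:
        return "at-risk", remaining
    return "ok", remaining


if __name__ == "__main__":
    at_sync = datetime(2017, 10, 12, 9, 0, tzinfo=timezone.utc)
    print(check_expiry(SAMPLE_METADATA, at_sync))  # one-day validity, daily sync
    five_days = SAMPLE_METADATA.replace("2017-10-13", "2017-10-17")
    print(check_expiry(five_days, at_sync))        # validity extended to five days
```

With one day of validity and a daily sync the sample is classified as at-risk; extending validity to five days, as the slide recommends, leaves room for missed syncs.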
Integrating Horizon Cloud Pod
Multiple Horizon instances with Workspace ONE
Horizon Cloud Pod Architecture Layout and Sync
[Diagram labels: Cloud Pod Federation; London Site / POD 1; Paris Site / POD 2; Home Site; AD Groups: Global Finance, London, Paris; Global Entitlement; IDM VA: SUSE Linux, Core, API, vPostgres, tcserver; Connector; Connector Sync Traffic]
Horizon Cloud Pod Architecture Local Configurations
Horizon Cloud Pod Architecture Global Configurations
Agenda
1 What is Workspace ONE?
2 Setting up Horizon with Workspace ONE
3 User Experience and Demo
DEMO
Horizon TrueSSO and Workspace ONE
Questions!