
Page 1: Horizon Cloud on IBM Cloud 19.3 Deployment - VMware · Horizon Cloud Service with On-Premises Infrastructure VMware Horizon Cloud Service with on-premises infrastructure, not covered

Horizon Cloud on IBM Cloud 19.3 Deployment

VMware Horizon Cloud Service on IBM Cloud 19.3

VMware Horizon Cloud Service


You can find the most up-to-date technical documentation on the VMware website at:

https://docs.vmware.com/

If you have comments about this documentation, submit your feedback to

[email protected]

VMware, Inc.
3401 Hillview Ave.
Palo Alto, CA 94304
www.vmware.com

Copyright © 2019 VMware, Inc. All rights reserved. Copyright and trademark information.

Horizon Cloud on IBM Cloud 19.3 Deployment

VMware, Inc. 2


Contents

1 Introduction 5

2 About VMware Horizon Cloud Service on IBM Cloud 6
  What Is the VMware Horizon Cloud Service Family? 6
  Service Description 8
  System Architecture 8
  Understanding Zones 9
  Administering the Horizon Cloud Service Environment 10
  Managing Desktop and RDSH Server Images 10
  Connecting to Horizon Cloud Service Desktops and Applications 10
  Connecting to Corporate or Enterprise Resources 11

3 Choosing Strategic Network Options 12
  Before You Begin: Decisions and Responsibilities 12
  Your Decisions 13
  Your Responsibilities 13
  Prerequisites for Firewall and Ports 15
  Local Connections 16
  Remote Connections 17
  Endpoint Operating System Firewall Ports 17
  Bandwidth Considerations 18
  VPN and Direct Connect 19
  Understanding VPN 20
  Sending Traffic Through a Site-to-Site IPsec VPN 20
  IPsec VPN Parameters 21
  VPN Connectivity Options 22
  Understanding Direct Connect 28
  Areas of Ownership for Direct Connect Options 28
  Sending Traffic Through a Dedicated Connection or MPLS Direct Connect VPN 29
  Sending Traffic Through a Network Exchange 30
  Connecting Your Existing Rack in the Same Data Center 30
  Direct Connect Connectivity Options 30
  Direct Connect Setup 36
  Network Routing 36
  Split DNS 36
  Sample Tenant Network Architecture 37
  Additional Considerations 39
  Choosing Between Integrated and Isolated Active Directory 39
  Subnet Considerations 40
  Choosing Horizon Cloud Service User Portal and Administration Console Portal URLs 41

4 Meeting Active Directory Requirements 43
  Choosing an Existing or Isolated Active Directory 43
  Creating Service Accounts for Active Directory 44
  Creating Groups for Active Directory 44
  Creating a Unique Horizon Cloud Service OU for Active Directory 44
  Setting Up DHCP Scopes and Option Code 74 or Manually Configuring DaaS Agents 45

5 Creating Optimized Images 46
  Optimizing Your Desktop Images 46
  Deciding How Many Images You Need 46
  Using Traditional or Instant-Clone Images 47
  Creating Images for RDSH Servers 47
  Understanding Dedicated, Floating, and Session Desktops 48
  Choosing 3D Graphics Options 48
  Staggering Automatic Antivirus Updates 49

6 Managing Remote Applications 50

7 Image Management Strategies 51
  Profile Management 51
  Deciding What to Redirect 52
  Deciding How to Redirect 52
  Deciding Where to Redirect 52
  Patch Management 53
  Turning Off Automatic Update Features 53
  Testing Patches and Updates on Subset Pools 54
  Backup Strategies 54


1 Introduction

VMware Horizon® Cloud Service™ is a family of cloud services from VMware that enables the delivery of virtual desktops and applications to end users on any supported device. Horizon Cloud Service is available in two ways: as a VMware-hosted IBM Cloud infrastructure or hosted in your own on-premises infrastructure. In both scenarios, the management of the infrastructure is done by the Horizon Cloud Service application.

About This Document

This document focuses on VMware Horizon Cloud Service on IBM Cloud. It describes the most common issues that can arise during deployment and includes tips on how to avoid these issues in your own implementation. Although each environment is unique, the general considerations described here can assist you in most effectively deploying Horizon Cloud Service on IBM Cloud.

Intended Audience

This document is for IT decision-makers, architects, administrators, and others who want to familiarize themselves with, or are in the process of, a Horizon Cloud Service on IBM Cloud deployment. You should be familiar with Windows data center technologies, such as Active Directory, SQL, and Microsoft Management Console. You should also be familiar with cloud computing, site-to-site (S2S) VPNs, and Multi-Protocol Label Switching (MPLS) networks.


2 About VMware Horizon Cloud Service on IBM Cloud

This section provides an overview of Horizon Cloud Service on IBM Cloud.

This chapter includes the following topics:

• What Is the VMware Horizon Cloud Service Family?

• Service Description

• System Architecture

What Is the VMware Horizon Cloud Service Family?

Horizon Cloud Service delivers virtual desktops and applications using a purpose-built cloud platform that is scalable across multiple deployment options, including on-premises infrastructure or fully managed infrastructure from VMware. The service supports a cloud-scale architecture to deliver virtualized Windows desktops and applications to multiple devices, simplifying setup and scalability.


Figure 2-1. VMware Horizon Cloud Service Family

Horizon Cloud Service on IBM Cloud

Horizon Cloud Service on IBM Cloud simplifies the delivery of Windows desktops and applications as a cloud service while maintaining enterprise requirements for security and control. End users benefit from a complete workspace that they can access from a variety of device types from almost any location. Horizon Cloud Service on IBM Cloud also offers an on-demand, flexible desktop and application delivery platform that can grow or shrink based on the needs and demands of your business.


Horizon Cloud Service with On-Premises Infrastructure

VMware Horizon Cloud Service with on-premises infrastructure, not covered in this document, combines the economic benefits of the cloud with the simplicity of a hyper-converged infrastructure. Using this service, you have a central solution for delivery and management of on-premises virtual desktops and applications from the cloud.

Horizon Cloud Service Administration Console

The Horizon Cloud Service Administration Console provides full life-cycle management of desktops and Remote Desktop Session Host (RDSH) through a single, easy-to-use web-based console. Organizations can securely provision and manage desktop models and entitlements, as well as native and remote applications, through the centralized Horizon Cloud Service Administration Console. The Administration Console also provides usage and activity reports for various user, administrative, and capacity-management activities.

Service Models

Horizon Cloud Service packages come in standard sizes that can be configured to meet your performance requirements. You can mix and match the desktop reservation capacity as needed to fit your enterprise.

Service Description

The Service Description: VMware Horizon Cloud Service on IBM Cloud document details the components, definitions, and service capabilities. It includes information on licensing, management and user portals, service offerings, and features included in the Horizon Cloud Service on IBM Cloud platform. Review this document for more detailed information about the Horizon Cloud Service.

System Architecture

This topic provides an overview of the Horizon Cloud Service on IBM Cloud system.

Horizon Cloud Service on IBM Cloud consists of the following major components:

Image, also called image template
    A desktop or RDSH server image that can be used in a Horizon Cloud Service infrastructure to create desktop or application assignments. It is used as the base image from which virtual machines (VMs) are cloned.

VMware Horizon Client™
    Software-based client installed on a desktop, thin client, mobile device, or tablet that facilitates connectivity to Horizon Cloud Service–hosted desktops and applications.

Horizon Cloud Service tenant appliance
    A hardened Linux appliance that provides desktop and application brokering, provisioning, and entitlement services. It hosts the end-user and administrative portals.

Horizon Cloud Service–hosted virtual desktop
    A virtualized and optimized desktop that is hosted in Horizon Cloud Service. A virtual desktop supports a single connection, delivering a fully functional desktop to the end user. Horizon Cloud Service agents are installed on the virtual desktop to support a connection from the Horizon Client.

Horizon Cloud Service–hosted RDSH
    A server-based model for delivering applications and shared full desktops in Horizon Cloud Service using Microsoft Remote Desktop Services and VMware Horizon technology. Compared to a single connection for each virtual desktop, RDSH servers can support multiple desktop and application sessions from different users. Horizon Cloud Service agents are installed on the RDSH servers to support connections from the Horizon Client.

Desktop and services subnets
    Unique IP subnets that you assign to allow for desktop, application, and administrative connectivity. The Desktop Zone uses the desktop subnet for virtual desktops and RDSH servers. The Services Zone uses the services subnet for tenant appliances and other utility services.

Horizon Cloud Service User Portal
    A web-based portal offering users clientless access to Horizon Cloud Service desktops and applications using HTML5.

Horizon Cloud Service Administration Console
    The web-based portal used by IT administrators to provision and manage Horizon Cloud Service desktops and applications, resource entitlements, and images.

Edge Gateway
    A gateway that provides network edge security and gateway services to isolate security zones and virtualized networks along with NAT, DHCP, VPN, and a load balancer.

VMware Unified Access Gateway
    A hardened Linux appliance that allows for secure remote access into the Horizon Cloud Service environment and is part of the Security Zone (for external Horizon Cloud Service access) and the Services Zone (for internal Horizon Cloud Service access).

For additional terms and concepts, see the VMware Technical Publications Glossary online.

Understanding Zones

Horizon Cloud Service on IBM Cloud establishes zones that segregate the different resources based on their function. Horizon Cloud Service has three zones. Each zone is unique to each Horizon Cloud Service deployment and is not shared.

Security Zone
    A DMZ where the external Unified Access Gateway appliances reside. It facilitates secure remote access to the Horizon Cloud Service tenant environment.

Services Zone
    Where Horizon Cloud Service is hosted, including tenant appliances, utility servers, and internal Unified Access Gateway appliances.

Desktop Zone
    Zone that hosts the desktops and RDSH servers.


Administering the Horizon Cloud Service Environment

You can perform a variety of administrative tasks in Horizon Cloud Service.

• You can provision desktops and RDSH desktops and applications through the Horizon Cloud Service Administration Console.

• You can configure settings for two-factor authentication and Active Directory, manage desktop and application entitlements, deploy and update instant and traditional clone images, monitor and observe system and desktop health, and obtain usage and administrative task reports through the web interface.

For more information, see the Horizon Cloud Service on IBM Cloud Administration guide.

Managing Desktop and RDSH Server Images

To ensure the best possible user experience, have a properly optimized and configured desktop and RDSH image.

With Horizon Cloud Service, you can use your own image or an image provided by the VMware Horizon Cloud Service team.

• The image is uploaded to the tenant platform.

• You can complete the installation of applications, tune and optimize the image, make updates, and so on.

• When your image is ready, it is converted to an image template.

• You can use this image template for desktop and application assignments in Horizon Cloud Service.

When the image needs to be updated, you can either update an existing image template or upload a new image. To update deployed desktops and RDSH servers, you associate a new image with a desktop or remote application assignment. For more information, see Chapter 7 Image Management Strategies.

Connecting to Horizon Cloud Service Desktops and Applications

Horizon Cloud Service users can connect to desktops and applications from a mobile, tablet, thin, or traditional Mac or PC computing device, as well as from a web browser.

Users launch the Horizon Client and securely connect to the desktop or application through Unified Access Gateway. The user’s connection to the Unified Access Gateway can be through your corporate connection to Horizon Cloud Service or an Internet connection hosted by Horizon Cloud Service. After completing single- or two-factor authentication, the user sees a list of authorized applications and desktops. Clicking a resource connects the user using either the Blast Extreme or PCoIP display protocol.

For devices without Horizon Clients, or if you need quick access to your applications and desktops, you can connect to the Horizon Cloud Service User Portal through the same internal or Internet connection method using a web browser. After you securely log in, you have the option of launching desktops and applications using the VMware HTML5-based client.


Connecting to Corporate or Enterprise Resources

Horizon Cloud Service on IBM Cloud offers several methods of connecting to an existing data center or network with corporate or enterprise applications and data.

During the setup process, you can choose from different connection types and speeds, including VPN, Dedicated Connection, MPLS, or Network Exchange. You can also completely isolate your Horizon Cloud Service environment from the corporate network. When users request corporate resources from the virtual desktop or RDSH desktop or application, the network traffic traverses the preconfigured connection between the Horizon Cloud Service data center and your corporate data center.

Some resources, such as user profile or persona, are better served hosted in the Horizon Cloud Service tenant. A utility server, housed in the Services Zone, is a Windows-based server that provides resources for the services supporting the Horizon Cloud Service infrastructure. In addition to user profile and persona data, utility servers can also be configured to deliver Active Directory, VMware Dynamic Environment Manager™, DHCP, DNS, and File Services. Some services may require purchasing additional storage.

The diagram below shows a typical Horizon Cloud Service on IBM Cloud deployment with the network connections between end users, environment, and the Horizon Cloud Service. You can choose whether to allow end users to access their cloud-hosted virtual desktops through the Internet or only when they are on the corporate network.

Figure 2-2. Typical Horizon Cloud Service on IBM Cloud Deployment Model


3 Choosing Strategic Network Options

This section focuses on the network connectivity options available for Horizon Cloud Service on IBM Cloud and provides an overview of networking architecture and requirements. It contains the information necessary to obtain approval from your networking, security, and other infrastructure stakeholders during an implementation of Horizon Cloud Service on IBM Cloud.

• Examples use the fictional MYCOMPANY.

• Not all sections are necessarily applicable to your deployment. Optional sections are clearly marked. If you have questions about the specifics of your order, see your Horizon Cloud setup web form, or speak to VMware or a Value-Added Reseller for VMware.

This chapter includes the following topics:

• Before You Begin: Decisions and Responsibilities

• Prerequisites for Firewall and Ports

• Bandwidth Considerations

• VPN and Direct Connect

• Understanding VPN

• Understanding Direct Connect

• Split DNS

• Sample Tenant Network Architecture

• Additional Considerations

Before You Begin: Decisions and Responsibilities

A successful and expedient deployment depends on good communication between the teams participating in Horizon Cloud Service so that they work together in a well-integrated manner before, during, and after the kickoff.

There are several considerations to keep in mind when deciding what the best configuration options are for your deployment. Collaborate with multiple stakeholders and subject matter experts to find the best option.


Your Decisions

When planning a Horizon Cloud Service deployment, prepare to answer the following questions.

• Do I want to integrate the cloud-hosted desktops and hosted applications with my environment to use my existing directory, file, application, and print services?

• If yes, how do I want to direct my users’ Internet-bound desktop traffic?

  • Through the VMware data center?

  • Through my organization’s network?

• If yes, how much traffic must traverse the connection between my virtual desktops and hosted applications and my organization’s network to access those resources?

  • Is an IPsec VPN sufficient?

  • Or do I need a dedicated connection such as MPLS?

  • Do I need manual or automatic failover for my connection?

• If no, which infrastructure do I need to support my use case and where do I put it?

  • Do I need directory, file, and application services?

  • Can I put everything required in the Horizon Cloud Service tenant?

  • Or do I need an IaaS tenant?

• Do I want my employees to have access to their desktops from outside my organization’s network?

• If yes, do I want to use a custom URL or one provided by VMware?

  • Do I want to use desktop.mycompany.com?

  • Or do I want to use mycompany.horizon.vmware.com?

Note: For questions about desktop subnets and IP addresses, see Subnet Considerations.

Your Responsibilities

It is important to understand what your responsibilities include and which are shared between your teams and the VMware team. Deploying Horizon Cloud Service on IBM Cloud can be divided into several basic areas of responsibility, as shown in the table below.


Phase: Project Kickoff
  Your SMEs with VMware:
  • Meet (your lead and VMware lead)
  • Include desktop manager, desktop engineering, security, and network SMEs in your team
  • Review and discuss provisioning requirements
  • Collect information using the Horizon Cloud setup web form
  • Establish success criteria via the VMware-supplied template
  • Plan next steps

Phase: Capacity Order
  VMware:
  • Orders tenant capacity from data center infrastructure
  • Configures capacity for Horizon Cloud Service on IBM Cloud

Phase: Network Setup
  VMware:
  • Establishes VPN and Direct Connect configurations and access
  • Configures DHCP, DNS, VPN, and Direct Connect
  Your SMEs:
  • Configure DHCP, Active Directory, and DNS
  • Provide SSL certificates
  • Provide VPN and Direct Connect information

Phase: Tenant Setup
  VMware:
  • Sets up Horizon Cloud Service on IBM Cloud
  • Configures storage
  • Sets up the Unified Access Gateway
  • Installs tenant appliances
  • Sets standard desktop capacity

Phase: Network Interconnect
  VMware:
  • Installs SSL certificates
  Your SMEs with VMware:
  • Test and validate connectivity
  VMware:
  • Provides Horizon Cloud Service Administration Console URL
  • Provides starter image templates
  Your SMEs:
  • Perform Active Directory registration
  • Perform post-test (optional) and install your apps

Phase: Final Setup and Test
  Your SMEs:
  • Install applications into VMware-supplied starter image templates
  VMware:
  • Imports and moves starter image templates to tenant
  Your SMEs:
  • Create images
  • Create assignments
  • Assign test desktops and validate
  VMware:
  • Conducts knowledge transfer
  • Establishes support

Phase: Complete
  Your SMEs with VMware:
  • Agree that setup is complete
  • VMware provides advanced onboarding services (optional)
  • Verify that all success criteria are met

Your Responsibilities

Ensure that all required internal and external network traffic ports for the protocols are enabled (see Prerequisites for Firewall and Ports). You are also responsible for your organization’s side of the IPsec VPN tunnel, if you choose to deploy in that configuration. If you deploy a dedicated connection, MPLS, or Network Exchange, you are responsible for working with your preferred carrier or telecommunications provider to establish connectivity to the VMware data center.

VMware Responsibilities

Depending on the network connection option you select, VMware provides you with the information you need for success.

• IPsec VPN – VMware provides the information required to establish the IPsec tunnel and is responsible for the VMware side of the VPN IPsec tunnel configuration.

• Dedicated connection, MPLS, Network Exchange, or an existing rack – VMware configures the interconnect between the Network Service Provider and your networking equipment and your Horizon Cloud Service tenant in the VMware data center. You must purchase the Direct Connect with Cross Connect option or Direct Connect with Network Exchange option from VMware. For all connectivity types, VMware works with you to perform the necessary network tests to ensure a successful connection.

• Island tenant – If you deploy an island tenant without integration between VMware and your infrastructure, VMware provides a utility server to use as an Active Directory, DNS, and DHCP server. To function properly, cloud-hosted desktops require that an Active Directory Domain controller and supporting services be deployed in the tenant.

Prerequisites for Firewall and Ports

This section lists the ports to use for a successful connection to your Horizon Cloud Service environment. Open firewall ports include all remote connections going to or from the endpoint device, tenant appliance, and VMware Unified Access Gateway™.


You might need additional ports depending on your Active Directory design. Check with your Horizon Cloud Service representative to verify that this information is appropriate for your environment.

Local Connections

To successfully connect to Horizon Cloud Service, allow the ports listed in the table below across the IPsec VPN, Dedicated Connection, MPLS, Network Exchange, or existing rack.

Horizon Cloud Service -> Your Active Directory infrastructure
    Ports in use: TCP/389, UDP/389
    Authenticates users to the Horizon Client, the VMware Horizon Cloud Service User Portal, and the VMware Horizon Cloud Service Administration Console using LDAP or LDAP SASL GSSAPI for secure authentication. The configured user groups and their members are cached in the tenant infrastructure for performance purposes.

Horizon Cloud Service -> Your Active Directory infrastructure
    Ports in use: TCP/3268
    Performs Active Directory Global Catalog lookup and searches.

Horizon Cloud Service -> Your Active Directory infrastructure
    Ports in use: TCP/88, UDP/88
    Used for Kerberos authentication.

Horizon Cloud Service -> Your DNS
    Ports in use: TCP/53, UDP/53
    Used for DNS.

Horizon Cloud Service -> Your DHCP or DHCP relay server
    Ports in use: UDP/67, UDP/68
    Used for DHCP and DHCP relay.

Horizon Cloud Service -> RSA authentication manager
    Ports in use: UDP/5500
    Communicates with the RSA authentication manager when the tenant is using SecurID. The authentication manager can be located in a different data center from the tenant appliances. A high-availability authentication manager used for failover can also be located remotely.

Horizon Cloud Service -> Your RADIUS server
    Ports in use: UDP/1812, UDP/1813
    Communicates with RADIUS-based authentication when the tenant is using RADIUS.

Your Site and Endpoint Device -> Horizon Cloud Service
    Ports in use: TCP/8443, UDP/8443
    Used for Blast Extreme.

Your Site and Endpoint Device -> Horizon Cloud Service
    Ports in use: TCP/443, UDP/443
    Used for Blast Extreme.

Your Site and Endpoint Device -> Horizon Cloud Service
    Ports in use: TCP/4172, UDP/4172
    Used for PCoIP.

Your Site and Endpoint Device -> Horizon Cloud Service
    Ports in use: TCP/80, TCP/443
    Accesses the VMware Horizon Cloud Service User Portal and the VMware Horizon Cloud Service Administration Console. Also used by the native Horizon Client to initially connect to Horizon Cloud Service resources. If remote access is enabled, the User Portal must be publicly available. Port 80 redirects to port 443.

Your Site and Endpoint Device -> Horizon Cloud Service
    Ports in use: TCP/443
    Used for portal access within the Administration Console.

Remote Connections

For a successful connection to a virtual desktop or application from a public (Internet) location, allow the ports listed in the table below.

Your Site and Endpoint Device -> Horizon Cloud Service
    Ports in use: TCP/8443, UDP/8443
    Used for Blast Extreme.

Your Site and Endpoint Device -> Horizon Cloud Service
    Ports in use: TCP/443, UDP/443
    Used for Blast Extreme.

Your Site and Endpoint Device -> Horizon Cloud Service
    Ports in use: TCP/4172, UDP/4172
    Used for PCoIP.

Your Site and Endpoint Device -> Horizon Cloud Service
    Ports in use: TCP/80, TCP/443
    Accesses the VMware Horizon Cloud Service User Portal and the VMware Horizon Cloud Service Administration Console. Also used by the native Horizon Client to initially connect to Horizon Cloud Service resources. If remote access is enabled, the User Portal must be publicly available. Port 80 redirects to port 443.

Your Site and Endpoint Device -> Horizon Cloud Service
    Ports in use: TCP/443
    Used for portal access within the Administration Console.

Endpoint Operating System Firewall Ports

If you have an endpoint-based firewall solution, make sure that the ports listed in the table below are open on your virtual desktops or Remote Desktop Session Host (RDSH) servers for a successful connection.


Horizon Cloud Service -> Desktop or RDSH server
    Ports in use: TCP/22443, UDP/22443
    Used for Blast Extreme.

Horizon Cloud Service -> Desktop or RDSH server
    Ports in use: TCP/32111
    Used for USB.

Horizon Cloud Service -> Desktop or RDSH server
    Ports in use: TCP/9427
    Used for client drive redirection (CDR) and multimedia redirection (MMR).

Horizon Cloud Service -> Desktop or RDSH server
    Ports in use: TCP/4172, UDP/4172
    Used for PCoIP.
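The three port tables above are the checklist a network or security team signs off before cutover, and the common failure is a change request that allows a port on TCP only, or drops the Global Catalog port because "LDAP is already open". The script below is an added example, not VMware's documentation or tooling: it transcribes the Local Connections and Endpoint Operating System Firewall Ports rows into data (the Remote Connections table repeats the endpoint-to-service rows, so they are covered by the first table), expands multi-port cells, and reports which required flows a candidate allow-list is missing. The allow-list format (source, destination, protocol, port), the SAMPLE_ALLOWED policy and the `skip_purposes` parameter are constructed assumptions; `skip_purposes` lets you leave out the SecurID and RADIUS rows when the tenant uses neither authenticator, which is the one case where a "missing" row is not a gap.

```python
"""Gap check for the Horizon Cloud Service on IBM Cloud firewall port tables.

Added example, not VMware's code. The required flows are transcribed from the
Local Connections and Endpoint Operating System Firewall Ports tables; the
allow-list format and SAMPLE_ALLOWED policy are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One required flow: a single (protocol, port) from source to destination."""
    src: str
    dst: str
    proto: str   # "TCP" or "UDP"
    port: int
    purpose: str


def parse_ports(spec):
    """Expand a table cell such as 'TCP/389 UDP/389' or 'TCP/80, TCP/443'
    into a list of (proto, port) pairs; a malformed token is an error."""
    pairs = []
    for token in spec.replace(",", " ").split():
        proto, sep, port = token.partition("/")
        if sep != "/" or not port.isdigit():
            raise ValueError(f"bad port spec: {token!r}")
        pairs.append((proto.upper(), int(port)))
    return pairs


HCS = "Horizon Cloud Service"
AD = "Your Active Directory infrastructure"
ENDPOINT = "Your Site and Endpoint Device"

# Transcribed from the Local Connections table (the Remote Connections table
# repeats the endpoint -> Horizon Cloud Service rows, so they are covered here).
LOCAL_CONNECTIONS = [
    (HCS, AD, "TCP/389 UDP/389", "LDAP / LDAP SASL GSSAPI authentication"),
    (HCS, AD, "TCP/3268", "Global Catalog lookup"),
    (HCS, AD, "TCP/88 UDP/88", "Kerberos"),
    (HCS, "Your DNS", "TCP/53 UDP/53", "DNS"),
    (HCS, "Your DHCP or DHCP relay server", "UDP/67 UDP/68", "DHCP"),
    (HCS, "RSA authentication manager", "UDP/5500", "RSA SecurID"),
    (HCS, "Your RADIUS server", "UDP/1812 UDP/1813", "RADIUS"),
    (ENDPOINT, HCS, "TCP/8443 UDP/8443", "Blast Extreme"),
    (ENDPOINT, HCS, "TCP/443 UDP/443", "Blast Extreme"),
    (ENDPOINT, HCS, "TCP/4172 UDP/4172", "PCoIP"),
    (ENDPOINT, HCS, "TCP/80, TCP/443", "User Portal and Administration Console"),
]

# Transcribed from the Endpoint Operating System Firewall Ports table.
ENDPOINT_PORTS = [
    (HCS, "Desktop or RDSH server", "TCP/22443 UDP/22443", "Blast Extreme"),
    (HCS, "Desktop or RDSH server", "TCP/32111", "USB"),
    (HCS, "Desktop or RDSH server", "TCP/9427", "CDR and MMR"),
    (HCS, "Desktop or RDSH server", "TCP/4172 UDP/4172", "PCoIP"),
]


def required_flows(table, skip_purposes=()):
    """Expand a table into Flow objects, dropping rows whose purpose is not
    in use (for example SecurID or RADIUS when the tenant uses neither)."""
    flows = set()
    for src, dst, spec, purpose in table:
        if purpose in skip_purposes:
            continue
        for proto, port in parse_ports(spec):
            flows.add(Flow(src, dst, proto, port, purpose))
    return flows


def find_gaps(table, allowed, skip_purposes=()):
    """Return the required flows that `allowed` does not permit, sorted.

    `allowed` is a set of (src, dst, proto, port) tuples in the constructed
    allow-list format assumed by this example; protocol case is normalised."""
    allowed_norm = {(s, d, p.upper(), int(n)) for s, d, p, n in allowed}
    missing = [f for f in required_flows(table, skip_purposes)
               if (f.src, f.dst, f.proto, f.port) not in allowed_norm]
    return sorted(missing, key=lambda f: (f.src, f.dst, f.proto, f.port))


# Constructed sample allow-list: an AD-integrated tenant whose change request
# forgot the Global Catalog port and the UDP half of Kerberos.
SAMPLE_ALLOWED = {
    (HCS, AD, "tcp", 389), (HCS, AD, "udp", 389), (HCS, AD, "tcp", 88),
    (HCS, "Your DNS", "tcp", 53), (HCS, "Your DNS", "udp", 53),
    (HCS, "Your DHCP or DHCP relay server", "udp", 67),
    (HCS, "Your DHCP or DHCP relay server", "udp", 68),
    (ENDPOINT, HCS, "tcp", 8443), (ENDPOINT, HCS, "udp", 8443),
    (ENDPOINT, HCS, "tcp", 443), (ENDPOINT, HCS, "udp", 443),
    (ENDPOINT, HCS, "tcp", 4172), (ENDPOINT, HCS, "udp", 4172),
    (ENDPOINT, HCS, "tcp", 80),
}


if __name__ == "__main__":
    gaps = find_gaps(LOCAL_CONNECTIONS, SAMPLE_ALLOWED,
                     skip_purposes={"RSA SecurID", "RADIUS"})
    for f in gaps:
        print(f"MISSING {f.src} -> {f.dst} {f.proto}/{f.port} ({f.purpose})")
```

Run against the sample policy, the check reports the two forgotten flows (TCP/3268 and UDP/88); without `skip_purposes` it also lists the SecurID and RADIUS ports, which is the correct answer only when the tenant actually uses those authenticators. Feed it your real allow-list by translating each firewall rule into the same four-tuple form.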

Bandwidth Considerations

Challenges in providing a good user experience include latency, protocol choice, distance, bandwidth, and connection outages.

Consider the following elements when choosing your networking solution.

Requirements of your organization
    The needs of every organization are different. Assess your needs, such as the type of computing tasks and workloads expected, graphics intensity, user location, peripherals used, and average bandwidth usage of each type of user.

Bandwidth consumption
    Many elements can affect network bandwidth, including protocol choice, monitor resolution and configuration, and the amount of multimedia content in the workload. Concurrent launches of streamed applications can also cause usage spikes. Because the effects vary widely, many organizations monitor bandwidth consumption as part of a pilot project.

Traffic traversing the connection
    Consider the amount of traffic required for accessing your organization’s applications, file servers, and authentication.

CPU and RAM saturation
    Examine the physical network device used for the connection to Horizon Cloud Service to understand your current CPU and RAM saturation and available throughput. Older devices might not be able to simultaneously maintain high speeds, encryption, and multiple tunnels.

Bandwidth
    When deploying Horizon Cloud Service and leveraging Horizon Cloud Service–provided Internet connectivity, a specific amount of network bandwidth is guaranteed, called peak bandwidth, which is based on the number and model of desktops deployed. This is the bandwidth allotted as part of the connection to the Internet from the Horizon Cloud Service. For more information, see Service Description: VMware Horizon Cloud Service on IBM Cloud.

Network and application assessment
    To ensure a successful Horizon Cloud Service deployment, perform a thorough network and application assessment to determine the configuration to support the necessary bandwidth while meeting latency and packet loss requirements. Include all active application traffic across the end-to-end network to ensure that sufficient minimum bandwidth is available, even with network congestion.

Optimization controls available with PCoIP and Blast Extreme
    If you use the PCoIP or Blast Extreme display protocol from VMware, you can adjust several elements that affect bandwidth usage. For more information, see the PCoIP General Settings and VMware Blast Policy Settings sections in the VMware Horizon documentation.


VPN and Direct Connect

Before deploying Horizon Cloud Service, determine the type of network connection to implement.

The network connection delivers Horizon Cloud Service desktops and RDSH server access to applications and data in your data center and network. It also provides a path for users, both inside and outside your network, to connect to Horizon Cloud Service desktop and application resources. It is important to engage the necessary management and networking personnel with the appropriate skill sets to address the following considerations and efficiently facilitate the integration of Horizon Cloud Service with your environment.

The figure below shows the network access options using IPsec VPN and Direct Connect, which is either a dedicated connection, MPLS, Network Exchange, or your rack.

Figure 3-1. Access Strategies for a Horizon Cloud Service on IBM Cloud Deployment

Accessing Horizon Cloud Service from the Internet

Horizon Cloud Service supports direct Internet access to Horizon Cloud Service on IBM Cloud desktops and RDSH applications without passing through your organization's infrastructure first. This type of connection is particularly convenient for users working from home or other remote locations. The connection can be secured with RSA SecurID or RADIUS-compliant two-factor authentication solutions. Internet-based connections are part of the standard Horizon Cloud Service offering.


Choosing the Ideal Type of Network Connection

Consult the Horizon Cloud Service team when choosing between the two main connectivity options. The choice depends on a number of variables within your environment, including the number of desktops, RDSH servers, and the type of traffic occurring over the network connection, as follows:

- IPsec VPN: An IPsec VPN can be used for a variety of scenarios, although with a maximum bandwidth of 1 GB, VPN tends to be used in smaller implementations.

- Dedicated connection, MPLS, or Network Exchange: A dedicated connection, MPLS Direct Connect, or Network Exchange is usually recommended for large numbers of desktops and RDSH servers and for heavy use, such as multiple users accessing the platform simultaneously, accessing multiple applications, or performing large file transfers.

Note: Ease of troubleshooting differs between these two options. Troubleshooting an IPsec VPN can be challenging because an IPsec VPN runs over the public Internet. When troubleshooting a dedicated connection, MPLS Direct Connect, or Network Exchange, the circuit is yours from end to end, and you can call the provider to resolve issues.

Understanding VPN

Take VPNs, router hardware, and the IPsec configuration into account when setting up network connectivity to Horizon Cloud Service.

Sending Traffic Through a Site-to-Site IPsec VPN

Site-to-site IPsec VPNs connect separate networks to each other through the public Internet. For example, a branch office network can connect by site-to-site VPN to a headquarters network. Each site on the network is equipped with a VPN gateway, such as a router, firewall, VPN concentrator, or security appliance.

Setting up an IPsec VPN connection from a remote network to Horizon Cloud Service is the most common scenario, because of the relative simplicity and short amount of time necessary to establish the IPsec VPN tunnel. When using IPsec VPN, maximum bandwidth is approximately 1 Gbps because of the limitation of the Edge Gateway.

The site-to-site IPsec VPN tunnel includes logical and encrypted point-to-point connections between Horizon Cloud Service instances and your organization's site. These connections provide secure access to your organization's data center services, such as business applications, Active Directory, DNS, and DHCP servers. They also provide secure access for protocol traffic originating from your organization's networks.

When setting up an IPsec VPN connection from a remote network to Horizon Cloud Service, keep the following in mind:


Item | Description
Latency spikes | The IPsec VPN tunnel is built through the public Internet and is subject to congestion or other network-related problems common on public Internet connections that can increase latency. Latency spikes caused by the public Internet are beyond the control of both your enterprise and VMware.
Setup | When setting up IPsec VPNs, it is recommended that the VPNs be managed using router hardware for performance reasons. Setting up VPNs using a Windows server is not recommended. Multiple VPN connections are supported, although they must not have the same source and destination lists because the Edge Gateway cannot determine which IPsec tunnel to route traffic to.
Redundancy | Incorporating two IPsec VPNs for redundancy is an option, but bonding the VPNs is not supported. The first VPN is set as active, and the secondary VPN is disabled. Horizon Cloud Service does not provide automated failover for VPNs. If a failure occurs, the VPN must be manually failed over.
Horizon Cloud setup web form | During the VPN setup, you provide information in the Horizon Cloud setup web form, including your router vendor, router model, and endpoint IP address. VMware provides the endpoint IP address of your Horizon Cloud Service tenant, which is used in establishing the IPsec VPN tunnel. This IP address is provided during the deployment of the Horizon Cloud Service.
Subnets | You must provide which subnets are allowed across the VPN connection, commonly referred to as the Protected Networks list or source and destination lists. The list defines the internal networks that can traverse the VPN to access your virtual desktops and RDSH-hosted applications from within your network, along with what the virtual desktops and RDSH-hosted applications are able to access across the VPN for different services within your network.
Network routing | For VPN-based connections to Horizon Cloud Service, static routing is configured during the VPN peering process. If other network routing requirements arise, open a VMware support ticket to have the networks added.

IPsec VPN Parameters

The Horizon Cloud setup web form lists the required and optional IPsec VPN protocols and parameters if you choose to set up a site-to-site VPN between your network and the VMware data center.

For IPsec VPNs, Horizon Cloud Service uses Edge Gateway, a virtual appliance that provides additional security options and features. Edge Gateway supports Main mode for Phase 1 and Quick mode for Phase 2. For an explanation of these terms, consult your networking engineer or the VMware NSX Administration Guide.

The table below lists the protocols and parameters to use in each phase. You must set the same protocols and parameters for each phase on your network as in Horizon Cloud Service. For example, ISAKMP parameters are used for Phase 1, IKE parameters are used for Phase 2, and Oakley protocols are used for authentication as well as MODP Group 2. All parameters are required. In the upgrade to Edge Gateway, the Phase 2 Perfect Forward Secrecy (PFS) for rekeying is optional.

Protocols and Parameters | Phase 1 | Phase 2
Hash (SHA or MD5) | SHA1 | SHA1
Authentication mode | Main | Quick
Encryption | AES, AES256, Triple DES, AES-GCM | AES, AES256, Triple DES, AES-GCM
Diffie-Hellman Group (2, 5, 14, 15, or 16) | 2 | 2
Encapsulation (AH or ESP) | N/A | ESP
Lifetime | 28800 | 3600
Perfect Forward Secrecy | N/A | True

Requirements of shared secret: You can provide your own shared secret, or Horizon Cloud Service can generate a random shared secret to use on both sides.

- Between 32 and 128 characters

- At least 1 uppercase letter

- At least 1 lowercase letter

- At least 1 number

- No special characters

Note: Some IPsec VPN parameters, such as the Security Association (SA) lifetime timers, which define the lifetime that a given tunnel uses to encrypt data, cannot be changed in Edge Gateway. These parameters must be changed on the tenant equipment to match those in Edge Gateway. The deployment process includes two phases, and both Phase 1 and Phase 2 include SA lifetime timers. When the SA timer expires, it renegotiates authentication for both sides. However, Edge Gateway does not re-authenticate on traffic, it re-authenticates only on the lifetime timer. Therefore, if the timers are not set on the tenant side to match those on the Horizon Cloud Service side, they can cause problems in the VPN tunnel.
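The following is an added example, not VMware's code: it checks a tenant-side IPsec proposal against the fixed Edge Gateway Phase 1 and Phase 2 parameters from the table above (catching the SA lifetime mismatch the note warns about) and validates or generates a shared secret that meets the listed requirements. The dictionary layout, key names and the sample tenant proposal are constructed for this example.

```python
"""Added example (not VMware's code): compare a tenant-side IPsec proposal
with the Edge Gateway Phase 1 / Phase 2 parameters from the guide's table,
and validate or generate a shared secret that meets the listed requirements.
Dict layout, key names and the sample proposal are constructed."""
import re
import secrets
import string

# Edge Gateway side, as listed in the table. "encryption" is the set of ciphers
# the Edge Gateway accepts; the tenant equipment is configured with one of them.
CIPHERS = {"AES", "AES256", "Triple DES", "AES-GCM"}
EDGE_GATEWAY = {
    "phase1": {"hash": "SHA1", "mode": "Main", "encryption": CIPHERS,
               "dh_group": 2, "lifetime": 28800},
    "phase2": {"hash": "SHA1", "mode": "Quick", "encryption": CIPHERS,
               "dh_group": 2, "encapsulation": "ESP", "lifetime": 3600,
               "pfs": True},
}

# Phase 2 PFS is optional after the Edge Gateway upgrade, so a mismatch there
# is reported as a warning rather than an error.
OPTIONAL = {("phase2", "pfs")}


def check_proposal(tenant):
    """Return {"errors": [...], "warnings": [...]} for a tenant proposal.

    `tenant` uses the same layout as EDGE_GATEWAY, except that "encryption"
    holds the single cipher configured on the tenant equipment.
    """
    result = {"errors": [], "warnings": []}
    for phase, expected in EDGE_GATEWAY.items():
        got = tenant.get(phase, {})
        for key, want in expected.items():
            have = got.get(key)
            if key == "encryption":
                ok = have in want
                msg = f"{phase}.{key}: {have!r} not in {sorted(want)}"
            else:
                ok = have == want
                msg = f"{phase}.{key}: tenant={have!r} edge={want!r}"
            if ok:
                continue
            if (phase, key) in OPTIONAL:
                result["warnings"].append(msg + " (optional)")
            else:
                result["errors"].append(msg)
    return result


# Constructed sample: the Phase 1 lifetime was copied into Phase 2 by mistake,
# which is exactly the SA timer mismatch the note above warns about.
TENANT_SAMPLE = {
    "phase1": {"hash": "SHA1", "mode": "Main", "encryption": "AES256",
               "dh_group": 2, "lifetime": 28800},
    "phase2": {"hash": "SHA1", "mode": "Quick", "encryption": "AES256",
               "dh_group": 2, "encapsulation": "ESP", "lifetime": 28800,
               "pfs": False},
}

SECRET_MIN, SECRET_MAX = 32, 128


def secret_problems(secret):
    """List every way `secret` violates the shared-secret requirements."""
    problems = []
    if not SECRET_MIN <= len(secret) <= SECRET_MAX:
        problems.append(f"length {len(secret)} not between {SECRET_MIN} and {SECRET_MAX}")
    if not re.search(r"[A-Z]", secret):
        problems.append("no uppercase letter")
    if not re.search(r"[a-z]", secret):
        problems.append("no lowercase letter")
    if not re.search(r"[0-9]", secret):
        problems.append("no digit")
    if re.search(r"[^A-Za-z0-9]", secret):
        problems.append("special characters present")
    return problems


def generate_secret(length=64):
    """Generate a compliant shared secret using a CSPRNG (the secrets module)."""
    if not SECRET_MIN <= length <= SECRET_MAX:
        raise ValueError(f"length must be between {SECRET_MIN} and {SECRET_MAX}")
    alphabet = string.ascii_letters + string.digits
    while True:  # nearly always succeeds on the first draw; loop enforces policy
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not secret_problems(candidate):
            return candidate


if __name__ == "__main__":
    for level, msgs in check_proposal(TENANT_SAMPLE).items():
        for m in msgs:
            print(f"{level}: {m}")
    print("generated secret:", generate_secret())
```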

VPN Connectivity Options

You have several connectivity options to choose from when using a VPN to connect from your enterprise to Horizon Cloud Service.

One option, known as an island tenant, does not use a dedicated VPN or permanent connection to your enterprise. The other two options highlight the different routing configurations available for in-guest Internet and user traffic flow based on how you prefer to leverage the VPN connection. A key consideration in the process is choosing how Internet traffic is routed from Horizon Cloud Service desktops and applications: through an Internet connection provided by Horizon Cloud Service or through your own network.

Connectivity Option 1: Island Tenant (No VPN)

The fastest and easiest option for deploying Horizon Cloud Service is to set up an island tenant.

As shown in the diagram below, all protocol and in-guest traffic traverses through the Horizon Cloud Service gateway into the Horizon Cloud Service tenant. There is no connection between the customer network and the Horizon Cloud Service tenant. All desktop users, published applications, and RDSH servers connect through the Internet. For more information about possible use cases for island tenants, see Choosing Between Integrated and Isolated Active Directory.


Figure 3-2. Isolated Island Tenant Deployment Model


Connectivity Option 2: VPN Using the Horizon Cloud Service Internet Connection

The most common method of connectivity for Horizon Cloud Service deployments is to configure a VPN between your organization's network and your Horizon Cloud Service tenant. This method most closely resembles a branch office environment.

This option routes users' desktop Internet-bound traffic out through the Horizon Cloud Service gateway, while all in-guest traffic, such as desktop applications, authentication, DHCP, and DNS, traverses the VPN to your organization's network. You also have the option of allowing all users to connect through the Internet or allowing only local users to connect over the VPN while external users connect through the Internet into the Horizon Cloud Service desktops and RDSH servers.

As shown in the diagram below, protocol traffic for external users connecting to the desktops and RDSH servers also passes through the Horizon Cloud Service gateway to the Unified Access Gateway. The Unified Access Gateway acts as a secure proxy for your connection into the Horizon Cloud Service environment and proxies Horizon Cloud Service traffic to and from the Security Zone. Protocol traffic for users connecting from your organization's network can be configured to connect through the Internet or to traverse the VPN to reach the desktops and RDSH servers. Internal users also connect through Unified Access Gateways that are located in internal trusted zones.


Figure 3-3. VPN with Internet Traffic


Connectivity Option 3: VPN with Internet-Bound Traffic Through Your Organization's Gateway

This option routes all user Internet-bound and in-guest traffic across the VPN to your organization's network. You maintain the ability to allow all users to connect to Horizon Cloud Service through the Internet, over the VPN, or a combination of the two.

All in-guest traffic, such as desktop applications, authentication, DHCP, and DNS, as well as the Internet-bound desktop traffic, traverses the VPN and passes through your organization's gateway. The Internet-bound traffic can then be subjected to any web filtering that you have in place. Protocol traffic for external users who are connecting to the desktops and RDSH servers passes through the Horizon Cloud Service gateway, which provides access through the Internet.

As shown in the figure below, this option increases the traffic over the VPN, but provides the business advantage of enabling full visibility and control over user and desktop activity. This configuration provides additional options to ensure the highest levels of security and regulatory compliance.

Note: This option does not directly work when moving to a Direct Connect configuration. If you anticipate scaling past the available VPN bandwidth, consult your Horizon Cloud Service representative to fully understand your options and considerations.


Figure 3-4. VPN with Desktop Internet Through Your Organization’s Gateway


Understanding Direct Connect

Direct Connect allows you to set up an end-to-end private connection with your Horizon Cloud Service tenant through a dedicated connection, MPLS, Network Exchange, or your own networking equipment located in the same data center.

Horizon Cloud Service offers a 1 GB or 10 GB port when extending your data center and services, such as business applications, Active Directory, DNS, and DHCP servers, into Horizon Cloud Service. A Direct Connect gives you full control of the connection from your data center to the VMware data center by contract through your network service provider. The supported Direct Connect options are shown in the table below.

Option | Description
Direct Connect with Cross Connect - 1 GB or 10 GB | Direct Connect with Cross Connect is used with a dedicated connection, MPLS, or your own networking equipment located in the same data center.
Direct Connect with Network Exchange - 1 GB or 10 GB | Direct Connect with Network Exchange is used when connecting to a network or cloud exchange, such as Equinix Cloud Exchange.

Areas of Ownership for Direct Connect Options

As shown in the diagram below, the areas of ownership are divided in a typical Horizon Cloud Service on IBM Cloud deployment for Direct Connect options.

The Meet Me Room represents the point of demarcation where the outside connections come into the data center, such as an outside dedicated connection, MPLS line, or network exchange connecting with the Horizon Cloud Service network.


Figure 3-5. Areas of Ownership

Sending Traffic Through a Dedicated Connection or MPLS Direct Connect VPN

A dedicated connection or MPLS routes traffic within a telecommunications network as data travels from one network node to the next. Building an MPLS Direct Connect VPN tunnel has a higher cost than creating a site-to-site IPsec VPN connection, but provides some advantages.

MPLS Direct Connect circuits are not shared with others, as is done with connections routed over the Internet, so they are free of the interruptions that can occur on the public Internet. Direct Connect providers offer committed bandwidth and service-level agreements. The cost of the service depends on the options you choose and the amount of dedicated bandwidth you require.


Sending Traffic Through a Network Exchange

A network exchange, also known as a cloud exchange, is a service that connects your private network using your preferred network service provider with cloud service providers, such as Horizon Cloud Service, using secure, high-throughput, low-latency connections.

A network exchange usually has a lower cost than creating an MPLS Direct Connect VPN tunnel, and in most cases, can be activated within hours, reducing the overall time it takes to connect Horizon Cloud Service to your organization's site. Horizon Cloud Service offers Equinix Cloud Exchange as the network exchange option.

Connecting Your Existing Rack in the Same Data Center

If you already have IT resources and services that are collocated in the same data center as Horizon Cloud Service, you can connect your existing environment to your Horizon Cloud Service tenant.

Direct Connect Connectivity Options

You have several Direct Connect connectivity options to choose from, which provide additional bandwidth and control of your organization's corporate and user data flows based on your configuration.

Besides bandwidth requirements, a key consideration is choosing how Internet traffic is routed from Horizon Cloud Service desktops and applications: through an Internet connection provided by Horizon Cloud Service or over the Direct Connect to your own network. Work with your Horizon Cloud Service team to choose a Direct Connect option that best matches your organization's needs.

Direct Connect Option 1: Direct Connect Using the Horizon Cloud Service Internet Connection

Similar to VPN Option 2, this option routes Internet-bound desktop traffic to use the Horizon Cloud Service gateway and in-guest traffic using Direct Connect. This option is a good choice when you have a significant amount of in-guest application traffic using Direct Connect and you want to take advantage of the VMware Internet bandwidth provided with your tenant.

As shown in Figure 7, all in-guest traffic, such as desktop applications, authentication, DHCP, and DNS, traverses Direct Connect to your organization's network. Desktop and RDSH server traffic destined for the Internet is directed out the Horizon Cloud Service gateway.

Protocol traffic for external users connecting to the desktops and RDSH servers also passes through the Horizon Cloud Service gateway to the Unified Access Gateway. The Unified Access Gateway acts as a secure proxy for your connection into the Horizon Cloud Service environment and proxies Horizon Cloud Service traffic to and from the Security Zone. Protocol traffic for users connecting from your organization's network can be configured to connect through the Internet or to traverse Direct Connect to reach the desktops and RDSH servers. Internal users also connect through Unified Access Gateways that are located in internal trusted zones.


Figure 3-6. Connectivity Using the Horizon Cloud Service Internet Connection


Direct Connect Option 2: Direct Connect with Internet over Company-Owned Internet Gateway

This Direct Connect routing configuration is a good choice when you require all in-guest and Internet-bound desktop traffic to traverse Direct Connect through your company-owned Internet gateway, but also require users to be able to connect over the Internet. Desktop traffic destined for the Internet must be managed either using your provided proxy agent or through a group policy configuration because no desktop traffic traverses the VMware gateway.

As shown in the diagram below, external user protocol traffic flows through the Horizon Cloud Service gateway to provide access to desktops and applications, but all in-guest traffic and Internet-bound desktop traffic traverses Direct Connect to your organization's data center. This option provides the advantage of enabling full visibility and control over user and desktop activity. However, it can pose significant challenges with routing the protocol traffic coming in from the Internet by preventing users from connecting remotely to the environment. If you are considering this option, consult your Horizon Cloud Service representative to fully understand the considerations.


Figure 3-7. Connectivity Through Your Organization’s Internet Gateway


Direct Connect Option 3: No Internet Connectivity Through Horizon Cloud Service Gateway

In this option, routing is configured so that all connectivity to Horizon Cloud Service desktops is through Direct Connect, and no Internet connection is through the Horizon Cloud Service gateway. This option provides the advantage of enabling full visibility and control over all protocol, user, and desktop activity to ensure the highest levels of security and regulatory compliance. This option is suitable when you require all users to connect to Horizon Cloud Service through your organization's network.

As shown in the diagram below, this option disables the Horizon Cloud Service gateway, making it technically impossible for users to connect externally to Horizon Cloud Service through the Internet. All traffic (protocol, in-guest, and Internet-bound desktop traffic) traverses Direct Connect through your company-owned Internet gateway. Users must be on your organization's network or connected remotely through your organization's VPN to connect to Horizon Cloud Service. End users who are connected through your organization's VPN require the ports in the diagram below to be open across your organization's VPN. These ports are considered internal connections to Horizon Cloud Service.


Figure 3-8. No Internet Connectivity Through Horizon Cloud Service


Direct Connect Setup

This topic describes the process of setting up Direct Connect.

When setting up Direct Connect, work with your telecommunications provider to establish a connection to the Horizon Cloud Service data center and then connect to your Horizon Cloud Service tenant by establishing connectivity between the NSP router and your Edge Gateway. The Horizon Cloud Service team works with you to establish this connection. You must complete the VMware Direct Connect Collection form to establish connectivity. This form requests basic information, such as a network administrator contact, your telecommunications provider, connectivity type, and circuit ID.

When using Direct Connect, you must provide a network subnet with a minimum of two addresses (/30) to use between the carrier termination and Horizon Cloud Service and establish connectivity to your Edge Gateway.

You must also provide a Letter of Authorization - Customer Facility Request (LOA-CFA), which is usually from your telecommunications provider to VMware, to facilitate the connection of the Cross Connect or Network Exchange between the NSP router and the Horizon Cloud Service environment. The LOA-CFA usually provides the cabinet, patch panel, and a port number.

Horizon Cloud Service supports multiple Direct Connects, although load balancing the connections is not supported. Deploying redundant Direct Connect connections with automatic failover requires implementing the appropriate network routing. For more information, see Network Routing.

Network Routing

Horizon Cloud Service supports both static routing and dynamic routing, allowing traffic to pass between Horizon Cloud Service and your internal network segments.

Dynamic routing capabilities for Dedicated Connection, MPLS, or Network Exchange-based connections are offered using Border Gateway Protocol (BGP), a standardized exterior protocol for exchanging routing information between systems on the Internet. Dynamic routing via External BGP (eBGP), a BGP extension used for communication between autonomous systems, allows routing changes to be automatically propagated to Horizon Cloud Service. When eBGP is used with the proper path attributes, such as local path manipulation using local preference or weight, and remote path manipulation such as Multi-Exit Discriminator (MED), you can select which redundant link is active. The protocol also ensures that automatic failover between multiple dedicated connections, MPLS, or Network Exchange connections is supported. You are responsible for assigning the BGP autonomous system number to the Horizon Cloud Service router, which is usually a private number in the 65xxx range. Static routing is available if you cannot support BGP routing.
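The following is an added example, not VMware's or IBM's code: a small model of how the eBGP path attributes named above (local preference set on the Horizon Cloud side, MED signalled by the remote side) select which redundant Direct Connect circuit is active, and how withdrawal of that circuit fails traffic over to the other one. Circuit names, prefixes and the AS numbers (including 65010 as a placeholder in the private 65xxx range) are constructed.

```python
"""Added example (not VMware's or IBM's code): simplified eBGP best-path
selection over two redundant Direct Connect circuits, with failover when the
active circuit withdraws its routes. Names, prefixes and ASNs are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: str      # corporate destination, e.g. "10.20.0.0/16" (constructed)
    link: str        # circuit the route was learned over
    local_pref: int  # set locally on the Horizon Cloud router; higher wins
    as_path: tuple   # AS numbers the route traversed; shorter wins
    med: int         # Multi-Exit Discriminator sent by the neighbour; lower wins


def best_path(routes):
    """Pick the best route among candidates for one prefix (None if empty).

    Ordering follows the standard BGP decision steps that matter for a
    redundant-circuit setup: local preference, then AS path length, then MED.
    Assumption: all candidates come from the same provider AS, so their MEDs
    are comparable (BGP normally compares MED only per neighbouring AS).
    """
    if not routes:
        return None
    return max(routes, key=lambda r: (r.local_pref, -len(r.as_path), -r.med))


class HorizonCloudRouter:
    """Routes learned over each Direct Connect circuit, keyed by prefix."""

    def __init__(self, asn):
        self.asn = asn   # private ASN assigned by the customer (65xxx range)
        self.rib = {}    # prefix -> {link: Route}

    def learn(self, route):
        self.rib.setdefault(route.prefix, {})[route.link] = route

    def withdraw(self, link):
        """Simulate a circuit going down: drop every route learned over it."""
        for routes in self.rib.values():
            routes.pop(link, None)

    def active_link(self, prefix):
        """Circuit currently carrying traffic for `prefix`, or None."""
        best = best_path(list(self.rib.get(prefix, {}).values()))
        return best.link if best else None


def build_sample_router():
    """Constructed scenario: two circuits to the same provider AS 64512."""
    router = HorizonCloudRouter(asn=65010)
    corp = "10.20.0.0/16"
    # Primary circuit preferred through local preference; the provider also
    # marks it preferred with a lower MED.
    router.learn(Route(corp, "dc-primary", local_pref=200, as_path=(64512,), med=10))
    router.learn(Route(corp, "dc-secondary", local_pref=100, as_path=(64512,), med=50))
    return router


if __name__ == "__main__":
    router = build_sample_router()
    print("active:", router.active_link("10.20.0.0/16"))          # dc-primary
    router.withdraw("dc-primary")
    print("after failover:", router.active_link("10.20.0.0/16"))  # dc-secondary
```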

Split DNS

Split DNS is the preferred method of accessing your Horizon Cloud Service environment when users are connecting from inside and outside your network. Split DNS enables users on your local network to connect through the internal network to a private IP address, and external users can connect to a public IP address while using the same URL. This method simplifies end-user access by not having to use two URLs, one for internal and the other for external.


When setting up split DNS, create a new host (A Record) that points to the virtual IP of the internal Unified Access Gateways in a specific DNS forward lookup zone on your internal DNS servers. The DNS forward lookup zone is based on your current DNS configuration. If you have the same internal DNS name as you do externally, you create the A Record in the forward lookup zone. If you do not have the same internal DNS name as you do externally, or if you are using the Horizon Cloud Service URL, you create a DNS stub zone with forward lookup that matches the external fully qualified domain name. Then create the A Record in the forward lookup zone.

Sample Tenant Network Architecture

The figure below shows two options for network connectivity to Horizon Cloud Service: an island tenant with no VPN connectivity, and a tenant with VPN connectivity connecting to your on-premises data center.

The diagram below also introduces the Horizon Cloud Service tenant appliances and Unified Access Gateway appliances, along with utility servers.

Figure 3-9. Example of Tenant Network Architecture


Understanding Zones

Horizon Cloud Service on IBM Cloud establishes zones that segregate the different resources based on their function. Horizon Cloud Service has three zones. Each zone is unique to each Horizon Cloud Service deployment and is not shared.

Zone | Description
Security Zone | A demilitarized security zone (DMZ) where the external Unified Access Gateway appliances reside. It facilitates secure remote access to the Horizon Cloud Service tenant environment.
Services Zone | Where Horizon Cloud Service is hosted, including tenant appliances, utility servers, and internal Unified Access Gateway appliances.
Desktop Zone | Hosts the desktops and RDSH servers.

Horizon Cloud Service Appliances

The tenant appliance contains your Horizon Cloud Service Administration Console, Horizon Cloud Service User Portal, account configuration database and desktop mappings, and domain join information. The Unified Access Gateway appliance allows secure access for both internal and external connections to Horizon Cloud Service virtual desktops and RDSH-hosted applications. For redundancy and high availability, two of each appliance are deployed.

Appliance | Description
Tenant appliance | A hardened Linux appliance that provides desktop and application brokering, provisioning, and entitlement services. It hosts the end-user and administrative portals, which are part of the Services Zone, and communicates status information to the service provider.
Unified Access Gateway | A hardened Linux appliance that provides secure remote access into the Horizon Cloud Service environment. It is part of the Security Zone (for external Horizon Cloud Service access) and the Services Zone (for internal Horizon Cloud Service access).
Utility servers | By default, one utility server is provided for free and is optional unless noted in the service description. Utility servers can be Active Directory, DNS, DHCP, UEM, or file servers to collocate services in the Horizon Cloud Service tenant and are connected to your network (Services Zone).
Edge Gateway appliance | A gateway that provides network edge security and gateway services to isolate security zones and virtualized networks along with NAT, DHCP, VPN, and a load balancer.

Network SecurityHorizon Cloud Service uses an Edge Gateway appliance to manage the VPN and Direct Connectconnectivity, as well as any management traffic, in and out of the Horizon Cloud Service tenant where thedesktops, RDSH servers, and management appliances reside.

If you want additional buffering between the management appliances and your organization's networkenvironment, consider deploying a corporate-managed firewall policy as long as all required ports areenabled for internal and remote users and any applications or services that those users require.

Understanding Unified Access Gateway

VMware Unified Access Gateway (formerly VMware Access Point) is a hardened Linux virtual appliance that allows secure remote access to the Horizon Cloud Service environment. If your users use an external connection through the public Internet—whether the traffic is web-based or protocol-based—the traffic is sent to the external Unified Access Gateway. Unified Access Gateway acts as a secure proxy for your connection into the Horizon Cloud Service environment. The external Unified Access Gateway proxies Horizon Cloud Service traffic to and from the Security Zone. The Security Zone is a DMZ networking security construct that gives a segment of your organization’s network access to the outside but with strict rules regulating access to what is inside your network. For internal users connecting to the Horizon Cloud Service environment, traffic is sent to the internal Unified Access Gateway appliances located in the Services Zone.

Additional Considerations

The topics linked below provide information regarding some additional issues you may face in setting up your network environment.

Choosing Between Integrated and Isolated Active Directory

Although the Horizon Cloud Service platform relies on Active Directory, you are not required to integrate Horizon Cloud Service with your existing Active Directory environment. You can integrate your Active Directory into Horizon Cloud Service any time you choose. You have the option of using a separate, isolated Active Directory domain that is local to the Horizon Cloud Service desktops and applications.

Choosing an isolated domain is advantageous for the following use cases:

Use Case – Description

Technology proof of concept – For an organization to engage in a technology proof of concept without directly integrating your organization’s infrastructure. In a pilot domain, you can set up everything required to test and validate your use cases within a fully sandboxed environment.

Organizations with outsourced users – For a large organization that offloads development work to other countries and needs to provide employees with desktops without connecting directly into your organization’s infrastructure. In a pilot domain, you can set up everything those employees need within a fully sandboxed environment.

Organizations with seasonal users – For an organization that ramps up two or three times a year for a period of time without adding a large number of desktops in your organization’s Active Directory structure. You can use a separate pilot domain when you need it and discard it when the season is over.

Organizations with limited resources – For a smaller organization without much infrastructure, you can use a separate isolated domain to save the cost of building a primary directory services infrastructure.

See license considerations in the Horizon Cloud Service Level Agreement when implementing an island account.

Subnet Considerations

Your Horizon Cloud Service tenant contains multiple zones. For the Services Zone and the Desktop Zone, you must assign the networks to use. If you are integrating with your existing environment, those networks cannot already be in use.

The Services Zone hosts the Horizon Cloud Service, including tenant appliances, utility servers, and internal Unified Access Gateway appliances. It is recommended that you use a subnet that provides approximately 30 IP addresses (/27), although you determine if that is the appropriate number based on your requirements. This subnet cannot overlap existing networks in your network infrastructure.

The Desktop Zone is where all your desktops and RDSH servers are located. You define and assign a network to support the total number of desktops and RDSH servers that you need. It is recommended that you maintain extra address capacity in the subnet for desktop refreshes and maintenance. The subnet cannot overlap what is already in use on your network infrastructure.

When using Direct Connect options, you must provide a network with a minimum of two addresses (/30) to use between the carrier termination and VMware. For more information, see Understanding Direct Connect.

Protocol, In-Guest, and Internet-Bound Traffic

Understanding traffic flows associated with Horizon Cloud Service is key when choosing the type of network to implement, and it is an important step before deploying Horizon Cloud Service. Consider the protocol traffic generated by Horizon Clients and network traffic generated by applications and other services on Horizon Cloud Service desktops and RDSH servers.

Note At a minimum, site-to-site VPN, Dedicated Connection, MPLS, or Network Exchange is needed for Active Directory, DNS, DHCP, and NTP, except with island accounts. An island account has no connectivity to the tenant site, so all access into the system is from the public Internet. An island account is an implementation in which Horizon Cloud Service hosts basic Active Directory, DNS, DHCP, and NTP. When implementing an island account, see the license considerations in the Horizon Cloud Service Level Agreement Terms of Service Documents.

Protocol Traffic

Protocol traffic is the network traffic exchange between the virtual desktop and the endpoint using PCoIP, Blast Extreme, or Blast HTML5 access protocols. Screen images, keyboard and mouse movements, and USB and other device traffic travel between the endpoint and virtual desktop using the desired Horizon protocol. It is important to account for the protocol traffic to properly size your network connection to Horizon Cloud Service. Protocol traffic could be using the same network connection for other in-guest traffic, potentially impacting the end-user experience.

In-Guest Traffic

In-guest traffic is created when an application makes a network call to another application or IT service from within the virtual desktop or RDSH session. An example is when the browser launches from the desktop and reaches out to an internally hosted corporate website. In-guest traffic bound for internal IT resources is routed to the network connection back to the customer’s data center or network. Proper planning for the network connection back to the customer data center is important. In addition to ensuring ample bandwidth, you can specify alternate routes and connections back to data center resources to separate the protocol traffic and in-guest traffic.

Internet-Bound Traffic

A key step in the process is choosing how Internet traffic is routed from Horizon Cloud Service desktops and applications. You can leverage the Internet connection provided by Horizon Cloud Service or route all Internet-bound traffic through your own organization’s network. Determining how Internet-bound traffic is routed within the VMware data center depends on the routing option you choose for the default route (0.0.0.0/0).

DHCP

Ensure that the desktop subnet includes enough IP addresses to cover the number of desktops and RDSH servers that are provisioned, along with additional buffer for overlap.

For example, if you provide the /24 in CIDR format for the subnet, you get exactly 252 addresses. Adding additional subnets up front allows for seamless capacity expansion when it is needed.

Choosing Horizon Cloud Service User Portal and Administration Console Portal URLs

Users and administrators access the desktops, RDSH servers, and management functions through secured web-based portals. Both portals use the same URL; the Administration Console appends /horizonadmin to it, as shown in the example below.

Portal – Description – Sample URL

Horizon Cloud Service User Portal – A web-based portal offering end users clientless access to Horizon Cloud Service desktops and applications using HTML5 – https://desktop.virtualdesktopaccess.com

Horizon Cloud Service Administration Console – The web-based portal used by IT administrators to provision and manage Horizon Cloud Service desktops and applications, resource entitlements, and images – https://desktop.virtualdesktopaccess.com/horizonadmin

You can define the naming convention used for these portals.

Portal URL Option 1

This option is the most common for pilots because of its simplicity and ease of use. The DNS domain is owned and provided by VMware. You can also set up split DNS for internal access.

- https://companyname.horizon.vmware.com

- Uses the VMware *.horizon.vmware.com certificate

Portal URL Option 2

Option 2 includes two choices. It requires the owner of virtualdesktopaccess.com to provide an SSL certificate in an Apache2 format and to set up internal and public (if required) DNS records using split DNS.

- https://desktop.virtualdesktopaccess.com

- https://www.virtualdesktopaccess.com

Choice 1: If you have a site-to-site VPN or Direct Connect, you can choose whether to make the Horizon Cloud Service Administration Console accessible from the public Internet.

Choice 2: If you have an island tenant without a site-to-site VPN or Direct Connect, the Horizon Cloud Service User Portal and Administration Console must be accessible from the public Internet via the Unified Access Gateway.

4 Meeting Active Directory Requirements

It is important to set up your AD before deploying Horizon Cloud Service.

Consult your AD team early and often throughout the deployment process. Include representatives from your Active Directory team with proper Domain Admin permissions in the decision-making and deployment process, from the start. This enables everyone to ask questions, voice concerns, and address any issues early in the deployment. Topics that need to be considered are linked below.

This chapter includes the following topics:

- Choosing an Existing or Isolated Active Directory

- Creating Service Accounts for Active Directory

- Creating Groups for Active Directory

- Creating a Unique Horizon Cloud Service OU for Active Directory

- Setting Up DHCP Scopes and Option Code 74 or Manually Configuring DaaS Agents

Choosing an Existing or Isolated Active Directory

Although the Horizon Cloud Service platform relies on AD, you are not required to integrate Horizon Cloud Service with an existing AD environment. You can use a separate, isolated AD domain that is local to the Horizon Cloud Service desktops and applications service. You can request an isolated domain from the Horizon Cloud Service team.

Choosing a pilot domain is advantageous for the following use cases:

Use Case – Description

Companies with outsourced users – If your company offloads development work to other countries, you need to provide employees with desktops, but you might not want them connecting directly into your own infrastructure. In a pilot domain, you can set up everything those employees need in an isolated environment.

Companies with seasonal users – If your company has seasonal work that ramps up two or three times a year for a couple of months, you might not want to add a large number of desktops to your corporate AD structure. You can use a separate pilot domain when you need it and discard it when the season is over.

Companies with limited resources – If your company has limited infrastructure, you can use a separate isolated domain to save the cost of building a primary directory services infrastructure.

Creating Service Accounts for Active Directory

Two types of service accounts are required if you choose to integrate the Horizon Cloud Service environment with an existing Active Directory: domain bind and domain join.

- The domain bind account parses through your AD structure and pulls in all users designated for Horizon Cloud Service.

- The domain join account joins the virtual desktops and RDSH servers to the AD domain. For more information, see the Administration guide.

See the Horizon Cloud setup web form for examples.

Creating Groups for Active Directory

To effectively map users to desktops, applications, and tenant administration functions within the Horizon Cloud Service platform, it is prudent to create groups in AD for each type of role, function, and access.

Keep the following points in mind to maintain compatibility with the Horizon Cloud Service platform:

- Avoid nesting – Do not create nested groups to ensure efficient AD object lookups. User objects are the only members of a group.

- Avoid mixing – Do not mix members from multiple domains (child or trusted) in the same group.

- Create groups – Create separate groups for tenant administration, help desk support, testing and validation users, and production users. If multiple domains are configured for a Horizon Cloud Service tenant, IT administrators should create similar groups for tenant administration, help desk support, testing and validation users, and production users for each individual domain. Tenant administrators have access to the Horizon Cloud Service Administration Console. Testing, validation, and production user groups are used to provision access to Horizon Cloud Service desktops and applications.
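The three group rules above can be checked mechanically before onboarding. The following is an added example and not VMware's tooling; the HCS-* group names, the domain names and the directory snapshot are all constructed assumptions, and a real check would read group membership from the directory rather than from literals.

```python
"""Checks an Active Directory group layout against the compatibility rules in
this chapter: no nested groups (only user objects as members), no members
from other child or trusted domains, and the four role groups (tenant
administration, help desk, testing and validation, production) present for
every domain configured on the tenant.

Added example, not VMware tooling. Group names, domains and the snapshot
below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Assumption: one group per role, named with this convention in every domain.
ROLE_GROUPS = ("HCS-TenantAdmins", "HCS-HelpDesk", "HCS-TestUsers", "HCS-ProdUsers")


@dataclass(frozen=True)
class ADObject:
    name: str
    object_class: str  # "user" or "group"
    domain: str        # DNS name of the domain that holds the object


@dataclass(frozen=True)
class ADGroup:
    name: str
    domain: str
    members: Tuple[ADObject, ...]


def check_groups(groups: List[ADGroup], configured_domains: List[str]) -> List[str]:
    """Return the list of rule violations; an empty list means the layout is compatible."""
    problems: List[str] = []
    for group in groups:
        for member in group.members:
            # Avoid nesting: a group inside a group forces lookups to walk the tree.
            if member.object_class != "user":
                problems.append(
                    f"{group.domain}\\{group.name}: nested member {member.name} "
                    f"is a {member.object_class}, not a user")
            # Avoid mixing: every member must come from the group's own domain.
            if member.domain.lower() != group.domain.lower():
                problems.append(
                    f"{group.domain}\\{group.name}: member {member.name} "
                    f"belongs to {member.domain}")
    # Create groups: each configured domain needs its own full set of role groups.
    for domain in configured_domains:
        present = {g.name for g in groups if g.domain.lower() == domain.lower()}
        for role in ROLE_GROUPS:
            if role not in present:
                problems.append(f"{domain}: missing role group {role}")
    return problems


def user(name: str, domain: str) -> ADObject:
    return ADObject(name, "user", domain)


# Constructed snapshot 1: a single domain with a clean set of role groups.
CORP = "corp.example.com"
CLEAN_GROUPS = [
    ADGroup("HCS-TenantAdmins", CORP, (user("alice", CORP),)),
    ADGroup("HCS-HelpDesk", CORP, (user("bob", CORP),)),
    ADGroup("HCS-TestUsers", CORP, (user("carol", CORP), user("dan", CORP))),
    ADGroup("HCS-ProdUsers", CORP, (user("erin", CORP),)),
]

# Constructed snapshot 2: a child domain was added to the tenant and the
# rules were broken in three ways (nesting, mixing, incomplete role groups).
CHILD = "eu.corp.example.com"
BAD_GROUPS = [
    ADGroup("HCS-TenantAdmins", CORP, (user("alice", CORP),)),
    ADGroup("HCS-HelpDesk", CORP, (user("bob", CORP),)),
    ADGroup("HCS-TestUsers", CORP, (user("carol", CORP),)),
    ADGroup("HCS-ProdUsers", CORP, (
        ADObject("Sales", "group", CORP),  # an existing department group nested in
        user("frank", CHILD),              # a member from the child domain
    )),
    ADGroup("HCS-TenantAdmins", CHILD, (user("greta", CHILD),)),
    ADGroup("HCS-ProdUsers", CHILD, (user("hans", CHILD),)),  # help desk, test groups missing
]

if __name__ == "__main__":
    print("clean:", check_groups(CLEAN_GROUPS, [CORP]) or ["ok"])
    for problem in check_groups(BAD_GROUPS, [CORP, CHILD]):
        print("bad:  ", problem)
```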

Creating a Unique Horizon Cloud Service OU for Active Directory

You can implement a unique OU for computer accounts that are created by the Horizon Cloud Service platform.

A large company with thousands of OUs and groups can easily have hundreds of thousands of objects in its AD. The company could save deployment time by implementing a unique OU for computer accounts that are created by the Horizon Cloud Service platform. The unique OU avoids the need for Horizon Cloud Service to parse the entire AD for virtual desktop and RDSH server computer objects.

See the Horizon Cloud setup web form for a list of users, accounts, and permissions needed.

Setting Up DHCP Scopes and Option Code 74 or Manually Configuring DaaS Agents

You must provide the VMware Horizon Cloud Service team with a services subnet and a desktop subnet that are not being used inside your infrastructure, and those subnets must include enough IP addresses to cover the number of desktops or RDSH servers that are provisioned.

Setting Option Code 74 in the desktop subnet DHCP scope directs the desktops and RDSH servers to the tenant appliances. The VMware Horizon Cloud Service team provides the two IP addresses of the tenant appliances during the deployment process.

Be aware of the following issues:

- Failure to set Option Code 74 properly – If not done properly, the desktops and RDSH servers are unable to locate and register with the tenant appliances. End users are unable to access published desktop and application resources.

- Failure to provide a unique services and desktop subnet – Think of the services and desktop subnet as an extension of your local infrastructure, even though it is in the cloud. If you provide a subnet that is already in use, conflicts can occur, and network traffic might not properly flow between Horizon Cloud Service and your network.

- Failure to consider sizing – If you do not provide a desktop subnet with enough IP addresses to cover the targeted number of desktops and RDSH servers, you must set up another subnet to support the increased capacity. For example, if you provide the /24 in CIDR format for the subnet, you get exactly 252 addresses. Adding additional subnets upfront allows for seamless capacity expansion when needed.

If you cannot configure DHCP Option 74 due to network constraints or other reasons, you can manually configure the DaaS Agent to communicate to the tenant appliances. The VMware Horizon Cloud Service team provides the two IP addresses of the tenant appliances and manually configures the DaaS Agent using the monitor.ini file.
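The subnet, sizing and Option Code 74 requirements from this section, together with those from Subnet Considerations and DHCP above, can be validated in one pass before the values go to the VMware team. This is an added example, not VMware's tooling; the reserved-address count, the 20% growth buffer and every address in it are constructed assumptions.

```python
"""Planning checks for a Horizon Cloud on IBM Cloud tenant network.

Added example, not VMware's tooling. It encodes the guide's rules: the
Services Zone and Desktop Zone subnets must not overlap networks already in
use (or each other), the Services Zone should be at least a /27, the desktop
subnet must hold the planned desktops plus a buffer for refreshes, a Direct
Connect link needs at least a /30, and DHCP Option Code 74 in the desktop
scope carries the two tenant-appliance addresses, which live in the
Services Zone. Every address below is a constructed sample value.
"""
import ipaddress
import math
from dataclasses import dataclass
from typing import List, Optional

# Assumption: four addresses per subnet are unavailable to hosts (network,
# broadcast, gateway and one spare); that reproduces the guide's figure of
# 252 usable addresses for a /24.
RESERVED_PER_SUBNET = 4
SERVICES_MIN_PREFIX = 27        # guide: about 30 addresses (/27)
DIRECT_CONNECT_MIN_PREFIX = 30  # guide: minimum two addresses (/30)
GROWTH_BUFFER = 0.20            # assumption: keep 20% spare for refreshes


def usable_addresses(cidr: str) -> int:
    """Host addresses available in a subnet after the reserved ones."""
    net = ipaddress.ip_network(cidr, strict=True)
    return max(net.num_addresses - RESERVED_PER_SUBNET, 0)


@dataclass
class TenantPlan:
    services_subnet: str                    # Services Zone
    desktop_subnet: str                     # Desktop Zone
    existing_networks: List[str]            # already in use on your side
    planned_desktops: int                   # desktops plus RDSH servers
    option74_tenant_appliances: List[str]   # values for DHCP Option Code 74
    direct_connect_link: Optional[str] = None


def check_plan(plan: TenantPlan) -> List[str]:
    """Return the list of planning problems; an empty list means the plan passes."""
    problems: List[str] = []
    services = ipaddress.ip_network(plan.services_subnet, strict=True)
    desktop = ipaddress.ip_network(plan.desktop_subnet, strict=True)
    existing = [ipaddress.ip_network(n, strict=True) for n in plan.existing_networks]

    # Both zones are extensions of your own infrastructure: no overlap with
    # anything already in use, and no overlap with each other.
    for zone, net in (("services", services), ("desktop", desktop)):
        for used in existing:
            if net.overlaps(used):
                problems.append(f"{zone} subnet {net} overlaps existing network {used}")
    if services.overlaps(desktop):
        problems.append(f"services subnet {services} overlaps desktop subnet {desktop}")

    # Services Zone sizing: a /27 or larger.
    if services.prefixlen > SERVICES_MIN_PREFIX:
        problems.append(f"services subnet {services} is smaller than a /{SERVICES_MIN_PREFIX}")

    # Desktop Zone sizing: planned desktops plus the refresh buffer must fit,
    # otherwise a second subnet has to be added later.
    needed = math.ceil(plan.planned_desktops * (1 + GROWTH_BUFFER))
    have = usable_addresses(plan.desktop_subnet)
    if have < needed:
        problems.append(f"desktop subnet {desktop} has {have} usable addresses, {needed} needed")

    # Option Code 74 must point at exactly two tenant appliances, and those
    # appliances sit in the Services Zone.
    appliances = [ipaddress.ip_address(a) for a in plan.option74_tenant_appliances]
    if len(appliances) != 2:
        problems.append(f"Option Code 74 must list the two tenant appliances, got {len(appliances)}")
    for addr in appliances:
        if addr not in services:
            problems.append(f"Option Code 74 address {addr} is outside the services subnet {services}")

    # Direct Connect transit link: at least a /30.
    if plan.direct_connect_link is not None:
        link = ipaddress.ip_network(plan.direct_connect_link, strict=True)
        if link.prefixlen > DIRECT_CONNECT_MIN_PREFIX:
            problems.append(f"Direct Connect link {link} is smaller than a /{DIRECT_CONNECT_MIN_PREFIX}")
    return problems


# Constructed sample plans (private addresses, not from any real tenant).
GOOD_PLAN = TenantPlan(
    services_subnet="10.50.0.0/27",
    desktop_subnet="10.50.1.0/24",
    existing_networks=["10.0.0.0/16", "192.168.0.0/16"],
    planned_desktops=200,
    option74_tenant_appliances=["10.50.0.10", "10.50.0.11"],
    direct_connect_link="172.16.255.0/30",
)

BAD_PLAN = TenantPlan(
    services_subnet="10.0.5.0/28",             # overlaps 10.0.0.0/16 and is too small
    desktop_subnet="10.50.2.0/24",             # 252 usable, but 300 desktops planned
    existing_networks=["10.0.0.0/16", "192.168.0.0/16"],
    planned_desktops=300,
    option74_tenant_appliances=["10.0.5.5"],   # only one appliance listed
)

if __name__ == "__main__":
    for label, plan in (("good", GOOD_PLAN), ("bad", BAD_PLAN)):
        print(label, check_plan(plan) or ["ok"])
```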

5 Creating Optimized Images

Image optimization ensures that the virtual desktop or RDSH server is properly configured to provide an optimal end-user experience.

You can adjust optimization settings statically or dynamically based on your needs and network requirements and conditions. An unoptimized image can consume unnecessary compute, network, and storage resources, potentially contributing to a substandard end-user experience.

It is important to create optimized images before deploying Horizon Cloud Service and to consult your desktop image management team early and often on the issues linked below.

This chapter includes the following topics:

- Optimizing Your Desktop Images

- Deciding How Many Images You Need

- Using Traditional or Instant-Clone Images

- Creating Images for RDSH Servers

- Understanding Dedicated, Floating, and Session Desktops

- Choosing 3D Graphics Options

- Staggering Automatic Antivirus Updates

Optimizing Your Desktop Images

An image template, sometimes called a master image or gold pattern, is the standard base desktop or RDSH server image provided by Horizon Cloud Service.

An image template is fully optimized with all the VMware tools and Horizon Cloud Service desktop service agents that are required for the platform. It is recommended that you install your software packages on the optimized image templates to take advantage of the tools and service agents that are preinstalled and configured in accordance with VMware best practices.

Deciding How Many Images You Need

This topic provides guidance on determining the number of images you need for your environment.

It is best to maintain the least number of base images possible to limit maintenance complexity. Each image must be patched, updated, and maintained. Planning enables you to choose the optimal number of base images for your environment. Your VMware Horizon Cloud Service representative can help you determine what your business units, such as accounting, IT, sales, and legal departments, have in common and which business units must be siloed. Horizon Cloud Service includes up to 10 image templates with each subscription, and you can convert additional images from your standard desktop capacity. See Service Description: VMware Horizon Cloud Service on IBM Cloud.

Also consider alternative methods of reducing image sprawl, such as application virtualization and application layering technologies, which allow you to abstract the application from the desktop, providing a mechanism to dynamically and instantly deliver the application to the desktop without installing or updating the application directly in the image. The application package is updated instead of the desktop image, which results in fewer images to manage.

Using Traditional or Instant-Clone Images

You can deploy virtual desktop images in Horizon Cloud Service using either traditional or instant clones.

- Traditional clones – Also called full clones, traditional clones are independent copies of a VM that share nothing with the parent VM after the cloning operation. Ongoing operation and management of a traditional clone is typically separate from the parent VM.

- Instant-clone desktops – Desktops that can be rapidly assembled on demand using VMware Instant Clone Technology. Instant Clone Technology allows identical VM clones to be created quickly. This feature builds a new VM by cloning an existing, partially booted parent VM, thus significantly reducing the disk and memory requirements and I/O cost of provisioning. The instant-clone process is faster than previous desktop-cloning technology.

For most use cases, instant clones should be leveraged. Instant clones provide the ability to manage a group of desktops using a single master image.

Traditional clones are still the preferred method for a few use cases, especially for those requiring 3D graphics. And you must use a traditional clone with all RDSH images.

Creating Images for RDSH Servers

As part of the Horizon Cloud Service offering, VMware provides one RDSH server and guides you through the basic image life cycle for an RDSH server.

- The life cycle includes methods of putting the RDSH server in install mode, installing applications on it, and moving forward into publish mode.

- After moving into publish mode, you can turn the RDSH server into an image from which you can deploy the remote applications that you just installed.

- You can also use RDSH images to provide RDS session desktops. The Horizon Cloud Advanced Onboarding packages can assist you with completing this process for two to three applications so that you are confident to do more on your own.

For more information, see the pre-onboarding datasheet provided by the onboarding team.

If you have business units that should have exclusive access to specific applications, such as HR or finance departments, or applications that require isolated segregation, such as SAP, it is recommended that you configure separate RDSH images for each department or application to maintain the necessary isolation.

Understanding Dedicated, Floating, and Session Desktops

Horizon Cloud Service supports dedicated, floating, and session desktops. Floating (nonpersistent) desktops are recommended in a Horizon Cloud Service implementation because they require less time, maintenance, and expense than the other options.

- Dedicated (persistent) desktops – A virtual desktop is assigned to users the first time they log in, and they use the same virtual desktop for subsequent logins. Like a physical computer, changes made to a persistent desktop stay with that desktop. You might choose to provide persistent desktops to developers who need to install their own software on their VMs. However, for most use cases, persistent desktops require more time to build, more effort to manage, and are more expensive.

- Floating (nonpersistent) desktops – A virtual desktop is assigned to users each time they log in, so users do not use the same virtual desktop for subsequent logins. When a user logs out, the nonpersistent desktop resets to a pristine state and changes to the desktop are lost. However, changes can be preserved by using profile management and folder redirection. For updating and patching, you update the image and push the update to the desktop assignment. For most use cases, nonpersistent desktops are the most convenient solution.

- Session (shared) desktops – An RDSH published desktop that is shared across multiple users. Also commonly known as a session-based desktop. Shared desktops should be locked down, and users should not be allowed to make system changes or install applications. For user-based changes, you can use Dynamic Environment Management and folder redirection to preserve settings. For image updates and patch management, you can update the image and push the update to the RDSH published desktop assignment.

Choosing 3D Graphics Options

You can leverage the power of GPU acceleration for any application on any device using either Soft3D or Graphics Workstations 3D graphics acceleration.

- Soft3D – Available in the Professional, Premium, and Performance desktop models, along with shared Hosted Application Servers in Horizon Cloud Service. Soft3D provides software-accelerated graphics and allows you to run DirectX 9 and OpenGL 2.1 applications without a physical GPU. Use this feature for less demanding 3D applications, such as Windows Aero themes, Microsoft Office 2010, and Google Earth.

- Graphics Workstations – For more high-end 3D needs, including advanced, graphics-rich applications, Horizon Cloud Service offers Graphics Workstations backed with NVIDIA GRID vGPU.

Horizon Cloud Service brings workstation-class performance to remote and mobile workers even over high-latency networks just like any other desktop. Note that 3D graphics applications typically have different bandwidth requirements than traditional office worker applications. Work with the VMware Horizon Cloud Service team to define your specific bandwidth requirements.

All required NVIDIA licensing and requisite hardware are included in the price of Graphics Workstation. For more information, see Service Description: VMware Horizon Cloud Service on IBM Cloud. For more information about NVIDIA GRID with Horizon 7, see the documentation for Horizon 7 with Blast 3D.

Staggering Automatic Antivirus Updates

Horizon Cloud Service does not include an antivirus solution. You can use the solution that you already have by obtaining additional licenses for the Horizon Cloud Service environment. However, this is not a Horizon Cloud Service requirement.

If you choose to use an antivirus solution on your Horizon Cloud Service desktops or RDSH servers that updates DAT files, it is best to stagger the updates across your environment. Doing so protects you from using all the resources in your environment to update all your VMs at the same time, which could result in slower performance.

In addition to staggering antivirus updates, it is best to use a fixed schedule that avoids large concurrent updates, such as updating outside of normal business hours or creating a maintenance window. Avoiding large concurrent updates also prevents using all resources at the same time, which can slow performance.

6 Managing Remote Applications

Remote applications are installed on RDSH servers and seamlessly delivered through the Horizon Client or Horizon Cloud Service User Portal. Users see an application that appears to be natively integrated with their local desktop, but it is actually delivered from the cloud. Windows applications hosted on RDSH servers can be delivered to non-Windows platforms, such as Android and iOS.

Assigning remote applications allows you to publish applications using RDSH servers that are based on an RDSH image, also called published applications, or RDSH-hosted applications. To create a remote application assignment, you select the number of RDSH servers to provision and the number of users per server. As you select applications to assign to users, all applications installed on the selected RDSH image are visible to you. In addition to selecting the automatically discovered applications, you can also define and associate customized remote applications with an RDSH image in your application inventory.

7 Image Management Strategies

Consult your image management team about developing good profile, patch, and backup management practices. Involving representatives from your image management team in decision-making and deployment early enables them to ask questions, voice concerns, and address issues, and helps avoid unexpected problems.

This chapter includes the following topics:

- Profile Management

- Patch Management

- Backup Strategies

Profile Management

User profiles are an important part of desktop images. A user profile consists of the folders, files, and configuration settings that are unique to a specific user. Setting up user profiles, choosing whether to assign users to persistent or nonpersistent desktops or RDSH servers, and deciding when to use redirection are all part of image management.

In a virtual environment, user profiles are typically stored on a server instead of on a physical desktop. That way, the user profile data follows the user from desktop to desktop. When thinking about profile management in a virtual environment, it makes sense to start with assignments. Horizon Cloud Service has desktop assignments for dedicated, floating, and session-based desktops, along with remote applications.

Type of Assignment – Profile Management Considerations

Traditional-clone, dedicated (persistent) desktops – A virtual desktop is assigned to the user the first time the user logs in, and the user uses the same virtual desktop for subsequent logins. Users can customize the virtual desktop and use it to access their documents and applications. For users with a single, persistent desktop, the user profile can be stored directly on their desktop. Changes that the user makes are maintained on the same virtual desktop. However, consider storing user profiles on a server to preserve changes in case the virtual desktop becomes corrupt or the user also accesses remote applications.

Instant-clone, dedicated (persistent) desktops – This assignment is similar to a persistent traditional clone in that the user uses the same virtual desktop computer name for all logins. The difference is that the virtual desktop is refreshed to a pristine state when the user logs out, and all changes are lost. To provide a persistent-like experience, the user profile must be stored on a server.

Traditional-clone and instant-clone, floating (nonpersistent) desktops – A new virtual desktop is assigned to users each time they log in, so they do not necessarily use the same virtual desktop for subsequent logins. A user cannot customize a specific desktop or add documents or applications to it, because the disk is refreshed to a pristine state when the user logs out, and all changes are lost. However, changes can be preserved by storing the user profile on a server. For users with multiple desktops or who access remote applications, the user profile follows the user and is available at each desktop or remote application access so that the user’s experience remains consistent.

Traditional-clone, session (shared) desktops and remote applications – Users are connected to the RDSH server with the fewest connections, so they do not necessarily use the same server for subsequent logins. The RDSH server should be locked down, and users should not be allowed to make system changes or install applications. To preserve changes and provide a consistent user experience, store the user profile on a server.

Deciding What to Redirect

You can provide a persistent-like user experience on non-persistent desktops by using redirection with user profiles. Users get the same application settings and files when they log in, no matter which non-persistent desktop they use. With redirection, your users enjoy the advantages of persistent desktops for the cost of non-persistent desktops.

To use redirection, identify the resources your users need to do their work, determine where your users save their work, and decide how much of their work you want to redirect. For example, you can choose to redirect everything that your users save to their desktops or My Documents folder to a file share. Giving users access to the file share makes their work always available to them, no matter which desktop assignment or remote application they use. You can also redirect backgrounds, screensavers, configurations for Outlook, and so on. Another option is to train your users to save all their work to a file share themselves, which achieves the effect of redirection without configuring it.
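As an added illustration of the Desktop and My Documents redirection described above (example code, not part of the VMware guide and not a Dynamic Environment Manager configuration), the following PowerShell script points the current user's Desktop and Documents shell folders at a per-user folder on a file server and then reads the values back to verify them. The share path \\fs01.example.local\profiles$ and the per-user folder layout are assumptions.

```powershell
# Added example, not from the VMware guide: redirect the current user's Desktop and
# Documents folders to a per-user folder on a file server, then verify the result.
# Assumptions (hypothetical): the share \\fs01.example.local\profiles$ exists and the
# user has Modify rights on the subfolder named after their user name.
param(
    [string]$ShareRoot = '\\fs01.example.local\profiles$'
)

$shellFolders = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
$userRoot     = Join-Path $ShareRoot $env:USERNAME

# Registry value name -> redirected path. 'Personal' is the value Windows uses for Documents.
$targets = [ordered]@{
    'Desktop'  = Join-Path $userRoot 'Desktop'
    'Personal' = Join-Path $userRoot 'Documents'
}

foreach ($valueName in $targets.Keys) {
    $path = $targets[$valueName]

    # The target folder must exist on the share before the shell is pointed at it;
    # otherwise the user logs in to an empty or inaccessible Desktop/Documents.
    if (-not (Test-Path -LiteralPath $path)) {
        New-Item -ItemType Directory -Path $path -Force | Out-Null
    }

    # Record the previous (local) path so the change can be reverted if the share is unreachable.
    $previous = (Get-ItemProperty -Path $shellFolders -Name $valueName).$valueName
    Write-Verbose "$valueName was '$previous'; setting to '$path'"

    # These entries are REG_EXPAND_SZ on a stock profile, so keep the same type.
    Set-ItemProperty -Path $shellFolders -Name $valueName -Value $path -Type ExpandString
}

# Verification: each value must point at the share and the share path must be reachable.
foreach ($valueName in $targets.Keys) {
    $current = (Get-ItemProperty -Path $shellFolders -Name $valueName).$valueName
    $ok = ($current -eq $targets[$valueName]) -and (Test-Path -LiteralPath $current)
    [pscustomobject]@{ Folder = $valueName; Path = $current; Redirected = $ok }
}
```

Explorer applies the new locations at the user's next logon; for fleet-wide management, use a profile management tool such as the Dynamic Environment Manager approach described in the next section rather than per-user scripts.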

Deciding How to Redirect

VMware Dynamic Environment Manager is a good way to manage redirection.

n Dynamic Environment Manager is the critical component of JMP that supports user-centric computing and addresses end-to-end application and user management.

n You can set up Dynamic Environment Manager to work with Horizon Cloud Service to help you manage user personas across devices and locations.

n Instead of focusing on the user's device, Dynamic Environment Manager focuses on the user's context, such as the user profile, personalization settings, application settings, contextual policy settings, user rights, licensing, and reporting settings.

Deciding Where to Redirect

When you use redirection to store user profiles, the user profile is redirected to a new permanent location.

You have three possible locations to redirect user profile information:

Option / Description

Redirect to the same location as the virtual desktops and RDSH servers (recommended)
    You can redirect the user profile to a file server in the same location as the virtual desktops and RDSH servers by using a utility server. The profile data never leaves your Horizon Cloud Service tenant. For performance and security reasons, this option is best. When using Dynamic Environment Manager with Horizon Cloud Service, a utility server is required to store the user profile.

Redirect to an infrastructure-as-a-service (IaaS) instance
    You can redirect user profiles to a file server in the same physical data center as the virtual desktops and RDSH servers. These resources can be in a separate virtual data center using IaaS provided by the Horizon Cloud Service provider. An IPsec tunnel can be used to connect the two virtual data centers.

Redirect across the VPN
    You can redirect the user profile across your VPN to a file server in your main data center. Latency and bandwidth are key factors in successfully redirecting back to your data center.

Patch Management

It is important to establish good patch management practices.

You might need to alter your existing patch management process based on the type of assignment you use:

Type of Assignment / Patch Management Process

Traditional-clone, dedicated (persistent) desktops
    You must push out application updates to each VM as you would to a physical desktop, or use a third-party utility, and also patch the image itself.

Instant-clone, dedicated (persistent) desktops
    Because these assignments do not retain changes between sessions, image patching and application updates are straightforward. Patch the image, and then refresh the assignment by pushing or reassigning the image. To patch or update an application installed on the image, update the application inside the image and then push or assign the image.

Traditional-clone and instant-clone, floating (non-persistent) desktops
    These desktops do not retain changes between sessions, so image patching and application updates are straightforward. Patch the image, and then refresh the assignment by pushing or reassigning the image. To patch or update an application installed on the image, update the application inside the image and then push or assign the image.

Traditional-clone, session (shared) desktops and remote applications
    Update by patching the image, and then refresh the assignment by pushing the image. To patch or update an application installed on the image, update the application inside the image and then push the image.

Turning Off Automatic Update Features

Many applications have an auto-update feature that periodically updates the application.

These automatic updates are lost when a user logs out of a traditional-clone or instant-clone non-persistent desktop or an instant-clone persistent desktop, because the desktop is refreshed to the image state. It is recommended that you turn off this feature for these types of desktop assignments and apply application updates inside the image instead.


Testing Patches and Updates on Subset Pools

When introducing a major change, such as large upgrades, installations, new applications, application updates, or service packs, it is recommended that you first test the change on a subset desktop or application assignment. Create a copy of your image so that if the changes cause problems, you can return to the original.

Duplicate an image in the Horizon Cloud Service Administration Console. Then apply the service pack, upgrade, or other major change to the copy. If problems occur, you can duplicate the original image again. If the change is successful, you can apply the changes to your primary production assignments.

Backup Strategies

It is important to establish good backup practices. Include representatives from your backup and desktop teams in the decision-making and deployment from the start to address questions, concerns, and issues early.

Supporting Many Backups of Images

Horizon Cloud Service on IBM Cloud allows you to keep two backups of any given image. If you want more than two backups, you must manage subsequent backups manually. It is recommended that you create a management pool with several VMs to copy, back up, test, and verify success whenever you make changes to the image.

Backing Up Before Changes

Before making changes to an image, it is recommended that you create a backup so that if something breaks while making changes, you can revert to the previous image. Create one basic image, copy it several times, and modify one copy for each business unit, such as one for your financial department, another for your operations department, and so on. Then back up all images before the change so that you can revert if needed.

Always Testing Changes

Any changes to your infrastructure, whether patches, upgrades, additions, or subtractions, affect the infrastructure, sometimes in unforeseen ways. Additions can break the system and damage the image, and new patches can conflict with existing applications on the desktops. Therefore, it is important to test each time you make a change. To verify that your changes have not had an adverse effect, change and test a small subset of desktops before applying the change to all your production assignments. User acceptance testing can be included as one of the steps in your testing process.

Backing Up After Successful Changes

Back up again after making successful changes to an image so that if something goes wrong after a future change, the image can be reinstated from that known-good backup.


To back up images, you can set up a management assignment specifically for backups and copies of images and add VMs to the pool to use for testing and backup purposes. Restoration is then a matter of reverting to another VM in the management assignment, which is based on a previously successful image.
