Organisations of all sizes are increasingly relying on desktop and application virtualization to deliver their business-critical applications to any device.
Since the announcement of Horizon on VMC in May 2018, there has been a large interest in clients looking to extend their existing on-premises Horizon platforms to the cloud, or build a new Horizon 7 platform on Amazon Web Services (AWS) in order to gain cost-effective scalability and increased business ability.
The following article provides a step by step guide to quickly install Horizon 7 on VMC, including integration with VMware Universal Access Gateway (UAG) and VMware Access Manager. I’ve also referenced a number of available installation guides and fantastic blog articles as well.
Horizon 7 on VMC is the same architecture and software as an on-premises installation. The deployment and management experience is the same. The following diagram best depicts illustrates this in comparison to Horizon Cloud on Azure.
Create your VMware Cloud on AWS
The next step is to login to your VMC account with your VMware ID by going to console.cloud.vmware.com.
Next click on VMware Cloud on AWS as shown:
then click on Create SDDC (short for Software Defined Data Center). Enter the appropriate AWS Region, the name of your SDDC and whether you wish to commission a Single-Host or Multi-Host SDDC as shown in this example:
Once you’ve clicked Next, you can then decide if you wish to link your SDDC to an AWS Account. If you don’t have an AWS account and/or do not want to connect now, you can skip this step. However, you must connect to an AWS account within 14 days of creating this SDDC.
Finally specify the private subnet range to be used for the SDDC management network as shown below. For my lab I selected the default. For a production environment, you would want to chose an IP address range which can eventually connect to an internal management IP network within your on-premises data center.
Finally click Deploy SDDC and within an hour or two, your SDDC will been created !
I’d recommend you next watching the VMware Cloud on AWS Console Overview video to get a feel for the VMC administrator console. As you use VMC, there is a great technical chat feature available if you have any queries.
Setup your SDDC Networking
The following provides an example architecture for Horizon on VMC. You’ll see that the architecture is similar to a typical on-premises installation in terms having an internal Horizon Connection Server (or many) and Unified Access Gateway virtual appliances to provide remote access via the Internet. vCenter and NSX Manager is all provided administered by VMC.
Load balancer for UAG
A third-party load balancer such as F5 LTM or AWS Elastic Load Balancer (ELB) must be deployed to allow multiple Unified Access Gateway appliances and Connection Servers to be implemented in a highly available configuration.
Network options between on-premises and VMC
VMC can be connected to a client’s on-premises network via IPSec VPN (via Internet) or AWS Direct Connect.
You create only one IPsec VPN tunnel between your on-premises environment and cloud data center. This will serve as the VPN connection for both management and compute gateways.
In addition, you can configure AWS Direct Connect for faster communication between your on-prem data center and the cloud SDDC. AWS Direct Connect is a service provided by AWS that allows you to create a high-speed, low latency connection between your on-premises data center and AWS services.
Direct Connect traffic travels over one or more virtual interfaces that you create in your customer AWS account. For SDDCs in which networking is supplied by NSX-T, all Direct Connect traffic, including vMotion, management traffic, and compute gateway traffic, uses a private virtual interface. This establishes a private connection between your on-premises data center and a single Amazon VPC.
With Direct Connect enabled, depending on the customers route advertisements, all traffic may be routed through to an on-premises network. Check with your VMC team on what network options are available.
It’s recommended to advertised the specific RFC private range networks on-premises via direct connect BGP which will get propagated to the VPC route table. This will make sure that for the traffic from on-premises VMs it takes the direct connect path and the rest over the internet.
You can also establish an AWS VPN over an public virtual interface of AWS Direct Connect connectionif encryption between on-premises and VMC is required. Please see the instructions here.
Installing Horizon 7.6
The following instructions provide instructions to install and configure Horizon on VMC. As there are a number of fantastic on-line resources, I’ll refer to those as required.
My Horizon on VMC platform consisted of the following:
- vCenter (included as part of VMC)
- Horizon 7.6 Connection Server
- Active Directory Domain Controller (or Read only DC) running on VMC
- Microsoft SQL Server (for Horizon Console logs)
- Read Only Active Directory Domain Controller(s)
- VMware Dynamic Environment Manager (UEM) – 2 Windows File Shares on the Horizon Connection Server
- Windows 7 and Windows 10 images
- Workspace ONE Access (SaaS)
- IPSec / or Direct Connect link to a client’s on-premises network
VMC was connected to a client’s on-premises network. This can be via IPSec or AWS Direct Connect. With Direct Connect enabled, depending on the customers route advertisements, all traffic may be routed through to an on-premises network. Check with your VMC team on what network options are available.
- Start by installing the Horizon Connection Server. There is a great Quick-Start Tutorial Series for VMware Horizon 7 which covers all the steps you need to follow including installing Microsoft SQL and the required settings for Horizon. See here for further details. Also review the Deploying Horizon 7 on VMware Cloud on AWS article too.Ensure you click the checkbox VMware Cloud on AWS when you install Horizon.
- Upload/install your Windows 7 and/or Windows 10 desktop images and optimise those images according to the Quick-Start tutorial. Install the Horizon Agent and VMware Dynamic Environment Manager (DEM) agent.
- Ensure you’ve configured the appropriate amount of RAM for your Windows Master image as per this article. For example, the default 32MB might need to be appropriately increased.
- Clone your ‘master’ Windows 7/10 VMs as VM Templates.
- I created a two VM Customisation Specifications for both of my workstation operating systems as shown. This would customise the VMs with required serial numbers and Sysprep the VMs as well.I found this SetupCommand.cmd script useful if you wanted the workstation VMs to join an Active Directory in a specific Organisation Group (OU).
- Configure the Blast protocol so it’s optimised for your environment. Below are the settings I applied to my virtual machines:
- I installed the VMware Dynamic Environment Manager (DEM, previously User Environment Manager) console on the Horizon Server and configured two file shares. The two file shares could have easily been setup on an existing File Server, however I wanted the shares to be on the same high speed network as the Windows 7/10 VMs. I followed the excellent Quick-Start Tutorial for User Environment Manager to install/configure DEM. You can configure the DEM Group Policy objects in your Active Directory or local GPO template.
- If you access the Horizon Connection server from a different DNS name (ie. via a UAG below), you will be required to configure the Connection Server’s so it will accept this connection. See this article “Allow HTML Access Through a Gateway” on how to configure this setting.
- (Optional) Install a trusted cert on Horizon server. You can refer to this article to generate a certificate request and this article. Ensure the previous internal certificate for the Connection server is renamed from ‘vdm’ to ‘original certificate’.
- With the desktop pools created, ensure the virtual machines are being deployed and you can logon to them via the Horizon Connection server as shown below:
Now if you will only access your VDI desktops via the internal network (IPSec or Direct Connect) then you’re ready to go ! However, if you would like the option of accessing your VDI desktops from anywhere on the Internet, then proceed with installing a VMware Universal Access Gateway (UAG) below.
Install the VMware Universal Access Gateway (UAG)
The Universal Access Gateway provides secure external access to your internal applications. These applications can be Windows applications, software as a service (SaaS) applications, and of course VDI desktops.
I found Carl Stalhood provided an excellent step by step guide to install the UAG. Likewise the the video VMware Unified Access Gateway: Deployment Utility and Horizon – Feature Walk-through is very helpful too.
- Install the UAG virtual appliance via the OVF template. You must ensure you provide an appropriate complex password for the admin and RESTAPI otherwise the administration UI will not start.
- You can try out the new UAG Deployment Utility (Fling) to aid the deployment of the virtual appliance.
- Enable the Horizon Settings and enter appropriate configuration details as shown in the example below. Note you don’t need to enter the Connection Server URL Thumbprint if you use a well known certificate on the connection server.
- Test that you now access/login to your VDI desktops via the UAG internal URL.
- Within the VMC console, add a public IP address and create a NAT from this address to the internal IP address of the UAG virtual appliance. For example:
- Define a public DNS name for your external IP address. For example, https://horizon.external.org. Now test you can access this address from your web browser, which should show the following Horizon login screen:
(Optional) Activate/Configure Workspace ONE Access
If you wish to have a single portal where you offer your staff virtual desktops, web applications, remote desktop applications, you may wish to leverage Workspace ONE Access (previously VMware Identity Manager). Workspace ONE Access offers a friendly application portal called Workspace ONE as shown below:
This example Workspace ONE application catalog is available from VMware TestDrive which clients and partners can try out for a free 30 day trial. Please contact your VMware contact for an invitation.
You can leverage the Sandbox Workspace ONE tenant in TestDrive, or VMware can provide you with an appropriate tenant for production.
I’ll refer you to two excellent articles by Justin Johnson (VMware) on how you can configure Workspace ONE Access to connect to your existing Active Directory and secondly configure Workspace ONE Access to publish your Horizon VDI desktops.
- Integrating A Cloud Instance Of VMware Identity Manager With Active Directory – link
- Cloud Options For Accelerating Workspace One Adoption In Traditional Horizon Environments – link
Updated 12th December. Justin published a great video on YouTube which shows further integration of Workspace ONE Access and conditional access.
You’re now up and running !
With Horizon, Universal Access Gateway (UAG) and Workspace ONE Access installed and configured, you can now access your desktops via an easy to use application catalog, which can be extended to other application types in the future. For example, managing devices using Workspace ONE UEM.
If you need additional capacity, you can easily add an additional ESXi host within 10-15 minutes using the VMC console.
If you have any questions on VMC I’d recommend the VMware Cloud on AWS community forum. For Horizon, UAG or Access questions, check out the VMware Horizon Community forum.
If you would like further information, you can also contact me directly via my blog contact page.
Article Updated 5 December 2018: Including a number of VMC networking information from Frank Fan (AWS). Thanks!
Additional news. As of December 14, 2018, Horizon 7.7 now provides additional services on VMC such VMware NSX-T network virtualization, VMware App Volumes and VMware Instant Clone Technology are all now supported. See this announcement for more details.
Article Updated 29 March 2020: Link to the new UAG Deployment Utility (Fling)