adv1591be delivering virtual desktops and apps via or distribution · 2017-10-12 · johan van...

Johan van Amersfoort & Stephane Padique

ADV1591BE

#VMWORLD #ADV1591BE

Delivering Virtual Desktops and Apps via the Digital Workspace with Workspace ONE and VMware Horizon

VMworld 2017 Content: Not fo

r publication or distri

bution

• This presentation may contain product features that are currently under development.

• This overview of new technology represents no commitment from VMware to deliver these features in any generally available product.

• Features are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind.

• Technical feasibility and market demand will affect final delivery.

• Pricing and packaging for any new technologies or features discussed or presented have not been determined.

Disclaimer

2#ADV1591BE CONFIDENTIAL



bution

Agenda

1 What is Workspace ONE?

2 Setting up Horizon with Workspace ONE

3 User experience and Demo




bution

Agenda



3 User Experience and Demo




bution

IT/it used to be simple..




bution

Mobile-Cloud Era

Client-Server Era

Bridging Two Worlds

#ADV1591BE CONFIDENTIAL 6



bution

Mobile-Cloud Era

Client-Server Era

Bridging Two Worlds

• Domain joined

• Network based security

• Managing devices

• OPEX heavy 1:150 ratio

• Slow

• Migration Projects




bution

Mobile-Cloud Era

Client-Server Era

• Domain joined

• Network based security

• Managing devices

• OPEX heavy 1:150 ratio

• Slow

• Migration Projects

• Enrollment

• Identity based security

• Managing policies

• Massive scale 1:15 000 ratio

• Fast

• Continuous Delivery

Bridging Two Worlds




bution

Applications in the Enterprise

Universal Windows Apps




bution

Mobile-Cloud Era

Client-Server Era

Bridging Two Worlds




bution

Mobile-Cloud Era

Client-Server Era

MirageHorizon PCoIP

ThinApp Horizon BLAST

UEMApp Volumes

Bridging Two Worlds

FlexUnified Access

Gateway

Workspace One

AirWatch

VMware Identity Manager

Horizon Cloud




bution

You can’t transform

business without a

great user experience

You don’t need to

compromise security

to get there

VMware Empowers the Digital Workspace




bution

Simple App Delivery Through a Unified Catalog

Web-based Mobile app

Better overall mobile user experience

•

•

•

Any app to any device




bution

Agenda







bution

Simple Access to Apps & DesktopsAccess to Horizon 7 and Horizon Cloud desktops from Workspace ONE / IDM

• Full support for Horizon 7.x

– Virtual Desktops

– Published Applications

– Horizon Cloud Pod Architecture

– Single Sign On & True SSO

• Support for Horizon Air / Cloud

– Horizon Cloud Hosted with WS1

– Horizon Cloud On-premises with IDM

– SSO to virtual desktops and apps

• Support for Citrix

– XenApp 5/6

– XenDesktop 7.x




bution

• CAPEX Model

• Greater flexibility in desktop options

• Scalable to customer requirements

• Feature rich management

• Hybrid OPEX/CAPEX model

• Management infrastructure in the cloud

• On-premises virtual desktops & apps on

hyper-converged infrastructure

• Minimal internal expertise required and

easily scalable

Horizon Deployment Options

• OPEX model of utility based pricing

• Scalability on demand

• Minimal internal expertise required

• Remote locations where building data

center capacity is impossible

G

Horizon Cloud with Hosted

Infrastructure

On Premises

(Horizon 7)

Horizon Cloud with On-premises

Infrastructure

LOADBALANCERS

CONNECTIONBROKERS

ACTIVEDIRECTORY

MANAGEMENTSERVERS

CO

MP

UT

E S

ER

VE

RS

RU

NN

ING

VIR

TU

AL

DE

SK

TO

PS

CUSTOMER IT ENVIRONMENT

SANSTORAGE

CLOUD PROVIDER

ACTIVEDIRECTORY

ACCESS POINTS

VIRTUAL DESKTOPS & APPS

ON HYPER-CONVERGED INFRASTRUCTURE

CONTROL PLANE

CLOUD PROVIDER

MOBILEUSERS

REMOTEUSERS

ACTIVEDIRECTORY

USER APPDATA

CORP USER DEVICES

SECURE VPN

SE

CU

RE

VP

N

CUSTOMER IT ENVIRONMENT




bution

Hosted Applications

RDS Farm Connection Server VMware Identity Manager

Get Resources,

Entitlements

Horizon Client




bution

Horizon 7 Integration




bution

End to End SSO with TrueSSOStreamlined single sign on to Horizon via Workspace ONE



bution

Horizon TrueSSO

• Users authenticate to VMware Identity Manager using a variety of credential options

• Once authenticated, users select Horizon desktop or hosted application

• No need to enter AD credentials or SmartCard

• Uses SAML to connect the Identity Provider’s (IdP) authentication with user’s UPN for access to AD credentials

• True SSO generates unique, short-lived certificate to manage Windows logon process




bution

Horizon TrueSSO Benefits

• Separates Authentication (validating a user’s identity) from Access (user can use a Windows desktop or application

• Enhanced security. User credentials are secured by digital certificate, no passwords are vaulted or transferred within the datacenter

• Supports a wide range of authentication methods – enterprises can select or change authentication protocols with limited impact to the infrastructure




bution

Horizon TrueSSO Workflow

Virtual Desktop

Horizon Broker

Horizon Client

AD

VMware

Enrollment

Service

Microsoft

Certificate Authority

VMware

Identity

Manager1

2

34

5

6

7




bution

Horizon TrueSSO Support & Requirements

• Horizon 7+ or Horizon Cloud (latest version)

• Horizon Enrollment Server

• Recent Horizon Client (v4+)

• Identity Manager

• On-Premises or SaaS (v2.9+)

• Joined to Active Directory Domain

• Enterprise Microsoft CA

• Custom CA templates for short lived certs




bution

Horizon Client SP Init Flow –Access Policy Support in Horizon



bution

Access Policy support for Horizon Applications

• Previously, SP Init launch supported only for web applications like socialcast, Salesforce, Office 365, Slack, etc.

• User experience was confusing or launch resulted in errors from Horizon client, file type association or other shortcuts

• Horizon Administrator enables “Workspace ONE mode” with server hostname

• Supported use cases:

– Users launch Horizon client and click on login (a.k.a SP-Initworkflow)

– Handling file type association (FTA) by Horizon View client

– Application Shortcut or URL launch




bution

Limitations/Known Issues

• Supported as of Horizon 7.2

• Currently supporting only browser based flows, Workspace ONE native client flow is not supported

• For any change in Workspace ONE mode configuration, customer needs to remove the connection server from the server selector & to cleat the cache to see the change




bution

Gotchas!



bution

Horizon Metadata Expired

• https://kb.vmware.com/kb/2144331

– Change metadata expire period to 4-5 days

– Make sure VMware Identity Manager syncs Horizon Entitlements once per day

– Also mentioned in manual: http://pubs.vmware.com/horizon-7-view/index.jsp?topic=%2Fcom.vmware.horizon-view.administration.doc%2FGUID-3E170C23-097F-46D0-82BD-7CACFF04FC9A.html




bution

https://kb.vmware.com/kb/2144331

http://pubs.vmware.com/horizon-7-view/index.jsp?topic=/com.vmware.horizon-view.administration.doc/GUID-3E170C23-097F-46D0-82BD-7CACFF04FC9A.html

Integrating Horizon Cloud PodMultiple Horizon instances with Workspace ONE



bution

Horizon Cloud Pod Architecture Layout and Sync

Global Finance

London

Paris

Paris Site / POD 2

London Site / POD 1 AD Groups

GlobalEntitlement

Home Site

Home Site

Cloud Pod Federation

IDM VA

SUSE Linux

Core

API

vPostgres tcserver

Connector

ConnectorSync Traffic

ConnectorSync Traffic




bution

Horizon Cloud Pod Architecture Local Configurations




bution

Horizon Cloud Pod Architecture Global Configurations




bution

Agenda







bution

DEMOHorizon TrueSSO and Workspace ONE



bution



bution

Questions!



bution



bution

adv1591be delivering virtual desktops and apps via or distribution · 2017-10-12 · johan van...

Documents