adv1591bu delivering virtual desktops and apps via or distribution · 2019-06-27 · peter bjork...

Peter Bjork @thepeb & Matt Coppinger @mcopping

ADV1591BU

#VMworld #ADV1591BU

Delivering Virtual Desktops and Apps via the Digital Workspace with Workspace ONE and VMware Horizon

VMworld 2017 Content: Not fo

r publication or distri

bution

• This presentation may contain product features that are currently under development.

• This overview of new technology represents no commitment from VMware to deliver these features in any generally available product.

• Features are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind.

• Technical feasibility and market demand will affect final delivery.

• Pricing and packaging for any new technologies or features discussed or presented have not been determined.

Disclaimer

CONFIDENTIAL 2



bution

Agenda

#ADV1591BU CONFIDENTIAL 3

1 What is Workspace ONE?

2 Setting up Horizon with Workspace ONE

3 User Experience and Demo



bution

Agenda







bution


IT/it Used to Be Simple...



bution

Mobile-Cloud Era

Client-Server Era

Bridging Two Worlds




bution

Mobile-Cloud Era

Client-Server Era

Bridging Two Worlds

• Domain joined

• Network based security

• Managing devices

• OPEX heavy 1:150 ratio

• Slow

• Migration Projects




bution

Mobile-Cloud Era

Client-Server Era

• Domain joined

• Network based security

• Managing devices

• OPEX heavy 1:150 ratio

• Slow

• Migration Projects

• Enrollment

• Identity based security

• Managing policies

• Massive scale 1:15 000 ratio

• Fast

• Continuous Delivery

Bridging Two Worlds




bution


Universal Windows Apps

Applications in the Enterprise



bution

Mobile-Cloud Era

Client-Server Era

Bridging Two Worlds




bution

Mobile-Cloud Era

Client-Server Era

MirageHorizon PCoIP

ThinApp Horizon BLAST

UEMApp Volumes

Bridging Two Worlds

FlexUnified Access

Gateway

Workspace One

AirWatch

VMware Identity Manager

Horizon Cloud




bution

You can’t transform

business without a

great user experience

You don’t need to

compromise security

to get there


VMware Empowers the Digital Workspace



bution

Simple App Delivery through a Unified Catalog


Better overall mobile user experience

•

•

•

Any app to any device

Web-based Mobile app



bution

Agenda







bution

• CAPEX Model

• Greater flexibility in desktop options

• Scalable to customer requirements

• Feature rich management

• Hybrid OPEX/CAPEX model

• Management infrastructure in the cloud

• On-premises virtual desktops & apps on

hyper-converged infrastructure

• Minimal internal expertise required and

easily scalable

Horizon Deployment Options

• OPEX model of utility based pricing

• Scalability on demand

• Minimal internal expertise required

• Remote locations where building data

center capacity is impossible

G

Horizon Cloud with Hosted

Infrastructure

On Premises

(Horizon 7)

Horizon Cloud with On-premises

Infrastructure

LOADBALANCERS

CONNECTIONBROKERS

ACTIVEDIRECTORY

MANAGEMENTSERVERS

CO

MP

UT

E S

ER

VE

RS

RU

NN

ING

VIR

TU

AL

DE

SK

TO

PS

CUSTOMER IT ENVIRONMENT

SANSTORAGE

CLOUD PROVIDER

ACTIVEDIRECTORY

ACCESS POINTS

VIRTUAL DESKTOPS & APPS

ON HYPER-CONVERGED INFRASTRUCTURE

CONTROL PLANE

CLOUD PROVIDER

MOBILEUSERS

REMOTEUSERS

ACTIVEDIRECTORY

USER APPDATA

CORP USER DEVICES

SECURE VPN

SE

CU

RE

VP

N

CUSTOMER IT ENVIRONMENT




bution

Simple Access to Apps & DesktopsAccess to Horizon 7 and Horizon Cloud desktops from Workspace ONE

• Full support for Horizon 5.x 6.x 7.x

– Virtual Desktops

– Published Applications

– Horizon Cloud Pod Architecture

– Single Sign On & True SSO

• Support for Horizon Air / Cloud

– Horizon Cloud Hosted

– Horizon Cloud On-premises

– SSO to virtual desktops and apps

• Support for Citrix

– XenApp 5/6/7.x

– XenDesktop 7.x




bution


RDS FarmHorizon

Connection Server

VMware Identity Manager

Get Resources,

Entitlements

Horizon Client

Horizon 7.x Desktops

Connector

Horizon Entitlement Sync and Access



bution


Horizon 7 Integration



bution

Network Ranges




bution

End to End SSO with TrueSSOStreamlined single sign on to Horizon via Workspace ONE



bution

Horizon TrueSSO

• Users authenticate to VMware Identity Manager using a variety of credential options

• Once authenticated, users select Horizon desktop or hosted application

• No need to enter AD credentials or SmartCard

• Uses SAML to connect the Identity Provider’s (IdP) authentication with user’s UPN for access to AD credentials

• True SSO generates unique, short-lived certificate to manage Windows logon process




bution

Horizon TrueSSO Benefits

• Separates Authentication (validating a user’s identity) from Access (user can use a Windows desktop or application

• Enhanced security. User credentials are secured by digital certificate, no passwords are vaulted or transferred within the datacenter

• Supports a wide range of authentication methods – enterprises can select or change authentication protocols with limited impact to the infrastructure




bution

Horizon TrueSSO Workflow


Virtual Desktop

Horizon Broker

Horizon Client

AD

VMware

Enrollment

Service

Microsoft

Certificate Authority

VMware

Identity

Manager1

2

34

5

6

7



bution

Horizon TrueSSO Support & Requirements


• Horizon 7 or Horizon Cloud (latest version)

• Horizon Enrollment Server

• Latest Horizon Client (v4)

• Identity Manager

• On-Premises or SaaS (latest version)

• Joined to Active Directory Domain

• Enterprise Microsoft CA

• Custom CA templates for short lived certs



bution

Horizon Client SP Init Flow –Access Policy Support in Horizon



bution

Horizon 7 Integrated With Workspace ONE

28

Workspace ONE access policies enforced through the Horizon Client



bution

Workspace ONE Configuration in Horizon 7.2

29

1

2

3

1. Require external authentication (IDM)

2. Enables redirection to WS1 hostname

3. Force access policy compliance



bution

Access Policy Control in Identity Manager

30



bution

Gotchas!



bution

Horizon Metadata Expired

• https://kb.vmware.com/kb/2144331

– Change metadata expire period to 4-5 days

– Make sure VMware Identity Manager syncs Horizon entitlements once per day

– Also mentioned in manual http://pubs.vmware.com/horizon-7-view/topic/com.vmware.horizon-view.administration.doc/GUID-3E170C23-097F-46D0-82BD-7CACFF04FC9A.html

34



bution

https://kb.vmware.com/kb/2144331

http://pubs.vmware.com/horizon-7-view/topic/com.vmware.horizon-view.administration.doc/GUID-3E170C23-097F-46D0-82BD-7CACFF04FC9A.html

Horizon Sync require a Worker

• If deploying many separate connectors in a large environment.

– Make sure you create a Workspace One idP

– Add connector to above worker process..

35



bution

Integrating Horizon Cloud PodMultiple Horizon instances with Workspace ONE



bution

Horizon Cloud Pod Architecture Layout and Sync

Global Finance

London

Paris

Paris Site / POD 2

London Site / POD 1 AD Groups

GlobalEntitlement

Home Site

Home Site

Cloud Pod Federation

IDM VA

SUSE Linux

Core

API

vPostgres tcserver

Connector

ConnectorSync Traffic

ConnectorSync Traffic




bution

Horizon Cloud Pod Architecture Local Configurations




bution

Horizon Cloud Pod Architecture Global Configurations




bution

Integrating Horizon CloudSetting up access to Horizon Cloud with Workspace ONE



bution

Horizon Cloud Hosted Desktops & Apps Integration

• Requires On-Premises IDM Connector

• Requires IDM Connector be joined to Active Directory Domain

• Integrated using sync between Identity Manager & Horizon Cloud

– Enable Horizon Cloud Desktops and Applications in IDM administration console

– Create Horizon Cloud Federation Artifact in IDM

– Configure SAML Authentication in Horizon Cloud

– From IDM initiate Sync with Horizon Cloud

– Desktops and Hosted applications are part of the same sync



bution

Horizon Cloud Hosted Desktops & Apps Integration




bution

Agenda







bution

DEMOHorizon TrueSSO and Workspace ONE



bution



bution

Questions!



bution



bution

adv1591bu delivering virtual desktops and apps via or distribution · 2019-06-27 · peter bjork...

Documents