HPE Reference Architecture for Secure VDI deployments using VMware Horizon on HPE Synergy and HPE 3PAR StoreServ 8450 All Flash array

Secure VDI infrastructure with micro-segmentation powered by VMware NSX on HPE Synergy

Reference Architecture

Post on 27-Jun-2020



Contents

Executive summary ..... 4
Introduction ..... 5
Solution overview ..... 6
Hardware solution components ..... 11
  HPE Synergy ..... 11
  HPE Synergy Composer ..... 11
  HPE Synergy Image Streamer ..... 12
  HPE Synergy 12000 Frame ..... 13
  HPE Synergy 480 Gen 10 Compute Module ..... 13
  HPE 3PAR StoreServ 8450 All Flash array ..... 14
  HPE Synergy fabric interconnects ..... 14
  HPE Virtual Connect modules ..... 14
Software solution components ..... 15
  Management software layer ..... 15
  Solution layer ..... 15
  Storage layer ..... 16
  Networking and security layer ..... 17
Application software ..... 18
  VMware Horizon environment ..... 18
  VMware NSX for vSphere ..... 19
  Micro-segmentation powered by VMware NSX ..... 20
Best practices and configuration guidance for the solution ..... 20
  HPE Synergy Solution Configuration ..... 20
  HPE Synergy with VMware vSphere ..... 22
  HPE Synergy with HPE 3PAR StoreServ ..... 22
  HPE Synergy Image Streamer for VMware ESXi deployment ..... 24
  Configuration of micro-segmentation powered by VMware NSX ..... 26
Capacity and sizing ..... 28
  About Login VSI ..... 28
Testing strategy ..... 29
  Benchmarks versus field implementation ..... 29
  VMware Horizon RDSH Workload on a single HPE Synergy 480 Gen10 blade server ..... 30
  VMware Horizon RDSH Workload on a multi-node HPE Synergy 480 Gen10 blade server ..... 31
  VMware Horizon VDI (Instant Clone) Workload on a single HPE Synergy 480 Gen10 blade server ..... 32
  VMware Horizon VDI (Instant Clone) Workload on a multi-node HPE Synergy 480 Gen10 blade server ..... 33
Analysis and recommendations ..... 34
  HPE Synergy Deployment Analysis ..... 34


  Spectre/Meltdown ..... 34
  Performance Settings ..... 34
  VMware Horizon Scalability Guidance ..... 35
  VMware OS Optimization Tool ..... 35
Summary ..... 35
Appendix A: Bill of materials ..... 36
Resources and additional links ..... 38


Executive summary

In today’s Idea Economy, businesses need to turn ideas into services faster. Every new business and established enterprise is at risk of missing a market opportunity and being disrupted by a new idea or business model. It has never been easier, or more crucial, to turn ideas into new products, services, or applications—and quickly drive them to market. But IT needs an infrastructure that enables them to partner with the business to speed the delivery of services.

To address this challenge, Hewlett Packard Enterprise and VMware® have collaborated on the current IT adaptation in the End User Computing (EUC) space. The modern workspace is undergoing a rapid digital transformation driven by both users and modern applications. This Reference Architecture therefore addresses these challenges with an integrated design that delivers security in a Virtual Desktop Infrastructure (VDI) environment and adapts to a bimodal approach, aligning with both traditional and cloud applications in EUC environments.

HPE Synergy is a single composable infrastructure that can help IT simplify operational complexity in traditional IT environments and accelerate service velocity. HPE Synergy is the ideal architectural and management solution that addresses both traditional business applications and the emerging cloud applications driving current IT environments. Organizations are expected to adopt a strategy that maintains existing infrastructure for traditional applications while creating a different infrastructure and tool set for new cloud-native and mobile applications, a strategy that HPE Synergy Composable Infrastructure makes possible.

HPE Synergy Composer and HPE Synergy Image Streamer are highlighted in this reference architecture to showcase provisioning and management capabilities in a fast-paced IT environment. HPE Synergy Composer, powered by HPE OneView, integrates with over a dozen popular management tools such as Microsoft® System Center, VMware vCenter, Chef, Docker, Puppet, Ansible, PowerShell and Python to speed deployment, provision modern cloud-native applications and manage modern IT infrastructure efficiently.

Most enterprise IT professionals agree that securing the network only at the perimeter is inadequate for today’s data centers. Once malware has managed to make its way behind the firewall by latching onto an authorized user (or other means), it can move easily from workload to workload. This lateral movement is possible due to a lack of sufficient internal network controls regulating server-to-server or east-west network traffic.

Security in EUC environments is enabled with micro-segmentation powered by VMware NSX which is a breakthrough model for data center security. Network security policies are enforced by firewall controls integrated into the hypervisors that are already distributed throughout the data center. This security model, which reflects and supports the dynamic nature of data center operations, has never been possible before. The model goes beyond the idea of plugging gaps in perimeter security, or even trying to manipulate physical security within the data center to make it more effective. The micro-segmentation model is not about “building up” but “infusing into.” There are no gaps in defense because security is infused into the whole operational environment of the data center.

In this Reference Architecture (RA), the Hewlett Packard Enterprise solution engineering team used an HPE Synergy system consisting of nine (9) HPE Synergy 480 Gen10 Compute Modules across three (3) HPE Synergy 12000 Frames and HPE 3PAR StoreServ 8450 All Flash Storage Array. This Reference Architecture demonstrates the following benefits:

• A highly secure VDI infrastructure with micro-segmentation powered by VMware NSX on HPE Synergy.

• Simple delivery of VMware desktop solutions using VMware Horizon View and HPE Synergy Composable Infrastructure.

• A flexible software-defined networking environment using VMware NSX and HPE OneView infrastructure management capabilities.

• High-speed provisioning for EUC environments, leveraging HPE Synergy’s strengths in rapid provisioning using HPE Synergy Image Streamer.


On HPE Synergy with the VMware Horizon solution, two types of workloads, Office worker and Knowledge worker, were tested using RDSH-based and Instant Clone-based VDI desktop pools. The environment is software-defined-network enabled using VMware NSX and secured via micro-segmentation powered by VMware NSX.

Table 1. VMware Horizon Workload numbers

Workload                                                             User Sessions
VMware Horizon RDSH on a single HPE Synergy 480 Gen10                          218
VMware Horizon RDSH on a six-node HPE Synergy 480 Gen10                       1197
VMware Horizon Instant Clone VDI on a single HPE Synergy 480 Gen10             120
VMware Horizon Instant Clone on a six-node HPE Synergy 480 Gen10               712

* Spectre/Meltdown patches applied on the full-stack solution

Target audience: This document is intended for IT decision makers and channel partners, as well as architects and implementation personnel who want to understand the HPE Composable Infrastructure capabilities offered by the HPE Synergy platform. The reader should have a solid understanding of end-user computing, software-defined networking and security. An understanding of VMware Horizon products and of sizing/characterization concepts and limitations in client virtualization environments is beneficial.

Introduction

Securing the client virtualization environment has become an integral part of VDI design. Security concerns can arise behind the data center firewall, where large numbers of virtual desktops reside. East-west traffic segments can be susceptible to malware attacks, which can be countered by adopting a security model that reduces the risk of intrusions from hackers. Extending security policy from the data center to desktops and applications is a judicious move for the organization’s users and mission-critical workloads.

Deploying compute and memory rapidly, aligned to the changing business needs of the organization, has become mandatory. Hewlett Packard Enterprise has invented a groundbreaking composable infrastructure platform, HPE Synergy, that matches the IT business needs of any organization. HPE Synergy is a powerful software-defined solution that lets you manage your infrastructure as code, deploying IT resources quickly and for any workload. Through a single interface, you can compose fluid pools of physical and virtual compute, storage, and fabric resources into any configuration for any application.

With end-user computing demands as the design criteria, Hewlett Packard Enterprise designed and tested an architecture based on VMware’s Horizon 7 Enterprise Edition Reference Architecture: Validated Integration Design (vmware.com/files/pdf/techpaper/vmware-horizon-7-enterprise-validated-integration-design-reference-architecture.pdf), which facilitates the delivery of VMware Horizon 7 technology in a small-scale, density-optimized, highly manageable fashion. VMware Horizon with VMware NSX micro-segmentation on HPE Synergy was designed and architected to showcase the performance and scalability of the solution. The combined end-to-end solution delivers a world-class end-user computing experience while securing the east-west network perimeter within the data center, making the solution robust against attacks.


For client virtualization, desktop and application delivery can vary based on use case requirements that range from task workers to workstation users. Figure 1 below shows the client virtualization technology landscape as it exists today.

[Figure 1 image not reproduced. It places user types from Task Workers, Productivity Workers and Knowledge Workers through Power Users to Workstation Users along an axis from "Few Apps, Light Workload" to "Many Apps, Heavy Workload", with graphics tiers CPU Based Graphics, Business Graphics and 3-D Graphics, and the matching delivery models: Session/Application Delivery, Secured Desktop Virtualization; Physical and Secured Virtual hosted desktops; Graphics accelerated desktops and apps; Physical hosted workstation.]

Figure 1. The client virtualization technology landscape

Solution overview

The fundamental building blocks of this Reference Architecture are a suite of core Hewlett Packard Enterprise technologies with VMware software layered on to create the foundation for a robust solution. The solution includes HPE Synergy, a single intelligent composable infrastructure that transforms rigid physical systems into flexible virtual resource pools so all resources are instantly available to run the VDI infrastructure. HPE Synergy Composer, which houses HPE OneView, provides precisely composed logical infrastructures enabling administrators to provision, control, and manage software-defined data center components. HPE Synergy Image Streamer can boot systems at cloud speed, allowing physical machines to be managed like virtual machines. HPE 3PAR StoreServ 8450 All Flash comprises high-density flash drives which offer space benefits and high performance without compromising resiliency, scalability or data mobility. VMware Horizon Suite 7 with micro-segmentation powered by VMware NSX has been implemented on HPE Synergy in this reference architecture paper. VMware RDS Desktop Pools using the VMware Blast Extreme protocol have been tested for user density and performance.

This technical white paper provides performance and configuration guidelines for popular use cases of the VMware Horizon 7 suite. The solution highlights VMware NSX for VMware Horizon which improves desktop virtualization security and helps address east-west threats by enabling administrators to define policy centrally. To secure virtual desktops and adjacent workloads within the data center, VMware NSX implements micro-segmentation, giving each desktop its own perimeter defense. This shrink-wrapped security uses VMware NSX distributed virtual firewalling capability to police traffic to and from each VM, eliminating unauthorized access between desktops and adjacent workloads.

The rack layout in Figure 2 can be viewed as blocks of functionality and technology segmentation, namely compute, management, network and storage blocks. The Reference Architecture can be viewed as a series of building blocks summarized and described below and detailed later in the document.


HPE Synergy Composer and HPE Image Streamer play an integral part in composing and deploying the solution at a very rapid pace.

Figure 2. Reference Architecture hardware physical view


Figure 3 below represents the logical layout of the solution including hardware and software components. It shows the solution layout and deployment topology of VMware Horizon using NSX micro-segmentation on HPE Synergy. The Horizon components are deployed in two portions: the Horizon Management Block and the Horizon Resource Block. The Management block consists of VMware ESXi hosts that contain all the management components deployed for the Horizon infrastructure. The Resource block contains VMware ESXi hosts where virtual desktops will be created. Each block is managed by a separate vCenter server and a separate VMware NSX instance.

[Figure 3 image not reproduced. Recoverable labels: Horizon Management Block (3 x HPE Synergy 480 Gen10 VMware ESXi management cluster hosting vCenter Server, NSX Manager, View Connection Servers, Unified Access Gateway and Load Balancer) and Horizon Resource Block (6 x HPE Synergy 480 Gen10 VMware ESXi solution cluster running Workload 1, VMware Horizon hosted desktops and apps, and Workload 2, VMware VDI Windows 10 Instant Clone), each block with its own vCenter Server, NSX Manager and NSX Edge Services Gateway with VXLAN uplinks, plus NSX Service Composer; HPE Synergy Composer; HPE Synergy Image Streamer deploying stateless bare-metal compute nodes; HPE Synergy Composable Fabric with HPE Synergy 20Gb Interconnect Link Modules, 2 x HPE VC SE 40Gb F8 Modules providing 6 x 40Gb uplinks to end-of-row switches, and 6 x HPE Synergy VC FC 16Gb Modules with SAN uplinks to HPE SN6000B 16Gb SAN switches; HPE 3PAR StoreServ 8450 with provisioned volumes; Enterprise Active Directory, DMZ, external and internal firewalls, physical router and load balancer; Internet and corporate LAN users on thin clients, iPhone, iPad, Android tablet and HTML clients over VMware Blast Extreme.]

Figure 3. Solution architecture layout of VMware Horizon with micro-segmentation powered by VMware NSX on HPE Synergy


In this environment, each block consists of a vSphere cluster. The management cluster is deployed with 3 HPE Synergy 480 Gen10 servers and the resource block consists of 6 HPE Synergy 480 Gen10 servers for hosting virtual desktops and applications. The management cluster hosts appliances from both Horizon and NSX, such as the Horizon components, Connection servers and Unified Access Gateway servers. The resource cluster hosts the desktop pools, both VDI and RDSH. Each cluster has its own VMware NSX implementation, which includes a dedicated VMware NSX Manager connected to that cluster’s VMware vCenter, VMware NSX controllers, VMware NSX Edge gateways and VMware NSX Distributed Logical Routers (DLR).

Figure 4 shows the logical networking layout of the solution. VMware NSX network virtualization is achieved through VXLAN overlay networks. The following design principles were followed in this environment for deploying VMware Horizon components and desktop pools on VXLAN-based networks:

• In the management block, connection servers are deployed on VXLAN based logical switches, to isolate these from other applications. These connection servers communicate with each other via the DLR.

• The DLR has an uplink to VMware NSX Edge Services Gateways (ESGs) for north-south communication.

• A dynamic routing protocol needs to be configured between the DLR and Edge. In this environment, HPE used the Border Gateway Protocol (BGP). If needed, other protocols such as OSPF can also be configured.

• In the resource block, the desktop pools will be deployed on VXLAN based logical switches. In Figure 4 below, we have created two RDSH desktop pools namely Engineering pool and Finance pool.

• Similar to the management block, BGP based routing is configured on the resource block to provide communication between the DLR, ESGs and aggregation switches.

• VMware NSX ESGs enable Active Directory users (external) to communicate with the Connection servers and desktops that are deployed on logical switches. Two ESGs are deployed in this environment to provide an active-active configuration. Additional ESGs can be deployed for scalability purposes.

• In this deployment, ESGs are providing load balancing of the two Horizon Connection servers using a one-armed configuration.

Table 2 defines the VLANs utilized in the creation of this Reference Architecture.

Table 2. VLANs utilized

VLAN                    VLAN ID
Data center Management  21
Horizon Management      102
Horizon Solution        220
VMware vMotion          23
High Availability       106

Table 3 lists the VMware NSX VXLAN logical switches utilized in the creation of this Reference Architecture (the second management VXLAN carries the Unified Access Gateway appliances shown in Figure 4).

Table 3. VMware NSX VXLANs utilized

VXLAN                                        VXLAN ID
VXLAN A – VMware Horizon Connection Servers  5000
VXLAN B – VMware Horizon Security Servers    5001
VXLAN C – Desktop Pool 1                     6000
VXLAN D – Desktop Pool 2                     6001

Figure 4 represents the network architecture layout designed for this Reference Architecture solution. VMware NSX, a Software-Defined Networking (SDN) solution, has been adopted in the VMware Horizon block. The solution can be viewed in three blocks: the VMware Horizon Management block, comprising two VXLANs that provide a secure environment for the VMware Horizon management servers; the VMware Horizon Solution block, comprising two VXLANs where each VXLAN is aligned to a desktop pool, giving a secure boundary between the two groups; and the HPE Synergy block, the network foundation comprising the VLAN environment that exists in any data center.

East-west traffic is further secured by micro-segmentation powered by VMware NSX, described in the section Configuration of micro-segmentation powered by VMware NSX.

[Figure 4 is a diagram; the labels it carries are summarised here.] Horizon Management Block (Management Cluster, 3 x HPE Synergy 480 Gen10): Connection Server 1 and 2 on VXLAN A and UAG 1 and 2 on VXLAN B, both attached to an NSX Distributed Logical Router (LIF 1, LIF 2) that peers over BGP with the Management Edge gateway; the edge uplinks through the Horizon dvSwitch to dvPortGroup Management on VLAN 21. The Management vCenter, Management NSX Manager, Active Directory, HPE Synergy Composer and HPE Synergy Image Streamer sit on VLAN 102. Horizon Resource Block (Solution Cluster, 6 x HPE Synergy 480 Gen10): Desktop Pool 1 (Engineering Dept, E-RDS 1..N) on VXLAN C and Desktop Pool 2 (Finance Dept, F-RDS 1..N) on VXLAN D, attached to a second NSX Distributed Logical Router that peers over BGP with the Solution Edge gateway, which uplinks to dvPortGroup Solution on VLAN 220; the Solution vCenter and Solution NSX Manager are in this block. Both blocks share one VXLAN Transport Zone. HPE Synergy Block: the HPE Synergy Composable Fabric (redundant HPE VC SE 40Gb F8 modules) carries VLAN 21 (Datacenter Management), VLAN 102 (Management), VLAN 220 (Solution), VLAN 23 (vMotion) and VLAN 106 (High Availability), with uplinks to the End of Row switch; storage is an HPE 3PAR array with its Virtual Service Processor (VSP).

Figure 4. Solution Network layout architecture


Hardware solution components

HPE Synergy
HPE Synergy lets IT administrators and developers use infrastructure as code to deploy and manage their data center environments. Developers and ISVs can programmatically control a Composable Infrastructure through a single, open API that is native in HPE Synergy powered by HPE OneView. HPE Synergy Image Streamer adds the ability to manage physical servers like virtual machines. This new approach for Composable Infrastructure combines true stateless computing with rapid deployment and updates. This Reference Architecture is built upon the following composability concepts and capabilities of the HPE Synergy platform as shown in Figure 5.

Fluid resource pools
HPE Synergy allows the transformation of traditionally rigid physical systems into flexible virtual resource pools. HPE Synergy creates resource pools of “stateless” compute, storage, and fabric capacity that can be configured almost instantly to rapidly provision infrastructure for a broad range of applications.

Software-defined intelligence
The software-defined intelligence in HPE Synergy reduces operational complexity and enables IT organizations to make needed programmatic changes quickly and confidently, with minimal human intervention. HPE Synergy abstracts operational details and replaces them with high-level, automated operations. HPE Synergy uses templates to automatically implement change operations such as updating firmware, adding additional storage to a service, or modifying networks.

Unified API
HPE Synergy delivers automation through a unified API that provides a single interface to discover, inventory, configure, provision, update, and diagnose the Composable Infrastructure in a heterogeneous environment. This fully programmable interface integrates into dozens of popular management tools such as Microsoft System Centre, VMware vCenter and open source automation and DevOps tools such as Chef, Docker, and OpenStack. This Reference Configuration uses simpler and widely used tools, such as Windows PowerShell and VMware PowerCLI, to demonstrate the on-demand composability feature of the HPE Synergy platform.

Figure 5. The three architectural principles of HPE Synergy Composable Infrastructure

HPE Synergy Composer
HPE Synergy Composer provides enterprise-level management to compose and deploy system resources to your application needs. This management appliance uses software-defined intelligence with embedded HPE OneView to aggregate compute, storage and fabric resources in a manner that scales to your application needs, instead of being restricted to the fixed ratios of traditional resource offerings. HPE OneView server profiles and profile templates capture the entire server configuration in one place, enabling administrators to replicate new server profiles and to modify them as needed to reflect changes in the data center. With the HPE OneView REST API and automation tools, the entire process of server personality definition and configuration can be automated. For this Reference Configuration the HPE OneView REST API and PowerShell library were used to automate the server profile application to “stateless” servers.


HPE Synergy Image Streamer
The HPE Synergy Image Streamer management appliance works with HPE Synergy Composer for fast, software-defined control over physical compute modules with operating system and application provisioning. HPE Synergy Composer powered by HPE OneView captures the physical state of the server in a server profile. HPE Synergy Image Streamer enhances this server profile by capturing the “golden image” as the “deployed software state” in the form of bootable image volumes. These bootable images are stored on redundant HPE Synergy Image Streamer appliances, and they are available for fast deployment to multiple compute modules. This enables bare-metal compute modules to boot directly into a running OS with applications in a desired state.

HPE Synergy Image Streamer uses scripts to deploy and capture OS images as part of the server provisioning process. Below are some of the terminologies and concepts used in this document to discuss the server provisioning process via HPE Synergy Image Streamer.

• Plan script: A script used by OS build plans to personalize OS volumes based upon the values of custom attributes.

• OS build plan: A set of plan scripts used to modify the configuration of an OS volume during the deployment or capture process.

• Golden image: A generic format of an application and operating system image that can be customized for multiple deployments.

• Deployment plan: A combination of an OS build plan and golden image that is used by a server profile for the deployment of a server.

• Custom attributes: Custom attributes are used to provide server-specific configuration information.

• Artifacts: Artifacts are entities that combine to either perform deployment of servers or capture operating system images. In HPE Synergy Image Streamer, artifacts include Plan Script (PS), OS Build Plan (BP), Golden Image (GI), and Deployment Plan (DP).

Note The HPE Synergy Image Streamer team has predefined artifacts that can be installed once the HPE Synergy Image Streamer is up and running. These artifacts contain foundation build plans used to capture and deploy images. These artifacts can be downloaded from https://github.com/HewlettPackard/image-streamer-tools.

Figure 6 shows the use of server profiles to deploy software state on a stateless compute module.

Figure 6. HPE Synergy Composer server templates and HPE Synergy Image Streamer deployment


HPE Synergy server profile templates bring intelligence into the infrastructure with a single interface that allows end-to-end control of the entire infrastructure. These built-in workload templates allow users to provision, configure, and update infrastructure according to the needs of the workload rather than the needs of a particular device.

Figure 7. Server profile templates to update/maintain infrastructure and enforce configuration compliance
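As an added example that is not the Reference Architecture's own automation (which used the HPE OneView PowerShell library), the following Python composes a profile for each stateless compute module from a server profile template over the HPE OneView REST API and then lists the profiles whose templateCompliance is anything other than Compliant, which is the drift that template-based compliance enforcement is meant to surface. The endpoints (/rest/login-sessions, /rest/server-profile-templates/{id}/new-profile, /rest/server-profiles) and the Auth and X-API-Version headers are those of the OneView REST API; API version 600 for OneView 4.0 is an assumption, and the appliance hostname, credentials, template URI and server-hardware URIs are placeholders to be replaced. The sample profile list used by the compliance check is constructed for the illustration.

```python
"""Compose stateless servers from a OneView server profile template and report
template drift. Added illustration over the HPE OneView REST API; hostnames,
credentials and URIs below are placeholders, API version 600 is assumed."""
import json
import ssl
import urllib.request
from typing import Dict, List, Optional

API_VERSION = "600"  # assumed value for HPE OneView 4.0


class OneViewClient:
    """Minimal session-based client; TLS verification stays on by default."""

    def __init__(self, host: str, verify_tls: bool = True) -> None:
        self.base = f"https://{host}"
        self.session_id: Optional[str] = None
        self.ctx = ssl.create_default_context()
        if not verify_tls:  # only for a lab appliance with a self-signed certificate
            self.ctx.check_hostname = False
            self.ctx.verify_mode = ssl.CERT_NONE

    def _request(self, method: str, path: str, body: Optional[dict] = None) -> dict:
        headers = {"Content-Type": "application/json", "X-API-Version": API_VERSION}
        if self.session_id:
            headers["Auth"] = self.session_id  # session token returned by login
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(self.base + path, data=data, headers=headers, method=method)
        with urllib.request.urlopen(req, context=self.ctx) as resp:
            return json.loads(resp.read() or b"{}")

    def login(self, user: str, password: str) -> None:
        reply = self._request("POST", "/rest/login-sessions",
                              {"userName": user, "password": password})
        self.session_id = reply["sessionID"]

    def new_profile_from_template(self, template_uri: str) -> dict:
        """Profile body pre-populated from the template by the appliance."""
        return self._request("GET", template_uri + "/new-profile")

    def create_profile(self, body: dict) -> dict:
        return self._request("POST", "/rest/server-profiles", body)

    def list_profiles(self) -> List[dict]:
        return self._request("GET", "/rest/server-profiles")["members"]


def profile_body(template_profile: dict, name: str, server_hardware_uri: str) -> dict:
    """Bind a template-derived profile body to one compute module (does not mutate input)."""
    body = dict(template_profile)
    body["name"] = name
    body["serverHardwareUri"] = server_hardware_uri
    return body


def noncompliant_profiles(profiles: List[dict]) -> Dict[str, str]:
    """Profiles whose configuration has drifted from (or is unknown against) their template."""
    return {p["name"]: p.get("templateCompliance", "Unknown")
            for p in profiles if p.get("templateCompliance") != "Compliant"}


# Constructed sample of what /rest/server-profiles returns, reduced to the fields used here.
SAMPLE_PROFILES = [
    {"name": "vdi-host-01", "templateCompliance": "Compliant"},
    {"name": "vdi-host-02", "templateCompliance": "NonCompliant"},
    {"name": "vdi-host-03"},  # no compliance data reported
]


if __name__ == "__main__":
    client = OneViewClient("oneview.example.internal")  # placeholder appliance
    client.login("automation", "change-me")             # placeholder credentials
    template = "/rest/server-profile-templates/REPLACE-WITH-TEMPLATE-ID"
    hardware = ["/rest/server-hardware/REPLACE-1", "/rest/server-hardware/REPLACE-2"]
    for i, hw in enumerate(hardware, 1):
        body = profile_body(client.new_profile_from_template(template), f"vdi-host-{i:02d}", hw)
        client.create_profile(body)
    print("drifted:", noncompliant_profiles(client.list_profiles()))
```

Keep TLS verification on against the production appliance (the verify_tls=False path exists only for a lab appliance with a self-signed certificate), and run the script under the narrowest OneView role that can create server profiles rather than a full infrastructure administrator account.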

HPE Synergy 12000 Frame
The HPE Synergy 12000 Frame is a key element of HPE Synergy, providing the base for an intelligent infrastructure with embedded management and scalable links for expansion as business demand requires. The HPE Synergy 12000 Frame is the base infrastructure that pools resources of compute, storage, fabric, cooling, power and scalability. With an embedded management solution combining the HPE Synergy Composer and HPE Synergy Frame Link Modules, IT can manage, assemble and scale resources on demand. The HPE Synergy 12000 Frame is designed for needs now and in the future with expanded compute and fabric bandwidths. HPE Synergy 12000 Frame specifications can be found in the HPE Synergy 12000 Frame QuickSpecs. For more information on HPE Synergy architecture and components, visit the HPE Synergy website.

HPE Synergy 480 Gen10 Compute Module
The HPE Synergy 480 Gen10 Compute Module delivers superior capacity, efficiency, and flexibility in a two-socket, half-height, single-wide form factor to support demanding workloads. Powered by Intel® Xeon® Scalable processors (the configuration tested here uses the Xeon Gold 6150, see Table 4) and featuring support for up to 1.5TB of HPE DDR4 SmartMemory, flexible storage controller options and three I/O connectors, and designed to create a pool of flexible compute capacity within a composable infrastructure, the HPE Synergy 480 Gen10 Compute Module is an ideal platform for general-purpose enterprise workload performance now and in the future. Table 4 describes the configuration tested for this Reference Architecture.

Table 4. HPE Synergy 480 Gen10 hardware components (quantities are per node)

Hardware                Quantity  Description
CPU                     2         Intel(R) Xeon(R) Gold 6150 CPU @ 2.70GHz
Memory                  12        HPE 32GB (1x32GB) Dual Rank x4 DDR4-2666 CAS-19-19-19 Registered Memory Kit
16Gb Fibre Channel HBA  1         HPE Synergy 3530C 16G Fibre Channel Host Bus Network Adapter
10/20Gb CNA             1         HPE Synergy 3820C 10/20Gb Converged Network Adapter


HPE 3PAR StoreServ 8450 All Flash array
HPE 3PAR StoreServ 8000 series storage, with one of the lowest all-flash starting prices in the market, delivers the performance advantages of a purpose-built, flash-optimized architecture without compromising resiliency, data services, or data mobility. Unlike other purpose-built flash arrays, the HPE 3PAR StoreServ 8450 All Flash array does not require the introduction of an entirely new architecture to achieve flash-optimized performance. Options support true convergence of block and file protocols, application-managed data protection and simplified fabric zoning along with SAN diagnostics. Best practices for HPE 3PAR StoreServ were followed to build this solution; these best practices are outlined in the HPE 3PAR StoreServ best practices guide. Table 5 describes the as-tested configuration of the storage used to create this Reference Architecture.

Table 5. HPE 3PAR StoreServ 8450 All Flash configuration

Component           Quantity               Description
Storage Controller  2 pairs (4 nodes)      HPE 3PAR 8000 10-core 2.4GHz Controller Node
Enclosures          2                      HPE 3PAR 8000 SFF SAS Drive Enclosure
Drives              24 (12 per enclosure)  480 GiB cMLC SSD
Cache                                      384 GiB
Host Interface      8                      16 Gb/sec Fibre Channel Ports
300GB HDD Storage   2                      HPE 300GB SAS 12G Enterprise 10K SFF (2.5in) SC 3yr Wty HDD

HPE Synergy fabric interconnects
The HPE Synergy architecture includes three fabric interconnect types: HPE Virtual Connect modules, switches, and pass-thru modules. The Virtual Connect modules are managed through the HPE Synergy Composer. The switches and pass-through modules can be managed through a command-line interface (CLI) and monitored through the HPE Intelligent Management Centre (IMC).

HPE Virtual Connect modules
The HPE Virtual Connect SE 40Gb F8 Module operates as the master module. It has 8 x QSFP+ uplinks: six are unified (FC and Ethernet) and dedicated to the upstream switches, and the last two are reserved exclusively for the ICM cluster ports that enable M-LAG between two VC modules, so they cannot be used as Ethernet uplink ports. An FC license is needed to use the FC interface on the uplinks; once activated, FC uplinks can be used for either NPIV or Flat SAN. The module has 12 downlink ports, each able to operate at 10/20Gb or 40Gb; 40Gb downlinks are enabled with 40Gb adapter availability and require a 40Gb license on Virtual Connect. You can read more in the QuickSpecs document at https://h20195.www2.hpe.com/v2/getdocument.aspx?docname=c04815258.

The HPE VC SE 16Gb FC Module is the first Virtual Connect module with quad small form-factor pluggable (QSFP) uplinks and complements the HPE Virtual Connect SE 40Gb F8 Module for Fibre Channel based SAN networks. It is the ideal module for higher bandwidth applications in FC-based SAN networks and works with templates and software-defined infrastructure based on HPE OneView. You can read more in the QuickSpecs document at https://h20195.www2.hpe.com/v2/GetPDF.aspx/c04815258.pdf.

Table 6 lists the HPE Synergy components used in the creation of this Reference Architecture.

Table 6. HPE Synergy components utilized in this Reference Architecture

Component                                          Quantity
HPE Synergy 480 Gen10 Compute Module               9 nodes
HPE Virtual Connect SE 16Gb FC Module for Synergy  6 (redundant)
HPE Virtual Connect SE 40Gb F8 Module for Synergy  2 (redundant)
HPE Synergy 20Gb Interconnect Link Module          4 (redundant)
HPE Synergy 12000 Frame                            3 (minimum for configurations with HPE Synergy Image Streamer)
HPE Synergy Image Streamer                         2 (redundant)
HPE Synergy Composer                               2 (redundant)


Software solution components
Table 7 lists the software components used in this Reference Architecture; the layers of the full solution stack are described below it.

Table 7. The software used during testing of this Reference Architecture

Component                                  Version
HPE
  HPE OneView                              4.0
  HPE 3PAR Operating System                3.2.2
  HPE 3PAR StoreServ Administrator Console 3.2.0
VMware
  VMware vCenter                           6.5
  VMware ESXi                              6.5 U2, Build
  VMware Horizon Suite                     7.4.0
  VMware NSX                               6.4
Microsoft
  Microsoft Office                         2013 Professional
  Microsoft Windows 10                     Enterprise
  Microsoft Windows Server 2016            Standard

Management software layer
The management block is comprised of three HPE Synergy 480 Gen10 management host servers running ESXi 6.5.0 Update 2 as the hypervisor. The management servers provide a management software layer that manages the entire solution. The management stack includes the HPE Synergy Composer hosting HPE OneView 4.0, HPE Synergy Image Streamer, the VMware Horizon 7.4 software suite, vCenter 6.5, VMware NSX 6.4 and other management components. Data center management components such as Active Directory, DNS, and user profile shares were external to the solution.

Central management of the entire solution is HPE OneView 4.0; through its integration with vCenter via HPE OneView for VMware vCenter, VMware administrators can perform hardware management tasks from the same vCenter interface. HPE Synergy Image Streamer is the management appliance in the HPE Synergy solution used to deploy stateless compute nodes within the Synergy environment; the appliances are deployed in pairs for high availability.

Solution layer
The solution block has six HPE Synergy 480 Gen10 servers running ESXi 6.5. It has been used to test two workloads, RDSH and VDI desktops, on the HPE Synergy platform. The solution stack also comprises vCenter 6.5, VMware NSX 6.4 and the VMware Horizon software components.


Storage layer
Orchestrated by HPE OneView, the storage block is comprised of an HPE 3PAR StoreServ 8450 All Flash array to serve high-performance workloads, integrated with a storage network of two HPE SN6000B Fibre Channel switches, two drive enclosures, and twenty-four (24) 480GB cMLC SSD drives. Other software components such as the HPE 3PAR StoreServ management console, HPE 3PAR StoreServ OS and plugins are included to enable additional management capabilities and granular tuning of the environment.

[Figure 8 is a diagram; the labels it carries are summarised here.] HPE Synergy Front View: three HPE Synergy 12000 Frames, each with an HPE Synergy Composer and an HPE Synergy Image Streamer in Appliance Bays 1 and 2 and HPE Synergy 480 Gen10 compute modules in the front bays, grouped into a Management Layer (three compute modules) and a Solution Layer (six compute modules). HPE Synergy Rear View (Network Layer): HPE VC SE 40Gb F8 modules in the master frame, HPE Synergy 20Gb Interconnect Link Modules in the satellite frames, HPE VC SE 16Gb FC modules (two per frame) and redundant 2650W 200-240VAC power supplies, with uplinks to data center switching. Storage Layer: the SAN fabric (labelled HPE SN6000B, drawn as two HPE SN6600B FC switches) in front of the HPE 3PAR StoreServ 8450 All Flash array, which presents the Management Volumes (1TB x 2) and the Solution Volumes (1TB x 4).

Figure 8. Logical storage solution layout


Networking and security layer
HPE Synergy Composable Fabric enhances the familiar Virtual Connect ‘wire-once’ experience. It is based on a disaggregated, rack-scale design and uses a master/satellite architecture to consolidate data center network connections, reduce hardware and scale network bandwidth across multiple HPE Synergy Frames. This architecture, shown in Figure 9, reduces costs and simplifies networking. The master module contains the intelligent networking capabilities and extends connectivity to satellite frames through Interconnect Link Modules. The result is that no top-of-rack switch is needed: new satellite frames are connected to the master module instead of a ToR switch, which substantially reduces cost. The reduction in components also simplifies fabric management at scale while consuming fewer ports at the data center aggregation layer.

Figure 9. HPE Synergy Composable Fabric connectivity

The Reference Architecture also brings network virtualization to the VDI deployment. VMware NSX enables virtual networks to be created without reconfiguring the physical network. It is a non-disruptive solution that is deployed on any IP network, including existing data center network designs or next-generation fabric architectures from any networking vendor; with NSX, the physical network infrastructure already in place is sufficient to deliver a software-defined data center.

VMware NSX micro-segmentation is implemented in this Reference Architecture and provides the security foundation for the software-defined data center. Micro-segmentation reduces risk and increases security within the data center, which makes VMware NSX well suited to securing intra-data center (east-west) traffic. The software-defined network provides micro-segmentation through distributed stateful firewalling, overlay-based isolation and centralized policy control.


Application software

VMware Horizon environment
The VMware Horizon Suite for VDI infrastructure has been implemented in this Reference Architecture. The Horizon environment is designed around pods and blocks for a scalable approach. A pod comprises a group of interconnected View Connection Servers that broker desktops and apps, as shown in Figure 10. A pod can broker up to 10,000 sessions, and Cloud Pod Architecture is used to connect multiple pods. A pod can be further divided into multiple blocks, each block typically serving up to 2,000 sessions. In this Reference Architecture one Horizon Management Block and one Horizon Resource Block have been implemented. The Horizon Resource Block supports approximately 1,300 users across desktops and RDSH, as demonstrated in this paper.

[Figure 10 is a diagram; the labels it carries are summarised here.] Management Block: one vSphere cluster of three HPE Synergy 480 Gen10 compute modules hosting the vCenter and NSX Manager instances (three of each are drawn), four View Connection Servers, two Unified Access Gateways and the DB server(s). Resource Blocks: three are drawn, each a vSphere cluster of six HPE Synergy 480 Gen10 compute modules with its own virtual switch, desktop pools and storage.

Figure 10. VMware Horizon Deployment Topology with VMware NSX in Pods on HPE Synergy


VMware NSX for vSphere
VMware NSX for vSphere is a virtualized networking component in the Software Defined Data Centre (SDDC) architecture, which programmatically creates, snapshots, deletes, and restores software-based virtual networks. With network virtualization, the functional equivalent of a network hypervisor, NSX reproduces the complete set of Layer 2 to Layer 7 networking services (e.g., switching, routing, firewalling, and load balancing) in software. It allows these services to be programmatically assembled in any arbitrary combination to produce unique, isolated virtual networks in a matter of seconds. NSX also provides a platform for various security services, both network and endpoint based. NSX provides various built-in services, including L2-L4 firewall and activity monitoring. Additionally, security vendors can leverage its guest introspection and network introspection frameworks to deliver service-chained next-generation firewall, IDS/IPS, agentless AV, file integrity monitoring, and vulnerability management capabilities. Figure 11 depicts the components of NSX along with the categorization of each component.

Management plane: NSX Manager (single point of configuration; REST API and UI interface), with vCenter and the Message Bus Agent.

Control plane: NSX Controller and NSX Logical Router Control VM (manage logical networks and run-time state; do not sit in the data path; control-plane protocol only).

Data plane: NSX vSwitch (the Distributed Switch with the ESXi hypervisor kernel modules for VXLAN and the Distributed Logical Router, plus the User World Agent; a distributed network edge at line-rate performance) and the NSX Edge Services Gateway (VM form factor; data plane for north-south traffic; routing and advanced services).

Figure 11. VMware NSX Components

VMware NSX Manager
NSX Manager is the centralized network management component of NSX. It is installed as a virtual appliance on an ESXi host managed by vCenter; there is a one-to-one mapping between an NSX Manager and a vCenter Server. It provides a management UI and is integrated with vCenter via a vSphere Web Client plugin. It is used to install and configure the VXLAN, distributed routing and firewall kernel modules and agents on the ESXi hosts, and it deploys the NSX Controllers and Edge appliances.

VMware NSX Controller
NSX Controller is an advanced distributed state management system that provides control plane functions for NSX logical switching and routing. It is the central control point for all logical switches within a network and maintains information about all hosts, logical switches (VXLANs), and distributed logical routers. The controller cluster is responsible for managing the distributed switching and routing modules in the hypervisors. The controller does not have any data-plane traffic passing through it. Controller nodes are deployed in a cluster of three members to enable high availability and scale. A failure of a controller node does not impact data-plane traffic.

VMware NSX Edge
NSX Edge can be deployed as an Edge Services Gateway (ESG) or as a DLR. The ESG gives access to all NSX Edge services such as firewall, NAT, DHCP, VPN, load balancing, and high availability. An ESG has uplink interfaces that connect to uplink port groups with access to a shared corporate network or to a service that provides access-layer networking. Multiple external IP addresses can be configured for the load balancer, site-to-site VPN and NAT services. The internal interfaces of an ESG connect to secured port groups and act as the gateway for all protected virtual machines in those port groups. The DLR, on the other hand, provides east-west distributed routing with tenant IP address space and data path isolation. It has an uplink interface that connects to an ESG, with an intervening Layer 2 logical transit switch between the DLR and the ESG. An internal interface on a DLR connects to virtual machines hosted on ESXi hypervisors, with an intervening logical switch between the virtual machines and the DLR.

Micro-segmentation powered by VMware NSX
NSX as a security platform enables micro-segmentation in the Horizon deployment. NSX offers fine-grained desktop-to-desktop and desktop-to-enterprise-application controls, using both distributed and edge firewall configurations to protect a Horizon end user environment. Additionally, NSX can protect the Horizon management infrastructure from attacks. The NSX platform also allows third-party vendors to use the guest and network introspection frameworks to provide next-generation firewall, IDS/IPS, and agentless anti-virus. Micro-segmentation provides three foundational security capabilities: isolation, segmentation, and service insertion.

Network Isolation - Isolation is the foundation of most network security, whether for compliance, containment, or separation of distinct operational environments. Manually configured and maintained routing, ACLs, and firewall rules on physical devices have traditionally been used to establish and enforce isolation and multi-tenancy. Virtual networks (e.g., leveraging VXLAN technology) are isolated from other virtual networks as well as from the underlying physical infrastructure by default, delivering the security principle of least privilege. Virtual networks are created in isolation and remain isolated unless specifically connected. No physical subnets, VLANs, ACLs, or firewall rules are required to enable this isolation.

Network Segmentation – Segmentation is related to isolation but applied within a multi-tier virtual network. Network segmentation is traditionally a function of a physical firewall or router, designed to permit or deny traffic between network segments or tiers (e.g., segmentation between a web, application, and database tiers). Network segmentation is also a core capability of VMware NSX network virtualization. A virtual network can support a multi-tier network environment, either multiple L2 segments with L3 segmentation or a single-tier environment where workloads are all connected to a single L2 segment using distributed firewall rules. Both scenarios achieve the same goal of micro-segmenting the virtual network to offer workload-to-workload traffic protection, also referred to as east-west protection.

Advanced Services - NSX as a security platform provides L2-L4 stateful firewalling features that deliver segmentation within virtual networks. Some customers require more advanced network security capabilities; these environments can leverage VMware NSX to distribute, enable, and enforce advanced network security services in a virtualized network environment. A powerful benefit of NSX is its ability to build policies that leverage service insertion, chaining, and steering to drive service execution in the logical services pipeline based on the result of other services. This functionality makes it possible to coordinate otherwise completely unrelated network security services from multiple vendors. Service insertion allows the NSX platform to be leveraged by the entire ecosystem of VMware’s security solution providers.

Best practices and configuration guidance for the solution

HPE Synergy Solution Configuration

The HPE Synergy hardware for this Reference Architecture was set up following the HPE Synergy Configuration and Compatibility Guide. This section describes the setup of the components specific to this Reference Architecture. HPE Synergy Image Streamer requires a minimum of three HPE Synergy 12000 Frames in a production environment, so three HPE Synergy 12000 Frames were configured, with redundant HPE Synergy Composers and HPE Synergy Image Streamers. Ten HPE Synergy 480 Gen10 servers were used in the solution. Three HPE Synergy 480 Gen10 servers form the management cluster, one in each HPE Synergy 12000 frame. Six HPE Synergy 480 Gen10 servers form the solution cluster, two in each HPE Synergy 12000 frame. Spanning the servers across the three HPE Synergy frames provides high availability and performance.

HPE Synergy supports both traditional single-frame networking and a multi-frame, single-switch architecture, referred to as a Master/Satellite fabric. In a Master/Satellite configuration there is a single fabric switch or HPE Virtual Connect module (the Master) whose ports span multiple HPE Synergy 12000 Frames through Satellite interconnect modules. Logically, every compute module in a multi-frame Master/Satellite configuration is directly connected to the master switch or master HPE Virtual Connect module. The three-frame Reference Configuration used a Master/Satellite configuration. The master module holds the intelligent networking capability and extends connectivity to the satellite frames through Interconnect Link Modules. This removes the need for top-of-rack (ToR) switches: each new satellite frame connects to the master module rather than to a ToR switch, which substantially reduces cost.

The reduction in components also simplifies fabric management at scale while consuming fewer ports at the data center aggregation layer. Figure 12 below depicts this Master/Satellite fabric connectivity configuration.

Figure 12. HPE Synergy Master/Satellite Connectivity (diagram: three HPE Synergy 12000 frames; HPE VC SE 40Gb F8 master modules and HPE Synergy 20Gb Interconnect Link Modules in the satellite bays, with the uplinks leaving from the master modules)

HPE Synergy with VMware vSphere

The HPE Synergy multi-frame architecture provides several options for designing VMware vSphere clusters, both within a single rack and spanning multiple racks for high availability. The sample configuration in Figure 13 shows HPE Synergy in a three-frame logical enclosure with six VMware vSphere clusters. Each six-node VMware vSphere cluster spans the three HPE Synergy 12000 frames to improve availability. Clusters should be homogeneous, with all components installed identically across all ESXi hosts, so that firmware, drivers, and software are at the same revisions and service-related events are reduced. For VMware vSphere environments on HPE Synergy, refer to the HPE Synergy and VMware vSphere Best Practices guide.

Figure 13. VMware vSphere scalability example on HPE Synergy

HPE Synergy with HPE 3PAR StoreServ

HPE 3PAR StoreServ is positioned as an external-to-the-frame option but is still part of the overall HPE Composable Storage family. HPE Synergy Composer allows 3PAR storage resources to be aggregated and disaggregated fluidly and in flexible ratios. Both in-frame composable storage and HPE 3PAR StoreServ are managed through the HPE Synergy Composer software-defined intelligence.

Each HPE Synergy 12000 frame has two HPE Virtual Connect SE 16Gb FC modules, placed in Interconnect Bay 2 and Interconnect Bay 3. Their QSFP ports significantly simplify the cabling infrastructure, reducing cables from four to one, and cut the power attributed to optical transceivers by about 2.5x. The HPE VC SE 16Gb FC module provides up to 384 Gb/s of bandwidth.

HPE 3PAR StoreServ 8450 All Flash storage delivers key advantages for client virtualization: high performance to meet peak demands during boot storms, login storms, virus scans, image updates and patching, and non-disruptive scalability to support client growth. On an all-flash array, application and workload performance can be accelerated further by following the HPE 3PAR StoreServ best practices for VMware vSphere environments described below. The HPE Synergy frames were connected to the HPE 3PAR StoreServ through HPE SAN switches as shown in figure 14.

Figure 14. HPE Synergy Connectivity with HPE 3PAR StoreServ 8450 All Flash Array (diagram: HPE VC SE 16Gb FC modules in HPE Synergy 12000 Frame-1, Frame-2 and Frame-3 cabled to two HP SN6000B 16Gb FC switches forming the HPE SN6000B SAN fabric, which connects to the FC ports of the HPE 3PAR StoreServ 8450 All Flash controller nodes)

Thin virtual volumes were provisioned to each cluster, and I/O was balanced on each node across all LUNs and storage queues. HPE 3PAR StoreServ virtual volumes should be exported over multiple paths to each host; this arrangement gives maximum flexibility and sustained performance during a VM migration or a component failure in the environment. All volumes were configured with the Round Robin path selection policy, as recommended by the HPE 3PAR StoreServ and VMware best-practices documentation, as shown in figure 15. VMware Storage I/O Control (SIOC) was enabled on all VMFS datastores; SIOC enforces per-VM I/O shares when a datastore becomes congested, which keeps read/write latency in check across the VMs and delivers more predictable storage performance.

Figure 15. VMware ESXi Multipath Configuration
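The multipath settings above are easy to drift from when new volumes are exported or hosts are rebuilt. As an added example that is not part of this Reference Architecture, the following Python script audits the output of "esxcli storage nmp device list" for HPE 3PAR devices: it checks the ALUA SATP, the Round Robin PSP, a Round Robin IOPS limit of 1 (the value HPE's 3PAR implementation guide for ESXi applies through a custom SATP claim rule; this document does not state it, so treat it as an assumption), and that each LUN has more than one working path. The sample output is constructed to match the esxcli format, and the NAA identifiers are made up.

```python
# Added example, not part of the HPE reference architecture: audit the ESXi
# multipath settings described above for HPE 3PAR LUNs by parsing the output of
# "esxcli storage nmp device list". The sample output below is constructed to
# match that command's format (the NAA identifiers are made up); pass a file
# captured from a real host as the first argument to audit it instead.
import re
import sys
from typing import Dict, List

SAMPLE_NMP_OUTPUT = """\
naa.60002ac00000000000000001000152a1
   Device Display Name: 3PARdata Fibre Channel Disk (naa.60002ac00000000000000001000152a1)
   Storage Array Type: VMW_SATP_ALUA
   Storage Array Type Device Config: {implicit_support=on; explicit_support=off; explicit_allow=on; alua_followover=on; action_OnRetryErrors=off; {TPG_id=256,TPG_state=AO}}
   Path Selection Policy: VMW_PSP_RR
   Path Selection Policy Device Config: {policy=iops,iops=1,bytes=10485760,useANO=0; lastPathIndex=3: NumIOsPending=0,numBytesPending=0}
   Path Selection Policy Device Custom Config:
   Working Paths: vmhba0:C0:T0:L1, vmhba0:C0:T1:L1, vmhba1:C0:T0:L1, vmhba1:C0:T1:L1
   Is USB: false

naa.60002ac00000000000000002000152a1
   Device Display Name: 3PARdata Fibre Channel Disk (naa.60002ac00000000000000002000152a1)
   Storage Array Type: VMW_SATP_ALUA
   Storage Array Type Device Config: {implicit_support=on; explicit_support=off; explicit_allow=on; alua_followover=on; action_OnRetryErrors=off; {TPG_id=256,TPG_state=AO}}
   Path Selection Policy: VMW_PSP_MRU
   Path Selection Policy Device Config: Current Path=vmhba0:C0:T0:L2
   Path Selection Policy Device Custom Config:
   Working Paths: vmhba0:C0:T0:L2
   Is USB: false
"""

def parse_nmp_device_list(text: str) -> List[Dict[str, str]]:
    """Split esxcli output into one dict per device (an unindented line starts a device)."""
    devices: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):
            current = {"device": line.strip()}
            devices.append(current)
        elif current and ":" in line:
            # split on the first colon only; path lists contain colons themselves
            key, _, value = line.strip().partition(":")
            current[key.strip()] = value.strip()
    return devices

def audit_3par_multipath(devices: List[Dict[str, str]], min_paths: int = 2) -> List[str]:
    """Return one finding per deviation; an empty list means every 3PAR LUN complies."""
    findings: List[str] = []
    for d in devices:
        if "3PARdata" not in d.get("Device Display Name", ""):
            continue  # only HPE 3PAR volumes are in scope
        name = d["device"]
        if d.get("Storage Array Type") != "VMW_SATP_ALUA":
            findings.append(f"{name}: SATP is {d.get('Storage Array Type')}, expected VMW_SATP_ALUA")
        psp = d.get("Path Selection Policy")
        if psp != "VMW_PSP_RR":
            findings.append(f"{name}: PSP is {psp}, expected VMW_PSP_RR")
        else:
            # Round Robin should switch paths every I/O (iops=1), per HPE 3PAR guidance
            m = re.search(r"\biops=(\d+)", d.get("Path Selection Policy Device Config", ""))
            if not m or int(m.group(1)) != 1:
                findings.append(f"{name}: Round Robin IOPS limit is not 1")
        paths = [p for p in d.get("Working Paths", "").split(",") if p.strip()]
        if len(paths) < min_paths:
            findings.append(f"{name}: only {len(paths)} working path(s), expected at least {min_paths}")
    return findings

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_NMP_OUTPUT
    for line in audit_3par_multipath(parse_nmp_device_list(text)) or ["OK: all 3PAR LUNs comply"]:
        print(line)
```

Run on each ESXi host after volumes are exported (for example, capture the esxcli output with an SSH session and pass the file as the argument). A LUN on VMW_PSP_MRU or with a single working path loses the balancing and failover behaviour the text relies on, which is exactly what the second sample device reports.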

HPE Synergy Image Streamer for VMware ESXi deployment

Download the HPE Image Streamer artifacts

a. Download the latest HPE Image Streamer VMware ESXi artifacts from GitHub, https://github.com/HewlettPackard/image-streamer-esxi.

b. In the HPE Image Streamer web page, go to Artifact bundles, upload the downloaded artifact zip file and, under Actions, extract the package. The HPE OS build plans and plan scripts are extracted into the Image Streamer application.

c. In the HPE Image streamer, create an empty volume deployment plan by selecting the empty volume OS build plan. The empty volume deployment plan is further used while creating the server profile to which an empty volume is assigned.

Create Server Profile

a. Create a server profile from the server profile template and assign the empty-volume OS deployment plan, as shown in the figure below. The OS deployment plan creates an empty volume on the HPE Synergy Image Streamer local storage. This volume is presented to the HPE Synergy 480 Compute Module as an iSCSI volume when the server boots, and it is where VMware ESXi will be installed. A 20GB volume was created, and HPE iLO was used to install VMware ESXi.

b. VMware ESXi 6.5 U2 is installed on the HPE Synergy Image Streamer OS volume through HPE iLO. The VMware installer detects the HPE Synergy Image Streamer OS volume as an iSCSI disk. Complete the VMware ESXi installation and shut down the OS. Figure 16 shows a snapshot of this process.

Figure 16. HPE iLO console showing image streamer volume

Create golden image of VMware ESXi, for capture and deployment.

a. A golden image needs to be created of the HPE Synergy Image Streamer OS volume on which VMware ESXi is installed. Select the Capture OS build plan as “HPE – ESXi – generalize full state –yyyy-mm-dd”.

b. Create the image of the OS volume on which VMware ESXi was installed. Figure 17 below shows a snapshot of the HPE Synergy Image Streamer capture screen.

Figure 17. HPE Synergy Image Streamer capture screen

Create HPE Synergy Image Streamer deployment plans

a. Create an HPE Synergy Image Streamer deployment plan, as shown in figure 18, by selecting the HPE-ESXi-Deploy OS build plan extracted from the artifact bundle and the golden image captured above. The deployment plan is later referenced by HPE OneView server profiles to deploy the image in the sequence defined by the build plan.

Figure 18. HPE Synergy Image Streamer deployment plan screen

Configuration of micro-segmentation powered by VMware NSX

The use cases below cover security policies configured with the NSX Distributed Firewall. The rules were created with a VMware Fling utility, the Horizon Service Installer for NSX (see Appendix C); they can also be created manually.

Scenario 1: Securing the Horizon Management Infrastructure

To micro-segment the Horizon management components, the following Distributed Firewall (DFW) rules are created in NSX.

For external endpoints communicating with internal Horizon components

Figure 19. External endpoints communication with internal Horizon components

For communication between internal endpoints and internal Horizon components

Figure 20. Communication between internal endpoints and internal Horizon components

For communication between View Connection Servers

Figure 21. Communication between View Connection Servers

Scenario 2: Securing the Horizon Desktop Infrastructure

In the Horizon block architecture a resource block is managed by its own vCenter Server and NSX Manager. The block hosts multiple RDSH and/or VDI desktop pools, each containing a number of desktops. The firewall rules and security groups shown in table 8 and table 9 are created to micro-segment the desktop infrastructure:

Table 8. Firewall rules to secure internal connections to desktops

Rule: Internal – Horizon Client to Horizon Agent
  Source:       any
  Destination:  Horizon 7 VDI; Horizon 7 RDSH
  Service:      Horizon 7 Blast Extreme TCP Horizon Client to Horizon Agent;
                Horizon 7 Blast Extreme UDP Horizon Client to Horizon Agent;
                Horizon 7 RDP Horizon Client to Horizon Agent
  Action:       Allow
  Applied To:   Distributed Firewall

Rule: Internal – Browser to Horizon Agent HTML
  Source:       any
  Destination:  Horizon 7 VDI; Horizon 7 RDSH
  Service:      Horizon 7 Browser to Horizon Agent HTML Access
  Action:       Allow
  Applied To:   Distributed Firewall

Securing VDI or RDSH desktop pools

Table 9. Firewall rules to secure VDI or RDSH desktop pools

Rule: Desktops – Horizon Agent to View Connection Server
  Source:       Horizon 7 VDI; Horizon 7 RDSH
  Destination:  View Connection Server
  Service:      Horizon 7 Horizon Agent to View Connection Server
  Action:       Allow
  Applied To:   Distributed Firewall

Rule: Desktops – Block VDI to VDI
  Source:       Horizon 7 VDI; Horizon 7 RDSH
  Destination:  Horizon 7 VDI; Horizon 7 RDSH
  Service:      any
  Action:       Block
  Applied To:   Distributed Firewall

The DFW evaluates rules top-down and the first match wins, so the "Desktops – Block VDI to VDI" rule must sit above the "any"-source allow rules of Table 8. Placed below them, desktop-to-desktop RDP or Blast traffic would match the Horizon Client to Horizon Agent allow rule first and the block would never be reached. Also check the DFW default rule for the desktop pools: anything neither table matches falls through to it, and as shipped it allows.

Scenario 3: Identity based micro-segmentation for desktop pools

The Identity based Firewall (IDFW) feature allows an NSX administrator to create DFW rules based on Active Directory users. After host preparation in NSX, Active Directory (AD) synchronization must be configured so that NSX can consume AD users and groups. User-based distributed firewall rules are then determined by AD group membership. IDFW tracks where AD users are logged in and maps each login to an IP address, which the DFW uses to apply the rules. IDFW requires the Guest Introspection framework and/or Active Directory event log scraping as its source of login events.

The following IDFW functionalities are offered through DFW:

• Application access based on defined user groups

• Policy rules defined based on Active Directory (AD) group membership

• Security Groups based on AD groups as the source of the DFW policy rules

• Destination-based permissions (e.g., the target must be a VM/virtual desktop)

• User activity monitoring, including applications accessed, top users permitted/denied, top applications, etc.

Figure 22 below showcases different examples of how IDFW policies can provide granular access based on the employee’s role in the organization.

Figure 22. Different IDFW policies (three example columns: Vendor Access, restricting vendor and contractor access to the datacenter, e.g., retail; Employee and Developer Access, access to development tools and environments for developers and offshore development centers in enterprises, insurance and universities; Call Center/Bank Teller/Doctors, high-churn access to datacenter applications, e.g., banks, hospitals and call centers)

Scenario 4: Context aware micro-segmentation for desktop pools

Context aware micro-segmentation is a new feature in NSX 6.4. The key architectural components enabling context awareness are the Context-Engine and the Context-Table, together with the components that discover contextual information for every connection. The Context-Engine is a user-space component that resides on every host in an NSX-prepared cluster; it receives the discovered contextual information and programs the Context-Table with it. The Context-Table keeps track of the context attributes of every flow passing through the distributed firewall filter. Every new connection, along with its context attributes, is checked against the Distributed Firewall rule set and mapped to a rule. The following table details the rules configured in NSX.

Table 10. Firewall rules to secure VDI or RDSH desktop pools

Name                  Source        Destination  Service  Action  Applied To
Allow ENG to ENG App  SG-ENG-USERS  SG-ENG-WEB   any      Allow   Distributed Firewall
Allow FIN to FIN App  SG-FIN-USERS  SG-FIN-WEB   any      Allow   Distributed Firewall
Block ENG to FIN App  SG-ENG-USERS  SG-FIN-WEB   any      Block   Distributed Firewall
Block FIN to ENG App  SG-FIN-USERS  SG-ENG-WEB   any      Block   Distributed Firewall

The table above depicts a rule set for the following scenario:

There are two departments in an organization, namely – Engineering and Finance. Here are some access level requests to the administrator:

• User A belongs to security group ENG and needs access to ENG-WEB application

• User B belongs to security group FIN and needs access to FIN-WEB application

• User A should not have access to FIN-WEB application since he belongs to ENG group

• User B should not have access to ENG-WEB application since she belongs to FIN group

These are the configuration steps:

1. Configure Active Directory synchronization in the NSX Manager.

2. Configure NSX Security Groups and add in the Directory Groups for Engineering and Finance into their own Security Groups – SG-ENG-USERS and SG-FIN-USERS respectively.

3. Build the NSX rules from the table above, using the NSX Security Groups for each set of users. RDSH session identity is established in the DFW by creating a new DFW section and enabling the 'Enable User Identity at source' checkbox. This makes the DFW treat the source as containing user identities and translate them to their Active Directory group SIDs for enforcement.
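As an added example that is not part of this Reference Architecture, the following Python script models how the DFW evaluates the rules of Tables 8, 9 and 10: rules are walked top-down, the first match decides, and the default rule applies otherwise. It is an offline model rather than NSX code; the VM names, user names and security-group memberships are constructed, services are matched by name rather than by port, and the Scenario 4 rule names follow their source and destination columns. It shows why the Table 9 block rule must precede the Table 8 allow rules for Scenario 2, and how the Scenario 4 identity rules resolve once a user's AD group is mapped to a security group.

```python
# Added example, not part of the HPE reference architecture: a minimal model of
# NSX Distributed Firewall (DFW) evaluation, which walks the rule list top-down
# and stops at the first match, falling through to the default rule otherwise.
# VM names, user names and security-group memberships are constructed for
# illustration; rule names and services follow Tables 8, 9 and 10.
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Set, Tuple

ANY = "any"
G = frozenset

@dataclass(frozen=True)
class Rule:
    name: str
    source: FrozenSet[str]       # NSX security groups, or {ANY}
    destination: FrozenSet[str]  # NSX security groups, or {ANY}
    service: FrozenSet[str]      # service names, or {ANY}
    action: str                  # "Allow" or "Block"

@dataclass(frozen=True)
class Flow:
    src_vm: str
    dst_vm: str
    service: str
    user: Optional[str] = None   # AD user logged on at the source VM (IDFW)

# Constructed inventory: VM -> security groups it is a member of.
VM_GROUPS = {
    "vdi-01": {"Horizon 7 VDI"}, "vdi-02": {"Horizon 7 VDI"},
    "rdsh-01": {"Horizon 7 RDSH"}, "cs-01": {"View Connection Server"},
    "eng-web-01": {"SG-ENG-WEB"}, "fin-web-01": {"SG-FIN-WEB"},
    "client-pc": set(),          # an internal endpoint outside the desktop pools
}
# Constructed IDFW mapping: after AD sync, AD group membership -> security group.
USER_GROUPS = {"alice": {"SG-ENG-USERS"}, "bob": {"SG-FIN-USERS"}}

DESKTOPS = G({"Horizon 7 VDI", "Horizon 7 RDSH"})
BLAST_TCP = "Horizon 7 Blast Extreme TCP Horizon Client to Horizon Agent"
BLAST_UDP = "Horizon 7 Blast Extreme UDP Horizon Client to Horizon Agent"
RDP = "Horizon 7 RDP Horizon Client to Horizon Agent"
HTML_ACCESS = "Horizon 7 Browser to Horizon Agent HTML Access"
AGENT_TO_CS = "Horizon 7 Horizon Agent to View Connection Server"

TABLE_8 = [  # internal connections to desktops
    Rule("Internal - Horizon Client to Horizon Agent", G({ANY}), DESKTOPS,
         G({BLAST_TCP, BLAST_UDP, RDP}), "Allow"),
    Rule("Internal - Browser to Horizon Agent HTML", G({ANY}), DESKTOPS,
         G({HTML_ACCESS}), "Allow"),
]
TABLE_9 = [  # rules applied to the VDI/RDSH pools
    Rule("Desktops - Horizon Agent to View Connection Server", DESKTOPS,
         G({"View Connection Server"}), G({AGENT_TO_CS}), "Allow"),
    Rule("Desktops - Block VDI to VDI", DESKTOPS, DESKTOPS, G({ANY}), "Block"),
]
TABLE_10 = [  # identity-based rules; user groups come from the logged-on user
    Rule("Allow ENG to ENG App", G({"SG-ENG-USERS"}), G({"SG-ENG-WEB"}), G({ANY}), "Allow"),
    Rule("Allow FIN to FIN App", G({"SG-FIN-USERS"}), G({"SG-FIN-WEB"}), G({ANY}), "Allow"),
    Rule("Block ENG to FIN App", G({"SG-ENG-USERS"}), G({"SG-FIN-WEB"}), G({ANY}), "Block"),
    Rule("Block FIN to ENG App", G({"SG-FIN-USERS"}), G({"SG-ENG-WEB"}), G({ANY}), "Block"),
]
AS_PUBLISHED = TABLE_8 + TABLE_9   # tables in the order the document lists them
HARDENED = TABLE_9 + TABLE_8       # pool block rule above the any-source allows

def source_groups(flow: Flow) -> Set[str]:
    """Groups of the source: the VM's own groups plus, with IDFW, the user's."""
    groups = set(VM_GROUPS.get(flow.src_vm, set()))
    if flow.user:
        groups |= USER_GROUPS.get(flow.user, set())
    return groups

def matches(rule: Rule, flow: Flow) -> bool:
    src_ok = ANY in rule.source or bool(rule.source & source_groups(flow))
    dst_ok = ANY in rule.destination or bool(
        rule.destination & VM_GROUPS.get(flow.dst_vm, set()))
    svc_ok = ANY in rule.service or flow.service in rule.service
    return src_ok and dst_ok and svc_ok

def evaluate(rules: List[Rule], flow: Flow, default: str = "Allow") -> Tuple[str, str]:
    """Return (action, rule name) of the first matching rule, else the default rule."""
    for rule in rules:
        if matches(rule, flow):
            return rule.action, rule.name
    return default, "Default Rule"

if __name__ == "__main__":
    lateral = Flow("vdi-01", "vdi-02", RDP)          # a desktop reaching a peer desktop
    print("published order:", evaluate(AS_PUBLISHED, lateral))
    print("hardened order: ", evaluate(HARDENED, lateral))
    for user, app in (("alice", "eng-web-01"), ("alice", "fin-web-01"), ("bob", "eng-web-01")):
        print(user, "->", app, evaluate(TABLE_10, Flow("vdi-01", app, "HTTPS", user=user)))
```

With the tables in document order, vdi-01 reaching vdi-02 over RDP is allowed by the any-source Horizon Client rule before the block rule is ever consulted; with the block rule moved above it, the same flow is blocked while a client outside the pools still reaches a desktop over Blast and the desktop still reaches its Connection Server. A service no rule names (the model uses "SSH") falls through to the default rule, which is why that rule needs reviewing along with the tables.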

Capacity and sizing

HPE set out to validate the HPE Synergy Composable Infrastructure solution integrated with VMware Horizon and micro-segmentation powered by VMware NSX. In addition to its standard test image, HPE tested images with the newer Microsoft Office 2013. HPE also wanted to demonstrate that a variety of workloads can run concurrently on an HPE Synergy 480 Gen10 server while delivering an excellent user experience across user types.

About Login VSI

Login VSI 4.1 is a load-generating test tool designed to test remote computing solutions over a variety of protocols. The Login VSI environment was hosted outside the infrastructure under test, on HPE ProLiant DL360 Gen9 servers. Login VSI starts a series of launchers, best thought of as end-user access devices, which connect to the EUC infrastructure under test via a connection protocol; scripts executed on the compute resources then simulate the load of actual end users. The test suite uses a series of desktop applications driven by automated scripts within the RDS or virtual desktop session.

A standardized set of applications are installed within every virtual machine and actions are taken against the installed applications. The set of applications HPE tested against are listed in Table 11 with versions shown where applicable.

Table 11. Login VSI software specifications

Software                      Version
Windows client                10 Enterprise, x64
Adobe® Acrobat®               11.1
Adobe Flash Player            11
Adobe Shockwave Player        11
Bullzip PDF printer
FreeMind
7-Zip
Microsoft Office              Professional 2013 x64 with SP1
Microsoft Windows Server      2016
Microsoft Internet Explorer   Various

Response times are measured for a variety of actions within each session. When response times climb above a certain level on average, the test is finalized and a score, called VSImax, is created. VSImax represents the number of users at or below the average response time threshold. A detailed explanation can be found on the Login VSI website at loginvsi.com/documentation/VSImax.

Login VSI workloads

Table 12 shows the Login VSI 4.1 workloads available for testing and their recommended resource allocations. These benchmarks are described on the Login VSI web page at loginvsi.com/documentation/. The knowledge worker workload is the base workload HPE uses to compare systems across generations and configurations. HPE adjusted the knowledge worker workload to a more real-world configuration, which is specified later in this document.

Table 12. Standard Login VSI 4.1 workloads

Workload          VSI version  Load    vCPU    Memory  Apps open  Video  CPU usage  Disk reads  Disk writes  Estimated IOPS
Office worker     4.1          Medium  1 vCPU  1.5GB   4-6        240p   82%        90%         101%         8
Knowledge worker  4.1          Medium  2 vCPU  1.5GB   4-7        360p   100%       100%        100%         8

Testing strategy

The use cases tested focused on validating the broadest swath of VMware Horizon RDSH users. For the office worker, RDSH-based shared desktops were used, since office workers in general do not need a full desktop. All tests were run against Office 2013, so the results in this document are generally comparable to those HPE has published on other platforms. Most of the tested solutions involving individual components host the required management pieces on a separate infrastructure.

Benchmarks versus field implementation Login VSI presents a relatively replicable set of tests that can be used to compare platforms and solutions within a fairly close range. The test uses a standardized set of workloads to create those comparison points. In the real world, it is highly unlikely that a customer will be running the exact set of applications featured in the test. As with most benchmarking tools, Login VSI results should be used in conjunction with results from actual system performance data from the field or via Proof-of-Concept (POC) implementations. Login VSI presents response times from various tasks and applications that could be used as a primitive baseline in a controlled environment with limited applications and resource assignments. Although these metrics are useful when comparing systems with similar resource attributes, they can be misleading when used to extrapolate to real-world implementations. As a result, the numbers in this document are guidelines only.

Historically, Hewlett Packard Enterprise has recommended sizing solutions at 60-65% of the Login VSI numbers. This recommendation, however, depends on using resource allocations similar to those in the test results presented. HPE now strongly recommends a complete analysis of the specific user requirements prior to any VDI implementation, rather than implementations based solely on benchmark results. Customers new to or inexperienced with VDI should undergo a deeper assessment of their environment before implementing VDI to make sure they attain the results they want. If such an assessment interests you, please engage your HPE account team for further information on HPE Mobility and Workplace Services, hpe.com/us/en/services/consulting/mobility-workplace.html.

Table 13 shows the two office worker use cases tested on HPE Synergy 480 Gen10, in a six-node configuration and in a single-node configuration. For both tests a pool of RDSH servers running Windows Server 2016 Standard was used, with the configurations shown in Table 13. The table lists the workload results for each user type and summarizes the VSImax scores for the platform. Results are detailed further in the sections that follow.

Table 13. Office worker workload results on VMware Horizon RDSH pool

User type                    VM type  Office version  Windows Server version  Number of users  VM vCPU  VM memory  VM disk  RDSH servers in pool
Office worker (Single Node)  RDSH     2013            2016                    218              8        40GB       100GB    8
Office worker (Multi Node)   RDSH     2013            2016                    1197             8        40GB       100GB    48

VMware Horizon RDSH Workload on a single HPE Synergy 480 Gen10 blade server

Hewlett Packard Enterprise validated the hosting of VMware Horizon RDSH desktops on a single HPE Synergy 480 Gen10 node, where an office worker VSImax of 218 user sessions was achieved. Figure 23 shows the output of this test. A single HPE Synergy 480 Gen10 node can support 218 office workers while also running the Horizon and vSphere infrastructure pieces.

Figure 23. Office worker workload performance graph on a single node

VMware Horizon RDSH Workload on a multi-node HPE Synergy 480 Gen10 blade server

Hewlett Packard Enterprise validated the hosting of VMware Horizon RDSH desktops on a six-node HPE Synergy 480 Gen10 configuration, where an office worker workload of 1197 user sessions ran successfully. Figure 24 shows the output of this test. Six HPE Synergy 480 Gen10 nodes configured for the VMware Horizon RDSH workload can support 1197 user sessions.

Figure 24. Office worker workload performance graph on a multi node

Figure 25 shows the IOPS of the VMware Horizon RDSH office worker workload on the HPE 3PAR StoreServ 8450 All Flash storage, measured as Fibre Channel adapter reads and writes per second during the workload test. The IOPS load on the volumes carved from the SSD drives of the all-flash array remained minimal. The HPE 3PAR All Flash array absorbs login storms, a form of boot storm in which I/O builds rapidly as users log on to their assigned resources; they generally occur in the morning hours and, on a smaller scale, after lunchtime. Latency remained very good throughout the test run, even as sessions ended.

Figure 25. IOPS for VMware horizon RDSH office worker workload on HPE 3PAR StoreServ 8450 All Flash array

Table 14 shows the two knowledge worker use cases tested on HPE Synergy 480 Gen10, in a six-node configuration and in a single-node configuration. For both tests a pool of VDI instant-clone desktops running Windows 10 Enterprise was used, with the configurations shown in Table 14. The table lists the workload results for each user type and summarizes the VSImax scores for the platform. Results are detailed further in the sections that follow.

Table 14. Knowledge worker workload results on VMware Horizon Instant Clone VDI pool

User type                       VM type  Office version  Windows OS version  Number of users  VM vCPU  VM memory  VM disk  VDI desktops in pool
Knowledge worker (Single Node)  VDI      2013            Windows 10          120              2        4GB        32GB     150
Knowledge worker (Multi Node)   VDI      2013            Windows 10          712              2        4GB        32GB     720

VMware Horizon VDI (Instant Clone) Workload on a single HPE Synergy 480 Gen10 blade server

HPE validated the hosting of VMware Horizon VDI desktops on a single HPE Synergy 480 Gen10 node, where a knowledge worker VSImax of 120 user sessions was achieved. Figure 26 shows the output of this test. A single HPE Synergy 480 Gen10 node can support 120 knowledge workers while also running the Horizon and vSphere infrastructure pieces.

Figure 26. Knowledge worker workload performance graph on a single node

VMware Horizon VDI (Instant Clone) Workload on a multi-node HPE Synergy 480 Gen10 blade server

Hewlett Packard Enterprise validated the hosting of VMware Horizon VDI desktops on a six-node HPE Synergy 480 Gen10 configuration, where a knowledge worker workload of 712 VDI user sessions ran successfully. Figure 27 shows the output of this test. Six HPE Synergy 480 Gen10 nodes configured for the VMware Horizon VDI workload can support 712 VDI user sessions.

Figure 27. Knowledge worker workload performance graph on a multi node

Figure 28 shows the IOPS of the VMware Horizon VDI knowledge worker workload on the HPE 3PAR StoreServ 8450 All Flash storage, measured as Fibre Channel adapter reads and writes per second during the workload test. The IOPS load on the volumes carved from the SSD drives of the all-flash array remained minimal. The HPE 3PAR All Flash array absorbs login storms, a form of boot storm in which I/O builds rapidly as users log on to their assigned resources; they generally occur in the morning hours and, on a smaller scale, after lunchtime. Latency remained very good throughout the test run, even as sessions ended.

Figure 28. IOPS for VMware Horizon VDI worker workload on HPE 3PAR StoreServ 8450 All Flash array


Analysis and recommendations

HPE Synergy Deployment Analysis

HPE Synergy Composer, powered by HPE OneView, can initialize the HPE Synergy infrastructure from the ground up in less than an hour. Using HPE OneView, the logical infrastructure is created in the following order: Networks, Network Sets, Logical Interconnect Groups, Enclosure Group and Logical Enclosure. The entire process takes less than an hour, and that includes applying the latest HPE Synergy firmware baseline across all three frames.

HPE Synergy Image Streamer automation deployed VMware ESXi 6.5 U2 on a stateless HPE Synergy 480 Gen10 node in less than 4 minutes. Capturing the HPE Synergy Image Streamer OS volume as a golden image and personalizing the VMware ESXi operating system settings in the deployment plan makes deployment faster than manual methods. Creating the golden image and associating it with the right build plans can take 20-30 minutes. Deploying the management stack and the solution stack, comprising 9 HPE Synergy 480 Gen10 nodes, took less than 15 minutes: the server profile template, with its golden image and deployment plan assigned, was applied simultaneously to all 9 HPE Synergy 480 Gen10 nodes and provisioning completed in minutes.

The HPE Synergy solution stack was brought up in less than two hours, with all nine HPE Synergy 480 Gen10 blades across all three frames ready to deliver the VMware Horizon EUC solution to end users.

Spectre/Meltdown

Some of the components in this configuration may have mitigations in place for the hypervisor and processor microcode, and performance remains very good. Windows 10 had been patched with the latest available updates, including the Spectre/Meltdown patches. With the latest Intel® processor technology, hypervisor versions and OS release, the performance impact from Spectre and Meltdown is expected to be very low. Please refer to the Resources and Additional Links section for more information.
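A patched guest only has the Spectre/Meltdown protections in effect when the OS support is present and enabled, and the branch-target-injection part additionally depends on the hypervisor exposing updated microcode to the VM. The following PowerShell check is an added example, not HPE or VMware code; it uses Microsoft's SpeculationControl module from the PowerShell Gallery (the module documented in the Microsoft article linked under Resources) to verify the state of a Windows 10 master image before it is snapshotted for an instant-clone pool. The function name and the pass/fail rules are this example's own.

```powershell
# Added example: validate Spectre/Meltdown mitigation state on a Windows 10
# VDI master image. Requires Internet access to the PowerShell Gallery the
# first time, to install Microsoft's SpeculationControl module.
function Test-VdiImageSpeculationControl {
    [CmdletBinding()]
    param()

    if (-not (Get-Module -ListAvailable -Name SpeculationControl)) {
        Install-Module -Name SpeculationControl -Scope CurrentUser -Force
    }
    Import-Module SpeculationControl

    # The cmdlet prints a readable report to the host and returns an object
    # with boolean properties; only the object is captured here.
    $s = Get-SpeculationControlSettings

    $checks = [ordered]@{
        # Spectre variant 2 (branch target injection): needs microcode support
        # surfaced by the patched hypervisor plus OS support that is enabled.
        'BTI hardware support present'   = $s.BTIHardwarePresent
        'BTI OS support present'         = $s.BTIWindowsSupportPresent
        'BTI OS support enabled'         = $s.BTIWindowsSupportEnabled
        # Meltdown (rogue data cache load): kernel VA shadowing is only
        # required on affected CPUs, so pass when it is not required.
        'KVA shadow present if required' = (-not $s.KVAShadowRequired) -or $s.KVAShadowWindowsSupportPresent
        'KVA shadow enabled if required' = (-not $s.KVAShadowRequired) -or $s.KVAShadowWindowsSupportEnabled
    }

    $failed = @($checks.GetEnumerator() |
        Where-Object { -not $_.Value } |
        ForEach-Object { $_.Key })

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Compliant    = ($failed.Count -eq 0)
        Failed       = $failed
        # PCID keeps the KVA shadow performance cost low on supporting CPUs.
        PcidEnabled  = $s.KVAShadowPcidEnabled
    }
}

# Run on the master image VM before sealing it for the instant-clone pool.
Test-VdiImageSpeculationControl | Format-List
```

A result with "BTI hardware support present" in the Failed list usually means the host microcode or the hypervisor build does not yet expose the mitigation to the guest, which is worth confirming before attributing any performance difference to the patches.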

Performance Settings

The server profile BIOS settings of the HPE Synergy blade servers have been tuned, as shown below, to maximize performance and user experience. Figure 29 captures these BIOS settings.

Figure 29. BIOS settings of an HPE Synergy blade server


VMware Horizon Scalability Guidance

One key concept in a Horizon 7 environment design is the use of pods and blocks, which gives a repeatable and scalable approach. A pod is made up of a group of interconnected Connection Servers that broker desktops or published applications. A pod is divided into multiple blocks to provide scalability. Each block is made up of one or more resource vSphere clusters, and each block has its own vCenter Server and NSX Manager. The number of VMs a block can typically host depends on the type of Horizon 7 VMs used. Depending on the type of VM (instant clones, linked clones, or full clones, with or without App Volumes), a resource block could be up to 5,000, 4,000, or 2,000 VMs, respectively. For more information on VMware Horizon 7 sizing limits and recommendations, see Appendix C.

Please refer to the VMware KB article for Horizon 7 sizing limits and recommendations.
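To turn the measured densities and the block limits above into a first-cut host and block count, the following PowerShell function is an added example and not part of the reference architecture. The default sessions-per-host value is the multi-node Login VSI result on this page (712 knowledge worker VDI sessions on six HPE Synergy 480 Gen10 nodes); the 80% headroom factor, the one-spare-host-per-block rule and the function name are this example's own sizing assumptions.

```powershell
# Added example: first-cut Horizon 7 VDI sizing from a measured VSImax.
function Get-HorizonSizingEstimate {
    param(
        [Parameter(Mandatory)][int]$Users,
        [ValidateSet('InstantClone','LinkedClone','FullClone')]
        [string]$CloneType = 'InstantClone',
        # Knowledge worker VDI density from the six-node test on this page.
        [double]$SessionsPerHost = 712 / 6,
        # Assumption: run hosts at 80% of VSImax to keep response times flat.
        [ValidateRange(0.1, 1.0)][double]$Headroom = 0.8
    )

    # Upper bound of VMs per resource block by clone type (Horizon 7 guidance).
    $blockLimit = @{ InstantClone = 5000; LinkedClone = 4000; FullClone = 2000 }[$CloneType]

    $usableSessions = [math]::Floor($SessionsPerHost * $Headroom)
    $activeHosts    = [int][math]::Ceiling($Users / $usableSessions)
    $blocks         = [int][math]::Ceiling($Users / $blockLimit)
    # Assumption: one spare host per block so a host failure does not push
    # the remaining hosts in that block past their VSImax.
    $totalHosts     = $activeHosts + $blocks

    [pscustomobject]@{
        Users            = $Users
        CloneType        = $CloneType
        SessionsPerHost  = $usableSessions
        ActiveHosts      = $activeHosts
        SpareHosts       = $blocks
        TotalHosts       = $totalHosts
        # Each block needs its own vCenter Server and NSX Manager.
        Blocks           = $blocks
        VCenterInstances = $blocks
    }
}

# Constructed input: 3,000 knowledge workers on instant clones.
Get-HorizonSizingEstimate -Users 3000 -CloneType InstantClone
```

Pass your own Login VSI result as -SessionsPerHost when the desktop image or hardware differs from the tested configuration; the RDSH office worker numbers on this page are sessions, not VMs, so they do not map onto the per-block VM limits directly.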

VMware Horizon Blast Extreme Optimization Best Practices:

• Make sure you use Horizon 7.4 or later and Horizon Client 4.4 or later

• The H.264 codec provides the best performance and experience. Make sure to use this codec in your environment

• Configure the UAG appliance with UDP Tunnel Server enabled

• VMware Blast Extreme traffic should be prioritized in the environment

• Do not enable client drive redirection (CDR) if it is not required

• For Windows desktops, use the VMware OS Optimization Tool to disable features such as Dynamic Windows Preview, Taskbar Animation and Windows Peek

• Use Group Policy to prohibit desktop wallpaper on Windows desktops

VMware OS Optimization Tool

The VMware OS Optimization Tool (OSOT) provides the easiest and most efficient way to optimize your Windows desktop and server master images. It offers many advantages over traditional scripts, including the ability to roll back changes, selectively edit optimization values, and view detailed audit information before applying optimizations. The OSOT includes customizable built-in templates to enable or disable Windows features and system services across multiple platforms. You use the OSOT to improve Windows performance according to VMware recommendations and best practices. Some of the best practices to follow while using OSOT are:

• Use the OSOT on a base image. Apply the tool to an unused system that has been built to match the configuration that you will deploy for virtual desktops or RDSH servers

• Disable as many unnecessary Windows OS components as possible. Consider disabling everything and then performing user-acceptance testing (UAT) to see if there are problems. Re-enable any components that cause a problem when disabled

Summary

Hewlett Packard Enterprise and VMware have collaborated to develop a joint solution that addresses the changes IT is currently adapting to in the End-user Computing space. The modern workspace is undergoing a rapid digital transformation driven by both users and modern applications. This Reference Architecture solution addresses those challenges, delivers security to a Virtual Desktop Infrastructure (VDI) environment, and adopts a bimodal approach that accommodates both traditional and cloud applications in EUC (End-user Computing) environments.

• Provides a highly secure VDI infrastructure with VMware NSX micro-segmentation on HPE Synergy. VMware Horizon with VMware NSX micro-segmentation on HPE Synergy has been designed and architected to showcase the performance and scalability of the solution. The combined end-to-end solution delivers a world class end-user computing experience while securing the east-west network perimeter within the data centre, making the solution robust against attacks. VMware NSX enables software defined networking integrated with the HPE Synergy composable fabric. VMware NSX micro-segmentation provides east-west security for VDI environments, limiting the lateral spread of malware and virus infections between desktops.

• Flexible software defined networking environment using VMware NSX and HPE OneView infrastructure management capabilities. HPE Synergy server profiles and templates are a powerful new way to quickly and reliably update and maintain existing infrastructure. HPE Synergy Composer uses templates to simplify one-to-many updates and manage HPE Synergy Compute Module profiles. These templates allow changes to be implemented automatically, significantly reducing manual interactions and errors.


• High-speed provisioning capabilities and automation for EUC environments, leveraging HPE Synergy's strengths in rapid provisioning: HPE Synergy Image Streamer quickly deploys new compute modules or updates existing ones by booting them directly into their desired running OS in minutes. HPE Synergy Composer, powered by HPE OneView, and HPE Synergy Image Streamer automation deployed VMware ESXi 6.5 on a stateless HPE Synergy 480 Gen10 node in less than 4 minutes. The server profile template, with its golden image and deployment plan assigned, was applied simultaneously to all 9 HPE Synergy 480 Gen10 nodes and provisioning completed in minutes.

• On HPE Synergy with the VMware Horizon solution, two types of workloads, Office worker and Knowledge worker, were performance tested using RDSH and instant clone based VDI desktop pools respectively. The tests were performed on both a single node and multiple nodes, yielding results of 218 and 1197 sessions for the RDSH office worker workload. For the VDI knowledge worker workload, the results are 120 and 712 sessions for the single node and multi-node configurations respectively.

Appendix A: Bill of materials

The following table shows the bill of materials (BOM) for this solution.

Note

Part numbers are at time of publication/testing and subject to change. The bill of materials does not include complete support options or other rack and power requirements. If you have questions regarding ordering, please consult with your HPE Reseller or HPE Sales Representative for more details. hpe.com/us/en/services/consulting.html

Table 1a. Bill of materials

Qty Part number Description

HPE Synergy Frame Components

3 797739-B21 HPE Synergy 12000 Frame

2 804353-B21 HPE Synergy Composer

2 804937-B21 HPE Synergy Image Streamer

6 804942-B21 HPE Synergy Frame Link Module

2 794502-B23 HPE Virtual Connect SE 40Gb F8 Module for HPE Synergy

6 779227-B21 HPE Virtual Connect SE FC 16Gb Module for HPE Synergy

18 798095-B21 HPE 2650 Watts Titanium Hot Plug AC Power Supply

4 779218-B21 HPE Synergy 20Gb Interconnect Link Module

HPE Synergy 480 Gen10 Compute Module components

9 871940-B21 HPE Synergy 480 Gen10 Configure-to-order Compute Module

9 777454-B21 HPE Synergy 3530C 16Gb Fiber Channel Host Bus Adapter

9 872134-L21 HPE Synergy 480 Gen10 Intel Xeon-Gold 6150 (2.7GHz/18-core/165W) FIO Processor Kit

9 872134-B21 HPE Synergy 480 Gen10 Intel Xeon-Gold 6150 (2.7GHz/18-core/165W) Processor Kit

9 777430-B21 HPE Synergy 3820C 10/20Gb Converged Network Adapter

108 815100-B21 HPE 32GB (1x32GB) Dual Rank x4 DDR4-2666 CAS-19-19-19 Registered Smart Memory Kit

HPE 3PAR StoreServ 8450 All Flash Components

1 BW908A HPE 42U 600x1200mm Enterprise Shock Rack

1 BW908A HPE Factory Express Base Racking Service

1 H6Z23A HPE 3PAR StoreServ 8450 4N Storage Base

4 H6Z00A HPE 3PAR 8000 4-pt 16Gb FC Adapter

24 K2P89A HPE 3PAR 8000 1.92TB SFF SSD

1 L7C17A HPE 3PAR StoreServ 8450 OS Suite Base LTU

2 H6Z26A HPE 3PAR 8000 SFF(2.5in) SAS Drive Encl


24 QK734A HPE Premier Flex LC/LC OM4 2f 5m Cbl

1 BW909A HPE 42U 1200mm Side Panel Kit

1 AG730A HPE PDU Pivot Kit

4 AF500A HPE 2, 7X C-13 Stk Intl Modular PDU

2 252663-D74 HPE Basic 4.9kVA/L6-30P/NA/J Core PDU

1 BD362A HPE 3PAR StoreServ Mgmt/Core SW Media

1 BD363A HPE 3PAR OS Suite Latest Media

HPE SN6000B 16Gb FC Switch Models

2 QR481B HPE SN6000B 16Gb 48-port/48-port Active Power Pack+ Fibre Channel Switch


© Copyright 2018 Hewlett Packard Enterprise Development LP. The information contained herein is subject to change without notice. The only warranties for Hewlett Packard Enterprise products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Hewlett Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein.

Microsoft, Windows, and Windows Server are registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. VMware, vSphere, and vCenter are registered trademarks of VMware, Inc. in the United States and/or other jurisdictions.

a00053301enw, September 2018

Resources and additional links

HPE Reference Architectures, hpe.com/info/ra

HPE Synergy Management Infrastructure, https://h20195.www2.hpe.com/v2/getpdf.aspx/4aa6-3754enw.pdf

Composable infrastructure with HPE Synergy, https://h20195.www2.hpe.com/v2/GetPDF.aspx/4AA6-3322ENW.pdf

GitHub - HPE Synergy Image Streamer Artifact Bundles for VMware ESXi, https://github.com/HewlettPackard/image-streamer-esxi

HPE Synergy Image Streamer User Guide, http://h20628.www2.hp.com/km-ext/kmcsdirect/emr_na-a00025491en_us-3.pdf

HPE Networking, http://hpe.com/networking

HPE 3PAR StoreServ 8000, https://support.hpe.com/hpsc/doc/public/display?docId=c04896610

HPE Technology Consulting Services, hpe.com/us/en/services/consulting.html

VMware NSX, https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/products/nsx/vmw-nsx-network-virtualization-design-guide.pdf

VMware NSX micro-segmentation, https://www.vmware.com/in/products/nsx/security.html

VMware Horizon, https://docs.vmware.com/en/VMware-Horizon-7/index.html

Spectre and Meltdown

https://kb.vmware.com/s/article/52337

https://support.microsoft.com/en-in/help/4073757/protect-your-windows-devices-against-spectre-meltdown

https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-a00039267en_us