TECHNICAL WHITE PAPER – AUGUST 2016

VMWARE HORIZON FLEX DEPLOYMENT CONSIDERATIONS VMware Horizon FLEX 1.8

Table of Contents

Introduction (p. 3)
What Is VMware Horizon FLEX? (p. 3)
How Horizon FLEX Works (p. 4)
Horizon FLEX Server (p. 4)
Architecture and Components of Horizon FLEX (p. 4)
Horizon FLEX Environment Components (p. 4)
Restricted-VM Creation Tools and Clients (p. 5)
Horizon FLEX Architecture (p. 6)
Storage of Restricted Virtual Machines (p. 6)
Installation and Configuration of Horizon FLEX (p. 7)
Horizon FLEX Environment Requirements (p. 7)
Installation of Horizon FLEX (p. 7)
Network Considerations for Horizon FLEX (p. 8)
Horizon FLEX Scalability (p. 8)
Horizon FLEX Security and Certificates (p. 8)
Creating a Self-Signed Server Certificate (p. 9)
Intermediate Certificates (p. 9)
Certificate Trust (p. 11)
Updating Embedded Certificates Using the Horizon FLEX Administrator Console (p. 11)
Troubleshooting Certificate Issues (p. 13)
Delivering the Horizon FLEX Client to End Users (p. 14)
Supported Host Operating Systems for Horizon FLEX Clients (p. 14)
Creation and Management of Restricted Virtual Machines (p. 15)
Creation of Restricted Virtual Machines (p. 15)
Supported Guest Operating Systems for Horizon FLEX (p. 16)
Installing the Mirage Client on the Restricted VM (p. 16)
Management and Update of Restricted Virtual Machines (p. 16)
Delivering Horizon FLEX Restricted Virtual Machines to End Users (p. 16)
End-User Download of the Restricted Virtual Machines (p. 17)
End-User Access to Updates of Virtual Machines (p. 18)
Horizon FLEX Log File Locations (p. 18)
Horizon FLEX Frequently Asked Questions (p. 19)
Summary (p. 20)
Authors and Contributors (p. 20)
Additional Resources (p. 21)

Introduction

This VMware Horizon® FLEX™ Deployment Considerations paper is intended to help administrators address important matters that may arise during the installation and setup of VMware Horizon FLEX. This document contains information on topology and best practices. It is to be used in conjunction with the existing Horizon FLEX Administration Guide and Horizon FLEX Client User Guide. For more information on the challenges and use cases that Horizon FLEX addresses, see the VMware Horizon FLEX Solution Brief.

What Is VMware Horizon FLEX?

VMware Horizon FLEX is a policy-based, containerized desktop solution that allows IT administrators to create, secure, and manage local desktops to meet the needs of workers with their own unmanaged computers. End users work within a restricted virtual machine (VM) on their endpoints and can either be connected to or disconnected from the enterprise network.

Note: A restricted virtual machine is a VMware virtual machine that has had FLEX security policies applied to it. For more information, see the Horizon FLEX Administration Guide.

Horizon FLEX builds on existing VMware products and adds capabilities to them. These products include a Horizon FLEX client and VMware Mirage™. The Horizon FLEX client can be VMware Fusion® Pro or VMware Workstation Player™. The Horizon FLEX server is built on a Mirage base.

With the Horizon FLEX package, you can create multiple restricted VMs (Horizon FLEX virtual machines) and entitle them to a variety of end users. Restricted VMs can be created with Fusion Pro or VMware Workstation Pro™.

Note: Workstation Pro is not included with Horizon FLEX and must be purchased separately.

Figure 1 shows the components of a Horizon FLEX implementation.

Figure 1: Horizon FLEX Components (diagram; it shows the Horizon FLEX server with its Mirage management components, VM creation with Fusion Pro or Workstation Pro, and the Horizon FLEX client, Fusion Pro or Workstation Player, installed on the endpoint)

Important: Workstation Pro is not a supported Horizon FLEX client. Using Workstation Pro to run a restricted VM can cause unexpected results.

How Horizon FLEX Works

In order to use Horizon FLEX, administrators must enter a Horizon FLEX serial number during a default installation of Mirage. Providing this serial number accesses Horizon-FLEX-specific Mirage features. Virtual machines are created with Fusion Pro or Workstation Pro and given to end users. Users run the VMs in a Horizon FLEX client on their endpoints. The macOS client is Fusion Pro, and the Windows client is Workstation Player. Fusion Pro and Workstation Player are included with the Horizon FLEX product.

Horizon FLEX Server

Because Horizon FLEX is built on a Mirage engine, it makes use of the Mirage Management server, the Mirage server, and the Mirage Web Management component. The Horizon FLEX server is a logical entity that is made up of these three Mirage components. In most cases, all of these components are installed on a single server. You set policies for, and manage restricted VMs with, the Horizon FLEX server.

For detailed instructions on Horizon FLEX and Mirage installation, read the Installation and Configuration of Horizon FLEX section of this document.

Architecture and Components of Horizon FLEX

Following is a brief overview of the architecture and components of a Horizon FLEX implementation. For additional details about the Horizon FLEX architecture, see the Horizon FLEX Architecture section of the Horizon FLEX Administration Guide.

Horizon FLEX Environment Components

There are several components that are required in a Horizon FLEX environment. They include:

File download location: The file download location hosts restricted virtual machines for users. Providing dedicated file servers with IIS, one for all endpoints inside your company’s network and one for all endpoints outside your company’s network, provides security and flexibility.

Mirage Management server: The Mirage Management server manages the Horizon FLEX environment.

Mirage server: The Mirage server sets up the database for the Horizon FLEX environment.

Mirage Web Management component: The Mirage Web Management component allows administrators to monitor and make changes to the Horizon FLEX environment. The primary tool used here is the Mirage Web Manager.

Horizon FLEX VM creation tool: The Horizon FLEX VM creation tools are used to create restricted VMs. Creation tools include Fusion Pro for macOS and Workstation Pro for Windows.

Horizon FLEX client: The Horizon FLEX client is the software that end users must download to access the Horizon FLEX VMs on their local computers. Clients include Fusion Pro for Macs and Workstation Player for Windows. Fusion Pro and Workstation Player are both included in the Horizon FLEX package.

Storage: You need storage for the SQL and MongoDB databases in a Horizon FLEX implementation, as well as for all restricted VMs.

Table 1: Horizon FLEX Environment Components

Restricted-VM Creation Tools and Clients

You create restricted VMs with Fusion Pro on macOS operating systems and with Workstation Pro on Windows operating systems. Both products can be used to create Windows- or Ubuntu-based restricted VMs. For exact Windows and Ubuntu versions, see Supported Host and Guest Operating Systems in the Horizon FLEX Administration Guide.

For Horizon FLEX clients, you can use Fusion Pro on a Mac, and Workstation Player on Windows.

Figure 2 shows the VM creation tools, restricted VMs, Horizon FLEX clients available for use, and their relationship to each other.

Figure 2: Restricted-VM Creation Tools and Clients (diagram; the VM creation tools Fusion Pro and Workstation Pro produce Windows or Linux restricted VMs, which run on a Mac with the Fusion Pro client or on Windows with the Workstation Player client)

Note: Both Fusion Pro and Workstation Pro can be used to create any of the allowed Windows or Linux restricted VMs. Fusion Pro and Workstation Player can be used to run any restricted VM.

Horizon FLEX Architecture

Figure 3 shows a Horizon FLEX deployment that ensures security and function. In this example, the Horizon FLEX server sets policies for both on-premises and off-premises endpoints.

Figure 3: A Horizon FLEX Deployment That Ensures Security and Function (diagram; labelled elements: Horizon FLEX Server; Storage; On-Premises File Server with VMs; Off-Premises File Server with VMs; On-Premises Endpoints with Horizon FLEX Client; Off-Premises Endpoints with Horizon FLEX Client; HTTPS Proxy; DMZ)

In Figure 3, off-premises endpoints use an HTTPS proxy to reach the Horizon FLEX server to get policy updates.

Storage of Restricted Virtual Machines

Note that the file servers storing the restricted VMs are not running on a Horizon FLEX server. Using separate, fast file servers keeps the Horizon FLEX server free to distribute policies. VM storage is typically located on a dedicated IIS server or in an IIS Web farm.

Note: Figure 3 is just one example of a restricted VM deployment model. However, restricted VMs can be stored anywhere users can access them—including from a Web site link, or on removable storage.

Installation and Configuration of Horizon FLEX

To install and configure Horizon FLEX in your environment, you must meet the following requirements for the Mirage / Horizon FLEX server and for the Horizon FLEX Web Management components.

Horizon FLEX Environment Requirements

Following are the requirements for the Horizon FLEX server in a Horizon FLEX environment.

• Recommended CPU – 8 vCPU

• Recommended RAM – 16 GB

• 450 GB free disk space

• Windows 2008 R2, or Windows 2012 or later

• Microsoft .NET 3.5 SP1 or later

• The Mirage server listens for Windows Communication Foundation (WCF) HTTPS requests on port 8443.

Note: These requirements assume that you will also be using all Mirage functions in your environment. But if you will not be using Mirage itself, there are fewer requirements. For instance, Horizon FLEX does not use the MongoDB database, and, without it, only 40 GB of free disk space are required.

For more information, see Horizon FLEX System Requirements in the Horizon FLEX Administration Guide.

Installation of Horizon FLEX

Begin your Horizon FLEX installation with an installation of Mirage, accepting all of the defaults of the Mirage installation wizard. Ensure that you enter your Horizon FLEX serial number. For further details about installing Mirage, see the VMware Mirage Installation Guide.

After installing Mirage, install other Horizon FLEX environment components, set up certificates for restricted VMs, create and entitle restricted VMs, and install a Horizon FLEX client on each endpoint. For more detailed instructions, see Installing Horizon FLEX in the Horizon FLEX Administration Guide, and the blog post Install / Configure VMware Horizon FLEX.

When installing Horizon FLEX, you might see the message

The restriction Server encountered an error

or, in rvm/webapp.log see the entry

an error (1301) occurred while enumerating the groups. The group’s SID could not be resolved

This is a known Microsoft issue. For more information, see the Microsoft Knowledge Base article SID S-1-18-1 and SID S-1-18-2 cannot be mapped on Windows-based computers in a domain environment.

Network Considerations for Horizon FLEX

Horizon FLEX allows users to run corporate applications even when disconnected from the network. Restricted VMs are stored locally and can be used without network access so long as the length of time they have been offline keeps them in compliance with security policies configured by the administrator.

A network connection between the Horizon FLEX server and the endpoint is required only in the following scenarios:

• For the initial registration of the restricted VM with the Horizon FLEX server

• To receive periodic policy updates and actions

Horizon FLEX Scalability

If you follow the requirements given for the Horizon FLEX server in the Horizon FLEX Environment Requirements section of this document, then Horizon FLEX can accommodate up to 10,000 users. If you exceed that capacity, use multiple Horizon FLEX servers behind a load balancer to ensure reliability and redundancy.

Horizon FLEX Security and Certificates

To ensure security, Horizon FLEX requires secure communications from the endpoint to the server. The Horizon FLEX server sends small policy changes over a secure channel from the Mirage database to the endpoints.

If you are using a valid certificate signed by a root or intermediate Certificate Authority (CA), the Horizon FLEX client can set up an HTTPS connection without any additional steps. However, you might want to use a self-signed certificate, especially for a quick proof-of-concept deployment.

The Horizon FLEX client and Horizon FLEX server treat a certificate that is created locally, but signed by a CA, as if it is self-signed. Only certificates that are created by a CA are automatically trusted by an endpoint.

Mirage automatically creates a default self-signed server certificate upon install. You can use this self-signed certificate in Horizon FLEX if this is acceptable for you.

Creating a Self-Signed Server Certificate

If the default self-signed certificate is not a correct one, for example, if the common name of the certificate does not match the server’s FQDN, you must create a new certificate. Use OpenSSL or Keytool to create a new self-signed certificate. Do not use IIS. Self-signed certificates created in IIS might be missing some fields, such as Organizational Unit, Organization, Location, and State. The OpenSSL library in the Horizon FLEX client will reject such certificates.

The following instructions and examples are based on OpenSSL.

Perform the following steps to create a basic self-signed certificate with the OpenSSL command-line tool. These steps can be run on any system with OpenSSL installed.

1. Run the following command:

openssl req -new -days <expiration time> -x509 -newkey rsa:2048 -keyout <key filename> -out <certificate filename> -nodes

• Replace <expiration time> with the number of days that the certificate should be valid for (for example, 365 for 1 year).

• Replace <key filename> with the filename for the key (for example, mirage-test-1.key) and <certificate filename> with the filename for the CERT file (for example, mirage-test-1.cert).

This command generates a new certificate request (req -new) and private key (-newkey). It uses a 2048-bit RSA key (rsa:2048) and does not protect the key with a passphrase (-nodes). The resulting certificate is self-signed rather than a request to be sent to a CA (-x509).

2. During certificate creation, you are prompted for several values. Example values follow.

Country name: US

State: California

Locality: Palo Alto

Organization Name: VMware

Organizational Unit Name: EUC

Common Name (this field is critical): the host name of the server to be protected (for example, mirage-test-1.eng.vmware.com)

Email Address: [email protected]

3. This generates a self-signed certificate and associated private key. If you need the private key in PFX format, you can run the additional command:

openssl pkcs12 -export -out <output pfx filename> -inkey <key filename from previous command> -in <cert filename from previous command>

This generates a new PFX file that is password-protected and is suitable for deployment on any machine that requires PFX certificates instead of PEM certificates.
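The same procedure in script form, as an added example that is not from the VMware paper: it generates the certificate non-interactively, checks that the subject carries the fields the Horizon FLEX client expects and that the common name matches the server FQDN, and exports the PFX. It assumes only the openssl command-line tool; the host name, file names, e-mail address and PFX password are constructed values.

```shell
#!/bin/sh
# Added example, not from the VMware paper: the self-signed certificate steps
# above as a script, plus a subject-field check. Assumes the openssl CLI.
# Host name, file names, e-mail address and PFX password are constructed.

# Subject fields an IIS-generated self-signed certificate may lack and that the
# OpenSSL library in the Horizon FLEX client expects to find.
DEFAULT_DN_PREFIX='/C=US/ST=California/L=Palo Alto/O=VMware/OU=EUC'

# make_self_signed_cert DAYS KEYFILE CERTFILE FQDN [DN_PREFIX]
# Mirrors step 1: new 2048-bit RSA key (-newkey rsa:2048), no passphrase
# (-nodes), self-signed certificate (-x509). The subject is passed with -subj,
# so the command runs without the interactive prompts of step 2.
make_self_signed_cert() {
    days=$1; key=$2; cert=$3; fqdn=$4; prefix=${5:-$DEFAULT_DN_PREFIX}
    openssl req -new -days "$days" -x509 -newkey rsa:2048 \
        -keyout "$key" -out "$cert" -nodes \
        -subj "$prefix/CN=$fqdn/emailAddress=flex-admin@example.com" 2>/dev/null
}

# check_cert_subject CERTFILE FQDN
# Returns 0 only if the common name equals the server FQDN and the O, OU, L and
# ST fields are present. RFC2253 output lists one attribute per comma, so the
# subject is split on commas and each attribute is examined on its own line.
check_cert_subject() {
    cert=$1; fqdn=$2
    subject=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 \
        | sed 's/^subject= *//' | tr ',' '\n')
    for attr in O OU L ST; do
        if ! printf '%s\n' "$subject" | grep -q "^$attr="; then
            echo "rejecting $cert: subject field $attr is missing" >&2
            return 1
        fi
    done
    if ! printf '%s\n' "$subject" | grep -qxF "CN=$fqdn"; then
        echo "rejecting $cert: common name does not match $fqdn" >&2
        return 1
    fi
    return 0
}

# export_pfx KEYFILE CERTFILE PFXFILE PASSWORD
# Mirrors step 3: bundle key and certificate into a password-protected PFX
# (PKCS#12) file for systems that need PFX rather than PEM.
export_pfx() {
    openssl pkcs12 -export -out "$3" -inkey "$1" -in "$2" -passout "pass:$4"
}

# Run with "--demo" to create a certificate for a constructed host name in a
# temporary directory, check it, and export the PFX.
if [ "${1:-}" = "--demo" ]; then
    dir=$(mktemp -d)
    fqdn=mirage-test-1.eng.vmware.com
    make_self_signed_cert 365 "$dir/mirage-test-1.key" "$dir/mirage-test-1.cert" "$fqdn"
    if check_cert_subject "$dir/mirage-test-1.cert" "$fqdn"; then
        export_pfx "$dir/mirage-test-1.key" "$dir/mirage-test-1.cert" \
            "$dir/mirage-test-1.pfx" 'constructed-pfx-password'
        echo "certificate and PFX written to $dir"
    fi
fi
```

Passing a shorter DN prefix such as /C=US/O=VMware reproduces the IIS case: the check rejects the certificate because OU, L and ST are absent.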

Intermediate Certificates

If you are using a certificate with an intermediate certificate, use care when installing a certificate chain onto IIS on the Horizon FLEX server. IIS might import only the leaf certificate (the last certificate in the chain). When IIS is configured with only the leaf certificate, the Horizon FLEX client rejects the certificate because it cannot locate the intermediate certificate.

Perform the following steps to make sure you deploy the intermediate certificate onto the Horizon FLEX server:

1. To launch the Microsoft Management Console (MMC), go to Start > Run, and enter mmc. Click OK.

2. Select File > Add/Remove Snap-in.

3. On the left side, select Certificates and click Add.

4. Select Computer account and click Next.

5. Keep Local computer selected and click Finish.

6. Click OK on the Add or Remove Snap-ins window.

7. On the left, below Console Root, expand Certificates (Local Computer).

8. To import the root certificate, right-click Trusted Root Certification Authorities and select All Tasks > Import.

9. In the wizard, click Next to advance past the welcome page.

10. Browse for the root certificate file, select it, and click Next.

11. Keep Place all certificates in the following store: Trusted Root Certification Authorities selected and click Next, then click Finish. Click OK to dismiss the successful import dialog box.

12. To import the intermediate certificate, right-click Intermediate Certification Authorities and select All Tasks > Import.

13. In the wizard, click Next to advance past the welcome page.

14. Keep Place all certificates in the following store: Intermediate Certification Authorities selected and click Next, then click Finish. Click OK to dismiss the successful import dialog box.

Some additional instructions from commercial certificate providers include Installing an SSL Certificate in Microsoft IIS 7 and Adding Root and Intermediate certificates via MMC.

After you have completed these steps, the root certificate appears in the Trusted Root Certification Authorities/Certificates folder and the intermediate certificate appears in the Intermediate Certification Authorities/Certificates folder.

Note: If the leaf certificate appears in the certificates manager, then IIS will not work properly.

You can test whether the intermediate certificate is correctly installed on the Horizon FLEX server by executing this command from a Windows command prompt:

openssl s_client -connect <hostname>:<port> -showcerts

If the intermediate certificate is correctly deployed, the output contains two different certificates, both of which start with -----BEGIN CERTIFICATE-----. If only one instance of -----BEGIN CERTIFICATE----- is present, then the intermediate certificate is not correctly deployed on the Horizon FLEX server.
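An added example (not from the VMware paper) of the check above, run against a constructed lab chain rather than a live server: it builds a root, an intermediate and a leaf with OpenSSL, counts the certificates a server would send, and shows that the leaf alone does not validate against the root while leaf plus intermediate does. It assumes the openssl command-line tool is installed; all names are made up.

```shell
#!/bin/sh
# Added example, not from the VMware paper: a constructed root -> intermediate
# -> leaf chain that shows why a server sending only the leaf is rejected, and
# the certificate count used by the -showcerts check above. Assumes the openssl
# CLI. All names are made up.

# count_pem_certs FILE
# Number of certificates in a PEM bundle or in saved "openssl s_client
# -showcerts" output: 2 or more means the intermediate was sent, 1 means not.
count_pem_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# new_csr DIR NAME SUBJECT: fresh 2048-bit RSA key plus signing request.
new_csr() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1/$2.key" \
        -out "$1/$2.csr" -subj "$3" 2>/dev/null
}

# make_lab_chain DIR
# Writes root.pem, inter.pem and leaf.pem (with keys) into DIR. The
# intermediate must be marked CA:TRUE or it cannot sign the leaf.
make_lab_chain() {
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:mirage-test-1.eng.vmware.com\n' > "$d/leaf.ext"
    new_csr "$d" root  '/O=Lab/CN=Lab Root CA'
    new_csr "$d" inter '/O=Lab/CN=Lab Intermediate CA'
    new_csr "$d" leaf  '/O=Lab/CN=mirage-test-1.eng.vmware.com'
    # Root: self-signed.
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 30 \
        -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null
    # Intermediate: signed by the root.
    openssl x509 -req -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -days 30 -extfile "$d/ca.ext" -out "$d/inter.pem" 2>/dev/null
    # Leaf (the server certificate): signed by the intermediate.
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/inter.pem" -CAkey "$d/inter.key" \
        -CAcreateserial -days 30 -extfile "$d/leaf.ext" -out "$d/leaf.pem" 2>/dev/null
}

# verify_leaf ROOTFILE LEAFFILE [INTERFILE]
# Validates the leaf the way a client does: the root is the only trust anchor,
# and the intermediate is usable only if the server supplied it (-untrusted).
verify_leaf() {
    if [ -n "${3:-}" ]; then
        openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
    else
        openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
    fi
}

# Run with "--demo" to build the chain in a temporary directory and compare a
# server that sends only the leaf with one that sends leaf plus intermediate.
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    make_lab_chain "$d"
    cat "$d/leaf.pem" > "$d/served-leaf-only.pem"
    cat "$d/leaf.pem" "$d/inter.pem" > "$d/served-full.pem"
    for bundle in served-leaf-only served-full; do
        echo "$bundle: $(count_pem_certs "$d/$bundle.pem") certificate(s)"
    done
    if verify_leaf "$d/root.pem" "$d/leaf.pem"; then
        echo "leaf alone: accepted"
    else
        echo "leaf alone: rejected (issuer not found, as the Horizon FLEX client reports)"
    fi
    verify_leaf "$d/root.pem" "$d/leaf.pem" "$d/inter.pem" && echo "leaf + intermediate: accepted"
fi
```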

Certificate Trust

If the server certificate is not signed by a Certificate Authority, the organization must complete extra steps to ensure that the endpoint trusts the self-signed certificate. This applies whether you use the default certificate created by Mirage or a certificate you have created.

You have two options to ensure that the endpoint trusts the self-signed certificate:

• When creating the restricted VM to distribute, add the server certificate to the VM, creating an embedded certificate.

or

• On the endpoint, you or the user will be prompted to import and trust the self-signed certificate on the host system.

One of these steps must be completed before the restricted VM can boot.

Advantages of an embedded certificate include:

• You add the server certificate to the restricted VM at VM creation, and the end user does not have to take additional steps.

• An embedded certificate is more secure than importing and trusting a self-signed certificate on the client endpoint. A hacker cannot swap out a self-signed certificate for a certificate that has the same server name but leads to the hacker’s own server. As a result, the embedded certificate is protected.

If embedding a certificate, follow these general guidelines for all certificates:

• If you embed a certificate on the restricted VM, you do not have to put a certificate on the endpoint.

• When embedding a certificate, if the server certificate is signed by a root CA or an intermediate CA, embed the root certificate.

The disadvantage of an embedded certificate is that if there is a problem with the certificate, or if the certificate is changed later, the restricted VM defaults to the built-in certificate and ignores all locally installed certificates. You would have to edit the VM, and the end user would have to download it again. For proofs-of-concept or lab tests, it is simpler to not use embedded certificates.

If you do not embed a certificate on the restricted VM and it is self-signed, the end user gets a warning and must choose to import and trust the certificate.

Updating Embedded Certificates Using the Horizon FLEX Administrator Console

If you are planning to migrate to another Horizon FLEX server, or if your embedded certificate is about to expire, you can add an updated certificate from the Horizon FLEX server. The following steps detail how to update the embedded certificate.

Note: When you add a certificate to the Horizon FLEX Administrator console UI, the console passes the certificates to the endpoint on the next policy update. If there is a problem with a certificate, the restricted VM ceases to get policy updates. For this reason, administrators should always add to the list of certificates, not replace the list.

1. From the Horizon FLEX Administrator console, click the General System Settings icon, which is the gear icon on the far right in the title bar.

2. Select Certificates.

3. Click Import to import the updated embedded certificate.

Figure 4: Steps to Update an Embedded Certificate

Troubleshooting Certificate Issues

To check for certificate errors on the endpoint, review the vmware.log file for the restricted VM and search for the Horizon FLEX server address. You should see connection entries, and any certificate errors if they exist.

Note: To locate the restricted VM’s vmware.log file, see the VMware Knowledge Base article Locating a hosted virtual machine’s files (1003880).

Figure 5: Certificate Errors in vmware.log (screenshot)

If the log indicates a certificate error, follow these steps on the Horizon FLEX server:

1. In IIS, verify that the server has a valid or self-signed certificate under Server Certificates:

a. In the Windows Start menu, select Administrative Tools > Internet Information Services (IIS) Manager.

b. In the Connections pane, select the Horizon FLEX server host name.

c. At the bottom of the window, click Features View, double-click Server Certificates. You should see one or more certificates listed.

d. Double-click the certificate to verify details.

2. In IIS, verify that the Horizon FLEX Administrator console Web site is using the certificate binding:

a. In the Windows Start menu, select Administrative Tools > Internet Information Services (IIS) Manager.

b. In the Connections pane, navigate to the Horizon FLEX server host name and Sites. Select the site you want to secure with the SSL certificate listed in step 1.

c. In the Actions menu, under Edit Site, click Bindings.

d. In the Site Bindings window, select any entry with the Type https, and click Edit to verify the settings. You should see the SSL certificate in the SSL certificate field.

3. Verify there is no certificate in the Horizon FLEX Administrator console:

a. From the Horizon FLEX Administrator console, click the General System Settings icon, which is the gear icon on the far right in the title bar.

b. Select Certificates. This field should be empty. This feature should be used only for migration or advanced configurations.

Delivering the Horizon FLEX Client to End Users

To access the restricted VM, the user must install a Horizon FLEX client. This client can be Fusion Pro or Workstation Player. The end user starts the Horizon FLEX client to connect to the Horizon FLEX server and download a restricted VM.

Important: Both Fusion Pro and Workstation Pro can be used to change security policies on a restricted VM if the VM’s encryption and restrictions password is known. To ensure security, do not give this password to end users.

Administrators can mass-deploy Horizon FLEX clients to macOS or Windows endpoints with standard package deployment tools, such as

• Microsoft System Center 2012 R2 Configuration Manager (SCCM) (for Windows)

• Apple Remote Desktop (for Macs)

• Casper Suite from JAMF Software (for Macs)

Note: You can include restricted VMs along with Horizon FLEX clients as part of a deployment package.

For delivery of the Fusion Pro-based Horizon FLEX client, see the VMware Knowledge Base article Creating a VMware Fusion mass deployment package (2058680).

For delivery of the Workstation Player-based Horizon FLEX client, use

VMware-player-x.x.x-xxxxxx.exe /s /v EULAS_AGREED=1 SERIALNUMBER="xxxxx-xxxxx-xxxxx-xxxxx-xxxxx"

Note: Replace VMware-player-x.x.x-xxxxxx.exe with the name of the latest Workstation Player installer file, and replace xxxxx-xxxxx-xxxxx-xxxxx-xxxxx with a volume license key.

Supported Host Operating Systems for Horizon FLEX Clients

Users can run the Horizon FLEX client and access their restricted VM from the following 64-bit host operating systems:

• Windows 7, Windows 8.1, Windows 10

• Mac OS X 10.9, Mac OS X 10.10, Mac OS X 10.11

Note: Horizon FLEX clients are not supported on 32-bit host operating systems.

In order to ensure the best performance, use the latest available version of Horizon FLEX client.

Creation and Management of Restricted Virtual Machines

Horizon FLEX allows administrators to create, manage, and maintain restricted VMs. Instructions for the creation and management of restricted VMs follow.

Creation of Restricted Virtual Machines

Administrators create restricted Windows VMs using Fusion Pro or Workstation Pro. The VMs created by either Fusion Pro or Workstation Pro will work with both macOS and Windows endpoints. The administrator prepares a restricted VM for the user, as outlined in Figure 6.

Figure 6: Administrator Workflow to Create a Restricted VM (diagram; the administrator's numbered steps read:)

1. Creates and configures a virtual machine with Fusion Pro (or Workstation Pro) according to corporate specifications.

2. Encrypts and restricts the virtual machine. This includes applying any policies via the Horizon FLEX server.

3. Specifies the download location (URL) for the virtual machine. (This does not have to be on the Horizon FLEX server.)

4. Registers the virtual machine as a source virtual machine with the Horizon FLEX server. The Horizon FLEX server adds an entry to the Source VMs database.

5. Entitles the source virtual machine to users or groups. The Horizon FLEX server adds an entry to the Entitlements database.

The diagram's sample entries are a Win7 VM with restrictions, expiration 12/15/2017, download location <download.company.com>/Win7.zip, and an entitlement for the user jdoe.

As shown in Figure 6, the administrator creates, configures, encrypts, and restricts the VM. Then the administrator specifies the download location of the VM and registers it as a source VM with the Horizon FLEX server. The source VM is then entitled to the user or group who will use it.

Note: If the server address is incorrect, the VM fails to get a policy and does not boot. The Horizon FLEX server address in the source VM must end with the listening port (:7443 by default).

Supported Guest Operating Systems for Horizon FLEX

Following is a list of supported operating systems for Horizon FLEX VMs.

•Windows XP, Windows 7, Windows 8.x, Windows 10

•Ubuntu 14.04 and 15.10

Notes

• Both 32-bit and 64-bit versions of these operating systems are supported.

• If a guest OS is unsupported, Horizon FLEX does not block its installation, but its ability to be managed by Horizon FLEX is unpredictable.

Installing the Mirage Client on the Restricted VM

You can also use Mirage to manage Mirage-specific features of restricted VMs. To enable these Mirage features, you need to install the Mirage client.

To install the Mirage client, see Installing the Mirage Client in the VMware Mirage Installation Guide.

Management and Update of Restricted Virtual Machines

Horizon FLEX distributes the virtual machine and manages policies but does not interact with content inside of the VM. Administrators can use Mirage to take care of all management and updating of the VMs. Alternatively, you can manage Horizon FLEX VMs with other image management tools, such as SCCM. To learn more about managing and updating VMs with Mirage, read the Image Management Overview in the VMware Mirage Administrator’s Guide.

Delivering Horizon FLEX Restricted Virtual Machines to End Users

After you plan the virtual machine deployment and create and configure your virtual machines, users must download the restricted VMs, and then access the desktops locally.

In order for users to easily download the VMs, administrators must compress the source VM package into TAR format. To learn more about compressing the VM package, read Compress a Source Virtual Machine Package in the Horizon FLEX Administration Guide.

A Horizon FLEX virtual machine can be deployed in a number of different ways:

• An administrator can create a uniform resource identifier (URI) for each end user and email it to them.

• Users can use an administrator-provided USB drive and drag the server information to the host machine. This will copy the VM file from the USB drive to the local machine, where the user can launch the VM and register it with the Horizon FLEX server.

• Users can launch the client, connect to the Horizon FLEX server, find the VM file, and download it manually.

These are alternative methods by which VMs can be deployed. To learn more about deploying VMs, read Creating and Deploying Horizon FLEX Virtual Machines in the Horizon FLEX Administration Guide.


End-User Download of the Restricted Virtual Machines

End users download and access restricted VMs from the Horizon FLEX server, as illustrated in Figure 7.

[Figure 7: User Workflow for Downloading a Restricted VM from the Horizon FLEX Server. The Horizon FLEX user performs the following steps; the server's response is noted for each.]

1. Launches the Horizon FLEX client and connects to the Horizon FLEX server (Connect to Server dialog: Server URL, Username, Password). The Horizon FLEX server validates the user credentials and authenticates the user.

2. Sees the list of entitled VMs. The Horizon FLEX server delivers a list of entitled VMs.

3. Downloads a VM. The Horizon FLEX server registers the instance.

4. Powers on the VM. The Horizon FLEX server delivers the initial policy settings.

Figure 7: User Workflow for Downloading a Restricted VM from the Horizon FLEX Server


For the URI method of downloading the restricted VM, the administrator emails the URI to the end user, and the end user clicks the link in the email to start the Horizon FLEX client. The server connection dialog box opens, the Horizon FLEX server validates the user’s credentials, and a list of all restricted VMs entitled to that user is displayed. The end user selects and downloads a virtual machine to their physical machine. When they launch the VM, they enter the general decryption password provided by the administrator. The client registers the VM with the Horizon FLEX server. When the user powers on the VM, the Horizon FLEX server delivers the initial policy settings for the VM. For additional information about downloading a restricted VM, read the Horizon FLEX Client User Guide.

There are some useful tips to keep in mind:

• When the end user is authenticating to the Horizon FLEX server, the server name must end with the listening port and cannot include the URL (for example, server.cme.com:7443).

• When the end user is downloading a restricted VM, if they cannot start the download they should try using HTTP instead of HTTPS.

• When the end user is downloading a restricted VM, if they still cannot download it the administrator should try moving the VM to another file server, or place the VM on the IIS default Web site.
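The server-address rule from the Note above and the first tip (host:port, default :7443, no URL) as a check that a help desk or an enrolment script can run before the user connects, added here as an example and not VMware's code; the default port comes from the paper, while accepting a pasted http/https URL and reducing it to host:port is this example's own assumption.

```python
"""Check and normalise a Horizon FLEX server address.

Added example, not VMware code. The client wants "host:port" (default
port 7443), not a URL. Accepting a pasted http/https URL and reducing
it to host:port is this example's own assumption.
"""
from urllib.parse import urlsplit

DEFAULT_PORT = 7443  # default Horizon FLEX listening port stated in the paper


class ServerAddressError(ValueError):
    """Raised when the address cannot be reduced to an unambiguous host:port."""


def normalize_server_address(raw: str, default_port: int = DEFAULT_PORT) -> str:
    """Return the 'host:port' string the Horizon FLEX client expects."""
    text = raw.strip()
    if not text:
        raise ServerAddressError("empty server address")
    # A bare "host" or "host:port" has no scheme; prefix "//" so urlsplit
    # parses it as a network location instead of a path.
    if "://" not in text:
        text = "//" + text
    parts = urlsplit(text)
    if parts.scheme and parts.scheme not in ("http", "https"):
        raise ServerAddressError(f"unexpected scheme {parts.scheme!r}")
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        raise ServerAddressError("address must not carry a path, query or fragment")
    if parts.username or parts.password:
        raise ServerAddressError("do not embed credentials in the server address")
    host = parts.hostname
    if not host:
        raise ServerAddressError("no host name found")
    try:
        port = parts.port  # ValueError when the port is non-numeric or out of range
    except ValueError as exc:
        raise ServerAddressError("port is not a valid number") from exc
    return f"{host}:{default_port if port is None else port}"


def is_valid_server_address(raw: str) -> bool:
    """True only when the address already has the exact host:port form required."""
    try:
        return normalize_server_address(raw) == raw.strip().lower()
    except ServerAddressError:
        return False
```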

End-User Access to Updates of Virtual Machines

You can update the contents of a restricted virtual machine through Mirage or through the image management tool of your choice. To completely replace a restricted VM, create a new restricted VM in Fusion Pro or Workstation Pro and distribute it as usual to end users.

In the case of disaster recovery, you can use Mirage to facilitate the process. First, deploy a new restricted VM from Fusion Pro or Workstation Pro. Then, restore a backup of the original VM to the new VM.

For more information about using Mirage for image management and disaster recovery, see the VMware Mirage Administrator’s Guide.

Horizon FLEX Log File Locations

You can use the Horizon FLEX log files for troubleshooting. Details of Horizon FLEX log file locations follow.

• The Web App log file is located on the Horizon FLEX server at

C:\ProgramData\Wanova Mirage\rvm\logs\webapp.log

• The Horizon FLEX server logs are located on the Horizon FLEX server at

C:\Program Files\Wanova\Mirage Server\logs

The most important log file is mgmtservice.log.

The following VMware Knowledge Base articles provide information on collecting log files from Fusion Pro, Workstation Player, and Workstation Pro.

• Collecting diagnostic information for VMware Fusion (1003894)

• Collecting diagnostic information for VMware Player and VMware Workstation Player (2104004)

• Collecting diagnostic information for VMware Workstation (1346)


Horizon FLEX Frequently Asked Questions

Following is a list of frequently asked questions.

Q. Do I need to use Mirage for Horizon FLEX instead of my existing image management tools like SCCM?

A. Use the Horizon FLEX server to deploy and manage your Horizon FLEX VMs. You have the option of using either Mirage or your existing tools for image management. If you would prefer using your own image management tools such as SCCM or Altiris, Horizon FLEX is compatible with these.

Q. How is Horizon FLEX different from VMware Horizon 7 or VMware Horizon Air?

A. VMware Horizon 7 and Horizon Air desktops run in your data center, while Horizon FLEX runs locally on your end users’ computers. Horizon FLEX complements Horizon 7 and Horizon Air desktop setups by giving employees access to a Windows virtual desktop that they can use when offline or disconnected from the network. Users demanding Macs, contractors bringing their own laptops, and employees on the road who want to be productive while offline are better served with Horizon FLEX.

Q. How does Horizon FLEX compare to the Local Mode feature in View?

A. Horizon FLEX has some key differences when compared to View Client with Local Mode. In a Horizon FLEX deployment

• Desktops do not need to be checked out and checked back in by end users because desktops reside locally on the laptop, resulting in better usability.

• When Horizon FLEX is used with the full capabilities of Mirage, user documents and data sync back to the Mirage server.

• The full VMware vSphere® and View technology stack is not required to provide desktops to end users.

• Both macOS and Windows endpoints are permitted.

• You can limit data flow between the host and VM with policies.

Q. Can I use Horizon FLEX if I do not have Horizon 7 or vSphere?

A. Yes, Horizon 7 and VMware vSphere are not required to use Horizon FLEX.

Q. Can users be productive even when disconnected from the network?

A. Yes. Because Horizon FLEX VMs are stored locally on the users’ Macs or PCs, users can be productive even when disconnected from the network.

Q. Is Horizon FLEX a Type-1 or Type-2 hypervisor solution?

A. Horizon FLEX clients are Type-2 hypervisors that run on top of a host—macOS or Windows—operating system.


Summary

This document

• Introduced some key Horizon FLEX concepts

• Listed the requirements for a Horizon FLEX environment

• Presented an example of a Horizon FLEX deployment that ensures security and function

• Described how to generate and embed self-signed certificates

• Gave an overview of the Horizon FLEX clients and the creation and delivery of restricted VMs

• Provided information about log file locations and some frequently asked questions

Authors and Contributors

The following authors co-wrote this paper:

• Debra Perrin Coltoff, Technical Writer in the End-User-Computing Technical-Marketing Center of Excellence, VMware

• Kristina De Nike, Product Line Manager, End-User Computing, VMware

• Chris White, End-User-Computing Architect, End-User-Computing Technical-Marketing Center of Excellence, VMware

• Jason Bassford, Technical Marketing Manager in the End-User-Computing Technical-Marketing Center of Excellence, VMware

• Gina Daly, Technical Writer in the End-User-Computing Technical-Marketing Center of Excellence, VMware

Many thanks for contributions of content from

• Stéphane Asselin, Senior End-User-Computing Architect, End-User-Computing Technical-Marketing Center of Excellence, VMware

• Chris Halstead, End-User-Computing Architect, End-User-Computing Technical-Marketing Center of Excellence, VMware

• Maor Kuriel, Product Specialist, VMware

• Yaniv Weinberg, R&D Manager, VMware

And for contributing contents of the diagram from the Deployment and Design Considerations for VMware Mirage white paper, a special thanks to

• Alexander West, Technical Writer, formerly with VMware

• Judy Wu, Senior Solution Engineer, Enterprise Desktop, VMware

To comment on this paper, contact the VMware End-User-Computing Technical-Marketing Center of Excellence team at [email protected].


Additional Resources

For more information, see the following resources.

• VMware Horizon FLEX product Web page

• VMware Horizon FLEX product documentation

• Install / Configure VMware Horizon FLEX (blog post)

• Introducing Flexible Desktop Management for the Mobile User with VMware Horizon FLEX (HOL-MBL-1655) (VMware Hands-On Lab)

VMware, Inc. 3401 Hillview Avenue Palo Alto CA 94304 USA Tel 877-486-9273 Fax 650-427-5001 www.vmware.com

Copyright © 2016 VMware, Inc. All rights reserved. This product is protected by U.S. and international copyright and intellectual property laws. VMware products are covered by one or more patents listed at http://www.vmware.com/go/patents. VMware is a registered trademark or trademark of VMware, Inc. in the United States and/or other jurisdictions. All other marks and names mentioned herein may be trademarks of their respective companies. Item No: VMW-TWP-HORIZFLEXDEPCONSID-USLTR-20160831-WEB 8/16