Frank Anderson, Graeme Gordon
ADV1588BU
#VMworld #ADV1588BU
Architecting Horizon 7 and Horizon Apps
VMworld 2017 Content: Not for publication or distribution
Disclaimer
• This presentation may contain product features that are currently under development.
• This overview of new technology represents no commitment from VMware to deliver these features in any generally available product.
• Features are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind.
• Technical feasibility and market demand will affect final delivery.
• Pricing and packaging for any new technologies or features discussed or presented have not been determined.
#ADV1588BU CONFIDENTIAL 2
Agenda
1 Design Methodology
2 Architectural Principles
3 Design of Horizon Components
4 Multi-site Design
5 Performance and Validation
Start with Why
Why?
• Why are we doing this?
• Do we understand the problem we are trying to solve?
• What are the business and user objectives?
• Can we define the requirements?
How?
• How are we going to satisfy the requirements?
• Define what we will deliver.
What?
• What is required to deliver the How.
• Design and build the required components that will be used.
Deliver
• Build, integrate and actually deliver.
Validate
• Did we actually address the Why?
• Did we satisfy the requirements and expectations?
Design Methodology
1 Business Drivers & Use Case Definition
2 Services Definition
3 Architectural Principles & Concept (Pod & Block)
4 Horizon 7 Enterprise Component Design
5 vSphere 6 Design
6 Physical Environment Design
7 Services Integration Design
8 User Experience Design
(Diagram: the eight steps are shown against the phases Why?, How?, What?, Deliver and Validate.)
Start with Why
Business Drivers
• Mobile access to modern and legacy apps via laptop, tablet, and smartphone.
• Reduce user support calls by simplifying and securing access to applications.
• Fast provisioning of and secure access for internal users and third-party suppliers to line-of-business applications.
• Centralize and secure corporate data to meet compliance standards.
• Reduce app mgt overhead and reduce application provisioning time.
• Simplify root cause analysis and time to resolution of user issues.
• Reduce physical device management overhead.
• Allow users to access corporate applications and data from their own devices.
Use Cases
• Static Task Worker
• Mobile Knowledge Worker
• Software Developer / IT (Power User)
• Multimedia Designer / Engineer
• Contractor
Requirements
• Number of applications
• Access from corporate location mainly
• Access applications from mobile locations.
• Uses a large number of core.
• Uses departmental applications.
• Installs their own applications.
• SaaS application access.
• Access to USB devices.
• Location-aware printing.
• GPU requirement with API support for DirectX 10+, video playback, and Flash content.
• Two-factor authentication for remote access.
• Restricted access to clipboard, USB devices, etc.
• Windows or Linux applications.
How are We Going to Satisfy the Use Cases?
• Paint a high level picture of what will be delivered to satisfy a certain use case.
• One per Use Case
• Use case requirements will guide you in what are good fits.
• Understand the constraints of the options available and match them to the requirements.
• Think of this like creating food recipes:
– You’ve identified the right meal to satisfy this use case.
– You know most of the ingredients needed.
– You know what you want to cook.
• But not necessarily the quantities,
• how to create those ingredients;
• or how to actually create the final meal.
Horizon 7 Services Definition
Sample Service Blueprint
(Diagram. Labelled elements:)
• User, Client(s), Identity Manager, HTML, Remoting Protocol
• Service: Pool, Profile, Apps
• Apps: SaaS, Mobile, Other Apps; ThinApp Shares, Streamed Apps; App Volumes AppStacks, Writable Volume, Disk Attachments
• Pool: Master VM, Instant Clone
• Platform: vSphere, Virtual SAN, Instant Clone, vGPU
• Environment: AD, DNS, DHCP, Group Policy, Certs
• User Environment Manager: File Shares, IT Config, User Personalization, Home File Shares, Folder Redirection
• vRealize Operations for Horizon (Monitoring & Mgt.)
Design
The What
• Architectural Principles
• Horizon 7 Enterprise Components Design
• vSphere 6 Design
• Physical Environment Design
Pod and Block Design
(Diagram. Labelled elements:)
• Management Block: vSphere Cluster, Connection Servers, Unified Access Gateways, vCenter, DB Server(s)
• Resource Blocks (three shown): vCenter, vSphere Clusters, Virtual Switch, Storage, with Desktop Pools and/or Application Pools
Horizon 7 Component Design
• Design Areas include:
– On-premise or SaaS
– Versions
– Scalability
– Availability
– Replication
– Load Balancing
– Database
– Authentication
– Networking
– Storage
– VM Build and OS
Components
• Identity Manager
• View in Horizon
• Protocol
• Unified Access Gateway
• App Volumes
• User Environment Manager
• TrueSSO
• vRealize Operations for Horizon
• ThinApp
Physical Environment Considerations
• Outside of the Horizon product.
– But required to deliver a complete solution.
• Some of these may already be present.
• Considerations:
– Supported versions
– Highly available
– Expected load
• Compute
• Disk load and space
– Particular configuration needed (e.g.)
• DHCP lease time
• Block GPO Inheritance
Components
• Active Directory
• Group Policy
• DNS
• DHCP
• Certificate Authority
• Key Management Service
• Database
• Load Balancer
• Firewall
• RDS Licensing
• File Servers
• Profiles
Service Integration Design
Deliver – Step 7
Integrate and Deliver the Service
• Create the required parts from each of the components.
• Assemble and integrate them into the end service that will be delivered to the users.
• Reference the blueprint for the use case.
Dedicated Power Workspace Service
Part | Required
VMware Identity Manager | ✓
Windows 10 instant clone | ✓
Windows 10 linked clone | –
RDSH linked clone | –
Linux clone | –
App Volumes AppStack | ✓
App Volumes writable volume | ✓
User Environment Manager | ✓
Smart Policies | ✓
Application blocking | ✓
Folder redirection | ✓
Mandatory profile | ✓
GPO | ✓
Printing (ThinPrint) | ✓
ThinApps | ✓
SaaS Apps | ✓
Unified Access Gateway | ✓
True SSO | ✓
vGPU | –
Workspace Service
(Diagram labels: Core Service; Identity Manager Workspace; SaaS, Mobile Apps; Streamed Apps; ThinApps.)
Core Service
(Diagram labels: Horizon Desktop Pool; Instant Clone Desktop; Identity Manager Workspace; Instant Clone Automated Pool.)
Applications
(Diagram labels: Core Service; Instant Clone Desktop; Identity Manager Workspace; SaaS, Mobile Apps; Master VM with Pre-installed Apps; App Volumes with Core Apps AppStack and Departmental Apps AppStack; ThinApps with Streamed Apps; User Installed Apps on a Writable Volume.)
Profile and User Data
(Diagram labels: Core Service; Windows Session; User Environment Manager with IT Configuration and User Personalization; Mandatory Profile as Base Profile; Folder Redirection (File Shares) for Documents, Downloads, Music, Pictures, Videos.)
Multi-site Design Considerations
Active / Active – Roaming Use Cases
(Diagram labels: Site 1, Pod 1, Connection Servers; Site 2, Pod 2, Connection Servers; CPA.)
Active / Passive – Fixed Location Use Cases
(Diagram labels: Site 1, Pod 1, Connection Servers; Site 2, Pod 2, Connection Servers; CPA.)
Stretched
(Diagram labels: Site 1, Site 2; Pod 1; Connection Servers shown at both sites.)
Active / Passive – VSAN Stretched Cluster (Metro)
(Diagram labels: Site 1, Site 2; Pod 1; Connection Servers; vSphere HA.)
Identity Manager
(Diagram. Labelled elements:)
• Site 1 and Site 2, fronted by a Global Load Balancer, with a Local Load Balancer at each site
• IDM Instance 1: VMware Identity Manager Node 1, Node 2, Node 3
• IDM Instance 2: VMware Identity Manager Node 1, Node 2, Node 3
• Windows Failover Cluster 1 (Node 1, Node 2) and Windows Failover Cluster 2 (Node 1, Node 2)
• SQL Server Always On Listener, Primary SQL Server Database, Secondary SQL Server Database
App Volumes
Multi-site design considerations
AppStack Replication
• Storage Groups replicate AppStacks
• 1 overlapping Datastore marked as non-attachable.
• Replication across sites when Datastore is visible by one or more vSphere hosts in both sites.
• Could manually export and import AppStacks from one site to the other.
(Diagram labels: Site 1 and Site 2, each with App Volume Managers and vSphere Hosts; Storage Group #1 and Storage Group #2; DataStore1 to DataStore5, with one datastore marked Not attachable.)
App Volumes Multi-Site Architecture
• Separate deployments of App Volumes
• AppStack Replication
– Use Storage Groups
– Replication across sites when Datastore is visible by both vCenters
– 1 Datastore marked as non-attachable
• AppStack Entitlements will need to be reproduced in the other site.
Option 1: Separate instances and databases
(Diagram labels: Site 1 and Site 2, each with App Volume Managers, vSphere Hosts and its own SQL Database; Storage Group #1 and Storage Group #2; DataStore1 to DataStore5, with one datastore marked Not attachable.)
https://blogs.vmware.com/euc/2017/07/app-volumes-automated-entitlement-replication.html
App Volumes Multi-Site Architecture
• Stretched deployment of App Volumes Managers
• AppStack Replication
– Use Storage Groups
– Replication across sites when Datastore is visible by both vCenters
– 1 Datastore marked as non-attachable
• Stretched SQL
• SQL Failover will be needed if the primary instance fails.
Option 2: AlwaysOn SQL Cluster
(Diagram labels: Site 1 and Site 2, each with App Volume Managers and vSphere Hosts; SQL Always-On Database marked P and S; Storage Group #1 and Storage Group #2; DataStore1 to DataStore5, with one datastore marked Not attachable.)
Writable Volumes
• Black boxes – Use them sparingly.
• Consider not protecting them at all.
• Virtual Disks not Virtual machines.
• Protection Options
– LUN replication
– Manual Copy
– App Volumes Backup fling: https://labs.vmware.com/flings/app-volumes-backup-utility
– Possibly the PowerCLI 6.5 copy cmdlet (need to test).
• Considerations
– Data Integrity and Consistency
– Recovery Point Objective (RPO) – How long will it take to recover them?
– Recovery Time Objective (RTO) – How much data might be lost?
App Volumes Multi-Site Service
(Diagram labels: User, Client(s); Site 1 and Site 2, each with Service, Apps, Database, App Volumes Managers and Desktop/RDSH Clone; AppStacks; Writable Volume; Replication; SQL; Failover.)
User Environment Manager
Multi-site design considerations
IT Configuration Share
• Only admins make changes.
• Users have read-only rights.
• DFS-Namespace (DFS-N) is fully supported for the UEM configuration share.
• DFS-Replication (DFS-R) is fully supported in a hub and spoke replication topology.
• Connect the Management Console only to the hub member to make changes
– Let DFS-R replicate those changes to the spoke members.
Replication and Availability
User Profile Share
• User can Read and Write.
• DFS-Namespace is fully supported.
• DFS-Replication in an Active-Active setup is not supported.
• DFS-R does not have conflict resolution.
– Limitation of DFS-R and also applies to regular Roaming profiles.
– See support statement and blog from Microsoft:
• https://support.microsoft.com/en-us/kb/2533009
• http://blogs.technet.com/b/askds/archive/2010/09/01/microsoft-s-support-statement-around-replicated-user-profile-data.aspx
• Set up DFS-R, and disable the referral to the replicated DFS-N Folder Target(s).
– That way active-passive replication topology is created.
Replication and Availability
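The active-passive profile share described above, sketched in PowerShell with the Windows Server DFSN and DFSR modules. This is an added example, not part of the original slides; the domain, server, share and path names are hypothetical placeholders, and the DFS namespace root is assumed to exist already.

```powershell
# Added example: active-passive UEM user profile share (DFS-N + DFS-R).
# Hypothetical names: domain corp.example, file servers FS-SITEA (active)
# and FS-SITEB (passive), share UEMProfiles on each, data on D:\UEMProfiles.
Import-Module DFSN, DFSR

$nsFolder = '\\corp.example\UEM\Profiles'   # DFS-N path configured for users
$active   = '\\FS-SITEA\UEMProfiles'
$passive  = '\\FS-SITEB\UEMProfiles'
$rgName   = 'UEM-Profiles'
$content  = 'D:\UEMProfiles'

# 1. Publish both folder targets, but leave the Site B referral disabled so
#    clients are only ever referred to a single writable copy.
New-DfsnFolder       -Path $nsFolder -TargetPath $active
New-DfsnFolderTarget -Path $nsFolder -TargetPath $passive -State Offline

# 2. Replicate the data to the passive member with DFS-R.
New-DfsReplicationGroup -GroupName $rgName
New-DfsReplicatedFolder -GroupName $rgName -FolderName 'Profiles'
Add-DfsrMember     -GroupName $rgName -ComputerName 'FS-SITEA', 'FS-SITEB'
Add-DfsrConnection -GroupName $rgName -SourceComputerName 'FS-SITEA' `
                   -DestinationComputerName 'FS-SITEB'
Set-DfsrMembership -GroupName $rgName -FolderName 'Profiles' `
                   -ComputerName 'FS-SITEA' -ContentPath $content `
                   -PrimaryMember $true -Force
Set-DfsrMembership -GroupName $rgName -FolderName 'Profiles' `
                   -ComputerName 'FS-SITEB' -ContentPath $content -Force

# 3. Guard rail: DFS-R has no conflict resolution for profile data, so
#    warn if more than one (or no) target is receiving referrals.
function Test-SingleOnlineTarget {
    $online = @(Get-DfsnFolderTarget -Path $nsFolder |
                Where-Object State -eq 'Online')
    if ($online.Count -ne 1) {
        Write-Warning "Expected 1 Online target, found $($online.Count)"
    }
    return ($online.Count -eq 1)
}

# 4. Site failover: move the referral, never enable both targets at once.
function Switch-UemProfileTarget {
    param([string]$From, [string]$To)
    Set-DfsnFolderTarget -Path $nsFolder -TargetPath $From -State Offline
    Set-DfsnFolderTarget -Path $nsFolder -TargetPath $To   -State Online
    Test-SingleOnlineTarget | Out-Null
}
```

Running `Test-SingleOnlineTarget` on a schedule catches a referral that was re-enabled by mistake, which would recreate the unsupported active-active topology.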
Multi-Site User Environment Manager Data
(Diagram labels: User, Client(s); Site A and Site B, each with Service, Desktop/RDSH Clone, Profile and Files, Profile File Server Shares, Home File Shares, User Settings and IT Config; shares shown as Home Share, User Share and Config Share; Replication; Failover.)
Performance
Horizon Apps Performance Reference Architecture
VMware Horizon Apps Reference Architecture
• This architecture utilizes key features of Horizon 7 Enterprise Edition and Horizon Apps Advanced, including Just-in-Time Management Platform, which combines:
– Instant Clone Technology
– VMware App Volumes
– VMware User Environment Manager
• This solution designs and builds out the requirements and best practices using VMware vSAN as a storage platform for RDSH servers.
• vSAN comes with Horizon Apps Advanced and provides an excellent scalable storage layer; however, other storage types can be used instead.
Hardware Components
• 4 x Workload Hosts:
– Dell R730 Servers (2x Intel Xeon processor E5-2698 v4 CPUs at 2.2 GHz with 20 cores, 384 GB of memory at 2400 MHz, NICs 2x 10GbE, 2x 1GB, Dell PERC H730P Mini RAID controller, 5x 800GB SSDs)
• 2 x Infra Hosts:
– Dell R730 Servers (2x Intel Xeon processor E5-2695 v3 CPUs at 2.3 GHz with 14 cores, 256 GB of memory at 1866 MHz, NICs 2x 10GbE, 2x 1GB)
• Cisco Nexus 9372 Switches for core network and storage connectivity
• Cisco 2248 Fabric Extenders
• Tegile T3600 Storage Array
– for App Volumes and UEM user data CIFS/SMB3 shares
• Login VSI Launchers: Dedicated hardware
Software Components and Versions
• VMware Horizon 7.1
– VMware Connection Server 7.1
– VMware Horizon Client 4.4
• VMware ESXi 6.5
– VCSA
– VMware VSAN
• VMware App Volumes 2.12.1
• VMware UEM 9.1
• Microsoft Windows Server 2012 R2
• Microsoft Office 2016 32-bit
• Login VSI 4.x
Agent
RDSH
Environment Overview
Infrastructure and Workload Distribution
• Infrastructure Cluster
• RDSH Workload Cluster Supports 700 Total Sessions
• N+1 Server HA per Cluster
VMware App Volumes AppStacks Configuration Overview
Login VSI Test Tool Configuration & Workload
Test Results: Login VSI Scores for 700 RDSH Users
(Chart: Login VSImax chart with VSIbase index; result shown as PASS.)
Test Results: Login VSI Scores for 700 RDSH Users
• Active Session – Total number of sessions reported as active
• Baseline – The calculated VSI baseline score (Response time, in ms)
• Launched Sessions – Total number of sessions reported as launched by the VSI launcher systems
• Stuck Sessions – Total number of reported stuck sessions where the VSI workload had prematurely terminated
• Threshold – The point where a VSImax is reached (Baseline + 1000ms)
(Chart: Login VSI Comparison Chart; result shown as PASS.)
RDSH ESXi Hosts Performance
Test Results: RDSH ESXi Hosts Performance
(Charts: CPU, Memory, Network. Annotations: Cold Boot 32 RDSH VMs; 30% Peak; 65% Avg during Steady State; 150 GB during Steady State; 2 Gbps; 500 Mbps.)
Infrastructure ESXi Hosts Performance
RDSH Virtual Machine Performance
Infrastructure Virtual Machine Performance
VSAN Storage Performance for RDSH VMs
Test Results: vSAN Storage Performance for RDSH VMs
(Charts: Latency, MBps, IOPS.)
App Volumes AppStacks Storage Performance
Conclusion
• The Horizon Apps Performance Reference Architecture addresses IT needs by delivering a platform that is cost effective and simple to deploy and manage.
• Validates product functionality, interoperability, and performance/scalability
• Standardized, validated, readily available components
• Scalable design allows room for future growth
• Tested designs that reduce implementation and operational risks
• Quicker implementations
Resources
• Horizon 7 Enterprise Reference Architecture
– http://www.vmware.com/files/pdf/techpaper/vmware-horizon-7-enterprise-validated-integration-design-reference-architecture.pdf
• Multi-site Reference Architecture
– https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/techpaper/vmware-horizon-7-enterprise-edition-reference-architecture-multi-site.pdf
• Horizon 7 Apps Reference Architecture
– https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/techpaper/vmware-horizon-apps-reference-architecture-performance.pdf