
Wednesday, August 3, 2022

If You Can't Bring Your Virtual Desktop To The Cloud, Bring Cloud To Your Virtual Desktop

In late June of this year I had the honor of pre-recording a VMware Explore session with Todd Dayton and Cris Lau.  The session, "Can't Take Your Virtual Desktop To The Cloud? Bring Cloud To It,"  focuses on ways to enhance on-premises Horizon environments with VMware hosted services.   It stems from a recognition that shifting VDI capacity to the cloud is not quite feasible for many customers, at least not yet.   As Todd puts it, "VDI really isn’t an application workload itself. It’s a support system for Windows applications that typically can’t or wouldn’t be modernized... These Windows applications aren’t always a great cloud candidate."  So, sure, you can stuff any application in a cloud based desktop, but if it's too resource hungry, too latency sensitive, or generates too much ingress/egress traffic there could be problems.  Performance or cost savings, or both, can take a serious hit.  For this and other reasons lots of customers have decided to keep virtual desktop workloads on-premises.  However, all is not lost.  There's still plenty to gain from slathering cloud services on top of existing on-premises Horizon environments, shifting management, monitoring, and security to VMware's SaaS offerings.   

These VMware hosted services ease the burden of on-premises Horizon management while wrapping modern capabilities around traditional Windows workloads.  For day 2 operations the Horizon Control Plane, with features like the Universal Horizon Console, Help Desk Tool, and Assist for Horizon, enables effective support  from anywhere in the world.  Further, a subset of the Horizon Control Plane called the Cloud Monitoring Service (CMS) offers high level monitoring and reporting against Horizon from the cloud, capabilities recently improved upon through Workspace ONE Intelligence for Horizon.  Along with SaaS based support and monitoring there's the ability to enhance remote Horizon access with cloud based Workspace ONE and Carbon Black.   These services allow customers to wrap modern capabilities around Horizon sessions while facilitating adoption of 3rd party SaaS solutions like Office 365, Okta, and ServiceNow.  The end result is a comprehensive remote access solution, an on-premises Horizon environment augmented with cloud based services to deliver a digital workspace for remote and hybrid workers. 


COVID-19 Brings Horizon Remote Access To The Foreground

Horizon is more relevant than ever given the spike in remote and hybrid work driven by the pandemic.  For nearly 15 years Horizon had been a relatively niche solution, adopted primarily by segments sensitive to security and regulations.  Despite this narrow vertical adoption, over the years Horizon progressively improved at remoting Windows through updates to its clients, agents and the Blast display protocol.  This finely tuned capability for remoting Windows was an absolute godsend as customers scrambled to accommodate remote access in the early days of the pandemic.

While Citrix and Horizon are very similar solutions, a clear distinction emerges as one explores innovations for remote access.   For Citrix, remote access centers around hardware based versions of Citrix ADC, the artist formerly known as NetScaler.   You place these multipurpose network appliances in your DMZ and, as they are packed with impressive but for most customers largely extraneous features, they cost a small fortune.  In contrast, remote access for Horizon is handled by a free and flexible software based solution, a virtual appliance called Unified Access Gateway (UAG).  It's a mature bespoke technology for securing remote Horizon access with a proven track record integrating with 3rd party solutions to beef up security.  That said, it shines brightest when we combine it with the Workspace ONE suite to wrap functionality like identity and modern management around remote Horizon sessions.  This approach enhances remote access from the cloud while allowing customers to purchase germane technology a la carte. 

VMware Hosted Services Wrap Comprehensive Security And Management Around Remote Horizon Access

Over half a decade ago Workspace ONE UEM (AirWatch) was already shifting towards predominantly SaaS based adoption.  There are certainly exceptions, but generally speaking Workspace ONE UEM is a cloud first solution.   The same goes for Workspace ONE Access nowadays, as customers are entitled to a SaaS based tenant through their Horizon Universal subscriptions.  Offering a unique integration of identity and endpoint management capabilities, WS1 UEM and Access combined offer amazing enhancements to remote Horizon access like contextual authentication, endpoint management, and SSO.  This ideal model for remote and hybrid workers is further enhanced through Workspace ONE Intelligence.  Intelligence, along with providing advanced reporting capabilities, enables ruthless automation against WS1 UEM environments as well as any 3rd party solutions supporting REST APIs.  Finally, Carbon Black, a VMware acquisition from 2019, provides cloud based next-gen antivirus for Windows 10 and macOS.   When these VMware hosted services are combined with Horizon you get a solution ideally suited for remote and hybrid workers, a superb remote access Horizon experience augmented with mature cloud based security and management. 

These SaaS offerings wrap remote Horizon sessions in modern capabilities like Zero Trust, beefing up security for Windows applications that historically have been less than secure.   Further, while these services are a natural fit for remote endpoints, we can also use them to manage virtual desktop images themselves.  WS1 UEM can be used to manage persistent VDI and Carbon Black is supported on both Instant Clones and Full Clones.  Likewise, WS1 Access can be used to secure SaaS adoption both inside and outside the virtual desktop. 


Harnessing 3rd Party SaaS Based Solutions For An Enhanced Horizon Experience

When it comes to enhancing Horizon from the cloud it's not just about VMware hosted services, but also 3rd party SaaS like Office 365, Okta or ServiceNow.  For over a decade WS1 Access has made access to 3rd party SaaS easy and secure for Horizon users.  Within the virtual desktop it offers incredibly convenient consumption of SAML integrated applications through the WS1 portal or directly from any supporting Windows apps.  Outside the virtual desktop security can be fully addressed by WS1 Access and the rest of the Workspace ONE suite.  As with Horizon, we can use the Workspace ONE suite to enhance and secure access to these SAML integrated solutions. 

In addition to enabling the adoption of cloud based service providers, there's the option to leverage solutions like Okta, Ping or Azure as identity providers.  By configuring these services as trusted IDPs we can leverage their authentication mechanisms for securing Horizon or any other Workspace ONE integrated application. It's a way to beef up the already impressive set of Workspace ONE security capabilities, another way of bringing cloud to the desktop. 

Finally, there are two very interesting ways in which Workspace ONE Intelligence facilitates cloud adoption.  First, through the Trust Network it can ingest threat events not only from Carbon Black, but other cloud based members of the Trust Network like Lookout.  Second, events collected in the Intelligence data lake can trigger actions through automation connectors.  Out of the box there's built-in connectors for WS1 UEM, Slack and ServiceNow, however there's an option to create custom connectors for any solution that offers a REST API. 

These automation connectors represent an amazing opportunity to fine tune enhancement and support of Horizon environments from 3rd party cloud services.  Horizon admins are usually grizzled veterans when it comes to scripting within the desktops.   With Intelligence they can now turn their attention to scripting against SaaS, automating REST API calls to 3rd party cloud solutions that are becoming increasingly relevant.
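The custom connector model described above means a 3rd party REST endpoint (or one you host yourself) will be called whenever an Intelligence automation fires on an ingested Trust Network event. The following is an added example, not code from the original post or from VMware, of the receiving side of such a hypothetical self-hosted REST target: it authenticates the inbound call with an HMAC over the body using a shared secret (a design choice of this example service, not a documented Intelligence feature), validates the event, and maps it to downstream actions against WS1 UEM, ServiceNow or Slack. The event shape, field names, secret and target operations are all constructed for illustration.

```python
import hashlib
import hmac
import json

# Constructed shared secret for this example service; the receiving service
# and the caller would both hold it. Rotate and store it in a secrets manager.
SHARED_SECRET = b"constructed-example-secret-rotate-me"

# Constructed sample event. The field names are an assumption for this example,
# not the documented Workspace ONE Intelligence / Trust Network payload format.
SAMPLE_EVENT = {
    "source": "carbon_black",
    "device_id": "DEVICE-0001",
    "user": "jdoe",
    "severity": 8,
    "threat": "Suspicious script interpreter activity",
}


def make_body(event: dict) -> bytes:
    """Serialize an event deterministically so the signature is reproducible."""
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()


def sign(body: bytes, secret: bytes) -> str:
    """HMAC-SHA256 over the raw body; the caller sends this in a header."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify(body: bytes, signature: str, secret: bytes) -> bool:
    """Constant-time comparison so signature checks do not leak timing."""
    return hmac.compare_digest(sign(body, secret), signature)


def decide_actions(event: dict) -> list:
    """Map a validated threat event to outbound REST actions (hypothetical targets)."""
    severity = int(event.get("severity", 0))
    threat = event.get("threat", "unknown threat")
    actions = []
    if severity >= 7:
        # High severity: tag the device for UEM policy follow-up and open a ticket.
        actions.append({"target": "ws1_uem", "op": "add_tag",
                        "device_id": event["device_id"], "tag": "quarantine-review"})
        actions.append({"target": "servicenow", "op": "create_incident",
                        "short_description": f"{event['source']}: {threat}",
                        "device_id": event["device_id"]})
    elif severity >= 4:
        # Medium severity: notify the support channel only.
        actions.append({"target": "slack", "op": "post_message",
                        "text": f"[{event['source']}] {threat} on {event['device_id']}"})
    return actions


def handle_webhook(body: bytes, signature: str, secret: bytes = SHARED_SECRET) -> dict:
    """Entry point the HTTP layer would call with the raw body and signature header.

    Nothing is acted upon until the signature verifies and the event is well formed.
    """
    if not verify(body, signature, secret):
        return {"accepted": False, "reason": "bad signature", "actions": []}
    try:
        event = json.loads(body)
    except json.JSONDecodeError:
        return {"accepted": False, "reason": "malformed json", "actions": []}
    missing = {"source", "device_id", "severity"} - set(event)
    if missing:
        return {"accepted": False,
                "reason": "missing fields: " + ", ".join(sorted(missing)),
                "actions": []}
    return {"accepted": True, "reason": "", "actions": decide_actions(event)}


if __name__ == "__main__":
    body = make_body(SAMPLE_EVENT)
    print(json.dumps(handle_webhook(body, sign(body, SHARED_SECRET)), indent=2))
```

The point of the signature check is that an automation target that accepts unauthenticated POSTs can be driven by anyone who can reach it, so every action the connector is allowed to take becomes reachable by that party as well; validating the body before mapping it to actions keeps a malformed or partial event from triggering a half-applied response.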


The Horizon Control Plane Services 

Horizon Control Plane Services enable day 2 support for on-premises Horizon environments from the cloud.  Its Horizon Universal Console provides Horizon administration enterprise wide through a single web based URL while also providing global access to the Help Desk tool.  So a support team, wherever they are in the world, without the need for direct network access to Horizon environments, can look up real time session details for any Horizon user.  They'll also have the ability to troubleshoot through actions like killing processes or restarting VMs.  If necessary there's even an option to remote into a virtual desktop using Workspace ONE Assist for Horizon.  Finally, for more high level support and monitoring, "the big picture," there's the Cloud Monitoring Service (CMS).  CMS provides health, capacity, and usage metrics for any cloud connected Horizon environment.  (For example, if a certificate expires on a Horizon Connection server, this challenge will trickle up to the Horizon Universal Console through CMS.)  The Universal Console, the Help Desk tool, Assist for Horizon and CMS all connect to on-premises environments through the Horizon Cloud Connector and clone Worker Node(s) that provide redundancy.   

While CMS provides high level insight, Workspace ONE Intelligence for Horizon provides additional detail, granularity and customization in terms of monitoring and tracking the health of your on-premises Horizon environments.  It provides more in-depth support for day 2 operations while laying the groundwork for future Workspace ONE integration with Horizon.


Workspace ONE Intelligence For Horizon 


Workspace ONE Intelligence For Horizon was first announced during VMworld 2021 and as of July 28th, 2022 is generally available.   This rounds out the overall strategy of porting information from all VMware EUC components into Intelligence.  For someone that specializes in both Horizon and Workspace ONE this is welcome news.  Intelligence has been offering advanced reporting and automation for WS1 UEM for years now and it's great to see VMware extend this functionality to Horizon.  

This first iteration provides built-in dashboards, custom reports, and custom dashboards, expanding beyond the canned reporting capabilities of CMS.  We're talking boatloads of raw and relevant data regarding the health and performance of Horizon. Just to give you a taste of how vast this dataset is, here are screenshots from Intelligence custom reports detailing visible attributes from Horizon PODs, Pools and VMs:


Even more impressive and overwhelming are the available "Session Snapshot" attributes:


So yeah, there's a lot to work with here. While this info is relevant for Horizon health and performance monitoring across the board, it certainly rounds out the already impressive model of supporting remote Horizon access with cloud based services. When troubleshooting performance challenges with remote access it can provide critical network insight like display protocol packet loss and round trip latency, along with detailed information on virtual desktop resource usage.  You also get invaluable context regarding general POD health and performance.  Finally, you get the ability to slice and dice through this information with WS1 Intelligence customizable dashboards and widgets, allowing you to easily zero in on and visualize relevant data.


The fact we get this info enterprise wide from a cloud based service is quite compelling and affords Horizon customers an opportunity to really up their game in terms of monitoring Horizon performance.  Further, as a cloud based service that leverages Horizon Cloud Connectors many customers already have in place, it's very accessible and easy to stand up.  (It took me less than 15 minutes to get it working for my lab.)  Finally, it comes standard with most of the new Horizon entitlements at no additional cost, so the price is right.  


A VMware Explore Session On Extending Cloud To The Virtual Desktop

Though not everyone is ready to move their VDI workloads to the cloud, all existing Horizon customers stand to benefit from the adoption of VMware hosted services.  These services, already available today, can be layered on top of existing Horizon environments non-disruptively and easily.  These are the main takeaways of the Explore session, "Can't Take Your Virtual Desktop To The Cloud? Bring Cloud To It."  It begins with an amazing introduction from Todd Dayton.  He elaborates on the benefits of cloud adoption, challenges with Windows workload migrations to the cloud, and the ideal compromise of shifting Horizon management to the cloud.  Then Cris Lau provides an impressive demo of the Horizon Universal Console, Help Desk tool, Assist for Horizon and Intelligence for Horizon.  Finally, I wrap things up reviewing ways we can enhance remote Horizon access with cloud based Workspace ONE and Carbon Black. 



Also, one final anecdote.  Todd pointed out that even if you're confident your virtual desktop workloads will eventually get migrated to the cloud, there's absolutely nothing lost if you start off with these cloud based enhancements to your on-premises environment today.  It's not like you'd be burning any bridges or painting yourself into a corner.  In fact, arguably you'd be stacking the deck in your favor for a successful workload migration by already having cloud based management services configured, adopted and in place.  So there's really nothing to lose except the burden of managing on-premises resources.