REVISED 25 MARCH 2020

USING HORIZON 7 TOACCESS PHYSICALWINDOWS MACHINES

USING HORIZON 7 TO ACCESS PHYSICAL WINDOWS MACHINES

HORIZON | 2

Table of Contents

Overview

Versions

Architecture and Design

– Components

– Sizing

– Load Balancing

– Scaling

– Authentication

– Display Protocols

– Network Ports

– Single DMZ

– Double DMZ

Implementation

– Considerations

– Requirements

– Connection Servers

– Unified Access Gateways

– Horizon Agent Installation

– Desktop Pool

– Horizon Client

USING HORIZON 7 TO ACCESS PHYSICAL WINDOWS MACHINES

HORIZON | 3

Changelog

Author and Contributors

– Author

– Contributors

– Reviewers

USING HORIZON 7 TO ACCESS PHYSICAL WINDOWS MACHINES

HORIZON | 4

Using Horizon 7 to Access Physical WindowsMachines

OverviewWhen faced with unpredictable events like natural disasters, emergencies, or public health outbreaks, organizations are beingasked to take action and enable their workforce to access corporate resources remotely. In many cases, the user has a physicalWindows machine located in their normal place of work, the office. That machine has all the applications, access to data, and toolsthat the user needs to do their work. The challenge is that the user is unable to physically get to their machine.

What is needed is a solution to enable working from home that gives users secure remote access to their work machine, and thesolution needs to be quick and easy to deploy.

Figure 1: Securely Accessing Physical Office-Based PCs

VMware is well known for virtualization technologies, but VMware Horizon® 7 goes beyond brokering virtual machines. Althoughbest known for its myriad benefits when implementing virtual desktops and application servers, Horizon also offers the option tobroker access to physical machines. This provides an excellent and familiar experience for employees.

Brokering to physical machines can be implemented either with an existing Horizon 7 environment or with a new one. Withminimal components required, this solution can be implemented quickly.

Connections are encrypted and Horizon 7 supports multiple authentication options including SAML, RADIUS, RSA SecurID, andcertificates, including smart cards. Authentication can be carried out in the DMZ at the Unified Access Gateway, before passingauthenticated traffic through to the internal resource.

To provide support to users, Horizon 7 has the Horizon Help Desk Tool. This is a web application that you can use to get the statusof Horizon 7 user sessions and to perform troubleshooting and maintenance operations. See Using Horizon Help Desk Tool inHorizon Console.

This guide gives technical detail, with design and implementation considerations and guidance, on how to achieve this.

USING HORIZON 7 TO ACCESS PHYSICAL WINDOWS MACHINES

HORIZON | 5

Figure 2: Securely Accessing Physical Office-Based PCs with Horizon 7

Horizon 7 enables access to office-based physical machines by using just a few core Horizon components:

The VMware Horizon® Client authenticates to a Horizon Connection Server.1.The Connection Server brokers a connection to a Horizon Agent running on a Horizon-managed desktop or server. For this2.use case, the Horizon Agent is installed on physical Windows 10 machines.The Horizon Client then forms a protocol session connection to a Horizon Agent in the physical machine.3.

The Horizon Client is available for all major OS platforms including Windows, Mac, Linux, iOS, Android, Chrome OS and also asHTML Access. HTML Access allows users to use a web browser to act as the Horizon Client, where installation of the client softwareis not possible. See VMware Horizon Client Documentation.

To provide secure access from external locations and over the Internet, VMware Unified Access Gateway™ is deployed to providesecure edge services.

The Horizon Client authenticates to a Connection Server through the Unified Access Gateway.1.The Horizon Client then forms a protocol session connection, through the gateway service on the Unified Access Gateway,2.to the Horizon Agent running in the physical desktop.

Figure 3: Secure External Access with Authentication Through Unified Access Gateway

User authentication can be configured in various ways. By default, Active Directory credentials are used, but this can be enhancedwith two-factor or alternative authentication initiated from Unified Access Gateway. See the section on authentication later in this

USING HORIZON 7 TO ACCESS PHYSICAL WINDOWS MACHINES

HORIZON | 6

guide.

You can quickly set up and configure Horizon 7 for use as an interim solution to broker access to physical machines. This setupalso creates an excellent foundation that can be built on, at a later date, to realize the full benefits of the complete Horizon 7 andVMware Workspace ONE® platform. These include:

Delivering pristine high-performance personalized desktops to end users every time they log inScaling published applications effortlessly at the push of a button while deploying them faster and eliminating image sprawlReducing endpoint security concerns by destroying desktops as soon as users log offDrastically lowering costs by pooling required infrastructure components and providing a truly stateless desktop that stilldelivers the personalization end users expect

VersionsWith Horizon 7 version 7.7, VMware introduced the ability to broker physical machines running Windows 10 version 1803Enterprise Edition or higher, via the Blast Extreme display protocol.

Either the Blast Extreme or RDP protocol can be used, but Blast will give a better user experience. For more information onthe key features see VMware Blast Extreme.For Windows 10 versions 1903 and later, use Horizon 7 version 7.12.

Note: Windows 10 Pro Edition may work but is not officially supported. The RDP protocol should be used for Pro, so that the displayis not mirrored on the physical monitor. If possible, change the license type used for Windows 10 to Enterprise edition.

Earlier versions of Horizon 7, before version 7.7, can broker to physical machines using the RDP protocol.

Physical machines running Windows 7 will work with some caveats. These can only use RDP as the display protocol. The HorizonClient will need to be installed on the employee’s home device because HTML Access is not available for RDP connections.Configure desktop pools that contain Windows 7 to use the RDP protocol.

Table 1: Windows and Horizon 7 Versions

Windows Version Horizon Version Protocol

Windows 10 Enterprise Edition 1903-1909 7.12 Blast or RDP

Windows 10 Enterprise 1803-1809 7.7 - 7.12 Blast or RDP

Windows 10 Enterprise 17xx 7.x RDP only

Windows 10 (non-Enterprise) 7.x RDP only

Windows 7 SP1 or later 7.x RDP only

See Display Protocols for more information on Blast Extreme and RDP.

Architecture and DesignHorizon 7 is a platform for managing and delivering virtualized, session-based, or physical desktops and applications to end users.Horizon 7 allows you to create and broker connections to Windows virtual desktops, Linux virtual desktops, Remote Desktop Server(RDS)–published applications and desktops, and physical machines.

A successful deployment of Horizon 7 depends on good planning and a robust understanding of the platform. This section focuseson the main design topics required for a Horizon environment brokering connections to physical desktops.

USING HORIZON 7 TO ACCESS PHYSICAL WINDOWS MACHINES

HORIZON | 7

ComponentsThe required core components of Horizon 7 are described in the following table.

Table 2: Horizon 7 Components

Component Description

Connection Server

The Horizon Connection Server securely brokers and connects users to desktops andpublished applications running on physical PCs, blade PCs, RDSH servers, or VMwarevSphere® VMs.The Connection Server authenticates users through Active Directory and directs the requestto the appropriate and entitled resource.

Horizon AgentThe Horizon Agent is installed on the guest OS of target physical systems or VMs. This agentallows the machine to be managed by Connection Servers and allows a Horizon Client to forma protocol session to the machine.

Horizon ClientThe Horizon Client is installed on a client device to access a Horizon-managed system thathas the Horizon Agent installed.You can optionally use a web browser as an HTML client for devices on which installing clientsoftware is not possible.

Unified AccessGateway

VMware Unified Access Gateway is a virtual appliance that enables secure remote accessfrom an external network to a variety of internal resources, including Horizon-managedresources.Unified Access Gateway supports multiple use cases, but for the purposes of this guide, wewill focus on providing secure external access to desktops managed by Horizon 7 on-premises.When providing access to internal resources, Unified Access Gateway can be deployed withinthe corporate DMZ or internal network, and acts as a proxy host for connections to yourcompany’s resources. Unified Access Gateway directs authenticated requests to theappropriate resource and discards any unauthenticated requests. It also can perform theauthentication itself, leveraging an additional layer of authentication when enabled.

SizingThis section gives guidance on the recommended sizing and load for each of the required components. For the most currentnumbers, limits, and recommendations, see the VMware Knowledge Base article VMware Horizon 7 Sizing Limits andRecommendations (2150348).

Connection ServerA single Connection Server supports a maximum of 4,000 sessions, although 2,000 is recommended as a best practice. To ensurethat the environment includes redundancy and is able to handle failure, deploy one more server than is required for the number ofconnections (n+1).

One key concept in a Horizon 7 environment design is the use of pods and blocks, which gives us a repeatable and scalableapproach. When we are brokering connections only to physical desktops, we need focus only on the pod construct and can ignorethe block construct. A pod is made up of a group of interconnected Connection Servers that broker connections to desktops orpublished applications. A pod can broker up to 20,000 sessions (12,000 recommended), including desktop and RDSH sessions.

Up to seven Connection Servers are supported per pod with a recommendation of 12,000 desktop sessions in total per pod.Multiple pods can be interconnected using Cloud Pod Architecture (CPA).

For complete design guidance, see the Component Design: Horizon 7 Architecture section in VMware Workspace ONE and VMwareHorizon Reference Architecture guide.

USING HORIZON 7 TO ACCESS PHYSICAL WINDOWS MACHINES

HORIZON | 8

Unified Access GatewayUnified Access Gateway gives three sizing options during deployment: standard, large, and extra-large. When deploying to providesecure edge services for Horizon, the standard size should be used.

A standard-sized Unified Access Gateway supports 2,000 Horizon sessions.

For complete design guidance, see the Component Design: Unified Access Gateway Architecture section in VMware WorkspaceONE and VMware Horizon Reference Architecture guide

Desktop PoolsDesktop pools are required to allow management, entitlement, and user assignment to the desktop objects within Horizon. Thereare two main types of virtual desktop pools: automated and manual. Manual desktop pools are a collection of existing VMwarevCenter Server® virtual machines, physical computers, or third-party virtual machines.

An individual pool should contain no more than 2,000 desktops.

For the use case of managing physical desktops, manual pools are used. Manual assignment is made to the individual desktops toensure that each employee gets connected to their own familiar physical machine.

Load Balancing It is strongly recommended that end users connect to Unified Access Gateway using a load-balanced virtual IP (VIP). This ensuresthat user load is evenly distributed across all available Unified Access Gateway appliances. Using a load balancer also facilitatesgreater flexibility by enabling IT administrators to perform maintenance, upgrades, and configuration changes while minimizingimpact to users. An existing load balancer can be used, or a new one such as VMware Avi Vantage can be deployed. See ConfigureAvi Vantage for VMware Horizon for more details.

When load balancing Horizon traffic to multiple Unified Access Gateway appliances, the initial XML-API connection (authentication,authorization, and session management) needs to be load balanced. The secondary Horizon protocols must be routed to the sameUnified Access Gateway appliance to which the primary Horizon XML-API protocol was routed. This allows the Unified AccessGateway to authorize the secondary protocols based on the authenticated user session.

If the secondary protocol session is misrouted to a different Unified Access Gateway appliance from the primary protocol one, thesession will not be authorized. The connection would therefore be dropped in the DMZ, and the protocol connection would fail.Misrouting secondary protocol sessions is a common problem if the load balancer is not configured correctly.

The load balancer affinity must ensure that XML-API connections made for the whole duration of a session (with a defaultmaximum of 10 hours) continue to be routed to the same Unified Access Gateway appliance.

With the use case of providing secure, external access to resources, there is no need to provide a single namespace to the HorizonConnection Servers because only external users will be connecting. This means that there is no need to provide a load balancerVIP in front of the Connection Servers.

USING HORIZON 7 TO ACCESS PHYSICAL WINDOWS MACHINES

HORIZON | 9

Figure 4: Load Balancer Required for Unified Access Gateway Appliances but Not for Connection Servers

Although the secondary protocol session must be routed to the same Unified Access Gateway appliance as was used for theprimary XML-API connection, there is a choice of whether the secondary protocol session is routed through the load balancer ornot. This normally depends on the capabilities of the load balancer.

For example, with an F5 BIG-IP Local Traffic Manager (LTM), primary and secondary protocol traffic goes to the F5 LTM, and thatensures the correct routing of secondary protocol sessions by using source IP affinity. This has the advantage that there needs tobe only a single public IP address. Where the load balancer does not have this capability, another option is to dedicate additional IPaddresses for each Unified Access Gateway appliance so that the secondary protocol session can bypass the load balancer.

For more detail on load balancing of Unified Access Gateway appliances, see:

Unified Access Gateway Load Balancing TopologiesLoad Balancing across VMware Unified Access Gateway Appliances

High AvailabilityAs an alternative to using an external load balancer, Unified Access Gateway provides, out-of-the-box, a high-availability solutionfor the Unified Access Gateway edge services. The solution supports up to 10,000 concurrent connections in a high-availability(HA) cluster and simplifies HA deployment and configuration of the services.

For more information on the Unified Access Gateway High Availability component and configuration of edge services in HA, see thefollowing resources:

Configure High Availability SettingsUnified Access Gateway Configured with HorizonHigh Availability section in the Workspace ONE and Horizon Reference Architecture.

ScalingDesigning to the recommended sizing of 2,000 sessions per Unified Access Gateway appliance and 2,000 sessions per ConnectionServer, a minimal deployment would have one of each server type.

USING HORIZON 7 TO ACCESS PHYSICAL WINDOWS MACHINES

HORIZON | 10

Figure 5: Minimal Design with Only One Unified Access Gateway Appliance and One Connection Server

But as mentioned earlier, we should design for availability and deploy at least one additional Unified Access Gateway and oneadditional Connection Server. As an additional Unified Access Gateway is added:

It is added to the load balancer VIP.It uses the new Connection Server, deployed at the same time, as a Connection Server URL target.

USING HORIZON 7 TO ACCESS PHYSICAL WINDOWS MACHINES

HORIZON | 11

Figure 6: Design for High Availability Using Two Unified Access Gateway Appliances and Two Connection Servers

As we scale up the environment to cater to an increasing number of connections, we can add up to seven Connection Servers inthe pod.

USING HORIZON 7 TO ACCESS PHYSICAL WINDOWS MACHINES

HORIZON | 12

Figure 7: Design for Maximum Pod Scale Using Seven Unified Access Gateway Appliances and Seven Connection Servers

To scale higher than a single pod, multiple pods can be deployed and can be interconnected using Cloud Pod Architecture (CPA).Pods can be deployed on the same site or on different sites. Using Cloud Pod Architecture gives the option of global entitlements. Auser can be connected to any Connection Server from any Horizon Pod that is part of the same Cloud Pod Architecture and will bedirected and connected to the correct desktop, even if this is managed by another Pod.

USING HORIZON 7 TO ACCESS PHYSICAL WINDOWS MACHINES

HORIZON | 13

Figure 8: Multiple Horizon Pods Federated with Cloud Pod Architecture

For the full documentation on how to set up and configure CPA, refer to Administering Cloud Pod Architecture in Horizon 7.

AuthenticationUnified Access Gateway supports multiple authentication options; for example, pass-through, RSA SecurID, RADIUS, SAML, andcertificates, including smart cards. Pass-through authentication forwards the request to the internal server or resource. Otherauthentication types enable authentication at the Unified Access Gateway, before passing authenticated traffic through to theinternal resource.

These options are depicted in the following diagrams.

USING HORIZON 7 TO ACCESS PHYSICAL WINDOWS MACHINES

HORIZON | 14

Figure 9: Unified Access Gateway Pass-Through Authentication

Figure 10: Unified Access Gateway Two-Factor Authentication

You can also use SAML to authenticate Horizon users against a third-party identity provider (IdP), leveraging Unified AccessGateway as the service provider (SP). This new capability requires Horizon Connection Server 7.11 or later, and user authenticationmust go through Unified Access Gateway.

The authentication sequence can be configured as SAML and Passthrough or as just SAML:

When Auth Methods is set to SAML and Passthrough, the SAML assertion is validated by Unified Access Gateway, andConnection Server authenticates the user against Active Directory when launching remote desktops and applications.When Auth Methods is set to SAML, the SAML assertion is validated by Unified Access Gateway and passed to the backend.Users single sign-on, leveraging the Horizon True SSO feature, to the remote desktops and applications.

In both authentication methods, the user will be redirected to the IdP for SAML authentication. Both SP- and IdP-initiated flows aresupported.

USING HORIZON 7 TO ACCESS PHYSICAL WINDOWS MACHINES

HORIZON | 15

Figure 11: Unified Access Gateway SAML Authentication

For general information and configuration of SAML and Unified Access Gateway support for Horizon, see Configuring Horizon forUnified Access Gateway and Third-Party Identity Provider Integration.

For detailed information and step-by-step guidance on how to integrate Okta and Unified Access Gateway for Horizonauthentication, see the VMware Tech Zone Operational Tutorial Enabling SAML 2.0 Authentication for Horizon with Unified AccessGateway and Okta.

For guidance on how to set up authentication in the DMZ, see Configuring Authentication in DMZ.

Display ProtocolsHorizon 7 is a multi-protocol solution, with three remoting protocols available when creating desktop pools or RDSH-publishedapplications: Blast Extreme, PCoIP, and RDP. When connecting to physical machines, Blast Extreme or RDP can be used.

Blast ExtremeWhere possible, it is recommended to use Blast Extreme because it provides a much richer user experience. Use the Horizon Agentversion 7.12 or later with the Horizon Client version 5.4 or later, as these introduce many optimizations and better performance forBlast. For more information on the key features, see VMware Blast Extreme.

See the VMware Blast Extreme Optimization guide for more information, including optimization tips and how to configure BlastExtreme for certain network conditions.

RDPSome versions of Windows will not support the use of Blast as a display protocol. For these, use RDP.

Non-Enterprise Editions of Windows 10

The only supported edition of Windows 10 is Enterprise, although other editions may work with a few caveats.Where possible, change the license type used for Windows 10 to Enterprise edition to allow the use of Blast.On non-Enterprise editions of Windows 10, the RDP protocol should be used, so that the display is not mirrored on thephysical monitor.

Windows 7

Physical machines running Windows 7 will work with some caveats.These can only use RDP as the display protocol.The Horizon Client will need to be installed on the employee’s home device because HTML Access is not available for RDPconnections.Configure desktop pools that contain Windows 7 to use the RDP protocol.

Versions of Horizon 7 prior to version 7.7 will not support the use of Blast, but can broker to physical machines using the RDPdisplay protocol. Ideally, upgrade the Connection Servers to version 7.12 or later and use Horizon Agent version 7.12 or later and

USING HORIZON 7 TO ACCESS PHYSICAL WINDOWS MACHINES

HORIZON | 16

Horizon Client version 5.4 or later to allow the use of the Blast display protocol. While not supported for an extended period, it maybe possible to use the newer versions of the Agent and Client while remaining on the existing version of Connection Servers.

Network PortsTo ensure correct communication between the components, it is important to understand the network port requirements forconnectivity in a Horizon 7 deployment. The following diagram shows the ports required to allow a Blast Extreme connection.

Figure 12: Blast Extreme Network Ports

The network ports shown are destination ports. The tables that follow show more detail and indicate the source, destination, andthe direction of traffic initiation. Horizon UDP protocols are bidirectional. Stateful firewalls should be configured to accept UDP replydatagrams.

The following diagram shows the ports required to allow an RDP connection.

Figure 13: RDP Network Ports

The Network Ports in VMware Horizon 7 guide has more detail, along with diagrams illustrating the traffic. It even has specificsections and diagrams on internal, external, and tunnelled connections. To see more detail on the network ports required see theexternal connection table and the External Connection diagram.

Connection ServerThe following table lists network ports for external connections from a client device to Horizon 7 components.

Table 3: Network Ports for External Connections to Horizon Components

USING HORIZON 7 TO ACCESS PHYSICAL WINDOWS MACHINES

HORIZON | 17

Source Destination NetworkProtocol

DestinationPort Details

HorizonClient

Unified AccessGateway

TCP 443Login traffic.Can also carry tunneled RDP, client-drive redirection, and USBredirection traffic.

UDP 443

Optional for login traffic. BlastExtreme tries a UDP loginconnection if the client experiencesdifficulty making a TCP connectionto the Unified Access Gatewayappliance.

TCP 8443Blast Extreme via Blast SecureGateway on Unified Access Gatewayfor data traffic (performant channel).

UDP 8443Blast Extreme via Blast SecureGateway on Unified Access Gatewayfor data traffic (adaptive transport).

TCP 443

Blast Extreme via Blast SecureGateway on Unified Access Gatewayfor data traffic where port sharing isused. This would be instead of TCP8443.

Browserfor HTMLAccess

Unified AccessGateway TCP 8443

Or 443

Horizon 7 HTML Access (web-basedclient).8443 is the default but can bechanged to 443 on Unified AccessGateway.

Notes:

The Blast Secure Gateway on Unified Access Gateway can dynamically adjusts to network conditions such as varying speeds andpacket loss. In Unified Access Gateway, you can configure the ports used by the BEAT protocol.

By default, Blast Extreme uses the standard ports TCP 8443 and UDP 8443.However, port 443 can also be configured for Blast TCP.Port configuration is set through the Unified Access Gateway Blast External URL property. See Blast TCP and UDP ExternalURL Configuration Options.

Unified Access GatewayThe following table lists network ports for connections from a Unified Access Gateway to the Connection Server and the HorizonAgent.

Table 4: Network Ports for Connections Among Horizon Components

USING HORIZON 7 TO ACCESS PHYSICAL WINDOWS MACHINES

HORIZON | 18

Source Destination NetworkProtocol

DestinationPort Details

UnifiedAccessGateway

HorizonConnectionServer

TCP 443 Login.

Horizon Agent

TCP 22443 Blast Extreme.

UDP 22443 Blast Extreme.

TCP 3389 RDP.

TCP 9427

Optional for client-driveredirection (CDR) and multi-media redirection (MMR).By default, when using BlastExtreme, CDR traffic is side-channelled in the Blast Extremeports indicated previously. Ifdesired, this traffic can beseparated onto the portindicated here.

TCP 32111

Optional for USB redirection.USB traffic can also be side-channelled in the Blast Extremeports indicated previously. Seenote below.

Note: With the VMware Blast display protocol, you can configure features, such as USB redirection, and client drive redirection, tosend side channel traffic over a Blast Extreme ports. See:

Enabling the USB Over Session Enhancement SDK Feature.Managing Access to Client Drive Redirection.

Horizon AgentThe following table lists network ports for connections from a physical, virtual desktop, or RDSH server to other Horizon 7components.

Table 5: Network Port Connections Between Horizon Agent and Connection Server

Source Destination NetworkProtocol Destination Port Details

HorizonAgent

HorizonConnection Server

TCP 4002 Java Message Service (JMS) whenusing enhanced security (default).

TCP 4001 JMS (legacy).

TCP 389Required when doing anunmanaged agent registration; as isthe case for physical machines.

USING HORIZON 7 TO ACCESS PHYSICAL WINDOWS MACHINES

HORIZON | 19

Single DMZFor on-premises deployment of Horizon within a data center of an organization, it is common to install Unified Access Gatewayappliances in a single DMZ, which provides a network isolation layer between the internet and the customer data center.

Figure 14: Single DMZ Deployment

Unified Access Gateway has built-in security mechanisms for all the Horizon protocols to ensure that the only network trafficentering the data center is traffic on behalf of an authenticated user. Any unauthenticated traffic is discarded in the DMZ.

Double DMZSome organizations have two DMZs (often called a double DMZ or a double-hop DMZ) that are sometimes used to provide an extralayer of security protection between the Internet and the internal network. In a double DMZ, traffic has to be passed through aspecific reverse proxy in each DMZ layer. Traffic cannot simply bypass a DMZ layer.

Note that in a Horizon deployment, a double DMZ is not required, but for environments where a double DMZ is mandated, an extraUnified Access Gateway appliance acting as a Web Reverse Proxy can be deployed in the outer DMZ.

Figure 15: Double DMZ Deployment

It is also possible to configure a double DMZ configuration for Horizon with minimal port requirements. This will not be asperformant as a deployment with full Horizon protocol and port support as depicted above.

USING HORIZON 7 TO ACCESS PHYSICAL WINDOWS MACHINES

HORIZON | 20

Figure 16: Double DMZ Deployment with Minimal Network Ports

For more information, see Unified Access Gateway Double DMZ Deployment for Horizon.

ImplementationThis section provides an overview of the Horizon 7 deployment process, points to specific documents for detailed instructions, andlists certain settings that were used in this guide. This assumes that you do not already have a Horizon 7 environment in place. Ifan existing Horizon 7 environment exists, you might be able to use that instead of setting up a separate environment.

At a high-level, the steps involved are:

Install and configure Horizon Connection Servers.1.Install and configure Unified Access Gateways.2.Install the Horizon Agent on the physical machines.3.Configure the desktop pool – Add physical machines, entitle and assign the users.4.

ConsiderationsBefore deploying and configuring the solution consider the following and adjust the configuration of the solution accordingly.

Machine SettingsEvaluate the power policies for the physical machines and make changes to minimize the possibility of physical machines beingshut down.

All power saving options on physical machines should be disabled. This can be done by the use of a group policy (GPO).If a physical machine crashes or is shuts down, no remote access will be possible to it until it is restarted.Group Policies can be used to disable the shutdown option for users to minimize the risk of this.The use of Wake-On-LAN could also be considered to ensure that machines are powered on.

User AssignmentUnderstand how users normally use their desktops, what type of desktop pool is best suited and how users should be assignedaccess.

One user per physical PC

In this use case, each physical machine has a single primary user.Manual desktop pools will be used.Dedicated user assignment will be used.Users will be assigned to their specific physical desktop within the pool.

Pooled physical PCs

This is typical in a hot desk or shared environment where users can use any one of a pool of physical PCs.In environments like these, good profile management and application deployment systems are usually already in place.Manual desktop pools will be used.Floating user assignment will be used. This ensures that a user is not assigned permanent ownership of any particular

USING HORIZON 7 TO ACCESS PHYSICAL WINDOWS MACHINES

HORIZON | 21

physical machine, which would exclude other users from using it even when it was available.

It has been reported that in some environments, physical desktop pools with floating assignment has resulted in two users beingallocated the same machine which results in the first user getting disconnected. If this behavior is observed, apply the followingworkaround. On the physical PCs, set the following registry value:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\TerminalServer\WinStations\RDP-Tcp

Name: MaxInstanceCount

Value: 1

RDP and Network Level AuthenticationIf using RDP protocol, ensure that Network Level Authentication (NLA) is disabled in Windows. See the VMware Knowledge Basearticles Remote Desktop connection with NLA is not supported in Horizon View (67832) and Connecting to View desktops usingRDP protocol fails with the error code 2825 (1034158) for details.

Mac ClientThe Horizon Client for Mac does not support the use of the RDP display protocol. If Mac devices are used as clients, check that thecombination of the version of Windows on the physical PC and version of Horizon 7 support the use of Blast. Configure the desktoppool to use the Blast protocol and have users install the Horizon Client for Mac on their device.

For a full list of supported features on Mac Clients, see Feature Support Matrix for Mac Client.

RequirementsThis solution considers the customers’ existing Active Directory, DHCP, File Server, user profile management and any otherassociated infrastructure is already in-place to server the physical PCs.

Horizon 7 requires a Microsoft Active Directory infrastructure for user authentication and management. Supported Active DirectoryDomain Services (AD DS) domain functional levels are:

Windows Server 2016Windows Server 2012 R2Windows Server 2012Windows Server 2008 R2Windows Server 2008

The WAN connection is a critical dependency on the usability of this solution. Adding thousands of instances of remote desktopprotocols to a WAN link will require a large amount of bandwidth.

Connection ServersThe Horizon Connection Server software must be installed on Microsoft Windows Servers. These should be dedicated servers withno other enterprise software installed. Windows Server 2019, 2016, or 2012 R2 is supported.

It is recommended that these Windows Servers be allocated at least 4 vCPU and at least 10 GB of RAM. As with any otherinfrastructure components, these servers should be monitored to ensure they have sufficient resources. See Horizon ConnectionServer Requirements for more details.

InstallationThis guide is not intended to replace the Horizon 7 documentation. Follow the relevant sections of the Horizon 7 Installationdocumentation to install the following components in the following order:

Install the first standard Connection Server – See Install Horizon Connection Server with a New Configuration.1.Install a second Connection Server – See Install a Replicated Instance of Horizon Connection Server.2.

USING HORIZON 7 TO ACCESS PHYSICAL WINDOWS MACHINES

HORIZON | 22

Repeat step 2 for all other required Connection Servers.3.

Post-Installation ConfigurationConnect to the first Connection Server and perform the following tasks in the following order:

Apply a license key – See Install the Product License Key.1.Configure event reporting – See Configuring Event Reporting.2.Assign administrators and roles – See Configuring Role-Based Delegated Administration.3.

When you first install a Connection Server, it uses self-signed certificates. VMware does not recommend that you use these inproduction. At a high level, the steps for replacing the certificates on the Connection Servers are:

Create a certificate signing request (CSR) configuration file. This file is used to generate the CSR to request a certificate.1.Once you receive the signed certificate, import it.2.Configure Horizon 7 to use the signed certificate.3.

For the full process, see Configuring TLS Certificates for Horizon 7 Servers.

Unified Access GatewaysA Unified Access Gateway is a hardened Linux appliance that is available as a downloadable OVF (Open Virtualization Format) file.When deploying to provide secure edge services for Horizon, the standard size should be used. This allocates 2 vCPU and 4 GB ofRAM to the appliance.

A Unified Access Gateway can be deployed with one, two, or three network interface controllers (NICs). The choice is determinedby your network requirements and discussions with your security teams to ensure compliance with company policy.

Network RoutingDuring Unified Access Gateway deployment it is common to specify a default gateway. In complex environments involving multipleNICs and routing through more than one gateway, Unified Access Gateway also supports the ability to specify static IP routes.These are routes that don't use the default gateway.

Ensure that the network configuration allows for the proper routing of traffic from the Unified Access Gateway appliances to theConnection Servers and the Horizon Agents, as shown in Network Ports. Where necessary, add static routes to Unified AccessGateway.

See DMZ Design for VMware Unified Access Gateway and the use of Multiple NICs.

CertificatesTLS/SSL certificates are used to secure communications for the user between the Horizon Client and the Unified Access Gatewayand between the Unified Access Gateway and internal resources.

Although Unified Access Gateway can generate default self-signed certificates during deployment, for production use, you shouldreplace the default certificates with certificates that have been signed by a trusted certificate authority (CA-signed certificates). You can replace certificates either during deployment or as part of the initial configuration. The same certificate or separatecertificates can be used for the user and the administrative interfaces, as desired.

The following types of certificates are supported:

Single-server-name certificates, which means using a unique server certificate for each Unified Access Gateway applianceSubject alternate name (SAN) certificatesWildcard certificates

Certificate files can be provided in either PFX or PEM format.

For guidance on how to configure and update Unified Access Gateway to use TLS/SSL for the Admin UI, Horizon and Web ReverseProxy edge services, see Configuring Unified Access Gateway Using TLS/SSL Certificates and Update SSL Server SignedCertificates.

InstallationThere are two supported methods of deploying Unified Access Gateway.

Use a PowerShell script with a settings file.

USING HORIZON 7 TO ACCESS PHYSICAL WINDOWS MACHINES

HORIZON | 23

Deploy an OVF template using the vSphere Client.

The recommendation is to use the PowerShell script method. This has several advantages, including the ability to fully configurethe appliance at deployment time with all services configured and certificates applied.

More information on using the PowerShell method is available on the Using PowerShell to Deploy VMware Unified Access Gatewaycommunity page. The PowerShell script and sample INI files can be downloaded from the Unified Access Gateway productdownload page. For step-by-step instructions on how to deploy Unified Access Gateway, see the following articles on Tech Zone:

Deploying Unified Access Gateway with Two NICs Through PowerShellDeploying Unified Access Gateway with One NIC Through vSphere

Specific guides have been released covering the deployment of Unified Access Gateway with the Horizon edge service:

A step-by-step guide on Configuring the Horizon Edge Service in VMware Unified Access Gateway: VMware HorizonOperational Tutorial and shows how to use the Powershell deployment method to install Unified Access Gateway with theHorizon edge service.A new feature walk-through video covering the Unified Access Gateway Deployment Utility and Horizon configuration (EdgeService and Connection Server), including tips for a successful deployment.

Post-Installation ConfigurationIf you are using a load balancer, the Unified Access Gateways should be added to the server pool for the virtual IP (VIP).

To give administrative visibility into the status of the Unified Access Gateways in the Horizon Console dashboard, be sure toregister the appliances. See Monitoring Unified Access Gateway in Horizon Console.

Horizon Agent InstallationYou must install Horizon Agent on the physical machines to register them with the Connection Servers, so that you can then addthem of a manual desktop pool. For instructions, see Install Horizon Agent on an Unmanaged Machine, which is part of the chapterPreparing Unmanaged Machines, in the Setting Up Virtual Desktops in Horizon 7 guide.

Command LineTo install Horizon Agent on multiple machines without having to respond to wizard prompts, you can install Horizon Agent silentlyusing a command-line command. See Install Horizon Agent Silently.

The following example installs Horizon Agent on an unmanaged computer and registers the desktop with the specified ConnectionServer, cs1.domain.com. Note that while you register with a specific Connection Server, this registers it with all Connection Serversin the pod.

VMware-Horizon-Agent-x86_64-y.y.y-xxxxxx.exe /s /v"/qn VDM_VC_MANAGED_AGENT=0VDM_SERVER_NAME=cs1.domain.com VDM_SERVER_USERNAME=domain\usernameVDM_SERVER_PASSWORD=password REBOOT=Reallysuppress"

The following example installs Horizon Agent on an unmanaged computer and registers the desktop with the specified ConnectionServer, cs1.domain.com. In addition, the installer installs the default features (Core, VMware Blast, PCoIP, Virtual video driver,Unity Touch, PSG), and optional features USB redirection, Real-Time Audio-Video, Client Drive Redirection, VMware VirtualizationPack for Skype for Business, Horizon Performance Tracker, Horizon Help Desk Tool, and VMware Integrated Printing.

VMware-Horizon-Agent-x86_64-y.y.y-xxxxxx.exe /s /v"/qn VDM_VC_MANAGED_AGENT=0VDM_SERVER_NAME=cs1.domain.com VDM_SERVER_USERNAME=domain\usernameVDM_SERVER_PASSWORD=passwordADDLOCAL=Core,USB,RTAV,ClientDriveRedirection,VMWMediaProviderProxy,PerfTracker,HelpDesk,PrintRedir REBOOT=Reallysuppress"

For more command-line options, see Microsoft Windows Installer Command-Line Options and Silent Installation Properties forHorizon Agent.

USING HORIZON 7 TO ACCESS PHYSICAL WINDOWS MACHINES

HORIZON | 24

Automation ScriptTo automate silent installation and more, a PowerShell script has been developed that remotely and silently deploys the Horizonagent. This can be downloaded at https://github.com/andyjmorgan/HorizonRemotePCHelperScripts

As well as remotely deploying the Horizon Agent, this will script will:

Set the power policy to maximum performance.Determine the primary user of the machine based on which user has logged in most frequently.Determine the operating system, version, and edition.Return all of these details (along with the exit code and version of the installed agent).

This script will also create a CSV mapping file that lists the machine name and the user name. This CSV mapping file can be usedin the automation of the next step of configuring the Desktop Pool.

Important: This PowerShell script is supplied as-is and is not supported by VMware Global Support Services (GSS). All tasks that itassists with can also be achieved manually without the use of the script.

It is advisable to configure a group policy (GPO) to ensure that the power management settings are not overridden. See ManagingPower with Group Policy.

Prevent RDP Direct AccessRemote Desktop Services must be enabled on the physical PCs and is configured by default when installing the Horizon Agent.Remote Desktop Services are required for the Horizon Agent installation, single-sign-on, and other Horizon session-managementoperations.

In some environments, it may be desirable to prohibit direct access to the physical PCs through the RDP display protocol. Todisable RDP access, create and apply a group policy setting to the physical PCs to disable AllowDirectRDP.

Figure 17: Group Policy to Disable Direct RDP Connections

For instructions on creating the group policy with this setting, see VMware View Agent Configuration ADMX Template Settings.Additionally, see Prevent Access to Horizon 7 Desktops Through RDP.

This applies the following registry setting to the Physical PCs.

HKEY_LOCAL_MACHINE\Software\Policies\VMware, Inc.\VMware VDM\Agent\Configuration

Type = String

USING HORIZON 7 TO ACCESS PHYSICAL WINDOWS MACHINES

HORIZON | 25

Name: AllowDirectRDP

Value: false

When using the RDP protocol for Horizon connections do not disable the AllowDirectRDP setting. If this setting is disabled, RDPconnections will be blocked and connections will fail with an Access is denied error.

To provide a better user experience and avoid users choosing the RDP protocol, configure the Remote Display Protocol settingsin the Desktop Pool as follows:

Default Display Protocol set to VMware Blast.Allow Users to Choose Protocol set to No.

Desktop PoolA manual desktop pool needs to be created to contain the registered physical machines that have had the Horizon Agent installed.

When defining the desktop pool, use the following settings:

Table 6: Desktop Pool Settings

One User per Physical PC Pooled Physical PCs

Type Manual desktop pool

Machine Source Other Sources

User Assignment DedicatedDisable automatic assignment Floating

Once the pool is created, three steps are required to add and make a physical machine ready for the user to connect to.

Add – The physical machine is added to desktop pool.1.Entitle – The user is entitled to use the desktop pool, either through a user or a group entitlement. This step is not required2.if using Global Entitlements as part of a Cloud Pod Architecture. See below.Assign – If the use case is One User per Physical PC and the desktop pool is using dedicated assignments, the user should3.be assigned to the correct desktop. This step is not necessary for pooled physical PCs.

See Creating Manual Desktop Pools for more detail.

Automation ToolA tool has been written to automate this task. This can be downloaded athttps://github.com/chrisdhalstead/horizon-physical-machines. Instructions on how to use the tool are included at that location.

The tool uses a CSV mapping file to add a list of machines to a pool. The tool then entitles the user and then assigns the user totheir desktop. The CSV mapping file can be manually or automatically created by the PowerShell script described in the previousstep of Horizon Agent Installation.

The CSV mapping file has two columns of data: machine and user name. The following example shows the format:

Machine,Username

machine1,domain\user1

machine2,domain\user2

The tool will also assist in the creation of manual pools.

Important: This tool is supplied as-is and is not supported by VMware GSS. All tasks that it assists with can also be achievedmanually without the use of the tool.

USING HORIZON 7 TO ACCESS PHYSICAL WINDOWS MACHINES

HORIZON | 26

Global EntitlementsGlobal entitlements entitle users and groups to their desktops, when there are multiple Horizon Pods in a Cloud Pod Architecturefederation. Global entitlements provide the link between users and their desktops, regardless of where the desktops reside in thepod federation.

Prerequisites:

Initialize the Cloud Pod Architecture feature. See Initialize the Cloud Pod Architecture Feature in Horizon Console.1.Join any additional Horizon pods into the federation. See Join a Pod to the Pod Federation in Horizon Console.2.

When defining a global entitlement for physical desktops, use the following settings:

Table 7: Global Entitlement Settings

One User per Physical PC Pooled Physical PCs

Type Desktop Entitlement

User Assignment Dedicated Floating

Default Display Protocol VMware Blast or Microsoft RDP

Allow Users to Reset/Restart their Machines Do not select

HTML Access Select if web browser-based access is to be allowed

Display Assigned Machine Name Optional but provides better userexperience N/A

Once the global entitlement is created, the following steps are required to add the local desktop pools to it and to entitle the users.

Entitle Users and Groups – The user is entitled to use the global entitlement, either through a user or a group1.entitlement. This can also be done as part of the global entitlement creation.Add Local Pools – From each Horizon Pod, add the Local Pool to the Global Entitlement.2.

See Create and Configure a Global Entitlement in Horizon Console for more detail.

Horizon ClientIdeally, users should install the Horizon Client on their home computer or personal device.

The client can be downloaded in a variety of ways. Clients can be downloaded from VMware, athttps://www.vmware.com/go/viewclients. If the endpoint device is Android or iOS, the Horizon Client can also be found in theGoogle Play Store and the Apple App Store.

Perhaps the easiest method for a user is to use a web browser and go to the user portal for Horizon 7 after this has been installedand configured. The URL for the user portal uses the following format: https://<horizon.domain.com>/portal/.

The user portal detects the platform the endpoint device is running and presents the option to download the appropriate HorizonClient. For configuration instructions, see Configure the VMware Horizon Web Portal Page for End Users.

USING HORIZON 7 TO ACCESS PHYSICAL WINDOWS MACHINES

HORIZON | 27

Figure 18: Horizon 7 User Portal

If the physical machine being connected to is using Windows 10 and the Blast Extreme protocol, end users can use the browser-based HTML Access client, which does not require the installation of any software. This web-based client is not as feature rich asthe installed software client, as the features on each platform vary. See the pdf attachment in the VMware Knowledge Base articleHorizon Client 5.3 Feature Matrix with Horizon 7 (76919) for details.

To access Windows 7 physical PCs using the RDP protocol, you must install the Horizon Client.

Changelog2020-03-31

Reorganized and expanded the Blast Extreme protocol into a section on display protocols, covering both Blast and RDP.

Ports diagram for RDP connections

Added networking routing considerations to the Unified Access Gateway implementation section.

New section preventing RDP direct access

2020-03-25

Added section on single and double DMZ deployments

Added section on configuring global entitlements

Added list of contributors

2020-03-20

USING HORIZON 7 TO ACCESS PHYSICAL WINDOWS MACHINES

HORIZON | 28

Added more detail and examples on using the command-line to install the Horizon Agent.

Detail on using floating pools where there is a pool of hot desk or shared physical PCs.

Clearer detail on the versions of Windows and Horizon that can be used.

2020-03-19

A new section was added to more clearly show the versions of Horizon 7 that can be used along with the detail on whatfunctionality this delivers dependent on the version of Windows.

More detail on the use of Cloud Pod Architecture and global entitlements was added along with a diagram illustrating thearchitecture.

All documentation links have been changed to Horizon 7 version 7.12 and Unified Access Gateway version 3.9.

Author and ContributorsAuthorGraeme Gordon is a Senior Staff End-User-Computing Architect, End-User-Computing Technical Marketing, VMware.

ContributorsChris Halstead is a Staff End-User-Computing Architect, End-User-Computing Technical Marketing, VMware. He wrote thetool to automate the creation of a desktop pool, entitlement and assignment of the user.Andrew Morgan is a Staff Engineer, End-User-Computing CTO Office, VMware. He wrote PowerShell script to automate thedeployment of the Horizon Agent to physical PCs.

ReviewersJosh Spencer is a Staff End-User-Computing Architect, End-User-Computing Technical Marketing, VMware.Rick Terlep is a Senior Technical Marketing Architect, End User Computing Technical Marketing, VMware.

To comment on this paper, contact VMware End-User-Computing Technical Marketing ateuc_tech_content_feedback@vmware.com.

VMware, Inc. 3401 Hillview Avenue Palo Alto CA 94304 USA Tel 877-486-9273 Fax650-427-5001 www.vmware.com

Copyright © 2019 VMware, Inc. All rights reserved. This product is protected by U.S. and internationalcopyright and intellectual property laws. VMware products are covered by one or more patents listedat http://www.vmware.com/go/patents. VMware is a registered trademark or trademark of VMware, Inc.in the United States and/or other jurisdictions. All other marks and names mentioned herein may betrademarks of their respective companies.