VMware® Horizon Workspace™ Reference Architecture
WHITE PAPER

VMware Horizon Workspace 1.5 Reference Architecture


Table of Contents

Executive Summary
Reference Architecture Overview
Objectives
Test Results
System Configurations
Horizon Workspace vApp Configuration
VMware vSphere Configurations
Physical Infrastructure
Horizon View Configuration
Reference Architecture Design
Workload Considerations
Network Configuration
External Infrastructure Components
Horizon Workspace Configuration
IP Pools
NTP
Postgres External Database
Oracle External Database
vApp Deployment
vApp Guidance and Upper Limits
Provisioning Users and Groups
Web Applications
Mobile Applications
Horizon File-Sharing Policies
VMware ThinApp Configuration
Horizon View Configuration
Conclusion
About the Authors
Acknowledgments
References
Appendix A (Test Methodology)
The Horizon Workspace vApp


Executive Summary

VMware® Horizon Workspace™ provides you with a centralized Web management console with which you can both customize and manage entitlements to your organization’s catalog. Your catalog contains resources, such as your organization’s applications and VMware Horizon View™ desktops, as well as the Horizon Files service, which allows users to share files and folders with others.

Horizon Workspace detects user attributes and enforces policies across the applications, data, and desktops. A user’s workspace consists of their set of entitled resources. For each user, you can customize the delivery of Windows, Android, iOS, Web, and Software-as-a-Service (SaaS) applications to a single workspace, while providing users with self-service access to applications and data from anywhere.

In this Horizon Workspace Reference Architecture, we will provide you with all the data that is necessary to construct a well-organized and properly architected Horizon Workspace environment. This Reference Architecture will give you details on how to properly configure your Horizon Workspace environment, using testing data that was measured and observed in various scenarios. This data is used as a proof point for the results that you can expect if the same configurations and conditions are met in your environment.

This reference architecture will guide you through various settings that might be leveraged for specific environmental conditions, as well as provide the details as to when these may be necessary. There are sections of the document that will walk you through each of the interacting pieces of architecture as well. For example, Horizon Workspace can be configured to provide access to Horizon View desktops, and this paper contains guidance on the proper configuration of that integration.

This Reference Architecture is intended as a guide that can be used from the initial stages of the Horizon Workspace plan and design, all the way to production deployment and scale-out.


Reference Architecture Overview

VMware Horizon Workspace combines applications and data into a single, aggregated workspace, with flexible access to the data and applications employees need for productivity, regardless of where they are based. With fewer management points and easier access, Horizon Workspace reduces the complexity of IT administration.

Horizon Workspace is delivered as a virtual appliance that is easy to deploy onsite and to integrate with existing enterprise services. It helps organizations to centralize assets, devices, and applications and to manage users and data securely behind the firewall. Meanwhile, it enables users to share and collaborate with external partners and customers securely when policy allows.

This reference architecture specifies the sizing and connectivity requirements for a 10,000-user Horizon Workspace application-management and file-sharing solution. The design is illustrated in Figure 1 and Figure 5.

Objectives

This reference architecture describes a production environment for Horizon Workspace supporting more than 10,000 users. It takes into account end users with multiple devices, including PCs, Macs, and mobile devices such as smart phones and tablets.


Test Results

The following section provides a summary of the testing done on the Horizon Workspace vApp. For further details, please refer to Appendix A (Test Methodology).

As you review the results, keep in mind that the goal is to support 10,000 users with less than 70 percent vCPU utilization, less than 80 percent vRAM utilization, and less than 100TB of data.

The data-gathering portion of the test was done over a period of one month. We gathered performance metrics that include CPU, memory, and disk.

In Table 1, you will find the data aggregated by virtual appliance role. In each column, you will find the number for the data; MHZ for vCPU and GB for vRAM. We measured the peak and average utilization of each virtual appliance.

| VIRTUAL APPLIANCE | PEAK CPU UTILIZATION (%) | PEAK MEMORY UTILIZATION (GB) | AVERAGE CPU UTILIZATION (%) | AVERAGE MEMORY UTILIZATION (GB) | MEMORY GOAL ACHIEVED | CPU GOAL ACHIEVED |
|---|---|---|---|---|---|---|
| Configurator | 1.55 | 0.65 | 0.66 | 0.63 | Yes | Yes |
| Connector | 0.66 | 3.27 | 0.31 | 2.43 | Yes | Yes |
| Service | 66.2 | 6.29 | 36.35 | 6.23 | Yes | Yes |
| Data | 17.24 | 3.04 | 6.57 | 2.94 | Yes | Yes |
| Gateway | 15.13 | 4.79 | 4.83 | 4.49 | Yes | Yes |

Table 1: Test Results

Note that peak CPU utilization is very low in all the virtual appliances except for the Service virtual appliance. The average CPU utilization on all the virtual appliances is fairly low, keeping in mind that the hardware used is recent and helps lower the percentage of CPU used. See the System Configurations section for specifications on hardware used.


System Configurations

Horizon Workspace vApp Configuration

Horizon Workspace is delivered as a SUSE Linux-based vApp, an open virtual appliance (.OVA) file consisting of multiple virtual appliances (VA) deployed through VMware® vCenter™. This solution uses the Horizon Workspace virtual appliances described below, plus VMware Horizon View and VMware ThinApp®.

• VMware Horizon Workspace Configurator (configurator-va) – Provides an administrative console and a Web-based user interface to configure the network, Gateway, vCenter, and SMTP settings of all the appliances in the Horizon vApp. The Configurator appliance also allows an administrator to manage security certificates centrally and add and remove active modules in Horizon Workspace.

• VMware® Horizon Workspace Connector™ (connector-va) – Provides local user authentication as well as Active Directory binding and synchronization services. An administrator can define the directory replication schedule and synchronize Horizon View and ThinApp pools and repositories for provisioning to end users.

• VMware Horizon Workspace Manager (service-va) – Provides the Web-based Horizon Workspace administrative interface, allowing an administrator to configure the application catalog, manage user entitlements, and configure groups and reporting for all the systems in the Workspace vApp.

• VMware Horizon Workspace Files™ (data-va) – Provides the datastore for user files, controls file-sharing policy for internal and external users, provides file-preview functionality, and serves the end-user Web interface for Horizon Workspace.

• VMware Horizon Workspace Gateway (gateway-va) – Enables a single, user-facing domain for access to Horizon Workspace. As the central aggregation point for all user connections, the Gateway appliance routes requests to the appropriate destination and proxies requests on behalf of user connections.

• VMware ThinApp – The solution leverages the existing VMware application virtualization solution.

• VMware Horizon View 5.3 – The solution leverages the existing VMware virtual desktop solution.

[Figure 1 diagram. Labels shown: SaaS Applications (Box.net, Google Docs, Salesforce); Horizon Workspace (VMware Horizon Workspace – Admin Console, VMware Horizon Data); Core Infrastructure (Horizon Mirage, Horizon View, Microsoft Active Directory); Infrastructure (VMware Horizon Mirage, VMware Horizon View Security Server, VMware Horizon View Connection Server, VMware Horizon View Composer, VMware vCenter, VMware vCenter Operations); Enterprise Storage; ThinApp Repository; Physical Endpoints (Windows 7, Windows XP); VDI Desktop Pools.]

Figure 1: Overview Diagram

VMware vSphere Configurations

This reference architecture uses vCenter 5.1 and VMware vSphere® 5.1, which offer high availability, distributed resource scheduling, power management, and process and infrastructure monitoring of the Horizon Workspace 1.5 vApp. Three servers were configured to be part of one vSphere cluster.


Physical Infrastructure

The physical infrastructure used in this reference architecture has 3 servers with 16 cores, 256GB RAM, and NFS storage.

• 3x Servers – 16 cores each with hyperthreading enabled

• Intel Xeon E5-2630L 2.00GHz, 15MB cache, 7.2GT/s QPI

• Total of 768GB of vRAM

• VMFS volume for deploying Horizon Workspace vApp

• 10x 10TB NFS volumes for user data. All the virtual appliance data connects back to those volumes

Note that the total amount of memory available is much more than is required. Server memory was acquired for potential Horizon Workspace growth beyond 10,000 seats without the need to change hardware.

Horizon View Configuration

Refer to the standard VMware Horizon View Architecture Planning guide for the configuration of the Horizon View pod and block. Horizon Workspace leverages any Horizon View deployment that is running version 5.2 or above. A Horizon Workspace user connecting to the Web portal, when clicking on the Desktop tab, will obtain all the desktop pools they are currently entitled to use. Refer to the VMware Horizon View Large-Scale Reference Architecture for best practices and recommendations.

To configure additional options for Horizon View and Horizon Workspace integration, use the Connector Web interface. For more information, see the Installing and Configuring Horizon Workspace guide.


Reference Architecture Design

This reference architecture supports a 10,000-user Horizon Workspace deployment, including enterprise and Web applications, data, and Horizon View desktop integration, as illustrated in Figure 2.

[Figure 2 diagram. Labels shown: Mobile Users; Web Client; Internal Users/Clients; External VIP (Port: 443); Internal VIP (Port: 443); Gateway (gw1 to gw4); Service (svc1 and svc2); Connector (conn1 and conn6); Files (data1 to data 11; ports 80, 443, 7071, 7072); Preview-vip (Port 80; Preview 1 to 3); Configurator; ldap-vip (Port 8443); RSA; AD; Kerberos; LDAP; Postgres Database (postgres-db1 Active, postgres-d2 Standby; port 5432).]

Figure 2: Horizon Workspace Architecture Design


The deployment specifications are listed in Table 2.

| QUANTITY | DESCRIPTION | VCPU* | RAM* | HDD* |
|---|---|---|---|---|
| 1 | VMware Horizon Workspace Configurator (configurator-va) | 1 vCPU | 1GB | 5GB |
| 1+1 | VMware Horizon Workspace Manager (service-va) | 4 vCPU | 8GB | 36GB |
| 1+1 | VMware Horizon Workspace Connector (connector-va) – authentication, Active Directory sync, and Horizon View and ThinApp integration | 2 vCPU | 4GB | 12GB |
| 1+1 | VMware Horizon Workspace Connector (connector-va) – Kerberos | 2 vCPU | 4GB | 12GB |
| 5+1 | VMware Horizon Workspace Gateway (gateway-va) | 6 vCPU | 8GB | 9GB |
| 11 | VMware Horizon Workspace Files (data-va) – 1x Master node, 10x User Data nodes | 6 vCPU | 16GB | 300GB |
| 3 | Horizon Files Preview Servers (Windows 2008 R2) | 4 vCPU | 4GB | 50GB |
| 2 | vPostgres Database Server | 4 vCPU | 8GB | 52GB |

* Per virtual appliance
+1 for High Availability (HA) and Business Continuity/Disaster Recovery (BCDR)

Table 2: 10,000-User Horizon Workspace Deployment Specifications

The total required resources for this deployment are summarized below:

• 139 vCPU

• 285GB vRAM

• 3.73TB disk

Note: Storage for users is not included in these calculations; 10 user data nodes × 10TB NFS volumes are used in addition to the storage mentioned above.


Workload Considerations

Table 3 details the workload considerations for Horizon Workspace.

| QUANTITY | DESCRIPTION |
|---|---|
| User quota and utilization | 25GB per user with 5% utilization |
| File revisions | 2x each file |
| File sharing | 10 users and 10 endpoints per hour |
| Uploads and downloads | 20 uploads and 1 download per hour |
| Horizon View desktop | At least one desktop |
| VMware ThinApp | At least one ThinApp application |

Table 3: Workload Considerations


Network Configuration

Communication among the virtual appliances is based on hostnames, so forward and reverse DNS records for the vApp virtual machines and IP addresses are necessary. The initial deployment requires five IP addresses. Plan ahead for your enterprise deployment by understanding how many virtual appliances you expect to need.

By default, the Horizon Workspace vApp is accessible only to users inside the DMZ. To provide external access (from outside the firewall) to Horizon Workspace, install a reverse proxy or load balancer using SSL termination, as shown in Figure 3.

[Figure 3 diagram. Labels shown: External Users; DMZ Firewall; Internal Users; Horizon Workspace vApp (gateway-va, service-va, connector-va, configurator-va, data-va); port 443.

External Load Balancer – Hostname: Horizon Workspace FQDN; Example IP address: 64.x.y.z; Port: Horizon Workspace port; Must enable X-Forwarded-For headers.

Internal Load Balancer – Hostname: Horizon Workspace FQDN; Example IP address: 10.x.y.z; Port: Horizon Workspace port; Must enable X-Forwarded-For headers.

gateway-va – Hostname: gateway-va.company.com; IP address: 10.a.b.c; Port: 443]

Figure 3: Network Configuration with External Access

[Figure 4 diagram. Labels shown: Horizon Workspace FQDN = workspace.company.com; HTTPS (TCP 443); DMZ Firewall; Load Balancer / Reverse Proxy with SSL Termination (Client), SSL (from Load Balancer), Insert X-Forwarded-For, and Health Monitor HTTPS Header; gateway01.corp.local HTTPS (TCP 443); gateway02.corp.local HTTPS (TCP 443).]

Figure 4: Internal and External Access with SSL Termination


The default ports required for Horizon Workspace are listed in Table 4. For a graphic representation of the Horizon Workspace network default ports, see Figure 5.

| NETWORK PATH | PORTS | PROTOCOL |
|---|---|---|
| Horizon Client or vApp to gateway-va | 443 (HTTPS) | TCP |
| connector-va to Active Directory (user authentication) | 389 | TCP and UDP |
| connector-va to domain controller (Join Domain) | 135 | TCP and UDP |
| All virtual appliances to time server (NTP) | 123 | UDP |
| connector-va to ThinApp repository (SMB) | 445 | TCP |
| connector-va to domain controller and all Windows clients to connector-va (Kerberos authentication) | 88 | TCP and UDP |
| connector-va to global catalog server (user sync) | 3268 | TCP |
| connector-va to domain controller (Kerberos password change) | 464 | TCP and UDP |
| All virtual appliances to DNS server (DNS) | 53 | TCP and UDP |
| Load balancer to gateway-va and gateway-va to all other virtual appliances (HTTPS) | 443 | TCP |
| Connector administrator access (internal only) | 8443 | TCP |
| Files virtual appliances to internal SMTP server | 25 | TCP |
| gateway-va to data-va | 7071 and 7072 | TCP |
| connector-va to SecurID server (SecurID) | 5500 | UDP |
| service-va to each other, if more than 1 (auditing) | 9300–9400 | TCP |
| service-va to each other, if more than 1 (auditing) | 54328 | UDP |
| service-va to external database (production only) | 5432 | TCP and UDP |
| connector-va to domain controller | 749 | TCP and UDP |

Table 4: Horizon Workspace Network Default Ports
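
The port matrix in Table 4 can serve as an allowlist when reviewing firewall rules or flow logs for the vApp. The following is an added example, not part of the VMware white paper: the role labels (such as "client", "internal-admin", and "any-va"), the CSV flow format, and the sample flows are assumptions constructed for illustration, and the port 22 rule comes from the Figure 5 note rather than from Table 4.

```python
"""Check observed flows against the default port matrix in Table 4."""
import csv
import io
from typing import NamedTuple

# Role labels are this example's own naming; map your hosts/IPs onto them.
APPLIANCES = frozenset(
    {"configurator-va", "connector-va", "service-va", "data-va", "gateway-va"}
)
ANY_VA = "any-va"  # stands for "all virtual appliances" in Table 4
TCP, UDP, BOTH = ("tcp",), ("udp",), ("tcp", "udp")


class Rule(NamedTuple):
    src: str
    dst: str
    low: int
    high: int
    protos: tuple


def rule(src, dst, ports, protos):
    """ports is a single port or an inclusive (low, high) pair."""
    low, high = ports if isinstance(ports, tuple) else (ports, ports)
    return Rule(src, dst, low, high, protos)


RULES = [
    rule("client", "gateway-va", 443, TCP),
    rule(ANY_VA, "gateway-va", 443, TCP),
    rule("connector-va", "active-directory", 389, BOTH),
    rule("connector-va", "domain-controller", 135, BOTH),
    rule(ANY_VA, "ntp", 123, UDP),
    rule("connector-va", "thinapp-repo", 445, TCP),
    rule("connector-va", "domain-controller", 88, BOTH),
    rule("windows-client", "connector-va", 88, BOTH),
    rule("connector-va", "global-catalog", 3268, TCP),
    rule("connector-va", "domain-controller", 464, BOTH),
    rule(ANY_VA, "dns", 53, BOTH),
    rule("load-balancer", "gateway-va", 443, TCP),
    rule("gateway-va", ANY_VA, 443, TCP),
    rule("internal-admin", "connector-va", 8443, TCP),  # internal only
    rule("data-va", "smtp", 25, TCP),
    rule("gateway-va", "data-va", (7071, 7072), TCP),
    rule("connector-va", "securid", 5500, UDP),
    rule("service-va", "service-va", (9300, 9400), TCP),
    rule("service-va", "service-va", 54328, UDP),
    rule("service-va", "database", 5432, BOTH),
    rule("connector-va", "domain-controller", 749, BOTH),
    # From the Figure 5 note, not Table 4: Configurator SSH to the vApp VMs.
    rule("configurator-va", ANY_VA, 22, TCP),
]


def _matches(pattern, role):
    """A rule endpoint matches its exact role, or any appliance for ANY_VA."""
    return pattern == role or (pattern == ANY_VA and role in APPLIANCES)


def is_allowed(src, dst, port, proto):
    """True if some rule covers this source, destination, port and protocol."""
    proto = proto.strip().lower()
    return any(
        _matches(r.src, src) and _matches(r.dst, dst)
        and r.low <= port <= r.high and proto in r.protos
        for r in RULES
    )


def audit(flow_csv):
    """Return the flows (src, dst, port, proto) that the matrix does not cover."""
    violations = []
    for row in csv.DictReader(io.StringIO(flow_csv.strip())):
        port = int(row["port"])
        proto = row["proto"].strip().lower()
        if not is_allowed(row["src"], row["dst"], port, proto):
            violations.append((row["src"], row["dst"], port, proto))
    return violations


# Constructed sample flow records (not captured from a real deployment).
SAMPLE_FLOWS = """
src,dst,port,proto
client,gateway-va,443,tcp
load-balancer,gateway-va,443,tcp
gateway-va,service-va,443,tcp
gateway-va,data-va,7072,tcp
service-va,service-va,9350,tcp
service-va,database,5432,tcp
connector-va,securid,5500,udp
data-va,ntp,123,udp
configurator-va,connector-va,22,tcp
client,connector-va,8443,tcp
client,data-va,7071,tcp
connector-va,database,5432,tcp
connector-va,securid,5500,tcp
"""

if __name__ == "__main__":
    for v in audit(SAMPLE_FLOWS):
        print("not in port matrix: %s -> %s %d/%s" % v)
```

Because the ports in Table 4 are defaults and several are configurable, adjust RULES to match the deployed values before using the result as a baseline.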

[Figure 5 diagram. Components shown: Load Balancer; DMZ Firewall; gateway-va-1**; configurator-va-1**; service-va-1**; service-va-2**; connector-va-1**; data-va-1**; data-va-2**; vCenter; RSA SecurID; Horizon View Server; Active Directory; Database; Domain Controller; SMTP Server; ThinApp Repository (Windows CIFS Share); DNS Server. Port labels shown: 443; 445; 25*; 5500*; 5432*; 88, 464, 135 (TCP/UDP); 53 (TCP/UDP); 389*, 636*, 3268*, 3269*; 80, 443, 7071, 7072. Configurator uses SSH to connect to all virtual machines in the vApp on port 22.]

* Default values are shown. These ports are configurable.
** Every virtual appliance must have access to the DNS server on port 53.

Figure 5: Horizon Workspace Network and Port Number Details


External Infrastructure Components

The external infrastructure of this reference architecture consists of the following components:

• Active Directory – Horizon Workspace requires Active Directory to sync users and groups. This reference architecture uses Windows Server 2008 R2 Active Directory servers with 10,000 user accounts and 300 groups.

• DNS – All the virtual appliances refer to each other by their hostnames. Both forward and reverse records are required for all the virtual appliances in the Horizon Workspace vApp. Make sure that each machine can search for the Horizon Workspace FQDN.

• SMTP – The Horizon Workspace vApp requires access to an SMTP server. The SMTP server FQDN and port number are needed at installation time.

• NTP – All virtual appliances rely on time synchronization. Enable and configure time sync on the vSphere hosts to point to your enterprise NTP server. Failing to do so can cause time drift between the virtual appliances. Kerberos-enabled connectors sync time to the Primary Domain Controller (PDC) role.

• Load balancer and reverse proxy – This reference architecture uses a software-based load balancer and reverse proxy.

• External storage – Horizon Workspace vApp supports external NFS volumes for Horizon file sharing. This reference architecture uses twelve data nodes (one master node, ten user data nodes) with 1x 10TB NFS volume assigned per user data node, for a total of 100TB of external storage for user data.


Horizon Workspace Configuration

Horizon Workspace requires additional configuration of vSphere hosts and vCenter server(s), including Network Time Protocol (NTP) for vSphere hosts and IP pools that provide network configuration to the vApp. These additional configuration settings are described in the following sections.

IP Pools

To deploy the Horizon Workspace vApp correctly, you must define an IP pool in vCenter with the following configurations using the IP Pool Properties wizard:

• The subnet the vApp uses to communicate

• DNS servers

• DNS domain

You do not have to set up a DHCP scope in the IP pool. The vApp Deploy OVF Template wizard prompts you for the IP addresses.

portgroup/vlan: All virtual appliances must be deployed in the same portgroup and VLAN.

NTP

For time sync to work properly, the Horizon Workspace vApp requires NTP to be enabled on all vSphere hosts where the vApp is deployed.

Postgres External Database

A Postgres database is included in the virtual appliance to speed deployment in proof-of-concept and pilot implementations. For a production implementation, you must use an external Postgres database.

This reference architecture is based on PostgreSQL 9.1, which supports up to 30,000 users. Configuration details are listed in Table 5.

| RESOURCE | VALUE |
|---|---|
| vCPU | 2 minimum, 4 recommended |
| RAM | 8GB |
| Disk 1 – Root disk (OS) | 2GB |
| Disk 2 – Data disk | 32GB |
| Disk 3 – SWAP disk | 16GB |
| Disk 4 – Diagnostic disk | 2GB |

Table 5: VMware vFabric™ Postgres (30,000 Users) Resource Requirements


Oracle External Database

As an alternative to Postgres, your organization might want to utilize an Oracle database, which is fully supported by Horizon Workspace 1.5. VMware supports version 11g R2 or above for an external database. Configuration details are summarized in Table 6.

| RESOURCE | VALUE |
|---|---|
| vCPU | 2 minimum, 4 recommended |
| RAM | 8GB minimum, 16GB recommended |
| Disk 1 – Root disk (OS) | 40GB |
| Disk 2 – Data disk | 80GB |

Table 6: Oracle 11g R2 Resource Requirements (10,000 Users)

You should always refer to the manufacturer recommendations for properly sizing an Oracle database virtual server, http://www.oracle.com/us/products/database/overview/index.html.

You can refer to Oracle Database sizing guidelines for additional recommendations. http://docs.oracle.com/cd/E22693_01/doc.21/e22692/sizing.htm.

The guideline to follow would be similar to a small database, less than 80GB with little read and write IOPS. In the resource utilization outlined in Table 6, the database is installed on a Windows 2008 R2 enterprise server (OS disk).

vApp Deployment

To deploy the Horizon Workspace vApp, you must deploy the .OVA file from vCenter. For instructions, see Installing and Configuring Horizon Workspace.

Whenever the vCPU and RAM are customized, as they are for this enterprise deployment, you must manually configure the Java heap sizing. The Connector virtual appliance and Files virtual appliance also must be updated manually. For more details on adjusting Java heap size settings, see Installing and Configuring Horizon Workspace.

vApp Guidance and Upper Limits

Limits for each of the five Horizon Workspace components are described as follows:

• Horizon Workspace Configurator virtual appliance

– The configurator-va is the first virtual appliance to be deployed. It is used to configure the vApp from a single point and deploy and configure the rest of the vApp.

– The configurator-va is also used to add or remove other Horizon Workspace virtual appliances. There can only be one Configurator virtual appliance per vApp.

• Horizon Workspace Connector virtual appliance

– Enterprise deployments require more than one connector-va to support different authentication methods, such as RSA SecurID and Kerberos SSO.

– When enabling the Connector to use Kerberos authentication and deploying more than one connector-va, you must front-end the Connector virtual appliances with a load balancer to provide high availability.

– Each connector-va can support up to 30,000 users.

– Specific use cases, such as Kerberos, ThinApp integration, and Horizon View integration, require the connector-va to be joined to the Windows domain.

• Horizon Workspace Manager virtual appliance

– Enterprise deployments require two or more Manager virtual appliances.

– Each service-va can handle up to 100,000 users.

• Horizon Workspace Gateway virtual appliance

– The gateway-va is the single namespace for all Horizon Workspace interactions.

– For high availability, place multiple Gateway virtual appliances behind a load balancer.

– Horizon Workspace requires one gateway-va for every two data virtual appliances, or one gateway-va for every 2,000 users.

• Horizon Workspace Files virtual appliance

– Each data-va can support up to 1,000 users.

– At least two data virtual appliances (1 master, 1 user node) are required in an enterprise deployment with Horizon File Sharing enabled. The first data-va is a master data node; the others are user data nodes.

– Each user data node requires its own dedicated volume. In proof-of-concept or small-scale pilot scenarios, you can use a virtual machine disk (VMDK). We recommend using NFS in production due to the 2TB limitation on VMDK file size.

– LibreOffice Preview is included to enable viewing of Horizon Workspace documents.

Provisioning Users and Groups

This reference architecture synchronizes 10,000 users and 30 groups from Active Directory to Horizon Workspace. It uses 10 Horizon Workspace custom groups to ease management and entitlements for application, data, and desktop resources.

Web Applications

Enabling the Web Applications module allows you to add both Web and SaaS applications to your Horizon Workspace catalog, and to entitle users and groups. This enables self-service application management for users.

Horizon Workspace also provides a Horizon Application Catalog with preconfigured SaaS applications. Horizon Workspace supports Security Assertion Markup Language (SAML) 1.1 and 2.0 federation standards.

Note: To integrate Horizon Workspace with Horizon View, use SAML 2.0.

Mobile Applications

Two referred mobile applications have been added to the Horizon Catalog, one from the Apple App Store and one from Google Play. For more information, see the Horizon Workspace Administrator’s Guide.


Horizon File-Sharing Policies

To manage Horizon Files policy, configure a class of service (COS) as specified in Table 7. For more information, see the Horizon Workspace Administrator’s Guide.

| POLICY | DESCRIPTION | DEFAULT VALUE |
|---|---|---|
| COS Name | The name for the class of service. After you create a COS, you cannot edit the COS name. | Default |
| AccountQuota | The amount of disk space in megabytes that users are allowed on the server. | 0 |
| QuotaWarningMsg | The email message sent to users when the amount of disk space they are allowed on the server reaches the threshold percentage. | N/A |
| Threshold (%) | The threshold that triggers the quota warning email message. | 90% |
| Max File size (MB) | The maximum size of a file that users can upload to Horizon Workspace. | 2048MB |
| File Types Disallowed | Extensions for file types you want to block. | None |
| Trashed File Lifetime Value | The period of time a file can still be retrieved (undeleted) in the file's history after it has been deleted, before it is automatically purged. | 1 Month |
| Internal Expiration | The amount of time shared files and folders can be accessed by your enterprise's Horizon Workspace users. | 0 Days |
| External Folder Sharing Allowed | When this box is checked, Horizon Workspace users can invite external users to access folders. These external users are also referred to as virtual users. | Enabled |
| Public Files Sharing Allowed | When this box is checked, Horizon Workspace users can make files available on the Internet. | Enabled |
| External Expiration | The amount of time shared folders can be accessed by virtual users. | 0 Days |
| Public Expiration | The amount of time files are accessible on the Internet. | 0 Days |
| Domains Allowed or Not Allowed | This option enables you to restrict or allow virtual-user access to shared folders based on the virtual user's domain. | No Domain Policy |
| Allowed domains for external sharing | This option allows you to grant virtual users from specified domains access to shared folders. | Disabled |
| Restricted domains for external sharing | This option allows you to prevent virtual users from specified domains from accessing shared folders. | Disabled |
| Host Pool | This option is applicable when a Horizon Workspace deployment contains two or more data servers. Horizon Workspace uses the Host Pool setting to assign users to specific Data servers. | N/A |
| Pin/Passcode Required | When this box is checked, mobile-device users are prompted to set up a passcode to access Horizon Workspace from their mobile devices. | Disabled |
| Open/Edit with | When this box is checked, users can use third-party applications on their mobile devices to edit files. It is checked by default. | Enabled |

Table 7: Horizon Files Class of Service Default Policies

VMware ThinApp Configuration

Horizon Workspace can integrate with VMware ThinApp 4.7 or later to:

• Stream or download ThinApp applications to Windows domain workstations.

- ThinApp must be enabled for Horizon Workspace.

• Point to ThinApp share (Windows CIFS share).

- Only .exe format is supported (no MSI format).

Horizon View Configuration

To integrate Horizon Workspace with Horizon View 5.2 or above:

1. Install Horizon View 5.2 or above with Feature Pack 1 to provide HTML access to Horizon View desktops.

2. Make sure Horizon Workspace User Directory Sync has been configured to sync the UPN (User Principal Name) attributes.

3. Make sure forward and reverse DNS records exist for Horizon View servers.

4. Enable the Horizon View Module in Horizon Workspace.

5. Join the Connector used for Horizon View integration to the domain, or verify that it has already been added to the domain.

6. Configure SAML 2.0 authentication in Horizon View.

Note: SAML 1.1 does not support Horizon View and Horizon Workspace integration.
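As an added example (not part of the white paper), step 3 can be checked before enabling the View module with a short script that confirms each Horizon View server name resolves and that every address it resolves to has a PTR record pointing back to the same name, which is slightly stricter than the step's requirement that the records exist. The host names, addresses, and function names are constructed placeholders.

```python
import socket

def system_forward(name):
    """Addresses the system resolver returns for name (empty set if none)."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None)}
    except OSError:
        return set()

def system_reverse(ip):
    """PTR name the system resolver returns for ip, or None."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def check_dns(fqdn, forward=system_forward, reverse=system_reverse):
    """Return a list of problems; an empty list means both directions agree."""
    addresses = forward(fqdn)
    if not addresses:
        return [f"{fqdn}: no forward (A/AAAA) record"]
    problems = []
    for ip in sorted(addresses):
        ptr = reverse(ip)
        if ptr is None:
            problems.append(f"{fqdn}: {ip} has no reverse (PTR) record")
        elif ptr.rstrip(".").lower() != fqdn.rstrip(".").lower():
            problems.append(f"{fqdn}: {ip} reverses to {ptr}, not {fqdn}")
    return problems

# Constructed sample records (hypothetical names and addresses) so the
# example runs offline; a real run would use the default system resolvers.
SAMPLE_A = {
    "view-cs1.example.test": {"10.0.0.11"},
    "view-cs2.example.test": {"10.0.0.12"},
    "view-ss1.example.test": {"10.0.0.13"},
}
SAMPLE_PTR = {
    "10.0.0.11": "view-cs1.example.test.",  # trailing dot is normalized
    "10.0.0.13": "old-name.example.test",   # stale PTR after a rename
}

def audit_sample():
    """Run check_dns over the constructed records; the last host has no A record."""
    hosts = list(SAMPLE_A) + ["view-cs3.example.test"]
    fwd = lambda name: SAMPLE_A.get(name, set())
    return {h: check_dns(h, fwd, SAMPLE_PTR.get) for h in hosts}

if __name__ == "__main__":
    for host, problems in audit_sample().items():
        print(host, "OK" if not problems else "; ".join(problems))
```

Calling `check_dns("<view-server-fqdn>")` with no resolver arguments queries the system resolver of the machine it runs on, so run it from the Connector and Manager appliances' network segment.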


Conclusion

Horizon Workspace 1.5 enables IT to maintain control over the implementation; aggregate resources; and allow end users to access their entitled applications, data, and Horizon View desktops from inside or outside the corporate firewall, on the device or devices of their choice.

This reference architecture documents the system requirements and configuration settings for an enterprise deployment of Horizon Workspace with 10,000 users.

As seen from the previous pages, this is a straightforward deployment that supports 10,000 users. It features linear growth, which means that if you require an additional 10,000-user block, you can scale up the resources with confidence that you will meet and exceed expected performance.

There is no complex tuning or sizing required. After the vApp is deployed, the additional appliances spin up from the Configurator virtual appliance. You can feel confident that the vApp will run smoothly without interruption.

The built-in policy engine is one of the strongest points of Horizon Workspace. This makes it easy to manage users, and entitle them to applications and data. It also provides administrator control through a very easy-to-use Web console.

About the Authors

Stephane Asselin, EUC Architect in the VMware End-User Computing Technical Enablement Group, has been involved in desktop deployments and virtualization for over 15 years. He has extensive customer, field, and lab experience with VMware End-User Computing and ecosystem products.

Andrew Johnson, EUC Architect in the VMware End-User Computing Technical Marketing Team, is responsible for technical enablement and reference architectures.

Jared Cook is an EUC Architect in the VMware End-User Computing Technical Marketing Team.

Acknowledgments

This reference architecture is the result of collaboration between VMware IT, the Workspace Performance engineering team, and the EUC Technical Enablement team. VMware recognizes the efforts involved in testing and documenting the environment, validating the equipment used, and all the expertise without which this project would not have been possible.


Appendix A (Test Methodology)

The goal is to support 10,000 users per Horizon Workspace pod with less than 70 percent vCPU utilization, less than 80 percent vRAM utilization, and less than 100TB of data.

The resource utilization (CPU and memory) for the virtual appliances is detailed below. We’re showing two timelines. The first one is over a 24-hour period, and the second one is over a week.

As illustrated in the performance charts in Figures 6–8, the metrics gathered clearly demonstrate that the allocated resources were sufficient for the number of users tested and the utilization threshold we were aiming to meet.

The Horizon Workspace vApp was configured with the following virtual appliances:

• 1 Configurator virtual appliance

• 4 Connector virtual appliances (2 for authentication and AD sync, 2 for Kerberos)

• 11 Files virtual appliances (1 Master node, 10 User Data nodes)

• 6 Gateway virtual appliances

• 2 Manager virtual appliances

The Horizon Workspace vApp

We assessed and monitored the environment for a period of a month. Note that during this period, no single virtual appliance reached its top configured resource capacity, as seen in the performance charts. To demonstrate our point, the virtual appliance performance charts show the data for 24 hours, then for seven days, and finally for a full month. By comparing these charts, you can see that utilization is fairly consistent and never reaches anything near maximum capacity.

Figure 6: Horizon Gateway Virtual Appliance CPU Utilization in a 24-Hour Period – 10,000 Users


Figure 7: Horizon Gateway Virtual Appliance CPU Utilization over Seven Days – 10,000 Users

Figure 8: Horizon Gateway Virtual Appliance CPU Utilization over One Month – 10,000 Users

Note that in the performance charts above, during all the time observed the CPU never went above 20 percent utilized. This leaves plenty of room for peak utilization.


Memory utilization follows the same trend as the CPU utilization; we noticed a small increase in utilization, but nothing that would change our recommendation for sizing.

Figure 9: Horizon Gateway Virtual Appliance Memory Utilization over One Month – 10,000 Users

You will notice in the performance chart above that memory at peak utilization went up to 6.2GB utilized, which provides a utilization percentage of 77 percent. On a virtual appliance sized at 8GB, it stayed under the established threshold of 80 percent utilization. The daily and weekly performance charts were almost identical.

The next virtual appliances are the Files (data-va) virtual appliances. As they followed the same utilization trend as the Gateway virtual appliance, we will not show all the charts here. Figure 10 shows a week of utilization on two Files virtual appliances.

Figure 10: Horizon Files Virtual Appliance #1 CPU Utilization over One Week – 10,000 Users


You will see from the performance chart in Figure 10 that CPU utilization did not spike to anything higher than 31 percent (Files virtual appliance #1).

Figure 11: Horizon Files Virtual Appliance #2 CPU Utilization over One Week – 10,000 Users

The Configurator virtual appliance was set to 1 vCPU and 1GB. The Configurator virtual appliance is unique for each vApp. It supports the entire vApp. If the Configurator virtual appliance does not play a role in interacting with users, then this appliance does not need many resources. Its main function is to keep the vApp well organized. There were no spikes in resource utilization, and the percentage utilized stayed below 10 percent throughout the testing period.

The Connector virtual appliances (two of them) were set to 2 vCPUs and 2GB. The Connector virtual appliance utilization, both memory and CPU, did not vary during our testing period and stayed below five-percent resource utilization. The Horizon Workspace Connector provides the following services: user authentication (identity provider); directory synchronization; ThinApp-catalog loading; and Horizon View pool synchronization.

VMware, Inc. 3401 Hillview Avenue Palo Alto CA 94304 USA Tel 877-486-9273 Fax 650-427-5001 www.vmware.com Copyright © 2014 VMware, Inc. All rights reserved. This product is protected by U.S. and international copyright and intellectual property laws. VMware products are covered by one or more patents listed at http://www.vmware.com/go/patents. VMware is a registered trademark or trademark of VMware, Inc. in the United States and/or other jurisdictions. All other marks and names mentioned herein may be trademarks of their respective companies. Item No: VMW-WP-HORIZONWKSPREFARCH-USLET-20140207-WEB


The Manager (service-va) virtual appliances (two of them) were both configured with 4 vCPUs and 8GB of RAM. The utilization varies on these appliances, depending mostly on user demand, concurrent requests, and synchronization with back-end infrastructure. As shown in Figure 12, utilization still stayed well below maximum capacity, reaching a maximum of 54 percent over a one-week period.

Figure 12: Horizon Service Virtual Appliance #1 CPU Utilization over One Week – 10,000 Users