EUC Layers: Horizon Connectivity or From NSX Load Balancers with Love

Another layer that will hit your end users is the connectivity from the client device to the EUC solution. No intermittent errors are allowed in this communication. Users very rarely like "connection server is not reachable" pop-ups. Getting your users securely and reliably connected to your organization’s data, desktops, and applications while guaranteeing connection quality and performance is key for any EUC solution. For a secure workspace, protecting against and reacting to threats as they happen makes software-defined networking even more important for EUC. Dynamic software is required. And all that for an any place, any device, anytime solution. And if something breaks, well….

Rest of the fire

One of the first things we talk about is the need to reliably load balance several components as they scale out. And to avoid getting into all the networking bits in one blog post, I am sticking with load balancing for this part.

As Horizon does not have a one-package deal with networking or load balancing, you have to use an add-on to the Horizon offering or look outside the VMware product suite. Options are:

  • interacting with physical components,
  • depending on other infrastructure components such as DNS RR (that is a poor man’s load balancing) preferably with something extra like Infoblox DNS RR with service checks,
  • using virtual appliances like Kemp or NetScaler VPX. VPX Express is a great free load balancer and more.
  • Specific Software-Defined Networking for desktops, using NSX for Desktop as an add-on. Now instantly the question pops up: why isn’t NSX included in, for example, Horizon Enterprise like vSAN? I have no idea, but it probably has something to do with money (and cue Pink Floyd for the earworm).

And some people will also hear about the option of doing nothing. Nothing isn’t an option if you have two components. At a minimum, you will have to do a manual or scripted way of redirecting your users to the second component when the first hits the load mark, needs maintenance or fails. I doubt that you or your environment will remain long loved when trying this in a manual way…..

The best fit all depends on what you are trying to achieve with the networking as a larger picture or, for example, load balancing specifically. Are you load balancing the user connections to two connection servers for availability, doing tunneled desktop sessions, or doing a cloud pod architecture over multiple sites and thus globally? That all has to be taken into account.

In this blog post, I want to show you how to use NSX for load balancing connection server resources.

Horizon Architecture and load balancers

Where in the Horizon architecture do we need load balancers? Well, the parts that connect to our user sessions and are scaled out for resources or availability. We need them in our local pods, and global load balancers when we have several sites.

Externally:

  • Unified Access Gateway (formerly known as Access Point)
  • Security Server (if you happen to have that one lying around)

Internally:

  • Workspace ONE/vIDM.
  • Connection Servers within a Pod, with or without CPA. However, with CPA we need something more than just local traffic.
  • AppVolumes Managers.

And maybe you have other components to load balance, such as multiple vROPS analytical nodes so the user interface load does not hit one node, as long as the node the Horizon adapter connects to or from is not load balanced.

Load Balancers

To improve the availability of all these kinds of components, a load balancer is used to publish a single virtual service that internal or external clients connect to. For example, for the connection server load balanced configuration, the load balancer serves as a central point for authentication traffic flow between clients and the Horizon infrastructure, sending clients to the best performing and most available connection server instance. I will keep the lab a bit simple by just load balancing two connection server resources.

Want to read up more about load balancing CPA? EUC Junkie Bearded VDI Junkie vHojan (https://twitter.com/vhojan) has an excellent blog post about CPA and the impact of certain load balancing decisions. Read it here: https://vhojan.nl/deploy-cpa-without-f5-gtm-nsx/.

For this one here, on to the Bat-Lab….

Bat-Labbing NSX Edge Load Balancing

Let’s make the theory stick and get it up and running in a Horizon lab I have added to Ravello. It is cloned from an application blueprint I use for almost all my Horizon labs and is ready for adding a load balancing option, NSX for Desktop. The scenario is load balancing the connection servers. In this particular example, we are going one-armed. This means the load balancer node will live on the same network segment as the connection servers. Start your engines!

Deploying NSX Manager

How do you get NSX in Ravello? Well, either deploy it on a nested ESXi or use the import method to deploy NSX directly on Ravello Cloud AWS or GC. I’m doing the latter. As you did not set a password, you can log in to the manager with user admin and password ‘default’.
That is the same password you can use to go to enable mode by typing enable. And if you wish, type config t for configuration mode. Flashback to my Cisco days :)) …. In configuration mode, you can set hostnames, IP and such via CLI.
But the easiest way is to type setup in basic/enable mode. Afterwards, you should be able to log in via the HTTPS interface. Use that default password and we are in.

NSX - vTestlab

Add a vCenter registration to allow NSX components to be deployed. On to the vSphere Web Client. At this point you must register an NSX license, or else you will fail to deploy the NSX Edge Security Gateway Appliance.

Next, prepare the cluster for a network fabric to receive the Edges. Go to Installation and click the Host Preparation tab. Prepare the hosts in the cluster you want to deploy to (and have licensed for VDI components, or NSX for Desktop is no option). Click on actions – install when you are all set.

NSX - Prepare Host

For this Edge Load Balancer services deployment, you don’t need a VXLAN or NSX Controller. So for this blog part, I will skip this.

Next up: deploying an NSX Edge. Go to NSX Edge and click on the green cross to add one. Fill in the details and configure a minimum of one interface (depending on the deployment type). As I am using one-arm, select the pools and networks and fill in the details. In production, you would also want some sort of cluster for your load balancers, but I have only deployed one for now. Link the network to a logical switch, distributed vSwitch or standard vSwitch. I have only one, so the same network standard vSwitch. Put in the IP addresses. Put in a gateway and decide on your firewall settings. And let it deploy the OVA.

If you forgot to allow nested virtualization in /etc/vmware/config and get the "You are running VMware ESX through an incompatible hypervisor" error, add vmx.allowNested = "TRUE" to that file on the ESXi host nested on Ravello. Run /sbin/auto-backup.sh after that. If you retry the deployment, this will normally work.

Load Balancing

We have two connection servers in vTestLab.

Connection Servers

Go back to the vSphere web client and double-click the just created NSX edge. Go to Manage and tab Load Balancer. Enable the Load Balancer.

Horizon LB - Enable Global

Create an Application Profile. For this configuration, I used SSL pass-through for the HTTPS protocol with SSL session persistence in the example below. The single-threaded NSX isn't really suitable for SSL offloading here. But I should have read the documentation a bit better, as source IP is documented. Testing shows that source IP persistence works better. Probably SSL sessions are reinitiated somewhere along the line, and SSL session ID gives you a new desktop more often than source IP does.

For this setup, you can leave the default HTTPS service monitor. Normally you would also want to have service checks on, for example, the Blast gateway (8443) or PCoIP (4172) if components use these.
Next, set up your pool to include your virtual servers (the connection servers) and the service check, monitor port, and connections to take into account.

NSX Hor Pool Detail

Next up create the virtual server with the load balancing VIP and match that one to the just created pool.

Virtual Server

After this, look at the status and select the pool.


Both are up.
You can now test whether an HTTPS connection to 10.0.0.12 shows you the connection server login page.


Connected. Using HTML Access will fail with an error connecting to the connection server (Horizon 7.1) as I did not change the origin checking. You can disable this protection by adding the following entries to the file locked.properties (C:\Program Files\VMware\VMware View\Server\sslgateway\conf) on each connection server:

balancedHost=URL via loadbalancer such as vdi.euc.nl
portalHost.1=UAG FQDN
portalHost.2=UAG FQDN
portalHost.3=UAG FQDN
checkOrigin=false

Restart the VMware Horizon View Connection Server service.
And of course, you would add a DNS record pointing to 10.0.0.12 to let your users use the connection to the connection servers, like vdi.vtest.lab. And use an SSL certificate with that name.
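
A small audit of locked.properties content, added here as an example (it is not VMware's code or part of the original lab): it flags checkOrigin=false, which the text above says turns the origin protection off, and checks that balancedHost and the portalHost.N entries hold real host names rather than leftover placeholder text. The function names, finding codes and the uag1/uag2 host names are constructed for illustration; vdi.vtest.lab is the load balancer name used above.

```python
import re

# Host name check: dot-separated labels, no scheme, path or spaces.
_HOSTNAME = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)

# The entries exactly as listed in the post, placeholders not yet replaced.
AS_ON_PAGE = """\
balancedHost=URL via loadbalancer such as vdi.euc.nl
portalHost.1=UAG FQDN
portalHost.2=UAG FQDN
portalHost.3=UAG FQDN
checkOrigin=false
"""

# Constructed sample: names filled in, origin check left at its default.
FILLED_IN = """\
# constructed sample, not taken from a real server
balancedHost=vdi.vtest.lab
portalHost.1=uag1.vtest.lab
portalHost.2=uag2.vtest.lab
"""


def parse_properties(text):
    """Parse simple key=value lines; skip blanks and # or ! comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def audit_locked_properties(text, expected_vip_name):
    """Return a list of (code, detail) findings for one file's content."""
    props = parse_properties(text)
    findings = []

    # An absent key is treated as "check enabled" (assumption based on the
    # post: the protection is on until checkOrigin=false is added).
    if props.get("checkOrigin", "true").lower() == "false":
        findings.append(("ORIGIN_CHECK_DISABLED", "checkOrigin=false"))

    balanced = props.get("balancedHost")
    if balanced is None:
        findings.append(("NO_BALANCED_HOST", "balancedHost is not set"))
    elif not _HOSTNAME.match(balanced):
        findings.append(("BALANCED_HOST_NOT_HOSTNAME", balanced))
    elif balanced.lower() != expected_vip_name.lower():
        findings.append(("BALANCED_HOST_MISMATCH", balanced))

    seen = set()
    for key in sorted(k for k in props if k.startswith("portalHost.")):
        value = props[key]
        if not _HOSTNAME.match(value):
            findings.append(("PORTAL_HOST_NOT_HOSTNAME", f"{key}={value}"))
        elif value.lower() in seen:
            findings.append(("PORTAL_HOST_DUPLICATE", f"{key}={value}"))
        seen.add(value.lower())
    return findings


if __name__ == "__main__":
    for label, content in (("as on page", AS_ON_PAGE), ("filled in", FILLED_IN)):
        print(label)
        for code, detail in audit_locked_properties(content, "vdi.vtest.lab"):
            print(f"  {code}: {detail}")
```

Run it against a copy of the file from each connection server; an empty result means the load balancer name is listed and the origin check is still on.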

Now the last check: is the load balancing working correctly? I kill off one of the connection servers.

Man down

And let's see what the URL is doing now:

Admin after man down

Perfect, the load balancer connects to the remaining connection server. This time for the admin page.

This concludes this small demonstration of using NSX for Load Balancing Horizon components.

– Happy load balancing the EUC world!

Sources: vmware.com

EUC: Can I kick it – upgrading to Horizon 7.1

The 16th of March was a good day. The NLVMUG was going on in the Netherlands (great event!), the weather was great, and Horizon 7.1 went GA. And I wanted to get my TestLab up and running with that version, and take a little peek if there are any of my’s in the upgrade. See what and where things are changed. So why not write up this pirate’s adventure….

Upgrade Procedure and Interoperability

Before the upgrade it is important to know in which order the bits are to be upgraded, whether we are doing an in-place upgrade or a new VM deployment, and whether the new versions still work with other components in the environment or whether those also need to be upgraded or would break the upgrade.

The upgrade procedure is more or less the same as with the previous ones:

  • Check the status of the components. If there currently are health issues, fix them before the upgrade. Or use the upgrade to try to fix your issue if they are named as a fix in the release notes.
  • Get out your password manager for database passwords and so on.
  • Complete backups and snapshots. Don’t forget databases and such!
  • Disable provisioning and upgrade Composers. Provisioning can only be enabled when all components are upgraded.
  • Disable connection server and upgrade connection server. If you have more you can do one at a time to leave your users the option to connect. Disable connection server in Horizon admin and load balancer.
  • Optional Upgrade Paired Connection Server and Security Server. Disable connection and prepare security server for upgrade in the Horizon Admin, and in load balancer. First upgrade the paired connection server and then the Security server.
  • Upgrade the Horizon Agent.
  • Upgrade the Horizon Clients.
  • Upgrade the GPO’s to ADMX’s.

Note: during an upgrade it is allowed, or supported, that some older versions interact with the new versions. For example, first upgrade the composer in one maintenance window and the connection servers in the following one. Just don’t let that upgrade window take ages.

Your environment probably will have some other upgrades like other Horizon suite components, vSphere, Tools, Windows versions and so on. Be sure to have the steps broken down before doing any upgrades.

Check if the component versions can work together by checking the VMware Product Interoperability Matrices at http://www.vmware.com/resources/compatibility/sim/interop_matrix.php#interop. Be sure to put in all the VMware solutions you are using. And check with vendors of components outside of the VMware scope. Don’t forget your Zero or Thin Client vendors!

Find a red in there? Well, stop right there before upgrading.

Treasure map

I have my testlab in the cloud. So for not breaking all the bits, I am cloning my lab in a new lab that I will use for the upgrade. Pretty nice functionality!

Announcement and location

While waiting for the upgrade bits to download we have some time to browse through the 7.1 announcements. Surely you have seen the VMware announcement or one of the blog write-ups you can choose from. If not, ITQ Master of Drones and EUC Laurens has a post on the announcement bit that you can find over here: https://www.vdrone.nl/whats-new-vmware-horizon-7-1/.

Downloads, well easy pease, they are in the usual my.vmware.com spot (linkie to the VMware spot: https://my.vmware.com/group/vmware/info?slug=desktop_end_user_computing/vmware_horizon/7_1). Have an active SnS and you're entitled to get the upgrade bits, or else go for an evaluation.

Grab - Download Horizon 7.1

And while you're at it, get the ADMX files for all of the Horizon GPOs. Thumbs up, finally they are there, VMware. Better late than never.

Upgrade Procedure

I have the following components in my vTestlab that need upgrading: Horizon Composer because of the current desktop pools, Horizon Connection Server and databases that are running because of these services. And Horizon Agent in the desktop pools.

For my testlab I used a saved blueprint of my VCAP-DTM lab and used that blueprint to publish a new testlab in Ravello.

After the upgrade I have to check the following components that interact with Horizon: vIDM and vROPS for Horizon. And client connections, of course.

Composer

After disabling the provisioning of the desktop pools, log on to your composer server.

Capture - Disable Provisioning Desktop Pool

On the composer server start the installer. After the startup it detects that an upgrade should take place.

Capture - Composer Upgrade

  1. Click next,
  2. Accept the EULA,
  3. Check your destination folder,
  4. Check database settings and input password,
  5. Check port and certificate settings. Note: if you create a new SSL certificate you will have to retrust that one in Horizon. I am reusing the SSL certificate so I select the one installed,
  6. Check and push the install button,
  7. Grab a coffee and check status,
  8. Finish,
  9. Restart server,
  10. Rinse and repeat for other composers in your environment,
  11. If you are done with all components in your desktop block, don’t forget to enable provisioning of the desktop pool!

Connection Server

After disabling the connection server you are going to work on, log on to the connection server.

Capture - Disable connection server

Select the connection server and click the disable button.

On the connection server start the installer. Like the composer upgrade, the installer will detect it is in an upgrade scenario.

Capture - Horizon Connection Upgrade

  1. Click next,
  2. Accept the EULA,
  3. Check and push the install button,
  4. Grab another coffee and check status,
  5. Finish and read the read me. Yes really, depending on where you're coming from there are some pointers in there to check or change to make your life simpler,
  6. Open a browser to your upgraded host and look at that spiffy portal,
  7. Open the admin console and check connection to other components,
  8. Enable your connection server,
  9. Rinse and repeat for others,
  10. (don’t forget your load balancers….)

Look at that pretty new portal

Capture - Horizon Portal

Unfortunately the administration console GUI hasn’t changed and Flash (ahaaaa) is still around. Sad panda…..

Don’t forget to check that vIDM and vROPS for Horizon aren’t broken. I had to repair/restart the broker agent with vROPS. And have a little patience for the metrics to flow back in.

Agent

I have got an RDSH Hosted application farm server, and I will be updating that agent. And some desktop pools, but the procedure is the same. First off, disabling access to the RDSH. Well, that depends on the number of servers you have in the farm and what you're hosting from it. Disable the hosted desktop pool, for example. With my test lab it's one server, so disabling the farm would be sufficient. Heck, I am the only user, so leaving everything running would only bug my multiple personalities (who said that?!?).

With several servers you could do maintenance on one by removing it from the farm. Be sure to have your farm running with the same versions. Or have a cloned pool, and just update the template.

On the RDSH host start the installer. Again the installer will notice it is an upgrade.

  1. Click next,
  2. Accept the EULA,
  3. Check your IP version,
  4. Custom setup components, but we are not adding, just upgrading, so click next,
  5. (manual only) Check registered settings RDSH with connection server,
  6. Next and Install,
  7. Finish and reboot,
  8. Enable hosts or pools when the farm is done.

What’s new in the admin?

Instant Clone pools have the option to select specific VLANs for that pool or use the VM network of the template snapshot.

Capture - IC Select Networks

In Global Settings – you have two new client settings:

Capture - Global Settings client

  • hide server information in client interface. You will only see the lock if the certificate is trusted, but not https://connectiontoserver.fq.dn.
  • hide domain list in client interface. Only the username and password boxes are shown. The drop-down with the domains is gone. Great for use cases where you want to hide the domain or there is a sh*t load of domains in there. Users have to remember their UPN.

The client user interface here means the Horizon Client and the HTML client (for the domain list, the URL is still in your browser if you haven’t hidden that in another way).

Capture - HTML client no domain

Mind that this is currently not working if the Horizon client is pushed from AirWatch to iOS.

In global settings you can also add an automatic refresh of the admin interface (can’t remember if this was already in) or display some MOTD or legal pre-login message to all your users. This must be accepted by all your users before they are able to log on.

What is missing from the admin?

As @jketels already mentioned on twitter:

Still no VLAN selection support for Dedicated and Floating pools. Only Instant-Clones have this new option available. #Horizon #View 7.1 pic.twitter.com/ehYCnZa4nB

— Joey Ketels (@jketels) March 17, 2017

The network selection can only be done from the GUI for instant clone desktop pools. The network selection (step 7 in vCenter settings) is not available in, for example, linked clone pools. And like networks are not used in a CPA multiple POD deployment, and there are all the other reasons that a lot of customers are using multiple VLANs for the desktop pools. Again a missed opportunity. And no, linked clones are not yet deprecated or planned to be, so support this from the GUI. Well, if needed, with PowerShell you can still get this in for your linked clones.

That’s it

That's it, core components are upgraded and running happily. I probably still have to find out a bit more about what has been changed within this release, but for a start it looks pretty slick and without too much of a hassle.

– Happy getting your Horizon going the distance!

Sources: vmware.com, vdrone.nl

 

VCAP-DTM Deploy Prep: La La Land Lab and Horizon software versions

VCAP-DTMmmmmm. After securing the VCP-DTM for version 6 and getting the pass results in for the version 7 DTM Beta, my sniper target is set for the VCAP-DTM’s. Maybe I should cut down on Battlefield 1 a bit ;). Anyhow…..

As the title of this post suggests, first up is the deploy exam. Version 6, as the version 7 VCAPs are not yet out. Deploy is possibly the one that fits me a bit less than the design part, but it is always good to have the “weakest” out of the way the fastest. But there is no requirement that you should do deploy first; if you want design out of the way first, go with that one.

Sniper Rifle target

With the VCAPs I have attempted, and from hearing the experience of those that have tried, next to actually knowing what you’re doing, time management is (still) the key to securing the VCAPs. I think the actually knowing bit is pretty okay for most that will attempt this exam. Maybe some bit of practice in the Mirage parts for myself. And that is exactly what is needed for time management. Know your weak(est) and strong(est) points in the list of exam objectives. And next to that, with time management comes drill drill drill. And where better to drill than in a lab? Or to put it in other words, you will need a lab for the deploy!

VCAP-DTM Deploy

Now where are we with DTM?

Exam Topics aka Objectives

You will find a lot of blog posts explaining how to prepare and going through all the exam objectives. And I do mean a lot. I am not putting a how-to-study for each objective in this blog post. Use your google-fu for that.

The exam objectives for this post are important for what components you need to have in your lab.

On the mylearn page of the exam, the exam topics are in expandable sections with clickable white papers, documents and such to prepare. Just go to: https://mylearn.vmware.com/mgrReg/plan.cfm?plan=88780&ui=www_cert. I haven’t seen another PDF exam blueprint document for this exam on the VMware site.

Some bloggers will offer their packages of collected documents for preparation. One, for example, is offering theirs on: http://www.virtuallyvirtuoso.com/vcap6-dtm/.

VCAP6-DTM Component Versions

When going through the VCAP6 objectives we will need the following components and their versions of the Horizon Suite:

  • Horizon 6.2 Components: CPA, Connection Server, Security Server and Composer.
  • Pools: Linked clone PCoIP pool (Windows 7), RDSH Farm (W2K8R2/W2K12R2), Application Pools (Evernote). Reference machine Windows 7 and RDS version for ThinApp and App Volumes.
  • vSphere and vSAN 6.0: vSphere HA/DRS Cluster resources for management and pools. VSAN Storage.
  • Identity Management: vIDM 2.4.1
  • Application Layer Management: App Volumes 2.9, ThinApp 5, version 5.1.1.
  • Image Management: Mirage 5.4
  • Endpoints: Web-based, Horizon Clients, Kiosk.
  • Operations Management: vROPS for Horizon version 6.1.0.
  • Supporting Infrastructure/Tools: Active Directory (DNS,DHCP), GPO, MSSQL Database server, VMware OS Optimization Tool (OSOT) with support for Windows 7/8, File Services ThinApps Repository, syslog and Windows 2012R2 Jump Host.

The easiest way to get the VMware bits is to go to the Horizon Enterprise edition download on my.vmware.com and select version 6.2. You need an evaluation or an entitled My VMware user to access those. You can use this link for your bits: https://my.vmware.com/group/vmware/info?slug=desktop_end_user_computing/vmware_horizon/6_2.

VCAP Lab Download bits

Download OSOT here: https://labs.vmware.com/flings/vmware-os-optimization-tool.

Strange, I wonder why they did not put Access Point or UEM in the exam objectives. Access Point, for example, is designed to be deployed with Horizon version 6.2. Ah well, fewer bits to put in the lab.

For supporting infrastructure and tools, and client versions, it is up to you; at least put in the supporting versions.

Study Lab options

The deploy part is a lab-based exam. Hands-on experience with the Horizon suite is crucial for success. Not everyone has a home lab, cloud lab credits or enough resources on their notebook to put in all the resource-hungry Horizon suite components, so you can use a combination of lab options in your exam preparations. Don’t forget the Horizon suite versions and components that are used in the VCAP version when building your study lab. Practice with the right version, or know what has been changed between versions, which takes a little more preparation time.

Get command line experience by practicing with vdmadmin, lvmutil, client and dct command line options, web interface locations, RDP to servers, SSH to appliances and log / config file locations.

Home

This can be a lab in a notebook, and some people have a home lab that offers more services and resources than a small country uses in a decade. Home labs are excellent for build and break your own. You will not have any permissions issues. The downside is mostly the resources required.

Cloud

Again this provides good experience in build and break your own. Accessible from anywhere. The downside is mostly the resources required and the costs that are involved.

If you are a 2017 vExpert like me, Ravello (https://www.ravellosystems.com/go/vexpert/lab-service-description) still offers 1000 CPU hours per month to vExperts. Build your lab, configure an application start-up and stop procedure and set your lab to stop after practicing. For example put in 2:00 hours of studying and after that your lab will shut down and no CPU cycles will be wasted.

You can even simulate the exam lab speed and put your lab in a cost-optimized, far away cloud provider location. Pretty good for the time management preparations.
The downside of Ravello is the support for VMware OVA appliance deployment; there are some tips and tricks needed to get appliances uploaded to Ravello. Or optionally go for Windows components or nested deployments.

I’m currently building my lab in here: (yes status stopped in screenshot and Windows 10 is my client)

Ravello vExpert VCAP-DTM Prep

Hands on Labs.

VMware Hands on Labs are an excellent place to practice with a whole scale of VMware products. Use the manual to be guided through the labs, or just click it away and go on your own. Choose from the mobility labs for example: http://labs.hol.vmware.com/HOL/catalogs/catalog/125.

I personally use HOL-1751-MBL-1-HOL a lot. Downsides: no composer as Horizon 7 instant clones are used, a version mismatch with the exam lab, and no vROPS for Horizon. For vROPS for Horizon I use Testdrive. You also aren’t administrator on the Windows hosts and there is no Internet connection to get some missing piece in.

VCAP-HOL1751

You start with 1hr:30min, and you can extend the lab time up to 8 times by one hour. Topping up to 9hr:30min of lab time per enrollment. Amazing discovery Mike!

Testdrive

VMware Testdrive is the EUC demo environment. Need to show the customer some part they are missing, or need some extras to make your point? Open up a Testdrive for the customer and let them see it. As a superuser I also misuse it to work on some vROPS for Horizon parts. You are admin in vROPS, so you can test a metric set for a dashboard or show policies without breaking the customer's vROPS environment. The rest of the components are limited in what you can do and practice over there. But that wasn’t the use case of Testdrive in the first place.

Time management studying for the exam

Time management starts with studying. Plan your exam date and schedule your exam up front. Take enough time to prepare and work through the objectives. How much depends on your own strong and weak points. But do schedule the exam, else you will have no target to work to and that VCAP-DTM will be a never-ending story.

Time management throughout the Exam Lab

You can navigate through the lab exercise scenarios. Go through the objectives. Use your notepad to sort them into easy or tough ones. Get the easy ones done and out of the way. For labs that require deployments, captures, synchronisation or otherwise take time to finish, start up those actions and go to the next. Don’t waste time watching progress bars……

There are dependencies between questions, and skipping a part of a question because you are waiting for a deployment can be tricky for your mind if you're also working through the scenario. You have to make sure you come back to that incomplete task and finish it.


Test Center Check

If you have the opportunity and have multiple options for test centers in your friendly neighborhood, be sure to check out what lab setup they have. I know where I would go if I had to choose between test centers that have 21″ or 17″ screens. Or ask on twitter or Reddit if someone has experience with the test center.

– Happy prepping your exam!

Sources: vmware.com, ravellosystems.com

EUC Layers: Display protocols and graphics – the stars look very different today

In my previous EUC Layer post I discussed the importance of putting insights on screens. In this post I want to discuss the EUC Layer of putting something on the screen of the end user.

Display Protocols

In short, a display protocol transfers the mouse, keyboard and screen (ever wondered about vSphere MKS error if that popped up) input and output from a (virtual) desktop to the physical client endpoint device and vice versa. Display protocols usually will optimize this transfer with encoding, compressing, deduplicating and performing other magical operations to minimize the amount of data transferred between the client endpoint device and the desktop. Minimize data equals less chance of interference equals better user experience at the client device. Yes, the one the end user is using.

For this blog post I will stick to the display protocols VMware Horizon has under its hood. VMware Horizon supports four ways of using a display protocol: PCoIP via the Horizon Client, Blast Extreme/BEAT via the Horizon Client, RDP via Horizon Client or MS Terminal Client, and any HTML5 compatible browser for HTML Blast connections.

The performance and experience of all the display protocols are influenced by the client endpoint device, everything in between, the desktop agent and the road back to the client. For example: the virtual desktop Horizon Agent. A USB redirected mass storage device to your application, and good-bye performance. Network filtering, and poof, black screen. Bad WiFi coverage, and good-bye session when moving from office cubicle to meeting room.


RDP

Who? What? Skip this one when you are serious about display protocols. The only reason it is in this list is for troubleshooting when every other method fails. And yes, the Horizon Agent by default uses RDP as an installation dependency.

Blast Extreme

Just Beat it PCoIP. Not the official statement of VMware. VMware assures its customers that Blast Extreme is not a replacement but an additional display protocol. But yeah…..sure…

With Horizon 7.1 VMware introduced BEAT to the Blast Extreme protocol. BEAT stands for Blast Extreme Adaptive Transport, a UDP-based adaptive transport that is part of the Blast Extreme protocol. BEAT is designed to ensure the user experience stays crisp across network conditions of varying quality. You know them, those with low bandwidth, high latency and high packet loss, jitter and so on. Great news for mobile and remote workers. And for spaghetti incident local networks……..

Blast uses standardized encoding schemes, such as H.264 by default for graphical encoding and Opus as audio codec. If it can’t do H.264 it will fall back to JPG/PNG, so always use H.264 and check the conditions you have that might cause a fallback. JPG/PNG is more a codec for static graphics, or at least not something larger than an animated gif. H.264, the other way around, is more a video codec but is also very good at encoding static images, and will compress them better than JPG/PNG. Plus 90% of the client devices are already equipped with a capability to decode H.264. Blast Extreme is network friendlier by using TCP by default, which is easier for configuration and performance under congestion and drops. It is efficient in not using up all the client resources, so that, for example, mobile device batteries are not drained because of the device using a lot of power feeding these resources.
Default protocol Blast Extreme selected.

PCoIP

PC-over-IP or PCoIP is a display protocol developed by Teradici. PCoIP is available in hardware, like Zero Clients, and in software. VMware and Amazon are licensed to use the PCoIP protocol in VMware Horizon and AWS Amazon Workspaces. For VMware Horizon, PCoIP is an option with the Horizon Client or PCoIP optimized Zero Clients.
PCoIP is mainly a UDP based protocol; it does use TCP, but only in the initial phase (TCP/UDP 4172). PCoIP is rendered, multi-codec and can dynamically adapt itself based on available bandwidth. In low bandwidth environments it utilizes a lossy compression technique where a highly compressed image is quickly delivered, followed by additional data to refine that image. This process is termed “build to perceptually lossless”. The default protocol behaviour is to use lossless compression when there is minimal network congestion expected. Or explicitly disable, as might be required for use cases where image quality is more important than bandwidth, for example in medical imaging.
Images rendered on the server are captured as pixels, compressed and encoded, and then sent to the client where decryption and decompression happen. Depending on the display, different codecs are used to encode the pixels sent, since techniques to compress video images can differ in effectiveness from those that are more effective for text.

 

HTML

Blast Extreme without the Horizon Client dependency. The client is an HTML5 compatible browser. HTML Access needs to be installed and enabled on the datacenter side.
HTML uses the Blast Extreme display protocol with the JPG/PNG codec. HTML is not at feature parity with the Horizon Client, which is why I am putting it up as a separate display protocol option. As not all features can be used, it is not the best fit in most production environments, but it will be sufficient for remote or external use cases.

Protocol Selection

Depending on how the pool is configured in Horizon, the end user either has the option to change the display protocol from the Horizon Client, or the protocol is set on the pool with the setting that users cannot change the protocol. The latter has to be selected when using GPU, but whether you would like to leave all the options available to the user depends a bit on the workforce and use case.


Display Protocol Optimizations

Unlike what some might think, display protocol optimization will benefit user experience in all situations, either from an end user point of view or from IT having some control over what can and will be sent over the network. Network optimizations in the form of QoS, for example. PCoIP and Blast Extreme can also be optimized via policy. You can add the policy items to your template, use Smart Policies and User Environment Management (highly recommended) to apply them on specific conditions, or use GPOs. IMHO the order to work from is UEM first, then template or GPO.


For both protocols you can configure the image quality level and frame rate used during periods of network congestion. This works well for static screen content that does not need to be updated or in situations where only a portion of the display needs to be refreshed.

With regard to the amount of bandwidth a session eats up, you can configure the maximum bandwidth in kilobits per second. Try to match these settings to the type of network connection, such as an interconnect or an Internet connection, that is available in your environment. For example, a higher FPS gives more fluent motion but uses more network bandwidth. A lower FPS is less fluent but costs less network bandwidth. Keep in mind that the network bandwidth includes all the imaging, audio, virtual channel, USB, and PCoIP or Blast control traffic.

You can also configure a lower limit for the bandwidth that is always reserved for the session. With this option set, a user does not have to wait for bandwidth to become available.
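One way to sanity-check the maximum and reserved (floor) bandwidth values described above against a link before applying them, as an added example that is not from the original post or from VMware tooling. The profile names, session counts, kbps values and the 80% usable-link headroom are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class SessionProfile:
    """One group of sessions sharing the same bandwidth policy (constructed model)."""
    name: str
    sessions: int     # concurrent sessions expected on the link
    max_kbps: int     # configured maximum session bandwidth, kilobits per second
    floor_kbps: int   # configured reserved lower limit, 0 when not set


def check_link(link_kbps, profiles, usable_percent=80):
    """Compare the configured floors and maximums with the capacity of one link.

    usable_percent is an assumed planning headroom: the share of the link that
    display protocol traffic (imaging, audio, virtual channel, USB, control)
    may take. It is not a Horizon setting.
    """
    if link_kbps <= 0 or not 0 < usable_percent <= 100:
        raise ValueError("link_kbps must be positive and usable_percent in 1..100")
    usable_kbps = link_kbps * usable_percent // 100
    if usable_kbps == 0:
        raise ValueError("link is too small to plan with")

    findings = []
    for p in profiles:
        if p.sessions < 0 or p.max_kbps <= 0 or p.floor_kbps < 0:
            raise ValueError(f"{p.name}: session count and kbps values must not be negative")
        # A floor above the cap can never be honoured by the session itself.
        if p.floor_kbps > p.max_kbps:
            findings.append(
                f"{p.name}: floor {p.floor_kbps} kbps is above the maximum {p.max_kbps} kbps"
            )

    reserved_kbps = sum(p.sessions * p.floor_kbps for p in profiles)
    peak_kbps = sum(p.sessions * p.max_kbps for p in profiles)

    # If the floors alone exceed the usable link, the reservation is a promise
    # the network cannot keep once every session is connected.
    if reserved_kbps > usable_kbps:
        findings.append(
            f"reserved floors total {reserved_kbps} kbps but only {usable_kbps} kbps is usable"
        )

    return {
        "usable_kbps": usable_kbps,
        "reserved_kbps": reserved_kbps,
        "peak_kbps": peak_kbps,
        # How far the link is oversubscribed if every session hits its maximum.
        "oversubscription": round(peak_kbps / usable_kbps, 2),
        "unreserved_kbps": max(usable_kbps - reserved_kbps, 0),
        "findings": findings,
    }


# Constructed sample: a 100 Mbit/s site link shared by two desktop pools.
SAMPLE_LINK_KBPS = 100_000
SAMPLE_PROFILES = [
    SessionProfile("office", sessions=60, max_kbps=2_000, floor_kbps=500),
    SessionProfile("engineering", sessions=10, max_kbps=10_000, floor_kbps=3_000),
]

if __name__ == "__main__":
    for key, value in check_link(SAMPLE_LINK_KBPS, SAMPLE_PROFILES).items():
        print(f"{key}: {value}")
```

Re-run it after every single setting change, in line with the one-change-at-a-time approach, so the note you keep records both the value and its effect on the link budget.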

For more information, see the “PCoIP General Settings” and the “VMware Blast Policy Settings” sections in Setting Up Desktop and Application Pools in View in the documentation center (https://pubs.vmware.com/horizon-7-view/index.jsp#com.vmware.horizon-view.desktops.doc/GUID-34EA8D54-2E41-4B71-8B7D-F7A03613FB5A.html).

If you are changing these values, do it one setting at a time. Check what the result of your change is and whether it fits your end users’ needs. Yes, again, use real users. Make a note of the setting and result, and move on to the next. Some values have to be redone to find the sweet spot that works best. Most values will be applied when disconnecting and reconnecting to the session where you are changing the values.

Another optimization is to tune the virtual desktops themselves, so that less is transferred and resources can be dedicated to encoding instead of, for example, defragmenting non-persistent desktops during work. VMware OS Optimization Tool (OSOT) Fling to the rescue, get it here.

Monitoring of the display protocols is essential. Use vROPS for Horizon to get insight into your display protocol performance. Blast Extreme and PCoIP are included in vROPS. The only downside is that these session details are only available while the session is active. There is no history or trending for session information.

Graphic Acceleration

There are other options to help the display protocols on the server side by offloading some of the graphics rendering and encoding to specialized components. Software acceleration uses a lot of vCPU resources and just doesn’t cut it for playing 1080p full-screen videos. Not even 720p full screen for that matter. A higher processor clock speed will help graphical applications a lot, but at the cost that those processor types have a lower core count. A lower core count, together with low overcommitment and a low physical-to-virtual ratio, will lower the number of desktops on your desktop hosts. Specialized engineering, medical or map layering software requires graphics capabilities that are not offered by software acceleration, or requires hardware acceleration de facto. Here we need offloading to specialized hardware for VDI and/or published applications and desktops. Nvidia for example.


What will those applications be using? How many frame buffers? Will the engineers be using these applications most of the time, or just for a few moments before going back to Office to write their reports? For this Nvidia supports all kinds of GPU profiles. Need more screens and frame buffers? Choose a profile for that use case. A board can support multiple profiles if it has multiple GPU cores. But per core only one type of profile can be used, multiple times as long as you are not out of memory (buffers) yet. How to find the right profile for your workforce? Assessment and PoC testing. GPU monitoring can be a little hard, as not all monitoring applications have the metrics available.

And don’t forget that some applications need to be set to use hardware acceleration before they will use the GPU, and that there are applications that don’t support hardware acceleration or run worse on it because their main resource request is CPU (Apex maybe).

Engineers only? What about Office Workers?

Windows 10, Office 2016, browsers, and streaming video are used all over the offices. These applications can benefit from graphics acceleration. The number of applications that support and use hardware graphics acceleration has doubled over the past years. That’s why you see that the hardware vendors have also changed their focus. Nvidia’s M10 is targeted at consolidation while its brother, the M60, is targeted at performance, while still reaching higher consolidation ratios than the older K generation. But it costs a little bit more.

vGPU with one of the 0B/1B profiles, and a vGPU for everyone. The Q’s can be saved for engineering. Set the profiles on the VMs and for usage on the desktop pools.

And what can possibly go wrong?

Fast Provisioning – vGPU for instant clones

Yeah. Smashing graphics and deploying those desktops like crazy… me likes! The first iteration of instant clones did not support any GPU hardware acceleration. With the latest Horizon release instant clones can be used for GPU. Awesomesauce.

– Enjoy looking at the stars!

Sources: vmware.com, wikipedia.org, teradici.com, nvidia.com

VMworld Barcelona from the notebook: VMware Strategic Summary

At the VMworld conferences in San Francisco and Barcelona we learned that VMware is continuing the strategic priorities it started almost a year ago. Not a real surprise, as the road still has a lot of opportunities but also some bumps to take. These are some of the notes that I crafted during my visit to keynotes, sessions and such at VMworld Barcelona. While there were no mind-blowing new technical announcements, it does say something about the ever-changing world we are in and what VMware is bringing to help IT business with these changes and challenges.

The VMware strategic priorities are divided into three pillars to continue to serve the liquefying IT world. Within these strategies there are no limits, and this was also the theme of VMworld this year (maybe no limits is not that good for the VMworld parties 😉 ).

As we learned from the keynotes the current IT world is moving from a rigid, known, limited IT environment to a more liquid, unknown, unlimited, accessible from everywhere and every device IT environment. Here new business models are needed where data and applications are presented in a uniform way to the users and the devices they are using.

Strategy - Overview 1

These IT business models need more AND decisions instead of the OR decisions they currently see. We don’t build the infrastructure for traditional applications or cloud applications, on or off-premise; we build the infrastructures for traditional and cloud applications, available on and off-premise depending on the user and application requirements. The power of AND. And this also holds for the mentioned VMware strategic pillars, where cloud is the returning component in the SDDC, Hybrid Cloud and EUC for cloud mobility. Cloud in all its glory: private, hybrid, mobile, cloud applications and public cloud services.

Strategy - Power of AND

Software-Defined Data Center (SDDC)

Continuing to further virtualize the data center, from compute virtualization via flagship vSphere (now in vSphere 6.0 Beta) to virtualizing the network (via NSX) and storage (via Virtual SAN/VSAN and Virtual Volumes). This can be done by designing and building your own building blocks (as long as those blocks are on the VMware compatibility matrix), or with VMware ready partner building blocks optimized for vSphere and Horizon View. Since VMworld, VMware has introduced another building component, the VMware Hyperconverged Infrastructure Architecture in the form of EVO:RAIL and EVO:RACK (the big brother of EVO:RAIL for cloud scalability). These are complete OEM hardware building blocks combining compute, networking and storage, with VMware vSphere and VSAN ready to go (a somewhat simplified explanation). This reduces deployment times and complexity, and optimizes resources and performance for a number of reasons. Rack, cable and create an initial configuration from defined wizards and their configuration. Deploy VMs in 15 minutes with pre-defined VM configuration blocks. Or create your own VM configuration based on your needs, security and such. This probably takes a little more than the announced 15 minutes, but still significantly less time than when using your own building blocks or VMware ready blocks.
At the partner level of news, HP is introduced as a partner in EVO:RAIL, networking and enterprise mobility; it is exciting to see what that will bring from the partner ecosphere.

Strategy - SDDC Compute Strategy - SDDC Network Strategy - SDDC Storage

End-User Computing (EUC) in a Mobile Cloud Era

This is one of the layers needed for providing applications and data that run on VMware software products. In the last year there were several knowledge investments (or takeovers) that were needed to put the VMware EUC mobile cloud strategy in the right place on the IT world map. This started with the acquisition of Desktone for Desktop as a Service (DaaS), AirWatch as a leader in enterprise mobile device management, and the latest Cloud Volumes acquisition for delivering virtualized applications (announced around VMworld US). Next to this, VMware updated its own product from a VDI to a hybrid VDI and published application/desktop product suite with the VMware Horizon Suite updates. Additionally, VMware announced Just in Time Desktops for mobile users, Horizon Flex for offline BYOD desktops and Project Fargo for rapid duplication and sharing of resources of EUC virtual machines.

Hybrid Cloud

Cloud is everywhere. It could be that a strategic model with the Hybrid Cloud pillar positioned between the SDDC and EUC pillars is a little unclear, as it is not a pillar on its own (but that is that whole AND that was in Pat’s keynote). The cloud pillar is partly for transition and partly for allowing new cloud related functionality from inside and outside of the VMware product groups. You can also see this a different way: SDDC and EUC are delivered in the cloud, for the cloud, whichever cloud definition this is. But I can see that a business model and strategy requires a little more than just a theoretical term that is everywhere.
The VMware strategy breathes and revolves around cloud. The cloud is presented in services for the private cloud (the local on-premise data center services in SDDC) and the public cloud (the publicly accessible services and cloud applications). Around this are tools to move as seamlessly and as fast as possible from the one cloud to the other without affecting, but serving, the user. Users move from on-premises workspaces, to traveling workers, back to the office workspaces and to home. All those places have their devices and infrastructures, and all need a form of interaction with the company data and applications. In the private cloud the important products are the SDDC. To move from private to a hybrid cloud VMware earlier introduced vCloud Hybrid Services. This got more body (more services like DB as a Service) and a re-branding to vCloud Air. At VMworld a new location for vCloud Air for the EMEA market was announced: Germany will offer a new vCloud Air location.
This last year the main usage of the hybrid cloud was as a Disaster Recovery endpoint and for testing and developing. This needs to be expanded to other vCloud services like (but not limited to) virtual private cloud (the starting point for IaaS in the cloud for old and new workloads), DB as a Service (DBaaS, MSSQL and MySQL) and further use of DRaaS.

The IT business experimental phase of cloud is over; now the professional phase is starting, with more and more production workloads landing on the cloud. The growth from 2% of workloads in the cloud in 2009 to 6% in 2014 does not show a lot of cloud adoption, but the exceptional growth in the last year (the 6%) is showing faster cloud adoption. Are you next?

vCloud Air is not only positioned for VMware related workloads; vCloud Air is also meant to host new cloud applications for mobile devices or legacy applications created in your own DevOps environment. vCloud Air is a central platform that allows other hypervisors than just the VMware proprietary one.

vCloud Connector (free), as a product or integrated with vCloud Director and vRealize Automation (the artist formerly known as vCloud Automation Center or vCAC), is one of the tools to move workloads from the private cloud to vCloud.

The vCloud Air Virtual Private on Demand beta is opened. An on-demand service that offers the flexibility to rapidly expand capacity and to integrate with the existing local infrastructure. A workspace in minutes and within a few easy steps. Direct access to cloud services that are the same as the onsite VMware infrastructure. Just have a credit card ready. Pay per minute for the resources you use. Support for 5000+ VMware certified applications and 90+ OS.

An overview of this and other Beta programs from these announcements can be found in my previous blog post: https://www.pascalswereld.nl/2014/10/15/vmworld-barcelona-keynote-mentioned-beta-and-early-access-programs-link-list/.

Docker containers

A combined architecture of VM’s and application containers is nothing new for this VMworld. More and more organizations are rapidly adopting the Docker platform as it allows them to ship applications faster. Whether these applications are delivered to bare metal, virtualized data center, or public cloud infrastructures, it must not matter. For IT businesses seeking to efficiently build, deliver, and run enterprise applications, Docker and VMware deliver the best of both worlds for developers and IT/operations teams. Docker integration is brought to several VMware products.

Cloud management

Management of the private and public cloud, or physical environments, is delivered via the vRealize suite. vRealize is a suite of management tools for SDDC compute, network and storage virtualization, cloud and EUC (vRealize for Horizon). vRealize is a collection that comes partly from re-branding and partly from new features of well-known existing components. Automated provisioning of applications and infrastructure is done via vRealize Automation (formerly known as vCloud Automation Center or vCAC), management and monitoring is done via vRealize Operations (vCenter Operations Management), and IT billing and cost management is done via vRealize Business (ITBM, or IT Business Management). Not just a new name but also improved visualization, proactive alerting, improved capacity planning, project management with what-if scenarios and automated resolving of found issues. Not just for the VMware products, but also provisioning and management of physical or other hypervisor platforms such as Hyper-V, KVM or OpenStack clouds.

Announcement overview Strategy - SDDC Management

 

+++ Are you ready to go beyond your current limits?

Looking to find more information on VMware products, take a start here: http://www.vmware.com/products/?src=vmw_so_vex_pheld_277.

Next up I will be drafting, from my VMworld notes, some posts about product demos and technical briefings from my multiple visits to the partner ecosphere at the VMworld Solutions Exchange. I will be doing (or at least trying) a series about the technologies these partners and exhibitors are offering, so stay tuned.

Sources: vmware.com.

 

VMware Horizon View 5.3 is available for download and new feature list

VMware Horizon View 5.3 is available for download and can be downloaded at the following location: https://my.vmware.com/web/vmware/info/slug/desktop_end_user_computing/vmware_horizon_view/5_3.

So what new features are available with version 5.3?

The following features are new to this version:

  • 3D graphics with virtual dedicated graphics acceleration (vDGA). This lets View use complex 3D graphics in your VDI environment. In combination with vSphere.
  • Virtual Shared Graphics Acceleration (vSGA) now supports AMD/ATI graphics cards next to the NVidia cards.
  • Improved Real-Time Audio-Video experience and performance. With encoding and compression techniques seriously reducing bandwidth consumption. This enables rich communication and collaboration for end users over WAN links. Available in the feature pack.
  • Enhancement to mobility features in HTML5 and Unity Touch. Use Blast HTML to provide end users with a mobile workspace experience even when the client is not available. Also available in the feature pack.
  • Windows 8.1 support. Support for the latest Windows version as virtual desktop.
  • VMware® ThinApp® 5.0. Support for application virtualization of 64-bit applications. The support of 64-bit applications in VDI environments starts with VMware Horizon View 5.3.
  • Manage persistent virtual desktop images with VMware Horizon Mirage™ 4.3. Before 4.3 Mirage was only supported with physical images.
  • Virtual SAN or VSAN support. Leverage Virtual SAN for your Horizon View VDI deployments (maybe a little overdone, but Virtual SAN is Beta).
  • Support for Windows Server 2008 as virtual desktop.
  • View Agent Direct Connection (VADC). An optional plugin for end user sessions without having to authenticate into a connection server. This lets your users connect to sessions when a WAN link isn’t available (due to connection problems, poor bandwidth or high latency). Perfect for your mobile workforce.

So go out and download this version if you haven’t already. Test, plan and update your reference architecture for new deployments with this version.

The updated versions of View, Mirage and ThinApp (etc.) are also available via the Horizon suite download link: https://my.vmware.com/web/vmware/info/slug/desktop_end_user_computing/vmware_horizon_suite/1_0.

– Enjoy delivering a mobile workspace with VMware Horizon!