Modernizing and Securing Desktop Infrastructure with VDI

– An Overview of VMware Horizon 7

written by Geoff Shough

In early 2020, many organizations were forced to rapidly adapt to a world where their employees worked remotely. Although the remote/mobile workforce trend was well underway before COVID-19 and many organizations thought they were mature in that journey, the abrupt shift, en masse, to a largely remote workforce brought to light many weaknesses in organizations’ current infrastructure. They faced challenges with security, access, provisioning, and management of desktop resources.

For organizations to properly support their remote workforces, a modern desktop infrastructure is needed that allows for the delivery of desktops and apps with cloud-like economics and elasticity of scale. This new infrastructure should be easier to manage than a traditional desktop infrastructure and be more secure. VMware’s Horizon 7 virtual desktop infrastructure delivers on these goals.

Before we explore how Horizon 7 delivers a modern desktop infrastructure, let’s review what the old way of working looked like vs. the new ways.

The old ways were characterized by:

  • 9-5 jobs. Employees came into the office and worked during a dedicated block of time. There was limited ability to do work outside the office.
  • Employees would log on to a dedicated desktop or shared desktop with separate logins. Those desktops had an OS, files, user data, etc., installed on a local hard drive.
  • For IT teams, this meant dozens, hundreds, and even thousands of local configuration points or images to manage.
  • Data was on the internal network and behind the company firewall.

The new ways of working are characterized by:

  • Remote and mobile workforces where employees work in more than one location and hours are less well defined.
  • Desktops and endpoints are not protected by the company’s firewall and are off the internal network. This potentially presents a greater security risk due to a larger attack surface.
  • The proliferation of device types, operating systems and applications presents management challenges.

The ideal for this new way of working is any app, on any device, in any location, accessed via a single digital workspace.

Let’s now look at Horizon 7’s high-level logical architecture and define its major components to understand how a modern desktop infrastructure works.

Figure 1.

We start with end-users and their Horizon clients. End-users have the option of connecting to the Horizon environment via a client installed on their device or through a web browser on their device that supports HTML5. The Horizon client is what allows a physical device such as a desktop, laptop, tablet, or phone to access the Horizon environment. If a user is remote, they can securely connect through VMware’s Unified Access Gateway (UAG), which is deployed as a virtual appliance running a hardened, locked-down Linux operating system. The UAG has some advantages over VPN and ensures that the only traffic entering the corporate data center is traffic on behalf of a strongly authenticated remote user. Multiple display protocols are supported. VMware’s Blast Extreme has feature parity with the PC over IP display protocol and is the required display protocol when accessing Horizon via HTML5.

If a user is local, inside the company firewall, they will first pass through a load balancer (as will the remote user after coming through the UAG) before reaching the connection server. The connection server does many things in the Horizon environment, including user authentication via Active Directory, brokering connections to resources, and running the instant clone engine (more on that later). From the connection server, users are presented with the desktop pools and applications they are entitled to (see figure 2 below for what that dashboard looks like for the end-user). The Horizon agents provide the connectivity to these entitled applications and desktops. The agent is a software service installed on the guest OS of all target VMs and Remote Desktop Session Host (RDSH) servers.

The last three components in figure 1 that we will discuss constitute the Just-in-Time Management Platform (JMP).

They are:

  • Instant clones
  • Dynamic Environment Manager (DEM)
  • App Volumes

Instant clones allow for fast desktop and RDSH provisioning, App Volumes rapidly delivers applications to desktops and RDSH servers, and DEM is used for persisting user settings.

The JMP technology contributes greatly to a better user experience and simplifies desktop and application provisioning and management. We will take a closer look at how JMP does this after first reviewing some of the ways Horizon provides for a secure desktop infrastructure.

Figure 2.

VMware’s Horizon 7 secures desktop infrastructure in many ways. First, consider that without VDI, where remote workers have traditional desktops and laptops, data is outside the company data center and on those endpoints. This presents a large attack surface (see figure 3 for non-VDI vs. VDI). With Horizon, however, no data leaves the data center (unless permitted by IT), and only the pixels of the virtual desktop screen and the mouse and keyboard commands move over the network between the endpoint and the VM.

Second, all connections are encrypted. Horizon requires that all client connections use Transport Layer Security (TLS). By default, TLS in Horizon is set to AES-128, but this can be changed to AES-256. SHA-256 algorithms and certificates are used in Horizon for client device authentication. Users opting for the HTML access method have their connections encrypted through HTTPS and are required to use Blast Extreme, which also uses AES-128/256 and SHA-256.

Third, users authenticate via Active Directory, but administrators also have the options of smart cards, single sign-on, SecurID, RADIUS, and SAML.

The last point we will discuss is the security advantage of non-persistent desktops. In Horizon, when users log off a non-persistent desktop VM, that VM is destroyed (vs. a persistent desktop, which is not destroyed on a user logoff event). When the user logs back on, they get a new VM derived from the golden image VM. In that type of environment, if a desktop is compromised by malware, the compromise is only short-lived.

Figure 3.

In figure 3, we see a traditional desktop infrastructure, where employees have desktops with data on them. Each desktop represents an attack surface, and the more endpoints in this model, the greater the attack surface becomes. With VDI, however, the only things moving across the wire are the pixels that constitute the screen and the keyboard and mouse commands. Therefore, the attack surface is essentially reduced to the firewall in the datacenter.
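As an added example (not from the original article or from VMware), the following Python code checks the TLS settings described above against what a gateway actually negotiates: AES-128 by default, optionally AES-256. The hostname `horizon.example.com` is a placeholder, the sample handshakes are constructed, and the legacy-protocol check is an addition beyond what the article states.

```python
import socket
import ssl

# Protocol versions a hardened endpoint should no longer negotiate (added check).
LEGACY_VERSIONS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def probe(host, port=443, timeout=5.0):
    """Handshake with certificate and hostname verification; return (cipher, version)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.cipher(), tls.version()


def assess(cipher, version):
    """Compare a negotiated suite with the settings the article describes.

    cipher is the (name, defining_protocol, secret_bits) tuple from
    SSLSocket.cipher(); version is the string from SSLSocket.version().
    """
    name, _, bits = cipher
    findings = []
    if "AES" not in name.upper():
        profile = "off-policy"
        findings.append(f"{name}: bulk cipher is not AES")
    elif bits == 128:
        profile = "default (AES-128)"
    elif bits == 256:
        profile = "raised (AES-256)"
    else:
        profile = "off-policy"
        findings.append(f"{name}: unexpected key size {bits}")
    if version in LEGACY_VERSIONS:
        findings.append(f"legacy protocol negotiated: {version}")
    return {"cipher": name, "version": version, "profile": profile,
            "findings": findings}


# Constructed sample handshakes (not captured from a real Horizon deployment).
SAMPLES = [
    (("ECDHE-RSA-AES128-GCM-SHA256", "TLSv1.2", 128), "TLSv1.2"),
    (("TLS_AES_256_GCM_SHA384", "TLSv1.3", 256), "TLSv1.3"),
    (("DES-CBC3-SHA", "SSLv3", 112), "TLSv1"),
]

if __name__ == "__main__":
    for cipher, version in SAMPLES:
        print(assess(cipher, version))
    # Live check against your own gateway (placeholder hostname):
    # print(assess(*probe("horizon.example.com")))
```

Because `probe` uses `ssl.create_default_context()`, an untrusted or mismatched certificate raises `ssl.SSLCertVerificationError` before any cipher is reported, which is itself worth recording as a finding.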

Now that we have reviewed some of the security features of Horizon 7, let’s look at how the JMP technology simplifies desktop and application provisioning and management. We’ll start by reviewing how instant clones work (see figure 4 for a graphical overview).

The instant clone process starts with a golden image/master VM. This includes the OS and perhaps apps that all employees in the organization or department share. From there, a snapshot of the master VM is created, followed by a template VM, which is a linked clone to the snapshot VM. This template VM joins the domain so that the domain join process doesn’t have to be performed down the chain when we start creating dozens or hundreds of VMs. That would be quite tedious and time-consuming. Next, a replica VM is created, which is a thin-provisioned, full clone of our template VM. The replica will serve up all the read requests from the instant clones. We then create a linked clone of the replica, called the parent, and boot it up so that we have one per VMware ESXi server per datastore. We keep the parent VM in a running state because once a user logs in to request a desktop, a hot clone will happen from the parent VM’s memory and disk, allowing rapid creation of a child VM that gets assigned to a user. The cloning process only takes 1-2 seconds per VM, and no boot process is required after a clone is created. After the creation of the child VM, the links to the parent VM’s memory and disk are severed, and reads will tie back to the disk and memory of the replica VM. This permits the deletion of the parent VM without consequence to the child VMs. Image updates can subsequently occur through the push-image operation. A new snapshot is taken after changes to the master VM are made, and a new chain is established down to a new parent VM. The Horizon administrator can force logoffs or have the new image assigned whenever the end-user chooses to log off. The next time they log in, they will have a clone created off the new parent VM.

To summarize the advantages of instant clone technology: it eliminates the need for desktop maintenance windows, saves resources because the parent VM is the only desktop running until end users put in requests for them, can eliminate boot storms (the parent is copied in a running state), and provides the security benefit of the desktop being destroyed after logoff.

Figure 4.

The second core component of JMP is App Volumes. Whereas instant clones allow for rapid provisioning of desktop VMs, App Volumes allows for rapid provisioning of application stacks. App Volumes enables us to segment applications and abstract them away from the operating system so we can build application bundles for different groups of users and assign them based on Active Directory (AD) groups. If you move a user from one group in AD to another group, that user’s application assignments will change instantly, as will the applications they see on their desktop.

In figure 5, we show the App Volumes dashboard and three AD groups next to it: marketing, engineering, and sales. This figure shows how a Horizon administrator might want to utilize App Volumes. The administrator takes a clean VM image with just the operating system and then builds out application stacks. Perhaps the admin starts with a core stack, that is, applications most users will need (e.g., Microsoft Office, Avaya phone, Adobe Reader, etc.). The admin then builds out three separate stacks that not everyone in the company will share. The AppStack creation process is simple and can be boiled down to four steps (through a couple of dozen clicks):

Step 1: Name and create the AppStack

Step 2: Provision the AppStack to a clean VM resembling your production VM

Step 3: Reboot the provisioning VM and confirm successful installation

Step 4: Return to App Volumes Manager to assign the AppStack, either immediately or upon the next reboot, to an AD group or individual.

Figure 5.

The last component of JMP is Dynamic Environment Manager (DEM). DEM allows us to persist user personalization data and files. For example, a user can open an application and make changes to it (e.g., modifying the menu bar layout) and have those changes persist to the next logon. Administrators can also use DEM to assign specific applications to network settings and printer mappings. When DEM is combined with instant clones and App Volumes, we get the advantages of non-persistent desktops with the feel of persistent desktops. Figure 6 shows how this works. When a user requests a desktop from a pool and logs in, they receive a generic desktop based on the golden image. App Volumes immediately attaches the user’s AppStack, so they see all their applications when they log on. DEM saves their personalization changes in those applications, so they persist even after the desktop is destroyed. App Volumes can take it further if Horizon administrators choose to enable and assign writable volumes, which allow users to install and configure their applications. The volumes travel with the user.

Figure 6.

Now that we’ve covered some of the core components of Horizon and discussed Horizon security, let’s review how to license a Horizon environment. It’s important to call out that all editions contain bundled vSphere desktop and vCenter desktop licensing, which is strictly for running a VDI environment. If non-VDI server VMs will be mixed in with your desktop VMs, regular vSphere and vCenter licensing should be used. Another important licensing call-out is that, starting with the Advanced edition, vSAN Advanced licensing for desktop is included. vSAN eliminates the need for an external Storage Area Network (SAN) and allows you to deploy a hyperconverged infrastructure on compatible x86 servers. Furthermore, vSAN Advanced has enterprise services such as erasure coding (RAID 5/6) as well as deduplication and compression, with support for all-flash deployments. Finally, to truly get the most benefits from Horizon, the Enterprise licensing edition is recommended. Enterprise not only includes some nice bells and whistles but is also the only edition that gives us JMP.

Figure 7.

References:

Client Device Certificate Authentication Requirements, https://docs.vmware.com/en/VMware-Horizon-Client-for-Windows/5.4/horizon-client-windows-installation/GUID-3C625B78-65B4-4570-8DF4-BECC225FD3D4.html

VMware Blast Extreme Display Protocol in Horizon 7, https://techzone.vmware.com/resource/blast-extreme-display-protocol-vmware-horizon-7#_Toc37245096

Horizon 7 Architecture Planning, https://docs.vmware.com/en/VMware-Horizon-7/7.12/horizon-architecture-planning/GUID-5CC0B95F-7B92-4C60-A2F2-B932FB425F0C.html

Horizon 7 Installation, https://docs.vmware.com/en/VMware-Horizon-7/7.12/horizon-installation.pdf

Horizon 7 Security, https://docs.vmware.com/en/VMware-Horizon-7/7.12/horizon-security.pdf