By Michael Bradley
The June 2014 release of VMware Horizon® 6 brought with it a long list of exciting new features. Cloud Pod Architecture (CPA), RDS-hosted desktops and applications, and integration with VMware vSAN were just a few of the headlines that sent desktop administrators rushing to upgrade.
Although the new features marked huge advances in availability and scalability, they came with certain, shall we say, nuisances. These nuisances had a way of popping up at the most inopportune times, and although not showstoppers by any stretch of the imagination, could become very irritating very quickly. Now, I’m the kind of guy who is easily irritated by nuisances, so, seeing the list of features coming with Horizon 7 made me smile. With this upcoming release, VMware is introducing enhancements that fix three of the items on my personal list of nuisances in VMware Horizon 6. Let’s take a look.
Cloud Pod Architecture Home Sites
The introduction of Cloud Pod Architecture was a huge step forward in providing true high availability and scalability for a VMware Horizon 6 virtual desktop infrastructure. The ability to easily span pools across multiple data centers had been something that VMware customers had been requesting for some time. For the most part, Cloud Pod Architecture did exactly what it was designed to do. However, there was one small thing about it that really irritated me: home sites.
A home site is the affinity between a user and a Cloud Pod Architecture site. Home sites ensure that users always receive desktops from a particular data center, even when they are traveling. Home sites were a nice idea, and worked wonderfully, in most circumstances.
What I found to be irritating was the fact that if resources were unavailable in the user’s assigned home site, Cloud Pod Architecture would stop searching for available desktop/app sessions and deny access to the user, even if there were resources available in an alternate site.
The good news is that, with the release of VMware Horizon 7, this behavior has changed. When a user who is assigned a home site logs in to VMware Horizon, Cloud Pod Architecture will search for available resources in that user’s home site. However, if no available resources can be found there, Horizon will search other eligible sites and, if it finds an available desktop/app session, assign it to the user.
Certificate Single Sign-On
The next nuisance is not uncommon for users logging in to a VMware Horizon® View™ environment using RADIUS, RSA’s SecurID, or even VMware Identity Manager™. In each of these situations, users may not enter their Active Directory (AD) credentials, and, although VMware Horizon “trusts” the user, they may be forced to enter their AD credentials in order to access their Windows desktop. Whether this happens depends on the two-factor authentication requirements and implementation.
This will change with the introduction of certificate SSO. In VMware Horizon 7, certificate SSO allows users to authenticate to a Windows desktop without requiring AD credentials or a smartcard. Authentication is based on a patented process whereby a short-lived certificate is created specifically for the user, allowing authentication to a single Windows session, which then logs the user in. In all cases, the user will have previously been authenticated through another service using other “non-AD mechanisms,” such as biometrics, SecurID, RADIUS, or VMware Identity Manager. The VMware Horizon 7 session is launched using Security Assertion Markup Language (SAML), and the SAML assertion will include a reference to the user’s UPN, which is then used to generate a custom certificate for the logon process.
Desktop Pool Deletion
It’s the stuff of nightmares. A VDI administrator working in the VMware Horizon administrator console accidentally clicks “Delete” on the desktop pool that contains the desktops for every executive in the company. As the administrator watches each desktop delete, all he can do is update his resume and wait for the hammer to fall. If you’ve woken up in a cold sweat with this recurring nightmare, then you are in luck.
With the release of VMware Horizon 7, administrators can only delete desktop pools that are empty. If you try to delete a pool that contains desktops, a message will be displayed, informing the administrator that the pool contains desktops. In order to delete a desktop pool, you must disable provisioning, and then delete all of the desktops from inventory first. This makes it virtually impossible to accidentally delete a desktop pool, allowing desktop administrators everywhere to sleep a little easier.
So, VMware Horizon 7 doesn’t fix nuisances like traffic jams, global warming, or nuclear proliferation, but I’m excited to see its new features and enhancements, and I’m pleased to say that there are plenty more where they came from.
Michael Bradley, a VMware Senior Solutions Architect specializing in the EUC space, has worked in IT for almost 20 years. He is also a VCP5-DCV, VCAP4-DCD, VCP4-DT, VCP5-DT, and VCAP-DTD, as well as an AirWatch Enterprise Mobility Associate.