The Evolution of VMware Horizon for Hybrid and Multi-Cloud Deployments of Virtual Desktops and Applications
Today we announced the general availability of the latest major update to VMware Horizon with Horizon 8. Current events have accelerated the deployment and consumption of virtual desktops and applications across many industries adapting to remote work requirements. For example, some of our largest customers have over 200K users working from home on VMware Horizon, seamlessly accessing their desktops and applications on corporate-issued laptops and BYOD devices on various endpoints, under a variety of network conditions.
It’s been almost four years since we released Horizon 7, where we brought many innovations to market including our Blast Extreme protocol. With quarterly releases of VMware Horizon since then, we have delivered over 100 new features that enable the best end user experience and management capabilities for virtual desktops and applications. Let’s take a look at some of the new features we have added to Horizon in this latest release, as well as some of the highlights we’ve delivered over the last few years as we continue to strive to provide value and customer success.
Broad Deployment Options
Horizon offers customers a wide range of deployment options, both on vSphere and non-vSphere environments. We support the deployment of Horizon 8 on-premises or in the public cloud, such as VMware Cloud on AWS, Azure VMware Solution (AVS), currently in preview, and Google Cloud VMware Solution (GCVE). Customers can also deploy Horizon on non-vSphere environments (e.g. AWS Native) by leveraging our unmanaged machine option, which includes physical computers and virtual machines running on virtualization platforms other than vCenter Server. Desktop-as-a-Service options are also available with Horizon Cloud on Microsoft Azure and Horizon Cloud on IBM Cloud, giving customers a further choice of deployments on VMware or partner-managed infrastructure.
Delivering Exceptional End User Experience with Blast Extreme Protocol
Since the introduction of Blast Extreme protocol in Horizon 7, we have added several key capabilities to Blast protocol that improve end user experience while minimizing resource consumption through automation and granular controls. We have partnered closely with NVIDIA on many of these enhancements, especially for 3D graphics workloads. Read more about our integration with NVIDIA here.
New Codec Options:
✓ HEVC – For 3D graphics workloads that leverage GPUs, especially on 4K/8K monitor displays, with a broad range of NVIDIA GPUs.
✓ BlastCodec – Optimized for low CPU and bandwidth consumption while delivering a great user experience for task workers and knowledge workers.
✓ Switching codec – Switch between H.264 and Blast Codec depending on application/screen content.
Blast Extreme protocol fully leverages the endpoint capabilities to offload H.264 and HEVC decoding to ensure exceptional user experience. This includes support for both 4:2:0 and 4:4:4 chroma subsampling for optimal color and quality.
Blast Extreme Adaptive Technology:
✓ Delivers the best experience for LAN and WAN environments by dynamically adjusting to varying network conditions.
✓ Dynamically switches between TCP and UDP transport sensing bandwidth/latency changes within the network.
Blast Extreme Optimization Options:
There are several granular controls available to help fine-tune and optimize the end user experience, including:
✓ Frame Rate
✓ Bandwidth usage
✓ Codec selection
✓ TCP/UDP transport
✓ Display quality
✓ Quality of Service (QoS)
Leverage this optimization guide, or talk to a VMware expert who can help you with optimizing your environment based on your use cases.
Blast Extreme Security
A strong emphasis has been put into ensuring Blast Extreme protocol delivers the highest security when end users access their virtual desktops and applications remotely on any network. Blast Extreme includes the following security features:
✓ AES (Advanced Encryption Standard) encryption – All TCP connections use SSL/TLS web sockets to encrypt communication. TLS 1.1 and 1.2 are supported. All UDP connections are encrypted with DTLS encryption. These encryption mechanisms apply to the H.264, H.265, and JPG/PNG codecs.
✓ Security certificates – For external connections, Blast Extreme can use the security certificate on the Unified Access Gateway appliance. Blast Extreme can also use the certificate thumbprint of the Blast Secure Gateway or virtual desktop. A certificate thumbprint is a cryptographic hash of a certificate.
✓ SHA-256 signatures – Blast Extreme uses the latest security algorithms, including SHA-256.
✓ Dual IPv4/IPv6 support – When using Blast Extreme, Unified Access Gateway can be used to bridge between IPv6 VMware Horizon Clients and an IPv4 backend and agents. The Horizon Clients can use either IP version 4 or 6. Blast Extreme must be on TCP 443 only (as described for port sharing).
✓ FIPS support – FIPS-ready libraries are used across the products per VMware standards.
✓ Port sharing – If you use a Unified Access Gateway virtual appliance for connections from outside the corporate network, the connection uses TCP port 8443 by default and optionally UDP port 8443. It is possible to configure the Blast External URL on the Unified Access Gateway appliance to use port sharing on TCP port 443 so that no additional ports need be opened on the front-end firewall.
Support for Intel AVX2 Instructions
Advanced Vector Extensions (AVX, also known as Sandy Bridge New Extensions) are extensions to the microprocessors first supported with the Sandy Bridge processor. AVX provides new features, new instructions and a new coding scheme.
Blast Extreme protocol fully leverages AVX2 instructions, where they are available, to optimize encoding of Blast Extreme frames before they are sent over the network to the endpoints for decoding.
Remote Experience Features
Publish Apps from Windows 10 Desktop Pools
VMware Horizon provides the ability to publish applications from Windows 10 desktop pools. This feature is useful while delivering published applications that are not compatible with Windows Server. It also provides the ability to publish Windows UWP applications to end users.
The Session Collaboration feature allows end users to invite others to join an existing remote desktop session. Up to 20 users can join a single desktop session from a variety of endpoints, amplifying collaboration in today’s work from home environments.
USB Port Consolidation
Opening an organization’s external firewall ports to allow USB peripherals for users connecting remotely used to cause delays, as it would trigger additional internal processes. With USB port consolidation, IT admins can now enable USB peripheral access over virtual channels leveraging standard protocol ports 443/8443, greatly accelerating the time to deploy Horizon.
Improvements to Real Time Audio Video
Real Time Audio Video (RTAV) is leveraged by many customers for voice and video experience where an optimization pack for Horizon may not exist. While this does not avoid hairpinning, RTAV has been significantly optimized to leverage H.264 codec technology for improving end user experience along with delivering savings in CPU and bandwidth consumption on both the endpoint where Horizon Client is installed and on the virtual machine.
With Browser Redirection, when a user launches the Google Chrome browser in a remote desktop, the website is rendered on the client (endpoint) system instead of the agent (virtual machine) system, and it is displayed over the remote browser’s viewport. The viewport is the portion of the browser window that displays the content of a web page. This feature helps to improve user experience for browser-based applications while limiting VDI traffic as the source of the webpage is directly accessed by the client.
VMware Integrated Printing
With VMware Integrated Printing, users of Horizon Client for Windows, Mac, Linux, Chrome and HTML Access can print from a remote desktop to any local or network printer available on their client computer. VMware Integrated Printing supports client printer redirection, location-based printing and persistent print settings. In addition to leveraging a universal printer driver, VMware Integrated Printing also allows native printer drivers to be used within the desktop, allowing users to fully leverage all printing capabilities and finishing options.
Horizon now supports a new Digital Watermark feature to enable IT administrators to help protect corporate information and intellectual property. The session watermark helps IT administrators deter users from taking photographs and screenshots and enables tracking of data theft by placing traceable information on the session desktops.
Drag and Drop Applications from Local Machine to Virtual Desktop
With Horizon, you can now drag and drop files, folders, text, rich text, and images between the endpoint system and remote desktops and published applications. This is ideal for customers where users access certain published applications via Horizon but use their local machine for all other applications.
Improved Peripheral Support
As we continued to address the needs of our Healthcare vertical, providing a reliable experience for peripherals became critical. To help with that, we established a validation lab where each peripheral is tested with every release of Horizon. You can find the validated peripheral list here. While it’s impossible for us to test every peripheral that is used by our customers, this list captures a broad range of peripherals from various device classes.
Unified Communications is a critical aspect of how businesses thrive when the workforce is spread globally. User experience for voice, video and screen-sharing is a critical aspect of any collaboration platform, and virtual desktop users can also enjoy a great user experience thanks to the optimization packs for Horizon. While VMware has invested in building optimization packs for Microsoft Teams and Skype for Business, we also enabled our partners such as Cisco WebEx and Zoom to build optimization packs for Horizon leveraging our Session Enhancement SDK.
HTML Admin Console
An HTML admin console was introduced in Horizon 8 and some prior versions to replace the Flash-based console. The HTML admin console also heavily leverages the RESTful APIs that we have added to Horizon, which we will talk more about later in the blog. Using the Horizon Console, you can manage your desktop and application pools and farms, segment the type of access given to end-users based on an enhanced role-based access mechanism and do cross-pod management using Cloud Pod Architecture (CPA) from any browser. Learn about the details of HTML admin console in this blog.
Instant Clones have most of the features of Linked Clones. In addition, Instant Clones are faster to provision, don’t require additional components like the View Composer server and database, and are much more manageable. The most compelling value of Instant Clones comes in the patching process. You can do a rolling patch with Instant Clones without having to take down the pool at all, and therefore with zero downtime. With the release of Horizon 8, Instant Clones are now supported in all packages where Linked Clones were supported.
Instant Clones have been enhanced to support Smart Provisioning. Smart Provisioning is the ability for Horizon to choose the best way to provision an instant clone depending on the environment. In certain cases, instant clones are provisioned to optimize for the speed of clone creation by creating and leveraging parent VMs on each host. In other cases, when speed is not paramount, they can be provisioned in a way that does not require parent VMs, thus freeing up more host memory for desktop workloads. Horizon can seamlessly choose one method or another without the administrator’s involvement, sometimes even in the same pool.
Resiliency, scale and upgrade capabilities have been improved in the Connection Server to support large-scale deployments.
Connection Server provides the following management capabilities:
✓ Authenticating users
✓ Entitling users to specific desktops and pools
✓ Assigning applications packaged with VMware ThinApp to specific desktops and pools
✓ Managing remote desktop and application sessions
✓ Establishing secure connections between users and remote desktops and applications
✓ Enabling single sign-on
✓ Setting and applying policies
✓ Ability to assign multiple users to persistent desktops
✓ Support for up to 4K connections per instance
Dynamic Environment Manager
VMware Dynamic Environment Manager simplifies end user profile management, personalization and dynamic policy configuration across any virtual, physical and cloud-based Windows desktop environment. Time-to-desktop and time-to-application are accelerated by replacing bloated roaming profiles and unmaintainable, complex logon scripts with a single, light-weight and scalable solution that leverages existing infrastructure. It maps environmental settings (such as networks and printers), and dynamically applies end-user security policies and personalization settings. Some of the key benefits of Dynamic Environment Manager are:
✓ Centralized and simplified user environment management with policies and settings
✓ Consistent and personalized experience
✓ Enterprise-grade scalability
✓ Supports both user and machine policies
App Volumes 4.0
App Volumes simplifies application delivery by employing dynamic new methods of delivering applications in real-time based on the user and user groups. Providing applications to your end users involves packaging, delivering and updating them, all of which can be challenging, whether in a physical or virtual environment. VMware App Volumes 4.0 includes enhancements to simplify both application lifecycle management and app assignments, as well as enhance user experience. For details, please review this blog.
VMware Horizon has supported PowerCLI and View API for many years. While this is great for handling automation and reporting, many of our customers don’t want to have to rely on Microsoft PowerShell and VMware PowerCLI tools. Instead, they want to leverage RESTful APIs to create compiled applications with the flexibility of choosing different programming languages.
We have diligently worked to add RESTful APIs to Horizon which can be leveraged by our customers and partners. These APIs are fully documented with examples on the VMware developer documentation website. These include APIs for monitoring, deployment and managing day two operations of Horizon. We will continue to introduce more and more APIs with every release of Horizon based on requests from customers and partners. Any new feature will also be designed with an API-first approach to facilitate automation.
Horizon Apps allows IT administrators to deliver business-critical Windows and Linux apps cost-effectively alongside SaaS and mobile apps by bringing them all together in a single unified digital workspace with single sign-on (SSO) authentication. Yes, you read that right: we have introduced the ability to publish Linux applications with this release.
Horizon Apps publishing is also leveraged heavily in Healthcare today to deliver EMR applications in conjunction with our ecosystem partners. The VMware Horizon Deployment Guide for Healthcare leverages many years of our experience working with Healthcare customers and documents the best practices for a successful Horizon deployment.
Horizon Extended Service Branch
With Horizon Extended Service Branches (ESB), IT administrators can leverage the maintenance updates for bug fixes and security fixes, rather than being worried about constant feature changes between releases. This is critical for customers who are running 24/7 operations and may not want to upgrade Horizon infrastructure very often.
✓ Each update will only contain critical bug fixes, security fixes and new Windows 10 support; no new features will be added to these updates.
✓ Products and features covered as part of the ESB are Horizon Server & Agents, App Volumes (AV) and Dynamic Environment Manager (DEM), formerly User Environment Manager.
✓ AV and DEM will each have a corresponding ESB with a coordinated release cadence.
✓ Whenever a maintenance update is released, corresponding release notes and download pages will reflect the ESB update explicitly.
✓ Approximately every 12 months, a new ESB release version will be available, accumulating updates and features since the previous ESB release.
✓ No new special licensing requirements are needed for ESBs. They are available to all VMware Horizon customers.
✓ With Horizon 8, ESB will be extended to 3 years of support from the current 2 years.
With Cloud Pod Architecture (CPA), you can link together multiple pods to provide a single large desktop and application brokering and management environment.
A pod consists of a set of Connection Server instances, shared storage, a database server, and the vSphere and network infrastructures required to host desktop and application pools. In a traditional Horizon implementation, you manage each pod independently, but with Cloud Pod Architecture, you can join multiple pods to form a single Horizon implementation called a pod federation.
A pod federation can span multiple sites and datacenters and simultaneously simplify the administrative effort required to manage a large-scale Horizon deployment. To meet the demands of large institutions, who are pushing the limits of Horizon deployments by delivering virtual desktops to a majority of their employees, we increased the scale of Horizon to support up to 20K sessions per pod, 50 pods across 15 sites and 4K connections per Connection Server. This enables customers to support up to 1M users in a single Cloud Pod Architecture (CPA) deployment.
Common Cloud Services
Our vision for VMware Horizon is to enable a true hybrid cloud environment, enabling customers to deploy desktops and applications on-premises, in cloud environments, or in a combination of the two. Horizon provides a single pane of glass to manage this hybrid cloud environment through the Horizon Control Plane for customers who have subscription licensing.
Some of the services provided to our customers are:
Cloud Monitoring Service is built into Horizon Control Plane to monitor sessions, applications, usage reports, infrastructure, health status, agent information, client information, reporting and other information useful for managing a Horizon environment. Cloud Monitoring Service works in a multi-cloud environment and supports both on-premises and cloud deployments.
Help Desk is an intuitive web application accessible via the Horizon Control Plane designed for support staff and admins to easily look up user sessions, troubleshoot problems and perform desktop maintenance operations such as restart or reset desktops.
Universal Brokering and Multi-Cloud Assignments
Universal Broker and Multi-Cloud Assignments are cloud services that easily enable the admin to entitle end-users to desktops and applications spanning multiple sites. Not only that, but end users can also now access their desktop and application entitlements from a single interface, regardless of whether the workloads are running on-premises or in the cloud. Universal Broker is especially beneficial to avoid hairpinning of protocol traffic and east-west traffic across pods and GSLBs (Global Server Load Balancers).
Horizon Image Lifecycle Management introduces a simplified and comprehensive content management and distribution framework for Horizon customers which requires minimal hands-on support. It is focused on managing Windows settings and line of business applications. It provides a simple mechanism for change management with easy ways to distribute images across Horizon pods, update fleets of pools with a single command via markers, build a catalog from existing templates and snapshots, and keep track of changes with versioning.
Cloud Connector acts as the bridge that connects any on-prem Horizon deployment to Horizon Control Plane services. Cloud Connector was established initially to enable license management but has been expanded to leverage Horizon Control Plane services such as Image Management, Monitoring, Universal Broker and more. The Cloud Connector comes included with the Horizon subscription and can either be deployed manually or automatically via the Horizon Lifecycle Manager cloud service. The Cloud Connector now also supports automatic upgrade capability.
Horizon Client Enhancements
Horizon supports a broad range of clients and all types of endpoints designed to give customers flexibility. We aim for ease of use and smooth functionality for all our end users using operating systems like Windows, Linux, macOS, iOS, Android, Chromebook and HTML/browser access. A large part of our efforts on the Horizon Clients has been to enable and improve remote experience capabilities, which we talked about previously in this blog.
One of the major areas of focus for Horizon Clients is to enable a great user experience leveraging the underlying hardware platform for Blast Extreme protocol.
Desktop Horizon Clients
To support the popularity of bring-your-own-device (BYOD) initiatives, we offer clients for a variety of endpoints, including Horizon Client for Windows, Horizon Client for Linux and Horizon Client for Mac. Our integration, through VMware UAG, with OPSWAT MetaAccess allows customers to check the end user’s device security posture before allowing it to connect to Horizon. As users add high-resolution monitors, the Horizon client has settings to allow the end user to select which screens they want to use and at what resolution/scaling. To get users working faster, we’ve added support for pre-launch, either as an API directly to the Horizon server or on the endpoint to kick off your apps or VM on connection. We’ve also added support for pushing administrator-specified shortcuts down to the endpoint for easy launching on Windows and macOS. Accessibility is an ongoing priority, and towards that end we’ve added Windows key commands to help users navigate in and out of sessions.
Mobile Horizon Clients
Taking a cue from the market, we added support for derived credential authentication in our mobile clients. By creating a virtual smart card with the local certificate, users can authenticate to Horizon and forward the card into the VM to use with applications running remotely. The Horizon Client for iOS and the Horizon Client for Android also work with the OPSWAT MetaAccess agent for endpoint security checking. Customers with Workspace ONE UEM can preconfigure the mobile Horizon Clients. We work beautifully with Samsung DeX, giving users a full Windows system in their pocket. iOS users can run a presentation from their VM and use their iPhone as a remote control.
HTML Access & Horizon Client for Chrome
HTML Access gives users access to their virtual apps and desktops from a wide variety of browsers, including our own Workspace ONE Web. From a Chrome browser, you can get a full-screen desktop across two monitors. Using the latest APIs from Google, VMware completely rewrote the Horizon Client in the Chrome Web Store. Since the launch, we’ve added improvements such as printing, smart card authentication, drive redirection, support for an additional monitor, and controls from the Google Admin Console or Workspace ONE UEM. Launching from Workspace ONE web portal into Horizon Client for Chrome works seamlessly.
VMware has been listening to customers and making improvements to our supported use cases. We’ve expanded the double hop, or nested, cases we support, allowing customers to access remote desktops and apps from within a Horizon VM. We also added support for full IPv6 networks or IPv4 and IPv6 at the endpoint, translated to IPv4 through UAG. We strive for day-0 support for all OS updates, and when we can’t achieve that we follow up with a quick point release. We work closely with our thin client partners to test, validate, and certify a wide range of endpoints. Customers who use Horizon with Workspace ONE can enforce launching policy from the web catalog by setting up Workspace ONE mode. Lastly, we’ve made significant improvements to the look and feel of the Horizon Clients since Horizon 7 first launched, including adding support for dark mode.
Horizon supports a broad range of software ecosystems and thin client partners who work with us closely via our Technology Alliance Program (TAP). The Technology Alliance Partner (TAP) Program enables partners to develop and deliver proven solutions that work in conjunction with VMware Horizon by providing tools and resources to test, integrate and package joint products.
The Horizon platform modernizes virtual workspace delivery and management with an agile, lightweight approach that spans the hybrid cloud. The result is secure, fast, and simple virtual desktop and application delivery that extends the best digital workspace experience to all apps.
This release has been made possible by the efforts of our Product Management and R&D team, Customer and Sales feedback and collaboration with our partners across various verticals. I would like to take this opportunity to thank everyone involved and look forward to strong adoption of Horizon 8.