Upload
anish-reddy-n
View
76
Download
0
Tags:
Embed Size (px)
DESCRIPTION
Workspace architecture
Citation preview
VMware Horizon Workspace Reference Architecture
W H I T E PA P E R / 2
Table of Contents
Executive Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Reference Architecture Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4
Test Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
System Configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Horizon Workspace vApp Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6
VMware vSphere Configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7
Physical Infrastructure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8
Horizon View Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8
Reference Architecture Design . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Workload Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Network Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
External Infrastructure Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Horizon Workspace Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
IP Pools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
NTP 17
Postgres External Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Oracle External Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
vApp Deployment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
vApp Guidance and Upper Limits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Provisioning Users and Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Web Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Mobile Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Horizon File-Sharing Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
VMware ThinApp Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Horizon View Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
About the Authors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Appendix A (Test Methodology) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
The Horizon Workspace vApp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
W H I T E PA P E R / 3
VMware Horizon Workspace Reference Architecture
Executive SummaryVMware® Horizon Workspace™ provides you with a centralized Web management console with which you can both customize and manage entitlements to your organization’s catalog. Your catalog contains resources, such as your organization’s applications and VMware Horizon View™ desktops, as well as the Horizon Files service, which allows users to share files and folders with others.
Horizon Workspace detects user attributes and enforces policies across the applications, data, and desktops. A user’s workspace consists of their set of entitled resources. For each user, you can customize the delivery of Windows, Android, iOS, Web, and Software-as-a-Service (SaaS) applications to a single workspace, while providing users with self-service access to applications and data from anywhere.
In this Horizon Workspace Reference Architecture, we will provide you with all the data that is necessary to construct a well-organized and properly architected Horizon Workspace environment. This Reference Architecture will give you details on how to properly configure your Horizon Workspace environment, using testing data that was measured and observed in various scenarios. This data is used as a proof point for the results that you can expect if the same configurations and conditions are met in your environment.
This reference architecture will guide you through various settings that might be leveraged for specific environmental conditions, as well as provide the details as to when these may be necessary. There are sections of the document that will walk you through each of the interacting pieces of architecture as well. For example, Horizon Workspace can be configured to provide access to Horizon View desktops, and this paper contains guidance on the proper configuration of that integration.
This Reference Architecture is intended as a guide that can be used from the initial stages of the Horizon Workspace plan and design, all the way to production deployment and scale-out.
W H I T E PA P E R / 4
VMware Horizon Workspace Reference Architecture
Reference Architecture OverviewVMware Horizon Workspace combines applications and data into a single, aggregated workspace, with flexible access to the data and applications employees need for productivity, regardless of where they are based. With fewer management points and easier access, Horizon Workspace reduces the complexity of IT administration.
Horizon Workspace is delivered as a virtual appliance that is easy to deploy onsite and to integrate with existing enterprise services. It helps organizations to centralize assets, devices, and applications and to manage users and data securely behind the firewall. Meanwhile, it enables users to share and collaborate with external partners and customers securely when policy allows.
This reference architecture specifies the sizing and connectivity requirements for a 10,000-user Horizon Workspace application-management and file-sharing solution. The design is illustrated in Figure 1 and Figure 5.
Objectives
This reference architecture describes a production environment for Horizon Workspace supporting more than 10,000 users. It takes into account end users with multiple devices, including PCs, Macs, and mobile devices such as smart phones and tablets.
W H I T E PA P E R / 5
VMware Horizon Workspace Reference Architecture
Test ResultsThe following section provides a summary of the testing done on the Horizon Workspace vApp. For further details, please refer to Appendix A (Test Methodology).
As you review the results, keep in mind that the goal is to support 10,000 users with less than 70 percent vCPU utilization, less than 80 percent vRAM utilization, and less than 100TB of data.
The data-gathering portion of the test was done over a period of one month. We gathered performance metrics that include CPU, memory, and disk.
In Table 1, you will find the data aggregated by virtual appliance role. In each column, you will find the number for the data; MHZ for vCPU and GB for vRAM. We measured the peak and average utilization of each virtual appliance.
VIRTUAL APPLIANCE
PEAK CPU UTILIZATION (%)
PEAK MEMORY UTILIZATION (GB)
AVERAGE CPU UTILIZATION (%)
AVERAGE MEMORY UTILIZATION (GB)
MEMORY GOAL ACHIEVED
CPU GOAL ACHIEVED
Configurator 1.55 0.65 0.66 0.63 4 4
Connector 0.66 3.27 0.31 2.43 4 4
Service 66.2 6.29 36.35 6.23 4 4
Data 17.24 3.04 6.57 2.94 4 4
Gateway 15.13 4.79 4.83 4.49 4 4
Table 1: Test Results
Note that peak CPU utilization is very low in all the virtual appliances except for the Service virtual appliance. The average CPU utilization on all the virtual appliances is fairly low, keeping in mind that the hardware used is recent and helps lower the percentage of CPU used. See the System Configurations section for specifications on hardware used.
W H I T E PA P E R / 6
VMware Horizon Workspace Reference Architecture
System Configurations
Horizon Workspace vApp Configuration
Horizon Workspace is delivered as a SUSE Linux-based vApp, an open virtual appliance (.OVA) file consisting of multiple virtual appliances (VA) deployed through VMware® vCenter™. This solution uses the Horizon Workspace virtual appliances described below, plus VMware Horizon View and VMware ThinApp®.
•VMware Horizon Workspace Configurator (configurator-va) – Provides an administrative console and a Web-based user interface to configure the network, Gateway, vCenter, and SMTP settings of all the appliances in the Horizon vApp. The Configurator appliance also allows an administrator to manage security certificates centrally and add and remove active modules in Horizon Workspace.
•VMware® Horizon Workspace Connector™ (connector-va) – Provides local user authentication as well as Active Directory binding and synchronization services. An administrator can define the directory replication schedule and synchronize Horizon View and ThinApp pools and repositories for provisioning to end users.
•VMware Horizon Workspace Manager (service-va) – Provides the Web-based Horizon Workspace administrative interface, allowing an administrator to configure the application catalog, manage user entitlements, and configure groups and reporting for all the systems in the Workspace vApp.
•VMware Horizon Workspace Files™ (data-va) – Provides the datastore for user files, controls file-sharing policy for internal and external users, provides file-preview functionality, and serves the end-user Web interface for Horizon Workspace.
•VMware Horizon Workspace Gateway (gateway-va) – Enables a single, user-facing domain for access to Horizon Workspace. As the central aggregation point for all user connections, the Gateway appliance routes requests to the appropriate destination and proxies requests on behalf of user connections.
•VMware ThinApp – The solution leverages the existing VMware application virtualization solution.
•VMware Horizon View 5.3 – The solution leverages the existing VMware virtual desktop solution.
W H I T E PA P E R / 7
VMware Horizon Workspace Reference Architecture
SaaS Applications
Horizon Workspace
Core Infrastructure
Horizon Mirage Horizon View
Microsoft Active Directory
Infrastructure
VMware Horizon MirageVMware Horizon
View Security ServerVMware Horizon
View Connection Server VMware Horizon View Composer
VMware vCenter
VMware vCenter
Operations
VMware Horizon Workspace – Admin Console
VMware Horizon Data
Box.netGoogle Docs
Salesforce
Enterprise StorageThinApp Repository
Physical Endpoints
Windows 7
Windows XP
ndo
ws XP
77
ndowXPX
WinX
Windows XP
ws XP
nddowXPXPX
WWinX
Windows XP
wss XP
ndowXPX
WWinnX
Windows XP
wss XP
ndowXPX
WWinnX
VDI Desktop Pools
Figure 1: Overview Diagram
VMware vSphere Configurations
This reference architecture uses vCenter 5.1 and VMware vSphere® 5.1, which offer high availability, distributed resource scheduling, power management, and process and infrastructure monitoring of the Horizon Workspace 1.5 vApp. Three servers were configured to be part of one vSphere cluster.
W H I T E PA P E R / 8
VMware Horizon Workspace Reference Architecture
Physical Infrastructure
The physical infrastructure used in this reference architecture has 3 servers with 16 cores, 256GB RAM, and NFS storage.
•3xServers–16coreseachwithhyperthreadingenabled
•IntelXeonE5-2630L2.00GHz,15MBcache,7.2GT/sQPI
•Totalof768GBofvRAM
•VMFSvolumefordeployingHorizonWorkspacevApp
•10x10TBNFSvolumesforuserdata.Allthevirtualappliancedataconnectsbacktothosevolumes
Note that the total amount of memory available is much more than is required. Server memory was acquired for potential Horizon Workspace growth beyond 10,000 seats without the need to change hardware.
Horizon View Configuration
Refer to the standard VMware Horizon View Architecture Planning guide for the configuration of the Horizon View pod and block. Horizon Workspace leverages any Horizon View deployment that is running version 5.2 or above. A Horizon Workspace user connecting to the Web portal, when clicking on the Desktop tab, will obtain all the desktop pools they are currently entitled to use. Refer to the VMware Horizon View Large-Scale Reference Architecture for best practices and recommendations.
To configure additional options for Horizon View and Horizon Workspace integration, use the Connector Web interface. For more information, see the Installing and Configuring Horizon Workspace guide.
W H I T E PA P E R / 9
VMware Horizon Workspace Reference Architecture
Reference Architecture DesignThis reference architecture supports a 10,000-user Horizon Workspace deployment, including enterprise and Web applications, data, and Horizon View desktop integration, as illustrated in Figure 2.
Mobile Users
WebClient
VirtualAppliance
VirtualAppliance
VirtualAppliance
VirtualAppliance
VirtualAppliance
VirtualAppliance
VirtualAppliance
VirtualAppliance
VirtualAppliance
VirtualAppliance
VirtualAppliance
VirtualAppliance
VirtualAppliance
VirtualAppliance
VirtualAppliance
VirtualAppliance
Internal Users/Clients
Gateway
Connector
Files
Service
RSA
RSA AD
Kerberos LDAP
Con�gurator
Idap-vipPort 8443
Postgres Databasepostgres-db1 (Active)postgres-d2 (Standby)
gw1 togw4
svc1andsvc2
80, 443, 7071, 7072
data1 to data 11Preview-vipPort 80 Preview 1 to 3
conn1andconn6
443
443
443 443
443
8443
5432
Port443
Port: 443Internal VIP
Port: 443External VIP
5432
84438448448484
IP
4344448443444484
34444444
3
44
3
44
3
44
pPort 80
pPort 80
pPort 80Port 80Port 80
ppppiPreview-vi
VMware
OS
APPOSOSOOAPAAAPAAAPPAA
OS
APPOSOSOOAPAAAPAAAPPAA
OS
APPOSOSOOAPAAAPAAAPPAA
Figure 2: Horizon Workspace Architecture Design
W H I T E PA P E R / 1 0
VMware Horizon Workspace Reference Architecture
The deployment specifications are listed in Table 2.
QUANTITY DESCRIPTION VCPU* RAM* HDD*
1 VMware Horizon Workspace Configurator (configurator-va)
1 vCPU 1GB 5GB
1+1 VMware Horizon Workspace Manager (service-va)
4 vCPU 8GB 36GB
1+1 VMware Horizon Workspace Connector (connector-va) – authentication, Active Directory sync, and Horizon View and ThinApp integration
2 vCPU 4GB 12GB
1+1 VMware Horizon Workspace Connector (connector-va) – Kerberos
2 vCPU 4GB 12GB
5+1 VMware Horizon Workspace Gateway (gateway-va)
6 vCPU 8GB 9GB
11 VMware Horizon Workspace Files (data-va) – 1x Master node, 10x User Data nodes
6 vCPU 16GB 300GB
3 Horizon Files Preview Servers (Windows 2008 R2)
4 vCPU 4GB 50GB
2 vPostgres Database Server 4 vCPU 8GB 52GB
*Pervirtualappliance+1forHighAvailability(HA)andBusinessContinuity/DisasterRecovery(BCDR) Table 2: 10,000-User Horizon Workspace Deployment Specifications
The total required resources for this deployment are summarized below:
•139vCPU
•285GBvRAM
•3.73TBdisk
Note: Storage for users is not included in these calculations; 10 user data node* 10TB NFS volumes are used in addition to the storage mentioned above.
W H I T E PA P E R / 1 1
VMware Horizon Workspace Reference Architecture
Workload Considerations
Table 3 details the workload considerations for Horizon Workspace.
QUANTITY DESCRIPTION
User quota and utilization 25GB per user with 5% utilization
File revisions 2x each file
File sharing 10 users and 10 endpoints per hour
Uploads and downloads 20 uploads and 1 download per hour
Horizon View desktop At least one desktop
VMware ThinApp At least one ThinApp application Table 3: Workload Considerations
W H I T E PA P E R / 1 2
VMware Horizon Workspace Reference Architecture
Network Configuration
Communication among the virtual appliances is based on hostnames, so forward and reverse DNS records for the vApp virtual machines and IP addresses are necessary. The initial deployment requires five IP addresses. Plan ahead for your enterprise deployment by understanding how many virtual appliances you expect to need.
By default, the Horizon Workspace vApp is accessible only to users inside the DMZ. To provide external access (from outside the firewall) to Horizon Workspace, install a reverse proxy or load balancer using SSL termination, as shown in Figure 3.
Horizon Workspace vApp
443 443
VirtualAppliance
gateway-va
VirtualAppliance
service-va
VirtualAppliance
connector-va con�gurator-va data-va
VirtualAppliance
VirtualAppliance
External Load BalancerHostname: Horizon Workspace FQDNExample IP address: 64.x.y.zPort: Horizon Workspace portMust enable X-Forwarded-For headers.
Internal Load BalancerHostname: Horizon Workspace FQDNExample IP address: 10.x.y.zPort: Horizon Workspace portMust enable X-Forwarded-For headers.
gateway-vaHostname: gateway-va.company.comIP address: 10.a.b.cPort: 443
External Users
DMZ Firewall
HosExaPortMus
ll
Internal Users
Workspace vApp
InteHosExaPortMus
Figure 3: Network Configuration with External Access
W H I T E PA P E R / 1 3
VMware Horizon Workspace Reference Architecture
Horizon Workspace FQDN =workspace.company.com
Horizon Workspace FQDN =workspace.company.com
HTTPS (TCP 443)
SSL Termination (Client)
SSL Termination (Client)
SSL (from Load Balancer)
SSL (from Load Balancer)
Insert X-Fowarded-For
Insert X-Fowarded-For
Health Monitor HTTPS Header
Load Balancer / Reverse Proxy
VirtualAppliance
gateway01.corp.localHTTPS (TCP 443)
VirtualAppliance
gateway02.corp.localHTTPS (TCP 443)
HTTPS (TCP 443)
w
w
aBala
o
d
o
d
i
(from Load
PPP
SSL Terminati
SS
roxy
SL (from Loado
Load Balancer / Reverse Proxy
Con (C
d
o
d
o
d
i
PPP
SS
SSL (from Loado
roxy
SSL Terminati
DMZ Firewall
Health Monitor HTTPS Header
HTTPS
Figure 4: Internal and External Access with SSL Termination
W H I T E PA P E R / 1 4
VMware Horizon Workspace Reference Architecture
The default ports required for Horizon Workspace are listed in Table 4. For a graphic representation of the Horizon Workspace network default ports, see Figure 5.
NETWORK PATH PORTS PROTOCOL
Horizon Client or vApp to gateway-va 443 (HTTPS) TCP
connector-va to Active Directory (user authentication)
389 TCP and UDP
connector-va to domain controller (Join Domain) 135 TCP and UDP
All virtual appliances to time server (NTP) 123 UDP
connector-va to ThinApp repository (SMB) 445 TCP
connector-va to domain controller and all Windows clients to connector-va (Kerberos authentication)
88 TCP and UDP
connector-va to global catalog server (user sync) 3268 TCP
connector-va to domain controller (Kerberos password change)
464 TCP and UDP
All virtual appliances to DNS server (DNS) 53 TCP and UDP
Load balancer to gateway-va and gateway-va to all other virtual appliances (HTTPS)
443 TCP
Connector administrator access (internal only) 8443 TCP
Files virtual appliances to internal SMTP server 25 TCP
gateway-va to data-va 7071 and 7072 TCP
connector-va to SecureID server (SecureID) 5500 UDP
service-va to each other, if more than 1 (auditing) 9300–9400 TCP
service-va to each other, if more than 1 (auditing) 54328 UDP
service-va to external database (production only) 5432 TCP and UDP
connector-va to domain controller 749 TCP and UDP
Table 4: Horizon Workspace Network Default Ports
W H I T E PA P E R / 1 5
VMware Horizon Workspace Reference Architecture
443
443
443
445
25* 25*5500*
5432*5432*
88, 464,135 (TCP/UDP)
53 (TCP/UDP)
443443 443
80, 443, 7071, 7072
389*, 636*, 3268*, 3269*
80, 443, 7071, 7072
VirtualAppliance
gateway-va-1**
VirtualAppliance
con�gurator-va-1** vCenter
Con�gurator uses SSH to connect to all virtual machines in
the vApp on port 22
VirtualAppliance
service-va-1**
VirtualAppliance
service-va-2**
RSA SecurID
VirtualAppliance
connector-va-1**
Load Balancer
DMZ Firewall
ncernnand B lad Bala
Horizon ViewServer
ActiveDirectory
Database DomainController
SMTP Server
ThinApp Repository(Windows CIFS Share)
DNS Server
VirtualAppliance
data-va-1**
VirtualAppliance
data-va-2**
VMVM
VM
VMware
VMVM
VM
*Default values are shown. These ports are con�gurable.** Every virtual appliance must have access to the DNS server on port 53.
Figure 5: Horizon Workspace Network and Port Number Details
W H I T E PA P E R / 1 6
VMware Horizon Workspace Reference Architecture
External Infrastructure ComponentsThe external infrastructure of this reference architecture consists of the following components:
•Active Directory – Horizon Workspace requires Active Directory to sync users and groups. This reference architecture uses Windows Server 2008 R2 Active Directory servers with 10,000 user accounts and 300 groups.
•DNS – All the virtual appliances refer to each other by their hostnames. Both forward and reverse records are required for all the virtual appliances in the Horizon Workspace vApp. Make sure that each machine can searchfortheHorizonWorkspaceFQDN.
•SMTP–TheHorizonWorkspacevApprequiresaccesstoanSMTPserver.TheSMTPserverFQDNandportnumber are needed at installation time.
•NTP – All virtual appliances rely on time synchronization. Enable and configure time sync on the vSphere hosts to point to your enterprise NTP server. Failing to do so can cause time drift between the virtual appliances. Kerberos-enabled connectors sync time to the Primary Domain Controller (PDC) role.
• Load balancer and reverse proxy – This reference architecture uses a software-based load balancer and reverse proxy.
•External storage – Horizon Workspace vApp supports external NFS volumes for Horizon file sharing. This reference architecture uses twelve data nodes (one master node, ten user data nodes) with 1x 10TB NFS volume assigned per user data node, for a total of 100TB of external storage for user data.
W H I T E PA P E R / 1 7
VMware Horizon Workspace Reference Architecture
Horizon Workspace ConfigurationHorizon Workspace requires additional configuration of vSphere hosts and vCenter server(s), including Network Time Protocol (NTP) for vSphere hosts and IP pools that provide network configuration to the vApp. These additional configuration settings are described in the following sections.
IP Pools
To deploy the Horizon Workspace vApp correctly, you must define an IP pool in vCenter with the following configurations using the IP Pool Properties wizard:
•ThesubnetthevAppusestocommunicate
•DNSservers
•DNSdomain
You do not have to set up a DHCP scope in the IP pool. The vApp Deploy OVF Template wizard prompts you for the IP addresses.
portgroup/vlan:AllvirtualappliancesmustbedeployedinthesameportgroupandVLAN.
NTP
For time sync to work properly, the Horizon Workspace vApp requires NTP to be enabled on all vSphere hosts where the vApp is deployed.
Postgres External Database
A Postgres database is included in the virtual appliance to speed deployment in proof-of-concept and pilot implementations. For a production implementation, you must use an external Postgres database.
ThisreferencearchitectureisbasedonPostgreSQL9.1,whichsupportsupto30,000users.Configurationdetails are listed Table 5.
RESOURCE VALUE
vCPU 2 minimum, 4 recommended
RAM 8GB
Disk 1 – Root disk (OS) 2GB
Disk 2 – Data disk 32GB
Disk 3 – SWAP disk 16GB
Disk 4 – Diagnostic disk 2GB Table 5: VMware vFabric™ Postgres (30,000 Users) Resource Requirements
W H I T E PA P E R / 1 8
VMware Horizon Workspace Reference Architecture
Oracle External Database
As an alternative to Postgres, your organization might want to utilize an Oracle database, which is fully supported by Horizon Workspace 1.5. VMware supports version 11g R2 or above for an external database. Configuration details are summarized in Table 6.
RESOURCE VALUE
vCPU 2 minimum, 4 recommended
RAM 8GB minimum, 16GB recommended
Disk 1 – Root disk (OS) 40GB
Disk 2 – Data disk 80GB Table 6: Oracle 11g R2 Resource Requirements (10,000 Users)
You should always refer to the manufacturer recommendations for properly sizing an Oracle database virtual server, http://www.oracle.com/us/products/database/overview/index.html.
You can refer to Oracle Database sizing guidelines for additional recommendations. http://docs.oracle.com/cd/E22693_01/doc.21/e22692/sizing.htm.
The guideline to follow would be similar to a small database, less than 80GB with little read and write IOPS. In the resource utilization outlined in Table 6, the database is installed on a Windows 2008 R2 enterprise server (OS disk).
vApp Deployment
To deploy the Horizon Workspace vApp, you must deploy the .OVA file from vCenter. For instructions, see Installing and Configuring Horizon Workspace.
Whenever the vCPU and RAM are customized, as they are for this enterprise deployment, you must manually configure the Java heap sizing. The Connector virtual Appliance and Files virtual appliance also must be updated manually. For more details on adjusting Java heap size settings, see Installing and Configuring Horizon Workspace.
vApp Guidance and Upper Limits
Limits for each of the five Horizon Workspace components are described as follows:
•HorizonWorkspaceConfiguratorvirtualappliance
– The configurator-va is the first virtual appliance to be deployed. It is used to configure the vApp from a single point and deploy and configure the rest of the vApp.
– The configurator-va is also used to add or remove other Horizon Workspace virtual appliances. There can only be one Configurator virtual appliance per vApp.
•HorizonWorkspaceConnectorvirtualappliance
– Enterprise deployments require more than one connector-va to support different authentication methods, such as RSA SecureID and Kerberos SSO.
– When enabling the Connector to use Kerberos authentication and deploying more than one connector-va, you must front-end the Connector virtual appliances with a load balancer to provide high availability.
– Each connector-va can support up to 30,000 users.
W H I T E PA P E R / 1 9
VMware Horizon Workspace Reference Architecture
– Specific use cases, such as Kerberos, ThinApp integration, and Horizon View integration, require the connector-va to be joined to the Windows domain.
•HorizonWorkspaceManagervirtualappliance
– Enterprise deployments require two or more Manager virtual appliances.
– Each service-va can handle up to 100,000 users.
•HorizonWorkspaceGatewayvirtualappliance
– The gateway-va is the single namespace for all Horizon Workspace interactions.
– For high availability, place multiple Gateway virtual appliances behind a load balancer.
– Horizon Workspace requires one gateway-va for every two data virtual appliances, or one gateway-va for every 2,000 users.
•HorizonWorkspaceFilesvirtualappliance
– Each data-va can support up to 1,000 users.
– At least two data virtual appliances (1 master, 1 user node) are required in an enterprise deployment with Horizon File Sharing enabled. The first data-va is a master data node; the others are user data nodes.
– Each user data node requires its own dedicated volume. In proof-of-concept or small-scale pilot scenarios, you can use a virtual machine disk (VMDK). We recommend using NFS in production due to the 2TB limitation on VMDK file size.
– LibreOffice Preview is included to enable viewing of Horizon Workspace documents.
Provisioning Users and Groups
This reference architecture synchronizes 10,000 users and 30 groups from Active Directory to Horizon Workspace. It uses 10 Horizon Workspace custom groups to ease management and entitlements for application, data, and desktop resources.
Web Applications
Enabling the Web Applications module allows you to add both Web and SaaS applications to your Horizon Workspace catalog, and to entitle users and groups. This enables self-service application management for users.
Horizon Workspace also provides a Horizon Application Catalog with preconfigured SaaS applications. Horizon Workspace supports Security Assertion Markup Language (SAML) 1.1 and 2.0 federation standards.
Note: To integrate Horizon Workspace with Horizon View, use SAML 2.0.
Mobile Applications
Two referred mobile applications have been added to the Horizon Catalog, one from the Apple App Store and one from Google Play. For more information, see the Horizon Workspace Administrator’s Guide.
W H I T E PA P E R / 2 0
VMware Horizon Workspace Reference Architecture
Horizon File-Sharing Policies
To manage Horizon Files policy, configure a class of service (COS) as specified in Table 7. For more information, see the Horizon Workspace Administrator’s Guide.
POLICY DESCRIPTION DEFAULT VALUE
COS Name The name for the class of service. After you create a COS, you cannot edit the COS name.
Default
AccountQuota The amount of disk space in megabytes that users are allowed on the server.
0
QuotaWarningMsg The email message sent to users when the amount of disk space they are allowed on the server reaches the threshold percentage.
N/A
Threshold (%) The threshold that triggers the quota warning email message.
90%
Max File size (MB) The maximum size of a file that users can upload to Horizon Workspace.
2048MB
File Types Disallowed Extensions for file types you want to block. None
Trashed File Lifetime Value The period of time a file can still be retrieved (undeleted) in the file's history after it has been deleted, before it is automatically purged.
1 Month
Internal Expiration The amount of time shared files and folders can be accessed by your enterprise's Horizon Workspace users.
0 Days
External Folder Sharing Allowed
When this box is checked, Horizon Workspace users can invite external users to access folders. These external users are also referred to as virtual users.
Enabled
Public Files Sharing Allowed
When this box is checked, Horizon Workspace users can make files available on the Internet.
Enabled
External Expiration The amount of time shared folders can be accessed by virtual users.
0 Days
Public Expiration The amount of time files are accessible on the Internet. 0 Days
Domains Allowed or Not Allowed
This option enables you to restrict or allow virtual-user access to shared folders based on the virtual user's domain.
No Domain Policy
W H I T E PA P E R / 2 1
VMware Horizon Workspace Reference Architecture
POLICY DESCRIPTION DEFAULT VALUE
Allowed domains for external sharing
This option allows you to grant virtual users from specified domains access to shared folders.
Disabled
Restricted domains for external sharing
This option allows you to prevent virtual users from specified domains from accessing shared folders.
Disabled
Host Pool This option is applicable when a Horizon Workspace deployment contains two or more data servers. Horizon Workspace uses the Host Pool setting to assign users to specific Data servers.
N/A
Pin/PasscodeRequired When this box is checked, mobile-device users are prompted to set up a passcode to access Horizon Workspace from their mobile devices.
Disabled
Open/Editwith When this box is checked, users can use third-party applications on their mobile devices to edit files. It is checked by default.
Enabled
Table 7: Horizon Files Class of Service Default Policies
VMware ThinApp Configuration
Horizon Workspace can integrate with VMware ThinApp 4.7 or later to:
•StreamordownloadThinAppapplicationstoWindowsdomainworkstations.
- ThinApp must be enabled for Horizon Workspace.
•PointtoThinAppshare(WindowsCIFSshare).
- Only .exe format is supported (no MSI format).
Horizon View Configuration
To integrate Horizon Workspace with Horizon View 5.2 or above:
1. Install Horizon View 5.2 and above with Feature Pack 1 to provide HTML access to Horizon View desktops.
2. Make sure Horizon Workspace User Directory Sync has been configured to sync the UPN (User Principle Name) attributes.
3. Make sure forward and reverse DNS records exist for Horizon View servers.
4. Enable the Horizon View Module in Horizon Workspace.
5. Join the Connector used for Horizon View integration, or verify that it has been added to the domain.
6. Configure SAML 2.0 authentication in Horizon View.
Note: SAML 1.1 does not support Horizon View and Horizon Workspace integration.
W H I T E PA P E R / 2 2
VMware Horizon Workspace Reference Architecture
ConclusionHorizon Workspace 1.5 enables IT to maintain control over the implementation; aggregate resources; and allow end users to access their entitled applications, data, and Horizon View desktops from inside or outside the corporate firewall, on the device or devices of their choice.
This reference architecture documents the system requirements and configuration settings for an enterprise deployment of Horizon Workspace with 10,000 users.
As seen from the previous pages, this is a straightforward deployment that supports 10,000 users. It features linear growth, which means that if you require an additional 10,000-user block, you can scale up the resources with confidence that you will meet and exceed expected performance.
There is no complex tuning or sizing required. After the vApp is deployed, the additional appliances spin up from the Configurator virtual appliance. You can feel confident that the vApp will run smoothly without interruption.
The built-in policy engine is one of the strongest points of Horizon Workspace. This makes it easy to manage users, and entitle them to applications and data. It also provides administrator control through a very easy-to-use Web console.
About the AuthorsStephane Asselin, EUC Architect in the VMware End-User Computing Technical Enablement Group, has been involved in desktop deployments and virtualization for over 15 years. He has extensive customer, field, and lab experience with VMware End-User Computing and ecosystem products.
Andrew Johnson, EUC Architect in the VMware End-User Computing Technical Marketing Team, is responsible for technical enablement and reference architectures.
Jared Cook is an EUC Architect in the VMware End-User Computing Technical Marketing Team.
Acknowledgments
This reference architecture is the result of collaboration between VMware IT, the Workspace Performance engineering team, and the EUC Technical Enablement team. VMware recognizes the efforts involved in testing and documenting the environment, validating the equipment used, and all the expertise without which this project would not have been possible.
W H I T E PA P E R / 2 3
VMware Horizon Workspace Reference Architecture
ReferencesHorizon Workspace Datasheet
Horizon Workspace FAQ
Horizon Workspace Release Notes
Horizon Workspace Administrator’s Guide
Horizon Workspace Files Command Line Interface Guide
Protection and Disaster Recovery Best Practices for Horizon Workspace Files
Installing and Configuring Horizon Workspace
VMware Horizon Workspace Security Considerations
VMware vFabric Postgres
VMware vFabric Blog – Scaling for the Information Explosion: Master-Slave Cluster with vFabric Postgres 9.2 on vSphere
W H I T E PA P E R / 2 4
VMware Horizon Workspace Reference Architecture
Appendix A (Test Methodology)The goal is to support 10,000 users per Horizon Workspace pod with less than 70 percent vCPU utilization, less than 80 percent vRAM utilization, and less than 100TB of data.
The resource utilization (CPU and memory) for the virtual appliances is detailed below. We’re showing two timelines. The first one is over a 24-hour period, and the second one is over a week.
As illustrated in the performance charts in Figures 6–8, the metrics gathered clearly demonstrate that the allocated resources were sufficient for the number of users tested and the utilization threshold we were aiming to meet.
The Horizon Workspace vApp was configured with the following virtual appliances:
•1Configuratorvirtualappliance
•4Connectorvirtualappliances(2forauthenticationandADsync,2forKerberos)
•11Filesvirtualappliances(1Masternode,10UserDatanodes)
•6Gatewayvirtualappliances
•2Managervirtualappliances
The Horizon Workspace vApp
We assessed and monitored the environment for a period of a month. Note that during this period, no single virtual appliance reached its top configured resource capacity, as seen in the performance charts. To demonstrate our point, the virtual appliance performance charts show the data for 24 hours, then for seven days, and finally for a full month. By comparing these charts, you can see that utilization is fairly consistent and never reaches anything near maximum capacity.
Figure 6: Horizon Gateway Virtual Appliance CPU Utilization in a 24-Hour Period – 10,000 Users
W H I T E PA P E R / 2 5
VMware Horizon Workspace Reference Architecture
Figure 7: Horizon Gateway Virtual Appliance CPU Utilization over Seven Days – 10,000 Users
Figure 8: Horizon Gateway Virtual Appliance CPU Utilization over One Month – 10,000 Users
Note that in the performance charts above, during all the time observed the CPU never went above 20 percent utilized. This leaves plenty of room for peak utilization.
W H I T E PA P E R / 2 6
VMware Horizon Workspace Reference Architecture
Memory utilization follows the same trend as the CPU utilization; we noticed a small increase in utilization, but nothing that would change our recommendation for sizing.
Figure 9: Horizon Gateway Virtual Appliance Memory Utilization over One Month – 10,000 Users
You will notice in the performance chart above that memory at peak utilization went up to 6.2GB utilized, which provides a utilization percentage of 77 percent. On a virtual appliance sized at 8GB, it stayed under the established threshold of 80 percent utilization. The daily and weekly performance charts were almost identical.
The next virtual appliances are the Files (data–va) virtual appliances. As they followed the same utilization trend as the Gateway virtual appliance, we will not show all the charts here. Figure 10 shows a week of utilization on two Files virtual appliances.
Figure 10: Horizon Files Virtual Appliance #1 CPU Utilization over One Week – 10,000 Users
W H I T E PA P E R / 2 7
VMware Horizon Workspace Reference Architecture
You will see from the performance chart in Figure 10 that CPU utilization did not spike to anything higher than 31 percent (Files virtual appliance #1).
Figure 11: Horizon Files Virtual Appliance #2 CPU Utilization over One Week – 10,000 Users
The Configurator virtual appliance was set to 1 vCPU and 1GB. The Configurator virtual appliance is unique for each vApp. It supports the entire vApp. If the Configurator virtual appliance does not play a role in interacting with users, then this appliance does not need many resources. Its main function is to keep the vApp well organized. There were no spikes in resource utilization, and the percentage utilized stayed below 10 percent throughout the testing period.
The Connector virtual appliances (two of them) were set to 2 vCPUs and 2GB. The Connector virtual appliance utilization, both memory and CPU, did not vary during our testing period and stayed below five-percent resource utilization. The Horizon Workspace Connector provides the following services: user authentication (identity provider); directory synchronization; ThinApp-catalog loading; and Horizon View pool synchronization.
VMware, Inc. 3401 Hillview Avenue Palo Alto CA 94304 USA Tel 877-486-9273 Fax 650-427-5001 www.vmware.comCopyright © 2014 VMware, Inc. All rights reserved. This product is protected by U.S. and international copyright and intellectual property laws. VMware products are covered by one or more patents listed athttp://www.vmware.com/go/patents. VMware is a registered trademark or trademark of VMware, Inc. in the United States and/or other jurisdictions. All other marks and names mentioned herein may be trademarks of their respective companies. Item No: VMW-WP-HORIZONWKSPREFARCH-USLET-20140207-WEB
VMware Horizon Workspace Reference Architecture
The Manager (service-va) virtual appliances (two of them) were both configured with 4 vCPUs and 8GB of RAM. The utilization varies on these appliances, depending mostly on user demand, concurrent requests, and synchronization with back-end infrastructure. As shown in Figure 12, utilization still stayed well below maximum capacity, reaching a maximum of 54 percent over a one-week period.
Figure 12: Horizon Service Virtual Appliance #1 CPU Utilization over One Week – 10,000 Users