Vmware Horizon view 7桌面虚拟化平台系统架构部署研究

1、VMware Horizon 7介绍通过Horizon，IT部门可以在数据中心部署虚拟化环境，并将这些环境交付给员工。

最终用户可以获得熟悉的个性化环境，并且可以在企业或家庭网络中的任何地方访问此环境。

将桌面数据全部至于数据中心，管理员可以进行集中式管理，同时还能提高效率、增强安全性、降低成本（用户可以使用落后的PC或瘦客户机访问虚拟桌面环境）。

VMware Horizon 7虚拟桌面部署由以下几个组件组成•客户端设备•Horizon Client•Horizon Agent•Horizon Connection Server•Horizon Composer•Horizon ThinApp1.1客户端设备Horizon的一大优势在于，用户可以在任何地点使用任何设备访问桌面。

用户可以通过公司的笔记本电脑、家用PC、瘦客户端设备、MAC或平板访问个性化虚拟桌面。

在PC中用户只要打开Horizon Client就能显示Horizon桌面。

瘦客户端借助瘦客户端软件，管理员可以进行配置，让Horizon Client成为用户在瘦客户端上唯一能直接启动的应用程序。

将传统PC作为瘦客户端使用，可以延长硬件使用寿命。

乾颐堂数据中心1.2 Horizon ClientHorizon提供了多平台客户端，包括Windows、MAC OS、Linux、瘦客户端平台。

可以让用户通过各种硬件来访问虚拟桌面。

1.3 Horizon Agent需要在远程桌面源虚拟机、RDS服务器上安装，通过与Horizon Client连接来为用户提供连接监视，虚拟打印USB映射等功能1.4 Horizon Connection Server该服务充当客户端的连接点，Horizon Connection Server通过Windows Active Directory对用户提供身份验证，并将请求定向到相应的虚拟机、或服务器。

Horizon Connection Server还提供以了下管理功能•用户身份验证•授权用户设访问特定的桌面和池•将通过Horizon ThinApp打包的应用程序分配给特定桌面和池•管理本地和远程桌面会话乾颐堂数据中心1.5 Horizon Composer该服务可以安装在Windows版的vCenter实例上或单独的服务器（虚拟机）上。

VMware Horizon View 7 安装部署一、Horizon View 7 的介绍（摘录）通过Horizon，IT部门可以在数据中心部署虚拟化环境，并将这些环境交付给员工。

最终用户可以获得熟悉的个性化环境，并且可以在企业或家庭网络中的任何地方访问此环境。

将桌面数据全部至于数据中心，管理员可以进行集中式管理，同时还能提高效率、增强安全性、降低成本（用户可以使用落后的PC或瘦客户机访问虚拟桌面环境）。

VMware Horizon 7虚拟桌面部署由以下几个组件组成：∙客户端设备∙Horizon Client∙Horizon Agent∙Horizon Connection Server∙Horizon Composer∙Horizon ThinApp1.客户端设备Horizon的一大优势在于，用户可以在任何地点使用任何设备访问桌面。

用户可以通过公司的笔记本电脑、家用PC、瘦客户端设备、MAC或平板访问个性化虚拟桌面。

在PC中用户只要打开HorizonClient就能显示Horizon桌面。

瘦客户端借助瘦客户端软件，管理员可以进行配置，让Horizon Client成为用户在瘦客户端上唯一能直接启动的应用程序。

将传统PC作为瘦客户端使用，可以延长硬件使用寿命。

2. Horizon ClientHorizon提供了多平台客户端，包括Windows、MAC OS、Linux、瘦客户端平台。

可以让用户通过各种硬件来访问虚拟桌面。

3. Horizon Agent需要在远程桌面源虚拟机、RDS服务器上安装，通过与HorizonClient连接来为用户提供连接监视，虚拟打印USB映射等功能4. Horizon Connection Server该服务充当客户端的连接点，Horizon Connection Server通过WindowsActive Direc tory对用户提供身份验证，并将请求定向到相应的虚拟机、或服务器。

VMWare Horizon 7 安全体系规划指南目录Horizon 7 安全性51 Horizon 7 帐户、资源和日志文件6Horizon 7 帐户6Horizon 7 资源7Horizon 7 日志文件72 Horizon 7 安全性设置9Horizon Administrator 中的安全性相关全局设置9Horizon Administrator 中的安全性相关服务器设置11View LDAP 中的安全性相关设置123 端口和服务13Horizon 7 的TCP 和UDP 端口13Horizon 7 TrueSSO 端口16连接服务器主机上的服务17安全服务器上的服务184 证书指纹验证和自动生成证书195 在连接服务器实例或安全服务器上配置安全协议和密码套件20安全协议和密码套件的默认全局策略20配置全局接受和建议策略21在单个服务器上配置接受策略22在远程桌面上配置建议策略23在Horizon 7 中禁用的旧协议和密码246 为Blast 安全网关配置安全协议和密码套件26为Blast 安全网关(BSG) 配置安全协议和密码套件267 在安全的Horizon 7 环境中部署USB 设备28对所有类型的设备禁用USB 重定向28对特定设备禁用USB 重定向298 连接服务器和安全服务器上的HTTP 保护措施31Internet 工程任务组标准31万维网联盟标准32其他保护措施36Horizon 7 安全配置HTTP 保护措施38Horizon 7 安全性《Horizon 7 安全指南》提供了对VMware Horizon 7 的安全功能的简明参考。

⏹所需的系统和数据库登录帐户。

⏹安全性相关的配置选项和设置。

⏹必须受到保护的资源，如安全性相关的配置文件和密码，以及对安全操作的建议访问控制。

⏹日志文件的位置及其用途。

⏹为确保Horizon 7 正常运行而必须打开或启用的外部接口、端口和服务。

桌面虚拟化部署VMware Horizon View 7部署图文教程1：VMware Horizon 7介绍通过Horizon，IT部门可以在数据中心部署虚拟化环境，并将这些环境交付给员工。

最终用户可以获得熟悉的个性化环境，并且可以在企业或家庭网络中的任何地方访问此环境。

将桌面数据全部至于数据中心，管理员可以进行集中式管理，同时还能提高效率、增强安全性、降低成本（用户可以使用落后的PC或瘦客户机访问虚拟桌面环境）。

VMware Horizon 7虚拟桌面部署由以下几个组件组成•客户端设备•Horizon Client•Horizon Agent•Horizon Connection Server•Horizon Composer•Horizon ThinApp1.1客户端设备Horizon的一大优势在于，用户可以在任何地点使用任何设备访问桌面。

用户可以通过公司的笔记本电脑、家用PC、瘦客户端设备、MAC或平板访问个性化虚拟桌面。

在PC中用户只要打开Horizon Client就能显示Horizon桌面。

瘦客户端借助瘦客户端软件，管理员可以进行配置，让Horizon Client成为用户在瘦客户端上唯一能直接启动的应用程序。

将传统PC作为瘦客户端使用，可以延长硬件使用寿命。

乾颐堂数据中心1.2 Horizon ClientHorizon提供了多平台客户端，包括Windows、MAC OS、Linux、瘦客户端平台。

可以让用户通过各种硬件来访问虚拟桌面。

1.3 Horizon Agent需要在远程桌面源虚拟机、RDS服务器上安装，通过与Horizon Client连接来为用户提供连接监视，虚拟打印USB映射等功能1.4 Horizon Connection Server该服务充当客户端的连接点，Horizon Connection Server通过Windows Active Directory对用户提供身份验证，并将请求定向到相应的虚拟机、或服务器。

VMware Horizon桌面虚拟化平台部署与应用摘要：VMware Horizon套件是目前行业领先的桌面虚拟化解决方案，它将数据、应用和操作系统桌面部署转变为集中化的服务，可以实现虚拟桌面的高效配置和集中管理。

本文分析了VMware Horizon 的主要组成和部署安装，在公司班组数字化升级改造及培训教室搭建过程中进行了实际的部署和应用，对进一步的更大范围的使用具有重要意义。

关键词：桌面虚拟化 VMware Horizon 服务器虚拟化引言在当前企业信息化过程中，桌面管理面临着应用环境复杂，管理集成度低，终端安全难以保障等种种困境。

随着社会的飞速发展,基于云计算的信息化技术已成为网络信息化发展的必然趋势。

桌面虚拟化技术是云计算的核心技术之一,它可以将硬件环境、操作系统、应用程序、用户数据进行分离。

用户可以实现非特定时间、非特定地点、非特定终端的桌面访问与操作;技术人员可以实现操作系统、应用程序和用户数据的安全防护、快速部署、个性化定制及备份恢复。

因此桌面虚拟化技术在企业应用中实现了桌面标准化、数据安全化、使用简单化、管理规范化,这使得它具有广阔的应用前景。

桌面虚拟化技术简介桌面虚拟化是指将远程主机的桌面通过某种虚拟桌面显示协议虚拟到用户本机的桌面上。

通过桌面虚拟化技术，用户可以在本机显示器上使用在远程安装的操作系统和应用程序，好像直接登录到远程桌面一样。

桌面虚拟化的部署依托于服务器虚拟化，通常都是利用数据中心的服务器实现其安装和配置，生成大量的独立虚拟桌面，同时为各种用户提供服务。

采用桌面虚拟化技术后，用户不用关心所使用操作系统和应用软件的软硬件平台，也不需要担心系统数据的安全，直接通过客户端程序登录到远程主机上使用桌面即可。

本文以VMware最新版的VMware Horizon 7套件为对象，详细分析了VMware Horizon 7 的平台系统架构，在公司环境中实现了试验性的部署，并在班组数字化改造中进行了实际验证。

VMware Horizon 7 on VMware vSAN 最佳实践技术白皮书TECHNICAL WHITE PAPERTable of ContentsIntroduction 3 Purpose (3)Audience (3)Technology Overview and Best Practices 3 Overview (3)VMware vSAN (4)Introduction (4)All-Flash vs. Hybrid Architecture (4)Storage Hardware (6)Deduplication and Compression (7)Storage Policies (9)Swap Thin Provisioning (11)Native Encryption (11)vSAN Encryption vs. VM-level Encryption (12)VMware Horizon 7 (13)Introduction (13)Cloning Technology (13)Full Clones (13)Linked Clones (14)Instant Clones (15)VMware View Storage Accelerator and vSAN Client Cache (18)References 20 White Papers (20)Product Documentation (20)About the Authors (21)IntroductionPurposeAs more virtual desktop infrastructure customers are embracing hyper- converged infrastructure (HCI) technology to provide cost-effective, highly scalable, and easy-to-manage solution, they are looking for more information and recommendations for how these products work in conjunction.This white paper provides best practice recommendations when running VMware Horizon® 7 on VMware vSAN™ for a virtual desktop infrastructure (VDI) environment. This document is not meant to be a complete best practice guide on Horizon 7 or on vSAN. Excellent solution architectures are already available (links provided in the Reference section). This document focuses on the specific intersection points between the VDI platform and the storage platform and covers areas such as cloning, deduplication, storage consumption, etc.Note that Horizon 7 is the full name of the VMware desktop and application management platform and does not denote any specific product versions. AudienceThis reference architecture is intended for customers—IT architects, consultants, and administrators—involved in the early phases of planning, design, and deployment of VDI solutions using VMware Horizon 7 running on vSAN. It is assumed that the reader is familiar with the concepts and operations of VMware vSphere, vSAN and Horizon 7 technologies. Technology Overview and Best PracticesOverviewThis section provides an overview of the technologies that are used in this solution as well as best practices when using these technologies: •VMware vSAN™o All-Flash and Hybrid Architectureo Deduplication and Compressiono Storage Policieso Native Encryption•VMware Horizon® 7o Full Clone Technologyo Linked Clone Technologyo Instant Clone TechnologyVMware vSANIntroductionVMware vSAN™ is a hyper-converged infrastructure platform that is fully integrated with VMware vSphere. vSAN aggregates locally attached disks of hosts that are members of a vSphere cluster to create a distributed shared storage solution. Seamless integration with vSphere and the VMware ecosystem makes it the ideal storage platform for Horizon 7 VDI. vSAN provides scale-out storage within a Horizon 7 environment, enabling a grow- as-you-go model, with scaling up by adding disk drives in each host, or with scaling out by adding hosts to the cluster.All-flash vSAN configurations provide the highest levels of performance with very low latencies for the most demanding virtual desktop workloads. Space efficiency features such as deduplication, compression, and RAID-5/6 erasure coding minimize capacity consumption, which reduces the cost per gigabyte of usable capacity.Hybrid configurations use both flash and magnetic disks to provide a cost- effective platform for enterprise-class performance and resiliency.Per-virtual machine (VM) storage policy-based management lowers operational expenditures by enabling administrators to manage performance, availability, and capacity consumption with ease and precision. Native data- at-rest encryption, with FIPS 140-2 validation, can be enabled without the need for specialized hardware, which provides regulatory compliance without the typical costs associated with procuring and maintaining self-encrypting drives.Many deployment options are available for vSAN. These options range from 2-node clusters for small implementations to multiple clusters each with as many as 64 nodes--all centrally managed by VMware vCenter Server. vSAN stretched clusters can easily be configured to enable cross-site protection with no downtime for disaster avoidance and rapid, automated recovery from entire site failure.All-Flash vs. Hybrid ArchitecturevSAN provides two different configuration options:•An all-flash configuration• A hybrid configuration that uses both flash-based devices and magnetic disksThe all-flash configuration uses flash for both the caching layer and capacity layer. All-flash vSAN is an optimized platform for high performance and delivers greater and more consistent overall performance vs. hybrid configurations.All-flash vSAN aims at delivering extremely high IOPS with predictable low latencies. In all-flash architecture, two different grades of flash devices are commonly used in the storage hardware configuration:•Lower capacity and higher endurance devices for the cache layer •More cost-effective, higher capacity, and lower endurance devices for the capacity layerThe hybrid configuration uses:•Server-based flash devices to provide a cache layer for optimal performance•Magnetic spinning disks to provide capacity and persistent data storage Hybrid vSAN configurations delivers both enterprise-ready levels of performance and a resilient storage platform.All incoming writes are performed at the cache layer and then de-staged to the capacity layer. All data in the cache layer must be eventually de-staged, which happens asynchronously to achieve maximum efficiency. This helps extend the usable life of lower endurance flash devices in the capacity layer and lower the overall cost of the solution. All-flash configurations are required for storage efficiency capabilities such as deduplication, compression and RAID-5/6 erasure coding, all of which minimize raw capacity consumption.vSAN All-Flash DatastoreHybrid vSAN configurations use both flash and magnetic disks to provide a cost-effective platform for enterprise-class performance and resiliency.Hybrid configurations offer the lowest TCO due to the inherent lower cost of magnetic disks when compared to flash disks for the capacity layer. However, it is important to know that properly designing and sizing a vSAN hybrid configuration is extremely important to deliver predictable performance. Correct sizing of the cache device is the chief consideration, with sizing of the magnetic disk subsystem behind the cache being the secondary consideration. Hybrid configurations do not support storage efficiency capabilities such as deduplication, compression or RAID-5/6 erasure coding.vSAN Hybrid DatastoreStorage HardwarevSAN hosts that contribute storage can be configured with between one and five disk groups for the storage of vSAN objects. Disk groups require at least a single flash disk drive used for the cache tier, and between one and seven disk drives for the capacity tier. In all disk group configurations, a flash device is used for cache. In hybrid configurations, the capacity devices are comprised of SAS or NL-SAS magnetic disks. In all-flash configurations, the capacity devices may be flash SATA, SAS, PCIe, or NVMe.Devices such as SAS, NL-SAS, or SATA are attached to a Host Bus Adapter (HBA) or RAID controller for consumption of vSAN. These devices should be connected in pass-through mode and not RAID0 mode, depending on the HBA/RAID controller. For controllers that do not support pass-through mode, each device must be presented as an individual RAID0 device. While RAID controllers may support drive mirroring, striping, or erasure coding, these are not supported, nor required by vSAN. vSAN is an object-based storagesystem and distributes data across hosts in the cluster, which removes the need for these hardware-level mirroring, striping, or erasure coding. Instead, data protection and performance properties are defined logically using the Storage Policy Based Management (SPBM) framework instead.Just as compute and networking must be on the VMware Compatibility Guide, vSAN storage devices, such as Host Bus Adapters (HBA), RAID controllers, and storage devices must be on the VMware Compatibility Guide for vSAN to be supported. It is also important that these devices are running a supported firmware version as detailed in the HCL.With regards to availability, consider choosing hosts that have sufficient disk drive slots to accommodate more than one disk group, for both hybrid and all- flash configurations. Having multiple groups will increase availability by reducing the storage failure domain per host. In other words, for hosts with a single disk group and a single cache device, a cache device failure will result in failure of the entire host. However, for hosts with two disk groups with one cache device each, a single cache device failure in one disk group will not impact data being served from the remaining disk group. In addition, when deduplication and compression is enabled, the loss of a single capacity disk, in any disk group, will also result in failure of that entire disk group.With regards to performance, choosing hosts with multiple disk groups will improve overall performance for both front-end VM traffic and back-end vSAN traffic. Back-end vSAN traffic occurs after a disk device or host goes offline, fails, or when the capacity utilization of any disk exceeds 80%. Having multiple disk groups per host enables greater parallelism in these operations. Recommendation: Configure hosts with more than one disk group to achieve the highest levels of vSAN availability and performance. In addition, for hosts that are configured with many disk drives and multiple disk groups, distribute the storage I/O path across more than one HBA controller. Deduplication and CompressionvSAN deduplication and compression provides enterprise-class storage efficiency by minimizing the space required to make data persistent in the capacity layer. Deduplication and compression are always enabled or disabled together at the cluster level using a simple drop-down menu. It is not possible to enable vSAN deduplication or compression individually or for individual VMs. All-flash vSAN is required to use deduplication and compression. Note that a rolling reformat of all disks in the vSAN cluster is required, which can take a considerable amount of time depending on the amount of data. However, this process does not incur VM downtime and can be done online, usually during an upgrade.Recommendation: If vSAN deduplication and compression is part of the design decision, enable the service before any virtual desktops are deployed to the vSAN datastore. This will expedite the time required to enable the service.Enabling vSAN Deduplication and CompressionDeduplication occurs when the data is de-staged from the cache tier to the capacity tier. The deduplication algorithm utilizes a 4K-fixed block size and is performed within each disk group. In other words, redundant copies of a block within the same disk group are reduced to one copy, but redundant blocks across multiple disk groups are not deduplicated. Upon writing a 4K block, it is hashed to find whether an identical block already exists in the capacity tier of the disk group. If there is one, only a small metadatum is updated. If no such identical block is available, compression is then applied to the 4K block. If the 4K block can be compressed to 2K or less, vSAN persists the compressed data to the capacity tier. Otherwise, the 4K block is persisted to the capacity tier uncompressed.Deduplication and compression are applied to data in the capacity tier, commonly accounting for approximately 90% of all data on a vSAN datastore. Storing this data in 4K blocks enables effective deduplication and compression with minimal resource overhead for these operations. Deduplication and compression are not applied to data in the cache tier, which serves as a write buffer in an all-flash vSAN configuration. Naturally, the cache tier is being written to much more frequently than the capacity tier.Deduplication and Compression Space EfficiencyThe processes of deduplication and compression on any storage platform incur overhead and potentially impact performance in terms of latency and maximum IOPS. vSAN is no exception. However, considering deduplication and compression are only supported in all-flash vSAN configurations, these effects are predictable in the majority of use cases. The extreme performance and low latency of flash devices easily outweigh the additional resource requirements of deduplication and compression. Enabling deduplication and compression consumes a small amount of capacity for metadata, such as hash, translation, and allocation maps. The space consumed by this metadata is relative to the size of the vSAN datastore and is typically around 5% of the total capacity. Note that the user interface displays the percentage of used capacity, not total capacity (used and free space). In addition, enabling deduplication and compression consumes minimal CPU overhead –typically around 5% of the total cluster processing capacity. Recommendation: If using an all-flash vSAN configuration, enable deduplication and compression for Horizon 7 linked clone environments for both storage efficiency and accurate reporting of storage utilization. For instant clones, only enable deduplication and compression for improved reporting of storage utilization.Storage PoliciesPer-VM storage policy-based management is a foundational benefit of vSAN hyper-converged infrastructure. Unlike traditional storage solutions which must apply storage policies on a LUN or volume which may contain several VMs, vSAN enables precise control on a per-VM level. Administrators can manage performance, availability and capacity consumption with ease and precision for each VM in the environment.Typically, vSAN storage policies are created and managed using the vSphere Client. Storage policies can be assigned to entire VMs or individual VMDKswithin those VMs. Storage policies are either applied to VMs at the time of deployment or reassigned if the application requirements have changed. These modifications are performed with no downtime and without the need to migrate VMs from one datastore to another. It is important to note that changing the vSAN default storage policy or a global policy that applies to many VMs will require temporary storage overhead and may take a long time to complete depending on the scope of changes.Recommendation: Only apply storage policy changes to small groups of VMs at any one time to minimize temporary storage overhead and overall resynchronization activity.For Horizon 7 virtual desktop infrastructure, default storage policies are automatically created during desktop pool creation, depending on the type of pool you create. Horizon 7 creates vSAN storage policies for linked clone desktop pools, instant clone desktop pools, full clone desktop pools, or an automated farm per Horizon 7 cluster. Once these storage policies are created for the desktop pool; they will never be changed by Horizon 7. An administrator can edit these storage policies in vCenter, similar to a regular vSAN policy if Horizon 7 was not in use. Any new default storage policies enacted by Horizon 7 will not impact existing desktops pools. Each VM maintains its storage policy regardless of its physical location in the cluster. If the storage policy becomes non-compliant because of a host, disk, network failure or workload changes, vSAN reconfigures the data of the affected VMs and load balances to meet the compliance of the storage policy.Default vSAN storage policies configured by Horizon 7The default policy settings that Horizon 7 automatically configures are similar to the default vSAN storage policy settings that are configured for all vSAN deployments. These settings provide the baseline vSAN capabilities and are appropriate for many use cases unless the environment requires higher levels of availability, performance or storage efficiency.Recommendation: If storage efficiency is part of the design decision, consider using RAID-5/6 erasure coding instead of the default RAID-1 mirroring. If virtual desktops have already been deployed using the default policy settings, make a clone of the existing policy and then change the failure tolerance method to RAID-5/6 of the cloned policy. Then, apply this new storage policy to small groups of desktops at one time to minimize the impact of vSAN policy reconfiguration. In addition, consider using FTT=2 for the replica VM to increase availability.Swap Thin ProvisioningvSAN storage policies allow configuration of the VM or VMDK object space reservation, which is synonymous with enabling thick-provisioning on vSAN. When the administrator (or Horizon 7) configures an object space reservation of 0%, the VM or VMDK is thin-provisioned. However, this is not applied to the VM swap file (.vswp) in versions prior to vSAN 6.7. In these earlier versions, the .vswp file always has an object space reservation of 100%, even if the storage policy specifies 0%. This behavior can be disabled by configuring the advanced host setting “SwapThickProvisionedDisabled”, so that the .vswp file is thin provisioned for these versions of vSAN. Recommendation: Since swap files are thin provisioned in vSAN 6.7 by default, manually enable swap file thin provisioning in vSAN versions prior to 6.7 using the above advanced setting. It is important to only use swap file thin provisioning in environments where physical memory is not overcommitted, or where storage efficiency is part of the design decision.Native EncryptionvSAN native encryption for data-at-rest further improves security and provides compliance with increasingly stringent regulatory requirements. vSAN encryption uses an AES 256 cipher and is FIPS 140-2 validated. vSAN encryption is hardware-agnostic, meaning it can be deployed on any supported hardware in all-flash or hybrid configurations. Self-encrypting drives (SEDs) are not required. vSAN encryption is enabled and configured at the datastore level. In other words, every object on the vSAN datastore is encrypted when this feature is enabled. Note that a rolling reformat of all disks in the vSAN cluster is required, which can take a considerable amount of time depending on the amount of data. However, this process does not incur VM downtime and can be done online, usually during an upgrade. Recommendation: If vSAN encryption is part of the design decision, enable the service before any virtual desktops are deployed to the vSAN datastore. This will expedite the time required to enable the service.Enabling vSAN encryptionData is encrypted when it is written to persistent media in both the cache and capacity tiers of a vSAN datastore. Encryption occurs just above the device driver layer of the storage stack, which means it is compatible with all vSAN features such as deduplication and compression, RAID-5/6 erasure coding, stretched cluster configurations. All vSphere features including VMware vSphere vMotion, VMware vSphere Distributed Resource Scheduler (DRS), VMware vSphere High Availability (HA), and VMware vSphere Replication are supported.A Key Management Server (KMS) is required to enable and use vSAN encryption. Nearly all KMIP-compliant KMS vendors are compatible, with specific testing completed for vendors such as HyTrust®, Gemalto®, Thales e-Security®, CloudLink®, and Vormetric®. These solutions are commonly deployed in clusters of hardware appliances or virtual appliances for redundancy and high availability. Encryption keys are transferred to vSAN hosts using the Key Management Interoperability Protocol (KMIP). Industry standards and compliance with regulations often require the generation of new keys on a regular basis. This reduces the risk of a key being exposed or compromised by brute force. Generating new keys is performed in the vSAN UI with just a few clicks.KMS configured for use with vCenter ServervSAN Encryption vs. VM-level EncryptionVMware vSphere and vSAN provide two different methods of encrypting data, and it is important to understand the differences between the two solutions.•vSAN provides native data-at-rest encryption for the entire datastore, as covered previously in this section.•VMware vSphere provides VM-level encryption, which is not associated or related to the vSAN encryption capabilities.VM-level encryption can be used by non-vSAN users. vSAN encryption is enabled one time for the entire datastore, whereas VM-level encryption is enabled through policy-based management on a per-VM basis.Other than the granularity of encryption, the primary differences are when the data is encrypted and if storage efficiency capabilities are supported. With vSAN, data is transmitted unencrypted until it reaches the datastore, where it is then encrypted. vSAN encryption can co-exist and benefit from deduplication and compression capabilities. With VM-level encryption, data is encrypted in upper layers before it is transmitted to the underlying datastore, however this feature cannot take advantage of vSAN deduplication and compression.Recommendation: If storage efficiency or cluster-wide encryption is part of the design decision, only enable vSAN data-at-rest encryption. If data-in-flight encryption or per-VM encryption granularity is more important, use VM-level encryption instead.VMware Horizon 7IntroductionVMware Horizon® 7 delivers virtualized or hosted desktops and applications through a single platform to end users. These desktop and application services—including Remote Desktop Services (RDS) hosted apps, packaged apps with VMware ThinApp®, software-as-a-service (SaaS) apps, and even virtualized apps from Citrix—can all be accessed from one digital workspace across devices, locations, media, and connections without compromising quality and user experience. Leveraging complete workspace environment management and optimized for the software defined data center, Horizon 7 helps IT control, manage, and protect all of the Windows resources end users want, at the speed they expect, with the efficiency that business demands. Cloning TechnologyA clone is a copy of a master VM or golden image with a unique identity of its own, including a MAC address, UUID, and other system information. VMware Horizon 7 provides three types of cloning technologies to provide customers choice and flexibility. Persistent virtual desktops can be deployed using full clones. Non-persistent virtual desktops can be deployed using linked clones or the newest cloning technology, instant clones.Full ClonesA full clone is an independent copy of a VM. It shares nothing with its master VM or golden image, and it operates entirely separately from the golden image used to create it. Since each full clone VM is almost identical to thegolden image, this means that there is high degree of duplication across a pool of full clone VMs.Recommendation: If using an all-flash vSAN configuration, always enable vSAN deduplication and compression to reduce the duplication across multiple full clone VMsLinked ClonesA View Composer linked clone uses significantly less storage space than a full clone because it accesses software on shared virtual disks. Because of this sharing mechanism, a linked clone must always have access to the disk used for cloning.To make a linked clone, you take a snapshot of the golden image and then the Horizon 7 cloning process creates a replica VM to use for cloning. The linked clone shares virtual disks with the replica VM. The differential—the bits of software that are unique to the linked clone—is stored in a diff disk or redo disk. The differential is called delta disks. This arrangement allows the linked clone to occupy a smaller amount of physical disk space than the golden image, but still access the software installed on the shared virtual disks. You can create hundreds of linked diff disks from one replica, reducing the total storage space required.Linked clones are generated on Horizon 7 by the View Composer server. In the process of creating delta disks, two vmdks are created for each linked clone:.vmdk and checkpoint.vmdk.•The .vmdk disk is a snapshot of the state of the delta disks at the time of creation. It cannot be modified in any way by the user or by the system.View Composer creates this snapshot and persists it so that you canrapidly revert to a pristine copy of the delta disks during a refresh orrecompose operation.•The checkpoint.vmdk disk is where all the system and user changes are written. As such, it will grow as the virtual desktop is used. When alinked clone is refreshed or recomposed, the checkpoint.vmdk disk isdeleted and recreated, but the .vmdk disk remains.vSAN logical units of space are allocated in 4MB blocks, whereas VDI data is often written to the filesystem in smaller blocks (e.g. 512KB). This can result in free space allocated in each 4MB block. This behavior explains why at the time of initial linked clone creation, the .vmdk and checkpoint.vmdk disks appear larger than they actually are in the physical layer. This also explains why these disks will appear much larger than linked clones deployed on traditional VMFS storage.However, the empty spaces will be utilized for future writes as users begin to use their virtual desktops. As additional data is written these empty spaces are consumed, the eventual storage utilization become comparable to VMFS. By design, enabling vSAN deduplication and compression will provide thebest storage efficiency at the logical and physical layers. This is due to removal of redundant copies of data (including empty spaces) and compression of data after it has been deduplicated. Even if there are no deduplication savings (i.e. data is completely unique), enabling this mode will report the actual physical storage consumption to the logical layer, post- compression.Recommendation: If using an all-flash vSAN configuration, enable deduplication and compression for Horizon 7 linked clone environments for both storage efficiency and accurate reporting of storage utilization.As the end-user creates and deletes content on their desktops, Windows automatically creates and deletes system files. When the end-user and OS delete data, the corresponding data are marked for deletion but are not immediately deleted on the physical storage hardware. This behavior occurs for any storage system and may cause storage bloat.Recommendation: To avoid consuming unnecessary storage when using linked clones:•Refresh or recompose the pool on a frequent basis•Set logoff policy of the pool to “ref resh on logoff”•Use an SDD (System Disposal Disk), on which you redirect the temporary writes. This disk is deleted and recreated on every logoff. Instant ClonesLike a linked clone, an instant clone shares virtual disks with the replica VM after the linked clone is created. The process of creating instant clones differs from that used for linked clones in the following way: The cloning process creates a running parent VM from the replica VM. At creation time, the instant clone shares the memory pages of the running parent VM from which it is created.Instant clones use copy-on-write for memory and disk management. Instant clones are based on a running parent VM, derived from a master VM. At the instant when an instant clone is created from a running parent VM, any reads of unchanged information come from the already existing running parent VM. However, any changes made to the instant clone are written to a delta disk, not to the running parent VM. This strategy preserves security and isolation between the instant clones by ensuring the following:•Each instant clone is immediately accessible.•Changes do not affect the shared data and memory of the running parent VM on which all other instant clones are based. Sharing thememory page of a running parent VM at creation time enables instantclones to be created within a few seconds and instantly powered on.With a few exceptions such as vGPU enabled desktop and Linuxdesktop, an instant clone requires no extra boot when the cloningprocess is finished.。

VMWare Horizon 7 集成指南VMware Horizon 7 7.5目录Horizon 7 集成51 Horizon 7 集成简介6Horizon 7 组件6Horizon 7 的集成接口72 将Horizon 7 与事件数据库相集成8事件数据库表和结构定义8Horizon Connection Server 事件10Horizon Agent 事件15Horizon Administrator 事件16事件消息属性24示例数据库查询和视图253 在VMware Cloud on AWS 上部署Horizon 7 28VMware Cloud on AWS 上的Horizon 7 部署方案30VMware Cloud on AWS 上的Horizon 7 的网络配置30为Horizon 7 部署配置VMware Cloud on AWS 31用于在VMware Cloud on AWS 上部署Horizon 7 的连接和防火墙配置31准备Active Directory 以在VMware Cloud on AWS 上部署Horizon 7 32VMware Cloud on AWS 上的Horizon 7 环境33将VMware Cloud on AWS 上的Horizon 7 与内部部署的Horizon 7 相链接34链接VMware Cloud on AWS 上的Horizon 7 容器34Horizon 7 混合云部署入门354 自定义LDAP 数据36LDAP 配置数据简介36修改LDAP 配置数据375 使用WMI 查看PCoIP 会话统计信息42使用PCoIP 会话统计信息42常规PCoIP 会话统计信息43PCoIP 音频统计信息44PCoIP 图像处理统计信息44PCoIP 网络统计信息45PCoIP USB 统计信息47使用PowerShell cmdlet 查看PCoIP 统计信息的示例486 使用启动会话脚本设置桌面策略49获取启动会话脚本的输入数据49使用启动会话脚本的最佳做法49准备Horizon 7 桌面以使用启动会话脚本50示例启动会话脚本52Horizon 7 集成《Horizon 7 集成指南》文档介绍如何将Horizon 7™软件与第三方软件集成，例如Windows PowerShell 和商业智能报告引擎。

VMware Horizon 7测试方案目录一、解决方案概述 (3)1.1 业务挑战 (3)1.2解决方案 (3)1.3 价值体现 (6)二、测试简介 (6)2.1 测试内容 (7)2.3 测试结论 (7)三、附录 (11)3.1 测试环境 (11)3.1.1 硬件配置 (11)3.1.2软件配置 (12)3.1.3 网络配置 (14)3.1.4 逻辑架构 (15)3.2测试用例 (17)3.2.1 基本功能测试 (17)3.2.2 显示效果测试 (18)3.2.3 软件系统兼容性测试 (18)3.2.4 外设兼容性测试 (19)一、解决方案概述1.1 业务挑战公司现有的桌面系统是基于传统PC方式，需要在每台PC上安装监控所需的软件程序及客户端，同时重要的数据也分散在各PC上，不能很方便的进行集中存储及备份。

此外客户端安全隐患增加，由于PC机的安全漏洞较多，因此业务数据在客户端有泄露及丢失的危险，并且用户的业务工作环境也有受攻击和被破坏的危险。

而员工工作环境被绑定在PC机上，出现软硬件故障的时候，业务人员只能被动地等待IT维护人员来修复，因此维护响应能力的不足，直接导致了响应能力的降低，带来工作效率低下。

终端的维护成本也不断上升，IT运维人员不仅要进行PC机进行维护，还要对操作系统环境、应用的安装配置和更新进行桌面管理和维护，随着应用的增多，维护工作呈上升增长趋势。

随着应用场景越来越复杂，对IT的功能性，安全性，方便性的要求越来越高，例如：●业务连续性：随着应对各种自然灾害和环境变化，要求业务连续性能力增强，能够快速恢复业务访问。

●工作场所搬迁及扩张：在工作人员来越来越多的情况下，如何做到投入最少的IT资源，达到以往或超过以往的用户接入的能力。

因此简化客户端环境，实施集中化部署、管理和运维，桌面虚拟化是有效解决方案1.2解决方案VMware View建立在业界领先的虚拟化平台基础之上，是通用客户端解决方案，能以彼此独立的方式管理操作系统、硬件、应用程序和用户，而不受其驻留位置的影响。

VMWare Horizon 7 安装指南VMware Horizon 7 7.5目录Horizon 7 安装61 服务器组件的系统要求7Horizon 连接服务器的要求7Horizon Administrator 要求9View Composer 的要求92 客户机操作系统的系统要求12Horizon Agent 支持的操作系统12独立Horizon Persona Management 支持的操作系统13远程显示协议和软件支持133 在IPv6 环境中安装Horizon 7 19在IPv6 环境中设置Horizon 7 19IPv6 环境中支持的vSphere 数据库和Active Directory 版本20IPv6 环境中Horizon 7 Server 支持的操作系统20IPv6 环境中桌面和RDS 主机支持的Windows 操作系统21IPv6 环境中支持的客户端21IPv6 环境中支持的远程协议21IPv6 环境中支持的身份验证类型22IPv6 环境中其他受支持的功能224 以FIPS 模式安装Horizon 7 25以FIPS 模式安装Horizon 7 的概述25FIPS 模式的系统要求265 准备Active Directory 27配置域和信任关系27为远程桌面创建OU 28为Kiosk 模式客户端帐户创建组织单位和组29创建用户组29为vCenter Server 创建用户帐户29为独立的View Composer Server 创建用户帐户29为View Composer AD 操作创建用户帐户30为即时克隆操作创建用户帐户31配置受限制的组策略31使用Horizon 7 组策略管理模板文件32为智能卡身份验证准备Active Directory 32在SSL/TLS 中禁用弱密码356 安装View Composer 37准备View Composer 数据库37为View Composer 配置SSL 证书45安装View Composer 服务45对从View Composer 进行的vCenter 和ESXi 连接启用TLSv1.0 47为View Composer 配置基础架构487 安装Horizon 连接服务器50安装Horizon 连接服务器软件50安装Horizon 连接服务器的前提条件51使用新配置安装Horizon 连接服务器51安装Horizon 连接服务器副本实例58配置安全服务器的配对密码64安装安全服务器65Unified Access Gateway 设备优于VPN 的方面72Horizon 连接服务器的防火墙规则73使用备份配置重新安装Horizon 连接服务器74Microsoft Windows Installer 命令行选项76使用MSI 命令行选项静默卸载Horizon 7 组件778 为Horizon 7 Server 配置TLS 证书80了解Horizon 7 Server 的TLS 证书80TLS 证书设置任务概述82获取CA 签发的TLS 证书83配置Horizon 连接服务器、安全服务器或View Composer 以使用新TLS 证书84配置客户端端点以信任根证书和中间证书89为服务器证书配置证书撤消检查91配置PCoIP 安全网关以使用新TLS 证书92将Horizon Administrator 设置为信任vCenter Server 或View Composer 证书96使用CA 签发的TLS 证书的优势96Horizon 连接服务器和安全服务器上的证书问题故障排除969 首次配置Horizon 7 98为vCenter Server、View Composer 和即时克隆配置用户帐户98首次配置Horizon 连接服务器103配置Horizon Client 连接114替换Horizon 7 服务的默认端口121调整Windows Server 设置以支持您的部署12710 配置事件报告129为Horizon 7 事件添加数据库和数据库用户129为事件报告准备SQL Server 数据库130配置事件数据库130为Syslog 服务器配置事件日志记录132Horizon 7 安装《Horizon 7 安装指南》介绍如何安装VMware Horizon® 7 服务器和客户端组件。

View 体系结构规划指南VMware Horizon 7版本 7.0在本文档被更新的版本替代之前，本文档支持列出的每个产品的版本和所有后续版本。

要查看本文档的更新版本，请访问/cn/support/pubs。

ZH_CN-001993-00View 体系结构规划指南2 VMware, Inc.最新的技术文档可以从VMware 网站下载：/cn/support/VMware 网站还提供最近的产品更新信息。

您如果对本文档有任何意见或建议，请把反馈信息提交至：**********************版权所有 © 2009–2016 VMware, Inc. 保留所有权利。

版权和商标信息。

VMware, Inc.3401 Hillview Ave.Palo Alto, CA 94304 北京办公室北京市海淀区科学院南路2号融科资讯中心C 座南8层/cn 上海办公室上海市浦东新区浦东南路 999 号新梅联合广场 23 楼/cn广州办公室广州市天河北路 233 号中信广场 7401 室/cn目录View 体系结构规划指南51View 简介7使用 View 的优势7View 功能9组件如何组成在一起11集成并自定义 View142规划丰富的用户体验19Horizon Agent 的功能支持表19选择显示协议21使用托管的应用程序24使用 View Persona Management 保留用户数据和设置25结合使用 USB 设备与远程桌面和应用程序26将实时音频-视频功能用于网络摄像头和麦克风26使用 3D 图形应用程序27将多媒体文件流式传输到远程桌面27从远程桌面打印28使用单点登录功能进行登录28显示器和屏幕分辨率283从中心位置管理桌面和应用程序池31桌面池的优势31应用程序池的优点32降低并管理存储要求32应用程序置备38使用 Active Directory GPO 管理用户和桌面404远程桌面部署的体系结构设计元素与规划指导原则43远程桌面的虚拟机要求44View ESXi 节点47特定类型员工的桌面池48桌面虚拟机配置51RDS 主机虚拟机配置51vCenter Server 和 View Composer 虚拟机配置52View 连接服务器最大连接数和虚拟机配置53vSphere 群集55存储和带宽要求56View 构建基块63VMware, Inc. 3View 体系结构规划指南View 容器64在一个容器中使用多个 vCenter Server 的优势665安全功能规划69了解客户端连接69选择用户身份验证方法71限制远程桌面访问73使用组策略设置保护远程桌面和应用程序74使用智能策略75实施最佳实践来保护客户端系统75分配管理员角色75准备使用安全服务器75了解 View 通信协议816View 环境设置步骤概述89索引914 VMware, Inc.View 体系结构规划指南《View 体系结构规划指南》主要介绍了 VMware Horizon™ 7 的相关信息，包括主要功能特性和部署选项，同时简要介绍了生产环境中的常见组件设置方式。

VMWare Horizon 7 安装指南VMware Horizon 7 7.5目录Horizon 7 安装61 服务器组件的系统要求7Horizon 连接服务器的要求7Horizon Administrator 要求9View Composer 的要求92 客户机操作系统的系统要求12Horizon Agent 支持的操作系统12独立Horizon Persona Management 支持的操作系统13远程显示协议和软件支持133 在IPv6 环境中安装Horizon 7 19在IPv6 环境中设置Horizon 7 19IPv6 环境中支持的vSphere 数据库和Active Directory 版本20IPv6 环境中Horizon 7 Server 支持的操作系统20IPv6 环境中桌面和RDS 主机支持的Windows 操作系统21IPv6 环境中支持的客户端21IPv6 环境中支持的远程协议21IPv6 环境中支持的身份验证类型22IPv6 环境中其他受支持的功能224 以FIPS 模式安装Horizon 7 25以FIPS 模式安装Horizon 7 的概述25FIPS 模式的系统要求265 准备Active Directory 27配置域和信任关系27为远程桌面创建OU 28为Kiosk 模式客户端帐户创建组织单位和组29创建用户组29为vCenter Server 创建用户帐户29为独立的View Composer Server 创建用户帐户29为View Composer AD 操作创建用户帐户30为即时克隆操作创建用户帐户31配置受限制的组策略31使用Horizon 7 组策略管理模板文件32为智能卡身份验证准备Active Directory 32在SSL/TLS 中禁用弱密码356 安装View Composer 37准备View Composer 数据库37为View Composer 配置SSL 证书45安装View Composer 服务45对从View Composer 进行的vCenter 和ESXi 连接启用TLSv1.0 47为View Composer 配置基础架构487 安装Horizon 连接服务器50安装Horizon 连接服务器软件50安装Horizon 连接服务器的前提条件51使用新配置安装Horizon 连接服务器51安装Horizon 连接服务器副本实例58配置安全服务器的配对密码64安装安全服务器65Unified Access Gateway 设备优于VPN 的方面72Horizon 连接服务器的防火墙规则73使用备份配置重新安装Horizon 连接服务器74Microsoft Windows Installer 命令行选项76使用MSI 命令行选项静默卸载Horizon 7 组件778 为Horizon 7 Server 配置TLS 证书80了解Horizon 7 Server 的TLS 证书80TLS 证书设置任务概述82获取CA 签发的TLS 证书83配置Horizon 连接服务器、安全服务器或View Composer 以使用新TLS 证书84配置客户端端点以信任根证书和中间证书89为服务器证书配置证书撤消检查91配置PCoIP 安全网关以使用新TLS 证书92将Horizon Administrator 设置为信任vCenter Server 或View Composer 证书96使用CA 签发的TLS 证书的优势96Horizon 连接服务器和安全服务器上的证书问题故障排除969 首次配置Horizon 7 98为vCenter Server、View Composer 和即时克隆配置用户帐户98首次配置Horizon 连接服务器103配置Horizon Client 连接114替换Horizon 7 服务的默认端口121调整Windows Server 设置以支持您的部署12710 配置事件报告129为Horizon 7 事件添加数据库和数据库用户129为事件报告准备SQL Server 数据库130配置事件数据库130为Syslog 服务器配置事件日志记录132Horizon 7 安装《Horizon 7 安装指南》介绍如何安装VMware Horizon® 7 服务器和客户端组件。

桌面虚拟化部署VMware Horizon View 7部署图文教程2：安装VMware Horizon 7的前期准备2.安装VMware Horizon 7的前期准备
1）准备vSphere环境，可以使用ESXi 6.0/5.5并安装vCenter。

2）准备域环境，VMware Horizon必须使用域来为用户提供统一账户和验证支持。

3）创建Horizon用户和组
Horizon不需要修改AD中的任何信息，不过建议用户在AD中创建属于Horizon的OU 和用户组，创建OU的目的在于方便应用各种域策略。

DC上需要创建3个OU：
1.Horizon OU：Horizon的根组织单元
1、Horizon Users：Horizon用于存放的用户和组
1、Horizon Computer：用于存放虚拟桌面计算机
1、在Horizon Users组织单元中创建Horizon group，创建test1和test2两个用户并加入到Horizon group组中。

接下来创建用户
实验环境中可以选择密码永不过期。

接着在成员中将用户加入组
添加完成后，可以在Horizon Group组属性中看到两个用户。

VMWare Horizon 7 安全体系规划指南目录Horizon 7 安全性51 Horizon 7 帐户、资源和日志文件6Horizon 7 帐户6Horizon 7 资源7Horizon 7 日志文件72 Horizon 7 安全性设置9Horizon Administrator 中的安全性相关全局设置9Horizon Administrator 中的安全性相关服务器设置11View LDAP 中的安全性相关设置123 端口和服务13Horizon 7 的TCP 和UDP 端口13Horizon 7 TrueSSO 端口16连接服务器主机上的服务17安全服务器上的服务184 证书指纹验证和自动生成证书195 在连接服务器实例或安全服务器上配置安全协议和密码套件20安全协议和密码套件的默认全局策略20配置全局接受和建议策略21在单个服务器上配置接受策略22在远程桌面上配置建议策略23在Horizon 7 中禁用的旧协议和密码246 为Blast 安全网关配置安全协议和密码套件26为Blast 安全网关(BSG) 配置安全协议和密码套件267 在安全的Horizon 7 环境中部署USB 设备28对所有类型的设备禁用USB 重定向28对特定设备禁用USB 重定向298 连接服务器和安全服务器上的HTTP 保护措施31Internet 工程任务组标准31万维网联盟标准32其他保护措施36Horizon 7 安全配置HTTP 保护措施38Horizon 7 安全性《Horizon 7 安全指南》提供了对VMware Horizon 7 的安全功能的简明参考。

⏹所需的系统和数据库登录帐户。

⏹安全性相关的配置选项和设置。

⏹必须受到保护的资源，如安全性相关的配置文件和密码，以及对安全操作的建议访问控制。

⏹日志文件的位置及其用途。

⏹为确保Horizon 7 正常运行而必须打开或启用的外部接口、端口和服务。