VMware Horizon 7 – announcements – part1
VMware announced Horizon 7 today; it will be released in Q1. In this article I walk you through the major changes from the last version. This is part 1; part 2 has more announcements. Let me start by making a list of topics:
- CloudPod architecture
- Instant clones
- Smart policies
- Access Point
- Flash redirection
- Scanner and serial
- URL content redirection
- Horizon 4.0 client
- Horizon for Linux
That’s a vast list, so let’s walk through it one by one.
I wrote separate articles for instant clones and smart policies, because they were too vast to incorporate here. Smart policies are covered in the UEM article. Please click the link to read about them there.
Cloud pod architecture
Cloud Pod architecture offers multi-datacenter deployments of Horizon View. Without it every datacenter is an island, and users are offered multiple desktop pools or apps, each in a different datacenter. With a Cloud Pod you can combine them into one large entity.
Four improvements were made:
- With Horizon 7 you can include 10 Horizon View Pods and span 4 different sites. 50.000 sessions are supported with this setup.
- With Horizon 7 you can set a home site for users even when they are in a nested AD group.
- If the home site of a user is exhausted, the user is redirected to another desktop, or to another site if needed.
- Cloud Pod with Horizon 7 is fully integrated with Identity Manager. Identity Manager will provide a desktop to the user from any site.
The changes in SSO relate to certificate-based authentication: authentication is done through the identity manager. Passwords of the user are not transferred any further in the datacenter; all validation is done based on certificates.
So how does this work?
- A user authenticates with the identity manager.
- The administrator sets up authentication methods like SecurID, RADIUS or biometrics based on company policies.
- After the user is authenticated, he or she can select an app or desktop.
- The Horizon client is launched with the user’s identity, which was just established.
- The broker validates that identity with the identity manager.
- A short-lived certificate is requested from the internal CA.
- That certificate is presented to the Windows OS to log the user on.
- Windows validates that certificate and logs the user on.
- The session is initiated on the Horizon client.
No more passwords roaming the datacenter. Identity manager uses SAML to connect to the identity provider authentication with the user’s UPN for AD access.
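The certificate steps of the flow above, modelled as an added example (not VMware code and not from the original article): it shows why a short-lived, CA-signed credential bound to the UPN can replace the password at logon. An HMAC stands in for the internal CA's X.509 signature, and the key, the 300-second lifetime, the function names and the sample user are all assumptions.

```python
import hashlib
import hmac
import json

CA_KEY = b"constructed-demo-ca-key"  # stands in for the internal CA's private key
CERT_LIFETIME_S = 300                # assumed; the article only says "short lived"


def _sign(body: dict) -> str:
    # HMAC replaces the CA's certificate signature so no third-party library is needed.
    payload = json.dumps(body, sort_keys=True).encode()
    return hmac.new(CA_KEY, payload, hashlib.sha256).hexdigest()


def broker_request_cert(assertion: dict, idm_valid_ids: set, now: int) -> dict:
    """Broker: validate the identity with the identity manager, then get a cert."""
    if assertion["id"] not in idm_valid_ids:
        raise PermissionError("identity manager does not recognise this assertion")
    body = {"upn": assertion["upn"], "not_before": now, "not_after": now + CERT_LIFETIME_S}
    return {"body": body, "sig": _sign(body)}


def windows_logon(cert: dict, now: int) -> str:
    """Logon: accept the cert only if issuer signature and validity window hold."""
    if not hmac.compare_digest(cert["sig"], _sign(cert["body"])):
        raise PermissionError("certificate not issued by the trusted CA")
    body = cert["body"]
    if not body["not_before"] <= now <= body["not_after"]:
        raise PermissionError("certificate outside its validity window")
    return body["upn"]


def attempt(cert: dict, now: int) -> str:
    """Return the logon outcome as text instead of raising."""
    try:
        return "logged on as " + windows_logon(cert, now)
    except PermissionError as exc:
        return "denied: " + str(exc)


if __name__ == "__main__":
    t0 = 1_700_000_000  # constructed timestamp
    assertion = {"id": "a-1", "upn": "alice@corp.example"}  # constructed sample
    cert = broker_request_cert(assertion, {"a-1"}, t0)
    print(attempt(cert, t0 + 10))                   # inside the validity window
    print(attempt(cert, t0 + CERT_LIFETIME_S + 1))  # same cert after it expired
    altered = {"body": dict(cert["body"], upn="admin@corp.example"), "sig": cert["sig"]}
    print(attempt(altered, t0 + 10))                # UPN changed after issuance
```

No password appears anywhere in the exchange: the only secret is the CA key, and a captured certificate stops being useful once its lifetime ends.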
Last year Access Point, the successor of the Security Server, was announced. Access Point is a Linux-based appliance that lives in the DMZ. It’s a hardened appliance with less attack surface than a Windows platform.
The good thing about an Access Point is that it’s independent from the connection servers: no pairing for external access. That was true when you didn’t need 2FA authentication; when you did, you still needed to pair.
With Horizon 7 this requirement is gone for some scenarios.
When you use RADIUS or RSA SecurID you can authenticate the user in the DMZ; there is no need to access the LAN anymore for this. The pairing of the connection server is a thing of the past. It also offers full support for smart card authentication from now on.
Third-party authentication is supported; SAML pass-thru can be set up, but it still has to be set up on the connection server.
From Horizon 7 on, port sharing for Blast and PCoIP is supported: one less port to open in the firewall.