Evaluation Guide for Horizon Cloud Service

Purpose of This Guide

This evaluation guide introduces you to Omnissa Horizon Cloud Service, which combines the management functionality of the Horizon Cloud Service control plane with the cost-saving capacities of scalable cloud platforms.

Use Horizon Cloud to manage VDI machines and published Windows applications that are hosted in a cloud platform, such as a Microsoft Azure infrastructure, on RDSH servers or Windows 10 or Windows 11 Enterprise multi-session desktops. You have the flexibility to choose the deployment option that best meets the needs of your organization or use cases.

The first tutorials in this guide show you how to deploy Horizon Cloud Service components into a Microsoft Azure capacity. (At the time of this writing, Microsoft Azure is the first supported resource capacity provider.) Later tutorials explore core capabilities and key features.

  • What Omnissa manages – With Horizon Cloud – next-gen, the VDI infrastructure services, app-packaging services, connection brokering service, edge gateways, databases, and so on are managed by Omnissa in the Horizon Control Plane.
  • What you manage – The components you will be managing have to do with the virtual desktop images and applications you want to deploy. You can also leverage automation to perform basic agent updates to VDI and RDSH server VMs.

Important: The exercises in this guide are for evaluation purposes, based on minimum required resources for a basic deployment, and do not explore all possible features. The resulting environment should not be used as a template for deploying a production environment. To deploy a production environment, see the Horizon Cloud Service documentation.

Technical Introduction and Features

  Horizon Cloud Service delivers virtual desktops and applications using a DaaS (desktop-as-a-service) platform that is scalable across multiple deployment options. The overall Horizon Cloud tenant environment consists of the Omnissa-hosted cloud service, your designated resource capacity, on a cloud platform, and the Horizon software you deploy into that capacity. For a detailed description, see What Is Omnissa Horizon Cloud Service - next-gen?

Features and Benefits

Key features of Horizon Cloud Service include:

  • Application and desktop delivery: Dedicated and floating desktops are available with virtual desktop infrastructure (VDI). If Microsoft Azure is used as the resource capacity provider, Azure Virtual Desktop is used, and you get the associated advantages of built-in licensing, special Azure instance pricing, and the Windows 10 or Windows 11 Enterprise multi-session desktop operating system.
  • Low-cost hourly billing and power management options: You benefit from consumption-based pricing for capacity, as well as no upfront costs or termination fees. Horizon Cloud has built-in features that automatically allocate and deallocate RD Session Hosts based on demand. For VDI machines, you can schedule powering off for weekends, holidays, and non-working hours.
  • Simplified deployment and management: Depending on the complexity of your configuration, it can take as little as 60 minutes to deploy the service to your own capacity provider instance. Even when you have deployments in multiple regions, you still use the same cloud-based management UI to configure and manage all your Horizon Cloud environments.
  • Advanced automation: Horizon Cloud - next-gen is built entirely using APIs, so that anything you can do from the management interface is accessible through APIs. This public API platform supports third-party ticketing or monitoring solutions, partner-built managed service offerings, and customer-built integrations and automations that leverage existing workflows.
  • Cloud monitoring and image management: You can avoid needing a third party or additional tool to monitor or manage your Horizon Cloud Service deployment. Our new cloud-based monitoring feature allows you to keep an eye on your deployment from a single UI.
  • Certified Azure Virtual Desktop Solution - Omnissa is an approved Azure Virtual Desktop provider, which means that customers can leverage the Azure Virtual Desktop benefits from their Microsoft 365 subscription or Enterprise Agreement in Horizon Cloud Service. This includes Windows 10 and 11 Enterprise multi-session, which is exclusive to Azure Virtual Desktop.

Components and Architecture

The core elements of Horizon Cloud Service include:

  • Horizon Cloud control plane, which also hosts the Horizon Universal Console UI
  • Horizon Edge Gateway
  • Unified Access Gateway
  • Horizon Agent
  • Horizon Client
  • App Volumes
  • Dynamic Environment Manager

For a description of how these components work together, along with a logical architecture diagram, see the Architectural Overview section of the Horizon Cloud Service – next-gen Architecture document.

Packaging and Licensing

Two licensing models are available:

  • Per named user: For virtual environments with end users that require dedicated access to VMs throughout the day
  • Per concurrent connection: For virtual environments with a high number of users who share machines throughout the day, such as students or shift workers

The following types of subscription license are available:

  • Universal subscription for Horizon apps only or Horizon apps and desktops
  • Standard subscription for Horizon apps only

For more information, go to the “Compare Horizon SaaS Editions and Pricing” section of the Horizon Cloud Service product page.

Prerequisites for Completing the Exercises in This Guide

Before starting the exercises in this guide, you must provide your own Microsoft Azure IaaS capacity. See the documentation topic Microsoft Azure Capacity Requirements.

Tip: If you do not have a Microsoft Azure subscription, you might be able to sign up for a free Microsoft Azure account.

Although some of the exercises in guide walk you through performing some of the prerequisite tasks in Microsoft Azure, there are some networking prerequisites that are not included in the exercises. See the following product documentation links and make sure your environment satisfies these requirements before you proceed:

For a complete list of all the requirements, see the documentation topic called Requirements Checklist for Deploying a Microsoft Azure Edge.

Horizon Cloud Onboarding and Domain Registration

Most of the setup and administration tasks for Horizon Cloud Service are accomplished by using the Horizon Universal Console. The exercises in this chapter walk you through signing up for a free trial and registering an Active Directory domain to be used for machine identity.

Exercise: Sign Up for a Free Trial and Onboard to Horizon Cloud

This exercise walks you through signing up for an Omnissa Customer Connect account and directs you to the Horizon Cloud product page, available at https://www.omnissa.com/horizon-cloud-service so that you can contact a sales representative to request a free trial.

This exercise covers the process of:

  • Creating an account on the Omnissa Customer Connect website
  • Onboarding—activating Workspace ONE services, which include Horizon Cloud – next-gen
  • Launching the Horizon Cloud Service and logging in to the Horizon Universal Console

Note: The following video, Starting a Free Trial of  Horizon Cloud Service and Onboarding, demonstrates how to perform this procedure.

Exercise: Register the Active Directory Domain to Be Used for Machines

In this exercise, you bind an Active Directory domain to Horizon Cloud Service so that machine objects can be created in Active Directory. These machine accounts are for virtual desktops and app servers of published apps.

There are several options for Active Directory configurations, as described in the documentation topic Machine Identity Requirements. The configuration used in this exercise is for an on-premises Active Directory.

This exercise covers:

  • Verifying that the on-premises Active Directory is connected to the vNet that will be used in Microsoft Azure
  • Making sure the domain bind and domain join AD user accounts have been created and have the required permissions
  • Specifying the DNS domain name and the organizational unit (OU) to use for storing the computer accounts that get automatically created for virtual desktops and RDSH app servers

Note: The following video, Registering the Domain to Be Used with  Horizon Cloud – Next-Gen, demonstrates how to perform this procedure.

Setting Up Omnissa Access as the User Identity Provider

The exercises in this chapter walk you through setting up Omnissa Access (formerly Workspace ONE Access) to be the identity provider that authenticates end users, authorizes their access to desktops and apps, and provides single sign-on. This setup integrates with Horizon Cloud Service, as well as other Workspace ONE services such as Workspace ONE UEM.

Exercise: Install the Omnissa Access Connector

In this exercise, you perform a default installation, which installs the Directory Sync, User Auth, Kerberos Auth, and Virtual App services. For information about a custom installation, see the production documentation topic Installing the Omnissa Access Connector.

Server host requirements: In the video demonstration, we used a Windows Server 2019 Desktop Experience virtual machine, with 4 CPU cores, 12 GB of RAM, and 100 GB of disk space. For complete system requirements, see the product documentation topic Omnissa Access Connector Systems Requirements.

This exercise covers:

  • Checking to see if the .NET Framework 4.8 is installed on the server that is to host the Omnissa Access Connector
  • Downloading the connector installer and configuration file
  • Running the installer
  • Specifying the service account to be used for running the services that get installed

Note: The following video, Installing the Omnissa Access Connector, demonstrates how to perform this procedure.

Exercise: Sync Active Directory User Groups with Omnissa Access

Now that you have installed the Directory Sync service, which is a component of the Omnissa Access Connector, you can create a directory in Omnissa Access (formerly Workspace ONE Access) and sync it to Active Directory users and groups in your enterprise. Although it is possible to use various types of directories, for this exercise, we use Active Directory over Integrated Windows Authentication.

A limited number of user and group attributes, which you, the administrator, specify, are synced to the Omnissa Access service. User passwords and any attributes other than the ones specified by the administrator are not synced.

Important: Before you start this exercise, you must have an Active Directory security group whose members include the user accounts you want to add to Horizon Cloud. If necessary, create the group in Active Directory Users & Groups and add the accounts as members.

This exercise covers:

  • Adding a directory to Omnissa Access
  • Specifying the AD user account that has permission to query users and groups for the required domains
    For information about what permissions that user needs, see the product documentation topic called  Configuring Active Directory Connection to the Omnissa Access Service.
  • Specifying the user and group distinguished names (DNs) from AD, as described in the Microsoft documentation topic Distinguished Names
  • Setting a schedule that specifies how frequently synchronization will be performed

Note: The following video, Syncing Active Directory User Groups in Omnissa Access, demonstrates how to perform this procedure.

When you sync user groups between Omnissa Access and an on-prem Active Directory server, some user attributes get mapped from one system to the other. In this exercise, you map the additional custom attributes that are required for Horizon Cloud. You also map custom attributes that are required for the people search component of the Intelligent Hub, which is required if you plan to use Omnissa Access as the user identity provider.

Employees use the Workspace ONE Intelligent Hub app, or the browser-based Hub portal, to access, discover, and connect with corporate resources, teams, and workflows within a company.

This exercise covers:

  • Adding and mapping the ObjectGuid, sid, and netBios custom attributes for integration with Horizon Cloud – next-gen
  • Manually syncing the directory to add the custom attributes to the group
  • Adding and mapping the managerDN and businessUnit people search custom attributes for integration with Horizon Cloud – next-gen

Note: The following video, Adding Custom User Attributes and Turning On People Search in Omnissa Access, demonstrates how to perform this procedure.

Exercise: Connect Omnissa Access as the User Identity Provider for Horizon Cloud

Separating machine identity from user identity offers flexibility. For user identity, you can use either Microsoft Entra ID or Omnissa Access (formerly Workspace ONE Access). For information about the various choices, see the documentation topic called Connecting Your Identity Provider.

Earlier exercises showed how to connect Omnissa Access to an on-premises Active Directory and synchronize user directories. In this exercise, you connect Omnissa Access to Horizon Cloud Service.

This video covers:

  • Determining the FQDN of the Omnissa Access tenant
  • Completing the Identity Provider wizard

Note: The following video, Connecting Omnissa Access as an Identity Provider in Horizon Cloud, demonstrates how to perform this procedure.

Exercise: Create a Single Sign-On Configuration

With single sign-on, or SSO, users log in to Horizon Cloud once, and then they can access their virtual desktops and apps without having to log in again. In this exercise, you configure a certificate authority to issue short-lived certificates for authentication to accomplish SSO.

This exercise covers:

  • Setting the certificate authority mode to root
    For information about the other modes, see the documentation topic called About Using a CA for SSO with Horizon Cloud Service - next-gen.
  • Specifying an SSO configuration name and SSO configuration domain name
  • Downloading the certificate authority (CA) bundle, which includes a PowerShell script, on the domain controller
  • Running the PowerShell script that:
    • Publishes the root certificate and the various certificate revocation lists, and adds them to the DS store
    • Adds the certificate to the Enterprise NTAuth store
    • Updates the computer policy

Note: The following video, Creating a Single Sign-On Configuration in Horizon Cloud, demonstrates how to perform this procedure.

Deploying a Horizon Edge

The Horizon Edge is the “thin edge” part of the Horizon Cloud – next-gen architecture. It securely connects end users to their virtual desktops and apps in a cloud platform, such as Microsoft Azure. It also connects to the Horizon Control Plane, so that administrators can create, manage, and assign those virtual desktops and apps.

Each Horizon Edge can support up to 20,000 end users. Scaling beyond that number is straightforward by adding additional Horizon Edges.

This chapter incudes an exercise about running the deployment wizard for a Horizon Edge and also an exercise that walks you through three prerequisite tasks that must be completed in Microsoft Azure prior to deploying an edge.

Exercise: Create a Service Principal and Managed Identity, and Register Required Resource Providers

In this exercise, you create accounts and configure resources that are required for integrating with Microsoft Azure resources:

  • Service principal – A service principal is similar to a service account in an on-prem Active Directory. The service principal is for enterprise apps that need to access Azure resources.

    Important: When creating the service principal, you are strongly advised to copy the client secret and paste it into a document so that you can copy and paste it into the Edge Deployment wizard later. Also make note of the expiration date you specify for the service principal. 
  • Azure resource providers – There are 11 resources that the service principal will access. The providers of these resources must be registered.
  • User-managed identity – A user-managed identity is just like a service principal except that it is linked to an Azure resource rather than to an app. For Horizon Cloud, the Azure resource linked to the user-managed identity is the Azure Kubernetes Service.

For information about the permissions required to perform these tasks in Microsoft Azure, see Permissions required for registering an app, Register resource provider, and Create a user-assigned managed identity.

Note: The following video, Creating a Service Principal & Managed Identity, and Registering Resource Providers in Horizon Cloud, demonstrates how to perform this procedure.

Exercise: Deploy a Horizon Edge

A Horizon Edge consists of one or more Horizon Edge Gateways and one or more pairs of load-balanced Unified Access Gateway virtual appliances; there are no connection servers and no cloud connectors. If more capacity is needed, you need only deploy a new Horizon Edge.

Because the exercises in this guide build on one another, before you attempt this exercise, be sure you have completed all the preceding exercises.

Not all of the prerequisites are covered in the exercises in this guide. Therefore, be sure to read and complete the tasks listed in the earlier section Prerequisites for Completing the Exercises in This Guide.

Besides the networking tasks, you must determine the fully qualified domain name (FQDN) you want to use for the load balancer that will front the pair of Unified Access Gateways that the deployment wizard creates. Before you run the wizard, you must also acquire a security certificate that corresponds to that FQDN, as described in the documentation topic Unified Access Gateway Requirements.

Note: The following video, Deploying a Horizon Edge Using  Horizon Cloud – Next-Gen, demonstrates how to perform this procedure.

Deploying Desktops and Apps to End Users

The exercises in this chapter walk you through creating and publishing a Windows OS image and then using that image to create a desktop and app pool. To assign the desktops and apps to end users, you add the pool to a pool group and then entitle users.

Exercise: Import and Publish a Windows OS Image

Creating a Windows OS image that you can use for VDI desktops or session-based desktops and published applications involves importing an OS image, making any changes or additions to the image, and then publishing the image. In this exercise, you also auto-scan the multi-session VM for applications that you want to publish.

Note: The following video, Creating and Publishing a Windows OS Image in Horizon Cloud, demonstrates how to perform this procedure.

Exercise: Create a Pool and Group and Assign Desktops and Apps

In this exercise, you first create a pool from the multi-session Windows VM that you published in the previous exercise. You then add that pool to a pool group, select which apps to publish, and then entitle the pool group to end users and groups.

Note: The following video, Creating Pools and Pool Groups and Assigning Them in Horizon Cloud, demonstrates how to perform this procedure.

Exercise: Log in to a Horizon Cloud – Next-Gen Desktop or App as an End User

In this exercise, you first log in to a virtual desktop and published app using Horizon Client and take a tour of the user interface. You then log in using a browser and explore that user interface.

Also included in this exercise is a task for administrators: Configuring a custom URL for client access to desktops and apps.

Important: Before you start this exercise, on the client device you plan to use—preferably a desktop or laptop—navigate to the Download Horizon Clients page and download the appropriate client installer for that OS type.

Note: The following video, Logging in to a Horizon Cloud – Next-Gen Desktop or App as an End User, demonstrates how to perform this procedure.

Exercise: Monitor Horizon Cloud Components

With the Horizon Cloud Universal Console, you can monitor user, pool, pool group, and infrastructure information and events. There is even a help-desk feature.

With the intelligence and analytics information available from the Workspace ONE Admin Hub, you can create dashboards and reports to monitor the health of your deployment over time. In this exercise, you take a brief tour of the dashboards of both administrative interfaces.

Note: The following video, Monitoring  Horizon Cloud Components, demonstrates how to perform this procedure.

Summary and Additional Resources

Now that you have completed the exercises in this guide, you should have a basic setup of Horizon Cloud – next-gen. Following is an outline of the tasks you accomplished:

Initial setup:

  1. Completed Horizon Cloud Service onboarding
  2. Set up a machine identity provider and a user identity provider, as well as a single sign-on configuration
  3. Deployed a Horizon Edge to connect end users to their virtual desktop and app resources

With initial setup complete, you then:

  1. Imported a Windows image from the Azure Marketplace
  2. Published the image to Horizon Cloud
  3. Created desktop and app pools and pool groups and entitled end users.
  4. Connected to a virtual desktop and app as an end user
  5. Took a tour of the admin UIs for monitoring the environment, analyzing the health deployment, and using the help-desk feature

Additional Resources

Although the basic environment you just set up is for evaluation purposes only, you can now explore further on your own as you evaluate this offering. When you are ready to deploy a production environment, see the following resources.

 Omnissa Digital Workspace Tech Zone Resources

What Is Horizon Cloud Service - next-gen?

Horizon Cloud API

Horizon Cloud Service Evaluation Guide (YouTube playlist of videos from this document)

    Product Documentation Resources

  Horizon Cloud Service - next-gen Release Notes

Managing Horizon Images with Deployments on Microsoft Azure

Omnissa Product Interoperability Matrices

Changelog

The following updates were made to this guide:

Date

Description of Changes

2024/11/21

Updated various links.

2024/09/25

Updated video links.

2024/07/26

Updated documentation links and product names.

2023/10/10

Added exercises for accessing virtual apps and desktops as an end user and for monitoring the Horizon Cloud environment.

2023/09/20

Added the chapter “Deploying Desktops and Apps to End Users.”

2023/09/09

Original publication date.

About the Author and Contributors

This guide was written by Caroline Arakelian, Senior Technical Marketing Manager, Omnissa. Important contributions were provided by Rick Terlep, Staff Technical Marketing Architect, Omnissa. Some videos in this series were narrated by Gina Daly, Technical Marketing Manager, Omnissa.

Feedback

Your feedback is valuable. To comment on this paper, either use the feedback button or contact us at tech_content_feedback@omnissa.com. 

Filter Tags

Horizon Horizon Cloud Service Document Quick-Start Intermediate