Horizon 8 on VMware Cloud on AWS Configuration

This chapter is one of a series that make up the Omnissa Workspace ONE and Horizon Reference Architecture, a framework that provides guidance on the architecture, design considerations, and deployment of Omnissa Workspace ONE and Omnissa Horizon solutions. This chapter provides information about deployment and configuration of Omnissa Horizon 8 on VMware Cloud on AWS (referred to as VMC on AWS throughout this document).

This guide is not intended to replace the product documentation, but to reference and supplement it with additional guidance. A companion chapter, Horizon 8 on VMware Cloud on AWS Architecture, provides guidance on the architecture and design.

Deploying Horizon 8 on VMware Cloud on AWS

This chapter covers specific information for deploying and configuring Omnissa Horizon 8 on VMware Cloud on AWS (VMC on AWS). For more general information on deploying and configuring Omnissa Horizon 8, see Horizon 8 Configuration.

The recommendation for a production environment is to use a minimum of three hosts in a cluster. Using a single host is recommended only for testing because with a single host, there is no HA. By default, a single-node SDDC gets deleted after 30 days.

To deploy Omnissa Horizon 8 on VMC on AWS:

  1. Create an SDDC instance on VMC on AWS. See the VMC on AWS documentation.
  2. Deploy Horizon 8 or Horizon 7.5 or later on VMC on AWS.
  3. Set up the Horizon 8 environment on VMC on AWS.

SDDC Preparation

Create an SDDC instance on VMC on AWS and set up the required networking. See the VMC on AWS documentation for more details.

Provision an SDDC

  1. Using a browser, go to https://vmc.vmware.com.
  2. Select Create SDDC and choose the region, deployment model, SDDC name, and number of hosts.
  3. When prompted, select your AWS account and the VPC and subnet to use with this SDDC.
  4. Define a management subnet for the vCenter Server, NSX Manager, and ESXi hosts.
  5. Finish by selecting Deploy SDDC.

Create Network Segments

Network segments can be added using the VMware Cloud admin console:

  1. View Details of the SDDC.
  2. Select Networking & Security > Network > Segments.
  3. Under Segment List, select Add Segment.
  4. Add segments for the following networks, defining a Segment Name and Subnet. The Type should be left as the default Routed.
  • Add segments for External-DMZ, Internal-DMZ, Horizon-Management, VDI, and RDSH.
  • For the VDI and RDSH segments, also launch and complete the Set DHCP Config wizard.

Other Networking Configuration

  • Create security groups.
  • Set firewall rules.
  • Configure DNS.
  • Request public IP addresses.

Create Resource Pools

Two vSphere resource groups are automatically created when the SDDC is created. It is recommended to create child resource pools in the Compute-ResourcePool to allow prioritization of the management servers and desktops/RDS Hosts.

In the vSphere Client:

  1. Click Menu and select Hosts and Clusters.
  2. Browse to and expand vCenter > SDDC-Datacenter > Cluster-1 > Compute-ResourcePool.
  3. Right-click and select New Resource Pool.
  4. Create two new resource pools for Horizon-Management and Horizon-User.

See Managing Resource Pools for more information.

Windows Server Template

To facilitate the creation of Windows servers for the various Horizon management components, either import an existing vSphere VM template or create a new VM and convert it to a template.

  • Upload VM template or Windows Server ISO.
  • Import customization specifications.

Horizon 8 Deployment

When you set up the Horizon 8 environment on VMC on AWS, you must install and configure the following components:

  • Install Active Directory, DNS, DHCP, and KMS servers.
  • Optionally, install RDS license servers.
  • Install Horizon Connection Servers.
  • Register the SDDC vCenter Server.
  • Install Unified Access Gateway appliances.

Connection Server

With Horizon 8, when deploying the first Connection Server in the SDDC, make sure to choose AWS as the deployment type. This sets the proper configuration and permissions on the Connection Server and Virtual Center.

Figure 1: Choose the Horizon Deployment Location

Deploy the Connection Servers to the following locations:

  • Folder = Workloads
  • Compute resource = SDDC-Datacenter > Cluster-1 > Compute-ResourcePool > Horizon-Management
  • Storage = WorkloadDatastore

Horizon 8 and Horizon 7.5 and later are supported on VMC on AWS. For details, see the Knowledge Base article: Horizon on VMware Cloud on AWS Support (58539).

vCenter Server

When registering the vCenter Server with the Horizon Connection Servers, use cloudadmin@vmc.local for the vCenter Server credential username.

If using a single-node vSphere cluster (usually for a proof of concept), you will need to modify the vSAN VM storage policies to “No data redundancy.” These policies are automatically created when the first desktop pool or RDS Farm is deployed.

Figure 2: vSAN Storage Policies for Horizon

Unified Access Gateway

Deploy the Unified Access Gateway appliances and register them with the Connection Servers if your deployment supports remote users.

Deploy the Unified Access Gateway appliance to the following locations:

  • Folder = Workloads
  • Compute resource = SDDC-Datacenter > Cluster-1 > Compute-ResourcePool > Horizon-Management
  • Storage = WorkloadDatastore

Instant Clones

When you install and configure Horizon for instant-clone deployment on VMC on AWS, note the following:

  • CBRC is not supported or needed on VMC on AWS. CBRC has been turned off by default.
  • On the golden image VM, add the domain’s DNS to avoid customization failures.

When creating Horizon instant-clone pools on VMC on AWS, use the following settings in the provisioning wizard:

  • Folder = Workloads
  • Compute resource = SDDC-Datacenter > Cluster-1 > Compute-ResourcePool > Horizon-User
  • Storage = WorkloadDatastore

Firewall Rules

The firewall service on VMC on AWS is based on NSX-T and provides both Distributed (Micro-segmentation) and Gateway Firewall Services.

To simplify the management of the Gateway Firewall, it is recommended to use Groups (located under Networking & Security > Inventory) for both Compute and Management.

  • Pre-create groups for your on-premises vSphere management components, VDI components, and applications to be accessible from VMC on AWS.
  • Do the same for VDI components deployed on VMC on AWS. Groups for vSphere management components are already pre-created. While creating a group, you need to specify IP addresses using CIDR notation.
  • You can include a single host as a member by specifying a /32 mask, or a continuous range of IPs by using the relevant CIDR (such as /24 to include all IPs within a 24-bit subnet).

Note: The default behavior of both the Management and Gateway Firewall is to deny all traffic not explicitly enabled.

You can run the Firewall Rule Accelerator in VMC on AWS for all VPNs to create all the required firewall rules.

Management Gateway Firewall Rules

At minimum, you need to enable the traffic flow between the Horizon management components, such as the Connection Servers, and the SDDC-provided vCenter and ESXi hosts in VMC on AWS.

Note: There is a predefined set of services that you can use while configuring rules for the Management Gateway Firewall. You cannot add or modify these services. Each group (ESXi hosts, vCenter, and so on) has its own set of services.

You can achieve this by creating the following rules:

Table 1: Management Gateway Firewall Rules for Horizon Connectivity to vSphere

| Name | Sources | Destinations | Services | Action |
|---|---|---|---|---|
| ESXi Inbound | Horizon Management Servers | ESXi | Provisioning & Remote Console, ICMP All, VMware VMotion, HTTPS | Allow |
| vCenter Inbound | Horizon Management Servers | vCenter | SSO, ICMP ALL, HTTPS | Allow |

Compute Gateway Firewall Rules

The Compute Gateway Firewall runs on the SDDC router (Tier 0) and provides firewalling for the Compute Gateway and the network segments defined on it. You will need a rule to allow Horizon connections into the External DMZ network segment and the Unified Access Gateways. You will also probably want to add a rule to allow the virtual desktops or published applications to access the internet.

Table 2: Compute Gateway Firewall Rules

| Name | Sources | Destinations | Services | Applied To | Action |
|---|---|---|---|---|---|
| External DMZ Inbound | Any | External-DMZ-Segment | HTTP, HTTPS, Blast, PCoIP | Internet Interface | Allow |
| Outbound Internet Access | VDI-Segment, Horizon Management-Segment | Any | HTTP, HTTPS, DNS, DNS-UDP | Internet Interface | Allow |
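
The following added example (not part of the Omnissa guide or any VMware tooling) models the CIDR-based groups and default-deny behavior described under Firewall Rules, with Table 2 expressed as data, so that expected-allow and expected-deny flows across the Internet Interface can be checked before rules are changed. The group CIDRs, the sample flows, and the protocol/port mapping for each service name are assumptions made for illustration.

```python
import ipaddress

# Constructed group members in CIDR notation (addresses are placeholders).
GROUPS = {
    "Any": ["0.0.0.0/0"],
    "External-DMZ-Segment": ["192.168.10.0/24"],
    "Horizon Management-Segment": ["192.168.20.0/24"],
    "VDI-Segment": ["192.168.30.0/24"],
}
# Assumed protocol/port pairs for the service names in Table 2.
SERVICES = {
    "HTTP": {("tcp", 80)}, "HTTPS": {("tcp", 443)},
    "Blast": {("tcp", 8443), ("udp", 8443)},
    "PCoIP": {("tcp", 4172), ("udp", 4172)},
    "DNS": {("tcp", 53)}, "DNS-UDP": {("udp", 53)},
}
# Table 2 as data: (name, sources, destinations, services). All are Allow rules.
RULES = [
    ("External DMZ Inbound", ["Any"], ["External-DMZ-Segment"],
     ["HTTP", "HTTPS", "Blast", "PCoIP"]),
    ("Outbound Internet Access", ["VDI-Segment", "Horizon Management-Segment"],
     ["Any"], ["HTTP", "HTTPS", "DNS", "DNS-UDP"]),
]
DEFAULT = "DENY (default)"

def in_groups(ip, names):
    """True if ip is inside any CIDR of any named group."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for n in names for c in GROUPS[n])

def evaluate(src, dst, proto, port):
    """Name of the first allow rule matching the flow, else the default deny."""
    for name, sources, dests, services in RULES:
        ports = set().union(*(SERVICES[s] for s in services))
        if in_groups(src, sources) and in_groups(dst, dests) and (proto, port) in ports:
            return name
    return DEFAULT

# Constructed flows with the verdict the policy is expected to give.
EXPECTED = [
    (("203.0.113.7", "192.168.10.11", "tcp", 443), "External DMZ Inbound"),
    (("203.0.113.7", "192.168.30.25", "tcp", 3389), DEFAULT),
    (("192.168.30.25", "203.0.113.7", "udp", 53), "Outbound Internet Access"),
    (("192.168.30.25", "203.0.113.7", "tcp", 25), DEFAULT),
]

def check_policy():
    """Return the flows whose verdict differs from the expected one."""
    return [(f, evaluate(*f)) for f, want in EXPECTED if evaluate(*f) != want]

if __name__ == "__main__":
    print(check_policy() or "policy matches expectations")
```

The second and fourth flows show the default deny at work: nothing in Table 2 admits inbound RDP to a desktop or outbound SMTP from one, so neither needs an explicit block rule.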

Summary and Additional Resources

Now that you have come to the end of this design chapter on Omnissa Horizon 8 on VMware Cloud on AWS, you can return to the reference architecture landing page and use the tabs, search, or scroll to select a further chapter in one of the following sections:

  • Overview chapters provide understanding of business drivers, use cases, and service definitions.
  • Architecture chapters give design guidance on the Omnissa products you are interested in including in your deployment, including Workspace ONE UEM, Access, Intelligence, Workspace ONE Assist, Horizon Cloud Service, Horizon 8, App Volumes, Dynamic Environment Manager, and Unified Access Gateway.
  • Integration chapters cover the integration of products, components, and services you need to create the environment capable of delivering the services that you want to deliver to your users.
  • Configuration chapters provide reference for specific tasks as you deploy your environment, such as installation, deployment, and configuration processes for Omnissa Workspace ONE, Horizon Cloud Service, Horizon 8, App Volumes, Dynamic Environment Management, and more.

Additional Resources

For more information about Omnissa Horizon 8 on VMC on AWS, you can explore the following resources:

Changelog

The following updates were made to this guide:

| Date | Description of Changes |
|---|---|
| 2024-06-04 | Updated for Omnissa docs, KB, and Tech Zone links. |
| 2023-07-25 | Added this Summary and Additional Resources section to list changelog, authors, and contributors within each design chapter. |

Author and Contributors

This chapter was written by:

Feedback

Your feedback is valuable. To comment on this paper, either use the feedback button or contact us at tech_content_feedback@omnissa.com.

