VMware Horizon 7, announced today, is a real (re)evolution of the product. Just-in-time desktops are in! The feature, known as Project Fargo or vmFork technology, provisions a desktop from a parent desktop in just a few seconds (the clone is a very lightweight VM because it shares all memory and disk with the original). So in Horizon View 7 there is no more Composer and no more recompose operations. Desktop admin folks know what this is about… Blast also gets enhanced with Blast Extreme, allowing up to 4K resolution on client devices.
Identity Manager takes over in this release: users can authenticate via different credential options and then just select any Windows desktop or application without needing to present AD credentials.
Horizon Client 4.0 has been announced for all platforms (Linux, Windows, Mac, iOS and Android). Details are in this post. I have the feeling that VMware has had to throw in some massive development force, because the product offering just gets larger and larger, with different platforms accessing the Horizon View product. So when you look at everything that's new, it's just … huge. But let's get started. This is an exciting day…
Update: Horizon 7 has been released!
VMware Horizon 7 details – What's New?
Massive scale improvement – Cloud Pod Architecture can now have up to 10 Horizon pods across up to 4 sites, with a maximum of 50 000 desktops. That is a two-and-a-half-times increase over Horizon 6.2.1.
More flexible entitlements – The Cloud Pod Architecture (CPA) allows site assignment for nested AD security groups.
Better failover support – If the home site's resources are exhausted or not available, the user is automatically redirected to an available desktop at another site.
VMware Identity Manager integration – Identity Manager is integrated with CPA, where it presents the desktops or applications available from any CPA pod.
Instant Clones details – Instant Clones leverage VMware vmFork technology:
- A running, powered on desktop (Parent Virtual Machine) is quiesced and cloned.
- Clones share the disk and memory of the Parent VM for reads – space and memory efficiency
- The guest OS is customized, joins the domain, and is ready for user login as the desktop fully powers on
Instant clones can be persistent or non-persistent.
The desktop is destroyed at the time of user logoff. A new, fresh and updated desktop is created and ready for the next user log in.
No need to do maintenance (recompose)
- Patching the Operating System is as simple as updating the Parent Virtual Machine. A user automatically gets an updated desktop at next login. No lengthy recompose operation.
- Desktops are short-lived and always recreated and automatically optimized for best performance. No separate rebalance operation is required.
- No boot storms (desktops Always On)
- Desktop clones share disk and memory for reads
- Less load on vCenter
- No need for SE-Sparse and clone-level CBRC
- Uses App Volumes and User Environment Manager (UEM) for desktop personalization
- vmx-11 and higher virtual hardware
Instant Clones limitations – there are some limitations in the v1.0 release. For example, only floating desktops are supported. No dedicated desktops for now, but v2 shall have it. There is also no RDSH or Apps support, only VDI. The scale is up to 2000 desktops with a single vCenter and a single VLAN only.
- No Nvidia GRID, and there are limited SVGA options.
- Storage options are VSAN or VMFS datastores.
- Desktop personalization uses App Volumes User-Writeable Drives and UEM.
Smart Policies – customize desktops based on location and the user's identity in real time (during the session). The desktop is personalized at boot, but thanks to constant monitoring it's possible to add or remove functions on the fly by applying a policy.
- Application blocking
- Control of PCoIP
- Policies based on User Identity, location, Desktop tagging
- Desktop capabilities provide client drive redirection, clipboard cut/paste, USB, printing…
The workflow:
The desktop admin uses the UEM console to create policies, which are applied to a group of desktops. The administrator allows or disables desktop features such as USB, Local Printing, Clipboard access, and Drive Redirection. The policies can be applied based on a set of conditions:
- The user’s login or group membership (e.g. all users in Finance)
- Whether the user is accessing the desktop from a remote location
- A general list of conditions such as any tags associated with a desktop pool
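The condition-based workflow above, modelled as an added example (not UEM's policy format or evaluation logic, and not code from the original post). The `Session`, `Policy` and `effective_features` names, the default-deny rule and the "disable beats allow" rule are assumptions chosen for illustration; the sample policies are constructed.

```python
from dataclasses import dataclass
from typing import Optional

FEATURES = ("usb", "printing", "clipboard", "drive_redirection")

@dataclass
class Session:
    user: str
    groups: set
    remote: bool      # True when the client connects from a remote location
    pool_tags: set    # tags on the desktop pool serving this session

@dataclass
class Policy:
    name: str
    settings: dict                  # feature -> True (allow) / False (disable)
    group: Optional[str] = None     # None means "condition not used"
    remote: Optional[bool] = None
    pool_tag: Optional[str] = None

    def matches(self, s: Session) -> bool:
        return ((self.group is None or self.group in s.groups)
                and (self.remote is None or self.remote == s.remote)
                and (self.pool_tag is None or self.pool_tag in s.pool_tags))

def effective_features(policies, session):
    """Default deny; an explicit disable in any matching policy beats any allow."""
    allowed, denied = set(), set()
    for p in policies:
        if not p.matches(session):
            continue
        for feature, on in p.settings.items():
            if feature not in FEATURES:
                raise ValueError(f"{p.name}: unknown feature {feature!r}")
            (allowed if on else denied).add(feature)
    return {f: f in allowed and f not in denied for f in FEATURES}

# Constructed sample policies, one per condition type listed above.
POLICIES = [
    Policy("finance", {"usb": True, "printing": True, "clipboard": True}, group="Finance"),
    Policy("remote-lockdown", {"usb": False, "clipboard": False, "drive_redirection": False}, remote=True),
    Policy("kiosk-pool", {"printing": False}, pool_tag="kiosk"),
]

if __name__ == "__main__":
    alice = Session("alice", {"Finance"}, remote=False, pool_tags=set())
    print("office:", effective_features(POLICIES, alice))
    alice.remote = True   # same session re-evaluated after the location changes
    print("remote:", effective_features(POLICIES, alice))
```

Because allows and disables are collected before the result is computed, the outcome does not depend on the order in which policies are listed.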
Authentication in Horizon 7 is done through VMware Identity Manager, which supports different ways of identifying users. Users can select any Windows desktop or app without having to present AD credentials.
The True SSO technology uses SAML to connect the identity provider's (IdP) authentication with the user's UPN for access to AD credentials. True SSO generates a unique, short-lived certificate to manage the Windows logon process.
Advantages:
- Separate authentication
- Credentials secured by digital certificate. No passwords.
How it works – Identity Manager can be configured for use with many authentication methods (SecurID, RADIUS, Biometric), and after authenticating, the user selects the desktop or application he wants to start.
- Horizon Client is started on the user's workstation with the user's identity and directed to the Horizon broker
- The broker validates the user's identity with Identity Manager
- Via the Enrollment service, Horizon requests the Microsoft CA to generate a temporary certificate for the user
- Horizon presents the certificate to the Windows OS
- Windows validates the certificate with AD
- The user is logged on to his/her desktop or app. The remote session is initiated on the Horizon client.
Horizon Access Point
The hardened appliance gets stronger and has been updated. It's an alternative to the security server. It can be configured for RADIUS or RSA SecurID, and supports smart card identification. The user gets identified within the DMZ.
Supports SAML pass-through, forwarding third-party authentication to Horizon servers.
- Allows Blast to be used (port 443)
- Environment is more secure as only authenticated traffic flows on the LAN.
- Easy to configure and scale, as you can scale Access Point independently of the Connection Server
Improvements in v7
AMD Graphics support for vSGA
- Enable multiuser GPU solution for Horizon via AMD graphics hardware
- AMD SR-IOV support (single root I/O virtualization)
- Native AMD driver support for OpenGL, DirectX and OpenCL acceleration
- Solidworks, PTC and Siemens ISV certification planned
Advantages and benefits
You can share a single GPU with up to 15 users for efficient 3D applications, using the native AMD driver, which offers 3D and multimedia over vSGA.
- Workstation performance (2-6 users)
- Power User (CAD/CAM/CAE) – 6-10 users
- Knowledge worker (up to 15 users)
Intel vDGA Graphics support with Intel Xeon E3 – Support for CPUs with integrated Iris Pro GPU and compatible with Intel Graphics Virtualization Technologies (Intel GVT-d), with support up to 3 monitors per user.
Flash Redirection
This is in tech preview (it supports only server-side fetch of the Flash content). It redirects Flash content from the server to the client, where it is decoded and rendered locally.
This lets streaming Flash content play more smoothly, with lower bandwidth and CPU usage on the server side…
Improved printing Experience
Local and network printing is up to 4x faster.
Windows 10 Improvements
Scanner and serial port redirection are supported. Scanner redirection supports the TWAIN and WIA standards on Windows clients. Serial port redirection redirects serial ports from the client to the server.
URL Content Redirection
Allows URLs to be redirected from the VDI desktop to the local browser. The admin can configure policies to control whether the user can access the content with an application on the server or on the client. Supports HTTP and HTTPS. This can be useful for customers who need to separate internal browsing from external browsing domains. It helps secure the environment because content which is potentially dangerous is executed on the client computer instead of on the VDI desktop.
The admin can configure a GPO that restricts which content is opened in a browser inside the VDI desktop versus in the browser on the client's PC.
Blast Extreme
Optimized for mobile. All existing Horizon View remote features work with Blast Extreme and the latest Horizon 4 clients (read below about the new Horizon 4 clients). Blast Extreme has lower bandwidth requirements.
Blast Extreme is optimized for NVIDIA GRID, allowing very good graphics even on lower-cost PCs, with better frame rate, higher server scalability, reduced latency and better bandwidth optimization. Allows up to 4K resolution!
- Supports NVIDIA GRID K1, K2, M6 and M60 graphics cards
- H.264 encoder option on NVIDIA GRID GPUs to lower CPU consumption and increase scalability
VMware Horizon Client 4.0
Newly announced Horizon Clients 4.0 for Windows, Linux, Mac OS X… everything…
Horizon Client 4.0 Windows – has full support for PCoIP and Blast Extreme, with hardware acceleration.
- Offers a scaled resolution option for high-DPI clients, which allows better readability
- Auto-share USB drivers with Client Drive Redirection. CDR has been improved, is easier to use, and has better performance.
- Up to 4x faster printing via Horizon 7
- Up to 50% more performant over WAN, through security server, for Client drive redirection (CDR) and USB.
- Updated OpenSSL and TLS
- Supported on Windows Server 2012 (until now it was supported only on W7, W8.1 and W10)
VMware Horizon Client Mac – supports Blast Extreme and PCoIP
- Works with split view in OS X El Capitan
- Full Screen improvements for one display and All displays
- Open local files with Horizon hosted apps (double-click, Open With, or drag-and-drop files onto Horizon apps)
- Up to 4x faster printing via Horizon 7
- Up to 50% more performant over WAN, through security server, for Client drive redirection (CDR) and USB
- 64 bit client version
- Allows remembering username/domain credentials
- Updated OpenSSL and TLS
Linux Client 4.0 – Now supports RHEL 7.2 x64 and Ubuntu 14.04 x64
- VMware Blast Extreme and PCoIP full support
- Up to 4x faster printing via Horizon 7
- Up to 50% more performant over WAN, through security server, for Client drive redirection (CDR) and USB
- FIPS mode for Blast Extreme, PCoIP and USB
iOS Client 4.0 – can also use split view on iPad Air 2 and iPad Pro
- Full support for Blast extreme with hardware acceleration
- Use Apple Pencil as a remote mouse
- Real-time Audio in to use microphone with desktop & apps
- Client settings now in client and easier to use
- Updated OpenSSL and TLS for improved security
Android Client 4.0 – allows accessing the environment via Android Fingerprint (if enabled and if Android 6.0 and higher or Horizon 6.2 with biometric auth. enabled)
- Support for VMware Blast Extreme and PCoIP, and Blast extreme with hardware acceleration
- Real-time Audio-In support to use mic with desktop and apps
- Possibility to access device built-in storage in remote apps and (or) desktop with client drive redirection
- Updated OpenSSL and TLS
Chrome OS Client 4.0 – also supports Blast Extreme and PCoIP. Google Drive and USB storage can be accessed in remote apps and desktops with client drive redirection.
HTML Access 4.0 – now supports Linux desktops and works with mobile Safari on iOS devices. F5 APM (Access Policy Manager) is also supported.
VMware Horizon for Linux
- Support for SLED 11 SP3 has been added.
- Allows copy/paste between Linux desktop and Horizon Client (6.2.1)
- vGPU for RHEL 7.x (6.2.1)
- SSO enablement for RHEL 6.6 and CentOS 6.6 without smartcard (6.2.1)
Horizon Air Hybrid mode
This mode has been announced as a new platform which allows the control plane to run in the cloud.
- Desktops and apps reside locally (on-premises)
- The cloud control plane provides single-pane management of user profiles and data. It also provides automated service updates for SaaS.
VMware Announcements Today:
- VMware Workspace One Announced
- VMware Horizon 7 Details – Instant Clones, Blast Extreme ++ (this post)
- VMware VSAN 6.2 Announced – Inline dedupe, Erasure Coding, QoS ++
Thoughts:
VMware certainly brought many innovations to life in this major release of Horizon 7. This is certainly one of the biggest releases of Horizon so far. Perhaps because there is not much left to invent in the core hypervisor or virtualization technologies, except the newly announced VSAN 6.2 features, but VSAN is storage…
While a few years back we saw really innovative releases of vSphere, since vSphere 5.5 the pace has slowed a bit. And not everything is working as it should, with the vSphere Web Client not satisfying many customers because of its slowness, browser integration plugin gotchas and legacy Flash requirements.
doug storms says
Any improvements or changes to the View admin console, integration with Airwatch etc?
Vladan SEGET says
I’m not an Airwatch user. Did a trial a while back. Plus, this is an announcement, which is not a release…
Najt says
Since there is no GA build yet available to download is there beta software available to ordinary people ?
We are small customer with View 5.3 deployed and this one looks really exciting and worth upgrading.
Also regarding blast protocol is this new that it uses h.264 as video codec ? What kind of codec was used in previous version of blast for image ?
Vladan SEGET says
I’m not aware of beta, but from what has been said; the availability is planned in 2-3 weeks time from now…
Thomas Fenton says
VMware sometimes lets its customers run beta bits. Contact your VMware Sales executive or Engineer as they may be able to hook you up with an early release of the product.
fbifido (@fbifido) says
Hi,
[Video]
Hypervisor can virtualize CPU & Network in a machine, why can’t that be done for Video?
Why are hypervisor vendors trying to follow NVidia?
Yes, Grid is a great technology, but it does not scale. Why can they do for video, what they did for CPU?
Microsoft is trying to do the real deal, but they are using CPU & software to do it (RemoteFX in Windows 2016).
If every basic server video card can do Hardware Accelerated openGL 4.4/ openCL/ H.265/ H.264/ DX9-12/etc…, then why can’t the hypervisor software use this as a key to do video-virtualization?
Is the video card in a xen/hyper-v/kvm/esxi/etc. server used for anything other than to display stuff for the physical machine? Is any part of it used for the VMs running on that server?
All hypervisor vSVGA should use on-board video to offload GPU, this is the right-path to real-grid-gpu.
Just like how you have VT-x/AMD-v for CPU, we need something similar for video/graphics
eg: VT-xg/AMD-vg
Or even better if they can create an open standard for CPU virtualization, Network virtualization, Video virtualization.
Memory & Storage can’t seem to be able to virtualize, mainly because we can only use one bit at any given time, while CPU can use one cycle many different times at any given time.
[vSAN 6.2]
This inline-dedup, does it also have auto-defrag?
This feature is very important.
Thanks.
alex says
Any increase on the 4 monitors limit with VMware View and PCoIP?
the.observer says
Is there any official reference link for the information above – or where did it come from (especially those screenshots)?
Vladan SEGET says
I used all I had. VMware has published their own information as well, but it’s not organized in a single place…
Bob Eadie says
Just gone to the download pages, and Composer is the first component listed . . . but above suggests that Composer is not now required? Optional Extra for something, or?
Perhaps I need to read the documentation!
John says
How can I use the Blast Extreme protocol? I heard it uses only port 443. This simplifies access and allows users to access it in many locations where ports 8443 and 8172 are blocked. I did not see anywhere to select this protocol. I saw only Blast and it needs port 8443.
Vladan SEGET says
Check the network port diagram and a VMware View ports and network connectivity requirements
Eddyc says
I came across a similar situation. You need to allow port 443 for both TCP and UDP, and also TCP 8443.
Then at the security server, make sure your Blast External URL matches your external FQDN/IP address, and change the port 8443 to a custom port if port forwarding is configured at the firewall.
Caroline Arakelian says
See a video version of Tarique Chowdhury’s True SSO blog post here: https://youtu.be/V4B-mRWTKlw