Working from Home Via VMware Horizon in the Age of COVID-19
In emergencies, organizations may not have the 2-3 weeks normally needed to set up full-blown virtual desktop infrastructure (VDI), says Tom Fenton, who has come up with his own solution using VMware Horizon to get remote workers up and running in a timely manner with minimal hardware requirements and user impact.
Due to the recent COVID-19 coronavirus outbreak, many companies are having to come up with strategies to allow their employees to work from home. For some individuals, working from home is as simple as taking their laptops home, but others may have specialized PCs that are not as easy to transport back and forth between a home office and workplace. To further complicate things, corporate governance may dictate that the hardware or the data on an employee's desktop computer cannot leave the company premises.
For years now, I along with other proponents have been stressing the benefits of using virtual desktop infrastructure (VDI) for situations such as this as it allows users to work from any location as long as it has network connectivity. Standing up a full VDI solution usually involves acquiring hardware, installing VDI software, creating virtual desktop images, and then deploying those virtual images. Unfortunately, when a global crisis like COVID-19 hits, time is of the essences and we simply don't have the 2-3 week time-frame to acquire the hardware and set up a full-blown VDI infrastructure.
With this current situation in mind, I came up with a solution that will allow companies to quickly address the issue of allowing their employees to remotely access their office PCs in a timely manner with minimal hardware requirements and user impact. This solution uses a company's existing user desktops, which greatly decreases the cost and enables users to work on the exact same desktop to which they are accustomed.
Usually VDI solutions use virtual desktops (hence the "VD" in the name VDI); however, VMware Horizon and other VDI solutions also allow users to remotely access physical PCs, effectively eliminating the barrier of setting up the infrastructure to host virtual desktops. In this article, I will show you how I did just that -- allowed a physical PC to be securely accessed and managed remotely using VMware Horizon.
Some people may be tempted to simply punch holes in their corporate firewall and use RDP to allow workers to access their physical PCs from home. However, this is an insecure and non-scalable solution compared to using VDI as many of the advantages of using Horizon to connect to virtual machines from remote locations extend to using it with physical machines.
The most obvious advantage of using Horizon with physical machines is the flexibility that the connection server gives and the security that the VMware Unified Access Gateway (UAG) provides. By using a connection server, you can specify which users are allowed to use a physical PC.
Whereas the connection server provides entitlement and connectivity for users to the system, the UAG provides security from outside a company's firewall to the system. It also provides secure edge services and access to resources that reside in the internal network. This allows authorized external users to access internally-located resources in a secure manner. UAG is usually deployed in the DMZ and has FIPS and Common Criteria certification. It offers many options for authentication, including smart card, certificates, SAML pass-through, RADIUS and RSA SecurID. Furthermore, the UAD's architecture keeps unauthenticated traffic in the DMZ; traffic is allowed through to the internal network and the physical machine only after authentication has been successful.
Once a user authenticates through the UAG and connection server, and is associated to the physical machine, a connection will be made directly from the physical machine to the UAG to the VDI client it is using (see Figure 1).
Preparing the Physical PC
The rest of this article assumes that you have a VMware Horizon connection server and UAG already set up; if you don't, the process is well documented by VMware and others. The "Horizon 7 Architecture Planning VMware Horizon 7 7.11" document states that one connection server can support 2,000 physical systems. The process of using physical PCs with Horizon, on the other hand, isn't as well documented, so I will walk you through that process.
Before looking at using Horizon with physical machines, you should first check to see if the OS that it is running is in fact supported. A list of supported Windows operating systems can be seen on the VMware Knowledge Base (KB) articles: http://kb.vmware.com/kb/2149393 and http://kb.vmware.com/kb/2150295.
The PC that I will be adding to my Horizon environment and accessing remotely in this article is an Intel NUC NUC10i7FNH, a mini form-factor PC which comes 16 GB of RAM, a 256 GB M.2-based SATA SSD, a 7mm 1 TB SATA3 HDD, a Core i7-10710U CPU with an integrated Intel UHD Graphics 620 GPU, and has Windows 10 Pro installed on it (see Figure 2). I feel this unit is fairly representative on physical PC that someone may want to access using Horizon.
In order for the physical machine to be added to Horizon, it must be a member of a domain and the Horizon Agent must be installed on it (see Figure 3). When installing Horizon Agent, you will be presented with a panel to enter the IP address or hostname of the connection server (see Figure 4). After the agent is installed, you will need to reboot the physical machine.
After the system reboots, log back in to the physical PC as a domain administrator and go to Settings -> System -> Remote Desktop. Then, click Select users that can remotely access this PC, and add the groups and users that you would like to have remote access to the physical PC. These must be domain users and/or groups (see Figure 5).
In this article I discussed the advantages of your physical PC from a remote location and then showed you how to set up a physical PC so Horizon can use it. In my next article I will show you how to add a physical PC to Horizon.
Update: See Part 2 here. Also, VMware has announced: "Extended free trials of Horizon 7 on-premises, Horizon 7 on VMware Cloud on AWS, and Horizon Cloud on Azure for 90 days and 100 named users through July 31, 2020" in view of the crisis.
Tom Fenton has a wealth of hands-on IT experience gained over the past 25 years in a variety of technologies, with the past 15 years focusing on virtualization and storage. He previously worked at VMware as a Senior Course Developer, Solutions Engineer, and in the Competitive Marketing group. He has also worked as a Senior Validation Engineer with The Taneja Group, where he headed the Validation Service Lab and was instrumental in starting up its vSphere Virtual Volumes practice. He's on Twitter @vDoppler.