This morning, VMware announced enhancements to both the on-premises Horizon Suite and Horizon Cloud product sets. Although there are a lot of additions to all products in the Suite, the VMware blog post did not go too indepth into many of the new features that you’ll be seeing in the upcoming editions.
VMware Horizon 7.5
Let’s start with the biggest news in the blog post – the announcement of Horizon 7.5. Horizon 7.5 brings several new, long-awaited, features with it. Some of these features are:
- Support for Horizon on VMC (VMware on AWS)
- The “Just-in-Time” Management Platform (JMP)
- Horizon 7 Extended Service Branch (ESB)
- Instant Clone improvements, including support for the new vSphere 6.7 Instant Clone APIs
- Support for IPv4/IPv6 Mixed-Mode Operations
- Cloud-Pod Architecture support for 200K Sessions
- Support for Windows 10 Virtualization-Based Security (VBS) and vTPM on Full Clone Desktops
- RDSH Host-based GPO Support for managing protocol settings
I’m not going to touch on all of these items. I think the first four are the most important for this portion of the suite.
Horizon on VMC
Horizon on VMC is a welcome addition to the Horizon portfolio. Unlike Citrix, the traditional VMware Horizon product has not had a good cloud story because it has been tightly coupled to the VMware SDDC stack. By enabling VMC support for Horizon, customers can now run virtual desktops in AWS, or utilize VMC as a disaster recovery option for Horizon environments.
Full clone desktops will be the only desktop type supported in the initial release of Horizon on VMC. Instant Clones will be coming in a future release, but some additional development work will be required since Horizon will not have the same access to vCenter in VMC as it has in on-premises environments. I’m also hearing that Linked Clones and Horizon Composer will not be supported in VMC.
The initial release of Horizon on VMC will only support core Horizon, the Unified Access Gateway, and VMware Identity Manager. Other components of the Horizon Suite, such as UEM, vRealize Operations, and App Volumes have not been certified yet (although there should be nothing stopping UEM from working in Horizon on VMC because it doesn’t rely on any vSphere components). Security Server, Persona Management, and ThinApp will not be supported.
Horizon Extended Service Branches
Under the current release cadence, VMware targets one Horizon 7 release per quarter. The current support policy for Horizon states that a release only continues to receive bug fixes and security patches if a new point release hasn’t been available for at least 60 days. Let’s break that down to make it a little easier to understand.
- VMware will support any version of Horizon 7.x for the lifecycle of the product.
- If you are currently running the latest Horizon point release (ex. Horizon 7.4), and you find a critical bug/security issue, VMware will issue a hot patch to fix it for that version.
- If you are running Horizon 7.4, and Horizon 7.5 has been out for less than 60 days when you find a critical bug/security issue, VMware will issue a hot patch to fix it for that version.
- If you are running Horizon 7.4, and Horizon 7.5 has been out for more than 60 days when you find a critical bug/security issue, the fix for the bug will be applied to Horizon 7.5 or later, and you will need to upgrade to receive the fix.
In larger environments, Horizon upgrades can be non-trivial efforts that enterprises may not undertake every quarter. There are also some verticals, such as healthcare, where core business applications are certified against specific versions of a product, and upgrading or moving away from that certified version can impact support or support costs for key business applications.
With Horizon 7.5, VMware is introducing a long-term support bundle for the Horizon Suite. This bundle will be called the Extended Service Branch (ESB), and it will contain Horizon 7, App Volumes, User Environment Manager, and Unified Access Gateway. The ESB will have 2 years of active support from release date where it will receive hot fixes, and each ESB will receive three service packs with critical bug and security fixes and support for new Windows 10 releases. A new ESB will be released approximately every twelve months.
Each ESB branch will support approximately 3-4 Windows 10 builds, including any recent LTSC builds. That means the Horizon 7.5 ESB release will support the Windows 10 1709, 1803, 1809 and 1809 LTSC builds of Windows 10.
This packaging is nice for enterprise organizations that want to limit the number of Horizon upgrades they want to apply in a year or require long-term support for core business applications. I see this being popular in healthcare environments.
Extended Service Branches do not require any additional licensing, and customers will have the option to adopt either the current release cadence or the extended service branch when implementing their environment.
The Just-in-Time Management Platform, or JMP, is a new component of the Horizon Suite. The intention is to bring together Horizon, Active Directory, App Volumes, and User Environment Manager to provide a single portal for provisioning instant clone desktops, applications, and policies to users. JMP also brings a new, HTML5 interface to Horizon.
I’m a bit torn on the concept. I like the idea behind JMP and providing a portal for enabling user self-provisioning. But I’m not sure building that portal into Horizon is the right place for it. A lot of organizations use Active Directory Groups as their management layer for Horizon Desktop Pools and App Volumes. There is a good reason for doing it this way. It’s easy to audit who has desktop or application access, and there are a number of ways to easily generate reports on Active Directory Group membership.
Many customers that I talk to are also attempting to standardize their IT processes around an ITSM platform that includes a Service Catalog. The most common one I run across is ServiceNow. The customers that I’ve talked to that want to implement self-service provisioning of virtual desktops and applications often want to do it in the context of their service catalog and approval workflows.
It’s not clear right now if JMP will include an API that will allow customers to integrate it with an existing service catalog or service desk tool. If it does include an API, then I see it being an important part of automated, self-service end-user computing solutions. If it doesn’t, then it will likely be another yet-another-user-interface, and the development cycles would have been better spent on improving the Horizon and App Volumes APIs.
Not every customer will be utilizing a service catalog, ITSM tool and orchestration. For those customers, JMP could be an important way to streamline IT operations around virtual desktops and applications and provide them some benefits of automation.
Instant Clone Enhancements
The release of vSphere 6.7 brought with it new Instant Clone APIs. The new APIs bring features to VMFork that seem new to pure vSphere Admins but have been available to Horizon for some time such as vMotion. The new APIs are why Horizon 7.4 does not support vSphere 6.7 for Instant Clone desktops.
Horizon 7.5 will support the new vSphere 6.7 Instant Clone APIs. It is also backward compatible with the existing vSphere 6.0 and 6.5 Instant Clone APIs.
There are some other enhancements coming to Instant Clones as well. Instant Clones will now support vSGA and Soft3D. These settings can be configured in the parent image. And if you’re an NVIDIA vGPU customer, more than one vGPU profile will be supported per cluster when GPU Consolidation is turned on. NVIDIA GRID can only run a single profile per discrete GPU, so this feature will be great for customers that have Maxwell-series boards, especially the Tesla M10 high-density board that has four discrete GPUs. However, I’m not sure how beneficial it will be with customer that adopt Pascal-series or Volta-series Tesla cards as these only have a single discrete GPU per board. There may be some additional design considerations that need to be worked out.
Finally, there is one new Instant Clone feature for VSAN customers. Before I explain the feature, I can to explain how Horizon utilizes VMFork and Instant Clone technology. Horizon doesn’t just utilize VMFork – it adds it’s own layers of management on top of it to overcome the limitations of the first generation technology. This is how Horizon was able to support Instant Clone vMotion when the standard VMFork could not.
This additional layer of management also allows VMware to do other cool things with Horizon Instant Clones without having to make major changes to the underlying platform. One of the new features that is coming in Horizon 7.5 for VSAN customers is the ability to use Instant Clones across cluster boundaries.
For those who aren’t familiar with VSAN, it is VMware’s software-defined storage product. The storage boundary for VSAN aligns with the ESXi cluster, so I’m not able to stretch a VSAN datastore between vSphere clusters. So if I’m running a large EUC environment using VSAN, I may need multiple clusters to meet the needs of my user base. And unlike 3-tier storage, I can’t share VSAN datastores between clusters. Under the current setup in Horizon 7.4, I would need to have a copy of my gold/master/parent image in each cluster.
Due to some changes made in Horizon 7.5, I can now share an Instant Clone gold/master/parent image across VSAN clusters without having to make a copy of it in each cluster first. I don’t have too many specific details on how this will work, but it could significantly reduce the management burden of large, multi-cluster Horizon environments on VSAN.
Blast Extreme Enhancements
The addition of Blast Extreme Adaptive Transport, or BEAT as it’s commonly known, provided an enhanced session remoting experience when using Blast Extreme. It also required users and administrators to configure which transport they wanted to use in the client, and this could lead to less than optimal user experience for users who frequently moved between locations with good and bad connectivity.
Horizon 7.5 adds some automation and intelligence to BEAT with a feature called Blast Extreme Network Intelligence. NI will evaluate network conditions on the client side and automatically choose the correct Blast Extreme transport to use. Users will no longer have to make that choice or make changes in the client. As a result, the Excellent, Typical, and Poor options are being removed from future versions of the Horizon client.
Another major enhancment coming to Blast Extreme is USB Redirection Port Consolidation. Currently, USB redirection utilizes a side channel that requires an additional port to be opened in any external-facing firewalls. Starting in Horizon 7.5, customers will have the option to utilize USB redirection over ports 443/8443 instead of the side channel.
The last item I want to cover in this post is Performance Tracker. Performance Tracker is a tool that Pat Lee demonstrated at VMworld last year, and it is a tool to present session performance metrics to end users. It supports both Blast Extreme and PCoIP, and it provides information such as session latency, frames per second, Blast Extreme transport type, and help with troubleshooting connectivity issues between the Horizon Agent and the Horizon Client.
As you can see, there is a lot of new stuff in Horizon 7.5. We’ve hit 1900 words in this post just talking about what’s new in Horizon. We haven’t touched on client improvements, Horizon Cloud, App Volumes, UEM or Workspace One Intelligence yet. So we’ll have to break those announcements into another post that will be coming in the next day or two.