Before we can start with the implementation guide I want to give a brief description what key functionalities must exist.
The following components have been installed and configured:
- vSphere ESXi host (physical or nested)*
- vCenter Server (Appliance)*
- HA/DRS Cluster
- vSAN Cluster
- Active Directory Domain Controller (including DNS)*
- Microsoft Certificate Authority Role*
- NSX Manager*
- FTP Service (for backing up NSX Manager)
- CIFS-Share for UEM User Profile Archive and Config files
*Required.
This will be the first post in my Horizon Guide implementation section. Since my focus is on Horizon I will not go through each of the steps involved in setting up the foundation. If you want to get a feel for the purpose of my blog series, check it out here.
In my design guide I will write a little bit about general design decisions regarding the management & virtualization topic. In my implementation guide I will quickly go through the setup I have chosen. As a side note I want to remind you to always use the English language and keyboard layout :-). Going into native US mode for all kinds of setup will keep a lot of pain away from you.
vSphere ESXi host
The ESXi host is installed on a physical server and abstracts the physical resources CPU, Memory, Storage, Network (and GPU) into a virtual consumable format: Virtual Machines. Within Horizon, multiple Virtual Desktops will run in the form of Virtual Machines (including Operating Systems, Agents, etc.) on the physical servers.
### Lab-Design Decision. For production use discuss implications of every Parameter
- Type: Physical
- Version: 6.5
- Virtual Switch: Distributed Virtual Switch (Version 6.5)
Input required for installation:
- Root Password (must be defined here)
Dependencies for Installation:
- ESXi binaries (eventually including drivers)
- Network Management Connectivity
- IP-Address, DNS-Server, Gateway
- NTP-Server
- Hostname & DNS-Entry (Forward and Reverse Lookup)
Recommendation:
- Use vSphere 6.X to make use of Horizon Instant Clones
- Make sure to have a consistent vSphere Configuration
vCenter Server
The vCenter is the management component for all datacenter related parts within the Horizon environment. Within the vSphere Web Client you can manage ESXi hosts, Distributed Switches, Virtual Machines, VM Templates, etc. The vCenter should be highly available and easily recoverable, since it is the central integration point for many Horizon components and its non-availability might lead to a service outage.
### Lab-Design Decision. For production use discuss implications of every Parameter
- Type: Appliance
- Version: 6.5
- Deployment Type: Embedded (PSC and vCenter on one virtual machine – no enhanced linked mode)
- Database: Embedded
- Deployment Size: Tiny
- Storage Size: Default
Input required for installation:
- Root Password (for the Appliance itself) (must be defined here)
- SSO-Domain Information: (must be defined here)
- SSO Domain Name
- SSO Password (for user: administrator@SSO Domain Name)
- Site Name
Dependencies for Installation:
- Network Management Connectivity
- IP-Address, DNS-Server, Gateway
- NTP-Server
- Hostname & DNS-Entry (Forward and Reverse Lookup)
- Computing Resource (ESXi host or vCenter)
- AD-Account that can join the vCSA to the domain
- Datastore
Recommendation:
- Join vCenter Server Appliance to the Active Directory Domain.
- Configure Integrated Windows Authentication.
- Configure an Active Directory Group for vSphere Administrators and give this AD group the Administrator role in the Global Permissions section. Tip: If you cannot access AD groups/users, remove and re-add the Domain from the SSO Configuration Identity Sources.
- Make sure your vCenter is backed up properly (via a vSphere API Data Protection tool and the integrated backup mechanism in the vCenter Server Appliance (vCSA)).
- With vCSA 6.5 and later you have an integrated HA mechanism.
vSphere Cluster
The vSphere Cluster groups multiple ESXi servers into a single logical unit. The cluster is used to run Virtual Machines (which will become Desktops at one point within the lifecycle) and offers services like Distributed Resource Scheduling – VM placement based on load and rules – and High Availability – restart of Virtual Machines after an ESXi or VM failure.
### Lab-Design Decision. For production use discuss implications of every Parameter
- HA: Enabled
- DRS: Enabled
- DRS-Automation Mode: Fully Automated
- DRS-Automation Level: Conservative
- EVC-Mode: On (set to the maximum possible CPU compatibility)
- Admission-Control: Disabled (Lab-Only)
Input required for configuration:
- Cluster-Name
- Redundant Management/vSAN Network
Recommendation:
- Use an automation level of conservative or conservative + 1.
- Make sure you have redundancy in your HA-Network.
- If you are using vSAN, the vSAN Network will be used for HA failure detection.
- If you are using vSAN, configure the isolation response to power off.
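The cluster decisions from the table above, applied with PowerCLI as an added example (not code from the original post). Assumed placeholder names: vCenter vcsa.lab.local, datacenter LabDC, cluster Horizon-Lab, EVC key intel-broadwell; the DRS migration threshold (Conservative) is not exposed by Set-Cluster and is left at its default here.

```powershell
# Added example: create the lab HA/DRS cluster and verify the stored settings.
Import-Module VMware.PowerCLI
Connect-VIServer -Server vcsa.lab.local   # assumed vCenter name

$dc = Get-Datacenter -Name "LabDC"        # assumed datacenter name

# HA + DRS enabled, DRS fully automated (design decision table)
$cluster = New-Cluster -Name "Horizon-Lab" -Location $dc `
    -HAEnabled -DrsEnabled -DrsAutomationLevel FullyAutomated

# Lab-only: admission control off. Isolation response "power off" is the
# recommendation for vSAN-backed clusters; EVC on for maximum CPU compatibility.
Set-Cluster -Cluster $cluster `
    -HAAdmissionControlEnabled:$false `
    -HAIsolationResponse PowerOff `
    -EVCMode "intel-broadwell" `
    -Confirm:$false | Out-Null

# Read the configuration back from vCenter instead of trusting the calls succeeded
Get-Cluster -Name "Horizon-Lab" |
    Select-Object Name, HAEnabled, HAAdmissionControlEnabled, HAIsolationResponse,
                  DrsEnabled, DrsAutomationLevel, EVCMode
```

For production, re-enable admission control and pick the EVC baseline that matches the oldest CPU generation in the cluster.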
vSAN Cluster
The vSAN Cluster functionality offers a scaled out shared storage consisting of local devices over a vSAN network. vSAN eliminates the need for a dedicated SAN / NAS and is included with Horizon Advanced or higher.
### Lab-Design Decision. For production use discuss implications of every Parameter
- Type: All-flash
- Dedup / Compression: Enabled
Dependencies for configuration:
- vSAN Network Connectivity
- IP-Address
- vSAN VMkernel Adapter
Recommendation:
- Validate all components (firmware, driver, SCSI-Controller) against the vSAN HCL.
- Dedup / Compression only available within an All-Flash vSAN Configuration.
- Size your Disk Groups properly. Remember: if dedup/compression is enabled, the loss of a single capacity disk makes the whole Disk Group absent, and all data objects of that Disk Group will be resynced.
- Update to vSAN 6.6 to get rid of the multicast network requirement.
NSX Manager
The NSX Manager will be used to integrate security mechanisms into our virtual Desktop environment. After preparation of the ESXi hosts you can make use of Guest introspection services – like existing Anti-Virus/Malware solutions – or micro segmentation – implementation of a dynamic / context-based distributed firewall between Virtual Desktops. Firewall rules will be stored on every single ESXi host, but the rule-set will be managed and controlled by the NSX Manager.
Input required for installation:
- CLI Password (must be defined here)
- CLI Password (Privileged Mode) (must be defined here)
Dependencies for Installation & Configuration:
- Network Management Connectivity
- IP-Address, DNS-Server, Gateway
- NTP-Server
- Hostname & DNS-Entry (Forward and Reverse Lookup)
- Computing Resource (ESXi host or vCenter)
- Datastore
- An SSO Domain Service Account to register the NSX Manager against the vCenter
Recommendation:
- Create a dedicated Service User within the SSO Domain (default: vsphere.local) on the vCenter and assign it to the SSO group Administrators. Use this service account to connect the NSX Manager with the vCenter.
- By default, the service user used for the registration against the vCenter can interact within the NSX Manager section of the vSphere Web Client: Networking & Security.
- If you only want to make use of Guest Introspection Services (e.g. for Anti-Malware/Virus) or the distributed firewall, you don't need the NSX Controller deployed.
- Check the product interoperability matrix to make sure you have an NSX version matching the correct vCenter/vSphere and VMware Tools.
Microsoft Certificate Authority
Dealing with certificates in Horizon is important. Dealing with certificates in other VMware products might be less important (depending on company security policies) but quite painful. To make sure we can build a fully-featured Horizon environment it is important for us to have a Certificate Authority in place, installed on a dedicated Windows machine.
Since I am not a Windows expert I refer to the following blog post on how to set up such an environment in your lab.
Recommendation:
- Make sure to create a root certificate key based on SHA-256 with a key length of 4096. Otherwise modern browsers like Chrome will still complain when you connect to a web service that has a 'CA-signed' certificate.
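A check for the recommendation above, added here as an example (not from the original post): it reads the root CA certificate from the local machine's trusted root store and reports whether it uses a SHA-2 signature hash and a 4096-bit RSA key. The subject filter "Lab Root CA" is an assumed placeholder.

```powershell
# Added example: audit the trusted root CA certificate against SHA-256 / 4096-bit RSA.
$roots = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -like "*Lab Root CA*" }   # assumed CA name

foreach ($cert in $roots) {
    # RSA public key size; null for non-RSA keys
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
    $keyBits = if ($rsa) { $rsa.KeySize } else { 0 }
    # Hash used when the CA signed this certificate, e.g. sha256RSA or sha1RSA
    $sigAlg = $cert.SignatureAlgorithm.FriendlyName

    $issues = @()
    if ($sigAlg -notmatch '^sha(256|384|512)') { $issues += "signature hash is $sigAlg" }
    if ($keyBits -lt 4096)                     { $issues += "RSA key is only $keyBits bits" }

    [pscustomobject]@{
        Subject  = $cert.Subject
        NotAfter = $cert.NotAfter
        SigAlg   = $sigAlg
        KeyBits  = $keyBits
        Status   = if ($issues) { "WEAK: " + ($issues -join '; ') } else { "OK" }
    }
}

# On the CA server itself, the hash the CA applies to the certificates it issues
# (which is what browsers evaluate on leaf certificates) can be read with:
#   certutil -getreg ca\csp\CNGHashAlgorithm
```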
Active Directory
An Active Directory Domain is mandatory for all kinds of Horizon functionality. Since I am not a Windows expert I refer to the following blog post on how to set up such an environment in your lab.
Recommendation:
- Make sure to create the VM hosting the AD role manually, or select the "change SID" option when cloning and customizing the machine from a Windows Server template. Windows instances with the same SID as the Domain Controller will not be able to join the domain.
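A pre-join check for the SID problem above, added as an example (not from the original post). It relies on the fact that a new forest's domain SID is derived from the machine SID of the server promoted as its first DC, so a clone sharing that machine SID collides with the domain itself. Assumed placeholders: domain lab.local and DC dc01.lab.local; the VM being checked needs the ActiveDirectory RSAT module.

```powershell
# Added example: run on the template-cloned VM before joining it to the domain.
# Machine SID = SID of any local account with the trailing RID removed.
$localAccount = Get-CimInstance Win32_UserAccount -Filter "LocalAccount='True'" |
    Select-Object -First 1
$machineSid = $localAccount.SID -replace '-\d+$', ''

# Query the domain SID from the DC (the VM is not joined yet, so pass credentials).
$cred = Get-Credential -Message "Account allowed to query lab.local"
$domainSid = (Get-ADDomain -Identity "lab.local" -Server "dc01.lab.local" `
    -Credential $cred).DomainSID.Value   # assumed domain / DC names

if ($machineSid -eq $domainSid) {
    Write-Warning ("Machine SID $machineSid equals the domain SID. " +
        "Re-clone with the 'change SID' option (or sysprep) before joining.")
} else {
    "Machine SID $machineSid differs from domain SID $domainSid - safe to join."
}
```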