Learning Resource: VDI Solutions
VDI Deployment Models and 6 Best Practices for a Successful Deployment
What is a VDI Deployment?
A virtual desktop infrastructure (VDI) deployment enables enterprises to remotely provision resources to employees, including full desktops and applications.
There are three main deployment models for desktop virtualization:
- Virtual desktop infrastructure (VDI) – enables the organization to manage large numbers of virtualized desktops. Requires setting up a complex local infrastructure including a virtualization server and a connection broker.
- Remote desktop services (RDS) – enables the organization to deliver several end-user desktops from a single Windows Server operating system.
- Desktop as a service (DaaS) – uses a managed cloud-based service to deliver virtualized desktops to users.
Desktop Virtualization Deployment Models
We’ll review the three desktop virtualization models in a bit more detail.
Virtual desktop infrastructure (VDI)
VDI deployments run the OS on a virtual machine (VM), which is hosted on a server located in the data center. Administrators can then remotely deliver desktop images, which contain an OS and applications, to the end user.
Each remote desktop uses a dedicated VM with an OS, which contains unique resources like CPUs, memory, and drivers. A hypervisor, which is a software layer, is in charge of managing resource allocation across multiple VMs. The hypervisor enables the VMs to run on the same server.
Remote desktop services (RDS)
Remote desktop services (RDS), or remote desktop session host (RDSH), provides users with remote access to desktops and Windows applications running on top of a Windows Server OS. Microsoft Remote Desktop Protocol (RDP) is responsible for serving the applications and desktops. This service was formerly called Microsoft Terminal Server.
In RDS, a Windows Server instance can support multiple simultaneous users, limited only by the capacity of the server hardware. In regular VDI, on the other hand, each desktop image sits on its own VM, and the hypervisor manages how the VMs run on the server. This makes RDS more cost-effective than other VDI options.
Desktop-as-a-Service (DaaS)
Desktop as a service (DaaS) solutions host virtualized desktops on a scalable cloud infrastructure. DaaS provides flexible options and can be quickly deployed. The cloud provider manages the infrastructure, and provides administrative functionality that enables desktop deployment. However, the majority of configurations are not customizable.
6 VDI Deployment Best Practices
Here are a few best practices that will help make your VDI deployment a success.
Understand End User Requirements
To successfully deploy a high-performance VDI solution in your organization, you need to determine the needs of your end users:
- Which applications end users need for their jobs (this will be different for each department or business unit)
- How many end users the organization has in each application category
- Special hardware requirements such as high end machines for power users, or graphical processing units (GPUs) for uses like machine learning or 3D graphics
These basic parameters can help you size your VDI deployment and understand hardware and licensing requirements.
In addition, take note of practical requirements such as:
- Monitor support – you’ll need to support the monitors your users are currently using
- User profile persistence – identify whether users need to keep profile settings persistent between sessions
- Peripherals – do users need USB drives, audio devices, printers, scanners, etc.
- Authentication – use of multi-factor authentication or other security measures
Control BYOD and Remote Endpoints
VDI lets you deliver a desktop experience to many types of endpoints and devices. If your organization has a bring your own device (BYOD) program, you’ll need a strategy for device and user control.
To ease the burden of managing a large number of device types, define a list of common devices which you will support for VDI access. Provide clear policies to users indicating what they may or may not do on their personal devices, and mandating basic security measures like antivirus.
Most importantly, set up monitoring of any connection to your VDI site from external devices, ensure that legitimate users are following security procedures, and identify anomalous behavior that could indicate a breach.
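The monitoring this paragraph calls for can start as a small rule set run over the connection broker's access records. The following is an added example, not code from the original page or from any VDI vendor; it assumes a constructed, simplified record format, a constructed per-user list of approved devices, and an assumed list of internal corporate address ranges, and it flags external connections made without MFA, external connections from unapproved devices, and a successful login that follows a run of failures.

```python
import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample of connection-broker access records (not real logs).
# Each record carries: timestamp, user, source IP, device name, MFA status, result.
SAMPLE_LOG = """\
2024-03-05T08:01:10Z user=alice src=10.20.4.17 device=corp-lt-0421 mfa=yes result=success
2024-03-05T08:03:42Z user=bob src=203.0.113.45 device=bob-macbook mfa=no result=success
2024-03-05T08:05:03Z user=carol src=198.51.100.9 device=carol-home mfa=yes result=success
2024-03-05T09:10:00Z user=alice src=203.0.113.77 device=unknown-android mfa=yes result=success
2024-03-05T09:11:01Z user=dave src=192.0.2.10 device=dave-pc mfa=yes result=failure
2024-03-05T09:11:05Z user=dave src=192.0.2.10 device=dave-pc mfa=yes result=failure
2024-03-05T09:11:09Z user=dave src=192.0.2.10 device=dave-pc mfa=yes result=failure
2024-03-05T09:11:14Z user=dave src=192.0.2.10 device=dave-pc mfa=yes result=failure
2024-03-05T09:11:20Z user=dave src=192.0.2.10 device=dave-pc mfa=yes result=success
"""

# Assumed internal (corporate) address ranges; anything outside them is "external".
INTERNAL_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed list of devices approved for VDI access, keyed by user.
APPROVED_DEVICES = {
    "alice": {"corp-lt-0421"},
    "bob": {"bob-macbook"},
    "carol": {"carol-home"},
    "dave": {"dave-pc"},
}

# Number of consecutive failures that makes a following success suspicious.
FAILED_LOGIN_THRESHOLD = 3

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) device=(?P<device>\S+) "
    r"mfa=(?P<mfa>yes|no) result=(?P<result>success|failure)$"
)


@dataclass(frozen=True)
class Finding:
    rule: str
    user: str
    detail: str


def is_external(ip_text):
    """True when the source address lies outside every internal range."""
    ip = ipaddress.ip_address(ip_text)
    return not any(ip in net for net in INTERNAL_NETWORKS)


def parse_line(line):
    """Parse one access record into a dict; reject anything that does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised record: {line!r}")
    return m.groupdict()


def analyze(log_text):
    """Run the three rules over the records and return the findings in order."""
    findings = []
    failures = defaultdict(int)  # consecutive failed logins per user
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        user, src, device = rec["user"], rec["src"], rec["device"]
        if rec["result"] == "failure":
            failures[user] += 1
            continue
        external = is_external(src)
        # Rule 1: a connection from outside the corporate network must have completed MFA.
        if external and rec["mfa"] == "no":
            findings.append(Finding("external-no-mfa", user, f"{src} via {device}"))
        # Rule 2: external access from a device not on the user's approved list.
        if external and device not in APPROVED_DEVICES.get(user, set()):
            findings.append(Finding("unapproved-device", user, device))
        # Rule 3: a success right after a run of failures suggests password guessing.
        if failures[user] >= FAILED_LOGIN_THRESHOLD:
            findings.append(
                Finding("success-after-failures", user, f"{failures[user]} failures from {src}")
            )
        failures[user] = 0  # a success resets the failure run
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.rule:<24} {f.user:<8} {f.detail}")
```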
Related content: read our guide to VDI security
Make VDI Highly Available
A critical aspect of VDI is high availability, because employees and contractors rely on virtualized desktops for their day-to-day work, and any interruption in service will hurt productivity and cause financial loss.
With a VDI solution, all end-user desktops depend on the availability of the backend VDI management layer. Modern hypervisors, such as VMware ESXi and Citrix Hypervisor, have built-in features that provide resiliency and high availability. But you must make sure you have enough hosts in a VDI cluster, with redundant storage, power and networking, to mitigate availability issues.
Consider Thin Clients for Improved Security
VDI systems can allow users to install software and customize their virtual desktops; however, this has security consequences. Even if they are not malicious, users can unknowingly install malware or change the desktop configuration in a way that creates security vulnerabilities.
Many IT and security teams prefer to treat user devices as thin clients. This means devices are allowed to connect to the VDI environment, but cannot install software or permanently change the application’s configuration. When the user logs out, the settings are restored to safe defaults (a non-persistent VDI configuration). However, this type of setup has a negative impact on user productivity and satisfaction.
Hysolate Isolated Workspace provides a cost effective, more user friendly VDI alternative. Hysolate can be scaled up and deployed in minutes, and doesn’t require costly infrastructure or hardware to run. Unlike most VDI solutions, Hysolate doesn’t depend on network conditions, bandwidth requirements or latency, making it an ideal choice for remote or distributed environments. Hysolate provides a totally separated workspace on a single user device, minimising security issues by totally isolating more risky activities from corporate data.
Use Flash or Hybrid Storage
VDI workloads are highly I/O intensive, requiring more IOPS than the average virtualized environment. It is highly advisable to use solid-state drives (SSDs) in dedicated flash arrays, or hybrid storage systems that combine HDDs with flash-based SSDs. SSDs support many more IOPS and provide a high return on investment in a VDI environment.
Addressing VDI Challenges with Hysolate Isolated Workspace
Creating and managing a VDI solution is a large project and a huge undertaking for an organization. Planning the infrastructure correctly, building it, testing everything, and sizing it properly to support the target population requires thousands of hours of work and a huge investment. In addition, running the servers on-premises involves the tremendous cost of purchasing the servers and, of course, of maintaining the infrastructure, leading to high OpEx and CapEx.
Moreover, in today’s remote-first world, users connecting to the datacenter VDI solution, sometimes over a VPN tunnel, get poor performance and a poor user experience, and desktops are not available when offline.
Hysolate solves these problems with an innovation called isolated workspace as a service (IWaaS). Users get a local, isolated operating system running on their machine, deployed within minutes and managed from the cloud.
Isolated workspaces enable:
- A higher level of freedom on employees’ corporate devices
- Ability to receive third-party-generated content in an isolated zone
- Access for IT admins, DevOps, developers, and other privileged users in their everyday environment
- Access for employees from personal, unmanaged devices
The behavior of the workspace is managed in the cloud, while all of the computing resources run locally on user machines.
This eliminates the need to invest in a large and costly infrastructure, and provides a better local user experience, with offline availability.
VDI on VMware: Architecture and Solution Overview
What is VMware VDI?
Large enterprises use VMware Virtual Desktop Infrastructure (VDI) solutions to centrally manage desktops and applications and deliver them to users remotely. The core product of the VMware VDI solution is VMware Horizon. It is based on VMware vSphere virtualization, adding functionality to manage and deliver virtualized desktops.
In VMware Horizon, user desktops are based on VMs running on ESXi hosts. These in turn are managed by a full version of VMware vSphere. This allows you to take advantage of vSphere features such as Snapshot, vMotion, High Availability, and Distributed Resource Scheduler.
Users can connect to a VMware Horizon virtual desktop through a personal computer (PC), tablet, smartphone, thin client, or zero client. Thin clients are low-cost computing devices with low-performance hardware (just enough to connect to the server and input/output signals). A zero client is a small box connected to a keyboard, mouse and monitor, which has only a network interface, and operates in a client-server model, with no local storage capacity.
VMware Horizon VDI Architecture
An important part of the VMware Horizon strategy is making it suitable for hybrid and multi-cloud deployments. Organizations looking to build a hybrid architecture can get started with VMware Horizon, vSphere, Microsoft RDSH, and virtual desktop servers running locally, and operated using a cloud-based control plane.
This allows your organization to run desktop and application workloads in multiple clouds, while also running some Horizon pods in a local data center, and to move workloads between these locations. Horizon supports any cloud that works with VMware vSphere, or dedicated Horizon infrastructure created in partnership with VMware on AWS, IBM Cloud or Microsoft Azure.
The main components of the VMware VDI system are:
- View Connection Server—management server that helps desktop users connect and authenticates them via Active Directory/LDAP.
- View Composer—manages storage on the vCenter Server, and improves storage efficiency using a technique called linked cloning—holding any shared data in a common location, and only the unique data belonging to each user on their virtual hard disk (VMDK).
- Horizon Administrator—a web-based interface for managing a Horizon VDI site. Administrators can use this interface to add more vCenter Servers and View Composers as needed.
- View Agent—this component is included in every VM managed by the View Connection Server. It provides features such as USB and peripheral support, as well as connection monitoring.
- Horizon Client—installed on a user’s local device (Windows, macOS or Linux), communicates and authenticates with the View Connection Server.
Related content: read our in-depth guide to VMware Horizon architecture
VMware VDI Solutions
Let’s take a look at the main solutions offered as part of VMware’s VDI portfolio.
VMware Horizon 7
VMware Horizon 7 delivers virtual desktops, running both Windows and Linux operating systems, as well as locally published software applications. It is available in the following editions:
- Standard Edition—provides complete, basic VDI functionality
- Advanced Edition—enables unified workspaces which improve utilization on VDI hosts, also provides app virtualization and application catalog
- Enterprise Edition—provides improved VDI management and automation capabilities
Additionally, notable features include:
- Blast Extreme protocol—enabling better user experience and longer battery life on user devices
- GPU support via NVIDIA GRID technology
- Single sign on—enabling users to conveniently log into desktops and applications
VMware Horizon 8
VMware Horizon 8, officially known as VMware Horizon version 2006, was released in September 2020. The updated Horizon platform includes:
- Stronger support for cloud-based VMware stacks—including Azure VMware Solution (AVS) and Google Cloud VMware Engine (GCVE)
- Instant Clone Smart Provisioning—reduces costs by removing the need for parent VMs and improving desktop consolidation on each host
- REST APIs—enables automation and orchestration of Horizon management functions
- Support for Microsoft Teams and other collaboration tools
- Linux hosted applications—leverages the Linux operating system to reduce licensing costs
- Dynamic Environment Manager—enables smart policies for user profiles
- Digital watermark—improves privacy protection and compliance auditing
- 8K display support—enables end users to use the latest display technology for a better experience
Horizon Air
With VMware Horizon Air, businesses can offer end users virtual workspaces, including complete Windows client desktops, shared desktops and applications, as a subscription service. Because Horizon Air is built and delivered by VMware, you can launch desktops and applications using a single cloud control plane, greatly simplifying desktop management.
Horizon Air is offered in two models:
- Hybrid mode—allows customers to combine cloud-based subscription services with local infrastructure and desktops.
- Cloud hosting—allows customers to use a hosted VDI infrastructure running entirely in VMware’s data centers.
Workspace Security VDI
VMware Workspace Security VDI integrates VMware Horizon and Carbon Black Cloud into a single solution, providing a more secure virtual desktop and application solution for distributed employees.
The solution includes Carbon Black’s Next Generation Antivirus (NGAV), which can protect against threats that traditional antivirus cannot stop, such as new and unknown attacks, fileless attacks, PowerShell vulnerabilities and remote logins.
In addition it provides multiple layers of protection for virtual desktops, using behavioral endpoint detection and response (EDR). VMware Carbon Black Cloud collects data from across the VDI environment and analyzes it using machine learning and behavioral models. These models not only detect and prevent attacks, but can also predict new attack vectors. Administrators can use policy-based controls to fine-tune security in their VDI environment.
VMware VDI vs. Hysolate IWaaS
Creating and managing a VMware VDI solution is a huge undertaking for an organization. Planning the infrastructure correctly, building it, testing everything, and sizing it properly to support the target population requires thousands of hours of work and a huge investment. In addition, running the servers on-premises involves the tremendous cost of purchasing the servers and, of course, of maintaining the infrastructure, leading to high OpEx and CapEx.
Moreover, in today’s remote-first world, users connecting to the datacenter VDI solution, sometimes over a VPN tunnel, get poor performance and a poor user experience, and desktops are not available when offline.
Hysolate solves these problems with an innovation called isolated workspace as a service (IWaaS). Users get a local, isolated operating system running on their machine, deployed within minutes and managed from the cloud.
Isolated workspaces enable:
- A higher level of freedom on employees’ corporate devices
- Ability to receive third-party-generated content in an isolated zone
- Access for IT admins, DevOps, developers, and other privileged users in their everyday environment
- Access for employees from personal, unmanaged devices
The behavior of the workspace is managed in the cloud, while all of the computing resources run locally on user machines.
This eliminates the need to invest in a large and costly infrastructure, and provides a better local user experience, with offline availability.
Learn more about the Hysolate Workspace as-a-Service platform
Ultimate Guide to Virtual Desktop Infrastructure: Implementation, Costs, Cloud, and Security
What is Virtual Desktop Infrastructure?
Virtual desktop infrastructure (VDI) enables organizations to deliver desktop operating systems, such as Microsoft Windows and Linux, remotely to user devices.
VDI lets organizations run operating systems and applications in a central, virtualized environment in their data center. From this centralized environment, they can serve desktops and applications to user devices, which may be PCs, mobile devices, or thin clients.
This generates major cost savings, as it eliminates the need to provision an entire workstation to each employee. However, VDI is a complex infrastructure that requires large upfront investments. This is why many organizations are opting for the cloud-based desktop as a service (DaaS) model instead of setting up VDI on-premises.
VDI Use Cases
Here are several use cases where VDI can provide substantial benefits to an organization:
- Employee workstations—in a modern work environment, employees need access to applications regardless of where they work, in the office, at home or in the field. With VDI, the user can securely access a virtual desktop wherever they are, using either corporate or personal equipment.
- Healthcare—in a healthcare environment, safety and privacy are critical. HIPAA regulations require strict protection of patient data. With VDI, medical staff can only view patient records based on the security profile assigned to their virtual desktop.
- Education—the organization can issue devices to both teachers and students. Teachers can be restricted to viewing specific data and applications for their classes, while students only see data and applications for courses they are enrolled in. When an employee or student leaves, the virtual desktop is deleted.
- Call centers—in large organizations that employ staff in shifts, such as call centers, shared desktops are used. Employees log onto an empty workstation, start a desktop, and log off at the end of their working hours, releasing the resources for the use of employees in the new shift.
- Engineering and design—employees in these types of organizations frequently use graphic-intensive applications. Previously, this type of work required expensive hardware. Advances in VDI have made it possible to set up graphical processing units (GPUs) in a centralized manner, using GPU virtualization technology to substantially reduce costs. Users can then get the benefits of hardware acceleration via any device.
How Does VDI Work?
In a VDI system, the organization manages operating system images, which represent types of desktops that need to be provisioned to users. These images run on virtual machines (VM) managed by a hypervisor. Desktops are delivered over the network to the endpoint device (laptops, desktop computers, tablets, smartphones, and thin clients), and the user can use the endpoint device to interact with the operating system and its applications.
A similar model can be used to run virtualized applications (rather than entire operating systems), and deliver them to users so they can run these applications on their local device.
All VDI deployments have the following characteristics:
- Servers in the local VDI site hold multiple VMs via a hypervisor, each running a desktop instance. The number of desktops per host is known as “density”.
- In order to gain access to the virtual desktop, the endpoint client must authenticate and maintain a connection to the centralized server.
- Clients that have successfully accessed the VDI environment are allocated a virtual desktop from the pool of available resources. This is done by the VDI connection broker.
- Users have a consistent experience of their desktop regardless of the device they used to connect to it.
Persistent vs Non-persistent VDI
A major deployment consideration in VDI systems is whether to persist user desktops. A persistent desktop is a dedicated desktop saved for each user, which retains all user settings from session to session.
Persistent VDI
With persistent VDI, each desktop runs from its own disk image. The image saves all the user’s settings, enabling more customization of the desktop environment, but requiring more storage per user.
Pros:
- Easier to personalize, preserves user’s data, shortcuts and files
- Similar setup to physical desktops, making administration easier
Cons:
- Requires more storage, because individual disk images require more space than a single “golden image” of the operating system
- Storage is managed as a separate logical drive integrated with the VM, while user data is stored in the desktop image
- Complex to manage and optimize a large number of desktop images compared to one master image
Non-Persistent VDI
With non-persistent desktops, every time a user logs out, their settings and data are not stored as part of the virtualized desktop. Personal data and settings are stored in a separate user layer, which is later added on top of the “golden image”. Each time a user logs in, they receive a fresh image.
Pros:
- Built from a master image, making it easier to patch and update the operating system
- Improved security, because users cannot change operating system settings or install software
- If the image is compromised, it is easy to revert desktops to a clean state, and attackers will not possess any sensitive data or credentials
- Requires less storage space per user
- Separation of operating system and user data, making it possible to move user data to lower-cost storage equipment
Cons:
- Users cannot easily personalize their desktop, and full user profiles are not supported
- Because users share a disk image, administrators need to customize the image to ensure access to all required operating system features
- Commonly, administrators create a golden image for each type of user or department, which requires application virtualization or user environment virtualization
How to Determine VDI Solution Costs
VDI is a heavyweight infrastructure that requires dedicated hardware, software licenses for VDI management components, and other indirect costs. Here are some of the key cost components of a VDI solution.
- Initial hardware costs—buying the hardware to run VDI management components, which can support expected capacity with high performance. The organization must provision additional hardware for peak periods and for near- and long-term growth.
- Consulting and implementation—in many cases organizations use consultants to guide or fully manage the initial implementation of a VDI site.
- Hardware maintenance—cost of hardware maintenance, upgrades and hardware replacement over time, and support contracts.
- Operations and administration—a significant cost is the time spent by IT staff operating the VDI site, managing VDI-related activities like desktop images, and supporting users.
- Redundancy and backup—setting up systems to facilitate fault tolerance, backup, and disaster recovery. This may include redundant servers on standby in case a VDI server fails.
- VDI licenses—VDI software from vendors like Citrix or VMware is a major part of a VDI site’s cost. Licenses may be priced per user, per device, or as a flat-fee license for the VDI management components.
- End-user software licenses—the operating system or software used by VDI end users must also be accounted for (unless it is proprietary to the organization or open source). Most software vendors have different pricing for desktop and virtualized environments.
- Facility costs—VDI requires a dedicated data center, or at least additional rack space in an existing data center. This involves adding storage equipment, network devices, power, cooling, etc.
- Workstations for special uses—there might be special cases in which the organization will provision users with dedicated workstations, in addition to the VDI deployment, representing an additional expense.
Learn more in our detailed guide to making VDI cost effective
VDI vs DaaS
Increasingly, organizations are questioning the cost and complexity of setting up an on-premises VDI site, and turning to desktop as a service (DaaS) solutions.
DaaS is a cloud-based VDI offering that does not require the organization to set up infrastructure locally. The organization only needs to manage licenses and disk images, and the rest is taken care of by the DaaS provider. Below are some of the key differences between VDI and DaaS.
Setup
VDI requires extensive setup including hardware procurement, deployment and configuration.
DaaS makes it possible to launch virtualized desktops immediately; all prior setup is handled by the provider.
Cost
VDI has a high upfront cost, as well as ongoing costs for hardware, maintenance and operations.
DaaS does not have upfront costs. All costs of the service are rolled into a per-hour or per-user subscription price. Each organization should carry out an economic analysis to compare the expected ongoing costs of VDI with the subscription costs of DaaS.
Backup and High Availability
With VDI, backup servers and high availability need to be set up and maintained at the organization’s expense.
With DaaS, most providers automatically back up data, and provide high availability built in, with a guaranteed service level agreement (SLA).
Agility and Elasticity
VDI is not elastic—if the organization needs to support peaks of usage, it must set up extra resources, and during non-peak times those resources are unutilized. In addition, if there are new requirements, like graphical processing units (GPUs) for graphic-intensive tasks, new hardware must be purchased and configured to support them.
DaaS is elastic, allowing the organization to scale up and down according to the actual number of desktops it needs. For example, it is easy to add desktops for temporary staff hired for a seasonal promotion, and stop paying for them when no longer needed. Adding special hardware configurations can be done instantly with no upfront cost (as long as the hardware is supported by the DaaS provider).
How to Enhance VDI Security
VDI infrastructure carries highly sensitive data, and virtual desktops can provide access to critical IT systems. Here are a few best practices you can use to improve VDI security.
Learn more in our guide to breaking VDI security myths
Restrict End-User Functionality
Ensure users never have access to services or networks they do not need for their job. Consider whether to disable user functions that can cause security issues, such as access to USB drives, copy-paste, or screen captures. Use content filtering to ensure users cannot access malicious or inappropriate websites.
Remove Unnecessary Services in Golden Image
Evaluate the operating system “golden image” for any service or feature that is not necessary for user productivity, or that increases the attack surface. For example, the print spooler is a service that is not needed in a virtualized desktop and could have security implications.
If a service is necessary for users but represents a security threat, consider how to mitigate the threat, for example by patching the golden image.
Use Security Tools
It is mandatory to secure a VDI site using at least basic security measures, such as firewalls and intrusion detection/prevention systems (IDS/IPS).
Seriously consider the use of endpoint protection solutions, which include antivirus, behavioral analysis to detect suspicious activity on an endpoint, and the ability to directly respond to security threats occurring on endpoints. Prefer agentless software, as it will provide better performance in a virtualized environment.
Ensure the security setup can secure:
- VDI control plane servers
- The hypervisor
- Virtual machines
- Guest operating systems running on VMs
Manage BYOD
It is common for organizations to allow users to bring their own device (BYOD). In a VDI context, this presents a serious risk, because attackers who gain access to a personal device can access VDI and impersonate the user.
Attackers could then gain unauthorized access to data and systems, alter desktop configuration and add malicious content. In a worst case scenario, attackers could escalate privileges to take control of the hypervisor, and shut down the entire VDI site.
Here are a few precautions you can take to reduce the risk of compromised BYOD devices:
- Enforce strong passwords and use multi-factor authentication (MFA)
- Consider using single sign-on (SSO) software
- Take measures to prevent users from connecting to unsecured Wi-Fi networks
- Restrict a user’s ability to download files or data to their local device
- Restrict applications users can install on their personal devices
When users are working on personal devices, many security precautions are impractical, because the organization has limited control over BYOD devices, and users will resist restrictions on use of their personal device. Hysolate can help by giving employees and contractors access to corporate applications from a non-corporate BYOD via an isolated and secure virtual environment.
Addressing VDI Challenges with Hysolate Isolated OS Solution
Creating and managing a VDI solution is a large project and a huge undertaking for an organization. Planning the infrastructure correctly, building it, testing everything, and sizing it properly to support the target population requires thousands of hours of work and a huge investment. In addition, running the servers on-premises involves the tremendous cost of purchasing the servers and, of course, of maintaining the infrastructure, leading to high OpEx and CapEx.
Moreover, in today’s remote-first world, users connecting to the datacenter VDI solution, sometimes over a VPN tunnel, get poor performance and a poor user experience, and desktops are not available when offline.
Hysolate solves these problems with an isolated, fully managed OS that sits on user endpoints. Users get a local, isolated operating system running on their machine, deployed within minutes and managed from the cloud.
Isolated workspaces enable:
- A higher level of freedom on employees’ corporate devices
- Ability to receive third-party-generated content in an isolated zone
- Access for IT admins, DevOps, developers, and other privileged users in their everyday environment
- Access for employees from personal, unmanaged devices
The behavior of the workspace is managed in the cloud, while all of the computing resources run locally on user machines.
This eliminates the need to invest in a large and costly infrastructure, and provides a better local user experience, with offline availability.
Try Hysolate Free for yourself, or request a demo to explore our enterprise features.
VMware Horizon Architecture: Planning Your Deployment
What is VMware Horizon?
Virtual desktop infrastructure (VDI) products like VMware Horizon enable IT departments to run desktop applications and virtual machines in the data center or cloud, and deliver these desktop and remote applications to employees as managed services.
For administrators, this means simplified and automated desktop and application security management. Administrators can quickly create virtual desktops based on a required location and user profile, and securely manage desktops as services from a single control plane. VMware Horizon supports local, hybrid (local but managed in the cloud) and multi-cloud deployment strategies.
End users can access custom virtual desktops or remote RDSH applications from company laptops, home PCs, Mac computers, thin clients, or mobile devices. Horizon provides a consistent user experience (UX) for virtualization services, across devices, locations and networks.
VMware Horizon stores data securely and in compliance with many regulations and industry standards, and enables migration of virtual desktop workloads to cloud platforms including Microsoft Azure, IBM Cloud, Google Cloud Platform, and VMware Cloud on AWS.
VMware Horizon Hybrid and Multi-Cloud Architecture
Organizations looking for a quick hybrid architecture set up can start with VMware Horizon, vSphere, Microsoft RDSH, and virtual desktop servers running on-premise, using a cloud-based control plane.
Typically, organizations leverage a VMware Horizon hybrid and multi-cloud architecture strategy for urgent matters. For example, when provisioning remote offices, maintaining business continuity, achieving disaster recovery, and ensuring high availability.
This enables enterprises to deploy and extend Horizon desktop and application pods to one or more public or private clouds, while keeping some Horizon pods running locally. Therefore, the business can migrate any part of the deployment from local to cloud and back, as needed. Cloud options include any public cloud that supports VMware vSphere infrastructure, or the dedicated Horizon Cloud Service on Microsoft Azure or IBM Cloud.
The following figure shows the logical architecture of a Horizon deployment.

Source: VMware
Components of VMware Horizon
VMware Horizon is composed of infrastructure components, VDI components, and user management components.
Virtualization Infrastructure
vCenter Server
The central management system of VMware vSphere. vCenter can be deployed on physical or virtual machines.
You can deploy vCenter as a vCenter Server Appliance using pre-configured OVA templates. Do not use existing vCenter servers in a VMware Horizon environment—VMware recommends using new vCenter servers for licensing purposes, because you get a vCenter license included in the price of a Horizon license.
ESXi Hypervisor
This is the server that runs the VMs for your virtualized desktop workloads. It is managed by vCenter Server.
VDI Infrastructure
Horizon View Connection Server
This is the central management server that accepts connections from virtualized desktop users, authenticating them via Active Directory. It stores a copy of the organization’s LDAP database.
View Composer
A component that must be installed on each vCenter Server. Manages vCenter Server virtual desktop storage, improving storage efficiency through linked cloning. It creates a clone of a user’s storage from the base virtual hard disk (VMDK), comparing the user’s data to the parent disk and storing only the user’s unique data locally. This technique can save 50-90% of disk space; however, it means that virtual desktops are dependent on their parent disks.
Horizon Administrator
A web-based interface for managing Horizon VDI. VMware recommends using a separate Horizon Administrator instance for each Horizon Connection Server. Using this interface, administrators can add vCenter Servers and View Composers to the View configuration.
View Agent
A component that must be part of all VMs the Horizon View Connection Server needs to manage. There should be an agent deployed on each machine that is served to users as a virtual desktop. It provides features important for virtualized desktops, including support for USB and peripherals, printing, and monitoring connectivity.
Horizon Client
Allows the user’s virtualized desktop to interact with the View Connection Server, and authenticate via the Active Directory server on the Connection Server. It can be installed on Windows, MacOS or Linux.
User Management Infrastructure
Workspace ONE UEM
VMware Workspace ONE is a platform that lets you deliver applications to any device, with integrated access control, central application management and endpoint management. It is based on VMware unified endpoint management (UEM) technology, and integrates with VMware Horizon, sharing the same identity system.
Application Delivery
There are two components VMware uses to deliver applications to users:
- App Volumes – a real-time application delivery system that dynamically delivers and manages applications to user devices.
- ThinApp – provides agentless application virtualization. Users can access remote applications without having to install software on their personal devices.
Architecture Design for VMware Horizon VDI
The design of a typical Horizon deployment is based on pods. A pod can have varying hardware configurations, and may have different versions of Horizon and vSphere.
There are several key design considerations for VMware Horizon, including whether virtual desktops should be persistent or not, and how to allocate enough memory, CPU and disk space to support virtualized workloads.
Persistent/Non-persistent
There are two primary options for virtual desktops in VMware Horizon – persistent and non-persistent.
Non-Persistent Desktops
If virtual desktops are non-persistent, after disconnecting or restarting, VMware Horizon does not keep any user data, such as user settings, application settings, or bookmarks. All desktops are identical, copied from the same master image. You can use folder redirection to maintain user-specific data – the user’s settings are stored in a central location and applied to all desktops that the user logs into.
Non-persistent desktops do not allow users to install applications and retain them in the next login. However, ThinApp can be used to provide access to applications from a virtualized desktop, without installing them locally and without requiring persistence.
Non-persistent desktops provide several benefits:
- Reduction of approx. 80% in storage requirements
- Easier maintenance of updates, because only one master image needs to be updated
- Improved security, because each desktop has a lifespan of up to one day before it is refreshed from a master image
- User settings data is also backed up centrally, further conserving storage
Persistent Desktops
This option enables users to store data on their desktops, and regain access to the data each time they connect or reboot. You do not need methods like folder redirection to copy user data to another desktop. In addition, users can directly install or manage individual applications on their desktops, even if those applications do not exist for other users, and without using app virtualization.
A persistent desktop model means each user has a unique virtualized desktop. The desktop is built from the main image, but over time, becomes a unique version maintained by the user.
Persistent desktops provide an improved user experience for users, but this comes at significant expense for the VDI operator:
- Dramatically increases storage usage compared to non-persistent desktops – user-specific settings and applications may take up to 25-35 GB per desktop
- Desktop updates need to be managed, typically using a solution like Altiris or WSUS
- Security is less robust because desktops can remain persistent for months, and users may install software or make configuration changes that introduce vulnerabilities
- User settings are not backed up centrally, so may be lost in case of loss of the virtualized desktop
Memory Requirements
RAM accounts for most of the cost of server hardware, so it is important to determine the correct memory allocation when planning a virtual desktop deployment. Too little RAM increases the use of Windows paging, which hurts end user performance. Conversely, if too much RAM is allocated, the guest operating system page file, swap file and suspend files may become too large and affect storage capacity.
CPU Requirements
When calculating CPU requirements, collect information about the average CPU utilization of different types of employees in the company. During your POC, use performance monitoring tools like Perfmon or the ESXi utility esxtop to determine the average and maximum CPU utilization of each group.
Take into account that there can be performance spikes on a VM, for example when agents perform the same action together, such as a scheduled software update or virus scan. Identify how many agents one virtual machine can support without causing performance issues.
Disk Size
Ensure that each VM has just enough storage space for the operating system, user content and applications. This is typically smaller than the size of a disk included on an employee’s workstation. Make a special effort to reduce the size of the operating system, because this will result in a large storage saving across your data center.
A few considerations when estimating storage size:
- ESXi uses a suspend file with the same size as the RAM allocated to the VM
- Windows page file is, by default, 150% of RAM
- Log files require approx. 100MB per VM
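A sizing calculator, added here as an illustration and not part of the original article or of any VMware tool, that applies the three storage factors listed above (suspend file equal to RAM, page file at 150% of RAM, about 100 MB of logs per VM) together with the persistent versus non-persistent storage profiles described earlier in this section. The base image size, the linked-clone delta size and the 30 GB of per-user data used in the sample are assumed inputs.

```python
"""Storage sizing for VMware Horizon desktop pools.

Added example (not VMware's, Citrix's or Hysolate's code). Page-derived
constants: ESXi suspend file == VM RAM, Windows page file 150% of RAM by
default, ~100 MB of logs per VM, 25-35 GB of user data on a persistent
desktop. Base image size and linked-clone delta size are assumptions.
"""
from dataclasses import dataclass

MB_PER_GB = 1024  # all sizes below are in MB


@dataclass(frozen=True)
class VmSpec:
    ram_mb: int                   # RAM allocated to the guest VM
    os_image_mb: int              # base OS + application image (assumed input)
    persistent: bool              # dedicated, user-modified desktop?
    user_data_mb: int = 0         # per-user settings/apps on a persistent desktop
    delta_disk_mb: int = 2048     # linked-clone delta per non-persistent VM (assumed)
    page_file_ratio: float = 1.5  # page: Windows page file defaults to 150% of RAM
    log_mb: int = 100             # page: ~100 MB of log files per VM


def ram_driven_files_mb(spec: VmSpec) -> dict:
    """Files whose size follows the RAM allocation rather than the image.
    These are what grows when RAM is over-allocated (see Memory Requirements)."""
    return {
        "suspend": spec.ram_mb,                            # page: suspend file == RAM
        "pagefile": int(spec.ram_mb * spec.page_file_ratio),
        "logs": spec.log_mb,
    }


def per_vm_storage_mb(spec: VmSpec) -> int:
    """Storage one desktop consumes on its own, excluding any shared replica."""
    overhead = sum(ram_driven_files_mb(spec).values())
    if spec.persistent:
        # Full clone: the whole image plus everything the user adds over time.
        return spec.os_image_mb + spec.user_data_mb + overhead
    # Linked clone (View Composer): only the delta disk is per-VM.
    return spec.delta_disk_mb + overhead


def pool_storage_mb(spec: VmSpec, desktops: int) -> int:
    """Datastore requirement for a pool of identical desktops."""
    if desktops <= 0:
        raise ValueError("a pool needs at least one desktop")
    # Non-persistent pools share one replica of the base image.
    shared_replica_mb = 0 if spec.persistent else spec.os_image_mb
    return shared_replica_mb + desktops * per_vm_storage_mb(spec)


def storage_cost_of_extra_ram_mb(spec: VmSpec, extra_ram_mb: int) -> int:
    """Extra storage one VM needs for each additional block of RAM:
    the suspend file grows 1:1 and the page file by the page-file ratio."""
    return int(extra_ram_mb * (1 + spec.page_file_ratio))


def storage_saving_ratio(persistent: VmSpec, non_persistent: VmSpec, desktops: int) -> float:
    """Fraction of pool storage saved by going non-persistent, 0.0-1.0."""
    full = pool_storage_mb(persistent, desktops)
    linked = pool_storage_mb(non_persistent, desktops)
    return 1.0 - linked / full


if __name__ == "__main__":
    # Constructed sample: 100 desktops, 4 GB RAM, 40 GB image, 30 GB user data.
    linked = VmSpec(ram_mb=4 * MB_PER_GB, os_image_mb=40 * MB_PER_GB, persistent=False)
    full = VmSpec(ram_mb=4 * MB_PER_GB, os_image_mb=40 * MB_PER_GB,
                  persistent=True, user_data_mb=30 * MB_PER_GB)
    for name, spec in (("non-persistent", linked), ("persistent", full)):
        print(f"{name:15s} per VM {per_vm_storage_mb(spec) / MB_PER_GB:7.1f} GB, "
              f"pool of 100 {pool_storage_mb(spec, 100) / MB_PER_GB:9.1f} GB")
    print(f"saving from linked clones: {storage_saving_ratio(full, linked, 100):.0%}")
    print(f"each extra GB of RAM costs {storage_cost_of_extra_ram_mb(linked, MB_PER_GB)} MB per VM")
```

With the constructed sample the saving comes out at about 84%, in line with the roughly 80% the article cites for non-persistent desktops; each extra GB of RAM adds 2.5 GB of per-VM storage, which is the over-allocation effect the Memory Requirements paragraph warns about.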
Addressing VDI Challenges with Hysolate Isolated Workspace as a Service
Creating and managing a VDI solution is a large project and a huge undertaking for an organization. Planning the infrastructure correctly, and making sure everything is tested and properly sized to support the target population, requires thousands of hours of work and a huge investment. In addition, running the servers on premises involves the tremendous cost of purchasing the servers and, of course, of maintaining the infrastructure, leading to high OpEx and CapEx.
With that said, in today’s remote-first world, users connecting to the datacenter VDI solution, sometimes over a VPN tunnel, get poor performance and a poor user experience, and desktops are not available when offline.
Hysolate solves these problems with an innovation called isolated workspace as a service (IWaaS). Users get a local isolated operating system running on their machine, deployed within minutes and managed from the cloud.
Learn more about our Isolated Workspace as a Service platform
VDI Solutions: Comparing Top 6 Solutions
What is VDI and How Does it Work?
Virtual desktop infrastructure (VDI) enables organizations to deliver operating systems and applications in a centralized manner, without having to deploy a dedicated workstation for each employee. VDI solutions are based on desktop images, which a user connects to and uses as if it was running locally on their device. VDI solutions support a variety of endpoints including Windows, Linux and MacOS computers, mobile devices, or thin clients.
The term “VDI” typically refers to an on-premise deployment model, in which organizations run VDI infrastructure in their local data center and use it to deliver virtualized desktops to users. However, VDI technology can be operated by cloud providers or other vendors, who use it to deliver VDI as a managed service—a deployment model known as Desktop as a Service (DaaS).
Enterprise VDI Solutions
Enterprise VDI solutions are full-featured offerings that allow an organization to deliver VDI services to large numbers of users. They can be used by individual organizations, or by service providers to deliver managed desktop virtualization services to many organizations.
VMware Horizon
VMware Horizon is a VDI solution based on the popular vSphere hypervisor. Each user’s desktop is managed as an ESXi virtual machine. Horizon supports endpoint devices including personal computers, tablets, smartphones, thin clients, and zero clients (an endpoint device with no local storage capacity, which connects remotely to a server).
Unlike vSphere, VMware Horizon is licensed according to the number of desktops the organization can serve concurrently.
VMware Horizon components include:
- Horizon View Connection Server—management server which allows desktop users to connect and authenticate via LDAP.
- View Composer—installed on vCenter Server, manages virtual desktop storage and can save up to 90% of virtual desktop disk space through linked cloning.
- Horizon Administrator—UI for managing the VDI deployment. Can be used to add vCenter Servers and View Composers.
- View Agent—installed on all VMs that are managed as part of the VDI infrastructure. Provides features like access to peripherals and connectivity monitoring.
- Horizon Client—installed on the user’s device (Windows, MacOS or Linux), and lets the user connect and authenticate on the View Connection Server, and access their virtualized desktop.
Citrix Virtual Apps and Desktops
Citrix provides a popular VDI platform, which provides fine-grained control over virtual machines, licensing, applications, and security. It enables organizations to run virtual desktops on any device, regardless of the operating system of the local device. It is based on the Citrix FlexCast Management Architecture (FMA), which can be used to deliver individual applications as well as entire desktops to users.
Citrix Virtual Apps and Desktops offers two price tiers—Citrix VDI, Enterprise Edition and Platinum Edition, with three payment models—payment per concurrent user, payment per device, or payment per team.
Citrix components include:
- Delivery Controller—the central management component of a VDI deployment. Communicates with the hypervisor to run desktops and manage user access.
- Database—Microsoft SQL Server used for configurations and session data.
- Virtual Delivery Agent (VDA)—installed on each physical or virtual machine that hosts virtualized desktops.
- Citrix StoreFront—authenticates users and directs them to the desktop or application they are eligible to access.
- Citrix Workspace App—installed on user devices, or delivered via HTML5 in a browser. Lets users access their virtual desktop and personal data.
- Citrix Studio—a management console that lets administrators control the VDI deployment and track licensing.
- Citrix Director—an administrative interface that allows IT teams to troubleshoot issues and support end users.
- Citrix Hypervisor—the VDI solution can run on the Citrix hypervisor, or use a hypervisor from another vendor.
Cloud-Based VDI Solutions (Desktop as a Service)
Several major cloud providers provide managed VDI solutions, in a model known as desktop as a service (DaaS). These solutions run a VDI stack behind the scenes, but do not require an upfront investment, and allow organizations to get started with VDI quickly and pay per actual usage.
Amazon WorkSpaces
A cloud-based desktop service that lets you configure Windows or Linux desktops in minutes, and scale quickly to deliver thousands of concurrent desktops. It is billed monthly, according to the number of workspaces launched, or hourly per desktop usage.
Amazon WorkSpaces was designed to eliminate many administrative tasks related to desktop lifecycle management, such as provisioning, deployment, and maintenance. It provides one cloud-based management interface, and does not require the organization to manage multiple VDI components.
Azure Windows Virtual Desktop (WVD)
This new service is the successor of the legacy Microsoft offering, Remote Desktop Service (RDS), which was also offered in a DaaS model. WVD allows users to access a Windows 10 desktop from any device. The service is fully hosted in Azure, with extensive compliance and security features.
WVD lets users access Office 365 Pro Plus, and is fully integrated with the Microsoft 365 platform. It is based on a multi-session version of Windows 10 which was especially designed for the DaaS platform. An important advantage is that WVD users receive free Extended Security Updates for Windows 7.
IBM Cloud
IBM Cloud offers a virtual desktop solution with accelerated graphics capabilities. It lets several virtual desktops use the same graphical processing unit (GPU), using high performance NVIDIA GRID hardware. This offers mobile workers a workstation-like experience for graphic-intensive use cases on any device.
IBM Cloud enhances security for virtual desktops by never sending any data—only encrypted visual output and mouse or keyboard input over the network. This means users don’t need to keep a local copy of their files.
Evolve IP
Evolve provides a third-party desktop as a service solution based on Microsoft Azure. Its unique features include:
- PCoIP (PC over IP) distribution protocol for accessing local USB peripherals.
- Integration with Microsoft Office, SharePoint and Evolve IP applications.
- Built-in antivirus, anti-malware and two-factor authentication for virtualized desktops.
- Full control and customization of your virtual desktop environment—configure how the solution provides application, desktop and storage space.
- Customize the operating systems and applications provided to users to optimize license costs.
Addressing VDI Challenges with Hysolate
Hysolate solves these problems: users get a local isolated operating system running on their machine, deployed within minutes and managed from the cloud.
Learn more about Hysolate here.
VDI Citrix: An In-Depth Look
What is Citrix VDI?
Citrix is a veteran player in the virtual desktop infrastructure (VDI) space. Its core VDI solution is Citrix Virtual Apps and Desktops, an enterprise solution that enables organizations to deliver a large number of virtualized desktops and applications to employees, instead of provisioning full workstations.
The solution comprises several components that provide:
- A back-end infrastructure that enables serving virtualized desktops in a scalable and secure manner.
- A client application that lets end users view virtualized desktops on their local device.
- Administrative systems that allow administrators to configure the VDI deployment, set up access for users, and troubleshoot problems.
Citrix Virtual Apps and Desktops is based on the Citrix FMA technology (FlexCast Management Architecture), which enables resource provisioning, cloud management, and application delivery.
Related content: learn how to run VDI on VMware
Citrix Virtual Apps and Desktops Key Components
The Citrix architecture includes several components. The backend components are deployed in the local data center, while the Workspace App is deployed on end user devices.
Delivery Controller
A central component that manages a VDI site. There can be one or several Delivery Controllers. Because they are mission critical, it is advised to deploy this component on at least two separate servers.
In VDI sites that include a hypervisor, the Delivery Controller uses it to deploy desktops, manage access, perform connection brokering, and manage load balancing of user sessions.
Database
A Citrix VDI site requires at least one SQL Server database, which holds session information, configuration, and other data collected by Delivery Controller services. The database must have a fast connection to the Controller.
Virtual Delivery Agent (VDA)
Installed on every machine or VM that runs virtualized desktops or applications. VDA allows you to register a system with the controller. This makes the resources hosted on that computer available to users. VDA also verifies licenses and policies.
Citrix StoreFront
Used to authenticate connections and manage desktops and applications available for users to access (known in Citrix as a “store”). The enterprise application store gives users self-service access to desktops and applications they are eligible to access. It also keeps a record of each user’s application subscriptions and other profile data, which lets Citrix provide the same experience to the same user across all their devices.
Citrix Workspace App
A client application that users install on their devices—available either as a downloadable application, or as an HTML5 app that can be accessed over a web browser. Allows the user to view and interact with a virtualized desktop or application as if it were running on their local device.
Citrix Studio
An administration interface that lets IT staff configure the VDI deployment. It provides wizard-based controls for setting up the environment, provisioning resources to host desktops, assigning them to users, and managing Citrix licenses for VDI components.
Citrix Director
Another administrative tool that enables IT staff to monitor the VDI site, identify and troubleshoot issues, and support end users experiencing problems with their virtualized desktops. One Director instance can be used to support and monitor several Citrix VDI sites.
Citrix Hypervisor
In many Citrix environments, virtualization is managed by the Citrix hypervisor. The hypervisor manages virtual machines that run user desktops and applications. A Citrix VDI site can also run on hypervisors from other vendors.
Citrix VDI Support Models
Citrix lets you choose between two support models for its VDI infrastructure:
- Long-Term Service Release (LTSR) provides a stable environment and reduces the frequency of feature releases.
- Current Release (CR) model enables more frequent updates, bringing more new features to virtual apps and desktops, but requiring more frequent maintenance.
Citrix recommends that organizations use the CR model, since that is where new features may be introduced. As many applications and platforms move to an update-based, subscription model, more Citrix customers are moving to the CR model.
Citrix Security Considerations
VDI is a mission critical system that holds a lot of sensitive data. Security is an essential consideration. Here are several important security best practices.
Use App Protection
App Protection is provided as part of the Citrix Workspace App. You can enable it via a PowerShell command (there is no UI). It provides two key capabilities:
- Keylogger protection—encrypts the user’s keystrokes, so a keylogger installed by an attacker cannot see what the user is typing.
- Anti screen capturing—prevents attackers from taking screenshots on a virtualized desktop—can protect the entire screen on Windows or only the active window in MacOS.
Transport Layer Security (TLS)
It is essential to protect user connections using secure protocols. Citrix supports TLS for TCP-based connections, and DTLS for UDP-based connections. Both protocols operate similarly and can use the same certificates.
Manage User Privileges
Provide users access only to the operating system features they actually need. You can continue to apply Microsoft Windows permissions through User Rights Assignment and by adding members to groups with specific policies. One of the benefits of this method is that you can give users administrative rights to their desktops without also giving them control of the entire machine.
Citrix Virtual Desktop Deployment Considerations
Test Extensively Before Deploying
One of the most important best practices for Citrix VDI is to run tests before fully deploying virtual applications and desktops. Otherwise, IT administrators will face application compatibility issues, insufficient resource allocation, and performance issues, which can make IT management difficult.
End-user storage, memory requirements, and desktop login time are three important aspects of VDI testing. For example, users who run video editing software have different requirements than knowledge workers who use Microsoft Word. IT must predict these requirements as accurately as possible to avoid performance issues.
IT admins can test using native Citrix tools such as Citrix QuickLaunch, or using third-party tools such as Automai AppLoader.
Monitor for Performance Issues and Adjust
Even if IT admins have thoroughly tested virtual applications and desktops, performance issues can still arise when faced with real users and workloads. IT must adhere to Citrix VDI best practices to identify and eliminate these issues.
There are two primary techniques for improving performance:
Optimize the operating system
Operating systems like Windows 10 are bloated with features and services that are not relevant for all users. This makes it difficult for them to run as a virtual desktop operating system.
Operating system optimization helps reduce operating system size and significantly improve image performance. Citrix provides Citrix Optimizer, a tool which comes with built-in templates for specific Windows builds.
Review configuration of Citrix Provisioning Services (PVS)
IT admins running non-persistent Citrix deployments can run into misconfigured PVS environments.
To follow Citrix VDI best practices, administrators should set the amount of RAM on the PVS server appropriately. Also, they should automate vDisk creation, to avoid accumulating too many versions of the same vDisk.