TECHNICAL WHITE PAPER – AUGUST 2016

VMWARE HORIZON FLEX DEPLOYMENT CONSIDERATIONS
VMware Horizon FLEX 1.8

Table of Contents

Introduction
What Is VMware Horizon FLEX?
How Horizon FLEX Works
Horizon FLEX Server
Architecture and Components of Horizon FLEX
Horizon FLEX Environment Components
Restricted-VM Creation Tools and Clients
Horizon FLEX Architecture
Storage of Restricted Virtual Machines
Installation and Configuration of Horizon FLEX
Horizon FLEX Environment Requirements
Installation of Horizon FLEX
Network Considerations for Horizon FLEX
Horizon FLEX Scalability
Horizon FLEX Security and Certificates
Creating a Self-Signed Server Certificate
Intermediate Certificates
Certificate Trust
Updating Embedded Certificates Using the Horizon FLEX Administrator Console
Troubleshooting Certificate Issues
Delivering the Horizon FLEX Client to End Users
Supported Host Operating Systems for Horizon FLEX Clients
Creation and Management of Restricted Virtual Machines
Creation of Restricted Virtual Machines
Supported Guest Operating Systems for Horizon FLEX
Installing the Mirage Client on the Restricted VM
Management and Update of Restricted Virtual Machines
Delivering Horizon FLEX Restricted Virtual Machines to End Users
End-User Download of the Restricted Virtual Machines
End-User Access to Updates of Virtual Machines
Horizon FLEX Log File Locations
Horizon FLEX Frequently Asked Questions
Summary
Authors and Contributors
Additional Resources


Introduction

This VMware Horizon® FLEX™ Deployment Considerations paper is intended to help administrators address important matters that may arise during the installation and setup of VMware Horizon FLEX. This document contains information on topology and best practices. It is to be used in conjunction with the existing Horizon FLEX Administration Guide and Horizon FLEX Client User Guide. For more information on the challenges and use cases that Horizon FLEX addresses, see the VMware Horizon FLEX Solution Brief.

What Is VMware Horizon FLEX?

VMware Horizon FLEX is a policy-based, containerized desktop solution that allows IT administrators to create, secure, and manage local desktops to meet the needs of workers with their own unmanaged computers. End users work within a restricted virtual machine (VM) on their endpoints and can either be connected to or disconnected from the enterprise network.

Note: A restricted virtual machine is a VMware virtual machine that has had FLEX security policies applied to it. For more information, see the Horizon FLEX Administration Guide.

Horizon FLEX uses existing VMware products, with additional benefits. These products include a Horizon FLEX client and VMware Mirage™. The Horizon FLEX client can be VMware Fusion® Pro, or VMware Workstation Player™. The Horizon FLEX server is built on a Mirage base.

With the Horizon FLEX package, you can create multiple restricted VMs (Horizon FLEX virtual machines) and entitle them to a variety of end users. Restricted VMs can be created with Fusion Pro or VMware Workstation Pro™.

Note: Workstation Pro is not included with Horizon FLEX and must be purchased separately.

Figure 1 shows the components of a Horizon FLEX implementation.

[Figure 1: Horizon FLEX Components. The diagram shows three parts of Horizon FLEX: Fusion Pro or Workstation Pro (VM creation); the Horizon FLEX server (Mirage management components); and Horizon FLEX clients (Fusion Pro or Workstation Player installed on the endpoint).]

Important: Workstation Pro is not a supported Horizon FLEX client. Using Workstation Pro to run a restricted VM can cause unexpected results.


How Horizon FLEX Works

To use Horizon FLEX, administrators must enter a Horizon FLEX serial number during a default installation of Mirage. Providing this serial number enables the Horizon FLEX-specific Mirage features. Virtual machines are created with Fusion Pro or Workstation Pro and given to end users. Users run the VMs in a Horizon FLEX client on their endpoints. The macOS client is Fusion Pro, and the Windows client is Workstation Player. Fusion Pro and Workstation Player are included with the Horizon FLEX product.

Horizon FLEX Server

Because Horizon FLEX is built on a Mirage engine, it makes use of the Mirage Management server, the Mirage server, and the Mirage Web Management component. The Horizon FLEX server is a logical entity that is made up of these three Mirage components. In most cases, all of these components are installed on a single server. You set policies for, and manage restricted VMs with, the Horizon FLEX server.

For detailed instructions on Horizon FLEX and Mirage installation, read the Installation and Configuration of Horizon FLEX section of this document.

Architecture and Components of Horizon FLEX

Following is a brief overview of the architecture and components of a Horizon FLEX implementation. For additional details about the Horizon FLEX architecture, see the Horizon FLEX Architecture section of the Horizon FLEX Administration Guide.

Horizon FLEX Environment Components

There are several components that are required in a Horizon FLEX environment. They include:

• File download location: The file download location hosts restricted virtual machines for users. Providing dedicated file servers with IIS, one for all endpoints inside your company’s network and one for all endpoints outside your company’s network, provides security and flexibility.
• Mirage Management server: The Mirage Management server manages the Horizon FLEX environment.
• Mirage server: The Mirage server sets up the database for the Horizon FLEX environment.
• Mirage Web Management component: The Mirage Web Management component allows administrators to monitor and make changes to the Horizon FLEX environment. The primary tool used here is the Mirage Web Manager.
• Horizon FLEX VM creation tool: The Horizon FLEX VM creation tools are used to create restricted VMs. Creation tools include Fusion Pro for macOS and Workstation Pro for Windows.
• Horizon FLEX client: The Horizon FLEX client is the software that end users must download to access the Horizon FLEX VMs on their local computers. Clients include Fusion Pro for Macs and Workstation Player for Windows. Fusion Pro and Workstation Player are both included in the Horizon FLEX package.
• Storage: You need storage for the SQL and MongoDB databases in a Horizon FLEX implementation, as well as for all restricted VMs.

Table 1: Horizon FLEX Environment Components


Restricted-VM Creation Tools and Clients

You create restricted VMs with Fusion Pro on macOS operating systems and with Workstation Pro on Windows operating systems. Both products can be used to create Windows- or Ubuntu-based restricted VMs. For exact Windows and Ubuntu versions, see Supported Host and Guest Operating Systems in the Horizon FLEX Administration Guide.

For Horizon FLEX clients, you can use Fusion Pro on a Mac, and Workstation Player on Windows.

Figure 2 shows the VM creation tools, restricted VMs, Horizon FLEX clients available for use, and their relationship to each other.

[Figure 2: Restricted-VM Creation Tools and Clients. The diagram has three columns: VM Creation Tool (Fusion Pro, Workstation Pro); Restricted VMs (Windows); Client (Mac with Fusion Pro client, Windows with Workstation Player client).]

Note: Both Fusion Pro and Workstation Pro can be used to create any of the allowed Windows or Linux restricted VMs. Fusion Pro and Workstation Player can be used to run any restricted VM.


Horizon FLEX Architecture

Figure 3 shows a Horizon FLEX deployment that ensures security and function. In this example, the Horizon FLEX server sets policies for both on-premises and off-premises endpoints.

[Figure 3: A Horizon FLEX Deployment That Ensures Security and Function. Diagram labels: Horizon FLEX server; storage; on-premises file server with VMs; off-premises file server with VMs; on-premises endpoints with Horizon FLEX client; off-premises endpoints with Horizon FLEX client; DMZ; HTTPS with proxy.]

In Figure 3, off-premises endpoints use an HTTPS proxy to reach the Horizon FLEX server to get policy updates.

Storage of Restricted Virtual Machines

Note that the file servers storing the restricted VMs are not running on a Horizon FLEX server. Using separate, fast file servers keeps the Horizon FLEX server free to distribute policies. VM storage is typically located on a dedicated IIS server or in an IIS Web farm.

Note: Figure 3 is just one example of a restricted VM deployment model. However, restricted VMs can be stored anywhere users can access them—including from a Web site link, or on removable storage.


Installation and Configuration of Horizon FLEX

To install and configure Horizon FLEX in your environment, you must meet the following requirements for the Mirage / Horizon FLEX server and for the Horizon FLEX Web Management components.

Horizon FLEX Environment Requirements

Following are the requirements for the Horizon FLEX server in a Horizon FLEX environment.
• Recommended CPU – 8 vCPU
• Recommended RAM – 16 GB
• 450 GB free disk space
• Windows 2008 R2, or Windows 2012 or later
• .NET 3.5 SP1 or later
• Mirage server listens to Windows Communication Foundation (WCF) HTTPS requests on port 8443.

Note: These requirements assume that you will also be using all Mirage functions in your environment. But if you will not be using Mirage itself, there are fewer requirements. For instance, Horizon FLEX does not use the MongoDB database, and, without it, only 40 GB of free disk space are required.

For more information, see Horizon FLEX System Requirements in the Horizon FLEX Administration Guide.

Installation of Horizon FLEX

Begin your Horizon FLEX installation with an installation of Mirage, accepting all of the defaults of the Mirage installation wizard. Ensure that you enter your Horizon FLEX serial number. For further details about installing Mirage, see the VMware Mirage Installation Guide.

After installing Mirage, install other Horizon FLEX environment components, set up certificates for restricted VMs, create and entitle restricted VMs, and install a Horizon FLEX client on each endpoint. For more detailed instructions, see Installing Horizon FLEX in the Horizon FLEX Administration Guide, and the blog post Install / Configure VMware Horizon FLEX.

When installing Horizon FLEX, you might see the message

The restriction Server encountered an error

or, in rvm/webapp.log, see the entry

an error (1301) occurred while enumerating the groups. The group’s SID could not be resolved

This is a known Microsoft issue. For more information, see the Microsoft Knowledge Base article SID S-1-18-1 and SID S-1-18-2 cannot be mapped on Windows-based computers in a domain environment.


Network Considerations for Horizon FLEX

Horizon FLEX allows users to run corporate applications even when disconnected from the network. Restricted VMs are stored locally and can be used without network access so long as the length of time they have been offline keeps them in compliance with security policies configured by the administrator.

A network connection between the Horizon FLEX server and the endpoint is required only in the following scenarios:
• For the initial registration of the restricted VM with the Horizon FLEX server
• To receive periodic policy updates and actions

Horizon FLEX Scalability

If you follow the requirements given for the Horizon FLEX server in the Horizon FLEX Environment Requirements section of this document, then Horizon FLEX can accommodate up to 10,000 users. If you exceed that capacity, use multiple Horizon FLEX servers behind a load balancer to ensure reliability and redundancy.

Horizon FLEX Security and Certificates

To ensure security, Horizon FLEX requires secure communications from the endpoint to the server. The Horizon FLEX server sends small policy changes over a secure channel from the Mirage database to the endpoints.

If you are using a valid certificate signed by a root or intermediate Certificate Authority (CA), the Horizon FLEX client can set up an HTTPS connection without any additional steps. However, you might want to use a self-signed certificate, especially for a quick proof-of-concept deployment.

The Horizon FLEX client and Horizon FLEX server treat a certificate that is created locally, but signed by a CA, as if it is self-signed. Only certificates that are created by a CA are automatically trusted by an endpoint.

Mirage automatically creates a default self-signed server certificate upon install. You can use this self-signed certificate in Horizon FLEX if this is acceptable for you.


Creating a Self-Signed Server Certificate

If the default self-signed certificate is not correct, for example, if the common name of the certificate does not match the server’s FQDN, you must create a new certificate. Use OpenSSL or Keytool to create a new self-signed certificate. Do not use IIS. Self-signed certificates created in IIS might be missing some fields, such as Organizational Unit, Organization, Location, and State. The OpenSSL library in the Horizon FLEX client will reject such certificates.

The following instructions and examples are based on OpenSSL.

Perform the following steps to create a basic self-signed certificate with the OpenSSL command-line tool. These steps can be run on any system with OpenSSL installed.

1. Run the following command:

openssl req -new -days <days> -x509 -newkey rsa:2048 -keyout <key-file> -out <cert-file> -nodes

• Replace <days> with the number of days that the certificate should be valid for (for example, 365 for 1 year).
• Replace <key-file> with the filename for the key (for example, mirage-test-1.key) and <cert-file> with the filename for the CERT file (for example, mirage-test-1.cert).

This command generates a new certificate (req -new) and private key (-newkey). It uses a 2048-bit RSA key (rsa:2048) and does not protect the key with a passphrase (-nodes). The certificate is self-signed (-x509).

2. During certificate creation, you are prompted for several values. Example values follow.

Country name: US
State: California
Locality: Palo Alto
Organization Name: VMware
Organizational Unit Name: EUC
Common Name (this field is critical): the host name of the server to be protected (for example, mirage-test-1.eng.vmware.com)
Email Address: [email protected]

3. This generates a self-signed certificate and associated private key. If you need the private key in PFX format, you can run the additional command:

openssl pkcs12 -export -out <pfx-file> -inkey <key-file> -in <cert-file>

This generates a new PFX file that is password-protected and is suitable for deployment on any machine that requires PFX certificates instead of PEM certificates.
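The script below is an added example, not part of the original white paper or of VMware's tooling. It runs the certificate-creation command without prompts by passing the subject values through -subj, then checks a certificate subject for the fields named in this section and for a common name that matches the server's FQDN. The host name mirage-test-1.example.test, the output file names, and the function names are assumptions; subject values that contain commas are not handled.

```shell
#!/bin/sh
# Added example, not from the white paper. Host and file names are placeholders.

# Create a key and self-signed certificate without prompts. The -subj string
# carries the subject fields from the prompt list (email address omitted).
make_selfsigned() {
    fqdn=$1 days=$2 key=$3 cert=$4
    openssl req -new -x509 -days "$days" -newkey rsa:2048 -nodes \
        -keyout "$key" -out "$cert" \
        -subj "/C=US/ST=California/L=Palo Alto/O=VMware/OU=EUC/CN=$fqdn"
}

# Print the certificate subject in RFC 2253 form, for example:
# subject=CN=host,OU=EUC,O=VMware,L=Palo Alto,ST=California,C=US
cert_subject() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253
}

# Report problems in an RFC 2253 subject string: an absent or empty C, ST, L,
# O, OU or CN, and a CN that differs from the expected FQDN (case-insensitive).
# Prints one token per problem on a single line; returns 0 only when clean.
subject_problems() {
    subj=${1#subject=}
    subj=${subj# }
    want=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    problems=""
    for attr in C ST L O OU CN; do
        # Split the subject on commas and take the value of this attribute.
        val=$(printf '%s\n' "$subj" | tr ',' '\n' | sed -n "s/^ *$attr=//p" | head -n 1)
        if [ -z "$val" ]; then
            problems="$problems missing:$attr"
        elif [ "$attr" = CN ] && [ "$(printf '%s' "$val" | tr 'A-Z' 'a-z')" != "$want" ]; then
            problems="$problems cn-mismatch:$val"
        fi
    done
    printf '%s\n' "${problems# }"
    [ -z "$problems" ]
}

# Usage: sh this-script <fqdn>   (does nothing when run without arguments)
if [ $# -ge 1 ]; then
    make_selfsigned "$1" 365 "$1.key" "$1.cert" &&
        subject_problems "$(cert_subject "$1.cert")" "$1" &&
        echo "subject complete and CN matches $1"
fi
```

To check a certificate produced elsewhere, such as one exported from IIS, pass the output of cert_subject for that file to subject_problems together with the server's FQDN.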


Intermediate Certificates

If you are using a certificate with an intermediate certificate, use care when installing the certificate chain onto IIS on the Horizon FLEX server, because IIS might import only the leaf certificate (the last certificate in the chain). When IIS is configured with only the leaf certificate, the Horizon FLEX client rejects the certificate because it cannot locate the intermediate certificate.

Perform the following steps to make sure you deploy the intermediate certificate onto the Horizon FLEX server:

1. To launch the Microsoft Management Console (MMC), go to Start > Run, and enter mmc. Click OK.
2. Select File > Add/Remove Snap-in.
3. On the left side, select Certificates and click Add.
4. Select Computer account and click Next.
5. Keep Local computer selected and click Finish.
6. Click OK on the Add or Remove Snap-ins window.
7. On the left, below Console Root, expand Certificates (Local Computer).
8. To import the root certificate, right-click Trusted Root Certification Authorities and select All Tasks > Import.
9. In the wizard, click Next to advance past the welcome page.
10. Browse for the root certificate file, select it, and click Next.
11. Keep Place all certificates in the following store: Trusted Root Certification Authorities selected and click Next, then click Finish. Click OK to dismiss the successful import dialog box.
12. To import the intermediate certificate, right-click Intermediate Certification Authorities and select All Tasks > Import.
13. In the wizard, click Next to advance past the welcome page.
14. Keep Place all certificates in the following store: Intermediate Certification Authorities selected and click Next, then click Finish. Click OK to dismiss the successful import dialog box.

Some additional instructions from commercial certificate providers include Installing an SSL Certificate in Microsoft IIS 7 and Adding Root and Intermediate certificates via MMC.

After you have completed these steps, the root certificate appears in the Trusted Root Certification Authorities/Certificates folder and the intermediate certificate appears in the Intermediate Certification Authorities/Certificates folder.

Note: If the leaf certificate appears in the certificates manager, then IIS will not work properly.

You can test whether the intermediate certificate is correctly installed on the Horizon FLEX server by executing this command from a Windows command prompt:

openssl s_client -connect <server>:<port> -showcerts

If the intermediate certificate is correctly deployed, the output contains two different certificates, both of which start with -----BEGIN CERTIFICATE-----. If only one instance of -----BEGIN CERTIFICATE----- is present, then the intermediate certificate is not correctly deployed on the Horizon FLEX server.
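The script below is an added example, not part of the original white paper. It automates the check described above and goes one step further than counting -----BEGIN CERTIFICATE----- markers: it also confirms that each certificate in the output was issued by the next one, and it tells a single self-signed certificate apart from a CA-issued leaf sent without its intermediate. The sample s_client output, host names, and CA names are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the white paper. Reads `openssl s_client -showcerts`
# output on stdin and classifies the certificate chain the server presented:
#   chain-ok N      N certificates sent, each issued by the next one
#   leaf-only       one CA-issued certificate, no intermediate sent
#   self-signed     one certificate whose issuer equals its subject
#   broken-link K   the issuer of certificate K is not the subject of K+1
check_chain() {
    awk '
        /^Server certificate/ { stop = 1 }   # the chain listing ends here
        stop { next }
        /^ *[0-9]+ s:/ { sub(/^ *[0-9]+ s:/, ""); subj[n++] = $0; next }
        /^ +i:/ && n > 0 { sub(/^ +i:/, ""); iss[n - 1] = $0; next }
        /^-----BEGIN CERTIFICATE-----/ { pem++ }
        END {
            if (pem == 0) { print "no-certificates"; exit 2 }
            if (pem == 1) {
                if (n > 0 && subj[0] == iss[0]) { print "self-signed"; exit 0 }
                print "leaf-only"; exit 1
            }
            for (k = 0; k + 1 < n; k++)
                if (iss[k] != subj[k + 1]) { print "broken-link " k; exit 1 }
            print "chain-ok " pem
        }'
}

# Constructed sample: the server sends the leaf and the intermediate
# (certificate bodies replaced by a placeholder line).
sample_full_chain() {
    cat <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:/C=US/ST=California/L=Palo Alto/O=Example/OU=EUC/CN=flex.example.test
   i:/C=US/O=Example/CN=Example Issuing CA
-----BEGIN CERTIFICATE-----
(constructed placeholder body)
-----END CERTIFICATE-----
 1 s:/C=US/O=Example/CN=Example Issuing CA
   i:/C=US/O=Example/CN=Example Root CA
-----BEGIN CERTIFICATE-----
(constructed placeholder body)
-----END CERTIFICATE-----
---
Server certificate
subject=/C=US/ST=California/L=Palo Alto/O=Example/OU=EUC/CN=flex.example.test
issuer=/C=US/O=Example/CN=Example Issuing CA
---
EOF
}

# Constructed sample: the same server with only the leaf bound in IIS.
sample_leaf_only() {
    sample_full_chain | awk '/^ 1 s:/ { skip = 1 } /^---$/ { skip = 0 } !skip'
}

# Live use (server and port are placeholders):
#   openssl s_client -connect <server>:<port> -showcerts < /dev/null 2>/dev/null | check_chain
sample_full_chain | check_chain            # prints chain-ok 2
sample_leaf_only | check_chain || true     # prints leaf-only
```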


Certificate Trust

If the server certificate is not signed by a Certificate Authority, the organization must complete extra steps to ensure that the endpoint trusts the self-signed certificate. This applies whether you use the default certificate created by Mirage or a certificate you have created.

You have two options to ensure that the endpoint trusts the self-signed certificate:
• When creating the restricted VM to distribute, add the server certificate to the VM, creating an embedded certificate.
or
• On the endpoint, you or the user will be prompted to import and trust the self-signed certificate on the host system.

One of these steps must be completed before the restricted VM can boot.

Advantages of an embedded certificate include
• You add the server certificate to the restricted VM at VM creation, and the end user does not have to take additional steps.
• An embedded certificate is more secure than importing and trusting a self-signed certificate on the client endpoint. An attacker cannot replace the self-signed certificate with another certificate that has the same server name but leads to the attacker’s own server. As a result, the embedded certificate is protected.

If embedding a certificate, follow these general guidelines for all certificates:
• If you embed a certificate on the restricted VM, you do not have to put a certificate on the endpoint.
• When embedding a certificate, if the server certificate is signed by a root CA or an intermediate CA, embed the root certificate.

The disadvantage of an embedded certificate is that if there is a problem with the certificate, or if the certificate is changed later, the restricted VM defaults to the built-in certificate and ignores all locally installed certificates. You would have to edit the VM, and the end user would have to download it again. For proofs-of-concept or lab tests, it is simpler to not use embedded certificates.

If you do not embed a certificate on the restricted VM and it is self-signed, the end user gets a warning and must choose to import and trust the certificate.

Updating Embedded Certificates Using the Horizon FLEX Administrator Console

If you are planning to migrate to another Horizon FLEX server, or if your embedded certificate is about to expire, you can add an updated certificate from the Horizon FLEX server. The following steps detail how to update the embedded certificate.

Note: When you add a certificate to the Horizon FLEX Administrator console UI, the console passes the certificates to the endpoint on the next policy update. If there is a problem with a certificate, the restricted VM ceases to get policy updates. For this reason, administrators should always add to the list of certificates, not replace the list.


1. From the Horizon FLEX Administrator console, click the General System Settings icon, which is the gear icon on the far right in the title bar.
2. Select Certificates.
3. Click Import to import the updated embedded certificate.

Figure 4: Steps to Update an Embedded Certificate


Troubleshooting Certificate Issues

To check for certificate errors on the endpoint, review the vmware.log file for the restricted VM and search for the Horizon FLEX server address. You should see connection entries, and any certificate errors if they exist.

Note: To locate the restricted VM’s vmware.log file, see the VMware Knowledge Base article Locating a hosted virtual machine’s files (1003880).

Figure 5: Certificate Errors in vmware.log

If the log indicates a certificate error, follow these steps on the Horizon FLEX server:

1. In IIS, verify that the server has a valid or self-signed certificate under Server Certificates:
   a. In the Windows Start menu, select Administrative Tools > Internet Information Services (IIS) Manager.
   b. In the Connections pane, select the Horizon FLEX server host name.
   c. At the bottom of the window, click Features View, double-click Server Certificates. You should see one or more certificates listed.
   d. Double-click the certificate to verify details.
2. In IIS, verify that the Horizon FLEX Administrator console Web site is using the certificate binding:
   a. In the Windows Start menu, select Administrative Tools > Internet Information Services (IIS) Manager.
   b. In the Connections pane, navigate to the Horizon FLEX server host name and Sites. Select the site you want to secure with the SSL certificate listed in step 1.
   c. In the Actions menu, under Edit Site, click Bindings.
   d. In the Site Bindings window, select any entry with the Type https, and click Edit to verify the settings. You should see the SSL certificate in the SSL certificate field.


3. Verify there is no certificate in the Horizon FLEX Administrator console:
   a. From the Horizon FLEX Administrator console, click the General System Settings icon, which is the gear icon on the far right in the title bar.
   b. Select Certificates. This field should be empty. This feature should be used only for migration or advanced configurations.

Delivering the Horizon FLEX Client to End Users

To access the restricted VM, the user must install a Horizon FLEX client. This client can be Fusion Pro or Workstation Player. The end user starts the Horizon FLEX client to connect to the Horizon FLEX server and download a restricted VM.

Important: Both Fusion Pro and Workstation Pro can be used to change security policies on a restricted VM if the VM’s encryption and restrictions password is known. To ensure security, do not give this password to end users.

Administrators can mass-deploy Horizon FLEX clients to macOS or Windows endpoints with standard package deployment tools, such as
• Microsoft System Center 2012 R2 Configuration Manager (SCCM) (for Windows)
• Apple Remote Desktop (for Macs)
• Casper Suite from JAMF Software (for Macs)

Note: You can include restricted VMs along with Horizon FLEX clients as part of a deployment package.

For delivery of the Fusion Pro-based Horizon FLEX client, see the VMware Knowledge Base article Creating a VMware Fusion mass deployment package (2058680).

For delivery of the Workstation Player-based Horizon FLEX client, use

VMware-player-x.x.x-xxxxxx.exe /s /v EULAS_AGREED=1 SERIALNUMBER="xxxxx-xxxxx-xxxxx-xxxxx-xxxxx"

Note: Replace VMware-player-x.x.x-xxxxxx.exe with the name of the latest Workstation Player installer file, and replace xxxxx-xxxxx-xxxxx-xxxxx-xxxxx with a volume license key.

Supported Host Operating Systems for Horizon FLEX Clients

Users can run the Horizon FLEX client and access their restricted VM from the following 64-bit host operating systems:
• Windows 7, Windows 8.1, Windows 10
• Mac OS X 10.9, Mac OS X 10.10, Mac OS X 10.11

Note: Horizon FLEX clients are not supported on 32-bit host operating systems.

To ensure the best performance, use the latest available version of the Horizon FLEX client.


Creation and Management of Restricted Virtual Machines

Horizon FLEX allows administrators to create, manage, and maintain restricted VMs. Instructions for the creation and management of restricted VMs follow.

Creation of Restricted Virtual Machines

Administrators create restricted Windows VMs using Fusion Pro or Workstation Pro. The VMs created by either Fusion Pro or Workstation Pro will work with both macOS and Windows endpoints. The administrator prepares a restricted VM for the user, as outlined in Figure 6.

[Figure 6: Administrator Workflow to Create a Restricted VM. The diagram shows the following administrator steps:
1. Creates and configures a virtual machine with Fusion Pro (or Workstation Pro) according to corporate specifications.
2. Encrypts and restricts the virtual machine. This includes applying any policies via the Horizon FLEX server.
3. Specifies the download location (URL) for the virtual machine. (This does not have to be on the Horizon FLEX server.)
4. Registers the virtual machine as a source virtual machine with the Horizon FLEX server. The Horizon FLEX server adds an entry to the Source VMs database (Source VM: Win7 VM; Download Location: /Win7.zip).
5. Entitles the source virtual machine to users or groups. The Horizon FLEX server adds an entry to the Entitlements database (Source VM: Win7 VM; User: jdoe; Restrictions: Expiration: 12/15/2017).]


As shown in Figure 6, the administrator creates, configures, encrypts, and restricts the VM. Then the administrator specifies the download location of the VM and registers it as a source VM with the Horizon FLEX server. The source VM is then entitled to the user or group who will use it.

Note: If the server address is incorrect, the VM fails to get a policy and does not boot. The Horizon FLEX server address in the source VM must end with the listening port (:7443 by default).

Supported Guest Operating Systems for Horizon FLEX

Following is a list of supported operating systems for Horizon FLEX VMs.
• Windows XP, Windows 7, Windows 8.x, Windows 10
• Ubuntu 14.04 and 15.10

Notes
• Both 32-bit and 64-bit versions of these operating systems are supported.
• If a guest OS is unsupported, Horizon FLEX does not block its installation, but its ability to be managed by Horizon FLEX is unpredictable.

Installing the Mirage Client on the Restricted VM

You can also use Mirage to manage Mirage-specific features of restricted VMs. To enable these Mirage features, you need to install the Mirage client.

To install the Mirage client, see Installing the Mirage Client in the VMware Mirage Installation Guide.

Management and Update of Restricted Virtual Machines

Horizon FLEX distributes the virtual machine and manages policies but does not interact with content inside of the VM. Administrators can use Mirage to take care of all management and updating of the VMs. Alternatively, you can manage Horizon FLEX VMs with other image management tools, such as SCCM. To learn more about managing and updating VMs with Mirage, read the Image Management Overview in the VMware Mirage Administrator’s Guide.

Delivering Horizon FLEX Restricted Virtual Machines to End Users

After you plan the virtual machine deployment and create and configure your virtual machines, users must download the restricted VMs, and then access the desktops locally.

In order for users to easily download the VMs, administrators must compress the source VM package into TAR format. To learn more about compressing the VM package, read Compress a Source Virtual Machine Package in the Horizon FLEX Administration Guide.

A Horizon FLEX virtual machine can be deployed in a number of different ways:
• An administrator can create a uniform resource identifier (URI) for each end user and email it to them.
• Users can use an administrator-provided USB drive and drag the server information to the host machine. This will copy the VM file from the USB drive to the local machine, where the user can launch the VM and register it with the Horizon FLEX server.
• Users can launch the client, connect to the Horizon FLEX server, find the VM file, and download it manually.

These are alternative methods by which VMs can be deployed. To learn more about deploying VMs, read Creating and Deploying Horizon FLEX Virtual Machines in the Horizon FLEX Administration Guide.


End-User Download of the Restricted Virtual Machines

End users download and access restricted VMs from the Horizon FLEX server, as illustrated in Figure 7.

[Figure 7: User Workflow for Downloading a Restricted VM from the Horizon FLEX Server. The diagram shows the following user steps and the server's response to each:
1. Launches the Horizon FLEX client and connects to the Horizon FLEX server (Connect to Server dialog with Server URL: .vmware.com, Username: jdoe, Password: ••••). Horizon FLEX server authenticates user. Horizon FLEX server validates user credentials.
2. Sees list of entitled VMs (VMs for John Doe). Horizon FLEX server delivers a list of entitled VMs.
3. Downloads a VM (Preparing Windows 7). Horizon FLEX server registers the instance.
4. Powers on the VM (Windows 7). Horizon FLEX server delivers initial policy settings.]


For the URI method of downloading the restricted VM, the administrator emails the URI to the end user, and the end user clicks the link in the email to start the Horizon FLEX client. The server connection dialog box opens, the Horizon FLEX server validates the user’s credentials, and a list of all restricted VMs entitled to that user is displayed. The end user selects and downloads a virtual machine to their physical machine. When they launch the VM, they enter the general decryption password provided by the administrator. The client registers the VM with the Horizon FLEX server. When the user powers on the VM, the Horizon FLEX server delivers the initial policy settings for the VM. For additional information about downloading a restricted VM, read the Horizon FLEX Client User Guide.

There are some useful tips to keep in mind:
• When the end user is authenticating to the Horizon FLEX server, the server name must end with the listening port and cannot include the URL (for example, server.cme.com:7443).
• When the end user is downloading a restricted VM, if they cannot start the download they should try using HTTP instead of HTTPS.
• When the end user is downloading a restricted VM, if they still cannot download it the administrator should try moving the VM to another file server, or place the VM on the IIS default Web site.

End-User Access to Updates of Virtual Machines

You can update the contents of a restricted virtual machine through Mirage or through the image management tool of your choice. To completely replace a restricted VM, create a new restricted VM in Fusion Pro or Workstation Pro and distribute it as usual to end users.

In the case of disaster recovery, you can use Mirage to facilitate the process. First, deploy a new restricted VM from Fusion Pro or Workstation Pro. Then, restore a backup of the original VM to the new VM.

For more information about using Mirage for image management and disaster recovery, see the VMware Mirage Administrator’s Guide.

Horizon FLEX Log File Locations

You can use the Horizon FLEX log files for troubleshooting. Details of Horizon FLEX log file locations follow.
• The Web App log file is located on the Horizon FLEX server at C:\ProgramData\Wanova Mirage\rvm\logs\webapp.log
• The Horizon FLEX server logs are located on the Horizon FLEX server at C:\Program Files\Wanova\Mirage Server\logs

The most important log file is mgmtservice.log.

The following VMware Knowledge Base articles provide information on collecting log files from Fusion Pro, Workstation Player, and Workstation Pro.
• Collecting diagnostic information for VMware Fusion (1003894)
• Collecting diagnostic information for VMware Player and VMware Workstation Player (2104004)
• Collecting diagnostic information for VMware Workstation (1346)


Horizon FLEX Frequently Asked Questions

Following is a list of frequently asked questions.

Q. Do I need to use Mirage for Horizon FLEX instead of my existing image management tools like SCCM?
A. Use the Horizon FLEX server to deploy and manage your Horizon FLEX VMs. You have the option of using either Mirage or your existing tools for image management. If you would prefer using your own image management tools such as SCCM or Altiris, Horizon FLEX is compatible with these.

Q. How is Horizon FLEX different from VMware Horizon 7 or VMware Horizon Air?
A. VMware Horizon 7 and Horizon Air desktops run in your data center, while Horizon FLEX runs locally on your end users’ computers. Horizon FLEX complements Horizon 7 and Horizon Air desktop setups by giving employees access to a Windows virtual desktop that they can use when offline or disconnected from the network. Users demanding Macs, contractors bringing their own laptops, and employees on the road who want to be productive while offline are better served with Horizon FLEX.

Q. How does Horizon FLEX compare to the Local Mode feature in View?
A. Horizon FLEX has some key differences when compared to View Client with Local Mode. In a Horizon FLEX deployment:
• Desktops do not need to be checked out and checked back in by end users because desktops reside locally on the laptop, resulting in better usability.
• When Horizon FLEX is used with the full capabilities of Mirage, user documents and data sync back to the Mirage server.
• The full VMware vSphere® and View technology stack is not required to provide desktops to end users.
• Both macOS and Windows endpoints are permitted.
• You can limit data flow between the host and VM with policies.

Q. Can I use Horizon FLEX if I do not have Horizon 7 or vSphere?
A. Yes, Horizon 7 and VMware vSphere are not required to use Horizon FLEX.

Q. Can users be productive even when disconnected from the network?
A. Yes. Because Horizon FLEX VMs are stored locally on the users’ Macs or PCs, users can be productive even when disconnected from the network.

Q. Is Horizon FLEX a Type-1 or Type-2 solution?
A. Horizon FLEX clients are Type-2 solutions that run on top of a host operating system (macOS or Windows).


Summary

This document
• Introduced some key Horizon FLEX concepts
• Listed the requirements for a Horizon FLEX environment
• Presented an example of a Horizon FLEX deployment that ensures security and function
• Described how to generate and embed self-signed certificates
• Gave an overview of the Horizon FLEX clients and the creation and delivery of restricted VMs
• Provided information about log file locations and some frequently asked questions

Authors and Contributors

The following authors co-wrote this paper:
• Debra Perrin Coltoff, Technical Writer in the End-User-Computing Technical-Marketing Center of Excellence, VMware
• Kristina De Nike, Product Line Manager, End-User Computing, VMware
• Chris White, End-User-Computing Architect, End-User-Computing Technical-Marketing Center of Excellence, VMware
• Jason Bassford, Technical Marketing Manager in the End-User-Computing Technical-Marketing Center of Excellence, VMware
• Gina Daly, Technical Writer in the End-User-Computing Technical-Marketing Center of Excellence, VMware

Many thanks for contributions of content from
• Stéphane Asselin, Senior End-User-Computing Architect, End-User-Computing Technical-Marketing Center of Excellence, VMware
• Chris Halstead, End-User-Computing Architect, End-User-Computing Technical-Marketing Center of Excellence, VMware
• Maor Kuriel, Product Specialist, VMware
• Yaniv Weinberg, R&D Manager, VMware

And for contributing contents of the diagram from the Deployment and Design Considerations for VMware Mirage white paper, a special thanks to
• Alexander West, Technical Writer, formerly with VMware
• Judy Wu, Senior Solution Engineer, Enterprise Desktop, VMware

To comment on this paper, contact the VMware End-User-Computing Technical-Marketing Center of Excellence team at [email protected].


Additional Resources

For more information, see the following resources.
• VMware Horizon FLEX product Web page
• VMware Horizon FLEX product documentation
• Install / Configure VMware Horizon FLEX (blog post)
• Introducing Flexible Desktop Management for the Mobile User with VMware Horizon FLEX (HOL-MBL-1655) (VMware Hands-On Lab)

VMware, Inc. 3401 Hillview Avenue Palo Alto CA 94304 USA Tel 877-486-9273 Fax 650-427-5001 www.vmware.com
Copyright © 2016 VMware, Inc. All rights reserved. This product is protected by U.S. and international copyright and intellectual property laws. VMware products are covered by one or more patents listed at http://www.vmware.com/go/patents. VMware is a registered trademark or trademark of VMware, Inc. in the United States and/or other jurisdictions. All other marks and names mentioned herein may be trademarks of their respective companies. Item No: VMW-TWP-HORIZFLEXDEPCONSID-USLTR-20160831-WEB 8/16