Enabling Remote Access to Physical Machines

With the recent onset of the Covid-19 pandemic, many people are being asked by their companies to work from home as much as possible to minimize the risk of spreading or contracting the disease, which may pose significant logistical issues for some employees.

For instance, in a recent discussion I had with a coworker, he mentioned that his partner, who uses a specialized workstation that is not easy to transport back and forth between their home office and workplace, was having an issue figuring out how to best make that work-from-home situation viable. While my initial reaction was to suggest that his partner look into VMware Horizon as a solution, my coworker reminded me that this was a physical system with an NVMe drive and other specialized hardware—not a virtual machine. Fortunately, though, VMware Horizon supports the Horizon agent running on physical machines as well as virtual machines.

In this article, I will discuss the advantages of using Horizon with physical systems, provide an overview of how to add a physical machine to a Horizon environment, show you how to monitor a physical machine with ControlUp, and then give my overall final thoughts on using physical machines with Horizon.

Advantages of Using VMware Horizon with Physical Systems

I have talked to many folks without in-depth VDI knowledge who don’t see the need to use Horizon when connecting to a physical system in their workplace. In fact, I have even known those folks to simply RDP into their work systems from home; however, this is an insecure and non-scalable solution, and many of the advantages of using Horizon to connect to virtual machines from remote locations extend to using it with physical machines.

The most obvious advantage of using Horizon with physical machines is the flexibility that the connection server gives and the security that the VMware Unified Access Gateway (UAG) provides. By using a connection server, you can specify which end-users are allowed to use the system; since many expensive physical workstations are not needed by a single end-user, they can be shared by other end-users, thereby spreading the cost of the system over many end-users.

Whereas the connection server provides entitlement for end-users to the system, the UAG provides security to the system. The UAG also provides edge services and access to resources that reside in the internal network. This allows authorized external end-users to securely access internally-located resources. UAG is usually deployed in the DMZ and has FIPS and Common Criteria certification. It also offers many authentication options, including smart card, certificates, SAML pass-through, RADIUS, and RSA SecurID.

Furthermore, the UAG’s architecture keeps unauthenticated traffic in the DMZ; traffic is allowed through to the internal network and the physical machine only after being successfully authenticated.

Once a user authenticates through the UAG and connection server and is associated with the physical machine, a connection is made directly from the physical machine, through the UAG, to the VDI client the user is using.

Adding a Physical Machine to a Horizon Environment

Before looking at using Horizon with physical machines, you should first check to see if the OS that is running on the physical machine is in fact supported.

Additionally, the physical machine to be added to Horizon must be a member of the domain and the Horizon Agent must be installed on it. When installing the agent, you will not see the option to enable the instant or linked clone feature, but you will be presented with a panel to enter the IP address or hostname of the connection server. After the agent is installed, you will need to reboot the physical machine.

From the Horizon Client, create a manual desktop pool by selecting Other source as the Machine Source.

When adding the machines, if you see an “Agent Unreachable” message in the state field as shown immediately below, refer to VMware KB 2001870, which will walk you through issue resolution.

After adding the machine to the manual desktop pool, you will be able to see the physical system under Machines -> Others.

At this point, you can confirm that the machine has been added by logging in to the physical system remotely using a VDI client.

If you get a message indicating that the end-user doesn’t have the right to sign in through remote desktop services, you will need to add the right manually.

To correct this issue, log on to the physical machine as a user with administrator rights. Then, from the settings menu, go to System -> Remote Desktop, and click Select users that can remotely access this PC. Next, add the groups and users that are entitled to access the physical machine.
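
The same grant can be scripted from an elevated PowerShell session on the physical machine, which also lets you audit who already holds the right. This is an added example, not part of the original article; the group name EXAMPLE\Horizon-Workstation-Users is a placeholder for your own domain group.

```powershell
#Requires -RunAsAdministrator
# Added example: grant and audit Remote Desktop sign-in rights on the physical machine.
param(
    # Hypothetical domain group holding the users entitled to this workstation.
    [string]$EntitledGroup = 'EXAMPLE\Horizon-Workstation-Users'
)

# Built-in "Remote Desktop Users" group, addressed by its well-known SID so the
# script also works on non-English Windows installs.
$rdpGroupSid = [System.Security.Principal.SecurityIdentifier]'S-1-5-32-555'

# Prerequisite from the article: the machine must be a domain member.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if (-not $cs.PartOfDomain) {
    throw "$($cs.Name) is not domain-joined; join it before adding it to Horizon."
}

# Add the entitled group only if it is not already a member.
$members = @(Get-LocalGroupMember -SID $rdpGroupSid)
if ($members.Name -notcontains $EntitledGroup) {
    Add-LocalGroupMember -SID $rdpGroupSid -Member $EntitledGroup
    $members = @(Get-LocalGroupMember -SID $rdpGroupSid)
}

# Flag principals that grant remote sign-in far more widely than intended:
# Everyone (S-1-1-0), Authenticated Users (S-1-5-11), Domain Users (RID 513).
$tooBroad = $members | Where-Object {
    ($_.SID.Value -in 'S-1-1-0', 'S-1-5-11') -or
    ($_.SID.Value -match '^S-1-5-21-.*-513$')
}

# Show the resulting membership so it can be compared with the pool entitlement.
$members | Select-Object Name, ObjectClass, PrincipalSource | Format-Table -AutoSize
if ($tooBroad) {
    Write-Warning "Overly broad members: $(($tooBroad.Name) -join ', ')"
}
```

Granting the right to a single domain group rather than to individual accounts keeps the local group in step with the Horizon pool entitlement.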

VMware provides software that allows Windows, Mac, iOS, Linux, Chrome and Android devices to connect to a VMware Horizon desktop. End-users who want a dedicated hardware VDI client can choose from a wide range of devices, from VDI clients as small as a pack of playing cards to laptops. Some devices support a single monitor while others support six monitors. These devices range in price from under $100 to over $1,000.

Monitor the Physical Machine with ControlUp

One of the downsides of using physical machines rather than virtual machines is that you can’t closely monitor them using vSphere performance monitor. You will be able to see basic information from the Horizon Console, but not any in-depth metrics.

Although Horizon Help Desk can give a few more details than the Horizon Console, it does not keep metrics for trending purposes, and requires you to view each desktop independently. So what can you do to monitor and manage physical desktops more holistically?

ControlUp can manage physical machines as easily and completely as it manages virtual machines. ControlUp also allows you to shadow sessions when troubleshooting, edit registries, add and remove files, and perform many of the other day-to-day management tasks that EUC admins are responsible for.

Adding a physical desktop to the ControlUp Console is easy: click Add Machine in the ribbon bar, select the machine, click Add, and then click Ok.

You can then right-click the physical system and select Connect.

You will then be able to monitor the overall health of the physical machine as well as dive into discrete metrics.

An example of ControlUp’s power in monitoring and managing a physical system is in its ability to dive into any process that is running.

For instance, in the screenshot below of the Processes view, you can see that the View agent processes (VMBlast, wsnm_jms) are running on this system and that they have minimal impact on resource usage.

Final Thoughts

Many people think of Horizon as just a tool to connect to virtual desktops and don’t realize that it can also be used to connect to physical machines. This feature has some interesting implications: it allows you to set up a remote “work-from-home” environment very quickly, and in doing so you won’t need to procure the infrastructure to support virtual desktops. The only additional resources that you will need are a server or two for the connection server and the UAG, but those resources will be minimal: the Horizon 7 Architecture Planning VMware Horizon 7.7.11 document states that one connection server can support 2,000 physical systems.

As a final note of caution, this article is just a brief overview of how to use Horizon with physical systems. Fully implementing a complex solution such as Horizon requires careful consideration and planning. But in times like these, it’s good to have a fallback position that doesn’t necessarily require significant hardware and time investment.

Tom Fenton

Tom Fenton is a Technical Marketing manager here at ControlUp (in addition to an all-around great guy). He’s THE subject matter expert for Edge DX, our physical endpoint monitoring solution, as well as an expert in all things VMware (FACT: he used to work at VMware, teaching their employees about their technology). He creates valuable, educational content for the ControlUp blog, leads deep-dive webinars, and educates our sales teams and other IT professionals with tips and tricks about how to use ControlUp solutions. In his spare time, he writes for StorageReview.com and Virtualization Review magazine, and enjoys outdoor sports in the Pacific Northwest. Connect with him on Twitter @vDoppler.