Hey Guys,
I have to size a new VDI environment and I'm not sure how to configure this.
If I install two Unified Access Gateways in our DMZ,
is it still necessary to configure two Horizon View Connection Servers for external use and two for internal?
I want to work with UEM profiles (I think it's better than Windows roaming profiles for keeping our user profiles smaller). How can I make this HA? Are there any best practice guides for this?
What I would do:
2 Unified Access Gateways in our DMZ with a load balancer in front
2 View Connection Servers in our LAN with a load balancer in front
2 App Volumes servers with a SQL cluster in our LAN with a load balancer in front
UEM profiles: unclear
Thanks for your help!
Regards
UEM profiles are stored on a file share. I highly recommend it over roaming profiles. You just need to make your file shares highly available. For Windows, you can set up WSFC to provide the shares or use some type of NAS device.
Your "what I would do" is a great way to make your environment HA. That is how I deploy environments, with everything having a load balancer in front of it. It's recommended to forward all traffic (internal and external) to your UAGs. They can handle the load, thus only having two CS internally.
Without knowing much about your environment, if you are trying to span two data centers, you should look at using a Pod architecture.
For best practices:
http://blogs.vmware.com/euc/2018/06/workspace-one-on-premises-reference-architecture.html
Thanks for your answer.
Sorry, I forgot an important thing.
I want to implement 2FA with SMS Passcode for external access.
As far as I know, I have to activate 2FA on our View Connection Servers, so I have to configure 4 Connection Servers, because I don't want 2FA for internal use.
If it's recommended to forward internal traffic to our UAGs too, do I have to configure 4 UAGs?
2 UAGs with a load balancer in front which points to the 2 Connection Servers where 2FA is activated.
2 UAGs with a load balancer in front which points to the 2 Connection Servers for internal access?
Regards, Daniel
MFA does change things up a bit.
If you're not worried about the extra layer of security, then I would send internal traffic to the load-balanced connection servers. You can configure RADIUS settings (or whatever you use) on the UAG and have external users going through that.
Another architecture design that I use for my large deployment is to use Workspace to provide MFA and front Horizon. It's more complex but better for larger environments. It has network policies that allow you to forward to different IdPs based on IP range. For Horizon login, we enable True SSO for seamless integration.
So no matter whether I configure my environment with Workspace or with UAGs for external and internal access, do I have to use 2 View Connection Servers with MFA and 2 without MFA?
UAG will handle the MFA so you only need two connection servers.
OK - Thanks a lot for your help!
There is one instance where you may want to have another set of connection servers: that's if you want to separate desktop pools that are available internally from ones that are available externally. If that seems like something you may want to do, you would need to have a pair of connection servers for the external connections as well. They can be replicas, but you can use the connection server tagging feature to label them as external connection servers. It's a requirement I had with our environment: we didn't want to have some desktop pools available anywhere, and we didn't want to use Workspace yet.
This is the reason we have a pair of internal and a pair of external connection servers. Keep this in mind.
Sorry for the late response.
Is VMware Identity Manager not a better option for those scenarios?
I think it depends on your environment and needs. We already have an identity management/MFA platform that is managed by different teams, so I'm just a consumer. If we didn't already have something in place and I was going to have to deploy/manage it, I would look at VMware Identity Manager (vIDM).