TECHNICAL WHITE PAPER DECEMBER 2017 VMWARE HORIZON CLOUD SERVICE ON MICROSOFT AZURE SECURITY CONSIDERATIONS. White Paper

Similar documents
A: SETTING UP VMware Horizon

ARCHITECTURAL OVERVIEW REVISED 6 NOVEMBER 2018

VMware Horizon Cloud Service on Microsoft Azure Administration Guide

VMWARE HORIZON CLOUD WITH VMWARE IDENTITY MANAGER QUICK START GUIDE WHITE PAPER MARCH 2018

VMware Horizon Cloud Service on Microsoft Azure Administration Guide

Service Description VMware Horizon Cloud Service on Microsoft Azure

EXPLORING MONITORING AND ANALYTICS VMware Horizon

Installing and Configuring VMware Identity Manager Connector (Windows) OCT 2018 VMware Identity Manager VMware Identity Manager 3.

NETWORKING AND ACTIVE DIRECTORY CONSIDERATIONS ON MICROSOFT AZURE FOR USE WITH VMWARE HORIZON CLOUD SERVICE. VMware Horizon Cloud Service

Deploying VMware Identity Manager in the DMZ. SEPT 2018 VMware Identity Manager 3.3

Service Description VMware Horizon Cloud Service on Microsoft Azure

Deploying VMware Identity Manager in the DMZ. JULY 2018 VMware Identity Manager 3.2

REVISED 6 NOVEMBER 2018 COMPONENT DESIGN: VMWARE IDENTITY MANAGER ARCHITECTURE

Cloud Pod Architecture with VMware Horizon 6.1

Integrating VMware Horizon Workspace and VMware Horizon View TECHNICAL WHITE PAPER

Getting Started with VMware Horizon Cloud Service on Microsoft Azure

VMware vrealize Operations for Horizon Administration

VMware Identity Manager Cloud Deployment. DEC 2017 VMware AirWatch 9.2 VMware Identity Manager

VMware Identity Manager Cloud Deployment. Modified on 01 OCT 2017 VMware Identity Manager

VMware Identity Manager Connector Installation and Configuration (Legacy Mode)

VMware vrealize Operations for Horizon Administration

VMWARE HORIZON CLOUD SERVICE HOSTED INFRASTRUCTURE ONBOARDING SERVICE SILVER

Horizon Air 16.6 Release Notes. This document describes changes to Horizon Air for version 16.6

Horizon Cloud with On-Premises Infrastructure Administration Guide. VMware Horizon Cloud Service Horizon Cloud with On-Premises Infrastructure 1.

VMware Horizon Migration Tool User Guide

VMware vrealize Operations for Horizon Administration. Modified on 3 JUL 2018 VMware vrealize Operations for Horizon 6.4

Horizon DaaS Platform 6.1 Release Notes. This document describes changes to the Horizon DaaS Platform for Version 6.1.

MANAGING ANDROID DEVICES: VMWARE WORKSPACE ONE OPERATIONAL TUTORIAL VMware Workspace ONE

PRINTED 13 APRIL 2018 NETWORK PORTS IN VMWARE HORIZON 7

Horizon Workspace Administrator's Guide

VMware vrealize Operations for Horizon Administration. 20 SEP 2018 VMware vrealize Operations for Horizon 6.6

VMware vrealize Operations for Horizon Administration

Horizon DaaS Platform 6.1 Service Provider Installation - vcloud

INSTALLATION AND SETUP VMware Workspace ONE

TECHNICAL WHITE PAPER AUGUST 2017 REVIEWER S GUIDE FOR VIEW IN VMWARE HORIZON 7: INSTALLATION AND CONFIGURATION. VMware Horizon 7 version 7.

Administration. VMware Horizon Cloud Service. Horizon Cloud with Hosted Infrastructure 18.1

REVISED 6 NOVEMBER 2018 COMPONENT DESIGN: UNIFIED ACCESS GATEWAY ARCHITECTURE

CONFIGURING BASIC MACOS MANAGEMENT: VMWARE WORKSPACE ONE OPERATIONAL TUTORIAL VMware Workspace ONE

HySecure Quick Start Guide. HySecure 5.0

Guide to Deploying VMware Workspace ONE with VMware Identity Manager. SEP 2018 VMware Workspace ONE

Guide to Deploying VMware Workspace ONE. VMware Identity Manager VMware AirWatch 9.1

Administration. VMware Horizon Cloud Service. Horizon Cloud with Hosted Infrastructure 17.2

INTEGRATING OKTA: VMWARE WORKSPACE ONE OPERATIONAL TUTORIAL VMware Workspace ONE

Horizon Console Administration. 13 DEC 2018 VMware Horizon 7 7.7

Deploying VMware Workspace ONE Intelligent Hub. October 2018 VMware Workspace ONE

VMware Identity Manager Administration. MAY 2018 VMware Identity Manager 3.2

All you need to know about Horizon Cloud on Azure. Dennis Sigmond

VMWARE HORIZON 7. End-User Computing Today. Horizon 7: Delivering Desktops and Applications as a Service

Guide to Deploying VMware Workspace ONE. DEC 2017 VMware AirWatch 9.2 VMware Identity Manager 3.1

271 Waverley Oaks Rd. Telephone: Suite 206 Waltham, MA USA

Service Description VMware Workspace ONE

REVIEWERS GUIDE NOVEMBER 2017 REVIEWER S GUIDE FOR CLOUD-BASED VMWARE WORKSPACE ONE: MOBILE SINGLE SIGN-ON. VMware Workspace ONE

Configuring Single Sign-on from the VMware Identity Manager Service to Marketo

VMware AirWatch Content Gateway for Linux. VMware Workspace ONE UEM 1811 Unified Access Gateway

VMware AirWatch Content Gateway for Windows. VMware Workspace ONE UEM 1811 Unified Access Gateway

VMware Workspace ONE Quick Configuration Guide. VMware AirWatch 9.1

VMware Identity Manager Administration

Integrating AirWatch and VMware Identity Manager

VMware vcloud Air User's Guide

Setting Up Resources in VMware Identity Manager (On Premises) Modified on 30 AUG 2017 VMware AirWatch 9.1.1

XenApp 7.x on Oracle Cloud Infrastructure

Horizon DaaS Platform 6.1 Patch 3

Setting Up Resources in VMware Identity Manager (SaaS) Modified 15 SEP 2017 VMware Identity Manager

vcloud Director Administrator's Guide

Administering Cloud Pod Architecture in Horizon 7. Modified on 26 JUL 2017 VMware Horizon 7 7.2

Administering View Cloud Pod Architecture. VMware Horizon 7 7.0

Administering Cloud Pod Architecture in Horizon 7. Modified on 4 JAN 2018 VMware Horizon 7 7.4

Getting Started Guide. VMware NSX Cloud services

Advanced Architecture Design for Cloud-Based Disaster Recovery WHITE PAPER

vcenter Operations Manager for Horizon View Administration

Setting Up Resources in VMware Identity Manager 3.1 (On Premises) Modified JUL 2018 VMware Identity Manager 3.1

Service Description VMware NSX Cloud

Monitoring Hybrid Cloud Applications in VMware vcloud Air

VMware AirWatch Content Gateway Guide for Linux For Linux

Implementing Microsoft Azure Infrastructure Solutions

Configuring Single Sign-on from the VMware Identity Manager Service to Exterro E-Discovery

VMware Horizon Workspace Security Features WHITE PAPER

vrealize Orchestrator Load Balancing

USING PRODUCT PROVISIONING TO DELIVER FILES TO WINDOWS 10: VMWARE WORKSPACE ONE OPERATIONAL TUTORIAL VMware Workspace ONE

Setting Up Resources in VMware Identity Manager. VMware Identity Manager 2.8

Configuring Single Sign-on from the VMware Identity Manager Service to Trumba

Setting Up Resources in VMware Identity Manager

vcloud Automation Center Reference Architecture vcloud Automation Center 5.2

VMWARE VSPHERE FEATURE COMPARISON

VMware Identity Manager Administration

Migrating vrealize Automation 6.2 to 7.2

VMware Horizon Client for Chrome Installation and Setup Guide. 15 JUNE 2018 VMware Horizon Client for Chrome 4.8

Unified Access Gateway Double DMZ Deployment for Horizon. Technical Note 04 DEC 2018 Unified Access Gateway 3.4

Integrating VMware Workspace ONE with Okta. VMware Workspace ONE

Installing and Configuring VMware Identity Manager for Linux. Modified MAY 2018 VMware Identity Manager 3.2

Configuring Single Sign-on from the VMware Identity Manager Service to Vizru

VMware AirWatch Content Gateway Guide for Windows

VMware Enterprise Systems Connector Installation and Configuration. JULY 2018 VMware Identity Manager 3.2 VMware Identity Manager VMware AirWatch 9.

Workspace ONE UEM Notification Service. VMware Workspace ONE UEM 1811

Workspace ONE UEM Notification Service 2. VMware Workspace ONE UEM 1811

WHITE PAPER SEPTEMBER VMWARE vsphere AND vsphere WITH OPERATIONS MANAGEMENT. Licensing, Pricing and Packaging

Installing and Configuring VMware Identity Manager. DEC 2017 VMware AirWatch 9.2 VMware Identity Manager 3.1

VMware Skyline Collector Installation and Configuration Guide. VMware Skyline 1.4

VMware Notification Service v2.0 Installation and Configuration Guide Configure ENS2 for cloud and on-premises deployments

Cloud Operations for Oracle Cloud Machine ORACLE WHITE PAPER MARCH 2017

Transcription:

TECHNICAL WHITE PAPER DECEMBER 2017 VMWARE HORIZON CLOUD SERVICE ON MICROSOFT AZURE SECURITY CONSIDERATIONS White Paper

Table of Contents Executive Summary... 3 Audience.... 3 Introduction.... 3 Architecture.... 4 Architecture Components....5 Multi-Tenant Service....6 Component Ownership.... 7 Deployment of the Horizon Cloud Node....8 Connectivity Between Horizon Cloud Control Plane and Microsoft Azure.... 8 Networking.... 9 Protocols and Ports.... 11 Data Storage and Access.... 12 Active Directory Domain Registration.... 15 Secure Credential Storage.... 15 Backup and Protection.... 15 Monitoring... 15 Metrics Collected by Horizon Cloud Monitoring Service... 16 Operational Access... 16 Conclusion.... 16 References.... 17 About the Authors.... 17 TECHNICAL WHITE PAPER 2

Executive Summary This white paper provides security details related to VMware Horizon Cloud Service on Microsoft Azure. The paper discusses the architecture of the service, the different components and their respective ownership, networking, and cloud connectivity. The document also describes the different types of data stored, including sensitive and personally identifiable information (PII), and the access available. Audience The information in this document is intended for experienced data center IT administrators with knowledge of Microsoft Azure, virtualization technology, and networking. Introduction Horizon Cloud on Microsoft Azure is a software service from VMware that enables the delivery and management of virtual desktops and applications on Microsoft Azure. Horizon Cloud on Microsoft Azure allows you to bring your own existing Microsoft Azure infrastructure capacity and pair it with the Horizon Cloud service. Built from the ground up as a cloud-native, multi-tenant solution, Horizon Cloud on Microsoft Azure combines the benefit of consuming desktop and application virtualization as an always up-to-date, software-as-a-service from VMware with the consumption-based infrastructure pricing and extensive global footprint of Microsoft Azure. TECHNICAL WHITE PAPER 3

Architecture The Horizon Cloud service is delivered via a control plane that VMware hosts and maintains in the cloud. The control plane enables the central orchestration and management of remote desktops and applications in your Microsoft Azure capacity. The cloud control plane also hosts a common management user interface referred to as the Horizon Cloud Administration Console. Horizon Cloud allows you to connect your Microsoft Azure infrastructure to the control plane and securely deliver virtual desktops and apps hosted in any of the globally located Microsoft Azure data centers. Figure 1: Horizon Cloud Service on Microsoft Azure TECHNICAL WHITE PAPER 4

Architecture Components The key components of Horizon Cloud Service are the Horizon Cloud control plane and Horizon Cloud nodes: Horizon Cloud Control Plane The Horizon Cloud control plan enables the central orchestration, management, and monitoring of remote desktops and applications in your Microsoft Azure capacity. There are two instances of Horizon Cloud control plane one in the U.S. and one in EMEA (Germany), with other locations expected soon. These different control plane locations allow organizations to keep their data local to their geography of choice to meet compliance and data locality requirements, if necessary. When your organization subscribes to the Horizon Cloud service, a subscription account is created and mastered in the Horizon Cloud control plane in the U.S. Outside of the initial account creation and management, an organization is always paired to only one of the control plane instances. For example, in Figure 2 below, Organization 1 is paired with the control plane U.S. instance, and Organization 3 is paired with the control plane in EMEA. In other words, an account cannot be paired with multiple control plane instances. Any data for an organization is maintained solely within the control plane region selected for that account, including logs of the service. Organizations can choose the control plane location to pair with. Typically, this decision is governed by the need for data locality and sovereignty. Horizon Cloud Node(s) Every organization that subscribes to the Horizon Cloud service may deploy one or more Horizon Cloud nodes. A node is a logical construct that defines a unit of Microsoft Azure infrastructure capacity that the Horizon Cloud service pairs with. You can select any Microsoft Azure data centers to deploy the node(s). There is no restriction on where a node is located with respect to the control plane location. In other words, while you may choose to pair with the Horizon Cloud control plane in EMEA, the connected nodes may be located in any Microsoft Azure data center globally. TECHNICAL WHITE PAPER 5

Multi-Tenant Service Horizon Cloud is a multi-tenant cloud service. A subscription to the service is a tenant of the service. An organization that subscribes to the service is a tenant. An organization is paired with only one Horizon Cloud control plane instance at any time. However, an organization can have multiple nodes spread globally across any of the Microsoft Azure data centers. Figure 2: Example Showing Organizations 1, 2, and 3 Subscribed to the Horizon Cloud Service TECHNICAL WHITE PAPER 6

Component Ownership When you subscribe to the Horizon Cloud service, you are responsible for providing the following items: Valid Microsoft Azure subscription You are responsible for completing the prerequisites as described in the VMware Horizon Cloud Service on Microsoft Azure requirements checklist. File storage (on premises or in Microsoft Azure) Active Directory Windows OS licenses Master image and applications to publish Optional VPN/MPLS connectivity to the on-premises corporate network VMware will provide: Horizon Cloud service delivered via the control plane Horizon Cloud Administration Console Secure connectivity between the control plane and Microsoft Azure Automatic pairing between the control plane and desired Microsoft Azure data center and subsequent deployment of node(s) in the Microsoft Azure data center Remote access for end users to virtual desktops and applications via VMware Unified Access Gateway VMware Workspace ONE portal for end-user access Service updates Support TECHNICAL WHITE PAPER 7

Deployment of the Horizon Cloud Node Once you specify your Microsoft Azure subscription details in the Horizon Cloud Administration Console, a Horizon Cloud node deployment service is automatically initiated via the control plane. A transient Linux VM is deployed in the Microsoft Azure subscription which initiates an outbound request to the control plane to orchestrate the download and deployment of the Horizon Cloud node within the provided Microsoft Azure subscription. The transient VM is then deleted. Figure 3 illustrates the internal components of the Horizon Cloud node. Figure 3: Horizon Cloud Node Deployment in Microsoft Azure Connectivity Between Horizon Cloud Control Plane and Microsoft Azure Each node maintains a management connection to the Horizon Cloud control plane. This connection is outbound from the node to the control plane. There is no requirement for a VPN connection. There is no requirement for inbound management connectivity to a node from the Internet. The control plane can use this connection to access the node, enabling: Configuration changes Live state queries Supportability requests, including interactive support, log fetching, and component health queries This management connection is protected using TLS and authenticated using strong, periodically rotated keys. The node makes outbound connections to the control plane over the Internet. These connections are protected by TLS to ensure the identity of the target service and protect the content of the communication. The node authenticates to the control plane using same string, periodically rotated keys. TECHNICAL WHITE PAPER 8

Networking Figure 4 illustrates the major components of a Horizon Cloud solution. Its shows how the components interact with the relevant networks, indicating the direction in which communication is initiated. IT Admin Control Plane External Users Internet Azure API DMZ Unified Access Gateway Management Node Manager Desktop RDSH Agent Node (in Azure) VPN Gateway To External Network Internal Users Figure 4: Horizon Cloud on Microsoft Azure Networking TECHNICAL WHITE PAPER 9

Cloud components The IT administrator using the service, external end users, control plane, and the Azure API are all on the Internet. The control plane accepts inbound requests from the IT administrator and the nodes and makes outbound calls to the Azure API. Horizon Cloud Node on Microsoft Azure The node uses three networks to connect components: DMZ Enables inbound traffic from the Internet to the Unified Access Gateway. Management An internal management network, allowing the Node Manager to control the Unified Access Gateway and providing an outbound Internet channel for connection to the control plane and the Azure API. There is no inbound networking connectivity to this network. Desktop Customer-controlled network for the RDSH and Node Manager (user-facing interface). On-premises corporate network Horizon Cloud service may optionally communicate to the on-premises, corporate network via a VPN, MPLS, or ExpressRoute connection. This connection may be required if the Active Directory and/or user data and applications are located on premises. Typically, internal end users connect to the node over this VPN. TECHNICAL WHITE PAPER 10

Protocols and Ports Figure 5 provides a schematic of the ports used between components. IT Admin External Users Control Plane Internet HTTPS (443) HTTPS (443) HTTPS/BLAST (443) BLAST (8443 UDP) PCOIP (4172 TCP/UDP) RDP (3389) Azure API HTTPS (443) DMZ HTTPS (443) Unified Access Gateway Management BLAST (22443 TCP/UDP) PCoIP (7172 TCP/UDP) RDP (3389) MMR (9427) USB (32111) HTTPS (443) Node Manager HTTPS (443) RDSH Agent JMS (4001, 4002) DaaS Agent (5678 UDP, 8443) Node (in Azure) DaaS Agent (Dynamic) VPN Gateway Desktop BLAST (22443 TCP/UDP) PCoIP (7172 TCP/UDP) RDP (3389) MMR (9427) USB (32111) To External Network Internal Users Figure 5: Ports and Protocols Used in Horizon Cloud on Microsoft Azure In the diagram, the grey lines indicate flows, annotated with the network ports used. Ports are all TCP, unless indicated. TECHNICAL WHITE PAPER 11

Data Storage and Access The Horizon Cloud service stores and handles different categories of data. Table 1 defines each category, indicating where the data is stored, who has access to it, and how this data might have personally identifiable information (PII) implications. The PII data is further divided into: Primary PII Data that identifies an individual, for example, username, client IP address Secondary PII Data that when combined with an identity could be considered sensitive or private, for example, login times, app launch information DATA TYPE WHAT WHERE WHO PII IMPLICATIONS End-user data Data created by end users, for example, files, user settings, and user installed applications. This is stored only in the RDSH and external services (for example, file servers) which you deploy and configure. You are responsible for the ownership, access and management of these file services and VMware has no access to this data. User data is not replicated, nor is it stored in the control plane. End users access this data from within their RDSH app and desktop sessions. You may have access to this data, depending on how you configure RDSH or external file services. VMware does not manage nor access this data. Because this data is authored by end users, it may contain PII data. You have full control of where this data is stored. TECHNICAL WHITE PAPER 12

DATA TYPE WHAT WHERE WHO PII IMPLICATIONS End-user usage data Data about the end users usage of the system, for example, login times, application and desktop launches, RDSH performance data, RDSH server hostname, and client IP address. This data is not collected if you disable the Horizon Cloud monitoring service (see Monitoring for more details). The data is normally stored for the life of your Horizon Cloud subscription and provides historical reporting and aggregated viewing of data. Once the monitoring service is enabled, you may further opt out of collecting user session information (Enable User Session Information = No) to reduce the long-term storage and anonymize the PII data as stored by the monitoring service. End-user usage data is maintained both in the nodes and in the control plane. Data is explicitly stored in the node for immediate and historic query. Data is implicitly logged in log files as part of the operation of the system. Data is explicitly stored in the control plane for immediate and historic query. Data is implicitly stored in the control plane as part of administrator notifications which may identify end users. This data is used by you to help manage your end user s experience. VMware may use this data to monitor the overall service and provide service support. The following PII data is stored unless the Horizon Cloud monitoring service is disabled. Primary PII User identity: name, username, user IDs (for example, AD SID) Client IP address Secondary PII Login times RDS Server hostname Application launches Both you and VMware can see both Primary and Secondary PII data. Opting in or out of Enable User Session Information determines how long the Primary PII data is stored. When disabled, this data is maintained to provide immediate service and support (for example, who is currently logged in?), but this data is not stored historically (for example, who logged in last week?). TECHNICAL WHITE PAPER 13

DATA TYPE WHAT WHERE WHO PII IMPLICATIONS Horizon Cloud subscription account definition Data about the definition of your service, for example, Active Directory configuration; node configuration; pool, farm, and app definitions; entitlements to services; and assignments to services. This includes storing usernames and credentials for integrated services like Active Directory and Microsoft Azure. See Secure Credential Storage for more information. This data is stored in both, the nodes and in the control plane. You own this data and manage it through the Administration Console. VMware can access this data to provide support and understand the service usage. The service itself can use the supplied credentials to operate. VMware operations and support staff are not given access to stored credentials. The following PII data is stored: Primary PII User/admin identity: name, username, user IDs (for example, AD SID). The main use of PII is to identify the entitlement of end users to services (VDI desktops, remote applications, AV applications, UEM policies), and the assignment of end users to resources (for example, linking an end user to a specific VDI desktop VM in a dedicated pool). In addition, IT administrators are identified and given rights within the system. IT administrator usage data Data about your usage of the system, for example, login times, and audit information tracking changes to service configuration and operations. This data is stored in both the nodes and in the control plane. You can see audit data. VMware can access this data to provide support and understand the service usage. The following PII data is stored: Primary PII Admin identity: name, username, user IDs (for example, AD SID). Audit and log data for system changes will identify the IT administrator who caused the change. Table 1: Data Categories TECHNICAL WHITE PAPER 14

Active Directory Domain Registration After you have successfully deployed your first node and it is successfully paired with Horizon Cloud, you log in to the Horizon Cloud Administrator Console to register an Active Directory domain, perform the domain join and bind, and assign the super administrator role to at least one of the groups in that domain. The node connects to the Active Directory domain controller on LDAP port 389 and global catalog on port 3268. LDAP connections are secured using GSSAPI/Kerberos. There are two types of Active Directory accounts required: Domain bind account Active Directory domain bind account (a standard user with read access) that has permission to read objects in AD. Both GSSAPI and NTLMSSP binds are used for these accounts. Domain join account Active Directory domain join account that has additional permissions to perform Sysprep operations and join computers to the domain, create new accounts, and more. Only GSSAPI binds are used for these accounts. Minimal information on Active Directory groups (and their descendant groups) is cached to entitle RDSH desktop and application assignments, URL redirection assignments, and more. When a user logs in, they are authenticated and authorized without using the cache to ensure that only the most recent data is used. Once logged in, entitlement checks are made against the cached data to ensure high performance. Secure Credential Storage The Horizon Cloud on Microsoft Azure service stores the following credentials for each Horizon Cloud subscription account: Active Directory domain bind username and password Active Directory domain join username and password File share username and password Azure subscription credentials The user credentials are protected with AES 128-bit encryption when stored in the cloud. These credentials are accessible by the Horizon Cloud service when performing operations on behalf of the account, or to distribute to components that need access. On the node, these credentials are stored encrypted with a per-node key. These credentials are accessible by the node service when performing operations on behalf of the organization. Backup and Protection The Horizon Cloud control plane stores data in a fully replicated cluster across multiple fault domains in the service s region. Furthermore, explicit offline backups of the data are taken and stored in-region. Monitoring The Horizon Cloud monitoring service enables collection of user session information for service utilization, trending, and historical analysis. The data is used in charts on the Dashboard page and in reports on the Reports page. The data collected is regarding the end users usage of the system, for example, login times, application and desktop launches, RDSH performance data, RDSH server hostname, client IP address, and user name. You can opt out of the monitoring service at any time. TECHNICAL WHITE PAPER 15

When the monitoring service is enabled, there are two modes of operation one, where collection of User Session Information is enabled and two, where it is disabled. You can use the Enable User Session Information toggle to enable or disable this mode at any time. When the Enable User Session Information is disabled (Enable User Session Information: No), the system will collect user session information for a limited period and will no longer store user identities for historical queries. Instead, the data is anonymized using hashing so that certain aggregated queries are still possible and to enable real-time administration, but individual users cannot be identified. In addition, the historical and aggregated viewing of that user information will be disabled. Thus, the reports that would display historical and aggregated viewing of that data, such as the Session History report, are not available. Note that even when Enable User Session Information is disabled, user-identifying data is stored for up to 24 hours to provide real-time support of the service. You can disable the monitoring service entirely if you do not want any of this data to be stored at all. Metrics Collected by Horizon Cloud Monitoring Service The data collected by the Horizon Cloud monitoring service is collected via two main channels: Desktop Agent on the Windows Server Monitoring Service on the Node The data collected can be summarized into the following categories: SUMMARY DESCRIPTION Collected from the Windows Servers by the Desktop Agent General Server CPU Server Memory Server Disk Server Network Interface RDS Session Service Status Client Firewall Tenant ID, Node ID, Client Version, Server Hostname, Device Type (Desktop/Server) Details such as interrupts/second, % of processor time spent in idle mode, user mode, etc. Details such as rate of read/write operations to disk, average time of a read from disk, etc. Details such as amount of physical memory, rate of pages read/write, rate of recovery of page faults Details such as the rate of packets received and sent, length of the output packet queue, ports opened, etc. Details such as time to load a profile, time to connect/disconnect, login/logout timestamp, duration of a connected session, number of handles currently opened for the session, etc. Status of various services like DaaS agent, firewall, VMware tools, Session Manager, etc. Horizon Client details like client ID, IP address, client protocol, client type, etc. Stats like protocol enabled (PCoIP/Blast), Remote Desktop enabled, etc. TECHNICAL WHITE PAPER 16

SUMMARY DESCRIPTION Collected from the Windows Servers by the Desktop Agent User Information (Hashed when User Session Information is disabled) PCoIP protocol metrics BLAST protocol metrics Client Keyboard/Mouse/Display User Name, domain, Session status PCoIP protocol related metrics such as estimated bandwidth for uplink/ downlink, jitter, latency, bytes transmitted and received for audio, USB, thinprint, imaging, overall, etc. BLAST protocol related metrics such as estimated bandwidth for uplink/downlink, jitter, latency, bytes transmitted and received for audio, USB, thinprint, imaging, overall, etc. Client Keyboard, Mouse Details like language, key delay, type, display type, etc. Collected from the Node by the Monitoring Service General Tenant ID, Node ID, Customer ID, Desktop/Application Assignment Name, ID, Type, Capacity, Apps used Table 2: Metrics Collected by Horizon Cloud Monitoring Service Operational Access In the event of troubleshooting or diagnosing an issue, VMware can: Obtain log files and crash reports from the Horizon Cloud node (made available as Support Bundle ), which will show user names, times when users have accessed the system, and other environment information including IP addresses and hostnames. Obtain other files, such as configuration files, from the deployed infrastructure VMs within the Horizon Cloud node. Have real-time access to the current operational health status of the Horizon Cloud node. Have interactive shell access on the Node Manager appliance for troubleshooting and support. Conclusion The VMware Horizon Cloud service allows you to connect your Microsoft Azure infrastructure to the Horizon Cloud control plane and securely deliver virtual desktops and applications hosted in any of the globally located Microsoft Azure data centers. This white paper covered many security aspects of VMware Horizon Cloud Service on Microsoft Azure, including architecture, components, networking, data storage, and access. TECHNICAL WHITE PAPER 17

References Horizon Cloud on Microsoft Azure Prerequisites Getting Started with VMware Horizon Cloud Service on Microsoft Azure VMware Horizon Cloud Service on Microsoft Azure Administration Guide Horizon Cloud on Microsoft Azure Terms of Service About the Authors This paper was written by: Frank Taylor, Principal Engineer, Horizon Cloud Service, VMware Shikha Mittal, Director, Product Management, Horizon Cloud Service, VMware TECHNICAL WHITE PAPER 18

VMware, Inc. 3401 Hillview Avenue Palo Alto CA 94304 USA Tel 877-486-9273 Fax 650-427-5001 www.vmware.com Copyright 2017 VMware, Inc. All rights reserved. This product is protected by U.S. and international copyright and intellectual property laws. VMware products are covered by one or more patents listed at http://www.vmware.com/go/patents. VMware is a registered trademark or trademark of VMware, Inc. in the United States and/or other jurisdictions. All other marks and names mentioned herein may be trademarks of their respective companies. Item No: 5215-VMW-WP-HORIZON-CLOUD-MICROSOFT-AZURE-USLET-20171221 12/17

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback