Horizon Mobile Secure Workplace - Design Guide: VMware, Inc.

VMware® Horizon™ Mobile Secure Workplace™

VALIDATED DESIGN GUIDE

Table of Contents

About the Validated Design Guide
Introduction
Audience
Business Case
What Is Mobile Secure Workplace?
  Mobility
  Security
  Management
User Profiles
Mobile Secure Workplace Architecture Overview
Key Components of the Architecture
  Core Components
  Additional Components
Solution Validation
  Lab Equipment List
  Solution Components
  Optional Components
Overview of Architecture
  Datacenter
  Storage
  Networking
  Security
  RADIUS Two-Factor Authentication
  Single Sign-On for “Follow-Me Desktop” Experience
  Management
  Endpoint Management
  Persona Management
  Printing
  Optional: User-Installed Applications
  User Connection Flow Sequence
  Design Optimizations
Summary
Appendix 1
  Test Cases
  Functional Test Cases
  Performance Validation Results
Appendix 2
  How to Set Up Location-Based Printing on a Zero Client

About the Validated Design Guide

VMware® Validated Design Guides provide an overview of the solution architecture and implementation. The validated designs and solutions have been created through architectural design development and lab testing.

The guide is intended to provide guidance for the introduction of proof of concepts, emerging new technology and architectures, as well as enhancement of customer use cases.

The Validated Design Guides:

• Incorporate generally available products into the design

• Employ repeatable processes for the deployment, operation, and management of components within the solution.

Validated Designs are tested for a specific use case or architectural practice on a limited scale and duration. These guides ensure the viability of theoretical designs or concepts in real world practices.

The Validated Design Guides provide an overview of the solution design and implementation guidance that includes:

• Use cases that are catered to the design

• Products that were validated as part of design testing

• Software that was used for each component of the design

• Configurations used to support the design test cases

• A list of design limitations and issues discovered during the testing

Introduction

This Validated Design Guide provides you an overview of the VMware Horizon™ Mobile Secure Workplace™ solution. The architecture uses products from VMware and its ecosystem of partners to build a comprehensive solution that satisfies the specific requirements of various use cases in enterprises such as mobility, bring your own device (BYOD), security, compliance, and printing.

This document will provide an overview of the various use cases, logical solution architecture, and results of the tested configuration. The solution is not exclusive to the products tested within the architecture. Consult your VMware representative for more information about how to modify the architecture with your preferred vendors.

Audience

This document is intended to assist solution architects, sales engineers, field consultants, advanced services specialists, and customers who will configure and deploy a virtual mobile secure workplace solution.

Business Case

Today’s workforce is no longer tethered to traditional stationary desktops. New devices have proliferated at companies of all sizes. Workers are increasingly mobile, and more than 60 percent of enterprise firms and 85 percent of SMB organizations are looking to initiate BYOD programs. Although end users are embracing these trends, IT departments—faced with tight budgets—are struggling with how to best support and manage these new devices while protecting corporate data as it is accessed across networks and locations.

A need to find a secure, streamlined and more cost-effective way to manage end users across devices and locations has become a top priority for many customers today.

Research shows that 97 percent of employees carry more than two devices and 50 percent of employees carry more than three devices. It is estimated that by the end of 2013, there will be more than 272 million tablets. With the popularity of these new devices and with companies increasingly supporting teleworking and remote working, it is becoming important to provide a way to enable secure access to workplaces over a wide variety of devices for end users across locations.

What Is Mobile Secure Workplace?

The VMware Horizon Mobile Secure Workplace solution provides an innovative way for IT to support device diversity and bring your own device initiatives by improving user access and mobility, streamlining application updates, enhancing data security, and delivering the highest-fidelity user experience.

This solution enables you to address the following three key requirements:

Mobility

The Mobile Secure Workplace solution built on VMware Horizon View™ places desktops in the datacenter and provides access to the datacenter through any device. With a multitude of client devices supported, the desktops can be accessed from any workstation, thin client, or mobile device. This enables true BYOD support and, with session persistence, enables session mobility across devices—so you get to use the same desktop from different devices. With Persona Management and optional user-installed applications support, the Mobile Secure Workplace solution provides true session persistence across devices and sessions. In addition to providing session persistence across devices, VMware Horizon View uses PCoIP protocol to deliver the best desktop user experience from any device.

Security

With support for end-user access via two-factor authentication (RSA SecurID, RADIUS authentication, etc.), the Mobile Secure Workplace solution emphasizes data and application security in the organization. In addition to providing the right level of access to the right resources, it also simplifies patch management and update management. Since all the desktops are in the datacenter, the Mobile Secure Workplace solution helps IT administrators update and patch the desktops to the latest version. This ensures that no vulnerabilities exist in the environment due to unpatched or orphaned systems. Also since the data resides in the datacenter, and is protected by VMware vShield™, it provides superior security for the environment.

Management

One of the key challenges facing organizations today is the ability to manage and get an overview of the environment, desktops, access policies, and service levels. The Mobile Secure Workplace solution, with optionally integrated VMware vCenter™ Operations Manager™, provides an integrated dashboard with intelligent response on all desktop-related events, which helps IT administrators to provide the right amount of intervention and guidance when virtual infrastructure performance looks to be exceeding an expected range of behavior. The solution can also include vCenter Configuration Manager (vCM) for importing suggested configurations and to meet regulatory compliance requirements.

User Profiles

In a typical organization, there are multiple user profiles with unique requirements. This solution architecture caters to the following five distinct user profiles.

| USER PROFILE | CHARACTERISTICS |
| --- | --- |
| Office-Based Information Worker | Workers with a broader skill set that require assimilation and manipulation of information or input from multiple sources. Examples include higher-level back-office functions, such as finance, IT, and mid-level management. These users will require a relatively broad application portfolio. They will also need some level of control over how they access applications and data, but not full administrative control. They are unlikely to be mobile, but might work from more than one fixed location. They will require multi-channel communication and collaboration capabilities for working with peers. |
| Content/Media Worker/Software Developer | Workers with a high level of expertise in an area of creativity or science that requires detailed manipulation of content. These are the traditional power users. Examples include engineers, graphic designers and some developers. They typically require a narrow, but specialized, portfolio of applications. They are unlikely to be mobile and will normally work from a single, fixed location. They will also need some level of control over how they access applications and data, but not full administrative control, and may be ring-fenced from other corporate functions. They will require high levels of computation capability and graphical display. They may also require specialist peripheral devices. |
| Home Office Worker | Workers with a broader skill set that require assimilation and manipulation of information or input from multiple sources. These workers also need to roam within a defined area or set of areas such as a campus or office, or traditionally work from home. Examples include remote workers, teachers, doctors, and higher-level managers. |
| Traveling Worker | Workers who spend at least 50 percent of their time in a non-office or non-campus location. They will typically be oriented to a single function, often customer facing. Examples include sales and service representatives. They typically require access to only a narrow portfolio of applications and only create information content in a highly structured manner. They will not require control over how they access applications or data, but will need access from almost any location within geographic boundaries. They typically tend to use laptops. |
| VIP | Business executives who will typically require access to only a small number of applications, but they will expect control over how they access these applications and corporate data. They will need to be mobile and typically tend to use tablets and laptops. |

Table 1: Business User Profiles Considered in the Mobile Secure Workplace Architecture

These five business user profiles can be transposed to three distinct user workload profiles as listed below:

| USER PROFILE | REQUIREMENTS |
| --- | --- |
| Knowledge Worker | Application Profile: MS Office, Adobe, IE, Firefox, Chrome, Outlook, SaaS applications (using JRE), Windows applications (Notepad, Calculator), multimedia players (Flash, WMP, etc.), antivirus, WebEx |
| | Network Profile: LAN |
| | Security Profile: Audit capability and GPO settings for UX policy; and antivirus and DLP (data loss protection – RSA and Symantec) |
| | Other: Multi-monitor; print to nearest printer |
| Power User | Application Profile: MS Office, Adobe, IE, Firefox, Chrome, Outlook, SaaS applications (using JRE), Windows applications (Notepad, Calculator), multimedia players (Flash, WMP, etc.), antivirus, WebEx, media and development environments |
| | Network Profile: LAN and WAN |
| | Security Profile: Two-factor authentication, audit capability and GPO settings for UX policy; data encryption and antivirus |
| | Other: Multi-monitor; print to nearest printer |
| Mobile Knowledge Worker | Application Profile: MS Office, Adobe, Outlook, IE, Firefox, Chrome, SaaS applications, Windows applications, multimedia players (Flash, QuickTime, etc.), antivirus, WebEx |
| | Network Profile: LAN and WAN |
| | Security Profile: Two-factor authentication, audit capability and GPO settings for UX policy; data encryption and antivirus; auto disconnect upon connecting to new device |
| | Other: Print to nearest printer |

Table 2: User Workload Profiles

The validated design in this document supports the unique requirements of these user profiles and also helps the IT team manage the environment securely.

Mobile Secure Workplace Architecture Overview

The following diagram shows the logical topology for the Mobile Secure Workplace solution:

[Diagram. Labelled elements: External Network; Internal Network; DMZ; Infrastructure; Management; Virtual Desktops; Horizon View Client Devices (Android Tablet, iPad, PDA, Zero Client, Thin Client, Windows Horizon View Client, Windows Horizon View Client with Local Mode, Macintosh Horizon View Client); Horizon View Security Servers; Layer 7 Load Balancer for Horizon View Security and Connection Servers; Horizon View Connection Servers; Active Directory; vCenter; Antivirus; vCM; vCOps; vShield; Print Server; Certificate Authority; RADIUS; SSO; Management vSphere Infrastructure; Virtual Desktop vSphere Infrastructure; Local SSD Datastores for Horizon View Composer Linked Clone Storage; Shared Storage Infrastructure for Persona, User Data, ThinApp Applications and VM Master Images.]

Figure 1: Mobile Secure Workplace Reference Architecture

The architecture consists of two virtual machine clusters, the management cluster and virtual desktop cluster for scalability purposes. In addition, the third-party software management or add-on functions including the ecosystem partner products for printing, user-installed applications, security, SIEM, system management, and antivirus, can be segmented into the third resource boundary.

The management cluster includes all the management components required for the VMware Horizon View base architecture along with vCenter Operations Manager and vShield-related VMware products. The virtual desktop cluster is dedicated to host the stateless virtual desktops, accessed by the end users. The environments are segregated to effectively utilize the underlying hardware resources, and support storage layer tiering where required.

The management architecture can host multiple connection servers, load balanced to provide redundancy and availability. Enterprise users can access the closest desktop immediately by accessing the network of load balancers using a single namespace, and remote users can access the environment using View Security Servers deployed in the demilitarized zone (DMZ). Usage of security servers enables the end users to access the desktops via PCoIP and have a better user experience.

The architecture is built based on the standard reference architectures published by VMware and is scalable.

Key Components of the Architecture

Though the architecture is vendor agnostic, below is a list of components that are part of the architecture:

Core Components

vSphere and vCenter – The solution is built on top of vSphere, the industry-leading virtualization platform. There are many benefits to using the vSphere platform and more information on the platform can be found on the VMware Web site.

VMware Horizon View – The central component of the solution architecture is VMware Horizon View, which is the industry-leading virtual desktop infrastructure (VDI) product.

VMware vShield – VMware vShield provides best-in-class security to the virtual desktop environment. vShield Endpoint with the hypervisor-based Antivirus protection (from our leading AV vendors), provides tremendous benefits in terms of management and ease of use for the environment. In addition, vShield App and vShield Edge products add security to the environment. Visit the VMware Web site for more information on the vShield line of products.

ThinPrint – Most of the use cases catered to by this solution have a location-aware printing requirement. ThinPrint software, OEM’d by VMware, provides the functionality of location-aware printing from many devices. More information about ThinPrint can be found on the ThinPrint Web site.

Additional Components

Management – One of the biggest challenges faced by the IT group is on-demand management of the entire environment and an ability to proactively identify and plan the infrastructure. VMware vCenter Operations Manager for Horizon View provides the management infrastructure required for the environment.

Compliance – One of the key requirements of many vertical industries is the ability to manage compliance to various industry regulations. VMware vCenter Configuration Manager helps organizations achieve their compliance requirements.

Persona Management and User-Installed Applications – Many use cases defined in the solution have a requirement to persist user information across sessions. But the biggest cost savings, both in terms of CapEx and OpEx, can be achieved by using stateless desktops. To effectively achieve this, Horizon View has a feature called Persona Management to maintain user data and profile persistence across stateless sessions. In addition to the profile persistence, some use cases require support for user-installed applications. This can be achieved by using some of our partner products.

The next section of the document details the architecture as it was built for testing within the lab environment at VMware.

Solution Validation

The solution implemented in the lab was sized to scale to many thousands of desktops per the sizing guidelines provided in VMware published reference architectures. The architecture was built in pods or building blocks for easy scalability. For the functional testing aspects, the solution was implemented with 250 desktops and was deployed on the following hardware in the validation.

Lab Equipment List

| PRODUCT | FUNCTION / DESCRIPTION / VERSION |
| --- | --- |
| Servers | 5 - 1U servers with 2 Intel Xeon E7 8837 2.67GHz processors, 96GB RAM |
| | 1 - 3U servers with 2 Intel Xeon E7 8837 2.67GHz processors, 128GB RAM |
| Hard drives | 8 – 300GB Intel 320 SSD Drives |
| | 8 – 600GB 7200RPM HDD |
| Attached storage | iSCSI storage array, Raw Disk Capacity: 8TB, Raw Flash Cache 160GB, 24GB RAM, 4 – 1GbE network ports |
| Networking | Unmanaged layer 2 – 10/100 24 port switch |

Table 3: Lab Equipment

Solution Components

| PRODUCT | FUNCTION / DESCRIPTION / VERSION |
| --- | --- |
| vSphere | 5.0.1 |
| vSphere with vCenter | 5.0 |
| VMware Horizon View | 5.1 |
| VMware Horizon View Composer | 3.0 |
| vShield Edge™, vShield App™, and vShield Endpoint™ | 5.0.1 |
| SSO with RADIUS | SafeNet Authentication Manager v6.1.7 |
| Desktop antivirus | Trend Micro Deep Security |

Table 4: Solution Components

Optional Components

| PRODUCT | FUNCTION / DESCRIPTION / VERSION |
| --- | --- |
| vCenter Operations Manager for Horizon View | 1.0 |
| Load balancer | BigIP GTM LTM APM |
| Microsoft System Center | System Center 2012 |
| Liquidware Lab | ProfileUnity |
| Data security | Verdasys |
| FollowMe desktop session roaming | HID NaviGO |

Overview of Architecture

In the Mobile Secure Workplace design it is important to separate the management and desktop components into two discrete blocks of infrastructure. In the design we created a management cluster and a Horizon View pod in order to establish a subscription- or consumption-based model. This methodology is important in order to scale the solution easily, as another pod can be plugged into the architecture as required and services can be extended to accommodate the expansion. Third-party services were also grouped together as a separate virtual appliance (vApp) entity in order to provide performance isolation.

vShield networking was configured to provide the security architecture, specifically around virtual desktop communication and application protocol flow in and out of the management, services, and desktop pool security zones.

In order to satisfy the mobility and security specifications in this design, the architecture leveraged several third-party solutions.

Datacenter

This diagram shows how each software component was deployed on each host.

[Diagram. Labelled elements: Management Cluster with HA and DRS; VDI Cluster; Third-Party Components; Optional Components; Connection Server; Security Server; vCenter; Active Directory; SQL DB; Certificate Authority; RADIUS; SSO; vShield; vCM; vCOps; Antivirus; Print Server; Load Balancer Appliance; hosts with Intel Xeon E7 8837 2.67GHz Processors and 96GB RAM or 128GB RAM; iSCSI Storage Array, Raw Disk Capacity 8TB, with Raw Flash Cache 160GB, 24GB RAM; 100GB SQL DB; 500GB VM Storage; 2TB ThinApps, User Data, User Profile Storage.]

Figure 2: Datacenter Configuration in Three Clusters

The datacenter was configured with three clusters: management, virtual desktop, and View Services (for third-party products).

A snapshot of the environment is provided below:

Figure 3: Datacenter Environment

The infrastructure components required for the environment are configured in the management cluster, and the View Services components are configured in the View Services cluster.

The management cluster includes two Active Directory virtual machines for redundancy, a vCenter server with SQL virtual machine, and a Certificate Authority for RADIUS authentication, using SafeNet Authentication Manager.

The View Services cluster includes the View Connection Server, vCenter Compliance Manager, vShield Security Manager, and View Security Servers. These form the core and optional services required for the environment, to satisfy the requirements of the five user profiles discussed earlier.

Separate resource pools were added for each one of the user profiles. The five user profiles were transposed to three technology profiles: Knowledge Worker, Power User, and Mobile Knowledge Worker. The virtual desktops for each one of the profiles will be created within these resource pools. The vShield Edge product was configured to ensure that these resource pools are segregated and cannot talk to each other.

In addition to the above clusters, for the validation, the environment included a View Planner instance to launch workloads.

Storage

For the Mobile Secure Workplace design, the typical storage configuration can be logically segregated into two clusters: management and VDI. The management cluster is in turn segmented into general, SQL, vShield and third-party. The VDI cluster is segregated into virtual desktops and User/Corporate data segments, following the logical segregation of workloads in these datastores.

The general datastore cluster in the management segment consists of Active Directory, DNS, View Connection Manager, View Security Servers, etc. All general infrastructure components are located in this segment. Storage best practices are followed when the datastores are created (e.g., two instances of AD, VCM, and VSS are located in two separate datastores for failover protection). Follow Storage Best Practices when designing a production environment.

The SQL logical cluster contains the datastores for all SQL databases used for Composer, vCenter, etc., and the vShield cluster contains the datastores for all vShield virtual machines. In addition, a separate datastore cluster hosts all third-party software such as user-installed application support.

The VDI logical cluster contains datastores for virtual desktops and user and corporate data.

Typically, the management logical cluster can be Fibre Channel or iSCSI and the virtual desktop datastores are in SSD for faster performance. The user data and corporate data are located in NFS datastores.

The diagram below shows the storage configuration for the environment.

Figure 4: Storage Configuration

In this lab design, the management logical cluster (general, SQL, vShield and third-party virtual machine datastores) is located in iSCSI datastores. The VDI cluster (virtual desktops) is located in SSD and the user data is located in NFS datastores. For production environments, VMware recommends that IT administrators review Storage Best Practices documentation on the best storage options for various types of virtual machines.

Networking

For this architecture, vSphere network distributed switch technology was leveraged to simplify the configuration for Mobile Secure Workplace.

[Diagram. Labelled elements: Management Cluster; VDI Cluster; vDS; Uplink Port 1; Uplink Port 2; ESXi Hosts; Management 1 VLAN; Management 2 VLAN; Fault Tolerance Logging VLAN; vMotion VLAN; VM Pool 1 VLAN; VM Pool 2 VLAN; VM Pool 3 VLAN.]

Figure 5: Network Overview of the Environment

Standard VLANs were used to segregate vSphere management, services management, and desktop virtual machine traffic. In this configuration all uplink ports were configured as VTP trunk ports into the vSphere hosts. All networking was then broken out at the virtual distributed switch (vDS) level.

Figure 6: vDS Portgroup Layout

Security

The figure below illustrates how the vShield App Security Zones were set up for communication between the management components and the desktop pools.

vShield Edge allows us to control the application traffic flows between discrete components at a granular level. vShield Edge was used to segregate the management cluster from the desktop cluster. It can also be used to segregate pools of desktops which have stringent security requirements.

vShield App was used as a load balancer for the internal View Connection Managers, used exclusively by users inside the corporate network.

The external connections are load balanced via network load balancers.

[Diagram. Labelled elements: VMware vShield App (four instances); Management Cluster; VM Pool 1; VM Pool 2; VM Pool 3; each zone contains a group of VMs.]

Figure 7: vShield App Security Zone Setup

A screenshot of the vShield Edge configuration for the Management and DMZ networks is shown below:

Figure 8: vShield Edge Configuration for Management and DMZ Networks

vShield Edge is also used to segregate the Management and User Profile pools. A screenshot of vShield Edge configuration for the Management and Knowledge Worker profile pool is shown below:

Figure 9: vShield Edge Configuration for Management and Knowledge Worker Profile Pool

vShield Edge is configured around each user profile pool to ensure that data does not cross over between user profile pools, but only between Management and User profile pools. A sample configuration for the Knowledge Worker profile pool is shown below:

Figure 10: Knowledge Worker Profile Pool

Firewall rules were also established to restrict data movement. A snapshot of the firewall rules is shown below:

Figure 11: Firewall Rules
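The isolation requirement stated above (traffic may cross between Management and a user profile pool, never between two pools) can be checked mechanically against a rule list. The following Python check is an added example, not VMware tooling or configuration taken from the guide: the subnets, ports, rule names and the first-match, default-deny evaluation model are assumptions made for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from itertools import permutations, product

# Zone names follow the guide's management cluster and three workload pools.
# All subnets, ports and rule names below are constructed for illustration.
MGMT = "management"
ZONES = {
    MGMT: "10.0.10.0/24",
    "pool-knowledge-worker": "10.0.21.0/24",
    "pool-power-user": "10.0.22.0/24",
    "pool-mobile-knowledge-worker": "10.0.23.0/24",
}
ALL_POOLS = "10.0.20.0/22"  # constructed supernet that covers the three pools


def span(cidr):
    """Return a CIDR block as an inclusive (low, high) integer range."""
    net = ip_network(cidr)
    return int(net.network_address), int(net.broadcast_address)


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                # "allow" or "deny"
    src: str                   # source CIDR
    dst: str                   # destination CIDR
    ports: tuple = (0, 65535)  # inclusive destination port range

    def matches(self, src_ip, dst_ip, port):
        (s_lo, s_hi), (d_lo, d_hi) = span(self.src), span(self.dst)
        return (s_lo <= src_ip <= s_hi and d_lo <= dst_ip <= d_hi
                and self.ports[0] <= port <= self.ports[1])


def first_match(rules, src_ip, dst_ip, port):
    """Assumed evaluation model: first matching rule wins, otherwise deny (None)."""
    for rule in rules:
        if rule.matches(src_ip, dst_ip, port):
            return rule
    return None


def probes(lo, hi, ranges):
    """Pick one value from every part of [lo, hi] that all ranges treat alike.

    Membership in a range can only change at its first value or just past its
    last value, so testing those boundaries covers every distinct region,
    including a narrow rule hidden inside a pool subnet.
    """
    points = {lo}
    for r_lo, r_hi in ranges:
        points.update(p for p in (r_lo, r_hi + 1) if lo <= p <= hi)
    return sorted(points)


def audit(rules, zones=ZONES):
    """Return sorted (src_pool, dst_pool, rule_name, sample_flow) tuples for
    every rule that lets traffic pass directly between two different pools."""
    pools = [name for name in zones if name != MGMT]
    port_probes = probes(0, 65535, [r.ports for r in rules])
    findings = {}
    for src_zone, dst_zone in permutations(pools, 2):
        src_probes = probes(*span(zones[src_zone]), [span(r.src) for r in rules])
        dst_probes = probes(*span(zones[dst_zone]), [span(r.dst) for r in rules])
        for s, d, port in product(src_probes, dst_probes, port_probes):
            rule = first_match(rules, s, d, port)
            if rule is not None and rule.action == "allow":
                flow = f"{ip_address(s)} -> {ip_address(d)}:{port}"
                findings.setdefault((src_zone, dst_zone, rule.name), flow)
    return sorted(key + (flow,) for key, flow in findings.items())


# Weak rule set: two allows are wider than the management <-> pool policy.
WEAK_RULES = [
    Rule("mgmt-to-pools", "allow", ZONES[MGMT], ALL_POOLS),
    Rule("pools-to-mgmt", "allow", ALL_POOLS, ZONES[MGMT]),
    Rule("kw-to-power-deny", "deny",
         ZONES["pool-knowledge-worker"], ZONES["pool-power-user"]),
    Rule("pools-smb", "allow", ALL_POOLS, ALL_POOLS, (445, 445)),
    Rule("power-subnet-rdp", "allow", "10.0.22.16/28",
         ZONES["pool-mobile-knowledge-worker"], (3389, 3389)),
]

# Corrected rule set: management <-> pool only, pool-to-pool denied explicitly.
HARDENED_RULES = WEAK_RULES[:2] + [
    Rule("pool-to-pool-deny", "deny", ALL_POOLS, ALL_POOLS),
]

if __name__ == "__main__":
    for label, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        results = audit(rules)
        print(f"{label}: {len(results)} pool-to-pool allow(s)")
        for src_zone, dst_zone, name, flow in results:
            print(f"  {src_zone} -> {dst_zone} via {name}: {flow}")
```

The single explicit deny in the weak set hides only one direction of one pool pair, which is why the audit walks every ordered pair and every rule boundary rather than testing one host per pool.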

RADIUS Two-Factor Authentication

Horizon View supports a variety of two-factor authentication devices including RSA SecurID, RADIUS compliant One-Time Password token, contacted/contactless card, and smart cards. This architecture employed the RADIUS authentication feature in View 5.1 using a SafeNet RADIUS server to authenticate all users.

The RADIUS client was first added to the View Connection Server from the Windows Server Manager folder > Roles > NPS (Local) > RADIUS Clients and Servers > Radius Clients. A snapshot of the configuration is provided below:

Figure 12: Creating New RADIUS Client


Once the RADIUS client was added to the server, it was paired with the View Connection Server using the Horizon View administrator dashboard, by editing the Connection Server settings in the administrator console, and selecting RADIUS authentication from the 2-factor Authentication drop down menu in the Authentication tab.

Figure 13: View Connection Authentication Server Settings

The RADIUS server information was populated using the Create New Authenticator button. This provides enhanced authentication using OTSP.

Single Sign-On for “Follow-Me Desktop” Experience

One of the key features of Mobile Secure Workplace is session persistence. This enables the user to disconnect and reconnect to their desktop session from and between any device. This feature is enabled in Horizon View by default. In addition to the standard feature, this architecture also employs HID NaviGO for easier tap-in access to desktops. This feature enables the user to disconnect a desktop session from one device and reconnect to it from another device. The session state, along with the user profile information, is preserved across sessions, thereby providing true mobility across devices.


Management

The View Connection Manager shows the health of various components deployed within the infrastructure (not including the third-party products). This basic level of information can be sufficient for many organizations.

Figure 14: View Connection Manager System Health


For organizations that require enhanced monitoring and management, including capacity planning, the Mobile Secure Workplace solution integrates the VMware vCenter Operations Manager for Horizon View product. This product, when integrated, provides end-to-end visibility of the Horizon View environment. The patented analytics and integrated approach to performance, capacity, and configuration management deliver simplified health and performance management along with a better end-user experience, since issues can be identified and solved proactively.

Figure 15: vCenter Operations Manager Dashboard

In addition to the above analytics, the architecture also supports adding more third-party analytics and monitoring tools to suit any organizational needs.

Endpoint Management

The OS, applications, and settings on the endpoint also need to be managed. When these endpoints run an embedded version of Microsoft Windows, they can be managed in much the same way as a physical desktop. Endpoint management tools can be used to automate and simplify the task of provisioning and monitoring the desktop virtualization endpoints. Network-based services such as Dynamic Host Configuration Protocol (DHCP) and file servers can also be used to provision and update endpoints.

There are many endpoint management solutions available in the market. For this architecture, we used the System Center Configuration Manager (SCCM) to manage the Windows-based endpoints. In addition to the OS updates and patches being delivered by SCCM, the software was also used to deliver ThinApp packages to the endpoints. If the organization’s endpoints consist of a mix of Windows and other endpoints, multiple third-party software products can be used to manage them.


Persona Management

In a traditional physical desktop with local storage, all of the changes a user makes to their profile are stored on the local hard disk in their profile. In the virtual desktop world, desktops come in two flavors: dedicated desktops (also known as persistent desktops) in which users are assigned a specific desktop and use that desktop each time they log in; and floating desktops (also known as non-persistent) which provide the user any available desktop for each session. For dedicated desktops, the user’s profile is stored in the persistent data disk. But dedicated desktops are not storage efficient, increasing the total cost of ownership for the solution.

The Mobile Secure Workplace solution employs floating desktops with Persona Management enabled. This feature seamlessly preserves a user’s profile on a network share for safekeeping between sessions in either floating or dedicated desktops. Persona persists data and settings stored in the profile without specific knowledge of how a particular application works. This enables the architecture to be more storage efficient. The Persona Management feature is also efficient during login times, since it downloads only the files that Windows requires, such as user registry files. Other files are copied to the desktop when the user or an application opens them from the profile folder, thus increasing efficiency.

Printing

The location-based printing feature, enabled by ThinPrint and built into Horizon View, helps map printers that are physically close to the thin clients in an enterprise. In this architecture, location-based printing was enabled by configuring the Active Directory group policy setting AutoConnect Location-based Printing for VMware View, which is located in the Microsoft Group Policy Object Editor in the Software Settings folder under Computer Configuration. Since this policy is device specific and not user specific, the user always gets to print to the printer closest to the device. This also enables printing to locally attached printers (at home, for home office employees). Detailed information on the ThinPrint GPO configuration is provided in the Appendix.

This solution does not include location-aware printing from mobile devices or laptops. There are numerous third-party software products which enable secure printing from mobile devices. More information can be found in the Secure Printing with VMware View paper.

Optional: User-Installed Applications

In any enterprise, there are some user profiles which require support for user-installed applications. This feature is in addition to the profile persistence feature offered by Persona Management. The Mobile Secure Workplace design uses the Liquidware Labs ProfileUnity FlexApp product to enable the user to install their own applications in a floating desktop, and have that application persist across sessions. The FlexApp product enables the applications to be stored separately from the Windows operating system while integrating them at logon. There are other third-party applications which also enable this function.


User Connection Flow Sequence

The diagram below illustrates the virtual desktop connection path after a user initiates the Horizon View client and logs in to the environment.

Figure 16: Virtual Desktop Connection Path

The internal network users reach the appropriate Connection Server via the load balancer, while the WAN users reach the Connection Server via the View Security Servers. After authentication using RADIUS OTSP, the user is presented with user-installed applications. User-installed applications are snapped to the Virtual Desktop at the time of assignment, making the environment efficient.


Design Optimizations

Storage

This design uses the View Storage Accelerator feature to optimize the storage array configuration.

Figure 17: View Storage Accelerator Feature Enabled

This feature optimizes the environment for reads and can significantly lower the IOPS required from the array.

Horizon View Composer

In this design, the Composer was deployed as a standalone server for scalability and failover purposes.

Figure 18: View Composer Server Settings as Standalone


Summary

The Mobile Secure Workplace design provides workload optimization for VDI mobility and security in the desktop computing environment. This architecture, built with VMware Horizon View and ecosystem partner products, was tested for the integration of various products to provide a validated end-to-end solution. This design can be used to build a Mobile Secure Workplace solution in your organization. The architecture, while tightly integrated, is also built to be modular, so customers can pick and choose the various components that fit their specific needs. The architecture is also scalable per the guidelines provided in the VMware Horizon View reference architectures.

This design caters to the three key virtual desktop requirements in any organization: Mobility, Security and Management. With BYOD support and session persistence across devices with Persona Management, this design enables true mobility for the end users in an organization.

Integration with VMware vShield Endpoint, App and Edge products allows the infrastructure boundary to be clearly identified. Virtual machines are secure from external virus threats by offloading the detection to the vShield secure virtual machine, and internal data breaches can be avoided by a virtual resource boundary segregation.

Finally, with support from vCenter Operations Manager for Horizon View, the design provides IT professionals the ability to see the infrastructure from a single integrated dashboard, managing the service levels for their organization as well as capacity planning.

The Mobile Secure Workplace design employs various third-party components to support the end-user requirements. These third-party components can be replaced with the customer’s preferred vendors. This design provides the ability to modularly replace various components, while achieving the same results described in this design.


Appendix 1

Test Cases

For this architecture, the test cases cover three key features: Mobility, Security, and Management. In addition to the test cases explained below, the VMware ecosystem of partners conducted their own testing to see how their products integrate with this solution. More information on partner testing will be found in the How-To Guides for this solution.

Below is an overview of the key test cases and their results.

Functional Test Cases

Mobility

| # | TEST CASE | DESCRIPTION | RESULT |
|---|---|---|---|
| 1 | BYOD | Connect to a virtual desktop via Horizon View clients in Windows laptop, Mac, thin client, iPhone, iPad, and Android device | Pass |
| 2 | User Experience | Access common office applications (MS Word, MS Excel, MS PowerPoint, Adobe Acrobat Reader and Windows Media Player) from thin client and mobile devices with good to great user experience | Pass |
| 3 | Session Mobility | Connect to a desktop session from Windows system, disconnect, and connect back to the same session using a Mac (with all the profile and user data intact) | Pass |

Table 6: Mobility Test Case Summary

Security

| # | TEST CASE | DESCRIPTION | RESULT |
|---|---|---|---|
| 1 | Virus Protection | After AV is updated using vShield Endpoint, use EICAR file to test the AV protection | Pass |
| 2 | Environment Access | Confirm that desktop access is not provided when the following are used: incorrect password; incorrect OTSP passcode; deactivated username | Pass |
| 3 | Desktop Access | Ensure that user gets access to the correct desktop pool by testing access and the inability to access desktops in other pools | Pass |
| 4 | Pool Security | Ensure that desktops in one pool cannot access resources in another pool, except for the management and View Services cluster | Pass |
| 5 | Data Protection | Ensure data protection by: changing GPO and testing that user cannot download any data to USB; changing GPO and testing that user cannot download any data to host computer | Pass |

Table 7: Security Test Case Summary


Management

| # | TEST CASE | DESCRIPTION | RESULT |
|---|---|---|---|
| 1 | Alerts on Unauthorized Access | Ensure that alerts are generated for unauthorized access to the environment, desktop pools and GPO policy violation | Pass |
| 2 | Capacity Planning | Generate capacity planning data from vCenter Operations Manager | Pass |
| 3 | Virtual Machine Status | Ensure that virtual machines that missed any updates are reported in vCenter Operations Manager | Pass |

Table 8: Management Test Case Summary

Performance Validation Results

In addition to the manual functional tests, the design was tested using View Planner for workload.

The graphs below detail the results from View Planner for 64 virtual machines with a heavy workload running three iterations with un-tuned images.

Figure 19: CPU Usage Test Results


Figure 20: Memory Usage Test Results


Figure 21: Application Network Bit Rate Test Results


Figure 22: Datastore Byte Rate Test Results

Appendix 2


How to Set Up Location-Based Printing on a Zero Client

Step 1: Reinstall Agent

If you followed the optimization guide when you first set up your Horizon View environment you were told to disable Virtual Printing in a Zero Client environment. This was recommended because ThinPrint was not supported in a Zero Client environment and therefore CPU cycles were wasted by enabling this feature. With VMware View 4.5 and later, location-based printing is supported, so the Virtual Printer component is needed. To enable this, re-run the View Agent installer, select Modify and change the Virtual Printing setting, as seen below.

Figure 23: VMware View Agent Installer

Figure 24: VMware View Agent Virtual Printing Setting

Step 2: Install the Print Driver

The printer driver needs to be installed on the virtual machine; to do this we need to install the print driver into the OS.


Windows XP

To install a print driver on Windows XP open Printers and Faxes, right click anywhere in the white space and go to Server Properties. From there choose the Drivers tab and select Add. Follow the wizard to add the driver you need.

Figure 25: Adding a Print Driver in Windows XP

Windows 7

Server Properties is not available on Windows 7. Instead you have to install the driver by going through the Add Printer wizard. Select Add a local printer, follow the directions in the wizard, and add the printer driver on the driver selection screen.

Figure 26: Adding a Print Driver in Windows 7

As a final step you will need to delete the printer that you just created.

Step 3: Set Up DLL on Domain Controller

In this step we will be registering a DLL, adding an ADM file to Group Policy, and configuring the Group Policy itself. These files enable additional features in Group Policy that allow location-based printing to work.

Register the Location-Based Printing Group Policy DLL File

Please review Setting Up Location-Based Printing in the latest VMware Horizon View Administration Guide for complete details.

Before you can configure the group policy setting for location-based printing, you must register the DLL file TPVMGPoACmap.dll. VMware provides 32-bit and 64-bit versions of the TPVMGPoACmap.dll file on your View Connection Server:

install_directory\VMware\VMware View\Server\Extras\GroupPolicyFiles\ThinPrint

Procedure

1. Copy the appropriate version of TPVMGPoACmap.dll to your Active Directory server or to the domain computer that you use to configure group policies.

2. Use the regsvr32 utility to register the TPVMGPoACmap.dll file.

a. For example: regsvr32 "C:\TPVMGPoACmap.dll"

Step 4: Set Up Group Policy

Enable Loopback Processing for Horizon View Desktops

Please review Add View ADM Templates to a GPO in the latest VMware Horizon View Administration Guide for complete details.

To make User Configuration settings that usually apply to a computer apply to all of the users that log in to that computer, enable loopback processing.

Prerequisites

• Create GPOs for the Horizon View component group policy settings and link them to the OU that contains your Horizon View desktops.

• Verify that the Microsoft MMC and the Group Policy Object Editor snap-in are available on your Active Directory server.

Procedure

1. On your Active Directory server, select Start > All Programs > Administrative Tools > Active Directory Users and Computers.

2. Right-click the OU that contains your Horizon View desktops and select Properties.

3. On the Group Policy tab, click Open to open the Group Policy Management plug-in.

4. In the right pane, right-click the GPO that you created for the group policy settings and select Edit.

a. The Group Policy Object Editor window appears.

5. Expand the Computer Configuration folder and then expand the Administrative Templates, System, and Group Policy folders.

6. In the right pane, right-click User Group Policy loopback processing mode and select Properties.

7. On the Setting tab, select Enabled and then select a loopback processing mode from the Mode drop-down menu.

8. Click OK to save your changes.

Set Up AutoConnect Map Additional Printers

Please review Configure the Location-Based Printing Group Policy in the latest VMware Horizon View Administration Guide for complete details.


VMware, Inc. 3401 Hillview Avenue Palo Alto CA 94304 USA Tel 877-486-9273 Fax 650-427-5001 www.vmware.com
Copyright © 2013 VMware, Inc. All rights reserved. This product is protected by U.S. and international copyright and intellectual property laws. VMware products are covered by one or more patents listed at http://www.vmware.com/go/patents. VMware is a registered trademark or trademark of VMware, Inc. in the United States and/or other jurisdictions. All other marks and names mentioned herein may be trademarks of their respective companies. Item No: VMW-VDG-MOBILESECWKPL-USLET-20130405-WEB


The screenshot illustrates how to set up a printer to connect to All IP Ranges, All Client Names, All Mac Addresses, and All User Groups. The Printer Name will be TEST-NETWORK, it will use the HP LaserJet 4 driver (which was installed in Step 2), and it will connect on the IP address of 192.168.100.5.

Figure 27: Sample Printer Setup

Important: Print Driver is case sensitive (and space sensitive): the driver name must match the driver name from the virtual machine exactly as it appears on the virtual machine. This may mean that if you have one network printer and use it from both XP and Windows 7, you may need to set up multiple mappings to the same printer.

Troubleshooting

Open a command prompt and go to this directory: C:\Program Files\VMWare\VMWare Tools\

From within that directory run these commands:

tpautoconnect.exe -d all

- This will delete all printers created by ThinPrint

tpautoconnect.exe -v -i vmware -a COM1 -F 30

- This command is the same command that is run by the TP process. The only difference is that instead of running the process with the quiet flag (-q) we want to run it in verbose mode (-v). This will help us see if there are any errors.

Common Errors

Can’t get Client Name: This error most likely means that the Group Policy is not taking effect.

No suitable client protocol found.: This error can be ignored. Following this error you should see your printer’s map.