VMware Horizon™ Workspace provides you with a centralized Web management console that allows you to customize the Catalog, which contains your enterprise's applications and desktops, as well as the Data module, which allows users to share files and folders with others.

Horizon Workspace detects users' attributes and enforces policies across the applications, data, and desktops. For each user, you can customize the delivery of Windows, Android, iOS, Web, and SaaS applications to a single workspace while providing users with self-service access to applications and data from anywhere.

Horizon Workspace consists of the following virtual appliances bundled together in a vApp.

Horizon Workspace Server Components

VMware Horizon Workspace Configurator Virtual Appliance (configurator-va): You start configuring Horizon Workspace with this virtual appliance, using both the Configurator virtual appliance interface and the Configurator Web interface. The configurations you make with the Configurator are distributed to the other virtual appliances in the vApp.

VMware Horizon Workspace Manager Virtual Appliance (service-va): Horizon Workspace Manager handles ThinApp package synchronization and gives you access to the Administrator Web interface, from which you can manage users, groups, and resources.

VMware Horizon Workspace Connector Virtual Appliance (connector-va): Horizon Workspace Connector provides the following services: user authentication (identity provider), directory synchronization, ThinApp-catalog loading, and View pool synchronization.

VMware Horizon Workspace Data Virtual Appliance (data-va): Horizon Workspace Data Virtual Appliance controls the file storage and sharing service, stores users' data (files), and synchronizes users' data across multiple devices.

VMware Horizon Workspace Gateway Virtual Appliance (gateway-va): Horizon Workspace Gateway Virtual Appliance is the single endpoint for all end-user communication. User requests come to the gateway-va virtual machine, which then routes each request to the appropriate virtual appliance.

Users can access Horizon Workspace with Horizon Web client (an agentless client), Windows client, Mac client, Android client, or iOS client. Each client provides users with access to the Horizon Workspace user interface, but access to applications, desktops, and data varies depending on the client.

Horizon Workspace User Client Components

VMware Horizon Workspace Web Client: The Horizon Workspace Web Client is an agentless client. It is the default client used when users access Horizon Workspace with a browser. Using the Horizon Workspace Web Client, users can access their Horizon Workspace Data, Horizon View Desktops, and Horizon Workspace Web Applications. If a user is entitled to a ThinApp package and is on a Windows system with the Horizon Workspace Client for Windows active, the user can also view and launch local ThinApp packages in the Web Client.

VMware Horizon Workspace Client for Windows: When Horizon Workspace Client for Windows is installed on users' Windows systems, they can access their Horizon Workspace Data and Windows applications (captured as ThinApp packages) locally. When this client is installed, a user's personal and shared folders and files are synchronized between their system and Horizon Workspace.

VMware Horizon Workspace Client for Mac: When Horizon Workspace Client for Mac is installed on users' Apple Mac OS X systems, they can access their Horizon Workspace Data locally. When this client is installed, users' personal and shared folders and files are synchronized between their system and Horizon Workspace.

VMware Horizon Workspace Client for Android: When Horizon Workspace Client for Android is installed on users' Android devices, they can access their Data and Web applications. They can also install mobile applications that you have curated from Google Play.

VMware Horizon Workspace Client for iOS: When Horizon Workspace Client for iOS is installed on users' iOS devices, they can access their Data and Web Applications. They can also install mobile applications that you have curated from the Apple App Store. Additionally, if your deployment is configured to access Horizon View desktops, iPad users can view their entitled desktops using Horizon View Client for iOS.

The Connector acts as an identity provider within your network, creating an in-network federation authority that communicates with Horizon Workspace using SAML 2.0 assertions. The Connector authenticates the user with Active Directory within the enterprise network (using existing network security).

The following authentication methods are supported by Horizon Workspace: Active Directory username/password, Kerberos, and RSA SecurID.

Horizon Workspace Authentication Types

Username/password: Active Directory username/password authentication is the default user authentication method. This method authenticates users directly against your Active Directory.

Kerberos: When properly configured, Kerberos authentication provides Windows users with single sign-on access to Horizon Workspace, eliminating the requirement for Windows users to log in to Horizon Workspace after they log in to the enterprise network. The Connector validates user desktop credentials using Kerberos tickets distributed by the key distribution center (KDC).

RSA SecurID: RSA SecurID authentication requires users to use a token-based authentication system. RSA SecurID is the recommended authentication method for users accessing Horizon Workspace from outside the enterprise network.

Username/password authentication is the authentication method in use when you initially deploy Horizon Workspace. The username/password authentication method can authenticate users regardless of whether users are inside or outside the enterprise network. To provide user access to Horizon Workspace from outside the enterprise network, you can either require VPN access or you can install Horizon Workspace in a manner that allows Internet access.

If you decide to use username/password authentication to provide users outside the enterprise network access to Horizon Workspace, you can configure Horizon Workspace in one of the following ways:

Install a reverse proxy server in the DMZ pointing to the Gateway virtual appliance.

Configure firewall port forwarding or router port forwarding to point to the Gateway virtual appliance.

To implement Kerberos authentication or RSA SecurID authentication, you must deploy one or more additional Connector instances. See Installing Horizon Workspace for information about creating additional Connector instances. To implement both Kerberos authentication and RSA SecurID authentication, you first deploy Horizon Workspace, which includes all the Horizon Workspace virtual appliances.

You can configure one or more Connector instances to handle Kerberos authentication and one or more Connector instances to handle RSA SecurID authentication. Configuring any single Connector instance to handle both Kerberos authentication and RSA SecurID authentication is not a best practice. When you use more than one Connector instance in your deployment, you must use the Administrator Web interface to configure IdP discovery.

If you decide to use Kerberos authentication to seamlessly authenticate Windows users (applies to users inside the enterprise network only) to Horizon Workspace, issue the hznAdminTool addvm command in the configurator-va virtual machine to add a new connector-va virtual machine. Since the Connector acts as an identity provider, when you add a new Connector instance you are adding a new identity provider instance.

If you decide to use RSA SecurID authentication to provide users outside the enterprise network access to Horizon Workspace, you must add the connector-va virtual machine using the addvm option of the hznAdminTool command. This command creates an additional identity provider. You can then configure the new identity provider using the Horizon Workspace Administrator Web interface.

The supported authentication types can be used in a variety of ways to provide users, both inside and outside the enterprise network, access to Horizon Workspace.

Overview of Providing User Access to Horizon Workspace

User Access From Inside the Enterprise Network

Username/password authentication: Functions by default. No additional Connector instances are required for this authentication method when users are inside the enterprise network.

Kerberos authentication: Requires an additional Connector instance.

RSA SecurID authentication: Not recommended. This authentication method is not recommended for authenticating users who are inside the enterprise network.

User Access From Outside the Enterprise Network

Username/password authentication: To implement username/password authentication for users outside the enterprise network, you must enable Internet access to the Gateway virtual appliance. VPN is an option, too.

Kerberos authentication: Not applicable. This authentication method is not an option for authenticating users outside the enterprise network.

RSA SecurID authentication: When practical, this authentication method is preferred for authenticating users outside the network. The best practice is to install a Connector instance dedicated to RSA SecurID authentication.

Note

Horizon Workspace handles RSA SecurID authentication and Kerberos authentication failures differently:

If Kerberos authentication fails for any reason, the Connector falls back to username/password authentication. In such cases, users are presented with a login page that prompts them for their username and password to access Horizon Workspace. The Connector then validates users against the directory server.

If RSA SecurID authentication fails, the Connector does not fall back to username/password authentication. Since RSA SecurID is only recommended for users outside the enterprise network, such users will not be able to access Horizon Workspace until the cause of failure is resolved.

IdP discovery matches users from specific IP addresses with their corresponding identity providers (Connector instances). For example, users with IP addresses outside the enterprise network might be directed to a Connector instance dedicated to RSA SecurID authentication, while internal users might be directed to a Connector instance dedicated to Kerberos authentication. Though different users are directed to different Connector instances, you provide all users with a single Horizon Workspace URL since IdP discovery does the work behind the scenes to locate the appropriate Connector instance.

The default IdP discovery configuration applies to the default Horizon Workspace deployment, which uses username/password authentication with a single Connector instance. If you deploy Horizon Workspace in this manner, you do not need to change the IdP discovery configuration.

When you deploy multiple Connector instances using the addvm option of the hznAdminTool command for the purpose of maintaining multiple identity providers, you need to use the Horizon Workspace Administrator Web interface to access the Settings > Identity Providers page, where you must perform the following:

Locate each additional Connector instance name in the list of identity providers. When you use the addvm option of the hznAdminTool command to create a new Connector instance, that Connector instance name is added to this page.

Edit the order of the identity providers as necessary. The order in which the corresponding Connector instances are listed in Horizon Workspace is important if the IP ranges overlap. In such cases, the first Connector instance in the list to include an IP address is given precedence.

Caution

When you remove or reset a Connector instance, you must remove the corresponding Connector name from the Identity Providers page.

You can deploy Horizon Workspace with IdP Discovery in a variety of ways, one of which is summarized in the example that follows.

External RSA SecurID and Internal Kerberos Authentication Example of IdP Discovery

This is one possible way to configure IdP Discovery for Kerberos and SecurID in the same Horizon Workspace deployment.

Internal - First Connector instance: You configure Kerberos for this Connector instance. In the Horizon Workspace Administrator Web interface, on the Identity Providers page, you configure IP address ranges to include users within the enterprise network.

External - Second Connector instance: You configure SecurID for this Connector instance. In Horizon Workspace, you configure a single IP address range that includes all possible users. Therefore, you set the IP address range from 0.0.0.0 to 255.255.255.255.

The result of this configuration is that users attempting to access Horizon Workspace from inside the enterprise network are redirected to the first Connector instance and authenticated with Kerberos or username/password authentication while users outside the enterprise network are redirected to the second Connector instance and authenticated with SecurID authentication.
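The IdP discovery rule described above (ordered list of Connector instances, first instance whose IP range includes the client address wins, so order matters when ranges overlap) and the Kerberos-versus-SecurID failure handling from the Note, modelled as an added example. This is not VMware code; the Connector names, the internal 10.0.0.0/8 range, and the client addresses are constructed for illustration.

```python
"""Model of Horizon Workspace IdP discovery: an ordered list of Connector
instances (identity providers), each with inclusive IPv4 ranges; the first
instance in list order whose range includes the client address takes
precedence. Names and ranges below are constructed, not from a real deployment."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import List, Optional, Tuple


@dataclass
class IdentityProvider:
    name: str          # Connector instance name as listed on the Identity Providers page
    auth_method: str   # "kerberos" or "securid"
    ip_ranges: List[Tuple[str, str]] = field(default_factory=list)  # inclusive (first, last)

    def covers(self, ip: str) -> bool:
        addr = IPv4Address(ip)
        return any(IPv4Address(lo) <= addr <= IPv4Address(hi) for lo, hi in self.ip_ranges)


def select_idp(client_ip: str, idps: List[IdentityProvider]) -> Optional[str]:
    """Return the name of the first listed Connector whose range includes client_ip."""
    for idp in idps:
        if idp.covers(client_ip):
            return idp.name
    return None


def on_auth_failure(auth_method: str) -> Optional[str]:
    """Kerberos failure falls back to username/password; SecurID failure has no fallback."""
    return "username/password" if auth_method == "kerberos" else None


# Constructed configuration mirroring the page's example: internal Kerberos
# Connector first, external SecurID Connector second with a catch-all range.
INTERNAL = IdentityProvider("connector-kerberos", "kerberos", [("10.0.0.0", "10.255.255.255")])
EXTERNAL = IdentityProvider("connector-securid", "securid", [("0.0.0.0", "255.255.255.255")])
CORRECT_ORDER = [INTERNAL, EXTERNAL]
WRONG_ORDER = [EXTERNAL, INTERNAL]   # catch-all listed first: internal users get SecurID

if __name__ == "__main__":
    for ip in ("10.1.2.3", "203.0.113.7"):
        print(ip, "->", select_idp(ip, CORRECT_ORDER), "(correct order) /",
              select_idp(ip, WRONG_ORDER), "(catch-all listed first)")
```

Listing the catch-all SecurID Connector first sends every client, internal ones included, to SecurID, which is the overlap case the ordering step on the Identity Providers page exists to resolve.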

Note

Virtual users are not prompted for SecurID credentials even when the virtual users are external to your enterprise and are redirected to a Connector instance that enforces SecurID authentication. See Horizon Workspace User and Group Types for a description of virtual users.

Each interface gives you access to different functions. Each Web interface URL listed uses a placeholder, such as HorizonWorkspaceFQDN, ConnectorHostname, and ConfiguratorHostname for the hostname. Replace the placeholder names with the actual values.

Horizon Workspace URLs

https://HorizonWorkspaceFQDN/admin
Administrator Web interface (Active Directory user): Manage the Catalog, users and groups, entitlements, reports, and so on. (Log in as an Active Directory user with the administrator role.)

https://HorizonWorkspaceFQDN/SAAS/login/0
Administrator Web interface (non-Active Directory user): Use this URL if you cannot log in as the Active Directory user with the administrator role. (Log in as an administrator using the username admin and the password you set during configuration.)

https://HorizonWorkspaceFQDN/web
Web Client (end user): Manage files, launch applications, or launch View pools. (Log in as an Active Directory user or virtual user.)

https://ConnectorHostname/hc/admin/
Connector Web interface: Configure additional ThinApp settings and View pool settings, or check directory sync status and alerts. (Log in as an administrator using the password you set during configuration.)

https://ConfiguratorHostname/cfg
Configurator Web interface: See system information, check modules, set the license key, or set the admin password. (Log in as an administrator using the password you set during configuration.)