
Secure Distributed Desktops using NSX for Horizon with Sphere3D Appliances


After last week’s Black Hat event in Las Vegas (https://www.blackhat.com/) I can say the landscape is changing, and securing east-west traffic in VDI should be on this year’s Christmas list, or you may be a Project Sauron away from your next exploit (http://www.bbc.com/news/technology-37021957).

Distributed Security for Distributed Virtual Desktops

We recently introduced the capabilities of decentralized VDI with centralized management, giving users the best user experience together with real desktop resilience. Distributed Desktop Hyperconvergence appliances (http://sphere3d.com/v3-hyperconverged-solutions/) come loaded with a prebuilt vSphere 6 stack to support Horizon and Desktop Orchestration with DCO 2.5.11 (http://sphere3d.com/desktop-orchestrator-software/), and we showed how moving the virtual desktop compute out to the edge is the way we reduce the cost of a virtual desktop against a physical desktop while still retaining the “single pane of glass” approach to the distributed VDI architecture. This month I want to talk about another important aspect of the distributed desktop architecture: the network services. The recent exploits demonstrated at the 19th annual Black Hat USA showed the increasing sophistication of attackers in leveraging machine-to-machine communication and compromising desktops with malware and ransomware for desktop-to-desktop or desktop-to-application-server attacks.

As a consultant building VDI solutions for customers, I saw the rise of east-west traffic in VDI, defined as desktop-to-desktop and desktop-to-application traffic, and its vulnerabilities in virtualization as we started building out VLANs in the datacenter to support centralized-compute VDI. Logically, as we bring the desktops into the datacenter we create increased risk and exposure, from zero-day infection timelines to ransomware, as we centralize these end users, and we complicate the datacenter networking by trying to implement compliance and regulatory provisions across both the desktop domain and the server domain. This is of course just one of many discussions when you talk about security and the desktop; as an example, the recent loss of the Windows Secure Boot golden key allows back-door exploits that are lurking: http://appleinsider.com/articles/16/08/10/oops-microsoft-leaks-its-golden-key-unlocking-windows-secure-boot-and-exposing-the-danger-of-backdoors.

The Distributed Desktop Hyperconvergence architecture is designed to help reduce these risks by keeping the desktop compute out at the edges instead of in the datacenter. It enhances this capability by leveraging NSX for Horizon (https://www.vmware.com/products/horizon/horizon-nsx.html) and decentralized compute appliances, and by creating new network services that help reduce, or possibly eliminate altogether, the WAN connection charges of small businesses to mid-size enterprises by leveraging L2/L3 tunnels. It also provides desktop failover, assuring that the network protection and security requirements persist as desktops fail over or move from appliance to appliance.

What’s NSX for Horizon?

VMware NSX™ for Horizon® brings speed and simplicity to VDI networking. Administrators can set policies that dynamically adapt to the end user’s computing environment, with network security services that map to the user based on role, logical grouping, desktop operating system, and more—independent of the underlying network infrastructure. Centrally administered policy is automatically attached to each desktop VM as soon as the desktop is created, so organizations can scale with confidence, with security that persistently follows the virtual desktop across multiple V3 Desktop appliances.

Sphere 3D V3 Appliances and Network Virtualization

Leveraging the portfolio of appliances, I have created a reference architecture showing how the Sphere 3D EUC Nodes create a complete multi-site strategy, from small to large deployments. First let’s talk about the rationalized compute platform that is laid down on all V3 appliances. This is the vSphere 6 hypervisor, built from a prescribed BOML, with the drivers and VIBs loaded to support GPUs, networking and advanced PCI technologies. Once turned on, it leverages DCO to support desktop orchestration and automation for Horizon to deploy desktops. This deployment could be with an EUC Node (2U) for hosted desktops, or our (1U) Flex Node for offline desktops or Horizon Flex. Flex Nodes are built as a building block for the V3 DDH, providing management functions for small to medium vCenter and View deployments, or, for secure environments, supporting distributed functions like NSX Manager, Service Composer and Controller clusters. NSX for Horizon, once deployed, will enable DFW and DLR on the (2U) EUC Nodes. Below is an architecture diagram illustrating how we would deploy a multi-site architecture with the minimal requirement of an Internet connection, connecting two branch offices with an L2VPN (software VPN to software VPN) or up to ten branches using L3 (hardware-based VPN to NSX) Edge Services.

[Architecture diagram: Secure Distributed Desktops using NSX for Horizon with Sphere3D Appliances]


DCO and VMware NSX for Horizon improves desktop virtualization security and helps address east-west threats by enabling administrators to define policy centrally. That policy is then distributed to the hypervisor layer within every V3 appliance, and automatically attached to each virtual desktop as soon as the desktop is created. To secure virtual desktops and adjacent workloads within the data center, VMware NSX implements “micro segmentation,” giving each desktop its own perimeter defense. This “shrink-wrapped security” uses VMware NSX distributed virtual firewalling capability to police traffic to and from each VM, eliminating unauthorized access between desktops and adjacent workloads. When DCO moves the virtual desktop from one appliance to the next, or across different sites, policy will automatically follow it.

The example presented in the architecture is a main branch needing to connect to two other branches. Using business cable and NSX Edge Services on the V3 Desktop appliance, you can create a transport-layer site-to-site VPN and leverage the multiple appliances as one logical network. This would usually involve having to coordinate and pay for an MPLS circuit and a PVC monthly cost on top of the service costs. IT can now set up DFW rules and implement multi-tiered information access based on compliance for site one, and they get replicated out via the controllers at the main office to the edge services on all the appliances. Control of east-west traffic and of traditional north-south traffic are now under simplified, unified control. Integration of major third parties, such as Trend Micro deep inspection, into NSX allows us to provide a single centralized approach to image management and to maintaining compliance when enforcing policies. This allows IT to respond to threats rather than react to contain them, or fear contamination once exposed, if a single appliance gets compromised.
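To make the “policy follows the desktop” idea concrete, here is a small added example of my own (not Sphere 3D, DCO or VMware NSX code) modelling a distributed firewall whose rules reference security groups defined by VM tags rather than addresses, so a desktop that DCO moves to another appliance with a new IP gets exactly the same allow/deny decisions. The group names, tags, rules and addresses are constructed for the example.

```python
# Toy model of a tag-based distributed firewall (DFW) for virtual desktops.
# Rules reference security groups defined by VM tags, never IP addresses,
# so a desktop keeps the same policy when it moves between appliances.
# All names, tags, rules and addresses below are constructed for this example.
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

@dataclass
class Workload:
    name: str
    tags: Dict[str, str]   # e.g. {"type": "desktop", "role": "finance"}
    appliance: str         # V3 appliance currently hosting the VM
    ip: str                # changes on move; policy must not depend on it

@dataclass
class Rule:
    src: str               # security group name ("any" = no restriction)
    dst: str
    port: Optional[int]    # None matches any port
    action: str            # "allow" or "deny"

# Security groups are membership predicates over tags (constructed).
GROUPS: Dict[str, Callable[[Workload], bool]] = {
    "any": lambda w: True,
    "desktops": lambda w: w.tags.get("type") == "desktop",
    "finance_desktops": lambda w: w.tags.get("type") == "desktop" and w.tags.get("role") == "finance",
    "finance_app": lambda w: w.tags.get("app") == "finance",
}

# First match wins; the last rule is the micro-segmentation default deny.
POLICY: List[Rule] = [
    Rule("finance_desktops", "finance_app", 443, "allow"),
    Rule("desktops", "desktops", None, "deny"),  # no desktop-to-desktop traffic
    Rule("any", "any", None, "deny"),
]

def evaluate(src: Workload, dst: Workload, port: int) -> str:
    """Decide a flow; every appliance evaluates the same central policy."""
    for r in POLICY:
        if GROUPS[r.src](src) and GROUPS[r.dst](dst) and r.port in (None, port):
            return r.action
    return "deny"

def move(vm: Workload, appliance: str, new_ip: str) -> Workload:
    # DCO relocates a desktop: placement and IP change, tags (and policy) do not.
    return Workload(vm.name, vm.tags, appliance, new_ip)

FIN1 = Workload("fin-desk-01", {"type": "desktop", "role": "finance"}, "v3-site1", "10.1.0.11")
ENG1 = Workload("eng-desk-01", {"type": "desktop", "role": "engineering"}, "v3-site1", "10.1.0.12")
FINAPP = Workload("fin-app-01", {"type": "server", "app": "finance"}, "v3-main", "10.0.0.5")
```

Calling `evaluate(move(FIN1, "v3-site2", "10.2.0.11"), FINAPP, 443)` still returns "allow", while any desktop-to-desktop flow is denied regardless of site.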

Secured Distributed Desktops

Understand that an APT (Advanced Persistent Threat) could be resident, as we speak, on any number of your desktops, and that the level of cyber-attacks isn’t decreasing. Desktop security is an inevitability that IT has to respond to, not react to. You will find that most anti-virus, anti-malware, rootkit-removal and similar tools only do 80 percent of the job, not because of product failure but because of human interaction and intent. NSX allows you to create true micro-segmentation to help you respond to the threat rather than just react to the threats of today.

Implementing DDH with NSX is the next level of desktop security for End User Computing.

  • Providing Site to Site failover for Persistent Virtual Desktops
  • Providing Desktop to Desktop security from internal threats or compromised desktops.
  • Providing Desktop to End Application server security
  • Creating a security services offload capabilities like Load Balancing, End-Point Protection or Firewalls
  • Providing Automation and Orchestration for desktop management and recovery
  • Reducing the cost of remote and branch office desktop and infrastructure management

Sphere 3D Elite and Elite Pro partners

Finding the talent and capabilities to deliver this business outcome is key to the mission of end-point protection. We have worked to build our portfolio of partners to support advanced designs with virtual desktops for knowledge workers, business graphics and professional graphics users. Our Elite and Elite Pro partners have experience in delivering End User Computing solutions that incorporate a company’s unique needs with our scalable platform, providing a next-generation desktop platform that truly takes advantage of the technology of today while building for tomorrow. Contact Sales@sphere3D.com if you want to know more or find the local resources to help you understand what’s involved with a Distributed Desktop Hyperconvergence solution.

Editorial Note: I will be out at VMworld 2016 so if you see me stop me and say hi!

Jaymes Davis is the Guru of Innovation and Professional Services, Office of the CTO, for Sphere3D. With nearly two decades of experience in the IT services industry, Jaymes Davis is considered one of the industry’s top consultants, having implemented more than 1000 virtualization and access delivery projects for clients ranging from global enterprises with 20,000+ employees to local and regional SMBs with five to 25 employees. During his career, Jaymes has helped his clients leverage virtualization technologies to increase their IT efficiencies, address business requirements, and lower the total cost of ownership of their IT infrastructures. He is responsible for the design and development of Entisys Solutions’ Virtualization Oriented Architecture™ (VOA), a methodology that closely aligns business strategies with IT infrastructure solutions. Jaymes is a published author whose whitepapers and articles have been endorsed by the industry’s top virtualization experts and innovators. Prior to joining Entisys Solutions in 2006, Jaymes held the position of Chief Technical Architect with Server Centric Consulting. He has spoken at VMworld 2011 and 2012, Citrix Synergy (Best Practices for XenDesktop), Autodesk University and the NVIDIA GPU Technology Conference 2016. Recognized by CRN for the top virtualization practice in North America in 2012 and Tech Elite 250 #1 virtualization practice for 2011 to 2015.
