VMware 2V0-51.23 Practice Test - Questions Answers, Page 2

Cloud Pod Architecture is a feature that allows administrators to link multiple Horizon pods across sites and data centers to form a single logical entity called a pod federation. Cloud Pod Architecture enables global entitlements, which allow users to access desktops and applications from any pod in the pod federation. Cloud Pod Architecture also provides load balancing, high availability, and disaster recovery capabilities for Horizon deployments.

However, Cloud Pod Architecture has some feature limitations that administrators should be aware of. Two of these limitations are:

Cloud Pod Architecture does not support Active Directory two-way trusts between domains: This means that the domains that contain the Horizon pods in the pod federation must have a one-way trust relationship, where the domain that contains the Cloud Pod Architecture home site trusts all the other domains, but not vice versa. A two-way trust relationship, where each domain trusts and is trusted by all the other domains, is not supported by Cloud Pod Architecture and can cause authentication and entitlement issues.

Kiosk mode clients are not supported unless a workaround has been implemented: This means that users who log in to Horizon Client in kiosk mode, which is a mode that allows users to access a single desktop or application without entering credentials, cannot access desktops or applications from a Cloud Pod Architecture implementation. Kiosk mode clients are not compatible with global entitlements and load balancing features of Cloud Pod Architecture. However, there is a workaround that involves creating a dedicated user account and a dedicated desktop pool for each kiosk mode client and using a script to launch Horizon Client with the appropriate parameters.For instructions, see VMware Knowledge Base (KB) article 21488881.

The other options are not limitations of Cloud Pod Architecture:

Cloud Pod Architecture is supported with Unified Access Gateway appliances: Unified Access Gateway is a platform that provides secure edge services for Horizon deployments, such as secure remote access, load balancing, and authentication. Unified Access Gateway is compatible with Cloud Pod Architecture and can be configured to route user requests to the appropriate pod in the pod federation based on global entitlements and load balancing policies.

Cloud Pod Architecture can span multiple sites and data centers simultaneously: This is one of the main benefits of Cloud Pod Architecture, as it allows administrators to scale up and out their Horizon deployments across different geographic locations and network boundaries. Cloud Pod Architecture can support up to 15 pods per pod federation and up to 5 sites per pod federation, with a maximum of 200,000 sessions per pod federation.

The Cloud Pod Architecture feature is supported in an IPv6 environment: IPv6 is the latest version of the Internet Protocol that provides a larger address space and enhanced security features for network communication. Cloud Pod Architecture supports IPv6 environments and can operate in mixed IPv4 and IPv6 environments as well.

Horizon Connection Server instances keep their data in an AD LDS database, which is automatically synchronized between the Connection Server. AD LDS is a Lightweight Directory Access Protocol (LDAP) directory service that provides flexible support for directory-enabled applications, without the dependencies that are required for Active Directory Domain Services (AD DS). AD LDS provides much of the same functionality as AD DS, but it does not require the deployment of domains or domain controllers. In a Horizon environment, each Connection Server instance has a copy of the AD LDS database and replicates changes to other Connection Server instances in the same pod.This ensures that the Connection Server instances have consistent and up-to-date information about the Horizon resources and user sessions12Reference:

Configuring Horizon Connection Server1

Understanding VMware Horizon Services2

VMware Horizon Cloud on Microsoft Azure is the only deployment solution that meets all the requirements.VMware Horizon Cloud on Microsoft Azure supports Windows 10 Enterprise multi-session desktops, which are a new Remote Desktop Session Host exclusive to Azure Virtual Desktop on Azure1. It also supports App Volumes, which is a real-time application delivery system that enables IT to instantly provision applications to users or desktops. VMware Horizon Cloud on Microsoft Azure supports centralized brokering, which means that the Horizon Cloud Service acts as a single point of entry for end users to access their virtual desktops and applications. VMware Horizon Cloud on Microsoft Azure also supports automatic routing of end-users to the most appropriate virtual workspace, using the Universal Broker feature. Universal Broker is a cloud-based brokering service that provides a unified user experience across multiple Horizon pods and clouds.

VMware vSphere Desktop Edition does not support Windows 10 Enterprise multi-session desktops, as they are only available on Azure Virtual Desktop1. VMware Workspace ONE Unified Endpoint Management does not support App Volumes, as it is a different solution for managing devices and applications. VMware Horizon On-Premises does not support automatic routing of end-users to the most appropriate virtual workspace, as it requires manual configuration of load balancing and global entitlements.Reference:

Profile production applications in Azure with Application Insights Profiler1

Using Application Profiler - VMware Docs2

First look at profiling tools - Visual Studio (Windows)3

App Volumes Overview

Horizon Cloud Service on Microsoft Azure Architecture

Universal Broker Overview

Workspace ONE UEM Overview

Load Balancing Across Pods and Sites in a Cloud Pod Architecture Environment

The VMware Horizon component that needs to be deployed to allow users to log into VMware Workspace ONE Access and connect to remote desktops and applications without having to provide Active Directory credentials is the Enrollment Server.The Enrollment Server is a standalone service that integrates with VMware Workspace ONE Access and enables True Single Sign-On (SSO) for Horizon clients that are using non-AD-based authentication methods such as RSA SecureID, RADIUS, or SAML1.The Enrollment Server requests short-lived certificates on behalf of the users from a certificate authority (CA), and these certificates are used for authentication to the Horizon environment2.The Enrollment Server must be installed and configured in the same domain or forest as the Connection Server, and it must have an enrollment agent certificate that authorizes it to act as an enrollment agent2.

The other options are not valid or feasible because:

A Replica Server is a Connection Server instance that replicates the Horizon LDAP configuration data from another Connection Server instance, and provides high availability and load balancing for user connections3. A Replica Server does not request or issue certificates for users, and it does not integrate with VMware Workspace ONE Access.

A Security Server is a Connection Server instance that resides within a DMZ and acts as a proxy for external user connections to the Horizon environment4. A Security Server does not request or issue certificates for users, and it does not integrate with VMware Workspace ONE Access.Security Servers are deprecated in Horizon 8 and replaced by Unified Access Gateways (UAGs)4.

A vCenter Server is a management platform that provides centralized control and visibility of vSphere hosts and virtual machines in the Horizon environment5. A vCenter Server does not request or issue certificates for users, and it does not integrate with VMware Workspace ONE Access.

VMware Horizon 8.x Professional by Vmware1

Install and Set Up an Enrollment Server2

Install a Replica Connection Server Instance3

Install a Security Server4

vCenter Server Overview5

Prepare the Windows Server 2019 golden image.

Add an Automated Farm.

Add a RDS deskptop pool.

Entitle AD users and/or groups.

Launch Horizon Client and verify access to RDS desktop.

In a load balanced Horizon POD with three Connection Servers, there are 450 active Blast sessions connected. If one of these Connection Servers runs into an unplanned outage, only the active sessions from the failed Connection Server are disconnected, because HTTPS Secure Tunnel is disabled. This means that the other two Connection Servers can still handle the remaining sessions without interruption.

The HTTPS Secure Tunnel is a feature that allows Horizon Client devices to establish secure connections to virtual desktops and applications through the Connection Server. When this feature is enabled, all the display protocol traffic is tunneled through the Connection Server, which acts as a proxy between the client and the desktop.This increases the security and simplifies the network configuration, but also adds some overhead and dependency on the Connection Server availability1.

When this feature is disabled, the Horizon Client devices connect directly to the desktops using their IP addresses or hostnames, bypassing the Connection Server.This reduces the load and dependency on the Connection Server, but also requires more network configuration and firewall rules to allow direct access to the desktops2.

The Blast Secure Gateway is a similar feature that allows Horizon Client devices to establish secure connections to virtual desktops and applications using the Blast Extreme protocol through the Connection Server. When this feature is enabled, the Blast Extreme traffic is tunneled through the Connection Server, which acts as a gateway between the client and the desktop.When this feature is disabled, the Horizon Client devices connect directly to the desktops using Blast Extreme3.

In this scenario, both HTTPS Secure Tunnel and Blast Secure Gateway are disabled, which means that the Horizon Client devices connect directly to the desktops using Blast Extreme. Therefore, if one of the Connection Servers fails, only the sessions that were authenticated by that Connection Server are affected.The other sessions can continue without interruption, as long as they can reach their desktops directly4.

The other options are not correct for this scenario:

All 450 active sessions are disconnected, and have to re-connect again by the end-user. This would be true if HTTPS Secure Tunnel or Blast Secure Gateway were enabled, and all the display protocol traffic was tunneled through the Connection Server.In that case, any failure of a Connection Server would disconnect all the sessions that were using it as a proxy5.

All active sessions will stay connected, because HTTPS Secure Tunnel and Blast Secure Gateway are disabled. This would be true if there was no dependency on the Connection Server after authentication. However, even with HTTPS Secure Tunnel and Blast Secure Gateway disabled, there is still some communication between the Horizon Client and the Connection Server for session management and heartbeat monitoring. If a Connection Server fails, these communications are lost and the sessions are terminated.

All 450 active session are logged off immediately. This would be true if there was a global setting in Horizon Console to log off users when a Connection Server fails. However, there is no such setting in Horizon Console. The default behavior is to disconnect users when a Connection Server fails, not log them off.

Configuring HTTPS Secure Tunnel

Configuring Network Ports for Direct Connections

Configuring Blast Secure Gateway

Load Balancing Across Multiple Pods

Horizon 7: Monitoring health of Horizon Connection Server using Load Balancer

[Horizon 7 Pods]

[Global Settings for Client Sessions in Horizon Console]

[VMware Horizon Architecture Planning]

Collaboration is a feature that allows users to invite other users to join an existing Windows or Linux remote desktop session with both screen sharing and audio out features enabled. A remote desktop session that is shared in this way is called a collaborative session. The user that shares a session with another user is called the session owner, and the user that joins a shared session is called a session collaborator. A Horizon administrator must enable the Session Collaboration feature for the desktop pool or farm that contains the remote desktops that support collaboration.

One of the requirements to enable Session Collaboration is to use the VMware Blast display protocol for the remote desktops. VMware Blast is a protocol that provides high-performance, high-quality graphics and multimedia delivery over LAN or WAN networks. VMware Blast supports Session Collaboration by allowing multiple users to view and interact with the same remote desktop session simultaneously. Other display protocols, such as PCoIP or RDP, do not support Session Collaboration and will not allow users to share or join collaborative sessions.

Therefore, to enable Session Collaboration in the VMware Horizon environment, the administrator needs to use the BLAST protocol as a requirement.Reference:Configuring Session Collaboration,Sharing Remote Desktop Sessions, and [VMware Horizon 8.x Professional Course]

The URL Content Redirection feature allows administrators to configure specific URLs to open on the client machine or in a remote desktop or published application. This can help reduce the risk of users downloading malware to the corporate network, as well as improve the user experience and performance of certain web applications.

To meet the requirements of the scenario, the administrator needs to enable the URL Content Redirection feature in Horizon Agent when installing or upgrading it on the instant-clone desktops. This will allow Horizon Agent to send or receive URLs from Horizon Client, depending on the redirection direction. The administrator also needs to configure group policy settings to indicate how Horizon Agent redirects the URL. Specifically, the administrator needs to enable agent-to-client redirection, which means that Horizon Agent sends the URL to Horizon Client, which opens the default application for the protocol in the URL on the client machine. The administrator also needs to specify which URLs are redirected from a remote desktop to a client, and which URLs are not redirected. In this case, the administrator needs to configure a whitelist of intranet websites that are allowed to open inside the virtual desktop, and a blacklist of all other websites that are automatically redirected to a browser on the client machine.

The other options are not relevant or sufficient for meeting the requirements. Disabling the Allow External Website feature in Horizon Agent will prevent users from accessing any external websites from their virtual desktops, which might not be desirable or practical. Enabling secure website settings in the Global Settings Security menu will not affect how URLs are redirected, but only how secure connections are established between Horizon components. Enabling the URL Content Redirection feature on the desktop pool settings will not work unless it is also enabled in Horizon Agent and configured with group policy settings.Reference:Configuring URL Content Redirectionand [VMware Horizon 8.x Professional Course]

VMware App Volumes is a real-time application delivery system that allows administrators to assign applications to users and groups in Horizon. App Volumes uses virtual disks called packages to store and deliver applications. When a user logs on to a desktop, the App Volumes agent attaches the assigned packages to the desktop and merges them with the OS disk. The user can then access the applications as if they were natively installed.

App Volumes is a suitable solution for deploying an application to specific users in an instant-clone desktop environment with the following characteristics:

The application needs to be updated very frequently: App Volumes allows administrators to update applications in real time by using the update or push-image operations. These operations replace the existing packages with new ones that have the latest updates applied, without affecting the user data or settings. The updated packages are delivered to the users at the next login or refresh.

The application needs to be installed as soon as possible: App Volumes allows administrators to install applications quickly and easily by using a clean packaging system and capturing the application installation process. The resulting package can be assigned to users or groups immediately, without requiring any recomposing or rebooting of the desktops.

The application is not multi-user aware: App Volumes allows administrators to deliver applications that are not multi-user aware by using writable volumes. Writable volumes are user-specific virtual disks that store user-installed applications, data, and settings. Writable volumes can be attached to desktops along with application packages, and they can isolate the user-installed applications from the system-installed applications.

The other options are not suitable for meeting the requirements:

VMware Horizon Published Application: This option allows administrators to publish applications from RDS hosts to users in Horizon. However, this option requires a separate RDS infrastructure and licensing, and it does not support instant updates or writable volumes for user-installed applications.

VMware Dynamic Environment Manager: This option allows administrators to manage user profiles and policies in Horizon. However, this option does not deliver or update applications, and it does not support writable volumes for user-installed applications.

VMware ThinApp: This option allows administrators to package applications into portable executables that can run on any Windows system without installation. However, this option requires a separate packaging process and licensing, and it does not support instant updates or writable volumes for user-installed applications.