Hybrid deployment guide – vSphere
Revision 1.2, November 2024
Hybrid deployment of Apporto NextGen requires actions from your own on-premises team as well as the Apporto team. Prospective customers should confirm that all necessary prerequisites are in place prior to starting the deployment.
Some activities will require involvement from Apporto. Contact your assigned Apporto Customer Success Manager for assistance in implementation, setup, and training.
Use the information in this guide to learn about:
- Prerequisites
- How to prepare for deployment
- Installation of on-premises components
- Configuration of system connections
- Security measures
- As-built configurations
Prerequisites
Hardware
All Apporto components can be deployed in a virtual environment running on VMware, Hyper-V, etc. Physical servers are not required unless customers want to present physical GPU cards directly, avoiding the performance loss and potential extra licensing fees of hypervisor passthrough. Virtualized servers are recommended for the ability to create snapshots and clone VMs.
The base configuration for Apporto is a single cluster of three Linux-based appliances to host the hyperstream technology. A standard Microsoft RDS farm is recommended for multi-user desktop delivery or a collection of dedicated VMs for single user desktop delivery. The Apporto management portal is cloud hosted and managed by Apporto.
- Hyperstream Linux servers: 3x Nodes. 2vCPU, 8 GB RAM, 50 GB Disk
- RDS farm members: Dependent on the workload and performance required for each user and deployed software
- The table below classifies workload based on the type of users and the type of applications.
Workload | Example users | Example applications
--- | --- | ---
Light | Users doing data entry | Data entry application, command line interface
Small | Content creators | MS Office
Medium | Software engineers | MS Outlook, software development, dynamic web pages
Large | Data science research, math research | SPSS, SAS, MATLAB
GPU | Graphic designers, 3D engineers, machine learning research | CAD/CAM, machine learning
- The following table lists the maximum suggested number of users per CPU core.
Workload type | Maximum users per core | Minimum cores & RAM
--- | --- | ---
Light | 4 | 8 cores, 16 GB RAM + storage (varies by use case)
Small | 2 | 8 cores, 16 GB RAM + storage (varies by use case)
Medium | 1 | 8 cores, 16 GB RAM + storage (varies by use case)
Large | 1/2 | 8 cores, 16 GB RAM + storage (varies by use case)
GPU | 1/4 | 8 cores, 16 GB RAM + storage (varies by use case)
- All VMs should have more than two cores. The UI components in Windows rely on the use of at least two parallel threads for some of the heavier rendering operations. Four cores are the lowest recommended number of cores that a stable multi-session VM should have.
- VMs shouldn’t have more than 32 cores. As the number of cores increases, the system’s synchronization overhead also increases. For most workloads, at around 16 cores, the return on investment gets lower, with most of the extra capacity offset by synchronization overhead. User experience is better with two 16-core VMs instead of one 32-core one.
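The sizing rules above (users per core by workload, the 8-core minimum, at least four cores per VM, and a preference for 16-core VMs over a single 32-core VM) can be turned into a capacity estimate. The following is an added example written for this guide, not an Apporto tool: the ratios and limits come from the tables above, while the example user population is constructed and the choice to balance cores evenly across VMs is an assumption.

```python
"""Capacity estimate for an RDS farm from the sizing table in this guide.

Added example, not Apporto's own tooling. Ratios and VM limits come from the
guide's tables; the even split across VMs is this example's own choice.
"""
from fractions import Fraction
from math import ceil

# Maximum users per core, per workload type (from the sizing table).
USERS_PER_CORE = {
    "light": Fraction(4),
    "small": Fraction(2),
    "medium": Fraction(1),
    "large": Fraction(1, 2),
    "gpu": Fraction(1, 4),
}
MIN_CORES_PER_WORKLOAD = 8   # "8 cores, 16 GB RAM" minimum row in the table
MIN_RAM_GB_PER_VM = 16       # same row; storage is not estimated here
MIN_VM_CORES = 4             # lowest recommended for a stable multi-session VM
TARGET_VM_CORES = 16         # guide prefers two 16-core VMs over one 32-core VM


def cores_for(workload: str, concurrent_users: int) -> int:
    """Cores needed to serve `concurrent_users` of one workload type."""
    if concurrent_users <= 0:
        return 0
    needed = ceil(concurrent_users / USERS_PER_CORE[workload])
    return max(MIN_CORES_PER_WORKLOAD, needed)


def split_into_vms(total_cores: int) -> list[int]:
    """Spread cores over VMs of at most TARGET_VM_CORES each, balanced evenly,
    never below MIN_VM_CORES per VM (assumption: equal-sized VMs)."""
    if total_cores == 0:
        return []
    vm_count = ceil(total_cores / TARGET_VM_CORES)
    per_vm = max(MIN_VM_CORES, ceil(total_cores / vm_count))
    return [per_vm] * vm_count


def size_farm(users_by_workload: dict[str, int]) -> dict[str, dict]:
    """Per-workload plan: cores needed, VM core counts and minimum RAM per VM."""
    plan = {}
    for workload, users in users_by_workload.items():
        cores = cores_for(workload, users)
        vms = split_into_vms(cores)
        plan[workload] = {
            "cores_needed": cores,
            "vm_cores": vms,
            "min_ram_gb_per_vm": MIN_RAM_GB_PER_VM if vms else 0,
        }
    return plan


if __name__ == "__main__":
    # Constructed example population, not from the guide.
    for name, row in size_farm({"light": 100, "medium": 40, "gpu": 6}).items():
        print(f"{name:7s} cores={row['cores_needed']:3d} vms={row['vm_cores']}")
```

The output is a starting point only: the table's RAM figure is a floor per VM, and storage, profile containers and GPU assignment still have to be sized for the specific applications in use.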
Network
- Port 443 inbound: We recommend placing a customer-provided load balancer in front of the hyperstream cluster. Customers that do not have a load balancer can instead use a simple NAT from a public IP to a floating IP on the hyperstream appliance network. IP addresses for the three hyperstream nodes are required to set up the cluster appliances.
If a network load-balancer is to be used, we require the load-balancer to terminate the SSL connection on the VIP and re-encrypt the real-server traffic. This enables the customer to use their own SSL certificate and also allows the load-balancer to be configured using a sticky-session LB algorithm.
If a load-balancer will not be utilized, a floating IP must be allocated on the same subnet as the hyperstream nodes. This floating IP will need to be NATed to the public IP, providing ingress access to the hyperstream cluster.
- Port 30443 & 30080 internal: Internal communication channels between hyperstream cluster nodes
- Port 3389 internal: Used to connect hyperstream cluster nodes and an RDS farm
- Port 636 internal: Used for LDAPS communication during authentication and Active Directory synchronization of usernames and groups
- Public IP and public domain address: Used to facilitate the connection between the Apporto cloud-hosted control plane and the internally-hosted hyperstream cluster
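The port list above is small enough to verify end to end before involving Apporto: 443 on the public name (where the load balancer or NAT should present the customer's certificate), 30443/30080 between nodes, 3389 to the RDS farm, and 636 LDAPS to Active Directory. The script below is an added example for this guide, not part of the Apporto product; the host names are constructed placeholders, and the ports are the ones listed in this section. TLS flows are checked with a verified handshake, so a wrong or self-signed certificate on the VIP or the domain controller shows up as a failure rather than passing as a plain TCP connect.

```python
"""Pre-flight check of the network paths this guide requires.

Added example, not part of the Apporto product. Host names are constructed
placeholders; the ports come from the Network section of the guide.
"""
import socket
import ssl
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    purpose: str
    host: str
    port: int
    tls: bool = False      # expect a TLS listener and verify its certificate


def required_flows(nodes, rds_host, ldaps_host, public_fqdn):
    """Flows from the guide: 443 to the public name, node-to-node 30443/30080,
    3389 to the RDS farm, 636 LDAPS to Active Directory."""
    flows = [Flow("public HTTPS ingress (VIP or NAT)", public_fqdn, 443, tls=True),
             Flow("RDP to RDS farm", rds_host, 3389),
             Flow("LDAPS to Active Directory", ldaps_host, 636, tls=True)]
    for node in nodes:
        for port in (30443, 30080):
            flows.append(Flow("hyperstream cluster internal", node, port))
    return flows


def tcp_probe(host, port, tls, timeout=3.0):
    """Real probe: TCP connect, plus a verified TLS handshake for TLS flows."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        if tls:
            ctx = ssl.create_default_context()   # verifies chain and host name
            with ctx.wrap_socket(sock, server_hostname=host):
                pass
    return True


def run_preflight(flows, probe=tcp_probe):
    """Return {flow: error-or-None}; a probe that raises marks the flow failed."""
    results = {}
    for flow in flows:
        try:
            probe(flow.host, flow.port, flow.tls)
            results[flow] = None
        except OSError as exc:           # ssl.SSLError and timeouts are OSErrors
            results[flow] = f"{type(exc).__name__}: {exc}"
    return results


def failures(results):
    """Sorted human-readable list of the flows that failed."""
    return sorted(f"{f.host}:{f.port} ({f.purpose})"
                  for f, err in results.items() if err)


if __name__ == "__main__":
    # Constructed placeholder names; replace with the real hosts.
    flows = required_flows(
        ["hs-node1.corp.example", "hs-node2.corp.example", "hs-node3.corp.example"],
        "rds01.corp.example", "dc01.corp.example", "desktops.example.com")
    for line in failures(run_preflight(flows)) or ["all required flows reachable"]:
        print(line)
```

Run it from one of the hyperstream nodes (or a host on the same subnet) so the internal flows are tested from where they will actually originate; a pass on 443 from inside the network does not prove the public NAT or VIP works, so repeat that single flow from an external vantage point as well.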
Licensing
Customers should obtain RDS CALs from Microsoft or a reseller if planning to run multi-user desktop sessions. Use the diagram below to visualize the system setup.
How to prepare for deployment
- Apporto Engineering will deploy the cloud-hosted management portal upon receipt of payment for Apporto licensing. Customer logins will be provided by the Apporto Customer Success team during the onboarding process.
- It is recommended that customers take into consideration the capacity required to scale out the RDS farm and hyperstream cluster as user adoption increases. For any new system deployment, a solid backup and DR/BC plan is important to maintain a high level of service. Apporto recommends snapshotting the hyperstream nodes.
- Deployment preparation checklist:
- Compute capacity
- Storage capacity
- Backup capacity
- Load balancer
- IP addresses (private & public)
- SSL certificate
- Active Directory
- Domain admin account
- Windows Server installation media
- Additional software installation media
- License keys, as needed
- Software deployment tool (SCCM, Intune, etc.)
- Anti-virus/malware protection
- Profile management solution (FSLogix, ProfileUnity, etc.)
Installation of on-premises components
- Prepare and build your RDS farm according to Microsoft best practices for session-based desktop deployment. See the following Microsoft article for additional information – https://learn.microsoft.com/en-us/windows-server/remote/remote-desktop-services/welcome-to-rds.
The following roles do not need to be deployed: Remote Desktop Connection Broker (RD Broker), RD Web Access, and Remote Desktop Gateway (RD Gateway). Depending on existing services, customers may need to deploy the Remote Desktop Licensing role to manage and issue RDS CALs.
- Confirm connectivity to your hosted desktops via RDP using the native client.
- Apply the GPO settings provided by Apporto to each RDS farm server. Use the image below for reference.
- Request OVA prep from Apporto.
- Download the OVA file to your hypervisor environment and place it on shared storage.
- Deploy three (3) hyperstream nodes from the OVA file. Refer to the following article for additional information – https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.hostclient.doc/GUID-FBEED81C-F9D9-4193-BDCC-CC4A60C20A4E_copy.html.
- Configure the hyperstream nodes with the correct compute, memory, storage, and network settings
- ClusterName = customer’s choice (lowercase)
- Region ID = any six-character designation for the environment's location
- Node_Role = mix for 1 VM, worker for remaining 2 VMs (*Apporto may change this configuration based on the number of expected concurrent users in production.)
- RegistrationID = provided by Apporto team
- Node Host Name = customer’s choice (lowercase)
- Network Mode = DHCP/Manual selection
- IP Address (CIDR) = customer’s choice
- Default Gateway = customer’s choice
- Nameservers = customer’s choice
- Search Domains = customer’s choice
- Deploy the SSL certificate to your load balancer (if in use) or provide it to Apporto for installation on the hyperstream nodes.
- Contact Apporto for a hyperstream node configuration push.
- Create a test user account in Active Directory.
- Create a matching test user account in Apporto admin. See the article on adding users for more details.
- Create a test desktop connection in Apporto. See the article on creating virtual desktops.
- Provision your test desktop to the test user.
- Test your virtual desktop launch. See the article on launching desktops for more info.
Configuration of system connections
- Confirm secure connections to your virtual desktops.
- Add the servers to your backup plan.
Security measures
- Apporto offers a high level of security through its browser-based connection and its small number of required ports. Modern browsers isolate the session from the end user's endpoint device, providing a natural security barrier. In addition, the Apporto platform requires only two ports, which dramatically reduces deployment and management complexity as well as the resulting attack surface.
- SSL certificates are critical to encrypting all data to/from Apporto desktops while in transit.
As-built configurations
Keep a record of the following component details.