Desktop Hosting Reference Architecture Guide Session-Based Desktops and Remote Application Services for Hosting Providers

Published: June 2013, Microsoft Corporation

Copyright information

This document is provided "as-is". Information and views expressed in this document, including URL and other Internet website references, may change without notice.

Some examples depicted herein are provided for illustration only and are fictitious. No real association or connection is intended or should be inferred.

This document does not provide you with any legal rights to any intellectual property in any Microsoft product. You may copy and use this document for your internal, reference purposes.

Microsoft, Active Directory, Hyper-V, SQL Server, Windows PowerShell, Windows, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. All other trademarks are property of their respective owners.

© 2013 Microsoft Corporation. All rights reserved.

Desktop Hosting Reference Architecture Guide 2

Contents

1 Desktop Hosting Service Logical Architecture

2 Service Layer

2.1 Tenant Environment

2.1.1 Remote Desktop Web Access

2.1.2 Remote Desktop Gateway

2.1.3 Active Directory Domain Services

2.1.4 Remote Desktop Connection Broker

2.1.5 RD Licensing

2.1.6 Remote Desktop Session Host

2.1.7 File Server

2.2 Provider Management and Perimeter Environments

2.2.1 Active Directory Domain Services

2.2.2 System Center 2012 SP1 Virtual Machine Manager

2.2.3 SQL Server

2.2.4 Tenant Provisioning Portal

2.2.5 Hyper-V Network Virtualization Gateway

2.2.6 Security Considerations

3 Virtualization Layer

3.1 Hyper-V and Virtual Machine Manager

3.2 Scale-Out File Server

4 Physical Layer

4.1 Servers

4.2 Network

5 Tenant On-Premises Components

5.1 Clients

5.2 Active Directory Domain Services

This document defines a set of architectural blocks for creating a multitenant, hosted Windows® desktop and application service, referred to in this document as “desktop hosting.” The primary goal is to enable hosting providers to create secure, scalable, and reliable desktop hosting offerings for small- and medium-sized organizations with up to 1500 users.

The intended audience for this reference architecture is hosting providers who deliver cloud services via the Microsoft Service Provider Licensing Agreement (SPLA) program. To deliver a desktop hosting solution via Microsoft’s SPLA program, hosting partners use Windows Server® and the Windows Desktop Experience feature to give Windows users an application experience that is familiar to business users and consumers. Although Windows 8, Windows 7, and earlier Windows client versions are not licensed for SPLA, the Desktop Experience feature in Windows Server 2012 provides a similar user experience and application support. Hosting providers can use the virtualization rights in Windows Server Datacenter edition to minimize infrastructure licensing costs as they scale the number of users.

The scope of this document is limited to:

Architectural design guidance for a desktop hosting service. Detailed information, such as deployment procedures, performance, and capacity planning, is explained in separate documents. For more general guidance about the fabric and infrastructure, see the following documents:
Infrastructure-as-a-Service Product Line Architecture Fabric Architecture Guide
Infrastructure-as-a-Service Product Line Architecture Fabric Management Architecture Guide

Session-based desktops, RemoteApp applications, and server-based personal desktops that use Windows Server 2012 Remote Desktop Session Host (RD Session Host). Windows client-based virtual desktop infrastructures are not covered because there is no Service Provider License Agreement (SPLA) for Windows client operating systems. Windows Server-based virtual desktop infrastructures are allowed under the SPLA, and Windows client-based virtual desktop infrastructures are allowed on dedicated hardware with end-customer licenses in certain scenarios. However, client-based virtual desktop infrastructures are out-of-scope for this document.

Microsoft® products and features, primarily Windows Server 2012 and System Center 2012 Service Pack 1 (SP1) Virtual Machine Manager (VMM). In a few cases, this document identifies components that must be provided by a third party to complete the desktop hosting solution, but deeper architectural guidance is not provided for third-party components.

Virtualized service workloads. To maximize deployment flexibility, all service workloads are run in Hyper-V® guest partitions, also known as virtual machines.

High availability provided by Hyper-V in a failover cluster. Additional levels of high availability can be provided by guest clustering, but that is out-of-scope for this document. For more information about host and guest clustering, see the following topics:

Your Hyper-V Hosts and Clustering
Super-fast Failovers with Virtual Machine Guest Clustering

Desktop hosting services for tenants ranging in size from 5 to 1500 users. For larger tenants, this architecture may need to be modified to provide adequate performance.

After reading this document, the reader should understand:

The building blocks that are necessary to provide a secure, reliable, multitenant desktop hosting solution.

The purpose of each building block and how they fit together.

There are multiple ways to build a desktop hosting solution based on this architecture. Throughout the document, variations are noted to address different requirements for scale and capability.

1 Desktop Hosting Service Logical Architecture

A logical architecture diagram of the software and hardware components in a hosting provider’s data center is shown in Diagram 1.

Diagram 1: Desktop hosting service logical architecture

The logical architecture diagram shows a three-layer architecture with the following layer definitions:

1. Service: Virtual machines, virtual subnets, and virtual storage that make up the functional service for each tenant and the provider’s management and perimeter services.

2. Virtualization: Windows Server 2012 operating system instances running the Hyper-V role and the Scale-Out File Server for storage virtualization and Hyper-V clustering support.

3. Physical: The racks of physical servers, storage units, networks switches, routers, and so on that make up the provider’s data center.

Hyper-V virtualization technologies enable software components to run on a variety of configurations of servers and networking devices. This allows the software to be relatively hardware independent. Consequently, most of the remainder of this document describes the Service and Virtualization layers.

Section 4 briefly describes the physical servers, networks, storage, and so on that are recommended to support this architecture.

2 Service Layer

2.1 Tenant Environment

The provider’s desktop hosting service is implemented as a set of isolated tenant environments. Each tenant’s environment consists of virtual machines that are connected to an isolated virtual subnet. Each virtual machine contains one or more of the components that make up the tenant’s hosted desktop environment. The following subsections describe the components that make up each tenant’s hosted desktop environment.

2.1.1 Remote Desktop Web Access

The Remote Desktop Web Access (RD Web Access) component gives the tenant’s employees a single website where they can authenticate and then access Windows desktops and applications that are hosted in the provider’s data center. By using RD Web Access, Windows applications can be published to a variety of Windows and non-Windows client devices, and they can be selectively published to specific users or groups.

The RD Web Access virtual machine must be dual-homed to connect the provider’s external network to the tenant’s isolated virtual subnet. Consequently, it has two Hyper-V network adapters. Each adapter is connected through a Hyper-V virtual network switch, and each switch connects to one of the host’s physical adapters. One of the physical adapters is connected to the provider’s external network and the other is connected to the provider’s tenant network. Because this virtual machine straddles the Internet-facing and tenant networks, it must not forward IP packets between its two adapters; only the RD Web Access (and, if co-located, RD Gateway) services should bridge them.

The Hyper-V network adapter that is connected to the provider’s external network is configured by using VMM to connect directly to the external network so that packets on this network use the provider’s address space. The Hyper-V network adapter that is connected to the provider’s tenant network is configured with Network Virtualization using Generic Routing Encapsulation (NVGRE) so that the packets are isolated to the tenant’s virtual subnet and address space. This enables users to connect from the public Internet to their RD Web Access server and access Remote Desktop Session Host (RD Session Host) servers and other resources in the tenant’s isolated virtual subnet. This is shown in Diagram 2.

Diagram 2: Dual-homed guest virtual machine

The RD Web Access component requires installation of Internet Information Services (IIS). A Hypertext Transfer Protocol Secure (HTTPS) connection provides an encrypted communications channel between the clients and the server. The server certificate must be issued for the public host name that clients use for the site, and its issuing certification authority must be trusted by the clients. For development and testing purposes, this can be a self-signed certificate that is installed in the clients’ trusted root store. For a released service, the digital certificate must be obtained from a trusted certification authority; otherwise clients receive certificate warnings and cannot distinguish the tenant’s site from a spoofed one (see section 2.2.6).

For tenants with small numbers of users, the RD Web Access and Remote Desktop Gateway (RD Gateway) workloads may be combined in a single virtual machine to reduce cost.

Additional information:
Deploying and Configuring RD Web Access
Publishing RemoteApps in Windows Server 2012
Distribution of Remote Apps and Desktops in Windows Server 2012

2.1.2 Remote Desktop Gateway

The Remote Desktop Gateway (RD Gateway) component enables tenant employees who are using client devices on the public Internet to access Windows desktops and applications that are hosted in an isolated virtual subnet in the provider’s data center. The RD Gateway virtual machine must be dual-homed, so it has two Hyper-V network adapters. Each adapter is connected through a Hyper-V virtual network switch, and each switch connects to one of the host’s physical adapters. One of the physical adapters is connected to the provider’s external network and the other is connected to the provider’s tenant network.

The Hyper-V network adapter that is connected to the provider’s external network is configured by using VMM to connect directly to the external network so that packets on this network use the provider’s address space. The Hyper-V network adapter that is connected to the provider’s tenant network is configured to use Hyper-V NVGRE so that the packets are isolated to the tenant’s virtual subnet and address space. This enables users to connect from the public Internet through RD Gateway and access RD Session Host servers and other resources in the tenant’s isolated virtual subnet. This is shown in Diagram 2.

The RD Gateway component uses Transport Layer Security (TLS, labelled SSL in the RD Gateway configuration) to provide an encrypted communications channel between the clients and the server. As with RD Web Access, the server certificate must be issued for the public host name that clients connect to, and its issuing certification authority must be trusted by the clients; a name mismatch or untrusted issuer causes the Remote Desktop client to refuse the gateway connection. For development and testing purposes, this can be a self-signed certificate. For a released service, the digital certificate must be obtained from a trusted certification authority.

For tenants with small number of users, the RD Web Access and RD Gateway can be combined on a single virtual machine to reduce cost.
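As an added check that is not part of the original guide: the script below verifies that the certificate bound to an RD Web Access or RD Gateway host name meets the requirements stated in sections 2.1.1 and 2.1.2, namely that it is issued by a trusted CA rather than self-signed, is valid for the public host name, carries the Server Authentication EKU, has its private key and is not about to expire. The host name rdgw.tenanta.example.com and the use of the local machine’s personal certificate store are assumptions; the chain check uses the Test-Certificate cmdlet from the PKI module that ships with Windows Server 2012.

```powershell
# Added example, not from the guide. Assumed: the RD Gateway / RD Web Access
# public host name is rdgw.tenanta.example.com and its certificate is in the
# local machine's personal store on the VM where this runs.
Import-Module PKI

function Test-RdPublicCertificate {
    param([Parameter(Mandatory = $true)][string]$DnsName)

    # Newest certificate whose subject/SAN names cover the public host name.
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { ($_.DnsNameList | ForEach-Object { $_.Unicode }) -contains $DnsName } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { return "FAIL: no certificate for $DnsName in LocalMachine\My" }

    $problems = @()
    # Self-signed is acceptable for lab use only (sections 2.1.1 and 2.1.2).
    if ($cert.Subject -eq $cert.Issuer)            { $problems += 'self-signed' }
    if (-not $cert.HasPrivateKey)                  { $problems += 'no private key' }
    if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { $problems += "expires $($cert.NotAfter.ToShortDateString())" }

    # Build the chain and check EKU and host name the way an HTTPS/RDP client does.
    $chainOk = Test-Certificate -Cert $cert -Policy SSL -DNSName $DnsName `
        -EKU '1.3.6.1.5.5.7.3.1' -ErrorAction SilentlyContinue
    if (-not $chainOk) { $problems += 'chain, EKU or host-name check failed' }

    if ($problems.Count -gt 0) {
        return "FAIL $($cert.Thumbprint): " + ($problems -join '; ')
    }
    return "OK $($cert.Thumbprint): trusted certificate for $DnsName"
}

Test-RdPublicCertificate -DnsName 'rdgw.tenanta.example.com'
```

Run it on the RD Web Access and RD Gateway virtual machines (or the combined one) before a tenant goes live; a "FAIL ... self-signed" result means the development certificate was carried over into the released service.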

Additional information:
Deploying and Configuring RD Gateway
What’s New in Windows Server 2012 RD Gateway?
RD Gateway Capacity Planning in Windows Server 2012

2.1.3 Active Directory Domain Services

The tenant’s network includes an Active Directory® Domain Services (AD DS) server for the tenant’s forest and domain. The AD DS server may be provided by the hosting provider and located in the provider’s data center, or it can be located on the tenant’s premises and connected using a VPN connection through the Hyper-V Network Virtualization gateway. All the virtual machines in the tenant’s virtual subnet are joined to the tenant’s domain. All the tenant’s users have user accounts in the tenant’s domain.

To provide a continuously available service, two AD DS server guest virtual machines can be configured on two separate physical servers. The first AD DS domain controller deployed creates the tenant’s domain and the forest. By default, it holds the DNS role, and it is the operations master for all five operations master roles. A second domain controller is promoted as a replica in the tenant’s domain. The second domain controller’s preferred DNS server must be configured to point to the IP address of the first domain controller before running the promotion user interface.
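An added example (not from the guide) of the replica promotion described above, as the steps would be typed on the second AD DS virtual machine. The domain name tenanta.local, the first domain controller’s address 10.10.1.10 and the adapter alias Tenant are assumptions; the cmdlets are from the DnsClient, ServerManager and ADDSDeployment modules in Windows Server 2012.

```powershell
# Added example, not from the guide. Assumed: tenant domain tenanta.local,
# first DC at 10.10.1.10, and this VM's tenant-subnet adapter named "Tenant".
$domainName = 'tenanta.local'
$firstDcIp  = '10.10.1.10'

# 1. Preferred DNS must point at the first DC *before* promotion; otherwise
#    the promotion cannot find the domain's locator (SRV) records.
Set-DnsClientServerAddress -InterfaceAlias 'Tenant' -ServerAddresses $firstDcIp

# 2. Prove the locator record resolves before touching AD DS.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domainName" -Type SRV -ErrorAction Stop
if (-not ($srv | Where-Object { $_.Type -eq 'SRV' })) {
    throw "No DC locator record for $domainName via $firstDcIp"
}

# 3. Install the role binaries; this does not promote the server.
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# 4. Promote as a replica DC in the existing domain, hosting DNS as well.
#    The DSRM password must be unique to this DC and recorded in the
#    provider's secure central store (section 2.2.6), never carried over from
#    a template or another tenant.
$dsrm = Read-Host -AsSecureString -Prompt 'DSRM password for this DC'
$cred = Get-Credential -Message "Domain Admin for $domainName"
Install-ADDSDomainController -DomainName $domainName -Credential $cred `
    -InstallDns -SafeModeAdministratorPassword $dsrm -Force
# The server reboots as a domain controller when the promotion completes.
# After the reboot, confirm inbound replication from the first DC:
#   repadmin /showrepl
```

The same sequence applies to the provider’s management domain in section 2.2.1; only the domain name, the first DC’s address and the credential change.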

The tenant’s forest does not require any trust relationship with the provider’s management forest. A domain administrator account may be set up in the tenant’s domain to allow the provider’s technical personnel to perform administrative tasks in the tenant’s environment (such as monitoring system status and applying software updates by using System Center 2012) and to assist with troubleshooting and configuration. Because this account holds Domain Admin rights in the tenant’s forest, its password must be unique to that tenant and kept in the provider’s secure central store, as described in section 2.2.6.

For small tenants, the physical resource cost can be reduced by combining AD DS, the file server, and Remote Desktop Licensing (RD Licensing) on a single virtual machine on the tenant’s virtual subnet.

Additional information:
What is Active Directory?
Windows Server 2012: What’s new in Active Directory Domain Services?

2.1.4 Remote Desktop Connection Broker

Remote Desktop Connection Broker (RD Connection Broker) manages incoming remote desktop connections to the servers in Remote Desktop Session Host (RD Session Host) server farms, known as collections. RD Connection Broker handles connections to collections of full desktops and to collections of RemoteApps. For new connections, RD Connection Broker can balance the load across the servers in the collection. For a session that was disconnected, RD Connection Broker reconnects the user to the correct RD Session Host server and the disconnected session, which already exists in the RD Session Host farm.

Additional information:
Overview of Remote Desktop Connection Broker (RD Connection Broker)
RD Connection Broker Performance and Scalability

2.1.5 RD Licensing

Each tenant’s environment includes an activated Remote Desktop Licensing server to allow users to connect to the Remote Desktop Session Host (RD Session Host) servers that host the tenant’s desktops and applications. The licensing server is configured in “per user” mode. The provider must acquire the proper number of RDS subscriber access licenses (SALs) based on the number of users signing in to the service each month.

For small tenants, the physical resource cost can be reduced by combining the AD DS, the file server, and RD Licensing components on a single virtual machine in the tenant’s environment.

Additional information:
Overview of Remote Desktop Licensing
Deploying Remote Desktop Licensing Step-by-Step Guide
Managing RDS Licensing Using PowerShell on Windows Server 2012
Generate Per User CAL Report

2.1.6 Remote Desktop Session Host

The Remote Desktop Session Host (RD Session Host) component provides a tenant’s users with session-based desktops and RemoteApp programs. The desktops and apps can be accessed over the Internet from any device running a capable remote desktop connection client. For more information, see the Clients section (5.1) later in this document.

The remote desktops and applications can be organized into collections of one or more RD Session Host servers. The collections can be customized for specific groups of users within each tenant. For example, a collection could be created so that tenant A’s accounting group can access accounting applications but the engineering group cannot access them.

To increase scale to support more users, or applications that use more computer resources, each collection can be expanded by adding more RD Session Host server virtual machines.

In most cases, the RD Session Host servers are shared by multiple users simultaneously. This is the most efficient way to use the provider’s data-center hardware resources for a desktop hosting solution. However, because all sessions on a shared RD Session Host run in the same operating system instance, users must sign in to collections by using non-administrative accounts; a user with administrative rights on the server could affect every other session on it. In certain cases, some users want full administrative access to their Remote Desktop session or RemoteApp session. This can be achieved by using scripts to manually create a personal desktop collection in RD Connection Broker, based on a template that is created by using Windows Server 2012 with the RD Session Host role service enabled, so that each such user gets a dedicated server rather than a shared one.

When the user signs in to a full desktop collection, by default, the user sees a server desktop. Administrators can install the Desktop Experience feature to provide a more client-like experience for the end user. We strongly recommend leveraging the Desktop Experience feature as part of a desktop hosting solution.

2.1.6.1 User Profile Disks

User profile disks allow users to save personal settings and files when they are signed in to a session on an RD Session Host server in a collection, and then have access to the same settings and files when signing in to a different RD Session Host server in the collection. When the user first signs in, a user profile disk (.vhdx file) is created on the tenant’s file server, and that disk is mounted to the RD Session Host server to which the user is connected. For each subsequent sign-in, the user profile disk is mounted, and with each sign-out, it is unmounted. While mounted, the contents of the .vhdx file are visible only in that user’s session; on the file server, access to the file itself is governed by the share and NTFS permissions described in section 2.1.7.

Additional information:
Remote Desktop Services Overview
Windows Server 2012: What’s New in Remote Desktop Services?
Using PowerShell to install, configure and maintain RDS in Windows Server 2012
Easier User Data Management with User Profile Disks in Windows Server 2012
Desktop Experience Overview
Install Desktop Experience on an RD Session Host Server

2.1.7 File Server

The file server provides a shared folder by using the Server Message Block (SMB) 3.0 protocol that is used to create and store user profile disk files (.vhdx) when a user first signs in, and to mount the user profile disk to the appropriate RD Session Host server each time the user signs in. The file server is a member of the tenant’s domain, and access to the user disks is limited: users have no direct access to the share, and a user’s .vhdx is reachable only through the disk that is mounted into that user’s session. The share permissions therefore grant access to the RD Session Host servers’ computer accounts, which perform the mount, rather than to users. Additional shared folders can be configured on the file server to give users a place to share data with other users on the tenant’s private subnet.
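An added example (not from the guide) that builds one tenant collection as sections 2.1.6, 2.1.6.1 and 2.1.7 describe it: a user profile disk share on the file server with permissions for the session hosts only, a session collection restricted to one user group, user profile disks enabled on that share, and one RemoteApp published to the collection. Assumed, since the guide does not name them: an RD deployment already exists with connection broker rdcb.tenanta.local and session hosts rdsh01/rdsh02 added to it; the AD group TENANTA\Accounting for the users; a group TENANTA\RDSH-Computers that contains the session hosts’ computer accounts; file server fs01 with a D: volume; and an application at C:\Program Files\Ledger\ledger.exe. The cmdlets are from the RemoteDesktop and SmbShare modules in Windows Server 2012.

```powershell
# Added example, not from the guide. Assumed: an RD deployment already exists
# with broker rdcb.tenanta.local and session hosts rdsh01/rdsh02; an AD group
# TENANTA\Accounting for the users; a group TENANTA\RDSH-Computers containing
# the session hosts' computer accounts; file server fs01 with a D: volume.
Import-Module RemoteDesktop

$broker = 'rdcb.tenanta.local'
$hosts  = 'rdsh01.tenanta.local', 'rdsh02.tenanta.local'
$share  = '\\fs01.tenanta.local\UserDisks$'

# --- File server: the user profile disk share (section 2.1.7). Only the
# session host computer accounts (which mount the .vhdx files) and Domain
# Admins get access; users get none, so they reach their own disk only
# through the session in which it is mounted.
Invoke-Command -ComputerName 'fs01.tenanta.local' -ScriptBlock {
    New-Item -Path 'D:\UserDisks' -ItemType Directory -Force | Out-Null
    # Drop inherited ACEs and grant an explicit, minimal NTFS ACL.
    icacls 'D:\UserDisks' /inheritance:r `
        /grant 'SYSTEM:(OI)(CI)F' `
        /grant 'TENANTA\Domain Admins:(OI)(CI)F' `
        /grant 'TENANTA\RDSH-Computers:(OI)(CI)F' | Out-Null
    New-SmbShare -Name 'UserDisks$' -Path 'D:\UserDisks' `
        -FullAccess 'TENANTA\RDSH-Computers', 'TENANTA\Domain Admins' `
        -EncryptData $true    # SMB 3.0 encryption for the .vhdx traffic
}

# --- Broker: one collection for the accounting group (section 2.1.6).
New-RDSessionCollection -CollectionName 'Accounting' -SessionHost $hosts `
    -ConnectionBroker $broker

# Only members of this group can sign in to the collection.
Set-RDSessionCollectionConfiguration -CollectionName 'Accounting' `
    -ConnectionBroker $broker -UserGroup 'TENANTA\Accounting'

# User profile disks on the share above, capped at 10 GB per user (2.1.6.1).
Set-RDSessionCollectionConfiguration -CollectionName 'Accounting' `
    -ConnectionBroker $broker -EnableUserProfileDisk `
    -DiskPath $share -MaxUserProfileDiskSizeGB 10

# Publish one RemoteApp to the collection. Engineering users are not in the
# collection's user group, so RD Web Access never lists it for them.
New-RDRemoteApp -CollectionName 'Accounting' -ConnectionBroker $broker `
    -DisplayName 'Ledger' -Alias 'ledger' `
    -FilePath 'C:\Program Files\Ledger\ledger.exe'

# Check what the broker actually recorded for the profile disk settings.
Get-RDSessionCollectionConfiguration -CollectionName 'Accounting' `
    -ConnectionBroker $broker -UserProfileDisk
```

The two Set-RDSessionCollectionConfiguration calls are separate because the user-group and user-profile-disk settings belong to different parameter sets of that cmdlet. Run the file-server step before enabling profile disks: the broker validates that the session hosts can reach the share when the setting is applied.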

Additional information:
File and Storage Services Overview

2.2 Provider Management and Perimeter Environments

2.2.1 Active Directory Domain Services

The provider’s management environment includes an Active Directory Domain Services (AD DS) server for the provider’s management forest and domain. All the virtual machines in the provider’s management environment and the hosts in the virtualization layer are joined to the provider’s management domain. All the provider’s administrative users have user accounts in the provider’s management domain. The provider’s forest does not require any trust relationship with the tenant forests.

Hyper-V host clusters can be used to provide a base level of high availability for the management and perimeter workloads. To provide a more continuously available service, two AD DS server guest virtual machines can be configured on two separate clusters. The first AD DS domain controller that is deployed creates the provider’s domain and forest. By default, it holds the DNS role, and it is the operations master for all five operations master roles. A second domain controller is promoted as a replica in the provider’s domain. The second domain controller’s preferred DNS server must be configured to point to the IP address of the first domain controller before running the promotion user interface.

2.2.2 System Center 2012 SP1 Virtual Machine Manager

System Center 2012 SP1 Virtual Machine Manager (VMM) is installed on a virtual machine in the provider’s management network, and it is joined to the provider’s management domain. The provider’s administrators use VMM to create and configure the virtual machines and virtual networks in the tenant environments. The VMM database is hosted on the SQL Server® failover cluster instance (FCI) that is also on the provider’s management network.

The VMM console is installed to allow administrators to manually create virtual machines and virtual networks. This can later be automated by using Windows PowerShell® scripts. Before you install VMM, the following components must be installed:

SQL Server 2012 command-line utilities and the native client. This enables VMM to communicate with SQL Server, which is running in a separate virtual machine.

Windows Assessment and Deployment Kit (ADK) for Windows 8.

Hyper-V host clusters are used to provide high availability for the management and perimeter workloads, including VMM.

Additional information:
System Center 2012 – Virtual Machine Manager
System Requirements for System Center 2012 SP1
System Requirements for SC 2012 - VMM
System Requirements: VMM Database
Installing a Highly Available VMM Management Server
Windows ADK for Windows 8
SQL Server 2012 Command Line Utilities
SQL Server 2012 Native Client
Using a Remote Empty Database for VMM Installation
Overview of System Center 2012 – Virtual Machine Manager

2.2.3 SQL Server

Microsoft SQL Server is used by VMM to save information about the data center deployment. Hyper-V host clusters are used to provide high availability for the management and perimeter workloads, including SQL Server. To provide a more continuously available SQL Server service, a native high availability solution can be implemented in SQL Server.

Additional information:
Configuring a Remote Instance of SQL Server for VMM
Using a Remote Empty Database for VMM Installation
High Availability Solutions (SQL Server)
AlwaysOn Failover Cluster Instances (SQL Server)
Configure a Server to Listen on a Specific TCP Port (SQL Server Configuration Manager)

2.2.4 Tenant Provisioning Portal

The provider may want to create a tenant provisioning portal that resellers and tenant administrators can use directly to self-provision. A tenant provisioning portal for desktop hosting is not provided by Microsoft at this time, but one can be obtained from third-party developers or developed by using the Service Provider Framework (SPF) for VMM or the Windows Azure Pack.

Additional information:
Service Provider Framework
Windows Azure Pack

2.2.5 Hyper-V Network Virtualization Gateway

The tenant’s components communicate with each other in a virtualized network environment that is running on Hyper-V. Packets are isolated on the tenant’s virtual subnet. However, the tenant’s sessions running on the RD Session Host servers need to communicate with the non-virtualized network to access the Internet. This is done by using Hyper-V Network Virtualization Gateway, which decapsulates the NVGRE packets and routes them to the Internet.

Hyper-V Network Virtualization Gateway is dual-homed. One network adapter connects to the provider’s tenant network and carries encapsulated traffic from each tenant’s virtual subnet, and the other network adapter connects to the provider’s perimeter network.

Hyper-V Network Virtualization Gateway can also support site-to-site virtual private networking (VPN) connections between the tenant’s on-premises network and the tenant’s virtual subnet in the provider’s data center. This is referred to as a hybrid cloud model in the Hyper-V Network Virtualization Gateway Architectural Guide.

This allows the hosted desktops to access the on-premises resources. For example, a tenant’s desktop hosting environment can utilize an AD DS server on the tenant’s on-premises network. In this configuration, an AD DS virtual machine is no longer needed in the hosted environment. Alternatively, an AD DS virtual machine could be provided in the hosted environment, but promoted as a replica in the tenant’s domain.

Microsoft does not provide Hyper-V Network Virtualization Gateway in Windows Server 2012. However, third-party products are available, based on the specifications that are detailed in the Additional information list that follows. (Note that Windows Server 2012 R2 will include Hyper-V Network Virtualization Gateway.)

Additional information:
Hyper-V Network Virtualization Technical Details
Windows Server 2012 Hyper-V Network Virtualization Survival Guide
Hyper-V Network Virtualization Gateway Architectural Guide
NVGRE Draft RFC

2.2.6 Security Considerations

This desktop hosting reference architecture is designed to provide a highly secure and isolated environment for each tenant. The security of the system also depends on safeguards taken by the provider during deployment and operation of the hosted service. Following is a list of some mitigations that the provider must consider to ensure the security of a desktop hosting solution based on this reference architecture.

RD Web Access and RD Gateway are connected to the provider’s external network, which is exposed to the Internet through one or more firewalls. The provider must apply techniques (such as traffic monitoring, analysis, and control) to mitigate denial-of-service (DoS) attacks from overloading the RD Web Access and RD Gateway components.

Restrictions must be set on resources (such as storage, CPU, memory, and networking) to prevent one tenant from interfering with the performance and functionality of other tenants' services.
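As an added example (not part of the guide), the following Windows PowerShell script applies CPU, memory, and network ceilings to every virtual machine belonging to one tenant on a Hyper-V host, using the Hyper-V module cmdlets Set-VMProcessor, Set-VMMemory, and Set-VMNetworkAdapter. It assumes tenant VMs are named with a per-tenant prefix (for example "TenantA-RDSH1"); the prefix convention, the threshold values, and the host name are assumptions, not values from the guide.

```powershell
# Added example: per-tenant resource ceilings on a Hyper-V host.
# Assumption: VMs for one tenant are named "<TenantPrefix>-<Role>".
param(
    [Parameter(Mandatory)] [string] $TenantPrefix,   # e.g. "TenantA" (assumed naming convention)
    [int]  $CpuMaximumPercent = 50,                  # ceiling, percent of each virtual processor
    [int]  $CpuReservePercent = 10,                  # guaranteed floor so the tenant is not starved either
    [long] $MaxMemoryBytes    = 8GB,                 # hard upper bound for dynamic memory
    [long] $NetMaxBps         = 1000000000           # 1 Gbps cap per virtual network adapter
)

$vms = Get-VM | Where-Object { $_.Name -like "$TenantPrefix-*" }
if (-not $vms) { throw "No VMs found with prefix '$TenantPrefix-'" }

foreach ($vm in $vms) {
    # CPU: reserve a floor and enforce a ceiling. RelativeWeight keeps all tenants equal
    # when the host is oversubscribed; adjust it only for a deliberately tiered service.
    Set-VMProcessor -VM $vm -Reserve $CpuReservePercent -Maximum $CpuMaximumPercent -RelativeWeight 100

    # Memory: bound how much the VM can balloon up to. Enabling dynamic memory
    # itself requires the VM to be off; the Maximum can be lowered on a running VM
    # once dynamic memory is already enabled.
    Set-VMMemory -VM $vm -DynamicMemoryEnabled $true -MaximumBytes $MaxMemoryBytes

    # Network: cap egress bandwidth on every adapter attached to the VM (bits per second).
    # Storage IOPS caps (Storage QoS) are not available in Windows Server 2012 and are
    # therefore not set here.
    Get-VMNetworkAdapter -VM $vm | Set-VMNetworkAdapter -MaximumBandwidth $NetMaxBps
}

# Verification: report the effective limits so the change can be audited per tenant.
$vms | ForEach-Object {
    $proc = Get-VMProcessor -VM $_
    $mem  = Get-VMMemory    -VM $_
    $nic  = Get-VMNetworkAdapter -VM $_ | Select-Object -First 1
    [pscustomobject]@{
        VM            = $_.Name
        CpuReservePct = $proc.Reserve
        CpuMaxPct     = $proc.Maximum
        MemMaxGB      = [math]::Round($mem.Maximum / 1GB, 1)
        NetMaxBps     = $nic.BandwidthSetting.MaximumBandwidth
    }
} | Format-Table -AutoSize
```

Run it once per tenant on each Hyper-V host (or through a VMM-driven job) and keep the verification output with the tenant's change record.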

All administrative passwords must be strong, and ideally randomly generated, changed frequently, and saved in a secure central location that is accessible only by a select few provider administrators.

Care must be taken when replicating the tenant environment for new tenants to avoid using the same or weak administrative passwords.


The RD Web Access site URL, name, and certificates must be unique and recognizable to each tenant to mitigate spoofing attacks.

Additional information:
Security and Protection Overview
Strong Passwords
Security Best Practices for IIS 8
Secure Windows Server 2012


3 Virtualization Layer

3.1 Hyper-V and Virtual Machine Manager

The physical computer and networking resources in the provider's data center are virtualized by using Hyper-V and VMM. Computers are virtualized by using Hyper-V virtual machines. Networks are virtualized by using Hyper-V virtual switches, Hyper-V network adapters, and Hyper-V Network Virtualization using Generic Routing Encapsulation (NVGRE).

Two-node Hyper-V host clusters with cluster shared volumes (CSVs) provide the base level of high availability for the services in the data center. When a physical host server fails, the virtual machines on that host restart on the other physical host server in the cluster. For a workload that is impacted by the failure, the downtime is the time it takes to start the virtual machine's guest operating system and the associated workload. To reduce downtime, guest clustering can optionally be implemented on top of the host clusters.

All the Hyper-V hosts are members of the provider’s Active Directory forest, and they are included in the provider’s VMM fabric as Hyper-V hosts.

Additional information:
Hyper-V Overview
Failover Clustering Overview
Using Hyper-V and Failover Clustering
Hyper-V Network Virtualization Technical Details
Windows Server 2012 Hyper-V Network Virtualization Survival Guide
Use Cluster Shared Volumes in a Windows Server 2012 Failover Cluster
Your Hyper-V Hosts and Clustering
Super-fast Failovers with Virtual Machine Guest Clustering

3.2 Scale-Out File Server

Physical storage in the provider's data center is virtualized by using the Scale-Out File Server and other storage technologies such as storage pools, storage spaces, and virtual hard disks. Individual disks are combined in a chassis, pooled into logical storage units, and then exposed to the Hyper-V hosts as virtual hard disks on SMB 3.0 shares on the Scale-Out File Server. To provide highly available Cluster Shared Volumes (CSVs) to the Hyper-V host clusters, the Scale-Out File Server is also implemented in a failover cluster.

All the storage hosts are members of the provider’s Active Directory forest, and they are included in the provider’s VMM fabric as storage servers.

Additional information:
Scale-Out File Server for Application Data Overview
What's New in Failover Clustering?
How to Configure a Clustered Storage Space in Windows Server 2012


4 Physical Layer

4.1 Servers

The basic compute block in the provider's data center consists of two Hyper-V hosts implemented in a failover cluster with a Cluster Shared Volume (CSV) that provides shared storage. The minimum hardware requirements for Hyper-V hosts are as follows:

- 64-bit processor.
- Hardware-assisted virtualization. This is available in processors that include a virtualization option, specifically processors with Intel Virtualization Technology (Intel VT) or AMD Virtualization (AMD-V) technology.
- Hardware-enforced Data Execution Prevention (DEP) must be available and enabled. Specifically, you must enable the Intel XD bit or the AMD NX bit.

The minimum and recommended server hardware is out of scope for this document, but it is typically determined by the maximum workloads running on the RD Session Host servers or by the maximum number of simultaneous connections through RD Gateway. A tenant's desktop hosting environment can be scaled up by adding more virtual memory and virtual processors to the virtual machines. The minimum hardware in the provider's data center must be sufficient to support the maximum tenant virtual machine workloads.

Additional information:
Hyper-V Overview
RD Gateway Capacity Planning in Windows Server 2012

4.2 Network

To support desktop hosting, a minimum of five independent networks must be implemented as follows:

1. External network: This network carries the incoming traffic from the public Internet via the provider's firewalls.

2. Tenant network: This network carries the encapsulated traffic for all tenants that are hosted in the provider's data center. This network is not directly accessible by any of the tenants (it is only accessible through NVGRE). This network must use static IP addresses in the provider's address space, and it must be defined in a VMM logical network pool.

3. Management network: This network carries the provider's management traffic for managing the Hyper-V hosts by using AD DS and VMM.

4. Storage network: This network carries all storage traffic between the Scale-Out File Server and the Hyper-V hosts.

5. Perimeter network: This network carries traffic to and from the public Internet.


Each of these networks must be implemented with a minimum of two redundant connection paths to ensure high availability in the event of a network hardware failure. All networks must be a minimum of 1 GB Ethernet, and 10 GB Ethernet is recommended.

Additional information:
Windows Server 2012 NIC Teaming (LBFO) Deployment and Management


5 Tenant On-Premises Components

5.1 Clients

To access the hosted desktops and applications, the tenant's users must use Remote Desktop Connection (RDC) clients that support Remote Desktop Protocol (RDP) 7.1 or higher. In particular, the client must support Remote Desktop Gateway and Remote Desktop Connection Broker. To deliver applications to the local desktop, the client must also support the RemoteApp feature. To achieve the highest gateway scale, the client must support pure HTTP transport connections to RD Gateway. Examples include the RDC clients that are available in computers running Windows 7 with SP1 or Windows 8. There are also third-party RDC clients available for non-Windows operating systems.

Additional information:
RemoteFX Enabled Devices
What's new in Windows Server 2012 Remote Desktop Gateway

5.2 Active Directory Domain Services

Some larger and more sophisticated tenants may choose to host an Active Directory Domain Services (AD DS) server on their premises. This is supported by allowing a VPN connection through the Hyper-V Network Virtualization Gateway from the tenant's premises network to the tenant's virtual subnet in the provider's data center. This is described in the Hyper-V Network Virtualization section earlier in this document and in the Hybrid Cloud (S2S VPN) section of the Hyper-V Network Virtualization Gateway Architectural Guide.
