Architecture and Operation

IT Asset Management (Cloud)

The following diagram shows the operational architecture for the VMware Horizon adapter. Note: The Citrix Cloud adapter architecture is identical to that of VMware Horizon, except that the Horizon Pod and Horizon Pod Federation are replaced with Citrix Cloud, and Citrix Cloud does not use a REST API.



Summary

Both VDI adapters have been created to collect supplementary VDI data. This data will show:
  • Existing VDI devices and templates
  • Existing desktop pools in Horizon, or delivery groups in Citrix where these VDI devices and templates are installed
  • Which users have access to these desktop pools and delivery groups

The FlexNet inventory agent, which is installed on the VDI template, collects application evidence from each of the VDI devices reported by the VMware Horizon and Citrix Cloud adapters. This application evidence shows all of the software that end-users have access to.

For Horizon, to import the collected supplementary VDI data into IT Asset Management, the VMware Horizon adapter uses PowerShell to query the REST APIs available on each connection server. The connection server acts as a broker and is the main component that fetches the virtual desktop or application(s) and delivers it to the end-user.

For Citrix, to import the collected supplementary VDI data into IT Asset Management, the Citrix Cloud adapter uses the Citrix Remote PowerShell SDK in order to connect to Citrix Cloud and query the relevant API(s).

VMware Horizon documentation pertaining to the REST API used for gathering application evidence on the connection server is available here.

Citrix Cloud documentation pertaining to the API used for gathering application evidence on the connection server is available here.

There are 5 main components in the above diagram:
  • Desktop pool (Horizon) / Delivery group (Citrix): A collection of existing virtual machines. The FlexNet inventory agent collects the application evidence from these machines, which is then mapped to users who have access to that desktop pool or delivery group. Note: Access to a desktop pool or delivery group is defined in Active Directory.
  • Pod / Pod Federation (applicable to Horizon only):
    • A Pod is a collection of existing connection servers. The connection server in VMware Horizon acts as the broker and is the main component that fetches the virtual desktop or application(s) and delivers it to the end-user. The connection server verifies what each user can access by checking the group and user permissions defined in Active Directory. To be able to pull the data into IT Asset Management, the connection server is queried by the VMware Horizon adapter which is set up on the inventory beacon. The VMware Horizon adapter then collects the information needed to represent the VMware Horizon inventory in IT Asset Management.
    • A Pod Federation is a collection of existing connection server pods.
  • Inventory Beacon: For Horizon, connects to a single connection server in each pod or, in the case of a pod federation, to a single connection server in that federation. For Citrix, makes a single connection to Citrix Cloud. Inventory is then uploaded to the Batch and Inventory Servers. The inventory beacon also imports data from Active Directory, including groups (and their members), users, and computers, and the security identifiers for each item within Active Directory. (These security identifiers, or SIDs, are the same identifiers that the VMware Horizon and Citrix Cloud adapters report for usage of the applications delivered by VMware Horizon and Citrix Cloud.)
  • Inventory Server: Where the application evidence (.NDI file from each VDI device) is received, processed and imported to the IM inventory database. .NDI files are produced by running the FlexNet inventory agent on the VDI.
  • Batch Server: Where data from the IM Inventory Database is processed and imported to the IT Asset Management Compliance database, which in turn drives the VDI template UI. Note: The VMware Horizon and Citrix Cloud adapters have been configured as new compliance connections. VDI data is sent to the Batch server as intermediate data files, which are then processed (matched/merged) with data from other compliance connections to produce a single view of the data and imported to the IT Asset Management database.

What data is retrieved

The data listed below is retrieved by means of running functions in the PowerShell reader that is used to connect to the VMware Horizon REST API or Citrix Cloud API on the configured connection server.
Function: Site name

For Horizon

Returns a string that represents the site name associated with the data from the connection server. If Cloud Pod Architecture (CPA) is in use, the name of the Pod Federation is used: (/rest/federation/v1/cpa - name).

If CPA is not in use, the cluster name which represents a group of connection servers sharing the same configuration is used: (/rest/config/v1/environment-properties - cluster_name).

For Citrix

The Name property of the Citrix site as returned by the Get-BrokerSite cmdlet.

Function: Desktop pools (Horizon) or Delivery groups (Citrix)

For Horizon

Returns each desktop pool along with the following properties for each pool.

/inventory/v2/desktop-pools - source

/inventory/v2/desktop-pools - provisioning_settings - base_snapshot_id

/rest/inventory/v2/desktop-pools - name

/rest/inventory/v2/desktop-pools - id

For Citrix

The delivery groups are interrogated with the Get-BrokerMachine cmdlet. Relevant properties are:
  • DesktopGroupName
  • CatalogName
  • DesktopGroupUUID

Function: Machines

Returns a list of VDIs associated with a desktop pool or delivery group and the corresponding properties for that VDI.

/rest/inventory/v1/machines - name

/rest/inventory/v1/machines - dns_name

/rest/inventory/v1/machines - desktop_pool_id

Specific to Citrix

The VDIs are queried with the Get-BrokerMachine cmdlet. Relevant properties are:
  • DNSName
  • DeliveryType
  • PersistUserChanges

Function: User access

For Horizon

Returns the Active Directory SID for a user or group that has access to a desktop pool.

/rest/entitlements/v1/desktop-pools - ad_user_or_group_ids

If CPA is in use: /entitlements/v1/global-desktop-entitlements

For Citrix

User access is collected with the Get-BrokerAccessPolicyRule cmdlet. Active Directory SID for each user or group in the IncludedUsers property is collected.

Function: Test connection

A test connection button is available in the FlexNet Beacon UI. Selecting test connection will show a successful test if the configured user is able to successfully log into the API, going through any configured proxy.

If the connection fails, the relevant error is fed back to the user.
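
The Horizon fields listed above join into a per-pool access view: pools link to machines through desktop_pool_id and to Active Directory through the entitlement SIDs. The sketch below is an added illustration, not the adapter's own code; all data is constructed, and the entitlement record's id property, the SID-keyed lookup table and the Get-PoolAccessReport function are assumptions.

```powershell
# Constructed sample data, shaped after the fields this page lists (not real API output).
$pools = @(
    [pscustomobject]@{ id = 'pool-01'; name = 'Finance-Desktops' }
    [pscustomobject]@{ id = 'pool-02'; name = 'Dev-Desktops' }
)
$machines = @(
    [pscustomobject]@{ name = 'FIN-VDI-001'; dns_name = 'fin-vdi-001.example.test'; desktop_pool_id = 'pool-01' }
    [pscustomobject]@{ name = 'FIN-VDI-002'; dns_name = 'fin-vdi-002.example.test'; desktop_pool_id = 'pool-01' }
    [pscustomobject]@{ name = 'DEV-VDI-001'; dns_name = 'dev-vdi-001.example.test'; desktop_pool_id = 'pool-02' }
)
# Assumption: each entitlement record names its pool in an "id" property.
$entitlements = @(
    [pscustomobject]@{ id = 'pool-01'; ad_user_or_group_ids = @('S-1-5-21-1000000001-1000000002-1000000003-1105') }
    [pscustomobject]@{ id = 'pool-02'; ad_user_or_group_ids = @('S-1-5-21-1000000001-1000000002-1000000003-1106',
                                                                 'S-1-5-21-1000000001-1000000002-1000000003-4242') }
)
# Constructed stand-in for the Active Directory import, keyed by SID.
$adBySid = @{
    'S-1-5-21-1000000001-1000000002-1000000003-1105' = 'GRP-Finance-VDI (group)'
    'S-1-5-21-1000000001-1000000002-1000000003-1106' = 'dev.user (user)'
}

function Get-PoolAccessReport {
    param($Pools, $Machines, $Entitlements, $AdBySid)
    foreach ($pool in $Pools) {
        # VDIs that belong to this pool (machines.desktop_pool_id -> desktop-pools.id)
        $vdis = @($Machines | Where-Object { $_.desktop_pool_id -eq $pool.id })
        # Every SID entitled to this pool
        $sids = @($Entitlements | Where-Object { $_.id -eq $pool.id } |
                  ForEach-Object { $_.ad_user_or_group_ids })
        foreach ($sid in $sids) {
            $resolved  = $AdBySid.ContainsKey($sid)
            $principal = if ($resolved) { $AdBySid[$sid] } else { '<not in AD import>' }
            [pscustomobject]@{
                Pool      = $pool.name
                Machines  = ($vdis | ForEach-Object { $_.dns_name }) -join ', '
                Sid       = $sid
                Principal = $principal
                Resolved  = $resolved
            }
        }
    }
}

$report = @(Get-PoolAccessReport $pools $machines $entitlements $adBySid)
$report | Format-Table Pool, Principal, Resolved, Machines -AutoSize
# SIDs entitled to a pool but missing from the AD import cannot be mapped to a user; review them.
$report | Where-Object { -not $_.Resolved } | Select-Object Pool, Sid
```

With the sample data, the final pipeline returns one row for Dev-Desktops: the SID ending in 4242, which has an entitlement but no matching Active Directory record.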
