Mid New England Network Users Group, April 02, 2008 – Patrick Rouse
TRANSCRIPT
Agenda – Desktop Virtualization
- About Quest Software
- Desktop Virtualization Basics & Benefits
- Desktop Virtualization Best Practices & Tutorials
- Provision Networks Virtual Access Suite
- Live Demo
Who We Are – Quest Software
- ESX vRanger Pro, vConverter, vOptimizer
- Foglight – Root Cause Analysis for VMware
- Desktop Authority
- Virtual Access Suite
Who We Are – Provision Networks
Provision Networks, a division of Quest Software, produces and markets the award-winning Virtual Access Suite – an enterprise-grade application delivery, virtual desktop provisioning, management and brokering solution.
The Virtual Access Suite is available in three editions:
- Standard Edition: Enhances manageability, stability and usability of Citrix and Terminal Services
- Desktop Services Edition: Enables blade PC and virtual client connections from any virtual infrastructure, including VMware, Virtual Iron, Microsoft and SWsoft.
- Enterprise Edition: Encompasses the Desktop Services & Standard Editions and adds support to Provision-enabled terminal server platforms
Company timeline (1996, 2001, 2004, 2006, 2007):
- Emergent Online founded
- Provision Management Framework launched
- Virtual Desktop Solution introduced
- Virtual Access Suite introduced
- Acquired by Quest Software
- Universal Print Driver for ICA and RDP
Virtual Client Computing Models
[Figure: Virtual Client Computing Models (Source: IDC). Four models are diagrammed, each as a stack of App, OS and hardware layers joined over an IP connection by a transmission (or stream/transfer) protocol:]
- Presentation Virtualization – Shared Remote Desktops: App and OS on server hardware; access software and OS on client hardware.
- Dedicated Remote Desktops: App and OS on a hypervisor on server hardware, or application and OS on blade hardware with a display hardware connection; access software and OS on client hardware.
- Application Virtualization: App and OS on server hardware; the application is streamed or transferred to the OS on client hardware.
- Client Hosted Desktop Virtualization: application and OS on a hypervisor over the host OS on client hardware.
Trade-off labels recovered from the figure (their placement against individual models did not survive extraction): Conflicting Apps; Remote Access; Limited Amt. of Applications; Fixed Security; Fixed Users; High Performance; Fully Customized; Mobility; External Security; Lower Performance; Customization.
VDI Connection Broker Basics
What is a Connection Broker?
A basic connection broker is a service that authenticates a client, retrieves a list of Virtual Desktops and directs the client to its destination.
1. Authenticate and receive back the address of the hosted desktop
2. Connect to the hosted desktop using some type of remote display protocol (for example, RDP)
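The two broker steps above, as an added example written for this transcript rather than code from Provision Networks or the deck: a small PowerShell broker that authenticates against a constructed user table, finds the user's pool, hands back a powered-on unassigned desktop (or the one the user already holds), and refuses before revealing any address when authentication fails. The user names, password hashes, pool names and desktop addresses are all constructed sample data; a real broker would authenticate against Active Directory and read the desktop list from the hypervisor inventory.

```powershell
# Added example, not code from the deck or from Provision Networks: a minimal
# connection-broker decision loop. Users, credentials and desktops are
# constructed in-memory sample data.

$Sha256 = [System.Security.Cryptography.SHA256]::Create()
function Get-Sha256Hex([string]$Text) {
    # Helper for the constructed credential table below.
    ($Sha256.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($Text)) |
        ForEach-Object { $_.ToString('x2') }) -join ''
}

# Constructed users: pool membership plus a hash of a constructed password.
# (A directory bind, or at least a salted slow hash, belongs here in production.)
$Users = @{
    'alice' = @{ Pool = 'Finance';     Hash = Get-Sha256Hex 'alice-demo-pw' }
    'carol' = @{ Pool = 'Engineering'; Hash = Get-Sha256Hex 'carol-demo-pw' }
}

# Constructed desktop inventory, as the broker would read it from Virtual Center.
$Desktops = @(
    [pscustomobject]@{ Name = 'VDI-FIN-01'; Pool = 'Finance';     Address = '10.0.10.11'; PoweredOn = $true;  AssignedTo = $null  }
    [pscustomobject]@{ Name = 'VDI-FIN-02'; Pool = 'Finance';     Address = '10.0.10.12'; PoweredOn = $false; AssignedTo = $null  }
    [pscustomobject]@{ Name = 'VDI-ENG-01'; Pool = 'Engineering'; Address = '10.0.20.11'; PoweredOn = $true;  AssignedTo = 'carol' }
)

function Test-BrokerCredential([string]$User, [string]$Password) {
    # Step 1 on the slide: authenticate before any desktop address is revealed.
    if (-not $Users.ContainsKey($User)) { return $false }
    return ($Users[$User].Hash -eq (Get-Sha256Hex $Password))
}

function Get-BrokeredDesktop([string]$User, [string]$Password) {
    if (-not (Test-BrokerCredential $User $Password)) {
        throw "Authentication failed for '$User'"
    }
    $pool = $Users[$User].Pool

    # A user who already holds a desktop in the pool is sent back to it.
    $mine = $Desktops | Where-Object { $_.Pool -eq $pool -and $_.AssignedTo -eq $User } | Select-Object -First 1
    if (-not $mine) {
        # Otherwise take the first powered-on, unassigned desktop in the pool.
        $mine = $Desktops | Where-Object { $_.Pool -eq $pool -and $_.PoweredOn -and -not $_.AssignedTo } | Select-Object -First 1
        if (-not $mine) { throw "No available desktop in pool '$pool' for '$User'" }
        $mine.AssignedTo = $User
    }
    return $mine.Address
}

# Step 2 on the slide: the client connects with a remote display protocol (RDP).
$addr = Get-BrokeredDesktop 'alice' 'alice-demo-pw'
Write-Output "alice -> $addr  (client would run: mstsc.exe /v:$addr)"
try { Get-BrokeredDesktop 'alice' 'wrong' } catch { Write-Output $_.Exception.Message }
```

Running it assigns VDI-FIN-01 to alice (VDI-FIN-02 is powered off and is skipped), then shows the failure path: a bad password is rejected without the broker ever consulting the inventory, which is the ordering that matters for a service sitting behind an SSL gateway.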
Our Offerings: The Right Desktop for the Right User
[Figure: three desktop types, all brokered through the PN Broker Infrastructure, drawn over a hardware layer of physical / blade PCs and a hypervisor.]
- Task Users – shared desktops / OS: Shared OS / Apps; Not customized; No user control; Server OS desktop; “Published” desktop; One user impacts all.
- Knowledge Workers – dedicated and/or pooled desktops / OS on a hypervisor: Fast and Personal, can be user-customized; Provisioned on-demand; Fully isolated and secure; Standard desktop OS; Platform-agnostic (VMware, Virtual Iron, XenSource, SWsoft, Microsoft).
- Power Users – physical / blade PCs: Fast, Powerful and Consistent; Demanding users / applications; Fully isolated and secure; Standard desktop OS; Platform-agnostic (HP, IBM etc.).
Benefits of Desktop Virtualization
• Centrally control and manage all off-site access to sensitive applications and data. Extend corporate network security policies to off-site facilities.
• Contain desktop proliferation and build standardized, centrally managed desktop environments. Meet HIPAA, SOX, GLBA compliance.
• Quickly recover, re-provision, and re-establish user access to complete desktop environments to ensure business continuity.
• Contingency plans in place to accommodate work-from-home users and employees quarantined due to a pandemic. Telecommuting!
• Each desktop environment is encapsulated in a VM, completely independently of other VMs. If anything goes wrong with one VM, other VMs remain unaffected.
• No lack of support from ISVs. No complex IT training (desktop administrators). No application code modifications and/or repackaging.
• Eliminate squandering of precious computing resources. Eliminate loss/theft of corporate data stored on stolen PCs.
• Branch Office Connectivity. Mergers and Acquisitions. Distributed computing environments can be integrated without major investments in remote IT infrastructures.
Benefits of Desktop Virtualization
[Figure: Physical desktop TCO. Source: Gartner Research]
Best Practices – VDI Host Planning
No more than 1500 Virtual Desktops per VMware Virtual Center
Dedicate specific Virtual Infrastructure (VI) Hosts or Data Centers for VDI
Use Dual Processor, Quad Core, Blade or 1U Servers for VI Hosts
Use iSCSI SAN instead of Fibre Channel to reduce cost per user.
Utilize an iSCSI HBA to reduce CPU usage on VI Hosts.
4-10 Virtual Desktops per CPU Core
16-32GB of RAM per VI Host (unless allocating > 640MB per VM)
Best Practices – Component Placement
Deploy SSL Gateway in DMZ
Web Interface on the same machine, or on the Private Network.
Deploy two Connection Broker Servers (for redundancy and load balancing).
Do NOT allow DRS to move Connection Brokers to the same ESX Host.
All infrastructure servers can be virtualized
Best Practices – Virtual Desktop OS
>= 384MB for each XP Pro Virtual Desktop
Keep VM Disk Files as small as possible
Utilize a Universal Printer Driver (reduced Mgmt, CPU & Bandwidth)
Disable screen savers on VMs (utilize client screensaver)
Schedule Shutdown/Reboot of Virtual Desktops
Enable Remote Control of Desktops (via Terminal Services Manager, Shadow or Remote Assistance)
Configuring Remote Control
Enable tsadmin on XP: allows tsadmin.exe (Terminal Services Manager) or shadow.exe to connect from a remote RDP Session.
Best Practices – Virtual Desktop OS: VDI GPOs
Configure User GPO Settings (VDI User GPO) for Folder Redirection (for My Documents, Desktop, Start Menu & Application Data) and environment lockdown (for non-administrators)
Configure Computer GPO Settings (VDI Computer GPO), i.e. Loopback Policy Processing, RDP Connection Settings, Disabling of Offline Files, Deletion of Roaming Profile Cache…
Roaming Profile Path is defined in the properties of the User’s Active Directory Account
Best Practices – Virtual Desktop OS
Install User Profile Hive Cleanup Service (UPHClean): unloads user profiles that might otherwise get hung unloading.
Alter the Default Explore Path when using Folder Redirection to redirect the Start Menu to a Network Share, so the user’s Default Explore Path is their Home Folder.
Default Explore Path:
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shell\explore\ddeexec]
@="[ExploreFolder(\"%u:\\\\\\\", %u:\\\\, %S)]"
Prevent NTFS from tracking reads (last access time) on the local file system:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem]
"NtfsDisableLastAccessUpdate"=dword:00000001
Best Practices – Virtual Desktop OS
Lock down the System Drive’s NTFS Permissions so normal users can’t install software, spyware, malware… or save data on their Virtual Desktops.
Recommended NTFS Permissions on New System Builds:
%SystemDrive% - Authenticated Users = "Read and Execute"
%SystemDrive% - Administrators = "Full Control"
%SystemDrive% - System = "Full Control"
%SystemDrive% - Creator Owner = "Full Control"
%ProgramFiles% - Authenticated Users = "Read and Execute"
%ProgramFiles% - Administrators = "Full Control"
%ProgramFiles% - System = "Full Control"
%ProgramFiles% - Creator Owner = "Full Control"
Remove the Hgfs Registry Entry (added by VMware Tools) so user profiles unload completely:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order]
"ProviderOrder"="RDPNP,LanmanWorkstation,WebClient"
Best Practices – Disable Unnecessary Windows Services
Consider disabling some or all of the following services, if they are not required in your specific environment:
Computer Browser
Error Reporting
Help & Support
Indexing Service
IPSec
Network Location Awareness
Security Center
Shell Hardware Detection
SSDP Discovery Service
System Restore Service
Task Scheduler
Themes
Windows Firewall
Windows Zero Configuration
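An added example, not a script from the deck or from Provision Networks, that audits the service and registry settings recommended on the preceding slides and changes them only when -Apply is given. It assumes Windows XP service short names (Browser, ERSvc, helpsvc and so on) and an elevated session inside the template VM. The firewall, IPSEC and Security Center services are kept in a separate group that is skipped unless -IncludeProtective is passed, since disabling them removes host-level protection and is only reasonable where the DMZ and gateway controls described earlier cover the desktops.

```powershell
# Added example, not code from the deck or from Provision Networks: audit (and,
# with -Apply, enforce) the XP template settings recommended on these slides.
# Assumptions: Windows XP service short names; run elevated inside the template
# VM; nothing is changed unless -Apply is given.
param([switch]$Apply, [switch]$IncludeProtective)

# Services from the slide, keyed by XP short name.
$DisableServices = @{
    'Browser'  = 'Computer Browser';            'ERSvc'     = 'Error Reporting'
    'helpsvc'  = 'Help and Support';            'CiSvc'     = 'Indexing Service'
    'Nla'      = 'Network Location Awareness';  'ShellHWDetection' = 'Shell Hardware Detection'
    'SSDPSRV'  = 'SSDP Discovery Service';      'srservice' = 'System Restore Service'
    'Schedule' = 'Task Scheduler';              'Themes'    = 'Themes'
    'WZCSVC'   = 'Wireless Zero Configuration (the slide calls it Windows Zero Configuration)'
}
# These remove host-level protection; disable them only when network controls
# (DMZ, SSL gateway, firewall policy) cover the virtual desktops.
$ProtectiveServices = @{
    'PolicyAgent' = 'IPSEC Services'; 'wscsvc' = 'Security Center'; 'SharedAccess' = 'Windows Firewall/ICS'
}

# Registry values from the slides: stop NTFS last-access updates and drop the
# VMware Tools "hgfs" network provider so profiles unload cleanly.
$FileSystemKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem'
$ProviderKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order'

function Get-StartMode([string]$Name) {
    $svc = Get-WmiObject Win32_Service -Filter "Name='$Name'"
    if ($svc) { $svc.StartMode } else { 'NotInstalled' }
}

function Invoke-ServiceAudit([hashtable]$Targets) {
    foreach ($name in $Targets.Keys) {
        $mode = Get-StartMode $name
        $ok = ($mode -eq 'Disabled' -or $mode -eq 'NotInstalled')
        Write-Output ('{0,-18} {1,-12} {2}' -f $name, $mode, $Targets[$name])
        if (-not $ok -and $Apply) {
            Stop-Service -Name $name -Force -ErrorAction SilentlyContinue
            Set-Service  -Name $name -StartupType Disabled
        }
    }
}

function Invoke-RegistryAudit {
    $current = (Get-ItemProperty -Path $FileSystemKey).NtfsDisableLastAccessUpdate
    Write-Output "NtfsDisableLastAccessUpdate = $current (want 1)"
    if ($current -ne 1 -and $Apply) {
        Set-ItemProperty -Path $FileSystemKey -Name NtfsDisableLastAccessUpdate -Value 1 -Type DWord
    }

    $order = (Get-ItemProperty -Path $ProviderKey).ProviderOrder
    # -notmatch is case-insensitive, so 'hgfs' and 'HGFS' are both dropped.
    $clean = ($order -split ',' | Where-Object { $_ -notmatch '^hgfs$' }) -join ','
    Write-Output "ProviderOrder = $order"
    if ($order -ne $clean) {
        Write-Output "  hgfs present; cleaned value would be: $clean"
        if ($Apply) { Set-ItemProperty -Path $ProviderKey -Name ProviderOrder -Value $clean }
    }
}

Invoke-ServiceAudit $DisableServices
if ($IncludeProtective) { Invoke-ServiceAudit $ProtectiveServices }
Invoke-RegistryAudit
```

Run it without switches first to get a report of the current start modes and registry values; the ProviderOrder line shows what the cleaned value would be before anything is written, which is the check worth having before the template is sysprep'd and cloned fifteen hundred times.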
Best Practices – Client Devices
Don't assume that everyone can use a thin client. (No DVD+R, CDR/RW, High-end Graphics)
Choose XPe based thin clients when needing to support USB peripheral devices (printers, scanners, handhelds, storage)
Consider devices with local Internet Browser, Windows Media Player, Adobe Flash Player…
Convert older PCs into diskless thin clients via PXE Boot
Provision Networks Virtual Access Suite
VAS: more than just a “connection broker”
In contrast, VAS is a comprehensive provisioning and delivery framework with a sophisticated brokering service at its core.
- Support for Standard Windows desktop OS (i.e., WinXP, Vista)…
- Physical and virtual machines
- Fully sysprep’d virtual desktops from templates (VMware, Virtual Iron)
- Policy-driven virtual machine power management and pooling
- Policy-driven access
- Standard desktops managed as single-user Terminal Servers
- Integration with MS SoftGrid (Application Virtualization)
- Familiar end-user experience (i.e., desktop and application publishing)
- Seamless windows (w/multi-monitor support)
- Universal print driver
- USB-based PDA redirection
- Web interface and SSL gateway
- Bi-Directional Audio
- Many more…
Provision Networks Virtual Access Suite – New features for version 5.10 (April-May 2008)
- Managed Desktop Group Auto-Expansion: Automatically add additional desktops based on policy.
- Deployment of MSI-Based Application Packages: Install/track/remove MSI-based application packages to managed desktops.
- Scheduled Tasks: Power On, Power Off, Logoff, Reset, Suspend, Resume, Delete Desktop, Enable/Disable Desktop, Copy file to desktop, Install/Uninstall MSI Package
- “Disable Desktop” Option: Individual desktops and desktop groups can be instantly disabled, allowing scheduled maintenance.
- Cross-Group Desktop Naming: Allows multiple desktop groups to conform to a shared (enterprise-wide) desktop naming convention.
- Linux-based PXE Boot Client
- True Multi-Monitor Support, instead of just spanning.
- Bi-Directional Audio / Microphone Redirection
- Server Provisioning: Provision fully sysprep’d virtual Windows Terminal Servers from existing VM Templates, as well as deploy server-based MSI packages.
- Type Ahead: Improves the end-user experience by instantly echoing keystrokes regardless of network latency conditions.
- Time Zone Management: Enables administrators to specify the desired time zone for assignees.
Provision Networks Virtual Access Suite – Available Clients
- Windows 2000, 2003, XP, XP Embedded, Vista
- Windows CE
- Linux
- Wyse Thin OS
- HP NeoLinux
- Java
- Thinstall
- PXE Boot - Linux
Thin Client Vendors
- Computer Labs (CLI)
- Devon IT
- HP
- Wyse
- Affirmative Computing
Desktop Virtualization Solution Calculator
VDI Solution on VMware ESX 3.x with Virtual Center
Cost Per User: $750.08 – Total Cost: $1,125,120.00
Cost items (Qty – Description – Price – Total):
- 40 – IBM X3550, 1U Dual-Quad Core, 16GB, 2x72GB 10KRPM 2.5" SAS, RAID1, QLogic iSCSI Dual Port PCIe HBA (2 extra servers for HA and infrastructure servers) – $8,000.00 – $320,000.00
- 40 – VMware ESX Ent. 2P Lic – $5,898.00 – $235,920.00
- 1500 – Virtual Access Suite Desktop Services Edition License – $50.00 – $75,000.00
- 1500 – Windows Guest OS License Cost – $290.00 – $435,000.00
- 1500 – AntiVirus License – $25.00 – $37,500.00
- 2 – VAS Connection Broker Servers (Virtual) – $700.00 – $1,400.00
- 1 – VAS SSL Gateway Server (Virtual) – $700.00 – $700.00
- 2 – VAS Web Server (Virtual) – $700.00 – $1,400.00
- 1 – Virtual Center Server (Virtual) – $700.00 – $700.00
- 40 – Rack Space, UPS, KVM – $300.00 – $12,000.00
- 1 – VMware Virtual Center License – $5,000.00 – $5,000.00
- $10 – SAN Storage Cost Per VM – $50.00 – $500.00
Variables (Value – Description):
- 8 – CPU Cores Per Virtual Infrastructure Host
- 5 – Virtual Machine Guest OS Per CPU Core (4-10)
- $10.00 – Cost of SAN Storage per GB
- 5 – Size of VM Disk Files (GB) on SAN
- 384 – RAM (MB) Per Virtual Machine Guest OS
- 16384 – Minimum Required RAM (MB) per Virtual Infrastructure Host
- 1500 – Maximum Number of Concurrent Users
- 56 – Average Bandwidth Per Session (Kb)
- 20 – Percentage of WAN Users
- 16800 – Required WAN Bandwidth (Kb)
- 300 – Maximum WAN Connected Users
- 1000 – Maximum Users Supported by SSL Gateway
- 1000 – Maximum Users Supported by Web Server
- $8,000.00 – VDI Host Hardware Cost
- $700.00 – Windows Server OS License for Web/SSL/CB Servers
- $50.00 – VAS Desktop Services License Cost
- $300.00 – Rack Space, UPS, KVM Cost
- $25.00 – Antivirus Client License Cost
- $290.00 – Windows Guest OS License Cost
Not Included in Config Cost: SQL Server - Provision Database; Active Directory Infrastructure; File Server(s) for User Profiles; Windows Print Servers; Firewall with DMZ Port; Redundancy for SSL Gateway and Web Servers
Notes: 1 Virtual Center Host can manage a maximum of 1500 Virtual Desktops. 2 Connection Brokers Per Farm, built in redundancy (no load balancer required). Unlimited Connection Brokers allowed.
References: VMware ESX 3.5 IO Guide; VMware Infrastructure 3 Configuration Maximums; Reasons to use iSCSI HBA instead of TOE NIC; QLOGIC QLE4062C Dual Port PCIe iSCSI HBA; Installing, Configuring and Administering Virtual Access Suite, Desktop Services
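The host-planning rules of thumb given earlier (4-10 desktops per core, 16-32GB per host, no more than 1500 desktops per Virtual Center) and the solution calculator above rest on the same arithmetic, so one added example covers both. It is not the deck's calculator: it is a PowerShell re-implementation of that arithmetic using only the slide's input values, so the host count, WAN bandwidth and the $1,125,120.00 / $750.08 totals can be checked and the inputs varied. Line-item descriptions are shortened, and the SAN line is priced as the slide shows it (10 × $50).

```powershell
# Added example, not the deck's own calculator: reproduces the slide's sizing
# arithmetic from its input variables so the figures can be checked, and shows
# which rule of thumb (VMs per core, RAM per host, Virtual Center limit) binds.
# All inputs are the slide's values; nothing here queries a live system.

function Get-VdiSizing {
    param(
        [int]$Users = 1500, [int]$CoresPerHost = 8, [int]$VmsPerCore = 5,
        [int]$RamPerVmMB = 384, [int]$HostRamMB = 16384, [int]$SpareHosts = 2,
        [int]$MaxVmsPerVirtualCenter = 1500, [int]$KbPerSession = 56,
        [int]$WanUserPercent = 20, [int]$MaxUsersPerGateway = 1000
    )
    $byCpu = $CoresPerHost * $VmsPerCore                 # 40 VMs/host
    $byRam = [math]::Floor($HostRamMB / $RamPerVmMB)     # 42 VMs/host
    $vmsPerHost = [math]::Min($byCpu, $byRam)            # CPU is the limit here
    $hosts = [math]::Ceiling($Users / $vmsPerHost) + $SpareHosts   # 38 + 2 = 40
    $wanUsers = [int]($Users * $WanUserPercent / 100)    # 300
    [pscustomobject]@{
        VmsPerHost     = $vmsPerHost
        Hosts          = $hosts
        VirtualCenters = [math]::Ceiling($Users / $MaxVmsPerVirtualCenter)
        WanUsers       = $wanUsers
        WanBandwidthKb = $wanUsers * $KbPerSession       # 16800
        SslGateways    = [math]::Ceiling($wanUsers / $MaxUsersPerGateway)
    }
}

function Get-VdiCost([int]$Users = 1500, [int]$Hosts = 40) {
    # Line items as the slide prices them. The SAN line is kept as shown there
    # (10 x $50); costing storage for every VM would be Users x 5 GB x $10/GB.
    $items = @(
        @{ Qty = $Hosts; Desc = 'IBM X3550 host with iSCSI HBA';         Price = 8000 }
        @{ Qty = $Hosts; Desc = 'VMware ESX Enterprise 2P licence';       Price = 5898 }
        @{ Qty = $Users; Desc = 'VAS Desktop Services Edition licence';   Price = 50   }
        @{ Qty = $Users; Desc = 'Windows guest OS licence';               Price = 290  }
        @{ Qty = $Users; Desc = 'Antivirus licence';                      Price = 25   }
        @{ Qty = 2;      Desc = 'VAS Connection Broker server (virtual)'; Price = 700  }
        @{ Qty = 1;      Desc = 'VAS SSL Gateway server (virtual)';       Price = 700  }
        @{ Qty = 2;      Desc = 'VAS Web server (virtual)';               Price = 700  }
        @{ Qty = 1;      Desc = 'Virtual Center server (virtual)';        Price = 700  }
        @{ Qty = $Hosts; Desc = 'Rack space, UPS, KVM';                   Price = 300  }
        @{ Qty = 1;      Desc = 'VMware Virtual Center licence';          Price = 5000 }
        @{ Qty = 10;     Desc = 'SAN storage per VM (5 GB @ $10/GB)';     Price = 50   }
    )
    $total = 0
    foreach ($i in $items) {
        $line = $i.Qty * $i.Price
        $total += $line
        Write-Output ('{0,5} x {1,-40} {2,12:N2}' -f $i.Qty, $i.Desc, $line)
    }
    [pscustomobject]@{ Total = $total; PerUser = [math]::Round($total / $Users, 2) }
}

$size = Get-VdiSizing
$size | Format-List
Get-VdiCost -Users 1500 -Hosts $size.Hosts | Format-List   # Total 1,125,120.00; PerUser 750.08
```

With the slide's inputs the CPU rule (8 cores × 5) caps a host at 40 desktops before the 16GB RAM rule does (42), giving 38 hosts plus the two spares; raising RamPerVmMB toward the 640MB mentioned in the planning slide flips which rule binds, which is the case where the "16-32GB unless allocating > 640MB" caveat matters.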
Provision Networks Virtual Access Suite – Demo and Q&A
Provision Networks Demo
References:
VMware – Windows XP Deployment Guide
VMware VDI Best Practices
How to configure Folder Redirection
VMware Infrastructure 3 Configuration Maximums
How to install, configure and administer Virtual Access Suite, Desktop Services. (VDI Connection Broker)
Using the Flex Profile Kit with VDI
Provision Networks Metaprofiles-IT
Memory Overcommitment in the Real World
RDP Audio - Hotfix
Idle session Group Policy settings do not work - Hotfix