1 Mid New England Network Users Group April 02, 2008 Patrick Rouse


Post on 24-Dec-2015


TRANSCRIPT

1

Mid New England Network Users Group

April 02, 2008

Patrick Rouse

2

About Quest Software

Desktop Virtualization Basics & Benefits

Desktop Virtualization Best Practices & Tutorials

Provision Networks Virtual Access Suite

Live Demo

Agenda – Desktop Virtualization

3

Who We Are – Quest Software

– ESX vRanger Pro, vConverter, vOptimizer

– Foglight – Root Cause Analysis for VMware

– Desktop Authority

– Virtual Access Suite

4

Who We Are – Provision Networks

Provision Networks, a division of Quest Software, produces and markets the award-winning Virtual Access Suite – an enterprise-grade application delivery, virtual desktop provisioning, management and brokering solution.

The Virtual Access Suite is available in three editions:

Standard Edition: Enhances manageability, stability and usability of Citrix and Terminal Services

Desktop Services Edition: Enables blade PC and virtual client connections from any virtual infrastructure, including VMware, Virtual Iron, Microsoft and SWsoft.

Enterprise Edition: Encompasses the Desktop Services & Standard Editions and adds support to Provision-enabled terminal server platforms

Timeline (years shown: 1996, 2001, 2004, 2006, 2007):

- Emergent Online founded

- Provision Management Framework Launched

- Virtual Desktop Solution Introduced

- Virtual Access Suite Introduced

- Acquired by Quest Software

- Universal Print Driver for ICA and RDP

5

[Figure: Virtual Client Computing Models. Source: IDC]

Panels: Presentation Virtualization; Shared Remote Desktops; Dedicated Remote Desktops; Application Virtualization; Client Hosted Desktop Virtualization

Layer labels: App / Application, OS, Host OS, Hypervisor, Server Hardware, Blade Hardware, Access Software, Client Hardware, Display Hardware Connection, Transmission Protocol, Stream / Transf Protocol, IP Connection

Attribute labels: Conflicting Apps, Remote Access, Limited Amt. of Applications, Fixed Security, Fixed Users, High Performance, Fully Customized, Mobility, External Security, Lower Performance, Customization

6

VDI Connection Broker Basics

What is a Connection Broker?

A basic connection broker is a service that authenticates a client, retrieves a list of Virtual Desktops and directs the client to its destination.

1. Authenticate and receive back the address of the hosted desktop

2. Connect to the hosted desktop using some type of remote display protocol (for example, RDP)

7

Our Offerings: The Right Desktop for the Right User

TASK USERS: Shared OS / Apps; Not customized; No user control; Server OS desktop; “Published” desktop; One user impacts all

KNOWLEDGE WORKERS: Fast and Personal; can be user-customized; Provisioned on-demand; Fully isolated and secure; Standard desktop OS; Platform-agnostic (VMware, Virtual Iron, XenSource, SWsoft, Microsoft)

POWER USERS: Fast, Powerful and Consistent; Demanding users / applications; Fully isolated and secure; Standard desktop OS; Platform-agnostic (HP, IBM etc.)

[Diagram labels: Physical / Blade PCs (four Physical Machines); Hypervisor; Hardware Layer; PN Broker Infrastructure; Dedicated and / or pooled desktops / OS; Shared desktops / OS]

8

• Centrally control and manage all off-site access to sensitive applications and data. Extend corporate network security policies to off-site facilities.

• Contain desktop proliferation and build standardized, centrally managed desktop environments. Meet HIPAA, SOX, GLBA compliance.

• Quickly recover, re-provision, and re-establish user access to complete desktop environments to ensure business continuity.

• Contingency plans in place to accommodate work-from-home users and employees quarantined due to a pandemic. Telecommuting!

• Each desktop environment is encapsulated in a VM, completely independently of other VMs. If anything goes wrong with one VM, other VMs remain unaffected.

• No lack of support from ISVs. No complex IT training (desktop administrators). No application code modifications and/or repackaging.

• Eliminate squandering of precious computing resources. Eliminate loss/theft of corporate data stored on stolen PCs.

Benefits of Desktop Virtualization

• Branch Office Connectivity. Mergers and Acquisitions. Distributed computing environments can be integrated without major investments in remote IT infrastructures.

9

Benefits of Desktop Virtualization

Physical desktop TCO

Source: Gartner Research

Source: Gartner Research

10

Best Practices – VDI Host Planning

No more than 1500 Virtual Desktops per VMware Virtual Center

Dedicate specific Virtual Infrastructure (VI) Hosts or Data Centers for VDI

Use Dual Processor, Quad Core, Blade or 1U Servers for VI Hosts

Use iSCSI SAN instead of Fiber Channel to reduce cost per user.

11

Best Practices – VDI Host Planning

Utilize iSCSI HBA to reduce CPU usage on VI Hosts.

4-10 Virtual Desktops per CPU Core

16-32GB of RAM per VI Host (unless allocating > 640MB per VM)

12

Best Practices – Component Placement

Deploy SSL Gateway in DMZ

Web Interface on the same machine, or on the Private Network.

Deploy two Connection Broker Servers (for redundancy and load balancing).

Do NOT allow DRS to move Connection Brokers to the same ESX Host.

All infrastructure servers can be virtualized

13

Best Practices – Virtual Desktop OS

>= 384MB for each XP Pro Virtual Desktop

Keep VM Disk Files as small as possible

Utilize a Universal Printer Driver (reduced Mgmt, CPU & Bandwidth)

14

Best Practices – Virtual Desktop OS

Disable screen savers on VMs (utilize client screensaver)

Schedule Shutdown/Reboot of Virtual Desktops

Enable Remote Control of Desktops (via Terminal Services Manager, Shadow or Remote Assistance)

15

Configuring Remote Control

16

Configuring Remote Control

Classic is the default setting when XP Pro & 2003 are domain members

17

Configuring Remote Control

Enable tsadmin on XP

Allows tsadmin.exe (Terminal Services Manager) or shadow.exe to connect from a remote RDP Session.

18

Configuring Remote Control

19

Best Practices – Virtual Desktop OS

VDI GPOs

VDI Computer GPO: Configure Computer GPO Settings, i.e. Loopback Policy Processing, RDP Connection Settings, Disabling of Offline Files, Deletion of Roaming Profile Cache…

VDI User GPO: Configure User GPO Settings for Folder Redirection (for My Documents, Desktop, Start Menu & Application Data) and environment lockdown (for non-administrators)

Roaming Profile Path is defined in the properties of the User’s Active Directory Account

20

Best Practices – Virtual Desktop OS

Install User Profile Hive Cleanup Service (UPHClean)

UPHClean: Unloads user profiles that might otherwise get hung unloading

Alter the Default Explore Path when using Folder Redirection to redirect the Start Menu to a Network Share, so user’s Default Explore Path is their Home Folder.

Default Explore Path:

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shell\explore\ddeexec]
@="[ExploreFolder(\"%u:\\\\\\\", %u:\\\\, %S)]"

Prevent NTFS from tracking reads on the local file system

NtfsDisableLastAccessUpdate:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem]
"NtfsDisableLastAccessUpdate"=dword:00000001

21

Best Practices – Virtual Desktop OS

Lock down the System Drive’s NTFS Permissions so normal users can’t install software, spyware, malware… or save data on their Virtual Desktops.

Recommended NTFS Permissions on New System Builds:

%SystemDrive% - Authenticated Users = "Read and Execute"
%SystemDrive% - Administrators = "Full Control"
%SystemDrive% - System = "Full Control"
%SystemDrive% - Creator Owner = "Full Control"

%ProgramFiles% - Authenticated Users = "Read and Execute"
%ProgramFiles% - Administrators = "Full Control"
%ProgramFiles% - System = "Full Control"
%ProgramFiles% - Creator Owner = "Full Control"

Remove the Hgfs Registry Entry so user’s profiles will unload completely. Setting added by VMware Tools.

RemoveHgfs

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order]
"ProviderOrder"="RDPNP,LanmanWorkstation,WebClient"
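An added example, not part of the original slides: a Python check that parses a .reg export taken from a virtual desktop template and flags drift from two of the settings above (NtfsDisableLastAccessUpdate and the ProviderOrder value with hgfs removed). The sample export and the function names are constructed for illustration.

```python
import re

FS_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem"
NP_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order"

# Constructed sample: a template where neither setting has been applied yet.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem]
"NtfsDisableLastAccessUpdate"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order]
"ProviderOrder"="RDPNP,LanmanWorkstation,WebClient,hgfs"
'''

def parse_reg(text):
    """Parse .reg text into {key path (lowercase): {value name (lowercase): data}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
            continue
        m = re.match(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$', line)
        if m is None or current is None:
            continue  # blank lines, comments, the version header
        name = "" if m.group(1) == "@" else m.group(1)[1:-1]
        data = m.group(2)
        if data.startswith("dword:"):
            data = int(data[6:], 16)
        elif len(data) >= 2 and data[0] == data[-1] == '"':
            data = re.sub(r"\\(.)", r"\1", data[1:-1])  # undo \\ and \" escapes
        current[name.lower()] = data  # other types (hex:...) stay as raw text
    return keys

def audit(text):
    """Return findings; an empty list means both settings match the slides."""
    keys = parse_reg(text)
    findings = []
    if keys.get(FS_KEY.lower(), {}).get("ntfsdisablelastaccessupdate") != 1:
        findings.append("NtfsDisableLastAccessUpdate is not dword:00000001")
    order = keys.get(NP_KEY.lower(), {}).get("providerorder")
    if not isinstance(order, str):
        findings.append("ProviderOrder is missing or not a string")
    elif "hgfs" in [p.strip().lower() for p in order.split(",")]:
        findings.append("ProviderOrder still lists hgfs")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_EXPORT):
        print("FINDING:", finding)
```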

22

Best Practices – Disable Unnecessary Windows Services

Consider disabling some or all of the following services, if they are not required in your specific environment:

Computer Browser

Error Reporting

Help & Support

Indexing Service

IPSec

Network Local Awareness

Security Center

Shell Hardware Detection

SSDP Discovery Service

System Restore Service

Task Scheduler

Themes

Windows Firewall

Windows Zero Configuration

23

Best Practices – Client Devices

Don't assume that everyone can use a thin client. (No DVD+R, CDR/RW, High-end Graphics)

Choose XPe based thin clients when needing to support USB peripheral devices (printers, scanners, handhelds, storage)

Consider devices with local Internet Browser, Windows Media Player, Adobe Flash Player…

Convert older PCs into diskless thin clients via PXE Boot

24

Provision Networks Virtual Access Suite

25

Provision Networks Virtual Access Suite

Physical and virtual machines

Fully sysprep’d virtual desktops from templates (VMware, Virtual Iron)

Policy-driven virtual machine power management and pooling

Policy-driven access

Standard desktops managed as single-user Terminal Servers

Integration with MS SoftGrid (Application Virtualization)

Familiar end-user experience (i.e., desktop and application publishing)

Seamless windows (w/multi-monitor support)

Universal print driver

USB-based PDA redirection

Web interface and SSL gateway

Bi-Directional Audio

Many more…

VAS: more than just a “connection broker”

In contrast, VAS is a comprehensive provisioning and delivery framework with a sophisticated brokering service at its core.

Support for Standard Windows desktop OS (i.e., WinXP, Vista)…

27

New features for version 5.10 (April-May 2008)

Provision Networks Virtual Access Suite

Managed Desktop Group Auto-Expansion. Automatically add additional desktops based on policy.

Deployment of MSI-Based Application Packages: Install/track/remove MSI-based application packages to managed desktops.

Scheduled Tasks: Power On, Power Off, Logoff, Reset, Suspend, Resume, Delete Desktop, Enable/Disable Desktop, Copy file to desktop, Install/Uninstall MSI Package

“Disable Desktop” Option: Individual desktops and desktop groups can be instantly disabled, allowing scheduled maintenance.

Cross-Group Desktop Naming: Allows multiple desktop groups to conform to a shared (enterprise-wide) desktop naming convention.

Linux-based PXE Boot Client

True Multi-Monitor Support, instead of just spanning.

Bi-Directional Audio / Microphone Redirection

Server Provisioning: Provision fully sysprep’d virtual Windows Terminal Servers from existing VM Templates, as well as deploy server-based MSI packages.

Type Ahead: Improves the end-user experience by instantly echoing keystrokes regardless of network latency conditions.

Time Zone Management: Enables administrators to specify the desired time zone for assignees.

28

Available Clients

Provision Networks Virtual Access Suite

Windows 2000, 2003, XP, XP Embedded, Vista

Windows CE

Linux

Wyse Thin OS

HP NeoLinux

Java

Thinstall

PXE Boot - Linux

Computer Labs (CLI)

Devon IT

HP

Wyse

Affirmative Computing

Thin Client Vendors

29

Provision Networks Virtual Access Suite

30

VDI Solution on VMware ESX 3.x with Virtual Center

Cost Per User: $750.08
Total Cost: $1,125,120.00

Qty | Description | Price | Total
40 | IBM X3550, 1U Dual-Quad Core, 16GB, 2x72GB 10KRPM 2.5" SAS, RAID1, QLogic iSCSI Dual Port PCIe HBA - 2 Extra Servers for HA and Infrastructure Servers | $8,000.00 | $320,000.00
40 | VMware ESX Ent. 2P Lic | $5,898.00 | $235,920.00
1500 | Virtual Access Suite Desktop Services Edition License | $50.00 | $75,000.00
1500 | Windows Guest OS License Cost | $290.00 | $435,000.00
1500 | AntiVirus License | $25.00 | $37,500.00
2 | VAS Connection Broker Servers (Virtual) | $700.00 | $1,400.00
1 | VAS SSL Gateway Server (Virtual) | $700.00 | $700.00
2 | VAS Web Server (Virtual) | $700.00 | $1,400.00
1 | Virtual Center Server (Virtual) | $700.00 | $700.00
40 | Rack Space, UPS, KVM | $300.00 | $12,000.00
1 | VMware Virtual Center License | $5,000.00 | $5,000.00
$10 | SAN Storage Cost Per VM | $50.00 | $500.00

Value | Variable Description
8 | CPU Cores Per Virtual Infrastructure Host
5 | Virtual Machine Guest OS Per CPU Core (4-10)
$10.00 | Cost of SAN Storage per GB
5 | Size of VM Disk Files (GB) on SAN
384 | RAM (MB) Per Virtual Machine Guest OS
16384 | Minimum Required RAM (MB) per Virtual Infrastructure Host
1500 | Maximum Number of Concurrent Users
56 | Average Bandwidth Per Session (Kb)
20 | Percentage of WAN Users
16800 | Required WAN Bandwidth (Kb)
300 | Maximum WAN Connected Users
1000 | Maximum Users Supported by SSL Gateway
1000 | Maximum Users Supported by Web Server
$8,000.00 | VDI Host Hardware Cost
$700.00 | Windows Server OS License for Web/SSL/CB Servers
$50.00 | VAS Desktop Services License Cost
$300.00 | Rack Space, UPS, KVM Cost
$25.00 | Antivirus Client License Cost
$290.00 | Windows Guest OS License Cost

Not Included in Config Cost:
SQL Server - Provision Database
Active Directory Infrastructure
File Server(s) for User Profiles
Windows Print Servers
Firewall with DMZ Port
Redundancy for SSL Gateway and Web Servers

References:
VMware ESX 3.5 IO Guide
VMware Infrastructure 3 Configuration Maximums
Reasons to use iSCSI HBA instead of TOE NIC
QLOGIC QLE4062C Dual Port PCIe iSCSI HBA

Notes:
1 Virtual Center Host can manage a maximum of 1500 Virtual Desktops
2 Connection Brokers Per Farm, built in redundancy (no load balancer required). Unlimited Connection Brokers allowed.

Installing, Configuring and Administering Virtual Access Suite, Desktop Services

Desktop Virtualization Solution Calculator
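An added example, not from the original slides: the calculator's derived figures (host count, per-host RAM check, WAN bandwidth, total and per-user cost) reproduced in Python. The formulas are inferred from the slide's numbers rather than stated on it, the function names are made up for illustration, and the last line item's quantity, shown as "$10" on the slide, is read as 10.

```python
import math

# Inputs copied from the slide's "Variable Description" column.
CORES_PER_HOST = 8
VMS_PER_CORE = 5            # slide's recommended range is 4-10
RAM_MB_PER_VM = 384
HOST_RAM_MB = 16384
MAX_USERS = 1500
KB_PER_SESSION = 56
WAN_USER_PERCENT = 20
SPARE_HOSTS = 2             # "2 Extra Servers for HA and Infrastructure Servers"

# (quantity, unit price) for each line item, in slide order.
LINE_ITEMS = [(40, 8000.00), (40, 5898.00), (1500, 50.00), (1500, 290.00),
              (1500, 25.00), (2, 700.00), (1, 700.00), (2, 700.00),
              (1, 700.00), (40, 300.00), (1, 5000.00), (10, 50.00)]

def size_farm(users=MAX_USERS):
    """Derive host count, per-host RAM demand and WAN bandwidth (assumed formulas)."""
    vms_per_host = CORES_PER_HOST * VMS_PER_CORE
    hosts = math.ceil(users / vms_per_host) + SPARE_HOSTS
    ram_needed = vms_per_host * RAM_MB_PER_VM
    wan_users = users * WAN_USER_PERCENT // 100
    return {
        "vms_per_host": vms_per_host,
        "hosts": hosts,
        "ram_mb_needed_per_host": ram_needed,
        "ram_fits": ram_needed <= HOST_RAM_MB,
        "wan_users": wan_users,
        "wan_kb": wan_users * KB_PER_SESSION,
    }

def total_cost(users=MAX_USERS):
    """Sum the line items and divide by the concurrent-user count."""
    total = sum(qty * price for qty, price in LINE_ITEMS)
    return total, round(total / users, 2)

if __name__ == "__main__":
    print(size_farm())
    print(total_cost())
```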

31

Provision Networks Virtual Access Suite

Demo and Q&A

Provision Networks Demo

References:

VMware – Windows XP Deployment Guide

VMware VDI Best Practices

How to configure Folder Redirection

VMware Infrastructure 3 Configuration Maximums

How to install, configure and administer Virtual Access Suite, Desktop Services. (VDI Connection Broker)

Using the Flex Profile Kit with VDI

Provision Networks Metaprofiles-IT

Memory Overcommitment in the Real World

RDP Audio - Hotfix

Idle session Group Policy settings do not work - Hotfix

32

Questions and Answers

Patrick Rouse
Patrick.Rouse@quest.com
619.994.5507
www.provisionnetworks.com