Patrick Rouse. Mid New England Network Users Group April 02, 2008. Agenda – Desktop Virtualization. About Quest Software Desktop Virtualization Basics & Benefits Desktop Virtualization Best Practices & Tutorials Provision Networks Virtual Access Suite Live Demo.
Patrick Rouse Mid New England Network Users Group April 02, 2008
Agenda – Desktop Virtualization
• About Quest Software
• Desktop Virtualization Basics & Benefits
• Desktop Virtualization Best Practices & Tutorials
• Provision Networks Virtual Access Suite
• Live Demo
Who We Are – Quest Software
• ESX vRanger Pro, vConverter, vOptimizer
• Foglight – Root Cause Analysis for VMware
• Desktop Authority
• Virtual Access Suite
Who We Are – Provision Networks
Provision Networks, a division of Quest Software, produces and markets the award-winning Virtual Access Suite – an enterprise-grade application delivery, virtual desktop provisioning, management and brokering solution. The Virtual Access Suite is available in three editions:
• Standard Edition: Enhances manageability, stability and usability of Citrix and Terminal Services
• Desktop Services Edition: Enables blade PC and virtual client connections from any virtual infrastructure, including VMware, Virtual Iron, Microsoft and SWsoft.
• Enterprise Edition: Encompasses the Desktop Services & Standard Editions and adds support to Provision-enabled terminal server platforms
[Timeline figure. Milestones shown: Virtual Access Suite Introduced; Acquired by Quest Software; Provision Management Framework Launched; Virtual Desktop Solution Introduced; Universal Print Driver for ICA and RDP; Emergent Online founded. Years shown: 2007, 2001, 2006, 1996, 2004.]
[Figure: Virtual Client Computing Models. Source: IDC. Models shown: Application Virtualization, Presentation Virtualization, Remote Access, Dedicated Remote Desktops, Shared Remote Desktops, Client Hosted Desktop Virtualization.]
VDI Connection Broker Basics
What is a Connection Broker? A basic connection broker is a service that authenticates a client, retrieves a list of Virtual Desktops and directs the client to its destination.
• Authenticate and receive back the address of the hosted desktop
• Connect to the hosted desktop using some type of remote display protocol (for example, RDP)
Our Offerings: The Right Desktop for the Right User

KNOWLEDGE WORKERS
• Fast and Personal; can be user-customized
• Provisioned on-demand
• Fully isolated and secure
• Standard desktop OS
• Platform-agnostic (VMware, Virtual Iron, XenSource, SWsoft, Microsoft)

TASK USERS
• Shared OS / Apps
• Not customized
• No user control
• Server OS desktop
• “Published” desktop
• One user impacts all

POWER USERS
• Fast, Powerful and Consistent
• Demanding users / applications
• Fully isolated and secure
• Standard desktop OS
• Platform-agnostic (HP, IBM etc.)

[Diagram labels: Physical / Blade PCs; Dedicated and / or pooled desktops / OS; Shared desktops / OS; Physical Machine; HYPERVISOR; PN Broker Infrastructure; HARDWARE LAYER]
Benefits of Desktop Virtualization
• Centrally control and manage all off-site access to sensitive applications and data. Extend corporate network security policies to off-site facilities.
• Contain desktop proliferation and build standardized, centrally managed desktop environments. Meet HIPAA, SOX, GLBA compliance.
• Quickly recover, re-provision, and re-establish user access to complete desktop environments to ensure business continuity.
• Contingency plans in place to accommodate work-from-home users and employees quarantined due to a pandemic. Telecommuting!
• Each desktop environment is encapsulated in a VM, completely independent of other VMs. If anything goes wrong with one VM, other VMs remain unaffected.
• No lack of support from ISVs. No complex IT training (desktop administrators). No application code modifications and/or repackaging.
• Eliminate squandering of precious computing resources. Eliminate loss/theft of corporate data stored on stolen PCs.
• Branch Office Connectivity. Mergers and Acquisitions. Distributed computing environments can be integrated without major investments in remote IT infrastructures.
Benefits of Desktop Virtualization
[Figure: Physical desktop TCO. Source: Gartner Research]
Best Practices – VDI Host Planning
• No more than 1500 Virtual Desktops per VMware Virtual Center
• Dedicate specific Virtual Infrastructure (VI) Hosts or Data Centers for VDI
• Use Dual Processor, Quad Core, Blade or 1U Servers for VI Hosts
• Use iSCSI SAN instead of Fiber Channel to reduce cost per user.
• Utilize iSCSI HBA to reduce CPU usage on VI Hosts.
• 4-10 Virtual Desktops per CPU Core
• 16-32GB of RAM per VI Host (unless allocating > 640MB per VM)
Best Practices – Component Placement
• Deploy SSL Gateway in DMZ
• Web Interface on the same machine, or on the Private Network.
• Deploy two Connection Broker Servers (for redundancy and load balancing).
• Do NOT allow DRS to move Connection Brokers to the same ESX Host.
• All infrastructure servers can be virtualized
Best Practices – Virtual Desktop OS
• >= 384MB for each XP Pro Virtual Desktop
• Keep VM Disk Files as small as possible
• Utilize a Universal Printer Driver (reduced Mgmt, CPU & Bandwidth)
• Disable screen savers on VMs (utilize client screensaver)
• Schedule Shutdown/Reboot of Virtual Desktops
• Enable Remote Control of Desktops (via Terminal Services Manager, Shadow or Remote Assistance)
Configuring Remote Control
• Classic is the default setting when XP Pro & 2003 are domain members
• Allows tsadmin.exe (Terminal Services Manager) or shadow.exe to connect from a remote RDP Session.
Best Practices – Virtual Desktop OS
• Configure User GPO Settings for Folder Redirection (for My Documents, Desktop, Start Menu & Application Data) and environment lockdown (for non-administrators)
• Configure Computer GPO Settings, i.e. Loopback Policy Processing, RDP Connection Settings, Disabling of Offline Files, Deletion of Roaming Profile Cache…
• Roaming Profile Path is defined in the properties of the User’s Active Directory Account
Best Practices – Virtual Desktop OS
• Install User Profile Hive Cleanup Service (UPHClean). Unloads user profiles that might otherwise get hung unloading.
• Alter the Default Explore Path when using Folder Redirection to redirect the Start Menu to a Network Share, so user’s Default Explore Path is their Home Folder.
  [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shell\explore\ddeexec]
  @="[ExploreFolder(\"%u:\\\\\\\", %u:\\\\, %S)]"
• Prevent NTFS from tracking reads on the local file system
  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem]
  "NtfsDisableLastAccessUpdate"=dword:00000001
Best Practices – Virtual Desktop OS
• Remove the Hgfs Registry Entry so user’s profiles will unload completely. Setting added by VMware Tools.
  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order]
  "ProviderOrder"="RDPNP,LanmanWorkstation,WebClient"
• Lock down the System Drive’s NTFS Permissions so normal users can’t install software, spyware, malware… or save data on their Virtual Desktops.
  Recommended NTFS Permissions on New System Builds:
  %SystemDrive% - Authenticated Users = "Read and Execute"
  %SystemDrive% - Administrators = "Full Control"
  %SystemDrive% - System = "Full Control"
  %SystemDrive% - Creator Owner = "Full Control"
  %ProgramFiles% - Authenticated Users = "Read and Execute"
  %ProgramFiles% - Administrators = "Full Control"
  %ProgramFiles% - System = "Full Control"
  %ProgramFiles% - Creator Owner = "Full Control"
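A way to confirm that a desktop template actually carries the two registry settings from the slides above, by auditing a registry export before the image is cloned. This is an added example, not part of the original deck; the function names and both sample exports are constructed for illustration.

```python
import re

# Keys and expected values are the ones named on the slides above.
FS_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem"
NP_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order"

def parse_reg(text):
    """Parse .reg export text into {key: {value_name: raw_data}}, names lower-cased."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None and line.startswith('"') and '"=' in line:
            name, _, data = line[1:].partition('"=')
            current[name.lower()] = data
    return keys

def audit(text):
    """Return findings; an empty list means the export matches the slide baseline."""
    reg, findings = parse_reg(text), []
    raw = reg.get(FS_KEY.lower(), {}).get("ntfsdisablelastaccessupdate", "")
    m = re.fullmatch(r"dword:([0-9a-fA-F]{8})", raw)
    if not m or int(m.group(1), 16) != 1:
        findings.append("NtfsDisableLastAccessUpdate is not dword:00000001")
    order = reg.get(NP_KEY.lower(), {}).get("providerorder")
    if order is None:
        findings.append("ProviderOrder not found in export")
    elif "hgfs" in [p.strip().lower() for p in order.strip('"').split(",")]:
        findings.append("ProviderOrder still lists hgfs")
    return findings

# Constructed sample: a template exported before the two changes were applied.
# A real regedit export is UTF-16; decode it before passing the text in.
BEFORE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem]
"NtfsDisableLastAccessUpdate"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order]
"ProviderOrder"="RDPNP,LanmanWorkstation,WebClient,hgfs"
'''
# Constructed sample: the same template after applying the slide's settings.
AFTER = BEFORE.replace("dword:00000000", "dword:00000001").replace(",hgfs", "")

if __name__ == "__main__":
    for label, export in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(export) or "matches baseline")
```

Re-running the audit after a VMware Tools upgrade is worthwhile, since the slide notes that VMware Tools is what adds the hgfs entry.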
Best Practices – Disable Unnecessary Windows Services
Consider disabling some or all of the following services, if they are not required in your specific environment:
• Shell Hardware Detection
• SSDP Discovery Service
• System Restore Service
• Task Scheduler
• Themes
• Windows Firewall
• Wireless Zero Configuration
• Computer Browser
• Error Reporting
• Help & Support
• Indexing Service
• IPSec
• Network Location Awareness
• Security Center
Best Practices – Client Devices
• Don't assume that everyone can use a thin client. (No DVD+R, CDR/RW, High-end Graphics)
• Choose XPe based thin clients when needing to support USB peripheral devices (printers, scanners, handhelds, storage)
• Consider devices with local Internet Browser, Windows Media Player, Adobe Flash Player…
• Convert older PCs into diskless thin clients via PXE Boot
Provision Networks Virtual Access Suite
VAS: more than just a “connection broker”
In contrast, VAS is a comprehensive provisioning and delivery framework with a sophisticated brokering service at its core. Support for Standard Windows desktop OS (i.e., WinXP, Vista)…
Provision Networks Virtual Access Suite: New features for version 5.10 (April-May 2008)
Provision Networks Virtual Access Suite: Available Clients, Thin Client Vendors
Desktop Virtualization Solution Calculator
Provision Networks Virtual Access Suite Demo and Q&A
• Provision Networks Demo
• References:
  • VMware – Windows XP Deployment Guide
  • VMware VDI Best Practices
  • How to configure Folder Redirection
  • VMware Infrastructure 3 Configuration Maximums
  • How to install, configure and administer Virtual Access Suite, Desktop Services. (VDI Connection Broker)
  • Using the Flex Profile Kit with VDI
  • Provision Networks Metaprofiles-IT
  • Memory Overcommitment in the Real World
  • RDP Audio - Hotfix
  • Idle session Group Policy settings do not work - Hotfix
Questions and Answers Patrick Rouse Patrick.Rouse@quest.com 619.994.5507 www.provisionnetworks.com