Joe Jessen
Analyst – Desktop Virtualization
September 2009
Executive Overview
Distributed computing continues to challenge large organizations, exponentially increasing in
complexity with the growth of portfolios of applications and devices. Today’s work environment is
both global and agile, with employees working in any number of environments, including homes,
client sites, even the local coffee shop. As this diversity increases, so do the challenges of compliance
and risk requirements regarding distributed data.
Current state-of-the-art solutions look to blend and balance the controlled stability of a centralized
computing environment with the rich application portfolio of the personal computing platform. Two
complementary technical movements are making this possible: virtualization and centralization.
Virtualization creates distinct areas for applications and data to reside, removing dependencies on
hardware and the environment. Centralization pulls data and the program code operating against it
into data center environments, leaving only interface issues to end user devices.
Virtual Desktop Infrastructure (VDI) solutions are now presenting organizations with an alternative to
deploying traditional PC desktops. VDI follows the trend of server consolidation and virtualization
where workloads are moved from physical devices to virtual instances hosted in the corporate data
center. Implementing a managed desktop solution that incorporates traditional and virtual desktops,
an organization should expect to gain greater flexibility in delivering workspaces to users while
reducing hardware, software, and maintenance costs of supporting this new infrastructure.
An organization’s typical position on application and desktop virtualization revolves around
implementing a process to identify user profile characteristics to map the ideal desktop solution.
Typically they will have multiple options available to ensure the user experience is optimized for any
given user. This document details the process and plan to reduce the total cost of ownership while
providing the best possible user desktop experience.
HARDWARE
The computing hardware is the layer on which most organizations have historically standardized.
Procurement of one machine type from a single vendor for all users reduces the complexity of
supporting the device once it has been deployed. System lifecycles vary, especially in large enterprise
environments, so inevitably, multiple machine types, with similar but not exact images of the
operating system, are supported.
PC vs. Thin Clients
Many organizations that have adopted server-based computing models (i.e., Terminal Services,
Citrix) to deliver user applications have also chosen to deploy thin client devices where no local
application processing is required. These organizations have benefited from the reduced support
required to maintain these devices, and the working environment lends itself to being accessed from
multiple locations, potentially including the user's home. The apparent downside to this model is
that the user must always be connected to the corporate network to get their applications and data.
PCs and laptops are the only options for organizations that have either not adopted a server-based
computing model or have a large population of users who work disconnected from the corporate
network. In these scenarios it is best to establish a standard configuration specification from a single
vendor, ensuring the specifications meet the organization and application needs, for example:
- Graphical display
- Memory
- Network connectivity
- Operating system
- Peripherals
Server-based computing (SbC), Virtual Desktop Infrastructure (VDI), and Application Streaming and
Virtualization are all technologies that enable thin client devices to look and feel just like standard
PCs and laptops. Thin client devices significantly reduce the hidden costs of supporting the end point
computing device, such as shadow support staff (i.e., co-worker support), floor space, power and
cooling costs, transportation, travel, turnover, and time off for training. Organizations should
consider replacing PCs with thin clients wherever the applications and user data can be accessed
through server-based computing solutions (Citrix and Terminal Server) or through a Virtual Desktop
Infrastructure.
Organizations can realize some of the following benefits when implementing thin clients:
- Centralized support – Support of the device is done through native remote control utilities,
  reducing the need to send help desk engineers to visit the end user. Failed devices can be replaced
  by a non-technical user in locations where no technical staff exists.
- Centrally Managed Device Images – Embedded operating systems (Linux or Windows) are
  deployed and managed from a centralized console.
- Easier Patch Management – Patches are provided by the hardware vendor, usually within 48
  hours of release from the operating system vendor, and are centrally deployed.
- Increased Device Lifespan – The lifespan of thin clients is typically six to eight years, which
  reduces the number of devices that need to be refreshed annually.
- Increased Security – With no local hard disks, no data lives on the physical device. Deployment
  of these devices to remote or public locations can be done with less concern of intellectual
  property or patient data loss.
- Protected Operating Environment – The operating systems are protected from the user making
  any changes and are typically read-only, reducing the likelihood of the device becoming infected
  by malware or viruses.
Application and Desktop Virtualization Page 3
Enterprise Desktop Strategy – White Paper
- Reduced power consumption – Thin clients use less than 10% of the power of standard PCs.
  WYSE provides the following sample of a comparison between 1,000 PCs and 1,000 thin client
  users connected to a centralized server environment over a one year period.
- OS Streaming – These solutions load a pre-configured image of the operating system from a
  central network location to a LAN-attached PC, a thin client device, or a virtual desktop. The
  operating system is never installed on the local device and uses RAM and the local disk (if any)
  for temporary files. When the device is rebooted, the central image is reloaded, so any changes
  made by the user are lost, unless they have been stored in their roaming profiles or network file
  shares.
- OS Virtualization – Leveraging hypervisor technology, OS Virtualization loads multiple
  instances of the operating system on network servers from a single image source. The user
  interface is delivered using a presentation protocol such as Citrix's ICA or Microsoft's RDP.
  Users have the same user experience as a locally installed operating system, regardless of their
  connectivity to the network or the configuration of the local device.
- Server Based Desktops – Microsoft Terminal Server enables delivery of server-based desktops
  and applications to end users using PCs or thin clients. Citrix XenApp (formerly Presentation
  Server) provides added features and functionality that many enterprises take advantage of.
  Citrix's ICA protocol has clients that run on all Windows and non-Windows desktop operating
  systems and has historically been used as the primary method of deploying applications to remote
  users.
Desktop Policies and Security
Group Policies
Central to the desktop design is the method by which the operating environment is configured and
controlled. Machines that are members of the Active Directory domain can leverage security policies
defined in Group Policy Objects (GPOs) and login scripts. Implemented in a hierarchical manner, the
top GPOs should provide the most stringent lockdowns with subsequent policies allowing additional
functionality as necessary.
Organizational Units (OU) within Active Directory can be used to group common machine types or
user types to ensure that proper security policies are implemented. It is recommended to limit the
number of OUs and Security groups that control the configuration of the desktop so as to keep the
complexity of supporting the environment to a minimum.
Active Directory tools can also be implemented to assist in creating and managing Group Policies.
Many of them have the capability of testing the effects of policies before they are implemented into
production.
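The hierarchy described above only delivers "most stringent at the top, relaxed below" if the
precedence rules are understood: GPO links are applied in the order Local, Site, Domain, OU, later
links overriding earlier ones, while an Enforced link cannot be overridden or blocked by anything
below it, and Block Inheritance on an OU drops every non-enforced link above it. The following
simulator is an added illustration written for this document, not a tool from the paper or from
Microsoft; the domain name, OU name, GPO names and settings are constructed. It reproduces the
application order for a domain-to-OU chain and includes the pre-deployment check a practitioner
would want before linking a loosening policy: a child OU with Block Inheritance silently loses the
domain lockdown unless that lockdown is Enforced.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class GPO:
    name: str
    settings: Dict[str, str]   # policy setting -> configured value
    enforced: bool = False     # Enforced link: cannot be overridden or blocked below


@dataclass
class Container:
    """A domain or OU with its linked GPOs in link order (index 0 = link order 1)."""
    name: str
    gpos: List[GPO] = field(default_factory=list)
    block_inheritance: bool = False


def application_order(chain: List[Container]) -> List[GPO]:
    """chain runs from the domain root down to the OU holding the computer or user.
    Returns GPOs in the order Windows applies them; later entries override earlier ones.
    Local and site policy are omitted for brevity."""
    # Block Inheritance on a container drops non-enforced links from every container above it.
    start = 0
    for index, container in enumerate(chain):
        if container.block_inheritance:
            start = index
    order = []
    for container in chain[start:]:            # domain first, target OU last
        for gpo in reversed(container.gpos):   # link order 1 is applied last within a container
            if not gpo.enforced:
                order.append(gpo)
    # Enforced links are applied after all normal links, highest container last, so an
    # enforced domain-level lockdown wins over anything linked below it.
    for container in reversed(chain):
        for gpo in reversed(container.gpos):
            if gpo.enforced:
                order.append(gpo)
    return order


def resultant_policy(chain: List[Container]) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Resultant set of policy: final value per setting and the GPO that supplied it."""
    settings, winners = {}, {}
    for gpo in application_order(chain):
        for key, value in gpo.settings.items():
            settings[key] = value
            winners[key] = gpo.name
    return settings, winners


def lockdown_check(chain: List[Container], required: Dict[str, str]) -> Dict[str, str]:
    """Pre-deployment check: required lockdown settings that would be missing or changed.
    Returns {setting: effective value or None} for each deviation; empty means compliant."""
    settings, _ = resultant_policy(chain)
    return {key: settings.get(key) for key, value in required.items() if settings.get(key) != value}


# Constructed example: a stringent domain lockdown and a developer OU that relaxes one setting.
REQUIRED_LOCKDOWN = {"RemovableStorage": "deny", "InstallSoftware": "deny"}


def developer_chain(lockdown_enforced: bool, block_inheritance: bool) -> List[Container]:
    lockdown = GPO("Domain Lockdown",
                   {"RemovableStorage": "deny", "CommandPrompt": "disabled", "InstallSoftware": "deny"},
                   enforced=lockdown_enforced)
    dev_tools = GPO("Developer Tools", {"CommandPrompt": "enabled"})
    domain = Container("corp.example", [lockdown])
    dev_ou = Container("OU=Developers", [dev_tools], block_inheritance=block_inheritance)
    return [domain, dev_ou]


if __name__ == "__main__":
    for enforced, blocked in ((False, False), (False, True), (True, True)):
        chain = developer_chain(enforced, blocked)
        settings, winners = resultant_policy(chain)
        print(f"enforced={enforced} block={blocked}: {settings}")
        print("  deviations from required lockdown:", lockdown_check(chain, REQUIRED_LOCKDOWN))
```

Running the three scenarios shows the intended case (the OU relaxes only the command prompt), the
failure mode (Block Inheritance with a non-enforced lockdown leaves both removable storage and
software installation unconfigured), and the fix (an Enforced domain lockdown survives the block,
though it then also overrides the developer OU's relaxation, so the relaxed setting must be excluded
from the enforced GPO).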
Privilege by Application, not by User
To ensure the integrity of the working environment, desktop policies should restrict users from
making permanent system configuration changes. Where an application needs elevated rights,
changing the privilege state or configuring the Run As feature in Windows XP and above should be
done for that specific application rather than for the user as a whole. This method maintains system
integrity while ensuring applications will function.
APPLICATIONS
Access to applications and data is the core purpose of IT infrastructures and the desktop has
traditionally been tasked with hosting the application executables. Keeping the operating environment
performing at its peak, while hosting a complete application set has been one of the greatest
challenges IT has had to face. Traditional desktop deployments classify applications as core or line-
of-business (LOB). The core applications are those that all users require access to, whereas LOB
applications are only utilized by specific users or groups of users. Installing LOB applications locally
limits those users to working only on specific machines, preventing them from roaming or accessing
the applications remotely.
Once an application has been deployed to the desktop, the next challenge for IT is the maintenance of
the application. Code updates and patches are sometimes difficult to deploy and can possibly affect
other applications installed on the machine. For instance, some applications use commonly named
DLL files, which are expected to be on the local machine. One application may overwrite an existing
version during installation or update, causing a conflict with another application. (This is commonly
known as DLL-Hell.)
It is estimated that software product updating accounts for up to 55% of a desktop system's total cost,
whereas the initial purchase and support account for less than 45%. Electronic software distribution
(ESD) packages offer a cost-effective solution for automating the distribution and installation process.
In addition, ESD can provide capacity checking, auditing and management reports, and tools that ease
the initial installation of applications on the desktops. These solutions statistically achieve an 80%
success rate for first time installation of application packages and patches. The remaining failed
deployments usually require a desktop visit and possibly a manual installation by an engineer.
Application Streaming and Virtualization
Application Streaming and Virtualization solutions provide an alternative to the legacy ESD
solutions. These tools leverage the application packaging standards that were utilized with the ESD
solutions but instead of installing applications on the local machine, the application code is streamed
and then executed in protected memory space.
These solutions separate the application from the operating system as well as from other applications.
This application isolation eliminates the application conflicts that have been experienced in the past.
It also keeps the operating system clean, because the applications are never installed. Different
application and user security policies can be applied to individual packages, eliminating the need to
grant users elevated access on their desktops to ensure the applications will run.
Application updates and patches can be applied once to the centrally stored package and distributed
automatically to each user on their next launch of the application. In addition, previous versions of the
application can be stored for easy rollback in the event an application update causes an issue.
USER DATA
Management of users’ data is a daunting task for IT. Data lives anywhere a user has privileges – the
network, local hard drives, and portable devices (USB). A best practice is to keep all users’ data on
the network and allow nothing to be stored locally. Providing a dynamic desktop environment will
require the centralization of all application and user profile data. The user’s profile stores application
and user personalization and preferences. When configured, these preferences will load with every
user session regardless of the device they are logged into.
Roaming Profiles
A dynamic desktop environment should enable users to roam to any device, log on, and get access to
their applications and data. Roaming profiles, which allow users to save data that is typically saved in
the registry, along with profile folders that cannot be redirected (My Documents, Desktop,
Application Data, Start Menu), are one method of providing a consistent user experience in
Citrix/Terminal Server environments.
A centralized user profile keeps application and user personalization in a central location and is
loaded upon logon. A roaming profile will be critical to those organizations implementing SbC and
VDI solutions, as these single image source solutions do not enable the user to make permanent
customizations to their working environment.
[Figure: three-tier support structure – Level 1 Help Desk, Level 2 Operations Support, Level 3
Subject Matter Expert; issues escalate upward from Level 1 to Level 3.]
Level 1: Help Desk support is the first tier of the support structure and provides first-line, client-
facing support to the end-user. Level 1 support responsibilities include initial issue analysis, problem
definition, problem ticket routing, and low level issue resolution. The appropriate skill set, in
conjunction with the right tools, will aid the Help Desk in successfully performing its role. Level 1
support should also include automated tools that perform event-driven issue identification and
automatic routing to Level 2 – Operations Support.
Level 2: Operations Support is the intermediate tier in the support structure and handles all issues
forwarded from the Help Desk or from automatically generated alerts. Level 2 Support rarely
interfaces directly with the end-user community, but has the authority to engage IT Technical
Management when addressing issues. Level 2 support responsibilities include core network
infrastructure, network server support, and advanced issue resolution. The appropriate skill set, in
conjunction with the right tools, will optimize these processes. Level 2 Support also implements any
new technology that directly interacts with the environment.
Level 3: The Subject Matter Expert (SME) is the highest level of expertise within the organization.
SMEs are responsible for engaging directly with IT Technical Management, and serve as technical
liaisons with vendors and the user community. The SME must possess advanced networking,
operating systems, and server hardware knowledge and highly developed troubleshooting skills.
SMEs are also responsible for the development, testing, and architecture of all designs, and for
validating the proper implementation of any new technology that directly interacts with the
environment.
PRESENTATION VIRTUALIZATION
With Presentation Virtualization, applications are installed and managed on centralized servers in the
data center; screen images are delivered to the users, and the users' client machines, in turn, send
keystrokes and mouse movements back to the server.
- Applications can be installed locally or leverage application streaming and isolation solutions.
- Multiple servers can act as a single resource (i.e., a server farm) to deliver applications and
  desktops to client devices.
- Common protocols ICA and RDP are used to connect to the back end servers. Both clients and
  their protocols are available from traditional desktops and from thin clients.
- Applications execute on the server, so the client never communicates directly with the data on the
  back end.
- This model provides only connected user access to applications; there is no offline access
  capability in this solution.
Parallels – http://www.parallels.com/solutions/vdi/
Quest vWorkspace – http://vworkspace.com/default.aspx
Red Hat – http://www.redhat.com/rhel/desktop/
RES PowerFuse – http://www.ressoftware.com/pm-products.aspx?PageID=70&menuid=1
RingCube vDesk – http://www.ringcube.com/portal/content/products/vdesk/
Sentillion – http://www.sentillion.com/solutions/remote-access.html
Sun Virtual Desktops – http://www.sun.com/software/vdi/index.jsp
Symantec EVS – http://www.symantec.com/business/solutions/solutiondetail.jsp?solid=sol_infrastruct_op&solfid=sol_endpoint_virtualization
Teradici – http://www.teradici.com/pcoip/pcoip-technology.php?gclid=CIPphNLdrJkCFQw9GgodgFhXJQ
Unidesk – http://www.unidesk.com/
VDIworks – http://www.vdiworks.com/new_vdi/?q=node/5
Virtual Computer NxTop – http://www.virtualcomputer.com/Products+page
VMware View – http://www.vmware.com/products/view/

Presentation Virtualization refers to the delivery of applications and desktops over a common protocol
that displays the application user interface on a client machine, while the application code is executed
on a multi-user Windows server.
2X Software – http://www.2x.com/
Citrix XenApp – http://www.citrix.com/English/ps2/products/product.asp?contentID=186
Microsoft Terminal Services – http://www.microsoft.com/windowsserver2008/en/us/rds-product-home.aspx
Quest vWorkspace – http://vworkspace.com/default.aspx

Application Virtualization refers to the uncoupling of applications from host operating systems,
dramatically easing deployment and allowing the virtualized application to run in its own isolated
sandbox.
Citrix Application Streaming – http://www.citrix.com/English/ps2/products/subfeature.asp?contentID=163987
InstallFree – http://www.installfree.com/products/overview/
Microsoft App-V – http://www.microsoft.com/systemcenter/appv/default.mspx
Microsoft Med-V – http://www.microsoft.com/windows/enterprise/products/mdop/med-v.aspx
Symantec EVS – http://www.symantec.com/business/solutions/solutiondetail.jsp?solid=sol_infrastruct_op&solfid=sol_endpoint_virtualization
VMware ThinApp – http://www.vmware.com/products/thinapp/

Operating System Streaming refers to uncoupling a client operating system environment from the
underlying hardware, allowing end-user workspaces to be dynamically streamed from a central
repository to local client machines.
Citrix Provisioning Server – http://www.citrix.com/English/ps2/products/product.asp?contentID=683392

Profile (Personalization) Virtualization refers to the isolation of the user's application and environment
settings, storing them in a central location and applying them upon login to a physical or virtual desktop
environment.
AppSense EM – http://www.appsense.com/products/environment_manager.aspx
Citrix Profile Manager – http://www.citrix.com/English/ps2/products/subfeature.asp?contentID=1686118
Liquidware Labs – http://www.liquidwarelabs.com/products/profileunitypro.asp
Quest vWorkspace – http://vworkspace.com/default.aspx
RTO VirtualProfiles – http://www.rtosoft.com/Products/VirtualProfiles/VP.htm
ScriptLogic Desktop Authority – http://www.scriptlogic.com/products/desktopauthority/
Symantec EVS – http://www.symantec.com/business/solutions/solutiondetail.jsp?solid=sol_infrastruct_op&solfid=sol_endpoint_virtualization
Tranxition – http://www.tranxition.com/index.shtml
Tricerat SimplyProfiles – http://www.tricerat.com/profile
Wanova – http://www.wanova.com/
The desktop delivery use case should be used as both a strategic planning tool and to validate
functionality requirements. The desktop delivery use case is made up of three profiles: Application,
Access, and User Privilege.
Application Profile
The application profile is made up of business and technical criteria that determine the best suited
platform for applications to be delivered to the end user’s desktop device.
Major Criteria / Sub Criteria: Description

Operating System Compatibility: Which operating systems are required and supported by the application
RAM: What are the physical RAM requirements for the application
License: What is the use-license for the application: Named User, Concurrent, or Unlimited Use
Disk – Installation Footprint: How much disk space does the application code occupy when installed
Hardware – Peripherals: Identify the local and network hardware that the application is required to
  interact with
Network
  Application Server: Does the application require connectivity to a back-end application server to
    function
  Bandwidth – Data: How much network bandwidth is required while the application is running
  Bandwidth – UI (Latency): How much network bandwidth is required for the UI to perform to
    acceptable levels
  Connectivity: Is connectivity to the datacenter (network) required for the application to function
  Database: Does the application connect to a back-end database resource to function
  File Share: Does the application connect to a back-end file share resource to function
  Printing: Does the application need to print to local or network printers
Authentication
  Biometrics: Does the application use a biometric device to authenticate the user
  Directory Services: Does the application use a directory service or ACL to authenticate the user
  User Privileges: What level of local and domain privileges does the user require to run the
    application
Offline Use: The user requires access to the application when disconnected from the network
Audio: The application delivers audio content
Video
  High Resolution: The application requires high resolution video to function
  Multi-Monitor: The application uses multiple monitors
  Streaming Media: The application delivers streamed audio and video content to the user
Software Dependencies: The application requires the existence of other software in order to function
Compliance
  Audit: Application usage or data changes in the application must be audited for corporate
    compliance
  Standards: The application falls under the guidance of standards such as HIPAA, SOX, or PCI;
    additional auditing and usage restrictions may apply
The application profile should be created when an application is first being tested and packaged for
the environment. The profile can be created in spreadsheet or database format. The table above mixes
business and technical criteria, and both kinds affect the outcome. Organizations will have to
determine whether business requirements, such as auditing, carry stronger weighting in the decision
process, or whether decisions are weighted on purely technical capability.
Access Profile
Applications and data need to be accessed by different people from different devices over different
connections, all with different levels of access governed by the organization's standards and
governance. This may require an organization to provide different methods of access to the same
data, depending on the access scenario. The access profile determines what level of access will be
required for the application or data set. Some of the questions that need to be answered when
defining the profile are:
- Who am I?
- What device am I connecting from?
- How am I connecting?
- What network access will I require?
- What network services will I need to access?
- What application and data services will I need to access?
The answers to these questions form the core of your access profile. Understanding the access
requirements for a particular application or user can affect the decision on how that application is
delivered to the user. Applications with sensitive data tied to them should be kept away from local
installations and from machines that may be used outside the corporate network. Data Loss
Prevention (DLP) initiatives should have some stated guidelines on data classification and data
protection solutions.
The access profile can be represented in a decision tree format, such as the one below:
A user (or use case) requests a network login. In the first decision, it is determined whether the user
will be granted access to a desktop login. Short-term contractors or employees who do not access any
applications or data to perform their job function would not be granted access to the network.
If they are authenticated, the device they are logging in from is checked to see whether it is an
organizational asset. If the device is not an organizational asset, then no local apps or data should be
allowed. The user should be redirected to a Web Interface portal where they will be provisioned a
Citrix or VDI desktop.
Authenticated users on sanctioned devices will then be checked on how they are connecting to the
network. LAN/WAN users will be able to access their full application and data sets. Remote users
may be required to access their desktop through Citrix or VDI and may only have limited access to
applications and data from their local machine.
User Privilege
User privilege refers to the level of local administrative privileges that a user requires to perform their
job function, as defined in the use case. Elevated levels of user privileges allow the system’s user to
make changes to its configuration and install applications if necessary. We define these two decisions
as User Level and Admin Level. Network and system administrators and application developers are
two examples of such user types whose accounts will be granted administrative level access.
Tasks performed by these users may include making system-wide changes to their working
environment. In a multi-user environment, such as a Terminal Server with Citrix XenApp, those
changes could have an adverse effect on the other users accessing that server. In such cases, physical
desktops or virtual desktops would be the best suited environment for them.
Gotham has observed working with numerous clients that there is clear need to host multiple
solutions. We have found that the typical distribution of desktop use cases is approximately 20%
physical, 50% presentation virtualization, and 30% virtual desktop.
In this step of the decision tree, we are using the user's business need to work offline, or disconnected
from the network, as the root criterion for which desktop solution will be deployed. If it is determined
from the first step that the user does not need to work offline, or that the application profile dictates
that their applications can only be accessed when connected to the network, then the model moves on
to the next major criterion – user privilege.
If it is determined that the user requires offline access, the next decision criterion is which operating
system this user requires, or on which operating system platforms the applications are supported.
The final decision in this process is how applications will be delivered to the user’s desktop. The
options are streamed/virtualized, isolated, or locally installed (traditional ESD). A dynamic and
efficient desktop solution will leverage streamed/virtualized applications as its method for software
delivery. If the application does not function while streamed or virtualized, then it can be considered
for isolation with a solution such as Microsoft’s Med-V or installed locally with traditional software
delivery tools.
User Privileges
The second major criterion chosen for this decision process is User Privileges. As in the user
privilege profile identified earlier, user privileges refer to the level of local administrative privileges
that a user requires to perform his/her job function, as defined in the use case. Elevated levels of user
privileges allow the system's user to make changes to its configuration and install applications if
necessary. We define these two decisions as User Level and Admin Level.
After a User Level decision has been determined, we then look at whether the applications can be
supported in a Citrix/Terminal Server environment. This information would be obtained from the
Application Profile process. If the application set is suited for the Citrix/Terminal Server environment
then we follow the same application virtualization decision tasks as we did in the Offline Access tree.
If the User level is determined to be Admin Level, or the application is not suited for a
Citrix/Terminal Server environment, we determine if the user can be placed in a virtual desktop or
have to remain on a Physical desktop. The Application Profile will drive this decision, but
requirements such as access to local data will affect the virtual desktop decision. Once a decision has
been made to put the user in a virtual desktop environment we then follow the same decision criteria
for operating system and application virtualization as was done in the Offline Access tree.
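The two decision trees described in this document (the access profile tree: login, device ownership,
connection type; and the delivery tree: offline need, operating system, privilege level, Citrix/Terminal
Server suitability, virtual versus physical desktop, and application delivery method) can be written
down as a small program, which makes the branch order explicit and lets a use case be re-evaluated
whenever its application profile changes. The example below is an added illustration, not a tool from
Gotham or from this paper. It assumes that an offline-capable use case lands on a physical desktop
(the text does not name the platform for that branch), uses a subset of the application profile criteria
from the table above, and the application names, use cases and field values are constructed.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class ApplicationProfile:
    """Subset of the Application Profile criteria relevant to the delivery decision."""
    name: str
    supported_os: Tuple[str, ...]   # Operating System Compatibility
    offline_capable: bool           # functions without connectivity to the datacenter
    terminal_server_ok: bool        # supported in a Citrix/Terminal Server environment
    streamable: bool                # runs when streamed/virtualized
    isolatable: bool                # runs in an isolation solution such as Med-V
    needs_local_data: bool          # requires data held on the local device


@dataclass
class AccessContext:
    login_granted: bool     # first decision: is a desktop login granted to this use case at all
    corporate_asset: bool   # is the device an organizational asset
    connection: str         # "LAN", "WAN" or "remote"


@dataclass
class UserProfile:
    needs_offline: bool             # business need to work disconnected from the network
    privilege: str                  # "user" or "admin"
    required_os: Optional[str] = None


def access_decision(ctx: AccessContext) -> str:
    """Access profile tree: login -> device ownership -> connection type."""
    if not ctx.login_granted:
        return "no network access"
    if not ctx.corporate_asset:
        return "portal: Citrix or VDI desktop only, no local applications or data"
    if ctx.connection in ("LAN", "WAN"):
        return "full application and data set"
    return "Citrix or VDI desktop, limited local applications and data"


def app_delivery(app: ApplicationProfile) -> str:
    """Final decision: prefer streamed/virtualized, then isolation, then traditional ESD."""
    if app.streamable:
        return "streamed/virtualized"
    if app.isolatable:
        return "isolated"
    return "locally installed (ESD)"


def os_decision(user: UserProfile, app: ApplicationProfile) -> str:
    """The OS the user requires if the application supports it, otherwise the first supported OS."""
    if user.required_os in app.supported_os:
        return user.required_os
    return app.supported_os[0]


def delivery_decision(user: UserProfile, app: ApplicationProfile) -> dict:
    """Delivery tree: offline need -> OS -> delivery; otherwise privilege -> Citrix suitability
    -> virtual versus physical desktop -> OS -> delivery."""
    if user.needs_offline and app.offline_capable:
        # Assumption: offline work means the OS and applications run on the user's own device.
        return {"platform": "physical desktop", "os": os_decision(user, app),
                "delivery": app_delivery(app)}
    if user.privilege == "user" and app.terminal_server_ok:
        # Applications execute on the shared server, so no client OS decision is needed.
        return {"platform": "presentation virtualization", "os": None,
                "delivery": app_delivery(app)}
    # Admin-level users and applications unsuited to a shared server get a dedicated desktop,
    # virtual unless the application needs data held on the local device.
    platform = "physical desktop" if app.needs_local_data else "virtual desktop"
    return {"platform": platform, "os": os_decision(user, app), "delivery": app_delivery(app)}


def classify(user: UserProfile, app: ApplicationProfile, ctx: AccessContext) -> dict:
    """Combine both trees into one record for the use case."""
    return {"access": access_decision(ctx), **delivery_decision(user, app)}


# Constructed sample application profiles (not from the white paper).
CRM = ApplicationProfile("CRM client", ("Windows XP", "Windows 7"), offline_capable=False,
                         terminal_server_ok=True, streamable=True, isolatable=True,
                         needs_local_data=False)
FIELD_TOOL = ApplicationProfile("Field survey tool", ("Windows XP", "Windows 7"),
                                offline_capable=True, terminal_server_ok=False, streamable=False,
                                isolatable=True, needs_local_data=False)
CAD = ApplicationProfile("CAD suite", ("Windows 7",), offline_capable=False,
                         terminal_server_ok=False, streamable=False, isolatable=False,
                         needs_local_data=True)

if __name__ == "__main__":
    office = classify(UserProfile(False, "user"), CRM, AccessContext(True, True, "LAN"))
    roaming = classify(UserProfile(True, "user", "Windows 7"), FIELD_TOOL, AccessContext(True, True, "remote"))
    engineer = classify(UserProfile(False, "admin"), CAD, AccessContext(True, True, "LAN"))
    for label, result in (("office", office), ("roaming", roaming), ("engineer", engineer)):
        print(label, result)
```

The branch order matters: a user who wants to work offline but whose applications are connected-only
falls through to the privilege branch rather than being given a local installation, which is the rule
the text states for the root decision.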
Connecticut Office
4 Research Drive, Suite 402
Shelton, CT 06484