presentation network design and security for your v mware view deployment with vmware and f5

Network Design and Security for

Your VMware View Deployment

with VMware and F5

Philippe Bogaerts

Senior Field Systems Engineer - Benelux

© F5 Networks, Inc.

F5 & VMware

• F5 & VMware are global partners

• 5+ years of history

• Primary partnership goals

Compatibility / Interoperability testing

New Solution Development & Documentation

• Across all major F5 and VMware products

• Ongoing cooperative solution development


Recent Highlights

• F5 named Technology Innovator Partner of the Year

VMware awards highest honor to F5 at 2011 Partner Exchange

Recognition for deep integration and solution development

• “VMware-Ready” certifications

• F5 BIG-IP, ARX and FP Virtual Edition appliances

• vSphere, vCloud Director, View

• Single Unified Namespace

• iApp rapid solution deployment for View 4.6, 5.0

• vSphere 5.0 Metro-Distance Live Migration

• Netapp FlexCache, EMC VPLEX


Common Desktop Virtualization Challenges

• User Experience

• Performance over the Wide Area Network

• Access methods / complexity

• Login steps / annoyance

• Security

• Encryption of all WAN traffic

• Unified Access (Local vs. Remote, Desktop vs. Smart Phone)

• Integration with existing authentication infrastructure

• Endpoint integrity inspection

• Scalability/Availability

• Ensuring total availability of connection servers, VMs

• Single unified namespace across datacenters


• VMware abstracts all hosts and and storage into “one big

computer”

• F5 connects users to applications running on vSphere

F5 Networks: Application Delivery Networking


Why Does Application Delivery Networking

Matter for Virtualization Projects?

Servers are more agile

Storage is more agile

Applications are more agile

Clients are more agile

Data centers are more agile

What’s missing?

The network!


Taking A Step Back: What’s The Point?

Application Delivery Networking

F5 Networks



• Control point for all traffic inbound and outbound

• Separate user connections from server connections

• Dynamically apply appropriate policies

Full Proxy



• Encrypt application and data in transit

• User and Device authentication & authorization

Security



• Caching

• Protocol optimization

Acceleration



• Load balancing

• Persistence

• Connection Multiplexing

High Availability


4 Key Functions of Application Delivery Networking

Scaling Migrating

Protecting Managing


Architecture


Connection Servers Connection Servers

BIG-IP LTM + APM

Remote Clients

Local LAN Clients

Local Mode Desktop

Primary Site

Centralized Virtual

Desktops

Internet

Encryption (DTLS or SSL)

Unencrypted RDP or Natively Encrypted PCoIP)

Security Servers Security Servers

Secondary

BIG-IP GTM


User Experience


Simplify Sign-On Frustrations

Step 1

Local

Login

Step 2

VPN

Login

Step 3

Desktop

Login

SSO

Login

Once


Traffic QoS

View

Desktops

Rate Shape to ensure client-side View traffic receives priority

over client-outbound outbound traffic

Edge Client

Edge Client

Edge Client


Security


Unify Access to the Data Center

DMZ

Use existing user directories

View Servers

BIG-IP Edge Gateway

• One solution to manage all access policies regardless of access network

• Capacity and performance to secure all user traffic

• Optimizes application delivery to remote and mobile users

• Improves quality of real-time applications; soft phones and streaming media

Mobile Users

Wireless Users

Internet

Branch Office Users

Internal LAN

VLAN2

LAN Users

Internal LAN

VLAN1


Unified AAA Services for View

• Pre-Logon Checks:

• OS, AV, firewall, process, file, registry, extended windows info,

client and machine certs, etc.

• Remediation:

• Group Policy enforcement (Corp & Non-Corp Assets)

• Protected Workspace

• Intuitive, Visual Policy Editor


Optimize Authentication & Authorization

• Integration with existing authentication mechanisms

• AD, LDAP, RADIUS, 2-Factor, Client Certs, Etc.

• Support for PKI infrastructures

• Extensible and scriptable

• Comprehensive auditing/accounting

• Check the device prior to logon

• OS, AV, firewall, process, file, registry, 2-factor auth,

client/machine certs, etc.

• Remediate if necessary, automatically

• Use protected workspaces for untrustworthy devices

• Enforce Group Policies on all assets (even non-corporate assets)

• Meets FIPS compliance requirements


DMZ

Stringent Corporate Security Policies

View Security Server

Running on

Windows Server

2008 R2

BIG-IP APM

FIPS Compliant

Appliance

Connection Server

Connection Servers

BIG-IP provides a high capacity, FIPS compliant alternative to the View Security Server

Up to 2,000

concurrent

users per

server, 10,000

per pod.

Up to 40,000

concurrent

users on a

single device


Maintain Native PCoIP Performance

Connection

Brokers

Mobile Users

Remote Users

Branch Office Users

LAN Users

DTLS Encryption

View

Servers

DTLS Encryption

SSL Encryption

PCoIP

PCoIP

RDP

DT

LS

Encry

ption

PC

oIP

Support for DTLS (UDP) encryption

Support for SSL (TCP) encryption

Avoids the alternative method of

encapsulating UDP into TCP for SSL

encryption (thus degrading UDP).


Availability & Scalability

in the Data Center


Enable Scalability by Offloading Processes from View Connection Servers

1. Improve efficiency by offloading SSL

2. HA & load balancing for View Connection Servers

Connection

Servers


Local Mode Acceleration

BIG-IP Edge Gateway

View pod

BIG-IP Edge Gateway

WAN

Optimized

Link

Branch Office

Datacenter

Local Mode

Check-out

Check-in

Synch


DMZ

Ubiquitous View Client Support for Large Deployments

View Security Server

BIG-IP LTM

FIPS Compliant

Appliance

Connection Servers

BIG-IP allows thick, thin, and zero clients access to View deployments, which are > 2000 users


DMZ

Maximum Scalability for View

BIG-IP APM

BIG-IP Global

Traffic Manager

BIG-IP Local

Traffic Manager

Pod 2

Pod 1

DMZ

BIG-IP APM

BIG-IP Local

Traffic Manager

Pod 3

Max 10,000 users

Per Cluster

Global Load

Balancing Among

Multiple Sites

Local Load

Balancing >70,000

concurrent users

@ 1Mbps each on

a single device

BIG-IP enables you to make multiple sites and multiple clusters, look like one big cohesive unit


• iApps: Rapid, tested, streamlined, best practice deployment

iApp for VMware View 5.0

Deploy F5 LTM and APM in a matter of

minutes

Provide best practice configuration

Avoid human error

F5 iApps: Rapid Deployment for Enterprise Applications


• Rapid, tested, streamlined, best practice deployment of F5

functionality for VMware View environments

F5 iApp for VMware View


Summary – VMware View & F5

• Improve and streamline User Experience

• Integrate, simplify, and unify Security

• Scale and provide global High Availability

• Reduce OPEX and CAPEX

Flexible deployment architectures and product

Platforms to support any size enterprise View deployment


Thank You F5 Networks

www.f5.com/vmware

presentation network design and security for your v mware view deployment with vmware and f5

Documents