VMware User Group, March 25, 2008, San Diego, CA
DESCRIPTION
Patrick Rouse. VMware User Group, March 25, 2008, San Diego, CA. Agenda – Desktop Virtualization: Desktop Virtualization (VDI) Benefits; Desktop Virtualization Best Practices & Tutorials; Provision Networks Virtual Access Suite; Live Demo. Who We Are – Pinnacle Technologies.
TRANSCRIPT
1
VMware User Group, March 25, 2008, San Diego, CA
Patrick Rouse
2
Desktop Virtualization (VDI) Benefits
Desktop Virtualization Best Practices & Tutorials
Provision Networks Virtual Access Suite
Live Demo
Agenda – Desktop Virtualization
3
Who We Are – Pinnacle Technologies
4
Who We Are – Quest Software
– ESX vRanger Pro, vConverter, vOptimizer
– Foglight – Root Cause Analysis for VMware
– Desktop Authority
– Virtual Access Suite
5
Who We Are – Provision Networks
Provision Networks, a division of Quest Software, produces and markets the award-winning Virtual Access Suite – an enterprise-grade application delivery, virtual desktop provisioning, management and brokering solution.
The Virtual Access Suite is available in three editions:
Standard Edition: Enhances manageability, stability and usability of Citrix and Terminal Services
Desktop Services Edition: Enables blade PC and virtual client connections from any virtual infrastructure, including VMware, Virtual Iron, Microsoft and SWsoft.
Enterprise Edition: Encompasses the Desktop Services & Standard Editions and adds support to Provision-enabled terminal server platforms
Timeline: 1996, 2001, 2004, 2006, 2007
- Emergent Online founded
- Provision Management Framework Launched
- Virtual Desktop Solution Introduced
- Virtual Access Suite Introduced
- Acquired by Quest Software
- Universal Print Driver for ICA and RDP
6
VDI Connection Broker Basics
What is a Connection Broker?
A basic connection broker is a service that authenticates a client, retrieves a list of Virtual Desktops and directs the client to its destination.
1. Authenticate and receive back the address of the hosted desktop
2. Connect to the hosted desktop using some type of remote display protocol (for example, RDP)
7
Benefits of Desktop Virtualization
• Centrally control and manage all off-site access to sensitive applications and data. Extend corporate network security policies to off-site facilities.
• Contain desktop proliferation and build standardized, centrally managed desktop environments. Meet HIPAA, SOX, GLBA compliance.
• Quickly recover, re-provision, and re-establish user access to complete desktop environments to ensure business continuity.
• Contingency plans in place to accommodate work-from-home users and employees quarantined due to a pandemic. Telecommuting!
• Each desktop environment is encapsulated in a VM, completely independent of other VMs. If anything goes wrong with one VM, other VMs remain unaffected.
• No lack of support from ISVs. No complex IT training (desktop administrators). No application code modifications and/or repackaging.
• Eliminate squandering of precious computing resources. Eliminate loss/theft of corporate data stored on stolen PCs.
• Branch Office Connectivity. Mergers and Acquisitions. Distributed computing environments can be integrated without major investments in remote IT infrastructures.
8
Benefits of Desktop Virtualization
Physical desktop TCO
Source: Gartner Research
9
Best Practices – VDI Host Planning
No more than 1500 Virtual Desktops per VMware Virtual Center
Dedicate specific VI Hosts or Data Centers for VDI
Use Dual Processor, Quad Core, Blade or 1U Servers for VI Hosts
Use iSCSI SAN instead of Fibre Channel to reduce cost per user.
10
Best Practices – VDI Host Planning
Utilize iSCSI HBA to reduce CPU usage on ESX Hosts.
4-10 Virtual Desktops per CPU Core
16-32GB of RAM per ESX Server (unless allocating > 640MB per VM)
11
Best Practices – Component Placement
Deploy SSL Gateway in DMZ
Web Interface on the same machine, or on the Private Network.
Deploy two Connection Broker Servers (for redundancy and load balancing).
Do NOT allow DRS to move Connection Brokers to the same ESX Host.
All infrastructure servers can be virtualized
12
Best Practices – Virtual Desktop OS
>= 384MB for each XP Pro Virtual Desktop
Keep VM Disk Files as small as possible
Utilize a Universal Printer Driver (reduced Mgmt, CPU & Bandwidth)
13
Best Practices – Virtual Desktop OS
Disable screen savers on VMs (utilize client screensaver)
Schedule Shutdown/Reboot of Virtual Desktops
Enable Remote Control of Desktops (via Terminal Services Manager, Shadow or Remote Assistance)
14
Configuring Remote Control
15
Configuring Remote Control
Classic is the default setting when XP Pro & 2003 are domain members
16
Configuring Remote Control
Enable tsadmin on XP
Allows tsadmin.exe (Terminal Services Manager) or shadow.exe to connect from a remote RDP Session.
17
Configuring Remote Control
18
Best Practices – Virtual Desktop OS
VDI GPOs
VDI Computer GPO: Configure Computer GPO Settings, i.e. Loopback Policy Processing, RDP Connection Settings, Disabling of Offline Files, Deletion of Roaming Profile Cache…
VDI User GPO: Configure User GPO Settings for Folder Redirection (for My Documents, Desktop, Start Menu & Application Data) and environment lockdown (for non-administrators)
Roaming Profile Path is defined in the properties of the User’s Active Directory Account
19
Best Practices – Virtual Desktop OS
UPHClean
Install User Profile Hive Cleanup Service (UPHClean). Unloads user profiles that might otherwise get hung unloading.
Default Explore Path
Alter the Default Explore Path when using Folder Redirection to redirect the Start Menu to a Network Share, so the user’s Default Explore Path is their Home Folder.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shell\explore\ddeexec]
@="[ExploreFolder(\"%u:\\\\\\\", %u:\\\\, %S)]"
NtfsDisableLastAccessUpdate
Prevent NTFS from tracking reads on the local file system
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem]
"NtfsDisableLastAccessUpdate"=dword:00000001
20
Best Practices – Virtual Desktop OS
Lock down the System Drive’s NTFS Permissions so normal users can’t install software, spyware, malware… or save data on their Virtual Desktops.
Recommended NTFS Permissions on New System Builds:
%SystemDrive% - Authenticated Users = "Read and Execute"
%SystemDrive% - Administrators = "Full Control"
%SystemDrive% - System = "Full Control"
%SystemDrive% - Creator Owner = "Full Control"
%ProgramFiles% - Authenticated Users = "Read and Execute"
%ProgramFiles% - Administrators = "Full Control"
%ProgramFiles% - System = "Full Control"
%ProgramFiles% - Creator Owner = "Full Control"
RemoveHgfs
Remove the Hgfs Registry Entry so users’ profiles will unload completely. Setting added by VMware Tools.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order]
"ProviderOrder"="RDPNP,LanmanWorkstation,WebClient"
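An added check for the two registry hardening steps on slides 19 and 20 (NtfsDisableLastAccessUpdate and the hgfs provider entry); this is example code written for this page, not a Provision Networks or VMware tool. It parses a .reg export and reports which of the two settings still holds the unhardened value; the sample export is constructed.

```python
import re

# Constructed .reg export of the two keys the slides touch, still in the
# pre-hardening state (last-access tracking on, VMware Tools "hgfs" provider present).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem]
"NtfsDisableLastAccessUpdate"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order]
"ProviderOrder"="hgfs,RDPNP,LanmanWorkstation,WebClient"
'''

FS_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem"
NP_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order"

def parse_reg(text):
    """Parse a .reg export into {key: {value name: value}}.
    dword values become ints; quoted strings are unescaped; @ is the default value."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and "=" in line and line[0] in '"@':
            name, _, raw = line.partition("=")
            name = "(Default)" if name == "@" else name.strip('"')
            if raw.startswith("dword:"):
                keys[current][name] = int(raw[len("dword:"):], 16)
            else:
                keys[current][name] = re.sub(r'\\(["\\])', r"\1", raw[1:-1])
    return keys

def audit_vdi_settings(reg):
    """Findings for settings that deviate from the slides' recommended values."""
    findings = []
    if reg.get(FS_KEY, {}).get("NtfsDisableLastAccessUpdate") != 1:
        findings.append("NtfsDisableLastAccessUpdate != 1: NTFS still tracks last-access on reads")
    order = reg.get(NP_KEY, {}).get("ProviderOrder", "")
    if "hgfs" in [p.strip().lower() for p in order.split(",")]:
        findings.append("ProviderOrder still lists hgfs: profiles may not unload completely")
    return findings

def hardened_provider_order(order):
    """Drop the hgfs provider from a ProviderOrder string, keeping the rest in order."""
    return ",".join(p for p in order.split(",") if p.strip().lower() != "hgfs")
```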
21
Best Practices – Client Devices
Don't assume that everyone can use a thin client. (No DVD+R, CDR/RW, High-end Graphics)
Choose XPe based thin clients when needing to support USB peripheral devices (printers, scanners, handhelds, storage)
Consider devices with local Internet Browser, Windows Media Player, Adobe Flash Player…
Convert older PCs into diskless thin clients via PXE Boot
22
Provision Networks Virtual Access Suite
23
Provision Networks Virtual Access Suite
VAS: more than just a “connection broker”
In contrast, VAS is a comprehensive provisioning and delivery framework with a sophisticated brokering service at its core.
Support for Standard Windows desktop OS (i.e., WinXP, Vista)…
Physical and virtual machines
Fully sysprep’d virtual desktops from templates (VMware, Virtual Iron)
Policy-driven virtual machine power management and pooling
Policy-driven access
Standard desktops managed as single-user Terminal Servers
Integration with MS SoftGrid (Application Virtualization)
Familiar end-user experience (i.e., desktop and application publishing)
Seamless windows (w/multi-monitor support)
Universal print driver
USB-based PDA redirection
Web interface and SSL gateway
Bi-Directional Audio
Many more…
24
Provision Networks Virtual Access Suite
VAS: more than just a “connection broker”
Support for Windows Terminal Server…
Application publishing
Load-balancing
Seamless windows (w/multi-monitor support)
End-to-end Universal print driver
User profile management
CPU utilization management
Virtual memory optimization
USB-based PDA redirection
Integration with Microsoft SoftGrid (Application Virtualization)
Session configuration and lockdown
Registry Entry Deployment
Logon Scripts
File & Registry Redirection
Virtual IP
Web interface
SSL gateway
Bi-Directional Audio
Many more…
25
Provision Networks Virtual Access Suite
New features for version 5.10 (April-May 2008)
Managed Desktop Group Auto-Expansion. Automatically add additional desktops based on policy.
Deployment of MSI-Based Application Packages: Install/track/remove MSI-based application packages to managed desktops.
Scheduled Tasks: Power On, Power Off, Logoff, Reset, Suspend, Resume, Delete Desktop, Enable/Disable Desktop, Copy file to desktop, Install/Uninstall MSI Package
“Disable Desktop” Option: Individual desktops and desktop groups can be instantly disabled, allowing scheduled maintenance.
Cross-Group Desktop Naming: Allows multiple desktop groups to conform to a shared (enterprise-wide) desktop naming convention.
Linux-based PXE Boot Client
True Multi-Monitor Support, instead of just spanning.
Bi-Directional Audio / Microphone Redirection
Server Provisioning: Provision fully sysprep’d virtual Windows Terminal Servers from existing VM Templates, as well as deploy server-based MSI packages.
Type Ahead: Improves the end-user experience by instantly echoing keystrokes regardless of network latency conditions.
Time Zone Management: Enables administrators to specify the desired time zone for assignees.
26
Provision Networks Virtual Access Suite
Available Clients
Windows 2000, 2003, XP, XP Embedded, Vista
Windows CE
Linux
Wyse Thin OS
HP NeoLinux
Java
Thinstall
PXE Boot - Linux
Thin Client Vendors
Computer Labs (CLI)
Devon IT
HP
Wyse
Affirmative Computing
27
Provision Networks Virtual Access Suite
28
Desktop Virtualization Solution Calculator
VDI Solution on VMware ESX 3.x with Virtual Center
Cost Per User: $750.08
Total Cost: $1,125,120.00

Qty | Description | Price | Total
40 | IBM X3550, 1U Dual-Quad Core, 16GB, 2x72GB 10KRPM 2.5" SAS, RAID1, QLogic iSCSI Dual Port PCIe HBA - 2 Extra Servers for HA and Infrastructure Servers | $8,000.00 | $320,000.00
40 | VMware ESX Ent. 2P Lic | $5,898.00 | $235,920.00
1500 | Virtual Access Suite Desktop Services Edition License | $50.00 | $75,000.00
1500 | Windows Guest OS License Cost | $290.00 | $435,000.00
1500 | AntiVirus License | $25.00 | $37,500.00
2 | VAS Connection Broker Servers (Virtual) | $700.00 | $1,400.00
1 | VAS SSL Gateway Server (Virtual) | $700.00 | $700.00
2 | VAS Web Server (Virtual) | $700.00 | $1,400.00
1 | Virtual Center Server (Virtual) | $700.00 | $700.00
40 | Rack Space, UPS, KVM | $300.00 | $12,000.00
1 | VMware Virtual Center License | $5,000.00 | $5,000.00
10 | SAN Storage Cost Per VM | $50.00 | $500.00

Value | Variable Description
8 | CPU Cores Per Virtual Infrastructure Host
5 | Virtual Machine Guest OS Per CPU Core (4-10)
$10.00 | Cost of SAN Storage per GB
5 | Size of VM Disk Files (GB) on SAN
384 | RAM (MB) Per Virtual Machine Guest OS
16384 | Minimum Required RAM (MB) per Virtual Infrastructure Host
1500 | Maximum Number of Concurrent Users
56 | Average Bandwidth Per Session (Kb)
20 | Percentage of WAN Users
16800 | Required WAN Bandwidth (Kb)
300 | Maximum WAN Connected Users
1000 | Maximum Users Supported by SSL Gateway
1000 | Maximum Users Supported by Web Server
$8,000.00 | VDI Host Hardware Cost
$700.00 | Windows Server OS License for Web/SSL/CB Servers
$50.00 | VAS Desktop Services License Cost
$300.00 | Rack Space, UPS, KVM Cost
$25.00 | Antivirus Client License Cost
$290.00 | Windows Guest OS License Cost

Not Included in Config Cost:
SQL Server - Provision Database
Active Directory Infrastructure
File Server(s) for User Profiles
Windows Print Servers
Firewall with DMZ Port
Redundancy for SSL Gateway and Web Servers

Notes:
1 Virtual Center Host can manage a maximum of 1500 Virtual Desktops
2 Connection Brokers Per Farm, built in redundancy (no load balancer required). Unlimited Connection Brokers allowed.

References:
VMware ESX 3.5 IO Guide
VMware Infrastructure 3 Configuration Maximums
Reasons to use iSCSI HBA instead of TOE NIC
QLogic QLE4062C Dual Port PCIe iSCSI HBA
Installing, Configuring and Administering Virtual Access Suite, Desktop Services
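An added Python model of the solution calculator on this slide, written for this page and not the presenter's own spreadsheet. The inputs are the slide's variable values, line-item descriptions are shortened, and the SAN line mirrors the slide's quantity of 10; it reproduces the host count, WAN bandwidth, total and cost per user shown above.

```python
import math

# Inputs copied from the slide's "Variable" column (a constructed model of the calculator).
CORES_PER_HOST = 8        # CPU Cores Per Virtual Infrastructure Host
VMS_PER_CORE = 5          # Virtual Machine Guest OS Per CPU Core (slide range 4-10)
MAX_USERS = 1500          # Maximum Number of Concurrent Users (one Virtual Center)
EXTRA_HOSTS = 2           # spare hosts for HA and the infrastructure servers
RAM_MB_PER_VM = 384
SESSION_KB = 56           # Average Bandwidth Per Session (Kb)
WAN_USER_PCT = 20         # Percentage of WAN Users
SAN_COST_PER_GB = 10
VM_DISK_GB = 5

def hosts_required(users=MAX_USERS, extra=EXTRA_HOSTS):
    """Hosts for the desktop VMs, rounded up, plus the spare hosts."""
    return math.ceil(users / (CORES_PER_HOST * VMS_PER_CORE)) + extra

def ram_per_host_mb():
    """RAM a fully loaded host needs; the slide rounds this up to 16384 MB."""
    return CORES_PER_HOST * VMS_PER_CORE * RAM_MB_PER_VM

def wan_bandwidth_kb(users=MAX_USERS, pct=WAN_USER_PCT, per_session=SESSION_KB):
    """Return (WAN-connected users, required WAN bandwidth in Kb)."""
    wan_users = users * pct // 100
    return wan_users, wan_users * per_session

def bill_of_materials(users=MAX_USERS):
    """(qty, description, unit price) lines mirroring the slide's table."""
    hosts = hosts_required(users)
    return [
        (hosts, "IBM X3550 1U dual quad-core host with iSCSI HBA", 8000),
        (hosts, "VMware ESX Ent. 2P license", 5898),
        (users, "Virtual Access Suite Desktop Services license", 50),
        (users, "Windows Guest OS license", 290),
        (users, "AntiVirus license", 25),
        (2, "VAS Connection Broker servers (virtual)", 700),
        (1, "VAS SSL Gateway server (virtual)", 700),
        (2, "VAS Web servers (virtual)", 700),
        (1, "Virtual Center server (virtual)", 700),
        (hosts, "Rack space, UPS, KVM", 300),
        (1, "VMware Virtual Center license", 5000),
        (10, "SAN storage per VM", SAN_COST_PER_GB * VM_DISK_GB),  # slide lists qty 10
    ]

def total_cost(users=MAX_USERS):
    return sum(qty * price for qty, _, price in bill_of_materials(users))

def cost_per_user(users=MAX_USERS):
    return round(total_cost(users) / users, 2)
```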
29
Provision Networks Virtual Access Suite
Demo and Q&A
Provision Networks Demo
References:
VMware VDI Best Practices
How to configure Folder Redirection
VMware Infrastructure 3 Configuration Maximums
How to install, configure and administer Virtual Access Suite, Desktop Services. (VDI Connection Broker)
Using the Flex Profile Kit with VDI
Provision Networks Metaprofiles-IT
Memory Overcommitment in the Real World
RDP Audio - Hotfix
Idle session Group Policy settings do not work - Hotfix
30
Questions and Answers
Patrick Rouse
Patrick.Rouse@quest.com
619.994.5507
www.provisionnetworks.com