VMware User Group March 25, 2008 San Diego, CA

Post on 27-Jan-2016

Page 1: VMware User Group March 25, 2008 San Diego, CA

VMware User Group
March 25, 2008
San Diego, CA

Patrick Rouse

Page 2

Agenda – Desktop Virtualization

Desktop Virtualization (VDI) Benefits

Desktop Virtualization Best Practices & Tutorials

Provision Networks Virtual Access Suite

Live Demo

Page 3

Who We Are – Pinnacle Technologies

Page 4

Who We Are – Quest Software

– ESX vRanger Pro, vConverter, vOptimizer

– Foglight – Root Cause Analysis for VMware

– Desktop Authority

– Virtual Access Suite

Page 5

Who We Are – Provision Networks

Provision Networks, a division of Quest Software, produces and markets the award-winning Virtual Access Suite – an enterprise-grade application delivery, virtual desktop provisioning, management and brokering solution.

The Virtual Access Suite is available in three editions:

Standard Edition: Enhances manageability, stability and usability of Citrix and Terminal Services

Desktop Services Edition: Enables blade PC and virtual client connections from any virtual infrastructure, including VMware, Virtual Iron, Microsoft and SWsoft.

Enterprise Edition: Encompasses the Desktop Services & Standard Editions and adds support to Provision-enabled terminal server platforms

Timeline (years shown on the slide: 1996, 2001, 2004, 2006, 2007)

- Emergent Online founded

- Provision Management Framework Launched

- Virtual Desktop Solution Introduced

- Virtual Access Suite Introduced

- Acquired by Quest Software

- Universal Print Driver for ICA and RDP

Page 6

VDI Connection Broker Basics

What is a Connection Broker?

A basic connection broker is a service that authenticates a client, retrieves a list of Virtual Desktops and directs the client to its destination.

1. Authenticate and receive back the address of the hosted desktop

2. Connect to the hosted desktop using some type of remote display protocol (for example, RDP)

Page 7

Benefits of Desktop Virtualization

• Centrally control and manage all off-site access to sensitive applications and data. Extend corporate network security policies to off-site facilities.

• Contain desktop proliferation and build standardized, centrally managed desktop environments. Meet HIPAA, SOX, GLBA compliance.

• Quickly recover, re-provision, and re-establish user access to complete desktop environments to ensure business continuity.

• Contingency plans in place to accommodate work-from-home users and employees quarantined due to a pandemic. Telecommuting!

• Each desktop environment is encapsulated in a VM, completely independently of other VMs. If anything goes wrong with one VM, other VMs remain unaffected.

• No lack of support from ISVs. No complex IT training (desktop administrators). No application code modifications and/or repackaging.

• Eliminate squandering of precious computing resources. Eliminate loss/theft of corporate data stored on stolen PCs.

• Branch Office Connectivity. Mergers and Acquisitions. Distributed computing environments can be integrated without major investments in remote IT infrastructures.

Page 8

Benefits of Desktop Virtualization

Physical desktop TCO

Source: Gartner Research

Page 9

Best Practices – VDI Host Planning

No more than 1500 Virtual Desktops per VMware Virtual Center

Dedicate specific VI Hosts or Data Centers for VDI

Use Dual Processor, Quad Core, Blade or 1U Servers for VI Hosts

Use iSCSI SAN instead of Fiber Channel to reduce cost per user.

Page 10

Best Practices – VDI Host Planning

Utilize iSCSI HBA to reduce CPU usage on ESX Hosts.

4-10 Virtual Desktops per CPU Core

16-32GB of RAM per ESX Server (unless allocating > 640MB per VM)

Page 11

Best Practices – Component Placement

Deploy SSL Gateway in DMZ

Web Interface on the same machine, or on the Private Network.

Deploy two Connection Broker Servers (for redundancy and load balancing).

Do NOT allow DRS to move Connection Brokers to the same ESX Host.

All infrastructure servers can be virtualized

Page 12

Best Practices – Virtual Desktop OS

>= 384MB for each XP Pro Virtual Desktop

Keep VM Disk Files as small as possible

Utilize a Universal Printer Driver (reduced Mgmt, CPU & Bandwidth)

Page 13

Best Practices – Virtual Desktop OS

Disable screen savers on VMs (utilize client screensaver)

Schedule Shutdown/Reboot of Virtual Desktops

Enable Remote Control of Desktops (via Terminal Services Manager, Shadow or Remote Assistance)

Page 14

Configuring Remote Control

Page 15

Configuring Remote Control

Classic is the default setting when XP Pro & 2003 are domain members

Page 16

Configuring Remote Control

Enable tsadmin on XP

Allows tsadmin.exe (Terminal Services Manager) or shadow.exe to connect from a remote RDP Session.

Page 17

Configuring Remote Control

Page 18

Best Practices – Virtual Desktop OS

VDI GPOs

VDI User GPO: Configure User GPO Settings for Folder Redirection (for My Documents, Desktop, Start Menu & Application Data) and environment lockdown (for non-administrators)

VDI Computer GPO: Configure Computer GPO Settings, i.e. Loopback Policy Processing, RDP Connection Settings, Disabling of Offline Files, Deletion of Roaming Profile Cache…

Roaming Profile Path is defined in the properties of the User’s Active Directory Account

Page 19

Best Practices – Virtual Desktop OS

UPHClean

Install User Profile Hive Cleanup Service (UPHClean)

Unloads user profiles that might otherwise get hung unloading

Default Explore Path

Alter the Default Explore Path when using Folder Redirection to redirect the Start Menu to a Network Share, so the user’s Default Explore Path is their Home Folder.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shell\explore\ddeexec]
@="[ExploreFolder(\"%u:\\\\\\\", %u:\\\\, %S)]"

NtfsDisableLastAccessUpdate

Prevent NTFS from tracking reads on the local file system

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem]
"NtfsDisableLastAccessUpdate"=dword:00000001

Page 20

Best Practices – Virtual Desktop OS

Lock down the System Drive’s NTFS Permissions so normal users can’t install software, spyware, malware… or save data on their Virtual Desktops.

Recommended NTFS Permissions on New System Builds:

%SystemDrive% - Authenticated Users = "Read and Execute"
%SystemDrive% - Administrators = "Full Control"
%SystemDrive% - System = "Full Control"
%SystemDrive% - Creator Owner = "Full Control"

%ProgramFiles% - Authenticated Users = "Read and Execute"
%ProgramFiles% - Administrators = "Full Control"
%ProgramFiles% - System = "Full Control"
%ProgramFiles% - Creator Owner = "Full Control"
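An added example, not part of the original slides: a Python audit that checks an `icacls` listing against the recommended permissions above and reports any principal outside the baseline or any right beyond "Read and Execute" for Authenticated Users. It assumes the listings were collected with `icacls` (a tool the slide does not name); the function name and the sample listing are constructed for illustration.

```python
import re

# Baseline from the slide: principal -> allowed icacls right codes (None = Full Control).
READ_EXECUTE = {"RX", "R", "X", "RD", "REA", "RA", "RC", "S", "GR", "GE"}
BASELINE = {"authenticated users": READ_EXECUTE, "administrators": None,
            "system": None, "creator owner": None}
INHERIT_FLAGS = {"I", "OI", "CI", "IO", "NP"}
ACE_RE = re.compile(r"^(?P<who>[^:]+):(?P<groups>(?:\([^)]*\))+)$")

# Constructed sample listing for illustration; not output from a real desktop.
SAMPLE = r"""C:\ BUILTIN\Administrators:(OI)(CI)(F)
    NT AUTHORITY\SYSTEM:(OI)(CI)(F)
    CREATOR OWNER:(OI)(CI)(IO)(F)
    NT AUTHORITY\Authenticated Users:(OI)(CI)(RX)
    NT AUTHORITY\Authenticated Users:(AD)
    BUILTIN\Users:(CI)(WD)

Successfully processed 1 files; Failed processing 0 files"""


def audit_icacls(text, path):
    """Return (principal, problem) pairs where the listing exceeds the baseline."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if line.lower().startswith(path.lower() + " "):
            line = line[len(path):].strip()  # first ACE shares a line with the path
        m = ACE_RE.match(line)
        if not m:
            continue  # blank lines and the summary trailer
        groups = re.findall(r"\(([^)]*)\)", m["groups"])
        if "DENY" in groups:
            continue  # deny entries only reduce access
        rights = {r for g in groups if g not in INHERIT_FLAGS for r in g.split(",")}
        who = m["who"].strip()
        name = who.split("\\")[-1].lower()
        if name not in BASELINE:
            findings.append((who, "principal not in baseline"))
        elif BASELINE[name] is not None and rights - BASELINE[name]:
            extra = ",".join(sorted(rights - BASELINE[name]))
            findings.append((who, "excess rights: " + extra))
    return findings


if __name__ == "__main__":
    for who, problem in audit_icacls(SAMPLE, "C:\\"):
        print(f"{who}: {problem}")
```

In the sample, the `(AD)` entry for Authenticated Users and the `BUILTIN\Users` entry are the two deviations the audit reports.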

RemoveHgfs

Remove the Hgfs Registry Entry so users’ profiles will unload completely. Setting added by VMware Tools.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order]
"ProviderOrder"="RDPNP,LanmanWorkstation,WebClient"

Page 21

Best Practices – Client Devices

Don't assume that everyone can use a thin client. (No DVD+R, CDR/RW, High-end Graphics)

Choose XPe based thin clients when needing to support USB peripheral devices (printers, scanners, handhelds, storage)

Consider devices with local Internet Browser, Windows Media Player, Adobe Flash Player…

Convert older PCs into diskless thin clients via PXE Boot

Page 22

Provision Networks Virtual Access Suite

Page 23

Provision Networks Virtual Access Suite

VAS: more than just a “connection broker”

In contrast, VAS is a comprehensive provisioning and delivery framework with a sophisticated brokering service at its core.

Support for Standard Windows desktop OS (i.e., WinXP, Vista)…

Physical and virtual machines

Fully sysprep’d virtual desktops from templates (VMware, Virtual Iron)

Policy-driven virtual machine power management and pooling

Policy-driven access

Standard desktops managed as single-user Terminal Servers

Integration with MS SoftGrid (Application Virtualization)

Familiar end-user experience (i.e., desktop and application publishing)

Seamless windows (w/multi-monitor support)

Universal print driver

USB-based PDA redirection

Web interface and SSL gateway

Bi-Directional Audio

Many more…

Page 24

Provision Networks Virtual Access Suite

VAS: more than just a “connection broker”

Support for Windows Terminal Server…

Application publishing

Load-balancing

Seamless windows (w/multi-monitor support)

End-to-end Universal print driver

User profile management

CPU utilization management

Virtual memory optimization

USB-based PDA redirection

Integration with Microsoft SoftGrid (Application Virtualization)

Session configuration and lockdown

Registry Entry Deployment

Logon Scripts

File & Registry Redirection

Virtual IP

Web interface

SSL gateway

Bi-Directional Audio

Many more…

Page 25

Provision Networks Virtual Access Suite

New features for version 5.10 (April-May 2008)

Managed Desktop Group Auto-Expansion. Automatically add additional desktops based on policy.

Deployment of MSI-Based Application Packages: Install/track/remove MSI-based application packages to managed desktops.

Scheduled Tasks: Power On, Power Off, Logoff, Reset, Suspend, Resume, Delete Desktop, Enable/Disable Desktop, Copy file to desktop, Install/Uninstall MSI Package

“Disable Desktop” Option: Individual desktops and desktop groups can be instantly disabled, allowing scheduled maintenance.

Cross-Group Desktop Naming: Allows multiple desktop groups to conform to a shared (enterprise-wide) desktop naming convention.

Linux-based PXE Boot Client

True Multi-Monitor Support, instead of just spanning.

Bi-Directional Audio / Microphone Redirection

Server Provisioning: Provision fully sysprep’d virtual Windows Terminal Servers from existing VM Templates, as well as deploy server-based MSI packages.

Type Ahead: Improves the end-user experience by instantly echoing keystrokes regardless of network latency conditions.

Time Zone Management: Enables administrators to specify the desired time zone for assignees.

Page 26

Provision Networks Virtual Access Suite

Available Clients

Windows 2000, 2003, XP, XP Embedded, Vista

Windows CE

Linux

Wyse Thin OS

HP NeoLinux

Java

Thinstall

PXE Boot - Linux

Thin Client Vendors

Computer Labs (CLI)

Devon IT

HP

Wyse

Affirmative Computing

Page 27

Provision Networks Virtual Access Suite

Page 28

Desktop Virtualization Solution Calculator

VDI Solution on VMware ESX 3.x with Virtual Center

Cost Per User: $750.08
Total Cost: $1,125,120.00

| Qty | Description | Price | Total |
|---|---|---|---|
| 40 | IBM X3550, 1U Dual-Quad Core, 16GB, 2x72GB 10KRPM 2.5" SAS, RAID1, QLogic iSCSI Dual Port PCIe HBA - 2 Extra Servers for HA and Infrastructure Servers | $8,000.00 | $320,000.00 |
| 40 | VMware ESX Ent. 2P Lic | $5,898.00 | $235,920.00 |
| 1500 | Virtual Access Suite Desktop Services Edition License | $50.00 | $75,000.00 |
| 1500 | Windows Guest OS License Cost | $290.00 | $435,000.00 |
| 1500 | AntiVirus License | $25.00 | $37,500.00 |
| 2 | VAS Connection Broker Servers (Virtual) | $700.00 | $1,400.00 |
| 1 | VAS SSL Gateway Server (Virtual) | $700.00 | $700.00 |
| 2 | VAS Web Server (Virtual) | $700.00 | $1,400.00 |
| 1 | Virtual Center Server (Virtual) | $700.00 | $700.00 |
| 40 | Rack Space, UPS, KVM | $300.00 | $12,000.00 |
| 1 | VMware Virtual Center License | $5,000.00 | $5,000.00 |
| $10 | SAN Storage Cost Per VM | $50.00 | $500.00 |

| Value | Variable Description |
|---|---|
| 8 | CPU Cores Per Virtual Infrastructure Host |
| 5 | Virtual Machine Guest OS Per CPU Core (4-10) |
| $10.00 | Cost of SAN Storage per GB |
| 5 | Size of VM Disk Files (GB) on SAN |
| 384 | RAM (MB) Per Virtual Machine Guest OS |
| 16384 | Minimum Required RAM (MB) per Virtual Infrastructure Host |
| 1500 | Maximum Number of Concurrent Users |
| 56 | Average Bandwidth Per Session (Kb) |
| 20 | Percentage of WAN Users |
| 16800 | Required WAN Bandwidth (Kb) |
| 300 | Maximum WAN Connected Users |
| 1000 | Maximum Users Supported by SSL Gateway |
| 1000 | Maximum Users Supported by Web Server |
| $8,000.00 | VDI Host Hardware Cost |
| $700.00 | Windows Server OS License for Web/SSL/CB Servers |
| $50.00 | VAS Desktop Services License Cost |
| $300.00 | Rack Space, UPS, KVM Cost |
| $25.00 | Antivirus Client License Cost |
| $290.00 | Windows Guest OS License Cost |

Not Included in Config Cost:

SQL Server - Provision Database
Active Directory Infrastructure
File Server(s) for User Profiles
Windows Print Servers
Firewall with DMZ Port
Redundancy for SSL Gateway and Web Servers

Notes:

1 Virtual Center Host can manage a maximum of 1500 Virtual Desktops
2 Connection Brokers Per Farm, built in redundancy (no load balancer required). Unlimited Connection Brokers allowed.

References:

VMware ESX 3.5 IO Guide
VMware Infrastructure 3 Configuration Maximums
Reasons to use iSCSI HBA instead of TOE NIC
QLOGIC QLE4062C Dual Port PCIe iSCSI HBA
Installing, Configuring and Administering Virtual Access Suite, Desktop Services

Page 29

Provision Networks Virtual Access Suite

Demo and Q&A

Provision Networks Demo

References:

VMware VDI Best Practices

How to configure Folder Redirection

VMware Infrastructure 3 Configuration Maximums

How to install, configure and administer Virtual Access Suite, Desktop Services. (VDI Connection Broker)

Using the Flex Profile Kit with VDI

Provision Networks Metaprofiles-IT

Memory Overcommitment in the Real World

RDP Audio - Hotfix

Idle session Group Policy settings do not work - Hotfix

Page 30

Questions and Answers

Patrick Rouse
Patrick.Rouse@quest.com
619.994.5507
www.provisionnetworks.com