Welcome!

If everyone is thinking the same, someone isn't thinking

Lori MacVittie

Subscribe to Lori MacVittie: eMailAlertsEmail Alerts
Get Lori MacVittie via: homepageHomepage mobileMobile rssRSS facebookFacebook twitterTwitter linkedinLinkedIn


Related Topics: Virtual Education

Blog Feed Post

F5 Friday: Secure, Scalable and Fast VMware View Deployment

For a Secured Virtual Desktop Infrastructure

f5friday_thumb[2]

 

Virtual Desktop Infrastructure (VDI) is designed to deliver virtual, managed desktops in the corporate environment. There imageare many benefits to this model, especially when applied to traditionally high-maintenance desktops in call centers where users may not be technically savvy and insist on, oh, changing the fonts and background to be black and then calling the help desk to “fix” the problem*.  Fixing the problem becomes a simple case of pushing the clean desktop to the user.

But as VDI broadens its use from limited, internal deployments to off-site deployments supporting remote workers and disaster recovery scenarios, it becomes necessary to evaluate the infrastructure to ensure that remote access and VDI performs well and is secured.


CHALLENGES DELIVERING VIRTUAL DESKTOPS

Today I work remotely on a corporate laptop with a standard corporate “image” containing the applications I use on a daily basis. An SSL VPN provides secure remote access to corporate resources. That’s not an uncommon scenario at all. Organizations use this model to support both telecommuting employees as well as employees in remote offices or that are always roaming (sales and field engineers) to keep them connected. As noted by Gartner earlier this year, many organizations are looking at solutions like VMware View as a more efficient method of delivering corporate “images” to off-premise employees. But doing so introduces some challenges in the areas of security, scalability, and user-experience.

When deploying VMware View for off-premise use you need to consider the following:

  • WAN connections are bandwidth constrained and can lead to poor user experience using virtual desktops
  • Virtual desktops should be delivered to off-premise users securely
  • Off-premise users should be authenticated using the same authentication mechanisms, e.g. Active Directory, as on-premise users
  • Off-premise users may use their personal hardware to access virtual desktops and thus require inspection for viruses, malware, and other potentially harmful software
  • Introducing secure delivery of virtual desktops via SSL increases consumption of resources to perform encryption and decryption which impacts scalability and capacity of View servers and decreases performance of virtual desktop delivery
  • Most SSL VPN solutions (popular for supporting off-premise employee access to corporate resources) cannot securely transport PCoIP without degrading its performance

Interestingly enough, without an external solution there’s currently no means by which all these challenges can be addressed.


HOW F5 ADDRESSES THESE CHALLENGES

F5 BIG-IP Edge Gateway (EGW) provides the means by which VMware View 4 deployments can be securely delivered over WAN and LAN without degrading performance. Really. BIG-IP EGW also integrates endpoint security checks and authentication via existing user directories, such as Active Directory, to reduce the complexity of administration and the user-login experience. Additionally, EGW increases capacity and the performance of View servers by offloading and imagecentralizing SSL. And it can do it for PCoIP, which means a better user-experience and thus eliminates the negative impact on productivity often incurred by such remote solutions.

SECURITY

EGW provides a secured (via SSL if the endpoint uses RDP and DTLS is the endpoint is using PCoIP), optimized tunnel over which the virtual desktop is delivered to the end-user, regardless of location. The ability to determine at run-time which encryption scheme to use – DTLS or SSL – makes more consistent the performance of securely delivered virtual desktops. That’s a  big deal, because PCoIP was developed specifically to address rich media and long distance delivery of solutions like VMware View. But PCoIP is UDP based, and most VPNs use SSL today to secure tunnels, which is TCP-based. This results in essentially tunneling UDP through TCP, which degrades the performance of PCoIP very quickly.

Employing intelligent inspection of application data, EGW can also vary policy based on who you are, what device you’re on, and where you’re coming from. This gives administrators the ability to determine access to corporate resources based on context to protect sensitive data from being delivered to insecure endpoints and stops remote machines from sharing any infections and malware that might be present.

SIMPLIFICATION

Connections are not always “connected”. Sometimes they drop unexpectedly. Sometimes a user might move and need to re-establish connections (e.g. walking between campus wireless networks, disconnecting from the office and reconnecting at the coffee shop). EGW removes the hassle for users associated with constantly logging onto the VPN manually and can re-establish a VMware View session in the event of a connection disruption. Although VMware View maintains maintains persistence between clients and their desktops based on their source IP this is insufficient for users behind proxies or NATs, because multiple users share the same source IP. Using intelligent inspection capabilities, EGW can leverage user-specific session information such as cookies and uniquely persist users to existing virtual desktop sessions. This allows end-users to move about freely without concern and supports scenarios in which multiple off-premise employees are accessing corporate resources from the same location.

PERFORMANCE

The BIG-IP EGW client employs outbound rate-shaping policies to ensure virtual desktop traffic is afforded a higher priority than other outbound traffic, which 46E-649-BD1improves performance over bandwidth constrained networks. It further employs WAN optimization and acceleration technology to improve the flow of data imagebetween remote desktops and corporate servers, which results in virtual desktops that are more responsive and perform closer to LAN expectations.

BIG-IP EGW also improves the scalability VMware View Manager servers by mediating for clients, improving the overall capacity of the services and availability through load balancing, SSL offload and health monitoring. Offloading SSL is an important facet of the solution as it decreases management costs and ensures that the organization’s private keys are not only improves scalability and performance, but ensures that keys and certificates are not stored on insecure servers. BIG-IP EGW is FIPS compliant and securely manages certificates and keys in a centralized location, reducing the risk of compromise and simplifying deployment and management.

A combined F5-VMware solution for deploying virtual desktops to off-premise locations allows organizations to realize the benefits associated with virtual desktops without sacrificing security or performance.

* True story. Users are likely more savvy now but anecdotal evidence like this proves you never know what to expect from end-users.


Related blogs & articles:

Follow me on Twitter View Lori's profile on SlideShare friendfeed icon_facebook

AddThis Feed Button Bookmark and Share

 

More Stories By Lori MacVittie

Lori MacVittie is responsible for education and evangelism of application services available across F5’s entire product suite. Her role includes authorship of technical materials and participation in a number of community-based forums and industry standards organizations, among other efforts. MacVittie has extensive programming experience as an application architect, as well as network and systems development and administration expertise. Prior to joining F5, MacVittie was an award-winning Senior Technology Editor at Network Computing Magazine, where she conducted product research and evaluation focused on integration with application and network architectures, and authored articles on a variety of topics aimed at IT professionals. Her most recent area of focus included SOA-related products and architectures. She holds a B.S. in Information and Computing Science from the University of Wisconsin at Green Bay, and an M.S. in Computer Science from Nova Southeastern University.