This week's newsletter is all about the advantages of persistent vs. pooled virtual desktop infrastructure (VDI) with a guest editorial by Helge Klein, MVP. But before we go any further, did you know there's a word for the condition where someone has an abnormal and persistent fear of work?
By the way, another thing those of us who manage IT systems tend to fear is change. It's important to keep close tabs on what's happening in your server environment so you can be aware of any changes that occur and act accordingly. That's where change management software such as NetWrix Change Reporter Suite can come in handy since it audits and reports on any changes that happen in your infrastructure:
NetWrix is the sponsor for this issue of WServerNews, so please be sure to check out their line of products. Thanks!
In our issue Cloudy Thinking: Identity Management (Issue #916) we included the following Reader Needs Help item from a reader named Jim from Florida:
I've been struggling to find a method or software to block IP addresses from hackers that are trying a dictionary attack on my MS Exchange 2007 server. I have several clients that also have this issue. The ideal method or software would see that there are more than X connection attempts from the same IP address and then block the connection. If you could post this question out to the community I would appreciate it.
Reader Tony Gore responded with the following:
I have found that the NETGEAR UTM5 (this is the smallest in the range -- there are bigger capacity models for larger companies) is a great way of keeping the malware out.
It lets you set up whitelists and blacklists, as well as a whole host of other stuff. I am not sure if you can do precisely what you want, i.e. block after so many connections, but despite its low price the UTM5 is a beast of a device which I have barely scratched the surface of. There are a couple of experiences I have had with it that are possibly worth mentioning. It does AV checking on the fly (with a subscription from Sophos), which means that you can use a different AV solution within the network. Previously it had been tricky to use two AV solutions. It also means that you can (if you want to trade risks and performance) slacken off the AV scanning a bit within the network if this is causing too much of a performance hit on older machines.
BUT, and this is a big but -- disable TLS on your mail server (TLS provides an encrypted channel for your SMTP mail). You may be thinking that this is a backward step. However, it is not as insane as you think. When I first started using it, I could not figure out why some emails were scanned and not others. Then I discovered that the SBS2008 version of Exchange 2007 has TLS enabled by default. You would think that this is a good idea. However, encrypted email cannot be scanned by your peripheral protection. When I looked at what mail servers used TLS, I found it was mostly the junk emailers and the scammers. Then of course it hit me -- if you understand this, then using TLS to deliver virus-laden emails gets you through all the peripheral protection -- right to the core of your network (unless you put a separate mail server in an intermediate zone separated from your main network by another firewall). So although TLS protects you on the outside, it can make you more vulnerable through your peripheral defenses.
For more info on the NETGEAR UTM5 and similar products, see the Tip of the Week section of this newsletter.
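Jim's request above describes a mechanism rather than a product: count connection attempts that fail authentication per source IP and block the source once a threshold is crossed. The following is an added example written for this newsletter item; it is not Microsoft, NETGEAR or reader code. It works from the receive-connector protocol log that Exchange 2007 writes when logging is turned up (Set-ReceiveConnector ... -ProtocolLoggingLevel Verbose), counts the "535 Authentication unsuccessful" replies the server sent to each remote IP, and emits Windows Firewall block rules for addresses that exceed the threshold within a time window. Because it keys on the server's own reply rather than on message content, it works the same whether or not TLS is enabled on the connector. Assumptions: IPv4 remote endpoints, the netsh advfirewall syntax of Windows Server 2008 and later, and the sample log below, which is constructed (only the #Fields header reflects the real Exchange 2007/2010 log layout).

```python
import csv
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample. The #Fields line is the real Exchange 2007/2010 protocol
# log layout; host, session IDs, addresses and times are made up.
SAMPLE_LOG = r"""#Software: Microsoft Exchange Server
#Version: 8.0.0.0
#Log-type: SMTP Receive Protocol Log
#Fields: date-time,connector-id,session-id,sequence-number,local-endpoint,remote-endpoint,event,data,context
2013-03-05T01:00:00.000Z,EX01\Default EX01,08CFE8A1000001,0,10.0.0.5:25,203.0.113.7:51234,+,,
2013-03-05T01:00:00.200Z,EX01\Default EX01,08CFE8A1000001,4,10.0.0.5:25,203.0.113.7:51234,>,535 5.7.3 Authentication unsuccessful,
2013-03-05T01:00:01.200Z,EX01\Default EX01,08CFE8A1000001,7,10.0.0.5:25,203.0.113.7:51234,>,535 5.7.3 Authentication unsuccessful,
2013-03-05T01:00:02.200Z,EX01\Default EX01,08CFE8A1000001,10,10.0.0.5:25,203.0.113.7:51234,>,535 5.7.3 Authentication unsuccessful,
2013-03-05T01:00:03.200Z,EX01\Default EX01,08CFE8A1000001,13,10.0.0.5:25,203.0.113.7:51234,>,535 5.7.3 Authentication unsuccessful,
2013-03-05T01:00:04.200Z,EX01\Default EX01,08CFE8A1000001,16,10.0.0.5:25,203.0.113.7:51234,>,535 5.7.3 Authentication unsuccessful,
2013-03-05T01:00:05.000Z,EX01\Default EX01,08CFE8A1000001,17,10.0.0.5:25,203.0.113.7:51234,-,,Remote
2013-03-05T01:10:00.300Z,EX01\Default EX01,08CFE8A1000002,4,10.0.0.5:25,198.51.100.20:40001,>,535 5.7.3 Authentication unsuccessful,
2013-03-05T01:10:01.000Z,EX01\Default EX01,08CFE8A1000002,7,10.0.0.5:25,198.51.100.20:40001,>,235 2.7.0 Authentication successful,
2013-03-05T02:00:00.300Z,EX01\Default EX01,08CFE8A1000003,4,10.0.0.5:25,192.168.1.50:52000,>,535 5.7.3 Authentication unsuccessful,
2013-03-05T02:00:01.300Z,EX01\Default EX01,08CFE8A1000003,7,10.0.0.5:25,192.168.1.50:52000,>,535 5.7.3 Authentication unsuccessful,
2013-03-05T02:00:02.300Z,EX01\Default EX01,08CFE8A1000003,10,10.0.0.5:25,192.168.1.50:52000,>,535 5.7.3 Authentication unsuccessful,
2013-03-05T02:00:03.300Z,EX01\Default EX01,08CFE8A1000003,13,10.0.0.5:25,192.168.1.50:52000,>,535 5.7.3 Authentication unsuccessful,
2013-03-05T02:00:04.300Z,EX01\Default EX01,08CFE8A1000003,16,10.0.0.5:25,192.168.1.50:52000,>,535 5.7.3 Authentication unsuccessful,
2013-03-05T03:00:00.000Z,EX01\Default EX01,08CFE8A1000004,4,10.0.0.5:25,203.0.113.9:1000,>,535 5.7.3 Authentication unsuccessful,
2013-03-05T04:00:00.000Z,EX01\Default EX01,08CFE8A1000005,4,10.0.0.5:25,203.0.113.9:1001,>,535 5.7.3 Authentication unsuccessful,
2013-03-05T05:00:00.000Z,EX01\Default EX01,08CFE8A1000006,4,10.0.0.5:25,203.0.113.9:1002,>,535 5.7.3 Authentication unsuccessful,
2013-03-05T06:00:00.000Z,EX01\Default EX01,08CFE8A1000007,4,10.0.0.5:25,203.0.113.9:1003,>,535 5.7.3 Authentication unsuccessful,
2013-03-05T07:00:00.000Z,EX01\Default EX01,08CFE8A1000008,4,10.0.0.5:25,203.0.113.9:1004,>,535 5.7.3 Authentication unsuccessful,
"""

AUTH_FAILED = "535 "                      # SMTP reply code for a rejected AUTH (RFC 4954)
TS_FORMAT = "%Y-%m-%dT%H:%M:%S.%fZ"       # timestamp format used in the protocol log

def parse_auth_failures(log_text):
    """Map remote IP -> timestamps of every 535 reply our server sent to it."""
    failures = defaultdict(list)
    rows = csv.reader(line for line in log_text.splitlines()
                      if line and not line.startswith("#"))
    for row in rows:
        if len(row) < 8:
            continue
        timestamp, remote, event, data = row[0], row[5], row[6], row[7]
        if event == ">" and data.startswith(AUTH_FAILED):   # ">" = sent by the server
            ip = remote.rsplit(":", 1)[0]                    # drop the port (IPv4 assumed)
            failures[ip].append(datetime.strptime(timestamp, TS_FORMAT))
    return failures

def offenders(failures, threshold=5, window_minutes=10, allow_list=()):
    """IPs with >= threshold failures inside any window, skipping allow-listed networks.

    The allow list matters: a NATed branch office or one user with a stale
    password can trip the threshold too, and blocking them is a self-inflicted outage."""
    window = timedelta(minutes=window_minutes)
    allowed = [ipaddress.ip_network(net) for net in allow_list]
    hits = []
    for ip, times in failures.items():
        if any(ipaddress.ip_address(ip) in net for net in allowed):
            continue
        times = sorted(times)
        lo = 0
        for hi, t in enumerate(times):          # sliding window over sorted timestamps
            while t - times[lo] > window:
                lo += 1
            if hi - lo + 1 >= threshold:
                hits.append(ip)
                break
    return sorted(hits)

def firewall_rules(ips):
    """One inbound block rule per IP, in netsh advfirewall syntax (Windows Server 2008+)."""
    return [f'netsh advfirewall firewall add rule name="SMTP brute force {ip}" '
            f'dir=in action=block remoteip={ip}' for ip in ips]

if __name__ == "__main__":
    bad = offenders(parse_auth_failures(SAMPLE_LOG), allow_list=["192.168.0.0/16"])
    print("\n".join(firewall_rules(bad)))
    # Only 203.0.113.7 is blocked: 192.168.1.50 is allow-listed and
    # 203.0.113.9 spreads its five attempts over four hours.
```

Run it as a scheduled task against the current log in the ReceiveProtocolLog directory and pipe the output to cmd.exe, or print the rules first and review them. The time window is what separates a dictionary attack from a mailbox owner who mistyped a new password a few times, and a slow attacker who stays under the rate (203.0.113.9 in the sample) will only be caught by widening the window, so keep the threshold and window as tunable inputs rather than constants.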
Here's one more item from this week's Mailbag:
I just read your write up at:
"Printing from Windows 7 to Windows XP in a workgroup"
I thought, "This is ridiculous. It won't work, just like most of the crap advice you see online." But I'm really trying to get my customer taken care of so I tried it. I didn't carry the printer in here, just installed the driver from HP and followed your tip for pointing the port to the UNC path. WOW I COULD KISS YOU!
Thank you so much!
Thanks Corey but instead of a kiss I'd prefer it if you would tell others about WServerNews...lol
And now on to our guest editorial by Helge Klein...
A different kind of VDI
At the age of 7, VDI is ready for production, but not necessarily the way vendors try to sell it to you.
When the term VDI was coined by VMware in 2006, it started the transfer of a very successful business model from the server to the client: virtualization. In an effort to grow its business, VMware had discovered the existence of another market at least as big as the one they already were the undisputed leader of: desktop virtualization. Why not replace clunky physical PCs with agile virtual machines, centrally hosted in the datacenter? Management would be easier, security higher and the costs might even be lower! The VDI hype was born.
Today we know that some of the early dreams were a bit unrealistic. As it turned out, clients are very different from the easily virtualizable servers. Clients have users sitting in front of a screen. If you move the machine from under the desk to the datacenter, you need something to replace USB and similar connections between peripheral devices and the computer: a remoting protocol like HDX, RDP or PCoIP. Remoting protocols are hard to get to work really well, especially over WAN links.
Another thing that changes when a PC is yanked from a user's desk and - virtually - stuffed into the datacenter: the client operating system is not the sole master of the hardware any more. There are many others just like it, and they each want part of the performance. Especially disk performance, since that is typically a scarce resource. With (spinning) disk latencies being high even in single-user scenarios, many VMs accessing the same set of disks does not improve the situation. Without very careful planning this results in varying response times: sometimes it is OK, sometimes slow. Users hate that.
The answer: fast SAN storage - which is expensive. Much more expensive than simple PC hard drives. So much more expensive that storing hundreds of virtual machine images, at dozens of Gigabytes each, is out of the question even for most large enterprises. In order to make VDI work, the vendors had to come up with a solution to the storage space problem. And they did.
The pooled approach
The VDI configuration most actively promoted by vendors does not give you a full, private instance of Windows that you can customize to your heart's desire. Instead you will get a desktop that feels like a terminal server (the very platform VDI competes against). Such a pooled desktop is yours while you are logged on, but is destroyed the second you log off. Gone are any customizations not stored in a roaming user profile or on a networked home drive. Installing applications? Possible, but futile. Configuration changes? Gone after a reboot.
The reason pooled desktops work this way is that they are not booted off individual virtual disk files. Instead, one master image is put in read-only mode and used for all desktops. Any changes (and some always occur, whether the user intends them or not) are written to a separate file, the so-called write cache. Each vendor has its own version of this technology. They work well, generally, but they all share the same disadvantage: whenever the master image needs to be updated, the write caches get out of sync with it and have to be discarded. With pooled desktops, user customizations survive at most until the next patch day.
That is a severe limitation and the vendors are well aware of it. To counter the shortcomings of the pooled VDI model, more software is added to the stack. The basic idea: if drive C: needs to be discarded whenever the master image is updated, why not use an additional drive D: for user apps and data? There are even solutions available where the system tries to determine automatically what needs to go to C: and what to D:. This generally works well, but it adds another layer to the stack and brings a lot of additional complexity. And such solutions are never compatible with all applications. There is always a certain percentage of apps that needs to be dealt with differently.
One thing we did not discuss yet is management. Most organizations have well-established tools and processes for managing physical PCs. VDI vendors ignore that. Their products are so revolutionary that traditional client management is not required any more, or so they think. You will be hard pressed to find terms like 'electronic software distribution' (ESD) on their websites. Yet many companies have considerable investments in both software deployment infrastructure and software packages.
An alternative to pooled virtual desktops
Is there no other path towards the future of the desktop than the pooled desktop route, adding multiple layers of complexity and forcing customers to relearn everything they know? A path where well-understood technologies are married with innovation, where existing software packages can be reused and administrators' skill sets do not become redundant overnight? There is: persistent VDI with optimized local storage.
Until recently there was a big downside to using local storage for virtualization: vMotion (or Hyper-V Live Migration) was not possible without shared storage, in other words a SAN. Luckily this has changed with the latest generation of hypervisors.
Think of a VDI machine as a PC. Manage it like a PC. Use the same tools and processes for physical and virtual PCs. That gets rid of most problems and leaves but one: storage. We cannot use a SAN to store hundreds or thousands of virtual disks, but we can use local storage. New enterprise SSDs like Intel's S3700 are easily fast enough for the 40 VDI machines a typical host supports. And they are finally inexpensive enough to put two of them in a RAID-1 configuration into each VDI host. With a size of 800 GB they are also large enough.
If you have been doing the math: no, I am not suggesting that 20 GB per virtual machine is enough for a modern desktop. It is not, of course. Windows 7 along with a typical set of locally installed applications requires disks of at least 80 GB, often more. 80 GB times 40 VMs amounts to a total required net capacity of 3.2 TB. To provide that capacity we can either add disks (even with 800 GB SSDs that means 8 disks per server in a mirrored setup, which is perfectly doable but might prove a little expensive) or be a little cleverer. If we were to take a good look at the 40 virtual disks stored per server, we would notice that their content is largely identical. If we could get rid of the duplicate bits, 800 GB of net storage capacity per server would be more than enough.
Deduplication as a technology has been around for a while. Nearly every SAN and NAS, and even Windows Server, is capable of storing multiple identical blocks only once. But with these devices deduplication is an afterthought: it runs post-process, at scheduled intervals, so the duplicate data has to be written in full first and the space is only reclaimed later. That is not good enough for VDI.
One company is doing it differently. Atlantis Computing has built their business around real-time deduplication. IO traffic from the VMs is moved through a virtual appliance that takes care of the deduplication (and reduces the number of IOs almost as a side-effect). This is the missing piece that allows us to serve persistent virtual desktops from local storage in an efficient manner. For more information see:
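To make the mechanism concrete, here is an added example of inline (real-time) block deduplication over a set of persistent virtual disks. It is written for this article and is not Atlantis code, nor a description of how their appliance is built. Assumptions: fixed 4 KiB blocks, SHA-256 content addressing, and synthetic disk contents in which 40 desktops are cloned from one Windows image and each differs from it in a handful of blocks.

```python
import hashlib

BLOCK = 4096  # fixed block size; real products may chunk differently

class DedupStore:
    """Content-addressed store: an identical block is written to disk only once."""

    def __init__(self):
        self.blocks = {}     # digest -> block bytes (the single physical copy)
        self.refcount = {}   # digest -> number of image blocks pointing at it
        self.images = {}     # image name -> ordered list of digests (the virtual disk)

    def write_image(self, name, data):
        """Ingest a whole virtual disk; each block is deduplicated as it arrives."""
        digests = []
        for off in range(0, len(data), BLOCK):
            chunk = data[off:off + BLOCK]
            digest = hashlib.sha256(chunk).digest()
            if digest not in self.blocks:
                self.blocks[digest] = chunk      # only new content costs an SSD write
            self.refcount[digest] = self.refcount.get(digest, 0) + 1
            digests.append(digest)
        self.images[name] = digests

    def read_image(self, name):
        return b"".join(self.blocks[d] for d in self.images[name])

    def delete_image(self, name):
        """Drop an image; a block is freed only when no other image references it."""
        for digest in self.images.pop(name):
            self.refcount[digest] -= 1
            if self.refcount[digest] == 0:
                del self.refcount[digest]
                del self.blocks[digest]

    def logical_bytes(self):
        """What the guests believe they own."""
        return sum(len(self.blocks[d]) for digests in self.images.values() for d in digests)

    def physical_bytes(self):
        """What actually sits on the local SSD."""
        return sum(len(b) for b in self.blocks.values())

    def ratio(self):
        return self.logical_bytes() / self.physical_bytes()

def synthetic_block(label):
    """Deterministic, distinct 4 KiB block derived from a label (constructed data)."""
    return hashlib.sha256(label.encode()).digest() * (BLOCK // 32)

def build_demo(n_desktops=40, os_blocks=64, private_blocks=3):
    """n persistent desktops cloned from one OS image, each with a few private blocks."""
    master = [synthetic_block(f"os-block-{i}") for i in range(os_blocks)]
    store = DedupStore()
    for vm in range(n_desktops):
        blocks = list(master)
        for k in range(private_blocks):       # profile, locally installed apps, page file ...
            blocks[-(k + 1)] = synthetic_block(f"vm{vm}-private-{k}")
        store.write_image(f"vdi-{vm:03d}", b"".join(blocks))
    return store

if __name__ == "__main__":
    s = build_demo()
    print(f"logical {s.logical_bytes() // 1024} KiB, physical {s.physical_bytes() // 1024} KiB, "
          f"ratio {s.ratio():.1f}x")
```

With the defaults, 40 desktops of 64 blocks each (2,560 logical blocks) occupy 181 physical blocks: the 61 shared OS blocks once, plus three private blocks per desktop. Two practical points carry over to real systems. First, the digest is trusted in place of a byte comparison, so the store is only as safe as the collision resistance of the hash; a cryptographic hash such as SHA-256 is the minimum, and some products verify the bytes on a digest match anyway. Second, dedup only finds identical blocks at identical offsets, so a guest partition that is not aligned to the block size turns identical files into different blocks and wrecks the ratio; check alignment before blaming the appliance.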
Replacing the SAN with local server storage has long been deemed too inflexible, too difficult to manage. Today it is a very interesting option that helps us deploy VDI the way it should be: as a true alternative to a physical PC.
About Helge Klein
Helge Klein (CTP and MVP) is an independent consultant and developer. He has worked in Citrix projects for various large German corporations and architected the user profile management product sepagoPROFILE whose successor is now available as Citrix Profile Management. Helge is also the author of the popular free tools Delprof2 and SetACL. Helge has presented at many conferences, including BriForum 2012 and Citrix Synergy 2011 and 2012.
Find out more about Helge here:
Send us feedback
Got comments or questions about VDI as an alternative to traditional desktop computing? Email us at email@example.com
This week's tip comes from reader Tony Gore who works at Aspen Enterprises in the UK:
NETGEAR make a range of devices for keeping malware out of your environment, with the UTM5 being the smallest and cheapest. Without subscriptions it is around $250 and the subscriptions are about $120 per year. There are three subscriptions available -- the AV, antispam and URL. The URL blocking is impressive -- sometimes a few pages browsing Google can result in a few hundred blocked URLs. It is pretty good at protecting you from drive-by downloads:
As an aside, there is no "per user" licensing of the protection, so for low use, large user networks it can be very cost effective. It is also a decent idea for cheap and easy protection of a "guest" network.
For personal use, Sophos have free UTM software to put on an old PC:
Contact me at firstname.lastname@example.org if you have a tip you'd like to share with our readers.
This week we have a couple of announcements from the Microsoft Virtual Academy:
New Microsoft Virtual Academy Course: Windows Server 2012 Essentials
Learn to deploy, manage, and use the powerful features and technologies of Windows Server 2012 Essentials with a free course from Microsoft Virtual Academy:
Microsoft Tools for VMware Integration & Migration Jump Start
Free half-day online Jump Start on March 14, 2013 8:00am-12:00pm PST featuring Technical Evangelist Symon Perriman and Principal System Center PM Lead Eric Winner, who will deliver best practices and insights on how to manage, monitor and automate VMware using System Center 2012. Register online today!
"Don't punish yourself for the past, aim towards the future." --Mitch Tulloch
For more nuggets of wisdom from me about business and life, follow me on Twitter:
Until next week,
BTW feel free to:
Note to subscribers: If for some reason you don’t receive your weekly issue of this newsletter, please notify us at email@example.com and we’ll try to troubleshoot things from our end.
Email Archiving made easy – Exclaimer Mail Archiver provides you with all the benefits of email archiving in a package that’s simple to install, easy to maintain and low cost to own.
Download SolarWinds free WMI Monitor to monitor any Windows® application or server, giving you amazing insight into real-time performance with a slick desktop dashboard!
Accelerate Citrix XenDesktop and VMware View VDI deployments using Atlantis ILIO:
PLANNING A CONFERENCE OR OTHER EVENT you'd like to tell our 100,000 subscribers about? Contact firstname.lastname@example.org
Lead the way into the cloud-centric IT job market with industry panelists that include Paul Thurrott and Mark Russinovich. Register today for this broadcast event on March 12, 2013, 8:30 am PST and enter to win an Acer tablet!
PLANNING A WEBCAST you'd like to tell our 100,000 subscribers about? Contact email@example.com
We'll start with some links to some VDI products and solutions:
Pooled VDI is also available as a built-in solution in Windows Server 2012 as the following blog post describes (Ask the Performance Team Blog):
For additional discussion of persistent vs. non-persistent VDI, see the following post on Rob's Blog (VirtualDesktopManagement.net):
If you're planning on implementing a VDI solution using Windows 7 running on Windows Server 2008 R2, make sure you read through the following best practices information (Group Policy Central):
Note that VDI isn't always the best approach and sometimes plain old session virtualization can work better (BizTech Magazine):
Now on to some other stuff...
This first part of a new series of articles by Scott Lowe discusses the discovery and client deployment processes (WindowsNetworking.com):
Containerization separates the business and personal use of smartphones and tablets (BizTech Magazine):
David Davis demonstrates that networking doesn't have to be expensive or complex. There are fewer network devices in the datacenter. Now, the network is in the software (WindowsNetworking.com):
Many organizations are purchasing the right gear, deploying the right technologies, but still forgetting the policy creation process (Data Center Knowledge):
DameWare Remote Support was selected the winner in the Remote Control category of the WindowsNetworking.com Readers' Choice Awards. EMCO Remote Desktop Professional was runner-up while Smart-X ControlUp and VNC Enterprise Edition were second runners-up (WindowsNetworking.com):
Corporate leaders share reasons for migrating to virtualized infrastructure (BizTech Magazine):
In this article Derek Melber looks into ways to help you with your quest to get your Windows Server 2008 R2 domain controllers up and running smoothly (WindowsNetworking.com):
Many organizations are expected to explore the hybrid cloud this year, but that doesn't mean they fully understand it. In fact, most are unclear on the fundamentals of this dynamic cloud model. Inside this tip, learn how to define the hybrid cloud and review the top advantages it can offer.
While thin clients may be the most popular endpoint devices used to run VDI sessions, they aren't your only option. Access this tip to explore insights on three alternatives – zero clients, tablet PCs and smart clients – and review the pros and cons of each so you can determine which is best for your business.
Many IT pros are hesitant to leverage Infrastructure-as-a-Service (IaaS) providers, and as a result, they're missing out on a number of benefits. Find out what IaaS can offer your organization and why your enterprise IT department should embrace this evolving trend.
While there are some common concerns regarding cloud-based backup, when leveraged effectively, it can offer a number of key benefits. Inside this guide, explore insights on the top VMware backup options available in the cloud market and find out whether this approach is right for your business.
GOT FUN VIDEOS or other fun links to suggest you'd like to recommend? Email us at firstname.lastname@example.org
How single cats were spending Valentine's Day:
The million dollar 650-horsepower Ferrari Enzo is not usually driven as a rally car ...
Skier employs a backflip to outrun an avalanche during the Swatch Skiers Cup 2013 in Zermatt, Switzerland:
An amazing performance of "Shadowland" by the Pilobolus Dance Troupe:
And here's one from Tapani Laiho from Finland that shows cart racing on ice:
Mitch Tulloch is Senior Editor of WServerNews and is a widely recognized expert on Windows administration, deployment and virtualization. Mitch was lead author of the bestselling Windows 7 Resource Kit from Microsoft Press and has published hundreds of articles for IT pros. Mitch is also a seven-time recipient of Microsoft's Most Valuable Professional (MVP) award for his outstanding contributions in support of the global IT pro community. Mitch owns and runs an information technology content development business based in Winnipeg, Canada. For more information see www.mtit.com
Ingrid Tulloch is Associate Editor of WServerNews and was co-author of the Microsoft Encyclopedia of Networking from Microsoft Press. Ingrid is also Head of Research for our content development business and has co-developed university-level courses in Information Security Management for a Masters of Business Administration program.