Business Process Desktop VALIDATED DESIGN GUIDE


Post on 19-Jun-2020


Table of Contents

About the Validated Design Guide
Introduction
Audience
Business Case
What is a Business Process Desktop?
Design Overview
Security and Compliance
Management
Scale On Demand
User Profiles
Overview of Architecture
Logical Design
Key Components of the Architecture
Core Components
VMware View
VMware vShield Edge, App and Endpoint
Restore and Backup
Additional Components:
Validation Configuration
Overview of Workload Profiles
Single Namespace and Load Balancing
RADIUS Integration for user authentication
RADIUS Two Factor Authentication
vShield Edge, App, and Endpoint Deployment
Using vShield App with Data Security
Network Configuration
Storage Configuration
High Availability with Backup and Restore
DFS Replication Between Sites
Networking
User Access
Monitoring
Summary
Appendix A: Performance Validation Methodology


About the Validated Design Guide

VMware’s Validated Design Guides provide an overview of the solution architecture and implementation. The validated designs and solutions have been created through architectural design development and lab testing.

The guide is intended to provide guidance for the introduction of proof of concepts, emerging new technology and architectures, as well as enhancement of customer use cases.

The Validated Design Guides:

• Incorporate generally available products into the design

• Employ repeatable processes for the deployment, operation, and management of components within the solution.

Validated Designs are tested for a specific use case or architectural practice on a limited scale and duration. These guides ensure the viability of theoretical designs or concepts in real world practices.

The Validated Design Guides provide an overview of the solution design and implementation guidance that includes:

• Use cases that are catered to the design

• Products that were validated as part of design testing

• Software that was used for each component of the design

• Configurations used to support the design test cases

• A list of design limitations and issues discovered during the testing


Introduction

This Validated Design Guide provides you an overview of the Business Process Desktop solution. The architecture uses products from VMware and its ecosystem of partners to build a comprehensive desktop solution for centrally managing offshore and outsourced workers.

Leveraging VMware and 3rd party technology, the VMware Business Process Desktop is designed to meet specific requirements for managing and enabling offshore or outsourced workers, including data backup, restore, data encryption, security, endpoint device management, and WAN optimization.

This document will provide an overview of the various requirements, the logical solution architecture and the results of the validation. The solution is not exclusive to the products tested within the architecture and is intended as a blueprint design which customers and partners can use as a ‘toolkit’ to pick and choose components with their preferred vendors.

Audience

This document is intended to assist solution architects, sales engineers, field consultants, advanced services specialists and customers who will configure and deploy a Business Process Desktop solution.

For more information on contact center and unified communication solutions, please refer to On-Demand Call Center with VMware View.

Business Case

The VMware Business Process Desktop enables organizations looking to offshore or outsource processes to remote or third party locations to:

• Increase security and compliance by centralizing business-critical information

• Simplify and centrally manage desktops to drive down operational expenses

• Improve SLAs by ensuring fast, easy and uninterrupted access to data and applications for end users across the WAN

• Ensure desktops are backed up, data is easily retrievable and desktops can be delivered on demand as a service to support changing business dynamics and requirements.


What is a Business Process Desktop?

Increasingly, organizations across the globe are turning to outsourcing to improve SLAs, increase operational efficiencies and drive down costs. Whether it is outsourcing non-core activities or combining internal teams with outsourced teams for collaborative design, development, engineering, or manufacturing, outsourcing provides an attractive vehicle for getting work done in today’s economy.

Popular functions that are being outsourced today include enterprise services such as HR, legal and finance, customer management through third party contact centers and testing and development work.

A snapshot of the various outsourced segments of a typical enterprise is below:

Figure 1: Outsourced Enterprise Segments

This design guide addresses outsourced or offshored enterprise services. It does not provide guidance around design considerations for customer management implementations.

Enterprise services, for the purpose of this document, have been broken into two categories:

1. Enterprise Offshore Desktops (owned by corporate enterprise to service application developers and offshore IT testing). These end users require:

• Corporate quality, hi-fidelity desktop to be used by power users.

• Access to many complex applications

• Requirement for high resolution graphics

• Higher storage and network requirement

2. Enterprise Offshore Desktops (outsourced to 3rd party backoffices that can be offshore or local). These end users require:

• Conventional desktops used primarily by process workers with low to medium desktop complexity

• Desktops with access to limited set of 5-8 applications to deliver the services.

• Desktops with low to medium hardware resource utilization in terms of CPU, memory, network and storage.

• Desktops with no dependency on communication resources like softphone or VOIP


Design Overview

The design enables you to address the following requirements for the outsourced/offshored desktops:

• Security and Compliance

• Centralized Management

• Management Data backup and recovery

• Scale on Demand

Security and Compliance

• Single namespace and global load balancing

• Centralized management

• Management data backup and recovery

• The ability to scale on demand

In the business process desktop design, there are multiple VMware View virtual desktop instances, and as a result there is a requirement for a simplified user access strategy to route users to their appropriate sites and ensure security and auditing at the network edge.

To achieve this, a global single namespace and load balancing solution is deployed to handle global incoming traffic for desktop connection.

The access infrastructure allows us to direct all users to a central point for connection; there we can evaluate the security requirements based on credentials, then redirect the connection to the appropriate site and initiate the connection with the correct desktop.

This also allows us to redirect in the event of maintenance or outage, and scale out to new sites transparently to the user population. To further enhance security, RADIUS was implemented in the VMware View brokering layer to provide 2-factor challenge authentication to the users and groups requiring robust security features.

VMware virtual infrastructure can be easily augmented with the vShield suite of security products, vShield App, vShield Edge and vShield Endpoint.

In this design we leverage vShield App to provide a hypervisor based application aware firewall to protect and monitor intra-VM communications. This allows us to provide policy based access for the different “zones” in the infrastructure, limit or block intra-VM communication and provide reporting for compliance. For secure 3rd party access, vShield Edge enabled VPN will be open on demand.

Security from malware for the virtual desktop and infrastructure services in the design is of paramount importance. To provide a scalable and high performing solution we leverage vShield Endpoint, which allows us to offload security tasks such as scanning and on-access protection to a security virtual machine on each ESX host. This optimizes the process by taking the processing overhead out of the virtual machines and placing it on the hypervisor, allowing us to accommodate the performance requirements in the sizing process. By having ‘out of band’ security process and management we can realize much greater efficiency and control with respect to our virtual machines.

For monitoring and compliance we implemented vCenter Operations Manager (vCOps) for View, which includes vCenter configuration manager to ensure compliance in the environment.


Management

• User and persona management

• Desktops and applications

• PCoIP optimization for WAN remote access

• Distributed vCenter (linked mode) and vCOps for View (V4V)

As a requirement of the stateless desktop architecture we implemented Persona Management, a VMware View feature, to roam user desktop and application specific data and settings. In concert with standards based practice around folder redirection, we have enabled a user to roam to any desktop in any site and have their corporate and personal data delivered to the desktop. Applications are virtualized using VMware ThinApp and assigned to users leveraging existing Microsoft Active Directory best practice with Group Policy preference extensions.

In some circumstances users in the business process desktop solution may have to traverse a WAN in order to connect to their View desktop. In order to optimize the user experience PCoIP tuning policies were implemented in the Active Directory to ensure the best possible experience with constrained bandwidth.

In this distributed configuration, the last thing you want to deal with is multiple granular management consoles or dashboards. vCOps for View helps provide a single pane of view into your complete corporate operations, from security and compliance to the health of the desktop infrastructure.

Scale On Demand

• Stateless architecture

• Modular sizing for linear scaling

• Performance

In the business process desktop design, we deployed VMware View infrastructure to support users at both the HQ Datacenter and Corp colocation datacenter sites.

In both sites the virtual desktop infrastructure is based on the VMware View reference architecture for stateless virtual desktops.

By leveraging the stateless design we give the maximum possible flexibility for partners and customers by providing a pre-sized and pre-validated building block or blueprint which can be followed to accelerate the design phase of a virtual desktop deployment.

The stateless design allows a customer or partner to right size the virtual desktop design first time and scale out incrementally by deploying more “blocks” as needed. This allows for a standardized and repeatable deployment strategy that scales up and down in line with capacity requirements.

By using this blueprint as a basis for your deployment, capacity and performance scale proportionately to user capacity.

After reviewing the solution features, the following sections will provide a quick snapshot of the user profiles and what their daily workload routine looks like.


User Profiles

In a typical organization, there are multiple user profiles with unique requirements. This solution architecture caters to the following user profiles within the Business Process Desktop use case. These can all be fulfilled using the stateless desktop design.

USER PROFILE | CHARACTERISTICS

Productivity Task Workers

Workers who participate in a limited number of business processes in a clearly defined fashion. Examples would include most back-office administrative functions, like accounts payable. Outsourced functions often match this profile. These users typically need access to a small number of applications (<10) in a controlled and managed fashion. They are unlikely to be mobile, but might work from more than one fixed location. They will have little autonomy in the way they can access processes (applications) and data.

Content/Media worker/Software developer (offshore)

Workers with a high level of expertise in an area of creativity or science that requires detailed manipulation of content. These are traditional power users. Examples include engineers, graphic designers and some developers. They typically require a narrow, but specialized portfolio of applications. They are unlikely to be mobile and will normally work from a single, fixed location. They will also need some level of control over how they access applications and data, but not full administrative control and may be ring-fenced from other corporate functions. They will require high levels of computation capability and graphical display. They may also require specialized peripheral devices.

Communications Task Workers (covered in the Unified Communications with View solution design; not part of this architecture)

Workers with a front line customer or colleague facing activity that they execute in a clearly defined fashion. Examples include call centers, retail assistants. In technology terms, they will typically use only one or two applications, but require access to rapid communication and collaboration capabilities. These capabilities may be multichannel. They are unlikely to be mobile, but might work from more than one fixed location. They will have little autonomy in the way they can access processes (applications) and data.

These three business user profiles can be transposed to 2 distinct user workload profiles as listed below:

USER PROFILE | REQUIREMENTS

Task Worker
Application Profile: MS Office, Adobe, IE, Firefox, Chrome, Outlook, Corporate Apps, Antivirus
Network Profile: LAN (remote office LAN); UC traffic over WAN
Security Profile: Audit capability, Antivirus and Data Loss Protection

Knowledge Worker
Application Profile: MS Office, Adobe, IE, Firefox, Chrome, Outlook, SaaS Apps, Windows Apps, multimedia players (Flash etc), Antivirus, WebEx
Network Profile: LAN (remote office LAN)
Security Profile: Audit capability and GPO settings for UX policy; Antivirus and Data Loss Protection
Other: Multi-monitor; print to nearest printer

The validated design in this document supports the unique requirements of these user profiles and also helps the IT team manage the environment securely.


Overview of Architecture

In the Business Process Desktop design there are multiple View deployments at various corporate owned, corporate leased and 3rd party sites. It is imperative to have a robust security and back-up infrastructure, which includes role based access and administrative privileges. Each site is built per the View best practices guide, with emphasis on inter-site connectivity and enhancing user experience through Single Namespace and WAN optimization. Within each site, the infrastructure consists of 2 clusters: management and virtual desktop clusters. The management infrastructure is typically separated from the virtual desktops for scalability purposes, as depending on the needs of the business, another virtual desktop pod can be added to the existing infrastructure to scale up. In addition to the above, a 3rd cluster can be created to host all the applications.

The architecture uses the Corporate owned datacenter (enterprise headquarters) as the main site to host all management components. vCOps provides very efficient management of the entire infrastructure from one site. The unified communications infrastructure will also be in the enterprise headquarters and will be shared across all the sites. We will go through the design based on the requirements.


Logical Design

The following diagram shows the logical topology for the Business Process Desktop solution:

Figure 2: Business Process Desktop Reference Architecture

[Diagram: three sites (Corp HQ, Corp CoLo, Third-Party CoLo), each labelled with AD, vC, RADIUS, SSO, CA and VMware View desktops (Knowledge and Task Worker desktops at Corp CoLo, Stateless Task Workforce at Third-Party CoLo). Other component labels: BACKUP, DLP, vCOps, AV, ALTIRIS, ENCRYPT. Image Replication and User Files Backup run between sites over links labelled 100Mbps/100ms and 24Mbps/250ms. Single Namespace Access: Layer 7 Load Balancer for View Security and Connection Servers, between the External Network and the Internal Network.]

The design assumes 3 sites, to simulate a corporate headquarters (enterprise owned facility), corporate colocation center (enterprise leased) and 3rd party remote colocation center (3rd party owned or leased). The enterprise HQ hosts all the management components like vCOps etc (Call Manager for Unified Communications will be hosted in the enterprise headquarters although this is not covered in this paper). The 2 remote sites, the Corporate Colocation center and the 3rd party Colocation center, host the full View infrastructure to be self-sufficient and cater to the local user requirements. All critical data, including Persona and profile data in the remote sites, is backed up to the datacenter in the enterprise headquarters.

Each site consists of two discrete virtualized environments, for management and virtual desktop services respectively.

The management cluster includes all vSphere and View related management infrastructure and the Virtual Desktop Cluster hosts all the virtual desktops.

The VDI infrastructure is based on VMware’s reference architecture for stateless virtual desktops. One of the design drivers behind keeping the VDI infrastructure separate is to allow the virtual desktop platform to be scaled up as necessary, independently of the management infrastructure.

All the components in this validated design guide were installed and configured following VMware and vendor best practices.


Key Components of the Architecture

Though the architecture is vendor agnostic, below is a list of components that are part of the architecture:

Core Components

vSphere including vCenter: The solution is built on top of vSphere, the industry leading virtualization platform. There are many benefits to using the vSphere platform and more information on the platform can be found at www.vmware.com/products/vsphere.

VMware View

VMware View simplifies desktops and applications by moving them into the cloud and delivering them as a managed service. With VMware® View™ and ThinApp™ IT can grant or restrict access to desktops, data, and applications based on endpoint device configuration, network location, and user identity. More information on VMware View can be found at www.vmware.com/products/view

VMware vShield Edge, App and Endpoint

VMware vShield provides best in class security to the virtual desktop environment. vShield Endpoint with the Hypervisor based AntiVirus protection (from our leading AV vendors) provides tremendous benefits in terms of management and ease of use for the environment. In addition, vShield App and vShield Edge products add security to the environment. More information on the vShield line of products can be found at www.vmware.com/products/vShield

Restore and Backup

Backup and Restore feature is added as a core component in this design to protect the data at remote sites and to provide fail-over capabilities if a site goes down. This design incorporates two types of backup: Image-level protection and Guest-level protection. Image-level protection enables backup clients to make a copy of all the virtual disks and configuration files associated with the particular virtual desktop in the event of hardware failure, corruption or accidental deletion of a virtual desktop.

Guest-Level protection runs like traditional backup solutions. Guest-level backup can be used on any virtual machine running an operating system with the backup agent installed. It enables fine-grained control over the content and inclusion and exclusion patterns. This can be leveraged to prevent data loss due to user errors, such as accidental file deletion. This allows for the end-user to recover their data themselves.

User Experience: User experience, though qualitative, is included as one of the core requirements of the solution. User experience in this design is enhanced by providing single namespace access to all the sites, and by providing a similar or better experience than traditional PCs using PCoIP.

vSphere and vCenter: The solution is built on top of vSphere, the industry-leading virtualization platform. There are many benefits to using the vSphere platform and more information on the platform can be found at www.vmware.com/products/vsphere.

Additional Components:

Management: With the environment spread across multiple sites, streamlined management and single pane dashboard become a necessity for IT to effectively manage the BPD environment. VMware vCOps for View, in the enterprise headquarters, provides the management infrastructure required for the entire environment, including the remote sites. More information on VMware vCOps can be found at http://www.vmware.com/products/desktop_virtualization/vcenter-operations-manager-view/overview.html


Compliance: One of the key requirements of many vertical industries is the ability to manage compliance to various industry regulations. The DLP is included in the vShield Manager and comes with the compliance template. You can also have the option to use vCenter Compliance Manager (vCM) in vCOps for further governance guidance.

The next section of the document details the architecture as it was built for testing within the lab environment at VMware.

Validation Configuration

The solution implemented in the lab was sized to scale to thousands of desktops per the sizing guidelines provided in the reference architectures published. The architecture was built in ‘pods’ or ‘building blocks’ to be scaled easily. For the functional testing aspects, the solution was implemented with 250 desktops and was deployed on the following hardware in the validation.

Lab Equipment List

PRODUCT | FUNCTION / DESCRIPTION / VERSION
Servers | 2U server with 2 Intel Xeon E52620 2GHz processors, 128GB RAM; 1U server with 2 Intel Xeon E75645 2.4GHz processors, 96GB RAM (Colocation 1); 1U server with 2 Intel Xeon E75645 2.4GHz processors, 96GB RAM (Colocation 2)
Storage | nimble storage 260 24Tb (HQ); nimble storage 210 4Tb (Colocations); iSCSI storage array, Raw Disk Capacity: 8TB, Raw Flash Cache 160GB, 24GB RAM, 4 – 1GbE network ports
Networking | Unmanaged layer 3 – 10/100/1000 48 port switch

Solution Components

PRODUCT | FUNCTION / DESCRIPTION / VERSION
vSphere | 5.0.1
vSphere with vCenter | 5.0
VMware View with Persona Management | 5.1
VMware View Composer | 3.0
vShield Edge, App, and Endpoint | 5.1
SSO with RADIUS | Safenet Authentication Manager v6.1.7
Desktop Antivirus | McAfee MOVE anti-virus
Backup and Restore | EMC Avamar 6.1
Storage Replication | Microsoft Distributed Files System (DFS) Replication


Optional Components

PRODUCT | FUNCTION / DESCRIPTION / VERSION
vCOps for View | 1.0
Load Balancer | F5 BigIP GTM LTM APM
Liquidware Lab | FlexApp
Data security | vShield Manager DLP with Compliance configuration

Overview of Workload Profiles

For solution validation in the lab, VMware View Planner was used for the testing with standard workloads, and the mapping of the workloads with the various user profiles is given below:

Figure 3: Workload Profiles


Single Namespace and Load Balancing

To provide single namespace access to the users, a load balancer solution is deployed in all the sites. An overview of the single namespace workflow is provided below:

Figure 4: Single namespace using F5 global traffic management

[Diagram labels: Home Office, Remote Office, Foreign Office and Local LAN clients; BIG-IP Access Policy Manager; BIG-IP Global Traffic Manager; BIG-IP Access Policy Manager + Local Traffic Manager; WAN; Data Center with View Connection Servers and Centralized Virtual Desktops; Encryption (DTLS or SSL); Natively Encrypted PCoIP.]

With the single namespace design using a mixture of load balancers, users globally can use a single URL to get to their virtual desktops. This provides a seamless user experience since the user always connects to the same URL, but is provided with a desktop that is geographically local to the user.

All the clients are configured to access the same URL. The URL terminates at the load balancer, and depending on the IP and other parameters, the connection is forwarded to the preferred datacenter by the load balancer.


RADIUS Integration for user authentication

RADIUS Two Factor Authentication

VMware View supports a variety of two-factor authentication devices including RSA SecurID, RADIUS compliant One-Time Password token, contacted/contactless card, and smart cards. This architecture employed the RADIUS authentication feature in View 5.1 using SafeNet RADIUS server to authenticate all users.

Once the RADIUS client is added to the server, it was paired with the View Connection Server using the View Admin dashboard, by editing the Connection Server settings in the Admin page, and adding the RADIUS authentication in the “2-factor Authentication” drop down menu in the “Authentication” tab.

The RADIUS server information was populated using the “Create New Authenticator” button. This provides enhanced authentication using One-Time Security Protocol (OTSP).

The RADIUS configuration difference at Business Process Desktop over VMware Mobile Secure Desktop is the multiple sites and server instances configuration.

On your Windows Server machine with RADIUS enabled and your preferred RADIUS enabled 2FA vendor software installed, you will need to add a RADIUS Client to connect to the View Connection Server. Load the Windows Server Manager folder, and navigate to the Roles section -> NPS (Local) -> RADIUS Clients and Servers -> RADIUS Clients. Click on “Configure RADIUS Clients”.

Figure 5: RADIUS Client Configuration


You will see the prompt to add a new RADIUS Client. Fill in the details below.

Figure 6: Add Client

Leave the defaults, and fill in the appropriate details below for your environment and press “OK”.

Figure 7: Client Settings

NowyouwillseethenewRADIUSClientaddedtoyourlistofclients.NextyouwillneedtogointotheVMwareViewAdmindashboardinordertopairyourRADIUSservertoyourViewConnectionServer.

From the VMware View Administration page, you will want to go to Servers -> Connection Servers and then click on the Connection Server you wish to pair with your RADIUS Client. Then click on the “Edit...” button.

Now you will navigate to the Authentication tab.

Figure 8: Authenticator Settings

Next, choose RADIUS from the “2-factor authentication” dropdown menu.

Figure 9: Configure RADIUS in View management console

Click and check the two boxes “Enforce 2-factor and Windows user name matching” and “Use the same user name and password for RADIUS and Windows authentication”. Under Authenticator, choose “Create New Authenticator”, which will launch a new dialog box. Follow through the application dialog and fill in the appropriate fields for your environment and RADIUS server.

Then click on ‘Next >’ and enter a secondary authentication server if desired.

Now your authenticator should show up in the Authentication window.

Figure 10: Advanced Authentication

Click OK and now open the View Client to test out your RADIUS Server.

As you can see, after connecting to our View Connection Server, it is prompting us for our RADIUS PrefVendor Authenticator passcode. Enter your credentials and enjoy the completion of pairing RADIUS 2FA to VMware View Connection Server.
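The pairing above only works when the RADIUS client entry on the server and the authenticator defined in View hold the same RADIUS shared secret. The following is an added example, not part of the original guide or of any VMware or vendor code: it assumes the PAP authentication type and uses constructed names and secrets to show RFC 2865 passcode hiding and why a mismatched secret makes the client reject every reply.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IDENTIFIER = 1, 2, 32


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: XOR the padded password with an MD5 keystream."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, previous = b"", request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + previous).digest()
        previous = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        hidden += previous
    return hidden


def attribute(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(user, passcode, secret, nas_id, identifier, request_auth):
    """Access-Request as a RADIUS client (the Connection Server role) sends it."""
    attrs = (attribute(ATTR_USER_NAME, user)
             + attribute(ATTR_USER_PASSWORD, hide_password(passcode, secret, request_auth))
             + attribute(ATTR_NAS_IDENTIFIER, nas_id))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + request_auth + attrs


def response_authenticator(code, identifier, attrs, request_auth, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """True only if the reply was produced by a server holding the same shared secret."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    code, identifier = packet[0], packet[1]
    expected = response_authenticator(code, identifier, packet[20:], request_auth, secret)
    return hmac.compare_digest(expected, packet[4:20])


def demo():
    # Constructed sample values; none of them come from the design guide.
    secret, request_auth = b"example-shared-secret", bytes(range(16))  # random in production
    request = build_access_request(b"bpduser01", b"123456", secret, b"view-cs-hq", 7, request_auth)
    # Constructed Access-Accept, as a RADIUS server holding `secret` would return it.
    reply = (struct.pack("!BBH", ACCESS_ACCEPT, 7, 20)
             + response_authenticator(ACCESS_ACCEPT, 7, b"", request_auth, secret))
    return (len(request),
            verify_response(reply, request_auth, secret),
            verify_response(reply, request_auth, b"typo-in-secret"))


if __name__ == "__main__":
    print(demo())
```

Because the passcode is protected only by an MD5 keystream derived from the shared secret, the secret should be long and random, and unique per RADIUS client.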

vShield Edge, App, and Endpoint Deployment

This diagram shows how the vShield App was set up for communication between the Management Components and the Desktop Pools. This configuration is repeated at each site.

Figure 11: Use vShield App to provide access policy among different functional groups

For the zoning concept, the corporate-owned colocation datacenter is regarded as the same zone as the corporate datacenter. You can use Active Directory policy or standard Layer 2 network security practices for this security zone. For the 3rd party colocation datacenter, use vShield Edge to establish a VPN for image replication and user file backup from site to site.

vShield Edge allows us to control at a granular level the application traffic flows between discrete components. vShield Edge was used to segregate the management cluster from the desktop cluster at each site. It can also be used to segregate pools of desktops which have stringent security requirements (e.g. a 3rd party contract worker pool).

vShield App was used as a load balancer for the internal View Connection Managers, used exclusively by users within each site’s local network.

VMware vShield Endpoint offloads virtual desktop antivirus and anti-malware scanning operations to a dedicated secure virtual appliance delivered by VMware partners. Offloading scanning operations improves desktop consolidation ratios and performance by eliminating antivirus storms, while also streamlining antivirus and anti-malware deployment and monitoring and satisfying compliance and audit requirements through detailed logging of antivirus and anti-malware activities.

Using vShield Edge for VPN between Sites

In an outsourcing configuration, a VPN is opened to allow desktop image replication and continuous backup of all data and files in the colocation sites.

Role of vShield Endpoint

http://www.vmware.com/products/vshield-endpoint/overview.html

VMware vShield™ Endpoint provides industry standard APIs to optimize antivirus and anti-malware security for virtual environments via integration with VMware partners. VMware vShield Endpoint allows security technology partners to offer more efficient antivirus and anti-malware protection for virtual hosts, including VMware View desktops. You can offload antivirus and anti-malware functions from individual virtual machines to a centralized secure virtual appliance.

Using vShield App with Data Security

Deploying vShield App with Data Security provides the ability to scan for sensitive data across our entire virtual infrastructure. It includes predefined templates for country- and industry-specific regulations and will provide reporting of found violations.

Figure 12: Selecting compliance profiles such as PCI-DSS

Figure 13: Dashboard displays the compliance profiles enabled.

Figure 14: Dashboard showing violations as a result of compliance scanning.

After walking through the modular designs, the following section will review the general storage, network and compute design.

Network Configuration

In the Business Process Desktop design, networking in each site has a similar configuration in each datacenter. The lab configuration is shown below.

Figure 15: Network design in a single site

Storage Configuration

In the Business Process Desktop design, storage is one of the key elements to ensure user experience and provide backup and restore capabilities for remote sites. In the lab validation, a traditional View pod design is followed, with the Management VMs (including AD, View Security Server, vShield, vCOps, etc.) located in the iSCSI datastore and the virtual desktops in the SSD datastores. The virtual desktops can also be in the FC datastores with the replicas in the SSD (high read capacity) datastores. The user data and persona files are located in the NFS datastores.

High Availability with Backup and Restore

From the colocation datacenter, user files and data are replicated back to headquarters storage. Folder redirection is accomplished using Microsoft AD GPOs. The GPO maps the end user’s “My Documents” folder to a DFS global namespace. Microsoft DFS Replication is used here.

Since continuous access to desktops is a critical need for the business process function, this design incorporates high availability features along with backup and restore for all the critical VMs and master images.

Along with the single namespace configuration, each site is also configured to support users in other sites in case of a failover. The load balancer is configured to route the incoming connections to the closest site, but if that site fails, it routes all the connections to the headquarters.

For quick fail-back, the management VMs at the remote sites are backed up at regular intervals to a local backup appliance and also to the headquarters. This will help restore the site quickly in case of a failover.

To ensure image consistency, the master image is maintained at the corporate headquarters and replicated to the remote sites. Changes to the master image are usually kept to a minimum.

The configuration is segregated by the type of VMs to facilitate remote backup and local backup. The management VMs are typically backed up for immediate restore, using a local backup appliance. In the validation, EMC’s Avamar appliance was used to back up all the management VMs.

In this lab validation, EMC Avamar Virtual Edition is deployed and managed from Corporate HQ. Avamar provides the ability to do both guest-level and image-level backups. In our implementation we take advantage of guest-level backup across the HQ and corporate colocation sites.

Figure 16: Avamar New Client

Figure 17: Configure VM level backup including scheduling

Figure 18: Backup initialized

Installation, configuration, and best practices for EMC Avamar can be referenced from the following guides:

• EMC Avamar Virtual Edition 6.1 Installation Guide

• EMC Avamar Virtual Edition 6.1 Administration Guide

• Whitepaper: Backup and Recovery for VMware Environments with Avamar - A Detailed Review

The user data, located in the NFS datastores, is replicated from the remote sites to the corporate headquarters. This is done to ensure high availability in case of any site failure. The master image is usually replicated from the corporate headquarters to the remote sites to ensure image consistency.

DFS Replication Between Sites

Distributed File System (DFS) is a set of client and server services that allows an organization using Microsoft Windows servers to organize many distributed SMB file shares into a distributed file system. DFS provides location transparency and redundancy to improve data availability in the face of failure or heavy load by allowing shares in multiple different locations to be logically grouped under one folder or DFS root.

DFS has two major logical components. First, DFS namespaces provide an abstraction layer for SMB network file shares, allowing one logical network path to be served by multiple physical file servers. Second, DFS supports the replication of data between the servers using DFS Replication (DFSR). For this solution design, a domain-based DFS namespace was used to store user data, and DFSR was used to replicate the files across sites to ensure user access during a site outage.

A domain-based DFS namespace stores the DFS configuration within Active Directory. The DFS namespace root is accessible at \\domainname\<dfsroot> or \\fq.domain.name\<dfsroot>. The namespace roots do not have to reside on domain controllers; they can reside on member servers. If domain controllers are not used as the namespace root servers, then multiple member servers should be used to provide full fault tolerance.

DFS Replication from Microsoft is an efficient, multiple-master replication tool that you can use to keep folders synchronized between servers across limited-bandwidth network connections. It replaces the File Replication Service (FRS) as the replication engine for DFS Namespaces, as well as for replicating the Active Directory Domain Services (AD DS) SYSVOL folder in domains. The configuration below shows the mapping for the View Persona share in DFS.

Figure 19: Setting up DFS in Windows 2008 Server

After selecting the role services for DFS Replication and DFS Namespaces, in the Business Process Desktop scenario, you can map the DFS namespace to something like \\bpd.local\bpdcorpdata to replicate user files from the colocation datacenters.

Figure 20: File Share Mapping in DFS Configuration

Figure 21: Lab DFS Configuration

For more information on Microsoft DFS, please refer to http://technet.microsoft.com/en-us/library/cc771058.aspx

Networking

vSphere Distributed Switch (vDS) was used in the solution validation to simplify the configuration of various sites. VLANs were used to segregate management, virtual desktop and UC traffic. All uplink ports were configured as VTP trunk ports into the vSphere hosts, and the networking was then broken out at the virtual distributed switch level.

User Access

In the business outsourcing scenario, given the significant risk posed by the need to share proprietary and confidential information across widely geographically dispersed third parties, it is even more critical than ever to route the users to their designated workspace. In this design, the user experience is enhanced by collocating the View infrastructure geographically local to the users, and by providing high availability, single namespace access and (optionally) WAN acceleration to enhance TCP traffic between sites.

This Business Process Desktop logical diagram shows how each software component was deployed on each host within a site. All sites contain a full View infrastructure to cater to the users local to that site. The infrastructure is replicated across all the sites. Depending on the size and the needs of an organization, existing AD infrastructure is used or a new (child) AD is created.

For the corporate owned colocation center and the 3rd party center, in addition to the standard host configuration, the site also includes a backup VM and, optionally, a WAN accelerator for the TCP traffic.

In all the sites, the infrastructure components are configured in the Management cluster and the virtual desktops are in the Virtual Desktop cluster.

For the validation, a separate AD and DNS infrastructure was created for all the sites. The management cluster in all the sites includes two AD VMs for redundancy, a Virtual Center server with SQL VM and a RADIUS server for authentication.

The cluster also includes standard View components like View Connection Manager, View Security Server and a standalone View Composer.

Monitoring

VMware vCenter Operations Manager (vCOps) for View extends the trusted analytical capabilities of the vCenter Operations Manager product family to the View desktop environment. vCOps for View focuses on the virtual desktop end users’ experience, providing monitoring and management of performance metrics critical to superior View user performance. vCOps for View monitors the View desktop, as well as all of the supporting elements of the virtual infrastructure, from a “View-specific” customized console.

Figure 22: vCOps for View Dashboard – VDI Health

vCOps for View is deployed in the corporate headquarters and is used to monitor all the remote sites. This provides a single dashboard for monitoring the entire infrastructure for the organization. You can use vCOps to monitor multiple VMware View infrastructures and datacenters in distributed locations by configuring the analyzer at the HQ and the collectors at any site where you can gather analytics.

Figure 23: vCOps Dashboard Environment Overall Health

Summary

In a recent KPMG International Firms’ Shared Services and Outsourcing Advisor, top drivers for global business service improvement efforts were cited as: reducing operating costs, supporting business growth/expansion agendas, and improving global delivery and operating models.

The VMware Business Process Desktop solution architecture provides businesses across the globe with a cost-effective blueprint to support offshore and outsourced employees that improves user access, centralizes desktop management, enhances data security, and maximizes employee uptime.

The cornerstone of the View Business Process Desktop solution, VMware View modernizes desktops and applications by moving them to the cloud and delivering them as a managed service. With View, IT has the ability to grant or deny access to desktops, data, and applications according to endpoint device configuration, network location, and user identity. View with Persona Management further makes it possible for end users to work from virtually any location using any qualified device to access their personal desktops.

By leveraging stateful desktops with Persona Management, IT can ensure end users can carry their persona with them across sessions and devices for a more personalized desktop. End user access via RADIUS two-factor authentication is secured via the VMware View security server or SSL. vShield products, together with VMware View and leading security vendor solutions, allow IT to offload AV and provide high levels of isolation between resource pools and networks. This allows IT to apply policies across virtual machines and pools of users. And IT organizations can streamline and automate desktop management with VMware vCenter Operations Manager. This architecture further ensures that organizations can quickly recover and restore data across sites to ensure 24/7/365 uptime and desktop availability.

Appendix A: Performance Validation Methodology

In order to emulate a WAN environment, we deployed an appliance to bridge our View client and View desktop networks. VMware selected an industry standard appliance in order to simulate the T1 (1.544 Mbps/100 ms) and T3 (44.736 Mbps/60 ms) connections to the corporate colocation site for our geographically remote users.

Figure 24: PCoIP Untuned Profile in LAN (Source: Xangati)

Figure 25: Datastore Byte Rate (Source: Xangati)

Figure 26: CPU Usage (Source: Xangati)

VMware, Inc. 3401 Hillview Avenue Palo Alto CA 94304 USA Tel 877-486-9273 Fax 650-427-5001 www.vmware.com
Copyright © 2012 VMware, Inc. All rights reserved. This product is protected by U.S. and international copyright and intellectual property laws. VMware products are covered by one or more patents listed at http://www.vmware.com/go/patents. VMware is a registered trademark or trademark of VMware, Inc. in the United States and/or other jurisdictions. All other marks and names mentioned herein may be trademarks of their respective companies. Item No: VMW-VDG-MOBILESECDKTP-USLET-20120824-WEB

Using VMware’s View Planner tool, we generated a standard three-iteration workload which generates a 1:1 connection from the clients to the desktop virtual machines, with VMware PCoIP as the display protocol.

Figure 27: Bandwidth Utilization in LAN

To collect performance data, we ran three discrete tests with an identical workload.

• LAN-based scenario using an untuned PCoIP image

• T3 scenario using a lightly tuned PCoIP policy

• T1 scenario using a bandwidth-limited policy

Performance data was then collected to show network bandwidth utilization over the emulated links for each test case to demonstrate the dynamic behavior of VMware PCoIP on the WAN.

Figure 28: The Composite LAN vs. T3 PCoIP Bandwidth Diagram, XLS, and Xangati Traces from the T3 Run

You can see that with only BTL switched off and the frame rate limit set to 30 fps, bandwidth utilization is ~60% less running the same workload.