
Intel Cloud Builders Guide to Cloud Design and Deployment on Intel Platforms


Academic year: 2021


Intel® Cloud Builders Guide to Cloud Design and Deployment on Intel® Platforms

Lenovo* Secure Cloud Access powered by Stoneware webNetwork*

Audience and Purpose

As cloud computing continues to accelerate within the marketplace, a growing disconnect is being created between the cloud and the client. This technical paper discusses how Lenovo*, using Secure Cloud Access (Lenovo SCA), addresses this problem by leveraging Intel’s client-aware cloud Web APIs to create a richer cloud experience for the end user by making the cloud aware of the client and its capabilities.

INTEL® 2ND GENERATION CORE™ PROCESSORS WITH vPRO™ TECHNOLOGY

Table of Contents

Introduction
Why a Cloud Ready Client is Important
Underlying Technologies
Lenovo* Secure Cloud Access
Lenovo Secure Cloud Access Console
Usage Scenarios
Optimization and End User Experience
Efficiency
Enhanced Authentication
Enhanced Security
Connect to a Multitude of Directory Services
Implementation Overview
Recommended Server Configuration
Deploying Applications
Cloud Ready Client
Configuring Intelligent Application Delivery*

Introduction

Over the last three years, many forms of cloud computing have evolved focusing on the delivery of software, infrastructure, desktops, and content. Because many of these service offerings are Web-based in nature, they have had little focus on the role of the client in cloud computing architectures. Intel, with partners like Lenovo*, understands that the client can play a more valuable role in the delivery of cloud services. This underlying belief led Intel to create the client-aware cloud Web APIs (Application Programming Interface). The client-aware cloud Web APIs expose contextual information about the client that can be consumed by any cloud service for the purpose of enhancing the delivery of cloud solutions to the end device. Lenovo’s Secure Cloud Access (SCA) is one of the first “client aware” cloud products in the market to utilize the Intel Web APIs for the purpose of enhancing the delivery of applications, content, and services from the cloud.

Why a Cloud Ready Client is Important

A Cloud Ready Client (CRC) improves the way cloud services are delivered by enabling smarter delivery of services. Rather than a one size fits all model, where the delivery of cloud services is driven from the data center, a more balanced approach is enabled with cloud-ready clients, such as Lenovo Secure Cloud Access. This Lenovo solution enables cloud services to capitalize on the capabilities of the client to improve service delivery based on parameters such as user experience, cost, or performance. This gives IT far more control and flexibility as well as the opportunity for cost savings as compared to current approaches. Cloud Ready Clients can also improve authentication and security by taking advantage of features such as Intel® Identity Protection Technology (Intel® IPT) with support for One Time Password. Enabling additional access authentication and security can easily be accomplished by using Lenovo’s fingerprint reader to use One Time Password as the only, or as a second, authentication before allowing access to specific cloud services.

Underlying Technologies

Lenovo Secure Cloud Access Solution

Lenovo SCA, powered by Stoneware’s webNetwork*, is a software-based solution that delivers a context-aware, browser-based desktop. It mimics a Windows* desktop while enabling on-premise private/hybrid cloud services. It is the first commercial software utilizing the Intel Web APIs and Lenovo’s Cloud Ready Client to deliver a consistent end-user experience. It provides the end user with seamless access, from any device with browser capability, to the Web; to published (Windows Terminal Services, Citrix*, or VMware*), virtualized, or local Windows applications; and to local and remote files. Lenovo SCA's easy-to-use configuration utility allows organizations to quickly deploy Lenovo SCA as their own private cloud inside their data center on either physical or virtual servers. It allows delivery of applications and services to end users without having to recode or change existing infrastructure or application stacks. For access, the user only needs to have an Internet connection and a Web browser.

Lenovo Secure Cloud Access Console

The Lenovo SCA console improves the ability of IT organizations to control how cloud services are delivered. The console enables application delivery to be managed based on predetermined parameters set by the administrator. Service delivery can be defined based on specific user groups, device type, location, capabilities, and context.

Service delivery can also be managed based on application requirements. If a user is attempting to access a given application but has a poor quality connection, Lenovo SCA can default to a lower bandwidth application or services option.

Intel APIs:

Intel has developed a series of Web APIs which, when used with Lenovo SCA, enable cloud services to become aware of the compute, context, and capabilities of the device.

By understanding the compute capabilities of the local device, cloud services can, when appropriate, capitalize on the local compute resources to support application delivery and optimize end-user experience. Compute includes areas such as CPU type and load, graphics, and available local memory.

Context builds on compute by enabling the cloud service to better understand the current operating environment of the device. Context also includes areas like network connectivity or bandwidth available to support delivery of a given application, and power, including whether the device is plugged in or running off battery and, if on battery, the amount of battery life remaining. Based on this information, a cloud service can make an informed decision about where best to run a given application.

Device capability includes the ability of the cloud service to understand the security features supported by the device accessing a cloud service. For example, while a tablet may be fine for consuming content, most current tablets lack security features commonly available on PCs. This can mean that applications requiring security be driven from the cloud data center. Even within the PC category, devices vary in their support for security features.


Lenovo Cloud Ready Clients: Lenovo Cloud Ready Clients are optimized to interact with Lenovo SCA to provide end users the best possible experience when accessing cloud applications and services. Lenovo is quickly expanding its hardware support for Cloud Ready Clients.

At the time this document was published, all models of ThinkPad* laptops and ThinkCentre* desktop PCs that are powered by 2nd generation Intel® Core™ or Core™ vPro™ processors, run Microsoft* Windows 7 (32 or 64-bit), and use the CRC enablement layer based on Intel Web APIs are cloud ready.

Usage Scenarios

Optimization and End User Experience

While cloud solutions can often be optimized for a particular backend infrastructure, they typically are not optimized for the client. Client compute, video, and storage can, if available, be leveraged by the cloud. Because Lenovo SCA is capable of making runtime decisions to optimize the relationship between the cloud and the client, it can help optimize application delivery by enabling a more “balanced” approach to the cloud and cloud computing. One of the primary features of Lenovo SCA is its ability to simplify the delivery of applications to end users using a Lenovo SCA enabled desktop. Lenovo SCA’s delivery capabilities can support a variety of different delivery methods, easily configured based on the context of the device as well as user groups.

As an example, with Microsoft Word*, IT can choose from a variety of delivery methods, offering different delivery costs, capabilities, and network requirements. Application options include, but are not limited to: locally installed, virtualized, terminal server published applications, applications published via Citrix, as well as published as a Web application (e.g. Microsoft Office 365*). While each of these delivery methods may be viable, at runtime only one or two of these methods may be optimal to deliver the best end-user experience.

For example, a user accessing the cloud from a hotspot in a coffee shop may find a virtualized version of Microsoft Word, which downloads over a slow wireless link, far from an optimal experience. Using Lenovo SCA contextual information from the Cloud Ready Client, the cloud can determine available bandwidth and device capability to dynamically select the best and optimal delivery method for the end user. Using the example of the user at the coffee shop, IT could configure Lenovo SCA to dynamically deliver access to a local or Web-based version of Microsoft Word based on the context in which the access was requested.

Cost Efficiency

While cloud computing can be efficient, it is also like an electric utility. Organizations in effect pay for the resources they consume. While this mode is inherently flexible and can be efficient, organizations can increase overall resource utilization and efficiency by enabling cloud services to tap into local, device based compute resources.

With Lenovo SCA, the cloud is always communicating with the Cloud Ready Client to determine how to best deliver applications and give the user authorized access to resources within the cloud or at the client. It is this communication, and the ability to dynamically choose between local or cloud processing at runtime, that helps IT improve efficiencies without sacrificing end-user experience. One of the greatest efficiencies to be gained from a balanced approach to cloud computing is minimizing software licensing costs.

Lenovo SCA utilizes a feature known as Intelligent Application Delivery to dynamically determine when a software application should be executed locally or from the cloud. This feature can be configured to gain efficiencies in software licensing by, for example, preferring the locally licensed version (already paid for) of a software package on the device first. If a user does not have a locally installed version, Lenovo SCA can, for example, provide access to the Web or published software version delivered through the cloud.

Enhanced End-User Authentication

Intel Identity Protection Technology (Intel IPT) improves authentication to cloud-based applications by providing an additional method of authentication. The first iteration of Intel IPT uses a well-known authentication capability called one-time password, in which the server and the client-side device are provisioned in sync so that both know how to mathematically/cryptographically generate random numbers that match in sequence and time but are not easy for a non-synchronized party to compute or guess. Customers that use a similar solution today have either a less secure software-only solution or a more expensive and harder-to-use separate physical device, such as a key chain fob, from which they have to read the number and type it into the PC. Intel IPT is hardware-based and more secure than the software-only solutions, and yet easier to use than the separate devices.

Enhanced Device Security

The Lenovo SCA Relays act as secure entry points into the Lenovo SCA enabled cloud and are normally placed on the DMZ but can also be strategically positioned within any existing network infrastructure (e.g. inside DMZ, outside the firewall, internally, etc.). The relays will pass requests from the users to the Lenovo SCA Servers located inside the data center.

Between the Lenovo relay and the Lenovo server there is a trusted relationship. Through this trusted relationship, the servers will forward the requests to the appropriate application server. The responses are sent through the Lenovo server to the relay and then to the end user's browser.

This two-tier server approach isolates the application/resource requested from the browser-based device. The isolation means that the device can only see the Lenovo relay and the application can only see the Lenovo server, making it impossible for any virus on the clients to contaminate the data center.

This security isolation makes Lenovo SCA a very suitable solution for connecting both unmanaged and managed devices to data center enabled applications and resources. As part of the security architecture, the Lenovo SCA also can manage multiple end user authentication methods such as single or multifactor authentications to enhance the process and improve access security.

For example, two-factor authentication with Lenovo SCA can include the Lenovo fingerprint scanners in combination with IPT one-time passwords.

In addition, communication encryption is provided by the Lenovo SCA solution. Encryption ensures that all communications between the end user and the Lenovo SCA cloud are secure via the SSL (Secure Socket Layer) protocols. All conversations between end users and the system will be securely controlled through the Lenovo SCA Relay and are encrypted as part of the communication process.

Connect to a Multitude of Directory Services

Lenovo SCA leverages an organization's investment in directory services by integrating all access control methods with their existing Directory Service. Organizations can leverage their existing user management processes to control access to cloud applications and services without creating another account management headache.

Users connecting to Lenovo SCA are automatically presented with the applications and resources through a Web desktop. Access to the resources in this Web-based desktop is based on the directory group to which the user belongs, as well as the capability (context) of the device. This rights system provides access to all data center applications, services, and content that have been assigned to their group or individual account.

The Web desktop easily scales to thousands of concurrent users on a single server and is capable of running on any device that has a Web browser including laptops, netbooks, tablets, pads, and smartphones.

Implementation Overview

Lenovo SCA is implemented as a two-tier solution within the data center. The unique, two-tier server/relay architecture provides secure access to applications and resources published within the Lenovo SCA cloud (see diagram).

The Lenovo SCA Relays act as secure entry points into the cloud and can be strategically positioned within any existing network infrastructure (e.g. inside DMZ, outside the firewall, internally, etc.).

Relays will pass requests from the users to the Lenovo SCA Servers located inside the data center. From their trusted position, servers forward requests to the appropriate application server and wait for a response to send back to the browser via the relay. As part of the security architecture, the Lenovo SCA system manages multiple authentication methods. These methods allow users to authenticate with their network username and password, or to enhance the process and improve security by utilizing various two-factor authentication methods including fingerprint scanners using one time passwords. In addition, encryption is provided by the Lenovo SCA, ensuring that all communications between the end user and the Lenovo SCA cloud are communicated via SSL (Secure Socket Layer) protocols. All conversations between the user and system are controlled through the Lenovo SCA Relay, and encrypted as part of the process.

Lenovo SCA leverages an organization's investment in directory services by integrating all access control methods with their existing network management. Organizations can leverage their existing user management processes to control access to cloud applications and services without creating another account management headache.

Users connecting to Lenovo SCA will automatically be presented with a Web desktop that provides access to all data center applications, services, and content that has been assigned to their account.

Because Lenovo SCA is a two-tier solution, it requires a two-step deployment process. The first step in a Lenovo SCA deployment is to install and configure the internal Lenovo SCA server. Lenovo SCA can be installed on most enterprise operating systems including Windows 2003, Windows 2008, Red Hat*, SuSE*, and Ubuntu* running on either a physical or virtual server platform. The installation process will automatically deploy all required files to the local operating system and configure Lenovo SCA to run as a service. Once installed, a wizard will be invoked to step through the process of configuring the connection between the Lenovo SCA server and the directory service. The connection to the directory service is a secure LDAP connection and therefore will require the IP address and port number of a directory server. All authentication, access control, and configuration requests will be passed through the secure directory connection.

Once the wizard is complete, the Lenovo SCA server should be up and running. It is now ready for remote Lenovo SCA Relays to connect to the system. The Lenovo SCA Relay can be installed and configured in much the same way as the Lenovo SCA server. The same installation process is run on the host operating system to deploy all required files. When complete, a new wizard will be automatically invoked to step through the process of creating and connecting a remote Lenovo SCA relay to the internal Lenovo SCA server. The wizard will prompt for the name of the relay and IP address of the internal Lenovo SCA server. The relay will attempt to communicate with the server over a pair of high ports (i.e. 1100, 4500). Once a connection is made, the remote Lenovo SCA Relay will attempt to connect to the Lenovo SCA server and establish itself as a secure entry point into the Lenovo SCA system. With the relay connected to the system, the cloud has been successfully deployed. Users are ready to begin authenticating and accessing services from the cloud.

(For more details regarding the installation process, go to http://www.stone-ware.com/help.)

Recommended Server Configuration

A recommended server configuration is as follows: For < 10,000 concurrent users, an Intel® Xeon® processor, 4GB memory on the Lenovo SCA relay server and 8GB memory on the Lenovo SCA server, a 32 or 64-bit operating system (Windows or Linux*), 80 GB hard drive, 100 MB Ethernet card or higher.

For a 10,000-20,000 user configuration we recommend a 64-bit operating system and 4 GB memory (webNetwork relay) or 8 GB memory for the Lenovo SCA server as well as a Gigabit Ethernet card.

Deploying Applications

With the completion of the Lenovo SCA installation, a private/hybrid cloud is established and ready to provide secure access to the applications and services within the organization’s data center. Lenovo SCA’s application delivery architecture is based on three key elements: application configuration, user provisioning, and link assignments.

• Application configuration stores the necessary information required for the Lenovo SCA server and relay to communicate with the internal or external hosted application. Typically this would include information such as IP address, port number, startup parameters, optional parameters, and single sign-on information.

• User provisioning is the assignment of the application to selected users, groups, or organizational units. Users accessing the system will effectively see a view of all applications and services directly or indirectly assigned to their user account through the Lenovo SCA Web desktop.

• The link assignment controls how the application will interact with the Lenovo SCA Web desktop interface. Icons, windowing, and contextual restrictions are managed through the link configuration that is associated with the application and assigned to the end user. With these settings, the administrator can control the end user experience when accessing the cloud.

These three elements are combined to create a method of deploying a diverse set of applications within the Lenovo SCA system. Applications can be classified into one of four categories:

• Web

• Web-hosted

• Windows

• Local

By providing support for a broad range of application technologies, organizations can create a cloud that can bridge the gap between a traditional client-centric computing environment and an increasingly Web-oriented, cloud environment. An overview of each application category and its basic configuration will be described in the following section.

Web Applications

Web applications refer to the growing number of HTML and HTML5 applications being created by in-house developers or third party ISVs. These applications execute within the user’s Web browser and run over either the HTTP or HTTPS protocol. Web applications are hosted within the organization’s data center and can be natively provisioned into the Lenovo SCA Web desktop environment. Web applications can be secured, provisioned, dynamically modified, and authenticated (single sign-on) when configured within Lenovo SCA. In order for the administrator to integrate these types of applications into the Lenovo SCA system, an HTTP Virtual Web Application configuration will need to be created inside the webAdmin Dashboard (Web management interface for Lenovo SCA). A Virtual Web Application configuration will map a DNS name assigned to the Lenovo SCA Relay with a Web server, Web service, or Web application running inside the internal network. The steps below outline how a Web application is configured within the Lenovo SCA system.

Figure 3: Virtual Web application

1. As the Lenovo SCA Administrator, open the webAdmin Dashboard and expand the Web applications folder view

2. Right-click on the Applications folder and select the option to Publish a Virtual Web Application

3. Enter a name for the new published Web application (e.g. MS-OWA)

4. Enter the IP Address or DNS name of the internal Web server

5. Enter the Virtual DNS Name+ for the internal web application

+The Virtual DNS Name should resolve to the relay. The relay will associate requests to the DNS name with the internal Web application.

6. Enter the Startup URL. This is the relative URL that launches the specific Web application or service

7. Select the menu that will hold the reference link to the Web application. The link will determine how the application is presented within the Web desktop interface.

8. Finally the administrator will browse for the users and groups that will have access to the Web application; these users and groups are defined within the directory service (i.e. Active Directory, eDirectory, OpenLDAP) and associated with the Lenovo SCA application or service

After the application has been configured and provisioned, users will be able to access the Web application through the Lenovo SCA Web desktop. All requests for the application will be made through the relay/server architecture and users that are not authenticated or assigned to the application will not be able to access it from their Web desktop.

(For more details regarding Web applications, go to http://www.stone-ware.com/help.)
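The mapping configured in the steps above (Virtual DNS Name to internal Web server, restricted to assigned directory groups) can be modeled as a default-deny routing decision. This is an added sketch, not Stoneware or Lenovo code; the class names, the `route` function, the status codes, the plain-HTTP upstream, and all sample host names, addresses, and groups are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple


@dataclass(frozen=True)
class VirtualWebApp:
    name: str                  # step 3: published name
    internal_host: str         # step 4: internal Web server (config only)
    virtual_dns: str           # step 5: DNS name that resolves to the relay
    startup_url: str           # step 6: relative URL that launches the app
    allowed_groups: frozenset  # step 8: directory groups assigned to the app


@dataclass(frozen=True)
class Session:
    user: str
    groups: frozenset          # group membership read from the directory


def normalize_host(host_header: str) -> str:
    """Lower-case the Host header and drop any port and trailing dot."""
    host = host_header.strip().lower()
    if host.startswith("["):   # IPv6 literal: never a Virtual DNS Name
        return ""
    return host.split(":", 1)[0].rstrip(".")


def route(apps: Iterable[VirtualWebApp], host_header: str, path: str,
          session: Optional[Session]) -> Tuple[int, Optional[str]]:
    """Return (status, upstream_url); upstream_url is None unless allowed."""
    # Unauthenticated callers are refused before any lookup, so they cannot
    # probe which Virtual DNS Names are published.
    if session is None:
        return 401, None
    by_name = {a.virtual_dns.lower(): a for a in apps}
    app = by_name.get(normalize_host(host_header))
    if app is None:
        return 404, None
    # The user must belong to at least one group assigned to the application.
    if not (app.allowed_groups & session.groups):
        return 403, None
    if path in ("", "/"):
        path = app.startup_url
    # Reject anything that is not an absolute path or that climbs upward.
    if not path.startswith("/") or ".." in path.split("/"):
        return 400, None
    # The upstream host comes from configuration, never from the request.
    return 200, f"http://{app.internal_host}{path}"


# Constructed sample configuration (values are illustrative only).
APPS = [
    VirtualWebApp(
        name="MS-OWA",
        internal_host="10.0.0.25",
        virtual_dns="owa.relay.example.com",
        startup_url="/owa/",
        allowed_groups=frozenset({"Staff"}),
    )
]

if __name__ == "__main__":
    staff = Session("alice", frozenset({"Staff"}))
    contractor = Session("bob", frozenset({"Contractors"}))
    print(route(APPS, "owa.relay.example.com", "/", None))
    print(route(APPS, "owa.relay.example.com", "/", contractor))
    print(route(APPS, "OWA.Relay.Example.com:443", "/", staff))
    print(route(APPS, "10.0.0.25", "/", staff))
```

Because the internal address is only ever read from the published configuration, a request that names an internal host directly is treated as an unknown Virtual DNS Name.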

Hosted Web Applications (Public)

A hosted Web application differs from a standard Web application in that it is not located on servers within the organization’s data center. Like a Web application, it executes within the user’s browser, integrates natively into the Web desktop, and communicates over the HTTP or HTTPS protocol. However, hosted Web applications are not located in the data center. Instead, they are often offered as a service (SaaS – Software as a Service) over the Internet by a third party provider. In Lenovo SCA terms, these types of applications are often referred to as “public” applications.

Regardless of where the application is hosted, IT is still responsible for securing, provisioning, and integrating public applications into a common desktop. A Public Application configuration is designed to simplify the process of integrating a hosted Web application into the Lenovo SCA Web desktop. It invokes different federating technologies such as SAML, Form, and Live ID to accomplish this task and therefore requires a different management configuration.

The steps below will outline specifically how a public (or hosted) Web application like Google Docs* is integrated through SAML connection.

Figure 4: Hosted Web application

1. As the Lenovo SCA administrator, open the webAdmin Dashboard and expand the Applications folder

2. Right-click on the Applications and select the option to Create a Public Application

3. Enter the name for the new published public application (i.e. Google Docs)

4. Select the Authentication tab and enable SAML authentication

5. Select the Properties tab to enter the specific Google application information

a. Enter a CONTEXT PATH of /GoogleApps

b. Select the Lenovo SCA relays that will allow access to the public application

6. Save the changes to the public application configuration

7. Select the Authentication tab to configure the identity+ information

+The identity will be the ID that is passed to Google on behalf of the user. Typically this will be the user's email address; therefore, the administrator should select an email address attribute from the directory such as Internet Email Address.

8. Use the WIZARD to create a public key that will be passed to Google as part of the authentication

9. Select the Algorithm Type as DSA or RSA

10. Press the GENERATE button to create the public key; the private key will also be automatically generated

11. Use the EXPORT button to export the key to a file; save the file to your desktop; this file will be imported using Google's administrative tools


Once the public application has been configured, the administrator will need to configure a set of links that will launch the Google applications from the Lenovo SCA Web desktop. The steps below describe the configuration of the link for Google Docs.

1. From the webAdmin Dashboard, expand the Link-Menu Admin folder

2. Expand the Applications menu, right-click and select Create Link option

3. Enter Google Docs for the link name and set the Link Type to STANDARD

4. Enter the following URL to connect to Google's Document application

5. http://docs.google.com/a/[Your Domain Name].com/

Note - Do not forget to change the URL to include the domain that was registered with Google

6. Use the Add button to select users and groups that will be assigned to the public Web application

7. Browse and select the users and groups that should have access to the Google Documents application

8. Select the Options tab and check the Enable box in the New Window and Native Window Override options; this will open Google Docs in its own browser window

9. Save the changes

Finally, you will need to configure the Google Apps to recognize the SAML connection with the Lenovo SCA system. These steps will describe how to configure the settings through the Google administrative interface.

Figure 5: Google Web hosted application

1. As the Google administrator for your domain, login to the Google Admin (go to http://www.google.com/a/[Your Domain Name]) with the administrator's user ID and password

2. Select the Advanced Tools tab

3. Select the Setup Single Sign-on (SSO) link

4. Check the Enable Single Sign-on box

5. Enter the Sign-in Page URL of https://[Your Relay Address]/swPublicSSO/SAML/GoogleApps

Note - this URL will direct Google to the SAML service on the Lenovo SCA Relay

6. Enter the Sign-out Page URL https://[Your Relay Address]/apps/google/close.html

Note - this URL will direct the browser to close the Google Application window when the user logs out

7. Enter the Change Password URL https://[Your Relay Address]/password/ChangePassword

Note - this URL will direct the user to the Lenovo SCA Change Password page if the user wishes to reset his password through the Google application

8. Select the Replace Certificate link (if a certificate has already been installed)

9. Select the Browse button and locate the public key file downloaded to the desktop

10. Press the Upload button to submit the key to Google

Select the Save Changes button and the administrator should be ready to test the configuration. Log in as a user that has access to Google Apps and click one of the Google applications.

(For more details regarding hosted web applications, go to http://www.stone-ware.com/help.)

Windows Applications

Organizations that wish to deploy Windows applications through the Lenovo SCA cloud can accomplish this in one of two ways:

• Publish – Windows application is displayed remotely from a remote Microsoft Terminal server or Citrix server by Lenovo SCA

• Virtualize – bundled software package (e.g. App V, Thin App, AppZero) is deployed to local desktop and then executed by Lenovo SCA

Both methods allow organizations to provide their users with access to corporate Windows applications; however, each method has its advantages and drawbacks.

When publishing a Windows application, the Windows application is installed on the Terminal or Citrix server. The Lenovo SCA administrator can then configure access to the remote Windows application through the webAdmin Dashboard. Users accessing the Windows application will see it running embedded within the Lenovo SCA web desktop. Keyboard and mouse movements by the user are communicated over the secure SSL connection to the Lenovo SCA Relay. The benefits of this method are as follows:

• Can be accessed from any client platform (e.g. Windows, Linux, and Mac* OS X)

• Remote Windows applications embed within the Web browser

• Can access remote Windows application over low-bandwidth connection

The risks to this type of deployment:

• Not suitable for graphically intensive Windows applications (e.g. CAD, video, etc.)

• Requires additional Microsoft or Citrix licensing

Figure 6: Published Windows application

Virtualized application delivery takes a packaged Windows application provided by a third party vendor and deploys the application to the client through the Lenovo SCA system. Once the application is delivered, it is executed locally, where graphics, processing, and resource utilization take place on the local device. The virtualized application can dissolve after execution of the application or remain for a period of time in a cached state. The benefits of this Windows application delivery method are listed below:

• Application executes locally on the device and therefore provides a better user experience

• Applications requiring significant processing or graphics processing will leverage the capabilities of the local device

The risks of this type of Windows application deployment:

• Large virtualized application deployments may not be suitable for wireless networks

• Most virtualized applications run on Windows platforms but not on Mac OS X and Linux

Lenovo SCA simplifies many Windows application delivery decisions by allowing administrators to select from multiple delivery methods. The steps required to configure each method within the Lenovo SCA system are provided below.

Published Windows Application

The steps for publishing a Windows application (sample – MS Word) from a Microsoft Terminal server are listed below:

Note – The application being published should be installed on the Terminal Server prior to publishing the Windows application within the Lenovo SCA system.

1. As the Lenovo SCA Administrator, open the webAdmin Dashboard and expand the Applications Admin folder

2. Right-click the Applications Admin folder and select Publish Terminal Server Application or Desktop

3. Enter a name of MS-Word for the Windows application being published

4. Enter the IP Address or DNS name of the internal Terminal Server

5. Accept the default port number of 3389

6. Select the SSL radio button to ensure remote Windows communications are encrypted

7. Enter the Windows application parameters required to start the remote application on the Terminal Server

a. Start Program - the path, relative to the Terminal Server, for the application executable (i.e. c:\Program Files\...)

Note – For 2008 Terminal Servers, the Terminal Server administrator will need to allow access to the selected application through the Terminal Server Management interface.


8. Select the appropriate redirection options for the Redirection Screen. For Microsoft Remote Desktop Protocol clients, audio, printer, and file redirection is supported

9. Select the Applications Menu located under the Stoneware container where the newly created published Windows application link will be created

10. Use the Select button and assign users, groups, and containers that should be assigned to the published Windows application

11. When complete select the Done button

Log out of the system and test the new published Windows application. It should be located under the Applications menu within the Lenovo SCA Web desktop. (For more information related to publishing Windows applications go to http://www.stone-ware.com/help.)

Virtualized Windows Application

The steps for the delivery of virtualized Windows applications (example – Free Commander) are listed below. The process will start by creating a File Services Node for the storage of virtualized applications. Once complete, the Lenovo SCA administrator will create a virtualized application configuration to deliver the virtualized Windows apps to the end user via their Lenovo SCA Web desktop.

Note – The Lenovo SCA administrator should have a bundled virtualized application ready for deployment prior to following the steps listed below. Virtual application packages can be created by many third party vendor products.

Create a File Services Node to Store all Virtualized Applications

1. As the Lenovo SCA Administrator, open the webAdmin Dashboard and expand the File Services Admin folder

2. Right-click on the File Services Admin folder and select the Create File System Node option

3. Enter a name for the File Services Node (e.g. Virtual Application Storage)

4. Enter the properties of the File Services Node (See File Services for a detailed explanation of the properties)

a. Folder Name - friendly name for the file system folder storing the thin application bundles (e.g. Virtual Application Storage)

b. Path - file system location where thin application bundles will be stored

5. Select the Rights tab

6. Use the Add icon to assign users, groups, and organizational units to the File Services Node

7. Check the Browse and Read options for rights to the node. Users will only need to read the node to download the virtualized application packages.

8. Select the SAVE button to apply changes

The creation of a File Services Node to store virtualized applications is complete. Continue to the "Copying the Thin Application Files" section.

Copying the Thin Application Files

Copy the thin application bundles to the directory path specified in the File Services node created above. These files can be copied to the root of the path or the administrator can create subdirectories for organizing the bundles. In this example, Free Commander was downloaded from http://www.thindownload.com and copied into the path specified on the File Services Node. Continue to the next section to create the Virtualized Application configuration in the webAdmin Dashboard.


Configuring the Virtualized Application

1. As the Lenovo SCA Administrator, open the webAdmin Dashboard and expand the Applications Admin folder

2. Right-click on the Applications Admin folder and select Publish Virtualized Application

3. A wizard will appear to assist in the configuration of the virtualized application. Enter the virtualized application's name (e.g. Free Commander)

4. Use the Select button and locate the thin application bundle under the Virtual Applications Storage file service node

5. Leave the RELATIVE PATH blank unless the virtual application bundle is a ZIP file. If so, open the ZIP file and locate the application's executable. Enter the application's executable file name in the field.

6. Enter any required Command Line Parameters for the thin application

7. Use the Select button to browse for a menu for the new virtual application (e.g. Applications)

8. Set the operating system restriction to ensure that the Web desktop only displays the icon on the applicable client operating systems.

9. Use the Select button and assign the users, groups, or organizational units who should access the virtualized applications.

10. Select the Done button when complete and then log out of the Lenovo SCA system

11. Log out of the system and then back into SCA to test the new virtualized Windows application

(For more information related to virtual Windows applications go to http://www.stone-ware.com/help.)

Local Applications

Local applications are different than other SCA application types in that they are not delivered from the SCA system. Instead, they are invoked from the native file system of the local client. This feature makes it possible for the administrator to represent local resources within the same SCA Web desktop as other cloud applications and services. Combining both local and cloud services within a common Web desktop is critical to the Cloud Ready Client strategy and makes it possible to create differentiated end user experiences. More on this topic will be discussed in the Intelligent Application Delivery* section.

Figure 7: Location application

The SCA administrator can define a native application through the application configuration screen in the webAdmin Dashboard. The administrator can create native application configurations that will work on Windows, Mac OS X, and Linux platforms. The steps below will outline the configuration of a native application on a Windows platform.

1. As the SCA administrator, open the webAdmin Dashboard and expand the Applications Admin folder

2. Right-click on the Applications Admin folder and select the Create Local Application option

3. Enter a name for the local application that will be invoked by the SCA system

4. Enter the File Name that should be executed on the local system. File names should reflect the native operating system of the client (e.g. word.exe, write.bin, write.app)

5. Set the Folder Depth for the application; the folder depth will determine how many directories below the default program directory the system will look for the local application executable; the default program directory will differ for each native client operating system

6. Set the operating system restriction to ensure that the Web desktop only displays the icon on the applicable client operating systems

7. Use the Select button to assign the appropriate users, groups, and organizations to the local application

8. Select the Done button when complete and then log out of the SCA system

9. Log back into the SCA system to test the new local application; the application should only be displayed in the Web desktop on devices where the application is supported by the client operating system

10. Local applications can be strategically integrated with the cloud applications by the organization to create a bridge between the client and cloud world.

Cloud Ready Client

As discussed earlier in this document, the Cloud Ready Client’s purpose is to provide information (context) about the client device to the cloud. The cloud in turn uses that information to enhance the experience of the end user as it relates to cloud services and cloud-based applications. The result is a better or more optimized cloud experience for the end user that can leverage the functionality of the local device.

The Cloud Ready Client operates as a service on the local operating system of the device. This service surfaces information about the device such as CPU type, memory utilization, hard disk space, video, LAN, and power status to the cloud through a Web API that can be read by a plug-in snapped into the user’s Web browser. For security purposes, the service works in conjunction with a local policy manager that enables a user to allow or deny requests for device specific information from the cloud. If the user elects to allow these information requests, the cloud can make real-time decisions about the status and capabilities of the device that is accessing the cloud. Lenovo SCA integrates the Cloud Ready Client into three distinct product features: Web desktop, hardware restrictions, and Intelligent Application Delivery.

Web desktop – displays the current status of the local device through Web API calls made to the Cloud Ready Client. The following information is displayed within the system tray of the SCA Web desktop.

• CPU type

• CPU utilization

• Available memory

• Total memory

• Battery Status

• Battery %

• Network connection

• Network bandwidth

• Graphics controller

A user can readily access this information by selecting one of three icons (system, power, or LAN) in the system tray of their Web desktop. The icons will only appear when the SCA Web desktop detects the presence of a Cloud Ready Client enabled device.

Hardware Restrictions – enables the SCA administrator to restrict the deployment of an application or service based on the status or capabilities of the local device, which are determined at runtime through the Cloud Ready Client. By accessing the Hardware Restriction panel in the webAdmin Dashboard on an application or service link, the administrator can control the deployment specifications. A range of restrictions can be applied to any application or service, and are described in detail below:

• Minimum CPU – application will only be deployed if the local device meets or exceeds the processor specified through the dropdown box. If blank, no CPU restrictions are applied.

• CPU Utilization – the application or service will only be deployed if the device utilization is below the percentage specified. If blank, the application or service will be deployed regardless of CPU utilization on the device.

• Minimum Installed Memory – the application or service will only be deployed if the device meets or exceeds the memory specified (in MB) in the entry field. If left blank, the application or service will be deployed regardless of the device’s memory configuration.

• Minimum Free Memory – the application or service will only be deployed if the available memory of the device exceeds the value specified (in MB) in the entry field. If left blank, the application or service will be deployed regardless of the available memory on the device.

• Network Bandwidth – the application or service will only be deployed if the available bandwidth between the cloud and user’s device exceeds the bandwidth specified (in MB) in the entry field. If left blank, the application and service will deploy regardless of available bandwidth.

• LAN Connection – when the box is checked, the application or service will only be deployed if the device is connected through a wired network connection. If the box is left unchecked, the application or service will be deployed on either a wired or wireless network connection.

• Power Cord – when the box is checked, the application or service will only be deployed if the device is plugged into a power source. If the box is left unchecked, the application or service will be deployed regardless of whether the device is plugged into a power source or not.

• Minimum Battery Life – the application or service will only be deployed if the device’s available power (as a percentage) exceeds the setting in the entry field. If left blank, the application or service will be deployed regardless of the available battery power on the device.

• OTP – With Lenovo’s Secure Cloud Access, the user can be prompted to provide a “one time password” before accessing the application or service assigned to the link.


This feature is extremely useful to an SCA administrator who is trying to match the capabilities of the device with the services provided through the cloud. As an example, the administrator could restrict the delivery of a virtualized Windows application to devices that were connected to the cloud through a wired connection. Enabling this restriction would ensure that the download of a large virtualized application did not occur over a wireless network with limited bandwidth capabilities.

Figure 8: Hardware restriction screen

Setting the restrictions for an application or service utilizing the Cloud Ready Client is very easy to accomplish. Using the example above, the administrator would take the following steps:

1. As the SCA administrator, open the webAdmin Dashboard and expand the Links and Menus folder

2. Expand the menu where the application or service is defined and then click on the link for the application you wish to restrict

3. Select the Hardware Restrictions tab

4. Check the box labeled Network Connection; this will force the application to execute only if the device has a wired connection to the network

5. Finally, save the changes to the selected link

Users accessing the application will now be restricted to a wired network connection in order to run the virtualized Windows application. Users accessing the application from a wireless network will be forced to resolve the connection type before executing the application through the cloud.

Intelligent Application Delivery – utilizes the Cloud Ready Client to determine the best application delivery method at the runtime of a cloud application or service. Many times an application such as a word processor (i.e. Word) will have several viable delivery methods (i.e. hosted Office 365, published MS Word, virtualized MS Word, or local Microsoft Office) through the Lenovo SCA cloud.

Intelligent Application Delivery allows the administrator to determine which delivery method is optimal based on the current context of the user and their device. The administrator would set the restrictions for each delivery method of Word and then bind these methods through an application cost object. When the user selected the Word application from the SCA Web desktop, the SCA cloud would inspect the restriction of each delivery method and then determine which version of Word is optimal for the end user. The result would be an optimized experience of Word for the end user. For a user accessing the cloud from a desktop with Microsoft Office locally installed, they might see MS Word running off their local machine. For another user accessing the cloud from a netbook in a coffee shop, they might see Word from Microsoft Office 365. By leveraging the contextual information from the Cloud Ready Client, Intelligent Application Delivery can determine the best cloud delivery method to create an optimal end user cloud experience.

Configuring Intelligent Application Delivery*

To enable Intelligent Application Delivery, an SCA administrator will need two or more alternative delivery methods for a given application category. As an example, if the administrator has two options for delivering graphics editing software (i.e. virtualized GIMP and local Adobe Photoshop*) from the SCA cloud, the administrator can use Intelligent Application Delivery to determine the best delivery method at runtime. The steps for configuring Intelligent Application Delivery within SCA will be outlined in this section of the document.


To configure Intelligent Application Delivery on two or more similar application types follow the steps below. These steps will assume that the SCA administrator has already defined the delivery for two graphics editors within the SCA cloud.

1. As the SCA administrator, open the webAdmin Dashboard and expand the Link-Menu Admin folder

2. Expand the Applications menu and then right-click on the Applications menu

3. Select the Create Application Cost Object option

4. Enter the name for the Application Costing object (i.e. Graphics Editor)

5. Use the Add button in the Assigned Links section to select the application configurations that should be assigned to the costing object. Use the Up and Down arrow buttons to determine their order of preference. As an example, if executing local Adobe Photoshop is always the preferred delivery method it should be ordered first and then GIMP as the second option. If Photoshop is not available on the device or does not meet the requirement restrictions, GIMP will become the delivery method to the end user device.

6. Use the Add button in the Assigned Users section to select the users, groups, and organizational units that will have access to the Intelligent Application Delivery (Cost) object

Figure 9: IAD screen

When users log into the SCA cloud they will see the Intelligent Application Delivery for the graphics application on their Web desktop. When they select the Intelligent Application Delivery icon, the SCA Server/Relay will check the context of both the user and device (through the Cloud Ready Client) to determine the preferred application delivery method for the graphics package. If the user meets the requirements for Adobe Photoshop, it will launch locally on their device. If the user does not meet the requirements, GIMP will launch as a virtualized application as long as requirements have been met.
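The Hardware Restrictions and the preference ordering of the Application Cost Object described above, modeled as an added example (this is not Lenovo SCA code or its API). The class and field names, the sample devices, the file name and the thresholds are constructed; Minimum CPU and OTP are omitted; and treating a value the client did not report as a failed restriction is an assumption the page does not state.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class DeviceContext:
    """Constructed stand-in for what the Cloud Ready Client reports.
    None means not reported, e.g. the user denied the information request."""
    os: Optional[str] = None
    cpu_utilization: Optional[float] = None       # percent
    installed_memory_mb: Optional[int] = None
    free_memory_mb: Optional[int] = None
    bandwidth: Optional[float] = None             # same unit as the entry field
    wired: Optional[bool] = None
    on_power_cord: Optional[bool] = None
    battery_percent: Optional[float] = None
    local_files: frozenset = frozenset()          # executables found on the device

@dataclass
class Link:
    """One delivery method and its restrictions; None or False means left blank."""
    name: str
    allowed_os: Optional[frozenset] = None
    local_file: Optional[str] = None              # set only for local applications
    max_cpu_utilization: Optional[float] = None
    min_installed_memory_mb: Optional[int] = None
    min_free_memory_mb: Optional[int] = None
    min_bandwidth: Optional[float] = None
    require_wired: bool = False
    require_power_cord: bool = False
    min_battery_percent: Optional[float] = None

def failures(link, ctx):
    """Return the restrictions this device fails; an empty list means deployable."""
    failed = []

    def check(label, limit, value, ok):
        if limit is None or limit is False:       # blank field or unchecked box
            return
        # Assumption: a value the client did not report cannot satisfy a
        # configured restriction, so the check fails closed.
        if value is None or not ok(value, limit):
            failed.append(label)

    check("operating system", link.allowed_os, ctx.os, lambda v, l: v in l)
    check("local executable", link.local_file, ctx.local_files, lambda v, l: l in v)
    check("CPU utilization", link.max_cpu_utilization, ctx.cpu_utilization, lambda v, l: v < l)
    check("installed memory", link.min_installed_memory_mb, ctx.installed_memory_mb, lambda v, l: v >= l)
    check("free memory", link.min_free_memory_mb, ctx.free_memory_mb, lambda v, l: v > l)
    check("network bandwidth", link.min_bandwidth, ctx.bandwidth, lambda v, l: v > l)
    check("LAN connection", link.require_wired, ctx.wired, lambda v, l: v is True)
    check("power cord", link.require_power_cord, ctx.on_power_cord, lambda v, l: v is True)
    check("battery life", link.min_battery_percent, ctx.battery_percent, lambda v, l: v > l)
    return failed

def select_delivery(cost_object, ctx):
    """Walk the links in preference order; return (chosen name or None, rejections)."""
    rejected = {}
    for link in cost_object:
        failed = failures(link, ctx)
        if not failed:
            return link.name, rejected
        rejected[link.name] = failed
    return None, rejected

# Constructed cost object mirroring the page's graphics editor example.
GRAPHICS_EDITOR = [
    Link("Local Adobe Photoshop", allowed_os=frozenset({"Windows"}),
         local_file="photoshop.exe", min_free_memory_mb=2048),
    Link("Virtualized GIMP", allowed_os=frozenset({"Windows"}), require_wired=True),
]
# Constructed device reports.
DESKTOP = DeviceContext(os="Windows", free_memory_mb=6000, wired=True,
                        local_files=frozenset({"photoshop.exe"}))
NETBOOK_WIRED = DeviceContext(os="Windows", free_memory_mb=900, wired=True)
NETBOOK_WIFI = DeviceContext(os="Windows", free_memory_mb=900, wired=False)
DENIED = DeviceContext()                          # nothing reported

if __name__ == "__main__":
    for label, ctx in [("desktop", DESKTOP), ("netbook wired", NETBOOK_WIRED),
                       ("netbook wifi", NETBOOK_WIFI), ("denied", DENIED)]:
        print(label, select_delivery(GRAPHICS_EDITOR, ctx))
```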

Summary and Conclusion

With SCA, Lenovo is the first company to provide an end-to-end cloud-ready client solution. Creating a balance between the cloud and device creates a richer experience for the end user while at the same time allows IT to more efficiently deploy enterprise resources. Intel’s ability to provide device-level context will change how the world sees cloud computing. The addition of contextual information about the device will allow the cloud infrastructure to dynamically determine where and when cloud services and applications should be processed locally or within the cloud.

These capabilities added to cloud deployments enable organizations to fully utilize all available resources as well as optimize into the future. The enablement of cloud-aware clients gives IT abilities to migrate toward cloud deployments, providing end users with a single interface to all their applications and services, even those that are local to the system the user is on. This approach will also enable IT to provide cost controls related to application licensing and delivery methods centered typically around user experience. This model of cloud computing effectively handles all forms of security, access, devices, and end user needs coupled with IT’s ability to deliver and optimize.

The significant advantages being delivered via Secure Cloud Access and Cloud Ready Clients are both strategic as well as cost advantageous. The strategic nature of this solution enables organizations to move toward a Web environment of application delivery and devices. This is already happening and this solution harnesses the move. Additionally, the cost advantages are very apparent as analysis of deployment vehicles and costs related to this solution as opposed to other approaches are considered. Typically organizations are able to save tremendous costs in the data center and have greater flexibility for optimizing application delivery into the future.

Finally, a noticeable improvement in end user productivity becomes available through the use of this solution. End users are presented a consistent desktop experience with access to all available resources (even local to their system). This means that end users no longer have to think about what and how to do their work from any device. In addition, when coupled with Single-Sign On, end users no longer have to spend time entering credentials. This productivity enhancement is critical for the full effect of cloud computing to be realized and enabled.

Security has been the final frontier to be tackled as it relates to Cloud Computing. In fact many organizations are not as keen to implement any form of cloud due to perceived lack of Security. The reality with this solution is that IT controls every bit of security from authentication to encryption as well as when applications will be available, giving the user choices of time, location, and device.

Lenovo’s SCA and Cloud Ready Clients are the answer to the perplexing questions that IT organizations face when they are implementing cloud solutions but have trouble justifying the costs or handling the security issues. The most troubling however has been making the user experience as rich as possible given the myriad of devices that users now have choices to utilize. IT now has been enabled to effectively deliver the promise of Cloud Computing. Realizing that no one is making it an imperative to have everything hosted and that a mix of applications and delivery methods will be available, Lenovo’s Secure Cloud Access and Cloud Ready Clients provide the right capabilities to enable your organization’s cloud without fork lifting or software coding or living in a one size fits all mentality.

To learn more about deployment of cloud solutions, visit www.intel.com/cloudbuilders.


Disclaimers

∆ Intel processor numbers are not a measure of performance. Processor numbers differentiate features within each processor family, not across different processor families. See www.intel.com/products/processor_number for details.

INFORMATION IN THIS DOCUMENT IS PROVIDED IN CONNECTION WITH INTEL® PRODUCTS. NO LICENSE, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, TO ANY INTELLECTUAL PROPERTY RIGHTS IS GRANTED BY THIS DOCUMENT. EXCEPT AS PROVIDED IN INTEL’S TERMS AND CONDITIONS OF SALE FOR SUCH PRODUCTS, INTEL ASSUMES NO LIABILITY WHATSOEVER, AND INTEL DISCLAIMS ANY EXPRESS OR IMPLIED WARRANTY, RELATING TO SALE AND/OR USE OF INTEL PRODUCTS INCLUDING LIABILITY OR WARRANTIES RELATING TO FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABILITY, OR INFRINGEMENT OF ANY PATENT, COPYRIGHT OR OTHER INTELLECTUAL PROPERTY RIGHT. UNLESS OTHERWISE AGREED IN WRITING BY INTEL, THE INTEL PRODUCTS ARE NOT DESIGNED NOR INTENDED FOR ANY APPLICATION IN WHICH THE FAILURE OF THE INTEL PRODUCT COULD CREATE A SITUATION WHERE PERSONAL INJURY OR DEATH MAY OCCUR.

No system can provide absolute security under all conditions. Requires an Intel® Identity Protection Technology-enabled system, including a 2nd gen Intel® Core™ processor enabled chipset, firmware and software, and participating website. Consult your system manufacturer. Intel assumes no liability for lost or stolen data and/or systems or any resulting damages. For more information, visit http://ipt.intel.com. Intel may make changes to specifications and product descriptions at any time, without notice. Designers must not rely on the absence or characteristics of any features or instructions marked “reserved” or “undefined.” Intel reserves these for future definition and shall have no responsibility whatsoever for conflicts or incompatibilities arising from future changes to them. The information here is subject to change without notice. Do not finalize a design with this information.

The products described in this document may contain design defects or errors known as errata which may cause the product to deviate from published specifications. Current characterized errata are available on request. Contact your local Intel sales office or your distributor to obtain the latest specifications and before placing your product order. Copies of documents which have an order number and are referenced in this document, or other Intel literature, may be obtained by calling 1-800-548-4725, or by visiting Intel’s Web site at www.intel.com.

Copyright © 2011 Intel Corporation. All rights reserved. Intel, the Intel logo, Xeon, Xeon inside, and Intel Intelligent Power Node Manager are trademarks of Intel Corporation in the U.S. and other countries.
