VBLOCK SYSTEMS MOBILE SECURE WORKSPACE SOLUTION ARCHITECTURE


Vblock Systems Mobile Secure Desktop Solution Architecture

© 2013 VCE Company, LLC. All Rights Reserved.

VBLOCK SYSTEMS MOBILE SECURE WORKSPACE SOLUTION ARCHITECTURE

Version 1.1

May 2013

www.vce.com


Copyright © 2012, 2013 VCE Company, LLC. All Rights Reserved.

VCE believes the information in this publication is accurate as of its publication date. The information is subject to change without notice.

THE INFORMATION IN THIS PUBLICATION IS PROVIDED "AS IS." VCE MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND WITH RESPECT TO THE INFORMATION IN THIS PUBLICATION, AND SPECIFICALLY DISCLAIMS IMPLIED WARRANTIES OR


Contents

Introduction ... 6

About this document ... 6

Solution overview ... 6

Objectives ... 7

Scope ... 7

Audience ... 7

Feedback ... 7

Technology overview ... 8

Solution components ... 8

Architecture overview... 9

Logical layout ... 9

Physical layout ... 11

Hardware and software components ... 12

Design considerations... 14

Mobile user experience security considerations ... 14

Plan to enable security for mobile endpoint device connections ... 14

The end user access risk mitigation plan ... 15

Untrusted-to-trusted network connection risk mitigation plan ... 15

Workspace provisioning risk mitigation plan ... 15

User session and data risk mitigation plan ... 15

Compute configuration ... 16

Network configuration ... 16

Network considerations ... 16

VMware vSphere network configuration ... 17

Storage configuration ... 18

VMware vSphere and VMware Horizon View Persona Management storage ... 19

Horizon View Linked Clone Storage layout ... 20

EMC VNX shared file Systems ... 20

VMware Horizon View Persona Management and folder redirection ... 20

EMC VNX for File Home Directory configuration ... 21

Virtualization configuration ... 21

VMware vSphere Distributed Resource Scheduler ... 21

VMware high availability ... 22

Compute virtual container design ... 22


Application configuration ... 24

VMware Horizon View installation overview ... 25

VMware Horizon View setup ... 25

VMware Horizon View workspace pool configuration ... 26

VMware Horizon View Persona Management ... 29

VMware vShield Endpoint and Trend Micro Deep Security ... 30

VMware vCloud Networking and Security App... 34

Implement App firewall rules ... 35

RSA SecurID integration with Horizon View ... 40

VMware vCenter Configuration Manager ... 45

VMware vCenter Operations Manager for View ... 46

Imprivata OneSign ... 47

Solution validation ... 49

Test environment design... 50

VMware Horizon View – Environment Characteristics ... 50

Performance test and objective ... 51

Performance test objective ... 51

Knowledge user workload... 51

Test parameters ... 52

Test results ... 52

Performance tests ... 52

Conclusion ... 55

Next steps ... 55

Appendix – Description of the solution components ... 56

Vblock™ Systems... 56

Vblock System 720 ... 56

Vblock System 320 ... 57

High availability AMP ... 57

Microsoft Windows 7 ... 57

Microsoft Windows 2008 ... 58

VMware Horizon View Premier ... 58

VMware vCloud Networking and Security ... 60

VMware vCenter Configuration Manager ... 60

VMware vCenter Operations Manager ... 61

VMware vCenter Operations Manager for View Adapter ... 61

Trend Micro Deep Security ... 61

RSA SecurID and RSA Authentication Manager ... 62

EMC PowerPath/VE ... 63


Introduction

About this document

This solution architecture addresses the needs of mobile users who work from thin clients or zero clients in enterprises that have adopted VDI in their production environment. This includes users in healthcare, hot-desk, and non-mobile security-aware environments.

Having successfully adopted the Vblock™ Systems virtual workspace infrastructure into their test and development environments, enterprise customers are now ready to extend virtualization into their production environments. For mobile and thin clients, this requires provisioning and management capabilities, as well as advanced security.

Solution overview

The Mobile Secure Workspace solution architecture project is important because enterprise customers are increasingly adopting VDI in the production environment. Industry analysts expect that within five years thin client and other users will outpace workspace Internet adoption and continue to grow. To support their security objectives, enterprises are providing mobile users with a thin client, or a zero client, to access SaaS, Enterprise, or Windows-based applications. Enterprise customers are now demanding advanced mobile security features to match their security policies.

The Mobile Secure Workspace solution architecture provides virtualization with Vblock Systems. It also provides guidance on sizing and scaling, and provisioning.

Validation for the Mobile Secure Workspace solution architecture includes the deployment and testing of security products and demonstrates operations management. In addition, the Mobile Secure Workspace:

• Shows security and operations management capabilities using VMware vCenter Configuration Manager and VMware vCenter Operations for Horizon View.

• Applies a comprehensive, but not prohibitively expensive, security model to the solution using products from VMware, Trend Micro, and EMC RSA.


Objectives

This paper describes the best practices, recommendations, and building blocks of the Mobile Secure Workspace solution architecture with Vblock Systems, and demonstrates:

• Virtual provisioning of virtual machines (VMs) and how they can be successfully and easily implemented on Vblock Systems

• Rapid deployment and sustainable operation of VDI users, with up to 500 knowledge worker users at 100% concurrency

• Linear scalability valid for 2000 users based on testing 500 users and sharing the data for subsets

• High availability (HA) of VDI user clusters across all services and components

• The best practices for deployment and scalability of the product and recommendations along with performance details

Scope

The objectives describe the scope for this project. Out of scope are RSA correlation and alerting, and enhanced data loss prevention.

Audience

The solution architecture paper is intended for IT managers, system/network administrators and architects, technical engineering staff, IT managers/planners, and other IT professionals who are evaluating, acquiring, managing, operating, or deploying a mobile secure workspace solution in the enterprise segment on a single campus. All Vblock Systems customers, existing and potential, with a current or future mobile secure workspace project will also benefit from the information in this paper.

Feedback

To suggest documentation changes and provide feedback on this paper, send email to [email protected]. Include the title of this paper, the name of the topic to which your comment


Technology overview

This section contains a list of the technology used in the Mobile Secure Workspace solution. See the Appendix for a description of each of these products and technologies.

Solution components

The solution uses the following hardware and software components and technologies.

• Vblock Systems

• High availability AMP

• Microsoft Windows 7

• Microsoft Windows Server 2008

• VMware Horizon View Premier (includes ESXi, vCenter, Horizon View Manager, Horizon Persona Manager, Horizon View Composer, ThinApp, and so on)

• VMware vCloud Networking and Security (previously known as VMware vShield)

• VMware vCenter Configuration Manager

• VMware vCenter Operations Manager

• VMware vCenter Operations for View Adapter

• Trend Micro Deep Security

• RSA SecurID/RSA Authentication Manager

• EMC PowerPath/VE


Architecture overview

The following topics discuss the architecture enabled to support testing security for the Mobile Secure Workspace solution. This architecture creates a virtualized VDI environment with security products for VMware Horizon View on Vblock Systems.

Logical layout

Figure 1 shows the overall logical architecture of the environment.


The logical architecture diagram shows:

• The types of devices that might potentially initiate client workspace connections are represented across the top of the diagram. These types of devices might access the VDI environment from outside the network, or from the core network.

• VMware Horizon View Security Servers, along with the VDI infrastructure and connection brokers, are installed on the Vblock System.

• The private network area on the left side, which includes the wireless and LAN connections through the WLAN access point, provides the interactions necessary to establish a VDI session using VMware Horizon View 5.x on the Vblock System. It also provides the interactions necessary to manage the environment, including load balancing with the Cisco ACE load balancer.

• The installed security technology is shown in the lower block on the right of the VDI infrastructure area, above the label "Security Infrastructure." It is a 2-host cluster.

• The Horizon View management infrastructure has been installed and configured on a 2-host cluster. This cluster is shown above the label "Management Infrastructure."

• Farther to the right, the public network connection goes to the network aggregation core. There is a connector through the Cisco ACE load balancer from the WLAN connection to the aggregation area.


Physical layout

Figure 2 shows the physical architecture of the Mobile Secure Workspace solution environment.

Figure 2: Physical layout of the Mobile Secure Workspace solution

The physical architecture diagram shows that:

• The Cisco Nexus 7000 aggregation layer provides all layer 3 VLAN network capabilities to Vblock Systems, as well as to other core components such as the ACE load balancer and Wireless Controller.

• The Cisco ACE load balancer connects to the Nexus 7000 with a specified VLAN.

• The Cisco Wireless Controller directly connects to the Nexus 7000 with a specified VLAN.

• The Cisco Access Points connect to the Wireless Controller, which controls the access points for wireless access to the endpoint and DHCP service.

• The Cisco Nexus 5548 (which is integral to Vblock Systems) directly connects to the Nexus 7000 for all network services.


Hardware and software components

Table 1 lists the hardware used to validate this solution.

Table 1: Hardware resources used to validate the Mobile Secure Workspace solution

Hardware resource | Description | Source
Vblock 300 FX | 1 | Local
Compute | Cisco Unified Computing System (UCS): 14 x UCS blades B200 M2 (10 used to host VDI workspaces, 2 used for management virtual machines, 2 used for security virtual machines) | Local
Network | 2 x Fabric Interconnects; 2 x Cisco MDS 9148 Switch; 2 x Cisco Nexus 5000 Switch; 2 x Cisco Application Control Engine (ACE); 1 x Wireless LAN Controller (Cisco 5508); 2 x Wireless Access Point |
Storage | 1 x EMC VNX 5500 |
Virtualization | Details are provided in the Test Environment section. |
Other components | 10 x Endpoint devices; 1 x High availability AMP |


Table 2 lists the software used to validate this solution.

Table 2: Software used to validate the Mobile Secure Workspace solution

Software | Quantity or type
Microsoft Windows 2008 | Volume License
VMware Horizon View Premier (includes ESXi, vCenter, Horizon View Manager, Horizon Persona Manager, Horizon View Composer, ThinApp, etc.) | Enterprise
VMware vCloud Networking and Security (includes Manager, App with Data Security, Edge) | Enterprise
VMware vCenter Configuration Manager | 2
VMware vCenter Operations Manager | 2
VMware vCenter Operations for View Adapter |
Trend Micro Deep Security | Volume License
RSA SecurID/Authentication Manager | Enterprise
EMC PowerPath/VE | 16
Windows 7 | Volume License


Design considerations

Design considerations for the present solution are discussed in this section and include the following design plans:

• The plan to enable security for mobile endpoint device connections

• The end user access risk mitigation plan

• An untrusted-to-trusted network connection risk mitigation plan

• The workspace provisioning risk mitigation plan

• The user session and data risk mitigation plan

Enabling security in a mobile secure workspace environment comprises addressing point threat vectors and holistically managing the point solutions and the data they produce. As with all security solutions, people, processes, and technologies working together are essential. This solution focuses on the technology used to implement controls or to validate aspects of the environment. However, technology alone is not sufficient to achieve compliance with any of the most common major regulatory regimes.

Mobile user experience security considerations

The following sections walk through the security considerations associated with the different phases of the mobile user experience.

Plan to enable security for mobile endpoint device connections

1. A VMware Horizon View user using Horizon View Client connects to the View Security Server and authenticates.

2. When a PCoIP workspace is selected, the PCoIP protocol goes to the View Security Server.

1. If the PCoIP session is on behalf of an authenticated user, it is then forwarded to the correct workspace.

2. The VMware Horizon View management console is used to provision workspaces and set user access, entitlement, and permission policies.

3. User data is stored within the data center using the company's privacy policies and selected encryption technologies.

4. Vendor management tools are used for aggregate workspace configuration, reporting, and compliance management.


The end user access risk mitigation plan

1. Minimize workspace risk through the use of VCM by managing patches, application updates, and platform policy compliance for persistent workspaces.

2. Enhance authentication by using RSA SecurID.

3. The use of VMware Horizon View Security Servers is required in order to encrypt any information leaving the network perimeter.

4. The use of commercial certificates is required for all possible SSL/TLS transactions where an endpoint potentially resides outside of the trusted network. If all client systems are Windows hosts within the domain, Active Directory-issued certificates for SSL/TLS interfaces are acceptable.
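The certificate requirement in step 4 can be verified from the client side. The following Python script is an added example and is not part of the VCE paper; the host names, the sample certificates, and the 30-day expiry warning threshold are constructed assumptions.

```python
"""Audit the TLS certificate an endpoint sees on a Horizon View boundary server.

Added example, not part of the VCE document. The end-user access plan above
requires commercial certificates on every SSL/TLS interface reachable from
outside the trusted network (AD-issued ones only when every client is a
domain-joined Windows host). This script flags the leaf-certificate defects
that violate that requirement: self-signed, expired, about to expire, or not
valid for the name clients connect to. Host names and certificates below are
constructed for the demo.
"""
import socket
import ssl
from datetime import datetime, timedelta, timezone

WARN_DAYS = 30  # assumed policy: warn this many days before expiry


def _dn_to_dict(dn):
    """Flatten the nested RDN tuples that ssl.getpeercert() uses for names."""
    return {key: value for rdn in dn for key, value in rdn}


def _parse_not_after(value):
    """getpeercert() renders dates as 'May  1 00:00:00 2014 GMT'."""
    parsed = datetime.strptime(value, "%b %d %H:%M:%S %Y %Z")
    return parsed.replace(tzinfo=timezone.utc)


def _names_in_cert(cert):
    """DNS names the certificate is valid for: SAN entries, else the subject CN."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        cn = _dn_to_dict(cert.get("subject", ())).get("commonName")
        if cn:
            names.append(cn)
    return [n.lower() for n in names]


def _name_matches(pattern, host):
    """Exact match, or a single leading wildcard label (*.example.test)."""
    host = host.lower()
    if pattern == host:
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".example.test"
        prefix = host[: -len(suffix)] if host.endswith(suffix) else ""
        return prefix != "" and "." not in prefix
    return False


def classify_cert(cert, expected_host, now=None, warn_days=WARN_DAYS):
    """Return a list of findings for a certificate in getpeercert() dict form.

    An empty list means no defect is visible in the leaf certificate itself;
    trust in the issuing CA is judged by the verifying connection in audit_host.
    """
    now = now or datetime.now(timezone.utc)
    findings = []
    subject = _dn_to_dict(cert.get("subject", ()))
    issuer = _dn_to_dict(cert.get("issuer", ()))
    # Identical subject and issuer means self-signed: neither commercial nor
    # AD-issued, so it fails the plan in every scenario.
    if subject == issuer:
        findings.append("self-signed certificate")
    not_after = _parse_not_after(cert["notAfter"])
    if not_after <= now:
        findings.append("certificate expired on %s" % not_after.date())
    elif not_after - now < timedelta(days=warn_days):
        findings.append("certificate expires within %d days" % warn_days)
    if not any(_name_matches(n, expected_host) for n in _names_in_cert(cert)):
        findings.append("certificate is not valid for host name %s" % expected_host)
    return findings


def audit_host(host, port=443, timeout=5.0):
    """Connect with verification on; an untrusted chain is itself a finding."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        return ["chain not trusted by the local store (self-signed or private CA?): %s" % exc.reason]
    return classify_cert(cert, host)


# Constructed sample certificates in the shape ssl.getpeercert() returns.
NOW = datetime(2013, 5, 1, tzinfo=timezone.utc)
AFTER_EXPIRY = datetime(2014, 6, 1, tzinfo=timezone.utc)
SELF_SIGNED = {
    "subject": ((("commonName", "view-sec01.example.test"),),),
    "issuer": ((("commonName", "view-sec01.example.test"),),),
    "notAfter": "May 15 00:00:00 2013 GMT",
    "subjectAltName": (("DNS", "view-sec01.example.test"),),
}
COMMERCIAL = {
    "subject": ((("commonName", "view.example.test"),),),
    "issuer": ((("organizationName", "Example Commercial CA"),),),
    "notAfter": "May  1 00:00:00 2014 GMT",
    "subjectAltName": (("DNS", "*.example.test"),),
}

if __name__ == "__main__":
    for label, cert, host in (("self-signed", SELF_SIGNED, "view-sec01.example.test"),
                              ("commercial", COMMERCIAL, "view.example.test")):
        print(label, classify_cert(cert, host, now=NOW) or ["OK"])
    # Live check of a real Security Server (hypothetical name):
    # print(audit_host("view-sec01.example.test"))
```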

Untrusted-to-trusted network connection risk mitigation plan

1. Implement a virtual firewall that can detect and counter denial of service (DoS) attacks and null route any malicious traffic identified as a DoS attack, and can provide Network Address Translation (NAT) services.

2. Implement a load balancer to distribute incoming connections among multiple security servers.

3. Disable account logon privileges after X failed login attempts.

4. Ensure all nodes in the system are configured to use NTP and have time zones set appropriately.

5. Ensure the virtual firewall(s) and all other boundary infrastructure components are configured to generate log data.

6. Use VCM to actively monitor the patch and configuration status of the Windows servers in the boundary infrastructure (View Security and Connection Servers).

7. Use Trend Micro Deep Security to enable virus protection for the Windows servers in the boundary infrastructure.

Workspace provisioning risk mitigation plan

1. Use Trend Micro Deep Security to ensure that workspaces are not generated with viruses or malware.

2. Use VCM to ensure that workspaces are patched, applications are updated, and configurations are compliant with security policies.

3. Create a management plane by using vCloud Networking and Security App. Place all administrative virtual machines in this zone. Define different security zones for workspaces as needed.

User session and data risk mitigation plan

1. Classify data in workspace sessions to ensure appropriate network access policies using vCloud Networking and Security App with Data Security (classification and zones) and VCM.


Regular port scans of endpoints and the boundary infrastructure are strongly recommended. Changes in the exposures of the environment should be closely tracked. The same targets must be regularly checked for vulnerabilities and aggressively remediated.

Compute configuration

Compute components in Vblock Systems are built on the Cisco UCS line of products. The individual components include one or more blade server chassis, the included compute blades, the IO modules, and the fabric interconnects that connect the unified fabric to the rest of the environment.

In the Mobile Secure Workspace solution validation environment, the compute components in Table 3 are used.

Table 3: Compute components used in the Mobile Secure Workspace solution

Component | Quantity
Cisco UCS B200 M2 | 16
Memory | 96 GB each
CPU | 12 cores each

Network configuration

The network components in Vblock Systems comprise various models of Cisco Nexus and Cisco MDS storage switches. These include the Cisco Nexus 7000 Series, Cisco Nexus 5000 Series, Cisco Nexus 1000V, Cisco Catalyst 3000 Series, and the Cisco MDS 9000 Series switches.

The Cisco Nexus 1000V Switch is used in the Mobile Secure Workspace solution.

The following sections provide additional network information about the Mobile Secure Workspace solution, including general network considerations, and a description of the vSphere network configuration.

Network considerations

The primary users for this solution are those with LAN/WLAN connectivity having low latency and high bandwidth.


VMware vSphere network configuration

The vSphere network configuration includes the Cisco Nexus 1000V switch.

In this solution, all network interfaces on the vSphere servers use 10-GbE connections. All virtual workspaces are assigned an IP address by using a DHCP server. Figure 3 shows the Nexus 1000V distributed switch configuration in the vCenter Server.


Table 4 provides the list of port groups configured in the Cisco Nexus 1000V Switch.

Table 4: Port groups configured in Nexus 1000V

Port group name | Use
DATA-UPLINK | Used as the uplink port group for all vSphere hosts
Vblock_msd_mgmt | Used for all View management and security management services
Vblock_esx_mgmt | Used for all vSphere host management networks
Vblock_esx_vmotion | Used for all vSphere host vMotion networks
Vblock_cifs | Used for the View User Share repository for Persona Management
Vblock_vdesk_fin | Used for virtual workspaces (supports a maximum of 1024 workspaces)
Vblock_vdesk_hipaa | Used for HIPAA zone virtual workspaces (supports a maximum of 1024 workspaces)

Storage configuration

The Mobile Secure Workspace solution uses the EMC VNX based storage arrays provided in the Vblock Systems. The VNX is a dedicated network server optimized for file and block access that delivers high-end features in a scalable and easy-to-use package.

The VNX delivers a single-box block and file solution that offers a centralized point of management for distributed environments. This makes it possible to dynamically grow, share, and cost-effectively manage multiprotocol file systems and to provide multiprotocol block access. Administrators can take advantage of simultaneous support for NFS and CIFS protocols by enabling Windows and Linux/UNIX clients to share files by using the sophisticated file-locking mechanisms of VNX for File and VNX for Block for high-bandwidth or for latency-sensitive applications.

This solution uses VNX storage to leverage the benefits that each of the following provides:

• Block-based storage over the FC protocol is used to store the VMDK files for all virtual workspaces. This has the following benefit:

- The Unified Storage Management plug-in provides seamless integration with VMware vSphere to simplify the provisioning of datastores or virtual machines.

• File-based storage over the CIFS protocol is used to store user data and the VMware Horizon View Persona Management repository. This has the following benefits:

- Redirection of user data and VMware Horizon View Persona Management data to a central location for easy backup and administration


VMware vSphere and VMware Horizon View Persona Management storage

This section explains the configuration of the storage provisioned over FC for the vSphere cluster to store the VMDK images and the storage provisioned over CIFS to redirect user data and provide storage for the VMware Horizon View Persona Management repository.

The following configurations are used in the solution architecture:

• Five SAS disks in the RAID 5 Storage Pool 0 are used to boot the ESXi hosts.

- 20 GB boot LUNs have been carved out for each of the hosts.

• 35 SAS disks in RAID 5 Storage Pool 1 are used to store virtual workspaces. FAST Cache is enabled for the entire pool.

- Two LUNs of 1 TB each are carved out for the management virtual machines.

- One LUN of 500 GB is carved out for the security appliances (vCloud Networking and Security App and Deep Security appliance).

- Five LUNs of 600 GB each and two LUNs of 50 GB each are carved out of the pool and presented to the vSphere servers for use as VMFS datastores.

• Four Flash drives are used for EMC VNX FAST Cache. There are no user-configurable LUNs on these drives.

- Eight NL-SAS disks in the RAID 6 Storage Pool 2 are used to store user data and roaming profiles. FAST Cache is enabled for the entire pool.

- Four LUNs of 2 TB each are carved out of the pool to provide the storage required to create two CIFS file systems.

- FAST Cache is enabled on both storage pools that are used to store the FC and CIFS file systems used by the virtual workspaces.

• Two shared file systems are used for 500 virtual workspaces.

- One file system for the VMware Horizon View Persona Management repository.

- One file system to redirect user storage that resides in home directories. In general,


Horizon View Linked Clone Storage layout

The following data storage configuration is used for storing Horizon View linked clones:

• Two LUNs:

- Each of the 50 GB datastores stores a replica that is responsible for 550 linked clone workspaces.

- The I/O to these LUNs is strictly read-only except during operations that require copying a new replica into the datastore.

• Five LUNs:

- Each of these 600 GB datastores accommodates 100 virtual workspaces, allowing each workspace to grow to a maximum average size of approximately 6 GB.

- Each pool of workspaces provisioned in Horizon View Manager is balanced across five distinct datastores.

EMC VNX shared file Systems

Virtual workspaces use two EMC VNX shared file systems, one for VMware Horizon View Persona Management data and the other to redirect user storage. Each file system is exported to the environment through a CIFS share.

Table 5: File systems used for user profiles and redirected user storage

File system | Purpose | Size
Profile1 | VMware Horizon View Persona Management repository | 2 TB
Home1 | Home folder for user data | 4 TB

VMware Horizon View Persona Management and folder redirection


EMC VNX for File Home Directory configuration

The EMC VNX for File Home Directory feature uses the file systems to automatically map the H: drive of each virtual workspace to each user dedicated subfolder on the share.

This ensures that each user has exclusive rights to a dedicated home drive share. This share is created by the File Home Directory feature, and does not need to be created manually. The Home Directory feature automatically maps this share for each user. The VNX file systems for the VMware Horizon View Persona Management repository and user documents are configured as follows:

• Profile1 share configured to consume 2 TB of space. With 50% space saving, each profile can grow up to 4 GB in size. The file system extends if more space is required.

• Home1 share configured to consume 4 TB of space. Each user is able to store 8 GB of data, providing a 50% space saving. The file system extends if more space is required.

Virtualization configuration

Vblock Systems virtualization components include VMware ESXi, VMware vCenter Server, and VMware vSphere.

For the Mobile Secure Workspace solution, clustering is performed using vSphere for the virtual container design. The Mobile Secure Workspace environment clustering design implementation, components, and characteristics are described in the following tables for the:

• Horizon View management infrastructure cluster

• Security infrastructure cluster

• Virtual workspace cluster for 500 workspaces

VMware vSphere Distributed Resource Scheduler


VMware high availability

VMware high availability (HA) is enabled for the management and security cluster to provide easy-to-use and effective high availability for all the management virtual machines in the event of physical server failure. In the case of server failure, HA restarts the affected virtual machine on the spare server.

Compute virtual container design

Table 6: Horizon view infrastructure cluster

Components | Characteristics
vSphere hosts | 2
Data store size | 1 TB
Management virtual machines | 12
Network | 2 x 10 GB uplink connectivity for each host
DRS | Enabled
HA | Enabled

Table 7: Security infrastructure cluster

Components | Characteristics
vSphere hosts | 2
Data store size | 1 TB
Security service virtual machines | 10
Network | 2 x 10 GB uplink connectivity for each host
DRS | Enabled


Virtual workspace cluster for 500 workspaces

Table 8 and Table 9 provide the components and characteristics of the workspace clusters.

Table 8: Workspace cluster-1

Components | Characteristics
vSphere hosts | 6
Data store size (FC) | 3 x 600 GB
Virtual workspaces | 300
Network | 2 x 10 GB uplink connectivity for each host
DRS | Enabled
HA | Disabled

Table 9: Workspace cluster-2

Components | Characteristics
vSphere hosts | 5
Data store size (FC) | 2 x 600 GB
Virtual workspaces | 200
Network | 2 x 10 GB uplink connectivity for each host
DRS | Enabled
HA | Disabled

High availability is disabled because of the floating workspace assignment setting. In this environment, users do not depend on any specific virtual workspace: with floating assignment, Horizon View can give the user any other available virtual workspace from the pool in the event of a host or workspace failure.


Application configuration

This section provides an overview of the configuration and integration of the following:

• VMware Horizon View installation overview

• VMware Horizon View setup

• VMware Horizon View workspace pool configuration

• VMware Horizon View Persona Management

• vShield Endpoint and Trend Micro Deep Security Manager

• vCloud Networking and Security App

• Implement vCloud Networking and Security firewall rules

• RSA SecurID

• VMware Configuration Manager

• Imprivata OneSign (provides SSO)

Complete installation instructions for application setup and configuration for the following components are available on the VMware website:

• VMware Horizon View Manager Server 5.0

• VMware Horizon View Composer 3.0

• VMware Horizon View Storage Accelerator

• VMware Horizon View Persona Management

• VMware vSphere 5.0

• VMware vCenter Operations

• VMware vCenter Configuration Manager

The installation and configuration steps for the following components are not covered:

• Microsoft Active Directory, Group Policies, DNS, and DHCP


VMware Horizon View installation overview

The VMware Horizon View Installation Guide (available on the VMware website) includes detailed procedures for installing Horizon View Manager Server and Horizon View Composer 3.0. No special configuration instructions are required for this solution.

The vSphere Installation and Setup Guide (available on the VMware website) contains detailed procedures for installing and configuring vCenter Server and vSphere. As a result, these subjects are not covered in further detail in this paper. No special configuration instructions are required for this solution.

VMware Horizon View setup

Before deploying the workspace pools, ensure that the following steps from the VMware Horizon View Installation document have been completed:

1. Prepare Active Directory, DNS, and DHCP.

2. Install Horizon View Composer 3.0 on the vCenter Server.

3. Install the Horizon View Manager Server.


5. Next, edit vCenter Server to enable host caching for View: click the vCenter Servers tab, click Edit, then complete the settings as shown:

VMware Horizon View workspace pool configuration

To create one of the persistent automated workspace pools as configured for this solution, complete the following steps:

1. Log on to the VMware Horizon View Administration page at https://server/admin where server is the IP address or the DNS name of the server.

2. In the left pane, click Pools.

3. Click Add under the Pools banner. The Add Pool page appears.

4. Under Pool Definition, click Type. The Type page appears in the right pane.

5. Select Automated Pool in the right pane. Click Next.

6. In the User Assignment area, click Floating and leave the automatic assignment checkbox checked.

7. Click Next. The vCenter Server page appears.

8. Click View Composer linked clones and in the server list, click a vCenter Server that supports Horizon View Composer.


12. Complete the following steps:

a. Click Use a naming pattern.

b. In the Naming Pattern field, type the naming pattern.

c. In the Max number of workspaces field, type the number of workspaces to provision.

13. Click Next. The View Composer Disks page appears. Make any required changes.

14. Click Next. The Storage Optimization page appears.

15. Click Next and select Replica disks. Make sure the checkbox is checked for: Select separate datastores for replica and OS disk.

16. Click Next. The vCenter Settings page appears.

17. In the vCenter Settings page sections, complete the following steps:

a. Default Image: click Browse in each of these sections to select the:

i. Parent VM

ii. Snapshot (the snapshot to use for the default image)

b. Virtual Machine Location: click Browse to select the VM Folder Location (a folder for the virtual machines).

c. Resource Settings: click Browse in each of these sections to select the:

i. Host or Cluster (the cluster hosting the virtual workspace)

ii. Resource Pool (the resource pool to store the workspaces)

iii. Linked clone datastores: click Browse. The Select Linked Clone Datastores page appears.

18. Click the checkboxes for each of the four LUNs that were provisioned for linked clone storage. Click OK.


20. Click OK. The Advanced Storage Options page appears.

21. Verify that the Use host caching checkbox is checked and enable Blackout times for host cache regeneration.

Note: Host cache regeneration may temporarily impact workspace performance. It is recommended to set a blackout time to prevent the host cache regeneration from taking place during periods of heavy workspace usage.


23. In the Guest Customization page, complete the following steps:

a. In the Domain list box, select the domain.

b. In the AD container field, click Browse, and then select the AD container.

c. Click Use QuickPrep.

24. Click Next. The Ready to Complete page appears.

25. Verify the settings for the pool. Click Finish. The deployment of the virtual workspaces starts.

26. Repeat this process as needed to provision additional workspace pools.

VMware Horizon View Persona Management

The Profile1 and Home1 CIFS file systems are used as the VMware Horizon View Persona Management repositories. VMware Horizon View Persona Management is enabled with a Windows group policy template, which is located on the View Connection Server in the directory Install Drive\Program Files\VMware\VMware Horizon View\Server\extras\GroupPolicyFiles. The template ViewPM.adm is the one needed to configure VMware Horizon View Persona Management. Persona Management is enabled through computer group policies applied to the organizational unit that contains the virtual workspace computer objects.

The screenshot below shows an example of the policies configured to enable VMware Horizon View Persona Management in the Mobile Secure Workspace environment.


When deploying VMware Horizon View Persona Management in a production environment, VCE recommends redirecting the folders that users commonly use to store documents or other files. The screenshot below shows the VMware Horizon View Persona Management group policy settings required to redirect the user workspace and My Documents folders. You can also set policies for Downloads and for the My Pictures folder.

Figure 5: VMware Horizon View Persona Management group policy settings

VMware vShield Endpoint and Trend Micro Deep Security

VMware vShield Endpoint (part of VMware vSphere) is a prerequisite: Trend Micro Deep Security uses it to provide agentless malware protection to the virtual workspaces. vShield Endpoint is installed on each of the hosts, either directly from vCenter or by logging on to vShield Manager.


Trend Micro Deep Security consists of the following components, which work together to provide protection:

 Deep Security Manager (DSM) - the centralized management component that administrators use to configure security policy and to deploy protection to the Deep Security Virtual Appliance and Deep Security Agent components for enforcement. DSM is installed on a Windows host.

 Deep Security Virtual Appliance - a security virtual machine built for VMware vSphere environments that provides anti-malware, IDS/IPS, firewall, web application protection, and application control. The virtual appliance is pushed from the Deep Security Manager console to each ESXi host.

 Deep Security Agent - a security agent deployed directly on a computer, providing IDS/IPS, firewall, web application protection, application control, integrity monitoring, and log inspection. The agent is installed on the protected virtual machines.

Figure 6 shows the Deep Security 8.0 architecture.


The installation files are downloaded from the Trend Micro website. It is also important to download the filter driver, which must then be pushed from DSM to each ESXi host. For installation of Deep Security on a Windows OS, see the Deep Security Getting Started and Installation Guide located at:

www.trendmicro.com/ftp/documentation/guides/Deep Security 8 Getting Started and Installation Guide.pdf

After Deep Security is installed, but before using DSM, add the VMware vCenter Server into Deep Security using the following steps:

1. In the left menu of the Deep Security console, navigate to Computers, right-click, and then select Add VMware vCenter.

After adding vCenter, you will be able to see the hosts and the cluster, with every host's status showing as unprepared and with a blue status indicator.

2. Select a host and right-click.

3. Click the menu items Actions>Prepare ESX.

This prepares your ESXi host with the port groups needed to deploy the Deep Security appliance. The prepare process reboots the ESXi host, which takes some time to come back up.

After the host is back up, the status is green and shows as prepared.

4. Next, select the host again and right-click. Click Actions>Deploy Appliance.

The next steps are to provide the appliance name, datastore, and network for the appliance to communicate. A datastore is required to store this virtual appliance. For this solution, we have dedicated an FC LUN for all of our security components, such as Deep Security, vCloud Networking and Security App, and so forth.

5. Enter a name in the Appliance Name field. From the lists, select a Datastore, a Folder, and a Management Network. Click Next.


7. After completing the above steps, you will be able to see that an appliance has been deployed on the specified host. Select the appliance. The related screen appears.

8. To verify the status, ensure that the vShield Endpoint field shows Registered.

If vShield Endpoint is not registered, you must go back, restore the ESXi host, and then redeploy the appliance.

9. Next, in the Deep Security left menu select Security Profiles and create a security profile specific to your organization’s security settings.


11. Apply the new security profile to the deployed Deep Security appliance.

12. Next, associate that profile with the Deep Security virtual appliance for each host, then click Save.

When completed, Deep Security will provide agentless malware protection to all the virtual workspaces.

VMware vCloud Networking and Security App

Use the vCloud Networking and Security App firewall to ensure proper zoning and traffic separation between two separate workspace pool zones. In this case a PCI compliance workspace zone and a HIPAA compliance workspace zone are used. Two resource pools have been created as workspace zones (HIPAA-ZONE and PCI-ZONE), and the zones are in different VLANs.

Before implementing any App firewall rule, install the App component on each of the ESXi hosts whose workloads are covered by your firewall rules. See the following image for the App firewall installation in vCenter.

Figure 7: App firewall installation in vCenter

Note: To ease customers' transition from vShield 5.0 to vCloud Networking and Security and ensure continuity, the user interface for vCloud Networking and Security still refers to the capabilities using the existing vShield product names.

Refer to the following guide for installation information:


The next section provides three scenarios for implementing App firewall rules.

Implement App firewall rules

Following are scenarios and best practices for implementing firewall rules in vCloud Networking and Security App.

Scenario 1

Any traffic from HIPAA-ZONE to PCI- ZONE, and vice versa, must be blocked, as shown in Figure 8.


Create two firewall rules in the App firewall to enable the blocking.

Block any traffic from HIPAA-ZONE to PCI-ZONE

1. On the Mobile Secure Workspace page, select Inside HIPAA-ZONE. The Edit L3-IP protocols box appears.

2. Select the following:

a. Source: HIPAA-ZONE
b. Source boundary: Inside
c. Destination: PCI-ZONE
d. Destination boundary: Inside
e. Type of traffic: leave blank (a blank value defaults to any traffic)
f. Action: Block


Block any traffic from PCI-ZONE to HIPAA-ZONE

1. On the Mobile Secure Workspace page, select Inside HIPAA-ZONE. The Edit L3-IP protocols box appears.

2. Select the following:

a. Source: PCI-ZONE
b. Source boundary: Inside
c. Destination: HIPAA-ZONE
d. Destination boundary: Inside
e. Type of traffic: leave blank (a blank value defaults to any traffic)
f. Action: Block
g. Logging: Log (log the traffic matched by this rule)
h. Enabled: Enabled

3. Click OK, and then click Publish Changes.

Scenario 2

A virtual workspace environment typically hosts several web applications for each workspace zone or specific group. Depending on your network design, these may sit on the same management network or in a dedicated management zone.

In this scenario, a web application server was hosted for each zone (PCI-WEB and HIPAA-WEB) on a common application management network sharing the same VLAN.


Ensure that PCI-ZONE can access only the PCI-WEB application server, and not the HIPAA-WEB server, even though both are on the same management network. Likewise, HIPAA-ZONE should be able to browse only the HIPAA-WEB application server, and not the PCI-WEB server.

To successfully implement the scenario above, create four firewall rules:

1. Allow only HTTP (web) traffic from HIPAA-ZONE workspace to HIPAA-WEB server.

2. Next, allow only HTTP (web) traffic from PCI-ZONE workspace to PCI-WEB server.

3. Block any traffic from PCI-ZONE workspace to HIPAA-WEB server.


Scenario 3

Each workspace zone should be able to browse specific web servers. However, they should not “ping” the server. In this case, HIPAA-ZONE can browse the HIPAA-WEB server; but ICMP traffic is blocked from that zone. Likewise, PCI-ZONE can browse the PCI-WEB server, but PING or ICMP traffic is blocked.

To implement this scenario, create two firewall rules:

1. Block ICMP traffic from HIPAA-ZONE to HIPAA-WEB server.

2. Next, block ICMP traffic from PCI-ZONE to PCI-WEB server.
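Before publishing the rules from Scenarios 1 to 3, it is worth checking that the ordered rule table actually yields the intended result for every flow, because two details of the App firewall bite here: a blank type of traffic means any traffic, and an "allow only HTTP" rule does not by itself block SSH or RDP to the same server when the table's default rule is still allow. The following Python is an added example for this page, not the VCE paper's own material and not the vCloud Networking and Security API or rule format; it models the table as a first-match list and evaluates it against constructed flows. The zone subnets, server addresses and flows are assumptions, and the HIPAA-ZONE to PCI-WEB block is the fourth Scenario 2 rule implied by the requirement that HIPAA-ZONE can browse only HIPAA-WEB.

```python
"""Model of the three App firewall scenarios as an ordered, first-match rule table.

Added example for this page; it is NOT the vCloud Networking and Security API or
rule format. Zone subnets, server addresses and the flows under REQUIREMENTS are
constructed assumptions that mirror the scenario text.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed addressing: each workspace zone is its own VLAN/subnet; both web
# servers sit on one shared application management network, as in Scenario 2.
ZONES = {
    "HIPAA-ZONE": ipaddress.ip_network("10.10.0.0/24"),
    "PCI-ZONE": ipaddress.ip_network("10.20.0.0/24"),
    "MGMT-NET": ipaddress.ip_network("10.30.0.0/24"),
}
HOSTS = {
    "HIPAA-WEB": ipaddress.ip_address("10.30.0.10"),
    "PCI-WEB": ipaddress.ip_address("10.30.0.20"),
}


def _member(name: str, ip) -> bool:
    """True if `ip` belongs to the named zone or host; 'any' matches everything."""
    if name == "any":
        return True
    if name in HOSTS:
        return ip == HOSTS[name]
    return ip in ZONES[name]


@dataclass(frozen=True)
class Rule:
    src: str                     # zone name, host name or "any"
    dst: str
    proto: str = "any"           # "any", "tcp", "udp" or "icmp"
    port: Optional[int] = None   # destination port; None = any (blank in the UI)
    action: str = "Block"        # "Block" or "Allow"
    log: bool = False

    def matches(self, src_ip, dst_ip, proto: str, port: Optional[int]) -> bool:
        return (_member(self.src, src_ip) and _member(self.dst, dst_ip)
                and self.proto in ("any", proto)
                and self.port in (None, port))


def evaluate(rules: List[Rule], src: str, dst: str, proto: str,
             port: Optional[int] = None,
             default: str = "Allow") -> Tuple[str, Optional[Rule]]:
    """First matching rule wins; otherwise the table's default rule applies.
    default="Allow" models a table whose default rule was left at allow."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if rule.matches(s, d, proto, port):
            return rule.action, rule
    return default, None


# The rules from Scenarios 1 to 3 in publish order. The HIPAA-ZONE -> PCI-WEB
# block is the fourth Scenario 2 rule implied by the stated requirement.
RULES = [
    Rule("HIPAA-ZONE", "PCI-ZONE", log=True),                                # Scenario 1
    Rule("PCI-ZONE", "HIPAA-ZONE", log=True),                                # Scenario 1
    Rule("HIPAA-ZONE", "HIPAA-WEB", proto="icmp"),                           # Scenario 3
    Rule("PCI-ZONE", "PCI-WEB", proto="icmp"),                               # Scenario 3
    Rule("HIPAA-ZONE", "HIPAA-WEB", proto="tcp", port=80, action="Allow"),   # Scenario 2
    Rule("PCI-ZONE", "PCI-WEB", proto="tcp", port=80, action="Allow"),       # Scenario 2
    Rule("PCI-ZONE", "HIPAA-WEB", log=True),                                 # Scenario 2
    Rule("HIPAA-ZONE", "PCI-WEB", log=True),                                 # Scenario 2 (implied)
]

# Constructed test flows: (name, src, dst, proto, port, expected action).
REQUIREMENTS = [
    ("hipaa->pci blocked", "10.10.0.5", "10.20.0.5", "tcp", 445, "Block"),
    ("pci->hipaa blocked", "10.20.0.5", "10.10.0.5", "tcp", 445, "Block"),
    ("hipaa browses hipaa-web", "10.10.0.5", "10.30.0.10", "tcp", 80, "Allow"),
    ("pci browses pci-web", "10.20.0.5", "10.30.0.20", "tcp", 80, "Allow"),
    ("pci cannot reach hipaa-web", "10.20.0.5", "10.30.0.10", "tcp", 80, "Block"),
    ("hipaa cannot reach pci-web", "10.10.0.5", "10.30.0.20", "tcp", 80, "Block"),
    ("hipaa cannot ping hipaa-web", "10.10.0.5", "10.30.0.10", "icmp", None, "Block"),
    ("pci cannot ping pci-web", "10.20.0.5", "10.30.0.20", "icmp", None, "Block"),
    # "Allow only HTTP" means non-HTTP to the zone's own web server must fail too.
    ("hipaa ssh to hipaa-web blocked", "10.10.0.5", "10.30.0.10", "tcp", 22, "Block"),
]


def check_policy(rules: List[Rule], default: str = "Allow") -> List[str]:
    """Return the names of the requirements the rule table does not meet."""
    failures = []
    for name, s, d, proto, port, expected in REQUIREMENTS:
        action, _ = evaluate(rules, s, d, proto, port, default=default)
        if action != expected:
            failures.append(name)
    return failures


def with_cleanup_rule(rules: List[Rule]) -> List[Rule]:
    """Append a final logged block-all rule so nothing falls through to the default."""
    return rules + [Rule("any", "any", log=True)]


if __name__ == "__main__":
    print("default allow:", check_policy(RULES))
    print("default block:", check_policy(RULES, default="Block"))
    print("with cleanup :", check_policy(with_cleanup_rule(RULES)))
```

Run as written, the check passes every cross-zone and ICMP requirement but reports that SSH from HIPAA-ZONE to HIPAA-WEB is still allowed under a default-allow table. Either changing the default rule to block or appending a logged block-all cleanup rule, as `with_cleanup_rule` does, closes that gap; the logged cleanup rule has the added benefit that every fall-through flow shows up in the App firewall logs used for the anomaly reporting described later in this paper.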


RSA SecurID integration with Horizon View

Before working on the RSA integration, make sure you have the following items (received as part of your purchase from RSA) on hand and installed:

 RSA Authentication Manager 7.1 SP4 installed software

- Refer to the guide located at ftp://ftp.rsa.com/pub/docs/AM7.0/install.pdf for installation information

 License file, server key, and certificate files

 RSA token record media (contains the token records)

 RSA token record password for importing the token records

 RSA key fob token

 RSA Authentication Manager Agent

Once you have installed RSA Authentication Manager, select All Programs > RSA Security to open the RSA Security Console and the RSA Operations Console.

Integrate LDAP/AD into RSA Authentication manager

1. Log in to the RSA Operations Console and click Deployment Configuration>Identity Sources>Add New.

2. The Identity Source Properties page appears.


3. In the Connection(s) screen, specify the details appropriate to your environment. Make sure the LDAP/AD server and the Directory User ID DN match your LDAP server. Test the connection to confirm it succeeds.

4. In the Identity Source Properties > Identity Connection(s) page, select Type > Active Directory. (Refer to the example in the following step; in this solution the type was AD.)

5. Complete the User Base DN and Group Base DN as per the AD schema, and fill out the other options as appropriate. In this example the defaults were used. You can save and finish at this point. Example: in AD, the default User and Group DN is cn=users,dc=abc,dc=xyz,dc=net

Map your identity source to the SystemDomain realm in the RSA Security Console:

1. Open RSA Security Console > Administration > Realm > Manage Existing.

2. Verify that your LDAP/Active Directory connection is working correctly and that you can see the users and groups.


Assign a token to a user

Before you assign a token, import the token record (found with your token record media) to the database:

1. In RSA Security Console, navigate to Administration>SecurID Tokens>Import Token Jobs>Add New>Browse the File location>Import the file.

(File name example: 12345_00_1_TOKEN.XML)

2. You are prompted for the token record password. Make sure this password matches the token record being imported. Click Submit Job.

If the password is incorrect, the job status indicates an error. If the password is correct the status indicates complete.


4. Right-click the user name and select SecurID Tokens.

5. Click Assign Token. The Assigned SecurID Tokens screen appears.

6. The User screen shows the available tokens. Select the desired token(s), and then click Assign. The following screenshot shows the message received when a token has been assigned to a user.


Prepare Horizon View Connection Server for user authentication through RSA SecurID

To prepare the Horizon View Connection Server for user authentication, install RSA Authentication Agent on the Connection Server host. If you do not have it, download RSA Authentication Agent, then:

1. After installation, open RSA Security Console. Navigate to Access>Authentication Agents>Add New.

2. Provide the Hostname, as per your View Connection Server.

3. Provide the IP Address, as per your View Connection Server. Click Save.

4. To generate the agent configuration file (sdconf.rec), navigate to Access>Authentication Agents>Generate Configuration File.

5. Next, select Download the configuration file (sdconf.rec).

6. Click Save, or copy the file to your View Connection Server (in this case the destination is C:\RSA\AM_Config).

7. Next, go to the View Connection Server and run the RSA Authentication Agent .MSI installer. While installing the agent, make sure you provide the RSA Authentication Manager system configuration file (sdconf.rec) that you generated and downloaded from the Authentication Manager console.


VMware vCenter Configuration Manager

VMware vCenter Configuration Manager is used for compliance management of the virtual infrastructure and for patch management of the View infrastructure.

VMware vCenter Configuration Manager includes built-in compliance toolkits for policy and compliance. The toolkits translate a broad range of standards and best practices into compliance templates that can be used to assess configuration compliance within your environment, and include reports and dashboards to support unified compliance reporting. vCenter Configuration Manager is tightly integrated with vSphere and delivers fundamental capabilities that support hardening the VMware infrastructure, including configuration compliance assessment (and in many cases automated remediation) for VMware ESX, ESXi, vCenter, and other VMware products.

Figure 9 shows a compliance result of a Mobile Secure Workspace virtual infrastructure environment.

Figure 9: Virtual environments compliance result

Patch Management with VMware vCenter Configuration Manager

VMware vCenter Configuration Manager collects, stores, remediates, and manages configuration settings from servers and workstations in both physical and virtual environments. With this critical data, vCenter Configuration Manager eliminates the hassle and expense associated with using multiple tools for


Figure 10 shows a virtual machine called MSD-THINAPP which requires patching. It also shows suggested patching information.

Figure 10: Virtual machine MSD-THINAPP

After successfully deploying the patch, the Suggested Patch column displays None (Patch Already Applied). Figure 11 provides an example of this in the Mobile Secure Workspace environment.

Figure 11: Successful patch deployment example

VMware vCenter Operations Manager for View


To successfully install vCenter Operations, access the vCenter Operations Installation and Configuration Guide: www.vmware.com/pdf/vcops-enterprise5-install-guide.pdf

Depending on the size of your VDI environment, select the memory and storage requirements for vCenter Operations.

Figure 12 shows the comprehensive visibility into the performance and health of the Mobile Secure Workspace infrastructure.

Figure 12: Mobile Secure Workspace infrastructure performance and health

Imprivata OneSign

Imprivata OneSign is configured to provide SSO capability in the Mobile Secure Workspace environment. To successfully configure OneSign, download the appliance and install it as per Imprivata best practices. Follow these steps to ensure your SSO operates properly:

1. After installation of the appliance, make sure that it is updated and patched to the latest code.

2. Install the OneSign license.

3. Install the OneSign agent on your VDI gold image.

4. Add your AD domain controller into the appliance to ensure the OneSign appliance is now able to communicate with AD to read your user and computer database.

5. Add your View Connection Server.


Configuration examples in a Mobile Secure Workspace environment

Figure 13 and Figure 14 provide examples of Horizon View Connection Server settings and user policy settings, respectively.

Figure 13: Horizon View Connection Server settings example


Solution validation

The tests performed for this solution include the following:

Item 1. Single server scale and performance testing.

Item 2. Ensure end-to-end security with VMware vCloud Networking and Security, Trend Micro Deep Security, and Imprivata SSO for Mobile Secure Workspace.
Explanation: Each of the components (Trend Micro Deep Security malware protection, vCloud Networking and Security App, RSA two-factor authentication, and Imprivata SSO) has been configured as shown in the application configuration section. The solution has been tested as a standard integration, and functional testing has been performed to ensure that each component works as per its features.

Item 3. Provide ongoing reporting for security breaches.
Explanation: The vCloud Networking and Security App firewall and Deep Security have been configured as shown in the configuration section. This provides reports of any traffic anomalies.

Item 4. Security practice for the corporate extended boundary using vCloud Networking and Security.
Explanation: The vCloud Networking and Security App firewall has been configured as shown in the application configuration section to ensure security isolation, and traffic management has been defined for each security zone. This has been tested as a normal functionality test and is shown in the configuration section.

Item 5. Endpoint SSO validation. Ensure the SSO connection from the (physical) workspace endpoint to the virtual workspace completes in less than 5 seconds.
Explanation: This has been tested as per standard SSO configuration best practice. A sample configuration is shown in the configuration section.

Item 6. Compliance auditing with VMware vCenter Configuration Manager.
Explanation: VMware vCenter Configuration Manager has been configured as per VMware best practices, and an example of AD compliance in a Mobile Secure Workspace environment is shown in the configuration section.

Item 7. Use vCenter Operations to present the behavior of workspace workloads and key performance indicators.
Explanation: vCenter Operations has been installed and configured as per VMware best practices. An example Mobile Secure Workspace dashboard, performance metrics, and analytic view are shown in the configuration section.

Item 8. Antivirus scanning/update and patching for the virtual workspace.
Explanation: Trend Micro Deep Security Manager has been configured with a relay server to manage antivirus updates. The Deep Security agent and appliances have been configured to manage scanning and patching of the antivirus software. This is shown in the configuration section and was tested as functional feature testing.

Item 9. RSA two-factor authentication.
Explanation: RSA SecurID has been configured and tested to verify two-factor authentication. A sample configuration is shown in the application configuration section.

Item 10. "Follow me" workspace with proximity card and SSO integration.
Explanation: Imprivata SSO and proximity cards have been used to simplify logon and mobility of the workspaces, and have been tested as feature testing.

Item 11. Ensure on-boarded devices authenticate seamlessly across wired and wireless media.
Explanation: The wireless controller and access point have been configured as per data center best practices to onboard the endpoint devices and provide DHCP services to all wireless devices. This has been tested as part of normal feature testing.

Item 12. Impact on system behavior and load-balancing performance when a single failure event occurs.

Item 13. Validate wireless capability and features of Horizon View with endpoint devices.
Explanation: The solution has been tested to ensure that the wireless network, endpoint devices, and View environment work normally with 500 users and 10 endpoint devices.

Test environment design

The test environment design and configuration is described in the previous sections.

VMware Horizon View – Environment Characteristics

Profile characteristic: Value

Number of virtual workspaces: 500
Virtual workspace OS: Windows 7 Enterprise 64-bit
CPU per virtual workspace: 2 vCPU
Number of virtual workspaces per CPU core: 4
RAM per virtual workspace: 2 GB
Average linked-clone capacity: 6 GB
Average IOPS per virtual workspace in steady state: 11
Average peak IOPS per virtual workspace: 14
Number of datastores used to store linked clones: 5
Number of datastores used to store replicas: 2
Number of virtual workspaces per datastore: 100
Disk, RAID type, and datastore: SAS, RAID 5, 600 GB
Disk and RAID type for the CIFS shares hosting the VMware Horizon View Persona Management repository: NL-SAS, RAID 6, 2 TB


Performance test and objective

Performance test objective

Measure the number of Horizon View workspaces that can be hosted on the given test environment to indicate scalability.

The environment scales well if, as application tasks are performed by an increasing number of users and the workload grows heavy, the measured task response times remain under a given threshold.

Knowledge user workload

The knowledge user-level workload:

 Consumes more memory and CPU because more applications are running in the background

 Simulates a power user

 Is based on the medium workload

 Differs from the medium workload in that the type rate is 130 ms per character and the total idle time is only 40 seconds

 Simultaneously opens up to eight applications

In lab testing, only the knowledge user type has been tested. Knowledge users are meant to be intensive in CPU and memory consumption, and testing with the knowledge user profile addresses most of the user classes found in real-world workspace environments. In this design, 2 GB of RAM has been allocated to each virtual workspace in order to sustain a knowledge user workload. If a different type of workload is chosen, for example the task user-level workload, the CPU and memory consumption would be relatively low because that workload runs fewer applications.

The Login VSI Tool was used to measure the maximum capacity of a given environment. The Login VSI tool simulates the application load of a real user. Applications such as Word, Excel, Outlook and Internet Explorer are simulated by Login VSI.

In this solution, 25 Login VSI Launchers were used to simulate application load on the View workspaces. Workspaces were scaled from 150 to 500 to find the optimum number of workspaces the test environment could handle while maintaining an acceptable user experience.


Test parameters

Table 10 provides the parameter type and the parameter used for testing.

Table 10: Test parameter types and parameters

Parameter type: Parameter

Total number of Launchers: 25
Sessions started by each launcher: 20
Timeframe: 30 seconds

Test results

This topic provides the results and a summary of the Performance Tests.

Performance tests

The Performance test consisted of the application response time test, and the CPU and memory use test. The results of these tests are discussed in the following topics.

Application response time test

The Application Response Time graph shows the number of users and the application response time in milliseconds (ms) for each task. Plotted in the graph are the color-coded tasks performed by the heavy concurrent users at each increment up to 500 workspaces. These tasks include Request for Server (RFS), LOAD, Open, Notepad, Print, Find, and Zip. RFS is a background process at application start-up; Load is the number of applications open (up to 8). The users first write in the Notepad application, then Print, then use the Find feature, and then Zip a file (or files). The response time for each task is measured while the number of workspaces is scaled, beginning at 150 and increasing in increments of 25 up to 500, as seen on the x axis of the graph.

The y axis of the graph shows the response time (ms), against which each task's behavior is plotted as the number of workspaces scales from 150 to 500. The graphed line for each task shows its application response time measured under load.

The scaling impact is small. As Figure 15 indicates, most of the operations stay well below an excellent 200 ms even as the workspace count is scaled upward. RFS and Load are relatively slower but still well below the 3 second acceptable range.


Figure 15: Application response time

CPU and memory usage test

Figure 16, the workspace CPU and memory usage graph, shows the average CPU and memory usage of the ESXi server hosting the workspaces. For the 500 knowledge users load, memory has maxed out to over 90%. For the same number of users, CPU usage is around 50%. It is clear that the VDI workspace environment is memory intensive. By increasing the host memory, more workspaces can be hosted.

Figure 16: Workspace CPU and memory usage

Summary

It is clear that memory is the limiting factor in VDI. Increasing the total amount of memory in the ESXi server will allow you to accommodate a higher number of workspaces.

Figure 15 axes: Response Time (ms), 0 to 2000, against 150 to 500 workspaces in steps of 25; series RFS, LOAD, Open, Notepad, Print, Find, Zip. Figure 16 axes: CPU, Memory Utilization, Percent %, 0 to 100.


Network usage test

The Network usage graph, Figure 17, shows the network usage in KBps.

Figure 17: Network usage

Summary

Network usage peaked at the point where all the users logged in (around 12:50 pm). The network is not a limiting factor in this solution.

Storage IOPS data

Storage IOPS data was gathered throughout the test using EMC Unisphere.

Figure 18: Storage IOPS data

Figure 18 shows the IOPS on the backend storage during the 500 knowledge worker user test. As seen in the graph, the IOPS in the first 15 minutes of the test are higher because that is when the users login and open up the applications. After that, due to the steady workload, the IOPS remained constant.


Conclusion

The performance test results indicate that memory is the limiting factor. Increasing the total amount of memory in the ESXi server allows you to accommodate a higher number of workspaces. The network usage results show that network is not a limiting factor in this solution.

The objectives for this project have been met and descriptions are included in this paper to show:

 The ability to successfully and easily implement virtual provisioning on Vblock Systems

 The rapid deployment and sustainable operation of VDI users is demonstrated, with up to 500 knowledge worker users at 100% concurrency

 The testing results for 500 users include data for subsets demonstrating that linear scalability is valid for 2000 users

 High availability of the VDI user clusters was demonstrated across all services and components

 Performance details, best practices for deployment, and scalability of the product were demonstrated

Next steps


Appendix – Description of the solution components

This appendix contains descriptions of all hardware and software components and technologies used in the solution:

 Vblock Systems

 High Availability AMP

 Microsoft Windows 7

 Microsoft Windows 2008 Server

 VMware Horizon View Premier (includes ESXi, vCenter, Horizon View Manager, Horizon Persona Manager, Horizon View Composer, ThinApp, and so forth)

 VMware vCloud Networking and Security (Manager, App with Data Security, Edge)

 VMware vCenter Configuration Manager

 VMware vCenter Operations Manager

 VMware vCenter Operations for View Adapter

 Trend Micro Deep Security

 RSA SecurID and RSA Authentication Manager

 EMC PowerPath/VE

 Imprivata OneSign SSO

Vblock™ Systems

The Vblock System from VCE is the world's most advanced converged infrastructure—one that optimizes infrastructure, lowers costs, secures the environment, simplifies management, speeds deployment, and promotes innovation. The Vblock System is designed as one architecture that spans the entire portfolio, includes best-in-class components, offers a single point of contact from initiation through support, and provides the industry's most robust range of configurations.

Vblock System 720

References

Related documents
