We compared hosted virtual desktop infrastructure (VDI) products from Microsoft, Citrix, VMware, Oracle and Ericom and came to many conclusions, but the most important one is this: Setting up hosted desktop sessions in a BYOD world is a complex undertaking.
When a user grabs a device and wants to access a session, the first step is downloading an app for the device, which may or may not need additional configuration. Thankfully, most of the client-side apps we tested needed no more than an IP address or DNS name -- and one (Oracle) could do an automated search from an address pre-seeded in the client.
Where possible, we strongly recommend requiring a VPN connection before the client is allowed to reach the broker, but that isn't always feasible. Once a user initiates a session, a connection broker takes the user's request and, after an authentication step, assigns either an ad hoc or a persistent session.
Here's where things get thick. The session is a live instance running as a virtual machine on the network, so it must wake up and be a fully functioning member of that network in order to reach its resources and deliver the session's display, input and devices to the user's remote device. No matter what device they're on or where they are, users want a beautiful analog of what they would see on their desktop at the office.
The user must also be authenticated, often through a local user database, LDAP or Microsoft's Active Directory. Printing resources must be defined. By user or group attribute, an administrator must decide how information may be shared, on questions like: do you allow the user to store data away from the hosted session? Can a user launch a web browser inside the virtualized, remotely connected session? Is there just one app, or a handful of apps, or is the session wide open? Does the user keep ownership of the session for the next reuse, thus consuming a license?
Indeed, licensing issues, and how Microsoft treats Windows licenses, cause VDI makers considerable grief, because of the many licensing plans Microsoft offers and the way VDI sessions can consume available licenses. Careful consideration is required: in some cases, 100 non-persistent sessions could drain an entire 100-license pool quickly and permanently until the problem is found and resolved.
Then there are session customizations, so that users land in a session configured the way they expect. The sessions must work well, perhaps in ugly circumstances such as over-subscribed Wi-Fi access points in remote locations.
Uncontrollable events can occur, such as logon storms, when many people must suddenly join online meetings using VDI, or other event storms that tax the building of ad hoc sessions. It's a lot of work. We know because we did it. And there were items we had to gloss over, like multi-monitor capabilities (Horizon View has it), constraining video characteristics (shared by most all), heavy multimedia (too many device differences), and strict adherence to policies (Active Directory or session-managed).
-- Our Clear Choice Test winner is Citrix's VDI-in-a-Box for its ease of integration, flexibility of both hosted operating systems and variety of clients, and its end-user experience.
-- VMware's re-done Horizon View 5.2 is also very capable and can scale dramatically, but it’s more limited in both hosts (Windows) and clients served.
-- Oracle VDI, a combination of Sun and Solaris (or Linux), has potentially more limited use for smaller organizations but does something surprising: it can host non-Windows images. *** Editor's Note: Oracle announced this week that it has ended new feature development for Oracle Virtual Desktop Infrastructure, but customer support will continue uninterrupted and customers can continue to purchase new licenses. Oracle said it will continue to invest in Oracle Secure Global Desktop and Oracle VM VirtualBox software.***
-- Windows 2012 Server is good, yet requires a buy-in to Microsoft's Windows System Center Configuration Manager, and has less client flexibility.
-- We also tested Ericom's PowerConnect as both a connection broker and transport system -- and it rocks. Here are the individual reviews:
Citrix VDI-in-a-Box 5.2
VDI-in-a-Box is a downloaded, then licensed application that functions as a VDI controller. It sits in your data center as a VM appliance and merrily tosses sessions between a hypervisor -- VMware vSphere 5.0 Update 1 or later, Microsoft Hyper-V 2008 R2, or Citrix XenServer 6.1 -- and user devices, a breathtaking number of them.
You can virtualize hosted desktops for Windows XP SP3 and later, but not for non-Windows host operating systems. Citrix uses its HDX protocol, which is built on Citrix's own ICA rather than on Microsoft's RDP, although RDP remains available as an alternative.
One final hurdle: you'll need a Microsoft volume licensing agreement, so that licensed Windows virtual desktops are available. You can run experiments and proofs-of-concept with trial or Microsoft Developer Network Windows licenses, but production systems require Windows volume agreements. Either a volume license key (MAK) or a KMS (Key Management Service) host must be present, and a KMS host will not activate Windows clients until at least 25 of them have requested activation. A DHCP server is also necessary, along with a data store, and a naming convention for hosted VMs must be considered and chosen.
There's a different download for each supported hypervisor. We tried all three, and they work essentially in the same way: Unzip and deploy. A grid name is initially established, even though that might be just one VDI-in-a-Box server. You can use an internal VDI-in-a-Box-specific user database or connect to an Active Directory. If this is an iterative installation, an actual grid of VDI-in-a-Box hosts is formed by logging in subsequent appliance installations to the initial host.
From there, Citrix agent software is installed inside the VM instances to be hosted. The instances must be built correctly for the environment chosen, and this part is critical. If you clone a bad prototype by letting users log in to it, you'll have multiple bad VM instances with problems -- all in seemingly record time. For that reason, and for each clonable hosted instance, we strongly recommend spending a good amount of time on prototype "draft" instances. When bad instances multiply, they create help-desk problems and considerable teardown and retrofit work under pressure.
Citrix's image management lags only a bit behind VMware's -- although both companies have extra/optional products that weren't tested for this review. Once the images are correctly installed, you must decide how to license them (if they run Microsoft Windows) so that licenses are decremented correctly and pools are differentiated for persistent and non-persistent use, which carry different licensing constraints. Let Microsoft or Citrix explain it to you if you're unsure.
Citrix also allows VDI-in-a-Box to be configured to prevent resource exhaustion during event peaks, like morning startup time or everyone-in-a-remote-meeting time. We were unable to summon sufficient resources to truly test which of the compared products can withstand both disk and memory-use storms. Citrix's recommended server infrastructure for running VDI-in-a-Box is less detailed than VMware's, whose build recommendations are fairly precise. We feel some of this comes from the fact that Citrix's broker runs with and over several different hypervisor families, which is flexible, whereas VMware's Horizon View lives in a more controlled environment.
We cobbled together sample images. This is a comparatively simple process once the environment in which the image will live and be used has been thought through. VDI-in-a-Box delivered the images to our local and remote desktops without a hitch. The "draft" images let us choose either Microsoft's RDP protocol or Citrix HDX. HDX is our preference, but it is unavailable for Windows 2012 Server logons through the agent that must live inside the host for server-based VDI. Ultimately, on fast links, HDX felt as good as the PCoIP protocol that VMware uses; over slower links or those with unpredictable latency we preferred PCoIP, but we could not find an exact tipping point where PCoIP is demonstrably better.
We could also choose whether the hosted VMs could use disk drives on the network, local to the VM, or on the user's device, as well as printers, smart cards or other USB devices. We could also limit color depth, which can have a dramatic effect on performance over low-speed or high-latency connections.
On the end-user side, VDI delivered clear images of Windows 7 and our test application, Office 2010. We were able to obtain Citrix Receiver for iOS, Android, Mac/Linux/Windows, and even our BlackBerry PlayBook 2. Citrix Receiver seems to play everywhere. Connections we tested from our lab to our network operations center over broadband were easy to establish and had uniformly high quality. One device, the PlayBook 2, went slowly, but we suspect this is a function of the PlayBook 2's lack of horsepower, as other devices worked well.
Because Citrix VDI-in-a-Box works over several hypervisor platforms, and with either its own user database or Active Directory, security is largely outside the scope of the product: the hypervisor, the directory and the network must be "buttoned down" before installation, because the broker inherits whatever state they are in. As most organizations already (hopefully) follow best practices, the opportunities for misuse are somewhat limited. This contrasts with VMware's Horizon View model, which uses and rigorously enforces certificate-based security, and what we feel is a stronger security regimen for the Active Directory infrastructure.
VMware Horizon View 5.2
Horizon View is very extensible, fits in VMware's product model, and contains an Active Directory-specific connectivity and security model. There are many optional components to the base installation, and while the stripped-down version we tested was useful and flexible, the others are the secret sauce -- and should be included, we feel, even if this raises the base price of the Horizon View product. The secret sauce, View Composer, which is optional, allows very strong customization, but in our oranges-to-oranges base product comparison, we're leaving it out of the testing equation. Horizon View is expandable and served up beautiful VDI client experiences, and requires both strong VMware and Active Directory expertise to install.
With a few hindsight-driven cautions, Horizon View is vastly expandable, but its only supported VDI desktop is Windows, just like Citrix's VDI-in-a-Box.
The base Horizon View package allows a wide variety of clients to access hypervisor-hosted Windows virtual machines, and VMware also optionally permits "ThinApps" to be accessed, although this wasn't tested. The experience for users is flexible and initial connectivity is easy to understand. On the back end, users are authenticated as members of Active Directory, where present and needed. Horizon View is glued well to Microsoft's Active Directory and uses stringent security methods.
We needed an ESXi host and the vSphere 5.1 vCenter Server Appliance (older versions of vSphere are not supported). Horizon View Connection Server is a Windows 2008 R2 Standard virtual machine, and another Windows 2008 R2 Standard instance serves as the security server. Optionally, we could add the extra-cost template maker, Horizon View Composer, to the Connection Server, but putting them on the same server instance is not recommended for higher-traffic installations.
None of the Horizon View servers can be Active Directory Domain Controllers, and Active Directory Lightweight Directory Services (AD LDS) is installed on Connection Servers. The scorecard so far: base host plus two servers (or more), and base images/templates that will be used to spawn other images for pools of desktops.
Running the optional View Composer requires its own compatible Microsoft or Oracle database. One creates templates of Windows VDI hosts customized in various ways. But it's not part of the base kit, so we stop here.
While VMware allows self-signed Horizon View certificates to be used, we found this potentially fraught with difficulties, and it contributed to our sense of product brittleness. An expired or missing certificate can be difficult to replace and get the servers to accept again.
We strongly advise using Microsoft's Active Directory Certificate Services or, better still, a certificate chained to a trusted root to generate the SSL certificates Horizon View needs. We were able to make self-signed certificates work, but there is pain and suffering involved.
Once certificate issues were sorted, Horizon View had the best overall security of the VDI products we tested, although there are many, many server ports open so that the components can talk to each other. Clients connect to Horizon View and are bound via an SSL session and Active Directory security. Where VMware/Teradici's PCoIP protocol is supported in a client and there were no latency issues, the user experience on the client side was very, very good.
Like Oracle VDI, Horizon View can cache memory and storage among desktops and can be tuned to survive an access storm. We had insufficient resources to characterize the logon duty cycle that makes this useful when deployed, but we had a strong sense that much attention was given to optimizing storage.
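As an added check, not part of the review or of VMware's tooling, the PowerShell below inspects the certificates a Connection Server or security server would present and flags the conditions the review warns about: a self-signed certificate (issuer equals subject), a chain that does not build to a trusted root, a missing private key, and imminent expiry. It assumes the certificate is installed in the Local Computer Personal (My) store and that it carries the friendly name 'vdm'; both the store and the friendly-name filter are assumptions for illustration, so adjust them to your deployment. Revocation checking is disabled so the check runs offline.

```powershell
# Added example: audit the server certificate(s) a VDI broker would present.
# Assumptions (adjust to your environment): certificate is in Cert:\LocalMachine\My
# and tagged with the friendly name 'vdm'. Neither is taken from the article.
$friendlyName = 'vdm'
$warnDays     = 30

$certs = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.FriendlyName -eq $friendlyName }

if (-not $certs) {
    Write-Warning "No certificate with friendly name '$friendlyName' found in LocalMachine\My"
    return
}

foreach ($cert in $certs) {
    # A self-signed certificate has the same distinguished name as issuer and subject.
    $selfSigned = ($cert.Subject -eq $cert.Issuer)

    # Try to build a chain to a root the machine already trusts.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chainOk = $chain.Build($cert)
    $chainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','

    $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays

    [PSCustomObject]@{
        Thumbprint    = $cert.Thumbprint
        Subject       = $cert.Subject
        Issuer        = $cert.Issuer
        SelfSigned    = $selfSigned
        ChainBuilds   = $chainOk
        ChainStatus   = if ($chainStatus) { $chainStatus } else { 'OK' }
        HasPrivateKey = $cert.HasPrivateKey      # server cannot use it for TLS without this
        DaysToExpiry  = $daysLeft
        ExpiresSoon   = ($daysLeft -le $warnDays)
    }
}
```

Run it on each Connection Server and security server after issuing or renewing certificates; a row showing SelfSigned=True or ChainBuilds=False is the configuration the review found brittle, and ExpiresSoon=True is the "dead certificate" case worth catching before clients start failing to connect.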