
HOB VDI Business - Virtual Desktop Infrastructure

1. Overview

1.1. The Technology

With VDI technology, single-user operating systems such as Windows XP or Windows Vista no longer run on the user's desktop PC but in the computer center, where these operating systems and the applications running on them run as virtual machines.

1.2. Access via the RDP Protocol

Access from the client is usually made over the high-performance RDP protocol (Remote Desktop Protocol), which is included as standard in the Windows XP Pro and Windows Vista operating systems. In the corresponding Home Editions, however, the Microsoft RDP server is not enabled. With HOB VDI you can have either direct, unencrypted access or SSL-encrypted access using the comprehensive secure remote access solution HOB RD VPN.

1.3. SUOS Pool

With HOB VDI you have a pool of VDI Single-User Operating Systems, in short SUOS. When a user starts his RDP client, he is automatically assigned a free SUOS. If the connection is interrupted, the SUOS remains in the disconnected state for a configurable amount of time, and the user merely has to restart the RDP client to be automatically reconnected to the session.

1.4. Different Than Terminal Server Solutions

VDI, as compared with WTS (Windows Terminal Services), has the advantage that applications can be used that are not WTS-capable. Also, the individual VDI users are more isolated from each other, which is often a desirable security advantage. With VDI, however, considerably more hardware is required than with WTS.

1.5. The Solutions: HOB VDI-WSP and HOB VDI-VS1

HOB has two related VDI solutions, VDI-WSP and VDI-VS1. With VDI-WSP access coordination is performed in the HOB WebSecureProxy (WSP); the HOB WebSecureProxy is a component of the comprehensive security solution HOB RD VPN. HOB RD VPN is SSL-based. Access is done browser-based without any installation on the client and the user doesn't need any administrator rights. With VDI-VS1 (Virtual Solution One) the VDI single-user operating systems, in short SUOS, are installed on a VMware Server. Access can be made locally, without SSL, as well as SSL-encrypted over the comprehensive security solution HOB RD VPN.

2. The Architecture

2.1. The Load Balancing Technology

HOB has a patented technology for load balancing for WTS (Windows Terminal Services), which is also used for HOB VDI. The RDP client sends small UDP packets to find the server or VDI single-user operating systems, in short SUOS. These UDP packets can be sent as a broadcast, or one has a server list and UDP unicast packets are sent to all servers or SUOS (or relays, see below). If there is an available SUOS or a reconnect can be carried out, that SUOS responds with a corresponding UDP packet. If an RDP client receives several UDP packets in response to its load balancing request, the RDP client can select the best-suited server or SUOS.

2.2. RDP Components with HOB Load Balancing

Load balancing is integrated into the Java RDP client HOBLink JWT (Java Windows Terminal) and into the Unix/Linux RDP client HOBLink UWT (Unix Windows Terminal). HOB load balancing is also integrated into the server component HOB WebSecureProxy (WSP), which is part of the comprehensive security solution HOB RD VPN. The HOB WebSecureProxy encrypts data being sent to the client with SSL.

2.3. The VDI Agent

The program ibbslb02, the VDI Agent, is an inherent component of the HOB VDI solution. The VDI Agent is installed on each SUOS, e.g., Windows XP or Windows Vista, and runs as a service. The VDI Agent knows the current status of the SUOS. It receives UDP packets for load balancing or VDI administration and, when required, responds with corresponding UDP packets.

2.4. The HOB VDI Administration Tool

For the HOB VDI solutions there is a corresponding administration tool. This tool is an MMC (Microsoft Management Console) Snap-In in compliance with the standard MMC version 3. With this administration tool an administrator can query all VDI SUOS and the current state of the corresponding system. An administrator can also use the administration tool to actively intervene in a SUOS and force a disconnect or user logoff. The administration tool can also be used to shut down or restart one or more SUOS. The administration tool sends UDP packets to the VDI Agent. These packets carry an encrypted password. Each SUOS has a list of valid passwords together with information on whether a password allows only queries or also active intervention in the SUOS. In addition to the password encryption, the UDP packets also carry a timestamp, which prevents replay attacks.
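The checks a VDI Agent has to perform on such an administration packet, as an added illustration rather than HOB's own code: the page does not publish the wire format, so this example assumes a JSON body authenticated with an HMAC keyed by the password (the password itself never travels in the packet), a timestamp window, and a cache of already accepted packets so that a packet replayed inside the window is rejected as well.

```python
import hashlib
import hmac
import json

# Constructed model of the packet the administration tool sends to the VDI
# Agent (ibbslb02). Assumptions: HMAC-SHA256 keyed with the password, a JSON
# body, and a 30 second acceptance window for the timestamp.
WINDOW_SECONDS = 30
ACTIVE_COMMANDS = {"disconnect", "logoff", "shutdown", "restart"}

# Constructed per-SUOS password list: password -> may intervene actively?
PASSWORDS = {"query-only-pw": False, "admin-pw": True}


def build_packet(password: str, command: str, now: int) -> bytes:
    """Administration tool side: body plus authentication tag."""
    body = json.dumps({"cmd": command, "ts": now}, sort_keys=True).encode()
    tag = hmac.new(password.encode(), body, hashlib.sha256).hexdigest()
    return body + b"|" + tag.encode()


class VdiAgent:
    """Validates admin packets: authenticity, freshness, authorization."""

    def __init__(self) -> None:
        # Tags accepted inside the window; a real agent would prune entries
        # older than WINDOW_SECONDS.
        self.seen: set = set()

    def handle(self, packet: bytes, now: int) -> str:
        body, _, tag = packet.rpartition(b"|")
        # 1. Authenticity: which configured password produced this tag?
        password = next((p for p in PASSWORDS if hmac.compare_digest(
            hmac.new(p.encode(), body, hashlib.sha256).hexdigest().encode(),
            tag)), None)
        if password is None:
            return "rejected: bad authentication"
        msg = json.loads(body)
        # 2. Freshness: the timestamp must lie within the window ...
        if abs(now - msg["ts"]) > WINDOW_SECONDS:
            return "rejected: stale timestamp"
        # ... and an identical packet must not be accepted twice.
        if tag in self.seen:
            return "rejected: replay"
        self.seen.add(tag)
        # 3. Authorization: query-only passwords may not intervene.
        if msg["cmd"] in ACTIVE_COMMANDS and not PASSWORDS[password]:
            return "rejected: password allows queries only"
        return "accepted: " + msg["cmd"]
```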

2.5. Functions of the HOB RDP Clients HOBLink JWT and HOBLink UWT

If the user uses his desktop as a VDI over the HOB RDP clients HOBLink JWT or HOBLink UWT, he can do anything he could do at a local workstation. Thanks to the resource-saving RDP protocol, access is highly performant, especially when data is being sent over the Internet.

The user can copy and paste between the local client and the SUOS over the RDP protocol and the clipboard. The user can print at the local client; this is simplified via HOB EasyPrint, which operates independently of printer drivers. Audio from the SUOS can be output at the local client. Via the integrated Local Drive Mapping, data can be exchanged between the local client and the SUOS.

3. HOB VDI-WSP

3.1. Access Over HOBLink JWT

The solution HOB VDI-WSP is a component of the comprehensive security solution HOB RD VPN. The Java RDP client HOBLink JWT (Java Windows Terminal) is used as the client component. Neither a local installation on the client nor administrator rights are required; everything is browser-based. HOBLink JWT, being a Java program, is platform-independent; thus, one can use HOB VDI-WSP to access the SUOS from Windows, Linux or Apple Mac. This access is secure, as all data are SSL-encrypted. Access can be made over the Internet, for example from home, a hotel, a business partner's location or on the road from a laptop. Access can also be made from an Internet café, if desired (this can be disabled).

3.2. Authentication

When someone wants to use HOB VDI-WSP to access a SUOS, he first starts a browser, enters the appropriate URL and then authenticates himself. User authentication can be carried out in three different ways, depending on the corresponding installation:

  • User ID and password

  • Token with a one-time-password, such as RSA SecurID, Secure Computing Premier Access or VASCO DigiPass

  • Certificate for client authentication over SSL

Authentication is carried out over the browser, which is connected to the WSP over an SSL / HTTPS connection; thus the authentication is already encrypted and secure. Depending on the complexity of the corresponding HOB RD VPN installation, the user then arrives either directly at the VDI-WSP or first selects the desired activity.

3.3. Inspection of the Client PC

As of HOB RD VPN 1.3 the client can also be inspected as to certain criteria before access to enterprise-internal data is granted. When desired, this can be determined during installation in the enterprise network.

3.4. The HOB WebSecureProxy

The core component of HOB RD VPN is the server component HOB WebSecureProxy (WSP). The current version of the WebSecureProxy is 2.2 and is available for Windows, Linux and Unix in altogether 11 different platform-specific versions.

The WSP can also run in HOB SCS, the Open-Source, Unix-based server operating system from HOB. HOB SCS stands for HOB Secure Communications Server.

The WSP works with SSL encryption. HOB SSL supports all conventional encryption algorithms, including AES (Advanced Encryption Standard) with key lengths of up to 256 bits. The HOB WSP has an integrated Web server, from which the components of the Java RDP client HOBLink JWT are preferably downloaded. It is also possible to do a Java installation of the Web server built into the WSP.

For server authentication over SSL the WSP needs an X.509 certificate, as is also used, e.g., in Web servers with SSL / HTTPS. The HOB WSP has an integrated RADIUS interface, enabling authentication against all conventional RADIUS servers. The HOB WSP has special built-in functions for VDI-WSP, e.g., the communication with the VDI Agents.

3.5. Twin Trimming

When one uses HOB VDI-WSP and wants to avoid a single point of failure, several WSPs should be installed. Load balancing across these WSPs can be activated via several Internet addresses in a DNS server or by using round-robin. This raises the problem that, under certain circumstances, two WSPs assign the same SUOS to different clients. To avoid this, the so-called twin trimming functionality is built into the WSP: several version 2.2 WSPs communicate with each other over UDP, and thus this problem does not arise.

3.6. Configuration Data and HOB Enterprise Access

VDI-WSP needs configuration data. The security-critical configuration data for the WSP are stored in an XML file, so they need not leave the DMZ. To configure these XML files, HOB supplies a convenient and platform-independent Java GUI program.

Additional, optional configuration data can be stored in HOB Enterprise Access. HOB Enterprise Access is the central component for comprehensive configuration data. HOB Enterprise Access uses either an integrated database, or the data are saved to an LDAP server. HOB Enterprise Access supports all conventional LDAP servers as well as Microsoft Active Directory. When HOB Enterprise Access is configured to store data in an LDAP server, the required structures are created via a schema extension.

3.7. Server for the SUOS of the VDI-WSP

The SUOS, either Windows XP or Windows Vista, needs hardware on which it is installed and runs. With the solution HOB VDI-WSP the SUOS can run virtualized on correspondingly large servers. With HOB VDI-WSP, any virtualization software can be used, as long as it supports Windows XP or Windows Vista as guests. Among these are products from VMware, Microsoft or Xen, to name the most important ones.

3.8. Other Information on HOB VDI-WSP

HOB VDI-WSP is part of the comprehensive security solution HOB RD VPN. HOB RD VPN has been certified in accordance with the Common Criteria by the German Federal Office for Information Security (BSI Bundesamt für Sicherheit in der Informationstechnik).

In larger installations, all HOB RD VPN components can be installed redundantly in the enterprise network. Thus there is no single point of failure, and uninterrupted operation is possible.

The HOB VDI-WSP solution previously was named HOB Desktop-on-Blade.

4. HOB VDI-VS1

4.1. Overview of HOB VDI-VS1

VS1 stands for Virtual Solution One. With HOB VDI-VS1 the VDI Single-User Operating Systems, in short SUOS, are installed on a VMware Server. The VMware Server runs under Linux, so all components can be obtained free of charge.

As SUOS, either Windows XP or Windows Vista run as so-called guests. In each guest the HOB VDI Agent runs. In the Linux host operating system the load balancing relay nbbrlb01 runs. Access is made over the HOB RDP clients HOBLink JWT or HOBLink UWT. HOB VDI-VS1 can also be deployed together with the comprehensive security solution HOB RD VPN.

4.2. VMware Server

The product VMware Server is available from the company VMware free of charge. Alongside VMware Server, VMware offers support and add-on products which must be paid for. With the HOB VDI-VS1 solution, no add-ons from VMware are required.

4.3. The HOB Load Balancing Relay nbbrlb01

The HOB load balancing relay nbbrlb01 runs directly in the Linux host operating system. nbbrlb01 always has a connection to the ibbslb02 VDI Agents, which run in the SUOS. The connection is established over a feature of the VMware Server: the COM port of a SUOS becomes a FIFO (Unix pipe) in Linux. nbbrlb01 thus knows the states of all SUOS.

The load balancing packets from the RDP clients or the WSP always go to nbbrlb01, not to the VDI Agents. As all SUOS of a host run on the same hardware, the performance inside an individual SUOS is not what matters, but rather the load on the host server. nbbrlb01 therefore always determines the host load and sends this information in the load balancing reply packets to the RDP client or WSP. If there are several host servers, each with several SUOS, the RDP client or WSP can detect which host server has the least load and then connect the client to a SUOS on the least loaded host server. This is optimal load balancing with HOB VDI-VS1. If a client has temporarily lost its TCP connection, a reconnect can be made; this is supported by nbbrlb01. The RDP connection between the RDP client and Windows XP or Windows Vista does not go through nbbrlb01; thus resources are saved and the connection runs at optimum speed.

4.4. Load Balancing Parameters

The most important parameter for load balancing is the CPU load. CPU performance is still the greatest bottleneck in current computer systems. The number of active SUOS is also important in the calculation of the load. Additionally, other parameters such as memory load, network load, etc. can be included in the load calculation. The load is calculated in accordance with a formula that the administrator can stipulate.
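The load balancing exchange described in sections 2.1, 4.3 and 4.4, as an added example that is not HOB's own code: each relay replies only when it can offer a free SUOS or a reconnect to the user's disconnected session, carries its host load in the reply, and the client picks the best reply. The weighting formula is administrator-defined, so the weights here are assumptions, not HOB defaults.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class HostStatus:
    """What a relay (nbbrlb01) knows about its host; constructed fields."""
    host: str
    cpu_pct: float                     # host CPU utilisation, 0..100
    active_suos: int                   # SUOS currently in use
    free_suos: int                     # SUOS available for a new session
    mem_pct: float = 0.0
    net_pct: float = 0.0
    disconnected: frozenset = frozenset()   # users with a disconnected session


# Assumed administrator formula: weighted sum of the load parameters.
WEIGHTS = {"cpu": 1.0, "suos": 2.0, "mem": 0.5, "net": 0.25}


def host_load(s: HostStatus, weights: Dict[str, float] = WEIGHTS) -> float:
    return (weights["cpu"] * s.cpu_pct + weights["suos"] * s.active_suos
            + weights["mem"] * s.mem_pct + weights["net"] * s.net_pct)


def reply_packet(s: HostStatus, user: str) -> Optional[dict]:
    """Relay side: reply to a UDP load balancing request, or stay silent."""
    if user in s.disconnected:             # a reconnect can be carried out
        return {"host": s.host, "reconnect": True, "load": host_load(s)}
    if s.free_suos > 0:                    # a free SUOS is available
        return {"host": s.host, "reconnect": False, "load": host_load(s)}
    return None                            # nothing to offer: no reply


def choose_host(replies: List[dict]) -> Optional[str]:
    """Client/WSP side: prefer a reconnect, otherwise the least loaded host."""
    if not replies:
        return None
    return min(replies, key=lambda r: (not r["reconnect"], r["load"]))["host"]


def run(statuses: List[HostStatus], user: str) -> Optional[str]:
    """Simulate one request broadcast to all relays and the resulting choice."""
    replies = [r for r in (reply_packet(s, user) for s in statuses) if r]
    return choose_host(replies)
```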

4.5. Configuration of the Windows XP and Windows Vista SUOS

In Windows XP or Windows Vista, the RDP server has to be enabled. When configuring the RDP parameters it is recommended to activate keep-alive packets and to specify a maximum time after which a disconnected user is logged off automatically.

4.6. Operation in HOB RD VPN

Mixed operation is possible, in which some clients have direct access and others go over HOB RD VPN. When configuring the HOB WebSecureProxy the corresponding load balancing relays are treated as terminal servers, i.e., they are configured in the same way as WTS.

4.7. Other

The functions of the HOB RDP clients, HOB RD VPN and the WebSecureProxy are described above. This information is also valid for HOB VDI-VS1.

Author: KB
16.08.08
17.08.08


Further Information

For sales information, please contact one of our International Offices.
For technical information, please contact our Support Department.

webmaster@hobsoft.com, Last Updated: 11-Nov-09
