VMware® Branch Office Desktop™

VALIDATED DESIGN GUIDE

VMware Branch Office Desktop

VALIDATED DESIGN GUIDE / 2

Table of Contents

About the Validated Design Guide (page 3)

Introduction (page 4)

Audience (page 4)

Business Case (page 4)

What is a Branch Office Desktop? (page 5)

Design Overview (page 5)

User Profiles (page 6)

Design Components (page 8)

Key Components of the Architecture (page 9)

Validation Configuration (page 10)

Lab Equipment List (page 11)

Solution Components (page 12)

Resource Pool Configuration (page 13)

WAN Services (page 14)

LAN Services (page 14)

Network Configuration (page 15)

vCNS Edge, App, and Data Protection Deployment (page 16)

vShield App Firewall Rules (page 17)

vCNS Data Protection Compliance Configuration (page 18)

Secure Connectivity Between Branch Site and Headquarters Site (page 19)

Antivirus Configuration (page 21)

VMware Mirage Configuration (page 21)

Storage Configuration (page 26)

CIFS Configuration – ThinApp, Persona, and Corporate Data (page 26)

Backup and Disaster Recovery (page 26)

Security Single Sign-On (Optional Component) (page 26)

Monitoring (page 27)

Summary (page 28)


About the Validated Design Guide

A VMware Validated Design Guide provides an overview of a solution architecture and implementation. The validated designs and solutions have been created through architectural design development and lab testing.

The guide is intended to provide guidance for the introduction of proof of concepts, emerging new technology and architectures, as well as the enhancement of customer use cases.

Validated Design Guides:

• Incorporate generally available products into the design

• Employ repeatable processes for the deployment, operation, and management of components within the solution

Validated designs are tested for a specific use case or architectural practice of a limited scale and duration. These guides ensure the viability of theoretical designs or concepts in real-world practices.

Validated Design Guides provide an overview of the solution design and implementation that include the following elements:

• Use cases catered to by the design

• Products validated as part of design testing

• Software used for each component of the design

• Configurations used to support the design test cases

• A list of design limitations and issues discovered during testing

Introduction

This Validated Design Guide provides an overview of the VMware® Branch Office Desktop™ solution. The architecture uses products from VMware and its ecosystem of partners to build a comprehensive solution that satisfies the specific requirements of various use cases in enterprises such as security, compliance, and printing.

This document provides an overview of the various use cases, logical solution architecture, and results of the tested configuration. The solution is not exclusive to the products tested within the architecture. Consult your VMware representative on how to modify the architecture with your preferred vendors.

The key benefits of the Branch Office Desktop are local performance, streamlined remote image management, and enhanced data security and compliance.

Audience

This document is intended to assist solution architects, sales engineers, field consultants, advanced services specialists, and customers who configure and deploy a Branch Office Desktop solution.


Business Case

Today there are over 11 million branch offices worldwide with 80% of employees accessing their desktops remotely. And when it comes to managing IT in branch offices, it's not uncommon for organizations to look at centralization. Why? Because it simply isn't efficient to maintain local IT staff and resources in each location, especially when the work tasks being supported in each location are near-identical. Not only is the inefficiency of replicated and distributed IT management an unnecessary resource drain, it can expose the organization to greater risks of lost productivity and revenues by creating many more points of vulnerability.

Against this backdrop, desktop virtualization is a compelling technology option, because it provides a quick and straightforward mechanism for centralizing existing distributed end-user capabilities. The recognized security, high availability and cost streamlining characteristics of desktop virtualization seem ideally suited to the branch-office requirement; unfortunately one major hurdle has consistently stood in the way: the WAN. Not only is bandwidth expensive and in some cases a constraint on application performance, but the single point of failure it presents is a genuine risk for organizations that need constant uptime.

Where desktop virtualization has been deployed for branch office workers, it's not uncommon to see critical application servers still located in the branch, while the virtual desktops sit in a corporate datacenter. This compounds the impact of network latency on application performance and can make life more difficult for branch employees trying to get their work done.

Of course, not all branches were created equal and not all users have the same application requirements, in terms of function and performance. Many branches have an abundance of bandwidth, but others clearly do not. In other words, any solution to the branch-office worker requirement needs to be able to address a variety of requirements.

To holistically address these different needs, VMware has recently tested and validated a new Branch Office Desktop solution that delivers the efficiencies and cost savings of centralization, but doesn't assume that every desktop image must be centralized. It combines hosted virtual desktops with image management for physical and virtual endpoints located in the branch. By supporting a spectrum of requirements through an adaptable solution that combines both approaches, we ensure our Branch Office Desktop can be right-sized to the specific needs of individual branch locations and workers.

For organizations with ample bandwidth, the solution leverages hosted virtual desktops with VMware View and View Composer to help enhance security, ensure high availability and streamline management. For those branches where bandwidth is constrained, but security and mobility remain critical, the solution incorporates the use of storage and compute appliances to ensure LAN-like performance can be maintained.


What is a Branch Office Desktop?

Regional and branch offices need access to corporate assets but often lack local administrative resources to maintain and manage these assets in a timely manner. The Branch Office Desktop solution delivers consistent and scalable desktops as a managed service for remote and branch office workers across the WAN to maximize uptime, streamline desktop management, and drive down operational costs.

By implementing the Branch Office Desktop solution, you can benefit from:

• Enhanced local user experience

• Ease of management

• Security

Design Overview

The design we have validated in the solution's lab identifies the hybrid approach combining the best of both worlds in VMware View and VMware Mirage™ technologies. The VMware Branch Office Desktop is seamlessly assembled to offer user flexibility, enforce branch office policy, enable single image management, and deliver optimum experience. By integrating the VMware vCenter™ Operations Management Suite (vCOps) and View Adapter collection at the branch, the solution offers the business better visibility and more flexibility for managing branches.

The core design includes the following elements:

• Application performance management and end-user monitoring tools to ensure the best possible user experience

• vCOps for View (V4V) provides a single pane of management for our virtual desktop infrastructure

• VMware View and VMware Mirage to support both physical and virtual image management, and persistent and stateless desktops

• Antivirus protection with vSphere Endpoint for virtual desktops, traditional AV in the guest OS for physical desktops, and recovery from virus infections for physical desktops to the last known good image with VMware Mirage

• Full VMDK-level backup practices on virtual profiles/persona server, SQL database, and all infrastructure virtual machines to ensure fast recovery when needed

The design can leverage VMware Rapid Desktop Appliances.


User Profiles

In a typical organization multiple user profiles exist, each with unique requirements. This solution architecture caters to the following user profiles within the Branch Office Desktop use case. These can be fulfilled using a mixed type of deployment including Mirage-managed persistent virtual desktops, Mirage-managed physical desktops, and stateless virtual desktops.

User Profile / Characteristics

Office-Based Information Worker

Workers with a broader skill set that require assimilation and manipulation of information or input from multiple sources. Examples include higher-level, back-office functions, such as finance, IT, and mid-level management. Users will require a relatively broad application portfolio and need some level of control over how they access applications and data, but not full administrative control. They are unlikely to be mobile, but might work from more than one fixed location. They will require multi-channel communication and collaboration capabilities for working with peers.

Content/Media Worker / Software Developer

Workers with a high level of expertise in an area of creativity or science that require detailed manipulation of content. These are the traditional power users. Examples include engineers, graphic designers, and some developers. They typically require a narrow, but specialized portfolio of applications. They are unlikely to be mobile and normally work from a single, fixed location. They also need some level of control over how they access applications and data, but not full administrative control, and may be ring-fenced from other corporate functions. They require high levels of computation capability and graphical display and may also require specialist peripheral devices.

Home Office Worker

Workers with a broader skill set that require assimilation and manipulation of information or input from multiple sources. These workers traditionally work from home and may also need to roam within a defined area or set of areas such as a campus or office. Examples include remote workers, teachers, doctors, and higher-level managers.

Traveling Worker

Workers who spend at least 50 percent of their time in a non-office/non-campus location. They typically perform a single function which is often customer facing. Examples include sales and service representatives. They typically require access to only a narrow portfolio of applications and only create information content in a highly structured manner. They do not require control over how they access applications or data, but need access from almost any location within geographic boundaries. They tend to use laptops.

VIP

Business executives that typically require access to only a small number of applications, but expect control over how they access these applications and corporate data. They need to be mobile and tend to use tablets and laptops.


The business profiles featured above can be translated into two distinct user workload profiles as listed below:

User Profile / Characteristics

Task Worker

Application Profile – Microsoft Office, Adobe, Internet Explorer (IE), Firefox, Chrome, Outlook, corporate apps, antivirus

Network Profile – LAN (remote office LAN)

Security Profile – Audit capability, antivirus and data loss protection

Knowledge Worker

Application Profile – Microsoft Office, Adobe, IE, Firefox, Chrome, Outlook, SaaS apps, Windows apps, multimedia players (Flash, etc.), antivirus, WebEx

Network Profile – LAN (remote office LAN)

Security Profile – Audit capability and GPO settings for UX policy, antivirus and data loss protection

Other – Multi-monitor; print to nearest printer


Design Components

The design uses a single-tier branch profile consisting of a fully integrated, one-box solution; all necessary branch office network functions such as LAN or WAN exist in a single tier or device.

A single-tier branch design allows customers to take advantage of VMware Rapid Desktop Program–certified appliances. The VMware Rapid Desktop View Appliance is a fully certified, converged, and scalable solution. Each certified and validated appliance delivers predictable units of performance and user experience.

Figure 1: VMware Branch Office Desktop Architecture (diagram: the main datacenter ESX hosts run vCenter, VMware Mirage single image with update and app layering, vShield Manager, vCOps, backup, app servers, RADIUS, print server, endpoint security (i.e. AV), load balancer, SQL DB, global catalog, mail server, and domain controller; the branch ESX host runs the View Appliance with VMware Distributed Branch Office, VSS, AD, VCS, vCenter, VMware Mirage branch reflector(s), physical desktops with the VMware Mirage agent, and VDI desktops with the VMware Mirage agent; the two sites are joined over the WAN)


Key Components of the Architecture

Though the architecture is vendor agnostic, below is a list of components that are part of the architecture.

Core Components

Component / Description

VMware vSphere and vCenter

The solution is built on top of vSphere, the industry-leading virtualization platform. There are many benefits to using the vSphere platform and more information on this platform can be found at www.vmware.com/products/vsphere.

VMware View

The central component of the solution architecture, VMware View is the industry-leading virtual desktop infrastructure (VDI) product. More information on VMware View can be found at www.vmware.com/products/view.

VMware Mirage

VMware Mirage can distribute a single image to a group of PCs anywhere on the network, quickly and easily. These images are seamlessly merged into a Windows endpoint. With just a few clicks in the Mirage Management Console, IT can initiate a 'Base Layer enforce' operation that brings any desktop back into full compliance without impacting user profiles or user data. User-installed applications can be maintained or removed, if the IT administrator wishes, during this operation as well.

VMware vCloud Networking and Security (vCNS) App, Edge, Data Security (formerly vShield App, Edge, Data Security)

VMware vCloud Networking and Security is the leading software-defined networking and security solution that enhances operational efficiency, unlocks agility, and enables extensibility to rapidly respond to business needs. It provides a broad range of services in a single solution, including virtual firewall, VPN, load balancing, and VXLAN extended networks.

VMware vCOps

One of the biggest challenges faced by IT is on-demand management of the entire environment and the need to proactively identify and plan the infrastructure. VMware vCOps for View provides the management infrastructure required for the environment. More information on VMware vCOps can be found at http://www.vmware.com/products/desktop_virtualization/vcenter-operations-manager-view/overview.html.

Persona Management and user-installed apps

Many use cases defined in the solution have a requirement to persist user information across sessions. The biggest cost savings, however, both in terms of CAPEX and OPEX, can be achieved by using "stateless" desktops. To effectively achieve this, VMware View has a feature called "Persona Management" to maintain user data and profile persistence across stateless sessions. In addition to profile persistence, some use cases require support for user-installed apps. This can be achieved by using some of our partner products.

Backup and restore

Backup and restore capabilities are added as a core component in this design to protect data at each branch site. This design incorporates two types of backup: image-level protection and guest-level protection. Image-level protection enables backup clients to make a copy of all the virtual disks and configuration files associated with the particular virtual desktop in the event of hardware failure, corruption, or accidental deletion of a virtual desktop.


Validation Configuration

In some user scenarios, VMware Mirage can be deployed at the branch on its own for a simple, single-image-management deployment. In our solution lab validation, we deployed the hybrid approach: VMware View centralized management and VMware Mirage image management. In the branch location, one or more clients can be designated dynamically as a reflector to serve peers.

In the main datacenter, a simple deployment of a VMware Mirage Server cluster with file portal is deployed. At the Mirage Server level, we enable the branch reflectors for each site. To deploy Mirage-managed clients, both physical and virtual, a 2MB Mirage Client is then installed. This use case allows easy failover from physical to virtual with the exact same desktop experience.

For storage implementation, SAN, NAS, or local storage is supported. In our lab validation, we assume 15GB per user and enable compression on the selected Mirage storage volume (for savings up to 25 percent).

On the network side, Mirage consumes an average of 15 Kbits/sec per user, which equals roughly 50MB per user per day. Workloads will vary by use case and bandwidth will be dynamically adjusted depending on user activities to ensure the best user experience.

VMware View provides central management and real-time secure access. You can create persistent desktops or stateless desktops for various workloads in any branch functions. All View event databases, security events, user business application transaction QoS data, and backup events can be fully integrated into vCOps with the View Adapter (V4V).

In this design, the Branch Office Desktop includes some VMware ISV partner solutions including load balancing, backup, replication, WAN acceleration, and security and data loss protection (DLP) products. The exhaustive list of vendors is designed to remain neutral for functional validation purposes only.


Lab Equipment List

Headquarters Site

Product / Function / Description / Version

Servers: 2U server with 2 Intel Xeon E5-2620 2.0GHz processors, 128GB RAM

Storage: Nimble Storage CS220 8TB Array; iSCSI storage array, Raw Disk Capacity: 8TB, Raw Flash Cache 160GB, 24GB RAM, 4 – 1GbE network ports

Networking: Unmanaged layer 3 – 10/100/1,000 48-port switch

Branch Site

Product / Function / Description / Version

Servers: 4U server with 2 Intel Xeon E7-8837, 128GB RAM

Storage: Nimble Storage CS220 8TB Array; iSCSI storage array, Raw Disk Capacity: 8TB, Raw Flash Cache 160GB, 24GB RAM, 4 – 1GbE network ports

Networking: Unmanaged layer 3 – 10/100/1,000 48-port switch


Solution Components

Headquarters Site

Product / Function / Description / Version

vSphere 5.0.1

vSphere with vCenter 5.0

VMware Mirage 3.6

vCloud Networking and Security Suite 5.1

Branch Site

Product / Function / Description / Version

vSphere 5.0.1

vSphere with vCenter 5.0

VMware View with Persona Management 5.1

VMware View Composer 3.0

VMware Mirage 3.6

vCloud Networking and Security Suite 5.1

vCOps 5.0.3

vCOps for View 1.0

VMware Zimbra 8.0

Antivirus: Trend Micro Deep Security 8.0

Backup and restore: CommVault Simpana 9

Application transaction monitoring / user perspectives: Aternity 5.6

Optional Components

Product / Function / Description / Version

Load balancer: F5 BigIP

Single sign-on: Indigo Identityware – InSession


Resource Pool Configuration

A resource pool allows us to allocate a section of CPU and memory resources dedicated for a particular type of workload. This allows granularity in ensuring each workload can be properly managed.

To handle the multiple desktop workloads, in each branch we created resource pools for each of the following components:

• VMware View–managed stateless desktop pool

• VMware Mirage–managed persistent desktop pool

• Infrastructure, monitoring, and View vApps

Figure 2: Resource Pool Configuration


WAN Services

In a branch office deployment there is often some scope for optimization services of the wide area network.

Consideration should be given to application services such as network de-duplication, compression, latency optimization, and caching techniques when deploying in production.

These services can deliver multiple benefits and should be strongly considered.

VMware has several technology partners that can be leveraged to provide WAN application services, and more information on these solutions can be found at http://www.vmware.com/solutions/desktop/remote-branch/partners.html

LAN Services

Due diligence, for both corporate headquarters and branch networks, must be performed as part of the Branch Office Desktop design to realize the best possible performance for the overall solution.

A good design will consider quality- and class-of-service policies that optimize delivery of real-time protocols such as PCoIP, along with general best practices for bandwidth optimization, congestion algorithms, and latency/jitter tuning.

Further information can be found in the VMware View 5 with PCoIP Network Optimization guide.


Network Configuration

The network design for this solution has been implemented using industry-standard best practices and VMware best practices.

For all broadcast domains, VLANs have been implemented to segregate vSphere management and virtual machine traffic where appropriate, and all ESX host port uplinks are configured as 802.1q trunks.

In the virtual infrastructure, vSphere Distributed Switch technology has been leveraged in headquarters and branch hosts and then secured using VMware vCloud Networking and Security.

Where possible, jumbo frames were implemented in the virtual switches along with VMXNET3 network adapters in Windows guests for both infrastructure and desktop virtual machines.

Further information can be found in the VMware Performance Best Practices guide.

Configuration of virtual distributed switches (vDS) for the branch site is illustrated in the diagram below.

Figure 3: vDS Configuration for the Branch Site (diagram: the ESXi host's vDS has four uplink ports and carries the Management 1, Management 2, Mirage Managed Persistent VM Pool, Stateless VM Pool, Fault Tolerance Logging, and vMotion VLANs)


vCNS Edge, App, and Data Protection Deployment

The figure below illustrates how the vCNS App security zones were set up for communication between the management components and the desktop pools.

Figure 4: vCNS App Provides Access Policy among Different Functional Groups (diagram: at the branch, VMware vShield App sits between three groups of virtual machines, the Mirage Managed Persistent Pool, the Management Infrastructure, and the Stateless Desktop Pool)


vShield App Firewall Rules

For each of the desktop pools, we have blocked all traffic between the two pools. We have also defined the allowable traffic between the desktop pools and the management infrastructure with vApps. By only allowing the required traffic for defined applications in the desktop pools, we are able to protect the infrastructure virtual machines from any unauthorized communication.

Figure 5: Dashboard of vCNS App Firewall Rules
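The zone policy described above (pools isolated from each other, pools reaching only named management services, everything else dropped) can be modelled and audited before it is keyed into the vShield App dashboard. The following is an added example, not VMware code or this guide's own configuration: the zone names, the first-match evaluation with a default deny, and the example service ports (DNS, Kerberos, LDAP, SMB) are assumptions chosen to illustrate the rule ordering and the audit check; a real deployment lists exactly the services its applications use.

```python
from dataclasses import dataclass
from typing import List, Optional

# Security zones from Figure 4; the short names are assumed for this example.
POOLS = {"persistent_pool", "stateless_pool"}   # the two desktop pools
MGMT = "mgmt"                                    # management infrastructure vApps


@dataclass(frozen=True)
class Rule:
    src: str                 # zone name or "any"
    dst: str                 # zone name or "any"
    proto: str               # "tcp", "udp" or "any"
    dport: Optional[int]     # None matches every destination port
    action: str              # "allow" or "block"
    note: str = ""


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def _zone_matches(pattern: str, zone: str) -> bool:
    return pattern == "any" or pattern == zone


def rule_matches(rule: Rule, flow: Flow) -> bool:
    return (
        _zone_matches(rule.src, flow.src)
        and _zone_matches(rule.dst, flow.dst)
        and rule.proto in ("any", flow.proto)
        and rule.dport in (None, flow.dport)
    )


def evaluate(rules: List[Rule], flow: Flow) -> str:
    """First matching rule wins; a flow that matches nothing is blocked (default deny)."""
    for rule in rules:
        if rule_matches(rule, flow):
            return rule.action
    return "block"


# Constructed rule set mirroring the text: the isolation blocks come first so
# that no later allow can reach across pools, then the per-service allows into
# the management zone, then an explicit catch-all block into management.
RULES = [
    Rule("persistent_pool", "stateless_pool", "any", None, "block", "isolate pools"),
    Rule("stateless_pool", "persistent_pool", "any", None, "block", "isolate pools"),
]
for pool in sorted(POOLS):
    RULES += [
        Rule(pool, MGMT, "udp", 53, "allow", "DNS"),
        Rule(pool, MGMT, "tcp", 88, "allow", "Kerberos"),
        Rule(pool, MGMT, "tcp", 389, "allow", "LDAP"),
        Rule(pool, MGMT, "tcp", 445, "allow", "CIFS: ThinApp and persona shares"),
    ]
RULES.append(Rule("any", MGMT, "any", None, "block", "default deny into mgmt"))


def audit_pool_isolation(rules: List[Rule]) -> List[str]:
    """Flag every allow rule that could carry traffic from one pool to the other.
    Broad "any" matches count too: placed above the isolation blocks they would
    win on first match, which is the usual way a GUI edit breaks the policy."""
    findings = []
    for i, rule in enumerate(rules):
        if rule.action != "allow":
            continue
        for a in POOLS:
            for b in POOLS - {a}:
                if _zone_matches(rule.src, a) and _zone_matches(rule.dst, b):
                    findings.append(f"rule {i} ({rule.note or 'unnamed'}) allows {a} -> {b}")
    return findings


if __name__ == "__main__":
    for flow in (Flow("stateless_pool", MGMT, "tcp", 389),
                 Flow("stateless_pool", "persistent_pool", "tcp", 445),
                 Flow("stateless_pool", MGMT, "tcp", 3389)):
        print(flow, "->", evaluate(RULES, flow))
    print("audit findings:", audit_pool_isolation(RULES))
```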


vCNS Data Protection Compliance Configuration

Deploying vCNS with Data Security enables IT to scan for sensitive data across the entire virtual infrastructure and desktops. It includes predefined templates for country- and industry-specific regulations to quickly identify and report sensitive data violations.

It is deployed at the branch as its own virtual machine as part of the vCNS suite. Since the data discovery functions are offloaded to this virtual machine, compliance can be maintained without sacrificing performance at the branch.

Figure 6: Dashboard Illustrating Enabled Compliance Profiles at the Branch Site
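To show what a regulation template does when it runs over desktop content, here is an added example that is not the vCNS Data Security implementation: two constructed templates (a payment card pattern with a Luhn validity check, and a US Social Security number pattern) scan a constructed text and report masked findings. The validity step is the part that matters operationally, because a pattern match alone would report the look-alike ticket number as a violation.

```python
import re
from typing import Dict, List, NamedTuple


class Finding(NamedTuple):
    template: str
    masked: str      # value with all but the last four digits hidden
    offset: int      # position in the scanned text


def luhn_ok(digits: str) -> bool:
    """Mod-10 check used by payment card numbers; rejects most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


# Constructed templates standing in for the product's predefined ones:
# a regex finds candidates, a validator drops look-alikes before reporting.
TEMPLATES: Dict[str, tuple] = {
    "PCI DSS payment card": (
        re.compile(r"\b\d{4}[ -]?\d{4}[ -]?\d{4}[ -]?\d{4}\b"),
        lambda s: luhn_ok(re.sub(r"[ -]", "", s)),
    ),
    "US Social Security number": (
        re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
        lambda s: True,         # structural rules are already in the pattern
    ),
}


def mask(value: str) -> str:
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - 4) + digits[-4:]


def scan(text: str, templates=TEMPLATES) -> List[Finding]:
    findings = []
    for name, (pattern, validate) in templates.items():
        for m in pattern.finditer(text):
            if validate(m.group(0)):
                findings.append(Finding(name, mask(m.group(0)), m.start()))
    return sorted(findings, key=lambda f: f.offset)


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Violation counts per template, the shape a compliance dashboard reports."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.template] = counts.get(f.template, 0) + 1
    return counts


# Constructed sample file content: the first card number passes Luhn, the
# second (a keyboard-walk sequence) does not and must not be reported.
SAMPLE_TEXT = """Order 4471 paid with card 4111 1111 1111 1111 on 2012-10-03.
Reference: 1234 5678 9012 3456 (internal ticket number, not a card).
Employee record SSN 123-45-6789; placeholder 000-12-3456 is invalid.
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_TEXT):
        print(f"{f.template}: {f.masked} at offset {f.offset}")
    print(summarize(scan(SAMPLE_TEXT)))
```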


Secure Connectivity Between Branch Site and Headquarters Site

In the Branch Office Desktop solution, we use vCNS Edge (formerly vShield Edge) secure IPsec site-to-site VPNs to connect the headquarters and branch network sites. In a typical production deployment, the networks at the headquarters and branch sites are usually not contiguous and a VPN allows both sites to communicate as though they were locally attached.

This gives us two main benefits: simplified networking design and secure communications over the WAN.

More information can be found in the VMware technical brief Securing Hybrid Clouds with VMware vShield Edge VPNs.

Figure 7: Site-to-Site VPN Configuration

Figure 8: Site-to-Site VPN Configuration – Network Menu


Figure 9: Site-to-Site VPN Configuration – Add IPSec-VPN Tunnel

Figure 10: Site-to-Site VPN Configuration – Configure Services Settings


Antivirus Configuration

VMware vShield Endpoint (now included with vSphere) provides industry-standard APIs to optimize antivirus and anti-malware security for virtual environments via integration with VMware partners. VMware vShield Endpoint allows security technology partners to offer more efficient antivirus and anti-malware protection for virtual hosts, including VMware View desktops. You can offload antivirus and anti-malware functions from individual virtual machines to a centralized secure virtual appliance.

For physical desktops, we deployed a traditional antivirus server and antivirus clients to each of the desktop OS images. For the virtual desktops, VMware vShield Endpoint offloads virtual desktop antivirus and anti-malware scanning operations to a dedicated secure virtual appliance delivered by VMware partners. Offloading scanning operations improves desktop consolidation ratios and performance by eliminating antivirus storms, while streamlining antivirus and anti-malware deployment and monitoring and satisfying compliance and audit requirements through detailed logging of antivirus and anti-malware activities.

VMware Mirage Configuration

VMware Mirage Server was deployed at the headquarters site. A branch reflector was then installed and configured at the branch site. A resource pool was created to contain all of the Mirage-managed persistent desktops at the branch.

Figure 11: VMware Mirage Dashboard Listing All Mirage-Enabled Clients


Figure 12: VMware Mirage Dashboard Showing the Branch Reflector Status

A Centralized Virtual Desktop (CVD) represents the desktop image and can be efficiently stored and managed, modularly restored, or re-deployed to any physical or virtual system client. For our validation we had both types of clients, physical and virtual, that were managed by the Mirage Server above.

Figure 13: VMware Mirage Dashboard Showing an Image Sync Up in Progress for Each Client


Physical Device Failover to a VM with Mirage

What happens when a physical device fails? In a typical branch office, the user experiences data loss, from minimal to catastrophic depending on how frequently they may have synced their files with their current data backup solution. In our validation, physical devices at the branch are managed with Mirage. This means that their user data has been continuously synced to the Mirage Server, so in the event of hardware failure their data is safely stored and can be restored. While the user waits for new hardware to arrive, Mirage allows the ability to restore the user data to a virtual desktop. The virtual machine will have the Mirage Agent, which will start restoring the user data and files, therefore allowing the user minimal downtime.

Here are the steps an IT Administrator can take to restore the user's data and files to a virtual desktop. A new virtual desktop must be provisioned but not have the View Agent or VMware Tools installed. The virtual desktop should have the Mirage Agent installed and be able to communicate with the Mirage Server at the headquarters site.

Go into the Mirage Server Management Console, and go into the "Pending Devices" area where new unassigned devices (including the new virtual desktop) are listed. From here right-click on the computer name of the new virtual desktop that was provisioned for the data recovery and select "Disaster Recovery."


The wizard for disaster recovery appears; select the option "Replace the User Machine."

Select the correct stored image (CVD) for the user that you want restored to the new virtual desktop.


In this menu we select the new naming convention for the image and put in the domain credentials for the desired target domain for the virtual desktop. Then click Next and Finish.

Logging onto the virtual desktop will show the Mirage Agent and the status of the user's files and data being copied from the Mirage Server onto the virtual desktop. Once this has completed, reboot the virtual desktop, log back in, and proceed with installing VMware Tools and the VMware View Agent. Now the virtual desktop will be ready for the user to use and access all of their files.


storage ConfigurationIntheBranchOfficeDesktopdesign,storageisanimportantelementtoensureoptimaluserexperienceandprovide backup and restore capabilities in case a branch site were to go down.

CIFS Configuration – ThinApp, Persona, and Corporate Data

VMwareThinApp™packagesarestoredoncommodityCIFSstorageforsimpledistributiontoWindowsendpoints in the Branch Office Desktop design.

As part of the design, the ThinApp repository was replicated to headquarters from the branch site using Active Directory Distributed File System services.

For persona and corporate files, the same methodology was implemented and a one-way replication was established. This methodology is primarily for data retention; however, it is also leveraged in the event of a branch-hosted user connecting back to headquarters, where the data can be made available.

Backup and Disaster Recovery

Between headquarters and the branch site, users that have a stateless virtual desktop have their files and data replicated back to headquarters storage. Folder redirection is accomplished using Microsoft AD Group Policy Objects (GPOs). The GPO maps the end user's "My Documents" folder to a DFS global namespace. Microsoft DFS replication is used here.

For Mirage clients, user data (along with their entire image) is replicated back to the Mirage Server at headquarters. In case of virtual machine or physical device failure, the Mirage client can be set to sync back that device's image (including all files and applications) to any new Mirage-enabled physical or virtual desktop.

At each branch site, the management virtual machines are backed up at regular intervals to a local backup appliance and also to the headquarters. This helps to restore the site quickly in case of a failover.
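The folder-redirection design above only protects user data while the branch-to-headquarters DFS replication path is actually healthy. The following PowerShell is an added health check, not part of the VMware guide; the namespace path, replication group, folder and server names are placeholders for this environment. It verifies that the redirected namespace folder has an online target, that both servers are enabled members of the replicated folder with the headquarters copy read-only (one-way replication), and that nothing is waiting in the branch-to-HQ backlog.

```powershell
# Added example, not from the VMware guide. All names below are placeholders
# for this environment; replace them with the real namespace, group and servers.
# Requires the DFSN and DFSR modules (RSAT / Windows Server 2012 R2 or later).
Import-Module DFSN -ErrorAction Stop
Import-Module DFSR -ErrorAction Stop

$NamespacePath = '\\corp.example\Users\Documents'  # assumed DFS global namespace folder the GPO redirects to
$GroupName     = 'BranchUserData'                  # assumed DFS-R replication group
$FolderName    = 'Documents'                       # assumed replicated folder inside the group
$BranchServer  = 'BR-FS01'                         # assumed branch file server (replication source)
$HqServer      = 'HQ-FS01'                         # assumed headquarters file server (replication destination)
$problems      = @()

# 1. The namespace folder users are redirected to must have at least one online target.
$targets = Get-DfsnFolderTarget -Path $NamespacePath
if (-not ($targets | Where-Object State -eq 'Online')) {
    $problems += "No online folder target for $NamespacePath"
}

# 2. Both servers must be enabled members of the replicated folder, and the
#    headquarters copy should be read-only so replication stays one-way.
$members = Get-DfsrMembership -GroupName $GroupName -FolderName $FolderName `
                              -ComputerName $BranchServer, $HqServer
foreach ($srv in @($BranchServer, $HqServer)) {
    $m = $members | Where-Object ComputerName -eq $srv
    if (-not $m -or -not $m.Enabled) {
        $problems += "$srv is not an enabled member of $GroupName/$FolderName"
    }
}
$hq = $members | Where-Object ComputerName -eq $HqServer
if ($hq -and -not $hq.ReadOnly) {
    $problems += "$HqServer membership is writable; expected read-only for one-way replication"
}

# 3. Files still waiting to replicate from the branch to headquarters.
#    Get-DfsrBacklog returns nothing when the backlog is empty.
$backlog = @(Get-DfsrBacklog -GroupName $GroupName -FolderName $FolderName `
                -SourceComputerName $BranchServer -DestinationComputerName $HqServer)
if ($backlog.Count -gt 0) {
    $problems += "$($backlog.Count) file(s) pending from $BranchServer to $HqServer"
}

if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Output "Replication path $BranchServer -> $HqServer for $NamespacePath looks healthy"
```

Run it from a domain-joined management host on a schedule; a non-zero exit means redirected user data at the branch is not currently protected by the headquarters copy.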

Security

Single Sign-On (Optional Component)

Single sign-on (SSO) software and tap-and-go cards provide access control for multiple related, but independent, software systems. Using an SSO product in the architecture enhances user experience, since the user logs into the environment only once to access all applications provisioned for them. SSO software can be used in conjunction with a tap-and-go card, which further enhances user experience.

For the Branch Office Desktop, a typical deployment of SSO software would include deploying the SSO server to the headquarters infrastructure. By centralizing the SSO server, all credentials for a particular site can be defined and managed by IT personnel at headquarters. At the branch office, an additional SSO replica/child server can be deployed (if supported by the vendor product) to speed up the authentication process locally.


Monitoring

VMware vCenter Operations Manager (vCOps) for View extends the trusted analytical capabilities of the vCenter Operations Manager product family to the View desktop environment. vCOps for View focuses on the virtual desktop end-user experience, providing monitoring and management of performance metrics critical to superior View user performance. vCOps for View monitors the View desktop, as well as all of the supporting elements of the virtual infrastructure, from a View-specific customized console.

Figure 14: vCOps for View Dashboard Showing VDI Health

vCOps and the vCOps for View adapter are deployed and configured at each branch site, providing a single dashboard for monitoring the entire infrastructure for the branch. By adding third-party Quality of Service monitoring software, additional feedback such as application response times can be checked to ensure that the local user experience remains high. Third-party software that provides additional metrics can be integrated with vCOps, thereby enriching the single dashboard experience for IT.

VMware, Inc. 3401 Hillview Avenue Palo Alto CA 94304 USA Tel 877-486-9273 Fax 650-427-5001 www.vmware.com

Copyright © 2012 VMware, Inc. All rights reserved. This product is protected by U.S. and international copyright and intellectual property laws. VMware products are covered by one or more patents listed at http://www.vmware.com/go/patents. VMware is a registered trademark or trademark of VMware, Inc. in the United States and/or other jurisdictions. All other marks and names mentioned herein may be trademarks of their respective companies. Item No: VMW-DG-BRANCHOFF-USLET-20121003-WEB


Summary

The main objectives for this validation were:

• Enhanced local experience – Bringing VDI workload directly to the local branch

• Ease of management – Any level of IT professional can have role-based access to manage the branch office environment via the View Administration console or vCOps management console

• Security – Fully deployed with complete vCloud Networking and Security (vCNS) from Edge, App, to Endpoint along with third-party ISVs' antivirus products. In addition, the lab also deploys Microsoft RADIUS for View RADIUS authentication with 2FA authentication such as USB eToken access into the physical and virtual desktops

The Branch Office Desktop solution lab validation tested the main objectives by extending coverage of VMware View and Mirage, and combining and exploring interactions between ISV products as well as network systems in a customer-representative environment.