Random thoughts on Storage, Backup, Virtualization, Servers, Scuba, Dogs, Woodworking, Home Renovation and whatever else happens to come to mind.
Wednesday, May 09, 2012
Citrix RemotePC feature for XenDesktop
I recently posted an article discussing a scenario where I wanted to connect to a user's physical desktop when they were away from the office.
In that article I discussed how to configure that using then available Citrix XenDesktop components, and the issues I'd seen trying to do this in customer environments.
Well, today at Citrix's Synergy conference Citrix announced the inclusion of "RemotePC" as an additional FlexCast delivery model. RemotePC is exactly the use case I described, with some extra goodies thrown in to make things even better for enterprise deployments.
If this use case is attractive to you, take a close look at RemotePC.
Tuesday, May 01, 2012
Connect to My Physical Desktop PC
One of the big sales pitches for Desktop Virtualization is the ability of users to connect to their computers (or environment) from anywhere and from any device. I see customers putting in hosted virtual desktop infrastructures just so they can run Outlook on an iPad. I see XenApp deployed just so users can work from home without using a VPN.
It works, but it's overkill. Like gopher hunting with an AK-47.
There are simpler solutions out there. And really, users just want to connect to their PC anyway.
You can (still) go buy PC Anywhere, or you can enable Remote Desktop Services. You can even grab a copy of VNC. Problem is none of these really address things like firewalls, and for users to use them you have to pretty much put every PC on the public internet.
You can use LogMeIn, or GoToMyPC, which are great consumer level solutions that take care of the firewall issue but really don't provide much in terms of corporate control of data and access.
Desktop Virtualization solutions typically address data control and movement, firewalls, and corporate control, but often with a huge infrastructure investment (Servers, SANs, SSD Disk, Hypervisors...). And hey.. what if I just did a desktop refresh and have lots of powerful modern hardware sitting under user's desks?
What if we could offer a solution with the control of Hosted Desktop Virt, but using the existing desktops people already have? If you could connect to your own desktop from your iPad, but IT could still ensure governance and control over data movement?
Well.. you can .. mostly.
With Citrix XenDesktop you can (today) make all this work if your end users are running Windows XP. You build out your Access Gateway, Web Interface, and Delivery Controller infrastructure just like you would for a typical HVD deployment, but instead of using virtual machines for desktops you install the virtual desktop agent on the user's existing physical desktop. A little data collection to assist with mapping desktops to users, and pretty quickly a user can launch a session on their desktop from any device that supports a Citrix Receiver.
Reality is that this can be done with as few as two VMs if you really want to (one gateway appliance and one Delivery Controller). As a benefit you get all the features and mobility provided by XenDesktop, and a killer remote user experience. And by the way, this is not new ... this has worked since at least XenDesktop 3.
Hold on... Windows XP?
Yes... Windows 7 (and Vista for that matter) introduce a problem. It's not that it can't work, but I'm afraid I have to add some caveats which aren't issues for Windows XP.
Windows Vista introduced a new display driver model (WDDM vs XPDM) which sent our Desktop Virtualization vendors into a bit of a tailspin. The software used to capture the video display (to send it to the remote system) installs a video driver on Windows, and Windows does not support switching between drivers of different models. Think of your higher end laptops which have both a low power integrated video chipset and a high performance video chip and dynamically switch between them based on the situation at hand. The desktop agent does the same kind of thing based on whether a user is connected to the machine remotely or not.
So in order to support switching to and from the XPDM video driver used by the desktop agent, an XPDM video driver must also be used for the local console. Turns out the Windows standard VGA driver is such an entity. If you are able to live with a single monitor at a display size of 1600x1200 or less, then you can just install the Virtual Desktop Agent on the Windows 7 PC, use the standard Windows VGA driver for the console, and all of this works. Victory! And by the way, the virtual desktop agent will switch the video drivers for you, so all you really have to do is install the agent and go.
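Before rolling the agent out to existing desktops it helps to know two things per machine: who actually sits at it (the desktop-to-user mapping mentioned above) and whether its display setup fits the single-monitor, 1600x1200-or-less constraint of the standard VGA driver path. The script below is an added example written for this post, not Citrix code and not part of any XenDesktop tooling; it only uses standard WMI classes, and the computer names and output path are assumptions you would replace with your own.

```powershell
# Added example (not from the original post or from Citrix): pre-deployment inventory
# for the "connect to my physical desktop" scenario. For each PC it records the
# logged-on console user (for mapping desktops to users) and the display geometry,
# then flags whether the machine fits the standard VGA driver path (one monitor,
# at most 1600x1200) or will need the HDX-3D agent and a compatibility-list check.
# Computer names and the CSV path below are assumptions.
param(
    [string[]]$ComputerName = @('DESKTOP-01', 'DESKTOP-02'),   # assumed names
    [string]$OutFile = 'C:\Temp\vda-readiness.csv'              # assumed path
)

$maxWidth  = 1600   # limits stated for the standard VGA driver path
$maxHeight = 1200

$results = foreach ($pc in $ComputerName) {
    try {
        $cs   = Get-WmiObject -Class Win32_ComputerSystem   -ComputerName $pc -ErrorAction Stop
        $os   = Get-WmiObject -Class Win32_OperatingSystem  -ComputerName $pc -ErrorAction Stop
        $vid  = @(Get-WmiObject -Class Win32_VideoController -ComputerName $pc -ErrorAction Stop)
        $mons = @(Get-WmiObject -Class Win32_DesktopMonitor  -ComputerName $pc -ErrorAction Stop)

        # Only adapters that currently drive a desktop report a resolution;
        # inactive adapters return null, so filter them out before measuring.
        $active = @($vid | Where-Object { $_.CurrentHorizontalResolution })
        $width  = 0
        $height = 0
        if ($active.Count -gt 0) {
            $width  = ($active | Measure-Object -Property CurrentHorizontalResolution -Maximum).Maximum
            $height = ($active | Measure-Object -Property CurrentVerticalResolution   -Maximum).Maximum
        }
        $monitorCount = $mons.Count

        $fitsVga = ($monitorCount -le 1) -and ($width -le $maxWidth) -and ($height -le $maxHeight)
        if ($fitsVga) {
            $recommendation = 'Standard VGA driver path'
        } else {
            $recommendation = 'Needs HDX-3D agent; verify hardware against compatibility list'
        }

        New-Object PSObject -Property @{
            Computer       = $pc
            LoggedOnUser   = $cs.UserName      # DOMAIN\user, empty when nobody is at the console
            OS             = $os.Caption       # distinguishes XP (no caveats) from Vista/7
            VideoAdapter   = (($vid | ForEach-Object { $_.Name }) -join '; ')
            Monitors       = $monitorCount
            Resolution     = ("{0}x{1}" -f $width, $height)
            Recommendation = $recommendation
            Error          = ''
        }
    }
    catch {
        # Unreachable or WMI denied: record it rather than silently dropping the PC.
        New-Object PSObject -Property @{
            Computer = $pc; LoggedOnUser = ''; OS = ''; VideoAdapter = ''
            Monitors = 0; Resolution = ''; Recommendation = 'Unreachable'
            Error = $_.Exception.Message
        }
    }
}

$results | Select-Object Computer, LoggedOnUser, OS, VideoAdapter, Monitors, Resolution, Recommendation, Error |
    Export-Csv -Path $OutFile -NoTypeInformation
$results | Format-Table Computer, LoggedOnUser, Monitors, Resolution, Recommendation -AutoSize
```

Run it from a machine with remote WMI access to the desktops; the CSV gives you the user mapping and a first cut at which PCs can use the VGA driver path. Treat the monitor count as a hint rather than gospel: Win32_DesktopMonitor can list a generic "Default Monitor" entry or miss a disconnected second screen, so anything flagged borderline is worth a look in person before you commit it to the HDX-3D agent.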
Oh... but you're like me, have two monitors, and they're wide-screen 24-inchers? Well... maybe...
Citrix offers the HDX-3D versions of the virtual desktop agent. This desktop agent is designed for use on systems where 3D rendering is a requirement, but users still want the mobility and capability of connecting from remote systems. Generally we're talking blade PC's here, but the agent doesn't really care. The important thing is that this agent is a WDDM driver, and will co-exist with other WDDM video drivers.
Unfortunately the HDX-3D driver does have a fairly narrow official compatibility list. That doesn't mean it won't work with other stuff, but it doesn't mean it will either. Note that most of the hardware on the list is nVidia, with a handful of ATI chipsets (but none of the ATIs support dual monitors).
So again, if you've got supported hardware you're golden. Enjoy running 3D Studio Max on that iPad at the golf course!
If it's unsupported ...well your mileage will vary. Some examples:
- On my Laptop with Intel and FireGL video it works ok as long as I don't do anything strange like try to change display resolution remotely, or attach a second monitor to the laptop.
- At a customer recently with a dual-video card ATI setup it worked ok, but the local (physical) console didn't blank when connected so someone could physically watch everything that happened in the session, and he couldn't get video on a Xenith client - but Windows and Mac receivers worked fine.
- Another customer with dual monitors found that remotely it worked ok, but that if the session was started from a remote device it wouldn't resize properly when it returned to the physical console.
- For another customer .. well, it just worked perfectly...
If you haven't tried this, you really should.
It's Mine, not Yours! (or IT's)
Folks, Bring Your Own Device (BYOD) is really all about users owning the equipment, and by association the base environment on that device. It means that any other folks with a footprint, apps, or data on that device are guests and not owners. And only the Owner should make decisions about the device.
That's not to say that IT organizations don't have the right to protect their data and applications - they absolutely do; but they need to do it without imposing on the Owner's right to use the device as they want to.
I'll point out a few failures of being a good guest in this context.
I was talking to an IT professional not long ago about his company's policy on smartphones and tablets and was told that "Users can connect and use anything they want, as long as we can remotely wipe it." If IT wipes my device and I lose my apps and personal data as a result, that's much like inviting a friend into my home and having them decide that they don't like my furnishings and packing them all up and taking them to the dump. I'm left with an empty house because someone else didn't like my photos!
When I left a previous employer, I had an older Windows based Smartphone that had been configured to connect to the corporate Exchange environment (which worked quite well!) and to my personal Gmail account. It was my personal device, but I wanted to read/reply to my work email and sync my calendar. After my employer terminated my accounts the phone became very cranky about not being able to connect to Exchange. When I removed the Exchange account from the phone it promptly deleted all of my contacts off the device - even those that were really part of the Gmail account, and the local phone book. Suddenly I didn't have my father's phone number anymore. Fail! My device. My data. Why should deciding to detach from corporate email remove my personal phonebook? That's like my guest emptying my clothes closet when they leave because they brought some clothes with them.
I was working with a very nice client hypervisor which seems like a perfect solution for a consultant. The idea is that I have a computer, I go onsite with a customer who provides me with a corporate VM for their environment, and I use that to connect to their systems. I keep my own stuff separate and never touch their net. The problem here is in implementation - as soon as I connect my hypervisor to their environment to get the VM, the hypervisor marries itself to their systems. I can't log in to my own computer anymore without authenticating to the client's servers. Further, it can only marry to one client system at a time, and when you separate them all the VMs on my computer get deleted. FAIL! That's like a guest changing the locks when they arrive and bulldozing the house when they leave!
Many users choose not to connect to corporate resources from their own equipment because the cost of that guest is simply too high. It's easier to have a separate phone or do without than it is to invite IT to come visit.
All of the above are examples of well meaning folks trying to protect corporate data. But the implementation and execution are simply wrong. At least for BYOD. If this were company hardware this would all be fine, but in all cases it was Mine, not Theirs.
So how do we be a better guest on someone else's machine? How do we protect our data?
Well, first things first - Users get to pick their own devices, just like they get to pick their own cars. If it gets them to work then it's done its job. That means we don't get to say "as long as we can remotely wipe it" or "as long as it's got Anti-Virus" ... (Yeah, I know that last one hurts).
If we can accept the above premise, then we know we have to treat the device as an untrusted entity - that is, we can't trust the device not to do bad things, nor (really) not to disclose what it knows to someone we'd rather it didn't. It's a little like having a party line and not knowing who else is listening.
As an untrusted device, we don't want to store data on it. We don't want to accept data from it, and we want to control what data it sees. Hm... if only we had a way of offering corporate applications and data without actually sending or storing them on the PC/Tablet/Phone ... a way that we could control and filter what the device can see.
Ok, the above sounds fine, but I need to work offline?
Well, the need for being disconnected does need to be evaluated; but if you have to, then it's time to think about protected, safe, trusted containers ... Endpoint Inspection (are you clean right now?), and data encryption not of the whole device, but of the corporate data with its own access controls. These containers should have controls in place to prevent their 'leaking' and to facilitate their destruction, but in either case without harming the device or hindering its ability to concurrently entertain other guests. It's ok if a guest wants to blow up their suitcase, as long as they don't blow up the guest-room too.
Well, we can do that but our solution only works on <insert platform here>.
Sorry to say, that's a little like "I'll come visit, but only if your house is blue." If your solution is restrictive then it's not really a solution. If the user can't pick the device they want, then it's not their device. Sooner or later someone important will have a white house and you'll have to figure out how to make it work. Better to get ahead of the curve on this one.
One last point here - End-User IT technology is a consumer commodity item these days. Manufacturers market to your users, to your children, your spouse, and your executives. They do not market to IT. Consumers want what is sexy and hot today, not what IT tells them they should have. Let's be clear, IT has already lost this battle.
So what do we do? Well I suggest you invest in providing access that protects your data and applications. That doesn't expose your data, or require trust of the end-user device. And that allows flexibility and end-user choice. But in the end remember that the device is Mine, not Yours!