White Paper

Delivering Virtual Desktop Infrastructure with a Joint F5-Microsoft Solution

Updated October 29, 2010

Introduction

In data centers, virtualization has evolved from the realm of emerging technology into a standard deployment tool used by organizations of all sizes, regardless of industry. The extension of virtualization technology to the desktop makes it possible for organizations to achieve even greater benefits in terms of cost reductions, simplified management, and reduced support requirements.

Virtual desktop infrastructure (VDI) is rapidly becoming synonymous with desktop virtualization. As the next evolutionary phase in desktop delivery, VDI combines a thin-client approach with server-side virtualization. Each user has a virtual desktop contained as a virtual machine (VM) within the data center.

A survey conducted by InformationWeek Analytics in mid-2010 indicates that VDI is in widespread use, with 77 percent of respondents either "actively using or testing VDI (42%) or assessing its benefits (35%)." (Research: VDI Adoption Trends, September 2010)

Broad interest and increasing adoption rates do not mean VDI comes without challenges in regard to availability, scalability, reliability, and security. These challenges affect the core desktop virtualization building blocks, components, and elements in similar ways, and they extend to user state, applications, sessions, and infrastructure.

Microsoft Virtual Desktop Infrastructure offerings provide solutions for organizations of all sizes to help reduce their total cost of ownership, increase security, and employ flexible deployment choices, enabling a more agile IT environment that is resilient within and across data centers. Better reliability, performance, and scalability of a Microsoft VDI implementation improve the success rate of virtual desktop initiatives and enable the organization to realize benefits.

To address these challenges, Microsoft and F5 have leveraged their long-term strategic partnership and developed a joint solution. F5 products add resiliency to Microsoft VDI deployments, thus ensuring business continuity by enabling cross-site failover capabilities. Virtual desktop delivery performance is enhanced through the use of efficient connection management techniques, the application of protocol acceleration policies, and the offloading of compute-intensive security functions. Additionally, scalability of Microsoft VDI is improved through the use of intelligent application delivery capabilities and the integration of monitoring and management with Microsoft's management solutions.

Many of the challenges associated with Microsoft VDI are not specific to Microsoft but rather are germane to any VDI implementation. While this paper focuses on a tested and documented Microsoft-F5 solution, the capabilities of the F5 solutions can also be applied to other VDI deployments. This also applies to heterogeneous deployments that include Citrix XenApp as part of a Microsoft VDI solution.

Benefits of a Joint Solution

Microsoft VDI suites include products and technologies that work together to provide desktop virtualization, application virtualization, and centralized management of user data and settings for anywhere access. These solutions can provide a range of notable benefits, including the ability to:

  • Improve the recoverability of desktops by centrally managing and enabling the use of server-class tools to back up and aid in restoration.
  • Enhance the organization's ability to meet security, regulatory compliance, and e-discovery mandates by ensuring data remains in the data center at all times.
  • Reduce operational expenses by simplifying lifecycle management, including patching, provisioning, packaging, and delivery.
  • Improve user productivity by decoupling users from specific desktops, enabling maximum mobility for employees who work remotely.
  • Extend the life of applications that might not be supported on newer operating systems, enabling the organization to defer associated rollout costs for upgraded or replacement applications.
  • Maximize licensing of applications by enabling on-demand provisioning, which eliminates over-provisioning of applications that is based on perception of need rather than actual use.

Many of these benefits are lost or greatly reduced when the delivery of virtual desktops to users, regardless of their location, is sub-optimal or unreliable.

F5 solutions play a role in scaling, securing, and improving the reliability of Microsoft VDI offerings. F5 BIG-IP Local Traffic Manager (LTM) enables the seamless scalability of Microsoft VDI servers, mitigating the disruption to users often caused by other scaling-out processes. BIG-IP LTM insulates users from changes and migration of virtual desktops throughout the virtual desktop infrastructure by mediating between the user and the data center hosted virtual desktop servers.

65% of IT organizations gained better end-user experience by deploying F5 BIG-IP solutions with Microsoft technologies.

Source: TechValidate TVID: CFC-86B-33D

When deployed in such a strategic position, BIG-IP LTM can employ optimization and acceleration techniques such as connection management optimization and protocol acceleration to improve the performance and overall delivery of virtual desktops to users.

F5 BIG-IP LTM also provides the ability to offload compute-intensive cryptographic processing to its specialized cryptographic acceleration hardware. Doing so has dual benefits: it improves the performance of the secure connection required to ensure end-to-end secure delivery of virtual desktops by accelerating the transport protocol layer, while decreasing the consumption of resources by the virtual desktop executing in the data center on the physical server. This can allow for an increase in virtual desktop density per server and improves the overall scalability of the Microsoft VDI deployment.

F5 BIG-IP Global Traffic Manager (GTM) provides cross-site resiliency in the form of failover to alternate sites in the event of a service disruption. This level of resiliency is imperative to organizations for which business continuity is a high priority. Even a single hour of downtime can be costly, with Find/SVP reporting an average downtime cost of $82,500 per hour across Fortune 1000 companies. Mitigating the possibility of downtime requires the ability to quickly migrate users from one data center location to another with as little disruption as possible. BIG-IP GTM makes this possible for Microsoft VDI implementations while also allowing for other architectural uses, such as ensuring remote users accessing virtual desktops are directed to the geographically nearest site as a means to improve application and virtual desktop delivery performance.

Together, F5 and Microsoft can support a homogeneous solution deployment as readily as a hybrid architecture that comprises multiple solutions working in concert to achieve the greatest benefits and the highest return on investment.

This combination results in optimal efficiency as it leverages centralized management of desktops, ensures security of corporate data, and takes advantage of server-side virtualization to maximize utilization of data center resources. But just as virtualization within the data center, leveraged to enable elastic applications and maximize resource utilization, requires a strong infrastructure and network to ensure availability, reliability, and performance, so too does VDI.

itSM Solutions compiled statistics from three separate research reports, calculating the average cost of downtime across all three studies as $65,833 per hour, or $1,097 per minute.

ItSM, The Paradox of the 9s

Microsoft VDI Delivery Challenges and Solutions

The challenges associated with VDI are an amalgamation of issues often encountered by other virtualization solutions and traditional network-based applications. Primarily, these include scalability, security, cross-site reliability, and performance. These challenges can be met by deploying F5 solutions in conjunction with Microsoft VDI.

Scalability

Scalability is a common challenge for all data center applications, but it becomes particularly challenging for architectures in which some level of application affinity is required, as is the case with VDI. The traditional scale-out strategy is certainly applicable in the general sense of supporting increasing numbers of concurrent users, but it is atypical in the sense that simply load balancing connections will not suffice. There are several architectural solutions to scaling out VDI, all of which require an intelligent intermediary to ensure that the user session is maintained correctly. If the user session mapping is lost and the user is load balanced to another server, productivity plummets because any work in progress is lost. Loss of work and productivity causes frustration for users and can inhibit adoption rates; every minute of lost productivity can be costly to the organization.

The ways in which these scalability challenges can be addressed are well-understood and leveraged in other application scalability problem domains. The use of persistence and global application delivery combined with proven methods of ensuring true application availability enables a truly flexible, scalable VDI implementation.

Persistence

Because it has the ability to persist sessions, also known as affinity, the BIG-IP LTM Application Delivery Controller can maintain the user-server mapping necessary to seamlessly scale out a VDI implementation. When a user requests a virtual desktop, BIG-IP LTM establishes a mapping between that user and a VDI server in the data center. All further communication between the user and the virtual desktop in the data center is directed to that mapped server to ensure availability of the user’s desktop.

By maintaining the user-server mapping, BIG-IP LTM can ensure that user productivity is not impeded by users being misdirected to a different VDI server. This raises the adoption rate of VDI by making the move from physical to virtual desktops less painful for users, because intermittent connectivity issues and loss of work are among the primary inhibitors of corporate-wide VDI adoption.

Availability

Availability is one of the core drivers for deploying a scalability solution because scaling an application addresses the two most common availability issues: outages and performance. Outages can occur when resources are at or over capacity; therefore, in order to manage scale and growth of applications, it is vital to ensure resources can be dynamically increased without causing disruption. This is particularly important for VDI implementations, which typically roll out to additional users over time. Enabling a seamless growth strategy that maintains availability is critical to the overall success of such initiatives. BIG-IP LTM enables seamless increases in capacity without negative impact on service availability.

Availability is also an important factor in maintaining acceptable performance levels. While an application might actually be responding, a delayed response can have the same impact on user productivity as a complete outage. By increasing capacity or simply leveraging the capability of BIG-IP LTM to intelligently monitor virtual desktop infrastructure resources, users can be dynamically distributed across all available VDI resources in a way that maximizes utilization while maintaining any performance requirements set by service-level agreements.

Cross-Site Resiliency

When deploying any application globally, across multiple data centers, the goal is to ensure business continuity in the face of an outage. This continuity becomes difficult to achieve for stateful session-based applications, and it is particularly challenging for VDI if a user's desktop is contained within a data center that suddenly is inaccessible.

Using the BIG-IP GTM solution in combination with BIG-IP LTM provides a global application delivery solution through which continuity can be maintained in the instance of an outage or other connectivity interruption. By constantly monitoring the health and performance of all VDI deployments across data centers, BIG-IP GTM can initially direct users to the data center that best meets their specific performance and availability requirements. In the case of a service interruption, BIG-IP GTM can further migrate sessions from one data center to another with virtually no interruption in user productivity.

Cultural resistance from end users has been cited as the #1 challenge when implementing VDI. It's not VDI itself users hate; it's the reduced productivity. 
Bob Hoffman, President and Chief Operating Officer of Tranxition, "Barriers Clearing for VDI Adoption"

Security

Security is often a barrier to adoption of a variety of technologies, but is particularly challenging in a VDI implementation because users rely on the performance of both the server and the network. For organizations that require a high degree of security internally as well as for remote access, VDI ensures that corporate data stays on the server—in the data center and under control—at all times. This is due to the way VDI works. VDI is essentially the next evolutionary phase in desktop delivery, combining a thin-client approach with server-side virtualization. Each user has a virtual desktop contained as a virtual machine within the data center. Delivery is accomplished via a traditional thin-client architecture leveraging well-known and supported protocols such as RDP. In transit, the data exchanged between the client and ultimately the server is protected via SSL. Because SSL relies in part on the length of keys to provide protection and Microsoft—along with many others—is moving to use only 2048-bit key lengths, the use of SSL can consume more than 30 percent of a server's resources.

BIG-IP LTM offloads this processing and leverages its hardware-accelerated processing capabilities to ensure a high level of security while improving VDI server desktop capacity by removing the need for the server to shoulder the burden of cryptographic processing.

Performance

As key lengths continue to increase, the computational burden imposed by SSL degrades performance significantly and can cause connectivity between the user and session to appear sub-optimal. The additional time required to encrypt and decrypt data exchanged between the client and server can decrease productivity as users are forced to wait longer for responses from the server. In a VDI deployment, cryptographic processing can impact all users whose desktops are executing on that server because all VMs executing on the same server will suffer the impact of the overhead associated with performing encryption and decryption operations.

BIG-IP LTM addresses performance degradation by offloading SSL functionality, which results in higher capacity per physical server. It also mitigates the performance impact of SSL and higher key lengths by leveraging purpose-built hardware acceleration designed specifically for the cryptographic operations utilized by SSL and related secure transport protocols. This ultimately enables the servers to host more VMs and, in turn, support a higher number of users at lower capital and operational expense.

31% of surveyed IT organizations report that they improved their VM density (placing more VMs on the same host) in some manner by using their F5 BIG-IP solutions.

Source: TechValidate TVID: 19A-09C-61F

Secure Remote Access

From an architectural perspective, a VDI deployment can appear similar to many web application deployments; however, the business requirements are not the same. A VDI implementation is designed to provide access to the corporate desktop, complete with applications and data that need to be protected. While VDI is an increasingly attractive solution for supporting off-site users while protecting the sensitive nature of corporate data, VDI requires more controlled access because the user will access an entire application environment, rather than just one application.

To provide the highest level of control over remote access to virtual desktops, the F5 BIG-IP Edge Gateway advanced remote access solution provides flexible authentication and authorization in the form of an intelligent SSL VPN. A flexible SSL VPN provides granular control over access in a contextually aware manner, ensuring that user environments are free of malware and other malicious data. While not specifically dangerous to virtual desktop environments, malware and malicious data are potentially hazardous to the network and server infrastructure upon which VDI implementations are deployed and desktops delivered.

Authentication and Authorization

One of the benefits of a deployment contained in the data center is single sign-on (SSO) capabilities. Users benefit from increased productivity enabled by the seamless transition between applications. At the same time, the security of those applications is enhanced because users no longer need to remember multiple passwords.

By integrating with a range of corporate-standard identity stores and enabling SSO capabilities across applications, F5 BIG-IP Access Policy Manager (APM) provides the necessary flexibility and centralized control over user authentication.

Integrated Management

Virtualization, whether leveraged for server or desktop initiatives, can increase the complexity of an architecture and introduce additional management burdens on operations staff, which can be perceived as a drawback to virtualization.

We were able to publish applications in a secure, reliable manner providing new lines of service to the physician community. We also took advantage of F5's BIG-IP [products] to strengthen our overall remote access solution.
TechValidate TVID: 673-FBF-F15

Using F5 PRO-enabled Management Pack to integrate the VDI delivery infrastructure with Microsoft System Center Operations Manager and Microsoft System Center Virtual Machine Manager greatly reduces the management burden placed upon operations staff to scale, secure, and optimize a VDI deployment. F5 Management Pack integration enables centralization of management, monitoring of F5 solutions, and control of resource allocations, making visible contextual information used to drive IT decisions. The F5 PRO-enabled Management Pack enables two-way communication between BIG-IP devices and Virtual Machine Manager 2008 R2 via the F5 iControl API. This integration enables IT administrators to quickly and easily adjust the network to changing application conditions, both within a data center and across data centers.

In cases where the integration does not provide the control required, Windows PowerShell from Microsoft can be leveraged to automate management tasks, thereby decreasing the time investment required to manage a combined F5-Microsoft architecture as well as reducing the possibility of human error causing service disruption.

Conclusion

VDI is quickly becoming a feasible option for organizations. It gives IT many benefits in regard to reducing capital and operating expenses, which makes it appealing to a wide range of organizations of different sizes and from varied industries. The ability to scale, secure, manage, and optimize VDI implementations is paramount to success and should be considered part of a holistic virtual desktop delivery strategy.

F5 solutions are highly integrated with Microsoft VDI solutions and management offerings; together, the joint solutions provide the flexibility, scale, and security options required to successfully implement a virtual desktop infrastructure.

Whether an architecture is homogeneous or heterogeneous, F5 solutions provide a flexible foundation for secure, fast, and reliable delivery of Microsoft VDI. F5's extensibility model is flexible and powerful, offering seamless integration with monitoring and management products to ensure an agile virtual infrastructure that can be automated as required while remaining firmly under the control of the organization.