Virtualization Forum 2015, Prague, 7 October 2015
VMware hall
If SlideShare does not display the presentation correctly, you can download it in .ppsx or .pdf format.
2. …and Drives a New Approach to Mobile Security and Identity
Old Mindset:
Only trust devices where you manage the OS
Device trust established by the Domain
Access controlled by Network Management
New Approach:
Manage and secure apps and content
Device trust established through enrollment
Access controlled by Identity Management
7. Common App Delivery Model
• The most flexible and intuitive experience for enterprise self-service
Entitlement: 1000 Apps in App Center
Subscribed: 100 Apps in Launcher
Favorites: 10 Apps on Home Screen
8. One Login | Same Experience | Any Device
Virtual Desktops
Citrix XenApp
Office 365
View Hosted Apps
ThinApp Packages
Google Apps
App Approvals
App Catalog
Custom Branding
Context Aware
9. VMware Identity Manager On-Premises Offering
Citrix XenApp
Native Mobile
Horizon Air
Web Applications
On-premises ThinApp and Web Apps
12. 4K Resolution Support
4K (3840x2160) Windows VDI desktop resolution support
Single monitor support with Aero on, Win7 / Win 8 with HW10
3 x monitor support with Win7 (Aero disabled) with HW11
Client 3.5 & View Agent v6.2
4K guest resolution; not 4K monitor support with high DPI scaling
13. Simple Application Provisioning
No packaging, no sequencing, no streaming. Simply install applications natively. Provision applications as easily as installing them.
1 Create a new, empty AppStack
2 Mount the AppStack and install applications
3 Provision the AppStack
14. UEM: Consistent and Personalized Access Across Devices
Personalized Published App settings persist to the virtual desktop at login
15. Client Info at Logon – VMware UEM Integration
Client information is available to UEM before the user logs on
Enables UEM to access View Client IP / Client Name information from Horizon Volatile Environment Variables
Client information is updated on reconnect
Enables more control for UEM Dynamic Configuration for Horizon sessions
Works with VDI desktops and RDS desktops and applications
(Diagram: user logon → VMware UEM → dynamic configuration based on client info → VDI desktops, RDSH desktops, RDS applications)
16. NSX: Automated Security in a Software Defined Data Center
Quarantine vulnerable systems until remediated
Security Group = Quarantine Zone
Members = {Tag = 'ANTI_VIRUS.VirusFound', L2 Isolated Network}
Security Group = VDI Tier
Policy Definition
Standard Desktop VM Policy: Anti-Virus – Scan
Quarantined VM Policy: Firewall – Block all except security tools; Anti-Virus – Scan and remediate
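The slide's point is that quarantine is driven by membership criteria, not by hand-edited rules: once the AV engine tags a VM, the VM satisfies the Quarantine Zone criteria and the quarantine policy applies to it automatically, and it leaves again once the tag is cleared. The following added example (not VMware or NSX code) models that evaluation. The group names, the tag and the two policies come from the slide; the network segment names and the security-tool addresses are assumed.

```python
"""Tag-driven quarantine in the style of the NSX slide above.

Added illustration, not VMware or NSX code: it models a security group whose
membership is evaluated dynamically from VM tags/network, and the policy that
applies as a result. Group names, tag and policies are from the slide; the
network segment names and security-tool addresses are assumed.
"""
from dataclasses import dataclass, field

QUARANTINE_TAG = "ANTI_VIRUS.VirusFound"      # tag applied by the AV engine (from the slide)
ISOLATED_NETWORK = "L2 Isolated Network"      # assumed name of the L2 isolated segment
PRODUCTION_NETWORK = "VDI-Production"         # assumed name of the normal VDI segment
SECURITY_TOOLS = {"10.0.0.10", "10.0.0.11"}   # assumed AV manager / patch server addresses

# Policy definitions from the slide.
STANDARD_DESKTOP_POLICY = {"firewall": "allow", "anti_virus": "scan"}
QUARANTINED_VM_POLICY = {"firewall": "block all except security tools",
                         "anti_virus": "scan and remediate"}


@dataclass
class VM:
    name: str
    tags: set = field(default_factory=set)
    network: str = PRODUCTION_NETWORK


def security_groups(vm):
    """Security groups the VM belongs to right now.

    Membership is recomputed from the VM's current tags and network on every
    call, which is what makes the quarantine automatic: the moment the AV
    engine applies the tag, the VM satisfies the Quarantine Zone criteria
    without an administrator touching a firewall rule.
    """
    groups = {"VDI Tier"}
    if QUARANTINE_TAG in vm.tags or vm.network == ISOLATED_NETWORK:
        groups.add("Quarantine Zone")
    return groups


def effective_policy(vm):
    """The quarantine policy takes precedence over the standard desktop policy."""
    if "Quarantine Zone" in security_groups(vm):
        return QUARANTINED_VM_POLICY
    return STANDARD_DESKTOP_POLICY


def flow_allowed(vm, dst_ip):
    """Distributed-firewall decision for traffic leaving the VM."""
    if effective_policy(vm)["firewall"] == "allow":
        return True
    return dst_ip in SECURITY_TOOLS


def av_scan_result(vm, infected):
    """Simulated AV verdict: tag on detection, clear the tag once remediated.

    Returns the policy in force after the verdict, so the caller can watch the
    VM drop into quarantine and come back out when remediation completes.
    """
    if infected:
        vm.tags.add(QUARANTINE_TAG)
    else:
        vm.tags.discard(QUARANTINE_TAG)
    return effective_policy(vm)


if __name__ == "__main__":
    desktop = VM("vdi-01")
    print(desktop.name, security_groups(desktop), flow_allowed(desktop, "192.0.2.50"))
    av_scan_result(desktop, infected=True)
    print(desktop.name, security_groups(desktop), flow_allowed(desktop, "192.0.2.50"),
          flow_allowed(desktop, "10.0.0.10"))
    av_scan_result(desktop, infected=False)
    print(desktop.name, security_groups(desktop))
```

The check a practitioner should take from this: the quarantine policy must still allow the paths the remediation tooling needs (here the assumed `SECURITY_TOOLS` addresses), otherwise a quarantined VM can never be cleaned and the tag is never removed.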
17. Linked Clones in Action
(Diagram: Master RDSH VM → read-only Replica 1 on Datastore 1 and Datastore 2 → linked-clone C drives; numbered steps 1–4)
18. RDSH Load Balancing – Perfmon-based Load Reporting
(Diagram: View Connection Server brokering across three RDS hosts, each running a View Agent that executes a VB Script load script; numbered steps 0, 1, 3)
Magnetic Sessions: A user with an existing session will re-use that session and ignore the load balancing rules.
19. Access Point – Overview
Overview
Hardened appliance for external user access – Security Server alternative
SLES 11 Linux appliance
Added security & multifactor authentication
Pass-through authentication
Smart card support – Tech Preview
Feature parity with Security Server
Benefits
Remove Windows VMs from DMZ
Scale out independent of Connection Server
Product independence
Simplified installation
(Diagram: external clients → load balancer → Access Point appliances in the DMZ → load balancer → Connection Servers CS1, CS2 on the internal network)
20. Lync 2013 (Skype for Business) Support – RDS & Windows 10
Overview
Windows 10 VDI desktops and RDSH desktops with Lync client installed
Windows 10 VDI desktop now supported
Client support includes Windows 7, Windows 8, Windows 8.1 & Windows 10 with Microsoft VDI Plug-in for Lync
Benefits
Customers can migrate to Windows 10 or leverage RDSH desktops for VoIP and video
Highly scalable VoIP and video calling within the VDI infrastructure
Enterprise grade UC VoIP and video using standard codecs
QoS support for real-time VoIP and video
(Diagram: RDSH desktops and Windows 10 desktops)
21. Access Point and Security Server Comparison
Access Point (AP):
Hardened Linux Appliance
Optional Multifactor Authentication: Smartcard (Tech Preview)
Dynamic Pairing to Connection Server via Load Balancer
Security Server (SS):
Windows Server
Static Pairing to Connection Server
Product rows in the table: Horizon View; Horizon Air; Mirage Gateway (Future Release); Workspace Portal (Future Release); Project Enzo (Future Release)
[Clip 2] 90 seconds (entirety spoken by Ted OFF camera)
To begin our talk, I'd like to introduce two analogies which illustrate and draw parallels to the modernization of today's datacenter.
The first analogy is tied to one of my passions, architecture.
Moving left to right, the images progress to show improvements in construction materials and techniques.
The Roman aqueduct on the far left was the height of technology in its day, and starting in the year 1110 the innovation of the structural buttress allowed taller buildings with larger windows.
But it was the development of construction-quality steel that ignited our ability to go higher and allowed the Empire State Building to rise to fourteen hundred feet. Today the use of steel has become the norm. Finished in 2010, the Burj Khalifa is the world's tallest building, and amazingly it was created with a smaller construction crew and approximately one-half the steel used in the Empire State Building.
The second analogy is the development of the modern automobile. Initially assembled by hand in small custom workshops, production was revolutionized with new techniques such as the assembly line, which made the process much faster and also reduced errors. Today's modern manufacturing plants are highly automated, with robots performing an extensive amount of the work. The improved automation has made the line faster still and further reduced human error, and staff workload has shifted mostly to design and engineering.
This growth and movement towards application access on the go drives a whole new approach to Mobile Security and Identity
We can now see the old mindset was myopic and even limited.
For example, in the old world of devices, the mantra was always "lock it down, device by device". However, the ugly truth is that only a small percentage of mobile devices were actually secured.
The focus was usually on encrypting devices like routers to prevent denial of service attacks.
This is the legacy security model - Optimized for securing data but not the apps which tap into the data.
And now in the world of cloud data centers, with this mindset we see those who have invested billions to shore up the perimeter are not always keeping the bad guys out.
Taking the new approach with identity management, the entire chain is secured
We have to think beyond locking down an individual smart phone, tablet, or even a router – and focus instead on securing the applications and users in a dynamic way
Equally important, we need to think beyond managing compliance – and instead manage risk in a substantive way
T: What we need is a smart game plan. As I thought about this, an analogy came to mind that’s appropriate here in the home of the great “Barca” (pronounced “Barsa”) football club…
Consumerization has created employees with high expectations.
And as a result…employees have moved on and the enterprise is stuck in the client-server world. And my assertion is that those that don’t move on, every single one of them will be obsolete within the next 5 years.
In the not-too-distant past, we saw Software-As-A-Service spending begin to out-pace On-Premises Software Spending. In doing so, security shifted from the traditional “Network” model to the very mobile “Identity” model.
COMPANY SIZE
10,000+ customers in 150 countries
1,600+ employees across nine offices
500+ research and development resources
Recognized as the industry leader
Expertise in building enterprise solutions
PRODUCT SCALABILITY
Advanced integration and partner ecosystem
Common development platform
Broadest mobility solution set
Multitenant, highly scalable architecture
Flexible delivery: cloud and on premise
As we can see, Identity Management and Mobility Solutions go hand in hand by allowing flexible management and security of the data accessed by users on the end point devices in question.
VMware Identity Manager does this by providing a Common Application Delivery Model for customers to deliver ANY number of applications across all devices. Whether a customer has one or one-thousand applications, the physical and management costs are the same.
1 or 1000… The cost is the same…
No matter the application, the service, or the device, the user gets the same experience with one login.
VMware Identity Manager comes in two flavors: the SaaS offering and the On-Premises offering.
Currently the SaaS offering does not support On-Premises features such as Horizon 6, Citrix XenApp, and ThinApp deployment. These features are only supported by the On-Premises offering of VMware Identity Manager Standard.
The On-Premises offering of VMware Identity Manager comes bundled with the Horizon 6 Advanced and Enterprise bundles as well as the Horizon App Management Bundle.
VMware Identity Manager standalone SKUs also come in two flavors:
- Standard: the On-Premises offering only (VMware-only offering)
- Advanced: the customer can choose either the On-Premises or the SaaS offering
NOTE: STANDALONE SKUS WILL NOT EXIST AFTER 2015!
VMware Identity Manager Advanced comes bundled with AirWatch Blue and Yellow. The customer has the option of the SaaS offering or the On-Premises offering; which one they choose depends on the features they need, since the SaaS offering does not support the On-Premises features listed above.
Connecting VMware Identity Manager with AirWatch brings a number of enhanced benefits:
A single application catalog of all applications and services provided across all systems and devices, presenting each application in the fashion needed, whether SaaS applications, mobile applications, or even Windows applications
A variety of policies for dynamic conditions, giving admins the ability to use Device Restrictions for greater control of corporate content whether the device is corporate owned or personal
Finally, not only application but device usage analytics, to better understand how your end users work
So in that context, let’s look at three core pillars.
What we're doing in the world of desktops and laptops, what are we doing in the world of mobile and machine, and how we think we can help you share content and data in the next generation.
This feature will enable 4K (3840x2160) monitor support for View.
Up to 3 monitors are supported with HW11 on Windows 7 with Aero off.
Only a single monitor is supported with Windows 8, with Aero on in Windows 7, or with HW10.
Expect some bandwidth increase, but not necessarily 4x. If you take, for example, 1080p video inside a 4K-resolution desktop, the video is still only 1080p and not 3840x2160. If the video itself is 3840x2160 then the bandwidth will go up. There is no test data at this point to refer to. It will require more, but will depend on the usage patterns and of course the number of monitors. WAN use cases will need to be tested before implementation.
Zero clients will be supported, but they won't necessarily support high DPI scaling. We don't have DPI scaling in the Windows client, even though we already have it in the Mac client.
When you enable 3D support for a desktop or RDS application, the maximum resolution inside the guest that you will be able to support is 2560x1600 – http://blogs.vmware.com/euc/2015/03/nvidia-grid-vgpu-vmware-horizon.html
Video memory guidance around 4K monitors will be provided at GA.
Susie launches a media player app and changes settings on the application.
She then logs on to a Windows 8 virtual desktop and opens the media player app; the resized window and icon bar persist across sessions.
Will enable UEM to act on information from the client prior to the user logging into the session, so UEM can customise the user experience at an earlier stage.
Tested on WAN up to 250ms latency, but performance may be a factor as latency and packet loss increase.
Now includes compression to reduce network bandwidth and the time to load.
Now includes AES encryption (SHA-256) to protect data in transit.
Support for Mac is now GA.
Existing legacy farms are renamed to Manual Farms.
At present, RDSH servers have to be manually created and added to farms, which form the building blocks of Remote Desktop (RDS)/application pools. As the RDS servers in a farm are not linked clones, it is not possible to recompose farms, resulting in the following drawbacks:
Requires an ESD tool set to manage patching and application deployment
Increased storage requirements, as there is no sharing of the base OS/app disk across multiple RDS servers
Using View Composer's linked clone technology to build out RDS server farms will solve all of the above issues.
With RDSH there is only an OS (internal) disk; there is no User Data disk or System Disposable disk.
This feature provides a configurable means for an RDSH to report its current load to the broker. It takes the form of a script which the agent can execute and whose output is a single number. The load value is then reported back to the broker with session state responses (asynchronous and queried). The script may report CPU utilisation, memory utilisation or any other metric the administrator wishes to use for load balancing. For new sessions, the broker uses the load values to order the servers. The agent maps the single number returned by the script to a preference as shown in the table for the 4 possible values that can be returned.
The default load value for an agent is MED. This is returned in all cases where a load script hasn't been configured. Where a script is executed but doesn't complete within 10 seconds or returns an unsupported value, the load preference value is set to BLOCK and the agent sets its state to 'configuration error', which effectively removes the RDSH from the pool of available RDSH for brokering. Where a valid load preference value is already cached, a registry flag makes it possible to override the default behaviour of placing the RDSH into a 'configuration error' state.
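The agent-side rules in the two paragraphs above (default MED, 10-second timeout, unsupported value → BLOCK plus 'configuration error', registry flag to keep a cached value) and the magnetic-session rule from slide 18 are easiest to see together. The following added example (not VMware's agent or broker code) models both sides. The numeric mapping from script output to preference is an assumption, since the page refers to a table that is not reproduced here; the load scripts are plain Python callables standing in for the VBScript the agent would run, and a raised TimeoutError stands in for a script that does not finish within the timeout.

```python
"""RDSH load reporting and brokering as described in the notes above.

Added illustration, not VMware's agent or broker code. The agent-side rules
(default MED, 10-second timeout, unsupported value -> BLOCK plus
'configuration error', registry flag to keep a cached value) and the
broker-side "magnetic session" rule come from the page. The numeric mapping
from script output to preference is an assumption; the page refers to a table
that is not reproduced here. Load scripts are callables standing in for the
VBScript the agent would run, and a TimeoutError stands in for the script not
finishing within the timeout.
"""

# Assumed mapping of the script's single number to a load preference.
SCRIPT_VALUE_TO_PREFERENCE = {0: "BLOCK", 1: "HIGH", 2: "MED", 3: "LOW"}
# Broker ordering: least loaded first. BLOCK is never brokered to.
PREFERENCE_RANK = {"LOW": 0, "MED": 1, "HIGH": 2, "BLOCK": 3}
SCRIPT_TIMEOUT_SECONDS = 10   # from the notes; stand-in scripts raise instead of sleeping


class RdshAgent:
    def __init__(self, name, load_script=None, keep_cached_on_error=False):
        self.name = name
        self.load_script = load_script                    # callable returning the script's stdout
        self.keep_cached_on_error = keep_cached_on_error  # stands in for the registry flag
        self.cached_preference = None
        self.state = "available"

    def report_load(self):
        """Run the load script and return the preference reported to the broker."""
        if self.load_script is None:                      # no script configured: default MED
            self.cached_preference = "MED"
            return "MED"
        try:
            preference = SCRIPT_VALUE_TO_PREFERENCE.get(int(str(self.load_script()).strip()))
        except (TimeoutError, ValueError, TypeError):
            preference = None                             # timeout or non-numeric output
        if preference is None:                            # also covers numbers outside 0..3
            if self.keep_cached_on_error and self.cached_preference is not None:
                return self.cached_preference             # registry flag: keep last good value
            self.state = "configuration error"            # host leaves the brokering pool
            self.cached_preference = "BLOCK"
            return "BLOCK"
        self.state = "available"
        self.cached_preference = preference
        return preference


def cpu_load_script(cpu_percent):
    """Constructed stand-in for a perfmon-reading VBScript: CPU % -> single number."""
    def run():
        if cpu_percent >= 95:
            return "0"
        if cpu_percent >= 75:
            return "1"
        if cpu_percent >= 40:
            return "2"
        return "3"
    return run


def hung_load_script():
    """Stand-in for a script that does not complete within the timeout."""
    raise TimeoutError("load script exceeded %d s" % SCRIPT_TIMEOUT_SECONDS)


def broker_pick_host(agents, user, existing_sessions):
    """Choose the RDSH for a user's connection.

    existing_sessions maps user -> host name. A user with an existing session
    is sent straight back to it (magnetic session), regardless of load. New
    sessions go to the host with the best preference; hosts in 'configuration
    error' or reporting BLOCK are excluded.
    """
    if user in existing_sessions:
        return existing_sessions[user]
    candidates = []
    for agent in agents:
        preference = agent.report_load()
        if agent.state == "available" and preference != "BLOCK":
            candidates.append((PREFERENCE_RANK[preference], agent.name))
    if not candidates:
        return None
    candidates.sort()
    return candidates[0][1]


if __name__ == "__main__":
    farm = [RdshAgent("rds1", cpu_load_script(50)), RdshAgent("rds2", cpu_load_script(10)),
            RdshAgent("rds3"), RdshAgent("rds4", lambda: "not a number")]
    print(broker_pick_host(farm, "alice", {}))              # least loaded host
    print(broker_pick_host(farm, "bob", {"bob": "rds4"}))   # magnetic session wins
    print([(a.name, a.state) for a in farm])
```

Two operational consequences fall out of the model: a broken or slow load script silently takes a host out of the farm (watch for agents in 'configuration error'), and a magnetic session reconnects a user even to a host that is currently reporting BLOCK, so draining a host requires ending sessions, not just raising its load value.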
An authenticating reverse proxy implemented as a hardened SLES 11 virtual appliance
Transparent to client and Connection Server
Ensures that all traffic entering the data center or cloud tenant environment is traffic on behalf of an authenticated user
Optional authentication will mean that you can authenticate users at the DMZ and only pass through authenticated users' sessions; this is planned for future releases.
Remove Windows servers from the DMZ
Hardened SLES 11 appliance
Many-to-many means that there is no longer a tie between a Security Server and a Connection Server
Dynamic pairing
Improved remote access deployment flexibility
Any combination of remote or local access
Independent horizontal scale up/scale down
Authentication support through a common identity (auth broker) service, enabling Multi-Stage authentication (e.g. SmartCard in the DMZ)
Smart Card/CAC Card (X.509 user certificates) – Tech Preview
Pass-Through
RSA SecurID and RADIUS, SAML & AD Username/Password are performed on the Connection Server using Pass-Through
Feature Parity with Security Server
Product version independence
Access Point or Horizon View can be upgraded independently of each other
So to round it out, VMware is continuing to innovate. Some of the most recent innovations I just went through, including Horizon FLEX, now allow us to address more use cases and more end users than ever before.
These services can all be delivered centrally from the datacenter and, in the case of Horizon 6, really allow you to deliver virtualized desktops and apps to end users across devices and locations. Horizon Air extends these capabilities to third parties and allows customers to offload the management and costs associated with the day-to-day maintenance of these services. And now Horizon FLEX allows us to address BYO users who are largely disconnected from the network with containerized desktops, or what I like to call MDM for the laptop.