We continue to publish materials from the “Collaborative Security of Cloud Solutions for Business” forum, which we conducted together with Kaspersky Lab and HUAWEI on May 31 in Moscow. We present the report by Ivan Yudichev from Huawei, "Protected workplace based on VDI Huawei FusionCloud Desktop Solution 6.1."
My name is Ivan Yudichev, I work at Huawei on cloud projects and public sector support. I have been engaged in cloud projects for quite a long time already; I started when I worked on the customer side, somewhere around 2010. Then there was Microsoft, then there was VMware, and finally Huawei, where we continue to develop the good traditions of server virtualization and VDI. But today I will talk more about VDI.
For several years, Huawei has intensively developed its portfolio of cloud products, and these efforts were not in vain. Today IDC, which can hardly be accused of biased assessments, puts us among the Major Players. Three years ago nobody could even think about it, but today our solution is in many ways on par with, or even better than, the well-known manufacturers on the market. Let's look at the key functions in more detail.

Solution architecture. By itself, VDI is deployed in some kind of cloud environment. Theoretically it can work by providing remote access using traditional computers, but when we talk about virtualization of the working environment, it is usually about the cloud. And if we are talking about VDI in this context, then the solution architecture is as follows. At the lower level there is equipment: servers, storage systems, a network, which are then abstracted using a cloud environment. Further, on this cloud platform we deploy the entire set of software, which allows us, first, to deploy virtual machines for users, and, second, to serve as a connection broker for users to distribute and automate the process. I think you are familiar with the basics of VDI. Thus, the complete Huawei solution looks like this: the FusionSphere platform, and Huawei FusionAccess as the software that allows you to create virtual desktops.
We work intensively with partners, for example, with RUVDS, and therefore we can create, let's say, not boxed solutions, but solutions aimed at cloud providers. That is, there is a partner's personal account, while we provide the infrastructure and ensure the work of the desktop, and we offer our efficient desktop access protocol (HDP), while you receive all the benefits of using a local domestic cloud.
About the architecture. In principle, many of these components are replaceable, for example, the equipment can be from another vendor. Theoretically, the hypervisor may be different too, but we still recommend using ours, because we carry out a full cycle of testing and guarantee the quality of the final solution. Although in principle, there may be options.
As for thin clients. We, as a supplier of a single solution, naturally also supply thin clients, but if you already have some workstations that you don’t want to write off, you can safely use them. We have a software client that runs under Linux, under Windows, under Mac, so you can save money and use existing hardware.
As for the guest operating systems we support. Naturally, Windows 7, 8, 10, that is, full support for them exists today. Also, in order to avoid paying for the Microsoft VDA license and to reduce the cost of the desktop in CapEx, you can deploy virtual desktops based on Windows Server. This is one of the opportunities we provide. There is an obligatory stage of certification, of testing applications to see whether they will work under Windows Server or not, because there may be nuances. But in 90 percent of cases it all works fine, in the client operating system and in the server one. And many customers use this method, deploying server operating systems as client ones. Most often, questions arise with some in-house applications, such as Java ones, or self-developed plug-ins. That is, standard things like MS Office will almost completely work in a server environment. In my practice, there were no situations where well-known software did not work in Windows Server. Problems arose with some highly customized software, but such things also happen when migrating from XP to 7, from 7 to 8, that is, this is a standard story.

Returning to the methods of provision, today we still say that we have a cloud, that is, it is enough to take a thin client, install it, connect to a remote environment, and everything will work for us. Yes, this option is possible, of course. This is desktop as a service, DaaS in this case. There are also options to build the infrastructure on your own and to maintain it yourself; this is a higher degree of control, but at the same time, higher costs. There is an option to build hybrid solutions, as I have shown here in the picture. That is, something can be deployed in a public cloud, something can be deployed locally. Here you need to choose the best solution for yourself. Going by best-practice experience, public desktops are suitable for almost everything, with rare exceptions; if you have very specific data that should only be available in Russia, you can use the “Rucloud” data center in Korolev. But here I must point out that our software allows different options.

Further, the software that provides the VDI service is called FusionAccess. To date, the current version is version 6.1, but even in version 6.0 there are a lot of interesting features that I will briefly run through now. I have highlighted a few of the most important, in my opinion.

What do we support since version 6.0? We support Linux as a guest operating system. A frequent question is when we will start supporting Linux; since the beginning of this year we support it. Ubuntu and RedHat distributions are supported. Thus, now there is no need to use only Windows and pay for a license; you can use free Linux and get an even more profitable VDI at the expense of it. That is, functionally, it is almost the same. Naturally, you get the maximum set of functions in Windows, but such basic things as working with flash drives, working with printers, and with audio are available in Linux as well. 80 percent of cases are the use of standard features, so you can choose either one (Windows or Linux) and at the same time not feel somehow deprived.

Further, full support for working with 4K resolution appeared. This can be, in principle, a multi-monitor configuration, or a single monitor with Ultra HD resolution. It is most often used in graphic design or in development for CAD applications. Looking ahead, I’ll say that in version 6.1 we also added support for graphic video editors that work in 4K mode. There were some specific requirements, and it took half a year to fully test the solution. Now it works too.

There is a watermark function on the desktop. Let's just say, if someone reads something super secret and carries it away in their head, this naturally will not save you, but this function somewhat complicates the lives of those who photograph confidential information on a smartphone in order to later post it somewhere in the public space and refer to it. That is, you can now put watermarks with the date and user name, and they can be not only static but also dynamic. Traces of such marks usually remain in the photo, and it is very difficult to remove them. Thus, life becomes somewhat more complicated for this kind of character.

We have greatly simplified the deployment of the core of the system in version 6. You are unlikely to be familiar with FusionAccess version 5, but from my own experience I remember that to run the solution it was necessary to deploy a huge number of virtual machines, some of them on Linux, some on Windows. Here, from version 6.0, we dramatically simplified this process: there is one installation package, one version of Linux, all virtual machines are installed from this disk, and the deployment process shrank about five times in time.
Further, after the software is installed, there is no need to run through the various menu items. An automatic wizard is launched, which allows you to customize the software with prompts in the way it meets your requirements.

The LazyDesk function appeared. This is how it looks. There is a thin client, and a specific virtual machine is uniquely associated with it by its ID. Further, when you enter credentials in the thin client, the connection to the virtual machine occurs automatically, and there is no visual difference for the user whether he logs in to a local PC or works with VDI. This can be very convenient for some public terminals, warehouses, medical institutions, or for some remote points where there are a lot of problems with users, where it is difficult for them to understand that they need to log in once and then log in again. In order to avoid this, you can use the LazyDesk function: rigidly associate the client with the virtual machine, enter the credentials once, log in once, and there is a complete feeling that you are working on a local computer.

Further, from the point of view of the system administrator. This is probably more of a simplification for our partners, but nonetheless. The process of preparing a template for a virtual machine has been reduced by a factor of three to four. Previously, there was a huge 30-point guide that needed to be carefully followed to make sure that the operating system was configured correctly; now there is no such thing. We have a wizard with three big buttons: make me such a desktop, or such and such, depending on what task you have. That is, you press the button once, the scripted process goes through, and that is it: the virtual machine is ready, and you can wrap it in a template.

Further, a very wide range of compatible peripherals. In fact, we have a large list of specific products tested, you can contact us, we will send it, we will show it. There are a lot of things, there are both webcams and printers, all the main client devices that can be included in the thin client, they most likely have already been tested by us. Here it is meant to work with software and to work with our thin clients.
And returning to the question of third-party thin clients and workstations, you can go through a specialized process, the certification process, and upon its completion, if all the points are passed, you can get the HuaweiReady label. This means that this thin client is fully compatible, it can be used to work with VDI.

And now a few words about what appeared just recently, less than a month ago, when version 6.1 was released. If earlier desktops on server operating systems were on versions 8 and 12, now you can use Windows Server 2016. The sixteenth version is a fully 64-bit operating system, and the block responsible for emulating the 32-bit environment is cut out, therefore there are compatibility issues, as noted earlier. That is, you need to test. That is why we put the note that this function is in limited commercial use, that is, it is not for wide use, but only after preliminary tests. Technically, there are no problems, it looks just like Windows 10. The advantages for VDI, as with any server operating system, are in licensing.

Further, with version 6.1, a universal webcam driver appeared. Previously, the only way to interact with a webcam was to use Windows DirectShow filters. Now there is an option to access the camera directly, and this is very much in demand when working with corporate VoIP applications, Cisco Jabber, for example, or Skype. That is, you can now work with the camera directly and use its capabilities, not to mention the fact that it somewhat reduces the loss of performance.

An opportunity appeared to combine graphics cards into pools. That is, graphics support itself worked even earlier, but each time you had to manually assign a graphics adapter to a virtual machine. Now this is not necessary: all graphics cards are in the pool and are automatically picked up from it if necessary, if the task is to start such a (graphics) virtual machine. At the end of work with it, the graphics card returns to the pool. This solution is very convenient when there are, for example, about a dozen engineers who work in CAD systems, but there can be about five or even fewer nVidia M60 cards. That is, it allows you to save a little on the cost of graphics, increase control and facilitate management.
4K resolution in video editing, as I said, is now fully certified, tested, and works.
A function of sound and video redirection when working with thin clients appeared. Previously, a VoIP application client was installed in the virtual machine, the virtual desktop, and audio and video were processed there. The sound is sent to the data center, it is processed, it is returned. This process overloads the channels. In order to avoid this, there is a function of audio and video redirection: an application or a plugin is placed on the thin client, and from then on sound and video go directly from the thin client, bypassing this loop to the data center and back, that is, you do not contact the data center every time you need to call someone, and ultimately this allows more users to fit on the same channel. So far we have had tests with Cisco Jabber, but theoretically any software can work, you just need to test and check.

There is a separate plugin for Skype for Business. In the case of Skype, the plugin is put in the thin client. In the case of Cisco Jabber, as mentioned earlier, the entire application is placed directly into the thin client.

Further, another interesting function that has appeared is the function of rollback to the original version of the desktop. Traditionally, the work is as follows: the user works in his working environment, changes the system files, makes entries in the registry, then, suppose he stopped working with this desktop, disconnected from it, logged out. Previously, this virtual machine had to be destroyed and a new one deployed; now it is possible to write all the changes that the user makes to a separate file. After the user doesn’t need the virtual machine anymore, it is turned off accordingly, the file is deleted, and the machine is ready to work again. That is, it somewhat reduces the time for putting new machines into operation and, in principle, reduces the parasitic costs of deployment and redeployment of typical virtual machines.

The WAN Optimization function appeared. Its essence is this: when the channel is not very good, unstable, weak, it may be enough for office work, but if you start a video in a window, the channel can simply go down after that. And, unfortunately, you cannot even turn the video off, because the interface has simply lost its responsiveness. So in order for this not to happen, there is the WAN Optimization function. It automatically determines that the video in the virtual machine has eaten the entire channel and the interface has lost responsiveness, and as a result it stops drawing just this window, the interface comes back to life, and you can continue to work accordingly.

A function to manage user profiles appeared. In principle, it was possible to manage profiles earlier using the Windows Roaming Profile, but such a solution has certain drawbacks, because the Windows Roaming Profile itself needs to be set up. It sometimes does not work very stably when the connection to the central server where the profiles are stored is lost, that is, there may be a brief disconnection, and after the server returns to working mode, it happens that the desktop is not rendered and you have to log in again, which is not convenient. To avoid this, or if you don’t want to or cannot configure the Roaming Profile in Active Directory, or if you simply don’t want to use Active Directory, for example, for test users for whom local machines are enough, you can use the built-in Profile Management. It is integrated both with Active Directory, if it exists, and with our local LiteAD, and allows you to manage profiles using FusionAccess, and not some external system.

I mentioned LiteAD. It can serve for some applications where a full-fledged Active Directory is clearly unnecessary; maybe this is some kind of closed test environment, or a company of ten people, why would it need AD. You can use the built-in functions of FusionAccess, that is, the built-in system directory with user management through the FusionAccess interface. This allows you to very quickly and effectively deploy a working environment for a not very large number of users.

As for licensing. If this product is purchased for your own data center, then it is licensed in two ways. There is a named license and there is a license per connection. Accordingly, there are three types of licenses. Standard is the usual desktop, that is, just a virtual machine in which the user works. SBC, Server-based Computing, is in fact terminals. That is, SBC is a license to use the terminal VDI mode. Advance, respectively, allows you to use both standard mode and terminal mode; it is the most complete edition. It is important to note that when using the FusionSphere cloud platform only for VDI deployment, the platform is provided free of charge.