Huawei FusionCloud Solution 6.1 Application Virtualization Technical White Paper
Issue: 01
Date: 2017-02-03
HUAWEI TECHNOLOGIES CO., LTD.
Copyright © Huawei Technologies Co., Ltd. 2017. All rights reserved. No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of Huawei Technologies Co., Ltd.
Trademarks and Permissions and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd. All other trademarks and trade names mentioned in this document are the property of their respective holders.
Notice The purchased products, services and features are stipulated by the contract made between Huawei and the customer. All or part of the products, services and features described in this document may not be within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information, and recommendations in this document are provided "AS IS" without warranties, guarantees or representations of any kind, either express or implied. The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but all statements, information, and recommendations in this document do not constitute a warranty of any kind, express or implied.
Huawei Technologies Co., Ltd.
Address: Huawei Industrial Base, Bantian, Longgang, Shenzhen 518129, People's Republic of China
Website: http://e.huawei.com
Issue 01 (2017-02-03)
Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd.
Contents
1 Overview
1.1 Application Virtualization Overview
1.2 Comparison Between Mainstream Desktop Cloud Solutions and Selection Suggestions
1.3 SBC Benefits for Customers
2 Introduction to Application Virtualization Solutions
2.1 Application Virtualization Solution Architecture
2.1.1 Logical Application Virtualization Architecture
2.1.1.1 Infrastructure Components
2.1.1.2 Security Access Gateway
2.1.1.3 Application Release Server
2.1.2 Physical Application Virtualization Topology
2.1.3 Application Virtualization Software Deployment
2.2 Application Virtualization Implementation Principle
2.2.1 Typical Service Process of Application Virtualization
2.2.1.1 Application Virtualization Features Depending on Windows Operating System Services
2.2.1.2 Application Virtualization Obtaining an Application List
2.2.1.3 Application Virtualization Pre-Connection Process
2.2.1.4 Application Virtualization Login and Connection Process
2.2.1.5 Application Virtualization HDP Supporting Isolation Between Sessions
2.2.1.6 Service Provisioning Process of Application Virtualization
2.2.2 Main Application Virtualization Features
2.2.2.1 Application Access Service
2.2.2.2 Shared Desktop
2.2.2.3 Remote Application
2.2.2.4 APS Load Balancing
2.2.2.5 GUI
2.2.2.6 Native Gesture Experience
2.2.2.7 Application Self-service Maintenance
2.2.2.8 Local Application Experience
2.2.2.9 Application Session Management
2.2.2.10 Policy Configuration
2.2.2.11 User Data Storage
2.2.2.12 Running Remote Applications on Shared Desktops
2.2.2.13 Comparison with Features of XenApp
2.3 Limitations on Application Virtualization
2.3.1 Windows Server Operating System
2.3.2 Terminal Type
2.3.3 User Experience
2.3.4 Software Compatibility
2.3.5 Profile and Personal User Data Storage
2.4 Application Virtualization Competitiveness Comparison
2.4.1 Competitiveness Comparison (Do Not Provide This Table for the Customer)
3 Application Virtualization Scenarios
3.1 Branch Scenarios
3.1.1 Scenario Description
3.1.1.1 Challenges
3.1.1.2 Solution
3.1.2 Solution Advantages
3.2 Scenarios for Separation Between Intranet and Internet
3.2.1 Scenario Description
3.2.1.1 Challenges
3.2.1.2 Solution
3.2.2 Solution Advantages
3.3 Simple Office Scenarios
3.3.1 Scenario Description
3.3.1.1 Challenges
3.3.1.2 Solution
3.3.2 Solution Advantages
3.4 Mobile Office Scenarios
3.4.1 Scenario Description
3.4.1.1 Challenges
3.4.1.2 Solution
3.4.2 Solution Advantages
4 Key Application Virtualization Performance Indicators
4.1 Key Performance Indicators
5 FAQs
1 Overview
1.1 Application Virtualization Overview
Traditional distributed application deployment is becoming increasingly complex, and its cost keeps rising. IT personnel must continuously roll out new application versions and install patches on thousands of devices. As a result, many user devices do not run the latest application versions. In addition, applications and data stored on user devices are insecure and conflict with each other, which may cause a device to slow down or even break down. With rising IT service costs and falling production efficiency, organizations cannot ensure data security and high-quality user experience or meet service requirements.
Rapid infrastructure growth and the sharp increase in IT hardware and applications drive virtualization development. Increasingly large IT systems are distributed more and more widely, which makes management complex and difficult, while the service, management, and monitoring pressure to strengthen IT control keeps increasing. Application virtualization helps organizations improve service efficiency, enhance employee mobility, comply with security, monitoring, and management specifications, and support new market development, service outsourcing, and service continuity.
With a platform for centralized deployment of IT application clients at its core, application virtualization aims to run user applications and data in a unified manner on cloud platforms, transparently to users, so that users get the same experience as when accessing local applications and obtain the same computing results.
Huawei FusionAccess SBC provides flexible customized application delivery systems, in which optimal application delivery modes can be dynamically selected based on user, application, and network requirements. Huawei FusionAccess SBC features:
Simplified IT management: Applications are centrally deployed in data centers so that IT can deliver applications to any user anywhere, and delivery modes can be adjusted to meet changing service requirements, reducing the support needed after deployment.
Quick application performance and IT response: Centralized architecture improves the performance of applications connected to devices over any network and of applications that run on any device. New applications can be delivered to users in a few seconds, applications can be updated in one-off mode, and update programs are released to users in a timely manner. This helps IT departments allocate resources, ensuring optimal performance for key users and applications.
Centralized application delivery based on service modes: Centralized application deployment reduces application management costs, and centralized control and secure access improve security. Centralized architecture frees IT personnel from installing or managing applications on distributed terminals. Instead, applications and server images are stored, maintained, and updated in data centers in one-off mode, and then delivered to users as required. This simplifies IT management, avoids application conflicts, implements real-time updates, and reduces the need for repairs and upgrades.
Any device and anywhere: Users can access applications from any device anywhere in self-service mode. Users can access applications and data in a secure and timely manner by using any client, operating system, or device, such as a desktop PC, portable computer, thin client, iPhone, or Android phone.
Improved information security: Centralized application delivery enables the most secure application delivery architecture. Data is stored in data centers. Only a small amount of control information (mouse and keyboard actions) and screen updates are transferred through the network. IT administrators can assign access, print, and storage permissions to specific applications and user groups, ensuring the security of important information.
1.2 Comparison Between Mainstream Desktop Cloud Solutions and Selection Suggestions
Widely used mainstream desktop cloud solutions include virtual desktop infrastructure (VDI) and server-based computing (SBC).
Traditional VDI is centrally managed desktops based on virtual machines (VMs): it enables Windows XP, Windows 7, or Vista desktops to run on a server. For example, using server virtualization technologies, one physical server can concurrently run 60 Windows 7 desktops, and these desktops are then delivered to the terminals of 60 users. The users see virtual desktops on their terminals, but the real desktops run in a data center. Desktop virtualization VDI is applicable to scenarios in which applications are complex and users have more personalization requirements.
In certain application scenarios, SBC is also a good choice for application virtualization because:
Applications need to be installed only once. During application virtualization, multiple users share the same application instances. Therefore, applications only need to be updated at one place, and the applications of all users can be immediately updated.
Costs are reduced. In an SBC environment, one physical server supports concurrent access of hundreds of users.
Application compatibility problems are inevitable because VDI can release server desktops only, desktops are basic units for load balancing, and all necessary applications must be installed on each server. SBC can install incompatible applications on different servers and release them to the same user.
Compared with VDI, SBC is applicable to mobile terminals, such as mobile phones, because SBC enables application windows to be displayed on screens of mobile phones, bringing good experience.
The following table compares the mainstream desktop virtualization technologies: VDI, SBC shared session desktop, and SBC shared session application.

User experience
  VDI: Users have dedicated operating systems.
  SBC shared session desktop: Users have different desktops that are based on the same operating system.
  SBC shared session application: Users can only see shortcut icons of the published applications. User experience is the same as that of local applications.
Hardware resource usage
  VDI: Hardware resource usage is high because a VM is provided for each user. Each VM occupies CPU, memory, storage, and I/O resources.
  SBC shared session desktop: Fewer resources are required because each user only occupies the resources required by a virtual desktop.
  SBC shared session application: The fewest resources are required because each user only occupies the resources required to run the desired application.
Software requirement
  VDI: Software requirements are high because VDI software and the VDA license for virtual operating systems must be purchased.
  SBC shared session desktop: Less software is required because only the SBC software license and the Microsoft Remote Desktop Services (RDS) license must be purchased.
  SBC shared session application: Less software is required because only the SBC software license and the Microsoft RDS license must be purchased.
Deployment cost
  VDI: The server and storage performance and capacity requirements are high; therefore the deployment cost is high.
  SBC shared session desktop: The deployment cost is low because user density is high.
  SBC shared session application: The deployment cost is low because user density is high.
Management difficulty
  VDI: Management difficulty is high because user data and systems are deployed on servers, and therefore VDI software and background infrastructure components must be maintained.
  SBC shared session desktop: Management difficulty is low because only shared operating systems and released applications need to be managed, and SBC software and background infrastructure components must be maintained.
  SBC shared session application: Management difficulty is low because only shared operating systems and released applications need to be managed, and SBC software and background infrastructure components must be maintained.
1.3 SBC Benefits for Customers
Centralized application deployment and IT management optimization ensure that clients do not need to be maintained, that the maintenance workload of IT departments is reduced, and that deploying new applications and upgrading application software is faster.
Good application access experience and network bandwidth reduction: SBC has low requirements for network bandwidth. In normal state, each user occupies about dozens of kbit/s of bandwidth. Branches can reach satisfactory speeds and performance, reducing costs on private lines.
High data transfer security: During application access through desktop protocols, actual service data is not transferred over networks, and only mouse and keyboard actions on clients and screen updates are transferred. This keeps data centralized, unified, and secure.
Client PC reuse and device update cost reduction: Virtualization-based application access reduces performance requirements on client PCs, lengthens the interval between device updates, and saves costs.
Low project implementation risks, few impacts on existing customer systems, and no change of user habits: Existing systems do not need to be reconstructed to deploy the SBC solution; only new SBC servers need to be deployed. Original operation GUIs and use modes are retained so that no extra user operation training is necessary.
Mobile office anywhere at any time: Users can use various terminals (including mobile phones, tablets, and laptops) to access service applications over networks anywhere at any time. This improves office flexibility and efficiency.
2 Introduction to Application Virtualization Solutions
2.1 Application Virtualization Solution Architecture
2.1.1 Logical Application Virtualization Architecture
Figure 2-1 Logical application virtualization architecture (diagram not reproduced; labels in the diagram: TC/SC with HDP Client, vLB/vAG and SVN, access control, virtual desktop management and virtual application management with WI, HDC, License, ITA, DB, Loggetter and TCM, existing IT systems with AD, DNS and DHCP, a virtual desktop resource pool of Win7/WinXP VMs with HDA and HDP, a virtual application resource pool of APS on Windows 2012 R2 with HDA and HDP multisession, and the cloud platform)
Application virtualization is developed based on VDI. Compared with VDI, application virtualization adds the APS application resource pool and Huawei Desktop Protocol (HDP) multisession functions. In addition, the virtual desktop management module provides capabilities for managing virtual applications. Therefore, unified access protocols, desktop application management, and access control are available on the unified architecture of VDI and SBC.
The following table describes the main software components of the SBC solution by logical division, component name, and function.

Client
  AccessClient: HDP client
Security gateway
  vAG/SVN: Security access gateway
Infrastructure component
  WI: Site for user access and application display
  HDC: Session access management
  License: License server
  GaussDB: System data storage
  ITA: Provisioning of virtual application services and monitoring of system performance and user access experience
  Microsoft RDS Licensing: Microsoft RDS licensing
Application release server
  APS (HDA): Computing resources for application release
2.1.1.1 Infrastructure Components
Web Interface (WI): WIs provide web login pages for users. After a user sends a login request to a WI, the WI forwards the user login information (encrypted username and password) to HDC, and displays the VM list or application list provided by HDC to the user. In the FusionAccess solution, multiple WIs implement load balancing. WIs implement load balancing between HDCs after you set the HDC IP addresses on the WIs.
Huawei Desktop Controller (HDC): HDC, a core component of FusionAccess, provisions virtual desktop services or virtual application services, and manages virtual desktops or virtual applications, login to virtual desktops or virtual applications, and VMs or virtual application policies.
GaussDB: GaussDB stores data for ITA and HDC. The data includes information about associations between VMs and users or virtual applications and users, desktop groups, VM naming rules, and scheduled tasks.
IT Adapter (ITA): ITA provides interfaces and a portal for users to manage virtual IT assets, such as creating and assigning VMs or virtual applications, managing VM images and status of VMs or virtual applications, and operating and maintaining virtual desktops.
License: License manages and delivers licenses of the desktop cloud system and can be used to control the number of users accessing the desktop cloud system.
TC Manager (TCM): TCM manages TCs in a centralized manner, including version upgrades, status management, information monitoring, and log management.
AD/DNS/DHCP: AD is used to authenticate login users. DHCP is used to assign IP addresses in the domain. DNS is used to resolve computer names and desktop cloud domain names for login.
2.1.1.2 Security Access Gateway
vAG: It is the desktop cloud software gateway, used for secure access to the desktop cloud through a gateway and for isolation between internal and external networks.
SVN: It is the desktop cloud hardware gateway, used for secure access to the desktop cloud through a gateway and for isolation between internal and external networks.
2.1.1.3 Application Release Server
Application Server (APS): APS is a component added for SBC features. It is used to externally release applications or shared desktops. Applications released for users must be installed on APS. APS is composed of VMs that run Windows 2012 R2 and applications that run on the VMs and can be accessed by multiple users.
2.1.2 Physical Application Virtualization Topology
Figure 2-2 Physical application virtualization topology (diagram not reproduced; labels in the diagram: office, cloud terminal, intranet, firewall, core switch, VRRP, access gateway, transfer channel, access switch, service network, management network, storage network, management VMs (FusionSphere, AD, FusionAccess), office VM, application virtualization, management cluster, VDI desktop cluster, application virtualization cluster, XX application system cluster, storage resource pool, and cloud data center)
In the physical application virtualization topology, the cloud terminal and access network are the same as those in the physical desktop virtualization topology. Application virtualization clusters are added only in the data center.
The following table describes the main hardware components of the application virtualization solution by hardware type, subtype, model, and function.

Server
  Computing server, model E9000/RH2288 H: Provides loading resources for virtual applications.
  Management server: Implements resource management and scheduling for application virtualization.
Security gateway
  vAG (soft gateway)/SVN: Provides security access functions.
Storage device
  NAS: Stores personal and personalized data of users.
2.1.3 Application Virtualization Software Deployment
Figure 2-3 Application virtualization software deployment (diagram not reproduced; labels in the diagram: a management cluster with management nodes 1 and 2 running VRM, ITA, HDC/WI/DB, TCM/Loggetter and AD/DHCP on UVP; a virtual desktop resource pool of WIN 7 VMs on UVP; and a virtual application resource pool of WIN2008 and WIN2012 APS Servers on UVP)
The mode for deploying application virtualization software is the same as the mode for deploying VDI software.
Management cluster: It deploys FusionCompute and FusionAccess management software.
Virtual desktop resource pool: Virtual application resource pools can be separately provided or provided together with virtual desktops.
Virtual application resource pool: It provides shared desktops and virtual applications. Multiple APS Servers are deployed on one server. Based on current tests, it is recommended that four to six APSs be installed on one server, with load balancing implemented between the APSs.
2.2 Application Virtualization Implementation Principle
2.2.1 Typical Service Process of Application Virtualization
2.2.1.1 Application Virtualization Features Depending on Windows Operating System Services
Application virtualization depends on Windows operating system features. Understanding Windows components and their functions helps in understanding the application virtualization implementation principle. Shell and Terminal Services are components provided by Windows, and application virtualization depends on both.
Shell: Shell is the graphical user interface of the Windows operating system. It contains a desktop, Start menu, task bar, special folders, files, and common folders.
RDS: RDS was called Terminal Services in Windows Server 2008 and earlier versions. It is a Windows operating system component that allows a user to control remote computers or VMs through a network. Initially introduced in Windows NT 4.0 Terminal Server Edition, RDS has improved in each Windows edition from Windows 2002. Since Windows Server 2008 R2 was released in 2009, it has been called RDS.
The RDS service provides a multisession environment in which end users can obtain and save virtual Windows desktops and execute Windows programs on servers, and in which multiple users can connect to the same server and interact with each other. Multiple users can connect to and control the same server, and desktops and applications are displayed on remote computers. In the latest Windows Server 2008 R2 edition, Microsoft allows users to use their own desktop protocols rather than the original Remote Desktop Protocol (RDP) for access and control.
FusionAccess SBC features depend on RDS and support entire desktops and remote applications released based on RDS of Windows Server 2012 R2. HDP is adopted for remote access. Because Windows RDS is used, an application virtualization quotation includes the RDS license quotation.
2.2.1.2 Application Virtualization Obtaining an Application List
Figure 2-4 Obtaining an application list
A client initiates an application list query request, which is then forwarded to HDC through WI. HDC queries the list of applications released by the user based on the client user name, and then WI sends the generated application list to the client.
2.2.1.3 Application Virtualization Pre-Connection Process
Figure 2-5 Application virtualization pre-connection process
HDC-->HDA pre-connection process
Figure 2-6 HDC-->HDA pre-connection process
2.2.1.4 Application Virtualization Login and Connection Process
Figure 2-7 Application virtualization login and connection process
HDP client-->HDA login and connection process
Figure 2-8 HDP client-->HDA login and connection process
[Figure 2-8 is a sequence diagram. Participants: HDPClient, WI, HDC, Mainservice, RDS Adaptation Module, RDS Server, Comm, Shell. Steps shown: initialization interface; pre-connection phase; client connection request; send data; check whether there is a new session; invoke the OnConnected interface; Send(socket) OK, set up communication between a client and communication module; Send(logonTicket), notify MainService of application process startup; Shell sends a notification to the application; application delivery.]
Principles for remotely running applications
1. Set global message hooks on a remote session desktop, monitor behavior of windows displayed on the desktop, and instruct a client to create windows based on the server mode.
2. The client receives instructions from the server for creating or updating windows rather than displaying the remote session desktop. Then the client instructs the server to specify windows based on operations performed by a user on remote application windows on the client.
3. Updates on the display area on the remote session desktop are sent to the client, and intersections between the area and remote application windows are updated in a specified window area.
Process for Shell to start an application
1. A user clicks the icon of an application virtualization program on a client.
2. Shell receives a request from the client for starting the application.
3. If the number of applications that have been started exceeds the maximum number specified in policies, a message is displayed on the client.
4. Shell decrypts the received request and parses HASHID and parameters of the application.
5. Shell checks whether the user has the permission to start the application and whether application parameters are valid to verify the application to be started. If invalid requests are received multiple times, an attack is considered. If this happens, Shell obtains login information, such as session information, IP addresses, and accounts, and sends such information to the administrator.
6. An application virtualization system sets the permission to start processes to prevent excess permission from being used to start processes.
7. The application virtualization system starts the processes. If the startup fails, the system sends the error message to the client.
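The checks in steps 3 to 6 of the Shell start-up process, sketched as an added example that is not FusionAccess code. The JSON request layout, the SHA-256 HASHID, the limits and the alert record are all assumptions, and the request is taken as already decrypted.

```python
import hashlib
import json
import re
from collections import defaultdict
from dataclasses import dataclass, field

# All values below are assumptions for this example, not product settings.
MAX_APPS_PER_SESSION = 2     # policy: maximum number of started applications
INVALID_REQUEST_LIMIT = 3    # invalid requests tolerated before alerting
MAX_PARAMS = 8
# Allow-list for one parameter: no quotes, pipes, ampersands or semicolons.
SAFE_PARAM = re.compile(r"[A-Za-z0-9_.:\\/= -]{1,128}")


def hash_id(exe_path: str) -> str:
    """Hypothetical HASHID: SHA-256 of the lower-cased executable path."""
    return hashlib.sha256(exe_path.lower().encode("utf-8")).hexdigest()


@dataclass
class Session:
    session_id: str
    account: str
    client_ip: str
    started_apps: int = 0


@dataclass
class LaunchGate:
    published: dict                 # HASHID -> executable path (released apps)
    grants: dict                    # account -> set of HASHIDs it may start
    invalid_count: dict = field(default_factory=lambda: defaultdict(int))
    admin_alerts: list = field(default_factory=list)

    def _invalid(self, session: Session, reason: str) -> dict:
        """Count an invalid request; alert the administrator at the limit."""
        self.invalid_count[session.session_id] += 1
        count = self.invalid_count[session.session_id]
        if count == INVALID_REQUEST_LIMIT:
            self.admin_alerts.append({
                "session_id": session.session_id,
                "account": session.account,
                "client_ip": session.client_ip,
                "invalid_requests": count,
                "last_reason": reason,
            })
        return {"decision": "reject", "reason": reason}

    def handle(self, session: Session, plaintext: bytes) -> dict:
        """Decide on one launch request that has already been decrypted."""
        # Step 3: policy limit. A message for the user, not an attack signal.
        if session.started_apps >= MAX_APPS_PER_SESSION:
            return {"decision": "reject", "reason": "application limit reached"}
        # Step 4: parse HASHID and parameters; garbage counts as invalid.
        try:
            req = json.loads(plaintext.decode("utf-8"))
            app_hash, params = req["hash_id"], req["params"]
        except (ValueError, KeyError, TypeError):
            return self._invalid(session, "malformed request")
        if not isinstance(app_hash, str) or not isinstance(params, list):
            return self._invalid(session, "malformed request")
        # Step 5: the application must be released and granted to this account.
        exe = self.published.get(app_hash)
        if exe is None or app_hash not in self.grants.get(session.account, set()):
            return self._invalid(session, "application not permitted")
        if len(params) > MAX_PARAMS or not all(
            isinstance(p, str) and SAFE_PARAM.fullmatch(p) and ".." not in p
            for p in params
        ):
            return self._invalid(session, "invalid parameters")
        # Step 6: the launch plan names the session user, never the service
        # account, and keeps parameters as a list so no shell re-parses them.
        session.started_apps += 1
        return {"decision": "start", "argv": [exe, *params], "run_as": session.account}


def demo():
    """Constructed session and requests: one valid launch, then three bad ones."""
    notepad = r"C:\Windows\System32\notepad.exe"
    cmd = r"C:\Windows\System32\cmd.exe"      # present on the server, not released
    gate = LaunchGate(published={hash_id(notepad): notepad},
                      grants={"alice": {hash_id(notepad)}})
    session = Session("rds-7", "alice", "192.0.2.10")
    requests = [
        {"hash_id": hash_id(notepad), "params": ["notes.txt"]},
        {"hash_id": hash_id(cmd), "params": []},
        {"hash_id": hash_id(notepad), "params": ["a.txt & whoami"]},
        {"hash_id": hash_id(notepad), "params": ["..\\..\\secret.txt"]},
    ]
    decisions = [gate.handle(session, json.dumps(r).encode()) for r in requests]
    return decisions, gate.admin_alerts
```

Hitting the application limit is reported to the user without raising the invalid-request counter, so a busy user does not trigger the administrator alert.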
2.2.1.5 Application Virtualization HDP Supporting Isolation Between Sessions
1. Mouse and keyboard operations can be isolated by session.
2. Audio files can be isolated by session.
3. Peripherals can be isolated by session. This version supports redirection of printers and file systems.
The following table describes supported peripherals.
Support for Redirection | VDI | Application Virtualization
Pointer and keyboard | Supported | Supported
Audio | Supported | Supported
Printer | Supported | Supported
File system (USB flash drive, folder, and clipboard) | Supported | Supported
Serial port | Supported | Not supported
Parallel port | Supported | Supported
PC/SC smart card | Supported | Supported
Camera | Supported | Supported
High-speed document scanner/scanner TWAIN | Supported | Supported
USB flash drive | Supported | Supported
2.2.1.6 Service Provisioning Process of Application Virtualization
Set up the RDS license server.
Create an APS server template.
Create an APS VM.
Create an application group.
Add the APS VM to the application group.
Release a shared desktop.
Release applications.
The service provisioning process of application virtualization is similar to the VDI service provisioning process. The difference is that shared desktops or applications of application virtualization are released by using APS Server, the APS template uses Windows Server 2012 R2, and the RDS licensing server must be configured.
2.2.2 Main Application Virtualization Features
2.2.2.1 Application Access Service
Users can remotely access, start, and stop applications using HDP and access remote applications by using an agent.
Remote applications and shared desktops can be managed in lists. Remote application collection (adding and deleting) and page turning are supported.
2.2.2.2 Shared Desktop
Complete desktops are provisioned based on SBC, and Windows Server shared desktops are supported. Users are isolated based on sessions, and data is stored in the profile file which is stored on the file server in roaming mode. The Windows Server 2012 R2 operating system supports this feature.
2.2.2.3 Remote Application
Remote applications are released based on SBC, and Windows Server shared desktops are supported. Users are isolated based on sessions, and data is stored in the profile file which is stored on the file server in roaming mode. The Windows Server 2012 R2 operating system supports this feature. End users can access multiple shared desktops and remote applications, and switch them in the task bar.
2.2.2.4 APS Load Balancing
Shared desktops and remote applications can be assigned based on APS load balancing according to load scheduling policies, such as the number of users, CPU usage, and memory usage.
2.2.2.5 GUI
Shared desktops and remote applications can be viewed on GUIs. Remote applications support Windows and Linux terminals.
2.2.2.6 Native Gesture Experience
Windows Server native gesture operation experience is supported.
2.2.2.7 Application Self-service Maintenance
The following functions are supported: application tray (Windows, Linux, and mobile terminals), self-service application login, and forcible application shutdown on clients.
2.2.2.8 Local Application Experience
Released remote applications can be seamlessly integrated to the local Windows start menu to improve user experience. Local shortcut integration and local task bar integration are supported.
2.2.2.9 Application Session Management
After a user is disconnected from a shared desktop or remote application for a certain period, the connection can be automatically disconnected or the session can be automatically deregistered. The period can be configured.
2.2.2.10 Policy Configuration
1. RDS policy configuration of shared desktops is supported. The policies include user home directory, clearing of sessions that are disconnected or have no operation for a long time, deletion of temporary folders after user logout, and session IP virtualization.
2. Policy configuration in the management system is supported. The policies include idle duration for disconnection, disconnection duration for logout, and IP virtualization.
2.2.2.11 User Data Storage
User personal profile roaming of shared desktops and remote applications is supported. The roaming user configuration and folder redirection functions enable profile data roaming. Profile data is stored on a shared file server provided by a third party. User personal data storage of shared desktops and remote applications is supported. User personal data is stored on a shared storage system (such as NAS) provided by a third party.
2.2.2.12 Running Remote Applications on Shared Desktops
Remote applications can be released on shared desktops so that end users can run various applications on shared desktops.
2.2.2.13 Comparison with Features of XenApp
The following table describes comparison between FusionAccess features and XenApp features.
Feature Dimension (in table order): Basic feature; User experience; BYOD; Security and central management; Simplified O&M management
Feature | Citrix XenApp 7.6 Advanced | FusionAccess SBC
XenApp published apps (Server-based hosted apps) can be deployed on 5 generations of Windows operating systems, enabling secure access to Windows apps on any type of device including iOS, Android and Windows devices for on-demand access from anywhere, lets users focus on work. | Supported | Supported
XenApp published desktops are low-cost, locked-down virtual desktops that provide the flexibility and mobility benefits of desktop virtualization while maximizing IT control through enhanced security and simplified management. | Supported | Supported
Pre-launch technology creates a local-like app launch experience by expediting the session creation process. With pre-launch, a session waits for the user in an active or disconnected state, enabling quick, instant-on app access to an already active app session making for a fast and local-like app launch experience. Pre-launch configurations have been improved on the FMA platform, making it simple to configure from the Citrix Studio management console. | Supported | Not supported
Session linger keeps the user session open after the user closes the app, to provide a quick app reconnect or enable the user to open a new app without repeating the logon process. Admin-configurable time-based policy automatically releases a license consumed by a pre-launched and lingering session to improve license management. | Supported | Partially supported. Cache policies support durations only but do not support CPU thresholds based on single APS servers and average CPU thresholds based on APS server clusters.
Anonymous Logon (unauthenticated user) enables instant, unauthenticated access to a single app while access to other, more personalized apps such as email remains authenticated. | Supported | Not supported
USB 3.0 ready, enabling new Receivers coming for Windows and Linux to include automatic device mapping and provide users with a plug-n-play capability with the latest 3.0 devices such as web cams, microphones, headsets and other peripherals to enhance user experience. | Supported | Supported
HDX™ user experience optimization delivers a superior high-definition user experience on any device, over any network. With Citrix HDX, the virtual experience rivals a local PC, even when using multimedia, real-time voice and video collaboration, USB peripherals and 3D graphics. Virtual Windows apps become mobile device aware and optimized to support touch gestures and other native mobile device features. Integrated WAN optimization capabilities boost network efficiency and performance even over challenging, high-latency networks. | Supported | Partially supported. Audio and video capabilities provided by HDP are inherited, but capabilities similar to Citrix HDX MediaStream, HDX 3D, HDX 3D Pro™ are unavailable.
Citrix X1 Mouse delivers the complete Windows experience to Apple iPad and iPhone devices by enabling physical mouse precision needed for Windows apps and desktops accessed via Citrix Receiver, delivering the best user experience on every device. | Supported | Windows application native gesture experience is supported.
Unified Communications optimization seamlessly integrates solutions from Microsoft, Cisco, Avaya, and Vidyo to deliver real time communication applications with "local PC" quality without having to increase bandwidth investments with built-in optimized point to point transfer of voice and video traffic. | Supported | Not supported
WAN optimized XenApp and XenDesktop delivers a superior user experience even over low-bandwidth, high latency connections. Citrix HDX technology can intelligently detect bandwidth capacity and dynamically transform communication on the fly. | Supported | Not supported
Any device access empowers employees to choose the devices that are right for them and their work style with a universal client that works natively on the broadest range of desktops, laptops, tablets and smart phones to ensure device investment protection without added work for IT. | Supported | Supported
Enterprise app store powered by StoreFront empowers users with self-service selection of their authorized apps and desktops, delivering a consistent experience across different devices and networks, and quickly reconnecting users for speed and convenience. | Supported | Supported
Clientless HTML 5 Receiver offers a clientless access solution, making it easy to access virtual apps and desktops from any device, including devices that are unable to install a physical client. | Supported | Supported
Universal Printing services mitigate the administrative burden associated with the management of hundreds or thousands of network and local printer drivers through centralized, universal printing services and further optimize printing performance across local, mobile, and remote connections. | Supported | Supported
Support for 16-, 32-, and 64-bit apps on Windows Server 2008R2 and 2012R2 and Windows 7/8 delivers a seamless user experience using any of five generations of Windows letting users focus on work, not juggling multiple desktops by supporting 16- and 32-bit apps on a desktop OS and 64-bit apps on a server OS. | Supported | Supported
FIPS compliant, helping IT administrators simplify security compliance and data protection by adhering to strict security compliance. | Supported | Not supported
Common Criteria certified, used by 19 countries worldwide, with many more countries following the standards unofficially, XenApp and XenDesktop is the only app and desktop virtualization solution to achieve such worldwide security recognition. | Supported | Not supported
Centrally secured apps are protected in the datacenter and securely delivered on-demand to any user anywhere making it easy to keep sensitive information safe based on an inherently secure architecture. | Supported | Supported
Centrally secured desktops are protected in the datacenter and securely delivered on-demand to any user anywhere making it easy to keep sensitive information safe based on an inherently secure architecture. | Supported | Supported
High security with XenApp and XenDesktop enables secure access from anywhere without exposing the corporate network. All mission-critical data remains protected in the datacenter unless it can be audited, controlled and enforced by policy. Only screen updates, mouse clicks and keystrokes (not data) traverse the remote connection, keeping application data safe from hackers and protecting the corporate network from unmanaged devices. | Supported | Supported
2-factor authentication support enhances secure access from anywhere through integrated solutions including RSA SecurID, RADIUS server, and Aladdin SafeWord for Citrix. | Supported | Supported
ICAProxy provides secure access to virtual Windows apps and desktops published on XenApp and XenDesktop while keeping apps, desktops and data safely protected within the datacenter without requiring a VPN. | Supported | Supported
ShareFile integration with virtual apps and desktops for optimized on-demand, on or off-premise data sharing and sync service meeting the mobility and collaboration needs of users and the data security requirements of the enterprise. ShareFile priced separately. | Supported | Not supported
App folders allow IT to better organize apps based on logical segmentation for simplified management for enterprises that have hundreds, even thousands, of published apps that are being managed. | Supported | Not supported
Improved connection resiliency available through database connection leasing, which caches the results of successful users' connections for any number of days set by an admin. XenApp and XenDesktop can then reference this repository of secure connection information in the event of a database failure to ensure users can still connect to their published apps and desktops. | Supported | Not supported
Automated virtual machine provisioning (Machine Creation Services) assists with the management of small and large deployments of virtual machines, virtual desktops or virtual XenApp servers, to support any type of use case and reduces shared storage requirements. | Supported | Supported
Integrated Profile management (User Profile Manager) intelligently distinguishes user profile settings between active XenApp and XenDesktop session to ensure user settings are consistent and intelligently streams profile setting and data on-demand to expedite the user login process. | Supported | Partially supported. AD group policies control profile sizes and the profiles to be filtered.
2.3 Limitations on Application Virtualization
2.3.1 Windows Server Operating System
Supported: Windows Server 2012 R2 standard edition, professional edition, and data center edition
Recommended: Windows Server 2012 R2 standard edition for typical configurations in a configurator
2.3.2 Terminal Type
1. Supported PC and TC clients:
(a) PC: Windows XP, Windows 7, Windows 8.1, Windows 10 (MAC is not supported)
(b) Windows TC: CT5000/5100/6000/6100, GI945
(c) Linux TC: CT3000/3100/5000/5100/6000/6100, GI945, Sunniwell (shared desktops do not support GUI)
2. Supported mobile clients:
(a) iOS mobile client: iOS later than iOS7.0, for example, iPad 2, iPad 3, iPad Air, iPad mini, iPad Pro, iPhone 5, iPhone 5s, iPhone 4, iPhone 4s, iPhone 6, iPhone 6 plus, iPhone 6s, iPhone 7, and iPhone 7 plus
(b) Android mobile client: Android later than Android 4.0, for example, Huawei MediaPad 10link, Huawei MediaPad10FHD, Huawei MediaPad, Huawei 7Vogue, Huawei X1, Huawei P6, Huawei P7, Huawei P8, Huawei P9, Huawei Mate 1, Huawei Mate 2, Huawei Mate 7, Huawei Mate 8, Huawei Mate 9, Samsung Table 8, Samsung S5, and Samsung Notes 3
On mobile clients, some software cannot automatically adjust the windows as the system resolution changes. If the window size exceeds the screen size, you must move the window to view information.
2.3.3 User Experience
Native touch experience is available since Windows Server 2012 R2, and therefore, only shared desktops and remote applications released when Windows Server 2012 R2 is used support Windows native touch experience.
2.3.4 Software Compatibility
Requirements on deployed remote application software are as follows:
1. The remote application software can be deployed in Windows Server 2012 R2.
2. The remote application software supports concurrent running of multiple instances, and multiple program instances can be concurrently started.
2.3.5 Profile and Personal User Data Storage
The roaming user configuration and folder redirection functions of Windows enable storage of user profile data of shared desktops and remote applications. Profile data is stored on a shared file server provided by a third party, and user application configurations can be stored on only one server. This feature is provided by Microsoft. If a user starts multiple applications to connect to multiple application servers, multiple roaming user configuration duplicates are generated. If user configurations are modified during the access, configurations conflict, and modified configurations cannot be saved to roaming user configurations. Personal user data is stored in a shared system provided by a third party, such as NAS.
2.4 Application Virtualization Competitiveness Comparison
2.4.1 Competitiveness Comparison (Do Not Provide This Table for the Customer)
Comparison Item | R6C10 SBC | Citrix (XENAPP 7.6) | VMware (Horizon 6.2) | Remarks
Basic application
RDS desktop | Supported | Supported | Supported |
RDS application | Supported | Supported | Supported |
Peripheral capability
USB port redirection | Supported | Supported | Supported | XenApp and FA6.1 SBC redirection does not support USB flash drives, audio devices, smartcard readers, or other devices that are not completely virtualized (such as printers). VMware USB redirection supports only USB flash drives.
Camera redirection | Supported | Supported | Supported |
COM port redirection | Not supported | Supported | Supported | VMware applies only to RDS.
Line print terminal (LPT) port redirection | Supported | Supported | Not supported | A parallel port can be operated but a parallel port printer cannot be operated.
File redirection | Supported | Supported | Not supported |
Printer mapping | Supported | Supported | Not supported |
TWAIN device redirection | Supported | Supported | Supported |
Clipboard redirection | Not supported | Supported | Not supported |
Smartcard mapping | Supported | Supported | Not supported |
Shadowing redirection | Supported | Supported | Not supported |
Multimedia capability
Multimonitor mapping | Supported | Supported | Supported |
Multimedia redirection | Not supported | Supported | Supported |
Audio | Supported | Supported | Supported |
Video hardware acceleration redirection | Not supported | Not supported | Not supported |
Flash redirection | Not supported | Supported | Not supported |
Client capability
TC (Linux) | Supported | Supported | Supported |
TC/PC (win) | Supported | Supported | Supported |
Android | Supported | Supported | Supported |
iOS | Supported | Supported | Supported |
Mac | Supported | Supported | Supported |
Windows Phone | Not supported | Supported | Not supported |
Reliability
Automatic recovery of application servers | Supported | Supported | Not supported |
Alarm management | Supported | Supported | Not supported |
Hot migration of application servers | Supported | Supported | Not supported | VMware applies to RDS.
Enhanced service
Local input method editor | Supported | Supported | Not supported | R6C10 supports only Windows TCs.
User access security | Supported | Not supported | Not supported |
Voice identification of mobile terminals | Supported | Not supported | Not supported |
Seamless local application | Not supported | Supported | Not supported |
HTML 5 client | Not supported | Supported | Supported |
Seamless Windows | Supported | Supported | Supported |
Desktop integration | Supported | Supported | Supported |
Floating touch ball | Supported | Not supported | Not supported |
Group policy | Supported | Supported | Supported |
Application category | Supported | Supported | Not supported |
3 Application Virtualization Scenarios
3.1 Branch Scenarios
3.1.1 Scenario Description
3.1.1.1 Challenges
Complex system running and maintenance and high cost: Maintenance costs of applications of the C/S architecture increase. Each application modification or update involves updates of each remote client. This requires manpower, material, and capital resources.
System security: When branches exchange data with headquarters, real original data is transferred over a network, and such data can be easily intercepted by competitors or hackers. This may cause great loss for enterprise development.
Application access rate: When application systems are integrated into a data center and a client accesses an application system in a traditional mode, the client may be affected by bandwidth and stability problems because the mode for the application to transfer data is different. Access speed in such a mode is low, and the number of branches is increasing, which will also slow down access.
Difficult data centralization: When a branch accesses an application of the traditional C/S architecture, data can only be stored locally to ensure performance, and headquarters cannot understand service situations of the branch in real time.
Questions:
1. How to install application systems for devices in each branch, remotely maintain and provide support for such systems, and flexibly implement expansion and migration?
2. How to ensure the remote access speed, network stability, and data transfer security?
3. How to ensure security of application servers or database servers when users outside headquarters access Huawei application systems?
3.1.1.2 Solution
Figure 3-1 Application virtualization branch scenario
Deployed applications include the ERP system, E-HR system, and Kingdee K/3 system. Deployment of the application virtualization solution brings customers the following benefits:
Maintenance: Maintenance implemented in branches is integrated into headquarters, which reduces maintenance workload. Deployment of new applications speeds up, and headquarters deploy new services for all branches in a unified way, which improves efficiency by dozens of times.
Access speed: Using desktop protocols to access application systems, each user requires only dozens of kbit/s, reducing application requirements on bandwidth of branches.
System security: When accessing application systems over a network, users use desktop protocols for communication, and only keyboard and mouse operations on clients and GUI updates rather than entire data packets are transferred over the network through desktop protocols. Permission (such as access, modification, backup, copy, and print) of each client is specified in desktop protocol policies so that security of application software and data is ensured. Enterprise application systems and database servers are deployed on an intranet, and only APS server addresses need to be published on a public network. This ensures security of enterprise application systems and data.
3.1.2 Solution Advantages
Centralized application deployment and optimized IT management: An application virtualization server collects clients of all applications to APSs, which then distribute and manage the clients in centralized mode. No plug-in is required for terminal access, and all clients do not need to be maintained. This reduces maintenance workload of IT departments. In addition, new applications can be quickly deployed, and application software needs to be upgraded only on a few servers.
Support for various clients: After installing HDP AccessClient software on a terminal, such as a mobile phone, a user can directly access all background applications. Various desktop OS platforms and mobile phone platforms are supported. Users can access background services and office systems at any time anywhere through any terminals.
High speed: HDP, a data transfer protocol dedicated to application virtualization, ensures that all necessary applications are executed on servers, featuring low requirements on network bandwidth. In normal states, each user requires only dozens of kbit/s. This reduces private line costs.
High availability: If a network fault occurs, system processes are not interrupted because all applications and data are managed on servers and running status of desktops is automatically stored on the servers. Once the network connection is recovered, all operations can continue. Load balancing is available between APSs. The system automatically loads users to different servers based on policies developed by administrators or loads of each server. Usage of other servers is not affected if any server shuts down, except for the license server.
High security: Applications and data are stored on servers, and only updates on server computing screens can be found on clients. Actual data computing ensures data centralization, unifying, and security. Client permission can be set based on policies, including whether desktops can be viewed, printed, or saved to a local directory. This ensures controllable information usage permission.
Low project implementation risks: Existing systems do not need to be switched to new systems because the existing systems do not need to be reconstructed for application virtualization solution deployment. New systems can be set up only after new server layers are added to a network. Original operation GUIs and use modes are retained so that no extra user operation training is necessary.
3.2 Scenarios for Separation Between Intranet and Internet
3.2.1 Scenario Description
3.2.1.1 Challenges
With the rapid development of the Internet, people can obtain more and more useful information from it, and this information helps in daily work. For example, R&D personnel can obtain functional modules and sample code and take part in discussions, research personnel can better understand industry development trends, and marketing personnel can obtain competitor information to understand real-time market situations. However, while the Internet helps people obtain important information, it also provides channels for attacks from viruses and worms. How to let employees use the Internet securely and efficiently is a challenge for IT personnel.
3.2.1.2 Solution
Centralized surfing enabled by application virtualization resolves the problem. PCs on user desktops cannot directly access the Internet. Instead, all Internet access is available only after the related applications (such as Internet Explorer, MSN, QQ, and FTP) are published on application virtualization servers. Administrators can determine, based on user accounts, whether users can use specific applications. For example, only development personnel can use FTP tools. APS Servers for centralized surfing are managed by administrators, and end users have common user permission only. The following figure shows the architecture of the management system for centralized surfing of application virtualization.
Figure 3-2 Separation between the intranet and internet for application virtualization (figure labels: Secure office network, Internet, Security gateway)
Before optimization: All clients can directly access applications on the Internet, causing security risks.
After optimization: Clients access the Internet through the servers for centralized surfing of application virtualization, and administrators assign corresponding permissions to users to prevent misuse of P2P software, enable security cache functions, and protect clients from being attacked by viruses.
Deployment of the application virtualization solution brings customers the following benefits:
User PCs cannot directly access the Internet, and P2P software cannot be installed on the APS Servers that can access the Internet, so overuse of P2P software is prevented.
User clients will not be attacked by viruses, worms, and Trojan horses from the Internet because Internet Explorer runs on APS Servers and common users do not have the permission to download and install Internet Explorer. This avoids most security holes.
Administrators set Internet Explorer security options and install anti-virus software on virtualization servers in centralized mode. The administrators regularly update virus definitions and scan for viruses to prevent system security holes.
Only authorized users can access specific applications. For example, only administrators can specify the users who can use IM software such as MSN and QQ.
Bandwidth consumption is reduced because users cannot, actively or passively, perform operations not specified in policies, so abnormal traffic generated by movie downloads and P2P is avoided.
3.2.2 Solution Advantages
Security isolation:
Intranet PCs access VMs deployed on the Internet side, and users can access the Internet only by using virtual desktops or applications.
Physical user desktops can access service systems only.
Internet access traffic is separated from service network access traffic.
Data security:
Data in VMs can be transferred to PCs, which cannot copy the data to VMs. This unidirectional transfer ensures data security.
The network transfer protocol mediates access to data on terminal clipboards and local disks, so copying and pasting of text, files, and images is managed and controlled, as is the use of peripherals.
Centralized data control: Desktops and data are separated from terminals and centrally controlled on the cloud. Only screen refresh information is transferred to terminals.
Controllable virtual channels of peripherals: Each virtual channel can be separately enabled or disabled, such as print control and USB port mapping management.
Unidirectional data flow control: Data in virtual desktops or applications can be imported into physical servers, but data cannot be written from physical servers to virtual desktops or applications.
Protocol-based encrypted transfer: Desktop protocols adopt the AES-128 algorithm by default to encrypt transferred data.
Management of mobile media used by internet: Permission to read, write, and access mobile storage media can be managed and controlled.
Centralized management:
User work environments and data are deployed and managed in centralized mode.
Application permission and data access permission are managed in centralized mode.
Software is upgraded and maintained in centralized mode, and data is stored and backed up in centralized mode.
Personal data and configurations are separated from desktop systems and applications. User data storage space is not affected by desktop update, upgrade, and deletion.
Shielding of threat sources:
Threat sources are reduced and shielded so that risks caused by access to Internet are avoided.
Centralized, standard, and unified permission management is gradually implemented.
Integrity, security, availability, and expansion of service application system architecture are ensured.
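The security isolation rules in 3.2.2 can be verified against network flow records. The following is an added example, not part of the white paper: the zone address ranges, function names, ports and flow records are constructed, and treating traffic from the browsing APS Servers to the service network as a violation is an assumption drawn from the statement that Internet traffic is separated from service network traffic.

```python
import ipaddress

# Constructed zone layout (assumption): replace with the site's real ranges.
INTERNAL = ipaddress.ip_network("10.0.0.0/8")
ZONES = {
    "office_pc": ipaddress.ip_network("10.10.0.0/16"),  # physical user desktops
    "service":   ipaddress.ip_network("10.20.0.0/16"),  # service systems
    "aps":       ipaddress.ip_network("10.30.0.0/24"),  # centralized surfing servers
}

# Zone pairs the isolation design permits (source zone, destination zone).
ALLOWED = {
    ("office_pc", "service"),  # physical desktops access service systems only
    ("office_pc", "aps"),      # desktop protocol session to the surfing servers
    ("aps", "internet"),       # only APS Servers reach the Internet
}

def zone_of(addr):
    """Map an address to a zone; anything outside INTERNAL is the Internet."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "unknown" if ip in INTERNAL else "internet"

def audit(flows):
    """Return (src, dst, dport, reason) for each flow that breaks isolation."""
    findings = []
    for src, dst, dport in flows:
        pair = (zone_of(src), zone_of(dst))
        if pair[0] == pair[1] or pair in ALLOWED:  # same-zone traffic is ignored
            continue
        findings.append((src, dst, dport, f"{pair[0]} -> {pair[1]} not permitted"))
    return findings

# Constructed flow records: (source, destination, destination port).
SAMPLE_FLOWS = [
    ("10.10.4.21", "10.30.0.5", 443),     # PC to APS Server: allowed
    ("10.30.0.5", "203.0.113.10", 443),   # APS Server to Internet: allowed
    ("10.10.4.21", "203.0.113.10", 443),  # PC bypasses centralized surfing
    ("10.30.0.5", "10.20.1.8", 1433),     # surfing server reaches service network
    ("10.10.7.2", "10.20.1.8", 443),      # PC to service system: allowed
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_FLOWS):
        print(finding)
```

Any finding indicates that the firewall or routing configuration does not enforce the separation the design relies on.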
3.3 Simple Office Scenarios
3.3.1 Scenario Description
3.3.1.1 Challenges
More and more complex services and applications are used, bringing greater deployment, maintenance, and delivery pressures. This requires flexible and efficient deployment and O&M.
How can the need to continuously upgrade and patch service clients be resolved? How can data security be ensured even as more security products are deployed? How can clients be protected from attacks by viruses and malicious software?
In large organizations, PCs are used in most traditional office OA scenarios, and PCs occupy large space and consume more power.
Simple OA scenarios indicate that only certain Windows applications are used for office, and there are few requirements on hardware performance of Windows hosts. Such scenarios involve industries such as education, medical care, finance, call centers, airports, and hotels. In such scenarios, if customers can use only certain applications rather than configuring dedicated OSs on PCs, desktop service costs will be reduced.
3.3.1.2 Solution
Figure 3-3 Simple OA scenario for application virtualization
Traditional PCs are replaced with TCs, and shared desktops are used for simple office work, which reduces the resource occupation of virtual desktops, eases maintenance and upgrades, reduces noise, and saves power.
Information security can be ensured because shared desktops are used and application data is stored on cloud.
Software can be distributed to all terminals only after being installed on cloud. This reduces enterprise O&M costs and implements centralized management for enterprises.
3.3.2 Solution Advantages
Cost: The cost is lower than costs of VDI and PCs.
O&M: The deployment and O&M efficiency is higher than that of PCs.
Security: Information security is ensured.
3.4 Mobile Office Scenarios
3.4.1 Scenario Description
3.4.1.1 Challenges
1. How to ensure that mobile office personnel can handle office work in real time?
2. How to ensure that company branches, customer service centers, and mobile personnel can synchronize policy and customer information to company databases?
3. How to deal with issues related to dispersed management, large energy consumption, and high IT O&M management costs?
3.4.1.2 Solution
Figure 3-4 Mobile office scenario for application virtualization (figure labels: Application server, Firewall, Domain controller)
Deployment of the application virtualization solution brings customers the following benefits:
Mobile office: Administrative and service personnel can handle office work at any time anywhere, which improves work efficiency and customer satisfaction.
Centralized management and flexible deployment: Application virtualization ensures centralized management of office software. Administrators can manage, monitor, and schedule enterprise resources at any time, and deploy one or more application servers in a few minutes. This improves server management and maintenance efficiency, and IT architecture of branches can be easily expanded.
3.4.2 Solution Advantages
Cross-platform access from various smart mobile phones
Various OS platforms and mobile phone platforms are supported, so secondary development is unnecessary for applications to adapt to each platform. This reduces system complexity and development workload. Users can access background services and office systems anytime, anywhere, from any terminal, including smart mobile phones, PCs, and tablets.
Agile experience of end users
Only updates of the running screens of applications on servers are displayed for end users, and such screens are encrypted and compressed, generating little traffic, usually dozens of kbit/s. Low bandwidth consumption ensures a smooth experience for end users. In addition, application clients do not need to be installed on each mobile phone. Instead, administrators authorize users, who then enjoy on mobile phones the same application experience as on PCs. Limited network traffic ensures low network investment, improving system publicity and usability.
Quick and centralized application publication
Compared with traditional mobile application solutions, application virtualization publishes the service and office systems of enterprises to provide more convenient support for mobile terminals, without secondary development. In addition, the existing system architecture is not affected.
High security
Service applications exchange data with servers inside the intranet, between the server clusters of APS Servers and the application servers, and actual service data is not transferred to user terminals. This ensures smooth service data exchanges and data security. The external vAG gateway provides SSL/TLS encryption for user connections so that data security is ensured during data transfer.
High reliability and stability
If a network fault occurs, system processes are not interrupted because all applications and data are managed on servers and running status of desktops is automatically stored on the servers. Once the network connection is recovered, all operations can continue.
Easy system maintenance and management
System maintenance workload does not increase even though system functions are added because secondary development is not required. All application software is managed on servers in centralized mode, which reduces manpower and material resources for daily maintenance.
4 Key Application Virtualization Performance Indicators
4.1 Key Performance Indicators
The intensity of SBC shared desktops is calculated based on VDI VSI test results, and the intensities for heavy, middle, and light loads are determined based on the proportions in the same model for SBC and VDI. Middle load is recommended for SBC shared desktops, but the load can be adjusted based on the actual model and the number of users who use shared desktops. A maximum of three virtual applications are configured for each user, and the configured intensity is calculated as 1.5 times the middle-load model (four or five applications) of a shared desktop. Based on the performance and costs of single APS Servers, four VMs, each with six vCPUs, are configured for two-socket hexa-core servers; six VMs, each with six vCPUs, are configured for two-socket octa-core servers; seven VMs, each with six vCPUs, are configured for two-socket ten-core servers; and eight VMs, each with six vCPUs, are configured for two-socket 12-core servers. 1.5 GB memory is configured for each user. The size of VM system disks is set to 80 GB, and IOPS is configured for five to seven services per user. The following tables describe the intensities of virtual applications and current shared desktops of SBC, and the APS deployment specifications.

Intensity Specifications for SBC Shared Desktops (Based on TR5 Test Data)
| Service Scenario | VM CPU Load_E5-2620 V3 | Concurrency Rate | E5-2620 V3*2 (6-Core, 2.4 GHz) | E5-2640 V3*2 (8-Core, 2.6 GHz) | E5-2660 V3*2 (10-Core, 2.6 GHz) | E5-2680 V3*2 (12-Core, 2.5 GHz) | E5-2690 V3*2 (12-Core, 2.6 GHz) |
|---|---|---|---|---|---|---|---|
| OA heavy load | 32% | 100% | 41 | 56 | 71 | 81 | 85 |
| OA middle load (recommended) | 25% | 100% | 46 | 62 | 78 | 91 | 96 |
| OA light load | 13% | 100% | 59 | 81 | 101 | 118 | 122 |
| SPEC | 527 | | 527 | 729 | 908 | 1063 | 1106 |
Intensity Specifications for SBC Virtual Applications (Based on TR5 Test Data)
| Service Scenario | Number of Applications Per User (Simple Office Application) | Concurrency Rate | E5-2620 V3*2 (6-Core, 2.4 GHz) | E5-2640 V3*2 (8-Core, 2.6 GHz) | E5-2660 V3*2 (10-Core, 2.6 GHz) | E5-2680 V3*2 (12-Core, 2.5 GHz) | E5-2690 V3*2 (12-Core, 2.6 GHz) |
|---|---|---|---|---|---|---|---|
| Virtual application | Not more than three | 100% | 69 | 93 | 117 | 137 | 144 |
Recommended APS deployment specifications
1. APS specifications: 6 vCPUs, 24 GB memory, 80 GB disk space
IOPS specifications: 34 OSs (considering Servers) + 5 x Number of users
APS uses RAID10 and 600 GB SAS for loading.
2. Number of APSs corresponding to each server:
Two-socket hexa-core servers: four APSs
Two-socket octa-core servers: six APSs
Two-socket ten-core servers: seven APSs
Two-socket 12-core servers: eight APSs
For other physical servers, the total number of vCPUs of all APSs must be greater than or equal to the number of hyper-threads of the server.
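The sizing rules in section 4.1 can be cross-checked and applied with a short script. The following is an added example, not part of the white paper: the per-server user figures are copied from the two intensity tables, while the function names, the two-threads-per-core assumption and the 500-user scenario are introduced here.

```python
import math

VCPUS_PER_APS = 6      # APS specification given in the paper
THREADS_PER_CORE = 2   # assumption: hyper-threading is enabled

# From the paper's tables: model -> (cores per socket, shared desktop users
# per two-socket server by load, virtual application users per server).
SERVERS = {
    "E5-2620 V3": (6,  {"heavy": 41, "middle": 46, "light": 59},  69),
    "E5-2640 V3": (8,  {"heavy": 56, "middle": 62, "light": 81},  93),
    "E5-2660 V3": (10, {"heavy": 71, "middle": 78, "light": 101}, 117),
    "E5-2680 V3": (12, {"heavy": 81, "middle": 91, "light": 118}, 137),
    "E5-2690 V3": (12, {"heavy": 85, "middle": 96, "light": 122}, 144),
}

def aps_per_server(cores_per_socket, sockets=2):
    """Smallest APS count whose vCPUs cover every hardware thread."""
    threads = sockets * cores_per_socket * THREADS_PER_CORE
    return math.ceil(threads / VCPUS_PER_APS)

def virtual_app_users(middle_load_users):
    """1.5 times the middle-load shared desktop figure, rounded half up."""
    return math.floor(1.5 * middle_load_users + 0.5)

def table_mismatches():
    """Models whose virtual application figure is not 1.5 x middle load."""
    return [model for model, (_, loads, vapp) in SERVERS.items()
            if virtual_app_users(loads["middle"]) != vapp]

def plan(users, model, load="middle"):
    """Servers and APS VMs needed for a number of concurrent users."""
    cores, loads, vapp = SERVERS[model]
    per_server = vapp if load == "virtual_app" else loads[load]
    servers = math.ceil(users / per_server)
    aps = servers * aps_per_server(cores)
    return {"servers": servers, "aps_vms": aps,
            "vcpus": aps * VCPUS_PER_APS,
            "users_per_aps": math.ceil(users / aps)}

if __name__ == "__main__":
    print("table mismatches:", table_mismatches())
    print(plan(500, "E5-2660 V3"))                 # shared desktops, middle load
    print(plan(500, "E5-2690 V3", "virtual_app"))  # virtual applications
```

The APS counts produced by aps_per_server for 6, 8, 10 and 12 cores per socket match the four, six, seven and eight APSs the paper recommends.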
5 FAQs
1. How to divide work between VDI and SBC?
| Edition | Deployment Mode | Feature | Application Scenario |
|---|---|---|---|
| Standard edition | TC+VDI | 1. Personalized office desktop + Non-unified application update; 2. Link clone desktop + Unified application update | 1. Common OA; 2. Security office; 3. Public terminal; 4. Cloud workstation; 5. Branch office |
| Advanced edition | TC+VDI+SBC | 1. Personalized office + Unified application update; 2. Unified application update performed by SBC | 1. Common OA; 2. Security office; 3. Public terminal; 4. Cloud workstation; 5. Branch office |
| SBC standard edition | PC+SBC; Mobile terminal + SBC | 1. Centralized application management; 2. Office architecture using old PCs | 1. Branch, using old PCs; 2. Mobile office; 3. Isolation between internal and external networks; 4. Simple task office, requiring few peripherals |
2. Is SBC applicable to call centers?
Voice involved: SBC is inapplicable to call centers that do not involve voice.
Voice not involved: Both VDI and SBC are applicable to web call centers, but VDI is recommended. Call centers are not light-load applications.
3. What Are SBC Application Compatibility Issues?
Software compatibility issues in application virtualization scenarios are classified into the following types:
− Compatibility between software and OSs
− Compatibility between software and multiple sessions
− Compatibility of software GUI display
The first two types of compatibility issues stem from constraints of the software and Microsoft systems, so it is unnecessary to traverse all software. Instead, compatibility is ensured by testing the software in a POC during site deployment. The last type of compatibility issue concerns compatibility with the protocol mechanism and requires more attention. For details about SBC software compatibility, see the list of SBC software compatibility.