Virtual Desktop Infrastructure (VDI) not only opens the door to easy desktop virtualization, but it also opens possibilities of security breaches.
We live in a world where security is paramount. As our daily life becomes more and more online-based, we need to understand more about how to secure our life online. The trend toward replacing existing physical desktops with VDI is rapidly strengthening, especially with the strong emergence of tablets and other high-end mobile devices coupled with wider and faster mobile network access. It is not only accessibility that drives the process, corporations are driven by the rising cost of CBD floor space, investment reductions in physical desktops, and the ability to centralize user data and management are key motivators for adoption of VDI. Corporations are reducing the amount of office space by introducing working-from-home schemes, using hot desks and providing the ability to work from anywhere, anytime. VDI makes this possible, thus enabling users to take their desktop home, or to the coffee shop around the corner. However, this introduces new risks to the corporate desktop environment that were not apparent before.
Corporations now have to deal with:
Network security for remote users
The ability of users to access confidential corporate information offsite
Securing data against theft using a simple USB stick
Redirecting printing to the nearest printer
VMware View is one of the leading VDI products. Its strength is that it builds upon existing capabilities, features, and investments made into the VMware infrastructure. This book will focus on the essential security features and how to address them using VMware View. Let's start off with defining what View actually contains.
You might be already familiar with most of this; however, I think a quick refresher is not a bad idea. The VMware View product is based on VMware vSphere. Let's just go over the vSphere 5.1 products that are needed to create a vSphere environment.
ESXi: The base workhorse of virtualization. This is where VMs live and run.
vCenter: This manages multiple ESXi servers, is responsible for creating cluster, run HA, DRS, and is responsible for features such as vMotion.
Single Sign-On (SSO): This is a new addition to vSphere in 5.1 and is responsible for Identity management. However, there is currently no integration for View into SSO.
Inventory Service: This keeps an inventory of vSphere objects, making the response time for inventory requests faster, creating less load onto the vCenter service.
WebClient Server: VMware announces that the WebClient interface will in future replace the Windows-based vSphere Client. The WebClient has some advantages compared to the vSphere Client; however, it requires people to change their thinking as things look and feel differently.
The View environment consists of the following products that may need to be installed:
View Connection Server: This is the main component for View. It contains the HTTPS-based View Administrator interface. The heart of the operation View Connection Server comes in four varieties:
Standard: The main component. You will need one install of this. We will look at it in this chapter.
Replica: A replica server is used for load balancing and failover capacity. It is basically an additional Standard Connection Server. We will look at it in this chapter.
Security: The security server can be deployed in a DMZ and forward incoming View Client connection to a View Standard Server. We will look at this in the Chapter 2, Securing Your Base.
Transfer: The transfer server is a buffer service between the View Connection Server and local desktop images (check in and out). We will look at this in the Chapter 2, Securing Your Base.
View Composer: This is used to reduce the amount of storage used for the virtual desktops by creating View Linked Clones. It also reduces deployment time of desktops as not the full desktop has to be cloned.
View Persona Management: The Persona Manager helps with the synchronization of roaming profiles. It is an extra service that needs to be installed. We will look at this in Chapter 3, Securing the Connection.
View Agent: This is installed on the virtual desktop that is the source template for a given pool of virtual desktops. It is also responsible for things like USB redirection and Single Sign-On.
View Client: The View Client comes for almost any operating system out there including iPad and Android. It enables the ability to connect to a View Connection Server. It comes in two versions: the normal one and the one that allows to checkout a desktop to a local computer.
View desktop: This is a Virtual Machine (VM) that contains a desktop OS and is provisioned by a View desktop pool.
ThinApps: ThinApps is a product that allows you to virtualize and package an application. We will not be able to discuss this feature in this book due to the page limitation.
Now after this short inventory, the following diagram illustrates how these components work together:
Tip
Downloading the color images of this book
We also provide you a PDF file that has color images of the screenshots/diagrams used in this book. The color images will help you better understand the changes in the output.
You can download this file from: http://www.packtpub.com/sites/default/files/downloads/0082EN_Graphics.pdf
In addition to this, we have several services that a View installation offers:
View Administrative Console: This is the interface that manages the View environment. It is an HTTPS-based interface that is installed as part of the View Connection Server (Standard).
View Portal: The View Portal is an HTTPS interface that lets people select and connect to a virtual desktop. It is installed as part of the View Connection Server (Standard).
View desktop pool: A View desktop pool is a collection of rules that define how View desktops are deployed.
This short chapter holds the introduction to this book. It gives an overview of the View infrastructure elements, as well as defining the technical terms we will be using.
In the next chapter, we will start with a quick overview and definition of the View environment, followed by security considerations of the underlying vSphere environment. We will also talk about logging and SSL certificates, and build up a View Replication Server and then shortly discuss load balancing it.