- Schley Andrew Kutz
Today deployed desktop systems have sprawled to an unmanageable number. For at least a decade, IT managers in corporate environments have managed an ever-increasing number of desktops. And for about that long, some vendors have offered point solutions that are mere Band-Aids and have addressed only part of the problem. Now widespread server consolidation projects—many of which are based on virtualization—have naturally led to a desire to corral desktop sprawl too. And as vendors have responded to that desire, IT managers must sift through a fleet of desktop delivery and management products to decide which have promise and which are lemons.
IT administrators have trouble managing distributed desktops for a simple reason: There’s no one tool or suite that allows them to administer desktops from a distance. This is where desktop delivery comes in. And this is where desktop delivery systems have the opportunity to become the tool by which administrators deploy desktops and manage users, operating systems and applications.
Even if a desktop delivery system doesn’t include all these tools, it should integrate with systems that do to provide a single point of interface. The No. 1 way to reduce complexity in data centers or on the desktop is to reduce the number of management interfaces with which an administrator must contend. Moreover, that management has to be reduced intelligently. The interface should not be so Spartan that nothing useful is left. Nor should an interface look like it was designed by committee.
I would suggest that we stop referring to “desktop delivery systems” as such and instead just call them “desktop management platforms.” Indeed, that’s what we are really talking about. From delivering desktop applications to the appropriate users to ensuring desktop security, all the way to ensuring that Microsoft Office has the latest patches installed, it’s all about management.
Categorizing desktop management platforms
So let’s look at the current crop of platforms with which you can manage desktops. Luckily, some companies offer products that are true first-generation desktop management platforms. Unfortunately, other products masquerade as desktop management platforms but lack crucial components.
Shared desktop systems: Harking back to the Unix era, a shared desktop system is the oldest kind of desktop management system. A modern example of such a system is Microsoft Windows Terminal Services, where a single system provides concurrent system and application access to multiple users.
Application delivery servers: Application delivery servers are remote servers that stream applications to a client via streaming technology or some other application distribution mechanism. Citrix Systems Inc.’s XenApp and Microsoft’s SoftGrid are both examples of application delivery servers.
Remote virtual desktops: Virtual desktops are similar to desktop blades and shared desktop systems. Like a desktop blade, they give users access to a fully functional desktop environment, but the desktop resides in a virtual machine (VM), not on remote physical hardware. A good example of this is VMware Inc.’s Virtual Desktop Infrastructure (VDI).
Local virtual desktops: This is a fancy phrase to describe the oldest x86 virtualization technology available: hosted desktop virtualization. The twist is that the desktop virtualization software must include the ability for a central authority to manage it.
Connection brokers and managers: Software packages that sit between an end user and a remote desktop management system are called “connection brokers.” When a user connects to a Web page in order to select a remote desktop, he makes use of the connection broker or manager. Two examples are Leostream’s Hosted Desktop Connection Broker and ClearCube Technology Inc.’s Sentral.
In addition to these software-only approaches, any discussion of desktop virtualization technologies warrants consideration of the following two kinds of devices:
Desktop blades: These specialized server blades deliver remote desktops to users. Such systems are commonly available from major independent hardware vendors, such as Hewlett-Packard Co. and IBM Corp., and from smaller companies that focus on desktop management systems, such as ClearCube (for more, see sidebar “Hardware and Startup Software Vendors” below).
Thin clients: A thin client is essentially a computer that is stripped down to nothing more than a network interface with a keyboard, video, mouse output and, in some cases, enough onboard RAM to offer significant caching. Its sole purpose is to deliver a desktop from a central location to a user in a remote office.
Desktop management product roundup
There are some well-established products and a growing number of new desktop management products. They come from the categories listed previously and have a range of features, security and management options as well as maturity and a breadth of functionality.
Citrix XenApp and XenDesktop: Citrix Systems is the elder statesman of the United Nations of Desktop Management Suites. In 2005 the company began the game with WinFrame and is still a major player with its recently renamed XenApp product. The following Citrix products fit into these categories:
- XenApp for application servers
- XenDesktop for virtual desktops and connection managers
Citrix’s products have evolved to target mostly application servers. Even with its recent acquisition of XenSource, Citrix’s homepage still lists XenApp application server above Citrix’s virtual desktop solution, XenDesktop. This is a smart move, because XenApp is a fully managed, end-to-end application delivery system.
The killer combination is to use XenApp in conjunction with XenDesktop and to combine application streaming with virtualization to reduce the number of servers in a data center as well as desktops in offices. In providing both XenApp and XenDesktop in combination with XenServer, Citrix has created a virtualization ecosystem that is large and diverse enough to offer an alternative to Microsoft and VMware.
As for security, Citrix XenApp offers fine-grained control over the applications and data to which a user has access but doesn’t have full desktop management capabilities. XenDesktop relies on the security of the remoting protocols of the guest OSes, such as the open source Virtual Network Computing or Microsoft’s Remote Desktop Protocol (RDP). Citrix’s own Independent Computing Architecture protocol is obviously still used for XenApp.
Management-wise, XenApp is a fully mature product that offers in-depth application management and is the premier technology when it comes to application streaming management. XenDesktop offers centralized monitoring and control of deployed desktop appliances.
If you can afford a premium-priced application streaming product, Citrix could be your solution. In spite of substantial competition, Citrix has maintained a leadership position for a reason: It is proven, reliable and well understood. XenApp is a strong product. Additionally, XenDesktop is a stellar packaged solution for virtual desktop management.
Microsoft SoftGrid and Windows Terminal Server: Microsoft hasn’t strived to make desktop delivery an area of focus or competition. Its two main products and categories are the following:
- SoftGrid for application servers
- Windows Terminal Server for shared desktop systems
Windows Terminal Server has been around for a while, but the features of its earlier incarnation didn’t stack up to what was then known as Citrix Presentation Server. On deck since 2004, Windows Server 2008 Terminal Server has more advanced new features. In 2006, Microsoft’s acquisition of Softricity (now SoftGrid) added application delivery, a must-have in anticipation of the Hyper-V hypervisor, which is due for release in August 2008.
As for security, Microsoft has a poor track record. If its early attempts at a firewall are any indication, there is ample question whether Microsoft can be trusted to secure the security holes it leaves open. On the other hand, version 6 of RDP supports Secure Sockets Layer (SSL), and SoftGrid allows you to define access restrictions, promising a new era in Microsoft security standards.
In management, Microsoft has some excellent products, particularly Active Directory’s Group Policy and System Center. I love Macs. I love Linux. But if I have to roll out a thousand desktops and centrally manage them, I don’t want to run anything other than Windows.
Simply put, combine Active Directory with System Center—which replaces Windows Server Update Services in the new release—and Systems Management Server, and you’ll get fine-grained control over desktops. But there’s a hitch, of course. This package of technologies and management tools works only with a Windows-based desktop.
If one way to reduce complexity is to reduce vendors, then why not choose Microsoft, which seems to deliver all you need? After all, Microsoft now has the Hyper-V virtualization technology for hosting virtual desktops, the SoftGrid application streaming technology and management tools like System Center.
But Microsoft’s suite of products does not fill every niche, and sometimes you need an alternative that can manage heterogeneous environments with non-Microsoft desktops.
The bottom line: If you can live with the straight-and-narrow feature set that Microsoft provides, you’ll get great desktop delivery and application streaming products. But if you need capabilities that you can get only in another product suite, keep looking.
VMware VDI and ACE: When it comes to x86 desktop and server virtualization, VMware is the market leader, so it is no surprise that it has tried to coordinate the two in a harmonious fashion. VMware's desktop management products are the following:
- Virtual Desktop Infrastructure for virtual desktops and connection managers
- Assured Computing Environment (ACE) for locally managed virtual desktops
VMware’s virtual desktop capabilities more than make up for a lack of production-level application streaming. In addition, its Thinstall acquisition has already delivered a beta product. Unlike Citrix XenServer, which has the ability to host virtual desktop OSes, VDI provides a broker interface for virtual desktops, enabling users to choose the desktop that fits their needs when they need it. VMware ACE also offers a way to distribute pre-packaged virtual machines (VMs) to a user’s laptop or desktop when a user may not have network connectivity.
As for security, ACE allows tight control over distributed VMs, making it a good choice for administrators who want to give executives VMs to access sensitive data in remote locations. ACE even encrypts deployed VMs with Federal Information Processing Standard-compliant encryption, an important feature for organizations such as hospitals, insurance companies and other businesses that maintain sensitive information. VDI’s security relies largely on the protocols used to access the VMs it hosts as well as the security of the desktop OSes it hosts, although VMware made a step in the right direction with inclusion of RSA Security Inc.’s SecurID support in the latest release of Virtual Desktop Manager (VDM).
ACE’s management features allow administrators to fine-tune VMs prior to distribution. VDI admins can choose the VMs to which a user will have access based on group affiliation. VMware recently released VDM 2, which includes enhanced management capabilities and integration with Microsoft Active Directory.
In an age of diversity, VMware is a purist. Unlike OS vendors such as Microsoft or Sun Microsystems Inc., VMware focuses on one thing, virtualization, and does so very well, including the distribution and management of virtualized desktops. But right now, VMware does not yet offer a production-level application streaming product. In my view, however, if you can afford VMware, use it. It has a lot of polish.
Sun Ray, Secure Global Desktop, VDI Software: Sun Microsystems is the only company of which I am aware that offers a total desktop delivery and management package that includes thin clients, connection managers and virtual desktops. Here are Sun’s key products:
- Sun Secure Global Desktop Software for connection managers
- Sun Ray 2, Sun Ray 2FS, Sun Ray 270, Sun Ray Software for thin clients
- Virtual desktops: Sun VDI Software
Sun’s Sun Ray thin clients have a sleek appearance and fast connectivity. The Sun Ray 2 and Sun Ray 2FS are great book-end products for companies with an existing investment in monitors. Sun Ray 2FS includes support for smart cards and fiber-optic network cabling to enhance security by reducing magnetic transmissions. Sun Ray 270 fits businesses just beginning a foray into desktop deployment, offering an all-in-one technology similar to Apple’s iMac.
Sun’s Secure Global Desktop Software is the second tier in Sun’s three-tier desktop management solution, sitting between clients and servers in data centers. Sun’s VDI software enables administrators to deploy a connection manager that not only supports Sun’s own xVM virtualization technology but also acts as a broker for VMware VDI as well.
For security, Sun supports RSA SecurID and integrates with Microsoft Active Directory and other Lightweight Directory Access Protocol (LDAP) servers for authentication. Sun says that its support of fiber-optic network cabling improves security, but does it matter? Most shops have made a heavy investment in Ethernet networking technology. For them, running fiber to desktops would be expensive. And to realize fiber’s security benefit requires replacing existing Ethernet, at least in publicly accessible areas. Besides, at this point I’d be more concerned about the security of wireless LANs.
Sun Secure Global Desktop Software centralizes desktop management by moving OSes off the desktop and into data centers. With Sun Ray Software, it’s possible to deploy and manage thousands of Sun Ray clients with only a few administrators. It’s slick. If I had to build a desktop management solution from the ground up, you might find me giving Sun a call.
ClearCube Sentral VDI Management System: ClearCube focuses on virtual desktops and offers desktop management software in this category:
- Sentral VDI Management System for connection managers
ClearCube’s Sentral VDI Management system does it all. Sentral manages blades and user ports (or thin clients) and integrates with existing VDI solutions from VMware and others.
ClearCube’s thin clients and desktop (PC) blades are innovative. Referred to as “user ports,” these devices are treated as ports to desktops in data centers. These user ports range from the simple I/Port, which provides basic connectivity, to the Digital Fiber C/Port, which is designed to reduce magnetic transmissions in data centers. ClearCube desktop blades are called PC blades and, like their matching user ports, also range in functionality, from the R1300 to the A1410.
The combination of desktop hardware and Sentral presents a complete product suite, and ClearCube’s biggest challenge is Sun, which offers equivalent hardware and software and a virtualization solution as well.
HP Systems Insight Manager and OpenView: HP’s desktop blades, combined with its management software suites (Systems Insight Manager and OpenView), are a good option for minimizing desktop sprawl. Systems Insight Manager and OpenView are multifeatured suites and don’t fit my basic categories.
On the hardware side, HP desktop blades are standard blades but include HP’s Remote Graphics Software to enhance the graphical experience of remote clients. HP entered the thin client business by acquiring Neoware Inc., which was a good move. The HP Neoware thin clients are one of the few thin clients to include wireless capabilities.
Coupled with HP’s legendary hardware management software, HP has a strong offering for a company investing in thin clients in conjunction with desktop blades.
Pano Desktop Service and Management Server: Hands down, Pano Logic Inc. makes the sexiest desktop device on the planet. The Pano device is elegant, and its supporting management products do their jobs well. Its technologies are the following:
- Pano Desktop Service for virtual desktops
- Pano Management Server for connection managers
Pano Logic’s architecture includes Pano Desktop Service, Pano Device and Pano Management Server. The desktop service and management server and typical middleware connection manager applications cover the functionality bases. The true draw is the Pano Device, a thin client that consumes only 5 watts of power and enables a user with a desktop problem simply to hit the single button on the device and roll back the desktop to an earlier version.
For security, Pano transmits data using the 128-bit Advanced Encryption Standard, and local storage can be disabled to prevent users from copying data to USB keys.
The Pano Management Server enables administration of security and access control, including use of USB ports. With it, IT managers can configure virtual machines for user groups or individuals; roll out updates, upgrades and patches seamlessly; and perform backups of all PCs on their own schedule.
The Pano Device is innovative, reliable and ranks high on my chart. If you are going to use thin clients, Pano Logic’s device is just genius. If you want a more trusted and proven name, check out Wyse Technology Inc.’s thin clients.
Leostream Hosted Desktop Connection Broker: The company best known for its physical-to-virtual (P2V) migration products has branched out. Leostream now offers a connection broker for proxy access to data center desktop solutions. Its connection broker is the following:
- Leostream Hosted Desktop Connection (HDC) Broker
Leostream’s HDC Broker provides managed access to hosted desktops. It allows access via the Web, clients fat and thin, and even allows users to be assigned to virtual or physical desktops. HDC has some nice enterprise features, including global DNS integration and clustering, making it one of the most solid connection brokers.
HDC security comes in the form of hardware-based SSL virtual private network (VPN) support by integrating with Cisco, F5 and Juniper SSL VPNs. HDC also enables external authentication via Microsoft Active Directory, Novell Inc.’s eDirectory and other OpenLDAP servers.
HDC allows for central management of clients via dynamic and policy-based configurations but does not allow for management of guest OSes.
HDC is a great connection broker for businesses that don’t already have some type of partnership with an OS vendor or virtualization solution. Then again, most major original software vendors and virtualization providers offer connection managers for their products, which marginalizes companies like Leostream. If you build infrastructure piece by piece with best-of-breed products, then HDC is a good choice. But most administrators will trade the extra 5% in performance and features for a completely integrated solution.
Provision Networks Virtual Access Suite for Desktops: Provision Networks Inc. also provides a connection manager for VMware’s VDI. Provision Networks offers the following feature-rich desktop management technology:
- VAS, Desktop Services Edition (DSE) for connection managers
VAS DSE is one of the best connection managers on the market. In addition to providing access to VMware’s VMs, it supports physical machine access. A feature of DSE is that it automatically discovers desktops and VMs to manage by enumerating the objects in Microsoft’s Active Directory and VMware’s VirtualCenter.
In security, DSE supports RDP over SSL as well as pass-through Kerberos authentication and smart-card logons. Another cool management feature is the ability to create VM pools so that virtual desktops are pre-created and ready to use.
The VAS Desktop Suite Edition is a single-purpose connection manager. And much like Leostream’s Hosted Desktop Connection Broker, it does its job well. But much more feature-rich, all-in-one solutions are available in lieu of a single-purpose app.
Qumranet Virtual Desktop Server and Virtual Desktop Controller: Qumranet is an Israel-based company charged with managing the development of the Linux kernel-based virtual machine, and it has developed a full virtual desktop management suite. Qumranet’s core product, Solid ICE, is a fully integrated desktop virtualization product. Its desktop management tools include the following:
- Virtual Desktop Server (VDS) for virtual desktops
- Virtual Desktop Controller (VDC) for connection managers
The most interesting thing about Solid ICE is neither VDS nor VDC. Qumranet’s claim to fame is its Simple Protocol for Independent Computing Environments, or SPICE, which allows virtual desktops to stream rich, multimedia content over a LAN link to remote clients.
Solid ICE is an interesting product, but it’s also quite new and I haven’t reviewed it yet. Virtualization evangelist Alessandro Perilli has said that, with KVM, Qumranet could pose strong cost competition to VMware’s and Microsoft’s virtual desktop technologies.
AppStream: AppStream is one of the few remaining application-streaming technologies that hasn’t been purchased by a major virtualization or OS vendor and offers the following technology:
- AppStream application delivery server
The latest version of AppStream is pretty nice. It includes support for Vista, LDAP integration, a Firefox plug-in, and even the ability to email users when a license limit has been reached.
Like standalone connection manager programs, AppStream is a standalone application delivery server and, as such, encounters stiff competition from major OS and virtualization vendors that offer application servers. Although AppStream has nice features, the product isn’t compelling enough to stand out from the competition.
The right desktop delivery solution
When VMware announced VDI, there was confusion about why virtual desktops are so special. The question that I heard most was “How is this different from terminal services or thin clients?” The answer is that VDI was just one more way to accomplish the task of delivering desktops to users in a managed fashion. All product reviews, of course, have their pros and cons, so ultimately you have to choose technologies based on what’s right for your situation. Barb Goldworm of Focus Consulting echoes this notion:
“The key to success will be to understand all of the user requirements and use cases, determine which technology best fits each need, and then evaluate the available solutions in that area to see which product best fits your particular environment and needs.”
Still, with the caveat that your particular situation may dictate a certain set of technologies, here are my recommendations for each of the major technology options:
Desktop blades: HP and ClearCube offer an equally diverse number of desktop blades, but I select HP as the top pick because it can integrate its blades with an already vast product base, such as HP Systems Insight Manager.
Thin clients: If you are going to use thin clients, Pano Logic’s device is sheer genius. If you want a more trusted and proven name, consider Wyse Technology’s thin clients.
Virtual desktop managers: Until VMware gets its application streaming technology up and running, Citrix offers the most comprehensive technology available.
Total solution: Sun is the only company that provides the total package, from hardware to software. If you’re partial to dealing with just one vendor, Sun sells thin clients, connection managers and a virtual desktop platform.
This article provides only a brief overview of the remote desktop landscape. Summarizing the entire scope of the field in a single article would be to assert that such a task is possible when there is clearly too much content to do all of it justice. For a complete guide to desktop management systems and application streaming packages, check out the Focus Research Series “Desktop and Application Delivery Alternatives.”
But if you’re ready to get started, the most important step is to identify your priorities. Do you want a best-of-breed solution? Do you want to minimize complexity by interacting with the fewest vendors possible? Is cost your central concern? Are you willing to take a chance on a new and unproven technology for the sake of performance?
You have to ask these questions to know where to begin. Once you know the road you plan to take, this article can act as a series of street signs to guide you on your path. If you get lost on the way, you can always contact me at firstname.lastname@example.org. And enjoy the trip.
About the Author
Schley Andrew Kutz has more than 10 years of professional experience in computer systems design, security, programming, implementation and management. Kutz is a site expert for SearchServerVirtualization.com and the author of Sudo for Windows. He is a Microsoft Certified Solutions Developer, a SANS/GIAC Gold Certified Windows Security Administrator and a VMware Certified Professional in VMware Infrastructure 3.