VMware Horizon Community
mreferre
Champion

Connection Brokers summary

I am trying to fill up a table with all the brokers available associated to general characteristics.

These are the brokers I am currently considering: CitrixCDB, Leostream, Propero, Dunes, Provision Networks, 2X (ThinClientOS), (Syncron) ?

These are the characteristics I am putting into the table:

- License costs per user: low/med/high (40/50 would be low, 400/500 would be high...)

- Protocol being used: ICA/RDP

- Client Device supported: browser/PClinux/PCXp/TCXPe/TCLinux/TCce/WyseS10......

- Integrated single sign-on

- Requires a scalable broker layer: yes / no (i.e. does the user connection go from the client device to the XP vm directly (like with Leostream/Dunes) or does it have to go through the connection broker (like with the CitrixCDB)?)

- Provides integrated Secure Access / VPN: yes/no

Before we start filling this virtual table up .... is there anything else you think you would want to add? Other brokers? Other characteristics?

Massimo.

Massimo Re Ferre' VMware vCloud Architect twitter.com/mreferre www.it20.info
0 Kudos
61 Replies
kix1979
Immortal

I think the best solution is a mix of both VDI and something like Citrix. Citrix has a great niche, as does VDI and I think they both can benefit from each other for greater penetration into the market.

Thomas H. Bryant III
0 Kudos
Elie-prof
Enthusiast

in that case do take a look at my favorite - Provision Networks VAS - they deliver VDI, Terminal Services (their own flavor similar to Citrix), App Streaming (integration with Softricity), and blade PCs (in beta) - all integrated so the user doesn't know where apps or desktops are coming from.

0 Kudos
mreferre
Champion

Thomas,

you are right. In fact I didn't want to "downplay" the Citrix "shared services" model.

However this model (and their products) have been around for years and I think they have reached their "plateau". This doesn't mean that there are many other customers looking into it and deploying it ..... It's just that if they had a 10% penetration in 10+ years .... they might hit how much 12/14/20 ? ? ? ... but clearly this will never be a "for the masses" thing. And if you look at their pricing strategy it is consistent .... they want to maintain an "elite" customer base which is willing to pay their bills. There is nothing wrong with this ..... it's just the way they have decided to go to market.

So in the end what I see is that many traditional VDI brokers will move to embrace all these 3 models (VDI, Shared Services (TS), PC Blades) whereas Citrix is doing the same with their project trinity. The key point is to see the ratio of the marketshare of these 3 technologies ........ My take is that virtual clients / vdi will take the lion's share......

Time will tell ..... time will tell ....

Massimo.

Massimo Re Ferre' VMware vCloud Architect twitter.com/mreferre www.it20.info
0 Kudos
mreferre
Champion

Ok .. so this is the first attempt ...... claiming it's in sort of draft is making it look better than it actually is:

http://it20.info/misc/brokers.htm

I consider this more an open table for a discussion rather than ..... anything else.....

I am not sure if I am going to add other brokers (except Citrix Trinity when it becomes a more solid project) but I will be looking for more information to adapt the table to include more / different rows (i.e. attributes that pertain to brokers).

It goes without saying that I am working to fill all the (many) gaps you see in the table.

Massimo.

Massimo Re Ferre' VMware vCloud Architect twitter.com/mreferre www.it20.info
0 Kudos
kix1979
Immortal

Looks good so far, but you need to Web 2.0 it, :D. But in seriousness, it needs a legend on the page to describe what LOW, MED, HIGH etc... are.

Thomas H. Bryant III
0 Kudos
mreferre
Champion

You were not supposed to look at the home page ...... ;)

Seriously .... I know what you are talking about ...... low / med / high is really opinable at the very least and this might cause confusion .............

Thanks. Massimo.

Massimo Re Ferre' VMware vCloud Architect twitter.com/mreferre www.it20.info
0 Kudos
mreferre
Champion

Just wanted to mention to all that I have updated the page with some more info.

http://it20.info/misc/brokers.htm

Feedback is (more than) welcome.

Massimo.

Massimo Re Ferre' VMware vCloud Architect twitter.com/mreferre www.it20.info
0 Kudos
davlloyd
Hot Shot

Been neck deep for the last week so did not get a chance to place any input.

I think a big consideration should be the accessibility of the service,

1) does it support SSL

2) does it use Java or ActiveX for web based connectivity

3) does it have guest -> broker interaction to allow for state awareness beyond the info provided by VC.

4) Does it support permanent machine assignment or only pool modelling

5) Is the Administrative UI good/bad/ugly

6) Does it have any reporting

7) How manageable is it (monitoring/alerting/ etc)

8) Does it have any decent reporting

9) Does it support role based security

10) Does it support a distributed model (e.g. regional childs to master)

Unless things have changed I am not aware of any Broker that provides everything at this stage. Maybe it is time to register a new project on SourceForge under Desktop Brokering.

0 Kudos
davlloyd
Hot Shot

Almost forgot about the other big win with VDI for test and development purposes.

- Snapshot and rollback support

- Multi machine to user assignment

0 Kudos
mreferre
Champion

Thanks Dave.

Good feedback. A few comments:

>1) does it support SSL

When I said in the chart "security out of the box" I meant SSL support. Alternatively you need something at the networking level to do that (i.e. VPN). Isn't that good enough ?

>2) does it use Java or ActiveX for web based connectivity

This is a good one. So for example a portal could be used from a browser of a WinCE thin client only if the brokering package uses ActiveX. Is that the idea ?

>3) does it have guest -> broker interaction to allow for state awareness beyond the info provided by VC.

Can you give an example?

>4) Does it support permanent machine assignment or only pool modelling

Isn't that in the chart already? I have also differentiated between personal assignment at first logon and pre-emptive personal assignment.

>5) Is the Administrative UI good/bad/ugly

Oh boy ... this gets into the "subjective" space and quite frankly I don't want to waste my time fighting with people on different opinions as far as an interface is nice or odd. Having said this I have tried to summarize this into the "Easy to Configure/Use" row.

>6) Does it have any reporting

Mh... I need to think about this ...... right

>7) How manageable is it (monitoring/alerting/ etc)

See #5

>8) Does it have any decent reporting

isn't this the same as #6 ?

>9) Does it support role based security

What do you mean? I assume all integrates with LDAP/AD to profile users. Do you mean user Dave from AD is set as the "broker administrator" while user Massimo from AD is set as a simple "broker user"?

>10) Does it support a distributed model (e.g. regional childs to master)

Mh .... I need to think about this as well.....

>11) Snapshot and rollback support

Ok ... (even though I think you are thinking about future development of the technology as I don't think any of the current brokers provides this). But it is good to put things that an end-user is willing to have so they know where to go ....

>12) Multi machine to user assignment

Correct. I will add this.

Thanks. Massimo.

Massimo Re Ferre' VMware vCloud Architect twitter.com/mreferre www.it20.info
0 Kudos
davlloyd
Hot Shot

Slow turn around by me at the moment but see if I can respond

1) True

2) I find there are issues both ways - ActiveX gives a nice experience but is Windows centric and can have compatibility and security issues. Java is nice as it is more platform independent but can be slow - nice to have best of both worlds really

3) How does a Broker ascertain the current state of a device e.g. does it have something reporting to it from the guest or does it assume if Virtual Center says it is running that it is OK to give out to a user.

4) Reading it upside down ;)

5) Think of this scenario - If I have 10,000 devices how does the interface allow you to readily manage them, detect issues, etc

6) Capacity reporting, allocation stats etc - or alternatively an open database schema and you do your own

7) Very true but how about SNMP, alerting and the quality of the information (emphasis on the quality)

8) I was definitely on my head :)

9) Can you delegate functions within the broker to various groups. Some manage machine, some users, some both, some can change config etc

10) Back onto the 10,000 users, think if they are in 50 offices of various sizes - or contained to three sites

11) Wishful thinking really

12) users are greedy

Still think it is time to register a project on sourceforge

0 Kudos
mreferre
Champion

Just want to mention that I have updated the table based on my interpretation of Dave's feedback.

More feedback about the structure of the charts (brokers and characteristics) is welcome. Also, if you want to fill some of the blank fields (based on your knowledge/experience playing with the products) that would be excellent.

http://www.it20.info/misc/brokers.htm

Thanks !

Massimo.

Massimo Re Ferre' VMware vCloud Architect twitter.com/mreferre www.it20.info
0 Kudos
mreferre
Champion

Oops, only now I see your update .... You must have posted while I was typing mine ......

I am just too tired now to go through it again ..... well this means tomorrow night I will have something to do ..... :)

Thanks. Massimo.

Massimo Re Ferre' VMware vCloud Architect twitter.com/mreferre www.it20.info
0 Kudos
admin
Immortal

Are you sure that Propero does not act as a proxy? For remote access clearly you go through the Propero system. For local access all their documentation has the broker in the middle acting as a proxy?

I would recommend adding a section regarding if they provide their own ICA/RDP client or depend on someone else. In the case of RDP clients providing their own positions them to possibly build off the channels for added features such as device redirection.

I would also add a section around device redirection, if it provides its own display protocol or provides a client using RDP/ICA other, does it provide smart card passthru, bi-directional audio, local printing, serial redirection, mass storage etc. Some claim extended USB support for PDAs etc. but only support one or two models etc.

0 Kudos
mreferre
Champion

Mh ... that is a good point.

I have limited knowledge of Propero but it is my understanding that their architecture is similar to that of Provision Networks in the sense that the "security component" of their offering acts as a proxy to create the secure tunnel between the client device and the "infrastructure" which in turn queries the "brokering" piece to understand which vm they need to connect to. Once the broker has responded back with the IP all the communication happens between either the client device (if sitting on the intranet) and the vm or the security gateway (if the client device is on the internet) and the vm.

This is my current understanding.

So my "act as a proxy" really means whether or not the broker piece itself is acting as a proxy not just the security components of the solution (of course they need to act as a proxy to create the SSL tunnels etc etc).

To the best of my knowledge there are two solutions right now where the broker itself acts as a proxy which are the Citrix Desktop Broker and the SUN offering (I understand that that is the case for SUN because of their legacy Sun Ray value proposition where the Sun Ray would not support RDP but rather their own remote kvm protocol called AIP).

I am still looking into those things but this is my current understanding.

If you (and all the others) know more about this please post ........

I will evaluate adding the other "characteristics" you have mentioned along with the latest Dave's comments.

Thanks. Massimo.

Massimo Re Ferre' VMware vCloud Architect twitter.com/mreferre www.it20.info
0 Kudos
admin
Immortal

Well, I know a little more about the Sun solution. The Sun solution can be deployed a few ways.

For local access - In the office. They position their Sun Ray thin clients. They have their own RDP client that sits on the Sun Ray server. All the Sun Rays talk ALP from the device to the Sun Ray server and RDP to XP.

For Remote Access - They use their Sun Secure Global Desktop software and drop that into the DMZ. Remote users using a PC can connect remotely via a web interface. In this case its AIP over HTTPS from the browser to the DMZ and RDP from the DMZ to XP.

They use their VMware Access Kit add on to enable session mobility between the two so, you start a session at home via a browser, go to the office connect from a Sun Ray and get the same session. What is a little unique is you can actually use the Sun Ray at home as it has a built in VPN client. Or you can use SSGD in the office with PCs as you transition to Sun Rays or other thin clients.

Just like Citrix RDB all local or remote traffic goes through the "Session Broker" like a proxy.

What I think is important to note about both is the fact they own their own protocols and clients ICA, RDP, ALP, AIP. For both they have the option to enhance supportable options using virtual channels, if they decide to. So can Provision as they own their own RDP client. Others depend on MS or the device manufacturer.

Also, because they both own their own protocols in theory their remote access performance should be better than those that don't. AIP, ALP and ICA have all been optimized for low bandwidth connections for a long time now where RDP never really has been. Some might argue that the protocol conversion could cause slowed performance. In the case of local access I agree a broker not in the way or path is better for performance. In the remote cases even with the protocol conversion, I think RDP tunneled over these other protocols rather than just RDP will perform better in situations like low latency.

Looking at the Propero link here http://www.propero.com/PDFs/factsheet_workspace_connection_manager.pdf

Clearly, the "Session Broker" sits in the middle. Also, load balancing and other references to "Session Management" are made; this is another tip that all traffic, local and remote, is always routed through the broker. Not as bad as a protocol conversion but also not as ideal as brokering the connection and not staying in the path of communication.

0 Kudos
mreferre
Champion

My comments below:

>Well, I know a little more about the Sun solution. The Sun solution can be deployed a few ways.

>For local access - In the office. They position their Sun Ray thin clients. They have their own RDP client that sits on the Sun Ray server. All the Sun Rays talk ALP from the device to the Sun Ray server and RDP to XP.

>For Remote Access - They use their Sun Secure Global Desktop software and drop that into the DMZ. Remote users using a PC can connect remotely via a web interface. In this case its AIP over HTTPS from the browser to the DMZ and RDP from the DMZ to XP.

Right so this is very similar to whatever Provision / Propero etc etc does with their secure access technologies out-of-the-box with the only difference that they use RDP over https rather than AIP over https.

>They use their VMware Access Kit add on to enable session mobility between the two so, you start a session at home via a browser, go to the office connect from a Sun Ray and get the same session. What is a little unique is you can actually use the Sun Ray at home as it has a built in VPN client. Or you can use SSGD in the office with PCs as you transition to Sun Rays or other thin clients.

>Just like Citrix RDB all local or remote traffic goes through the "Session Broker" like a proxy.

>What I think is important to note about both is the fact they own their own protocols and clients ICA, RDP, ALP, AIP. For both they have the option to enhance supportable options using virtual channels, if they decide to. So can Provision as they own their own RDP client. Others depend on MS or the device manufacturer.

Well this is debatable. Others might argue that you are at the mercy of SUN or Citrix and not dependent on a "standard" like the MS RDP protocol. Also consider that while for Citrix this is core business (so less than a problem) for SUN this is really another attempt to enter into this space (after the original failure of the Sun Ray). Now the fact that I work for IBM might lead you to think I am bashing my competitor but in reality I am just sharing my genuine thoughts.

>Also, because they both own their own protocols in theory their remote access performance should be better than those that don't. AIP, ALP and ICA have all been optimized for low bandwidth connections for a long time now where RDP never really has been. Some might argue that the protocol conversion could cause slowed performance. In the case of local access I agree a broker not in the way or path is better for performance. In the remote cases even with the protocol conversion, I think RDP tunneled over these other protocols rather than just RDP will perform better in situations like low latency.

I agree with the last part. As per the optimization of the protocols ... I agree for the ICA.. I am not sure for AIP/ALP. While Citrix has been optimizing this because it was their core business I am not sure how much effort SUN put into that. I am not saying they haven't ..... I am saying I am not sure if it made sense to do that given the little return they had so far.

>Looking at the Propero link here http://www.propero.com/PDFs/factsheet_workspace_connection_manager.pdf

>Clearly, the "Session Broker" sits in the middle. Also, load balancing and other references to "Session Management" are made; this is another tip that all traffic, local and remote, is always routed through the broker. Not as bad as a protocol conversion but also not as ideal as brokering the connection and not staying in the path of communication.

I am not sure if from that picture we could jump to that conclusion. First because it's a basic high level picture and second because they not only do brokering but also secure access so for a very simple picture the layout does make sense even though they don't proxy the connection.

Last but not least I am not sure why you would be forced to proxy the connection if you don't translate the protocol anyway. That is ...... I can understand Citrix / SUN doing that because they need to convert from ICA/AIP to RDP ...... but why would Propero need to do that since the initiator will talk native RDP ?

I am just trying to understand .... not saying that you are wrong.

Massimo.

Massimo Re Ferre' VMware vCloud Architect twitter.com/mreferre www.it20.info
0 Kudos
admin
Immortal

>>Well this is debatable. Others might argue that you are at the mercy of SUN or Citrix and not dependent on a "standard" like the MS RDP protocol. Also consider that while for Citrix this is core business (so less than a problem) for SUN this is really another attempt to enter into this space (after the original failure of the Sun Ray). Now the fact that I work for IBM might lead you to think I am bashing my competitor but in reality I am just sharing my genuine thoughts.

I do not think you're bashing as I understand some parts of IBM have OEMed Sun Rays through partners and are re-selling them. You are debating and trying to draw out the pros and cons. I am not going to go into any great defense for them, they can defend themselves. But from the Sun Ray server to XP it is RDP, they licensed the MS RDP and built their own client so they are investing and have been. It is their protocol from the broker to their device though.

>>I agree with the last part. As per the optimization of the protocols ... I agree for the ICA.. I am not sure for AIP/ALP. While Citrix has been optimizing this because it was their core business I am not sure how much effort SUN put into that. I am not saying they haven't ..... I am saying I am not sure if it made sense to do that given the little return they had so far.

I can confirm they have done optimizations for low bandwidth. Both the AIP and ALP protocols have had work done in this area for some time. Everyone has made improvements recently: MS, Citrix, Sun. I will not disagree it's core to Citrix. For a third party view here is a good paper on the topic, slightly dated though: http://www.ncl.cs.columbia.edu/publications/tocs2003_i2thin.pdf

>>I am not sure if from that picture we could jump to that conclusion. First because it's a basic high level picture and second because they not only do brokering but also secure access so for a very simple picture the layout does make sense even though they don't proxy the connection.

>>Last but not least I am not sure why you would be forced to proxy the connection if you don't translate the protocol anyway. That is ...... I can understand Citrix / SUN doing that because they need to convert from ICA/AIP to RDP ...... but why would Propero need to do that since the initiator will talk native RDP ?

>>I am just trying to understand .... not saying that you are wrong.

The picture is high level but accurate for remote and local cases. Their managed VMs support a wide array of feature functionality, pooling, suspend resume, session resumption etc. When a client connects it establishes a tunnel through the Propero server where session management occurs, is tracked and monitored. If that server fails sessions being proxied, tunneled, routed :) on that server are interrupted.

I confirmed this with a laptop, Propero server and XP VM on ESX. Pointed laptop browser to Propero server, logged in, connected to the desktop established XP session. From the VC console logged into the Propero server and did an ifconfig on eth0. The XP session on the laptop hung.

0 Kudos
admin
Immortal

To be 100% sure, I spoke with Propero today and need to make a correction.

You CAN configure connections NOT to go through the broker. It is handled on a per connection basis and you do NOT lose the functionality of a managed client.

0 Kudos
mreferre
Champion

Warren,

Thanks for the post. Good info. Just to reiterate I was not downplaying SUN. I have added their stuff on my page (again I am really concentrating on the structure at the moment trying to fill the cells where I know I could/should put a yes/no easily). I wouldn't bet they are all accurate though.

I have also inserted additional rows as per Dave's suggestion in his last post.

www.it20.info/misc/brokers.htm

As per Propero I understand that we agree that they do not act as a proxy. I think that what confuses here is the fact that they put a strong accent on Infrastructure access so they are really "how do I access my vm's"-centric rather than focusing on the broker functionalities. This leads them to appear as if they are proxying all connections but in reality they don't need to. At least this is my feeling so far.

Thanks all and keep the comments coming.

Massimo.

Massimo Re Ferre' VMware vCloud Architect twitter.com/mreferre www.it20.info
0 Kudos