VMware Horizon Community
JLogan3o13
Contributor

Interested in other experiences re: "PC on a stick"

I'd be interested to see any feedback on what other forum members have done, or what you have plans to do, in regards to our setup below. It's a bit of a read, but I am curious if anyone has done something similar, or if you've found a commercial device to do what we ended up doing.

Setup:

     Our company is preparing for a rollout of up to 150 VDI users, both internal and external, in the coming months. Part of this group will be remote employees that work 100% from a home office, as well as a group of "road warriors". There is also a growing initiative toward "bring your own PC" that we are being asked to take into consideration. We deal in sensitive information, so if at all possible all data needs to reside completely within the data center and only be accessed remotely, as opposed to pulling down a VM to the local machine.

Challenges:

     Internally, this does not pose much of a problem. We have already successfully completed both a POC and a formal pilot of internal users. We use the Samsung NC240 PCoIP monitor, with an HP L2245wg for those roles that require a second monitor (LOTS of screen real estate!). The hurdles come in with the remote users.

     We attempted to start with the home-based remote users. Currently they are issued laptops, and log into our SSL VPN. Once logged in, they have full VPN access, and work as they would in the office. Our thought was to embed a link to the VDI session into the home page of the VPN. Once the user logged in and clicked the link, their VDI session would commence. We found, however, that the Juniper device we used would only support RDP on the sessions, rather than full PCoIP. Installing the View client locally, and having the users run this, solved the problem with PCoIP, but was sometimes very slow. Also, as the users were running the View client on top of a full XP laptop, they would often only do certain tasks in the VDI session, and run other tasks locally. This defeated the benefits of VDI.

     Road warriors are even more of a challenge. They often have spotty connections from wireless at coffee shops or personally purchased mobile broadband cards. Also, the process to log in to the VPN, run through all of our network policies and drive mappings, and then launch the VDI session was too long for them. Lastly, many are now carrying their own personal laptops/MacBooks/iPads/etc. and would like to get down to one device that can be used for both work and personal surfing.

Our solution:

     As technical lead on the desktop side of the VDI environment, I've worked at slimming the images down. We now have about 90% of our applications virtualized through ThinApp, and have a single Master Template from which all users get a dynamic, non-persistent machine. Roaming profiles are employed, so once the user logs out the machine is shut down and deleted. A new machine is then added to the pool. Internet proxying and content filtering have actually allowed us to remove AV from the template, as any infection would be deleted as soon as the user logs out (we care only about keeping it from propagating WHILE the machine is active). These additions to the environment helped a lot with the general response time of the machines, and seem to have worked well for us.

     To resolve the issue of BYOPC, I've done a lot of research online. A lot of companies have an offering under this umbrella, but it is usually a case in which a copy of the VM is "checked out" and copied locally. The user then has so many days to use the copy without connecting back to the network. After the time expires, they must re-sync to continue using the machine. But this didn't satisfy all our needs, and made our security guys nervous.

     In the end, just because I'd not seen anyone else who's done it, I turned back to ThinApp. I began by virtualizing IE7.0 and saving it off. I then virtualized the View 4.5 client, with all of our company-specific settings (was amazed when this worked!). I then linked the two, and installed them on an encrypted thumb drive. So when a user inserts the thumb drive, the order of events is:

  • The ThinApp'd version of Internet Explorer comes up, with the home page set to our VPN.
  • The user logs in as they normally would. However, instead of full VPN connectivity they receive ONLY access to the VDI server.
  • Once the login is complete, the virtualized View client automatically launches. The user authenticates, and is granted access to their VDI desktop.
  • Once the user is done, they log out of the remote session. Once they have logged out, all of the ThinApp stub files are deleted out of the user's directory, leaving no remnants of the remote session behind.
  • If the user wants to log back in, they must remove and reinsert the thumb drive.
  • We have successfully tested on all Windows versions, as well as thin client laptops with Linux kernels as well as XP Embedded. We plan to test in the next week or so on an iPad.
4 Replies
Suiname
Enthusiast

Would booting into a different OS on a USB stick be an option for these remote users? I recently found out about 2x cloud client, an OS that includes many clients to connect to a VDI environment, including a VMware View client which supports PCoIP. Since you can live-boot, the users wouldn't have to make any changes to their existing machines at all, and since it is a customized Linux kernel, it pretty much supports almost any device they could possibly have that can boot from USB (you can also install the OS permanently if you don't want to live boot all the time). Check it out here http://www.2x.com/ccos/ and see if you like it; it's also free.

idle-jam
Immortal

If you need PCoIP features, I would suggest VDIBlaster from DevonIT.

Joxster
Contributor

I have been going through pretty much the same thing, apart from the fact that we cannot allow users to have booted into their own PC and connect to our network via it.

I came up with a solution from Becrypt (http://www.becrypt.com) which boots in a secure encrypted USB stick which can come with Cisco VPN VMware View client, so the user just connects to the VPN and runs VMware View. Works well.

anonimous
Enthusiast

And how much does the licence cost per Cisco VPN VMware View client by Becrypt (http://www.becrypt.com)?
