buckethead
Hot Shot

How to handle workstation and Virtual PC in the environment

We have a pretty good-sized virtual environment that is growing every day. We are currently a mix of VI3 and 2.5.x, with no Lab Manager at the moment. I have been asked how we want to handle installations of VMware Workstation in the environment.

My question is how are people handling this in other companies? Are you prohibiting virtualization on the workstation and forcing the users to utilize the servers?

For the people that are allowing people to utilize Workstation, are there concerns about insecure machines being built and brought online?

I don't think we have a large number of workstations in the company, but there could be a lot of Microsoft Virtual PC since it is free.

I have thought we could encourage people to utilize Lab Manager instead of Workstation, but it would take time to get that implemented.

peetz
Leadership

Hi,

this is a tough question since it depends on so many factors: available resources (human and computing resources), your users' skills, support structures in your organization, access and security policies, etc.

A while ago I decided against having Workstation users on ESX/VirtualCenter. Why?:

People using VMware Workstation mostly do this because they want to have a maximum amount of flexibility and features available. First of all ESX will always be behind the Workstation in terms of features available, because new features (like the brand new Record/Replay) will be made available in the Workstation product first.

Okay, ESX has the snapshot manager, and this is enough for most people using VMs for test/dev purposes, but now imagine what happens if you allow a lot of users to use snapshots and other advanced features on your VI3 environment: It will soon get in an uncontrollable state.

The free VMware server might be an alternative here, but it is not as manageable as ESX/VC. We currently do not deploy VMware Server, because we do not want to have another Virtualization environment to take care of. For us it is a question of standards to implement and human resources that are not available.

So, if you allow lots of VMware Workstation installations in your company you will of course get another problem: Managing the local VMs, at least in terms of patch compliance. VMware tries to address this with its VMware ACE product. We do not use it, but I think we probably should. At least, it is worth looking at.

\- Andreas

Twitter: @VFrontDe, @ESXiPatches | https://esxi-patches.v-front.de | https://vibsdepot.v-front.de
chandlm
Expert

I have a similar situation where we have a dedicated test/dev VI3 server for the developers and any other test boxes. When we were asked about using Workstation/Server we made a decision that for security and management issues we would prefer the test desktops, etc. be on that server as well. Once we put them there we were told that doesn't work because the developers want control of them. Of course when I ask what they mean by 'control' and what they need that is not available with the provided solution I get no answer.

:)

Rob_Bohmann1
Expert

One thing to be careful about if you have workstation out in your environment is the risk of someone incorrectly setting up networking on their Workstation and allowing another DHCP server to advertise on the network. We have experienced this a couple of times, and it can be difficult to determine which workstation is doing this, and the consequences are not pretty.

sbeaver
Leadership

LOL oh you bring back some memories :)

Steve Beaver
VMware Communities User Moderator
VMware vExpert 2009 - 2020
VMware NSX vExpert - 2019 - 2020
====
Co-Author of "VMware ESX Essentials in the Virtual Data Center"
(ISBN:1420070274) from Auerbach
Come check out my blog: http://www.virtualizationpractice.com/blog/
Come follow me on twitter http://www.twitter.com/sbeaver

**The Cloud is a journey, not a project.**
dpomeroy
Champion

Our rule is generally that if someone is going to bring a Server OS online and attach it to our network, then it needs to meet all our standards for security, build standards, management, etc., regardless of if it is a VM, physical server, or a desktop in someone's cube.

buckethead
Hot Shot

That is definitely a concern that I have.

You are bringing back some bad memories. We had a desktop guy studying for his MCSE back in 2000 take down the whole network while he was setting up his 'lab'. That was a bad day.

buckethead
Hot Shot

We have the same rules, but it is sometimes difficult to catch them. We have things set up so that as soon as they join the domain we have our framework installed and set up on the machine.

Do all of the virtual instances on workstation have a certain MAC address? I am pretty sure they do and I just can't recall what it is. We could have networks scan for those devices to help us find the virtual machines.

0 Kudos
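One way to run the MAC-based scan asked about above, and to tag the source of an unexpected DHCP server like the one described earlier in the thread (an added example, not part of any poster's reply). The OUI prefixes are vendor-registered values; the sample ARP output, the addresses and the function names are constructed for illustration.

```python
import re

# OUI prefixes registered to virtualization vendors. MACs are user-changeable,
# and NAT-mode guests never expose their own MAC on the LAN, so treat a miss
# as "unknown", not "clean".
VM_OUIS = {
    "00:05:69": "VMware", "00:0C:29": "VMware",
    "00:1C:14": "VMware", "00:50:56": "VMware",
    "00:03:FF": "Microsoft Virtual PC", "00:15:5D": "Microsoft Hyper-V",
}
MAC_RE = re.compile(r"\b[0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5}\b")
IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")

def vm_vendor(mac):
    """Return the virtualization vendor for a MAC, or None."""
    return VM_OUIS.get(mac.replace("-", ":").upper()[:8])

def find_vm_hosts(arp_output):
    """Parse `arp -a` text (Windows or Linux layout) into (ip, mac, vendor) hits."""
    hits = []
    for line in arp_output.splitlines():
        mac, ip = MAC_RE.search(line), IP_RE.search(line)
        if mac and ip and vm_vendor(mac.group()):
            norm = mac.group().replace("-", ":").upper()
            hits.append((ip.group(), norm, vm_vendor(norm)))
    return sorted(set(hits))

def unauthorized_dhcp(offers, authorized_ips):
    """offers: (server_ip, server_mac) pairs seen in DHCPOFFERs.
    Return offers from servers outside the allowlist, tagged with VM vendor."""
    return [(ip, mac, vm_vendor(mac) or "physical/unknown")
            for ip, mac in offers if ip not in authorized_ips]

# Constructed sample data (not from the thread); both arp layouts are mixed on purpose.
SAMPLE_ARP = """\
Interface: 10.20.0.1 --- 0x4
  Internet Address      Physical Address      Type
  10.20.0.15            00-0c-29-3a-1b-7f     dynamic
  10.20.0.22            00-1e-4f-aa-10-02     dynamic
? (10.20.0.31) at 00:03:ff:12:34:56 [ether] on eth0
? (10.20.0.40) at 00:50:56:c0:00:08 [ether] on eth0
"""
SAMPLE_OFFERS = [("10.20.0.2", "00:1e:4f:00:00:01"), ("10.20.0.15", "00:0C:29:3A:1B:7F")]

if __name__ == "__main__":
    for hit in find_vm_hosts(SAMPLE_ARP):
        print("VM NIC:", *hit)
    for rogue in unauthorized_dhcp(SAMPLE_OFFERS, {"10.20.0.2"}):
        print("Unauthorized DHCP server:", *rogue)
```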
buckethead
Hot Shot

Andreas,

So at this point how is your company managing all of the installations of VMware workstation in your environment? I am not totally opposed to them being out there I just want to make sure we know about them and can report against them to show they are not a potential security issue.

peetz
Leadership

We do not have so many installations of VMware workstation. We currently do not support it as a software package that can be requested through normal workflows and then deployed via SMS.

Regular users are also not able to install it on their own, because they lack Administrators' rights on their workstations. So, currently, it is mainly used by IS staff that has sufficient skills and awareness of the related security and management issues.

And if we want to discover any "unauthorized" installation of VMware workstation (or any other application) we can do this via SMS Software inventory.

However, some day we might arrive in a situation where more and more users request having VMware WS installed on their desktop (and can explain that with a real business need), and then we'd better have a good strategy/product available. Right now I do not have any good ideas besides looking at the VMware ACE product and seeing if and how the various issues are addressed there.

\- Andreas

Twitter: @VFrontDe, @ESXiPatches | https://esxi-patches.v-front.de | https://vibsdepot.v-front.de
buckethead
Hot Shot

Thanks for the information. We use a product like SMS and I can find the instances of workstation that are on Windows machines.

I appreciate all of the thoughts and insight that everyone has provided on this question.
