HOB VDI Business - Virtual Desktop Infrastructure

1. Overview

1.1. The Technology

With VDI technology, single-user operating systems such as Windows XP or Windows Vista no longer run on the user's desktop PC, but in the computer center. These operating systems and the applications running on them run in the computer center as virtual machines.

1.2. Access via the RDP Protocol

Access from the client is usually done over the performant RDP protocol (Remote Desktop Protocol), which is included as standard in the Windows XP Pro and Windows Vista operating systems. In the corresponding Home Editions, however, the Microsoft RDP server is not enabled. With HOB VDI you can have either direct, unencrypted access or SSL-encrypted access using the comprehensive secure remote access solution HOB RD VPN.

1.3. SUOS Pool

With HOB VDI you have a pool of VDI Single-User Operating Systems, in short SUOS. When a user starts his RDP client, he is automatically assigned a free SUOS. If the connection is interrupted, the SUOS remains in the disconnected state for a configurable amount of time, and the user merely has to restart the RDP client to automatically reconnect to the session.

1.4. Different Than Terminal Server Solutions

VDI, as compared with WTS (Windows Terminal Services), has the advantage that applications can be used that are not WTS-capable. Also, the individual VDI users are more isolated from each other, which is often a desirable security advantage. With VDI, however, one requires considerably more hardware than with WTS.

1.5. The Solution: HOB VDI-WSP

With VDI-WSP, access coordination is performed in the HOB WebSecureProxy (WSP); the HOB WebSecureProxy is a component of the comprehensive security solution HOB RD VPN. HOB RD VPN is SSL-based. Access is browser-based without any installation on the client, and the user does not need any administrator rights.

2. The Architecture

2.1. The Load Balancing Technology

HOB has a patented technology for load balancing for WTS (Windows Terminal Services), which is also used for HOB VDI. The RDP client sends small UDP packets to find the server or VDI single-user operating systems, in short SUOS. These UDP packets can be sent as a broadcast, or one has a server list and UDP unicast packets are sent to all servers or SUOS (or relays, see below). If there is an available SUOS or a reconnect can be carried out, that SUOS responds with a corresponding UDP packet. If an RDP client receives several UDP packets in response to its load balancing request, the RDP client can select the best-suited server or SUOS.

2.2. RDP Components with HOB Load Balancing

Load balancing is integrated into the Java RDP client HOBLink JWT (Java Windows Terminal). HOB load balancing is also integrated into the server component HOB WebSecureProxy (WSP), which is part of the comprehensive security solution HOB RD VPN. The HOB WebSecureProxy encrypts data being sent to the client with SSL.

2.3. The VDI Agent

The program ibbslb02, the VDI Agent, is an inherent component of the HOB VDI solution. This VDI Agent is installed on each SUOS, e.g., Windows XP or Windows Vista, and runs as a service. The VDI Agent knows the current status of the SUOS. The VDI Agent receives UDP packets for load balancing or VDI administration. When required, the VDI Agent responds with corresponding UDP packets.

2.4. The HOB VDI Administration Tool

For the HOB VDI solutions there is a corresponding administration tool. This tool is an MMC (Microsoft Management Console) Snap-In in compliance with the standard MMC version 3. With this administration tool an administrator can query all VDI SUOS and the current state of the corresponding system. An administrator can also use the administration tool to actively intervene in the SUOS and force a disconnect or user logoff. The administration tool can also be used to shut down or restart one or more SUOS.

The administration tool sends UDP packets to the VDI Agent. These packets carry an encrypted password. Each SUOS has a list of valid passwords and also information on whether the password allows only queries or also active intervention in the SUOS. In addition to password encryption, the UDP packets also carry a timestamp, which prevents replay attacks.

2.5. Functions of the HOB RDP Client HOBLink JWT

If the user uses his desktop as a VDI over the HOB RDP client HOBLink JWT, he can do anything he could do at a local workstation. Thanks to the resource-saving RDP protocol, access is highly performant. This is especially so when data is being sent over the Internet. The user can copy and paste between the local client and the SUOS over the RDP protocol and the clipboard. The user can print at the local client; this is simplified via HOB EasyPrint, which operates driver-independently. Audio from the SUOS can be output at the local client. Via the integrated Local-Drive-Mapping, data can be exchanged between the local client and the SUOS.

3. HOB VDI-WSP

3.1. Access Over HOBLink JWT

The solution HOB VDI-WSP is a component of the comprehensive security solution HOB RD VPN. The Java RDP client HOBLink JWT (Java Windows Terminal) is used as the client component. Neither a local installation on the client nor administrator rights are required; everything is browser-based. HOBLink JWT, as it is a Java program, is platform-independent; thus, one can use HOB VDI-WSP to access the SUOS from Windows, Linux or Apple Mac. This access is secure as all data are SSL-encrypted. Access can be made over the Internet, for example, from home, a hotel, a business partner's location or on the road from a laptop. Access can also be made from an Internet café, if desired (this can be disabled).

3.2. Authentication

When someone wants to use HOB VDI-WSP to access a SUOS, he first starts a browser, enters the appropriate URL and then authenticates himself. User authentication can be carried out in three different ways, depending on the corresponding installation:

Authentication is carried out over the browser, which is connected to the WSP over an SSL / HTTPS connection. Thus the authentication is already encrypted and secure. Depending on the complexity of the corresponding HOB RD VPN installation, the user then arrives either directly at the VDI-WSP or first makes a selection of the desired activity.

3.3. Inspection of the Client PC

As of HOB RD VPN 1.3, the client can also be inspected as to certain criteria before access to enterprise-internal data is granted. When desired, this can be determined during installation in the enterprise network.

3.4. The HOB WebSecureProxy

The core component of HOB RD VPN is the server component HOB WebSecureProxy (WSP). The current version of the WebSecureProxy is 2.2 and is available for Windows, Linux and Unix in altogether 11 different platform-specific versions. The WSP can also run in HOB SCS, the open-source, Unix-based server operating system from HOB. HOB SCS stands for HOB Secure Communications Server. The WSP works with SSL encryption. HOB SSL supports all conventional encryption algorithms, including AES (Advanced Encryption Standard) with up to 256-bit key lengths. The HOB WSP has an integrated Web server; the components of the Java RDP client HOBLink JWT are preferably downloaded from this integrated Web server. It is also possible to do a Java installation of the Web server built into the WSP. For server authentication over SSL the WSP needs an X.509 certificate, as is also used, e.g., in Web servers with SSL / HTTPS. The HOB WSP has an integrated RADIUS interface, enabling authentication against all conventional RADIUS servers. The HOB WSP has special built-in functions for VDI-WSP, e.g., the communication with the VDI Agents.

3.5. Twin Trimming

When one uses HOB VDI-WSP and wants to avoid having a single point of failure, several WSPs should be installed. Load balancing for these WSPs can be activated via several Internet addresses in a DNS server or also using round-robin.

There is then the problem that, under certain circumstances, two WSPs assign the same SUOS to different clients. To avoid this, the so-called twin trimming functionality is built into the WSP; several version 2.2 WSPs communicate with each other over UDP, and thus this problem does not arise.

3.6. Configuration Data and HOB Enterprise Access

VDI-WSP needs configuration data. The security-critical configuration data for the WSP are stored in an XML file, therefore they need not leave the DMZ. To configure these XML files HOB supplies a convenient and platform-independent Java GUI program. Additional, optional configuration data can be stored in HOB Enterprise Access. HOB Enterprise Access is the central component for comprehensive configuration data. HOB Enterprise Access uses either an integrated database, or the data are saved to an LDAP server. HOB Enterprise Access supports all conventional LDAP servers as well as Microsoft Active Directory. When HOB Enterprise Access is configured to store data in an LDAP server, the required structures are created via a schema extension.

3.7. Server for the SUOS of the VDI-WSP

The SUOS, either Windows XP or Windows Vista, needs hardware on which it is installed and running. With the solution HOB VDI-WSP the SUOS can run virtualized on correspondingly large servers. With HOB VDI-WSP, any virtualization software can be used, as long as it supports Windows XP or Windows Vista as guests. Among these are products from VMware, Microsoft or XEN, to name the most important ones.

3.8. Other Information on HOB VDI-WSP

HOB VDI-WSP is part of the comprehensive security solution HOB RD VPN. HOB RD VPN has been certified in accordance with the Common Criteria by the German Federal Office for Information Security (BSI, Bundesamt für Sicherheit in der Informationstechnik). In larger installations, all HOB RD VPN components can be redundantly installed in the enterprise network. Thus there is no single point of failure and uninterrupted operation is possible. The HOB VDI-WSP solution was previously named HOB Desktop-on-Blade.
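The admin-request check described in section 2.4 (a list of valid passwords per SUOS, each marked as query-only or allowed to intervene, plus a timestamp against replays), modelled as an added example; this is not HOB's code or wire format. The packet layout, the use of a keyed hash over command and timestamp instead of a transmitted encrypted password, the 30-second freshness window, the per-password replay cache and all credential values are assumptions.

```python
import hmac
import hashlib
import time

# Constructed credential list (assumption): each SUOS holds valid admin
# passwords plus whether that password may only query the SUOS or also
# actively intervene (disconnect, logoff, shutdown, restart).
CREDENTIALS = {
    "monitor-secret": {"intervene": False},
    "ops-secret":     {"intervene": True},
}
QUERY_ONLY = {"query"}
INTERVENTION = {"disconnect", "logoff", "shutdown", "restart"}
MAX_SKEW_SECONDS = 30      # assumed freshness window for the timestamp

def _tag(password, command, ts):
    # Keyed hash binding the command and timestamp to the password, so the
    # password itself never travels in the UDP packet (assumed design).
    return hmac.new(password.encode(), f"{command}|{ts}".encode(),
                    hashlib.sha256).hexdigest()

def build_request(password, command, ts):
    """Administration-tool side: the packet the VDI Agent will receive."""
    return {"command": command, "ts": ts, "tag": _tag(password, command, ts)}

class VdiAgentAuthorizer:
    """VDI-Agent side check for an incoming admin request."""
    def __init__(self, credentials, now=time.time):
        self.credentials = credentials
        self.now = now            # injectable clock, for testing
        self.seen = set()         # (password, ts) pairs already accepted

    def check(self, request):
        cmd, ts, tag = request["command"], request["ts"], request["tag"]
        now = self.now()
        if cmd not in QUERY_ONLY | INTERVENTION:
            return "reject: unknown command"
        # Timestamp outside the window: stale or clock-skewed, drop it.
        if abs(now - ts) > MAX_SKEW_SECONDS:
            return "reject: stale timestamp"
        # Forget cache entries that can no longer pass the window check.
        self.seen = {p for p in self.seen if abs(now - p[1]) <= MAX_SKEW_SECONDS}
        for password, rights in self.credentials.items():
            if hmac.compare_digest(_tag(password, cmd, ts), tag):
                if (password, ts) in self.seen:
                    return "reject: replay"      # same packet inside the window
                if cmd in INTERVENTION and not rights["intervene"]:
                    return "reject: password allows queries only"
                self.seen.add((password, ts))
                return "accept"
        return "reject: bad password"
```

Note that a timestamp alone only narrows the replay window; the seen-set is what rejects a duplicate packet that arrives while its timestamp is still fresh.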
Author: KB. Edited: JR 08.03.11, JR 01.07.11, JR 16.01.12