With a large VDI deployment across seven sites, the U.S. Army has increased productivity using virtual desktops -- although IOPS, Group Policy and security all proved challenging.
Running XenDesktop 5.6 on VMware ESXi and XenApp 6.5 published applications, the U.S. Army Medical Command implemented more than 10,000 virtual desktops at military hospitals in the United States and Europe. Its goal was to improve efficiency by providing doctors with access to clinical care applications from multiple devices.
To achieve that goal, administrators repurposed existing PCs as virtual desktops and deployed Wyse Xenith zero clients for about 10% of the user base. The environment runs AppSense performance management technology to regulate resource usage and the company's environment virtualization software to manage user personalization.
In this Q&A, Lloyd Havekost, virtualization architect at the U.S. Army Medical Information Technology Center, describes the obstacles his team encountered with the VDI project and how users have responded.
What were the users' needs that led to this VDI project?
Lloyd Havekost: The stability, consistency and configuration of the environment wasn't where it needed to be. Doctors told us that they would like to have their email and all their clinical applications available. They see a new patient every 15 or 20 minutes, so if it's a 3-minute logon time to get to an application, that's not a very good experience.
Why did you choose to run XenDesktop on VMware?
Lloyd Havekostvirtualization architect, U.S. Army Medical Information Technology Center
Havekost: We integrate with Medical Health Services, and they had purchased a lot of Citrix licenses for another project. We stayed with VMware because our XenApp servers and virtual desktops are non-persistent, and we wanted to avoid putting agents in the servers. Antivirus is very important because you're dealing with military information, and our McAfee HBSS [Host Based Security System] software didn't lend itself to using the proper security policy. So, we moved to Trend Micro, which integrates with VMware's hypervisor and means you don't have to install an agent; you use the hypervisor to implement the security policy.
How did mobile access fit into the VDI project?
Havekost: When you log off one device and onto another, you're waiting a long time and there was no roaming of the user personalization settings. This is where AppSense and Citrix come in. If users want to connect to their iPad remotely from home, they can now access the application through a virtual desktop … instead of using a VPN [virtual private network] to log in.
In a military environment of course, there is concern with BYOD [bring your own device]. Using HTTPS encryption between the endpoint and the data center, we try to encrypt capabilities for downloading files when using an iPad. We have also weighed other tools, like Good, but we're really waiting for Citrix to come out with encryption as part of their solution; they're just not there today. We don't want to go down the mobile device management road because that kind of defeats the purpose of BYOD.
Were there any applications that weren't easy to virtualize?
Havekost: Dragon NaturallySpeaking for voice dictation. It's very convenient for the doctors to prescribe medicine by talking into a computer instead of typing, but it's a difficult app to virtualize because it has a very heavy footprint. To work around the issue, we're engaged with the application's manufacturer to develop an enterprise edition that can offload some of the processing to an endpoint device.
What were some other challenges?
Havekost: The problem with storage is you get a site assessment that basically gives you an inventory of what applications users have and how much CPU, memory and bandwidth those apps use. But that is a point-in-time measurement; it's just an average. Initially, the IOPS were substantial for the permanent number of disks on the SAN [storage area network]. With our new Atlantis storage, we can go to 200 IOPS for a short window and there's no impact on the network or SAN.
Probably the most difficult thing we encountered is that all of these sites have their own Group Policy Objects that manage the security of Windows. So, when AppSense is trying to capture user personalization settings when everyone is doing their Group Policy differently, you run into problems.
Printers are also always a problem. Session awareness becomes very important, for instance, if you need to know that a user has moved from a laptop-connected printer to 'Office Printer A.'
Also, being given applications and not knowing exactly how they work. Case in point: Alta, a clinical application for patient records, has a default time-out of 15 minutes, and Citrix's XenApp servers didn't see that time-out setting so you lost your Alta session after 15 minutes.
How have IT and users responded to the VDI project?
Havekost: It's difficult to explain to folks how to use a totally new interface with Citrix. As [systems admins at the hospitals] get more familiar with the setup, we'll start delegating more and more responsibility to the sites. When something happens, people immediately assume it has to do with VDI.
Has desktop virtualization improved productivity?
Havekost: Absolutely. Some of the sites previously tried VDI on their own and failed because they didn't have a complete solution or enough disks, etc. Some had issues where their database went down and nobody could access their desktops. All of these things give folks skepticism, and rightfully so. It's been difficult to win them over, but when users see how well it works when done correctly, there's overwhelming open-mindedness.