There are a lot of factors to take into account if you want to succeed with a virtual desktop infrastructure. Networking, security and application selection are just a few of them.
In part one of this series, we learned how virtual machine density and storage
VDI relies on the network to deliver the entire end-user experience, not just whatever network resources the user is accessing. For that reason, it's vital for VDI success that the network infrastructure between users and VM hosts be robust.
With VDI, the biggest networking issue typically isn't bandwidth, but latency. This becomes most problematic when the desktop display data is rendered across the network, as with Microsoft's Remote Desktop Protocol or Citrix's ICA. Some latency can be offset by using the client's own resources -- Microsoft's RemoteFX, for instance -- but this works only if you're using clients that support such optimizations in the first place.
The other problem is that most of the network issues are not in the data center itself. It's the traffic sent over the WAN to remote clients that runs into the biggest stumbling blocks. This is yet another reason to use protocols and optimizations that keep WAN traffic to a minimum.
Some third-party solutions have sprung up to address this. F5 for VMware View, for example, claims anywhere from 4:1 to 12:1 improvements in WAN bandwidth conservation by using HTTPS to transport the bulk of the data.
Keeping things secure
Since they're not physical boxes under a desk, virtual desktops aren't vulnerable to casual physical intrusion. But they're not immune to security problems.
User error and careless browsing can cause the same type of damage as can be caused on a conventional desktop, so virtual desktops must be secured like physical endpoints. The back end should be isolated as much as possible, and individual desktops should be kept patched and protected with whatever measures are appropriate to your organization.
User data itself should also be protected, whether via on-disk encryption on the host or by preventative steps, such as forbidding copying to the client device.
The security of the network link itself is also vital for VDI success. Connections should always be encrypted, and two-factor authentication is never a bad idea if you can implement it. Connections to the VDI host should always be brokered through a firewall or other perimeter-protection system. A VMware white paper on the subject breaks out many individual points to consider for network security.
More networking and security tips
How app delivery and security affect VDI
Guide to virtual desktop security
Network management guide for VDI admins
The choice to deploy VDI should be determined at least in part by the applications used in your environment. Apps that are heavy in I/O or graphics -- video-editing suites, for instance -- are poor choices for desktop virtualization and should be run locally whenever possible.
Even if an application looks as if it might be a good candidate, the way it is used in your organization may defy common sense. Record its I/O and resource usage over the course of a few days. If its usage is modest, or bursty at most, it ought to be delivered via VDI without issues. Note also that a per-user approach -- rather than a per-application one -- also helps here, because users with different workloads can make markedly different use of the same apps.
VDI technology is still swiftly evolving, and it rarely works as a mere drop-in solution for cutting costs or enhancing security. The more thought you put into a VDI deployment -- why you're doing it and what you want from it -- the more it'll pay you back.
This was first published in September 2013