Kirill Kedrinski - Fotolia


When workspace tools can stand in as VDI brokers and when they can't

For smaller companies, workspace tools, which bring users' resources into one access point, can work as VDI brokers. VMware and Citrix offer options, as well as some other vendors.

Capable workspace tools provide enough VDI functionality to fill some companies' needs. For others, however, a workspace product is just an adjunct to a more complex VDI deployment.

Workspace tools allow IT professionals to centralize user access to the virtual applications and resources they need to do their jobs by putting everything into a single webpage or mobile application. Workspace applications can be as simple as a list of web links customized to each user, or they can provide access to applications that are not webpages, including old-fashioned Windows applications.

Some workspace tools function like a basic VDI broker by connecting users to their virtual resources. If a VDI shop has fairly simple needs, workspace tools might actually be a better fit than a full VDI product.

What does a VDI broker do?

A VDI broker, which connects users to their virtual resources, must authenticate users securely, especially when the users are on untrusted networks. Then, the broker must present a customized list of desktops or published applications for the user.

When the user launches a desktop, the broker handles single sign-on (SSO), so the user only needs to authenticate once. Usually, the VDI broker also has a function to secure the connection between the user's device and the desktop or published application. Mostly, this is a reverse proxy, which allows authenticated users on an untrusted network to access specific resources on the corporate network. The broker authenticates internet users and allows them to access their desktops through the secure proxy.

The broker's functions overlap with workspace products quite a bit but not completely. VDI brokers are usually responsible for the lifecycle of the users' desktops. And VDI brokers create, update and destroy the desktops, which workspace products do not.

How do workspace tools work?

A typical workspace tool starts by securely authenticating users, possibly from untrusted networks, such as the internet. It also presents a customized list of resources. Most workspace services handle SSO for applications, and a few can provide secure access to applications.

The big difference between VDI brokers and workspace tools is that the workspace doesn't usually provision resources for the user, but adding provisioning is not too challenging. Instead, workspace tools provide access to existing resources. Even without provisioning, a workspace that can provide access to Remote Desktop Session Host (RDSH) for legacy applications may be sufficient for some companies.

What do workspace tools look like?

VMware's workspace tool is Workspace One, and Citrix delivers its workspaces through Citrix Cloud. These products extend a VDI product to also deliver virtualized applications and web links. They both deliver applications to mobile devices, such as smartphones and tablets. The reality is, however, that both vendors are just adding features to their existing VDI tools, with additional complexity. For large customers who need to extend the value of an existing VDI deployment, this is great, but for businesses with less extensive VDI needs, a workspace product with some VDI broker capabilities might be a better fit.

There are also standalone workspace services, such as Workspot from Workspot Inc., which provides workspace as a service. The Workspot portal runs in the public cloud and provides workspaces for users. The user workspace can contain web links, as well as access to RDSH sessions or remote desktops.

In collaboration with Nutanix, Workspot added the ability for IT to provision new desktop virtual machines (VM) for users. The capability is simple. Each user in an Active Directory group gets his own VM provisioned when he first logs in. The VMs are full clones IT manages and updates outside the Workspot interface. But as a basic way of making sure users have access to Windows desktops, it automates the provisioning. Workspot assumes customers already have secure access -- there is no virtual private network (VPN) or reverse proxy capability.

A workspace product should enable multiple devices, not impede them.

Another option is to have a lightweight VDI product that integrates with any workspace portal. Ericom Connect is an HTML5-based VDI broker, with no client to install. Users access their desktops in an HTML5 browser window. The Ericom software sits in a demilitarized zone and functions as the secure gateway between the internet and the user's desktop. For the Workspace product, the Ericom page is just another web application the user accesses. Users can have their Ericom desktops linked alongside other applications, such as Salesforce, in their workspaces.

Why workspace can't replace a complex VDI deployment

Workspace tools may create desktops, but they don't help with lifecycle management once IT creates the VM. Citrix and VMware both have technologies to reduce the disk space desktop VMs use and ease the burden of updating hundreds of desktops. Both also have tools that allow application virtualization, so IT pros don't have to manually install applications after they provision desktops.

Second, workspace products may not provide a secure desktop access layer. Workspot, for example, expects that customers already deploy and integrate a Secure Sockets Layer with their VPN. On a related note, customers should evaluate workspace and VDI access using mobile devices and untrusted laptops. Users want to access their corporate resources from a variety of devices, and a workspace product should enable multiple devices, not impede them.

Next Steps

Explore the future of workspace products

Should you believe the workspace hype?

Take a closer look at Citrix Workspace

Dig Deeper on Virtual desktop management