Consider desktops in the cloud for BYOD
- 21 May, 2012 14:29
Desktop-as-a-Service is an interesting way for IT execs to provide cloud-based Windows desktop sessions, as well as shared resources such as storage. DaaS can help companies roll out new desktops and support Bring Your Own Device policies.
DaaS or Hosted Virtual Desktop (HVD) providers offer a pristine, policy-controlled session (either persistent or ad hoc) that can be accessed by a wide variety of devices. If you have an iPad3 and a Bluetooth keyboard, you're in. Mac? You're in. An old and wheezing Windows XP patched-to-death machine? You're in. The machine used to access a DaaS session is largely irrelevant to the session's use, which can be for standard "office" functions, or as part of an application-specific setup.
The products we tested ranged from simple to comprehensive. All of the DaaS service providers in our test -- Desktone, dinCloud, ICC Global Hosting, Applications2u, and Nivio -- used a Citrix infrastructure to provide desktop sessions. But each of them arrived at their product offering from a different perspective, and sometimes, with a different attitude.
For this test, we accessed cloud-based sessions in three different ways: Comcast residential broadband, Comcast 'business' broadband (higher data rate), and through several different VM configurations via our data center installation at nFrame in Carmel, Ind.
We logged on via browsers or through the DaaS vendor's proprietary application. Nivio could use Flash or HTML5; Desktone used Quest vWorkspace, while the rest used varying Citrix apps to logon to the HVDs.
We liked Nivio for its very simple configuration. And Nivio's "happiness messages" (headers and banners that customers could configure with their own slogans) showed that it wants to appeal to more than just stodgy geek-types. DinCloud had strong and fast performance.
Desktone was highly configurable. ICC Global Hosting (ICCGH) had a strong vertical application feel, and Applications2u seemed targeted towards independent software vendors (ISV) and application providers that prefer an entire desktop offering rather than just a web-based app.
Some of the service providers in this test have an involved customer intake process (Desktone, dinCloud, and ICCGH), while others were more like "desktops on the hoof" (Applications2u and Nivio). The intake process is important for several reasons, as the number of decisions that need to be made prior to deployment requires planning and thought.
We could only find support for hosted Windows (Windows 7 and Windows 2008R2 "terminal") sessions. You can't find Mac OS because of Apple's licensing constraints, and hosted Linux sessions are difficult to find.
In terms of productivity applications, most of the vendors could supply Microsoft Office and SharePoint. They also expressed a willingness to brand DaaS desktops with organizational logos, "stock" applications and resource links, as well as to negotiate preloaded software for both persistent and ad hoc sessions.
How DaaS works
In the simplest form, DaaS is like Remote Desktop Protocol (RDP), Virtual Network Control (VNC), and similar provisioning that dates back to the PCAnywhere days, where you got screen, keyboard, and mouse (at minimum) connected to another computer, so as to use that system as though you were sitting comfortably nearby.
Today's iteration is Virtual Device Interface-Infrastructure (VDI), which includes the basics, plus sound, local drive, and local ports (like USB). VDI can be accomplished on premise or in the cloud.
DaaS service providers are the gateway for cloud-based connectivity, which includes virtualized desktop sessions and applied administrative constraints. The selling points are hosted external applications, shared storage resources, joining DaaS resources as extensions of an existing (or new) Active Directory infrastructure, and extended device compatibility in a BYOD scenario.
Here are the individual reviews:
Desktone uses Citrix components mixed with its own desktop portal and management infrastructure. The Citrix pieces, including session access applications like Citrix Receiver, give remote users choices for what kind of device, such as a Mac or a Windows XP client, might be compatible with a Desktone-hosted Windows 7 session.
Hosted sessions can reside in an isolated Active Directory or workgroup environment, or could be connected via a VPN (many types are supported) linking Desktone's provisioned desktops and network with a customer network.
VPN connectivity can be problematic because of the varying types of VPNs possible. Those connected with firewall and VPN appliances are said to be the most easily (and quickly) deployed.
The customer intake process revolved around deciding on networking characteristics, choosing different hosted desktop variants based on an average installation, then upgrades to hosted sessions based on memory, disk and number of CPUs (up to four) that would be hosted on Desktone's cloud, which consists largely of blades in a multi-tenant environment.
Like several other DaaS service providers we tested, Desktone has an administrative portal application to manage DaaS operations security and asset formation (making customized versions of Windows 7 for DaaS access). Also, like other DaaS service providers tested, we found we could join our Active Directory network logon characteristics if needed; a network "join" is available for VPN purposes, too.
The Desktone portal allowed us to check site configuration, desktop asset distribution and pools, which are aggregations of resource groupings. Pools allowed us to differentiate RDP-connected machines by resources, like local-to-session clipboard, drive, printer, smartcard or COM port connectivity.
Dividing pools in this way allows an organization to create Active Directory pools, then to differentiate between persistent and non-persistent sessions, and then to aggregate local resources.
Desktone provides the ability to try instances prior to deployment through administratively accessed instances that use Windows SysPrep (as opposed to image snapshots, so as to correctly establish the hardware licensing requirements for Windows 7); the process should be familiar to Microsoft admins.
The landing URL (the starting page that clients access via a browser) can be customized with organizational logos and imprints. It's also possible to link to third party trouble-ticket applications and systems management applications. We found out about Desktone through an announcement by Quest Software that its applications will soon be able to resource-manage Desktone's portal and DaaS resources under their "umbrella.''
The Citrix infrastructure helps expand accessibility; common desktop operating system browser connections are available, as well as various Citrix Receiver clients for devices ranging from iOS and Android through Linux, Mac OS, and of course, older and newer versions of Windows. This would also hold true for other DaaS service providers we tested.
The Desktone speed was very good in our light performance testing, and we encountered no difficulties using Windows 7 instances. We'd like to see stronger password and smartcard use, as we could change passwords to those easily cracked by dictionary attacks, although passwords are wrapped by the default https session encryption.
Desktone was fast and easy to provision, made easily accessible by the largely Citrix-based connectivity infrastructure. Performance was good, and extensibility to existing networks should be simple.
The dinCloud client is vWorkspace from Quest Software. On Windows clients, that means Flash is used, although there are other client-types that don't use Flash, like the iPads and other devices under iOS and Linux. The vWorkspace software gave us rapid access under Windows 7, but requires a few user-side settings (that can be scripted, if you're gifted) on other platforms. The results, however, are pretty spectacular for users.
If you've used Windows 7 on a desktop or notebook, subject to your connection speed, you get an identical experience. Our connection was fast, and it was difficult to tell that it wasn't the resident host operating system on our clients. The caveat is that we have a strong broadband connection and couldn't detect any latency at all. Those with slower connections or congestion may experience weaker response. Those searching for a remotely-hosted Windows 7 session that feels like a hypervisor-based Windows 7 session will be pleased.
The administrative experience for dinCloud is very simple, and it's not for civilians, although civilians/users can be given policy-controlled choices. DinCloud presented us with an organizational URL and a base set of users; then we were required to update to Adobe FlashPlayer 10+. The yourorg.dinCloud.com landing URL was called, a link was provided and the sessions began.
The vWorkspace client supports RDP, ICA, and even VNC (although potentially unencrypted) access protocols, and logged us on quickly, but it took a bit of work to get Firefox 11 working; IE 8/9 worked easily to access sessions. There is also a dinCloud Server offering, but this was not tested.
The Quest vWorkspace client supports device sharing; it's possible to administratively permit/allow sharing of local drives, printers, COM ports, smartcards, USB devices (where Windows 7 supports them), "Universal Printers" (print to PDF, etc), microphone and interactive clipboard contents. Screen sizes can be autosized or forced to default geometry. We could also set performance optimizations and add various speed enhancements, including media player redirection (Windows Media Player pops up locally, if available, rather than drag it through the session connection).
Overall, dinCloud was fast, and the intake process was professional and showed skills at varying architectural possibilities. If we wanted to rapidly join a flock of policy-enforced, yet generic Windows 7 desktops together, dinCloud would be our choice.
The Nivio experience was different than the other DaaS providers, following a model that's very retail-like on the surface, but had some depth of configuration. Based on Citrix XenServer, Nivio used a commodity-based session model for its desktop services. You can get persistent or non-persistent sessions, rent or license apps, and use the session-spawned "nDrive" to save and collaborate pre-loaded or production data among groups of users. The feel of Nivio is more ad hoc (and for less formal deployments) and spontaneous. There's an "nApps" store, an organizational URL yourorg.niv.io, and the nDrive. The "n" theme was catchy; some will find it gets old to them.
Nivio doesn't provision standard Windows 7 sessions. Instead, we got terminal-server like sessions running on Windows 2008R2 Server. Nivio uses Ericom AccessNow 2 graphics acceleration server for HTML5 graphics speed enhancement, a product we saw in a prior edition (and earlier stages) in our coverage of VDI server infrastructure.
Nivio eschews typical Citrix XenServer client infrastructure, and uses Adobe Flash-based browser access or HTML5 browser access. Flash adds compatibility but at the potential sacrifice of non-Flash client-types -- but it's possible to use an HTML5-compatible browser (apparently IE9 is incompatible with Nivio's software) to logon to a virtual Nivio session. We ran into some access problems with Firefox 11, but Nivio proved to us that there's a bug in Firefox 11 in which mixed SSL-encrypted and non-encrypted data aren't correctly handled from their perspective; perhaps it's fixed by the time you read this, but we found the portions of the session used were encrypted correctly, just not reported by Firefox as encrypted.
The sessions are hosted in turn on a Windows 2008 R2 server, terminal server-style. The sessions were highly policy controlled, but contained a full payload of standard-issue Microsoft Office apps. If you use Windows, you're in Windows and no retraining ought to be required to make use of the Citrix Windows session UI.
The Nivio nApp offerings were divided into several categories, including free and rentable. While the list wasn't very long, we found its inclusion interesting in the face of other application stores like iTunes or Google Marketplace. If you want to use free office applications, several choices are available, as well as familiar Microsoft Office at a rental price.
In use, Nivio was the longest to load a session unless it was a persistent session (which still takes a little time to set up a session). That said, the length of time was less than a half minute, and sessions performed well according to the benchmark we used. Nivio has a youthful appeal to it that betrays its depth of configuration. It was refreshing.
ICC Global Hosting
ICC Global hosts a number of line-of-business applications for a variety of ISVs and says its "sweet spot" is sessions for five to 500 users. Like others in our DaaS testing, ICCGH uses Citrix infrastructure, and after a customer intake and provisioning process, we logged into Citrix XenApp.
As with others that we tested, Citrix XenApp provisioned us with a Windows 2008R2 "terminal" session, and it was extraordinarily fast, due to a short four-hop connection between our facilities in Bloomington and from nFrame, our hosting facility in Carmel, Ind., and their sites in Atlanta and eastern Kentucky. Others may have our experience depending on their connectivity. The XenApp software is available for a variety of Windows and Mac hosts, and we found all of them -- MacOS, Linux, Windows, and Android, via Citrix Receiver -- equally featured in terms of resource sharing and speed.
After an initial provisioning exchange, we were given a URL, logon, and initial passwords. From there, all was lightning fast, and the plain-vanilla Windows-over-Citrix experience. ICCGH was otherwise fastidious regarding building up the provisioned desktops quickly, and has experience in multi-tenant, ISV environments.
ICCGH also has experience in putting together a variety of Active Directory environment extensions, or isolated, server-based authentication mechanisms through the use of VPNs. A number of VPN configurations are supported, including IPSec, GRE, and PPTP that allow "islands" of resources to be connected (or not) for extension, isolation, or application-specific off-premises pools of resources.
Like other DaaS provider services tested, ICCGH can make available local resources such as disk storage, USB, printers, etc., or otherwise control them through either customer-supplied policies or those imposed by Active Directory connections. Microsoft-savvy admins will feel at home.
The Applications2u (A2U) environment is also underpinned by Citrix infrastructure, and downloads Citrix Receiver on initial access for users. There are a wide variety of compatible Citrix Receiver clients available -- meaning Windows machines, Macs, iOS and Android; some of the clients are more difficult to install than others, but Windows and Apple users shouldn't have much problem.
Applications2u with Citrix Receiver allows a fully virtualized desktop experience, and/or allows only Windows-compatible applications to be accessed. The apps-only experience is A2U's secret sauce (a version of XenApp is also offered by ICCGH that provides a similar service), and it's done well. Using the Receiver, remote applications can be launched on a Receiver-launched device, rather than an entire Windows 7-ish desktop. This permits "foreign" applications to run wherever communications and security mandates permit.
Receiver-launched applications could be a simple Excel spreadsheet, an SAP application, something .NET, or whatever might run on the hosted virtual session, in isolation from most of what happens on the client-side environment. The DaaS is in the cloud, or just a cloud-hosted application within the A2U construct.
While Applications2u stresses Managed Service Provider (MSP) services, we confined our use and testing to application and hosted virtual desktop use. A2U uses SunGard as its hosting facility. The customer intake process was poised towards setting up extensions of existing resources, but also duplication of internal infrastructure for use as disaster recovery "hot site" use, or other alternate use.
Like other Citrix infrastructure tested, A2U allows resource sharing, local, or A2U-hosted. Like Nivio, the A2U-based storage can be group-shared, we found, as well as policy-enforced (optional) local resource sharing, drives, printers, and the like. In testing, configuration and deployment was fast, and responsiveness was very good. The A2U cloud-hosted sessions were quick, and we were reminded of our Desktone experience.
We did not extensively test hosted applications, and we did not try to pen-test applications hosted via the virtualization provided by the Citrix Receiver application. Apps hosted by A2U have moderate isolation from whatever's going on in the client's hardware and OS environment, but application sessions may be subject to client-side keyloggers or other entrapments that might make them insecure. However, we could find no current CVE notes that portend that Microsoft Office applications are remotely exploitable when hosted elsewhere from a virtualized access. Only the client host, via Citrix Receiver, receives an infection vector. Applications virtualized by A2U aren't necessarily immune from BYOD connection malware. Communications to A2U hosted components were fast, and logon to A2U resources was equally fast.
Applications can be placed in user desktop menus like other applications, and only possible latencies betray the remote execution of the application.
We found Applications2u both resourceful and responsive. Like ICCGH, A2U seems targeted towards larger organizations and vertically-integrated Windows applications and the experience was both efficient and drama-free. We like that.
While it seemed as though we were reviewing Citrix Desktop-as-a-Service, we found much differentiation among the vendors. Desktone and dinCloud were easily provisioned and fast. Applications2u had a bit of useful option shock, but also the secret sauces of application virtualization specialties, as well as ready-made options for alternate/hot-site capabilities (if Windows 7 is your favorite). Nivio had HTML-5 access going for it, despite Firefox 11 oddities, and had our vote for something that was actually "fun". ICCGH, like Applications2u, performed well.
A Final Word of Caution
Three of the five service providers we tested had issues with TLS/SSL certificates. All the issues that we ran into were corrected quickly. Administrators are cautioned to check TLS/SSL certificate validity (and the correct chain of certificate authority) initially, and then at random intervals, when accessing through browsers.
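One way to script that recurring check, shown as an added example that is not from the original article or from any of the vendors: a Python sketch that performs a TLS handshake with full chain and host-name verification against a landing host, then classifies the certificate's validity window. The 30-day warning threshold, the function names and the sample certificate are assumptions made for illustration.

```python
import socket
import ssl
from datetime import datetime, timezone

WARN_DAYS = 30  # assumption: warn when fewer than 30 days of validity remain

# Constructed sample in the shape returned by SSLSocket.getpeercert();
# the host name and issuer are made up for illustration.
SAMPLE_CERT = {
    "subject": ((("commonName", "desktops.example.com"),),),
    "issuer": ((("organizationName", "Example CA"),),
               (("commonName", "Example Issuing CA"),)),
    "notBefore": "May 21 00:00:00 2011 GMT",
    "notAfter": "May 21 00:00:00 2012 GMT",
    "subjectAltName": (("DNS", "desktops.example.com"),),
}


def _when(text):
    """Convert an OpenSSL-style certificate timestamp to an aware datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(text), timezone.utc)


def assess_cert(cert, now=None, warn_days=WARN_DAYS):
    """Classify the validity window of a getpeercert() dictionary."""
    now = now or datetime.now(timezone.utc)
    not_before, not_after = _when(cert["notBefore"]), _when(cert["notAfter"])
    days_left = (not_after - now).days
    if now < not_before:
        status = "not-yet-valid"
    elif now > not_after:
        status = "expired"
    elif days_left < warn_days:
        status = "expiring-soon"
    else:
        status = "ok"
    issuer = dict(pair for rdn in cert.get("issuer", ()) for pair in rdn)
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return {"status": status, "days_left": days_left,
            "issuer": issuer.get("commonName"), "names": names}


def check_endpoint(host, port=443, timeout=10):
    """Handshake with full chain and host-name verification, then assess."""
    context = ssl.create_default_context()  # system trust store, hostname check on
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with context.wrap_socket(sock, server_hostname=host) as tls:
                return assess_cert(tls.getpeercert())
    except ssl.SSLCertVerificationError as exc:
        # Untrusted or incomplete chain, expired certificate, or name mismatch.
        return {"status": "verification-failed", "detail": exc.verify_message}
    except OSError as exc:
        return {"status": "connect-failed", "detail": str(exc)}


if __name__ == "__main__":
    import sys
    for landing_host in sys.argv[1:]:  # e.g. the DaaS landing URL's host name
        print(landing_host, check_endpoint(landing_host))
```

Run on a schedule against each provider landing host, the script reports a chain or host-name failure as "verification-failed" and an approaching expiry as "expiring-soon", so a problem shows up before users meet a browser warning.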
Henderson is managing director for ExtremeLabs, of Bloomington, Ind. Henderson can be reached at email@example.com.