A saying returns year after year in IT: “this will be the year of VDI”, but it usually never happens. There are implementations here and there – in Hungary, I mean – but never very widespread.
Due to the recent crisis, remote working solutions are more relevant than ever, as governments and employers are sending their workforce home, or prefer to have them work from home in case the situation gets worse, and they plan to do so for an extended period, not just for a few days. Solutions for this need have always been around, but not in the spotlight.
Many workplaces are still tied to the desk itself, mainly in the form of a desktop computer. We can both agree that bringing a desktop computer home might be possible, but these devices were certainly not designed to be carried, nor prepared to log in to a VPN. Laptops and notebooks are common, but not every employee has one. I often see laptops that are not enabled for remote work; they stay in the office area but give the user the freedom to use them in a meeting room, connected to the corporate internal wireless network.
Luckily, a portion of these notebook/laptop devices are enabled for VPN: they can log in to the corporate network and reach corporate internal applications. These devices are all managed – or should be – so the VPN client, antivirus/malware protection, asset tool, software deployment agent, etc. are all running there. If a client – as a corporate – has the majority of its workforce in this category, it will be able to handle the home office demand quite easily. They might need to scale up the internet connectivity that handles VPN connections, their firewalls and/or their VPN licenses, but it would be fairly simple. Paper-based workflows will be impacted, since, even if a solution can enable local printing for example, there is no need to consume them.
But how do you solve this puzzle if there are no laptops around, only desktops, and home office is a must?
This is where VDI comes into play. Not sure if anyone patented it before, so now I do: “PDI”, called physical desktop infrastructure.
As you hear: “You can use physical machines remotely, in a secure manner.”

The red arrow above is the machine, the desktop computer that some employees use.
There are some vendors that can do this, like Citrix and VMware; in this article I focus on VMware Horizon View.
How to get there?
Without knowing any specifics or going into a deep dive, I see two options.
Option 1: Internet -> UAG -> Horizon Connection Server -> Desktop computer. This is displayed below; what is more, we can add a second factor at any time.

If you need to record a session – because you need to and have a Balabit SCB, for example – feel free; just make sure you use RDP as the display protocol.
This setup needs no VPN, the entry point is on the internet in the form of the Unified Access Gateway.
What do you need?
- VMware vSphere ESXi to run the UAG and the Horizon Connection Server. The latter can be a physical server if you want. The Connection Server is Windows based.
- Horizon Agent must be deployed to the machine the user will remotely log on to.
- Horizon Client must be deployed to the machines the users will connect from. This is optional, as HTML-based access is also available, and for that you need nothing but a modern browser.
Option 2: VPN -> UAG (optional here) -> Horizon Connection Server -> Desktop computer. Second/multi-factor authentication comes into play here as you wish.

What do you need?
- One Horizon Connection Server. It can be a physical server if you want. The Connection Server is Windows based.
- Horizon Agent must be deployed to the machine the user will remotely log on to.
- Horizon Client must be deployed to the machines the users will connect from. This is optional, as HTML-based access is also available, and for that you need nothing but a modern browser.
How is the look and feel?
Without an agent you can use HTML-based access. I am not saying it will work from Netscape Navigator, so better to use something from this century.

For mobile devices – Android and iOS here – it will look like this.

From the Horizon Client there is nothing to show as it is seamless.
The difference between the two options is the entry point: either a VPN terminates the connection and authenticates the user, or there is no VPN and the UAG does that.
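The entry-point difference can be checked against a firewall rule export: with Option 1 only the UAG should be reachable from outside, with Option 2 only the VPN endpoint. The following is an added example, not part of the original article; the addresses, rule names and rule tuple format are all constructed for illustration.

```python
import ipaddress

# Constructed sample addressing (assumption, not from the article).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
ENTRY_POINT = {
    "option1": ipaddress.ip_address("10.0.1.10"),  # UAG in the DMZ
    "option2": ipaddress.ip_address("10.0.1.20"),  # VPN endpoint
}

# Constructed firewall rules: (name, source CIDR, destination IP, destination port)
SAMPLE_RULES = [
    ("uag-https",      "0.0.0.0/0",      "10.0.1.10",  443),
    ("uag-to-cs",      "10.0.1.10/32",   "10.0.2.5",   443),
    ("legacy-rdp",     "0.0.0.0/0",      "10.0.30.77", 3389),  # desktop exposed directly
    ("partner-to-cs",  "203.0.113.0/24", "10.0.2.5",   443),   # bypasses the entry point
    ("lan-to-desktop", "10.0.2.0/24",    "10.0.30.77", 3389),
]


def is_external(source_cidr):
    """A source is external unless it lies entirely inside an internal network."""
    net = ipaddress.ip_network(source_cidr)
    return not any(net.subnet_of(internal) for internal in INTERNAL_NETS)


def audit(rules, option):
    """Return rules that let an external source reach anything but the entry point."""
    entry = ENTRY_POINT[option]
    findings = []
    for name, src, dst, port in rules:
        if is_external(src) and ipaddress.ip_address(dst) != entry:
            findings.append((name, dst, port))
    return findings


if __name__ == "__main__":
    for option in ("option1", "option2"):
        print(option, audit(SAMPLE_RULES, option))
```

Under Option 2 the same rule set also flags `uag-https`, because the UAG is no longer supposed to be internet-facing once the VPN is the entry point.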
How can I control what is allowed and what is not?
By using policies. There are some basic ones on the Horizon Connection Server’s page, but use the supplied ADMX templates to enhance the group policy in the domain. My favourite example is the direction of the clipboard.
Literally hundreds of options:
Licenses?
It depends on your needs, but for the setup above you are fine with Horizon Standard. The only thing that is a pain is the Help Desk tool, which can help you support your remote workers in their sessions.
VMware has just announced that they extended the trial period until 31st July 2020.
Link: https://www.vmware.com/solutions/business-continuity.html
Time required to implement it?
If existing physical machines are used as targets, it is extremely short, since there is no need to set up the working environment, plan application delivery, configure folder redirection or maintain user profiles: all of those are already in place.
Your mileage may vary if some redundancy is needed, as we need to double the server count above and preferably add a load balancer – you can live without one by using DNS round robin. We can also throw in Workspace ONE/AirWatch, but that adds a little complexity and so needs more time and effort. The same applies if we add NSX-T in the way I described in another article about a zero trust workplace – NSX-T, Trend Micro agentless and Cisco Duo with instant clones.
So if only physical machines are needed for remote work from home, this can be done within a day!
No brainer, go for it!