Sunday, 20 February 2011

Secure VMware View access over Internet using NeoAccel's SSL VPN-Plus


Introduction

When a growing organization deploys desktop virtualization (VDI) services, one of its main challenges is enabling secure access over the Internet to virtual desktops hosted in the corporate office, a branch, or the datacenter. As network security risks increase and regulatory compliance becomes essential, it is important to address these critical needs.
The performance of VMware's PCoIP display protocol over the Internet depends mainly on the performance of the underlying VPN, the available network bandwidth and network latency. It also depends on the latency injected by the VPN solution and its ability to process data at high speed. The WAN requirement can pose a challenge to IT organizations that not only need to deliver desktop services to these end users but must also do so in a secure manner. For this purpose, many customers opt for NeoAccel's SSL VPN-Plus™ solution to give end users a secure connection to virtual desktops from branch and home offices, as well as other remote locations, over a high-performance, reliable SSL tunnel.


Challenges in deploying VMware View over WAN

The major issue faced when deploying VMware® View™ over a WAN is passing the traffic through firewalls and NAT devices seamlessly. VMware View PCoIP runs over UDP datagrams, which makes it difficult to pass through firewalls, as firewalls block UDP traffic by default. Hence there is a need for a secure TCP tunnel that addresses firewall pass-through and NAT traversal.

Besides securing the clear traffic, the end user experience and the resolution available over PCoIP rely on the delivery mechanism used. The latency injected by tunneling PCoIP traffic over a VPN product therefore plays a major role in the overall end user experience of VMware View. A poorly performing VPN solution makes it difficult to roll out the solution over a WAN.

When deploying VMware View, administrators should also decide which variant of the solution is better suited to a user: a full-featured application that the user can install, or a standalone application for one-time use. For example, when a user plans to access VMware View from her corporate laptop, where she has administrative rights, the solution should detect that this is a trusted system and automatically use a full access mode. It should also check whether VMware View is already installed and, if it is not, download and install it. If, however, a user is connecting from an airport kiosk or a similar untrusted system where administrative privileges are not available, the solution should automatically download the standalone application and use a data tunneling mechanism that does not require administrative privileges.

Deployment Diagram



NeoAccel Advantages
NeoAccel’s advantage lies in its intelligence to provide access to VMware® View™ without any user intervention, in a secure manner, over a high-performing SSL channel. The delivery method depends on a combination of the following three factors:
  • Whether the end user has admin rights,
  • Whether the NeoAccel Full Access client is already installed,
  • Whether the VMware® View™ Full client is already installed.
This gives a total of 8 combinations that decide the delivery method of a secure VMware® View™ solution to the end user. NeoAccel, using its advanced logon scripting technology, assesses the end user's machine and then intelligently decides the best possible deployment without any user intervention. The following can be achieved with NeoAccel as a solution for VMware View.

  • The NeoAccel SSL VPN-Plus™ solution secures VMware® View™ traffic without any compromise on performance. Using its patented "ICAA" (Internet Connection Acceleration Architecture) technology, kernel encryption and dynamic compression, NeoAccel provides unmatched performance to deliver a rich end user experience with the highest screen resolution possible over PCoIP
  • NeoAccel SSL VPN-Plus works in tandem with VMware® View™ PCoIP to provide remote users with secure, seamless access to virtual desktops from remote locations. Administrators can now enforce Access Control Policies for global remote users from a centralized console
  • Supports Single Sign On for VMware View
  • Using the patented ICAA technology, NeoAccel SGX series SSL VPN-Plus gateways can scale up to 10,000 CCUs with 1,800 login sessions per second
  • Support for both PCoIP and RDP modes of access
  • Works for users with admin rights as well as limited users working from kiosks
  • Wide range of supported platforms
  • End Point Security Compliance & Data Leakage Prevention mechanisms
  • Detailed Logging and Auditing capabilities

Connection Flow

  1. The remote user opens a Web browser and visits the NeoAccel Portal. The user is prompted for authentication.
  2. On successful authentication, NeoAccel’s advanced logon script assesses the end user’s machine to check for administrative rights and for an already installed VMware View client.
  3. Depending on the outcome of this assessment, NeoAccel intelligently deploys the best possible solution silently, without any end user intervention.
  4. For example, when a user tries to access the solution from a kiosk where no admin rights are present and neither the VMware View client nor the NeoAccel Full Access Client is pre-installed, NeoAccel automatically downloads the VMware View Thin Client and launches it with SSO over the NeoAccel Java-based port forwarding engine (clientless mode).
  5. If instead the user is accessing from his laptop for the first time, where he has admin rights but neither the VMware View client nor the NeoAccel Full Access Client is pre-installed, NeoAccel launches the NeoAccel Full Access Client, then downloads and installs the VMware View Client in silent mode and launches it with SSO over the SSL tunnel.
  6. After successful authentication, the VMware View Manager displays the virtual desktops available to the end user. The end user then selects and connects to the desired VMware View desktop to establish the virtual desktop session.
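
The assessment in steps 2 to 5 can be read as a function of the three factors listed under NeoAccel Advantages. The sketch below is an added example, not NeoAccel's logon script: only the kiosk case (step 4) and the first-time laptop case (step 5) come from the text, while the plans for the other six combinations, the separate "deploy" step, and all names are assumptions. It also checks the property the text implies, that an endpoint without admin rights is never given an install step or the full SSL tunnel.

```python
from itertools import product
from typing import NamedTuple

class Endpoint(NamedTuple):
    has_admin: bool          # end user has administrative rights
    vpn_full_client: bool    # NeoAccel Full Access client already installed
    view_full_client: bool   # VMware View full client already installed

CLIENTLESS = "java-port-forwarding"   # clientless mode from step 4
TUNNEL = "ssl-tunnel"                 # full access mode from step 5

def delivery_plan(ep: Endpoint):
    """Return (tunnel mode, ordered steps) for one assessed endpoint."""
    steps = []
    if ep.has_admin:
        mode = TUNNEL
        if not ep.vpn_full_client:
            # Assumption: the client must be delivered before step 5 can launch it.
            steps.append("deploy NeoAccel Full Access Client")
        steps.append("launch NeoAccel Full Access Client")
        if not ep.view_full_client:
            steps.append("silent-install VMware View Client")
        steps.append("launch VMware View Client with SSO")
    else:
        # Assumption: no admin rights always means clientless mode,
        # even if a Full Access client happens to be present.
        mode = CLIENTLESS
        if ep.view_full_client:
            steps.append("launch VMware View Client with SSO")  # assumption
        else:
            steps.append("download VMware View Thin Client")
            steps.append("launch VMware View Thin Client with SSO")
    return mode, steps

def all_plans():
    """Plans for all 2**3 = 8 combinations of the three factors."""
    combos = (Endpoint(*c) for c in product((False, True), repeat=3))
    return {ep: delivery_plan(ep) for ep in combos}

def violations(plans):
    """Non-admin endpoints whose plan needs privileges or the full tunnel."""
    privileged = ("deploy", "silent-install")
    return [ep for ep, (mode, steps) in plans.items()
            if not ep.has_admin
            and (mode != CLIENTLESS or any(s.startswith(privileged) for s in steps))]

if __name__ == "__main__":
    for ep, (mode, steps) in all_plans().items():
        print(ep, mode, steps)
    print("violations:", violations(all_plans()))
```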
