Workspace Virtualization Grows Up
With vDesk 2.0, RingCube takes an innovative approach to desktop virtualization.
What do you get when you cross application streaming with client-hosted virtual desktops? Workspace virtualization, a serious and emerging architecture that focuses on users and desktops.
Workspace virtualization, similar in architecture to OS virtualization, provides a means to virtualize user desktops but leave behind the overhead of running a virtual desktop inside a virtual machine (VM). To understand this architecture further, take a look at Figure 1.
Unlike other client-hosted virtual desktop solutions, workspace virtualization doesn't require a full hypervisor or dedicated guest OS per VM. Instead, VMs use the hardware resources of the host, improving performance and significantly reducing the amount of overhead associated with each virtual desktop. Instead of packaging and deploying a full-blown OS, virtual workspaces just contain the essential files that make up the user's virtual workspace environment, such as applications and the user's profile. As a result, virtual workspaces run with far less resource overhead than do traditional VMs.
[Click on image for larger view.]
|Figure 1. A typical workspace virtualization architecture.
For example, depending on the applications it runs, a virtual workspace may require as little as 45MB of RAM on its host OS, compared to 512MB or more with a typical desktop VM. Also, without having to package an OS with each virtual workspace, you save several gigabytes of storage. Drawing on their similarities with application streaming, virtual workspace packages don't need a full-blown virtual infrastructure like VMware View or Citrix XenDesktop. Instead, you can host virtual desktops on a Windows-based file server.
For all the good that they bring, virtual workspaces come with drawbacks from their dependence on host OSes. For starters, a virtual workspace built to run on Windows XP will require an XP-based host and won't run on a Windows Vista-based host. The only way around that compatibility problem would be to run the virtual workspace inside a VM; for example, on VMware Player or Virtual PC.
RingCube vDesk, now at version 2.0, is one of the earliest entrants in this category. vDesk virtualizes the Windows shell to create a secure container for a user's virtual desktop, apps, profile settings and saved files. Users can store the virtualized container on a local desktop or laptop, removable storage drive, smartphone or inside a VM in a server-hosted virtual desktop environment. vDesk virtual workspaces have the look and feel of a typical PC, and RingCube Technologies Inc. has added some innovative features to the 2.0 release, including virtualization of the Windows Local Security Authority (LSA).
Ask other application-streaming vendors about LSA virtualization and they'll testify to the engineering challenge RingCube has overcome. LSA virtualization is more than a checkbox. It allows you to join virtual workspaces to a domain, and even manage them using Group Policy Objects (GPOs). Remember, this is all happening inside a virtualization container that doesn't include a Windows OS.
Consider this typical vDesk scenario: At work, vDesk runs on your desktop computer. Before you leave for the day, you "check out" and store your vDesk on your iPhone. You head home, plug your iPhone into your XP Home Edition PC, and run your vDesk from there. So on your XP home system, you have a virtual desktop that's a domain member -- which is something XP Home Edition doesn't natively support. Now that's some magic.
A Closer Look
vDesk's management capabilities are impressive for a 2.0 product. The Web-based management console is shown in Figure 2. The console dashboard provides essential management features, and is organized as you'd expect. I found the management console to be fairly intuitive once I fully understood the vDesk management architecture.
[Click on image for larger view.]
|Figure 2. The vDesk Web-based management console is intuitive.
Deployment is straightforward, with installation of the vDesk Administration Server taking fewer than five minutes on one of my Windows Server 2003 hosts. Once the server installed, I connected to it from an XP-based client, downloaded the vDesk Client and created my first virtual workspace. (vDesk supports XP Service Pack [SP] 2 or higher, and Vista SP1 or higher.)
Virtual workspaces include an option to use vDeskNet, a virtual network adapter that gives each vDesk a unique Media Access Control (MAC) address and hence its own identity on the network. I was able to launch the workspace I created and install user applications, including Adobe Reader, Adobe Flash and Microsoft Office 2007. Finally, I used the client console to convert the workspace into a master template, which serves as the base image for newly deployed vDesks. You can assign master templates to vDesk users or groups.
From the vDesk Administration Server, you can import users and groups from Active Directory. AD domain controllers continue to authenticate users following the import, with imported accounts able to have assigned vDesks through the vDesk management interface. Use of master templates can allow organizations to change how they deploy application and OS updates. Instead of having to deploy updates to each desktop, an administrator can deploy the update to a master template. Each vDesk associated with the master template gets the new settings the next time the user logs on. If errors occur, you can quickly revert a master template to a previous version. Deploying Office 2007 SP1 to multiple vDesks by updating a master template worked as expected.
I appreciated that I could apply my existing domain GPO settings to each vDesk, and also liked the support for VPN client software inside the vDesk environment. With vDesks dependent on a host OS, endpoint security and the potential risks of deploying a vDesk to an untrusted endpoint concerned me. vDesk policies put me more at ease.
vDesk 2.0 includes policies that can validate the presence of specific anti-virus, anti-spyware and firewall products -- and associated signature levels -- on a host OS. If validation isn't met, the vDesk won't boot. vDesk 2.0 supports products from major endpoint security vendors. Host Security Scan policy settings are shown in Figure 3.
[Click on image for larger view.]
|Figure 3. vDesk 2.0 Host Security Scan policy settings.
Policy settings exist for:
- Isolating a vDesk from the host (no clipboard, drive access, etc.).
- Checking for anti-virus, anti-spyware and firewall software on the host prior to starting a vDesk.
- Joining a vDesk to a Windows domain and adding the account to a specific organizational unit.
Administrators also have the option of encrypting vDesks using one of two open source encryption products: TrueCrypt and FreeOTFE. The integrated encryption secures data at rest, and running a VPN client inside a vDesk would secure network traffic for mobile vDesk users.
A New Wrinkle to NAS
Products like vDesk 2.0 will do for desktop virtualization what network-attached storage (NAS) did for storage. NAS, which provides a simple way to deploy storage, has a huge enterprise presence. Microsoft capitalized on NAS with the purpose-built Windows Storage Server. By bundling vDesk 2.0 and a Windows 2003 or 2008 server, you effectively have desktop virtualization in a box. Desktops are still centrally stored and managed, as with traditional server-hosted desktop virtualization, yet they leverage the OS of the endpoint device.
NAS evolved to become a major part of most storage infrastructures, often running as a standalone networked storage infrastructure or complement to storage-area networks (SANs). Virtual desktop solutions that can be self-contained on a Windows server can give you the same type of flexibility. Similar to the impact of NAS, I expect RingCube and alternatives to VMware View and Citrix XenDesktop to carve out a sizable chunk of the desktop virtualization market.
Besides the reduced capital for virtual infrastructure, you also save on licensing costs. Because workspace virtualization solutions like vDesk don't require an OS instance to load for the virtual desktop environment, you don't have to pay for the additive licensing costs associated with traditional server-hosted virtual desktop implementations -- specifically, Vista Enterprise Centralized Desktop licensing. Of course, you'd still need to have licensed OS software on the endpoints. I expect most organizations deploying vDesk will continue using their existing licensed XP-based devices.
A Ringing Endorsement
vDesk 2.0 is a massive improvement over 1.0. The AD integration, ability to join vDesks to a domain and straightforward policy-based management provide a great foundation for the product. vDesk deployment and its mobility features, such as taking my vDesk on my iPhone 3GS, are great.
Still, like most 2.0 products, vDesk has room for improvement. Most desktop and application virtualization vendors are working overtime on getting third-party desktop and application software vendors to support their platforms, and RingCube will have to do the same. In addition, out-of-the-box, fault-tolerant management will be required for some organizations. While you can deploy vDesk Administrator to multiple servers for fault tolerance, the actual vDesk data would reside on a single file server. Of course, you could cluster the file server, or you could use a fault-tolerant virtual or physical server to provide resiliency to a physical server failure. Also, the host OS requirement will slightly hamper mobility. For example, vDesks can't be natively deployed to a Mac; you'd need to run a vDesk inside a Windows VM on a Mac.
RingCube's unique offering is likely to fill the desktop virtualization needs for many organizations, especially those looking to leverage consolidated management benefits without having the capital to lay out for a full-blown virtual desktop infrastructure.
Chris Wolf is VMware's CTO, Global Field and Industry.