Today the main problem for companies, especially large ones, is that sending several thousand employees to work remotely is a difficult task both for information security and for the IT service as a whole. You can send people home and set up a VPN, but connecting a large number of devices you barely control to the corporate network is genuinely hard. Obviously it will not be possible to issue every remote employee an antivirus and a data leak prevention (DLP) agent.
Another problem is how to ensure that the entire set of enterprise applications works from home on a diverse fleet of equipment: from an old Windows 7 PC to an iPad.
The essence of virtual desktop infrastructure (VDI) is moving the user's computing environment into the server infrastructure or the cloud. With this approach user workstations become an enterprise system with all the capabilities available to business-critical IT systems: fault tolerance, security, centralized management, updates, backup and recovery. Organizing secure remote access to such a system is the easiest case.
What complicates the implementation of VDI today?
- Most companies need to implement the technology very urgently; in fact, they needed remote access "already yesterday".
- As a rule, nobody has a budget for a VDI implementation project, and everyone has to find the funds, which further complicates the situation.
- A VDI system assumes sufficiently powerful servers and storage systems, which few companies already have; a purchase involves not only the cost but also the time spent on approvals, logistics, and so on.
- Lack of qualified specialists within the company: "hands and heads".
What else should be considered when choosing means of organizing remote access?
- For many companies, secure remote access to the IT infrastructure alone is not enough: a VPN or a secure publication of services protects against external threats, but it does not protect against a dishonest employee transmitting information that is a corporate secret, or against a simple malware infection when employees connect via VPN from their home workstations or laptops. It is highly advisable to build a secure perimeter for remotely connecting employees.
- With mass remote connection of employees, the load on the network channels of the data center where the company's IT systems are located obviously increases. It is important to make sure that the existing channels are wide enough and are themselves organized in a fault-tolerant configuration.
Types of Remote Access
Faced with an increased flow of requests for organizing remote access, we came up with the following classification of remote access types for our own use:
Level 0. All IT systems are completely isolated within the organization's perimeter and there is no remote access. Of course, such an infrastructure is as safe as it gets, but the current situation is forcing most customers to move to other levels.
Level 1. This is the most common type of remote access today among those who already have it organized: either the connection goes through a VPN, or some services are simply published externally (most often corporate mail and videoconferencing).
Such technologies have been around for decades. Additional equipment is usually not required, and the company can configure most of the functionality for remote employees relatively quickly. However, this approach has many disadvantages.
- Users' work is usually not functionally restricted in any way, and access is possible from any device. In the case of a VPN this is fraught with malware attacks; in the case of services published externally, the IT service cannot control where corporate data goes once it leaves the network perimeter. Nothing stops a dishonest employee from sending an email message or attachment via WhatsApp or Telegram to someone who should not receive it.
- The more applications we publish, the more attack surface we expose to the outside network.
- It is difficult to predict the load on network channels, because different IT systems require different bandwidth.
- For users, such a remote work environment is not always convenient: not everyone has a sufficiently powerful personal laptop, some cannot install corporate software clients, and so on.
Level 2. The so-called "quick start" is a transitional option on the way to a full-fledged VDI: VDI components are used, but the connection is made not to virtual desktops on dedicated virtualization servers but to employees' physical office workstations. With this option the requirements for additional server resources are minimal, since we are talking about deploying 6-8 virtual machines that are not very resource-hungry; the deployment time is also minimal, and the connection protocols and policies are the most common ones, based on Citrix Virtual Apps and Desktops or VMware Horizon.
What are the benefits?
- Users can already work completely remotely in their usual environment: they sit at home computers but see the familiar screens of their office PCs.
- Only one type of traffic reaches the user: the remote desktop display. If necessary, VMware and Citrix allow you to fine-tune permissions for forwarding other data: multimedia traffic from a microphone and camera, smart cards, and so on.
- The VMware and Citrix protocols are very well optimized. The Citrix protocol is generally considered the best option for working over narrow, unstable communication channels.
- The load on the network channel is much easier to predict: on average, 512 Kbps per user session is enough for VDI traffic.
- Application traffic stays inside the corporate network perimeter and never leaves it. There is no way to download something to a home PC or, conversely, upload something into the perimeter. All corporate data is controlled much better.
- High deployment speed: the first users can be connected in less than a week.
Now about the disadvantages:
- Compared to the usual way users work, additional points of failure appear in the office, because new components are deployed, albeit in a fault-tolerant configuration.
- Technical specialists must be on duty in the office to service the corporate PCs that employees connect to: power on, restart, restore operation after a power surge.
Level 3. The most advanced level is a full-fledged VDI. To everything above we add target resources: virtual machines and individual virtualized applications. The scheme is very similar to Level 2, but it already requires separate physical resources in the form of servers and storage systems, or hyperconverged clusters.
What are the benefits?
- An added advantage of VDI over Level 2 is fully remote infrastructure management, to the point that technical specialists in the office are no longer required (VDI in an external cloud is a standard story).
- User workstations are unified: virtual desktops are created from a single template, deployed and managed in bulk, and are guaranteed to be updated.
- User profiles are easy to back up. Much more freedom appears and administration is greatly simplified. Many routine tasks are automated, which reduces the load on technical support staff and the influence of the human factor.
- VDI integrates well with third-party security systems: antivirus protection, DLP, MDM.
Now about the disadvantages:
- The considerable cost of implementation. In normal times the costs paid off in the medium term, in about 5 years, and then the savings began. Today times are tense, so the question is often not payback but the survival of companies.
- Duration of implementation. You need to create virtual desktops, virtualize individual applications, configure everything, set up roaming profiles and migrate users. We are talking about three weeks to two or three months (not counting equipment delivery times).
- Fairly powerful equipment is required, because VDI loads servers and storage quite heavily.
Summary of the levels:
- Level 0: no remote access.
- Level 1: basic remote access, which can be implemented in two to three days, most likely without purchasing additional equipment.
- Level 2: a transitional option on the way to a full-fledged VDI, forwarding user sessions over VDI technologies to physical workstations.
- Level 3: full-fledged VDI with templates, automation, fault tolerance and other enterprise capabilities.
What else is worth paying attention to?
To organize remote work for employees as quickly as possible in companies with no budget for a VDI implementation, you can start the deployment using temporary (trial) licenses and within a week begin connecting users to their workplaces without buying hardware or software.
The validity period of a temporary license depends on the technology, usually 2-4 months, by agreement with the software vendors. In parallel, you can move to Level 2.
And if the remote-work situation drags on, it would be wise to build a full-fledged VDI. This year Citrix has a new licensing scheme for the on-premises version: an annual subscription, costing roughly 2.5 times less than a perpetual license. VMware offers a VDI quick start service, but it is available only to customers who can pay with credits: it costs 212 credits. The service provides one VDI template for up to 25 users.
Remote access information security
This is a separate topic, which we covered in detail in a previous post. See the detailed recommendations from Alexander Asmolov.
Operational implementation of videoconferencing
If the events of recent weeks had happened several years ago, moving everyone to remote work en masse would have been much more difficult, expensive and inconvenient, especially building communications between employees, partners and contractors so that everyone is comfortable.
Today is different. Videoconferencing systems (VKS, though that name is already outdated) have turned into full-fledged collaboration platforms. We communicate in a way that is convenient for us, on devices that are convenient for us, at a time that is convenient for us.
What services are available as part of the collaboration platform:
- Audio and video communication.
- Multipoint conferences with any participants inside your organization and beyond.
- Scheduling conferences through portals and email clients.
- Exchanging data during a conference and working together on documents.
- Audio and video recording.
- Real-time conference broadcasting.
- Mobile clients. From your phone or tablet you can connect almost anywhere there is Internet access, take part in a meeting, talk with someone and resolve all your work issues.
- Corporate messenger. Many company employees now communicate through WhatsApp, Telegram and other programs, and working documents are often sent there, leaving the company's perimeter. Almost all collaboration platforms let you exchange text messages, send, receive and view files, organize groups, connect chat bots, and so on.
- You always see the current status of a contact: on the phone, in a meeting, busy or free. This saves a lot of time. Without a status function you would have to call, wait a while, hang up and think about when to call again. That takes about 20 seconds, but with up to 100 such calls a day, multiplied by the number of employees, a lot of man-hours are lost.
All of the services above are building blocks, a set of bricks that can be assembled as needed. The same goes for scalability: you build a system for 100 users, after a while you realize it works well and needs to be expanded, and you just buy licenses and add server capacity.
How to provide videoconferencing services for your employees?
The first, fastest and easiest option is to connect to one of the most popular cloud videoconferencing services: Cisco Webex, Microsoft Teams, Zoom. The service starts almost instantly (by the next business day) and is provided by subscription for a certain period. We offer this option in several cases:
- As a temporary solution while a full-fledged videoconferencing system is being designed and put into operation.
- For small businesses, for whom implementing and supporting their own videoconferencing system is too expensive, but videoconferencing is still required for doing business.
The disadvantages of this option are:
- All traffic exchange takes place outside your company's perimeter.
- Management of the tool is limited.
- The biggest drawback: all public services today are very heavily overloaded.
If a cloud service is not suitable even as a temporary solution, you can consider the second option: rapid on-premises deployment of videoconferencing systems from popular Russian and foreign vendors (Yealink, Vinteo, TrueConf, Videoport, IVA), whose solutions are deployed "out of the box" in the shortest possible time.
In both options, the popular WebRTC technology is available: joining conferences through a browser. You generate a link, people use it to join your conference, and you can chat, exchange documents and work together. All you need is a laptop with a camera and a browser.
This material is based on the webinar "Emergency organization of remote workplaces. What to consider." The full version is available on YouTube.
- Dmitry Galkin, Head of VDI
- Roman Mornev, voice and video direction consultant