2.2 Intel Virtualization Technology
XenClient is designed to take full advantage of the hardware-assisted virtualisation capabilities in Intel vPro technology. These capabilities include the following:
- Intel Active Management Technology (AMT): available as part of the vPro feature set, Intel AMT is hardware technology used for remotely managing and securing PCs out-of-band
- Intel VT-d: Intel VT-d is Intel's input/output memory management unit (IOMMU), which enables virtual machines to directly access peripheral devices such as Ethernet adapters, GPUs, and hard drive controllers
- Intel VT-x: CPU Virtualisation
- Intel Trusted Execution Technology (TXT): Intel TXT is a virtualisation security technology for enhanced hypervisor protection
- Intel Advanced Encryption Standard (AES)-NI: the Advanced Encryption Standard (AES) is an encryption standard defined by the U.S. government. AES-NI is the set of new instructions in Intel Core™ processors that accelerate AES operations. Intel AES-NI is widely used across the software ecosystem to protect network traffic, personal data, and corporate IT infrastructure
PCs powered by Intel Core vPro processors provide essential hardware-enabled virtualization, security, and isolation functionality and provide direct access to the full graphics capabilities of the device.
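A deployment check for the CPU-side features listed above, written as an added example (it is not Citrix or Intel code): it parses the Linux /proc/cpuinfo flag line and reports whether VT-x (flag vmx), TXT's Safer Mode Extensions (flag smx) and AES-NI (flag aes) are advertised. The cpuinfo text below is constructed for the demo; VT-d is left out on purpose because the IOMMU is reported through the ACPI DMAR table rather than as a CPU flag.

```python
"""Check whether a client CPU advertises the vPro features XenClient relies on.

Added example (not Citrix or Intel code). It parses text in the Linux
/proc/cpuinfo format; the sample below is constructed, not captured from a
real machine.
"""

# CPUID feature flag names as Linux prints them, mapped to the section 2.2
# technologies they indicate. VT-d is deliberately absent: the IOMMU is
# reported via the ACPI DMAR table, not as a CPU flag.
VPRO_FLAGS = {
    "vmx": "Intel VT-x (CPU virtualisation)",
    "smx": "Intel TXT (Safer Mode Extensions used for the measured launch)",
    "aes": "Intel AES-NI (AES acceleration instructions)",
}

# Constructed sample in /proc/cpuinfo layout; the flags line is shortened.
SAMPLE_CPUINFO = (
    "processor\t: 0\n"
    "vendor_id\t: GenuineIntel\n"
    "model name\t: Intel(R) Core(TM) i5 vPro (constructed sample)\n"
    "flags\t\t: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca "
    "cmov pat pse36 clflush mmx fxsr sse sse2 ht syscall nx lm vmx smx est "
    "ssse3 cx16 sse4_1 sse4_2 x2apic popcnt aes xsave avx\n"
    "\n"
)


def parse_cpu_flags(cpuinfo_text):
    """Return the set of feature flags from the first 'flags' line.

    Every logical CPU repeats the line; the first one is enough because all
    cores in a package advertise the same feature set.
    """
    for line in cpuinfo_text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "flags":
            return set(value.split())
    return set()


def check_vpro_features(cpuinfo_text):
    """Map each vPro technology to True/False depending on its CPU flag."""
    flags = parse_cpu_flags(cpuinfo_text)
    return {name: flag in flags for flag, name in VPRO_FLAGS.items()}


def missing_vpro_features(cpuinfo_text):
    """List the technologies a pre-deployment check should flag as absent."""
    return [name for name, present in check_vpro_features(cpuinfo_text).items()
            if not present]


if __name__ == "__main__":
    try:
        with open("/proc/cpuinfo") as fh:   # real machine if available
            text = fh.read()
    except OSError:
        text = SAMPLE_CPUINFO                # otherwise the constructed sample
    for name, present in check_vpro_features(text).items():
        print(f"{'present' if present else 'MISSING'}: {name}")
```

A present vmx flag only says the silicon supports VT-x; whether firmware has enabled it is a separate check (on Linux the kernel logs a message when VMX is locked off by the BIOS), and the same applies to TXT, which additionally needs a TPM and an enabling BIOS setting.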
3 Product Capabilities: IT Management and Other Usage Scenarios
3.1 IT Management
3.1.1 Desktop Administration
XenClient enables fast deployment of new virtual desktops with standard desktop images to employees or contractors. For temporary staff such as contractors, part-timers, and interns, IT can use XenClient to provide time-limited virtual desktops that expire automatically.
XenClient offers the same desktop administration methods as in a VDI:
- Use of master desktop images to support large populations of users
- Centralized definition and implementation of security and backup policies for all managed devices
- Automatic backup of local desktop environments to a central server
- Granular policy controls that can be enforced to disable USB devices, optical drives, and networks in order to protect valuable corporate data
- Remote disablement of distributed desktops and virtual machines
- Backup of block-level changes to VHD files. Backups are typically small, since they contain only the blocks that have changed and those blocks are additionally compressed
- The ability to go back and forth between backup versions, as each version is a snapshot
- Centrally managed, back-end patching and updating of user images
- A new snapshot layered image is automatically downloaded and applied to the user’s device
- Scalable up to 5000 users/desktops per single Synchronizer Server
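The block-level backup and snapshot bullets above describe a content-addressed block store: each backup is a manifest of block hashes, only blocks not already held are transferred, every block is compressed, and any snapshot can be restored in full. The following is an added example that models that behaviour in memory; it is not Synchronizer's own implementation, the 4 KiB block size is an assumption for the demo, and the disk images are constructed from repeated byte patterns.

```python
"""Block-level incremental snapshot backup of a disk image.

Added example, not Synchronizer's own implementation: it models the bullets
above (only changed blocks are stored, blocks are compressed, every backup is
a complete restorable snapshot). The image bytes are constructed below.
"""
import hashlib
import zlib

BLOCK_SIZE = 4096  # assumption for the demo; VHD block sizes are larger


class BlockBackupStore:
    """Content-addressed block store plus one manifest per snapshot."""

    def __init__(self):
        self.blocks = {}     # sha256 hex digest -> zlib-compressed block
        self.snapshots = {}  # label -> ordered list of block digests

    @staticmethod
    def _blocks(image):
        return [image[i:i + BLOCK_SIZE] for i in range(0, len(image), BLOCK_SIZE)]

    def backup(self, label, image):
        """Record a snapshot; return how many blocks actually had to be sent."""
        manifest, sent = [], 0
        for block in self._blocks(image):
            digest = hashlib.sha256(block).hexdigest()
            if digest not in self.blocks:      # unchanged blocks are skipped
                self.blocks[digest] = zlib.compress(block)
                sent += 1
            manifest.append(digest)
        self.snapshots[label] = manifest
        return sent

    def restore(self, label):
        """Rebuild the full image for any snapshot, verifying each block."""
        image = bytearray()
        for digest in self.snapshots[label]:
            block = zlib.decompress(self.blocks[digest])
            if hashlib.sha256(block).hexdigest() != digest:
                raise ValueError(f"block {digest[:12]} failed integrity check")
            image += block
        return bytes(image)

    def changed_blocks(self, old_label, new_label):
        """Indices of blocks that differ between two snapshots."""
        old, new = self.snapshots[old_label], self.snapshots[new_label]
        longest = max(len(old), len(new))
        return [i for i in range(longest)
                if i >= len(old) or i >= len(new) or old[i] != new[i]]

    def stored_bytes(self):
        """Total compressed bytes held, across all snapshots."""
        return sum(len(c) for c in self.blocks.values())


def make_image(pattern_bytes):
    """Constructed disk image: one block per byte value in pattern_bytes."""
    return b"".join(bytes([b]) * BLOCK_SIZE for b in pattern_bytes)


if __name__ == "__main__":
    store = BlockBackupStore()
    monday = make_image(range(8))
    print("monday: sent", store.backup("mon", monday), "blocks")
    tuesday = bytearray(monday)
    tuesday[3 * BLOCK_SIZE:4 * BLOCK_SIZE] = b"\xff" * BLOCK_SIZE
    print("tuesday: sent", store.backup("tue", bytes(tuesday)), "blocks")
    print("changed:", store.changed_blocks("mon", "tue"))
    print("stored bytes:", store.stored_bytes(), "of", len(monday))
```

Because the manifests reference blocks by hash, rolling back is just restoring an older label, and the integrity check in restore() catches a corrupted or substituted block before it reaches the client.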
3.1.2 Image Management
Desktop images can be categorized into the following types:
- Static images: These images are intended for one-time deployment. Any updates come through existing tools and IT processes
- Dynamic images: These images are broken up into three parts: system, profile (user settings and data), and applications. The system component is centrally managed and cannot be altered by the user, making it effectively a golden sub-image. The other two parts can be changed by the user as permitted by policy. If a user installs an application on a dynamic image, policy does not allow those changes to be saved, so the application vanishes upon reboot. The user profile sub-image is usually writable by the user and retains changes
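The three-part dynamic image above is an overlay: reads resolve through the application, profile and system sub-images in that order, user writes land in the sub-image that owns the path, the application layer is discarded on reboot unless policy persists it, and a central system update swaps only the golden sub-image. The following in-memory model is an added example, not XenClient code; choosing the layer by path prefix (/system/, /apps/, everything else is profile) is an assumption made for the demo.

```python
"""Dynamic image layering: system / profile / apps sub-images.

Added example, not XenClient's own code. It models the policy described above
with in-memory dictionaries keyed by path; the layer a path belongs to is
chosen by its prefix, an assumption made for the demo.
"""


class DynamicImage:
    """Resolves reads through the layers apps -> profile -> system, so user
    changes shadow the centrally managed system sub-image."""

    def __init__(self, system_layer, apps_persist=False):
        self.system = dict(system_layer)   # golden sub-image, IT-managed
        self.profile = {}                  # user settings and data, persistent
        self.apps = {}                     # user-installed applications
        self.apps_persist = apps_persist   # policy: keep app changes across reboot?

    def read(self, path):
        for layer in (self.apps, self.profile, self.system):
            if path in layer:
                return layer[path]
        raise FileNotFoundError(path)

    def exists(self, path):
        return any(path in layer for layer in (self.apps, self.profile, self.system))

    def user_write(self, path, data):
        """A user write lands in the layer that owns the path (prefix rule)."""
        if path.startswith("/system/"):
            raise PermissionError(f"{path} is in the centrally managed system sub-image")
        if path.startswith("/apps/"):
            self.apps[path] = data
        else:
            self.profile[path] = data

    def reboot(self):
        """Non-persistent layers are discarded; the profile always survives."""
        if not self.apps_persist:
            self.apps.clear()

    def apply_system_update(self, new_system_layer):
        """Central update: swap the golden sub-image, keep the user's layers."""
        self.system = dict(new_system_layer)


if __name__ == "__main__":
    img = DynamicImage({"/system/os.version": "v1"})
    img.user_write("/apps/editor.exe", "editor-bits")
    img.user_write("/users/alice/settings.ini", "theme=dark")
    img.reboot()
    print("app survives reboot:", img.exists("/apps/editor.exe"))         # False
    print("profile survives:", img.read("/users/alice/settings.ini"))     # theme=dark
```

The model makes the security property of the bullet concrete: whatever a user installs outside the profile layer cannot persist on the device unless IT's policy says so, and the system layer cannot be modified from the user's side at all.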
3.1.3 Device Independence
XenClient can run in a mode that isolates and virtualizes all the underlying hardware for the virtual machines running on top of the platform. In this case, the drivers all run in the control domain. This model of operation enables the creation of truly hardware-independent virtual machines that can be moved between different PCs and even between different vendors’ PCs.
IT departments can reduce their management burden through the use of a Client Hypervisor that abstracts the OS and application environment from the underlying platform hardware, using as few image derivatives as possible. The hardware needs to be compatible with XenClient. XenClient can also run in a mode of operation where the Xen Hypervisor enables a pass-through for certain devices, such as the graphics hardware, directly to a virtual machine. In this case, the regular Windows drivers would run and provide the fastest graphics performance possible. This pass-through technology makes use of hardware virtualization provided by Intel vPro technology.
3.1.4 Self-Service Capabilities
The self-service capabilities in XenClient further increase employee productivity while reducing help desk calls. Users can download preconfigured corporate desktops to their client device themselves. They can also create new local virtual machines and install desktops with different OS or application configurations.
3.1.5 Backup and Restore
Whenever users connect to the Internet, XenClient creates a secure connection to the datacenter to back up the system. In the event that a laptop is lost, stolen, or fails, users can restore the entire virtual desktop to another XenClient-enabled computer. The user simply procures any compatible laptop and then downloads and installs the XenClient software. The user then configures the Synchronizer IP address. XenClient automatically downloads and restores the VM from the last backup. The recovery process can happen in a single day. The ability to pick a backup from a given point in time also enables users to roll back changes and even restore test environments to their previous state without involving IT staff, improving the time to recovery and decreasing the load on IT.
Additional security features include:
- Users can be assigned a locked image on their client device, managed centrally by Synchronizer. Synchronizer authentication integrates with Active Directory (AD)
- Authentication happens over HTTPS, but the image transfer/backup can be over HTTP for increased speed (at the cost of security)
- VHD (VM image) files can be configured for encryption on the client side, providing additional security. Even if HTTP is used for transfer, the image is still actually encrypted (HTTPS transfer would be dual encryption)
- The ‘timeout/lock’ setting that enables VMs to talk with Synchronizer is configurable
- XenClient XT technology provides additional security features, including multiple isolated networks per virtual desktop and multiple classification levels on the same system
3.2 Usage Scenarios
3.2.1 Managed and Unmanaged Corporate Images
IT desires to maintain a standard image that delivers specific applications to a wide variety of users in an enterprise.