1 Introduction:VM Desktop Delivery

1.1 Research Objectives 

Wipro, a Global Information Technology, Consulting, and Outsourcing business, recently collaborated with Intel® to conduct a research project to understand the best approaches for utilizing local virtual machine (VM) desktop delivery for desktop and laptop users. The research team undertook an in-depth analysis of the software and hardware technology that enables such a virtualization model. The objective of the research was to understand the features and capabilities of the technology and identify a set of practical usage scenarios for enterprises. This document provides a summary of the research findings and conclusions. 

1.2 Desktop Virtualization 

Traditionally, every personal computer (PC ) requires an individual operating system (OS). The desktop image, also referred to as “desktop”, contains the OS , applications, user settings, and data. Every PC requires the IT staff to install each application and perform application patching in a distributed manner. Because of the time and effort required in such scenarios, more and more companies today adopt desktop virtualization in order to simplify management of their end-user computing infrastructure, improve security, enhance scalability, and provide users remote access to corporate data and applications. 

There are four main approaches to deliver virtual desktops:

• Local VM desktop - The desktop OS runs in a VM on the client device. Users can have multiple VMs and dynamically switch between them. When the desktop connects to the network, it synchronizes any updates with a copy of the desktop image in the datacenter
• Streamed virtual hard disk (VHD) desktop - The desktop OS runs on the client device. The latest image of the desktop OS uploads from the central server and streams to the client PC every time someone turns on the client PC
• Virtual desktop infrastructure (VDI)  -The entire desktop is hosted in a VM running on a server with the graphical display output being sent to the client device. Users connect to their desktop through the graphics protocol that delivers screen images to their end-user device
• Session virtuaSlization (V) - Users connect into their sessions through a Microsoft® Windows Server® OS that runs on a datacenter server
  

These four virtual desktop approaches fall under two categories: client-based computing and server-based computing. The differences between the two types of computing are as follows:

•  Client-based computing - The OS runs on the client device, utilizing local hardware capabilities and taking advantage of dedicated hardware resources. Local VM desktop and streamed VHD desktop serve as examples of client-based computing models 
  
• Server-based computing - Users access an OS that runs on a datacenter server. Computing resources are dynamically allocated to users when needed. Because this is a time-sharing solution, more users can be accommodated on a server with a certain capacity. When this capacity is split into individual workstations, every end user receives a fixed compute power. Virtual desktop infrastructure and session virtualisation serve as examples of server-based computing models 
  

1.2 Desktop Virtualization

This whitepaper focuses on the local VM desktop delivery approach in desktop virtualization. The research utilized Citrix® XenClient and Citrix Synchronizer that work in tandem to complete the local VM desktop solution. The user experiences XenClient as a small software component loaded on the client hardware, with a simple user interface (UI) for creating multiple VMs and uploading the master image from the server. XenClient enables users to fully take advantage of desktop virtualization whether they are online or offline. With XenClient, multiple virtual machines can run side by side on a single client device. 

2 Technology:Blending Citrix with Intel Virtualization

2.1 Citrix XenClient and Synchronizer

2.1.1 Architecture The XenClient and Synchronizer architecture includes the following components:

• Xen® Hypervisor: allocates the hardware resources to the virtual machines
• Control Domain: a Linux VM that runs an agent. Control Domain has the hardware drivers that make other user VMs hardware independent, enabling deployment of a single desktop image on multiple systems
• Receiver for XenClient: a wizard for creating local VMs, switching between VMs, and adjusting relevant settings. The receiver has a connector that communicates and exchanges data with the Synchronizer 
• Synchronizer: a virtual appliance for XenServer that sits on a datacenter server. Synchronizer enables Active Directory® (AD)- linked authentication, delivery of VM images to devices with XenClient and their backup, blocking of USB devices, and remote disabling of a VM

 Additional details about key technology components are provided below:

• Hypervisor:  XenClient includes a 64-bit hypervisor built on top of Xen 3.4. It is a type 1 hypervisor that runs on the bare metal hardware of the client device. Xen virtualization technology has been used in XenServer for more than 5 years and has been adopted in XenClient for desktop virtualization purposes 
• Memory: XenClient supports static memory allocation as the memory allocation method from the hypervisor to each VM. XenClient pre-allocates memory for itself, leaving all other available allocation memory to virtual machines. The recommended minimum memory allocation is 1GB for Windows VMs
  
• CPU: XenClient utilizes Intel technologies for CP U virtualization, specifically Intel VT-x, a subset of Intel vPro™ technology. For dynamic CPU allocation, XenClient virtualizes CPU cores of the physical processor and presents them as virtual CPUs (vCPUs) to the guest virtual machines. The vCPU cores are manually allocated to virtual machines with XenClient automatically sharing the computing load across the vCPUs. Additional vCPU’s can be added/configured to the VMs when they are powered off
• Storage: XenClient employs Intel VT-d for virtualization for I/O devices such as Ethernet, graphics cards, and hard drive controllers. XenClient offers ‘thin provisioning’ and only allocates space that is actually used by the VM on the physical disk drive. This is not ‘dynamic storage’, since data deleted on the VM cannot be recovered by the hypervisor. Once the data has been written, XenClient considers this storage space to be permanently used by the VM. At the same time, this ‘thin provisioning’ does enable over-commitment of disk space
  
• Graphics: XenClient offers a high-quality video and graphics experience in a 3D-enabled virtual desktop, including full Windows Aero, OpenGL, and DirectX support. The graphics processing unit (GPU) is virtualized and shared across virtual machines. XenClient supports the Intel Graphics Media Accelerator (GMA) 4500 and Intel HD Graphics chipsets. There will be support for other GPUs in the future. With Intel technology, the graphics can be displayed on two monitors. This technology enables virtual machines to access the GPU’s 3Dprocessing capabilities. Only one virtual machine can use 3D graphics at a time, meaning there is no ‘sharing’ of 3D processing
  
• Networking: Network connectivity for all virtual machines is managed and routed through the XenClient Hypervisor. XenClient can be connected to an Ethernet network via Wi-Fi or a physical Ethernet port. Only one network connection can be supported at any given time. Within this connection there are two network levels – one for the hypervisor and one for the VMs. The hypervisor and VMs can have individual IP addresses and be on different layer 3 networks/subnets within one physical network connection for the entire system. There is also a virtual internal network which can be used for communication within VMs 
• Optical Media: XenClient Hypervisor virtualizes optical media devices, such as CD/ DVD readers/writers, to each of the VMs. Simultaneous sharing of optical media drives is supported in a read-only mode. When a VM is writing to an optical drive, the drive will automatically disappear from other VMs and re-appear upon completion of writing
• USB: USB devices are supported and virtualized through XenClient. Human Interface Devices (HIDs) are support. The graphics processing unit (GPU) is virtualized and shared across virtual machines. XenClient supports the Intel Graphics Media Accelerator (GMA) 4500 and Intel HD Graphics chipsets. There will be support for other GPUs in the future. With Intel technology, the graphics can be displayed on two monitors. This technology enables virtual machines to access the GPU’s 3D-processing capabilities. Only one virtual machine can use 3D graphics at a time, meaning there is no ‘sharing’ of 3D processing
• Networking: Network connectivity for all virtual machines is managed and routed through the XenClient Hypervisor. XenClient can be connected to an Ethernet network via Wi-Fi or a physical Ethernet port. Only one network connection can be supported at any given time. Within this connection there are two network levels – one for the hypervisor and one for the VMs. The hypervisor and VMs can have individual IP addresses and be on different layer 3 networks/subnets within one physical network connection for the entire system. There is also a virtual internal network which can be used for communication within VMs 
• Optical Media: XenClient Hypervisor virtualizes optical media devices, such as CD/ DVD readers/writers, to each of the VMs. Simultaneous sharing of optical media drives is supported in a read-only mode. When a VMs is writing to an optical drive, the drive will automatically disappear from other VMs and re-appear upon completion of writing
• USB: USB devices are supported and virtualized through XenClient. Human Interface Devices (HIDs) are managed by the hypervisor and can be used by all VMs simultaneously without any additional configuration. Non-HID devices are either assigned to the hypervisor for use within XenClient or to VMs on an exclusive basis. A slight disadvantage is that a USB device gets disconnected when switching between VMs
• Synchronizer: Citrix XenClient 2.1 has a dynamic layering feature, which essentially keeps a read-only golden image and then uses snapshots for any changes made from the server or client side. As a result, golden images stay as golden images, but server-side changes by the IT department or client-side changes by the user create new ‘versions’ of the golden image. The changes, treated as snapshots, are maintained and reconciled on both the Synchronizer side and the XenClient side

2.2 Intel Virtualization Technology

XenClient is designed to take full advantage of the hardware-assisted virtualisation capabilities in Intel vPro technology. These capabilities include the following: 

• Intel Active Management Technology (AMT):   available as part of the vPro feature set, Intel AMT is hardware technology used for remotely managing and securing PC s out-of-band 
• Intel VT-d : Intel VT-d is an input/output memory management unit which enables virtual machines to directly access peripheral devices such as Ethernet, GPUs, and hard drive controllers 
• Intel VT-x: CPU Virtualisation
• Intel Trusted Execution Technology (TXT): Intel TXT is a virtualisation security technology for enhanced hypervisor protection 
• Intel Advanced Encryption Standard (AES)-NI : Intel Advanced Encryption Standard (AES ) is an encryption standard defined by the U.S. government. AES -NI is the set of new instructions in Intel Core™ processors that accelerate AES operations. Intel AES -NI is widely used across the software ecosystem to protect network traffic, personal data, and corporate IT infrastructure

PCs powered by Intel Core vPro processors provide essential hardware enabled virtualization, security, and isolation functionality and provide direct access to the full graphics capabilities of the device. 

3 Product Capabilities: IT Management and Other Usage Scenarios

3.1 IT Management 

3.1.1 Desktop Administration

XenClient enables fast deployment of new virtual desktops with standard desktop images to employees or contractors. For temporary staff such as contractors, part-timers, and interns, IT can use XenClient to provide time-limited virtual desktops that expire automatically.

XenClient offers the same desktop administration methods as in a VDI:

• Use of master desktop images to support large populations of users
• Centralized definition and implementation of security and backup policies for all managed devices
• Automatic backup of local desktop environments to a central server 
• Granular policy controls that can be enforced to disable USB devices, optical drives, and networks in order to protect valuable corporate data 
• Remote disablement of distributed desktops and virtual machines 
• Backup of block-level changes to VHD files. The backups should be quite small since they include only blocks that have changed and that use additional compression 
• The ability to go back and forth between backup versions, as each version is a snapshot 
• Backend and centrally-managed patches/updates to user images 
• A new snapshot layered image is automatically downloaded and applied to the user’s device 
• Scalable up to 5000 users/desktops per single Synchronizer Server

 3.1.2 Image Management

Desktop images can be categorized into the following types of images

• Static images:These images are intended for a one-time deployment. Any updates come through existing tools and IT processes 
  
• Dynamic images: These images break up the image into 3 parts – system, profile/user settings and data, and applications. The system component is centrally managed and can’t be altered by the user (making it sort of a golden sub-image). The other two parts can be changed by the user per policy. If a user installs an application on a dynamic image, the policy doesn’t enable them to save those changes, meaning that the application will vanish upon reboot. The user profile sub-image is usually writeable by the user and saves changes
  

3.1.3 Device Independence

XenClient can run in a mode that isolates and virtualizes all the underlying hardware for the virtual machines running on top of the platform. In this case, the drivers all run in the control domain. This model of operation enables the creation of truly hardware-independent virtual machines that can be moved between different PCs and even between different vendors’ PCs.

IT departments can reduce their management burden through the use of a Client Hypervisor that abstracts the OS and application environment from the underlying platform hardware, using as few image derivatives as possible. The hardware needs to be compatible with XenClient. XenClient can also run in a mode of operation where the Xen Hypervisor enables a pass-through for certain devices, such as the graphics hardware, directly to  a virtual machine. In this case, the regular Windows drivers would run and provide the fastest graphics performance possible. This pass-through technology makes use of hardware virtualization provided by Intel vPro technology.

3.1.4 Self-Service Capabilities 

The self-service capabilities in XenClient further increase employee productivity while reducing help desk calls. Users can download for themselves, the preconfigured corporate desktops to their client device. They can also create new local virtual machines and install desktops with different OS or application configurations.

3.1.5 Backup and Restore

Whenever users connect to the Internet, XenClient creates a secure connection to the datacenter to back up the system. In the event that a laptop is lost, stolen, or fails, users can restore the entire virtual desktop to another XenClient-enabled computer. The user simply procures any compatible laptop and then downloads and installs XenClient software. The user then configures the Synchronizer IP address. XenClient automatically downloads and restores the VM from the last backup. The recovery process can happen in a single day. The ability to pick a point in time to backup also enables users to roll back changes and even restore test environments to their previous state without involving IT staff, improving the time to recovery and decreasing the load on IT.

3.1.6 Security

The ability to pick a point in time to backup also enables users to roll back changes and even restore test environments to their previous state without involving IT staff, improving the time to recovery and decreasing the load on IT.

Additional security features include:

•  Users can be assigned a locked image on their client device, managed centrally by Synchronizer. Synchronizer authentication connects with the AD
•  Authentication happens over HTTPS, but the image transfer/backup can be over HTTP for increased speed (at the cost of security)
• VHD (VM image) files can be configured for encryption on the client side, providing additional security. Even if HTTP is used for transfer, the image is still actually encrypted (HTTPS transfer would be dual encryption) 
• The ‘timeout/lock’ setting that enables VMs to talk with Synchronizer is configurable
•  XenClient XT technology provides additional security features, including multiple isolated networks per virtual desktop and multiple classification levels on the same system

3.2 Usage Scenarios

3.2.1 Managed and Unmanaged Corporate Images

IT desires to maintain a standard image that delivers specific applications to a wide variety of users in an enterprise.

Delivering such an image precludes providing the user with any ability to add additional personal tools or other application services including their favorite browser (Firefox or Chrome vs. IE), local backup tools, widgets, and so on. XenClient can provide a mechanism for IT to deliver a highlystructured image and in parallel a second image where the usage rules are more relaxed. If the second image breaks, only a fresh OS image is delivered. The user is then responsible for reloading any applications into the image. Basic patching and security services are provided to maintain a base level of management.

3.2.2 Multiple OS Images

IT departments often need to support longstanding enterprise applications that only work on certain older OS versions. In such cases, XenClient can be configured with multiple corporate images such as Windows XP and Windows 7.

3.2.3 Application Container

Certain corporate applications require isolation from other applications due to compatibility or security reasons. XenClient enables a mode of operation where one application can be accessible in one VM while running in a separate VMs with a separate OS. Accordingly, some special applications can be delivered in a self-contained container to users. This can include short-term application loaners or limited application sign-out services.

3.2.4 Multiple Environments

IT engineers in software development and testing often work with multiple environments. XenClient can create independent environments on a single PC , supporting different use cases such as a multi-machine sales demos or a temporary computing environment for testing.

3.2.5 Corporate and Personal

Organizations can provide their employees a separate desktop image for personal use that’s strictly isolated from the corporate image. The corporate applications are located on the corporate-managed VMs, limiting the exposure of corporate data to viruses, introduced in the personal environment.

4. Summary

Desktop Administration: Local VMs desktop technology enables desktop virtualisation on the client device. This offers an alternative method for desktop administration - managing desktop images through incremental image synchronization to the golden image rather than a traditional route of patching and updating to multiple individual desktops. IT departments can easily roll out standardized corporate desktop images while maintaining a central point of management.

Multiple desktop images: Most of the usage scenarios with a local VMs desktop concern using one device for multiple desktop images, each for a separate specific purpose:

• Managed corporate desktop 
• Unmanaged desktop
• Personal desktop
• Application container
• Development environments

Self-service: A local VMs desktop introduces alternative methods for managing corporate images and self-service desktop backup and recovery. This functionality greatly reduces the maintenance burden on IT and simplifies disaster recovery for laptop users.

Security: A local VMs desktop introduces additional security layers and increases the ability of administrators to control the desktop. Laptops and desktops can be seamlessly managed by setting enforceable data protection and data movement policies. Offering a separate desktop image for personal use enables separation of corporate and personal data and further improves data protection. XenClient XT provides advanced endpoint security features, delivering an ideal solution for mobile users with high security requirements.

Intel vPro technology enables hardware-assisted virtualisation and direct access to the full graphics capabilities of the device, improving the overall system performance and security. A local VMs desktop takes advantage of virtual computing technology. It also offers new possibilities in terms of user flexibility by providing anywhere, anytime access to virtual desktops. At the same time, a local VMs desktop gives the desktop administrator additional means for solving many key desktop management and security issues faced by IT departments today.

Andrey Zhulenev, Client Partner – Cloud Computing Strategy and Incubation

Andrey Zhulenev has 20 years of experience in management consulting and IT services. Over the past 8 years with Wipro, he has worked with customers in different industries, including Education, Banking, Financial Services, Manufacturing, Aerospace, Retail, and Healthcare. Andrey brings a deep understanding of technology and practical expertise in IT services, BPO , and Product Engineering. He is an expert in advanced delivery models and quality systems such as Lean and Six Sigma. Andrey is responsible for identifying and incubating next generation Wipro cloud solutions. The conceptualization of the cloud solutions starts with understanding a particular industry’s needs, identifying core and non-core business processes, analyzing the most recent technology trends, and studying the IT ecosystem of Independent Software Vendors (ISVs) and cloud providers. He is currently leading the incubation of the Wipro Desktop as a Service (WDaaS) solution. Prior to Wipro, Andrey worked in a variety of roles within IT services provider LUXOFT, AIG private equity fund, and AT Kearney management consulting. He is based in Seattle, WA. 

Stevan Arychuk, Solution Architect – Cloud Computing Services and Solutions

Stevan Arychuk has 12 years of experience in datacenters, IT operations, infrastructure, network, and Internet technologies, designing and implementing complex technical infrastructure solutions. Stevan has a strong knowledge of content delivery and digital video technologies. At Wipro, Stevan is currently responsible for hardware architecture of the Wipro application and desktop virtualization solutions and technology Research and Development (R&D). He has also worked at Wipro as Vice President of Technology & CTO , Sr. Technologist for Digital Entertainment Services, Infrastructure Solutions Architect, and Network Architect. Prior to Wipro, Stevan worked at Nextactive Networks, Hewlett Packard, Yipes Communications, AvantGo, and Telus. He is based in Portland, OR.