VDI Oh My!

This is a post originally written for the company blog — posted here for posterity.

Have you seen the cost analysis sheets from various entities over the years pointing out how much money you can save with Virtual Desktop Infrastructure (VDI)? In most cases, they’re wrong. But like most things, there are outliers. Today I want to look at VDI and break it down and tell you why you might want to use it – and why you might not. Then we’ll take a look at a few options for VDI, along with their specific advantages and maybe even a few disadvantages thrown in.

Why VDI?

  • Security: I believe that the number one benefit to any organization that VDI brings to the table is security. Security advantages to VDI include:
    • When you abstract the desktop away from the end-user environment, you also have the ability to abstract the data away and into the data center where you can better manage, backup and protect that data.
    • When you use VDI, you create a smaller attack surface. It also makes the attack surface easier to patch, update, monitor and audit.
    • Through proper policies, a VDI environment can be centrally controlled and harder to subvert – basically you have the ability to restrict data transfers, unauthorized access, and even revoke unwanted access from miles away. In the simplest terms, you can better control the number one cause of data breaches: people (Source: Baker & Hostetler, LLP. “BakerHostetler 2016 Data Security Incident Response Report”).
  • Application Management: This one may get me in trouble from VDI purists. I tend to look at VDI today as more than just delivering a desktop, and I suspect most consumers do as well. Most major VDI products have the capability to handle application package management, provisioning and access controls. What this allows you to do is maintain a stranglehold on software access and subsequently licensing usage. Licensing costs are HUGE in enterprises, and true-up and/or violation costs can be surprisingly daunting. Avoid them (or get really close) with VDI. It can make a real difference in cost. I won’t tell anyone if you don’t.
  • Availability: When you put your VDI in your data center, you are inherently gaining redundant power, UPS backup, dual connectivity and typically a better hardware class for your VDI infrastructure than you would have with haphazard desktops. Need I say more?
  • Management: Management becomes much easier. While I hinted at it above in the security section, it is necessary to point out that you make things easier to manage when you can update a single shared image, application or host server and have that roll out to all your users with the click of a button (or two).

Why Not VDI?

  • Security: If you are looking to invest in VDI and you do not take the time to properly secure the solution, it can be a disadvantage too. Security disadvantages to VDI include:
    • You just allowed all of your users to access their desktops from anywhere…maybe. If you have not properly locked down remote access to the right groups, secured peripheral access, and/or set up security policies, you could be opening some additional risks while eliminating others.
    • When you implement VDI using best practices, your VDI environment will become isolated from your server platforms. If you just throw VDI in without working through proper segregation, you can end up with users in the same network space as the server farms. This is generally not a good thing.
  • Management: It may be easier to manage those desktop images and you won’t need to manually go to desktops as much anymore, but the trade-off is that you’ll likely need a more skilled engineering staff to manage the underlying VDI infrastructure. With the proper staff, training, and/or the right partner (like Sentinel), you can head this off at the pass fairly well.
  • Cost: I don’t deal in money much, but I can tell you that you would be sorely mistaken to think that you will save money with VDI. You may lower either capital or operational expenditures, while increasing the other. The reality is, you are gaining features (security, application management, central management and even controlled costs) while spending the same if not more in some cases. Your mileage will vary.

Which VDI Is Best?

There are two major players in the VDI and published application world: Citrix (XenApp & XenDesktop) and VMware (Horizon/View). Both are fully capable application and desktop delivery platforms. Citrix has the historical install base and decades of experience, but VMware has been making leaps and bounds with their very solid product offering. VMware owns the hypervisor space that most deployments will be installed on, yet there are some bells and whistles in Citrix that the advanced VDI deployments may need. The truth is, without sitting down and having a discussion to review your specific needs, no one can tell you which is best. I won’t try here.

Outside of the vendor platform, there is always Desktop-as-a-Service, which is available through Sentinel CloudSelect®.

Bottom Line

The bottom line is this: If you plan it well, implement it on solid technology (check out my previous article on HyperFlex as an example) with the right policies, procedures, and partner, your business and customers will be very happy. Just don’t expect to fill up a piggy bank with the extra savings.

The article here is my opinion; I wrote it. I work for/with the companies/technologies mentioned here — if you don’t like that, tough. If you want to learn more about Virtual Desktop Infrastructure (VDI) and determine the best solution for your business, please contact Sentinel; they pay me, and that allows me to keep working on technologies like these and writing these blogs. If you ask really nicely, you might even be able to work with me. Never know. If you really want to help me out, contact me directly — I will get you all set up with the right people to help you out.

A Data Center Engineer’s Look At Ransomware Protection

Your worst nightmare just happened. You have just been presented with a screen popup telling you that your data is being encrypted and that you have so many days to pay. It gets worse. Every day you delay, chunks of your data are deleted. It happens. I have been on the outside – helping restore data, remove the threats, salvage business operations and prevent further damage. I have a unique perspective on ransomware.

We have things like Cisco AMP, a truly robust and state-of-the-art anti-malware system that integrates at every level from the firewall to the endpoint, with telemetry systems and response rates beyond anything else in the industry at a crazy fast 13 hours! However, even Cisco will tell you that it is not possible to rely on prevention alone. That is why they embed their AMP endpoints into everything – they keep watch for malware that may have slipped through during that 13-hour window. If you don’t have Cisco AMP, you could have a much larger “window”: an industry average of 100 days.

So, how do you as a data center engineer protect your data when something gets through? How do you guarantee the ability to recover and restore? Will you be ready when that popup box shows up?

Backups

This may seem obvious, but backups are critical to a recovery. When your data is encrypted, there is a very strong chance you will not be able to recover it using decrypting tools, so having proper backups will help. So, what is a proper backup? I like Veeam Backup & Replication as it has some really handy features that can make it, and its backups, a little more resilient to malware.

  • Out of the box, it will back up its own configuration and repository data. If the Veeam Controller is infected, you have the ability to restore the Veeam system quickly.
  • It can replicate itself. In fact, it should, if you can. Having a secondary copy in another location can be handy – especially if you have non-real-time replication scheduled for the Controller.
  • It can back up to a variety of locations, including the cloud, to protect your data from afar.
  • You can back up to deduplication appliances like Dell EMC Data Domain appliances that use protocols that are not typically prone to malware attacks.

If you don’t have Veeam, you can still achieve some of this, or all of it. It just may not be as easy. Either way, multi-location and multi-type backup and/or replication strategies are critical to protecting data.

SAN Snapshots

How can snapshots help? If you are using a snapshot-capable EMC Unity or Nimble Storage array, you can configure snapshots with retention schedules that allow you to quickly roll back to a point in time – BEFORE the malware got into the system. You might lose a few minutes or an hour of data, but it is much better than the alternative. If your SAN supports snapshots and you are not using them, set them up as soon as you can.
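To make the retention-schedule idea concrete, here is an added example (mine, not the author’s, and not code from any EMC Unity or Nimble product): a tiered retention pass that decides which snapshots survive, plus the selection of the roll-back point as the newest snapshot taken before the estimated infection time. The schedule (every snapshot for 24 hours, one per day for a week, one per week for four weeks), the snapshot history and the timestamps are all constructed for the example; a real array applies its own schedule, but the bucket logic is the same.

```python
from datetime import datetime, timedelta

HOUR = timedelta(hours=1)

# Retention schedule, constructed for this example (tier name, interval, horizon):
# keep every snapshot for 24 hours, one per day for a week, one per week for four weeks.
RETENTION = [
    ("hourly", timedelta(hours=1), timedelta(hours=24)),
    ("daily", timedelta(days=1), timedelta(days=7)),
    ("weekly", timedelta(days=7), timedelta(days=28)),
]

# Constructed snapshot history: one snapshot per hour for the last 30 days.
NOW = datetime(2016, 6, 1, 0, 0)
SNAPSHOTS = [NOW - HOUR * i for i in range(24 * 30)]


def select_retained(snapshots, now, schedule=RETENTION):
    """Return the sorted subset of snapshots that survive the retention schedule.

    Each tier slices its horizon into interval-sized buckets (by snapshot age)
    and keeps the newest snapshot in every bucket; a snapshot survives if any
    tier keeps it. Everything else is a candidate for deletion.
    """
    keep = set()
    for _tier, interval, horizon in schedule:
        newest_in_bucket = {}
        for ts in snapshots:
            age = now - ts
            if timedelta(0) <= age <= horizon:
                bucket = int(age.total_seconds() // interval.total_seconds())
                if bucket not in newest_in_bucket or ts > newest_in_bucket[bucket]:
                    newest_in_bucket[bucket] = ts
        keep.update(newest_in_bucket.values())
    return sorted(keep)


def rollback_point(snapshots, infection_time):
    """Newest snapshot taken strictly before the estimated time the malware
    entered the system; None if no clean snapshot remains."""
    clean = [ts for ts in snapshots if ts < infection_time]
    return max(clean) if clean else None


def prune_candidates(snapshots, now, schedule=RETENTION):
    """Snapshots the schedule would delete on the next retention pass."""
    retained = set(select_retained(snapshots, now, schedule))
    return sorted(ts for ts in snapshots if ts not in retained)


if __name__ == "__main__":
    kept = select_retained(SNAPSHOTS, NOW)
    print(f"{len(SNAPSHOTS)} snapshots, {len(kept)} retained, oldest {kept[0]}")
    # Suppose the ransomware is estimated to have started encrypting 2.5 hours ago.
    print("roll back to:", rollback_point(kept, NOW - HOUR * 2.5))
```

The point the example makes is the trade-off in the paragraph above: the 24-hour hourly tier is what keeps the data loss to "a few minutes or an hour", while the daily and weekly tiers are what save you when the infection is only noticed days later, at the cost of a larger gap.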

Patching

Patching is crucial. Without patching you are more vulnerable to ransomware and malware attacks. Typically, security patches for software are free: a no-cost or low-cost measure to protect your systems, yet they are so often overlooked. Why? Usually it is a lack of a management system or personnel to perform the patching. This can be addressed with things like WSUS, Microsoft System Center, or VMware Update Manager. Use them.

Control System Access

This is more than making sure you have passwords for employees – it is often protecting employees from themselves. You can invest in, or make use of, several of the following options to restrict access to data – which is how ransomware propagates in general: through data access.

  1. Grant read-only access. If ransomware can’t write – it can’t encrypt. Write access should be granted only as necessary. This applies to databases, file systems, servers, Active Directory, etc. You can use things like Microsoft Identity Manager to help control and automate that access.
  2. Use VDI to your advantage. Create an air-gap of sorts between your end users’ local systems and the critical systems. Lock down folder redirection and USB redirection. Both Citrix XenDesktop and VMware Horizon with View apply here.
  3. Use Group Policies to lock systems down. Is allowing users to set a screen background worth losing all your data?
  4. Use things like Cisco ISE with posturing to ensure that only secure systems connect to the network.
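Item 1 ("if ransomware can’t write, it can’t encrypt") is easy to state and hard to verify across hundreds of shares, so here is an added example (my code, not the author’s, and not part of any Microsoft tool) that parses icacls-style output and flags every allow ACE that gives a broad group such as Everyone, Authenticated Users or Domain Users a right that permits writing or deleting. The folder paths, domain name CORP and group names are constructed for the example; the icacls output format (first ACE on the path line, further ACEs indented, inheritance flags and rights in parentheses) is the real one, with the assumption that paths contain no spaces.

```python
import re

# Constructed icacls-style output for three share folders (made up for this example).
ICACLS_OUTPUT = r"""
C:\Shares\Finance BUILTIN\Administrators:(OI)(CI)(F)
                  NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                  CORP\Domain Users:(OI)(CI)(M)
                  CORP\Finance-Editors:(OI)(CI)(M)
C:\Shares\Public Everyone:(OI)(CI)(RX)
                 CORP\Domain Users:(OI)(CI)(R)
C:\Shares\Scans Authenticated Users:(OI)(CI)(W,D)
                CORP\Scan-Service:(OI)(CI)(M)
Successfully processed 3 files; Failed processing 0 files
"""

# Principals that effectively mean "every user on the domain".
BROAD_PRINCIPALS = {"everyone", "authenticated users", "users", "domain users"}
# icacls inheritance flags, which are not rights.
INHERIT_FLAGS = {"OI", "CI", "IO", "NP", "I"}
# Simple and specific icacls rights that let the holder change or delete data.
WRITE_RIGHTS = {"F", "M", "W", "D", "WD", "AD", "WA", "WEA", "DC", "WDAC", "WO"}

ACE_RE = re.compile(r"^(?P<principal>[^:()]+?):(?P<rights>(?:\([^)]*\))+)$")


def parse_icacls(text):
    """Yield (path, principal, rights, denied) for every ACE in icacls output.
    The first ACE of a path shares its line with the path; later ACEs are indented."""
    path = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[0].isspace():
            ace = raw.strip()
        else:
            parts = raw.split(" ", 1)  # assumes paths without spaces
            if len(parts) != 2 or ":(" not in parts[1]:
                continue  # summary lines such as "Successfully processed ..."
            path, ace = parts
        m = ACE_RE.match(ace)
        if m is None or path is None:
            continue
        tokens = re.findall(r"\(([^)]*)\)", m.group("rights"))
        rights = set()
        for tok in tokens:
            if tok not in INHERIT_FLAGS and tok != "DENY":
                rights.update(r.strip() for r in tok.split(","))
        yield path, m.group("principal"), rights, "DENY" in tokens


def audit_broad_write(text):
    """Return (path, principal, write_rights) for every allow ACE that gives a
    broad group the ability to write, i.e. to encrypt, the data beneath it."""
    findings = []
    for path, principal, rights, denied in parse_icacls(text):
        group = principal.rsplit("\\", 1)[-1].lower()
        write = rights & WRITE_RIGHTS
        if group in BROAD_PRINCIPALS and write and not denied:
            findings.append((path, principal, sorted(write)))
    return findings


if __name__ == "__main__":
    for path, principal, write in audit_broad_write(ICACLS_OUTPUT):
        print(f"{path}: {principal} can write ({', '.join(write)}); consider read-only")
```

On the constructed data the Finance share is flagged because Domain Users hold Modify, and the Scans share because Authenticated Users hold Write and Delete; the Public share passes because its broad groups are read-only. Feeding the script real output from `icacls <folder>` gives you a starting list of places where "write access only as necessary" has not yet been applied.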

You will be attacked. That attack may not breach your systems – or it might. Don’t say I did not warn you. Protect your data. Thank me later.

For the record, I work a lot with Microsoft, EMC Unity, VMware, Cisco, VCE, EMC Data Domain, Veeam, and the other technologies here.  They are what I know best, so if you feel I am biased — well, I am.  They are what I know best!

Load Balancing Exchange 2013 With Citrix NetScaler 11

Today, I am publishing a small guide intended to be used as a starting point for Load Balancing Microsoft Exchange 2013 via Citrix NetScaler 11 Build 64.34 and newer, with the following expectations:

  • Provide Load Balancing (LB) to all Exchange services.
  • Provide ActiveSync Kerberos Constrained Delegation to function with iPhone, iPad (iOS Configuration Utility or AirWatch), Android (TouchDown Mail Client or AirWatch), or Windows Phone (AirWatch).
  • Provide service monitors that are in line with Microsoft best practices.
  • Provide all Exchange services via Content Switching Services (CSS) to only use one IP address.
  • Utilize responder and rewrite policies and actions to automatically redirect unsecured and root URL connections.
  • All communication from the client through to the Exchange 2013 servers will be secured.
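The third expectation, service monitors in line with Microsoft best practices, means monitoring each Exchange 2013 virtual directory separately through the `/<vdir>/healthcheck.htm` page that managed availability serves, rather than pinging the server once. Here is an added example (mine, not from the guide or from Citrix) showing why that matters: a monitor probes each virtual directory on each backend and only keeps a backend in the pool for the services that answer HTTP 200. Two simulated CAS servers run locally in threads; the server names mbx1 and mbx2, the Host header mail.example.test and the simulated OWA outage on mbx2 are all constructed for the example.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Exchange 2013 virtual directories that each get their own load-balanced service
# behind the single content-switching address.
SERVICES = ["owa", "ecp", "ews", "mapi", "oab",
            "Microsoft-Server-ActiveSync", "Autodiscover", "rpc"]


def probe(host, port, service, timeout=2.0):
    """One monitor probe: GET /<service>/healthcheck.htm; the backend is UP for
    this service only if it answers HTTP 200 (managed availability offline
    state, a stopped app pool or a dead host all count as DOWN)."""
    try:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        conn.request("GET", f"/{service}/healthcheck.htm",
                     headers={"Host": "mail.example.test"})  # constructed name
        resp = conn.getresponse()
        resp.read()
        conn.close()
        return resp.status == 200
    except OSError:
        return False


def service_pool_state(servers, service):
    """Map each backend name to whether it stays in the pool for one service."""
    return {name: probe(host, port, service) for name, (host, port) in servers.items()}


class FakeCas(BaseHTTPRequestHandler):
    """Stand-in for an Exchange 2013 CAS: 200 on healthy healthcheck pages,
    503 for virtual directories marked unhealthy, 404 for anything else."""
    unhealthy = frozenset()

    def do_GET(self):
        parts = self.path.strip("/").split("/")
        if len(parts) == 2 and parts[0] in SERVICES and parts[1].lower() == "healthcheck.htm":
            code = 503 if parts[0] in self.unhealthy else 200
        else:
            code = 404
        body = b"200 OK" if code == 200 else b""
        self.send_response(code)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo output quiet
        pass


def start_backend(unhealthy=()):
    handler = type("Backend", (FakeCas,), {"unhealthy": frozenset(unhealthy)})
    srv = HTTPServer(("127.0.0.1", 0), handler)  # ephemeral port
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def run_demo():
    """Two simulated CAS servers; mbx2 has OWA taken offline by managed availability.
    Returns {service: {server: in_pool}}."""
    backends = {"mbx1": start_backend(), "mbx2": start_backend(["owa"])}
    servers = {name: srv.server_address[:2] for name, srv in backends.items()}
    try:
        return {svc: service_pool_state(servers, svc) for svc in SERVICES}
    finally:
        for srv in backends.values():
            srv.shutdown()
            srv.server_close()


if __name__ == "__main__":
    for svc, state in run_demo().items():
        print(f"{svc:28s}", {k: ("UP" if v else "DOWN") for k, v in state.items()})
```

With a single whole-server monitor, mbx2 would either stay fully in rotation (sending OWA users to a broken service) or drop out entirely (losing healthy ActiveSync, EWS and MAPI capacity). Per-service monitoring behind one content-switching address gives the middle ground the guide is built around: only mbx2’s OWA service leaves the pool.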

I hope that this will be a help to the Citrix NetScaler community as a whole. Thanks go to Rafyel G. Brooks, who published a guide back in 2014 on how to deploy ActiveSync with KCD. This guide resolves some issues with the configuration on the new NetScalers and expands on it to encompass the entire Exchange 2013 Load Balancing scenario.

Here It Is: NS11-Exchange2013-KCD-ActiveSync-Deployment

Please Enjoy!