VDI lets end users connect to Windows desktops without having to come to the office

Virtual desktop infrastructure (VDI) is rooted in an idea from the beginning of computing: green screen terminals talking to apps. With VDI, thin client software (a device that runs from resources stored on a central server instead of a localized hard drive) that’s running on a laptop, desktop or mobile device becomes a window into an app client, web browser or desktop OS. The real app client is running in a virtual server in a data center somewhere, not in front of the user. All you need to join is that thin client software. It seems counterintuitive: Why would you dramatically increase your servers and give every user another layer? Well, because deploying VDI comes with huge benefits, such as:

• Improving accessibility and security at the same time by completely isolating apps from end-user mobile devices and desktops, while still allowing users to easily connect to those apps
• Reducing the burden of buying, managing and supporting desktop computers by replacing them with thin clients or mobile devices such as smartphones and tablets
• Controlling software costs closely by purchasing and distributing licenses only to active end users
• Becoming more responsive by leveraging VDI to quickly add server and client resources as needed — and remove them when they’re unnecessary

Some organizations are setting up a VDI project plan to deliver  apps to end users — apps that require a special thick client (a networked computer system with most resources installed locally, rather than distributed over a network), have special licensing or are too heavyweight to install on every workstation.

Other organizations are doing away with client workstations entirely, building Windows server VDI — to deliver Windows desktop services via VDI — which lets end users have access to “their” Windows desktops on any device they want.

Whichever path you take, implementing VDI can feel like a big project, and figuring out how to set up VDI can be difficult when you don’t know where to start, but it’s easy with the right plan. Follow these seven basic steps and you’ll be delivering VDI capabilities quickly:

1. Decide the scope of your project
2. Pick your VDI vendor
3. Set up and scale up your hypervisor server farm
4. Review security
5. Bolt everything into place
6. Distribute clients and train users
7. Sit back and enjoy the savings

Step 1: Decide the scope of your VDI project

Your VDI project may have a huge scope, but as you get started with your virtual desktop project plan, you have to narrow things down. The fastest way to focus is to decide whether you’re using VDI for a full desktop replacement or just for specific apps.

A full desktop replacement generally requires more work, because you’re replacing each of your business PCs with a virtual desktop. Performance and storage are hard to estimate, but there are some shortcuts. For example, some service providers offer a virtual desktop hardware client, while others provide cloud-based desktop-as-a-service solutions (Amazon calls this Amazon Workspaces) that can scale up and down quickly and reduce the amount of work required to manage your desktop “golden master” image. But there’s an additional cost in connecting your data center and Active Directory to the service provider’s cloud, and you’re trading initial capital expenses for increased operational expenses that will never go away.

The alternative to full desktop replacement is to start with a few specific apps that you want to move to a VDI environment. In this case, calculating performance and storage requirements is simpler because you’re not shifting every Windows desktop to the cloud; you’re just delivering specific apps to specific end users.

Your scope here won’t limit the project; you can always expand your VDI later. But focusing on one use case with a clearly defined scope will result in a more refined virtual desktop project plan, which will speed your path forward.

You can use this initial VDI scenario to start capacity planning — a particularly important part of your VDI project. How many users will be using this service simultaneously? Is your internet and in-building network infrastructure prepared for this new load of client-server communications? And more importantly, does your data center have the server, storage and network capacity? We’ll dive deeper into that question further on in this guide.

Step 2: Pick your VDI vendor

You may already have some experience with VDI technology, using remote desktop connection (RDC) clients to connect to servers in your data center. The display technology behind RDC and VDI is fundamentally the same, whether you’re connecting to a single server or handling a farm of 1,000 virtual workstations.

The main difference between using RDC to talk to a server and a true VDI solution is the scalability offered by that simple connection between client and server. This infrastructure — often called a connection broker — is responsible for managing the user portal, handling authentication and authorization, starting and stopping virtual machines (VM) that serve desktops and apps and setting up connections between the users and their virtual desktops or apps.

Different VDI vendors use different terminology, but it’s important to understand the difference between the connection broker and the VDI servers themselves. The connection broker is overhead: It’s all of the pieces that are used to set up, report on and manage the VDI connections. For all but the smallest of VDI deployments, the pieces of the connection broker will themselves consume a number of virtual servers.

The VDI servers are what actually run the app or desktop on the user’s behalf. If you’re using VDI to virtualize your Windows desktops, for example, then your Windows server VDI needs a virtual VDI server for every simultaneous user. You can pack those virtual servers into physical servers running a hypervisor — 10 per physical server, 20 per server, whatever the performance data sheets say for the hardware you have available. But each real user’s VDI client is talking to a unique virtual server somewhere in your VDI deployment. We’ll talk about these physical servers and their hypervisors in Step 3.

When you select your VDI vendor, you’re focusing on that first part: the connection broker. The two big names in this realm are Citrix’s Virtual Apps and Desktops and VMware’s Horizon. Amazon (Amazon Workspaces) and Microsoft (Azure) have also entered the VDI game, leveraging their reliable and super-powerful data centers to handle both the connection broker piece and the hypervisor piece. Other, smaller competitors, including Parallels and Nutanix, may also be able to meet your needs.

Decide whether you want to run the VDI servers themselves in the cloud. For some IT managers, VDI means moving app clients or virtual desktops out of people’s desks and into their own data center. Often, this is for security reasons, or because the app and network topology require users to be “inside” the corporate network for things to work properly.

But that’s not always necessary. If your apps have all been moved to the cloud and you have little or no VPN requirement, then you have the option to run VDI inside the cloud as well. You may still choose an on-premises solution with Citrix or VMware, but you have more vendors to consider if the VDI servers can be in the cloud, too.

Step 3: Set up and scale up your hypervisor server farm

If you’ve chosen a cloud service provider, such as Amazon or Microsoft, then there’s not much to do here, because these providers deliver both the connection broker and the physical hosts for the VDI VMs, using their own technology.

But if you’ve decided on an on-premises (or hybrid) solution with servers in your own data centers, you’ll have to select a hypervisor and scale it up properly. Picking isn’t a big decision for most IT managers. You probably have a preferred hypervisor — vSphere, Hyper-V, XenServer, RHEV and KVM are the big names here — and you probably want to stick with whatever you already have experience with. Don’t let a salesperson from your VDI vendor talk you into changing your hypervisor technology. All of the VDI products work with all the major hypervisors.

Scaling the VDI host physical servers requires careful analysis. Remember: Every single VDI user is going to be using a virtual desktop hardware client that talks to a virtual server somewhere in your farm of physical servers running the hypervisor, and this can be a huge performance and capacity load to accommodate.

You won’t be able to wedge your VDI host physical servers (and the connection broker ones as well) into an existing infrastructure without some increase in capacity: more physical hypervisor servers, more network-attached storage and very possibly more network.

Make sure you have a good handle on what the server, disk and network performance requirements will be when VDI is fully up and running, and get that hardware installed immediately.

Step 4: Review security

Most VDI deployments are internet-facing, so you need to be sure that the security here is consistent with what your organization needs. Remember: Once someone is logged onto a server in your VDI, they’re effectively inside your network. Building in security at the beginning is a lot simpler than trying to add security once things are already running.

Here’s a checklist of things to consider:

• If you’re not already using two-factor authentication (2FA) or multifactor authentication (MFA), this should be a minimum requirement for logging onto the VDI. Usernames and passwords are so easily stolen that an internet-facing VDI needs the best authentication you can afford — not just a simple password.
• Now’s the time to consider network micro segmentation in your data center. When the VDI spins up a new VM to support a VDI user, that server should be extremely well firewalled from the rest of the data center network. Use traditional network firewalls to keep VDI user VMs isolated from the rest of the data center. Even better, put different types of VDI VMs into different network segments, isolated from each other and with strictly defined access to the rest of your network.
• Make sure the VDI connection broker is self-protecting. In addition to the network-layer firewall, all connection broker servers should have host-based firewall, antimalware and intrusion prevention systems. Review the security settings for features such as break-in evasion.
• Don’t forget antimalware on the VDI user VMs, especially if you’re running virtual desktop services. The VDI VMs may be wiped between users, but while someone is logged on, there’s plenty of time for malware to infect and propagate through your network.
• Evaluate remote client security. If users will be connecting to the VDI from a virtual desktop hardware client on a personal PC, typical VDI features such as USB, file and printer sharing may be inappropriate. Users coming from thin clients and mobile devices, such as smartphones and tablets, have a very different security profile. You may want to approach these more secure clients differently.

Step 5: Bolt everything into place

Installing VDI means getting the connection broker technology in place, as well as any upgrades you need for your VDI to support the anticipated load. Here’s a quick checklist to guide you through the installation part of your virtual desktop project plan:

• If you don’t know how to set up VDI, this is a great time to hire a consultant or use the vendor’s professional services team. Most of the installation steps are one-time operations, and it may be cost-effective to have someone who’s done this many times walk you through the process.
• Performance and scalability are a big deal. If you’re installing on-premises, make sure you separately consider virtual server capacity (CPU and memory), storage systems and networking.
• Your internet connection has to handle the VDI load and do so reliably. Evaluate your data center’s internet connection to make sure it has both capacity and redundancy.
• If you’ve chosen a pure cloud or hybrid cloud/on-premises deployment, leave ample time for your network and security teams to set up VPN tunnels and directory connections. The VDI vendors will say it’s easy. It’s not. Having dedicated VPN firewalls for this project is smart and increases reliability. Don’t try to overload your existing data center firewalls with tunnels to cloud data centers.
• Take baseline performance measurements of storage systems and data center networks before VDI is running so you can see the true impact of VDI as things begin to ramp up.

Step 6: Distribute clients and train users

VDI is just another app, but it’s one that can be confusing to end users because they don’t necessarily understand the virtualization or the extra layer you’ve added. Prepare some basic training sessions so that everyone diving into VDI knows what’s happening and why.

Make sure the VDI client gets installed properly. For mobile users, point them to their app store, or push the virtual desktop hardware client down using your mobile device management (MDM) solution. Desktops and laptops can load the client as part of their first connection, but it’s more secure for the user — and faster — if you preinstall the client where possible.

If your VDI will also have at-home users, create a short how-to guide detailing where to get the client and how to install it.

Step 7: Sit back and enjoy the savings

VDI isn’t cheap, and pursuing the upgrade will require an upfront investment for servers, licenses and other infrastructure components. You can shift some of those costs to continuing operational expenses by selecting a cloud services provider, but without question, deploying VDI definitely costs money. After all, you’re taking something that already works and adding another layer of hardware and software. That’s never free.

On-premises VDI deployments will deliver some savings, especially if you’re going with full desktop replacement. The job of installing, debugging, supporting, repairing, deploying and redeploying end-user PCs becomes simpler — or disappears entirely — if you shift to thin clients and mobile devices. But don’t predicate your VDI project on saving money.

The goal of VDI is to deliver services to users so they can work more flexibly. When you understand how to set up VDI, you can easily accomplish tasks that were once difficult or downright impossible. You can connect end users to Windows desktops without them setting foot in the office. You can provide mobile access to Windows apps so that smartphone and tablet users can access these apps without a laptop. You can tear down complicated VPN configurations and simply deliver apps from your data center over the internet — a great stepping stone in businesses’ shift to cloud-based hosting.

As you plan your VDI rollout, learn how to better protect the personal and work data on your mobile phone in this free guide. And explore exclusive business pricing, financing and trade-in options and other deals on everything from phones and tablets to monitors and memory.