IBM Software Tivoli
Optimizing virtual desktop infrastructures
How Tivoli Endpoint Manager improves the performance and security of VDIs
Thought Leadership White Paper
Contents
Introduction
Better management for virtualized environments
Performance challenges for virtualized desktops
Addressing the needs of desktop virtualization
Management challenges in a virtualized environment
Gaining real control over virtualized environments
For more information
Introduction
Virtualizing the data center offers well-established benefits, with capabilities for hardware optimization, flexible endpoint deployment, reduced management complexity and lower total cost of ownership. Virtualizing desktop environments using virtual desktop infrastructure (VDI), however, presents a very different business case and some unique challenges.

Organizations undertaking desktop virtualization typically are seeking benefits that include easy end-user access to applications and information from a variety of devices, enhanced security, rapid provisioning and simplified software deployment.

However, virtualization of any kind is not without its technology and IT management challenges. And desktop virtualization, with its potentially huge numbers of devices and users, combined with the high demands that it can place on network throughput and bandwidth, can create issues that affect business operations.

Consider this example: a company deploys virtualized desktops and application streaming across the organization to simplify the management of end-user client devices. The business benefits from this strategy are significant, but the burden that running virtualized desktops places on the network and server infrastructure is so great, and IT has so little visibility into and control over the virtual desktops, that quality of service dwindles to the point where critical business applications become unusable. On today’s smarter planet, no one can afford that kind of bottleneck.
IBM® Tivoli® Endpoint Manager provides a single, multifunction, low overhead agent that can be placed inside of virtual desktop instances, on user host devices, on virtualized servers and on the servers delivering virtualization services. This provides IT with real-time visibility, with command and control for all dimensions involved in delivering virtualization technologies in the same place and in the same way as nonvirtualized devices. Tivoli Endpoint Manager supports up to 250,000 endpoints (including virtual machines) with a single management server, single console and endpoint agents. Agents average less than 2 percent CPU capacity and less than 10 MB RAM, delivering high levels of endpoint management and enabling high guest-to-host ratios.

IBM Tivoli Endpoint Manager also delivers an efficient, cost-effective answer to reducing the impact of the large infrastructure footprints that come with desktop and application virtualization solutions. Utilizing streaming mode when bandwidth is ample but also enabling an automated offline mode to preserve bandwidth when usage is high, Tivoli Endpoint Manager enables organizations to implement its technologies without massive upgrades to the network infrastructure.
Better management for virtualized environments
As desktop virtualization grows, organizations typically find they need new and better ways to manage their infrastructures. Once virtualization is in place, setting up additional virtual machines is quick and easy, resulting in a sprawl of hard-to-locate and hard-to-manage virtual machines. In an environment where virtual machines may be moved from server to server dynamically based on policy, how do IT administrators quickly and easily access virtual machines for patch, configuration and vulnerability management? What’s more, even in a virtualized environment, physical devices remain—creating the need for tools that can manage virtual and physical machines together, from a single unified view.
Tivoli Endpoint Manager provides a graphical view of virtual desktops, physical endpoints and host servers through a single, unified console.
Tivoli Endpoint Manager is designed to seamlessly bridge the gap between physical and virtual device management, and to provide insight and control for devices of both kinds. While its small footprint helps preserve device performance, its single, unified management console reaches physical and virtual endpoints regardless of their location, connection type or status. The solution’s ability to control and protect devices, applications and information can help ensure greater success with virtualization, with higher levels of manageability and reliability.
Performance challenges for virtualized desktops
In creating a virtual desktop environment, organizations typically encounter three principal performance challenges:

● Latency and bandwidth: Controlling and enhancing throughput are a constant struggle. But the issue is more than managing the pipes—it’s also knowing what’s connected to them. IT first has to know where all its virtual and physical assets reside. Many organizations, even fairly small ones, are unable to locate all their devices.
● Scalability limits: The conventional client-server model that uses “push” technology to patch and manage endpoints typically has a limit of 10,000 to 20,000 nodes per server. Tivoli Endpoint Manager is specifically designed for large enterprise environments, with scalability to easily support hundreds of thousands of physical devices and/or virtual instances with only one or two servers.
● Agent overload: Multiple agents on virtual machines, particularly management agents such as those providing malware protection, need to be coordinated so that they do not overwhelm the server hardware on which they run. For example, antivirus scans are often scheduled to begin at the same time every day. Thousands or hundreds of thousands of virtual desktops, all scanning at the same time, can result in a performance nightmare. Tivoli Endpoint Manager for Core Protection’s malware scanning capabilities are virtualization-aware, serializing scans so that virtual desktops do not all scan at the same time. Tivoli Endpoint Manager can also reduce the need for multiple management agents altogether.
Addressing the needs of desktop virtualization
To deal with these challenges, Tivoli Endpoint Manager enhances the performance of application virtualization solutions such as Microsoft App-V software with four key capabilities:

● Real-time knowledge of local endpoint conditions: Tivoli Endpoint Manager can enhance App-V client behavior and package selections. It can, for example, force App-V into an offline mode that utilizes a local copy of the application when bandwidth is low. The Tivoli Endpoint Manager agent is also bandwidth-aware, performing tasks such as patch management, configuration management and software distribution without impacting network performance.
[Figure: IBM Tivoli Endpoint Manager and Microsoft App-V. Labels: Manage App-V clients; Install role-based applications; Manage client settings; Manage application state and cache; If bandwidth to corporate infrastructure is good; If bandwidth to corporate infrastructure is poor.]
Tivoli Endpoint Manager enables management of the entire App-V deployment life cycle, with controls that help optimize App-V bandwidth utilization to help ensure desktop and network performance.
● Reduced infrastructure cost and maintenance time: With the costs of installing, repairing, maintaining and updating systems far outstripping the initial cost or purchase, the ongoing expense of a large-footprint endpoint management infrastructure can increase IT expense considerably. Large footprint solutions may require a server in each physical location. Tivoli Endpoint Manager requires only one dedicated server per 250,000 endpoints. It relies for scalability on distributed, nondedicated “relays,” incurring much lower capital and operational costs than other systems.
● Unified tools and processes for physical and virtual machines: Technologies that require unique management infrastructures increase IT complexity. With Tivoli Endpoint Manager, deployment and management of applications on virtualized and nonvirtualized endpoints are completely transparent. From distribution to updates, each software package is managed the same way, from the same console.
● Unified server infrastructure: A large-footprint endpoint management application designed as a standalone solution with its own console, tools and requirements for distribution, configuration and maintenance generally also requires its own servers. Tivoli Endpoint Manager fits easily into existing environments without requiring an extensive hardware- and labor-intensive deployment.
Management challenges in a virtualized environment
Tivoli Endpoint Manager directly addresses the core challenges inherent in managing a virtualized environment: visibility and discovery, security configuration and patching, licensing and compliance, and management complexity. For each of these challenges, the solution provides features and functionality that support the administrator in maintaining seamless control over assets in a single view.

Visibility and discovery
With virtualized applications, traditional asset discovery methods often fail because applications reside within a virtualized container that makes it possible to easily and automatically move them from one host to another. Thus, they can be “hidden” from detection by standard discovery tools. Even where detection is possible, traditional discovery methods often do not provide the ability to identify whether an application is physical or virtualized.

Tivoli Endpoint Manager offers the same level of discovery and visibility for virtual as for physical assets, ensuring that software inventories are up to date, accurate and complete. Its asset discovery capabilities can find new machines as they come up in real time, and can identify whether a machine is physical or virtual. The solution provides agents for the hypervisor or host operating system, providing visibility into the base layer as well as the items on top of it.

Security
Virtualization increases the potential velocity of change, as virtual machines can be created and decommissioned in minutes. Organizations need to ensure that these activities have the appropriate level of change control and auditability—at both the hypervisor and individual virtual machine levels. The need to manage, track and maintain online and offline virtual machines and snapshots only increases this complexity.

Virtualization also adds a new level of complexity to the patching process. “Gold” virtual machine images, upon which virtual desktops are based, can easily fall out of currency with security patch and configuration baselines.

Tivoli Endpoint Manager’s antimalware capabilities, powered by Trend Micro, not only protect physical and virtual endpoints, but are also the first to be VDI-aware. This means that Tivoli Endpoint Manager can:

● Limit the number of virtualized endpoints performing a full system scan or antimalware updates at the same time. This can reduce performance impact and optimize end-user productivity.
● Prescan and white list elements of the base image so that each instance of the virtual desktop is scanning only incremental differences. This can result in fewer scans and much shorter scan times.
● Integrate with VDI management to retrieve information about the status and location of secured virtual desktops. This helps optimize resource utilization across the entire virtual desktop environment.
Tivoli Endpoint Manager automates the process of detecting, enforcing and reporting security configuration policies. Newly provisioned or previously offline virtual desktops are automatically “topped off” with the latest security patch and configuration baselines within minutes of activation. Capabilities for discovering rogue devices and quarantining at-risk machines until remediation can occur enable unparalleled visibility and control over security and vulnerability exposure. With Tivoli Endpoint Manager, administrators can patch and continuously enforce security configuration baselines on hundreds of thousands of physical and virtual workstations, servers and remote devices worldwide—all from a single point of control.

Licensing and compliance
A virtualized application can be provisioned, come online and go offline several times within the same day. From a licensing perspective, administrators need to know when a virtual machine’s status changes, as well as whether an offline machine could be turned on. If the company is charging back for support, or the virtual application is delivered as a service to a business unit, it is necessary to know who is consuming which applications—and for how long.

Tivoli Endpoint Manager enables organizations to improve efficiencies by creating reliable linkages between inventory information and purchasing and procurement tools and processes. For physical and virtual assets, it helps ensure that each asset has the software it is supposed to have and is not running unauthorized applications. It helps identify underused software to manage costs, and helps identify overused licenses to stay on the right side of software license agreements, all while providing timely and reliable information for regulatory and governance compliance. It also can reduce software audit costs by rapidly providing license usage reports across both physical and virtual desktops.
Management complexity
As the use of virtualization grows, organizations need to manage physical and virtual environments seamlessly. However, while persistent virtual machines should be managed like assets, they are much more dynamic than their physical counterparts. Addressing the greater level of complexity they create requires a consolidated lifecycle approach to the provisioning and configuration of physical and virtual assets. Tivoli Endpoint Manager can perform full lifecycle management, from configuration to patching, on a virtual machine as easily and effectively as on a physical machine. The solution gives staff the power to see all computing devices, manage their power usage and minimize change control window requirements with a single agent, infrastructure and console. Because Tivoli Endpoint Manager treats virtual assets on par with physical assets, it provides a convergent, unified management system for both—eliminating the need for multiple point solutions.
Gaining real control over virtualized environments
With the ease of bringing up a new virtualized desktop, administrators can quickly lose visibility into the total asset picture, leading to lack of control and ineffective management. Tivoli Endpoint Manager enables the organization to enjoy up-to-the-minute visibility and control of the most granular properties and processes across tens of thousands, or even hundreds of thousands, of physical and virtualized computing assets.

By managing the entire asset lifecycle, Tivoli Endpoint Manager brings cost savings and operational excellence to key management functions, including asset discovery and inventory, software license management, power management, software distribution and patch management. Consolidating and streamlining the most common operational tasks, Tivoli Endpoint Manager delivers the highest levels of automation combined with fine-grained accuracy, enabling IT departments to maintain service levels, focus on critical issues and ensure overall operating efficiency.
For more information
To learn more about IBM Tivoli Endpoint Manager, contact your IBM representative or IBM Business Partner, or visit ibm.com/tivoli/endpoint
© Copyright IBM Corporation 2011 IBM Corporation Software Group Route 100 Somers, NY 10589 U.S.A. Produced in the United States of America June 2011 All Rights Reserved IBM, the IBM logo, ibm.com and Tivoli are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. If these and other IBM trademarked terms are marked on their first occurrence in this information with a trademark symbol (® or ™), these symbols indicate U.S. registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. A current list of IBM trademarks is available on the web at “Copyright and trademark information” at ibm.com/legal/copytrade.shtml BigFix is a registered trademark of BigFix, Inc., an IBM Company. Microsoft is a trademark of Microsoft Corporation in the United States, other countries, or both. Other company, product and service names may be trademarks or service marks of others. References in this publication to IBM products and services do not imply that IBM intends to make them available in all countries in which IBM operates. Product data has been reviewed for accuracy as of the date of initial publication. Product data is subject to change without notice. The information provided in this document is distributed “as is” without any warranty, either express or implied. IBM expressly disclaims any warranties of merchantability, fitness for a particular purpose or noninfringement. IBM products are warranted according to the terms and conditions of the agreements under which they are provided. The customer is responsible for ensuring compliance with legal requirements. 
It is the customer’s sole responsibility to obtain advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulatory requirements that may affect the customer’s business and any actions the customer may need to take to comply with such laws. IBM does not provide legal advice or represent or warrant that its services or products will ensure that the customer is in compliance with any law or regulation.
ibm.com/tivoli/endpoint
TIW14079-USEN-00