Options for secure access to campus Enterprise Applications

Background:

Campus security is a high priority for Berkeley, and campus workstation administrators are required to keep workstations current to meet the campus minimum-security standards. Workstations constantly need to be refreshed, and new software versions are released frequently.

At the same time, enterprise vendors (Hyperion BAIRS, Hyperion Cal Planning and OBIEE CalAnswers) have been slow to certify their software with new browser and Java versions. In addition, the upgrade schedules for these applications do not always align with the OS, browser and Java updates.

The ever-changing software on the workstation, combined with the need to support older certified browsers and Java versions, creates a security challenge for the campus.

An example to demonstrate this conflict is listed below:

BAIRS currently supports 2000+ users and utilizes Oracle's Hyperion EPM applications (BAIRS: version 9; CalPlanning: latest version 11). Unfortunately, this suite of applications supports only the following browsers:

Internet Explorer 7.x

Internet Explorer 8.x

Firefox 3.5x

Support matrix

Columns: system / version / supported browser / Java Runtime Environment (server not desktop) / Microsoft Office integration

BAIRS (>2000 users), Oracle/Hyperion 9.3.1.1
  Supported browsers: Internet Explorer 7.x; Internet Explorer 8.x; Firefox 3.5x
  Java Runtime Environment: 32 bit - JRE 1.5.0 Update 21 current 1.6; 64 bit - JRE 1.5.0 Update 21

CalPlanning (estimated 600 users), Oracle/Hyperion 11.1.2.1
  Supported browsers: Internet Explorer 7.x; Internet Explorer 8.x; Firefox 3.5x
  Java Runtime Environment: 32 bit - JRE 1.5.0 Update 21 current 1.6.0.21; 64 bit - JRE 1.5.0 Update 21 current 1.6.0.21
  Microsoft Office integration: Windows XP Professional with SP2+; Windows Vista with SP1+; Windows 7 (32bit & 64bit); Apple Mac OS X Release 10.6.x
  Note: Office versions 2003, 2007, 2010 32 bit only

CalPlanning, Oracle/Hyperion 11.1.2.2 (just released April)
  Supported browsers: Internet Explorer 7.x; Internet Explorer 8.x; Internet Explorer 9.x; Firefox 3.5+; Firefox 10.x
  Java Runtime Environment: 32 bit - JRE 1.5.0 Update 21 current 1.6.0.21; 64 bit - JRE 1.5.0 Update 21 current 1.6.0.21
  Microsoft Office integration: Windows XP Professional with SP2+; Windows Vista with SP1+; Windows 7 (32bit & 64bit); Apple Mac OS X Release 10.6.x
  Note: Office versions 2003, 2007, 2010 32/64 bit

CalAnswers (estimated >2000 users), OBIEE 11.1.1.5
  Supported browsers: Internet Explorer 9.x; Firefox 5+ - 9 (not 10, 11, 12: three versions in three months); Google Chrome 10+; Safari 5.x
  Microsoft Office integration: Microsoft Office 2003; Microsoft Office 2010; Apple Mac OS X Release 10.6.x

Because the application does not work with new IE and Firefox browsers, desktop administrators have been uninstalling new versions of these browsers and installing the older Hyperion-supported browsers. This adds extra effort and expense for the administrator, and it prevents them from keeping campus workstations patched to meet minimum-security standards. In addition, many campus workstations receive automatic updates to their browser version. The recent Firefox 10 release caused significant problems for the user community, since the BAIRS application is not only unsupported on these browsers but does not work on them. NOTE: In some cases, administrators can set the compatibility mode back to a prior version and execute the BAIRS reports.
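The conflict described above can be checked against a workstation inventory. The following is an added example, not campus or vendor code: it encodes the BAIRS, CalPlanning 11.1.2.1 and CalAnswers rows of the support matrix and reports, per workstation, which applications the installed browser is not certified for. The host names, the inventory and the reading of the version ranges are assumptions.

```python
# Added example, not campus code. Ranges are transcribed from the support
# matrix above; their reading is an assumption: "7.x" = any 7.*,
# "3.5x" = any 3.5.*, "10+" = major 10 or later, "5+ - 9" = majors 5 to 9.
# Rule = (browser, lowest version prefix, highest version prefix or None).
CERTIFIED = {
    "BAIRS (Hyperion 9.3.1.1)": [
        ("ie", (7,), (8,)), ("firefox", (3, 5), (3, 5))],
    "CalPlanning (Hyperion 11.1.2.1)": [
        ("ie", (7,), (8,)), ("firefox", (3, 5), (3, 5))],
    "CalAnswers (OBIEE 11.1.1.5)": [
        ("ie", (9,), (9,)), ("firefox", (5,), (9,)),
        ("chrome", (10,), None), ("safari", (5,), (5,))],
}


def parse_version(text):
    """Turn '10.0.2' into (10, 0, 2) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


def in_range(version, low, high):
    """Compare only as many leading components as each bound specifies."""
    if version[:len(low)] < low:
        return False
    return high is None or version[:len(high)] <= high


def certified_apps(browser, version_text):
    """Applications whose matrix row certifies this browser build."""
    version = parse_version(version_text)
    return sorted(app for app, rules in CERTIFIED.items()
                  if any(name == browser and in_range(version, low, high)
                         for name, low, high in rules))


def audit(inventory):
    """Map each host to the applications its browser is not certified for."""
    return {host: sorted(set(CERTIFIED) - set(certified_apps(browser, ver)))
            for host, browser, ver in inventory}


# Constructed inventory with hypothetical host names.
INVENTORY = [
    ("ws-finance-01", "ie", "8.0.6001"),
    ("ws-finance-02", "firefox", "10.0.2"),
    ("ws-dept-03", "firefox", "3.5.9"),
    ("ws-dept-04", "ie", "9.0.8112"),
]

if __name__ == "__main__":
    for host, gaps in audit(INVENTORY).items():
        print(f"{host}: not certified for {', '.join(gaps) or 'nothing'}")
```

With the rows as encoded, the BAIRS and CalAnswers ranges for Internet Explorer and Firefox do not overlap, so every host in the sample has at least one gap.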

This document presents some options for discussion in the hope of finding a solution that will allow desktop administrators to maintain secure campus workstations and allow users to utilize vendor-supported enterprise applications.

Options Explored:

For each of the options below, a Windows image is created that presents the customer with a Windows-like workstation containing the vendor-supported browsers for BAIRS, CalPlanning and CalAnswers. The image might also include software such as the Hyperion plug-in, MS Office, the Oracle Office integration software SmartView, and other applications required by BAIRS, CalPlanning and CalAnswers.

Listed below are three options: Terminal Server, Application Virtualization and Desktop Virtualization.

Terminal Server (Remote Desktop Services) (A)

Remote Desktop Services in Windows Server 2008 R2, formerly known as Terminal Services in Windows Server 2008 and previous versions, is one of the components of Microsoft Windows (both server and client versions) that allows a user to access applications and data on a remote computer over a network, using the Remote Desktop Protocol (RDP). Terminal Services is Microsoft's implementation of thin-client terminal server computing, where Windows applications, or even the entire desktop of the computer running Terminal Services, are made accessible to a remote client machine.

With the Terminal Server option, customers would be required to remote into the server. Once on the server, all required vendor-supported software is made available. As part of the configuration set-up, browsers and web access controls would be implemented to create a secure environment.

The customers will be allowed to print and move data to their desktop as they normally would. Other than signing into the terminal server, the user experience would be the same as on a Windows workstation running an older IE browser.

Application Virtualization (B)

Application virtualization is an umbrella term that describes software technologies that improve portability, manageability and compatibility of applications by encapsulating them from the underlying operating system on which they are executed. A fully virtualized application is not installed in the traditional sense, although it is still executed as if it were. The application is fooled at runtime into believing that it is directly interfacing with the original operating system and all the resources managed by it, when in reality it is not. In this context, the term "virtualization" refers to the artifact being encapsulated (application), which is quite different to its meaning in hardware virtualization, where it refers to the artifact being abstracted (physical hardware).

With this option, a Windows image is created similar to the terminal server option. The difference is that the application and Windows image with the required software.

Customers would access this virtual desktop by selecting the icon on their desktop and transferring control to the virtual image. Once in the virtual desktop, the user experience would be the same as on a Windows workstation running older IE browsers.

Desktop Virtualization (C)

Desktop virtualization, as a concept, separates a personal computer desktop environment from a physical machine using the client–server model of computing.

Some virtualization platforms allow the user to simultaneously run multiple virtual machines on local hardware, such as a laptop. Virtual machine images are created and maintained on a central server, and changes to the desktop VMs are propagated to all user machines through the network, thus combining both the advantages of portability afforded by local hypervisor execution and of central image management. This approach requires more capable user hardware capable of running the local VM images, such as a personal computer or notebook computer, and thus is not as portable as the pure client-server model.

With this option, a Windows image is created similar to the terminal server option. The difference is that the application sits on the customer's desktop and the image is installed with the required software.

Customers would access this virtual desktop by selecting the icon on their desktop and transferring control to the virtual image. Once in the virtual desktop, the user experience would be the same as on a Windows workstation running older IE browsers.

Options Matrix

A: Terminal Services (Enterprise Windows Team)
  End Point: Remote Desktop Client
  Distribution Point: Mac users can download the client (self-supported or DOCS support). Windows XP/Vista/7 users already have it.
  Control Point: Terminal Services Manager
  Advantages:
    • BAIRS Mac customers are doing this today.
    • Provides secure firewall environment
    • Users must sign into server using remote desktop or VPN
    • Centrally managed
  Disadvantages:
    • Cost
  Cost: Based on 1800 BAIRS customers, Support + Microsoft remote desktop and terminal servers. Microsoft remote desktop license**** per customer @ 15.15 (9 Windows Team hosted VMs*** @ $1969.20 annually per server). Total forecasted cost: 18K annually plus 27K for licenses.

B-1: Standalone AppV with TEM (BigFix)
  End Point: AppV Client
  Distribution Point: TEM
  Control Point: TEM
  Advantages:
    • Runs on Windows Image supported by DOCS
    • Can be distributed by TEM (BigFix): no additional costs for distribution/control point tools
    • Application runs in a "container" and does not conflict with other applications on the image
  Disadvantages:
    • No Macs
    • Additional MDOP per FTE per year costs
    • Limited targeting and reporting functionality with TEM
  Cost: Support* + MDOP Cost**. Total forecasted cost: 4.2K for licenses. Potential additional DOCS/admin labor cost (TBD).

B-2: AppV with SCCM
  End Point: AppV Client
  Distribution Point: SCCM/TEM
  Control Point: SCCM
  Advantages: all benefits of AppV, with the following additional benefits:
    • Managed and distributed via SCCM
    • Is scalable
    • User targeting using AD
    • Machine-based targeting
    • SCCM (management console + database) offered by the Windows team
    • SCCM can be used to address other campus needs such as machine inventory, Windows updates, management of XP mode machines, etc.
  Disadvantages:
    • No Macs
    • Additional layer of complexity with SCCM (support + training costs)
  Cost: Support* + MDOP Cost** + Infrastructure (2 Windows Team hosted VMs***). Total forecasted cost: 4K annually plus 4.2K for licenses. Potential additional DOCS/admin labor cost (TBD).

B-3: AppV Management Server
  End Point: AppV Client
  Distribution Point: AppV Management Server
  Control Point: AppV Management Server
  Advantages:
    • Windows Image supported by DOCS
    • True HTTPS application streaming (in the standalone version apps are not technically streamed)
    • Active package upgrades: when available, a newer version of the application downloads when the application is restarted
    • Reporting features: licensing/metering
    • User targeting using AD groups
  Disadvantages:
    • No Macs
    • Additional infrastructure components: AppV Management Server + SQL server
    • Additional training, setup and support costs
    • Can only be used for AppV streaming and management
  Cost: Support* + MDOP Cost** + Infrastructure (2 Windows Team hosted VMs***). Total forecasted cost: 4K annually plus 4.2K for licenses. Potential additional DOCS/admin labor cost (TBD).

C: vBox
  End Point: Oracle VirtualBox
  Distribution Point: (none listed)
  Control Point: (none listed)
  Advantages:
    • Open source
    • Cross platform: Macs and Windows
    • Patches and updates available
    • Option to select: Standard Windows 7 DOCS image (includes all enterprise applications) or "light" (Windows 7 OS + CalPlanning + CalAnswers + MS Office)
  Disadvantages:
    • No in-house knowledge or programmers
    • No published TEM patches; will need custom patching or will need to be patched at the end point
    • No central configuration management option
    • No scalability
    • Requires additional RAM for VMs
  Cost: (none listed)

* Support: creating, delivering and updating AppV packages

** MDOP Cost = $2.35/FTE

*** Windows Terminal Server (VMs) Cost per server = $1969.20

**** MS remote desktop services Cost = $15.16/FTE

Request for Feedback

  1. Is there another option we should explore?
  2. Of the options presented, which would be easiest to administer?
  3. We believe the chosen solution(s) must support Macs and Windows. Agreed?

Comments from Micronet

  • Multifire software for Macs is a possible solution (allows user to use an earlier version of Firefox 3.5.9 but still have Firefox 11 as the browser)
  • Would like to have an open reporting solution. PI need greater flexibility to access their financial information (interpret this to mean direct database access)
  • Vbox sounds intriguing
  • Commenter is curious if there are plans to replace these enterprise applications with something that isn't so dependent on particular browser versions.

The solutions presented in this document appear to address the symptoms of the problem without addressing the cause.

  • Commenter regularly uses Remote Desktop on my UCB laptop today to access services and it regularly fails to allow me to connect to my desktop environment, necessitating frequent hard reboots to my desktop and calls to IST DOCs to fix my remote desktop.

After a year of unsuccessful tickets to IST DOCS, I would oppose any attempt to require Remote Desktop use as a daily part of business.