Always amusing when I see on social media “Is this year going to be the year of VDI?” Which has been going back a lot of years already? The issue with VDI projects back in the day (Starting to write like an old guy…) was that the architecture and storage didn’t quite scale to that extent since VDI projects were heavy when it came to resource usage, and therefore launching a successful VDI project was difficult of course there weren’t a lot of good products in the market as well. I don’t know how many blog posts and reference architectures I looked at about “scaling and designing VDI”, “How to scale VDI for IOPS” etc.. The first uprising in VDI projects started when the new players in the software-defined market came along and changed the market with its hyper-converged infrastructure made VDI projects a lot easier in terms of performance and more players in the VDI space as well. Now I’ve seen large reference VDI projects from most of the different hyper-converged / software-defined players in the market and also seeing more and more VDI deployments leveraging the cloud as well since you have the economics which can make it suitable for many use-cases. So is 2018 going to be the year of VDI? Not gonna happen! My personal opinion is that the year of VDI is not going to happen this year as well. I believe that the VDI ship has sailed, and moving forward more and more SaaS-based services are going to replace the windows based applications at a much faster rate. There is, of course, going to be a need for a VDI solution to deliver applications for a long time to come, but we need to look away from VDI solutions and focus more on application delivery (and not just windows based)
However, the key moving forwards it to be able to deliver all these applications in a single unified manner. Combining all those Windows-based applications, Linux based applications, those sloppy web-based apps which have their own authentication mechanism or using Basic Web authentication. Also to deliver those modern web applications which support open authentication mechanisms such as SAML and OAuth. The key is also to have a single security plane as well to control access and maintain security to these applications and also have a single source of truth for identity as well.
Handling security in a Cloud-based scenario such as with Google Gsuite or Office 365 also requires more investment into the different CASB products such as Microsoft 365 with Cloud App Security to allow integration directly with the cloud providers. So is it actually possible to build this type of unified application delivery platform? We are pretty close, so what kind of products do we need?
There are multiple identity solutions that can be used, most tend to look at the cloud-based identity sources such as Azure AD and Google Identity since they are proven for scale and have advanced functionality both to setup federation/trust but also a rich ecosystem which allows for building new applications which support these are identity sources. Both have a lot of built-in mechanisms to handle authentication such as SAML and OAuth. Azure AD, however, has a bit more security features built-in compared to Google at this time. There are also other solutions which provide these built-in authentication solutions such as Ping Identity, Okta, and One Identity. For on-premises deployments, we also have VMware identity manager. This depends on where you want the identity source to be located. Of course, vendors such as Ping, Okta and One identity are companies which only focus identity field and have proven products for that purpose.
Application Delivery Platform:
Here we also have a couple of solutions which can deliver both Windows/Linux applications from a single platform, such as Citrix XenDesktop and VMware Horizon. Both of these platforms support LDAP/AD but also other authentication mechanisms such as SAML to support user-based authentication from end-user to backend. This allows us to for instance authenticate against XenDesktop or Horizon using any of the identity sources listed above.
This is of course to handle traffic and proxy connections with authorization rules against internal resources such as on-premises web applications which only supports basic web authentication for instance or to handle traffic to a backend VDI or RDS host. Both Citrix NetScaler and VMware Identity Manager can handle authentication mapping from SAML to for instance basic web authentication, both different in terms of function since NetScaler is more an advanced beast since it is a network application focusing on ADC but has advanced functionality to handle authentication and authorization while Vmware Identity Manager is more aimed at handling user lifecycle management and application access. VMware has traffic flow through its Unified Gateway. But also the online identity providers can also handle traffic against Basic Web applications. Microsoft also has Azure Active Directory App Proxy which allows authentication and traffic flow against on-premises web applications using Kerberos for instance.
Identity is the new firewall, which makes even more sense in this type of environment where we cannot control the end-users traffic and therefore we need to make sure there are security mechanisms in place to ensure data confidentiality. Only Microsoft of the large vendor has a solution which falls within the CASB (Cloud Access Security Broker) domain to handle connections and activities done against a SaaS product. The product Cloud App Security is now tightly integrated within Azure AD as well. VMware and Citrix have some policies controls which determine what kind of activity an end-user can do within a Terminal server environment and conditional access on the device connecting, but they do not have any functionality to control what a user can do within a SaaS service. Of course, controlling the user and what the user does is only a small part of the puzzle, we also need to be able to control to an extent, how the endpoint is which the end-user is using as well. Most all vendors Citrix, VMware, Microsoft, and Okta have MDM solutions which allow us to make more advanced authentication rules to determine if an end-user should have access to a business critical application from certain endpoints. Microsoft and VMware both have Conditional Access rules where we can build a solution to ensure that device is compliant before gaining access to an application or system.
Unified Application Portal:
There are multiple portals which we can utilize which can expose all these different applications from multiple sources, however we will be taking a closer took at those from Citrix, VMware and Microsoft.
Azure AD My Apps:
My Apps in Azure is directly integrated into Azure Active Directory and can expose applications which have been added to Azure AD. This can also be Office365 which also has its own App Launcher solution which reflects and shows the same application. It can also add other 3.party applications using SAML (Citrix and VMware can be added here but just as a hard link) but VDI desktops cannot be shown directly here. Azure also has support for an internal web application using Azure AD application proxy which can publish internal web applications and supports SSO using Kerberos and NTLM. The good thing is that this also integrates directly with Office365 så applications can be shown directly to the end-users App Launcher. Of course that we can protect access using Azure MFA and Azure Conditional Access which can now be integrated into Cloud App Security.
Workspace One is a combination of VMware Identity Manager, AirWatch Enterprise Mobility Management Suite, and Horizon which is running as a local server setup. The Workspace portal allows us to present out VDI/RDSH Desktops and application combined with web-based applications using SAML, where can also protect resources using conditional access rules. And also VMware has its own MFA solution as well that be used to provide additional security on top. The advantage here is that we can present both Windows/Linux application and web application within a single portal and multiple security policies on top.
VMware Workspace One:
Citrix Workspace Services which is the future workspace portal from Citrix which will be able to serve both applications and data from the same UI. Which will be more similar to Office365 app launcher with Sharepoint data in it. A Similar setup is possible with Unified Gateway where we can present out Windows/Linux applications and desktop, SAML based applications using NetScaler as the SAML SP and RDP sessions using RDP proxy etc. Citrix also has the advantage of being able to deliver VPN solutions as well so it provides a strong range of different solution which can be presented from within the same portal.
Citrix Workspace / Unified Gateway:
So what does the workspace of tomorrow look like? I’m guessing that this is the product that many vendors are working towards solving or finding the secret ingredients.
With more and more business applications become more and more web-based there is no denying that the workspace will need to have tight integrations with modern SaaS products such as Google GSuite, Salesforce, Service Now, Workday, Office365 and such, but also be able to integrate with on-premises based applications on legacy systems such as Windows/Linux based applications and Desktop but also older internal web applications. The workspace will also need to have certain security policies in place such as conditional access to give a more granular approach to security when it comes to giving access to applications and or SaaS services. We also need to have certain security products backend as well to take control of the data and API access to the SaaS services to ensure compliance and so on.