Introduction of Depp Lianhua Desktop Cloud Solution

2.1 One-stop solution overview

One of the most important features of Depp Lianhua's desktop cloud products is "one-stop". Depp Lianhua provides customers with server virtualization software (VMS), desktop cloud virtualization (VDC) and thin terminal (aDesk) in It can help users reduce investment and operation and maintenance costs, and realize the deployment of virtual desktops more quickly.

Thin terminal aDesk: small and exquisite appearance, using ARM architecture (A9 chip) and Android system, strong performance and fast processing speed. Compared with the thin terminal of X86 architecture, it has lower energy consumption, higher long-term running stability (no heat dissipation), and simplified operating system, which can achieve zero maintenance. At the same time, using peripheral redirection technology, it is compatible with various peripherals in desktop applications.

Virtual desktop controller VDC: It mainly implements user access authentication, fine-grained policy control, unified monitoring and management of virtual desktops and thin terminals, and delivers Windows desktops at a lower cost, safer, and more reliable. It supports hardware VDC and software VDC (deployed on a virtual machine) has two deployment modes.

Server Virtualization Software (VMS): The bare metal structure is directly installed on the physical server, providing a virtualized computing platform with strong performance and high reliability, enabling rapid deployment of virtual machines, resource management and monitoring, dynamic online migration, data backup and Recovery, etc., provides advanced capabilities for cloud desktop workloads, supports large-scale deployment and is easy to operate.

2.2 List of main functions

2.3Multiple desktop delivery types

u Exclusive desktop: Based on server virtualization technology, an independent virtual machine (installation of Windows XP, Windows 7 and other desktop operating systems) is allocated to each user on the server, and each user's desktop has independent and complete desktop use and control rights. Users can remotely access their own virtual machines (desktops)。

Applicable scenarios: For users who are allowed to install software independently and have relatively complex application environments (such as R&D, sales, marketing, leadership, etc.), the exclusive desktop can provide a personalized Windows desktop experience. Meet daily personalized office needs。

u Shared desktop: Multiple user sessions share the Windows Server desktop environment running on the server. Each user's desktop is locked and standardized, and can access a pre-installed set of core applications, but cannot install software or change the desktop independently configure。

Applicable scenarios: For users who need to use desktops and do not allow self-installation of software (such as counter business, data entry, process operations, production lines, etc.), shared desktops can provide standardized desks to meet standard office needs。

u Virtualization application: user session sharing and application multi-instance functions based on server operating systems (such as Windows Server 2003, Windows Server 2008, Windows Server 2012), allowing multiple users to connect to the same application remotely at the same time, users can have Individual application data and shared use of the same set of isolated applications。

Applicable scenarios: For users who do not need to use desktops and have a small number of applications (for example: public inquiry machines, etc.), virtual application technology can directly deliver the required applications to users, and access them through various devices to meet task-oriented office needs。

2.4Summary of program value

1. Operation and maintenance costs are greatly reduced

The application of the desktop cloud will greatly reduce the later operation and maintenance costs. After adopting the templated deployment method, a new desktop user can be delivered and used in about 10 minutes, and the troubleshooting and repair time of faults is greatly reduced. , IT administrators who can only manage 100 terminals can now easily manage thousands of virtual desktops. Conservative estimates, including the cost of equipment replacement and operation and maintenance, the total IT cost of 5 years can be saved by more than 40%。

2. Energy saving and noise reduction, green office

The power consumption of a traditional PC is about 190W per hour, while the power consumption of a thin terminal is only 10W. Taking the deployment scale of 1,000 units as an example, it is calculated at the industrial and commercial electricity price of 0.75 yuan per kilowatt-hour of power on for 10 hours a day, 240 working days per year, and even if the electricity cost of the new servers in the data center is included, 1,000 units Replacing a PC with a thin terminal can save at least 250,000 yuan in electricity bills every year.

*The average cost of electricity for industrial and commercial use in China is calculated at 0.75 ￥/kWh.

3.Protect the security of information assets

The desktop cloud centrally stores all data in the data center, and front-end devices such as notebooks and thin terminals only receive images, and the data does not fall during the entire business process, ensuring security. The centralized deployment method is also more conducive to the unified management of information assets by the IT department. Not only that, the desktop cloud can easily establish multiple logically isolated networks within the organization to meet the needs of different types of business.

4.  Desktop portable office mode

Adapting to the trend of mobile informatization construction, users can access their personal desktops at any time, at any place, and through any terminal, with the permission of the policy, so that the desktop can really go anywhere, and desktop operations on any terminal can be performed on another. Continue to work in one terminal, and work will not be interrupted due to changes in the place, thereby improving the work efficiency of employees。

2.5Introduction of program advantages

þ  A complete series of cloud solutions: covering the three major links of thin terminal, virtual desktop controller VDC, and virtual machine management software VMS, the industry's most comprehensive solution, the best compatibility, the most cost-effective, provides a more streamlined and secure solution for IT. methods to manage users and provide on-demand access to agile desktop services.

þ  Excellent user experience: Performance tuning is performed for various application scenarios, and the efficient transmission protocol SRAP increases the speed by more than 6 times, reduces the access bandwidth to a minimum, and achieves the same access experience as traditional PCs. And the use of the built-in high-definition video protocol processor of the thin terminal ARM architecture can smoothly play 1080P high-definition video.

þ More comprehensive security protection mechanism: up to 8 kinds of identity authentication methods can be freely combined to ensure user access security, comprehensive encryption algorithms to ensure transmission security, flexible access control for centralized authentication, data storage encryption to ensure personal data security, and ultimately to achieve end-to-end security. End-to-end desktop cloud security protection.

þ  Centralized WEB management mode: Only two components (VDC and VMS) are required for the construction of the entire solution. Compared with other manufacturers in the industry, it has the fewest deployment components, and can provide a centralized and single remote operation and maintenance mode, which improves the deployment efficiency of virtual desktops. Ease of use and maintainability.

þ  Professional localization service model: The only domestic manufacturer with independent research and development of a complete virtualization product system, with a large-scale development team in China, which can quickly respond to user needs; more than 40 offices nationwide provide localized technical support and after-sales service The system is perfect.

Chapter 3 Overall Architecture Design of Desktop Cloud

3.1 The overall architecture of Depp Lianhua Desktop Cloud

Multiple desktop servers (X86 servers) are deployed on the server side, and advanced features such as testing tiger to HA and migration need to use independent disk arrays to store virtual machines and data (supports iSCSI, FC, NAS), and one or more additional Virtual desktop controller VDC (supports asymmetric cluster deployment). Of course, the VDC also supports software deployment. Create a virtual machine on the desktop server for deployment (import the software VDC image and use it), and deploy the VDC on the switch in one-arm mode. in (as shown). At the same time, in the infrastructure, AD domain controller and DHCP server are also required (if there is an existing domain controller DC/DNS/DHCP, the existing server can be used). AD domain controller is mainly used for linkage authentication, and can also be used Local authentication (adding the user name and password directly on the VDC), and the DHCP server mainly automatically assigns IP addresses to thin terminals and virtual desktops.

3.2Components and Modules Introduction

3.2.1AD/DHCP server

The Active Directory (AD) server provides standard LDAP directory services. The VDC supports linkage with AD and is responsible for user authentication and automatic permission import.

DHCP is the abbreviation of Dynamic Host Configuration Protocol (Dynamic Host Configuration Protocol), its role is to automatically assign IP addresses to thin terminal and virtual desktop users.

3.2.2Desktop Servers and Disk Arrays (VMS)

Install server virtualization software (VMS) on each desktop server. VMS is a bare metal structure, no host operating system is required, and the wizard-style installation process is simple and easy to operate. It can build a powerful, highly reliable, and highly scalable virtual machine operation and management platform for cloud desktop solutions to achieve dynamic allocation of physical resources, rapid deployment of virtual machines, monitoring and management. Since the backend is deployed with independent storage devices, virtual machines and user data are stored on the disk array, and the high availability of the server can be guaranteed through HA and migration technology.

3.2.3Virtual Desktop Control VDC

The hardware VDC (such as VDC-2500) is deployed in the network in one-arm mode, or the software VDC (image import virtual machine) is deployed on the VMS virtual machine platform. It mainly provides functions such as user creation and authentication, resource access control, and desktop monitoring and management. VDC simplifies the management, provisioning, and deployment of cloud desktops. Users can access cloud desktops safely and conveniently through VDCs, and IT administrators can effectively manage data. Hundreds or even thousands of desktops, saving time and resources.

3.2.4Terminal Equipment

Support PCs, notebooks, thin terminals, iPads, iPhones, Android phones or smart terminals to access virtual desktops;

Support Windows 7 (32-bit and 64-bit), Windows XP (32-bit), Windows 8 (32-bit and 64-bit), Windows XPE, iOS, Android and other client operating systems.

3.3Server Cluster Design Ideas

As shown in the figure above, by installing server virtualization software (VMS) on each X86 server, the VMS software can provide the highest availability for the cloud desktop platform. Not only is the configuration method simple, but also third-party cluster software is not required, so the cost is lower. . The HA configuration of VMS adopts the one-click mode. After the HA function is quickly turned on in the console interface, all or some servers can be formed into a high-availability architecture. Whether it is an unplanned downtime or a server failure, this architecture can provide the highest level of service availability.

The VMS HA mechanism guarantees service availability in the following ways:

ü Continuously monitor the running status of virtual machines and servers without installing other software in the virtual machines;

ü After a failure is detected, restart the virtual machine on other normal hosts in the cluster to prevent server failure;

ü Incorporates automatic scheduling of VMS resources to prevent failures and provide load balancing among hosts within a cluster.

Of course, if a physical server needs maintenance, the virtual machines on the server can be dynamically migrated to other servers without interrupting the service, and administrators can quickly and completely perform transparent operation and maintenance.

3.4 Detailed explanation of DAPU SRAP protocol technology

Dapu Lianhua launched the SRAP efficient delivery protocol designed for the aDesk desktop cloud solution to quickly provide users with a "high-definition desktop experience". The technical protocol framework can improve the transmission efficiency by more than 6 times compared with the traditional RDP protocol. SRAP adopts adaptive adjustment, efficient algorithm, intelligent optimization and other technical means, which can dynamically optimize the end-to-end delivery performance in real time to adapt to various application scenarios, whether it is ordinary office applications or multimedia applications such as voice and video. Self-developed innovative technologies can comprehensively improve user experience.

As a brand-new virtual delivery protocol, SRAP essentially adds a SRAP module to the server to implement a protocol proxy, and the SRAP client and its delivery process are optimized in terms of speed and experience. The DP-Link SRAP protocol is oriented to a variety of virtual desktops and application types. It provides a user experience comparable to or even better than traditional PC software through data forwarding control, data compression, caching and filtering. Depending on the unique situation of the usage scenario, the best optimization method can be adopted to adapt to environmental changes and further improve the user experience.

Efficient and intelligent optimization methods

The SRAP virtual protocol technical framework mainly works together through four optimization methods: efficient stream compression, intelligent cache optimization, dynamic image filtering, and multimedia redirection. Manually and automatically adapt to various user scenarios to provide the best desktop experience, and support smooth playback of 1080P high-definition video.

Comparison of ordinary office effects

For ordinary office environments such as business halls, intranet offices, dispatched branches, and production workshops, users need to access various OA, ERP and other applications through the desktop cloud, and open PDF, Office and other documents.

Through actual tests in different office environments (local area network and Internet), we found that when optimization methods are not used, the operation of PPT switching on the virtual desktop will have problems such as slow display speed and incomplete images.

(PPT switching effect comparison chart)

After the SRAP protocol optimization function is enabled, in the case of high network delay and serious packet loss, a smooth desktop operation experience can still be guaranteed. Users can work efficiently in both the LAN environment and the Internet environment.

(SRAP Optimized Data Analysis)

Note: 1. Traffic unit Byte; 2. Compression factor = total amount of data / amount of data after SRAP optimization.

HD video playback effect comparison

In addition to common office scenarios, for call centers, multimedia training rooms/classrooms, Internet browsing and other application scenarios, users also need the desktop cloud to provide a smooth voice and high-definition video experience.

(Comparison of video playback effects)

The traditional playback method using server-side decoding is as shown in the picture above before optimization. There will be problems such as blurred video, missing video frames, out-of-sync audio and video, and high bandwidth usage, and it is basically impossible to watch videos normally. Dapu Lianhua innovatively proposes multimedia redirection technology, adopts advanced encoding and streaming media technology, sends the compressed and encoded streaming media to the terminal on the server, realizes local playback through software and hardware-based processing capabilities, and improves multimedia Playback performance, can play 1080P high-definition video smoothly.

In general, the SRAP framework independently designed by Depp Lianhua continues to provide users with a high-definition desktop experience in an intelligent and adaptive mode. The high-definition desktop operation experience meets the access requirements of end users, and promotes the actual implementation of desktop cloud technology solutions among enterprise-level users.

Chapter 4. Software and hardware requirements of desktop cloud solutions

4.1 Selection basis of server storage

The selection of desktop cloud hardware mainly considers four factors: CPU, memory, hard disk capacity, and IOPS (the number of read and write operations per second). Therefore, we must first determine the resource consumption of a single-user virtual machine (such as a CPU with a frequency of 1.5GHz). , 4G memory, 50G hard disk space, 25 IOPS), and then superimpose the resource occupation of all virtual machines to match one or more physical servers.

In order to obtain a better reading and writing experience, it is recommended to follow the design principles of small capacity and large number when selecting hard disks. Multiple hard disks can improve IOPS; if the scale of concurrent users is large, it is recommended to use independent storage devices. On the one hand, the guarantee is high. Availability, on the other hand, independent storage devices can accommodate more hard drives and have better overall performance. In addition, multiple hard disks in the server generally need to be configured with RAID mode. RAID10 is recommended, which has the best IOPS performance and high data reliability.

The first step of selection: clear application scenarios

Analysis: Due to the high configuration of the computer, there is no need to distinguish between different application scenarios, and basically all of them can meet the needs. However, the purpose of building virtual desktops is to make full use of resources and save investment costs. Therefore, when selecting models, as long as they are "enough", it is necessary to distinguish different application scenarios. The performance consumption of ordinary office scenarios and R&D center scenarios is absolutely Different. For some task-based workplaces, such as service halls and public inquiry machines, the light-load model is sufficient. However, if it is a typical office scenario and the Internet is required, the medium-load model needs to be selected. Of course, if it is a development-related scenario, That must use the overloaded model.

The second step of selection: distinguish the resource allocation principles of different load models

Analysis: Virtual machines with different load models occupy different resources. The data in the table above are the recommended parameters of a single virtual machine in each load model. For example, in a typical office scenario, it is recommended to choose a medium load model, and the corresponding single virtual machine parameter is 1200MHz. Main frequency CPU, 2G memory, 15 IOPS and 50G storage space. Of course, user scenarios may have both medium-load models and light-load models, so these parameters can be superimposed, for example, 20 medium-load virtual machines and 30 light-load virtual machines. The superimposed results are as follows:

CPU: 20*1200MHz+30*800MHz=48000MHz (48GHz), if one 8-core CPU (clocked at 3.0GHz), at least two CPUs (3.0Ghz*8=24GHz) are required

Memory: 20*2G+30*2G=100G, if 1 memory is 16G, at least 7 memory is required (16G*7=112, Note: The memory must be an even number, that is, 8 memory is required here)

IOPS: 20*15IOPS+30*10IOPS=600IOPS, if the IOPS of one hard disk is 80, at least 8 hard disks are required. Of course, we recommend 10 hard disks to maintain redundancy, because concurrent operations of users consume a lot of IOPS, by increasing The number of hard disks can improve the user's reading and writing experience

(Note: Calculated based on the IOPS capability of raid10, when the read and write ratios account for 50% each, 3/4 of the total IOPS is the actual value. For example, the IOPS of 10 hard disks is 800, then the actual total IOPS is calculated as 600. In addition, the raid card must have a cache, at least 1G is recommended, no cache is fatal to IO performance consumption.)

Storage capacity: 20*50G+30*50G=2500G, the server hard disk has better quality, higher performance and higher price than the computer hard disk. Therefore, it is recommended not to allocate 300G or 500G hard disk to each user according to the computer parameters, so the overall construction cost will be reduced. It is relatively high, and it actually meets the storage of daily office files, 50G is enough.

4.2 Capacity estimation and performance analysis

In terms of physical server selection, the desktop cloud platform construction project for 200 users of XXXX Company includes 50 shared desktop users (for production line office work) and 150 exclusive desktop users (for daily office work, no design software). A total of 5 servers are designed in this solution, 1 dual-channel 4-core, 32G memory, 4*1T hard disk, for deploying shared desktops; 4 dual-channel 8-core, 128G memory, 2*1T hard disk, for deploying independent Share desktops (each server supports 50 XP or W7 virtual desktops, one of which is used for redundancy). In addition, it is recommended to choose a low-profile server (single-socket 4-core, 16G memory) for the AD/DHCP server, which can also be directly deployed on the virtual machine of the VMS platform.

In terms of storage device selection, shared desktop users directly use the server's local hard disk, exclusive desktop users use external independent storage, and each user is allocated a 50G data disk, so at least one storage device (dual-controller, 4-port\control block, FC, 10K SAS 900GB*18, 4GB cache/control block, array raid10).

Bandwidth requirements: In a typical office scenario without video viewing, the traffic per user is about 200Kb; if high-definition video is played, it requires 1Mb~2Mb (depending on the bit rate). Therefore, if you access the cloud desktop on the intranet, you can use a 100M or Gigabit switch to connect the thin terminal to meet the traffic requirements. However, if you access the cloud desktop on the Internet, you need to superimpose the traffic according to the number of concurrent users to evaluate the final required bandwidth. Capacity, for example, in this project, 30 concurrent users access the cloud desktop from the Internet, and the recommended bandwidth is 6Mb.

4.3 Configuration Parameters of aDesk Desktop Cloud Solution

4.3.1capacity planning

Note: This value is a conservative estimate, and the standard parameters are output after evaluation by Depp Lianhua。

4.3.2Hardware and software list

Chapter 5, Analysis of Highlights of Products

5.1 Good user experience

5.1.1 HD Video Experience

Depp Lianhua's desktop cloud solution allows viewing or editing images and multimedia information in virtual desktops, and can support 1980*1200 resolution and 32-bit color desktop display. In addition, the traditional desktop virtualization solution mainly uses the server to decode and play high-definition video, and then transmit the changing image to the front-end display device frame by frame, but this method requires high server performance and takes up bandwidth resources. Ineffective. Depp Lianhua proposed audio and video redirection technology to encode and compress 1080P high-definition video streams on the server, and then directly transmit them to the front-end equipment, and use the high-definition video processor and local decoding technology to play high-definition video smoothly. Bring a great video viewing experience.

5.1.2 Efficient SRAP Protocol

Cloud desktops need to be delivered to front-end devices through the network, and the most important part is the desktop delivery protocol. Developed in 2011, the SANGFOR SRAP protocol is specifically designed for efficient delivery of virtual desktops or remote applications, meeting the needs of low-bandwidth transmissions with optimal peripheral compatibility. The SRAP protocol mainly improves transmission efficiency by more than 6 times through optimization technologies such as efficient streaming compression algorithms, lossy compression, image cache matching, dynamic content recognition filtering, and intelligent compression for text and image recognition. The minimum bandwidth requirement is only 20~30K/s, and it can still be used normally in a network environment with high packet loss and delay, ensuring the user's desktop experience to the greatest extent.

5.1.3 Single sign-on technology

Customers may use multiple virtual applications or Windows virtual desktops, and each application system or desktop system will have separate authentication measures. Generally, multiple authentications are required to work normally, which is very tedious and error-prone. , affecting work efficiency. In order to improve the satisfaction of end users, Dapu Lianhua introduced the single sign-on technology. After passing the strict VDC authentication, there is no need to re-authenticate virtual applications and virtual desktops. The "one-click" mode is used to open the operation interface of desktops and applications. . Currently, it supports BS and CS-type remote applications and the single sign-on function of Windows virtual desktops, realizing multi-system and multi-desktop integration, avoiding the tedious operation of repeatedly entering accounts or passwords, and improving employee work efficiency and operational satisfaction. At the same time, for virtual applications that have enabled single sign-on, the user can set the single sign-on account and password for these applications in the personal settings after successful login, and the set data will be transmitted in an encrypted way. It is invisible to administrators to ensure the security of user accounts.

5.1.4 Automated Desktop Deployment

In the DHCP environment, users using thin terminals can quickly access the cloud desktop without guidance, realizing a plug-and-play terminal operation experience. In addition, compared with a series of tedious and complicated processes such as hardware procurement, system installation, desktop operation and maintenance, etc. before the traditional PC goes online, after the desktop cloud platform is deployed, administrators can quickly and automatically create new software through virtual machine templates. Users derive virtual desktops, and administrators can not only view the CPU, memory, and disk details of the user virtual machine on the console, but also perform power level operations such as power-on, shutdown, suspend, and restart of the user virtual machine. When a user's virtual machine fails, the administrator can quickly replace it with a new virtual machine template, or remotely access the user's virtual desktop on the console to assist in dealing with system failures.

5.2 Optimal flexibility

5.2.1 Extensive terminal support

Users can access their own personal virtual desktops through any terminal device, and can realize the terminal migration function, switch between multiple terminals, without affecting the original desktop operation behavior, and truly make the desktop portable. Currently supports PCs, notebooks, thin terminals, iPads, iPhones, Android phones or smart terminals to access virtual desktops; supports Windows 7 (32-bit and 64-bit), Windows XP (32-bit), Windows 8 (32-bit and 64-bit), Windows XPE, iOS, Android and other client operating systems.

5.2.2 Rich desktop types

Employees in different scenarios and positions need different types of desktops. DP Lianhua provides a variety of different types of virtual desktops through SRAP delivery technology to meet the diverse desktop needs of users, as follows:

Shared desktop: Utilize the multi-user session sharing function of the server operating system to allow multiple users to remotely connect to the same operating system at the same time, and provide each user with a different desktop, users can have their own desktop configuration and personal data, and share The same complete desktop system; a standardized desktop office environment, which can provide a set of core applications, suitable for task-oriented employees who do not need (not allow) personalized installation software or do not have independent desktop control rights, such as office halls, functional offices, Production lines, training centers, etc.

Remote application: Utilize the user session sharing and application multi-instance function of the server operating system to allow multiple users to remotely connect to the same application at the same time, users can have their own application configuration and personal data, and share the same set of applications; specific It is suitable for employees with a small number of applications, who only need to operate certain types of software during daily office work, or employees who need mobile office, such as business halls, production lines, sales departments, and management mobile office.

Exclusive desktop: Remotely accessible desktop based on server virtualization, that is, the server can automatically assign a virtual machine to each user according to the template (installation of Windows XP, Windows 7 and other desktop operating systems, and each exclusive desktop is isolated from each other) , users can remotely access their own virtual machines and have independent and complete desktop use and control rights. It is suitable for desktop users who have personalized system requirements and high performance requirements. Of course, deploying exclusive desktops requires relatively high server and storage resources.

No matter how diverse user application scenarios and user needs are in the enterprise, through SRAP delivery technology, a suitable technology can always be found to meet the needs of various scenarios and users. IT departments can deliver a wide variety of virtual desktops – each customized to meet the performance, security and flexibility requirements of each user.

5.2.3 Bus Mapping Technology of Peripherals

The Depp Lianhua desktop cloud solution allows peripherals to be connected to the terminal, peripheral drivers are installed on the server, and then various peripherals can be used like a local desktop, although the virtual desktop is running on the server. Through the bus mapping technology, a dedicated tunnel is constructed between the terminal connecting the peripheral interface such as USB or serial port and the virtual desktop on the server, which is used to transmit the control commands of various peripheral devices, which can support scanning guns, scanners, cameras, Password keypad, second-generation ID card reader, tablet, printer mapping, USB-key and other common bus office equipment, and maintain isolation between sessions. In addition, Depu Lianhua launched a proprietary virtual printing technology. By selecting the SANGFOR virtual printer on the server side, files can be printed on the local printer on the client side, and there is no need to install a local printer driver on the virtual machine on the server side.

5.2.4 Intelligent switch machine

The intelligent switch machine can truly realize the automatic control of the user's virtual desktop on and off. Even if the thin terminal is closed, the user may forget to close the virtual machine located on the server. At this time, the function of automatically closing the virtual machine can be realized, thereby saving the hardware resources of the server. At the same time, through the built-in timing boot function of the software, you can specify to start a personal virtual machine at any time, and the user virtual machine can be automatically scheduled to a server with sufficient resources when it is turned on. On the one hand, this technology can avoid IO storms and speed up the system. Logon time, on the other hand, simplifies the operation steps for users to access virtual desktops through automation technology, allowing users to experience simple and convenient desktop operations.

5.3 End-to-end security design

From the perspective of preventing illegal users and malicious system administrators, virtual desktops carry out all-round security protection to ensure high security of users and data accessing virtual desktops. The aDesk desktop cloud solution of Dapu Lianhua integrates rich VPN security features. The security measures adopted by each layer are as follows:

5.3.1 Terminal Security

The thin client is based on Android OS, and the thin client has no local storage. It can be said that data is always stored in the safest place. When users access virtual desktop resources, terminal security is ensured through legal authentication, USB flexible and controllable policies, application policy-based control, and restoration mode.

− Integrate identity authentication mechanisms such as local authentication, SMS authentication, dynamic token, digital certificate, and third-party authentication, and multiple identity authentication methods can be freely combined to ensure the uniqueness of the access user;

− Set USB port usage rights based on flexible policies, such as whether to allow the use of USB devices (including printers, scanners, etc.), and flexibly control the one-way usage rights of USB hard disks (for example, only allowing access to the terminal to copy data to the virtual desktop, not allow desktop-to-terminal data copy);

− Policy-based access control: Appropriate access rights can be assigned to users, networks, services, devices, systems, etc. through associated policies. Support the client security check function, which can specify the user's access control strategy according to the system version, access IP, access time, installation and update of anti-virus software, etc. of the client's access terminal;

− The desktop is restored to the original state when the desktop is logged out. In this mode, except for some specified directories, the operations performed by the user will be restored after restarting. After the template is upgraded, the virtual machine reopened by the user contains the contents of the template upgrade, which can reduce the risk of terminal poisoning.

5.3.2 Transmission Security

Through VLAN isolation, and built-in enterprise-level firewall module for stateful ACL access control, HTTPS encrypted transmission is used when administrators log in, and transmission encryption is used for users to access virtual desktops to ensure business operation and maintenance security.

− Only image changes and instruction information are transmitted between the terminal and the virtual desktop, and actual data is not directly transmitted.

− IP and service-based access control policies can be implemented for encrypted transmission channels to reduce abnormal traffic transmission, and support isolation control of different sessions on the same transmission channel, including storage sessions, virtual printing sessions, bus mapping sessions, etc., thus improving transmission flexibility of the channel;

− By encrypting the entire traffic from the terminal to the virtual desktop, man-in-the-middle attacks are avoided. Currently, it supports AES, DES, 3DES, MD5, SHA, DH, RSA and other algorithms, and supports the expansion of other encryption algorithms such as SCB2 (SM1). ensure the security of communications;

− An enterprise-level firewall module is built into the desktop cloud access platform, which provides stateful packet filtering and basic security protection for the entire platform through flexible ACL access control policies and DDoS settings.

5.3.3 Platform Security

The security of the virtualized infrastructure (VMS) is related to the stability and data security of the entire virtual desktop access. This solution first meets business stability requirements through high-availability design, and then implements virtual machine isolation, data disk encryption control, and management. Security mechanisms such as user authority refinement ensure the security of user data.

− In the case of exclusive desktops, each user has an exclusive virtual machine, and the isolation of CPU scheduling, memory, network access, disk IO, and storage space is realized through the underlying mechanism of VMS, and the failure and security problems of the user's virtual machine will not affect other users, to ensure isolation and security between virtual machines;

− Each user is allocated a personal data disk to store documents. When the user migrates to the virtual desktop usage mode, all data is centrally stored in the data center. Therefore, by encrypting and storing personal data disks, other users, including administrators, cannot access them, which can ensure the personal stability and security of users;

− Different administrator roles, grant appropriate jurisdiction, and save operation logs. Support hierarchical management rights, including the upper-level administrators have the right to operate the configuration behavior of lower-level administrators, but not on the contrary; support upper-level administrators to authorize virtual desktop resources to lower-level administrators.

Through the end-to-end and multi-faceted security mechanisms of terminal security, transmission security, and platform security, it is possible to improve the protection of user access security, data security, management security, virtualization security, infrastructure security and other construction links. Cope with the security threats and challenges faced during the construction of virtual desktops.

5.4 Lowest overall IT cost

5.4.1 Thin Terminals with High Efficiency and Low Energy Consumption

The Depp Lianhua aDesk thin terminal is an ideal desktop device. It is small in size, operates without noise, consumes only 10 watts of daily power, and is economical and environmentally friendly. aDesk allows connecting to the SANGFOR virtual desktop platform anytime, anywhere, not only to obtain the same access experience as a traditional PC, but also to provide reliable security; at the same time, central management and control through the virtual desktop controller VDC greatly simplifies the management of aDesk thin terminals.

Depp Lianhua aDesk thin terminal is suitable for a variety of office scenarios in the financial, operator, enterprise, government, education, medical and other industries. Troubleshooting, software installation and system upgrade are all completed on the server side, which improves security and management. Convenience, and save a lot of IT investment for enterprises.

5.4.2 Memory page merge technology

In the desktop cloud construction plan, the server investment accounts for a large proportion, and the saving of hardware resources can reduce the investment cost of the whole set of solutions and better promote the implementation of the cloud desktop application model. Therefore, Depp Lianhua innovatively proposed memory page merging technology, because we found that a server hosts dozens or even hundreds of user virtual machines, but these virtual machines have the same read-only memory pages, such as operation The system executes code, etc., for the same page, the memory page merging technology of Depu Lianhua realizes the sharing of memory areas, so as to maximize the efficiency of memory, save the physical memory space of the server, and improve the deployment density of user virtual machines. The actual test data shows that this technology can save at least 20% of server costs.

5.4.3 Mirror separation and IO acceleration

       Under normal circumstances, each user's virtual desktop and personal data occupy an exclusive storage space. In fact, everyone may use the same set of Windows operating systems, and it is nothing more than different applications and personal data. Therefore, Depp Lianhua aDesk desktop cloud solution converts operating system images and personal data (including applications

As shown in the figure above, the virtual machine management software VMS is installed on each X86 server, and the VMS software can provide the highest availability for the virtual desktop platform. Not only is the configuration method simple, but also third-party cluster software is not required, so the cost is lower. The HA configuration of VMS adopts the one-click mode. After the HA function is quickly turned on in the console interface, all or some servers can be formed into a high-availability architecture. Whether it is an unplanned downtime or a server failure, this architecture can provide the highest level of service availability.

The VMS HA mechanism guarantees service availability in the following ways:

ü Continuously monitor the running status of virtual machines and servers without installing other software in the virtual machines;

ü After a failure is detected, restart the virtual machine on other normal hosts in the cluster to prevent server failure;

ü Incorporates automatic scheduling of VMS resources to prevent failures and provide load balancing among hosts within a cluster.

Of course, if a physical server needs maintenance, the virtual machines on the server can be dynamically migrated to other servers without interrupting the service, and administrators can quickly and completely perform transparent operation and maintenance.