Belits Computer Systems


Virtual desktops appliance server

Servers and desktop configurations in modern office networks

Most modern office networks are designed around the idea of independent users' desktop computers, with all means of data exchange and centralized setup bolted onto a traditional standalone desktop computer running a business or even a consumer version of Windows. In simple configurations all data resides on individual computers and is accessible through mutual file sharing.

More advanced configurations include servers that provide common storage, usually accompanied by an access policy that limits users' access to various files and directories. It is also common to use centralized servers for company email that often doubles as hierarchical document storage. Directory and configuration services such as Active Directory can centralize configuration and access control of the desktops in a common database, thus simplifying the management of a large number of desktops. In addition to the desktop-hosted applications there are usually some applications running on servers, providing their user interface through the web browser or some proprietary client, manipulating data stored in databases, or exchanging data with other systems such as computer telephony, inter-company services, customer-accessible web sites, etc.

Resource requirements for typical applications

The resource requirements for desktop computers in all of the above-mentioned configurations are very low, and they do not increase as the complexity of the office network and the tasks it performs grows. Centralized storage is usually larger and safer than local hard drives; complex business logic is handled by applications hosted on the servers; databases respond to complex queries, returning amounts of data that are nowhere close to the RAM sizes of the client computers. Large documents, email and occasional graphics work determine the true requirements for client computers' memory, CPU speed and hard drive sizes.

A separate kind of work usually performed on desktop computers does not fit into this pattern -- 3D CAD, professional graphics, sound/movie editing, scientific computations and computer games often require a significantly higher amount of resources, plus fast, hardware-accelerated low-latency 3D graphics. Most office desktops fall short of those requirements, and usually all CAD and graphics work is limited to graphics workstations, specialized desktop computers with more powerful (and more expensive) components.

In companies that have a small number of computers, and where locally resource-consuming graphics work is often performed on all of them, it makes sense to turn all desktops into graphics workstations -- either with professional-level components, or high-end consumer graphics cards and motherboards. However, this setup is not typical for most modern offices, where the work at the majority of workplaces involves document processing, use of server-hosted applications, possibly telephony and minor 2D graphics and media playback, but no 3D CAD or complex media creation.

So while a typical CAD or media workstation is often built to specifications around or higher than those of a home gaming PC (the typical design target for commonly produced components and systems) and costs $2,000-$4,000, office desktops can be $400-$1,000 minimal configurations, available from various manufacturers. As the development of technology progresses, low-end computers are produced with an increasing number of cost-saving measures that are useless or undesirable on workstations -- currently these are onboard graphics and sound, and cheaper low-end CPUs. In the future the gap in cost between "desktop" and "graphics workstation" is likely to widen as more cost-saving measures become available for the former. This fits the common usage pattern in large offices, where a large percentage of "desktop" work is never combined with "graphics workstation" tasks.

Malware and its impact on resource requirements and network operation

The above description, while realistic for many offices that implement safe computing practices, omits one component that often pushes up RAM and CPU requirements, and can even require the use of faster hard drives -- antivirus and anti-spyware applications, which became a mandatory part of the modern desktop configuration after the widespread proliferation of viruses, worms, and other forms of malware. Even versions specifically designed for corporate offices, which lack excessive user interface and intrusive self-update procedures, have components that reside on desktops and are responsible for scanning local storage, intercepting network responses containing known-malicious scripts, keeping track of configuration changes, blocking startup of malware that ended up on local or networked storage, etc.

CPU manufacturers went as far as to advertise multi-core and hyperthreading CPUs as being specifically good for running virus scans in the background with reduced impact on interactive office applications. Unusual RAM and hard drive interface usage patterns produced by antivirus software often create an impression of overall slowdown of applications, which is often remedied by suboptimal upgrades that increase the wrong resource. For example, excessive hard drive access, which can be remedied by changing the scanning schedule and/or moving storage to networked shares monitored by a centralized scanner on the server, is instead remedied by increasing the RAM size, because that would be the correct remedy for excessive swapping, which has similar symptoms. It slightly improves data caching yet keeps the overall access pattern unchanged.

The worst problem is that all those resource-consuming additions to the typical desktop configuration do not guarantee an effective defense against malware -- they reduce or eliminate known strains/products and their minor variations; however, new ones are constantly being created, remaining undetectable, or detectable but unfixable, for long enough to present a constant threat. Often the malware removal tools first come in the form of a standalone program, requiring manual startup and interaction on the infected computer. Centralized storage with server-side antivirus/antispyware and a strict access policy for executables can reduce the risk of cross-contamination; however, it can't prevent infection of the files and registry entries on the desktops. Since malware often bypasses normal system security, this happens even if the configuration policy is supposed to prevent it.

When malware successfully infects office desktops, the problem switches from prevention and detection to containment, damage control and recovery. In common configurations with little centralized control and no predefined reimaging procedures, recovery can be extremely tedious and may involve manual reinstallation of the OS and applications on tens if not hundreds of infected or suspected to be infected systems. In the best-case scenario, when all office desktops can be remotely re-imaged and users have all current data stored on the invulnerable servers, there is still the problem of locally installed applications that may have license requirements or copy protection mechanisms that prevent automated remote installation or inclusion in general-purpose recovery images. Even when system and network administrators wish to be prepared for this kind of disaster recovery, they are often faced with complex disk image creation and management procedures with manual steps, and those images quickly become obsolete when desktops are updated. The massive amount of work necessary to simplify eventual recovery quickly becomes unjustified given the random nature of successful infections.

Failures caused by hardware problems and user errors

Office desktops are usually used in environments that by themselves do not cause frequent physical failures, so even the cheapest desktop computers have a reasonably long average lifetime in those conditions. Nevertheless, some components are known to fail randomly (hard drives) or have a shorter than expected lifetime due to factors that users are usually unaware of (dust buildup in heatsinks, undiagnosed fan failures, etc.).

In a typical office setup users have sufficient access to the system configuration of their computers to be able to cause irreversible damage to the software configuration, and some end up causing it due to ignorance or convoluted configuration procedures that they may have to perform. When a hardware failure happens, the user usually gets a replacement desktop computer, pre-configured or installed with a standard image. If there was some locally stored data not copied to the server, it is lost or requires some complex data recovery procedure. Uniquely installed applications may have to be reinstalled as well; however, some of the configuration can be preserved through existing network policy/configuration mechanisms. When software is rendered unusable, the re-imaging procedure and its consequences are usually the same as after a malware infection or security compromise.

Virtual desktops

One solution that increases manageability and simplifies various kinds of recovery is placing applications on the server and reducing the desktop computer to the role of a client. A virtualization environment running on a few servers can provide a large number of virtual machines running desktop operating systems and applications. Virtual machines can be configured to work with remote peripherals located on the client machines, so the users on those client machines will see exactly the same user interface as if those applications were running locally. The desktop may have nothing but the client software on its hard drive, or have no local storage and boot the client image from the network using PXE, then automatically connect to the server running the corresponding virtual machine and provide no other interface to the user, so the common problem with remote desktops on top of a traditional desktop, a combination of local and remote interfaces, won't exist.

Client-side security will be improved as well -- if the client has its own hard drive with a boot image, there will be no local components talking across the network other than the client software, and if the client is booted from the network, it will have no locally stored executables to infect. A desktop environment running inside a virtual machine remains vulnerable to the same kinds of malware that can compromise/infect a standalone desktop; however, the virtual environment can provide various means to improve prevention and detection of malware and simplify the recovery procedure:

  1. Virtual environments make it possible to create a snapshot of the running system (both local storage and the state of the running software) and store it for future use as a backup copy or for analysis.
  2. Both "local" and "networked" storage can be physically located on the server and/or placed on NAS or SAN storage outside the server itself.
  3. All network traffic to and from every virtual desktop passes through virtual network interfaces on the server, allowing all kinds of analysis and filtering by applications that run on the server and have the vast resources of the server at their disposal.

The most obvious advantage of this solution is for disaster recovery -- if it is possible to keep snapshots of every desktop's state taken at various points in time, no disaster or compromise/infection would require full re-installation. A virtual desktop can be returned to the last recorded state before the problem happened, and at that point it would even be possible to run some preventative measures (system/applications update, modification of the filters, etc.) before giving it to the user and allowing it to access the "real" network. However, the other parts of the problem, prevention and detection, are improved as well. If all network connections pass through the virtual network interface, that interface is the best place to put all filtering. The intrusive and resource-consuming network monitoring parts of the antivirus products can be completely removed from the virtual desktop environment and replaced by a single network filter/monitor on the server. It will always run in a known-safe environment, its list of detection procedures and signatures can be easily updated, and it will not consume resources allocated to the desktop environments. If a single server runs tens of virtual desktops, the addition of this network monitoring process, no matter how complex, will have an insignificant performance impact on those environments, and its worst possible effect would be increased latency of network connections with the outside world.

Since a virtual environment can be very flexible, it's possible to place all applications and data on storage seen as "networked" by the virtual desktop, leaving only the core of the operating system on what it perceives as its local drives. Data that is not meant to be "shared" can still be placed on a unique "share" accessible only to its "owner" desktop, just to keep it away from the "local" disk image.

Since virtualization software usually cannot provide translation between the internal filesystem used by the desktop OS and a filesystem on the server, the virtual hard drive is opaque to the software running on the server. This means that "local" drive scanning, or blocking of read/write operations on it that involve malicious data or protected files, should still be performed from within each of the virtual desktops; however, the scope of those operations can be greatly reduced, thus reducing the amount of resources that must be spent on them. All "remote" shares/filesystems, even if they are physically located on the same storage as the "local" images, are accessed through a file server such as Samba, so all monitoring can be performed by a filtering plugin running on the server in the same manner as the network filter/monitor. Scheduled scanning of this centralized storage is trivial as well, and it also happens on the server, which can have faster disk interfaces and a larger cache, thus reducing the impact on performance.
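
A sketch of the server-side scan of share content described above, as an added example that is not part of the original paper: it hands file contents to ClamAV's clamd daemon over the INSTREAM command and releases a file only on an explicit clean verdict. The function names, the 25 MB limit, the sample content and the stand-in daemon that lets it run offline are assumptions made for the example.

```python
import socket
import struct
import threading

CHUNK = 64 * 1024               # bytes per INSTREAM chunk
MAX_STREAM = 25 * 1024 * 1024   # assumption: kept equal to clamd's StreamMaxLength


def instream_frames(data, chunk=CHUNK):
    """Yield the frames of one INSTREAM request: command, sized chunks, terminator."""
    yield b"zINSTREAM\0"
    for off in range(0, len(data), chunk):
        part = data[off:off + chunk]
        yield struct.pack("!I", len(part)) + part
    yield struct.pack("!I", 0)  # a zero-length chunk ends the stream


def parse_reply(raw):
    """Map a clamd reply to (verdict, detail); anything unexpected is an error."""
    text = raw.rstrip(b"\0\n").decode("utf-8", "replace")
    if text == "stream: OK":
        return ("clean", "")
    if text.startswith("stream: ") and text.endswith(" FOUND"):
        return ("infected", text[len("stream: "):-len(" FOUND")])
    return ("error", text)


def scan_bytes(sock, data, limit=MAX_STREAM):
    """Scan one file's content over a socket already connected to clamd."""
    if len(data) > limit:
        return ("error", "over stream limit, not scanned")
    for frame in instream_frames(data):
        sock.sendall(frame)
    reply = b""
    while not reply.endswith(b"\0"):
        part = sock.recv(4096)
        if not part:            # daemon closed the connection early
            break
        reply += part
    return parse_reply(reply)


def scan_share(files, connect):
    """Scan {path: content}, opening a fresh connection for every stream."""
    results = {}
    for path, data in files.items():
        with connect() as sock:
            results[path] = scan_bytes(sock, data)
    return results


def allow_access(verdict):
    """Fail closed: only an explicit clean verdict releases the file."""
    return verdict[0] == "clean"


def fake_clamd(sock, marker=b"CONSTRUCTED-TEST-MARKER"):
    """Stand-in daemon so the example runs offline; flags a constructed marker."""
    with sock, sock.makefile("rb") as f:
        if f.read(10) != b"zINSTREAM\0":
            return
        body = b""
        while True:
            header = f.read(4)
            if len(header) < 4:
                return
            (size,) = struct.unpack("!I", header)
            if size == 0:
                break
            body += f.read(size)
        hit = marker in body
        sock.sendall(b"stream: Constructed.Test FOUND\0" if hit else b"stream: OK\0")


def offline_connect():
    """Connection factory for the demo; a deployment would connect to clamd's socket."""
    ours, theirs = socket.socketpair()
    threading.Thread(target=fake_clamd, args=(theirs,), daemon=True).start()
    return ours


if __name__ == "__main__":
    # Constructed sample content standing in for files on a share.
    sample = {"docs/report.txt": b"quarterly numbers",
              "incoming/tool.bin": b"..CONSTRUCTED-TEST-MARKER.."}
    for path, verdict in scan_share(sample, offline_connect).items():
        print(path, verdict, "allow" if allow_access(verdict) else "block")
```

Treating oversize files, daemon errors and dropped connections as "error" rather than "clean" keeps a scanner outage from silently turning into unscanned access.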

Virtual environments can provide other benefits such as easy deployment of various configurations, "live" transfer of virtual machines between servers, easy backup of snapshots to external storage, immediate administrator's access to the desktop interface without any additional software on the desktop itself, etc., thus simplifying common operations in mid-size and large offices. This reduces the workload of the system administrators and help desks, cutting the time spent by IT personnel on those trivial operations.

Implementation of the virtual desktop environment for offices

Even though virtualization software is supposed to simplify all kinds of operations that involve installation and configuration of software, installation of the environment itself and migration to it from traditional desktops is usually not easy. The virtualization environment has to be installed on the servers, either on an existing OS for small setups, or with its host OS for the larger ones, thus subjecting the IT personnel to the procedure of choosing hardware and installing a large, often previously unfamiliar system on it. The currently most advanced and popular virtualization software, VMWare, is produced by EMC, a company whose primary products are storage systems. It makes sense for them because virtualization environments greatly benefit from being provided vast amounts of networked storage; however, for the user a large SAN storage system plus VMWare ESX does not equal a desktop virtualization solution -- it has to be installed on a server with properly matched resources, various additional services such as server-side antivirus software should be added, existing desktop hardware (regular desktop computers or terminals) should be configured to run clients, client images should be installed on the server and configured to be installed or booted over the network on those clients, etc.

While large companies usually have in-house personnel that can perform planning, configuration, installation and even development of missing components, most companies have no such resources. They have to rely on consultants, and even then they usually can't get all the components that the system described above includes. Server hardware support from hardware manufacturers usually includes VMWare as a supported configuration; however, it is targeted at "consolidated servers" and does not include support for all the additional software and configuration necessary for a virtual desktop environment. Therefore there is a gap between EMC's support, which covers their hardware and software but not every kind of server hardware the software can run on, and server manufacturers' support, which covers their own hardware but not the virtualization environment on it.

This creates a need for a preconfigured virtual desktop solution that includes all components necessary for a virtual desktop environment superior to the original office network that it is supposed to replace, and that can be easily installed with a setup/conversion procedure that a typical IT department can carry out without outside consultants. It should be designed so that typical upgrade (adding servers and storage, updating software) and maintenance procedures are easy as well, so there is no threat of falling behind the available technology, which often happens when a company chooses a pre-made solution that is easy to install and use yet hard to update or expand.

Components of the virtual desktop appliance server

The virtual desktop server implementation should include:

  1. Server hardware. Since virtual desktop servers serve a large number of applications running simultaneously for multiple users, they can benefit from dual-core CPUs and large amounts of RAM. The intended platform is TD-44 servers with two dual-core CPUs (Opteron 200 series in TD-S448664A-G2-001 or 2000 in TD-S448664A-G2-002) and a large amount of RAM (8-16G, possibly up to 24G). Scalability can be achieved by adding more servers. Opteron 2000 series CPUs can also provide hardware virtualization for running virtual Windows desktops using Xen.
  2. Storage hardware. There should be a range of supported storage configurations -- local hard drives (TD-44 can have up to three internal drives, providing redundant RAID1 or RAID5 storage up to 1-1.5T), local storage with a fiber channel controller and external enclosure, networked storage with iSCSI for mid-size configurations and SAN on the high end. The virtual desktop configuration described above relies on network shares, which provides additional flexibility -- SMB servers for those shares can be located either on the same physical host as the virtual machine itself, or on dedicated storage servers. Planned 2U TD-88 series servers may be used for networked storage (separate SMB servers and iSCSI) in mid-size configurations. Large configurations may require SAN hardware, produced by EMC and other vendors.
  3. Host operating system for the servers. VMWare ESX uses Linux, and most other potentially suitable virtualization environments are developed under Linux, so even though Linux is not the only host OS supported, it gets the highest amount of developers' attention and can be easily configured to support all other components of this environment. Depending on the flexibility of available solutions, the amount of co-operation from EMC/VMWare and the required security models, it should be possible to either place additional software components under the same host OS as the virtualization environment, or use a dedicated virtual machine to run all additional components. Alternatively, a full virtualization environment may be built using a regular installation of Linux with VMWare Server running on it along with a combination of VMWare and third-party management tools. Appliance servers have a limited range of hardware options, so it should be possible to provide a preconfigured environment, optimized for running the virtualization environment on particular hardware.
  4. Virtualization environment. As mentioned above, it may be standard VMWare ESX supplied as a monolithic platform with underlying Linux, or a custom environment built from the same or similar components. In the future other products, such as Xen, are likely to become viable alternatives to VMWare, so development of additional components may be targeted to be compatible with various virtualization environments instead of being tied to VMWare. At this moment VMWare products have the advantage of a large set of tools and proven reliability in large configurations.
  5. Client software. It may be a simplified Linux environment with X11 and automated hardware detection startup scripts. It will be useful to provide an alternative media player stack that would pass video and sound through some accelerated streaming interface to the media player running on the client computer.
  6. Network boot and imaging software for clients. It should be expected that even within the same organization some client computers will be PCs specifically purchased for this configuration, some will be legacy desktops converted to terminals, some will be specialized thin clients. All those devices require either a network boot service with a system/firmware image, or a way to install the client image on a hard drive, CF card or CD used as a boot device. There should be some software able to generate such an image, including installation of drivers and hardware detection scripts similar to modern live CDs. The image generation procedure should allow the system administrator to generate images that include binary NVIDIA and ATI drivers. If some devices used as clients have their own firmware and configuration requirements, they should have an automated procedure that adds their configuration to DHCP, TFTP and other servers that should be configured when such devices are added.
  7. Anti-malware scanning/monitoring/filtering software. It should comprise a malware scanning engine (for example, ClamAV or Linux-hosted "enterprise" versions of other antivirus packages) and an interface that ties it into network connections and remote filesystem access. While large parts of those systems already exist as separate products, it is important to properly integrate them into all possible access/communication paths that may be used by malware. The only part of the antivirus software that should run inside the virtual desktop environment is the part responsible for scanning and monitoring of the opaque "local" filesystem.
  8. Snapshot, backup and recovery management software. While some components of such management software are included in virtualization systems themselves, a large virtual desktop system should also allow incremental backup of networked filesystems, association between snapshots of virtual environments and corresponding snapshots of remote filesystems, scheduled backup and possibly an agent running within the virtual environment that ensures a clean state of the software running within the virtual environment at the moment when the snapshot is taken. For example, if some application running within a virtual environment is accessing some "truly shared" files, it should be guaranteed that if its copy is restored later, it will not try to complete some file operation on files that were modified while the application "was away". There are a few "offender" applications that may behave that way, including such commonly used software as QuickBooks.
  9. System administrator's user interface that provides easy access to common operations that involve adding/removing physical resources (servers, clients, storage), adding/removing virtual resources and access to them, resource usage monitoring, migration and restore operations, OS installation in virtual environments and software updates. Some parts of it are already present in VMWare products, some should be added.

This relatively complex system should provide a virtual desktop environment that can be installed by merely connecting hardware to the existing network, configuring addresses and types of clients, and installing the operating systems in virtual machines from media or images bundled with this system.
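
The snapshot association from item 8, as an added example that is not part of the original paper: when a desktop has to be rolled back after a compromise, the newest VM snapshot is only usable if each share it depends on has a snapshot from about the same moment. The catalog layout, the five-minute skew limit and all names, ids and times are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Snapshot:
    target: str          # VM name or share name
    taken_at: datetime
    snap_id: str


def restore_plan(vm, shares, vm_snaps, share_snaps, compromised_at,
                 max_skew=timedelta(minutes=5)):
    """Pick the newest VM snapshot taken before `compromised_at` that has, for
    every share the desktop depends on, a share snapshot within `max_skew` of it.
    Returns (vm_snapshot, {share: share_snapshot}) or None if no pair exists."""
    usable_vm = sorted((s for s in vm_snaps
                        if s.target == vm and s.taken_at < compromised_at),
                       key=lambda s: s.taken_at, reverse=True)
    for vm_snap in usable_vm:
        pairing = {}
        for share in shares:
            near = [s for s in share_snaps
                    if s.target == share
                    and s.taken_at < compromised_at
                    and abs(s.taken_at - vm_snap.taken_at) <= max_skew]
            if not near:
                break    # this VM state has no matching share state, try an older one
            pairing[share] = min(near, key=lambda s: abs(s.taken_at - vm_snap.taken_at))
        else:
            return vm_snap, pairing
    return None


def t(hhmm):
    """Helper for the constructed catalog below."""
    return datetime.strptime("2024-01-15 " + hhmm, "%Y-%m-%d %H:%M")


# Constructed catalog: one virtual desktop and its private share.
VM_SNAPS = [Snapshot("desk-17", t("08:00"), "vm-a"),
            Snapshot("desk-17", t("12:00"), "vm-b"),
            Snapshot("desk-17", t("16:00"), "vm-c")]
SHARE_SNAPS = [Snapshot("home-17", t("08:01"), "fs-a"),
               Snapshot("home-17", t("12:02"), "fs-b"),
               Snapshot("home-17", t("16:20"), "fs-c")]   # taken after the incident

if __name__ == "__main__":
    # Compromise detected at 16:10: vm-c predates it but has no usable share
    # snapshot, so the plan falls back to the 12:00 pair.
    print(restore_plan("desk-17", ["home-17"], VM_SNAPS, SHARE_SNAPS, t("16:10")))
```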

Handling of non-virtual desktops and workstations

Beyond the described virtual desktop functionality, the system should allow some users to keep full desktop/workstation computers on the same network. It may provide OS installation/upgrade/backup/reimaging functionality for those machines in a way similar to the same operations on virtual desktops, implemented through network boot and a special installation/maintenance image similar to the client image distributed to client-only desktops. It should be possible to install the regular client software on those desktops, allowing their users simultaneous access to local (real) and remote (virtual) desktops, so those users can utilize both their custom configuration and the company-standard environment provided for them on the server.

Future integration of Linux desktops

Currently there are two significant problems that keep Linux desktops from becoming a viable solution for corporate offices -- unsupported file formats and applications that only exist on the Windows platform. The progress in standardization of document formats, and in particular the adoption of OpenDocument formats on Windows, is likely to remove the first of those obstacles; however, it still won't be sufficient for widespread adoption of Linux desktops. The second problem is significantly more difficult because for almost every particular business environment there is a Windows-only application incompatible with all existing Windows emulators.

The resources necessary to port all those showstopper applications or support them in emulators are beyond the capability of any potential Linux desktop vendor, and possibly beyond the capability of any existing software company. While it is likely that eventually this will cease to be a problem due to software obsolescence and the expanding number of Linux applications, currently most Windows-using businesses would not migrate to any other OS unless the new desktop system provides a safe and seamless fallback procedure to run any of those "irreplaceable" Windows applications -- and usually even identifying them is a difficult task when a migration project's viability is being evaluated.

The virtual desktop setup can provide an easy solution for those problems. Since a Windows environment can easily run in a virtual machine, and all access to the user's files can be controlled on the server, it should be trivial to provide a hybrid desktop configuration with two environments sharing common filesystems and application control accessible to the same client. A Linux desktop environment may be configured separately from Windows, on the same or a different physical server. Filesystem access can be configured to be shared between both environments, so files created or downloaded by applications in one OS are accessible to the other, allowing applications to seamlessly handle the same data. The Linux desktop can be pre-configured to have one or more of its virtual screens occupied by the Windows interface, and applications that are assigned as handlers for various file types can be made accessible by running "stub" launchers in either of the systems.

For example, a user runs Firefox on Linux, downloading mostly DXF files handled by QCad. One of the downloaded files happens to be a DWG file, which can only be edited in AutoCAD. Firefox runs the AutoCAD stub, which in turn launches the real AutoCAD in the virtual machine and switches the desktop to Windows. The user continues working with the file in Windows, saving it to his directory, also accessible on Linux, and produces DXF and EPS files that also end up being saved under his Linux home directory or desktop. From that point AutoCAD would be just one of the applications available to the user -- the only visible difference will be that it is tied to the Windows desktop and can't be visually mixed with other applications. Therefore, in environments where the Linux desktop's advantages in security, modularity and configurability justify its use, yet some Windows applications require a Windows environment to be readily accessible, such a solution will make it easy to satisfy both requirements.

Even though it is unlikely that currently there is a demand for this particular configuration, it makes sense to plan for it in the future, especially considering that it would not require any significant additional effort compared to the rest of this system.

Conclusion

A virtual desktop appliance server can provide a secure, reliable and manageable system for mid-size and large offices that solves various problems and deficiencies of traditional desktops in modern office networks. The implementation of such a server, based on TD-44 series servers, should include some existing virtualization software, some additional security and management software that has to be developed, and a set of supported hardware configurations.