This is the part 2 of a 4-part Mad About MED-V series. This screencast presents the user experience of running MED-V applications by going through essential user operations of a MED-V client.
The Mad About MED-V screen series include:
and each link is to be updated once the associated screencast is published. The remainder of this posting highlights some of the content presented in Part 2.
As discussed in Part 1 of this series, a MED-V workspace policy optionally allows a MED-V application integrated into the All Programs menu of the host computer as shown below, despites the fact that the MED-V application is configured and running in a Virtual PC behind the scene.
To run a MED-V application, the workspace must first be started. A MED-V client can be loaded at Widows startup time if specified in the MED-V Client Settings, in such case a workspace can be also set to start automatically. This ensures the workspace is always in place, should a user require running a MED-V application once the computer has been started. And if the workspace has not been initialized, it will start on demand followed by bringing up the application upon completing the workspace initialization. Once a workspace is started, additional options like locking/restarting/stopping workspace become available when right-clicking the MED-V client icon in the system tray. A user also at this time has the access to utilities like the File Transfer tool as shown below. The Fire Transfer tool enables a user to transfer files between the host computer and the MED-V application running in the Virtual PC in the background.
In MED-V workspace policy, a MED-V administrator can optionally configure a color border to surround a running MED-V application as shown above. The setting of showing a color border can be easily changed or disabled within workspace policy by a MED-V administrator.
A MED-V workspace policy can be configured to automatically redirect a request for a target website from the host computer to the browser in the Virtual PC. This allows every request to a target URL with a web application incompatible with the browser installed on the host computer gets redirected to a compatible browser running in the Virtual PC behind the scene. The following screen capture shows a request redirected from the host computer which runs IE7 to the IE6 (with a red border) running in the hidden Virtual PC.
Microsoft Enterprise Desktop Virtualization, or MED-V, is a desktop virtualization solution providing a self-contained computing environment including the OS, intended applications, and customized settings, if any. Desktop virtualization allows an application to run in a specific OS environment different from the OS running the hosting computer. MED-V uses Virtual PC 2007 to provide a virtualized and customizable computing environment required by an intended application, yet incompatible or conflicting with that in the hosting computer. In other words, MED-V allows computing environments which are incompatible, conflicting, or with different requirements to run currently in the same physical device. For instance, running a legacy or line-of-business application requiring Windows XP SP2 in a Vista SP1 desktop or deploying a managed computing environment (like a corporate-managed desktop) to a non-managed (like a personal or home) desktop are some of the business challenges MED-V addresses.
MDOP now includes 6 tools and solutions as below and is available to Software Assurance customers.
Customers interested in MDOP should review the faq and contact their software vendor or Microsoft for additional information. For a comprehensive guide on Microsoft Virtualization from data center to desktop, download it here. I have produced the 4-part Mad About MED-V screencast series to offer a quick review of MED-V solutions including the following. I will update each link, once the associated screencast is published.
The following is the part 1 screencast with a focus on the MED-V fundamentals to establish a baseline for subsequent discussions in the series. The remaining of this post highlights the key concept, architecture, and pertinent information of a MED-V solution.
MED-V is perhaps the least understood piece in Microsoft Virtualization Solutions. A desktop virtualization solution MED-V is as opposed to App-V, an application virtualization. This distinction is an important one since they solve two different areas of business problems. Desktop virtualization addresses the incompatibility between a target application and the host operating system by virtualizing an entire desktop, i.e. a self-contained runtime environment including the operating system and the application. Such that a target application requiring, for instance, Windows XP SP2 and incompatible with Windows Vista can still be deployed to a Vista desktop by running the application in a hidden Virtual PC running Windows XP SP2 while using MED-V to seamlessly make the application accessible from the Start-All Programs menu on the host computer. App-V, on the other hand solves the incompatibility between two applications by offering a virtualized application runtime environment, the so-called bubble, while allowing these applications running on the same operating system instance. The following illustrates the concept.
Conceptually desktop virtualization using Virtual PC is easy to understand. Nevertheless to deploy desktop virtualization to enterprise, system administration and scalability are rather challenging. In essence, a Virtual PC lifecycle management solution is the key to make enterprise desktop virtualization a reality, and this is where MED-V comes in. MED-V makes Virtual PC deployable and saleable with a centralized lifecycle management solution including: image creation, delivery, monitoring, and maintenance.
To run a MED-V application the associated workspace must be first started. And if a user tries to start a MED-V application while the workspace is not in place, the workspace will start on demand and once the workspace is loaded, the application will start. A workspace is a Virtual PC image with a usage policy defined by a MED-V administrator. An administrator will use MED-V management console to configure usage policy which is a set of settings defining how MED-V applications will behave for a target Active Directory users or groups. Notice that the Virtual PC is where a MED-V application is configured, and the Virtual PC is also running in the background. MED-V workspace policy allows a MED-V application to seamlessly integrate into the All Programs menu on the host computer and runs transparently with the locally installed applications. A conceptual model of the integration is shown below.
The high level MED-V architecture as shown below starts with: (1) and (2) to create, test and upload Virtual PC images encapsulating a target computing environment of an OS, applications and optional management and security tools to the image repository by administrator; (3) MED-V Management Server, the brain of the whole system, enabling an administrator to control image repository which is an IIS virtual directory and (4) provision images for targeted Active Directory Users and Groups along with usage policies; and finally (5) delivering the images and usage policies to clients. And a client starts a MED-V application, the client will authenticate against the management server, retrieve the workspace policy, and acquire the workspace image.
Notice a MED-V Management Server also aggregates clients' events, and stores them in an external database (MS SQL) for monitoring and reporting purposes. Also a MED-V client has two functional components – the first connecting to the server and retrieving the usage policy and an associated image form the repository, while the second offering the end-user experience and managing the Virtual PC from user experience and troubleshooting aspects.
The information provided here is as of March of 2009.
In order to prevent antivirus activity from affecting the performance of the virtual desktop, it is recommended where possible to exclude the following Virtual Machine file types from any antivirus or backup processing running on the host:
*.VHD *.VUD *.VSV *.CKM *.VMC *.INDEX
*.VHD *.VUD *.VSV *.CKM *.VMC *.INDEX
One very interesting piece of MED-V solution is the Trim Transfer technology as illustrated below. Trim Transfer accelerates the download of initial and updated Virtual Machine images over the LAN or WAN, thereby reducing the network bandwidth needed to transport a Workspace Virtual Machine to multiple end-users. It uses existing local data to build the Virtual Machine image, leveraging the fact that in many cases, much of the Virtual Machine (e.g., system and application files) already exists on the end-user's disk. For example, if a Virtual Machine containing Microsoft Windows XP is delivered to a client running a local copy of Windows XP, MED-V will automatically remove the redundant Windows XP elements from the transfer. To ensure a valid and functional Workspace, the MED-V Client cryptographically verifies the integrity of local data before it is utilized, guaranteeing that the local blocks of data are absolutely bit-by-bit identical to those in the desired Virtual Machine image. Blocks that do not match are not used.
The process is bandwidth efficient and transparent, and transfers run in the background, utilizing unused network and CPU resources. When updating to a new image version (e.g., when administrators want to distribute a new application or patch), only the elements that have changed ("deltas") are downloaded, and not the entire Virtual Machine, significantly reducing the required network bandwidth and delivery time.
You can configure which folders are indexed on the host as part of the Trim Transfer protocol according to the host OS. These setting are configured in the ClientSettings.xml file which can be found in the Servers\Configuration Server\ folder.
I had the opportunity to be one of the reviewers of the just published Hyper-V Security Guide. And want to invite those who are interested in virtualization security to download and review it as well. This document is about Hyper-V in Windows Server 2008 and provides IT professionals with guidance, instructions, and recommendations to address key security concerns about server virtualization. Specifically how to harden Hyper-V role, safely and securely delegate administrative access to virtual machine resources, and protect virtual machines are examined. Check it out.