Solved

Network segmentation VDI

Posted on 2014-01-29
3
682 Views
Last Modified: 2014-03-23
Hi

I want to know best practices of segmenting user vlans in a virtual desktop platform.
Say I have a user department of 1000 users and they use same golden image...should I keep them in single vlan..subnet or multiple.

Second scenario is I have one golden image used by three departments..some of applications used by one department should not be accessible to other department although it's there in golden image..I don't want to maintain multiple images..for those few web apps..currently in physical desktops since these departments sit in different vlans ..we have firewall rule which prevents traffic from that particular vlan...what I want to know in VDI scenario,what's best way to do this segregation...
0
Comment
Question by:Sukku13
  • 2
3 Comments
 
LVL 6

Expert Comment

by:Brainstormer
ID: 39818692
Using vLANs will add complexity in a PVS environment. PVS servers using option 66/67 will not be redundant during TFTP/PXE because you can only add 1 server in that field. Additionally you have to worry about DHCP IP helpers configured for each network segment. Instead use PXE broadcast, and have all VMs in same subnet as PVS servers. I don't see a reason why separate the users, since they are sharing a single image.

Sharing apps in single image can be prevented using MS AppLocker policies at a minimum, there are other 3rd party solutions like AppSense as well.
0
 

Author Comment

by:Sukku13
ID: 39819770
brainstomer...we are a financial institution and as per current security guidelines..even though if some users share same golden image..we would need to prevent some user groups from accessing certain web based applications used by other departments..currently in physical desktops its done by having firewall rules from a particular floor VLAN to the app servers of the application etc...Also we don't want to have a flat network so we don't want all vm's to have a single subnet and instead prefer to have vm pools having different..because in case of a security threat we don't impact all desktops at once and also to avoid broadcast storm
0
 
LVL 6

Accepted Solution

by:
Brainstormer earned 500 total points
ID: 39820675
In that case I would recommend a pair of PVS servers for redundancy on each vLAN, setup as sites under the same PVS farm. The same gold image can be shared among all PVS servers.
0

Featured Post

Efficient way to get backups off site to Azure

This user guide provides instructions on how to deploy and configure both a StoneFly Scale Out NAS Enterprise Cloud Drive virtual machine and Veeam Cloud Connect in the Microsoft Azure Cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The 21st century solution to antiquated pagers.
With healthcare moving into the digital age with things like Healthcare.gov, the digitization of patient records and video conferencing with patients, data has a much greater chance of being exposed than ever before.
How to install and configure Citrix XenApp 6.5 - Part 1. In this video tutorial we have explained step by step installation of Citrix XenApp 6.5 Server on Windows Server 2008 R2 is explained in this video. We have explained the difference between…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…

786 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question