Solved

Network segmentation VDI

Posted on 2014-01-29
3
650 Views
Last Modified: 2014-03-23
Hi

I want to know best practices of segmenting user vlans in a virtual desktop platform.
Say I have a user department of 1000 users and they use same golden image...should I keep them in single vlan..subnet or multiple.

Second scenario is I have one golden image used by three departments..some of applications used by one department should not be accessible to other department although it's there in golden image..I don't want to maintain multiple images..for those few web apps..currently in physical desktops since these departments sit in different vlans ..we have firewall rule which prevents traffic from that particular vlan...what I want to know in VDI scenario,what's best way to do this segregation...
0
Comment
Question by:Sukku13
  • 2
3 Comments
 
LVL 6

Expert Comment

by:Brainstormer
ID: 39818692
Using vLANs will add complexity in a PVS environment. PVS servers using option 66/67 will not be redundant during TFTP/PXE because you can only add 1 server in that field. Additionally you have to worry about DHCP IP helpers configured for each network segment. Instead use PXE broadcast, and have all VMs in same subnet as PVS servers. I don't see a reason why separate the users, since they are sharing a single image.

Sharing apps in single image can be prevented using MS AppLocker policies at a minimum, there are other 3rd party solutions like AppSense as well.
0
 

Author Comment

by:Sukku13
ID: 39819770
brainstomer...we are a financial institution and as per current security guidelines..even though if some users share same golden image..we would need to prevent some user groups from accessing certain web based applications used by other departments..currently in physical desktops its done by having firewall rules from a particular floor VLAN to the app servers of the application etc...Also we don't want to have a flat network so we don't want all vm's to have a single subnet and instead prefer to have vm pools having different..because in case of a security threat we don't impact all desktops at once and also to avoid broadcast storm
0
 
LVL 6

Accepted Solution

by:
Brainstormer earned 500 total points
ID: 39820675
In that case I would recommend a pair of PVS servers for redundancy on each vLAN, setup as sites under the same PVS farm. The same gold image can be shared among all PVS servers.
0

Featured Post

Highfive Gives IT Their Time Back

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

Suggested Solutions

Many companies are looking to get out of the datacenter business and to services like Microsoft Azure to provide Infrastructure as a Service (IaaS) solutions for legacy client server workloads, rather than continuing to make capital investments in h…
Password hashing is better than message digests or encryption, and you should be using it instead of message digests or encryption.  Find out why and how in this article, which supplements the original article on PHP Client Registration, Login, Logo…
How to install and configure Citrix XenApp 6.5 - Part 1. In this video tutorial we have explained step by step installation of Citrix XenApp 6.5 Server on Windows Server 2008 R2 is explained in this video. We have explained the difference between…
This demo shows you how to set up the containerized NetScaler CPX with NetScaler Management and Analytics System in a non-routable Mesos/Marathon environment for use with Micro-Services applications.

760 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

24 Experts available now in Live!

Get 1:1 Help Now