Virtual Desktop Savings is not in the Hardware

Here’s a great article that I recently was referred to:

Citrix: Virtual desktops about to become cheaper than physical ones

In it, Citrix is helping to develop yet another lower cost zero-client device.  These are literally just small boxes about the size of a deck of cards that have ports for a monitor, Ethernet and USB.  No moving parts, very slim, reliable and inexpensive. However, I still maintain that the savings of Virtual Desktop (VDI) are not in the hardware.

I think the real savings are in staffing and time.  Unfortunately these are much harder to measure but well worth the move in my opinion.

You can already use the hardware you have for VDI so new zero-clients only save you money for new installations or when you are replacing a desktop that is completely dead. 

You still need a keyboard, mouse and monitor (video) to hook up to zero-clients and Windows/Office & CAL licenses.  If you subtract the cost of the license & KVM these days you can purchase a reliable desktop for probably about $500, and even less if you plan to purchase refurbished and replace them more often.

So, initially you do probably save $300-$400.  However, you must move these virtual desktops to a server you never had to have before in the data center.  More than likely you are moving them to a high-capacity set of servers, much like the Cisco UCS system we are rolling out at my district.  This is very expensive.

It doesn’t stop there.  My network manager and I attended a VDI training and learned that you have to make sure your network can also withstand the high traffic all the way from the data center to the user’s “desktop”.  It was fine if a user had to wait a few seconds to open a Word doc but waiting a few seconds to click a mouse is unacceptable.  Suddenly you may have to upgrade much of your entire network infrastructure.  This is much the same issue you encounter when you first migrate to IP phones.

Oh, and what about disaster recovery?  With Virtual Desktop you have effectively moved their “desktop” to a data center.  Right now at our district if a desktop dies we advise the user to log onto another one nearby and schedule a tech to replace their desktop within 24 hours.  With Virtual Desktop, if the connection to the data center goes down there is no nearby desktop to go to.  So you have to have a disaster recovery data center (i.e. at our District Office).

This starts sounding really expensive really quick.  Fortunately VMware (et al) have great tools that let you leverage the most out of your equipment.  A classic disaster recovery site is unused most of the year and only kicks in when you have an emergency.  From a business cost perspective it is a loss until those few minutes it is in use.  VMware lets you cluster your data centers together effectively using them in tandem for full production load balancing.  If one were to go down the other would simply take the entire load.  You still have to purchase double the equipment but it is used much more efficiently.

I would imagine that as you scale the costs start becoming more relative.  I would think that if you implemented VDI on 90% of the computers at a site it is much more economical than, say, 50%.

Like I said above, I think the real savings are in staff and time.  If you can reduce the amount of equipment you have to service while increasing its reliability you don’t have to hire additional techs as you grow your desktop base and your current techs can also deal with higher level issues.  Same thing with your network services staff at the data center.  In addition, your users as a whole experience far less downtime and a far more reliable working environment.

How do you measure those benefits?  Theoretically you can measure the amount of technology growth vs. payroll, but you really can’t measure downtime for the users unless you have a very sophisticated ticket system where you can somehow quantify and compare downtime for users.

IIS7 Won’t Respond Over SSL if No Certificate is Selected

Ugh, while the title of this post doesn’t sound like that much of an issue chalk this one up to an experience I hope someone else doesn’t have to deal with.

We had an issue with our A/C unit in our data center last night and several of our servers were shut down due to excessive temperatures.  We are slowly bringing them up as we are managing the cooling and they are all coming up fairly normally. Some of the older servers reported errors with batteries or failed drives but these are fairly routine.

However, we had one of our brand new servers start up with seemingly no issues but IIS 7 was not responding to web requests.

This server serves up only two web applications over SSL and has worked fine for the last month that it has been in service.

Looking at the IIS logs, event viewer and any other sort of diagnostic tool we could think of reported no errors at all…and no connection attempts either.  Connecting from the local host offered no error messages.  Connecting through Fiddler2 only showed the cryptic message, “the server has actively closed the connection”.

Finally, after restarting the entire server, the IIS service, the web site and the app pools, we were grasping at straws.  Bindings were correct, permissions were correct, and doing a “netstat -an” revealed the server was indeed listening on port 443.

In the end, what solved it was this: in the binding settings, the Certificate dropdown showed None.  I selected the self-signed server certificate and the whole thing suddenly came alive.  I attempted to set the SSL certificate back to None, which wasn’t an option anymore.

Of course that makes sense.  How can you serve up SSL traffic when there is no certificate to authenticate the request with?  However, why a server restart caused the certificate to no longer be selected is beyond me. 

And why did IIS never throw an event or some type of log error that said, “Hey, you’re trying to serve SSL but no certificate is selected!”???

Anyway, hopefully this will show up on a Google search for someone else.  Cheers.
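The state described in this post (port 443 listening, connection closed, nothing logged) can be caught from the outside with a handshake probe. The following is an added example, not part of the original post; `probe_https` and `start_closing_listener` are names made up here, and the listener is a constructed local stand-in for the broken server.

```python
import socket
import ssl
import threading


def probe_https(host, port, timeout=3.0):
    """Return 'no_listener', 'listening_no_tls' or 'tls_ok' for host:port."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "no_listener"          # nothing bound: netstat would show no listener
    # Liveness probe only: we ask whether a handshake completes, not whether the
    # certificate is trusted (the server in the post used a self-signed one).
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with ctx.wrap_socket(sock, server_hostname=host):
            return "tls_ok"
    except (ssl.SSLError, OSError):
        # TCP connects but the handshake never completes, e.g. the peer
        # closes the connection: the state described in the post.
        return "listening_no_tls"
    finally:
        sock.close()


def start_closing_listener():
    """Constructed stand-in for the broken server: accept, then close at once."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))        # port 0 = any free port, test use only
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return                # listener was closed
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv


if __name__ == "__main__":
    srv = start_closing_listener()
    print(probe_https("127.0.0.1", srv.getsockname()[1]))
```

Run on a schedule against each HTTPS site, a `listening_no_tls` result is the alert that IIS itself never raised here.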

Microsoft Intune – The Beginning of Small Business IT Management in the Cloud

Microsoft just released information regarding their new cloud management service for small organizations, Microsoft Intune.  You can read about it on their blog post here.

It’s geared towards smaller companies that have between 25 and 2,500 PCs that may not be able to afford a standard IT infrastructure and server deployment.  Honestly, with some of my clients using SBS 2003 with a decent IT consultant (me :)) companies with as few as 15 machines can easily make use of the standard Microsoft infrastructure.  If you’re beyond 100 PCs I don’t know how you would ever manage this effectively without having Windows Server, Active Directory and many of the management tools such as WSUS and a managed virus/malware setup.  But, that’s beside the point.

What is Microsoft Intune and what does it do for you?  Here are the basics:

  • Manage PCs through web-based console: Windows Intune provides a web-based console for IT to administrate their PCs. Administrators can manage PCs from anywhere.
  • Manage updates: Administrators can centrally manage the deployment of Microsoft updates and service packs to all PCs.
  • Protection from malware: Windows Intune helps protect PCs from the latest threats with malware protection built on the Microsoft Malware Protection Engine that you can manage through the Web-based console.
  • Proactively monitor PCs: Receive alerts on updates and threats so that you can proactively identify and resolve problems with your PCs—before it impacts end users and your business.
  • Provide remote assistance: Resolve PC issues, regardless of where you or your users are located, with remote assistance.
  • Track hardware and software inventory: Track hardware and software assets used in your business to efficiently manage your assets, licenses, and compliance.
  • Set security policies: Centrally manage update, firewall, and malware protection policies, even on remote machines outside the corporate network.
  • Licensing to upgrade all your PCs to Windows 7 Enterprise.  Includes all applicable upgrades to the latest Windows as well as downgrades while you are under the subscription.

Intune is only in beta at the moment.  You can sign up here until May 16th.  It isn’t scheduled to be released in production until next year.  At that time it will be a subscription based service, most likely on a per PC basis.

A few things of note:

  • The tracking of hardware and software would be nice.  I don’t know if this only tracks PCs or if it also tracks hardware like printers and network appliances and I’m not sure if it tracks non-Microsoft software.  We’ll have to wait and see how thorough their system is.
  • Setting of security policies seems to be limited to templates that affect security settings like Windows Firewall, updates, etc.  It doesn’t seem to be a full-fledged Active Directory Group Policy infrastructure.
  • Allowing the upgrading of all of your PCs to Windows 7 enterprise is a pretty great deal.

Not a replacement for Small Business Server

I don’t see this as a replacement for SBS.  Honestly, I don’t really see anything that can’t already be accomplished by a decent network setup by an IT consultant, and that you don’t have to pay a monthly fee for.  You still have to have someone knowledgeable (or your IT consultant) to handle the setup and monitoring of Intune, so you aren’t getting rid of your IT guy, just adding the management layer on top of your current network.

What does SBS do that Intune doesn’t do?  Pretty much everything else.  It gives you a full-fledged AD infrastructure, user/group/hardware authentication/authorization, shared resources such as folders/printers, Exchange, SQL Server, IAS, etc.

Microsoft already makes Exchange available as a subscription based service, though I don’t know if this is technically in the MS Azure cloud yet.  Azure currently also is starting to handle the SQL space. 

I think Intune will really be able to fill the small business space when I can have a SBS server locally to handle shared resources and local caching of my AD/DNS, but then offload everything else to the cloud, including my licensing management of all my MS products including Windows, Office, etc, AD management, GPO management, intranet, etc.  Then this might really be a full on solution that I could see businesses shelling out $50 annually a computer for.

So, am I signing up for the beta?  Yeah, why not.  I’d really like to see how this works out and where it’s headed.  One of my clients is due to renew their annual license for their virus vendor and we haven’t been that happy lately with the product.  So, this will give us a chance to try out the Microsoft offering for little cost (if anything) and see if this really lets me manage the network better.  Having the remote access through Silverlight will be nice.  That way I don’t have to remote into the server and then remote from there.  Until I see actual estimates on licensing though I will be hesitant to upgrade the PCs to Windows 7.