How we did it: A desk-less workforce built on Surface tablets and Windows RDS
One of the biggest problems I have with all those fancy iPad rollouts in corporate America is that they are merely patching a larger problem instead of solving it. Let's face it, nearly 60 percent of tablet buyers currently are not replacing their primary mobile devices -- they're merely supplementing them. Less than 9 percent truly see themselves replacing their laptops with tablets. If tablets are the future of mobile computing, there is a serious problem with how they are perceived by buyers who need a device for work rather than for media consumption.
When one of my customers approached us about helping them migrate an aging, near-crippled fleet of netbooks into modern tablets, I knew there had to be a better way than the "iPad standard". We initially toyed with the idea of getting tablets to use in conjunction with GoToMyPC or LogMeIn, but the recurring costs on such an approach started to balloon. Plus, a workforce that lives and dies by the full Microsoft Office suite would never adjust to a touch-only future.
So our needs boiled down to a list that I covered in detail in a previous article here:
- Ability to use full Microsoft Office; not crippled half-baked copycat suites.
- Wi-Fi compatibility with all major wireless standards, for use everywhere from Starbucks to libraries to any other hotspot.
- Achieving the highest levels of data security without the need to rely on passing documents back and forth over a VPN.
- Being able to get a worker whose tablet was lost or stolen a replacement unit in a matter of hours, not days.
- Flexible input and port options for USB devices, flash drives, external mice, etc.
- Giving users only one endpoint device; the replacement device had to fully replace a laptop or desktop computer.
The iPad was a potential option, but its severely limited input options, all of which go over a single proprietary port, were a big knock against it. Android tablets were also a possibility, but they didn't solve the keyboard/mouse problem in any way, and they too had no way of leveraging Microsoft Office other than through expensive LogMeIn/GoToMyPC routes -- which would have also increased, not decreased, the device footprint we had to manage. We toyed with full-blown replacement laptops, but they too would need constant antivirus licensing and patch management, which would not solve our maintenance dilemma.
What did the customer's network look like before the Surface move? A tangled mess of inefficient technologies. Netbooks and VPN working off a 1.5Mbps T1 were one of the biggest nightmares, from slow access down to VPN router problems. Three physical Server 2003 machines were doing what one physical Server 2012 box handles today. It was a patchwork quilt of technology that in the end didn't provide much value for the end users, and was a downright management nightmare for IT.
After tossing around ideas, we settled on giving the Surface RT tablet a trial run. It was just the device we were looking for. It gave us the port options we wanted; the tactile keyboard and touchpad users needed; a slim form factor with excellent battery life; and most of all, the ability to access the entire array of traditional Windows applications, including Office, over Windows Remote Desktop. Yes, the near-decade-old technology provides a zero-recurring-cost gateway into a full-featured Windows desktop that no other tablet can offer its users.
In a surprising about-face, the same day I launched my last article the previous week, Microsoft came out and said it was working on remote desktop apps for the iOS and Android realm. The apps should be out around the time Server 2012 R2 launches. However, like with any new software release, their feature sets will likely be crippled compared to what native Windows devices get, and will take some time to get feature parity. Even with this knowledge, I wouldn't place my bets on a tablet fleet using Remote Desktop from Apple or Android devices as the app functionality and stability is as-of-yet still unseen.
Where The Fun Begins: What's Needed On the Backend
As an infrastructure geek, the cool parts of this project were not in the end user devices. Sure, I like the sleekness and capabilities of the Surface RT like any other person, but the real joys from this project were the awesome tools that we had to deploy behind the scenes. From new switches to a fast cable internet connection, down to Windows Server 2012 and the virtualization powerhouse known as Hyper-V. The icing on the cake was Windows Remote Desktop Services which was the sandbox for providing everyone their own personalized virtual desktop accessible from the Surface RT tablets.
So what kind of necessities are there for getting this kind of setup into place? Here's a brief overview of what we used:
- Cable internet service coming into a Cisco RV042G VPN Firewall/Router.
- A Netgear 24 port ProSafe gigabit switch.
- (1) physical Dell Poweredge server with dual, quad core Xeon processors and 24GB of RAM.
- ESET File Security for Windows Server as our antivirus platform.
- StorageCraft ShadowProtect Server for our bare-metal backup needs.
- The primary host OS was Windows Server 2012 handling AD, file shares, DNS, LOB apps, etc.
- The guest OS for handling Remote Desktop Services was Server 2012 running on Hyper-V.
- Office 2013 Standard licensing for each user that was going to use a Surface tablet.
- Remote Desktop User CALs to license each virtual desktop user.
- Even though it's unrelated, we moved an in-house PBX phone system to RingCentral VoIP and in-house Exchange to Office 365.
And that was it. Aside from Microsoft licensing for this project, which is always a bear and a half, the breadth of infrastructure needed was far from expensive or crazy. We were doing a server consolidation to begin with, so we went from 3 physical Dell servers down to one running a host OS and a guest RDS environment. We also managed to downsize our desktop PC footprint from about 12-14 systems down to only three, as all mobile users at the company are now on Surface devices. And we transitioned from cruddy T1 service between two offices to a high speed VPN powered by Comcast Business cable internet, giving us speeds of roughly 25/7 Mbps (down/up) on our most recent speed test.
I always believe that less is more, and the revised IT footprint we implemented at this organization exemplifies simplicity through a lean backbone that does its job. If I were doing this over today, I probably would have gone straight for Server 2012 R2 to take advantage of some new Hyper-V capabilities Microsoft baked in. But that's a minor gripe. Overall the setup as outlined is working great with no issues, and the customer is very happy with what we accomplished.
The Magic That Is Windows Remote Desktop Services
All the above hardware and software items are fine and dandy, but without one critical piece of the puzzle, a Surface fleet is completely useless beyond its local capabilities. That secret ingredient is known as Remote Desktop Services, which used to be called Terminal Services until Server 2008 R2 came out. In Server 2012, Microsoft has vastly increased the capabilities of what Terminal Services used to be able to do by now giving you the choice of offering users Pooled VMs or even Personal VMs. While I won't get into the details about these as they don't pertain to what this project utilized, the latter two (more costly) options are closer to what competitors like Citrix are providing in the marketplace. I suggest you take a look at the excellent overview video on RDS in Server 2012 from the TechEd 2013 conference earlier this year.
We decided to use Session Hosting for our Remote Desktop approach for two big reasons: cost and ease of management. Firstly, the amount of labor time that would need to go into not only the initial deployment, but ongoing maintenance, for a Pooled VM or Personal VM approach would be too much to bear for a smaller organization. Every extra VM you need to maintain is just like an extra server that needs upkeep, albeit without the hardware aspect.
That translates directly into consulting cost, which would have made this project not viable to sustain for the longer term. Secondly, the complexity needed to maintain any of the other non-Session based approaches just skyrocketed for what we wanted to accomplish. If this were a large corporation with a dedicated server staff on board, these may have been feasible. But not for an organization of 25 seats or fewer using my company for managed IT services.
Remote Desktop Services in Windows Server 2012 provides you with three options for providing virtual desktops. The way we went, which is also the cheapest to roll out and maintain, is Session Hosting. You can also branch out into Pooled VMs, or for the most personalization per user, Personal VMs. Session Hosting is the new name for traditional Terminal Services as we know it. Watch the excellent TechEd 2013 overview video about RDS in Server 2012 for a further look into the tech. (Image Source: Microsoft)
Providing session based RDS access for Surface tablets is pretty much what it sounds like. You setup an RDS server (in our case, a virtual server on Hyper-V) that has the RDS role turned on for session hosting, and users are able to remote in from anywhere with internet access to use full blown Windows apps, as if they were on a traditional laptop or desktop. Our needs for applications weren't that heavy. Microsoft Office 2013. A line of business apps. Adobe Reader. Internet Explorer 10. QuickBooks Enterprise 14. And a few other odds and ends.
Perhaps just as powerful as the ability to get access to full traditional Windows apps is the fact that we can easily sandbox our data footprint within the virtual desktop environment. Unlike a traditional VPN approach where users have to dial in and then get full open access to internal file shares, when users are working within file shares over RDS, the files never leave the internal network. They are doing their work over a "window" into the office RDS server.
There is no such thing as file loss from stolen Surface tablets. The tablets themselves are encrypted by the use of Microsoft accounts for local sign in, so loss of a device is near meaningless to the company beyond the cost of the device. The thief will very unlikely be able to get past the Surface login password, and even if so, they would need to get past the login process for Remote Desktop into the RDS server -- another unlikely hurdle as we would have forced a password change for the user's network credentials by then. A double mountain that 99 percent+ of thieves would never overcome.
One question I always get asked: do users lose any functionality compared to using a traditional laptop or desktop? Remember, with this radical new approach to a tablet fleet, we weren't aiming at doing the standard "PC-plus" approach to tablet usage -- equipping everyone with a tablet while leaving their traditional computer in place at the office. That's old hat to me at this point. This Surface fleet was fully replacing any need for a user to rely on a Windows laptop or desktop. And for the most part, we did it. Our situation didn't have any gaps that we couldn't fill.
There are a few niche instances where you may have to fall back on a non-RDS approach for unique situations. For one, using Lync 2013 through an RDS connection is supposedly supported now, but as you can see from Microsoft's blog post, it's definitely a tricky endeavor. While I have had great results with streaming audio and video over RDS (thanks to the excellent improvements in the RDS RemoteFX technology), I have yet to test any kind of VoIP or Lync connectivity. This customer moved onto RingCentral VoIP, which uses desk phones and regular cell phone capabilities, so we didn't have this roadblock, but I am forewarning anyone about the trouble RDS could potentially present for VoIP.
All other critical functions are working great. File share access is fast thanks to the new SMB 3.0 support in Server 2012 (which, compared to the old Server 2003 systems they had, is a huge improvement in speed and management). Aside from a few manufacturer-related glitches we ran into regarding drivers in the beginning, printing is working for all users now at both offices they frequent. As mentioned, streaming media over YouTube and voicemail audio messages from RingCentral through the Outlook client have no problems either. RDP version 8, available in Windows 7 SP1 and higher, handles everything from the slowest to the fastest internet connections with ease, because it automatically scales visual features up or down to match the available bandwidth.
And users are even using the Surface USB port to transfer photos taken on their cell phones or from flash drives, and dump them straight into their RDS desktops for long term storage on file shares. No extra software beyond the standard Remote Desktop client on the Surface was necessary to get this done. If you are using more traditional PCs to connect over RDP, you can leverage connecting printers through sessions so that users can work in Word 2013 for example on their virtual desktop, yet still print to their local desk printer over USB.
And while some technicians may scoff at this, users are actually getting accustomed to the Start screen interface of their local Surface devices and that of the RDS desktops on Server 2012. Touch DOES work over RDS so they can use full pinching, swiping, and other gestures on their remote desktops. Touch when they need it -- and traditional keyboard and mouse usage when they don't. That's the flexibility that Surface RT provides which Android and iPads can't lay claim to. And for our purposes, it's working darn well.
A Note on RDS User Customization: Say Hello to User Profile Disks (UPD)
If you have used Terminal Services in the past, you may remember that there was no such thing as personalization of the desktop environment between users. What they got from the administrator is what they were forced to use. No custom shortcuts, personalized wallpaper, etc. That's a definite thing of the past. Microsoft introduced a cool new feature called User Profile Disks in Server 2012 which takes Terminal Services to a whole new level.
Previously, Terminal Services forced all users to work off a common set of variables. The same shortcuts, desktop layout, customization options, etc. UPD is built right into the RDS platform at no extra cost, and allows you to specify a share on your file server where per-user VHDX "profile disks" can be stored for access by respective individual users. This happens behind the scenes for each new RDS user, and requires no configuration on their end. After turning the feature on within RDS, the template VHDX gets auto created and this is used to provide each new user with a baseline for their virtualized profile storage area. It's like folder redirection and roaming profiles on steroids, without the headaches of the former.
Does the technology work? I absolutely love it. I don't think I would have recommended RDS if we couldn't have the level of customization that UPD provides now. Every single user can customize their desktop shortcuts, wallpaper, and even have per-application settings such as within Outlook and other apps that would have otherwise had customizations wiped away on user logoff. If you have a lot of users, you may need to be watchful of how much space these UPD files are taking up (we're averaging 200-400MB per UPD now) but seeing as we have under 25 seats at this organization, our 2TB RAID 1 storage array is more than plenty.
I highly recommend anyone implementing RDS 2012 to leverage User Profile Disks for their deployment. Your users will definitely thank you for it.
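As an added example (my own illustration, not configuration taken from the post or from Microsoft's documentation), the following PowerShell, run on the RDS connection broker, turns User Profile Disks on for an existing session collection and then reports how much space each user's VHDX is consuming on the share, flagging disks over a threshold and stale disks whose SID no longer resolves. The collection name, broker, share path and threshold are assumptions; the share must already grant the session host computer account Full Control.

```powershell
# Added example, not the post's own configuration. Assumed names:
# collection "SurfaceDesktops", broker RDS01.corp.local, share \\FS01\UPD$.
Import-Module RemoteDesktop

$Collection = 'SurfaceDesktops'
$Broker     = 'RDS01.corp.local'
$UpdShare   = '\\FS01\UPD$'
$Threshold  = 1GB   # report any profile disk larger than this

# Enable UPD for the collection; every user gets a VHDX capped at 20 GB.
Set-RDSessionCollectionConfiguration -CollectionName $Collection `
    -ConnectionBroker $Broker `
    -EnableUserProfileDisk `
    -DiskPath $UpdShare `
    -MaxUserProfileDiskSizeGB 20

# Confirm the setting took effect.
Get-RDSessionCollectionConfiguration -CollectionName $Collection `
    -ConnectionBroker $Broker -UserProfileDisk |
    Select-Object CollectionName, EnableUserProfileDisk, DiskPath, MaxUserProfileDiskSizeGB

# Per-user usage report. Profile disks are named UVHD-<SID>.vhdx;
# UVHD-template.vhdx is the baseline disk new users are cloned from.
Get-ChildItem -Path $UpdShare -Filter 'UVHD-*.vhdx' |
    Where-Object { $_.Name -ne 'UVHD-template.vhdx' } |
    ForEach-Object {
        $file = $_
        $sid  = $file.BaseName -replace '^UVHD-', ''
        # Resolve the SID to an account; if that fails the account is gone and
        # the disk is an orphan worth cleaning up.
        try {
            $user = (New-Object System.Security.Principal.SecurityIdentifier($sid)).Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            $user = "ORPHAN ($sid)"
        }
        [pscustomobject]@{
            User        = $user
            SizeMB      = [math]::Round($file.Length / 1MB, 1)
            OverLimit   = $file.Length -gt $Threshold
            LastWritten = $file.LastWriteTime
        }
    } | Sort-Object SizeMB -Descending | Format-Table -AutoSize
```

Run the report on a schedule and you get the space check the post recommends without opening the share by hand; the orphan flag also catches disks left behind for users who were removed from the domain.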
Post-Conversion: A Lean, Mean IT Backbone
While the Surface tablet deployment was not the sole driving force in streamlining the IT footprint as far as the network goes, the time was ripe for getting rid of overlapping technologies and servers. And that's exactly what we did. From three barely functional Server 2003 boxes to a single beefy Server 2012 box that handles everything the three separate boxes did pre-conversion, and more. That's because on top of the traditional server roles we dumped onto the new server, like Active Directory Domain Services, DNS, file shares, etc., we also threw Hyper-V onto the box.
In the year 2013, installing a separate server just to run Hyper-V would have been ridiculous for our needs. Especially for a smaller organization of 25 seats or fewer, where load on the server is not going to be tremendous at any given time. It was a no-brainer for us. With dual 3+ GHz, quad core Xeon processors and 24GB of RAM at our disposal, there was no reason not to consolidate. We also managed to get dual RAID 1 arrays going on the box: one dual-SSD setup for the OS installation and RDS virtual server, and a second array solely for storage (file share) purposes. The arrangement is working without fuss, and markedly better than the old RAID 5 that was hobbling along.
After the consolidation was done (shown above), our IT footprint was exactly where we wanted it. A single Windows 2012 server that was hosting a virtualized Hyper-V instance of Server 2012 for Remote Desktop purposes, and our email needs were moved from on-premise Exchange 2007 to Office 365. Surface tablet users now connect directly over RDP to the RDS server anywhere in the world they have internet. We increased security, ease of accessibility, and overall speed many times over. It was a resounding success that took only a few months to complete.
Some people in the IT world claim that Remote Desktop has security concerns for usage over the internet. Of course it does -- just like any other technology that is implemented without forethought and planning. The amount of options Microsoft provides for RDP security, especially in the 2012 and 2012 R2 release of Server, trounce its 2008 and earlier brethren quite a bit. You can combine the use of certificate authentication, Network Level Authentication, RDP version restrictions, session encryption, RDP port obfuscation alongside firewall rules, as well as only allowing a small subset of your AD user base to access the RDS server. If that combination of options isn't strong enough for your tastes, you shouldn't be rolling out a mobile tablet fleet in the first place.
A guide I used for hardening our Remote Desktop Services environment was this excellent post from the Berkeley University IT Department. While their guide is targeted at 2003 and 2008 servers, the guidance is all still super relevant.
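To make the hardening options listed above concrete, here is an added PowerShell example of my own (not configuration from the post or from the Berkeley guide) for a Server 2012 session host. It enforces Network Level Authentication, TLS as the security layer and high encryption, restricts sign-in to a dedicated AD group instead of all domain users, scopes the built-in Remote Desktop firewall rules to known source ranges, and finishes with two audit functions: one that verifies the settings, and one that summarizes failed RDP logons from the Security log by source address so password-guessing against the host is visible. The group name and address ranges are assumptions.

```powershell
# Added example, not the post's own configuration. Assumed: AD group
# CORP\RDS-Users; the Surface fleet reaches the host from 10.10.0.0/24 (VPN
# pool) and 192.168.1.0/24 (office LAN).
$RdpTcp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# 1. NLA on (credentials checked before a session is built), security layer
#    2 = TLS, minimum encryption level 3 = High (128-bit). These are the same
#    switches exposed in Remote Desktop Session Host Configuration.
Set-ItemProperty -Path $RdpTcp -Name UserAuthentication -Value 1
Set-ItemProperty -Path $RdpTcp -Name SecurityLayer      -Value 2
Set-ItemProperty -Path $RdpTcp -Name MinEncryptionLevel -Value 3

# 2. Only the dedicated group may log on through Remote Desktop.
net localgroup "Remote Desktop Users" "CORP\RDS-Users" /add

# 3. Keep the built-in RDP rules but limit where 3389 is reachable from.
Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True `
    -RemoteAddress '10.10.0.0/24', '192.168.1.0/24'

# 4a. Verify: Hardened is $true only when every setting is as expected.
function Test-RdpHardening {
    $cfg = Get-ItemProperty -Path $RdpTcp
    [pscustomobject]@{
        NLA                = $cfg.UserAuthentication
        SecurityLayer      = $cfg.SecurityLayer
        MinEncryptionLevel = $cfg.MinEncryptionLevel
        Hardened           = ($cfg.UserAuthentication -eq 1) -and
                             ($cfg.SecurityLayer -ge 1) -and
                             ($cfg.MinEncryptionLevel -ge 3)
    }
}

# 4b. Detect: failed logons (event 4625) of type 10 (RemoteInteractive) or
#     type 3 (how NLA rejections are logged), grouped by source IP.
function Get-FailedRdpLogons {
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625;
                                     StartTime = (Get-Date).AddHours(-$Hours) } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $evt = $_
            $x   = [xml]$evt.ToXml()
            $d   = @{}
            $x.Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
            [pscustomobject]@{
                Time      = $evt.TimeCreated
                User      = $d['TargetUserName']
                SourceIP  = $d['IpAddress']
                LogonType = $d['LogonType']
            }
        } |
        Where-Object { $_.LogonType -in '3', '10' } |
        Group-Object SourceIP | Sort-Object Count -Descending |
        Select-Object Count, Name
}

Test-RdpHardening
Get-FailedRdpLogons -Hours 24
```

A source address with dozens of 4625 events in a day is the signal to look for; with NLA enabled those attempts never reach the logon screen, but they still land in the Security log, which is where a small shop without a SIEM should be looking.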
For hardening the security of the actual RDS server user interface, I implemented Windows AppLocker which is the grown up version of Software Restriction Policies of years before. We did this on a local GPO level for that virtual server only, but we just as easily could have done it on a domain policy level. The technology works great in locking down a whitelist of applications that users should be able to access, and closing up everything that shouldn't have prying eyes. This simple getting started guide from Microsoft should get you off on the right footing.
Microsoft had an awesome demo on how AppLocker works back at TechEd 2010 which you can re-watch for yourself.
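As an added example (my own, not the post's configuration nor Microsoft's getting-started guide), this PowerShell builds an AppLocker whitelist for the RDS guest from what is actually installed on it, sets the rules to audit-only for the first rollout, dry-runs the policy against a user, applies it to the local policy (as the post did), and reports what the audit log says would have been blocked. The group, user and file paths are assumptions.

```powershell
# Added example, not the post's own configuration. Assumed: rules target
# CORP\RDS-Users; CORP\jdoe is a test user; the two test paths are placeholders.
Import-Module AppLocker

# AppLocker does nothing (not even auditing) without the Application Identity service.
Set-Service  -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc

$policyXml = "$env:TEMP\rds-applocker.xml"
$scanDirs  = 'C:\Program Files', 'C:\Program Files (x86)', 'C:\Windows\System32'

# Inventory installed binaries and turn them into rules: publisher rules for
# signed files (they survive patching), hash rules for unsigned ones.
# -Optimize collapses files from the same publisher into a single rule.
$scanDirs |
    ForEach-Object {
        Get-AppLockerFileInformation -Directory $_ -Recurse `
            -FileType Exe, Dll, WindowsInstaller, Script -ErrorAction SilentlyContinue
    } |
    New-AppLockerPolicy -RuleType Publisher, Hash -User 'CORP\RDS-Users' -Optimize -Xml |
    Out-File -FilePath $policyXml -Encoding UTF8

# Start in AuditOnly so a missed application shows up in the log rather than
# as a help-desk call; switch to Enabled once the log has been quiet.
[xml]$doc = Get-Content -Path $policyXml
foreach ($rc in $doc.AppLockerPolicy.RuleCollection) { $rc.EnforcementMode = 'AuditOnly' }
$doc.Save($policyXml)

# Dry run: what would the policy decide for a user launching Word versus an
# executable dropped in a user-writable folder?
Test-AppLockerPolicy -XmlPolicy $policyXml -User 'CORP\jdoe' -Path @(
    'C:\Program Files\Microsoft Office\Office15\WINWORD.EXE',
    'C:\Users\jdoe\Downloads\setup.exe'
) | Select-Object FilePath, PolicyDecision, MatchingRule

# Apply to the local policy of this server; -Merge keeps existing rules.
Set-AppLockerPolicy -XmlPolicy $policyXml -Merge

# Review: 8003 = audit-only "would have been blocked", 8004 = blocked.
function Get-AppLockerHits {
    param([int]$Days = 7)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL';
                                     Id = 8003, 8004;
                                     StartTime = (Get-Date).AddDays(-$Days) } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $evt = $_
            $x   = [xml]$evt.ToXml()
            [pscustomobject]@{
                Time    = $evt.TimeCreated
                EventId = $evt.Id
                User    = $x.Event.UserData.RuleAndFileData.TargetUser   # a SID
                File    = $x.Event.UserData.RuleAndFileData.FilePath
            }
        } | Group-Object File | Sort-Object Count -Descending | Select-Object Count, Name
}

Get-AppLockerHits -Days 7
```

Run the review function for a week or two in audit mode: a line-of-business app that was missed by the scan appears as a repeated 8003 hit for a legitimate path, while a one-off 8003 for something under a user profile is exactly what the whitelist is there to stop once enforcement is turned on.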
How Does Hyper-V Compare to VMWare for Virtualization?
I know a lot of IT pros may be skeptical of the new kid on the block. Windows Hyper-V, which is Microsoft's first serious foray into the enterprise virtualization arena (Virtual PC doesn't count), may surprise more than a few of you. VMWare is the 800 pound gorilla that has excellent products like ESXi and vSphere on the market which have defined the new era of server virtualization. But being first doesn't always mean being the best.
Making a decision on what platform you are going to virtualize your servers upon should be qualified not only through the prism of costs, but also in respect to capacity, stability, virtual networking resiliency, and other qualitative factors. While none of my Hyper-V deployments will ever come close to the headroom the platform has, I do want to show some evidence of the kind of scalability that Hyper-V allows for in a truly enterprise setting.
Here is a chart that compares the limits of what both Hyper-V (2012) and VMWare's vSphere offer today:
If you thought Hyper-V wasn't ready for primetime enterprise usage, guess again. Hyper-V allows for double the amount of logical processors; 125 times the amount of physical memory and memory per VM; and double the amount of active VMs per host system. That's quite a showing for a relatively young product, especially up against a behemoth like VMWare. (Image Source: Chris Avis)
The upsides don't end there. Microsoft allows for native VM replication, incremental backup capability, failover prioritization, and more:
(Image Source: Chris Avis)
You can also check out some related information on how Hyper-V handles availability better than VMWare, as well as how the two giants compare in terms of licensing on features. Again, many of these aspects don't even apply to my circumstances since our deployment is so low scale and rudimentary, but if you are from a larger organization debating the merits of Hyper-V vs VMWare, these discussion points should without a doubt be on the table.
Another big reason that Hyper-V was a much better option for us is pricing. We didn't want to go the Type 1 hypervisor route for this project because it would have required a second dedicated server and would have increased our IT footprint, not lowered it. This small business wanted to keep their backbone lean. So that meant we had to choose a Type 2 hypervisor, and the two obvious choices were Hyper-V (completely free) or VMWare in the form of Workstation.
The cost for a VMWare Workstation license would have run us an easy $250 just for the hypervisor, plus another outlay of money to purchase a third party backup program to allow for automated backup of a VMWare Workstation VM instance, since the software provides no out-of-box backup functionality. By contrast, Microsoft provides integrated free backup of Hyper-V VMs using the native Windows Server Backup utility that is included in every copy of Server 2012. And if I didn't mention it already, installing the Hyper-V Role on full Server 2012 is always free.
You can see how the decision to go Hyper-V was a no brainer for us at this point. Virtualization licensing on Server 2012 is dirt simple, and basically comes in two forms:
- Windows Server 2012 Standard: Allows you to run up to 2 fully functional VMs on Hyper-V on up to 2 physical CPUs.
- Windows Server 2012 Datacenter: Allows for unlimited VMs across 2 physical CPUs.
The price difference between Datacenter and Standard is quite hefty, and therefore, we logically went with Server 2012 Standard for our needs. But a company that may need more than 2 VMs running off a single host may want to invest in Datacenter edition, as it will greatly reduce licensing costs over buying separate physical servers for the long term.
Hyper-V 2012 Brings a Lot of New Enterprise Features to the Table
The latest iteration of Hyper-V has a lot to offer, and much of it we aren't even leveraging at our customer location since the scale of our project is small compared to what some companies may need. But Microsoft put a lot of work into ensuring that Hyper-V 2012 isn't just another "me too" product in their portfolio. This puppy packs a punch.
You can look through all of the improvements that were introduced in the 2012 release yourself, but here are some of the major ones that will be of most benefit to organizations big and small:
- Host Clustering: You can attach up to a disgusting 8000 VMs per cluster in order to provide for truly enterprise grade high availability and failover capability. For small orgs this is not practical, but big companies handling massive mission critical workloads on Hyper-V may find this necessary.
- Hyper-V Replica: Out of the box, you can replicate VMs on the fly to other systems in your datacenter or office. But Microsoft is rolling out on-premise to Azure replica functionality with the release of Server 2012 R2. The service is in testing right now, but Microsoft is expected to have this in GA form soon. Companies will be able to leverage Azure as a true hot site emergency datacenter location with relatively little effort.
- Virtual Networking: SDN (Software Defined Networking) has replaced cloud as the new "it" technology for the enterprise. Server 2012 and Hyper-V already have SDN covered in the form of Hyper-V virtual switching capabilities. No need to wait until the big boys like Cisco and Juniper get their act together. You can check out this in-depth starter's guide to virtual networking in Windows Server here.
- Live Migration: Taking down a VM before you need to migrate it is a definite thing of the past. Hyper-V lets you migrate live VMs across hosts without any downtime. I've never used the technology, but you can read into it yourself.
- Dynamic Memory: Hyper-V 2012 gives you a plethora of options for assigning memory usage weights and ceiling/floor quotas for when guest VMs' needs start inflating. The tech is similar to, but slightly different from, VMWare's ballooning approach.
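Of the features listed above, Dynamic Memory and Hyper-V Replica are the two a small shop like this one can put to work immediately, so here is an added PowerShell example of my own (not the post's configuration) that configures both for the RDS guest: a memory floor, ceiling, buffer and priority for the VM, then replication to a second Hyper-V host with Kerberos authentication. The VM name, replica host and storage path are assumptions; both hosts are assumed to be domain members.

```powershell
# Added example, not the post's own configuration. Assumed names: VM "RDS01",
# replica host HV02.corp.local, replica storage D:\Replica on that host.
Import-Module Hyper-V

$Vm          = 'RDS01'
$ReplicaHost = 'HV02.corp.local'

# Dynamic Memory: boot with 4 GB, allow the guest to shrink to 2 GB or grow
# to 12 GB, keep a 20% buffer of spare memory, and weight this VM above the
# default priority (50) when the host is short on RAM. On Hyper-V 2012 these
# settings can only be changed while the VM is off.
Stop-VM -Name $Vm
Set-VMMemory -VMName $Vm -DynamicMemoryEnabled $true `
    -StartupBytes 4GB -MinimumBytes 2GB -MaximumBytes 12GB `
    -Buffer 20 -Priority 80
Start-VM -Name $Vm

# Replica, step 1 (on the replica host): accept Kerberos-authenticated
# replication and open the HTTP listener the built-in firewall rule covers.
Invoke-Command -ComputerName $ReplicaHost -ScriptBlock {
    Set-VMReplicationServer -ReplicationEnabled $true `
        -AllowedAuthenticationType Kerberos `
        -ReplicationAllowedFromAnyServer $true `
        -DefaultStorageLocation 'D:\Replica'
    Enable-NetFirewallRule -DisplayName 'Hyper-V Replica HTTP Listener (TCP-In)'
}

# Replica, step 2 (on the primary host): enable replication for the VM,
# keep 4 hourly recovery points, and push the initial copy over the wire.
Enable-VMReplication -VMName $Vm -ReplicaServerName $ReplicaHost `
    -ReplicaServerPort 80 -AuthenticationType Kerberos -RecoveryHistory 4
Start-VMInitialReplication -VMName $Vm

# Health check worth scheduling: State should reach "Replicating" and
# Health should be "Normal" once the initial copy completes.
Get-VMReplication -VMName $Vm | Select-Object Name, State, Health, ReplicaServer
```

Replica is a disaster-recovery copy, not a backup: a corrupted profile disk or a bad Windows update replicates to the second host just as faithfully as good data does, so keep the Windows Server Backup job the post mentions in place alongside it.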
You can get started on your own Hyper-V environment by getting the full Server 2012 Trial which allows you to install the Hyper-V Role for free. For those planning on setting up their own RDS environment on a single physical server, this is the best approach to take. Conversely, if you wish to just have a dedicated Hyper-V server that can host numerous VMs for your production or testing needs, you can grab the completely FREE Windows Hyper-V Server 2012 from Microsoft (yes, it is truly free).
I hope this lengthy post provides not only the proof of concept that Hyper-V is a production worthy virtualization host, but also that a true "tablet only" future IS possible if done on a proper platform like Surface RT tablets. Don't buy into the hype that iPads are the only way to go when it comes to mobile tablet fleets. The Surface line offers all of the same benefits as the iPad does, but brings full traditional desktop and input to the table in a way that no other competitor can as of yet.
Have you rolled out a Surface fleet of your own? Or, did you just finish an iPad rollout and wish you waited? Let us know in the comments area below. And we would also love to hear your feelings on the Hyper-V vs VMWare debate. Which platform is your organization using or planning on moving to?
If you didn't read part 1 of my miniseries on going Surface at your organization, please ensure you check out last week's entry titled "5 reasons Surface tablets blow away iPads for a mobile business workforce".
Derrick Wlodarz is an IT Specialist who owns Park Ridge, IL (USA) based technology consulting & service company FireLogic, with over eight years of IT experience in the private and public sectors. He holds numerous technical credentials from Microsoft, Google, and CompTIA and specializes in consulting customers on growing hot technologies such as Office 365, Google Apps, cloud-hosted VoIP, among others. Derrick is an active member of CompTIA's Subject Matter Expert Technical Advisory Council that shapes the future of CompTIA exams across the world. You can reach him at derrick at wlodarz dot net.