Virtualise servers, virtualise desktops, virtualise applications/services: these are all things available now, and are mature and well-understood technologies.
Now I guess we should discuss how to virtualise the user. Which is pretty much the final piece in the puzzle.
There are companies doing this now. In various guises. What divides opinion at the moment is what exactly a user is. Sorry about the Yoda style there!
The Hawking Excitation
Things We Find Interesting
Monday, 4 November 2019
Friday, 15 June 2012
Collaboration Collolary
Who in the real world doesn't have some IIS web sites?
Recently a new(ish) piece of software came to my attention: Aptimizer. These guys recently joined forces with (got bought by) Riverbed. Riverbed is a WAN optimiser.
Back to Aptimizer: the claim is that this little piece of software, once installed, can convert your IIS website, homebrewed or not, from a slow and painful experience (which takes a lot of developer effort :) ) into a blisteringly fast and fun one, with no developer involvement at all.
What?
I don't need to talk to the developers or the server team?? My site is just faster, despite the best efforts of the original web/server monkeys? How is this magic done?!
It's quite simple really. Taken from a browser perspective, it is quicker to load fewer, larger items than it is to load lots of small ones. Let's take IE for instance: it may make 10 connections to your IIS site, and each connection can download one item. A typical website may have around 50+ items, so it is pretty easy to do the maths. So IE has gotta work pretty hard tearing down connections and making new ones (although this doesn't always happen and can cause even more performance issues!)
So reducing the number of connections required can produce faster websites. Couple this with whitespace and comment removal (comments? Do developers read these?! Your browser certainly doesn't!), which will shrink files further.
A pretty smart feature of Aptimizer is also data: URIs: this is the embedding of data (normally an image) into the HTML rather than sending an image file. Nice. Use this with sprites (group all images into one image, an uber-collage) and yet again more shrinking and reduced connections.
Not all websites work though. I've attempted this on a couple of sites I have, one of which is the System Center Operations Manager site. Not good. You can fiddle around with the settings, but I'm an out of the bag kinda guy. So I haven't.
There is a special edition solely for Microsoft Office SharePoint Services sites, which is pretty much the market they are going for. Microsoft even use Aptimizer for themselves it seems!
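To make the maths above concrete, here is an added example (my own code for this post, not Aptimizer's or Riverbed's) that applies the three tricks described, fewer requests, comment/whitespace stripping and data: URIs, to a constructed HTML page and measures the effect on request count. The sample page, the in-memory "web root", the 2 KB inlining cut-off and the 10-connection browser figure are all assumptions for the example.

```python
# Added example, not Aptimizer's or Riverbed's code: the three tricks the post
# describes (fewer requests, comment/whitespace stripping, data: URIs), applied
# to a constructed HTML page so the effect on request count can be measured.
# The sample page, the in-memory "web root", the 2 KB inlining limit and the
# 10-connection browser figure are all assumptions for the example.
import base64
import math
import re
from html.parser import HTMLParser

# Constructed sample page: one stylesheet, one script, three small images.
SAMPLE_HTML = """<!DOCTYPE html>
<html>
  <head>
    <!-- developer note: nobody's browser reads this -->
    <link rel="stylesheet" href="site.css">
    <script src="app.js"></script>
  </head>
  <body>
    <img src="logo.png">   <img src="icon1.png">
    <img src="icon2.png">
  </body>
</html>
"""

# Constructed stand-in for files on the web root (real code would read from disk).
FILES = {
    "logo.png": b"\x89PNG" + b"\x00" * 40,
    "icon1.png": b"\x89PNG" + b"\x01" * 20,
    "icon2.png": b"\x89PNG" + b"\x02" * 20,
}

INLINE_LIMIT = 2048  # bytes; data: URIs only pay off for small images (assumed cut-off)


class AssetCounter(HTMLParser):
    """Collects the extra HTTP requests a browser would make to render the page."""

    def __init__(self):
        super().__init__()
        self.requests = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        src = None
        if tag in ("img", "script"):
            src = a.get("src")
        elif tag == "link" and a.get("rel") == "stylesheet":
            src = a.get("href")
        if src and not src.startswith("data:"):
            self.requests.append(src)


def count_requests(html):
    """Number of separate items the browser must fetch besides the HTML itself."""
    p = AssetCounter()
    p.feed(html)
    return len(p.requests)


def strip_comments_and_whitespace(html):
    """Remove HTML comments and the whitespace between tags."""
    html = re.sub(r"<!--.*?-->", "", html, flags=re.S)
    return re.sub(r">\s+<", "><", html).strip()


def inline_small_images(html, files, limit=INLINE_LIMIT):
    """Replace src="x.png" with a base64 data: URI when the file is small enough."""
    def repl(match):
        name = match.group(1)
        data = files.get(name)
        if data is None or len(data) > limit:
            return match.group(0)  # leave large or unknown images alone
        b64 = base64.b64encode(data).decode("ascii")
        return 'src="data:image/png;base64,%s"' % b64
    return re.sub(r'src="([^"]+\.png)"', repl, html)


def rounds_needed(requests, parallel=10):
    """Fetch 'rounds' if the browser opens `parallel` connections, one item each."""
    return math.ceil(requests / parallel)


def optimise(html, files):
    """The whole pipeline: strip, then inline."""
    return inline_small_images(strip_comments_and_whitespace(html), files)


if __name__ == "__main__":
    before = count_requests(SAMPLE_HTML)
    after = count_requests(optimise(SAMPLE_HTML, FILES))
    print("requests before/after:", before, after)
    print("rounds for a 55-item page at 10 connections:", rounds_needed(55))
```

The "rounds" figure is deliberately the simplified model from the post (one item per connection, connections torn down between rounds); real browsers reuse connections, which is exactly the caveat the post hints at.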
Thursday, 24 May 2012
The Myth of Finger Prints
Something most established IT environments will have is a password policy.
This will say something like passwords lockout after 3 failed attempts, passwords must change every 3 months and meet certain character count requirements.
Whilst there is nothing outwardly wrong with having a password policy, things have to move on; we no longer live in the 90s where we have one password and one device.
My suggestion would be to have password policies based on the impact of that password being breached against the likelihood of that password being breached.
Or, to put it another way, have some common sense around user passwords and treat them differently to service or secure passwords.
Sure, have your company bullion locked behind a password that is 64 characters long, complex, locks after one failed attempt and changes every hour. However, the average user account shouldn't be treated the same.
Have a password rating based on the business impact of that password being breached. This rating should determine what level of policy the password should have.
I hate the 3 strikes rule; irrespective of how many strikes you are allowed, this is a denial of service attack on your own users.
I don't like my password changing either; again this leads to issues where a remote user might not complete the password change process correctly and end up with out-of-sync passwords. Add into this an iPhone or Android device connecting to email and you have a major service desk headache.
I do like a long password which never changes or gets locked out.
I read somewhere that a 14 character password will take a dedicated specialised application 5 seconds to crack when it has access to the hash of the password. Interesting, but the likelihood is that a person who is after a user's password will find social engineering far more effective and practical.
I think we should encourage our users to create their own "algorithm" for password creation, set the password once, and never lock it. OK, let's say change it once a year. I would also throw the idea of not writing passwords down into the bin. Let your users own their own passwords. They will write them down anyway! You may find that people are more willing to choose complicated passwords if they feel they can write them down.
Here's a rubbish "starter for 10" on a user's algorithm....
SMTWTFS or JFMAMJJASOND
Obviously all this gumph is in your Security Policy right? What do you mean you don't have one! ;)
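Here is the "rating" idea from above written down as code. This is an added example of my own, not something from any product or policy document: the 1..3 impact and likelihood scores, the three tier names and the numbers inside each tier are assumptions chosen to sit between the two extremes in the post (the company bullion vs. the average user account).

```python
# Added example, not from the post or any product: the post's suggestion of
# rating each password by the impact and likelihood of it being breached, and
# letting that rating pick the policy. The 1..3 scores, the three tier names and
# the numbers inside each tier are assumptions chosen to sit between the post's
# two extremes ("company bullion" vs. the average user account).
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class PasswordPolicy:
    tier: str
    min_length: int
    lockout_threshold: Optional[int]  # failed attempts before lockout; None = never lock
    max_age_hours: Optional[int]      # None = never expires
    require_complexity: bool


# Assumed tiers. "user" is the post's long password that changes once a year and
# never locks; "vault" is the 64-char, lock-after-one-strike, hourly-change end.
TIERS = {
    "user": PasswordPolicy("user", 14, None, 365 * 24, False),
    "elevated": PasswordPolicy("elevated", 20, 10, 90 * 24, True),
    "vault": PasswordPolicy("vault", 64, 1, 1, True),
}


def rate(impact: int, likelihood: int) -> str:
    """Map 1..3 impact and 1..3 likelihood of breach to a tier (assumed thresholds)."""
    if not (1 <= impact <= 3 and 1 <= likelihood <= 3):
        raise ValueError("impact and likelihood must be 1..3")
    if impact == 3 and likelihood >= 2:
        return "vault"
    if impact * likelihood >= 3:
        return "elevated"
    return "user"


def policy_for(impact: int, likelihood: int) -> PasswordPolicy:
    """The policy an account gets from its rating."""
    return TIERS[rate(impact, likelihood)]


def violations(password: str, policy: PasswordPolicy) -> List[str]:
    """List why a candidate password fails the policy; an empty list means it passes."""
    problems = []
    if len(password) < policy.min_length:
        problems.append("too short: %d < %d" % (len(password), policy.min_length))
    if policy.require_complexity:
        classes = (
            any(c.islower() for c in password),
            any(c.isupper() for c in password),
            any(c.isdigit() for c in password),
            any(not c.isalnum() for c in password),
        )
        if sum(classes) < 3:
            problems.append("needs at least 3 of 4 character classes")
    return problems


def should_lock(failed_attempts: int, policy: PasswordPolicy) -> bool:
    """The '3 strikes' decision, with the tier deciding how many strikes (if any)."""
    return policy.lockout_threshold is not None and failed_attempts >= policy.lockout_threshold


if __name__ == "__main__":
    # A normal user account trying the post's "starter for 10" algorithm output
    # (days of the week followed by months; constructed candidate).
    pol = policy_for(impact=1, likelihood=2)
    print(pol.tier, violations("SMTWTFSJFMAMJJASOND", pol), should_lock(3, pol))
```

The point of keeping the tier as data rather than hard-coding one rule set is that the lockout and expiry decisions both read from the same rating, so a user-tier account really does get "never lock, change once a year" while the vault tier keeps its one-strike rule.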
Friday, 18 May 2012
Enterprise Mortality
Whilst drowning myself in internet blogs I remembered once saying something a long time ago...
"The xxx is not Enterprise ready"
Replace xxx with whatever new gadget was coming up... iMac, Psion, Newton, whatever was around in the 90s. This was used carte blanche as a pendulum axe which the hapless user would have to lie under should they want to connect their new shiny toy to the "Enterprise". 100% kill rate.
Recently I heard this repeated, yes I was earwigging.
I am officially rescinding my comment. Well, amending. It probably was true in the 90s (when I said it!)
Now I believe the opposite is true.
"The Enterprise is not ready for xxx"
Far too often I hear my colleagues saying "no" to users' requests. This is not due to anything other than that they are asking us for something we don't know how to fit into our enterprise, or, God forbid, hadn't even heard of.
I now think that, in IT terms, the Enterprise as we knew it is dead. Or at least needs to be killed off. It is the shackle that holds IT back in the 90s. Yes, we've got to figure out what to do about consumer products and whatnot, but unless we kill the Enterprise, at least in our minds, we are toast.
The Desktop Motion
Someone somewhere said, "Server virtualisation is soooo cool. I bet we can do the same for desktops!"
And so began the marketing strategy to sell VDI to the Enterprise. I think that was about 5 years ago. Where's your VDI?
Now don't get me wrong. I love VDI. I just don't see it as a solution to any real problems the Enterprise has at the moment. IT professionals are eating up the marketing Kool-Aid and implementing VDI against a very flimsy, if indeed any, business case.
What needs to happen first is a culture change towards desktop deployment, instead of seeing DD as a stepping stone for the apprentice/student/newbie, a kind of easy fix for finding something for someone with relatively little IT experience to do (change tapes, anyone?).
Desktop delivery needs to be valued; as I've said before, a desktop is how users connect into the infrastructure. Get this wrong and no manner of technical wizardry in the Data Center will numb the pain. Too often is heard "I really love the new SharePoint site... when I can get to it". OK, I was pushing it with SharePoint, but you get the idea.
Anyways, back on track. VDI. Basically, if you have a good desktop (by that I mean UAC is ON, users are NOT administrators, My Documents at least is redirected to a network share, and you have a solid and reliable build process, MDT for example), then VDI could be implemented.
However pushing VDI past implementation/pilot/IT and into the big wide world is an entirely different noodle salad.
I've been looking at the Citrix XenClient. This is a bare-metal or "type 1" hypervisor for laptops. This allows you to have a number of builds on one device. Obviously the number of VMs is limited by the amount of memory you can cram into your laptop.
As with all VDI, I still feel that XenClient is not ready for the mainstream user base. It is a useful tool for an engineer to be able to carry around various builds to different sites, or for a testing team to check out how things may affect users in different domains by having different VMs connected to different domains, all in one laptop.
I guess I should mention that Citrix also has a server piece in this VDI puzzle which can synchronise the VM desktop back to the server. Yeah, whatever.
Mailbox determination
Exchange 2010 comes replete with 4 mailbox types.
Equipment
Room
User
Linked
There is not much between them to be honest; the Room mailbox has some extra attributes such as capacity, but they are just mailboxes, albeit with nice icons.
The interest comes when the Calendar Attendant is used.
On a standard User mailbox the attendant does some rudimentary housekeeping *yawn*, but on the Room and Equipment mailboxes the attendant can approve or reject meeting requests.
This is really cool as now the Room or Equipment mailbox can effectively manage its own calendar. You can have a "real" person own the calendar too for fine tweaking, but calendar conflicts can be managed by the organiser: they receive a kind email saying that the room is not available during that time.
If the organiser is sensible, it is also possible to add a Room or Equipment mailbox as an attendee of the meeting and use the Scheduling Assistant to see when the Room or Equipment is actually available.
Unfortunately Microsoft have missed a trick here: whilst you can search for a "resource" based on the extra attributes, like room capacity, the search is clunky, and it is possible to jam a room full and the Room mailbox won't query this. It would be nice if the Calendar Attendant was able to count the attendees (less itself of course) and decide whether it is a suitable room. Maybe feeding this back using the excellent MailTips..?
Another annoyance is that you cannot link resources, so you cannot link the calendar of a projector to the calendar of a room. This means you have to add both to the invite to book them. It would be better to allow either to be booked separately, however the container also books the contained. MailTips could be used here again to feed back, for an added room, whether resources are available.
One step at a time I guess.
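To show what the attendant does today and what I'm wishing for, here is an added example of my own, not Exchange code: a small model of a Room/Equipment mailbox that auto-rejects a request when the resource is already booked, extended with the two missing pieces above, a capacity check on the attendee count and a "contains" link so that booking the room also books its projector. The resource names, capacities, times and the `contains` link are all constructed for the example.

```python
# Added example, not Exchange code: a model of the behaviour the post describes
# for Room and Equipment mailboxes (the attendant rejecting a request when the
# resource is already booked) extended with the two things the post wishes the
# Calendar Attendant did: refuse a room whose capacity is below the attendee
# count, and book contained equipment (a projector) along with its room.
# Resource names, capacities, times and the "contains" link are all constructed.
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Tuple


@dataclass
class Booking:
    organiser: str
    start: datetime
    end: datetime


@dataclass
class Resource:
    name: str
    kind: str                          # "room" or "equipment", as in Exchange 2010
    capacity: Optional[int] = None     # rooms carry a capacity; equipment does not
    contains: List["Resource"] = field(default_factory=list)  # assumed link, not an Exchange feature
    calendar: List[Booking] = field(default_factory=list)

    def is_free(self, start: datetime, end: datetime) -> bool:
        """True when no existing booking overlaps [start, end)."""
        return all(end <= b.start or start >= b.end for b in self.calendar)

    def request(self, organiser: str, start: datetime, end: datetime,
                attendees: int = 1) -> Tuple[bool, str]:
        """Auto-accept or auto-reject, returning the reply the organiser would get.

        `attendees` is the number of people, i.e. the invite's attendees less the
        resource mailbox itself, as the post puts it.
        """
        if end <= start:
            return False, "end must be after start"
        if self.kind == "room" and self.capacity is not None and attendees > self.capacity:
            return False, "%s seats %d but %d attendees were invited" % (self.name, self.capacity, attendees)
        for r in [self] + self.contains:
            if not r.is_free(start, end):
                return False, "%s is not available during that time" % r.name
        for r in [self] + self.contains:   # the container books the contained
            r.calendar.append(Booking(organiser, start, end))
        return True, "%s booked for %s" % (self.name, organiser)


def find_room(rooms: List[Resource], start: datetime, end: datetime,
              attendees: int) -> Optional[Resource]:
    """The search the post calls clunky: the smallest free room that fits everyone."""
    fits = [r for r in rooms if r.kind == "room" and r.capacity is not None
            and r.capacity >= attendees and r.is_free(start, end)]
    return min(fits, key=lambda r: r.capacity) if fits else None


def demo():
    """Constructed walk-through; returns the attendant's replies for inspection."""
    projector = Resource("Projector 1", "equipment")
    boardroom = Resource("Boardroom", "room", capacity=8, contains=[projector])
    huddle = Resource("Huddle Space", "room", capacity=4)
    t = datetime(2012, 5, 18, 9, 0)
    h = timedelta(hours=1)
    replies = [
        boardroom.request("alice", t, t + h, attendees=6),            # accepted, books the projector too
        projector.request("bob", t, t + h),                           # rejected: taken via the room
        boardroom.request("carol", t + h, t + 2 * h, attendees=12),   # rejected: over capacity
        huddle.request("dave", t, t + h, attendees=3),                # accepted
    ]
    pick = find_room([boardroom, huddle], t + 2 * h, t + 3 * h, attendees=3)
    return replies, pick.name if pick else None


if __name__ == "__main__":
    replies, pick = demo()
    for accepted, msg in replies:
        print("ACCEPT" if accepted else "REJECT", msg)
    print("room for 3 at 11:00:", pick)
```

The rejection messages are the place MailTips would hang off in the real thing: the organiser learns before sending that the room is too small or the projector is already spoken for, rather than after the attendant bounces the invite.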
Tuesday, 15 May 2012
Mobius Strip Conjecture
Streams. Streams. Sleep on a bed of streams.
Hmmm. Streams.
So everyone knows about AppV streaming applications to your doorstep. Not many people know that Citrix has been able to do this long before AppV was snaffled up by the King of Snaffling, Microsoft.
Yes. Citrix can stream applications; IIRC this has been possible since Presentation Server 4. To do this you needed a separate client called the offline client. You also needed an online client to access all your online, or standard, Citrix applications. Pretty nasty.
This then turned into one client called Receiver, where you could extend the power of Receiver with plugins.
Again, still not very nice, as now Citrix has deigned to drop support for GPO deployment; reading the next sentence you can see why... So now we have an agent which is supported on Windows, Mac, Linux, iOS, Android and BlackBerry, however we have no reliable (read: single) method of deploying it!
"Oh yes there is."
Ok you knew that was coming.
Merchandising Server. This is a virtual appliance which, once set up, can manage and deploy the required plugins and agents to your environment. All devices can go to and sign into a website hosted by the appliance and receive the correct version of the Receiver agent and all the plugins which the device supports.
As I mentioned, this is currently: online plugin, offline plugin, AppV plugin. Hang on, did I say AppV plugin?
It is possible to use Receiver to get your AppV applications. Whilst this initially sounds redundant ("Why would I want Citrix in the way of AppV?"),
remember that there is no AppV client for MacOS, iOS, Android or BlackBerry.
Cool.
Citrix have added, in keeping with the current trend, a storefront to the applications pool. You can now select applications which you wish to use from a "pool" of approved applications. No longer will you have countless prescribed applications hanging around on your desktop.
Couple this with the fact that Citrix have consolidated the Receiver interface across devices. Receiver now looks the same no matter what device you use.
Did I mention seamless session state across devices too? Work on a document on the train on your iPad, get into work and log into your desktop, and the application and document will "move" over to your desktop.
Excited. Me. Never.