Leostream Corporation leostream.com help@leostream.com


Introduction
Advantages of Providing Remote Access to Personal PC
Disadvantages of Typical Remote Access Solutions in a Corporate Environment
Why Use Leostream for Remote Access
Using the Leostream Connection Broker as a Corporate Remote Access Solution
About Connection Brokers
Introduction to the Leostream Connection Broker
How Leostream Supports Users on the WAN and LAN
Step-by-Step Guide to Configuring the Leostream Connection Broker
Step 1: Setup a relationship between user and their desktop
Step 2: Register Your Active Directory Server with the Connection Broker
Step 3: Inventorying Your Computers
Step 4: Build a User Policy
Step 5: Assign the Policy to Users
Advanced Scenarios Supported by Leostream
Location-Awareness
Leostream Agent Features
Release Plan Idle-Time Actions
Summary

Virtual Desktop Infrastructures (VDI) provide large corporations with one method for giving users anywhere access to desktop and data. But, in some environments and for some users, VDI is not a viable option. In these organizations, instead of building out VDI, IT invests time and money purchasing, configuring, and maintaining individual desktop hardware for each user in the organization, in addition to handling conference room machines, loaner laptops, etc. Even though each employee is issued a laptop or desktop, however, that machine is not by the employee's side 24/7. To provide anywhere access to a dedicated physical machine, organizations turn to remote access solutions.

Typical remote access solutions are designed for individuals, not enterprises, making them difficult to configure and manage in a corporate environment. The typical remote access solution requires individual configuration for each end user and is difficult for IT to control. Instead, Leostream proposes taking a VDI approach to remote access. By using the Leostream Connection Broker to provide remote access to physical desktops, enterprises can reap the benefits of remote access while securing their desktops and data using the benefits inherent in VDI.


Why provide remote access in the first place? Remote access solutions pay for themselves by making employees productive even when they are away from their physical machines. When you provide a remote access solution for your employees, you:

- Increase employee productivity: An employee can work on their corporate machine from anywhere, allowing them to be productive when they are traveling, in the coffee shop, or with a few minutes to spare in any place with internet connectivity.
- Provide emergency access to resources: During unexpected absences, due to weather, illness, or any other cause, employees can access their corporate machine and remain productive.

Typical remote access solutions were designed with the consumer in mind. In a corporate environment, these solutions can be:

- Difficult for IT to manage: Remote access solutions designed for small scale require constant maintenance by IT as employees join and leave the organization.
- Invasive: Some remote access solutions require specialized software be installed on the user's corporate machine. Software installation adds tasks to an already full IT schedule, plus organizations may have strict guidelines on what software can be installed on corporate machines.
- Expensive: Typical remote access solutions are sold as a service, requiring monthly fees per desktop. In a large organization, the monthly cost can grow quite large.

Leostream provides the advantages of typical remote access solutions and, by taking a VDI approach to the solution, solves the disadvantages. The Leostream Connection Broker is designed to manage user-to-desktop assignments and connections in large-scale enterprise environments. Whether the organization has virtual or physical desktops, the comprehensive Leostream management concepts enable Leostream to provide:

- Simple configuration: IT configures pools and policies once using the Leostream Administrator Web interface and then never needs to reconfigure the system to support new users and desktops.
- Automatic user provisioning: Connection Broker policies are automatically applied to new users; IT never needs to add or remove users manually.
- Wake-on-LAN: Leostream can automatically power up physical desktops using Wake-on-LAN commands, giving users remote access even if they turned their machine off.
- Integration with corporate systems: Leostream authenticates users against standard corporate authentication servers, such as Microsoft Active Directory.
- Detailed logging: The Leostream Administrator Web interface provides up-to-date information about who is remotely logging into their desktop.
- Lower cost: Leostream is sold as a perpetual per-user license with a low annual support fee.

A connection broker lies at the heart of any hosted desktop deployment, whether the resources are hosted in a datacenter or simply on the user's desk. A connection broker consists of a set of rules that determine which desktop a user has access to, based on the user's identity and their location.

Using a connection broker designed for VDI provides control and security that dedicated remote access solutions do not. For example, a connection broker allows IT to maintain control over the environment by monitoring and performing actions on the user's session, such as disconnecting the user after their session is idle. Unlike dedicated remote access solutions, a connection broker ties into additional pieces of an organization's infrastructure, including authentication servers, load balancers, SSL VPNs, etc. Using a connection broker, users authenticate against Active Directory to obtain remote access to their desktop. Plus, they get a secure connection from home by logging in via an SSL VPN.

Leostream was founded in 2002 to provide a management platform for complex, large-scale, privately hosted VDI. The flagship Leostream Connection Broker has evolved into the most flexible and powerful Connection Broker on the market. Using the Connection Broker Administrator Web interface, administrators build policies and plans that define what resources a user has access to and how those resources are managed, based on who the user is and their location.

Enterprises often need to treat remote access connections differently when the user connects from within the corporate firewall versus outside of it. When users are connecting on the LAN, IT often relaxes security constraints. When connecting over the WAN, security becomes a bigger issue. The Leostream Connection Broker provides a number of tools that allow IT to tailor the user's session based on whether the connection is over the LAN or WAN, including:

- Location awareness: IT can change the end-user experience based on where the user logs in. Location awareness allows IT to, for example, secure the system by blocking local drive redirection when the user logs in from off campus.
- SSL VPN integration: Many large enterprises have existing SSL VPN solutions. When on the LAN, users can typically connect directly to their desktop. To get a secure connection over the WAN, users can log into Leostream via the corporate SSL VPN.
- Display protocol support: Leostream supports over ten display protocols. Enterprises can choose which display protocol best supports the user's current location. Over the LAN, administrators can allow users to connect to their desktops using a protocol that requires more bandwidth, while over the WAN they may want to restrict the user to a less bandwidth-intense display protocol.

The Connection Broker Administrator Web interface contains a wealth of configuration options. When it comes to providing remote access, however, the Leostream Connection Broker is extremely easy to set up. The following procedure describes the five simple steps to configure Leostream for remote access. All Connection Broker options not mentioned in the following procedure are assumed to be left at their default value. The end of the chapter describes advanced scenarios that can be supported with further configuration.

Note, the Leostream Connection Broker is a virtual appliance that is easily installed in any major hypervisor, such as those from VMware, Citrix, or Microsoft. The following procedure assumes you have already installed the Connection Broker.

Many organizations have a corporate standard for how desktops are named and configured in Active Directory. To provide remote access, identify an AD attribute of the desktop that can be used to link that desktop to the user. For example, does the user's desktop have a name that equals their username? If you do not have a desktop attribute that you can link to the user, consider using the computer's managedby attribute, as shown in the following figure. Simply configure each computer so it is managed by the user it belongs to.

The Connection Broker uses your Active Directory server to inventory your computers and authenticate your users. To add your Active Directory authentication server to your Connection Broker:

1. Go to the > Users > Authentication Servers tab.
2. Click Add Authentication Server, as shown in the following figure.
3. In the Authentication Server name edit field, enter a friendly name.
4. In the Domain Name edit field, enter your actual domain name.
5. In the Hostname or IP address edit field in the Connection Settings section, shown in the following figure, enter the hostname or IP address of your Active Directory authentication server.
6. In the Search Settings section, shown in the following figure, enter the username and password for an administrator account that has read rights to the user and computer records in Active Directory. Leostream never writes to your Active Directory, so you can use an account with limited permissions.
7. In the Sub-tree: Starting point for user search field, enter the fully qualified path in LDAP format to the lowest point on the authentication server tree from which you want the Connection Broker to search for users. For simplicity, you can start at the top of the Active Directory tree, for example: DC=YOUR_DOMAIN,DC=com
8. Click Save.

Now that the Connection Broker can connect to your Active Directory server, you can create a center that inventories the computer records in Active Directory. Leostream defines a center as an external system that the Connection Broker uses to learn about desktops. To add an Active Directory center:

1. Go to the > Resources > Centers page.
2. Click the Add Center link.
3. Select Active Directory from the Type drop-down menu.
4. Enter a friendly name for the center in the Name edit field.
5. Make sure the Active Directory authentication server you created in step 2 is selected in the Authentication Server drop-down menu.
6. Click Save.

After you create your Active Directory center, go to the > Resources > Desktops page. This page lists the computer records the Connection Broker imported from the Active Directory tree, for example:

When you finish your setup and users start logging in, the User column displays the user's login name when they are remotely connected to their desktop.

The Connection Broker automatically places all imported desktops into a default All Desktops pool. More complicated environments can create customized pools using Leostream's flexible pool definitions. For simple remote access, you can use the default All Desktops pool and, therefore, go straight to defining policies.
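Because the pool filter configured in the policy step offers a desktop to whoever its managedby value names, that attribute becomes the access decision, so it is worth auditing the inventoried computer records before building the policy. The following Python script is an added example, not Leostream code: it assumes the user DNs and computer records have been exported from Active Directory, models the filter as a case-insensitive substring match, and runs on constructed sample records.

```python
import re

# Constructed sample data (not from the whitepaper); every DN and name is made up.
USERS = [
    "CN=Ann Lee,OU=Staff,DC=example,DC=com",
    "CN=Bo Diaz,OU=Staff,DC=example,DC=com",
    "CN=Cy Roy,OU=Staff,DC=example,DC=com",
]
COMPUTERS = [
    {"name": "PC-ANN", "managedBy": "CN=Ann Lee,OU=Staff,DC=example,DC=com"},
    {"name": "PC-BO1", "managedBy": "cn=bo diaz, ou=staff, dc=example, dc=com"},
    {"name": "PC-BO2", "managedBy": "CN=Bo Diaz,OU=Staff,DC=example,DC=com"},
    {"name": "CONF-ROOM", "managedBy": ""},
    {"name": "PC-OLD", "managedBy": "CN=Dee Fox,OU=Staff,DC=example,DC=com"},
]


def normalize_dn(dn):
    """Lower-case a DN and trim spaces around its unescaped commas."""
    parts = re.split(r"(?<!\\),", dn or "")
    return ",".join(p.strip().casefold() for p in parts if p.strip())


def offered_desktops(user_dn, computers):
    """Assumed model of the pool filter: managedBy contains the user's DN."""
    needle = normalize_dn(user_dn)
    return [c["name"] for c in computers
            if needle and needle in normalize_dn(c.get("managedBy"))]


def audit(users, computers):
    """Return the records that would make the user-to-desktop link unreliable."""
    known = {normalize_dn(u) for u in users}
    report = {"unmanaged": [], "orphaned": [], "multiple": {}, "no_desktop": []}
    for c in computers:
        owner = normalize_dn(c.get("managedBy"))
        if not owner:
            # No owner set: the filter can never offer this machine to anyone.
            report["unmanaged"].append(c["name"])
        elif owner not in known:
            # Owner is not a current user (for example, a stale assignment).
            report["orphaned"].append(c["name"])
    for u in users:
        names = offered_desktops(u, computers)
        if not names:
            report["no_desktop"].append(u)
        elif len(names) > 1:
            # The Default policy assigns one desktop, so this link is ambiguous.
            report["multiple"][u] = names
    return report


if __name__ == "__main__":
    for finding, items in audit(USERS, COMPUTERS).items():
        print(f"{finding}: {items}")
```

Since a change to managedby changes who is offered the machine, write access to that attribute deserves the same review as any other access-control list.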

The Leostream Connection Broker defines a policy as a set of rules that determine how desktops are managed for a user, including: what specific desktops are offered, what display protocol is used to connect to those desktops, how long the user is assigned to a resource, what USB devices the user can access in their remote desktop, and more.

Policies use a subset of rules called plans. A plan (Protocol, Power Control, and Release) is a set of behaviors that are applied to desktops in a pool. Plans provide IT with event-based control over the user's session, for example to perform actions when the user disconnects or logs out of their remote session. The Leostream Connection Broker comes with default Protocol, Power Control, and Release plans that work just fine for remote access. These default plans connect the user to their desktop using RDP and keep the user assigned to the desktop for as long as they are logged in.

The Connection Broker provides a Default policy that assigns one desktop from the All Desktops pool. For remote access, modify the Default policy to ensure that the desktop offered by the policy is the desktop that belongs to the user based on the contents of the computer record's managedby field, as follows.

1. Go to the > Users > Policies page.
2. Click the Edit link next to the Default policy.
3. Scroll down to the When User Logs into Connection Broker header in the Desktop Assignments from the Pool All Desktops section.
4. Select "Yes, regardless of Leostream Agent status" from the Offer running desktops drop-down menu, shown in the following figure. You must select this option unless you plan to deploy the optional Leostream Agent on your users' desktops.
5. Scroll down to the Pool Filter header in the Desktop Assignments from the Pool All Desktops section.
6. Configure the pool filter as shown in the following figure, which indicates the Connection Broker should look for a computer that has an AD managedby field that contains the user's AD distinguishedname.
7. Scroll down to the bottom of the form and click Save.

Lastly, you must ensure that the policy defined in step 4 is assigned to your users when they log into Leostream. Policy assignment is done based on the user's Active Directory group membership, for example:

1. Go to the > Users > Assignments tab.
2. Click the Edit link associated with your Active Directory authentication server from step 2.
3. In the Assigning User Role and Policy section, select Domain Users from the Group drop-down menu, as shown in the following figure. With this configuration, any domain user who logs into the Connection Broker is offered the Default policy and, hence, their desktop.
4. Click Save.

Leostream makes it easy to test that your Connection Broker is configured correctly by allowing you to simulate a user login. To test your Connection Broker setup:

1. Go to the > Users > Users page.
2. Click the Test Login link at the top of the page.
3. In the User name field, enter the username for a user who will use the system.
4. Click Run Test.

The bottom of the test results shows that the user will be offered their desktop when they log in. Users can now start logging into Leostream to access their desktops! You do not need to manually add users to the Connection Broker; they are automatically added the first time they log in.

When a user logs into the Connection Broker, Leostream gathers information about the user's client device, such as the IP address, MAC address, manufacturer, etc. You can use that information to create Connection Broker locations. Locations are groups of clients that can be, but do not need to be, geographically co-located. Typically, you group clients that should be provided with similar experiences, for example, all the thin clients on the third floor must provide access to the printers on the third floor. Locations ultimately serve two purposes:

1. Allowing you to assign location-based plans, such as printer plans that attach printers to the remote desktop based on where the user is sitting
2. Allowing you to change the user's policy in order to, for example, log the user in via an SSL VPN, restrict USB device redirection, or even prevent access to a desktop based on where the user is sitting

The Leostream Agent is a small, optional service that can be installed on the user's computer. When installed, the Leostream Agent provides additional control and end-user experience, including:

- Distinguishing logout from disconnect events and passing that information to the Connection Broker
- Rebooting the user's computer
- Providing the drivers needed for the Leostream USB redirection feature, which allows you to lock down USB devices
- Setting registry keys
- Attaching printers based on the user's client location
- Monitoring user idle time, as described in the next section

Connection Broker Release Plans allow you to control the life cycle of the user's session. One of the most useful Release Plan features is the ability to monitor user idle time and automatically lock, disconnect, or log out the user's session. For example, the following figure shows how to configure a Release Plan to lock the user's desktop after 5 minutes of user idle time, disconnect the desktop after 15 minutes, and log out the desktop after 30 minutes. After 30 minutes of idle time, the Release Plan instructs the Leostream Agent on the desktop to monitor the desktop's CPU level and report when the CPU level falls below 5% for 10 minutes. At that point, the Connection Broker performs the logout action.

Consumer-focused remote access solutions are suitable in small environments. Larger organizations, however, require additional flexibility, easier administration, more scalability, and extra security. The Leostream Connection Broker has been providing those features in VDI environments for over 10 years. This whitepaper aimed to show how, in five easy steps, you can get those benefits in a corporate remote access solution, as well.
