LANDesk White Paper

LANDesk Management Suite for Lenovo Secure Managed Client
Introduction

The Lenovo Secure Managed Client (SMC) leverages the speed of modern networks and the reliability of RAID-enabled data storage arrays to bring you an enterprise-class desktop PC that is competitive with desktop virtualization solutions. With SMC, users work on diskless workstations that are otherwise indistinguishable from the regular Lenovo desktops they normally use.

Advantages

Desktop Virtualization

Unlike a desktop virtualization solution, SMC uses the processing power on the desktop to handle the huge volume of graphical user interactions and program executions going on behind the scenes on a typical desktop.

Advantages compared to a virtualization solution
- A rich graphical experience: Windows uses the desktop graphics processor
- Quick visual response: user actions don't have to be optimized across the network
- No need for a massive array of servers with processor power on the back end: Windows runs on the desktop
- Performance and functionality of traditional desktops

Back-End Storage

Like a desktop virtualization solution, the user's hard drive is kept as a virtual drive on a central storage array. The drive is less susceptible to loss, damage or theft than a local hard drive and is managed and backed up by central IT staff. Unlike a traditional desktop PC with the operating system on a local hard drive, the user is free to boot his operating system on any compatible SMC desktop system.
Advantages of back-end storage
- Free-seating: users can log in from various locations
- Reliability of RAID-enabled storage instead of a single local hard drive
- Applications and data stored securely
- Centralized management, higher security, reduced TCO, and easier compliance certification
- Fault-tolerant, scalable architecture
- HVAC and power management savings

Proven Management

Lenovo SMC Management Server, or SMC Manager for short, is built on LANDesk Management Suite for ThinkVantage Technologies and provides the infrastructure needed to manage SMC Desktops and back-end storage arrays.

Advantages of the LANDesk management solution
- A simple, intuitive interface
- Task-centered management of SMC storage arrays
- Integration with Microsoft Active Directory for creating users
- Single sign-on and authentication for users based on existing policies in Microsoft Active Directory
- Inventory and reporting for SMC desktops
- Optional integration with LANDesk Management Suite
- Optional integration with LANDesk Management Suite for ThinkVantage Technologies and the ThinkManagement Console

Interoperability

LANDesk Management Suite

If you are a LANDesk Management Suite 8.8 customer, SMC Manager is simply an add-on to your existing suite. You can update an existing core or create an additional core for SMC. Any consoles that will be used to manage SMC will also need to be updated.

LANDesk Management Suite for ThinkVantage Technologies

If you are a LANDesk Management Suite for ThinkVantage Technologies or a ThinkManagement Console customer, SMC Manager is just an add-on to your existing suite. You can update an existing core or create an additional core for SMC. Any consoles that will be used to manage SMC will also need to be updated.

Customers Who Do Not Use LANDesk Management Suite

You do not have to rethink your existing desktop management investment to use SMC.
If you are not a LANDesk customer, you use LANDesk to manage your SMC desktops and back-end storage arrays but continue to use your existing infrastructure or IT solutions to manage and support your Windows users. Note that once a User OS has been booted, the client behaves like any other desktop PC.

Windows Vista and Windows XP

Lenovo SMC supports standard Windows XP and Windows Vista, the same operating system versions you are using today on your desktop or notebook systems. The only difference is the need to add one SMC network driver to the image before you boot it on an SMC device.
Architectural Overview

Figure 1: SMC Solution Architecture
Architectural Components

Network Infrastructure

SMC depends on a high-performance network infrastructure between SMC desktops and back-end storage arrays. It is recommended that the storage array be connected to the switch closest to the end users. The network traffic during the SMC client's normal operation requires minimal network bandwidth. The bandwidth is needed during the time of the SMC client boot.

A typical implementation uses 1 Gigabit Ethernet switches with Virtual LANs set up to constrain broadcast between domains. If you follow the free-seating model where a user can boot from any SMC desktop, you need to factor this cross-VLAN access into your design.

Traffic flow to the SMC Management server is not demanding, but since this link handles user authentication from the SMC Desktop, it must be fast and reliable. The LANDesk core server and Active Directory domain controllers must be accessible to the SMC client for a user to log in.

The computers you want to manage with the SMC console need to obtain initial parameters such as their IP address, executable filename, server name, and root path.

Note: All this information is included in the configuration of the DHCP servers. Therefore, only the DHCP server needs to be configured to pass the root path entry for the solution to work. Please refer to the SMC Management Console help file for instructions on configuring the root path on both Windows and Linux DHCP servers.

SMC Desktops

The SMC Desktop is a Lenovo ThinkCentre M57P Ultra Small Form Factor (USFF) desktop PC with Intel vPro technology. The solution also supports the new ThinkCentre M58P. To convert a supported ThinkCentre model, the system requires a BIOS update. When the BIOS update is completed, the desktop can easily be converted back and forth between an SMC client and a standard desktop.
The desktop is configured for DHCP dynamic address allocation and uses the DHCP server's boot-path option to make an iSCSI connection to the storage array, which will boot a common user logon screen. At login, the user's Active Directory credentials are sent to the SMC Desktop Connection Web Service, which authenticates the user to Active Directory and returns the information needed to boot the desktop to the User OS. The desktop makes an iSCSI connection to the storage array and boots the user image natively.

SMC Management Server auto-generates the iSCSI logon information, including passwords, in the background and passes that information securely to the client as part of the process. The user does not know the iSCSI initiator, target, or passwords used for low-level access to their image.

Storage Arrays

The Lenovo Storage Array is the appliance where the SMC client's data is securely stored. It is based on an Intel iSCSI SAN with specialized software from American Megatrends Inc. All configurations have 12 disks and 6 x 1GB Ethernet ports.

The Storage Array is managed and provisioned remotely through the SMC Management Console. The SMC Management Console auto-generates the accounts and passwords used to access the storage array. IT administrators never access the storage array directly. Instead, they use their SMC Management Console credentials, which are either their normal local computer or domain logon credentials, to access the management tasks available from the console. Locking down the array and limiting configuration to a well-known set of services enhances the security and reliability of the system.

The SMC Management Server teams the Storage Array NICs to a single static IP address to optimize the performance of the network. Traffic to and from this address is free to travel across any of the physical network connections that are bridged in the Ethernet switch VLAN. An SMC Storage Array hosts the hard drives of up to 100 concurrent SMC users.
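The DHCP root path described under Network Infrastructure and SMC Desktops decides which storage array a diskless client boots from, so it is worth validating before a DHCP scope goes live. The following is an added example, not code from the white paper or from LANDesk or Lenovo. It assumes the root path uses the standard RFC 4173 form iscsi:<server>:<protocol>:<port>:<LUN>:<targetname>, which the paper does not state; the host names, addresses and target names are constructed.

```python
from dataclasses import dataclass

# RFC 4173 defaults that apply when a field is left blank.
DEFAULT_PROTOCOL = 6      # TCP
DEFAULT_PORT = 3260       # registered iSCSI port


@dataclass(frozen=True)
class IscsiRootPath:
    server: str
    protocol: int
    port: int
    lun: str
    target: str


def parse_root_path(value: str) -> IscsiRootPath:
    """Parse iscsi:<server>:<protocol>:<port>:<LUN>:<targetname>."""
    if not value.startswith("iscsi:"):
        raise ValueError("not an iSCSI root path")
    rest = value[len("iscsi:"):]
    if rest.startswith("["):              # bracketed IPv6 literal contains colons
        end = rest.find("]")
        if end == -1 or rest[end + 1:end + 2] != ":":
            raise ValueError("malformed IPv6 server field")
        server, rest = rest[:end + 1], rest[end + 2:]
    else:
        server, _, rest = rest.partition(":")
    # Target names (IQNs) may contain colons, so split off only three fields.
    fields = rest.split(":", 3)
    if len(fields) != 4 or not server or not fields[3]:
        raise ValueError("expected server, protocol, port, LUN and target")
    protocol, port, lun, target = fields
    port_no = int(port) if port else DEFAULT_PORT   # int() raises ValueError
    if not 1 <= port_no <= 65535:
        raise ValueError("port out of range")
    if lun and not all(c in "0123456789abcdefABCDEF-" for c in lun):
        raise ValueError("LUN is not hexadecimal")
    proto_no = int(protocol) if protocol else DEFAULT_PROTOCOL
    return IscsiRootPath(server.lower(), proto_no, port_no, lun or "0", target)


def check_root_path(value, allowed_servers, target_prefix):
    """Return policy findings for one root path; an empty list means it passes."""
    try:
        rp = parse_root_path(value)
    except ValueError as exc:
        return [f"unparseable: {exc}"]
    findings = []
    if rp.server not in allowed_servers:
        findings.append(f"unexpected storage array: {rp.server}")
    if rp.protocol != DEFAULT_PROTOCOL:
        findings.append(f"unexpected protocol: {rp.protocol}")
    if rp.port != DEFAULT_PORT:
        findings.append(f"unexpected port: {rp.port}")
    if not rp.target.startswith(target_prefix):
        findings.append(f"unexpected target: {rp.target}")
    return findings


# Constructed sample values (hypothetical hosts and IQNs, not from the white paper).
ALLOWED = {"smc-array01.corp.example", "192.0.2.50"}
PREFIX = "iqn.2008-11.example.corp:"
GOOD = "iscsi:smc-array01.corp.example::::iqn.2008-11.example.corp:smc-logon"
ROGUE = "iscsi:198.51.100.7:6:3260:0:iqn.2008-11.example.corp:smc-logon"

if __name__ == "__main__":
    for sample in (GOOD, ROGUE, "nfs:/export/root"):
        print(sample, "->", check_root_path(sample, ALLOWED, PREFIX) or "ok")
```

The same check can be run over root-path values exported from each DHCP scope, so that a scope pointing clients at an address outside the provisioned storage arrays is caught in review.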
SMC Software Stack

SMC is managed via the SMC Management Console or an SMC add-on to LANDesk Management Suite 8.8 for ThinkVantage Technologies. As mentioned earlier, you can integrate SMC Manager with your existing LANDesk Management Suite infrastructure or run SMC Management Server as a stand-alone system dedicated to SMC.

When you purchase the SMC Solution from Lenovo you receive LANDesk installation media and licensing, including the following components:
- LANDesk Management Suite 8.8
- LANDesk Management Suite Support Pack 1
- SMC Manager Add-On

Licensing

During installation, a licensing key is provided for the product. After installation, the license needs to be activated using the SMC Management Console Core Server Activation. You can find the link to activate in the Start LANDesk Core Server Activation program on the SMC Management Core server.

You will need one Lenovo SMC Client license for each of the SMC clients. The Lenovo SMC software license is available in the following configurations:

Lenovo SMC Workgroup Client License

The Lenovo SMC Workgroup Client License enables you to perform SMC User management, SMC Image management and Storage Array management and provisioning, Report Generator, Intel vPro management, and SMC alert management without requiring any SMC agent to be installed in your Windows user image. The Client License also grants you a right to install the SMC agent in the end-user's image, providing full PC management such as full hardware inventory, software inventory, Windows OS and software distribution, security settings and patching, remote control, executive dashboard, and software license monitoring.

Lenovo SMC Enterprise Client License

The Lenovo SMC Enterprise Client License includes functions that enable you to white/black list applications and USB devices, lock down SMC clients' hardware ports, implement network access control, and remove spyware, in addition to the SMC Workgroup client function.
Lenovo SMC PMA

The Lenovo SMC PMA includes phone support and gives you the future rights for SMC software updates. The PMA is paid yearly.

The Lenovo SMC Software client licenses are acquired as a subscription or standard purchase. The subscription includes the client license and the PMA for a low yearly fee.

Installation

Please refer to the LANDesk Deployment and Installation Guide in the documents directory of the SMC software.

Core Server

Under the covers, the SMC Management Server utilizes the LANDesk Management Suite core server. The core hosts a variety of SMC/LANDesk services, as well as a Web service, and provides a connection to the SMC Management database.

Database

The SMC Management solution works with both SQL and Oracle databases. Please refer to the LANDesk Management Suite product requirements document for the supported database versions.
Console

The SMC Management console includes the SMC Manager console plug-in. The console is available on the SMC core. Any number of additional consoles can run on an IT staff's notebook or PC. All SMC-related management tasks can be handled from an additional console as long as the console has connectivity to the SMC core Web services and the back-end database.

Web Services

SMC Manager uses two Web service portals on the core server. The first is an SMC Client Service that handles user login requests from SMC Desktops. The second is a SAN Portal, which is used by the SMC console to access and manage the Storage Array.

The SMC Client Services Web portal is responsible for verifying end-user login credentials against Active Directory. Upon validation, it returns the correct iSCSI boot information for that user's image on the storage array.

Alerting

From the SMC Management Console you can view the health of the SAN graphically as well as receive alerts when attention is needed for the Storage Array. Alerting and monitoring can be done remotely to ensure the reliability and predict failures of the Storage Array.

Managing SMC

SMC Desktops and storage arrays are managed through the SMC Management Console. An Active Directory (AD) browser is available inside the SMC Management Console to aid you when you add AD users to the SMC Storage Array. Below is an example of the SMC Management Console interface:

Figure 2: SMC Management Console
Managing Storage Arrays

Storage arrays are managed entirely through the LANDesk console. Before provisioning an array, you need to configure the DNS server with the name and IP address you will assign to the Storage Array. When you select to provision the array for the first time, you also need to enter the current IP address and password for the Storage Array. The array with its default IP address must be accessible from the SMC core server and the SMC console used for provisioning.

As a part of the Storage Array provisioning, the SMC Management Server configures the array with the DNS name and IP address provided, using auto-generated passwords that are maintained securely in the SMC Management Server. The Console includes a function to generate new passwords to be able to meet corporate security needs.

If you move the Storage Arrays after they have been provisioned, you can easily update the new IP address and network information directly from the SMC Management Console.

SMC Client Inventory

The SMC solution is designed to perform an agent-less automated HW inventory every time the SMC client is powered on. The information can be viewed easily from within the SMC Management Console. The SMC Solution is user-centric, so from an inventory perspective, an SMC client can exist without a dedicated user OS, and a user OS can exist without dedicated HW.

For this example, we added the SMC Management Agent to the end-user's Windows image. The results of the inventory scan are presented in the high-level inventory view below.

Figure 3: SMC Inventory

SMC Desktop PC

An SMC Desktop (the physical PC) is added to SMC inventory the first time it is booted on a storage array. Because the SMC Desktop is an SMC inventory item, its inventory can be used to build queries and generate reports. This lets you keep track of your physical assets and report on system information such as the amount of memory installed, model number and serial number, etc.
The SMC Desktop does not include information about a user OS and cannot be used for software distribution, remote control, or other client management services that require a Windows agent to be present.

User OS

When a User OS is booted to an SMC Desktop, it behaves like any operating system. This means that it can be managed by the SMC Management Suite or other desktop management solutions. A User OS is only added to the SMC inventory if you have deployed the SMC Management Agent to the user OS. This optional step enables SMC services such as Software Distribution, Remote Control, Security and Patch Management, and other LANDesk functionality to be utilized.
Models for Deploying the User OS

There are multiple methods that can be used to deploy the user operating system. SMC is designed to minimize duplication and can therefore use a customer's existing procedures to create or update images.

A Base image includes your COE or standard PC image, the same image you are using to preload onto your Lenovo ThinkCentre or ThinkPads. The Base image is used as a template for creating virtual user hard drives of the user image.

SMC provides a GUI to create a space on the Storage Array for a new base image. From the GUI an image size can be defined, along with selected boot options. The standard image is uploaded through a provided CD utility or by mounting the new base image space, using an iSCSI initiator, and then copying the COE image up to the Storage Array.

The SMC COE Image supports the following imaging methods:
- Created using Windows Standard Install CDs
- Created using standard Windows imaging tools
- Created using SYSPREP
- Created using ImageUltra Builder

Note: As in a standard PC environment, with SMC you can use more than one base image as the base for the end-user unique image.

Client Boot Acceleration

Booting multiple users simultaneously can be accelerated using SMC Boot Acceleration. This will optimize the storage array cache. The cache reduces the number of disk-seeks and disk-reads needed in the boot cycle. The cache works most efficiently when most SMC clients connected to the Storage Array are using the same COE image. For instance, if most of the volumes on a storage array are Windows Vista but a few are Windows XP, the storage array cache should be optimized for Windows Vista. Each storage array has its own cache policy so you can bunch similar operating systems on different arrays to attain the maximum acceleration.

Performance Factors

The primary factors in maximizing boot acceleration on a storage array are: 1) operating system type (Vista or XP); 2) service pack level; and 3) periodic system updates.
By keeping the images on the same patch level, you will gain the most performance out of the SMC Boot Acceleration. User-unique software packages, such as those specific to the Sales or Customer Support teams, do not typically have any impact on client boot speeds.

Boot Acceleration Factor    Impact
Operating System Type       Primary Factor for Acceleration
Service Pack                High
System Updates              Medium
Software Packages           Low
User Data Files             Low

Who is Accelerated

SMC Manager creates a Boot Acceleration Group for each base image. When a user image is cloned from the base, the user image is added to the group. The administrator chooses the Boot Acceleration Group to use on each storage array, and its members are automatically accelerated.

Optimizing Acceleration

Acceleration should be enabled after several user images have been created, booted, and run through the Sysprep process. To enable the boot acceleration for a base image, use the storage array properties page to enable a Boot Acceleration Group. Images are accelerated if they are a member of the group and have been booted at least once.

Business Analytics Add-on Software

The SMC Client also has a license right to use the Lenovo Analytics Manager on all SMC clients. This software includes an aggregated corporate summary of:
- Average end-user
- Response time during the day
- Response time for desktop and Web-based applications
- Bandwidth usage during standard operation
- Average Windows and Web-based application usage and availability
- Average power consumption
- Average printer utilization (local and network printers)

This software requires a separate registration and download. Please see www.lenovo.com/software/smc for more information.

You are also welcome to contact a LANDesk sales professional for more information on LANDesk Management Suite for Lenovo Secure Managed Client by calling 1-800-982-2130.
Glossary

SAN (Storage Area Network): architecture to attach remote computer storage devices to servers in such a way that, to the operating system, the devices appear as locally attached.

iSCSI (Internet SCSI [Small Computer System Interface]): protocol that allows clients (called initiators) to send SCSI commands [Command Descriptor Blocks (CDBs)] to SCSI storage devices (targets) on remote servers. It is a popular SAN protocol, allowing organizations to consolidate storage into data center storage arrays while providing hosts with the illusion of locally-attached disks.

LUN: In an iSCSI environment, LUNs are essentially numbered disk drives. An initiator negotiates with a target to establish connectivity to a LUN; the result is an iSCSI session that emulates a SCSI hard disk.

Hypervisor: a virtualization platform that allows multiple operating systems to run on a host computer at the same time.

The information in this document is provided in connection with Avocent/LANDesk products. No license, express or implied, by estoppel or otherwise, to any intellectual property rights is granted by this document. Except as provided in Avocent's terms and conditions for the license of such products, Avocent Corporation and its affiliates, including LANDesk, ("Avocent") assume no liability whatsoever, and Avocent disclaims any express or implied warranty, relating to the sale and/or use of Avocent products including liability or warranties relating to fitness for a particular purpose, merchantability, or infringement of any patent, copyright or other intellectual property right. Avocent products are not intended for use in medical, life saving, or life sustaining applications. Information regarding third-party products is provided solely for educational purposes.
Avocent is not responsible for the performance or support of third-party products and does not make any representations or warranties whatsoever regarding the quality, reliability, functionality or compatibility of these products. The reader is advised that third parties can have intellectual property rights that can be relevant to this document and the technologies discussed herein, and is advised to seek the advice of competent legal counsel, without obligation of Avocent. Avocent retains the right to make changes to this document or related product specifications and descriptions, at any time, without notice. Avocent makes no warranty for the use of this document and assumes no responsibility for any errors that can appear in the document nor does it make a commitment to update the information contained herein.

Copyright 2008, Avocent Corporation. All rights reserved. LANDesk and Avocent are registered trademarks of Avocent Corporation or its affiliates. *Other brands and names are the property of their respective owners.

LSI-0771 11/08 BB(KBART)/NH