The term VDI Connection Broker currently lacks a clear definition. This blog's main aim is therefore to explain what a connection broker is and how the technology benefits today's VDI environments.
What is a basic VDI Connection Broker?
Companies such as Leostream, Citrix and Ericom have been making VDI brokering products for more than 10 years, driven by the need to handle multiple access sessions with limited network resources and to simplify the IT management infrastructure.
The trend towards remote working is inevitable, and VDI is a great solution for it. But how do you manage multiple VDI sessions at the same time? This diagram shows a typical VDI scenario using the PCoIP protocol, in which many employees remotely access their computers inside Company A.
This works, only if:
- All users use the same VDI protocol, and Company A owns enough public IPs to serve all of its users
- This is a routed environment, so NAT or PAT is needed to stop every port on every computer from being reachable, and Company A ensures that all computers are well protected against cyber attacks
- The company has suitable IT resources to handle configuration changes, incidents and troubleshooting…
To resolve these issues we need an intermediary: something that answers all requests, understands the requirements and handles the allocation and delivery of VDI services. This is my understanding of basic VDI brokering:
A basic VDI connection broker is a centralised service consolidation entity which acts as a transparent or non-transparent intermediary for the proxied VDI payload, and provides user authentication, authorisation and service allocation based on a defined SLA.
With a connection broker in place, a VDI connection is much simplified:
- STEP 1: All employees connect to the same connection broker, so only one WAN IP is required to serve multiple users
- STEP 2: The broker authenticates users (against a local authentication database or an authentication provider) and allocates a computer to each user, based on the user's identity and pre-configured allocation policies
- STEP 3: The connection broker starts proxying the VDI traffic
What additional value is provided by using connection brokers?
1. Directory services integration and single sign-on experience
A company's existing directory service (AD, LDAP, NIS) can be integrated with a connection broker and the user can be authenticated using their domain credentials with optional MFA (smart card or PIV card).
Single sign-on can also be enabled on domain computers. With this feature, a user is logged in automatically with the same domain credentials on the allocated computer.
2. Explicit policy controls
Connection brokers allow the creation of user groups and computer groups. Group membership can be inherited from a directory service or defined locally on the broker.
The company administrator can define policies to control computer allocation, computer release, and so on. Below are a few examples:
- Alice has professional software installed only on her own computer; when Alice logs on, allocate only this computer to her
- Bob and Charlie are freelance designers; when either of them logs on, allocate any available designer computer to him
- David is the administrator and needs to maintain all editor suites; when David logs on, present all available editor suites in a list so he can choose one to complete his work
- Echo uses two different computers to do her job; when Echo disconnects from a computer, don't sign her off, so any unfinished background process can keep running
- For public computers, sign the user off immediately when the current user disconnects, so the computer returns to the available pool for other ad-hoc users to jump on
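The allocation and release rules above, and the STEP 2 allocation decision, as an added illustration that is not part of this post or of any vendor's broker: a toy policy engine with a constructed fleet (the desktop names, groups and the public "kiosk-01" desktop are all made up) that allocates a desktop per user policy, refuses unknown users and out-of-group picks, and applies the disconnect behaviour of each desktop.

```python
from dataclasses import dataclass, field

@dataclass
class Desktop:
    name: str
    group: str
    in_use_by: str = ""                      # empty string means the desktop is free
    keep_session_on_disconnect: bool = True  # False for public/ad-hoc desktops

@dataclass
class Broker:
    desktops: list
    policies: dict                           # user -> (mode, group); mode "assign" or "choose"
    sessions: dict = field(default_factory=dict)

    def free(self, group):
        return [d for d in self.desktops if d.group == group and not d.in_use_by]
    def attach(self, user, desktop):
        desktop.in_use_by = user
        self.sessions[user] = desktop
        return desktop.name
    def logon(self, user):                   # -> desktop name, list to choose from, or None
        if user not in self.policies:        # unknown user gets nothing (default deny)
            return None
        mode, group = self.policies[user]
        free = self.free(group)
        if mode == "choose":                 # administrator picks from every free desktop
            return [d.name for d in free] or None
        return self.attach(user, free[0]) if free else None   # dedicated or pooled
    def choose(self, user, name):            # completes a "choose" logon; other groups refused
        group = self.policies.get(user, (None, None))[1]
        picked = [d for d in self.free(group) if d.name == name]
        return self.attach(user, picked[0]) if picked else None
    def disconnect(self, user):
        desktop = self.sessions.get(user)
        if desktop and not desktop.keep_session_on_disconnect:
            desktop.in_use_by = ""           # public desktop returns to the pool
            del self.sessions[user]
            return "signed off"
        return "session kept" if desktop else None   # background jobs keep running

def sample_broker():                         # constructed fleet and rules from the examples above
    desktops = [Desktop("alice-ws", "alice"), Desktop("design-01", "designers"),
                Desktop("design-02", "designers"), Desktop("edit-01", "editors"),
                Desktop("edit-02", "editors"),
                Desktop("kiosk-01", "public", keep_session_on_disconnect=False)]
    policies = {"alice": ("assign", "alice"), "bob": ("assign", "designers"),
                "charlie": ("assign", "designers"), "david": ("choose", "editors"),
                "guest": ("assign", "public")}
    return Broker(desktops, policies)
```

A real broker would take the user identity from the authentication step rather than trusting the name passed in, and would persist sessions so a second broker node can honour the same release policy.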
3. Work seamlessly with on-prem and in-cloud workstations
In the M&E industry, cloud technology is leveraged to handle resource-intensive jobs and surges in workload, and brokering technology is also integrated into the major cloud platforms such as AWS, Azure and GCP to deliver the VDI experience. Users can use either a software client or a zero client (a small-form-factor, lightweight hardware device designed for VDI environments that does not run a full operating system) to access both on-prem and in-cloud workstations through the connection broker.
4. Multiple brokered protocols
Some brokering technology supports multiple VDI protocols simultaneously, such as RDP, VNC, PCoIP, RGS, and RemoteFX. A company can choose the most suitable protocol for each user group or computer group to best deliver the VDI quality and save costs on bandwidth or licenses.
5. Customisable notifications and API integrations
Most modern connection brokers support the SMTP and SNMP protocols for notifications and service monitoring with customisable alert rules; API integration is also available in some solutions, which makes automation possible.
What about VPN?
A VPN provides a centralised access point for remote workers and uses strong encryption to protect the traffic being tunnelled. This resolves some pain points of the typical VDI scenario, but it also introduces a few other issues due to the nature of a VPN service.
VPN technology provides many advantages for a remote working environment. A company does not need to own a large number of public IP addresses to serve multiple lightweight VDI sessions (RDP, VNC), and computers are not exposed on the public Internet. However, it is still not an ideal technology for the VDI environment in the M&E industry.
- First of all, VPN is a category of services, and the many different protocols deliver different service characteristics. For example, IKEv2, OpenVPN and SSL VPN are very client-dependent and not well supported on zero clients, while PPTP and L2TP/IPSec are less secure or less efficient.
- Purchasing a VPN solution sized for throughput-intensive services is expensive, and in a VDI environment a lot of traffic is being transferred all the time
- A VPN introduces queueing delay due to its complex tunnel encapsulation and encryption algorithms
- A VPN provides a transparent tunnel for data transfer, so the server side cannot react to changes in client-side network quality
Considerations
Based on the above analysis and the comparison with VPN technology, it is very clear that the connection broker is the winner in almost every single aspect. This is also why brokering technology is always a key part of a VDI solution. Every technology is great in some ways and not so great in others. I'd like to sum up the advantages of VDI brokering by saying: it is designed for this job, and so it does it well.