2 Replies Latest reply on Jul 26, 2018 2:47 AM by MarXtar

    Persistent and Non-Persistent Virtual Desktop Environment EPM Metrics

    JacobTucker Rookie

      Hi Everyone!

       

      We are going to be deploying 2018.1 EPM agents to our VDI environment soon and the folks that manage it are inquiring about any kind of metrics that can be provided. We've gotten recommendations from Ivanti about best practices, but are interested in what some of you may be doing.

       

      VDI Environment details: 1600 - 3000 active non-persistent and around 60 - 300 persistent VMs. Our virtual desktops are accessed on thin-client embedded OS devices. These thin-client devices are also set back to a pristine state once rebooted, similarly to the connection to a new VM when the non-persistent VMs are disconnected from.

       

      Our VDI administrators' concerns:

      • Will there be any noticeable performance issues (VDI Server level, VM level)? If so, what is done to combat that?
      • Any Agent configuration settings to disable / enable to reduce footprint?
      • They want to turn off all scheduled scans, or schedule scans out so far in the future that they never happen. Value in this?
      • Any comments on Self-Electing Subnet in a virtual desktop environment?

       

      Any anecdotal evidence, experiences, pitfalls are welcomed.

       

      Thanks everyone!

        • 1. Re: Persistent and Non-Persistent Virtual Desktop Environment EPM Metrics
          phoffmann SupportEmployee

          A few points here. Bear in mind that some of this is of the "how long is a piece of string" variety, as it all depends on "how you configure things".

           

          • Re Noticeable Performance
            • ... shouldn't be, unless you configure it in a way that it would (i.e. "I run a vulnerability scan every 5 minutes, and that somehow kills my disk I/O").
          • Agent settings to be configured ...
            • ... well - that depends on what you do / do not want to be able to do. What do you care about? You CAN remove most things ... but if you don't want to be able to remote control, then you won't be able to do so "if you need it".
              ... so this is a bit of an open question really. What do you want / need?
            • Remember that you can select whether or not you're collecting software usage (and whether you save that data to a network share, or keep it locally) - may be useful for your VDI stuff.
          • Turning off all scheduled scans ...
            • ... I'd say that's a bad idea. This stuff is "on your network" ... you will want to have regular updates of inventory & vulnerability data (1x per week) if only to have an idea where "the latest MELTDOWN" is vulnerable, for instance. Turning that stuff off makes it somewhat moot having a management tool in the first place.

              It's a great recipe for causing all manner of grief & problems down the line. The "you don't know what you don't know" stuff tends to haunt people sooner usually rather than later.

           

          • Re: Self-electing...
            • ... if you CAN, I'd recommend sticking to self-electing being enabled on hardware (our algorithm prefers hardware over virtual anyway, IIRC) - especially hardware that's likely to be on / available at most times. So ... "while you CAN", I would argue that it's "best not to" use CSEP on VDI-infrastructure, unless you're stuck in a rut.

           

          Hope that helps as a starter for 10?

          • 2. Re: Persistent and Non-Persistent Virtual Desktop Environment EPM Metrics
            MarXtar ITSMMVPGroup

            More questions because as Paul says 'it depends'.

             

            First though I'd say for your persistent environment, treat it as though it is a physical device. You need all standard functionality including scheduled scanning in there as all updates etc. will probably need to be done via EPM. Yes it adds load but you need to be updating your knowledge of what will eventually become 60-300 totally unique systems. Just be careful about frequency and consider 'windows' when it makes sense for scans to take place and/or randomise so the load is spread out.

             

            Your non-persistent environment can be different. You say they reset on reboot, so what is the normal behaviour with that? Is it being left down to the users to decide or is there a forced reboot happening? If a forced reboot, when/how?

             

            This part is important as this defines your maximum period (worst case) scenario caused by removing scheduled activities. If they are forcibly rebooted every night then you could have an agent config that does inventory based upon user login (you still need to be updating the inventory somehow otherwise it just gets stale). If these systems could be running for days or weeks before being rebooted then you need to consider the impact that stale data will cause.

             

            What is happening with patching for these devices? In non-persistent we'd normally expect there to be some kind of backend patching process that updates the gold image that machines are spun up from. If you have EPM patching then you probably don't want to be patching these systems using that (except perhaps for critical patches during the window of time it might take your gold build to be updated) but do you want some kind of 'belt and braces' scan to show you if your systems are still exposed to vulnerabilities? This is probably the most impactful scan you might do so this should be considered carefully.

             

            What about software usage? Do you require stats? If so have you configured the location for this data to be stored in your agent config (use a specific one for these devices) and have you tested its behaviour? Absolutely test so you fully understand what will happen and when.

             

            Really consider what you want EPM to be doing for you on these devices and if you share that with us we can highlight a few options. For the most part EPM functionality is meant for a persistent environment but there is benefit in non-persistent if your expectations are set at the correct level.

             

            There's also what our State Management plugin offers for non-persistent VDI too so maybe take a look at that.

             

            Mark McGinn

            MarXtar Ltd/MarXtar Corporation

            http://ivantione.marxtar.com

            Ivanti One Development Partner

             

            Try MarXtar Enterprise Notifier for Ivanti to Better Communicate with Your Service Subscribers

            Try MarXtar State Management for Ivanti to Better Understand and Manage your Assets