Importance of Virtual Desktop Infrastructure (VDI)
Modern workplaces are evolving with shifting expectations of both employers and employees. Enterprises are focused on aligning employee and business needs, and they are using technology to boost productivity and increase engagement. VDI is one such technology that is seeing rapid adoption, with the current COVID-19 situation accelerating it. VDI provides added flexibility and portability for remote workers while giving IT administrators the benefits of scalability, security and centralized management.
While workplace flexibility and business agility have enabled the transition to virtualization technologies like VDI, its mass adoption and rollout bring challenges in administration. Common end-user complaints include high log-in times while accessing their VMs, poor app performance from the VMs, etc. Essentially, IT admins are left dealing with tickets that highlight inconsistent experience across the locations and devices that employees use to initiate the VDI session. Additionally, they have to deal with network availability, as the VDI instance is accessed over the Internet, which brings in multiple dependencies like ISPs, CDNs, DNS, etc. This necessitates finding the right monitoring tools to get visibility into the VDI system.
In this blog post, we will discuss the intricacies and dependencies around monitoring your VDI environments and how ThousandEyes can be used to detect issues in VDI connectivity paths and find their root cause.
End-to-End VDI Connection Path
With VDI, desktop environments are hosted on a central server, or in the cloud, and the specific desktop images run within virtual machines (VMs) that are delivered to end-user devices over a network. Those endpoints may be PCs or other devices, like tablets or thin client terminals.
When a VDI connection is initiated from the end-user device, the Gateway (or the VDI front door, as it is sometimes called) provides users with secure access through single sign-on to all the resources specified in the VM. The Gateway can be deployed on premises or in any public cloud. A common example of this is the Citrix Gateway (Netscaler Unified Gateway).
- An end user tries to spawn a VDI session by initiating a connection to the Gateway (VDI front door) URL and provides login credentials.
- The Gateway communicates with the Connection Broker, where the credentials are validated, and the broker designates the list of available resources for this end user. Paths 1 and 2 in Figure 1 above depict this.
- Once the user selects a resource, an encrypted session is launched between the user and the VM through the Gateway, through paths 3 and 4 seen in Figure 1 above.
- Once on the VM or VDI instance, the user can seamlessly access internal web applications (path 5) or external SaaS applications (path 6), just like they are connecting from their home device.
The VM running the VDI instance can run on datacenter infrastructure or on other cloud hosting providers (IaaS) like Microsoft Azure, AWS or GCP. Rather than design, deploy and manage VDI software and hardware in-house, you can use a Desktop-as-a-Service (DaaS) provider, like AWS Workspaces, Nutanix Xi Frame or Citrix Managed Desktops, to do the heavy lifting. In DaaS, the access (gateway) and control plane (connection broker) are provided as a managed service running in the cloud. This helps you scale quickly and efficiently but you lose some customizability in the process.
How ThousandEyes Can Monitor VDI Environments
This section walks you through the various ways in which ThousandEyes can be used to monitor your VDI environment. To monitor your VDI systems in an effective manner, you need visibility at both network and application layers. You can use a combination of different ThousandEyes vantage points and tests that are best suited for your environment and use case.
- Leverage Cloud Agents (instantly available from 190+ cities globally) to measure the user experience from various locations around the world. They can be used to benchmark performance and compare against various customer global branch offices and your employees’ remote locations.
- Deploy Enterprise Agents in your corporate network, within your data centers and regional branch offices to simulate your employee connectivity and performance. They can also be installed on thin clients if they allow for additional software to be installed in a partition such as iGEL custom partition.
- Gain visibility into remote users through vantage points deployed on Windows / macOS machines or web clients (e.g., HTML5 client for Citrix workspace) using our Endpoint Agents.
Monitoring from the End-user Device to the Gateway
When you rely on the Internet for connecting to your VDI Gateway, you are invariably relying on multiple external services (like ISPs and DNS) that you don’t directly own or control. Monitoring the connectivity path from the end-user device to the gateway helps you answer questions such as whether a user can start, or even reach, a VDI session, and why the Gateway is taking a long time to respond.
Proactively monitoring the VDI front door can be accomplished by setting up a combination of HTTP and network tests from various vantage points. These tests gather service availability metrics, end-to-end network metrics along with hop-by-hop network path details so you can quickly identify and resolve issues before they impact user experience. The various vantage points give you flexibility for troubleshooting connectivity issues for specific end users (Endpoint Agents) and for specific locations like branch offices (Enterprise Agents). You can also use synthetic transaction tests to simulate end user interactions with the VDI service, letting you quantify log-in time to the front door portal to troubleshoot log-in delays.
In Figure 3, I will walk you through an example where we can pinpoint latency issues for an end user by traversing the network path taken between the end-user device and the VDI front door. The front door URL is a DNS load-balanced URL that resolves to several different IP addresses depending on the user’s location. The user in London is being directed to a gateway in London and sees low latency (6 ms). But the user in Munich is experiencing high latency (213 ms) because of being routed to a gateway in Singapore via the US!
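The misrouting case above can be checked mechanically: from each vantage point, time a TCP handshake to every gateway address and compare the gateway DNS selected with the fastest reachable one. The following Python is an added example, not ThousandEyes code; the gateway IPs (documentation ranges), the 20 ms slack and every latency other than the 6 ms and 213 ms figures from the text are constructed.

```python
import socket
import time

def tcp_connect_ms(ip, port=443, timeout=3.0):
    """Time one TCP handshake to a gateway IP; None if it cannot be reached."""
    start = time.perf_counter()
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return (time.perf_counter() - start) * 1000.0
    except OSError:
        return None

def find_misrouted(probes, slack_ms=20.0):
    """probes: {vantage: {"dns_answer": ip, "rtt_ms": {ip: ms or None}}}.
    Flag vantage points whose DNS answer is unreachable, or slower than the
    best reachable gateway by more than slack_ms."""
    findings = []
    for vantage, p in sorted(probes.items()):
        reachable = {ip: ms for ip, ms in p["rtt_ms"].items() if ms is not None}
        if not reachable:
            findings.append((vantage, p["dns_answer"], None, "no gateway reachable"))
            continue
        best_ip = min(reachable, key=reachable.get)
        answered = reachable.get(p["dns_answer"])
        if answered is None:
            findings.append((vantage, p["dns_answer"], best_ip, "DNS answer unreachable"))
        elif answered - reachable[best_ip] > slack_ms:
            findings.append((vantage, p["dns_answer"], best_ip,
                             f"{answered:.0f} ms vs {reachable[best_ip]:.0f} ms"))
    return findings

# Constructed sample data: in practice each rtt_ms value would come from
# tcp_connect_ms() run on an agent at that vantage point.
GATEWAYS = {"192.0.2.10": "London", "198.51.100.20": "Singapore"}
SAMPLE = {
    "London": {"dns_answer": "192.0.2.10",
               "rtt_ms": {"192.0.2.10": 6.0, "198.51.100.20": 180.0}},
    "Munich": {"dns_answer": "198.51.100.20",
               "rtt_ms": {"192.0.2.10": 19.0, "198.51.100.20": 213.0}},
}

if __name__ == "__main__":
    for vantage, got, best, why in find_misrouted(SAMPLE):
        print(f"{vantage}: resolved to {GATEWAYS.get(got, got)}, "
              f"best is {GATEWAYS.get(best, best)} ({why})")
```

A finding for a vantage point narrows the problem to DNS-based gateway selection rather than the access network, which is the distinction the London and Munich comparison draws.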
Monitoring SaaS and Web Applications from the VM
Once the end user is able to establish a VDI session and access a VM, monitoring the applications accessed from within the VDI session is crucial. Accessing SaaS applications introduces a path through the Internet and the associated dependencies we discussed in the previous section. Monitoring the connectivity path from the VM to the application will help detect issues and root causes impacting user experience, helping the IT administrator determine if the issue lies within the VDI infrastructure or between the VDI session and the external SaaS/web application.
Deploying an Endpoint Agent on the VM allows you to monitor business-critical SaaS and internal web applications in real time. Our agents use browser-based real user monitoring to automatically capture user interactions for a set of IT-defined applications, such as Salesforce or Office 365, or to record sessions on-demand for ad hoc troubleshooting. You can also use the Endpoint Agents to proactively monitor SaaS targets using synthetic HTTP tests.
Figure 5 shows the browser session overview for all the pages accessed by an AWS Workspaces instance (IP-C61372CA).
Figure 6 captures the detailed waterfall and page load metrics (such as page load time, response time, browser errors and experience score) captured for every session and correlated with the underlying end-to-end network behavior to quickly identify the root cause of slow page loads or poor user experience.
The following is a summarized checklist on how to monitor your VDI environments.
VDI systems are here to stay, and being able to monitor and narrow down application and network issues is crucial for achieving a good end-user experience and for increasing IT administrator productivity.