
Huawei FusionCloud Desktop Solution for Governments


Contents
1 Analysis on Industry Trends
2 Service Scenarios and Huawei FusionCloud Desktop Solution
3 Success Stories
Challenges to Traditional PCs

Information security
• Data is stored on the local terminal.
• Various ports are difficult to manage.
• User behavior is difficult to manage.
• Data is lost and information leakage occurs if computers are lost.
• Personal data on the disks installed in PCs is vulnerable to loss, which affects service operation.

Service assurance
• Delivering PCs to employees takes a long time.
• Terminal faults require onsite maintenance, which takes a long time and has low efficiency.
• Standardized desktop management is difficult because of diverse software and hardware.

Resource fixing
• Standard hardware configurations fail to meet customized requirements.
• Hardware configuration does not support flexible upgrades.
• Hardware resources are fixed, and idle resources cannot be used by other programs or users, which results in low resource usage.

Security protection, system management, and device O&M are resource-intensive and cause long business interruptions. Even so, the effect is still unsatisfactory.
Integration, Sharing, and Platformization Are the Development Trends of E-government

[Figure: Data center integration plan of the U.S. federal government. Chart of the number of data centers from 1998 to 2010 (12 years) and the planned reduction from 2010 to 2015 (5 years), with axis marks at 2096, 800, and 400.]

Countries on the forefront of e-government actively make and launch new development strategies and implementation plans, including the Open Government operation and Data Center Integration operation of the USA, the Smart Government strategy and ICT strategy of the UK, and the Government 2.0 strategy of Australia. All these strategies feature integration, efficiency, openness, and sharing.

[Figure: Cloud computing-based e-government public platform in China. Roles: informatization administration department, service providing department, government affair agency. Phases: service design (deploying top-level design), service preparation (establishing a public platform, constructing a service system), service implementation (providing high-quality services), service use (supporting application development).]

The cloud computing-based e-government public platform is a comprehensive service platform provided by the information management departments at or above the county level with help from professional technology service institutes. This platform is built using cloud computing technology as well as computing, storage, network, information, and application support resources to provide infrastructure, support software, application function, information resource, operating assurance, and information security services for government departments.
Overall Requirements for Secure Protection of Governments

[Figure: Threats (virus and Trojan horse, network eavesdropping, data being decrypted, system vulnerability, unauthorized access, DDoS attack) set against controls (risk control, ID management, security audit, permission management) across four areas: computing environment security, communication network security, boundary security, and security management.]

Overall requirements
• The graded protection of the external network mainly provides security protection for the application systems and data that are carried, and monitors attacks, viruses, and abnormal traffic, improving the capabilities to handle and respond to network and information security emergencies.
• The levels are evaluated according to the effect on legitimate rights and interests, social order, and public interests, and the impact on national security.

Challenges
The security deployment and implementation need to strictly follow the graded protection standards to eliminate potential security risks:
• Computing environment security
• Communication network security
• Boundary security
• Security management
Government Office Terminal Situation and Challenges

[Figure: Cloud computing center (file server, email server, web server, database, application server) reached by office PCs, cloud terminals, the external government network, the Internet, and remote offices on business trips.]

• A terminal is infected by viruses and then the viruses spread to the entire network.
• The cloud terminal and the office PC exist at the same time, which makes management and control difficult.
• Network access points increase and network vulnerabilities double.
• Patches are not installed in a timely manner, so malicious attacks are incurred.
• Core resources are accessed without authorization and sensitive data is stolen.
Cloud Computing-based Desktop Transformation

Desktop transformation
• The cloud data center provides the storage, computing, and applications that used to be provided by local devices.
• PCs are replaced by TCs (mobile phone, PC, TC, pad).

Benefits
• No data is stored locally: data security is under control.
• Mobile office: access to VMs anytime and anywhere.
• Easy O&M: one person can maintain 1500 desktops.
• Quick fault recovery: reduced service interruption time.
Huawei Desktop Cloud Breaks the Virtual Desktop Development Bottleneck

[Figure: the three capability groups below surround the decision maker.]

Superior experience
• Optimized audio and video services, improving user experience
• GPU sharing for meeting graphics requirements
• User-friendly login page

Agility and high efficiency
• Unified O&M management platform
• Various maintenance-assisted tools for improving the services
• Software pre-installation and quick delivery

Security, reliability, and flexibility
• Complete product forms and flexible deployment
• Complete and flexible E2E security protection design
• All-round reliability

Committed to creating enterprise virtual desktop infrastructure that offers a better experience and is easy to deliver, easy to manage, and cost-effective.
Logic Architecture of the Huawei Desktop Cloud Solution

[Figure: three-tier architecture]
User side (TCs): CT3000/CT3100, CT5000, CT6000, and other terminals
Network side: access switch, firewall
Data center side:
• Desktop cloud software: FusionAccess (cloud gateway, WI login page, HDC connection control, user information database, AD/DHCP/DNS) and ITA service management
• Cloud platform: FusionSphere (VMs, graphics processing VM, FusionManager, VRM virtual resource management)
• IT infrastructure hardware: RH2288H, E9000, S5500T (optional), and UHM unified hardware management

End-to-end solutions optimize and consolidate resources to ensure comprehensive performance and user experience.
Typical Application Scenarios of Governments – Diversified Requirements of Desktop Users

Office personnel (administrative office personnel, R&D and test personnel)
• Require complete desktops to handle complex services.
• Require personalized desktops.
• Require high information security.

Government affair personnel (government affair hall)
• The external government affair network is divided into multiple isolated areas.
• Civil servants need to access the services in multiple areas.

Mobile office personnel (mobile office)
• Leaders on business trips need to review and approve documents.
• Requirements for information security
• Immobility of traditional C/S applications
• Service processing in outdoor, street, port, and customs scenarios

Personnel in remote branches (branch office, distance education)
• Secure access
• Fixed office desktops
• Complex applications
• Require a large number of company resources.

Government hotline personnel (call center, call center service personnel)
• Single type of desktop services
• Limited resources
• Unified UI
• Moderate personalized requirements

External personnel (on-premises outsourced maintenance personnel, trainees, third-party maintenance personnel)
• Require complete application experience.
• Security restriction and audit
• Standard application set
Cloud-based Government IT System: Desktop Cloud Entrance

[Figure: Converged government cloud infrastructure serving the confidential network, the government network, Internet services, and the Internet. It comprises the internal government network cloud, the external government network cloud service, and the public service cloud, with a gatekeeper between the internal and external government networks. The external government network extends to government branch offices.]
Administration OA Scenario: Optimal Experience, Agility and High Efficiency, Solid System Reliability
On-cloud Internal Government Office: Administrative Civil Servant Scenario

Responsibilities: common civil servants

Job characteristics → Requirements on the desktop cloud
• A single type of professional work requires experience assurance. → Performance optimization of certain services
• Requires collaboration. → Convenient information sharing and exchange
• Expects privacy protection. → Private space for employees (care, software, and data)
• Requires large-scale unified management. → Automatic O&M management tools
Optimal Experience: Terminal-to-Cloud User Office Experience Assurance

Audio – key technology HDP@Media
• High-fidelity music compression algorithm
• Voice optimization
• Low latency
• High sampling rate

Display – key technology HDP@Display
• Lossless compression for non-natural images
• No transmission of redundant images
• Multiple image compression algorithms

Video – key technology HDP@Media
• Intelligent video scenario identification
• Dynamic frame rate adjustment
• Dynamic video data adaptation
• Multimedia redirection
• Flash redirection

HD graphics processing – key technology GPU hardware virtualization
• 32-channel cloud graphics workstation/graphics card
• 100 Mbit/s HD video and intelligent graphics identification technology
• HDP hardware acceleration improves graphics compression speed to the millisecond level.

High-performance virtualization platform
• Optimal virtualization performance
• Density and scale of the virtual desktop

User-friendly UI
• Excellent office experience
• High security and efficiency
Agility and High Efficiency: Efficient Office and O&M, and High Resource Utilization

Unified O&M
• Unified management of physical and virtual resources
• Desktop cloud service and unified fault management

Simple installation
• Simplified installation package and optimized installation process
• Pre-installation and quick delivery for the appliance

Mobile office
• Virtual desktops reachable on business trips, from home offices, and at the enterprise headquarters

Automatic O&M management tools
• Software/peripheral compatibility test tool
• Health check and log collection tool
• Connection repair tool
• User experience optimization tool
• One-click restoration tool
• Performance collection and analysis tool
• Self-service maintenance tool

High resource utilization
• Resource reuse
• Thin provisioning
Solid System Reliability: All-round Reliability

Client connection reliability
• Automatic reconnection after network interruption
• Automatic network status detection
• The desktop protocol supports port auto-negotiation to resolve application software conflicts.
• Desktop agent software is protected against mistaken deletion by antivirus software.

VM service reliability
• Distributed data consistency check
• Service disaster recovery

Platform reliability
• Key component HA
• Resources reserved in case of physical faults
• Automatic clock synchronization
• Node memory and CPU management, and automatic disk status monitoring
• Local access at branches in case of network interruption

VM management reliability
• Automatic VM restart in case of blue screens
• VM snapshots in case of VM faults
• Service layer status monitoring
• Automatic recovery
• Automatic fault isolation
Government Affair Hall Scenario: Unified Management and Control, Service Continuity
On-cloud Government: Government Affair Hall Scenario

Themes: multimedia, easy to use, security protection

Public self-service area
• Efficient service running
• Stability and reliability
• Quick fault recovery
• Support for self-service
• Support for multiple peripherals

Service waiting area (TV)
• Smooth video playback
• Remote control
• Limited interaction

Counter service area
Optimal Experience: Smooth Video Playing

Key technology HDP@Media
• Video scenario automatic detection: Automatically distinguishes between video data and common GDI data. Uses H.264 or MPEG2 to efficiently encode the video data and uses TCs' hardware capabilities to decode the data.
• Dynamic frame rate adjustment: Dynamically adjusts the video frame rate based on network quality to ensure smooth video playing.
• Video data auto-adaptation: Automatically adjusts the video data volume based on the display resolution and video play window size to reduce CPU usage and improve user experience.
• Multimedia redirection: Uses TCs' hardware decoding capabilities, automatically reconnects to the network upon network disconnection, dynamically adjusts traffic, supports 1080p video playing, provides better smoothness than ICA, and supports DXVA redirection as well as a vast range of standard file types and video formats.
• Flash redirection: Redirects Flash content and videos to TCs for playing, fully utilizing TC hardware capabilities and reducing the load on virtual desktops.
• Powerful application-aware capability: Optimizes common video playing software (such as Flash) and graphics processing software (such as Photoshop).

Comparison (HDP vs. other desktop protocol)
• Maximum frame rate: 35 vs. 30
• Automatic screen detection: detects characters, pictures, and video vs. cannot detect characters and pictures
• Video coding: H.264/MPEG2 vs. H.264
• Dynamic frame rate adjustment: supported vs. supported
• TC chip optimization (Huawei-developed chip): invokes TC chips directly rather than through the OS, providing high efficiency vs. not supported
Optimal Experience: Multimedia Support

Mode A: Decoding on a VM
• Videos are decoded on the VM; the video window is part of the desktop and is mapped to clients.
• Supports 1080p videos.
• Bandwidth is related to the size of the video window. More bandwidth is required for full-screen play.

Mode B: Decoding on a TC
• Uses the redirection technology to redirect videos to a local TC for hardware decoding.
• Bandwidth has no relationship with the video window. Guarantees fluent play in full-screen mode.
• Supports 1080p HD videos.
• Supports DXVA redirection to allow a variety of file types and video formats.

The video decoding mode can be decided by the management system automatically.
Government Affair Hall Scenario: Full Memory Desktop Solution

Key technologies
• The memory deduplication, compression, and reuse technologies are used. The VM system disk is stored in the memory. A VM can be restored to the initial status upon restart.
• The full memory VDI storage technology is used. Real-time online deduplication and online compression technologies that break through the limitations of the memory medium are used. High-speed I/O capabilities and high-speed clone capabilities are supported, providing more than 300 IOPS for each desktop. VM disk read/write operations become memory operations. VMs are created and delivered in batches, improving management efficiency.

[Figure: VMs on a hypervisor; memory resources hold the compressed and deduplicated base image plus a delta disk per VM; storage resources (NAS or SAN) hold the shared read-only base disk and the user disks.]

Customer benefits
• Batch operation efficiency, system restoration capability, and management experience are improved.
• Deployment efficiency is improved.
• Disk purchasing costs are reduced.
• Storage I/O performance bottlenecks are eliminated, improving user experience.

Solution limitations
• This solution is applicable only to scenarios where user data does not need to be backed up or stored and desktops must be automatically restored, such as the government affair hall self-service scenario.
Government Affair Hall Scenario – Service DR Solution

GSLB (global server load balancing) service redundancy DR solution
• A DR center equivalent to the production center is constructed in a standby site (the two centers can work in load sharing mode). The two data centers distribute desktop resources for the key service users.

TC-based service DR solution
• When no GSLB is deployed, the software installed on TCs checks the health of the production center and the DR center. When a disaster occurs, the client software detects the disaster and switches services to the DR site.

[Figure: production site and DR site, each with an access network, active/standby AD, and VMs (VM1, VM2, ...) on FusionSphere; GSLB in front of both sites in the first solution, a DR agent on the TC in the second. Using the remote replication function of the NAS device, data on the VM data disk can be backed up.]

Customer benefits
• Ensures service continuity when a disaster occurs.
• Shortens service interruption time and minimizes user data loss when a site is faulty.

Solution limitations
• This solution is applicable only to scenarios where service DR is required but data backup is not required, such as the government affair hall and service hotline scenarios.
• The NAS device needs to be added to back up data on the VM data disk.
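The TC-based DR solution above leaves the switch-over decision to software on the terminal. The following added example (my own illustration, not Huawei's DR agent) models that decision: the TC probes both centers and moves to the DR site when the production center fails. The hysteresis rule is an assumption of this example, not something the deck states: a center counts as down only after `down_after` consecutive failed probes, and production is re-adopted only after `up_after` consecutive good probes, so one lost probe does not bounce users between sites. The probe log is constructed.

```python
"""TC-side site selection for a TC-based service DR solution (added example)."""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class DrSiteSelector:
    production: str = "production-site"
    dr: str = "dr-site"
    down_after: int = 3      # assumption: consecutive failures before failover
    up_after: int = 5        # assumption: consecutive successes before failback
    active: str = field(init=False)
    events: list[str] = field(default_factory=list, init=False)
    _prod_fail: int = field(default=0, init=False)
    _prod_ok: int = field(default=0, init=False)

    def __post_init__(self) -> None:
        self.active = self.production

    def observe(self, prod_healthy: bool, dr_healthy: bool) -> str:
        """Feed one probe round (production, DR) and return the site to use."""
        if prod_healthy:
            self._prod_ok += 1
            self._prod_fail = 0
        else:
            self._prod_fail += 1
            self._prod_ok = 0

        if self.active == self.production and self._prod_fail >= self.down_after:
            if dr_healthy:
                # Production has been down long enough: switch to the DR site.
                self.active = self.dr
                self.events.append(f"failover after {self._prod_fail} failed probes")
            elif self._prod_fail == self.down_after:
                # Both centers unreachable: there is nowhere better to go.
                self.events.append("production down but DR unhealthy; staying put")
        elif self.active == self.dr and self._prod_ok >= self.up_after:
            # Production has been stable again: move users back.
            self.active = self.production
            self.events.append(f"failback after {self._prod_ok} healthy probes")
        return self.active


def replay(selector: DrSiteSelector, probes) -> list[str]:
    """Return the active site after each (production, DR) probe round."""
    return [selector.observe(p, d) for p, d in probes]


# Constructed probe log: two good rounds, a three-round outage, then recovery.
PROBES = [(True, True)] * 2 + [(False, True)] * 3 + [(True, True)] * 5

if __name__ == "__main__":
    sel = DrSiteSelector()
    for site in replay(sel, PROBES):
        print(site)
    print(sel.events)
```

With the constructed log the selector stays on production through the first two failed probes, fails over on the third, and fails back only after five consecutive healthy probes; a single lost probe on its own never triggers a switch.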
Government Mobile Office Scenario: Mobile Experience, Quick Recovery, Data Security
On-cloud Government: Mobile Office Scenario

Scenarios: law enforcement and supervision, administration for industry and commerce, tax, business travel, daily check, on-site office and mobile inspection station, public facilities, disaster, transportation, public order

Requirements
• Low network bandwidth occupation
• Quick fault recovery
• Data security assurance after the terminal is lost
Mobile Office Solution

How to ensure that access to office desktops is not restricted by terminals or networks? How can office data security be ensured when office and personal equipment are no longer bounded?

• The access network is not restricted. Users can access the desktop cloud anytime and anywhere, over the Internet, Wi-Fi, 3G, a private network, or the LAN.
• The access terminal is not restricted. Users can access the office desktop by using any terminal device.
• Users who access the office desktop from different terminals enjoy the same experience.
• The unified ID authentication system ensures security for the various access modes.
Mobile Office

[Figure: terminals reach the access gateway over HSPA/LTE or WIFI access networks.]

Technical features
• High compatibility: Virtual applications or VDI SCs are compatible with smart Android and iOS terminals.
• Touch optimization: Magnifying glass, local photo insertion, automatic display of the keyboard, and scroll by touch are supported.
• Zero development for Windows applications: Intelligent terminals are only responsible for input, output, and display. Windows applications do not need to be developed for pads.
• High security: Data is transmitted over VPN encrypted channels, preventing information interception.
• Flexible modes: SBC application virtualization (Beta) and VDI modes are supported.

Application scenario
• Mobile office, such as mobile approval and document browsing
Government Branch Office Scenario: Secure Access, Automatic Management, Service Continuity
On-cloud Government: Branch Office Scenario

[Figure: the government IT service and data center connects, over a private network, the Internet, and a 3G network, to government branch offices for technology R&D (research institutes) and government branch offices for foreign affairs (branches or divisions of related bureaus and offices).]
Government Branch Desktop Cloud Solution

[Figure: Central site (more than 500 people, latency < 50 ms): service system and desktop cloud (VR/standard). City branch site (fewer than 500 people, latency > 50 ms): desktop cloud appliance (VX) and local resources. County/Bureau FusionCloud branch site: local resources. Primary branch site (fewer than 100 people, latency > 50 ms): CompactVDI and local resources. Sites are connected over the WAN; a maximum of 255 branches are supported.]

Service requirements
• Resources of government affair halls in cities and counties at all levels are dispersed and service capabilities are not at the same level.
• Multiple equipment rooms are built. The O&M management costs are high and resource usage is low.
• The primary office network is in poor condition.

Solution design
• A centralized platform is built in the headquarters and resources are centralized, reducing bandwidth costs.
• According to the scale and network condition, remote access is adopted or resources are allocated to branches, ensuring user experience and service continuity.
• Unified quick deployment and unified O&M management are supported.
Challenges and Solution for the Government Remote Access Scenario

Challenges for remote access
[Figure: remote villages, organizations and institutions, counties, branch offices, and personnel on business trips reach the data center on the external government network over the Internet.]
• For remote villages as well as organizations and institutions, the deployment of private lines requires high costs and long deployment duration; however, Internet access has low security and data leakage risks.
• When personnel on business trips access the government office through the Internet, data may be intercepted and tampered with.

Huawei remote access security solution
[Figure: the same sites connect through an SVN (SSL VPN for personnel on business trips, IPSEC VPN for remote villages, organizations and institutions, counties, and branch offices) to the desktop cloud in the data center.]
• The desktop cloud uses SSL VPN encryption technology to ensure secure and reliable data transmission without affecting convenient access.
Centralized Data Management and No Data Running on Terminals
(Security dimensions: terminal access security, protocol security, user authentication, system security, management security)

Traditional PC: Data is distributed to terminals. Operating systems, applications, and data are locally deployed on terminals. Terminals are easy targets for virus attacks and malicious theft.

Desktop cloud: Applications and data are centrally managed. Desktops and data are separated from terminals and are centrally stored and processed in the data center (application system and virtual desktop). Only screen refresh information is transmitted through the access gateway to the TCs.
Branch Network Latency and Office Cloud Experience

Office cloud experience at different latencies
• > 100 ms: The experience is poor. Unacceptable experience makes work impossible for end users.
• < 100 ms: Frame freezing occurs during OA/webpage browsing. The experience is poor.
• < 80 ms: OA/webpage browsing is smooth but frame freezing occurs during local/online video playback. End users can accept the experience but may feel unsatisfied when frame freezing occurs frequently during video playback.
• < 50 ms: OA/webpage browsing is smooth and local/online video playback is smooth most of the time. Frame freezing occurs occasionally during video playback. The experience is similar to that of PCs; end users feel unsatisfied occasionally because frame freezing occurs when the latency is greater than 20 ms.
• < 20 ms: OA/webpage browsing and local/online video playback are smooth. The experience is similar to that of PCs.
Government Hotline Scenario: Voice Experience, Efficiency and Reliability
On-cloud Government Hotline: Call Center Agent Scenario

[Figure: government hotline agents on the government cloud serve the public over the Internet and the fixed-line network, with high-level officials supervising and related government departments involved in handling.]

System features
• High audio QoS assurance
• High service handling efficiency
• High collaboration capability
Optimal Experience: High Sound Quality

Key technology HDP@Media
[Figure: HDP server (VM) and client (TC) connected by separate VoIP and music tunnels.]
• Different algorithms for different sounds: Uses the telecommunication voice compression algorithm for human voice optimization in the VoIP scenario, and uses professional music coding and decoding algorithms for music.
• Voice optimization algorithm (automatic denoising): Enables the denoising algorithm for VoIP and ensures excellent voice quality even in noisy environments.
• Stereo mixing: Mixes all input and output voices to improve onsite experience.
• Low latency: Transparently transmits voice on TCs to reduce latency due to the voice buffer on TCs and ensure real-time performance for voice communication.
• High sound quality: Uses a higher sampling rate for voice (default: 44.1K; competitors': 16K) to ensure high sound quality at the source.

HDP sound quality: PESQ reaches 3.4. Sound quality of other VDIs: PESQ is only 3.0.
Carriers require that the perceptual evaluation of speech quality (PESQ) value of voice communication be greater than 3.3. If PESQ is lower than 3.3, voice quality cannot meet commercial requirements.
VM-based SoftClient

[Figure: TCs connect over HDP through LB & AG to virtual desktops (VM 1, VM 2, VM 3 on FusionSphere) in the desktop cloud; the voice codec client (OpenEye) and the agent client are installed on the VMs; media access (UAP/AIP) carries the voice flow and the CTI platform/service system carries the control flow to the service applications.]

Advantages
• Good compatibility: The voice software does not need to be modified for the desktop cloud and is compatible with mainstream call center software.
• Smooth evolution: The method of installing and deploying the voice software on VMs is the same as that on PCs.

Disadvantages
• Long latency: VoIP voice data requires a second codec conversion from the VM to the TC, which causes long latency. Latency is related to the network environment. You are advised to perform a POC test before deployment.
Outsourcing Scenario: Security Isolation, Centralized Management, Rights- and Domain-based Management
On-cloud Government: Outsourced IT Maintenance Scenario

[Figure: the administrator and the global manager manage the G-cloud; remote IT personnel connect over the Internet and field IT support personnel work on site.]

Requirements
• Level-, rights-, and domain-based management
• Security management and centralized monitoring of internal personnel and outsourcing personnel
• Optimized integrated IT platforms, which improve IT O&M efficiency and reduce IT O&M costs
Two Desktop Modes: VDI and SBC

VDI (virtual desktop): VM1, VM2, VM3 on FusionSphere
• Application scenario: This mode applies to the standard VDI scenario. It allows each knowledge worker to have an independent Windows desktop and independent programs and data. This mode also supports virtual desktops created in linked clone or pool mode without personalized settings.

SBC (shared desktop) (Beta): FusionSphere optional
• Application scenario: This mode is used by task-based employees. Complete desktops are provisioned based on SBC application virtualization, and Windows Server shared virtual desktops are supported. Users are isolated based on sessions, and data is stored in the profile file, which is stored on the file server in roaming mode.
Security Office Scenario: Access, Transmission, Data, and Management Security
On-cloud Government: Security Scenario

[Figure: potential threats (enemy state, terrorist, commercial espionage, paparazzi) target military and national security information, criminal investigation and public security information, business and technical secrets, and public privacy profiles, through direct contact personnel and indirect contact personnel in the government.]

Requirements
• Access control
• Security control
• Rights control
• Operation audit
• Data protection
Separation of the Internal Network and External Network: Traffic Isolation and Data Isolation

[Figure: the data center (management service system, AD, storage network) sits on the internal network behind the core/aggregation switch and the internal/external network firewall; a SANGFOR load balancer and access gateway front the fixed office desktops and pooled office desktops on the internal network, and a second load balancer and access gateway front the virtual applications on the external network; office-area users are VIP users, common users, and guests. Markers 1, 2, and 3 in the figure correspond to the references below.]

Traffic isolation
• Supports service network access traffic isolation: physical user desktop terminals can access the service systems only. (Reference 1)
• Supports Internet access traffic isolation: users can only access the Internet through virtual desktops or virtual applications. (Reference 2)
• Network isolation on the firewall (Reference 3):
  – Ports from the PC to the virtual desktop: ports 8843/443/80 are opened. Others are disabled.
  – Ports from the virtual desktop to the AD: only ports for the AD IP address, the directories to be accessed, and Kerberos authentication are opened. Others are disabled.

Data isolation
• The desktop protocol control policy ensures that data on the PC disks, peripherals, and files cannot be transmitted to VMs using the desktop protocol.
• The data for accessing the Internet from a virtual desktop can only be saved locally and cannot be transmitted to physical machines directly without using the desktop rights control policy.
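The firewall rules above are stated as two allow lists with everything else disabled. The following added example (my own illustration, not Huawei's or SANGFOR's configuration) encodes them as a default-deny, zone-based policy and evaluates sample flows, which is a useful way to review such a rule set before deployment. The zones, the address plan and the AD address are constructed; Kerberos (88) and LDAP (389) are the standard ports assumed here for "the AD IP address, the directories to be accessed, and Kerberos authentication", since the slide does not number them.

```python
"""Default-deny flow check for a PC / virtual desktop / AD rule set (added example)."""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed address plan; nothing here comes from the deck.
ZONES = {
    "pc": "10.1.0.0/16",               # physical office PCs
    "virtual_desktop": "10.2.0.0/16",  # desktop VMs behind the access gateway
    "internal": "10.10.0.0/16",        # data center services, including the AD
}
AD_IP = "10.10.0.5"                    # constructed AD address


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_ip: Optional[str]              # None matches any host in dst_zone
    ports: frozenset
    action: str                        # "allow" or "deny"


# Rules as stated on the slide; anything not matched is denied ("Others are disabled").
RULES = [
    # PC -> virtual desktop: 8843/443/80 only
    Rule("pc", "virtual_desktop", None, frozenset({8843, 443, 80}), "allow"),
    # virtual desktop -> AD host only, Kerberos and LDAP only (port numbers assumed)
    Rule("virtual_desktop", "internal", AD_IP, frozenset({88, 389}), "allow"),
]


def zone_of(ip: str) -> Optional[str]:
    """Map an address to its zone, or None if it is outside every zone."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in ipaddress.ip_network(net):
            return name
    return None


def evaluate(src_ip: str, dst_ip: str, dst_port: int) -> str:
    """First matching rule wins; no match means deny."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    for rule in RULES:
        if rule.src_zone != src_zone or rule.dst_zone != dst_zone:
            continue
        if rule.dst_ip is not None and rule.dst_ip != dst_ip:
            continue
        if dst_port in rule.ports:
            return rule.action
    return "deny"


def audit(flows) -> dict:
    """Evaluate (src, dst, port) flows; returns {flow: decision} for review."""
    return {flow: evaluate(*flow) for flow in flows}


if __name__ == "__main__":
    for flow, decision in audit([
        ("10.1.3.4", "10.2.0.9", 443),    # PC to desktop on an opened port
        ("10.1.3.4", "10.2.0.9", 3389),   # PC to desktop on a disabled port
        ("10.2.0.9", AD_IP, 88),          # desktop to AD, Kerberos
        ("10.2.0.9", "10.10.0.7", 88),    # desktop to a non-AD internal host
        ("10.2.0.9", "10.1.3.4", 443),    # desktop back to the PC: never allowed
    ]).items():
        print(flow, decision)
```

The point of the `audit` helper is the review step: feed it the flows an application actually needs plus the ones it must not have (file sharing from a desktop to the AD host, any desktop-to-PC traffic) and confirm that only the intended flows are allowed.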
Government Cloud Center Security Isolation Solution

[Figure: areas of the government cloud: public service area (front end), resource sharing area, government service area, application server area, operation management area, development and testing area, DMZ, OA area, general service area, high-security service area, and storage area; the Internet reaches the front end.]

Three function modules ensure office terminal security

Management and service plane isolation
• Management and computing are performed on different VLAN planes.

Physical isolation between computing and storage
• Independent storage network

Plane isolation of the three-layer application architecture
• WEB, APP, and DB are located on different VLAN planes.

Isolation design of each service area
• Desktop VMs in the public service area, resource sharing area, and government services area are physically isolated. Firewalls or gatekeepers are deployed between areas to implement isolation, and IPS is deployed to implement intrusion prevention.
• The internal service area is logically divided into the operation management area, development and testing area, OA area, general service area, and high-security service area.
• Based on different requirements, services of different departments can be allocated to different security areas, and different virtual firewalls can be deployed to implement security isolation.
Security OA Scenario – E2E Security Protection

TC security control
• External storage devices prohibited
• Installation of unauthorized software prohibited
• Domain account, fingerprint, USB key, and dynamic password authentication
• AD-free TC authentication
• Users bound to specific TCs

Additional access measures
• Third-party digital certificate authentication
• Security gateway
• Virtual desktop authentication
• State Secrets Bureau-tested antivirus
• SSL encrypted transmission
• BM17 encryption
• Virtualization isolation of virtual desktops

User data encryption
• Transparent encryption and decryption
• User unawareness of encryption and decryption
• USB key support

Role separation and system entrance management
• Unified management
• Administrator behavior monitoring
• Operation logs
• Security policy configuration
• Secure operations
• Management roles
• Secure management

Data privacy – residual information deletion
• Safe deletion of VMs
• Residual information overwritten with 0s
• Residual information leakage prevention

Unified log audit
• Audit management
• Unified log management
• Enhanced compliance audit
Terminal Access Security – Restricted TC Access
 Restricted TC access: Binding relationships are established between TCs' MAC addresses/MAC address groups and domain users/domain user
groups, so that domain users/domain group members can access desktops from restricted TCs or TC groups. The restricted TC access feature can be
used with any WI authentication mode.
 Specified IP segment access: Access permissions can be configured for clients' IP segments. In this way, users can only access virtual desktops using
specified IP segments including IP addresses and subnet masks.
 Application scenario: The restricted TC access feature applies to scenarios in which high information security is required and users can access virtual
desktops that contain sensitive information only from restricted TCs.

 The desktop cloud administrator can enable the TC binding function on the ITA portal and import the binding relationships between TCs' MAC addresses and users.
 The binding relationships can be imported in one of the following ways:
Method 1: Manual import
Method 2: Batch import
Login experience: a desktop user with a TC bound to the user is admitted; a desktop user with a TC unbound from the user is rejected (X).
1. When a user logs in to the WI, the TC sends the username, domain name, and MAC address to the desktop cloud system to check whether the TC is bound to the user.
2. If the information matches the binding information saved in ITA, AD authentication is implemented, and login is continued.
3. The user logs in to the VM.
 Users who have been bound to TCs can log in to WI only from the bound TCs.
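The check described above, as an added example that is not Huawei's code: a binding maps a domain user or user group to MAC addresses or MAC address groups, an optional policy lists permitted client IP segments as address plus subnet mask, and login continues only when both pass. The policy data, user names and MAC addresses are constructed for illustration.

```python
"""Added example (not Huawei's code): a model of the restricted TC access and
specified IP segment checks. Bindings map a domain user or user group to MAC
addresses or MAC groups; IP segments are "address/subnet mask". All values are constructed."""
import ipaddress
from dataclasses import dataclass, field

@dataclass
class AccessPolicy:
    user_bindings: dict = field(default_factory=dict)   # user -> {MAC or MAC group}
    group_bindings: dict = field(default_factory=dict)  # user group -> {MAC or MAC group}
    user_groups: dict = field(default_factory=dict)     # user -> [user groups]
    mac_groups: dict = field(default_factory=dict)      # MAC group -> {MACs}
    ip_segments: list = field(default_factory=list)     # "address/subnet mask" strings

    def _expand(self, entries):
        # A binding entry is either a MAC group name or a literal MAC address
        macs = set()
        for entry in entries:
            macs |= self.mac_groups.get(entry, {entry})
        return {m.lower() for m in macs}

    def allowed_macs(self, user):
        allowed = self._expand(self.user_bindings.get(user, set()))
        for group in self.user_groups.get(user, ()):
            allowed |= self._expand(self.group_bindings.get(group, set()))
        return allowed

    def check(self, user, mac, client_ip):
        """Return (ok, reason); AD authentication continues only when ok is True."""
        allowed = self.allowed_macs(user)
        # Only users that have a binding are restricted to their bound TCs
        if allowed and mac.lower() not in allowed:
            return False, "TC not bound to user"
        if self.ip_segments:
            ip = ipaddress.ip_address(client_ip)
            if not any(ip in ipaddress.ip_network(seg, strict=False)
                       for seg in self.ip_segments):
                return False, "client IP outside the specified segments"
        return True, "binding matched, continue with AD authentication"

# Constructed sample policy: alice bound to one TC, finance group bound to floor-3 TCs
POLICY = AccessPolicy(
    user_bindings={"gov\\alice": {"00:11:22:33:44:55"}},
    group_bindings={"finance": {"tc-floor3"}},
    user_groups={"gov\\bob": ["finance"]},
    mac_groups={"tc-floor3": {"00:11:22:33:44:66", "00:11:22:33:44:77"}},
    ip_segments=["10.10.1.0/255.255.255.0"],
)
```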
45
Desktop Protocol Security and Policy Control
(Tab bar: Trusted terminal | Trusted access | Trusted computing environment | Security audit)

 Centralized data control: Desktops and data are separated from terminals and centrally controlled on the cloud. Only screen refresh information is transmitted to terminals.
 Control over virtual peripheral channels: Each virtual channel, such as printing control and USB port mapping management, can be enabled or disabled independently.
 One-way control over data flows: The USB flash drive is read-only. Data can be written to a VM from a USB flash drive but cannot be written from the VM to the USB flash drive.
 Encrypted protocol transmission: Desktop protocol transmission is encrypted and protected by the AES128 algorithm by default.
(Diagram: the terminal/peripheral outputs the screen refresh and keyboard and mouse commands; user access control and data encryption transmission run over HDP/SSL through the security access gateway; HDP connects to the virtual desktop in the desktop data center, where application virtualization, the enterprise app server, and ERP and other DBs reside.)
46
Virtualization Security Isolation

 Resource isolation: CPU, memory, and disk I/O are isolated based on the VM.
 vNIC security: The hybrid mode is blocked and the MAC or IP address cannot be changed to avoid spoofing attacks.
 Network isolation: The vSwitch supports VLAN isolation and hierarchical QoS control.
 Access control: The security policy is configured based on the security group and automatically applied to each VM. The security policy is dynamically migrated along with the VM.

Features: Hierarchical security protection
 Infrastructure isolation: The management, storage, and service planes are in physical network isolation.
 Virtual boundary isolation: Boundary isolation and access control of data centers are implemented by virtual firewalls. The ACL, Anti-DoS, and IPSec VPN functions are supported.
 Virtual resource isolation: The layer 2 isolation between VMs is implemented using VLANs and the layer 3 isolation and access control are implemented using security groups. The VM IP address and MAC address are bound to prevent ARP spoofing attacks.

Benefits
 The VM-level access control measures are provided to prevent viruses and threats from spreading among tenants.
 Intelligent flexible security protection is provided. VM drift and capacity expansion do not require manual configuration of security policies.
(Diagram: VM 1 and VM 2, each with a guest OS and apps, run on virtual hardware; computing resources are allocated to vCPU1, vCPU2, ...; the VMs attach to a vSwitch and are grouped into Security group 1, Security group 2, and Security group 3.)

47
Rights- and Domain-based Management System Supporting Separation of Roles

 Role-based access control (RBAC) proposed by the National Institute of Standards and Technology (NIST) is implemented. Rights- and domain-based management prevents unauthorized management.
 Rights of the system administrator, security administrator, and security auditor are separated from each other (no super administrator exists). The three roles restrict and supervise each other, preventing security risks caused by centralized rights.
 The separation of roles mechanism must be specified during system installation. Otherwise, the super administrator takes effect.

(Diagram, domain-based management: over the management network, the Green-zone FusionSphere administrator manages only Cluster 1 (VM1, VM2, VM3) and the Red-zone FusionSphere administrator manages only Cluster 2 (VM1, VM2, VM3); a firewall (FW) separates the zones, and cross-zone operations are rejected as unauthorized operations.)

(Diagram, rights-based management: the super administrator's rights, system management and security management, are split among three roles.)
Security auditor: log auditing, log viewing, log exporting.
System administrator: user creation, VM management, storage management, network management, ...
Security administrator: user approval, rights management, security policy management, ...
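The three-role separation described above, as an added example that is not Huawei's code: each account holds exactly one role, no right is granted to two roles (so no account can amount to a super administrator), and a user created by the system administrator stays inactive until the security administrator approves it, with every decision written to a log the auditor can read. The right names follow the slide; account names are constructed.

```python
"""Added example (not Huawei's code): a model of the three-role separation.
Rights follow the slide (former super administrator split into system management
and security management); accounts and users below are constructed."""

ROLE_RIGHTS = {
    "system_administrator": {"user.create", "vm.manage", "storage.manage", "network.manage"},
    "security_administrator": {"user.approve", "rights.manage", "security_policy.manage"},
    "security_auditor": {"log.audit", "log.view", "log.export"},
}

def roles_are_disjoint(role_rights=ROLE_RIGHTS):
    """True when no right is granted to more than one role (no hidden super admin)."""
    seen = set()
    for rights in role_rights.values():
        if seen & rights:
            return False
        seen |= rights
    return True

class RoleSeparation:
    def __init__(self):
        self.assignments = {}    # account -> role (one role per account)
        self.pending_users = {}  # new user -> creating account, until approved
        self.audit_log = []      # (account, right, decision), readable by the auditor

    def assign(self, account, role):
        if role not in ROLE_RIGHTS:
            raise ValueError(f"unknown role {role}")
        if self.assignments.get(account, role) != role:
            raise PermissionError(f"{account} already holds {self.assignments[account]}")
        self.assignments[account] = role

    def authorize(self, account, right):
        role = self.assignments.get(account)
        ok = role is not None and right in ROLE_RIGHTS[role]
        self.audit_log.append((account, right, "allow" if ok else "deny"))
        return ok

    def create_user(self, account, new_user):
        if not self.authorize(account, "user.create"):
            return False
        self.pending_users[new_user] = account  # inactive until approved
        return True

    def approve_user(self, account, new_user):
        # Approval needs a different right, hence a different account than the creator
        if not self.authorize(account, "user.approve"):
            return False
        return self.pending_users.pop(new_user, None) is not None
```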
48
Contents
1 Analysis on Industry Trends
2 Service Scenarios and Huawei FusionCloud Desktop Solution
3 Success Stories

49
Shanghai Pudong Public Service Center Project, Quick Rollout of
More Than 70 Peripherals upon One-time Test
Challenges
 The public service center is an important platform for government service improvement, work
innovation, government-society relationship improvement, and social construction reinforcement.
The public service center includes 23 offices, more than 50 functional departments, more than
500 personnel, and 196 service windows. There are a large number of service systems and the
terminals are distributed on different floors of the building. Centralized management is required
to improve management efficiency and information security.

Huawei Solution
 This project adopts FusionAccess V100R005C10 (5.1 version) and is configured with 14
Huawei E6000 blade servers. Each server is configured with the 8-core E5-2650 CPU and 160
GB memory. Four Huawei IP SAN 5500T enclosures are configured and four S5352 switches
are deployed. The configured TC is the mid-range and high-end CT5000, which supports the 2-
core AMD CPU, various peripheral interfaces, and smooth video playback.

Customer Benefits
 Quick rollout of desktop services helps office personnel to quickly handle citizens' services,
which also improves office operation experience. Efficient, green, and elastic cloud services are
fully reflected.
 In particular, the Huawei desktop cloud solution resolves the peripheral compatibility problems in
the industry. Based on the diversified functions of HDP, the project team quickly finished the
compatibility tests of more than 70 peripherals and provisioned 200 users. After two months of stable
running of the system, the peripherals work properly, including 3 self-service desktops with a
printing volume of 10000 pieces per day.

50
Security Desktop Project of the Langfang Planning Bureau
Challenges
• The Langfang Urban and Rural Area Planning Bureau is in charge of the city system planning,
overall city planning, village planning, and underground space planning as well as the
organization, investigation and approval, and supervising of detailed city planning. There is a
large amount of sensitive data in the office system. To prevent data leakage, the bureau uses
physical isolation solutions in the desktop environment. However, the network switching is
complex, the data security management is difficult, and the O&M efficiency is low.

Huawei Solution
• The solution is configured with 15 E9000 (E5-2680) servers and two S2600Ts. Each civil servant
is configured with two desktops (4 CPUs, 4 GB memory, and 80 GB disk). 200 TCs and 400 VMs
are deployed. (200 VMs are used to access the Internet and 200 VMs are used to access the
government office network.)

• The comprehensive security isolation and design of the cloud and network implement the
isolated access between the office network and the Internet.

• To access the 3D graphics files (AutoDesk, 3DS MAX, and City Maker), 50 VMs adopt the GPU
passthrough solution. In addition, the high-performance CT6000 with excellent graphics
processing capability is deployed to ensure the graphics quality of the GPU passthrough VM.

Customer Benefits
• Internal planning data is protected and civil servants are allowed to access the Internet.

• Time for switching between the Internet and office network is reduced from 2 minutes to 5
seconds.

• Maintenance duration of a desktop decreases from 2 hours to 3 minutes, greatly improving O&M
efficiency.

51
Huawei Cloud Helps Jiangxi Provincial Party Committee Implement Efficient
Government Affair Informatization

Challenges
 The early phase of informatization lacks unified construction standards, planning, and
management. Information silos exist. Software and hardware resources cannot be
shared effectively.
 The rollout of new services requires a long period, inhibiting government service
development.
 Traditional PC office brings disadvantages, inconvenience, and security problems.

Huawei Solution
 This solution uses FusionSphere to build a virtual resource pool to deploy customers'
services on the cloud platform and reserves space for capacity expansion. One E6000
server subrack and two S5500Ts are deployed. The desktop is configured with 2 CPUs,
2 GB memory, and 160 GB disk.
 Based on the FusionAccess software, users and data are isolated and secure access to the office environment is implemented. In the first phase of the project, 300 desktops are deployed to meet the requirements of OA of the provincial party committee. In the second phase, 2000 desktops are deployed based on the dual-DC architecture of the Honggutan data center. In the third phase, 6000 desktops are deployed for the branch offices in Jiangxi.

The General Office of Jiangxi Provincial Party Committee is an organization directly under the Jiangxi Provincial Party Committee. The information center provides the information platform to all bureaus and carries the internal network service construction of Jiangxi e-government.

Customer Benefits
 Based on the dynamic resource scheduling capability of the virtualization platform, services can be quickly deployed and O&M efficiency is improved.
 Users and data are isolated, reducing information security risks.

52
Huawei Helps Xi'an Railway Administration Implement Desktop Cloud
Office in the Ankang Section
Challenges
 Due to historical reasons, the Ankang section started informatization construction from
scratch and requires advanced technologies to build an architecture that adapts to the
development of future data centers.
 PC software is not updated in time and has a large number of security vulnerabilities.
Service data may be leaked or lost on the client.
 PC-dominated office systems are hard to manage and old devices cost a lot in
maintenance.

Huawei Solution
 The E6000 server and S5500T storage are adopted. Huawei FusionAccess is deployed
to adapt to the development of cloud computing.
 During the project implementation, the user application features are analyzed and key
points that affect user experience are recognized to optimize the configuration.
 Automatic and centralized O&M realizes the unified management of all VMs.

Customer Benefits
 Cloud computing is applied to the office scenarios of the Xi'an Railway Administration, improving work efficiency and competitiveness.
 Office security and reliability are ensured.
 Environmentally-friendly computer rooms are built, reducing energy consumption and noise.

"The Huawei server virtualization and desktop cloud simplify overall maintenance and reduce O&M costs after the trial use in the Ankang section."
---- A frontline engineer of the Ankang section

53
AU Conference Center Desktop Cloud, a Secure and Efficient Office Platform

Challenges
 Low conference efficiency: Meeting minutes need to be translated into English, French,
Arabic, and Portuguese and delivered to participants. The meeting minutes cannot be
modified quickly, and modification costs are high.
 High information security risks: Paper-dominated meeting minutes are difficult to recycle
or manage. Moreover, meeting minutes are easily disclosed, and information security
cannot be ensured.

Huawei Solution
 Optimized services: Meeting minutes do not need to be printed, reducing required manpower
and money. Employees can focus on key service processes. The use of WiFi TCs implements
mobile office.
 Centralized O&M: Huawei FusionCloud Desktop Solution provides a unified O&M
management platform to improve O&M management efficiency and ensure the quick response
to incidents.
 Information security: All meeting minutes can be centrally stored, managed, recycled, archived, and deleted after a meeting, ensuring information security.

Customer Benefits
 The initial fixed investment is cut down by 40%.
 The container data center has a small footprint and is easy to maintain, which preserves the prestigious university building that has a history of 100 years.
 The PUE is reduced to 1.55. Compared with the original data center, the total energy consumption is cut down by 30%.
 Data can be centrally stored and managed. Compared with the original storage system, the TCO is reduced by more than 20%.

"We appreciate the excellent work Huawei has done for the 18th AU conference. Huawei provided the desktop cloud system for this AU conference and worked with the MIS department of the AU to finish deploying the system within three weeks, which is of high quality and high efficiency. The brilliant performance of the system helps us improve the working mode and efficiency of the conference."
--- Quoted from the thank-you letter written by the AU to the Chinese Embassy in Ethiopia and Huawei
54
HUAWEI ENTERPRISE ICT SOLUTIONS A BETTER WAY

Copyright©2015 Huawei Technologies Co., Ltd. All Rights Reserved.


The information in this document may contain predictive statements including, without limitation, statements regarding the future financial and operating results, future product
portfolio, new technology, etc. There are a number of factors that could cause actual results and developments to differ materially from those expressed or implied in the predictive
statements. Therefore, such information is provided for reference purpose only and constitutes neither an offer nor an acceptance. Huawei may change the information at any time
without notice.