Methods of granting a user remote access to the blade PC 8
CCI design considerations 9
  CCI static configuration network considerations 9
  When to and when NOT to collocate blade PCs in a Data Center 9
Additional Active Directory information 9
  Using an alias record in DNS 9
  Using a static IP address 9
  Using a dynamic register through DHCP 9
  Using security groups 9
For more information 10
Abstract
This document provides information on design considerations specific to the Static model
implementation of the HP Consolidated Client Infrastructure (CCI) Solution. The static configuration is
for customers who do not wish to dynamically allocate users to blade PCs. Instead, each user
connects directly to a statically assigned blade PC that is dedicated to that specific user.
Document Scope
This paper assumes that the reader already has a basic understanding of how CCI works and how it
is deployed in a dynamic configuration that allocates clients to blade PCs on demand. To provide a
working example, this document describes a CCI Static implementation with the least amount of user
restriction, to keep the implementation as simple as possible. It also covers the static design options to
be considered when customizing the implementation to satisfy the customer’s requirements. This
paper provides information on design considerations specific to the Static implementation and is not
intended to communicate a baseline static configuration. Each customer site will require customization
of each of the CCI configurable items described in the following sections.
Static configuration description
The CCI Static configuration requires each user to be assigned to a specific blade PC. Every time the
user logs on, the user connects to their assigned blade PC. The CCI Static configuration does not
require the use of an allocation engine, which can result in a simpler design and installation of a CCI
solution. Though generally simpler to implement, the static model requires more manual effort to manage
the user-to-blade PC assignments. As the number of users and blade PCs increases, managing
a static CCI model can become more challenging due to:
• The IT staff having to establish procedures for assigning users to individual blades.
• The possibility of a catastrophic blade PC failure, requiring the user to phone the help desk, report
the issue, and be reassigned to another available blade PC. In contrast, dynamic CCI model users
are automatically assigned to different blade PCs in the event of blade failure.
Conversely, the static CCI model offers some design flexibility that is not available in a typical
dynamic CCI model.
• Although not recommended, user data files can be stored on the local hard drive of the blade PC.
However, without the use of an enterprise data backup solution deployed on each blade PC, end
users would be giving up the data protection provided by using network storage and backup
processes. IT staff would be giving up the ability to easily manage the blade PC image. The image
restore process will have to consider the user’s data files stored on the blade PC.
• A static configuration could offer less-restrictive policies on the blade PC, such as application
installation. With the dynamic CCI model, it is not logical to allow users to install software directly
to the blade PC because there is no guarantee that the user will connect to the same blade PC in
future logins. In a dynamic model, a ‘locked-down’ image ensures fewer calls to the Help Desk
asking for assistance in fixing image problems or eradicating viruses. When business requirements
make such restrictive policies inappropriate, the static CCI model may be a better option even
though many of the cost savings of a dynamic CCI implementation may not be realized.
• The static model can be configured so that the “follow-me roaming” feature is enabled. This means
that because each user is assigned to one specific blade PC, the user can move to another access
device, log in from there, and take over their active session.
• The static model can be configured to allow the user to disconnect from their blade PC without
logging off of their session. They will then be able to reconnect to their session and have access to
any open applications and data unchanged from when they disconnected.
Static Topology
Note:
The network infrastructure design can and should be changed to fit the customer’s existing network and/or
business requirements. Figure 1 below depicts an example of a simple network using just one VLAN.
Figure 1. CCI static topology with single VLAN
[Figure 1 labels: HP PC Blade Enclosure holding Blade 1 through Blade 20, each with NIC A and NIC B; NIC A ports on LAN Segment 1 (NIC A IPs assigned by DHCP); NIC B ports on LAN Segment 2 (NIC Bs disabled); L2 Switch; Thin Clients; Domain Controller/DHCP/DNS; Altiris/HPSIM (RDP); Generic Devices; NAS – File Shares; WAN Router.]
Figure 2 shows an example of a two-VLAN network design, which allows separation of blade PC
imaging traffic from daily network traffic.
Figure 2. CCI static topology with two VLANs
[Figure 2 labels: Altiris/HPSIM (RDP) with PXE/DHCP; HP PC Blade Enclosure holding Blade 1 through Blade 20, each with NIC A and NIC B; LAN Segment 1 (Segment 1 NIC IPs assigned by DHCP); LAN Segment 2 (Segment 2 NIC IPs assigned by DHCP); L2 Switch; Thin Clients; Domain Controller/DHCP/DNS; Generic Devices; NAS – File Shares; WAN Router.]
Static configuration design considerations
Outlined below is the most basic Static Configuration. Compared to the dynamic CCI model, this
basic static configuration carries an increased risk of software image issues, including viruses, and of losing
user data stored locally on the blade PC hard drive. Also provided is a list of customizable items that may
be considered when designing the static CCI solution to satisfy the customer’s business requirements.
Basic Static Configuration
The Basic CCI Static Configuration is similar to an unmanaged corporate PC with extended/remote
I/O devices, as described in Table 1. This configuration applies the fewest user restrictions and is the
easiest to implement: each user has local Administrative privileges on their specific
blade PC.
Table 1. Basic static configuration settings
Parameter | Setting
Blade PC setup | Like other corporate PCs, with added CCI Blade PC tweaks and software
User-to-blade ratio | One blade PC per user
Hard drive | No file access restrictions
User profile | Stored on blade PC hard drive (no roaming profile)
CCI group policy restrictions | Not implemented, or few restrictions
User privileges | User has local admin privileges
User data location | Stored locally on blade PC hard drive (no folder redirection)
User grouping | All users in blade PC Remote Desktop Users security group
Access device (Thin Client) | Kiosk mode, single or direct connect
CCI User-based Configuration options
Once the basic configuration is established, configuration options are available that improve ease of
management, security, reliability and maintenance. The options described below are controlled by
Active Directory Group Policy settings. Refer to the Policy Implementation and Recommendation Guide for the Consolidated Client Infrastructure (CCI) document for additional information about the Group
Policy Objects that affect the CCI solution behavior.
Hard drive File Access
• Affected behaviors:
– Blade PC hard drive access
– Microsoft hot fix install process
– Application installation or removal
– Limited User privileges or Local Admin Privilege
– Blade PC image management process
• Impact of restricting user access to files on the hard drive:
– Image is managed by IT staff – blade PC images can be restored with no impact to user. IT staff
guarantees the desired OS hot fixes are installed and application versions are the desired
revisions.
– Could require IT maintenance for multiple blade PC images to meet the user base requirements
– Users do not have the ability to install harmful or non-licensed software.
– Requires the availability of network storage for User Data files where it can be backed up
protecting it from hard drive failure.
– Blade PCs can be housed in the data center behind data center firewalls, benefiting from the
increased security native to data centers.
– Requires folder redirection to be implemented
• Impact of NOT restricting user access to files on the hard drive:
– IT staff could maintain one baseline image and delegate the responsibility of customizing the
image to the users.
– IT staff may not be able to restore blade PCs without affecting user data.
– Users can be made responsible for managing the blade PC image.
– Users have the ability to install any software application, increasing the risk of infecting the blade PC
with a virus or introducing incompatible software versions.
– Users can store data files locally on the blade PC hard drive, making the data vulnerable to loss
caused by hard drive or image failure. Users may be required to perform their own backups.
– Does not require the purchase of network storage, which simplifies the network configuration.
– It is not recommended that these blade PCs be housed behind data center firewalls, because regular
users could install malicious software on systems behind the Data Center firewalls.
Roaming profile
• Affected behaviors:
– The user profile is available on any blade PC the user logs into, so the user’s environment follows
him/her to whichever blade PC is used.
• Impact of using Roaming profiles:
– Need to limit what is included in the profile. The larger the profile, the longer it takes to log in.
– Enables user work environment settings to be stored on network storage
– Could cause unwanted merging of profiles with NON-CCI production systems.
– Improper session closures could result in corrupted profiles.
– May require installation of Microsoft’s user profile hive clean-up utility, found at:
• Impact of NOT using Roaming profiles:
– User has to reconfigure work environment and settings if assigned a new blade PC.
– Does not require network storage to upload profile
Folder Redirection
Note:
If the user’s My Documents, Application Data, Desktop and Start Menu are redirected, the customer will
have a greater opportunity to back up and protect user data. IT staff could then manage the blade PC
image(s) without having to worry about erasing user data.
Folder Redirection – My Documents
• When redirected:
– Changes the default location of the user’s data repository to any networked server share.
– Ensures access to all data from any blade PC
• When NOT redirected:
– Risk of data loss if blade PC requires re-imaging or hard drive fails.
– Should not be implemented when blade PC hard drive is locked down.
Folder Redirection – Application Data, Desktop, and Start Menu
• When redirected: Data is not stored on the hard drive. Instead, it is stored on a shared network
resource. This allows common user experience from any blade.
• When NOT redirected: Some aspects of the user’s experience will require configuration each time
the user acquires a new blade PC.
Ability for user to shut down blade PCs
• When removed: Most users will not be able to shut down or restart the blade PC. Other policies are
required to completely remove this feature.
• When NOT removed: The user could shut down the blade PC, requiring a call to user support to have
someone power the blade PC back on, either through the HP PC Blade Enclosure Integrated
Administrator or by gaining physical access to the blade PC and pressing the power button.
Session timer values
Session timers are especially valuable when using a dynamic configuration where total users
outnumber total blades. To ensure the highest availability of blades, timers can be set to
disconnect user sessions that remain idle for long periods of time, thereby making the blade available
to other users.
Session timers are not critical in a normal static configuration, as each blade is dedicated to a
particular user. This removes the need to make the blade available to other users.
Methods of granting a user remote access to the blade PC
For each blade PC, inserting the target user’s NT account into the Remote Desktop Users group will
provide the following:
• Advantage: Protects a user’s assigned blade PC from unauthorized access.
• Disadvantage: Adds additional work to customize each blade PC by editing the remote desktop
user group.
Using a single Security Group containing all CCI Static users and placing the security group in the
blade PCs local Remote Desktop Users group provides the following:
• Advantages:
– Easier to manage user access to assigned blade PCs.
– Every user in the security group will have the ability to log into every blade PC.
• Disadvantages:
– In an implementation where the blade PC hard drive is not locked down, there could be security
issues with users gaining access to other users’ data files.
– Only one user can have an active session at a time, so if a foreign user has logged into a blade
PC, it is possible that the user assigned to that blade PC will NOT be able to log in.
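The two methods above differ in what ends up in each blade's local Remote Desktop Users group. The following PowerShell is an added example, not part of the HP paper: it applies the per-blade method (only the assigned user is added) and then audits every blade for entries that are not the assigned user, which is where the single-security-group method's "every user can log into every blade" trade-off becomes visible. It assumes PowerShell remoting (WinRM) is enabled on the blades, that the caller has local admin rights on them, and that the blade and user names are constructed placeholders.

```powershell
# Added example (not from the HP paper): apply and audit per-blade Remote Desktop Users
# membership for a static user-to-blade assignment. Assumptions: WinRM remoting is enabled
# on the blades, the caller is a local admin on them, and the names below are constructed.

# Constructed assignment table: one dedicated blade PC per user.
$Assignments = @(
    [pscustomobject]@{ Blade = 'RK01-ENC02-BAY03'; User = 'CORP\jsmith' },
    [pscustomobject]@{ Blade = 'RK01-ENC02-BAY04'; User = 'CORP\adoe'   }
)

# Per-blade method: add only the assigned user to that blade's local group (idempotent).
function Grant-BladeRemoteAccess {
    param([Parameter(Mandatory)][object[]]$Assignments)
    foreach ($a in $Assignments) {
        Invoke-Command -ComputerName $a.Blade -ArgumentList $a.User -ScriptBlock {
            param($User)
            $existing = Get-LocalGroupMember -Group 'Remote Desktop Users' |
                        Select-Object -ExpandProperty Name
            if ($existing -notcontains $User) {
                Add-LocalGroupMember -Group 'Remote Desktop Users' -Member $User
            }
        }
    }
}

# Audit: report any Remote Desktop Users entry on a blade that is not the assigned user.
# A shared security group placed in the local group shows up here as an unexpected entry,
# since it lets every member log into every blade.
function Test-BladeRemoteAccess {
    param([Parameter(Mandatory)][object[]]$Assignments)
    foreach ($a in $Assignments) {
        $members = Invoke-Command -ComputerName $a.Blade -ScriptBlock {
            Get-LocalGroupMember -Group 'Remote Desktop Users' |
                Select-Object -ExpandProperty Name
        }
        foreach ($m in $members) {
            if ($m -ne $a.User) {
                [pscustomobject]@{ Blade = $a.Blade; Unexpected = $m; Expected = $a.User }
            }
        }
    }
}

Grant-BladeRemoteAccess -Assignments $Assignments
Test-BladeRemoteAccess  -Assignments $Assignments | Format-Table -AutoSize
```

Run the audit periodically against the assignment table so that a blade whose local group drifted (an extra user, or the shared group added by hand) is caught before it blocks the assigned user's session.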
Caution:
If CCI is not the exclusive solution (non-CCI PCs are used in the domain), each PC that is not part of CCI
must have several policies set to prevent the CCI policies and/or roaming profiles from being applied
to devices not participating in the CCI Solution. If care is not taken to prevent CCI-specific policies from
being applied, catastrophic problems could result, including loss of data, icons referencing dead links,
or links being removed from the desktop. The CCI Fundamentals training class and materials cover the
steps for using preventative policies. For additional information contact HP support.
CCI design considerations
This section discusses CCI design considerations.
CCI static configuration network considerations
CCI can function as a bridging technology to separate corporate networks from the Internet by using
one Blade PC NIC for corporate data/user access and the other Blade PC NIC for Internet access.
However, the following should be considered:
• PXE operation is supported on NIC A only.
• HP recommends that corporate network traffic be handled by a blade PC NIC, and not the NIC
used for image management and/or data backup.
When to and when NOT to collocate blade PCs in a Data Center
• Do not put user-managed blade PCs behind the data center firewall.
• Install blade PCs with IT-managed images that require the additional security provided by the Data
Center security practices.
• Position data required by a widely distributed user base in the Data Center. Data access will be
faster than remote users accessing their data from local PCs.
Additional Active Directory information
This section describes various methods for users to connect to CCI.
Using an alias record in DNS
To aid with network/blade PC administration, each blade PC name should coincide with the physical
bay, enclosure, and rack where the blade PC will be located. However, this is not conducive to an
end user environment, since these names are typically too cryptic for the user to remember. To ensure
a user-friendly environment, an alias (CNAME) record can be assigned in DNS that masks the actual
blade PC name. Users will use the CNAME of their assigned blade PC to connect to CCI.
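As an added example (not from the HP paper), the following PowerShell creates a user-friendly CNAME that hides the rack/enclosure/bay blade name, verifies that the alias resolves to the intended blade, and re-points the same alias when the user is reassigned to a replacement blade after a failure. It assumes the Windows Server DnsServer module is available, that the caller has DNS administration rights, and that the zone, server and host names are constructed placeholders.

```powershell
# Added example (not from the HP paper): manage per-user DNS aliases for statically
# assigned blade PCs. Assumptions: DnsServer module present, caller has DNS admin rights,
# and the zone/server/host names below are constructed placeholders.

$Zone      = 'corp.example.com'
$DnsServer = 'dc01.corp.example.com'

# Creates or re-points the alias. Physical blade names follow the rack/enclosure/bay
# convention; the alias is what the user types into the access device.
function Set-BladeAlias {
    param(
        [Parameter(Mandatory)][string]$Alias,      # e.g. jsmith-pc
        [Parameter(Mandatory)][string]$BladeHost   # e.g. rk01-enc02-bay03
    )
    $target = "$BladeHost.$Zone."
    $old = Get-DnsServerResourceRecord -ZoneName $Zone -ComputerName $DnsServer `
               -Name $Alias -RRType CName -ErrorAction SilentlyContinue
    if ($old) {
        # Reassignment (for example after a blade failure): drop the old alias target.
        Remove-DnsServerResourceRecord -ZoneName $Zone -ComputerName $DnsServer `
            -InputObject $old -Force
    }
    Add-DnsServerResourceRecordCName -ZoneName $Zone -ComputerName $DnsServer `
        -Name $Alias -HostNameAlias $target
}

# Check from the client's point of view: the alias must point at the expected blade.
function Test-BladeAlias {
    param([Parameter(Mandatory)][string]$Alias,
          [Parameter(Mandatory)][string]$BladeHost)
    $answer = Resolve-DnsName -Name "$Alias.$Zone" -Type CNAME -Server $DnsServer
    $cname  = $answer | Where-Object Type -eq 'CNAME' | Select-Object -First 1
    return ($null -ne $cname) -and ($cname.NameHost -eq "$BladeHost.$Zone")
}

Set-BladeAlias  -Alias 'jsmith-pc' -BladeHost 'rk01-enc02-bay03'
Test-BladeAlias -Alias 'jsmith-pc' -BladeHost 'rk01-enc02-bay03'
# After a blade failure, point the same alias at the replacement blade:
Set-BladeAlias  -Alias 'jsmith-pc' -BladeHost 'rk01-enc02-bay07'
```

Clients that cached the old CNAME will keep using it until the record's TTL expires, so keep the alias TTL short if reassignments must take effect quickly.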
Using a static IP address
Assign a static IP address to each blade PC. Users will use the static IP address of their assigned
blade PC to connect to CCI.
Using a dynamic register through DHCP
In this scenario, if a blade PC fails, the DNS record may have to be manually adjusted and allowed
to re-propagate throughout the DNS infrastructure before the user can reach the replacement blade PC
resource.
Using security groups
Computer security groups can be used to manage access to CCI blade PCs. This allows domain
administrators to manage access lists instead of having to put individual groups/names on the blade
itself.
For more information
For more information, please access the following site: