Better Understand Enterprise Wi-Fi Technologies

Aruba wireless solution


The Aruba wireless solution provides network access for employees, internet access for guests, and connectivity for IoT devices. Regardless of their location within the premises, clients get the same connection quality.

Advantages of this solution are:

  • Employee productivity increases through a high-quality connection that is independent of location and movement.
  • Easy connectivity for hard-to-wire locations.
  • Centralized control and easy wireless network management.
  • Reliable connection and easy spectrum management.

A contemporary mobile environment requires high throughput and connection quality. Clients can use their credentials to connect via multiple devices from any location within the site, with low latency during roaming and good network adaptation during routine access point maintenance or unexpected downtime. Higher access point density supports a larger number of client devices and greater reliability.

Aruba Instant

The Aruba wireless network solution has two basic models: networks with and without a controller. Aruba Instant is a controller-less architecture appropriate for smaller environments. Automatic spectrum management provides better organization and protection of the RF environment. An Aruba Instant cluster distributes certain functions to the access points (APs) and elects one AP to serve as a virtual controller for the remaining management and control functions.

The network can be managed through the built-in GUI, through Aruba AirWave (available as an appliance or a virtual solution), or through Aruba Central, a cloud management platform.

Management

Aruba ARM and ClientMatch technologies are software functionalities created for enterprise wireless networks. AppRF Technology, together with Intelligent Application Identification, provides exceptional insight into applications present within a wireless network.

Aruba Adaptive Radio Management (ARM) is a technology for radio-frequency (RF) management and optimization of WLAN performance, even during the highest traffic peaks. It dynamically and intelligently chooses the optimal 802.11 channel and transmit power level for each AP and its surroundings. ARM is compatible with all standard clients and operating systems and follows the IEEE 802.11 standard; it does not require proprietary client software for best performance. ARM provides roaming with low latency, consistently high performance, and maximum client compatibility in a multi-channel environment. With good spectrum management, ARM allocates network resources appropriately between data transfer and voice and video applications at any moment. Clients supporting different standards (802.11a, 802.11b, 802.11g, 802.11n, and 802.11ac) can operate at their highest performance.

ARM functionalities:

  • Voice Aware Scanning prevents an AP that is supporting an active voice session from scanning other channels until that session is over. This significantly increases session quality while still allowing automatic spectrum management.
  • Load Aware Scanning dynamically adjusts spectrum scanning to maintain constant data transfer on a heavily loaded system once traffic crosses a defined threshold.
  • Network monitoring with ARM – When ARM is enabled, each AP regularly scans all 802.11 channels and sends network coverage, interference, and intrusion reports to the virtual controller.
  • ARM metrics – ARM calculates coverage and interference for every channel and chooses the one with the best performance and signal strength. Every AP also collects other metrics for the channels on which ARM is active to get a proper insight into its health state.


ClientMatch technology continually monitors the client RF environment to provide the best band steering, load balancing, and optimal roaming for mobile clients. It improves on legacy band-steering technologies, which did not move an already connected client from one AP to another. If a client walks out of an AP's range or unexpected interference appears, ClientMatch initiates the transfer of the client's connection to another AP.

Providing all clients with the appropriate level of service is challenging, since modern mobile devices like smartphones and tablets tend to choose by themselves which SSID they connect to, regardless of the network quality it can offer. That can have a significant impact on the client experience and general network health. The consequences can be low signal quality, connection to an oversubscribed AP, or a client that persistently stays connected to the same AP while moving through a space where other APs offer a higher-quality connection (the sticky client issue).

To solve such problems, Aruba improved on existing roaming techniques such as band steering and 802.11k/v/r and created the ClientMatch function. This patented RF optimization technology significantly improves performance and allows a predictable and consistent connection throughout the whole WLAN. As part of the Aruba AI-powered Mobility Solution, ClientMatch continually monitors the state of all client connections and intelligently groups clients onto the APs best suited for their traffic; no special client software is needed.

Client behavior significantly impacts the WLAN performance. These are some of the contributing factors:

  • Client-based decision-making – Clients usually decide which AP they connect to, what data rate they use, and whether they roam. Since they have no system-level insight into the environment, they can stay connected to an oversubscribed AP even though another AP with fewer users is available, which results in lower performance.
  • Unpredictable performance – A lower level of system performance decreases user experience quality and increases the number of support calls to the IT department.
  • Client diversity – The increasing number and diversity of mobile and IoT devices running applications that demand more bandwidth impacts the network's performance.
  • Sticky client problems and bad roaming algorithms – These problems are visible when clients stay connected to the same AP while moving, even when they are far away from it. That leads to performance degradation for every connected client, because the weak signal over a large distance forces a lower data rate.
  • Clients connect to an AP based on signal strength, not load – Besides sticky client issues, devices usually connect to the AP with the strongest signal in their area, creating an imbalance in network resource usage.

ClientMatch differs from other technologies developed for similar problems in that it uses the network's system-level insight to monitor all connected clients continuously, dynamically gathering client data (signal strength, channel in use) for every AP without any additional client software. Client data is collected and exchanged between APs for coordination and better decision-making in real time, following changes in the environment. For example, ClientMatch can identify that a user is connected to an oversubscribed AP and steer the client to a nearby AP with fewer connected clients.

Advanced capabilities:

  • Video and voice awareness – ClientMatch has insight into active video and voice sessions on the network. Clients with an active Skype call are left on their current AP so that the session is not disrupted.
  • Band steering – A dual-band-capable client is steered from the 2.4 GHz band to the 5 GHz band where the signal strength is better, to benefit from more available channels, a higher signal-to-noise ratio, and higher data rates.
  • Client steering – Client and AP performance are continually monitored to provide supervision and control functions in support of all user devices.
  • Standard compatibility – ClientMatch works with all Aruba 802.11n, 802.11ac (Wave 1/Wave 2), and Wi-Fi 6 APs.


Security

WPA3 – The basic WPA standard was issued in 2003 to replace WEP, and its successor WPA2 was published a year later. WPA3 was released in 2018 in two basic forms: WPA3-Personal and WPA3-Enterprise. WPA3 improves the encryption of wireless data transfer thanks to the Simultaneous Authentication of Equals (SAE) protocol, which replaced the Pre-Shared Key (PSK) authentication used in previous WPA versions. That provides better protection for WPA3-Personal networks that use simpler access passwords. Clients on the network cannot see each other's traffic even though they all use the same password. Passive eavesdropping is defeated: a malicious actor who monitors the exchange cannot determine the session keys in use, and cannot decrypt or alter previously recorded communication. WPA3-Enterprise adds an optional 192-bit security mode intended for organizations that consider data protection particularly important.

Enhanced Open – Aruba Opportunistic Wireless Encryption (OWE). OWE is an alternative to an Open network, based on the same principles and client requirements: a single click on the network is practically all a client needs to establish a connection. OWE appears as a standard Open network from the client's perspective, since its icon has no lock, but it has encryption built in. When the client associates to the AP, OWE performs an unauthenticated Diffie-Hellman key exchange.
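The Diffie-Hellman step described above can be shown with a short simulation. This is an added example, not Aruba code and not the OWE implementation from RFC 8110: real OWE uses elliptic-curve groups (NIST P-256 by default) and an HKDF with specific labels, whereas this uses the 1024-bit MODP group 2 prime from RFC 2409 and a plain HMAC-SHA256 derivation so that it runs with only the Python standard library. It shows that the client and the AP end up with the same pairwise master key (PMK) even though only the two public values cross the air, and that a peer must reject public values outside the prime-order subgroup before using them.

```python
"""Unauthenticated Diffie-Hellman in the style of OWE (Enhanced Open).

Added illustration. Real OWE (RFC 8110) uses elliptic-curve groups and HKDF;
this uses the RFC 2409 1024-bit MODP group 2 so it needs no third-party code.
"""
import hashlib
import hmac
import secrets

# RFC 2409 "Second Oakley Group" prime (1024-bit MODP). Chosen only because it
# is a well-known safe prime; production deployments use stronger groups.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
    "FFFFFFFFFFFFFFFF",
    16,
)
G = 2
Q = (P - 1) // 2  # P is a safe prime, so G generates the subgroup of prime order Q


def is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin test, used to sanity-check the group parameters above."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def generate_keypair():
    """Private exponent in [1, Q-1] and the public value G^x mod P."""
    priv = secrets.randbelow(Q - 1) + 1
    return priv, pow(G, priv, P)


def validate_public_value(pub: int) -> None:
    """Reject out-of-range values and anything outside the order-Q subgroup.
    This is what stops identity-element and small-subgroup inputs from
    producing a predictable shared secret."""
    if not 2 <= pub <= P - 2:
        raise ValueError("public value out of range")
    if pow(pub, Q, P) != 1:
        raise ValueError("public value not in the prime-order subgroup")


def dh_shared_secret(own_priv: int, peer_pub: int) -> int:
    validate_public_value(peer_pub)
    return pow(peer_pub, own_priv, P)


def derive_pmk(shared: int, client_pub: int, ap_pub: int) -> bytes:
    """Simplified PMK derivation: extract with HMAC over the shared secret,
    salted with both public values, then expand one 32-byte block."""
    length = (P.bit_length() + 7) // 8
    ikm = shared.to_bytes(length, "big")
    salt = client_pub.to_bytes(length, "big") + ap_pub.to_bytes(length, "big")
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    return hmac.new(prk, b"OWE demo PMK\x01", hashlib.sha256).digest()


def simulate_owe_association() -> dict:
    """One client/AP exchange: each side keeps its private exponent, only the
    public values are 'sent', and both derive the same PMK."""
    client_priv, client_pub = generate_keypair()  # carried in the Association Request
    ap_priv, ap_pub = generate_keypair()          # carried in the Association Response
    client_pmk = derive_pmk(dh_shared_secret(client_priv, ap_pub), client_pub, ap_pub)
    ap_pmk = derive_pmk(dh_shared_secret(ap_priv, client_pub), client_pub, ap_pub)
    return {
        "client_pmk": client_pmk,
        "ap_pmk": ap_pmk,
        # Everything a passive sniffer sees: two public values, no exponents.
        "observed_on_air": {"client_pub": client_pub, "ap_pub": ap_pub},
    }


if __name__ == "__main__":
    result = simulate_owe_association()
    print("PMKs match:", result["client_pmk"] == result["ap_pmk"])
```

The exchange is deliberately unauthenticated, exactly as the text states: it stops a passive observer from recovering the session keys, but nothing in it proves which AP the client is talking to, so OWE is an upgrade over an Open network rather than a substitute for WPA3-Personal or WPA3-Enterprise where client authentication is required.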

AppRF Technology – Aruba AppRF has insight into the application-level environment, differentiating thousands of individual applications, including GoToMeeting, Box, Skype for Business, SharePoint, and Salesforce.com. It also performs web filtering, including control of client activity while they browse the Internet. AppRF uses a cloud database, updated in real time, with reputation data on millions of web pages, protecting users from malicious sites before they cause unwanted consequences.

Intelligent Application Identification – Aruba uses Deep Packet Inspection (DPI) at OSI layers 4 and 7. It allows the AppRF function to monitor mobile application usage and performance and to optimize bandwidth, priority, and network paths in real time, even for applications with encrypted traffic. DPI is significant for understanding behavioral patterns that may require a change in network design and capacity when new applications are identified.

  • Business applications like Box are distinguished from applications that clients use for personal needs, like Apple FaceTime, even on the same device.
  • IP multicast video traffic and network services like Apple AirPrint and AirPlay are automatically prioritized, with additional controls.
  • DPI resolves destination addresses for web traffic to identify individual applications like Facebook, Twitter, Box, WebEx, and thousands of others.
  • For encrypted traffic, Aruba AppRF technology uses heuristics for identification.
  • For applications that are not business-critical, AppRF can limit the bandwidth and prevent congestion in a particular location.


Quality of Service

Quality of service (QoS) assigns priority to different traffic types so that network resources are distributed fairly between applications. Since the end-user device's connection is the network's access edge, it is the natural first enforcement point for traffic control policy. Traffic needs to be classified and tagged based on previously defined parameters of the corporate network.


Guest Wireless Network

Organizations often have a large number of guest users that need network access. These could be clients, partners, or vendors; depending on their needs, they use different types of devices and spend time in various locations of the business space. To support the productivity of such a diverse spectrum of users and their specific roles, appropriate connectivity through the corporate network is necessary, often in spaces other than lobbies and conference rooms.

The flexibility of the Aruba wireless network allows appropriate access for employees and guest users to be provided through the same infrastructure without reducing the security of the environment. After passing through the APs, guest user traffic is placed in a separate VLAN with a strictly defined internet connection, while access to all internal resources can be blocked at the firewall level.

Access control is provided by redirecting guest users to a captive portal, where they enter their credentials. The portal can be hosted on the Aruba virtual controller or on an external device.

Guest wireless network functionalities are:

  • Internet access for guest users with strict control.
  • WPA3 Enhanced Open as an encrypted alternative to open networks.
  • Segmentation of AP traffic.
  • Support for ephemeral guest credentials.


How Desktop Virtualization Works II

End-User Computing – Simple and Secure


VDI Access

Users access VDI with different types of devices:

  • Thin or zero clients
  • Mobile devices (smartphones and tablets)
  • Standard PC platforms (Windows, macOS, Linux)

If clients are outside the corporate network, connecting over the WAN, secure access is provided by an additional component: Unified Access Gateway (UAG).

User authentication is done through Active Directory integration, including additional security features such as single sign-on (SSO) and two-factor authentication.


Figure 1. LAN access


Figure 2. WAN access


Figure 3. Various client devices


Thin/Zero clients


Thin and zero clients are designed for VDI: reliable and straightforward, with low power consumption. They also have a small footprint, which reduces space requirements. These clients are cheaper than standard desktops or laptops and require minimal maintenance.

  • Zero clients – contain no operating system, local disk, CPU, or memory resources. With only a PCoIP chip installed, they are extremely energy efficient and easy to administer. No data is ever stored on the device, which makes them suitable for high-security environments. Some of them are configured for specific protocols only, which can be a problem, especially in large environments. In addition, the configuration and use of USB devices can be complicated in some cases.
  • Thin clients – contain an operating system, disk, CPU, and memory resources. This brings more capabilities but also more challenges in both hardware and software maintenance. These clients support VPN connections and a variety of USB devices.

Optimal device choice depends on many parameters, including the type of work, financials, and overall VDI environment. Some of the crucial factors are:

  • Protocol (PCoIP, Blast, etc.)
  • Wi-Fi connectivity
  • VPN support
  • VoIP support
  • Maximum resolution and number of monitors
  • Graphical processing capabilities
  • Security features
  • Number and type of ports
  • Centralized management capabilities
  • Ease of configuration


Mobile devices and standard PC platforms


Users access VDI using the Horizon Client software or, if client installation is not possible, a browser (VMware Horizon HTML Access).

Standard PC platforms provide outstanding performance, but that comes with higher costs and more complicated maintenance. One way to lower costs is to repurpose older devices at the end of their lifecycle. Both standard platforms and mobile devices are an excellent choice for remote users accessing corporate VDI.


User profile management


All user environments, especially large ones, fully benefit from VDI implementation only if the whole process is automated as much as possible. That means resources are dynamically assigned as needed, at the right point in time, with minimal static, pre-allocated workload capacity. The user logs in and gets the first available virtual machine, which can be different each time. This raises the question of how user-specific data and application settings are managed.

There are several ways to manage user profiles, depending on specific VDI implementation, Horizon 7 edition, and licensing model:

  • VMware Dynamic Environment Manager (DEM)
  • VMware Persona Management
  • VMware App Volumes Writable Volumes
  • Microsoft FSLogix

Profile management is done through Active Directory integration, using group policies and dedicated administrative templates for Horizon 7. A newer version of DEM can work without AD.


VMware Dynamic Environment Manager (DEM)


Settings are kept at the application level rather than at the level of the complete profile, which provides finer-grained control. The configuration for each application is kept in a separate .zip file (Figure 4). This way, settings can be applied on various operating systems, unlike most standard solutions, which are tied to a specific OS. Horizon 7 Enterprise edition is required.



Figure 4. Configuration files (DEM)


VMware Persona Management


This solution keeps the entire user profile, similar to standard Microsoft Roaming Profiles. It is available in all Horizon 7 editions, but it does not support RDSH agents or newer versions of Windows 10.


VMware App Volumes – Writable Volumes


Profiles are kept on separate virtual disks that are attached to various virtual machines as needed. Horizon 7 Enterprise edition is required, as is a separate App Volumes infrastructure (servers, agents, etc.). The virtual disks are in standard .vmdk format, which eases administration and data backup/recovery. App Volumes can be combined with DEM for a wide range of profile management options.


Microsoft FSLogix


This solution is handy for users without Horizon 7 Enterprise edition, who cannot use the advanced VMware profile management features. Profiles are kept on a network share in VHD(X) format and added to VMs as virtual disks. This way, profile content is not copied at logon, which often caused significant start-up delays. In addition, there are several more optimization features:

  • A filter driver is used for redirection, so applications see the profile as if it were on the local disk; this matters because many applications do not work well with profiles located on network drives.
  • Cloud Cache technology enables part of the user data to be stored on the local disk and allows multiple network paths for profiles to be defined; this increases redundancy and availability in case of an outage.
  • Application Masking can efficiently control access to resources based on a number of parameters (e.g., username, address range).

Both 32-bit and 64-bit architectures are supported, including all operating systems from Windows 7 and Windows Server 2008 R2 onward. It is available to all users with any of the following licenses:

  • Microsoft 365 E3/E5
  • Microsoft 365 A3/A5/ Student Use Benefits
  • Microsoft 365 F1
  • Microsoft 365 Business
  • Windows 10 Enterprise E3/E5
  • Windows 10 Education A3/A5
  • Windows 10 VDA per user
  • Remote Desktop Services (RDS) Client Access License (CAL)
  • Remote Desktop Services (RDS) Subscriber Access License (SAL)


Advanced VDI solutions – Teradici PCoIP Remote Workstation


Global data growth requires ever more resources for fast and reliable data processing. Some specific business areas also require very intensive calculations and simulations, as well as complex graphical processing. Standard VDI solutions cannot cope with these demands, and usually that kind of processing is not moved outside the data center. On the other hand, many companies need their employees to access corporate resources from any place, at any time.

This can be handled by keeping all processing inside the data center and transferring only display information (in the form of pixels) to remote clients, using the Teradici PCoIP Remote Workstation solution (Figure 5). It is composed of three main components:

  • Remote workstation host
  • Remote workstation client
  • LAN/WAN



Figure 5. Teradici PCoIP Remote Workstation solution


The host can be any standard Windows or Linux platform; it does the data processing. The host's display output is then processed at pixel level by PCoIP-specific techniques, encrypted, and sent over the network to the client. The host must have the following components installed:

  • Graphical card (GPU)
  • PCoIP Remote Workstation Card – receives data from GPU and does pixel-level processing, compression, and encoding. This component has three main types, depending on specific requirements and host configuration (Figure 6).



Figure 6. PCoIP Remote Workstation Card


Because display content comes in various types (text, images, video, etc.), special algorithms recognize each type and apply the appropriate compression method. Moreover, the compression ratio can be adjusted to network fluctuations.

On the client side, the image from the host is decompressed and displayed. Clients can be standard PC platforms (desktop/laptop) or dedicated devices (thin/zero clients), with a maximum of 4 displays, depending on the resolution.

Regardless of client type, security is at a very high level because data never leaves the data center; only encrypted pixels are transmitted. The use of dedicated devices, such as zero clients, further decreases the risk of attacks and data loss.


Implementation


As mentioned, every infrastructure is unique, and each implementation depends on many factors. However, some typical scenarios can be used for approximate resource planning and calculation.


Scenario 1. Small and medium environments


The basic option assumes infrastructure for 50 users, scalable up to 200 virtual machines by adding hardware resources and appropriate licenses.

The licensing model is based on Horizon 7 Advanced Add-on (Named/CCU) with separate licensing for vSAN, vSphere, and vCenter.

Virtual desktops are created as linked clones, which significantly reduces disk space usage and eases administration. User data is kept on a network share, with 100 GB allocated per user.

Compute resources consist of 4 hosts in a vSAN cluster with RAID-5 configuration. The ESXi operating system is installed on separate M.2 disks with RAID-1 protection. Table 1 shows the approximate calculation details for the vSAN cluster, and Table 2 shows the host specifications. Licenses are defined in Table 3.



Table 1. vSAN cluster calculation (50 VMs)



Table 2. Host specifications (50 VMs)



Table 3. Licenses (50 VMs)


Scenario 2. Large environments


Besides additional hardware resources, large infrastructures usually need extra features for management, control, and integration. In addition, a certain level of automation is desirable.

This scenario is based on the following presumptions:

  • The number of users is 200, with a possible scale-up to 500
  • Up to 100 GB of data per user
  • Ability to use RDS Published applications
  • Ability to virtualize applications with App Volumes
  • Ability to manage user profiles

The features mentioned above require Horizon 7 Enterprise edition, which includes vSAN, vSphere, and vCenter licenses. It also enables instant clones for VM deployment, which significantly increases system agility and VM creation speed compared to linked clones. The licensing model can be either Named or CCU.

User profile management can be done using Writable Volumes: virtual disks assigned to every user, containing all their installed applications, data, and specific settings. These disks are attached to the VM during logon, so the user profile is always available regardless of which VM is assigned. Combined with VMware Dynamic Environment Manager, this offers a high level of granularity in data and profile management.

The servers used are the same as for Scenario 1, with additional hardware resources installed. All details are listed in Tables 4, 5, and 6.



Table 4. vSAN cluster calculation (200 VMs)



Table 5. Host specifications (200 VMs)



Table 6. Licenses (200 VMs)
