In a previous post...completed about fifteen minutes ago, I blogged about doing hyper-convergence the Open Source Way. One of the major applications where hyper-convergence is taking over is in the Virtual Desktop realm - the ability to spread load in such a way as to make a virtual desktop experience as fast as, or faster than, a physical desktop, makes it a very compelling platform.
One of the uses for Virtual Desktop is known - to me, anyway - as Application Delivery. This really just means that, instead of delivering a full desktop experience, we're delivering a single application. In my current role we have several situations where delivering applications is preferable to delivering full desktops. Usually this boils down to situations where users have chosen a better desktop experience than Windows will ever hope to offer - Linux or Mac - but still need access to a couple of pesky applications that only run on Windows. Microsoft has held out some of their key business products - Project and Visio, most notably - and there are still a few web applications that, believe it or not, actually require ActiveX controls to run properly. I know, I know, it is very hard for me to believe, but I do live with it every day. Add to that a particular application we have that is a .Net ClickOnce application - basically a Windows Executable delivered via a web service - and you have three or four applications that make it impossible to completely get rid of Windows.
In the past I've just used VDI to deliver a full Windows desktop to these users, but it's so much more useful at times - and quicker, not to mention cooler - to just have the application.
Enter Guacamole. Guacamole is a clientless remote desktop gateway, and has recently been accepted into the Apache Foundation in the Incubator stage. Essentially, Guacamole sits on a Java web server (Tomcat, etc.) and proxies remote desktop sessions between a web browser and a server or desktop running a remote desktop service of some sort. At present, Guacamole has built-in support for VNC, RDP, and SSH. Because Guacamole is presenting a truly web-based interface, it can be presented securely over HTTPS and WSS to clients. It also features a configurable and extensible authentication framework, with built-in support for LDAP, Database, File, and No Authentication, but with easily-available documentation for writing your own plugin. I hope to add RADIUS to that list at some point.
Focusing in on the support for RDP, Guacamole presents a powerful interface for allowing users to connect to Windows applications within a web browser. In Windows, you can use RemoteApp to deliver specific applications via RDP without the full Windows shell. Guacamole supports this RemoteApp integration, as well (via the FreeRDP RAIL plugin), so you can launch a configured RemoteApp application from a Guacamole session. In our current environment, this means running IE, .Net ClickOnce applications, and Microsoft Office tools seamlessly in a web browser. This is particularly compelling in the case of the IE applications - using the "-k" switch in IE and passing the URL to the RemoteApp, you get a web browser (Chrome or Firefox) tab running IE, with no IE window decoration that truly looks transparent to the user.
Furthermore, the extensible authentication support means that there's the potential to make such an interface accessible outside of a VPN. Because you're just passing HTTPS traffic, and you could presumably integrate with RADIUS or some other multi-factor authentication system, you can securely provide a way for users to access applications and desktops without the need for a VPN client. Furthermore, because you can control the configuration of Guacamole - hide it from the users, and control what can be configured - your risk of data loss can be almost entirely mitigated, unless someone is so intent on stealing your data that they are copying and pasting via the clipboard or taking screenshots.
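To make the "control what can be configured" point concrete, here is an added example (not code from this post or from the Guacamole project) that audits a file-authentication `user-mapping.xml` for RDP connections that leave data-export channels open. The sample file, host names, the `||iexplore` RemoteApp alias and the URL are constructed placeholders; the `disable-copy` parameter is assumed to be available, which requires a Guacamole release newer than the one current when this was written.

```python
import xml.etree.ElementTree as ET

# Constructed sample in Guacamole's user-mapping.xml layout; hosts, users and
# the URL are placeholders, not values from the post.
SAMPLE = """
<user-mapping>
  <authorize username="alice" password="CHANGE-ME">
    <connection name="ie-webapp">
      <protocol>rdp</protocol>
      <param name="hostname">win-pool.example.internal</param>
      <param name="security">nla</param>
      <param name="remote-app">||iexplore</param>
      <param name="remote-app-args">-k https://legacy.example.internal/</param>
      <param name="disable-copy">true</param>
    </connection>
    <connection name="full-desktop">
      <protocol>rdp</protocol>
      <param name="hostname">win-pool.example.internal</param>
      <param name="ignore-cert">true</param>
      <param name="enable-drive">true</param>
    </connection>
  </authorize>
</user-mapping>
"""

def audit(xml_text):
    """Return {connection name: [findings]} for every RDP connection."""
    report = {}
    for conn in ET.fromstring(xml_text).iter("connection"):
        if conn.findtext("protocol", "").strip().lower() != "rdp":
            continue
        p = {e.get("name"): (e.text or "").strip() for e in conn.iter("param")}
        on = lambda key: p.get(key, "").lower() == "true"
        findings = []
        if not p.get("remote-app"):
            findings.append("full desktop: no remote-app set")
        if not on("disable-copy"):
            findings.append("clipboard copy to the browser is allowed")
        if on("enable-drive"):
            findings.append("drive redirection (file transfer) is enabled")
        if on("enable-printing"):
            findings.append("printing to PDF download is enabled")
        if on("ignore-cert"):
            findings.append("RDP server certificate is not validated")
        report[conn.get("name")] = findings
    return report

if __name__ == "__main__":
    for name, findings in audit(SAMPLE).items():
        print(name, "->", findings or "ok")
```

The locked-down RemoteApp connection comes back clean, while the full-desktop connection is flagged for clipboard, drive redirection and certificate validation.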
The total power of this solution pulls in a few other components. First, using oVirt, you can very easily manage the VMs you use to back this sort of configuration, dynamically scaling pools of (properly licensed) Windows VMs and automating the deployment of those to support varying workloads (hmmm...elasticity...sounds like Cloud). Of course, you could also deploy to a public cloud scenario - AWS or (shudder) Azure - and be able to scale without worrying about the hardware - you just have to worry about what that invoice will look like next month :-). Second, an incredibly powerful TCP proxy, HAProxy, can be used to do host alive checks, aggregate hosts, and load balance between VMs in a pool. Guacamole supports some load balancing, but I've found HAProxy to be a little more powerful and configurable. oVirt also features a REST API that might be leveraged to control VM power states for the hosts in a pool. A script can go look at the HAProxy data and figure out how many hosts are in use, and how many are down, and, upon reaching a certain threshold for hosts in use, execute REST API commands to start up additional hosts via oVirt. Users can point their browsers at the Guacamole URL, and, without any plugins or client requirements outside of the HTML5 browser, connect to a published Application or Desktop.
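A sketch of the scaling script described above, as an added example rather than code from this post: it reads HAProxy's CSV stats, counts hosts in use and down, and builds the oVirt REST call that starts another VM once a threshold is reached. The pool and server names, the VM ids, the 0.8 threshold and the bearer-token authentication are assumptions; the request is built but not sent, and it assumes HAProxy health checks are enabled so powered-off hosts report DOWN.

```python
import csv, io, urllib.request

# Constructed sample of HAProxy's CSV stats export, trimmed to the columns used
# here (the real export has many more). Pool and server names are made up.
STATS = """# pxname,svname,scur,status
rdp_pool,FRONTEND,3,OPEN
rdp_pool,win01,2,UP
rdp_pool,win02,1,UP
rdp_pool,win03,0,DOWN
rdp_pool,win04,0,DOWN
rdp_pool,BACKEND,3,UP
"""
# Hypothetical mapping from HAProxy server name to oVirt VM id (placeholders).
VM_IDS = {"win03": "VM-ID-PLACEHOLDER-3", "win04": "VM-ID-PLACEHOLDER-4"}

def pool_state(stats_csv, pool):
    """Split a pool's servers into in-use, idle and down by health and sessions."""
    rows = csv.DictReader(io.StringIO(stats_csv.lstrip("# ")))
    state = {"in_use": [], "idle": [], "down": []}
    for r in rows:
        if r["pxname"] != pool or r["svname"] in ("FRONTEND", "BACKEND"):
            continue  # skip HAProxy's own aggregate rows
        if not r["status"].startswith("UP"):
            state["down"].append(r["svname"])
        elif int(r["scur"] or 0) > 0:
            state["in_use"].append(r["svname"])
        else:
            state["idle"].append(r["svname"])
    return state

def hosts_to_start(state, threshold=0.8, step=1):
    """Pick down hosts to start once the in-use share of live hosts hits threshold."""
    live = len(state["in_use"]) + len(state["idle"])
    if live and len(state["in_use"]) / live < threshold:
        return []
    return state["down"][:step]

def start_request(engine_url, vm_id, token):
    """Build (not send) the oVirt REST call that starts one VM."""
    return urllib.request.Request(
        f"{engine_url}/ovirt-engine/api/vms/{vm_id}/start",
        data=b"<action/>", method="POST",
        headers={"Content-Type": "application/xml",
                 "Authorization": f"Bearer {token}"})

if __name__ == "__main__":
    for host in hosts_to_start(pool_state(STATS, "rdp_pool")):
        print("would start", host, "via", VM_IDS[host])
```

Send the request over HTTPS with certificate validation left on, and give the script an oVirt account that can only start VMs in this pool.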
And, again, the building blocks for this are all Free & Open Source - with the exception, of course, of the licenses for Windows VDA.
Mate this is a very nice blog here. I wanted to comment & say that I enjoyed reading your posts & they are all very well written out. You make blogging look easy lol I’ll attempt to start a blog later today and I hope it’s half as good as your blog! Much success to you!
You're very kind. I don't write as often as I'd like, but I try.
Best of luck on your blog.