3 Success Stories
1
Challenges to Traditional PCs
Information security Service assurance Resource fixing
Security protection, system management, and device O&M are resource-intensive and cause long business
interruptions, and the results are still unsatisfactory.
2
Integration, Sharing, and Platformization Are the Development
Trends of E-government
Data center integration plan of the U.S. federal government
[Figure label: Number of data centers: 2096]
Countries on the forefront of e-government actively make and launch new development strategies and implementation plans, including the Open Government operation and Data Center Integration operation of the USA, the Smart Government strategy and ICT strategy of the UK, and the Government 2.0 strategy of Australia. All these strategies feature integration, efficiency, openness, and sharing.
Cloud computing-based e-government public platform in China
[Figure labels: Service providing department; Informatization administration agency; Government affair department; Service design; Service preparation; Service implementation; Service use]
The cloud computing-based e-government public platform is a comprehensive service platform provided by the information management departments at or above the county level with help from professional technology service institutes. This platform is built using the cloud computing technology as well as computing, storage, network, information, and application support resources to provide infrastructure, support software, application function, information resource, operating assurance, and information security services for government departments.
3
Overall Requirements for Secure Protection of Governments
Overall requirements
• The graded protection of the external network mainly provides security protection for the application systems and data that are carried and monitors the attacks, viruses, and abnormal traffic, improving the capabilities to handle and respond to network and information security emergencies.
• The levels are evaluated according to the effect on legitimate rights and interests, social order, public interests, and the impact on national security.
Challenges
The security deployment and implementation need to strictly follow the graded protection standards to eliminate potential security risks:
• Computing environment security
• Communication network security
• Boundary security
• Security management
[Diagram labels: Virus and Trojan horse; Network being listened; Data being decrypted; System vulnerability; Risk control; Unauthorized access; DDoS attack; ID management; Security audit; Permission management; Computing environment security; Communication network security]
4
Government Office Terminal Situation and Challenges
• A terminal is infected by viruses and then the viruses spread to the entire network.
• The cloud terminal and the office PC exist at the same time, which makes management and control difficult.
• Network access points increase and network vulnerabilities double.
• Patches are not installed in a timely manner so malicious attacks are incurred.
• Core resources are accessed without authorization and sensitive data is stolen.
[Diagram labels: Cloud computing center; Office PC; Cloud terminal; Remote office on business trip; External government network; Internet; File server; Email server; Web server; Database; Application server]
5
Cloud Computing-based Desktop Transformation
Desktop transformation
PCs are replaced by TCs.
[Diagram labels: Mobile phone; PC; TC; Pad]
Benefits
• Easy O&M: One person can maintain 1500 desktops.
• Quick fault recovery: Reduced service interruption time
6
Huawei Desktop Cloud Breaks the Virtual Desktop
Development Bottleneck
Superior experience
• Optimized audio and video services, improving user experience
• GPU sharing for meeting graphics requirements
• User-friendly login page
Agility and high efficiency
• Unified O&M management platform
• Various maintenance-assisted tools for improving the services
• Software pre-installation and quick delivery
Security, reliability, and flexibility
• Complete product forms and flexible deployment
• Complete and flexible E2E security protection design
• All-round reliability
[Diagram label: Decision maker]
Committed to creating better experience, easy to deliver, easy to manage, and cost-effective enterprise virtual desktop infrastructure
7
Contents
1 Analysis on Industry Trends
3 Success Stories
8
Logic Architecture of the Huawei Desktop Cloud Solution
[Architecture diagram labels: User side; Network side; Cloud platform; CT5000; CT6000; Other terminals; Switch; Firewall; VM; Graphics processing software; Service management; FusionManager; ITA; FusionSphere; Virtual resource management; VRM; Unified hardware management; UHM; Hardware: RH2288H, E9000, S5500T (optional); External government network; Government branch offices]
11
Administration OA Scenario
Optimal Experience, Agility and High Efficiency, Solid
System Reliability
12
On-cloud Internal Government Office: Administrative Civil
Servant Scenario
Responsibilities Job characteristics Requirements on the desktop cloud
13
Optimal Experience | Agility and High Efficiency | Solid System Reliability
Terminal-to-Cloud User Office Experience Assurance
Key technology HDP@Media
• High-fidelity music compression algorithm
• Voice optimization
• Low latency
• High sampling rate
Key technology HDP@Display
• Lossless compression for non-natural images
• No transmission of redundant images
• Multiple image compression algorithms
[Diagram labels: Display; Mobile office; Business trip; Home office; Enterprise headquarters]
Unified O&M
• Desktop cloud service and unified fault management
• Simplified installation package and optimized installation process
• Pre-installation and quick delivery for the appliance
Management tools
• Software/Peripheral compatibility test tool
• Connection repair tool
• User experience optimization tool
• One-click restoration tool
• Performance collection and analysis tool
• Self-service maintenance tool
Automatic O&M
High resource utilization
• Resource reuse
• Thin provisioning
15
All-round Reliability
[Diagram groups: Client connection reliability; VM service reliability; Platform reliability; VM management reliability]
• Desktop protocol supports port auto-negotiation to resolve application software conflicts.
• Automatic reconnection after network interruption
• Automatic network status detection
• Desktop agent software prevents mistaken deletion.
• Desktop agent software prevents mistaken virus deletion.
• Distributed data consistency check
• Service disaster recovery
• Key component HA
• Resources reserved in case of physical faults
• Local access at branch in case of network interruption
• Service layer status monitoring
• Automatic VM restart in case of blue screens
• VM snapshots in case of VM faults
• Automatic recovery
• Automatic fault isolation
• Automatic clock synchronization
• Node memory and CPU management, and automatic disk status monitoring
16
Government Affair Hall Scenario
Unified Management and Control, Service Continuity
17
On-cloud Government: Government Affair Hall Scenario
• Efficient service running
• Stability and reliability
• Quick fault recovery
• Support for self-service
• Support for multiple peripherals
• Smooth video playback
• Remote control
• Limited interaction
[Diagram labels: Public self-service area; Service waiting area; Multimedia TV; Easy to use; Security protection]
18
19
Multimedia Support
Mode A: Decoding on a VM
• A video window is a part of a desktop after videos are decoded on the VM, and are mapped to clients.
• Supports 1080p videos.
• Bandwidth is related with the size of a video window. More bandwidth is required for full screen play.
Mode B: Decoding on a TC
• Enables the redirection technology to redirect videos to a local TC for hardware decoding.
• Bandwidth has no relationship with video windows. Guarantees fluent play in full screen mode.
• Supports 1080p HD videos.
• Supports DXVA redirection to allow a variety of file types and video formats.
The video decoding mode can be decided by the management system automatically.
[Diagram labels: Desktop Cloud; Access to the network; Decoding on a VM; Decoding on a TC]
20
Government Affair Hall Scenario: Full Memory Desktop
Solution
[Diagram labels: Memory resources; Delta disk; Base disk (compressed and deduplicated); Hypervisor; NAS or SAN; Base disk (shared and read only); User disk; Storage resources]
be restored to the initial status upon restart.
The full memory VDI storage technology is used. The real-time online deduplication and online compression technologies that break through the limitations on memory medium are used. High-speed I/O capabilities and high-speed clone capabilities are supported, providing more than 300 IOPS for each desktop. VM disk read/write operations transfer to memory operations. VMs are created and delivered in batches, improving management efficiency.
• Deployment efficiency is improved.
• Disk purchasing costs are reduced.
• Storage I/O performance bottlenecks are eliminated, improving user experience.
Solution limitations
This solution is applicable only to scenarios where user data does not need to be backed up or stored and desktops must be automatically restored, such as the government affair hall self-service scenario.
21
Government Affair Hall Scenario – Service DR Solution
GSLB (global server load balancing) service redundancy DR solution
A DR center equivalent to the production center is constructed in a standby site (these two centers can work in load sharing mode). The two data centers distribute desktop resources for the key service users.
TC-based service DR solution
When no GSLB is deployed, the software installed on TCs checks health of the production center and DR center. When a disaster occurs, the client software detects the disaster and switches services to the DR site.
Customer benefits
• Ensures service continuity when a disaster occurs.
• Shortens service interruption time and minimizes user data loss when a site is faulty.
Solution limitations
• This solution is applicable only to scenarios where the service DR is required, but data backup is not required, such as the government affair hall and service hotline scenarios.
• The NAS device needs to be added to back up data on the VM data disk. Using the remote replication function of the NAS device, data on the VM data disk can be backed up.
[Diagram labels: TC; DR agent; GSLB; Access network; AD (Active/Standby); VM1, VM2, VM…; FusionSphere; Production site; DR site]
22
Government Mobile Office
Scenario
Mobile Experience, Quick Recovery, Data Security
23
On-cloud Government: Mobile Office Scenario
[Diagram labels: Law enforcement and supervision; Administration for industry and commerce; Tax; Business travel; Daily check; On-site office and mobile inspection station; Public facilities]
Requirements
25
Touch optimization
Magnifying glass, local photo insertion, automatic display
of the keyboard, and scroll by touch are supported.
Flexible modes
SBC application virtualization (Beta) and VDI modes are
supported.
Application scenario
Mobile office, such as mobile approval and
document browsing
26
Government Branch Office
Scenario
Secure Access, Automatic Management, Service
Continuity
27
On-cloud Government: Branch Office Scenario
Internet
3G
network
28
Government Branch Desktop Cloud Solution
A maximum of 255 branches are supported.
29
Challenges and Solution for the Government Remote
Access Scenario
Challenges for remote access
Operating systems, applications, and data are locally deployed on terminals. Terminals are vulnerable to virus attacks and malicious theft.
Huawei remote access security solution
Desktops and data are separated from terminals and data centers and are centrally stored and processed in the background. Only screen refresh information is transmitted to terminals.
[Diagram labels: Organization and institution; County; Branch office; PC; TCs; Access gateway]
31
Branch Network Latency and Office Cloud Experience
Office cloud experience in different latencies
< 80 ms: The OA/webpage browsing is smooth but frame freezing occurs during local/online video playback. End users can accept the experience but may feel unsatisfied when frame freezing occurs frequently during video playback.
32
Government Hotline
Scenario
Voice Experience, Efficiency and Reliability
33
On-cloud Government Hotline: Call Center Agent Scenario
Related government
department
34
VM-based SoftClient
[Diagram labels: Media access; Control flow; Voice flow; UAP/AIP; Virtual desktop; LB & AG; VM 1, VM 2, VM 3; FusionSphere; HDP]
Advantages
• Good compatibility: The voice software does not need to be modified for the desktop cloud and is compatible with mainstream call center software.
• Smooth evolution: The method of installing and deploying the voice software on VMs is the same as that on PCs.
Disadvantages
• Long latency: VoIP voice data requires second codec conversion from the VM to the TC, which causes long latency. Latency is related to network environments. You are advised to perform a POC test before deployment.
36
Outsourcing Scenario
Security Isolation, Centralized Management, Rights- and
Domain-based Management
37
On-cloud Government: Outsourced IT Maintenance Scenario
[Diagram labels: Administrator; Internet; Remote IT personnel; G-cloud]
Requirements
• Level-, rights-, and domain-based management
• Security management and
Two Desktop Modes: VDI and SBC
VDI (virtual desktop) SBC (shared desktop) (Beta)
40
On-cloud Government: Security Scenario
Requirements
• Access control
• Security control
• Operation audit
• Data protection
[Diagram labels: Criminal investigation and public security information; Government; Business and technical secrets; Indirect contact personnel in the government; Commercial espionage; Paparazzi]
41
Separation of the Internal Network and External Network: Traffic
Isolation and Data Isolation
Traffic isolation
• Supports the service network access traffic isolation. Physical user desktop terminals can access the service systems only.
• Supports the Internet access traffic isolation. Users can only access the Internet through virtual desktops or virtual applications.
[Diagram labels: Internet; Internal network; Management network; Service system; AD; Storage network]
42
Government Cloud Center Security Isolation Solution
• VMs in the public service area, resource sharing area, and government services area are physically isolated. Firewalls or gatekeepers are deployed between areas to implement isolation and IPS is deployed to implement intrusion prevention.
• The internal service area is logically divided into operation management area, development and testing area, OA area, general service area, and high-security service area.
• Based on different requirements, services of different departments can be allocated to different security areas and different virtual firewalls can be deployed to implement security isolation.
[Diagram labels: Desktop cloud; OA area; General service area; High-security service area; Storage area]
43
Security OA Scenario – E2E Security Protection
[Diagram labels, grouping not recoverable from the extracted text:]
• TC security control
• Additional access measures
• External storage devices prohibited
• Installation of unauthorized software prohibited
• Third-party digital certificate authentication
• Access authentication
• Security gateway
• Virtual desktop
• Domain account
• Fingerprint
• USB key
• Dynamic password
• AD-free authentication
• TC authentication
• Users bound to specific TCs
• State Secrets Bureau-tested BM17 encryption
• SSL encrypted transmission
• Antivirus virtualization
• Virtual desktop isolation
• User data encryption and decryption
• USB key support
• Log audit
• Monitoring
• Operation logs
• Unified log
• Security policy configuration
• Secure operations
• Management roles
• Data security
• Residual information
44
Terminal Access Security – Restricted TC Access
Restricted TC access: Binding relationships are established between TCs' MAC addresses/MAC address groups and domain users/domain user
groups, so that domain users/domain group members can access desktops from restricted TCs or TC groups. The restricted TC access feature can be
used with any WI authentication mode.
Specified IP segment access: Access permissions can be configured for clients' IP segments. In this way, users can only access virtual desktops using
specified IP segments including IP addresses and subnet masks.
Application scenario: The restricted TC access feature applies to scenarios in which high information security is required and users can access virtual
desktops that contain sensitive information only from restricted TCs.
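The restricted TC access and specified IP segment checks described above can be modelled as one allow/deny decision that runs alongside user authentication. This is an added example, not Huawei's code: the `AccessPolicy` class, its field names, the fail-closed default for users without a binding, and every sample value are assumptions.

```python
import ipaddress
from dataclasses import dataclass, field


def norm_mac(mac: str) -> str:
    """Canonicalise AA-BB-CC-DD-EE-FF, aa:bb:..., aabb.ccdd.eeff to aa:bb:cc:dd:ee:ff."""
    digits = "".join(ch for ch in mac if ch not in ":-.").lower()
    if len(digits) != 12 or any(ch not in "0123456789abcdef" for ch in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


@dataclass
class AccessPolicy:
    """Hypothetical policy store; not the product's data model."""
    mac_groups: dict = field(default_factory=dict)   # TC group -> set of MACs
    user_groups: dict = field(default_factory=dict)  # domain group -> set of users
    bindings: list = field(default_factory=list)     # (principal, terminal) pairs
    ip_segments: list = field(default_factory=list)  # "address/mask" strings

    def _principals(self, user):
        # Domain account names are compared case-insensitively.
        user = user.lower()
        yield f"user:{user}"
        for group, members in self.user_groups.items():
            if user in {m.lower() for m in members}:
                yield f"group:{group.lower()}"

    def _terminals(self, mac):
        yield f"mac:{mac}"
        for group, macs in self.mac_groups.items():
            if mac in {norm_mac(m) for m in macs}:
                yield f"macgroup:{group}"

    def decide(self, user, tc_mac, client_ip):
        """Return (allowed, reason). Both checks must pass; anything else is denied."""
        try:
            mac = norm_mac(tc_mac)
            ip = ipaddress.ip_address(client_ip)
        except ValueError as exc:
            return False, f"deny: malformed input ({exc})"
        # Specified IP segment access: address plus subnet mask.
        segments = [ipaddress.ip_network(s, strict=False) for s in self.ip_segments]
        if not any(ip in net for net in segments):
            return False, f"deny: {ip} outside permitted IP segments"
        # Restricted TC access: user or group bound to a MAC or MAC group.
        principals = set(self._principals(user))
        terminals = set(self._terminals(mac))
        for principal, terminal in self.bindings:
            kind, _, value = terminal.partition(":")
            if kind == "mac":
                terminal = "mac:" + norm_mac(value)
            if principal.lower() in principals and terminal in terminals:
                return True, f"allow: {principal} bound to {terminal}"
        return False, f"deny: no binding for {user} on {mac}"


# Constructed sample policy; every name, MAC and address below is made up.
POLICY = AccessPolicy(
    mac_groups={"secure-room": {"00-11-22-33-44-55", "00:11:22:33:44:66"}},
    user_groups={"planning": {"Alice", "bob"}},
    bindings=[("group:planning", "macgroup:secure-room"),
              ("user:carol", "mac:0011.2233.4477")],
    ip_segments=["10.20.30.0/255.255.255.0"],
)

if __name__ == "__main__":
    for args in [("alice", "00:11:22:33:44:55", "10.20.30.17"),
                 ("carol", "00-11-22-33-44-55", "10.20.30.17"),
                 ("alice", "00:11:22:33:44:55", "192.0.2.9")]:
        print(args, "->", POLICY.decide(*args))
```

The reason string returned with each decision is intended for the operation log, so that denied attempts from unbound TCs or unexpected IP segments can be reviewed.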
Control
• Centralized data control: Desktops and data are separated from terminals and centrally controlled on the cloud. Only screen refresh information is transmitted to terminals.
• Control over virtual peripheral channels: Each virtual channel can be enabled or disabled independently, such as printing control and USB port mapping management.
• One-way control over data flows: The USB flash drive is read-only. Data can be written to a VM from a USB flash drive but cannot be written from the VM to the USB flash drive.
• Encrypted protocol transmission: Desktop protocol transmission is encrypted and protected by the AES128 algorithm by default.
[Diagram labels: Terminal/Peripheral; Security access gateway; HDP/SSL; HDP; User access control and data encryption transmission; Output the screen refresh and keyboard and mouse command; Application virtualization; Virtual desktop; Desktop data center; App server; Enterprise ERP & other DB; Data]
46
Trusted terminal | Trusted access | Trusted computing environment
Security audit
47
Trusted terminal | Trusted access | Trusted computing environment
Rights- and Domain-based
Security audit
3 Success Stories
49
Shanghai Pudong Public Service Center Project, Quick Rollout of
More Than 70 Peripherals upon One-time Test
Challenges
The public service center is an important platform for government service improvement, work
innovation, government-society relationship improvement, and social construction reinforcement.
The public service center includes 23 offices, more than 50 functional departments, more than
500 personnel, and 196 service windows. There are a large number of service systems and the
terminals are distributed on different floors of the building. Centralized management is required
to improve management efficiency and information security.
Huawei Solution
This project adopts FusionAccess V100R005C10 (5.1 version) and is configured with 14
Huawei E6000 blade servers. Each server is configured with the 8-core E5-2650 CPU and 160
GB memory. Four Huawei IP SAN 5500T enclosures are configured and four S5352 switches
are deployed. The configured TC is the mid-range and high-end CT5000, which supports the 2-
core AMD CPU, various peripheral interfaces, and smooth video playback.
Customer Benefits
Quick rollout of desktop services helps office personnel to quickly handle citizens' services,
which also improves office operation experience. Efficient, green, and elastic cloud services are
fully reflected.
In particular, the Huawei desktop cloud solution resolves the peripheral compatibility problems in
the industry. Based on diversified functions of HDP, the project team quickly finished the
compatibility tests of more than 70 peripherals and provisioned 200 users. After two months of stable
running of the system, the peripherals work properly, including 3 self-service desktops with a
print volume of 10000 pieces per day.
50
Security Desktop Project of the Langfang Planning Bureau
Challenges
• The Langfang Urban and Rural Area Planning Bureau is in charge of the city system planning,
overall city planning, village planning, and underground space planning as well as the
organization, investigation and approval, and supervising of detailed city planning. There is a
large amount of sensitive data in the office system. To prevent data leakage, the bureau uses
physical isolation solutions in the desktop environment. However, the network switching is
complex, the data security management is difficult, and the O&M efficiency is low.
Huawei Solution
• The solution is configured with 15 E9000 (E5-2680) servers and two S2600Ts. Each civil servant
is configured with two desktops (4 CPUs, 4 GB memory, and 80 GB disk). 200 TCs and 400 VMs
are deployed. (200 VMs are used to access the Internet and 200 VMs are used to access the
government office network.)
• The comprehensive security isolation and design of the cloud and network implement the
isolated access between the office network and the Internet.
• To access the 3D graphics files (AutoDesk, 3DS MAX, and City Maker), 50 VMs adopt the GPU
passthrough solution. In addition, the high-performance CT6000 with excellent graphics
processing capability is deployed to ensure the graphics quality of the GPU passthrough VM.
Customer Benefits
• Internal planning data is protected and civil servants are allowed to access the Internet.
• Time for switching between the Internet and office network is reduced from 2 minutes to 5
seconds.
• Maintenance duration of a desktop decreases from 2 hours to 3 minutes, greatly improving O&M
efficiency.
51
Huawei Cloud Helps Jiangxi Provincial Party Committee Implement Efficient
Government Affair Informatization
Challenges
The early phase of informatization lacks unified construction standards, planning, and
management. Information silos exist. Software and hardware resources cannot be
shared effectively.
The rollout of new services requires a long period, inhibiting government service
development.
Traditional PC office brings disadvantages, inconvenience, and security problems.
Huawei Solution
This solution uses FusionSphere to build a virtual resource pool to deploy customers' services on the cloud platform and reserves space for capacity expansion. One E6000 server subrack and two S5500Ts are deployed. The desktop is configured with 2 CPUs, 2 GB memory, and 160 GB disk.
Based on the FusionAccess software, users and data are isolated and secure access to the office environment is implemented. In the first phase of the project, 300 desktops are deployed to meet the requirements of OA of the provincial party committee. In the second phase, 2000 desktops are deployed based on the dual-DC architecture of the Honggutan data center. In the third phase, 6000 desktops are deployed for the branch offices in Jiangxi.
Customer Benefits
Based on the dynamic resource scheduling capability of the virtualization platform, services can be quickly deployed and O&M efficiency is improved.
Users and data are isolated, reducing information security risks.
The General Office of Jiangxi Provincial Party Committee is an organization directly under the Jiangxi Provincial Party Committee. The information center provides the information platform to all bureaus and carries the internal network service construction of Jiangxi e-government.
52
Huawei Helps Xi'an Railway Administration Implement Desktop Cloud
Office in the Ankang Section
Challenges
Due to historical reasons, the Ankang section starts informatization construction from
scratch and requires advanced technologies to build an architecture that adapts to the
development of future data centers.
PC software is not updated in time and has a large number of security vulnerabilities.
Service data may be leaked or lost on the client.
PC-dominated office systems are hard to manage and old devices cost a lot in
maintenance.
Huawei Solution
The E6000 server and S5500T storage are adopted. Huawei FusionAccess is deployed
to adapt to the development of cloud computing.
During the project implementation, the user application features are analyzed and key
points that affect user experience are recognized to optimize the configuration.
Automatic and centralized O&M realizes the unified management of all VMs.
Customer Benefits
Cloud computing is applied to the office scenarios of the Xi'an Railway Administration, improving work efficiency and competitiveness.
Office security and reliability are ensured.
Environmentally-friendly computer rooms are built, reducing energy consumption and noise.
"The Huawei server virtualization and desktop cloud simplify overall maintenance and reduce O&M costs after the trial use in the Ankang section."
---- A frontline engineer of the Ankang section
53
AU Conference Center Desktop Cloud, a Secure and Efficient Office Platform
Challenges
Low conference efficiency: Meeting minutes need to be translated into English, French,
Arabic, and Portuguese and delivered to participants. The meeting minutes cannot be
modified quickly, and modification costs are high.
High information security risks: Paper-dominated meeting minutes are difficult to recycle
or manage. Moreover, meeting minutes disclosure easily occurs, and information security
cannot be ensured.
Huawei Solution
Optimized services: Meeting minutes do not need to be printed, reducing required manpower
and money. Employees can focus on key service processes. The use of WiFi TCs implements
mobile office.
Centralized O&M: Huawei FusionCloud Desktop Solution provides a unified O&M
management platform to improve O&M management efficiency and ensure the quick response
to incidents.
Information security: All meeting minutes can be centrally stored, managed, recycled, archived, and deleted after a meeting, ensuring information security.
Customer Benefits
The initial fixed investment is cut down by 40%.
The container data center has small footprint and is easy to maintain, which retains the prestige university building that has a history of 100 years.
The PUE is reduced to 1.55. Compared with the original data center, the total energy consumption is cut down by 30%.
Data can be centrally stored and managed. Compared with the original storage system, the TCO is reduced by more than 20%.
"We appreciate the excellent work Huawei has done for the 18th AU conference. Huawei provided the desktop cloud system for this AU conference and worked with MIS department of the AU to finish deploying the system within three weeks, which is of high quality and high efficiency. The brilliant performance of the system helps us improve the working mode and efficiency of the conference."
---Quoted from the thanks letter written by the AU to Chinese Embassy in Ethiopia and Huawei
54
HUAWEI ENTERPRISE ICT SOLUTIONS A BETTER WAY