The Sanctuary Group – Successful Virtual Client Deployment In A Large Dispersed Enterprise

Sanctuary Group’s Ben Andrews Highlights

  • Is dispersed in structure with many non-IT users among its 6k staff
  • Has adopted a ‘Terminal Services’ approach to virtualisation
  • Still manages fat PCs, especially for tied-in applications, such as alarm and door entry systems
  • Bases its infrastructure on Citrix, Wyse thin clients, Symantec tools and a resilient MPLS network
  • Uses EV archiving to address the difficulties of .PST files in a virtualised world
  • Always plans to stream ‘line of business’ applications using XenApp
  • Intends to digitise extensive paper records in the near future
  • Is an excellent example of a large enterprise saving money and improving service levels through centralisation

I had a chance to talk to Ben Andrews of the Sanctuary Group (a Backup Exec and Enterprise Vault customer) at a recent Symantec conference. He spoke eloquently about how this charity – a large organisation with 6k employees – successfully deployed virtualisation over ten years ago with Citrix MetaFrame 1.0 (when Microsoft first included Terminal Services in Windows NT 4.0), introduced VMware ESX server virtualisation five years ago and more recently added XenApp to the mix. During the deployment the organisation has overcome a number of challenges typical of a dispersed organisation.
He also has some very interesting ideas on the differences between Terminal Services and VDI approaches and the necessity for all companies to review and upgrade the infrastructure before centralising and introducing virtual desktops.
I thought it would be useful to look into what they achieved, how they overcame the hurdles and how they look at future developments. I’d like to thank Ben very much for his extensive help in writing this piece.

Sanctuary Group Backgrounder

Designated as a ‘social landlord’ charity, the Sanctuary Group has grown since its foundation in 1969 through the combination of smaller associations into a group now employing some 6k staff, the majority of whom are nurses, housing and community workers and other (typically non-IT) professionals. In addition to regular housing it manages around 76k ‘units of accommodation’ in England and Scotland. These include general rented, sheltered, supported accommodation, student and key worker accommodation and care homes.
The Sanctuary Group’s locations include branch offices which range from small single person sites to major offices with up to 150 staff, the biggest of which also houses a large contact centre.
IT support within the organisation is heavily centralised. Its technology solutions include the use of mobile Personal Digital Assistants (PDAs) by its property services division staff to deliver services such as dynamic repair to its locations throughout the group. It has decided to approach computing services through virtualisation – in fact Ben says they utilise anything with ‘a virtualisation sticker’ on it, but only when and where it’s appropriate.
The Sanctuary Group’s 5 key IS infrastructure managers, who cover servers, networks, desktops and security, have all been with the company for a number of years, since it was a small organisation, and consequently know each other’s areas well. Ben thinks this is an advantage over many other large companies in which roles are much more separated.

The Sanctuary Group Uses Virtualisation To Address Its Challenges

The group has a dispersed organisation, with a total staff of 6k – not all of whom use IT. Ben cited a number of challenges the IT department faced in deploying successfully. In particular:

  • Their organisation has doubled in size over a five-year period – so handling growth was an issue, as was supplying services to an increasing number of branch offices
  • Technically there was a requirement for highly-available systems and to address the inefficient management of data, which was growing significantly throughout the company
  • There was a particular problem of how to handle thousands of Personal Storage Table (.PST) files, which Microsoft doesn’t support across networks

The organisation’s network is based on Multi-Protocol Label Switching (MPLS) as shown in Figure 1, with its data centre located in Worcester. Its current IT infrastructure is as follows:

  • Client devices include 2,600 Wyse thin clients, 400 PCs and 100 laptops
  • 250 physical servers, of which 50 are hypervisor hosts (based on both VMware ESX and Citrix XenServer), which in turn support an additional 250 virtual servers
  • XenApp runs on a mix of 150 physical and virtual servers (included in the above server count)
  • 10 Unix machines running either HP-UX or Solaris
  • Applications include Microsoft Office and SharePoint
  • Databases include both Microsoft SQL and Oracle
  • ‘Line of business’ applications supported include housing, care, management services, HR and financial

Resilience is built into the network through the use of a DSL backup to the MPLS connections at the office level and through the 45Mb MPLS link between the group’s data centre and head office buildings on its central campus.

The Role Of Symantec Backup Exec And Enterprise Vault

Ben is a fan of Symantec’s Backup Exec (BE) and has been ‘keeping the subscription up to date’. He says it was originally targeted at Small and Medium Businesses (SMBs), of which his company was one 12 years ago when it started using it. Currently he uses the software to handle 19TB of data, the largest part of which is Virtual Machine Disk (VMDK) files, which take up about 6TB. BE is also used to manage the 25 archive tapes a month the company produces. The advantages of its current upgrade from BE12.5 to BE2010 include the use of de-duplication (a ‘no brainer’ in terms of its value to Sanctuary).
For backup processes the group uses a ‘backup to disk to tape’ approach, but isn’t able to keep more than a day’s worth of data online at a time. So improving the amount of both online backup data and its tape-based archive is high on the agenda. Moving tape to off-site locations is currently expensive and particularly time-consuming if you need to retrieve information from them back in-house.
The Sanctuary Group also uses Enterprise Vault (EV) for Microsoft Exchange mailboxes and journals and for its file system archive. Adoption has helped the company manage .PST files, which account for an archive of just 45GB. Ben reckons that he has been able to achieve a 75% saving across all archived items (including email, journal, FSA and .PST files) with Symantec’s single instance storage. The company is in the process of refining its backup policies, which hitherto have been based on the simple rule that, once information is three months old, it is moved to the archive. In particular it:

  • Will move to higher capacity tapes for monthly backups
  • Aims to keep the 3 monthly archive online to allow for rapid restores
  • Wants to enhance legal compliance through the use of the software
  • Introduced a new invoicing procedure 8 months ago, based on Microsoft SharePoint, for the 3k transactions per week it processes; while it has scanned invoices for some time, making them available through SharePoint will allow access to anyone who needs them
  • Has many requirements for document scanning and storage, one of which is the collection of documents needed to be retained on each of its properties for legal compliance
  • Aims to digitise many of the paper files that are currently sat in filing cabinets that are scattered across offices over the whole country; depending on the nature of the information, it will take care of these in house, or possibly add them to the list of documents (currently including utility bills and HR records) hosted externally by a document management company

In addition to improving the flow and storage of digitised information the company is also in the process of designing a group-wide network telephony system.

The Pros And Cons Of Terminal Services And VDI Approaches For Desktop Virtualisation

Following our discussion Ben followed up with a detailed written note clarifying his views on the Terminal Services v VDI debate. He believes that both are great, will do a fantastic job and can provide virtual desktops; in addition both can make good use of thin client devices and he declares himself ‘definitely a fan of both’.
However he makes the important point that Terminal Services is a multi-user and VDI a single-user operating system, which makes the number of virtual machines you need to manage far greater in the case of VDI. Even if you ignore the operating system differences between multi and single user, you still have to set up far more machines for supporting, managing, licensing and other functions. In comparing the two approaches he has discovered:

  • Terminal services is fine for delivering Microsoft Office and ‘line of business’ applications and is much more efficient in terms of cost and hardware utilisation
  • VDI is more expensive and less efficient than Terminal Services in terms of users per host; however it’s still far less expensive than managing fat PCs in a distributed environment like his
  • VDI as a desktop operating system has an advantage in allowing all devices (thin client, fat or mobile PC) to have the same look and feel

The Sanctuary Group is investigating adding VDI to the mix to fill the gap between Terminal Services and full PC users, but Ben doesn’t believe the organisation will make the full switch from Terminal Services unless it needs to deliver much richer multimedia capabilities and the business divisions decide there is real value in giving all users an identical operating system. In the – perhaps unlikely – scenario that the organisation moves strongly to VDI, Ben can’t see them moving away from using XenApp to present seamless ‘line of business’ applications to all thin, fat or mobile desktops.

Make Your Infrastructure Resilient, Or Your Virtual Client Deployment Will Probably Fail

Ben noted that any form of centralisation requires a more resilient infrastructure, because the impact on users is so much greater in the case of a failure. Both Terminal Services and VDI are great ways to centralise user desktops, but they both place a much higher dependency on network links than any of the regular servers you would normally have in a traditional PC environment. For example:

  • If the file server hosting user home drives and user profiles goes down, then pretty much all the virtual desktops will fail, and nobody will be able to work
  • Many thin client terminals get their ‘config’ from an FTP server when they boot and the location of the FTP server from DHCP. Unlike fat PCs, which have DHCP lease periods, thin clients request this information every time you switch them on, so if the DHCP or FTP servers are down, users can’t launch a desktop and therefore can’t log in.
  • Devices can’t use ‘cache mode’ when running Microsoft Exchange, because there isn’t anywhere to store the cache; they’re always on-line, which puts a much bigger burden on the Exchange servers; these may well need to be upgraded to handle the extra workload.
  • .PST files are a pain for all organisations, but the problem is worse when deploying virtual desktops as Microsoft doesn’t support storing them on file servers, which creates a massive strain; Ben is unaware of any virtualisation solution from any vendor that deals with the .PST problem, so this is exclusively a job for archiving systems, one area in which Symantec’s EV excels.

Ben believes that if companies fail to review and make their infrastructure resilient as part of the adoption of Terminal Services or VDI, they’ll suffer many headaches and their overall solution is likely to fail. He’s sure that many of the failed Terminal Services adoption attempts in the past have been partially due to these kinds of infrastructure issues rather than the fault of Terminal Services itself. He’s also concerned that the buzz around VDI at the moment is masking these real deployment issues and that VDI isn’t the magic answer many believe.

 

Some Conclusions – The Sanctuary Group Has A Working Terminal Services Solution

The Sanctuary Group stands out as a large organisation successful in the deployment of Terminal Services using Citrix, Wyse and Symantec. There are major advantages in its ability to accommodate the numerous new offices and buildings brought into the group quickly and efficiently and in its ability to address moving from paper to computerised processes through targeted investments. In the UK the government has plans to cut billions of pounds in public spending in the next few years. I believe that the Sanctuary Group’s approach demonstrates how consolidation can result in a solid, compliant system, while avoiding the increasing mess and expense of managing fat client devices in a dispersed environment.
Ben Andrews is a key resource to his company; he is one of only a few IT managers I’ve met who fully understand how to deploy client virtualisation in a large, dispersed organisation. He is right to underline the importance of improving the infrastructure and making the network resilient because, as with most forms of centralisation, users can’t access their virtual systems if there’s a failure. He is a fan of both Terminal Services and VDI, although his experience is more with the former and he is concerned that the current hype surrounding the latter will cloud the real deployment issues and result in failure for some organisations.
Do you agree with the technical challenges in deploying virtual clients? Have you had positive experience of VDI? As always please let me know by commenting on this article.