South Eastern Trust is one of five in Northern Ireland, with a population of 440,000 in South Eastern Northern Ireland. They deliver services across 120 locations and use Kainos Evolve. They have been VDI users since 2012. This came from the needs of healthcare colleagues who know the pain of maintaining desktops and multiple users. Information governance could be difficult and VDI is a way to resolve this.
A proof of concept (POC) was run in the emergency department – it’s so intense that if it works there, it will work anywhere. A nurse can be logged on looking at results and typically be removed by a consultant mid-work. It’s an efficiency nightmare, but the only way an emergency department can work. The follow-me concept of VDI improves this as they could log on elsewhere and be exactly where they were.
It started with a single pool integrated with single sign-on throughout the trust, which has been a key part of the success as the ID badge is part of logging on. Follow-me desktops give tremendous benefits. However, if you walk away without logging off, anyone can come and view confidential information. A 40 second log off was implemented – consultants are God, or at least they think they are.
75% of the PCs were removed and replaced with zero clients. There were a few issues, but mostly it worked. Very quickly, doctors and nurses coming from elsewhere in the hospital could see what was happening in the ED, and there were requests to roll it out elsewhere. It was then rolled out across the trust. From 2012 it went from 200 to 300 desktops, increasing to 3500 at present. It was initially a slow burn. Everyone in the trust is enabled.
The interesting thing is the number of devices supported.
The desktops are still in use because of applications which will not work on VDI. There are around 5000 Apple devices deployed. There are also around 1600 Chromebooks. The estate in terms of single numbers has increased, but anyone can log on as themselves anywhere. The follow me desktop will work anywhere, and the integration relies on swiping the badge. They will be asked for their ID password, then for the next 15 minutes they will be able to log on wherever they go. The human issue is always a factor.
This enables greater mobility across the site. The remote access part caught on and took over. Previously people had a Check Point VPN to log in, which was cumbersome. People now use VDI access and the VPN access has been removed. There is still two-factor authentication, but this has been valuable during Covid.
VDI has been around for a while – how did you make the business case? Are the benefits demonstrable? Could it be transferred around the country as a compelling case?
It’s about productivity gains. It’s an investment in infrastructure. Not necessarily dearer, but cheaper at scale. Based on productivity rather than cost. Follow-me desktop and single sign-on were introduced at the same time. The more you do with it, the better. Regional programmes are now going on and one of the key aspects is growing VDI across Northern Ireland so all trusts have access to the same kind of capability.
How big a challenge are application deployments via VDI?
Prior to VDI there was application virtualisation, so applications were extracted from the desktop and delivered to the users. VDI was perfect as the applications followed. 10% can’t work in AppV so these have to work on a fat client PC.
We didn’t want to bake everything into it. It came from learning to keep it as streamlined as possible. We are investigating other ways for the future.
Was there any bad sharing?
We have a simple proximity card in NI. People don’t share their cards as they can’t get out of the car park at night!
Were there problems with Java?
Java is a pain in the backside. We had challenges because lots of different applications require certain sets of Java. The element was critical and we had to be careful we didn’t break it. There were clashes with versions until colleagues worked it out.
We needed Java 6.35 and Java 7 on the same base image, so we had a .jar file with URLs in it. This took a while getting there. We have it in place now and it will probably be there until we go to the Epic product. It may get rid of the legacy systems.
Why Tintri for us was as soon as we were approaching the IOPS issue, our computer environment was the size for bit IOP things. We tested some, then asked Tintri for a loan box. It took us four hours to get it into the rack, then two hours to move our VDI environment. We were finished by 11.30am and were blown away. We are restricted in our team, so if we have this infrastructure in it has to take no more staff requirement than we already have. We cannot manage hundreds of logins. Tintri’s approach is you just throw your VMs at it. We went from one T540 to two and then a growth pattern. These are now eight years old because in health we get a long use out of things. These are still running desktops but will be upgraded. We went Tintri for ease of use. We more or less set it up and forgot about it. This is how we recompose. The ease, the headroom, and we could basically set it and forget it.
Tintri as a business
Tintri as an organisation has been around for 10 years. The parent company today is DDN, well known in the research and supercomputer markets. Specialist storage solution. Partnered with NVIDIA, who are also a customer.
It has been the growth of big data that has driven DDN to start targeting the enterprise as well as its traditional market. They were looking for a solution, which led to them acquiring Tintri.
The VMStore product is the storage solution that is underpinning the desktops that are being used. This is best understood by thinking in terms of virtualisation and virtual machines. Virtualisation is massively successful and is driving VDI projects across the globe. 99% of Fortune 100 use VMware. The challenge on the storage side is that you don’t have the hypervisor in control. It can lead to contention on the storage side. There can be a lot of workload targeting the same storage solution and this can be a problem as most don’t work at the VM level. A spike in workload from one team can cause slowdowns affecting other areas of the business. It can be hard to find out why and you can’t necessarily see what to fix.
This led to VMStore being created around 10 years ago. Frustrations with how storage worked in a virtual environment led to it being created. Everything is managed at the virtual machine level. It instantly solves the problem of spikes in workload and if there is a slowdown you can see where issues are. Because the storage is now thinking in terms of virtual machines, you can log on and see latency where it is happening end to end. If there is a change in behaviour you can see where the spikes are historically.
When other storage techniques are applied, it’s at virtual machine level. You are just cloning a desktop. Everything happens at the VM level. It doesn’t take up any space. You can clone an entire environment and run patch or security testing without needing to invest in a new set of infrastructure.
Autodesk run 200k VMs across hypervisors for example. Dropbox found it halved their development cycles as copies could be spun up for testing. It’s what VMStore does.
Capacity modelling can be done with Tintri, which is useful. You can see what’s contributing to issues. Don’t need to use it that much.
How do you balance the requirement for offline and online working when looking at VDI environments?
VDI is only effective when working online. The need for truly working offline is a small use case. There is the capability where a desktop can be checked out but it doesn’t really play into the on premises requirement. It isn’t a panacea for everything.
It’s constantly a balancing act from different areas of the business. People are only around 10% truly offline working remotely.
Thousands of district nurses in the community would traditionally be offline, but they have all you can eat data so tether to their phones with Chromebooks in their car. They have connectivity.
Screenlag and disconnections – how is this compared to the cost of running a laptop?
We could quickly see we weren’t going to roll this out across a large number of users because of screenlag. We have HP servers and worked with them for a reference architecture for what we were working with. There shouldn’t be screenlag, but it is all in the design phase upfront. We have typically tried to buy the hardware as and when required because of how we are funded – but this is public sector.
If you’re using an older laptop, it’s probably slower than it was when you had it and you’re not getting the best experience. With VDI it’s a ‘new’ machine you’re logging into each day and still getting the best use out of the machine. No Windows bloat.
How can VDI help with graphic intensive environments?
There are graphic intensive requirements but NVIDIA cards enable graphic sharing. These are all done at the server side. This is very good from a security point of view. It can be done. It’s not the cheapest thing to do, but it can be done.
In teaching environments it can be a case of working out how many users can get on each server. The challenge is that you get spikes and whether it’s worth going VDI or remaining as a fat client.
How is security handled with a cloud vendor? How does a private cloud scenario work in terms of security around data storage?
It’s just access to your private VDI estate. You can’t copy and paste from one machine to another, so there’s no data loss element. It depends on the use case.
Where are the savings in terms of productivity in minutes a day? How much is it really saving? What is the business case? What would be a reasonable and workable solution to introduce this on a budget?
This is a million dollar question, but opportunities were taken to build this in as part of a refresh cycle moving away from bricks and mortar data centres. It was also a refresh on the client side so opportunistic funding was available. This presented an easy business case, but it wasn’t about saving money. It was about doing things in a more modern way and changing the paradigm moving forward. It helped doing smaller stuff and testing Open Office as an alternative to Microsoft. We spent the same amount of money with greater flexibility. Overnight we can ensure all our desktops are up to the latest patch levels.
Security is paramount. Encryption viruses are on the rise. We have seen viruses targeting backup servers that can hold all your data to ransom. It’s a benefit you don’t think of with VDI, but you can run snapshots, which is effectively an offline backup and you can recover in seconds.
What are the biggest challenges?
Single sign-on can be a “keys to the kingdom” scenario so this needs to be protected, such as with a 40 second lockout. Infrastructure is built over a number of years and the server generations need to be kept in different clusters, or you can restrict later-generation servers to the capability of the older ones. If you are going to expand users, expand the infrastructure well ahead. Use AppV rather than baking in too many applications. Users should have an experience on a desktop that feels like a personal device. They want their default printer and everything else to be the same. The right device is whatever is right for the user. User training on follow-me desktop is essential – they don’t need to log out at a device, just disconnect. It needs following up too.
If you can make life easier for a user, that’s the greatest step to making a project successful. If the users don’t have faith and see the benefit, then projects fail.
At a clinician level, some went from seeing 10 to 11 patients – doesn’t sound like much, but that’s 10%. A huge time saving. One American provider estimated seeing an extra 30,000 patients a year.