Horizon Mirage Keeps Sysadmins Sane When Securing Mobile Endpoints

While I wish VDI was the silver bullet for all desktops in the Enterprise, VDI can’t fit every use case. VMware Horizon Mirage can help address the use cases that don’t fit the bill, whether that’s the corporate exec in and out of airplanes, heavy intense graphics based machines in remote area or in Oil refinery with many serial based peripherals. Unfortunately not every place of the world was blessed with a persistent Internet connection, so Mirage to the rescue?

Mirage can provide centralization, management and recovery of desktops is a pretty clean fashion. Using recovering points & imaging technology, Mirage can provide recovery with optimal traffic network optimization considering the task of what it is performing. The founders of Mirage actually help to form the base of Cisco’s Wide Area Application so you can get some idea of how that helps the overall product. Knowing that Mirage can help with file recovery, OS migrations and even hardware migration makes it a pretty intriguing product. The one short fall with all physical devices left in the wild is security. One of VDI strengths is that if keeps data off the endpoint . If VDI is not a option you are left to take a different course of action. Usually implementing BitLocker, Windows Encrypted File System (EFS) or some form of full disk encryption (FDE) would wreck havoc on product like this. My goal is see what limitations Mirage would have working when security was being imposed.

If you want more than daily snapshots you will have to change the default settings.

If you want more than daily snapshots you will have to change the default settings.

The first thing to do for my testing purposes and if you have a CEO\VP working on critical documents, is to change the default system configuration settings. If you don’t, you only get to fall back to the last daily snapshot. From looking at the file structure of Mirage if you were to do a “sync now” from the client it would keep a snapshot of the sync but the rules listed to the right would rules the roost so to speak. If you had more snapshots then the rules allowed saved they would be deleted. From the image it’s also a good opportunity to change the default location for your CIFS\SMB share.

DR-mirage-restore-2Once I had Mirage up and running I wanted to make sure I could at least recovery the easiest test case. I created a basic Word file called Top Secret. I deleted the file after I had synced the desktop to the Mirage Server. I went in the Mirage recycle bin and restored the file. As expected, no problems and the process was quick.

Next up and wanted to do a file restore with a full disk encryption. My poison of choice with TrueCrpyt.



Once the desktop was fully encrypted, rebooted the desktop and did a full sync back to the Mirage server. Deleted the file and went through the restore process. Same results as before, Success!

Encrypted File System (EFS) support

Encrypted File System (EFS) support

Encrypted File System (EFS) is supported with Mirage. There is a Protect EFS Files option of Upload policies enables all EFS files to be included in the protected upload set. All EFS files will be restored in their original encrypted form.

Next on my hit list was to test a restore of encrypted desktop onto new hardware. Keep in mind this would be the same process if your laptop was lost or stolen. This process would even work if you a had VDI desktop and you wanted the same image\applications for long extend road trip. My wife would kill me but I am really thinking about working on a vacation kind of scenario 🙂 In reality the most likely use case is your child takes your laptop, goes to Facebook and you end up with 500 pop ups telling you to pay money to have your PC fixed.

Mirage has two ways recover from any of the above mentioned scenarios:

    * Using a previous Centralized Virtual Desktop (CVD)
    * Using the Disaster Recovery Wizard<

Disaster Recovery Wizard - Step 1

Disaster Recovery Wizard – Step 1

Recovering form the CVD method will prove really useful for applications issues and user misconfiguration. Your able to recover from application changes without affecting the user data sitting on the device. The Disaster Recovery Wizard should be used for hard drive replacement, file corruption or formatting that is happening on the same device with the original problem or can be used to restore a CVD to a replacement device.

Restore Options when using the Recovery Wizard

Restore Options when using the Recovery Wizard

The hardware I was restoring to was not encrypted. Mirage does not distribute software that changes the Master Boot Record (MBR). Full Disk Encryption(FDE) software usually modifies the MBR and because of that can’t be included in the base layer. Most FDE vendors have a way to push out the software. From my experience it was usually not the smoothest of deployments but tools non the less.

Simple restore of full encrypted desktop onto new hardware

Simple restore of full encrypted desktop onto new hardware

Restore Process with Mirage

Loading the recovered profile with VMware Horizon Mirage

Once the process had finished I logged into the desktop with the correct profile and my file was waiting for me. Pretty slick. The thing I like best about this is that it means you can actually have the option of troubleshooting a laptop without having access to it. Restore the laptop to a virtual machine, figure out the issue can you can determine if it’s a hardware or software to certain degree. It also solves a huge pain of decrypting desktops if you need to get data off them. The Mirage process seems a lot easier to reset someone that has forgotten their boot password for there FDE vendor choice too. The only catch is you would have to make sure you encrypt the laptop again after you finish a full restore.

If plan to use Microsoft BitLocker keep in mind that the original state of BitLocker is kept and managed on each endpoint and doesn’t not get reflected on the Mirage server when it’s stored in the data center. If BitLocker is enabled on the target endpoint, it remains enabled regardless of any type of work that happens with image, restore/Base Layer update/rebase operations, and even if the reference machine from which the Base Layer was captured was different. Likewise, if BitLocker is disabled on the a endpoint it remains disabled after Mirage restore/Base Layer update/rebase operations. Mirage makes Bitlocker useful in the Enterprise becasue you really do need to use a PIN with a encrypted device because of know hacks. At least know if a user forgets their PIN you have a way at getting at the files. Since BitLocker is included with the Windows 7 Enterprise it seems like it would be choice to pair the two technologies.

When building a Windows 7 Base Layer for migration purposes, BitLocker must be disabled on the reference machine or migration operations will fail. This makes sense as mentioned before FDE software can’t be included the base image.

Mirage seems to work well while supporting security requirements. For people wondering Mirage does have role based security and logs files are generated on user action so a audit trail provided.

For you Windows XP users out there, get going, April 8, 2014 is coming faster than you think!

Related Mirage Blog Posts

* Scale Out File Server for Mirage – Windows 2012 w/Dedupe

* Nutanix on Scaling Horizon Mirage

Speak Your Mind