Cal Planning (Hyperion) Solution Overview (is this the ...



Options for secure access to campus Enterprise Applications

Background:

Campus security is a high priority for Berkeley, and campus workstation administrators are required to keep workstations current to meet the campus minimum-security standards. Workstations constantly need to be refreshed, and new software versions are released frequently.

At the same time, enterprise vendors (Hyperion BAIRS, Hyperion Cal Planning and OBIEE CalAnswers) have been slow to certify their software with new browser and Java versions. In addition, the upgrade schedules for these applications do not always align with the OS, browser and Java updates.

The ever-changing software on the workstation and the need to support older certified browsers and Java is causing a security challenge for the campus.

An example to demonstrate this conflict is listed below:

BAIRS currently supports 2000+ users and utilizes Oracle's Hyperion EPM applications (BAIRS - version 9 & CalPlanning latest version 11). Unfortunately, this suite of applications supports only the following browsers:

Internet Explorer 7.x

Internet Explorer 8.x

Firefox 3.5x

Support matrix

| system | version | supported browser | Java Runtime Environment (server not desktop) | Microsoft Office integration |
| BAIRS (>2000 users) | Oracle/Hyperion 9.3.1.1 | Internet Explorer 7.x; Internet Explorer 8.x; Firefox 3.5x | 32 bit - JRE 1.5.0 Update 21, current 1.6; 64 bit - JRE 1.5.0 Update 21 | |
| CalPlanning (estimated 600 users) | Oracle/Hyperion 11.1.2.1 | Internet Explorer 7.x; Internet Explorer 8.x; Firefox 3.5x | 32 bit - JRE 1.5.0 Update 21, current 1.6.0.21; 64 bit - JRE 1.5.0 Update 21, current 1.6.0.21 | Windows XP Professional with SP2+; Windows Vista with SP1+; Windows 7 (32bit & 64bit); Apple Mac OS X Release 10.6.x; note: office versions 2003, 2007, 2010 32 bit only |
| | Oracle/Hyperion 11.1.2.2 just released April | Internet Explorer 7.x; Internet Explorer 8.x; Internet Explorer 9.x; Firefox 3.5+; Firefox 10.x | 32 bit - JRE 1.5.0 Update 21, current 1.6.0.21; 64 bit - JRE 1.5.0 Update 21, current 1.6.0.21 | Windows XP Professional with SP2+; Windows Vista with SP1+; Windows 7 (32bit & 64bit); Apple Mac OS X Release 10.6.x; note: office versions 2003, 2007, 2010 32/64 bit |
| CalAnswers (estimated >2000 users) | OBIEE 11.1.1.5 | Internet Explorer 9.x; Firefox 5+ - 9 (not 10, 11, 12; three versions in three months); Google Chrome 10+; Safari 5.x | | Microsoft Office 2003; Microsoft Office 2010; Apple Mac OS X Release 10.6.x |

Because the application does not work with new IE and Firefox browsers, desktop administrators have been uninstalling new versions of these browsers and installing the older Hyperion-supported browsers. This adds extra effort and expense for the administrator and prevents them from keeping campus workstations patched to meet minimum-security standards. In addition, many campus workstations receive automatic updates to their browser version. The recent Firefox 10 release caused significant problems for the user community, since the BAIRS application is not only unsupported on these browsers but does not work on them. NOTE: In some cases, administrators can set the compatibility mode back to a prior version and execute the BAIRS reports.

This document presents some options for discussion in hopes of finding a solution that will allow desktop administrators to maintain secure campus workstations and allow users to utilize vendor-supported enterprise applications.

Options Explored:

For each of the options below, a Windows image is created that presents the customer with a Windows-like workstation containing the vendor-supported browsers for BAIRS, CalPlanning and CalAnswers. The image might also include software such as the Hyperion plug-in, MS Office, the Oracle office integration software SmartView, and other applications required by BAIRS, CalPlanning and CalAnswers.

Listed below are three options: Terminal Server, Application Virtualization and Desktop Virtualization.

Terminal Server (Remote Desktop Services) (A)

Remote Desktop Services in Windows Server 2008 R2, formerly known as Terminal Services in Windows Server 2008 and previous versions, is one of the components of Microsoft Windows (both server and client versions) that allows a user to access applications and data on a remote computer over a network, using the Remote Desktop Protocol (RDP). Terminal Services is Microsoft's implementation of thin-client terminal server computing, where Windows applications, or even the entire desktop of the computer running Terminal Services, are made accessible to a remote client machine.

With the Terminal Server option, customers would be required to remote into the server. Once on the server, all required vendor-supported software is made available. As part of the configuration set-up, browsers and web access controls would be implemented to create a secure environment.

The customers will be allowed to print and move data to their desktop as they normally would. Other than signing into the terminal server, the user experience would be the same as a Windows workstation running older IE browsers.

Application Virtualization (B)

Application virtualization is an umbrella term that describes software technologies that improve portability, manageability and compatibility of applications by encapsulating them from the underlying operating system on which they are executed. A fully virtualized application is not installed in the traditional sense, although it is still executed as if it were. The application is fooled at runtime into believing that it is directly interfacing with the original operating system and all the resources managed by it, when in reality it is not. In this context, the term "virtualization" refers to the artifact being encapsulated (application), which is quite different to its meaning in hardware virtualization, where it refers to the artifact being abstracted (physical hardware).

With this option, a Windows image is created, similar to the Terminal Server option. The difference is that the application and Windows image with the required software.

Customers would access this virtual desktop by selecting the icon on their desktop and transferring control to the virtual image. Once in the virtual desktop, the user experience would be the same as a Windows workstation running older IE browsers.

Desktop Virtualization (C)

Desktop virtualization, as a concept, separates a personal computer desktop environment from a physical machine using the client–server model of computing.

Some virtualization platforms allow the user to simultaneously run multiple virtual machines on local hardware, such as a laptop. Virtual machine images are created and maintained on a central server, and changes to the desktop VMs are propagated to all user machines through the network, thus combining the advantages of portability afforded by local hypervisor execution and of central image management. This approach requires user hardware capable of running the local VM images, such as a personal computer or notebook computer, and thus is not as portable as the pure client-server model.

With this option, a Windows image is created, similar to the Terminal Server option. The difference is that the application sits on the customer’s desktop and the image is installed with the required software.

Customers would access this virtual desktop by selecting the icon on their desktop and transferring control to the virtual image. Once in the virtual desktop, the user experience would be the same as a Windows workstation running older IE browsers.


Options Matrix

| | A | B-1 | B-2 | B-3 | C |
| | Terminal Services (Enterprise Windows Team) | Standalone AppV with TEM (BigFix) | AppV with SCCM | AppV Management Server | vBox |
| End Point | Remote Desktop Client | AppV Client | AppV Client | AppV Client | Oracle VirtualBox |
| Control Point | Terminal Services Manager | TEM | SCCM | AppV Management Server | |
| Disadvantages | Cost | No Macs; Additional MDOP per FTE per year costs; Limited targeting and reporting functionality with TEM | No Macs; Additional layer of complexity with SCCM (support + training costs) | No Macs; Additional infrastructure components: AppV Management Server + SQL server; Additional training, setup and support costs; Can only be used for AppV streaming and management | No in-house knowledge or programmers; No published TEM patches/ will need custom patching or will need to be patched at the end point; No central configuration management option; No scalability; Requires additional RAM for VMs |

* Support: creating, delivering and updating AppV packages

** MDOP Cost = $2.35/FTE

*** Windows Terminal Server (VMs) Cost per server = $1969.20

**** MS remote desktop services Cost = $15.16/FTE

Request for Feedback

1. Is there another option we should explore?

2. Of the options presented, which would be easiest to administer?

3. We believe the chosen solution(s) must support Macs and Windows. Agreed?

Comments from Micronet

• Multifire software for Macs is a possible solution (allows user to use an earlier version of Firefox 3.5.9 but still have Firefox 11 as the browser)

• Would like to have an open reporting solution. PI need greater flexibility to access their financial information (interpret this to mean direct database access)

• Vbox sounds intriguing

• Commenter is curious if there are plans to replace these enterprise applications with something that isn't so dependent on particular browser versions.

The solutions presented in this document appear to address the symptoms of the problem without addressing the cause.

• Commenter regularly uses Remote Desktop on my UCB laptop today to access services and it regularly fails to allow me to connect to my desktop environment, necessitating frequent hard reboots to my desktop and calls to IST DOCs to fix my remote desktop.

After a year of unsuccessful tickets to IST DOCS, I would oppose any attempt to require Remote Desktop use as a daily part of business.
