
Huawei FusionCloud Desktop

Solution for the Financial Industry


Author/ID Yu Qiang/00319423, Zheng Xueqiang/00297120

Department Desktop Cloud Product Dept, IT Product Line

Group Email Address

Co-author/ID Fan jiachao/00246927

Approver/ID

Release Date 2015-12-15

Filing and Renew Record

Product Name: Huawei FusionCloud Desktop Solution for the Financial Industry
Version: 5.3 (V100R005C30)
Content: Based on the Huawei FusionCloud Desktop Solution 5.3 Promotional Theme Slides, this document describes the concept and advantages of desktop cloud and its application to the financial industry. Highlights of the Huawei FusionCloud Desktop Solution for the financial industry and new features in version 5.3 are also described.
Purpose: Used for preliminary communication with VIP customers who are interested in desktop cloud.
Usage:
1. These slides are used for preliminary communication with customers and can be revised based on customers' concern.
2. These slides are not recommended for specific solution design or technical communication.
Release Date: V1.0: 2015-01-15; V1.1: 2015-11-25

Contents
1 As-Is and Transformation Trend of Desktops
2 Desktop Cloud Scenarios in the Financial Industry
3 Huawei FusionCloud Desktop Solution
4 Success Stories

Driving Force for Information Security Construction in the Financial
Industry
Driving force 1: Use of mobile devices in financial services brings new risks.
Mobile office is becoming a new trend in the banking industry. The traditional PC-based office automation system cannot meet the requirements for high efficiency, fast pace, and mobile office.

Driving force 2: Internet finance is developing quickly but vulnerable to network attacks.
Opening and interconnection of networks of financial institutions are the trends.
• Online banking: sees a transaction amount of CNY820 trillion and a growth rate of 7.0%.
• Intermediate business: includes public housing fund, E-port, tax/social insurance collection, call charge collection, and utilities fees collection.

Driving force 3: Business across regions and branches makes management difficult.
Typical Financial Institution | Country/Region | Number of Outlets
China's 'Big Four' state-owned commercial banks in China | 100+ cities | 64055 branches
China's 'Big Four' state-owned commercial banks outside China | 32 countries and regions outside China | 850+ branches and representative offices
Bank of America, HSBC, Citibank, and Wells Fargo (TOP4) | 150 countries and regions | 27000 outlets

Driving force 4: No audit for office access of all users
The financial industry has an outsourcing scale ranking second after the manufacturing industry. Many services of various financial enterprises of all sizes have been outsourced.
Various roles, such as internal employees, IT outsourcing staff, partners, and suppliers, need to access the intranet.

Traditional Desktops with Poor Security and Difficult O&M Cannot
Meet Requirements of the Financial Industry
Information security
• Data is stored on the local terminal.
• Different types of ports are difficult to manage.
• User behavior is difficult to manage.
• Data loss can occur, and information security may be compromised if computers are lost.

Service assurance
• The logistics involved in delivering PCs to all employees are time consuming.
• Operation and maintenance in the case of PC hardware faults are also time consuming.
• Standardized management of desktops becomes difficult because of diverse hardware and software.
• Data stored in hard disks is vulnerable and can be lost in the event of crashes or thefts, affecting service operations.

Resource optimization
• Standard hardware configurations fail to meet customized requirements.
• Hardware configuration does not support flexible upgrades.
• Idle hardware resources cannot be used by other programs or users, resulting in low resource usage.

Security protection, system management, and device O&M are resource-intensive and cause long-term business interruptions.
Page 5 HUAWEI TECHNOLOGIES CO., LTD.
Advantages of Virtual Desktops
• Centralized management
• Information security: No data is stored on terminals.
• Quick provisioning and control
• Time division multiplexing
• Flexible adjustment
• Access anytime anywhere

[Diagram: an administrator and a centralized management system in front of a desktop cloud hosting virtual desktops (APP/OS). The virtual desktops are reached from TCs in Branch 1, Branch 2, Branch 3 … Branch N, from a remote office on a business trip, from a home office, and from the enterprise headquarters.]

Office Cloud TCO Analysis of a Securities Firm
CAPEX and OPEX per Desktop | PC | VDI | Calculating Method
CAPEX, initial purchase cost: hardware and software | 5000 | 7000 | Purchase price
Initial purchase cost (CAPEX) | 5000 | 7000 |
OPEX (per year), electricity fee: system and terminal electricity fees | 548 | 118 | Average power consumption x Running time per year x Unit price. The power consumption of each VDI desktop is included in the calculation of PUE.
OPEX (per year), maintenance cost: manpower cost per desktop | 500 | 167 | Number of maintenance personnel x IT O&M manpower cost/Number of desktops
Indirect cost: service interruption cost due to system breakdowns | 482 | 6 | System breakdown time x Manpower cost per hour
Annual expenditure per desktop (OPEX, excluding indirect cost) | 1048 | 284 |
Annual expenditure per desktop (OPEX, including indirect cost) | 1529 | 291 |

[Charts: TCO per desktop (excluding indirect cost); TCO per desktop (including indirect cost)]

Note: TCO is calculated on a cumulative basis, that is, TCO of the second year = CAPEX + OPEX x 2. TCOs of other years are calculated accordingly.

Estimated O&M Costs of a Bank
OPEX components

System operation cost
• System electricity charge
• Cooling electricity fee
• Space rental fee
• Maintenance and warranty cost
• Data backup and restoration cost

Management and personnel cost
• Breakdown cost
• Information desk personnel cost
• Desktop maintenance personnel cost
• Information security personnel cost

Note: Non-desktop cloud solutions involve only client power consumption and system maintenance costs, and desktop cloud solutions need to calculate server power consumption, cooling power consumption, and equipment room rental fees.
Note: Management and personnel cost includes O&M cost and backup and restoration cost in normal cases, and related costs upon faults.

Item | Unit | PC | PC Cost | VDI | VDI Cost
OPEX: Electricity fee and space rental fee | | | 975 | | 402
  Monitor | W/set | 25 | | 25 |
  DC | W/set | 0 | | 25 |
  Desktop host | W/set | 100 | | 10 |
  Space rental | RMB/set/year | 0 | | 12 |
OPEX: Maintenance and management cost | | | 517 | | 102
  IT management information desk | Set/person | 300 | | 400 |
  Maintenance and warranty cost | RMB/set/year | 100 | | 500 |
  System maintenance cost | Set/person | 200 | | 2,000 |
OPEX: Data security cost | | | 221 | | 0
  Management cost | Set/person | 400 | | 0 |
  Data backup and system restoration | Hour/set/year | 0 | | 0 |
Breakdown (indirect cost) | | | 337 | | 48
  System breakdown time | Hour/set/year | 6 | | 1 |
  Software installation | Hour/set/year | 4 | | 1 |
  System migration | Hour/set/time | 4 | | 0 |
  System migration frequency | Times/year | 1 | | 0 |
Total | /year | | 2049 | | 575

The virtual desktop system greatly reduces the O&M costs of enterprise terminals, and CNY1474 (2049-575) OPEX is reduced per desktop each year.

Desktop Cloud Scenarios in the Financial Industry

Secure office
• Access security
• System security
• Network security
• Management security

Common OA
• Optimal experience
• Agile and efficient system
• Security and reliability

Production operation
• Support for multiple peripheral devices
• Unified management
• Nearest access

e-banking experience center
• Quick desktop deployment
• Permanent customer information deletion
• Superior user experience

Development and testing
• Secure outsourcing access
• Performance configuration management

Telephone banking center
• High-quality voice
• HD video play
• Quick start

O&M management
• Authentication security

Scenario 1: Financial Information Security
Pain Points:
• A large number of service information users and managers are involved, making data prone to leakage.
• User behaviors are difficult to audit.
• Production, office, and Internet areas need to be isolated.

Huawei Solution:
• Uses the desktop cloud to centrally manage data and user behaviors.
• Enables users to log in to different virtual desktops or applications by using the same terminal for unified virtualization management and security isolation between production, office, and Internet areas.

[Diagram: data resources of various financial services (service data, financial data, customer data, system parameter) are served through VMs on the Huawei desktop cloud (server, network, storage, security) to service personnel, customer managers, reviewers, O&M personnel, and outsourcing employees.]

Security Solutions for the Financial Industry
[Diagram: O&M personnel, User A, and User B accessing the desktop cloud system.]

Access Security
• Multiple user access authentication modes (password/USB key/dynamic token)
• Restricted TC access

Data Security
• Data backup and disaster recovery (DR)
• VM terminal security management system
• Residual disk and memory data deletion
• Secure data transmission

O&M Security
• Unified account management and authentication
• Log auditing
• Rights- and domain-based management
• Assignment of roles

Terminal Security
• USB port control
• Read-only TC system (restorable by system reset)
• Patch and upgrade management
• System tailoring and hardening
• 802.1X authentication for TC access

Desktop protocol/Network Security
• Physical and virtual firewalls
• VM security group
• Secure access gateway
• Plane isolation
• Controller peripheral channels (enabled/disabled)
• Transmission channel SSL encryption

Cloud Platform Security
• System (OS/DB/Tomcat) hardening
• System integrity protection supported by the trusted platform module (TPM)
• Antivirus measures
• Security patches
• Web attack prevention
• Virtual isolation
• storage devices

Terminal security Access and network security Platform and data security Management security

Comprehensive security measures ensure that data is stored on the cloud, behaviors can be traced, and operations can be audited.

Internet Access Security Solution

VDI-based secure Internet access
• Data transmission between the intranet (local clients) and extranet (virtual desktops) is controlled.
• Internet access VMs and intranet access VMs are physically isolated and only desktop protocols can pass the firewall.
• Files can be unidirectionally transmitted only from Internet access VMs intranet access VMs to ensure security.

SBC-based secure Internet access
• Browsers are provided using server-based computing (SBC) to access the Internet.
• If users need to download data from the Internet to the intranet, shared desktops that are provided using SBC can be used to access the Internet and download data.

Benefits and Deployment

Benefits:
• Secure data transmission between the intranet and extranet eliminates information security risks.
• Full memory desktops in VDI-based Internet access areas support restoration after shutdown.
• SBC-based Internet access does not change the enterprise's office security architecture, and does not require new PCs, greatly reducing investment costs.

Deployment:
• VDI desktops are deployed in full memory mode.
• VDI desktops apply to secure OA scenarios.

[Diagram: a TC connects over HDP over SSL through a security gateway. On the intranet side, the internal office network hosts office VMs (VM 1, VM 2, VM…) on FusionSphere as the office environment. On the Internet side, Internet access VMs (VM 1, VM 2, VM…) on FusionSphere run as full memory desktops, alongside an application virtualization server. Secure data transmission links the two sides. Caption: Efficient + secure.]

Monitoring and Auditing O&M Staff's Operations

[Diagram: the O&M administrator, User A, User B, and partners reach the service systems only through a bastion host that provides central monitoring and auditing; other entries are forbidden. Service system A: desktop cloud management and data servers. Service system B: core services and data servers. Service system C: development, testing, and O&M.]

Features
• Provides unified portals for diverse management systems.
• Delivers efficient log auditing for terminals (GUI or character terminals) and services (database application or file transmission services).
• Implements real-time video monitoring and screen recording, allowing maintenance personnel to stop a high-risk operation (such as deletion or restart) if needed.
• Supports centralized user management, SSO, and periodic password updates.

Cooperation with Security Vendors to Provide High-Security Desktop
Cloud
Partner offerings by category:

Authentication and access control
• USB key, encryption gateway, and authentication system
• One-key, encryption gateway, and authentication system
• USB key, encryption gateway, and authentication system
• USB key and dynamic token
• USB key
• USB key and dynamic token
• Dynamic token

Virtual terminal security monitoring and audit
• Three-in-one and intranet terminal computer auditing software
• Host monitoring and auditing
• Host monitoring and auditing
• Zhongtie Xin'an host monitoring and auditing
• Shenwei host monitoring and auditing
• Host monitoring and auditing and data leakage prevention
• Desktop cloud auditing system

Antivirus
• Traditional or virtual antivirus software
• Traditional or virtual antivirus software
• Virtualization-based optimized antivirus software
• Traditional or virtual antivirus software

Network and log auditing
• 4A integration and centralized log auditing
• Network and log auditing
• Log auditing

Scenario 2: Financial Production and OA Environment
Pain Points:
• The production network and office OA network are isolated and involve a large number of desktop PCs, making maintenance difficult.
• Too many branch offices complicate desktop maintenance.
• Mobile OA brings security risks.

Huawei Solution:
• Uses the QoS service to provide desktop cloud resources of different levels.
• Uses virtual desktops to enable quick access and unified management.

[Diagram: the service system and the desktop cloud (with desktop cloud management software) serve the customer service center and, across the WAN, the branch office cloud over the desktop security protocol. Use cases: process-centric bank (production operation), collaborative OA (OA network), mobile OA and mobile marketing (mobile OA).]

Dual-Port Single-System Zone-based Access Solution

[Diagram: a dual-port TC (CT6000) uses two isolated ports. IP 1 connects through Gateway 1 and a firewall to the office desktop cloud (VM 1, VM 2, VM 3 on FusionSphere) and the office application system. IP 2 connects through Gateway 2 and a firewall to the desktop cloud in the top secret zone (VM 1, VM 2, VM 3 on FusionSphere) holding secret information.]

Advantage: Single-system TCs have low costs. VDI can be simultaneously accessed in different zones. Cloud desktops can be switched on the task bar of the operating system on a TC.
Disadvantage: You need to select a desktop cloud gateway address when accessing the desktop cloud.

Distributed Hardware Architecture — Local Access of Branch Offices

Technical highlights
• Reduced network reconstruction costs
  Only 2 Mbit/s management network bandwidth is required for the communication between branches and the central site. In case of remote access, high bandwidth is required.
• Excellent experience
  Local resources (including servers, storage devices, network devices, virtual platforms, and desktop management devices) are created for branch offices to enable local access and provide optimal service experience. The disconnection between branch offices and the central site does not affect local access.
• Unified maintenance management
  VDIs of branches and the headquarters are centrally managed and maintained, ensuring standards compliance of desktops.

Application scenarios: branch offices with poor network connection
• Branch office
• Customer service center

A maximum of 255 branches are supported.

[Diagram: the desktop cloud central site at HQ (FusionCloud, service system) connects over the WAN to desktop cloud branch sites (service site, branch office, ……), each with its own local resources.]

Mobile Officing
The mobile officing solution based on application virtualization has the following features:
• Enterprises do not need to develop new clients for mobile terminals. This greatly shortens the mobile officing application rollout time and saves investments in mobile officing deployment.
• All the applications and data of enterprise service systems are saved in the cloud, and only images are delivered to the mobile terminals. No data is stored in the mobile terminals so that data security is ensured.
• Application upgrade and maintenance are performed at the cloud in a unified manner so that the operation and maintenance workload is light.
• Mobile terminals are authenticated when accessing the FusionAccess system, and transmission is encrypted, thereby efficiently ensuring security of enterprise information transmission.

[Diagram: mobile terminals connect over HDP over SSL through a security gateway to an application publishing server that publishes Web, Exchange, CRM, and ERP applications.]

Public Terminal: Ease of Use and Simple Maintenance

Conference room/Service site/Public workspace/Internal business trip:
• VM access anytime
• Mobile desktops for consistent office experience
• Personal data maintenance at any time

Telephone banking center/Customer service center/Training center/Electronic classroom:
• Rapid service software rollout
• Rapid courseware release
• Standard desktop management

Training center/Electronic classroom/Electronic reading room/Public workspace:
• Reduced hardware damage
• Access permission control
• On-demand and quick allocation of virtual resources

[Diagram labels: conference room, public workspace; rapid software release: telephone banking center, customer service center; hardware maintenance management: training center, user experience center.]

Scenario 3: e-banking Customer Experience Center

Pain Points:
• Slow desktop provisioning
• Incomplete customer information deletion
• Poor user experience

Huawei Solution:
• Full memory desktops ensure rapid desktop provisioning and optimal user experience.
• User data is cleared after user VMs are reclaimed.

[Diagram: the desktop cloud (quick provisioning, superior experience, and permanent deletion) serves mobile banking, television banking, and VTM.]

Full Memory Desktop Solution Provides Optimal User Experience

Principles
• Memory data deduplication compression and memory overcommitment technologies are used to store all system disk data of desktop VMs in memory so that read and write operations on desktop VM disks are replaced by memory operations. This provides better user experience than local PCs.
• Linked clone VMs do not support personalized data storage on the system disk. Full memory desktops are applicable to stateless desktop scenarios such as electronic classrooms, school computer rooms, and electronic reading rooms.

Customer Benefits
• Full memory desktops provide high read/write performance and fast VM start and restart as well as linked clone desktops.
• System administrators can deploy, update, and restore VM templates in a unified manner.
• Full memory desktops can be quickly created and VMs can be created and provisioned in batches.

[Diagram: computing resources (VMs on the hypervisor); memory resources (one delta disk per VM plus a compressed and deduplicated base disk); storage resources on NAS or SAN (user disks plus a shared, read-only base disk).]

Completely Removing Remaining User Information

[Diagram, normal solution: User A 1. Rent, 2. Use, 3. Refund. Format logical volumes. User B 4. Rent, 5. Use recovery software to obtain data. Result: Risk.]
[Diagram, security solution: User A 1. Rent, 2. Use, 3. Refund. Implement bit override on logical volumes (0000). User B 4. Rent. Result: Safe.]

Normal Solution:
Traditional methods of low-level formatting on volumes and data
After these volumes are allocated to new users, remaining data can be restored and data leakage risks appear.

Security Solution:
Huawei desktop cloud system implements bit override on remaining user data to ensure that the new users cannot restore any data left by deregistered users.
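
The two release paths described above, as an added Python example (not Huawei's code): a toy storage pool hands the same blocks to a second tenant after either a metadata-only release or a zero overwrite with read-back verification. The block size, the class and function names, and the modelling of "formatting" as dropping volume metadata without touching data blocks are assumptions; the sample secret is constructed.

```python
BLOCK = 16  # bytes per block in this toy pool (assumption)

class VolumePool:
    """Constructed model of a pool that rents logical volumes to users."""

    def __init__(self, blocks):
        self.disk = bytearray(blocks * BLOCK)  # backing store shared by all volumes
        self.free = list(range(blocks))        # block numbers available for rent
        self.volumes = {}                      # volume id -> list of block numbers

    def allocate(self, vol_id, nblocks):
        if nblocks > len(self.free):
            raise RuntimeError("pool exhausted")
        self.volumes[vol_id] = [self.free.pop(0) for _ in range(nblocks)]

    def write(self, vol_id, data):
        blocks = self.volumes[vol_id]
        if len(data) > len(blocks) * BLOCK:
            raise ValueError("data larger than volume")
        for i, blk in enumerate(blocks):
            chunk = data[i * BLOCK:(i + 1) * BLOCK]
            start = blk * BLOCK
            self.disk[start:start + len(chunk)] = chunk

    def read_raw(self, vol_id):
        """What recovery software sees: every byte of every block in the volume."""
        return b"".join(bytes(self.disk[b * BLOCK:(b + 1) * BLOCK])
                        for b in self.volumes[vol_id])

    def release(self, vol_id, overwrite):
        blocks = self.volumes.pop(vol_id)
        if overwrite:
            zeros = bytes(BLOCK)
            for blk in blocks:
                self.disk[blk * BLOCK:(blk + 1) * BLOCK] = zeros
            # Read back before the blocks re-enter the pool: a wipe that was
            # skipped or failed must not be reported as done.
            if any(self.disk[b * BLOCK:(b + 1) * BLOCK] != zeros for b in blocks):
                raise RuntimeError("overwrite verification failed")
        # Released blocks are reused first, the worst case for leakage.
        self.free = blocks + self.free


SECRET = b"acct=123@ pin=@#@!"  # constructed sample data written by User A

def next_tenant_view(overwrite):
    """Rent, use, refund as User A, then return what User B can read raw."""
    pool = VolumePool(blocks=4)
    pool.allocate("userA", 2)
    pool.write("userA", SECRET)
    pool.release("userA", overwrite=overwrite)
    pool.allocate("userB", 2)
    return pool.read_raw("userB")

if __name__ == "__main__":
    print("metadata-only release:", next_tenant_view(overwrite=False))
    print("overwrite release:    ", next_tenant_view(overwrite=True))
```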

Scenario 4: Development and Testing

Pain Points:
• The desktop cloud is required to provide a unified interface for development, testing, and O&M.
• The development of different systems has various desktop resource requirements.
• Frequent mobility of a large number of outsourcing employees results in rapidly changing desktop requirements.

Huawei Solution:
• Provides the desktop cloud to enable unified access to the integrated development, testing, and O&M environment.
• Uses the QoS service to provide desktop cloud resources of different levels.
• Uses virtual desktops to enable quick access and unified management.

[Diagram: an integrated development, testing, and production environment (development environment, test environment, acceptance environment, production environment). The automatic deployment platform flexibly defines the deployment process across the development, testing, and production stages, backed by the development cloud resource pool, testing cloud resource pool, and production cloud resource pool. Users: developer, outsourcing employee, testing personnel, acceptance personnel, O&M personnel.]

Experience Assurance: Leading Virtualization Software Platform

Member of Gartner Magic Quadrant
The first x86 virtualization vendor included in the Gartner Magic Quadrant over the past three years
[Chart: Gartner Magic Quadrant, as of July 2014. Axes: ability to execute, completeness of vision. Quadrants: challengers, leaders, niche players, visionaries. Vendors shown: VMware, Microsoft, Oracle, Parallel, Citrix, HUAWEI, Red Hat. Source: Gartner (July 2014)]

No.1 in the SPECvirt test
Virtualization Software | Score | Ranking
FusionSphere 5.1 | 1616 | 1
Red Hat 7 (KVM) | 1614 | 2
ESXi 5.1 | 472 | 3
http://www.spec.org/virt_sc2013/results/specvirt_sc2013_perf.html

Doubled expansion capability
[Chart: number of nodes in a cluster: vSphere 5.1: 32, vSphere 6.0: 64, FusionSphere 5.1: 128]

Support for core enterprise services
• High performance
  - CPU usage lower than 5%
  - Support for services such as database, Email, ERP, and CRM
• High reliability
  - Second-level fault detection and recovery
  - Proactive event detection
  - Uninterrupted upgrade with active and standby management nodes
  - Hierarchical DR plan

The best virtualization performance facilitates desktop virtualization density improvement, scale delivery, and excellent user experience.

Resource Allocation Based on Desktop Pressure in
Development and Testing Scenarios

High-performance computing desktop
Priority & Reservation: Resources for high-performance computing desktops need to be of the highest priority and reserved accordingly to ensure the highest image quality.

Bandwidth optimization management
• Absolute value and percentage control of the bandwidth of virtual desktop protocol channels that correspond to different service types
• Virtual desktop protocol channel priority setting

Customer Benefits
• Implements resource allocation to ensure high-performance computing.
• Allocates different resources based on the desktop pressure in development and testing scenarios.
• Improves resource utilization.
• Safeguards key services.
• Improves development and testing experience.

[Diagram: desktop session management layer (high-performance computing desktop; common desktop and application), virtualization layer (VIP resource pool; common resource pool), hardware resource layer.]

Scenario 5: Telephone Banking Center
Pain Points:
• Most tasks are simple and less personalized, requiring rapid allocation to save resources.
• Voice quality requirements are high.
• Video service requirements are increasing with more and more VTMs and online registration applications.

Huawei Solution:
• Uses the next-generation desktop protocol to ensure excellent video service experience.
• Uses virtual desktops to enable quick access and unified management.

[Diagram: the telephone banking center runs on the desktop cloud (high performance, restoration after restart, and maintenance-free), made up of a full memory desktop cloud and a multimedia desktop cloud. TCs and accounts are bound, with auto login upon startup. Endpoints: VTM, CSR, Mobile CSR 1, Mobile CSR 2.]

Next-Generation Desktop Protocol Ensures Excellent Video
Service Experience

HDP: Huawei Desktop Protocol

[Diagram: tunnels between the server (VM) and the client (TC): USB tunnel, display tunnel, audio tunnel, management tunnel, media tunnel, mouse, other ……]

Undistorted display
• Automatically identifies non-natural images, such as characters, Windows graphic frames, and lines.
• Lossless compression: PSNR is higher than 50000 dB, and SSIM is 0.999955 (1 indicates lossless).

1080p HD video
• Maximum frame rate of 35 FPS: Provides the highest frame rate in the industry as well as the smoothest video playback.
• Frame rate dynamic adjustment: Dynamically adjusts the video frame rate based on network quality to ensure smooth video playback.
• HD support: Plays 1080p videos using the TC redirection function.

HD voice PESQ >3.4
• High-fidelity audio compression algorithm: Automatically identifies voice scenarios and optimizes human voice. Competitors' highest PESQ value is only 3.0.
• Automatic denoising algorithm: Enables the denoising algorithm for VoIP and ensures excellent voice quality even in noisy environments.

Task-based Desktops in Telephone Banking Centers

Desktops used in telephone banking centers are simple and less personalized peripheral devices.

Multiple users share one VM and their sessions are independent from each other.

Solution Highlights:
• The shared desktop mode reduces hardware resource usage of virtual desktops and greatly reduces virtual desktop costs for users.
• Users in the same position share one VM. Each user has an independent desktop. Linked clone VMs can be centrally upgraded in the background.
• The applications and data are stored in a cloud data center, which provides better data and information security protection than PCs.

[Diagram: VM 1 and VM 2 run on shared server, network, and storage resources and are used by agents handling wealth management product purchase, e-banking issues, investment suggestions, and management and monitoring.]

Scenario 6: Maintenance Management

Pain Points:
• Maintenance terminals cannot be moved.
• Data transmission is strictly limited.

Huawei Solution:
• Centralized maintenance, unified allocation, and efficient management
• Production reliability assurance

[Diagram: maintenance personnel, system administrators, and reviewers use VMs in the Huawei desktop cloud production environment (server, network, storage, security), with VM (HA) in the Huawei desktop cloud DR environment (server, network, storage, security), to reach the CRM system, the e-banking system, and the unified management portal.]

Terminal Access Security — Restricted TC Access
• Restricted TC access: Binding relationships are established between TCs' MAC addresses/MAC address groups and domain users/domain user groups, so that domain users/domain group members can access desktops from restricted TCs or TC groups. The restricted TC access feature can be used with any WI authentication mode.
• Application scenario: The restricted TC access feature applies to scenarios in which high information security is required and users can access virtual desktops that contain sensitive information only from restricted TCs.

• The desktop cloud administrator can enable the TC binding function on the ITA portal and import the binding relationships between TCs' MAC addresses and users.
• The binding relationships can be imported in one of the following ways:
  Method 1: Manual import
  Method 2: Batch import

Login experience
[Diagram: a desktop user on a TC bound to the user can log in; a desktop user on a TC unbound from the user is rejected (X).]
1. When a user logs in to the WI, the TC sends the username, domain name, and MAC address to the desktop cloud system to check whether the TC is bound to the user.
2. If the information matches the binding information saved in ITA, AD authentication is implemented, and login is continued.
3. The user logs in to the VM.

• Users who have been bound to TCs can log in to WI only from the bound TCs.
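
The binding check in step 1 and step 2 above, as an added Python example (not Huawei's code and not the ITA data model). The class and function names, the decision strings, the sample domain, users and MAC addresses, failing closed on a malformed MAC, and letting users with no binding continue to AD authentication are all assumptions.

```python
import re

_MAC_RE = re.compile(r"[0-9a-f]{12}")

def normalize_mac(mac):
    """Return 12 lowercase hex digits; accepts ':', '-' or '.' separators."""
    digits = re.sub(r"[:\-.]", "", mac.strip()).lower()
    if not _MAC_RE.fullmatch(digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

class BindingTable:
    """Hypothetical store of user/user-group to MAC/MAC-group bindings."""

    def __init__(self):
        self.mac_groups = {}   # MAC group name -> set of normalized MACs
        self.user_groups = {}  # user group name -> set of (domain, user)
        self.rules = []        # (principal, target) pairs

    def add_mac_group(self, name, macs):
        self.mac_groups[name] = {normalize_mac(m) for m in macs}

    def add_user_group(self, name, members):
        self.user_groups[name] = {(d.lower(), u.lower()) for d, u in members}

    def bind(self, principal, target):
        """principal: ("user", (domain, user)) or ("group", name);
        target: ("mac", address) or ("mac_group", name)."""
        pkind, pval = principal
        if pkind == "user":
            pval = (pval[0].lower(), pval[1].lower())
        tkind, tval = target
        if tkind == "mac":
            tval = normalize_mac(tval)
        self.rules.append(((pkind, pval), (tkind, tval)))

    def allowed_macs(self, domain, user):
        """Set of MACs the user is bound to, or None if no binding applies."""
        who = (domain.lower(), user.lower())
        allowed, bound = set(), False
        for (pkind, pval), (tkind, tval) in self.rules:
            applies = (pkind == "user" and pval == who) or \
                      (pkind == "group" and who in self.user_groups.get(pval, ()))
            if applies:
                bound = True
                # Groups are resolved at check time, so later edits take effect.
                allowed |= {tval} if tkind == "mac" else self.mac_groups.get(tval, set())
        return allowed if bound else None

def check_tc(table, domain, user, reported_mac):
    """Decide whether the login may continue to AD authentication."""
    try:
        mac = normalize_mac(reported_mac)
    except ValueError:
        return "REJECT"                  # assumption: fail closed on bad input
    allowed = table.allowed_macs(domain, user)
    if allowed is None:
        return "CONTINUE_TO_AD_AUTH"     # assumption: unbound users are unrestricted
    return "CONTINUE_TO_AD_AUTH" if mac in allowed else "REJECT"

def sample_table():
    """Constructed bindings: one user-to-TC and one group-to-TC-group rule."""
    t = BindingTable()
    t.add_mac_group("branch1", ["00:1a:2b:00:00:01", "001a.2b00.0002"])
    t.add_user_group("tellers", [("BANK", "bob")])
    t.bind(("user", ("BANK", "alice")), ("mac", "00-1A-2B-3C-4D-5E"))
    t.bind(("group", "tellers"), ("mac_group", "branch1"))
    return t
```

The MAC address is a value the TC reports about itself, so the binding narrows where a login may start and is not device authentication on its own; the terminal security list earlier in these slides names 802.1X authentication for TC access as a separate control.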

In-cloud and Off-cloud Secure Data Transmission System

• Management and Control of Data Transmission to External
  - Data transmission from the cloud to off-cloud machines needs to be approved and scanned for security.
  - Data transmission from off-cloud machines to the cloud does not need to be approved or scanned for security.
  - Files that do not meet the security policies can be intercepted, to prevent information leakage.
• Flexible Security Policies
  - Different security policies can be configured for information assets of different confidentiality levels.
  - The security policies include: file type blacklists and white lists, warning and interception policies, and whether supervisor approval is required.
• Alarm and Log Auditing, Traceability
  - File transmission information and approval operations are all recorded in logs.
  - Alarms are sent immediately when events not in compliance with the security policies occur.
  - Files uploaded against regulations are backed up, facilitating examination and backtracking.

[Diagram: in cloud (DC): compilation and construction, desktop cloud. Data transmission system: image gateway system and secure data transmission system, with controlled and automatic transmission. Off cloud: test PC, laptop, PAD, device commissioning PC, and laptop in the conference room, office area, R&D area, and external network. Legend: picture stream, key information asset, secure data transmission.]
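
The policy rules listed on this slide, as an added Python example (not Huawei's code): one evaluator that applies the direction rule, a per-confidentiality-level file-type policy, the warn or intercept choice, the scan result, and supervisor approval, and records every decision. The confidentiality levels, file types, field names, decision strings, the order of the checks, and intercepting on an unknown level or direction are assumptions; the sample transfers are constructed.

```python
import os
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    whitelist: frozenset = frozenset()   # if non-empty, only these types may leave
    blacklist: frozenset = frozenset()   # these types always count as violations
    on_violation: str = "intercept"      # "warn" or "intercept"
    supervisor_approval: bool = True

@dataclass
class Transfer:
    filename: str
    level: str                 # confidentiality level of the information asset
    direction: str             # "out" = cloud to off-cloud, "in" = off-cloud to cloud
    scan_clean: bool = False   # result of the security scan (hypothetical input)
    approved_by: str = None    # supervisor who approved, if any

# Constructed policies, one per confidentiality level.
POLICIES = {
    "public": Policy(blacklist=frozenset({".exe"}), on_violation="warn",
                     supervisor_approval=False),
    "internal": Policy(blacklist=frozenset({".zip", ".7z", ".exe"})),
    "secret": Policy(whitelist=frozenset({".pdf"})),
}

def violates(policy, filename):
    ext = os.path.splitext(filename.lower())[1]   # "a.pdf.exe" -> ".exe"
    if ext in policy.blacklist:
        return True
    return bool(policy.whitelist) and ext not in policy.whitelist

def evaluate(t, policies, audit_log):
    """Return ALLOW, PENDING_APPROVAL or INTERCEPT and append an audit record."""
    entry = {"file": t.filename, "level": t.level, "direction": t.direction,
             "approved_by": t.approved_by, "alarm": False, "backup": False}

    def done(decision):
        entry["decision"] = decision
        audit_log.append(entry)           # every transfer is logged, allowed or not
        return decision

    if t.direction == "in":
        return done("ALLOW")              # inbound needs no approval or scan
    policy = policies.get(t.level)
    if t.direction != "out" or policy is None:
        entry["alarm"] = True
        return done("INTERCEPT")          # assumption: unknown input fails closed
    if violates(policy, t.filename):
        entry["alarm"] = True             # alarm is raised immediately
        entry["backup"] = True            # keep a copy for later examination
        if policy.on_violation == "intercept":
            return done("INTERCEPT")
    if not t.scan_clean:
        entry["alarm"] = True
        return done("INTERCEPT")
    if policy.supervisor_approval and not t.approved_by:
        return done("PENDING_APPROVAL")
    return done("ALLOW")

def run_samples():
    """Evaluate constructed transfers; returns (decisions, audit_log)."""
    samples = [
        Transfer("build.log", "internal", "in"),
        Transfer("design.pdf", "secret", "out", scan_clean=True),
        Transfer("design.pdf", "secret", "out", scan_clean=True, approved_by="sup01"),
        Transfer("src.zip", "internal", "out", scan_clean=True, approved_by="sup01"),
        Transfer("tool.exe", "public", "out", scan_clean=True),
        Transfer("notes.pdf", "unlabelled", "out", scan_clean=True, approved_by="sup01"),
    ]
    log = []
    return [evaluate(s, POLICIES, log) for s in samples], log
```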

Cloud Management: Streamlined Management, Efficient O&M
[Diagram: an administrator manages the desktop cloud (APP/OS virtual desktops) centrally for Branch 1, Branch 2, Branch 3 … Branch n. Labels: centralized management, efficient management, unified O&M, maintenance free for terminals, rapid batch provisioning, dynamical adjustment, flexible upgrades.]
[Chart: average terminals managed: conventional IT 100 sets, desktop cloud 1500 sets.]

All-round Efficient Service Delivery from Design Survey to O&M
Management
How to conduct a survey to forecast and resolve compatibility problems before desktop virtualization? How to ensure
reasonable planning and design? How to resolve user connection problems? How to migrate data? How to prevent startup
storms? How to assess performance and test user experience? How to simplify routine maintenance?

[Diagram labels: delivery of 100,000 desktops; iCache & automatic startup tool; automatic data migration; desktop information collection tool; desktop information analysis tool; global system design idea; performance assessment & user experience test; user self-help console; network model design; professional planning evaluation and design; desktop cloud manager; desktop virtualization information assessment.]

End-to-End Architecture Ensures System Reliability
[Diagram: users' clients connect through LB/AG with encrypted data stream transmission to user resources (VMs with App, OS, client agent and server agent). Management nodes: FusionAccess in HA for desktop management, FusionSphere in HA for cloud platform management.]

User Connection Reliability

Client network reliability
• Automatic reconnection upon network intermittent disconnection
• Automatic network status detection

Server reliability
• Automatic port switchover upon desktop agent port conflicts with other software
• Desktop agent software preventing itself from being deleted or killed
• Progress file protection
• Automatic VM restart upon blue screen faults

Management Node Reliability

Desktop management
• Key nodes of the desktop architecture do not depend on the Windows OS, and HDC does not depend on the domain control.
• Service status is detected and services are automatically isolated and restored upon faults.

Cloud platform management
• Management node redundancy
• Automatic VM fault recovery
• Automatic monitoring for memory, CPU, and network status of management nodes
• Management data backup

VDI DR Technology Ensures Desktop Cloud HA
[Diagram: before DR and after DR views of the production DC and the DR DC. Each site has an access network, VLB/AG, HDC, WI, AD, ITA, and DB. The sites are linked by AD domain data synchronization and desktop data synchronization. Component states shown: running, standby, stopped.]

Features:
• Before DR is implemented, VDI VMs in the DR site are in the running state. The AD domain controller synchronizes desktop data periodically.
• After DR is completed, VDI VMs in the DR site no longer synchronize data from the active site. When the user terminal detects a fault in the production site during the login, the terminal automatically switches to the WI in the DR site for login.

Huawei Desktop Cloud Eliminates Bottlenecks in Virtual Desktop Development

Optimal User Experience
• PESQ higher than 3.4, and 1080p video experience
• GPU virtualization allowing up to 32 cloud graphics workstations per graphics card
• Consistent experience in mobile office scenario and differentiated services for VIP desktops

Agile and Efficient
• Software pre-installation and rapid delivery
• Unified O&M platform and eight maintenance-assistant tools improve serviceability.
• Application virtualization quickly delivers applications.
• Quick adaptation to peripherals

Decision-maker
Secure, Reliable, Flexible
• Standard reference architecture and integrated hardware and software delivery allow flexible deployment.
• E2E security protection covers access, platform, network, management, and data.
• Comprehensive reliability protection from terminal connections to platform services.

Cost-effective enterprise virtual desktop architecture ensures optimal user experience


38
Bank of China Builds an Efficient R&D Platform with Huawei Desktop Cloud

Bank of China (BOC) is one of China's 'Big Four' state-owned commercial banks. Its business scope covers the commercial bank, investment bank, and insurance fields. Its branches include the BOC Hong Kong, BOC International, and BOC Insurance, which provide comprehensive and high-quality finance service for individuals and enterprises worldwide.

Challenges
• A large number of outsourcing personnel work in the software R&D center of BOC. Traditional desktops are weak in port, network, and hard disk security protection, which may result in disclosure of confidential information to outsourcing personnel.
• PC resources must be flexibly allocated and reclaimed to meet different resource requirements at different times.
• A large number of employees work in geographically dispersed locations, so the PC maintenance workload is heavy.

Huawei Solution
• Huawei software and hardware products are deployed. FusionAccess is used to consolidate and manage blade servers and IPSAN.
• Outsourcing personnel log in to VMs from PC soft clients (SCs) to do R&D work. All data is stored in the data center, preventing data from being stolen.
• When an R&D task finishes, VMs of outsourcing personnel are reclaimed and used for other services.

Customer Benefits
• All data is stored in SAN storage devices rather than in local computers. This ensures security for R&D assets, such as code and documents.
• Resources are allocated based on the number of users, which improves resource utilization.
• All resources are managed on a unified portal, which reduces O&M costs.

40
Cloud-based BOC R&D Platform — Application Scenarios and Requirements

As-Is

Information security: A large number of outsourcing personnel work in the software R&D center of BOC. This risks disclosing key design, source code, and development documents and process documents to the outsourcing personnel.

Personnel transfer: The software R&D center hires different numbers of outsourcing personnel at different times. A large number of outsourcing personnel are required for the development and testing of online systems. The human resources must be promptly released after the task is complete.

PC update: The software development tool, database management tool, and testing tool are used in the R&D scenario, which puts high requirements on the system.

Maintenance efficiency: A large number of employees work in geographically dispersed locations, so the PC maintenance workload is heavy. This reduces the work efficiency of the software R&D center.

The desktop cloud can effectively meet information security, flexible resource management, and simplified O&M requirements and improve the work efficiency of the BOC software R&D center.

Application Scenarios and Requirements

Application Scenario: In R&D office environments, each user is assigned a VM. Users use TCs to access their virtual desktops. All the USB ports are disabled so USB flash drives cannot be used. Information is not stored on TCs, preventing confidential information from being disclosed or stolen. VM specifications can be adjusted according to the OA software workload. All VMs are isolated from one another, and each desktop has its own system disk. Users can have personalized desktops and use a variety of peripherals. All these contribute to high service security and superior user experience as if traditional PCs were being used.

Software R&D
Scale: 500 users, 100% concurrency
System requirements: Windows 7
VM specifications: 4 vCPUs, 4 GB memory, 60 GB system disk, 60 GB data disk (10% computing resources and 20% storage resources reserved)
Software requirements: MS Office, Outlook, Project, VISIO, Internet Explorer, Acrobat Reader, video players, enterprise communication software, common input methods, MSI reader, Kingsoft PowerWord, and Visual Studio/MyEclipse/MENTOR/ALTIUM/VC/MATLAB.
Peripheral requirements: Peripherals commonly used in the financial industry, such as USB port/serial port/parallel port printers, USB keyboard and mouse, cameras, card readers, and card writers
Identity authentication: Domain account + Domain password

41
Cloud-based BOC R&D Platform — Security Design and Proven Peripheral Compatibility

Full peripheral compatibility

Peripheral | Vendor | Model
Printer | Nantian Donghua | USB port printer, Model: PR2E 0B3C PID 0001 (GI945) REV 0100
Printer | Nantian Donghua | Serial port printer, Model: PR2E
Printer | HP | Network printer, Model: HP LASERJET M15304
Printer | Epson | Parallel port printer
Magnetic card reader and writer | Nantian Donghua | Serial-to-USB adapter, Model: BP8901 UKZ NB045
Magnetic card reader and writer | Nantian Donghua | Magnetic card reader, Model: BP8903 VIRA-A(ZH) NI955 VID 0403 PID 6001
Magnetic card reader and writer | WBE | Magnetic card reader and writer, Model: WB7H-2000 VER: 2.0H VID 10C4 PID EA60
Scanner | Fujitsu | fi-6225 scanner VID 04C5 PID 11EF
Camera | Logitech/BlueLover | Mainstream models supported

• Huawei supports configurable COM ports (some peripherals need fixed COM ports). Adaptation development must be implemented in environments of other vendors.
• Huawei HDP runs more stably than other protocols (with USB port reconnection and exception handling capabilities).
• While providing equivalent experience to that of PCs, the Huawei camera redirection technology requires a bandwidth over ten times lower than that of competitors.

Security design

[Figure: security design across the deployment. Labels: PC and TC terminals; intranet; switch; access gateway; service network, management network, and storage network; infrastructure servers (AD/DNS/DHCP in active/standby mode, patch server, virus server); environment loading; hypervisor; virtualization and desktop management pool; computing resource pool; active storage and standby storage.]

Terminal security
• USB key authentication
• AD domain password authentication
• TCs bound to VMs
• USB read/write disabled
• Linux OS hardening
• SSL-encrypted network transmission
• MAC addresses bound to IP addresses

Infrastructure security
• OS hardening
• Windows antivirus
• Web security
• Database hardening
• Windows security patch

Transmission security
• HTTPS encryption for WI access
• HDP over SSL for VM access
• 802.1X authentication

Network security
• Management/Service/Storage/network isolation
• Firewall ACL
• VLAN isolation

Management security
• HTTPS access
• Account and password management
• Log audit
• OMS rights-based management
• ITA rights- and domain-based management

Virtualization security
• VM isolation
• Virtualization layer hardening

Data security
• Data storage isolation
• Data access control
• User data backup

System security solution: Access control, security control, rights control, operation audit, and data loss prevention
42
Industrial Bank Builds Secure and Efficient Branch Offices with Huawei Desktop Cloud

Industrial Bank was founded in August 1988. It is one of the first joint-stock commercial banks approved by the State Council of the People's Republic of China and the People's Bank of China. The headquarters of Industrial Bank is located in Fuzhou. The Industrial Bank was listed in the Shanghai Stock Exchange on February 5, 2007 with a registered capital of CNY19.052 billion.

Challenges
• As markets are developing, Industrial Bank establishes more and more branch offices around the world. A branch office usually has a few employees. To reduce maintenance costs, branch offices need to be centrally managed.
• In the existing outsourcing development environment, data is dispersedly stored in computers, which makes centralized management and control difficult.

Huawei Solution
• Huawei provides the FusionCloud Desktop Solution for branch offices. With this solution, the system is simplified and can be deployed in distributed mode, thereby improving system flexibility.
• Only management data is exchanged between branch offices and the headquarters. User services are locally provided by branch offices by default without the need of connecting to the headquarters, so that services are not affected by network latency.

Customer Benefits
• Flexible, unified management and maintenance: The administrator at the headquarters releases, manages, and maintains security policies, applications, and software patches. The administrator at the headquarters can also assign operation rights to administrators in branch offices to implement rights- and domain-based management.
• High security: Branch offices and the management center are connected by the SVPN. Each branch office is isolated from one another. The networking costs are low and the data security is high.

43
Industrial Bank Branch Office — Application Scenarios and Peripheral Requirements

Peripheral | Model | Port Type | Test Result
Counter service system–card reader | Nantian 8902 card reader | Serial port COM1: B Universal card reader | Pass
Counter service system–card reader | Newland BMAG_NL2805W/0/0/CT | Serial port COM1: B Universal card reader | Pass
Counter service system–card reader/two-in-one IC card reader | Nantian BP8903 | Serial port COM1: B Universal card reader | Pass
Counter service system–IC card reader | Nantian BP89031RA-N | Serial port COM: C | Pass
Counter service system–IC card reader | Guoguang CJ201 | Serial port COM: C | Pass
Counter service system–bill printer | Nantian PR2E | Parallel port | Pass
Counter service system–bill printer | OKI MICROLINE 6100F | Parallel port | Pass
Counter service system–second-generation ID card reader | Huaxu second-generation ID card reader | USB | Pass
Counter service system–second-generation ID card reader | Jinglun second-generation Idr200 | USB | Pass
Counter service system–second-generation ID card reader | Jinglun second-generation Idr200 | USB | Pass
Counter service system–second-generation ID card reader | Zhewei ZWIC-100 | USB | Pass
Counter service system–second-generation ID card reader | Shensi SS628(100) | USB | Pass
Counter service system–scanner | FUJITSU fi-6130Z | USB | Pass

The desktop cloud of Industrial Bank mainly applies to R&D scenarios in Shanghai, Fuzhou, and Chengdu, including common OA, development, testing, and outsourcing scenarios. Unified O&M must be implemented for the desktop cloud in the three cities, and services can be independently provisioned in the three cities.
44
Industrial Bank Branch Office — Unified Management, User Experience, and Security

[Figure: the desktop cloud computing center and management center deployed in Shanghai (virtualization management with FusionManager, desktop cloud management with FusionAccess, infrastructure virtualization with FusionCompute, cloud-based testing and R&D in the Shanghai R&D center, OA and enterprise mailbox) exchanges management messages with remote modules in the Fuzhou R&D center and the Chengdu R&D center. Legend: management stream, HDP stream.]

Advantages of the branch office solution:

Flexible, unified management and maintenance: The administrator at the headquarters implements unified O&M, simplifying terminal management and reducing maintenance workload for branches. The administrator at the headquarters releases, manages, and maintains security policies, applications, and software patches. The administrator at the headquarters can also assign operation rights to administrators in branch offices to implement rights- and domain-based management.

Local access to VM resources: Only management data is exchanged between the headquarters and branch offices. Services for users are provided by branch offices, and users do not need to connect to the headquarters to obtain resources remotely. Therefore, impact of network latency on services is reduced. Obtaining VM resources locally is especially important for branch offices that use networks of poor quality. VM templates and images for branch offices can be made and stored locally. These local templates and images can be used to create VMs, saving network bandwidth and improving efficiency.

High security: Branch offices and the management center are connected by the SVPN. Each branch office is isolated from one another. The networking costs are low and the data security is high.

45
Industrial Bank Branch Office Architecture
[Figure: the Shanghai desktop cloud computing center and management center (Shanghai Zhangjiang desktop cloud R&D center, with the service system, FusionManager, FusionSphere, and FusionAccess) connects over the WAN to the Fuzhou desktop cloud computing center (Mawei desktop cloud R&D center, Fuzhou) and the Chengdu desktop cloud computing center (Chengdu desktop cloud R&D center), each with local resources, FusionSphere, and FusionAccess.]

Saving bandwidth without network reconstruction
• Only 2 Mbit/s management network bandwidth is required for the communication between branches and the central site.

Excellent experience
• Local resources (including servers, storage devices, network devices, virtual platforms, and desktop management devices) are created for branch offices.
• Local user access ensures optimal service experience.
• The disconnection between branch offices and the central site does not affect local access.

Unified maintenance management
• VDI desktops in local R&D centers and the headquarters are centrally managed.
• Desktops comply with industry standards.

Branch offices can be expanded to up to 255.
46
Industrial Bank Branch Office Architecture

[Figure: SACG deployment. Labels: headquarters; branch with branch core router, branch core switch, office service area, production SACG, OA SACG, TSM servers, production server area, branch OA area, and OA network aggregation switch; sub-branch with sub-branch core router, production area, and OA area.]

With the complex network environment of Industrial Bank, Huawei SACG access control solution is adopted for the sake of feasibility and maintainability. The deployment plan is as follows:
• Production network: Core switches are connected to SACGs in bypass mode in branch banks to direct upstream traffic of sub-branch and branch banks to SACGs. TSM servers are deployed in the branch production server area.
• OA network: Branch and sub-branch OA terminals use different server paths to access servers; therefore, SACGs are connected to core and aggregation switches in bypass mode to process upstream traffic.

Note:
All SACGs are deployed in active/standby mode to ensure high reliability.

47
Chongqing Rural Commercial Bank Builds Secure and Efficient Development Environment with Huawei Desktop Cloud

Chongqing Rural Commercial Bank is the third provincial rural commercial bank in China and the first provincial rural commercial bank in the Midwest. It is also the first China rural commercial bank listed in Hong Kong. In terms of total assets, Chongqing Rural Commercial Bank is the third largest Rural Commercial Bank in China and ranks 21 among other banks.

Challenges
• In the existing outsourcing development environment, data is dispersedly stored in computers, which makes centralized management and control difficult.
• A dedicated IT engineer is required for every 100 PCs, causing high maintenance costs.
• The PC-based office system requires long deployment cycle and provides low resource utilization.

Huawei Solution
• The development environment is deployed in the data center. R&D engineers log in to VMs from secure TCs to develop the system. Peripherals can be connected to VMs, but data cannot be taken out.
• Computing resources are centrally provided by the data center. The IT administrator only needs to maintain and manage data center devices, which reduces device maintenance costs for the bank.
• Employees can access their VMs anywhere in the office area, which improves work efficiency.

Customer Benefits
• With powerful security control policies, Chongqing Rural Commercial Bank can effectively manage and control data and code used by third-party software companies during service development.
• The maintenance efficiency is improved by about ten times, greatly reducing the management costs.
• TCO is reduced by about 30%. Users can enjoy the same desktop experience as PCs.

48
Orient Securities Builds Lightweight Outlets with Huawei Desktop Cloud

Challenges
• As one of the top five securities traders in Shanghai, services of Orient Securities develop quickly. However, the deployment efficiency of traditional PCs is too low to meet service development requirements.
• Important information, such as customer information and transaction data, must be protected against disclosure.
• Management personnel are busy with O&M.

Huawei Solution
• The Huawei FusionCloud Desktop Solution is delivered in an end-to-end manner, facilitating quick service development.
• Various O&M tools, the unique self-service platform, and desktop manager improve O&M efficiency.
• All-round security design prevents data leakage.
• Clients with minimum power consumption of 5 W provide green office.

Customer Benefits
• Remote centralized management and control improve O&M efficiency by ten times.
• Desktops and data are centrally processed and stored in the background rather than on terminals, which prevents data leakage.
• Annual power consumption is reduced by 60%, conserving energy and protecting the environment.

"Deployment of the Huawei desktop cloud accelerates the construction of new outlets and improves management efficiency for Orient Securities. In addition, Huawei desktop cloud prevents leakage of important customer information, which is very important to us. With the increasing services, we will retain such new OA desktop mode."
Shu Hong, COO from Orient Securities

49
SZSE Enhances Financial Information Security with Huawei Desktop Cloud

A 60% reduction in information security events: The result of transitioning to data stored in
data centers instead of on PCs and implementing behavior audits and operations tracing.
Desktops deployed in minutes, making O&M ten times more efficient.
Elastic IT resource allocation increases resource utilization by 20% to 30%.

50
China UnionPay Builds 2,000 Desktops with Huawei Desktop Cloud

China UnionPay plans to build 2,000 desktops in this phase. Each desktop includes four CPUs, 4 GB memory, and 500 GB storage. The memory of 50% virtual desktops can be upgraded to 8 GB when they are configured with 64-bit OSs. These desktops provide the same experience as PCs.

Challenges
• Terminal maintenance is complex and the workload is large.
• Desktops are configured with fixed-line phones, which makes configuration adjustment difficult.
• Internal information involves high security risks.
• Microsoft virtual desktops in use have poor performance, reliability, and experience, and cannot meet service requirements.

Huawei Solution
• Huawei FusionCloud Desktop Solution is adopted.
• Resources are pooled, and centralized management is implemented to ensure unified monitoring, alarming, and flexible configuration.
• Tier-1 departments are physically isolated from other departments. The management network and storage network are isolated from each other to ensure security.
• High scalability, smooth capacity expansion, and flexible configuration provide the same experience as PCs.
• Solutions are provided for Shanghai headquarters, and Beijing and Guizhou branches to enable unified management.

Customer Benefits
• Around 20% initial investment, 75% equipment room space, and 67.5% energy are saved.
• Maintenance costs are reduced by 30%.
• Service rollout duration is shortened by 80%.

[Charts: Traditional compared with Cloud computing-based NC]
Resource utilization (%): Increases 10 times
Service server preparation period (day): Declines 97%
Power consumption in 24 hours (W): Reduces 71%
Maintenance efficiency (set/person): Increases 9 times

51
Desktop Cloud Solution for China UnionPay Branches

[Figure: the Shanghai headquarters (FusionCloud) connects over the WAN to the Beijing branch, the Guizhou branch, and further branches, each with local resources.]

Reduced network reconstruction costs
• Only 2 Mbit/s management network bandwidth is required for the communication between branches and the central site. In case of remote access, high bandwidth is required.

Excellent experience
• Local resources (including servers, storage devices, network devices, virtual platforms, and desktop management devices) are created for branch offices to enable local access and provide optimal service experience. The disconnection between branch offices and the central site does not affect local access.

Unified maintenance management
• VDIs of branches and the headquarters are centrally managed and maintained, ensuring standards compliance of desktops.

Applicable to branches with poor network conditions
• Only management data is transmitted between the headquarters and the branches through the network. Local traffic is used for VM remote desktops. This eliminates the need for network bandwidth. The bandwidth required is less than 2 Mbit/s, and the delay is less than 120 ms.

52
China Merchants Bank Desktop Cloud Solution — R&D, OA, and Customer Service Center

[Figure: zoned network architecture. Internet and Internet access zone with Web/Proxy/Email server; DC equipment rooms (logically isolated) with red zone and yellow zone servers, the zone desktop clouds, and data transmission systems; core switching layers (logically isolated) on the core IP network; red zone, yellow zone, and green zone access zones (physically isolated); approvable, controllable, and traceable data transmission.]

Green zone: OA and customer service centers
Yellow zone: R&D
Red zone: top secret zones and labs

Optimal experience — users
• Innovative experience similar to user habits is provided with virtual cloud.
• The R&D network and OA network are isolated, and file switching approval between them can be traced.
• All user data is stored in non-system partitions to facilitate backup.
• User account and authentication are integrated with the existing AD of China Merchants Bank.

Efficient security management — O&M management personnel
• High reliability: One or more VMs, servers, storage devices, network devices can be rapidly restored upon faults.
• High security: User accounts can be bound to terminal hardware, and accounts and desktops can be locked.
• High maintainability: Automatic O&M tools are provided. Users can use the self-service portal to apply for and release resources.
• High scalability: Components in the system support horizontal expansion and smooth capacity expansion.

Cost advantages — decision-makers
The cloud desktop system greatly reduces terminal O&M costs.
CNY1474 (2049-575) OPEX can be reduced for each desktop a year.
53
HUAWEI ENTERPRISE ICT SOLUTIONS A BETTER WAY

Copyright © 2015 Huawei Technologies Co., Ltd. All Rights Reserved.


The information in this document may contain predictive statements including, without limitation, statements regarding the future financial and operating results, future product
portfolio, new technology, etc. There are a number of factors that could cause actual results and developments to differ materially from those expressed or implied in the predictive
statements. Therefore, such information is provided for reference purpose only and constitutes neither an offer nor an acceptance. Huawei may change the information at any time
without notice.
