Deploy virtual applications with GO-Global on Oracle Cloud Infrastructure
GO-Global is an application virtualization software developed by GraphOn that is able to promptly make existing applications available directly in the browser or through the GO-Global client.
GO-Global allows you to publish Windows applications on Oracle Cloud Infrastructure (OCI) and fully leverage the OCI services. GO-Global delivers high performance sessions even on low-speed connections with bandwidth as low as 16 Kbps. Security is ensured by encrypted connections via 256-bit SSL.
A key point that deserves to be evaluated is the fact that the application doesn't need to use RDS functionality. According to GraphOn, its software GO-Global allows multiple users to remotely access Microsoft Windows applications without relying on Microsoft Remote Desktop Services or the built-in multi-session kernel functionality of Windows. Unlike other products that add features to RDS, GO-Global fully replaces Microsoft's multi-session functionality and its Remote Desktop clients, display driver, protocol, internet gateway, and management tools. The unique architecture of GO-Global eliminates the need for RDS components to be installed on Windows desktops or servers.
GO-Global is a comprehensive solution for delivering virtual applications and accessing them remotely on both Windows desktops and servers. It utilizes GraphOn technology exclusively, without depending on the features or architecture of other vendors.
Architecture
This reference architecture describes a high level overview of how you can leverage GO-Global and OCI services to deploy a Windows application in the cloud, improving application availability, performance, and security.
Application Access from Multiple Platforms
GO-Global publishes applications on Windows servers installed on-premises or in the cloud. Users can transparently access GO-Global published applications from Windows, Mac, and Linux devices, or any device with an ARM processor running Android 9.0 and later. User access is accomplished via a client installed on the device or a browser, including Explorer, Firefox, Safari, Chrome, or Edge. Web browser access does not require installation of a HTML5 client.
For mobile devices, GO-Global offers its Mobile App Toolbar Editor, which is used to define the toolbar buttons and menus that are displayed when an application is accessed from a mobile device.
Publish Windows Apps without RDS
GO-Global is the only Windows application publishing tool that does not require Microsoft Remote Desktop Services (RDS) or Remote Desktop Protocol (RDP) to publish applications. Instead, GO-Global fully replaces RDS functionality, including multi-session kernel, Remote Desktop clients, display driver, protocol, internet gateway and management tools, eliminating Windows and user licensing costs.
We are considering the use case where we publish proprietary Windows applications from OCI and make them available to all users. The first step is creating our Infrastructure-as-a-service (IaaS) in OCI.
Following the architecture guided by GraphOn, we will need the following items:
- Relay Servers (also called Gateways): Relay servers serve to load balance incoming users. In this way, with at least 2 servers, you can have high availability and the distribution of users on the application's machines. This will ensure that users do not have to wait for a long time in a queue.
- Licensing Host: A simple, high availability alternative, eliminating license codes that required specific servers and the need to redeem, host, or upgrade the license. Administrators can run the Activation Wizard on a host, log into their GraphOn account and select the license they want the computer to use.
In the table below you can see an estimated consumption of RAM memory on the GO-Global server:
| Service Process | Executable | Allocated Memory (MB) |
|---|---|---|
| Application Publishing Service (one instance per server) | Aps.exe | 15 |
| License Service (one instance per server) | Lmgrd.exe | 2 |
| License interface (one instance per server) | blm.exe | 2 |
| Program Window (one instance per server) | pw.exe | 3 |
| Logon Graphical Authentication (one instance per server) | logon.exe | 2 |
| Remote clipboard (one instance per server) | remoteClipboard.exe | 2 |
| Update client service (one instance per server) | uc.exe | 2 |
| Microsoft Word (15 users) | Winword.exe | 25 |
- Total memory consumed by GO-Global services (Aps.exe, Lmgrd.exe, uc.exe): 19 MB (server)
- Total memory consumed (processes per session): 34 MB * 15 users = 510 MB (users) + 19 MB (server) = 529 MB
GO-Global application servers can be architected as single-tenant or multi-tenant as shown in the following diagrams.
GO-Global single-tenant environment
go-global-single-tenant-oracle.zip
GO-Global multi-tenant environment
go-global-multi-tenant-oracle.zip
For this use case, we are using a multi-tenant environment for a single Windows application. The following diagram illustrates this reference architecture.
oci-go-global-virtual-app-oracle.zip
The following diagram illustrates an example of GO-Global architecture on OCI using GO-Global Cloud Licensing Service.
oci-go-global-virtual-app-licensing-oracle.zip
The architecture has the following components:
- Tenancy
A tenancy is a secure and isolated partition that Oracle sets up within Oracle Cloud when you sign up for Oracle Cloud Infrastructure. You can create, organize, and administer your resources in Oracle Cloud within your tenancy. A tenancy is synonymous with a company or organization. Usually, a company will have a single tenancy and reflect its organizational structure within that tenancy. A single tenancy is usually associated with a single subscription, and a single subscription usually only has one tenancy.
- Region
An Oracle Cloud Infrastructure region is a localized geographic area that contains one or more data centers, called availability domains. Regions are independent of other regions, and vast distances can separate them (across countries or even continents).
- Availability domains
Availability domains are standalone, independent data centers within a region. The physical resources in each availability domain are isolated from the resources in the other availability domains, which provides fault tolerance. Availability domains don’t share infrastructure such as power or cooling, or the internal availability domain network. So, a failure at one availability domain is unlikely to affect the other availability domains in the region.
- Fault domains
A fault domain is a grouping of hardware and infrastructure within an availability domain. Each availability domain has three fault domains with independent power and hardware. When you distribute resources across multiple fault domains, your applications can tolerate physical server failure, system maintenance, and power failures inside a fault domain.
- Virtual cloud network (VCN) and subnets
A VCN is a customizable, software-defined network that you set up in an Oracle Cloud Infrastructure region. Like traditional data center networks, VCNs give you complete control over your network environment. A VCN can have multiple non-overlapping CIDR blocks that you can change after you create the VCN. You can segment a VCN into subnets, which can be scoped to a region or to an availability domain. Each subnet consists of a contiguous range of addresses that don't overlap with the other subnets in the VCN. You can change the size of a subnet after creation. A subnet can be public or private.
- Load balancer
The Oracle Cloud Infrastructure Load Balancing service provides automated traffic distribution from a single entry point to multiple servers in the back end.
- Security list
For each subnet, you can create security rules that specify the source, destination, and type of traffic that must be allowed in and out of the subnet.
- Service gateway
The service gateway provides access from a VCN to other services, such as Oracle Cloud Infrastructure Object Storage. The traffic from the VCN to the Oracle service travels over the Oracle network fabric and never traverses the internet.
- Object storage
Object storage provides quick access to large amounts of structured and unstructured data of any content type, including database backups, analytic data, and rich content such as images and videos. You can safely and securely store and then retrieve data directly from the internet or from within the cloud platform. You can seamlessly scale storage without experiencing any degradation in performance or service reliability. Use standard storage for "hot" storage that you need to access quickly, immediately, and frequently. Use archive storage for "cold" storage that you retain for long periods of time and seldom or rarely access.
- Dynamic routing gateway (DRG)
The DRG is a virtual router that provides a path for private network traffic between VCNs in the same region, between a VCN and a network outside the region, such as a VCN in another Oracle Cloud Infrastructure region, an on-premises network, or a network in another cloud provider.
- Virtual Machine (VM)
A virtual machine (VM) is an independent computing environment that runs on top of physical bare metal hardware. The virtualization makes it possible to run multiple VMs that are isolated from each other. VMs are ideal for running applications that do not require the performance and resources (CPU, memory, network bandwidth, storage) of an entire physical machine. An Oracle Cloud Infrastructure VM compute instance runs on the same hardware as a bare metal instance, leveraging the same cloud-optimized hardware, firmware, software stack, and networking infrastructure.
- Block volume
With block storage volumes, you can create, attach, connect, and move storage volumes, and change volume performance to meet your storage, performance, and application requirements. After you attach and connect a volume to an instance, you can use the volume like a regular hard drive. You can also disconnect a volume and attach it to another instance without losing data.
Recommendations
- VCN
When you create a VCN, determine the number of CIDR blocks required and the size of each block based on the number of resources that you plan to attach to subnets in the VCN. Use CIDR blocks that are within the standard private IP address space.
Select CIDR blocks that don't overlap with any other network (in Oracle Cloud Infrastructure, your on-premises data center, or another cloud provider) to which you intend to set up private connections.
After you create a VCN, you can change, add, and remove its CIDR blocks.
When you design the subnets, consider your traffic flow and security requirements. Attach all the resources within a specific tier or role to the same subnet, which can serve as a security boundary.
- Security
Use Oracle Cloud Guard to monitor and maintain the security of your resources in Oracle Cloud Infrastructure proactively. Cloud Guard uses detector recipes that you can define to examine your resources for security weaknesses and to monitor operators and users for risky activities. When any misconfiguration or insecure activity is detected, Cloud Guard recommends corrective actions and assists with taking those actions, based on responder recipes that you can define.
For resources that require maximum security, Oracle recommends that you use security zones. A security zone is a compartment associated with an Oracle-defined recipe of security policies that are based on best practices. For example, the resources in a security zone must not be accessible from the public internet and they must be encrypted using customer-managed keys. When you create and update resources in a security zone, Oracle Cloud Infrastructure validates the operations against the policies in the security-zone recipe, and denies operations that violate any of the policies.
- Cloud Guard
Clone and customize the default recipes provided by Oracle to create custom detector and responder recipes. These recipes enable you to specify what type of security violations generate a warning and what actions are allowed to be performed on them. For example, you might want to detect Object Storage buckets that have visibility set to public.
Apply Cloud Guard at the tenancy level to cover the broadest scope and to reduce the administrative burden of maintaining multiple configurations.
You can also use the Managed List feature to apply certain configurations to detectors.
- Security Zones
For resources that require maximum security, Oracle recommends that you use security zones. A security zone is a compartment associated with an Oracle-defined recipe of security policies that are based on best practices. For example, the resources in a security zone must not be accessible from the public internet and they must be encrypted using customer-managed keys. When you create and update resources in a security zone, Oracle Cloud Infrastructure validates the operations against the policies in the security-zone recipe, and denies operations that violate any of the policies.
- Network security groups (NSGs)
You can use NSGs to define a set of ingress and egress rules that apply to specific VNICs. We recommend using NSGs rather than security lists, because NSGs enable you to separate the VCN's subnet architecture from the security requirements of your application.
- Load balancer bandwidth
While creating the load balancer, you can either select a predefined shape that provides a fixed bandwidth, or specify a custom (flexible) shape where you set a bandwidth range and let the service scale the bandwidth automatically based on traffic patterns. With either approach, you can change the shape at any time after creating the load balancer.
Considerations
Consider the following points when deploying this reference architecture.
- Performance
Depending on the amount of data, you can use Oracle Cloud Infrastructure FastConnect or IPSec VPN to manage costs.
- Security
By default, Oracle Cloud provides encryption of all objects stored in Oracle Cloud Infrastructure Object Storage buckets. For extra security, you can choose to encrypt these objects using customer-managed keys.
- Availability
Object Storage is highly available. However, you can choose to configure cross-region replication to protect against unlikely regional outages.
- Cost
The price may vary according to the number of users with simultaneous access, as this directly impacts the cost of the infrastructure to be provisioned and the number of GO-Global licenses.