It is a common scenario that a flexVDI platform is used to provide Desktop as a Service (DaaS) to the different customers of the platform's owner. In this scenario, resources, network connections and authentication domains must be isolated for each customer. flexVDI supports isolating these three factors independently for each customer. For instance, resources can be isolated per customer while using the same network configuration for all or many of them, or customers may have different authentication domains while sharing the resources of the platform.

Isolate resources

Resource isolation is implemented with Pools. As explained before, Pools aggregate the resources of a group of Hosts so that the resources needed by a Guest when it is started are allocated automatically to the most suitable Host. Pools isolate resources in the following ways:

Use Pools to isolate resources dedicated to each customer. You can create one Pool per customer, or create many Pools per customer to assign different priorities to each group of Guests (e.g. higher priority to services, lower to desktops).

Isolate network connections

flexVDI networking model supports connecting Guests to multiple virtual bridges and VLANs, to match the level of network isolation you have in the rest of the data center. You can isolate the network connection of a group of Guests in the following ways:

Authentication domains

In a simple scenario, with only one customer, the recommended way to configure VDI authentication is to create an authenticated default Terminal Policy and additional non-authenticated Terminal Policies. In this way, only the terminals that require non-authenticated access to the platform are manually registered to a Terminal Policy. The rest will be automatically registered to the default Terminal Policy, and require authentication. However, in this case, there is only one authentication domain. If you add additional authenticated Terminal Policies for other domains, terminals must be manually registered to them.

To provide a solution for this problem and a more general case, flexVDI supports registering a terminal to a Terminal Policy automatically by connection name. It works in the same way as virtual web servers. First, create a different DNS entry for each authentication domain that points to your platform's IP address, e.g. cstmr1.myprovider.com, cstmr2.myprovider.com, ... Then, create an authenticated Terminal Policy for each of these names, replacing dots (.) with underscores (_), e.g. cstmr1_myprovider_com, cstmr2_myprovider_com, ... Finally, configure them with the appropriate authentication parameters (LDAP server, branch name, bind user, ...). Whenever a new terminal connects to the platform and it is not registered yet to any Terminal Policy, flexVDI will first look for a Terminal Policy which name matches the host name that was used to establish the connection. So, provide each of your customers with the DNS name that represents their authentication domain.

This model works for non-authenticated Terminal Policies too, so you may have vdikiosks.myprovider.com, and have your kiosk devices connect to the platform using that name to be automatically registered with a non-authenticated Terminal Policy named vdikiosks_myprovider_com. However, take into account that, in this case, any user may access a non-authenticated desktop just knowing the right domain name.