US20070180447A1 - Methods and systems for interacting, via a hypermedium page, with a virtual machine - Google Patents

Publication number
US20070180447A1
Authority
US
United States
Legal status
Abandoned
Application number
US11/559,658
Inventor
Richard MAZZAFERRI
David Robinson
Current Assignee
Citrix Systems Inc
Original Assignee
Citrix Systems Inc
Priority to US76167406P
Application filed by Citrix Systems Inc
Priority to US11/559,658 (US20070180447A1)
Priority claimed from PCT/US2007/060963 (WO2007087558A2)
Priority claimed from EP11161963A (EP2369479A3)
Assigned to CITRIX SYSTEMS, INC. Assignment of assignors interest (see document for details). Assignors: MAZZAFERRI, RICHARD JAMES; ROBINSON, DAVID NEIL
Publication of US20070180447A1
Application status is Abandoned

Classifications

    • G09G5/14 Display of multiple viewports
    • G06F16/748 Hypervideo
    • G06F21/53 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow by executing in a restricted environment, e.g. sandbox or secure virtual machine
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/629 Protecting access to data via a platform, e.g. using keys or access control rules to features or functions of an application
    • G06F3/1415 Digital output to display device; Cooperation and interconnection of the display device with other functional units with means for detecting differences between the image stored in the host and the images displayed on the displays
    • G06F3/1438 Digital output to display device; Cooperation and interconnection of the display device with other functional units controlling a plurality of local displays, e.g. CRT and flat panel display using more than one graphics controller
    • G06F3/1462 Digital output to display device; Cooperation and interconnection of the display device with other functional units involving copying of the display data of a local workstation or window to a remote workstation or window so that an actual copy of the data is displayed simultaneously on two or more displays, e.g. teledisplay with means for detecting differences between the image stored in the host and the images displayed on the remote displays
    • G06F9/45533 Hypervisors; Virtual machine monitors
    • G06F9/485 Task life-cycle, e.g. stopping, restarting, resuming execution
    • G06F9/5027 Allocation of resources, e.g. of the central processing unit [CPU] to service a request the resource being a machine, e.g. CPUs, Servers, Terminals
    • G06F9/5055 Allocation of resources, e.g. of the central processing unit [CPU] to service a request the resource being a machine, e.g. CPUs, Servers, Terminals considering software capabilities, i.e. software resources associated or available to the machine
    • G06F9/5077 Logical partitioning of resources; Management or configuration of virtualized resources
    • G06F9/5088 Techniques for rebalancing the load in a distributed system involving task migration
    • G06F9/54 Interprogram communication
    • G09G5/006 Details of the interface to the display terminal
    • H04L29/08846 Arrangements to globally emulate or virtualize the functionalities of an end device
    • H04L63/0227 Filtering policies
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/08 Network architectures or network communication protocols for network security for supporting authentication of entities communicating through a packet data network
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to network resources
    • H04L63/102 Entity profiles
    • H04L63/105 Multiple levels of security
    • H04L67/02 Network-specific arrangements or communication protocols supporting networked applications involving the use of web-based technology, e.g. hyper text transfer protocol [HTTP]
    • H04L67/08 Network-specific arrangements or communication protocols supporting networked applications adapted for terminal emulation, e.g. telnet
    • H04L67/14 Network-specific arrangements or communication protocols supporting networked applications for session management
    • H04L67/141 Network-specific arrangements or communication protocols supporting networked applications for session management provided for setup of an application session
    • H04L67/16 Service discovery or service management, e.g. service location protocol [SLP] or Web services
    • H04L67/28 Network-specific arrangements or communication protocols supporting networked applications for the provision of proxy services, e.g. intermediate processing or storage in the network
    • H04L67/2814 Network-specific arrangements or communication protocols supporting networked applications for the provision of proxy services, e.g. intermediate processing or storage in the network for data redirection
    • H04L67/2819 Enhancement of application control based on intercepted application data
    • H04L67/2842 Network-specific arrangements or communication protocols supporting networked applications for the provision of proxy services, e.g. intermediate processing or storage in the network for storing data temporarily at an intermediate stage, e.g. caching
    • H04L67/303 Terminal profiles
    • G06F2209/541 Client-server
    • G06F2221/2149 Restricted operating environment
    • G09G2354/00 Aspects of interface with display user
    • G09G2370/16 Use of wireless transmission of display information
    • G09G2370/22 Detection of presence or absence of input display information or of connection or disconnection of a corresponding information source
    • H04L63/06 Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L69/24 Negotiation of communication capabilities

Abstract

A method for making a hypermedium page interactive includes the step of selecting a hyperlink on the hypermedium page displayed on a client machine, the hyperlink identifying a desired computing resource. A hyperlink configuration file is retrieved, the hyperlink configuration file corresponding to the hyperlink and identifying a virtual machine. A client agent is started on the client machine. The client agent creates a communication link to a virtual machine executing on the server identified by the hyperlink configuration file. The client agent receives data from the virtual machine and displays, on the client machine, the received data without intervention by the network browser.

Description

    RELATED APPLICATIONS
  • The present application claims priority to U.S. Provisional Patent Application Ser. No. 60/761,674, entitled “Methods and Systems for Providing Access to a Computing Environment,” filed Jan. 24, 2006, which is incorporated herein by reference.
    FIELD OF THE INVENTION
  • The invention generally relates to providing access to computing environments. More particularly, the invention relates to methods and systems for making a hypermedium page interactive.
    BACKGROUND INFORMATION
  • Virtual machines may be used to provide users with ubiquitous access to computing resources. Unfortunately, making a connection to an executing virtual machine providing computing resources can be difficult because it may require knowledge of not only the address of the physical machine hosting the virtual machine, but also of the virtual machine address corresponding to the resource. A further complication is that virtual machines may be migrated from one physical machine to another to provide load balancing or to facilitate hardware maintenance, acquiring new addresses as they are relocated. It would be desirable to simplify access to a virtual machine.
    SUMMARY OF THE INVENTION
  • In one aspect, problems of current desktop deployment strategies are addressed. An array of inexpensive physical machines may be partitioned into multiple virtual machines, creating a virtual PC for each user. The physical machines may be servers such as rack-mount servers, blade servers, or stand-alone servers. The physical machines may also be workstations or workstation blades or personal computers. A policy-based dynamic deployment system provisions the virtual machines and associates the virtual machine with an execution machine (i.e., a physical machine) and a user. Centralized hosting provides the manageability of server-based computing while the dedicated environment provides the flexibility and compatibility with applications that a desktop PC enables. However, because the system is implemented in software, rather than being dependent on hardware, the system has a much lower total cost of ownership.
  • In another aspect, the hardware lifecycle may be extended by increasing the amount of hardware resources assigned to virtual machines as computational demands increase over time. Additionally, the use of virtualization eases the difficulty in dealing with multiple OS images.
  • In one embodiment, machines are configured to run multiple copies of one or more operating systems (e.g. different versions/releases of WINDOWS from Microsoft Corporation). Users transmit requests for access to computing resources to the deployment system, which may use a configuration policy to decide how (with what physical and/or virtual resources) and where (on which physical machine in the machine farm and on which virtual machine) to provide access to the requested computing resource. The virtual machine can be created on demand, and the requested software resource may be downloaded and installed in the virtual machine as required. Alternatively, the virtual machine may be pre-configured with a plurality of software and/or virtual hardware resources to provide a particular computing environment to the user. The user request is directed to the selected, configured virtual machine and a remote display connection is established between the virtual machine and a remote display client on the user's access device, which will be referred to generally as a “client machine.” Devices such as CD-ROM drives, floppy drives, USB drives and other similar devices that are connected to the client machine are connected and remotely accessible to the virtual machine, thereby allowing the use of these devices in a manner similar to a standard desktop computer.
  • A deployment system may manage a pool of virtual machines (a machine farm) to which new virtual machines can be added on demand. Alternatively, a plurality of software modules, including a session management component and a virtual machine management component, may provide management functionality. Executing virtual machines may be migrated from one physical machine to another, under control of the deployment system, to provide load balancing or to facilitate hardware maintenance. Inactive virtual machines may be suspended to free physical computing resources. Active virtual machines may be migrated from one physical machine to another to consolidate them onto a smaller number of physical machines, allowing the unused physical machines to be shut down to save power during off-peak periods or freeing the physical resource to be re-assigned for a different purpose, e.g., to process web requests. Suspended virtual machines may be resumed prior to users requiring access. This can be done manually or automatically via policies or preferences or through a learning process by monitoring a user's behavior over time.
  • Performance requirements of the requested resource may be considered when allocating computing resources to virtual machines. For example, a financial analysis package may require twice as many CPU resources as a generic productivity application, such as those included in MICROSOFT OFFICE, manufactured by Microsoft Corporation of Redmond, Wash. A virtual machine providing the financial analysis package may execute on a physical machine determined to have sufficient spare computational capacity, or existing virtual machines may be relocated to other available physical machines to ensure sufficient available capacity on a particular physical machine.
  • Each user is provided a separate virtual machine environment, which provides increased flexibility in that each user may run any version or configuration of an operating system independently of other users and also allows users to run potentially dangerous or destabilizing applications with little risk of affecting other users. This is particularly useful for developers/testers/information technology personnel who frequently need to re-install and modify the operating system and run potentially destabilizing applications.
  • Because sharing of computing resources and CPU scheduling occur outside of the virtual machine environment, users can run computing-resource intensive resources with no risk of affecting other users. Virtual machines also provide increased security isolation between users. Because each user is running a separate copy of the OS, there is much less chance of security breaches and virus infections crossing the boundaries between users than in the shared OS case.
  • A solution is also provided for problems that arise from a situation where, in a hardware-based system of machines, the hardware is mixed, whether due to an initial purchasing decision or due to the acquisition of different types of physical machines over time. Even if initially all of the hardware was uniform, purchasing additional hardware to replace failing modules and increasing the capacity typically leads to non-uniform hardware throughout a machine farm. Even if all hardware is purchased from the same vendor, it is likely that the hardware purchased later will use different chipsets and components, and will require different drivers. Non-uniform hardware has traditionally translated into the need to maintain multiple versions of the operating system images (which means higher costs) and limits flexibility of moving users between machines—because the operating system image may be incompatible—which also translates into higher cost. Virtual machines allow efficient use of the same operating system image even in a hardware farm that includes heterogeneous machines. The use of the same operating system image helps to significantly reduce the management cost.
  • Adding remote display capability (e.g., presentation layer protocols, such as ICA, RDP, or X11) to virtualization techniques allows virtualization to be used for interactive computing. Hosting multiple virtual machines on an execution machine allows better utilization of the available physical computing resources (e.g., space, power, processing power, processing capacity, RAM, bandwidth, etc.), thereby lowering costs. The use of virtualization also allows hardware to be updated and maintained independently of OS version and specific device drivers hosted in the operating systems or virtual machines. Additionally, virtual machines enhance system security by isolating computing environments from each other.
  • In still another aspect, a method of making a hypermedium page interactive, the hypermedium page displayed by a network browser, includes the step of selecting a hyperlink on the hypermedium page displayed on the client node, the hyperlink identifying a desired computing resource. A hyperlink configuration file is retrieved, the hyperlink configuration file corresponding to the hyperlink and identifying a server machine. A client agent is started on the client node. The client agent creates a communication link to a virtual machine executing on the server identified by the hyperlink configuration file. The client agent receives data from the virtual machine and displays on the client node the received data without intervention by the network browser.
  • In one embodiment, the network browser starts the client agent upon a successful match of an entry in the hyperlink configuration file with an identifier associated with the client agent in a registration file accessible by the network browser. In another embodiment, the client agent is registered with the network browser. In still another embodiment, a presentation protocol is employed for communication over the communication link. In yet another embodiment, the execution of the identified application on the virtual machine starts in response to the created communication link.
  • In one embodiment, a virtual machine is launched. In another embodiment, a server agent is started on the virtual machine. In still another embodiment, data received from the virtual machine is displayed in a display window on the client machine.
  • In yet another aspect, a system for making a hypermedium page interactive, the hypermedium page displayed by a network browser comprises a client machine, a network server, and a client agent. The client machine executes a browser application, said browser application displaying a hypermedium page including a hyperlink identifying a desired computing resource. The network server transmits, in response to selection of said hyperlink, a network configuration file to said client node, said network configuration file corresponding to said identified computing resource. The client agent executes on the client machine, said client agent establishing, responsive to data in said configuration file, a communications link with a virtual machine providing the computing resource. The hypervisor transmits data to the client agent for display, without intervention by the browser application.
  • In one embodiment, the client agent displays data received from the virtual machine in a display window located at said client machine. In another embodiment, the display window is located within the boundaries of the hypermedium page. In still another embodiment, the display window is located outside the boundaries of the hypermedium page.
  • In one embodiment, the hyperlink configuration file comprises a resource identifier corresponding to said hyperlink and an identifier of the virtual machine corresponding to said hyperlink.
  • BRIEF DESCRIPTION OF THE DRAWINGS
  • These and other aspects of this invention will be readily apparent from the detailed description below and the appended drawings, which are meant to illustrate and not to limit the invention, and in which:
  • FIG. 1 is a block diagram of one embodiment of an environment in which a client machine accesses a computing resource provided by a remote machine;
  • FIGS. 1A and 1B are block diagrams depicting embodiments of typical computers useful in embodiments with remote machines or client machines;
  • FIG. 2A is a block diagram of a system for providing access to a resource;
  • FIG. 2B is a block diagram of one embodiment of a system in which a client machine can initiate execution of an application program for determining the resource neighborhood of that client machine;
  • FIG. 2C is a block diagram of an embodiment in which a client machine uses a web browser application to determine its resource neighborhood;
  • FIGS. 3A, 3B, and 3C are block diagrams of embodiments of systems of communication among a client machine and multiple remote machines;
  • FIG. 3D is a block diagram of one embodiment of a system in which a client machine can access a resource from a resource neighborhood web page displayed at that client machine;
  • FIG. 3E is a block diagram of one embodiment of a system in which a remote machine acts as an intermediary for a machine farm;
  • FIG. 4 is a block diagram of one embodiment of a resource neighborhood application in which a client machine is in communication with one of the remote machines;
  • FIG. 5 is a block diagram of a computing embodiment in which a client machine is in communication with a remote machine having an installed resource neighborhood application program of the invention;
  • FIG. 6A is a screen shot of an embodiment of a display of a client machine after a resource neighborhood application program is executed;
  • FIG. 6B is a screen shot of another embodiment of a display screen of a client machine after the resource neighborhood application program is executed;
  • FIG. 7A is a block diagram of an embodiment of a network providing policy-based access to application programs for a machine;
  • FIG. 7B is a block diagram depicting a more detailed embodiment of a policy engine;
  • FIG. 8 is a flowchart depicting one embodiment of a process for providing access to a resource;
  • FIG. 9 is a flow diagram depicting one embodiment of a process for electing a management node;
  • FIG. 10 is a flow diagram depicting one embodiment of a process to update information collected by the management node;
  • FIG. 11 is a block diagram depicting an embodiment of a machine farm including first and second network management processes;
  • FIG. 12 is a block diagram depicting one embodiment of a virtual machine management component;
  • FIG. 13 is a block diagram depicting one embodiment of a session management component;
  • FIG. 14 is a block diagram depicting one embodiment of a system in which a drive associated with the client machine 10 is made available to a computing environment;
  • FIG. 15A is a block diagram depicting one embodiment of a client machine supporting multiple client machine display devices;
  • FIG. 15B is a block diagram depicting one embodiment of a system for supporting multiple client machine display devices;
  • FIG. 15C is a block diagram depicting one embodiment of a session login mechanism providing support for multiple client machine display devices;
  • FIG. 16A is a flow diagram depicting one embodiment of the steps to be taken to provide a desired display layout to a client machine having multiple display devices;
  • FIG. 16B is a flow diagram depicting one embodiment of a process to modify a window message;
  • FIG. 16C is a flow diagram depicting one embodiment of the steps taken to associate a display layout with a client machine;
  • FIG. 16D is a flow diagram depicting one embodiment of the steps taken to change a desired display layout for a client machine;
  • FIG. 17 is a block diagram depicting one embodiment of a system in which a remote machine authenticates the user of a client machine;
  • FIG. 18 is a flow diagram depicting one embodiment of the steps taken to access a plurality of files comprising an application program;
  • FIG. 19 is a block diagram depicting one embodiment of a client machine 10 including an application streaming client, a streaming service and an isolation environment;
  • FIG. 20 is a flow diagram depicting one embodiment of steps taken by a client machine to execute an application;
  • FIG. 21 is a block diagram depicting one embodiment of a plurality of application files;
  • FIG. 22A is a flow diagram depicting one embodiment of the steps taken to enable transparent distributed program execution on a remote machine through the selection of graphical indicia representative of a data file located on the client machine;
  • FIG. 22B is a flow diagram depicting one embodiment of the steps taken by a remote machine to enable transparent distributed program execution on a remote machine through the selection of graphical indicia representative of a data file located on the client machine;
  • FIG. 23 is a flow diagram depicting another embodiment of the steps taken to enable transparent distributed program execution on a client machine through the selection of graphical indicia representative of a data file located on a remote machine;
  • FIG. 24 is a flow diagram depicting one embodiment of the steps taken to negotiate the protocol for a connection between a client machine and a remote machine;
  • FIG. 25 is a block diagram depicting an embodiment of a remote machine and a client machine establishing a protocol stack for communication;
  • FIG. 26 is a block diagram depicting one embodiment of a client machine architecture;
  • FIG. 27 is a block diagram depicting one embodiment of communication between a client machine and a machine farm;
  • FIG. 28 is a block diagram depicting one embodiment of a client machine architecture;
  • FIG. 29 is a flow diagram depicting one embodiment of the steps taken to display application output in a web page;
  • FIG. 30 is a flow diagram depicting one embodiment of the steps taken to link to a virtual machine identified by a hyperlink configuration file;
  • FIG. 31 is a block diagram depicting an embodiment of a system architecture in which a multiplexer is used to transmit data to more than one client machine;
  • FIG. 32 is a block diagram depicting another embodiment of a system architecture in which a multiplexer is used to transmit data to more than one client machine;
  • FIG. 33 is a block diagram depicting one embodiment of an architecture for displaying application output in a web page;
  • FIG. 34 is a block diagram depicting another embodiment of an architecture for displaying application output in a web page;
  • FIG. 35 is a block diagram depicting another embodiment of an architecture for displaying application output in a web page;
  • FIG. 36 is a block diagram depicting another embodiment of an architecture for displaying application output in a web page;
  • FIG. 37 is a block diagram depicting one embodiment of a client machine receiving window attribute data via a virtual channel;
  • FIG. 38 is a block diagram depicting a client machine connected to more than one remote machine;
  • FIG. 39 is a flow diagram depicting one embodiment of the steps taken to detect and transmit server-initiated display changes;
  • FIG. 40 is a flow diagram depicting one embodiment of the steps taken to detect and transmit client-initiated display changes;
  • FIG. 41 is a flow diagram depicting one embodiment for enabling transmission of seamless windows between a client machine and a remote machine;
  • FIG. 42 is a block diagram depicting one embodiment of an agent;
  • FIG. 43 is a block diagram depicting one embodiment of a system for enabling seamless windowing mode between a client machine and remote computing environments;
  • FIG. 44 is a flow diagram depicting one embodiment of the steps taken in a method of receiving window attribute data and graphical data associated with remote windows from virtualized operating systems and from native operating systems;
  • FIG. 45 is a block diagram of a system for providing a client with a reliable connection to a host service according to an embodiment of the invention;
  • FIG. 46 is a block diagram of a system for providing a client with a reliable connection to a host service according to another embodiment of the invention;
  • FIG. 47 depicts communications occurring over a network according to an embodiment of the invention;
  • FIG. 48 depicts communications occurring over a network according to another embodiment of the invention;
  • FIG. 49 depicts a process for encapsulating a plurality of secondary protocols within a first protocol for communication over a network according to an embodiment of the invention;
  • FIG. 50 is a block diagram of an embodiment of a computer system to maintain authentication credentials in accordance with the invention;
  • FIG. 51 is a flow diagram of the steps followed in an embodiment of the computer system of FIG. 5 to maintain authentication credentials during a first communication session in accordance with the invention;
  • FIG. 52 is a flow diagram of the steps followed in an embodiment of the computer system of FIG. 50 to maintain authentication credentials during a second communication session following the termination of the first communication session of FIG. 53A in accordance with the invention;
  • FIG. 53 is a block diagram of an embodiment of a computer system to maintain authentication credentials in accordance with another embodiment of the invention;
  • FIG. 54 is a flow diagram of the steps followed in an embodiment of the computer system of FIG. 53 to maintain authentication credentials during a first communication session in accordance with the invention;
  • FIG. 55 is a flow diagram of the steps followed in an embodiment of the computer system of FIG. 53 to maintain authentication credentials during a second communication session following the termination of the first communication session of FIG. 53 in accordance with the invention;
  • FIG. 56 is a flow diagram of the steps followed in an embodiment of the computer system of FIG. 53 to maintain authentication credentials during a second communication session following the termination of a second communication channel of the first communication session of FIG. 53 in accordance with the invention;
  • FIG. 57 is a block diagram of a system to maintain authentication credentials and provide a client with a reliable connection to a host service according to an embodiment of the invention;
  • FIG. 58 is a block diagram of a system to maintain authentication credentials and provide a client with a reliable connection to a host service according to another embodiment of the invention;
  • FIG. 59 is a block diagram of a system to maintain authentication credentials and provide a client with a reliable connection to a host service according to another embodiment of the invention;
  • FIG. 60 is a block diagram of a system to maintain authentication credentials and provide a client with a reliable connection to a host service according to another embodiment of the invention;
  • FIG. 61 is a block diagram of a system for providing a client with a reliable connection to a host service and further including components for reconnecting the client to a host service according to an embodiment of the invention;
  • FIG. 62 is a block diagram of an embodiment of a system for providing a client with a reliable connection to a host service and further including components for reconnecting the client to a host service;
  • FIG. 63 is a block diagram of an embodiment of FIG. 61 further including components for initially connecting the client to a host service;
  • FIG. 64 is a block diagram of the system of FIG. 62 further including components for initially connecting the client to a host service and to maintain authentication credential according to an embodiment of the invention;
  • FIG. 65 is a flow diagram of a method for network communications according to an embodiment of the invention;
  • FIG. 66 is a flow diagram of a method for reconnecting the client to the host services;
  • FIGS. 67-69 are flow diagrams of a method for connecting a client to a plurality of host services according to an embodiment of the invention;
  • FIG. 70 is a flow diagram of a method for providing a client with a reliable connection to host services and for reconnecting the client to the host services according to an embodiment of the invention;
  • FIGS. 71-72 are flow diagrams of a method for reconnecting a client to host services according to an embodiment of the invention;
  • FIG. 73 is a conceptual block diagram of an embodiment of client software and server software;
  • FIG. 74 is a flow chart of an embodiment of a method for monitoring network performance;
  • FIG. 75 is a flow chart of an embodiment of a method of operation of the server software;
  • FIG. 76 is a flow chart of an embodiment of a method of generating sub-metrics by the client;
  • FIG. 77 is a flow chart of an embodiment of a method of generating sub-metrics by the client;
  • FIG. 78 is a flow chart of an embodiment of a method of generating sub-metrics by the server;
  • FIG. 79 is a schematic diagram depicting a networked client-server computing system;
  • FIG. 80 is a flow chart depicting a method for connecting a client machine to disconnected application sessions;
  • FIG. 81 is a flow chart depicting one embodiment of a method for connecting the client machine to active application sessions;
  • FIG. 82 is a schematic diagram depicting one embodiment of a client machine in communication with several remote machines;
  • FIG. 83 is a flow diagram depicting one embodiment of steps taken in a method to connect a user of a client machine to a computing environment;
  • FIG. 84 is a flow diagram depicting an embodiment of steps taken in a method to connect a user of a client machine to a computing environment in response to selection of a graphical user interface element;
  • FIG. 85 is a block diagram depicting one embodiment of a remote machine able to connect the client machine to an application session;
  • FIG. 86 is a block diagram of an embodiment of a system for connecting a client machine to an application session responsive to application of a policy;
  • FIG. 87 is a flow diagram depicting the steps taken in one method to connect a client machine to an application session responsive to application of a policy;
  • FIG. 88 is a block diagram depicting one embodiment of a system for providing, by a virtual machine, access to a computing environment;
  • FIG. 89A is a block diagram depicting one embodiment of a storage device and a computing device;
  • FIG. 89B is a flow diagram depicting one embodiment of the steps taken in a method for providing access to a computing environment on a computing device via a storage device;
  • FIG. 90A is a block diagram depicting one embodiment of a mobile computing device;
  • FIG. 90B is a flow diagram depicting one embodiment of the steps taken in a method for providing a portable computing environment by a mobile computing device;
  • FIG. 91A is a block diagram of one embodiment of a mobile computing device and a computing device;
  • FIG. 91B is a flow diagram depicting one embodiment of the steps taken in a method for providing access to a computing environment on a computing device via a mobile computing device;
  • FIG. 92A is a block diagram depicting one embodiment of a mobile computing device and a computing device comprising a computing environment selector;
  • FIG. 92B is a flow diagram depicting an embodiment of the steps taken in a method for establishing a computing environment on a computing device via a mobile computing device;
  • FIG. 93A is a block diagram depicting one embodiment of a mobile computing device connecting to a docking station;
  • FIG. 93B is a block diagram depicting one embodiment of a docking station connecting a mobile computing device and a computing device;
  • FIG. 93C is a block diagram depicting one embodiment of a mobile computing device and computing device having a docking mechanism;
  • FIG. 93D is a flow diagram depicting one embodiment of the steps taken in a method of providing to a mobile computing device one or more hardware resources;
  • FIG. 94A is a block diagram depicting one embodiment of a mobile computing device having a plurality of processors;
  • FIG. 94B is a flow diagram depicting one embodiment of the steps taken in a method for switching, by a mobile computing device, between use of multiple processors;
  • FIG. 95 is a block diagram depicting one embodiment of a system for providing to a first client agent, via a second client agent on a first remote machine, output data generated by a resource executing in a virtual machine provided by a second remote machine;
  • FIG. 96 is a block diagram depicting an embodiment of a system for providing to a first client agent, via a second client agent on a first remote machine, output data generated by a resource executing in a virtual machine provided by a second remote machine; and
  • FIG. 97 is a block diagram depicting one embodiment of a system for identifying, by a coordinator machine, a worker machine providing, via a virtual machine, access to a computing environment.
  • DETAILED DESCRIPTION OF THE INVENTION
  • Referring now to FIG. 1, a block diagram of one embodiment of an environment in which a client machine 10, 10′ accesses a computing resource provided by a remote machine 30, 30′, 30″, 30′″ is shown.
  • A remote machine 30 such as remote machine 30, 30′, 30″, or 30′″ (hereafter referred to generally as remote machine 30) accepts connections from a user of a client machine 10. Although only two client machines 10 and only four remote machines 30 are depicted in the embodiment shown in FIG. 1, it should be understood that the system may provide multiple ones of any or each of those components. For example, in one embodiment, the system may include multiple, logically-grouped remote machines 30, one or more of which is available to provide a client machine 10, 10′ access to computing resources. In these embodiments, the logical group of remote machines may be referred to as a “server farm” or “machine farm,” indicated in FIG. 1A as machine farm 38. In some of these embodiments, the remote machines 30 may be geographically dispersed. Thus, the group of remote machines 30 logically grouped as a machine farm 38 may be interconnected using a wide-area network (WAN) connection, metropolitan-area network (MAN) connection, a local-area network (LAN), a storage-area network (SAN), or a public network such as the Internet. For example, a machine farm 38 may include remote machines 30 physically located in geographically diverse locations around the world, including different continents, regions of a continent, countries, regions of a country, states, regions of a state, cities, regions of a city, campuses, regions of a campus, or rooms. Data transmission speeds between remote machines 30 in the machine farm 38 can be increased if the remote machines 30 are connected using a local-area network (LAN) connection or some form of direct connection. A machine farm 38 may be administered as a single entity.
  • A centralized service may provide management for machine farm 38. In some embodiments, one or more remote machines 30 elect a particular remote machine 30 to provide management functionality for the farm. The elected remote machine 30 may be referred to as a management server, management node, or management process. The management node 30 may gather and store information about a plurality of remote machines 30, respond to requests for access to resources hosted by remote machines 30, and enable the establishment of connections between client machines 10 and remote machines 30. In other embodiments, an administrator designates one or more remote machines 30 to provide management functionality for machine farm 38.
  • Alternatively, management of the machine farm 38 may be de-centralized. In some embodiments, one or more remote machines 30 comprise components, subsystems and modules to support one or more management services for the machine farm 38. In one of these embodiments, one or more remote machines 30 provide functionality for management of dynamic data, including techniques for handling failover, data replication, and increasing the robustness of the machine farm 38. In another of these embodiments, one or more remote machines 30 include communications capabilities to enable the one or more remote machines 30 to interact with one another to share responsibility for management tasks. Each remote machine 30 may communicate with a persistent store and, in some embodiments, with a dynamic store.
  • Persistent store may be physically implemented on a disk, disk farm, a redundant array of independent disks (RAID), writeable compact disc, or any other device that allows data to be read and written and that maintains written data if power is removed from the storage device. A single physical device may provide storage for a plurality of persistent stores, i.e., a single physical device may be used to provide the persistent store for more than one machine farm 38. The persistent store maintains static data associated with each remote machine 30 in machine farm 38 and global data used by all remote machines 30 within the machine farm 38. In one embodiment, the persistent store may maintain the server data in a Lightweight Directory Access Protocol (LDAP) data model. In other embodiments, the persistent store stores server data in an ODBC-compliant database. For the purposes of this description, the term “static data” refers to data that do not change frequently, i.e., data that change only on an hourly, daily, or weekly basis, or data that never change.
  • The data stored by the persistent store may be replicated for reliability purposes physically or logically. For example, physical redundancy may be provided using a set of redundant, mirrored disks, each providing a copy of the data. In other embodiments, the database itself may be replicated using standard database techniques to provide multiple copies of the database. In further embodiments, both physical and logical replication may be used concurrently.
  • As described above, the remote machines 30 store “static” data, i.e., data that persist across client sessions, in the persistent store. Writing to the persistent store can take relatively long periods of time. To minimize accesses to the persistent store, the remote machines 30 may develop a logical, common database (i.e., the dynamic store) that is accessible by all of the remote machines 30 in the machine farm 38 for accessing and storing some types of data. The dynamic store may be physically implemented in the local memory of a single or multiple remote machines 30 in the machine farm 38. The local memory can be random access memory, disk, disk farm, a redundant array of independent disks (RAID), or any other memory device that allows data to be read and written.
  • In general, data stored in the dynamic store are data that are typically queried or changed frequently during runtime. Examples of such data (hereafter referred to as runtime data) are the current workload level for each of the remote machines 30 in the machine farm 38, the status of the remote machines 30 in the machine farm 38, client session data, the number of virtual machines supported by a remote machine 30, the identity of the operating systems supported by a remote machine 30, and licensing information.
  • In one embodiment, the dynamic store comprises one or more tables, each of which stores records of attribute-value pairs. Any number of tables may exist, but each table stores records of only one type. Tables are, in some embodiments, identified by name. Thus, in this embodiment, two remote machines 30 that use the same name to open a table refer to the same logical table.
  • The dynamic store (i.e., the collection of all record tables) can be embodied in various ways. In one embodiment, the dynamic store is centralized; that is, all runtime data are stored in the memory of one remote machine 30 in the machine farm 38. That server operates in a manner similar to the management node described above, that is, all other remote machines 30 in the machine farm 38 communicate with the server acting as the centralized data store when seeking access to that runtime data. In another embodiment, each remote machine 30 in the machine farm 38 keeps a full copy of the dynamic store. Here, each remote machine 30 communicates with every other remote machine 30 to keep its copy of the dynamic store up to date.
  • In another embodiment, each remote machine 30 maintains its own runtime data and communicates with every other remote machine 30 when seeking to obtain runtime data from them. Thus, for example, a remote machine 30 attempting to find an application program requested by the client machine 10 may communicate directly with every other remote machine 30 in the machine farm 38 to find one or more servers hosting the requested application.
  • For machine farms 38 having a large number of remote machines 30, the network traffic produced by these embodiments can become heavy. One embodiment alleviates heavy network traffic by designating a subset of the remote machines 30 in a machine farm 38, typically two or more, as “collector points.” Generally, a collector point is a server that collects run-time data. Each collector point stores runtime data collected from certain other remote machines 30 in the machine farm 38. Each remote machine 30 in the machine farm 38 is capable of operating as, and consequently is capable of being designated as, a collector point. In one embodiment, each collector point stores a copy of the entire dynamic store. In another embodiment, each collector point stores a portion of the dynamic store, i.e., it maintains runtime data of a particular data type. The type of data stored by a remote machine 30 may be predetermined according to one or more criteria. For example, remote machines 30 may store different types of data based on their boot order. Alternatively, the type of data stored by a remote machine 30 may be configured by an administrator using administration tool 140. In these embodiments, the dynamic store is distributed among two or more remote machines 30 in the machine farm 38.
  • Remote machines 30 not designated as collector points know the remote machines 30 in a machine farm 38 that are designated as collector points. A remote machine 30 not designated as a collector point communicates with a particular collector point when delivering and requesting runtime data. Consequently, collector points lighten network traffic because each remote machine 30 in the machine farm 38 communicates with a single collector point remote machine 30, rather than with every other remote machine 30, when seeking to access the runtime data.
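The traffic trade-off between the per-machine query embodiment and the collector-point embodiment described above can be modelled in a few lines. This is an added example, not code from the patent: the machine names, the sample records and the cost of one message per request or reply are constructed assumptions.

```python
"""Model of a dynamic store: per-machine queries versus collector points."""
from collections import defaultdict

# Constructed sample runtime data (not from the patent).
HOSTED = {"rm1": "word", "rm2": "excel", "rm3": "word",
          "rm4": "cad", "rm5": "excel", "rm6": "word"}
LOAD = {"rm1": 10, "rm2": 35, "rm3": 80, "rm4": 5, "rm5": 60, "rm6": 20}


class RemoteMachine:
    def __init__(self, name):
        self.name = name
        # Named tables; each table holds attribute-value records of one type.
        self.tables = defaultdict(list)

    def put(self, table, record):
        self.tables[table].append(dict(record))

    def query(self, table, **match):
        return [r for r in self.tables[table]
                if all(r.get(k) == v for k, v in match.items())]


class Farm:
    def __init__(self, names):
        self.machines = {n: RemoteMachine(n) for n in names}
        self.collector_for = {}  # table name -> collector point machine
        self.messages = 0        # machine-to-machine messages (assumed cost unit)

    def designate_collector(self, table, machine_name):
        self.collector_for[table] = machine_name

    def publish(self, source, table, record):
        """Store runtime data locally and deliver it to the table's collector point."""
        rec = dict(record, machine=source)
        self.machines[source].put(table, rec)
        collector = self.collector_for.get(table)
        if collector and collector != source:
            self.messages += 1
            self.machines[collector].put(table, rec)

    def lookup(self, asker, table, **match):
        """Ask the collector point if one exists, otherwise every other machine."""
        collector = self.collector_for.get(table)
        if collector is not None:
            if collector != asker:
                self.messages += 2  # one request, one reply
            return self.machines[collector].query(table, **match)
        # No collector point for this data type: query each machine directly.
        results = self.machines[asker].query(table, **match)
        for name, machine in self.machines.items():
            if name != asker:
                self.messages += 2
                results += machine.query(table, **match)
        return results


def build_farm(collectors):
    """Create the sample farm; collectors maps table name -> machine name."""
    farm = Farm(HOSTED)
    for table, machine in collectors.items():
        farm.designate_collector(table, machine)
    for name, app in HOSTED.items():
        farm.publish(name, "applications", {"application": app})
        farm.publish(name, "workload", {"load": LOAD[name]})
    return farm


def hosts(records):
    return sorted(r["machine"] for r in records)


def compare(lookups):
    """Total messages for the same lookups under both embodiments (lookups >= 1)."""
    if lookups < 1:
        raise ValueError("lookups must be at least 1")
    mesh = build_farm({})
    hub = build_farm({"applications": "rm1", "workload": "rm2"})
    for _ in range(lookups):
        a = hosts(mesh.lookup("rm4", "applications", application="word"))
        b = hosts(hub.lookup("rm4", "applications", application="word"))
        if a != b:
            raise RuntimeError("embodiments disagree on the answer")
    return {"hosts": a,
            "broadcast_messages": mesh.messages,
            "collector_messages": hub.messages}


if __name__ == "__main__":
    for n in (1, 5):
        print(n, compare(n))
```

In this model the collector points cost messages when runtime data is delivered, so they only pay off once lookups outnumber updates; a table with no designated collector point falls back to querying every machine.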
  • The machine farm 38 can be heterogeneous, that is, one or more of the remote machines 30 can operate according to one type of operating system platform (e.g., WINDOWS NT, manufactured by Microsoft Corp. of Redmond, Wash.), while one or more of the other remote machines 30 can operate according to another type of operating system platform (e.g., Unix or Linux). Additionally, a heterogeneous machine farm 38 may include one or more remote machines 30 operating according to a type of operating system, while one or more other remote machines 30 execute one or more types of hypervisors rather than operating systems. In these embodiments, hypervisors may be used to emulate virtual hardware, partition physical hardware, virtualize physical hardware, and execute virtual machines that provide access to computing environments. Hypervisors may include those manufactured by VMWare, Inc., of Palo Alto, Calif.; the Xen hypervisor, an open source product whose development is overseen by XenSource, Inc., of Palo Alto; the VirtualServer or virtual PC hypervisors provided by Microsoft or others.
  • In some embodiments, a hypervisor executes on a machine executing an operating system. In one of these embodiments, a machine executing an operating system and a hypervisor may be said to have a host operating system (the operating system executing on the machine), and a guest operating system (an operating system executing within a computing resource partition provided by the hypervisor). In other embodiments, a hypervisor interacts directly with hardware on a machine, instead of executing on a host operating system. In one of these embodiments, the hypervisor may be said to be executing on “bare metal,” referring to the hardware comprising the machine.
  • Remote machines 30 may be servers, file servers, application servers, appliances, network appliances, gateways, application gateways, gateway servers, virtualization servers, deployment servers, or firewalls. The remote machine 30 may be an SSL VPN server. The remote machine 30 may be an application acceleration appliance. For embodiments in which the remote machine 30 is an application acceleration appliance, the remote machine 30 may provide functionality including firewall functionality, application firewall functionality, or load balancing functionality. In some embodiments, the remote machine 30 comprises an appliance such as one of the line of appliances manufactured by the Citrix Application Networking Group, of San Jose, Calif., or Silver Peak Systems, Inc., of Mountain View, Calif., or of Riverbed Technology, Inc., of San Francisco, Calif., or of F5 Networks, Inc., of Seattle, Wash., or of Juniper Networks, Inc., of Sunnyvale, Calif.
  • In some embodiments, a remote machine 30 comprises a remote authentication dial-in user service, referred to as a RADIUS server. In other embodiments, remote machines 30 may have the capacity to function as a master network information node monitoring resource usage of other machines in the farm 38. In still other embodiments, a remote machine 30 may provide an Active Directory. Remote machines 30 may be referred to as execution machines, intermediate machines, broker machines, intermediate broker machines, or worker machines.
  • In one embodiment, remote machines 30 in the machine farm 38 may be stored in high-density racking systems, along with associated storage systems, and located in an enterprise data center. In this embodiment, consolidating the machines in this way may improve system manageability, data security, the physical security of the system, and system performance by locating machines and high performance storage systems on localized high performance networks. Centralizing the machines and storage systems and coupling them with advanced system management tools allows more efficient use of machine resources.
  • The client machines 10 may also be referred to as endpoints, client nodes, clients, or local machines. In some embodiments, the client machines 10 have the capacity to function as both client machines seeking access to resources and as remote machines 30 providing access to remotely hosted resources for other client machines 10. In some embodiments, remote machines 30 may request access to remotely-hosted resources. In one of these embodiments, the remote machines 30 may be referred to as client machines 10.
  • In one embodiment, the client machine 10 communicates directly with one of the remote machines 30 in a machine farm 38. In another embodiment, the client machine 10 executes an application to communicate with the remote machine 30 in a machine farm 38. In yet another embodiment, the client machine 10 communicates with one of the remote machines 30 via a gateway, such as an application gateway. In some embodiments, the client machine 10 communicates with the remote machine 30 in the machine farm 38 over a communications link 150. Over the communications link 150, the client machine 10 can, for example, request access to or execution of various resources provided by remote machines 30, such as applications, computing environments, virtual machines, or hypervisors hosted by or executing on the remote machines 30, 30′, 30″, and 30′″ in the machine farm 38. The client machine 10, 10′ receives for display output of the results of execution of the resource or output of interaction between the client machine 10 and the applications or computing environments provided by the remote machines 30. In another of these embodiments, over the communications link 150, the client machine 10 can receive the output of applications executing in one or more virtual machines on a remote machine 30, 30′, 30″, and 30′″ in the machine farm 38.
  • The communications link 150 may be synchronous or asynchronous and may be a LAN connection, MAN connection, or a WAN connection. Additionally, communications link 150 may be a wireless link, such as an infrared channel or satellite band. The communications link 150 may use a transport layer protocol such as TCP/IP or any application layer protocol, such as the Hypertext Transfer Protocol (HTTP), Extensible Markup Language (XML), Independent Computing Architecture Protocol (ICA) manufactured by Citrix Systems, Inc. of Ft. Lauderdale, Fla., or the Remote Desktop Protocol manufactured by the Microsoft Corporation of Redmond, Wash. In one embodiment, the communications link 150 uses a Wi-Fi protocol. In still another embodiment, the communications link 150 uses a mobile internet protocol.
  • The communications link 150 may provide communications functionality through a variety of connections including standard telephone lines, LAN or WAN links (e.g., T1, T3, 56 kb, X.25, SNA, DECNET), broadband connections (ISDN, Frame Relay, ATM, Gigabit Ethernet, Ethernet-over-SONET), and wireless connections or any combination thereof. Connections can be established using a variety of communication protocols (e.g., TCP/IP, IPX, SPX, NetBIOS, Ethernet, ARCNET, SONET, SDH, Fiber Distributed Data Interface (FDDI), RS232, IEEE 802.11, IEEE 802.11a, IEEE 802.11b, IEEE 802.11g, CDMA, GSM, WiMax and direct asynchronous connections). In one embodiment, the remote machine 30 and the client machine 10 communicate via any type and/or form of gateway or tunneling protocol such as Secure Socket Layer (SSL) or Transport Layer Security (TLS), or the Citrix Gateway Protocol manufactured by Citrix Systems, Inc. of Ft. Lauderdale, Fla. The computer system 100 may include a network interface comprising a built-in network adapter, network interface card, PCMCIA network card, card bus network adapter, wireless network adapter, USB network adapter, modem or any other device suitable for interfacing the computer system 100 to any type of network capable of communication and performing the operations described herein.
  • The computer system 100 may support installation devices, such as a floppy disk drive for receiving floppy disks such as 3.5-inch, 5.25-inch disks or ZIP disks, a CD-ROM drive, a CD-R/RW drive, a DVD-ROM drive, network interface card, tape drives of various formats, USB device, hard-drive or any other device suitable for installing software, programs, data or files, such as any software, or portion thereof.
  • The computer system 100 may also include a storage device of any type and form for storing an operating system and other related software, and for storing application software programs. In one embodiment, the storage device includes one or more hard disk drives or redundant arrays of independent disks. In other embodiments, the storage device comprises any type and form of portable storage medium or device, such as a compact flash card, a micro hard drive or pocket drive, embedded flash storage, or USB storage drive. Portable storage devices may be generally referred to by a variety of names, including but not limited to, finger drive, flash disk, flash drive, flash memory drive, jump drive, jump stick, keychain drive, keydrive, memory key, mobile drive, pen drive, thumb drive, thumb key, vault drive, USB drive, or USB stick. Optionally, any of the installation devices or mediums could also provide a storage medium or device.
  • In some embodiments, the client machine 10 includes a client agent which may be, for example, implemented as a software program and/or as a hardware device, such as, for example, an ASIC or an FPGA. An example of a client agent with a user interface is a Web Browser (e.g., INTERNET EXPLORER, manufactured by Microsoft Corp. of Redmond, Wash., or SAFARI, manufactured by Apple Computer of Cupertino, Calif.). The client agent can use any type of protocol, such as a remote display protocol, and it can be, for example, an HTTP client agent, an FTP client agent, an Oscar client agent, a Telnet client agent, an Independent Computing Architecture (ICA) client agent manufactured by Citrix Systems, Inc. of Fort Lauderdale, Fla., or a Remote Desktop Protocol (RDP) client agent manufactured by Microsoft Corporation of Redmond, Wash. In some embodiments, the client agent is configured to connect to the remote machine 30. In other embodiments (not shown), the client machine 10 includes a plurality of client agents, each of which may communicate with a remote machine 30, respectively.
  • In many embodiments, the remote machines 30, and the client machines 10, are provided as computers or computer servers, of the sort manufactured by Apple Computer, Inc., of Cupertino, Calif., International Business Machines of White Plains, N.Y., Hewlett-Packard Corporation of Palo Alto, Calif. or the Dell Corporation of Round Rock, Tex. In some embodiments, the remote machines 30 may be blade servers, servers, workstation blades or personal computers executing hypervisors emulating hardware required for virtual machines providing access to computing environments. In these embodiments, a single physical machine may provide multiple computing environments.
  • FIGS. 1A and 1B depict block diagrams of typical computer architectures useful in those embodiments as the remote machine 30, or the client machine 10. As shown in FIGS. 1A and 1B, each computer 100 includes a central processing unit 102, and a main memory unit 104. Each computer 100 may also include other optional elements, such as one or more input/output devices 130a-130n (generally referred to using reference numeral 130), and a cache memory 140 in communication with the central processing unit 102.
  • The central processing unit 102 is any logic circuitry that responds to and processes instructions fetched from the main memory unit 104. In many embodiments, the central processing unit is provided by a microprocessor unit, such as those manufactured by Intel Corporation of Mountain View, Calif.; those manufactured by Motorola Corporation of Schaumburg, Ill.; those manufactured by International Business Machines of White Plains, N.Y.; or those manufactured by Advanced Micro Devices of Sunnyvale, Calif.
  • Main memory unit 104 may be one or more memory chips capable of storing data and allowing any storage location to be directly accessed by the microprocessor 102, such as Static random access memory (SRAM), Burst SRAM or SynchBurst SRAM (BSRAM), Dynamic random access memory (DRAM), Fast Page Mode DRAM (FPM DRAM), Enhanced DRAM (EDRAM), Extended Data Output RAM (EDO RAM), Extended Data Output DRAM (EDO DRAM), Burst Extended Data Output DRAM (BEDO DRAM), Enhanced DRAM (EDRAM), synchronous DRAM (SDRAM), JEDEC SRAM, PC100 SDRAM, Double Data Rate SDRAM (DDR SDRAM), Enhanced SDRAM (ESDRAM), SyncLink DRAM (SLDRAM), Direct Rambus DRAM (DRDRAM), or Ferroelectric RAM (FRAM).
  • In the embodiment shown in FIG. 1A, the processor 102 communicates with main memory 104 via a system bus 120 (described in more detail below). FIG. 1B depicts an embodiment of a computer system 100 in which the processor communicates directly with main memory 104 via a memory port. For example, in FIG. 1B, the main memory 104 may be DRDRAM.
  • FIG. 1A and FIG. 1B depict embodiments in which the main processor 102 communicates directly with cache memory 140 via a secondary bus, sometimes referred to as a “backside” bus. In other embodiments, the main processor 102 communicates with cache memory 140 using the system bus 120. Cache memory 140 typically has a faster response time than main memory 104 and is typically provided by SRAM, BSRAM, or EDRAM.
  • In the embodiment shown in FIG. 1A, the processor 102 communicates with various I/O devices 130 via a local system bus 120. Various buses may be used to connect the central processing unit 102 to the I/O devices 130, including a VESA VL bus, an ISA bus, an EISA bus, a MicroChannel Architecture (MCA) bus, a PCI bus, a PCI-X bus, a PCI-Express bus, or a NuBus. For embodiments in which the I/O device is a video display, the processor 102 may use an Advanced Graphics Port (AGP) to communicate with the display. FIG. 1B depicts an embodiment of a computer system 100 in which the main processor 102 communicates directly with I/O device 130b via HyperTransport, Rapid I/O, or InfiniBand. FIG. 1B also depicts an embodiment in which local busses and direct communication are mixed: the processor 102 communicates with I/O device 130a using a local interconnect bus while communicating with I/O device 130b directly.
  • A wide variety of I/O devices 130 may be present in the computer system 100. Input devices include keyboards, mice, trackpads, trackballs, microphones, and drawing tablets. Output devices include video displays, speakers, inkjet printers, laser printers, and dye-sublimation printers. An I/O device may also provide mass storage for the computer system 100 such as a hard disk drive, a floppy disk drive for receiving floppy disks such as 3.5-inch, 5.25-inch disks or ZIP disks, a CD-ROM drive, a CD-R/RW drive, a DVD-ROM drive, DVD-RW drive, DVD+RW drive, tape drives of various formats, and USB storage devices such as the USB Flash Drive line of devices manufactured by Twintech Industry, Inc. of Los Alamitos, Calif., and the iPod Shuffle line of devices manufactured by Apple Computer, Inc., of Cupertino, Calif.
  • In some embodiments, the client machine 10 may comprise or be connected to multiple display devices, which each may be of the same or different type and/or form. As such, any of the I/O devices 130a-130n may comprise a display device or any type and/or form of suitable hardware, software, or combination of hardware and software to support, enable or provide for the connection and use of multiple display devices by the client machine 10. For example, the client machine 10 may include any type and/or form of video adapter, video card, driver, and/or library to interface, communicate, connect or otherwise use the display devices. In one embodiment, a video adapter may comprise multiple connectors to interface to multiple display devices. In other embodiments, the client machine 10 may include multiple video adapters, with each video adapter connected to one or more of the display devices. In some embodiments, any portion of the operating system of the client machine 10 may be configured for using multiple displays. In other embodiments, one or more of the display devices may be provided by one or more other computing devices, such as remote machine 30 connected to the client machine 10, for example, via a network. These embodiments may include any type of software designed and constructed to use another computer's display device as a second display device for the client machine 10. One ordinarily skilled in the art will recognize and appreciate the various ways and embodiments that a client machine 10 may be configured to have multiple display devices.
  • In further embodiments, an I/O device 130 may be a bridge between the system bus 120 and an external communication bus, such as a USB bus, an Apple Desktop Bus, an RS-232 serial connection, a SCSI bus, a FireWire bus, a FireWire 800 bus, an Ethernet bus, an AppleTalk bus, a Gigabit Ethernet bus, an Asynchronous Transfer Mode bus, a HIPPI bus, a Super HIPPI bus, a SerialPlus bus, a SCI/LAMP bus, a FibreChannel bus, or a Serial Attached small computer system interface bus.
  • General-purpose computers of the sort depicted in FIG. 1A and FIG. 1B typically operate under the control of operating systems which control scheduling of tasks and access to system resources. In some embodiments, the computers operate under control of hypervisors, which represent virtualized views of physical hardware as one or more virtual machines. Operating systems may execute in these virtual machines to control the virtual machine in a manner analogous to the way a native operating system controls a physical machine. Typical operating systems include: the MICROSOFT WINDOWS family of operating systems, manufactured by Microsoft Corp. of Redmond, Wash.; the MacOS family of operating systems, manufactured by Apple Computer of Cupertino, Calif.; OS/2, manufactured by International Business Machines of Armonk, N.Y.; and Linux, a freely-available operating system distributed by Caldera Corp. of Salt Lake City, Utah, among others.
  • The client machines 10 and 20 may be any personal computer (e.g., a Macintosh computer or a computer based on processors manufactured by Intel Corporation of Mountain View, Calif.), Windows-based terminal, Network Computer, wireless device, information appliance, RISC Power PC, X-device, workstation, mini computer, main frame computer, personal digital assistant, television set-top box, living room media center, gaming console, mobile gaming device, NetPC's, thin client, or other computing device that has a windows-based desktop and sufficient persistent storage for executing a small, display presentation program. The display presentation program uses commands and data sent to it across communication channels to render a graphical display. Windows-oriented platforms supported by the client machines 10 and 20 can include, without limitation, WINDOWS 3.x, WINDOWS 95, WINDOWS 98, WINDOWS NT 3.51, WINDOWS NT 4.0, WINDOWS 2000, Windows 2003, WINDOWS CE, Windows XP, Windows Vista, MAC/OS, Java, Linux, and UNIX. The client machines 10 can include a visual display device (e.g., a computer monitor), a data entry device (e.g., a keyboard), persistent or volatile storage (e.g., computer memory) for storing downloaded application programs, a processor, and a mouse. Execution of a small, display presentation program allows the client machines 10 to participate in a distributed computer system model (i.e., a server-based computing model).
  • In other embodiments, the general-purpose computers of the sort depicted in FIG. 1A and FIG. 1B may have different processors, operating systems, and input devices consistent with the device and in accordance with embodiments further described herein. The computer system 100 can be any workstation, desktop computer, laptop or notebook computer, server, handheld computer, mobile telephone or other portable telecommunication device, media playing device, a gaming system, or any other type and/or form of computing, telecommunications or media device that is capable of communication and that has sufficient processor power and memory capacity to perform the operations described herein. For example, the computer system 100 may comprise a device of the IPOD family of devices manufactured by Apple Computer of Cupertino, Calif., a PLAYSTATION 2, PLAYSTATION 3, or PERSONAL PLAYSTATION PORTABLE (PSP) device manufactured by the Sony Corporation of Tokyo, Japan, a NINTENDO DS, NINTENDO GAMEBOY, NINTENDO GAMEBOY ADVANCED or NINTENDO REVOLUTION device manufactured by Nintendo Co., Ltd., of Kyoto, Japan, or an XBOX or XBOX 360™ device manufactured by the Microsoft Corporation of Redmond, Wash.
  • For embodiments in which a client machine 10 is a mobile device, the device may be a JAVA-enabled cellular telephone, such as those manufactured by Motorola Corp. of Schaumburg, Ill., those manufactured by Kyocera of Kyoto, Japan, or those manufactured by Samsung Electronics Co., Ltd., of Seoul, Korea. In other embodiments in which the client machine 10 is mobile, it may be a personal digital assistant (PDA) operating under control of the PalmOS operating system, such as the devices manufactured by palmOne, Inc. of Milpitas, Calif. In further embodiments, the client machine 10 may be a personal digital assistant (PDA) operating under control of the PocketPC operating system, such as the iPAQ devices manufactured by Hewlett-Packard Corporation of Palo Alto, Calif., the devices manufactured by ViewSonic of Walnut, Calif., or the devices manufactured by Toshiba America, Inc. of New York, N.Y. In still other embodiments, the client machine 10 is a combination PDA/telephone device such as the Treo devices manufactured by palmOne, Inc. of Milpitas, Calif. In still further embodiments, the client machine 10 is a cellular telephone that operates under control of the PocketPC operating system, such as those manufactured by Motorola Corp.
  • In some embodiments, a client machine 10 communicates with a remote machine 30 to determine an enumeration of resources available to the client machine 10 or to a user of the client machine 10. Resources may include, without limitation, computing environments, applications, documents, and hardware resources. In another of these embodiments, the remote machine 30 provides the client machine 10 with address information associated with a remote machine 30′ hosting a resource identified by the enumeration of resources. In still another of these embodiments, the client machine 10 communicates with the remote machine 30′ to access the identified resource. In one embodiment, the client machine 10 executes a resource neighborhood application to communicate with the remote machines 30 and 30′. In some embodiments, each of the remote machines 30 provides the functionality required to identify and provide address information associated with a remote machine 30′ hosting a requested resource.
  • Referring now to FIG. 2A, a block diagram depicts one embodiment of a system for providing access to a resource. In brief overview, a request to enumerate computing resources is transmitted from a client machine 10 (step 202). In some embodiments, the request includes an identification of a user of the client machine 10. An enumeration of a plurality of resources available to the user of the requesting machine is provided by the remote machine (step 204). The client machine 10 transmits a request for access to a particular resource included in the enumeration (step 206).
  • Still referring to FIG. 2A, and in more detail, the transmitted request is a request for an enumeration of computing environments available to the client machine 10. In another embodiment, the request is a request for an enumeration of computing environments supporting a particular application requested for execution by the client machine 10. In still another embodiment, the request is a request for access to a computing environment supported by a particular plurality of hardware resources.
  • In some embodiments, information associated with the client machine 10 or with a user of the client machine 10 is received with the request. In one of these embodiments, credentials associated with the user, or with a user of the client machine 10, are received. In one embodiment, the remote machine 30 receives a request for an enumeration of available computing environments from the client machine 10 with the information associated with the client machine 10, 10′ or the user of the client machine 10. In another embodiment, the remote machine 30 receives a transmission from a policy engine including the information. In still another embodiment, the remote machine 30 receives a transmission from a collection agent including the information. In yet another embodiment, the remote machine 30 comprises a component receiving requests and associated information.
  • In some embodiments, a remote machine 30 functioning as a web server receives communications from the client machine 10, 10′. In one of these embodiments, the web server forwards the communications to a remote machine 30′. In one of these embodiments, the web server forwards the communications to a service on the remote machine 30′. In another of these embodiments where communications from the client machine 10, 10′ are routed to a remote machine 30′ by the web server, the remote machine 30 may be selected responsive to an Internet Protocol (IP) address of the client machine 10.
  • In some embodiments, the user provides credentials to the remote machine 30 via a graphical user interface presented to the client machine 10, 10′ by the remote machine 30. In other embodiments, a remote machine 30′″ having the functionality of a web server provides the graphical user interface to the client machine 10. In still other embodiments, a collection agent transmitted to the client machine 10, 10′ by the remote machine 30 gathers the credentials from the client machine 10.
  • In some embodiments, collected data regarding available resources is accessed. In some of these embodiments, collected data regarding computing environments is accessed. In some of these embodiments, the accessed data includes an indication of a virtual machine providing access to one of the computing environments. In one of these embodiments, the accessed data includes an indication of a location of the virtual machine. In other embodiments, the accessed data concerning computing environments includes an indication of a plurality of hardware resources required to support the computing environments. In still other embodiments, the accessed data concerning computing environments includes an indication of a user or type of user authorized to access the computing environments. In yet other embodiments, the accessed data is provided responsive to a request for identification of a computing environment providing access to an application program.
  • In some embodiments, the collected data is stored on a server, such as a remote machine 30. In other embodiments, the server is in communication with a database storing the collected data. In still other embodiments, the server collects the data from a plurality of machines 30 in a machine farm 38. In one of these embodiments, the data is received from at least one server responsive to a request for the information concerning the computing environments. In another of these embodiments, the server collects the data from a hypervisor executing on a machine 30′ in the machine farm 38. In still another of these embodiments, the server collects the data from a management component residing in a guest operating system provided by a virtual machine launched into a hypervisor executing on a machine 30′ in the machine farm 38.
  • In some embodiments, the data is collected by an intermediate, brokering machine. In one of these embodiments, the brokering machine maintains a database of a status of at least one computing environment and collects information from at least one machine providing access to at least one computing environment. In another of these embodiments, the brokering machine collects information from a virtual machine service component residing in a virtual machine providing the computing environments. In still another of these embodiments, the brokering machine collects information from a virtual machine providing management functionality for a virtual machine providing a computing environment. In yet another of these embodiments, the brokering machine collects information from a hypervisor on which an executing virtual machine provides a computing environment. In other embodiments, the brokering machine comprises a machine 30 including a brokering module.
  • In some embodiments, a determination is made for each available computing environment as to whether that computing environment is available to a user of the client system. In other embodiments, data is gathered about the client system and a data set is generated from the gathered information. In one of these embodiments, the accessed data is transmitted to the client system with an indication to the client system, made responsive to the generated data set, of each computing environment available to the client system. In another of these embodiments, the accessed data is transmitted to the client system indicating to the client system, responsive to the application of a policy to the generated data set, each computing environment available to the client system. In still another of these embodiments, the indication includes at least one method of access available to the user seeking access to the computing environment. In yet another of these embodiments, the indication includes at least one type of action associated with the computing environment which may be taken by, or on behalf of, the user of the client system.
  • An enumeration of a plurality of resources available to the client machine 10 is provided (step 204). In one embodiment, the enumeration is provided responsive to an application of a policy to received information associated with the user of the client machine 10 or the remote machine 30. In another embodiment, the enumeration is provided responsive to a request from the user for a particular type of computing environment. In still another embodiment, the enumeration is provided responsive to a request from the user for computing environments providing access to a type of application program. In yet another embodiment, the enumeration is provided responsive to a request from the user for computing environments supported by a specified plurality of hardware resources. In some embodiments, the enumeration is provided responsive to a request to
  • In some embodiments, an indication is transmitted to the client machine 10 of a plurality of computing environments available to a user of the client machine 10. In one of these embodiments, the indication is generated responsive to accessing collected data associated with the plurality of computing environments. In another of these embodiments, the accessed data is transmitted to the client machine 10 with an enumeration of computing environments available to the client machine 10. In some embodiments, a determination is made, for each stored computing environment, as to whether that computing environment is available to the client machine 10. In one embodiment, the collected information is transmitted to the client machine 10, the transmitted information displayable at the client machine 10 as icons in a graphical user interface window representing computing environments available to the client system. In another embodiment, the collected information is transmitted to the client machine 10, the transmitted information displayable at the client machine 10 as icons in a graphical user interface window representing computing environments unavailable to the client machine 10.
  • In some embodiments, an enumeration of available computing environments is presented to a user of the client machine 10. In other embodiments, an enumeration of applications is presented to a user of the client machine 10. In one of these embodiments, a physical machine provides access to an enumerated application. In another of these embodiments, a virtual machine provides access to an enumerated application. In still another of these embodiments, a virtual machine provides access to a computing environment from which a user of the client machine 10 may access the application. In still other embodiments, an enumeration of standard operating environments (such as a guest operating system pre-configured with a plurality of application programs) is provided to the user of the client machine 10.
  • In some embodiments, the enumeration of available resources includes an enumeration of a plurality of actions associated with a requested resource. In one of these embodiments, the enumeration of the plurality of actions enables the user to request execution of a computing environment. In another of these embodiments, the enumeration of the plurality of actions enables the user to request cloning of a computing environment. In still another of these embodiments, the enumeration of the plurality of actions enables the user to request shutdown of a computing environment. In yet another of these embodiments, the enumeration of the plurality of actions enables the user to request that a computing environment be rebooted. In some embodiments, the enumeration of the plurality of actions enables the user to request that a snapshot be taken of an existing state of a computing environment. In other embodiments, the enumeration of the plurality of actions enables the user to request that a previous snapshot of a computing environment be provided.
  • A request is transmitted for access to a particular resource (step 206). In one embodiment, a user of the client machine 10 requests a resource responsive to a received enumeration of available resources. In another embodiment, the user requests a resource independent of a received enumeration. In some embodiments, the user requests a resource by selecting a graphical representation of the resource presented on the client machine 10 by a client agent. In other embodiments, the user requests a resource by selecting a graphical or textual representation of the resource presented to the user on a web server or other remote machine 30′″.
  • In some embodiments, the user requests an action associated with a resource. In one of these embodiments, the user requests execution of the resource. In another of these embodiments, the user requests termination of the resource. In still another of these embodiments, the user requests transmission of the resource, including transmission across an application streaming session. In yet another of these embodiments, the user requests that a resource be shut down. In other embodiments, a request to execute an application is received from the client machine 10, the requested application requiring one of the computing environments. In still other embodiments, a request to access a file is received from the client machine 10, the requested file requiring execution within one of the computing environments.
  • Still referring to FIG. 2A, a remote machine 30 launches the Resource Neighborhood (RN) application and presents results of the RN application to the client machine 10. The remote machine 30 can launch the RN application 241 in response to a request 202 by the client machine 10 for an enumeration of available resources. The remote machine 30 provides an enumeration of available resources to the client machine 10 (step 204). The client machine 10 and remote machine 30′ establish a connection (arrows 245 and 246). By this connection, the remote machine 30′ can transfer the executable code of the particular application to the client machine 10, when the client machine 10 and remote machine 30′ are operating according to the client-based computing model. Alternatively, the remote machine 30′ can execute the particular application and transfer the graphical user interface to the client machine 10, when the client machine 10 and remote machine 30′ are operating according to the server-based computing model. In some embodiments the remote machine 30′ can execute the Resource Neighborhood application 241 and push the results back to the client machine 10 so that when the client machine 10 requests the Resource Neighborhood application, the Resource Neighborhood results are already available at the client machine 10.
  • FIG. 2B shows another embodiment of a system in which the client machine 10 initiates execution of the Resource Neighborhood application 241 and a remote machine 30 presents the results of the RN application 241 to the client machine 10. The client machine 10 launches the Resource Neighborhood application (e.g., by clicking on a Resource Neighborhood icon representing the application 241). In response, the client machine 10 directs a request 202 for the Resource Neighborhood application to the remote machine 30. The remote machine 30 can execute the Resource Neighborhood application 241, if the application is on the remote machine 30, and return the results to the client machine 10. Alternatively, the remote machine 30 can indicate (arrow 204) to the client machine 10 that the Resource Neighborhood application 241 is available on another remote machine, in this example remote machine 30′. The client machine 10 and remote machine 30′ establish a connection (arrows 206 and 210) by which the client machine 10 requests execution of the Resource Neighborhood application 241. The remote machine 30′ can execute the application 241 and transfer the results (i.e., the graphical user interface, any audio output, etc.) to the client machine 10.
  • FIG. 2C shows another embodiment of a system in which a client machine 10 initiates execution of the Resource Neighborhood application 241, in this example via the World Wide Web. A client machine 10 executes a web browser application 280, such as NETSCAPE NAVIGATOR, manufactured by Netscape Communications, Inc. of Mountain View, Calif., INTERNET EXPLORER, manufactured by Microsoft Corporation of Redmond, Wash., or SAFARI, manufactured by Apple Computer of Cupertino, Calif.
  • The client machine 10, via the web browser 280, transmits a request 282 to access a Uniform Resource Locator (URL) address corresponding to an HTML page residing on remote machine 10. In some embodiments the first HTML page returned 284 to the client machine 10 by the remote machine 30 is an authentication page that seeks to identify the client machine 10 or the user of the client machine 10.
  • The authentication page allows the client machine 10 to transmit user credentials, via the web browser 280, to the remote machine 30 for authentication. Transmitted user credentials are verified either by the remote machine 30 or by another remote machine 30 in the farm 38. This allows a security domain to be projected onto the remote machine 30. For example, if the remote machine 30 runs the WINDOWS NT operating system, manufactured by Microsoft Corporation of Redmond, Wash., and the authenticating machine runs the UNIX operating system, the UNIX security domain may be said to have been projected onto the remote machine 30. User credentials may be transmitted “in the clear,” or they may be encrypted. For example, user credentials may be transmitted via a Secure Socket Layer (SSL) connection, which encrypts data using algorithms such as the RC4 algorithm, manufactured by RSA Security Inc. of Bedford, Mass.
  • In some embodiments, an access control decision is made based on received information about the user, and resources available to the user of the client system are identified responsive to the access control decision. In other embodiments, a policy is applied to the received information about the user. The remote machine 30 may verify the user credentials received from the client machine 10. Alternatively, the remote machine 30 may pass the user credentials to another remote machine for authentication. In this embodiment, the authenticating server may be in a different domain from the remote machine 30. Authenticated user credentials of the client machine 10 may be stored at the client machine 10 in a per-session cookie, in fields that are not displayed by the web browser 280, or in any other manner common in maintenance of web pages. In some embodiments, a machine farm 38 with which the remote machine 30 is associated may allow guest users, i.e., users that do not have assigned user credentials, to access resources hosted by the farm 38. In these embodiments, the authentication page may provide a mechanism for allowing a client machine 10 to identify that it is a guest user, such as a button or menu selection. In other of these embodiments, the remote machine 30 may omit the authentication page entirely.
  • Still referring to FIG. 2C, once the client machine 10 is authenticated by the remote machine 30, the remote machine prepares and transmits to the client machine 10 an HTML page 288 that includes a Resource Neighborhood window 258 in which appears graphical icons 257, 257′ representing resources to which the client machine 10 has access. A user of client machine 10 requests access to a resource represented by icon 257 by clicking that icon 257.
  • FIG. 3A shows one embodiment of a process of communication among the client machine 10 and multiple remote machines 30, 30′. In the embodiment shown in FIG. 3A, the client machine 10 has an active connection 372 with the remote machine 30′. The client machine 10 and remote machine 30′ can use the active connection 372 to exchange information regarding the status or execution of a first resource. User credentials may be stored at the client machine 10. Such storage of the user credentials can be in cache memory or persistent storage.
  • In this embodiment, the Resource Neighborhood application (not shown on FIG. 3A) runs on the client machine 10. The client machine display has a Resource Neighborhood window 258 in which appears a graphical icon 257 representing a second resource. A user of the client machine 10 can access the second resource by double-clicking the icon 257 with the mouse. The request passes to the remote machine 30 via connection 359. The remote machine 30 indicates to the client machine 10 via connection 359 that the sought-after resource is available on remote machine 30′. The client machine 10 signals the remote machine 30′ to establish a second connection 370. The remote machine 30′ requests the user credentials from the client machine 10 to authenticate access to the second resource. Upon a successful authentication, the client machine 10 and remote machine 30′ establish the second connection 370 and exchange information regarding status of or execution of the second resource. In some embodiments, the remote machine does not request user credentials to establish the second connection 370. In these embodiments, the remote machine 30′ may use the credentials supplied by the user of client machine 10 to establish the connection 372 to also establish the second connection 370. Accordingly, the client machine 10 and the remote machine 30′ communicate with each other over multiple connections.
  • FIG. 3B shows one embodiment of a system of communication among the client machine 10, master remote machine 30, and servers 32, 34, and 36. The client machine 10 has an active connection 373 with the remote machine 32. The client machine 10 and remote machine 32 can use the active connection 373 to exchange information regarding the status of or execution of a first resource. User credentials may be stored at the remote machine 32 in cache memory or in persistent storage.
  • In this embodiment, the Resource Neighborhood application runs on the remote machine 32. The remote machine 32 includes software providing a server-based client engine 62, enabling the remote machine 32 to operate in the capacity of the client machine 10. The client machine 10 display has a Resource Neighborhood window 258 in which appear graphical icons 357, 357′ representing a second resource and a third resource, respectively. A user of the client machine 10 can access the second resource by double-clicking the icon 357. The request to launch the second resource passes to the remote machine 32 via active connection 373, and the remote machine 32 forwards the request to the master remote machine 30 (arrow 365).
  • The master remote machine 30 indicates (arrow 365) to the remote machine 32 that the sought-after resource is available on server 34. The remote machine 32 contacts the server 34 to establish a connection 366. To authenticate access to the application, the server 34 obtains the user credentials of the client machine 10 from the remote machine 32. The remote machine 32 and server 34 establish the connection (arrow 366) by which the remote machine 32 requests access to the second resource and the server 34 returns the results to the remote machine 32. The remote machine 32 forwards the results to the client machine 10, where the results are displayed. Accordingly, the information exchanged between the client machine 10 and the server 34 “passes through” the remote machine 32.
  • Similarly, the client machine 10 can launch the third resource by double-clicking the icon 357′. The request to launch the third resource passes to the remote machine 32. The remote machine 32 forwards the request to the master remote machine 30. In this example, the master remote machine 30 indicates that the server 36 can be used to access the third resource.
  • The remote machine 32 and the server 36 establish a connection (arrow 374) by which the remote machine 32 requests access to the third resource, and the server 36 returns the results to the remote machine 32. To permit access to the third resource, the server 36 can authenticate the user credentials of the user of the client machine 10, which are obtained from the remote machine 32. The remote machine 32 forwards the results to the client machine 10 where the results are displayed. Accordingly, the results of accessing the third resource pass between the client machine 10 and the server 36 through the remote machine 32.
  • FIG. 3C shows another embodiment of a system of communication among the client machine 10, a master remote machine 30, and servers 32 and 34. The client machine 10 has an active connection 376 with server 32. The client machine 10 and server 32 can use the active connection 376 to exchange information regarding the access to a first resource. The client machine 10 can store user credentials in cache memory or in persistent storage.
  • In this embodiment, the Resource Neighborhood application runs on the server 32. The client machine 10 display has a Resource Neighborhood window 258 in which appears a graphical icon 257 representing a second resource. A user of the client machine 10 can access the second resource by double-clicking the icon 257. The request to access the second resource passes to the server 32. The server 32 responds (i.e., “calls back”) to the client machine 10 by returning resource-related information such as the name of the resource and capabilities needed by the client machine 10 to access the second application.
  • With the information provided by the server 32, the client machine 10 then communicates with the master remote machine 30 via connection 377 to determine the server for accessing the second resource. In this example, that server is server 34. The client machine 10 then establishes a connection 378 to the server 34. Server 34 requests the user credentials from the client machine 10 to authenticate the user of the client machine 10. The client machine 10 accesses the second resource on the server 34, and the server 34 returns the results to the client machine 10 via the established connection 378. Accordingly, the client machine 10 can have multiple active connections between the multiple servers.
  • FIG. 3D shows one embodiment of a system of communication between the client machine 10, a remote machine 30 that in this example acts as a web server, and a second remote machine 30′. The client machine 10 authenticates itself to the remote machine 30 as described above in connection with FIG. 2C. In one embodiment, the remote machine 30 accesses an output display template 390, such as an SGML, HTML or XML file, to use as a base for constructing the Resource Neighborhood window to transmit to the client machine 10. The Resource Neighborhood window may display an enumeration of resources available to the client. The enumeration of resources may include an enumeration of available application programs or computing environments. The template may be stored in volatile or persistent memory associated with the server 30 or it may be stored in mass memory 392, such as a disk drive or optical device, as shown in FIG. 3D.
  • In this embodiment, the template 390 is a standard SGML, HTML, or XML document containing Resource Neighborhood-specific tags that are replaced with dynamic information. The tags indicate to the server 30 where in the output display to insert information corresponding to available resources, such as icon images. In one particular embodiment, the Resource Neighborhood-specific tags are embedded within comments inside a file, allowing the file to remain compatible with standard interpreters. In another embodiment, the Resource Neighborhood-specific tags are extensions of the markup language used as the base for the template.
  • Examples of HTML tags that may be used in a template are set forth below in Table 1:
    TABLE 1
    | Tag | Description |
    | --- | --- |
    | ControlField field value | This tag is used to set the value of data that either persists between Resource Neighborhood web pages, is set by the user, or is used to help in cross page navigation, such as user name, domain, password, template, and resource. |
    | DrawResourceNeighborhood | This tag is used to draw a Resource Neighborhood display at this location in an output display. |
    | ResourceName | This tag is replaced by the name of the published resource in the current context. |
    | WindowType | This tag is replaced by the window type of the published resource in the current context. |
    | WindowHeight | This tag is replaced by the window height of the published resource in the current context. |
    | WindowWidth | This tag is replaced by the window width of the published resource in the current context. |
    | WindowScale | This tag is replaced by the window scale of the published resource in the current context. |
    | WindowColors | This tag is replaced by the color depth of the published resource in the current context. |
    | SoundType | This tag is replaced by the sound setting of the published resource in the current context. |
    | VideoType | This tag is replaced by the video setting of the published resource in the current context. |
    | EncryptionLevel | This tag is replaced by the encryption level of the published resource in the current context. |
    | Icon | This tag is replaced by the icon of the published resource in the current context. |
  • Other tags can be provided to set control fields and to provide conditional processing relating to the Resource Neighborhood application.
  • In one embodiment, the template is constructed dynamically using, for example, COLD FUSION, manufactured by Allaire Corp. of Cambridge, Mass. or ACTIVE SERVER PAGES manufactured by Microsoft Corporation of Redmond, Wash. Alternatively, the template may be static. The Resource Neighborhood application parses the template, replacing Resource Neighborhood-specific tags as noted above. Tags that are not Resource Neighborhood-specific are left in the file to be parsed by the browser program 80 executing on the client 10.
  • In one embodiment, a template parser object is provided that accepts an HTML template as input, interprets Resource Neighborhood-specific tags present in the template, and outputs the original template with all Resource Neighborhood tags replaced with appropriate text. The template parser object can be passed a cookie, a URL query string, or a control field from a web server interface to provide the information with which Resource Neighborhood-specific tags should be replaced.
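The following is an added sketch of the template parser object described above, not code from the patent. The `<!--RN:TagName-->` comment syntax, the `/icons/` path, the default icon name and the validation limits are assumptions; the tag names come from Table 1. Because the replacement values arrive in a cookie or URL query string, the parser encodes or validates each one for the place it is inserted, and leaves every non-Resource Neighborhood comment for the browser.

```python
import html
import re
from urllib.parse import parse_qs

# ASSUMPTION: tags are written as HTML comments of the form <!--RN:TagName-->.
# The page only says the tags are "embedded within comments"; this exact
# syntax is hypothetical. Tag names are taken from Table 1.
RN_TAG = re.compile(r"<!--\s*RN:([A-Za-z]+)\s*-->")

TEXT_TAGS = {"ResourceName", "WindowType", "WindowScale", "WindowColors",
             "SoundType", "VideoType", "EncryptionLevel"}
INT_TAGS = {"WindowHeight", "WindowWidth"}

# Constructed rule: an icon must be a plain file name in one fixed directory.
ICON_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}\.(?:png|gif)")
ICON_DIR = "/icons/"          # hypothetical path
DEFAULT_ICON = "default.png"  # hypothetical file


def values_from_query(query_string):
    """First value of each parameter; everything returned here is untrusted."""
    return {key: vals[0] for key, vals in parse_qs(query_string).items()}


def render_tag(name, values):
    """Return the text that replaces one Resource Neighborhood tag."""
    raw = values.get(name, "")
    if name in TEXT_TAGS:
        # Encode for HTML text and for quoted attribute values.
        return html.escape(raw, quote=True)
    if name in INT_TAGS:
        # Dimensions must be short ASCII integers in range, else emit nothing.
        ok = raw.isascii() and raw.isdigit() and len(raw) <= 5 and int(raw) > 0
        return raw if ok else ""
    if name == "Icon":
        # Never pass a caller-supplied path through; fall back to a default.
        icon = raw if ICON_NAME.fullmatch(raw) else DEFAULT_ICON
        return ICON_DIR + icon
    # Unknown Resource Neighborhood tag: drop it rather than echo input.
    return ""


def parse_template(template, query_string):
    """Replace RN tags; all other markup and comments pass through unchanged."""
    values = values_from_query(query_string)
    return RN_TAG.sub(lambda m: render_tag(m.group(1), values), template)


# Constructed sample template and query string.
SAMPLE_TEMPLATE = (
    "<!-- ordinary comment, left for the browser -->\n"
    '<div class="rn"><img src="<!--RN:Icon-->" alt="<!--RN:ResourceName-->">\n'
    "<b><!--RN:ResourceName--></b> "
    "<!--RN:WindowWidth-->x<!--RN:WindowHeight--></div>"
)
SAMPLE_QUERY = ("ResourceName=Q3+%22Sales%22+%3Cdraft%3E"
                "&WindowWidth=800&WindowHeight=6e2&Icon=..%2Flogo.png")

if __name__ == "__main__":
    print(parse_template(SAMPLE_TEMPLATE, SAMPLE_QUERY))
```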
  • In some embodiments, a web server receives a request from the client machine 10 for an enumeration of available computing environments. In one of these embodiments, the web server executes an application to access data regarding the computing environments. In another of these embodiments, a page template is retrieved from a database. In still another of these embodiments, a page is created, at the web server, describing a display of stored computing environment images available to the client machine 10 responsive to the collected information and the retrieved page template, and the created page is transmitted to the client machine 10, indicating to the client machine 10 each computing environment available to the client machine 10. In some embodiments, computing environment images may comprise virtual machine images, resource images, screenshots of suspended virtual machines, and other images selected by a user or administrator for presentation to the user. In yet another of these embodiments, an output display is created indicating each computing environment available to the client machine 10, and the created output display is transmitted to the client machine 10.
  • In some embodiments, an output display is created comprising a page constructed in a markup language, the output display indicating each computing environment available to the client system and transmitted to the client system.
  • In another embodiment, the Resource Neighborhood application allows scripts to access information via an application programming interface. Scripts may be written in, for example, VBScript or Jscript. In this embodiment, the scripting language is used to dynamically generate an output display using information returned by the application in response to queries posed by the script. Once the output display is generated, it is transmitted to client machine 10 for display by the browser program 80.
  • A user of the client machine 10 can access a resource by clicking an icon 257, 257′ displayed in the Resource Neighborhood web page. In some embodiments, each icon 257, 257′ is associated with an encoded URL that specifies: the location of the resource (i.e., on which remote machines it is hosted or, alternatively, the address of a master remote machine, a gateway, or other remote machine 30); a launch command associated with the resource; and a template identifying how the results of accessing the resource should be displayed (i.e., in a window “embedded” in the browser or in a separate window). In some embodiments, the URL includes a file, or a reference to a file, that contains the information necessary for the client to create a connection to the remote machine hosting the resource. This file may be created by the Resource Neighborhood application dynamically. The client machine 10 establishes a connection (arrow 394) with the remote machine 30′ identified as hosting the requested resource and exchanges information regarding access to the desired resource. In some embodiments, the connection 394 is made using the Independent Computing Architecture (ICA) protocol, manufactured by Citrix Systems, Inc. of Fort Lauderdale, Fla. In other embodiments, the connection is made using: the RDP protocol, manufactured by Microsoft Corp. of Redmond, Wash.; the X11 protocol; or the Virtual Network Computing (VNC) protocol, manufactured by AT&T Bell Labs. Thus, the client machine 10 may display the results of accessing the resource in a window separate from the web browser 280, or it may “embed” application output within the web browser.
  • FIG. 3E depicts an embodiment in which a remote machine 30 acts as an intermediary for a machine farm 38 and comprises a broker module 310, a transmitter 312, a receiver 314, and a transceiver 316.
  • The broker module 310 accesses collected data regarding resources, including application programs, computing environments, and hardware resources. In some embodiments, the broker module 310 accesses collected data regarding resources and determines for each resource whether that resource image is available to a client machine 10. In some embodiments, the server further comprises a database storing the collected data. In one of these embodiments, the broker module 310 determines for each resource whether that resource image is available to a client machine 10 based on the collected data. In other embodiments, the broker module 310 receives user credentials and determines for each resource whether that resource image is available to a client machine 10 based on the user credentials and the collected data.
  • In some embodiments, the server further comprises an output display creation engine creating output displays indicating each resource available to the client machine 10. In one of these embodiments, the output display creation engine creates a page describing a display of the resources available to a client system, the page created responsive to the collected information and a page template.
  • The transmitter 312 transmits accessed data to the client machine 10 indicating to the client machine 10 each resource determined to be available to the client machine 10. In some embodiments, the transmitted data is displayable at the client system as icons in a graphical user interface window representing resources available to the client system. In other embodiments, the transmitted data is displayable at the client system as icons in a graphical user interface window representing resources unavailable to the client system. The receiver 314 receives a request to access one of the available resources. In some embodiments, the receiver receives user credentials from the client machine 10. In other embodiments, the receiver receives a request to access an application program available through one of the available resources, such as an available computing environment. In still other embodiments, a database storing the collected information and the service module determines for each resource stored by the plurality of servers whether that resource image is available to a client machine 10 based on the user credentials and the collected information. In yet other embodiments, a determination is made as to an availability of resources, such as virtual machines or application servers, providing access to the available resources.
  • The transceiver 316 provides a connection between the client machine 10 and a virtual machine providing the requested resource. In some embodiments, the transceiver 316 provides a connection between the client machine 10 and a virtual machine providing the requested resource and the transceiver 316 establishes a presentation-layer protocol connection. In one of these embodiments, the transceiver 316 establishes an X11 or VNC connection. In another of these embodiments, the transceiver 316 establishes an ICA connection. In still another of these embodiments, the transceiver 316 establishes an RDP connection.
  • An intermediary machine of the sort just described may be used as any one of the remote machines 30 described above in FIGS. 1-1B, 2A-2B, and 3A-3D.
  • FIG. 4 illustrates one embodiment of program components for a client-based implementation of the Resource Neighborhood application. A client-based implementation of the Resource Neighborhood application 416 can be used in a network using either the server-based computing model in which the servers execute the Resource Neighborhood application or in a client-based computing model in which the client machine 10 executes the Resource Neighborhood application locally. The Resource Neighborhood application includes a Resource Neighborhood Service (RNSVC) component 444, a resource database component 448, a Resource Neighborhood Application Program Interface (RNAPI) component 452, a Resource Neighborhood User Interface component 456, and a local cache 460.
  • The remote machine 30, for example, includes the service component (RNSVC) 444 and the resource authorization cache 448. The client machine 10, which is a representative example of a client machine 10 that can support a client-based implementation of the Resource Neighborhood application, includes the application program interface RNAPI 452, the user interface component 456, and the local cache 460 components. The RNAPI 452 communicates with the user interface component 456 and the local cache 460. The RNSVC 444 communicates with the resource authorization cache 448 and with the RNAPI 452 on the client machine 10 via communications link 462.
  • The communications link 462 can be established by, for example, using the ICA protocol, the RDP protocol, the X11 protocol, the VNC protocol, or any other suitable presentation-level protocol designed to run over industry standard transport protocols, such as TCP/IP, IPX/SPX, NetBEUI, using industry-standard network protocols, such as ISDN, frame relay, and asynchronous transfer mode (ATM) and which provides for virtual channels, which are session-oriented transmission connections that can be used by application-layer code to issue commands for exchanging data. The communications link 462 may also be established by protocols that support RPC or RPC-equivalents such as SOAP and HTTP. The communications link 462 may also be a communications link 150 as described above. The virtual channel commands are designed to be closely integrated with the functions of client machines. The ICA protocol can support the Resource Neighborhood virtual channel.
  • The Resource Neighborhood virtual channel protocol can include four groups of commands:
  • (1) Initialization-related commands;
  • (2) Single authentication related commands that can be supported by each client machine wanting a copy of the user credentials;
  • (3) Resource data related commands for implementing the Resource Neighborhood user interface; and
  • (4) Resource launch callback-related commands for running the user interface on a remote machine.
  • The resource authorization cache 448 may be a cache of the authorized user and group information for all the public (i.e., published) resources in a machine farm 38 or in a group of trusted domains. Each remote machine in a machine farm 38 can maintain its own resource-related information in persistent storage and build up the resource authorization cache 448 in volatile storage. In another embodiment, all collected resource-related information in the resource authorization cache 448 can be stored in persistent storage and made accessible to each other server in the machine farm 38. The resource authorization cache 448 can be implemented in a proprietary format (e.g., as a linked list in memory) or using Novell's Directory Services (NDS) or any directory service adhering to the X.500 standard defined by the International Telecommunication Union (ITU) for distributed electronic directories. The resource authorization cache 448 may be implemented as a standard relational database.
  • The resource authorization cache 448 includes a list of remote machines. Each remote machine in the list has an associated set of resources. Associated with each resource is resource-related information that can include the resource name, a list of remote machines, and client users that are authorized to use that resource. An overly-simplified example of the resource-related information maintained in the database is illustrated by the following Table 2. Users A and B are users of the client machines 10, “n/a” indicates that a desired application program is hosted, but is not available to client machine users, and “-” indicates that the application program is not hosted.
    TABLE 2
    | Remote Machine Name | Spreadsheet | Customer Database | Word Processor | Calculator |
    | --- | --- | --- | --- | --- |
    | Server 30 | User A | User B | n/a | - |
    | Server 32 | User B | n/a | User A | - |
    | Server 34 | - | - | - | User A, User B |
  • Table 2 shows: a list of servers 30, 32, 34; applications hosted by the servers (Spreadsheet, Customer Database, Word Processor, and Calculator); and those users who are authorized to use the applications. For example, the server 30 hosts the Spreadsheet program, the Customer Database and the Word Processor. User A is authorized to use the Spreadsheet, User B is authorized to use the Customer Database, and no users are authorized to use the Word Processor. It is to be understood that other techniques can be used to indicate who is authorized to use a particular application. For example, the user information stored in the database can be used to indicate those users who are unauthorized to use a particular application rather than those who are authorized, or to indicate that multiple users may access a resource on a remote machine 30, or to indicate that a predetermined group of users are authorized to access a particular resource. Although Table 2 depicts an embodiment in which the resources that are available are application programs, a similar technique may be used for computing environments and other resources.
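The following is an added sketch, not code from the patent, of the resource authorization cache as a default-deny lookup. The sample data is modelled on Table 2; the function names, the group map and the response shape are assumptions. It checks authorization again when access is requested, since the page notes a user may request a resource independent of a received enumeration, and it returns the same denial for "n/a", "-" and an unlisted user.

```python
NOT_AVAILABLE = frozenset()   # "n/a": hosted, but no user is authorized

# Sample data modelled on Table 2: server -> {resource: authorized principals}.
# A resource absent from a server's dict is the "-" case (not hosted).
CACHE = {
    "Server 30": {"Spreadsheet": {"User A"},
                  "Customer Database": {"User B"},
                  "Word Processor": NOT_AVAILABLE},
    "Server 32": {"Spreadsheet": {"User B"},
                  "Customer Database": NOT_AVAILABLE,
                  "Word Processor": {"User A"}},
    "Server 34": {"Calculator": {"User A", "User B"}},
}


def principals(user, groups):
    """The user plus every group (hypothetical map: name -> members) they are in."""
    return {user} | {name for name, members in groups.items() if user in members}


def is_authorized(cache, user, server, resource, groups=None):
    """Default deny: unknown server, unhosted resource, n/a and unlisted
    principals all fall through to an empty allow-set."""
    allowed = cache.get(server, {}).get(resource, NOT_AVAILABLE)
    return bool(principals(user, groups or {}) & allowed)


def enumerate_resources(cache, user, groups=None):
    """Return {resource: [servers]} for the resources this user may access."""
    result = {}
    for server in sorted(cache):
        for resource in cache[server]:
            if is_authorized(cache, user, server, resource, groups):
                result.setdefault(resource, []).append(server)
    return result


def handle_access_request(cache, user, server, resource, groups=None):
    """Authorize the request itself; the enumeration is only a display filter.
    The denial is identical whether the resource is unhosted, n/a or simply
    not granted, so the response does not reveal what a server hosts."""
    if not is_authorized(cache, user, server, resource, groups):
        return {"status": "denied"}
    return {"status": "ok", "server": server, "resource": resource}


if __name__ == "__main__":
    print(enumerate_resources(CACHE, "User A"))
    print(handle_access_request(CACHE, "User A", "Server 30", "Word Processor"))
```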
  • To obtain the information that is stored in the resource authorization cache 448, the remote machine 30 obtains the resource-related information from each other machine in the machine farm 38 regarding the resources on those remote machines, including control information that indicates which client users and remote machines are permitted to access each particular resource. The resource-related information maintained in the database may or may not persist across re-boots of the remote machine 30.
  • Each remote machine 30 having the Resource Neighborhood application installed thereon executes the RNSVC software 444. The RNSVC software 444, operating on each remote machine 30, establishes a communication link (e.g., a named pipe) with at least one other and, in some embodiments, each other remote machine 30. The remote machines 30 exchange resource-related information on the communication links. In another embodiment, the RNSVC software 444 collects the resource-related information from the other remote machines 30 in the machine farm 38 through remote registry calls (e.g., the service component 444 transmits a datagram to the other remote machines 30 in the farm 38 requesting the resource-related information corresponding to the resources hosted by those remote machines 30). In some embodiments, the resource authorization cache is populated by system administrators or by programs and scripts communicating with remote machines 30. The RNSVC software 444 also maintains the relationships of groups and users to published resources in the resource authorization cache 448 and accesses the information when authenticating a client user. An administrator of the remote machine 30 can use a user interface to configure the RNSVC software 444.
  • Other functions of the RNSVC software 444 include implementing the services and functions requested by the RNAPI 452 and communicating with the RNAPI 452 on the client machine 10 using a Resource Neighborhood virtual channel driver (VCRN). The VCRN operates according to the Resource Neighborhood virtual channel protocol described.
  • The RNAPI 452 is a set of software functions or services that are used by the Resource Neighborhood application to perform various operations (e.g., open windows on a display screen, open files, and display message boxes). The RNAPI 452 provides a generic mechanism for accessing user interface elements (e.g., icons) produced by running the Resource Neighborhood application and objects in a legacy (i.e., predecessor or existing for some time) client user interface. When the client machine 10 accesses an available resource, the accessing mechanism can launch the resource on the remote machine 30, if necessary (e.g., when the client machine 10 is unable to locally execute the application).
  • The RNAPI 452 provides all published resource information to the user interface component 456 for display on the screen 12 (FIG. 1) of the client machine 10. The RNAPI 452 also manages machine farm 38 logons in a local database of logon credentials (e.g., passwords) for users of the client machine 10 to support the single authentication feature. Credentials may or may not be persistent across a reboot (power-off and on cycles) of the client machine 10.
  • The RNAPI 452 provides automatic and manual management for Resource Neighborhood objects stored in the local cache 460. The local cache 460 can either be refreshed manually by the user of the client machine 10, or at a user-definable refresh rate, or by the server at any time during a connection. In a Windows implementation, the RNAPI 452 can build remote application file resource associations and manage the “Start” menu and desktop icons for resource object shortcuts.
  • The user interface module 456 interfaces the RNAPI 452 and can be a functional superset of an existing client user interface (e.g., Remote Resource Manager). The user interface module 456 accesses the information stored in the local cache 460 through the RNAPI 452 and visually presents that information to the user on the display screen 12 (FIG. 1) of the client machine 10. The displayed information is a mixture of information generated by a user of the client machine 10 and information obtained by the Resource Neighborhood application. The user interface module 456 can also show the user all resources that the user is currently accessing and all active and disconnected sessions.
  • In a Windows-based embodiment, the user interface module 456 can present a variety of graphical components, such as windows and pull-down menus, to be displayed on the display screen 12 (FIG. 1). A display of a combination of such graphical user interface components is generally referred to as a “desktop.” A desktop produced by the user interface module 456 can include a Resource Neighborhood window displaying the neighborhood of resources available to the user of the client machine 10. These resources may be a filtered combination of the published resources hosted by a machine farm 38. The user interface module 456 can generate a Resource Neighborhood window for each machine farm 38 or merge the resources from different machine farms 38 under a single Resource Neighborhood window.
  • At a top level, the Resource Neighborhood window includes a folder for each machine farm 38. Clicking on one of the folders produces a window containing a representation (e.g., an icon) of each hosted resource available to the user, e.g., see FIGS. 6A and 6B. The Resource Neighborhood window becomes the focal point for accessing published resources, and the user interface module 456 can be used to access resources and launch applications through the RNAPI 452. For example, the user of the client machine 10 can use the mouse 18 (FIG. 1) to select one of the displayed icons and launch the associated resource.
  • A feature of a client-based implementation is that the user can browse the objects displayed in the Resource Neighborhood window although the client machine is offline, that is, the connection 462 is inactive. Also, a user of the client machine 10 can drag application objects and folders out of the Resource Neighborhood window and into other graphical components (e.g., other windows, folders, etc.) of the desktop.
  • FIG. 5 shows one embodiment of the program components for a server-based implementation of the Resource Neighborhood application. The components include a Service (RNSVC) component 544′, a Resource Database component 548′, an Application Program Interface (RNAPI) component 552′, a User Interface component 556′ and a local cache 560′. Each software component 544′, 548′, 552′, 556′, and 560′ is installed on the application server 30′. The software components for the server-based implementation correspond to the software components for the client-based implementation of FIG. 4. The functionality of each server-based software component is similar to the client-based counterpart, with differences or added capabilities described below. The RNSVC 544′ communicates with the resource database 548′ and with the RNAPI 552′ using local procedure calls. The RNAPI 552′ also communicates with the user interface module 556′ and the local cache 560′.
  • Similar to that described in FIG. 4 for the client machine 10, the client machine 10 logs on to the network 40 (FIG. 1), the server 30′ develops and maintains a database containing the resource-related information collected from the other machines in the machine farm 38, and a communication link is established between the server 30′ and the client machine 20. The application server 30′ may be in communication with the client machine 10 via an ICA connection 562′.
  • To run the Resource Neighborhood application in a server-based implementation, the user of the client machine 10 connects to an initial desktop (at the server 30′) and launches the Resource Neighborhood application from within that desktop environment. The connection to the initial desktop can occur automatically, e.g., via a logon script of the client machine 20, via an entry in a Startup group, or by another centrally managed server specific mechanism. All remote application management and launching is accomplished through this initial desktop.
  • Similar to that described in FIG. 4 for the server 30, the server 30′ uses the user credentials to determine those resources that the user of the client machine 10 is authorized to use. A Resource Neighborhood graphical window is returned to the client machine 10 and displayed on the client screen 22 (FIG. 1). This window can contain icons representing the available and, possibly, the unavailable resources that are in the Resource Neighborhood of the client machine 20.
  • In one embodiment, the web-based Resource Neighborhood application includes a group of objects that manage various aspects of a resource. In one embodiment, the Resource Neighborhood application includes three primary object classes that “plug in” to a web server: a gateway object class; a credentials object class; and a resources object class. In some specific embodiments, the object classes are provided as JavaBeans. The three primary object classes facilitate: validation of user credentials into a server farm; generation of lists of published resources that a specified user may access; provision of detailed information about a specific published resource; and conversion of resource application information into a format compatible with the protocol over which connection will be made.
  • When provided as JavaBeans, the objects can be accessed in a number of different ways. For example, they may be compiled as COM objects and made available to the web server as ActiveX components. In another embodiment, the JavaBeans can be used in their native form, such as when the server uses Java Server Pages technology. In yet another embodiment, the JavaBeans can be instantiated and used directly in a Java Servlet. In still another embodiment, the remote machine 30 can instantiate the JavaBeans as COM objects directly.
  • A credentials object class manages information necessary to authenticate a user into a target machine farm 38. A credentials object passes stored user credentials to other Resource Neighborhood objects. In some embodiments, the credentials object is an abstract class that cannot be instantiated and represents a user's credentials. Various class extensions may be provided to allow different authentication mechanisms to be used, including biometrics, smart cards, token-based authentication mechanisms such as challenge-response and time-based password generation, or others. For example, a “clear text credentials” extension may be provided that stores a user's name, domain, and password in plain text.
  • A gateway object class handles communications with a target machine farm 38. In one embodiment, the gateway object class is provided as an abstract Java class that cannot be instantiated. A particular gateway object may retrieve resource information by communicating with a machine farm 38 using a particular protocol, reading cached resource information, a combination of these two methods, or other various methods.
  • As noted above, the gateway object class may cache information to minimize communication with a target machine farm 38. Extensions to the gateway object may be provided to communicate with the machine farm 38 over specific protocols, such as HTTP. In one embodiment, an extension class is provided that allows the gateway object to communicate with the machine farm 38 via WINDOWS NT named pipes. The gateway object may provide an application programming interface hook that allows other Resource Neighborhood objects to query the object for application information.
  • A resources object class contains information about published resources and returns information about resources hosted by the machine farm 38 in order to create the Resource Neighborhood web page. The resources object class creates objects representing resources by retrieving information relating to the resources, either from an object created by the gateway object or directly from the machines in the machine farm 38. A resources object acts as a container for certain properties of the resource, some settable and some not settable, such as: the name of the resource (not settable); the width of the client window, in pixels, for this resource (settable); the height of the client window, in pixels, for this resource (settable); the number of colors to use when connecting to the resource (settable); the severity of audio bandwidth restriction (settable); the level of encryption to use when connecting to the resource (settable); the level of video to use when connecting to this resource (settable); whether the resource should be placed on a client's start menu (settable); whether the resource should be placed on the client's desktop (settable); the identity of the Resource Neighborhood folder to which the resource belongs (settable); the description of the resource (settable); the source of the graphics icon file for the resource (settable); the type of window that should be used when connecting to the resource (not settable); and whether to override default parameters for the object.
  • FIG. 6A is a screenshot of one embodiment of Resource Neighborhood window 620 that can be displayed on the screen 12, 22 (FIG. 1) of a client machine 10, 10′ after the Resource Neighborhood application has executed. The window 120 includes graphical icons 622. Each icon 622 represents a resource that is hosted by one of the machines in a machine farm 38. Each represented resource is available to the user of the client machine 10. The user can select one of the resources using the mouse 18, 28 or keyboard 14, 24.
  • FIG. 6B is a screenshot of another embodiment of a Resource Neighborhood window 624 that can be displayed on the screen 12, 22 (FIG. 1) of a client machine 10, 10′ after the Resource Neighborhood application has executed. The window 624 includes graphical icons 626, 628. Each icon 626, 628 represents a resource that is hosted by one of the machines in a machine farm 38. Each resource represented by one of the icons 626 is available to the user of the client machine 10. The user can select one of the resources using the mouse 18, 28 or keyboard 14, 24. For web-based Resource Neighborhood environments, the screenshots of FIGS. 6A and 6B are similar, except that icons 622, 626, 628 are displayed within a browser window.
  • Each resource represented by one of the icons 628 is unavailable to the user of the client machine 10, although such resources are present in the server farm. The unavailability of these resources can be noted on the display screen (e.g., “X”s can be drawn through the icons 628). An attempt to access such a resource can trigger a message indicating that the user is not authorized to access the resource. Alternatively, the attempt may invoke a method allowing the user of the client machine 10 to request access to the resource.
  • In some embodiments, the resource comprises a computing environment. In one of these embodiments, a connection is established between the client machine 10 and a virtual machine hosting the requested computing environment. In one embodiment, a presentation layer protocol is used in establishing the connection between the client system and the virtual machine. In another embodiment, the X11 protocol is used in establishing the connection. In still another embodiment, the Remote Desktop Protocol (RDP) is used in establishing the connection. In yet another embodiment, the Independent Computing Architecture (ICA) protocol is used in establishing the connection.
  • In some embodiments, a connection is established between the client machine 10 and a physical machine, such as a traditional workstation or server, hosting the requested computing environment. In other embodiments, a connection is established between the client machine 10 and a hardware partition hosting the requested computing environment.
  • In some embodiments, an enumeration of a plurality of resources available to the client machine 10 is provided (step 204) responsive to a determination by a policy engine regarding whether and how a client machine may access a resource. The policy engine may collect information about the client machine prior to making the determination. Referring now to FIG. 7A, one embodiment of a computer network is depicted which includes a client machine 10, a machine farm 38, a collection agent 704, a policy engine 706, a policy database 708, and a resource server 30′. In one embodiment, the policy engine 706 is a remote machine 30. Although only one client machine 10, collection agent 704, policy engine 706, machine farm 38, and resource server 30′ are depicted in the embodiment shown in FIG. 7A, it should be understood that the system may provide multiple ones of any or each of those components.
  • In brief overview, when the client machine 10 transmits to the policy engine 706 a request 206 for a resource enumeration, the collection agent 704 communicates with the client machine 10, retrieves information about the client machine 10, and transmits the client machine information 712 to the policy engine 706. The policy engine 706 makes an access control decision by applying a policy from the policy database 708 to the received information 712.
  • In more detail, the client machine 710 transmits to the policy engine 706 a request 206 for resource enumeration. In one embodiment, the policy engine 706 resides on a resource server 30′. In another embodiment, the policy engine 706 resides on a remote machine 30. In still another embodiment, a resource server 30′ receives the request 206 from the client machine 10 and transmits the request 206 to the policy engine 706. In yet another embodiment, the client machine 10 transmits a request 206 for resource enumeration to an intermediate remote machine 30′″ (not shown), which transmits the request 206 to the policy engine 706.
  • In some embodiments, the client machine 10 transmits the request 206 over a network connection such as those described above. Upon receiving the request, the policy engine 706 initiates information gathering by the collection agent 704. The collection agent 704 gathers information regarding the client machine 10 and transmits the information 712 to the policy engine 706.
  • In some embodiments, the collection agent 704 gathers and transmits the information 712 over a network connection. In some embodiments, the collection agent 704 comprises bytecode, such as an application written in the bytecode programming language JAVA. In some embodiments, the collection agent 704 comprises at least one script. In those embodiments, the collection agent 704 gathers information by running at least one script on the client machine 10. In some embodiments, the collection agent comprises an ActiveX control on the client machine 10. An ActiveX control is a specialized Component Object Model (COM) object that implements a set of interfaces that enable it to look and act like a control.
  • In one embodiment, the policy engine 706 transmits the collection agent 704 to the client machine 10. In some embodiments, the policy engine 706 requires another execution of the collection agent 704 after the collection agent 704 has transmitted information 712 to the policy engine 706. In some of these embodiments, the policy engine 706 requires another execution of the collection agent 704 because the policy engine 706 may have insufficient information 712 to determine whether the client machine 10 satisfies a particular condition. In other embodiments, the policy engine 706 requires a plurality of executions of the collection agent 704 in response to received information 712.
  • In some embodiments, the policy engine 706 transmits instructions to the collection agent 704 determining the type of information the collection agent 704 gathers from the client machine 10. In those embodiments, a system administrator may configure the instructions transmitted to the collection agent 704 from the policy engine 706. This provides greater control over the type of information collected. This also expands the types of access control decisions that the policy engine 706 can make, due to the greater control over the type of information collected. The collection agent 704 gathers information 712 including, without limitation, machine ID of the client machine 10, operating system type, existence of a patch to an operating system, MAC addresses of installed network cards, a digital watermark on the client device, membership in an Active Directory, existence of a virus scanner, existence of a personal firewall, an HTTP header, browser type, device type, network connection information such as internet protocol address or range of addresses, machine ID of the remote machine 30, date or time of access request including adjustments for varying time zones, and authorization credentials.
  • In some embodiments, the device type is a personal digital assistant. In other embodiments, the device type is a cellular telephone. In other embodiments, the device type is a laptop computer. In other embodiments, the device type is a desktop computer. In other embodiments, the device type is an Internet kiosk. In still other embodiments, the device type is a game console.
  • In some embodiments, the digital watermark includes data embedding. In some embodiments, the watermark comprises a pattern of data inserted into a file to provide source information about the file. In other embodiments, the watermark comprises hashed data files to provide tamper detection. In other embodiments, the watermark provides copyright information about the file.
  • In some embodiments, the network connection information pertains to bandwidth capabilities. In other embodiments, the network connection information pertains to the Internet Protocol address of the client machine 10. In still other embodiments, the network connection information consists of the Internet Protocol address of the client machine 10. In one embodiment, the network connection information comprises a network zone identifying the logon agent to which the client machine 10 provided authentication credentials.
  • In some embodiments, the authorization credentials include a number of types of authentication information, including without limitation, user names, client names, client addresses, passwords, Personal Identification Numbers (PINs), voice samples, one-time passcodes, biometric data, digital certificates, tickets, etc. and combinations thereof. After receiving the gathered information 712, the policy engine 706 makes an access control decision based on the received information 712.
  • Referring now to FIG. 7B, a block diagram depicts one embodiment of a policy engine 706, including a first component 720, including a condition database 722 and a logon agent 724, and a second component 730, including a policy database 732. The first component 720 applies a condition from the condition database 722 to information 712 received about client machine 10 and determines whether the received information 712 satisfies the condition.
  • In some embodiments, a condition may require that the client machine 10 execute a particular operating system to satisfy the condition. In other embodiments, a condition may require that the client machine 10 execute a particular operating system patch to satisfy the condition. In still other embodiments, a condition may require that the client machine 10 provide a MAC address for each installed network card to satisfy the condition. In some embodiments, a condition may require that the client machine 10 indicate membership in a particular Active Directory to satisfy the condition. In another embodiment, a condition may require that the client machine 10 execute a virus scanner to satisfy the condition. In other embodiments, a condition may require that the client machine 10 execute a personal firewall to satisfy the condition. In some embodiments, a condition may require that the client machine 10 comprise a particular device type to satisfy the condition. In other embodiments, a condition may require that the client machine 10 establish a particular type of network connection to satisfy the condition.
  • If the received information satisfies a condition, the first component 720 stores an identifier for that condition in a data set 726. In one embodiment, the received information satisfies a condition if the information makes the condition true. For example, a condition may require that a particular operating system be installed. If the client machine 10 has that operating system, the condition is true and satisfied. In another embodiment, the received information satisfies a condition if the information makes the condition false. For example, a condition may address whether spyware exists on the client machine 10. If the client machine 10 does not contain spyware, the condition is false and satisfied.
  • In some embodiments, the logon agent 724 resides outside of the policy engine 706. In other embodiments, the logon agent 724 resides on the policy engine 706. In one embodiment, the first component 720 includes a logon agent 724, which initiates the information gathering about client machine 10. In some embodiments, the logon agent 724 further comprises a data store. In these embodiments, the data store includes the conditions for which the collection agent may gather information. This data store is distinct from the condition database 722.
  • In some embodiments, the logon agent 724 initiates information gathering by executing the collection agent 704. In other embodiments, the logon agent 724 initiates information gathering by transmitting the collection agent 704 to the client machine 10 for execution on the client machine 10. In still other embodiments, the logon agent 724 initiates additional information gathering after receiving information 712. In one embodiment, the logon agent 724 also receives the information 712. In this embodiment, the logon agent 724 generates the data set 726 based upon the received information 712. In some embodiments, the logon agent 724 generates the data set 726 by applying a condition from the database 722 to the information received from the collection agent 704.
  • In another embodiment, the first component 720 includes a plurality of logon agents 724. In this embodiment, at least one of the plurality of logon agents 724 resides on each network domain from which a client machine 10 may transmit a resource request 710. In this embodiment, the client machine 10 transmits the resource request 710 to a particular logon agent 724. In some embodiments, the logon agent 724 transmits to the policy engine 706 the network domain from which the client machine 10 accessed the logon agent 724. In one embodiment, the network domain from which the client machine 10 accesses a logon agent 724 is referred to as the network zone of the client machine 10.
  • The condition database 722 stores the conditions that the first component 720 applies to received information. The policy database 732 stores the policies that the second component 730 applies to the received data set 726. In some embodiments, the condition database 722 and the policy database 732 store data in an ODBC-compliant database. For example, the condition database 722 and the policy database 732 may be provided as an ORACLE database, manufactured by Oracle Corporation of Redwood Shores, Calif. In other embodiments, the condition database 722 and the policy database 732 can be a Microsoft ACCESS database or a Microsoft SQL Server database, manufactured by Microsoft Corporation of Redmond, Wash.
  • After the first component 720 applies the received information to each condition in the condition database 722, the first component transmits the data set 726 to second component 730. In one embodiment, the first component 720 transmits only the data set 726 to the second component 730. Therefore, in this embodiment, the second component 730 does not receive information 712, only identifiers for satisfied conditions. The second component 730 receives the data set 726 and makes an access control decision by applying a policy from the policy database 732 based upon the conditions identified within data set 726.
  • In one embodiment, policy database 732 stores the policies applied to the received information 712. In one embodiment, the policies stored in the policy database 732 are specified at least in part by the system administrator. In another embodiment, a user specifies at least some of the policies stored in the policy database 732. The user-specified policy or policies are stored as preferences. The policy database 732 can be stored in volatile or non-volatile memory or, for example, distributed through multiple servers.
  • Using the policy engine 706 as just described, an access control decision based upon information received about a client machine 10 is made. Upon receiving gathered information about the client machine 10, the policy engine 706 generates a data set based upon the information. The data set contains identifiers for each condition satisfied by the received information 712. The policy engine 706 applies a policy to each identified condition within the data set 726. That application yields an enumeration of resources which the client machine 10 may access. In some embodiments, the enumeration of resources includes an enumeration of levels of access to the resource. In one of these embodiments, a plurality of allowable actions associated with the resource is enumerated. In another of these embodiments, a plurality of methods of execution of the resource is enumerated. The policy engine 706 then presents that enumeration to the client machine 10. In some embodiments, as described above in connection with FIGS. 6A and 6B, the policy engine 706 creates a Hypertext Markup Language (HTML) document used to present the enumeration to the client machine.
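The two-stage evaluation described above (conditions applied to the information 712, then policies applied only to the data set 726), as an added Python example that is not code from the patent. The attribute names, condition identifiers, patch id, method names and sample clients are all constructed for illustration, and treating a missing or non-boolean attribute as "not satisfied" is an assumption of this example.

```python
from dataclasses import dataclass
from typing import Any, Callable, Mapping

Info = Mapping[str, Any]  # information 712 reported by the collection agent


@dataclass(frozen=True)
class Condition:
    ident: str                         # identifier recorded in data set 726
    predicate: Callable[[Info], Any]
    satisfied_when: bool = True        # some conditions are satisfied when false


@dataclass(frozen=True)
class Policy:
    resource: str
    required: frozenset                # identifiers that must all be in the data set
    methods: tuple                     # methods of execution this policy grants


# Constructed condition database 722; attribute names and patch id are hypothetical.
CONDITIONS = (
    Condition("os_patched", lambda i: "PATCH-EXAMPLE-1" in i["installed_patches"]),
    Condition("av_running", lambda i: i["virus_scanner_running"]),
    Condition("fw_running", lambda i: i["personal_firewall_running"]),
    Condition("zone_internal", lambda i: i["network_zone"] == "internal"),
    # "Does spyware exist on the client?" is satisfied when it evaluates to false.
    Condition("no_spyware", lambda i: i["spyware_found"], satisfied_when=False),
)

# Constructed policy database 732; method names are hypothetical labels.
POLICIES = (
    Policy("Spreadsheet",
           frozenset({"os_patched", "av_running", "fw_running", "no_spyware"}),
           ("local", "stream")),
    Policy("Spreadsheet", frozenset({"no_spyware"}), ("virtual_machine",)),
    Policy("Customer Database",
           frozenset({"zone_internal", "av_running", "no_spyware"}),
           ("remote_server",)),
)


def first_component(info: Info, conditions=CONDITIONS) -> frozenset:
    """Apply every condition to information 712 and return data set 726."""
    satisfied = set()
    for cond in conditions:
        try:
            result = cond.predicate(info)
        except (KeyError, TypeError):
            continue  # attribute missing or malformed: condition not satisfied
        # Only a real boolean counts, so None or "no" cannot satisfy a
        # satisfied-when-false condition by accident.
        if isinstance(result, bool) and result == cond.satisfied_when:
            satisfied.add(cond.ident)
    return frozenset(satisfied)


def second_component(data_set: frozenset, policies=POLICIES) -> dict:
    """Apply policies to condition identifiers only; information 712 never reaches here."""
    enumeration: dict = {}
    for pol in policies:
        if pol.required <= data_set:
            granted = enumeration.setdefault(pol.resource, [])
            granted += [m for m in pol.methods if m not in granted]
    return {res: tuple(methods) for res, methods in enumeration.items()}


def enumerate_resources(info: Info) -> dict:
    """Resource name -> allowed methods of execution for one client."""
    return second_component(first_component(info))


# Constructed sample clients.
MANAGED_LAPTOP = {
    "installed_patches": ["PATCH-EXAMPLE-1"],
    "virus_scanner_running": True,
    "personal_firewall_running": True,
    "network_zone": "internal",
    "spyware_found": False,
}
HOME_PC = {
    "installed_patches": [],
    "virus_scanner_running": True,
    "personal_firewall_running": False,
    "network_zone": "external",
    "spyware_found": False,
}
# The agent reported nothing about patches, scanner, firewall or spyware.
KIOSK = {"device_type": "Internet kiosk", "network_zone": "external"}

if __name__ == "__main__":
    for name, info in (("laptop", MANAGED_LAPTOP), ("home", HOME_PC), ("kiosk", KIOSK)):
        print(name, sorted(first_component(info)), enumerate_resources(info))
```

Because an absent or non-boolean attribute never satisfies a condition, a client that withholds posture data is offered fewer resources rather than more.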
  • In some embodiments, the policy engine 706 transmits the enumeration to a different remote machine 30. In one of these embodiments, the remote machine 30 transmits the enumeration to the client machine 10. In another of these embodiments, the remote machine 30 applies additional policies to the enumeration. In still another of these embodiments, the remote machine is an appliance such as an application gateway or a firewall. In some of these embodiments, the policy engine 706 transmits an assigned level of action applicable to a requested resource to a remote machine 30 functioning as a broker server. The broker server establishes, responsive to the assigned level of access, a connection between the client machine 10 and a computing environment providing the requested resource.
  • Referring now to FIG. 8, a flow diagram depicts one embodiment of the steps taken to provide access to a resource. In brief overview, a request for access to a resource is received (step 802). A method for providing access to the resource is identified (step 804). An application execution server may be selected to provide access to the resource (step 806). A virtualized environment may be selected to provide access to a resource (step 808). An application streaming service may be selected to provide access to the resource (step 816). If the virtualized environment is selected to provide access to the resource, an execution machine is identified (step 810). A virtual machine is selected (step 812). The virtual machine is configured (step 814). Access to the resource is provided (step 818).
  • Still referring to FIG. 8, and in more detail, a request for access to a resource is received (step 802). In one embodiment, a remote machine 30 receives the request. In some embodiments, the remote machine 30 is an intermediate broker server. In other embodiments, the remote machine 30 is a gateway. In still other embodiments, the remote machine 30 is a policy engine. In yet other embodiments, the remote machine 30 is an appliance.
  • In one embodiment, the remote machine 30 verifies that the user is authorized to access the resource. In still another embodiment, the remote machine 30 receives with the request information verifying authorization for access by the user.
  • In one embodiment, the remote machine 30 receives a request for an application program. In another embodiment, the remote machine 30 receives a request for access to a file. In yet other embodiments, the remote machine 30 receives a request for access to a computing environment. In one of these embodiments, the computing environment is a desktop environment from which the client machine 10 may execute application programs. In another of these embodiments, the computing environment provides access to one or more application programs. In some embodiments, the remote machine 30 receives a request for access to a computing environment supported by a plurality of hardware requirements. In some embodiments, a remote machine 30 functioning as a deployment system receives a request for access to a resource, such as execution of an application program, from a client machine 10.
  • A method for providing access to the resource is identified (step 804). In one embodiment, a remote machine 30 consults a database to identify the method for providing access. In another embodiment, a remote machine 30 consults a policy or rules database to identify the method for providing access. In still another embodiment, a remote machine 30 receives from a policy engine an identification of a method to select.
  • For embodiments in which the resource is an application program, a policy may allow execution of the application program on the client machine 10. In another of these embodiments, a policy may enable the client machine 10 to receive a stream of files comprising the application program. In this embodiment, the stream of files may be stored and executed in an isolation environment on the client. In still another of these embodiments, a policy may allow execution of the application program only on a remote machine, such as an application server, and require the remote machine to transmit application-output data to the client machine 10. In yet another of these embodiments, a policy may allow execution of the application program only in a computing environment hosted on a virtual machine. In either of these cases, a stream of files comprising the application programs may be sent to the remote machine.
  • For embodiments in which the resource is a computing environment, a policy may allow installation of the computing environment on the client machine 10. In another of these embodiments, a policy may enable the client machine 10 to access a copy of the computing environment executing in a virtual machine on a remote machine 30. In still another of these embodiments, a policy may forbid the user of the client machine 10 to access the requested computing environment and offer an alternative computing environment.
  • For embodiments in which the resource is a computing environment supported by a plurality of hardware resources, a policy may enable the client machine 10 to access a copy of the computing environment executing in a virtual machine, which in turn executes on a hypervisor providing access to the requested plurality of hardware resources. In still another of these embodiments, a policy may forbid the user of the client machine 10 to access the requested computing environment and offer a computing environment supported by an alternative plurality of hardware resources.
  • The remote machine 30 may choose to provide access to an application execution server which provides access to a requested application program (step 806). The application execution server executes the application program and transmits application output data to the client machine 10. The application execution server may transmit the application output data over a presentation layer protocol, such as X11, VNC, ICA, or RDP.
  • Referring back to step 804, the remote machine 30 may choose to provide access to an application streaming service capable of transmitting a requested application program to the client machine 10 (step 816) for execution. Embodiments of application streaming services are described in greater detail below.
  • Referring back to step 804, the remote machine 30 may choose to respond to the client's request by allowing access to a computing environment provided by a virtual machine, the computing environment providing access to the requested resource (step 808). The computing environment may be provided by a virtual machine launched into a hypervisor executing on a remote machine 30′. In other embodiments, the remote machine 30 determines to provision on the client machine 10 a virtual machine providing access to the computing environment.
  • In embodiments where a remote machine 30 determines to provide access to the requested resource via a virtualized environment, the remote machine 30 identifies an execution machine providing access to a computing environment requested by the client machine 10 (step 810). In one of these embodiments, the remote machine 30 identifies an execution machine capable of hosting the computing environment. In another of these embodiments, the remote machine 30 determines that the user requesting access to the computing environment lacks authorization to access the requested computing environment. The remote machine 30 may identify an alternative computing environment which the user is authorized to access. In still another of these embodiments, the remote machine 30 identifies an execution machine on which a hypervisor provides access to a requested plurality of hardware and in which the requested computing environment may execute.
  • In other embodiments, the remote machine 30 is an execution machine capable of hosting the computing environment. In some of these embodiments, the computing environment is installed on the execution machine. In others of these embodiments, a hypervisor on the execution machine emulates a plurality of hardware resources required by the requested computing environment and the computing environment is launched in the hypervisor.
  • In some embodiments, the remote machine 30 identifies a remote machine 30′ functioning as an execution machine capable of providing access to the computing environment supported by a requested plurality of hardware resources. In one of these embodiments, the remote machine 30′ functions as an execution machine on which a hypervisor emulating the requested plurality of hardware resources executes and on which a computing environment supported by the hypervisor executes.
  • In some embodiments, an execution machine providing hardware resources, physical or virtual, capable of supporting a particular virtual machine is identified responsive to a load-balancing determination. In one of these embodiments, the execution machine is selected responsive to load-balancing information maintained by a management server 30. In some embodiments, the management server 30 is a single machine. In still other embodiments, several remote machines 30 may be capable of acting as a management server, but only one of such nodes is designated the management server. In some embodiments, a client request is directed to the management server 30 in the first instance. In other embodiments, a remote machine 30 queries the management server 30 to determine the identity of a suitable execution machine.
  • The master network information server node 30 maintains a table of addresses for the remote machines 30′, 30″. In addition, the master network information server node 30 receives messages from the remote machines 30′, 30″ indicating their level of activity, which may comprise CPU load or may comprise an identification of the number of virtual machines currently hosted by a remote machine 30′, 30″. The level of activity of the remote machines 30′, 30″ is maintained in a table along with the address of each of the remote machines 30′, 30″.
  • For embodiments in which a single management server 30 is used, it is desirable to dynamically select a master network information server node 30 from the available remote machines 30 on the network. In this way, if the active management server 30 fails, a new management server 30 may be selected as soon as the failure of the previous management server 30 is detected. In one embodiment, a management server 30 is selected by an election process among the remote machines 30.
  • In one embodiment, any machine (client machine 10 or remote machine 30) may force an election at any time by broadcasting a request election datagram to the machine farm 38. The election results are determined by a comparison of the set of election criteria which is transmitted within the request election datagram transmitted by the requesting node with the set of election criteria maintained on each receiving node. That is, the first election criterion from the datagram of the requesting node is compared by the receiving node to the first criterion of the receiving node. The highest ranking of the two criteria being compared wins the comparison and the node with that criterion wins the election. If the two criteria tie, then the next criteria are sequentially compared until the tie is broken. If a remote machine 30 receiving the request election datagram has a higher election criterion than that received in the request election datagram, the remote machine 30 receiving the request election datagram issues its own request election datagram. If the receiving remote machine 30 has lower election criteria than the criteria received in the request election datagram, the receiving remote machine 30 determines it is not the master network information server node and attempts to determine which remote machine 30 in the machine farm 38 is the management server 30.
  • In one embodiment, the criteria which determine the outcome of the election include: whether or not the node is statically configured as a master network information server node; whether the remote machine 30 has the higher master network information server software version number; whether the remote machine 30 is an NT domain controller; whether the remote machine 30 is the longest running node; and whether the remote machine 30 has a lexically lower network name. In one embodiment, the datagram structure for the election request includes an unsigned shortword for the server version number, an unsigned shortword in which the bits are flags which designate whether the node is statically configured as a master network information server node, or is executing on an NT domain controller, and an unsigned longword containing the amount of time the server has been running.
  • Periodically, the management server 30 transmits a declare message to the other remote machines 30 declaring itself to be the management server 30. If another remote machine 30 believes itself to be a management server 30, the other remote machine 30 will request an election. In this way, erroneous master network information server nodes 30 of the same protocol are detected and removed. In addition, an election will also be requested: by any remote machine 30 when that remote machine 30 reboots; by any remote machine 30 to whom the master network information server node has failed to acknowledge an update message; or by any client machine 10 to whom the master network information server node 30 has failed to respond to a request for information.
  • In more detail and referring to FIG. 9, once any remote machine 30 (which may be referred to as a node) broadcasts a request election datagram requesting an election (Step 920), the remote machine 30 receiving the request election datagram (Step 924) first compares its election criteria to the criteria in the request election datagram (Step 930) to determine if the receiving remote machine 30 has higher criteria (Step 934). If the remote machine 30 receiving the datagram has lower election criteria (Step 938) than the criteria contained in the request election datagram, the remote machine 30 receiving the request election datagram drops out of the election process and awaits the results of the election (Step 938).
  • If the remote machine 30 receiving the request election datagram has higher election criteria than that contained in the request election datagram, then the remote machine 30 receiving the request election datagram broadcasts its own request election datagram containing the remote machine's own election criteria (Step 940). If, in response to the transmission of the request election datagram by the second remote machine 30, another remote machine 30′ responds with a request election datagram with even higher election criteria, then the second remote machine 30 drops out of the election and the remote machine 30′ with higher criteria broadcasts its own request election datagram. If no other remote machine 30 responds with higher election criteria, the node which has apparently won the election for master network information server node sends n more election requests (in one embodiment, three requests) (Step 956), and then, if still no other remote machine 30 responds with higher election criteria, the remote machine 30 which has sent the n election requests is the new management server 30.
  • After the election has occurred and the new management server 30 has been determined, all the remote machines 30 send all of their configured gateway addresses to the new network information server node 30. In this way the new management server 30 becomes a gateway node.
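  • The election described above, sketched as an added Python example that is not part of the patent text. The byte order, the flag bit positions, the `Criteria` and `run_election` names, carrying the network name outside the packed fields, and the constructed `ELECTION_FARM` are all assumptions made for illustration.

```python
import struct
from dataclasses import dataclass

# The page names three fields and their widths (shortword, shortword,
# longword) but not byte order or bit positions; both are assumed here.
ELECTION_FMT = "!HHI"                 # version, flags, uptime in seconds
FLAG_STATIC_MASTER = 0x0001           # assumed bit position
FLAG_NT_DOMAIN_CONTROLLER = 0x0002    # assumed bit position


@dataclass(frozen=True)
class Criteria:
    name: str               # network name, used only as the last tie-breaker
    version: int
    static_master: bool
    domain_controller: bool
    uptime: int

    def pack(self) -> bytes:
        flags = (FLAG_STATIC_MASTER if self.static_master else 0) | (
            FLAG_NT_DOMAIN_CONTROLLER if self.domain_controller else 0)
        return struct.pack(ELECTION_FMT, self.version, flags, self.uptime)

    @classmethod
    def unpack(cls, name: str, payload: bytes) -> "Criteria":
        if len(payload) != struct.calcsize(ELECTION_FMT):
            raise ValueError("malformed election datagram")
        version, flags, uptime = struct.unpack(ELECTION_FMT, payload)
        return cls(name, version, bool(flags & FLAG_STATIC_MASTER),
                   bool(flags & FLAG_NT_DOMAIN_CONTROLLER), uptime)

    def outranks(self, other: "Criteria") -> bool:
        """Compare criterion by criterion, in the order the page lists them."""
        pairs = [
            (self.static_master, other.static_master),
            (self.version, other.version),
            (self.domain_controller, other.domain_controller),
            (self.uptime, other.uptime),
        ]
        for mine, theirs in pairs:
            if mine != theirs:          # first criterion that differs decides
                return mine > theirs
        return self.name < other.name   # lexically lower network name wins


def run_election(nodes, requester_name, confirm_rounds=3):
    """Simulate FIG. 9; returns (winner name, broadcasts in order sent)."""
    by_name = {node.name: node for node in nodes}
    candidate = by_name[requester_name]
    broadcasts = [candidate.name]
    while True:
        # Receivers see only what the datagram carries, so round-trip it.
        received = Criteria.unpack(candidate.name, candidate.pack())
        challengers = [node for node in nodes
                       if node.name != candidate.name
                       and node.outranks(received)]
        if not challengers:
            break
        # Every challenger would broadcast; the simulation lets the first
        # one in list order go next, and the loop converges either way.
        candidate = challengers[0]
        broadcasts.append(candidate.name)
    # The apparent winner repeats its request n more times (three here).
    broadcasts.extend([candidate.name] * confirm_rounds)
    return candidate.name, broadcasts


# Constructed sample farm, not taken from the page.
ELECTION_FARM = [
    Criteria("alpha", 4, False, False, 1000),
    Criteria("bravo", 5, False, False, 50),
    Criteria("charlie", 5, False, True, 10),
    Criteria("delta", 3, True, False, 1),
]

if __name__ == "__main__":
    print(run_election(ELECTION_FARM, "alpha"))
```

  • Because the comparison stops at the first criterion that differs, the statically configured node in the sample wins despite having the oldest software version and the shortest uptime, so that flag is the setting most worth keeping under configuration control.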
  • Referring again to FIG. 1, once the management server 30 is elected, the remote machines 30 send update datagrams to the master network information server 30 providing information about each remote machine 30 transmitting the update datagram. In one embodiment, the update datagram sent to the master network information server node 30 from a remote machine 30 includes: the remote machine 30 name; the network address; the cluster name; the network transport protocol; the total number of remote machines 30 configured with this transport; the number of ports available for connection with a client using this transport protocol; the total number of users permitted to be active at one time; number of available user slots; and server load level. Upon receipt of the update datagram, the master network information server node 30 returns an acknowledgment to the remote machines 30 that transmitted the update datagram indicating that the update datagram was received. If the remote machine 30 transmitting the update datagram does not receive an acknowledgment from the master network information server node 30, the transmitting remote machine 30 assumes that the master network information server node 30 has failed and transmits an election request.
  • In more detail and referring to FIG. 10, a remote machine 30, after the election of a management server 30, waits a random period of time and then sends a datagram to the management server 30 with its latest load information (Step 1000). In one embodiment the delay is between four and six seconds. If the management server 30 receives (Step 1008) an update datagram from a remote machine 30, then the master network information server node 30 replies to the transmitting remote machine 30 with an acknowledgment (Step 1010) and forwards the data to any remote machine 30 configured as a gateway node. If the master network information server 30 fails to receive data from a remote machine 30 (Step 1008), then the master network information server 30 discards the old data from the remote machine 30 after a predetermined amount of time (Step 1020).
  • If the remote machine 30 does not receive an acknowledgment from the master network information server node 30 after the remote machine 30 has sent an update datagram (Step 1028), the remote machine 30 retransmits the update datagram. The remote machine 30 will attempt n retransmits (in one embodiment three) before it assumes that the master network information server 30 has failed and then transmits an election request (Step 1030). If the remote machine 30 receives an acknowledgment, then it periodically updates the master network information server node 30, in one embodiment every 5 to 60 minutes (Step 1040).
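  • The update and acknowledgment exchange of FIG. 10, as an added Python example that is not part of the patent text. It models both sides with a simulated clock; the class and function names, the `max_age` value for the "predetermined amount of time", the sample addresses and the report times are assumptions.

```python
import random
from dataclasses import dataclass


@dataclass
class Entry:
    address: str
    load: int
    last_seen: float


class MasterTable:
    """Master side: address and activity level for each remote machine."""

    def __init__(self, max_age: float):
        self.max_age = max_age      # assumed value; the page gives none
        self.entries = {}

    def on_update(self, name, address, load, now) -> bool:
        self.entries[name] = Entry(address, load, now)
        return True                 # the acknowledgment (Step 1010)

    def expire(self, now):
        """Discard data from machines that have stopped reporting."""
        stale = sorted(name for name, entry in self.entries.items()
                       if now - entry.last_seen > self.max_age)
        for name in stale:
            del self.entries[name]
        return stale


class Node:
    """Remote machine side: report load, retransmit, then call an election."""

    def __init__(self, name, address, retransmits=3):
        self.name = name
        self.address = address
        self.retransmits = retransmits
        self.sent = 0

    def report(self, send, load, now) -> str:
        # One update plus up to `retransmits` retransmissions.
        for _ in range(1 + self.retransmits):
            self.sent += 1
            if send(self.name, self.address, load, now):
                return "acked"
        return "request-election"   # master presumed failed (Step 1030)


def first_report_delay(rng: random.Random) -> float:
    """Random wait of four to six seconds before the first update."""
    return rng.uniform(4.0, 6.0)


def simulate(master_fails_at, report_times, max_age=900.0):
    """Run one node against a master that stops answering at a given time."""
    master = MasterTable(max_age)
    node = Node("srv-a", "10.0.0.11")   # constructed sample values

    def send(name, address, load, now):
        if now >= master_fails_at:
            return False                # datagram goes unacknowledged
        return master.on_update(name, address, load, now)

    outcomes = [(t, node.report(send, 40, t)) for t in report_times]
    return outcomes, node.sent


if __name__ == "__main__":
    print(simulate(master_fails_at=400.0, report_times=[5.0, 305.0, 605.0]))
```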
  • In some embodiments, a remote machine's participation in the activities just described is controlled by a virtual machine executing in the hypervisor rather than by an operating system. FIG. 11 is a block diagram depicting one embodiment of a machine farm 38 including first and second network management processes. The first network management process 1110 executes in a native operating system 1105 (such as WINDOWS NT) and accesses a native memory element storing (i) a data table and (ii) at least one election criteria for allowing the first network management process 1110 to be dynamically selected as a management process, the data table having an entry for each of said at least two network management processes. The second network management process 1120 executes in a virtualized operating system 1115 and accesses a virtualized memory element storing (i) a data table and (ii) at least one election criteria for allowing the second network management process 1120 to be dynamically selected as the management process, the data table having an entry for each of said at least two network management processes. The client machine 10 communicates with the one of the first network management process 1110 and the second network management process 1120 selected as the management process and receives from the management process an address of a remote machine 30 with which to communicate. In some embodiments, a plurality of client machines 10 is in communication with a master network information process.
  • The first network management process 1110 executes in a native operating system 1105. The second network management process 1120 executes in a virtualized operating system 1115. In one embodiment, the at least two network management processes are grouped into clusters. In another embodiment, one of the at least two network processes is a gateway process. In still another embodiment, the gateway process is a master network management process. In some embodiments, the master network management process is selected by a process comprising the steps of (a) broadcasting an election datagram to the at least two network management processes, the election datagram comprising election criteria; and (b) selecting a master network management process in response to the election criteria. In one of these embodiments, the master network management process broadcasts a declare datagram to detect multiple master network management processes using the same transport protocol. In another of these embodiments, the master network management process is selected by a process that occurs after an event selected from the group of events consisting of: a system reboot, a master network management process failing to respond to a datagram sent from a network management process, a master network management process failing to respond to a request from a client machine, detection of at least two master network management processes configured with the same transport, and a new network management process appearing on said network.
  • In one embodiment, the management process is elected as described above in connection with FIGS. 9 and 10.
  • In some embodiments, the network includes a third network management process using a different network transport protocol from the first network management process. In one of these embodiments, the third network management process comprises a master network management process for the different network transport protocol.
  • For embodiments in which machine farm management is decentralized, each remote machine 30 may include a load management subsystem (LMS) providing a load management capability. In general, the LMS manages overall server and network load to minimize response time to client requests.
  • In some embodiments, an apparatus for selecting a server from a network plurality of servers to service a client request comprises a plurality of network management processes. In one of these embodiments, each of said plurality of network management processes includes an event bus and a subsystem in communication with the event bus. In another of these embodiments, a first one of the plurality of network management processes receives from a client machine a request for access to a computing resource and sends the client request to a second one of the plurality of network management processes. In still another of these embodiments, the second one of the plurality of network management processes executes in a virtualized operating system and comprises a dynamic store and a load management subsystem.
  • The dynamic store loads information associated with at least some of the plurality of network management processes in a virtualized memory element. In some embodiments, the dynamic store contains information relating to server processor load. In other embodiments, the dynamic store contains information relating to server input/output transaction load.
  • The load management subsystem (i) receives, via said event bus, a request to identify a server for servicing a client request, (ii) retrieves from said dynamic store the loading information, (iii) chooses, based on the retrieved loading information, one of the plurality of servers for servicing the client request, and (iv) transmits, via said event bus, a message including information identifying the chosen server. In some embodiments, the load management subsystem stores run-time information in the dynamic store at predetermined intervals. In other embodiments, the apparatus further includes a persistent store, the load management subsystem in communication with the persistent store via the event bus, the persistent store containing an identification of at least one rule to be used to manage server load.
  • In one embodiment, the LMS is rule-based, and an administration tool can be used to modify or create rules for managing server load. A rule is one or more criteria that influence how an LMS will direct requests. Rules may be individualized to a specific remote machine 30. Rules can also be individualized to a specific application or computing environment on a per-server basis. That is, one or more rules may be associated with a copy of an application or a computing environment residing on a first remote machine 30 in the machine farm 38 and different rules may be associated with a copy of the same application or computing environment residing on a second remote machine 30 in a machine farm 38. The output of rules individualized to a specific application may be combined with the output of general server rules to direct a client request.
  • Rules use the output from one or more operational meters. Operational meters may measure any aspect of server performance and the result is used by rules to help determine which remote machine 30 is most appropriate to service a client request. For example, operational meters may measure: processor load; context switches; memory usage; page faults; page swaps; transmission rate of input/output reads or writes; number of input/output operations performed; or number of virtual machines hosted. In one embodiment, operational meters are used by an LMS to measure server performance during the occurrence of certain events such as a request for a client connection. In another embodiment, operational meters are used by an LMS to measure server performance at predetermined intervals, which may be configured by an administrator. An LMS on each remote machine 30 in the machine farm 38 evaluates various performance metrics for the remote machine 30 for each predetermined period of time and stores that information in the dynamic store. For example, every thirty seconds, an evaluation of server load may include a query to operational meters for the server's CPU utilization and memory utilization. The results from the query will be used, in conjunction with other applicable load factors, to calculate a load number for this server load. The new load number is then sent to the dynamic store.
  • Rules and operational meters are, in one embodiment, executable code modules that query specific system conditions, resources, and performance metrics for remote machines 30 in the machine farm 38. Some of the rules accept user-configurable parameters that are entered by the administrator via the administration tool. Rules may be provided to the LMS using a dynamic link library (“DLL”), and the rules and rule parameters applicable to a specific server may be stored in the persistent store. That is, the administrator's selection of rules is stored, together with a weighting factor and applicable settings associated with those rules, in the persistent store. For example, some operational meters may measure load at a predetermined interval; the predetermined interval may be set by the administrator.
  • Examples of conditional rules that may be used by the LMS to determine to which remote machine 30 to direct a request include: whether the number of client machines 10 that may connect to a remote machine 30 is limited; whether the number of client sessions that may be serviced by a remote machine 30 is limited; whether the number of virtual machines that may be hosted by a remote machine 30 is limited; the number of application or connection licenses available to a remote machine 30; whether the application requested by the client machine 10 is currently executing on the remote machine 30; whether a client is physically proximate to, or is connected by a high bandwidth link to, a server; and whether a client request is being made during a time period for which the remote machine 30 is available to service client requests.
  • A set of rules may be grouped together by the group subsystem 300 to form a load evaluator associated with a particular server or a particular application. A server load evaluator is a load evaluator that applies to all applications published on the server. An application load evaluator is a load evaluator that encapsulates rules specific to certain applications. In one embodiment, loads for published application programs are the sum of a server load evaluator and an application load evaluator. The load evaluator associated with a particular server may be stored in the persistent store 230. When an LMS initializes, it queries persistent store 230 to determine whether a load evaluator is associated with the remote machine 30 on which the LMS resides. If so, the rules and operational meters are loaded and the LMS begins using those elements of the load evaluator. The outputs of the constituent parts of the load evaluator are combined to calculate composite indicia of the load on particular servers, and each LMS stores the results of its load evaluator in the dynamic store. Each rule encapsulated in a load evaluator may have a configurable weighting factor. Many rules have user-configurable parameters that control the way LMS loads are calculated. For example, in one embodiment, a CPU Utilization rule has two parameters: Report Full Load when processor utilization is greater than X percent; report no load when processor utilization is less than X percent. In one particular embodiment, the load reported by a load evaluator equals the sum of each rule's load times each rule's weight.
  • In another example, a remote machine 30 that hosts four applications may have three load evaluators with which it is associated. The server itself and a first application may be associated with a first load evaluator, the second and third applications may be associated with a second load evaluator, and the fourth application may be associated with a third load evaluator. When the remote machine 30 boots, it reads the first, second, and third load evaluators from the persistent store 230. Periodically (or perhaps after certain events) the remote machine 30 calculates the output for each of the load evaluators and sends those values to the dynamic store. When a connection request is received, those values are used to determine if the remote machine 30 should service a client request.
  • For example, using operational meters the LMS can obtain information about the processor load on a particular remote machine 30, the memory load on that remote machine 30, and the network load of that remote machine 30. The LMS combines these results to obtain an overall load number that indicates the total aggregate load on that remote machine 30. In determining the aggregate load, the load evaluator may weight each piece of information differently. For embodiments in which a rule is associated with a remote machine 30, the rule may disqualify a remote machine 30 from servicing a client request. For example, a rule may limit the number of client sessions a remote machine 30 may initiate. In this embodiment, if a remote machine 30 is currently servicing the maximum number of client sessions allowed by the rule, it will not be chosen by the LMS to service a new client request, even if the outputs of its operational meters indicate that it is the most favorable remote machine 30 to which to route the client request.
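  • The load evaluator arithmetic and the disqualifying session-limit rule described above, as an added Python example that is not part of the patent text. The class names, the linear scaling between the no-load and full-load thresholds, the meter names and the constructed `LOAD_FARM` values are assumptions; the page specifies only the weighted sum, the two thresholds and the server-plus-application combination.

```python
from dataclasses import dataclass, field


@dataclass
class ThresholdRule:
    """Maps one operational meter to a load between 0.0 and 1.0."""
    meter: str
    no_load_below: float
    full_load_above: float
    weight: float = 1.0

    def load(self, meters: dict) -> float:
        value = meters[self.meter]
        if value <= self.no_load_below:
            return 0.0
        if value >= self.full_load_above:
            return 1.0
        # Linear scaling between the thresholds is an assumption.
        span = self.full_load_above - self.no_load_below
        return (value - self.no_load_below) / span


@dataclass
class SessionLimitRule:
    """Disqualifies a server that is already at its session limit."""
    max_sessions: int

    def permits(self, meters: dict) -> bool:
        return meters["sessions"] < self.max_sessions


def evaluate(rules, meters) -> float:
    """Load evaluator output: sum of each rule's load times its weight."""
    return sum(rule.load(meters) * rule.weight for rule in rules)


@dataclass
class Server:
    name: str
    meters: dict
    server_rules: list
    limits: list = field(default_factory=list)
    app_rules: dict = field(default_factory=dict)   # per-application rules

    def load_for(self, app: str):
        """Server evaluator plus application evaluator, or None if barred."""
        if not all(limit.permits(self.meters) for limit in self.limits):
            return None
        return (evaluate(self.server_rules, self.meters)
                + evaluate(self.app_rules.get(app, []), self.meters))


def choose_server(farm, app):
    """Return (name of least-loaded eligible server or None, all loads)."""
    loads = {server.name: server.load_for(app) for server in farm}
    eligible = {name: load for name, load in loads.items() if load is not None}
    if not eligible:
        return None, loads
    return min(eligible, key=lambda name: (eligible[name], name)), loads


def _server_rules():
    return [ThresholdRule("cpu", 10, 90, weight=2.0),
            ThresholdRule("memory", 20, 80, weight=1.0)]


# Constructed sample farm, not taken from the page.
LOAD_FARM = [
    Server("srv-a", {"cpu": 20, "memory": 30, "io_ops": 100, "sessions": 50},
           _server_rules(), [SessionLimitRule(50)]),
    Server("srv-b", {"cpu": 55, "memory": 60, "io_ops": 800, "sessions": 10},
           _server_rules(), [SessionLimitRule(50)],
           {"editor": [ThresholdRule("io_ops", 0, 1000, weight=1.0)]}),
    Server("srv-c", {"cpu": 90, "memory": 40, "io_ops": 200, "sessions": 5},
           _server_rules(), [SessionLimitRule(50)],
           {"editor": [ThresholdRule("io_ops", 0, 1000, weight=0.5)]}),
]

if __name__ == "__main__":
    print(choose_server(LOAD_FARM, "editor"))
    print(choose_server(LOAD_FARM, "shell"))
```

  • In the sample, srv-a has the lowest meter readings but is excluded by its session limit, and the per-server application rules move the "editor" request to srv-c even though the server rules alone favor srv-b.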
  • Referring back to FIG. 8, after an execution machine has been selected, a virtual machine providing a requested computing environment is identified (step 812). In some embodiments, declarative policies such as rules databases, policy databases or scripts are consulted to direct requests to a virtual machine. In other embodiments, a remote machine 30 functioning as an application server hosting a plurality of virtual machines is identified. In one of these embodiments, one of the plurality of virtual machines hosted by the application server may be selected and associated with the client machine 10. In another of these embodiments, an identifier for the selected virtual machine may be transmitted to the client machine 10.
  • In some embodiments, a session management component identifies the virtual machine. In one of these embodiments, an intermediate machine 30 receiving the request invokes a session management component. In another of these embodiments, the intermediate machine launches the session management component in a terminal services session executing on the intermediate machine. In still another of these embodiments, the intermediate machine launches the session management component in a terminal services session executing on the identified execution machine.
  • In one embodiment, the session management component provides functionality for identifying a location of a virtual machine providing access to a computing environment. In still another embodiment, the session management component is provided as a program module published on a server, such as an application server. In yet another embodiment, the session management component identifies, launches, and monitors virtual machines.
  • In some embodiments, the session management component communicates with a virtual machine management component to identify a virtual machine. In one of these embodiments, the virtual machine management component provides functionality for locating virtual machines. In another of these embodiments, the virtual machine management component provides functionality for allocating an available virtual machine to a user from a plurality of available virtual machines. In still another embodiment, the virtual machine management component provides functionality for reallocating shared virtual machines to the plurality of available virtual machines. In yet another embodiment, the virtual machine management component provides functionality for tracking a state associated with a virtual machine for each virtual machine in a plurality of virtual machines.
  • Referring now to FIG. 12, a block diagram depicts one embodiment of a virtual machine management component 1200. In one embodiment, the virtual machine management component 1200 provides functionality for accessing and updating a database including a virtual machine catalog. In another embodiment, the virtual machine management component 1200 provides functionality for allowing an administrator or virtual machine provisioning system to add, remove, or modify entries in the database including a virtual machine catalog. In some embodiments, the virtual machine management component 1200 includes a virtual machine providing administrative functionality. In other embodiments, the virtual machine component 1200 includes a virtual machine providing management functionality.
  • In some embodiments, the virtual machine management component 1200 may receive a request from a provisioning system or from a session management component. In one of these embodiments, a provisioning system contacts the virtual machine management component 1200 when a virtual machine is created or destroyed. In another of these embodiments, the session management component contacts the virtual machine management component 1200 when the session management component is invoked to request a virtual machine to launch. In still another of these embodiments, the session management component contacts the virtual machine management component 1200 when the session management component identifies a change in a state of a launched virtual machine. The session management component may send messages, such as heartbeat messages, to the virtual machine management component 1200 while a virtual machine is active. If the virtual machine may be accessed by more than one user, the virtual machine management component 1200 may reassign the virtual machine to the plurality of available virtual machines after a user has terminated a session with the virtual machine.
  • In some embodiments, virtual machines of the same machine type may be categorized into a plurality of standard operating environments (SOE). In one of these embodiments, an SOE may be a group of virtual machine images of a particular configuration that implement the function of a particular Machine Type, e.g. a machine type “C++ Developer Workstation” may have one SOE containing images with WinXP Pro SP2 with Visual Studio 2003 installed and another SOE containing images with Win Vista with Visual Studio 2005 installed.
  • In other embodiments, the virtual machine management component 1200 may provide functionality for one or more of the following actions related to a standard operating environment (an SOE): creating an SOE, updating an SOE, deleting an SOE, finding an SOE, and retrieving an SOE. In still another embodiment, the virtual machine management component 1200 may provide functionality for one or more of the following actions related to virtual machines: create a virtual machine, update a virtual machine, delete a virtual machine, find a virtual machine, and assignment to or removal from a standard operating environment.
  • A machine type may refer to a non-technical description of a computing environment provided by a virtual machine. Some examples of machine types are “C++ Developer Workstation” or “Secretarial Workstation.” Many virtual machines may be grouped in a single machine type. In one embodiment, the virtual machine management component 1200 may provide functionality for one or more of the following actions related to machine types: creating machine types, updating a machine type, deleting a machine type, finding a machine type, and retrieving a machine type.
  • In some embodiments, the virtual machine management component 1200 may provide functionality for creating virtual machines. In one of these embodiments, an administrator or provisioning service creates a new machine type in a database of virtual machines. The machine type is given a meaningful name such as “HR Manager Workstation.” In one embodiment, the machine type name is the name for a class of standard operating environment (SOE) rather than a specific SOE, and multiple SOEs may be assigned to the machine type name. In another embodiment, the machine type may be used to publish the class of virtual machines.
  • In another of these embodiments, a standard operating environment (SOE) is created for the machine type and assigned to the machine type in the database of virtual machines. In one embodiment, the SOE is a virtual machine with a specific hardware and software configuration. A snapshot of the SOE virtual machine may be taken and used as a template for virtual machine clones. In one embodiment, clones of the SOE virtual machine are assigned to users.
  • In one embodiment, an administrator clones an SOE for use by users by creating linked clones of the snapshot of the SOE virtual machine. The linked clone virtual machines may be created in consecutively numbered subfolders in the SOE folder. The linked clones of the SOE may be assigned to the SOE in the database of virtual machines.
  • In another embodiment, an administrator updates a machine type by creating a new SOE, and new linked clones of the SOE. The administrator updates an SOE pointer within a machine type record in the database of virtual machines to point to the new SOE, and marks the old SOE as being superseded. The administrator may create the new SOE by creating a new virtual machine and installing the software, or by creating a full clone of an existing SOE and updating it. As an example, the administrator could create a new virtual machine and install Microsoft Windows XP Professional, followed by Windows XP SP1, followed by Microsoft Office 2003, or the administrator could have taken a full clone of an existing SOE with Windows XP and Microsoft Office 2003 already installed and installed Windows XP SP1 to achieve the same SOE. The new SOE may be created in a new SOE folder and a new SOE record is created in the database of virtual machines. Linked clones of the superseded SOE can be deleted when users have finished with them and the superseded SOE can be deleted when all linked clones have been deleted.
  • In some embodiments, a virtual machine may be designated as a shared virtual machine. In one of these embodiments, a shared virtual machine is an instance of a virtual machine image that is designated for use by multiple users. In another of these embodiments, the shared virtual machine is used by one user at a time and returned to a pool of available virtual machines when not in use. In still another of these embodiments, as the image of a shared virtual machine is executed, users may change the image but may not persist any changes to the image once it is shut down. In this embodiment, all changes are discarded when the image is shut down or a user terminates a session.
  • In other embodiments, a virtual machine may be designated as a private virtual machine. In one of these embodiments, a private virtual machine is an instance of a virtual machine image that is designated for use by a specific user. Only that user may be allocated to the image, launch the image, or execute the image. In another of these embodiments, private images will be configured to permit changes to be persisted when the image is shut down. In still another of these embodiments, changes may be configured to be discarded upon image shutdown as per shared images, depending on the requirements of the user.
  • In some embodiments, a session management component is launched and identifies a virtual machine. In one of these embodiments, the session management component transmits an identification of a user and a virtual machine type identified responsive to a request for access to a resource to the virtual machine management component 1200. In another of these embodiments, the session management component requests an identification of a specific virtual machine to launch. In still another of these embodiments, the session management component requests an identification of a location of the configuration and virtual disk files of the identified virtual machine.
  • In some embodiments, a virtual machine is identified responsive to the received identification of the user of the requesting machine. In other embodiments, a virtual machine is identified responsive to a request by the user for a type of virtual machine. In still other embodiments, a virtual machine is identified responsive to a request by the user for a type of computing environment.
  • In some embodiments, the virtual machine management component 1200 transmits to the session management component an identification of a specific virtual machine to launch. In one of these embodiments, the session management component then proceeds to launch the virtual machine. In another of these embodiments, the virtual machine management component launches the virtual machine.
  • In other embodiments, the virtual machine management component transmits to the session management component an identification of a plurality of virtual machines to launch. In one of these embodiments, the session management component may present an enumeration of available virtual machines to a user. In another of these embodiments, the session management component receives a selection of a virtual machine from the enumeration of available virtual machines and the session management component launches the selected virtual machine. In still other embodiments, the virtual machine management component transmits to the session management component an indication that no virtual machines are available for the user requesting the access. In yet other embodiments, the virtual machine management component 1200 transmits to the session management component an indication that an existing, executing virtual machine has now been allocated to the user.
  • In yet other embodiments, the virtual machine management component transmits to the session management component an identification of an available virtual machine responsive to accessing a database storing information associated with a plurality of virtual machines, the information including, but not limited to, an identification of the plurality of virtual machines, an identification of a location of files associated with the plurality of virtual machines, an identification of an access control list associated with the plurality of virtual machines, and an indication of availability of the plurality of virtual machines.
  • In one embodiment, when a virtual machine has been identified as a machine to launch, the virtual machine management component 1200 modifies an access control list associated with the virtual machine responsive to the identification of the user received from the session management component in the initial request. In another embodiment, the virtual machine management component 1200 modifies the access control list to allow the virtual machine to be launched for the user. In still another embodiment, the virtual machine management component 1200 transmits additional information associated with the virtual machine to the session management component. The additional information may include network share details relating to a folder storing files associated with the virtual machine. In yet another embodiment, the session management component uses the additional information to map the folder to a mount point, such as a drive letter, in the virtual machine.
  • In some embodiments, virtual machine images—configuration and data files comprising the virtual machine—are stored on a storage area network. In other embodiments, virtual machine images are stored in network attached storage. In one of these embodiments, a file server in communication with the storage area network makes the virtual machine images accessible as if they were located on network attached storage.
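  • The allocation behaviour described above for the virtual machine management component 1200 (a machine type pointing at a current SOE, shared and private virtual machines, and an access control list modified when a machine is identified for a user) can be modelled as below. This is an added example, not code from the patent; the class and method names, the in-memory catalog, the sample data, and the release of an allocation after missed heartbeats are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class VirtualMachine:
    vm_id: str
    soe: str                                    # SOE this linked clone was created from
    owner: Optional[str] = None                 # set for a private VM, None for a shared VM
    acl: Set[str] = field(default_factory=set)  # users currently allowed to launch
    allocated_to: Optional[str] = None
    last_heartbeat: float = 0.0


class VmCatalog:
    """In-memory stand-in for the database including a virtual machine catalog."""

    def __init__(self, heartbeat_timeout: float = 90.0):  # timeout value is an assumption
        self.current_soe: Dict[str, str] = {}   # machine type -> current SOE
        self.soe_type: Dict[str, str] = {}      # SOE -> machine type
        self.superseded: Set[str] = set()
        self.vms: Dict[str, VirtualMachine] = {}
        self.heartbeat_timeout = heartbeat_timeout

    def publish_soe(self, machine_type: str, soe: str) -> None:
        """Point the machine type at a new SOE and mark the old one superseded."""
        old = self.current_soe.get(machine_type)
        if old is not None and old != soe:
            self.superseded.add(old)
        self.current_soe[machine_type] = soe
        self.soe_type[soe] = machine_type

    def add_clone(self, vm: VirtualMachine) -> None:
        if vm.owner is not None:
            vm.acl = {vm.owner}   # a private VM is only ever launchable by its owner
        self.vms[vm.vm_id] = vm

    def allocate(self, user: str, machine_type: str, now: float) -> Optional[VirtualMachine]:
        soe = self.current_soe.get(machine_type)
        if soe is None:
            return None
        # 1. A VM of this type the user already holds, possibly on a superseded SOE.
        for vm in self.vms.values():
            if vm.allocated_to == user and self.soe_type.get(vm.soe) == machine_type:
                return vm
        free = [vm for vm in self.vms.values()
                if vm.soe == soe and vm.allocated_to is None]
        # 2. The user's own private VM, otherwise 3. a shared VM from the pool.
        pick = next((vm for vm in free if vm.owner == user), None) \
            or next((vm for vm in free if vm.owner is None), None)
        if pick is None:
            return None           # the "no virtual machines are available" answer
        pick.allocated_to = user
        pick.acl.add(user)        # ACL modified responsive to the user's identity
        pick.last_heartbeat = now
        return pick

    def may_launch(self, user: str, vm_id: str) -> bool:
        """Launch check: the user must hold the allocation and be on the ACL."""
        vm = self.vms.get(vm_id)
        return vm is not None and vm.allocated_to == user and user in vm.acl

    def heartbeat(self, vm_id: str, now: float) -> None:
        self.vms[vm_id].last_heartbeat = now

    def release(self, vm_id: str) -> None:
        vm = self.vms[vm_id]
        if vm.owner is None:
            vm.acl.clear()        # shared VM goes back to the pool with no residual grant
        vm.allocated_to = None

    def reap_stale(self, now: float) -> List[str]:
        """Assumed policy: release allocations whose heartbeats have stopped."""
        stale = [vm.vm_id for vm in self.vms.values()
                 if vm.allocated_to is not None
                 and now - vm.last_heartbeat > self.heartbeat_timeout]
        for vm_id in stale:
            self.release(vm_id)
        return stale

    def deletable_clones(self) -> List[str]:
        """Clones of a superseded SOE that no user is still using."""
        return sorted(vm.vm_id for vm in self.vms.values()
                      if vm.soe in self.superseded and vm.allocated_to is None)


def demo_catalog() -> VmCatalog:
    """Constructed sample data: one shared clone and one private clone."""
    cat = VmCatalog()
    cat.publish_soe("HR Manager Workstation", "soe-1")
    cat.add_clone(VirtualMachine("soe-1/001", "soe-1"))
    cat.add_clone(VirtualMachine("soe-1/002", "soe-1", owner="alice"))
    return cat
```

Clearing the ACL entry when a shared machine is released is the step that keeps a previous user from relaunching a machine that has since been reallocated.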
  • Referring back to FIG. 8, an identified virtual machine is configured (step 814). In brief overview, an execution machine identified by the intermediate machine executes a hypervisor emulating hardware resources required by the requested computing environment. A session management component launches a configured virtual machine in the hypervisor. The virtual machine is configured for a particular client machine 10. A connection is established between the client machine and the virtual machine.
  • Referring now to FIG. 13, a block diagram depicts one embodiment of a session management component 1300 in a system providing access to a computing environment by an intermediate machine to a requesting machine. In brief overview, the session management component 1300 includes an identification component 1302, an execution component 1304, and a management component 1306.
  • The identification component 1302 is in communication with a virtual machine management component and receives an identification of a virtual machine providing a requested computing environment. In some embodiments, the identification component 1302 is in communication with the virtual machine management component 1200. In one embodiment, the identification component 1302 receives an identification of an execution machine 30′ into which to launch the virtual machine. In some embodiments, the identification component 1302 identifies an execution machine on which a required hypervisor executes and into which to launch the virtual machine. In other embodiments, the identification component 1302 receives an identification of the execution machine. In one of these embodiments, the identification component 1302 receives the identification from the intermediate machine 30.
  • In some embodiments, the identification component 1302 further comprises a transceiver. In one of these embodiments, the transceiver in the identification component 1302 receives an identification of a user of the requesting machine and transmits the identification of the user to the virtual machine management component. In another of these embodiments, the transceiver receives an identification by a user of a type of computing environment requested and transmits the identification to the virtual machine management component 1200. In still another of these embodiments, the transceiver receives an identification by a user of a type of virtual machine requested and transmits the identification of the type of virtual machine requested to the virtual machine management component 1200.
  • In some embodiments, the identification component 1302 receives an identification of a virtual machine providing a requested computing environment, the virtual machine selected responsive to a received identification of a user of the requesting machine. In other embodiments, the identification component 1302 receives an identification of a virtual machine providing a requested computing environment, the virtual machine selected responsive to a received identification of a type of computing environment requested. In other embodiments, the identification component 1302 receives an identification of a virtual machine providing a requested computing environment, the virtual machine selected responsive to a received identification of a type of virtual machine requested.
  • The execution component 1304 launches the virtual machine into a hypervisor. In one embodiment, the hypervisor executes on an execution machine 30′. In another embodiment, the execution component 1304 is in communication with the identification component. In still another embodiment, the execution component 1304 receives from the identification component 1302 an identification of an execution machine 30′ executing a hypervisor into which to launch the virtual machine. In yet another embodiment, the execution component 1304 launches the virtual machine into a hypervisor emulating hardware resources required to support the computing environment. In some embodiments, a virtual machine service component executes in the hypervisor. In other embodiments, a virtual machine service component executes in a guest operating system provided by a virtual machine executing in the hypervisor. In one of these embodiments, the virtual machine service component is in communication with the session management component 1300 and receives configuration information associated with the client machine 10.
  • The management component 1306 establishes a connection between the requesting machine and the virtual machine and manages the connection. In one embodiment, the management component 1306 provides an internet protocol address associated with the virtual machine to the user of the requesting machine. In another embodiment, the management component 1306 provides an internet protocol address associated with an execution machine to the user of the requesting machine. In still another embodiment, the management component 1306 provides a proxy for communication between the requesting machine and the virtual machine. In yet another embodiment, the management component 1306 establishes a connection between the requesting machine and the virtual machine using a presentation layer protocol.
  • Although described above as separate functional entities, it should be understood that the identification component 1302, the execution component 1304 and the management component 1306 may be provided as a single functional unit or the functions provided by those components may be grouped into two or more components.
  • In some embodiments, the session management component 1300 establishes and manages a user's virtual machine session. In one of these embodiments, the session management component 1300 provides functionality for, without limitation, locating a virtual machine, launching a hypervisor, launching a virtual machine in the hypervisor, connecting a user to the virtual machine, and managing the established connection. In another of these embodiments, the session management component 1300 publishes a plurality of available virtual machines. In still another of these embodiments, the session management component 1300 provides, without limitation, enumeration into client drives, mapping of client drives to shared folders on the virtual machine, monitoring of the hypervisor, monitoring of an operating system provided by the virtual machine, and a virtual machine control panel to the user.
  • In one embodiment, the session management component 1300 provides a virtual machine control panel to the user. The virtual machine control panel may enable a user to switch to the virtual machine, power off the virtual machine, reset the virtual machine, or suspend the virtual machine. In some embodiments, the session management component 1300 provides the virtual machine control panel only to users authorized to access the functionality of the virtual machine control panel.
  • In some embodiments, a virtual machine service component executes in the hypervisor. In one of these embodiments, the virtual machine service component is in communication with the session management component 1300 and receives configuration information associated with the client machine 10. In another of these embodiments, the session management component 1300 creates a connection to the virtual machine service component, such as a TCP/IP connection, and communicates with the virtual machine service component over the created connection. In still another of these embodiments, the session management component 1300 transmits information associated with the client machine 10, such as initialization parameters or client monitor geometry, to the virtual machine service component.
  • In some embodiments, the session management component 1300 identifies a folder containing an image of the identified virtual machine. In one of these embodiments, the folder contains configuration and data files comprising the virtual machine. In another of these embodiments, the session management component 1300 mounts the folder in the execution machine prior to launching the virtual machine. In still another of these embodiments, the session management component 1300 copies definition data files associated with the virtual machine onto the execution machine. The session management component 1300 may copy the definition data files back into the identified folder when a session is completed. In yet another of these embodiments, the configuration and data files are streamed to the execution machine, as described below.
  • In other embodiments, the session management component 1300 enumerates in the virtual machine a plurality of drives associated with the client machine 10. In one of these embodiments, the session management component 1300 creates a folder associated with each drive in the plurality of drives. In another of these embodiments, the session management component 1300 stores a folder associated with a drive in the plurality of drives in the mounted folder containing the identified virtual machine. In still another of these embodiments, an enumeration of the stored folder associated with the drive is provided to a user of the client machine 10. In some embodiments, a protocol stack located in the hypervisor or in the guest operating system enables drive mapping through other techniques, including techniques enabled by presentation layer protocols.
  • Referring now to FIG. 14, a block diagram depicts one embodiment of a system in which a drive associated with the client machine 10 is made available to a computing environment. In brief overview, the client machine 10 has a connection (1) to an execution machine and a connection (2) to a plurality of drives available to a user of the client machine 10.
  • The session management component 1300 creates a folder associated with each drive in the plurality of drives (3). In one embodiment, the session management component 1300 stores the created folder associated with a drive in the plurality of drives in a virtual machine folder 1002, the mounted folder containing configuration and data files associated with the identified virtual machine. In another embodiment, the session management component 1300 generates a list of shared folders stored in the virtual machine folder 1002.
  • The session management component 1300 notifies the virtual machine service component of the change to the virtual machine folder 1002 (4). In some embodiments, the session management component 1300 responds to changes in the client device by rebuilding a shared folder list in the virtual machine folder 1002. In one of these embodiments, the session management component 1300 receives an identification of a modification to the drive associated with the client machine 10. In another of these embodiments, the session management component 1300 transmits a notification to the virtual machine service component identifying the change to the virtual machine 1002.
  • For each folder associated with a drive in the virtual machine folder 1002, the virtual machine service component provides an indication of a mapped client drive to the virtual machine (5). In one embodiment, the virtual machine service component associates the mapped client drive with a drive letter on the virtual machine. In another embodiment, the virtual machine service component monitors for changes to the shared folder list in the virtual machine folder 1002. In some embodiments, an enumeration of the stored folder associated with the drive is provided to a user of the client machine 10.
  • In some embodiments, the session management component 1300 enumerates in the virtual machine a plurality of printers associated with the client machine 10. In one of these embodiments, the session management component 1300 accesses a printer service to acquire an authorization level required to enumerate a printer in the plurality of printers.
  • In one embodiment, a printer associated with the client machine 10 is shared as a network printer and made accessible to the virtual machine as a network resource. In another embodiment, the virtual machine generates printer output using the TCP/IP and LPR protocols, and this output is intercepted and transmitted to the printer associated with the client machine 10. In still another embodiment, the virtual machine transmits printer output to a virtualized hardware resource provided by the hypervisor, such as a COM port on the virtual machine. The output is captured and transmitted to the printer associated with the client machine 10. In yet another embodiment, a hypervisor may provide access to a virtual printer or printer port.
  • Referring back to FIG. 8, as part of the configuration process, an execution machine identified by the intermediate machine executes a hypervisor emulating hardware resources required by the requested computing environment. In one embodiment, the hypervisor executes on the intermediate machine. In another embodiment, the hypervisor executes in a terminal services session executing on the intermediate machine. In still another embodiment, the hypervisor executes on the execution machine. In yet another embodiment, the hypervisor executes in a terminal services session executing on the execution machine. In some embodiments, the hypervisor may be executed on the client machine 10.
  • In one embodiment, the hypervisor provisions a plurality of hardware resources on the execution machine for use by the requested computing environment. In another embodiment, the hypervisor partitions a plurality of hardware resources on the execution machine and makes the partition available for use by the requested computing environment. In still another embodiment, the hypervisor emulates a plurality of hardware resources on the execution machine for use by the requested computing environment. In yet another embodiment, the hypervisor may partition hardware resources, emulate hardware resources, or provision hardware resources, or all three. For example, a hypervisor may emulate a device (such as a graphics card, network card, and disk), partition the (execution time) of the CPU, and virtualize registers, storage, and underlying devices which they use to fulfill operations on their emulated hardware (such as RAM, and network interface cards).
  • In some embodiments, the session management component 1300 executes the hypervisor. In one of these embodiments, the session management component 1300 executes the hypervisor in full-screen mode. In other embodiments, the session management component 1300 monitors execution of the hypervisor. In one of these embodiments, the session management component 1300 transmits a notification to the virtual machine management component 1200 that the virtual machine has terminated when the session management component 1300 receives an indication that a virtual machine executing in the hypervisor has terminated. In another of these embodiments, the session management component 1300 receives a notification when the user logs out of a session.
  • In some embodiments, the hypervisor provides a hardware abstraction layer between hardware on the execution machine and a computing environment provided by a virtual machine. In one of these embodiments, there is no operating system between the execution machine hardware and the hypervisor. The hypervisor may be said to be executing “on bare metal.” In another of these embodiments, there is an operating system executing on the execution machine, referred to as a host operating system, and the hypervisor executes from within the operating system. Computing environments provided by a virtual machine may be referred to as guest operating systems.
  • In one embodiment, the hypervisor executes in a terminal server session on a host operating system on the execution machine. The hypervisor may emulate hardware resources required by a computing environment provided by a virtual machine. The hypervisor may partition hardware and provide access to the partition. The hypervisor may also virtualize existing hardware, making it appear to at least one domain on the hardware as if that domain were the only domain accessing the hardware. In another embodiment, output from the computing environment, or an application or resource executing within the computing environment, is passed from the computing environment to a virtualized hardware resource provided by the hypervisor. In still another embodiment, the hypervisor transmits the output to a component such as the session management component 1300. The session management component 1300 may transmit the received output to a client machine 10 from which a user accesses the computing environment. In yet another embodiment, the hypervisor redirects the output from the virtualized hardware resource to an actual hardware resource, such as a network interface card.
  • In some embodiments, the hypervisor provides a hardware abstraction layer and creates an environment into which a virtual machine may be launched, the virtual machine comprised of configuration and data files creating a computing environment, which may comprise a guest operating system and application programs or other resource. In other embodiments, the hypervisor provides functionality for transmitting data directed to a virtualized hardware resource and redirecting the data to a requesting machine via the session management component 1300. In one of these embodiments, the communication between the session management component 1300 and the hypervisor enables transmission of updates, such as audio updates, updates associated with a graphical user interface, or updates associated with serial COM port input/output, from the virtual machine to the requesting machine. In another of these embodiments, the communication enables transmission of keyboard or mouse or audio updates from the requesting machine to the virtual machine. In still another of these embodiments, where the hypervisor executes within a terminal server session, the hypervisor may map terminal server drives to the computing environment.
  • Referring still to FIG. 8, a virtual machine is configured for access by a particular client machine 10. In some embodiments, the management component 1300 receives an identification of a virtual machine already executing in the hypervisor. In other embodiments, the session management component 1300 launches the virtual machine in the hypervisor. In one embodiment, the session management component 1300 receives an identification of a folder containing configuration and data files comprising the virtual machine. In another embodiment, the session management component 1300 mounts the identified folder in the execution machine.
  • In some embodiments, a virtual machine service component executes in a guest operating system executing within the virtual machine. In one of these embodiments, the virtual machine service component is a system service running in a network service account. In another of these embodiments, the virtual machine service component is configured to initiate execution automatically upon the execution of the computing environment. In still another of these embodiments, the virtual machine service component communicates with the session management component 1300. In other embodiments, the virtual machine service component executes in the hypervisor.
  • In some embodiments, a virtual machine service component executes within the virtual machine. In one of these embodiments, after launching the virtual machine in the hypervisor, the session management component 1300 establishes a connection, such as a TCP/IP connection, with the virtual machine service component. In another of these embodiments, the virtual machine service component establishes the connection. The connection may be a single multiplexed connection between the components or multiple independent connections.
  • In still another of these embodiments, the session management component 1300 uses the connection to transmit configuration information to the virtual machine service component. The configuration information may be associated with a presentation layer protocol session executing on the client machine 10 in which output from the virtual machine is presented. The configuration information may also include information associated with display settings and changes, client drive information and authentication data.
  • In other embodiments, the virtual machine service component receives information associated with a printer to which the requesting machine has access. In one of these embodiments, the virtual machine service component accesses a network printer service to create in the virtual machine a printer connected to the printer to which the requesting machine has access.
  • In still other embodiments, the virtual machine service component transmits session status messages to the session management component 1300. In one of these embodiments, the virtual machine service component transmits heartbeat messages to the session management component 1300. In another of these embodiments, the virtual machine service component transmits keep-alive messages to the session management component 1300, to prevent the session management component 1300 from shutting down the virtual machine. In still another of these embodiments, the virtual machine service component transmits a message to the session management component 1300 providing an indication that the user of the client machine 10 has logged off, shut down, or suspended a session with the computing environment. The virtual machine service component may receive the indication of the user's activity from an authentication module.
  • Referring still to FIG. 8, as described above, a request for access to a resource is received (step 802), a method for providing access to the resource is identified (step 804), and a virtualized environment may be selected to provide access to a resource (step 808). In some embodiments, a client machine 10 receives the request, identifies a method for providing access, and selects a virtualized environment to provide access to a resource. In one of these embodiments, a mobile computing device connects to a client machine 10 referred to as a computing device, which identifies a method for providing access to a computing environment, selects a portable computing environment residing in storage on the mobile computing device and provides access to the portable computing environment.
  • Referring ahead to FIGS. 89A and 89B, a storage device and a computing device are depicted. In brief overview, the storage device stores data associated with a computing environment, such as a portable computing environment, which in some embodiments includes virtualization software, a virtual machine image, and user data. A computing device connects to the storage device, executes a virtual machine, and provides access to the computing environment responsive to data stored in the storage device.
  • Still referring to FIG. 89A, and in further detail, the storage device 8905 stores the portable computing environment 8920 of one or more users. In one embodiment, the storage device 8905 may be any type and form of hard drive, including a micro hard drive. In another embodiment, the storage device 8905 may be any type and form of portable storage device, such as a flash drive or USB drive, or any type and form of portable storage medium, such as a CD or DVD. In still another embodiment, the storage device 8905 comprises a flash card, a memory stick, multi-media card or a secure digital card. In some embodiments, the storage device 8905 may store applications including word processing or office applications, ICA clients, RDP clients, software to establish any type and form of virtual private network (VPN) or SSL VPN connection, software to accelerate network communications or application delivery or any other type and form of application.
  • In one embodiment, the storage device 8905 may store a virtual machine image. In another embodiment, the storage device 8905 may comprise a transmitter for transmitting stored data to a computing device 8910. In still another embodiment, the storage device 8905 may comprise a transceiver for accessing stored data, transmitting stored data and receiving data for storage. In yet another embodiment, the storage device 8905 may comprise stored data comprising an application program for executing a virtual machine on a computing device.
  • In some embodiments, the storage device 8905 is embedded in a mobile computing device. In other embodiments, the storage device 8905 is connected to a mobile computing device. In still other embodiments, the storage device 8905 comprises a portable storage device removable from a computing device.
  • The storage device 8905 stores data associated with a computing environment. The data may comprise a portable computing environment 8920. In one embodiment, the portable computing environment 8920 is considered portable in that the portable computing environment 8920 may be easily or conveniently carried and transported from one computing device 8910 to another computing device 8910′. In another embodiment, the portable computing environment 8920 is considered portable in that the computing environment may be established or executed on any suitable computing device 8910 with little or no changes to the computing device 8910, or in a further embodiment, with little or no maintenance or administration. In still another embodiment, the portable computing environment 8920 includes a plurality of files representing a desktop environment, or a portion thereof, of a computer system 100, which a user desires to execute on the computing device 8910. In yet another embodiment, the portable computing environment 8920 may represent an environment under which a user operates a home or office desktop computer. In some embodiments, the portable computing environment 8920 represents one or more applications to which a user has access.
  • The portable computing environment 8920 may include a virtual machine image 8925. In one embodiment, the virtual machine image 8925 comprises a computing environment image, including any of the information, data, files, software, applications and/or operating system needed to execute a computing environment 8920, including files needed to execute the computing environment 8920 via the virtualization software 8921. In another embodiment, the virtual machine image 8925 comprises configuration and data files required to execute a virtual machine providing access to a computing environment requested by a user. In still another embodiment, the virtual machine image 8925 comprises a virtual machine image as described above.
  • The portable computing environment 8920 may also include user data 8930, including, without limitation, any data, information, files, software or applications of a user. In one embodiment, the user data 8930 is stored in, or as a part of, the virtual machine image 8925. In another embodiment, the user data 8930 may be created, edited or provided by any software, program, or application of the storage device 8905 or of the computing device 8910.
  • The portable computing environment 8920 may include virtualization software 8921. In some embodiments, the virtualization software 8921 may comprise any suitable means or mechanisms for a user to access, read and/or write any user data 8930 included in or provided by the virtualization software 8921 and/or virtual machine image 8925. In one of these embodiments, the virtualization software 8921 may track, manage and synchronize the access, reading and/or writing of user data 8930 during an established computing environment 8920′ with the user data 8930 provided on the storage device 8905. In another of these embodiments, the user data 8930 may only be accessed via the virtualization software 8921 or the established computing environment 8920′. In still another of these embodiments, any software, programs or applications of the storage device 8905 may access the user data 8930 when the storage device 8905 is not connected to the computing device 120 or when a computing environment 8920′ is not executing. In yet another of these embodiments, the user data 8930 may comprise data and files created during a session of an established computing environment 8920′.
  • The computing device 8910 may be any type and form of computer system as described in connection with FIG. 1A and FIG. 1B above. In one embodiment, the computing device 8910 is a client machine 10 as described above. In another embodiment, a connection between a computing device 8910 and a storage device 8905 provides a user of a client machine 10 with access to a requested resource. In still another embodiment, the computing device 8910 receives a request for access to a resource when a connection is made between the computing device 8910 and the storage device 8905. In yet another embodiment, a method for providing access to the resource is identified responsive to information received from the storage device 8905.
  • In one embodiment, the computing device 8910 has a storage element 128. In another embodiment, the computing device 8910 has a network interface 118′ connected to network 150. In still another embodiment, the computing device 8910 has a transceiver for accessing data stored in a storage device 8905 or in a computing device 8910′.
  • In some embodiments, the computing device 8910 comprises an operational or performance characteristic not provided by the storage device 8905. In one of these embodiments, the computing device 8910 comprises elements, such as a processor or a memory, which the storage device 8905 does not include. In another of these embodiments, the computing device 8910 provides an I/O device, display device, installation medium, or other peripherals, such as a keyboard or printer not available to the storage device 8905. In still another of these embodiments, the computing device 8910 may provide a feature, a resource, or peripheral desired to be used by the user of the storage device 8905. For example, the user may want to access a file or an application provided on a remote machine 30′ available via a connection across the network 150. In yet another of these embodiments, the computing device 8910 provides access to a network, such as machine farm 38, not available to the storage device 8905, or to a user of the storage device 8905.
  • In one embodiment, the computing device 8910 establishes a computing environment 8920′ based on the portable computing environment 8920 provided by the storage device 8905. The computing device 8910 establishes a virtual machine 8925′ and a virtualization layer 8922 to execute the computing environment 8920′ based on the virtualization software 8921 or 8921′, virtual machine image 8925 and/or user data 230.
  • In some embodiments, virtualization allows multiple virtual machines 8925′ with heterogeneous operating systems to run in isolation, side-by-side on the same physical machine 8910. In one embodiment, the virtualization software 8921 may include a virtual machine image. Virtual machines may include cross-platform X86 PC emulators, such as the products distributed by The Bochs Project at bochs.sourceforge.net, or VMware products manufactured and distributed by VMware, Inc. of Palo Alto, Calif., or products manufactured and distributed by Softricity, Inc., or the Virtuozzo products manufactured and distributed by SWSoft, Inc. of Herndon, Va., or the Microsoft® Virtual PC products manufactured and distributed by Microsoft Corporation of Redmond, Wash. In another embodiment, the virtualization software 8921 includes any of the AppStream products manufactured and distributed by AppStream Inc. of Palo Alto, Calif., or the AppExpress products manufactured and distributed by Stream Theory, Inc. of Irvine, Calif.
  • The computing device 8910 may use any other computing resources of computer system 100 b required by the computing environment 8920′. In some embodiments, the hypervisor 8923 provides a virtualized hardware resource required by the computing environment 8920′. In other embodiments, a hypervisor 8923 provides, via a virtualization layer 8922, access to a hardware resource required for execution of a computing environment. In one of these embodiments, the hypervisor 8923 provisions the hardware resource. In another of these embodiments, the hypervisor 8923 virtualizes the hardware resource. In still another of these embodiments, the hypervisor 8923 partitions existing hardware resources and provides access to a partitioned hardware resource.
  • In some embodiments, a virtual machine 8925′ executing on a virtualization layer provides access to a computing environment 8920′. In other embodiments, a session management component 1300 executes the virtual machine 8925. In still other embodiments, virtualization software 8921 or 8921′ executes the virtual machine 8925. In one of these embodiments, the portable computing environment 8920 includes any type and form of software for virtualizing on a computing device a user-accessible resource, such as an operating system, desktop, application, and any hardware computing resources. In yet other embodiments, virtual machine image 8925 is accessed to execute a virtual machine 8925′. In one of these embodiments, the virtualization software 8921 or 8921′ accesses the virtual machine image.
  • In some embodiments, the virtualization software 8921 may include software for virtualizing a server, such as the Microsoft Virtual Server products manufactured and distributed by Microsoft Corporation of Redmond, Wash., or the Linux Vserver products distributed by the Linux Vserver Project located at linux-vserver.org. In other embodiments, the virtualization software 8921 may also include an interpreter or just-in-time compiler, such as the JAVA Virtual Machine (JVM) originally manufactured by Sun Microsystems of Santa Clara, Calif., or the Common Language Runtime (CLR) interpreter manufactured by the Microsoft Corporation.
  • In some embodiments, the computing device 8910 has the virtualization software 8921′ stored or installed in storage element 128 prior to a connection with the storage device 8905. In one embodiment, the virtualization software 8921′ does not need to be installed on the computing device 8910, and can, instead, be executed from the storage device 8905. In another embodiment, the computing device 8910 installs and executes the virtualization software 8921 on a per connection basis. In this embodiment, the computing device 8910 may remove the virtualization software 8921 from storage element 128 upon termination of the established computing environment 8920′. In still another embodiment, the computing device 8910 installs and executes the virtualization software 8921 on a first connection. In yet another embodiment, upon other connections, if the computing device 8910 detects changes to the virtualization software 8921, such as a newer version, the computing device 8910 updates the virtualization software 8921, or installs a newer version of the virtualization software 8921. In other embodiments, the computing device 8910 obtains the virtualization software 8921 from a storage element 128″ or a remote machine 30 accessible via network 150.
  • In one embodiment, the virtualization software 8921 is used to establish a virtualization layer 8922 on the computing device 8910. In another embodiment, the virtualization layer 8922 provides an abstraction layer that decouples or isolates an application or a hardware resource from the operating system. In still another embodiment, the virtualization layer 8922 comprises an application to host or run another operating system or application, such as virtual machine 8925.
  • In some embodiments, the hypervisor 8923 comprises the virtualization software 8921. In other embodiments, the session management component 1300 comprises the virtualization software 8921. In still other embodiments, the host computing device 8910 stores virtualization software 8921′ in storage element 128. In yet other embodiments, the computing device 8910 accesses a remotely located copy of virtualization software 8921′.
  • In some embodiments, the virtualization layer 8922 and/or virtual machine 8925 provide an execution environment on the computing device 8910. In one of these embodiments, each execution environment is a unique instance of the same execution environment, while, in another of these embodiments, each execution environment may be an instance of different execution environments. Each execution environment may be isolated from and/or not accessible by another execution environment. In other embodiments, the virtualization layer 8922 and/or virtual machine 8925 provides an execution context, space or “sandbox” to isolate processes and tasks running on the same operating system.
  • In one embodiment, the virtualization layer 8922 communicates with a session management component 1300. In some embodiments, the session management component 1300 is software executing in a layer between a hypervisor 8923 or operating system of the computing device 8910 and one or more virtual machines 8925 that provide a virtual machine abstraction to guest operating systems. In other embodiments, as described above, the session management component 1300 may reside outside of the computing device 8910 and be in communication with a hypervisor 8923 or operating system of the computing device 8910. In still other embodiments, the session management component 1300 can load, run or operate the virtual machine image 8925 from the storage device 8905 to execute a virtual machine 8925′. In yet other embodiments, the session management component 1300 and hypervisor 8923 are incorporated into the same application, software or other executable instructions to provide the virtualization layer 8922. In further embodiments, the session management component 1300 is in communication with a virtual machine service component executing within the computing environment 8920.
  • In some embodiments and still referring to FIG. 89A, the computing device 8910 includes a loading mechanism 8940, which may comprise software, hardware, or any combination of software and hardware. In one embodiment, the loading mechanism 8940 comprises an autorun configuration file. In another embodiment, the storage device 8905 may include the loading mechanism 8940. In still another embodiment, the storage device 8905 includes the loading mechanism 8940 in an autorun file. In some embodiments, a loading mechanism 8940 on the storage device 8905 establishes the computing environment 8920′ on the computing device 8910 based on the portable computing environment 8920 stored in the storage device 8905. In other embodiments, the loading mechanism 8940′ of the computing device 8910 establishes the computing environment 8920′. In still other embodiments, the loading mechanism 8940 of the storage device 8905 works in conjunction with the loading mechanism 8940′ of the computing device 8910 to establish the computing environment 8920′.
  • In one embodiment, the loading mechanism 8940 comprises a driver, such as a device driver or a kernel or user-mode driver for connecting to and/or accessing the storage device 8905, or the storage element 128 thereof. In another embodiment, the loading mechanism 8940 comprises any type and form of executable instructions, such as a program, library, application, service, process, thread or task for accessing the storage element 128 or storage device 8905. In still another embodiment, the loading mechanism 8940 accesses any type and form of data and information on the storage 128 to establish the user environment 8920′ in accordance with the operations discussed herein. For example, in some embodiments, the loading mechanism 8940 reads an autorun configuration file in storage element 128 or on storage device 8905. In some embodiments, the loading mechanism 8940 comprises a plug-n-play (PnP) mechanism by which the operating system of the host computing device 8910 recognizes the storage device 8905 upon connection, and loads the drivers to connect to the storage device 8905.
  • In one embodiment, the loading mechanism 8940, upon detection of a connection between the storage device 8905 and computing device 8910, initiates the loading, establishing and/or executing of the virtualization software 8921 and/or the user environment 8920′ on the computing device 8910. In another embodiment, the loading mechanism 8940 may comprise any rules, logic, operations and/or functions regarding the authentication and/or authorization of establishing a computing environment 8920′ on the computing device 8910 based on the portable computing environment 8920. In still another embodiment, the loading mechanism 8940 may determine the existence of the virtualization software 8921′ on the computing device 8910 and/or the difference in versions between the virtualization software 8921 and virtualization software 8921′. In yet another embodiment, the loading mechanism 8940 may store, load, and/or execute the virtualization software 8921 or 8921′ on the computing device 8910. In a further embodiment, the loading mechanism 8940 may store, load, and/or execute the virtual machine image 8925 on the computing device 8910 as a virtual machine 8925 providing access to the computing environment 8920′. In still another embodiment, the loading mechanism 8940 may comprise or provide any type and form of user interface, such as a graphical user interface or command line interface.
  • In some embodiments, the virtualization software 8921, portable computing environment 8920 and/or loading mechanism 8940 are designed and constructed in accordance with the U3 application design specification, or USB smart drive, provided by U3 LLC of Redwood City, Calif. For example, the loading mechanism 8940 may comprise a U3 launchpad program, and the virtualization software 8921 and/or portable user environment 120 may comprise a U3-based application.
  • Referring now to FIG. 89B, a flow diagram depicts one embodiment of the steps taken in a method for providing access to a computing environment on a computing device via a storage device. In brief overview, a method for providing access to a computing environment includes the step of storing, in a storage device, data associated with a computing environment (step 8950). A computing device connects to the storage device (step 8960). A virtual machine executing on the computing device provides access to the computing environment, based on the data stored in the storage device (step 8970).
  • In further detail, a storage device 8905 stores data associated with a portable computing environment 8920 (step 8950). In one embodiment, the storage device 8905 stores user data associated with the computing environment. In another embodiment, the storage device 8905 stores a virtual machine image 8925. In still another embodiment, the storage device 8905 stores data associated with a computing environment, the computing environment comprising at least one application program. In yet another embodiment, the storage device 8905 stores data associated with a computing environment, the computing environment comprising an operating system.
  • In one embodiment, the storage device 8905 stores data comprising an operating system. In another embodiment, the storage device 8905 stores data comprising an application program. In still another embodiment, the storage device 8905 stores an application program for executing a virtual machine on a computing device. In yet another embodiment, the storage device 8905 stores virtualization software for executing a virtual machine on a computing device.
  • In some embodiments, the storage device 8905 may include a connector for establishing a connection between the storage device 8905 and a computing device. In other embodiments, the storage device 8905 resides in a computing device, such as a mobile computing device. In one of these embodiments, the storage device 8905 is embedded in a mobile computing device. In still other embodiments, the storage device 8905 comprises a portable storage device removable from a computing device.
  • A computing device connects to the storage device (step 8960). The storage device 8905 may connect to the computing device 8910 by any suitable means and/or mechanism. In one embodiment, the storage device 8905 connects to a computing device 8910 via a mobile computing device. In another embodiment, the storage device 8905 is embedded in a mobile computing device connectable to the computing device 8910.
  • Upon connection, a request may be received by the computing device 8910 for access to a resource. In one embodiment, the request is for a desktop environment. In another embodiment, the request is for an application or for a plurality of applications. In still another embodiment, the request is for a virtual machine.
  • In some embodiments, a determination may be made to provide access to the requested resource via a virtualized environment. In one of these embodiments, the determination is made as described above in connection with FIG. 8. In another of these embodiments, the determination is made responsive to information received from the storage device 8905, such as a rule requiring the determination.
  • In one embodiment, the computing device 8910 accesses the storage device 8905 to access the portable computing environment 8920. In another embodiment, the computing device 8910 obtains the virtualization software 8921 from the storage device 8905 to establish a computing environment 8920′. In still another embodiment, the computing device 8910 does not obtain the virtualization software 8921 from the storage device 8905 as the computing device 8910 has access to the virtualization software 8921 in storage element 128′ or via network 150. In yet another embodiment, the computing device 8910 obtains portions of the virtualization software 8921 from the storage device 8905. For example, the virtualization software 8921 on the storage device 8905 may be an updated version or have updated files to the virtualization software 8921′ on the computing device 8910. In some embodiments, the storage device 8905 transmits information to the computing device 8910. In one of these embodiments, the storage device 8905 transmits the information with a request for access to a resource.
  • A virtual machine executing on the computing device provides access to the computing environment, based on the data stored in the storage device (step 8970). In one embodiment, the computing device 8910 retrieves data from the storage device 8905. In another embodiment, the computing device 8910 accesses the storage device 8905 to obtain a virtual machine image 8925 used to execute the virtual machine. In still another embodiment, the computing device 8910 accesses the storage device 8905 to obtain data or information identifying a location of the portable computing environment 8920 that may be accessible to the computing device 8910. For example, the storage device 8905 may comprise user data 8930 identifying a Uniform Resource Locator (URL) associated with a location on which a virtual machine image 8925 is stored, the URL accessible by the computing device 8910 via network 150. In yet another embodiment, the computing device 8910 accesses a storage element identified by the user data 8930, for example, a storage element or remote machine 30 on the network 150 storing the virtual machine image 8925.
  • In some embodiments, the computing device 8910 mounts the storage device 8905 as a storage, such as a disk, available to the computing device 8910. In one of these embodiments, the computing device 8910 mounts the storage device 8905 as removable media. In other embodiments, the loading mechanism 8940 accesses the storage device 8905.
  • The computing device 8910 establishes an environment for executing or providing access to the computing environment 8920′. In one embodiment, a virtual machine may be executed in the computing environment 8920′ to provide access to a requested resource. In another embodiment, a virtual machine is the requested resource. In still another embodiment, a virtual machine 8925′ executes a virtual machine 8925″.
  • In one embodiment, the computing device 8910 executes a virtual machine responsive to a virtual machine image 8925 stored in the storage device 8905. In another embodiment, the computing device 8910 executes a virtual machine 8925′ responsive to the data stored in the storage device 8905. In still another embodiment, the computing device 8910 executes the virtual machine responsive to a policy stored in the storage device.
  • In one embodiment, the computing device 8910 retrieves data stored in the storage device 8905. In another embodiment, the computing device 8910 uses an application program stored in the storage device 8905 to access the data. In still another embodiment, the computing device 8910 provides access to a computing environment by executing an operating system providing access to one or more applications identified by information stored in the storage device, the operating system and the one or more applications having access to user data stored in the storage device 8905.
  • In one embodiment, the computing device 8910 installs and/or loads the virtualization software 8921 to establish the virtualization layer 8922. In some embodiments, the virtualization software 8921 is designed and constructed as a portable application that can execute, load or establish the virtualization layer 8922 on the computing device 8910 without requiring installation of the virtualization software 8921. In other embodiments, the virtualization software 8921 is automatically installed on the computing device 8910 via an installation script. In one of these embodiments, the virtualization software 8921 is installed without requiring a reboot. In another of these embodiments, the virtualization software 8921 is installed and the virtualization layer 8922 established transparently to a user. In still other embodiments, the virtualization layer 8922 is established using the virtualization software 8921′ stored on the computing device 8910 or accessed via network 150.
  • In some embodiments, the computing device 8910 executes a hypervisor 8923 to establish the virtualization layer 8922. In other embodiments, a hypervisor 8923 on the computing device 8910 and in communication with a hypervisor 8923′ on a remote machine 30′ establishes the virtualization layer 8922. In still other embodiments, a hypervisor 8923 in communication with a session management component 1300 establishes the virtualization layer 8922. In one of these embodiments, upon establishment of the virtualization layer 8922, the session management component 1300 identifies, provisions, and/or executes a virtual machine in the virtualization layer 8922 as described above in connection with FIG. 8. In yet other embodiments, the loading mechanism 8940 establishes the virtualization layer 8922. In further embodiments, the computing device 8910 establishes a virtualization layer 8922 in which a virtual machine service component executes.
  • In one embodiment, the virtualization layer 8922 has been established prior to the storage device 8905 connecting to the computing device 8910. For example, the virtualization layer 8922 may have been established for another computing environment 8920′ or during a previous connection of the same or a different storage device 8905. In some embodiments, the computing device 8910 and/or loading mechanism 8940 establishes the virtualization layer 8922 and actuates, starts, or executes a session management component 1300 and/or hypervisor 8923. In other embodiments, the computing device 8910 and/or loading mechanism 8940 executes session management component 1300 and/or hypervisor 8923 upon loading or executing a virtual machine 8925.
  • The computing device 8910 provides access to the computing environment 8920′ based on the portable computing environment 8920 (step 8970). In one embodiment, the computing device 8910 and/or loading mechanism 8940 accesses the virtual machine image 8925 from storage device 8905 and executes the virtual machine image 8925 as a virtual machine 8925′ in the established virtualized environment 8922. In another embodiment, the computing device 8910 and/or loading mechanism 8940 automatically loads, executes or otherwise establishes the computing environment 8920 with the virtualization layer 8922 upon detection of a connection over network 150. In still another embodiment, the computing device 8910 and/or loading mechanism 8940 automatically loads, executes or otherwise establishes the computing environment 8920 and the virtualization layer 8922 upon detection of existence or identification of the portable computing environment 8920 in storage element 128.
  • In some embodiments, a user may select the virtual machine image 8925 from the storage device 8905 for execution as a virtual machine 8925′ via any type and form of user interface. In one of these embodiments, the virtualization software 8921, virtualization layer 8922, hypervisor 8923, or loading mechanism 8940 may display a user interface for a user to identify a virtual machine image 8925, and/or to execute a virtual machine 8925′ based on a virtual machine image 8925. In another of these embodiments, a client, such as an ICA client, an RDP client, or an X11 client, executes on the computing device 8910 and provides the user interface to the user.
  • In some embodiments, a user may access, read, and/or write user data 8930 during the course of using the established computing environment 8920′. In one of these embodiments, a user of the computing device 8910 may access, read and/or write the user data 8930 to the storage device 8905. In another of these embodiments, a user of the computing device 8910 may edit or modify user data 8930 or may create new data and information in user data 8930.
  • In other embodiments, a user of the computing device 8910 may access, read, and/or write user data to the storage 128′ of the computing device 8910. In still other embodiments, the computing device 8910 may synchronize user data 8930 on the computing device 8910 with user data 8930 on the storage device 8905. In one of these embodiments, the computing device 8910 uses the virtualization layer 8922 or the loading mechanism 8940 to synchronize the user data 8930. In yet other embodiments, the storage device 8905 may have a program or application for synchronizing data between the storage device 8905 and the computing device 8910.
  • In some embodiments, the storage device 8905 may disconnect from the computing device 8910 at any point in time during the established computing environment 8920′. In other embodiments, the storage device 8905 may disconnect after the computing environment 8920′ is terminated on the computing device 8910. In still other embodiments, the computing environment 8920′ is automatically terminated upon disconnection of the storage device 8905 from the computing device 8910. In yet other embodiments, the computing environment 8920′ may remain established on the computing device 8910 after the storage device 8905 disconnects from the computing device 8910. In one of these embodiments, once the computing environment 8920′ is established on the computing device 8910, the storage device 8905 may be disconnected.
  • In some embodiments, the storage device 8905 can access, read, and/or write user data 8930 to any portion of the portable computing environment 8920. In one of these embodiments, although the portable computing environment 8920 is not established or virtualized on computing device 8910, the storage device 8905 can still access, read, and/or write to and from the user data 8930. In other embodiments, a user may use a first application in the established computing environment 8920′ to access a file of the user data 8930. In still other embodiments, the user may use a second application on the storage device 8905 to access the same file of the user data 8930. In yet other embodiments, the virtualization software 8921 or virtual image 8925 allows access to the user data 8930, even though virtualization software 8921 or virtual machine image 8925 is not executing or operating.
  • Although FIGS. 89A and 89B are generally discussed with one portable computing environment 8920 stored in the storage device 8905, the storage device 8905 may store a plurality of portable computing environments 8920 for establishing a corresponding plurality of computing environments 8920′ on the computing device 8910. In some embodiments, the computing device 8910, loading mechanism 8940, or the virtualized layer 8920 provides a user interface for the user to select a portable computing environment from storage to establish the computing environment 8920. For example, the storage device 8905 or the computing device 8910 may have a portable computing environment selection mechanism as is further discussed in connection with FIG. 92A and with FIG. 93A. In other embodiments, the computing device 8910, loading mechanism 8940, or the virtualized layer 8922 uses one of the plurality of portable computing environments based on a characteristic of the computing device, such as operating system type, or based on user data identifying the portable computing environment to use for the computing device.
  • Referring now to FIG. 90A, a mobile computing device 9005 is depicted. In brief overview, the mobile computing device 9005 may be any type and form of computer system as described in connection with FIG. 1A and FIG. 1B above. In one embodiment, the mobile computing device 9005 comprises a storage device, such as a storage device 8905 as described in connection with FIG. 89A and FIG. 89B. In another embodiment, the mobile computing device 9005 is connected to a storage device 8905. In still another embodiment, the mobile computing device 9005 comprises a portable storage device removable from a computing device. In yet another embodiment, the mobile computing device 9005 has a network interface 118 used to connect to remote machines 30 or client machines 10 on the network 150, such as the computing device 8910. The storage device 8905 may store a portable computing environment 8920, which in some embodiments includes virtualization software 8921, a virtual image 8925, and user data 8930.
  • In some embodiments, the mobile computing device 9005 stores data associated with a computing environment, executes a virtual machine, and provides access to the computing environment responsive to data stored in the mobile computing device 9005. In one of these embodiments, the mobile computing device 9005 comprises a stored virtual machine image. In another of these embodiments, the mobile computing device 9005 comprises an application program for executing a virtual machine on a computing device. In still another of these embodiments, the mobile computing device 9005 provides access to a computing environment by executing an operating system with access to one or more applications identified via data stored on the mobile computing device, the operating system and the one or more applications having access to the user data on the mobile computing device. In other embodiments, the mobile computing device 9005 stores the portable computing environment 8920 of one or more users in storage provided by a storage device, such as a storage device 8905 as described above in connection with FIGS. 89A and 89B.
  • In one embodiment, the mobile computing device 9005 decrypts stored data. In another embodiment, the mobile computing device 9005 prevents one of unauthenticated and unauthorized access by a user of the mobile computing device 9005 to a computing environment provided by the mobile computing device 9005.
  • Referring now to FIG. 90B, a flow diagram depicts one embodiment of the steps taken in a method for providing a computing environment by a mobile computing device. In brief overview, a method includes the step of storing, in a mobile computing device 9005, data associated with a computing environment (step 9020). A virtual machine executing on the mobile computing device provides access to the computing environment, based on the stored data (step 9025).
  • In further detail, the mobile computing device 9005 stores data associated with a computing environment (step 9020). In one embodiment, the mobile computing device 9005 receives the data associated with the computing device from a storage device connected to the mobile computing device 9005. In another embodiment, the mobile computing device stores the data associated with the computing environment in a storage device 8905 embedded in the mobile computing device. In still another embodiment, the mobile computing device 9005 stores user data associated with the computing environment. In yet another embodiment, the mobile computing device 9005 stores a virtual machine image.
  • In one embodiment, the mobile computing device 9005 stores data associated with a computing environment, the computing environment comprising at least one application program. In another embodiment, the mobile computing device 9005 stores data associated with a computing environment, the computing environment comprising an operating system. In still another embodiment, the mobile computing device 9005 stores data comprising an operating system. In yet another embodiment, the mobile computing device 9005 stores data comprising an application program. In some embodiments, the mobile computing device 9005 stores an application program for executing a virtual machine. In other embodiments, the mobile computing device 9005 stores virtualization software for executing a virtual machine.
  • In some embodiments, a request may be received by the mobile computing device 9005 for access to a resource. In one of these embodiments, the request is for a desktop environment. In another of these embodiments, the request is for an application or for a plurality of applications. In still another of these embodiments, the request is for a virtual machine. In yet another of these embodiments, the request is for access to a computing environment.
  • In some embodiments, a determination may be made to provide access to the requested resource via a virtualized environment. In one of these embodiments, the determination is made as described above in connection with FIG. 8. In another of these embodiments, the determination is made responsive to information received from the mobile computing device 9005, such as a rule requiring the determination.
  • A virtual machine executing on the mobile computing device provides access to the computing environment, based on the stored data (step 9025). In one embodiment, an application program stored in the mobile computing device 9005 executes to access data associated with the computing environment. In another embodiment, the mobile computing device 9005 executes virtualization software, at least a portion of which is stored on the mobile computing device 9005. In still another embodiment, the mobile computing device 9005 provides access to a computing environment by executing an operating system with access to one or more applications stored on the mobile computing device, the operating system and the one or more applications having access to user data stored in the mobile computing device 9005.
  • In one embodiment, the mobile computing device 9005 executes a virtual machine, responsive to data stored in the mobile computing device 9005. In another embodiment, the mobile computing device executes a virtual machine responsive to a policy stored in the mobile computing device 9005. In still another embodiment, the mobile computing device 9005 executes a virtual machine that provides access to a requested resource or computing environment, the virtual machine executed responsive to a virtual machine image stored in the mobile computing device 9005. In yet another embodiment, the mobile computing device 9005 transfers execution of the virtual machine to a computing device 8910.
  • Although FIGS. 90A and 90B are generally discussed with one portable user environment 8920 stored in storage 8905 of the mobile computing device 9005, the mobile computing device 9005 may store a plurality of portable computing environments 8920 for establishing a corresponding plurality of computing environments 8920′ on the mobile computing device 9005.
  • Referring now to FIG. 91A, a mobile computing device and a computing device are depicted. In brief overview, the mobile computing device stores data associated with a computing environment. The computing device connects to the mobile computing device, executes a virtual machine, and provides access to the computing environment responsive to data stored in the mobile computing device. In one embodiment, the virtual machine executing on the computing device provides access to the computing environment.
  • In one embodiment, the mobile computing device 9005 may be any type and form of computer system as described in connection with FIG. 1A and FIG. 1B above. In another embodiment, the mobile computing device 9005 comprises a storage device 8905 as described above in connection with FIG. 90A and FIG. 90B. In another embodiment, the mobile computing device may be a mobile computing device 9005 as described above in connection with FIG. 90A and FIG. 90B. In some embodiments, the mobile computing device 9005 provides access to a portable computing environment 8920 of one or more users in storage provided by a storage device, such as a storage device 8905 as described above in connection with FIGS. 89A and 89B.
  • In some embodiments, the mobile computing device 9005 and the computing device 8910 may have the same processor or computer architecture, such as an X86 based processor architecture. In other embodiments, the mobile computing device 9005 may have a different processor or architecture than the computing device 8910. For example, the computing device 8910 may be a SPARC (Scalable Processor Architecture) and the mobile computing device 9005 may be an ARM based architecture. In some embodiments, the mobile computing device 9005 and the computing device 8910 may both operate a processor, or a data address or bus using the same number of bits, such as a 32-bit or 64-bit processor or bus. In other embodiments, the mobile computing device 9005 and the computing device 8910 may operate on processors and/or a data bus with different bit architectures. Furthermore, the mobile computing device 9005 and computing device 8910 may operate the same operating system, in one embodiment, and different operating systems, in another embodiment. For example, the mobile computing device 9005 may operate a PALM operating system while the computing device 8910 runs a WINDOWS operating system.
  • In one embodiment, a mobile computing device 9005 has multiple processors. One processor may have higher performance characteristics than the other processor, and each processor may share one or more storage and memory elements. For example, a storage element, such as a disk drive or portable storage device, may include a computing environment. The mobile computing device 9005 may also have a switching mechanism to switch between using a first processor having higher performance characteristics and a second processor having lower performance characteristics, based on operating conditions and applications executing on the device. The processor having lower performance characteristics may be used to execute applications with lower power requirements, such as typical PDA functionality of calendar access and email. When an application requires more power, the mobile computing device 9005 may automatically switch execution of such applications to the more powerful processor.
  • The computing device 8910 connects to the mobile computing device, executes a virtual machine, and provides access to the computing environment responsive to data stored in the mobile computing device 9005. In one embodiment, the computing device 8910 may mount the storage device 8905 of the mobile computing device 9005 as a removable hard drive or storage element 128′ of the computing device 8910. In some embodiments, the mobile computing device 9005 may be a plug and play device (PnP) of the computing device 8910, such that a PnP protocol manufactured by Microsoft Corporation of Redmond, Wash., is used between the mobile computing device 9005 and computing device 8910, such as via I/O devices 130 a-130 n or network interfaces 118, 118′.
  • In some embodiments, the computing device 8910 comprises an operational or performance characteristic not provided by the mobile computing device 9005. In one of these embodiments, the computing device 8910 has a more powerful processor 102′ and/or larger memory 122′ than the processor 102 and memory 122 of the mobile computing device 9005. In another of these embodiments, the computing device 8910 provides an I/O device 130 b, display device, installation medium, or other peripherals, such as a keyboard or printer not available to the mobile computing device 9005. In still another of these embodiments, the computing device 8910 may provide a feature, a resource, or peripheral desired to be used by the user of the mobile computing device 9005. For example, the user may want to access a file or an application provided on a remote machine 30′ available via a connection across the network 150. In yet another of these embodiments, the computing device 8910 provides access to machines on a network 150, such as those in machine farm 38, not available to the mobile computing device 9005, or to a user of the mobile computing device.
  • In one embodiment, the computing device 8910 provides access to a computing environment 8920′ based on the portable computing environment 8920 provided in the mobile computing device 9005. The computing device 8910 executes a virtual machine 8925′ and a virtualization layer 8922 to execute the computing environment 8920′ based on the virtualization software 8921 or 8921′, virtual machine image 8925, or user data 230. In some embodiments, the computing device comprises a transceiver for accessing data stored in the mobile computing device 9005.
  • In some embodiments, a loading mechanism on the mobile computing device 9005 actuates the establishment of the computing environment 8920′ on the computing device 8910 based on the portable computing environment 8920 stored in the mobile computing device 9005. In other embodiments, the loading mechanism 8940 of the computing device 8910 actuates the establishment of the computing environment 8920′. In yet another embodiment, a loading mechanism on the mobile computing device 9005 works in conjunction with the loading mechanism 8940 of the computing device 8910 to establish the computing environment 8920′.
  • Referring now to FIG. 91B, a flow diagram depicts one embodiment of the steps taken in a method for providing access to a computing environment on a computing device via a mobile computing device. In brief overview, a method includes the step of storing, in a mobile computing device, data associated with a computing environment (step 9155). A computing device connects to the mobile computing device (step 9160). A virtual machine executing on the computing device provides access to a computing environment, based on the data stored in the mobile computing device (step 9165).
  • A mobile computing device stores data associated with a computing environment (step 9155). In one embodiment, the mobile computing device 9005 may store data associated with a computing environment as described above in connection with FIGS. 90A and 90B. In one embodiment, the mobile computing device 9005 may comprise a storage device embedded in the mobile computing device 9005, such as the storage device 8905 described in connection with FIG. 89A through FIG. 90B.
  • The computing device 8910 connects to the mobile computing device 9005 by any suitable means and/or mechanism (step 9160). In one embodiment, the computing device 8910 connects to a storage device, such as a storage device 8905 as described above in connection with FIG. 89A and FIG. 89B, via the mobile computing device 9005. Upon connection, a request may be received by the computing device 8910 for access to a resource. In one embodiment, the request is for access to a desktop environment. In another embodiment, the request is for an application or for a plurality of applications. In still another embodiment, the request is for a virtual machine. In some embodiments, a determination may be made to provide access to the requested resource via a virtualized environment. In one of these embodiments, the determination is made as described above in connection with FIG. 8. In another of these embodiments, the determination is made responsive to information received from the mobile computing device 9005, such as a rule requiring the determination.
  • In one embodiment, the computing device 8910 accesses the mobile computing device 9005 to obtain the portable user environment 8920. In another embodiment, the computing device 8910 obtains the virtualization software 8921 to establish the virtualized environment 8922. In still another embodiment, the computing device 8910 does not obtain the virtualization software 8921 from the mobile computing device 9005 as the computing device 8910 has access to the virtualization software 8921 in storage element 128′ or via network 150. In yet another embodiment, the computing device 8910 obtains portions of the virtualization software 8921 from the mobile computing device 9005. For example, the virtualization software 8921 on the mobile computing device 9005 may be an updated version or have updated files to the virtualization software 8921′ on the computing device 8910. In some embodiments, the mobile computing device 9005 transmits information to the computing device 8910. In one of these embodiments, the mobile computing device 9005 transmits the information with a request for access to a resource.
  • In one embodiment, the computing device 8910 accesses the mobile computing device 9005 to obtain the virtual machine image 8925. In another embodiment, the computing device 8910 accesses the mobile computing device 9005 to obtain data or information identifying a location of the portable user environment 8920 in any storage that may be accessible to the computing device 8910. For example, the mobile computing device 9005 may comprise user data 8930 identifying a Uniform Resource Locator (URL) associated with a location on which a virtual machine image 8925 is stored, the URL accessible by the computing device 8910 via network 150. In still another embodiment, the computing device 8910 accesses a storage element identified by the user data 8930, for example, a storage element on network 150 storing the virtual machine image 8925. In some embodiments, the computing device 8910 mounts the mobile computing device 9005 as a storage element, such as a disk, available to the computing device 8910. For example, in one embodiment, the computing device 8910 mounts the mobile computing device 9005 as removable media. In one embodiment, the loading mechanism 8940 accesses the mobile computing device 8905.
  • In some embodiments, the computing device 8910 provides access to a computing environment by executing an operating system with access to one or more applications identified via data stored on the mobile computing device, the operating system and the one or more applications having access to the user data on the storage device. In other embodiments, the computing device prevents one of unauthenticated or unauthorized access by a user of the mobile computing device 9005 to a computing environment provided by the computing device 8910. In still other embodiments, the computing device 8910 decrypts data stored on the mobile computing device 9005.
  • A virtual machine executing on the computing device 8910 provides access to a computing environment, based on data stored in the mobile computing device 9005 (step 9165). In one embodiment, the computing device 8910 establishes a virtualized environment for providing access to the computing environment 8920′ by executing the virtual machine 8925. In another embodiment, a virtual machine may be executed in the user environment 8920′ to provide access to a requested resource. In still another embodiment, a virtual machine is the requested resource. In some embodiments, the computing device 8910 executes a virtual machine responsive to a virtual machine image 8925 stored in the mobile computing device 9005. In other embodiments, the computing device 8910 executes a virtual machine responsive to data stored in the mobile computing device 9005.
  • In one embodiment, an application program stored in the mobile computing device 9005 is executed to access data associated with a computing environment. In another embodiment, the computing device 8910 executes virtualization software 8921′ by accessing at least a portion of the virtualization software 8921 stored in the mobile computing device 9005.
  • In one embodiment, the computing device 8910 executes the virtualization software 8921 to establish the virtualization layer 8922. In some embodiments, the virtualization software 8921 is automatically installed on the host computing device 8910 via an installation script. In one of these embodiments, the virtualization software 8921 is installed without requiring a reboot. In another of these embodiments, the virtualization software 8921 is installed and the virtualization layer 8922 established transparently to a user.
  • In some embodiments, the computing device 8910 executes a hypervisor 8923 to establish the virtualization layer 8922. In other embodiments, a hypervisor 8923 on the computing device 8910 and in communication with a hypervisor 8923′ on a remote machine 30′ establishes the virtualization layer 8922. In still other embodiments, a hypervisor 8923 in communication with a session management component 1300 establishes the virtualization layer 8922. In one of these embodiments, upon establishment of the virtualization layer 8922, the session management component 1300 identifies, provisions, and/or executes a virtual machine in the virtualization layer 8922 as described above in connection with FIG. 8. In yet other embodiments, the loading mechanism 8940 establishes the virtualization layer 8922. In one embodiment, the computing device 8910 establishes a virtualization layer 8922 in which a virtual machine service component executes.
  • In one embodiment, the virtualization layer 8922 has been established prior to the mobile device 9005 connecting to the computing device 8910. For example, the virtualization layer 8922 may have been established for another user environment 8920′ or during a previous connection of the same or different mobile computing device 9005. In some embodiments, the computing device 8910 and/or loading mechanism 8940 establishes the virtualization layer 8922 and actuates, starts, or executes a session management component 1300 and/or hypervisor 8923. In other embodiments, the computing device 8910 and/or loading mechanism 8940 executes the session management component 1300 and/or hypervisor 8923 upon loading or executing a virtual machine 8925.
  • In some embodiments, the computing device 8910 establishes, executes or otherwise provides the computing environment 8920′ based on the portable computing environment 8920. In one embodiment, the computing device 8910 and/or loading mechanism 8940 accesses the virtual image 8925 from the mobile computing device 9005 and loads or executes the virtual machine image 8925 as a virtual machine 8925 in the established virtualized environment 8922. In another embodiment, the computing device 8910 and/or loading mechanism 8940 automatically loads, executes or otherwise establishes the computing environment 8920 with the virtualization layer 8922 upon detection of a connection over network 150. In still another embodiment, the computing device 8910 and/or loading mechanism 8940 automatically loads, executes or otherwise establishes the computing environment 8920 and the virtualization layer 8922 upon detection of existence or identification of the portable computing environment 8920 on the mobile computing device 9005.
  • In some embodiments, a user may select the virtual machine image 8925 from the mobile computing device 9005 for execution as a virtual machine 8925 via any type and form of user interface. In one of these embodiments, the virtualization software 8921, virtualization layer 8922, hypervisor 8923, or loading mechanism 8940 may display a user interface for a user to identify a virtual image 8925, and/or to execute a virtual machine 8925 based on a virtual image 8925. In another of these embodiments, a client, such as an ICA client, an RDP client, or an X11 client, executes on the computing device 8910 and provides the user interface to the user.
  • In some embodiments, a user may access, read, and/or write user data 8930 during the course of using the established user environment 8920′. In one of these embodiments, the user of the host computing device 8910 may access, read and/or write the user data 8930 to the mobile computing device 9005. In another of these embodiments, the user of the computing device 8910 may edit or modify user data 8930 or may create new data and information in user data 8930.
  • In other embodiments, a user of the computing device 8910 may access, read, and/or write user data to the storage element 128′ of the computing device 8910. In still other embodiments, the computing device 8910 may synchronize user data 8930 on the computing device 8910 with user data 8930 on the mobile computing device 8905. In one of these embodiments, the computing device 8910 uses the virtualization layer 8922 or the loading mechanism 8940 to synchronize the user data 8930. In yet other embodiments, the mobile computing device 9005 may have a program or application for synchronizing data, such as files and folders, between the mobile computing device 9005 and the computing device 8910.
  • In one embodiment, the mobile computing device 9005 may disconnect from the computing device 8910. In some embodiments, the mobile computing device 9005 may disconnect at any point in time during the use of the established computing environment 8920′. In other embodiments, the mobile computing device 9005 may disconnect after the computing environment 8920′ is terminated on the computing device 8910. In still other embodiments, the user environment 8920′ is automatically terminated upon disconnection of the mobile computing device 9005 from the computing device 8910. In one embodiment, the computing environment 8920′ may remain established on the computing device 8910 after the mobile computing device 9005 disconnects from the computing device 8910. In some embodiments, once the computing environment 8920′ is established on the computing device 8910, the mobile computing device 9005 may be disconnected.
  • In some embodiments, the mobile computing device 9005 can access, read, and/or write user data 8930 to any portion of the portable computing environment 8920. For example, in one embodiment, although the portable computing environment 8920 is not established or virtualized on computing device 8910, the mobile computing device 9005 can still access, read, and/or write to and from the user data 8930. In one embodiment, the user may use a first application in the established computing environment 8920′ to access a file of the user data 8930. In another embodiment, the user may use a second application on the mobile computing device 9005 to access the same file of the user data 8930. In some embodiments, the virtualization software 8921 or virtual machine image 8925 allows access to the user data 8930, even though virtualization software 8921 or virtual image 8925 is not executing or operating.
  • In some embodiments, the computing device 8910, loading mechanism 8940, or the virtualized layer 8920 provides a user interface for the user to select a portable computing environment from storage to establish the computing environment 8920. For example, the mobile computing device 9005 or the computing device 8910 may have a portable computing environment selection mechanism, as discussed in greater detail below. In other embodiments, the computing device 8910, loading mechanism 8940, or the virtualized layer 8922 uses one of the plurality of portable computing environments based on a characteristic of the computing device 8910, such as an operating system type, or based on user data identifying the portable computing environment to use for the computing device 8910.
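The loading decisions described above for FIG. 91B (selecting an environment from user data or host operating system type, refusing unauthenticated or unauthorized users, locating the image on the device or at a URL, and choosing where the virtualization software comes from) can be modelled as follows. This is an added example, not part of the patent; every class, field and function name and all sample data are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

class AccessDenied(Exception):
    """User is unauthenticated or not authorized for the environment."""

class ImageUnavailable(Exception):
    """Image is stored at a network location the host cannot reach."""

class NeedsUserChoice(Exception):
    """Automatic selection was not possible; a user interface must ask."""
    def __init__(self, candidates):
        super().__init__("user must select a portable computing environment")
        self.candidates = candidates

@dataclass
class PortableEnvironment:            # one portable computing environment on the device
    name: str
    host_os_types: tuple              # host operating system types it is intended for
    image_location: str               # path on the device, or a URL kept in user data
    virtualization_version: tuple     # version of the virtualization software on the device
    encrypted: bool = False           # image stored in an encrypted format
    authorized_users: frozenset = frozenset()

@dataclass
class Host:                           # the computing device the mobile device connects to
    host_id: str
    os_type: str
    virtualization_version: Optional[tuple]  # None: no virtualization software installed
    network_available: bool = True

@dataclass
class LaunchPlan:
    environment: str
    image_source: str                 # "device" or "network"
    virtualization_source: str        # "host", "device" or "device-update"
    decrypt_first: bool

def select_environment(envs, host, preferences):
    """Pick by user data naming an environment for this host, else by host OS type."""
    by_name = {e.name: e for e in envs}
    preferred = by_name.get(preferences.get(host.host_id))
    if preferred is not None:
        return preferred
    matches = [e for e in envs if host.os_type in e.host_os_types]
    if len(matches) == 1:
        return matches[0]
    # Zero or several matches: fall back to selection through a user interface.
    raise NeedsUserChoice([e.name for e in (matches or envs)])

def plan_launch(envs, host, user, authenticated, preferences):
    """Return the LaunchPlan for this connection, or raise one of the exceptions above."""
    if not authenticated:
        raise AccessDenied("unauthenticated user")
    env = select_environment(envs, host, preferences)
    if user not in env.authorized_users:
        raise AccessDenied(f"{user} is not authorized for {env.name}")

    # The image is either on the mounted device or at a URL recorded in user data.
    if env.image_location.startswith(("http://", "https://")):
        if not host.network_available:
            raise ImageUnavailable(env.image_location)
        image_source = "network"
    else:
        image_source = "device"

    # Use the host's virtualization software unless it is absent or older
    # than the copy carried on the device.
    if host.virtualization_version is None:
        virtualization_source = "device"
    elif env.virtualization_version > host.virtualization_version:
        virtualization_source = "device-update"
    else:
        virtualization_source = "host"

    return LaunchPlan(env.name, image_source, virtualization_source, env.encrypted)

# Constructed sample data (not from the patent).
ENVIRONMENTS = [
    PortableEnvironment("work-desktop", ("windows",), "images/work.img",
                        (2, 1), True, frozenset({"alice"})),
    PortableEnvironment("home-desktop", ("windows", "linux"),
                        "https://images.example.invalid/home.img",
                        (2, 1), False, frozenset({"alice", "bob"})),
    PortableEnvironment("portable-apps", ("macos",), "images/apps.img",
                        (1, 0), False, frozenset({"alice"})),
]
PREFERENCES = {"office-pc": "work-desktop"}   # user data: environment to use per host

if __name__ == "__main__":
    host = Host("office-pc", "windows", (2, 0))
    print(plan_launch(ENVIRONMENTS, host, "alice", True, PREFERENCES))
```
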
  • Referring now to FIG. 92A, in one embodiment, the computing device 8910 further comprises a computing environment selector 9250. In brief overview, FIG. 92A depicts a mobile computing device 9005 connected to a computing device 8910 via a network 150. The mobile computing device 9005 further comprises a storage element 128, an I/O device or interface 130, and a loading mechanism 8940. The mobile computing device 9005 stores one or more portable computing environments 8920 a-8920 n in storage element 128. In some embodiments, the storage element 128 comprises a storage device, such as the storage device 8905 described above in connection with FIGS. 90A and 90B.
  • In some embodiments, the mobile computing device 9005 does not have a user input I/O device 130 and/or a user output I/O device 130. In other embodiments, the mobile computing device 9005 obtains or derives power from the connection to the computing device 8910, such as, for example, from a USB connection. In still other embodiments, the mobile computing device 9005 is a card of the following type: CompactFlash, Memory Stick, MultiMediaCard, Secure Digital, or SmartMedia.
  • In one embodiment, the storage element 128 stores a plurality of computing environments and a plurality of virtual machine images. In another embodiment, the storage element 128 stores one or more of a plurality of virtual machine images providing one of a different operating system or a different application than at least one virtual machine image accessible to the computing device. In still another of these embodiments, the storage element 128 stores one of the data associated with at least one computing environment and the at least one virtual machine image in an encrypted format.
  • In some embodiments, the mobile computing device 9005 stores data associated with at least one portable computing environment 8920. In one of these embodiments, the mobile computing device 9005 stores data associated with a plurality of portable computing environments 8920 a-8920 n. In another of these embodiments, each of the portable computing environments 8920 a-8920 n comprises the same virtualization software 8921 a-8921 n. In still another of these embodiments, the portable computing environments 8920 a-8920 n comprise different virtualization software 8921 a-8921 n.
  • In other embodiments, the portable computing environments 8920 a-8920 n may comprise at least one virtualization software 8921 a that is the same as another virtualization software 8921 b. In other embodiments, the portable computing environments 8920 a-8920 n may comprise at least one virtualization software 8921 a that is different from another virtualization software 8921 b. In yet another embodiment, there may be one copy of the virtualization software 8921 to be used for each of the virtual images 8925 a-8925 n in storage 128.
  • In one embodiment, one or more of the virtual machine images 8925 a-8925 n provides access to the same operating system or are used on the same operating system. In another embodiment, one or more of the virtual machine images 8925 a-8925 n comprises a different operating system or executes on a different operating system. In some embodiments, the virtual machine images 8925 a-8925 n share the same user data 8930. In other embodiments, the virtual machine images 8925 a-8925 n may each have distinct sets of user data 8930 a-8930 n. In one embodiment, one of the virtual machine images 8925 a-8925 n may provide access to a first computing environment, for example, a work desktop environment. In another embodiment, one of the virtual machine images 8925 a-8925 n may provide access to a second computing environment, for example, a home desktop environment. In some embodiments, a virtual machine image 8925 a-8925 n may provide access to a computing environment comprising a set of one or more portable applications of the user. The mobile computing device 9005 may store any desired set of one or more user environments 8920 a-8920 n.
  • The mobile computing device 9005 includes a connector for connecting the mobile computing device 9005 to a computing device, such as the computing device 8910. In one embodiment, the connector is connectable to a computing device 8910 via one of the following: a wireless connection, a USB connection, a Firewire connection, a Bluetooth connection, a Wi-Fi connection, a network connection, and a docking connection.
  • The mobile computing device 9005 includes a loading mechanism 8940 for automatically loading the at least one computing environment from the storage element onto a computing device upon connection of the mobile computing device to the computing device via the connector. In one embodiment, the loading mechanism 8940 automatically installs the at least one computing environment on the computing device 8910. In another embodiment, the loading mechanism 8940 automatically executes the at least one computing environment on the computing device 8910. In still another embodiment, the loading mechanism 8940 accesses at least one virtual machine image stored in the storage element 128 to execute a virtual machine, the virtual machine providing access to a computing environment.
  • In some embodiments, the mobile computing device 9005 includes a user interface provided for a user to select one virtual machine image to execute on the computing device 8910 from a plurality of virtual machine images. In other embodiments, the computing device 8910 provides the user interface.
  • In one embodiment, a selection mechanism, such as a computing environment selector 9250, provides a user interface for a user to select one of the portable computing environments 8920 a-8920 n to execute or establish on the computing device 8910. The computing environment selector 9250 may comprise software, hardware, or any combination of software and hardware. In some embodiments, the computing environment selector 9250 has a graphical user interface providing a list of the one or more portable computing environments 8920 a-8920 n stored in the mobile computing device 9005. In other embodiments, the computing environment selector 9250 may comprise a command line interface. In one embodiment, the computing environment selector 9250 comprises software, stored on or provided by either the mobile computing device 9005 or the computing device 8910. In one embodiment, the virtualized software 8921, virtualized layer 8922 or portable computing environment 8920 comprises the computing environment selector 9250. In another embodiment, the computing environment selector 9250 is executed on the mobile computing device 9005. In some embodiments, the computing environment selector 9250 comprises a hardware and software mechanism on the mobile computing device 9005 for a user to select one of the portable computing environments 8920 a-8920 n. For example, the mobile computing device 9005 may provide, via a screen or visual display unit, a text-based user interface with a thumb wheel to select a portable computing environment 8920 a-8920 n.
  • Referring now to FIG. 92B, a flow diagram depicts another embodiment of the steps taken in a method for establishing a computing environment on a computing device via a mobile computing device. By connecting the mobile computing device 9005 carrying a portable computing environment 8920 a-8920 n to a computing device 8910, a user establishes a virtualized computing environment 8920′ on the computing device 8910. In brief overview, at step 9255, the mobile computing device 9005 is connected to the computing device 8910, and at step 9260, the computing device 8910 detects the connection. At step 9265, and in some embodiments, the user selects a portable computing environment 8920 a-8920 n from storage to be used on the computing device 8910. At step 9270, a portable computing environment 8920 a-8920 n in the storage element 128 is decrypted. At step 9275, the virtualization software 8921 is automatically loaded on the computing device 8910. At step 9280, the computing device 8910 executes a virtual machine 8925′ in the virtualized environment 8922 based on the portable computing environment 8920 a-8920 n, such as by accessing virtual image 8925. At step 9285, the computing device 8910 controls access to the computing device 8910 via the virtualized computing environment 8920′.
  • In further detail, at step 9255, the mobile computing device 9005 is connected to the computing device 8910 by any suitable means and/or mechanisms. At step 9260, the computing device 8910 detects the connection. In some embodiments, the operating system of the computing device 8910 detects connection of the mobile computing device 9005. In other embodiments, a device manager detects the connection of the mobile computing device 9005. In still other embodiments, a plug-and-play manager detects the connection of the mobile computing device 9005. In other embodiments, a device driver for the computing device 8910 detects the connection. In yet another embodiment, the loading mechanism 8940′ detects the connection of the mobile computing device 9005.
  • In some embodiments, upon detection of the connection, the computing device 8910 may automatically install, load, and execute a device driver, software, application, process, service, thread or task to perform any of the operations described herein, as described above in connection with FIGS. 89A and 89B, FIGS. 90A and 90B, and FIGS. 91A and 91B. In other embodiments, upon detection of the connection, computing device 8910 may perform any type and form of authentication and authorization of the user of the mobile computing device 9005.
  • At step 9265, the user selects a portable computing environment 8920 a-8920 n from storage element 128 to establish as the computing environment 8920′ on the computing device 8910. For example, the user may identify or select, via the computing environment selector 9250, the portable computing environment 8920 a-8920 n to run on the computing device 8910. In one embodiment, the computing device 8910 displays a user interface providing a list of portable computing environments 8920 a-8920 n from the mobile computing device 9005 for the user to select to establish on the computing device 8910. In some embodiments, the computing device 8910 executes an application program identified via the storage element 128 of the mobile computing device 9005, such as via an autorun file. In another embodiment, the mobile computing device 9005 has a visual display unit displaying a user interface for the user to select one of the portable computing environments 8920 a-8920 n. In some embodiments, one of the portable computing environments 8920 a-8920 n is identified as a default computing environment 8920 to establish on the computing device 8910. In another embodiment, the portable computing environments 8920 a-8920 n are identified in an order of preference or priority. In one embodiment, the mobile computing device 9005 comprises one portable computing environment 8920. In this embodiment, the portable computing environment 8920 may not need to be selected by the user and is automatically used by the computing device 8910. In another embodiment, although there is one portable computing environment 8920 on the mobile computing device 9005, the user may select the one portable computing environment 8920.
  • At step 9270, the computing device 8910 may perform decryption on any portion of storage element 128 which may be encrypted. In one embodiment, the storage element 128 comprises an encrypted file system. In another embodiment, the virtualization software 8921, virtual image 8925 and/or user data 8930, or any portions thereof may be encrypted. In one embodiment, the computing device 8910 decrypts the portion of storage 128 using a key via the loading mechanism 8940′, the virtualization layer 8920, or another set of executable instructions. In some embodiments, the key may be a public key. In other embodiments, the key may be a private key. In one embodiment, the decryption key may be identity-based, such as based on the identity of a user authenticated via the computing device 8910. In another embodiment, the user's authentication credentials, such as user id and/or password, may be used to generate or obtain a key for decryption. For example, the user's authentication credentials may be used to obtain a key stored in the database. In another embodiment, the computing device 8910 generates a private key based on performing an algorithm on the user's authentication credentials and a public key, such as a public key provided by a trusted third party. In yet another embodiment, the mobile computing device 9005 may store a key that is used by the computing device 8910 to authenticate the user and/or generate a decryption key. In some embodiments, the computing device 8910 uses a ticket authority to obtain a ticket for decrypting the encrypted portions of storage 128. Any type and form of authentication technologies may be used in performing the operations described herein, such as password based authentication or biometric authentication. In one embodiment, a token is used to provide two-factor authentication, such as a token manufactured by RSA Security Inc. of Bedford, Mass.
  • At step 9275, the computing device 8910 provides or establishes the virtualization layer 8922 on the host computing device 8910 as described above in connection with FIGS. 89A-89B, FIGS. 90A-90B, and FIGS. 91A-91B.
  • At step 9280, the computing device 8910 automatically loads, executes or otherwise establishes a virtual machine 8925 a-8925 n to provide access to a portable computing environment 8920 a-8920 n on the virtualized layer 8922. In one embodiment, the computing device 8910 and/or loading mechanism 8940 accesses the virtual machine image 8925 a-8925 n from the storage element 128 and loads or executes the virtual machine image 8925 a-8925 n as a virtual machine 8925′ in the established virtualized environment 8922. In another embodiment, the computing device 8910 loads, executes or establishes a virtual machine as described above in connection with FIGS. 89A-89B, FIGS. 90A-90B, and FIGS. 91A-91B.
  • At step 9285, in some embodiments, the computing environment 8920′ or virtual machine 8925 is established in a secured manner. In one embodiment, the established computing environment 8920′ protects access to user data 8930 or portions of the computing environment 8920 from the environment of the computing device 8910 external to the computing environment 8920′. In one embodiment, the virtualization software 8921 and/or virtualization layer 8922 ensures that contents of the virtual machine 8925′ remain secure while running on the computing device 8910. In some embodiments, the virtualization software 8921 and/or virtualization layer 8922 ensures that no input or no output is made available to the environment of the computing device 8910 in a persistent fashion. For example, in one embodiment, the virtualization software 8921 and/or virtualization layer 8922 may disable clipboard access between the host environment and the virtual machine 8925′. In another embodiment, the virtualization software 8921 and/or virtualization layer 8922 disables access to a file system, or portion thereof, of the computing device 8910. In other embodiments, the virtualization software 8921 and/or virtualization layer 8922 prevents paging by the virtual machine 8925′ to the page file of the computing device 8910. In one embodiment, the virtual machine 8925′ uses the storage element 128 on the mobile computing device 9005 for file and data operations. In some embodiments, the virtualization layer 8922 acts as a firewall between the virtual machine 8925′ and the host environment. In yet another embodiment, the virtualization software 8921 and/or virtualization layer 8922 may provide a configuration mechanism, such as a user interface, to select which actions may be performed and/or data shared between the computing device 8910 and the virtual machine 8925′.
  • Although this method is generally discussed as establishing a computing environment 8920′ from one of a plurality of portable computing environments 8920 a-8920 n, a plurality of computing environments 8920′, 8920″ may be established on the computing device 8910. For example, a first computing environment 8920′ may be established on the computing device 8910 using a first portable computing environment 8920 a from the mobile computing device 9005, and a second computing environment 8920″ may be established on the computing device 8910 using a second portable computing environment 8920 b from the mobile computing device 9005.
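One way to implement the selection at step 9265 and the credential-derived key at step 9270, as an added example that is not code from the patent. The record layout, function names, PBKDF2 parameters and the integrity tag checked before any decryption or execution are assumptions of this example; the encrypted image is treated as opaque bytes and all sample data is constructed.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import List, Optional, Tuple

PBKDF2_ITERATIONS = 200_000  # assumed work factor, not a value from the patent


@dataclass
class EnvironmentRecord:
    """One portable computing environment on the storage element (hypothetical layout)."""
    name: str
    priority: int       # lower value = preferred
    is_default: bool
    salt: bytes         # per-environment random salt (16 bytes)
    ciphertext: bytes   # encrypted virtual machine image, opaque here
    tag: bytes          # HMAC-SHA256 over name, salt and ciphertext


def derive_keys(user_id: str, password: str, salt: bytes) -> Tuple[bytes, bytes]:
    """Generate key material from the user's authentication credentials."""
    material = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"),
        salt + user_id.encode("utf-8"), PBKDF2_ITERATIONS, dklen=64)
    return material[:32], material[32:]  # (decryption key, MAC key)


def _record_tag(mac_key: bytes, name: str, salt: bytes, ciphertext: bytes) -> bytes:
    # Length-prefix the name so the fields cannot be shifted into one another.
    name_bytes = name.encode("utf-8")
    msg = len(name_bytes).to_bytes(4, "big") + name_bytes + salt + ciphertext
    return hmac.new(mac_key, msg, hashlib.sha256).digest()


def seal_environment(name: str, priority: int, is_default: bool, user_id: str,
                     password: str, ciphertext: bytes) -> EnvironmentRecord:
    """Provisioning side: bind an encrypted image to the user's credentials."""
    salt = os.urandom(16)
    _, mac_key = derive_keys(user_id, password, salt)
    tag = _record_tag(mac_key, name, salt, ciphertext)
    return EnvironmentRecord(name, priority, is_default, salt, ciphertext, tag)


def select_environment(records: List[EnvironmentRecord],
                       choice: Optional[str] = None) -> EnvironmentRecord:
    """Step 9265: explicit user choice, else the default, else best priority."""
    if not records:
        raise ValueError("no portable computing environment on the device")
    if choice is not None:
        for rec in records:
            if rec.name == choice:
                return rec
        raise KeyError(choice)
    defaults = [rec for rec in records if rec.is_default]
    return defaults[0] if defaults else min(records, key=lambda r: r.priority)


def unlock_environment(rec: EnvironmentRecord, user_id: str, password: str) -> bytes:
    """Step 9270 gate: return the decryption key only if the credentials match
    and the stored image is unmodified; fail closed before anything is loaded."""
    enc_key, mac_key = derive_keys(user_id, password, rec.salt)
    expected = _record_tag(mac_key, rec.name, rec.salt, rec.ciphertext)
    if not hmac.compare_digest(expected, rec.tag):
        raise PermissionError("wrong credentials or modified image: " + rec.name)
    return enc_key


def build_sample_device() -> List[EnvironmentRecord]:
    """Constructed sample data standing in for storage element 128."""
    return [
        seal_environment("home-desktop", 2, False, "alice",
                         "correct horse battery staple", b"constructed-image-home"),
        seal_environment("work-desktop", 1, True, "alice",
                         "correct horse battery staple", b"constructed-image-work"),
    ]


if __name__ == "__main__":
    device = build_sample_device()
    chosen = select_environment(device)
    key = unlock_environment(chosen, "alice", "correct horse battery staple")
    print(chosen.name, "unlocked, key length", len(key))
```

Because the tag is checked before the key is released, a wrong password and an image altered while the mobile device was out of the user's hands are rejected the same way, and nothing from the storage element is decrypted or executed in either case.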
  • Referring now to FIGS. 93A-93D, block diagrams depict embodiments of systems and methods for providing to a mobile computing device one or more hardware resources. The hardware resource may provide access to resources, such as a processor or memory with greater power, size, capacity or performance as compared to corresponding resources of the mobile computing device. FIG. 93A depicts an embodiment of a mobile computing device 9005 connecting to a docking station or device having a processor, memory and other computing resources for use by the mobile computing device. FIG. 93B depicts an embodiment of a mobile computing device connecting to a second hardware resource, via a docking mechanism, to use a processor, memory and/or resources of the second hardware resource. FIG. 93C depicts an embodiment of a docking station providing connectivity to a second hardware resource, such as a computing device, to use a processor, memory and/or resources of the second hardware resource. FIG. 93D depicts one embodiment of the steps taken in a method of providing to a mobile computing device one or more hardware resources, as described in the environments illustrated in FIGS. 93A-93C. In some embodiments, a portable computing environment may be established on the hardware resource in accordance with any of the systems and methods described in conjunction with FIGS. 89A-89B, 90A-90B, 91A-91C, 92A-92B. In other embodiments, the computing environment of the mobile computing device is accessed using the processor, memory, and/or resources of the hardware resource.
  • Referring now to FIG. 93A, in brief overview, the depicted system includes a mobile computing device 9005 connected to a hardware resource 9302. The mobile computing device 9005 has a central processing unit 102. The hardware resource 9302 has a central processing unit 102′. In one embodiment, the hardware resource 9302 includes a docking station 9310 providing access to the hardware resource 9302. In another embodiment, the docking station 9310 includes a processor 102′ and memory 122′. In still another embodiment, the mobile computing device provides the functionality of a mobile computing device 9005 as described above in connection with FIGS. 90A, 90B, 91A, 91B, 92A, and 92B.
  • The mobile computing device 9005 comprises a connection mechanism 9305 for connecting the mobile computing device 9005 to the hardware resource 9302. The mobile computing device 9005 uses the central processing unit 102 to effect an initial quanta of work and uses the central processing unit 102′ of the hardware resource 9302 to effect subsequent quanta of work when connected to the hardware resource 9302. In one embodiment, the mobile computing device 9005 uses the connection mechanism 9305 to switch to using the processing or computing capabilities of the hardware resource 9302 upon or after connecting to the hardware resource 9302. For example, the mobile computing device 9005 may execute a computing environment 8920 on the hardware resource 9302 after connecting to the docking station 9310.
  • In one embodiment, the mobile computing device 9005 connects to the hardware resource 9302 via a connection across network 150. In another embodiment, the mobile computing device 8905 is docked to the hardware resource 9302 via an I/O device mechanism 130 a-130 n designed and constructed to connect to, and/or interface or communicate with the type and form of mobile computing device 9005. In one embodiment, the mobile computing device 9005 is docked to the hardware resource 9302 via a docking connector. For example, one of the devices 9005 or 9310 may have a docking connector, and one of the devices 9005 or 9310 may have a corresponding interface or connection mechanism designed to receive the connector.
  • The connection mechanism 9305 may comprise software, hardware, or any combination of software and hardware enabling the mobile computing device 9005 to access the hardware resource 9302. In some embodiments, the connection mechanism 9305 comprises any type and form of integrated circuit, such as a Field Programmable Gate Array (FPGA), Programmable Logic Device (PLD), or Application Specific Integrated Circuit (ASIC) capable of performing any of the operations described herein.
  • In one embodiment, the connection mechanism 9305 comprises one of the following: a wireless connection, a USB connection, a Firewire connection, a Bluetooth connection, a Wi-Fi connection, a network connection, and a docking connection.
  • In some embodiments, the connection mechanism 9305 enables the system or mother board of the mobile computing device 9005 to use a processor 102′ and/or memory 122′ of the hardware resource 9302. In other embodiments, the connection mechanism 9305 communicates with any system or data bus of the mobile computing device 9005 to transmit and receive signals directing the mobile computing device 9005 to use a resource of the hardware resource 9302, such as the processor 102′ and memory 122′ of the docking station 9310. In some embodiments, the connection mechanism 9305 may communicate with a system or data bus of the hardware resource 9302 to enable the use of resources of the hardware resource 9302 by the mobile computing device 9005.
  • In one embodiment, the connection mechanism 9305 may have the mobile computing device 9005 reboot, restart or reset when connected or docked to the hardware resource 9302. In another embodiment, the connection mechanism 9305 may allow real-time switching to use a computing resource of the hardware resource 9302 without a reboot or restart. In some embodiments, the connection mechanism 9305 transfers data from memory 122 on the mobile computing device 9005 to memory 122′ of hardware resource 9302. In other embodiments, the connection mechanism 9305 transfers execution of a process from a processor 102 on the mobile computing device 9005 to processor 102′ of the hardware resource 9302. In still other embodiments, the mobile computing device 9005 transfers central processing control and management to the hardware resource 9302. In yet other embodiments, the connection mechanism 9305 provides for the use of the processor 102 and/or memory 122 on the mobile computing device 9005 in conjunction with the processor 102′ and/or memory 122′ of the hardware resource 9302. For example, when connected to the hardware resource 9302, the mobile computing device 9005 may operate as a multi-processor device.
  • In some embodiments, the mobile computing device 9005 and/or connection mechanism 9305 maintains the state of the processor 102 and/or memory 122 on the mobile computing device 9005. As such, in some of these embodiments, upon disconnection from the hardware resource 9302, the mobile computing environment 9005 continues from a state prior to connection to the hardware resource 9302. In others of these embodiments, the connection mechanism 9305 transfers data, information, and execution or control from a processor 102′ and/or memory 122′ to the processor 102 and/or memory 122 of the mobile computing device 9005.
  • In one embodiment, the connection mechanism 9305 comprises any type and form of user interface to receive user input regarding connection to the hardware resource 9302, use of hardware resources, and transfer of data and control between hardware resources. For example, the connection mechanism 9305 may display a graphical user interface upon docking to the hardware resource 9302 for the user to setup, configure, control and/or manage the use of the hardware resource 9302.
  • In some embodiments, the hardware resource 9302 uses the storage element 128 of the mobile computing device 9005 to provide access to a computing environment. In one of these embodiments, the hardware resource 9302 executes an operating system stored in storage element 128 of the connected mobile computing device 9005. In another of these embodiments, the hardware resource 9302 mounts the storage element 128 of the connected mobile computing device 9005 for access by the hardware resource 9302. In still another of these embodiments, the user uses the operating system or computing environment of the hardware resource 9302 but executes applications and accesses data on the storage element 128 of the mobile computing device 9005. In yet another of these embodiments, the mobile computing device 9005 may store portable applications to execute in the hardware resource 9302.
  • In one embodiment, the hardware resource 9302 executes a virtual machine to provide access to a computing environment stored in the mobile computing device 9005. In another embodiment, the hardware resource 9302 executes a virtual machine, the virtual machine providing access to a virtualized computing environment. In still another embodiment, a file from a storage location provided by the mobile computing device 9005 is accessed by a user via the hardware resource 9302 when the mobile computing device 9005 is connected to the hardware resource 9302, and the file is accessed by the user, via the mobile computing device 9005, when the mobile computing device 9005 is not connected to the hardware resource 9302.
  • Still referring to FIG. 93A and in one embodiment, the hardware resource 9302 comprises a docking station 9310, the docking station 9310 comprising a computer system 100. In some embodiments, the docking station 9110 may be any type and form of computer system 100, as described above in connection with FIGS. 1A-1B. In one of these embodiments, and as described in connection with FIGS. 1A-1B, the docking station 9110 may comprise components including, but not limited to, a processor 102′, memory 122, storage 128, a network interface 118′, and/or one or more I/O devices 130 a-130 n′. In another of these embodiments, the docking station 9110 is connected to a display device 124, a keyboard 126, and/or a pointing device 127. The docking station 9310 may also be connected to or provide access to other hardware resources and computing peripherals. In some embodiments, the docking station 9310 provides access to resources of another computer system 100 via a network 150.
  • In one embodiment, the hardware resource 9302 has a processor 102′ having a higher processor speed than the processor 102 of the mobile computing device 9005. In another embodiment, the hardware resource 9302 has a processor 102′ comprising a processor architecture different than a processor architecture of the processor 102 of the mobile computing device 9005. In still another embodiment, the mobile computing device 9005 uses the processor 102 to effect an initial quanta of work and, upon connection to the hardware resource 9302 via the connection mechanism 9305, uses the processor 102′ to effect a subsequent quanta of work. In yet another embodiment, the mobile computing device 9005 determines that a memory 122′ of the hardware resource 9302 has a memory size larger than a memory size of a memory 122 of the mobile computing device 9005 and uses the memory 122′ of the hardware resource 9302 to effect subsequent quanta of work.
  • In some embodiments, the mobile computing device 9005 uses a first operating system executing on the first central processing unit when not connected to the hardware resource and a second operating system executing on the second central processing unit when connected to the hardware resource. In one of these embodiments, the second operating system is different than the first operating system.
  • Referring now to FIG. 93B, another embodiment of the hardware resource 9302 and the mobile computing device 9005 is depicted. In brief overview, the mobile computing device 9005 connects to a docking station 9310 across a network 150, and in turn, docking station 9310 connects to a computing device 8910. In this embodiment, the hardware resource 9302 includes a docking station 9310 connected to or in communication with a computing device 8910. Instead of providing resources, such as a processor 102′ and memory 122′ as depicted in FIG. 93A, the docking station 9310 provides access to resources of a second computing device 8910 via the connection across network 150′. In one embodiment, after connection to the docking station 9310, the mobile computing device 9005 uses resources of the computing device 8910 via connections across networks 150 and 150′.
  • Referring now to FIG. 93C, another embodiment of the hardware resource 9302 and the mobile computing device 9005 is depicted. In brief overview, the mobile computing device 9005 connects to the computing device 8910 via docking mechanism 9310. In this embodiment, the hardware resource 9302 includes a computing device 8910 having a docking mechanism 9310, such as an I/O device or mechanism 130, to dock the mobile computing device 9005. After connection via docking mechanism 9310, the mobile computing device 9005 uses the resources of the computing device 8910, such as a processor and/or memory. In some embodiments, the hardware resource 9302 provides the mobile computing device 9005 with access to a peripheral computing device.
  • In any of the embodiments depicted in FIGS. 93A-93C, the hardware resource 9302 may provide resources and capabilities offering improved power, performance, or other operating or performance characteristics desired by the user of the mobile computing device 8905 or suitable for one or more applications of the mobile computing device, as described in more detail above in connection with FIGS. 89A-89B, 90A-90B, 91A-91B, and 92A-92B.
  • Referring now to FIG. 93D, a flow diagram depicts one embodiment of the steps taken in a method for providing to a mobile computing device one or more hardware resources. In brief overview, the mobile computing device uses a first central processing unit of the mobile computing device 9005 to effect an initial quanta of work (step 9355). The mobile computing device 9005 connects to a hardware resource 9302 including a second central processing unit (step 9360). The mobile computing device uses a second central processing unit of the hardware resource 9302 to effect subsequent quanta of work (step 9365).
  • A mobile computing device uses a first central processing unit to effect an initial quanta of work (step 9355). In one embodiment, the mobile computing device is a computer 100 as described above in connection with FIGS. 1A and 1B. In another embodiment, the mobile computing device is a mobile computing device 9005 as described above in connection with FIGS. 90A-92B.
  • The mobile computing device 9005 connects to a hardware resource 9302 including a central processing unit (step 9360). In one embodiment, the mobile computing device 9005 connects to the hardware resource 9302 by any suitable means and/or mechanisms. In some embodiments, the mobile computing device 8905 connects or docks to a docking station 9310 providing one or more resources. In one of these embodiments, the mobile computing device 9005 connects to a docking station 9310 having a processor 102′ and/or memory 122′. In another of these embodiments, the mobile computing device 9005 connects to a docking station 9310 providing a connection to a second computing device 8910, the second computing device 8910 including a processor 102′. In still another of these embodiments, the mobile computing device 9005 connects or docks to a docking mechanism 9310 of a host computing device 8910.
  • In some embodiments, the mobile computing device 8905 and the docking station 9110 may connect via any type and form of connection, wired, wireless or otherwise, including, but not limited to, via a wireless connection, a Wi-Fi connection, a USB connection, a Firewire connection, a Bluetooth connection, a network connection, and a docking connection. The mobile computing device 8905 and docking station 9110 may communicate via any type and form of protocol, such as a device, bus, communication, application, data, or network protocol.
  • The mobile computing device 9005 uses a central processing unit of the hardware resource 9302 (step 9370). In one embodiment, the mobile computing device 9005 initiates use of a processor 102′ and/or memory 122′ of the hardware resource 9302 via a connection mechanism 9305. In another embodiment, the mobile computing device 9005 transfers execution control and management to the central processing unit of the hardware resource 9302. In still another embodiment, the mobile computing device 9005 transfers data and information to the processor and/or memory of the hardware resource 9302. In some embodiments, the mobile computing device 9005 uses the processor and/or memory of the hardware resource 9302 as a second processor and/or memory for the mobile computing device 9005.
  • In one embodiment, the mobile computing device 9005 connects to a hardware resource 9302 comprising one of the following: a first docking station having the second central processing unit; a second computing device having the second central processing unit; and a second docking station providing access to a third computing device having the second central processing unit.
  • In some embodiments, an application program on the mobile computing device 9005 executes in the processor 102′ and uses memory 122′ of the computing environment 9102 and displays on a visual display unit of the mobile computing device 9005. In other embodiments, an application program executing on the processor and using the memory of the hardware resource 9302 receives user input from an input device of the mobile computing device 9005. In still other embodiments, an application program executing on the processor and using the memory of the hardware resource 9302 displays on a display device 124 of the hardware resource 9302 while receiving input from an input mechanism of the mobile computing device 9005.
  • In one embodiment, an application program executing on the processor and using the memory of the hardware resource 9302 displays on a visual display unit of the mobile computing environment 9005 while receiving input from an input device of the hardware resource 9302, such as keyboard 126 and pointing device 127. In some embodiments, the computing environment of mobile computing device 9005 executes on the processor and memory of the mobile computing device 9005 but also uses a resource of the hardware resource 9302, such as a network connection, printer, display device, input device, or any I/O device 120.
  • In one embodiment, the mobile computing device 9005 determines that the second central processing unit has a processor speed greater than a processor speed of the first central processing unit and uses the second central processing unit of the hardware resource to effect subsequent quanta of work. In another embodiment, the mobile computing device 9005 determines that the second central processing unit has a processor architecture different than a processor architecture of the first central processing unit and uses the second central processing unit of the hardware resource to effect subsequent quanta of work. In still another embodiment, the mobile computing device 9005 identifies a memory of the mobile computing device 9005 and identifies a second memory of the hardware resource 9302. In yet another embodiment, the mobile computing device 9005 determines that the second memory of the hardware resource has a memory size larger than a memory size of the first memory of the mobile computing device and uses the second memory of the hardware resource to effect subsequent quanta of work.
  • In some embodiments, the hardware resource 9302 uses one or more resources of the mobile computing device 9005. In one of these embodiments, the hardware resource 9302 accesses a storage element or storage device of the mobile computing device 9005, such as the storage element 128. In some embodiments, the hardware resource 9302 mounts the storage element 128. In another of these embodiments, the hardware resource 9302 boots or reboots or otherwise establishes an environment based on a computing environment stored on the mounted storage element 128. In still another of these embodiments, the hardware resource 9302 uses the processor 102 and/or memory 122 of the mobile computing device 9005 in addition to the processor and/or memory of the hardware resource 9302.
  • In some embodiments, the hardware resource 9302 uses a display device and/or input device of the mobile computing device 9005. In other embodiments, the hardware resource 9302 executes a computing environment 8920′ based on a portable computing environment 8920 in the storage element 128 of the mobile computing device 9005. In some embodiments, the portable computing environment 8920 may execute in the hardware resource 9302 but display on and receive input from the mobile computing device 9005.
  • In one embodiment, the hardware resource 9302 provides the mobile computing device 9005 with access to a peripheral computing device of the hardware resource. In another embodiment, the mobile computing device 9005 uses a first operating system executing on the first central processing unit on the mobile computing device 9005 when not connected to the hardware resource 9302 and a second operating system executing on the second central processing unit of the hardware resource 9302 when connected to the hardware resource 9302. In still another embodiment, the first operating system is different than the second operating system. In yet another embodiment, a virtual machine executing on the hardware resource 9302 provides the mobile device 9005 with access to a first operating system. In some embodiments, the hardware resource 9302 executes a virtual machine to provide access to a computing environment stored in the mobile computing device 9005. In other embodiments, the mobile computing device 9005 provides access to a computing environment on the hardware resource 9302. In still other embodiments, a user accesses, via the hardware resource 9302, a file stored in the mobile computing device 9005 when the mobile computing device 9005 is connected to the hardware resource 9302, and the user accesses, via the mobile computing device 9005, the file stored in the mobile computing device 9005 when the mobile computing device 9005 is not connected to the hardware resource 9302.
  • In one embodiment, the mobile computing device 9005 uses a processor of the hardware resource 9302 to provide access to a computing environment stored on the mobile computing device 9005. In another embodiment, the mobile computing device 9005 uses a processor of the hardware resource 9302 to provide access to an operating system stored on the mobile computing device 9005. In still another embodiment, the mobile computing device 9005 uses a processor of the hardware resource 9302 to provide access to an application program stored on the mobile computing device 9005. In yet another embodiment, the mobile computing device 9005 uses a processor of the hardware resource 9302 to execute a virtual machine on the hardware resource, responsive to a virtual machine image stored on the mobile computing device. In some embodiments, the mobile computing device uses a processor of the hardware resource 9302 to provide access to a computing environment stored on the hardware resource.
  • Referring now to FIG. 94A, a block diagram depicts one embodiment of a mobile computing device having a plurality of processors. In brief overview, mobile computing device 9005 comprises a first processor 102 and a second processor 102′. The processors 102, 102′ may access a memory 122 and/or storage element 128 on the mobile computing device 9005. The mobile computing device 9005 includes a switching mechanism 9405 for switching between using the first processor 102 and the second processor 102′. In some cases, the mobile computing device 9005 may have a lower-powered processor 102 for minimal functionality or standby operations, and have a higher-powered processor 102 for normal operations or for applications suitable for or requiring more powerful processor capability. While mobile, the user may want to access features such as email, calendar, and contact information much like a PDA or smartphone. When accessing such applications, the mobile computing device 9005 may use the lower-powered processor 102 to lengthen battery life and conserve power. The user may at any time want to access an application having higher processor requirements or suitability. When accessing these applications, the mobile computing device 9005 may use the higher-powered processor 102′.
  • In further detail, the processor 102 and processor 102′ may be the same type and speed of processor. In other embodiments, the processor 102 and processor 102′ may be a different type and speed of processor. In some embodiments, processor 102 comprises a processing speed and/or capability greater than processor 102′. In other embodiments, processor 102′ comprises a processing speed and/or capability greater than the processor 102. In some embodiments, the processor 102 and 102′ are single core processors. In other embodiments, the processor 102 and 102′ are multiple core processors. In one embodiment, the processor 102 is a single core processor and processor 102′ is a multiple core processor, such as dual or quad core processor. In yet another embodiment, the processors 102 and 102′ comprise the same processor architecture and/or are manufactured by the same processor manufacturer. In other embodiments, the processors 102 and 102′ comprise different processor architectures and/or are manufactured by different processor manufacturers.
  • In some embodiments, a first processor 102 comprises operational characteristics designed and constructed for lower power consumption, longer battery life, performance and/or applications of a mobile or portable computing device. In one of these embodiments, a first processor 102 may be referred to as a low-powered CPU. In other embodiments, a second processor 102′ comprises operational characteristics designed and constructed for the power, performance and/or application requirements of a desktop computing environment, server computing environment, or otherwise a non-mobile computing environment. In one of these embodiments, the second processor 102′ may be referred to as a high-powered CPU. In other embodiments, the processor 102 provides a first level of processing or processor capability, and the second processor 102′ provides a second level of processing or processor capability. In one of these embodiments, the second level of capability is greater or higher than the first level. In another of these embodiments, the second level of capability is preferred over the first level. In still other embodiments, the mobile computing device uses the first processor for one or more applications suitable for the first level of power consumption and processing capability, and the mobile computing device uses the second processor for one or more applications suitable for the second level of power consumption and processing capability.
  • The switching mechanism 9405 enables the mobile computing device 9005 to switch between using a first processor 102 and a second processor 102′, or any plurality of processors. In some embodiments, the switching mechanism 9405 comprises any type and form of integrated circuit, such as a Field Programmable Gate Array (FPGA), Programmable Logic Device (PLD), or Application Specific Integrated Circuit (ASIC) capable of performing any of the operations described herein. In some embodiments, the switching mechanism 9405 enables the system or mother board of the mobile computing device 9005 to use a first processor 102. In some embodiments, the switching mechanism 9405 enables the system or mother board of the mobile computing device 8905 to use a second processor 102′. In one embodiment, the switching mechanism 9405 communicates with any system or data bus of the mobile computing device 9005 to transmit and/or receive signals directing the mobile computing device 9005 to use a second processor 102′ instead of a first processor 102, and likewise to use the first processor 102 instead of the second processor 102′. In some embodiments, the switching mechanism 9405 may interface and/or communicate with a system or data bus of the mobile computing device 9005 to transmit and/or receive signals to use both the first processor 102 and second processor 102′ instead of just the first processor 102 or the second processor 102′.
  • In another embodiment, the switching mechanism 9405 transfers data and execution from processor 102 to processor 102′ of the mobile computing device 9005. In some embodiments, the switching mechanism 9405 transfers central processing control and management from a first processor 102 to a second processor 102′, or from the second processor 102′ to the first processor 102. In one embodiment, the switching mechanism 9405 may have the mobile computing device 9005 reboot, restart or reset when switching between using a processor 102, 102′. In another embodiment, the switching mechanism 9405 may perform real-time switching from processor to processor.
  • In some embodiments, the switching mechanism 9405 identifies a condition, event or trigger upon which to switch between using one processor and another processor. In other embodiments, the switching mechanism switches to one of the first processor or the second processor based on a user selection. In one of these embodiments, the switching mechanism 9405 comprises a user interface, such as a graphical user interface or a command line user interface, for a user to identify, specify or configure the conditions, events or triggers for performing switching between processors. For example, the switching mechanism 9405 may switch, automatically, manually or otherwise, between a first processor 102 and a second processor 102′ based on any operational characteristics of the mobile computing device 9005 or the processors 102, 102′. In still other embodiments, the switch mechanism 9105 switches between use of a processor based on a level of load of the first processor or second processor. In yet other embodiments, the switch mechanism 9405 switches between use of a processor based on a level of activity, such as tasks, processes, or applications, of the first processor 102 or second processor 102′. In some embodiments, the switch mechanism 9405 switches between using a first processor and a second processor based on a level of consumption of power and/or battery life. In still another embodiment, the switch mechanism 9405 switches between use of a processor based on a type of application actuated or executed on the mobile computing device 9005.
  • In another embodiment, the switching mechanism 9405 comprises a user interface for the user to switch between processors 102, 102′. For example, using a hot key, set of key strokes, or selecting an icon in a task bar, a user may instruct, command or direct the mobile computing device 9005 and/or switching mechanism 9405 to switch between processors, use one processor instead of another, or use the plurality of processors 102, 102′ at the same time.
  • Referring now to FIG. 94B, a flow diagram depicts one embodiment of a method for switching, by a mobile computing device, between use of multiple processors. In brief overview, the mobile computing device uses a first processor designed and constructed to provide a first level of power consumption and processing capability (step 9455). The switching mechanism determines to switch the mobile computing device to using a second processor based on an operating characteristic of the mobile computing device, the second processor designed and constructed to provide a second level of power consumption and processing capability (step 9460). The mobile computing device 9005 uses the second processor responsive to the determination by the switching mechanism.
  • In further detail, the mobile computing device 9005 uses the first processor (step 9455). In one embodiment, the switching mechanism 9405 identifies the first processor 120 as the default processor for use by the mobile computing device 9005. In another embodiment, the mobile computing device 9005 uses the first processor 120 upon starting, restarting or booting of the operating system on the mobile computing device 9005. In some embodiments, a user selects the first processor 120 as the default processor. In one of these embodiments, the user may have identified the first processor 120 to the switching mechanism 9405.
  • The switching mechanism 9405 determines to switch the mobile computing device 9005 to using the second processor 120′, based on an operating characteristic of the mobile computing device, the second processor designed and constructed to provide a second level of power consumption and processing capability (step 9460). In some embodiments, the switching mechanism 9405 determines to switch based on operating conditions or characteristics of the mobile computing device 9005, such as the operating system, resource usage, memory usage, power consumption, load, and numbers of processes, applications, services or tasks.
  • In one embodiment, the second level of power consumption and processing capability of the second processor comprises a level greater than the first level of power consumption and processing capability of the first processor. In another embodiment, the mobile computing device uses the first processor for one or more applications suitable for the first level of power consumption and processing capability, and uses the second processor for one or more applications suitable for the second level of power consumption and processing capability. In still another embodiment, the switching mechanism 9405 switches to one of the first processor or the second processor automatically based on the initiation of execution of an application.
  • In some embodiments, the switching mechanism 9405 switches to one of the first processor or the second processor automatically based on one or more of the following operating characteristics: a level of load of one of the first processor or the second processor, a level of activity of one of the first processor or the second processor, and a level of power consumption of one of the first processor or the second processor. In one of these embodiments, the switching mechanism 9405 determines the load, activity or power consumption of the first processor 102 is near, equal or greater than the processing capability of the first processor 102. In another of these embodiments, the switching mechanism 9405 determines the processor requirements of an application executed by the user or requested by the user for execution is near, equal or greater than the processing capability of the first processor 102.
  • In other embodiments, the switching mechanism 9405 determines the mobile computing device 9005 would perform at a more suitable performance or operational level, or in a manner desired by the user if the mobile computing device 9005 was using the second level of processing capability of the second processor 120′. In still other embodiments, a user selects to switch to using the second processor 120′. In one of these embodiments, a user, via a user interface, directs or instructs the switching mechanism 9405 to switch the mobile computing device 9005 to use the second processor 120′.
  • The mobile computing device 9005 uses the second processor 120 (step 9465). In one embodiment, the mobile computing device 9005 uses the second processor 120′ instead of the first processor 120. In another embodiment, the mobile computing device 9005 uses the second processor 120′ in addition to the first processor 120. In some embodiments, the mobile computing device 9005 and/or switching mechanism 9405 transfers information, data, control and/or management to the second processor 120′ to continue operation of the operating system, applications, process, services or tasks executing on the first processor 102. In other embodiments, new applications or processes initiated by the user are executed on the second processor 120′.
  • In some embodiments, the switching mechanism 9405 switches to having the mobile computing device 9005 use the first processor 120 for a first level of processing capability. As with step 9460, the switching mechanism 9405 determines to switch based on the operating conditions or characteristics of the device 9005, such as the operating system, resource usage, memory usage, power consumption, load, and numbers of processes, applications, services or tasks. For example, in one embodiment, the switching mechanism 9405 determines the load, activity or power consumption of the second processor 102′ is greater than the processing capability needed for operating the mobile computing device 9005 in its current state. In another embodiment, the switching mechanism 9405 determines the processor requirements of an application executed by the user or requested by the user for execution is near, or equal to the processing capability of the first processor 102. In some embodiments, the switching mechanism 9405 determines the processor requirements of an application executed by the user or requested by the user for execution is less than the second level of processing capability of processor 120′. In other embodiments, the switching mechanism 9405 determines the mobile computing device 9005 would perform at a suitable performance or operational level, or in a manner desired by the user if the mobile computing device 9005 was using the first level of processing capability of the first processor 120. For example, the mobile computing device 9005 would perform in a suitable manner for the user using the first processor 102 but would also save on battery life or reduce power consumption. In yet another embodiment, a user selects to switch to using the first processor 120. For example, in one embodiment, the user via a user interface directs or instructs the switching mechanism 9405 to switch the mobile computing device 9005 to use the first processor 120. The method 9450 may be performed again to switch the mobile computing device 9005 to using the first processor at step 9455.
  • Referring still to FIG. 8, in some embodiments, the session management component 1300 uses a connection to transmit information associated with a monitor on the client machine 10 to the virtual machine service component. In one of these embodiments, multi-monitor geometry support is provided. In another of these embodiments, the session management component 1300 accesses multi-monitor information and enables the virtual machine service component to create a version of the multi-monitor information in the virtual machine.
  • In one embodiment, techniques are provided for virtualizing a display environment of a client by modifying and controlling the behavior and appearance of an application's window based on a desired display layout for the client. The techniques may be used for simulating or providing a multiple display setup for a single display environment. One embodiment provides a window processing mechanism to intercept a selected message to a window of an application and modify the message to the window to display the window on the client based on the desired display layout. The message to the window provides for the behavior or appearance of a window used or displayed by the application. In one embodiment, the window processing mechanism provides a hooking mechanism to an application's window procedure and replaces the original window procedure with a window procedure designed to intercept a selected window message and modify values of arguments or parameters of the intercepted window message based on the desired display layout of the client. As such, selected window messages are processed to provide or translate the behavior or appearance of the window to the desired display layout.
  • The techniques and mechanisms described may be practiced in a server-based computing environment, such as between a client machine 10 and a remote machine 30 communicating via a remote display protocol. A remote machine 30, or a virtual machine executing in a hypervisor on the remote machine 30, may be set up or configured for a single display environment while the client machine 10 may be set up or configured for one or more display devices. For example, a session on a machine, such as a session on a WINDOWS server operating system, may only be able to be configured or set up for a single display. The server may obtain a preferred or desired display layout for the client, and store the display layout in association with the client, such as associating the display layout with a remote session for the client. The window message processing mechanism may be used by the server to intercept and modify selected messages to windows of the application running on the server on behalf of the client. The window messages are modified to provide a behavior or appearance of the window based on the display layout associated with the client. As such, the display output communicated by the server to the client includes display output to be displayed on the client according to the client's display layout rather than the display layout, e.g., single display layout, of the session on the server.
  • Using the techniques and mechanisms described herein allows a user to access a remotely available application in a server-based computing environment regardless of the monitor layout of the client. Instead of the server associating a single display with the remote session, the server will provide display output based on the client's display layout. Furthermore, a remotely-provided application may maximize to the proper display from the perspective of the client. Also, menu items and other windows of an application may be displayed appropriately within an application, for example, without appearing disjoint from the application. Additionally, the issue of a window being rendered off-screen after changes to the display layout is handled by automatically moving the window to a viewable area upon detection of an off-screen window.
  • Furthermore, these techniques and mechanisms may also be practiced in a local computing environment to virtualize, simulate, or otherwise provide a multiple monitor environment for a client having a single display device. Although the client may have a single display device, a desired display layout may be configured or provided to specify multiple displays. The window processing mechanism may be used to intercept and modify window messages for an application on the client to control the behavior or appearance of the window based on the desired display layout instead of the actual monitor layout. As such, a user may gain the functionality, benefits, and advantages of a multiple monitor environment without having multiple display devices.
  • Referring now to FIG. 15A, one embodiment of an environment 1502 is depicted. In brief overview, a client machine 10 may be connected to or otherwise use a display device 124, in one embodiment, or multiple display devices 124 a-124 n, in another embodiment. The client machine 10 includes a display layout 1520 comprising a desired display configuration for the client machine 10, such as for display device 124. The client machine 10 includes a storage element 1525 for storing the display layout of the client machine 10. The client machine 10 also includes a window processing mechanism 1550.
  • In further detail, the display layout 1520 comprises any type and/or form of information or data to identify, specify, or describe a desired display layout configuration for the client. In one embodiment, the display layout 1520 may comprise a file or set of files in any format. In another embodiment, the display layout 1520 may comprise any information or data stored in any type and/or form of storage or memory element provided by the client machine 10. In an additional embodiment, the display layout 1520 may be provided or stored in any suitable type and/or form of database. In further embodiments, the display layout 1520 may be provided via any object, data structure, or application programming interface (API). The display layout 1520 may comprise any graphical, textual, or combination of graphical and textual elements. The display layout 1520 may be created, edited, configured, or otherwise provided by any suitable means and/or mechanisms, such as a graphical and/or text-based tool, program or application. In one embodiment, a graphical tool with a user interface may be used to design, create, edit and configure the display layout 1520.
  • The display layout 1520 may include attributes, properties, characteristics, values, settings, profiles, and other display configuration information 1522 a-1522 n to define each display for the client. The display layout 1520 may include display configuration 1522 a-1522 n for each of the desired displays, physical, virtual, or otherwise. In some embodiments, the display layout 1520 includes a description of the layout, location, position, organization, or arrangement for each display device 124 a-124 n. In one embodiment, the display layout 1520 includes a visual or graphical arrangement identifying the location and/or size of each monitor with respect to each other. In some embodiments, each display 1522 a-1522 n is identified by an identifier, such as a name or number. Also, the display configuration 1522 a-1522 n may include a monitor type, a screen refresh rate, adapter type, adapter information, screen resolution, a color quality, a color scheme, a font size, a background, a style for buttons and menus, and a screen saver.
  • Additionally, the display configuration 1522 a-1522 n may include information or data to identify or specify a resolution 1524 a-1524 n and/or a work area 1526 a-1526 n for each display, such as the display corresponding to a display device 124 a-124 n. In one embodiment, the resolution 1524 a-1524 n identifies the number of pixels, or individual points of color, contained on a display monitor, expressed in terms of the number of pixels on the horizontal axis and the number of pixels on the vertical axis. As those ordinarily skilled in the art will appreciate, the sharpness of the image displayed on the display device 124 a-124 n may depend on the resolution and the size of the display device 124 a-124 n. In another embodiment, the work area 1526 a-1526 n identifies the usable dimensions of the screen area of the display device 124 a-124 n in pixels. In some embodiments, the work area 1526 a-1526 n does not include the dimensions of the screen area not useable by the user, such as the portion of the screen area having a menu, tool, or task bar, such as the task bar on a desktop provided via a WINDOWS operating system.
  • In one embodiment, the display layout 1520 is configured to correspond to the number of display devices 124 a-124 n, and their available features and characteristics, accessible by the client. In other embodiments, the display layout 1520 does not match or correspond to the number of display devices 124 a-124 n connected to the client. For example, the client machine 10 may have a single display device 124 a but the display layout 1520 may be configured for multiple display devices 124 a-124 n. In one aspect, the display layout 1520 may be configured for a display device 124 a that is virtual, or a virtual display device. A virtual display device is rendered off the screen area of the physical display device 124 a and may be placed on and off the visible screen area by any suitable mechanism and/or means, such as for example, tabbing between desktops, or panning and scrolling beyond the work area of the physical display device 124 a. A virtual display device may comprise a resolution 1524 a-1524 n, a work area 1526 a-1526 n, and any other data or information in a display configuration 1522 a-1522 n as if it was a physical display device 1524 a-1524 n connected or to be connected to a client machine 10.
  • In some embodiments, the work area 1526 a-1526 n of the virtual display device is relative to and/or adjacent horizontally or vertically to the screen area of the physical display device 124 a-124 n. In other embodiments, the resolution 1524 a-1524 n of the virtual display device is the same resolution 1524 a-1524 n of the physical display device 124 a, or one of the resolutions 1524 a-1524 n supported by the physical display device 124 a. In some embodiments, a display 1522 a corresponding to a physical display device 124 a is not required to be configured as the top left monitor. In other embodiments, the display layout 1520 may comprise any arrangement of positive and/or negative coordinate systems, and any displays 1522 a-1522 n, or display devices 124 a-124 n, virtual or otherwise, may be configured to be located with any positive and/or negative coordinates, or in any portion of the positive and/or negative coordinate system.
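The display layout described above (per-display resolution and work area, positive or negative coordinates) and the two behaviours it drives, maximizing to the proper display and moving an off-screen window back into view, are modelled below in portable C. This is an added example, not code from the patent: the type names, function names, the largest-overlap and nearest-display rules, and the sample layout are all assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Rectangle in layout pixels; right/bottom are exclusive. Coordinates may be negative. */
typedef struct { int left, top, right, bottom; } rect_t;

/* One display entry of a layout (hypothetical structure, not from the patent). */
typedef struct {
    int    id;
    rect_t bounds;     /* position and resolution of the display */
    rect_t work_area;  /* bounds minus a task bar or similar reserved strip */
} display_cfg_t;

typedef struct { const display_cfg_t *displays; size_t count; } display_layout_t;

/* Constructed sample: a 1280x1024 physical display at the origin and a
 * 1024x768 virtual display to its left, each losing 30 px to a task bar. */
static const display_cfg_t SAMPLE_DISPLAYS[] = {
    { 1, {     0, 0, 1280, 1024 }, {     0, 0, 1280, 994 } },
    { 2, { -1024, 0,    0,  768 }, { -1024, 0,    0, 738 } },
};
static const display_layout_t SAMPLE_LAYOUT = { SAMPLE_DISPLAYS, 2 };

static int clampi(int v, int lo, int hi) { return v < lo ? lo : (v > hi ? hi : v); }

bool rect_equal(rect_t a, rect_t b) {
    return a.left == b.left && a.top == b.top && a.right == b.right && a.bottom == b.bottom;
}

/* Area in pixels shared by two rectangles, 0 if they do not intersect. */
long long overlap_area(rect_t a, rect_t b) {
    int l = a.left > b.left ? a.left : b.left;
    int t = a.top > b.top ? a.top : b.top;
    int r = a.right < b.right ? a.right : b.right;
    int m = a.bottom < b.bottom ? a.bottom : b.bottom;
    return (r <= l || m <= t) ? 0 : (long long)(r - l) * (m - t);
}

/* Squared distance from a point to the closest point of a rectangle. */
static long long dist2_to_rect(int x, int y, rect_t r) {
    long long dx = x - clampi(x, r.left, r.right);
    long long dy = y - clampi(y, r.top, r.bottom);
    return dx * dx + dy * dy;
}

/* Display that owns a window: largest overlap wins; if the window overlaps
 * nothing, the display nearest to the window centre. NULL for an empty layout. */
const display_cfg_t *display_for_window(const display_layout_t *layout, rect_t win) {
    const display_cfg_t *best = NULL;
    long long best_area = 0, best_dist = 0;
    int cx = win.left + (win.right - win.left) / 2;
    int cy = win.top + (win.bottom - win.top) / 2;
    for (size_t i = 0; i < layout->count; i++) {
        const display_cfg_t *d = &layout->displays[i];
        long long area = overlap_area(win, d->bounds);
        long long dist = dist2_to_rect(cx, cy, d->bounds);
        if (!best || area > best_area ||
            (area == 0 && best_area == 0 && dist < best_dist)) {
            best = d; best_area = area; best_dist = dist;
        }
    }
    return best;
}

/* True when no part of the window lies on any display of the layout. */
bool is_offscreen(const display_layout_t *layout, rect_t win) {
    for (size_t i = 0; i < layout->count; i++)
        if (overlap_area(win, layout->displays[i].bounds) > 0) return false;
    return true;
}

/* Rectangle a maximize request should produce: the work area of the owning
 * display rather than the whole (single-display) session desktop. */
rect_t maximize_rect(const display_layout_t *layout, rect_t win) {
    const display_cfg_t *d = display_for_window(layout, win);
    return d ? d->work_area : win;
}

/* Move an off-screen window into the nearest display's work area, keeping its
 * size where it fits; windows that are already visible are returned unchanged. */
rect_t bring_onscreen(const display_layout_t *layout, rect_t win) {
    const display_cfg_t *d = display_for_window(layout, win);
    if (!d || !is_offscreen(layout, win)) return win;
    rect_t wa = d->work_area;
    int w = win.right - win.left, h = win.bottom - win.top;
    if (w > wa.right - wa.left) w = wa.right - wa.left;
    if (h > wa.bottom - wa.top) h = wa.bottom - wa.top;
    rect_t out;
    out.left = clampi(win.left, wa.left, wa.right - w);
    out.top = clampi(win.top, wa.top, wa.bottom - h);
    out.right = out.left + w;
    out.bottom = out.top + h;
    return out;
}

int main(void) {
    rect_t stray = { 2000, 200, 2400, 500 };  /* constructed off-screen window */
    rect_t moved = bring_onscreen(&SAMPLE_LAYOUT, stray);
    printf("moved to (%d,%d)-(%d,%d)\n", moved.left, moved.top, moved.right, moved.bottom);
    return 0;
}
```

In a window-message hook, these results would replace the position and size values of the intercepted message before the original window procedure runs.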
  • The storage element 1525 illustrated in the client machine 10 of FIG. 15A may comprise any type and/or form of storage or memory, such as random-access memory, a disk drive, a disk array, a rewriteable optical drive, shared memory, a database, a file, an object, a data structure, or any other type and/or form of storage or memory element that allows the storing of and access to information or data, such as the display layout 1520. In one embodiment, storage element 1525 provides the display layout 1520 as a globally mapped data file, which may be accessible by any of the applications 1530 of the client machine 10. In some embodiments, the storage element 1525 stores the display layout 1520, or a portion of the display layout 1520. In other embodiments, the display layout 1520 may be converted, translated, transformed or otherwise altered to be stored in the storage element 1525. Although the storage element 1525 is illustrated on the client machine 10, another client machine 10 accessible to the client machine 10, such as a server, may have a storage element for storing the display layout 1520.
  • In some embodiments, the client machine 10 executes or otherwise provides one or more applications 1530. The application 1530 can be any type and/or form of software, program, or executable instructions such as any type and/or form of web browser, web-based client, client-server application, a thin-client computing client, an ActiveX control, or a Java applet, or any other type and/or form of executable instructions capable of executing on client machine 10. In some embodiments, the application 1530 provides one or more windows 1535 a-1535 n, also sometimes collectively referenced herein as 1535. In one embodiment, the window 1535 a-1535 n is a graphic, sometimes rectangular in shape, having either some kind of user interface or graphical or textual representation of the output of, and in some cases, allowing input for the application 1530. In another embodiment, the window 1535 a-1535 n comprises an area on the screen that displays information, including user documents as well as communications such as alert boxes and dialog boxes. Additionally, the user may open or close a window, move it around on the display, and sometimes change its size, scroll through it, and edit its contents.
  • In one embodiment, the user interface for the application 1530 is the window 1535 a-1535 n. In other embodiments, the application 1530 provides a top level window 1535 a-1535 n for the presentation and/or navigation structure or framework for the application 1530, and provides additional windows 1535 a-1535 n in response to input or other events. For example, the application 1530 may have a menu system and screen area for a user interface represented by a top level window 1535 a, and based on user input, displays a secondary or smaller window 1535 to provide output to the user and/or receive input from the user regarding the application 1530.
  • The application 1530, and/or any windows 1535 a-1535 n of the application may receive a message 1540, such as a window message, as input. The message 1540 may be any type and/or form of communication via any type and/or form of medium. In some embodiments, the message 1540 comprises a communication to a window 1535 a-1535 n to control or direct the behavior, appearance, attributes, or properties of the window 1535 a-1535 n. In an exemplary embodiment of a WINDOWS-based environment, the application 1530 is event-driven, and waits for the operating system, or system, to pass input to it. The system passes all input for an application to the various windows 1535 a-1535 n in the application 1530. Each window 1535 a-1535 n has a function, called a window procedure, which the operating system calls in response to receiving input for the window. A window procedure is a function that receives and processes all messages sent to the window. A window class may have a window procedure, and every window created with that class uses that same window procedure to respond to messages. The window procedure processes the input and returns control to the system. The system passes input to a window procedure in the form of a message 1540, which may be generated by the operating system or other applications 1530. A message 1540 may be generated for an input event, for example, when the user types, moves the mouse, or clicks a control such as a scroll bar. A message 1540 may also be generated in response to changes in the operating system or computing device brought about by an application 1530. An application 1530 can generate messages to direct windows 1535 a-1535 n of the application 1530 to perform tasks or to communicate with windows 1535 a-1535 n in other applications.
  • In the exemplary embodiment of a WINDOWS-based system, a message 1540 is sent to a window procedure with parameters. In one embodiment, the message 1540 comprises a set of four parameters: a window handle, a message identifier, and two values referred to as message parameters. The window handle identifies the window for which the message is intended, and is used to determine which window procedure should receive the message. A message identifier identifies a purpose or function of the message 1540. When a window procedure receives a message, it uses the message identifier to determine how to process the message. For example, a message identifier WM_PAINT of a message 1540 may indicate to a window procedure that the window's 1535 client area has changed and must be repainted. The parameters of a message 1540 may specify data or the location of data used by a window procedure when processing a message 1540. The meaning and value of the parameters may depend on the message 1540. A message parameter can include an integer, a string, packed bit flags, a pointer to a structure containing additional data, or any type and/or form of data or information.
  • Although a message 1540 is generally described in the context of a WINDOWS-based environment, a message 1540 may be any type and/or form of communication in any type of operating system or environment, as one ordinarily skilled in the art would recognize and appreciate, to control or direct the appearance, behavior and attributes of a window 1540 being displayed or otherwise being used, processed, or provided by the application 1530. As such, the message 1540 may be in a form and have content suitable to the environment or operating system for which the operations described herein may be practiced.
  • Still referring to FIG. 15A, the window processing mechanism 1550, also referred to as a window message processing mechanism, provides the means and mechanism for changing, controlling or directing an appearance, behavior or attribute of the window 1535 a-1535 n of an application 1530 based on the desired display layout 1520 of the client 1505. The window processing mechanism 1550 may comprise an application programming interface (API), application, module, software component, library, service, process, task or any other form and/or type of executable instructions designed to and capable of executing or providing the functionality described herein. The window processing mechanism 1550 may comprise software, hardware, or any combination of software and hardware. In some embodiments, an application 1530 may be designed or constructed to include the functionality of the window processing mechanism 1550, while in some other embodiments, the window processing mechanism 1550 is designed and constructed to be used by existing applications 1530, for example, without changing the application 1530.
  • In one embodiment, the window processing mechanism 1550 comprises a mechanism for subclassing window procedures of a window 1535 of the application 1530, and providing a window procedure that gets called or used in place of the original window procedure of the window 1535.
  • In one embodiment, a hooking mechanism is used by the window processing mechanism 1550 to provide the replacement window procedure. In some embodiments, a hooking mechanism comprises using an application programming interface (API) to replace the executable instructions or code of a function, procedure, or API with a desired set of executable instructions or code. For example, the window processing mechanism 1550 may introduce a hooking mechanism for any API related to creating, establishing, or providing a window 1535, for example, the CreateWindowA, CreateWindowW, CreateWindowExA, and CreateWindowExW APIs of the WINDOWS operating system environment. In some embodiments, the window procedure is replaced via the Windows application programming interface (API) calls of GetWindowLong and SetWindowLong. In other embodiments, the replaced window procedure is stored in a list of any suitable type and/or form along with a window handle or reference to the replaced window procedure. As such, the window procedure used by the window processing mechanism 1550 may call the replaced window procedure. For example, the window processing mechanism 1550 may pass through a message 1540 to the original window procedure for processing.
  • The window procedure of the window processing mechanism 1550 may be constructed and designed to intercept all or a portion of the messages 1540 communicated to or received by the window 1535. In some embodiments, the window procedure intercepts all messages 1540 and any messages 1540 not to be modified are communicated to the original or replaced window procedure. In one embodiment of a Microsoft® Windows based environment, the window procedure of the window processing mechanism 1550 intercepts messages 1540 with a message identifier comprising one of the following: 1) WM_DISPLAYCHANGE, 2) WM_WINDOWPOSCHANGED, 3) WM_WINDOWPOSCHANGING, and 4) WM_GETMAXMININFO. A WM_DISPLAYCHANGE message 1540 communicates to a window 1535 a change in a resolution 1524 of a display 124. A WM_WINDOWPOSCHANGED message 1540 communicates to a window 1535 a change in a size, position, or a place in the Z order for the window 1540. A WM_WINDOWPOSCHANGING message 1540 is communicated to a window 1535 when a change in a size, position, or a place in the Z order for the window 1540 is about to occur. A WM_GETMAXMININFO message 1540 is communicated to a window 1535 when a size or position of a window 1540 is about to change.
  • The window processing mechanism 1550 intercepts a message 1540 and modifies a return value or parameter of the message 1540 to correspond to or be based on the display layout 1520. In some embodiments, the window processing mechanism 1550 intercepts messages 1540 for a top-level window 1535, and in other embodiments, the window processing mechanism 1550 intercepts messages for windows 1535 that are not a top-level window. In further embodiments, the window processing mechanism 1550 intercepts messages 1540 for a certain set of windows 1540. For example, the window processing mechanism 1550 may be configured to intercept windows 1550 defined in a list, database, storage 1525, or any other type and/or form of configuration medium.
  • The message 1540 intercepted by the window processing mechanism 1550 may have return values, arguments, and/or parameters designed or targeted for the actual display layout of the client machine 10 or remote machine 30, but the window processing mechanism 1550 changes the return values, arguments and/or parameters to be designed or targeted for the display configuration 1522 a-1522 n provided by the desired display layout 1520. The window processing mechanism 1550 may read, access, acquire or otherwise obtain the display layout 1520 from the storage element 1525 by any suitable means and/or mechanism. The window processing mechanism 1550 may comprise any type of logic, functionality, business rules, or operations to obtain the values, arguments, and parameters of the message 1540 and analyze, compare or otherwise process the values, arguments, and parameters of the message 1540 in view of the display layout 1520, and determine any changes or modifications to the values, arguments or parameters of the message 1540 to display the window 1535 on a display identified by the display layout 1520. The window processing mechanism 1550 modifies the message 1540 according to the determined changes and communicates the message 1540 to the window 1535. In some embodiments, the window processing mechanism 1550 determines the message 1540 does not need to be modified and thus communicates the message 1540 in the same form as intercepted by the window processing mechanism 1550. In other embodiments, the window processing mechanism 1550 replaces the message 1540 with a second message.
  • Referring now to FIG. 15B, another embodiment of a networked computer environment is shown in which the client machine 10 communicates with a remote machine 30 via one or more communication networks 150. The client machine 10 may be connected to or otherwise use one or more display devices 124 a-124 n. The client machine 10 includes a display layout 1520 comprising a desired display configuration for the client machine 10, such as for display devices 124 a-124 n. The client machine 10 may also include a client agent 1508. The remote machine 30 includes an application 1530 providing one or more windows 1535 a-1535 n, and a storage element 1525 for storing the display layout 1520 of the client machine 10. The remote machine 30 also includes a server agent 1528, a session login mechanism 1545, and a window processing mechanism 1550.
  • The environment 1500 may provide a server-based or thin-client computing environment for practicing the operations described herein. For example, the application 1530 may be an application executed on the remote machine 30 on behalf of the client machine 10. The display output from execution of the application 1530 may be communicated to the client machine 10 for display on the client, for example, via the client agent 1508. The display output may be communicated between the remote machine 30 and client machine 10 via a remote display protocol. The display output may be based on a window 1540 of the application 1530 running on the remote machine 30 but to be displayed on the client machine 10. As will be described in further detail below, the window processing mechanism 1550 on the remote machine 30 intercepts and modifies messages 1540 of the application 1530 running on the remote machine 30, and communicates the message 1540 to the window 1535. As such, the display output communicated to the client machine 10 reflects the modified message 1540 processed by the window 1535.
  • In one embodiment, as shown in FIG. 15B, a client agent 1508 is included within the client machine 10. The client agent 1508 can be, for example, implemented as a software program and/or as a hardware device, such as, for example, an ASIC or an FPGA. An example of a client agent 1508 with a user interface is a Web Browser (e.g. Internet Explorer and/or Netscape™ Navigator browser). The client agent 1508 can use any type of protocol, such as a remote display protocol, and it can be, for example, an HTTP client agent, an FTP client agent, an Oscar client agent, a Telnet client agent, an Independent Computing Architecture (ICA) client agent from Citrix Systems, Inc. of Fort Lauderdale, Fla., or a Remote Desktop Protocol (RDP) client agent from Microsoft Corporation of Redmond, Wash. In some embodiments, the client agent 1508 is configured to connect to the remote machine 30. In some embodiments (not shown), the client 1508 includes a plurality of client agents 1508, each of which may communicate with a remote machine 30, respectively.
  • Additionally, the remote machine 30 may comprise a server agent 1528 which may be capable of and configured to work in conjunction with the client agent 1508. For example, the server agent 1528 may be a server side component that accepts connections and requests from the client agent 1508. In another embodiment, the server agent 1528 may be capable of and configured to accept or establish remote access connections or sessions for the client machine 10. In one embodiment, the client agent 1508 and server agent 1528 may communicate using a protocol, such as http, ICA or RDP, over the network 1504. In some embodiments, the client agent 1508 and/or server agent 1528 are used to establish, re-establish, maintain, or otherwise provide a server-based computing or thin-client computing based connection or session. In another embodiment, the client agent 1508 and the server agent 1528 establish the start and end points of communications for a connection between the client machine 10 and the destination remote machine 30.
  • In some embodiments, the remote machine 30 includes a storage element 1525 for storing the display layout. In one embodiment, storage element 1525 provides the display layout 1520 as a globally mapped data file, which may be accessible by any of the applications 1530 of the remote machine 30. In some embodiments, the display layout 1520 is stored in the same form as provided to or received by the remote machine 30. Although the storage element 1525 is illustrated on the remote machine 30 in FIG. 15B, the client machine 10 may also include a storage element 1525′, and in some embodiments, the client machine 10 stores the display layout 1520 in the client's storage element 1525′, and/or to the remote machine's storage element 1525.
  • The remote machine 30 may also include a session login mechanism 1545, which may include any type and/or form of service, process, task or program, application, or executable instructions on the remote machine 30 to handle and process login or session requests. The session login mechanism 1545, or any portion thereof, may be provided via the operating system of the remote machine 30. In one embodiment, the session login mechanism 1545 includes the windows logon process, winlogon, a component of the Microsoft® Windows families of operating systems. As such, the session login mechanism 1545 may provide interactive logon support, and may include a Graphical Identification and Authentication dynamically linked library (DLL) referred to as the GINA, and any number of network providers. The session login mechanism 1545 may include any interfaces, such as an application programming interface (API) or dynamically linked libraries, i.e., a dll, to allow any resource, application, network or network provider to gather or obtain any identification and authentication information during a logon process.
  • The session login mechanism 1545 may perform an authentication process and password-updating operations for the operating system and/or for one or more resources, programs, applications, networks, or network providers. In one embodiment, the session login mechanism 1545 provides authentication services for the operating system, and in additional embodiments, also provides authentication services for access to applications 1530 to be executed on the remote machine 30 on behalf of the client machine 10, such as in a server-based or thin-client computing model. Additionally, the session login mechanism 1545 may monitor any mouse and/or keyboard activity related to logging on or secure access of the remote machine 30, or any resource, application, network, or network provider. In some embodiments, the session login mechanism 1545 may establish any initial services, processes, or tasks for a user or session on the remote machine 30.
  • The remote machine 30 may execute or otherwise provide one or more applications 1530. The application 1530 can be any type and/or form of software, program, or executable instructions such as any type and/or form of web browser, web-based client, client-server application, a thin-client computing client, an ActiveX control, or a Java applet, or any other type and/or form of executable instructions capable of executing on client machine 10 or communicating via a network 1504. The application 1530 can use any type of protocol and it can be, for example, an HTTP client, an FTP client, an Oscar client, or a Telnet client. In some embodiments, the application 1530 uses a remote display or presentation level protocol. In other embodiments, the application 1530 comprises any type of software related to Voice-Over-Internet Protocol (VoIP) communications, such as a soft IP telephone. In further embodiments, the application 1530 comprises any application related to real-time data communications, such as applications for streaming video and/or audio. In some embodiments, the application 1530 provides one or more windows 1535 a-1535 n, also sometimes collectively referenced herein as 1535.
  • In some embodiments, the remote machine 30 or a machine farm 38 may be running one or more applications 1530, such as an application 1530 providing a thin-client computing or remote display presentation application. In one embodiment, the remote machine 30 or machine farm executes as an application 1530, any portion of the Citrix Access Suite™ by Citrix Systems, Inc., such as the MetaFrame or Citrix Presentation Server™, and/or any of the Microsoft® Windows Terminal Services manufactured by the Microsoft Corporation. In one embodiment, the application 1530 is an ICA client, developed by Citrix Systems, Inc. of Fort Lauderdale, Fla. In other embodiments, the application 1530 includes a Remote Desktop (RDP) client, developed by Microsoft Corporation of Redmond, Wash.
  • Additionally, the remote machine 30 may run an application 1530, which for example, may be an application server providing email services such as Microsoft Exchange manufactured by the Microsoft Corporation of Redmond, Wash., a web or Internet server, or a desktop sharing server, or a collaboration server. In some embodiments, any of the applications 1530 may comprise any type of hosted service or products, such as GoToMeeting™ provided by Citrix Online Division, Inc. of Santa Barbara, Calif., WebEx™ provided by WebEx, Inc. of Santa Clara, Calif., or Microsoft Office LiveMeeting provided by Microsoft Corporation of Redmond, Wash.
  • Although in FIG. 15A and FIG. 15B, the window processing mechanism 1550 is illustrated as included in the application 1530, the window processing mechanism 1550 may reside in any portion of the remote machine 30, the client machine 10, and/or external to the application 1530, for example, as illustrated in FIG. 15C. In one embodiment, the window processing mechanism 1550 comprises a service, process, or task that runs in a system context or with the system privileges of the operating system. In some embodiments, the windows processing mechanism 1550 may monitor messages 1540 communicated to windows 1535 a-1535 n of an application 1530, and intercept and modify the message 1540 to the windows 1535 a-1535 n. One ordinarily skilled in the art will recognize and appreciate that the windows processing mechanism 1550 may comprise any type and/or form of executable instructions capable of performing the operations described herein.
  • In another embodiment, illustrated in FIG. 15C, the session login mechanism 1545 may be used to provide for, or use, any of the functionality of the window processing mechanism 1550. In some embodiments, the session login mechanism 1545 may read, access, acquire or otherwise obtain the display layout 1520 from the storage element 1525. In other embodiments, the session login mechanism 1545 accesses, loads, or uses the functionality of the window processing mechanism 1550 via a dynamically loaded library, such as a library provided via a network provider to the winlogon process of a WINDOWS operating system. In other embodiments, the session login mechanism interfaces with or communicates to the window processing mechanism 1550 to provide the techniques described herein. In further embodiments, the session login mechanism 1545 may use the techniques described herein during reconnection, re-establishment, and/or re-authentication of a login or user session, such as a remote session in a server-based computing environment 1500.
  • In another aspect, techniques for virtualizing a display environment of a client machine 10 by controlling or directing the appearance, behavior and attributes of a window 1535 of an application 1530 based on the desired display layout 1520 for a client machine 10 are described. In view of the systems and structure of the environments 1500, 1501, and 1502 depicted in FIGS. 15A-15C, the operations, functionality, and techniques will be addressed by the methods depicted in FIGS. 3A-3D. FIG. 3A depicts a method 300 for practicing an embodiment using the window processing mechanism 1550. FIG. 3B depicts examples of window messages and processing used in conjunction with the method 300. FIG. 3C depicts a method 350 for practicing an embodiment when reconnecting, re-establishing or re-authenticating via the session login mechanism 1545. FIG. 3D depicts illustrative method 360 for changing the client's display layout 1520, for example, during execution of an application 1530.
  • Referring now to FIG. 16A, in brief overview, one embodiment of a method for providing a desired display layout 1520 of the client machine 10 is shown. At step 1610, and at step 1615, the display layout 1520 is stored in the storage element 1525, and the display layout 1520 is associated with the client 1505. At step 1620, the window processing mechanism 1550 accesses the display layout 1520 from the storage element 225 to obtain the desired display layout information for the client machine 10. At step 1625, the window processing mechanism 1550 intercepts messages 1540 to a window 1535 displayed on a client machine 10 by an application 1530. At step 1630, the window processing mechanism 1550 modifies the message 1540 to provide the window 1535 on the client machine 10 based on the desired display layout 1520 for the client machine 10. At step 1635, the window 1535 is displayed on the client machine 10 based on the modified message 1540. As such, the appearance and behavior of the window 235 is translated to and based on the display layout 1520.
  • In further detail, at step 1610 of the method, the desired display layout 120 for the client is provided. In one embodiment, the display layout 120 is communicated from the client machine 10 to the remote machine 30. For example, the client machine 10 establishes a connection or communication session with the remote machine 30. In some cases, the remote machine 30 requests the display layout 1520 from the client machine 10, and the client 1505 communicates the display layout 1520 in response to the request. In another embodiment, the display layout 1520 is communicated via the session login mechanism 1545 during a logon or authentication process, and in some embodiments, upon a re-logon or re-authentication process. In one embodiment, the display layout 1520 is stored in a database and queried by the client machine 10 or remote machine 30 to obtain the display layout 1520. In other embodiments, the display layout 1520 is downloaded, by either the client machine 10 or the remote machine 30 from a web server, a web-site, an application server, another remote machine 30′ or via the Internet. In further embodiments, a user may configure the display layout 1520 with a program, application, or tool, and store the display layout 1520 on a client machine 10, remote machine 30, or another client machine 10.
  • At step 1615, the display layout 1520 is stored in the storage element 1525, and associated with the client machine 10. In some embodiments, the remote machine 30 receives the display layout 1520 from the client machine 10 and stores the display layout 1520 in the storage element 1525. In one embodiment, the remote machine 30 stores the display layout 1520 as a globally mapped data file on the remote machine 30 accessible by one or more applications 1530. In another embodiment the remote machine 30 stores the display layout 1520 to another client machine 10 accessible to the remote machine 30, such as via the network 1504. In some embodiments, the client machine 10 stores the display layout 1520 to a storage element 1525 on the remote machine 30, to a storage element 1525 on the client machine 10, or to a storage element 1525 accessible via the network 1504 or via the Internet.
  • The display layout 1520 may be stored to the storage element 1525 in any form suitable to the storage element 1525, and may be converted, transformed, altered, translated or otherwise processed for storage in the storage element 1525. For example, in one embodiment, the display layout 1520 may comprise data, such as a file, on the client machine 10 transmitted via network packets to the remote machine 30, and then translated into a globally mapped data file on the remote machine 30. In another embodiment, the display layout 1520 is stored into any type and/or form of database 1525, such as a relational database. In other embodiments, the display layout 1520 is stored in storage 1525 comprising memory. For example, the display layout 1520 may comprise or be represented by any type of object, data structure, or portion of memory on the client machine 10 and/or remote machine 30.
  • The display layout 1520 may be associated with the client machine 10 by any suitable means and/or mechanisms. In one embodiment, the name, or any portion thereof, of the globally mapped data file may identify the client machine 10. In another embodiment, any portion of content of the globally mapped data file may identify the client machine 10. In additional embodiments, the client machine 10 or remote machine 30 may use any type of object, data structure, process, or other elements in memory to associate the display layout 1520 with the client machine 10. In other embodiments, the client machine 10 or remote machine 30 may use portions of the storage element 1525 or other types of storage, such as another file, to associate the display layout 1520 with the client.
  • The window processing mechanism 1550, at step 1620 of illustrative method 300, accesses the display layout 1520 from the storage element 1525 to obtain the desired display layout information for the client machine 10. In one embodiment, the executable instructions of the window procedure used by the window processing mechanism 1550 comprise instructions to load, read, or otherwise acquire the display layout 1520. For example, the window processing mechanism 1550 may perform any type and/or forms of file input/output, i.e., file I/O, operations to read a globally mapped data file having the display layout 1520. In another embodiment, the instructions of the hooking application programming interface (API) for the window processing mechanism 1550 provide instructions for obtaining the display layout 1520. In another embodiment, the application 1530 reads or accesses the display layout 1520, for example, upon execution or start up. In some embodiments, the application 1530 may be executed during a session, such as a user or remote session. In one embodiment, the globally mapped data file 1525 may only be accessible by an application 1530 associated with or available via the remote session. In further embodiments, access to the globally mapped data file may be locked by a mutex or semaphore, which is global for the remote session. One ordinarily skilled in the art will recognize and appreciate that any type and/or form of locking mechanism can be used to control access to the storage element 1525, such as a globally mapped data file.
  • At step 1625, the window processing mechanism 1550 intercepts messages 1540 to a window 1535 displayed on a client machine 10 by an application 1530. In one embodiment, upon obtaining the display layout 1520 a hooking mechanism is introduced into the remote machine 30 or the application 1530 on the remote machine 30, which hooks one or more window creation application programming interfaces (APIs), such as for example, a create window type of API in a WINDOWS based environment. In some embodiments, the window processing mechanism 1550 intercepts all messages 1540 to windows 1535 of the application 1530. In other embodiments, the window processing mechanism 1550 intercepts messages 1540 of a certain message identifier or name. In one embodiment, the message 240 may have arguments, parameters or values that are used by the window processing mechanism 1550 to determine that the message 1540 should be intercepted. In additional embodiments, the window processing mechanism 1550 intercepts messages 1540 to some of the windows 1535 of the application 1530, and in further embodiments, only for a portion of the types of messages 240 communicated to these windows 1535. In yet another embodiment, the window processing mechanism 1550 is configurable, for example, by a user, to select the messages 1540, by name, type, or otherwise, to be intercepted.
  • In some embodiments, the window processing mechanism 1550 intercepts messages 1540 communicated to or intended for a top-level window 1535 of the application 1530. In other embodiments, the window processing mechanism 1550 may intercept any level of window 1535, or only certain levels of windows 1535 in a hierarchy of windows 1535. For example, the window processing mechanism 1550 may ignore any popup dialog windows of a second level window displayed on top of or in front of a top-level window 1535.
  • In one embodiment, the window processing mechanism 1550 may intercept a message 1540 but pass the message 1540 through or communicate the message 1540 to the original or replaced window procedure. In some embodiments, the window processing mechanism 1550 ignores certain messages 1540. In another embodiment, the window procedure of the window processing mechanism 1550 also includes the functionality and operations of the replaced window procedure. As such, the window processing mechanism 1550 may intercept a message 1540 and have either the replaced window procedure or the window procedure hooked into the application 1540 process the message 1540.
  • At step 1630, the window processing mechanism 1550 modifies the message 1540 to provide the window 1535 on the client machine 10 based on the desired display layout 1520 for the client machine 10. In some embodiments, the window processing mechanism 1550 examines, inspects, analyzes, or otherwise processes any values, arguments, or parameters of the message 1540 in comparison to the display layout 1520 for the client machine 10 displaying the application 1530. Based on the comparison, the window processing mechanism 1550 may modify, adjust, edit, change, alter, replace, translate or otherwise set or provide values, arguments, and/or parameters for the message 1540 that will provide the desired behavior, appearance and attributes of the window 235 as displayed or to be displayed by the application 1530 on the client machine 10 in accordance with the display layout 1520. For example, the values and/or parameters of the message 1540 may indicate a size, position, location, resolution or other attributes of the window 1535. These characteristics may be based on a display environment different than as specified in the display layout 1520. As such, in some embodiments, the window processing mechanism 1550 may modify the size, position, location, resolution or other attributes of the message 1540 for a display 1522 a-1522 n specified in the display layout 1520.
  • By way of further example, and referring now to FIG. 16B, the window processing mechanism 1550 may intercept and modify a message 1540 identified as one of the following: 1) WM_GETMINMAXINFO, 2) WM_WINDOWPOSCHANGING, 3) WM_WINDOWPOSCHANGED, and 4) WM_DISPLAYCHANGE. At illustrative step 1630 a, for a message 1540 intercepted and identified as WM_GETMINMAXINFO, the window processing mechanism 1550 analyzes the position of the application 1530, i.e., a top-level window 1535, relative to the one or more displays 1522 a-1522 n of the display layout 1520, and determines which of the displays 1522 a-1522 n the application 1530 should be maximized to. The window processing mechanism 1550 modifies the message 1540 to provide values corresponding and translated to the resolution based on the desired display layout 1520. For example, a remote machine 30 may provide window resolution for a single monitor session, and the window processing mechanism 1550 translates the resolution to the multiple display environment provided via the display layout 1520. As such, this technique enables the application 1530 to maximize to a desired location in accordance with the display layout 1520, instead of the single monitor session.
  • At illustrative step 1630 b, for a message 1540 intercepted and identified as WM_WINDOWPOSCHANGING, the window processing mechanism 1550 determines if the window 1535 is in the maximized state, and if so, the message 1540 is modified to set the window flag to a no move style of window, or otherwise to fix the location or position of the window 1535, or not allow the position of the window 1535 to change. As such, in the maximized state a user may not be able to move the window 1535. This technique enables the application 1530, or a window 1535 of the application 1530 to be maximized to a set or fixed location on a display 1522 a-1522 n specified by the display layout 1520. In some embodiments, either in response to the WM_WINDOWPOSCHANGING message 1540 or otherwise, the window processing mechanism 1550 determines the window 1535 is not in the maximized state, and modifies the message 1540 to remove the no move style, e.g., the window's position is no longer fixed, or to otherwise allow the position of the window 1535 to be moved.
  • At illustrative step 1630 c, for a message 1540 intercepted and identified as WM_WINDOWPOSCHANGED, the window processing mechanism 1550 compares the position or location of the window 1535 to the display layout 1520 and if the window 1535 is to be rendered outside the screen or work area of display 1522 a-1522 n, then the position or location of the window 1535 is changed to be rendered in at least a portion of the screen or work area of the display 1522 a-1522 n. This technique enables the user not to lose the application 1530 or window 1535 of the application 1530 to an off-screen location.
  • At illustrative step 1630 d, for a message 1540 intercepted and identified as WM_DISPLAYCHANGE, the window processing mechanism 1550 suspends passing of messages 1540 until a new or second display layout 1520 is obtained or provided for the client 1505. In one embodiment, the window processing mechanism 1550 suspends the processing of all messages 1540. In some embodiments, the window processing mechanism 1550 suspends messages 1540 that are intercepted and communicated to the replaced or original window procedure. In other embodiments, the window processing mechanism 1550 suspends messages for the replaced or original window procedure while continuing to process other messages 1540. This technique enables a client machine 10 to dynamically change the display layout 1520 at any time, for example, during the execution of an application 1530.
  • Although the techniques are generally described above in relation to particular messages, one ordinarily skilled in the art will recognize and appreciate that any message of any type and/or form may be used. Furthermore, the window processing mechanism 1550 may perform any logic, function, operations or rules based on the message 1540 and/or the display layout 1520, and even for the same type of message 1540, may perform a different operation or function for each instance of the message 1540 depending on changes to the display layout 1520 or any events, conditions or status of the environment 1500, 1501 or 1502.
  • Referring back to FIG. 16A, at step 1635 of method 300, the window 1535 is displayed on the client machine 10 based on the message 1540 processed via the window processing mechanism 1550. As such, when the window processing mechanism 1550 modifies the message 1540 based on the display layout 1520, the window 1535 is displayed on the client machine 10 according to the display layout 1520. In some embodiments, the window processing mechanism 250 does not modify the message 1540, and therefore, the window 1540 is displayed on the client machine 10 according to the unmodified message 1540. The technique as illustrated above enables, for example, in one embodiment of a server-based computing environment 1500, an application 1530 running on remote machine 30 to provide display output to the client machine 10 that controls and directs the behavior, appearance, and attributes of windows in the display output in any manner desired and specified by the display layout 1520, which may not correspond to the physical display layout of the client machine 10.
  • In another aspect, although techniques described herein are generally described with a window management system from the WINDOWS operating system, one ordinarily skilled in the art will recognize and appreciate that techniques described herein may be practiced with any type and/or form of window manager or management system, such as any type and/or form of X-windows managers, including any custom or open-source based window manager running on any type of operating system.
  • Referring now to FIG. 16C, these techniques may be practiced during the re-connection, re-establishment or re-authentication of any communication session or user session, for example a remote display session between the client machine 10 and the remote machine 30. In one embodiment, the session login mechanism 1545 as illustrated on the remote machine 30 of FIGS. 15A and 15B may include the window processing mechanism 1550, or any portion thereof. In brief overview of method 350, the session login mechanism 1545, at step 1652, accesses or obtains the display layout 1520 from the storage element 1525. At step 1654, there may be a disconnection and reconnection processed by the session login mechanism 1545. Upon re-establishing and/or re-authenticating the session, the session login mechanism, at step 1656, compares a location of a window 1535 to the client's display layout 1520, and at step 1658, modifies the window 235 to display on the client machine 10 based on the client's display layout 1520.
  • At illustrative step 1652, the session login mechanism 1545 obtains information on the display layout 1520 by any suitable means and/or mechanisms. For example, the window processing mechanism 1550 included in or used by the session login mechanism 1545 may have executable instructions, such as file I/O operations, to access a globally mapped data file 1525. In another embodiment, the session login mechanism 1545 may load dynamically linked libraries that load, read or otherwise access the storage element 225 having the display layout information. In one embodiment, as part of establishing or re-establishing the session, the session login mechanism 1545 may obtain the display layout 1520 from the client 1520. For example, the session login mechanism 1545 requests the display layout 1520 from the client machine 10 along with any identification or authentication credentials.
  • At illustrative step 1654, any type of disconnection or disruption to a session between the client machine 10 and remote machine 30 may occur, and any type of reconnection or re-establishment of the session may be facilitated via the session login mechanism 1545. In some cases, a user may cause a disconnection or disruption, temporary or otherwise, to a session between the client machine 10 and the remote machine 30 due to physical changes in the client's display environment or because the user moves to another client machine 10. In one case, the user moves from a first client machine 10 a, such as a work computer, to a second client machine 10 b, such as a home computer. The remote machine 30 may maintain the same user session between computing devices 100 a-110 b but the display layout 1520 may have changed. In another case, the user and/or the client machine 10 may traverse network segments or network access points that cause changes in the network address or host name, e.g., internet protocol (IP) address, of the client machine 10 or causes the client machine 10 to disconnect. The client machine 10 may reconnect, manually or automatically, to the network 1504, such as via the client agent 1508. As such, the session login mechanism 1545 may facilitate or be used to facilitate the reconnection.
  • At step 1656 of method 350, the session login mechanism 1545 compares the location or position of a window 1535 of an application 1530 in relation to the desired display layout 1520. In some embodiments, the session login mechanism 1545 intercepts a message 1540 to a window 1535, and examines, inspects or analyzes any portion of the message 1540, such as a value or parameter. In one embodiment, the session login mechanism 1545 queries, acquires or obtains the current location or position of one or more windows 1535 of the application 1530 via an application programming interface (API). In another embodiment, the session login mechanism 1545 requests from the application 1530, the location or position of any of the application's windows. The session login mechanism 1545 compares the location, position, size, and any other attributes of the window 1535 to any information in the display layout 1520.
  • At step 1658, the session login mechanism 1545 may modify the window 1535 based on the desired display layout 1520. From the comparison of the information about the window 1535 to the information of the display layout 1520, the session login mechanism 1545, in some embodiments, modifies the window 1535 to display on the client machine 10 via a display 1522 a-1522 n identified in the display layout 1520 in a desired manner. In one embodiment, via the functionality of the window processing mechanism 1550 embodied in or interfaced with the session login mechanism 1545, a message 1540 to a window 1535 may be intercepted and modified in accordance with the operations described herein. In another embodiment, the session login mechanism 1545 may modify one or more windows 1535 of the application 1530 via any application programming interface (API) to modify such windows 1535. The techniques depicted by method 350 enable client sessions to be disconnected and reconnected and have the display of windows be adjusted accordingly to any new or changed display environments of the client machine 10, new or changed display layouts 1520 of the client machine 10, or changes from one client machine 10 a to another client machine 10 b.
  • In another aspect, dynamically changing a display layout 1520 for a client machine 10 is described. Referring now to FIG. 16D, the techniques described may be practiced for a change to a display layout 1520 that occurs during the execution of an application 1530. In brief overview of illustrative method 360, at step 1662, a client's display layout 1520 is changed. At step 1664, the window processing mechanism 350 suspends window message processing when the client's display layout 1520 is changed. At step 1666, an updated or a second display layout 1520′ is obtained by the window processing mechanism 1550, and at step 1668, the window processing mechanism 1550 resumes intercepting and modifying messages 1540 to windows 1535 based on the second display layout 1520′.
  • In further detail, at step 1662, the display layout 1520 may be changed at any time and for any reason. In one embodiment, the display environment for the client machine 10 may change and the display layout 1520 may be updated to reflect the changed display environment. For example, another display device 124 may be connected to the client machine 10. In another embodiment, a user of the client machine 10 may be making adjustments, updating or otherwise changing the display layout 1520 to suit the user's desire for a behavior and appearance of applications 1530 and the display of windows 1535 of the application 1530 on the client machine 10. In yet a further embodiment, a first session may be on a first client machine 10 with a first display layout 1520, and the user switches to a second session or maintains the first session on a second client machine 10′ with a second or updated display layout 1520′.
  • At step 1665, the method suspends intercepting and modifying messages 1540 for windows 1535 of an application 1530 upon notification of a change to the display layout 1520. In one embodiment, the window processing mechanism 1550 intercepts a message 1540, such as the WM_DISPLAYCHANGE message, indicating a change in any attribute or characteristic, for example, the resolution, of the display environment. In another embodiment, the client machine 10 communicates a notice to the remote machine 30, the window processing mechanism 1550 or the session login mechanism 1545 indicating a change has occurred or is about to occur to the display layout 1520. In yet another embodiment, the application 1530 may comprise a user interface mechanism for a user to indicate a change to the display environment, or to have the application 1530 suspend processing of window messages according to the display layout 1520.
  • The window processing mechanism 1550 may suspend the processing of messages 240 for all applications 230, a portion of applications 230, or for a portion of windows 235 of one, some, or all of the application 230. In one embodiment, the window processing mechanism 1550 queues any messages 240 received until the window processing mechanism 1550 obtains another display layout 1520. In another embodiment, the window processing mechanism 1550 only suspends processing of window messages to be modified according to the display layout 1520, and continues passing the messages 240 not to be modified to the original or replaced window procedure.
  • At step 1666 of the method, an updated or a second display layout 1520′ is obtained to use for window message processing. The updated or second display layout 1520′ may be provided by any suitable means and/or mechanisms. In one embodiment, the updated or second display layout 1520′ is stored with the first display layout 1520 in the storage element 225. In another embodiment, the updated or second display layout 1520′ is stored as an updated version of the first display layout 1520, and in further embodiments, the second display layout 1520′ may replace the first display layout 1520 in the storage element 225. In one embodiment, the client machine 10 communicates the updated or second display layout 1520′ to the remote machine 30 or stores the second display layout 1520′ to the storage element 225 on the remote machine 30. In some embodiments, the client machine 10 via a reconnection or re-establishment to the remote machine 30 may provide an updated display layout 1520. In one embodiment, the client machine 10 communicates an unchanged display layout 1520 or a display layout 1520 to the remote machine 30 that the remote machine 30 already has stored in the storage element 225. In yet other embodiments, the remote machine 30 or client machine 10 may obtain the second display layout 1520′ from another client machine 10 on the network 204, such as downloading the second display layout 1520′ from a remote machine 30. As described above in connection with illustrative method 300, the window processing mechanism 350 may obtain the display layout 1520 from the storage element 225 by a variety of means and/or mechanisms.
  • At step 1668 of method 360, the window processing mechanism 1550 resumes intercepting and modifying messages 240 to windows 235 based on the second display layout 1520. In one embodiment, if the window processing mechanism 1550 queued any messages 240, the window processing mechanism 1550 analyzes and modifies the queued messages 240 based on the second display layout 1520′. Otherwise, the window processing mechanism 1550 uses the second display layout 1520′ to modify any messages 240 intercepted after obtaining the second display layout 1520′. Using the techniques described herein, a client display environment and a client's display layout can be dynamically changed during the course of executing one or more applications, and the display of windows for the application appear and behave according to the changes to the display layout. For example, another display device may be added to the client, and an application may be minimized during a change in the display layout. When the display layout is updated, the user can maximize the application and have the application appear in the appropriate display even though the display environment changed when the application was minimized.
  • In view of the functions, structures, and operations described above, systems and methods are provided to control and direct the appearance, behavior and attributes of windows of an application in a flexible manner for virtualizing, simulating or providing a multiple display environment without restricting or limiting the client side display configuration. For example, the display layout of the client may not be limited to configure the physical monitor of the client as the primary display, i.e. as the top left most monitor in the display layout configuration. The systems and methods described may be practiced in a server-based or thin-client based computing environment, with clients having multiple display devices, or with clients having a single display device. Additionally, the configuration of a display layout that is not restricted or limited to the physical display environment of the client is provided. The display environment of the client may extend to include additional virtual displays, so if the client has two display devices, three or more displays may be virtualized or simulated for the client. A single display configuration for a single display device may be implemented while still changing the appearance and behavior of windows based on a desired or customized display layout. A client or user may gain the functionality, benefits, and advantages of a multiple display environment without having multiple display devices, or having all the display devices desired.
  • In one embodiment, multi-monitor support provides maximizing of windows to fill a single monitor rather than the full screen and centering of dialogs on a monitor rather than on a screen. In another embodiment the session management component, the virtual machine service component, and a multi-monitor hook component executing in a computing environment provided by a virtual machine together provide multi-monitor support in a virtual machine environment. In still another embodiment, a multi-monitor hook component and a component acquiring client geometry data provide multi-monitor support in a virtual machine environment.
  • In one embodiment, the session management component 1300 reads the monitor configuration for the client machine 10 from a multi-monitor hook file mapping. In some embodiments where a user of the client machine 10 establishes a connection to a presentation server executing on an execution machine in which the virtual machine provides access to a computing environment, the presentation server generates the multi-monitor hook file mapping upon establishment of the connection by the user.
  • In one embodiment, the session management component 1300 sends a message to the virtual machine service component containing the monitor layout for the user. In some embodiments, the message is sent when the session management component 1300 detects a user reconnection, so that the monitor layout remains synchronized with the client machine 10.
  • The virtual machine service component receives the monitor layout messages provided by the session management component 900. In some embodiments, the virtual machine service component creates a file mapping in the computing environment and updates the file to include monitor layout data.
  • In other embodiments, the virtual machine service component also creates a checksum for the data that is used by the multi-monitor hook component to ensure that it has correctly read the layout data. In one of these embodiments, a checksum is used rather than a locking scheme to synchronize access to the layout data. In this embodiment, the checksum does not cause any blocking between the processes reading the data. The layout data is updated infrequently and may be small in size, so the checksum calculation may complete quickly. In another of these embodiments, the reader processes save the checksum, read the data and recalculate the checksum. If the calculated checksum does not match the saved checksum it indicates that the data was updated while it was being read and the process is repeated. As the data is usually only updated when the user reconnects to another client and given the short time required to read the data, it is unlikely that a reader would have to reread the data more than once for a particular change. In some embodiments, the virtual machine service component uses a stored default display setting for the client machine 10, the stored default selected to ensure that the computing environment has valid display settings upon initialization of the session.
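The lock-free read described above (save the checksum, copy the data, recompute, repeat on mismatch), as an added example in portable C that is not code from the patent or from Citrix. The mapping layout, the FNV-1a checksum, the retry bound and all names are assumptions; the reader also range-checks the copied data, since a checksum of this kind detects torn reads but does not authenticate the writer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_MONITORS 8

typedef struct { int32_t left, top, right, bottom; } rect_t;

/* Payload covered by the checksum (hypothetical layout). */
typedef struct {
    uint32_t count;
    rect_t   monitors[MAX_MONITORS];
} layout_data_t;

/* Assumed shape of the shared file mapping: checksum, then payload. */
typedef struct {
    uint32_t      checksum;
    layout_data_t data;
} layout_map_t;

/* FNV-1a (32-bit), chosen here for illustration; the page names no algorithm. */
static uint32_t layout_checksum(const layout_data_t *d)
{
    const unsigned char *p = (const unsigned char *)d;
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < sizeof *d; i++) {
        h ^= p[i];
        h *= 16777619u;
    }
    return h;
}

/* Writer side (service component): store the data, then its checksum. */
void layout_publish(layout_map_t *map, const rect_t *mons, uint32_t count)
{
    layout_data_t d;
    memset(&d, 0, sizeof d);              /* unused slots hash deterministically */
    if (count > MAX_MONITORS) count = MAX_MONITORS;
    d.count = count;
    if (count > 0) memcpy(d.monitors, mons, count * sizeof *mons);
    map->data = d;
    map->checksum = layout_checksum(&d);
}

/* Reader side (hook component).
 * Returns the number of attempts used (>= 1) on success,
 * -1 if no consistent copy was obtained within max_tries,
 * -2 if the copy was consistent but its contents are out of range. */
int layout_read(const layout_map_t *map, layout_data_t *out, int max_tries)
{
    for (int attempt = 1; attempt <= max_tries; attempt++) {
        uint32_t saved = map->checksum;          /* 1. save the checksum   */
        layout_data_t copy = map->data;          /* 2. read the data       */
        if (layout_checksum(&copy) != saved)     /* 3. recalculate         */
            continue;                            /* changed mid-read: redo */
        if (copy.count == 0 || copy.count > MAX_MONITORS)
            return -2;
        for (uint32_t i = 0; i < copy.count; i++)
            if (copy.monitors[i].right <= copy.monitors[i].left ||
                copy.monitors[i].bottom <= copy.monitors[i].top)
                return -2;
        *out = copy;                             /* use only the private copy */
        return attempt;
    }
    return -1;
}

int main(void)
{
    /* Constructed sample layout: two 1280x1024 monitors side by side. */
    rect_t two[2] = { {0, 0, 1280, 1024}, {1280, 0, 2560, 1024} };
    layout_map_t map;
    layout_data_t out;

    layout_publish(&map, two, 2);
    printf("consistent read: %d\n", layout_read(&map, &out, 3));

    /* Simulate a reader arriving mid-update: data changed, checksum stale. */
    map.data.monitors[1].right = 3200;
    printf("torn read:       %d\n", layout_read(&map, &out, 3));
    return 0;
}
```

Against a real cross-process mapping the copy would also need volatile or atomic access so the compiler cannot cache or reorder the loads.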
  • In some environments, a multi-monitor hook component executes in a computing environment provided by a virtual machine. In one of these embodiments, the multi-monitor hook component receives an event for each window created just before the window is created, including a window handle for the window being created. The multi-monitor hook component may identify a window type of the window and determine to hook window messages for the window. In some embodiments, windows having window types indicating that the window can be maximized or that the window is a dialog will be hooked. Hooked windows may be added to an array that contains the window handle and an original window procedure. In other embodiments, the multi-monitor hook component receives an event indicating that a window is about to be destroyed. In one of these embodiments, the multi-monitor hook component removes the entry in the hook array associated with the window.
  • In some embodiments, the multi-monitor hook component receives an identification of a window after the window is created and before the window is displayed. In one of these embodiments, the multi-monitor hook component checks the position of the dialog and if it spans multiple monitors, the multi-monitor hook component repositions the window to the centre of the monitor that contains most of the dialog, or the first monitor containing the dialog if the dialog's area is equally split between two monitors. In other embodiments, the multi-monitor hook component receives an event when a window is about to be maximized. The multi-monitor hook component ensures that when the window is maximized from the minimized state it will be positioned on the correct monitor.
  • In some embodiments, the multi-monitor hook component receives an event when a window is being maximized. The multi-monitor hook component checks the state of the window and, if the window is minimized, the multi-monitor hook component retrieves an identification of a monitor in which the window is minimized from the window hook array. If the window is not minimized, the multi-monitor hook component identifies the monitor that contains most of the window. If no monitor is found, or if the monitor does not exist (as after a reconnection), monitor 0 is used. The multi-monitor hook component then removes the origin and size of the monitor from its saved monitor information and updates the MINMAXINFO structure pointed to by the message. This causes the window to maximize to the specified monitor only.
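The monitor-selection rules described above for maximizing and for dialog centering, as an added example in portable C that is not code from the patent or from Citrix. All type and function names are hypothetical, `minmax_t` stands in for the maximized size and position fields of MINMAXINFO, and monitor rectangles are assumed to be in session desktop coordinates.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef struct { int32_t left, top, right, bottom; } rect_t;
typedef struct { int32_t x, y; } point_t;
/* Stand-in for the MINMAXINFO fields that control where a window maximizes. */
typedef struct { point_t max_size, max_pos; } minmax_t;

/* Area shared by two rectangles, 0 if they do not intersect. */
static int64_t overlap_area(const rect_t *a, const rect_t *b)
{
    int32_t l = a->left   > b->left   ? a->left   : b->left;
    int32_t t = a->top    > b->top    ? a->top    : b->top;
    int32_t r = a->right  < b->right  ? a->right  : b->right;
    int32_t m = a->bottom < b->bottom ? a->bottom : b->bottom;
    if (r <= l || m <= t) return 0;
    return ((int64_t)r - l) * ((int64_t)m - t);
}

/* Index of the monitor holding most of w. A tie goes to the first monitor
 * (strict '>' below); -1 if w touches no monitor. *spanned, if non-NULL,
 * receives how many monitors w overlaps. */
int monitor_for_rect(const rect_t *mons, int n, const rect_t *w, int *spanned)
{
    int best = -1, hits = 0;
    int64_t best_area = 0;
    for (int i = 0; i < n; i++) {
        int64_t a = overlap_area(&mons[i], w);
        if (a > 0) hits++;
        if (a > best_area) { best_area = a; best = i; }
    }
    if (spanned) *spanned = hits;
    return best;
}

/* Monitor a window should maximize onto. saved_monitor is the value kept in
 * the hook array for a minimized window; it may refer to a monitor that no
 * longer exists after a reconnection, so it is range-checked. */
int maximize_target(const rect_t *mons, int n, const rect_t *w,
                    int minimized, int saved_monitor)
{
    int m = minimized ? saved_monitor : monitor_for_rect(mons, n, w, NULL);
    if (m < 0 || m >= n) m = 0;        /* not found, or gone: monitor 0 */
    return m;
}

/* Write the chosen monitor's origin and size into the maximize fields. */
void fill_minmax(const rect_t *mon, minmax_t *mmi)
{
    mmi->max_pos.x  = mon->left;
    mmi->max_pos.y  = mon->top;
    mmi->max_size.x = mon->right - mon->left;
    mmi->max_size.y = mon->bottom - mon->top;
}

/* If dlg spans more than one monitor, move it to the centre of the monitor
 * chosen by monitor_for_rect. Returns 1 if dlg was moved, 0 otherwise. */
int center_dialog(const rect_t *mons, int n, rect_t *dlg)
{
    int spanned = 0;
    int m = monitor_for_rect(mons, n, dlg, &spanned);
    if (m < 0 || spanned < 2) return 0;
    int32_t w = dlg->right - dlg->left, h = dlg->bottom - dlg->top;
    int32_t x = mons[m].left + (mons[m].right - mons[m].left - w) / 2;
    int32_t y = mons[m].top + (mons[m].bottom - mons[m].top - h) / 2;
    dlg->left = x; dlg->top = y; dlg->right = x + w; dlg->bottom = y + h;
    return 1;
}

int main(void)
{
    /* Constructed sample layout: two 1280x1024 monitors side by side. */
    rect_t mons[2] = { {0, 0, 1280, 1024}, {1280, 0, 2560, 1024} };
    rect_t win = {1000, 100, 1800, 700};   /* mostly on monitor 1 */
    minmax_t mmi;

    int m = maximize_target(mons, 2, &win, 0, -1);
    fill_minmax(&mons[m], &mmi);
    printf("maximize on monitor %d at (%d,%d) size %dx%d\n", m,
           (int)mmi.max_pos.x, (int)mmi.max_pos.y,
           (int)mmi.max_size.x, (int)mmi.max_size.y);

    rect_t dlg = {1080, 400, 1480, 600};   /* split equally across both */
    if (center_dialog(mons, 2, &dlg))
        printf("dialog moved to (%d,%d)\n", (int)dlg.left, (int)dlg.top);
    return 0;
}
```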
  • In some embodiments, the virtual machine service component receives authentication information associated with a user of the client machine 10. In one of these embodiments, the virtual machine service component receives the authentication information from a protocol stack component receiving the credentials from the client machine 10. In another of these embodiments, the virtual machine service component receives authentication information from the session management component 1300. In still another of these embodiments, the virtual machine service component uses the received authentication information to authenticate the user of the client machine 10 to the computing environment provided by the virtual machine.
  • In one embodiment, when the communications channel is established and the initial session related information is passed to the virtual machine service component, the virtual machine service component automatically logs the user into the computing environment. In one embodiment, the virtual machine service component receives credentials from the session management component 1300. In another embodiment, the virtual machine service component receives credentials previously provided by the user. In some embodiments, the user provides credentials to the client machine 10 prior to requesting access to a resource. In one of these embodiments, the user provides credentials to a client agent, such as an ICA client. The virtual machine service component automatically reconfigures the display settings of the guest operating system to match those of the ICA client. The virtual machine produces graphics and sound output to the virtual devices that redirect that output to a client agent, such as an ICA client, on the requesting machine. The virtual machine receives audio input, mouse and keyboard device data redirected from the ICA client. When the virtual machine is shut down or suspended, the session management component 1300 cleans up and shuts down the ICA session.
  • The remote machines 30, 30′, and 30″ can belong to the same authentication domain. A domain may comprise a group of machines, such as application servers, execution machines, or client nodes under control of one security database. A domain can include one or more machine farms linked together to act as a single system to provide centralized administration. Conversely, a machine farm can include one or more domains. For servers of two different domains to belong to the same machine farm, a trust relationship may need to exist between the domains. A trust relationship is an association between the different domains that allows a user to access the resources associated with each domain with just one log-on authentication.
  • In one embodiment, the remote machine 30′″ is in a different domain than the farm 38. In another embodiment, the remote machine 30′″ is in the same domain as machines 30, 30′, and 30″. For either embodiment, machines 30, 30′, and 30″ can belong to one server farm, while the remote machine 30′″ belongs to another machine farm, or all of the machines 30, 30′, 30″ and 30′″ can belong to the same machine farm. When a new machine is connected to the network 150, the new machine either joins an existing machine farm or starts a new machine farm.
  • The machines 10 may be in a domain, or may be unconnected with any domain. In one embodiment, the client machine 10 is in the domain 38. In another embodiment, the client machine 10 is in another domain that does not include any of the machines 30, 30′, 30″ and 30′″. In another embodiment, the client machine 10 is not in any domain.
  • In one embodiment the client machine 10 is in the domain 38 and a user of the machine provides user credentials to log onto the client machine 10. User credentials typically include the name of the user of the machine, the password of the user, and the name of the domain in which the user is recognized. The user credentials can be obtained from smart cards, time-based tokens, social security numbers, user passwords, personal identification (PIN) numbers, digital certificates based on symmetric key or elliptic curve cryptography, biometric characteristics of the user, or any other means by which the identification of the user of the client node can be obtained and submitted for authentication.
  • From the user-provided credentials, the client machine 10 generates user authentication data. The client machine 10 transmits this user authentication data to the remote machine 30. In this embodiment, the user credentials are not transmitted over a network, only the resulting user authentication data is transmitted by the client machine 10.
  • The remote machine 30 may determine which resources hosted by the machine farm containing remote machine 30 are available for use by the user of the client machine 10. In one embodiment, the remote machine 30 consults user authentication data to make this determination. In another embodiment, the remote machine 30 consults information associated with a resource requested by the user to make the determination. The remote machine 30 transmits information representing the available resources to the client machine 10.
  • The user authentication performed by the remote machine 30 can suffice to authorize the use of each hosted resource presented to the client machine 10, although such resources may reside at another machine. Accordingly, in this embodiment, when the client machine 10 accesses or launches (i.e., initiates execution of) one of the hosted resources, additional input of user credentials by the user will be unnecessary to authenticate access to that resource. Thus, a single entry of the user credentials can serve to determine the available resources and to authorize the access or launching of such resources without an additional, manual log-on authentication process by the user.
  • FIG. 17 depicts in more detail a system for remotely authenticating a client of a client machine 10 to a remote machine 30. As shown in FIG. 17, the client machine 10 includes an authentication module 1710 in communication with a thin-client program 1720. The authentication module 1710 receives user authentication credentials provided for the purposes of authenticating a user to the client machine 100, the remote machine 30, or both. Received authentication credentials can include username-password combinations, graphical password data, data derived from time-based tokens such as the SecurID line of tokens manufactured by RSA Security Inc. of Bedford, Mass., challenge-response data, information from smart cards, and biometric information such as fingerprints, voiceprints, or facial features. The authentication module 1710 may use the provided authentication credentials to authenticate the user to the machine 100. For example, in WINDOWS-based environments, the authentication module 1710 may be provided by the MSGINA dynamically-linked library. In other embodiments, for example, in Unix-based environments, the authentication module 1710 may be provided by the Unix Pluggable Authentication Manager, using the pam_krb module. In still other embodiments, the authentication module 1710 may be provided by the UNIX kinit command program.
  • In the embodiment shown in FIG. 17, the machine 100 also includes a security service 1712. In some embodiments, the authentication module 1710 and the security service 1712 are provided as the same dynamically-linked library. The security service 1712 provides security services to modules and applications on the machine 100, including the authentication module 1710 and the thin-client application 1720, such as authentication to the machine 100 and authentication to remote machines or network services. For example, the security service 1712, which may be the GSSAPI specified by the Internet Engineering Task Force (IETF) or the SSPI manufactured by Microsoft Corporation of Redmond, Wash., may obtain a Kerberos ticket in response to receipt of the user authentication credentials and use this ticket to obtain additional Kerberos tickets to authenticate the user to remote machines or network services, at the request of modules or applications on the machine 100. The security service 1712 may then generate user authentication data using these Kerberos tickets if needed for remote authentication. In one embodiment, the security service 1712 may generate the user authentication data using an external authentication service, such as a Key Distribution Center in a Kerberos environment or Active Directory in a Windows-based environment.
  • The security service 1712 provides the generated user authentication data, e.g., Kerberos ticket and associated Kerberos authenticator, to the thin-client application 1720. The thin-client application 1720 transmits the user authentication data to a remote machine 30 for remote authentication of the user. Thus, unlike existing single sign-on mechanisms for server-based computing, user-provided authentication credentials are not transmitted over the network 150 to a remote machine 30. The user authentication data generated by the security service 1712 is independent of the method used by the user to authenticate to the machine 100. Thus, for example, a Kerberos ticket for the user of machine 100 is obtained whether the user uses a username-password combination or a biometric to authenticate to the machine 100.
  • In the embodiment shown in FIG. 17, the thin-client application 1720 communicates with the remote machine 30 via a thin-client protocol having one or more virtual channels 1735. In these embodiments, the thin-client application 1720 loads a virtual channel driver and uses it to send and receive messages on the authentication virtual channel. In some embodiments, the virtual channel driver exposes functions for opening the virtual channel and sending data over it.
  • The thin-client application 1720 passes a data structure to the remote machine 30 for the virtual channel 1735 when the thin-client protocol connection is established, indicating to the server-side thin-client application 1750 that the authentication virtual channel is available. In one embodiment, the virtual channel data structure for the authentication virtual channel contains the virtual channel information and a representation of the size of the largest data packet the machine 100 can accept from or send to the remote machine 30 over the virtual channel 1735. The data packet size is constrained by the maximum thin-client size and any specific memory restrictions imposed by the client machine 10. In one particular embodiment, the data structure for the authentication virtual channel is defined as:
    typedef struct _C2H
    {
        VD_C2H Header;
        UINT16 cbMaxDataSize;
    } C2H, *PC2H;
  • The server-side thin-client application 1750 indicates to the thin-client application 1720 its intention to perform authentication using the authentication virtual channel 1735 by opening the virtual channel and sending a bind request message onto the channel. Once the virtual channel has been opened, the virtual channel driver in the thin-client application 1720, in one embodiment, reads a message requesting a binding from the virtual channel, sends a message onto the virtual channel responding to the bind request, and reads a “commit” message from the channel. In one embodiment, the message requesting a binding includes data specifying the protocol version that is supported. In other embodiments, the protocol version can be negotiated between the thin-client application 1720 and the server-side thin-client application 1750 using the bind request and bind response messages.
  • The bind request, bind response, and bind commit initialization messages allow the server-side thin-client application 1750 and the thin-client application 1720 to conduct a 3-way handshake initiated by the server-side thin-client application 1750, and negotiate capabilities. A 2-way handshake may be initiated by the server-side thin-client application 1750 when the current set of virtual channel capabilities can be negotiated using a 2-way handshake only, but a 3-way handshake is supported to allow more flexibility that might be required by new capabilities or future enhancements to current capabilities. For example, in a 3-way handshake, after receiving a “menu” of capabilities from the server-side thin-client application 1750, the thin-client application 1720 can exhibit a specific preference or could instead acknowledge a whole set of options pertaining to a specific capability thus letting the server-side thin-client application 1750 decide on a specific option. In a 2-way handshake to be initiated by the thin-client application 1720, the thin-client application 1720 could not exhibit a specific preference because it might not be supported by the host.
  • Following channel setup, the virtual channel driver of both the thin-client application 1720 and the server-side thin-client application 1750 does the following in a loop until a “stop” message or an “error” message is received: retrieve authentication data from the security service 1712, 1712′, providing as input any authentication data sent by the other party via the virtual channel; and send the retrieved authentication data (if any) onto the virtual channel in a data message. If the retrieval of data from the security service 1712, 1712′ returned a “STOP” message, then signal stop and close the authentication virtual channel. In some embodiments the virtual channel driver may reset itself on a “stop” signal. If the retrieval of data from the security service 1712, 1712′ returned a “CONTINUE” message, then continue. If the retrieval of authentication data from the security service 1712, 1712′ returned an “ERROR”, then signal that an error has occurred and close the authentication virtual channel.
  • As long as “stop” or “error” are not signaled, the virtual channel driver of the thin-client application 1720 and the server-side thin-client application 1750 are free to exchange data messages until the security service 1712, 1712′ stops producing data buffers to be sent. In some embodiments, the number of messages exchanged may be limited by the virtual channel driver, the server-side thin-client application 1750, or the virtual channel 1735. In other embodiments, the virtual channel driver of the thin-client application 1720 and the server-side thin-client application 1750 exchange messages sequentially, that is, two messages are not sent in one direction without a reply to the first being sent in the other. In either embodiment, message exchange can stop after a message has been sent in either direction.
  • In some particular embodiments, the data messages are sent over the virtual channel Least Significant Double Word (LSDW), Least Significant Word (LSW), Least Significant Byte (LSB) first. In other particular embodiments, the data messages are aligned at a byte boundary and fully packed in memory. In these embodiments, data fields will be aligned in memory as written to or read from the virtual channel.
  • Some messages transmitted on the authentication virtual channel span multiple virtual channel packets. To support this, every message must be preceded by a message specifying the length of the next transmitted command. An example of a message that may be used to specify the length of the next command is:
    typedef struct _PKT_CMDLEN
    {
        UINT32 Length;
        UINT8 Command;
        UINT8 FlagsBitMask;
    } PKT_CMDLEN, *PPKT_CMDLEN;
  • In some of these embodiments, PKT_CMDLEN also contains a command number to indicate what type of message is to follow:
    #define CMD_BIND_REQUEST 0x00
    #define CMD_BIND_RESPONSE 0x01
    #define CMD_BIND_COMMIT 0x02
    #define CMD_SSPI_DATA 0x03
  • A PKT_CMDLEN packet containing Length=0 indicates that no more data will follow (i.e. a logical channel close).
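  • Added example (not part of the patent text or of any vendor code): a client-side receive check, in C, for the PKT_CMDLEN framing and bind sequence described above. It assumes a packed 6-byte header sent least significant byte first with the command body following it directly, the server-initiated 3-way handshake, and a hypothetical local limit MAX_CMD_LEN; the authvc_* names and the sample byte streams are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Command numbers exactly as listed on the page. */
#define CMD_BIND_REQUEST  0x00
#define CMD_BIND_RESPONSE 0x01
#define CMD_BIND_COMMIT   0x02
#define CMD_SSPI_DATA     0x03

#define HDR_SIZE    6u            /* packed PKT_CMDLEN: UINT32 + UINT8 + UINT8 */
#define MAX_CMD_LEN (64u * 1024u) /* assumption: local policy cap, not from the page */

typedef enum { ST_WAIT_BIND_REQUEST, ST_WAIT_BIND_COMMIT, ST_DATA, ST_CLOSED } authvc_state;
typedef struct { authvc_state state; } authvc_rx;

typedef enum {
    AUTHVC_OK,              /* every complete frame consumed, channel still open */
    AUTHVC_CLOSED,          /* PKT_CMDLEN with Length == 0 received */
    AUTHVC_NEED_MORE,       /* header or body continues in the next channel packet */
    AUTHVC_ERR_TOO_LONG,    /* announced Length exceeds MAX_CMD_LEN */
    AUTHVC_ERR_BAD_COMMAND, /* Command is not one of the four defined values */
    AUTHVC_ERR_BAD_ORDER    /* command not allowed in the current handshake state */
} authvc_result;

/* Validate the frames in buf[0..len) as received by the client side.
 * *consumed is set to the number of bytes belonging to fully accepted frames. */
authvc_result authvc_feed(authvc_rx *rx, const uint8_t *buf, size_t len, size_t *consumed)
{
    size_t off = 0;
    *consumed = 0;
    while (rx->state != ST_CLOSED) {
        size_t left = len - off;
        if (left == 0) return AUTHVC_OK;
        if (left < HDR_SIZE) return AUTHVC_NEED_MORE;
        const uint8_t *h = buf + off;
        /* Least significant byte first, as the page specifies. */
        uint32_t length = (uint32_t)h[0] | ((uint32_t)h[1] << 8) |
                          ((uint32_t)h[2] << 16) | ((uint32_t)h[3] << 24);
        uint8_t cmd = h[4]; /* h[5] is FlagsBitMask; its bits are not defined on the page */

        if (length == 0) {  /* logical channel close */
            rx->state = ST_CLOSED;
            *consumed = off + HDR_SIZE;
            return AUTHVC_CLOSED;
        }
        /* Reject on the header alone, before any body byte is buffered. */
        if (length > MAX_CMD_LEN) return AUTHVC_ERR_TOO_LONG;
        if (cmd > CMD_SSPI_DATA)  return AUTHVC_ERR_BAD_COMMAND;

        /* The client sends CMD_BIND_RESPONSE itself, so receiving one is out of order. */
        authvc_state next;
        if (rx->state == ST_WAIT_BIND_REQUEST && cmd == CMD_BIND_REQUEST) next = ST_WAIT_BIND_COMMIT;
        else if (rx->state == ST_WAIT_BIND_COMMIT && cmd == CMD_BIND_COMMIT) next = ST_DATA;
        else if (rx->state == ST_DATA && cmd == CMD_SSPI_DATA) next = ST_DATA;
        else return AUTHVC_ERR_BAD_ORDER;

        if (length > left - HDR_SIZE) return AUTHVC_NEED_MORE; /* body incomplete */
        rx->state = next;
        off += HDR_SIZE + length;
        *consumed = off;
    }
    return AUTHVC_CLOSED;
}

/* Constructed sample streams (not captured traffic). */
static const uint8_t SAMPLE_OK[] = {
    0x02, 0, 0, 0, CMD_BIND_REQUEST, 0, 0x01, 0x00,           /* bind request, 2-byte body */
    0x01, 0, 0, 0, CMD_BIND_COMMIT,  0, 0x00,                 /* bind commit, 1-byte body  */
    0x04, 0, 0, 0, CMD_SSPI_DATA,    0, 0xAA, 0xBB, 0xCC, 0xDD, /* opaque security data    */
    0x00, 0, 0, 0, 0, 0                                       /* Length = 0: close         */
};
static const uint8_t SAMPLE_OVERSIZE[]  = { 0xFF, 0xFF, 0xFF, 0xFF, CMD_BIND_REQUEST, 0 };
static const uint8_t SAMPLE_BAD_ORDER[] = { 0x04, 0, 0, 0, CMD_SSPI_DATA, 0, 1, 2, 3, 4 };
static const uint8_t SAMPLE_TRUNCATED[] = { 0x08, 0, 0, 0, CMD_BIND_REQUEST, 0, 1, 2, 3 };

/* Fresh receiver, one buffer: return the verdict, or the bytes consumed. */
authvc_result authvc_check(const uint8_t *buf, size_t len)
{
    authvc_rx rx = { ST_WAIT_BIND_REQUEST };
    size_t used;
    return authvc_feed(&rx, buf, len, &used);
}
size_t authvc_consumed(const uint8_t *buf, size_t len)
{
    authvc_rx rx = { ST_WAIT_BIND_REQUEST };
    size_t used;
    (void)authvc_feed(&rx, buf, len, &used);
    return used;
}

int main(void)
{
    printf("ok=%d oversize=%d bad_order=%d truncated=%d\n",
           (int)authvc_check(SAMPLE_OK, sizeof SAMPLE_OK),
           (int)authvc_check(SAMPLE_OVERSIZE, sizeof SAMPLE_OVERSIZE),
           (int)authvc_check(SAMPLE_BAD_ORDER, sizeof SAMPLE_BAD_ORDER),
           (int)authvc_check(SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED));
    return 0;
}
```

In embodiments where the authentication virtual channel is the only channel available before the user is authenticated, this parser handles unauthenticated input, which is why length and ordering are checked on the header before any body byte is accepted.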
  • The server-side thin-client application 1750 passes the authentication data it receives over the authentication virtual channel to its security service 1712′. If the server-side security service 1712′ is able to verify the data, it generates an access token representing a logon session for the user, allowing the user to authenticate to the remote machine 30 without resubmitting authentication credentials. An access token is a data object that includes, among other things, a locally unique identifier (LUID) for the logon session. If the server-side security service 1712′ is not able to verify the data, the user is prompted to resubmit authentication credentials.
  • In some embodiments, until the server-side security service 1712′ authenticates the user, the only virtual channel over which the user may communicate with the remote machine 30 is the authentication virtual channel. In some of these embodiments, after authentication, new virtual channels are initiated for communication. In other embodiments, only one virtual channel exists and it may only be used for authentication-related communications until the user is authenticated, and it may be used for other communications after the user is authenticated.
  • For embodiments in which the remote machine 30 operates under control of a MICROSOFT WINDOWS operating system, the access token generated by the server-side security service 1712′ is an impersonation token that has only network logon rights. That is, the generated access token is not suitable to use for starting applications to run interactively, as is required in the WINDOWS server-based computing environment. To allow applications to run interactively, a primary access token is needed that has interactive logon rights. In one embodiment, the generated access token is modified to provide the appropriate rights. In another embodiment, a new token is generated for the user.
  • For embodiments in which the server-side computing device 140 operates under control of a Unix-based operating system, if the server-side security service 1712′ verifies the authentication data it receives over the authentication virtual channel from the server-side thin-client application 1750, the server-side thin-client application 1750 will grant the user access to the resources. In these embodiments, the server-side security service 1712′ does not generate an access token.
  • In some embodiments, after the remote machine 30 has authenticated the user, the remote machine 30 presents an enumeration of resources available to the user. In these embodiments, the remote machine 30 may create a page describing a display of resources, hosted by a plurality of machines, available to the machine 100. The remote machine 30 may then transmit the created page to the machine 100 for display and receive from the machine 100, a request to access one of the hosted resources.
  • In some of these embodiments, the selected one of the available resources hosted by one of the plurality of machines is then executed without requiring further receipt of user authentication data from the machine 100. In some of these embodiments, the remote machine 30 initiates, in response to successful authentication by the user, a connection from the remote machine 30 to a second remote machine 30′ which is hosting a resource available to the user. In these embodiments, the available resource is executed over the connection. In some embodiments, the connection is a virtual channel.
  • In other embodiments, the first remote machine 30 is hosting the selected one of the available resources. In some of these embodiments, the remote machine 30 makes the resource available to the user over the existing connection. In others of these embodiments, the remote machine 30 makes the resource available to the user over a new connection. In some of those embodiments, the new connection comprises a virtual channel.
  • In some embodiments, a plurality of components are provided for authenticating a user of the client machine 10 to a virtual machine on a remote machine 30. In one of these embodiments, functionality is provided for a Kerberos-based Single Sign-On process between the client machine 10 and a guest operating system provided by the virtual machine.
  • In some embodiments, a user seeking to access a resource provided by a virtual machine provides authentication credentials multiple times to different entities. In one of these embodiments, the user is authenticated by a client agent on the client machine 10, by a remote machine 30, and by a computing environment provided by a virtual machine in the remote machine 30. In some of these embodiments, single sign-on support would enable authentication of the user to different entities with only one transmission of authentication credentials from the user.
  • Authentication of the user to the client machine and the remote machine 30 may be accomplished as described above in connection with FIG. 17. In some embodiments, an authentication component, a GINA (Graphical Identification and Authentication) component, an authentication module in the session management component and an authentication module for the virtual machine service component are provided. In one embodiment, a bidirectional virtual channel enables communication between a service management component on the remote machine 30 and a virtual machine service component executing in the guest operating system. In one embodiment, the remote machine 30 includes client-side single sign-on functionality and the virtual machine includes server-side single sign-on functionality. In still another embodiment, the service management component implements an authentication module and communicates with an authentication module in the virtual machine service component to authenticate the user.
  • In one embodiment, the session management component creates a Kerberos SSPI channel between itself and the virtual machine service component. When the channel is established the session management component acquires the credentials of the user and initializes a security context using this data. The initialization data returned is sent to the virtual machine service component which accepts the data and starts an exchange of SSPI messages between the two components until the security context is established in the virtual machine service component. This context is then used to log the user on to the virtual machine using a single sign-on GINA component.
  • In some embodiments, the session management component authenticates the user to a host operating system on the remote machine 30. In one of these embodiments, the host operating system then authenticates the user to the virtual machine. In other embodiments, the session management component authenticates the user to a hypervisor. In one of these embodiments, the hypervisor then authenticates the user to the virtual machine. In still other embodiments, the session management component authenticates the user to a virtual machine providing management functionality for the virtual machine to which the user seeks access.
  • Referring back to FIG. 8, a remote machine 30 may determine to provide access to a resource streaming service capable of transmitting a requested resource to the client machine (step 816). In some embodiments, the remote machine 30 determines to implement a resource streaming service to transmit to the client machine 10 or to a remote machine 30′ a requested resource. In other embodiments, the remote machine 30 determines to use a resource streaming service to stream the resource to a computing environment provided by a virtual machine. In still other embodiments, the resource is a computing environment and the remote machine 30 determines to use a resource streaming technique to stream the computing environment to a virtual machine. In some embodiments, the plurality of resource files resides on the remote machine 30′. In other embodiments, the plurality of resource files resides on a separate file server or remote machine 30″. In still other embodiments, the plurality of resource files may be transmitted to a client machine 10. In yet other embodiments, a file in the plurality of resource files may be executed prior to transmission of a second file in the plurality of resource files to the client machine 10.
  • In some embodiments, the remote machine 30 retrieves information about the enumerated resource from a remote machine 30′. In one of these embodiments, the remote machine 30 receives an identification of a remote machine 30″ hosting a plurality of resource files. In another of these embodiments, the remote machine 30 receives identification of a location of a plurality of resource files, the identification conforming to a Universal Naming Convention (UNC). In still another of these embodiments, the identification includes a network location and a socket for a resource streaming protocol.
  • In one embodiment, the remote machine 30 retrieves a file containing information about the enumerated resource. The file may include an identification of a location of a remote machine 30′ hosting the enumerated resource. The file may include an identification of a plurality of versions of the enumerated resource. The file may include an enumeration of a plurality of resource files comprising the enumerated resource. The file may include an identification of a compressed file comprising a plurality of resource files comprising the enumerated resource. The file may include an identification of pre-requisites to be satisfied by a machine executing the enumerated resource. The file may include an enumeration of data files associated with the enumerated resource. The file may include an enumeration of scripts to be executed on a machine executing the enumerated resource. The file may include an enumeration of registry data associated with the enumerated resource. The file may include an enumeration of rules for use in an embodiment where the enumerated resource executes within an isolation environment. In one embodiment, the file may be referred to as a “manifest” file. The information that the file may contain is described in further detail below.
  • The stream of data packets may include resource files comprising the enumerated resource. In some embodiments, resource files include data files associated with a resource. In other embodiments, resource files include executable files required for execution of the resource. In still other embodiments, the resource files include metadata including information about the files, such as location, compatibility requirements, configuration data, registry data, identification of execution scripts, rules for use in isolation environments, or authorization requirements.
  • In some embodiments, the streamed resource executes prior to the transmission of each resource file in a plurality of resource files comprising the streamed resource. In one of these embodiments, execution of the streamed resource begins upon receipt by a client machine 10 of one resource file in the plurality of resources. In another of these embodiments, execution of the streamed resource begins upon receipt by a client machine 10 of an executable resource file in the plurality of resource files. In still another of these embodiments, the client machine 10 executes a first received resource file in a plurality of resource files and the first received resource file requests access to a second resource file in the plurality of resource files.
  • In one embodiment, the streamed resource executes on the client machine 10 without permanently residing on the client machine 10. In this embodiment, the streamed resource may execute on the client machine 10 and be removed from the client machine 10 upon termination of the streamed resource. In another embodiment, the streamed resource executes on the client machine 10 after a pre-deployed copy of each resource file is stored on the client machine 10. In still another embodiment, the streamed resource executes on the client machine 10 after a copy of each resource file is stored in an isolation environment on the client machine 10. In yet another embodiment, the streamed resource executes on the client machine 10 after a copy of each resource file is stored in a cache on the client machine 10.
  • In some embodiments, the remote machine 30 streams the enumerated resource to the remote machine 30, executes the enumerated resource on the remote machine 30, and provides to the client machine 10 resource-output data generated by the execution of the enumerated resource. In other embodiments, a resource is streamed to a virtual machine and resource output data is transmitted to a client machine 10 using a presentation layer protocol such as X11, VNC, ICA or RDP.
  • In one embodiment, the remote machine 30 receives a plurality of resource files comprising the enumerated resource. In another embodiment, the remote machine 30 provides the resource-output data via a presentation level protocol, such as an ICA presentation level protocol or a Remote Desktop Windows presentation level protocol or an X-Windows presentation level protocol.
  • In some embodiments, the remote machine 30 also provides access information associated with the enumerated resource, the access information generated responsive to the selected method. In one of these embodiments, the access information provides an indication to the client machine 10 of the selected method for execution of the enumerated resource. In another of these embodiments, the access information includes an identification of a location of the enumerated resource, the identification conforming to a Universal Naming Convention (UNC). In still another of these embodiments, the access information includes an identification of a session management server.
  • In some embodiments, the access information includes a launch ticket comprising authentication information. In one of these embodiments, the client machine 10 may use the launch ticket to authenticate the access information received from the remote machine 30. In another of these embodiments, the client machine 10 may use the launch ticket to authenticate itself to a second remote machine 30 hosting the enumerated resource. In still another of these embodiments, the remote machine 30 includes the launch ticket in the access information responsive to a request from the client machine 10 for the launch ticket.
  • Referring now to FIG. 18, a flow diagram depicts one embodiment of the steps taken to access a plurality of files comprising a resource, such as a computing environment or an application program. A client machine 10 performs a pre-launch analysis (step 1810). In one embodiment, the client machine 10 performs the pre-launch analysis prior to retrieving and executing a plurality of resource files comprising a resource. In another embodiment, the client machine 10 performs the pre-launch analysis responsive to a received indication that the pre-launch analysis is a requirement for authorization to access the plurality of resource files comprising a resource.
  • In some embodiments, the client machine 10 receives, from a remote machine 30, access information associated with the plurality of resource files. In one of these embodiments, the access information includes an identification of a location of a remote machine 30′ hosting the plurality of resource files. In another of these embodiments, the client machine 10 receives an identification of a plurality of resources comprising one or more versions of the resource. In still another of these embodiments, the client machine 10 receives an identification of a plurality of resource files comprising one or more resources. In other embodiments, the client machine 10 receives an enumeration of resources available to the client machine 10 for retrieval and execution. In one of these embodiments, the enumeration results from an evaluation of the client machine 10. In still other embodiments, the client machine 10 retrieves at least one characteristic responsive to the retrieved identification of the plurality of resource files comprising a resource.
  • In some embodiments, the access information includes a launch ticket capable of authorizing the client machine 10 to access the plurality of resource files. In one of these embodiments, the launch ticket is provided to the client machine 10 responsive to an evaluation of the client machine 10. In another of these embodiments, the launch ticket is provided to the client machine 10 subsequent to a pre-launch analysis of the client machine 10 by the client machine 10.
  • In other embodiments, the client machine 10 retrieves at least one characteristic required for execution of the plurality of resource files. In one of these embodiments, the access information includes the at least one characteristic. In another of these embodiments, the access information indicates a location of a file for retrieval by the client machine 10, the file enumerating the at least one characteristic. In still another of these embodiments, the file enumerating the at least one characteristic further comprises an enumeration of the plurality of resource files and an identification of a remote machine 30 hosting the plurality of resource files.
  • The client machine 10 determines the existence of the at least one characteristic on the client machine 10. In one embodiment, the client machine 10 makes this determination as part of the pre-launch analysis. In another embodiment, the client machine 10 determines whether the client machine 10 has the at least one characteristic.
  • In one embodiment, determining the existence of the at least one characteristic on the client machine 10 includes determining whether a device driver is installed on the client machine 10. In another embodiment, determining the existence of the at least one characteristic on the client machine 10 includes determining whether an operating system is installed on the client machine 10. In still another embodiment, determining the existence of the at least one characteristic on the client machine 10 includes determining whether a particular operating system is installed on the client machine 10. In yet another embodiment, determining the existence of the at least one characteristic on the client machine 10 includes determining whether a particular revision level of an operating system is installed on the client machine 10. For embodiments in which a remote machine 30 acts as a client machine 10 (such as, for example, a terminal services session in which the remote machine executes computing resources on behalf of a user of a client machine), determining the existence of at least one characteristic may include determining whether the remote machine 30 executes a hypervisor or, alternatively, whether the remote machine executes a hypervisor which itself executes in the native operating system.
  • In some embodiments, determining the existence of the at least one characteristic on the client machine 10 includes determining whether the client machine 10 has acquired authorization to execute an enumerated resource. In one of these embodiments, a determination is made by the client machine 10 as to whether the client machine 10 has received a license to execute the enumerated resource. In another of these embodiments, a determination is made by the client machine 10 as to whether the client machine 10 has received a license to receive across a resource streaming session a plurality of resource files comprising the enumerated resource. In other embodiments, determining the existence of the at least one characteristic on the client machine 10 includes determining whether the client machine 10 has sufficient bandwidth available to retrieve and execute an enumerated resource.
  • In some embodiments, determining the existence of the at least one characteristic on the client machine 10 includes execution of a script on the client machine 10. In other embodiments, determining the existence of the at least one characteristic on the client machine 10 includes installation of software on the client machine 10. In still other embodiments, determining the existence of the at least one characteristic on the client machine 10 includes modification of a registry on the client machine 10. In yet other embodiments, determining the existence of the at least one characteristic on the client machine 10 includes transmission of a collection agent 704 to the client machine 10 for execution on the client machine 10 to gather credentials associated with the client machine 10.
  • The client machine 10 requests, from a remote machine 30, authorization for execution of the plurality of resource files, the request including a launch ticket (step 1812). In some embodiments, the client machine 10 makes the request responsive to a determination that at least one characteristic exists on the client machine 10. In one of these embodiments, the client machine 10 determines that a plurality of characteristics exist on the client machine 10, the plurality of characteristics associated with an enumerated resource and received responsive to a request to execute the enumerated resource. In another of these embodiments, the client machine 10 receives an indication that authorization for execution of the enumerated resource files depends upon existence of the at least one characteristic on the client machine 10. In one embodiment, the client machine 10 received an enumeration of resources, requested execution of an enumerated resource, and received access information including the at least one characteristic and a launch ticket authorizing the execution of the enumerated resource upon the determination of the existence of the at least one characteristic on the client machine 10. In one embodiment, the client machine 10 receives from the remote machine 30 a license authorizing execution of the plurality of resource files. In some embodiments, the license authorizes execution for a specified time period. In one of these embodiments, the license requires transmission of a heart beat message to maintain authorization for execution of the plurality of resource files. For embodiments in which a virtual machine is streamed or otherwise downloaded to the client machine, a license pool may be provided that authorizes the virtual machine, its guest operating system and all the licensed software installed within that guest operating system. In some of these embodiments, a single license is provided that authorizes those entities.
  • In another embodiment, the client machine 10 receives from the remote machine 30 the license and an identifier associated with a remote machine 30 monitoring execution of the plurality of resource files. In some embodiments, the remote machine 30 is a session management server 1962, as described below in connection with FIG. 19. In one of these embodiments, the session management server 1962 includes a session management subsystem 1910 that monitors the session associated with the client machine 10. In other embodiments, a separate remote machine 30″″ is the session management server 1962.
  • Referring back to FIG. 18, the client machine 10 receives and executes the plurality of resource files (step 1814). In one embodiment, the client machine 10 receives the plurality of resource files across a resource streaming session. In another embodiment, the client machine 10 stores the plurality of resource files in an isolation environment on the client mach