WO2005116888A2 - Method of providing computing resources to computers operated by different companies - Google Patents

Info

Publication number
WO2005116888A2
Authority
WO
WIPO (PCT)
Prior art keywords
server
vital
client
access
network
Application number
PCT/GB2005/002070
Other languages
French (fr)
Other versions
WO2005116888A3 (en
Inventor
Philip Moss
Antony Iadarola
Jonathan Young
Original Assignee
Man Bytes Dog Limited
Priority claimed from GB0411746A external-priority patent/GB0411746D0/en
Application filed by Man Bytes Dog Limited filed Critical Man Bytes Dog Limited
Publication of WO2005116888A2 publication Critical patent/WO2005116888A2/en
Publication of WO2005116888A3 publication Critical patent/WO2005116888A3/en

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F8/00Arrangements for software engineering
    • G06F8/60Software deployment
    • G06F8/61Installation
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/34Network arrangements or protocols for supporting network services or applications involving the movement of software or configuration parameters 

Definitions

  • This invention relates to a method of providing computing resources to computers operated by different companies. It enables companies to outsource various aspects of their IT infrastructure and IT operations.
  • IT outsourcing involves a company delegating the management and performance of IT operations to a third party; for example, a large corporation with a complex IT network may decide it is more efficient and effective to hand across the management and operation of that IT network to a specialist computing services company, as opposed to directly employing IT staff to do the same job.
  • client devices remotely access applications that remain resident on a remote server operated by the service provider; hence, keeping those applications up to date becomes the responsibility of the third party.
  • IT outsourcing has been implemented only by large companies, since it has not been cost effective for the major IT outsourcing companies to provide this kind of service to large numbers of small or medium size businesses; equally, the cost for a small or medium size business would be prohibitive. Yet it is precisely small and medium sized businesses that can most benefit from an outsourced IT function because they are often least able to deploy their own skilled IT staff. The present invention aims to resolve this dilemma.
  • the present invention is a method of providing computing resources to computers, in which a server is connected over a network to multiple client devices being operated by different companies, the method comprising the step of the server running processes that enable the automatic deployment of applications and/or operating systems directly or indirectly to the networked client devices for those client devices to run locally, at least some of the processes being re-useable by the server for any of the client devices.
  • the term 'processes' should be expansively construed to include, inter alia, scripts.
  • the term 'server' includes one or more servers.
  • the server can also run automated, re-useable processes that enable the automatic management and updating of the applications and operating systems.
  • the re-useable processes are flexible so that the client devices do not have to conform to a pre-defined configuration. Rather, the server can be provided with and use information defining the configuration of different client devices and deploy accordingly.
  • An implementation can also be a hybrid, offering features of a conventional service provider based IT system (e.g. with applications remaining resident on a remote server) combined with features associated with client-server architectures.
  • the server provides services requiring low levels of bandwidth for delivery, such as one or more of the following functions: e-mail server hosting, messaging server hosting, groupware application hosting, managed desktop, virus scanning, patch deployment, spam filtering, remote access, automated off-site back-up, web site hosting, disaster recovery.
  • the client devices each provide one or more of the following functions: running local applications and a local operating system; access to the remote server over the network.
  • This approach is implemented by the server automatically deploying the applications and OSs to a local server on the same physical network as the client device; it is the local server that then deploys these to the client device.
  • Resources for a given client device that require high levels of network bandwidth, including file/print services, network authentication and software deployment, are stored on the local server.
  • This approach combines the best of a fully outsourced, service provider based IT system, with the performance of a client-server system wholly within the control of a given company.
  • the server can also provide a user interface to a management application that enables the configuration and management of the automatic deployment and the functions.
  • the user interface enables a manager to initiate the processes without detailed knowledge of their operation.
  • the user interface to the management application can be located at one of the client devices. Roaming can also be enabled so that a user can use different client devices on the network and gain access to all of the same resources, including files, printers, settings and applications.
  • the client devices can be equipped with a web browser and are selected from the group: PCs, PDAs, mobile phones.
  • Figures 1 and 2 depict different connection methods from client device to the Vital data centre
  • Figure 3 depicts the overall client-server architecture of Vital
  • Figure 4 depicts the Vital application framework
  • Figure 5 depicts the roles played by the core servers in the Vital data centre
  • Figure 6 depicts how the Vital Active Directory is configured programmatically
  • Figure 7 depicts how the company creation process operates.
  • the present invention is implemented in a system called Vital.
  • Vital is a complete network solution for companies, mixing the best of client server and application service provider together to create a new way of providing IT network solutions.
  • Vital is viewed as a normal IT network providing all of the standard networking, collaboration, remote access, security and backup / disaster recovery that are expected from a modern IT solution.
  • At the backend Vital is a managed networking solution, providing its services in a highly automated but still flexible manner.
  • the Vital service encompasses a number of software solutions and operational processes to provide a coherent solution to the end user.
  • (j) A management platform that performs all configuration and management across the service.
  • the management platform abstracts the complexities and technical knowledge required to perform configuration to a level where non-technical users can create, deploy and manage a network solution.
  • Section B Summary of Vital Service Features
  • Vital Manager is the core software application used to configure, support and manage the Vital service. Vital Manager implements the following concepts: o Interface orientated towards non-technical users coupled with wizard-driven work flows. o Total abstraction of technical complexities from the software; the user thinks in terms of "Vital", Companies, Sites, Departments, Users and Computers. o Complete separation between creating items (companies, users, etc) within the software application and the creation of the actual underlying objects (Active Directory users, Exchange mailboxes, file system folders, etc) on the underlying systems.
  • Vital provides a dedicated connection method through a partner ISP. This allows clients to have an ADSL, SDSL or leased line which then provides direct connection to the Vital datacentre. This connection does not traverse the Internet. It is highly secure and efficient, cutting out the Quality of Service issues sometimes associated with services that travel over the Internet. Clients who connect using this option are provided secure firewalled Internet access through the Vital datacentre. If an existing connection is present then clients can connect over a VPN. A VPN / firewall device is installed onsite and provides a secure connection to the Vital datacentre.
  • Full access is provided to conferencing, instant messaging and remote access services; all e-mail is fully virus-checked before arrival or departure.
  • Vital fully automates and manages a company's domain name and e-mail routing. Users are able to manage their own e-mail addresses through a simple web-based interface. Vital creates additional e-mail addresses for every new domain purchased.
  • FreeBase
  • FreeBase is a bespoke Vital service that provides access to Files and Folders from web browsers. This service works from any location on the Internet and supports both PC and Mac based browsers. FreeBase allows users to browse, download and upload files and folders stored within the company data structure. It supports file / folder permissions, deletion and creation of new folders. Changes made to files or folders are real time so users accessing the same information from another location will see all changes and updates as they occur.
  • B.5 Backup
  • Vital makes backup easy to manage. Every night, all of the amended data from the local server is uploaded to a central datacentre. Vital then backs up this data onto high-capacity tape and disk based storage units on a rotational cycle. Any lost data can be quickly restored. Should an onsite server failure occur, Vital can automatically rebuild and restore the server within a couple of hours. While this is being done users can still log on, access the Internet or send and receive e-mail.
  • Updating systems has either been costly in both time and resources or has not been carried out correctly, therefore leaving companies open to attack.
  • Vital manual updates are a thing of the past.
  • All security, virus checker and system updates are deployed automatically the latest service packs. When a new update is released it is fully tested on a test system to check for stability. Once this has been completed it is deployed across all user systems.
  • B.8 Internet Access
  • Vital provides high speed firewalled Internet access. This is either through the core Vital datacentre for clients who connect using an IPVPN private circuit or via a firewall located on a client's site for clients who connect to Vital over a VPN. In both cases Vital provides centralised management and monitoring of all firewalls and traffic flow.
  • Vital automatically creates web and FTP sites. These are administered through Vital Manager. Clients have access to manage the site through both private FTP and FrontPage server extensions.
  • the client computers run operating systems and applications locally for speed and reliability, giving it a distinctive advantage over alternative terminal service (thin client) based solutions.
  • the core operating system is the Microsoft business oriented desktop operating system (OS) which is a highly secure and stable operating system capable of handling any task from general office documents to high end CAD and Graphics design.
  • the OS is automatically deployed to the client system with a few button presses and the entire process takes about 40 minutes. This is also the case if the system fails and must be "rebuilt".
  • the applications are installed to a client device system the first time it logs on. Every user can be allocated their own combination of software and this software will be available to them whichever computer they log on to.
  • the site's Power User can manage the allocation of software within the company through Vital Manager. All billing and licensing is fully managed by Vital. Vital provides a large selection of software already integrated into the system but if a required application is not available it can be integrated into the system so that it can be automatically deployed as the users log on.
  • Vital stores its core server hardware within a secure, high availability facility. This facility provides (a) Guaranteed power supplies with generator backup (b) Fire suppression systems that do not use water or other equipment damaging substances (c) Multi level security including visual recognition, CCTV and key card access (d) High power air conditioning capable of cooling the location if 33% of the units are off line (e) Anti bomb and terrorist attack systems (f) 24 hour monitoring of all equipment and services
  • B.12 Support
  • Vital provides an integrated support system allowing users to easily help themselves or get help. All users have access to an on-line administration system (Vital Manager) giving them access to a range of self administration features. If there is a problem they cannot handle, a simple and straightforward web-based interface is provided to log and manage support calls. Vital also provides a "staffed" technical support desk for telephone queries. Vital allows technical staff to connect to any machine on the Vital network in order to diagnose and rectify problems.
  • Vital can utilise existing computer hardware and networking equipment, allowing clients to leverage existing investment in equipment while still being able to take advantage of the additional features of Vital. Vital achieves this by taking a sample of the hardware and then "integrating" it so that it rebuilds and is configured in the same way as new hardware.
  • Vital provides a complete SQL Server service. This means clients can run many third party and bespoke applications which use it as a back-end data store. This service greatly reduces the traditional costs associated with the purchase of SQL server hardware and software licenses. Vital can fully integrate any bespoke 1st and 3rd party applications to install in the same way as any software product.
  • Multi-site companies can benefit greatly from Vital. Companies can connect all of their locations to the system and act as a single entity with coherent e-mail addresses, data access and public folders right across the entire organisation. Staff can log on at any site within the company, safe in the knowledge that their applications and data are available to them. This can be achieved without many of the costs associated with deploying a traditional WAN. It is now possible for sites with only a couple of staff to fully benefit from the IT systems of the rest of the company including custom Outlook forms, applications and processes. Sales staff, home workers and "road warriors" can also be easily connected, allowing a single company-wide information structure.
  • Vital delivers an outsourced, managed networking solution for companies of all sizes.
  • the solution combines the best elements of client server architecture with the best practices and delivery of a managed service provider.
  • Vital provides the complete managed end to end solution from the desktop to the server, whilst presenting the user with an 'industry standard' Microsoft Windows based working environment.
  • Vital provides a stable, scalable platform for future growth and presents a strategic and comprehensive IT strategy that will instil confidence and trust in users, customers and stakeholders.
  • Vital is a secure, scalable and integrated IT solution that delivers a company's entire network and computing needs by outsourcing its IT functions. That company's hardware and software capital expenditure is minimised whilst the security, support, scalability and delivery of infrastructure to employees and customers is of a standard generally only found within International Corporate institutions.
  • the Vital service creates an integrated computing universe in which: Companies are provided with, as part of the service, full and audited licensing for • Microsoft Office Professional • Enterprise antivirus software (Network Associates AVD) • Backup and data archiving (Veritas).
  • the server hardware, licensing and administration associated with the implementation of the Microsoft Exchange messaging platform are totally outsourced.
  • Security is taken care of by enterprise class firewalls with system security updates transparently deployed to users.
  • Data is automatically backed up to a remote secure location and can easily be restored to your desired Vital location.
  • virus protection is always up to date and effective with no user intervention.
  • Computers are remotely deployed and software is installed complete with the latest operating systems and applications. Users enjoy a fully managed desktop experience with applications, printers, shared network resources and user settings fully configured, as they log on at any workstation in any 'office' connected to the customer's Vital network.
  • Vital takes the applications a company already know and use, such as Microsoft Word, Excel and Outlook and makes them simpler to maintain without any loss in functionality or features. Vital can also provide full support for your custom applications and SQL solutions within the Vital framework.
  • the data centre handles many services including: • Automation of your computer and application deployment, • Backup, • E-mail/groupware, • Database connectivity and • Internet access.
  • Vital utilises a secure Private Circuit DSL connection directly to the Vital data centre. Vital/MBD then becomes the ISP for the customer's users. The customer does not require the capital expenditure of a firewall, its warranties or maintenance, as they are fully protected by the Vital firewalls in operation at the data centres. Figure 1 depicts this.
  • Outlook data files held locally and not backed up unless the correct back-up application agents are deployed.
  • Exchange, and is not only backed up daily, but can also be partially restored, down to an individual E-mail, thus minimising disruption.
  • Multi-site / multi location companies with users that roam between locations on the WAN and access the information from external locations will instantly experience both the cost and user benefits provided by Vital.
  • Vital now makes it possible for companies to connect all of their locations to the system and act as a single entity operating a coherent E-mail address policy, data access and public folders right across the entire organization without the need to invest in the overheads of multi-domain controllers.
  • Staff can log on at any Vital machine, at any site within the company that is connected to the Vital network, safe in the knowledge that their applications and data are available to them. This can be achieved without many of the costs associated with deploying a traditional secure WAN.
  • any given user will only have access to their specific applications and data, so if they log on to a machine with access to a restricted program, the user will not even be able to run the application.
  • this feature allows employees to visit multiple offices and be able to work effectively. Further advantages of this feature are experienced after a workstation failure as a user simply logs on to any other Vital workstation on the customer's network.
  • the advanced management utilities within Vital automatically deliver and install all applications and data that the user has been allocated. This process is greatly speeded up by the use of onsite servers in every location but applications can be transferred between the connected offices on the WAN by using the available connectivity.
  • a virtual private network can be created from their laptop, home machine or when on-site with another company. This connection will securely connect them to their office just as if they were there. Vital fully configures users' laptops for these services. Vital can also provide home-users with all the information required for self configuration, further minimizing setup and installation costs. Every company is able to fully control which users have access to remote services and detailed activity logs are available if required.
  • the auditing of managed software licensing is handled for the customer by the Vital service, removing the time and cost elements experienced by an organization when compiling software licence compliance audits for legal compliance and for audits by FAST (Federation Against Software Theft), the UK Government backed body. Vital provides a large selection of software already integrated into the system but if the application you require is not available, Vital can integrate it into the service.
  • By moving to Vital, a customer also migrates (if they have not already undertaken their own implementation) to a Windows 2003 Active Directory infrastructure. Within this managed, secure and accepted industry framework, all user permissions can be fully locked down and grouped according to requirements. Sensitive data can be kept from prying eyes and network security can be implemented with unique individual user logons and strong passwords.
  • the Vital data centre is housed in a secure location. This centre is specifically designed to house mission critical computer hardware and services, and hosts many of the networking technologies of some of the world's largest companies. Some of its many features include: • Guaranteed power supplies with generator backup • Fire suppression systems that do not use water or other equipment damaging substances • Multi level security including visual recognition, CCTV and key card access • High power air conditioning capable of cooling the location if 33% of the units are off line • Resistance to bomb and terrorist attack. • 24 hour monitoring of all equipment and services
  • Vital provides an integrated support system allowing users to easily help themselves or obtain network support. All users have access to an on-line system giving them the ability to change their passwords and view help and documentation covering all areas of the system.
  • the Vital system incorporates automated workstation and server rebuild in the event of failure. During a workstation rebuild a user can log onto any other Vital machine and access all of their applications, mail and data. This dramatically reduces the need for support engineers to attend site. If there is a problem that the Customer Point of Contact cannot remedy, a simple and straightforward web-based interface is provided to log and manage support calls directly with Vital support staff. If you do not have internet access you can always phone the help desk to log the call.
  • the core Vital backend engine configures and manages all the independent data providers and technologies required to achieve each area of user functionality.
  • Outlined below is an overview of all technologies and processes used within the core Vital framework
  • All devices on the client site see the router/firewall as their default gateway. All connections to other sites are routed through the datacentre using a hub and spoke network topology.
  • Each site runs a local domain controller (fully managed), which handles the following services; clients do not have the ability to administer their site server:
  • File and print sharing.
  • Local logon authentication.
  • Application distribution (through a DFS).
  • GPO processing.
  • Administration of internal user accounts (passwords, access rights etc).
  • DNS.
  • DHCP.
  • Remote Installation Services (RIS) for operating systems.
  • the datacentre then provides the following services: Replication of all client site data. Backup of all site and data centre data to long term storage.
  • the core Vital engine is an N tier, distributed application written in C# on the Microsoft .NET framework.
  • the application framework is shown in Figure 4.
  • the application uses single location storage. Data is only stored within the underlying data provider and is not replicated to another location (for example a database). This allows for the underlying data to be modified either through traditional administration interfaces or APIs without affecting the rest of the application. Approaching the task of data manipulation in this style offers administrators a greater level of flexibility to support changes and user requirements which are not supported through the bespoke administration system.
  • the engine supports authentication at all application levels and is fully transactional (including a complete audit trail). The engine can raise events that trigger an interaction with external data providers or applications e.g. billing systems, external suppliers.
  • Secure server publishing: Publishes internal DMZ servers to the Internet on specific defined ports and protocols (SMTP, HTTP, HTTPS, etc).
  • Core routing: Acts as the central hub for all TCP-IP traffic routing between the internal network, branch office (client) VPNs and the Internet.
  • DMZ servers • SMTP virus scanning: Acts as primary receiver for all incoming e-mail; messages are scanned for virus infection before being routed to the relevant servers. • SMTP routing server: Performs routing and, if required, modification (address translation, catch all and redirecting) of incoming e-mail after it has been virus cleaned by SMTP scanners. • Public DNS servers: Hold the public DNS records for all Vital clients' domains; they are configured in a classic primary/secondary configuration. • Public web server: Web servers to house clients' public web/ftp sites and applications.
  • the Active Directory is a native Microsoft Windows Server 2003 directory in a single domain / single forest configuration.
  • the Active Directory is the primary directory service and authentication system used across the Vital system.
  • the Active Directory is customised as explained below to allow each client to only see objects relating to their company and no one else. Each company then appears to exist as an independent entity.
  • the directory is replicated in its entirety to all domain controllers.
  • the directory is configured programmatically as shown in Figure 6.
  • Permissions on all objects are configured to allow only specific objects access to other objects.
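Because every company shares one domain and one forest, the isolation described above rests entirely on the access control entries set on each company's objects. The following added example (not code from the patent or from Vital) audits a list of entries for grants that would let one company see another. The `OU=Companies` container, the `vital.example` domain, the group names and the right labels are assumptions made for illustration, and the sample entries are constructed.

```python
"""Audit allow-ACEs on per-company OUs for entries that break tenant isolation."""
from dataclasses import dataclass

# Well-known groups that span every company in a single-domain directory.
BROAD_TRUSTEES = {"everyone", "authenticated users", "domain users",
                  "pre-windows 2000 compatible access", "anonymous logon"}
# Rights that let a trustee enumerate or read objects (illustrative labels).
VISIBILITY_RIGHTS = {"ListChildren", "ListObject", "ReadProperty",
                     "GenericRead", "GenericAll"}
TENANT_CONTAINER = "ou=companies"  # assumed parent OU holding one OU per company


@dataclass(frozen=True)
class Ace:
    object_dn: str   # object the entry is set on
    trustee: str     # account or group the entry applies to
    right: str
    allow: bool = True


def company_of_dn(dn):
    """Return the company alias that owns a DN, or None if it is not a tenant object."""
    rdns = [part.strip() for part in dn.split(",")]
    lowered = [part.lower() for part in rdns]
    if TENANT_CONTAINER not in lowered:
        return None
    idx = lowered.index(TENANT_CONTAINER)
    if idx == 0 or not lowered[idx - 1].startswith("ou="):
        return None
    return rdns[idx - 1][3:]


def audit_tenant_acls(aces, trustee_company, operators=frozenset()):
    """Return (object_dn, trustee, reason) for every entry that crosses a company boundary."""
    trusted = {name.lower() for name in operators}
    findings = []
    for ace in aces:
        owner = company_of_dn(ace.object_dn)
        # Deny entries and non-read rights cannot expose a company's objects.
        if owner is None or not ace.allow or ace.right not in VISIBILITY_RIGHTS:
            continue
        trustee = ace.trustee.lower()
        if trustee in trusted:
            continue  # hosting-side service accounts are expected on every OU
        if trustee in BROAD_TRUSTEES:
            reason = "broad group spans all companies"
        else:
            home = trustee_company.get(ace.trustee)
            if home is None:
                reason = "trustee not mapped to a company"
            elif home.lower() != owner.lower():
                reason = f"trustee belongs to {home}"
            else:
                continue
        findings.append((ace.object_dn, ace.trustee, reason))
    return findings


# Constructed sample data.
ACME = "OU=Acme,OU=Companies,DC=vital,DC=example"
GLOBEX = "OU=Globex,OU=Companies,DC=vital,DC=example"
SAMPLE_ACES = [
    Ace(ACME, "Acme_Users", "ListChildren"),
    Ace(ACME, "Authenticated Users", "ReadProperty"),
    Ace(GLOBEX, "Acme_Admins", "GenericRead"),
    Ace(GLOBEX, "Authenticated Users", "ListChildren", allow=False),
    Ace(GLOBEX, "Vital_Engine", "GenericAll"),
    Ace("CN=Users,DC=vital,DC=example", "Authenticated Users", "ReadProperty"),
]
TRUSTEE_COMPANY = {"Acme_Users": "Acme", "Acme_Admins": "Acme"}


def demo():
    return audit_tenant_acls(SAMPLE_ACES, TRUSTEE_COMPANY, operators={"Vital_Engine"})
```

On the sample data the audit reports the Authenticated Users read grant on the Acme OU and the Acme administrators' read grant on the Globex OU, and passes everything else.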
  • Figure 7 OU structure with associated permissions are created.
  • Microsoft Exchange is configured to support multiple organizations within a single
  • DNS is automatically configured with the following entries for all domains held by the client: • DNS zone file.
  • An internal administration process then carries out the required changes with the current domain holder to update the authoritative DNS servers to point at the Vital external DNS servers.
  • the Vital engine automatically creates an FTP and web site for every domain associated with a company on the Vital network. This is created programmatically within IIS 6.0 as follows: • User accounts are created allowing clients to administer their site. • A root folder for each site is created. • The web/FTP site is created within IIS and referenced to the correct location. • Permissions are set on the root folder. • Permissions are set on the web/FTP site. • An additional FTP site is created to allow the client's administrator accounts to control content on the web site. • All administration accounts are set to be "deactivated" until they are required by the client. • The associated DNS entries are created on external and internal DNS servers to allow the correct name resolution from both internal and external locations.
  • Full administration of the web sites, associated accounts and access rights is available through the staff and client administration systems.
  • D.11 Site server - Build process
  • The client site server runs Windows Server 2003 Enterprise Edition. It is deployed and configured automatically using custom written installation scripts utilising the unattended installation features of Windows Server 2003 and the configuration capabilities of the Windows Scripting Host.
  • the Vital administration system automatically generates the required configuration files to complete the process correctly.
  • the following items are carried out.
  • Hard disk partitions are created and formatted.
  • the basic installation of Server 2003 is carried out.
  • o IP address is set. o DNS installed. o DHCP installed. o Server name set.
  • the server authenticates against the network. • The server joins the domain.
  • the entire build process takes about 3 hours with additional time required for the software archive to replicate.
  • Client site servers may store the information of one or many clients. The administration application automatically sets up the following file structure on the site server:
        Data
          <Company alias>
            Profile (shared as - <company alias>_Profile$)
              <Folder for each user>
            User (shared as - <company alias>_User$)
              <Folder for each user>
            Shared (shared as - <company alias>_Shared$)
    Profile: Stores the server's copy of the user's roaming profile. User: Stores a user's personal files and folders. Shared: Stores company shared files and folders. Permissions to allow only the relevant users to access each folder are set during the creation process. Users may change the permissions within the shared directory if required.
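Since one site server can hold several companies' data, the layout above is only safe if an alias can never collide with, or reach into, another company's tree. The following added example (not code from the patent or from Vital) plans the folders, hidden shares and permissions for one company and rejects unsafe names. The naming rule, the `D:\Data` root, the `<alias>_Users` group and the right labels are assumptions made for illustration.

```python
"""Plan the folders, hidden shares and permissions for one company on a shared site server."""
import re
from pathlib import PureWindowsPath

# Assumed naming rule (not from the patent): letters and digits only, so a name
# can never carry a path separator, "..", "$" or the "_" used in share names.
SAFE_NAME = re.compile(r"[A-Za-z0-9]{1,32}")
AREAS = ("Profile", "User", "Shared")


class LayoutError(ValueError):
    """Raised when a requested layout would break isolation between companies."""


def _safe(kind, value):
    if not SAFE_NAME.fullmatch(value):
        raise LayoutError(f"{kind} {value!r} is not a safe folder/share name")
    return value


def plan_company_storage(alias, users, existing_aliases=(), data_root=r"D:\Data"):
    """Return {'shares': {...}, 'acl': {...}} for one company; nothing is created on disk."""
    _safe("company alias", alias)
    # NTFS paths and share names are case-insensitive, so "acme" would reuse "ACME"'s tree.
    if alias.lower() in {a.lower() for a in existing_aliases}:
        raise LayoutError(f"alias {alias!r} collides with an existing company")
    seen = set()
    for user in users:
        if _safe("user name", user).lower() in seen:
            raise LayoutError(f"duplicate user folder {user!r}")
        seen.add(user.lower())

    root = PureWindowsPath(data_root) / alias
    group = f"{alias}_Users"  # hypothetical per-company security group
    shares, acl = {}, {}
    # Break inheritance at the company root so nothing granted on Data flows down.
    acl[str(root)] = {"inherit": False, "allow": {group: "Traverse"}}
    for area in AREAS:
        area_path = root / area
        shares[f"{alias}_{area}$"] = str(area_path)  # trailing $ hides the share from browsing
        if area == "Shared":
            acl[str(area_path)] = {"inherit": False, "allow": {group: "Modify"}}
            continue
        acl[str(area_path)] = {"inherit": False, "allow": {group: "Traverse"}}
        for user in users:
            # Only the owning user may open a personal or profile folder.
            acl[str(area_path / user)] = {"inherit": False, "allow": {user: "FullControl"}}
    return {"shares": shares, "acl": acl}


def principals(plan):
    """Every account or group that the plan grants any access to."""
    return {name for entry in plan["acl"].values() for name in entry["allow"]}
```

Checking `principals(plan)` against the company's own accounts before anything is created on disk catches a grant that would cross a company boundary.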
  • Vital provides a bespoke custom written web based administration system providing internal staff access to all management and administration features of the system.
  • the front end is specifically designed to allow non technical staff to perform all areas of client acquisition and administration without the need to understand the underlying technology or process.
  • D.14 User (Client) front end
  • Users and designated "power" users have access to a custom administration system allowing them to manage personal settings and options.
  • the user's front end shares the same core engine as the Vital administration system and as such provides a similar feature set restricted to a user's individual company.
  • User settings follow users around the network through the use of roaming profiles. These are automatically configured for each user as part of the user creation process. Applications roam with the user through the use of GPOs applied to an OU specifically associated with a single user.
  • All computers on the Vital network are deployed using the Microsoft Windows Remote Installation Service (RIS). This is customised to provide a fully automated build process including joining the Active Directory domain.
  • RIS is configured as follows: • Dedicated robotic accounts used for the build process. • RIS directories only accessible from robotic accounts. • Hardware drivers integrated into the RIS install image. • Separate RIS image used for each hardware specification to simplify management and compatibility. • Post build tasks carried out through configuration script, started at the end of the build process.
  • a RIS server is located on each client's site and is installed as part of the site server build process.
  • Each RIS server is automatically deployed with the correct driver integration to deploy all computer specifications on site.
  • Software may be deployed to either a user or a computer. User allocated software is application software, for example Microsoft Word or Excel.
  • Computer allocated software covers items such as service packs or hardware support utilities, for example scanner support software. This allows programs to roam with users and operating system or hardware updates to be applied to a specific machine. All software is allocated through GPOs; these are deployed from the administration system.
  • the GPO contains either a Windows Installer (MSI) package or a reference to the Vital custom application installer utility. So that all software is available to all users on all sites, a software archive is replicated across the network in the form of a domain level DFS. This DFS is referenced within all GPO entries, allowing the software to be obtained wherever the user/computer logs on.
  • Virus protection is provided by the Network Associates Active Virus Defense suite (AVD). This suite of products is used across the entire Vital network. Webshield is deployed on all external SMTP servers and scans all incoming traffic; it automatically updates every hour. Groupshield is deployed on all backend mailbox servers; this monitors the internal information stores and cleans any infected files. Groupshield will rarely find viruses because all points of entry into the message store (external messages, files uploaded from users etc.) are protected by virus products. It is updated every hour.
  • Virus Scan Enterprise is deployed on all servers and workstations across the network. On workstations it performs both real time and scheduled scanning of the system. On site servers and the datacentre it performs only scheduled scanning; this is to improve the performance of the site and datacentre servers.
  • E-Policy Orchestrator (EPO) is deployed within the datacentre and manages deployment, reporting and updating of Virus Scan and Groupshield across the Vital network.
  • D.20 Backup
  • A custom written tool replicates a client's site server to the datacentre every night during non-business hours. This means the datacentre contains a complete copy of all onsite data. This data is then replicated to tape based media as part of a full datacentre backup.
  • Veritas Backup Exec is used to back up all datacentre information including the replicated site data; this occurs on a nightly basis using high speed tape library units. The replication storage space and tape backup capacity are scaled with client demand.
  • MUVPN: Users of managed Vital laptops may gain full VPN access from any location where they can make a connection to the Internet.
  • The Mobile User VPN (MUVPN), provided by Watchguard Technologies, is used; the client software and access certificate are automatically configured on the machine for the user during the initial build phase.
  • MUVPN connection: With the MUVPN connection the user has full access to all network services as if they were connected in the office.
  • Firewall protection is provided by the Zone Alarm personal firewall; this is provided as part of the MUVPN software suite and is automatically configured for the user to allow access to internal network resources when in or away from the office while still providing full protection from other users on the Internet.
  • DocView: Provides users of Vital access to their personal and shared company drives from any web browser connected to the Internet.
  • Docview is a bespoke application written in C# on the Microsoft .Net framework utilising ASP.Net at the presentation layer. Navigation is provided through bespoke written controls. It supports forms based authentication and themes.
  • Docview supports both Internet Explorer (Windows) and Netscape Navigator (Windows and Mac).
  • Outlook Web Access (OWA): OWA 2003 is provided to all users on Vital; this is accessible through both forms based and challenge response authentication.
  • HTTP and HTTPS connections are supported.
  • Exchange Active Sync: Exchange Active Sync is provided for Pocket PC "over the air synchronisation"; this is provided over an HTTPS connection and is accessible from any Internet connected compliant device.
  • OMA: Outlook Mobile Access
  • The Microsoft SUS server is used to deploy updates to client workstations and site servers.
  • The server replicates a list of updates from Microsoft on a daily basis; these are then deployed to workstations overnight.
  • This configuration is handled by a GPO. Users (for example, laptop users) who may not have their machine connected are prompted to install the updates when they are next connected.
  • The core Vital engine provides hardware inventory for all items distributed across sites. This data is stored within a custom SQL database and provides a flexible schema to support future specifications and hardware types. Warranty, purchase price and supplier details are also stored along with the hardware specifications. The engine provides a range of notification services, for example warranty expiry, to simplify administration and generate sales. Internal staff and clients have access to this information through the admin/client web front end; this allows them to query the data in many ways, aiding in sales, administration and auditing.
  • D.24 System monitor: System monitor is a bespoke C# application written on the Microsoft .Net framework. It provides a wide range of monitoring services for all datacentre and client site servers. The feedback from the monitoring is provided through an ASP.Net interface. System monitor can generate e-mail alerts for failed states and supports warning thresholds.
  • Vital's innovative product offering and backend technology provide a radically different approach to providing high quality information technology solutions to companies of all sizes. It greatly reduces the capital expenditure and operations costs of its clients while allowing a far higher "client to internal staff ratio" than traditional outsourcing or support models.

Abstract

An implementation of this invention is a hybrid approach, offering features of conventional service provider based IT system (e.g. with applications remaining resident on a remote server) combined with features associated with client-server architectures. More specifically, a central server provides services requiring low levels of bandwidth for delivery, such as one or more of the following functions: e-mail server hosting, messaging server hosting, groupware application hosting, managed desktop, virus scanning, patch deployment, spam filtering, remote access, automated off-site back-up, web site hosting, disaster recovery. The client devices each provide one or more of the following functions: running local applications and a local operating system; access to the remote server over the network. This approach is implemented by the server automatically deploying the applications and OSs to a local server on the same physical network as the client device; it is then the local server that then deploys these to the client device. Resources for a given client device that require high levels of network bandwidth, including file/print services, network authentication and software deployment, are stored on the local server. This approach combines the best of a fully outsourced, service provider based IT system, with the performance of a client-server system wholly within the control of a given company.

Description

METHOD OF PROVIDING COMPUTING RESOURCES TO COMPUTERS OPERATED BY DIFFERENT COMPANIES
FIELD OF THE INVENTION
This invention relates to a method of providing computing resources to computers operated by different companies. It enables companies to outsource various aspects of their IT infrastructure and IT operations.
DESCRIPTION OF THE PRIOR ART
IT outsourcing involves a company delegating the management and performance of IT operations to a third party; for example, a large corporation with a complex IT network may decide it is more efficient and effective to hand across the management and operation of that IT network to a specialist computing services company, as opposed to directly employing IT staff to do the same job.
In a service provider based approach to IT outsourcing, client devices remotely access applications that remain resident on a remote server operated by the service provider; hence, keeping those applications up to date becomes the responsibility of the third party.
Previously, IT outsourcing has been implemented only by large companies, since it has not been cost effective for the major IT outsourcing companies to provide this kind of service to large numbers of small or medium size businesses; equally, the cost for a small or medium size business would be prohibitive. Yet it is precisely small and medium sized businesses that can most benefit from an outsourced IT function because they are often least able to deploy their own skilled IT staff. The present invention aims to resolve this dilemma.
SUMMARY OF THE INVENTION
The present invention is a method of providing computing resources to computers, in which a server is connected over a network to multiple client devices being operated by different companies, the method comprising the step of the server running processes that enable the automatic deployment of applications and/ or operating systems directly or indirectly to the networked client devices for those client devices to run locally, at least some of the processes being re-useable by the server for any of the client devices.
The term 'processes' should be expansively construed to include, inter alia, scripts. The term 'server' includes one or more servers.
One key element in any IT sourcing is the requirement to deploy applications and operating systems to client computers; the present invention allows this to be done automatically using processes that are available to any client computer from any of the different companies that are connected to the server. Because of this efficiency, even quite small companies can rely on applications and OSs to be deployed to them from the entity controlling the server.
The server can also run automated, re-useable processes that enable the automatic management and updating of the applications and operating systems.
In one implementation, the re-useable processes are flexible so that the client devices do not have to conform to a pre-defined configuration. Rather, the server can be provided with and use information defining the configuration of different client devices and deploy accordingly.
An implementation can also be a hybrid, offering features of conventional service provider based IT system (e.g. with applications remaining resident on a remote server) combined with features associated with client-server architectures. More specifically, the server provides services requiring low levels of bandwidth for delivery, such as one or more of the following functions: e-mail server hosting, messaging server hosting, groupware application hosting, managed desktop, virus scanning, patch deployment, spam filtering, remote access, automated off-site back-up, web site hosting, disaster recovery. The client devices each provide one or more of the following functions: running local applications and a local operating system; access to the remote server over the network. This approach is implemented by the server automatically deploying the applications and OSs to a local server on the same physical network as the client device; it is then the local server that then deploys these to the client device. Resources for a given client device that require high levels of network bandwidth, including file/print services, network authentication and software deployment, are stored on the local server.
This approach combines the best of a fully outsourced, service provider based IT system, with the performance of a client-server system wholly within the control of a given company.
The server can also provide a user interface to a management application that enables the configuration and management of the automatic deployment and the functions. The user interface enables a manager to initiate the processes without detailed knowledge of their operation. The user interface to the management application can be located at one of the client devices. Roaming can also be enabled so that a user can use different client devices on the network and gain access to all of the same resources, including files, printers, settings and applications.
There can also be a single central point of entry for all remote access services, so that users operating different client devices all connect to the same central point of entry to be provided access to their company's resources. The client devices can be equipped with a web browser and are selected from the group: PCs, PDAs, mobile phones.
BRIEF DESCRIPTION OF THE DRAWINGS
The present invention is implemented in a system called Vital; Vital will be described with reference to the accompanying drawings, in which:
Figures 1 and 2 depict different connection methods from client device to the Vital data centre;
Figure 3 depicts the overall client-server architecture of Vital;
Figure 4 depicts the Vital application framework;
Figure 5 depicts the roles played by the core servers in the Vital data centre;
Figure 6 depicts how the Vital Active Directory is configured programmatically; and
Figure 7 depicts how the company creation process operates.
DETAILED DESCRIPTION
Section A: Overview
The present invention is implemented in a system called Vital. Vital is a complete network solution for companies, mixing the best of client server and application service provider together to create a new way of providing IT network solutions. To the end user, Vital is viewed as a normal IT network providing all of the standard networking, collaboration, remote access, security and backup / disaster recovery that are expected from a modern IT solution. At the backend, Vital is a managed networking solution, providing its services in a highly automated but still flexible manner. The Vital service encompasses a number of software solutions and operational processes to provide a coherent solution to the end user.
Vital encompasses the following concepts:
(a) A geographically distributed network where clients connect over a number of mediums to access a central resource.
(b) A single logical network in which all clients function; although the network is a single logical entity each client is only aware of itself, its resources and its information.
(c) A solution where the client can still function even if connectivity to the central resource is lost.
(d) Backup of client data from their local site to an off-site location in an automated and transparent (to the user) manner.
(e) Client computers utilising "fat client", local operating systems and applications but which are deployed, managed and updated in a controlled manner in a similar vein to a "thin client solution".
(f) Services requiring high levels of network bandwidth, including file / print services, network authentication and software deployment, are stored on a local server on the same physical network as the rest of the client's network.
(g) The provision / storage of services requiring low levels of bandwidth including e-mail / groupware services, Internet access, database support, backup, updating and patching, fire walling and remote access is in a central location in a similar vein to a "Hosting" provider.
(h) Advanced roaming where users can travel from machine to machine within the network and gain access to all of the resources including files, printers, settings and applications.
(i) A single central point of entry for all remote access services; users from different clients all connect to the same central location and then are provided access to their company's resources instead of each accessing a different entry point for each client.
(j) A management platform that performs all configuration and management across the service. The management platform abstracts the complexities and technical knowledge required to perform configuration to a level where non-technical users can create, deploy and manage a network solution.
Section B: Summary of Vital Service Features
B.1 Vital Manager
Vital Manager is the core software application used to configure, support and manage the Vital service. Vital Manager implements the following concepts:
• Interface orientated towards non-technical users coupled with wizard-driven work flows.
• Total abstraction of technical complexities from the software; the user thinks in terms of "Vital", Companies, Sites, Departments, Users and Computers.
• Complete separation between creating items (companies, users, etc.) within the software application and the creation of the actual underlying objects (Active Directory users, Exchange mailboxes, file system folders, etc.) on the underlying systems. This is referred to within Vital as "un-built" (item existing within the software only, it cannot be actually used) and "built" (item exists within the software and on the underlying systems, it can be used).
• Viewing of the network configuration, services and items on both a global (all clients) and individual client basis through an intuitive tree and action page based work flow.
• Role based authentication system allowing access rights and features to be scaled from global administration to single user / single feature.
• Auditing system tracking all changes made to all items within the software.
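The separation of "un-built" and "built" items, the scaling of roles from global administration down to a single user and single feature, and the auditing of changes can be modelled as follows. This is an added illustration, not code from the patent or from Vital; the class names, the `*` wildcard, the feature names and the companies `acme` and `globex` are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

ANY = "*"  # assumed wildcard: matches every company, item or feature


@dataclass(frozen=True)
class Role:
    """One grant. The defaults give global administration; narrowing each
    field scales the grant down to a single item and a single feature."""
    company: str = ANY
    item: str = ANY
    feature: str = ANY

    def permits(self, company, item, feature):
        wanted = ((self.company, company), (self.item, item), (self.feature, feature))
        return all(granted in (ANY, value) for granted, value in wanted)


@dataclass
class Item:
    company: str
    kind: str            # e.g. "user" or "computer"
    name: str
    built: bool = False  # un-built: exists in the management software only


class Manager:
    def __init__(self):
        self.items = {}        # (company, name) -> Item
        self.audit = []        # append-only record of every attempted change
        self.provisioned = []  # stand-in for directory, mailbox and folder objects

    def _check(self, actor, roles, feature, company, name):
        # Record the attempt before enforcing it, so denials are audited too.
        allowed = any(r.permits(company, name, feature) for r in roles)
        self.audit.append({
            "when": datetime.now(timezone.utc).isoformat(),
            "actor": actor, "feature": feature,
            "target": f"{company}/{name}", "allowed": allowed,
        })
        if not allowed:
            raise PermissionError(f"{actor} may not {feature} {company}/{name}")

    def create(self, actor, roles, company, kind, name):
        """Create the item in the software only; nothing is provisioned yet."""
        self._check(actor, roles, "create", company, name)
        item = Item(company, kind, name)
        self.items[(company, name)] = item
        return item

    def build(self, actor, roles, company, name):
        """Create the underlying object and mark the item as built."""
        self._check(actor, roles, "build", company, name)
        item = self.items[(company, name)]
        if not item.built:
            self.provisioned.append(f"{item.kind}:{company}/{name}")
            item.built = True
        return item

    def visible(self, roles):
        """Tenant isolation: a caller sees only items one of their roles covers."""
        return sorted(
            f"{c}/{n}" for (c, n) in self.items
            if any(r.permits(c, n, "view") for r in roles)
        )


def demo():
    """Constructed scenario with hypothetical companies 'acme' and 'globex'."""
    m = Manager()
    vital_admin = [Role()]                         # global administration
    acme_power_user = [Role(company="acme")]       # one company
    alice_self = [Role("acme", "alice", "view")]   # one item, one feature

    m.create("admin", vital_admin, "globex", "user", "bob")
    m.create("pat", acme_power_user, "acme", "user", "alice")
    m.build("pat", acme_power_user, "acme", "alice")
    denied = False
    try:
        m.build("pat", acme_power_user, "globex", "bob")  # cross-company attempt
    except PermissionError:
        denied = True
    return {
        "denied": denied,
        "provisioned": m.provisioned,
        "bob_built": m.items[("globex", "bob")].built,
        "acme_view": m.visible(acme_power_user),
        "alice_view": m.visible(alice_self),
        "admin_view": m.visible(vital_admin),
        "audit": [(e["actor"], e["feature"], e["target"], e["allowed"]) for e in m.audit],
    }
```

The denied cross-company build still appears in the audit list, which is what makes the record useful when reviewing who attempted what across companies sharing one logical network.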
B.2 Connection to Vital
To access the services of Vital, clients need to connect to the central servers or datacentre. This datacentre handles many services including the automation of computer and application deployment, backup, e-mail/groupware, database connectivity and Internet access. There are a number of different options to connect a company to the datacentre and the choice is based on the most effective solution for the client.
Vital provides a dedicated connection method through a partner ISP. This allows clients to have an ADSL, SDSL or leased line which then provides direct connection to the Vital datacentre. This connection does not traverse the Internet. It is highly secure and efficient, cutting out the Quality of Service issues sometimes associated with services that travel over the Internet. Clients who connect using this option are provided secure firewalled Internet access through the Vital datacentre. If an existing connection is present then clients can connect over a VPN. A VPN / firewall device is installed onsite and provides a secure connection to the Vital datacentre.
B.3 Email / Collaborative Working
Users have full access to the features of Microsoft Exchange server; users may access this information through the following clients:
1. Microsoft Outlook
2. Outlook Web Access (OWA)
3. Outlook Mobile Access (OMA)
4. Exchange Active Sync
5. POP3 / SMTP
Full access is provided to conferencing, instant messaging and remote access services; all e-mail is fully virus-checked before arrival or departure. Vital fully automates and manages a company's domain name and e-mail routing. Users are able to manage their own e-mail addresses through a simple web-based interface. Vital creates additional e-mail addresses for every new domain purchased.
Vital also provides the services offered by the Research In Motion (RIM), Blackberry Enterprise Server. This offers full support for Blackberry handheld wireless devices.
B.4 FreeBase
FreeBase is a bespoke Vital service that provides access to Files and Folders from web browsers. This service works from any location on the Internet and supports both PC and Mac based browsers. FreeBase allows users to browse, download and upload files and folders stored within the company data structure. It supports file / folder permissions, deletion and creation of new folders. Changes made to files or folders are real time so users accessing the same information from another location will see all changes and updates as they occur.
B.5 Backup
Vital makes backup easy to manage. Every night, all of the amended data from the local server is uploaded to a central datacentre. Vital then backs up this data onto high-capacity tape and disk based storage units on a rotational cycle. Any lost data can be quickly restored. Should an onsite server failure occur, Vital can automatically rebuild and restore the server within a couple of hours. While this is being done users can still log on, access the Internet or send and receive e-mail.
B.6 Security, Patches, Updates, Viruses
Updating systems has either been costly in both time and resources or has not been carried out correctly, therefore leaving companies open to attack. With Vital, manual updates are a thing of the past. All security, virus checker and system updates are deployed automatically, along with the latest service packs. When a new update is released it is fully tested on a test system to check for stability. Once this has been completed it is deployed across all user systems.
B.7 Remote working / Roaming
Access to data from any location and at any time is now vital to all businesses. Vital provides full access to all e-mail / groupware information through a web interface, from a PDA, laptop or mobile phone. FreeBase provides access to files and folders from a web browser. Laptop users have transparent access to their applications and data when they are away from their office and this is automatically synchronised upon their return. For users who require real time access to data, a virtual private network can be created from their laptop. This connection will securely connect them to their office just as if they were there. Vital fully configures users' laptops, PDAs and mobile phones for these services. Every client is able to fully control which users have access to remote services through the use of Vital Manager.
B.8 Internet Access
Vital provides high speed firewalled Internet access. This is either through the core Vital datacentre for clients who connect using an IPVPN private circuit or via a firewall located on a client's site for clients who connect to Vital over a VPN. In both cases Vital provides centralised management and monitoring of all firewalls and traffic flow.
B.9 Web / Ftp
Vital automatically creates web and FTP sites. These are administered through Vital Manager. Clients have access to manage the site through both private FTP and FrontPage server extensions.
B.10 Operating Systems and Programs
Getting users working quickly, and keeping users working, is a core concept of Vital. Therefore installing the system is quick and simple. The client computers run operating systems and applications locally for speed and reliability, giving it a distinctive advantage over alternative terminal service (thin client) based solutions. The core operating system is the Microsoft business oriented desktop operating system (OS) which is a highly secure and stable operating system capable of handling any task from general office documents to high end CAD and Graphics design. The OS is automatically deployed to the client system with a few button presses and the entire process takes about 40 minutes. This is also the case if the system fails and must be "rebuilt". Once it is complete, the system is ready to go with no additional configuration required for drivers or joining a domain. The applications are installed to a client device system the first time it logs on. Every user can be allocated their own combination of software and this software will be available to them whichever computer they log on to. The site's Power User can manage the allocation of software within the company through Vital Manager. All billing and licensing is fully managed by Vital. Vital provides a large selection of software already integrated into the system but if a required application is not available it can be integrated into the system so that it can be automatically deployed as the users log on.
B.11 Data Centre Security
Vital stores its core server hardware within a secure, high availability facility. This facility provides:
(a) Guaranteed power supplies with generator backup
(b) Fire suppression systems that do not use water or other equipment damaging substances
(c) Multi level security including visual recognition, CCTV and key card access
(d) High power air conditioning capable of cooling the location if 33% of the units are off line
(e) Anti bomb and terrorist attack systems
(f) 24 hour monitoring of all equipment and services
Through the use of such a facility, client data security and availability are maximised.
B.12 Support
Vital provides an integrated support system allowing users to easily help themselves or get help. All users have access to an on-line administration system (Vital Manager) giving them access to a range of self administration features. If there is a problem they cannot handle, a simple and straightforward web-based interface is provided to log and manage support calls. Vital also provides a "staffed" technical support desk for telephone queries. Vital allows technical staff to connect to any machine on the Vital network in order to diagnose and rectify problems.
B.13 Existing Hardware
Vital can utilise existing computer hardware and networking equipment, allowing clients to leverage existing investment in equipment while still being able to take advantage of the additional features of Vital. Vital achieves this by taking a sample of the hardware and then "integrating" it so that it rebuilds and is configured in the same way as new hardware.
B.14 Database Support
Vital provides a complete SQL Server service. This means clients can run many third party and bespoke applications which use it as a back-end data store. This service greatly reduces the traditional costs associated with the purchase of SQL server hardware and software licenses. Vital can fully integrate any bespoke 1st and 3rd party applications to install in the same way as any software product.
B.15 Multiple Sites
Multi-site companies can benefit greatly from Vital. Companies can connect all of their locations to the system and act as a single entity with coherent e-mail addresses, data access and public folders right across the entire organisation. Staff can log on at any site within the company, safe in the knowledge that their applications and data are available to them. This can be achieved without many of the costs associated with deploying a traditional WAN. It is now possible for sites with only a couple of staff to fully benefit from the IT systems of the rest of the company including custom Outlook forms, applications and processes. Sales staff, home workers and "road warriors" can also be easily connected, allowing a single company-wide information structure.
B.16 Advanced Hot Desking
Vital makes it simple to roam. Users are free to log on at any machine within any of their company's sites. When they log on they will get not only all of their data and settings but also their applications. This means that when travelling to remote sites they can still be just as productive as when in the office. A user will only get access to their own applications and data, so if they log on to a machine with access to a restricted program, they won't even know it's there.
Section C: Technical Overview
C.1 Introduction
Vital delivers an outsourced, managed networking solution for companies of all sizes. The solution combines the best elements of client server architecture with the best practices and delivery of a managed service provider. Vital provides the complete managed end to end solution from the desktop to the server, whilst presenting the user with an 'industry standard' Microsoft Windows based working environment.
C.2 Audience
This section is designed to give a conceptual and technical review of the intellectual property, features and technologies that have been both developed and combined to deliver the Vital service. This section assumes that the reader has a basic understanding of networking technologies and the out-sourcing business model.
C.3 User experience
Vital provides a stable, scalable platform for future growth and presents a strategic and comprehensive IT strategy that will instil confidence and trust in users, customers and stakeholders. Vital is a secure, scalable and integrated IT solution that delivers a company's entire network and computing needs by outsourcing its IT functions. That company's hardware and software capital expenditure is minimised whilst the security, support, scalability and delivery of infrastructure to employees and customers is of a standard generally only found within International Corporate institutions.
When compiling accounts and reports, companies also benefit from being able to remove excessive technology based capital expenditure and are able to show a large percentage of their IT infrastructure as a tax deductible service on a single line item rather than a list of depreciating hardware and software assets that require a salaried team for support.
The Vital service creates an integrated computing universe in which companies are provided with, as part of the service, full and audited licensing for:
• Microsoft Office Professional
• Enterprise antivirus software (Network Associates AVD)
• Backup and data archiving (Veritas).
The server hardware, licensing and administration associated with the implementation of the Microsoft Exchange messaging platform are totally outsourced. Security is taken care of by enterprise class firewalls with system security updates transparently deployed to users. Data is automatically backed up to a remote secure location and can easily be restored to your desired Vital location. When connected to the service, virus protection is always up to date and effective with no user intervention.
Organisations and their users have access to the messaging and collaborative tools delivered with Microsoft Exchange and Outlook including:
• E-mail
• Calendars
• Tasks and the groupware functionality.
Computers are remotely deployed and software is installed complete with the latest operating systems and applications. Users enjoy a fully managed desktop experience with applications, printers, shared network resources and user settings fully configured, as they log on at any workstation in any 'office' connected to the customer's Vital network.
Users are able to log on and work from any Vital machine on their domain. The user is presented with all of their applications, data and mail. The provided software is always the latest version with deployments and updates taking only minutes (not hours) across all your computers. Granting users access to their data and applications from multiple office locations is a simple and straightforward task. User data and e-mail is easily available from remote locations using either a Web browser or remote access services.
All of this is achieved whilst allowing an organization to greatly reduce much of the initial capital expenditure associated with traditional IT solutions that offer this level of service, application deployment and management. Vital allows a secure and robust technological infrastructure to be commoditized with the ongoing TCO being manageable and predictable due to a monthly per user pricing structure that has no hidden costs.
Vital takes the applications a company already knows and uses, such as Microsoft Word, Excel and Outlook, and makes them simpler to maintain without any loss in functionality or features. Vital can also provide full support for your custom applications and SQL solutions within the Vital framework.
C.4 Connectivity
To access the services of Vital, you need to connect to our secure, central data centre. The data centre handles many services including:
• Automation of your computer and application deployment,
• Backup,
• E-mail/groupware,
• Database connectivity and
• Internet access.
There are a number of different options to connect a company to the Vital data centre and the choice is based on the most effective solution. The company has complete control over Internet access levels. These can range from full unrestricted access through to access to certain selected sites. Every user's system gives them access to Internet Explorer 6 (or the latest suitable version). There is also full support should a customer wish to use non-standard Internet protocols and ports (for example PCAnywhere or ICQ). By channelling all Internet traffic through the Vital datacentre, Vital will be able to offer customers a level of managed firewall security that is in many cases beyond and in advance of its current deployment.
C.5 Connection Method A
Vital utilises a secure Private Circuit DSL connection directly to the Vital data centre. Vital/MBD then becomes the ISP for the customer's users. The customer does not require the capital expenditure of a firewall, its warranties or maintenance, as they are fully protected by the Vital firewalls in operation at the data centres. Figure 1 depicts this.
C.6 Connection Method B
Figure 2 depicts a Virtual Private Network utilising a non-Vital connection but requiring the purchase of a Soho6tc firewall.
C.7 E-mail / Collaborative Working
Vital offers every user full access to many of the features within Exchange Server 2003 and Microsoft Outlook. These features include elements such as company wide 'Public Folders' for company contact lists, and shared calendars. Full access is provided to conferencing, instant messaging and remote access services and all E-mail is fully virus-checked before arrival or departure. Vital fully automates and manages a company's domain name and E-mail routing. Users are able to manage their own E-mail through a simple web-based interface. Vital creates additional E-mail addresses for every new domain purchased. Just like every service within Vital, E-mail and groupware is simple and powerful, allowing you to concentrate on your business and display an infrastructure that builds confidence in those with whom you do business. If your current E-mail client is Outlook, but without an Exchange server, or a similar mail client without the related backup, all the data in each individual mailbox is at risk of data loss. In addition to solving this data backup issue, Microsoft Exchange server will give users groupware functionality such as shared Calendars and Public Folders.
C.8 Backup
Many companies now find that they must specifically request offsite backup. Insurance companies have already started to base policy premiums on metrics that include the safety of a company's critical data, with the refusal to insure due to poor or incoherent backup strategies becoming common.
Vital includes secure offsite backup with up to 500Mb of data (Exchange data and file data) for every user with more capacity available for purchase if required. Backup, the restoration of data and a coherent and resilient back-up strategy (often overlooked), is vital to the ongoing success of any business. Could any organization function correctly after a catastrophic incident, an occurrence of data loss, a malicious intrusion at its premises or a simple case of all persons responsible for back-up having taken annual leave and being un-contactable? In the event of a fire or explosive attack, data that is stored on a company site in fire proof safes may not be accessible for periods in excess of 72 hours as the emergency services create a security cordon around the affected area, effectively rendering a company inoperable. Even having a member of staff remove storage media from site is not without its dangers. In the event of that member of staff being injured, unobtainable or at worst killed in an accident, retrieval of company data is either delayed or made impossible.
If a company is not employing an automated offsite data backup the process can become very time-consuming and may, at times, also lack a coherent policy to which employees rigidly adhere. On site backup routines that rely on human interaction can become erratic, which in turn has security implications for the company and its customers. If there are no Exchange or mail servers on site and all users are using Microsoft Outlook or equivalent with a POP3/SMTP connection to external E-mail, there is a high possibility that personal copies of Outlook store the mail, tasks and calendar data locally on the users' machines in individual .PST files. These mail and data files, in many cases, may not be part of the back-up schedule. Many companies execute their backup policy by implementing tape backup using a 14 or 28 day manual rotation of the tapes giving either 2 or 4 archives of the data. This requires tapes to be changed daily but there is generally no contingency should the drive fail.
Vital makes backup easy to manage. Every night all data on a company's local server that has been amended in the preceding 24 hour period is firstly uploaded to the Vital central data centre using an automated element of the Vital service. Vital then backs up this data onto high-capacity data autoloaders (secure devices within our data centre that are capable of storing Terabytes of data). The tapes are taken off-site to a secure location where they are stored, with the data stored upon them available for restore for a period of up to 28 days. Vital can provide further archives (monthly, quarterly, bi-annually or yearly) as requested by the customer. Customer requested archives beyond the standard provided as part of the service are available upon request and charged according to volume of data stored and the frequency of the archiving. A user's data can generally be restored within 2-4 hours should the requirement arise.
Whilst a server is being rebuilt and the data recovered, users that have Internet access can continue to work with Outlook Web Access and the group working functionality.
C.9 Comparison of standard backup practices against Vital.
A company's staff are not generally expected to be IT specialists and with many other operational tasks at hand, it is very easy to overlook data backup. Any data loss can severely impact on business. Customers with no backup policies are already in a potentially high risk situation.

Standard backup implementation | Data backup under Vital for Users with Windows based O/S
Outlook data files (pst's) held locally and not backed up unless the correct back-up application agents are deployed. | Outlook data held centrally within Exchange, and is not only backed up daily, but can also be partially restored, down to an individual E-mail, thus minimising disruption.
HQ data backed up to tape drive, with multiple tapes. These need to be changed | Data is backed up overnight to a secure remote location, which in turn is backed
Figure imgf000019_0001
C.10 Security, Patches, Updates, Viruses
With the global increase in viruses, and outbreaks of hacking, the need to keep systems up-to-date with security and virus updates has become imperative. Updating systems has either been costly in both time and resources or has not been carried out correctly, therefore leaving companies open to attack. With Vital, manual updates are a thing of the past. All security, virus checker and system updates are deployed automatically to workstations on boot up including the latest service packs. When a new update is released, we fully test it on a test system to check for stability. Once this has been completed it is deployed across all user systems. Vital ensures we get priority notification of any critical updates. In many cases we will have tested and deployed an update before it is available to the general public. This process helps to ensure that your company can continue to work happy in the knowledge that you will not experience the devastating effects of not having applied a critical update or virus patch to servers or workstations. The dramatic global spread of the viruses Blaster, SoBig and Nimda and most recently MyDoom, MyDoomB and the NetSky variants has been squarely attributed to insufficient security patching and virus data updating. Patching a distributed network without the necessary management infrastructure in place is as good as impossible.
C.11 Multiple Sites
Multi-site / multi location companies, with users that roam between locations on the WAN and access the information from external locations, will instantly experience both the cost and user benefits provided by Vital. Vital now makes it possible for companies to connect all of their locations to the system and act as a single entity operating a coherent E-mail address policy, data access and public folders right across the entire organization without the need to invest in the overheads of multi-domain controllers. Staff can logon at any Vital machine, at any site within the company that is connected to the Vital network, safe in the knowledge that their applications and data are available to them. This can be achieved without many of the costs associated with deploying a traditional secure WAN. It is now possible for sites with only minimal staff to fully benefit from the IT systems enjoyed by the rest of the company including custom Outlook forms, applications and processes. There will naturally be restrictions applied to this which are directly controlled by the available bandwidth local to any office.
C.12 Advanced Hot Desk utility
If you need to move between multiple sites or offices Vital makes it simple to roam. You are free to logon at any machine within any of your company's sites that employ the Vital service. When you log on you will get not only all of your data but also all of your third party applications that have been integrated into the Vital service. This means that when travelling to remote sites you can be as productive as when you are in your own office. If your hardware fails, after informing the On-Site point of contact / MBD support desk, you can simply move desks and carry on working until it is rebuilt (about 40 minutes later). Any given user will only have access to their specific applications and data, so if they logon to a machine with access to a restricted program, the user will not even be able to run the application. Should a company have an identified need for the features of the 'Advanced Hot Desk' utility, or as the company expands and opens further offices, this feature allows employees to visit multiple offices and be able to work effectively. Further advantages of this feature are experienced after a workstation failure as a user simply logs on to any other Vital workstation on the customer's network. The advanced management utilities within Vital automatically deliver and install all applications and data that the user has been allocated. This process is greatly speeded up by the use of onsite servers in every location but applications can be transferred between the connected offices on the WAN by using the available connectivity.
C.13 Remote Access
Secure and unrestricted access to your data from any location and at any time is now critical to all businesses. With Vital an end-user is never far from his data. Vital can provide full access to all E-mail/groupware information through a web interface, from a PDA (where compliant E-mail syntax and network services are available), laptop and mobile phone. Laptop users have transparent access to their applications and data when they are away from their office. If they have access to a DSL link they can synchronize this over a secure VPN connection; however, this is automatically synchronized when they return. For users who require real time access to data, a virtual private network can be created from their laptop, home machine or when on-site with another company. This connection will securely connect them to their office just as if they were there. Vital fully configures users' laptops for these services. Vital can also provide home-users with all the information required for self configuration, further minimizing setup and installation costs. Every company is able to fully control which users have access to remote services and detailed activity logs are available if required.
C.14 Operating Systems and Programs
Getting users' hardware and applications working quickly, and ensuring that they continue to work, is the Vital mission. Therefore, once a company has migrated its hardware and software applications to the Vital service, installing their operating systems and applications is a quick and simple process. Vital is designed to run operating systems and applications locally for speed and reliability, giving it a distinctive advantage over alternative terminal service (thin client) based solutions. With Vital a company's core operating system is either Microsoft Windows XP (preferred) or Windows 2000 Professional, both highly secure and stable operating systems. They are automatically deployed by the Vital infrastructure to your system along with the relevant applications. The entire process takes about 40 minutes.
In the unlikely event that a system fails and must be "rebuilt", a company's system is ready to go with no further driver installation, user or domain configuration. The company's applications are installed to its system the first time a user logs on. Every user can be allocated their own combination of software and this software will be available to them whichever computer they logon. The site's allocated 'Power User(s)' can manage the allocation of software within the company through a simple web based interface.
The auditing of managed software licensing is handled for the customer by the Vital service, removing the time and cost elements experienced by an organization when compiling software licence compliance audits for legal compliance and the UK Government backed body - FAST (Federation Against Software Theft) audits. Vital provides a large selection of software already integrated into the system but if the application you require is not available, Vital can integrate it into the service.
By moving to Vital, a customer also migrates (if they have not already undertaken their own implementation) to a Windows 2003 Active Directory infrastructure. Within this managed, secure and accepted industry framework, all users' permissions can be fully locked down and grouped according to requirements. Sensitive data can be kept from prying eyes and network security can be implemented with unique individual user logons and strong passwords.
C.15 Data centre Security
Ensuring that your staff can operate and your data is available and safe are of paramount importance to Vital. The Vital data centre is housed in a secure location. This centre is specifically designed to house mission critical computer hardware and services, and hosts many of the networking technologies of some of the world's largest companies. Some of its many features include:
• Guaranteed power supplies with generator backup
• Fire suppression systems that do not use water or other equipment damaging substances
• Multi level security including visual recognition, CCTV and key card access
• High power air conditioning capable of cooling the location if 33% of the units are off line
• Resistance to bomb and terrorist attack
• 24 hour monitoring of all equipment and services
C.16 Support
Vital provides an integrated support system allowing users to easily help themselves or obtain network support. All users have access to an on-line system giving them the ability to change their passwords and view help and documentation covering all areas of the system. The Vital system incorporates automated workstation and server rebuild in the event of failure. During a workstation rebuild a user can log onto any other Vital machine and access all of their applications, mail and data. This dramatically reduces the need for support engineers to attend site. If there is a problem that the Customer Point of Contact cannot remedy, a simple and straightforward web-based interface is provided to log and manage support calls directly with Vital support staff. If you do not have internet access you can always phone the help desk to log the call.
C.17 Hardware Repairs
In the event of any hardware failure, Vital will administer the manufacturer's or any other 3rd party warranty for you, providing we have been given full warranty details following an asset audit. The process of migration is handled as an implementation project, planned in advance with the customer to minimize downtime, allowing it to benefit from the maximum return on your existing investment while leveraging the benefits of Vital.
C.18 Disaster recovery / Business continuity
Vital is aware of the operational and legal requirements an organization may have placed upon them by their insurers, stakeholders and customers. In the event of a business continuity plan being required Vital allows many of the infrastructure aspects to be easily met. Hard disk and data rebuild for servers can be easily deployed to new locations with temporary hardware being purchased locally should the need demand a full location move. Redundant laptops and relevant hard drives can be built with user data and couriered to location to ensure downtime is minimal. During all of this time all users will be able to log onto a web browser to access their mail, calendar and any data stored in the company public folders.
C.19 DNS Records and Web hosting
Companies that subscribe to the Vital service can also benefit from moving their DNS, MX and Microsoft (ASP) based web sites onto the Vital framework. For a small annual fee per domain, Vital works with a leading domain host to ensure a company's domains and their associated records are:
• Registered
• Correctly hosted
• Forwarded to if required (E-mail and URL)
• Renewal notification is offered in a timely fashion
C.20 Conclusion
Vital develops and scales their infrastructure and provides:
• Secure computing environment.
• Fully outsourced IT operations and support at a fraction of the cost of hiring the correct level of skilled and mobile in house support staff.
• Full Microsoft Office licensing costs with software assurance.
• Scalable, controlled, predictable and cost effective infrastructure growth as a company expands and its staff require IT access from multiple locations.
• Secure offsite backup.
• Managed virus protection across the WAN.
• Centralization of mail.
• Implementation of Exchange 2003.
• Reassurance to customers and clients.
• Compliance.
• Security.
• Reduction of Risk.
• Productivity Gains.
• The ability to seamlessly add further locations and users to the WAN.
Section D: Technical architecture
D.1 Technologies
The core Vital backend engine configures and manages all the independent data providers and technologies required to achieve each area of user functionality. Outlined below is an overview of all technologies and processes used within the core Vital framework.
D.2 Overall design
Vital is a distributed client server network, split between client sites and central datacentres. It is illustrated schematically in Figure 3. Clients connect to the data centre using either a private DSL connection provided by Mailbox Internet or through a VPN connection over the Internet. Connection speeds are between 256Kbs and 100Mbs dependent on client type and location.
All devices on the client site see the router/firewall as their default gateway. All connections to other sites are routed through the datacentre using a hub and spoke network topology. Each site runs a local domain controller (fully managed) and this handles the following services; clients do not have the ability to administrate their site server:
• File and print sharing.
• Local logon authentication.
• Application distribution (through a DFS).
• GPO processing.
• Administration of internal user accounts (passwords, access rights etc).
• DNS.
• DHCP.
• Remote Installation Services (RIS) - for operating systems.
The datacentre then provides the following services:
• Replication of all client site data.
• Backup of all site and data centre data to long term storage.
• Microsoft Exchange 2003 including OWA, OMA and Exchange active sync.
• Central domain controllers and global catalogue servers.
• Deployment of operating system patches and updates.
• Deployment and maintenance of virus checking software.
• High speed Internet access.
• Remote access to files and e-mail.
• Web site hosting.
• Hosting of database applications.
D.3 The core vital engine
The core Vital engine is an N tier, distributed application written in C# on the Microsoft .Net framework. The application framework is shown in Figure 4. The application uses single location storage. Data is only stored within the underlying data provider and is not replicated to another location (for example a database). This allows for the underlying data to be modified either through traditional administration interfaces or APIs without affecting the rest of the application. Approaching the task of data manipulation in this style offers administrators a greater level of flexibility to support changes and user requirements which are not supported through the bespoke administration system. The engine supports authentication at all application levels and is fully transactional (including a complete audit trail). The engine can raise events that trigger an interaction with external data providers or applications, e.g. billing systems, external suppliers.
D.4 Vital Datacentre Server Roles
Servers within the datacentre perform the roles outlined below. By utilising the scale "up" and "out" technologies built into the Microsoft Windows Server System, the datacentre can be scaled to meet growing user requirements and load without affecting operating efficiency, server role or availability to the client. The datacentre(s) are deployed as shown in Figure 5.
D.5 Front end firewalls
• VPN termination - Acts as a VPN termination point for branch office (client connections) and for remote (MUVPN) workers.
• Intrusion detection and firewall - Provides both proxy and stateful packet inspection of all incoming and outgoing traffic.
• Secure server publishing - Publishes internal DMZ servers to the Internet on specific defined ports and protocols (SMTP, HTTP, HTTPS, etc).
• Core routing - Acts as the central hub for all TCP-IP traffic routing between the internal network, branch office (client) VPNs and the Internet.
The elements in the front end firewalls operate as follows:
DMZ servers
• SMTP virus scanning - Acts as a primary receiver for all incoming e-mail; messages are scanned for virus infection before being routed to the relevant servers.
• SMTP routing server - Performs routing and if required modification (address translation, catch all and redirecting) of incoming e-mail after it has been virus cleaned by SMTP scanners.
• Public DNS servers - Hold the public DNS records for all Vital clients' domains; they are configured in a classic primary/secondary configuration.
• Public web server - Web servers to house clients' public web/ftp sites and applications.
Internal (Trusted) Servers
• Domain controllers - Provide core active directory domain services for all datacentre servers and act as the central point for the client's site server replication.
• Front end Exchange servers - Act as termination point for external Exchange server services, OWA, OMA, and RPC over HTTP(S).
• Backend Exchange server - Act as mailbox stores for all Vital clients' mailboxes.
• Client data replication servers - Store a replicated copy of all client site data as part of the two stage backup process.
• Backup media servers - Connected to backup (tape) devices for long term data backup.
• SQL data stores - Provide database services for the core Vital engine and client database applications.
• Vital engine application servers - Run the core Vital engine and administration front ends.
D.6 Active directory
The Active Directory is a native Microsoft Windows Server 2003 directory in a single domain / single forest configuration. The Active Directory is the primary directory service and authentication system used across the Vital system. The Active Directory is customised as explained below to allow each client to only see objects relating to their company and no one else. Each company then appears to exist as an independent entity. The directory is replicated in its entirety to all domain controllers. The directory is configured programmatically as shown in Figure 6.
Permissions on all objects are configured to allow only specific objects access to other objects. During the company creation process the OU structure shown in Figure 7, with its associated permissions, is created.
With the Active Directory acting as the central authentication provider across the Vital network, all other services and applications can function without modification or the requirement for each client having access to other client resources.
D.7 Exchange
Microsoft Exchange is configured to support multiple organizations within a single 'Exchange organisation configuration'. This is performed programmatically using the core Vital engine. During the configuration of a new company (client) within the system the following entries are created:
• Global address lists only accessible by the company.
• Offline address list only accessible by the company.
• User address lists only accessible by the company.
• Recipient policy containing all domains held by the company, only applied to users within the company.
• Root public folder only accessible by the company.
During user creation the user's mailbox is automatically created along with e-mail address and all access permissions required to access the Exchange server and the company's public folders.
D.8 DNS - External
When a new client is added to the system DNS is automatically configured with the following entries for all domains held by the client:
• DNS zone file.
• Host (alias) entries for mail servers.
• Host (alias) entries for web/FTP servers.
• Replication to secondary DNS server.
An internal administration process then carries out the required changes with the current domain holder to update the authoritative DNS servers to point at the Vital external DNS servers.
D.9 DNS - Internal
When a new client is added, entries are created for all of the client's domains in the same manner as on the external DNS servers. Rather than containing external IP addresses, the internal server's IP address is used. This allows internal (client) users to perform name resolution on resources within the DMZ.
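The two DNS views described in D.8 and D.9 have to stay in step: the same names in both, external addresses outside and internal addresses inside. The sketch below is an added example, not part of the patent text or the Vital engine; the host labels (`mail`, `www`, `ftp`), the domains and all addresses are constructed for illustration.

```python
"""Build the external (D.8) and internal (D.9) DNS views for a client and check them."""
import ipaddress

# Explicit RFC 1918 ranges. ipaddress's is_private is not used because it also
# reports the documentation ranges used for the sample external addresses.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Host labels are assumptions: the page says only "mail servers" and "web/FTP servers".
HOST_LABELS = ("mail", "www", "ftp")


def is_internal(addr):
    """True when addr lies in an RFC 1918 private range."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def build_views(domains, external_ips, internal_ips):
    """Return {"external": {fqdn: ip}, "internal": {fqdn: ip}} with the same names in both."""
    views = {"external": {}, "internal": {}}
    for domain in domains:
        for label in HOST_LABELS:
            fqdn = f"{label}.{domain}".lower()
            views["external"][fqdn] = external_ips[label]
            views["internal"][fqdn] = internal_ips[label]
    return views


def check_views(views):
    """Return a list of problems: names missing from one view, or addresses in the wrong view."""
    problems = []
    ext, internal = views["external"], views["internal"]
    for name in sorted(set(ext) ^ set(internal)):
        side = "external" if name in ext else "internal"
        problems.append(f"{name}: present only in the {side} view")
    for name, addr in sorted(ext.items()):
        if is_internal(addr):
            problems.append(f"{name}: external view exposes internal address {addr}")
    for name, addr in sorted(internal.items()):
        if not is_internal(addr):
            problems.append(f"{name}: internal view points at external address {addr}")
    return problems


# Constructed sample: one client holding two domains.
SAMPLE_VIEWS = build_views(
    ["example.co.uk", "example.com"],
    external_ips={"mail": "203.0.113.25", "www": "203.0.113.80", "ftp": "203.0.113.21"},
    internal_ips={"mail": "10.20.0.25", "www": "10.20.0.80", "ftp": "10.20.0.21"},
)

if __name__ == "__main__":
    for problem in check_views(SAMPLE_VIEWS) or ["views are consistent"]:
        print(problem)
```
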
D.10 Websites
The Vital engine automatically creates an FTP and web site for every domain associated with a company on the Vital network. This is created programmatically within IIS 6.0 as follows:
• User accounts are created allowing clients to administer their site.
• A root folder for each site is created.
• The web/FTP site is created within IIS and referenced to the correct location.
• Permissions are set on the root folder.
• Permissions are set on the web/FTP site.
• An additional FTP site is created to allow the client's administrator accounts to control content on the web site.
• All administration accounts are set to be "deactivated" until they are required by the client.
• The associated DNS entries are created on external and internal DNS servers to allow the correct name resolution from both internal and external locations.
Full administration of the web sites, associated accounts and access rights is available through the staff and client administration systems.
Access to SQL server, ODBC compliant data sources, ASP.net and ASP is available if required.
D.11 Site server - Build process
The client site server runs Windows Server 2003 Enterprise Edition. It is deployed and configured automatically using custom written installation scripts utilising the unattended installation features of Windows Server 2003 and the configuration capabilities of the Windows Scripting host. Before the build process begins the Vital administration system automatically generates the required configuration files to complete the process correctly. During the build process the following items are carried out:
• Hard disk partitions are created and formatted.
• The basic installation of Server 2003 is carried out.
  o IP address is set.
  o DNS installed.
  o DHCP installed.
  o Server name set.
• The server authenticates against the network.
• The server joins the domain.
• The server is promoted to be a domain controller.
• RIS is installed and Windows 2000 Pro / XP Pro are added to RIS.
• File system permissions are set.
• The software archive DFS is set up and begins replicating.
• All services are checked.
The entire build process takes about 3 hours with additional time required for the software archive to replicate.
D.12 Site server files and folders
Client site servers may store the information of one or many clients. The administration application automatically sets up the following file structure on the site server:
Data
  <Company alias>
    Profile (shared as - <company alias>_Profile$)
      <Folder for each user>
    User (shared as - <company alias>_User$)
      <Folder for each user>
    Shared (shared as - <company alias>_Shared$)
Profile - Stores the server's copy of the user's roaming profile.
User - Stores a user's personal files and folders.
Shared - Stores company shared files and folders.
Permissions to allow only the relevant users to access each folder are set during the creation process. Users may change the permissions within the shared directory if required.
These folders are automatically presented to the user as the P (personal) and S (shared) drives from their workstations.
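Because one site server may hold several companies and users may change permissions under Shared, the D.12 layout is worth auditing for grants that cross a company or user boundary. The following is an added example, not part of the patent text or the Vital administration application; the principal naming (`<alias>\<user>`, `<alias>\*` for the whole company), the reading of "relevant users" as owner-only for Profile and User folders, and the sample companies are assumptions constructed for illustration.

```python
"""Model the D.12 site-server layout and audit ACL entries for cross-company access."""
from dataclasses import dataclass
from pathlib import PureWindowsPath

DATA_ROOT = "Data"
PER_USER_AREAS = ("Profile", "User")
AREAS = PER_USER_AREAS + ("Shared",)
# Principals not tied to one company (assumed list); any grant to them breaks isolation.
BROAD_PRINCIPALS = {"everyone", "authenticated users", "domain users"}


@dataclass(frozen=True)
class Grant:
    path: PureWindowsPath  # folder the ACL entry applies to
    principal: str         # assumed naming: "<alias>\\<user>" or "<alias>\\*"
    rights: str            # "read" or "modify"


def share_name(alias, area):
    """Hidden share name in the form given on the page: <company alias>_<Area>$."""
    if area not in AREAS:
        raise ValueError(f"unknown area: {area}")
    return f"{alias}_{area}$"


def expected_grants(companies):
    """Grants for a freshly built site server. companies maps alias -> list of user names."""
    grants = []
    for alias, users in companies.items():
        base = PureWindowsPath(DATA_ROOT, alias)
        for user in users:
            for area in PER_USER_AREAS:
                grants.append(Grant(base / area / user, f"{alias}\\{user}", "modify"))
        grants.append(Grant(base / "Shared", f"{alias}\\*", "modify"))
    return grants


def audit(grants):
    """Return (path, principal, reason) for every grant that breaks company or user isolation."""
    known_areas = [a.lower() for a in AREAS]
    findings = []
    for g in grants:
        parts = [p.lower() for p in g.path.parts]
        if len(parts) < 3 or parts[0] != DATA_ROOT.lower() or parts[2] not in known_areas:
            findings.append((str(g.path), g.principal, "outside Data/<alias>/<area> layout"))
            continue
        if g.principal.lower() in BROAD_PRINCIPALS:
            findings.append((str(g.path), g.principal, "broad principal spans companies"))
            continue
        alias, _, user = g.principal.lower().partition("\\")
        if alias != parts[1]:
            findings.append((str(g.path), g.principal, "principal belongs to another company"))
        elif parts[2] != "shared" and len(parts) > 3 and user != parts[3]:
            findings.append((str(g.path), g.principal, "personal folder granted to another user"))
    return findings


# Constructed sample: two companies sharing one site server.
COMPANIES = {"acme": ["alice", "carol"], "globex": ["bob"]}
# Constructed drift of the kind that can follow users editing permissions under Shared.
DRIFT = [
    Grant(PureWindowsPath("Data/acme/Shared/Finance"), "globex\\bob", "read"),
    Grant(PureWindowsPath("Data/globex/Shared"), "Everyone", "read"),
    Grant(PureWindowsPath("Data/acme/User/alice"), "acme\\carol", "modify"),
]

if __name__ == "__main__":
    for alias in COMPANIES:
        print(alias, [share_name(alias, area) for area in AREAS])
    for finding in audit(expected_grants(COMPANIES) + DRIFT):
        print(finding)
```
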
D.13 Admin front end
Vital provides a bespoke custom written web based administration system providing internal staff access to all management and administration features of the system. The front end is specifically designed to allow non technical staff to perform all areas of client acquisition and administration without the need to understand the underlying technology or process.
D.14 User (Client) front end
Users and designated "power" users have access to a custom administration system allowing them to manage personal settings and options. The user's front end shares the same core engine as the Vital administration system and as such provides a similar feature set restricted to a user's individual company.
D.15 Hot Desking
User settings follow users around the network through the use of roaming profiles. These are automatically configured for each user as part of the user creation process. Applications roam with the user through the use of GPOs applied to an OU specifically associated with a single user.
D.16 Workstation Deployment
All computers on the Vital network are deployed using the Microsoft Windows Remote Installation Service (RIS). This is customised to provide a fully automated build process including joining the active directory domain. RIS is configured as follows:
• Dedicated robotic accounts used for the build process.
• RIS directories only accessible from robotic accounts.
• Hardware drivers integrated into the RIS install image.
• Separate RIS image used for each hardware specification to simplify management and compatibility.
• Post build tasks carried out through configuration script - started at the end of the build process.
A RIS server is located on each client's site and is installed as part of the site server build process. Each RIS server is automatically deployed with the correct driver integration to deploy all computer specifications on site.
D.17 Software Deployment
Software may be deployed to either a user or a computer. User allocated software are software applications, for example Microsoft Word or Excel. Computer allocated software are items such as service packs or hardware support utilities, for example scanner support software. This allows programs to roam with users and operating system or hardware updates to be applied to a specific machine. All software is allocated through GPOs; these are deployed from the administration system. The GPO contains either a Windows Installer (MSI) package or a reference to the Vital custom application installer utility. So that all software is available to all users on all sites, a software archive is replicated across the network in the form of a domain level DFS. This DFS is referenced within all GPO entries, allowing the software to be obtained wherever the user/computer logs on.
D.18 Software Integration
Software is integrated in one of 3 ways. If the application is supplied in Windows Installer format it is fully tested in a test environment and any required changes to the setup process are made. It is then moved to the software archive before being allocated within GPOs as required. If the application is supplied using the Install Shield installation routine, a custom written utility (the Vital custom application installer) is used. This allows an Install Shield installer with an associated automation script to be installed as part of a GPO. If the application installer is in another format then it is integrated using the "pre, post" installation method. This is done on an evaluation environment using one of several 3rd party tools.
D.19 Virus protection
Virus protection is provided by the Network Associates Active Virus Defence suite (AVD). This suite of products is used across the entire Vital network. Webshield is deployed on all external SMTP servers and scans all incoming traffic; it automatically updates every hour. Groupshield is deployed on all backend mailbox servers; this monitors the internal information stores and cleans any infected files. Groupshield will rarely find viruses because all points of entry into the message store (external messages, files uploaded from users etc) are protected by virus products. It is updated every hour.
Virus Scan enterprise is deployed on all servers and workstations across the network. On workstations it performs both real time and scheduled scanning of the system. On site servers and the datacentre it performs only scheduled scanning; this is to improve the performance of the site and datacentre servers. E-Policy Orchestrator (EPO) is deployed within the datacentre and manages deployment, reporting and updating of Virus Scan and Groupshield across the Vital network.
D.20 Backup
Backup is a two stage process and involves both data replication and archival to tape media. A custom written tool replicates a client's site server to the datacentre every night during non-business hours. This means the datacentre contains a complete copy of all onsite data. This data is then replicated to tape based media as part of a full datacentre backup. Veritas Backup Exec is used to back up all datacentre information including the replicated site data; this occurs on a nightly basis using high speed tape library units. The replication storage space and tape backup capacity are scaled with client demand.
D.21 Remote Access
MUVPN
Users of managed Vital laptops may gain full VPN access from any location where they can make a connection to the Internet. The Mobile User VPN (MUVPN), provided by Watchguard technologies, is used; the client software and access certificate are automatically configured on the machine for the user during the initial build phase. With the MUVPN connection the user has full access to all network services as if they were connected in the office. Firewall protection is provided by the Zone Alarm personal firewall; this is provided as part of the MUVPN software suite and is automatically configured for the user to allow access to internal network resources when in or away from the office while still providing full protection from other users on the Internet.
DocView (Product name: 'FreeBase')
Docview provides users of Vital with access to their personal and shared company drives from any web browser connected to the Internet. Docview is a bespoke application written in C# on the Microsoft .NET framework, utilising ASP.NET at the presentation layer. Navigation is provided through bespoke written controls. It supports forms-based authentication and themes. Docview supports both Internet Explorer (Windows) and Netscape Navigator (Windows and Mac).
Outlook Web Access (OWA)
OWA 2003 is provided to all users on Vital; this is accessible through both forms-based and challenge-response authentication. HTTP and HTTPS connections are supported.
Exchange Active Sync
Exchange Active Sync is provided for Pocket PC "over the air synchronisation"; this is provided over an HTTPS connection and is accessible from any Internet-connected compliant device.
WAP - Outlook Mobile Access (OMA)
The features of OMA are available to users of compliant devices.
D.22 Software Update Services (SUS)
The Microsoft SUS server is used to deploy updates to client workstations and site servers. The server replicates a list of updates from Microsoft on a daily basis; these are then deployed to workstations overnight. This configuration is handled by a GPO. Users (for example, laptop users) whose machines may not be connected are prompted to install the updates when they are next connected.
D.23 Hardware inventory
The core Vital engine provides hardware inventory for all items distributed across sites. This data is stored within a custom SQL database and provides a flexible schema to support future specifications and hardware types. Warranty, purchase price and supplier details are also stored along with the hardware specifications. The engine provides a range of notification services, for example warranty expiry, to simplify administration and generate sales. Internal staff and clients have access to this information through the admin/client web front end; this allows them to query the data in many ways, aiding in sales, administration and auditing.
D.24 System monitor
System monitor is a bespoke C# application written on the Microsoft .NET framework. It provides a wide range of monitoring services for all datacentre and client site servers. The feedback from the monitoring is provided through an ASP.NET interface. System monitor can generate e-mail alerts for failed states and supports warning thresholds.
D.25 Conclusion
Vital's innovative product offering and backend technology provide a radically different approach to providing high-quality information technology solutions to companies of all sizes. It greatly reduces the capital expenditure and operations costs of its clients while allowing a far higher "client to internal staff ratio" than traditional outsourcing or support models.

Claims

1. A method of providing computing resources to computers, in which a server is connected over a network to multiple client devices being operated by different companies, the method comprising the step of the server running processes that enable the automatic deployment of applications and/or operating systems directly or indirectly to the networked client devices for those client devices to run locally, at least some of the processes being re-useable by the server for any of the client devices.
2. The method of Claim 1 in which the server runs automated, re-useable processes that also enable the automatic management and updating of the applications and operating systems.
3. The method of Claim 1 in which the re-useable processes are flexible so that the client devices do not have to conform to a pre-defined configuration.
4. The method of Claim 1 in which the server provides services requiring low levels of bandwidth for delivery.
5. The method of Claim 4 in which the server provides one or more of the following functions: e-mail server hosting, messaging server hosting, groupware application hosting, managed desktop, virus scanning, patch deployment, spam filtering, remote access, automated off-site back-up, web site hosting, disaster recovery.
6. The method of Claim 1 in which the client devices each provide one or more of the following functions: running local applications and a local operating system; access to the remote server over the network.
7. The method of Claim 1 in which, where the server runs processes that enable the automatic deployment of applications and operating systems indirectly to a networked client device, then those applications and operating systems are stored on a local server on the same physical network as the client device and deployed from that local server to the client device.
8. The method of Claim 7 in which resources for a given client device that require high levels of network bandwidth, including file / print services, network authentication and software deployment, are stored on the local server.
9. The method of Claim 4 in which the server provides a user interface to a management application that enables the configuration and management of the automatic deployment and the functions.
10. The method of Claim 9 in which the user interface enables a manager to initiate the processes without detailed knowledge of their operation.
11. The method of Claim 10 in which the user interface to the management application can be located at one of the client devices.
12. The method of Claim 1 in which roaming is enabled so that a user can use different client devices on the network and gain access to all of the same resources, including files, printers, settings and applications.
13. The method of Claim 1 in which there is provided a single central point of entry for all remote access services, so that users operating different client devices all connect to the same central point of entry to be provided access to their company's resources.
14. The method of Claim 1 in which the client devices are equipped with a web browser and are selected from the group: PCs, PDAs, mobile phones.
PCT/GB2005/002070 2004-05-26 2005-05-26 Method of providing computing resources to computers operated by different companies WO2005116888A2 (en)

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
GB0411746A GB0411746D0 (en) 2004-05-26 2004-05-26 Product and technical overview
GB0411746.1 2004-05-26
US57479704P 2004-05-27 2004-05-27
US60/574,797 2004-05-27

Publications (2)

Publication Number Publication Date
WO2005116888A2 true WO2005116888A2 (en) 2005-12-08
WO2005116888A3 WO2005116888A3 (en) 2006-03-23

Family

ID=35448085

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/GB2005/002070 WO2005116888A2 (en) 2004-05-26 2005-05-26 Method of providing computing resources to computers operated by different companies

Country Status (1)

Country Link
WO (1) WO2005116888A2 (en)

Also Published As

Publication number Publication date
WO2005116888A3 (en) 2006-03-23

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A2

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BW BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE EG ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KM KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NA NG NI NO NZ OM PG PH PL PT RO RU SC SD SE SG SK SL SM SY TJ TM TN TR TT TZ UA UG US UZ VC VN YU ZA ZM ZW

AL Designated countries for regional patents

Kind code of ref document: A2

Designated state(s): BW GH GM KE LS MW MZ NA SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IS IT LT LU MC NL PL PT RO SE SI SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG

121 Ep: the epo has been informed by wipo that ep was designated in this application
NENP Non-entry into the national phase in:

Ref country code: DE

WWW Wipo information: withdrawn in national office

Country of ref document: DE

122 Ep: pct application non-entry in european phase