Many organizations, such as corporations, hospitals and universities, maintain enterprise computer networks to interconnect workstation computers, printers, storage devices and other network resources. Such networks facilitate users' access to data and application programs stored on the network or on other workstations. Such networks also facilitate communication, such as by electronic mail (e-mail), among workstation users.
Some organizations allow their users to connect remote workstations, such as home computers, to their enterprise networks. Such remote connections facilitate working from home or from some other “off campus” locations. For example, a doctor may have admitting privileges at several hospitals. The doctor may find it convenient to be able to access patient data at all of these hospitals from one or more locations, such as his/her primary clinical office or from a workstation in any of the hospitals.
Information technology (IT) organizations prefer to manage workstations connected to their respective enterprise networks. For example, these organizations typically control which operating system and which version of the operating system executes on each workstation. Managed workstations typically include prescribed anti-virus software. IT policy may also prohibit users from installing unapproved software or hardware on users' workstations to minimize the likelihood of malicious software being installed on the workstations. In general, IT organizations standardize the workstations to facilitate maintaining and upgrading the workstations.
The desire to be able to access an enterprise network from remote locations and the simultaneous desire to tightly manage all workstations connected to the enterprise network pose problems. A virtual private network (VPN) connection can be used to interconnect a remote user with an enterprise network. A VPN connection is a secure computer network connection between two points. The VPN connection is carried over another network, typically a public wide area network (WAN), such as the Internet. Communications between the end points of a VPN connection are typically encrypted, so their contents cannot be ascertained by unauthorized nodes along the WAN. Software at the endpoints operates to establish a network link (independent of the carrying WAN) between the endpoints. Thus, a VPN connection makes the exemplary workstation appear as a node on the enterprise network.
However, connecting a remote user's computer to an enterprise network via a VPN connection poses problems. For example, such a connection can expose the enterprise network to malicious software on the user's computer.
One solution to this problem involves executing a managed virtual machine on a user's remote (host) computer. The virtual machine provides protection against malicious software that might execute on the host computer. A virtual machine is instantiated (created) on a host computer by a virtualization program and a virtual machine image file. However, the virtual machine image file must be provisioned (customized) for each remote user. Creating and distributing such user-specific virtual machine image files is time consuming and expensive.