Is there a best remote access technology?
Many may think that one technology solution is the best over all the others. However, once you dig past the marketing and advertising that promotes one solution over another, we will see that this really isn't the case. The usual answer is "it depends."
"The best" solution is relative to the needs, resources, and other business requirements of each organization. It is similar to the Venn diagram containing three characteristics of good, cheap, and fast. You can only choose two of the three. With RDS, VDI, and VPN there are tradeoffs with each solution.
Many are familiar with the RDS technology in Windows environments. In the old days, what we know as RDS today was called Terminal Services or Terminal Server in legacy versions of Windows Server. Windows Server environments have long made "remote desktops" for users possible. RDS uses the Remote Desktop Protocol (RDP).
With RDS, organizations can effectively give employees access to remote desktops via Remote Desktop Session Hosts (RDSHs). Windows Servers enabled as RDSH servers can provide desktop sessions to simultaneous users.
Organizations can effectively use RDS as a technology to provide remote access to employees working from home. RDS provides many advantages as a remote access technology. These include the following:
- It is easy to deploy.
- It provides a relatively cheap remote access platform, and many enterprises already have a Microsoft agreement.
- It allows user concurrency—you can assign multiple users to the same Windows Server.
- It can provide a great solution to publish applications to users with clients that do not have the processing power to run the application natively.
- It can allow access to Windows desktops and applications from non-Windows devices.
- It keeps data local to the corporate datacenter or cloud environment.
Using RDS and specifically RDSH servers, organizations can also choose to publish applications alongside or instead of full desktops. Publishing applications allows remote users to run an application from the RDSH server without the need to launch a full remote desktop connection. The application displays as a resource end users can run without the need to install anything on their local workstations or mobile devices.
When might organizations not want to use RDS as a solution for providing remote access? A few reasons steer businesses to use another solution to empower users for remote work.
- It can be riddled with security flaws, especially if it is not configured properly, or if an RDSH server with RDP enabled is exposed directly to the internet without a Remote Desktop Gateway server in front of it.
- Resources are shared between remote users, so one user who monopolizes resources will affect the others.
- RDS is based on Windows Server operating systems, so end users who are used to Windows client operating systems will notice differences.
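As an added illustration of the misconfiguration the first bullet warns about (this is not code from the article or from 4sysops), the following PowerShell audit reads the RDP settings of the host it runs on and flags the conditions that leave an RDSH reachable without NLA, without TLS, or without a gateway. The function name and output fields are my own; the registry paths, cmdlets and the `RDS-Gateway` feature name are standard Windows ones.

```powershell
# Added example (not from the article): read-only audit of the RDP settings the
# text warns about. Run in an elevated PowerShell session on the RDSH host.
function Get-RdpExposureReport {
    [CmdletBinding()]
    param()

    $tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $rdpKey = "$tsKey\WinStations\RDP-Tcp"
    $ts  = Get-ItemProperty -Path $tsKey
    $rdp = Get-ItemProperty -Path $rdpKey

    $findings = [System.Collections.Generic.List[string]]::new()

    # fDenyTSConnections = 0 means Remote Desktop is enabled on this host.
    $rdpEnabled = ($ts.fDenyTSConnections -eq 0)

    # UserAuthentication = 1 means Network Level Authentication is required, so a
    # client must authenticate before a session (and its attack surface) is created.
    if ($rdpEnabled -and $rdp.UserAuthentication -ne 1) {
        $findings.Add('NLA is not required (UserAuthentication != 1).')
    }

    # SecurityLayer: 0 = legacy RDP security, 1 = negotiate, 2 = TLS only.
    if ($rdpEnabled -and $rdp.SecurityLayer -ne 2) {
        $findings.Add("Security layer is $($rdp.SecurityLayer); 2 (TLS) is expected.")
    }

    # Built-in 'Remote Desktop' firewall rules. A rule enabled on the Public profile, or
    # whose remote address scope is 'Any', accepts RDP from wherever the interface is
    # reachable: the "RDSH with RDP enabled to the internet" case from the article.
    $rules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound `
        -Enabled True -ErrorAction SilentlyContinue
    foreach ($rule in $rules) {
        $scope = ($rule | Get-NetFirewallAddressFilter).RemoteAddress
        if ("$($rule.Profile)" -match 'Public|Any') {
            $findings.Add("Rule '$($rule.DisplayName)' is enabled on profile $($rule.Profile).")
        }
        if ($scope -contains 'Any') {
            $findings.Add("Rule '$($rule.DisplayName)' accepts RDP from any remote address.")
        }
    }

    # Is the RD Gateway role on this host? (Server SKUs only; the cmdlet is absent on clients.)
    $gateway = $null
    if (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue) {
        $gateway = (Get-WindowsFeature -Name RDS-Gateway).Installed
    }

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        RdpEnabled       = $rdpEnabled
        NlaRequired      = ($rdp.UserAuthentication -eq 1)
        SecurityLayer    = $rdp.SecurityLayer
        RdpPort          = $rdp.PortNumber
        GatewayInstalled = $gateway
        Findings         = $findings
    }
}

Get-RdpExposureReport | Format-List
```

An empty Findings list on a host whose RDP port is only reachable through an RD Gateway is the state the article describes as properly configured; any finding is a condition to review before the host is reachable from outside.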
VDI is another common technology used to give end users remote access to datacenter resources. VDI can present a Windows client desktop from a "pool" of desktop resources, placing users on whichever desktop is available, or it can assign each user a dedicated desktop that they receive every time they log in. Common VDI platforms include Citrix VDI and VMware Horizon View.
VDI is generally more expensive than RDS; however, it tends to be a more powerful solution. Still, the two blur the lines in terms of the desktop experience presented to the end user.
VDI allows organizations to do some really powerful things, such as quickly provisioning workstations on the fly as needed by user demand, managing user data, and providing an easy way to make changes across all end user workstations by means of a "gold image." With modern VDI solutions, you can also present physical workstations to end users.
Similar to RDS, VDI can also publish applications for end users so they can run applications without having to log into a fully provisioned desktop.
VDI generally requires quite a bit more infrastructure than RDS to deliver the performance needed for the backend workstations, especially if "power users" are using them.
What are the advantages of VDI as a remote access technology, and when would organizations choose to use it as a remote access solution?
- VDI provides many security benefits to organizations, such as housing data inside the datacenter and secure methods of connecting from the outside (hardened, secure gateways).
- It allows provisioning desktops on the fly as needed.
- It works really well for power users who need a lot of resources, especially with the advancements in GPU-based processing for end-user computing (EUC).
- It can present end users with the Windows client operating systems they are already familiar with.
- It can allow secure access to end users' physical desktops, so they see the exact same desktops they usually work with.
- It can effectively publish applications for end users to use, much like RDS.
What are some downsides to using VDI technology for remote access? Organizations may decide not to use VDI due to the following:
- VDI is arguably one of the most expensive technologies to use for remote access.
- Organizations may not readily have the infrastructure in place needed to provide a satisfactory user experience with VDI.
- It has a steeper learning curve, so IT admins may not readily be familiar with the technology to administer it properly.
- You cannot provision the technology quickly. It generally requires time to plan the solution appropriately and implement it correctly.
VPN is another type of technology that has been around for quite some time. A VPN establishes a secure, encrypted network tunnel between a client device and the corporate network. Site-to-site VPNs can create a secure tunnel between an entire end-user site and the corporate datacenter. VPNs can quickly establish remote connectivity between the remote worker and the main office.
VPN technology and clients are also built into most modern operating systems today, including Windows clients. This means for the most part, there is nothing to purchase, manage, or install for establishing the VPN connection.
While VPNs provide an affordable, quick, and easy way to establish remote connectivity between clients and the main corporate datacenter, some VPN aspects are not ideal. Since VPNs are simply creating a tunnel back to the corporate datacenter, you can essentially think of them as an imaginary "patch cable" stretched between the office and a home user's device.
From a security perspective, this may be less than optimal. When a client establishes a VPN connection, in most cases it places the client device "on the corporate network." This means the device becomes an endpoint that can potentially introduce malware or other security vulnerabilities into the network.
It is ideal to establish a network security zone for VPN connections that allows scrutinizing and limiting their connectivity. Still, it requires proper configuration and management at the VPN termination point, via a firewall or other device.
Another point of concern with VPN connections is where the data lives. Often, with VPN connections, the data may exist on the client side along with applications loaded locally on the client. This means the data is outside the protective boundaries of the corporate datacenter and at a much higher risk of compromise. Additionally, it is much easier for data to be exfiltrated from on premises to the end user device. This is also a data-leak risk and potential compliance violation waiting to happen.
Organizations may choose to use VPN connections for remote access for the following reasons:
- A VPN is easy to use.
- The software and components are already built into most operating systems, including Windows clients.
- It allows users to use their own devices to work with corporate resources.
A VPN often is not the choice of organizations for remote access for the following reasons:
- Security concerns
- Data and applications can live on client devices outside the corporate datacenter
- It is much easier to leak data
- Compliance regulations
Providing remote access connectivity for remote workers has certainly been a hot topic in 2020. Many organizations have had to make choices based on their current needs for remote workers as well as the resources they have available to make remote access possible.
When looking at RDS vs. VDI vs. VPN, there are many different considerations for organizations to make the right choice for their business. Between these solutions, the "best" solution will most likely be different for each business, weighing the pros and cons and balancing them with their business objectives.
The factors that will certainly come into play will be the ease of configuration, cost, and security. In general, a VPN is the easiest to get remote access working simply and is most likely the cheapest. However, security is not its strong suit, especially for your data.
VDI is the most expensive to configure and requires investment in infrastructure, licensing, and training for admins who will manage the solution. However, it can provide some of the most flexible options of the three, based on end-user needs. RDS falls somewhere in between the other solutions, balancing cost, infrastructure requirements, and ease of configuration.
Nice. I would also include performance and user experience for each solution; with each there are benefits depending on where the application and user data live.
Latency is a challenge for VPN and arguably for RDS, as VDI has more features that help in this area. Citrix and VMware are obvious choices to consider, which do cost more but offer the most secure solutions.
Yes, a very important consideration since something with high data requirements like video or other graphics is a lot different than just a large spreadsheet.
There are significant challenges to quickly rolling out a remote access solution. The quickest, safest, and cheapest solution I've been able to come up with is a live CD/USB that allows a home computer to boot a hardened ThinOS VPN client that uses RDP to get back to a user's physical machine at work. This way, the traffic is over a secure tunnel, the endpoint is vetted and secure, and the employee simply has their computer back in front of them again with all the data still secure in the corporate network where it should be.
This whole category has been my bread & butter for 20+ years. (Huge background as a Citrix engineer). (My apologies if this comes across as rambling – I've written it in little bits and pieces while being frequently interrupted). 🙂
In all of these cases, bandwidth matters. Citrix still has the best performance for the lowest bandwidth. (You can do effective work at 19.2k of bandwidth – you can't do everything effectively, but basic app usage works reasonably well). These days people tend to forget that Citrix wrote the multiuser core that became RDS. RDP connections generally need about 56k of bandwidth to be comfortable, and VMware needs ~150k of bandwidth for Blast, and I think it was around 300k of bandwidth for PCoIP. Now, in these days of multi-megabit service being available almost everywhere, these minimums don't have much impact. For effective 3D rendering solutions, all of the vendors need you to be on the LAN. They use massive amounts of bandwidth and provide effective solutions for things like AutoCAD, 3D imaging, etc.
Latency is usually one of the bigger factors for any of these connections. None of them tolerate latency very well, but again, Citrix ICA/HDX has the best tolerance. ICA/HDX runs well under 150ms latency. RDP runs well under 100ms latency, Blast/PCoIP needs less than 50ms latency. When you start to exceed these numbers, then the session will begin to feel sluggish, and at a high enough latency, the session will become almost unusable.
ICA/HDX offers RC5 encryption "for free" (computationally, anything over a 286 can process this with virtually no overhead). There was a single known hack for RC5 encryption in these circumstances, but no known "in the wild" instances of it being exploited. Citrix created the Citrix Secure Gateway to let everyone use SSL for the connections. When RDS came out, Microsoft created their own gateway, followed by VMware, and the other providers have their SSL/TLS to native protocol gateway. A few years back when Citrix made the move to XenApp/XenDesktop 7.x, they started requiring the use of a Netscaler for the gateway. They went from a free gateway (other than the Windows OS) to a multi-thousand dollar product being required. RDP has had a series of vulnerabilities discovered and exploited internally on networks, since most organizations use RDP on workstations and servers for the convenience factor.
Citrix created numerous OS configuration items to make single user applications work in a multi user environment. After Microsoft bought the multi-user core, they began deprecating some of these items as time goes on. Fortunately, a few years back Microsoft introduced a flag into Visual Studio for terminal server awareness, and most applications these days are compiled to be aware of the multi-user core. (It doesn't mean they were written correctly, but they at least make an attempt).
Also, as the article points out, VDI is the most expensive option in general. With multi-user Windows (RDS, Citrix XenApp/CVAD, VMware RDSH, etc.) you have 1 copy of the OS running per machine with multiple users. Disk I/O is very low (typically 1-2 IOPS per user when idle). With VDI, each user has a dedicated machine (at least for the session) and their own individual copy of the OS running. Effectively, every user has about 2GB of "wasted" RAM running the OS – this is considerable overhead. The storage costs are also typically a lot higher, because in order to run these individual VMs effectively, the storage needs to be as fast as possible. VMware's Instant Clone and Citrix's PVS technologies eliminate quite a bit of this storage overhead. Another huge consideration for VDI is the licensing. Each running VM requires a license for the OS, an RDS CAL for remote access, and whatever licensing is required by the main product. (For example, Citrix has concurrent usage licenses or per-user/per-device licenses). This can get *very* expensive. It's only relatively recently that Microsoft released the multi-user version of Windows 10 to allow people to run VDI in the cloud legally.
From a client device access security point of view, Citrix and RDP are on relatively equal footing. Generally, client device access is open and requires some policies to close it to users. Citrix offers the ability to control the client device access based on whether the connection is internal or is going through the gateway. (I do not know about RDS's capability in this respect). VMware, however, is generally closed out of the box, and you have to configure things to open them to users on their endpoints. VMware has generally lagged behind Microsoft, which has generally lagged behind Citrix, in the ability of the user to access their local devices on their endpoints and the types of devices the user can access.
VPNs are generally very secure, but as the article points out, they are the greatest potential source of data exfiltration. The VPN risks can be managed, and user connections isolated, but the management requirements can become a huge management headache of controlling who can access what data where, etc. VPNs based on SSL/TLS are the easiest to use, since they just use port 443 (by default). The biggest problem using VPNs remotely is on other networks, which may proxy connections or only allow specific ports out, and if the VPN runs on a different port, the connection is blocked. From the administrator point of view, the VPN can be the most difficult to manage. I would disagree on the idea that they are the easiest to use :-). I've used a number of VPNs and most of them require some sort of client software that frequently has conflicts with other applications (including anti-virus). They've gotten much better over the years. The one good thing in this respect – once the software is configured and runs, it tends to be very reliable. The other products are all very reliable, but still less than VPN, and they require more hands-on management in the backend compared to a VPN appliance after it has been set up.
I hope all of this information helps someone.
Amazing that Citrix is still around. I still remember when I first worked with WinFrame, which was based on Windows NT 3.51. It was an amazing technology at the time. When Microsoft announced RDP, all experts said that Citrix was dead. But somehow Citrix was able to stay ahead of Microsoft. This is where Novell failed. It is interesting to note that most experts predicted that Novell would survive.
Really great summary of this entire ecosystem for those of us that weren't in it when it was around! Thank you!
Citrix is still going pretty strong, although they aren't really growing much anymore as far as I know; most of the revenue is license renewals these days. They are still the king of remote access, and there are numerous competitors out there.
VMware is going after that market very aggressively, and have been working on their RDSH apps a lot (equivalent to XenApp).
How can you have this article and not mention Windows Virtual Desktop (WVD)!?
I can't see Joe internal RDS Farm is the cheapest option, especially compared to WVD. With Citrix you not only have all the infrastructure to worry about but the extra licensing too.
On all cases, it would be better to adopt a zero trust model to data access and allow authenticated users to use any device to access their data, just like how people are allowed to access corporate emails on personal smartphones.
I had a big post and lost it.
In short – WVD doesn't necessarily mean a cheaper solution. You have to be licensed for Windows Enterprise or Office 365 in order to use WVD. It is the desktop OS version of RDS, but you will still need some cloud infrastructure to support it generally. Most of it really revolves around the data and applications.
- On-prem apps – VDI or RDS type (Citrix, MS, VMware, whatever)
- Cloud apps – any of the above, or WVD
- Heavy local processing – points much more to VPN
- Massive amounts of data transfer to a server – back to VDI/RDS
And all of this also revolves around budget and need. How you manage and use your cloud computing resources can make it much cheaper, OR a lot more expensive, at any scale. And of course, data security plays into all of it (like if you need HIPAA-compliant storage in the cloud, there is a cost associated).
It is definitely not a straight forward decision – there are a huge amount of variables 🙂
I remember when covid19 hit and a sudden lockdown was imposed in 2020, we used Amazon workspaces for remote workforce. It is not cheap but worked great for us back then.