Is there a best remote access technology?
Many assume that one technology is simply the best of the bunch. Once you dig past the marketing that promotes one solution over another, however, that is rarely the case, as we will see. The usual answer is "it depends."
"The best" solution is relative to the needs, resources, and other business requirements of each organization. It is similar to the Venn diagram containing three characteristics of good, cheap, and fast. You can only choose two of the three. With RDS, VDI, and VPN there are tradeoffs with each solution.
Many are familiar with the RDS technology in Windows environments. In the old days, what we know as RDS today was called Terminal Services or Terminal Server in legacy versions of Windows Server. Windows Server environments have long made "remote desktops" for users possible. RDS uses the Remote Desktop Protocol (RDP).
With RDS, organizations can effectively give employees access to remote desktops via Remote Desktop Session Hosts (RDSHs). Windows Servers enabled as RDSH servers can provide desktop sessions to simultaneous users.
Organizations can effectively use RDS as a technology to provide remote access to employees working from home. RDS provides many advantages as a remote access technology. These include the following:
- It is easy to deploy.
- It provides a relatively cheap remote access platform, and many enterprises already have a Microsoft agreement.
- It allows user concurrency—you can assign multiple users to the same Windows Server.
- It can provide a great solution to publish applications to users with clients that do not have the processing power to run the application natively.
- It can allow access to Windows desktops and applications from non-Windows devices.
- It keeps data local to the corporate datacenter or cloud environment.
Using RDS and specifically RDSH servers, organizations can also choose to publish applications alongside or instead of full desktops. Publishing applications allows remote users to run an application from the RDSH server without the need to launch a full remote desktop connection. The application displays as a resource end users can run without the need to install anything on their local workstations or mobile devices.
When might organizations not want to use RDS as a solution for providing remote access? A few reasons steer businesses to use another solution to empower users for remote work.
- It can expose serious security weaknesses, especially when it is misconfigured or when an RDSH server with RDP enabled is published directly to the internet without a Remote Desktop Gateway server in front of it.
- Resources are shared between remote users, so one user who monopolizes resources will affect the others.
- RDS is based on Windows Server operating systems, which means there will be differences for end users who are used to Windows client operating systems.
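The first downside above, an RDSH server reachable over RDP without a gateway, can be checked from the server itself. The following read-only audit script is an added example and not part of the original article; it assumes the standard Windows registry locations for the RDP listener and the built-in "Remote Desktop" firewall rule group, and it should be run in an elevated PowerShell session on the RDSH server.

```powershell
# Added example: audit an RDSH server for the exposure the article warns about.
# Flags (1) RDP enabled without Network Level Authentication (NLA) and
# (2) enabled inbound RDP firewall rules that accept any remote address,
# which is the usual sign of a host published without an RD Gateway in front.
# Assumes default registry paths and the built-in "Remote Desktop" rule group.

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = Join-Path $tsKey 'WinStations\RDP-Tcp'

# fDenyTSConnections = 0 means Remote Desktop is enabled on this host
$rdpEnabled  = (Get-ItemProperty -Path $tsKey  -Name fDenyTSConnections).fDenyTSConnections -eq 0
# UserAuthentication = 1 means NLA is required before a session is created
$nlaRequired = (Get-ItemProperty -Path $rdpKey -Name UserAuthentication).UserAuthentication -eq 1
$rdpPort     = (Get-ItemProperty -Path $rdpKey -Name PortNumber).PortNumber

# Enabled inbound RDP rules whose remote address scope is unrestricted ("Any")
$openRules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound -Enabled True |
    Where-Object { ($_ | Get-NetFirewallAddressFilter).RemoteAddress -contains 'Any' }

$findings = @()
if ($rdpEnabled -and -not $nlaRequired) {
    $findings += "RDP is enabled on port $rdpPort but NLA is not required (UserAuthentication = 0)."
}
if ($rdpEnabled -and $openRules) {
    $names = ($openRules | Select-Object -ExpandProperty DisplayName) -join ', '
    $findings += "Inbound RDP rules accept connections from any remote address: $names"
}

if ($findings.Count -eq 0) {
    Write-Output 'No RDP exposure findings: RDP is disabled, or NLA is enforced and inbound rules are scoped.'
} else {
    Write-Output 'RDP exposure findings:'
    $findings | ForEach-Object { Write-Output " - $_" }
    Write-Output 'Remediation: require NLA, and scope the inbound rules to the RD Gateway (or internal subnets) instead of Any.'
}
```

The script only reads configuration; the remediation it prints is the one the article implies, placing an RD Gateway in front of the session host and restricting the firewall rule scope to it.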
VDI is another common technology used to give end users remote access to datacenter resources. VDI can present a Windows client desktop from a "pool" of desktops, placing each user on whichever desktop is available, or it can assign each user a dedicated desktop that they receive every time they log in. Common VDI platforms include Citrix VDI and VMware Horizon View.
VDI is generally more expensive than RDS, but it tends to be the more powerful solution. The two do blur together in terms of the desktop experience presented to the end user.
VDI allows organizations to do some really powerful things, such as quickly provisioning workstations on the fly as needed by user demand, managing user data, and providing an easy way to make changes across all end user workstations by means of a "gold image." With modern VDI solutions, you can also present physical workstations to end users.
Similar to RDS, VDI can also publish applications for end users so they can run applications without having to log into a fully provisioned desktop.
VDI generally requires considerably more infrastructure than RDS to deliver the performance the backend workstations need, especially if "power users" are using them.
What are the advantages of VDI as a remote access technology, and when would organizations choose to use it as a remote access solution?
- VDI provides many security benefits to organizations, such as housing data inside the datacenter and secure methods of connecting from the outside (hardened, secure gateways).
- It allows provisioning desktops on the fly as needed.
- It works really well for power users who need a lot of resources, especially with the advancements in GPU-based processing for end-user computing (EUC).
- It can present end users with the Windows client operating systems they are already familiar with.
- It can allow secure access to end users' physical desktops, so they see the exact same desktops they usually work with.
- It can effectively publish applications for end users to use, much like RDS.
What are some downsides to using VDI technology for remote access? Organizations may decide not to use VDI due to the following:
- VDI is arguably one of the most expensive technologies to use for remote access.
- Organizations may not readily have the infrastructure in place needed to provide a satisfactory user experience with VDI.
- It has a steeper learning curve, so IT admins may not readily be familiar with the technology to administer it properly.
- You cannot provision the technology quickly. It generally requires time to plan the solution appropriately and implement it correctly.
VPN is another type of technology that has been around for quite some time. A VPN establishes a secure, encrypted network tunnel between a client device and the corporate network. Site-to-site VPNs can create a secure tunnel between an entire end-user site and the corporate datacenter. VPNs can quickly establish remote connectivity between the remote worker and the main office.
VPN technology and clients are also built into most modern operating systems today, including Windows clients. This means for the most part, there is nothing to purchase, manage, or install for establishing the VPN connection.
While VPNs provide an affordable, quick, and easy way to establish remote connectivity between clients and the main corporate datacenter, some VPN aspects are not ideal. Since VPNs are simply creating a tunnel back to the corporate datacenter, you can essentially think of them as an imaginary "patch cable" stretched between the office and a home user's device.
From a security perspective, this may be less than optimal. When a client establishes a VPN connection, in most cases it places the client device "on the corporate network." This means the device becomes an endpoint that can potentially introduce malware or other security vulnerabilities into the network.
It is ideal to establish a network security zone for VPN connections that allows scrutinizing and limiting their connectivity. Still, it requires proper configuration and management at the VPN termination point, via a firewall or other device.
Another point of concern with VPN connections is where the data lives. Often, with VPN connections, the data may exist on the client side along with applications loaded locally on the client. This means the data is outside the protective boundaries of the corporate datacenter and at a much higher risk of compromise. Additionally, it is much easier for data to be exfiltrated from on premises to the end user device. This is also a data-leak risk and potential compliance violation waiting to happen.
Organizations may choose to use VPN connections for remote access for the following reasons:
- A VPN is easy to use.
- The software and components are already built into most operating systems, including Windows clients.
- It allows users to use their own devices to work with corporate resources.
A VPN often is not the choice of organizations for remote access for the following reasons:
- Security concerns.
- Data and applications can live on client devices outside the corporate datacenter.
- It is much easier to leak data.
- Compliance regulations.
Final thoughts
Providing remote access connectivity for remote workers has certainly been a hot topic in 2020. Many organizations have had to make choices based on their current needs for remote workers as well as the resources they have available to make remote access possible.
When looking at RDS vs. VDI vs. VPN, there are many different considerations for organizations to make the right choice for their business. Between these solutions, the "best" solution will most likely be different for each business, weighing the pros and cons and balancing them with their business objectives.
The factors that will certainly come into play will be the ease of configuration, cost, and security. In general, a VPN is the easiest to get remote access working simply and is most likely the cheapest. However, security is not its strong suit, especially for your data.
VDI is the most expensive to configure and requires investment in infrastructure, licensing, and training for admins who will manage the solution. However, it can provide some of the most flexible options of the three, based on end-user needs. RDS falls somewhere in between the other solutions, balancing cost, infrastructure requirements, and ease of configuration.