Due to work-from-home mandates, many businesses are rethinking their IT strategy. One technology is prevailing: delivering desktops and applications from a centralized server platform. Essentially, processing, and with it most security enforcement, moves off the desktop and onto servers that can be centrally managed.
The concept of serving desktops and/or applications from a cloud or data center is commonly referred to as Virtual Desktop Infrastructure, or VDI. It is popular today because it enables a secure work-from-home environment where employees can reach their “workspace” from any Internet-connected device. This helps businesses because they can eliminate desktops altogether and embrace a Bring Your Own Device (BYOD) strategy.
This blog will examine how a Microsoft RDS server, run in a hybrid model alongside Citrix Cloud, can deliver an easy-to-manage and affordable VDI alternative, sometimes referred to as Published Desktops. The topics discussed show how desktop experiences can be delivered from any data center or public cloud to any Internet-connected device.
What is RDP?
RDP stands for Remote Desktop Protocol. It is the protocol behind Microsoft's Remote Desktop Services (RDS, formerly known as Terminal Services), the Windows Server role that lets users connect to a session running on the server. Practically every Windows machine ships an RDP client, and the server side has been available since 1998.
RDP lets remote users see and operate a Windows session from a device that is not in the same location. Think of it as a window onto a session that actually runs on the server: only screen updates, keystrokes and mouse input cross the network. If the server is configured correctly and the required RDS client access licensing is in place, users can reach their virtual workspace from anywhere.
For years, RDP has been an effective tool for providing virtual resources for remote users. For example, a business may use a software solution and wish to share it with specific users across the organization, no matter where they work. RDP can facilitate that. It also has the potential to eliminate a desktop, which we will cover later.
RDP vs VDI
Remote Desktop Services and VDI differ in minor ways, but both share the idea that a server powers the desktop experience. The fundamental difference is that RDS runs a shared Windows Server operating system whose computing resources are divided across all logged-on users. There is no per-user desktop OS license (RDS client access licenses are required instead) and no dedicated desktop “endpoint.” VDI is an actual dedicated desktop environment, one virtual machine per user, powered by a server. It is considered an endpoint and does require a Windows 10 license.
Remote Desktop solutions can introduce security risk because the port they listen on (TCP 3389) is continuously scanned for exposed and vulnerable hosts. It is highly recommended not to expose RDP directly to the Internet; reach it only over a VPN or the LAN (Local Area Network). Other controls to put in place include:
- Enable Network Level Authentication (NLA), so a client must authenticate before the server allocates a session and shows a logon screen
- Restrict which accounts may connect over RDP, and keep administrator accounts out of the remote-logon groups as much as possible
- Enforce a password policy, including account lockout
- Use two-factor authentication wherever the gateway or broker supports it
- Set the RDP security layer to TLS and the encryption level to High
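The checklist above maps onto a handful of concrete settings on a Windows Server session host. The script below is an added example, written for this page and not taken from the original post or from Mindcentric; it audits those settings and, when `$Apply` is set to `$true`, corrects them. Everything host-specific is an assumption: the VPN client subnet 10.8.0.0/24 is a placeholder, and the password-policy and MFA items are only surfaced for review because they are enforced in the domain or at the gateway, not on the host itself.

```powershell
#Requires -RunAsAdministrator
# Added audit/hardening example (not from the original post). Assumes a Windows
# Server RDS session host, PowerShell 5.1+, an elevated session, and that the
# VPN client subnet is 10.8.0.0/24 (hypothetical value; change it to your own).

$VpnSubnet = '10.8.0.0/24'   # assumption: only VPN clients may reach TCP 3389
$Apply     = $false          # $true = fix findings, $false = report only

$rdpTcp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# Desired registry state for the checklist items:
#   UserAuthentication 1 -> Network Level Authentication required
#   SecurityLayer      2 -> TLS only (no legacy RDP security layer)
#   MinEncryptionLevel 3 -> "High" (128-bit); 4 would force FIPS-compliant ciphers
$desired = @{ UserAuthentication = 1; SecurityLayer = 2; MinEncryptionLevel = 3 }

$findings = @()
foreach ($name in $desired.Keys) {
    $cur = (Get-ItemProperty -Path $rdpTcp -Name $name -ErrorAction SilentlyContinue).$name
    if ($cur -ne $desired[$name]) {
        $findings += "RDP-Tcp\$name is '$cur', expected $($desired[$name])"
        if ($Apply) { Set-ItemProperty -Path $rdpTcp -Name $name -Value $desired[$name] -Type DWord }
    }
}

# Who can log on over RDP? Members of Administrators always can through the
# "Allow log on through Remote Desktop Services" right, so flag any admin that
# is also explicitly in Remote Desktop Users and review whether it needs to be.
$admins   = Get-LocalGroupMember -Group 'Administrators'        | Select-Object -ExpandProperty Name
$rdpUsers = Get-LocalGroupMember -Group 'Remote Desktop Users'  | Select-Object -ExpandProperty Name
foreach ($u in $rdpUsers) {
    if ($admins -contains $u) { $findings += "Administrator account '$u' is also in Remote Desktop Users" }
}

# Firewall: the built-in inbound rule should accept connections only from the
# VPN subnet, never from 'Any'. This is the host-level backstop for "no direct
# Internet access"; the perimeter firewall must enforce the same thing.
$rule = Get-NetFirewallRule -DisplayName 'Remote Desktop - User Mode (TCP-In)' -ErrorAction SilentlyContinue
if ($rule) {
    $remote = ($rule | Get-NetFirewallAddressFilter).RemoteAddress
    if ($remote -contains 'Any') {
        $findings += "Inbound 3389 rule allows RemoteAddress 'Any'"
        if ($Apply) { $rule | Set-NetFirewallRule -RemoteAddress $VpnSubnet }
    }
}

# Password policy and two-factor authentication are set in the domain and at
# the gateway/broker, not on this host; show the policy as applied here so
# the reviewer can confirm lockout and minimum length are in force.
$findings += (net accounts | Select-String 'Lockout threshold|Minimum password length')

if ($findings.Count -eq 0) { 'RDP configuration matches the checklist.' } else { $findings }
```

Run it once in report mode, review the output, then rerun with `$Apply = $true`. Changing `SecurityLayer` and `UserAuthentication` affects the next new connection, so test from a VPN client before closing your existing session.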
A Published Desktop is a concept that originated with Citrix and offers an alternative to VDI. Technically, it is not considered Virtual Desktop technology, because the end user's session actually runs on a shared server. The big difference is that there is no dedicated desktop environment or Windows desktop experience. Instead of a Windows 10 Pro experience, the end user gets the Server OS, which looks and operates in a familiar manner. By running Published Desktops, you turn a Windows Server into a multi-user operating system with Windows desktop applications running within the RDS environment.
What is Citrix Cloud?
Citrix is a software vendor that specializes in server, desktop and application virtualization. As the cloud has progressed, Citrix has shifted its offering from an on-premises installation to a cloud-hosted solution. The core component of Citrix Cloud is not really server infrastructure but a management plane plus a cloud gateway for reliable, secure connectivity.
Citrix Gateway, formerly known as NetScaler, lets users connect to their sessions over standard HTTPS: the client authenticates to the gateway on TCP 443 and the gateway proxies the session traffic to the internal servers, so nothing but the gateway itself is exposed to the Internet. Think of it as a more targeted VPN that a non-technical user can start from a basic web application. Once the user has signed in to the gateway, a desktop or application session simply launches on the device.
The management plane of Citrix Cloud gives admins the ability to manage applications and desktops by user group. From an administrator's perspective, this makes managing the end-user experience significantly easier.
Citrix users get the benefit of HDX, Citrix's high-definition display protocol. With the developments in cloud solutions and increased bandwidth availability, delivery of the streamed session has become fluid enough that users will not notice the difference from a local desktop.
Principle of Least Privilege
When virtualizing desktops and applications, you can significantly limit end users' access to everything else. In theory, they can be given just a dashboard of the applications needed solely for their work. The Principle of Least Privilege is the rule that every user, process and service receives only the access required for its job, so that a compromised account or session exposes as little as possible; applied to a cyber security strategy, it outlines where exposure can be reduced by restricting access. Using RDS and Citrix Cloud helps you clearly identify and limit end-user access, because what a user can launch is defined centrally, per group, rather than by whatever happens to be installed on their PC.
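The “dashboard of only the applications needed” described above is what Microsoft RDS calls a RemoteApp collection: the user never receives a full desktop, only the programs published to their group. The script below is an added example, not code from the original post or from Mindcentric, and it uses the Microsoft RemoteDesktop PowerShell module on an RDS deployment rather than Citrix Cloud. All names in it are hypothetical: the broker rdcb01.corp.example, the session hosts rdsh01 and rdsh02, the group CORP\Claims-Processors and the application path C:\Apps\Claims\Claims.exe.

```powershell
# Added least-privilege publishing example (not from the original post).
# Assumptions (all hypothetical names): connection broker rdcb01.corp.example,
# session hosts rdsh01/rdsh02.corp.example, AD group CORP\Claims-Processors,
# and the application installed at the same path on every session host.
Import-Module RemoteDesktop

$Broker  = 'rdcb01.corp.example'
$Hosts   = 'rdsh01.corp.example', 'rdsh02.corp.example'
$Group   = 'CORP\Claims-Processors'
$AppPath = 'C:\Apps\Claims\Claims.exe'

# 1. A session collection that the group, and only the group, may connect to.
#    The broker refuses connections from accounts outside the collection's
#    user group, so membership in the AD group is the single point of control.
New-RDSessionCollection -CollectionName 'Claims' -SessionHost $Hosts `
    -ConnectionBroker $Broker -CollectionDescription 'Claims processing apps'
Set-RDSessionCollectionConfiguration -CollectionName 'Claims' -ConnectionBroker $Broker `
    -UserGroup $Group

# 2. Publish the one application. By default, once a collection contains a
#    RemoteApp the full session desktop is no longer offered for it, so the
#    user's feed in RD Web Access shows this program and nothing else.
#    CommandLineSetting DoNotAllow stops clients from passing their own
#    arguments to the executable.
New-RDRemoteApp -CollectionName 'Claims' -ConnectionBroker $Broker `
    -DisplayName 'Claims Processing' -FilePath $AppPath -Alias 'claims' `
    -UserGroups $Group -CommandLineSetting DoNotAllow

# 3. Verify what was granted and to whom, the record you want for a
#    least-privilege review.
Get-RDSessionCollectionConfiguration -CollectionName 'Claims' -ConnectionBroker $Broker -UserGroup |
    Select-Object CollectionName, UserGroup
Get-RDRemoteApp -CollectionName 'Claims' -ConnectionBroker $Broker |
    Select-Object DisplayName, FilePath, UserGroups, CommandLineSetting
```

Because the session host still runs a full Windows Server underneath, pair this with AppLocker or Windows Defender Application Control on the hosts so that a user who breaks out of the published program (for example through a file-open dialog) cannot launch anything else.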
Embracing a Cloud delivered desktop solution can help reduce costs in many ways. Most of the costs savings come from eliminating endpoints. The following are examples of ways costs are cut:
- Replace PCs with Thin Clients/Cloud Gateways - $100 devices that will last 3+ years
- Centralize software licensing in the data center (no per-user Windows 10 licensing, no antivirus license for each endpoint, etc.)
- Centralize management to the data center, eliminating the need for on-site technicians.
- Reduce security threats and other, end user caused issues.
Of course, the server environment will have to be scaled up, so there will be costs there that offset some of the perceived savings. However, it is a great method of increasing efficiency while reducing costs.
When all users run through a server environment, operations and management are significantly more centralized. When delivering terminal services through a cloud gateway like Citrix Cloud, the need for endpoint protection shrinks along with the endpoints: the thin clients hold no data and run no business applications, so the attack surface moves to the session hosts. That protection does not disappear; admins who run the infrastructure must have security measures and tools in place to monitor and protect those servers, since they now carry every user's session.
Using RDS for the desktop moves control away from individual desktop PCs and into the hands of the admins, who manage it all from their data center or cloud environment. Because this is a shared environment, we can be much more generous with the server specs than we would with dedicated Virtual Desktop Infrastructure, where every user's virtual machine must be sized separately.
Engineers must create a “farm” of application servers, sized to the number of users, to support their users and associated applications. There must also be a server designated as the connection broker, which routes each user to the right application server. A working combination is two domain controllers, two Citrix Cloud Connectors, 2-10 application servers and a broker.
A Virtual Private Network is an absolute must when RDP is reached from outside the network. RDP's own encryption does not make an Internet-exposed listener safe: an exposed port 3389 is scanned constantly and subjected to password guessing, and any flaw in the listener is reachable by anyone. VPNs have also been a source of frustration for end users and administrators, especially with large numbers of workers connecting from home and remote offices. No one wants to deal with dropped connections, timed-out sessions and other nuisances that come with this technology.
The Citrix Cloud Gateway wraps the administration and the ability to connect into a much easier and reliable process. Admins just do their job and end users just launch the app – it is as simple as that.
Instead of using a traditional PC to connect back to a server, it is best to use a purpose-built device that connects automatically and delivers everything the end user needs. Traditionally, thin/zero clients act as a gateway that streams the desktop experience to the end user. These devices, when paired with Citrix, can even pass through USB devices if that is acceptable within your organization.
Mindcentric partners with StratoDesk to deliver gateways built on the Raspberry Pi 4, delivering exceptional performance and ease of use. These machines include the following for under $200:
- USB 3.0
- Enriched CPU/GPU
- 4GB RAM
- 40 Frames per Second
- 4K Resolution
- Dual Monitor (HDMI)
These devices are incredibly easy for the end user. They simply hook one up to their keyboard and monitors and enter their credentials, and they are quickly presented with a high-quality Windows environment with all the apps they require. The core OS that runs the device also has a built-in device manager, so inventory can be tracked and firmware upgrades administered centrally.
Mindcentric is a technology partner that specializes in engineering and managing web-based technologies. Our team has specialized in Server/Infrastructure design and management for 20+ years and consider ourselves elite experts in the space.
As a Citrix partner, we can deliver Virtual Workspaces multiple ways from any Cloud infrastructure. Our clients are security-focused and turn to us to manage their critical infrastructure. One common requirement is the need to lock down desktop access and privilege, while running everything from the Cloud/Data Center.
Although we do work with public cloud infrastructure providers, Mindcentric is also a cloud operator. We have significant data center investments in Switch facilities in Las Vegas and Reno, NV. Citrix complements our services with next-generation cloud services to help deliver the ultimate cloud solution for businesses.