Does VDI Conquer the Dashrender Challenge?
-
@Dashrender said in Does VDI Conquer the Dashrender Challenge?:
So I have to ask - WTF? why would anyone want that? I mean of course, hundreds of users, etc WAN acceleration - I get those things... But why RDS in front of VDI? What's the gain?
- Because many of the touted benefits of VDI require it. Aggregating bandwidth, added network security, less storage utilization, centralized management, automation, etc. Not the things that matter most, but often pretty nice benefits.
- Because most VDI deployments are "sold" to customers, not "chosen because VDI was needed."
- Because most IT seeks to "purchase" solutions rather than implementing them and no one is "selling" free DIY VDI.
-
@Dashrender said in Does VDI Conquer the Dashrender Challenge?:
@scottalanmiller said in Does VDI Conquer the Dashrender Challenge?:
@Dashrender said in Does VDI Conquer the Dashrender Challenge?:
@scottalanmiller said in Does VDI Conquer the Dashrender Challenge?:
Yeah, I found something from 2009.
So we agree that SA can be added to Full new or OEM licenses within 90 days?
Seems reasonable. So that saves another $160 there.
I'm not sure where that number comes from - it wasn't included any any of my figures. I only included the full license (I didn't show a set of figures where a machine included an OEM license), nor did I ever show a figure that included the VLSC upgrade license.
I know, but yours were ignoring that you don't buy the license separate. You were adding an unneeded full license cost of $300. Which I showed was only $160. That now we learn is $0.
-
@Dashrender said in Does VDI Conquer the Dashrender Challenge?:
I've also heard (I think) something about VDI solutions building and destroying VMs on the fly for users as they connect, to keep resource usage (mainly disk space I guess) down - is that a thing? I could see that being useful - but to the point of needing RDS in front of the VDI host to make it work?
Yes, that is VERY common and most of those solutions do that. Ephemeral VDI.
RDS isn't the only way to do it, you could use Ansible and build your own solution like that. But probably best to just buy a solution that already does it automatically.
-
@Dashrender said in Does VDI Conquer the Dashrender Challenge?:
It seems like the whole VDI thing is mainly a scam to get money for nothing?
Hence why it is sold by sales people and not requested by customers. If a solution was both useful and obvious, then it has no need to be sold. Lack either aspect, and you need sales people for it to happen.
Think about almost anything you buy in IT, you normally pay a lot and get very little. Especially things with lots of buzz around them. "Buzz" is a term for things where you pay a lot for very little, like Apple products.
VDI products are obvious, but rarely useful. Hence, the need for loads of sales people to push them.
-
@Dashrender said in Does VDI Conquer the Dashrender Challenge?:
Question - is it hard to get users to access their VDI assuming it's an always running VM? Do the users need some type of RDS gateway to make it easier to access? or to secure it?
No harder than any desktop. It's so easy, it's amazing that anyone thought that something more would be needed.
Whatever you need for a normal desktop, that's what you need for VDI. Because VDI is just a normal desktop that you can't sit at.
-
@Dashrender said in Does VDI Conquer the Dashrender Challenge?:
We constantly see people saying 'never publish RDP to the internet' - but how much of that is just fud, and the real issue is poor passwords and no lockout policy?
That's FUD. RDP is a fully secured protocol. It is wrapped in SSL, so already inside a VPN tunnel. It is as secure as anything else.
RDP has a tendency to be a high profile target, which is still not a big deal.
The biggest issues with RDP are that...
- Microsoft's implementation of an RDP server lacks common sense security to lock out brute force attacks. Like how fail2ban protects SSH.
- End users of RDP tend to be "Windows users" and that user group is notoriously incapable of doing things properly so tend to use weak passwords that never change on publicly exposed services.
If you treat RDP like you normally treat SSH (smart users, good security) they are equally secure.
-
@scottalanmiller said in Does VDI Conquer the Dashrender Challenge?:
like Apple products.
Upvote for that.
-
NTG runs NX as our VDI protocol. We use Deepin Linux desktops running on a Scale HC3 cluster. Scale storage does a dedupe and compression process so our VDI nodes use almost zero storage as almost every bite of each VM overlaps with the others. They are "always on", though, so using RAM and CPU all of the time.
-
@scottalanmiller said in Does VDI Conquer the Dashrender Challenge?:
NTG runs NX as our VDI protocol. We use Deepin Linux desktops running on a Scale HC3 cluster. Scale storage does a dedupe and compression process so our VDI nodes use almost zero storage as almost every bite of each VM overlaps with the others. They are "always on", though, so using RAM and CPU all of the time.
But what if I want to use my Windows only software? What then Scott, what then?!
-
@DustinB3403 said in Does VDI Conquer the Dashrender Challenge?:
@scottalanmiller said in Does VDI Conquer the Dashrender Challenge?:
NTG runs NX as our VDI protocol. We use Deepin Linux desktops running on a Scale HC3 cluster. Scale storage does a dedupe and compression process so our VDI nodes use almost zero storage as almost every bite of each VM overlaps with the others. They are "always on", though, so using RAM and CPU all of the time.
But what if I want to use my Windows only software? What then Scott, what then?!
What do you mean? We use Windows on that too, just not as often.
-
@scottalanmiller said in Does VDI Conquer the Dashrender Challenge?:
@DustinB3403 said in Does VDI Conquer the Dashrender Challenge?:
@scottalanmiller said in Does VDI Conquer the Dashrender Challenge?:
NTG runs NX as our VDI protocol. We use Deepin Linux desktops running on a Scale HC3 cluster. Scale storage does a dedupe and compression process so our VDI nodes use almost zero storage as almost every bite of each VM overlaps with the others. They are "always on", though, so using RAM and CPU all of the time.
But what if I want to use my Windows only software? What then Scott, what then?!
What do you mean? We use Windows on that too, just not as often.
It was tongue in cheek
-
@scottalanmiller said in Does VDI Conquer the Dashrender Challenge?:
@Dashrender said in Does VDI Conquer the Dashrender Challenge?:
We constantly see people saying 'never publish RDP to the internet' - but how much of that is just fud, and the real issue is poor passwords and no lockout policy?
That's FUD. RDP is a fully secured protocol. It is wrapped in SSL, so already inside a VPN tunnel. It is as secure as anything else.
RDP has a tendency to be a high profile target, which is still not a big deal.
The biggest issues with RDP are that...
- Microsoft's implementation of an RDP server lacks common sense security to lock out brute force attacks. Like how fail2ban protects SSH.
- End users of RDP tend to be "Windows users" and that user group is notoriously incapable of doing things properly so tend to use weak passwords that never change on publicly exposed services.
If you treat RDP like you normally treat SSH (smart users, good security) they are equally secure.
I've held this belief for many years.
-
@Dashrender said in Does VDI Conquer the Dashrender Challenge?:
@scottalanmiller said in Does VDI Conquer the Dashrender Challenge?:
@Dashrender said in Does VDI Conquer the Dashrender Challenge?:
We constantly see people saying 'never publish RDP to the internet' - but how much of that is just fud, and the real issue is poor passwords and no lockout policy?
That's FUD. RDP is a fully secured protocol. It is wrapped in SSL, so already inside a VPN tunnel. It is as secure as anything else.
RDP has a tendency to be a high profile target, which is still not a big deal.
The biggest issues with RDP are that...
- Microsoft's implementation of an RDP server lacks common sense security to lock out brute force attacks. Like how fail2ban protects SSH.
- End users of RDP tend to be "Windows users" and that user group is notoriously incapable of doing things properly so tend to use weak passwords that never change on publicly exposed services.
If you treat RDP like you normally treat SSH (smart users, good security) they are equally secure.
I've head this belief for many years.
What?
-
@scottalanmiller said in Does VDI Conquer the Dashrender Challenge?:
@DustinB3403 said in Does VDI Conquer the Dashrender Challenge?:
@scottalanmiller said in Does VDI Conquer the Dashrender Challenge?:
NTG runs NX as our VDI protocol. We use Deepin Linux desktops running on a Scale HC3 cluster. Scale storage does a dedupe and compression process so our VDI nodes use almost zero storage as almost every bite of each VM overlaps with the others. They are "always on", though, so using RAM and CPU all of the time.
But what if I want to use my Windows only software? What then Scott, what then?!
What do you mean? We use Windows on that too, just not as often.
I'm assuming the Scale would do the same for the storage with Windows... because that's part of the Scale system.
-
@DustinB3403 said in Does VDI Conquer the Dashrender Challenge?:
@Dashrender said in Does VDI Conquer the Dashrender Challenge?:
@scottalanmiller said in Does VDI Conquer the Dashrender Challenge?:
@Dashrender said in Does VDI Conquer the Dashrender Challenge?:
We constantly see people saying 'never publish RDP to the internet' - but how much of that is just fud, and the real issue is poor passwords and no lockout policy?
That's FUD. RDP is a fully secured protocol. It is wrapped in SSL, so already inside a VPN tunnel. It is as secure as anything else.
RDP has a tendency to be a high profile target, which is still not a big deal.
The biggest issues with RDP are that...
- Microsoft's implementation of an RDP server lacks common sense security to lock out brute force attacks. Like how fail2ban protects SSH.
- End users of RDP tend to be "Windows users" and that user group is notoriously incapable of doing things properly so tend to use weak passwords that never change on publicly exposed services.
If you treat RDP like you normally treat SSH (smart users, good security) they are equally secure.
I've head this belief for many years.
What?
poor typing skills -
-
If you do RDP from Linux, and have Linux users, RDP is totally secure.
To address short coming of the Windows products and users, you can get add ons to RDS that add "fail2ban" style functionality, and add a secondary authentication mechanism to make it harder to brute force. But it is all silly that it is needed.
Also, like any protocol, you can lock it at the firewall. Some firewalls will have the needed functionality to increase RDP security.
-
@Dashrender said in Does VDI Conquer the Dashrender Challenge?:
@scottalanmiller said in Does VDI Conquer the Dashrender Challenge?:
@DustinB3403 said in Does VDI Conquer the Dashrender Challenge?:
@scottalanmiller said in Does VDI Conquer the Dashrender Challenge?:
NTG runs NX as our VDI protocol. We use Deepin Linux desktops running on a Scale HC3 cluster. Scale storage does a dedupe and compression process so our VDI nodes use almost zero storage as almost every bite of each VM overlaps with the others. They are "always on", though, so using RAM and CPU all of the time.
But what if I want to use my Windows only software? What then Scott, what then?!
What do you mean? We use Windows on that too, just not as often.
I'm assuming the Scale would do the same for the storage with Windows... because that's part of the Scale system.
Correct
-
@DustinB3403 said in Does VDI Conquer the Dashrender Challenge?:
@Dashrender said in Does VDI Conquer the Dashrender Challenge?:
@scottalanmiller said in Does VDI Conquer the Dashrender Challenge?:
@Dashrender said in Does VDI Conquer the Dashrender Challenge?:
We constantly see people saying 'never publish RDP to the internet' - but how much of that is just fud, and the real issue is poor passwords and no lockout policy?
That's FUD. RDP is a fully secured protocol. It is wrapped in SSL, so already inside a VPN tunnel. It is as secure as anything else.
RDP has a tendency to be a high profile target, which is still not a big deal.
The biggest issues with RDP are that...
- Microsoft's implementation of an RDP server lacks common sense security to lock out brute force attacks. Like how fail2ban protects SSH.
- End users of RDP tend to be "Windows users" and that user group is notoriously incapable of doing things properly so tend to use weak passwords that never change on publicly exposed services.
If you treat RDP like you normally treat SSH (smart users, good security) they are equally secure.
I've head this belief for many years.
What?
That RDP is secure and the concerns around the protocol are FUD.
-
@scottalanmiller said in Does VDI Conquer the Dashrender Challenge?:
If you do RDP from Linux, and have Linux users, RDP is totally secure.
To address short coming of the Windows products and users, you can get add ons to RDS that add "fail2ban" style functionality, and add a secondary authentication mechanism to make it harder to brute force. But it is all silly that it is needed.
Also, like any protocol, you can lock it at the firewall. Some firewalls will have the needed functionality to increase RDP security.
How would a firewall increase RDP security? by doing the lockout at the firewall?
-
@Dashrender said in Does VDI Conquer the Dashrender Challenge?:
@scottalanmiller said in Does VDI Conquer the Dashrender Challenge?:
If you do RDP from Linux, and have Linux users, RDP is totally secure.
To address short coming of the Windows products and users, you can get add ons to RDS that add "fail2ban" style functionality, and add a secondary authentication mechanism to make it harder to brute force. But it is all silly that it is needed.
Also, like any protocol, you can lock it at the firewall. Some firewalls will have the needed functionality to increase RDP security.
How would a firewall increase RDP security? by doing the lockout at the firewall?
Right
