Windows Server 8: Remote Desktop Services with RemoteFX, more than a word!
DESCRIPTION
More info on http://www.techdays.be
TRANSCRIPT
Windows Server 8 Remote Desktop Services with RemoteFX, more than a word!
Tom Decaluwé, Infrastructure – IT Manager
Macintosh Retail Group
Contact me: [email protected] | http://trycatch.be/blogs/decaluwet
What are we going to cover
- Brief history
- Install experience
- RemoteFX
- End-user application
- Wrap-up
What we have today in our lab: Demonet.local
Servers: TS_WIN8_DC, TS_WIN8_BR_LC, TS_WIN8_GW_AP, TS_WIN8_SH
Addresses: 10.10.10.40/24, 10.10.10.30/24, 10.10.10.50/24, 10.10.10.20/24, 10.10.10.5/24
Brief history
Citrix MultiWin Technology
The history (RDP versions):
- V4.0 - 1998
- V5.0 - 2000
- V5.1 - 2001
- V5.2 - 2003
- V6.0 - 2007
- V6.1 - 2008
- V7.0 - 2009
- V7.1 - 2010 (R2 SP1)
- V8.0 - 2012
Features added along the way:
- TS is part of the core OS
- Added 24-bit color
- Console
- Session directory
- Local resource mapping
- Transport Layer Security (TLS)
- Support for WPF
- Network Level Authentication
- Multi-monitor
- New console connect
- Seamless windows
- Easy print
- RDP gateway
- Media player redirect
- Bi-directional audio
- Better multi monitor support
- Aero glass support
- Bitmap acceleration
- Language bar docking
- RemoteFX Media edition
- RemoteFX
- Push to the Cloud
Three historical security issues
- RDP sessions are susceptible to in-memory credential harvesting that can be used for pass-the-hash attacks
- RDP was vulnerable to a man-in-the-middle attack. Solved in Win2003 SP1 with TLS and later with NLA
- RDP sessions are susceptible to brute force password attacks
References:
- http://blogs.msdn.com/b/rds/archive/2008/07/21/configuring-terminal-servers-for-server-authentication-to-prevent-man-in-the-middle-attacks.aspx
- http://www.sans.org/reading_room/whitepapers/testing/pass-the-hash-attacks-tools-mitigation_33283
- http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm%3aWin32%2fMorto.A
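As an added example (not part of the deck), a PowerShell audit a defender can run on a session host: it reads the documented RDP-Tcp listener values that address the man-in-the-middle issue above (TLS security layer, NLA, encryption level) and counts failed RDP logons per source address from Security event 4625 to surface brute-force attempts. The threshold, time window and logon types are assumptions to tune per environment.

```powershell
# Added example (not from the deck): audit the RDP listener on a session host and
# count failed RDP logons per source address. Run from an elevated prompt.
$listener = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

function Get-RdpListenerAudit {
    $p = Get-ItemProperty -Path $listener
    # SecurityLayer: 0 = RDP security layer, 1 = Negotiate, 2 = TLS only
    # UserAuthentication: 1 = Network Level Authentication required
    # MinEncryptionLevel: 1 = Low, 2 = Client compatible, 3 = High, 4 = FIPS
    [pscustomobject]@{
        SecurityLayer      = $p.SecurityLayer
        TlsOnly            = ($p.SecurityLayer -eq 2)
        NlaRequired        = ($p.UserAuthentication -eq 1)
        MinEncryptionLevel = $p.MinEncryptionLevel
        HighEncryption     = ($p.MinEncryptionLevel -ge 3)
    }
}

function Get-FailedRdpLogons {
    param([int]$Hours = 24, [int]$Threshold = 10, [string[]]$LogonTypes = @('10'))
    # Event 4625 = an account failed to log on. Logon type 10 = RemoteInteractive (RDP).
    # With NLA enabled the credential check fails before a session exists, so those
    # attempts may be logged as logon type 3 instead; pass -LogonTypes 10,3 to include them.
    $since = (Get-Date).AddHours(-$Hours)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
        -ErrorAction SilentlyContinue
    $rows = foreach ($e in $events) {
        $d = @{}
        foreach ($n in ([xml]$e.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($LogonTypes -contains $d['LogonType']) {
            [pscustomobject]@{ Source = $d['IpAddress']; User = $d['TargetUserName'] }
        }
    }
    # Sources at or above the threshold are candidates for blocking or lockout review
    $rows | Group-Object Source | Where-Object { $_.Count -ge $Threshold } |
        Select-Object @{ n = 'Source'; e = { $_.Name } }, Count,
                      @{ n = 'Users'; e = { ($_.Group.User | Sort-Object -Unique) -join ',' } } |
        Sort-Object Count -Descending
}

Get-RdpListenerAudit | Format-List
Get-FailedRdpLogons -Hours 24 -Threshold 10 | Format-Table -AutoSize
```

A listener reporting TlsOnly and NlaRequired as False is still exposed to the downgrade and pre-authentication issues the slide describes; many distinct users from one source in the second table is the usual brute-force signature.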
Will we need TS in a modern hybrid world?
You as a consumer
• Legacy applications
• Desktop consolidation (VDI / Session Host)
• Remote access
• Business continuity
• Quick adoption
• …
You as a provider
• Rich cloud apps
• Ease of deploy and scale
• Security
• …
Not for remote management => Server Manager
Remote access connectivity model (diagram: TRUST plotted across endpoints, technology and data)
Endpoints (who, where, device):
- Managed clients (Windows 7)
- Windows, MAC, Linux
- Slates and tablets, smartphones, etc.
Technology:
- Direct access
- SSL / VPN gateway (TMG/UAG)
- RDGW (Remote Desktop)
- HTTP(s) / APP publish (TMG)
Data (sensitivity):
- HIGH: confidential Business Intelligence (payroll, Finance)
- MEDIUM: medium level line of business
- LOW: low level line of business, email / files read only
Trust is a combination of Identity + Device and Health + Location
Identity: how sure are you that the person telling you who they are is actually who they are? + RBAC model
Increase by: complex password, call and enable, multi account, multi factor auth, ....
+ Device and Health: what device is being used and how sure are we of the health of the user?
Increase by: health inspection, device jump, ...
+ Location: how confident are we about the physical and logical location?
Increase by: changing physical location, logical network
The 6 roles in a Remote Desktop setup
What we have:
- RD Web and App
- RD Gateway
- Connection Broker
- RD Licensing
- RD Session Host
- RD VDI Host
4 positions of your TS gateway
1. RDG in the DMZ, with Active Directory
2. No DMZ. RDG in the LAN
3. Reverse Proxy (TMG / UAG) in the DMZ. RDG in the LAN
4. RDG in the DMZ. No Active Directory => dual auth. required
2 positions for your RD session hosts
- Client/isolated VLAN
- Server VLAN
Installation Experience
Do it all from one system / one console: Server Manager
“One stop shop”: scenario based install, role based install
Demo: add servers to Server Manager + PowerShell, …
Role based deployment
You are installing from a technical viewpoint
”A function or position on a server per server basis”
Demo: role based deploy of a Session Host
Scenario based deployment
You are installing with the eye to reach a specific goal
“A model of an expected sequence of events on all servers in one wizard”
Scenario based deployment
Currently supported roles
• Remote Desktop Session Host
• Remote Desktop Web Access
• Remote Desktop Connection Broker
* Can be added after initial install:
• Remote Desktop Gateway
• Remote Desktop Virtualization Host
• Remote Desktop Licensing Server
Demo: scenario based deploy of Broker and App host
Overview based install
What we don’t need (today):
- VDI host
What we need:
- RD Gateway
- RD Licensing
What we have:
- RD Web and App
- Session Broker
- Session Host
Demo: overview based install of the Gateway and Licensing role + check default RDGW CAP and RAP
RemoteFX
Key focus points
- Fast and fluid graphics: Windows Metro style user interface
- Wide range of network conditions: mobile devices, WAN
- New client devices & form factors: touch, slates
What’s new in Remote Desktop Win8
- Broad range of clients supported
- RemoteFX for WAN
- RemoteFX Adaptive Graphics
- RemoteFX Media Remoting
- RemoteFX Multi Touch
- RemoteFX USB Redirection
- Metro style Remote Desktop app
- Choice of software or physical GPU, vGPU for VM
- Available for sessions, VMs and physical machines
Desktop remoting experience: new experience, no more tradeoffs
RemoteFX
RemoteFX Network
RemoteFX adaptive system vs auto-tuning
Network issues:
- Latency: end to end delay/ping (e.g. 100 ms)
- Packet loss: burst or random
- Limited bandwidth: e.g. <2 Mbps vs 100 Mbps for LAN
TCP => UDP (good for packet loss and latency)
RemoteFX for WAN – Multi transport (old) (diagram)
- RemoteFX Adaptive Graphics
- Dynamic Virtual Channel Management, network autodetect
- Virtual channels: RemoteFX Graphics Dynamic Virtual Channel, RemoteFX Media Remoting, RemoteFX Audio, plugins (audio, video encode, input control devices)
- RemoteFX TCP Transport
- NETWORK (TCP packets)
RemoteFX for WAN – Multi transport (new) (diagram)
- RemoteFX Adaptive Graphics
- Dynamic Virtual Channel Management, network autodetect
- Virtual channels: RemoteFX Graphics Dynamic Virtual Channel, RemoteFX Media Remoting, RemoteFX Audio, plugins (audio, video encode, input control devices)
- RemoteFX TCP Transport + RemoteFX UDP Transport
- NETWORK (TCP & UDP packets)
Demo: sniff a Win8 normal RDP session (TCP 3389, UDP 3389)
RemoteFX Engine
RemoteFX Graphics Architecture Overview (diagram)
- Windows Metro style UI and applications (HTML, XAML, Native, etc.)
- Apps and Desktop
- RemoteFX Adaptive Graphics
- RemoteFX Intelligent Caching
- RemoteFX Progressive Rendering
- RemoteFX Optimized Text Codecs
- RemoteFX Calista Codec
- RemoteFX Media Remoting
- RemoteFX Protocol Encoding
- RemoteFX for WAN Transports
RIGHT TYPE OF CODEC FOR EACH TYPE OF CONTENT
- RemoteFX Progressive Rendering
- RemoteFX Optimized Text codecs
• Text is sent as text and always sharp => think of pinch zoom blurring
RemoteFX Adaptive Graphics
- Image content
- Text content
- Video/animations
Remote Desktop Server and network side
TS Web
New features – Remote Desktop Web Access: you can now create folders in the webpage to group apps
Demo: TS Web Access + folder creation / port change
Remote Desktop Server and network side
TS Gateway
New features – Remote Desktop Gateway:
- Publish on non-standard port (requires RDP 8.0 client)
- Add UDP support (UDP 3391)
Demo: connect to TS direct / via GW, sniff the traffic
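The sniffing demo above shows that RDP 8.0 adds UDP listeners (3389 on the session host, 3391 on the gateway) beside the familiar TCP ports. As an added example, not from the deck, this PowerShell function compares the ports those transports use with what is actually listening and which enabled inbound firewall rules allow them; the gateway HTTPS port is a parameter (default 443) because the gateway can be published on a non-standard port. It assumes the NetSecurity and NetTCPIP modules available from Windows 8 / Server 2012 onward.

```powershell
# Added example (not from the deck): inventory RDS transport ports against listeners
# and enabled inbound firewall allow rules. Run on the session host or gateway.
function Get-RdsPortExposure {
    param([int]$GatewayHttpsPort = 443)   # assumption: gateway may be published elsewhere
    $expected = @(
        [pscustomobject]@{ Port = 3389;              Protocol = 'TCP'; Role = 'Session host: RDP' },
        [pscustomobject]@{ Port = 3389;              Protocol = 'UDP'; Role = 'Session host: RemoteFX UDP transport' },
        [pscustomobject]@{ Port = $GatewayHttpsPort; Protocol = 'TCP'; Role = 'RD Gateway: HTTPS' },
        [pscustomobject]@{ Port = 3391;              Protocol = 'UDP'; Role = 'RD Gateway: UDP transport' }
    )
    $tcpListen = Get-NetTCPConnection -State Listen | Select-Object -ExpandProperty LocalPort -Unique
    $udpListen = Get-NetUDPEndpoint | Select-Object -ExpandProperty LocalPort -Unique
    # Resolve each enabled inbound allow rule to its port filter once
    $rules = foreach ($r in Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow) {
        $f = $r | Get-NetFirewallPortFilter
        [pscustomobject]@{ Name = $r.DisplayName; Protocol = $f.Protocol; LocalPort = @($f.LocalPort) }
    }
    foreach ($e in $expected) {
        $listening = if ($e.Protocol -eq 'TCP') { $tcpListen -contains $e.Port } else { $udpListen -contains $e.Port }
        # Limitation: port ranges such as "3000-4000" in a rule are not expanded here
        $allowedBy = @($rules | Where-Object {
            $_.Protocol -eq $e.Protocol -and
            ($_.LocalPort -contains "$($e.Port)" -or $_.LocalPort -contains 'Any')
        } | Select-Object -ExpandProperty Name)
        [pscustomobject]@{
            Role             = $e.Role
            Port             = "$($e.Protocol)/$($e.Port)"
            Listening        = $listening
            AllowedBy        = ($allowedBy -join '; ')
            OpenNotListening = (-not $listening -and $allowedBy.Count -gt 0)  # rule open, no service
            ListeningNoRule  = ($listening -and $allowedBy.Count -eq 0)       # service up, firewall blocks
        }
    }
}

Get-RdsPortExposure | Format-Table -AutoSize
```

A session host that has the UDP transport enabled but no matching rule will silently fall back to TCP only, which is exactly the difference the sniffing demo makes visible.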
End-user application
Two flavors: classic mstsc.exe and the Metro style RDP client
Both support RDP 8.0
Classic MSTSC
- Detects connection quality automatically
- Authenticated using LiveID
- Now supports RDP 8.0
- Remote actions: App bar, Charms, Snap
Demo: logon to session host through MSTSC.EXE
Metro style RDP
- Touch remoting
- Touch friendly UI
- Integrated with app publishing
Metro style RDP > swipe from the right
- App specific settings
- System settings
Metro style RDP > swipe from the right
- Auto tuning WAN
- Auto tuning CPU
- Auto codec selection
- Auto selection adaptive graphics
Metro style RDP > Subscription
- RDP Autodiscover
Metro style RDP > System access
- Open sessions bar
Demo: Metro app
Wrap up
1. Brief history
2. Installation experience
3. Remote Desktop Server and network side
4. End-user application
Want more:
- MVP Freek Berson: http://microsoftplatform.blogspot.com
- Remote Desktop team blog: http://blogs.msdn.com/b/rds/
© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.