Simple Brokered Windows VDI without RDS
-
Microsoft has a simplified VDI management system built on top of their suite of RDS (Remote Desktop Services) technologies. Not only can RDS provide a solid terminal services environment on its own, but it can use this same interface to act as a brokered front end to VDI sessions - but only when used in conjunction with Hyper-V. This can be a major limitation for some environments, especially those that are only using VDI as a portion of the total platform workload. And the use of RDS to broker VDI requires RDS CALs be employed as well, on top of VDI licensing costs, which increases the VDI investment somewhat considerably.
Other options do exist, of course. On the high end of the scale are products like Citrix XenDesktop. In the mid range are products like WorkSpot. And on the lower cost side of the scale are connection brokering systems like the free, open source Apache Guacamole project. And this last product is what we will look at here.
Guacamole is a web based, multi-protocol HTML 5 remote connection client made by the Apache Foundation. It provides a gateway service that can aggregate many connections behind it.
The architecture is relatively simple. The Guacamole Client application handles user authentication and presentation of connections and generally runs on the same server as the Guacamole Server which manages the remote connections to the desktops and servers to which people connect. Guacamole can handle protocols currently such as VNC (common with Linux, BSD and Mac OSX), RDP (common with Windows), SSH (common with all UNIX) and Telnet (not common anywhere, any longer.) These connections are then translated into HTML 5 and all that an end user needs is a web browser on their desktop to access the Guacamole web interface.
Guacamole can be easily configured to present a single resource to a single user, or to present many potential connections. Because Guacamole is not directly tied to VDI, it can be used equally to broker Windows VDI, Linux VDI, physical desktops, RDS and other remote systems. And these different types can be trivially mixed and matched in Guacamole making for a very robust and powerful gateway tool.
Guacamole does use an independent connection and user management pool from most other resources, although it can be configured to pull user data from LDAP, so there is more manual labour involved in setting up and configuring Guacamole compared to some more expensive solutions, such as RDS automated VDI, but this extra configuration effort brings more power and flexibility as well. Being able to present many solutions or options through a single, simple web interface is a very powerful system.
The biggest limitation of Guacamole is probably that it does not have any sort of VDI automation which means that the back end VDI has to be preconfigured in order to work. Many people assume that VDI means that VMs will be automatically created when needed and torn down when not, but this would expect permanent VDI sessions to support the connections. For many SMBs, though, static VDI is perfectly acceptable and will work very well. Guacamole is also ideal for companies where users need access to many different resources or where different people or teams have different access type needs or for companies that are transitioning from physical machines to VDI as both can be presented in the same interface transparently and users can be migrated one by one to the new system as time or funds allow.
Of course, it is very possible to write scripts to automate the addition of resources into Guacamole. One could, with reasonable effort, install a simple script in a VDI system image that would register itself with Guacamole upon startup and deregister itself on shutdown so that resources would auto-populate when available. Guacamole is open and easily extendable if advanced or unique needs exist.
Guacamole is hardly going to be the singular, end all answer to small and medium business VDI access needs, but it does bridge a major gap that SMBs often struggle to cross in providing a broker for remote access consolidation on non-uniform platforms. Few SMBs look to invest heavily in VDI and end user connection automation but this often leaves them either short of capabilities or overpaying for resources they are unable to effectively leverage. Guacamole may easily be exactly the tool that has been missing from your IT shed.
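The register-on-startup, deregister-on-shutdown script mentioned in the post above could be written as follows. This is an added example, not code from the thread or from the Guacamole project. It assumes a database-backed Guacamole whose REST API (the one its own web interface uses) exposes `/api/tokens` and `/api/session/data/<source>/connections` and accepts the session token in a `Guacamole-Token` header; the gateway URL, the state file and the `GUAC_USER` / `GUAC_PASSWORD` variables are placeholders, and the account should be a dedicated one that may only create connections, since its credentials live on every desktop image.

```python
import json, os, sys, urllib.parse, urllib.request

BASE = "https://guac.example.internal/guacamole"  # placeholder gateway URL (assumption)
STATE = "guac-connection-id.txt"                  # hypothetical file remembering our id

def connection_payload(name, hostname, protocol="rdp", port=3389):
    """JSON body describing this desktop as a connection in the ROOT group."""
    if protocol not in ("rdp", "vnc", "ssh", "telnet"):
        raise ValueError(f"unsupported protocol: {protocol}")
    return {"parentIdentifier": "ROOT", "name": name, "protocol": protocol,
            "parameters": {"hostname": hostname, "port": str(port)}, "attributes": {}}

def build_request(method, path, token=None, body=None, form=None):
    """Prepare one API call; the token travels in a header, never in the URL."""
    headers, data = {}, None
    if token:
        headers["Guacamole-Token"] = token
    if body is not None:
        data = json.dumps(body).encode()
        headers["Content-Type"] = "application/json"
    elif form is not None:
        data = urllib.parse.urlencode(form).encode()
    return urllib.request.Request(BASE + path, data=data, headers=headers, method=method)

def call(*args, **kwargs):
    # urllib verifies the gateway's TLS certificate by default; leave that on.
    with urllib.request.urlopen(build_request(*args, **kwargs), timeout=10) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else None

def login(user, password):
    session = call("POST", "/api/tokens", form={"username": user, "password": password})
    return session["authToken"], session["dataSource"]

def register(token, source, payload):
    path = f"/api/session/data/{source}/connections"
    return call("POST", path, token, body=payload)["identifier"]

def deregister(token, source, identifier):
    call("DELETE", f"/api/session/data/{source}/connections/{identifier}", token)

if __name__ == "__main__":  # usage: script.py up NAME HOSTNAME | script.py down
    token, source = login(os.environ["GUAC_USER"], os.environ["GUAC_PASSWORD"])
    if sys.argv[1] == "up":
        with open(STATE, "w") as fh:
            fh.write(register(token, source, connection_payload(sys.argv[2], sys.argv[3])))
    else:
        with open(STATE) as fh:
            deregister(token, source, fh.read().strip())
```

Run it with `up` from a startup task and `down` from a shutdown task; the identifier saved at registration is what the shutdown call deletes.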
-
Can this be used as a Remote Desktop Gateway for standard RDP clients as well?
Does it work from Android / iOS devices?
-
@dafyre said in Simple Brokered Windows VDI without RDS:
Can this be used as a Remote Desktop Gateway for standard RDP clients as well?
Does it work from Android / iOS devices?
Do you need a gateway for the RDP client? I guess you would if you're doing the auto startup/teardown thing, but if static VDIs, then probably not.
-
@dafyre said in Simple Brokered Windows VDI without RDS:
Can this be used as a Remote Desktop Gateway for standard RDP clients as well?
Does it work from Android / iOS devices?
Yes, and.... Yes.
-
@Dashrender said in Simple Brokered Windows VDI without RDS:
@dafyre said in Simple Brokered Windows VDI without RDS:
Can this be used as a Remote Desktop Gateway for standard RDP clients as well?
Does it work from Android / iOS devices?
Do you need a gateway for the RDP client? I guess you would if you're doing the auto startup/teardown thing, but if static VDIs, then probably not.
Guacamole is the gateway in this case if you want it to be.
-
@Dashrender said in Simple Brokered Windows VDI without RDS:
@dafyre said in Simple Brokered Windows VDI without RDS:
Can this be used as a Remote Desktop Gateway for standard RDP clients as well?
Does it work from Android / iOS devices?
Do you need a gateway for the RDP client? I guess you would if you're doing the auto startup/teardown thing, but if static VDIs, then probably not.
My thinking is like the RD Gateway role in Server 2012 R2... If I can set up Guacamole, and use that as my RD Gateway, then that's another Windows Server license that I don't need to use.
-
@dafyre said in Simple Brokered Windows VDI without RDS:
@Dashrender said in Simple Brokered Windows VDI without RDS:
@dafyre said in Simple Brokered Windows VDI without RDS:
Can this be used as a Remote Desktop Gateway for standard RDP clients as well?
Does it work from Android / iOS devices?
Do you need a gateway for the RDP client? I guess you would if you're doing the auto startup/teardown thing, but if static VDIs, then probably not.
My thinking is like the RD Gateway role in Server 2012 R2... If I can set up Guacamole, and use that as my RD Gateway, then that's another Windows Server license that I don't need to use.
Exactly, not only do you not need that Windows license (or that Windows overhead) but it saves on RDS CALs, too. So it's a double savings of licensing in that particular case.
-
I did try an early version of the product, which was good and did work. I did get some freezing with it early on, but it has probably improved now. Link is here: https://guacamole.incubator.apache.org/
-
@scottalanmiller said in Simple Brokered Windows VDI without RDS:
@dafyre said in Simple Brokered Windows VDI without RDS:
@Dashrender said in Simple Brokered Windows VDI without RDS:
@dafyre said in Simple Brokered Windows VDI without RDS:
Can this be used as a Remote Desktop Gateway for standard RDP clients as well?
Does it work from Android / iOS devices?
Do you need a gateway for the RDP client? I guess you would if you're doing the auto startup/teardown thing, but if static VDIs, then probably not.
My thinking is like the RD Gateway role in Server 2012 R2... If I can set up Guacamole, and use that as my RD Gateway, then that's another Windows Server license that I don't need to use.
Exactly, not only do you not need that Windows license (or that Windows overhead) but it saves on RDS CALs, too. So it's a double savings of licensing in that particular case.
The question though... Is can I use the Android Microsoft Remote Desktop App, and use the Guacamole server as my RD Gateway to access a Windows machine?
-
@dafyre said in Simple Brokered Windows VDI without RDS:
@scottalanmiller said in Simple Brokered Windows VDI without RDS:
@dafyre said in Simple Brokered Windows VDI without RDS:
@Dashrender said in Simple Brokered Windows VDI without RDS:
@dafyre said in Simple Brokered Windows VDI without RDS:
Can this be used as a Remote Desktop Gateway for standard RDP clients as well?
Does it work from Android / iOS devices?
Do you need a gateway for the RDP client? I guess you would if you're doing the auto startup/teardown thing, but if static VDIs, then probably not.
My thinking is like the RD Gateway role in Server 2012 R2... If I can set up Guacamole, and use that as my RD Gateway, then that's another Windows Server license that I don't need to use.
Exactly, not only do you not need that Windows license (or that Windows overhead) but it saves on RDS CALs, too. So it's a double savings of licensing in that particular case.
The question though... Is can I use the Android Microsoft Remote Desktop App, and use the Guacamole server as my RD Gateway to access a Windows machine?
No, it's a web interface. Not an RDP proxy.
-
So there is never "accessing with a client." The whole point of Guacamole is that the web application IS the client.
-
Would this be used on a bastion host?
-
@tiagom said in Simple Brokered Windows VDI without RDS:
Would this be used on a bastion host?
Like a jump box? Yes.
-
Very cool, will have to toy around with this.