Has Windows 10 VDI Licensing changed yet?
-
@scottalanmiller said in Has Windows 10 VDI Licensing changed yet?:
@Dashrender said in Has Windows 10 VDI Licensing changed yet?:
Would you set up a VPN server on a host at Vultr (or anywhere really), and then set it up so the Vultr instances are only allowed to talk to the IPs from that VPN server?
all things taking place on the same interface on the VPN server?
That's one option. Or just put the VPN service directly on the server in question. Depends on what you want. If you are using VPNs like ZeroTier, you'll never even realize that there is something "to do" as it all "just works" without thinking about it at all. Or maybe you have a VPN aggregator at your office (like OpenVPN) and your RDP clients are just clients of it, no need for a VPN "server" on the VPS side of things at all.
OK yeah ZT could be awesome in this situation.
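
An added example (not part of the original thread): one way to apply the "only allowed to talk to the IPs from that VPN" idea above when the VPN client runs directly on the Windows RDP host. The subnet and address pattern are constructed placeholders for your VPN's range, and the function name `Get-RdpExposure` is hypothetical.

```powershell
# Added example, not from the thread. Run elevated on the Windows RDP host.
# Assumptions (constructed placeholders): the VPN (ZeroTier, OpenVPN, ...) hands
# out addresses in 10.147.17.0/24, and this host already has one of them.
$VpnSubnet         = '10.147.17.0/24'
$VpnAddressPattern = '10.147.17.*'

function Get-RdpExposure {
    # Report each enabled inbound Remote Desktop rule and whether it still
    # accepts connections from any source address.
    # 'Remote Desktop' is the group name on English-language Windows.
    Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
        Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' } |
        ForEach-Object {
            $remote = @(($_ | Get-NetFirewallAddressFilter).RemoteAddress)
            [pscustomobject]@{
                Rule          = $_.DisplayName
                Profile       = $_.Profile
                RemoteAddress = $remote -join ','
                OpenToAny     = ($remote -contains 'Any')
            }
        }
}

# 1. Show the current state before changing anything.
Get-RdpExposure | Format-Table -AutoSize

# 2. Refuse to continue unless this host is actually on the VPN; otherwise
#    scoping the rules would cut off the only working path to the machine.
$onVpn = Get-NetIPAddress -AddressFamily IPv4 |
    Where-Object { $_.IPAddress -like $VpnAddressPattern }
if (-not $onVpn) {
    throw "No local address matches $VpnAddressPattern; bring the VPN up first."
}

# 3. Scope every Remote Desktop rule so only VPN peers can reach TCP/UDP 3389.
Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -RemoteAddress $VpnSubnet

# 4. Verify: no rule should report OpenToAny = True any more.
$stillOpen = Get-RdpExposure | Where-Object OpenToAny
if ($stillOpen) {
    Write-Warning "Rules still open to any source: $($stillOpen.Rule -join ', ')"
} else {
    Write-Output "RDP is reachable only from $VpnSubnet."
}
```

Test an RDP session over the VPN address before closing your existing session, and apply the same source restriction in any provider-side firewall that sits in front of the instance.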
-
@Dashrender said in Has Windows 10 VDI Licensing changed yet?:
At a colo the servers are behind a firewall, there is NO way for them to reach the internet other than through the firewall... the firewall is also a VPN concentrator.
No, at a colo you have servers in a rack. If you add a firewall, and add a VPN to that, and if you make the machines talk through it... those are all configurations that you decided to add and use. All things you can do and commonly do do with someone like Vultr. You have an assumption that "colo means firewall with VPN" and that "cloud host does not", but those are both just your assumptions. You can easily have a colo without a firewall, and you can easily have Vultr with one.
-
@Dashrender said in Has Windows 10 VDI Licensing changed yet?:
@scottalanmiller said in Has Windows 10 VDI Licensing changed yet?:
@Dashrender said in Has Windows 10 VDI Licensing changed yet?:
@scottalanmiller said in Has Windows 10 VDI Licensing changed yet?:
@Dashrender said in Has Windows 10 VDI Licensing changed yet?:
... then moving to colo would possibly allow him to solve this.
How? Same issues exist. Same solutions exist.
How do you put VPS behind a VPN at a system like Vultr? It's a network engineering question I don't know the answer to.
Again, assumptions. Why is a VPN needed? Where did that come from?
You mentioned that most people want to use RDP over VPN, so the need for an RDS gateway is often not needed. This was a solution - not a requirement.
Right but you stated it as if without RDS, VPN was the only option.
-
@Dashrender said in Has Windows 10 VDI Licensing changed yet?:
@scottalanmiller said in Has Windows 10 VDI Licensing changed yet?:
@Dashrender said in Has Windows 10 VDI Licensing changed yet?:
Would you set up a VPN server on a host at Vultr (or anywhere really), and then set it up so the Vultr instances are only allowed to talk to the IPs from that VPN server?
all things taking place on the same interface on the VPN server?
That's one option. Or just put the VPN service directly on the server in question. Depends on what you want. If you are using VPNs like ZeroTier, you'll never even realize that there is something "to do" as it all "just works" without thinking about it at all. Or maybe you have a VPN aggregator at your office (like OpenVPN) and your RDP clients are just clients of it, no need for a VPN "server" on the VPS side of things at all.
I'm completely unfamiliar with the RDP client being a VPN client at the same time.
I'm not sure what to tell you, this is incredibly common. To the point of nearly expectation in many environments. Think about any home user or remote worker that has a Windows desktop that you support from the LAN. That's the same thing, literally. They have a VPN client on their desktop, their desktop is an RDP client. I'm not sure what aspect of VPNs is making this non-obvious so not sure what part to explain.
-
@Dashrender said in Has Windows 10 VDI Licensing changed yet?:
@scottalanmiller said in Has Windows 10 VDI Licensing changed yet?:
@Dashrender said in Has Windows 10 VDI Licensing changed yet?:
Would you set up a VPN server on a host at Vultr (or anywhere really), and then set it up so the Vultr instances are only allowed to talk to the IPs from that VPN server?
all things taking place on the same interface on the VPN server?
That's one option. Or just put the VPN service directly on the server in question. Depends on what you want. If you are using VPNs like ZeroTier, you'll never even realize that there is something "to do" as it all "just works" without thinking about it at all. Or maybe you have a VPN aggregator at your office (like OpenVPN) and your RDP clients are just clients of it, no need for a VPN "server" on the VPS side of things at all.
OK yeah ZT could be awesome in this situation.
But not unique. Pertino actually used this example as their primary use case when first released - for providing simplified remote access. It was so much their focus that they built the RDP over Pertino stuff into their interface.
-
The use of RDP end points with local VPN end points on the same boxes was the standard "go to" remote management scenario for Windows environments in the early 2000s.
-
@scottalanmiller said in Has Windows 10 VDI Licensing changed yet?:
The use of RDP end points with local VPN end points on the same boxes was the standard "go to" remote management scenario for Windows environments in the early 2000s.
Interesting - I just never saw it deployed that way. There was always a VPN concentrator in front of the RDP solution.
I never saw it, so I simply didn't consider it. Good to know. Now to remember it.
-
@Dashrender said in Has Windows 10 VDI Licensing changed yet?:
Interesting - I just never saw it deployed that way. There was always a VPN concentrator in front of the RDP solution.
I never saw it, so I simply didn't consider it. Good to know. Now to remember it.
What was connecting to that VPN concentrator if not other RDP endpoints? The most common thing was for Windows clients to connect to VPNs. Or did you only ever see site to site VPN?
-
@scottalanmiller said in Has Windows 10 VDI Licensing changed yet?:
@Dashrender said in Has Windows 10 VDI Licensing changed yet?:
Interesting - I just never saw it deployed that way. There was always a VPN concentrator in front of the RDP solution.
I never saw it, so I simply didn't consider it. Good to know. Now to remember it.
What was connecting to that VPN concentrator if not other RDP endpoints? The most common thing was for Windows clients to connect to VPNs. Or did you only ever see site to site VPN?
An example setup would be Cisco firewall as VPN concentrator, with Windows RDS (TS) or PCs with RDP behind it.
I've personally never seen a VPN server software deployed directly onto the Windows clients or Windows servers for people to VPN directly into the Windows machines.
Obviously, the use of ZT or Pertino in these cases could/should simplify things.
-
@Dashrender said in Has Windows 10 VDI Licensing changed yet?:
An example setup would be Cisco firewall as VPN concentrator, with Windows RDS (TS) or PCs with RDP behind it.
But what is connecting TO it?
-
@Dashrender said in Has Windows 10 VDI Licensing changed yet?:
I've personally never seen a VPN server software deployed directly onto the Windows clients ....
It's built right into Windows. There isn't even anything to deploy. All Windows, both desktops and servers, have the VPN clients right there. Plus then there are things like Cisco clients, OpenVPN clients, Pertino, ZeroTier, etc. Lots that you can deploy, but several options built in. Even on Windows NT 4 VPN was built into the workstations. It was PPTP so we like to not talk about it, but it was fine at the time.
-
@Dashrender said in Has Windows 10 VDI Licensing changed yet?:
Obviously, the use of ZT or Pertino in these cases could/should simplify things.
A little, perhaps. But VPNs are really pretty simple already. Using other standard VPN approaches would be very easy as well.
-
@scottalanmiller said in Has Windows 10 VDI Licensing changed yet?:
@Dashrender said in Has Windows 10 VDI Licensing changed yet?:
An example setup would be Cisco firewall as VPN concentrator, with Windows RDS (TS) or PCs with RDP behind it.
But what is connecting TO it?
Here is a picture
-
@Dashrender said in Has Windows 10 VDI Licensing changed yet?:
@scottalanmiller said in Has Windows 10 VDI Licensing changed yet?:
@Dashrender said in Has Windows 10 VDI Licensing changed yet?:
An example setup would be Cisco firewall as VPN concentrator, with Windows RDS (TS) or PCs with RDP behind it.
But what is connecting TO it?
Here is a picture
And in that example that "user" is on a Windows PC, right? So that would be an RDP server over VPN. Exactly as I was describing. So you HAVE seen what I've been talking about all the time, I assume.
-
@scottalanmiller said in Has Windows 10 VDI Licensing changed yet?:
@Dashrender said in Has Windows 10 VDI Licensing changed yet?:
@scottalanmiller said in Has Windows 10 VDI Licensing changed yet?:
@Dashrender said in Has Windows 10 VDI Licensing changed yet?:
An example setup would be Cisco firewall as VPN concentrator, with Windows RDS (TS) or PCs with RDP behind it.
But what is connecting TO it?
Here is a picture
And in that example that "user" is on a Windows PC, right? So that would be an RDP server over VPN. Exactly as I was describing. So you HAVE seen what I've been talking about all the time, I assume.
Except in my case 100% of the time, the firewall is its own box, typically it has been a Cisco Firewall/router.
-
@scottalanmiller said in Has Windows 10 VDI Licensing changed yet?:
@Dashrender said in Has Windows 10 VDI Licensing changed yet?:
@bigbear said in Has Windows 10 VDI Licensing changed yet?:
@scottalanmiller said in Has Windows 10 VDI Licensing changed yet?:
@bigbear said in Has Windows 10 VDI Licensing changed yet?:
It's nice that you can replicate everything to the cloud for DR, but man Azure's new GUI sure is a headache compared to the one I was using a couple years back.
Hard to believe that it could get worse. The terrible interfaces and unintuitive system are some of the reasons that I like to avoid it. It is a huge pain to do anything on it compared to the alternatives.
But things like capacity based MS SQL Server are big bonuses of it.
And yeah it is amazingly worse. And I still hate that the RDS Gateways are a requirement. It complicated an otherwise simple installation for a small setup like ours. If we are lucky we MAY have 20 people by end of year and I doubt we add a person or two per year at peak growth.
What makes you require an RDS gateway?
Perhaps instead of on Prem, you should go for Colo. Your own hardware with your own firewalls.
I'm not aware of them ever being required.
I believe I am picking up this assumption from 2012 RDSH, and I only tested it on Azure. I also may be remembering that I was playing with app publishing.
Forwarding the firewall port has worked so far in my testing, and there are SSL security options that I believe negate the need for VPN.
The real story here is the way you can run an RDSH server as a container, move profile data and app profile data into storage blobs and save sandbox changes to app and OS updates back to the container.
Or I am sure in a larger environment using App-V along with container based RDSH servers would be a real win.
-
@Dashrender said in Has Windows 10 VDI Licensing changed yet?:
@scottalanmiller said in Has Windows 10 VDI Licensing changed yet?:
@Dashrender said in Has Windows 10 VDI Licensing changed yet?:
@scottalanmiller said in Has Windows 10 VDI Licensing changed yet?:
@Dashrender said in Has Windows 10 VDI Licensing changed yet?:
An example setup would be Cisco firewall as VPN concentrator, with Windows RDS (TS) or PCs with RDP behind it.
But what is connecting TO it?
Here is a picture
And in that example that "user" is on a Windows PC, right? So that would be an RDP server over VPN. Exactly as I was describing. So you HAVE seen what I've been talking about all the time, I assume.
Except in my case 100% of the time, the firewall is its own box, typically it has been a Cisco Firewall/router.
You mean every PC had a firewall hardware device in front of it? So network to network VPNs?
-
@bigbear said in Has Windows 10 VDI Licensing changed yet?:
Forwarding the firewall port has worked so far in my testing, and there are SSL security options that I believe negate the need for VPN.
SSL is a VPN, we just don't think of it that way.
-
@scottalanmiller said in Has Windows 10 VDI Licensing changed yet?:
@bigbear said in Has Windows 10 VDI Licensing changed yet?:
Forwarding the firewall port has worked so far in my testing, and there are SSL security options that I believe negate the need for VPN.
SSL is a VPN, we just don't think of it that way.
I have been thinking about this but isn't RDP SSL a pre-shared certificate that prefaces auth info transmission? Or are you saying with the right routing table, once connected, you can send/receive packets to the remote network once connected?
-
@bigbear said in Has Windows 10 VDI Licensing changed yet?:
@scottalanmiller said in Has Windows 10 VDI Licensing changed yet?:
@bigbear said in Has Windows 10 VDI Licensing changed yet?:
Forwarding the firewall port has worked so far in my testing, and there are SSL security options that I believe negate the need for VPN.
SSL is a VPN, we just don't think of it that way.
I have been thinking about this but isn't RDP SSL a pre-shared certificate that prefaces auth info transmission? Or are you saying with the right routing table, once connected, you can send/receive packets to the remote network once connected?
Yes, and that's what a VPN is. RDP over SSL is just a highly focused SSL VPN.