    • RE: VDI Options - Modernization

      @jimmy9008 said in VDI Options - Modernization:

      Sure, if the project was 'get rid of VD' - but it's not.

      Why not change the project to "do whatever is best" instead of "deploy what we say"? Maybe you can, maybe you can't. We don't know. It sounds like you are being told to blindly deploy something without evaluating any needs. Do they realize that they are forcing you into that? Maybe they do, then maybe you shouldn't push back. Or maybe they have no idea that they are suggesting something that is considered legacy and a stop gap for companies trying to get to modernization and would really appreciate your insight on how to modernize and your evaluation of it that is or isn't valuable in this case.

      If the company is a real business, why not go to the powers that be and ask "Have we evaluated the value in modernizing rather than throwing money at bandaiding legacy solutions? Maybe there's a better way, we should run the numbers and see." It's a chance to shine, a chance for IT to prove it can provide value, that it is doing its job. If they shoot you down, that's fine, you did your due diligence. That someone dictated a VDI project, but then assigned you to find VDI options, guarantees that they didn't do their IT diligence at all... because in order to make that VDI decision, they would have to have known the options in order to have evaluated it in the first place. So we can guarantee that something is amiss. We totally understand if you feel politically that your organization is vindictive and would punish you for attempting to do a good job and expose upper managers as just spending money to try to not have to do proper evaluations or just looking the other way as money is spent because it's the easy thing to do, but if so, just say so, there's no reason to feel like it is something personal.

      Don't go after it assuming that legacy is bad and modern is good, that's the wrong attitude. Lead white paint still looks the best. Fountain pens are still a joy to write with. Reading paper books is still easy for your brain to retain information (and easy to read under a tree in the park.) Legacy is not wrong by definition, modern is not right by definition. But it's highly useful to know where you sit when evaluating, but to always evaluate.

      posted in IT Discussion
      scottalanmiller
    • RE: VDI Options - Modernization

      @jimmy9008 said in VDI Options - Modernization:

      @jimmy9008

      Just had a very quick look at Azure Virtual Desktop and the calculator for 3 years up-front shows around 1.5m usd. We're looking upper limit of 1m usd, which would cover us for the next 5-7 years, making Azure look expensive.

      Azure is generally the most expensive solution you can imagine for anything. Azure has a brand name that is worth a fortune regardless of what they do under the hood, so MS will always capitalize on that. If you want to consider price (as you should), you can generally just rule Azure out. Once in a while they will come in with similar prices to other solutions, but never cheaper (that I've seen) and often like this, wildly more expensive.

      Cloud, in general, is a price premium solution. If you haven't already totally modernized your network, cloud should mostly be off of the table. Moving legacy apps and designs to cloud is the worst of all worlds. If you need like a single VDI instance and have no office, sure, Azure will kick butt. But at any scale, building your own and even putting it in colocation will be far, far better.

      posted in IT Discussion
      scottalanmiller
    • RE: VDI Options - Modernization

      @travisdh1 said in VDI Options - Modernization:

      @jimmy9008 said in VDI Options - Modernization:

      @travisdh1 said in VDI Options - Modernization:

      @jimmy9008 said in VDI Options - Modernization:

      @scottalanmiller

      I get what y'all are saying but that's just not how it is here. My options are replace what is there with new, or keep what is there and let it grow older.

      I'll keep looking at options on my own, but thanks folks.

      If you just want to buy a solution without doing your homework to figure out what's right for the business, just get new servers and keep paying the crazy license fees for VMWare/Citrix (I'm assuming you've got the HA VMWare license.)

      Without knowing what apps are running in the VDI, all we can do is generalize.

      Are you stuck with VMWare and/or Citrix because of management? Big cost savings in moving away from those, even if you keep paying for support IE: Scale or Starwind

      More details would be needed to make any solid recommendations.

      I am more than capable of being able to appraise solutions to meet our business needs. My question was asking for a list of solutions "What would you suggest we look at?", not to be told to not look at VDI as it's wrong. I'll decide that. I was hoping the community could point me to solutions, vendors, resources which you have used and had experience of. I see the people on here as experienced so wanted to ask here, I should have just looked at g2.

      Well, I think @scottalanmiller already explained much better than I ever could that VDI Modernization is a contradiction in terms. If you're stuck using VDI, then you by definition are not modernizing.

      As to different platforms to run it on, that's why I suggested Scale or Starwind to run the Citrix solution.

      We have a small amount of legacy VDI and we do it on Scale. It's not at scale, just on Scale. For our small scale this works really well.

      One MAJOR question is reliability. Scale you pay extra for high reliability. VDI often doesn't need that level of reliability. So that can be a huge decision factor (And one of the reasons we HAVE to know what the use of the VDI is to understand what approaches even make sense.) The majority of our VDI is application testing, so a huge mix of operating systems (hence why VDI instead of terminal services.)

      So a highly available VDI approach vs. a normally available VDI approach will make a huge difference in recommendations.

      posted in IT Discussion
      scottalanmiller
    • RE: VDI Options - Modernization

      @jimmy9008 said in VDI Options - Modernization:

      I’ll take a look at Starwind, but not Scale. Unless I am mistaken Scale do not use ESXi as the hypervisor layer. Don’t they use KVM? I didn’t write previously but we have to stay standardized to VMWare. That would remove Scale as an option.

      Scale is KVM. That you need to be on VMware changes everything. It's not really VDI (so much) that you are evaluating but ways to deploy VMware for use as VDI. That's a wholly different picture as that rules out basically everything, and certainly all of the interesting stuff.

      Starwind could be a great PART of the solution, but they are not the VDI portion. So while I love Starwind, it's not necessarily applicable, at least not entirely, to the discussion as it's the storage component of the hypervisor that you will use for VDI.... so two steps away from the conversation.

      If you are stuck on VMware, I'd just install VMware on your own servers, use Starwind IF you need HA, and stick to the VMware stack. Not a lot of other pieces to consider.

      Since VMware was a requirement for one piece, are there other requirements also like VMware vSAN instead of Starwind?

      posted in IT Discussion
      scottalanmiller
    • RE: VDI Options - Modernization

      A key example of where NTG is stuck on something legacy is our financial systems. Due to reasons I don't totally agree with, we are currently on QuickBooks (and I could write a lot about what I think about that and how my suppositions played out, but that's for another time). For now, it is a legacy app, deployed on a legacy platform (by the vendor), hosted in a legacy way. It's SaaS, but legacy (SaaS has existed for a REALLY long time and doesn't have any modernization suggested in its use.) We are stuck with it. But we know it is legacy and causes network design complications. It is isolated and we can work around it mostly. But it is annoying and a red flag, we know it is a place that needs to be modernized and we regularly discuss plans around it.

      QuickBooks Online is a modern replacement to QuickBooks, but more limited. We can't use it as it is less capable. In this case, legacy is better. We hate it, but it is better.

      posted in IT Discussion
      scottalanmiller
    • RE: MS Teams file attachments and changing primary email address

      @gus said in MS Teams file attachments and changing primary email address:

      It’s good that MS is upgrading Outlook to make it work better with Teams work. Let's see what happens.

      Or people could catch up to 2003 and have everything fully integrated already like all of MS' competitors have had for nearly two decades now, lol. The use of Outlook remains pretty silly and it would be better if no one cared rather than MS trying to shoehorn Teams into a product that people shouldn't be deploying.

      posted in IT Discussion
      scottalanmiller
    • RE: VDI Options - Modernization

      @dashrender said in VDI Options - Modernization:

      @scottalanmiller said in VDI Options - Modernization:

      @dashrender said in VDI Options - Modernization:

      I'm really curious to know what is running on this VDI platform that makes it needed in the first place - especially for 600-1000 users.

      Dollars to donuts, I bet it is ERP related or similar.

      Do you think this is because the ERP is so horrible it's pulling data to the local session and working locally on it - or are they doing it simply for security reasons?

      I'm guessing just because ERP is the biggest reason (to my knowledge) for any company to use VDI. ERPs are the single largest LOB application period, and are the biggest legacy apps that still do 1990s style client/server applications that require a fat client to operate (the main reason that apps need VDI.)

      VDI isn't good for security (it's not horrible, but it isn't something you ever do FOR security) so that would not make any sense and could just be modernized in a heartbeat if that were the case. But if there is a client/server app running like a pre-Internet application that has high latency sensitivity at the fat client / database interface, then VDI is the primary way that that is addressed while providing remote access options. It also requires that the app need sole sessions or desktop licensing which is only common in ERP clients.

      This is exactly what is done in the veterinary space (except without the licensing requirement so TS is used instead of VDI) because of the legacy ERP-style client/server apps that are in use that haven't been updated in 30+ years (literally).

      posted in IT Discussion
      scottalanmiller
    • RE: VDI Options - Modernization

      @dashrender said in VDI Options - Modernization:

      I know Gene's company is using VDI for access to their EMR - which is cloud hosted.. I can't really understand the gain there.

      Generally, none. Many VDI deployments are done out of confusion. But there could be other factors at play, like the EMR needed to be accessed and manipulated using MS Word and there were no web hooks for it because it was legacy.

      But, like cloud, VDI is often done solely because it's an easy to remember term that almost no one understands making it an easy target for sales people to sell managers on or IT folks who just want to be able to say that they "did something" to management or people looking to pad their resumes. "Moved a company to cloud" or "rolled out VDI" look great to the untrained managers that tend to do hiring. So it is VERY popular to do where it has no purpose.

      posted in IT Discussion
      scottalanmiller
    • RE: Will faxes ever die - cheapest way to forward a DID

      @pmoncho said in Will faxes ever die - cheapest way to forward a DID:

      If I am understanding the gist correctly, they basically want VOIP everywhere correct?

      Just not POTS. But VoIP has been the only logical mechanism for voice calls for decades now.

      posted in IT Discussion
      scottalanmiller
    • RE: Looking for a remote access solution

      @jaredbusch said in Looking for a remote access solution:

      Not of the type you were discussing. Don't be a Scott.

      Always a type discussed if someone mentions VPN and knows anything. ZT is no more special or niche than any other VPN. It's every bit as much a VPN as some random other assumed solution.

      To most people, VPN is purely a Netflix location trickery tool and has nothing to do with security or access to resources.

      posted in IT Discussion
      scottalanmiller
    • RE: Looking for a remote access solution

      @dashrender said in Looking for a remote access solution:

      @scottalanmiller said in Looking for a remote access solution:

      @jaredbusch said in Looking for a remote access solution:

      @dashrender said in Looking for a remote access solution:

      @jaredbusch said in Looking for a remote access solution:

      Put zerotier on the box in the DC and the user's box. restrict it to only RDP.

      Done.

      I really like this - sadly - our insurance policy requires MFA for remote access. I'll have to see if ZT has anything for that.

      Then put the 2fa on the Windows RDP login with a service like Duo.
      https://duo.com/docs/rdp
      https://duo.com/editions-and-pricing/duo-free

      Just use ZT to lower (all but remove) the attack surface.

      That would get them up to 3FA (which isn't a bad thing) assuming ZT isn't somehow tied to some other authentication mechanism.

      As it's been AGES since I've used ZT - can you make the user have to log into it each time they launch it? If yes - and its logon isn't associated with AD (as you mentioned) then OK - I see how you consider ZT and RDP MFA.

      The user can be forced to start or stop the process. The fact that it uses a key (something you have) owned by the user makes it MFA regardless of if they automate the login or force it to be manual.

      Don't try to compare it to Duo or something like that which uses "something you have" to generate "something you know." Compare it to a security USB stick like YubiKey. It's a direct "something you have" 2FA in that sense.

      posted in IT Discussion
      scottalanmiller
    • RE: Will faxes ever die - cheapest way to forward a DID

      @gjacobse said in Will faxes ever die - cheapest way to forward a DID:

      we are working to migrate to etherFax I believe.

      So just a way of avoiding free, secure email to do something questionable and cumbersome? Why? Why do people hate security and efficiency so much!!

      posted in IT Discussion
      scottalanmiller
    • RE: free clone/imaging solution needed

      @gjacobse said in free clone/imaging solution needed:

      There are a few options that aren't that difficult

      You can just download "dd" for Windows and do the same as on Linux, it's just more effort and can't be all packaged up nice and easy.

      posted in IT Discussion
      scottalanmiller
    • RE: free clone/imaging solution needed

      @siringo said in free clone/imaging solution needed:

      @gjacobse thanks for the input. I've looked at them. Actually used Macrium a fair bit, that has a GUI which is what I'm trying to move away from .... but I have a feeling I'll be using it once more as it is the most reliable tool I've used.

      Macrium automates VSS. So it is really VSS that you are seeing in action (and works quite well.)

      posted in IT Discussion
      scottalanmiller
    • RE: ZeroTier & Security

      @stacksofplates said in ZeroTier & Security:

      There's also nothing stopping you from doing everything over HTTPS/SSH/whatever over zerotier. I just don't see the issue.

      Right, ZT, like all VPNs (as always the rules are general) should never carry unencrypted traffic unless it's of no value (someone's YouTube videos I guess). The VPN should only provide handling / tunneling, not the base security. If used properly, VPNs increase protection not decrease it. But they aren't a replacement for the necessary security that you should already have to make the traffic safe on the WAN or, for that matter, on a LAN.

      You shouldn't be running unencrypted traffic even on a LAN that has no routing to the Internet. It's just reckless and pointless... why do that?

      posted in IT Discussion
      scottalanmiller
    • RE: Reboot on ping loss

      @pete-s said in Reboot on ping loss:

      Yes, it's good to know that Tripp Lite is a real brand and commercial grade, not no-name consumer gadget.
      Eaton owns them now.

      It's not a real brand. It's total consumer BS. I had a client just try to deploy this trash for a small bank and it's the least production ready stuff I've ever seen. All of the apps and support were long ago abandoned. I think the latest version of their code is Windows 2012 and Fedora 8. EIGHT!!!!!

      Nothing works, Tripp Lite is completely abandoned and has no place in a business. Ever.

      posted in IT Discussion
      scottalanmiller
    • RE: Reboot on ping loss

      @pete-s said in Reboot on ping loss:

      @scottalanmiller said in Reboot on ping loss:

      It's not a real brand. It's total consumer BS. I had a client just try to deploy this trash for a small bank and it's the least production ready stuff I've ever seen. All of the apps and support were long ago abandoned. I think the latest version of their code is Windows 2012 and Fedora 8. EIGHT!!!!!

      Sounds like someone bought a legacy product that companies keep on the shelf for replacement in legacy systems. Or tried to install some old software that is not supposed to be installed on new systems. Basically someone not having a clue. Obviously not the product I mentioned.

      The product may be old, I don't know. But the software for it is the "current" and it's all abandoned. It was special order network enabled gear including thermal sensors. It's the top end Tripp Lite line stuff. They've just abandoned support completely.

      Their Windows product hasn't been updated in forever and doesn't even support TLS for email notifications!

      You can make it work, but only with serial connections (e.g. only communicating to a single device.) Even though it was bought with the upgraded network cards and the most expensive features are on the network card, not the UPS itself, so most of what the customer paid for doesn't work. Even if you get Tripp Lite's "current" software running, the features it is supposed to have aren't there.

      If you know where Tripp Lite has modern, working thermal monitoring software and network alerting let me know, because Tripp Lite / Eaton's website doesn't seem to offer it.

      The system only works because we have Linux and can use the open source drivers for it.

      posted in IT Discussion
      scottalanmiller
    • RE: Server 2012 R2 not installing Updates

      @dashrender said in Server 2012 R2 not installing Updates:

      @itivan80 said in Server 2012 R2 not installing Updates:

      I never ever liked Windows Update service. On one hand they fix some issues but on the other hand they create more unnecessary issues. I am glad you were able to isolate the update and made it work, congrats.

      I agree that MS should do better at making updates, but all things considered - with millions if not billions of combinations and different setups - they could definitely have way more issues.

      But Jason - Linux Distros have billions upon Billions of deployments and they don't have these issues... or so we're told.

      Exactly. Why are Linux distros, BSD distros, and MacOS distros all able to do this with very, very few issues, but MS is constantly having issues with it?

      Also, the issues that people have are really never about different combinations with Windows. It's Windows itself breaking, things that have little to nothing to do (in most cases) with configuration or third party components.

      Also, other OSes update a lot more than Windows does.

      posted in IT Discussion
      scottalanmiller
    • RE: Server 2012 R2 not installing Updates

      @dashrender said in Server 2012 R2 not installing Updates:

      @scottalanmiller said in Server 2012 R2 not installing Updates:

      @dashrender said in Server 2012 R2 not installing Updates:

      @itivan80 said in Server 2012 R2 not installing Updates:

      I never ever liked Windows Update service. On one hand they fix some issues but on the other hand they create more unnecessary issues. I am glad you were able to isolate the update and made it work, congrats.

      I agree that MS should do better at making updates, but all things considered - with millions if not billions of combinations and different setups - they could definitely have way more issues.

      But Jason - Linux Distros have billions upon Billions of deployments and they don't have these issues... or so we're told.

      Exactly. Why are Linux distros, BSD distros, and MacOS distros all able to do this with very, very few issues, but MS is constantly having issues with it?

      Also, the issues that people have are really never about different combinations with Windows. It's Windows itself breaking, things that have little to nothing to do (in most cases) with configuration or third party components.

      Also, other OSes update a lot more than Windows does.

      This is a great question - of course one of which I do not have an answer. Though I guess it's likely to do with fundamental design differences - does nix use DLLs? There's no registry on nix either (at least not in general) - these poor design choices by MS could be all the reason for the problems.

      Could be, but are also things that they can fix. But Linux uses config files like a registry. And Linux has shared libraries. And once in a while they have issues, but fixes are normally easy. But how many of these Windows update issues are related to DLL and registry issues since 2003? Not many, I don't think.

      posted in IT Discussion
      scottalanmiller
    • RE: Server 2012 R2 not installing Updates

      @dashrender said in Server 2012 R2 not installing Updates:

      @scottalanmiller said in Server 2012 R2 not installing Updates:

      @dashrender said in Server 2012 R2 not installing Updates:

      Of course though - this thread is about Windows Server, not desktop - where this should be MUCH less of an issue with properly designed code.

      Same code, they don't make it twice. Less hardware hotplugging, but probably just as many lines of code in use.

      Less desktop apps on the platform, but you're right - the base code is the same.

      Fewer desktop apps, maybe. But in the Windows world, server often is treated as a desktop (like 90% of the time) so the reduction is rarely what you'd hope. And there tends to be lots of server-only code too, often running as desktop apps.

      posted in IT Discussion
      scottalanmiller