RDPSoft

Remote Desktop and Terminal Server Software

We Make RDS, XenApp & VDI Monitoring/Reporting Easy and Affordable

Three Reasons Why You Need to Monitor CAP and RAP Failures On Your Remote Desktop Gateways

By 1 Comment

The latest version of our Remote Desktop Commander Suite (Version 6) now offers reporting that tracks CAP (Connection Authorization Policies) and RAP (Resource Authorization Policies) failures on your Remote Desktop Gateway servers. Why is it important to track these failures? Here are three very important reasons.

CAP and RAP Failures on Your Remote Desktop Gateways May Be Indicative of Hack Attempts

Put simply, Remote Desktop Gateway CAPs control WHO (which users and groups) can access your Remote Desktop Services deployments, and Remote Desktop Gateway RAPs control WHAT (e.g. which computers) they can access in the deployment. If you are seeing either CAP or RAP failures in your event logs, it could be an intruder trying to gain access to your internal network’s systems. This is especially true if you are *not using* a MFA solution on your network to better validate RDS users authenticating through a Terminal Services Gateway.

For instance, if you see a CAP failure (Event ID 201 in the Microsoft-Windows-TerminalServices-Gateway/Operational event log), it could indicate that an attacker has managed to successfully authenticate with one of your Remote Desktop Gateway servers, but the compromised user was not a user approved to access your RDS deployment. Or in other words, a hacker has obtained the correct username/pw combo for a user in your Active Directory, but that user is NOT authorized to use your RDS collections.

In this CAP failure example, a hacker may have gotten the password for ‘CompromisedAccount’, and then attempted to authenticate through the Gateway in attempt to access other systems internal to your network.

In contrast, if you see a RAP failure (Event ID 301 in the Microsoft-Windows-TerminalServices-Gateway/Operational event log), an attacker may be trying to connect to a system BEYOND your RDS deployment and has been blocked from doing so. That is more likely if you’ve already done what I’ve recommended in my book on securing RDS deployments and tightened down your RAPs. A normal user typically uses the default RDP file they obtain from your RDWeb feed. An attacker, on the other hand, could have altered an RDP file to keep your gateway server information, but instead target a non-RDS server by it’s name or IP address.

In this RAP failure example, a hacker may have gotten the password for ‘CompromisedAccount’, and then attempted to access your Domain Controller or another critical server beyond your RDS deployment through the Gateway.

You Could Have a Configuration Issue On Your Gateways

It’s easy to screw up CAP and RAP policies on a Gateway. For instance, let’s say you’ve setup an RDS deployment with a single connection broker. Then, you decide to add a second connection broker and put the deployment into High Availability mode. Did you remember to visit both of your Remote Desktop Gateway servers and add the new broker to each of their RAPs? If not, users who get load balanced to the new, second broker will have problems connecting via the gateway because they’re not yet authorized to connect via the RAP.

In another scenario I’ve seen in my consulting work, a client migrated their RDS deployment from one datacenter to another, and then had an issue with name resolution because of legacy RDP files still in use. The gateways had RAP entries for the fully qualified domain names of the session hosts, but not for their equivalent NetBIOS short names and IP addresses. As a result, some connections were working and others were not.

Your End Users Could Be Using Misconfigured RDP Files

Your end users will continually cause you pain by doing things like caching copies of the RDP files they’ve downloaded to their desktop. Then, when you push changes and reconfigurations out to RDWeb via the Connection Broker, they’ll bypass RDWeb or RADC in favor of their out of date RDP file already stashed on their desktop. That, in turn, can generate RAP failures and/or connection broker connection request failures. If you’re monitoring CAP/RAP failures and connection broker failures, you can make a list of the “wayward children” who need to get a tap on the shoulder!

The Takeaway – You Need Automated Collection and Reporting of Remote Desktop Gateway CAP and RAP Failures

In busy deployments, the Microsoft-Windows-TerminalServices-Gateway/Operational event log wraps VERY quickly. I’ve seen these logs wrap within an hour, because no one remembers to boost their retention settings via Group Policy. And even if you fix the retention, consolidating things by username or by gateway server to make sense of it all will take some doing, even if you do have a SIEM or other log aggregation solution in place.

Our Remote Desktop Commander Suite solution automates all of this for you.

First, it continually collects CAP, RAP and other informational events from your Remote Desktop Gateways and stores them in its SQL database. Doing so allows you to produce reports like these on demand or on a scheduled basis with powerful filtering capabilities around usernames and server names.

Remote Desktop Gateway CAP and RAP Failures

Secondly, it has a Top Level Deployment Status Dashboard where you can continually keep your eye on Remote Desktop Gateway health, current connection count, recent connection failures, plus summon reports like those above with just two mouse clicks. To give you an idea of that dashboard’s power, please watch this video below (remember to expand it to full screen!)

The Remote Desktop Commander Suite can monitor and report on your gateways for only $11.49 per server per month, with volume discounts available. Contact our sales team for more information or to set up a demo.



Connection Broker Monitoring

By 1 Comment

Learn more about how the Top Level Deployment Status Dashboard in Remote Desktop Commander v6 handles connection broker monitoring, remote desktop gateway monitoring, session host monitoring, and synthetic RDP login monitoring.

In Remote Desktop Commander 6.0, we introduced a new Top Level Deployment Dashboard which displays the health of all of your Remote Desktop Services deployment infrastructure in one main view. If you integrate the Remote Desktop Commander Suite with our Remote Desktop Canary solution, the results of your continuous synthetic RDP login tests will automatically update in this dashboard, so you can spot errors or lengthening login times that impact user experience. In addition, this dashboard displays the trending health and load of all of your RDS gateway servers, your connection brokers, and session host collections.

Why Connection Broker Monitoring Is Important

Out of all of these roles, the Connection Broker is arguably the most important, as it truly is the “brains” of an RDS deployment. It is responsible for routing and load balancing users on to the correct servers in RDS collections, and also reconnecting disconnected sessions to the appropriate hosts. As such, the Remote Desktop Commander Suite monitors Connection Broker metrics like connection success rate, the recent number of connections processed, the response time of the SQL database server(s) the connection broker(s) are linked to, and the stored procedure success rate on that SQL database(s) that the connection brokers consult when routing users.

How To Monitor Connection Brokers

Our software collects and monitors these metrics because it has been our direct experience that connection brokers can seem “OK” in terms of CPU and memory use, but may NOT actually be OK when you start looking at things like database response times and stored procedure failure rates. Frankly, the internal mechanics of how connection brokers interact with their SQL databases are, erm, “complicated” and somewhat akin to watching sausage being made – it’s not pretty! When login storms arrive in the morning, after lunch, or after a temporary RD gateway or load balancer failure, the SQL DB typically gets overloaded, causing the connection broker to stop routing connections, etc. Consequently, proper connection broker monitoring must incorporate all of these metrics.

Furthermore, comprehensive RDS deployment monitoring, like what we provide in our Complete Monitoring and Management Bundle for RDS, monitors connection broker metrics ALONGSIDE critical gateway AND session host metrics, plus drives continuous testing into the farm with synthetic RDP login monitoring. The Top Level Deployment Status Dashboard is your entry point to all of this rich information, with drill down capabilities into active session management, shadowing sessions, user and process level performance troubleshooting, and over 100 reports on connection quality, user activity monitoring, licensing, and much more just a few mouse clicks away.

Connection Broker Error Reporting

Quickly investigate the reason for connection broker routing failures using the new Infrastructure – Connection Broker Connection Request Failures report

While connection broker routing failures happen less frequently than Remote Desktop Gateway CAP and RAP failures, it’s still important to keep an eye on them. For instance, if you migrate your deployment to use new infrastructure servers, or if you recreate your RDS collections, you may have users trying to connect with older RDP files that hold invalid collection information. Running the Connection Broker Connection Request Failures report in the Remote Desktop Commander Suite will show you all of the user accounts that are using invalid RDP files, as well as other problems, such as connection broker(s) with insufficient system resources to route users appropriately.

Ready To Get Started?

Are you ready to add comprehensive monitoring and management to your RDS environment? Would you like to have that “single pane of glass” that can show you all the critical metrics related to your Remote Desktop Services deployment, with active session management/shadowing, deep dive performance troubleshooting, user activity monitoring, license tracking, connection quality, and more just a few mouse clicks away?

If so, start a very affordable subscription to our Complete Monitoring and Management Bundle for RDS for only $17.99 per server monitored per month, with volume discounts available. Or, if you’re not ready to purchase just yet, contact us for a web demo and let us answer all of your pre-purchase questions.

Remote Desktop Commander v6 Sneak Peek

By Leave a Comment

Greetings, friends and customers! For our U.S. based customers, we hope you enjoyed a great Thanksgiving holiday last week.

We wrote this blog post to give you a quick update on development progress in Remote Desktop Commander v6, which will be released in Q1 of 2022. Read on to learn how you can participate as a beta tester for this new version. Also, if you are a user of our free Remote Desktop Commander Lite tool, read on to learn about a special promotion available to you if you start a monthly subscription with us before December 31, 2021.

In this RDPSoft E-Newsletter:

Remote Desktop Commander Version v6 Sneak Peek and Beta Signup Link

End of Year Promotion for New Customers Who Start a Monthly Subscription

Remote Desktop Commander Version 6 Sneak Peak

First of all, a big thank you to all of our customers who participated in our product feature survey we sent out a few months ago, and congratulations to James W., our winner of the randomly drawn $150 Amazon Gift Card. Based on your feedback, the biggest need identified was a comprehensive, top level dashboard displaying the health of your RDS deployment. So that’s what we’ve been hard at work on, and that’s what will be the cornerstone feature of our upcoming Version 6 release.

While currently a work in progress, the Top Level Deployment Status Dashboard will show you things like login times monitored by Remote Desktop Canary, Remote Desktop Gateway health, Remote Desktop Connection Broker health, and the health of your various RDS collections and AVD host pools.

Version 6 of Remote Desktop Commander will offer better integration with Remote Desktop Canary databases so you can see recent login durations and errors directly atop the new dashboard. The health status of your Remote Desktop Gateway servers and Connection Brokers will also be displayed, in terms of whether or not those infrastructure services are running, their CPU and memory loads, connection statistics, database response times, etc. Finally, you can see the general health of specific collections and host pools in your RDS and AVD deployments, in terms of things like CPU/Memory load, session counts, average sessions per host, latency, and user input delay.

Clicking on specific subitems in the dashboard will in turn launch other dashboards and reports so you can quickly drill into areas of interest for a closer inspection.

Furthermore, Remote Desktop Commander v6 will offer additional new reports related to Remote Desktop Gateways and Connection Brokers, such as connection statistics, reason for connection failures, connection broker database responsiveness, and other metrics.

We’d love for you to participate in a beta of Remote Desktop Commander v6 once it is ready. To do so, please sign up here and we’ll notify you when the beta becomes available.

20% Off For New Customers Who Start a Monthly Subscription

We have many customers worldwide who currently use one of our commercial tools (Remote Desktop Commander Suite, Remote Desktop Canary, Premium Management Features) for monitoring their Remote Desktop Services (RDS) and Azure Virtual Desktop (AVD) environments. We have an even larger user base who utilizes our free Remote Desktop Commander Lite solution to do basic user session management in RDS and AVD. We greatly appreciate both of these groups, as they are the reason for our success.

If you’re in the latter category, but have contemplated a move to one or more of our commercial RDS and AVD monitoring tools, please go here to request a quote and mention that you want your special 20% off coupon code to start a monthly subscription with us. We’ll write back with your coupon code and we’ll also do a quick needs assessment before your purchase to make sure you order exactly what you need. Here are the details of the promotion:

  • You must be a new customer who is not currently licensing the Remote Desktop Commander Suite, Remote Desktop Canary, or Premium Management Features applications from us.
  • The offer applies to monthly subscriptions only (not annual subscriptions)
  • The discount applies to the first 3 months of the subscription, at which point the price will revert to the regular price.
  • You must sign up for a monthly subscription on or before December 31st, 2021.

Whether you have a limited time need or ongoing need for comprehensive RDS/AVD monitoring and management, this promotion is a great way to get started.

Remote Desktop Commander v5.1 Now Available!

By Leave a Comment

Greetings friends and current Remote Desktop Commander customers!  We’ve just released Version 5.1 of our Remote Desktop Commander Lite, Premium Management Features, and Remote Desktop Commander Suite solutions.  While largely a maintenance release, Version 5.1 introduces a new Drain Mode Helper for RDS collections and AVD hostpools – and this feature is available in both the free Remote Desktop Commander Lite and commercial Premium Management Features and Remote Desktop Commander Suite releases.  In addition to this new feature, Version 5.1 offers some performance enhancements and improvements to the Remote Desktop Commander Suite and Premium Management Features solutions:

  • The Remote Desktop Reporter Service has been further optimized for larger environments.  Specifically, SQL query improvements have been made to reduce locking and waits when inserting lots of agent data.
  • The new CPU Usage By Application Dashboard has been optimized for larger environments, so that it loads relevant data faster.
  • Areas of the software that research items online, such as process names, connecting IP addresses, disconnect reasons, etc., now load a full instance of a web browser when researching those items on Google.  This makes those research features more compatible across a wider variety of operating systems and web browsers.
  • It’s now easier to build custom computer groupings for related RDS or AVD hosts in the Remote Desktop Commander Session Navigator.  We’ve improved the code that retrieves computer accounts from the domain controller, making it easy to add both server and workstations to the Remote Desktop Session Navigator for management tasks.

Finally, as we begin development on the next version of the Remote Desktop Commander Suite, we want to hear from you regarding the new features you want to see in our products.  Read on for a link to our product features survey below – all participants in the survey will be entered into a drawing for a $150 Amazon Gift Card, in which a winner will be selected at random after the survey deadline closes.

In this RDPSoft E-Newsletter:

Using The New Drain Mode Helper

New Performance Enhancements and Tweaks in Version 5.1

Participate In Our Product Features Survey For A Chance To Win a $150 Amazon Gift Card

Version 5.1 Upgrade, Purchase, and Demo Links

Check On and Change the Status of Drain Mode On Multiple RDS and AVD Hosts With Our New Drain Mode Helper

Managing Drain Mode on Hosts in RDS Collections and AVD Host Pools Just Got A Lot Easier

Administrators of medium and larger sized Remote Desktop Services and Azure Virtual Desktop environments know how tricky it can be to manage drain mode across all of their session hosts. It’s easy to put a host into drain mode for maintenance yet forget to take it out of drain mode later, causing problems related to load balancing. When too few servers have to pick up the slack of too many sessions, bad things happen.

As a result, we created the new Drain Mode Helper, which is now available for ALL of our user base – both users of the free Remote Desktop Commander Lite utility and our commercial Premium Management Features and Remote Desktop Commander Suite customers can leverage this feature.

Using the Drain Mode Helper is easy. Simply select the RDS collection, AVD host pool, or manual grouping of RDS session hosts from the left hand tree view in the Remote Desktop Commander Client’s Session Navigator. Then choose the “Check and Manage Drain Mode on Computers” menu item.

The Drain Mode Helper will then launch and quickly retrieve the drain mode status on all of the hosts in that RDS Collection or AVD Host Pool. You can easily select all of the hosts that are in drain mode to take them out of drain mode, or vice versa.

This tool is sophisticated enough to realize when it is dealing with an RDS collection versus an AVD host pool. When dealing with an RDS collection, it adjusts drain mode on the individual servers. When working with an AVD host pool, it adjusts the drain mode status of the host(s) directly via the Azure Virtual Desktop brokering infrastructure.

New Performance Enhancements And Tweaks In the Remote Desktop Commander Suite and Premium Management Features

At RDPSoft, we’re always working to further improve and optimize our software based on customer feedback. Version 5.1 has several of these optimizations, as discussed in depth below.

First, we optimized some internal SQL statements in the Remote Desktop Reporter Service, which reduces locks and waits when Remote Desktop Commander is transferring large amounts of agent data collected from session hosts into the relevant tables. This results in reduced resource usage on the SQL Server and speeds up the time it takes to transfer this data into the SQL database.

Secondly, in our newer CPU Usage By Application dashboard, we added optimizations so that this dashboard will only show up to 2500 records maximum of programs using the most CPU, regardless of the size of the environment. This will speed up the loading and display of data in this dashboard for our larger customers.

CPU Use By Application Report
CPU Usage By Application Dashboard – Now Optimized!

Thirdly, we improved the “research” buttons throughout the Remote Desktop Commander Suite and Premium Management Features tools, that would automatically try to lookup things like process names, IP addresses, and RDP disconnect reasons via Google. In previous versions, we’d use an internal web browser component to display the results, but this did not always work reliably on some operating systems with certain security settings, so now research tasks shell out to a separate default web browser instance for improved compatibility.

Researching Items Online Now Launches a Separate Web Browser

Finally, we updated the Computer Group builder in the Remote Desktop Commander Client. In certain environments, like Citrix, you may need to build logical groupings of session hosts or virtual desktops that don’t correlate to an RDS collection or AVD host pool. Version 5.1 makes it easier to build computer groups – simply enter in your domain name, click the Refresh button, and Remote Desktop Commander will quickly do a deep search in Active Directory to return all servers, and optionally, all workstations. You can then select the ones you want to incorporate into a custom computer grouping.

Define Custom Computer Groupings
Defining Custom Computer Groupings Is Now Even Easier in the Remote Desktop Commander Client

What New Features Would You Like Us To Add?

We’ve got many great ideas about new features that we want to add to Remote Desktop Commander, but we’d like you to help us prioritize them- so that we add the features that will benefit the majority of our clients first.

As a way of saying thank you, if you complete the survey at the link below, you will automatically be entered into a drawing for a $150 Amazon gift card. Please, only complete one survey per person. The survey closes on September 30th, 2021, and we will inform the winner shortly thereafter.

To start the survey, please click here.

Remote Desktop Commander 5.1 Upgrade, Purchase, and Demo Links

If you are an existing Remote Desktop Commander SUITE subscription licensee and/or active maintenance agreement holder, click here to request upgrade instructions.

If you are an existing Remote Desktop Commander Lite or Premium Management Features customer, proceed to the Remote Desktop Commander Lite download page to download Version 5.1 of the client.  Then install it over your previous version.

If you’d like to learn more about the Remote Desktop Commander Suite, including its feature set and how to start a subscription for only $11.49 per server per month, click here.

If you’d like to learn more about Premium Management Features, including its feature set and how to start a subscription for only $114.99 per named admin or technician per year, click here.

Request a web demo with an RDPSoft solutions expert to see all our solutions’ features in depth.

From the RDPSoft Blog

We Do “Single Pane of Glass” Monitoring and Management for RDS

Reach Out

For fastest response, reach out via our sales and support contact forms.

Sales
US: 1-855-738-8457 x1
Outside the US: 1-702-749-4325 x1

Support
for Evaluators and Priority Support Customers
US: 1-855-738-8457 x2
Outside the US: 1-702-749-4325 x2