RDPSoft

Remote Desktop and Terminal Server Software

We Monitor, Manage & Fix RDS, AVD, Citrix and Parallels RAS

Most RDS/Citrix Monitoring Tools Licensing Models are Bull$h!+

By Leave a Comment

Ready for another epic Andy rant on the Citrix/RDS monitoring industry? Strap into your seats, folks! Today we’re going to take on how most RDS and Citrix monitoring tool vendors adopt licensing models designed to soak their customers and bleed them dry.

RDS Licensing

RDS Licensing Gotcha 1: When They Charge You For Data Retention, and/or Tier Their Licensing Based on Citrix/RDS Data Retention

This seriously chaps my hide. Back when I ran Dorian Software, our licensing model was simple. You paid us for each Windows system you monitored / archived Windows event log data from. We didn’t care if you had your auditing turned on full bore or at a trickle, nor how many gigabytes of log data you generated each day. We simply gathered up the incoming entries and stashed them into a database. Then, we put YOU in control of your own data retention / grooming policies. Provided you had the database server beefy enough to handle a year or more’s worth of log data, you could hold on to data that long or longer.

We use this same licensing model at RDPSoft for our Remote Desktop Commander Suite. We put you in charge of the Citrix and RDS data retention, as you can see below from one of our configuration dialogs. And just like in the Dorian days, our licensing model is based on the total number of RDS servers and workstations/virtual desktops you’re collecting data from, not the number of concurrent users connecting to sessions/remote apps, nor the retention days or the volume of data collected. There’s a word for this licensing model: Fair.

rds licensing retention
We put you in complete control of your RDS and Citrix data retention.

However, more and more Citrix and RDS monitoring vendors tie their licensing models to data retention. This includes the Citrix Director plus Edgesight monitoring platform. If you want, in effect, unlimited data retention, you get to pay through the nose. We’ve seen licensing schemes whereby pricing is tiered based on retention, such as one day, one month, or one year. Guess what – the one month and one year data retention options are considerably more costly.

To those vendors adopting those models, we at RDPSoft say: STOP HOLDING YOUR CUSTOMERS’ DATA HOSTAGE.

RDS Licensing Gotcha 2: When They Charge You For Concurrent Users, But Also Count The Built-In Services and Console Sessions Towards the Total

Seriously? You’re so greedy that you’re going to run up the concurrent user count by adding the built-in services and console sessions on every Windows system? Yes, there are vendors in the marketplace that do this. If you’re evaluating other Citrix / RDS monitoring tools, you MUST read their licensing fine print. In this market, more than many others, the licensing scams models are apples and oranges.

Unfair Licensing Schemes Are the Product Of Desperation, Not Innovation

I’ve been around the software industry long enough to tell you how these convoluted and unfair licensing models come into being. It’s no different in the RDS/Citrix tools market.

Picture a bunch of sales weasels professionals gathered around a conference table. They’re sweating bullets because they have major quotas to meet for the year. More than likely there are now ambitious revenue targets set by management in place. “Eureka,” one of them exclaims, “let’s change our licensing model / rules to create more billable units/devices/interfaces/users per customer. That’s the ticket!”

Rather than innovating and raising prices to match an expanded feature set, they simply change the rules of the game midstream. If the subsequent cost increases are mild enough for most customers, those customers don’t complain too much. The old anecdote about boiling a frog slowly comes to mind.

At RDPSoft, Our Licensing Model For RDS and Citrix Monitoring Is Fair, and Maximizes Value

We’re probably old fashioned, but at RDPSoft, we believe in the golden rule. When we buy software or services, we ourselves want to be treated fairly, and we want to support vendors that provide a lot of value for our money. We treat our customers no differently. To summarize, here’s how we do that:

  • Our licensing is based on the number of servers, workstations, or virtual desktops you want to monitor, not the number of named users or concurrent users.
  • We don’t charge you / upsell you based on how much monitoring and reporting data you want to store over time.
  • We don’t pad our margins by forcing you to pay for extra licenses to monitor the built-in console or services sessions.
  • We offer an extremely affordable, pay as you go monthly subscription option for only $9 per RDS/Citrix server monitored, and $1 per Workstation/VDI monitored.
  • We offer free support and a money-back guarantee during the first 30 days after purchase / subscription start. If our software does not perform in your environment for any reason, we will refund your purchase price. Your satisfaction is our number one concern.

Are you ready to save money by dumping your existing RDS/Citrix monitoring vendor? Would you like to start monitoring your RDS farm without breaking the bank on licensing costs? View all the features of our Remote Desktop Commander Suite here, and start your monthly subscription for only $9 per server per month.

Shadowing RDP Users: A Twisted History

By Leave a Comment

Alright folks, it’s time for a post on the fun, twisted history of shadowing RDP users in Microsoft Remote Desktop Services. Not a month goes by that I don’t field a call from an administrator confused about the shadowing changes across various Windows Server implementations. And, I’ll cover some of the basics in Remote Desktop Commander that make these RDP shadowing variations as seamless as possible among the different Microsoft OS versions.

First Rule of Shadow Club: You CANNOT Shadow RDP Users on Windows Server 2012, ONLY Windows Server 2012 R2

This keeps biting RDS admins in the butt. There is ZERO support for shadowing in Windows Server 2012. I’ve written at length about many of the radical changes between RDS on Windows Server 2008 and Windows Server 2012. Microsoft literally roto-rootered the whole RDS stack in Windows Server 2012, tearing out old plumbing and integrating new plumbing related to RemoteFX and RDP enhancements. It took them until the Windows Server 2012 R2 release to put Humpty Dumpty mostly back together again. So unless you REALLY like pain, don’t upgrade to Windows Server 2012 – bypass it and upgrade to Windows Server 2012 R2 or Windows 2016.

Review: Legacy Shadow Techniques for RDP Users on Windows Server 2003 and Windows Server 2008

Yes, I included Windows Server 2003 because I know some of you deviants still have some Windows 2003 systems running in your enterprise, long after extended support and updates have expired. That’s fine you slackers – blame legacy apps and management. 🙂

Back in the good ole days of simpler operating systems, to shadow you would either:

1.) Fire up a copy of TSAdmin (Remote Desktop Services Manager), highlight the user session in question, then right mouse click to shadow them, OR:
2.) Command line it with the shadow command, passing it the user’s session ID and the server their session was located on.

Legacy Shadow User RDP
Ahh, the good ole days of RDP user shadowing…

Both of these approaches required you to run the app or the command from within a Remote Desktop session; you could not issue these commands directly from the console session of a server or workstation.

New Shadow Techniques for RDP Users in Windows Server 2012 R2 (and Windows 8.1 and Windows 10)

Alright, let’s engage in some fantasy now shall we? Let’s say that all of your servers are Windows 2012 R2, and all of your workstations are Windows 8.1 or Windows 10. Ha ha! See how funny I can be? In this case, you can use the new command line arguments built into the Remote Desktop Connection Client (mstsc.exe) to get the party started.

NOTE 1: Unlike Windows Server 2008, Windows Server 2003, and Windows 7, you DO NOT already have to be running in a remote desktop session to start shadowing another user session. You can be logged into the console session of your own desktop, laptop, etc and jump right into shadowing a remote user’s session, IF:

1.) Your Windows system is running Windows 8.1, Windows 10, Windows Server 2012 or later.
2.) Their Windows system is running Windows 8.1, Windows 10, Windows Server 2012 or later.

If either one of the systems is at a lower OS level, this new approach won’t work.

NOTE 2: In Windows Server 2012 R2, by default you need to be a local administrator on the machine hosting the sessions you wish to shadow. This is a major shift from Windows Server 2008 and earlier operating systems. There is a way around this however with a gnarly command you can run inside Powershell.

Again, provided you live in this magical world of fairy tales, unicorns, and homogeneous operating systems, you simply launch mstsc.exe with the appropriate combination of command line switches, such as:

1.) Switch /v, which is the remote computer with the session you want to shadow (e.g. /v:MY2012SERVER)
2.) Switch /shadow, which accepts the session id of the user session that will be shadowed (e.g. /shadow:1)
3.) Switches /control and /noConsentPrompt, which determine whether you can control or only view the session, and whether or not the user is notified that you are shadowing their activity, respectively.

Putting it together: mstsc /v:TARGETSERVER /shadow:1 /noConsentPrompt lets you monitor (but not control) session 1 on TARGETSERVER without notifying the user.

The RDP Shadow Reality: You Run a Heterogeneous Network Full of Systems That Are At Different OS Levels.

I gave a talk on RDP 8 at TechMentor once, and asked for a show of hands to find out who had deployed Windows Server 2012 in their environment. The vast majority of attendees were still running Windows Server 2008, and those who had started deploying Windows Server 2012 still had a lot of Server 2008 systems in place. It was clear that there would be two different approaches to shadowing RDP users for quite a while.

Given this challenge, we built a bit of magic quite some time ago into Remote Desktop Commander when it comes to shadowing users. We automatically detect whether or not you want to shadow a user on the local system or a remote system, and we also look at the OS level of both the local machine and the remote machine. If both systems are running Windows 8.1, 2012 R2, Windows 10 or later, we shell out immediately to MSTSC with the new options. If there is an OS level mismatch, we’ll first establish a client RDP session on the remote system, and then auto launch a helper utility on the remote system that will invoke the appropriate shadowing technique to start shadowing the desired session.

Intelligent RDP User Shadowing
Remote Desktop Commander makes this much easier…

Shadow User RDP Settings

In addition, as you can see in the above screenshot, we give you even more options before starting the RDP user shadow attempt. For instance, you can temporarily override the GPO that controls whether or not users are notified that their session will be shadowed. You can also start your client session in Admin mode, so that the connection broker doesn’t block you from connecting to the desired server in the collection.

The Best Part Of This Twisted History?

These shadowing features come in versions of Remote Desktop Commander. So, luckily, this history doesn’t have too messy an ending.

Find out more about later developments in user session shadowing with Remote Desktop Commander or find out what fits your needs best – you can request a web demo from our team

Updated: November 2020.

Avoiding UDP Transport Gotchas With RDP 8

By Leave a Comment

I’ve been writing and speaking a lot lately about the improvements found in version 8 of the Remote Desktop Protocol, which is used in Windows 8 and Windows Server 2012. Version 10 of RDP was just introduced in Windows 10, and it soon will be implemented in Windows Server 2016, adding some new enhancements over Version 8 which we’ll talk about soon. But back to the topic at hand…

UDP Transport in RDP 8 Boosts Throughput And Enhances User Experience

RDP version 8 is the first generation of the Remote Desktop Protocol that uses UDP alongside TCP for data transmission. Provided the RDP client supports RDP 8 (e.g. Windows 7 with RDP 8 Update, Windows 8, or Windows 10), the Windows 2012 RDSH server can transmit data using both UDP and TCP. This is a big deal, because UDP doesn’t suffer from TCP’s enforcement of its congestion-avoidance algorithm, so RDP 8 can push more data across the wire in a selected chunk of time via UDP (e.g. 2x to 8x more compared to TCP transport only), even over high latency links. Couple that with some nifty forward error correction techniques, and RDP 8 is able to boldly go into sketchy network conditions that previous versions would run screaming from.

But Watch Out For the Following Gotchas That Can Block UDP in RDP 8

Believe it or not, there are several common “gotchas” that can conspire against you to prevent UDP transport use with an RDP 8 or later Remote Desktop Connection. Let’s look at them in order:

Using a Windows Server 2008 Remote Desktop Gateway With Windows Server 2012 Remote Desktop Session Hosts

The Remote Desktop Gateway Role Service in Windows Server 2008 does not support UDP transport, so all connections via this legacy gateway will be forced to use TCP only. Not good. Make sure you upgrade your Windows 2008 server running the Remote Desktop Gateway Role Service to Windows Server 2012.

Forgetting to Explicitly Add an Endpoint For UDP in Windows Azure

This one is BIG if you are hosting your Remote Desktop Session Hosts in Windows Azure (or any other cloud service provider for that matter). By default, when you create a new Windows Server 2012 instance (with or without the RDSH role implemented), only the TCP endpoint for RDP will be created. See below:

RDP UDP Endpoint Missing

You’ll need to go back behind any newly provisioned RDSH servers in Azure and remember to explicitly define a UDP endpoint for RDP like so:

RDP UDP Endpoint Defined

Accidentally Disabling UDP Transport Via Server Side Group Policy Objects

One other potential problem is incorrectly setting the “RDP Transport Protocols” Group Policy setting, located under Computer Configuration, Administrative Templates, Windows Components, Remote Desktop Services, Remote Desktop Session Host, Connections. By default, both UDP and TCP will be used if the client supports it, but administrators can explicitly disable the use of UDP transport in this area.

So, there you have it. UDP transport in RDP 8 opens up so many possibilities in terms of user experience an overall Remote Desktop performance. However, you have to double check and make sure that it’s not being restricted right out of the gate.

Want to find out more about what transport protocols your clients use, bandwidth consumption, and connection quality? Click here to learn more about the Remote Desktop Commander, and start a $9 per server per month subscription to profile all of the above, plus much more.

Preventing Remote Desktop Logins For Privileged Users

By Leave a Comment

Recently, I was working with a client who had the interesting goal of preventing a specific domain administrator from logging on via Remote Desktop Services. They wanted the domain admin and other privileged accounts to only connect via the VMWare vSphere console (through the corporate firewall), and then start a console session.

Fortunately, this is easily accomplished via user rights assignments in Group Policy / Local Security Policy. To do this, open up your Group Policy editor, or, if on a non-domain system, launch secpol.msc, and adjust the “Deny logon through Remote Desktop Services” policy entry.

Deny Logon Via Remote Desktop Services

Deny Logon Via RDS

Add the users who you want to prevent from logging on via Remote Desktop Services, save, and then apply/refresh the policy and test.

Note that this works well in all scenarios, from Windows Server 2003 onward. There is an older setting for individual users in Active Directory user management called “Deny this user permission to logon to a Remote Desktop Session Host Server.” This setting worked in all scenarios back in Windows Server 2003. However, in Windows Server 2008 and Windows Server 2012, it only works when the RDSH server is configured in Application Mode, NOT Remote Administration mode. Only setting the “Deny logon through Remote Desktop Services” user right assignment in Group Policy will effectively block access across all RDSH modes.

For more, read this Microsoft support article.

Is This The Absolute Surefire Way To Prevent Those Remote Desktop Logins? Well . . .

So, the above would not prevent an Administrator from altering a Group Policy object to remove themselves from this policy restriction. Therefore, using a tool like our Remote Desktop Commander Suite to audit privileged user sessions is a smart idea.

Using Remote Desktop Commander in conjunction with Group Policy, you can turn on heightened session auditing for specific users, routinely creating session recordings and screen captures for review later.

Quite a bargain for only $9 per server per month, if we do say so ourselves.

New Remote Desktop Services Hotfixes for Windows Server 2012 R2

By Leave a Comment

Greetings folks.

The Remote Desktop Services team at Microsoft has just released several new hotfixes for Windows Server 2012 R2 RDS deployments, one of which is pretty significant:

Remote Desktop Licensing Manager
Our Old Friend, the Remote Desktop Licensing Manager.

High Importance Hotfixes

Scenario where too many users signing on can corrupt the RDS Licensing Server database.
Apparently, if there is a high volume surge of many users logging on at the same time, this can corrupt the licensing server DB. Not good!

Lower Importance Hotfixes

Remote Desktop Licensing Manager Tool corrupts reports in large farms.
Not an issue unless the report goes over 4KB in size, so this should only affect larger farms.

Disappearing RemoteApp windows
As a developer, this one fascinates me a bit. It only affects applications that temporarily disable window painting via the WM_SETREDRAW windows message. Still, if you’re having an issue with certain app windows disappearing when hosted via RemoteApp, it’s worth looking into this hotfix.

Remote Desktop Easy Print speed issues
Ahh yes, the continued bane of all RDS/Citrix admins’ existence – printing. After an OS upgrade to Windows Server 2012 R2, a new *feature* can make printing through the Easy Print driver take longer. This hotfix gives you better control over whether printing starts during or after spooling is completed.

That’s all for now.

— Your humble Microsoft RDS MVP

Do you need complete RDS/XenDesktop monitoring & reporting for only $9 per server per month? Review our sample reports and watch demonstration videos here.

From the RDPSoft Blog

We Do “Single Pane of Glass” Monitoring and Management for RDS

Reach Out

For fastest response, reach out via our sales and support contact forms.

Sales
US: 1-855-738-8457 x1
Outside the US: 1-702-749-4325 x1

Support
for Evaluators and Priority Support Customers
US: 1-855-738-8457 x2
Outside the US: 1-702-749-4325 x2