Are you now working remotely due to the global COVID-19 pandemic? Are you an employer who has been forced to rethink the way your employees work? Are you also tired of dark forecasts and messages in your inbox about people who have the silver bullet for working remotely? Me too. Unfortunately, Forbes Magazine recently predicted the largest global cybersecurity hack in history to take place sometime in the next 6 months due to the combination of our risk tolerance overload and widespread, sometimes sloppy remote workforce scenarios. So, here’s the goal: let’s explore what best practice actually is for technology you are probably already using. No silver bullet. No massive overhaul. Just practical help. In this blog, I am going to walk you through the pros and cons of the various approaches typically in use today for a remote workforce, from an engineer’s perspective, leveraging the best of Microsoft’s currently available technology. This breakdown applies to your environment, whether you are an enterprise business, a smallish tech company, or an educational institution. Simple enough?
Working Remotely – The New Normal
Today most of us have been asked to work remotely due to COVID-19. For some, this is how they have worked for years. For others, this is a major change and can be challenging for many reasons. If you were not set up with good internet access and a high-quality PC at home, it may be tough working remotely. Maybe you are used to dual monitors at work and now at home you only have one small monitor. Schools, from middle schools to universities, have handed out hundreds of thousands of laptops to enable students to use distance learning to do schoolwork remotely as well, even supporting remote access with buses converted to internet hotspots in some communities. There has been a renaissance of sorts transitioning many daily activities to online, such as Zoom meetings and Microsoft Teams meetings, rather than primarily in-person interactions. (It can’t be all that bad if you can wear pajama pants to work and no one knows, right?)
So, we are going to look at the different ways we can work remotely, but efficiently and securely. Primarily we will talk about Remote Control vs. Remote Node in terms of computing architecture. We will look at these different approaches, as well as the pros and cons of each of these associated Microsoft product and service offerings.
Microsoft 365 – What is this?
Microsoft 365 is an integrated bundle of Windows 10, Office 365 and Enterprise Mobility + Security services. Many of these cloud service offerings were formerly separate, such as Office 365. Today they are bundled under one subscription-based suite of software and services we call Microsoft 365 or M365.
We all know Windows 10 as a desktop operating system. And most of us know about Office 365, or what I used to call “Microsoft Exchange Online”. This is the leading e-mail service in the cloud, in my opinion. Enterprise Mobility + Security are the M365 components of the bundle. The Microsoft 365 service was launched in 2017 and continues to grow and innovate rapidly. M365 methodology will fall into the “Remote Node” architecture of remote computing. More on that later.
Microsoft VDI – What is this?
VDI stands for virtual desktop infrastructure. This refers to the servers, storage equipment, and networking hardware on the back end used by IT to create and deliver the virtual machine we can call your cloud desktop. There are many variations of VDI, from a private virtual machine dedicated just for you, to a multi-user server leveraging terminal services that may have 25 people on one virtual machine, each working with their own private slice of this virtual server as their cloud desktop.
Obviously, there will be advantages and disadvantages to both of the above methods of delivering users a virtual desktop for daily use. We will touch on those in a bit.
VPN – Do you use this?
VPN stands for Virtual Private Network, and we refer to this as the hardware and software used to create a secure tunnel between your remote computer connected most anywhere on the internet and your office network. On your remote laptop you most likely have VPN software. In most cases, it connects back to the office network on a firewall or VPN concentrator appliance. This allows you to create a secure connection that no one on the internet can intercept by being a “man in the middle” or sniffing the traffic. This is secure because of the encryption used by the VPN to secure the back and forth communications from your laptop remoting into the corporate network. These solutions usually give the office IT staff control over what you have access to once connected and so forth. More on the pros and cons of VPN as a remote solution later.
RDP – Remote Desktop Protocol
RDP, or Remote Desktop Protocol, is a communications protocol that allows a computer such as your laptop on the internet to connect to another remote computer, seeing and controlling the desktop as if you were sitting in front of it, with full graphics support. This is wildly popular in remote computing today and is the method used to connect to VDI in the Microsoft cloud. When we refer to RDP as a methodology of working remotely, it can mean a few things, so we will touch on each of these before moving on.
One example can be just using RDP from home and remoting into your desktop at work. This is generally not secure enough, and can be difficult to support for multiple users, so we would not generally see this basic use case for RDP in business. If this is how you are currently utilizing RDP, you might reach out to your IT team.
The next example of RDP is the Microsoft hosted desktop service.[i] This service offers a Windows 10 Multi-session virtual machine for you to use as your personal desktop in the cloud daily. This uses a special RDP client for this service and may have some licensing advantages for current Office 365 E3 level or higher clients. (Please see TRUE’s white paper, Setting Security Baselines in Microsoft 365, containing an updated M365 licensing overview to explore the various service plans for more information.[ii] You may already have access to what you need, or it may be a very simple upgrade.) This service has many appealing features for a corporate IT administrator that can help secure the deployment and manage it on an ongoing basis to keep things running smoothly.
Finally, we talk about Terminal Services. This is referred to as a session host computer or even a terminal server. Usually built by corporate IT staff, this server has tons of CPU and RAM resources so many users can each have a private slice of the terminal server for their remote session. Users generally have no idea they are on a shared server with 30-40 other users and they should not care. You have all software required and these are generally more cost effective in larger corporate use cases for hundreds or even thousands of users. Many terminal servers may form a farm to support such a large group of users. This solution usually includes a gateway server or portal where users log in from outside, and it brokers the session between you and the terminal server. This is very secure and can be made highly available for those use cases when downtime is expensive and undesired. The DaaS (Desktop as a Service) offering from Microsoft comes with a gateway solution included in the service and managed by Microsoft as opposed to being managed and owned by IT staff. You can even get a dedicated Virtual Desktop that you and only you use, as opposed to Win 10 Multi-Session.
Remote Control vs Remote Node?
Remote control vs. remote node refers to computing architecture, specifically as to where the processing takes place. This can be quite relevant to the end user in terms of performance, as well as security. Take remote control, for example. This is where, via RDP or other protocol, you remotely control any computer. If you have an older desktop as an endpoint (the computer you sit in front of) then the cloud desktop you are remote controlling may be faster. If all business applications are hosted in the cloud in the same Azure VNET as your virtual desktop, then the cloud desktop might be a lot faster. This is using VDI and can require a good quality internet connection for a good experience. This is mostly dependent on latency and not so much bandwidth, because the only things going back and forth over the internet are keyboard and mouse clicks uploading, and video downloading to your screen. With remote control a quality 10 meg internet circuit may be better for VDI than a lumpy 100 meg service from a different provider. The faster you can get from your endpoint to the VDI the better, and this is measured in thousandths of a second. Ideal experiences would be below about 120 ms (milliseconds) to 180 ms. I prefer 80 ms or less.
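To check a home connection against those numbers, the following added example (not part of the original article and not a Microsoft tool) times TCP handshakes to a gateway you own and rates the results. The use of port 443, the band names and the "lumpy" rule are assumptions of this sketch; only the 80, 120 and 180 ms figures come from the text above.

```python
import socket
import statistics
import time

# Thresholds are the article's figures; the band names are this example's own.
PREFERRED_MS = 80   # "I prefer 80 ms or less"
IDEAL_MS = 120      # lower end of "below about 120 ms to 180 ms"
UPPER_MS = 180      # upper end of that range


def tcp_rtt_ms(host, port=443, timeout=2.0):
    """Time one TCP handshake in milliseconds; None if the probe fails."""
    start = time.perf_counter()
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return (time.perf_counter() - start) * 1000.0
    except OSError:
        return None


def probe(host, port=443, count=20, pause=0.25):
    """Collect handshake timings from your endpoint to your own gateway."""
    samples = []
    for _ in range(count):
        samples.append(tcp_rtt_ms(host, port))
        time.sleep(pause)
    return samples


def summarize(samples_ms):
    """Rate a link by median latency; flag it as lumpy when probes were lost
    or the worst sample leaves the usable range although the median is fine."""
    good = sorted(s for s in samples_ms if s is not None)
    loss = 1 - len(good) / len(samples_ms) if samples_ms else 1.0
    if not good:
        return {"median": None, "worst": None, "loss": loss,
                "rating": "unreachable", "lumpy": False}
    median = statistics.median(good)
    if median <= PREFERRED_MS:
        rating = "preferred"
    elif median <= IDEAL_MS:
        rating = "ideal"
    elif median <= UPPER_MS:
        rating = "borderline"
    else:
        rating = "poor"
    lumpy = loss > 0 or (median <= UPPER_MS and good[-1] > UPPER_MS)
    return {"median": median, "worst": good[-1], "loss": loss,
            "rating": rating, "lumpy": lumpy}


# Constructed samples (ms), not measurements: a steady line and a lumpy one.
STEADY_LINE = [42.0, 45.0, 44.0, 47.0, 43.0]
LUMPY_LINE = [30.0, 35.0, 250.0, 32.0, 310.0, None]

if __name__ == "__main__":
    for name, samples in (("steady", STEADY_LINE), ("lumpy", LUMPY_LINE)):
        print(name, summarize(samples))
```

The lumpy sample set has the better median of the two, which is why the summary reports the worst sample and probe loss alongside it; to measure a real link, pass the output of `probe()` for your own gateway hostname to `summarize()`.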
Remote node, on the other hand, uses the local laptop or desktop you are in front of to do all the computing or calculations via that local CPU. If you have a nice, new laptop with a fast i7 processor and lots of RAM, things might compute faster locally. This is sometimes true with heavy graphics applications like CAD and Photoshop. Your internet connection also plays a huge role in the end user experience in terms of performance. If you have a new, lightning fast AT&T Gigabit fiber circuit like I do, loading that spreadsheet from the cloud will be as fast as any other method to open or save the file. Keep in mind that some applications run slower in remote node due to inefficient network transactions having to traverse long distances. It takes a bit of time. An example of this would be QuickBooks. This application does not run well in a WAN (Wide Area Network) situation, such as a laptop at home and a VPN to work where the QuickBooks file is hosted on a file server. This is another type of remote node (VPN) that we see in use today. Just remember things optimized for WAN, such as SharePoint and Teams, work much better over WAN in remote node. This is another feature of the M365 platform: applications that have been optimized for use over the web. Examples of this are Office 365 apps such as Outlook and Teams.
The Good, The Bad, and The Ugly
So, what are the pros and cons of each of these options for remote computing, and which one is right for your use case? Let us dive into that topic. Remote control or remote node should be the first thing we look at, as this may drive us toward one solution or the other. The two main choices would be M365 vs VDI (Microsoft’s hosted Windows 10 desktop as a service offering). Each of these methodologies has good and bad for your use case, so let us look at that.
VDI has become wildly popular, and Desktop as a Service (referred to as DaaS) is offered by many vendors today on the internet. VDI is remote control. Microsoft’s offering may have some distinct licensing advantages, as many users currently subscribed to M365 (formerly Office 365) may have entitlement to this service already. With VDI you remote to the virtual machine in the cloud with client software installed on your local computer or laptop. The VDI solution can even allow for the endpoint computer you sit in front of to be a thin terminal or dumb terminal. That refers to a lesser computer with nothing more than the RDP client to connect to the cloud hosted desktop. The advantage of the thin client device over your laptop is they generally cannot get viruses and are very locked down, purpose-built devices, so they are very reliable. They can use less power and last longer as an endpoint device and generally cost less than a quality PC.
Once you get connected to the VDI and you are on your cloud desktop, all processing happens remotely in the cloud. All software is installed remotely into the cloud desktop, and the only things going back and forth over the internet are your screen updates (video) downloading and your keyboard/mouse clicks being uploaded. In some ways this is very secure because all the corporate spreadsheets and documents are on the virtual computer in the cloud and not on your laptop or endpoint computer. If someone steals your laptop from your car and you strictly use VDI, there should be no documents or corporate data on the device (in theory). Your virtual desktop and those documents are secure inside a Microsoft data center somewhere. This solution can also be very fast, as the virtual desktop in the cloud may have more CPU and RAM than the laptop you’re using to connect to the cloud VDI. Also, VDI works well if your line of business software is hosted in your cloud using back end servers such as MS SQL. QuickBooks accounting software would be another good example of where a VDI desktop is right next to the server hosting QuickBooks and they communicate very fast. This makes for a good end user experience and good reliable performance.
That all sounds great. However, what happens with VDI when you lose internet connectivity? Well, you lose access to the entire desktop and all software and documents (temporarily). So, if you’re running a business with 50 users who need full-time access to their cloud desktops, redundant high-quality internet might be required. Another downside may be cost if you must pay for the virtual desktop, and you just purchased a new laptop with Windows 10 a few months ago.
Microsoft 365 has also become very popular since its release in 2017 due to a steady stream of improvements and overall increased awareness of the functionality and security of the solution. M365 is remote node. This means all processing happens on your local PC or laptop. This may be better if you have a good quality local computer. Let us take that same document example we used in VDI and look at things here. If your internet connection is a little slow when you open a spreadsheet or Word document with M365, you may not even notice. When you open the document, you download a copy of it locally in the background. When you go to edit a large spreadsheet, all processing is local, and your computer runs fast and works well. If there was slow internet or disruptive connectivity using VDI, you would feel it right away. This can result in jerky mouse movement, slow typing, or a lag in screen updates. None of that goes on with remote node, as all processing is local to your computer. The combination of web-optimized applications and next-level security has made M365 a top choice for businesses across the globe. Some of these features are Exchange Online Protection (Anti-SPAM), Office 365 Advanced Threat Protection, Information Rights Management, Microsoft Intune, Exchange Online Archiving, and more than 1,000 security and privacy controls, to name a few. No wonder this is becoming so popular as a cloud service offering.
The Bottom Line
So hopefully now you can guess or even know which method you have been using to work from home remotely. Or you now know which ones you want to investigate for your business to be ready for the next pandemic. Some examples are as follows:
- Low end consumer type solutions using remote control
  - Log Me In or Go To My PC
  - Corporate level solutions like Screen Connect
  - Better than nothing in a pinch for small deployments (Screen Connect with MFA) but not business grade for daily use in most cases
- VPN to Corporate Network using remote node
  - Cisco VPN Client
  - WatchGuard SSL VPN or SonicWALL VPN Client
  - Limitations such as slow running client-server-based software like QuickBooks
  - Usually slower as a solution for large file transfers, etc.
  - Can be cumbersome and not intuitive for end user
- Desktop as a Service subscription offering from Microsoft using remote control
  - My preferred solution based on the consistent experience
  - Less expensive endpoint (get another 2 years from my old desktop)
  - You can put M365 on top of this for the ultimate solution
- Terminal Services Session Host from Corporate IT using remote control
  - You may know this as Citrix if your company uses Citrix
  - Citrix is software that enhances Microsoft Terminal Servers and offers additional capabilities and supports additional features for an extra fee
  - You may have a portal such as https://remote.mycompany.com for RDP access
  - This is a more secure way of connecting to the internal RDP desktop
  - This is likely only for larger organizations with IT support or services you subscribe to like Microsoft Windows Virtual Desktop service.
- Microsoft 365 subscription
  - This is a top of the line solution for business not intended for single consumer
  - When your company gets support from a vendor like TRUE this can be set up to do amazing things not possible before M365 such as:
    - Auto install software when a new computer powers on with Intune
    - Prevent users from sending emails with credit card numbers or social security numbers with Microsoft Information Protection[iii]
    - Monitor logins from new locations or new devices and force use of Multi-Factor Authentication or force user to change password with Conditional Access policies in Intune [iv]
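The last item in the list, monitoring logins from new locations or new devices, can be pictured as the decision logic below. This is an added example, not part of the original article and not Microsoft's Conditional Access implementation: the record fields, the action names and the rule that a login new in both location and device triggers the password change are assumptions made for illustration, and the sign-in records are constructed.

```python
# Constructed sign-in records (not real logs). "verified" says whether the
# user completed the step that the decision demanded.
SIGN_INS = [
    {"user": "alice", "country": "US", "device": "LAPTOP-01", "verified": True},
    {"user": "alice", "country": "US", "device": "LAPTOP-01"},
    {"user": "alice", "country": "US", "device": "TABLET-07", "verified": True},
    {"user": "alice", "country": "BR", "device": "PHONE-99", "verified": False},
    {"user": "alice", "country": "BR", "device": "PHONE-99", "verified": False},
    {"user": "alice", "country": "US", "device": "TABLET-07"},
    {"user": "bob", "country": "CA", "device": "DESKTOP-02", "verified": True},
]


def evaluate(sign_ins):
    """Return one decision per sign-in by comparing it with what is already
    known about that user's locations and devices."""
    known = {}  # user -> {"countries": set, "devices": set}
    decisions = []
    for ev in sign_ins:
        profile = known.get(ev["user"])
        if profile is None:
            # Nothing known about this user yet: challenge to build a baseline.
            action = "require_mfa"
        else:
            new_country = ev["country"] not in profile["countries"]
            new_device = ev["device"] not in profile["devices"]
            if new_country and new_device:
                action = "force_password_change"  # assumption of this sketch
            elif new_country or new_device:
                action = "require_mfa"
            else:
                action = "allow"
        decisions.append(action)
        # Learn a location or device only after an allowed or verified login,
        # so a failed challenge cannot add itself to the trusted baseline.
        if action == "allow" or ev.get("verified", False):
            profile = known.setdefault(
                ev["user"], {"countries": set(), "devices": set()})
            profile["countries"].add(ev["country"])
            profile["devices"].add(ev["device"])
    return decisions


if __name__ == "__main__":
    for ev, action in zip(SIGN_INS, evaluate(SIGN_INS)):
        print(ev["user"], ev["country"], ev["device"], "->", action)
```

The two unverified logins from the same new country and device are both challenged, because the baseline is updated only after an allowed or verified login.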
So, really any of these solutions can work for you in a pinch. Some can be easier to own than others. Some can have lower cost of ownership, but may be more time-consuming to administer for the IT dept. And of course, we want to talk about security. Some of these are more secure than others. Please see TRUE’s blog series on Securing your Remote Workforce using M365 for more valuable info on security.[v] M365 can offer more visibility and control over your data, and how it is stored or shared, than ever before. Next-level security features backed by AI and Microsoft are a great weapon against the modern onslaught of malware and security breaches on the internet today.
In these trying times, there is not a right or wrong answer to getting a reliable work-from-home solution for a business. The needs and budget capabilities should be thought about, along with security and the end user’s productivity. Many of these newer features of Microsoft 365 can be very compelling and solve many problems for the modern remote workforce. Do not forget you can also combine these when looking for the best solution rather than the most cost effective. One example of that would be using a DaaS virtual desktop in Azure with M365 on top of that. You can remove the need for the expensive domain controller and file server virtual machines in your network, and effectively have the best of both worlds in my opinion.
I have been using VDI and remote control to get to my cloud desktop for years. I was an early adopter. I enjoy the consistent experience and easy access to my same desktop from anywhere, on any device. The M365 remote node option has really come on in recent years. I use more and more of these services daily. Microsoft Teams, SharePoint, Exchange Online are all daily parts of today’s remote work life for many. An awesome example of M365 is you can literally take a new Surface tablet computer out of the box, log in, and it will download and set up all your software for you using M365. Add in the security features such as Conditional Access and Information Protection and you have some of the best security available today for your business. Combine this with functionality and ease of use and we can see Microsoft 365 is here to stay. Chances are we are all current subscribers to M365, as well. Isn’t it time to investigate setting up some of these features in your account? Please feel free to reach out to TRUE for more info or assistance with your work from home needs. Stay Safe and Stay Secure!