Windows Virtual Desktop - Thoughts?


GregM

Member
Dec 6, 2020
15
2
We are looking at running some "Inventory Management Software" on a Win 10 installation, but the people that are going to access it are not even in the same city.

I was thinking that maybe setting up a Windows Virtual Desktop might be a way to go.

I did think about setting up a machine, and then using the services that Steve had recommended (Remote Utilities) to remotely access it (still an option).

Does anyone have any experience with WVD (Securely Accessing it, how well it runs, troubles they've had with it), or maybe another suggestion?

Cheers.
 

PHolder

Well-known member
Sep 16, 2020
719
2
353
Ontario, Canada
It sounds like an ideal solution would be an inventory system that has a web front end allowing access to do what your users need to do (and no more.) Of course, you probably don't have that, nor the time or budget to create it. Exposing a virtualized machine poses the risk that one of your users will get it into some mucked up state whereby it's unusable for the others. You will be needing to have regular backups, I'm guessing, to be able to restore back to a known good state if ever needed. Also, how will users share the machine if two people need it simultaneously?
 

rfrazier

Well-known member
Sep 30, 2020
286
89
TeamViewer is cool for remote access. I use it to support family members BUT, they have to physically interact on their end and set up the connection. Having remote access without that interaction can be dangerous. @Steve and others can chime in on how to secure such a thing.

Ron
 

Cozmo

Active member
Oct 8, 2020
25
3
Montreal, Canada
TeamViewer IS very efficient, even in an unattended setup. I've been using it for a few years on remote workstations. It does have limitations, especially in domain environments.

I'm not sure how I would feel about having a web-facing front end, the software would need to basically be bullet proof and that is rarely the case.

Edit : In my (semi-functioning) mind, this is practically a normal use case for a VPN.
 

EdwinG

Well-known member
Sep 24, 2020
47
15
I can't talk to Windows Virtual Desktop, except to say that I heard about it. My understanding is that it is similar to RDSH/RemoteApp in behaviour.

I have more experience with a Remote Desktop Session Host based RemoteApp setup to achieve something similar, but that might be quite expensive due to the licensing involved (Windows Server licences, Remote Desktop Services Client Access Licences, etc.).
My only tip is to never expose an RDSH/RemoteApp server to the Internet directly.
 

GregM

Member
Dec 6, 2020
15
2
It sounds like an ideal solution would be an inventory system that has a web front end allowing access to do what your users need to do (and no more.) Of course, you probably don't have that, nor the time or budget to create it. Exposing a virtualized machine poses the risk that one of your users will get it into some mucked up state whereby it's unusable for the others. You will be needing to have regular backups, I'm guessing, to be able to restore back to a known good state if ever needed. Also, how will users share the machine if two people need it simultaneously?

I've used TeamViewer, AnyDesk, Cloudberry's Remote Desktop, and others . . . some will warn if there is already a connection, so there is that.

Agreed, exposing a VM may be problematic.

At this point I'm spitballing ideas here.

The Inventory software has a "Server" and a "Client". That would be the next best thing to a 'web interface', but from what I'm seeing it looks like it might be piggybacking on Windows RDP which, thanks to Steve and the Security Now podcasts, I want to stay as far away from as possible.
 

GregM

Member
Dec 6, 2020
15
2
TeamViewer IS very efficient, even in an unattended setup. I've been using it for a few years on remote workstations. It does have limitations, especially in domain environments.

I'm not sure how I would feel about having a web-facing front end, the software would need to basically be bullet proof and that is rarely the case.

Edit : In my (semi-functioning) mind, this is practically a normal use case for a VPN.

Thanks for the reply Cozmo.
re: . . . case for a VPN.
I completely agree.
I know what I'm shooting for - not 100% sure how to get it, but . . . I think I'm getting there.

The inventory software apparently runs on Linux (with limited "tech support"). I'm thinking of firing up a Linux Server (with some help to make sure it is secured correctly), initiating a WireGuard server and then having the others connect using the WireGuard Client BEFORE initiating the "Inventory Software's Client". That way if there are any vulnerabilities in the "Inventory Software's Client" protocols, the VPN wrapper should keep them safe.

I'm still trying to work that out, but I think that is where I'm headed.
 

zim

New member
Jan 5, 2021
1
0
We are looking at running some "Inventory Management Software" on a Win 10 installation, but the people that are going to access it are not even in the same city.

I was thinking that maybe setting up a Windows Virtual Desktop might be a way to go.

I did think about setting up a machine, and then using the services that Steve had recommended (Remote Utilities) to remotely access it (still an option).

Does anyone have any experience with WVD (Securely Accessing it, how well it runs, troubles they've had with it), or maybe another suggestion?

Cheers.
WVD is more than what you describe, requiring M365, an FSLogix Profile server, host pool, etc. You'll also want MFA enforced as the access/control plane allows access through even web browser login, so it'll be attacked. Further, you'll need data/apps sitting in Azure so unless you already live in that world, you'd have to maintain a VPN Gateway link from onprem to Azure. It sounds like you're wanting either a single PC and someone to remote to it or a multisession WVD or RDS. I'd argue unless you are already "in" Azure, you'd be better served by VPN+RDP to an onprem system.
 

B_D

New member
Nov 5, 2020
2
0
I set up something like this for a small customer. Put in a pfSense, set up OpenVPN for remote VPN.
Users need to start VPN before they can connect to apps/intranet/etc.
Price is reasonable and setup is not too bad. Clients for most everything are available.
 

GregM

Member
Dec 6, 2020
15
2
WVD is more than what you describe, requiring M365, an FSLogix Profile server, host pool, etc. You'll also want MFA enforced as the access/control plane allows access through even web browser login, so it'll be attacked. Further, you'll need data/apps sitting in Azure so unless you already live in that world, you'd have to maintain a VPN Gateway link from onprem to Azure. It sounds like you're wanting either a single PC and someone to remote to it or a multisession WVD or RDS. I'd argue unless you are already "in" Azure, you'd be better served by VPN+RDP to an onprem system.
Thanks for the info zim!
I'm going to go the route B_D just mentioned.
I've set up WireGuard on Amazon's Lightsail.
Works like a charm.
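
The "start the VPN first, then the inventory client" setup discussed in this thread only protects the inventory protocol if the server is not also listening on the public interface. The following is an added example, not part of any post above: a check that reads `ss -tlnH` output on the Linux server and reports TCP listeners reachable from outside loopback and the VPN subnet. The subnet `10.8.0.0/24`, ports 5000/5001/8080 and the sample output are assumptions constructed for illustration.

```python
import ipaddress

# Constructed sample of `ss -tlnH` output (not taken from the thread).
# 5000/5001 stand in for hypothetical inventory-server ports.
SAMPLE_SS = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 4096 10.8.0.1:5000 0.0.0.0:*
LISTEN 0 4096 0.0.0.0:5001 0.0.0.0:*
LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 511 *:8080 *:*
"""


def parse_local(field):
    """Split ss's 'Local Address:Port' column into (host, port)."""
    host, _, port = field.rpartition(":")
    # Drop IPv6 brackets and any %interface scope suffix.
    host = host.strip("[]").split("%")[0]
    return host, int(port)


def exposed_listeners(ss_output, vpn_net, public_ok=frozenset()):
    """Return (host, port) for TCP listeners bound outside loopback/VPN.

    vpn_net   -- the VPN tunnel subnet (assumed value, e.g. "10.8.0.0/24")
    public_ok -- ports deliberately left public (e.g. SSH), skipped
    """
    vpn = ipaddress.ip_network(vpn_net)
    findings = []
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) < 5 or cols[0] != "LISTEN":
            continue
        host, port = parse_local(cols[3])
        if port in public_ok:
            continue
        if host == "*":  # dual-stack wildcard: every interface
            findings.append((host, port))
            continue
        addr = ipaddress.ip_address(host)
        if addr.is_loopback:
            continue
        if addr.version == vpn.version and addr in vpn:
            continue  # bound to the tunnel address only
        findings.append((host, port))  # 0.0.0.0, ::, or a public address
    return findings


if __name__ == "__main__":
    for host, port in exposed_listeners(SAMPLE_SS, "10.8.0.0/24", {22}):
        print(f"reachable without VPN: {host}:{port}")
```

A listener bound to a wildcard address can still be blocked by a host or cloud firewall, so a finding here means "verify the firewall rule", not necessarily "exposed".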