VDI, DaaS, and Emerging Technologies That Better Fit the SSL VPN Use Case

Whether evaluating their current function or considering implementing them as part of a remote work strategy, many organizations have undoubtedly evaluated SSL VPNs and their efficacy in securing the applications, data, and services of remote workers.  

But while VPNs might have more recognition, having been around for decades, there are technologies now that better fit the VPN use case in securely connecting remote workers to their corporate environments. Below we’ll look at the drawbacks of SSL VPNs that enterprises must be aware of and more modern technologies that are equipping enterprises with the security, connectivity, and improved end user experience that VPNs are lacking.  

SSL VPNs and Why They Are Used  

Virtual Private Networks (VPNs) provide users with secure remote connectivity. They are a mature, well-established technology that effectively allows a remote user to plug their laptop into the corporate network. SSL VPNs are software clients connecting end users to corporate networks. Connections are encrypted end-to-end so anyone “eavesdropping” on the network can’t intercept the traffic. That being said, SSL VPNs are increasingly being exploited by cybercriminals and nation states. This prompted CISA and the NSA to issue a detailed guide to help organizations and users understand the risks VPNs pose and how to select and configure a secure VPN.  

However, I’d be remiss not to detail where these types of VPNs are used safely and effectively. An effective use case, for example, is when companies issue company-managed devices to their employees. Fully managed and secured devices can enable users to connect from various locations via an SSL VPN without sacrificing much in terms of cybersecurity and protection. Of course, there are a lot of components that go into making a device managed and secured. These include enforcing password policies and multi-factor authentication (MFA) on both laptop and VPN connections, equipping employee devices with anti-virus/anti-malware, current patches, etc.  

The bottom line is SSL VPNs are a satisfactory solution if the environment matches them – meaning the client device connecting to the company network must be trusted as if it were physically present. It doesn’t work when WFH/WFA users install the company VPN client on a personal machine that has keyloggers or other nastiness compromising the environment’s security.  

Drawbacks of SSL VPNs 

SSL VPN connectivity is typically a function of a corporate firewall or router, with VPN functionality being a non-scalable component of the core network. In many cases, they are designed to support up to a certain number of users or bandwidth threshold. If that’s exceeded then performance suffers dramatically, or users simply will not be able to connect. Upgrading VPN capabilities often requires changes to the core network infrastructure, and so does scaling it up and down based on remote user need, so the pandemic and work-from-home policies have made managing and maintaining a robust and flexible VPN solution at scale very challenging. 

Furthermore, SSL VPN functionality is generally seen as a low-performance way to give users access to their data and applications. Unlike these VPNs, which have users connect to the internet from unmanaged locations (e.g., a home network) and “pull” data across to their local PC, remote desktop solutions allow users to access data over higher-bandwidth and lower-latency connections because the desktop runs adjacent to the data source, and only streamed images are sent over the user’s home connection.  

Finally, being a mature technology solution also means that in many cases SSL VPNs were not architected with modern security and availability considerations in mind. For instance, some solutions may not have multi-factor authentication enabled or may not have redundancy built in. Many organizations have traditionally used SSL VPNs for a small minority of users working remotely as opposed to within the confines of a corporate office. Because of this, a VPN failure could be tolerated because the majority of a company’s users used the corporate network to connect to corporate data and apps. In today’s WFH world, SSL VPNs simply don’t stack up to modern alternatives.  

Emerging Technologies Better Fit the SSL VPN Use Case  

A number of technologies like SD-WAN, SASE and SDP have emerged to address the same issues VPNs traditionally have by offering secure, encrypted remote access. It’s worth noting that some of these still suffer similar drawbacks such as reduced performance from accessing data at a distance and being susceptible to compromised end user devices. Many organizations have also replaced SSL VPN technologies with zero-trust methods and tools along with modern identity and access management (IAM) solutions.  

That being said, organizations have also increasingly turned to virtual desktop infrastructure (VDI) and Desktop-as-a-Service (DaaS) solutions as they seek out not only more modern ways to securely enable remote work but also evaluate corporate device policies and hardware investments. These solutions, like Microsoft’s Azure Virtual Desktop and Windows 365 offerings, keep all data and work within the secured environment. As a result, there is no worry if a user is logging in from a company laptop, home computer, or public machine – working inside VDI removes the need for any data to travel outside the company network. So, the potential attack surface is much smaller while the scalability and opportunity for BYOD initiatives increases.  

Additionally, today’s VDI solutions are very flexible, allowing users the option to securely access their resources without needing extra software. Users can quickly connect through web browsers and without any installs, making remote work fast, flexible, and safe. And for simple cases like accessing internal apps or web resources, organizations won’t find it necessary to provide users a full desktop and can be selective in only giving users the resources they need, abiding by zero-trust principles.  

The bottom line is that SSL VPNs are often a slower, less reliable, non-scalable, and less secure way to enable work from home.  This is why VDI and DaaS solutions are better, more modern, and flexible alternatives. 

AVD Identity Management Part 1: Historic Limitations + The Introduction of Azure Active Directory  

Identity management in Microsoft Azure is a huge component of overall management and architecting a successful environment. It is necessary for delivering apps, data and tools needed to be productive, maintain proper group policies and permissions, and much more.  

In this blog post, learn about the history of Microsoft’s Active Directory, its evolution, and the new era of identity management in Azure Virtual Desktop utilizing Azure AD Join. This is the first in a two-part series around identity management in Azure Virtual Desktop and, more broadly, Azure.

A Brief History Lesson 

If you are as old as I am then you will remember the phrases Primary Domain Controller and Backup Domain Controller which went waaaaaay back to Windows NT4. In 2000, Microsoft released something called Active Directory alongside Windows 2000 (I hope lots of memories are flooding back now!).  

Active Directory was essentially a database with a schema, which consisted of all the user accounts, computer accounts, security groups and other information for the Active Directory “Domain”. This information was replicated around to other “Domain Controllers” throughout a company’s Active Directory forest and domains. This allowed users to log onto the company domain and authenticate to access other resources using Kerberos or NTLM authentication.  

As part of Active Directory, Microsoft also introduced the concept of Group Policies, a way of configuring settings and applying them centrally to all of a company’s computers which were domain-joined.  

Active Directory continues to be extremely popular today, an impressive 22 years after its initial release! If you ask any enterprise company running Windows, and even most SMBs using the OS, there is a high chance they will be using Active Directory. 

In October 2015, Microsoft released Azure Active Directory Domain Services (Azure AD DS) to the world. Azure AD DS is an Azure-managed PaaS (platform-as-a-service) service for Active Directory. This effectively brought Active Directory into the cloud. 

Each Azure AD DS deployment consisted of two domain controllers in the company’s specified region. These are deployed and managed by Microsoft. Alternatively, some customers deployed virtual machines (VMs) into Azure and then installed AD DS onto them. Generally, this provided more compatibility and kept operating costs around the same, but it meant introducing an additional VM to manage within one’s Azure Environment.  

Enter the modern era of cloud computing and we now have a third identity management service in the Microsoft mix – Azure Active Directory (Azure AD). Azure AD was initially released to support Office 365 and work alongside AD DS or Azure AD DS. Admins sync users and security groups from either of these solutions into Azure AD, and then Office 365 and other Microsoft services use Azure AD to authenticate users.  

However, Azure Virtual Desktop hosts still had to join Active Directory domains.  

Image Credit: Microsoft

This is All Getting a Bit Complicated 

Azure Virtual Desktop was released in September 2019, known as Windows Virtual Desktop at the time. With Azure Virtual Desktop, users must be synced to Azure AD, and Azure Virtual Desktop hosts must be joined to either AD DS or Azure AD DS. This presented a problem as companies had to go through the process of authenticating twice: first to Azure AD to authenticate access to the Azure Virtual Desktop service, and second to authenticate against the computer account for the domain. This was known as a double logon, which inevitably begged the question, “Wouldn’t it be great if we could authenticate against only one service?” 

Enter Azure AD Join 

In September 2021, Microsoft released Azure AD Join for Azure Virtual Desktop hosts. This introduced the capability to Azure AD Join an Azure Virtual Desktop host, which takes away the requirement to deploy either Azure AD DS or AD DS into an Azure environment.  

Before you get too excited, the users must still be synced into Azure AD from Azure AD DS or AD DS if you want to use FSLogix profiles. Many do, and will still need to deploy these for now. This is a limitation which Microsoft is working to unblock and that will hopefully be remedied later this year. For now, though, it gives us the ability to Azure AD Join our session hosts and to not need line of sight of our domain controllers. Not having to have line of sight of our domain controllers means that we do not have to deploy additional network infrastructure to ensure connectivity to the domain controllers, for example, site-to-site links to the domain controllers. 

What about FSLogix Profiles? 

Eagle-eyed readers of this article by now will have thought, “If I have my FSLogix profile sitting on an Active Directory storage account, how is logging into my session using my Azure AD credentials going to work?”  

Well…Microsoft also recently released the capability to Azure AD Join storage accounts into public preview! This means that if session hosts are Azure AD Joined, and the storage account containing the FSLogix profiles is Azure AD Joined, it will all work like magic!  

The process of performing Azure AD Join is quite complicated to get to the above ideal scenario, but Nerdio makes it easy through automation – a screenshot of Nerdio Manager for Enterprise is below to illustrate. Note Azure AD Join is currently in Public Preview so please only use this in non-production environments.  

Once Azure Virtual Desktop hosts and storage accounts are Azure AD Joined, admins will only ever have to authenticate against Azure AD for a seamless experience.  
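The end-to-end state described above (session host Azure AD joined, storage account Azure AD joined, sign-in governed by Azure RBAC) can be reached with Az PowerShell. The following is an added illustration, not Nerdio Manager’s automation or a Microsoft script; resource group, VM, host pool, storage account, group and domain names are placeholders, and it assumes the Az.Compute, Az.Resources, Az.Storage and Az.DesktopVirtualization modules.

```powershell
# Added example (not Nerdio's automation): Azure AD Join an existing AVD session host,
# authorize sign-in via Azure RBAC, and enable Azure AD Kerberos on the FSLogix storage account.
# All names below are placeholders; replace them with your own resources.
$rg        = "rg-avd-placeholder"
$vmName    = "avd-host-01"
$location  = "eastus"
$stAccount = "stfslogixplaceholder"
$hostPool  = "hp-avd-placeholder"
$userGroup = "AVD-Users"          # Azure AD security group, synced from AD DS as the post requires

# 1. The AADLoginForWindows extension needs a system-assigned managed identity on the host.
$vm = Get-AzVM -ResourceGroupName $rg -Name $vmName
Update-AzVM -ResourceGroupName $rg -VM $vm -IdentityType SystemAssigned | Out-Null

# 2. Install the extension; this is the Azure AD Join step for the session host.
Set-AzVMExtension -ResourceGroupName $rg -VMName $vmName -Location $location `
    -Name "AADLoginForWindows" -Publisher "Microsoft.Azure.ActiveDirectory" `
    -ExtensionType "AADLoginForWindows" -TypeHandlerVersion "1.0" | Out-Null

# 3. On Azure AD-joined hosts, who may log on is an Azure RBAC decision, not a domain group:
#    grant the users group the least-privileged login role at the resource group scope.
$groupId = (Get-AzADGroup -DisplayName $userGroup).Id
if (-not $groupId) { throw "Group '$userGroup' not found in Azure AD" }
New-AzRoleAssignment -ObjectId $groupId -RoleDefinitionName "Virtual Machine User Login" `
    -ResourceGroupName $rg | Out-Null

# 4. Allow client devices that are not themselves Azure AD joined to reach the AAD-joined hosts.
Update-AzWvdHostPool -ResourceGroupName $rg -Name $hostPool `
    -CustomRdpProperty "targetisaadjoined:i:1;" | Out-Null

# 5. Storage account: enable Azure AD Kerberos so the profile share accepts the Azure AD sign-in.
#    Domain name and GUID are still required because the users are synced from on-premises AD DS.
Set-AzStorageAccount -ResourceGroupName $rg -StorageAccountName $stAccount `
    -EnableAzureActiveDirectoryKerberosForFile $true `
    -ActiveDirectoryDomainName "corp.example.com" `
    -ActiveDirectoryDomainGuid "<domain-guid-placeholder>" | Out-Null

# Verify the join took: the extension should report a succeeded provisioning state.
(Get-AzVMExtension -ResourceGroupName $rg -VMName $vmName -Name "AADLoginForWindows").ProvisioningState
```

Hosts joined this way have no dependency on line of sight to a domain controller, which is the point the post makes; the share-level SMB data role for the users still has to be assigned separately.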

Note, at this moment in time, the user must be synced from Active Directory Domain Services for this to work. Azure Active Directory Domain Services is not supported currently but will be in the future.

We all also now have the capability to auto-subscribe to the Azure Virtual Desktop feed via MEM Configuration which means a true single-sign on experience is possible for our end users.  

I hope you enjoyed this post! Check back in a few weeks for Part 2 in this series on identity management in Azure. We will do a technical deep dive on how Azure AD Join is configured and some other things you need to think about when using the service.  

For more information, please check out the following Microsoft resources:  

Deploy Azure AD joined VMs in Azure Virtual Desktop – Azure | Microsoft Docs 

Create an Azure file share with Azure Active Directory (preview) | Microsoft Docs 

NerdioCon 2023 Location Announced! 

Back in late February we kicked off NerdioCon 2022, our first-ever in-person user conference and industry event. It was a smashing success and one met with a fantastic reception by the global managed service provider (MSP) and channel community.  

Not only were we able to engage in-person with partners and MSPs from all over the world – but they were able to meet, learn and connect with each other and the channel’s top vendors and thought leaders. Attendee feedback has been overwhelmingly positive, with many expressing appreciation for the venue, location, and dedication to creating community.  

But the question on everyone’s mind (and in our inboxes!) is undoubtedly… “Where and when will NerdioCon 2023 take place?!” 

The number of inquiries about this in the months following NerdioCon 2022 already has us super excited for our next user conference. And thinking hard on how we can replicate the success of this year’s event with a dedicated enterprise track for our Nerdio Manager for Enterprise customers and community. While many details are still being ironed out – we couldn’t hold our tongues anymore.  

We’re announcing that we will be returning to beautiful Cancun, Mexico in February 2023 for another amazing all-inclusive event!  

Watch prominent channel leaders from Nerdio, Datto, Pax8 and Blackpoint Cyber in the video above discuss NerdioCon highlights and overall takeaways. Sign up at www.nerdiocon.com to stay informed on event updates and when tickets go on sale!  

5 Things MSPs Must Know about FSLogix  

Microsoft’s FSLogix is known for being a powerful profile management tool. It has many desirable features for managed service providers (MSPs) operating in Azure.  Launched in 2012 as a startup independent of Microsoft, FSLogix provided a tool to reduce the number of resources, time, and labor required to support virtual desktops. Because of the natural synergies with our mission, Nerdio has been a big fan of FSLogix since the beginning and closely kept an eye on the evolution of their product.  

And we weren’t the only ones! In 2018 Microsoft acquired the company. They noticed the value FSLogix brought to profile and application containerization and the company’s alignment with their own goals as it related to Azure Virtual Desktop (AVD), called Windows Virtual Desktop (WVD) at the time.  

Skip to today and we have seen the investments Microsoft has made into this technology and bringing it to the masses via AVD pay off significantly. MSPs who have an Azure practice have come to rely on FSLogix to optimize their environments. And MSPs who aren’t in Azure may not know about the benefits FSLogix provides… this article is for you!  

Below I outline the five key things your MSP should know when it comes to FSLogix and how you can use them to your advantage. 

1. A Premium Experience Requires Premium Storage 

We see a good deal of our MSP partners leveraging FSLogix alongside Azure Files, a popular solution for hosting files and folders, including user profiles, on Microsoft Azure. Specifically, they are seeing great results with this combination when using the Premium storage tier because profiles are so read/write-intensive. Azure Files Premium coupled with FSLogix maintains the best user experience by providing the highest IOPS and throughput for the disk.  

To further the above benefits while reducing storage costs, combine these technologies with the powerful auto-scaling capabilities available in Nerdio Manager. It helps MSPs eliminate common issues around over-provisioning or incorrectly guessing how much storage is needed by effectively turning the Premium tier into a pay-as-you-go model. 

2. How to Automate the Security and Access You Require  

Azure Virtual Desktop is a service that is constantly improving when it comes to identity and access management (IAM) and ensuring security at scale. Role-based access control (RBAC) roles are available in AVD and Nerdio Manager, with the latter giving MSPs the ability to create custom RBAC roles. To ensure FSLogix helps support your access policies, MSPs can automate setting the Azure Storage File Data SMB Share Contributor role on the Azure Files profile share for all users within a Security Group.  

This role is required to provide the needed Read/Write access for the profile share. You can read more about this role and others available via Microsoft’s documentation. By automating this setting, MSPs can consistently uphold zero trust principles whenever a new user or group is added.  
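The automation the post describes, written as an added Az PowerShell example rather than Nerdio Manager’s own implementation: assign the role to a security group at the narrowest scope (the share itself), skip the assignment when it already exists, and list every SMB data role on the share so over-broad grants surface in review. Resource group, storage account, share and group names are placeholders.

```powershell
# Added example (not Nerdio Manager's code): grant a security group the SMB data role on the
# FSLogix profile share, scoped to the share, idempotently, then review who holds SMB data roles.
$subscription = (Get-AzContext).Subscription.Id
$rg        = "rg-avd-placeholder"
$stAccount = "stfslogixplaceholder"
$share     = "profiles"
$groupName = "AVD-Users"
$roleName  = "Storage File Data SMB Share Contributor"   # read/write on the share, no elevated rights

# Share-level scope: the role applies to this share only, not every share in the account.
$scope = "/subscriptions/$subscription/resourceGroups/$rg/providers/Microsoft.Storage" +
         "/storageAccounts/$stAccount/fileServices/default/fileshares/$share"

$group = Get-AzADGroup -DisplayName $groupName
if (-not $group) { throw "Security group '$groupName' not found in Azure AD" }

# Idempotent: re-running the automation for a new user or group must not duplicate assignments.
$existing = Get-AzRoleAssignment -ObjectId $group.Id -RoleDefinitionName $roleName -Scope $scope
if (-not $existing) {
    New-AzRoleAssignment -ObjectId $group.Id -RoleDefinitionName $roleName -Scope $scope | Out-Null
    Write-Output "Assigned '$roleName' to '$groupName' on share '$share'"
} else {
    Write-Output "'$roleName' already assigned to '$groupName' on share '$share'"
}

# Least-privilege review: every principal holding any SMB data role on (or inherited by) this share.
# Stale users or an Elevated Contributor grant at the account level will show up here.
Get-AzRoleAssignment -Scope $scope |
    Where-Object { $_.RoleDefinitionName -like "Storage File Data SMB Share*" } |
    Select-Object DisplayName, ObjectType, RoleDefinitionName, Scope |
    Format-Table -AutoSize
```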

Pro Tip – Consider these best practices for NTFS Permissions on the profile share: 

3. Configure Outlook Cache to Avoid Overspending Real CASH 

One of the biggest benefits of FSLogix profiles is the ability to roam the user application caches, for example, Outlook mailbox data, and avoid constantly recreating it. Strategically defining individual cache settings allows MSPs to plan for growth and spending. What most MSPs don’t consider is that if left undefined, application caching can grow quickly and not all of it is crucial to your users’ experience.  

As an example, consider again a user’s Cached Exchange Mode settings. Is it wise to download their entire mailbox if they only need “fast/local” access to the last three months’ worth of data?  

Most MSPs find that it is in their best interest to configure a Group Policy Setting to manage Cached Exchange Mode which will define the amount of a user’s profile dedicated to Mailbox content storage. We have seen MSP partners configure this setting for as little as three months and as much as one year. Knowing the details of this setting can allow you to strategically assume/plan for the amount of growth in a user’s profile. Read Microsoft’s documentation about planning and configuring for additional insights and recommendations.  
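One way to enforce the sync window the post recommends is a Group Policy registry setting, shown here as an added example that is not from the post or from Nerdio. It assumes the GroupPolicy (RSAT) module on the admin workstation, Outlook 2016 or later (the 16.0 policy hive), and a placeholder GPO name and OU; the value codes are the ones the Outlook ADMX uses for “Cached Exchange Mode Sync Settings”.

```powershell
# Added example (not from the post): pin Outlook's Cached Exchange Mode sync window via a GPO
# registry policy so the Outlook cache inside each FSLogix profile cannot grow unbounded.
Import-Module GroupPolicy

$gpoName   = "AVD - Outlook Cached Mode"                     # placeholder GPO name
$targetOU  = "OU=AVD Users,DC=corp,DC=example,DC=com"         # placeholder OU DN
$policyKey = "HKCU\Software\Policies\Microsoft\Office\16.0\Outlook\Cached Mode"

# SyncWindowSetting codes from the Outlook ADMX: 0 = whole mailbox, otherwise months kept locally.
$syncWindows = @{ All = 0; OneMonth = 1; ThreeMonths = 3; SixMonths = 6; OneYear = 12; TwoYears = 24 }
$chosen = $syncWindows.ThreeMonths   # the "as little as three months" case; use OneYear for the other end

if (-not (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $gpoName | Out-Null
    New-GPLink -Name $gpoName -Target $targetOU | Out-Null
}

# A Policies-hive value overrides whatever the user picks in Outlook's account settings.
Set-GPRegistryValue -Name $gpoName -Key $policyKey -ValueName "SyncWindowSetting" `
    -Type DWord -Value $chosen | Out-Null

# Run on a session host (after gpupdate) to confirm the effective window and spot hosts
# where only the user preference, not the policy, is set.
function Get-OutlookSyncWindow {
    $paths = @{
        Policy = "HKCU:\Software\Policies\Microsoft\Office\16.0\Outlook\Cached Mode"
        User   = "HKCU:\Software\Microsoft\Office\16.0\Outlook\Cached Mode"
    }
    foreach ($source in $paths.Keys) {
        $v = Get-ItemProperty -Path $paths[$source] -Name SyncWindowSetting -ErrorAction SilentlyContinue
        if ($v) {
            $label = if ($v.SyncWindowSetting -eq 0) { "entire mailbox" } else { "$($v.SyncWindowSetting) month(s)" }
            [pscustomobject]@{ Source = $source; SyncWindowSetting = $v.SyncWindowSetting; Meaning = $label }
        }
    }
}
Get-OutlookSyncWindow | Format-Table -AutoSize
```

Hosts that are Azure AD joined rather than domain joined do not process domain GPOs, so there the same `SyncWindowSetting` value would be delivered through an Intune/MEM configuration profile instead.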

4. FSLogix Is More Than Just Profile Management  

FSLogix is a great way to create roaming user profiles in non-persistent computer environments like an AVD host pool with users logging into different hosts on what could be a daily basis. Profiles are no longer dependent on an individual machine due to the added flexibility with FSLogix. This allows MSPs to provide customers dynamic environments with a consistent user experience.  

But FSLogix includes a suite of tools focused on much more than just profile containers. Skilled and advanced MSPs have found value in using FSLogix for roaming Office profiles and cache, and masking applications so only the right users can see and access them. And some also use it for the ability to manage Java versioning. 

5. Why Application Masking May Be Our Favorite Feature  

FSLogix includes some incredible tools to manage application restrictions within multi-user environments. If you only want a subset of users to have access to an application on a multi-session host, you can implement app masking to hide apps from users. Looking to make app masking and management easier? Learn more about how Nerdio Manager helps manage installed apps and rule sets using FSLogix.  

I hope this has been an informative read on what is without a doubt one of the most helpful (but complex!) Azure Virtual Desktop-related technologies. To discuss FSLogix further or how your MSP can benefit from using or optimizing it, you can contact our team or join me at the Nerdio Partner Success Community.