RDP Shortpath is all about offering better reliability and consistent latency for Azure Virtual Desktop (AVD). For a regular AVD session, all traffic is always tunneled through a gateway that is hosted by Microsoft as part of the AVD Service in Azure. RDP Shortpath allows direct RDP traffic from client to host and, after authentication and authorization, essentially bypasses the Gateway.
You might be familiar with the RD Gateway role as part of Remote Desktop Services. This role provides a similar service as it also tunnels RDP Traffic from the RD Client towards the RD Session host by only requiring outbound TCP traffic over 443 (SSL). There are distinct differences however. First, the AVD Gateway is hosted and controlled by Microsoft so you don’t see it in your subscription and it is managed and maintained for you. Second, AVD Gateway does not require you to open port 3389 from gateway to host as the AVD Agent on the host only requires outbound ports. The latter is called reverse connect and allows full separation between the gateway and host. Very important from a security standpoint of course.
Why is this important to the topic of RDP Shortpath? The AVD Gateway only supports RDP-TCP, meaning we cannot leverage RDP-UDP. If you’ve worked with RDS before, you’ll know that having RDP-UDP available significantly boosts the overall RDP experience. This is especially true for graphics-intensive or latency-sensitive applications. Ever since the release of AVD (and before that WVD), there has been a big ask for RDP-UDP, and it has been on the radar and roadmap for some time.
With RDP Shortpath, Microsoft delivered on this promise. It allows direct communication from the AVD client to the AVD host, which reduces round-trip time and improves the user experience, especially with latency-sensitive applications. RDP Shortpath does not replace reverse connect, as all session brokering is still performed by the AVD control plane.
RDP Shortpath comes in two different options
The first option is RDP Shortpath for managed networks. For this option your AVD clients need direct TCP access to port 3389 on the host. This option is mostly meant for trusted connections like ExpressRoute and site-to-site VPN. You can also use a public IP on the host, but for security reasons I would advise against that. More information on the setup and the requirements can be found here: Azure Virtual Desktop RDP Shortpath for managed networks.
The second option is Azure Virtual Desktop RDP Shortpath for public networks, which is currently in public preview. For this option, no TCP port 3389 to the host is required and, as a result, a private network like ExpressRoute or a site-to-site VPN is not required either. More information on the setup and the requirements can be found here: Azure Virtual Desktop RDP Shortpath for public networks (preview).
Although RDP Shortpath for public networks is still in public preview (Microsoft recommends not using it for production yet and configuring it on a validation host pool), my experiences with the feature have been great so far.
Enable RDP Shortpath for public networks preview
To participate in the RDP Shortpath for public networks preview, all you have to do is add the registry entry ICEControl as shown below.
Once enabled, the easiest way to confirm that RDP Shortpath for public networks is working (this also applies to managed networks) is by clicking on Connection information in the blue bar. As you can see below, it says ‘UDP is enabled’ and further down it lists UDP as the transport protocol.
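The Connection information dialog checks one session from the client side. As an added example (not from the original post), the PowerShell below confirms the negotiated transport from the session host side by reading the RDP core event log. It assumes the log name and event ID that Microsoft documents for RDP Shortpath verification (RdpCoreCDV/Operational, event 135); verify both against your build before relying on the output.

```powershell
param(
    [string]$ComputerName = $env:COMPUTERNAME,   # session host to query
    [int]$Hours = 24
)

# Assumption: log name and event ID as documented by Microsoft for verifying
# RDP Shortpath; the event message ends with "its transport type set to UDP"
# (or TCP when the client fell back to the gateway path).
$logName = 'Microsoft-Windows-RemoteDesktopServices-RdpCoreCDV/Operational'
$eventId = 135

$events = Get-WinEvent -ComputerName $ComputerName -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName   = $logName
    Id        = $eventId
    StartTime = (Get-Date).AddHours(-$Hours)
}

if (-not $events) {
    Write-Warning "No transport negotiation events in the last $Hours h on $ComputerName (no sessions, or the log/event ID differs on this build)."
    return
}

$summary = foreach ($ev in $events) {
    # Extract the negotiated transport from the message text
    $transport = if ($ev.Message -match 'transport type set to (\w+)') { $Matches[1] } else { 'Unknown' }
    [pscustomobject]@{
        Time      = $ev.TimeCreated
        Transport = $transport
    }
}

# Overall split: with Shortpath working you expect UDP to dominate
$summary | Group-Object Transport | Select-Object Name, Count | Format-Table -AutoSize

# Sessions that did not end up on UDP are the ones to investigate (client
# network, firewall, or the ICEControl entry missing on the host)
$summary | Where-Object { $_.Transport -ne 'UDP' } | Format-Table -AutoSize
```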
Putting RDP Shortpath into action
Over time, I have performed several tests with RDP Shortpath for both public and private networks, even when RDP Shortpath was still in technical preview. Some of those test videos are available on my YouTube channel.
In my most recent test from last week, I put RDP Shortpath for public networks to the test using an NVads A10 v5-series session host in Azure Virtual Desktop. These VMs are powered by an NVIDIA A10 GPU. What’s also great about the NVads A10 v5 series is that it allows you to select models with a partial GPU. So for scenarios where a full A10 GPU is not required, you can also select a size with 1/2, 1/3 or even 1/6 of a GPU. Back in March of this year, when this new series was still in preview, Michel Roth (Microsoft Azure HPC team) wrote a great article called Why the NVads A10 v5 series lowers AVD costs even further, which contains interesting insights into the benefits and costs.
Back to my test case. To test-drive RDP Shortpath on the GPU-enabled machine in a fun way, I ran GTA5 inside the AVD session host! The results were amazing. As you can see in the screenshot below, the round-trip latency was only 8 ms at 49 frames per second. During this test run the frame rate fluctuated between 46 and 50 frames per second.
This is article number three in a series I’m publishing on Parallels Remote Application Server version 19. In the previous two articles I discussed support for Let’s Encrypt and integration with MSIX app attach.
In this article I will focus on two smaller, but definitely no less powerful, features. I will show you how to use expression-based filtering & policies, and multiple Multi-factor Authentication (MFA) providers.
Expression based filtering & policies
Expression-based filtering rules and criteria allow you to control more granularly who has access to which published items, to which objects the RAS Client Connection policy is applied, to restrict user logon hours for accessing Farm resources, and to manage MFA requirements.
In this example I’ll show you how easy it is to apply an expression-based filter on a published application or desktop. First, select a published resource and open the filter tab.
Next, notice there already is a default filter, which basically applies when no other filter matches. Click the + sign to create a new filter and provide a name. In this example I want to prevent users from launching Power BI from the web client, so I name it No Web Clients. Now click Tasks; in this example I want to filter on Client device operating system.
I select ‘User Portal (Web Client)’ because that is the client type I want to prevent access from.
As a last step, click ‘Allow if’ to easily flip it to ‘Deny if’. Notice that a very readable sentence is now generated saying: Deny if users or group is everyone and the operating system is User Portal (Web Client). Also notice that many of the words are links you can click on to change the rule properties.
Now log on to both the Web client and the Windows client with the same username to see the expected end result: Power BI is not available as a published app in the Web Client, while it is available in the Windows client.
Another great thing about Expression Based Filters is that these can also be applied to the extensive list of policies that are included in RAS. The example below shows the creation of a new policy with the ability to add an expression to control when (under which conditions) the policy gets applied. Super powerful!
And finally, a new criterion has been added called ‘Theme’. This allows you to filter based on a Theme created in Parallels RAS. For example, below is a sample of a newly created theme containing some branding and user experience settings.
I can now create an expression-based filter on this newly created theme. In this case I am denying access if that specific theme is used.
The same method of creating conditions also applies to, for example, the MFA settings in Parallels RAS. In RAS 19, increased flexibility is added for using multiple MFA providers without the requirement to deploy different Parallels RAS environments. Plus, combining the MFA settings with restrictions is really powerful! In the example below I have configured Duo MFA as an MFA provider, and on the restrictions tab I have disabled Duo MFA for the users avdtest1 and avdtest2 and also for the devices avd-demo-1 and avd-demo-2.
And in Parallels RAS 19, I can now create another MFA provider, in this case Google Authenticator, and enable that for the previously excluded users and devices.
Being able to configure multiple MFA providers in such an easy way is definitely a great feature. The capabilities of the very easy to use restrictions and filters add even more power and simplicity for the admin!
Give it a try! Log in to your existing Parallels My Account, download and install the Parallels RAS 19 Technical Preview to get started. If you do not already have an account, please visit my.parallels.com/register
On June 1st 2022 Parallels released Remote Application Server 19 Public Preview! This version comes with a lot of new exciting features! In a previous article I focused on the MSIX app attach support. In this article I want to address the support for Let’s Encrypt!
Let’s Encrypt is a free, automated, and open certificate authority by the nonprofit Internet Security Research Group (ISRG). Their mission is to create a more secure and privacy-respecting web for everyone by promoting adoption of HTTPS. They do not charge any fees for their certificates, which are valid for 90 days. The certificate management automation provided by Parallels RAS allows you to issue, automatically renew, manually renew, and revoke certificates.
There are two basic requirements to get started:
• You need a publicly accessible domain that resolves to the Secure Gateway directly or through third-party load balancers.
• On the Secure Gateway, port 80 must be opened for incoming Let’s Encrypt requests.
First, to make sure that only Let’s Encrypt is able to access port 80 on your Secure Gateway, configure the network properties of the Secure Gateway as shown below.
Next, go to Farm, Certificates, and select ‘Let’s Encrypt settings’.
Select the ‘I have read and accept Let’s Encrypt EULA’ option, provide an expiration email address, and optionally change how many days before expiration you want to automatically renew.
Now select the + sign and choose ‘Issue Let’s Encrypt certificate’.
Now provide the required information to issue the certificate. Once you have done that the certificate will appear in the list and will show a status of ‘Issuing’ first.
Once this is completed (it only takes a few minutes), you are ready to go!
To confirm, connect to the web portal and, as you can see below, the certificate is in use, valid and publicly trusted!
And the session information of the Parallels RAS 19 client also shows the certificate.
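The checks below are an added example, not part of the original post or of Parallels RAS, for confirming the result from outside the console: they pull the certificate the Secure Gateway serves, report issuer, name match, remaining validity and chain trust, and test whether port 80 accepts connections from the host you run them on. The FQDN and the renewal threshold are placeholders to replace with your own values.

```powershell
param(
    [string]$GatewayFqdn     = 'ras.example.com',   # placeholder: public name of your Secure Gateway
    [int]   $Port            = 443,
    [int]   $RenewBeforeDays = 30                   # placeholder: the auto-renew value set in the RAS console
)

function Get-GatewayCertificate {
    param([string]$HostName, [int]$Port)
    $client = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    # Accept whatever the server presents during the handshake; trust is evaluated
    # explicitly below so the script can report why a chain fails instead of just dying.
    $ssl = [System.Net.Security.SslStream]::new(
        $client.GetStream(), $false, { param($s, $c, $ch, $e) $true })
    try {
        $ssl.AuthenticateAsClient($HostName)   # SNI = the name we expect on the certificate
        return [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
    }
    finally {
        $ssl.Dispose()
        $client.Dispose()
    }
}

function Test-TcpPort {
    param([string]$HostName, [int]$Port, [int]$TimeoutMs = 5000)
    $tcp = [System.Net.Sockets.TcpClient]::new()
    try {
        $task = $tcp.ConnectAsync($HostName, $Port)
        return ($task.Wait($TimeoutMs) -and $tcp.Connected)
    }
    catch { return $false }
    finally { $tcp.Dispose() }
}

$cert = Get-GatewayCertificate -HostName $GatewayFqdn -Port $Port

# Build the chain the way a client would, including an online revocation check
$chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chainOk     = $chain.Build($cert)
$chainStatus = if ($chainOk) { 'OK' } else { ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ' }

$daysLeft = [int][math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)

[pscustomobject]@{
    Subject       = $cert.Subject
    Issuer        = $cert.Issuer
    IsLetsEncrypt = $cert.Issuer -like "*Let's Encrypt*"
    # DnsNameList is PowerShell's view of the SAN extension; exact match only, no wildcard handling
    NameMatches   = @($cert.DnsNameList.Unicode) -contains $GatewayFqdn
    NotAfter      = $cert.NotAfter
    DaysLeft      = $daysLeft
    ChainTrusted  = $chainOk
    ChainStatus   = $chainStatus
} | Format-List

if ($daysLeft -le $RenewBeforeDays) {
    Write-Warning "Only $daysLeft days of validity left, inside the ${RenewBeforeDays}-day renewal window; check the certificate status in the RAS console."
}

# Port 80 only needs to be reachable by Let's Encrypt's validation servers.
# Run this from a host that is not on the gateway's allowed list: a successful
# connection means the restriction is not in effect at the network level.
if (Test-TcpPort -HostName $GatewayFqdn -Port 80) {
    Write-Warning "Port 80 on $GatewayFqdn accepts connections from this host."
}
else {
    Write-Host "Port 80 on $GatewayFqdn is not reachable from this host (expected when restricted to Let's Encrypt)."
}
```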
Both manually renewing and revoking are also possible from within the Parallels RAS console. To renew or revoke, simply right-click the certificate, select Control, and perform the desired action.
Parallels did a great job in making the issuing, renewing, and revoking of certificates via Let’s Encrypt super easy! Overall, Parallels really excels in continuously bringing improvements to RAS based on community as well as customer feedback. I’ve been part of the Parallels VIPP group since 2017 and can tell you the Let’s Encrypt support is only one of many, many examples where Parallels truly listens to feedback, updates their backlog accordingly and makes it happen!
Parallels just released Remote Application Server 19 Public Preview! This version comes with a lot of new exciting features!
Here is a quick list of the top 4 features that were announced:
Amazon Web Services (AWS) as a cloud provider — Parallels RAS 19 extends the list of supported cloud computing providers by integrating with Amazon EC2. This integration will allow customers to utilize RAS Templates based on Amazon EC2 instances and build hybrid and cloud environments with a unified administrative and end-user experience.
MSIX app attach Integration — Parallels RAS 19 provides a new and modern application delivery method — Application Packages, based on MSIX app attach. This App Layering technology enables customers to separate applications from the core operating system and deliver applications to users dynamically. This makes it easier to create a RAS template and get more control by providing the right application for the right user.
Let’s Encrypt Certificate Management — Let’s Encrypt (LE) is a global Certificate Authority (CA). The organization behind LE is a non-profit and provides free SSL/TLS certificates, each valid for 90 days, so they must be renewed within that period. Parallels RAS 19 includes automated certificate management which provides the ability to issue, renew and revoke certificates directly from the RAS Console.
Parallels Client for Windows on ARM64 — Parallels Client for Windows has been rebuilt and optimized to natively run on machines that are powered by ARM64 processors which were created to be more lightweight and power-efficient.
Besides these, Parallels RAS 19 now also covers Expression based filtering & policies, Power Management, Email-based account discovery, Logon hours restrictions, Multiple Multi-factor Authentication (MFA) providers, and Specific URL redirection.
---
I’ve had the opportunity to test drive Parallels RAS 19 during a private technical preview and in this article I want to focus on the MSIX app attach support. You can expect additional articles to follow covering the other new features of this release!
Below is the list of MSIX app attach related features that Parallels RAS 19 contains.
• Discover and import packages from existing MSIX images (CIM, VHD(X))
• Support for packages created with third-party tools (MS MSIX Packaging Tool, appCURE, etc…).
• Package version management and versions tags support.
• Package certificates management.
• Application Packages management on Remote Desktop Session Hosts.
• New wizard for publishing applications from packages or desktop publishing.
As a requirement, you need Windows Server 2022 as the RD Session Host, a network share where the MSIX app attach packages are stored, and the RD Session Host needs read permissions on the share.
The first thing you do is enable the Application Packages feature as shown below.
Next, you can start adding new MSIX application packages to Parallels RAS. Browse to the UNC path where your MSIX app attach packages are stored. In my case this is Azure Files and, in this example, I use Power BI as the package.
In the Display Name field specify the name that will be used for this package in Parallels RAS and click Finish.
You can also use MSIX app attach packages that contain multiple applications. In my example below I have an MSIX app attach package containing three applications. The wizard shows me a nice drop-down list of all applications that were discovered in the package.
After adding a couple of MSIX app attach packages, the result looks like below.
Next, add the packages to a RD Session Host. Once added, packaged applications behave the exact same way as regular applications in Parallels RAS 19.
To add the applications, go to Farm, RD Session Hosts, open the properties, go to the Application packages tab, and add the application packages using the + icon.
Once completed, Parallels RAS takes care of the MSIX app attach staging step and as a result the MSIX packages are now mounted on the RD Session Host server(s) as shown below. Note that in my case some application packages came from a combined MSIX app attach container called demo-msix-apps.
As mentioned before, MSIX app attach applications are treated the same way as any other application in Parallels RAS. As shown below, you can publish them the same way as well. In this case I have published all the MSIX app attach applications and a Full Desktop.
After applying the configuration, log on to the Parallels client. You can now see the published apps and desktop.
After logging on to the published desktop, the MSIX app attach registration step takes place and, as a result, the user sees the MSIX app attach applications.
And if you take a look at the folder C:\Program Files\WindowsApps, you can see the various junction points, indicating that the MSIX applications are not installed locally but are junction points to the Azure Files share.
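As an added example (not from the original post), the PowerShell below runs inside a session as the user and lists each registered package together with the reparse point behind its install location and its signature kind, so you can confirm that the app attach applications are junctions rather than local installs and see how each package is signed. It assumes the default WindowsApps location under Program Files.

```powershell
$appsRoot = Join-Path $env:ProgramFiles 'WindowsApps'

$packages = Get-AppxPackage | Where-Object { $_.InstallLocation -like "$appsRoot\*" } | ForEach-Object {
    $pkg  = $_
    $item = Get-Item -LiteralPath $pkg.InstallLocation -Force -ErrorAction SilentlyContinue
    if (-not $item) { return }   # install location not readable from this session; skip it
    [pscustomobject]@{
        Package       = $pkg.Name
        Version       = $pkg.Version
        SignatureKind = $pkg.SignatureKind        # Developer, Enterprise, Store, System or None
        LinkType      = if ($item.LinkType) { $item.LinkType } else { 'Folder' }
        # Target is string[] on Windows PowerShell 5.1 and string on PowerShell 7; normalise both
        Target        = (@($item.Target) -join ';')
    }
}

# Junctions are what the app attach staging step produces. A plain folder means
# the package is installed locally (inbox apps, or something outside app attach),
# which is worth a second look in an app attach only design.
$packages | Sort-Object LinkType, Package | Format-Table -AutoSize

# Only the app attach packages, with the mount they resolve to
$packages | Where-Object { $_.LinkType -eq 'Junction' } | Select-Object Package, SignatureKind, Target
```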
Parallels did a great job integrating MSIX app attach into Remote Application Server 19! More reviews on other Parallels RAS 19 features will follow soon!
If there is one thing we learned over the past 2 years, it is that hybrid work is here to stay. Many organizations have struggled with the challenges of working entirely remote during the early days of the pandemic. Digital transformation took a giant leap, and there is no way back. Businesses and organizations are no longer operated the way they were before 2020, and people, who are the most crucial part of a successful digital transformation, have different mindsets and priorities. It requires organizations to adapt and think differently on how to provide a flexible working environment and workplace for everyone.
Looking back, the general availability of Azure Virtual Desktop could not have come at a better time. Since early 2020 I have helped many organizations embrace Azure Virtual Desktop to provide a secure workplace for everyone in a fast and flexible way. To date, Azure Virtual Desktop has grown into a mature platform and gained even more traction with the release of Windows 365, Microsoft’s Desktop as a Service on top of the Azure Virtual Desktop platform.
Where do innovative ecosystem partners come in?
Even though Azure Virtual Desktop is a feature-rich platform, Microsoft works with a large number of ecosystem partners that provide additional value on top of native Azure Virtual Desktop. As more organizations start to use Azure Virtual Desktop, one of the topics that becomes more and more important is getting insights into usage, performance, and monitoring. Out of the box, Azure Virtual Desktop comes with AVD Insights. This is a set of workbooks and dashboards that provides information on the usage of Azure Virtual Desktop based on telemetry data collected in an Azure Log Analytics workspace. It provides insights into things like average use, concurrency, average logon times, session diagnostics and host performance. Although AVD Insights already provides a lot of information, it is a dashboard that focuses on just the Azure Virtual Desktop layer. The end-user experience in Azure Virtual Desktop is determined by many more components and services. AVD Insights also does not tell us much about the perceived end-user experience and only allows pinpointing the root cause of a problem to a certain extent.
eG Enterprise for end-to-end monitoring of Azure Virtual Desktop
In scenarios where you want to pinpoint slowness of a user session, get detailed insights on sessions and applications that are used, spot issues in the supporting cloud infrastructure beyond the Azure Virtual Desktop resources, or want to periodically create detailed reports, you need a third-party solution. I’ve had the privilege to personally test drive eG Enterprise 7.2 during a private preview, which includes capabilities to monitor Azure Virtual Desktop and provide answers to these questions. In this article I’m sharing some of my experiences.
Sharing my experience with eG Enterprise for Azure Virtual Desktop
First of all, the console of eG Enterprise is entirely web-based, which is great. In my case I’m using eG Enterprise Cloud. As the screenshot below shows, you get an end-to-end topology of the health of our Azure Virtual Desktop environment. Beyond the Azure Virtual Desktop services and session hosts, you can also include supporting infrastructure like Azure Active Directory, Active Directory Domain Services, Azure AD connect and any backend servers or services you are using.
AVD components
Starting with the AVD Brokering services, eG Enterprise provides in-depth details about the Azure Virtual Desktop service by covering your workspaces, app groups and host pools. The example below focuses on a specific host pool showing all details about the current usage. eG Enterprise also has auto-discover functionality for host pools, which makes the configuration super easy.
The great thing here, and this goes for the entire console, is that you can click on any item and get more information and history. For example, the screenshot below shows the available Session Hosts over the last 3 hours.
AVD Services
Besides the AVD components you are running, eG Enterprise also monitors the AVD Service itself. For example, detailed availability of the AVD Web Access services as shown below.
AVD Session Hosts
If you drill down into one of the host pools, you can easily navigate to the performance of a single session host. This allows you to get a very detailed overview of the metrics of user sessions on a single session host, as shown below.
Drilling down further you can also get detailed information about the operating system.
User Sessions
Where eG Enterprise really excels is in the ability to keep drilling down into more detail, for example getting detailed information about the experience of a single user session.
And in this specific use case, I’m investigating more detailed GPU performance inside the Session Host.
And finally, you can even easily navigate into the performance and resource consumption of individual applications! For example, in the below screenshot I’m looking at the metrics of Microsoft Edge.
Using the top bar menu, you can further drill into the Azure Virtual Desktop environment.
AVD High Level overview
The overview page provides you with a high-level overview of your host pools. It includes information like the number of host pools, the health, and session information per host pool. Again, all of these can be drilled down into by simply clicking on them.
The session hosts tab provides you with a clean summary of the environment. Showing the overall resources consumed, a status per host and information related to active and disconnected sessions.
Again, the console makes it very intuitive to drill down into the performance per individual user showing details like logon duration, round trip latency and bandwidth consumption.
Detailed user session telemetry
Clicking on a specific user provides even more details about the user session. You are presented with session information containing the user’s IP address, client version, a breakdown of the logon sequence, and even information on the FSLogix disk usage in the lower right corner.
Again, what I personally really like about eG Enterprise is how almost anything allows you to drill down further and see historical information or discover trends. There are too many scenarios to show here, but for example, clicking on the FSLogix disk space, the diagram below shows the growth of the FSLogix Profile Container over time.
On that same page, you can also view more details on the consumption per process for this specific user.
The User Experience tab provides a higher-level overview. In this case, for example, I have three active sessions from the same client located in West Europe. You can clearly tell one of these three sessions is connected via an Azure Virtual Desktop control plane in another region, in this case East US.
Besides all this information per user or per host pool, sometimes you also want to view details on applications across all your environments. This is exactly what the Applications tab contains. The overview below contains the number of instances per application as well as great details on the resource consumption!
Azure Environment
As addressed earlier, eG Enterprise goes beyond the monitoring of Azure Virtual Desktop and is truly end-to-end. The screenshot below shows how eG Enterprise also includes telemetry and health about your Azure environment! For example, you can see the number of virtual machines, their size, location, and SKU, but also, interestingly, the trend of the virtual machines. This allows you to easily spot changes in the number of virtual machines over time, as well as see how many of those were powered on and what the top 5 trend is in terms of performance. All this information can of course also be found in various places in the Azure Portal or using the Azure CLI, but eG Enterprise brings this information together in a single pane of glass, including trends and environment dynamics, which makes it super easy to digest!
Again, the diagram is also highly interactive. As shown below, you can easily get insights in the performance metrics for all virtual machines to spot issues or configure alerting based on thresholds.
Going one level deeper you are presented with even more details about current performance as well as trends about a single virtual machine.
Azure Quotas are typically also something you have to deal with in larger environments. Insights on these quotas are made easily accessible in the console as well. For example, here is the current quota of the NVADSA10v5 Family vCPUs I have running as part of the A10 GPU public preview.
Azure Active Directory
You can also perform in-depth monitoring of Azure Active Directory administrative activities. This allows you to keep track of activities and send alerts on suspicious activities related to objects like users, groups, or app registrations.
This also includes Azure Active Directory Sign-in activities as shown below.
The power behind eG Enterprise is that it really allows you to monitor the entire Azure Virtual Desktop stack to achieve end-to-end monitoring. Besides the Azure Virtual Desktop, Azure Infrastructure and Azure Active Directory components you can also add any other service you want to monitor including any SaaS, IaaS, virtualization platform or backends you might be running. For many of those eG Enterprise provides an agentless approach, but where needed, agents for various platforms are also included.
Reporting
Interactive dashboards are great, but a monitoring solution is not complete without reporting functionality. Being able to automatically generate and distribute reports on the usage, uptime and performance of your environment is critical. eG Enterprise comes with a wide variety of different types of reports out of the box. Executive, operational, analytics or domain specific, they are all included. Let’s cover some Azure Virtual Desktop specific examples.
The report below provides details on the usage of Azure Virtual Desktop. It answers questions like who logged on? For how long? What was their average resource consumption?
Furthermore, the reports below show you the top 10 applications being used. These reports can be run on various levels, per broker, per host pool, and per session host.
A very useful report is one related to logon performance. The report below shows you the average logon time during a specific time range, a logon process breakdown as well as detailed analytics of each logon step.
More specifically, you can also generate a report that focuses on slow logons over a period of time. This allows you to get insights into where and when slow logons occurred and, more importantly, drill down to perform a root cause analysis.
You can also gain detailed insights on the usage per application to find out how often, how long, by which user, and on which session host a specific application was used.
Higher-level executive KPI reports are also possible, for example the report below, which shows the health of all components in the stack.
All of the reports are customizable, including the ability to create fully custom reports, and you can also save your favorite reports, export them to PDF, or automatically generate & email them periodically.
Logon Simulations & synthetic users
eG Enterprise also provides synthetic monitoring solutions that allow you to proactively test, detect, and diagnose problems. A variety of synthetic monitoring functionalities, and logon simulations are provided. You can use synthetic monitoring to baseline the performance and user experience to identify changes in the future.
The screenshot below shows the result of a logon simulation test for Azure Virtual Desktop. I really like the way eG Enterprise presents the information of the logon sequence showing each logon step, and the duration of each individual step.
Note that the last step ‘Application/Desktop launch complete’ shows an image icon; upon clicking that icon, a screenshot is presented showing the actual output, the perceived end-user experience!
A great way to confirm a successful test, but of course the real value is also being able to see the result in case of an unsuccessful test. For example, if no Session Hosts are available in the configured host pool, the ‘Session Establishment’ step obviously fails.
And the collected screenshot clearly indicates the reason!
Once you have a baseline test, you are also collecting historical information. For example, the screenshot below shows the test duration over a period of time.
And finally, you can also create reports on logon simulations. The report below is per external agent and shows successful and failed logon simulations over a period of time.
A report by Application/Desktop is also possible. The report below shows the availability of each individual step. Notice the unavailability inside the Application/Desktop launch diagram. That was during the test described earlier where all session hosts were set in drain mode.
Summary
I’m impressed by what eG Enterprise has to offer in end-to-end monitoring for Azure Virtual Desktop. The auto-discovery capabilities, including out-of-the-box thresholds, allow for easy and fast configuration. Getting detailed insights into logon duration, application launch times and the perceived end-user experience is great. The ability to gather logon simulation test details using a synthetic user is super helpful, and the way they are displayed in the console is great. eG Enterprise goes beyond monitoring Azure Virtual Desktop only, with the ability to also closely monitor all surrounding infrastructure like Azure, Azure Active Directory, Active Directory Domain Services and any application backend. This makes eG Enterprise truly end-to-end. The reporting capabilities provide highly detailed as well as executive-level health overviews of your entire environment and can be created periodically in an automated way.
Stay tuned for more news from eG Innovations on eG Enterprise 7.2 and monitoring Azure Virtual Desktop! I want to thank eG Innovations for providing the opportunity to test drive this functionality during preview!