Greetings, gentle readers. I’m back from my summer blogging hiatus and am ready to tackle a subject that comes up from time to time when talking to my customers around the world. Specifically, have they outgrown Microsoft Remote Desktop Services, and might it be time to look at a product that extends core RDS capabilities, such as Parallels RAS by Alludo?
As I mentioned in my previous blog article, I’ve always maintained that if you think you’ve outgrown regular Remote Desktop Services, the first product you should evaluate is Parallels RAS before considering any other alternatives like Citrix. I take this position because I feel software must deliver tremendous value to an organization at its price point, which is reflected in our own RDPSoft monitoring and management tools pricing. It’s no fun for the IT department when a piece of software becomes an expensive albatross around a CIO’s neck, with ever increasing renewal costs.
I feel so strongly about the Parallels offering that I accepted my nomination a few years ago to become a Parallels VIPP, and more recently, my company RDPSoft is now an authorized reseller of Parallels RAS. On top of that, our Complete Monitoring and Management Bundle for RDS already extends the management, monitoring, and reporting capabilities native to Parallels RAS, and we’re adding more Parallels RAS specific integration points in our software because we feel so strongly about their platform’s technology and future.
To my knowledge, there is no other solution in the EUC market that delivers more value on a per concurrent user basis than Parallels RAS. The question then becomes, when does it make sense to consider upgrading from RDS to Parallels RAS? When have you truly outgrown RDS?
There are no easy answers to that question, as it comes down to an organization’s budget and specific feature needs. So in this blog article, I’ve done a careful study of some of the key features that Parallels RAS provides out of the box which are either not present, or “less present” in native RDS. Please note that I’m not going to dive into *every* feature offered by RAS (as there are tons), just the ones that I feel alleviate major pain points present in basic RDS. So let’s get started…
Brokering and Load Balancing
In regular RDS, the connection broker (or connection brokers in a High Availability Deployment) performs load balancing of user sessions across the session hosts using a basic algorithm centered around session counts. An admin can also assign a relative weight factor to certain session hosts in a collection, which will make the connection broker only send a fraction of users to some session hosts compared to others. If you have some session hosts with fewer resources than others, a relative weight assignment can keep the lower resourced hosts from getting overwhelmed. However, at its core, the RDS load balancing algorithm on the broker only takes into consideration session counts as a load balancing factor.
In Parallels RAS, the load balancing algorithm is much more sophisticated. Its connection broker can do round-robin load balancing, or resource-based load balancing. Round-robin load balancing is a very basic load balancing mechanism that distributes new sessions to the next session host in the farm, until all session hosts have been visited, at which point it will circle back around to the first session host and repeat the process. This would be similar in effect to a basic RDS deployment which did not use a connection broker, but simply had a load balancer (e.g. like Kemp or F5) that would distribute incoming RDP connections across all session hosts.
The more sophisticated load balancing algorithm in Parallels RAS is the resource-based one. Here, unlike basic RDS, you can use any combination of 1.) session counts, 2.) CPU utilization, and 3.) memory utilization to determine how to load balance new user sessions onto the session hosts. This is especially beneficial for organizations whose users run wildly different application workloads with significantly different CPU and memory consumption profiles. In regular RDS, you cope with this by creating different collections based on user workload type and isolating users onto specific collections based on their workload. In RAS, you can keep your farms “flatter,” because RAS will take into account the user workloads dynamically, and will not send new user sessions to servers with lower session counts that are under high resource load.
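The difference between the two approaches described above can be seen in a small simulation. This is an added example, not code from Microsoft, Parallels, or this blog: the scoring formulas, the per-session CPU/memory cost, the capacity of 40 sessions, and the host names are assumptions chosen for illustration.

```python
from dataclasses import dataclass

@dataclass
class Host:
    name: str
    sessions: int
    cpu: float               # percent busy
    mem: float               # percent in use
    weight: int = 100        # RDS-style relative weight
    max_sessions: int = 40   # assumed capacity, scales session count to 0-100

def sample_farm():
    # Constructed data: RDSH-02 has few sessions but very heavy workloads.
    return [Host("RDSH-01", 12, 30, 40),
            Host("RDSH-02", 4, 95, 90),
            Host("RDSH-03", 15, 45, 55)]

def pick_by_sessions(hosts):
    """Session-count model: fewest sessions per unit of relative weight."""
    return min(hosts, key=lambda h: h.sessions / h.weight)

def pick_by_resources(hosts, counters=("sessions", "cpu", "mem")):
    """Resource model: lowest average of the enabled counters (each 0-100)."""
    def load(h):
        value = {"sessions": 100 * h.sessions / h.max_sessions,
                 "cpu": h.cpu, "mem": h.mem}
        return sum(value[c] for c in counters) / len(counters)
    return min(hosts, key=load)

def place(hosts, n, picker, cpu_cost=2.0, mem_cost=2.0):
    """Place n new sessions; each adds an assumed CPU/memory cost to its host."""
    placed = {h.name: 0 for h in hosts}
    for _ in range(n):
        h = picker(hosts)
        h.sessions += 1
        h.cpu = min(100.0, h.cpu + cpu_cost)
        h.mem = min(100.0, h.mem + mem_cost)
        placed[h.name] += 1
    return placed

if __name__ == "__main__":
    # Session counts alone pile every new user onto the already saturated host.
    print("session count :", place(sample_farm(), 8, pick_by_sessions))
    # Adding CPU and memory to the score steers new users away from it.
    print("resource based:", place(sample_farm(), 8, pick_by_resources))
    # The RDS workaround: an admin manually down-weights the busy host.
    farm = sample_farm()
    farm[1].weight = 20
    print("weighted      :", place(farm, 8, pick_by_sessions))
```

In this model the relative weight only helps if an admin already knows which host is overloaded, whereas the resource score reacts to the counters as they change.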
Another thing to keep in mind around the topic of load balancing and brokering is that Parallels RAS uses a built-in internal database, which does not require licensing SQL Server on a per core basis. This is in contrast to RDS, which if you plan on setting it up in High Availability mode, requires use of a Microsoft SQL Server cluster and/or Azure SQL Database instance. As a result, this is often a cost that can be reclaimed when migrating from RDS to RAS.
Similarly, if you want to set up Remote Desktop Services in High Availability mode, you will most likely need to purchase and implement a hardware or virtual appliance based load balancer for your RDS gateways and RDS brokers. Parallels RAS ships with its own Load Balancer virtual appliance (the HALB) that can run on Hyper-V or VMware. As a result, if you are only using your load balancer for RDS purposes, this also may become a reclaimed expense after a migration to RAS, since the RAS HALB is included as part of the per concurrent user pricing.
On top of that, the Parallels RAS Agent components on each session host can automatically adjust the process priority of user programs that are misbehaving and taking up an excessive amount of CPU time. If a process starts to use too much CPU, and if you have configured CPU optimization, the RAS Agent will lower that process’s priority until its CPU use drops, and then will restore it to normal priority. While this setting may not be appropriate for all organizations, if user workloads are similar, it’s another way that RAS helps protect user experience on multi-user session hosts, beyond the Dynamic Fair Share Scheduling that is enabled by default on all Windows RDS hosts.
FSLogix Support
Even in the most recent version of Remote Desktop Services on Windows Server 2022, there is no native integration with FSLogix for user profile management. The default, integrated user profile option remains User Profile Disks, which have numerous limitations and reduced performance when compared to FSLogix. Why Microsoft has not introduced more native FSLogix integrations with Remote Desktop Services, I do not know, but if you want to deploy FSLogix on RDS, you’ll be responsible for installing it on all of your session hosts yourself and you’ll also be responsible for configuring the Group Policy settings that control its operation.
In contrast, Parallels RAS offers native, integrated FSLogix support in its product. All a systems administrator needs to do is check a few boxes in a dialog in the Parallels RAS Console, and FSLogix will be deployed and configured as desired. Using its own agent, RAS can deploy FSLogix via direct download from Microsoft, from a network share, or via a push from the Connection Broker. Then, rather than having to learn any of FSLogix’s GPO settings, you can set properties both in terms of how FSLogix works and the users it applies to directly in the RAS Console GUI.
Impressively, Parallels RAS is only continuing to expand their FSLogix support in upcoming versions. In Version 19.3, currently in public beta, Parallels is introducing more configurable options around cloud cache, logging, and Office/M365 container management. Finally, if you still want to use UPDs or a different user profile solution, RAS makes that easy too, and it’s just a matter of adjusting a few different settings in their GUI.
Certificate Management
Certificate installation and renewal seem to trip up more than a few RDS admins. In order to work properly, RDS needs certificates correctly installed and associated with any Remote Desktop connection brokers and gateways. If you forget to renew and reinstall your certificates before they expire, you end up with a nasty mess where users can’t connect into the environment.
Parallels RAS solves this problem with direct integration to the Let’s Encrypt non-profit certificate signing authority. Again, with a few mouse clicks, you can instruct Parallels RAS to generate a certificate for your RAS gateway(s) and High Availability Load Balancer(s) (if deployed), and then to automatically renew that certificate before expiration with the Let’s Encrypt authority. With Let’s Encrypt enabled, certificate management is completely removed as a potential source of downtime or frustration for your remoting environment, and you no longer have certificate renewal costs to deal with moving forward.
Printing and Scanning
The closest thing Microsoft RDS has to a universal redirected printing solution is “EasyPrint,” but this is often anything but easy when it comes to getting it set up and working properly with all client printers. And there is no universal scanning solution built into RDS, so if users wish to use their client-side scanners to scan documents into the remote application, you’ll be chasing your tail installing drivers for all sorts of scanners that your workers have on site or at home. Most RDS customers I know who need to scan directly into a remote application have opted to purchase a third party scanning solution for RDS, which of course adds additional costs per user.
Parallels RAS offers simple universal printing and universal scanning features that will save you from chasing down drivers and installing them on the server. In the case of universal printing, print jobs from the remote application get easily redirected back to the client’s printer without any additional work on your part. Moreover, since the print jobs are compressed with Parallels RAS, they often print more quickly than a redirected printer in native RDS. In terms of universal scanning, all a RAS administrator needs to do is associate the universal scanner with the TWAIN configuration for the remote applications that need scanning support, and then the user will see and can use their local scanner to send documents to the remote app.
Multi-Factor Authentication
Native Remote Desktop Services has no multi-factor authentication options available “out of the box.” Most RDS administrators who deploy MFA use a third-party solution like Cisco Duo or Okta. In other cases, they will integrate MFA into their Remote Desktop Gateways by using the Network Policy Server (NPS) extension with Microsoft Azure Active Directory (Entra ID). Both of these approaches to MFA in Remote Desktop Services add costs on top of regular RDS licensing – because even with Entra, if you want *any* sort of granularity in terms of which users must use MFA, or other features like conditional access, you will have to pay for that, either in the form of higher levels of Microsoft 365 licensing, or paying for a higher tier of Entra ID.
In comparison, Parallels RAS allows you to set up MFA in a variety of ways, some of which do not add any additional cost. While Parallels RAS integrates with MFA providers like Azure MFA, Cisco Duo, FortiAuthenticator, and others, you can also just set up Parallels RAS to use TOTP (Time-based One-Time Passwords) with a free third party app like Google Authenticator.
Given that MFA costs are often one of the most expensive third-party add-ons to native Remote Desktop Services, leveraging TOTP with Parallels RAS effectively helps subsidize the Parallels RAS per concurrent user cost.
Hybrid Public Cloud Support
If you’ve watched any of my RDPHard videos, or read any of my PureRDS articles, you’ll know that I have a fairly negative view of both Azure Virtual Desktop and Microsoft’s licensing and “feature starvation” games to try and forcibly compel you to migrate from RDS to AVD. It is my opinion that they have zero interest in organizations taking a hybrid approach to remote work – they simply want you to lift and shift ALL of your remote workloads to their public cloud, regardless of the cost or complexity to do so. I have heard plenty of horror stories about failed lift-and-shift migrations of RDS to AVD. In fact, one customer told me this year in a phone call – “Andy, the AVD costs post migration are literally bleeding us dry.”
The thing I really like about Parallels RAS is that they have adopted a hybrid model with regard to remote workloads, and they let you host applications and desktops both in on-premises / private datacenters OR in a public cloud infrastructure like Azure Virtual Desktop and AWS. In fact, the underlying virtual machines that run these workloads are completely abstracted away from the user altogether – they just see their published apps and desktops in the unified Parallels RAS Client and click an icon to run them. It doesn’t matter where those apps are hosted.
Moreover, Parallels RAS also has AVD cost optimization orchestration already built into it, offering both VM autoscale features and storage cost reduction (by changing disk types when virtual machines are powered down.) With Parallels RAS, you could simply provision AVD host pools for a backup/failover scenario, hiding those farms in the RAS Client until a disaster recovery / failover scenario happened, at which point you could spin up the AVD hosts and enable optimal disk types on the hosts, and then reconfigure the RAS Client to show the remote apps and desktops hosted from AVD in the Parallels RAS client. Failover scenarios, along with seasonal work, are two valid use cases for AVD. Yet with Parallels RAS, you can still keep workloads running on-premises most of the time to save money and avoid the costs and pitfalls of a wholesale migration to the cloud.
URL Redirection
Finally, one issue that all RDS admins have to deal with is Microsoft Teams operating in a remoting environment. For a native RDS deployment, Teams is only supported by Microsoft to operate in “chat and collaboration mode only.” Meaning, you have to disable the calling and meeting functionality via GPOs as they will not function properly in a remote RDS session. All the while, Microsoft continues to release enhancements for AVD to make Teams calling and meeting functionality work OK in that environment, while starving RDS of those features, for what I only can surmise is a deliberate attempt to push organizations towards AVD.
Fortunately, Parallels RAS has a nice workaround for Teams support in RDS. In Parallels RAS, you can set up what is known as “specific URL redirection.” Meaning, when a user clicks on a Teams, Skype, or Zoom meeting link inside an email in their remote session, the RAS client will redirect that URL and open it up on their client device, which most likely will have the Teams, Skype, or Zoom client installed locally, and which has the required horsepower and dedicated hardware to do the video conferencing, etc. I think this is an elegant solution that saves you a lot of money, when directly compared to Azure Virtual Desktop or Citrix’s protocol and remoting stack optimizations for Teams. Moreover, this technology is conferencing software agnostic, so whatever video conferencing/meeting software your organization uses, you can redirect meeting request links to the client side.
Conclusion
While pure Remote Desktop Services remains a great platform for many organizations, there may come a time when you need more than what RDS can deliver out of the box. If and when that time comes, look to Parallels RAS first. If you’d like to have a more in-depth strategy discussion with us on whether or not Parallels RAS makes sense for your remoting environment and budget, schedule a call with us and we’ll be happy to go over your options, plus price out the per CCU costs of Parallels RAS, offset by the cost savings it delivers with features like native MFA, native universal printing/scanning support, native load balancing, and much more.