
Remote Desktop Solutions: What’s Out There?

Remote Desktops are not new. In fact they reach back to the dawn of time… well, the 1990s. In that time they’ve come a long way and there appear to be more options than ever before. However, the same goal remains at their core: to allow you to connect remotely to a desktop, enabling you to be productive and access your line-of-business (LOB) applications.

In the broadest sense, Remote Desktops can be split into two categories:

  • Single user remote desktops, often referred to as VDI (Virtual Desktop Infrastructure)
  • Multi user remote desktops, referred to as Remote Desktop Services (RDS), Terminal Services (TS) or Server-Based Computing (SBC)

The single user remote desktop typically involves having a client OS virtual desktop (Windows 8.1 or Windows 10) per user.  So 30 users = 30 virtual machines. Great if everyone needs to personalise their desktop and perhaps install applications.

Multi user remote desktops have many users with their own “desktop session” on a single Server based OS, such as Windows 2008 R2 or Windows 2012 R2. 30 users = 1 RDS server[1]. Great user per virtual machine (VM) density.

How do I choose what option is best for me?

How long is a piece of string?  The best way is to engage with an IT partner to discuss your business requirements as to why you are looking into remote desktop solutions.  However, there are some questions you can ask yourself to give you a better idea of what approach may be more suitable (see table).

Now we know the basics, let’s look at the options. This article will focus on Microsoft and Citrix based technologies as this is our area of expertise.

Microsoft Remote Desktop Services (RDS)

As old as the hills and the “tried and tested” remote desktop solution.  Many users log onto the same RDS server and share the server resources, leading to the best user density.  The server is made to look and feel like a desktop OS, such as Windows 8.1. Being a server OS, there can be compatibility issues or licensing restrictions for your applications. It is also possible for a single user to “hog” resource on the server, degrading the experience for other users. However, there are measures to prevent this.  RDS can be based on physical or virtual servers on any supported hypervisor, such as Microsoft Hyper-V, Citrix XenServer or VMware vSphere. Users connect to their remote desktop via the Microsoft Remote Desktop Client which is now available for many platforms, including Mac, iOS and Android.

Microsoft Virtual Desktop Infrastructure (VDI)

Although late to join the party, Microsoft’s VDI offering uses Hyper-V to provision client OS virtual desktops; one for each user. This may be a non-persistent pooled VM that returns to its original state when the user logs off, giving the same user experience every time based on a “master” or template image. Or it could be a static VM assigned to the user permanently. A statically assigned VM allows the user to make changes, such as installing applications. VDI should give a user experience closest to using a physical PC and has better application compatibility. However, it can come at a higher hardware cost due to the number of virtual machines required. One advantage of Microsoft’s VDI solution is that Hyper-V’s extended management tool, System Center Virtual Machine Manager (a paid-for product), is not required, whereas this is a requirement for Citrix XenDesktop VDI[2]. Users connect the same way as above, via the Remote Desktop Client.

Microsoft RemoteApp

This is a variation of Remote Desktop Services but instead of having a full-blown desktop, the user accesses only the applications remotely. This is great if you have a subset of applications on your remote desktop servers and want to integrate the experience with your local desktop rather than having two desktops to manage. It can also be preferable for mobile users who may want to access their applications on devices with smaller screens where navigating a Windows desktop can be impractical. Again, access is via the Microsoft Remote Desktop Client.

Citrix XenApp

XenApp builds upon Microsoft Remote Desktop Services with built-in features such as image management for your XenApp servers, broader end-user device compatibility and a more adaptive connection protocol which can better handle higher-latency, lower-bandwidth connectivity. Another advantage is that you can publish both Desktops and Applications from the same server, giving greater flexibility to your users and administrators. At present, this is not possible via Microsoft RDS/RemoteApp, where separate servers are needed.

Seen as the market leaders in the “session hosted” remote desktop space, Citrix XenApp gives you a very good management layer in which to configure, provision and secure your remote desktop servers.  Users connect via the Citrix Receiver (available for almost any device) using Citrix’s proprietary remoting protocol, HDX. As with Microsoft RDS, application compatibility can be an issue.  As well as your Microsoft RDS licenses, you will need to purchase XenApp licenses.

Citrix XenDesktop

Citrix’s VDI solution, XenDesktop uses the same architecture as XenApp so you can invest in a single technology and deploy either shared hosted, pooled VDI or private (static) virtual desktops to your users via a single management interface. It also allows you to deploy their agent to a physical PC and use the same infrastructure to remotely connect in the same way you would to a virtual desktop.  However, for fairness it must be noted that you can achieve a similar function using Microsoft’s solution.

Another major plus with XenDesktop is that it is hypervisor agnostic, so you can deploy on Citrix XenServer, Microsoft Hyper-V or VMware vSphere meaning you can use the same hypervisor already deployed and not have to run two hypervisor technologies. Like XenApp, you do have to buy additional licenses on top of the Microsoft licenses and, depending on the level of license, this will influence which features are available.

We’ve looked at five options available today and as mentioned before, there are others.  However, whichever option you decide upon (after careful research and an assessment carried out by EACS, of course), you will ultimately get the same benefits:

  • Greater flexibility through home working, roaming/mobile workers being able to access their Windows applications
  • Broader device compatibility which is almost a must in today’s multi-device world, allowing the possibility of a BYOD scheme
  • Centralised management of your desktops/applications
  • Easier scalability.  Adding 10 new users to a remote desktop solution should be quicker than provisioning 10 physical desktops with all the bits and pieces that go with the “traditional” desktop rollout
  • Easier rollout to a new operating system; more true with RDS and Pooled VDI solution where a single image is used for multiple users








To find out more about the options around Remote/Virtual Desktop solutions, please call EACS. You can also arrange for a Desktop Assessment, where for a fixed fee we will analyse and assess your current infrastructure and requirements to make sure that you choose the right solution.

[1] Exact user load depends on multiple factors and will vary with each use case.
[2] For using image management of Pooled/non-persistent VDI or deployment of Static/persistent VDI.

Update from the End User Computing Team

In the End User Computing Team, we have a lot of new technology updates to take on board and help our customers deploy, including new operating systems, assessment tools and Cloud based solutions, as well as Mobile Device and Application Management.

The big news, of course, is Windows 10. Whilst it has only just been released, consumers and IT departments alike are very interested in making the switch, but should you dive right in? For consumers this is probably an obvious choice as it is free until July 2016 for customers who already have Windows 7 or 8, but what about corporate IT?

The biggest problems faced when migrating to a new platform are application compatibilities and user profiles and EACS can help you with both of these issues. Using our Windows 10 Readiness Assessment services we can assess the applications as well as the current platform they reside on. The service is part of a best-practice project approach developed by EACS to ensure the success of application and desktop migrations.

Once we have the applications that require migration, we can then analyse them using Citrix’s AppDNA, which will examine each application and determine whether it will run without any modification on Windows 10, or if updates or patches are required. It produces a simple report that indicates the readiness of your applications for Windows 7, 8 or 10. In addition, it will state whether they are 64-bit compatible, suitable for XenApp/XenDesktop, RemoteApp or Remote Desktop Services. If it’s identified that the application will not run under Windows 10, don’t worry, this isn’t the end of the line for the application. There are several technologies available that can virtualise the application and isolate it from the operating system.

AppSense helps with user profiles. As well as managing applications, AppSense virtualises the user so that they can log onto different versions of Windows without fear of corrupting their profile. It is worth noting that each version of Windows has a different Profile Version and if using centralised profiles each profile will be kept in a different folder, meaning settings will not roam with the user.

Mobility has always been a theme with Citrix, and now with XenMobile 10, it is iOS 9 and Android 6 ready, with a hugely improved interface and features that make the end user experience smooth and simple. Citrix has taken the step to join both the Application and Device management server from XenMobile 9 into one Linux based appliance. This provides much easier management, troubleshooting and installations.

With the huge response EACS is seeing with regards to Cloud technologies, here in the EUC team we have been looking into the new Citrix Workspace Cloud as well as RemoteApp and Desktop as a Service using Microsoft Azure. Citrix has taken the approach to provide a Software as a Service (SaaS) offering where Citrix hosts the management of their solutions such as XenApp, and you simply connect your datacentre or Public/Private cloud to the Workspace Cloud. This keeps the data close to the Desktop or Server hosting the applications, whilst ensuring access is highly available and secure. The datacentre could be in your own building, hosted elsewhere, or as a cloud service such as Microsoft Azure.

NVIDIA continues to improve their GRID offerings with the release of the Tesla M6 and M60 graphics cards for Virtual Desktop Infrastructure. The new cards are more powerful as you would expect, with the M60 boasting up to 32 concurrent users per card, whilst the smaller M6 card designed for high density Blade Servers will take up to 16 concurrent users. Overall this is twice as powerful as the previous K2 cards with twice as many users per card. Through testing and research, EACS has found that it isn’t just 3D applications that benefit from having a dedicated graphics card in the server. With graphical applications like Microsoft Office 2013, and the increase in HTML 5 websites, more and more graphics are making their way into the corporate XenApp environment; having a graphics card in the hardware hosting XenApp and passing it through to the XenApp worker servers vastly improves the end user experience, something that is at the heart of what we do in the End User Computing Team.


What is EMS?


Microsoft’s Enterprise Mobility Suite is a collection of Microsoft Cloud products designed to allow users to be more agile in the workplace. EMS is the epitome of Microsoft’s mobile first, cloud first vision, in that it provides administrators with the tools to make corporate data available to users on any device, and from any location. This does, however, pose a security issue in that data is then allowed to flow freely around potentially unprotected devices. EMS addresses this by including mobile device management capabilities and data protection features in its product set.

EMS is designed to allow users the freedom to use whichever device they wish, whilst also ensuring that corporate data is kept secure and safe no matter which device the data is accessed from.

There are currently four products included in the Enterprise Mobility Suite. These can be purchased separately if required, but EMS becomes the most cost effective option if two or more products are purchased. Below is a rundown of the feature set of Microsoft’s Enterprise Mobility Suite.

Azure AD Premium

Azure AD Premium builds on the success of Azure AD by providing additional features to make the option of extending your existing Active Directory into the Cloud more attractive than ever before. The feature set includes:

Self Service Password Reset – A portal which a user can visit in order to reset their cloud or Active Directory password. This alleviates the issue of 1st line support password reset calls and gives the user the control to reset their password when needed without making a call to a service desk.

Cloud App Discovery – This agent can be deployed to client computers and will report back on the usage of web based cloud applications, such as how many people are using them, and how much data is flowing through them. For example, it might report that 40 staff members are using the Dropbox application, and that 5GB of data is flowing through Dropbox every week. This is invaluable information and helps discover and target the increasingly prevalent issue of ‘Shadow IT’ and data leakage.

Cloud App Single Sign On – Based on the findings of the Cloud App Discovery tool, or based on information already available to IT, cloud applications can be integrated with Azure AD.

As an example of this, instead of the marketing team having knowledge of the username and password of the corporate Twitter account, you can integrate it with Azure Active Directory. This means that the marketing team log into Twitter with their Active Directory credentials, and if a user leaves the company, you can revoke access to this account easily by simply disabling the Active Directory account. Over 2500 cloud applications can be integrated into Azure AD, and this number grows by the day. You can effectively use this tool to increase corporate security by obfuscating usernames and passwords for corporate 3rd party accounts behind your existing Active Directory user accounts.

Multi Factor Authentication (MFA) – This allows IT to force a second factor of authentication to be used for login to cloud services. This can be a text message, phone call, or a mobile app (available for Windows Phone, iOS and Android). The Azure MFA server can also be deployed on premise to provide MFA to on premise line of business applications.

Analytics – IT can use Azure analytics to report on password reset activity, suspicious logons and other important data which can help identify potential attacks on user accounts.


Intune

This is a mobile device management solution designed to help customers manage their Bring Your Own Device (BYOD) environment. You can manage the following devices with Intune: Windows 8.1/10, Windows Phone, iOS and Android. It includes the following feature set, along with many other configurable options.

Security Policies – These control which security settings mobile devices require in order to connect to corporate resources, such as password locks, client certificates and encryption.

Conditional Access – This forces a mobile device to be enrolled into the Intune service and be compliant with the company’s security policy in order to access resources hosted on Office 365, or even on Exchange On Premise. This means that IT can have control of every mobile device which is connecting to corporate resources.

Mobile Application Management – Office applications can be automatically pushed to managed mobile devices and then secured. For example, copy and paste can be restricted so that corporate data can only be copied/pasted into approved applications. This helps to prevent corporate data leakage.

Email Profile Management – Deploy Email Profiles automatically to devices.

Selective Wipe – IT can just wipe corporate data from a mobile device. For example, when a user leaves a company, IT can ensure that corporate data is wiped without factory resetting the device.

Azure RMS

Rights Management Services are used to apply restrictions to files and emails. Examples of these restrictions are: Do Not Forward, Read Only and Expiry Dates. These restrictions can be applied to Office 365 data, or On Premise data (using a connector). Some examples of this in use are:

Email RMS – If a credit card number is detected in an email which is sent outside the company, a Do Not Forward rule can be applied to the email. This will make sure that the recipient can only Reply or Reply All.

Document RMS – A sensitive document on a File Server, containing financial information, could be marked as Read Only for all users except the Finance Department, who have full access.

Document Expiry – A file could be sent out to people external to the business with an expiry date. Once this file reaches the set expiry date, it will become inaccessible. This file could also be instantly revoked if required, making it instantly inaccessible, no matter where the file was located. This includes copies of the file.

Advanced Threat Analytics

ATA is the latest addition to the EMS product suite and provides Administrators with sophisticated tracking and alerting against advanced targeted attacks. This includes elements such as:

Brute Force Attacks – ATA will monitor and alert administrators if any attacks of this type are recognised.

Reconnaissance – Any recon activities being performed against DNS servers, or against Active Directory using account enumeration, are tracked.

Identity Theft – Various forms of identity theft such as pass-the-hash and remote execution can be identified and alerted against.

Abnormal Behaviour – Strange working hours, password sharing, random geographical access and other abnormal behaviours can be identified and alerted against.

Known security issues – ATA will inform you if weak protocols are in place, or if plain text authentication is being used, exposing sensitive information.

You had me at Enterprise!

In summary, the Enterprise Mobility Suite provides administrators with the tools to make workplaces more user-centric and device agnostic. It is set to be a fast-growing product and is priced to suit.

Additionally, the Enterprise Cloud Suite can be purchased through Microsoft licensing channels, which combines Office 365 E3 licensing, the Enterprise Mobility Suite and Windows Software Assurance, all on a per user basis.

Speak to EACS today about how the Enterprise Mobility Suite can make your business more agile and productive!


Skype for Business

Microsoft Skype for Business (SfB) is the new name for the Unified Communications product formerly known as Lync. Under the covers SfB is technically very similar to Lync and has an interface that anyone used to using Skype at home will be familiar with, but with the enhanced availability, security, compliance and control that businesses require.

SfB enables new ways of working and location independence as people are no longer tied to their desk phone. This supports the new “work is something you do, not where you go” approach by providing a consistent experience on a range of clients including Windows, Mac, Web and mobile.

SfB facilitates the seamless and efficient transition between communication methods depending on the situation and devices available. This might start with verifying someone is available to chat via a simple Instant Message, and then escalating to richer methods as the conversation develops; IM to Voice, Voice to Video, and adding screen sharing or additional participants into a virtual meeting. The benefits of deploying SfB are manifold.

Improvement in employee productivity

There can be a significant reduction in “motorway miles” and unproductive time by replacing in-person meetings with virtual meetings over video with screen and application sharing. This method enhances collaboration, reduces the time to consensus and engenders a sense of working together by removing the distance boundary amongst distributed team members. It also reduces the stress associated with driving for hours for short meetings and allows much more to be packed into a day.

Although it may seem antisocial, SfB allows instant confirmation of understanding without all of the “conversational overhead” of a traditional phone call (how are you, the family, your football team, etc.) before getting down to business. There is also a nice feature (or nasty, depending on your view) which prompts you when someone comes back online, rather than you having to continuously chase them down.

This more flexible and efficient way of working can be extended to customers and suppliers by securely linking the organisations’ SfB solutions together using a process called federating. Once organisations are federated, people from each organisation can see each other’s presence and talk or Video Conference (VC) entirely free of charge. SfB calls and VC are also free of charge to any one of the hundreds of millions of people using the consumer Skype service.

Increased engagement through video conferencing

Although studies have shown that video enhances engagement over voice alone, let’s face it, video conferencing has been too complex for years. How many meetings start with a “how does this Skype for Business work” discussion before getting down to business? With SfB, setting up a video conference is simplicity itself. For anyone used to setting up a meeting in Outlook, attendees simply click on the meeting and choose to attend via either voice or video.

Integration with existing telephony solutions or voice enabling Office 365

Integration with existing legacy PBX equipment is also possible as it may be that you don’t want to migrate all of your users to SfB in one go, and instead wish to continue to use the existing PBX until its support contract is due for renewal, or it is fully depreciated. In this scenario the Instant Messaging and Presence (IM&P) together with VC and screen sharing capabilities of SfB can be used alongside the PBX which is used for voice calling only. Voice and video capability can also be added to Office 365 maximising your investment.

New work styles, reduction in real estate, cost reduction and built in Business Continuity

The flexible working enabled by SfB allows people to work from home, customer site or anywhere they choose. This enhances user experience, reduces stress and can improve work-life balance and remove the need for dedicated equipment or lines. This decoupling of numbers from desk phones can also facilitate the consolidation of desks or even buildings.

There is a reduction in cost by replacing dedicated phone lines or ISDN circuits which carry a recurring charge. In fact the cost of changing to SfB can often be significantly offset by decommissioning circuits and terminating support contracts for legacy PBX infrastructure.

Any call or video conference to anyone on the same network federated with the organisation or using Skype consumer is free regardless of where they are in the world. The cost of calls to PSTN lines, international or mobile numbers is also dramatically reduced.

Business Continuity is simplified, and its cost reduced, due to the inherent flexibility to work anywhere. In the event of a disaster users simply go home or to another location and their number will follow them.

Assessment, deployment and support

EACS offers a range of Skype for Business services to suit the size of your business and can assist in the integration with, or replacement of, existing PBX based services. EACS can also assist in the cost benefit analysis to help justify the replacement. Once deployed by our expert consultants, the managed service includes 24/365 support for carefree communications.



Three Ways to Improve the “Human Firewall” and Strengthen Email Security

When it comes to enterprises finding innovative ways to neutralise widespread email-based attacks, the case has been made before that it’s employees – the same “weak links” who unknowingly click on malicious email URLs and attachments – who could actually be the strongest allies of IT managers in fighting back against these threats.

There’s one caveat, though. The “human firewall” will not be as successful if employees are merely aware that email-based threats exist. Attackers know employees either don’t care about cybersecurity or don’t know enough to ward off threats, which is why spear-phishing and social engineering attacks continue to be so effective.

Here are three things to consider:

1. Shore Up Your First Line of Defense

Picture your cybersecurity infrastructure. At the core is all the sensitive data you’re trying to protect. The first line of defense should be your cybersecurity technology. This is critical. Technology is not a security guarantee, but if you have the right controls in place, like Targeted Threat Protection, then fewer threats will actually break through.

This is important because your next line of defense comprises your employees – the “human firewall.” If your technology is working correctly, employees won’t be overwhelmed by a wave of continuous threats; they’ll be less likely to fall victim to the few that may enter your infrastructure.

2. Appeal to Employees’ Ability and Motivation

So, what happens when a threat actually does reach your “human firewall”? Are your employees properly trained to recognise and react to it? The answer depends on how well they were trained.

To illustrate how to educate employees, consider a hypothetical example of a mobile phone ringing.

There are two reasons why someone wouldn’t answer it – either they don’t have the ability to do so (too busy) or don’t have the motivation (just didn’t feel like talking).

Applying the example to cybersecurity training, “ability” refers to whether employees have learned how to recognise and respond to threats, while “motivation” refers to whether they understand the consequences of whatever action they take, right or wrong.

The best training stresses both, and does so in compelling language that employees will remember.

3. Link Desired Behaviours to Necessary Knowledge

Once employees understand the threats they face, the next step is to teach them new behaviours. To get to that point, employees need context. You first have to identify the current behaviours that put your organisation at risk. This could be, for example, clicking on malicious links or attachments.

Once those behaviours are clear, determine the desired alternatives. So, instead of clicking on a malicious link, you’d want your employees to recognise a link or attachment as being malicious and then flag it to the IT department. By working backwards from that point, you would know exactly the knowledge you would need to impart to your employees about email-based threats.

Email Security Survey
EACS and Mimecast recently conducted an online survey on Email Security and the top three fears or concerns amongst respondents were:

1) An accidental leak from within the company
2) Spam and email viruses
3) The threat of targeted attacks (spear-phishing)

When asked where they felt their organisation was most vulnerable, the survey respondents rated Human Error as the most significant corporate email vulnerability.

The Writing is on the Firewall

While it may seem far-fetched that IT departments can build a savvy, well-trained army of cyber defenders from the same employees who previously snuck shadow IT into the workplace and jeopardised enterprise security, the process works. We’ve seen the technology and the “human firewall” go hand-in-hand to protect organisations that were previously vulnerable. It can work for your company too.

Mimecast Email Security

Comprehensive security protection for business email

Mimecast Email Security uses sophisticated, multi-layered detection engines and intelligence to protect email data and users from malware, spam, advanced threats and other unknown attacks.

The advanced cloud security platform provides flexible and granular email security controls and configuration capabilities, with the benefit of cloud resilience and scale, to deliver comprehensive inbound email security. The same integrated platform ensures privacy and secrecy of sensitive or confidential information in email, protecting it in transit and preventing unauthorised leakage.

If you would like to receive a copy of the Email Security Survey report, please contact us

Orlando Scott-Cowley, Cyber Security Specialist, Mimecast