LEOSTREAM 9 USE CASES

1. Connecting users to graphics-intense applications

Who are these people? Engineers, architects, designers, video editors. Generally, highly educated users doing complex tasks.

What Industries are they in? Oil and Gas, Semiconductor design, Media and Entertainment, Automotive, Aerospace, Defense

What technologies do they use? High-performance display protocols such as HP RGS and Remote Boost, Mechdyne TGX, or Teradici PCoIP. Applications often run on Linux. The operating system hosting the application is often installed directly on powerful workstations, racks or towers. If virtualization exists, it's used to improve density where the workstations have a supported graphics card to enable GPU passthrough.

How does Leostream help in these environments?

Leostream is the only Connection Broker that supports HP RGS and Mechdyne TGX, and it supports collaboration for each of those protocols as well as connections through the Leostream Gateway. Leostream is well-suited for environments that do not include virtualization, as it can manage connections to any desktop joined to an Active Directory domain or with an installed Leostream Agent. In VMware environments utilizing GPU passthrough, Leostream can automatically vMotion stopped machines to a host with an available GPU, allowing virtual machines to be over-allocated on each host. (For example, a host with 4 GPUs supports only 4 running VMs, but two additional stopped VMs may be located on that host. Leostream will vMotion a stopped VM to a host with an available GPU before powering on the VM.)

2. Connecting users to high-compute environments

Who are these people? Engineers, architects, designers, video editors. Generally, highly educated users doing complex tasks.

What Industries are they in? Oil and Gas, Semiconductor design, Media and Entertainment, Automotive, Aerospace, Defense

What technologies do they use? Very powerful workstations or servers, or virtual machines with a large CPU. Probably working with large data sets that are hosted on another server. Engineers submit jobs that run on the compute servers. These users don’t necessarily need a high-performance display protocol and may just use VNC or SSH to connect to the desktop. Almost always, they are connecting to a Linux machine.

How does Leostream help in these environments?

Leostream's VNC support and our ability to treat a Linux server as a multi-user center (similar to a Microsoft Remote Desktop Server / Terminal Server) mean that organizations can purchase a single, powerful workstation and connect multiple users to unique sessions, instead of managing individual desktops.

3. DevOps – Operations-focused management for developer environments

Who are these people? Organizations with operations teams (or others) who manage developer environments, including updating developer tools, managing Linux operating systems, monitoring resource usage, and maintaining adequate capacity.

What Industries are they in? Artificial Intelligence and Machine Learning, Enterprise Software/Application Development, R&D, Retail, Government & Defense, Healthcare

What technologies do they use? Linux operating systems, containers, integrated developer environments (IDE), databases, source control repositories

How does Leostream help in these environments? Leostream's pools and policies make it easy to ensure that developers always have access to the right tools, always updated to the latest versions. New developers can be immediately on-boarded, without acquiring or configuring additional laptops or hardware. Leostream's ability to create and delete instances in OpenStack clouds allows developers to change their desktop's performance to meet their needs, while the Leostream Gateway provides secure, in-browser SSH access to their development environment from any web browser. Leostream power plans manage desktop power state, and release plans monitor user idleness, so unused machines can be powered down to conserve resources for other developers.

4. Application Sharing

Who are these people? Enterprises that use applications with expensive licensing fees. Often, people doing either use case 1 or use case 2.

What Industries are they in? Oil and Gas, Semiconductor design, Media and Entertainment, Automotive, Aerospace, Defense – Think MediaComposer, Simulink/MATLAB, CAD, Schlumberger applications, etc.

What technologies do they use? Usually a mix of back end operating systems, as well as a mixture of display protocols and client devices. Applications may be cloud hosted or in their data center.

How does Leostream help in these environments?

Leostream pools allow organizations to create groups of desktops running shared applications. Release plans can then be designed to control how long a user maintains ownership of the application, for example based on whether the user disconnects from the workstation, whether the user's session is idle, or whether a certain amount of time has elapsed. Leostream reports and alerts on pool usage, so IT knows if their resources are under- or over-utilized, allowing them to either repurpose or purchase equipment accordingly. In cloud environments, Leostream power control plans can automatically control the power state of the cloud instances, stopping instances when not in use in order to save on cloud compute costs.

5. Cloud migrations and/or expansions

Who are these people? Large enterprises with existing data center deployments who now want to burst or migrate into the cloud for certain workloads.

What Industries are they in? Oil and Gas, Semiconductor design, Media and Entertainment, Automotive, Aerospace, Defense

What technologies do they use? Azure and AWS

How does Leostream help in these environments?

Leostream's hybrid-cloud support allows organizations to manage their existing on-premises deployment in the same console as their cloud resources. That said, the customers we've seen do this are building a separate Leostream environment in the cloud. In that case, Leostream's integrated support for Azure and AWS and our general support for any cloud enables the organization to choose the best cloud for their workload, based on corporate standards or available compute in the cloud. By using the Leostream Gateway, the customer can place the cloud-hosted desktops in a private network and connect users via the Gateway using either a high-performance client-based protocol or the built-in HTML5 client.

6. Application Hosting in the Cloud

Who are these people? Service providers who provide access to applications (like Pearson and their test taking app) or organizations with single-use applications (for example, Westat has a timesheet application running in the cloud.)

What Industries are they in? Hosting providers, MSPs, education

What technologies do they use? Azure or AWS. Maybe PCoIP/Cloud Access Software.

How does Leostream help in these environments?

Leostream’s support for a wide range of hosting platforms, back end operating systems, client types, and display protocols allows the organization to build the application hosting environment that best suits their needs. Leostream pools and plans then help the organization control, monitor, and manage the user’s connection, ensuring that only authorized users have access and that the appropriate actions are taken when the user finishes with the application, such as deleting the desktop and spinning up a clean desktop for the next user.

7. Hosted Linux, macOS, or mixed OS environments

Who are these people? Enterprises with applications that run on a range of operating systems. Typically, engineering applications run on Linux, while Media & Entertainment may use Windows or macOS.

What Industries are they in? Oil and Gas, Semiconductor design, Media and Entertainment, Automotive, Aerospace, Defense

What technologies do they use? Usually a mix of back end operating systems, as well as a mixture of display protocols and client devices.

How does Leostream help in these environments?

Leostream can manage and monitor connections to Windows, Linux, and macOS desktops, as well as multi-user Windows and Linux sessions. We support a wide range of display protocols and client devices. Organizations can design the environment that best suits their users' needs while managing and accessing everything from a single portal. Leostream is uniquely suited for hosted macOS environments, supporting VNC and PCoIP connections.

8. Managing Connections to Hosted Hardware

Who are these people? Enterprises that are running workloads that require high-power, often GPU-enabled, workstations. Also, organizations of any size who are performing a data center refresh and adding new hardware form factors such as Moonshot or HP ZCentral.

What Industries are they in? Oil and Gas, Semiconductor design, Media and Entertainment, Automotive, Aerospace, Defense; in other words, our typical industries.

What technologies do they use? Little to no virtualization. HP ZCentral, HPE Moonshot, Dell Workstations, Amulet Hotkey devices. Typically, a high-performance protocol such as RGS, TGX, or PCoIP.

How does Leostream help in these environments?

Leostream can manage connections to any machine with an installed Leostream Agent and has integrated support for HPE Moonshot Systems. Leostream also integrates with Active Directory to automatically discover new desktops as they join the domain (and can even perform the domain join). Desktops can be installed on any hardware type, and Leostream can manage the connection using a wide range of display protocols. Desktops can be persistently assigned or shared via a pool. If power consumption is a concern, desktops can be shut down and restarted using Wake-on-LAN.

9. SMB, Distributed Enterprise, and Edge

Who are these people? Small VDI deployments, either at edge locations or globally distributed enterprise locations. The VDI environment may be managed by a small IT team.

What Industries are they in? Healthcare, Municipal Governments, Retail, Community Colleges or other small educational institutes

What technologies do they use? Scale Computing HC3 virtualization platform.

How does Leostream help in these environments?

The HC3 virtualization platform brings together servers, storage, virtualization, and disaster recovery into a single, feature-rich solution. Leostream makes it simple to provision pools of Windows and Linux desktops from a single master image designated in the Scale Computing environment. Leostream policies can be configured to manage a wide range of business use cases, including persistent and non-persistent desktops, shared or personal desktops, and everything in between. Leostream allows organizations to ensure that the right users get access to the right resources, every time and from wherever they roam.

Today, Leostream Corporation announced their intention to provide out-of-the-gate support for the newly announced HP ZCentral remote workstation solution, including ZCentral Remote Boost (formerly known as Remote Graphics Software). ZCentral customers can leverage Leostream to provide advanced policy-based connection management to Z by HP racked workstations and to build flexible hybrid environments.

The Leostream platform supports seamless integration for existing HP Remote Graphics Software (RGS) deployments, in addition to a wide range of high-performance display protocols.

For HP’s new ZCentral solution, Leostream will provide connection management and brokering support for ZCentral customers who require:

  • Support for environments requiring additional display protocols beyond ZCentral Remote Boost.
  • Support for mixed or hybrid infrastructure, with both on-premises and cloud workstations or virtual machines.
  • Advanced user-policy permissions and secure access controls, including multi-factor authentication and location-aware end-user experience features, such as network printer redirection.

“We are thrilled to expand our close partnership with HP to include support for the new ZCentral solution,” remarked Leostream CEO Karen Gondoly. “We believe that the ZCentral solution is ideal for enterprise customers looking for a highly performant remote racked workstation solution. The Leostream Connection Broker will provide out-of-the-gate support for ZCentral in hybrid and otherwise heterogeneous environments, including those with mixed display protocols and secure user access requirements.”

“Leostream and the Z by HP team have worked closely to ensure joint customers receive a world-class, remote workstation solution,” says Clifton Robin, global software manager, ZCentral. “Out-of-the-gate support for ZCentral is a testament to how committed we are to provide our customers all the functionality needed for an end-to-end remote racked workstation solution.”

The Leostream Connection Broker will support ZCentral as soon as the platform is made generally available in Spring 2020. Today, Leostream invites all HP customers considering adopting ZCentral to contact Leostream to conduct a free 30-day proof-of-concept trial with the Leostream Connection Broker. For a limited time, Leostream is offering new HP customers two hours of free setup service for professional assistance configuring Leostream with ZCentral.

For more information about ZCentral and ZCentral Remote Boost visit hp.com/ZCentral

A Decade of Leostream

On my daily commute through the Boston traffic, every radio station I turn to seems to be discussing one “best of the decade” list or another. That got me thinking, “Does Leostream have a ‘best of’? How have we grown and changed over the last 10 years?”

The simple answer is, “We’ve changed a lot!” And those changes really are the “best of” our last decade. So, take a trip down memory lane with me to see how Leostream has kept pace with a market that has put many other independent VDI companies to bed over the last 10 years.

Out with the old – Connection Broker 5.3

Before we talk about this decade, let’s look at where Leostream wrapped up the last. I came to Leostream in 2008, which was the era of Connection Broker 5.x. Our somewhat dark interface sat on top of a platform that managed VDI, Terminal Services, Citrix Presentation Server (you heard that right), and not much else.

In 2008, though, there wasn’t much else on the market, which means that even when VDI was still in its infancy Leostream had already adopted the “hybrid” approach that would define our growth and the growth of the market for the decade to come.

From the beginning, the Connection Broker walked the path of being a vendor agnostic tool for mixed environments, with support for the various platforms in the market at the time, as seen in the types of Centers we supported in 2008.

While the Leostream architecture and hybrid philosophy would serve us well into the next decade, our web interface was decidedly 2008.

The Connection Broker Administrator’s interface contained many of the Leostream concepts you see, today. You defined authentication servers and centers, built pools, created policies, and assigned them to users. However, as is typical in early software versions, usability was a little lacking. I remember watching customers, even experienced ones, clicking around the menu structure seemingly at random to find the page they needed.

Looking back at our menu structure, I understand why.

Just as the Connection Broker already had its hybrid approach to hosting platforms, it already supported both commodity (RDP) and high-performance (HP RGS) display protocols, with some interesting options available, such as support for Neoware and Sun Ray clients.

In 5.x, Leostream policies were a long form that locked you into the same display protocol for every pool offered in that policy. That limitation was fine in 2008, but increasingly we heard the market asking for flexibility in managing user workflows in their VDI environment.

The Connection Broker 5.x branch lived on nearly to this decade, with its last release in September of 2009, but changes to the Connection Broker to support additional flexibility were brewing.

2010 Connection Broker 6.x

The decade started with our first rebranding and redesign of the Administrator Web interface. While the login screen didn’t change too much, what you saw after you logged in did.

The menus along the top weren’t quite as dark and foreboding, and contained new options such as plans.

Plans were split out of policies as reusable sets of rules for controlling user workflows. Our plans simplified policy creation and provided the flexibility the market was asking for, such as using different display protocols for different connections.

Our Protocol Plans even allowed you to prioritize protocols, so you could fail a user over to an RDP connection if their RGS Sender became unavailable, as another example. I will admit that our Protocol Plan form in 2010 was long and cumbersome, but we had another nine years left in the decade to tackle that usability problem.

As virtualization matured and new vendors brought solutions to market, such as Microsoft Hyper-V, we kept to our “Remote access for all” ethos and added support for the new platforms, even earning a Citrix Ready certification for XenServer 5.6 (yes, 5.6, this was still 2010). Our goal was, then as now, to allow our customers to future proof their data centers so they could try out new technologies while continuing to leverage what they had in house, including Citrix Presentation Server which had rebranded to XenApp.

The 6.x branch was full of features that started the Leostream Connection Broker down the path of being a complete connection management platform. Among those features: we added the ability to attach network printers to the remote VMs; added more administrator tools, like integrated search; and logged more and more events, giving administrators an audit-level look at what was going on in their system.

And, in a tradition that continues to this day, we started publishing patch releases at a greater frequency, ensuring that we get customer-facing bugs and smaller feature requests into their hands as quickly as possible. Our fix-and-release customer-first attitude is one of the reasons customers have appreciated working with Leostream over the decade.

2011 Connection Broker 7.x

Being a company that doesn’t rest on its laurels, we pushed on to Connection Broker 7.x. Initially released at the very end of 2010, the 7.x branch lived on until late 2014.

With 7.0, the look-and-feel of the Web interface stayed mostly the same and, instead, the depth of the product features grew. The first release of 7.0 enabled Leostream to model non-persistent workflows, and introduced our collaboration feature, where users with active desktop sessions could invite other Leostream users to shadow their session.

As disaster recovery and high availability became greater concerns for the market, Connection Broker 7.x introduced backup pools and failover desktops to expand our goal that Leostream always get the user connected to a desktop where they can get their job done, even if their primary machine becomes unusable. 

And, of course, the 7.x branch continued to add support for more platforms, including Red Hat Enterprise Virtualization, Citrix XenDesktop and VMware View. (All third-party product names are referenced as they appeared at the time.) It was these 7.x releases that earned Leostream the name, "the one Broker to rule them all." Props to Paul K. for the quote, wherever this decade has taken him.

There are too many features to mention over the four years of 7.x. The release notes bring to mind the customer conversations that led to many of the features. Many of those customers are still with us (a couple may even still be on 7.x!). To all of you, for your years of loyalty, I thank you!

2014 Connection Broker 8.x

Onward to Connection Broker 8.x. Like Connection Broker 7.x, the 8.x branch lived on for four years until 2018. Unlike version 7.x, Connection Broker 8.2 is still under support as we close 2019. While the last update was made in November 2018, the 8.2 release is supported until the end of 2020, and we have many, many customers that are still on that release.

Why are they still on that release? Well, because it’s a rock-solid battleship of a connection broker.

Connection Broker 8.x took the “one broker to rule them all” notion even further, adding in support for more and newer platforms. Leostream recognized how important the cloud was going to be in the market and, with Connection Broker 8.x, Leostream added support for Amazon Web Services and Azure, well before AWS had their Workspaces offering.

We also added support for additional high-performance display protocols. In addition to the support we already had for Teradici PCoIP and HP RGS, Connection Broker 8.x introduced new partners such as Mechdyne and their TGX protocol, and NICE with DCV. With the number of supported display protocols at 13, in order to make the Protocol Plan form less intimidating, we collapsed sections that weren’t in use, but the form still displayed the full breadth of our protocol support.

Connection Broker 8.2 hammered out the edge cases of nearly every VDI workflow you could possibly want, persistent, non-persistent, pooled, dedicated, and everything in between. Our policy logic and session management became second to none. That said, we still had a problem.

Throughout 8.2, we made slight usability enhancements, like the change to the Protocol Plan page, to try and make our product easier to understand and use. The feedback overwhelmingly stated that we weren't succeeding. After eight years of building the most robust, scalable, feature-rich, and platform-agnostic connection broker on the market, we were just too hard to use.

Thankfully, in the summer of 2017, we had the time and resources to tackle our usability issues head on.

2018 Connection Broker 9.0

Enter Leostream 9.0. With the help of a graphic designer and the usability input of a number of our customers, we retooled the Administrator interface and redesigned our licensing scheme to turn Leostream into a product that provides “Remote Access for All”, without the confused looks.

Our new sign-in page was sleek, and web and mobile friendly.

Our new Administrator Interface was organized and intuitive, and our licensing scheme allowed us to hide the platforms, display protocols, and features customers weren’t planning to use, so we could simplify long forms.

I do a lot of demos for prospective customers. At the end of showing off Connection Broker 8.2, I was typically greeted by blank stares and crickets. With Leostream 9.0, I literally always hear a variant of, "Well, that's straightforward."

Leostream 9.0 isn’t just about a new look and feel, though. Leostream 9 extended our platform to include the Leostream Gateway and HTML5 viewer, it finished our journey to the big-three cloud with support for Google Cloud Platform, it expanded our reach from enterprise to SMB with our integration with the Scale Computing HC3 hyperconverged platform, and it saw our MFA capabilities grow with support for SAML-based identity providers and Duo.

True, we retired support for some older technologies (sorry Citrix), but only those that the market told us were going by the wayside.

Leostream 9 will be with us for a while. Our new packaging and update method make it easy for us to get updates to our customers as soon as we can, so they can keep their Leostream environment running smoothly.

Maybe, by the end of the next decade, we’ll see a Leostream 10. For now, in 2020, we’ll continue updating Leostream 9 to add the features and functionality our customers need to get their jobs done, on-premises, in the cloud, or at the edge.

We hope you decide to take this journey with us.

If the Chrome “experiment” isn’t enough to convince enterprise IT it’s time to get really serious about Disaster Recovery, I don’t know what will.

For those of you out of the loop, last week the Chrome devs pushed out an "experiment" that primarily impacted users accessing Chrome in RDS terminal environments. And who, might you ask, primarily accesses Chrome in RDS? The largest of enterprises, of course.

So, try another browser? Nope, not in these tightly locked down environments. We’re talking hundreds of thousands of employees – largely call centers – unable to do their jobs for two days.

So, how do we prevent something like this from happening again?

There’s a lot of chatter around this topic. One idea is to give enterprises the option to opt-out of such experiments. However, I align with reddit user ShadowPouncer on this one –

“…corporate IT shops need to stop pretending that only one web browser exists.”

Personally, I downloaded the Brave browser this morning, and I am already impressed with the speed and the neat little pop-up that tells me exactly how many creepy trackers they've blocked on any given site. However, as much as I agree with ShadowPouncer that corporate IT shops need to offer a second option for web browser, the question is how to offer that backup, or DR, browser in the event of another Chrome, Firefox, Opera, or even IE failure.

It's not as simple as installing a second browser onto the Windows terminal. Often, in these types of environments, users are so locked down that they don't even open the browser on their own: they are launched directly into the app, completely bypassing the desktop and any option of loading the app in an alternative browser.

The only way to offer the second browser, while maintaining corporate security compliance, is to create a DR pool of desktops within your environment that provide access to the needed corporate app from an alternative browser.

Using a connection broker with advanced user policy settings, the sysadmins at these affected enterprises could switch their users over to the DR pool, and have their call center back online in minutes – rather than the days spent waiting for Chrome to get their *stuff* together.

And, thankfully, the cloud is now a perfect place for that DR pool. By leveraging the cloud, you can switch users over to their backup desktop only for the length of the DR event, and then shut down the DR environment after the event passes. Don’t build a DR environment that sits in your data center forever. Simply rent it in the cloud, only when you need it.

To learn more about how to leverage the cloud for backup desktops, or any type of VDI solution, join our webinar.

Most large organizations use virtualization in at least some capacity, and over 50% of companies over 250 employees have deployed a full-scale VDI solution. The vast majority of these large-scale implementations are built on the full-stack legacy VDI model offered by the likes of VMware and Citrix.

However, these full-stack solutions, built by the enterprise, for the enterprise, come with costly hardware and licensing fees that all add up to an enterprise-level price tag. As a result, the full-stack VDI solution has historically been limited almost exclusively to the realm of the largest organizations.

So where does that leave the rest of us?

The reality is – VDI has enormous benefits for nearly any organization, in any vertical, and of any size.

Optimizing compute resources, providing remote or off-site access, while securing data locally? That’s a no brainer!

Enter Hyperconverged Infrastructure.

Hyperconverged infrastructure eliminates much of the cost and complexity associated with legacy VDI and condenses it all into a neat and tidy box that even the smallest of IT teams could handle dropping into a datacenter. It provides all the compute, storage, and virtualization software you need to make VDI work – on the backend at least.

Let’s explore what happens when smaller companies try to implement full stack VDI and how we can solve those challenges with hyperconvergence and connection management.


The legacy VDI model doesn’t work for the SMB and Distributed Enterprise

Let’s set the stage.

The word comes down from the top that it’s time for your organization to “do VDI” and you were tasked to figure out how. Logically, your first stop is the people who practically invented VDI – VMware.

A very friendly VMware sales rep is happy to take you through everything a VMware VDI solution has to offer – and if it’s anything, it’s impressive. Hardware, virtualization software, compute, storage, networking, connection management, and a display protocol – everything you could ever need for a large scale VDI implementation.

Perfect! Mission accomplished. You pat yourself on the back for being such a resourceful employee. Until the quote comes back, of course. Sticker shock would be putting it mildly.

If you can push through the hefty price tag, you’ll be quick to discover that implementing legacy VDI is not for the faint of heart – or IT teams of less than 10.

So, now it's back to the drawing board.


Hyperconvergence is the key to on-prem VDI success for the SMB and distributed enterprise

So, what is hyperconverged infrastructure? Hyperconvergence, or hyperconverged infrastructure, is defined by the integration of storage, compute and virtualization layers into a single solution architecture.

The idea is to reduce or eliminate the complexity associated with the legacy datacenter architecture. If the primary goal of virtualization is consolidation, hyperconvergence works to apply those same principles on the hardware side.

By applying these principles of consolidation, hyperconvergence allows small and medium businesses to implement virtualization in their datacenters, without the cost and complexity associated with the legacy model.


Connection management turns hyperconverged virtualization into a true VDI solution

However, we know that infrastructure is only half the story.

When we boil it down, the primary goal of adopting VDI, or any technology in a corporate setting, is to promote workplace productivity. We all want to be fast, agile, well-oiled machines, and good technology is what makes that possible. Our goal is to provide our users with technology that saves time, reduces human error, and helps us serve our customers better. So, if any part of that technology process inhibits, rather than promotes, those goals, well –

Houston, we have a problem.

Therefore, we need to prioritize user experience. VDI is going to seem like a very lofty and nebulous topic to your average user, and frankly, they don’t care where their data lives – they just want access.

This is where connection management is the key to VDI success, no matter if your infrastructure is hyperconverged, Cloud, OpenStack, or yes, even VMware – you need a single portal for your users to access everything they need.

So, how can Leostream and Scale Computing help address these challenges?


Leostream and Scale Computing: A Match Made in VDI Heaven

Leostream and Scale Computing were both early pioneers in vendor-independent VDI connection management and hyperconvergence, respectively.

The Scale Computing HC3 virtualization platform is a complete ‘datacenter in a box’ with server, storage and virtualization integrated into a single appliance to deliver simplicity, availability, and scalability at a fraction of the cost.

Leostream installs quickly and easily onto a Linux virtual machine running in the Scale Computing environment. Once installed, it provides “user access for all” with support for nearly any display protocol, including in-browser HTML5 RDP, VNC, and SSH access, from almost any client device – including thin clients, Chromebooks, and tablets.

Additionally, Leostream integrates with multi-factor authentication providers such as Okta and Duo, or any other identity provider that utilizes the RADIUS or SAML protocols.

On the management side, Leostream makes it simple to provision pools of Windows and Linux desktops from a single master image designated in your Scale Computing environment.

Leostream policies can be configured to manage a wide range of business use cases, including persistent or non-persistent desktops, shared or personal desktops, and everything in between.

Leostream partners with software vendors such as Liquidware to provide user profile and data management, application installation and updates, and operating system upgrades for non-persistent machines.

Together, Scale Computing and Leostream are pioneering VDI for the distributed enterprise, SMB, and all those for whom VDI was unaffordable or unrealistic in the past. With their combined expertise in datacenter solutions and in VDI desktop and user management, they can provide a complete VDI solution that is simple to set up, easy to manage and cost-effective, while still offering the features you would expect from a legacy VDI solution.

For more information, contact sales@leostream.com

What is BlueKeep?

At the time of writing, the technical details have not been publicly disclosed, so it is not yet clear exactly where the flaw lies. Microsoft’s advisory for CVE-2019-0708 describes it as a pre-authentication remote code execution vulnerability in Remote Desktop Services (formerly Terminal Services) that requires no user interaction: by sending a specially crafted request over RDP, an attacker could “install programs; view, change, or delete data; or create new accounts with full user rights.”

How many machines are vulnerable?

As of May 15th, scans found over 2.3 million hosts with RDP exposed to the public internet, all of them potentially vulnerable. Unpatched machines running Windows XP, Windows 7, Windows Server 2003, Windows Server 2008 or Windows Server 2008 R2 with Remote Desktop enabled are affected. Requiring Network Level Authentication (NLA) blocks the unauthenticated form of the attack, because the client must authenticate before the vulnerable code is reached, but it is a mitigation rather than a fix. Additionally, the vulnerability is wormable: one exposed machine can give malware a foothold from which it spreads on its own to every other unpatched RDP host on the internal network.

How do I protect my machines?

  • Install the May 2019 security update for CVE-2019-0708 on every affected host. Microsoft also published out-of-band patches for Windows XP and Windows Server 2003, which are otherwise out of support, so install those manually.
  • Enable NLA on the versions that support it (Windows 7 and Windows Server 2008 / 2008 R2). This stops unauthenticated exploitation, but an attacker holding valid credentials can still reach the bug, so NLA is a stopgap until the patch is applied.
  • If RDP access is not required, block TCP port 3389 at the firewall. If it is required, do not expose it directly to the internet; put it behind a VPN or a gateway instead.
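The NLA item above is the one you can verify remotely without logging in. The following block is an added example, not part of the original post and not Leostream software: it sends the RDP security-negotiation request defined in MS-RDPBCGR asking for standard RDP security only, then classifies the reply. A host that enforces NLA refuses with HYBRID_REQUIRED_BY_SERVER; a host that answers with a standard-security confirm, or with no negotiation response at all, can be reached before any authentication takes place, which is exactly the surface BlueKeep needs. The sample replies embedded in the block are constructed, the verdict strings are this example's own naming, and the check says nothing about whether the patch is installed. Probe only hosts you are authorized to test.

```python
"""Probe an RDP listener for its security negotiation behaviour.

Added example, not Leostream code. It sends the X.224 Connection Request
carrying an RDP_NEG_REQ (MS-RDPBCGR 2.2.1.1) asking for standard RDP
security only, then classifies the Connection Confirm that comes back.
"""
import socket
import struct

# requestedProtocols / selectedProtocol values (MS-RDPBCGR 2.2.1.1.1)
PROTOCOL_RDP = 0x00000000     # standard RDP security, no TLS, no NLA
PROTOCOL_SSL = 0x00000001     # TLS
PROTOCOL_HYBRID = 0x00000002  # CredSSP, i.e. Network Level Authentication

TYPE_RDP_NEG_RSP = 0x02
TYPE_RDP_NEG_FAILURE = 0x03

# failureCode values carried in RDP_NEG_FAILURE (MS-RDPBCGR 2.2.1.2.2)
FAILURE_CODES = {
    1: "SSL_REQUIRED_BY_SERVER",
    2: "SSL_NOT_ALLOWED_BY_SERVER",
    3: "SSL_CERT_NOT_ON_SERVER",
    4: "INCONSISTENT_FLAGS",
    5: "HYBRID_REQUIRED_BY_SERVER",
    6: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER",
}


def build_connection_request(requested_protocols: int) -> bytes:
    """TPKT header + X.224 Connection Request TPDU + RDP_NEG_REQ (19 bytes)."""
    neg_req = struct.pack("<BBHI", 0x01, 0x00, 8, requested_protocols)
    # X.224 CR: code 0xE0, DST-REF, SRC-REF, class option, then the RDP payload
    x224 = struct.pack(">BHHB", 0xE0, 0, 0, 0) + neg_req
    x224 = bytes([len(x224)]) + x224  # length indicator does not count itself
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224


def classify_response(data: bytes) -> str:
    """Turn the server's X.224 Connection Confirm into a verdict string.

    The verdict names are this example's own, not protocol constants.
    """
    if len(data) < 11 or data[0] != 3 or data[5] != 0xD0:
        return "not-rdp"
    tpkt_len = struct.unpack(">H", data[2:4])[0]
    if tpkt_len == 11 or len(data) < 19:
        # Confirm without any RDP_NEG_RSP: a legacy server that only speaks
        # standard RDP security, so the pre-authentication path is reachable.
        return "legacy-standard-rdp"
    neg_type = data[11]
    value = struct.unpack("<I", data[15:19])[0]
    if neg_type == TYPE_RDP_NEG_RSP:
        return {
            PROTOCOL_RDP: "standard-rdp-accepted",
            PROTOCOL_SSL: "tls-selected",
            PROTOCOL_HYBRID: "nla-selected",
        }.get(value, "unknown-protocol")
    if neg_type == TYPE_RDP_NEG_FAILURE:
        return "failure:" + FAILURE_CODES.get(value, str(value))
    return "unknown-response"


def nla_enforced(verdict: str) -> bool:
    """True only when the server refused anything weaker than CredSSP."""
    return verdict == "failure:HYBRID_REQUIRED_BY_SERVER"


def probe(host: str, port: int = 3389, timeout: float = 5.0) -> str:
    """Ask a live server for standard RDP security and report what it says."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_connection_request(PROTOCOL_RDP))
        return classify_response(sock.recv(64))


# Constructed sample replies (not captured from any real host) so the
# classifier can be exercised offline.
SAMPLE_NLA_REQUIRED = bytes.fromhex("030000130ed000001234000300080005000000")
SAMPLE_STANDARD_ACCEPTED = bytes.fromhex("030000130ed000001234000200080000000000")
SAMPLE_LEGACY = bytes.fromhex("0300000b06d00000123400")

if __name__ == "__main__":
    import sys
    for target in sys.argv[1:]:
        verdict = probe(target)
        print(f"{target}: {verdict} (NLA enforced: {nla_enforced(verdict)})")
```

Run it with one or more hostnames as arguments. Anything other than `failure:HYBRID_REQUIRED_BY_SERVER` means the host will talk to an unauthenticated client, so it belongs on the patch-first list; a `failure:SSL_REQUIRED_BY_SERVER` result means TLS is enforced but NLA is not, which still leaves the pre-authentication surface exposed.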

RDP allows attackers to bypass the lock screens of remote sessions

A second issue, tracked as CVE-2019-9510, was introduced in Windows 10 1803 and Windows Server 2019. Microsoft’s position is that the behaviour is working as intended, so it will not be fixed. If a user locks the desktop inside an RDP session, someone with access to the client machine can briefly interrupt its network connection; when the client automatically reconnects, the remote desktop comes back unlocked. MFA solutions that integrate with the Windows logon screen, as well as any logon banner, are skipped in the same way.

The root cause is a change in how NLA sessions are resumed: the client’s login credentials are cached on the RDP host so the session can be re-established quickly after a connectivity loss, and the reconnect lands directly in the existing session rather than at the remote lock screen. The attacker therefore needs nothing more than access to an RDP client machine whose session is locked on the remote side, typically an unattended workstation. That is a real precondition, but the behaviour is still concerning because locking the remote desktop is exactly what users are trained to do.

There are a few ways to mitigate this. The first is to disable automatic reconnection through Group Policy on the RDP hosts (the Automatic reconnection setting under Remote Desktop Session Host > Connections, set to Disabled). The second is to tell users to lock the client machine they are sitting at, rather than the remote desktop, when they step away, since the local lock screen is not affected. The third is to have users disconnect the RDP session instead of locking it; a disconnected session stays alive on the host but cannot be resumed without authenticating again.


Some of us prefer Linux to Windows but want something with a modern user interface that doesn’t look like it came out of the ’90s. Given that you can download a seemingly infinite number of Linux distros, why do I find myself always coming back to elementary OS? In this first blog post of what will likely become a series, I explore what makes me choose elementary OS over everything else.


Ubuntu-based

In the modern Linux space a lot of power users will naturally prefer something like Arch Linux for its rolling release and always bleeding-edge features. When running these distros on machines meant for everyday desktop use, though, there is a higher risk of running into newly introduced bugs or code that has not been tested thoroughly by the community. elementary OS is based on the latest Ubuntu LTS release, so the underlying operating system is known to be stable and well tested (or at least as stable and well tested as Linux can be).

Additionally, while something like the Arch User Repository is an amazing community created package repo, I still prefer being able to download a .deb file for whatever program I am trying to install. Packages for Ubuntu still seem to be the norm for most software that I use on a daily basis. A quick installation of a software package called Eddy even enables DEB packages to be quickly and easily installed using a GUI. With so much community support for Ubuntu, diagnosing and solving any OS-level issues that I run into is also much easier thanks to the various resources and the MANY Stack Overflow answers available online. Lastly, Ubuntu has the broadest hardware support of any Linux distro, so it’s a great place to start for most Linux users who want to run Linux on their existing hardware.


Pantheon

Pantheon is the desktop environment developed by the elementary team specifically for elementary OS, and it’s magnificent. It reminds me a lot of (and has taken inspiration from) macOS, which is to say that without being a total ripoff of Apple’s desktop operating system it’s functionally and aesthetically similar in a lot of important ways. Firstly, the dock that sits at the bottom of the desktop, called Plank, is arguably even better than the macOS dock. It comes with a default setting to dodge windows: if windows take up space that overlaps with the dock, the dock automatically hides, but if there are no windows open (or no windows that overlap), the dock proudly displays itself. This is something so simple, but even macOS doesn’t do it, and every time I use a Mac I miss this window dodge feature.

Pantheon also has a concept called workspaces, which is essentially the same as how macOS handles having multiple desktops, except with one key difference. In macOS you have to predefine the number of desktops you want and while you can add more if you need to, it’s not a seamless process. But in elementary OS I can simply use a keyboard shortcut to take the current window I’m using and move it into the next workspace, without having to predefine anything at all, which is a feature I use quite often. Other basic features like tiling two windows on the screen (which requires a separate app on macOS, such as Spectacle), fullscreening the current window, and cycling through windows are also all accessible via keyboard shortcuts. To view a list of the most useful keyboard shortcuts, you just have to press the super key, and a nice list appears for you to review. I prefer the way that Pantheon handles cycling tabs, and workspaces (as opposed to activities in GNOME) over anything else that I’ve found.


Open source software

I know, any Linux distro will have access to these packages, so we are getting into the territory of why Linux is better than Windows and macOS, but still, these packages are why I continue to use elementary OS and Linux in general.

    1. Remmina – a fantastic RDP client
    2. Peek – easy GIF recording, far better than any macOS app I’ve found
    3. TLP + powertop – power management tuning and detailed power usage information
    4. GParted – amazingly powerful disk and partition editor


Subscribe to the Leostream blog to follow my thought series on Linux distros and beyond.

In March, in a blog post by its Chief Security and Information Officer, Citrix notified the public about potential unauthorized access to its internal network. The FBI believes the attackers used a technique known as “password spraying”: rather than hammering one account with many passwords, which trips account lockouts, they try a few commonly used passwords against many different usernames. With more customers exposing their Leostream environments to the internet, what can be done to protect your Broker from unauthorized logins?

The first thing to consider is whether you need Leostream to be publicly accessible at all. If you have remote users logging in, the answer is probably yes. If your users only reach Leostream from the internal network, there is no reason to expose the Broker to the public internet in the first place.

If you do have users logging into Leostream from the internet, what can you do to secure it against attackers?


Multi-Factor Authentication

Multi-factor authentication (MFA) requires users to prove their identity through a second system in addition to their username and password, which is what makes a guessed or sprayed password insufficient on its own. Leostream is working to bring more MFA integrations into the software suite; as of today it supports RADIUS servers as well as Duo Security, which lets users approve login attempts from a smartphone application. Google Authenticator support is planned.


Leostream Gateway

The Leostream Gateway provides a few features that reduce exposure. The first is Broker URL forwarding: only the Gateway is exposed publicly and it relays the web traffic to the Broker, so the Broker appliance itself never needs a public address. The Gateway can also forward display-protocol traffic for end users, so the desktop hosts stay off the public internet and a user’s connection is routed through the Gateway to the host.


Firewall Rules

Putting the Leostream appliances behind strict firewall rules limits who can reach the underlying operating systems at all, for example by allowing SSH only from an administrative network, so a stolen credential is useless from an unauthorized location.


Disabling the Default Admin Account

The Leostream Broker ships with a default account named ‘admin’. Attackers typically begin by trying well-known usernames such as admin or root, so a default name hands them half of the credential. Leostream 9 lets organizations disable the default admin account outright, or rename it to any username they choose.


Rate Limiting

The Leostream 9 Broker also rate-limits login requests by default, using a backoff algorithm: after three consecutive failed attempts for the same user name and source IP combination, further attempts for that combination are rejected for a growing interval, so an attacker cannot simply spam the Broker with guesses. The keying can be changed on the System > Settings page. Limiting by user name plus source IP slows down an attacker hammering a single account, including an internal bad actor who already knows the administrator user name, but note that a password spray, which tries one password against many user names, touches each combination only once and never trips it; watch for a single source address failing against many different accounts as well.
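As an added illustration (not Leostream’s implementation, and not code from this post), the block below models a throttle of the kind just described: a counter keyed by user name plus source IP that locks the key after three consecutive failures and backs off exponentially. It also adds the per-source-IP check that the Citrix-style password spray from the top of this post calls for, since a spray touches each user name only once or twice and never trips a per-user counter. The thresholds, the delays and the sample attempt list are assumptions chosen for the demonstration.

```python
"""Login throttling with backoff, plus a password-spray detector.

Added example, not Leostream's implementation. LoginThrottle models the
behaviour described in the post (lock a user-name + source-IP key after three
consecutive failures, then back off); SprayDetector adds the per-source-IP
view that catches one password tried against many accounts. Thresholds and
delays are assumptions chosen for the demonstration.
"""
from collections import defaultdict
from dataclasses import dataclass

MAX_CONSECUTIVE_FAILURES = 3  # assumed: matches the three-attempt default in the post
BASE_DELAY_SECONDS = 30       # assumed first lockout length
MAX_DELAY_SECONDS = 3600      # assumed cap on the backoff


@dataclass
class FailureState:
    consecutive: int = 0
    locked_until: float = 0.0


class LoginThrottle:
    """Reject attempts for a (user, ip) key while it is in a backoff window."""

    def __init__(self) -> None:
        self._state: dict = defaultdict(FailureState)

    def allowed(self, user: str, ip: str, now: float) -> bool:
        return now >= self._state[(user, ip)].locked_until

    def record(self, user: str, ip: str, success: bool, now: float) -> None:
        """Call after the credentials were actually checked."""
        if success:
            self._state.pop((user, ip), None)  # clean slate on success
            return
        st = self._state[(user, ip)]
        st.consecutive += 1
        if st.consecutive >= MAX_CONSECUTIVE_FAILURES:
            # Exponential backoff: 30 s on the third failure, 60 s on the
            # fourth, and so on, capped at MAX_DELAY_SECONDS.
            exponent = st.consecutive - MAX_CONSECUTIVE_FAILURES
            delay = min(BASE_DELAY_SECONDS * 2 ** exponent, MAX_DELAY_SECONDS)
            st.locked_until = now + delay


class SprayDetector:
    """Flag a source IP that fails against many distinct user names in a window."""

    def __init__(self, window_seconds: float = 600, distinct_user_threshold: int = 10) -> None:
        self.window = window_seconds
        self.threshold = distinct_user_threshold
        self._failures: dict = defaultdict(list)  # ip -> [(timestamp, user)]

    def record_failure(self, user: str, ip: str, now: float) -> bool:
        cutoff = now - self.window
        recent = [(t, u) for t, u in self._failures[ip] if t >= cutoff]
        recent.append((now, user))
        self._failures[ip] = recent
        return len({u for _, u in recent}) >= self.threshold


def simulate(events):
    """Replay (timestamp, user, ip, success) tuples through both controls."""
    throttle = LoginThrottle()
    spray = SprayDetector()
    rejected_by_throttle = 0
    spray_sources = set()
    for now, user, ip, success in events:
        if not throttle.allowed(user, ip, now):
            rejected_by_throttle += 1  # refused before any password check
            continue
        throttle.record(user, ip, success, now)
        if not success and spray.record_failure(user, ip, now):
            spray_sources.add(ip)
    return {"rejected": rejected_by_throttle, "spray_sources": spray_sources}


# Constructed sample traffic (not real logs): one address sprays a single
# password across twelve accounts, another hammers the admin account.
SAMPLE_EVENTS = (
    [(float(i), f"user{i:02d}", "203.0.113.5", False) for i in range(12)]
    + [(100.0 + i, "admin", "198.51.100.7", False) for i in range(5)]
)

if __name__ == "__main__":
    print(simulate(SAMPLE_EVENTS))
    # -> {'rejected': 2, 'spray_sources': {'203.0.113.5'}}
```

Replaying the constructed traffic shows the gap: the brute-force source against `admin` is cut off after its third failure and its last two attempts are rejected without a password check, while the spraying source is never throttled at all because every (user, ip) key sees a single failure; only the per-IP distinct-user count flags it. In production the same counters would be fed from the Broker's authentication log rather than an in-memory list.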


Setting Authorized Locations in the Broker

The Broker has a built-in concept of client locations, which can be used to allow access only from authorized networks. Combining client locations with strict assignment rules prevents users from logging into the Broker from unrecognized locations or unknown networks, so a valid password obtained elsewhere cannot be used from an arbitrary internet address.


Authentication Server Password Policies

Since Leostream integrates with your organization’s authentication server, such as Active Directory, you can rely on its built-in password policy. Requiring longer, more complex passwords makes guessing less likely to succeed, and it directly undermines password spraying, which only works when some users have chosen one of the handful of common passwords the attacker tries.

The answer? It depends. Leostream CEO Karen Gondoly discusses when that expensive, high-performance display protocol really does matter, and when free will work just fine. 


Ever since virtual and hosted desktops emerged, connection brokers have been used to securely connect end-users to resources hosted in the data center. But what’s really going on behind the scenes? In this blog we pull back the curtain to give you some insight into how a connection broker manages users.

