High Performance Remote Desktop Access for Mobile Users Without the Pain and Complexity of VPN/RDP
March 2015
Table of Contents
1. Situation Analysis
1. Challenges extending VPN / RDP to mobile users
2. Introducing Splashtop Enterprise
3. How Splashtop Enterprise Addresses Your Needs
3.1. High Level Overview
3.1.1. Splashtop Enterprise App
3.1.2. Splashtop Center
3.1.3. Splashtop Streamer
3.2. Helping to Meet HIPAA Compliance
3.3. Typical DMZ set-up
3.4. Splashtop Center Administration
3.5. Implementation Overview — Four Simple Steps
3.6. Bandwidth Considerations
3.7. Additional Ways to Use Splashtop Enterprise
4. The New Approach to Remote Desktop Access
1. Situation Analysis
Extending legacy VPN/RDP to mobile devices can be fraught with challenges. Lengthy, complex, and error-prone configuration of mobile VPN and RDP clients can result in downtime and additional management costs. Users are frustrated with remembering multiple logins. Remote connections back to desktops are painfully slow. Splashtop Enterprise represents a unique alternative to this traditional approach.
Splashtop is used by over 18 million users and is the market-leading remote access solution. With Splashtop Enterprise, organizations can deliver secure remote desktop services more efficiently and more cost effectively, using a solution designed from the ground up for today's mobile users while retaining the same level of security as a VPN.
This white paper provides server, desktop, network and security personnel with an architectural overview and description of Splashtop Enterprise and how it compares to a traditional VPN/RDP solution.
1. Challenges extending VPN / RDP to mobile users
Despite the explosion of mobile devices and the increasing trend of BYOD, most businesses still rely on legacy solutions designed decades ago to connect mobile users back to desktops.
RDP is Microsoft's Remote Desktop Protocol, which lets users connect to remote Windows desktops. Exposing RDP directly outside the firewall puts the traffic at risk and makes the host computers themselves targets for outside attack, so a VPN is required in front of it. Once connected over the VPN, however, the user is given access to the corporate network as a whole: retrieving files, accessing documents, browsing the internet or logging in to specific services hosted on the corporate network.
However, when this conventional VPN/RDP approach is extended to support tablets and smartphones, the situation changes dramatically:
• Lengthy, complex, and error-prone configuration of mobile VPN and RDP clients can result in user downtime when using line-of-business applications.
• Users are confused by having to remember multiple logins: VPN client, RDP app, desktop.
• There is significant slowness when accessing applications: users selecting menu options or typing text do not see an instant response, leading to frustration.
• Typically internet access is also pushed through the VPN. This increases the load on the VPN appliance, leading to a bad user experience and potentially impacting other network services.
• Lack of vendor documentation for VPN client and RDP app configuration, or conflicting options, leaves user forums as the source of answers. It is hard to even know which vendor to contact when it comes to getting answers.
• There is no one way to reliably configure VPN clients with RDP apps, resulting in time-consuming trial-and-error set-up and on-going maintenance.
• Mobile client connections may involve users authenticating through third-party cloud/SaaS servers that exist outside of your organization's network, which increases security risk.
• Mobile users may download a variety of RDP apps, each offering different configuration options and user experiences as they behave differently, all of which IT has to support.
As can be seen, ensuring a fast and reliable RDP connection across a VPN can be a challenging, lengthy and tortuous experience. Splashtop Enterprise addresses these challenges and more.
2. Introducing Splashtop Enterprise
Splashtop Enterprise eliminates the pain and complexity involved in extending existing VPN/RDP technologies to mobile devices. Splashtop Enterprise delivers:
• A managed, on-premise service that is secure, easy to set up and cost effective to operate.
• High performance, secure remote access to desktops and servers that reside inside the company firewall.
• Integration with the existing Active Directory infrastructure.
• Significantly reduced user frustration by delivering applications to their mobile devices with the speed and ease of use they would have sitting in front of their desktops.
“Splashtop satisfied our two top priorities — security and budget. It provides a cost-effective and secure gateway to our desktops without the need to allocate additional server resources or incur additional licensing cost.”
Velta Moisio, Director, Information Technology, Lake County Juvenile Court

The physical setup for Splashtop Enterprise is comparable to a basic VPN/RDP solution: remote clients connect to a server on the network over a secure tunnel and authenticate based on access policies applied to the connection.
However, despite being similar in terms of physical setup, the two systems differ significantly in important key areas. The following table contrasts network configuration, desktop setup, mobile device setup, operational/management and performance. It demonstrates how Splashtop Enterprise eliminates many of the challenges of using VPN/RDP.
Table 1: Comparison of Splashtop Enterprise to Legacy VPN/RDP

Operational / Management
  Legacy VPN/RDP:
  • Multiple points of administration and configuration to support mobile users
  • Need to support multiple, inconsistent mobile VPN and RDP clients/apps
  • Mobile activity must be synthesized from multiple server logs
  Splashtop Enterprise:
  • Unified administration console
  • Single mobile remote access solution
  • Centralized logging with audit trail

Network
  Legacy VPN/RDP:
  • Set up and maintain multiple firewall policies for each user device
  • Configure port forwarding on the router
  • Configure the VPN appliance for mobile device access
  • Configure policies for VPN access
  Splashtop Enterprise:
  • Single firewall policy/port; no additional complex firewall policy/port configuration is required
  • Single point to define user and device access policies

Desktop
  Legacy VPN/RDP:
  • Configure each remote desktop for RDP (may require a Windows upgrade to support RDP, or installation of additional third-party software)
  • Grant access rights for each user on each remote desktop separately
  Splashtop Enterprise:
  • Install Splashtop Streamer on each remote desktop

Mobile
  Legacy VPN/RDP:
  • Configure an L2TP client for the secure connection (VPN)
  • Evaluate, install and configure an RDP app for remote desktop access
  • Train users on the different gestures and menus of each RDP app
  Splashtop Enterprise:
  • Install the Splashtop Enterprise App onto mobile devices
  • Single-app architecture with intuitive gestures for an excellent user experience

Performance / Use cases
  Legacy VPN/RDP:
  • Tunneling RDP within a VPN is inefficient: it increases the connection payload and so consumes more bandwidth
  • Poor video streaming means it cannot support 3D/graphics-intensive applications without considerably more bandwidth
  Splashtop Enterprise:
  • The Splashtop streaming protocol requires just 300 kbps for general office productivity
  • Additional use cases include: working with graphics-intensive 3D images / animation; viewing full-screen video such as product training; engineering/design simulation; viewing medical images
3. How Splashtop Enterprise Addresses Your Needs
3.1. High Level Overview
The Splashtop Enterprise solution is comprised of three components, each residing on different systems within an enterprise network. Together, they provide a high performance and secure remote desktop experience.
3.1.1. Splashtop Enterprise App
The Splashtop Enterprise App is a lightweight remote client that is installed on an employee’s mobile device, such as an Apple iPad or iPhone, Google Android phone or tablet; Macs and Windows PCs and laptops are also supported. Users connect to desktops using the same AD credentials they use at their desk.
3.1.2. Splashtop Center
Splashtop Center is installed within the enterprise firewall (or DMZ) on a Windows-based system and brokers connections between the user’s mobile device (running the Splashtop Enterprise app) and enterprise desktops (running Splashtop Streamer software). It also provides an administrative console to manage users and devices. Seamless integration with existing Active Directory (AD) domains helps IT administrators simplify the process of local user authentication and ensures that only authorized users can establish remote sessions. Since all Splashtop traffic is managed by Splashtop Center, only a single firewall policy is required, not per-user policies, reducing the firewall management workload. Security policies are applied within Splashtop Center as part of each user’s assigned policy.
3.1.3. Splashtop Streamer
This agent software must be installed on the target desktop the user will access. IT administrators can install the software by visiting the user's desktop, by using existing management tools, or optionally by allowing users to download the software from the Splashtop Center server themselves. To let a user access more than one desktop, IT administrators must install streamers onto those other systems. The streamer software can automatically log in using the user's AD credentials; administrators who prefer users to re-enter their password on every connection can disable this auto-logon from the Splashtop Center console (see section 3.4).
3.2. Helping to Meet HIPAA Compliance
For organizations specifically concerned with Health Insurance Portability and Accountability Act of 1996 (HIPAA) compliance, please see the white paper 'How Splashtop Helps Support HIPAA Compliance'.
3.3. Typical DMZ set-up
All communications within the Splashtop Enterprise solution, from the mobile app through Splashtop Center to Splashtop Streamer and back again, are carried over Splashtop's patent-pending streaming technology and protected with the IETF-standard Transport Layer Security (TLS) protocol. Splashtop Enterprise also guards against eavesdropping on, modification of, and replay of communications by restricting the negotiated cipher suite to 2048-bit ECDH-RSA with 256-bit AES-CBC and SHA-1 (see Figure 5: Splashtop Center Deployment in DMZ). Two general properties of that suite are worth knowing when evaluating a deployment: a static (non-ephemeral) ECDH key exchange does not provide forward secrecy, so a later compromise of the server's long-term key would allow recorded sessions to be decrypted, and CBC-mode suites with a SHA-1 HMAC are the family that TLS 1.2's AEAD suites (AES-GCM) were introduced to replace. Check which TLS version and suite the Splashtop Center listener actually negotiates rather than relying on the documented default.
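To check what a broker listener such as Splashtop Center actually negotiates, the following script performs one TLS handshake against a host and port, then flags the suite properties discussed above (legacy protocol version, lack of forward secrecy, non-AEAD record protection, SHA-1 HMAC, weak bulk ciphers). It is an added example written for this page, not Splashtop's own code or tooling; the host and port are command-line arguments because the white paper does not state which port Splashtop Center listens on, and the suite names it classifies are OpenSSL-style names as returned by Python's ssl module.

```python
"""Probe a TLS listener and flag cipher-suite properties a security
reviewer cares about. Added example, not Splashtop's own code: host and
port are command-line arguments (the white paper does not state which
port Splashtop Center listens on)."""
import socket
import ssl
import sys

# OpenSSL-style suite names, as returned by SSLSocket.cipher()[0].
KEY_EXCHANGES = ("ECDHE", "DHE", "ECDH", "DH", "ADH", "AECDH", "PSK", "SRP")
EPHEMERAL = ("ECDHE", "DHE")
AEAD_MARKERS = ("GCM", "CHACHA20", "CCM")
WEAK_MARKERS = ("RC4", "DES-CBC", "NULL", "EXPORT", "IDEA", "SEED")


def assess_cipher(name, tls_version):
    """Return a list of findings for a negotiated suite; empty means nothing to flag.

    name        -- OpenSSL suite name, e.g. 'ECDH-RSA-AES256-SHA'
    tls_version -- as returned by SSLSocket.version(), e.g. 'TLSv1.2'
    """
    findings = []
    if tls_version in ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1"):
        findings.append("legacy protocol version %s" % tls_version)
    if name.startswith("TLS_"):
        # TLS 1.3 suites: key exchange is always ephemeral and record
        # protection is always AEAD, so only the version check applies.
        return findings
    first = name.split("-")[0]
    # A name that does not start with a key-exchange token is an RSA
    # key-transport suite (e.g. 'AES256-SHA').
    kx = first if first in KEY_EXCHANGES else "RSA"
    if kx not in EPHEMERAL:
        findings.append("no forward secrecy (key exchange %s)" % kx)
    if not any(m in name for m in AEAD_MARKERS):
        findings.append("non-AEAD record protection (MAC-then-encrypt)")
    if name.endswith("-SHA"):
        findings.append("SHA-1 based HMAC")
    if any(m in name for m in WEAK_MARKERS):
        findings.append("weak or null bulk cipher")
    return findings


def probe(host, port, timeout=5.0):
    """Handshake once with the listener and report what it negotiated.
    Certificate verification is disabled on purpose: we are inspecting
    the endpoint's configuration, not trusting it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            name, _, bits = tls.cipher()
            return {"version": tls.version(), "cipher": name, "bits": bits}


def report(host, port):
    """Probe the listener and return (negotiated parameters, findings)."""
    result = probe(host, port)
    return result, assess_cipher(result["cipher"], result["version"])


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: tls_check.py HOST PORT")
    res, found = report(sys.argv[1], int(sys.argv[2]))
    print("%s:%s negotiated %s %s (%s-bit)" % (
        sys.argv[1], sys.argv[2], res["version"], res["cipher"], res["bits"]))
    for line in found or ["nothing to flag"]:
        print(" -", line)
```

The probe reports only the single suite the server prefers for this client's offer; to enumerate every suite the listener accepts, call probe() repeatedly with ctx.set_ciphers() narrowed to one suite at a time. Against a listener pinned to the suite the white paper names, assess_cipher() returns three findings: no forward secrecy, non-AEAD record protection, and a SHA-1 based HMAC.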
3.4. Splashtop Center Administration
Splashtop Center provides a robust, unified administrative console that includes:
• Active Directory (AD) integration - Support existing AD for authentication
• Centralized policy-based control - Set user and device access policies, activate/deactivate users and devices, MAC address filtering, create or import SSL certificates, set maximum frame rate per user connection, set idle timeout
• Reporting - View real-time connections and audit trails
• Grouping - Allow access to a shared pool of physical or virtual desktops
With the installation of Splashtop Streamer on the Splashtop Center server, the console can be accessed remotely by administrators from a Splashtop Enterprise app on a mobile device (or Windows PC or Mac).
Active Directory (AD) integration eliminates redundant administration tasks and ensures consistency of user identities. By authenticating against the domain in read-only mode, the risk of modifying the existing AD infrastructure is reduced. Only approved devices and users that have been specifically added by the administrator can access desktops. Administrators can also allow/deny remote access by mobile devices individually using MAC addresses, lock or disable access by a specific device, disable auto-logon (forcing users to enter passwords to connect), and de-activate a mobile device entirely. Because a client's MAC address is not visible across routed networks and is easily changed on the device, treat MAC filtering as a device-inventory control layered on AD authentication rather than as an authentication factor in its own right. Groups can be created to act as a shared resource pool for users. Splashtop Center also displays the active status of connections, IP addresses, connection time and duration as well as device type, logging this information in an audit trail.
(Figure: IT Security Controls)
3.5. Implementation Overview — Four Simple Steps
1. (IT setup) Set up Splashtop Center on a Windows server (for an initial proof of concept you can install it on your existing desktop).
2. (User setup) Install the Splashtop Enterprise app on mobile devices (users download it from the device's app store).
3. (IT setup) Create users and define access policies. Users can be created by accessing Active Directory or by creating local users.
4. (IT setup) Install Splashtop Streamer on each computer to be accessed. (User setup) Users log in and connect to their desktop.
3.6. Bandwidth Considerations
Splashtop Enterprise is capable of providing a truly interactive experience to mobile users, delivering 3D graphics and HD video without compromise using relatively modest bandwidth. Splashtop Center policies can be defined to throttle the frame rate for specific users (from 1 to 60 frames per second), allowing administrators to reduce bandwidth for each connection if required.
Bandwidth required per session:
• General productivity usage: 300 kbps
• Optimal performance: 800 kbps
3.7. Additional Ways to Use Splashtop Enterprise
In addition to providing an alternative to VPN and RDP technologies, Splashtop Enterprise opens the door to discover new ways to extend company resources to mobile devices:
“Tabletize” Office, Outlook, and Corporate Apps
Support existing MS Office, IE-only, .NET or Java applications without rewriting them or retraining users.
Extending VDI
Deliver virtual desktops to mobile devices more cost effectively and with greater performance.
Turn Mobile Device into an Interactive Whiteboard
Allow teachers, presenters or instructors to be freed from their computer to teach in all four corners of the classroom.
High-Performance / High Fidelity Remote Access to 3D/graphics
Deliver highly responsive 3D AutoCAD, animations, simulation, and medical images.
Pooling of Resources
4. The New Approach to Remote Desktop Access
Extending legacy VPN/RDP technologies to mobile devices can be fraught with challenges. Businesses of all sizes can use Splashtop Enterprise to deliver, efficiently and cost effectively, a secure remote desktop solution uniquely designed to support the demands of today's mobile workforce. Its key features are:
Market Leading Performance - Patent-pending streaming technology and intelligent optimization techniques deliver up to 30 frames per second with synchronized audio for superior performance and highly responsive user interactivity
Simplicity - No complicated changes to your existing server hardware, networking, or storage infrastructure; intuitive administrative console for efficient user management
Secure - On-premise service that encrypts all traffic between the app, Splashtop Center and Streamer with TLS and integrates with your existing Active Directory (AD) infrastructure
Universal - A single app that supports a broad range of mobile devices and use cases
Cost Effective - Eliminates lengthy trial-and-error setup and reduces ongoing maintenance costs
MDM/MAM integration - Deep integration with MDM / MAM partners adds additional on-device security and control
For further details and to start a free trial, please visit www.splashtop.com/enterprise
Splashtop aspires to touch people’s lives by delivering the best-in-class remote desktop experience – bridging tablets, phones, computers and TVs. Splashtop technology empowers consumer and business users with high-performance, secure, interactive access to their favorite applications, media content and files anytime, anywhere.
4.1. Contact Information: Office Locations, Telephone Numbers

Silicon Valley Headquarters
1054 S. De Anza Blvd, Suite 200
San Jose, CA 95129
U.S.A.
+1.408.861.1088

Taipei Office
5F., No.152, Sec. 1, Zhongxiao E. Rd., Zhongzheng Dist.,
Taipei City 100, Taiwan, 10049
+886.2.2351.3030

Tokyo Office
Level 20 Marunouchi Trust Tower - Main
1-8-3 Marunouchi, Chiyoda-Ku
Tokyo 100-0005 Japan