I need to ask all of you enterprise guys a question. First off, a small story for all interested:
The company I’m working for (“We”) recently fell victim to the latest Citrix Vulnerability.
Why: We are a small IT team in charge of everything so we weren’t able to check proactively for issues. Citrix failed to inform in advance (Their response later on was: “Didn’t we? We thought you were on the list…”)
We don’t have issues with mistakes. They are human. They are everywhere. Everybody makes them. But what we have issues with is how it was handled afterwards: false promises, recommended procedures that didn’t work (again answers like: “it didn’t? Well, it should… We’ll get back to you” - 10 days of silence).
So we all agreed - which is rare: IT and management agreeing - that it’s time for a change.
What we are currently planning is ditching Citrix altogether. We have some things solved already:
Sharefile we’ll replace with Nextcloud Hub and an Outlook plugin.
Reverse proxy & Forward proxy will be done by our FW using squid.
Netscalers for Remote Access… well, there’s the problem.
What we need:
We need different desktops for different groups. Currently we use 5 different profiles.
We’d like to have a solution as easy as it is now for our employees: Login to Webportal -> Virtual desktop opens -> done.
We’d like to have some technology change between login and Desktops, hence no direct RDP (Desktops are Windows only… not my idea)
We’d prefer it to be Open Source. Not free necessarily, but Open Source.
We need it to be performant and reliable.
We’d like to be able to publish applications like we can now, but could live without.
2FA is a must
Any ideas? Is there anything you guys are using that you might recommend? We’re only talking about 60 concurrent users/connections. And I’d appreciate @wendell and team and @lawrencesystems inputs as well, if you guys like and can. I figure you may have way more experience in that regard than we have.
We looked at some different offers but there is surprisingly little information and real world experience on the web. At least not easily found.
I don’t have a done solution in mind, but I’m thinking it should be possible to perhaps have:
Thinly provisioned VMs pre-spun-up and running (how many different types of VMs do you have? Just have a Python script run in a loop that ensures a few virgin VMs are always available).
A web app that you build yourself and tailor to your needs that allows the user to reserve a VM (no longer a virgin VM), connect to it, do their work, and, once they log out, destroys the thinly provisioned VM.
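The reconcile-loop-plus-reservation idea from the post above, as an added example (not the poster's code and not any product's API). The hypervisor is a stub class; the same three calls (list, clone from template, destroy) would wrap your real virtualisation API. Profile names, counts and `max_total` are constructed sample values. Each clone is handed to exactly one user and destroyed at logout, never recycled, which is what keeps the "virgin VM" property meaningful.

```python
"""Disposable-desktop pool: keep N idle clones per profile, hand them out,
destroy on logout.  Added example; FakeHypervisor stands in for a real API."""
import itertools
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class VM:
    vm_id: str
    profile: str
    owner: Optional[str] = None      # None means virgin: never logged into


class FakeHypervisor:
    """Stand-in for the real hypervisor: clone a template, destroy a clone."""

    def __init__(self) -> None:
        self._seq = itertools.count(1)
        self.vms: Dict[str, VM] = {}

    def clone(self, profile: str) -> VM:
        vm = VM(f"{profile}-{next(self._seq):03d}", profile)
        self.vms[vm.vm_id] = vm
        return vm

    def destroy(self, vm_id: str) -> None:
        del self.vms[vm_id]


class DesktopPool:
    def __init__(self, hv: FakeHypervisor, min_idle: Dict[str, int], max_total: int) -> None:
        self.hv = hv
        self.min_idle = min_idle        # e.g. {"finance": 2, "sales": 1} (constructed)
        self.max_total = max_total      # hard cap so a bug in the loop cannot fill the host

    def idle(self, profile: str) -> List[VM]:
        return [v for v in self.hv.vms.values() if v.profile == profile and v.owner is None]

    def reconcile(self) -> int:
        """One pass of the background loop: top every profile up to its idle
        target without exceeding max_total.  Returns the number of clones made."""
        made = 0
        for profile, target in self.min_idle.items():
            while len(self.idle(profile)) < target and len(self.hv.vms) < self.max_total:
                self.hv.clone(profile)
                made += 1
        return made

    def reserve(self, user: str, profile: str) -> Optional[VM]:
        """Assign a virgin VM to the user.  None means the pool is empty for that
        profile; the portal should retry after the next reconcile pass."""
        idle = self.idle(profile)
        if not idle:
            return None
        vm = idle[0]
        vm.owner = user
        return vm

    def release(self, vm_id: str) -> None:
        """Logout: the clone is thrown away, never handed to another user."""
        self.hv.destroy(vm_id)
```

The loop body is `reconcile()`; a scheduler (cron, a systemd timer, or a `while True: sleep`) would call it every few seconds, and the portal would call `reserve()` at login and `release()` at logout.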
Good plan. Only: 3 IT guys, ~ 140 servers (including the “desktops”), all the network, security, projects, hand-holding our BI and explaining SQL to their “Infrastructure Architects”, coordinating different countries and Micro-ITs and… well… users. Not to sound unthankful but building our own is out of the question.
“We” is always difficult, since I try to summarize all of the wishes and opinions. We aren’t against RDP. Citrix builds on it or wraps it. We just want to have technology changes, so to speak, in our connections. Right now it is (from outside the company) FW -> Netscaler -> “Citrix” RDP. We’d like to keep an abstraction in between so as to make hopping less likely.
Could you elaborate on that? So the accounts have to be created using Proxmox or can regular AD-Profiles be used for the users?
That actually could work. Having stuff full screen would be nice since the machines used to login are only thin clients and or users are… users. They like it easy and looking like it’s local. But I will add it to the ones to check out. Thanks!
I don’t know enough about RBD RDP to know if it’s possible to steer the TLS connection to the right endpoint based on some kind of SNI. That kind of proxying would be trivial to implement in a few hundred lines in Go. … but then again, build vs. buy.
There’s a URI scheme for RDP that may make it easy for your users to connect to the right endpoint. Not sure if that can help with provisioning of these.
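The routing decision behind the SNI idea above, as an added example (not the poster's code). It parses only the unencrypted ClientHello that a TLS client sends first, pulls out the `server_name` extension, and maps it to a backend; it never terminates TLS, so the desktop session stays end to end and the front door holds no private keys. Backend addresses and host names are constructed placeholders; `build_client_hello` exists only to produce test input. Unknown or missing names are dropped rather than sent to a default backend, and a non-TLS record (for example a bare RDP connection starting with 0x03) yields no route.

```python
"""SNI extraction and backend selection for a TLS pass-through front door.
Added example; hosts and backends are constructed placeholders."""
import struct
from typing import Optional, Tuple

TLS_HANDSHAKE = 0x16
CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000

ROUTES = {  # constructed placeholders: SNI name -> internal broker
    "finance.desktops.example.com": ("10.0.10.5", 3389),
    "sales.desktops.example.com": ("10.0.20.5", 3389),
}


def extract_sni(record: bytes) -> Optional[str]:
    """Return server_name from a TLS ClientHello record, or None if absent/malformed."""
    try:
        if record[0] != TLS_HANDSHAKE:
            return None
        rec_len = struct.unpack_from("!H", record, 3)[0]
        body = record[5:5 + rec_len]
        if body[0] != CLIENT_HELLO:
            return None
        hs_len = int.from_bytes(body[1:4], "big")
        hello = body[4:4 + hs_len]
        pos = 2 + 32                                    # client_version + random
        pos += 1 + hello[pos]                           # session_id
        pos += 2 + struct.unpack_from("!H", hello, pos)[0]   # cipher_suites
        pos += 1 + hello[pos]                           # compression_methods
        if pos + 2 > len(hello):
            return None                                 # no extensions at all
        ext_total = struct.unpack_from("!H", hello, pos)[0]
        pos += 2
        end = pos + ext_total
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack_from("!HH", hello, pos)
            pos += 4
            if ext_type == EXT_SERVER_NAME:
                # ServerNameList: list_len(2) name_type(1) name_len(2) name
                if hello[pos + 2] != 0:                 # 0 = host_name
                    return None
                name_len = struct.unpack_from("!H", hello, pos + 3)[0]
                return hello[pos + 5:pos + 5 + name_len].decode("ascii")
            pos += ext_len
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None


def route(record: bytes) -> Optional[Tuple[str, int]]:
    """Pick the backend for a connection from its first record; None means drop it."""
    name = extract_sni(record)
    if name is None:
        return None
    return ROUTES.get(name.lower())


def build_client_hello(server_name: str) -> bytes:
    """Construct a minimal ClientHello carrying a server_name extension (test data only)."""
    name = server_name.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name
    sni_body = struct.pack("!H", len(entry)) + entry
    exts = struct.pack("!HH", 0x0017, 0)                # empty extended_master_secret first,
    exts += struct.pack("!HH", EXT_SERVER_NAME, len(sni_body)) + sni_body  # so the walk is exercised
    hello = b"\x03\x03" + bytes(32) + b"\x00"           # version, random, empty session_id
    hello += struct.pack("!H", 2) + b"\x13\x01"         # one cipher suite
    hello += b"\x01\x00"                                # null compression
    hello += struct.pack("!H", len(exts)) + exts
    hs = bytes([CLIENT_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return bytes([TLS_HANDSHAKE, 0x03, 0x01]) + struct.pack("!H", len(hs)) + hs
```

In a real relay the front door would peek these first bytes on the accepted socket, call `route()`, open the backend, and then splice both directions unchanged. SNI is a routing hint only: it is sent in clear and is chosen by the client, so authentication still has to happen at the broker behind it.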
Proxmox can use PAM for the web authentication, so using AD LDAP is probably the way to go there. That being said, I don’t think Proxmox would be the cleanest integration for end users without some custom stuff to make sure they don’t get lost or confused. As much as I like Proxmox, Guacamole looks cleaner.
Ok, I’ll have to check out Proxmox then. Maybe some others in here are already using it. Might make a new post once we’ve narrowed it down. Thanks!
Yes, both tickets and certs. Tickets are handled by AD, Certs are handled by Internal Root-CA.
Our issue exactly. None of us are programmers. We’re “Script Kiddies” at best in that regard. Yes, we all have some coding experience and are fine with scripting to a degree but well… And home brew (no pun intended) solutions are a PIA to administer, troubleshoot and expand in a professional environment.
Thanks for chiming in. Yes, it seems Proxmox would be way more hassle than we can handle. Especially in the long run.
Thanks to all of you guys. Not exactly what I was hoping for but still good pointers. I guess we’ll have to keep on looking and evaluate what you proposed. And maybe do a user acceptance test regarding the HTML5 only clients…