Reverse Seamless & RES VDX: Separating facts from fiction

RES VDX, the discussion continues

[Note from Brian: We've had an interesting conversation the past few days on BrianMadden.com and SearchVirtualDesktop.com about RES Software's Reverse Seamless product. I first wrote "RES Software launches standalone reverse seamless VDI tool" where I generally praised the product's awesomeness. Then earlier this week we published a blog post from AppDetective called "Why reverse seamless is not as cool as Brian thinks it is." After dozens of comments it's become clear that this is a hot topic, so I thought it made sense for RES themselves to join the conversation. And that's what today's post is. (But don't worry. This is it! I promise no more posts on this topic for awhile. :)]

Let me first start this article off by providing some context. My name is Max Ranzau, and yes, I do work for RES Software. However, I've been running my own independent blog (as in "not RES sponsored") for well over two years, giving me a certain level of impartiality. I work with the RES technology, and that's it. In the last decade I've made my living doing just that, even for seven years prior to joining the company in 2007.

To paraphrase P.T. Barnum: "there's no such thing as bad publicity." I'm not sure my esteemed colleagues in marketing would agree, which is exactly why I'm not in marketing :) However, it's blatantly obvious that some have an axe to grind with RES for having the audacity to file for a patent on something that was invented and put into production years ago and then actually sell this patented product to customers who will benefit from the solution. Hence, there is a need to clarify a few misconceptions and dispel the associated myths. I’d like to thank Brian for providing us with the opportunity to do so.

So, let's set the record straight:

Myth: VDX is not secure!

What is there to secure? The remote session is completely and utterly separated from the local session. If you're worried about sending certain MIME types or file extensions over the wire, then just switch them off. It's all fully configurable via the server side component (called the "VDX Engine"). See the guide here for details.

Second, if the local Windows endpoint is a security concern, there are solutions available to solve that issue (like RES Workspace Manager and several others).

Third, sending information over the wire is not a security concern because we use the virtual channels inside the carrier protocol (HDX or RDP). Both can be encrypted. Additional encryption can also be added on top--VDX doesn't really care. While security folks can be perceived as the party-poopers of the industry, their jobs are usually justified. It's those few individuals among them who cry wolf in a misguided quest for job security that we need to worry about.

Myth: VDX is not cool!

Actually, it's very cool. At least that's what our thousands of customers tell us. Especially with the Z-order stuff enabling a local app to be sandwiched in-between a remote desktop and a remote application. This makes the blending very convincing for the user. (For more info about how VDX actually works, see this article on my blog.) There is definitely a need for it, and we're seeing them hotcakes sell quite well already!

Myth: VDX does not use virtual channels!

Yes it does. Period.

Myth: Danger! Danger! Third party!

It almost sounds like this is supposed to be a bad thing. Yet on a Windows platform, everybody except Microsoft is a third party — Citrix, VMware and RES included. Take the Wikipedia definition for reference: "In computer programming, a third-party software component is a reusable software component developed to be either freely distributed or sold by an entity other than the original vendor of the development platform." So yes, per definition RES VDX is indeed a third party application, but can we please dispense with the negative implication? It’s like complaining that water is wet.

Myth: RES Software is a small vendor: It's risky!

Everybody has an unpleasant vendor experience sooner or later, but let's try not to judge a book by its cover--or the number of pages for that matter. RES Software has been around for over twelve years, and if I've got anything to do with it, we'll be here for at least another twelve. The numbers are solid, the technologies are sound (we happen to have multiple other products in addition to VDX) and we are continuing to form strong alliances with the major players in the market. Also remember that all the big guys were also once the size of RES Software.

Myth: VDX may not support Aero!

[Max: Post publishing--I had to do a slight redaction here] VDX is Aero aware. However it's not currently possible to bring the "glass-effect" into a remote session. What happens is that the VDX Plugin component on the client side disables the Aeroglass effect locally while the remote session is in effect, and then re-enables it when the session ends. Just for the record VDX also works fine with x64 systems.

Myth: VDX should be free!

No it shouldn't. At least not yet. RES has never registered this or any other patent just to sit on it and milk it for cash. Our major revenue streams come from selling RES Workspace Manager and RES Automation Manager. With regard to reverse seamless windows, RES Software has provided value to customers for the last eight years starting with the Subscriber and the Workspace Extender agents. These were baked into our own Workspace Manager product (formerly known as PowerFuse) for years. (See this article for the development history.)

Now since RES released VDX as a stand-alone product, if someone feels it should all of a sudden be a part of someone else’s protocol, feel free to encourage that vendor to talk to RES about this. I'm sure the "powers that be" are busy sorting it out one way or the other. That's above my pay grade to discuss anyway. Either way, until whatever happens, RES Software will exercise its right to develop, patent and sell great technology like any other vendor on the market. And, ultimately, that’s a benefit for our customer base.

Thank you for your attention

Max Ranzau (@resguru)

16 comments

Hi Max,


Thanks for the write-up;


In my lab VDX doesn't work with Windows 7 Aero Glass. Are you sure Aero Glass is supported (and works) or do you mean another functionality?


Ruben



Excellent "clarification" :)


I don't think charging for a value added feature is an issue. $15 RRP which means in quantity can be driven down and that's within my conform zone.


I don't think for one second that if Citrix or anyone else got this concept into production before RES, they would make it free for all!



comfort zone!



@Ruben - On the topic of Aero, you're right - this needs to be redacted a bit. VDX is _aware_ of Aero, but it's not currently possible to bring the "glass-effect" into a remote session. I'll be happy to dig out the technical details for you later.


What happens is that the VDX Plugin component on the client side disables the Aeroglass effect locally while the remote session is in effect, and then re-enables it when the session ends.


I'll have to ask Brian if he'll let me update this in the article.


/Max



Updated



@MaxRanzau Quick look at the documentation shows editing an XML file to control behavior. So that means manage distributed XML files I assume? Central management comes from upsell to core RES product I also assume? Still worth $15? Is that secure if an XML file can be used to override a central policy?


When the protocol vendor releases a client patch, I assume you have to upgrade the VDA or equivalent? If that is the case what happens if you release a patch off cycle from the vendor? Does that mean X client updates for me. How do I know they are tested together or do I just assume they will not break each other?


Is RES saying they are willing to license the patent and nobody has asked them? If you are saying that, you must be Baghdad Bob en.wikipedia.org/.../Muhammad_Saeed_al-Sahhaf


Come on RES I am sure that is not true. I will ask this question, trust me.


@danielbolton So an SMB will pay $15 to get not a lot and not worry about cost, hmmmm:-) There is no business model here, and why it will be a free feature since it's worth more to the big guys dealing with problem apps that they can't remote.



@appdetective if a SMB NEEDS it they should pay :)



VDX is really cool, only one thing. It opens all my applications that are also open on my desktop!!!



@Assad, yes that's default behavior. If you don't want it, you can switch it off with HKCU\SOFTWARE\Policies\RES\VDX Engine\EnableClientDesktop = 0 (REG_DWORD). More info about setting it via policy or config file here: https://bit.ly/gG5LUV



Thanks Max for the rebuttal, good service.


By any account it’s embarrassing for @appdetective to have just assumed without getting the facts straight (I refer to the virtual channel blunder) and other comments showing a lack of technical insight. I think it’s fair to highlight this.


Nevertheless, I do agree with the points raised on the merits of RES VDX being a standalone, patch-on solution rather than a basic integral part of the major Desktop Virtualization solutions.


On the security side of Desktop Virtualization, it’s much to be regretted that hitherto the issues, by and large, are avoided and not discussed properly.



I have a question about the security risk of reverse seamless, namely, can someone explain exactly what the risk is? Because if reverse seamless is really just a window z-order trick.. I mean what's the risk? Anything the user is doing on their client is on the client.. And if you're worried about cutting and pasting sensitive data or a content redirection issue.. that's not a reverse seamless-only thing, you know?



@appdetective I enjoy reading your comments but I am a bit surprised and disappointed with this blog in general as it feels like a concentrated attack on a vendor.


That being said, since you bring up the idea of "what if" your patch cycle does not align with the vendor and the fact that you have to constantly update etc..


Did you know or were you aware that when VMware released vSphere 4 U1, the first thing it broke was PCoIP, which they OEM by the way? Microsoft releases endless upgrades that break Citrix software and they are well aligned.


How could you even use this analogy and I know for a fact you know better.


One other note on the XML thing :) So of all the security risks that can be exploited, someone is going to try and hack a reverse seamless session and land inside a locked down VDI session? :) Why exploit it in the first place? If they have already hacked the host PC, then they control the host user's privileges already, why not use that host to jump around, why do they need the reverse seamless.


Come on dude :)


Eli



Brian, it's about introducing client side computing and thus dual management. The assumption is that the end client management either doesn't happen or is done poorly. Further it's assumed that the end client (The PC) in itself becomes a black hole with little or no control over, in effect an attack vector. So you see it’s not directly about the technology, but the implied potential consequences of thereby (again) introducing client computing on the end point.


At least that’s what I meant with “context of the concept”


That said. I do think this is a quite lousy excuse for security problems (and within actual dual managed desktops a non-issue) in the face of the myriads others more real security issues, especially within SBC, but to some degree also within VDI.



I just can't bite my tongue any longer :P


@appdetective: I feel a lot of pent up anger and I'm not sure it's not all aimed at RES Software. Why are you so against paying for the reverse seamless technology? If you don't think it's worth the money then don't buy it. It sounds like you want something for nothing which, let's be honest will never happen. I assume you pay for published applications/desktops from Microsoft and/or Citrix (not that you'll be happy about it). Why don't we get that for free too?


I'm sure that if the vendors such as Citrix, MS and Quest etc were interested in licensing the technology from RES then they would be talking as we speak or at least be thinking about it. If not, it's obviously not that much of an issue for their customer base. End of story. If it is a requirement, you now have a solution for the users that require this functionality (and you only need to license the users that use it). What's the value of that?


As for the off cycle patching and breaking stuff, it's a moot point. All vendors are at risk of this; just look at the VMware View/PCoIP incident a little while ago.


There. I feel a little better now! Iain



When you need to define policy for different local app interaction per client with the hosted desktop you will need to integrate with the core desktop virtualization security infrastructure. Example cut and paste between local app and hosted application needs to be managed at a per app level, not a generic host setting that determines the behavior for all clients. The Reverse Seamless use case will open up many use cases like this, and therefore it needs to be part of the core protocol, well integrated, secured, attested etc.


@DanielBolton I expect that to be provided as required functionality for remote desktops from the vendors who are already well paid to provide me with remote desktops.


@Elias I agree with your admin rights point. However it's important to understand that central management of this is overhead and lowers the value of a $15 standalone solution that is nothing more than an upsell to the core RES product suite. It's critical to understand that. Add to that the above use cases, and the security integration and testing becomes a lot more complex and risky, which will mean a lot more risk acceptance from any potential customer. Perhaps your friend Bruce Hoard for virtualNOTreview can write about it......


@kimmo, yes leveraging the VC as a transport is true, but that does not mean it's secure, see above use cases. So understand the use cases.


@Lain, A deeper level of integration is required to meet the use case needs, so it's not the same thing.


Therefore I maintain that RES is using their patent to try to differentiate themselves. That is not their core product or focus, and it's nothing more than a way to upsell that to naive people who don't understand the implications. They have not made a public statement about licensing their patent to the protocol providers  (where they can make money). The protocol providers who are the only ones who can evolve the FREE feature to meet the required use cases. Therefore those of us who want the feature to solve real world use cases are unable to do so, because it will not be possible for RES to do it themselves unless they provide direct evidence that they are jointly developing their standalone roadmap with full cooperation from the protocol vendors. That is not going to happen.


These kinds of marketing scams fool simple minds. If you want to fall for that go right ahead and pay RES for a feature that will never evolve to solve many use cases. I instead will continue to insist that is a requirement to deploy desktop virtualization at scale. I have already paid the vendors for that, and therefore I expect them to provide a feature that I need for a successful deployment. If they can't, what value is there in me paying the vendors for software maintenance every year when I can't use it the way I need? Maintenance is not about funding vendors to build features for naive people, it's money I have to defend in budgets to enable my business users, EOM.



Anyways, guys. I think that the discussion has been healthy and good.


In the society as general and with great speed in the world of technical geekiness it’s the way of self-chosen numbness in the face of the real or imagined expectations on the surrounding etc.


I think it’s great for people to freely express and debate – exchange. I also believe that it’s fundamental to acknowledge that retraction is victory and not a loss, and by all means something that we should reflect in our own.

