Flip. Flop. Flip. Flop... Flip!
Ever since the RDP 6 / Bear Paw rumors came out five years ago, I've gone back-and-forth as to whether the increased features in Terminal Server will impact Citrix's Presentation Server business. I originally thought Citrix was screwed. Then I didn't. Then I did. Then I wasn't sure. But now that Windows Server 2008 has been released, and now that its Terminal Services capabilities have been used in the field, I feel confident saying that Citrix has nothing to worry about. In other words, I do not feel that the native capabilities of Terminal Services on Windows Server 2008 are a threat to Citrix at all.
I know that several other folks have written about this before (and some of this has even been captured in our automated industry news bot), but I'd like to officially go on record as to specifically why I think Citrix has nothing to worry about.
Terminal Server 2008's interesting features
Citrix and Microsoft have always been in a quasi-competition in this space ever since Microsoft announced the first version of Terminal Server in 1997. Since then each release of Terminal Server has created a new round of fears. And each time Citrix has been able to address those fears and MetaFrame / Presentation Server / XenApp has gotten stronger and stronger.
So when the rumors of RDP 6 started five years ago, Citrix's response was "What's the big deal? This is the same battle that we've been fighting since the beginning of Terminal Server."
But I wasn't so sure about that. Sure, I agreed with Citrix in the past. But if you look at the features that were rumored to be in the Terminal Server plans, they looked scary to Citrix. They certainly looked like they could take away a significant portion of Citrix's low-end market.
There are charts floating around on the Internet that show a very detailed list of every feature that Terminal Server 2008 (and Citrix, for that matter) has. But if you boil away the marketing fat, Terminal Server on Windows Server 2008 has six primary features that could be scary to Citrix:
- TS RemoteApp (a kind of seamless windows / application publishing)
- TS Web Access (a web front end for TS RemoteApps)
- TS Session Broker (a load balancer for incoming RDP sessions)
- TS Gateway (an SSL gateway for RDP)
- TS Easy Print (an XPS-based printing solution)
- Windows System Resource Manager (performance management)
This is certainly an impressive list--if you don't take the time to learn about how each of these features actually works. (In other words, according to this list, Citrix is screwed! But according to anyone who's actually used the product, Citrix has nothing to worry about!)
Let's look at each of these six major new features and compare them to what you get with Citrix Presentation Server.
TS RemoteApp
On the surface, TS RemoteApp sounds like Citrix's application publishing. True, they both let you connect to a single application window instead of a full remote desktop. But that's pretty much where the similarities end. With Citrix, you "publish" applications by configuring groups of users who are allowed to access individual apps on the server (or a group of servers), and then the Citrix infrastructure makes sure that the users get access to the shortcuts to start their applications (either via a desktop-integrated solution or a Web Interface).
In pure Terminal Server, you don't "publish" a RemoteApp per se. Instead, you use the RemoteApp wizard to create a custom RDP file for a specific application on a specific Terminal Server. Users can then double-click this RDP file to launch the RemoteApp.
You also have the option to "wrap" that RDP file into an MSI installer package. This installer package doesn't contain the actual app--it just contains the RDP file, the icon, and any file type associations. Users can then "install" the MSI (which is small, typically under 100k) to their Windows desktops. The RemoteApp version of the app shows up in their Add / Remove Programs and on the start menu. Clicking the icon launches the remote seamless instance of the app.
So while the RemoteApp "installation" is cool, it's philosophically different than what Citrix is doing. TS RemoteApp is a method for installing applications locally to workstations, but there's absolutely no management built in. There's no capability in the TS product to deploy these MSI files to users or to decide which users get access to which apps. That's something you'll have to handle externally, like with System Center Configuration Manager (the new name for SMS) or AD Intellimirror or something.
TS Web Access
In saying that TS RemoteApp has no management or deployment built-in, some people suggest, "Sure it does. Just use TS Web Access!" But that's not quite it either. TS Web Access (TSWA) is a very, very basic IIS web site that can provide links to the TS RemoteApp packages on a single server via a web page.
So yes, TSWA is easier than figuring out how to install RemoteApp MSIs on your users' workstations. And TSWA is nice because if you add a new RemoteApp to a Terminal Server, it will automatically be available via the web page.
But there are some big drawbacks. The first is that TSWA does not have any kind of user authentication or differentiation. The single TSWA site shows all RemoteApps on a server--you can't show different apps to different users or groups. (Although TSFactory does provide a free tool called TS RemoteApp Filter that lets you specify which users and groups can see which RemoteApps via a TSWA site.)
The other main drawback of TSWA is that Terminal Server on Windows 2008 doesn't have a "farm" concept. When you configure a TSWA site (whether running on IIS on a Terminal Server or on a standalone web server), your RemoteApps all connect back to a single IP address. So if you want to have multiple Terminal Servers supporting connections, you need to configure them in a load balancing group so that they're all available via the same virtual shared IP address. This might not be that big of a deal, but it also means that all your Terminal Servers need to have the same RemoteApps installed and should be 100% identical.
TS Session Broker
TS Session Broker is the "load balancer" capability of Windows Server 2008 Terminal Services. It's basically the Session Directory feature of Windows Server 2003 Terminal Services that's been extended to also work when users connect to new sessions. To use the session broker, you install the service and configure all of your servers to be part of the same "farm." (Although Microsoft uses the term "farm" liberally in this case.) Then when an incoming RDP connection is made, the user authenticates to one of the Terminal Servers, and that server then contacts the server running the session broker service to see if that user should be redirected to a different Terminal Server (either because another server has lower load or because the user has an existing session on another server).
Of course this can be a single point of failure in your environment, so again, you need to build two session brokers and then use Windows Network Load Balancing to create a shared virtual IP address.
The TS Session Broker works well enough, although configuring it is pretty complex. It also has a drawback in that it only balances new connections based on session count, rather than being able to use any other perfmon counters.
TS Gateway
One of the challenges of Terminal Server environments has been ensuring that remote RDP connections are made securely. Windows 2003 Service Pack 1 introduced the capability for RDP sessions to be encrypted with SSL, but unfortunately that was done on a server-by-server basis. This meant that each Terminal Server still needed to be directly accessible from outside the firewall via an FQDN, and each server needed its own SSL certificate. Citrix solved this problem years ago with their Citrix Secure Gateway (CSG) software-based ICA-over-SSL VPN product. In Windows Server 2008, Microsoft introduced a similar product called TS Gateway.
TS Gateway works well. It's similar to the IIS-based RPC-over-HTTPS technology from Windows 2003 for external Exchange users, except of course TS Gateway is "RDP-over-HTTPS." One of the really cool things about TS Gateway is that it can use Network Access Protection (NAP), a technology from Microsoft that can allow or deny network access based on the health of the client device. (This is similar to Citrix's Smart Access.)
TS Gateway is a nice feature!
TS Easy Print
As anyone who's been in this business more than a week knows, printing in server-based computing environments is a major pain. Microsoft added "fallback" driver support in Windows 2003, allowing users to print to their own local printers without having the model-specific drivers installed on the Terminal Servers. TS Easy Print takes that to the next level, leveraging Microsoft's new XPS printing format. While Easy Print is still based on the single-threaded print spooler and rendering engine on the server (so it compares more with UPD I and II from the older versions of Citrix), it does work well (as long as your client device is running Vista or the soon-to-be-released Windows XP SP3). But this is also a nice feature!
Windows System Resource Manager
Rounding out the list of "big six" new features in Terminal Server on Windows 2008 is the Windows System Resource Manager (WSRM), which is technically not new for Windows Server 2008 (although there are new resource-allocation policies in 2008 for TS sessions). WSRM lets you configure policies that define how many system resources specific processes (and now user sessions) are able to consume. WSRM is not a Terminal Server-specific feature, although if you know what you're doing you can get a lot out of it. (That's an article for another day though.)
Six big new features. TS Gateway and TS Easy Print are pretty cool. Web Access, the Session Broker, and RemoteApp are pretty limited and/or require some serious smarts to make work. And WSRM can be cool but is certainly not for part-time admins. And all of this is for single-server environments only, so as soon as you add a second server to your environment, you need to manually configure everything separately on each server.
This leads to the ultimate question of "When can I use pure Terminal Server, and when do I need a third-party add-on like Citrix?"
Microsoft has specified that pure Terminal Services can be used for "low complexity" environments, and that third-party add-on tools should be used for higher-complexity environments. In some ways this makes sense, and in other ways it's crazy. The low complexity thing makes sense because native Terminal Server 2008 is designed for environments where all your servers are the same, all users have access to all applications, and you load balance based purely on user session counts. And in reality, that probably defines 20 or 30% of all existing Citrix Presentation Server deployments.
But that doesn't mean that Citrix's Presentation Server business is going to instantly drop by 20 or 30%, because in a lot of ways, Terminal Server 2008 is so simple that deploying it in the real world is more complex than deploying Citrix! You want load balancing? Fine, but you have to configure a Session Broker, then add Terminal Servers to the group, then install NLB, then configure a virtual IP address, then configure your RemoteApps to point to it, then.... Compare that to Citrix where you just install a second server, point it to your existing data store, and you're done! (And the same example could be used for RemoteApps or Web Access or Gateway.)
I typically think of "low complexity" scenarios as environments that only have part-time TS admins. (Not that the IT admin is part-time, but that he or she has other IT admin duties and is not dedicated to TS.) And so in this case, I would think these admins need a server-based computing product that is as easy as possible to use, and pure Terminal Server on Windows 2008 sure isn't that! (This is what Citrix Access Essentials, or "Presentation Server Lite" is for.)
I recognize that Citrix Presentation Server is so much more than these six features. Management. ICA performance. Non-Windows clients. Load balancing. Application Publishing. Web Interface. Smart Access. WAN acceleration. I could go on. But in the context of Terminal Server on Windows Server 2008, these are the main things that people will be up against.
Finally, I'd be remiss if I didn't mention Ericom. Ericom has a product called PowerTerm WebConnect that competes against Citrix Presentation Server. Ericom has made the Windows Server 2008 version of their product available completely for free. It's too early to tell whether this will have an impact on the market (since no one is really using Windows Server 2008 Terminal Server yet).
Will Windows 2008 Terminal Server plus the free Ericom give Citrix a run for their money? Probably not in the enterprise space, but this could make things dicey for Citrix Access Essentials in the "low complexity" market.