What are RDS CALs, and Do You Need Them?

If your organization is looking to support remote workers or off-network employees, you might be considering Remote Desktop Services (RDS).

Microsoft Remote Desktop Services is an established Microsoft technology that has existed since the late 1990s, back when it was known as Terminal Services (terminal server). RDS is a thin-client architecture, which, in a nutshell, means that the end user’s computer functions as an input device and the actual computing session is hosted by a remote desktop license server to which that computer is connected. At the risk of oversimplification, you can think of it like a monitor and keyboard attached to a PC located miles and miles away.

The great thing about RDS is that all the heavy lifting is done by the Microsoft Windows server. Because the remote client is more or less an interactive window onto that server-hosted computing session, it doesn’t have to be an expensive, cutting-edge powerhouse. Lower-spec’d machines can save IT departments a lot of money on procurement. Plus, they minimize some of the financial toll of user-caused damage.

Remote Desktop Services also gives organizations more curation and control over the computing session itself, as nothing is stored on the user’s computer. That allows for more consistency and ease of configuration. And, finally, RDS can deliver a Windows desktop environment to any machine that supports the Remote Desktop Protocol (RDP) regardless of operating system, including iOS, Chromebook, and Android devices. In this day and age, when device agnosticism is more important than ever, that can be a huge advantage.

What are RDS CALs?

To provide your people with access to  Microsoft products via RDS, you’ll first need to purchase client access licenses (CALs)/device cals through a Microsoft license program. The Remote Desktop Session Host (RDSH) server hosts the resources—such as Windows apps or files—and then clients connect to the RDSH to access the resources.

It’s important to note that the RDSH that hosts the resources must have a Windows Server 2016 (or above) CAL that matches the OS version, and remote clients that access the server must have a User CAL. Newer RDS Client Access Licenses are capable of working with older RDSH servers, but older RDS CALs cannot work with new RDSH servers – which means you’d need a new license agreement.

To install and keep track of all your concurrent RDS CAL licenses in your RDS environment requires a RD Licensing Server, which is a component of the RD Session Host Server. When users connect to an RDSH server, the server checks to see if each user has an active User CAL by contacting the RD licensing server. If the RDS CAL is available, the RDSH server accepts the connection from the user and starts a session.

When it comes to determining the right number of licenses, it’s worth noting that you need a Windows Server CAL and an RDS CAL for each user or device.

What are the downsides to Remote Desktop Services?

Organizations typically encounter two important hurdles when it comes to Remote Desktop Services 

  • Security: As RDS relies on RDP, that protocol has to be exposed to the Internet (via ports 3389, 3387 and 3392) whenever remote users need access—which is 24-7 in most cases. This leaves servers with RDP enabled vulnerable to brute-force attacks. Malicious actors will make repeated RDS login attempts using passwords that are weak or based on known dictionary values.
  • Complexity: Remote Desktop Services require infrastructure and administration. That involves tasks like setting up RD gateway servers, creating special RD roles, fine-tuning the deployment types and properties, and then configuring the provisioning for each user who needs to be supported with RDS. And, of course, all of these will need to be monitored and updated on an ongoing basis.

Faced with these considerations, many organizations pause and ask themselves if every remote user really needs a complete desktop environment as part of their digital workspace.

That’s where application virtualization comes in. Virtual apps offer a more streamlined supplement or alternative to the traditional RDS implementation, enabling organizations to provide their remote users with Windows applications that don’t necessarily require a Windows desktop too.

Cameyo simplifies and secures remote productivity

Cameyo is ideal for organizations that want to strike this balance and provide their off-network workforce with a more tailored digital workspace experience, with some users supported by remote desktop applications while others are able to access full Remote Desktop Services. This is because our Virtual App Delivery (VAD) platform is built on the robust, proven functionality of RDS, yet it eliminates the sticking points of security and complexity in two important ways.

To begin with, Cameyo’s Virtual App Delivery includes our proprietary Port Shield technology. Instead of keeping a known list of RDP-specific ports open all the time, Cameyo Port Shield opens and closes them dynamically to establish SSL-encrypted connections between clients and the server. It performs this whitelisting and blocking of RDP traffic at the Windows firewall level and in real time based on authenticated users. This minimizes the attack surface without resorting to VPNs or asking users or admins to jump through additional hoops.

Similarly, Cameyo’s ease of use makes provisioning and productivity much more straightforward. On the backend, admins can quickly restrict or allow access to individual Windows applications on a per-group or per-user basis. And users don’t need to fire up an entire RDS session to use that remote desktop application. With Cameyo, they can simply click on a link that enables them to start working with their standard Windows application in a browser window—no matter where they are or what device they’re on. 

Right-sizing your digital workspace

At one time, Remote Desktop Services was the go-to method to get Windows applications in the hands of off-network users. The advent and maturity of application virtualization has changed that. Cameyo makes it possible for organizations to equip their remote users with the apps they need—including legacy Windows software—without also having to provision a full Remote Desktop Services session and all that entails. 

Best of all, it doesn’t take weeks to see if Cameyo’s Virtual App Delivery platform will round out your RDS implementation and help you create secure, user-optimized digital workspaces. Sign up for your free trial of Cameyo today and you can be publishing Windows applications to your remote workers within a matter of minutes.