[ale] XRDP

Michael H. Warfield mhw at WittsEnd.com
Wed Apr 23 12:58:26 EDT 2014


On Wed, 2014-04-23 at 02:00 -0400, Justin Goldberg wrote:
> I am trying to use xrdp in a testing environment. I am using opensuse
> on a 64-bit machine. Is it as cpu and bandwidth friendly as
> microsoft's terminal server, or is this a pointless endeavor? What
> we're trying to do is run a web browser and a few other apps on a
> Linux box. I'm not sure if they'll be running on wine, but wine is cpu
> friendly. I don't know the whole scope of what my boss is trying to
> do, but I've been tasked with looking into using linux as a terminal
> server. 
> 
> 
> For example, we have customers who can easily fit 60 simultaneous
> users on a 2003 terminal server that is five years old, and it's
> responsive.
> 
> 
> We tested vnc in our lab, and it consumed a lot of resources on the
> server, to the point that it wouldn't scale as ms ts does.
> 
> 
> Any thoughts or ideas are welcomed.

For a moment, I was thinking you were referring to XDMCP above rather
than Xrdp.  I don't have any direct experience with Xrdp, like I have
with several others.  Since it's using the same protocol as MS-RDP, I
would assume the bandwidth requirements would be quite similar, which is
not the best but pretty darn good.  Having had no experience with it, I
can't speak to the CPU utilization and demands.  Security on RDP is fair,
depending on version and configuration. Native clients (rdesktop) won't
do ssh tunneling.  But the Windows RDP client should connect to it,
which could be a plus.

In my experience (and others' mileage may vary), XDMCP CPU usage is
reasonable while its bandwidth usage is notably poor (sucks).  Also,
security on raw X11 (XDMCP) makes me extremely nervous.  Bandwidth wise,
just tunnelling X11 over SSH can be better than XRDP thanks to the SSH
tunnel compression.

Where you want to use X11, you get the best performance from NX.  NX
does native X11 compression on X11 tokens and objects and utilizes SSH
for its transport.  It may use more resources on the server than say
XRDP or raw X11 just because you have an SSH connection from the client
to the server nx user and an internal local SSH connection between the
server nx process and the server's user process.  I've never found it to
be particularly burdensome, though.  60 users?  Depending on memory and
processors in the servers, it's possible.  One site I've used NX with
was over a T1 (1.5Mbit symmetrical) where RDP and VNC were painful and
X11 over SSH was totally useless.  I hardly noticed any slowdown with
NX.

I use the FreeNX server package and the Remmina multiprotocol client
package.  I don't like the nxclient (rdesktop analog) single protocol
client.  Bandwidth performance wise, I have seen NX out-perform RDP even
in the case where I'm running Windows in a VirtualBox VM and that
console is remoted over NX (that was in the case of that remote site
over a T1) compared to the RDP connection to the VM itself.  You don't
get any X11 object compression but the raw compression still does better
than native RDP.  Link level authentication and security uses SSH
authkeys.

There is a little bit of a challenge getting the SSH key management down
and manageable for the "nx" user on the server but it's worth the
effort, security wise, and can be somewhat automated.  I do NOT
recommend the documented practice of distributing the private key for
the nx user to the clients.  The more proper way is to register ssh
public keys from the users and install them into the nx client's
authorized_keys keystore.  That maintains access security on the server
where it belongs.

VNC does use a lot of resources on the server but can be reasonable on
bandwidth (about on par with RDP).  Security with VNC can be very
problematical, to be kind.  Some of the protocol levels and
implementations only allow 8 character passwords and silently truncate
them (I think tight/tiger VNC warns you).  Since switching to NX for my
*NIX to *NIX remote desktops, I've stopped using VNC entirely.

VNC 5900/tcp and MS-RDP 3389/tcp are also two of the most scanned for
ports in terms of brute force "scan the planet" scans.  If it's open on
the net (I know you said a test environment) you can expect it to get
beat on frequently.

NX / FreeNX would get my vote for a *NIX remote desktop terminal server
and Remmina gets my vote for a *NIX based client.  Remmina supports NX,
RDP, SSH, SFTP, VNC, and XDMCP all in one package with more protocol
plugins available.  I often have multiple remoted desktops up scattered
across a half a dozen sites sitting in my Remmina viewport with multiple
tabs and windows.
 
Regards,
Mike
-- 
Michael H. Warfield (AI4NB) | (770) 978-7061 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
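
One way to automate the key registration described in the message above, as an added example that is not part of the original post or of FreeNX: a bash function that accepts only a single-line public key, rejects private key material and submitter-supplied options, and appends the key with server-side restrictions. The function names, the return codes, the option string and the default forced command path /usr/bin/nxserver are assumptions; pass the nx account's real authorized_keys path for your packaging.

```bash
#!/usr/bin/env bash
# Added example: register a user's SSH *public* key for the shared "nx" login.
# Assumed names: add_nx_key, key_prefix, the default forced command path.

# Base64 prefix every key of a given type must start with (its wire-format header).
key_prefix() {
  case "$1" in
    ssh-ed25519) echo "AAAAC3NzaC1lZDI1NTE5" ;;
    ssh-rsa)     echo "AAAAB3NzaC1yc2E" ;;
    *)           return 1 ;;   # unknown type, or a line that starts with options
  esac
}

# add_nx_key PUBKEY_FILE AUTHORIZED_KEYS [FORCED_COMMAND]
# Returns 0 = added, 1 = rejected, 2 = key already registered.
add_nx_key() {
  local pub="$1" auth="$2" cmd="${3:-/usr/bin/nxserver}"
  local ktype="" blob="" comment="" prefix opts
  [ -r "$pub" ] || return 1
  # Exactly one line, and never private key material.
  [ "$(grep -c '' "$pub")" -eq 1 ] || return 1
  grep -q 'PRIVATE KEY' "$pub" && return 1
  read -r ktype blob comment < "$pub" || true
  # The first field must be an allowed key type, so a submitter cannot
  # prepend their own command="..." or other options.
  prefix=$(key_prefix "$ktype") || return 1
  case "$blob" in *[!A-Za-z0-9+/=]*) return 1 ;; esac
  case "$blob" in "$prefix"*) ;; *) return 1 ;; esac
  comment=${comment//[^A-Za-z0-9@._-]/_}
  # Skip keys whose blob is already present as a whole field.
  if [ -f "$auth" ] && awk -v b="$blob" \
      '{ for (i = 1; i <= NF; i++) if ($i == b) found = 1 } END { exit !found }' "$auth"
  then return 2; fi
  # The server, not the client, decides what this key may do.
  opts="no-port-forwarding,no-X11-forwarding,no-agent-forwarding,command=\"$cmd\""
  ( umask 077
    mkdir -p "$(dirname "$auth")"
    printf '%s %s %s %s\n' "$opts" "$ktype" "$blob" "${comment:-unlabeled}" >> "$auth"
  ) || return 1
}
```

Removing a user's access is then a matter of deleting that user's line on the server; no shared private key has to be rotated on every client.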
