Windows Server 2008 R2 - RDC Encryption verification plus performance and compression

  • Thursday, November 05, 2009 8:57 PM Shaun Brewer
     

    I have a couple of questions regarding the setup / verification of Remote Desktop in a Windows Server 2008 R2 environment.

    I have had a good search about but have not been able to find the answers - sorry if I have just managed to miss them... I was able to install WS 2008 R2, and get Remote Desktop working both locally and over the internet so I have done a fair bit of reading ;)

    Confirmation of encryption...

    On the server

    Server Manager -> Roles -> Remote Desktop Services -> RD Session Host Configuration

    I have 1 session configured (Connection type: Microsoft RDP 6.1) in the Properties for this:

    Security Layer is set to: Negotiate
    Encryption Level is set to: Client Compatible

    Allow connections only from computers running Remote Desktop with Network Level Authentication is Selected.

    When connecting either from the local network or remotely over the Internet from Remote Desktop Connection (Vista machine) if I check the status of the connection

    Server Manager -> Roles -> Remote Desktop Services -> Remote Desktop Services Manager

    Users or Session tab then Status

    Against Encryption Level: there is nothing. Is this normal? How can I confirm that the session is encrypted?


    Compression

    Unrelated but also on the same status window under Input/output status 

    Against Compression Ratio I see N/A.

    Again I have searched the web and forums but have not found where I set compression for connections. Searching for Compression in the Windows 2008 R2 help did not bring anything up related to TS?

    Thanks in advance for any help

    Shaun

    P.S. The Windows 2008 R2 server is fully patched as are the Vista Clients

Answers

  • Monday, November 09, 2009 4:29 PM TP
     Answer

    Hi Shaun,

    Encryption

    What you are seeing is normal for R2.  For some reason the display of the encryption is broken (it worked in 2008/2003/2000).  My guess is something with the underlying function call is broken now since even if you connect to an R2 server using 2003 Terminal Services Manager encryption still shows as blank.  Even if it did show up it is not very helpful if you have Client Compatible set, since all it will show is Client Compatible.  In other words it would always show Client Compatible regardless of the bit level of the connecting client.  For example, say you have a 128-bit client as well as a 56-bit client connected at the same time--both will show as Client Compatible.

    I recommend that you set the encryption level to the minimum required for your environment instead of leaving it set to client compatible.  In most cases I set servers to High so that strong encryption in both directions is required.  For the security layer I would suggest SSL with a public cert installed.  Since your clients are Vista you are in effect using High/SSL, however, your server is not requiring it so a lower encryption level client could connect at some point in the future.

    Performance/Compression

    The best experience is obtained using the version 7 Remote Desktop Client.  Please see this article for a breakdown of which features are supported under which OS/RD client version:

    Remote Desktop Connection 7 for Windows 7, Windows XP & Windows Vista

    http://blogs.msdn.com/rds/archive/2009/08/21/remote-desktop-connection-7-for-windows-7-windows-xp-windows-vista.aspx

    Download the version 7 client for Vista/XP here: http://support.microsoft.com/kb/969084

    By default a 2008 R2 server has the maximum compression setting enabled.  You can manually configure the compression setting via local or domain-based group policy setting.  Open gpedit.msc on your server, and navigate to the following location:

    Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment

    Set compression algorithm for RDP data

    There are other settings located in the above location that you may be interested in as well, for example, Do not allow font smoothing.  Please read through each one and experiment.

    In general web surfing and other potentially graphically intense applications may need large amounts of bandwidth, CPU, and RAM to perform acceptably, and are best done on the client if possible.  Web sites that have flash content, video, large photos, etc. may be especially bad.  I say may because some web sites/web applications are not too bad, for video the new windows media player redirection helps tremendously (although you still need bandwidth for the video feed), and for flash/graphical cases the new enhanced bitmap acceleration helps.

    Reducing color depth as well as screen resolution will improve performance.  Other suggestions/comments:

    - Printing may consume large amounts of bandwidth.  You can reduce this by purchasing a third-party universal printer driver solution that supports printing bandwidth limits as well as enhanced compression

    - Other redirected devices may consume bandwidth while in use, for example, drive redirection, clipboard redirection

    - Disabling visual styles (Themes), font smoothing, animations, wallpaper, etc., will use less bandwidth

    - Disable application splash screens

    Thanks.

    -TP
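
Because the R2 status page leaves Encryption Level blank, one way to confirm what the server requires is to read the listener's settings directly. The PowerShell below is an added example, not part of the original thread; it assumes the default RDP-Tcp listener and the registry values MinEncryptionLevel, SecurityLayer and UserAuthentication, and should be run elevated on the server.

```powershell
# Added example: reports what the RDP-Tcp listener REQUIRES of every client.
# It does not show what an individual session actually negotiated.
$listener = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$policy   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

$encNames = @{ 1 = 'Low'; 2 = 'Client Compatible'; 3 = 'High'; 4 = 'FIPS Compliant' }
$secNames = @{ 0 = 'RDP Security Layer'; 1 = 'Negotiate'; 2 = 'SSL (TLS 1.0)' }
$nlaNames = @{ 0 = 'Not required'; 1 = 'Required' }

function Get-RdpSetting([string]$Name) {
    # A Group Policy value, when present, overrides the listener's own value.
    foreach ($key in $policy, $listener) {
        $item = Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue
        if ($item -ne $null -and $item.$Name -ne $null) {
            return New-Object PSObject -Property @{ Value = [int]$item.$Name; Source = $key }
        }
    }
    return $null
}

function Format-Setting($Label, $Setting, $Names) {
    if ($Setting -eq $null) { return ("{0,-20}: not set" -f $Label) }
    "{0,-20}: {1} ({2}) from {3}" -f $Label, $Setting.Value, $Names[$Setting.Value], $Setting.Source
}

$enc = Get-RdpSetting 'MinEncryptionLevel'
$sec = Get-RdpSetting 'SecurityLayer'
$nla = Get-RdpSetting 'UserAuthentication'

Format-Setting 'MinEncryptionLevel' $enc $encNames
Format-Setting 'SecurityLayer'      $sec $secNames
Format-Setting 'UserAuthentication' $nla $nlaNames

# Flag anything weaker than the High / SSL / NLA combination suggested above.
$findings = @()
if ($enc -eq $null -or $enc.Value -lt 3) {
    $findings += 'Encryption level is below High: weaker clients are not refused.'
}
if ($sec -eq $null -or $sec.Value -lt 2) {
    $findings += 'Security layer is not SSL: the server may fall back to the RDP Security Layer.'
}
if ($nla -eq $null -or $nla.Value -ne 1) {
    $findings += 'Network Level Authentication is not required.'
}

if ($findings.Count -eq 0) { 'OK: listener requires High encryption, SSL and NLA.' }
else { $findings | ForEach-Object { "FINDING: $_" } }
```

With the settings described in the question (Negotiate, Client Compatible, NLA selected), this reports the first two findings and no NLA finding.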


All Replies

  • Friday, November 06, 2009 8:44 AM Shaun Brewer
     
    Anybody?

    If I need to provide more information or my questions are not clear please say and I will try and re-word.

    I am basically trying to set up a proof of concept for a client and have performance issues and security concerns.

    On the performance side anything with pictures can be painful and also web browsing is not pleasant.

    To try and improve performance I have limited the maximum colour depth to 16 bits per pixel. I do not see anywhere to disable font smoothing on the server; however, it is not selected on the clients...

    Would RDP 7 help? The reading I have done suggests it might improve performance.

    I have also started to experiment with RemoteApps as an alternative and the ability to disable font smoothing is there... I think the performance is better but it is still noticeable that you are not working locally.

    Test connection has a average ping response of 50ms, 60ms and 120ms depending on which client I test with, I might be getting a little more latency from the server rather than the router but when I test a ping from the server it seems similar.

    Thanks again

    Shaun 

  • Friday, November 06, 2009 8:37 PM Shaun Brewer
     
    Please anyone?

    Thanks...

    Shaun
  • Saturday, November 07, 2009 8:42 AM Shaun Brewer
     
    Sorry, getting desperate here... I will not be able to recommend remote desktop to the client unless I can show encryption is used and improve performance...

    Thanks for looking - I can see people are taking the time to look - if you don't know the answer but have any suggestion for where I might be able to find the answers please let me know.

    Thanks again

    Shaun 

  • Tuesday, November 10, 2009 12:32 AM Shaun Brewer
     
    Thank you TP!!!

    I will look into your suggestions.

    As I have not changed compression defaults - I assume that I am at maximum compression, however again this does not get displayed on the status page.

    I assume the display of Encryption and Compression will be fixed at some point I can't imagine that it will be that hard to fix?

    All the best and thanks again

    Shaun

    P.S. I will post back with my results.