Client Drive Redirection enables users to access files and folders located on the endpoint from within a VDI or HSD session. It has been in XenApp for more than 15 years and in XenDesktop from Day 1, so it has been battle-tested for quite some time now.
Because it’s been a core feature in XenApp and XenDesktop for such a long time, many people have assumed that this is basic feature that exists in every other VDI/HSD solution, as well.
As many VMware Horizon evaluators have learned, accessing files and folders on the endpoint has not been available, until the recent release of Horizon 6.1.1. For VMware, this new release means that Horizon just got a big step closer to being equal with XenApp and XenDesktop, a view shared by some of industry analysts.
This post offers an in-depth evaluation of this feature, based on results we found when evaluating client drive mapping in Horizon 6.1.1, to make it easier to evaluate the quality of the new Horizon features.
In the fine print while installing the Horizon View Agent, you might spot “… use this feature only on a secure network,” next to the client drive redirection checkbox. From a technical point of view, this means files and folders are sent as clear text across the network. Furthermore, there is no way to add any level of encryption, unless you:
- Add a Horizon Security Server (with all its limitations) and treat all users as external users. But even then the last mile between the Security Server and the VDI/HSD system remains unencrypted
- Implement IPSec
This means with simple networking tools it is possible to capture and reconstruct the files and folders users access. Below you can find a screenshot of Wireshark capture of a text file uploaded to a VDI system, containing the Synergy Innovation Award announcement:
Customers who are particularly cautious about security might not want to use client drive redirection with Horizon View.
In contrast, with XenApp and XenDesktop all network traffic is encrypted end to end (ICA encryption or TLS), even without deploying a NetScaler Gateway in between.
When client drive redirection was introduced with XenApp, dial-up connections were the standard. So the feature was built very bandwidth-efficient and has been optimized for high latency. This means even users who connect over WAN links will have a good user experience. The Horizon client drive redirection feature has not been optimized to work on low-bandwidth connections. Below, you can see a table comparing the time it takes to copy a file from the client to the virtual desktop as well as to browse the local C:\ drive using a 2Mbit/s 100ms RTT link.
User experience and admin controls
With XenApp and XenDesktop all client drives (including network and removable drives) are mapped into a user session automatically. So, a user will have all files and folders accessible on the endpoint available from within the virtual desktop as well. Of course the admin can modify this behavior. So, it’s possible to only connect specific folders (instead of full drives) or to link MyDocuments and Desktop to the equivalent on the server. Furthermore, it is possible to deny or limit access to local resources, enable the mapping for specific drives only (e.g. just network drives) or prevent uploads or downloads respectively. All of this can also be configured by means of SmartAccess, where for example only users on clients with encrypted hard disks can download files, while others users can only upload.
In contrast, Horizon View only maps the profile folder of the current user (e.g. C:\Users\thomas) automatically. In case a user has started a published application and additional folders or drives are required, the following steps need to be performed:
- Switch to the Horizon Client window on the endpoint
- Right-click on any of the app icons
- Click Properties
- Click Sharing
- Select the appropriate file/folder/drive and click OK
- Go back to the published app, wait a few seconds and click refresh.
Furthermore, the admin is provided with the ability to control this behavior.
XenApp and XenDesktop support client drive redirection from Windows, Mac OS and Linux endpoints as well as file up/download capabilities for ChromeOS and HTML5 client users.
In contrast, Horizon View client drive limits mapping support to Windows clients only, while support for Mac OS is experimental and other platforms are not supported at all.
While VMware Horizon enables users to interact with files and folders located on Windows endpoints, a number of essential usability, admin and security features are still missing.
The following table summarizes the findings discussed within this blog post:
Follow me on Twitter @tberger80.