Remote Desktops & VDI Explained
www.thenetworkdna.com
The shift to hybrid and remote work pushed two technologies into the mainstream: Virtual Desktop Infrastructure (VDI) for delivering consistent desktop experiences from the data center
📅 May 2026 | ⏱ 45 min read | 🔒 VDI • RDS • Citrix • VMware Horizon • Azure Virtual Desktop
💻 Remote Desktop & Virtual Desktop Infrastructure (VDI)
1. What Is VDI? — Complete Definition & How It Works
VDI (Virtual Desktop Infrastructure) is an IT architecture that hosts desktop operating system instances as virtual machines on centralized servers in a data center or cloud, and delivers those desktops to end users over a network. Instead of a PC running Windows locally on its own hardware, the OS, applications, and data live on a server. The user’s endpoint device — a thin client, laptop, tablet, or smartphone — runs only a display protocol client that decodes and renders the screen, transmits keyboard and mouse input, and handles audio/video. All application execution happens in the data center; the endpoint contributes nothing but stream decoding and input capture.
How VDI Works — Step by Step
1. User connects from an endpoint device. The user opens a client (Citrix Workspace, VMware Horizon Client, Microsoft RD Client) and authenticates.
2. Connection broker routes the request. The broker checks user entitlements, finds an available VM (or creates one), and returns connection details.
3. Display protocol establishes the session. The protocol (ICA, PCoIP, RDP, Blast Extreme) compresses and encrypts screen content and delivers it to the endpoint.
4. Hypervisor runs the VM. ESXi, Hyper-V, or KVM hosts the Windows/Linux VM; many user VMs share a single physical host.
5. Shared storage delivers the OS image. Non-persistent VMs boot from a shared gold image; persistent VMs have dedicated disk storage.
6. Session terminates and the VM is reset. Non-persistent VMs revert to a clean state at logoff; user profiles and data are saved to network shares or profile containers (FSLogix).
Why organizations choose VDI: Centralized management (patch one gold image, update thousands of desktops), stronger security (data stays in the data center, provided clipboard, drive and printer redirection are restricted), device flexibility (any device including thin clients can access a full corporate desktop), disaster recovery (rebuild a desktop pool in minutes), and regulatory compliance (data residency enforced at the server level, not on distributed endpoints). The trade-off is infrastructure cost, network dependency, and the operational complexity of managing a hypervisor, broker, storage, and network stack.
VDI’s Achilles heel: Every pixel the user sees has to travel from the data center to the endpoint, and every keystroke and mouse movement has to travel back. On a slow, lossy, or high-latency WAN link, a round trip of 100 ms or more is felt on every click and scroll and turns the session into a janky, frustrating experience. This is why SD-WAN — and specifically Fortinet’s SD-WAN with its application-aware SLA policies — is so frequently discussed alongside VDI architecture. The network between the user and the data center is as critical as the VDI infrastructure itself.
2. VDI vs Remote Desktop Services (RDS) vs DaaS — Clear Comparison
These three terms get conflated constantly, including in vendor marketing. The distinction is technically meaningful and affects architecture, licensing cost, and user experience.
| Attribute | VDI (Virtual Desktop Infrastructure) | RDS / RDSH (Remote Desktop Session Host) | DaaS (Desktop as a Service) |
|---|---|---|---|
| OS per user | Dedicated VM per user (own Windows instance) | Shared Windows Server session (multi-user) | Cloud-hosted VM per user (outsourced) |
| Isolation | Full VM isolation; one user can’t affect another | Shared kernel; one user can affect others | VM-level isolation (depends on provider) |
| OS version | Windows 10/11 (desktop OS) | Windows Server 2019/2022 (server OS with RDS role) | Windows 10/11 multi-session or full desktop |
| Infrastructure | On-premises servers, storage, hypervisor (high CAPEX) | Fewer hosts needed: many user sessions share one server | No on-premises infrastructure needed (OPEX) |
| Cost model | High upfront CAPEX; VMware, Nutanix, Citrix licensing | Lower per-user cost; Windows Server CALs + RDS CALs | Monthly per-user subscription (Azure, Citrix DaaS) |
| Best for | Power users, regulated industries, personalized desktops | Task workers, call centers, simple applications | Organizations with no on-prem DC; rapid deployment; flexible workforce |
| Examples | Citrix Virtual Apps and Desktops (on-prem), VMware Horizon 8, Nutanix Frame | Windows Server + RDS role, Citrix Virtual Apps (published apps/desktops) | Azure Virtual Desktop, Citrix DaaS, Amazon WorkSpaces |
RDP (Remote Desktop Protocol) is often confused with RDS and VDI. RDP is the protocol used to deliver the remote session — Microsoft’s display protocol (publicly specified as MS-RDPBCGR) that carries screen updates, keyboard input, audio, and USB redirection between client and server. VDI and RDS are architectures; RDP is a display protocol that either architecture can use, alongside PCoIP, ICA/HDX, and Blast Extreme as alternatives.
3. Persistent vs Non-Persistent VDI — Which Is Right for Your Organization?
Persistent VDI: Each user has their own dedicated virtual machine. Changes persist between sessions — installed applications, desktop customizations, and files remain. The VM is essentially a personal computer in the data center.
PROS: ● Full user personalization
CONS: ● Higher storage cost (each user has their own VMDK) ● Each VM must be patched individually rather than through one image
Non-Persistent VDI: VMs boot from a shared “gold image” template. At logoff, the VM reverts to the clean base image. User profiles and data are stored in separate profile containers (Microsoft FSLogix) or network shares.
PROS: ● Patch one image, update all desktops ● Every logon starts from a known-clean state
CONS: ● Less personalization
FSLogix Profile Containers deserve special mention here. The single biggest operational problem with non-persistent VDI historically was user profiles — Outlook OST files, browser cache, and application data that couldn’t survive a session revert. FSLogix (acquired by Microsoft in 2018, now entitled through Microsoft 365 and Windows Enterprise licensing at no extra cost) solved this by mounting a VHD/VHDX container from a file share directly into the VM at login, making the profile appear local. The container follows the user across any VM in the pool. This made non-persistent VDI genuinely usable for the majority of enterprise workloads.
FSLogix and Fortinet SD-WAN: FSLogix profile containers are attached over SMB (file shares), typically from a file server in the same data center as the VDI. For branch VDI deployments where the file server is remote, the SMB traffic for profile loading must traverse the WAN — making FSLogix profile attachment latency-sensitive, because SMB is a chatty protocol and a slow mount delays the whole logon. Keeping the container share in the same site as the VDI hosts is the first fix; where that is not possible, Fortinet SD-WAN’s application steering can prioritize SMB traffic (or tag it with a specific DSCP mark) so that profile loading completes within the session establishment timeout even over congested WAN links.
4. Top VDI Platforms Compared — 2026
| Platform | Protocols | Deployment | Strengths | Best For |
|---|---|---|---|---|
| Citrix DaaS / Virtual Apps & Desktops | ICA/HDX, RDP | On-prem, hybrid, cloud | Best protocol (HDX) for WAN; strong session management; app publishing | Enterprise, healthcare, financial services requiring high WAN performance |
| VMware Horizon 8 | Blast Extreme, PCoIP, RDP | On-prem (vSphere), Horizon Cloud | Deep vSphere integration; Blast Extreme H.264/HEVC; mature platform | Organizations already running vSphere; GPU workloads (Blast + NVIDIA) |
| Microsoft Azure Virtual Desktop (AVD) | RDP via the AVD gateway service (reverse connect, no inbound ports), RDP Shortpath (UDP) | Azure cloud only | Desktop licensing included with eligible M365 subscriptions (compute billed separately); Windows 10/11 Enterprise multi-session; Azure integration; no on-prem infra | M365 organizations; eliminating on-prem DC; Teams optimization (multimedia redirection) |
| Nutanix Frame | H.264 web-based, RDP | Multi-cloud (AWS, Azure, GCP, AHV) | Browser-based delivery; multi-cloud; simple management | BYOD users; no client install required; multi-cloud strategy |
| Amazon WorkSpaces | PCoIP, WSP (WorkSpaces Streaming Protocol, since renamed Amazon DCV) | AWS cloud only | Simple per-user monthly pricing; AWS native; WSP/DCV protocol optimized for WAN | AWS-first organizations; simple procurement; consistent OPEX model |
Post-Broadcom VMware Horizon note (2026): Broadcom’s acquisition of VMware closed in November 2023, and the end-user computing business (Horizon, Workspace ONE) was subsequently divested to KKR and now operates as Omnissa. The licensing restructuring around these changes significantly affected Horizon deployments: organizations that previously ran Horizon under affordable perpetual licenses now face subscription-only pricing, and the vSphere platform underneath it is sold through the VMware Cloud Foundation bundle. Many are actively evaluating Citrix DaaS, Azure Virtual Desktop, and Nutanix Frame as alternatives. This migration wave is creating significant demand for re-evaluation of the entire VDI delivery network — including SD-WAN — as organizations redesign their access layer.
5. VDI Architecture & Core Components
A production VDI deployment has seven major infrastructure components. Missing or under-specifying any one of them creates either a performance bottleneck or a reliability problem. The network (item 7) is the component most often underspecified by teams who focus intensively on the compute and storage layers.
| Component | Function | Examples / Sizing Notes |
|---|---|---|
| 1. Hypervisor | Hosts VM instances; provides CPU, memory, I/O abstraction | vSphere ESXi, Hyper-V, KVM, Nutanix AHV. Size: 1 host per 40–150 VMs depending on workload profile |
| 2. Connection Broker | Authenticates users, allocates VM from pool, establishes display protocol session | Citrix Delivery Controller, VMware Connection Server, RDS Connection Broker. Deploy HA pairs; critical path for all logins |
| 3. Shared Storage | Stores VM disk images; delivers IOPS for simultaneous VM boot storms | All-flash arrays (Pure, NetApp, Nutanix) or vSAN. Boot storm: 100 VMs starting simultaneously requires 50,000+ IOPS. All-flash is de facto standard for >50-VM deployments |
| 4. Gold Image / Master VM | Base OS template from which non-persistent VMs are cloned | Citrix Machine Creation Services (MCS) clones from storage, so boot storms hit the array; Provisioning Services (PVS) streams the image over the network from a PVS server, shifting boot load from storage IOPS to the PVS server’s cache and the network |
| 5. Profile Management | Persists user data and personalization across sessions | FSLogix (free with M365), Citrix Profile Management, VMware Dynamic Environment Manager. Store VHD containers on SMB file share or Azure Files |
| 6. Gateway / Access Layer | Proxies external user connections securely into the VDI environment | Citrix ADC/Gateway, VMware Unified Access Gateway (UAG), Microsoft RD Gateway. Provides TLS termination, MFA enforcement, and session proxying. Internet-facing, so patch promptly and keep the management interface off the internet |
| 7. Network (WAN/SD-WAN) | Carries display protocol traffic between endpoint and data center; critical for user experience | Minimum: 1.5 Mbps per HDX/Blast session (office apps); 5–15 Mbps for multimedia, video. RTT <50ms ideal; >150ms = visible degradation. SD-WAN optimizes multi-link path selection |
6. VDI Performance & Bandwidth Requirements
VDI traffic characteristics are quite different from typical web browsing or file transfer traffic. Understanding these characteristics explains why generic WAN connections fail VDI users and why SD-WAN’s application-aware path selection helps.
| Protocol | Office Apps | Video Playback | Max Latency (Good) | Transport |
|---|---|---|---|---|
| Citrix HDX (ICA) | 150–500 Kbps | 2–5 Mbps (EDT) | <100ms RTT | UDP (EDT) preferred, TCP fallback |
| VMware Blast Extreme | 300–700 Kbps | 3–8 Mbps | <100ms RTT | UDP (BLAST) + TCP fallback |
| VMware PCoIP | 700 Kbps – 1.5 Mbps | 4–10 Mbps | <75ms RTT ideal | UDP (RTP-based) |
| Microsoft RDP (RDP 10, Windows 10/11 and Server 2019+) | 500 Kbps – 1 Mbps | 3–7 Mbps | <150ms RTT | TCP 3389 (default), UDP 3389 (RDP 8+ UDP transport), RDP Shortpath (UDP) for AVD |
| Amazon WSP / DCV | 200–600 Kbps | 2–6 Mbps | <100ms RTT | UDP preferred |
Why UDP matters for VDI: Most modern display protocols prefer UDP because a lost UDP datagram causes a brief visual artifact (a blurry or stale frame for under 100 ms), which is far less disruptive than a TCP retransmission stall, where the whole screen freezes until the lost segment is retransmitted and everything behind it can be delivered. When VDI protocols fall back from UDP to TCP because a firewall blocks the UDP path, user experience degrades noticeably, especially during screen animations, scrolling, and video playback. Fortinet SD-WAN must be configured to allow UDP on the relevant ports (Citrix HDX/EDT: UDP 1494 and 2598; Blast Extreme: UDP 8443; PCoIP: UDP 4172), with a UDP session timeout long enough that an idle but live session is not silently dropped mid-session. Verify the path with a real session, not just a policy lookup: a session that silently falls back to TCP looks “connected” while performing badly.
| User Workload Type | Bandwidth/User | Max RTT Target | WAN Path Priority |
|---|---|---|---|
| Task Worker (email, browser, Office) | 0.5–1.5 Mbps | <150ms | Medium |
| Knowledge Worker (mixed, some multimedia) | 1.5–4 Mbps | <100ms | High |
| Power User (heavy data, CAD, financial terminal) | 4–10 Mbps | <75ms | Critical (highest) |
| GPU / 3D / Video Editing | 10–50 Mbps | <50ms | Dedicated circuit if possible |
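The two tables above give per-class bandwidth and RTT targets; what an application-aware SD-WAN rule does with them is measure each link, compare it against the class's SLA, and steer the class to the cheapest compliant link with headroom. The block below is an added example written for this article, not Fortinet configuration or any vendor's code: a simplified model of that decision with constructed link measurements and a constructed branch population. The loss and jitter thresholds, the per-user planning figures and the "cost rank" of each link are assumptions made for the example.

```python
"""SLA-based path selection for VDI traffic classes (added example; constructed data).

A simplified model of an application-aware SD-WAN rule: measure each WAN link,
compare it with the per-class RTT/loss/jitter targets, and steer each class to
the cheapest link that meets its SLA and still has bandwidth headroom. Loss and
jitter thresholds and all link measurements are assumptions made for this
example, not vendor defaults."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Link:
    name: str
    rtt_ms: float
    loss_pct: float
    jitter_ms: float
    capacity_mbps: float
    cost_rank: int          # lower = preferred when several links meet the SLA


@dataclass(frozen=True)
class VdiClass:
    name: str
    max_rtt_ms: float       # RTT target from the workload table
    mbps_per_user: float    # planning figure near the top of each bandwidth range
    priority: int           # higher = placed first, so it gets the best compliant link
    max_loss_pct: float = 1.0    # assumption
    max_jitter_ms: float = 30.0  # assumption


CLASSES = [
    VdiClass("gpu",       50,  20.0, 3),
    VdiClass("power",     75,   6.0, 2),
    VdiClass("knowledge", 100,  2.5, 1),
    VdiClass("task",      150,  1.0, 0),
]


def meets_sla(link, cls):
    return (link.rtt_ms <= cls.max_rtt_ms and link.loss_pct <= cls.max_loss_pct
            and link.jitter_ms <= cls.max_jitter_ms)


def steer(users_by_class, links, classes=CLASSES):
    """Return {class: (link_name, sla_met)}. Classes are placed highest-priority first
    on the cheapest SLA-compliant link with enough headroom; if none qualifies the
    class goes best-effort to the lowest-RTT link and is flagged sla_met=False."""
    headroom = {l.name: l.capacity_mbps for l in links}
    by_cost = sorted(links, key=lambda l: l.cost_rank)
    decisions = {}
    for cls in sorted(classes, key=lambda c: -c.priority):
        need = cls.mbps_per_user * users_by_class.get(cls.name, 0)
        if need == 0:
            continue
        chosen = next((l for l in by_cost
                       if meets_sla(l, cls) and headroom[l.name] >= need), None)
        sla_met = chosen is not None
        if chosen is None:
            chosen = min(links, key=lambda l: l.rtt_ms)   # best effort, SLA violated
        headroom[chosen.name] -= need
        decisions[cls.name] = (chosen.name, sla_met)
    return decisions


# Constructed branch: 2 CAD users, 5 power users, 20 knowledge workers, 40 task workers
BRANCH = {"gpu": 2, "power": 5, "knowledge": 20, "task": 40}


def healthy_links():
    """Constructed measurements: a small MPLS circuit, a big broadband link, LTE backup."""
    return [Link("mpls", 35, 0.1, 5, 50, cost_rank=2),
            Link("broadband", 60, 0.3, 12, 200, cost_rank=0),
            Link("lte", 120, 1.5, 40, 30, cost_rank=3)]


def degraded_links():
    """Same branch after the MPLS circuit develops 70 ms RTT (over the GPU target)."""
    return [Link("mpls", 70, 0.1, 5, 50, cost_rank=2),
            Link("broadband", 60, 0.3, 12, 200, cost_rank=0),
            Link("lte", 120, 1.5, 40, 30, cost_rank=3)]


if __name__ == "__main__":
    for label, links in (("healthy", healthy_links()), ("degraded", degraded_links())):
        print(label, steer(BRANCH, links))
```

In the healthy case only the GPU class lands on MPLS (the only link under 50 ms RTT) and everything else rides the cheaper broadband link; when MPLS degrades, the GPU class has no compliant path and is carried best-effort with its SLA flagged as violated, which is the condition a real SD-WAN would alarm on rather than silently tolerate.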
7. VDI Security — ZTNA, MFA, Encryption & Zero Trust
VDI centralizes data — which is both its security strength (data doesn’t leave the data center for user laptops) and its risk concentration point (a compromised broker or gateway exposes every desktop behind it). The gateway tier is also the internet-facing attack surface of the whole deployment, so prompt patching of it matters as much as any control below. Modern VDI security requires layering multiple controls.
| Security Control | Implementation & Notes |
|---|---|
| Zero Trust Network Access (ZTNA) | Replace legacy VPN with ZTNA for VDI access. Fortinet FortiClient ZTNA, Citrix Secure Private Access, and Zscaler Private Access verify device posture and user identity before granting session access. No implicit trust based on network location. Users get access only to specific VDI resources, not the entire network. |
| Multi-Factor Authentication (MFA) | Enforce MFA at the gateway layer (Citrix Gateway, VMware UAG) using Microsoft Entra ID (formerly Azure AD), Duo, Okta, or RADIUS-based MFA. Configure the gateway to require MFA before any VDI session is brokered. Credential stuffing and password spraying against VDI gateways are common; MFA stops the overwhelming majority of automated credential attacks, and phishing-resistant methods (FIDO2, certificate-based) also defeat the real-time relay kits that capture one-time codes. Alert on spikes in failed logins per source and per account at the gateway, since MFA only protects accounts that already have it enrolled. |
| End-to-End Encryption | All display protocol traffic should be encrypted. Citrix HDX: TLS 1.2/1.3 (DTLS for EDT). VMware Blast: TLS/DTLS with AES-GCM. RDP: TLS 1.2 minimum with Network Level Authentication; disable TLS 1.0/1.1 and the legacy RDP security layer. Fortinet SD-WAN SSL inspection can decrypt and re-encrypt traffic to inspect for threats, but VDI display traffic should be exempted from it: the encryption must stay end-to-end between the client and the VDI gateway, a man-in-the-middle breaks certificate validation at the client, the UDP transports (EDT, Blast UDP, PCoIP) cannot be SSL-inspected at all, and the added latency is paid on every frame. |
| Device Posture Assessment | Before granting VDI access, check endpoint compliance: OS patch level, antivirus status, disk encryption, certificate presence. FortiClient EMS integrates with Fortinet ZTNA to enforce posture checks before establishing the ZTNA tunnel. Non-compliant devices are redirected to a remediation page. |
| Session Recording & DLP | Citrix Session Recording captures pixel-perfect session recordings for audit and forensics. Citrix Analytics for Security detects behavioral anomalies (user printing 1,000 documents suddenly). Restrict clipboard, drive mapping, and printing based on device trust level. |
| Network Micro-Segmentation | Don’t put all VDI VMs in the same flat network segment. Segment by department/sensitivity using VLANs, NSX-T micro segmentation, or Fortinet FortiGate firewall policies. A compromised VDI VM should not have lateral movement to production servers. Fortinet NGFW east-west inspection policies between VDI VLANs are a standard design in regulated industries. |
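The MFA row above notes that credential stuffing and password spraying against VDI gateways are common and that failed-login patterns should be alerted on. The block below is an added example written for this article, not code from any gateway vendor: sliding-window detection rules run over a constructed gateway authentication log. The log format, field names, time window and thresholds are assumptions; real Citrix Gateway, UAG or RD Gateway logs lay the fields out differently but carry the same information (time, result, user, source address), so only the regular expression would need to change.

```python
"""Detect credential stuffing and password spraying against a VDI gateway
from its authentication log (added example with constructed log lines)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format, constructed for this example (real gateway logs differ in layout).
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) gateway=\S+ event=auth "
    r"result=(?P<result>SUCCESS|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse(lines):
    """Return (timestamp, result, user, src) tuples in time order; unrelated lines are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            events.append((datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
                           m["result"], m["user"].lower(), m["src"]))
    events.sort()
    return events


def detect(events, window=timedelta(minutes=10), spray_users=5, brute_fails=20, dist_sources=5):
    """Sliding-window rules over failed logins. Returns a set of (rule, subject) alerts.
    - password_spray: one source fails against >= spray_users distinct accounts
    - brute_force: one source produces >= brute_fails failures
    - distributed_guessing: one account fails from >= dist_sources sources
    - success_after_failures: a source succeeds after >= 3 recent failures (a likely hit)
    Thresholds are assumptions; tune them to the gateway's normal failure rate."""
    by_src = defaultdict(deque)   # src  -> deque of (ts, user) failures inside the window
    by_user = defaultdict(deque)  # user -> deque of (ts, src) failures inside the window
    alerts = set()

    def expire(q, now):
        while q and now - q[0][0] > window:
            q.popleft()

    for ts, result, user, src in events:
        expire(by_src[src], ts)
        expire(by_user[user], ts)
        if result == "SUCCESS":
            if len(by_src[src]) >= 3:
                alerts.add(("success_after_failures", f"{src}:{user}"))
            continue
        by_src[src].append((ts, user))
        by_user[user].append((ts, src))
        if len({u for _, u in by_src[src]}) >= spray_users:
            alerts.add(("password_spray", src))
        if len(by_src[src]) >= brute_fails:
            alerts.add(("brute_force", src))
        if len({s for _, s in by_user[user]}) >= dist_sources:
            alerts.add(("distributed_guessing", user))
    return alerts


def _line(sec, result, user, src):
    ts = datetime(2026, 5, 4, 8, 0, 0) + timedelta(seconds=sec)
    return f"{ts:%Y-%m-%dT%H:%M:%SZ} gateway=gw1 event=auth result={result} user={user} src={src}"


def sample_log():
    """Constructed gateway log: normal traffic plus three attack patterns."""
    lines = [_line(5, "SUCCESS", "carol", "198.51.100.7"),
             _line(40, "FAIL", "carol", "198.51.100.7"),     # a single typo, not an attack
             _line(45, "SUCCESS", "carol", "198.51.100.7")]
    # password spray: one source, one guess per account, then a hit on the last one
    for i, u in enumerate(["jsmith", "mjones", "rbrown", "lwhite", "kgreen", "pblack"]):
        lines.append(_line(60 + 20 * i, "FAIL", u, "203.0.113.10"))
    lines.append(_line(200, "SUCCESS", "pblack", "203.0.113.10"))
    # brute force: one source hammering one service account
    lines += [_line(100 + 5 * i, "FAIL", "svc-backup", "203.0.113.20") for i in range(25)]
    # distributed guessing: one account attacked from many sources (proxy pool / botnet)
    lines += [_line(300 + 30 * i, "FAIL", "alice", f"192.0.2.{i + 1}") for i in range(6)]
    return lines


if __name__ == "__main__":
    for rule, subject in sorted(detect(parse(sample_log()))):
        print(f"ALERT {rule:24} {subject}")
```

The per-source and per-account windows are kept separately because the two attack shapes are mirror images: spraying shows one source touching many accounts with few failures each (so a per-account lockout never fires), while distributed guessing shows one account touched by many sources (so a per-source rate limit never fires). The success-after-failures rule is the one that turns a noisy alert into an incident, since it marks the account the attacker actually got into.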