Virtual Desktop Infrastructure

(TL;DR = scroll down to “Conclusion / ‘The Fix’”)

Fortunately, I have the opportunity to see many environments “in-the-wild”, as it were. The downside is running into those annoying conditions where something is obviously wrong (or not operating as expected), without an obvious cause. Over the last year or so, I’ve come across this one often enough that I figured it’s worthy of an article. This generally applies to VDI/RDSH environments including VMware Horizon, Microsoft RDSH/VDI, Citrix, Nutanix Frame, etc. I’ll loosely use the acronym “VDI”, to describe accessing a remote desktop or remotely published apps.

How many VDI admins observe higher CPU than expected on their VDI/RDSH VMs? You’ve optimized the crap out of the image, invested in all-flash, tick-tocked past Xeon Gold to something like Xeon Palladium or more exotic (note: that was a joke), added GPU acceleration, etc. Yet your VDI images are still bogged down. I don’t know about you, but I have limited hair left and I’m not excited about losing more… Anyway, when you look at process information, you see chrome.exe, iexplore.exe or web browser X choking the CPU.

Then you blame the users: “you should keep tabs closed more often”, “you shouldn’t be browsing to xyzabc.com”, “you shouldn’t be using ____”. The problem with that approach is that those sites work fine (kind of) on a physical PC or on their phone/tablet. Also, I don’t know about your users, but (chalk it up to American charm) users don’t like being told “you should ___” or “you shouldn’t ____”. It’s hard enough to get buy-in for VDI to begin with, never mind assaulting users with a new set of can/can’t-do’s.
Then you’re the bad guy and …


So what’s going on? I’ll just share my experience, which is echoed in some far and not-so-far reaches of the web. It’s the ads. Yup, those ad networks. Even pages that don’t seem to have ads are probably using some kind of ad-network tracking machinery in the code of the site/page. Not only are they a great way to deliver malware, they could be killing your VDI environment too! (I understand ad-sponsored sites allow publishers to share content without subscriptions, but this is a practical matter geared toward VDI.)

First, why is VDI so sensitive? Simple: it’s a shared platform. Any good admin’s goal is to optimize the crap out of it to save resources ($$$), have it operate as efficiently as possible, then stack images wide and deep. It’s not practical to buy users their own dedicated server with Xeon Californium or whatever precious metal we’re using today. Rather, we commonly condense down to 2 [shared] vCPUs and 6-8GB of RAM (which should not be shared). Compare that to a “basic” laptop featuring a 4-core dedicated i5 or something. VDI also has an amplification effect: remember when we all learned not to run scheduled AV scans at the same time?

Closer to the point, here’s some data I collected in my lab. Your results may vary; this isn’t overly scientific, nor was it meant to be. My lab is an all-flash Xeon-E Dell Precision laptop running vSphere 6.7.

VMware vSphere 6.7, VMware Horizon 7.11 (using a UAG, v3.8, with HTML / Blast for this test), desktop images are Windows 10 1909 with 2 vCPU and 6GB of RAM. Minimal optimizations, no vGPU/etc.

Baseline – no apps open, except task manager: ~1% CPU utilization
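The numbers below were read off Task Manager. As an added example (not the post’s own tooling), here is a PowerShell function that captures the same three readings inside the VDI guest: a baseline, a “page load” window, and an “idle” window after the 5 second settle. It assumes it runs inside the Windows 10 desktop, that the browser path and URLs are supplied by the caller, and that the standard Windows performance counters are available; the window lengths are assumptions you can tune.

```powershell
# Added example, not code from the original post.
# Samples total CPU before, during and after loading a page so the
# "page load" vs "idle after 5 second settle" comparison is repeatable.
function Measure-PageCpu {
    param(
        [Parameter(Mandatory)] [string] $Url,
        # Assumption: Chrome Enterprise at its default install path; pass iexplore.exe etc. as needed.
        [string] $BrowserPath   = "$env:ProgramFiles\Google\Chrome\Application\chrome.exe",
        [int]    $LoadSeconds   = 10,   # window that captures the page load (assumed value)
        [int]    $SettleSeconds = 5,    # matches the 5 second "settle" period used above
        [int]    $IdleSeconds   = 10    # window that captures the "idle" tab (assumed value)
    )

    $counter = '\Processor(_Total)\% Processor Time'

    # Baseline before the browser is launched (the ~1% figure above).
    $baseline = (Get-Counter -Counter $counter -SampleInterval 1 -MaxSamples 3).CounterSamples.CookedValue |
        Measure-Object -Average

    # Note: if the browser is already running this launcher process may exit immediately
    # after handing the URL to the existing instance, so BrowserPid is informational only.
    $proc = Start-Process -FilePath $BrowserPath -ArgumentList $Url -PassThru

    # One sample per second while the page loads; keep average and peak.
    $load = (Get-Counter -Counter $counter -SampleInterval 1 -MaxSamples $LoadSeconds).CounterSamples.CookedValue |
        Measure-Object -Average -Maximum

    Start-Sleep -Seconds $SettleSeconds

    # Same sampling with the page sitting "idle" on screen.
    $idle = (Get-Counter -Counter $counter -SampleInterval 1 -MaxSamples $IdleSeconds).CounterSamples.CookedValue |
        Measure-Object -Average -Maximum

    [pscustomobject]@{
        Url         = $Url
        BaselinePct = [math]::Round($baseline.Average, 1)
        LoadAvgPct  = [math]::Round($load.Average, 1)
        LoadPeakPct = [math]::Round($load.Maximum, 1)
        IdleAvgPct  = [math]::Round($idle.Average, 1)
        IdlePeakPct = [math]::Round($idle.Maximum, 1)
        BrowserPid  = $proc.Id
    }
}

# Usage: run the same list once with blocking disabled and once with it enabled, then compare.
'https://winslowtg.com', 'https://www.msn.com', 'https://www.cnn.com' |
    ForEach-Object { Measure-PageCpu -Url $_ } |
    Format-Table -AutoSize
```

Close the browser between runs so the “idle” window of one site does not bleed into the baseline of the next, and run each configuration a few times; the spikes noted in the lists below are exactly what the single-sample peak columns will catch.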

Let’s launch some browsers!

IE (not Edge)

Tracking Protection = Disabled

Page Load:

  • winslowtg.com: ~55% CPU (spikes to ~20-30%)
  • msn.com: ~64% CPU
  • cnn.com: ~60% CPU

After 5 second “settle” period – full screen, “idle”:

  • winslowtg.com: ~2% CPU (spikes to ~20-30%)
  • msn.com: ~8% CPU
  • cnn.com: ~14% CPU

Tracking Protection = Enabled, EasyList Tracking Protection = Enabled, Personalized List = Enabled

Page Load (**pages “feel” like they load/display faster and are snappier**):

  • winslowtg.com: ~40% CPU (spikes to ~20-30%)
  • msn.com: ~32% CPU
  • cnn.com: ~40% CPU

After 5 second “settle” period – full screen, “idle”:

  • winslowtg.com: ~2% CPU
  • msn.com: ~5% CPU
  • cnn.com: ~10% CPU

Chrome Enterprise

(No AdBlock Extension / “block ads” settings):

Page Load:

  • winslowtg.com: ~50% CPU
  • msn.com: ~60+% CPU
  • cnn.com: ~70+% CPU

After 5 second “settle” period – full screen, “idle”:

  • winslowtg.com: ~13% CPU
  • msn.com: ~22% CPU
  • cnn.com: ~10% CPU

GPO forced install of AdBlock:

Page Load (subjectively feels like it loads faster):

  • winslowtg.com: ~50% CPU (spikes to ~20-30%)
  • msn.com: ~40% CPU
  • cnn.com: ~50% CPU

After 5 second “settle” period – full screen, “idle”:

  • winslowtg.com: ~10% CPU (spikes to ~20-30%)
  • msn.com: ~6% CPU
  • cnn.com: ~4% CPU

Conclusion / ‘The Fix’

Phew, that’s a lot! So, is this some silver bullet? No. But it does help explain a lot of the high CPU usage related to Chrome, IE, etc. In VDI, every little bit helps. It’s just another tool in your toolbox.

So, what’s the best way to deploy a “fix” for this? We have a few options. You can create a GPO to deploy EasyList Tracking Protection settings for IE. There are a couple of blogs that describe that, so I won’t repeat it here. It’s pretty effective, but a little complex to do. With Chrome Enterprise (that is what you’re using in VDI, right?), you can use a GPO to force the deployment of extensions like AdBlock. Again, GPO is effective, but is this the way I would do it? Not really, nope. Mucking with GPOs and IE/Chrome settings like this is almost as fun as a root canal. It’s way more effective to use the Web/DNS filter on your firewall!
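For anyone who does go the GPO route for Chrome, the policy in question is ExtensionInstallForcelist, and what the GPO ultimately writes is a set of numbered string values under HKLM\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist, each in the form “extension_id;update_url”. The following is an added example (not from the original post) that writes and reads back that policy directly, so you can test it on a single VM or bake it into the master image before wiring up the GPO. It assumes an elevated session; `<EXTENSION_ID>` is a placeholder for the 32-character Chrome Web Store ID of whichever blocking extension you standardize on.

```powershell
# Added example, not code from the original post.
# Registry form of the Chrome "ExtensionInstallForcelist" policy (what the GPO writes).
$policyKey   = 'HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist'
$updateUrl   = 'https://clients2.google.com/service/update2/crx'   # Chrome Web Store update service
$extensionId = '<EXTENSION_ID>'   # placeholder: replace with the real 32-character extension ID

function Get-ChromeForcedExtensions {
    # Returns the currently forced extensions as objects (empty if the policy key is absent).
    if (-not (Test-Path $policyKey)) { return @() }
    (Get-Item $policyKey).GetValueNames() |
        Where-Object { $_ -match '^\d+$' } |
        ForEach-Object {
            $id, $url = (Get-ItemPropertyValue -Path $policyKey -Name $_) -split ';', 2
            [pscustomobject]@{ Value = [int]$_; ExtensionId = $id; UpdateUrl = $url }
        }
}

function Add-ChromeForcedExtension {
    param(
        [Parameter(Mandatory)] [string] $Id,
        [string] $UpdateUrl = $updateUrl
    )
    # Chrome extension IDs are 32 lowercase letters in the range a-p.
    if ($Id -notmatch '^[a-p]{32}$') { throw "Not a valid Chrome extension ID: '$Id'" }
    if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }

    $current = @(Get-ChromeForcedExtensions)
    $match   = $current | Where-Object { $_.ExtensionId -eq $Id }
    if ($match) { return "already forced as value $($match.Value)" }

    # Policy entries are numbered "1", "2", ...; append after the highest existing number.
    $next = if ($current) { ($current.Value | Measure-Object -Maximum).Maximum + 1 } else { 1 }
    New-ItemProperty -Path $policyKey -Name $next -Value "$Id;$UpdateUrl" -PropertyType String -Force | Out-Null
    return "added as value $next"
}

if ($extensionId -eq '<EXTENSION_ID>') {
    Write-Warning 'Replace the <EXTENSION_ID> placeholder with a real extension ID before running.'
} else {
    Add-ChromeForcedExtension -Id $extensionId
}
Get-ChromeForcedExtensions | Format-Table -AutoSize
# chrome://policy in the browser lists the same entries once policy is refreshed.
```

Because the extension is installed from the Web Store update URL, the VDI desktops still need outbound access to that service, which is one more reason the firewall-side filter is the lower-maintenance option in practice.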

In Fortinet/FortiGate, it’s these settings (then apply them to your policy, of course):

Web Filter: (screenshot of the FortiGate Web Filter settings, not reproduced here)

DNS Filter: (screenshot of the FortiGate DNS Filter settings, not reproduced here)

And there you have it! Feel free to comment if this was/wasn’t helpful or effective for you!

As always, this article does not come with any sort of warranty nor specific suggestion or recommendation. Any views or results shared are my own, and do not necessarily represent that of my employer or vendor/OEM/manufacturer cited in the article.

Additional Info:

https://www.htguk.com/improving-citrix-xenapp-session/

https://virtualwarlock.net/internet-explorer-tracking-protection/

https://citrixguyblog.com/2017/05/07/xenapp-internet-explorer-improving-user-experience/


About the Author: Matthew Kozloski

WTG's Vice President of Professional Services and Cybersecurity