Wyse Management Suite (WMS) DNS Discovery

Once you have Wyse Management Suite (WMS) installed the next step is to automatically have your devices ‘find’ and check-in into your WMS server. This is accomplished by setting up a few DNS records that include the key WMS server information. I’ve outlined the DNS records that need to be setup and steps to setup on Microsoft Server 2012.

  • Service Location (SRV) Record
    • _WMS_MGMT
    • _WMS_MQTT
  • Text (TXT) Record
    • _WMS_GROUPTOKEN
    • _WMS_CAValidation

Steps to setup Service Location (SRV) Record on Microsoft Server 2012

  1. On your DNS server navigate to the domain you want, then right click on “_tcp”, and select “Other New Records”.

  2. To setup the 2 SRV records, select “Service Location (SRV) from the options.

  3. Setup your record for, “_WMS_MGMT”. This is the FQDN of your WMS server. Use the following options below:
    1. Domain: Your domain name
    2. Service: _WMS_MGMT
    3. Protocol: _tcp
    4. Priority: 0
    5. Weight: 100
    6. Port Number: 443
    7. Host offering this service: your_wms_server, i.e. wms1.dellse.local

  4. Setup your record for, “_WMS_MQTT”. This is a service port WMS uses. This is the FQDN of your WMS server. Use the following options below:
    1. Domain: Your domain name
    2. Service: _WMS_MQTT
    3. Protocol: _tcp
    4. Priority: 0
    5. Weight: 100
    6. Port Number: 1883
    7. Host offering this service: your_wms_server, i.e. wms1.dellse.local

  5. To setup the next 2 records, navigate to the domain you want, select that node, then right click and select “Other New Records”. *Note* do not select a sub node such as _tcp for these records.

  6. Select the “Text (TXT)” Record type:

  7. Setup your record for, “_WMS_GROUPTOKEN”. This is the specific Group Token/Profile that you setup and want to use. Use the following options below:
    1. Record Name: _WMS_GROUPTOKEN
    2. Fully qualified domain name (FQDN): _WMS_GROUPTOKEN.your_domain
    3. Text: defa-labdemo1
      1. This “Text:” field is the key that you want to use. You will get this from your WMS console where you setup your group profile under the key icon.

  8. Setup your record for, “_WMS_CAValidation”. If you are not using an SSL cert (default), then this value needs to be set to ‘False’. If you are using a cert, then this would be set to “True”. Use the following options below:
    1. Record Name: _WMS_CAValidation
    2. Fully qualified domain name (FQDN): _WMS_CAValidation.your_domain
    3. Text: False (or True, if using a cert)

9. Once you have these 4 options setup, you should see the following in DNS;

The following records should be listed under your_domain:

The other 2 records should be listed under, your_domain\_tcp

10. This completes the setup. Once your device boots up and does it’s DNS lookup it will populate the proper fields on the device, in this example, Wyse ThinOS:

Dell Wyse ThinOS – SCEP and NDES Certificate Configuration

In order to request certificates manually or automatically, for example for wireless access, you need to configure Dell Wyse ThinOS to request certificates. This process requires you have the Network Device Enrollment Service (NDES) role setup in your environment. This is what implements Simple Certificate Enrollment Protocol (SCEP), which is used to issue certificates.

The setup outlined here uses a Microsoft Windows Server 2012.

In addition to having an internal Certificate Authority setup in your Active Directory environment you will also need the Network Device Enrollment Service (NDES) role installed. This is role/service that implements the Simple Certificate Enrollment Protocol (SCEP) used to issue certificates.

If not already setup, you can setup your Certificate Authority following steps here.

If not already setup, you can install and configure the NDES server role here.

  • The Setup section here outlines exact steps to setup your NDES server to start handing out certificate.

Issue:

How do you setup Dell Wyse ThinOS to request certificates from your Network Device Enrollment Service (NDES).

Resolution:

You will first need to setup your NDES environment by following steps in requirements section. Once setup your device will be able to request certificates manually or automatically.

Details:

We will first cover the manual process to have the device request a certificate from the NDES server.


1.
On Dell Wyse ThinOS go to System Tools\Certificates and select “Request Certificate” and the following screen will appear.


2.
Fill in the fields as shown below making note of the following;


  1. Request URL: This will be the URL of your NDES server. Note, do not include the prefix, http, otherwise, you will get an error: “failed getting port number.”
  2. CA Certificate Hash Type: if using MS CA/NDES server then this should remain MD5. Even though your server may issue SHA256 hashed certs, MD5 is what is used to issue the request but cert will be signed however you have them configured, i.e. SHA1, SHA256, etc..
  3. CA Certificate Hash Value: You will need to browse to the following location on your NDES server; http://hostname/certsrv/mscep/mscep.dll. You will then click link, http://hostname/certsrv/mscep_admin to get the Hash Value and Enrollment Password. * NOTE * Be sure to include spaces in the Hash Value name as it shows on the webpage example below.

  4.  Enrollment Password: This will be the password retrieved from above.

3. Once you click “Request Certificate” the client will communicate with the server and return the following:


Note: Be sure to check off “Install CA Certificate” so this is also installed otherwise, the certificate will be installed under ‘Unknown’ on client and not be chained correctly.


4. Click “Install Certificates” and both certificates will be installed on the client.


NOTE: You can also verify it has the correct Signature Algorithim, i.e. SHA1 or SHA256 or whatever your CA is set to.

SHA1 Cert:


SHA256 Cert:


NOTE 1: Even if Signature Algorithm is set to SHA256, the Thumbprint Algorithm will be set to SHA1. This is expected as noted here.

NOTE 2: It is helpful to know what Signature Algorithm your CA uses. You can confirm this from here;

SHA1


SHA256


Note: To upgrade your CA from using SHA1 to SHA256 you can follow steps here.

5. This completes process to manually request certificates. In order to Dell Wyse ThinOS request certificates automatically you will have to do this via an INI file or Wyse Management Suite. The values you will use to do this are outlined on the 8.4 INI guide and you can get documentation here.


NVIDIA Releases Updates to NVIDIA GRID GPU line!

Today, NVIDIA announced some updates to the  line of NVIDIA GRID GPU’s for VDI. I continue to see the use cases increase for GPU’s in VDI so great to see these new releases. The increase in user density is one of the key considerations customers always ask; how many users per server/GPU? Great to see the users density continue to increase!

Here are some details from todays launch webinar and my key takeaways;

  • renamed vWorkstation license version to Quadro Virtual Data Center Workstation Software (Quadro vDWS)
  • newer P40 & P6 GPU’s do NOT have 512MB profile (min is 1Gb)
  • a new license server will be released; 5.0
  • 50% more vGPU per physical GPU (improves density!)
  • updated/newer monitoring and insight integration into VMware vRealize Operations and 3rd party’s, i.e. Liquidware Labs, Lakeside, ControlUp, eGInnovations, etc..

Updated NVIDIA GRID line:

You can see press release here.

Dell Wyse ThinOS – “Invalid Digital Signature” Message

Issue: When attempting to downgrade ThinOS firmware from version 8.4.x to earlier versions, i.e. 8.3.x, 8.2.x, etc.. you may get the following message, “Invalid Digital Signature”.

Resolution: In order to rollback the version of firmware you need to add the following parameter to your wnos.ini configuration file or WMS/CCM configuration.

VerifySignature=no

Note: This will need to be added on a line starting with, “autoload=x”

For example: autoload=1 VerifySignature=no

See v8.4 INI guide for further details here.

More details on VerifySignature= parameter from the 8.4 release notes:

“The option VerifySignature specifies to verify the signature or not when updating the firmware and/or packages. It is introduced in 8.4 and later to make sure the security and integrity of the firmware and packages. If set VerifySignature to no, it will not check the signature so that to downgrade the firmware and/or packages which did not support signature. The default is yes.”

@chris_messier ~~> Subscribe to blog to get latest updates <~~

Windows Embedded Security – Threat Defense | Dell Data Protection

When looking at Windows Embedded devices people often ask about options to further secure them. In many cases, the devices are only used to access virtual desktops and the thought is often, since it’s essentially a kiosk, i.e. not running email locally, browser, etc.., then I have a limited attack surface. Although the Windows foot print on the client is smaller than a full Windows build there is still value in looking to further secure the endpoint regardless how it is used.

One thing I always suggest to customers is to check directly with their existing A/V vendor for what they have for support on Windows Embedded as some have specific solutions for it and some do not.

Dell has recently integrated it’s Dell Data Protection products into the Dell virtual desktops portfolio, specifically 2 solutions;

The one I am highlighting here is Dell Data Protection | Threat Defense for Windows thin clients. You can see a great demo of the solution below. When looking at further securing your Windows embedded thin clients this solution may be worth a look.