Wyse Management Suite (WMS) DNS Discovery

Once you have Wyse Management Suite (WMS) installed the next step is to automatically have your devices ‘find’ and check-in into your WMS server. This is accomplished by setting up a few DNS records that include the key WMS server information. I’ve outlined the DNS records that need to be setup and steps to setup on Microsoft Server 2012.

  • Service Location (SRV) Record
    • _WMS_MGMT
    • _WMS_MQTT
  • Text (TXT) Record
    • _WMS_GROUPTOKEN
    • _WMS_CAValidation

Steps to setup Service Location (SRV) Record on Microsoft Server 2012

  1. On your DNS server navigate to the domain you want, then right click on “_tcp”, and select “Other New Records”.

  2. To setup the 2 SRV records, select “Service Location (SRV) from the options.

  3. Setup your record for, “_WMS_MGMT”. This is the FQDN of your WMS server. Use the following options below:
    1. Domain: Your domain name
    2. Service: _WMS_MGMT
    3. Protocol: _tcp
    4. Priority: 0
    5. Weight: 100
    6. Port Number: 443
    7. Host offering this service: your_wms_server, i.e. wms1.dellse.local

  4. Setup your record for, “_WMS_MQTT”. This is a service port WMS uses. This is the FQDN of your WMS server. Use the following options below:
    1. Domain: Your domain name
    2. Service: _WMS_MQTT
    3. Protocol: _tcp
    4. Priority: 0
    5. Weight: 100
    6. Port Number: 1883
    7. Host offering this service: your_wms_server, i.e. wms1.dellse.local

  5. To setup the next 2 records, navigate to the domain you want, select that node, then right click and select “Other New Records”. *Note* do not select a sub node such as _tcp for these records.

  6. Select the “Text (TXT)” Record type:

  7. Setup your record for, “_WMS_GROUPTOKEN”. This is the specific Group Token/Profile that you setup and want to use. Use the following options below:
    1. Record Name: _WMS_GROUPTOKEN
    2. Fully qualified domain name (FQDN): _WMS_GROUPTOKEN.your_domain
    3. Text: defa-labdemo1
      1. This “Text:” field is the key that you want to use. You will get this from your WMS console where you setup your group profile under the key icon.

  8. Setup your record for, “_WMS_CAValidation”. If you are not using an SSL cert (default), then this value needs to be set to ‘False’. If you are using a cert, then this would be set to “True”. Use the following options below:
    1. Record Name: _WMS_CAValidation
    2. Fully qualified domain name (FQDN): _WMS_CAValidation.your_domain
    3. Text: False (or True, if using a cert)

9. Once you have these 4 options setup, you should see the following in DNS;

The following records should be listed under your_domain:

The other 2 records should be listed under, your_domain\_tcp

10. This completes the setup. Once your device boots up and does it’s DNS lookup it will populate the proper fields on the device, in this example, Wyse ThinOS:

Dell Wyse ThinOS – SCEP and NDES Certificate Configuration

In order to request certificates manually or automatically, for example for wireless access, you need to configure Dell Wyse ThinOS to request certificates. This process requires you have the Network Device Enrollment Service (NDES) role setup in your environment. This is what implements Simple Certificate Enrollment Protocol (SCEP), which is used to issue certificates.

The setup outlined here uses a Microsoft Windows Server 2012.

In addition to having an internal Certificate Authority setup in your Active Directory environment you will also need the Network Device Enrollment Service (NDES) role installed. This is role/service that implements the Simple Certificate Enrollment Protocol (SCEP) used to issue certificates.

If not already setup, you can setup your Certificate Authority following steps here.

If not already setup, you can install and configure the NDES server role here.

  • The Setup section here outlines exact steps to setup your NDES server to start handing out certificate.

Issue:

How do you setup Dell Wyse ThinOS to request certificates from your Network Device Enrollment Service (NDES).

Resolution:

You will first need to setup your NDES environment by following steps in requirements section. Once setup your device will be able to request certificates manually or automatically.

Details:

We will first cover the manual process to have the device request a certificate from the NDES server.


1.
On Dell Wyse ThinOS go to System Tools\Certificates and select “Request Certificate” and the following screen will appear.


2.
Fill in the fields as shown below making note of the following;


  1. Request URL: This will be the URL of your NDES server. Note, do not include the prefix, http, otherwise, you will get an error: “failed getting port number.”
  2. CA Certificate Hash Type: if using MS CA/NDES server then this should remain MD5. Even though your server may issue SHA256 hashed certs, MD5 is what is used to issue the request but cert will be signed however you have them configured, i.e. SHA1, SHA256, etc..
  3. CA Certificate Hash Value: You will need to browse to the following location on your NDES server; http://hostname/certsrv/mscep/mscep.dll. You will then click link, http://hostname/certsrv/mscep_admin to get the Hash Value and Enrollment Password. * NOTE * Be sure to include spaces in the Hash Value name as it shows on the webpage example below.

  4.  Enrollment Password: This will be the password retrieved from above.

3. Once you click “Request Certificate” the client will communicate with the server and return the following:


Note: Be sure to check off “Install CA Certificate” so this is also installed otherwise, the certificate will be installed under ‘Unknown’ on client and not be chained correctly.


4. Click “Install Certificates” and both certificates will be installed on the client.


NOTE: You can also verify it has the correct Signature Algorithim, i.e. SHA1 or SHA256 or whatever your CA is set to.

SHA1 Cert:


SHA256 Cert:


NOTE 1: Even if Signature Algorithm is set to SHA256, the Thumbprint Algorithm will be set to SHA1. This is expected as noted here.

NOTE 2: It is helpful to know what Signature Algorithm your CA uses. You can confirm this from here;

SHA1


SHA256


Note: To upgrade your CA from using SHA1 to SHA256 you can follow steps here.

5. This completes process to manually request certificates. In order to Dell Wyse ThinOS request certificates automatically you will have to do this via an INI file or Wyse Management Suite. The values you will use to do this are outlined on the 8.4 INI guide and you can get documentation here.


NVIDIA Releases Updates to NVIDIA GRID GPU line!

Today, NVIDIA announced some updates to the  line of NVIDIA GRID GPU’s for VDI. I continue to see the use cases increase for GPU’s in VDI so great to see these new releases. The increase in user density is one of the key considerations customers always ask; how many users per server/GPU? Great to see the users density continue to increase!

Here are some details from todays launch webinar and my key takeaways;

  • renamed vWorkstation license version to Quadro Virtual Data Center Workstation Software (Quadro vDWS)
  • newer P40 & P6 GPU’s do NOT have 512MB profile (min is 1Gb)
  • a new license server will be released; 5.0
  • 50% more vGPU per physical GPU (improves density!)
  • updated/newer monitoring and insight integration into VMware vRealize Operations and 3rd party’s, i.e. Liquidware Labs, Lakeside, ControlUp, eGInnovations, etc..

Updated NVIDIA GRID line:

You can see press release here.

Dell Wyse ThinOS – “Invalid Digital Signature” Message

Issue: When attempting to downgrade ThinOS firmware from version 8.4.x to earlier versions, i.e. 8.3.x, 8.2.x, etc.. you may get the following message, “Invalid Digital Signature”.

Resolution: In order to rollback the version of firmware you need to add the following parameter to your wnos.ini configuration file or WMS/CCM configuration.

VerifySignature=no

Note: This will need to be added on a line starting with, “autoload=x”

For example: autoload=1 VerifySignature=no

See v8.4 INI guide for further details here.

More details on VerifySignature= parameter from the 8.4 release notes:

“The option VerifySignature specifies to verify the signature or not when updating the firmware and/or packages. It is introduced in 8.4 and later to make sure the security and integrity of the firmware and packages. If set VerifySignature to no, it will not check the signature so that to downgrade the firmware and/or packages which did not support signature. The default is yes.”

@chris_messier ~~> Subscribe to blog to get latest updates <~~

Windows Embedded Security – Threat Defense | Dell Data Protection

When looking at Windows Embedded devices people often ask about options to further secure them. In many cases, the devices are only used to access virtual desktops and the thought is often, since it’s essentially a kiosk, i.e. not running email locally, browser, etc.., then I have a limited attack surface. Although the Windows foot print on the client is smaller than a full Windows build there is still value in looking to further secure the endpoint regardless how it is used.

One thing I always suggest to customers is to check directly with their existing A/V vendor for what they have for support on Windows Embedded as some have specific solutions for it and some do not.

Dell has recently integrated it’s Dell Data Protection products into the Dell virtual desktops portfolio, specifically 2 solutions;

The one I am highlighting here is Dell Data Protection | Threat Defense for Windows thin clients. You can see a great demo of the solution below. When looking at further securing your Windows embedded thin clients this solution may be worth a look.

Introduction to VMware NSX & VDI

nsx

In my quest to learn a bit more about VMware NSX for Horizon virtual desktops I came across a few great resources I wanted to share. If your not familiar with VMware NSX you can get a good overview of this network & security solution here: VMware NSX for VDI. In order to further secure virtual desktops, NSX allows you to create rules and policies that are VM & user centric to control various levels of access to the users VM.

A lot has been talked about whether VDI is inherently more secure than a physical PC environment and the opinions vary. A great post a few years ago was hotly debated on this topic on BrianMadden.com and is worth a read.

vdi_security
BrianMadden.com

However you look at it, the industry is evolving to help further secure virtual desktop environment’s and VMware NSX is one solution to help in that area.

A great overview of the solution is below. Another deep dive that I thought was great can be found here.

Wyse ThinOS Fails to Auto Create Printer when using Citrix Universal Print Driver

Issue:

Wyse ThinOS fails to auto-create local/USB printers using the Citrix Universal Print Driver when connecting to XenApp 7.8 on Windows Server 2008 or 2012 servers.

The issue occurs if the local Wyse ThinOS printer “identification” field is set to use the “PCL5” driver which ThinOS is set to use by default. On Windows Server 2008 R2 and 2012 servers running Citrix XenApp 7.8, and other versions, they do not have the specific PCL5 driver, “HP Color LaserJet 4500 PCL 5”, installed by default. This specific HP driver is the PCL5 driver that the Citrix Universal Print driver uses and is not installed by defaults so it needs to be manually installed.

Resolution:

The required Windows PCL5 driver that the Citrix UPD leverages, “HP Color LaserJet 4500 PCL 5”, needs to be manually installed on the Windows Server 2008 or 2012 servers. Citrix identifies this issue in the following CTX article:

CTX140208 – Non-Windows Clients may not Autocreate Printers on Windows Server 2012 using the Citrix UPD

“As non-windows clients do not support EMF or XPS drivers, they will attempt to use PS or PCL drivers. In Windows Server 2008 R2 or Windows Server 2012, PCL5c, PCL4, and PS drivers may not be installed by default. To install them, launch the Print Server Properties window and click Windows Driver Update.”

The default Citrix UPD drivers are the following and the PCL5c is the one generally missing:

PS driver HP Color LaserJet 2800 Series PS
PCL4 driver HP LaserJet Series II
PCL5c driver HP Color LaserJet 4500 PCL 5

Details:

By default, the server does not have the “HP Color LaserJet 4500 PCL 5” installed as shown under print server properties. As shown in the registry, the Citrix UPD uses this driver to map the PCL5c driver and since its missing, auto creation from ThinOS fails.


By default, Wyse ThinOS is set to use a PCL5 driver under “Printer Identification” field so when the printer is auto created it attempts to map to the PCL5 driver on the server which is missing so auto creation fails.


By default, the Citrix UPD is set to “Use universal printing only if requested driver is unavailable” and the UPD driver preference order is set to; EMF;XMS;PCL5c;PCL4;PS.

As noted above, “non-windows clients do not support EMF or XPS” so the first driver it attempts to use is PCL5c which is not installed by default so auto creation from Wyse ThinOS PCL5 fails. If Wyse ThinOS “Printer Identification” was set to use PCL4 or PS then auto creation would succeed as those 2 drivers are installed by default.


This issue and resolution is also documented in the following PDF Technote – Wyse ThinOS and Citrix UPD Fails to Autocreate Printers.