SSL Certificates & Wyse Management Suite

In a previous post, here, I covered how to resolve the SSL error message, “SSL Certificate Authority is Unknown” when using ThinOS.

In this post I will cover how to upload SSL certificates into Wyse Management Suite (WMS) and how to assign them to a specific group configuration/profile for ThinOS 8.x and 9.x.

The process is slightly different for ThinOS 8.x & ThinOS 9.x but I will cover both below. 

How to upload SSL certificates for use by ThinOS 8.x:

1. In WMS, browse to “Apps & Data”:

2. Scroll down to “File Repository”:

3. Click “Add File” to upload Certificate:

4. Browse out to the Certificates you exported. You will need to do for each Certificate you exported.

 

5. Once you click upload it should show up under the ‘Apps & Data – Inventory File Repository”:

 

How to upload SSL certificates for use by ThinOS 9.x:

    1. In your ThinOS 9 policy, browse to “Privacy & Security\Certificates”. Here you can turn on “Auto Install Certificates” and browse to the certificates you want to upload as shown below:

 

How to assign SSL Certificates to WMS configuration group/policy: 

Once your certificates are imported into WMS, you then need to assign them to your ThinOS profile you are using under, “Groups & Configs” select the group you want to edit following steps below;

  • ThinOS 8.x: in the policy, browse to “Device Configuration\Security\General Settings”. Select “Auto-install Certificates” and your Certificate should show up in the list to select. Once you are done, click “Save & Publish”. The next time the device reboots, it will pick up the new Certificate.

  • ThinOS 9.x: in your policy, browse to “Privacy & Security\Certificates”. Here you can turn on “Auto Install Certificates” and browse to the certificates you want to upload as shown below:

This completes the process of uploading your SSL certificates to WMS and assigning them to a ThinOS policy.

For more assistance, check out Dell Community Forums (formally Dell TechCenter):

@chris_messier ~~> Subscribe to blog to get latest updates <~~

 

Dell Wyse ThinOS – “SSL Certificate Authority is Unknown”

“SSL Certificate Authority is Unknown”

A common issue connecting to a VDI connection broker, i.e Citrix, VMware, etc.., from Dell Wyse ThinOS or any thin client, is an SSL certificate error. There are generally 2 reasons why.

  • the Root Certificate Authority certificate is not installed on the device
  • the Intermediate Certificate Authority certificate is also not installed on the device

Error: SSL Certificate Authority is Unknown

This is easily fixed by installing both the missing Root and likely the Intermediate certificate.

To do this, you can simply export from a browser, and then import on the device, generally through Wyse Management Suite (WMS) or even a USB key if you had to.

I will cover the 3 step process to fix this.

  1. Export the required certificates from a browser
  2. Upload into Wyse Management Suite
  3. Assign the certificates to the device profile

Steps to export certificate from browser:

  1. In this example, I used https://portal.vmware.com as an example to work with certificates but this would be your VMware Horizon server, Citrix Storefront site, Citrix Netscaler/ADC, Microsoft Azure MFA site, etc…
  2. Click on the SSL padlock on your browser as shown below to bring up below window. Click on ‘Certificate (Valid)’ field.

3. This will bring up the certificate information:

4. Click on “Certification Path” tab bring up the following:

5. Select the top level certificate, in this case, “Sectigo (formally Comodo CA)”

6. This will bring up the Root certificate as shown below, “Comodo RSA Certification Authority”. This is the first certificate we want to export.

7. Click on the “Details” tab and select, “Copy to File”:

8. Take defaults and follow the wizard to export the certificate:

9. Once you export the top level Root Certificate, follow the same steps to export the Intermediate certificate. This Intermediate is chained, or trusted, by this top level Root Certificate so we need both certificates in this chain.

10. In the browser, select the Intermediate Certificate, “COMODO RSA Domain Validation Secure Server CA” and select “View Certificate”:

11. Select “Details” and “Copy to File” to export the certificate:

12. Follow wizard again to export the Intermediate Certificate:

13. You now have successfully exported both the top level Root Certificate, “Comodo RSA Certification Authority”, and the Intermediate Certificate, “COMODO RSA Domain Validation Secure Server CA”.

Once exported you need to upload them into your WMS server. It’s a simple process and the steps to upload the certifications are outlined here. Once complete, resume to step 15 below to assign the certificate(s) to your group configuration/profile.

15. Once certificates are imported into WMS, you then need to assign them to your ThinOS profile you are using under, “Groups & Configs” select the group you want to edit following steps below;

  • ThinOS 8.x: in the policy, browse to “Device Configuration\Security\General Settings”. Select “Auto-install Certificates” and your Certificate should show up in the list to select. Once you are done, click “Save & Publish”. The next time the device reboots, it will pick up the new Certificate.

  • ThinOS 9.x: in your policy, browse to “Privacy & Security\Certificates”. Here you can turn on “Auto Install Certificates” and browse to the certificates you want to upload as shown below:

 

This completes the process of exporting the SSL certs, uploading to WMS, and assigning them to your profile. This should resolve the issue of “SSL Certificate Authority is Unknown”.

For more assistance, check out Dell Community Forums (formally Dell TechCenter):

@chris_messier ~~> Subscribe to blog to get latest updates <~~

How To: Wyse Management Suite and Active Directory Integration

One of the great features of Wyse Management Suite (WMS) Pro is the ability to integrate it with Active Directory so you can log into WMS using your existing Active Directory accounts.

The process is pretty straightforward as outlined in admin guides but recently working on this with a customer I wanted to document the process with some additional details that helped.

  • Go to ‘Portal Administration’, ‘Active Directory (AD)’
  • Enter your Active Directory information as outlined below:
    • Name: FQDN of domain controller
    • Domain: domain name
    • Server URL: ldap://ip_fqdn of domain controller
    • Port: 389


  • Once you click ‘Save’ and it’s successful, you will see the following screen:

  • Click on the ‘icon’ to add by either Groups, Users, and also search by OU to enumerate from AD.


  • You will then see your existing Groups appear below:


    You could also search just for a specific Group, i.e. WMS Administrators:


    You could also search just for a specific User, i.e. wyseuser: (NOTE: User account must have email associated with account in order to show up, otherwise you will get an error message while trying to import users.


    You could also search by Organizational Unit (OU), i.e. Management


  • Once you have imported what you choose, the users will show up under the Users tab in WMS under, ‘Unassigned Admins’. Note: This may take a few minutes to show up after importing from AD.

  • Select the account and select ‘Edit User’:

  • Select ‘Roles’ and assign the appropriate role for the user:

  • Once complete, the user will show up under the ‘Administrator(s)’ tab:

  • On the WMS Portal logon screen, choose ‘Sign in with your domain credentials’ to log in with your newly imported and assigned AD user.

  • Enter your AD user account and login!

Wyse Management Suite – Error pulling Windows 10 IoT Image

In some recent lab testing I ran into the following error: “CCM on-prem Server authentication token is not available in configuration file.”

I got this error when attempting to pull a Windows 10 IoT Image off a Wyse 5060 client.

The fix was to push the updated Merlin package, aka boot agent, to the device prior to capturing image.

This package is already pre-loaded in the Wyse Management Suite software and listed under “Apps & Data\App Inventory\Thin Client” – MerlinPackage_Common.exe.

You will need to create and App Policy containing this package and push to the client.

  1. To create App Policy go to, Apps & Data\App Policies\Thin Client\Add Policy
  2. Complete the policy using the details below:
  3. Once policy is created, go to, “Jobs\Schedule App Policy” and create your policy similar to below:
  4. Once the policy is pushed successfully you should now be able to pull the image!

Error details:

(Status: Failed – [ERROR: CCM on-prem Server authentication token is not available in configuration file. (error code : 107).]
[ERROR STAGE: Repository validation.]
[REASON: Configuration file is missing authentication token of on prem Server.]
[SOLUTION: Make sure config file is updated with proper CCM on prem Server authentication token.]
| (107))

Hope this helps someone else down the road!

@chris_messer ~~> Subscribe to blog to get latest updates <~~

Additional support resources as noted below:

Dell TechCenter Wyse Product Support Forums – these are a great resource for getting up and running with the solutions as well as tips and tricks for troubleshooting common issues. Once you join the Dell TechCenter community you will have a variety of resources to get started!

Dell Wyse Support Site – Wyse documentation, log support incident, etc…

Available categories with forum and topic lists:

  • Wyse general forum: for discussions that, for example, span multiple categories, involve end-to-end methods, heterogeneous environments, new use cases or topics not found under the support documentation or existing discussions.
  • Wyse thin clients: includes Cloud Connect, Linux, Windows Embedded Standard, ThinOS and zero clients for Citrix, MultiPoint Server and VMware.
  • Wyse software: includes Wyse Management Suite, Wyse Device Manager, Wyse WSM and Wyse Virtualization Software

Using HTTP for StoreFront Server

In some recent lab testing I setup Citrix StoreFront to use HTTP as I was running some quick tests and didn’t need HTTPS for my test.

Unfortunely, by default, the Citrix Receiver only allows you to connect via HTTPS. If you enter an HTTP URL, it won’t allow you to save it and instead, get the following error:

“The specified server address is not secure”

StoreFront1

Once you click, “Add”, you will get the following:

“HTTP Store requires additional configuration before being added to the Citrix Receiver. Please contact your system administrator.”

StoreFront3

The fix for this is to edit/add the following Registry keys on the client your using the Citrix Receiver to connect from:

  1. Set HKLM\Software\[Wow6432Node\]Citrix\Dazzle\AllowAddStore to A to allow users to add non-secure stores.
  2. (Optional) Set HKLM\Software\[Wow6432Node\]Citrix\Dazzle\AllowSavePwd to A to allow users to save their passwords for non-secure stores.
  3. To enable the addition of a store that is configured in StoreFront with a TransportType of HTTP, add to HKLM\Software\[Wow6432Node\]Citrix\AuthManager the value ConnectionSecurityMode (REG_SZ type) and set it to Any.
  4. Exit and restart Citrix Receiver.

Source: Configure and install Receiver for Windows using command-line parameters

You should now be able to use an HTTP URL in your Citrix Receiver to connect to StoreFront successfully!

Hope this helps someone else down the road!

@chris_messer ~~> Subscribe to blog to get latest updates <~~

Dell Wyse ThinOS – SCEP and NDES Certificate Configuration

In order to request certificates manually or automatically, for example for wireless access, you need to configure Dell Wyse ThinOS to request certificates. This process requires you have the Network Device Enrollment Service (NDES) role setup in your environment. This is what implements Simple Certificate Enrollment Protocol (SCEP), which is used to issue certificates.

The setup outlined here uses a Microsoft Windows Server 2012.

In addition to having an internal Certificate Authority setup in your Active Directory environment you will also need the Network Device Enrollment Service (NDES) role installed. This is role/service that implements the Simple Certificate Enrollment Protocol (SCEP) used to issue certificates.

If not already setup, you can setup your Certificate Authority following steps here.

If not already setup, you can install and configure the NDES server role here.

  • The Setup section here outlines exact steps to setup your NDES server to start handing out certificate.

Issue:

How do you setup Dell Wyse ThinOS to request certificates from your Network Device Enrollment Service (NDES).

Resolution:

You will first need to setup your NDES environment by following steps in requirements section. Once setup your device will be able to request certificates manually or automatically.

Details:

We will first cover the manual process to have the device request a certificate from the NDES server.


1.
On Dell Wyse ThinOS go to System Tools\Certificates and select “Request Certificate” and the following screen will appear.


2.
Fill in the fields as shown below making note of the following;


  1. Request URL: This will be the URL of your NDES server. Note, do not include the prefix, http, otherwise, you will get an error: “failed getting port number.”
  2. CA Certificate Hash Type: if using MS CA/NDES server then this should remain MD5. Even though your server may issue SHA256 hashed certs, MD5 is what is used to issue the request but cert will be signed however you have them configured, i.e. SHA1, SHA256, etc..
  3. CA Certificate Hash Value: You will need to browse to the following location on your NDES server; http://hostname/certsrv/mscep/mscep.dll. You will then click link, http://hostname/certsrv/mscep_admin to get the Hash Value and Enrollment Password. * NOTE * Be sure to include spaces in the Hash Value name as it shows on the webpage example below.

  4.  Enrollment Password: This will be the password retrieved from above.

3. Once you click “Request Certificate” the client will communicate with the server and return the following:


Note: Be sure to check off “Install CA Certificate” so this is also installed otherwise, the certificate will be installed under ‘Unknown’ on client and not be chained correctly.


4. Click “Install Certificates” and both certificates will be installed on the client.


NOTE: You can also verify it has the correct Signature Algorithim, i.e. SHA1 or SHA256 or whatever your CA is set to.

SHA1 Cert:


SHA256 Cert:


NOTE 1: Even if Signature Algorithm is set to SHA256, the Thumbprint Algorithm will be set to SHA1. This is expected as noted here.

NOTE 2: It is helpful to know what Signature Algorithm your CA uses. You can confirm this from here;

SHA1


SHA256


Note: To upgrade your CA from using SHA1 to SHA256 you can follow steps here.

5. This completes process to manually request certificates. In order to Dell Wyse ThinOS request certificates automatically you will have to do this via an INI file or Wyse Management Suite. The values you will use to do this are outlined on the 8.4 INI guide and you can get documentation here.


Dell Wyse ThinOS – “Invalid Digital Signature” Message

Issue: When attempting to downgrade ThinOS firmware from version 8.4.x to earlier versions, i.e. 8.3.x, 8.2.x, etc.. you may get the following message, “Invalid Digital Signature”.

Resolution: In order to rollback the version of firmware you need to add the following parameter to your wnos.ini configuration file or WMS/CCM configuration.

VerifySignature=no

Note: This will need to be added on a line starting with, “autoload=x”

For example: autoload=1 VerifySignature=no

See v8.4 INI guide for further details here.

More details on VerifySignature= parameter from the 8.4 release notes:

“The option VerifySignature specifies to verify the signature or not when updating the firmware and/or packages. It is introduced in 8.4 and later to make sure the security and integrity of the firmware and packages. If set VerifySignature to no, it will not check the signature so that to downgrade the firmware and/or packages which did not support signature. The default is yes.”

@chris_messier ~~> Subscribe to blog to get latest updates <~~

Windows Embedded Security – Threat Defense | Dell Data Protection

When looking at Windows Embedded devices people often ask about options to further secure them. In many cases, the devices are only used to access virtual desktops and the thought is often, since it’s essentially a kiosk, i.e. not running email locally, browser, etc.., then I have a limited attack surface. Although the Windows foot print on the client is smaller than a full Windows build there is still value in looking to further secure the endpoint regardless how it is used.

One thing I always suggest to customers is to check directly with their existing A/V vendor for what they have for support on Windows Embedded as some have specific solutions for it and some do not.

Dell has recently integrated it’s Dell Data Protection products into the Dell virtual desktops portfolio, specifically 2 solutions;

The one I am highlighting here is Dell Data Protection | Threat Defense for Windows thin clients. You can see a great demo of the solution below. When looking at further securing your Windows embedded thin clients this solution may be worth a look.