Dell Wyse ThinOS 9.1 & Windows Virtual Desktop (WVD) Support

The Dell Wyse team has recently launched support for Windows Virtual Desktop(WVD) on Dell Wyse ThinOS 9.1. This is big news as it allows us to use a non-Windows thin client endpoint to connect to your WVD environment! Microsoft posted a quick announcement about this as well here.

I’ve covered some details about the configuration below and you can access the official documentation here;

  1. ThinOS 9.1 & WVD product summary noted here
  2. ThinOS 9.1 administrators guide here, release notes here, & 8.6 to 9.1 migration guide here
  3. Note – If you are still on ThinOS 8.6 you can learn how to upgrade to 9.x here

The configuration for ThinOS & WVD is pretty straightforward with the only configuration needed is a Wyse Management Suite (WMS) policy to specify Windows Virtual Desktop under the broker setting which is shown below.

Note – by default, the WVD client package is pre-installed on 9.1 but incase it’s not or you’re looking for latest you can get from support.dell.com under drivers for your model, for example 5070, search for ‘wvd’.

    1. In WMS, edit your ThinOS 9 policy and browse to ‘Advanced –> Broker Settings –> Windows Virtual Desktop Settings’ as shown below
    2. Under the following section you just need to choose the appropriate WVD deployment model you are using. You will chose either the latest WVD ARM (Azure Resource Manager) based deployment model or the ‘classic’ WVD non ARM based deployment. In my testing, I am using the Azure portal ARM based deployment so I selected the (ARMv2) option. When you are done, click ‘Save & Publish’.
    3. Once the updated WMS policy is received by your device, you should see your new WVD setting reflected on your device as shown below
    4.  Once the devices reboots, you should be prompted with the Microsoft Azure AD login screen as shown below 5. At this point you are ready to login into WVD and access your VMs! wmswvd1_46. In this case I have access to a Windows 10 VM!

Hope you found this helpful!

Additional Resources:

  • If you are new to ThinOS 9.1, here is a quick video overview of some of it’s features.
  • Looking for more details on ThinOS 9.1? Check out the release notes here
  • ThinOS 9.1 release notes discussing WVD setup here & 8.6 vs 9.1 feature comparison here
  • Excellent Dell Wyse community located here
  • Dell Community forums for ThinOS here

@chris_messier ~~> Subscribe to blog to get latest updates <~~

Dell Wyse ThinOS 9 & Netscaler/ADC

I’ve run into a few issues lately where customers are currently using ThinOS 8.x successfully with Citrix Netscaler/ADC but having issues connecting with Dell Wyse ThinOS 9.x.

In more than one case, it’s been an issue with the existing Netscaler Session Policy that was setup specifically for Wyse devices and contains information from the ThinOS 8.x User-Agent HTTTP/S request header that may no longer apply to ThinOS 9.

The ThinOS 8.x User-Agent request header is: CitrixReciever WTOS/1.0

The ThinOS 9.x User-Agent request header is: “CitrixReceiver”/18.12.0.65534 (X11; Linux x86_64) Warthog/9.0.8024 (Release) X1Class CWACapable

(18.12.x & 9.0.x values will vary based on versions)

The issue I’ve seen is many customers using ThinOS 8.x have a Netscaler Session Policies setup to look for a User-Agent to include “WTOS” or “WTOS/1.0” and that does NOT exist in the 9.x User-Agent header so the existing Session Policy will be ignored and not applied.

Network trace from ThinOS 8.6_511:

Network trace from ThinOS 9.0_4024:

 

To fix this, you have 2 options.

Option #1: Create a new session policy on Netscaler/ADC to contain something from the ThinOS 9.x header, for example, ‘Warthog’ (name for ThinOS 9) so it uses the policy.

Option #2: Wyse Management Suite has the ability to specify the User-Agent header under the WMS Citrix Broker/Netscaler section.  

  • Under ‘Citrix Broker’ settings from ThinOS 8.x policy

  • Under ‘Broker Settings’ settings from ThinOS 9.x policy

Finally, we also saw an issue where we get the following error; INFO: “Waiting for token to change, then enter the new tokencode”

The existing Netscaler/ADC policy was set to have an RSA policy first BUT since that policy was setup using the 8.6, “WTOS”, header, it was going to the second policy and only allowing LDAP, but threw this error. Once we fixed the policy as noted above with proper header, we were able to use or RSA policy as primary, and the LDAP as secondary.

You can configure this behavior under the “Citrix Netscaler/ADC” settings section in the ThinOS 9 policy.  

Hope you found this helpful!

@chris_messier ~~> Subscribe to blog to get latest updates <~~

SSL Certificates & Wyse Management Suite

In a previous post, here, I covered how to resolve the SSL error message, “SSL Certificate Authority is Unknown” when using ThinOS.

In this post I will cover how to upload SSL certificates into Wyse Management Suite (WMS) and how to assign them to a specific group configuration/profile for ThinOS 8.x and 9.x.

The process is slightly different for ThinOS 8.x & ThinOS 9.x but I will cover both below. 

How to upload SSL certificates for use by ThinOS 8.x:

1. In WMS, browse to “Apps & Data”:

2. Scroll down to “File Repository”:

3. Click “Add File” to upload Certificate:

4. Browse out to the Certificates you exported. You will need to do for each Certificate you exported.

 

5. Once you click upload it should show up under the ‘Apps & Data – Inventory File Repository”:

 

How to upload SSL certificates for use by ThinOS 9.x:

    1. In your ThinOS 9 policy, browse to “Privacy & Security\Certificates”. Here you can turn on “Auto Install Certificates” and browse to the certificates you want to upload as shown below:

 

How to assign SSL Certificates to WMS configuration group/policy: 

Once your certificates are imported into WMS, you then need to assign them to your ThinOS profile you are using under, “Groups & Configs” select the group you want to edit following steps below;

  • ThinOS 8.x: in the policy, browse to “Device Configuration\Security\General Settings”. Select “Auto-install Certificates” and your Certificate should show up in the list to select. Once you are done, click “Save & Publish”. The next time the device reboots, it will pick up the new Certificate.

  • ThinOS 9.x: in your policy, browse to “Privacy & Security\Certificates”. Here you can turn on “Auto Install Certificates” and browse to the certificates you want to upload as shown below:

This completes the process of uploading your SSL certificates to WMS and assigning them to a ThinOS policy.

For more assistance, check out Dell Community Forums (formally Dell TechCenter):

@chris_messier ~~> Subscribe to blog to get latest updates <~~

 

Dell Wyse ThinOS – “SSL Certificate Authority is Unknown”

“SSL Certificate Authority is Unknown”

A common issue connecting to a VDI connection broker, i.e Citrix, VMware, etc.., from Dell Wyse ThinOS or any thin client, is an SSL certificate error. There are generally 2 reasons why.

  • the Root Certificate Authority certificate is not installed on the device
  • the Intermediate Certificate Authority certificate is also not installed on the device

Error: SSL Certificate Authority is Unknown

This is easily fixed by installing both the missing Root and likely the Intermediate certificate.

To do this, you can simply export from a browser, and then import on the device, generally through Wyse Management Suite (WMS) or even a USB key if you had to.

I will cover the 3 step process to fix this.

  1. Export the required certificates from a browser
  2. Upload into Wyse Management Suite
  3. Assign the certificates to the device profile

Steps to export certificate from browser:

  1. In this example, I used https://portal.vmware.com as an example to work with certificates but this would be your VMware Horizon server, Citrix Storefront site, Citrix Netscaler/ADC, Microsoft Azure MFA site, etc…
  2. Click on the SSL padlock on your browser as shown below to bring up below window. Click on ‘Certificate (Valid)’ field.

3. This will bring up the certificate information:

4. Click on “Certification Path” tab bring up the following:

5. Select the top level certificate, in this case, “Sectigo (formally Comodo CA)”

6. This will bring up the Root certificate as shown below, “Comodo RSA Certification Authority”. This is the first certificate we want to export.

7. Click on the “Details” tab and select, “Copy to File”:

8. Take defaults and follow the wizard to export the certificate:

9. Once you export the top level Root Certificate, follow the same steps to export the Intermediate certificate. This Intermediate is chained, or trusted, by this top level Root Certificate so we need both certificates in this chain.

10. In the browser, select the Intermediate Certificate, “COMODO RSA Domain Validation Secure Server CA” and select “View Certificate”:

11. Select “Details” and “Copy to File” to export the certificate:

12. Follow wizard again to export the Intermediate Certificate:

13. You now have successfully exported both the top level Root Certificate, “Comodo RSA Certification Authority”, and the Intermediate Certificate, “COMODO RSA Domain Validation Secure Server CA”.

Once exported you need to upload them into your WMS server. It’s a simple process and the steps to upload the certifications are outlined here. Once complete, resume to step 15 below to assign the certificate(s) to your group configuration/profile.

15. Once certificates are imported into WMS, you then need to assign them to your ThinOS profile you are using under, “Groups & Configs” select the group you want to edit following steps below;

  • ThinOS 8.x: in the policy, browse to “Device Configuration\Security\General Settings”. Select “Auto-install Certificates” and your Certificate should show up in the list to select. Once you are done, click “Save & Publish”. The next time the device reboots, it will pick up the new Certificate.

  • ThinOS 9.x: in your policy, browse to “Privacy & Security\Certificates”. Here you can turn on “Auto Install Certificates” and browse to the certificates you want to upload as shown below:

 

This completes the process of exporting the SSL certs, uploading to WMS, and assigning them to your profile. This should resolve the issue of “SSL Certificate Authority is Unknown”.

For more assistance, check out Dell Community Forums (formally Dell TechCenter):

@chris_messier ~~> Subscribe to blog to get latest updates <~~

How To: Wyse Management Suite and Active Directory Integration

One of the great features of Wyse Management Suite (WMS) Pro is the ability to integrate it with Active Directory so you can log into WMS using your existing Active Directory accounts.

The process is pretty straightforward as outlined in admin guides but recently working on this with a customer I wanted to document the process with some additional details that helped.

  • Go to ‘Portal Administration’, ‘Active Directory (AD)’
  • Enter your Active Directory information as outlined below:
    • Name: FQDN of domain controller
    • Domain: domain name
    • Server URL: ldap://ip_fqdn of domain controller
    • Port: 389


  • Once you click ‘Save’ and it’s successful, you will see the following screen:

  • Click on the ‘icon’ to add by either Groups, Users, and also search by OU to enumerate from AD.


  • You will then see your existing Groups appear below:


    You could also search just for a specific Group, i.e. WMS Administrators:


    You could also search just for a specific User, i.e. wyseuser: (NOTE: User account must have email associated with account in order to show up, otherwise you will get an error message while trying to import users.


    You could also search by Organizational Unit (OU), i.e. Management


  • Once you have imported what you choose, the users will show up under the Users tab in WMS under, ‘Unassigned Admins’. Note: This may take a few minutes to show up after importing from AD.

  • Select the account and select ‘Edit User’:

  • Select ‘Roles’ and assign the appropriate role for the user:

  • Once complete, the user will show up under the ‘Administrator(s)’ tab:

  • On the WMS Portal logon screen, choose ‘Sign in with your domain credentials’ to log in with your newly imported and assigned AD user.

  • Enter your AD user account and login!

Just Released! What’s new with Wyse Management Suite 1.3?

Dell Releases Wyse Management Suite 1.3

The Dell Wyse team has recently released Wyse Management Suite (WMS) 1.3 and also updated the cloud hosted version at www.wysemanagementsuite.com!

You can see a quick summary of the new features below.

You can download this new WMS 1.3 and documentation from here.

New features

Wyse Management Suite – Error pulling Windows 10 IoT Image

In some recent lab testing I ran into the following error: “CCM on-prem Server authentication token is not available in configuration file.”

I got this error when attempting to pull a Windows 10 IoT Image off a Wyse 5060 client.

The fix was to push the updated Merlin package, aka boot agent, to the device prior to capturing image.

This package is already pre-loaded in the Wyse Management Suite software and listed under “Apps & Data\App Inventory\Thin Client” – MerlinPackage_Common.exe.

You will need to create and App Policy containing this package and push to the client.

  1. To create App Policy go to, Apps & Data\App Policies\Thin Client\Add Policy
  2. Complete the policy using the details below:
  3. Once policy is created, go to, “Jobs\Schedule App Policy” and create your policy similar to below:
  4. Once the policy is pushed successfully you should now be able to pull the image!

Error details:

(Status: Failed – [ERROR: CCM on-prem Server authentication token is not available in configuration file. (error code : 107).]
[ERROR STAGE: Repository validation.]
[REASON: Configuration file is missing authentication token of on prem Server.]
[SOLUTION: Make sure config file is updated with proper CCM on prem Server authentication token.]
| (107))

Hope this helps someone else down the road!

@chris_messer ~~> Subscribe to blog to get latest updates <~~

Additional support resources as noted below:

Dell TechCenter Wyse Product Support Forums – these are a great resource for getting up and running with the solutions as well as tips and tricks for troubleshooting common issues. Once you join the Dell TechCenter community you will have a variety of resources to get started!

Dell Wyse Support Site – Wyse documentation, log support incident, etc…

Available categories with forum and topic lists:

  • Wyse general forum: for discussions that, for example, span multiple categories, involve end-to-end methods, heterogeneous environments, new use cases or topics not found under the support documentation or existing discussions.
  • Wyse thin clients: includes Cloud Connect, Linux, Windows Embedded Standard, ThinOS and zero clients for Citrix, MultiPoint Server and VMware.
  • Wyse software: includes Wyse Management Suite, Wyse Device Manager, Wyse WSM and Wyse Virtualization Software

Wyse Management Suite (WMS) DNS Discovery

Once you have Wyse Management Suite (WMS) installed the next step is to automatically have your devices ‘find’ and check-in into your WMS server. This is accomplished by setting up a few DNS records that include the key WMS server information. I’ve outlined the DNS records that need to be setup and steps to setup on Microsoft Server 2012.

  • Service Location (SRV) Record
    • _WMS_MGMT
    • _WMS_MQTT
  • Text (TXT) Record
    • _WMS_GROUPTOKEN
    • _WMS_CAValidation

Steps to setup Service Location (SRV) Record on Microsoft Server 2012

  1. On your DNS server navigate to the domain you want, then right click on “_tcp”, and select “Other New Records”.

  2. To setup the 2 SRV records, select “Service Location (SRV) from the options.

  3. Setup your record for, “_WMS_MGMT”. This is the FQDN of your WMS server. Use the following options below:
    1. Domain: Your domain name
    2. Service: _WMS_MGMT
    3. Protocol: _tcp
    4. Priority: 0
    5. Weight: 100
    6. Port Number: 443
    7. Host offering this service: your_wms_server, i.e. wms1.dellse.local

  4. Setup your record for, “_WMS_MQTT”. This is a service port WMS uses. This is the FQDN of your WMS server. Use the following options below:
    1. Domain: Your domain name
    2. Service: _WMS_MQTT
    3. Protocol: _tcp
    4. Priority: 0
    5. Weight: 100
    6. Port Number: 1883
    7. Host offering this service: your_wms_server, i.e. wms1.dellse.local

  5. To setup the next 2 records, navigate to the domain you want, select that node, then right click and select “Other New Records”. *Note* do not select a sub node such as _tcp for these records.

  6. Select the “Text (TXT)” Record type:

  7. Setup your record for, “_WMS_GROUPTOKEN”. This is the specific Group Token/Profile that you setup and want to use. Use the following options below:
    1. Record Name: _WMS_GROUPTOKEN
    2. Fully qualified domain name (FQDN): _WMS_GROUPTOKEN.your_domain
    3. Text: defa-labdemo1
      1. This “Text:” field is the key that you want to use. You will get this from your WMS console where you setup your group profile under the key icon.

  8. Setup your record for, “_WMS_CAValidation”. If you are not using an SSL cert (default), then this value needs to be set to ‘False’. If you are using a cert, then this would be set to “True”. Use the following options below:
    1. Record Name: _WMS_CAValidation
    2. Fully qualified domain name (FQDN): _WMS_CAValidation.your_domain
    3. Text: False (or True, if using a cert)

9. Once you have these 4 options setup, you should see the following in DNS;

The following records should be listed under your_domain:

The other 2 records should be listed under, your_domain\_tcp

10. This completes the setup. Once your device boots up and does it’s DNS lookup it will populate the proper fields on the device, in this example, Wyse ThinOS: