FastPass Password Manager Version 3.4 FastPass in Thin Clients environments
Document Title FastPass in Thin Clients environments Document Classification Public Document Revision B Document Status Final Document Date February 18, 2013 The specifications and information in this document are subject to change without notice. Companies, names, and data used in examples herein are fictitious unless otherwise noted. This document may not be copied or distributed by any means, in whole or in part, for any reason, without the express written permission of FastPassCorp A/S. Copyright 2004-2013 FastPassCorp A/S. All rights reserved. Lyngby Hovedgade 98, 2800 Kongens Lyngby, Denmark. http://www.fastpasscorp.com/. FastPass Password Manager is a trademark of FastPassCorp A/S. All further trademarks are the property of their respective owners. Limited Warranty No guarantee is given for the correctness of the information contained in this document. Please send any comments or corrections to documentation@fastpasscorp.com. Status: Final Page 2 of 21
Table of Contents FastPass in Thin Clients environments 1. Introduction... 5 1.1 Purpose... 5 1.2 Audience... 5 1.3 References... 5 1.4 Terms... 5 2. Technologies... 6 2.1 Virtualization platform: VMware vcloud... 6 2.2 Application management: Citrix XenApp... 7 2.3 Desktop management: Citrix XenDesktop... 8 2.4 Thin Clients... 8 2.4.1 Linux devices... 9 2.4.2 Windows Embedded devices... 10 2.4.3 ThinOS devices... 11 2.4.4 Zero Client devices... 12 3. FastPass and Thin Clients... 13 3.1 Linux devices... 14 3.1.1 Option 1: Anonymous invoked RDP client... 14 3.1.2 Option 2: Anonymous Windows/Linux desktop configured with icons to applications protected by Citrix governed domain authentication... 14 3.1.3 Option 3: Anonymous Web browser entrance page configured with application launchers protected by Citrix governed domain authentication... 14 3.1.4 Option 4: A Windows Credential Provider can be installed... 14 3.1.5 Option 5: Special credentials allowing access to locked down environment... 14 3.2 Windows Embedded devices... 15 3.2.1 Option 1: Anonymous invoked RDP client... 15 3.2.2 Option 2: Anonymous Windows/Linux desktop configured with icons to applications protected by Citrix governed domain authentication... 15 3.2.3 Option 3: Anonymous Web browser entrance page configured with application launchers protected by Citrix governed domain authentication... 15 3.2.4 Option 4: A Windows Credential Provider can be installed... 15 3.2.5 Option 5: Special credentials allowing access to locked down environment... 16 3.3 ThinOS devices... 17 3.3.1 Option 1: Anonymous invoked RDP client... 17 3.3.2 Option 2: Anonymous Windows/Linux desktop configured with icons to applications protected by Citrix governed domain authentication... 17 Status: Final Page 3 of 21
3.3.3 Option 3: Anonymous Web browser entrance page configured with application launchers protected by Citrix governed domain authentication... 18 3.3.4 Option 4: A Windows Credential Provider can be installed... 18 3.3.5 Option 5: Special credentials allowing access to locked down environment... 18 3.4 Zero Client devices... 19 3.4.1 Option 1: Anonymous invoked RDP client... 19 3.4.2 Option 2: Anonymous Windows/Linux desktop configured with icons to applications protected by Citrix governed domain authentication... 19 3.4.3 Option 3: Anonymous Web browser entrance page configured with application launchers protected by Citrix governed domain authentication... 19 3.4.4 Option 4: A Windows Credential Provider can be installed... 19 3.4.5 Option 5: Special credentials allowing access to locked down environment... 19 4. Conclusions... 21 Status: Final Page 4 of 21
1. Introduction The document has been released February 2013 and is covers FastPass Password Manager version 3.4.3. The document has been written on a technical level where a reader familiar with the basics of Citrix Xen, Dell Wyse and FastPass should understand how FastPass can be deployed to offer a Self-Service Password Reset Service. NOTICE: THIS VERSION OF THE DOCUMENT CONTAINS CUSTOMER SPECIFIC (ATOS) ICONS THAT MUST BE REMOVED BEFORE PUBLIC RELEASE OF THE DOCUMENT. 1.1 Purpose The purpose of this document is to describe how to deploy and use FastPass in a Thin Client environment. 1.2 Audience The intended audience of this document is persons responsible for architecting or deploying the FastPass Password Manager solution in a Thin Client environment. 1.3 References This document references the following documents: None. 1.4 Terms The following technical and product specific terms are used without further explanation throughout the document. Status: Final Page 5 of 21
2. Technologies This section introduces the main technologies of the Thin Client environment that could exist in Thin Client environments. In this document the focus has been put on products from Citrix and Dell Wyse, but please be aware that these products are included only for the representation of the functionality that they are offering and their technical behavior. 2.1 Virtualization platform: VMware vcloud The VMware platform has for many years been the leading platform in server virtualization and is now taking a major position in the desktop virtualization market. Other large competitors are Microsoft with their Hyper-V platform and Citrix with their XenServer platform. The platform consists of a numerous products as shown below: Status: Final Page 6 of 21
The VMware vcloud is estimated to be the product of choice for virtualization by 70-80% of large organizations but still it is very open for integrations for other vendors to integrate with, such as Citrix with their Xen products. VMware has its own desktop virtualization platform, named VMware View, and supports many standards for desktop and application streaming, such as PCoIP (PC over IP). 2.2 Application management: Citrix XenApp The Citrix XenApp is a thin client product that allows users to connect to their corporate applications. XenApp can host applications on central servers and allow users to interact with them remotely or stream and deliver those applications to user devices for local execution. The product was formerly known as Citrix WinFrame Server, Citrix MetaFrame Server and Citrix Presentation Server. Citrix has been the absolute marked leader in remote access technologies over a period of 10-15 years but is increasingly seeing competition from other vendors as the Cloud industry is growing. Illustrated the conceptual architecture of a Citrix XenApp implementation looks like shown below. Technically the XenApp application utilizes Citrix Systems proprietary presentation layer protocol or thin client protocol called Independent Computing Architecture (ICA). Unlike framebuffered protocols like VNC, ICA transmits high-level window display information, much like the X11 protocol, as opposed to purely graphical information. The Citrix Display Driver is installed in the Session Space and captures high level GDI draw commands, which can be replayed on GDI-capable clients, for example Windows-based clients. Clients are Status: Final Page 7 of 21
available for several operating systems, including Microsoft Windows (CE, 16-bit, 32-bit and 64-bit platforms), Mac OS, Linux, other Unix-like systems, and in many Thin Client devices. There is a web-based Citrix client, freely available under the name Web Interface for XenApp. The Web Interface client may be used as a secure ICA proxy over HTTPS when combined with Citrix Secure Gateway, both of which are included in the base XenApp product. XenApp also supports three UNIX variants: HP-UX, Solaris, and AIX which are included in Enterprise and Platinum editions of XenApp. 2.3 Desktop management: Citrix XenDesktop The Citrix XenDesktop is a desktop virtualization solution that transforms desktops and applications into a secure ondemand service available to any user, anywhere, on any device. With XenDesktop, individual Windows, web and SaaS applications, or full virtual desktops, can be delivered to PCs, Macs, tablets, smartphones, laptops and thin clients with a high-definition user experience. The basic idea of the product is to deliver application and/or desktops to user from single standardized images but still with full support of customization by the end-user as illustrated below. The XenDesktop solution builds on the same technology as XenApp and its openness towards virtualization platforms (XenServer, VMware vsphere and Microsoft Hyper-V) makes it a good and safe investment. Other major advantages of the products are support of high-definition user experience on LAN, built-in optimization for delivery over WAN and integration with WAN Opt technology, Enterprise-grade Virtual Desktop Infrastructure (VDI), support of multiple desktop and application delivery models to meet the needs of every user, support of user personalization (profile and application management) and support of virtually any device/end-point. 2.4 Thin Clients A thin client (sometimes also called a lean or slim client) is a computer or a computer program which depends heavily on some other computer (its server) to fulfill its traditional computational roles. This stands in contrast to the traditional fat client, a computer designed to take on these roles by itself. The exact roles assumed by the server may vary, from providing data persistence (for example, for diskless nodes) to actual information processing on the client's behalf. Status: Final Page 8 of 21
Thin clients, like traditional computers, run a full operating system for the purposes of connecting to other computers. Although the operating systems on Thin Clients are very light it is still there and shall be maintained. This is in contrast to Zero Clients. The Thin Client market is currently dominated by Dell Wyse and HP, followed by a handful of other vendors like Samsung, Fujitsu, Pano Logic, Lenovo and Oracle. Some of those have just recently entered the market but might play a big role in the future. The following sections only includes devices from Dell Wyse, as they as said to be a true leader in the market. Sub sections are split into 3, by operating system, as this is the categories that Dell Wyse delivers devices for. Other vendors deliver other flavors that might be of the same quality, worse or better. 2.4.1 Linux devices This category of devices is characterized by running any version of the Linux operating system, for instance the SUSE Linux Enterprise. Devices in this category are often very flexible and extensible. 2.4.1.1 Examples of products that specifically support Citrix are: Dell Wyse C50LE Dell Wyse T50 2.4.1.2 OS description from Dell Wyse: 2.4.1.3 Login user interface: The Dell Wyse Linux devices support local as well as LDAP authentication from the login interface but does not support extensions/plugins. Note: The newer Dell Wyse devices might have some undocumented special login features that can be utilized. Examinations are in progress. Status: Final Page 9 of 21
2.4.2 Windows Embedded devices This category of devices is characterized by running any version of the Windows Embedded Standard (WES) operating system, for instance the Windows Embedded Standard 7 (WES7) and the Windows Embedded Standard 2009 (WES2009) both successors of the older Windows XP Embedded operating system. 2.4.2.1 Examples of products that specifically support Citrix are: Dell Wyse C90D7 Dell Wyse C90LE7 2.4.2.2 OS description from Dell Wyse: 2.4.2.3 Login user interface: The Dell Wyse Windows Embedded devices give the users a feeling of being working on a PC directly from the login prompt. If a device is joined directly to the domain infrastructure a user can login using their domain username and password or if not, automatic login using a local user can be configured so that the user will get in to a limited environment allowing only access to predefined applications. The Microsoft Windows Embedded Standard (WES) operating system supports the Credential Provider architecture also known from the Microsoft Windows 7/8/2008/2012 operating systems. This means that software vendors can develop customized Credential Providers to be deployed on WES devices. Status: Final Page 10 of 21
2.4.3 ThinOS devices This category of devices is characterized by running the Dell Wyse ThinOS operating system, which is developed with focus on performance, management easiness, security and user experience. 2.4.3.1 Examples of products that specifically support Citrix are: Dell Wyse C10LE Dell Wyse V10LE Dell Wyse T10 2.4.3.2 OS description from Dell Wyse: 2.4.3.3 Login user interface: The Dell Wyse ThinOS devices support does not support extensions/plugins related to the login interface. Note: The newer Dell Wyse devices might have some undocumented special login features that can be utilized. Examinations are in progress. Status: Final Page 11 of 21
2.4.4 Zero Client devices This category of devices is the newest and lightest types of devices and devices are characterized by not running a full real operating system but rather just a small engine embedded into a chip and just as important by not having flash memory to store persistent data, meaning that these devices complies to the strongest security measurements. 2.4.4.1 Examples of products that specifically support Citrix are: Dell Wyse Xenith Pro Dell Wyse Xenith 2 2.4.4.2 Description from Dell Wyse: 2.4.4.3 Login user interface: As mentioned above the Dell Wyse Zero Client devices do not contain an operating system and besides the login interface and a few connection related dialogs, there isn t any user interfaces built into the devices. This means that the Zero Client doesn t offer any kind of anonymous kiosk logins and the user must complete a full login to get access to the services of the Citrix solution, whether this is XenApp or XenDesktop that is being used. Note: The newer Dell Wyse devices might have some undocumented special login features that can be utilized. Examinations are in progress. Status: Final Page 12 of 21
3. FastPass and Thin Clients This chapter describes how FastPass Password Manager can be integrated in Thin Clients environments. Basically FastPass can be used directly if just one of the following interfaces is made available to the end user: 1. Anonymous RDP connection (launched without pre-authentication) If device always connects to the same computer then this computer can have FastPass Windows Client installed, so that this is accessible in the Windows login prompt. 2. Anonymous Windows/Linux desktop (launched without pre-authentication) configured with icons to applications protected by Citrix governed domain authentication. If the device is configured for automatic login of a local user a shortcut for a browser can be registered on the desktop with an URL reference to the FastPass Self-Service Client. 3. Anonymous Web browser entrance page (launched without pre-authentication) configured with application links protected by Citrix governed domain authentication. If the device is configured for automatic login of a local user and the native desktop for this user is replaced with a web browser then this can display links to the Citrix environment as well as to the FastPass Self-Service portal. 4. A Windows Credential Provider can be installed. If the device is running the Windows Embedded Standard operating system a customized Credential Provider can be installed directly in the operating system so that it is visible in the login interface exactly as on standard Windows PCs. 5. Special credentials allowing access to locked down environment. If a customizable image or text can be shown in the login interface it can instruct the user what to if failing to authenticate. A possible text to display could be something like Forgotten your password? Login as selfservice / password to regain access like shown in the sample image below. A special Citrix XenApp or XenDesktop profile could then be configured for this user, so that he would be allowed to open a locked down virtual desktop in which there only should be granted access to the FastPass Self-Service Client. The table below shows which of the above usage options that can be supported by the different Thin Client devices types. Option 1 Option 2 Option 3 Option 4 Option 5 Linux X Windows Embedded Standard Thin OS X X X Zero Client X X X Table: supported usage options Status: Final Page 13 of 21
In the following sub sections the various usage options will be described for the different Thin Client device types. 3.1 Linux devices This sub section describes how FastPass can be made accessible to Linux devices accessing Citrix XenApp and Citrix XenDesktop. 3.1.1 Option 1: Anonymous invoked RDP client This can be supported by configuration of Wyse device setting. Works on most Dell Wyse device. Only usable if a device is reserved for an individual user General lower performance than native Citrix connections. 3.1.2 Option 2: Anonymous Windows/Linux desktop configured with icons to applications protected by Citrix governed domain authentication This can be supported by configuration of Wyse device setting and this is used by existing FastPass customers. Works on most Dell Wyse Thin Client devices. Opens the first door to the IT infrastructure by offering visibility to which services are available. 3.1.3 Option 3: Anonymous Web browser entrance page configured with application launchers protected by Citrix governed domain authentication This can be supported by configuration of Wyse device setting and this is used by existing FastPass customers. Works on most Dell Wyse Thin Client devices. Opens the first door to the IT infrastructure by offering visibility to which services are available. 3.1.4 Option 4: A Windows Credential Provider can be installed This can t be supported. 3.1.5 Option 5: Special credentials allowing access to locked down environment This can be supported by configuration of Wyse device setting and this is used by existing FastPass customers. Works on most Dell Wyse device. Status: Final Page 14 of 21
Requires the user to read the instruction and enter the shown credentials. 3.2 Windows Embedded devices This sub section describes how FastPass can be made accessible to Windows Embedded devices accessing Citrix XenApp and Citrix XenDesktop. 3.2.1 Option 1: Anonymous invoked RDP client This can be supported by configuration of Wyse device setting. Works on most Dell Wyse device. Only usable if a device is reserved for an individual user 3.2.2 Option 2: Anonymous Windows/Linux desktop configured with icons to applications protected by Citrix governed domain authentication This can be supported by configuration of Wyse device setting and this is used by existing FastPass customers. Works on most Dell Wyse Thin Client devices. Opens the first door to the IT infrastructure by offering visibility to which services are available. 3.2.3 Option 3: Anonymous Web browser entrance page configured with application launchers protected by Citrix governed domain authentication This can be supported by configuration of Wyse device setting and this is used by existing FastPass customers. Works on most Dell Wyse Thin Client devices. Opens the first door to the IT infrastructure by offering visibility to which services are available. 3.2.4 Option 4: A Windows Credential Provider can be installed This can be supported. As mentioned in section 2.4.2.3, the Microsoft Windows Embedded Standard (WES) operating system supports the Credential Provider architecture also known on in the PC operating systems. The FastPass Password Manager solution already have a Credential Provider for the PC platform and this will from Marts 1, 2013 also support the Windows Embedded Standard 7 platform. Status: Final Page 15 of 21
The visual appearance of the FastPass Windows Client for WES will in its first release be as on Windows PCs (below detailed in bullet 1) but the logical flow will in a following release be extended so that it will be configurable to be one of the following: Start a locked down login session locally on the device, only allowing access to the FastPass Self-Service Portal (as it is done on the PCs). Automatically login a system user for which a special Password Reset virtual desktop image shall be prepared in the virtual infrastructure. The connection can be based either on a XenApp full screen RDP connection or a XenDesktop connection, where the latter will be more resource consuming but also offer a better isolation seen from a security perspective. Both configurations will allow a user experience exactly as on standard Windows PCs. Same user experience as on standard PC s. Requires installation of software on the device. This is a photo of the FastPass Windows Client installed on and activated in the login interface of a Wyse Windows Embedded Standard device. 3.2.5 Option 5: Special credentials allowing access to locked down environment This can be supported by replace of a bitmap (image) file.. No software installation. Requires the user to read the instruction and enter the shown credentials. Status: Final Page 16 of 21
This is a photo of a sample implementation of a customized image in the login interface of a Wyse Windows Embedded Standard device. 3.3 ThinOS devices This sub section describes how FastPass can be made accessible to ThinOS devices accessing Citrix XenApp and Citrix XenDesktop. 3.3.1 Option 1: Anonymous invoked RDP client This can be supported by configuration of Wyse device setting. Works on most Dell Wyse device. Only usable if a device is reserved for an individual user General lower performance than native Citrix connections. 3.3.2 Option 2: Anonymous Windows/Linux desktop configured with icons to applications protected by Citrix governed domain authentication This can only be supported by first provide anonymous access to a virtual desktop and from there provide access to the real desktop protected by domain authentication. This scenario is not likely to be implemented and therefore it is considered as impossible. Status: Final Page 17 of 21
3.3.3 Option 3: Anonymous Web browser entrance page configured with application launchers protected by Citrix governed domain authentication This can only be supported by first provide anonymous access to a virtual desktop and from there provide access to a web browser and other applications protected by domain authentication. This scenario is not likely to be implemented and therefore it is considered as impossible. 3.3.4 Option 4: A Windows Credential Provider can be installed This can t be supported. 3.3.5 Option 5: Special credentials allowing access to locked down environment This can be supported by configuration of Wyse device setting and this is used by existing FastPass customers. Works on most Dell Wyse device. ThinOS devices support customization of the whole background and the image in the login dialog separately. This allows for a long description and inclusion of images. Requires the user to read the instruction and enter the shown credentials. This is a photo of a sample implementation of a customized background image and customized image the login interface of a Wyse ThisOS device. Status: Final Page 18 of 21
3.4 Zero Client devices This sub section describes how FastPass can be made accessible to Zero Client devices accessing Citrix XenApp and Citrix XenDesktop. 3.4.1 Option 1: Anonymous invoked RDP client This can be supported by configuration of Wyse device setting. Works on most Dell Wyse device. Only usable if a device is reserved for an individual user General lower performance than native Citrix connections. 3.4.2 Option 2: Anonymous Windows/Linux desktop configured with icons to applications protected by Citrix governed domain authentication This can only be supported by first provide anonymous access to a virtual desktop and from there provide access to the real desktop protected by domain authentication. This scenario is not likely to be implemented and therefore it is considered as impossible. 3.4.3 Option 3: Anonymous Web browser entrance page configured with application launchers protected by Citrix governed domain authentication This can only be supported by first provide anonymous access to a virtual desktop and from there provide access to a web browser and other applications protected by domain authentication. This scenario is not likely to be implemented and therefore it is considered as impossible. 3.4.4 Option 4: A Windows Credential Provider can be installed This can t be supported. 3.4.5 Option 5: Special credentials allowing access to locked down environment This can be supported by configuration of Wyse device setting and this is used by existing FastPass customers. Works on most Dell Wyse device. Zero Client devices support customization of the whole background, so anything but the login dialog in the center of the screen. This allows for a long description and inclusion of images. Requires the user to read instructions and then enter the shown credentials. Status: Final Page 19 of 21
This is a photo of a sample implementation of a customized background image in the login interface of a Wyse Zero Client device. Status: Final Page 20 of 21
4. Conclusions This chapter concludes how FastPass Password Manager can be integrated in a Thin Client environments and how the whole solution will be beneficial for Thin Clients users. The table below is the same as shown in the last chapter, and shows which of the described usage options that can be supported by the different Thin Client devices types. Option 1 Option 2 Option 3 Option 4 Option 5 Linux X Windows Embedded Standard Thin OS X X X Zero Client X X X Table: supported usage options In the Options listed above, the following Password Reset implementation options (see Chapter 3) are possible. Option 1 Option 2 Option 3 Option 4 Option 5 Anonymous invoked RDP client Anonymous Windows/Linux desktop configured with icons to applications protected by Citrix governed domain authentication Anonymous Web browser entrance page configured with application launchers protected by Citrix governed domain authentication A Windows Credential Provider can be installed Special credentials allowing access to locked down environment FastPass will as shown in the above table and as described in chapter 3 deliver the best support for Windows Embedded Standard devices as there will be no difference in working on terminal devices and on PCs. FastPass will as of Marts 1, 2013 support the Windows Embedded Standard 7 platform with the same functionality as on the PC with a few limitations related to the Enforced Enrollment feature that will have to be implemented on the virtual desktop. The customized image solution is also seen as useful, and as this doesn t have any dependencies and utilizes the standard FastPass product as it should be considered as a good choice if multiple types of devices exists within the same organization. It shall also be noted that the text could be anything, so also an instruction for the user to use the iphone App that will be available in the spring (2013). Status: Final Page 21 of 21