Deploying and Managing Thin Clients A white paper by Wyse Technology Inc.
Abstract In this article, we will consider some of the requirements for a large-scale thin client deployment. We will cover the following topics: Enterprise Security User Experience and Mobility Network Scalability and Interoperability Asset Management and Health Monitoring We will also review the key features of Wyse Device Manager (WDM), for addressing these requirements. 1
Table of Contents INTRODUCTION............................................3 CONSIDERATIONS FOR LARGE-SCALE DEPLOYMENTS...................4 THIN CLIENT MANAGEMENT WITH WYSE DEVICE MANAGER 4.7............9 CONCLUSION............................................13 APPENDIX A ABOUT WYSE TECHNOLOGY INC.......................14 2
INTRODUCTION By some estimation, each day 10-million enterprise users access their corporate network and applications through thin clients. Thin clients run simplified versions of Operating Systems (ex: Windows XP Embedded, Linux, Windows CE, or vendor-specific OS like Wyse Thin OS) and a limited set of applications. The combined solution provides just enough hardware and software resources to connect to remote back-end infrastructures such as Citrix Application Delivery, Microsoft Terminal Services or Hyper-V, and VMware Virtual Desktop Infrastructure (VDI). All corporate applications and resources reside within these back-end environments. What is a thin client? It is a client computer in clientserver architecture networks, which depends primarily on the central server for processing activities, and mainly focuses on conveying input and output between the user and the remote server. Their reduced complexity makes thin clients the ideal front-end computing platform for VDI and other client virtualization environments. Organizations of all size are able to realize the following benefits: Lower TCO Lower energy consumption Reliability of mission-critical operations Increased data security While traditional PCs work well with virtual desktops, they are too power hungry, have redundant resources and management needs, therefore cost more. Besides, they offer little compelling functionality in exchange for the added complexity they bring. 3
Figure 1: Thin clients are ideal for VmWare VDI Architecture (picture from wmware.com) Thin clients, on the other hand, are cost-effective, and have just enough resources. But they also allow IT challenges to be aggregated to corporate datacenters where dedicated staff can provide much faster, higher quality of service and realize economies of scale in terms of energy savings, storage optimization, and server virtualization. CONSIDERATIONS FOR LARGE-SCALE DEPLOYMENTS There have been numerous studies about the cost advantage and other benefits of thin clients. In this article, we want to discuss some important, but often understated, remote management aspects for deploying thin clients. To illustrate how critical remote management can be, consider the following question: What do you do when a reservation agent in Honolulu airport notifies your IT department in Chicago that his computer screen is black? The implied requirement is the ability to automatically manage and to seamlessly interact with thin clients, regardless of their geographical location. The speed of remedial actions will have a big impact on the end-user experience, employee productivity, and reliability of mission-critical operations. 4
The example above highlights only one of several issues, which you need to foresee for a large-scale deployment. In a broad sense, the challenges can be grouped into the following categories: Enterprise Security User Experience and Mobility Network Scalability and Interoperability Asset Management and Health Monitoring Enterprise Security Often thin clients exist in networks that carry sensitive business information, such as in a branch office of a bank, connected to a server in the headquarters through a remote connection protocol. In an environment like this, it is imperative that thin clients operate according to well-defined policies and all customizations or local applications be installed through the central IT department to minimize voluntary or involuntary security breaches. Most importantly, all communications between thin clients and backend servers must be fully encrypted. While thin clients offer significant security benefits over traditional PCs, highest levels of security require that there is no clear text data flowing through the corporate network. Otherwise, attacks like man-in-the-middle where a malicious 3rd party intercepting a software download and interjecting a Trojan horse is possible Note that financial companies are not the only organizations grappling with these risks. Take a Health-Care institution that has to secure patient information, or a retail business that has to process VISA transactions. Most organizations must secure their network with industry-standard encrypted HTTPS protocol. In short, without full encryption, any large-scale deployment across multiple geographies, particularly with any network topology that has to traverse the Public IP Network represents a potential risk to the organization. User Experience and Mobility One size does not fit all, and neither does one network! Traditionally thin clients were confined to ticket counters in Airports or tellers in bank branches. The industry term for these use-cases is task-based computing. However, with the rapid proliferation of 5
Client Virtualization technology, more and more mainstream users, often referred to as knowledge workers are adopting thin clients. The mainstream users bring along a new set of experience requirements that must be addressed. They want to be able to roam across public IP networks and they demand to have a personalized computing experience. As a trend, more and more organizations are embracing the next generation of Virtualization based thin computing, for the following reasons: Ability to roam in a campus Ability to work from SOHO Ability to travel while working with highly-sensitive information (ex: Airport, Automobile) In many instances, these devices will be located across the public IP network, behind residential gateways or other network elements. Without the right network architecture planning and necessary remote access capabilities, securing and managing these devices will be difficult. The remote management solution has to work across multiple IP networks, architected to provide the right balance of security and accessibility. Furthermore, it should provide a wealth of policy creation and enforcement features to allow for various device configurations and user customizations. When a user travels to Hong Kong from London with his/her portable thin client, the geography and time zone based management policies should gracefully adapt to user mobility. Reaching out to mainstream users also requires a special attention to their unique experience needs. A strong pushback from the end-users may create resistance in your organization and put deployment plans in jeopardy. While there have been advances in desktop virtualization technologies, there are still a number of technical issues that can only be dealt at the thin client side. "Which local printer do you connect to? What USB mouse did you plugin? What was the monitor resolution size you chose? Can your PDA synchup with your outlook calendar / contact information running on the backend server? How do you remember the SSID/Password for the Wi-Fi net work?" In addition, users may want to install applications, particularly on Windows XP Embedded and Linux based thin clients. What should be the policy towards these local 6
customization attempts and how do you enforce these policies? Network Scalability and Interoperability Compared to PCs, thin clients have significantly extended life cycle. According to customers, an average thin client is fully operational for 7 years, whereas a PC would have to be replaced every 3 years. The net result is additional cost-savings. But on the flipside, the thin client base operating system and local applications may have to upgraded on an ongoing basis to ensure seamless functionality over a longer period of time. Many thin clients, particularly Windows XP Embedded based devices, require up 250 Mbytes or more memory for the operating system and applications. Imagine you have found a critical security hole in your thin client operating system and all devices must be updated immediately. What is your strategy for upgrading 10,000 thin clients around the world with the latest OS and Applications, with download sizes exceeding 250 Mbytes? The network scalability plan should include remote software repositories so that updates can be propagated to geographically disperse locations in the most efficient and automated manner. In addition, the remote management capabilities should include features for managing remote thin client policies. Remote repositories can be great assets to optimize your network traffic. However, they may not be suitable for every location. A Point-of-Sales terminal in a small store in a shopping mall will be better served with a direct connection to a regional software repository. In cases like that, it is important that the management software provide adequate bandwidth-throttling to handle network limitations. With proper planning and adequate policy enforcements previously mentioned, thin clients should operate flawlessly. However, plans are never perfect and unforeseen problems do arise. As an example, thin clients store their software on Flash Memory. In a few instances, like power interruptions during software upgrades, images may become corrupted, rendering thin clients nonoperational, also known as bricked device. The remedial action is to reimage or de-brick the device across the network. A common practice is to use Pre-Boot Execution (PXE) capabilities, provided by device BIOS, to initiate a software upgrade (a.k.a imaging ) over the network. Ease of de-bricking a remote device, or lack thereof, will impact your Total Cost of Ownership Unfortunately, PXE boot requires specially configured DHCP servers and does not work well across WANs and not at all across the public IP networks. When a thin client OS is 7
corrupted and the required action is to de-brick the device, there should be a non- PXE solution, that is, a solution that doesn t require PXE setups on the network. Asset Management and Health Monitoring We have covered many useful features for fixing thin clients when they break. But the best strategy to maximize your Return-On-Investment is to prevent these problems before they occur. Policy management is an important methodology to ensure the healthy operations of thin clients. By creating various user and device policies, you can ensure the proper usage of the company assets, therefore eliminate most, if not all, problems that stem from improper customizations, incompatible peripherals, undesired local applications, and so on. While a simplistic approach of locking-down the device or one-profile for everyone may be okay for some organizations, there are many instances where this generic approach is not adequate. The device policy and security management should give System Administrators the flexibility to customize these policies based on various factors like user-profile, location, time-zone, job-function, and so on. It may be midnight in San Francisco, but that doesn't mean that traders in an investment bank should see their devices reboot and update their software at 9:00 A.M. in Frankfurt. Another important consideration is extensive asset reporting and tracking. Through tracking and reporting, IT staff can ensure that that right users have the right environment to maximize their productivity. A trading-desk agent might have a dual-screen with a Bloomberg key board, whereas a senior executive may like to have a rather minimalistic device on his desk. IT teams can proactively resolve issues if the system provides real-time asset management and reporting. For instance, when a new operating system or application update is provided, or when a device configuration is changed, the system should be able to gather reports from the thin clients, comparing these reports to a reference, and flag any discrepancies, or better yet, take automated action to remedy any problem ensuring that the end-user experience is consistent with the desired policies. These advanced asset management and health-monitoring data constitute a critical part of business operations and must be stored in a sophisticated, distributed and/or clustered, relational database, such as SQL or Oracle DB. Any flat-file based information 8
storage solution may appear straightforward in a Lab or a proof-of-concept but in the end will not scale for a large-scale deployment. THIN CLIENT MANAGEMENT WITH WYSE DEVICE MANAGER 4.7 In planning a large-scale thin client deployment, the key considerations are Enterprise Security, User Experience and Mobility, Network Scalability and Interoperability, and Asset Management and Health-Monitoring. While there are many solutions targeted for PC management, WDM is purpose-built for thin clients. We believe that a generic management solution is not adequate simply because: Thin clients run a diverse set of Embedded OS s, not just Windows Thin clients require very strong profile based policy enforcement for task-based computing Thin clients are imaged / provisioned through the network Thin clients require specific Asset Database for tracking and fast remote diag nosis Thin clients require tight-integration with ancillary network assets like remote software repositories Wyse designed WDM 4.7 to address all these challenges and to make a large-scale thin client deployment as straightforward as possible. We will use the following simplified network topology (Figure 2) to outline the features that make WDM the industry s most advanced thin client Management Software. In this example, there are multiple sites, including telecommuters in a SOHO setup or end-users in branch offices, while there is also a large thin client installation within the corporate network. WDM is installed as a distributed architecture. Branch offices have NAT/Gateways and Remote software Repositories. Asset Database is a SQL 2005 server cluster and multiple Administration GUIs allow segregation of Administrative duties for various sub-groups. These groups can be based on geography, network topology, device configuration, user profile, and so on. 9
Figure 2: Network architecture for large-scale thin client deployment Enterprise Security For ensuring the highest level of security, all communications between various network elements, like the thin clients, WDM Server, Remote software Repositories are based on full HTTPS encryption. Furthermore, to reduce deployment cost, the HTTPS certificates are self-signed and thin clients have the necessary logic to authenticate the WDM Server component. For the first time in thin client management, IT teams have the option to fully encrypt their network traffic and disable almost all server ports (except for HTTP/S, typically port 80/443) to ensure a higher-level of security. Besides security, full encryption allows IT staff to deploy additional techniques like compression to increase network efficiency. 10
WDM 4.7 supports the following features to make it the Industry s most-secure thin client management software. HTTPS based Server-Client Communication HTTPS based Server-Remote software Repository Communication HTTPS based Device Software Imaging Ability to authenticate self-signed HTTPS Certifications Server Client paired encrypted key for pairing clients with genuine manage ment server Ability to separate the Asset Database from the WDM server for DMZ installa tions User Experience and Mobility Next, let us take a look at enabling User Experience and Mobility where thin clients are connected to the public IP networks. To make WDM services like remote imaging shadowing, firmware upgrade and real-time asset tracking accessible, at least a portion of the WDM components must be installed in corporate DMZ network. However, the risk of exposing the Asset Database on a DMZ is simply unacceptable for many organizations. So, instead of running all the components in DMZ, we will simply attach WDM to an SQL 2005 server running inside the secure corporate networks. Alternatively, we can install and start a new SQL service inside the network. WDM has a very powerful device policy management module, called Default Device Configurations. By creating the right groupings, we will make sure that roaming users get all the proper updates and other policy enforcements, without being impacted by geography glitches. WDM 4.7 offers: DMZ friendly component installation for managing roaming or telecommuting end-users Powerful and flexible user configuration / policy management through Default Device Configuration (DDC) Extensive customization, device personalization and peripheral connection 1 1 In conjunction with Wyse TCX Multimedia Acceleration and USB Virtualization Features 11
Network Scalability and Interoperability WDM ensures that high-latency downloads occur only between the Master and Remote software Repositories. All device image updates should occur through the local / nearest Remote software Repository. Remote repositories act as local mirrors of the Master Software Repository and they automatically synch with the Master Repository. Furthermore, the new Non-PXE boot capabilities in WDM 4.7 provide seamless Network Interoperability. Windows and Linux based Remote Software Repositories Dealing with large images through distributed software download locations Adjusting to remote location bandwidth limitations through bandwidth-throt tling Imaging / Remote management over public IP networks: Non-PXE Boot HTTP / HTTPS based software imaging Asset Management and Health Monitoring WDM 4.7 has industry leading policy management tools. Different types of configurations, based on location, subnet, device type, and so on, can be created with up to 90 levels of hierarchy. These configuration policies are called Default Device Configuration (DDC) and ensure that a particular device belonging to a particular DDC group behaves exactly the way intended. Administration delegation is another powerful technique that is available in WDM and is integrated with Microsoft Active Directory services. This allows Administrators to set up restricted views and designate sub-group Administrators to manage a subset of thin clients, based on the policies set by the root administrators. WDM also supports remote GUI connections so those delegate Administrators can connect to the WDM sever and the Asset Database. 12
WDM comes packed with powerful scripts and queries for Asset Tracking and Reporting. In addition, Administrators have full access to the powerful relational Database, MS SQL, which contains the Asset data. Any comprehensive Asset Management and Health- Monitoring solution must rely on an industry-standard Relational Database. Powerful and flexible Default Device Configuration (this feature is worth men tioning a second time) Administration Delegation MS SQL Relational Database for Asset Tracking CONCLUSION In this white paper, we have reviewed some of the considerations for a large-scale thin client deployment program and discussed how to design and manage a thin client computing infrastructure with Wyse Device Manager, (WDM). This has shown that while thin client management may appear straightforward at the outset, a sophisticated management such as Wyse WDM is required to deliver the full benefits of a thin computing solution. WDM 4.7 is an advanced, purpose-built, thin client management software that provides superior security, better accommodation for end-user experience and mobility, additional logic and features for network scalability and interoperability and finally a world-class asset management and health-monitoring feature-set. 13
Appendix A About Wyse Technology Inc. Wyse Technology is the global leader in thin computing. Wyse and its partners deliver the hardware, infrastructure software, and services that comprise thin computing, allowing people to access the information they need using the applications they want, with better security, manageability, and at a much lower total cost of ownership than a PC. Thin computing allows CIOs and senior IT professionals to reduce costs, manage risk, and deliver access to information. Wyse partners closely with industry leaders Microsoft, Citrix, VMware, and others to achieve this objective. Wyse is headquartered in San Jose, California, with offices worldwide. For more information, visit the Wyse web site at www.wyse.com or call 1-800-GET-WYSE 2008 Wyse Technology Inc. The Wyse logo and Wyse are trademarks of Wyse Technology Inc. Other product names mentioned herein are for identification purposes only and may be trademarks and/or registered trademarks of their respective companies. Specifications subject to change without notice. Some features require support by server operating system and protocol.. 09/08 880925-26 Rev. A Wyse Technology Inc. 3471 North First Street San Jose, CA 95134-1801 Wyse Sales: 800 GET WYSE (800 438 9973) Sales: 408 473 1200 Wyse Customer Service Center: 800 800 WYSE (800 800 9973) Or send email to: sales@wyse.com Visit our website at: http://www.wyse.com