fastpass in thin clients environments

FastPass Password Manager Version 3.4

FastPass in Thin Clients environments


Status: Final of 21

Date: February 18, 2013

Document Title FastPass in Thin Clients environments

Document Classification Public

Document Revision B

Document Status Final

Document Date February 18, 2013

The specifications and information in this document are subject to change without notice. Companies, names, and data used in examples herein are fictitious unless otherwise noted. This document may not be copied or distributed by any means, in whole or in part, for any reason, without the express written permission of FastPassCorp A/S.

Copyright © 2004 - 2013 FastPassCorp A/S. All rights reserved. Lyngby Hovedgade 98, 2800 Kongens Lyngby, Denmark. http://www.fastpasscorp.com/. FastPass Password Manager is a trademark of FastPassCorp A/S. All further trademarks are the property of their respective owners. Limited Warranty No guarantee is given for the correctness of the information contained in this document. Please send any comments or corrections to [email protected].

mailto:[email protected]


Status: Final of 21


Table of Contents 1. Introduction ..................................................................................................................................................................... 5

1.1 Purpose ................................................................................................................................................................... 5

1.2 Audience ................................................................................................................................................................. 5

1.3 References .............................................................................................................................................................. 5

1.4 Terms ...................................................................................................................................................................... 5

2. Technologies .................................................................................................................................................................... 6

2.1 Virtualization platform: VMware vCloud ................................................................................................................ 6

2.2 Application management: Citrix XenApp ................................................................................................................ 7

2.3 Desktop management: Citrix XenDesktop .............................................................................................................. 8

2.4 Thin Clients ............................................................................................................................................................. 8

2.4.1 Linux devices ...................................................................................................................................................... 9

2.4.2 Windows Embedded devices ........................................................................................................................... 10

2.4.3 ThinOS devices ................................................................................................................................................. 11

2.4.4 Zero Client devices ........................................................................................................................................... 12

3. FastPass and Thin Clients .............................................................................................................................................. 13

3.1 Linux devices ......................................................................................................................................................... 14

3.1.1 Option 1: Anonymous invoked RDP client ....................................................................................................... 14

3.1.2 Option 2: Anonymous Windows/Linux desktop configured with icons to applications protected by Citrix

governed domain authentication .................................................................................................................................. 14

3.1.3 Option 3: Anonymous Web browser entrance page configured with application launchers protected by Citrix


3.1.4 Option 4: A Windows Credential Provider can be installed ............................................................................. 14

3.1.5 Option 5: Special credentials allowing access to locked down environment ................................................... 14

3.2 Windows Embedded devices ................................................................................................................................ 15








3.3 ThinOS devices ...................................................................................................................................................... 17





Status: Final of 21






3.4 Zero Client devices ................................................................................................................................................ 19








4. Conclusions .................................................................................................................................................................... 21


Status: Final of 21


1. Introduction

The document has been released February 2013 and is covers FastPass Password Manager version 3.4.3.

The document has been written on a technical level where a reader familiar with the basics of Citrix Xen, Dell Wyse and

FastPass should understand how FastPass can be deployed to offer a Self-Service Password Reset Service.

NOTICE: THIS VERSION OF THE DOCUMENT CONTAINS CUSTOMER SPECIFIC (ATOS) ICONS THAT MUST BE REMOVED BEFORE PUBLIC RELEASE OF

THE DOCUMENT.

1.1 Purpose

The purpose of this document is to describe how to deploy and use FastPass in a Thin Client environment.

1.2 Audience

The intended audience of this document is persons responsible for architecting or deploying the FastPass Password

Manager solution in a Thin Client environment.

1.3 References

This document references the following documents:

None.

1.4 Terms

The following technical and product specific terms are used without further explanation throughout the document.


Status: Final of 21


2. Technologies

This section introduces the main technologies of the Thin Client environment that could exist in Thin Client environments.

In this document the focus has been put on products from Citrix and Dell Wyse, but please be aware that these products are

included only for the representation of the functionality that they are offering and their technical behavior.

2.1 Virtualization platform: VMware vCloud

The VMware platform has for many years been the leading platform in server virtualization and is now taking a major

position in the desktop virtualization market. Other large competitors are Microsoft with their Hyper-V platform and Citrix

with their XenServer platform.

The platform consists of a numerous products as shown below:


Status: Final of 21


The VMware vCloud is estimated to be the product of choice for virtualization by 70-80% of large organizations but still it is

very open for integrations for other vendors to integrate with, such as Citrix with their Xen products.

VMware has its own desktop virtualization platform, named VMware View, and supports many standards for desktop and

application streaming, such as PCoIP (PC over IP).

2.2 Application management: Citrix XenApp

The Citrix XenApp is a thin client product that allows users to connect to their corporate applications. XenApp can host

applications on central servers and allow users to interact with them remotely or stream and deliver those applications to

user devices for local execution. The product was formerly known as Citrix WinFrame Server, Citrix MetaFrame Server and

Citrix Presentation Server.

Citrix has been the absolute marked leader in remote access technologies over a period of 10-15 years but is increasingly

seeing competition from other vendors as the Cloud industry is growing.

Illustrated the conceptual architecture of a Citrix XenApp implementation looks like shown below.

Technically the XenApp application utilizes Citrix Systems’ proprietary presentation layer protocol or thin client protocol

called Independent Computing Architecture (ICA).

Unlike framebuffered protocols like VNC, ICA transmits high-level window display information, much like the X11 protocol,

as opposed to purely graphical information. The Citrix Display Driver is installed in the Session Space and captures high level

GDI draw commands, which can be replayed on GDI-capable clients, for example Windows-based clients. Clients are


Status: Final of 21


available for several operating systems, including Microsoft Windows (CE, 16-bit, 32-bit and 64-bit platforms), Mac OS,

Linux, other Unix-like systems, and in many Thin Client devices.

There is a web-based Citrix client, freely available under the name Web Interface for XenApp. The Web Interface client may

be used as a secure ICA proxy over HTTPS when combined with Citrix Secure Gateway, both of which are included in the

base XenApp product. XenApp also supports three UNIX variants: HP-UX, Solaris, and AIX which are included in Enterprise

and Platinum editions of XenApp.

2.3 Desktop management: Citrix XenDesktop

The Citrix XenDesktop is a desktop virtualization solution that transforms desktops and applications into a secure on-

demand service available to any user, anywhere, on any device. With XenDesktop, individual Windows, web and SaaS

applications, or full virtual desktops, can be delivered to PCs, Macs, tablets, smartphones, laptops and thin clients with a

high-definition user experience.

The basic idea of the product is to deliver application and/or desktops to user from single standardized images but still with

full support of customization by the end-user as illustrated below.

The XenDesktop solution builds on the same technology as XenApp and its openness towards virtualization platforms

(XenServer, VMware vSphere and Microsoft Hyper-V) makes it a good and safe investment. Other major advantages of the

products are support of high-definition user experience on LAN, built-in optimization for delivery over WAN and integration

with WAN Opt technology, Enterprise-grade Virtual Desktop Infrastructure (VDI), support of multiple desktop and

application delivery models to meet the needs of every user, support of user personalization (profile and application

management) and support of virtually any device/end-point.

2.4 Thin Clients

A thin client (sometimes also called a lean or slim client) is a computer or a computer program which depends heavily on

some other computer (its server) to fulfill its traditional computational roles. This stands in contrast to the traditional fat

client, a computer designed to take on these roles by itself. The exact roles assumed by the server may vary, from providing

data persistence (for example, for diskless nodes) to actual information processing on the client's behalf.


Status: Final of 21


Thin clients, like traditional computers, run a full operating system for the purposes of connecting to other computers.

Although the operating systems on Thin Clients are very light it is still there and shall be maintained. This is in contrast to

Zero Clients.

The Thin Client market is currently dominated by Dell Wyse and HP, followed by a handful of other vendors like Samsung,

Fujitsu , Pano Logic, Lenovo and Oracle. Some of those have just recently entered the market but might play a big role in the

future.

The following sections only includes devices from Dell Wyse, as they as said to be a true leader in the market. Sub sections

are split into 3, by operating system, as this is the categories that Dell Wyse delivers devices for. Other vendors deliver other

flavors that might be of the same quality, worse or better.

2.4.1 Linux devices This category of devices is characterized by running any version of the Linux operating system, for instance the SUSE Linux

Enterprise. Devices in this category are often very flexible and extensible.

2.4.1.1 Examples of products that specifically support Citrix are:

Dell Wyse C50LE Dell Wyse T50

2.4.1.2 OS description from Dell Wyse:

2.4.1.3 Login user interface:

The Dell Wyse Linux devices support local as well as LDAP authentication from the login interface but does not support

extensions/plugins.

Note: The newer Dell Wyse devices might have some undocumented special login features that can be utilized.

Examinations are in progress.


Status: Final of 21


2.4.2 Windows Embedded devices This category of devices is characterized by running any version of the Windows Embedded Standard (WES) operating

system, for instance the Windows Embedded Standard 7 (WES7) and the Windows Embedded Standard 2009 (WES2009)

both successors of the older Windows XP Embedded operating system.


Dell Wyse C90D7 Dell Wyse C90LE7



The Dell Wyse Windows Embedded devices give the users a feeling of being working on a PC directly from the login prompt.

If a device is joined directly to the domain infrastructure a user can login using their domain username and password or if

not, automatic login using a local user can be configured so that the user will get in to a limited environment allowing only

access to predefined applications.

The Microsoft Windows Embedded Standard (WES) operating system supports the Credential Provider architecture also

known from the Microsoft Windows 7/8/2008/2012 operating systems. This means that software vendors can develop

customized Credential Providers to be deployed on WES devices.


Status: Final of 21


2.4.3 ThinOS devices This category of devices is characterized by running the Dell Wyse ThinOS operating system, which is developed with focus

on performance, management easiness, security and user experience.


Dell Wyse C10LE Dell Wyse V10LE Dell Wyse T10



The Dell Wyse ThinOS devices support does not support extensions/plugins related to the login interface.




Status: Final of 21


2.4.4 Zero Client devices This category of devices is the newest and lightest types of devices and devices are characterized by not running a full real

operating system but rather just a small engine embedded into a chip and just as important by not having flash memory to

store persistent data, meaning that these devices complies to the strongest security measurements.


Dell Wyse Xenith Pro Dell Wyse Xenith 2

2.4.4.2 Description from Dell Wyse:


As mentioned above the Dell Wyse Zero Client devices do not contain an operating system and besides the login interface

and a few connection related dialogs, there isn’t any user interfaces built into the devices. This means that the Zero Client

doesn’t offer any kind of anonymous “kiosk” logins and the user must complete a full login to get access to the services of

the Citrix solution, whether this is XenApp or XenDesktop that is being used.




Status: Final of 21


3. FastPass and Thin Clients

This chapter describes how FastPass Password Manager can be integrated in Thin Clients environments.

Basically FastPass can be used directly if just one of the following interfaces is made available to the end user:

1. Anonymous RDP connection (launched without pre-authentication)

If device always connects to the same computer then this computer can have FastPass Windows Client installed, so

that this is accessible in the Windows login prompt.

2. Anonymous Windows/Linux desktop (launched without pre-authentication) configured with icons to applications

protected by Citrix governed domain authentication.

If the device is configured for automatic login of a local user a shortcut for a browser can be registered on the

desktop with an URL reference to the FastPass Self-Service Client.

3. Anonymous Web browser entrance page (launched without pre-authentication) configured with application links

protected by Citrix governed domain authentication.

If the device is configured for automatic login of a local user and the native desktop for this user is replaced with a

web browser then this can display links to the Citrix environment as well as to the FastPass Self-Service portal.

4. A Windows Credential Provider can be installed.

If the device is running the Windows Embedded Standard operating system a customized Credential Provider can

be installed directly in the operating system so that it is visible in the login interface exactly as on standard

Windows PCs.

5. Special credentials allowing access to locked down environment.

If a customizable image or text can be shown in the login interface it can instruct the user what to if failing to

authenticate. A possible text to display could be something like “Forgotten your password? Login as selfservice /

password to regain access…” like shown in the sample image below.

A special Citrix XenApp or XenDesktop profile could then be configured for this user, so that he would be allowed

to open a locked down virtual desktop in which there only should be granted access to the FastPass Self-Service

Client.

The table below shows which of the above usage options that can be supported by the different Thin Client devices types.

Option 1 Option 2 Option 3 Option 4 Option 5

Linux √ √ √ X √

Windows Embedded Standard √ √ √ √ √

Thin OS √ X X X √

Zero Client √ X X X √

Table: supported usage options


Status: Final of 21


In the following sub sections the various usage options will be described for the different Thin Client device types.

3.1 Linux devices

This sub section describes how FastPass can be made accessible to Linux devices accessing Citrix XenApp and Citrix

XenDesktop.

3.1.1 Option 1: Anonymous invoked RDP client This can be supported by configuration of Wyse device setting.

Pros:

Works on most Dell Wyse device.

Cons:

Only usable if a device is reserved for an individual user

General lower performance than native Citrix connections.

3.1.2 Option 2: Anonymous Windows/Linux desktop configured with icons to applications

protected by Citrix governed domain authentication This can be supported by configuration of Wyse device setting and this is used by existing FastPass customers.

Pros:

Works on most Dell Wyse Thin Client devices.

Cons:

Opens the first door to the IT infrastructure by offering visibility to which services are available.

3.1.3 Option 3: Anonymous Web browser entrance page configured with application

launchers protected by Citrix governed domain authentication This can be supported by configuration of Wyse device setting and this is used by existing FastPass customers.

Pros:


Cons:


3.1.4 Option 4: A Windows Credential Provider can be installed This can’t be supported.

3.1.5 Option 5: Special credentials allowing access to locked down environment This can be supported by configuration of Wyse device setting and this is used by existing FastPass customers.

Pros:


Cons:


Status: Final of 21


Requires the user to read the instruction and enter the shown credentials.

3.2 Windows Embedded devices

This sub section describes how FastPass can be made accessible to Windows Embedded devices accessing Citrix XenApp and

Citrix XenDesktop.


Pros:


Cons:



protected by Citrix governed domain authentication This can be supported by configuration of Wyse device setting and this is used by existing FastPass customers.

Pros:


Cons:



launchers protected by Citrix governed domain authentication This can be supported by configuration of Wyse device setting and this is used by existing FastPass customers.

Pros:


Cons:


3.2.4 Option 4: A Windows Credential Provider can be installed This can be supported.

As mentioned in section 2.4.2.3, the Microsoft Windows Embedded Standard (WES) operating system supports the

Credential Provider architecture also known on in the PC operating systems. The FastPass Password Manager solution

already have a Credential Provider for the PC platform and this will from Marts 1, 2013 also support the Windows

Embedded Standard 7 platform.


Status: Final of 21


The visual appearance of the FastPass Windows Client for WES will in its first release be as on Windows PCs (below detailed

in bullet 1) but the logical flow will in a following release be extended so that it will be configurable to be one of the

following:

Start a locked down login session locally on the device, only allowing access to the FastPass Self-Service Portal (as it

is done on the PCs).

Automatically login a system user for which a special Password Reset virtual desktop image shall be prepared in the

virtual infrastructure. The connection can be based either on a XenApp full screen RDP connection or a

XenDesktop connection, where the latter will be more resource consuming but also offer a better isolation seen

from a security perspective.

Both configurations will allow a user experience exactly as on standard Windows PCs.

Pros:

Same user experience as on standard PC’s.

Cons:

Requires installation of software on the device.

This is a photo of the FastPass Windows Client installed on and activated in the login interface of a Wyse Windows Embedded Standard device.

3.2.5 Option 5: Special credentials allowing access to locked down environment This can be supported by replace of a bitmap (image) file..

Pros:

No software installation.

Cons:



Status: Final of 21


This is a photo of a sample implementation of a customized image in the login interface of a Wyse Windows Embedded Standard device.

3.3 ThinOS devices

This sub section describes how FastPass can be made accessible to ThinOS devices accessing Citrix XenApp and Citrix

XenDesktop.


Pros:


Cons:




protected by Citrix governed domain authentication This can only be supported by first provide anonymous access to a virtual desktop and from there provide access to the real

desktop protected by domain authentication.

This scenario is not likely to be implemented and therefore it is considered as impossible.


Status: Final of 21



launchers protected by Citrix governed domain authentication This can only be supported by first provide anonymous access to a virtual desktop and from there provide access to a web

browser and other applications protected by domain authentication.




Pros:


ThinOS devices support customization of the whole background and the image in the login dialog separately. This

allows for a long description and inclusion of images.

Cons:


This is a photo of a sample implementation of a customized background image and customized image the login interface of a Wyse ThisOS device.


Status: Final of 21


3.4 Zero Client devices

This sub section describes how FastPass can be made accessible to Zero Client devices accessing Citrix XenApp and Citrix

XenDesktop.


Pros:


Cons:




protected by Citrix governed domain authentication This can only be supported by first provide anonymous access to a virtual desktop and from there provide access to the real

desktop protected by domain authentication.



launchers protected by Citrix governed domain authentication This can only be supported by first provide anonymous access to a virtual desktop and from there provide access to a web

browser and other applications protected by domain authentication.




Pros:


Zero Client devices support customization of the whole background, so anything but the login dialog in the center

of the screen. This allows for a long description and inclusion of images.

Cons:

Requires the user to read instructions and then enter the shown credentials.


Status: Final of 21


This is a photo of a sample implementation of a customized background image in the login interface of a Wyse Zero Client device.


Status: Final of 21


4. Conclusions

This chapter concludes how FastPass Password Manager can be integrated in a Thin Client environments and how the

whole solution will be beneficial for Thin Clients users.

The table below is the same as shown in the last chapter, and shows which of the described usage options that can be

supported by the different Thin Client devices types.

Option 1 Option 2 Option 3 Option 4 Option 5

Linux √ √ √ X √

Windows Embedded Standard √ √ √ √ √

Thin OS √ X X X √

Zero Client √ X X X √

Table: supported usage options

In the Options listed above, the following Password Reset implementation options (see Chapter 3) are possible.

Option 1 Anonymous invoked RDP client

Option 2 Anonymous Windows/Linux desktop configured with icons to applications protected by Citrix governed

domain authentication

Option 3 Anonymous Web browser entrance page configured with application launchers protected by Citrix

governed domain authentication

Option 4 A Windows Credential Provider can be installed

Option 5 Special credentials allowing access to locked down environment

FastPass will as shown in the above table and as described in chapter 3 deliver the best support for Windows Embedded

Standard devices as there will be no difference in working on terminal devices and on PCs. FastPass will as of Marts 1, 2013

support the Windows Embedded Standard 7 platform with the same functionality as on the PC with a few limitations

related to the Enforced Enrollment feature that will have to be implemented on the virtual desktop.

The customized image solution is also seen as useful, and as this doesn’t have any dependencies and utilizes the standard

FastPass product as it should be considered as a good choice if multiple types of devices exists within the same

organization. It shall also be noted that the text could be anything, so also an instruction for the user to use the iPhone App

that will be available in the spring (2013).

fastpass in thin clients environments

Documents