Monday, February 18, 2019

Wyse ThinOS and RD Gateway with Broker - External Access

The other day I was able to get my hands on a Dell Wyse 3040 ThinOS unit. I wanted to test connecting to a Windows Remote Desktop Gateway with Connection Broker and RDSH from home. My intended end users are at remote sites with VPN connections, but I had other ideas for some remote workers to use these devices (without VMware or Citrix) to connect in.

This post isn't about setting up RDSH, RD Gateway, etc. It covers getting ThinOS 8.6+ working with your RD Gateway and RD Connection Broker to reach the RDS hosts. In hindsight it was very easy, but it took me a while to weed through the online posts, INI settings, etc.

I used Wyse Management Suite (WMS) to configure the device (online trial). It has been a great option and works very well. For production I will be deploying WMS Standard onsite.

Windows Remote Desktop environment layout:
The environment consists of the following:
  • All servers running Windows Server 2016
  • 1 server with RD Gateway and RD Web Access installed together.  We'll refer to this as
  • 1 server with Connection Broker installed (NOT in an HA config)
  • 2 servers running RDSH, publishing the desktop - Collection Name: Desktop Resources
  • Dell Wyse 3040 ThinOS 8.6_013 connected to my home network. NO VPN to the main datacenter.
Goal: To get the 3040 to connect through the RD Gateway and have the Connection Broker route the session to the proper RDSH server.  I want it to prompt the user for login at boot, and on disconnect to log out of the gateway and prompt for login again (shared workstation).

WYSE config:
I'm going to break this down by section of the WMS portal, then put the resulting wnos.ini at the end.  There are obviously other areas to configure; I'm just giving the basics for the RD Gateway to work.

Require Domain Login: The first area of interest to me was to disable "Require domain login".  I want the thin client to boot and go straight to the RD Gateway connection prompt, so the user authenticates against the gateway rather than at the thin client's own sign-on screen.

Certificates: Depending on the CA that issued your gateway certificate, you'll need to import the CA certificates so the client can validate the chain.  I used GoDaddy, so I had to get the .cer for the root and the intermediate (issuing) CA.  This was as easy as browsing to my site, viewing the certificate, and exporting (Copy to File) the GoDaddy Root CA and GoDaddy Secure CA to files.  You only need the CA certificates, not the gateway's own server certificate.  From there you upload both files on the Apps & Data tab under File Repository (select Certificate as the type).
Now you can check the certificates option in the policy and you will see all of the certs you need listed.
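If you would rather pull the chain from the gateway itself than click through the browser, the following added example (not code from the post or from Dell) takes the output of `openssl s_client -connect gw.example.com:443 -servername gw.example.com -showcerts </dev/null`, drops the leaf (the gateway's own server certificate, which does not belong on the thin client), checks each block decodes to a complete DER SEQUENCE so a truncated paste is caught, and writes DER .cer files in the same format Windows "Copy to File" produces. gw.example.com is a placeholder for your gateway FQDN, and the sample s_client output is constructed with tiny DER stand-ins so it runs offline.

```python
"""Pull the CA certificates for a ThinOS import out of an openssl s_client dump.

Added example (not code from the post or from Dell). It assumes you captured
the gateway's chain with:
    openssl s_client -connect gw.example.com:443 -servername gw.example.com -showcerts </dev/null
where gw.example.com is a placeholder for your RD Gateway FQDN.
"""
import base64
import os
import re
import sys

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def der_sequence_length(der: bytes) -> int:
    """Total length (header included) that the outer DER SEQUENCE claims, or -1.

    An X.509 certificate is a DER SEQUENCE, so a mismatch between the claimed
    length and the number of bytes decoded means the PEM block was truncated
    or mangled by copy/paste.
    """
    if len(der) < 2 or der[0] != 0x30:
        return -1
    first = der[1]
    if first < 0x80:                      # short form: length fits in 7 bits
        return 2 + first
    n = first & 0x7F                      # long form: next n bytes hold the length
    if n == 0 or len(der) < 2 + n:
        return -1
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def is_complete_der(der: bytes) -> bool:
    return der_sequence_length(der) == len(der)


def pem_chain_to_der(text: str) -> list[bytes]:
    """Decode every PEM certificate in s_client output, in the order the server sent them."""
    ders = []
    for m in PEM_RE.finditer(text):
        der = base64.b64decode("".join(m.group(1).split()))
        if not is_complete_der(der):
            raise ValueError("truncated or corrupted certificate block")
        ders.append(der)
    return ders


def ca_certs_for_thinos(text: str) -> list[bytes]:
    """Everything except the first certificate: the leaf is the gateway's own
    server cert and does not go into the ThinOS certificate store.
    Servers often do not send the root; if only one CA cert comes back,
    fetch the root from the CA separately, as the post does for GoDaddy."""
    return pem_chain_to_der(text)[1:]


def write_cer_files(ders: list[bytes], outdir: str, prefix: str = "gateway-ca") -> list[str]:
    """Write DER .cer files (the same encoding as Windows 'Copy to File', DER)."""
    paths = []
    for i, der in enumerate(ders, 1):
        path = os.path.join(outdir, f"{prefix}-{i}.cer")
        with open(path, "wb") as fh:
            fh.write(der)
        paths.append(path)
    return paths


def _fake_pem(der: bytes) -> str:
    body = base64.encodebytes(der).decode().strip()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


# Constructed stand-in for real s_client output: the "certificates" are tiny
# DER SEQUENCEs so the example runs offline; real output carries full X.509 blobs.
SAMPLE_SHOWCERTS = (
    "CONNECTED(00000003)\n---\nCertificate chain\n"
    " 0 s:CN = gw.example.com\n   i:CN = Go Daddy Secure CA - G2\n"
    + _fake_pem(b"\x30\x03\x02\x01\x01")
    + " 1 s:CN = Go Daddy Secure CA - G2\n   i:CN = Go Daddy Root CA - G2\n"
    + _fake_pem(b"\x30\x03\x02\x01\x02")
    + "---\n"
)

if __name__ == "__main__":
    # Usage: python extract_chain.py chain.txt   (defaults to the constructed sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SHOWCERTS
    for p in write_cer_files(ca_certs_for_thinos(text), "."):
        print("wrote", p)
```

The files it writes are what you upload to the WMS File Repository as type Certificate. The length check is deliberately minimal: it proves the block is an intact DER object, not that it is a CA certificate, so still look at the subject names (`openssl x509 -in file.cer -inform DER -noout -subject`) before uploading.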

Security Policy: I set mine to Full, so the client refuses a gateway whose certificate chain it cannot validate (which is why the CA certs above are needed).
TLSCheckCN: enabled, so the name in the gateway's certificate must match the FQDN you connect to.
VNC: I turned on VNC for ease of testing.  Turn it back off before these go to users; it exposes the device's screen to anyone who can reach it on the network.

Visual Experience:
Action after all sessions exit: "sign off automatically"

Microsoft Broker:
Broker Server:
This should be set to your gateway server URL.  Include the https:// but nothing past the FQDN (no path).

Sessions to connect automatically: Desktop Resources
This is the collection name.  Since in this case I'm publishing a collection of desktops, there is only the collection name and no RemoteApp names.

Microsoft RDP Settings:
Enable NLA: Enabled  
In my environment I have this on for all servers.

That's it.  Restart the device to apply the policy and test it out.  Notice that when you log out it puts the device back at the login screen, perfect for shared workstations!
Note that I did NOT configure any Direct RDP Connections, as they aren't needed.

Here's the device's wnos.ini as delivered by WMS.  A few things worth noticing before you copy it: WMS emitted both Signon=Yes (first line) and SignOn=No (fourth line), so tidy that up to the one you actually want; the gateway URL from the Broker Server field goes in host= and is blank in this copy; and TLSMinVersion=1 still permits TLS 1.0 (the ThinOS scale is 1=TLS 1.0, 2=TLS 1.1, 3=TLS 1.2), so raise it to 3 once you have confirmed the gateway accepts TLS 1.2.

Signon=Yes SaveLastDomainUser=no LastUserName=No
AddCert="Go Daddy Root CA - G2.cer"
AddCert="Go Daddy Secure CA - G2.cer"
SignOn=No ExpireTime=0 RequireSmartCard=No SCRemovalBehavior=0 DisableGuest=No
SecurityPolicy=full SecuredNetworkProtocol=Yes TLSMinVersion=1 TLSMaxVersion=3 DNSFileServerDiscover=Yes TLSCheckCN=Yes
AutoSignoff=10 Shutdown=no Reboot=no
SysMode=Classic toolbarclick=No ToolBarAutoQuit=No EnableLogonMainMenu=No
AutoLoad=2 VerifySignature=yes
ConnectionBroker=MICROSOFT \
host= AutoConnectList="Desktop Resources"
SessionConfig=all \
SessionConfig=rdp \
EnableNLA=yes EnableRecord=no EnableRFX=yes EnableTSMM=no ForceSpan=no enablegfx=no EnableUDP=yes EnableVOR=yes USBRedirection=rdp defaultcolor=2 MaxBmpCache=128 RDPScreenAlign4=no AutoDetectNetwork=yes EnableRdpH264=yes
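Because WMS-generated INI files are easy to mis-edit by hand, here is an added example (not code from the post or from Dell) that parses a wnos.ini in the form shown above and flags the settings this post depends on: duplicate SignOn values, SecurityPolicy not full, TLSCheckCN off, a TLSMinVersion below TLS 1.2, a broker host that is not https:// plus a bare FQDN, and NLA disabled. It assumes the wnos.ini syntax is whitespace-separated Key=Value pairs with optional double quotes, backslash line continuation and `;` comments, that keys are case-insensitive, and that TLSMinVersion uses the ThinOS 1/2/3 scale. The sample inputs are constructed from the file above (trimmed to the relevant keys), and gw.example.com is a placeholder FQDN.

```python
"""Lint a ThinOS wnos.ini for the RD Gateway / Connection Broker settings.

Added example, not code from the post or from Dell. Assumptions: parameters
are whitespace-separated Key=Value pairs, values may be double-quoted, a
trailing backslash continues the line, lines starting with ';' are comments,
and keys are compared case-insensitively (the post's file has both Signon=
and SignOn=). TLSMinVersion uses the ThinOS scale 1=TLS1.0, 2=TLS1.1, 3=TLS1.2.
"""
import re
import shlex

# Constructed from the wnos.ini in the post, trimmed to the relevant keys;
# the blank host= is exactly as the post shows it.
WEAK_INI = """\
Signon=Yes SaveLastDomainUser=no LastUserName=No
AddCert="Go Daddy Root CA - G2.cer"
AddCert="Go Daddy Secure CA - G2.cer"
SignOn=No ExpireTime=0 RequireSmartCard=No SCRemovalBehavior=0 DisableGuest=No
SecurityPolicy=full SecuredNetworkProtocol=Yes TLSMinVersion=1 TLSMaxVersion=3 TLSCheckCN=Yes
AutoSignoff=10 Shutdown=no Reboot=no
ConnectionBroker=MICROSOFT \\
host= AutoConnectList="Desktop Resources"
SessionConfig=rdp \\
EnableNLA=yes EnableRecord=no EnableUDP=yes
"""

# The same file with the findings resolved; gw.example.com is a placeholder FQDN.
HARDENED_INI = (WEAK_INI.replace("Signon=Yes ", "")
                .replace("TLSMinVersion=1", "TLSMinVersion=3")
                .replace("host= ", "host=https://gw.example.com "))


def parse_wnos_ini(text: str) -> list[tuple[int, str, str]]:
    """Return (line_number, lowercased_key, value) triples in file order."""
    entries, logical, start = [], [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith(";"):
            continue
        start = start or lineno
        if line.endswith("\\"):           # continuation: keep collecting
            logical.append(line[:-1])
            continue
        logical.append(line)
        for token in shlex.split(" ".join(logical)):   # handles "Desktop Resources"
            key, sep, value = token.partition("=")
            if sep:
                entries.append((start, key.lower(), value))
        logical, start = [], None
    return entries


def lint(text: str) -> list[str]:
    by_key: dict[str, list[tuple[int, str]]] = {}
    for lineno, key, value in parse_wnos_ini(text):
        by_key.setdefault(key, []).append((lineno, value))

    def last(key: str) -> str:            # the value that appears last in the file
        return by_key.get(key, [(0, "")])[-1][1].strip()

    findings = []
    # Keys that must not be set twice with different values.
    for key in ("signon", "securitypolicy", "tlscheckcn", "tlsminversion", "enablenla"):
        if len({v.lower() for _, v in by_key.get(key, [])}) > 1:
            where = ", ".join(f"{v} (line {n})" for n, v in by_key[key])
            findings.append(f"{key} set more than once with different values: {where}")
    # Certificate validation must block, not just warn, and needs CA certs to work.
    if last("securitypolicy").lower() != "full":
        findings.append("SecurityPolicy is not full: an untrusted gateway cert would not stop the connection")
    elif "addcert" not in by_key:
        findings.append("SecurityPolicy=full but no AddCert lines: the gateway chain cannot validate")
    if last("tlscheckcn").lower() != "yes":
        findings.append("TLSCheckCN is not yes: the certificate name is not checked against the gateway FQDN")
    tls_min = last("tlsminversion")
    if not tls_min.isdigit() or int(tls_min) < 3:
        findings.append(f"TLSMinVersion={tls_min or 'unset'} permits TLS 1.0/1.1; set 3 (TLS 1.2)")
    # Broker block: host is https:// plus the gateway FQDN and nothing after it.
    if last("connectionbroker").lower() == "microsoft":
        host = last("host")
        if not re.fullmatch(r"https://[A-Za-z0-9.-]+", host):
            findings.append(f"host={host!r} is not https://<gateway FQDN> with nothing after the FQDN")
        if not last("autoconnectlist"):
            findings.append("AutoConnectList is empty: no collection will launch automatically")
    if last("enablenla").lower() != "yes":
        findings.append("EnableNLA is not yes: RDSH hosts that require NLA will reject the session")
    return findings


if __name__ == "__main__":
    for name, ini in (("as delivered", WEAK_INI), ("hardened", HARDENED_INI)):
        found = lint(ini)
        print(f"{name}: {len(found)} finding(s)")
        for f in found:
            print("  -", f)
```

Run it against the file WMS hands you before pushing a policy to a fleet; on the file as delivered it reports the duplicate SignOn, the TLS 1.0 floor and the empty host, and nothing on the hardened copy. The duplicate check reports rather than resolves, since which of two conflicting values ThinOS keeps is not something you want to rely on.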