Sunday, September 15, 2019

Have a device (Roku or other) that won't connect to wifi?

I have a sister-in-law that bought a new Roku express this weekend.  She spent 4 hours fighting an issue where it wouldn't connect to her wifi claiming that the passcode is incorrect.  She searched forums, called xfinity support, and Roku support all to no solution.  She found that she should enter the MAC address in the router which didn't help.  Reset her router passcode, but why when every other device is working on the wifi just fine with that passcode. Change the WPA2 AES settings to something else.  Again why, the other devices are working fine.

Finally she decides to call me.  After about 20 seconds looking at her router settings I advise making the 2.4GHz and 5GHz wifi networks the same password.  Since the Roku Express only supports 2.4GHz it's trying to connect to 2.4, but since they are different passcodes and the same SSID there is nothing indicating to her that she needs to enter the 2.4GHz passcode.  In fact she didn't even know it or that there was ANY difference as Xfinity staff set it up.

Immediately this resolved the issue

Make them the same SSID and Passcode and let it just work.  The device will connect to the frequency it wants / supports and the end user doesn't need to care.  Or if you insist on different passcodes for some reason, make the SSID different as well as a visual indicator.

Thursday, June 27, 2019

Testing your website for weak ciphers and protocols

With recent deployments and integrations of systems I have had to ensure that several websites are secure. After digging around and setting registry keys I figured someone else has done this already, so I started looking for a quick script.

One better I found this handy software:

These guys have it setup so you can set the Schannel, and Cipher Suites plus orders.
Then click the site scanner and you'll see the familiar Qualys SSL Labs site.

Monday, February 18, 2019

Wyse ThinOS and RD Gateway with Broker - External Access

The other day I was able to get my hands on a Dell Wyse 3040 with ThinOS unit. I wanted to test out connecting to a Windows Remote Desktop Gateway with Connection Broker and RDSH from home. My intended end users are at remote sites with VPN connections, but I had other ideas for some remote workers to utilize these devices (without VMWare or Citrix) to connect in.

This post isn't about setting up RDSH, RDGateway, etc.  This is in line with getting ThinOS 8.6+ working with your RD Gateway and RD Connection Broker to RDS Hosts.  Something that in hind sight was very easy, but took me a bit to weed through the online posts, ini settings, etc.

I used Wyse Management Suite to configure the device (online trial). This has been a great option and works very well.  For production I will be deploying WMS Standard onsite.

Windows Remote Desktop environment layout:
The environment consists of the following layout. 
  • All servers running Windows Server 2016
  • 1 server with RD Gateway and Web installed together.  We'll refer to this as
  • 1 server with Connection Broker installed (NOT in HA config)
  • 2 servers running RDSH and the desktop being published - Collection Name: Desktop Resources
  • Dell Wyse 3040 ThinOS 8.6_013 connected to my home network. NO VPN to main datacenter.
Goal: To get the 3040 to connect through the and broker the connection to the proper RDSH server.  I want it to prompt the user for login upon boot and upon disconnect to logout of the gateway and prompt for login again (Shared workstation).

WYSE config:
I'm going to break this down by section in the WMS portal.  Then I will do my best to put the wnos.ini out.  Obviously there are other areas to configure, I'm just giving the basics for the RDGateway to work.

Require Domain Login: First area of interest to me was to disable the "Require domain login".  I want the thin client to load and prompt with the connection to the RD Gateway. 

Certificates: Depending on the CA you used on your Gateway you'll need to import the certificates.  I used Godaddy so I had to get the .cer for the Root and Secondary.  This was as easy as going to my site, viewing the certs, and then downloading (copy to file) the GoDaddy Root CA and GoDaddy Secure CA to files.  From there you will upload both files into Apps & Data tab under the File Repository (select certificate for the type).
Now you can check the option for certs and you will see all of the certs you need listed.

Security Policy: I set mine to Full
TLSCheckCN: enabled
VNC: I turned on VNC to allow ease of testing

Visual Experience:
Action after all sessions exit: "sign off automatically"

Microsoft Broker:
Broker Server:
This should be set to your gateway server.  Include the https:// but do not including anything past the FQDN.

Sessions to connect automatically: Desktop Resources
This is the collection name.  Since in this case I'm pushing out a collection of desktops there is only the collection name and not app names.  

Microsoft RDP Settings:
Enable NLA: Enabled  
In my environment I have this on for all servers.

That's it.  Restart the device to apply and test it out.  Notice that when you logout it puts the workstation back at the login screen, perfect for shared workstations!
Note that I did NOT put any Direct RDP Connections in as this isn't needed.

here's the devices wnos.ini as delivered from WMS.

Signon=Yes SaveLastDomainUser=no LastUserName=No
AddCert="Go Daddy Root CA - G2.cer"
AddCert="Go Daddy Secure CA - G2.cer"
SignOn=No ExpireTime=0 RequireSmartCard=No SCRemovalBehavior=0 DisableGuest=No
SecurityPolicy=full SecuredNetworkProtocol=Yes TLSMinVersion=1 TLSMaxVersion=3 DNSFileServerDiscover=Yes TLSCheckCN=Yes
AutoSignoff=10 Shutdown=no Reboot=no
SysMode=Classic toolbarclick=No ToolBarAutoQuit=No EnableLogonMainMenu=No
AutoLoad=2 VerifySignature=yes
ConnectionBroker=MICROSOFT \
host= AutoConnectList="Desktop Resources"
SessionConfig=all \
SessionConfig=rdp \
EnableNLA=yes EnableRecord=no EnableRFX=yes EnableTSMM=no ForceSpan=no enablegfx=no EnableUDP=yes EnableVOR=yes USBRedirection=rdp defaultcolor=2 MaxBmpCache=128 RDPScreenAlign4=no AutoDetectNetwork=yes EnableRdpH264=yes