Archive for February, 2015

Tip: Still using IGEL LX/OS Version 4.x.x and require SHA2 or Storefront support for Citrix ICA sessions?

Tuesday, February 24th, 2015

Hi Folks,

I know a couple of customers and users are waiting for this: if you still have older IGEL UDx-x2x and UDx-x3x devices running IGEL LX Version 4.x.x, or migrated 3rd-party devices (migrated with the Universal Desktop Converter Version 1), you can now use SHA2 certificates and Citrix StoreFront with the latest Version 4.14.100.

Please be aware: Read the disclaimer coming with the new firmware release, it’s very important for devices coming with only a 512MB HDD/CF-Card! Also, the “old” hidden fallback switch (mentioned here) to select between different Citrix Receiver 12 versions is obsolete with Firmware 4.14.100; you can now switch between Citrix Receiver Version 12 and 13!

For the StoreFront setup you can use our whitepaper here; only the local client screens will look a little bit different because of the GUI differences between Linux V4 and V5.

Cheers
Michael

News from Superfish (aka Lenovogate)

Tuesday, February 24th, 2015

Hi Folks,

Last week we posted two articles related to the Superfish adware which came pre-installed on some Lenovo devices produced in the last quarter of 2014. Superfish raises serious security concerns because of the SSL interception technology it uses, which comes from another company called Komodia.

It seems that this will now lead to a class action lawsuit, or rather several (I already know about two), in the US against Lenovo; read also the article at PCWorld. I hope this will be a warning for other hardware vendors pre-installing software without any sense or effective use for the user and without any real security verification.

Lenovo has already published an uninstall tool (read also here), and some virus removal tools like Avast or Microsoft Defender will also remove it (or try to do it). In any case you should verify the local Computer Certificate Store to be sure… Lenovo also released an open letter here.

There is also other software available which uses the Komodia SSL interception technology, incl. a Trojan. There is a really good article available at Facebook by Matt Richard (Facebook Security Team) here, and I recommend reading it if you work in or are interested in IT security.

If you want to perform a check to verify that you don’t have any SSL interception software installed, try out this site: Badfish check

You’re using Firefox and Chrome/Internet Explorer? Don’t forget to open the Website above with Firefox and also Chrome/Internet Explorer.

Cheers

Michael
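
One way to do the certificate store verification recommended above, as an added example that is not part of the original post: it lists the CA certificates the operating system trusts and flags any whose subject or issuer mentions the two vendor names from the post. The function names and the sample entries are assumptions made for illustration; matching by name is only a heuristic, and Firefox keeps its own certificate store that this does not read.

```python
# Added example: name-based scan of the OS trust store for interception roots.
# Function names are hypothetical; the needles are the vendor names in the post.
import ssl

SUSPECT_NAMES = ("superfish", "komodia")


def _flatten(name):
    """Turn ssl's nested RDN tuples into a {field: [values]} mapping."""
    fields = {}
    for rdn in name or ():
        for key, val in rdn:
            fields.setdefault(key, []).append(val)
    return fields


def flag_suspect_roots(ca_certs, needles=SUSPECT_NAMES):
    """Return one record per certificate whose subject or issuer contains a needle.

    ca_certs is a list of dicts in the shape SSLContext.get_ca_certs() returns.
    """
    hits = []
    for cert in ca_certs:
        subject = _flatten(cert.get("subject"))
        issuer = _flatten(cert.get("issuer"))
        haystack = " ".join(
            v for fields in (subject, issuer) for vals in fields.values() for v in vals
        ).lower()
        matched = sorted(n.lower() for n in needles if n.lower() in haystack)
        if matched:
            hits.append({
                "subject_cn": (subject.get("commonName") or ["?"])[0],
                "serial": cert.get("serialNumber", "?"),
                "not_after": cert.get("notAfter", "?"),
                "matched": matched,
            })
    return hits


def load_os_trust_store():
    """Load the platform's default CA certificates (on Windows, the system stores).

    On systems that use a hashed CA directory, certificates are loaded lazily,
    so the returned list can be incomplete there.
    """
    ctx = ssl.create_default_context()
    return ctx.get_ca_certs()


# Constructed sample entries (not copied from a real store) for offline use.
SAMPLE_STORE = [
    {
        "subject": ((("organizationName", "Superfish, Inc."),),
                    (("commonName", "Superfish, Inc."),)),
        "issuer": ((("organizationName", "Superfish, Inc."),),
                   (("commonName", "Superfish, Inc."),)),
        "serialNumber": "01",
        "notAfter": "Jan  1 00:00:00 2030 GMT",
    },
    {
        "subject": ((("organizationName", "Example Trust Services"),),
                    (("commonName", "Example Root CA"),)),
        "issuer": ((("organizationName", "Example Trust Services"),),
                   (("commonName", "Example Root CA"),)),
        "serialNumber": "02",
        "notAfter": "Jan  1 00:00:00 2030 GMT",
    },
]

if __name__ == "__main__":
    for hit in flag_suspect_roots(load_os_trust_store()):
        print("SUSPECT:", hit)
```

An empty result only means no trusted CA carries one of these names; other Komodia-based products may install roots under different names, so the browser-based check is still worth running.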

Release: IGEL Universal Desktop LX/OS Firmware 4.14.100

Tuesday, February 24th, 2015

IGEL Universal Desktop LX
=========================
Version 4.14.100
Release date 2015-02-23
Last update of this document 2015-02-23

Supported devices:
UD2-x31 LX, UD2-x30 LX, UD2-x21 LX, UD2-x20 LX
UD3-x40 LX, UD3-x31 LX, UD3-x30 LX, UD3-x21 LX, UD3-x20 LX
UD5-x40 LX, UD5-x30 LX, UD5-x20 LX
UD9-x31 LX, UD9-x30 LX
The online Release Notes can be found at http://edocs.igel.com/index.htm#10202439.htm
Registry Keys of parameters are listed there.

====================
Versions:
====================
Clients:
– 2X Client 12.0.0-2270
– Cisco VPN Client 4.8.02.0030-k9
– Citrix Access Gateway Standard Plug-in 4.6.3.0800
– Citrix HDX Realtime Media Engine 1.6.0-6
– Citrix Receiver 12.1.8.250715
– Citrix Receiver 13.1.2.295815
– Client for RedHat Enterprise Virtualization Desktops 3
– Dell vWorkspace Connector for Linux 7.7.3
– Ericom PowerTerm 9.2.0.6.20091224.1-_rc_-25848
– Ericom Webconnect 5.6.0.4000-rel.20413
– FabulaTech USB for Remote Desktop 5.0.4
– Firefox 17.0.11
– IBM iSeriesAccess 7.1.0-1.0
– IGEL Legacy RDP Client 1.0
– IGEL RDP Client 2.1
– Imprivata OneSign ProveID Embedded
– Leostream Java Connect 3.0.57.0
– NCP Secure Client (Enterprise) 3.25-rev15580-i686
– NX Client 4.2.27
– Oracle JRE 1.7.0_76
– SAP GUI java710rev6
– Thinlinc Client 4.3.0-4538
– ThinPrint Client 7.0.63
– Totem Media Player 2.30.2
– Virtual Bridges VERDE Client 7.1.1_rel.24005
– VMware Horizon client 3.2.0-2331566
– Voip Client Ekiga 3.2.7

Dictation:
– Driver for Grundig Business Systems dictation devices
– Driver for Olympus dictation devices
– Legacy Philips Speech Driver 5.0.10
– Philips Speech Driver 12.2.7

Smartcard:
– PKCS#11 Library A.E.T SafeSign 3.0.3665
– PKCS#11 Library Gemalto IDPrime 1.1.0
– PKCS#11 Library SecMaker NetID 6.1.1.21
– Reader Driver ACS CCID 1.0.5
– Reader Driver HID Global Omnikey CCID 4.0.5.5
– Reader Driver MUSCLE CCID 1.4.13
– Reader Driver Omnikey CCID legacy-3.6.0
– Reader Driver Omnikey RFID legacy-2.7.2
– Reader Driver REINER SCT cyberJack 3.99.5final.SP03
– Reader Driver Safenet / Aladdin eToken 8.1.0-4
– Reader Driver SCM Microsystems CCID 5.0.27
– Resource Manager PC/SC Lite 1.8.9

System Components:
– Graphics Driver INTEL 2.17.0
– Graphics Driver VIA 5.75.32.87a-59172
– Graphics Driver VIA Legacy 4.1.83
– Xorg X11 Server 1.11.4
– Xorg Xephyr 1.7.6
====================
Information:
====================
IMPORTANT:
This release contains Citrix Receiver versions 12 and 13.
The Citrix Receiver 12 is still available for compatibility reasons and
activated by default. Version 13 of the Citrix Receiver can be activated at
the local setup of the device or through a UMS profile configuration.
Only one version can be used.
====================
Known issues:
====================

[Dell vWorkspace Connector]
– Seamless applications exported from Win8/8.1 desktops show display errors when
dragged to the screen edges.
– At dual view configuration flash redirected windows can appear on wrong screen.
– After the start of a seamless session the window is initially maximized before being
resized to the correct size.
– Windows XP sessions might not work properly anymore.
– Only standard 105 keys PC keyboards are supported.
Not supported anymore: Trimodal, Sun Type 6 or IBM 122 keys.
– Mapping of drives to a dedicated drive letter is not possible anymore.
– If Com-port redirection is enabled all linux serial ports (/dev/ttySx) will be mapped.
– If printer mapping is enabled all printers configured in CUPS are mapped.
– For Multimedia Redirection sound redirection with WMV/WMA streams is not working.
– USB Redirection may not work reliably.
– Session starts only if RDP Local Logon Window
(IGEL Setup->Sessions->RDP->RDP Global->Local Logon) is active.

[VMware Horizon]
– Remote Applications are not seamless in the strict sense.
These are rather displayed in an extra window decorated by the TC’s window manager.
– If more applications are defined and started in the same session, all are displayed inside this window.
The default size of this window can be defined in the Window section of the Horizon session.
– PCoIP user input language synchronization is currently broken.

[StepOver]
– StepOver serversonet does not work with natureSign signature pad.

[Genucard]
– Genucard versions 4 or greater currently cannot retrieve an IP address.

[Smartcard]
– In mode “IGEL Smart Card without Locking Desktop”: when a Horizon session is running
and the smart card is removed , the Horizon desktop and application chooser window stays open.
– In mode “IGEL Smart Card without Locking Desktop”: when a RDP session is running
and the smart card is removed, a bogus warning window is shown.
– Running 2X sessions from IGEL Smart Card fails with error “server name missing”.
====================
New features:
====================

[Citrix Receiver 13]
– Integrated Citrix Receiver 13.1.2
– Added support for StoreFront
Hints (It is IMPORTANT to read this, if you plan to use Citrix Receiver 13
instead of 12 and/or want to connect to a Citrix StoreFront server):
– This firmware contains two Citrix Receivers, but only one of them can be
active at a time. Default is Citrix Receiver 12. The version can be
switched by the new parameter “Use Citrix Receiver version 13” in the
IGEL setup at “Sessions->Citrix->Citrix Receiver Selection”
– The new parameter “Citrix server type” on IGEL setup page
“Sessions->Citrix->Citrix StoreFront / Web Interface ->Server” defines the
capabilities of the Receiver
according to the used Citrix server versions (default is “Web Interface”).
– For Citrix StoreFront only access via https is supported. If the SSL certificate
of your Citrix server is not signed by a trusted certificate authority
(like VeriSign, Thawte etc.), you have to install the root certificate of your
own certificate authority on each Thin Client.
Please use http://edocs.igel.com/index.htm#10200413.htm to access the
document on how to install SSL certificate.
– Legacy ICA sessions only work with Citrix XenApp servers up to version 6.5.
– The parameter “Deferred update mode” has no effect anymore.
– Added support for SHA-2 based certificates.
– Kerberos is only supported with Legacy ICA Sessions and Web Interface,
not with StoreFront.
– To enable usage of Smartcard authentication it is necessary
to choose Smartcard logon on the redesigned setup page
Citrix > Citrix StoreFront / Web Interface > Logon
and to choose the correct smart card on page
Citrix > Citrix StoreFront / Web Interface > Logon > Smartcard.
Passthrough authentication with smart card is only possible with StoreFront.
– Added “CGP Address” parameter to support the session reliability feature on page:
Citrix > HDX / ICA Global > Options
(Please note that this parameter might be overwritten by the
Citrix server.)
– Added parameter “ica.wfclient.twiavoidfullscreenwhenmaximized” to enable
a bug fix from Citrix regarding maximization of windows in a multi-monitor
setup with different resolutions (default: Disabled).
– Added parameter “ica.wfclient.twisetfocusbeforerestore” to enable a
workaround from Citrix to set the focus on windows before restoring them
to avoid issues with Java applications.(default: Disabled)
– Added parameter “ica.wfclient.applysucconntimeouttodesktops” to let the
session sharing timeout option “SucConnTimeout” be applied to desktops
as well (default: Disabled)
– Added registry parameter “ica.pnlogin.use_ctx_auth_mgmt”, that
enforces usage of the built-in authentication management of the
Citrix Receiver 13 instead of the IGEL mechanism. This disables credential
related features like passthrough, auto-logon etc.
– With Citrix Receiver 13 there is support for new graphics codec parameters:
– H264 deep compression codec registry keys:
* ica.wfclient.h264enabled (disabled by default)
* ica.wfclient.texttrackingenabled
* ica.wfclient.smallframesenabled
The H264 codec is only usable if the multimedia codec pack is installed.
Detailed description of the parameters are available at:
http://support.citrix.com/proddocs/topic/receiver-linux-13-1/receiver-linux-13-1.html and
http://www.citrix.com/content/dam/citrix/en_us/documents/downloads/citrix-receiver/linux-oem-guide-13-1.pdf
– JPEG codec registry keys:
* ica.wfclient.directdecode
* ica.wfclient.batchdecode (enabled by default)
Detailed description of the parameters are available at:
http://support.citrix.com/proddocs/topic/receiver-linux-13-1/receiver-linux-13-1.html and
http://www.citrix.com/content/dam/citrix/en_us/documents/downloads/citrix-receiver/linux-oem-guide-13-1.pdf

[ICA]
– Updated Philips Speech drivers to version 12.2.7
– New Grundig dictation driver: increased stability of audio channel.
Grundig SoundBox 820, DigtaSonic Mic I and ProMic 840 are not supported any more
– Updated driver for dictation with Olympus devices
– Added Citrix HDX RTME 1.6.0-6 used for Lync optimization.
– ICA sessions with Kerberos Passthrough: it is now possible to choose the Kerberos
implementation(s) which are used with Citrix via parameter
ica.module.virtualdriver.sspi.kerberosselection default: Heimdal,MIT
– Added parameter windowmanager.wm0.variables.igelicaallowminimize in the
registry to circumvent problems java-based windows over ICA with a popup
window. If set to false, ICA windows with a popup can not be minimized
anymore.
– Added support to restrict Legacy ICA sessions with workarea window mode to
a single monitor at
“IGEL Setup->Sessions->Citrix-> Legacy ICA Sessions->[session name]->
Window->Start Monitor”.
The value “No Configuration” expands the windows over all monitors without
hiding the taskbar.
– Improved the synchronization of starting Citrix sessions to avoid opening
multiple ICA channels, if possible. For fine-tuning, it is possible to
configure the maximum waiting time till a session starts, regardless of
the status of a previous started session. The parameter is available in
the registry: “ica.pnlogin.app_start_max_delay” (default: 30)
– Added a mechanism to autostart published applications, configurable on
setup page Citrix > Citrix StoreFront / Web Interface > Logon.
The new synchronization mechanism mentioned above is applied for
autostarts as well.

[RDP]
– Integrated IGEL RDP Client 2:
– New workarea window mode
– New Audio-In support
– Improved RemoteApp support
– Fixes for drive mapping
– Without Gateway Support
– Without RDP 8 based RemoteFX support (EGFX)
– Without Video Optimized Redirection (EVOR)
– IGEL Legacy RDP Client 1.0 can be enabled at setup page:
IGEL Setup -> Sessions -> RDP -> RDP Global -> Options
– Updated Philips Speech drivers to version 12.2.7
– New Grundig dictation driver: increased stability of audio channel.
Grundig SoundBox 820, DigtaSonic Mic I and ProMic 840 are not supported any more
– Updated driver for dictation with Olympus devices

[VMware Horizon]
– Updated VMware Horizon Client to version 3.2.0-23315666
– Added support to start a specific application published by a Horizon 6 server.
In the IGEL Setup go to Sessions->Horizon Client->Horizon Client Sessions
choose a session or create one and specify under Connection Settings
the application name to start and set the session
type to “Application”. (the checkbox “Autoconnect” should also be enabled).
In the IGEL setup registry the new keys can be found in each view session:
– sessions.vdm_client%.options.appname
– sessions.vdm_client%.options.sessiontype (default: “Desktop”)
– RDP sessions are using the standard IGEL RDP Client 2 client now
instead of the legacy rdesktop variant.
– The Ctrl+Alt+Delete behavior (for PCoIP sessions) has three options now:
* show Horizon Client’s chooser dialog to either send the key combo to the
host/VM or disconnect from the session
* send Ctrl-Alt+Delete directly to the host/VM
* do nothing
The corresponding key in the IGEL registry is found in:
– vmware.view.handle-ctrl-alt-del (default is “Show chooser”)
For sessions connected via Microsoft RDP the chooser dialog is the only option.
– Added switch for “Ctrl+Alt+Insert” redirection to VM.
Depending on server configuration either “Ctrl+Alt+Insert”,
“Ctrl+Alt+Delete” or no action can be triggered.
The registry key is located at “vmware.view.sendctrlaltinstovm” (default: Disabled)

[Dell vWorkspace Connector]
– Updated Dell vWorkspace Connector for Linux to version 7.7.3
– Added switch to enable bidirectional audio at
“IGEL Setup->Sessions-> RDP->RDP Global->Sound->Audio capture”
for global configuration, or session-specific at
“IGEL Setup->Sessions-> vWorkspace Client Sessions->[session name]->Mapping->Enable Microphone mapping”
– Added switch for font-smoothing at
“IGEL Setup->Sessions-> RDP->RDP Global->Performance->Enable Font smoothing”
for global configuration or session-specific at
“IGEL Setup->Sessions-> vWorkspace Client Sessions->[session name]->Performance->Enable font smoothing”.
– Added switch for vWorkspace connection bar at
“IGEL Setup->Sessions ->RDP->RDP Global->Enable Toolbar”
for global configuration, or session-specific at
“IGEL Setup->Sessions->vWorkspace Client Sessions-> [session name]->Window->Display the
connection bar when in full screen mode”.

[NX-Client]
– Updated NX Client to version 4.2.27:
New parameters:
– Connection service: sessions.nxclient<NR>.general.connection_service (Possible values: SSH, NX. Default: SSH)
– Logon method: sessions.nxclient<NR>.login.login_method (Possible values: Password, Private key. Default: password)

[2X Client]
– Updated 2X Client to version 12.0.0-2270
New parameters:
– TLS Authentication: sessions.twox<NR>.local_resources.windows_key_combinations Default: Disabled
– Network Level Authentication: sessions.twox<NR>.advanced.network_level_authentication Default: Enabled
– Pre-Windows 2000 Login Format: sessions.twox<NR>.advanced.oldwindows_login_format Default: Enabled
– Windows key combinations: sessions.twox<NR>.local_resources.windows_key_combinations Default: Local

[Shared Workplace]
– Shared workplace (SWP) now supports user display configurations
(including resolution, orientation, layout, refresh rates).

[ThinLinc]
– Updated ThinLinc client to version 4.3.0-4538.
New parameters:
– Multi monitor option: sessions.thinlinc<NR>.config.full_screen_all_monitors (default: Enabled)
– Resize remote desktop session: sessions.thinlinc<NR>.config.remote_resize (default: Enabled)
– Send system keys: sessions.thinlinc<NR>.config.send_syskeys (default: Enabled)
– SmartCard redirection: sessions.thinlinc<NR>.config.smartcard_export_enabled (default: Disabled)
– Lockdown Local device tab: sessions.thinlinc<NR>.options.locklocaldevices (default: Enabled)
– Lockdown Security tab: sessions.thinlinc<NR>.options.locksecurity (default: Enabled)

[Leostream Java Connect]
– Updated Leostream Connect_Java Client to Version 3.0.57

[Shadowing/VNC]
– Changed VNC version to 0.9.13
– Added VNC secure mode, based on a SSL-encrypted VNC connection. The SSL
connection uses a special certificate located in the directory /wfs/ca-certs.
This feature requires the Universal Management Suite (UMS) to be involved,
to handle the shadowing permissions and double check whether the connection
is allowed or not. In addition the UMS is used to assure a secure credential
exchange between the TC and the UMS console.
IMPORTANT: The UMS must have the version 4.07.100 or higher!
The feature can be enabled in IGEL setup at “System->Shadow->Secure Mode”

[Smartcard]
– Upgraded HID Global Omnikey smart card reader driver to version 4.0.5.5.
The following new readers are supported:
OMNIKEY CardMan (076B:0596) 2020
OMNIKEY CardMan (076B:3020) 3020
OMNIKEY CardMan (076B:3022) 3021
OMNIKEY CardMan (076B:3620) 3620
OMNIKEY CardMan (076B:7021) 3121
OMNIKEY CardMan (076B:3623) 3621
OMNIKEY CardMan (076B:3822) 3821
OMNIKEY CardMan (076B:3823) 3821
OMNIKEY CardMan (076B:5820) 4121 CL
OMNIKEY CardMan (076B:512D) 5025 PROX CL
OMNIKEY CardMan (076B:502A) 5025 PROX CL
OMNIKEY CardMan (076B:C001) 5121
OMNIKEY CardMan (076B:C100) 5121
OMNIKEY CardMan (076B:C101) 5121
OMNIKEY CardMan (076B:C104) 5125 CL
OMNIKEY CardMan (076B:C105) 5125
OMNIKEY CardMan (076B:5127) 5127 CK
OMNIKEY CardMan (076B:5220) 5220 Pay CL
OMNIKEY CardMan (076B:5221) 5221 Pay
OMNIKEY CardMan (076B:5311) 5321
OMNIKEY CardMan (076B:532B) 5321 Pay
OMNIKEY CardMan (076B:5340) 5021 CL
OMNIKEY CardMan (076B:A521) 5321
OMNIKEY CardMan (076B:5326) 5326 DFR
OMNIKEY CardMan (076B:5421) 5421
OMNIKEY CardMan (076B:1784) 6020
OMNIKEY CardMan (076B:6623) 6121
OMNIKEY CardMan (076B:6310) 6311 CL
OMNIKEY CardMan (076B:1BD0) 7120
OMNIKEY CardMan (076B:1BD1) 7121
OMNIKEY CardMan (076B:8630) 8630
OMNIKEY CardMan (076B:9621) 9621
CCID SC Reader (076B:A023)
CCID SC Reader (076B:A024)
CCID SC Reader (076B:A111) Keyboard
CCID SC Reader (076B:A112) Keyboard
CCID SC Reader (076B:A721)
CCID SC Reader (076B:B000) HID identiCLASS
CCID SC Reader (076B:B001) iCLASS Smart@Link
CCID SC Reader (076B:C000)
CCID SC Reader (076B:C200)
CCID SC Reader (076B:C300)
CCID SC Reader (0BF8:101B)
Fujitsu D321 (0BF8:1021)
Fujitsu G87 SC Contact Keyboard Cherry SmartTerminal XX44 (046A:007B)
Cherry SC Reader (046A:0090)
Cherry SC Reader (046A:0091)
Cherry SC Reader (046A:0092)
Cherry SC Reader (046A:00A3)

[Driver]
– Updated Softpro VirtualSerialSignpad driver to version 1.4.6.0

[USB Redirection]
– Upgraded Fabulatech USB for Remote Desktop up to 5.0.4

[Java]
– Updated JRE to version 1.7.0 update 76

[StepOver]
– Updated StepOver serversonet to version 0.7.16

[Network]
– Added parameter for DHCP user class option (see RFC 3004):
* network.dhcp.user_class
The default value is empty and means that the option is not used.
Non-printable bytes can be specified as \ooo, where each o is an octal digit,
or \xhh, where each h is a hexadecimal digit.
'\' and '"' must be escaped by prepending '\'.
– Added parameters for DHCP client identifier options (see RFC 2132):
– network.interfaces.ethernet.device0.dhcp_client_id
– network.interfaces.ethernet.device1.dhcp_client_id
– network.interfaces.wirelesslan.device0.dhcp_client_id
Example values: \x00host.example.org (a FQDN with type byte 0 prepended),
\x01\x00\x11\x22\x33\x44\x55 (the MAC address 00:11:22:33:44:55 with type byte 1 prepended)
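
The escape syntax above, worked through on the two example client identifier values, as an added example (not IGEL code; the function names are hypothetical). It assumes the dhcp_client_id parameters accept the same escapes as network.dhcp.user_class, and it wraps the decoded bytes as DHCP option 61 in the layout RFC 2132 defines.

```python
# Added example: decoder for the escaped DHCP option values described above.
# Function names are hypothetical; 61 is the RFC 2132 client-identifier code.

CLIENT_ID_OPTION = 61
HEX_DIGITS = "0123456789abcdefABCDEF"
OCT_DIGITS = "01234567"


def decode_escaped(value: str) -> bytes:
    """Turn \\ooo, \\xhh, \\\\ and \\" escapes into the raw option bytes."""
    out = bytearray()
    i = 0
    while i < len(value):
        ch = value[i]
        if ch == '"':
            raise ValueError(f'unescaped " at offset {i}')
        if ch != "\\":
            # Plain characters must be printable ASCII; anything else needs an escape.
            if not 0x20 <= ord(ch) <= 0x7E:
                raise ValueError(f"non-printable character at offset {i}")
            out.append(ord(ch))
            i += 1
            continue
        nxt = value[i + 1:i + 2]
        if nxt in ("\\", '"'):
            out.append(ord(nxt))
            i += 2
        elif nxt == "x":
            digits = value[i + 2:i + 4]
            if len(digits) != 2 or any(d not in HEX_DIGITS for d in digits):
                raise ValueError(f"\\x needs two hex digits at offset {i}")
            out.append(int(digits, 16))
            i += 4
        elif nxt and nxt in OCT_DIGITS:
            digits = value[i + 1:i + 4]
            if len(digits) != 3 or any(d not in OCT_DIGITS for d in digits):
                raise ValueError(f"octal escape needs three digits at offset {i}")
            byte = int(digits, 8)
            if byte > 0xFF:
                raise ValueError(f"octal escape exceeds one byte at offset {i}")
            out.append(byte)
            i += 4
        else:
            raise ValueError(f"unknown or truncated escape at offset {i}")
    return bytes(out)


def client_id_option(value: str) -> bytes:
    """Encode a configured value as option 61: code, length, type byte, identifier."""
    payload = decode_escaped(value)
    if len(payload) < 2:
        raise ValueError("client identifier needs a type byte plus at least one byte")
    if len(payload) > 255:
        raise ValueError("a DHCP option payload is limited to 255 bytes")
    return bytes([CLIENT_ID_OPTION, len(payload)]) + payload


def describe_client_id(payload: bytes) -> tuple:
    """Interpret the type byte: 1 is an Ethernet hardware address, 0 is not a hardware address."""
    kind, data = payload[0], payload[1:]
    if kind == 1 and len(data) == 6:
        return ("ethernet-mac", ":".join(f"{b:02x}" for b in data))
    if kind == 0:
        return ("opaque", data.decode("ascii", "replace"))
    return (f"type-{kind}", data.hex())


if __name__ == "__main__":
    # The two example values from the release notes.
    for raw in (r"\x00host.example.org", r"\x01\x00\x11\x22\x33\x44\x55"):
        option = client_id_option(raw)
        print(raw, "->", option.hex(), describe_client_id(option[2:]))
```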

[VPN]
– Upgraded NCP Enterprise VPN client up to 3.25-rev15580

[base system]
– Active Directory/Kerberos Logon: it is now possible to specify the default lifetime
and renewal lifetime of Kerberos tickets with parameters auth.krb5.libdefaults.ticket_lifetime
and auth.krb5.libdefaults.renew_lifetime in setup registry.
The default values are 10 hours and 7 days respectively.
– New TC Setup 4.8.18:
Added a quick link bar on many setup pages to find and get to related
configuration pages directly. Increased the default size of the setup window
to retain the readability of the affected setup pages (only when the setup
is started for the first time).
– Updated Chinese, Dutch, French and German userinterface translations
– Changed english label of start button on Application Launcher’s Applications
page from “Start” to “Execute”. A custom label for the button can be defined with parameter:
– userinterface.launcher.displaynames.startbuttonname.
– Added possibility to add custom timezone files to /wfs/zoneinfo/ directory.
– Increased the default taskbar height to 40.

====================
Resolved issues:
====================

[ICA]
– Fixed missing desktop/menu icons with Citrix XenApp/Program Neighborhood
– Fixed matching of application names in ICA autostart list
– Fixed Citrix XenApp/Program Neighborhood refresh command
– Fixed problems with vanishing systray icons.
– Fixed: ICA sessions are not closed anymore, when a USB headset is plugged in or out.
– Fixed window focus after closing a dialog. The focus will be set correctly.
– Added a workaround to deal with windows of a very low height, that show up
in the taskbar although they shouldn’t (e.g. some tooltip windows in seamless
Citrix sessions). To use this, adjust the parameter
“windowmanager.wm0.variables.tooltipsize” in the registry. A useful value for
single-lined tooltip windows would be 20.

[XEN]
– Fixed a minor bug in xen appliance mode with german keyboard layout and numblock DEL key.

[RDP]
– Fixed log on with Gemalto .net cards to Windows Server 2008
– Fixed execution problems of RemoteApps with short names.

[VMware Horizon]
– Added for passthrough authentication the possibility to use the shortened
domain name instead of the fully qualified domain name, like “EXAMPLE” instead of “EXAMPLE.COM”.
To enable shortened domain name for a particular session, go in the IGEL Registry and set the key
sessions.vdm_client%.options.passthrough_shortdomain to true.
– Fixed bug regarding Horizon/RDP sessions, where session restart was not possible after closing via menu bar
(Disconnect desktop and quit).

[Dell vWorkspace Connector]
– Fixed USB Redirection issues
– Fixed hotkey handling

[IBM_5250]
– Fixed system language detection in IBM iSeriesAccess sessions.
– fixed keyboard input of eastern european characters (czech, slovak, etc.)
enable registry key “iseriesaccessglobal.iso8859_2_fix”, default: Disabled

[ThinPrint]
– Handling of the “default” mark of a printer configured under Devices/Printer/Thinprint/Printer has been improved.

[Shadowing/VNC]
– Improved handling of Lock keys in VNC Server. All modifiers will be cleared
by default when shadowing is started. Lock keys are handled on client side
only by default.
(registry: network.vncserver.clear_all (default: Enabled) and
network.vncserver.skip_lockkeys (default: Enabled))

[XDMCP]
– Fixed X server restart.

[Universal MultiDisplay]
– Fixed UMD screen arrangement

[Smartcard]
– Implemented SCARD_ATTR_CURRENT_PROTOCOL_TYPE in pcsc-lite; this helps smart card log on with
SafeSign minidriver
– Fixed log off with IGEL Smartcard: when additional smart card readers were added or removed during
a session, removing the smart card did not trigger log off any more.

[base system]
– Updated ca-certificates to Ubuntu’s utopic version
The list of integrated certificates is available at:
http://myigel.biz/index.php?dir=IGEL_UNIVERSAL_DESKTOP_FIRMWARE/LX/V4/
– Fixed CVE-2014-6271 (ShellShock Bug)
– Applied bash security patches for CVE-2014-6277, CVE-2014-6278
– Fixed OpenSSL 1.0.1 security issues:
CVE-2014-0160 (heartbleed bug), CVE-2014-0076, CVE-2014-0198, CVE-2010-5298, CVE-2014-3470,
CVE-2014-0224, CVE-2014-0221, CVE-2014-0195, CVE-2014-5139, CVE-2014-3512, CVE-2014-3511,
CVE-2014-3510, CVE-2014-3509, CVE-2014-3508, CVE-2014-3507, CVE-2014-3506, CVE-2014-3505,
CVE-2014-3568, CVE-2014-3567, CVE-2014-3513, CVE-2014-3569, CVE-2014-3570, CVE-2014-3571,
CVE-2014-3572, CVE-2014-8275, CVE-2015-0204, CVE-2015-0205 and CVE-2015-0206 fixed.
– Improved OpenSSL 1.0.1 security: Added support to mitigate a protocol downgrade attack
to SSLv3 that exposes the POODLE attack.
– Fixed OpenSSL 0.9.8 security issues: CVE-2014-0224, CVE-2014-0221, CVE-2014-0195,
CVE-2013-0169, CVE-2013-0166, CVE-2012-2333 and CVE-2012-0884 fixed.
– Fixed gnuTLS security issues: CVE-2014-0092, CVE-2011-4128, CVE-2012-1573, CVE-2013-1619,
CVE-2013-2116, CVE-2014-1959, CVE-2014-0092 and CVE-2014-3466 fixed.
– Fixed libtasn1-3 security issues: CVE-2012-1569, CVE-2014-3469, CVE-2014-3468 and CVE-2014-3467 fixed.
– Fixed libgcrypt11 security issues: CVE-2013-4242 and CVE-2014-5270 fixed.
– Fixed libkrb5 security issues: CVE-2010-1321, CVE-2010-1322, CVE-2010-4020, CVE-2010-1323,
CVE-2010-1324, CVE-2010-4022, CVE-2011-0281, CVE-2011-0282, CVE-2011-0284, CVE-2011-1530,
CVE-2012-1012, CVE-2012-1013, CVE-2012-1015, CVE-2012-1014, CVE-2014-4345, CVE-2014-4344,
CVE-2014-4343, CVE-2014-4342, CVE-2014-4341, CVE-2013-6800, CVE-2013-1418, CVE-2013-1416,
CVE-2013-1415 and CVE-2012-1016 fixed.
– Fixed: With Kerberos authentication, when typing a wrong password at log on or screen saver unlock,
badPwdCount in Active Directory was incremented by 2 instead of 1 and thus the
account was locked too soon.
– Added security patch to fix CVE-2014-0196
– Fix for identical custom CAs.
– Fixed CVE-2014-6271 (ShellShock Bug)
– Fixed Active Directory domain logon with user principal names (UPN): Before logon was only working
if the first part of the UPN was the same as the sAMAccountName of the user.
– Improved FAT USB Stick write performance with using flush,dirsync mount option instead of sync.
The corresponding switch is in the IGEL Registry:
– devices.autofs.automount%.sync_option, default: Disabled (default was changed)
– devices.autofs.automount%.flush_option, default: Enabled (new registry entry)
To get back old behaviour switch devices.autofs.automount%.sync_option to enabled.
– Fixed glibc 2.15 security issues: CVE-2015-0235 (GHOST), CVE-2012-6656, CVE-2014-6040,
CVE-2014-7817, CVE-2014-5119, CVE-2014-0475, CVE-2013-4458, CVE-2014-0475, CVE-2014-4043,
CVE-2013-4332, CVE-2012-4412, CVE-2012-4424, CVE-2013-0242, CVE-2013-1914, CVE-2013-4237
and CVE-2013-4332
– Fixed english label in application launcher: renamed “Start …” in context menu of
applications to “Execute …”
– On resume caps-lock/scroll-lock modifiers are reset
– Updated timezone information

[TC Setup (Java)]
– Added hint in setup tooltips that suspend option isn’t available with Universal MultiDisplay.
– Fixed alphabetical sorting of keyboard layout list on IGEL Setup page User Interface->Language.
Previously the sorting was not correct in some languages like German.

[Desktop]
– Fixed the “Hide Cursor” feature
– Added support for DisplayPort Resolution 2560×1080
– Fixed display gamma correction setting on UD2 and UD3
– Fixed wrong background of taskbar separators after screen lock
– The system now sets the focus correctly on the desktop after system start.
Registry parameter: userinterface.desktop.focusable must be activated.

[VPN]
– Fixed Genucard DHCP IP retrieval

Security: cloud-client.info domain blacklist

Monday, February 23rd, 2015

Hello Folks,

As already mentioned in our blog registration form, we will publish domains which are used by spam bots, malware and virus senders and/or domains where users perform suspicious actions against our websites.

So here is our first list, called “domains_we_dont_like”, containing 643 domains (collected by our websites in the last 12 months). You can use this list as a blacklist for mail servers or to protect other web hostings/services. We also allow the use of this list for other security-related purposes and to prevent these actions in the future. Please note: There are also a couple of popular email providers like GMX, Yahoo or Hotmail in the list; as long as these mail providers can’t prevent the massive misuse of their services, we have no reason to remove these providers from the list. All listed domains were used a couple of times for different suspicious activities. If you are responsible for one of these domains and you want to be removed, you can get in contact with us to discuss how you can be removed from the list.

The list will be updated from time to time.

Cheers

Michael

 

Info: What clients can be used with the Windows Server 2012 Work Folder feature?

Monday, February 23rd, 2015

Hi Folks,

A question very often asked during workshops: what clients can be used with the Windows Server 2012 Work Folder feature? Currently the following desktop/mobile OSes are supported:

– Windows 8(.x) x86 and 64-Bit and Windows RT: Work Folder support comes directly with the OS.
– Windows 7 x86 and 64-Bit: Work Folder support needs to be downloaded from here and installed.
– Apple iPad (iOS): Work Folders app for devices is available in the Apple store

Still unsupported:

– Windows Phone 8(.x)
– Android
– Linux
– Webbrowser based access

It’s quite funny (no, not really) to see how Microsoft creates good features/products and then directly does its best to kill this advantage by not providing a client for several major OSes in the same or a nearly equal way. Similar to the still existing Remote Desktop Gateway gap for Windows Phone or a missing Lync/RDP client for Linux. Before talking about cloud as the future of Microsoft, it’s maybe helpful to understand that “cloud” means a bunch of end devices, and it still seems that Microsoft did not realize this small but important fact. Don’t misunderstand me, I really like these features/products, but I really don’t like to explain to customers/users all the time why they can’t use these features in their infrastructure because of the lack of a well-developed client infrastructure. Maybe it will be better with Windows Server vNext… …or Skype for Business. 🙂 Maybe I am also too spoilt by the existing Citrix client environment… 🙂 🙂

Cheers

Michael

Tip: Using Windows Server 2012 R2 workfolders with Remote Desktop/Citrix XenApp based Terminal Servers/VDI’s

Monday, February 23rd, 2015

Hi Folks,

Already a year ago I wrote an article on how you can change the default port for the Windows Server 2012 R2 Workfolder role/feature. By default the Workfolder feature works as a “sync” share for Windows 8.1 based desktop systems/VDIs, like a self-hosted OneDrive/Google Drive. In the article here I also mentioned that these Workfolders can be mapped to a Terminal Server based on Microsoft Remote Desktop Services and Citrix XenApp.

I got a couple of requests asking how the setup should look, so here is a small guide.

1) Install the Workfolder feature (can be found in the file server roles setup) on a Windows Server 2012 R2. Make sure that no other feature or application blocks the SSL port 443, or modify the port by following our guide here. During the Workfolder configuration you will be asked what “folder” name should be used, username or username@domain; use username only here.
2) After the Workfolder setup is done, create a new SMB file share pointing to your Workfolder directory, and make sure to set up exactly the same user rights as set for the original Workfolder directory. Open Windows Explorer on the Workfolder server, check the user rights for the Workfolder and adopt this configuration for the Workfolder share. If this is not done right, you may mismatch the user rights and users may be able to access files from other users or lose the Workfolder access.
3) After this is done, open the Group Policy Management Console (GPMC) and create a new policy linked to your Terminal Server OU.
4) Edit the new policy and browse to User Configuration->Preferences->Windows Settings->Drive Maps and create two new mapping entries; in my sample I map the Workfolder shares to drive U:. Location should always be \\*your_workfolder_server*\*Workfolder_Sharename*\%USERNAME%.

Create the share configuration

Update the share configuration

Final view

5) Close the policy and log on to a terminal server to verify the configuration; all modified content within drive U: will be synced to the user devices and vice versa.
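The permission mismatch warned about in step 2 can be checked with a script. The following PowerShell audit is an added example, not part of the original guide; the sync root path, the share name and the list of allowed administrative identities are assumptions to adjust for your environment (add your domain administrators group if it is set on the folders).

```powershell
# Added example: audit per-user folders under a Work Folders sync root that is
# also published as an SMB share. All paths and names below are assumptions.
param(
    [string]$SyncRoot  = 'D:\WorkFolders',     # assumed Workfolder directory
    [string]$ShareName = 'WorkfolderShare',    # assumed SMB share name
    # Identities that may legitimately appear on every user folder (assumed).
    [string[]]$AllowedAdmins = @(
        'NT AUTHORITY\SYSTEM',
        'BUILTIN\Administrators',
        'CREATOR OWNER'
    )
)

# 1) Share-level permissions: if these are broad, the NTFS ACLs checked below
#    are the only barrier between one user's files and another user.
Get-SmbShareAccess -Name $ShareName |
    Select-Object AccountName, AccessControlType, AccessRight |
    Format-Table -AutoSize

# 2) NTFS permissions: each folder is named after the user (step 1 of the
#    guide), so every Allow entry must belong to that user or to one of the
#    allowed administrative identities.
$findings = foreach ($dir in Get-ChildItem -Path $SyncRoot -Directory) {
    $acl = Get-Acl -Path $dir.FullName
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $identity = $ace.IdentityReference.Value
        if ($AllowedAdmins -contains $identity) { continue }
        # Strip the domain part: 'DOMAIN\alice' -> 'alice'
        $account = ($identity -split '\\')[-1]
        if ($account -ieq $dir.Name) { continue }
        [pscustomobject]@{
            Folder    = $dir.FullName
            Identity  = $identity
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

if ($findings) {
    Write-Warning 'Entries that give someone other than the folder user access:'
    $findings | Format-Table -AutoSize
} else {
    Write-Output "No unexpected entries found under $SyncRoot"
}
```

An inherited entry for a broad group such as Domain Users or Everyone is the typical finding here, and it has to be fixed on the parent directory rather than on each user folder.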

Cheers

Michael

P.S.: This can also be used with any Microsoft desktop OS based VDI if you want to use the Workfolder sync feature only for physical devices (which makes sense to prevent duplicate data in the Workfolder share and the user profile/Personal vDisk). If you install the File Server Resource Manager on the Workfolder server to set quotas (like 250MB available space per user), make sure to set the same quota for the file share as well!

P.S.2: The screenshots come from a production environment; that is why the location path is pixelated.

Tip (Update): Setting the Startmenu for Terminal Server Users working with Windows Server 2012 R2

Monday, February 23rd, 2015

Hi Folks,

maybe you have already noticed that the handling of the Startmenu is very different between Windows Server 2012 R2 and older Windows Server versions like 2008 R2 and so on. These configurations will also work for Windows 8.1 incl. Windows 8.1 RT (requires an enabled Group Policy Client service or a local policy setup).

A lot of administrators want to modify the Startmenu and offer a standard view for all users. This can be a very tricky task and I have already seen a lot of funny ways to do it. To clear this up a little bit I would like to suggest two ways in which this task can be done. The first variant is the “static” way: the user gets a “fixed” Startmenu without the ability to change anything. The second way creates a “default” Startmenu that can be modified by the user. You can figure out which way works best for you depending on the scenario; for example, if you deploy Terminal Servers through Citrix Provisioning with a static base image, it doesn’t make sense to give the user the ability to modify the Startmenu in any way. These configurations can be done through local and/or domain policies.

Way 1 – Static Startmenu for all users

1) Log in as a user with administrator permissions and install/set up all applications you want to provide to the users.
2) Set up the Startmenu the way it should be “published” to the users.
3) After you have finished the final look and feel, create a new SMB share on any file server in your environment and call it “startmenu” or something similar.
4) On the server where you have created the Startmenu “user” view, open PowerShell with administrative permissions and enter the command: “Export-StartLayout -Path \\*yourfileserver*\*sharename*\StartMenu.xml -As XML”
5) Log off from the Terminal Server and start the GPMC (Group Policy Management Console) on any domain system where the GPMC is available.
6) Create a new policy (or use an existing policy), link it to the OU where your Terminal Server users can be found, then right-click it and choose Edit.
7) In the policy browse to User Configuration->Policies->Administrative Templates->Start Menu and Taskbar and edit the setting Start Screen Layout.
8) Enable the policy and set the Start Layout File to the file you created in 4) = \\*yourfileserver*\*sharename*\StartMenu.xml

9) Close the policy and make sure the policy is assigned to the right OU; after this, log in to the server and verify the result.

Please note: The Startmenu cannot be modified by a user! For the Export-StartLayout command (4) you have to use the XML format for the export; the bin format cannot be used through the policy! If you assign the policies to a computer OU like your Terminal Servers, don’t forget to enable loopback processing!

Update: I forgot, applications whose shortcut is not listed in %ProgramData%\Microsoft\Windows\Start Menu may disappear after the second user login (Notepad or the Internet Explorer default entry, for example). So you may have to create the shortcuts on your own and assign them to the Startmenu before exporting the XML file. In this folder you can also control, in a very simple way, which applications are shown to the user in the “full” Startmenu applications view by editing the user permissions for each file and folder. For example, if you want to hide the Windows Store, disable permission inheritance, set the permissions to full access for “Domain Administrators”, “System” and “Administrators”, and add the user group(s) which should be able to reach the applications through the “full” Startmenu view (arrow down button in the Startmenu). If you want to be more secure regarding general application access, you can also combine this with the Windows AppLocker feature.

Way 2 – Flexible default Startmenu for all Users (Source: Microsoft Platform)

There is also an alternative described here: Microsoft Platform. This way also allows write access for the users, but it is a little bit tricky to set up and can cause issues in production.

I personally prefer Way 1, which makes more sense for most scenarios, so I provide only the link to the source.

Cheers

Michael

Lenovo released a Superfish uninstall tool

Saturday, February 21st, 2015

Hi Folks,

after big public concerns about the pre-installed Superfish tool that comes with some Lenovo end-consumer products, Lenovo has now released a tool to fully remove the Superfish Adware.

You can download the software from the Lenovo support site here.

I strongly recommend performing the uninstall as soon as possible. The root certificate has already been cracked (CA private key password: “komodia”), which means it is now quite simple to mount, or to become a victim of, a man-in-the-middle attack on any system that still trusts this certificate.

Cheers

Michael

Warning: BYOS-Bring your own Sh**! …and why Lenovo now was an Adware distributor. (Updated)

Thursday, February 19th, 2015

Hi Folks,

can your users work with their own device (laptop/PC/tablet) in your company environment, or do they have access to your company environment from home?

Then you should look out for new Lenovo end-consumer devices! Why?

Lenovo seems to have had some fun adding a software called “Superfish” to their hard disk images, so why is this now a security concern?

First of all, Superfish can be called Adware: the software adds a component to web browsers like Firefox, Internet Explorer and Google Chrome. This by default is already a pain in the a*s, but it gets even worse. Superfish adds its own trusted root CA certificate to the certificate store, and this means it is possible to perform a man-in-the-middle attack on all certificate-based SSL communication, like Facebook, online banking, Remote Desktop Gateway access or your company’s Netscaler incl. the related ICA traffic. This affects the Google Chrome browser and Internet Explorer; Firefox comes with its own certificate store and doesn’t use the Windows Certificate Store. There is also a nice article describing how Superfish deals with certificates here (expand the pictures in the top post).

So I strongly recommend that if a user comes up with a “new” Lenovo device, you force him to allow a device review. Uninstall Superfish (some virus scanners like Avira, incl. the certificate, or malware tools can do the job, just use Google) and remove all trusted CA certificates which belong to Superfish Inc, or even better: read out the Windows activation key incl. Office and wipe the damn system (my preferred way… 🙂 ). Removing CA certificates can be tricky, read also here, but this is the most important part.

Somewhere in January Lenovo stopped deploying Superfish, but from what I have read until now it is only on hold and not finally stopped, so this shi**y software can be delivered again. So customers should now “force” Lenovo to stop this in the future; don’t forget that there are also other vendors available. Be also aware: Lenovo stopped this in January, and affected devices can still be sold in retail stores.

There is already a statement available from Lenovo (Source, parts in German):
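To verify the Windows certificate store during such a device review, the following PowerShell function is an added example (not from the original post or from Lenovo’s tool). It lists trusted root certificates whose subject or issuer names Superfish and removes them only when asked; the function name and its parameters are made up for this example.

```powershell
# Added example: look for (and optionally remove) trusted root certificates
# whose subject or issuer names Superfish. The match string comes from the
# post; the function name and parameters are made up for this example.
function Find-SuperfishRootCertificate {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [string]$Pattern = 'Superfish',
        [switch]$Remove
    )

    # Trusted-root stores used by Internet Explorer and Chrome on Windows.
    # The machine store is checked first so that a removal there is already
    # reflected when the per-user view is enumerated.
    $stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'

    foreach ($store in $stores) {
        if (-not (Test-Path $store)) { continue }
        $hits = Get-ChildItem -Path $store |
            Where-Object { $_.Subject -match $Pattern -or $_.Issuer -match $Pattern }

        foreach ($cert in $hits) {
            # Emit one report object per matching certificate.
            [pscustomobject]@{
                Store      = $store
                Subject    = $cert.Subject
                Issuer     = $cert.Issuer
                Thumbprint = $cert.Thumbprint
                NotAfter   = $cert.NotAfter
            }
            if ($Remove -and
                $PSCmdlet.ShouldProcess("$store\$($cert.Thumbprint)", 'Remove certificate')) {
                Remove-Item -LiteralPath $cert.PSPath
            }
        }
    }
}

# Report only:
Find-SuperfishRootCertificate | Format-List

# Remove after reviewing the report (run elevated for the LocalMachine store):
# Find-SuperfishRootCertificate -Remove
```

Because Firefox keeps its own certificate store, a clean result here says nothing about Firefox profiles on the same device; check those in the browser’s certificate manager.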

“Lenovo removed Superfish from the preloads of new consumer systems in January 2015. At the same time Superfish disabled existing Lenovo machines in market from activating Superfish. Superfish was preloaded onto a select number of consumer models only. Lenovo is thoroughly investigating all and any new concerns raised regarding Superfish.”

Background information on Superfish

Superfish was preloaded onto select models of Lenovo consumer products only and is a technology that helps users find and discover products visually. The technology instantly analyzes images on the web and presents identical and similar product offers that may have lower prices, helping users search for images without knowing exactly what an item is called or how to describe it in a typical text-based search engine.

The Superfish Visual Discovery engine analyzes an image 100% algorithmically, providing similar and near identical images in real time without the need for text tags or human intervention. When a user is interested in a product, Superfish will search instantly among more than 70,000 stores to find similar items and compare prices so the user can make the best decision on product and price.

Superfish technology is purely based on contextual/image and not behavioral. It does not profile nor monitor user behavior. It does not record user information. It does not know who the user is. Users are not tracked nor re-targeted. Every session is independent. When using Superfish for the first time, the user is presented the Terms of User and Privacy Policy, and has option not to accept these terms, i.e., Superfish is then disabled.

The statement is one of the funniest I have ever read… Superfish is a miracle software, it can help a user to find and discover products without monitoring the user = pure magic? ..or who should believe this? What do you call real-time image recognition and a software that can intercept and sneak into certificate trusts? A glorious present for all hackers and intelligence agencies! Did anyone from Lenovo read the Superfish “Privacy Policy”?

Superfish will collect and store certain information that is automatically collected by WindowShopper or provided by its users, such as download date, status changes, usage logs, email address. Such information will be kept private by Superfish and is not for public distribution.
Superfish will also store bugs hunting information provided regarding the service. This information is for Superfish’s internal use only and will not be distributed under any circumstances.

Ok… So what do you call “It does not profile nor monitor user behavior”?

Lenovo is a strong candidate for our “That sucks!” Award now. Bloatware or other useless pre-installed crap, like a lot of vendors provide, is one thing, but pre-installed Adware containing strong security issues/concerns is a new dimension in how hardware vendors treat customers. Today, in mixed environments, it is also not important whether the device comes as an “end consumer” or an “enterprise” device.

Update: I just got a new statement provided through the Lenovo website here. The most important part is: We will not preload this software in the future. Lesson learned.. But please remember, there could still be affected devices available in stores, and the time period in which Lenovo “provided” Superfish is estimated at ~3 months.

Cheers

Michael

Citrix Tool Highlight: Pimp my Storefront – Introducing the StoreFront Web Configuration GUI

Thursday, February 19th, 2015

Hi Folks,

I just want to introduce you to a small and mostly unknown tool that lets you configure your StoreFront servers a little bit more than the regular StoreFront Console does.

First of all, you can download the tool for free from here: Citrix StoreFront Web GUI Assistant

Download the archive and extract the .exe file to your Citrix StoreFront server(s). The tool requires local Administrator permissions, so make sure the user has full access to the system. Now execute the tool to get the console; if the tool is executed on your StoreFront server you will see “Running on Storefront” in the upper left corner.

Now you need to open the web.config file for the Web GUI you want to edit, in my sample the file is located in the folder C:\inetpub\wwwroot\Citrix\DEMOWeb. Please note: Only Web related web.config files can be edited with this tool!

After you have opened the web.config file you can edit and save the file through the tool. I also strongly recommend making a backup before you overwrite an existing/production web.config file.

There are a bunch of useful configurations available.

Of course you can also edit the web.config files manually, but this is only recommended for users with some experience. The tool is also a good way to create documentation screenshots and to gain easy access to these configurations. Of course you can now ask: why are these settings not available in the regular StoreFront management? This is a very good question! All in all, this is a good (and mostly unknown) configuration tool for administrators to maintain/configure new or existing StoreFront installations in an easy way.

Cheers

Michael

cloud-client.info Remote Desktop Services Configuration Tool Beta is now available for download

Monday, February 16th, 2015

Hello Folks,

if you are looking for a small tool to simply configure a bunch of Microsoft Remote Desktop Services settings for Windows 8 (.1) or Windows 2012 (R2), then you should try our latest tool “Remote Desktop Services Configuration Tool”, which is now available as a public beta.

Remote Desktop Services Configuration Tool 1.0 Beta

The tool can also import and export settings, for example to switch settings very quickly between different systems or to adopt a configuration from a production system on a trial system and so on.

As written, RDSCT is currently a beta version and a bunch of settings will follow with upcoming releases (depending on my time). The source is already more than 16k lines of code and I don’t always have the time to add new features as I would like to. 🙂

The download is available here: Remote Desktop Services Configuration Tool

Have Fun

Michael

P.S.: Please report bugs or settings you want to see in later versions to us, see readme.txt for details.

Lync 2013 in a Box for SMB customers, introducing the UCBOX. (Updated)

Friday, February 13th, 2015

Hi Folks,

today I got my first hands-on with the UCBOX from the German vendor Bressner.

What is the UCBOX? In short, a small and handy Microsoft Lync 2013 server box/appliance designed with a very simple setup and handling for SMB customers. The UCBOX is available in different versions; this one is a UCBOX Lync Express OS version coming with the following content:

  • BRESSNER UCBOX Lync-in-a-box
  • with Auto installer for
  • Microsoft® Lync ™ 2013 Standard,
  • Telephony-Addon FonComfort Server
  • incl. Windows SRV 2012 R2
  • Embedded System 2U, 9,5″ Width
  • External power supply 19V DC,
  • Prerequisite Active Directory,
  • Lync-Licenses,
  • can be combined with 2. System to 19″,
  • incl. 19″ rack mounting kit

Today I don’t have much time available to run more tests with the UCBOX, but here are already some pictures showing the UCBOX and comparing its size with a Surface Pro tablet and an IGEL UD5 Thin Client.

UCBOX Front View

UCBOX Back View

Comparing UCBOX size with the Microsoft Surface Pro and an IGEL UD5

Currently the UCBOX is available in Germany through the distribution company ADN and in Switzerland through BCD-Sintrag. If you’re interested in more information you can also visit various road shows in Germany (Road shows in Germany). For simple product details and features you can also go to the Bressner website here: Lync related products.

At the moment the UCBOX looks very promising and I will provide you some test results during the next week.

Updated:

After the first tests: the UCBOX is not just a stupid hardware box. The main advantage is the software, which is also sold separately and can be used with your own server hardware. The installer takes a lot of tasks away from the engineer so he can focus on the main work, and it is also Skype for Business ready, so it cannot be compared with other “more” or “less” efficient hardware appliances available.

More will follow soon after some more tests…

Cheers

Michael

Windows Update KB3013455 breaks Font Smoothing on Windows XP, Server 2003R2 and 2008

Thursday, February 12th, 2015

Hello Folks,

if you are using Windows XP as VDI or have old Terminal Servers (incl. Citrix solutions) running Microsoft Windows Server 2003R2 or 2008 (32-Bit), you should not deploy KB3013455, which was released during the last Microsoft Patch Day.

The update causes a general font smoothing issue with a bunch of fonts, and users can get a much worse user experience when working with a lot of text content.

There is currently no workaround for this issue. Windows Server 2008R2/2012(R2) and Windows 7/8(.1) do not show any issue once the update is applied.

The issue is already confirmed by Microsoft, read also here: MS15-010

The MS15-010 article currently doesn’t mention Windows XP (or Vista), but I was able to reproduce it with a Windows XP 32-Bit VM as well.

Cheers
Michael

P.S.: Some users are also reporting issues with Windows Vista 32 Bit, but I believe this is less important for VDI environments.

Next Thin Client/Zero Client Vendor NComputing on the way to be part of another company? (Updated)

Monday, February 9th, 2015

Hi Folks,

in the last 10 years a couple of thin client vendors have gone.. Mostly acquired by other companies.

Neoware (US) was bought by HP…
Wyse (US) was bought by Dell…
Pano Logic (US) was… I don’t know how this can be described.
Sun Microsystems (US) was bought by Oracle and discontinued the Thin/Zero Client business.
Liscon (Austria) moved/changed to Stratodesk…

Now the next larger Thin Client vendor, “NComputing”, seems to be struggling, as mentioned in the Silicon Valley Business Journal here: NComputing in Santa Clara put on the block after troubles and in the San Jose Mercury News here: Santa Clara’s NComputing is for sale and in deep financial trouble. So in the upcoming weeks we will see what happens to NComputing.

Cheers
Michael

Tip: Business Card Scanners for Linux / MacOSX in virtual environments and without USB Redirection.

Monday, February 9th, 2015

Hi Folks,

from time to time customers ask what type of business card scanners can be used with IGEL Linux or any other “non” Windows client devices together with XenApp or Microsoft Remote Desktop Services. Typically these customers don’t want to deal with USB Redirection (XenApp 7.x or Microsoft RemoteFX) or don’t have USB Redirection available (XenApp <=6.5 / Windows Terminal Server <= Windows 2008 R2).

If you run into a situation like this you should look out for solutions like IRIS Card Anywhere (Canon). Devices working in this way don’t need a “special” driver installed; they come with internal memory or an SD card and can be used like a regular USB memory stick, and this means they can be used with Windows, Linux, MacOSX or an Android tablet providing a USB port. Disadvantage: they are a little bit more expensive, but if you calculate the work to get a driver installed or deployed in your environment then you will have a much cheaper TCO.

Cheers

Michael

P.S.: I used the IRIS Card as a sample based on my past experience, it’s not an advertisement. 🙂 In any case there are several solutions out there and you should test them in advance, before ordering a bunch of these devices. 😉

Tip: Flashplayer 16, Citrix HDX Flash redirection and Linux based Thin Clients

Monday, February 2nd, 2015

Hello Folks,

the Flashplayer 16 plugin now comes in two plugin versions (NPAPI and PPAPI), one for Chrome and one for Firefox… Both plugins currently do not work with HDX Flash Redirection for Linux based Thin Clients.

To get it working you need to apply the configuration settings from an older article here in the blog, and you now have to install the following Flash Players on the VM / Terminal Server / Thin Client.

Follow these steps:

1) Install the Flash Player 15 Plugin (not the ActiveX Plugin!) on the VDI/Terminal Server (the download can be found in the Flash Player archive)
2) Install the Flash Player 16 ActiveX Plugin on the VDI/Terminal Server
3) Disable Flash Player updates in the Control Panel
4) Apply the registry configurations mentioned here: HDX Flash Tweaks
5) Deploy the Flash Player for Linux to the IGEL LX/OS based devices and make sure HDX Flash Redirection is enabled in the Sessions->Citrix->ICA Global configuration!
6) Make sure the Citrix policies for the Flash redirection are in place, incl. the website compatibility policy!!

That’s it!

Cheers

Michael

P.S.: I forgot… Install Internet Explorer 11 or any other HTML 5 enabled browser if you want to watch YouTube, and kick out any Flash Player in your environment! This is the best multimedia support.. 🙂 🙂 🙂 Do you believe I hate Flash? Yes, you’re right, but I am sorry to say that we currently still have to live with it. 🙁 🙁

P.S.2: Perform the steps in the order shown! Tested with XenDesktop 7.5 and XenApp 6.5.