Tip: How to avoid Adobe Flash in Terminal Server/VDI environments with the IGEL LX/OS

Hi Folks,

maybe you also agree that Adobe Flash content is one of the biggest crap that can be used in a Terminal Server/VDI environment. For example youtube or similar site’s mostly waste expensive Server CPU resources only for watching a “funny” video..

flashtaskbar
Yeah… One User with one HD Flash Movie use 41% of  Server CPU resources!

HTML5 is still not a big deal for most site’s, so how can you handle it?

1) Ban it… Block unwanted traffic with a firewall or proxy. This is highly efficient but will upset the user base and maybe you need it (schools/education), so mostly this option is no deal.

2) Buy more Server.. More or less efficient and very expensive (Hardware, licensing, setup and cooling). No deal!

3) Use solutions like Citrix HDX Flash Redirection… More or less efficient, hard to setup and not 100% compatible, it could be a option but it’s not a real solution.

4) Ban it from the servers… I just setup this for a PoC and it seams to be the most efficient way which is also acceptable for most users. So how is the setup?

a) You need IGEL Linux based devices (LX or OS) based on the x86 architecture to do this.

b) Setup a local Firefox browser session and deploy any Version of the Adobe Flash Player for Linux to it (Browser Plugins in the IGEL Setup).

c) Assign a Hotkey to the Firefox Browser Session like ALT+CTRL+i.

d) Setup a IIS/Webserver on any System that is not already running a IIS/Webserver

e) On the Terminal Server/VDI (i recommend to use the golden Image) site open the hosts file which is located in the Windows/System32/drivers/etc folder and edit it. Now add any Website you want to outsource, point it to the “new” Webserver. Example:

192.168.1.150 youtube.com
192.168.1.150 youtube.de
192.168.1.150 anyotheruselessflashsite.com

Do not perform this for any Website which is used for “business” uploads/work! Don’t use a DNS Server to apply the configuration, this might also point the Thin Clients to a “wrong” site… Of course you can also add Webradio Website’s, browser based games or what ever you don’t want to see in a Webbrowser on the server backend. But at all.. It’s not a security solution at all, it’s to save resources only!

f) Create a small HTML Website with a short Text like “This site can not be used on a Server/VDI! Please press ALT+CTRL+i to open the local Browser and use ALT+CTRL+TAB to switch between the Browser/Session.” or similar. Make it simple and easy to understand… Now set this HTML Page as default and 404 error page for the new Webserver (d).

g) Let the user test it… If the User enter www.youtube.com the “new” Website will open and point the user how to work with the local Browser.. For the User it looks “very” embedded into the session, not 100% but it will be good enough to watch movies for most of them.

I know this solution is also not a 100% one and it can be bypassed if the User is using the IP. 😉 ..but it’s not a security solution, the User can watch Movies and you have minimized the wasted CPU resource on your backend. It’s easy to control, high compatible and everyone is happy. From my point it’s currently the best way to handle Flash until it will be fully replaced by HTML5 or any other “better” working solution. The performance depends on the User device, a UD5 will better perform than a UD2 but still: A slow client is better than a slow server for most company environments.

Also some more benefit’s.. You can seperate client traffic from your server traffic quite simple, the customer where i suggest this mentioned that they have 10GB or more “flash” streaming traffic (only youtube) per day in the server infrastructure with a little bit more than 300 user’s. You can use it with any Terminal Server/VDI solution but please note: If using VMWare View, Microsoft RemoteFX, Citrix XenDesktop x.x / XenApp 7.5 or any other solution that support real USB redirection don’t setup USB Redirection for Human Interface Devices (HID) because in this case the Mouse and Keyboard can not be used outside the Session (…and with the local Browser).

You can also add other description’s to the created “manual” website, for example for Android press the home button and open the local Browser or similar.

If you have suggestions to improve this solution feel free to give me a mail or add a comment.

Cheers

Michael

Leave a Reply

You must be logged in to post a comment.