Archives for June 2009

HP GT7725 Thin Client Windows XP/7 Drivers

The HP GT7725 thin client is really a pretty good AMD laptop in a mini-desktop form factor. However, HP doesn’t provide drivers for a generic OS like Windows XP or Windows 7, as they assume you will use the XPe OS they provide. But the computer is so powerful that it can easily function as a desktop replacement with a little tweaking. Additionally, it can work with Citrix XenDesktop 3.0 using the OS streaming feature, so you can harness the full power of the unit without any internal storage. Great for high security environments.

Whether you buy a large PATA SSD for internal storage, or stream the OS via Citrix XenDesktop, you will need hardware drivers. After some research via PCI vendor IDs, I tracked down all the needed drivers. Windows 7 actually recognized all of the hardware, but I prefer to get the vendor enhanced video drivers for best performance.

ATI HD3200 Video Driver – Windows XP
ATI HD3200 Video Driver – Windows 7 32-bit
RealTek Audio Driver – Windows XP and Windows 7
Broadcom NIC – Windows XP
ATI SM Bus – Windows XP

If you are wondering what SSDs I am testing, after a lot of research I’ve narrowed it down to two devices: 32GB Super Talent 44H2 or the 32GB Mtron Mobi 3000 PATA. Technically you can also use the 32GB Mtron 1.8″ ZIF series, but finding a good PATA ZIF to 44-pin IDE adaptor is a bit tricky. The Addonics AAT18ZIF25 does the trick, though (when used with a 44-pin laptop IDE cable).

The goal of the project is to allow the HP GT7725 to function in various roles: 1) traditional fat client with local storage; 2) streaming OS via Citrix XenDesktop 3.0; 3) “typical” thin client with XPe used in conjunction with Citrix XenDesktop using a ‘hosted’ VDI solution.

I am still in the process of performing benchmarks and comprehensive testing, but when that is completed and I have a solution I feel is enterprise ready, I’ll post an update.

Remote Desktop Protocol Comparison

Over at they have an interesting blog with a chart from VDIworks comparing various VDI (Virtual Desktop Infrastructure) protocols to their new VideoOverIP protocol. The chart is very enlightening, but leaves out one big player: XenDesktop and their ICA protocol. I don’t know if that was intentional, or just a glaring oversight. Either way, if you are evaluating VDI, the chart is a good starting point for a feature comparison of the various solutions.

Multi-Factor authentication with Exchange Outlook Anywhere?

In some organizations, in particular the Department of Defense, we are required to use CAC (SmartCard) authentication to access a variety of resources internally and externally. At my previous job I really loved using Outlook Anywhere (formerly known as RPC over HTTP) from literally anywhere without a VPN.

Unfortunately, Microsoft does NOT support multi-factor authentication for Outlook Anywhere even if you are running Outlook 2007, Windows 7, or Exchange 2007. This is due to limitations of the RPC over HTTP implementation which can only utilize NTLM, not Kerberos or other forms of authentication. Even if you throw ISA in the mix, which can use smart card authentication, you are still limited by the Exchange server only supporting NTLM.
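To confirm which mechanism a client actually presents, the Authorization header recorded at the publishing proxy can be decoded. The following is an added example, not from the original post: the function name is hypothetical and the sample tokens are constructed and truncated.

```python
import base64
import struct

# DER-encoded mechanism OIDs found inside GSS-API / SPNEGO tokens.
OID_SPNEGO = bytes.fromhex("06062b0601050502")            # 1.3.6.1.5.5.2
OID_KERBEROS = bytes.fromhex("06092a864886f712010202")    # 1.2.840.113554.1.2.2
OID_NTLMSSP = bytes.fromhex("060a2b06010401823702020a")   # 1.3.6.1.4.1.311.2.2.10
NTLM_MESSAGES = {1: "ntlm-negotiate", 2: "ntlm-challenge", 3: "ntlm-authenticate"}


def classify_authorization(value):
    """Return (scheme, mechanism) for one HTTP Authorization header value."""
    scheme, _, token = value.strip().partition(" ")
    scheme = scheme.lower()
    if scheme == "basic":
        return scheme, "password"
    if scheme not in ("ntlm", "negotiate"):
        return scheme, "unknown"
    try:
        blob = base64.b64decode(token.strip(), validate=True)
    except ValueError:
        return scheme, "malformed"
    # Raw NTLMSSP: 8-byte signature, then a little-endian 32-bit message type.
    if blob.startswith(b"NTLMSSP\x00") and len(blob) >= 12:
        (msg_type,) = struct.unpack_from("<I", blob, 8)
        return scheme, NTLM_MESSAGES.get(msg_type, "ntlm-unknown")
    # GSS-API initial token: tag 0x60 wrapping the offered mechanism OIDs.
    # Heuristic: a token that offers Kerberos at all is reported as Kerberos.
    if blob[:1] == b"\x60":
        if OID_KERBEROS in blob:
            return scheme, "kerberos"
        if OID_NTLMSSP in blob:
            return scheme, "spnego-ntlm"
    return scheme, "unknown"


def _header(scheme, raw):
    return scheme + " " + base64.b64encode(raw).decode("ascii")


# Constructed, truncated tokens (not captured traffic) for the three cases.
SAMPLES = {
    "outlook-rpc": _header("NTLM", b"NTLMSSP\x00" + struct.pack("<II", 1, 0x00088207)),
    "spnego-krb": _header("Negotiate", b"\x60\x17" + OID_SPNEGO + b"\xa0\x0d" + OID_KERBEROS),
    "spnego-ntlm": _header("Negotiate", b"\x60\x18" + OID_SPNEGO + b"\xa0\x0e" + OID_NTLMSSP),
}
```

A result of `ntlm-*` or `spnego-ntlm` means the session is password-equivalent NTLM, whatever the front-end proxy required before it.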

So how can I return to the bliss of accessing my corporate e-mail from anywhere, anytime, via any network? Well, there are a few glimmers of hope, but none are quick fixes. Microsoft is considering releasing a hotfix in the spring or summer of 2010 which will enable Windows Vista and higher in conjunction with Exchange 2010 to utilize multi-factor authentication. I say consider, because Microsoft has NOT made a firm commitment to deliver such a hotfix.

Why only Windows Vista or later and Exchange 2010? There are some significant architectural changes in Exchange 2010 that allowed Microsoft to re-write the RPC authentication mechanism to support additional protocols besides NTLM. Specifically, now that Outlook clients communicate via MAPI to a CAS server in Exchange 2010 (vice the mailbox server in 2007 and earlier), Microsoft was able to make major changes and improvements. Why only Windows Vista and later? Backporting the required changes to Windows XP was not very feasible and would have required a lot of development work. Plus the OS is nearly end of life, so it didn’t make the cut.

If you are an organization which would like multi-factor authentication for Outlook Anywhere, please, please, bug your Microsoft rep and make it known you want such a feature. The more customers complain to Microsoft, the better chance they will follow through with the hotfix.

What can you do in the meantime (before summer 2010)? Well, there are a few options. One would be to use Windows 7 and Windows Server 2008 R2 with DirectAccess. DirectAccess sets up a transparent IPv6 IPsec tunnel to your corporate network which tunnels application requests directly to the intranet. DirectAccess CAN use multi-factor authentication, so before Outlook attempts to make a connection to Exchange, you are securely authenticated. Problem solved, plus DirectAccess gives you many other advantages over a traditional VPN.

Another option, which you can do TODAY, is to configure ISA server for an IPsec VPN tunnel using certificates. After the IPsec tunnel is established you would launch Outlook and get your e-mail. Unlike DirectAccess, this is more of a traditional VPN and comes with other downsides while the VPN is up. Not ideal, but better than being without e-mail.

The easiest option is to forget about running Outlook while on the road, and just use OWA. SmartCard enabling OWA, even with ISA in the mix, is not a monumental task. You can SmartCard enable OWA with Exchange 2003 and Exchange 2007. As a side note, OWA in Exchange 2010 is almost on par feature-wise with the fat Outlook client. Microsoft has done an amazing job of bringing a rich client experience to the web. Microsoft has a few good articles on SmartCard enabling OWA. See the links below.

Exchange 2003

Exchange 2007

If you are a DoD entity and want to CAC enable ISA, see this short draft document created by DISA as a configuration addendum for some pointers. CAC enabling SharePoint 2007 is much more complicated, so I won’t dip into that topic right now.

Microsoft IntelliType and IntelliPoint 7.0 for Windows 7

Microsoft finally released their final (non-beta) versions of IntelliType and IntelliPoint 7.0 for Windows 7. You can download them directly from the links below.

IntelliType 7 64-bit
IntelliPoint 7 64-bit

Cisco Nexus 1000v demo videos

Today Cisco released two videos on the Cisco Nexus 1000v, going into a lot of good details about how it works. I’d recommend anyone considering the Enterprise Plus edition of VMware vSphere and the Cisco 1000v to look at the videos.

If you want to view them in HD, so you can clearly see the screenshots, take a look at their Facebook page. Look on the LEFT side of the page for the two videos with the HD icon. The primary videos in the middle of the page are low-resolution and VERY hard to read.

June ATI Windows 7 Drivers

Get the new Windows 7 64-bit ATI drivers here. Version 9.6, released on 6/14/2009.

From dozens to one…imaging simplified with SmartDeploy!

A few weeks ago I was at Microsoft TechEd 2009 in LA, and I was wandering around the vendor expo area. I stumbled upon a small company which, among other things, specializes in Windows OS deployment tools. OS deployment tools are nothing new; Microsoft has Windows Deployment Services (WDS). Symantec has Ghost and now owns Altiris. WDS, for instance, is great for re-imaging a machine when it’s connected to the LAN. WDS can inject drivers from a repository at image time, so you can keep one master image yet deploy to a variety of hardware.

However, WDS’s driver injection feature is limited to LAN-based deployments, not standalone (offline) DVD-based imaging. The project I support has several dozen client workstation models and probably a dozen server models. To make matters worse, for a variety of reasons, we use DVD-based imaging and not LAN-based imaging. So we ended up with literally dozens of machine-specific DVDs which could take weeks or months to build and test. Very unpleasant to say the least. Not to mention our images were always out of date, and restoring machines with known security vulnerabilities is not optimal.

A small company called Prowess has a product called SmartDeploy Enterprise which is an amazing piece of software that allowed us to consolidate all of our client AND server images into a single DVD. Their web site has good information on how the solution works, so I won’t repeat all of the details.

At a 10,000 foot view the concept is very simple: You build up a hardware agnostic VM, convert it to a WIM (using their tools), inject the Platform Packs (driver bundles), and burn to DVD/CD/USB stick. Insert the DVD/CD/USB stick into your client or server, boot from it, run a quick wizard, and in just a few minutes the OS will restore and have all the needed drivers. Image restores can take as little as five minutes, even on middle-of-the-road computers.

The secret sauce is the Platform Packs, which Prowess is building and making available on their web site. You can of course build your own, so you are not limited by the models they choose to support. The Platform Packs are bundles of all the drivers which a particular model and OS need: one Platform Pack for an HP 8510 laptop running Windows XP, another for a Dell E6400 running Vista x64, etc. The packs have built-in detection logic, so upon restore it looks up the manufacturer and model information burned into the system BIOS and picks the right driver package. It is important to note these Platform Packs are NOT stored in the OS WIM. They are loaded on demand during the restore process from the DVD.

Other great features are single instance storage for both WIMs and drivers. What does this mean? If you have 20 PCs which all need the same driver, SmartDeploy only stores one copy on the DVD, not 20. In addition, if you have two or more WIMs on the disc it will crack open the WIM and only store one copy of each file, no matter how many WIMs it is in. If you have custom OS images for legal and IT, for example, only the differences in the WIMs are stored, saving vast quantities of space.
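The two ideas above, single instance storage and model-based pack selection, can be sketched with a content-addressed store. This is an added illustration of the concept, not SmartDeploy’s code or on-disc format; the function names, file contents and model strings are constructed placeholders.

```python
import hashlib


def build_media(images, packs):
    """Store each unique payload once. images/packs map a name to {path: bytes}."""
    store = {}

    def add(tree):
        manifest = {}
        for path, data in tree.items():
            digest = hashlib.sha256(data).hexdigest()
            store.setdefault(digest, data)   # a second identical file costs nothing
            manifest[path] = digest
        return manifest
    return {"store": store,
            "images": {name: add(tree) for name, tree in images.items()},
            "packs": {key: add(tree) for key, tree in packs.items()}}


def sizes(media):
    """Return (bytes if every copy were stored, bytes actually stored)."""
    manifests = list(media["images"].values()) + list(media["packs"].values())
    logical = sum(len(media["store"][d]) for m in manifests for d in m.values())
    return logical, sum(len(v) for v in media["store"].values())


def select_pack(media, maker, model, os_name):
    """Return the driver files for the identity the firmware reports, or None."""
    def norm(text):
        return " ".join(text.split()).casefold()
    wanted = (norm(maker), norm(model), norm(os_name))
    for key, manifest in media["packs"].items():
        if tuple(norm(part) for part in key) == wanted:
            return {path: media["store"][d] for path, d in manifest.items()}
    return None   # unknown hardware: refuse rather than guess a pack


def corrupted(media):
    """Digests whose stored payload no longer hashes to its key."""
    return [d for d, data in media["store"].items()
            if hashlib.sha256(data).hexdigest() != d]


# Constructed sample data: file contents and model strings are placeholders.
IMAGES = {"legal": {"ntoskrnl.exe": b"K" * 4000, "legal.dat": b"L" * 500},
          "it":    {"ntoskrnl.exe": b"K" * 4000, "tools.dat": b"T" * 700}}
PACKS = {("HP", "8510", "Windows XP"): {"nic.sys": b"N" * 300, "ati.sys": b"A" * 900},
         ("Dell", "E6400", "Vista x64"): {"nic.sys": b"N" * 300}}
MEDIA = build_media(IMAGES, PACKS)
```

Because every image shares the single stored copy of a file, one damaged or altered payload affects all of them, which is why the sketch re-hashes the store before use.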

Using this technology we will be able to consolidate 60+ image DVDs into a single DVD disc which has our Windows XP and Server 2003 x86 and x64 images. SmartDeploy also supports USB memory sticks, CD media, and spanned media.

The most significant gain in efficiency will be future updates to the image. Instead of having to update 60+ images, do extensive testing, and take weeks or months of time, we can update the VM and build a new DVD disc with existing Platform Packs in literally less than an hour. Building monthly or quarterly images with all the latest security patches has now become a reality and would take less time than writing this blog.

Other uses for these image discs could be emergency recovery DVDs for people on the road with laptops. If their machine crashes or becomes unusable, a single DVD could get them back up and running in less than 10 minutes. Anyone who needs to perform offline imaging should seriously look at this product.

SmartDeploy Enterprise is still in beta, but should be released in late June 2009. They already support Windows 7 experimentally, and you can download a beta from their website. There is no scripting involved, it is all GUI driven, and the company is very responsive to feature requests and enhancements. A number of feature requests and bug fixes from our project have already been incorporated into the product before it has even RTM’d.

If you are a Dell customer, they are now starting to build driver CAB files for their platforms. This will greatly simplify the building of Platform packs. I hope HP follows suit, as extracting the HP drivers into their component INF files can be challenging. The Dell driver CAB files also work with Microsoft OS deployment tools such as MDT 2008, MDT 2010, ConfigMgr, WDS R2.

USB and VDI, why it’s not so easy!

On my current project we are looking at various VDI (virtual desktop infrastructure) solutions, to meet some pretty stringent requirements. In past years the technology was just not there yet to provide a fully collaborative A/V experience to our users so we stuck with traditional fat clients.

The killer application for us is desktop 2-way video conferencing using USB web cams and headsets. Currently we are using a third-party conferencing application, but it is end of life and now other options such as OCS 2007 R2 Live Meeting are on the table. But I digress.

Today there are a limited number of VDI solutions which can support robust 2-way A/V to the desktop. The key to understanding which solutions you can choose from is understanding the gory details of USB. A number of VDI solutions today support a variety of USB devices including smart card readers or scanners. So what about web cams and headsets? Shouldn’t they work just as well? Unfortunately not.

Nearly all web cams and headsets operate in ‘isochronous’ mode, meaning the device is sending a constant (and likely high bit rate) datastream to the client device at precise intervals. Why is this important? Very few VDI solutions support isochronous devices, because technically they require a lot more intelligence and processing logic due to the large amount of constant data the device is sending.

The bottom line is the two VDI leaders, Citrix XenDesktop and VMware View, today do not natively support isochronous USB devices with their ‘hosted’ VDI product. By hosted I mean a client OS VM running on a server, remoted to a client device via ICA (Citrix) or RDP (Microsoft). Plus, if you are using VDI over a WAN you need to consider the bandwidth required by such USB devices in addition to the multimedia stream the user is viewing.
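To see why web cams and headsets differ from smart card readers, the endpoint descriptors a device reports can be decoded: the transfer type sits in the low two bits of bmAttributes, and for isochronous endpoints the packet size and interval give the bandwidth the device reserves. This is an added example, not from the original post; the descriptor bytes are constructed and the function names are hypothetical.

```python
import struct

TRANSFER_TYPES = {0: "control", 1: "isochronous", 2: "bulk", 3: "interrupt"}


def parse_endpoints(blob):
    """Walk concatenated USB descriptors and return the endpoint descriptors."""
    endpoints, offset = [], 0
    while offset + 2 <= len(blob):
        length, dtype = blob[offset], blob[offset + 1]
        if length < 2 or offset + length > len(blob):
            break  # malformed or truncated: stop instead of looping forever
        if dtype == 0x05 and length >= 7:  # ENDPOINT descriptor
            addr, attrs, max_packet, interval = struct.unpack_from(
                "<BBHB", blob, offset + 2)
            endpoints.append({
                "address": addr,
                "direction": "in" if addr & 0x80 else "out",
                "type": TRANSFER_TYPES[attrs & 0x03],
                "packet_bytes": max_packet & 0x07FF,
                # bits 12..11 (high speed only): extra transactions per microframe
                "transactions": 1 + ((max_packet >> 11) & 0x03),
                "interval": interval,
            })
        offset += length
    return endpoints


def reserved_bytes_per_second(ep, high_speed):
    """Bus bandwidth an isochronous endpoint reserves; 0 for other types."""
    if ep["type"] != "isochronous":
        return 0
    services = 8000 if high_speed else 1000       # microframes or frames per second
    period = 2 ** (max(ep["interval"], 1) - 1)    # bInterval is an exponent here
    per_service = ep["packet_bytes"] * (ep["transactions"] if high_speed else 1)
    return per_service * services // period


# Constructed descriptors (interface + endpoints), not dumps from real devices.
WEBCAM_HS = bytes.fromhex("0904010101" "0e020000" "07058105001401")
HEADSET_FS = bytes.fromhex("0904010101" "01020000" "09050109c000010000")
CARD_READER_FS = bytes.fromhex("0904000002" "0b000000" "07050202400000" "07058102400000")
```

The constructed web cam endpoint reserves about 24.5 MB/s on the bus and the headset 192 KB/s, every second the stream is open, while the card reader’s bulk endpoints reserve nothing and simply wait their turn.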

In addition to a hosted VDI solution, Citrix has a streaming OS feature where the OS runs on the client end point device but PXE boots from the network so it acts just like a typical fat client and thus can use any USB device you wish. So today with Citrix XenDesktop OS streaming, full 2-way A/V conferencing is possible. However, this is just a LAN solution and will not work over a WAN. For WAN solutions, you are looking at a hosted VDI solution.

But back to the hosted VDI solutions, since that is a more common approach. If you have looked at all into thin clients, you will have heard of Wyse. They are one of the leaders, and have a variety of hardware devices at many price points. Wyse has a proprietary add-on to Citrix XenDesktop and VMware View which is called TCX. TCX has several components, one of which is isochronous USB support. Unfortunately, this proprietary software requires a Wyse end point device and an additional license for each device.

Wyse makes a variety of appliances which work for many customers, but they do not produce the most powerful thin client on the market. The beefiest thin client today is the HP GT7725. With Windows 7, Aero Glass, future graphically intensive programs, and lengthy refresh cycles, robust hardware is at the top of my list. Thus after careful consideration, I ruled out Wyse, which also ruled out the TCX extensions for enhanced USB support.

So for now, Citrix XenDesktop using the OS streaming model is the primary solution I am evaluating. There are enhancements to both XenDesktop and VMware View later this year which should add native isochronous support to hosted VDI solutions. If and when this happens, it will open up another deployment scenario which could be very useful since it would be WAN friendly, unlike the OS streaming mode.

In my next blog I will cover some of the cool features of the HP GT7725 which make it a very appealing platform and might even replace a traditional thick client by adding local flash storage.

Mark October 22, 2009 on your calendars!

So it’s official, the planned launch date of Windows 7 and Server 2008 R2 is October 22, 2009! Windows 7 will come in six varieties: Starter, Home Basic, Home Premium, Professional, Ultimate, and Enterprise. According to a Microsoft blog, the RTM code will be available to partners in the second half of July.

Hopefully enterprise customers and MSDN/Technet users can get their hands on the RTM code before October 22nd.