In some industries endpoint security is a significant concern, so organizations have been moving away from a traditional fat client to thin clients, and even to zero clients. Traditionally thin clients have some security and maintenance issues of their own. If they run Windows Embedded you still need to do patching, customize the image, and remotely manage the devices. There’s also a chance you can store data on the device, depending on the configuration.
Recently there has been a trend towards ‘zero clients’, which either eliminate or radically change what runs on the client device. A true zero client would have no operating system or software to ever update. Pano Logic has true zero clients. But if you are moving towards a mainstream VDI solution like VMware View or Citrix XenDesktop, your client hardware needs a little OS to provide the connectivity into the VDI environment. Alternatively you could use Wyse WSM to “stream” Windows XP or Windows 7 to one of their devices, but that is only a LAN-based solution. We needed a solution that would work across the WAN.
Wyse supplies ThinOS for some of their thin clients, which has a smaller attack surface area than embedded Windows or Linux operating systems. ThinOS is just 4MB in size, so it’s very small. For some organizations though, having any embedded flash memory is a security risk, even if end users can’t easily write data to it.
For Wyse products you have two solutions that completely remove the flash memory from the thin client, yet provide you connectivity into VMware View, Citrix XenDesktop, and Microsoft Remote Desktop Services. Both involve PXE booting the Wyse zero client to download the micro OS, which then runs from RAM. When you power down the device all memory is lost, and there’s no local storage.
One is their V00LE and the other is Xenith. What Wyse doesn’t tell you on their public web site is that both of these models can be ordered with zero flash memory and PXE booted to download their operating system. The V00LE uses Wyse ThinOS and the Xenith uses a special XenDesktop-only operating system. The project I support purchased a few V00LEs for a proof-of-concept. Once you get the hang of it, PXE booting the V00LE is easy, but in trying to make it work I encountered a few issues.
1. You don’t need to use WSM to PXE boot ThinOS or Xenith OS. In fact, Wyse recommends against using WSM to “stream” their embedded operating systems.
2. You cannot use the ThinOS BIOS downloads that are available to registered users. You need to contact your Wyse rep to get their PXE bootable versions of the firmware. If you try to use the stock downloads it will either hang or say the image is too big.
3. The PXE boot process requires the use of a TFTP server to download the PXE bootstrap binary and the ThinOS firmware. For my purposes I used the Windows Deployment Services (WDS) that comes with Windows Server 2008 R2, since it comes with a PXE and TFTP server.
4. ThinOS needs to download a text configuration file once ThinOS has booted. This can be from an FTP site or HTTP(S) source. I chose an HTTP source since I could later apply SSL if need be. The configuration file controls the security and connection details of the device.
After I got over all of these hurdles, I was able to PXE boot our V00LE with ThinOS. The boot time is just a matter of seconds and it’s really slick. For part 2 I will provide more technical details on how to configure DHCP and the TFTP server to make the PXE boot process work.