Administration Guide for Cisco Virtualization Experience Client 2112/2212 ICA Firmware Release 7.1_118
Automated updates and configuration using central configuration

Cisco VXC Manager for remote administration

Cisco VXC Manager servers provide network management services to the zero client (complete user-desktop control, with features such as remote shadow, reboot, shutdown, boot, rename, automatic device check-in support, Wake-On-LAN, change device properties, and so on).

For more information, see Administration Guide for Cisco Virtualization Experience Client Manager.

Guidelines for network services setup

This appendix contains information on the network architecture and enterprise server environment needed to provide network and session services for zero clients running WTOS. It also includes information to help you address important considerations when configuring the services to be provided by the server environment. Use this chapter in conjunction with the INI Files Reference Guide for Cisco Virtual Experience Client 2112/2212 to set up and configure your WTOS server environment.

Network services used by the zero client can include DHCP, FTP file services, Virtual Desktop file services, DNS, and so on. How you configure your network services depends on what you have available in your WTOS environment and how you want to design and manage it.

The following topics in this section provide important overview information on the supported service situations you may have when configuring the network services for your WTOS environment (after becoming familiar with your environment requirements, see Network services setup):


Caution


If a zero client accesses the enterprise intranet through PPPoE or PPTP VPN and the zero client is locked-down, a non-privileged or low-privileged user attempting to reboot to Standalone user mode will disable the Network Setup dialog box and system reset capabilities. The user will not be able to re-access the enterprise intranet through this path. If this happens, the zero client must be moved to a location where it can access the enterprise intranet directly (Ethernet cable) and reboot so that an administrator can make any required changes to the zero client operating configurations through the user profiles (for example, set the user profile to unlock the zero client).


Network setup guidelines with FTP and DHCP

As a network administrator in an environment where DHCP and FTP servers are available, you can set up both DHCP and FTP network services and create “global” and “user” INI files as described in the INI Files Reference Guide for Cisco Virtual Experience Client 2112/2212.


Tip


A zero client is initially (new zero client or reset zero client to default configurations) configured to obtain its IP address and the location of the FTP server from a DHCP server. DHCP can only be used for the Ethernet Direct access.

A wnos.ini file contains the “global” parameters that affect all zero clients accessing the file server. A {username}.ini file contains the user-specific or “user profile” parameters that make up the connection profile for an individual user. For information on constructing these INI files, refer to the INI Files Reference Guide for Cisco Virtual Experience Client 2112/2212.


After DHCP and FTP servers are configured and available, simply connect the zero client to the network (directly through a network cable), turn it on, and begin using the zero client. A sign-on name and password may be required for access to the session services. If applications (published by Citrix PNAgent/ PNLite services) are available, a Domain name must be entered or selected from the list. Connections or applications may start automatically if they are configured to automatically start in the INI files.


Tip


If session connections or published applications are designated to open automatically on start-up, upon accessing the enterprise server environment you will see a session server log-in or server application window instead of the zero client desktop. Use Ctrl-Alt-Up Arrow to toggle between window display modes. Use Ctrl-Alt-Down Arrow to open a selection box for toggling between the desktop, the Connect Manager, and currently active connections.


If the zero client accesses the enterprise server environment through a manually initiated Dial-up, PPPoE, or PPTP VPN, the automation provided by a DHCP server is not available. In such cases, refer to Network setup guidelines with FTP and no DHCP and Network setup guidelines with no virtual desktop servers and no FTP for configuration information.


Tip


If Dial-up, PPPoE, or PPTP VPN are automatically started, FTP server services can be accessed through these connections.


Network setup guidelines with FTP and no DHCP

In an environment where a DHCP server is not available but an FTP server is available, the zero client user must locally enter (using the Network Setup dialog box) network information that would otherwise be supplied by the DHCP server.

If the zero client is configured for DHCP (new zero client or reset zero client to default configurations) but DHCP is not detected on the network, the Network Setup dialog box automatically opens when the zero client is started. You can also open the Network Setup dialog box manually by clicking on the desktop background, selecting System Setup from the desktop menu, and then clicking Network. In the Network Setup dialog box, select the Statically specified IP Address option and configure the dialog box for the following information (any remaining information will be automatically populated from the INI files when the FTP server is contacted):

  • Static IP address of the zero client
  • Subnet Mask
  • Default Gateway
  • DNS Domain Name (not necessary if DNS is not used)
  • DNS Server Address (not necessary if DNS is not used)
  • File Server IP address or DNS name of the FTP server on which the INI files reside and the FTP path on the server to /wnos.
  • PNAgent/PNLite Servers list (If PNAgent/PNLite is deployed on the network environment, enter the IP address or Host name with optional TCP port number of one or more PNAgent/PNLite servers that will provide published applications on the network)
  • Ethernet Speed
  • WINS Server Address (not necessary if WINS is not used)
  • Username and Password for login to the FTP server
  • Cisco VXC Manager Server Address (not necessary if Cisco VXC Manager server is not used)
  • Time Server

Tip


A wnos.ini file contains the “global” parameters that affect all zero clients accessing the file server. A {username}.ini file contains the user-specific or “user profile” parameters that make up the connection profile for an individual user. For information on constructing these INI files, refer to the INI Files Reference Guide for Cisco Virtual Experience Client 2112/2212.


After the network settings are configured, reboot the zero client before using it. A sign-on name and password may be required for access to the session services. If applications (published by Citrix PNAgent/PNLite services) are available, a Domain name must be entered or selected from the list. Connections or applications may start automatically if they are configured to automatically start in the INI files.

Network setup guidelines with virtual desktop servers and DHCP

A zero client is initially (new zero client or reset zero client to default configurations) configured to obtain its IP address and the location of the Virtual Desktop server from a DHCP server. DHCP can only be used for the Ethernet Direct access configuration.

As a network administrator in an environment where DHCP and Virtual Desktop servers are available, you can set up both DHCP and Virtual Desktop network services and create “global” and “user” INI files (in the Virtual Desktop Broker) as described in the INI Files Reference Guide for Cisco Virtual Experience Client 2112/2212.


Tip


A zero client is initially (new zero client or reset zero client to default configurations) configured to obtain its IP address and the location of the Virtual Desktop server from a DHCP server. DHCP can only be used for the Ethernet Direct access configuration.

A wnos.ini file contains the “global” parameters that affect all zero clients accessing the file server. A {username}.ini file contains the user-specific or “user profile” parameters that make up the connection profile for an individual user. For information on constructing these INI files, refer to the INI Files Reference Guide for Cisco Virtual Experience Client 2112/2212.


After DHCP and Virtual Desktop servers are configured and available, simply connect the zero client to the network (directly through a network cable), turn it on, and begin using the zero client. A sign-on name and password may be required for access to the session services. If applications (published by Citrix PNAgent/PNLite services) are available, a Domain name must be entered or selected from the list. Connections or applications may start automatically if they are configured to automatically start in the INI files.


Tip


If session connections or published applications are designated to open automatically on start-up, upon accessing the enterprise server environment you will see a session server log-in or server application window instead of the zero client desktop. Use Ctrl-Alt-Up Arrow to toggle between window display modes. Use Ctrl-Alt-Down Arrow to open a selection box for toggling between the desktop, the Connect Manager, and currently-active connections.


If the zero client accesses the enterprise server environment through a manually initiated Dial-up, PPPoE, or PPTP VPN, the automation provided by a DHCP server is not available. In such cases, see Network setup guidelines with virtual desktop server and no DHCP for configuration information.


Tip


If Dial-up, PPPoE, or PPTP VPN are automatically started, Virtual Desktop server services can be accessed through these connections.


Network setup guidelines with virtual desktop server and no DHCP

In an environment where a DHCP server is not available but a Virtual Desktop server is available, the zero client user must locally enter (using the Network Setup dialog box) network information that would otherwise be supplied by the DHCP server.

If the zero client is configured for DHCP (new zero client or reset zero client to default configurations) but DHCP is not detected on the network, the Network Setup dialog box automatically opens when the zero client is started. You can also open the Network Setup dialog box manually by clicking on the desktop background, selecting System Setup from the desktop menu, and then clicking Network. In the Network Setup dialog box, select the Statically specified IP Address option and configure the dialog box for the following information (any remaining information will be automatically populated from the INI files when the Virtual Desktop server is contacted):

  • Static IP address of the zero client
  • Subnet Mask
  • Default Gateway
  • DNS Domain Name (not necessary if DNS is not used)
  • DNS Server Address (not necessary if DNS is not used)
  • Ethernet Speed
  • WINS Server Address (not necessary if WINS is not used)
  • Username and Password for login to the FTP server
  • Cisco VXC Manager Server Address (not necessary if Cisco VXC Manager server is not used)
  • Time Server
  • VDI Server

Tip


A wnos.ini file contains the “global” parameters that affect all zero clients accessing the file server. A {username}.ini file contains the user-specific or “user profile” parameters that make up the connection profile for an individual user. For information on constructing these INI files, refer to the INI Files Reference Guide for Cisco Virtual Experience Client 2112/2212.


After the network settings are configured, reboot the zero client before using it. A sign-on name and password may be required for access to the session services. If applications (published by Citrix PNAgent/PNLite services) are available, a Domain name must be entered or selected from the list. Connections or applications may start automatically if they are configured to automatically start in the INI files.

Network setup guidelines with no virtual desktop servers and no FTP

In an environment where FTP and Virtual Desktop Broker servers are not available (for example, Standalone User or PNAgent/PNLite-only User situations), configuration files are not available and network information must be entered locally at the zero client as follows:

  • Standalone User—This user does not access user profiles or PNAgent/PNLite-published applications. New and Settings command buttons appear in the Connect Manager for use (if the Connect Manager does not open automatically, open it from Desktop menu). These command buttons are also available to low-privileged and non-privileged users. Locally entered connection definitions (using these command buttons) are preserved for the next zero client use after the zero client is powered off and restarted (automatic software updates, however, are not available when the zero client is powered on again).
  • PNAgent/PNLite-only User—This user does not access user profiles, but applications (published by Citrix PNAgent/PNLite services) are available (the IP address of a PNAgent/PNLite server and Domain are entered into the Network Setup dialog box or available through DHCP options 181 and 182). A login dialog box (similar to the standard login dialog box) opens for logging on to the PNAgent/PNLite server. Applications published by PNAgent/PNLite are listed in the Connect Manager (Published applications that add a shortcut to the client desktop will have an icon on the desktop which you can double-click to open). Locally entered connection definitions are not preserved for the next zero client use after the zero client is powered off and restarted.

Network services setup

Before you use the information in this section to configure your network services, be sure you have read Guidelines for network services setup, and remember the following important issues:

  • Restrictions to Network Services can Exist—Zero client network services reside on the enterprise intranet. When setting up zero client network services, remember that if zero clients are to access the enterprise intranet through Dial-up, PPPoE, or PPTP VPN, restrictions imposed by these access paths must be considered.
  • Know How Your Environment Works—Either the FTP server or the Virtual Desktop server (depending on your environment) holds the INI files, while the FTP server (if available) holds the current and upgrade versions of the zero client software. The zero client software is acquired from either local flash memory or the FTP server. During the boot process, the local image is transferred to RAM and executed far enough for the zero client to check the image and the INI files on the file servers. Under direction of the INI files and the version of the remote image, the image in RAM can be replaced with the remote image; and separately, the remote image can update the local flash-memory.
  • Functionality Depends on You—The WTOS INI files contain the parameters and associated values necessary for the various functionality you want. The INI files (wnos.ini file and {username}.ini file) are constructed and maintained by you and are stored on the file server for use with zero clients running WTOS.

Tip


The INI files contain connection definitions and zero client settings. These text-based files must be created and maintained by using an ASCII text editor. If the INI files are omitted or they cannot be accessed because a file server is not used, the zero client user must enter connection definitions locally (or for FTP servers, use what is published by PNAgent/PNLite servers residing on the network).


You can also define connections in the INI files which are to be stored in local NV-RAM and used in cases where the file server fails.

A wnos.ini file contains the “global” parameters that affect all zero clients accessing the file server. A {username}.ini file contains the user-specific or “user profile” parameters that make up the connection profile for an individual user. The zero client accesses the wnos.ini file upon zero client initialization and accesses any individual {username}.ini file when the user logs on (if user login is required, the {username}.ini file must exist before that user can log in). For information on constructing these INI files, see INI Files Reference Guide for Cisco Virtual Experience Client 2112/2212.

To configure network services, use the information in the following sections:

Configure FTP servers

Before you use the information in this section to configure your FTP server, be sure you understand and use the following guidelines:

  • General Guideline—When the zero client boots, it accesses the software update images and INI files from the FTP server. The FTP server and path to the software update files are available through DHCP vendor options 161 and 162 (see DHCP options setup). If these are not specified, the default FTP server is the DHCP server from which the zero client receives its IP address and the default directory (/cisco/wnos). The FTP server and path to the software update files can also be specified locally on the zero client. DHCP options 184 and 185 can be used to provide the User ID and Password for non-anonymous access to the FTP server in WTOS.
  • Non-Anonymous Access Guidelines—You must first create a local account (name the account so that you remember it is a non-anonymous account) on the FTP server defined between the DHCP vendor options 161 and 162 (DHCP server). Then, add DHCP options 184 and 185 to provide the User ID and Password for non-anonymous access to the FTP server. Ensure that option 184 is the account User ID and that option 185 is the account Password, and that you keep consistency with FTP server DHCP vendor options (for example, ensure that the 184 and 185 options are string parameters). Then provide the non-anonymous account with read-only permissions through the entire FTP server path. Be sure to modify these guidelines according to your specific security environment and configuration.
  • Windows FTP Server Guideline—You can use the FTP tools available on the Windows server. For WTOS, this support is not necessary because of the User Interface (UI)/DHCP feature to specify the login ID and password.
  • Linux FTP Server Guideline—Be aware of the following:
    • The FTP server must be configured to offer FTP services (by adding the following line or equivalent to the /etc/inetd.conf file, if it is not already present):
          ftp stream tcp nowait root /usr/sbin/tcpd in.proftpd
    • The FTP server must be configured to support anonymous FTP. For most FTP servers, this requires establishment of an FTP login account by adding the following line or equivalent to the /etc/passwd file:
          ftp:x:17:1:Anonymous FTP directory:/home/ftp:/dev/null/ftp-shell
      The shell file /dev/null/ftp-shell need not exist, but some FTP servers require that it be listed in the /etc/shells file to allow FTP connections on this account.
    • Depending on which Linux distribution you are using, additional modifications to a central configuration file for the FTP daemon may be necessary to enable anonymous FTP. You can try man proftpd, man wuftpd, or man ftpd to access information applicable to your particular FTP daemon.
    • A Linux server used for FTP must support passive FTP.

  • FTP Folder Structure Guidelines—The FTP folder structure that is required by zero clients running WTOS is /cisco/wnos and must be placed under the FTP root folder (if DHCP option tag 162 is not used) or under the folder which has been specified by DHCP option 162. For example, if DHCP option tag 162 has been configured with the name ThinClients and DHCP option tag 161 has been configured with IP address 192.168.1.1, then the zero client will check the folder <FTPRoot>/ThinClients/cisco/wnos for a wnos.ini file and firmware on the FTP server with the IP address (192.168.1.1). Then the optional folders (with their contents) can be placed under the wnos folder as described in Central configuration setup.

To configure an FTP server, complete the following procedure.

Procedure
    Step 1   Create the following directory structure on your FTP server (note that only the wnos folder containing the wnos.ini file is required):

    <path from anonymous user FTP root>/cisco/wnos

    <path from anonymous user FTP root>/cisco/wnos/bitmap

    <path from anonymous user FTP root>/cisco/wnos/cacerts

    <path from anonymous user FTP root>/cisco/wnos/font

    <path from anonymous user FTP root>/cisco/wnos/inc

    <path from anonymous user FTP root>/cisco/wnos/ini

    <path from anonymous user FTP root>/cisco/wnos/locale

    <path from anonymous user FTP root>/cisco/wnos/trace

    Note   

    There is a difference between a path obtained from the DHCP server and a path entered in the UI. If the path is obtained from DHCP, /cisco/wnos is appended. If the path is obtained from the UI, the /cisco portion is not appended; only /wnos is automatically inserted. As written in this first step, the configuration procedure will only work in conjunction with a DHCP server.

    Step 2   If you need to upgrade the firmware for your zero client, place it in the wnos subdirectory of your FTP server. (Copy the ZC0_wnos and ZC0_boot files to the wnos subdirectory.)
    Step 3   Obtain the Sample User INI files (see the INI Files Reference Guide for Cisco Virtual Experience Client 2112/2212 for the example INI files) and copy them into a directory from which they can be examined and modified using an ASCII text editor. These sample files are annotated to allow you to use them as a starter set on your FTP server and can be modified to suit your needs. The sample files include:
    • wnos.kiosk—Example wnos.ini file for a kiosk configuration
    • wnos.login—Example wnos.ini file to enable multiple user accounts
    • user.ini—Template for {username}.ini for individual user profiles
    Step 4   Determine whether all the zero clients served by this FTP server will be used as kiosks or will support individual user accounts. You must rename the downloaded files so that there will be one wnos.ini file available to all users globally; and for a multiple user account configuration there will be a unique {username}.ini file for each user. In addition:
    • If the kiosk configuration is to be used—Change the name of wnos.kiosk to wnos.ini. Otherwise, for multiple user accounts, change the name of wnos.login to wnos.ini.
    • If the individual user account configuration is to be used—Make a copy of the user.ini file for each user name as {username}.ini (where {username} is the name of the user) and place the files in the subdirectory ini of wnos. The files must have read permission enabled, and if users are to be allowed to change their passwords, the files also must have write permission enabled (so that the zero clients can write the encrypted user passwords to them). For Linux servers, use the chmod command to set the read/write permissions. For Microsoft servers, use the Properties dialog box to set read/write permissions.
    Step 5   If desired, you can customize the INI files to match the local environment using the instructions in the INI Files Reference Guide for Cisco Virtual Experience Client 2112/2212. If you modify the INI files to include icons and logos, be sure to place the images in the FTP server /wnos/bitmap subdirectory.
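
    The folder layout from Step 1 and the permission rules from Step 4 and the non-anonymous access guideline, as an added example that is not part of the Cisco guide: a POSIX shell script that builds the tree for the DHCP case and audits it for write access the guide does not call for. It assumes the FTP account reaches the files through the group permission bits; the function names, the user name alice and the temporary root are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Cisco's code. Assumption: the FTP account reads the tree
# through the group permission bits (files are group-owned by its group), so
# "other" gets nothing and group-write is the only write path to police.

# wnos_dir FTPROOT OPT162: on-disk directory a DHCP-configured zero client
# searches, <FTPRoot>/<option 162>/cisco/wnos (option 162 may be empty).
# Leading/trailing slashes are trimmed only to join the path on disk.
wnos_dir() {
    wd_root=${1%/}
    wd_sub=${2#/}; wd_sub=${wd_sub%/}
    if [ -n "$wd_sub" ]; then
        printf '%s/%s/cisco/wnos\n' "$wd_root" "$wd_sub"
    else
        printf '%s/cisco/wnos\n' "$wd_root"
    fi
}

# build_tree FTPROOT OPT162: create the Step 1 folders, print the wnos path.
build_tree() {
    bt_w=$(wnos_dir "$1" "$2")
    for bt_d in bitmap cacerts font inc ini locale trace; do
        mkdir -p "$bt_w/$bt_d"
    done
    printf '%s\n' "$bt_w"
}

# apply_perms WNOS ALLOW_PW: read-only everywhere; ini/*.ini become
# group-writable only when users may change passwords (ALLOW_PW=yes).
apply_perms() {
    find "$1" -type d -exec chmod 750 {} +
    find "$1" -type f -exec chmod 640 {} +
    if [ "$2" = yes ]; then
        find "$1/ini" -type f -name '*.ini' -exec chmod 660 {} +
    fi
}

# audit_tree WNOS ALLOW_PW: print one finding per line; return 1 if any.
audit_tree() {
    at_out=$(
        # Any permission bit granted to accounts outside the FTP group.
        find "$1" \( -perm -004 -o -perm -002 -o -perm -001 \) -print |
            sed 's/^/OTHER-ACCESS /'
        # A writable directory lets the FTP account replace wnos.ini or firmware.
        find "$1" -type d -perm -020 -print | sed 's/^/DIR-WRITABLE /'
        # Writable files, except user profiles when password change is allowed.
        if [ "$2" = yes ]; then
            find "$1" -type f -perm -020 ! -path "$1/ini/*.ini" -print
        else
            find "$1" -type f -perm -020 -print
        fi | sed 's/^/FILE-WRITABLE /'
    )
    [ -z "$at_out" ] && return 0
    printf '%s\n' "$at_out"
    return 1
}

# demo: constructed tree under a temporary root, then simulated drift.
demo() {
    d_root=$(mktemp -d)
    d_w=$(build_tree "$d_root" ThinClients)   # option 162 value from the guide
    : > "$d_w/wnos.ini"; : > "$d_w/ZC0_wnos"; : > "$d_w/ZC0_boot"
    : > "$d_w/ini/alice.ini"                  # constructed user name
    apply_perms "$d_w" yes
    audit_tree "$d_w" yes && echo "clean: $d_w"
    chmod 666 "$d_w/wnos.ini"                 # drift: global INI made writable
    audit_tree "$d_w" yes || echo "findings above need fixing"
    rm -rf "$d_root"
}

if [ "${1:-}" = demo ]; then demo; fi
```

    Run the script with the argument demo to see a clean audit followed by the findings produced when wnos.ini becomes writable.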

    Virtual desktop infrastructure server setup

    When the zero client boots, it accesses the INI files from a Virtual Desktop Infrastructure (VDI) server. VDI servers are available through DHCP vendor option 188 (see DHCP options setup).

    The zero client communicates with a Virtual Desktop Broker server by the sysinit, signon, signoff, and shutdown commands. When the zero client boots and successfully connects in a Virtual Desktop environment, it sends the sysinit command to the Virtual Desktop Broker, which then sends back the wnos.ini file (if a broker connection cannot be made, the zero client will attempt to connect to an FTP or PNLite server). After the zero client successfully receives the wnos.ini from the Virtual Desktop Broker, a sign-on window displays, prompting the user for username and password credentials. The zero client then sends the signon command to the Virtual Desktop Broker with the username and password as its parameter. If the sign-on is successful, the Virtual Desktop Broker server will send back the {username}.ini file (if the sign-on is unsuccessful, the user is prompted again for username and password credentials). The signoff command will be sent when a user disconnects from the connection. The shutdown command will be sent when a user turns off the zero client power.

    XenDesktop support setup

    XenDesktop is supported in WTOS without the need to use a Web browser. To connect to XenDesktop, do not use the VDI Broker parameter. Instead, use the same parameter and configuration that is used when connecting to a PNAgent/Lite server.

    DHCP options setup

    Before you use the information in this section to configure your DHCP server, be sure you understand and use the following guidelines:

    • General Guidelines—The DHCP service provides all zero clients on the network with their IP addresses and related network information when the zero clients boot. DHCP also supplies the IP address and directory path to the zero client software images and user profiles located on the file servers. Use of DHCP is recommended. However, if a DHCP server is not available, fixed IP addresses can be assigned (this does, however, reduce the stateless functionality of the zero clients) and the fixed IP addresses must be entered locally for each device using the zero client Network Setup dialog box as described in Network setup guidelines with FTP and no DHCP and Network setup guidelines with virtual desktop server and no DHCP. Many DHCP options correspond to places in the network configuration UI where the zero client user can enter information manually. Be aware that wherever there is information in the UI and the zero client receives information about the same function from one or more DHCP options, the information received from the DHCP server will replace the information contained in the UI. However, if the zero client does not receive information from the DHCP server about a particular function, the information manually entered in the UI will remain and will be used.
    • LPD Print Server Guideline—If a particular zero client is to function as an LPD print server, it can be assigned a fixed IP address. However, you can also guarantee that an LPD server will always have the same IP address by making a reservation for that zero client in the DHCP server. In that way, you can preserve the stateless nature of the zero client and still guarantee a fixed address for the server. In fact, you can assign a symbolic name to the reservation address so that other zero clients can reference the LPD server by name rather than by static IP address (the symbolic name must be registered with a DNS server before other zero clients will be able to locate this LPD server). The zero client does not dynamically register its name and the DNS registration must be manual.
    • Cisco VXC Manager Guidelines—If you use Cisco VXC Manager, the zero client uses port 80 as the default to access a Cisco VXC Manager server. If a port other than 80 is used to access a Cisco VXC Manager server, use option 187 in the list of DHCP options in the table below (option for a Cisco VXC Manager server is option 186 in the list of DHCP options). Cisco VXC Manager options are the only options used by the zero client that are not in text form.
    • PNAgent/PNLite Server Guidelines—If you use a PNAgent/PNLite server, the zero client uses port 80 as the default to access a PNAgent/PNLite server. If a port other than 80 is used to access a PNAgent/PNLite server, the port number must be specified explicitly with the server location in the form IP:port or name:port (option for a PNAgent/PNLite server is option 181 in the list of DHCP options in the table below).
    • Windows DHCP Server Guidelines—You can use the DHCP tools available on the Windows server.
    • Linux DHCP Server Guidelines—For Linux servers, enter DHCP options 161 and 162 (described in the table below) in /etc/dhcpd.conf (refer to the manual page man dhcpd.conf for more information on DHCP and the syntax of this file). For example, if you want the computer to search ftp://132.237.16.157/pub/serversoftware/wnos, add the following lines to /etc/dhcpd.conf:
          option option-161 132.237.16.157;
          option option-162 "pub/serversoftware$";
      The /wnos suffix is automatically appended to the FTP path, so you should not specify it explicitly. In this case, the actual directory searched will be pub/serversoftware/wnos.
    • DHCP Options Guidelines—WTOS uses several DHCP option tags. These option tags must be created, activated within the DHCP scope(s), and then added for the zero clients to use them. The following figure shows the Windows DHCP Server Predefined Options and Values dialog box that is displayed when right-clicking the DHCP server and selecting Set Predefined Options. The most commonly used tags are 161 and 186. Depending on the Terminal Server environment, more options can be added using the Predefined Options and Values dialog box.


    Use the guidelines shown in the following table when creating and adding the DHCP option tags you need for your zero clients.


    Tip


    Ensure that within the DHCP scope these new DHCP option tags you create are activated (this can be done using the Scope Options dialog box on the DHCP server after you add them, or the Configure Options command before you add them).


    Table 1 DHCP options
    DHCP Option Description Notes
    1 Subnet Mask Required only if the zero client must interact with servers on a different subnet (MS DHCP requires a subnet mask and will always send one).
    2 Time Offset Optional.
    3 Router Optional, but recommended. It is not required unless the zero client must interact with servers on a different subnet.
    6 Domain Name Server (DNS) Optional, but recommended.
    15 Domain Name Optional, but recommended. See Option 6.
    28 Broadcast Address Optional.
    44 WINS servers IP Address Optional.
    51 Lease Time Optional, but recommended.
    52 Option Overload Optional.
    53 DHCP Message Type Recommended.
    54 DHCP Server IP Address Recommended.
    55 Parameter Request List Sent by zero client.
    57 Maximum DHCP Message Size Optional (always sent by zero client).
    58 T1 (renew) Time Optional, but recommended.
    59 T2 (rebind) Time Optional, but recommended.
    61 Client identifier Always sent.
    161 File server (ftp/http/https) Optional string. Can be either the name or the IP address of the file server. If a name is given, the name must be resolvable by the DNS server(s) specified in Option 6. If the option provided by the server is blank or the server provides no value for the field, the machine on which the DHCP server resides is assumed to also be the file server.
    162 Root path to the file server (ftp/http/https) Optional string. If the option provided by the server is blank and the server provides no value for the field, a null string is used. \cisco\wnos is automatically appended to the search path. For example, if you enter pub\serversoftware, the path searched will be pub\serversoftware\cisco\wnos.
    Note: The usage or omission of a leading slash (\) on the path is critical on some servers. Some servers limit access to the root path of the user specified at login. For those servers, the usage of the leading slash is optional. Some UNIX servers can be configured to allow the file user access to the entire file system. For those servers, specifying a leading slash specifies that access is to start at the root file system. Proper matching of the file specification to the file server in use is critical to ensuring proper operation. A secured Windows server requires the slash be specified in order to complete proper access.

    181 PNAgent/PNLite server list Optional string. The zero client uses the server to authenticate the Windows credentials of the user and to obtain a list of ICA published applications valid for the validated credentials. The user supplies those credentials when logging in to the zero client.
    182 NT domain list for PNAgent/PNLite Optional string. The zero client creates a pull-down list of domains from the information supplied in option 182. This list is presented at zero client login in the order specified in the DHCP option (for example, the first domain specified becomes the default). The selected domain is the one which must authenticate the user ID and password. Only the selected domain is used in the authentication process. If the domain list is incomplete and the user credentials must be verified against a domain not in the list (assuming that the server in option 181 is capable of authenticating against a domain not in the list), the user has the option of not using any of the domains specified in option 182 and typing a different domain name at the time of login.
    184 File server Username Optional string. Username to use when authenticating to the server specified in Option 161.
    185 File server Password Optional string. Password to use when authenticating to the server specified in Option 161.
    186 Cisco VXC Manager server list Optional binary IP addresses of Cisco VXC Manager. This option can specify up to two Cisco VXC Manager servers. If two are specified, at boot time the zero client will attempt to check-in to the first server. If it cannot contact the first server it will try to check-in to the second server.
    187 Cisco VXC Manager server port Optional number. Byte, word, or two-bytes array.
    Note: The value of this option tag, when not embedded in Vendor Class Specific Information option, is interpreted in reverse order when it is sent as 2 bytes (for example, the value of 0x0050 was interpreted as 0x5000).

    188 Virtual Desktop Broker port Optional string.
    190 Cisco VXC Manager secure port Optional number. Word, or two-bytes array. Specifies to use HTTPS to communicate with Cisco VXC Manager instead of HTTP.
    192 Cisco VXC Manager server port Optional number. Word, or two-bytes array.
    Note: The value of this option tag represents the same information as option tag 187. The difference is that WTOS interprets the value of this option tag in correct order (for example, the value of 0x0050 is interpreted as 0x0050). If the DHCP server provides both option tag 192 and 187, option tag 192 takes precedence.


    Tip


    The zero client conforms to both RFC-compliant DHCP servers (RFC numbers 2131 and 2132) and RFC-noncompliant Microsoft servers (which NULL terminate strings sent to the zero client). The zero client supports both infinite leases and leases that expire (per RFC 2131 and others).



    Tip


    Not all options in the range 128 to 254 are strings. Options 186, 190, and 192 are employed for all Cisco products that use Cisco VXC Manager. Their format and content are determined by the Cisco VXC Manager product.
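
To show how the option tags in Table 1 look on the wire, the following added example (not Cisco code) decodes a constructed DHCP options field and applies the rules stated above: NULL-terminated strings, two binary addresses in option 186, the reversed reading of option 187, and the precedence of option 192. The sample values, the helper names, and network byte order for option 190 are assumptions.

```python
import ipaddress

def tlv(tag, value):
    """Encode one DHCP option as tag, length, value (RFC 2132)."""
    return bytes([tag, len(value)]) + value

# Constructed sample options field; every value below is made up.
SAMPLE_OPTIONS = (
    tlv(161, b"files.example.test\x00")   # NULL-terminated, Microsoft style
    + tlv(162, b"pub\\serversoftware")
    + tlv(184, b"wtos-fetch")
    + tlv(185, b"constructed-password")
    + tlv(186, bytes([192, 0, 2, 10, 192, 0, 2, 11]))
    + tlv(187, b"\x00\x50")
    + tlv(192, b"\x1f\x90")
    + b"\xff"
)

def parse_options(raw):
    """Return {tag: value} from a raw options field (0 = pad, 255 = end)."""
    opts, i = {}, 0
    while i < len(raw) and raw[i] != 255:
        if raw[i] == 0:
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("truncated option header")
        tag, length = raw[i], raw[i + 1]
        value = raw[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {tag} is truncated")
        opts[tag] = value
        i += 2 + length
    return opts

def text(value):
    """Decode a string option, dropping trailing NULs from non-RFC servers."""
    return value.rstrip(b"\x00").decode("ascii", errors="replace")

def port_187(value):
    """Option 187: a 2-byte value is read reversed (00 50 -> 0x5000)."""
    return int.from_bytes(value, "little")

def port_192(value):
    """Option 192: same setting, read in the order sent (00 50 -> 0x0050)."""
    return int.from_bytes(value, "big")

def wtos_view(raw):
    """Summarise what a zero client would take from these options."""
    o = parse_options(raw)
    servers = o.get(186, b"")
    if len(servers) % 4 or len(servers) > 8:
        raise ValueError("option 186 must hold one or two IPv4 addresses")
    if 192 in o:                      # 192 takes precedence over 187
        port = port_192(o[192])
    elif 187 in o:
        port = port_187(o[187])
    else:
        port = 80                     # default when no port is given
    return {
        # Blank or absent 161: the DHCP server host doubles as file server.
        "file_server": text(o.get(161, b"")) or "<dhcp-server>",
        "root_path": text(o.get(162, b"")),
        "file_user": text(o[184]) if 184 in o else None,
        "password_in_dhcp": 185 in o,  # flag only; never echo the secret
        "vxc_managers": [str(ipaddress.IPv4Address(servers[n:n + 4]))
                         for n in range(0, len(servers), 4)],
        "vxc_port": port,
        # Assumption: option 190 is in network byte order (page does not say).
        "vxc_secure_port": port_192(o[190]) if 190 in o else None,
        "vxc_scheme": "https" if 190 in o else "http",
    }

if __name__ == "__main__":
    for key, val in wtos_view(SAMPLE_OPTIONS).items():
        print(f"{key}: {val}")
```

Running the same decoder over the options field of a captured DHCP reply shows which Cisco VXC Manager port a client will use when a scope carries both option 187 and option 192.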


    DNS setup

    Zero clients accept valid DNS names registered on a DNS server available to the enterprise intranet. In most cases, DNS is not required but may be used to allow hosts to be accessed by their registered DNS names rather than their IP addresses. Every Windows DNS server in Windows 2000 and later includes Dynamic DNS (DDNS) and every server registers dynamically with the DNS server. There are also DDNS implementations available for UNIX environments. However, the zero client does not perform dynamic registration, and therefore, requires a static or non-variant IP address and manual DNS registration in order to provide LPD support by name (for example, in the case where the zero client is used as an LPD printer server or if DHCP is not available). For DHCP entry of DNS domain and server location information, see DHCP options setup.

    WINS setup

    The zero client does not do dynamic registration and therefore, requires a static or non-variant IP address and manual Windows Internet Naming Service (WINS) registration. Use the network address of an available WINS name server. WINS allows the zero client user to specify remote systems by their host names rather than IP addresses. If a specific IP address (instead of a name) is entered for a connection, it rather than WINS will be used to make the connection. These entries are supplied through DHCP, if DHCP is used.


    Tip


    You may use two WINS server addresses, separated by a semicolon, comma, or space. The first address is for the primary WINS server and the second address is for a backup WINS server.


    Cisco VXC Manager server setup

    Cisco VXC Manager servers provide network management services to the zero client (complete user-desktop control—with features such as remote shadow, reboot, shutdown, boot, rename, automatic device check-in support, Wake-On-LAN, change device properties, and so on). Use the IP addresses or host names with optional TCP port number for Cisco VXC Manager servers. Each entry with optional port number is specified in the form IP:port or name:port, where :port is optional (if not specified, port 80 is used).

    Set up Transport Layer Security connections over LAN

    The IEEE 802.1x standard allows a switch port to remain wired or enabled but not permit traffic to traverse the switch until the identity of the client is confirmed. IEEE 802.1x is a security feature. It defines the process of authenticating a wired client to allow the client to communicate with the network. WTOS supports IEEE 802.1x for zero clients to be authenticated to access an Ethernet network. Depending on the EAP type and settings of certain connections, you may be required to download certificates from a Certificate Authority (CA), and then install and configure them for the zero client.

    Use the Network Setup dialog box to configure the authentication options (Classic Desktop - Desktop Menu > System Setup > Network Setup; Cisco VXC Desktop - Cisco VXC Toolbar > System Settings > Network Setup).

    Procedure
      Step 1   Click the Security tab.
      Step 2   Check the Enable IEEE802.1x Authentication check box.
      Step 3   In the EAP Type drop-down list, select an Extensible Authentication Protocol option (either TLS, LEAP, or PEAP).
      Step 4   Use the following guidelines to configure the EAP Type option you selected (note that the maximum length for the username is 31 characters, the password is 31 characters, and the domain is 31 characters):
      • TLS—If you select the TLS option, click Properties to open and configure the Authentication Properties dialog box (you can use Browse to find and select the Client Certificate file and Private Key file you want). Validate Server Certificate is mandatory (be sure the check box is checked). Note that the CA certificate must be installed in the device.
      • LEAP - If you select the LEAP option, click Properties to open and configure the Authentication Properties dialog box (be sure to use the correct Username and Password for authentication).
      • PEAP - If you select the PEAP option, click Properties to open and configure the Authentication Properties dialog box (be sure to select either EAP_GTC or EAP_MSCHAPv2, and then use the correct Username, Password, and Domain, if necessary, for authentication). Validate Server Certificate is optional. To configure EAP-GTC, enter the username only, and the password or PIN will be asked when authenticating. To configure EAP-MSCHAPv2, enter the username, password, and domain (domain/username in the username box is supported, but you must leave the domain box blank). Note that if the Validate server certificate check box is selected, the CA certificate must be installed in the device (the server certificate is forced to be validated).
      Step 5   Click Certificate Mgmt to open the Certificates Browser dialog box.
      Step 6   Select an Import From option (either USB Storage [the default] or File Server) to configure where a user can import a new certificate, click Import, and then use the following guidelines to configure the option you selected:
      • USB Storage: Select a certificate and click OK to import it to local memory.
      • File Server: Enter the path to the certificate, and then enter a username and password.

      Session Services setup

      Before you use the information in this section to configure your ICA and RDP session services, be sure you understand and use the following guidelines:

      • General Guidelines—Be aware of the following:
        • The zero-client session services are made available by servers hosting Citrix ICA and Microsoft RDP software products.
        • A browser must be available through one of the session services to access any on-line help documentation for users.
        • There can be more connections than desktop space to display them.
        • Connections can be defined in persistent memory (with a statement reading enablelocal=yes in the wnos.ini file). These connections can be displayed as desktop icons only in Standalone mode with a Non-privileged user.
        • Only the connections defined in an INI file and containing an icon= clause will be displayed on the desktop (assuming there is adequate desktop space).
        • Connections can be displayed on the desktop without requiring a sign-on (when you define these connections in a wnos.ini file or when the wnos.ini file does not contain a SignOn=yes statement).
      • ICA Guidelines—Independent Computing Architecture (ICA) is a three-tier, server-based computing technology that separates the logic of an application from its user interface. The ICA client software installed on the zero client allows the user to interact with the application GUI, while all of the application processes are executed on the server. ICA connects to NT TSE, Windows Server 2003, or Windows Server 2008 Server hosts that have a Citrix MetaFrame server, Citrix Presentation server, or CDS installed. Load balancing is included. ICA browsing or DNS can be used to resolve the server name. For information on configuring ICA, see ICA session services setup. For detailed information on the supported parameters (in the INI files) that you can use for ICA connections, see INI Files Reference Guide for Cisco Virtual Experience Client 2112/2212.

        Tip


        The ICA server must be licensed from Citrix Systems, Inc. You must purchase enough client licenses to support the total concurrent zero client load placed on the Citrix server farm. A failure to connect when all client seats are occupied does not represent a failure of Cisco equipment. The ICA client software is installed on the zero client.


      • RDP Guideline—Remote Desktop Protocol (RDP), like ICA, is a network protocol that allows a zero client to communicate with the Terminal Server or Windows 2003/2008 Server with Terminal Services over the network. This protocol is based on the T.120 protocol suite, an international standard multi-channel conferencing protocol. For information on configuring RDP, see RDP session services setup. For detailed information on the supported parameters (in the INI files) that you can use for RDP connections, refer to the INI Files Reference Guide for Cisco Virtual Experience Client 2112/2212.

      ICA session services setup

      Before you use the information in this section to configure your ICA session services, be sure you have read Session Services setup.

      ICA session services can be made available on the network using Windows 2003/2008 Server with Terminal Services and one of the following installed:

      • Citrix MetaFrame XP
      • Citrix Presentation Server

      Tip


      If PNAgent/PNLite-published application services are to be made available to the zero clients, see PNAgent/PNLite installation guidelines when installing Citrix MetaFrame XP.


      When using the instructions accompanying these products to install them and make sessions and applications available to the zero clients sharing the server environment, be aware of the following:

      • If a Windows 2003/2008 Server is used, a Terminal Services Client Access License (TSCAL) server must also reside somewhere accessible on the network. The server will grant a temporary (120-day) license on an individual device basis. Beyond the temporary (120-day) license, you must purchase TSCALs and install them on the TSCAL server (you will not be able to make a connection without a temporary or permanent license).
      • It is recommended that any ICA connection which traverses a Dial-up or WAN connection have Lowband=yes set in the INI files or the Optimize for Low Speed Link option selected in the Connection Settings (ICA) dialog box.
      • If an ICA connection is created using the Connect Manager and the Host Names or Application Name text box is left blank, a message appears prompting the user to enter the IP Address or Server Name of the ICA server to which to connect.
      • An audio input port is available (Audio can be recorded).

      PNAgent/PNLite installation guidelines

      PNAgent/PNLite is a component of the Citrix XML publishing service. PNAgent/PNLite is an ICA connection mode that enables the zero client to connect to applications available (published) on an ICA server without having to configure connections for individual published applications.

      Use the following guidelines during installation:

      • MetaFrame XP—Installing MetaFrame XP supports XML publishing services. During installation, a series of prompts appear for you to follow. When you are prompted to install the XML Publishing Service, be aware that clicking Yes to this option allows you to change the default port (80) used by the service.
      • Citrix Presentation Server—Installing Citrix Presentation Server supports XML publishing services. During installation, a series of prompts appear for you to follow.

      The port to be used for XML publishing services must be known for making appropriate PNAgent/PNLite server location entries required by the operating mode. For related information, refer to DHCP options setup and the INI Files Reference Guide for Cisco Virtual Experience Client 2112/2212. The zero client uses port 80 as the default port, but if a port other than 80 is used, the port number must be specified explicitly with the PNAgent/PNLite server location in the form IP:port or name:port, where :port is optional.

      RDP session services setup

      Before you use the information in this section to configure your RDP session services, be sure you have read Session Services setup.

      RDP session services can be made available on the network using any of the following:

      • Windows 2003/2008 Server with Terminal Services installed
      • Windows NT 4.0 Terminal Services (WTS) Edition
      • Windows XP

      When using the instructions accompanying these products to install them and make sessions and applications available to the zero clients sharing the server environment, be aware of the following:

      • If a Windows 2003/2008 Server is used, a Terminal Services Client Access License (TSCAL) server must also reside somewhere accessible on the network. The server will grant a temporary (90-day) license on an individual device basis. Beyond the temporary (90-day) license, you must purchase TSCALs and install them on the TSCAL server (you will not be able to make a connection without a temporary or permanent license).
      • It is recommended that any RDP connection which traverses a Dial-up or WAN connection have Lowband=yes set in the INI files or the Optimize for Low Speed Link option selected in the Connection Settings (RDP) dialog box.
      • If an RDP connection is created using the Connect Manager and the Host Names or Application Name text box is left blank, a message appears prompting the user to enter the IP Address or Server Name of the RDP server to which to connect.
      • WTOS supports an RDP connection with no encryption (found in older versions of Microsoft NT4-TSE servers).
      • WTOS supports server browsing over Server Message Block (SMB) when defining an RDP connection. SMB browsing restrictions mean that the server desired may not be listed, in which case the user will need to know either the name or IP address of the target server and enter that information into the text box (as it will not appear in the pull-down list).

      Software updates

      The software version is embedded in both the RAM and flash memory images. This version information is used to compare the images on the file server to the currently-loaded flash image on the zero client. A major revision number supersedes a minor revision number when making the comparison. In turn the minor version number takes precedence over the build number. The image names and date-time stamps determine whether or not the update is newer than the version currently installed on the zero client.


      Tip


      The code identifier is split into four parts, the major release identifier, the minor release identifier, the build number identifier, and the sub-build number identifier (if the sub-build number is 0, it will not be displayed). Each part is compared to the current code internal identifier in the same format. If the file identifier is greater, the update is performed. If the file identifier is less, the update is abandoned. If the file identifier is equal, the next term is examined until the build identifiers are found to be equal and the update is abandoned. This comparison process using the build number can be important in cases where you are using a beta release, or in cases where you need to reinstall a release with the same major and minor numbers but with an updated build.


      After obtaining software updates from Cisco, you must replace the existing software images in the wnos subdirectory on the FTP server to allow the zero clients to automatically detect and self-install the new software (upon zero client system start). The file server address and exact path to these files are specified in DHCP Options 161 and 162 (if DHCP is not used, the path is specified in the Network Setup dialog box on the zero client).

      Each time a zero client boots, it checks the software images on the file server, and if configured, automatically performs an update if a newer version is detected. Whether or not an update is performed depends on the AutoLoad parameter setting in the wnos.ini file as described in the INI Files Reference Guide for Cisco Virtual Experience Client 2112/2212.

      Be aware that there is a significant distinction between using DHCP and not using DHCP to access the various necessary files as follows:

      • If DHCP is used, zero client software automatically inserts the path command /cisco following what it receives from the DHCP server (unless the path is terminated by a $); this is done only if a value is received from DHCP. The dollar sign character ($) acts as a flag that notifies WTOS that the absolute path has been given (that is, where it expects to find WTOS configuration files inside a “wnos” folder) instead of the relative path (where it expects to find the general “cisco” configuration folder).
      • If DHCP is not used and the configuration is done manually, the full path up to the wnos component must be inserted; there is no automatic /cisco insertion and no $ processing.
      • Note that WTOS software does not recognize a $ terminator as a legal meta-character in a locally entered string.
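
The path rules in the list above and the term-by-term identifier comparison from the earlier tip, written out as an added example (not Cisco code) so that the directory a client reads from, and whether an image placed there would be installed, can be checked before a rollout. Function names, sample paths and identifiers are constructed; appending the wnos folder to a manually entered path and using a bare wnos folder when DHCP supplies no value are assumptions drawn from the wording above, and the AutoLoad setting is not modelled.

```python
TERMS = ("major", "minor", "build", "sub-build")

def _join(base, *rest):
    """Join path parts while keeping a leading slash on base if it has one."""
    tail = "/".join(rest)
    if not base:
        return tail
    return base.rstrip("/") + "/" + tail

def search_path(configured, via_dhcp):
    """Directory the zero client searches for wnos.ini and firmware images.

    configured: option 162 value (via_dhcp=True) or the locally entered path.
    Backslashes are normalised to forward slashes for display only.
    """
    path = configured.replace("\\", "/")
    if not via_dhcp:
        # Manual entry: no /cisco insertion, and '$' is an ordinary character.
        return _join(path, "wnos")
    if path.endswith("$"):
        # '$' flags an absolute path: the wnos folder sits directly under it.
        return _join(path[:-1], "wnos")
    if path:
        return _join(path, "cisco", "wnos")
    # Assumption: with no value from DHCP nothing is inserted before wnos.
    return "wnos"

def update_decision(file_id, flash_id):
    """Compare code identifiers term by term; return (action, deciding term).

    Identifiers are tuples (major, minor, build[, sub-build]); a missing
    sub-build counts as 0, matching the rule that a 0 sub-build is not shown.
    """
    pad = lambda ident: tuple(ident) + (0,) * (len(TERMS) - len(ident))
    for name, on_server, in_flash in zip(TERMS, pad(file_id), pad(flash_id)):
        if on_server > in_flash:
            return ("update", name)
        if on_server < in_flash:
            return ("abandon", name)
    return ("abandon", None)          # identical identifiers: nothing to do

if __name__ == "__main__":
    # Constructed inputs, modelled on the pub\serversoftware example above.
    print(search_path("pub\\serversoftware", via_dhcp=True))
    print(search_path("/srv/images$", via_dhcp=True))
    print(search_path("/srv/images$", via_dhcp=False))
    print(update_decision((7, 1, 118), (7, 1, 117)))
    print(update_decision((7, 1, 118), (7, 1, 118)))
```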

      Tip


      Citrix ICA Auto-Update does not function for the ICA client installed on the zero client; the ICA client is fully contained in the zero client system and can only be updated by changing that entire system. The RDP client is also not replaceable.



      Caution


      Interrupting power during the update process can corrupt the FLASH on the zero client. Zero clients with corrupted FLASH must be shipped to Cisco for service.



      Tip


      Note the following zero client update process:

      If called for, the zero client first searches in the wnos directory for the following file:

      ZC0_wnos

      If the file exists with a different internally encoded version number than the image currently in flash memory, and depending on the wnos.ini file AutoLoad parameter setting, the zero client will load this image into flash and reboot.


      Icon and logo management

      Icons and logos specified in the INI files must be placed in the file server /wnos/bitmap subdirectory. Icons are specified in the Icon clause of the connection statement and logos are specified in the FormURL statement. Supported image file types include .ico (icon), .bmp (bitmap), .jpg (JPEG), and .gif (GIF). Color depth for logos can be up to 256 colors. Color depth for icons can be 16 colors. It is recommended that .jpg format not be used for desktop icons.

      Use the following guidelines:

      • Typical desktop icons are 64 x 48 pixels.
      • Typical sign-on logos are 100 x 61 pixels, with transparent background.
      • Maximum size for sign-on logos is 352 x 80 pixels (if smaller than this, it will be positioned in the upper-left corner).

      System lockdown operations

      Lockdown status for a zero client is set or removed using the LockDown clause of the Privilege statement in the INI files. Lockdown establishes the default privilege level following zero client boot and before any privilege statement is read from an INI file. Access to many facilities is affected by the privilege level.

      • Non-Lockdown Operation—For normal operation, Low-privileged and Non-privileged users may access the Network Setup dialog box by temporarily disconnecting the Ethernet cable from the zero client and rebooting to Standalone user mode. The Network Setup dialog box can also be accessed after resetting the zero client to factory defaults by a G-key reset to factory default or using the Reset the System Setting to Factory Defaults check box in the Sign-off/Shutdown window of any user with sufficient privilege to the Sign-off/Shutdown window.
      • Lockdown Operation—In most cases, access to the resources available when the system is not locked down is desirable; however, network environments requiring maximum security should not permit uncontrolled changes to zero client network access. Most facilities would include a Privilege with LockDown statement in the wnos.ini file and might override the privilege in a {username}.ini file without modifying the lockdown privilege. Thus, an administrator could log into any unit and have sufficient privilege to modify the configuration of that unit without altering the default privilege at the next reboot.

      Caution


      If the unit is configured for Dial-up access, there must be an RAS server answering the configured telephone number. Otherwise, the unit will require factory attention to recover it.