May 14, 2019
 

On a fresh or existing WSUS install, you may notice that the WSUS Administrator MMC applet stops functioning and presents the error “Error: Connection Error – An error occurred trying to connect to the WSUS Server.”

I originally experienced this on Windows Server Update Services running on Windows Server 2012 R2 and applied the fix. Recently, I deployed Windows Server Update Services on a new Windows Server 2019 – Server Core install, and experienced this issue during the first synchronization. Before realizing what the issue was, I attempted to re-install WSUS and IIS from scratch numerous times until I came across old notes. One would have thought they would have resolved this issue on a new server operating system.

When the issue occurs, all processes will appear to be running on the server. Looking at the server event log, you’ll notice multiple application errors:

  • Event ID: 13042 - Windows Server Update Services
    Description: Self-update is not working.
  • Event ID: 12002 - Windows Server Update Services
    Description: The Reporting Web Service is not working.
  • Event ID: 12012 - Windows Server Update Services
    Description: The API Remoting Web Service is not working.
  • Event ID: 12032 - Windows Server Update Services
    Description: The Server Synchronization Web Service is not working.
  • Event ID: 12022 - Windows Server Update Services
    Description: The Client Web Service is not working.
  • Event ID: 12042 - Windows Server Update Services
    Description: The SimpleAuth Web Service is not working.
  • Event ID: 12052 - Windows Server Update Services
    Description: The DSS Authentication Web Service is not working.
  • Event ID: 12072 - Windows Server Update Services
    Description: The WSUS content directory is not accessible.
    System.Net.WebException: The remote server returned an error: (503) Server Unavailable.
       at System.Net.HttpWebRequest.GetResponse()
       at Microsoft.UpdateServices.Internal.HealthMonitoring.HmtWebServices.CheckContentDirWebAccess(EventLoggingType type, HealthEventLogger logger)

You will also see the below error message when attempting to use the WSUS MMC.

WSUS Connection Error presented when memory issue occurs
WSUS 503 Error: Connection Error

The Problem

This issue occurs because the WSUS application pool in IIS “WsusPool” has reached its maximum private memory limit and attempts to recycle the memory usage.

Ultimately I believe this causes the IIS worker process to crash since it has run out of memory, and the pending command (whether it’s a synchronization or something else) fails to complete.

Previously, I noticed database corruption on a WSUS SQL Express database when this issue occurred, so I recommend applying the fix on a fresh install of WSUS.

The Fix

To resolve this issue, we need to adjust the max

  1. On the server running WSUS and IIS, open the “Internet Information Services (IIS) Manager” inside of the “Windows Administrative Tools” (found in the start menu, or Control Panel).
    Internet Information (IIS) Services in Start Menu
  2. On the left hand side under “Connections”, expand the server, and select “Application Pools”.
    IIS Application Pools Selected
  3. On the right hand side under “Application Pools” heading, right-click on “WsusPool” and select “Advanced Settings”.
    WsusPool Application Pool Selected with Right-Click
  4. In the “Advanced Settings” window, scroll down until you see “Private Memory Limit (KB)”. Either change this to “0” (as shown below) to set no memory limit, or increase the limit to the value you prefer.
    Private Memory Limit set to "0" in WsusPool IIS Application Pool
  5. Select “Ok” to close the window.
  6. Restart IIS by running “iisreset” from an administrative command prompt, restarting the server, or selecting “Restart” under “Manage Server” when looking at the default pane in IIS when the server is selected.

The issue should now be resolved and your WSUS server should no longer be crashing.

If you are applying this fix on a Server Core install, you’ll need to connect remotely to the IIS instance to apply the fix.

May 08, 2019
 
vSphere Logo Image

We’ve all been in the situation where we need to install a driver, vib file, or check “esxtop”. Many advanced administration tasks on ESXi need to be performed via shell access, and to do this you either need a console on the physical ESXi host, an SSH session, or use the Remote vCLI.

In this blog post, I’m going to be providing a quick “How to” enable SSH on an ESXi host in your VMware Infrastructure using the vCenter flash-based web administration interface. This will allow you to perform the tasks above, as well as use the “esxcli” command which is frequently needed.

This method should work on all vCenter versions up to 6.7, and ESXi versions up to 6.7.

How to Enable SSH on an ESXi Host Server

  1. Log on to your vCenter server.
    vCenter Server Login Window
  2. On the left hand “Navigator” pane, select the ESXi host.
    ESXi Navigator Pane on vCenter Web Interface
  3. On the right hand pane, select the “Configure” tab, then “Security Profile” under “System”.
    ESXi Host Configuration under Configure Tab in Web Interface
  4. Scroll down and look for “Services” further to the right and select “Edit”.
    ESXi Host Services in Host Configuration
  5. In the “Edit Security Profile” window, select and highlight “SSH” and then click “Start”.
    ESXi Services List on vCenter web interface
  6. Click “Ok”.

This method can also be used to stop, restart, and change the startup policy to enable or disable SSH starting on boot.

Congratulations, you can now SSH in to your ESXi host!

May 07, 2019
 
VMware Horizon View Icon

So you’ve started to use or test Duo Security’s MFA/2FA technology on your network. You’ve been happy so far and you now want to begin testing or rolling out DUO MFA on your VMware Horizon View server.

VMware Horizon is great at providing an end user computing solution for your business, a byproduct of which is an amazing remote access system. With any type of access, especially remote, comes numerous security challenges. DUO Security’s MFA solution is great at providing multi-factor authentication for your environment, and fully supports VMware Horizon View.

In this guide, I’ll be providing a quick how-to on getting set up and configured with DUO MFA on your Horizon Server to authenticate View clients.

DUO Security Login VMware View Client Dialog Box
DUO Security Login VMware View Client

Enabling DUO MFA on VMWare View will require further authentication from your users via one of the following means:

  • DUO Push (Push auth request to mobile app)
  • Phone call (On user’s pre-configured phone number)
  • SMS Passcode (Texted to user’s pre-configured phone number)
  • PIN code from a Hardware Token

For more information on the DUO technology and authentication methods, please visit
https://www.digitallyaccurate.com/blog/2018/06/12/secure-business-enterprise-it-systems-multi-factor-authentication-duo-mfa/

Prerequisites

  • VMware Horizon View Connection Server (Configured and working)
  • VMware View Client (for testing)
  • DUO Authentication Proxy installed, configured, and running (integrated with Active Directory)
  • Completed DUO Auth Proxy config along with “[ad_client]” as primary authentication.

Please Note: For this guide, we’re going to assume that you already have a Duo Authentication Proxy installed and fully configured on your network. The authentication proxy server acts as a RADIUS server that your VMware Horizon View Connection Server will use to authenticate users against.

Instructions

The instructions will be performed in multiple steps. This includes adding the application to your DUO account, configuring the DUO Authentication Proxy, and finally configuring the VMware View Connection Server.

Add the application to your DUO account

  1. Log on to your DUO account, on the left pane, select “Applications”.
  2. Click on the Blue button “Protect an Application”.
  3. Using the search, look for “VMware View”, and then select “Protect this Application”.
  4. Record the 3 fields labelled “Integration key”, “Secret key”, and “API hostname”. You’ll need these later on your authentication proxy.
  5. Feel free to modify the Global Policy to the settings you require. You can always change and modify these later.
  6. Under Settings, we’ll give it a friendly name, choose “Simple” for “Username normalization”, and optionally configure the “Permitted Groups”. Select “Save”.

Configure the DUO Authentication Proxy

  1. Log on to the server that is running your DUO Authentication Proxy.
  2. Open the file explorer and navigate to the following directory.
    C:\Program Files (x86)\Duo Security Authentication Proxy\conf
  3. Before any changes I always make a backup of the existing config file. Copy and paste the “authproxy.cfg” file and rename the copy to “authproxy.cfg.bak”.
  4. Open the “authproxy.cfg” file with notepad.
  5. Add the following to the very end of the file:
    ;vmware-view
    [radius_server_challenge]
    ikey=YOUR_INTEGRATION_KEY
    skey=YOUR_SECRET_KEY
    api_host=YOUR-API-ADDRESS.duosecurity.com
    failmode=safe
    client=ad_client
    radius_ip_1=IP-ADDY-OF-VIEW-SERVER
    radius_secret_1=SECRETPASSFORDUOVIEW
    port=1813
    Using the values from the “Protect an Application” page, replace the “ikey” with your “integration key”, “skey” with your “secret key”, and “api_host” with the API hostname that was provided. Additionally “radius_ip_1” should be set to your View Connection Server IP, and “radius_secret_1” is a secret passphrase shared only by DUO and the View connection server.
  6. Save the file.
  7. Restart the DUO Authentication Proxy either using Services (services.msc), or run the following from a command prompt:
    net stop DuoAuthProxy & net start DuoAuthProxy
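
An added example, not part of the original guide or Duo's tooling: a Python audit of the “[radius_server_challenge]” stanza above, run against the file before restarting the proxy. It flags template values left unreplaced, “failmode=safe” (if Duo's service cannot be reached, users who pass primary authentication are let in without a second factor), and port 1813 (the registered RADIUS accounting port; 1812 is authentication). The function name, finding codes, the 16-character secret floor and the sample “[ad_client]” and hardened values are assumptions made for illustration.

```python
import configparser
import re

# Template values that appear in the guide's stanza and must be replaced.
PLACEHOLDERS = (
    "YOUR_INTEGRATION_KEY", "YOUR_SECRET_KEY", "YOUR-API-ADDRESS",
    "IP-ADDY-OF-VIEW-SERVER", "SECRETPASSFORDUOVIEW",
)
MIN_SECRET_LEN = 16  # assumption: a local policy floor, not a Duo requirement

# Constructed sample: the guide's stanza, unedited, plus a minimal [ad_client].
SAMPLE_CFG = """\
[ad_client]
host=dc01.example.local

;vmware-view
[radius_server_challenge]
ikey=YOUR_INTEGRATION_KEY
skey=YOUR_SECRET_KEY
api_host=YOUR-API-ADDRESS.duosecurity.com
failmode=safe
client=ad_client
radius_ip_1=IP-ADDY-OF-VIEW-SERVER
radius_secret_1=SECRETPASSFORDUOVIEW
port=1813
"""

# Constructed sample: the same stanza with every finding addressed.
HARDENED_CFG = """\
[ad_client]
host=dc01.example.local

[radius_server_challenge]
ikey=DIXXXXXXXXXXXXXXXXXX
skey=constructed-not-a-real-secret-key-0000000
api_host=api-00000000.duosecurity.com
failmode=secure
client=ad_client
radius_ip_1=192.0.2.10
radius_secret_1=Constructed%Shared-Secret-01
port=1812
"""


def audit_authproxy(cfg_text):
    """Return (section, key, code) findings for every radius_server_* section."""
    # interpolation=None: secrets may legitimately contain '%'.
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(cfg_text)
    findings = []
    for name in parser.sections():
        if not name.startswith("radius_server_"):
            continue
        sec = parser[name]
        # 1. Values copied from the guide and never replaced.
        for key, value in sec.items():
            if any(p in value for p in PLACEHOLDERS):
                findings.append((name, key, "PLACEHOLDER"))
        # 2. Anything other than "secure" fails open when Duo is unreachable
        #    ("safe" is also what applies when the key is omitted).
        if sec.get("failmode", "safe").strip().lower() != "secure":
            findings.append((name, "failmode", "FAIL_OPEN"))
        # 3. 1813 is the registered RADIUS accounting port; firewalls and
        #    monitoring may classify the traffic as accounting.
        if sec.get("port", "1812").strip() == "1813":
            findings.append((name, "port", "ACCOUNTING_PORT"))
        # 4. "client" must name a section that exists in the same file.
        client = sec.get("client", "").strip()
        if not client or not parser.has_section(client):
            findings.append((name, "client", "MISSING_CLIENT_SECTION"))
        # 5. Every radius_ip_N needs a radius_secret_N of reasonable length.
        for key in sec:
            match = re.fullmatch(r"radius_ip_(\d+)", key)
            if not match:
                continue
            secret_key = "radius_secret_" + match.group(1)
            secret = sec.get(secret_key)
            if secret is None:
                findings.append((name, secret_key, "MISSING_SECRET"))
            elif len(secret) < MIN_SECRET_LEN:
                findings.append((name, secret_key, "SHORT_SECRET"))
    return findings


if __name__ == "__main__":
    for section, key, code in audit_authproxy(SAMPLE_CFG):
        print(f"[{section}] {key}: {code}")
```

If the port is moved back to 1812, the port in the View Connection Server's RADIUS authenticator has to be changed to match.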

Configure the VMware View Connection Server

  1. Log on to your server that runs your VMware View Connection Server.
  2. Open the VMware Horizon 7 Administrator web interface and log on.
    Horizon 7 Administrator Launch Icon Screenshot
  3. On the left hand side, under “Inventory”, expand “View Configuration” and select “Servers”.
    View Configuration and Servers highlighted on Left Pane
  4. On the right hand side in the “Servers” pane, click on the “Connection Servers” tab, then select your server, and click “Edit”.
    Select Connection Server in Server Pane Window
  5. On the “Edit Connection Server Settings” window, click on the “Authentication” tab.
    Authentication under Edit Connection Settings Window
  6. Scroll down to the “Advanced Authentication” section, and change the “2-factor authentication” drop down, to “RADIUS”. Check both check boxes for “Enforce 2-factor and Windows user name matching”, and “Use the same user name and password for RADIUS and Windows Authentication”.
    Advanced Auth Settings for DUO in Authentication Tab Dialog Window
  7. Below the check boxes you will see “Authenticator”. Open the drop down, and select “Create New Authenticator”.
  8. In the “Add RADIUS Authenticator” window, give it a friendly name, friendly description, and populate the fields as specified in the screenshot below. You’ll be using the shared RADIUS/DUO secret we created above in the config file for the proxy auth.
    Edit RADIUS Authenticator VMware View Window
    Please Note that I changed the default RADIUS port in my config to 1813.
  9. Click “Ok”, then make sure the newly created authenticator is selected in the drop down. Proceed to click “Ok” on the remaining windows, and close out of the web interface.

That’s it!

You have now completely implemented DUO MFA on your Horizon deployment. Now when users attempt to log on to your VMware View Connection server, after entering their credentials they will be prompted for a second factor of authentication as pictured below.

DUO Security MFA authenticate VMware View Client dialog box
DUO Security MFA authenticate VMware View Client

VMware Horizon View is now fully using MFA/2FA.

Leave a comment!

May 07, 2019
 
Sophos UTM with SFP Modules Picture

In the many years I’ve been providing IT services, I’ve noticed that whenever I take over a customer from a competitor, or provide consulting services for a company that has IT staff, I don’t see DHCP reservations being used all that frequently.

I wanted to write a post to discuss the comparison, when each should be used and the various case scenarios. I’m hoping my readers may provide their own input in the comments.

As an example: when a customer was purchasing a VoIP PBX, the PBX vendor got angry when I requested that it be configured for DHCP so that a DHCP reservation could be used. I advised that I’d prefer this method so I could change the IP when needed for maintenance or network restructuring. They tried to convince me the IP will change on a DHCP Server and the port forwarding will stop working, because they simply had no idea of what a DHCP reservation was. Ultimately when the day came where I had to change the IP and firewall rules for the PBX, I had to log a support call with the vendor since I couldn’t change the IP myself (which resulted in delays, and costs). If we were using DHCP reservations, I could have simply modified the firewall rules, modified the IP address on the reservation, and restarted the device using the buttons on the front panel (I didn’t have any other access to the device).

Just to state the obvious:

  • A static IP address is an IP address that’s manually set on a NIC (Network Interface Card).
  • A DHCP Reservation is a pre-set IP that’s provided by a DHCP Server, and given to a NIC when a NIC calls out to a DHCP server for an IP address.

Static IP Addresses

It’s my opinion that server, network, core, and all top level infrastructure devices and services should be configured with Static IP addresses.

These devices which are almost always running, and have other services that rely on them, require a set static IP that should and will not change. Typically, these IP addresses will never change, even when major changes are being made to the core infrastructure.

These addresses should always be logged, documented, and added to network topology maps.

Examples of devices commonly seen with Static IPs:

  • Servers
  • Storage (SAN, NAS)
  • Network Switches, Routers, Gateways, Load Balancers
  • Printers
  • Wireless Access Points
  • Computers/Workstations using special services (or requiring firewall exceptions)

DHCP Reservations

DHCP stands for Dynamic Host Configuration Protocol, and was created to dynamically configure a host’s network configuration on the fly for easy deployment.

In the simplest terms, when a computer (or device) that is configured to use DHCP reaches out to the network, the DHCP server will assign and provide an IP address for the computer to use.

In home networks, pretty much every computer and device will get its IP address from the DHCP server running on the router.

In business networks, pretty much every computer and device that isn’t hosting services will get its IP address from the DHCP server running on one of their servers or routers.

DHCP Servers support something called a “DHCP Reservation”, which essentially allows you to provide a pre-set IP address to a specific client based on its physical MAC address. This means that the device will always get the same IP address and it will never change (whereas dynamically assigned addresses typically do change on occasion).

I’m surprised I don’t see these used more often, as they can become quite the powerful tool on the IT tool belt when used properly. I’ve listed some pros and cons below.

The Pros:

  • Manage IP addresses (IP reservations) from a single console
  • Ability to change IP addresses on the fly easily from a single console without having to log in to the device.
  • Manage network topology for ROBO (Remote Office, Branch Office) remotely, easily, and efficiently.
  • Manage IP addresses for 3rd party devices that you don’t normally have access to modify (tell the vendor to set to DHCP), reducing support calls for external services.
  • Ability to create different PXE boot environments as each reservation can have its own PXE boot options assigned.

The Cons:

  • Device must support DHCP Configuration.
  • The device MUST RELY on a DHCP Server once set to use DHCP. If the DHCP Server is down, so is the device.
  • If rogue DHCP servers appear on your network, it may disrupt communication (this can also happen with static IPs and conflicts).

So with the list above, DHCP reservations look pretty powerful. The next question is: where do we use DHCP reservations? Let’s finish off with the devices we’d use them on, and what use case scenarios apply.

Devices:

  • Wireless Access Points
  • Printers
  • 2nd Level (non core) Routers and Gateways
  • IoT Devices
  • IP Phones
  • IP PBX Systems (VoIP, Traditional with IP Management, etc).
  • Thin Clients and Zero Clients

Use Cases:

  • Remote Offices (remote sites with limited access)
  • Remote Support environments
  • Branch Offices
  • IP Phone Networks
  • Wireless LAN Access Point VLANs

DHCP Reservation Use Cases

I use DHCP reservations frequently with customers that have remote or branch offices in remote geographical areas. When supporting these users and troubleshooting issues, it’s awesome to be able to just log in to the DHCP server to change IP addresses of printers, phones, and wireless access points.

Also, when configuring, shipping, and deploying new devices to these offices, I can simply log and write down the MAC address, configure the DHCP reservation, and the device will get the IP address I’ve chosen once it’s connected to the network and powered on.

Using DHCP reservations, you can easily make big changes to these remote networks without having to be present. If you were to use Static IPs and something was misconfigured, this might cause a physical visit to the site to resolve.

If by chance a vendor directly dropships equipment to the remote site, I can simply call someone at that office to get the MAC address. Most devices with a NIC (printers, MFPs, wireless access points) usually have their MAC addresses printed on the outside of the box. With this information provided, I can login to the remote server, create a DHCP reservation, configure drivers, and push the device config out to the network.

DHCP reservations add to the whole concept of a centrally managed environment, which makes it easier to maintain and support.

Leave a comment and let me know your thoughts!

May 06, 2019
 
10ZiG 5948qv Zero Client VMware Horizon View

You have VMware Horizon View deployed along with Duo Multi-Factor Authentication (2FA, MFA), and you’re having user experience issues with 10ZiG Zero Clients and multiple login dialog boxes, and are planning how to deal with the MFA logins.

I spent some time experimenting with numerous different settings trying to find the cleanest workaround that wouldn’t bother the user or mess up the user experience. I’m going to share with you what I came up with below.

The Issue

When you have DUO MFA deployed on VMware Horizon, you may experience login issues when using a 10ZiG Zero Client to access the View Connection Server. This is because the authentication string (username, password, and domain) isn’t passed along correctly from the 10ZiG Login Dialog Box to the VMware Horizon View Client application.

Additionally, when DUO is enabled on VMware View (as a RADIUS authentication), there is no domain passed along inside of the DUO login prompt on the view client.

This issue is due to limitations in the VMware Horizon View Linux Client. This issue can and will occur on any system, thin-client, or Zero Client that uses a command string to initialize a VMware View session where DUO is configured on the View Connection Server.

Kevin Greenway, the CTO at 10ZiG, reached out to say that they have previously brought this up with VMware as a feature request (to support the required functionality), and are hopeful it gets committed.

At this point in time, we’d like to recommend everyone to reach out to VMware and ask for this functionality as a feature request. Numerous simultaneous requests will help gain attention and hopefully escalate it on VMware’s priority list.

The Workaround

After troubleshooting this, and realizing that the 10ZiG VMware login details are completely ignored and not passed along to the VMware View client, I started playing with different settings to test the best way to provide the best user experience for logging in.

At first I attempted to use the Kiosk mode, but had issues with some settings not being passed from the 10ZiG Client to the View Client.

Ultimately I found the perfect tweaking of settings that created a seamless login experience for users.

The Settings

On the 10ZiG Zero Client, we view the “Login” details of the “VMware Horizon Settings” dialog box.

10ZiG Zero Client VMware Horizon Settings Login Settings Dialog Box
10ZiG Zero Client VMware Horizon Settings Login Settings
  • Login Mode: Default
  • Username: PRESS LOGIN
  • Password: 1234
  • Domain: YourDomain

Please Note: In the above, because DUO MFA is enabled, the “Username”, “Password” and “Domain” values aren’t actually passed along to the VMware View application on the Zero Client.

We then navigate to the “Advanced” tab, and enable the “Connect once” option. This will force a server disconnection (and require re-authentication) on a desktop pool logoff or disconnection.

10ZiG Zero Client VMware Horizon Settings Advanced Settings Dialog Window
10ZiG Zero Client VMware Horizon Settings Advanced Settings

Please Note: This option is required so that when a user logs off, disconnects, or gets cut off by the server, the Zero Client fully disconnects from the View Connection Server which causes re-authentication (a new password prompt) to occur.

The Login User Experience

So now that we’ve made the modifications to the Zero Client, I want to outline what the user experience will look like from Boot, to connection, to disconnection, to re-authentication.

  1. Turning on the 10ZiG Zero Client, you are presented with the DUO Login Prompt on the View Connection Server.
    DUO Security Login VMware View Client Dialog Box
  2. You then must pass 2FA/MFA authentication.
    DUO Security MFA authenticate VMware View Client dialog box
  3. You are then presented with the desktop pools available to the user.
  4. Upon logging off, disconnecting, or getting kicked off the server, the session is closed and you are presented with the 10ZiG VDI Login Window.
    10ZiG Zero Client VMware View Login Dialog Window
  5. To re-establish a connection, click “Login” as instructed by the “Username” field.
  6. You are presented with the DUO Login Window.
    DUO Security Login VMware View Client Dialog Box
  7. And the process repeats.

As you can see it’s a simple loop that requires almost no training on the end user side. You must only inform the users to click “Login” where the prompt advises to do so.

Once you configure this, you can add it to a configuration template (or generate a configuration template), and then deploy it to a large number of 10ZiG Zero Clients using 10ZiG Manager.

Let me know if this helps, and/or if you find a better way to handle the DUO integration!

May 06, 2019
 
10ZiG 5948q Zero Client

You’ve created some configuration templates, modified them to reflect the settings you need, and now you want to deploy the configuration template to your 10ZiG Zero Clients using the 10ZiG Manager.

In this post, we’ll be going over how to deploy an existing configuration template that is stored inside of your 10ZiG Manager management software.

This allows you to push out configs on the fly to either a single device, or 10,000 devices at once. This is a MUST for managing small, medium, and large sized 10ZiG deployments.

This post is part three of a three part 10ZiG Manager Tutorial series:

Please Note: we are going to assume you have created a configuration template, have modified it to the settings you required, and have your network properly configured for 10ZiG Manager to function.

Instructions

  1. Open the 10ZiG Manager.
    10ZiG Manager Logged In Main Window
  2. Choose the 10ZiG Zero Client(s) that you’d like to deploy the configuration to. You can “CTRL + Click” or “SHIFT + Click” to select more than one 10ZiG Zero Client.
  3. In the menu, expand “Configuration” -> and select “Apply Template”.
    10ZiG Manager Configuration Menu via Right Click
  4. A “Configuration Template Note” is displayed. Please read and understand this, then click “Ok”.
    Configuration Template Note on configuration merge
  5. In the “Configuration Templates” window, select and highlight the configuration template you’d like to deploy, and then click “Ok”. In my example, I’m choosing “DA-MainTemplate”.
    10ZiG Apply Template Window Dialog Box
  6. The “Configuration Cloning Target” dialog box is displayed. Here you can change the target hostname, and choose to immediately push the configuration. Select “Ok”.
    Configuration Cloning Target 10ZiG Manager Dialog Box
  7. And now the “Reboot” dialog box is displayed. Here you can choose how you’d like the reboot to be handled once the configuration is pushed to the device(s). Select your preference, or leave as default and select “Ok”.
    10ZiG Manager Configuration Template Apply Reboot Options Dialog Box
  8. You’ll be brought back to the 10ZiG Manager interface. Here you’ll see a new task in the tasks list at the bottom of the window.
    10ZiG Manager Apply Configuration Template Status Task Window Pane Completed
  9. Once completed, you have successfully deployed the configuration.

You’re done! You have successfully pushed the configuration template to your 10ZiG Zero Client(s).

You can maintain, edit, and use multiple templates for different users, organizational units, or geographical units.

May 06, 2019
 
10ZiG 5948q Zero Client

Let’s say you manage numerous 10ZiG Zero clients and your users all have similar USB hardware that needs to be redirected to the VDI session. In most cases the hardware will be redirected without any configuration necessary, but what about when that doesn’t happen? You need to push a configuration template with the device information to your 10ZiG Zero Clients.

In my case, I use a YubiKey Security Key. I regularly use this for logins in Chrome and noticed that it wasn’t being directed via USB redirection.

This post is part two of a three part 10ZiG Manager Tutorial series:

Now there are two ways to do this:

  1. On the 10ZiG Zero Client, go to settings, USB redirection, and change the preference from “Default” to “Include”. This must manually be done on every Zero Client inside of your infrastructure (time consuming).
  2. Add the USB hardware ID to your configuration template inside of the 10ZiG Manager and then push this to all your 10ZiG Zero Clients that you manage (super fast, can be deployed to thousands of devices in seconds).

In this post we’re going to cover the latter, and show you how to add this to a config template. In my example, we’ll be adding the YubiKey security key with a hardware identifier (USB Product ID/PID) of 1050/0120 (Vendor ID: 1050, Product ID: 0120). We’ll be manually adding the hardware ID/PID to the config template in this tutorial.

Please Note: You can also add the settings on a 10ZiG Zero Client, and generate a template by pulling the config from that client. You can then push this to others as well.

To find out the Hardware ID/PID, you can either use the “Device Manager” on Windows, or plug the device in to a 10ZiG Zero Client, go to settings, USB Redirection, and you should see the device name, along with the HID/PID info.

Instructions

  1. Open the 10ZiG Manager.
    10ZiG Manager Logged In Main Window
  2. Randomly choose a 10ZiG Zero Client from the list, right-click on it to open the menu. Expand “Configuration” -> Select “Manage templates”.
    10ZiG Manager Configuration Menu via Right Click
  3. In the “Configuration Templates” window, right-click on your existing template (or create a new one), and select “Edit”.
    10ZiG Manager Configuration Templates Right Click Menu Shown
  4. In the “Template Configuration – Template Name” window, double-click on “USB Device Redirection”.
    10ZiG Manager Template Configuration Window Shown
  5. In the “USB Device Redirection” window, click on “Add”.
  6. Enter in a friendly name, and enter your Vendor ID and Product ID in to the fields. For a YubiKey Security key, I did the following.
    10ZiG Manager Configuration USB Redirection Settings Window and Add Window Selected
  7. Click OK on all the fields, save the template. The configuration has been saved to the configuration template.

You’re done! You can now deploy this template to a single 10ZiG Zero Client, or deploy it as a batch to many 10ZiG Zero Clients.

May 06, 2019
 
10ZiG 5948q Zero Client

So you’ve purchased some 10ZiG Zero Clients, configured the 10ZiG Manager, and want to create a configuration template to deploy to all your devices.

In this post, we’ll be going over how to create a configuration template from a manually configured 10ZiG Zero Client, so that you can edit it, and then deploy it to other 10ZiG Zero Clients (whether it’s a single unit, or 10,000).

Once you have a configuration template, you can add certificates, modify the VDI configuration, configure keyboard/mouse input, USB Redirection, and more! Doing all this with a configuration template allows you to manage and maintain a large amount of 10ZiG Zero Clients with ease.

This post is part one of a three part 10ZiG Manager Tutorial series:

Please Note: We are going to assume that you have manually configured at least one of your 10ZiG Zero Clients as a base configuration that you want to generate a template from. If not, make sure you do this before generating a template. We are also assuming that you have configured the 10ZiG Management software so that the Zero Clients can connect to it.

Instructions

  1. Open the 10ZiG Manager.
    10ZiG Manager Logged In Main Window
  2. Choose the 10ZiG Zero Client that you have already configured in the list and right-click on the unit.
  3. In the menu, expand “Configuration” -> and Select “Generate Template”.
    10ZiG Manager Configuration Menu via Right Click
  4. A warning explaining how the configuration is merged is presented, please read and understand this.
    Configuration Template Note on configuration merge
  5. In the “Configuration Templates” window, type in a template name in to the “Template Name” field, and then select “Ok”. I’m calling mine “DA-MainTemplate”.
    Create Configuration Template Name Dialog
  6. A warning explaining changes is presented, please read and understand this.
    Retrieve Device Configuration Warning Dialog Window
  7. You will be brought back to the 10ZiG Manager, and will see the “Generate configuration template” task in the tasks list at the bottom of the window. It should eventually complete and be marked as successful.
    Generate configuration template task list
  8. The configuration template has been created.

You have now created a configuration template inside of 10ZiG Manager! You can edit this, and eventually deploy it to other 10ZiG Zero Clients on your network.

May 05, 2019
 
Ubuntu Orange Logo

After upgrading a computer from Ubuntu 16.04 LTS to Ubuntu 18.04 LTS, during boot the screen goes blank (turns black), all HD disk activity halts, and the system becomes frozen. This event can also occur on a fresh installation or when updates are installed.

This is due to a video mode issue that causes the system to halt or freeze. It’s much like the issue I described here on a Fedora Linux system.

Temporary Fix

To get the system to boot:

  1. After turning on your PC, hold the right SHIFT key to get to the GRUB bootloader.
  2. Once GRUB is open, press the “e” key to edit the first highlighted entry “Ubuntu”.
  3. Move your cursor down to the line that starts with “linux”, and use the right arrow key to find the section with the words “ro quiet splash”.
  4. Add “nomodeset” after these words.
    nomodeset
  5. Feel free to remove “quiet” and “splash” for more verbosity to troubleshoot the boot process.
  6. Press “CTRL + X” or “F10” to boot.
  7. The system should now boot.

Permanent Fix

To permanently resolve the issue:

  1. Once the system has booted using the temporary fix, log in.
  2. Open a terminal window (Applications -> Terminal, or press the “Start” button and type terminal).
  3. Either “su” to root, or use “sudo” to open your favorite text editor and edit the file “/etc/default/grub” (I use nano, which can be installed by running “apt install nano”):
    nano /etc/default/grub
  4. Locate the line with the variable “GRUB_CMDLINE_LINUX_DEFAULT”, and add “nomodeset” to its value. Feel free to remove “splash” and “quiet” if you’d like a text boot. Here’s an example of my line after editing (yours will look different):
    GRUB_CMDLINE_LINUX_DEFAULT="quiet splash nomodeset"
  5. Save the file and exit the text editor (CTRL+X to quit, then press “y” and enter to save).
  6. At the bash prompt, execute the following command to regenerate the grub.cfg file on the /boot partition from your new default file:
    update-grub
  7. Restart your system, it should now boot!

Please Note: Always make sure you have a full system backup before modifying any system files!
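The manual edit in the permanent fix can also be scripted. The following is an added example, not part of the original post: a hypothetical helper, add_nomodeset, that appends “nomodeset” to GRUB_CMDLINE_LINUX_DEFAULT only if it is missing, keeps a “.bak” copy of the file, and refuses to touch a file it does not understand. It assumes the value is double-quoted, as in the line shown above.

```shell
#!/bin/sh
# Added example (not from the original post): add "nomodeset" to
# GRUB_CMDLINE_LINUX_DEFAULT once, keeping a backup of the file.
# add_nomodeset is a hypothetical helper name.
add_nomodeset() {
    grub_file="${1:-/etc/default/grub}"
    [ -f "$grub_file" ] || { echo "missing: $grub_file" >&2; return 1; }

    # Refuse to guess if the variable is absent or defined more than once.
    count=$(grep -c '^GRUB_CMDLINE_LINUX_DEFAULT=' "$grub_file" || true)
    if [ "$count" -ne 1 ]; then
        echo "expected 1 GRUB_CMDLINE_LINUX_DEFAULT line, found $count" >&2
        return 1
    fi

    # Matches nomodeset only as a whole word inside the value.
    present='^GRUB_CMDLINE_LINUX_DEFAULT=.*[" ]nomodeset[" ]'
    if grep -Eq "$present" "$grub_file"; then
        return 0    # already set, leave the file untouched
    fi

    cp -p "$grub_file" "$grub_file.bak" || return 1
    # Append inside the double quotes; the second expression tidies the
    # leading space left behind when the value was empty ("").
    sed -e '/^GRUB_CMDLINE_LINUX_DEFAULT=/ s/"\([^"]*\)"/"\1 nomodeset"/' \
        -e '/^GRUB_CMDLINE_LINUX_DEFAULT=/ s/=" /="/' \
        "$grub_file.bak" > "$grub_file"

    # A single-quoted or unquoted value is not handled: restore and fail.
    if ! grep -Eq "$present" "$grub_file"; then
        cp -p "$grub_file.bak" "$grub_file"
        echo "could not edit $grub_file automatically" >&2
        return 1
    fi
}
```

Source the file in a root shell, try `add_nomodeset` on a copy of /etc/default/grub first, then run it without arguments and follow it with `update-grub` as in step 6.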

May 04 2019
 

You’re trying to install Ubuntu on your computer, but it freezes due to lack of resources, specifically memory. This can happen when you’re trying to re-purpose old laptops, netbooks, etc.

This recently happened to me as I tried to install Ubuntu on an old HP Netbook. Originally I used Fedora, but had to switch to Ubuntu due to library issues (I wanted to use the VMware Horizon Client on it).

Unfortunately, when I’d kick off the USB installer, the OS would completely freeze (mouse either unresponsive, or extremely glitchy).

The Fix – External SWAP File

In the ~5 minutes where the system is operable, I used the key sequence “CTRL + ALT + F2” to get to a text tty console session. From here I noticed the system eventually uses all the RAM and maxes out the memory. This is the point at which the system becomes unresponsive.

Since this is a Live CD installer, there is no swap file for the system to use once the RAM has filled up.

To work around the problem, I grabbed a second blank USB stick and used it as an external swap file. Using this allowed me to run the installer, complete the installer, and successfully install Ubuntu.

Please make sure you are choosing the right device names in the instructions below. Choosing the wrong device name can cause you to write to the wrong USB stick, or worse, the hard drive of your system.

Instructions:

  1. Attach the USB installer and boot the system.
  2. Once the system has booted, press “CTRL + ALT + F2” to open a tty console session.
  3. Log in using user: “Ubuntu” with a blank password.
  4. Type “sudo su” to get a root shell.
  5. Type in “tail -f /var/log/kern.log” and connect your spare blank USB stick that you want to use for SWAP space. Note the device name, in my case it was “/dev/sdd”.
  6. Press “CTRL + C” to stop tailing the log file, then run “fdisk /dev/sdd” and replace “/dev/sdd” with whatever your device was. PLEASE MAKE SURE YOU ARE CHOOSING THE RIGHT USB DEVICE NAME.
  7. Use “n” to create a new partition and follow the prompts. When it asks for size, I randomly chose “+2G” for a 2GB swap file. Use “w” to write the partition table and then quit the fdisk application.
  8. Run “mkswap /dev/sdd1” and replace “sdd1” with the device and partition number of your USB Swap stick. This will format the partition and mark it as a SWAP filesystem.
  9. Run “swapon /dev/sdd1” and replace “sdd1” with the swap partition you created. This will activate the external swap file on the USB stick.
  10. Press “CTRL + ALT + F1” to return to the Ubuntu installation guide. Continue the install as normal.
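Since steps 6 to 8 are destructive, it is worth checking the device name before running fdisk. The following is an added example, not part of the original post: a hypothetical helper, check_swap_target, that accepts a whole-disk device only if the kernel marks it removable and none of its partitions are mounted, which rules out the internal hard drive and the installer stick. It assumes the spare stick reports removable=1 in sysfs, which some USB drive enclosures do not.

```shell
#!/bin/sh
# Added example (not from the original post). check_swap_target is a
# hypothetical helper. $1 is a whole-disk device such as /dev/sdd.
# $2 and $3 default to the real /sys/block and /proc/mounts and can be
# pointed at copies for a dry run.
check_swap_target() {
    dev="$1"; sys="${2:-/sys/block}"; mounts="${3:-/proc/mounts}"
    name="${dev#/dev/}"
    case "$name" in
        ""|*/*) echo "usage: check_swap_target /dev/sdX" >&2; return 2 ;;
    esac

    # Partitions (sdd1) have no entry directly under /sys/block.
    if [ ! -d "$sys/$name" ]; then
        echo "$dev: not a whole-disk block device" >&2
        return 1
    fi

    # Internal disks report removable=0; USB sticks normally report 1.
    if [ "$(cat "$sys/$name/removable" 2>/dev/null)" != "1" ]; then
        echo "$dev: not removable, refusing" >&2
        return 1
    fi

    # A mounted partition means the device is in use; the live installer
    # stick always is, so it is rejected here.
    if grep -Eq "^/dev/$name[p0-9]* " "$mounts"; then
        echo "$dev: has mounted filesystems, refusing" >&2
        return 1
    fi

    # sysfs reports the size in 512-byte sectors; print it in MiB so the
    # capacity can be compared with the label on the stick.
    sectors=$(cat "$sys/$name/size")
    echo "$dev: removable, unmounted, $((sectors / 2048)) MiB"
}
```

Run `check_swap_target /dev/sdd` from the root shell after step 5, and continue to fdisk only if it succeeds and the reported size matches the spare stick.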

This should also work for other Linux distributions, as I have also used this in the past with Fedora (on a Single Board Computer with almost no RAM).

During the install process where the Ubuntu installer formats your hard drive, the install will actually mount the hard drive swap file as well (it’ll use both). Once the installer is complete, shut down the system and remove the USB SWAP stick.