What’s everyone using for RDP thin clients and how are you configuring them? We are working on a co-managed project with a client to take care of a few remote locations for them that are near us, but it has turned into someone’s full-time job to deal with their endpoint RDP solution, and talking to their team it’s the same for them. I would like to present them with a better option.
My first thought was to use Windows 10 machines like they have been, but it takes so much time each month to keep them up and running that I don’t want to go down that path again.
My second thought was: could I network boot a bunch of Raspberry Pis that automatically create an RDP session where the user just has to enter the login information once? In my mind, this sounds much cleaner and simpler. If a Pi dies we just replace it. Most of the endpoints only need a keyboard and a touchscreen monitor to operate; everything else is connected via the network to the server. Then we just have to handle updating a master image.
Things I haven’t answered yet:
- Is having an auto-login on the Pi too much of a security issue? (If so, how do I make it not an issue?)
- Has anyone ever done something similar in production? If so, what was your experience?
- Is Active Directory going to have a hard time authenticating something like this?
I’m sure there are other things that I have forgotten. I’m going to play around with the concept tonight when I get home and see what happens. Let me know what you think and if you have any suggestions.
I have always found that inexpensive Windows laptops dedicated to RDP are easier to manage than configuring things like Raspberry Pis or any Linux solution. But it has been a while since I tried.
Where I work our IT guys use small form factor Windows 10 PCs, similar to an Intel NUC but HP versions.
They get mounted to the back of the monitor and use a wireless keyboard on a tray also attached to the monitor.
The workstations are set to auto login and secured using the domain controller so only specific applications can run. Typically just a web browser.
If one goes down they can be swapped easily.
Real question I have is what applications are you running? You say RDP; are they opening remote sessions on a server somewhere?
Also, what is taking the time each month to keep Win10 running?
Used Wyse thin clients might be a good option. There are plenty on eBay for less than $50/client.
I’ve been wanting to do RDP thin clients for many years and literally just did my first one 3 days ago. Years ago my friend found the project Thinstation for me and that’s what I chose to use. It doesn’t support ARM, so Pi computers won’t work. Ask Noah uses ThinLinx with Raspberry Pi and he recently talked about it in an episode a few months ago. Huge credit to Allenscloud (on YouTube) for helping me get GPU passthrough finalized on Proxmox to do my setup. He told me about WTWare. I haven’t deployed WTWare or ThinLinx, but the video demo I saw from Allenscloud looked like WTWare is much easier to set up than ThinLinx. I’m not speaking from any experience, simply just video demonstrations, so you’ll have to do more research.
We used Wyse S50 thin clients in the past. It was a good experiment, but not the utopia we wanted them to be; actually, not really impressed with them at all. Now we’re mostly using Chromebooks/boxes and Guacamole for “thin client” type applications accessed through the browser. Most of the Chromebooks sent to the suddenly WFH employees last March are just using the “guest” account built in from the factory on the Chromebooks; they just need a web browser to get access to Guacamole, and some are also using a webphone (using ctxSIP connecting to an Asterisk server), and Zoom/Jitsi conferences also only need a “guest” browser session. I know I can do Chrome Management on them and have the browser pop up automatically, etc., but I tend to KISS. User access is managed through Guacamole (Chrome guest mode won’t remember UN/PWs between sessions), and they are very cheap devices if they are stolen, lost, damaged, etc. I was starting to integrate TOTP into Guacamole just before the pandemic forced WFH; waiting now for some sort of return to “normal” to roll it out, but may just have to do it with everyone at home (training nightmare, user resistance).
I used to follow http://davelargo.blogspot.com/ closely on thin clients in a municipal government environment (I work in municipal government/utilities also). He seemed to have many of the same ideas I had at the same time in the late 2000s; he implemented a little differently (and had more user acceptance), but I stopped following him for some unknown reason. Looking at his posts now, it looks like he’s moving more Chromebook/browser based also.
We’ve recently started messing with some devices from NComputing. They’ve been pretty easy and reliable so far.
These to be precise: https://www.ncomputing.com/products/RX-series/RX-RDP
They’re just Raspberry Pis, but the OS they load seems to actually make a big difference in setup and functionality. They have the capability to set up auto-logins, run specific programs on login, and a few other things. We’ve only used this in a manufacturing facility where employees only need access to a certain program for data collection in the manufacturing process, so they don’t get access to anything else.
What we have here is NComputing. It’s like a small terminal device that you can screw to the back of the monitor and have a server in your IT room.
Thank you to everyone for the suggestions. I will look into those Windows thin client solutions as well.
@Thedannymullen Everything seems to be an issue. Just in the last week, I have had:
- 1 hard drive failure
- 2 of them fell out of the domain for some random reason
- 1 got stuck in a boot loop and had to be restored
- 1 has a broken RJ45 port (I don’t even know how this happens. It’s bolted to the wall and there is no way to reach the ethernet cable without taking the cover off that is on top of both the system and wall port.)
- 1 doesn’t support drivers on our touchscreens, but the 20 others work
- 1 for some reason could not log in to all the users on the domain, only some of them
This client might be cursed I’m not sure. It is also co-managed so they could be messing with things and I won’t know.
They RDP into a server to access an ordering system. That also connects to the manufacturing system.
I have been playing with Remmina on the Pi and I made a pros and cons list. For my playing around/testing, I set up a VM on one of the servers to RDP into and have been trying to use it as my main desktop at home for everything but gaming.
- So far from testing, the stability and responsiveness are definitely there.
- I have not found any incompatibility with any hardware we use.
- Cheap and quick to deploy. (I have deployment down to 5 mins; I think I could get that lower with network booting.)
- I can automate everything to launch the RDP session
- It’s one less windows system I have to deal with.
- There’s going to have to be some staff training to show them how to use Linux.
- I have not gotten the Pi to network boot yet (so if something is wrong, just turn it off and back on to get a clean image).
- Not sure if this is 100% PCI compliant because the same server does handle the payment gateways. But I could lock down the network to only allow connections to the server IP and update the image outside of the network (just a thought).
I think the next step for testing is I should set a few of these up on a network boot and have myself and a few others use them more aggressively to see what happens. Plus do some research into making sure this whole system is PCI compliant and, if not, whether I can make it.
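One way to set up the Pi so that auto-login only reaches an unprivileged kiosk account, the domain password is never stored on the device, and outbound traffic is limited to the server IP as the post above considers. This is an added example, not configuration from the thread or from any of the products mentioned; the server address, port, certificate fingerprint and `kiosk` account name are placeholders, and it assumes FreeRDP 2.x (`xfreerdp`) flag syntax and nftables on the image.

```shell
#!/bin/sh
# Added example (not from the thread): kiosk launcher for a network-booted Pi.
# Placeholders: RDP_HOST is the ordering server; the Pi auto-logs in as an
# unprivileged local "kiosk" user whose session runs this. Assumes FreeRDP 2.x
# (xfreerdp) and nftables on the image. No domain credentials are stored here.

RDP_HOST="${RDP_HOST:-192.0.2.10}"      # placeholder server address
RDP_PORT="${RDP_PORT:-3389}"
RDP_CERT_SHA256="${RDP_CERT_SHA256:-}"  # placeholder: server cert fingerprint

# Returns 0 if the argument is a SHA-256 fingerprint (64 hex chars), else 1.
valid_sha256() { expr "$1" : '[0-9a-fA-F]\{64\}$' >/dev/null; }

# xfreerdp arguments: deliberately no /u: /p: /d:, so the user is prompted each
# session; /sec:nla requires Network Level Authentication; the pinned certificate
# stops a spoofed server on the shop-floor LAN from harvesting typed passwords.
rdp_args() {
    printf '/v:%s:%s /f /sec:nla /cert:fingerprint:sha256:%s' "$1" "$2" "$3"
}

# nftables ruleset: outbound only to DHCP/DNS and the RDP server (add the
# TFTP/NFS boot server when network-booting). Loaded once at boot as root with
# `nft -f`, so the kiosk user cannot change it.
egress_ruleset() {
    cat <<EOF
flush ruleset
table inet kiosk {
    chain output {
        type filter hook output priority 0; policy drop;
        oif "lo" accept
        ct state established,related accept
        udp dport { 53, 67 } accept
        ip daddr $1 tcp dport $2 accept
    }
}
EOF
}

# Relaunch after every disconnect so a closed session returns to the login
# prompt; only the exit code is logged, never credentials.
session_loop() {
    valid_sha256 "$RDP_CERT_SHA256" || { echo "set RDP_CERT_SHA256 first" >&2; exit 1; }
    while :; do
        xfreerdp $(rdp_args "$RDP_HOST" "$RDP_PORT" "$RDP_CERT_SHA256")
        rc=$?
        echo "$(date -u +%FT%TZ) session ended rc=$rc" >>"$HOME/kiosk.log"
        sleep 2
    done
}
# Start only when asked (e.g. from the kiosk user's session autostart).
if [ "${KIOSK_LAUNCH:-0}" = 1 ]; then session_loop; fi
```

The kiosk account needs no sudo rights and no shell beyond this launcher, so a walk-up user who reboots the Pi still lands at the server's own login prompt.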
PCI compliance shouldn’t be an issue since all the data is on the servers and not the thin clients. If the servers are secured and follow the requirements you should be good.
The thing I liked about the Wyse clients is the TFTP server you could deploy for network booting.
But won’t having devices that auto login to a secured server be a violation because I’m not controlling access? My general rule for making things compliant is to lock things down both virtually and physically. Someone who walks by a POS system should not be able to just open it up and see private data.
My goal with these devices is to boot them over the network. That might solve my PCI issue because they still need to enter a username and password to access the secure server. This is kind of a work in progress, plus I need to get the company to go with this over buying more Windows desktops like what they have.
I would never allow auto login, but yes you are correct that would be an issue.